HP StorageWorks Secure Key Manager users guide
Part number: AJ087–96018
3rd edition: April 2009
Legal and notice information © Copyright 2007, 2009 Hewlett-Packard Development Company, L.P. © Copyright 2000, 2008 Ingrian Networks, Inc. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.
About this guide This guide provides information about: • Installing an HP StorageWorks Secure Key Manager • Configuring an HP StorageWorks Secure Key Manager • Administering security keys Intended audience This guide is intended for system administrators with knowledge of: • Basic computer system rack installation • Data security administration • Network configuration Related documentation The following documents and web sites provide related information: • HP StorageWorks Command View TL getting started
Convention Element
Monospace text:
• File and directory names
• System output
• Code
• Commands, their arguments, and argument values
Monospace, italic text:
• Code variables
• Command variables
Monospace, bold text:
• Emphasized monospace text
WARNING! Indicates that failure to follow directions could result in bodily harm or death.
CAUTION: Indicates that failure to follow directions could result in damage to equipment or data.
IMPORTANT: Provides clarifying information or specific instructions.
HP technical support
For worldwide technical support information, see the HP support website: http://www.hp.com/support
Before contacting HP, collect the following information:
• Product model names and numbers
• Technical support registration number (if applicable)
• Product serial numbers
• Error messages
• Operating system type and revision level
• Detailed questions
Customer self repair
HP customer self repair (CSR) programs allow you to repair your StorageWorks product.
Documentation feedback HP welcomes your feedback. To make comments and suggestions about product documentation, please send a message to storagedocsFeedback@hp.com. All submissions become the property of HP.
1 Installing and replacing hardware
This section details the steps to install or replace the SKM hardware:
• Preparing for the installation
• Rack planning resources
• Optimum environment
• Unpacking
• Identifying the shipping carton contents
• Removing the existing appliance
• Install rails in the rack
Preparing for the installation
Tools for installation
• Two people
• #2 Phillips screwdriver
• Box cutting knife
• Laptop or PC that can be attached to the appliance using the null modem cable for the ini
• Use heel straps, toe straps, or boot straps at standing workstations. Wear the straps on both feet when standing on conductive floors or dissipating floor mats. • Use conductive field service tools. • Use a portable field service kit with a folding static-dissipating work mat. If you do not have any of the suggested equipment for proper grounding, have an authorized reseller install the part.
Rack warnings WARNING! To reduce the risk of personal injury or damage to the equipment, be sure that: • The leveling jacks are extended to the floor. • The full weight of the rack rests on the leveling jacks. • The stabilizing feet are attached to the rack if it is a single-rack installation. • The racks are coupled together in multiple-rack installations. • Only one component is extended at a time. A rack may become unstable if more than one component is extended for any reason.
When vertical space in the rack is not filled by an SKM or rack component, the gaps between the components cause changes in airflow through the rack and across the servers. Cover all gaps with blanking panels to maintain proper airflow. Using a rack without blanking panels results in improper cooling that can lead to thermal damage. The Compaq 10000 Series racks provide proper SKM cooling from flow-through perforations in the front and rear doors that provide 64 percent open area for ventilation.
CAUTION: Protect the SKM from power fluctuations and temporary interruptions with a regulating uninterruptible power supply (UPS). This device protects the hardware from damage caused by power surges and voltage spikes and keeps the system in operation during a power failure. When installing an SKM connected to more than one disk array, you may need to use additional power distribution devices to safely provide power to all devices.
5. Place shipping materials back into the shipping cartons. 6. Set the shipping cartons aside for later use. Identifying the shipping carton contents A new SKM cluster contains at least two appliances, individually boxed. NOTE: If the Important System ROM updates for new processors, or the HP ProLiant Essentials Foundation Pack are included in the carton, please disregard them. Each appliance box contains the items shown in Figure 1.
CAUTION: There will be several tamper-evident labels. Do not cut or damage these labels because they are required for FIPS compliance audits. Selecting a rack location Select a rack location that meets the space, airflow, temperature, power, and electrical grounding requirements described in Rack planning resources. For adequate airflow within the rack, use appropriate high airflow inserts in rack cabinet doors and observe industry standard practices for adequate spacing between racks or rows of racks.
9. Remove the rails from the original appliance for reuse on the replacement appliance. To do so, pull out on the tab of the rail that locks the center tab of the appliance, slide the rail forward, and pull the rail off the appliance.
10. Return the original appliance to HP according to the repackaging instructions sent separately.
11. Skip to Attaching rails to the appliance.
Installing the rails in the rack
1. Locate the rail kit.
2. Adjust the outer slide rail to the approximate rack depth.
3.
4.
3. With the appliance fully seated in the rack, tighten the thumbscrews just until the bezel is secured to the rack. Attaching the cables 1. Connect a standard Ethernet (CAT-5) cable from your local IP network (LAN) to the 10/100/1000 NIC 1 (RJ-45) connector. WARNING! To reduce the risk of electric shock, fire, or damage to the equipment, do not plug telephone or telecommunications connectors into RJ-45 (NIC) connectors. 2.
2 Configuring the system Starting the SKM appliance NOTE: To prepare to configure the system, have ready all information listed on the pre-install survey. This information was gathered by your site Security Officer and the HP installation team before the system was shipped; if it has been lost, obtain the form from www.hp.com (on the SKM product page, under Support for your Product, Manuals) and complete it now.
5. Follow the prompts to enter the necessary information:
TIP: Press Enter to accept the default.
a. Admin account password. The Security Officer will use the admin account to configure the SKM appliances and clustering.
b. Time zone
c. Date
d. Time. The time is based on a 24-hour clock. There is no a.m. or p.m. designation. For example, 1:20 p.m. is 13:20:00.
e. IP address of the SKM appliance. The appliance must have a static network address; it cannot obtain an IP address through DHCP.
f.
6. Configure the default settings for the key replication interval and retry attempts. NOTE: These commands require firmware version 1.1 or greater. a. Log in to the appliance as admin using the password specified during configuration. b. Type configure to enter configuration mode. #config (config)# c. Type the following commands to set both the key replication and key replication retry intervals.
If you are replacing an SKM appliance or adding a member to an existing cluster, skip to Establishing a cluster. The configurations in this step are performed from the SKM management web console, which can be accessed from any web browser with Internet access to the SKM appliance. The URL for the appliance is: https://: Where • is the hostname or IP address you provided in Starting the SKM appliance, step 4.
6. Add the Local CA to the Trusted CAs list.
a. In Certificates & CAs, click Trusted CA Lists to display the Trusted Certificate Authority List Profiles.
b. Click on the Default Profile Name (not the radio button).
c. In the Trusted Certificate Authority List, click Edit.
d. From the list of Available CAs in the right panel, select the CA you created in step 4. For example, SKM Local CA.
e. Click Add.
f. Click Save.
7. If appropriate, add known, third-party CAs to the Trusted CAs list.
a.
3. Enter information required by the Create Certificate Request section of the window to create the SKM server certificate. a. Enter a Certificate Name and Common Name, for example SKM Server. b. Enter your organizational information. c. Enter the E-mail Address where you want messages to the Security Officer to go. d. Enter the Key Size. HP recommends using the default value: 1024. 4. Click Create Certificate Request. 5.
10. Enter data required by the Sign Certificate Request section of the window. a. Select the CA name from the Sign with Certificate Authority drop down box. For example, SKM Local CA. b. Select Server as the Certificate Purpose. c. Enter the number of days before the certificate must be renewed based on your site's security policies. The default value is 3649 or 10 years. d. Paste the copied certificate data from step 6 into the Certificate Request box. 11. Click Sign Request. 12.
3. In the KMS Server Settings section of the window, click Edit. The following warning may display. 4. Configure the KMS Server Settings as shown. (Ensure that the port and connection timeout settings are 9000 and 3600, respectively). For Server Certificate, select the name of the certificate you created in Creating the SKM server certificate, step 4. For example, SKM Server. 5. Click Save. IMPORTANT: Please apply the most recent security patch(es) to ensure maximum security.
1. From the SKM management console, click the Device tab. 2. In the Device Configuration menu, click Cluster. 3. Type the cluster password in the Create Cluster section of the main window to create the new cluster. 4. If required, change the Local Port. HP recommends using the default value of 9001. 5. Click the Create button. 6. In the Cluster Settings section of the window, click Download Cluster Key and save the key to a convenient location, such as your computer's desktop.
2. If you skipped Creating the cluster, retrieve the cluster key text file now. To do so, select the Cluster Settings section of the window, click Download Cluster Key and save the key to a convenient location, such as your computer's desktop. The cluster key is a text file and is only required temporarily. It may be deleted from your computer's desktop after all SKM appliances have been added to the cluster. 3.
6. Join the appliance to the cluster.
a. Select the Device tab.
b. In the Device Configuration menu, click on Cluster.
c. In the Cluster, click on Join Cluster.
d. In the Join Cluster section of the window, leave Local IP and Local Port set to their defaults.
e. Type the original cluster member’s IP into Cluster Member IP.
f. Type the original cluster member’s port into Cluster Member Port. The default value of this port is 9001.
7.
8. Click on the SKM Local CA. 9. Click Sign Request. 10. Enter information required in the Sign Certificate Request section of the window as shown: a. In the Sign with Certificate Authority drop down box, select SKM Local CA. b. Select Server as the Certificate Purpose. c. Use the default Certificate Duration 3649. d. Paste the copied certificate data into the Certificate Request box. 11. Click Sign Request. 12.
6. Click Select None. 7. Click Continue. 8. In the Create Backup screen, type a name, description, and password for the certificate backup. 9. Select Download to Browser. 10. Click Backup and save the backup to your desktop. Installing the certificates To install the certificates, perform the following steps on each of the additional cluster members: 1. In the Maintenance menu, click Backup & Restore and then Restore Backup. 2. Click Upload from browser. 3.
3 Performing configuration and operation tasks Key and policy procedures Creating a key To create a key: 1. Log in to the Management Console as an administrator with Keys and Authorization Policies access control. 2. Navigate to the Create Key section on the Key and Policy Configuration page (Security > Keys). 3. Enter a unique key name in the Key Name field. 4. Enter a value in the Owner Username field to assign a specific owner or leave this value blank to create a global key.
4. Enter a value in the Owner Username field to assign a specific owner or leave this value blank to create a global key. If an owner is listed for the key, then that is the only user who can access the key, unless you set group permissions. Global keys can be accessed by all users. 5. Select the algorithm. 6. To make the key deletable by the owner, select Deletable. Deletable global keys are deletable by all users. 7. To make the key exportable from a non-FIPS SKM, select Exportable.
4. Click Download Public Key to download the public portion of the RSA key. Deleting a key To delete a key: 1. Log in to the Management Console as an administrator with Keys and Authorization Policies access control. 2. Navigate to the Keys section of the Key and Policy Configuration page (Security > Keys). 3. Select the key and click Delete. Authorization policy procedures Creating an authorization policy To create an authorization policy: 1.
User and group procedures NOTE: User accounts and groups can be managed locally on the SKM and shared among clustered nodes. This is the preferred method, as this maintains the Federal Information Processing Standards (FIPS) compliance for the nodes. User accounts and groups can also be managed centrally. If managing all user and group accounts centrally is a priority, refer to the HP StorageWorks Secure Key Manager Key Protection Best Practices white paper. Creating a user To create a user: 1.
2. Navigate to the Local Groups section of the User & Group Configuration page (Security > Local Users & Groups). 3. Select a Group and click Properties or click the group name to access the User List section. 4. Click Add and enter the user in the Username field. 5. Click Save. Removing a user from a group To remove a user from a group: 1. Log in to the Management Console as an administrator with Users, Groups, and LDAP access control. 2.
LDAP server procedures Setting up the LDAP user directory To set up the LDAP user directory: 1. Log in to the Management Console as an administrator with Users, Groups, and LDAP access control. 2. Navigate to the LDAP User Directory Properties section of the LDAP Server Configuration page (Security > LDAP > LDAP Server). 3. Click Edit. 4. Enter the Server IP and Hostname, Server Port. 5. If using SSL, select Use SSL and enter the Trusted CA List Profile. 6.
2. Navigate to the LDAP Failover Server Properties section of the LDAP Server Configuration page (Security > LDAP > LDAP Server). 3. Click Edit. 4. Enter the Failover Server IP or Hostname and Failover Server Port. 5. Click Save. Testing the LDAP failover server connection To test the LDAP failover server connection: 1. Log in to the Management Console as an administrator with Users, Groups, and LDAP access control. 2.
NOTE: To generate a valid certificate, you must have a certificate authority sign a certificate request. You can create local CAs on the SKM, and use those CAs to sign certificate requests. Otherwise, you must use an external CA to sign certificate requests. The following steps assume that you have already created a local CA. To create a server certificate for the SKM: 1. Log in to the Management Console as an administrator with Certificates access control. 2.
7. Navigate to the Local Certificate Authority List section. 8. Select a CA and click Sign Request. 9. Paste the certificate request into the Certificate Request field. Select Server as the Certificate Purpose, specify a Certificate Duration and click Sign Request. The newly-activated certificate displays on a new page. 10. Copy the certificate text. 11. Navigate back to the Certificate List section. 12.
6. Copy the certificate request text. The certificate text looks similar, but not identical, to the following text.
IMPORTANT: A self-signed certificate should be used for testing purposes only. Any attempt to connect with an SKM using a test self-signed certificate sends a warning to the client browser. To create a self-signed certificate: 1. Log in to the Management Console as an administrator with Certificates access control. 2. Navigate to the Create Certificate Request section of the Certificate and CA Configuration page (Security > Certificates). 3.
6. Click Save. The SKM verifies the validity of the newly installed certificate. If determined to be valid, the certificate appears as “Certificate Active” in the Certificate List. Installing a certificate chain When CAs sign server certificates with an intermediate CA, it might be necessary for an SKM to send multiple certificates to a client to enable the client to verify the server certificate. Multiple certificates contained in one certificate are called a certificate chain.
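The effect of a missing intermediate can be reproduced offline with OpenSSL. This is an added example, not taken from the HP guide: the root CA, intermediate CA and server certificate, their subject names and all file names are constructed for the demonstration, and nothing in it contacts an SKM.

```shell
#!/bin/sh
# Added example (not HP code): a server certificate signed by an intermediate CA
# verifies against the root only when the intermediate is supplied with it.
# Every name, subject and file below is constructed for this demonstration.

# Create an RSA key and certificate request for subject $2 as $1/$3.key and $1/$3.csr.
new_request() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" \
        -subj "$2" -keyout "$1/$3.key" -out "$1/$3.csr" >/dev/null 2>&1
}

# Build a throwaway root -> intermediate -> server hierarchy in directory $1.
build_demo_pki() {
    d="$1"
    # Minimal request configuration so the run does not depend on a system openssl.cnf.
    printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=unused\n' > "$d/req.cnf"
    # Extensions for CA certificates and for a TLS server certificate.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$d/server.ext"

    new_request "$d" "/CN=Demo Root CA" root &&
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -days 30 -out "$d/root.crt" >/dev/null 2>&1 &&
    new_request "$d" "/CN=Demo Intermediate CA" int &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -set_serial 2 -extfile "$d/ca.ext" -days 30 -out "$d/int.crt" >/dev/null 2>&1 &&
    new_request "$d" "/CN=skm.example.test" server &&
    openssl x509 -req -in "$d/server.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -set_serial 3 -extfile "$d/server.ext" -days 30 -out "$d/server.crt" >/dev/null 2>&1 &&
    # A certificate chain file: the server certificate first, then the intermediate.
    cat "$d/server.crt" "$d/int.crt" > "$d/chain.pem"
}

# Number of PEM certificates contained in file $1.
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Verify the first certificate in file $2 as a TLS server certificate against the
# trusted root in $1. Any further certificates in $2 are offered as untrusted
# intermediates, which is how a client treats the extra certificates a server sends.
verify_installed_file() {
    openssl verify -purpose sslserver -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

main() {
    dir=$(mktemp -d) || return 1
    build_demo_pki "$dir" || { rm -rf "$dir"; return 1; }
    for f in server.crt chain.pem; do
        if verify_installed_file "$dir/root.crt" "$dir/$f"; then
            result="verifies"
        else
            result="does NOT verify"
        fi
        echo "$f ($(count_certs "$dir/$f") certificate(s)): $result against the root CA"
    done
    rm -rf "$dir"
}

main
```

The same `openssl verify` call can be pointed at a real chain file and the issuing root CA certificate before the chain is pasted into the Management Console.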
Certificate Authority (CA) procedures Adding a CA certificate to the trusted CA list To add a CA certificate to the trusted CA list: 1. Log in to the Management Console as an administrator with Certificate Authorities access control. 2. Navigate to the Trusted Certificate Authority List Profiles section of the Certificate and CA Configuration page (Security > Trusted CA Lists). 3. Select a profile and click Properties to access the Trusted Certificate Authority List section. 4. Click Edit. 5.
Deleting a trusted CA list profile To delete a trusted certificate authority list profile: 1. Log in to the Management Console as an administrator with Certificate Authorities access control. 2. Navigate to the Trusted Certificate Authority List Profiles section of the Certificate and CA Configuration page (Security > Trusted CA Lists). 3. Select a profile and click Delete. NOTE: You cannot delete the default profile.
2. Navigate to the Local Certificate Authority List section of the Certificate and CA Configuration page (Security > Local CAs). 3. Select a certificate authority and click Download to download the CA to your local workstation. Alternatively, you can download the certificate authority by using the Download button on the CA Certificate Information section. Deleting a local CA To delete a local CA: 1. Log in to the Management Console as an administrator with Certificate Authorities access control. 2.
4. Select Intermediate CA Request as the Certificate Authority Type. 5. Click Create. The new request appears in the Local Certificate Authority List section with a status of CA Certificate Request Pending. 6. Navigate to the Local Certificate Authority List section of the Certificate and CA Configuration page (Security > Local CAs). 7. Select the CA Certificate Request and click Properties to access the CA Certificate Information section. 8. Copy the CA certificate request text.
2. Navigate to the Install CA Certificate section of the Certificate and CA Configuration page (Security > Known CAs). 3. Enter a value for the Certificate Name and paste the CA certificate text in the Certificate field. 4. Click Install. The CA will be added to the CA Certificate list. Removing a CA certificate To remove a CA certificate: 1. Log in to the Management Console as an administrator with Certificate Authorities access control. 2.
KMS server procedures The KMS server is the firmware component of the SKM server that manages communications between the SKM and the clients. This section describes the procedures you will follow when managing the KMS server. Enabling SSL Prior to enabling SSL, you must have a server certificate available on the KMS Server. To enable SSL: 1. Log in to the Management Console as an administrator with KMS Server access control. 2.
Enabling password authentication To enable password authentication: 1. Log in to the Management Console as an administrator with KMS Server access control. 2. Navigate to the KMS Server Authentication Settings section of the KMS Server Configuration page (Device > KMS Server > KMS Server). 3. Click Edit. 4. Select Required in the Password Authentication field. 5. Click Save. Enabling client certificate authentication To enable client certificate authentication: 1.
Clustering procedures Creating a cluster You create a cluster on one SKM and then join other members to that cluster. To create a cluster: 1. Select an SKM to be the first cluster member. This device cannot currently be a member of a cluster. 2. Log in to the Management Console as an administrator with Cluster access control. 3. Navigate to the Create Cluster section on the Cluster Configuration page (Device > Cluster). 4. Enter the Local IP, Local Port, and Cluster Password. 5.
4. Click Synchronize With and confirm this action. As part of the synchronization, the KMS Server will create an automatic synchronization backup before installing the new configuration. CAUTION: Synchronizing the local device with the cluster overwrites the existing configuration, which may include keys. You can access overwritten information using the synchronization backup.
Upgrading a cluster A cluster can be upgraded by upgrading one device at a time. Once all of the devices are running the new software, you can configure the replication settings as needed. TIP: We recommend that you do not make configuration changes while upgrading a cluster. To upgrade a cluster: 1. Log in to the Management Console as an administrator with Software Upgrade and System Health access control. 2. Upgrade the software on the device. 3. Repeat steps 1 and 2 for each member of the cluster.
2. Navigate to the NTP Settings section of the Date & Time Configuration page (Device > Date & Time). 3. Click Edit. 4. Select Enable NTP. 5. Enter the IP addresses of the NTP servers in the NTP Server fields. 6. Specify the frequency with which the SKM will poll the NTP server(s). If you enter a value that is not a multiple of 5, the SKM will round down to the nearest multiple of 5. 7. Click Save.
7. Repeat steps 3 through 6 as needed. 8. Click Edit on the IP Authorization Settings section. 9. For each service select either Allow All Connections to grant access to all clients or Only Allow IPs Specified Below to grant access to only the clients listed in the Allowed Client IP Addresses section with that service selected. 10. Click Save.
1. Configure the agent at the SNMP Agent Settings section.
2. Create an SNMPv3 username at the SNMPv3 Username List section to enable the NMS to access the Enterprise MIBs.
3. Define an NMS at the Create SNMP Management Station section if you want the SKM to initiate trap messages to the NMS. The fields required for defining an SNMPv3 NMS depend on the combination of authorization and privacy you choose.
Administrator procedures
Creating an administrator
To create an administrator account:
1.
5. If using SSL, select Use SSL and enter the Trusted Certificate Authority.
6. Enter the number of seconds to wait for the LDAP server during connections in the Timeout field.
7. Enter the Bind DN (distinguished name) and Bind Password.
8. Click Save.
Testing the LDAP administrator server connection
To test the LDAP administrator server connection:
1. Log in to the SKM appliance as a Local administrator with High Access Administrator access control.
2.
3. Click LDAP Test.
Password management procedures
Changing your password
To change your administrator account password:
1. Log in to the Management Console using your administrator account.
2. Navigate to the Change Your Password section of the Administrator Configuration page (Device Configuration > Administrators > Password Management).
3. Enter your current password in the Current Password field.
4. Enter a new password in the New Password and Confirm New Password fields.
5.
access to the SKM configuration is secured but not in a haphazard manner. It is best to have a documented procedure in place to handle such a situation. One possible procedure is the following: 1. Delete the former security officer’s administrator account immediately, then create a new administrator account with the same permissions but a different account name. Have the replacement security officer use the new account.
1. Log in to the Management Console as an administrator with High Access Administrator access control. This is the administrator that will grant credentials to another. 2. Navigate to the Grant a Credential section on the Administrator Configuration page (Device > Administrators > Multiple Credentials). 3. Select the administrator that will receive the credentials in the Grant to field. 4. Enter the duration that the credentials will be granted.
6. Click Sign Request. This will take you to the CA Certificate Information section where the certificate is displayed in PEM format.
7. Click the Download button to save the certificate to your client.
Converting a certificate from PEM to PKCS12 format
The SKM can provide you with a certificate in PEM format. You must convert that certificate to PKCS12 before importing it to your web browser.
5. Click Save. NOTE: This feature is immediately enabled when you select Web Admin User Authentication. You will be logged out of the Management Console and will need a valid client certificate to return. If needed, you can use the edit ras settings command from the CLI to disable this feature without presenting a certificate.
2. Determine the Key Sharing Group.
a. From the filtered list of keys, choose the one with the most recent timestamp (the number sequence at the end of the key name) and click Properties. (See Figure 4).
Figure 4 Filtering the list of keys
b. Select the Permissions tab to display the name of the Group, listed in the Group Permissions panel.
c. Note the name of the Group.
3. Export (backup) the key.
a. From the Device tab, in the Maintenance menu on the left, select Backup & Restore, then select Create Backup to display the Create Backup panel (see Figure 5).
Figure 5 Exporting the key
b. In the Security Items field, click Select None.
c. In the Keys field, select One key, then enter or copy/paste the key name.
d. Click Continue.
e. From Device Items, click Select None.
f. Click Continue.
NOTE: Steps c. through f.
Figure 7 Entering backup information i. Click Backup. A message displays when the backup is complete. The backup operation should take a few seconds. 4. Send the tape and the Destination (backup) file to the Cluster #2 admin. Also transmit the Group name and the backup password. NOTE: For security reasons, HP recommends these communications occur separately, via different communication paths.
5. Import (restore) the backup file to Cluster #2 a. On the SKM, from the Device Tab, in the Maintenance menu on the left, select Backup & Restore, then Restore Backup. The Backup Restore Information screen displays. b. Specify the source of the file, and the backup password. c. On the next screen, Backup Restore Information (see Figure 8), in the All Items field, select Select None. Figure 8 Completing the Backup Restore Information screen d.
6. Restart the SKM software.
NOTE: Following a restore, the SKM must be restarted.
a. From the SKM Device tab, in the Maintenance menu, select Services.
b. In the Restart/Halt pane, in the Restart/Halt field, select Restart.
c. Click Commit.
d. Select Confirm to initiate the restart request. Restart will take approximately 5 minutes.
e. When the restart is complete, log in to the SKM again.
7. Force replication of the key across Cluster #2.
a.
8. Ensure that the key sharing group has been added. a. From the SKM interface, Security tab, Users and LDAP Menu, select Local Users and Groups. b. Verify that the Group name from Cluster #1 is listed in the Local Groups section under Group. c. If the Group name from Cluster #1 is not listed, add it now. i. Under Local Groups pane, select Add. ii. Enter the Group name, provided from Cluster #1. The name must match exactly. iii. Click the name of the new group. iv.
3. In the Keys field, select No keys. 4. Click Continue. 5. In the Device Items field, click Select All. 6. Click Continue. 7. In the Backup Summary section of the panel, verify that all of the settings, certificates, and local certificate authorities are included in the backup. Also verify that [None] is selected in the Keys field. (See Figure 12.) Figure 12 Verifying the Backup Summary section to backup the configurations and certificates 8.
1. From the SKM interface on the Device tab, in the Maintenance menu, select Backup Restore, then Create Backup. 2. In the Create Backup pane, in the Security Items field, click Select None. 3. In the Keys field, select All keys. 4. Click Continue. 5. In the Device Items field, click Select None. 6. Click Continue. 7. In the Backup Summary section of the panel, review the backup summary to ensure only keys are being backed up. Repeat steps 2 - 5 if needed. (See Figure 13.
1. Log in to the Management Console as an administrator with Logging access control. 2. Navigate to the Log Configuration page (Device > Log Configuration) and click the Rotation & Syslog tab. 3. Select a log in the Rotation Schedule section and click Properties to access the Log Rotation Properties section. 4. Click Edit. 5. Use the Rotation Schedule and Rotation Time fields to specify when the log will be rotated. 6.
3. Double-click on the file. Outlook Express will open and display a help screen with a security header that reads: “Digitally signed - signing digital ID is not trusted.” 4. Click Continue. A security warning will appear. 5. Click View Digital ID. The Signing Digital ID Properties dialog will appear. 6. Click the Details tab and scroll down to the Thumbprint field. 7. Download the Log Signing Certificate used to sign the log file from the SKM. 8. Double-click on the Log Signing Certificate.
Recreating the log signing certificate
Prior to creating a new log signing certificate, back up the old certificate so you can verify previously signed logs.
To recreate the log signing certificate:
1. Log in to the Management Console as an administrator with Logging access control.
2. Navigate to the Log Configuration page (Device > Log Configuration) and click the Rotation & Syslog tab.
3. Click Recreate Log Signing Cert in the Audit Log Settings section.
4. Enter a Certificate Duration.
5.
Clearing a log
To clear a log:
1. Log in to the Management Console as an administrator with Logging access control.
2. Navigate to the Log Viewer page (Device > Log Viewer) and click the tab for the log you would like to download.
3. Choose a log in the Log File field.
4. Click Display Log.
5. Click Clear.
4 Maintaining the SKM
Backup and restore overview
Clustering SKM nodes is an effective way of exchanging keys and configuration data to allow for failover, but it is not the complete solution for protecting the SKM environment. Perform regular backups of the SKM nodes to ensure that your encryption solution is protected in a disaster-recovery scenario.
If one of these objects is being restored on a device where there is already a similar object with the same name, the key, certificate, or local CA from the backup file overwrites the existing object. Every backup file is protected with a key on the SKM and a password provided by the administrator. Because a backup file may contain sensitive information, such as user accounts and certificates, we recommend a reasonably long backup password.
Figure 14 Viewing the Create Backup: Security Items section
The following table describes the components of the Create Backup: Security Items section.
Table 2 Create Backup: Security Items section components
Components | Description
Security Items | Click Select All to include all of the key management items in your backup. Click Select None to deselect all key management items.
Keys | Select the method for backing up keys. Select to backup all, none, or a specific key.
Components | Description
Continue | Click Continue to configure the next group of items.
Create Backup: Device Items
Use this section to select the device items to include in your backup.
Figure 15 Viewing the Create Backup: Device Items section
The following table describes the components of the Create Backup: Device Items section.
Table 3 Create Backup: Device Items section components
Components | Description
Device Items | Click Select All to include all of the device configuration items in your backup.
Figure 16 Viewing the Create Backup: Backup Settings section
The following table describes the components of the Create Backup: Backup Settings section.
Table 4 Create Backup: Backup Settings section components
Components | Description
Backup Name | Enter a name for the backup file. For backups stored externally, the backup filename is created by appending _0_bkp to the backup name. For large backups, the zero is incremented by 1 for each additional file.
Components | Description
Cancel | Click Cancel to abort the backup and return to the Create Backup: Security Items section.
Backup Summary | Displays all of the items that could possibly be backed up and indicates the items to be included in your backup configuration.
Restore Backup
Use the Restore Backup section of the Backup and Restore page to restore data from a backup file. After you restore a backup configuration you must restart your system for the changes to take effect.
NOTE: When restoring a key to the Key Manager, the key must conform to the appliance’s current Number of Active Versions Allowed for a Key setting on the Key and Policy Configuration page. If the key has more active versions than permitted by that setting, the key restore will fail. To restore a key with more active versions than the system allows, you must change the Number of Active Versions Allowed for a Key setting before restoring the backup.
Figure 19 Viewing the Internal Backup List section
The following table describes the components of the Internal Backup List section.
Table 7 Internal Backup List section components
Components | Description
Backup Name | Displays the backup name.
Date | Displays the date on which the backup was created.
Size | Displays the size of the backup file.
Download | Click Download to download an internal backup file to your browser.
Figure 20 Viewing the Services List section
The following table describes the components of the Services List section.
Table 8 Services List section components
Components | Description
Name |
• KMS Server: the “brains” of the SKM, which manages all incoming and outgoing connections (both secure and clear text). When disabled, the SKM cannot be used to fulfill requests.
• Web Administration: When enabled, the SKM can be configured through a web browser.
Figure 21 Viewing the Restart/Halt section
The following table describes the components of the Restart/Halt section.
Table 9 Restart/Halt section components
Components | Description
Restart/Halt | Select Restart to reboot the SKM, or Halt to shut down. NOTE: Using the restart and halt functions terminates all active connections to the SKM.
Commit | Click Commit to perform the function selected in the Restart/Halt field.
Figure 22 Viewing the Device Information section
The following table describes the components of the Device Information section.
Table 10 Device Information section components
Components | Description
Product | Displays the model of SKM.
Unit ID | The Unit ID is composed of letters and numbers. On the DL360 G5 platform, the Unit ID is ten characters. You will be required to provide your Unit ID if you ever need to contact Customer Support.
Software Version | Displays the version of the server software.
Software Upgrade/Install
The software upgrade and installation mechanism can be used to install new features, upgrade core software, and apply security patches. You can upgrade or install software from both the Management Console and the Command Line Interface. If you are interested in monitoring the status of the upgrade, perform the upgrade from the Command Line Interface. Software upgrades must be applied individually to each SKM in a cluster.
IMPORTANT: You must be running the base release upon which the patch is built before upgrading to the patch release. You cannot upgrade directly from a previous base release to a patch. If you receive a software patch from HP, follow the installation instructions that come with it.
Rolling back software
Occasionally it is necessary to roll back software to a previous version. The SKM allows you to roll back one version of the software.
Figure 25 Viewing the Refresh Page section
The following table describes the components of the Refresh Page section.
Table 13 Refresh Page section components
Component | Description
Refresh Every | Specify the refresh rate of the System Statistics page. Available refresh intervals are:
• Never (default value)
• 5 seconds
• 15 seconds
• 30 seconds
• 60 seconds
• 2 minutes
• 5 minutes
NOTE: This value is only valid while you are viewing the System Statistics page.
Cooling Fan Status
The Cooling Fan Status section provides information on the status of all of the SKM's cooling fans. The following table describes the different states that are represented in the Cooling Fan Status section.
Figure 27 Viewing the Cooling Fan Status section
The following table describes the components of the Cooling Fan Status section.
Table 15 Cooling Fan Status section components
Component | Description
Displays the status of the cooling fan.
Traceroute Information
Use the Traceroute Information section to examine the path between the SKM and a destination.
Figure 29 Viewing the Traceroute Information section
The following table describes the components of the Traceroute Information section.
Table 17 Traceroute Information section components
Component | Description
Traceroute | Specify the host name or IP Address of the destination system for performing a traceroute.
Figure 31 Viewing the Netstat Information section
The following table describes the components of the Netstat Information section.
Table 19 Netstat Information section components
Component | Description
Run | Click Run to see a list of all active network connections on the SKM.
A SKM appliance information sheet
This information is specific to the HP StorageWorks Secure Key Manager (SKM) appliance to which it is attached. There is one data sheet per appliance. See figures on reverse for item locations.
IMPORTANT: Keep this information in a secure location, along with the external USB token, for access by the Security Officer only. It is needed for the successful installation and management of this SKM appliance.
Figure 33 Front and top of SKM appliance
Figure 34 Back of SKM appliance
Item | Description
1 | Product ID number (PID) of the appliance
2 | Serial number of the appliance
3 | Pull-out panel that also shows the appliance Serial Number.
B Using the Management Console
Logging in and out
Use the Administrator Authentication screen to log into the Management Console.
Figure 35 Viewing the Administrator Authentication screen
The following table describes the components of the Administrator Authentication page.
Table 21 Administrator Authentication screen components
Components | Description
Username | When logging in for the first time, type the default username admin. Thereafter, type the name assigned by the system administrator.
• Recent Actions
Security Summary
Use this section to view security-related summary information for your SKM.
Figure 37 Viewing the Security Summary section
Click the High Security page link to access the High Security page. You can enable FIPS compliance from there. You can select the Do not show this message again checkbox and click Submit to remove the Security Summary section from the Home page.
NOTE: Once you remove the Security Summary section from the Home page, you cannot restore that section.
Component | Description
Software Version | Displays the version of the software currently running on the SKM.
Date | Displays the current date.
Time | Displays the current time.
Time Zone | Displays the current time zone setting.
System Uptime | Shows the length of time that the system has been running.
Licenses | Shows the number of licenses available.
Licenses in Use | Shows the number of licenses currently being used to connect to the SKM.
Figure 40 Viewing the Search Criteria section
The following table describes the components of the Search Criteria section.
Table 24 Search Criteria section components
Component | Description
Query Keys | Select the link to access the Query Key section, then create and/or run a query to return a specific set of keys.
Search | Select the values to search for. Possible values are Keys, Local Users, and Local Groups.
Which | Select the search criteria.
Using features common to the Security and Device tabs
The following sections describe how to set display parameters for Management Console viewing. These parameters are used in some sections of screens on the Security tab and the Device tab.
Filtering sections
Some sections of the Management Console normally hold many rows of data. Key and Local Users sections may span multiple pages. Use the search fields on these screens or sections to filter the values that are displayed.
Accessing the Help system
The Management Console provides you with two ways to access product documentation: context-sensitive help, and help. Both methods access the same files housed on the HP SKM. Context-sensitive help is available for each section by clicking the help icon on the top right side of the section header.
Figure 44 Locating button to launch context-sensitive help
Clicking this icon opens the documentation for the specific section in a new window. (Subsequent clicks open additional windows.
Figure 46 Finding the Help link
Clicking this icon opens the help system in a new web browser. The default page shows the table of contents.
Using the Key and Policy Configuration screen
Keys are used to perform cryptographic operations such as encryption and decryption. Use authorization policies to restrict the use of a key to certain numbers of operations per hour or certain times during the week. The Key and Policy Configuration page enables you to create, import, and manage keys.
CAUTION: Do not delete keys that might be needed to decrypt data at some point in the future. Once you delete a key, there is no way to decrypt data that was encrypted with that key. As such, you should be extremely cautious when making decisions about deleting keys. The Keys section enables you to view all the keys on the server. You can click a field name (Key Name, Owner) to sort the keys by that value; toggle to alternate between ascending and descending order.
Component | Description
Algorithm | The algorithm might be any of the following:
• AES-256
• AES-192
• AES-128
• DES-EDE-168 (three key triple DES)
• DES-EDE-112 (two key triple DES)
• DES
• RC4-128
• RC4-40
• HmacSHA1
• RSA-2048
• RSA-1024
• RSA-512
NOTE: Some of the algorithms listed above will not be available on FIPS-compliant devices.
Deletable | A check mark in the box indicates that the key is deletable via an XML request. If a key is marked deletable, only the owner can delete it.
Figure 48 Viewing the Key Properties section
The following table describes the components of the Key Properties section.
Table 29 Key Properties section components
Component | Description
Key Name | Name of key described in the current row.
Owner Username | Name of the user that owns the key. If blank, the key is a global key and therefore accessible to all users. NOTE: Once a key has an owner it is no longer a global key. You cannot change it into a global key by removing the owner.
The state, combined with the key type and group permissions, determines how the key version can be used. Ultimately, a key version can only be used when: the key’s group permissions permit the operation, the key version’s state permits the operation, and the request comes from a member of the permitted group. A key can have a maximum of 4000 versions.
Group Permissions
Use the Group Permissions section to modify the permissions for a key. Key permissions are granted at the group level.
Component | Description
Delete | Click Delete to remove the permissions for a group.
For example, in Figure 49, members of group1 have permission to export key1. Members of group2 can export according to policy1. When a user is a member of multiple groups, the user inherits the union of the group permissions. In the example above, if a user is a member of group1 and group2, that user always has permission to export.
Component | Description
Add | Click Add to add an attribute.
Delete | Click Delete to remove the selected attribute.
Key Versions and Available Usage
Use this section to create new key versions and manage how those versions are used. All versions of a key have the same metadata (found on the Key Properties, Permissions, and Custom Attributes sections). The version number, key state, creation date, default IV, and key bytes differ for each key version.
Figure 52 Viewing the Public Key section
The following table describes the components of the Public Key section.
Table 33 Public Key section components
Component | Description
Public Key | Displays the public key.
Download Public Key | Click Download Public Key to download the RSA public key.
Create Query
Use this section to create key queries. A key query enables you to view a subset of the keys that exist on the SKM.
Component | Description
Save Query | Click Save Query to save the query without executing it.
Run Query without Saving | Click Run Query without Saving to execute the query. The query name will appear on the results page as Unnamed Query. You can navigate away from the Keys section and still reapply the Unnamed Query; however, the Management Console will only store one Unnamed Query at a time. Old unnamed queries are forgotten.
Use this section to modify, delete, and run saved queries.
Figure 55 Viewing the Modify Query section
NOTE: You cannot greatly modify the built-in query [All]. The Appliance will only permit you to change the Columns Shown values.
Table 36 Modify Query section components
Component | Description
Query Name | The name of the query. This field is only required when saving the query. You can run a query without saving, but you can only save a query before running it.
Description | A description of the query.
Figure 56 Viewing the Create Key section
The following table describes the components of the Create Key section.
Table 37 Create Key section components
Component | Description
Key Name | This is the name that the server uses to refer to the key. The key name must begin with a letter, must be between 1 and 64 characters (inclusive), and can consist of only letters, numbers, underscores (_), periods (.), and hyphens (-).
Component | Description
Versioned Key Bytes | When selected, the key contains multiple versions, up to a maximum of 4000. Each key version has unique key bytes, but shared key metadata (key name, algorithm, permissions, etc.). The first key version is created when the key is created. Additional key versions may be created later using the Key Versions section.
Copy Group Permissions From | Select an existing key to copy its group permissions.
IMPORTANT: The server will not import keys that are known to be weak, such as 64 bit DES. In addition, the parity bits must be set properly; otherwise, the server returns an error.
Figure 58 Viewing the Import Key section
The following table describes the components of the Import Key section.
Table 39 Import Key section components
Component | Description
Key Name | This is the name that the server uses to refer to the key.
Component | Description
Deletable | A check mark in the box indicates that the key is deletable via an XML request by the key owner (or any user for global keys). After a key is created, this value may be changed.
Exportable | A check mark in the box indicates that the key is exportable via an XML request. An exportable key can be exported by its owner and by members of a group with “Export” permission for the key. A global key marked exportable can be exported by any user.
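The Import Key section above requires DES-family key bytes to have correct parity bits and rejects known weak keys. The following pre-import check is an added example, not HP's code: the function names are hypothetical, the sample keys are constructed, and it assumes raw key bytes supplied as 8 bytes per DES component. It also flags repeated triple-DES components, which goes beyond what the guide states.

```python
"""Pre-import sanity check for DES-family key bytes (added example)."""

# Assumed byte lengths for the DES-family algorithm names the guide lists
# (8 bytes per DES component, parity bits included).
DES_KEY_BYTES = {"DES": 8, "DES-EDE-112": 16, "DES-EDE-168": 24}

# The four published DES weak keys, written with correct odd parity.
DES_WEAK_KEYS = {bytes.fromhex(h) for h in (
    "0101010101010101", "FEFEFEFEFEFEFEFE",
    "E0E0E0E0F1F1F1F1", "1F1F1F1F0E0E0E0E",
)}


def has_odd_parity(byte):
    """DES expects every key byte to contain an odd number of 1 bits."""
    return bin(byte).count("1") % 2 == 1


def fix_parity(key):
    """Return the key with the low (parity) bit of each byte corrected."""
    out = bytearray()
    for b in key:
        high7 = b & 0xFE  # the seven bits that carry key material
        out.append(high7 if has_odd_parity(high7) else high7 | 1)
    return bytes(out)


def check_des_key(algorithm, key):
    """Return a list of problems; an empty list means these checks passed."""
    expected = DES_KEY_BYTES.get(algorithm)
    if expected is None:
        return [f"not a DES-family algorithm: {algorithm}"]
    if len(key) != expected:
        return [f"expected {expected} bytes, got {len(key)}"]

    problems = []
    bad = [i for i, b in enumerate(key) if not has_odd_parity(b)]
    if bad:
        problems.append(f"parity bit wrong in byte(s) {bad}")

    # Compare on parity-corrected components so a parity error cannot
    # hide a weak or repeated component.
    parts = [fix_parity(key[i:i + 8]) for i in range(0, len(key), 8)]
    for n, part in enumerate(parts, start=1):
        if part in DES_WEAK_KEYS:
            problems.append(f"component {n} is a DES weak key")
    if len(set(parts)) < len(parts):
        problems.append("components repeat, so strength is below the nominal key size")
    return problems


if __name__ == "__main__":
    # Constructed sample keys, not real key material.
    samples = [
        ("DES-EDE-168", "0123456789ABCDEFFEDCBA987654321089ABCDEF01234567"),
        ("DES", "0023456789ABCDEF"),            # first byte has even parity
        ("DES", "0101010101010101"),            # published weak key
        ("DES-EDE-112", "0123456789ABCDEF0123456789ABCDEF"),
    ]
    for alg, hexkey in samples:
        result = check_des_key(alg, bytes.fromhex(hexkey))
        print(alg, hexkey, "->", result or "ok")
```

Running the check before an import catches a parity error locally instead of through the server's error response; whether the SKM rejects exactly these four weak keys is not stated in the guide.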
NOTE: Authorization policies cannot be applied to global keys or to certificates. Key owners are not subject to policy restrictions.
The Authorization Policy Configuration page enables you to create and manage authorization policies. This page contains the following sections:
• Authorization Policies
• Authorization Policy Properties
• Authorized Usage Periods
Authorization Policies
Use the Authorization Policies section to create and manage the authorization policies for the SKM.
Figure 60 Viewing the Authorization Policy Properties section
The following table describes the Authorization Policies Properties section.
Table 41 Authorization Policy Properties section components
Component | Description
Policy Name | Click the name to view the details of a policy.
Maximum Operations per Hour | By default, policies can perform unlimited operations. The valid range of operations is 1 to 500,000,000.
Edit | Click Edit to modify the policy properties.
Figure 61 Viewing the Authorized Usage Periods section
The following table describes the Authorization Usage Periods section.
Table 42 Authorization Usage Periods section components
Component | Description
Start Day | Displays the day on which the usage period begins.
Start Time | Displays the time at which the usage period begins.
End Day | Displays the day on which the usage period ends.
End Time | Displays the time at which the usage period ends.
Edit | Click Edit to modify a usage period.
Figure 62 Viewing the Active Versions section
Table 43 Active Versions section components
Component | Description
Number of Active Versions Allowed for a Key | Displays the number of active versions allowed for a versioned key.
Edits | Click Edit to change the number of active versions allowed.
NOTE: When restoring a key to the Key Manager, the key must conform to the appliance’s current Number of Active Versions Allowed for a Key setting on the Key and Policy Configuration page.
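The export rules described in the Group Permissions example (group1 and group2 on key1) and in the authorization policy sections above can be modeled as a single decision function. This is an added example, not the SKM's implementation: the class and function names, the `ALWAYS` label, the caller-supplied `ops_this_hour` counter, the weekly wrap-around of usage periods, and treating a policy with no usage periods as unrestricted in time are all assumptions.

```python
"""Model of the guide's export-permission rules for one key (added example)."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]
ALWAYS = "Always"  # assumed label for an unconditional group permission


def minute_of_week(day, hhmm):
    """Minutes since Monday 00:00 for a day name and an HH:MM time."""
    hours, minutes = (int(x) for x in hhmm.split(":"))
    return DAYS.index(day) * 1440 + hours * 60 + minutes


@dataclass
class Policy:
    name: str
    max_ops_per_hour: Optional[int] = None  # None = unlimited, the guide's default
    usage_periods: list = field(default_factory=list)  # (start day, time, end day, time)

    def __post_init__(self):
        # The guide gives 1 to 500,000,000 as the valid range.
        limit = self.max_ops_per_hour
        if limit is not None and not 1 <= limit <= 500_000_000:
            raise ValueError("Maximum Operations per Hour must be 1 to 500,000,000")

    def allows(self, when, ops_this_hour):
        if self.max_ops_per_hour is not None and ops_this_hour >= self.max_ops_per_hour:
            return False
        if not self.usage_periods:
            return True  # assumption: no periods defined means any time
        now = when.weekday() * 1440 + when.hour * 60 + when.minute
        for start_day, start_time, end_day, end_time in self.usage_periods:
            start = minute_of_week(start_day, start_time)
            end = minute_of_week(end_day, end_time)
            if start <= end:
                inside = start <= now <= end
            else:  # assumption: a period may wrap past Sunday into Monday
                inside = now >= start or now <= end
            if inside:
                return True
        return False


@dataclass
class Key:
    name: str
    owner: Optional[str] = None  # None = global key
    exportable: bool = False
    group_perms: dict = field(default_factory=dict)  # group -> ALWAYS or policy name


def may_export(key, user, groups, policies, when, ops_this_hour=0):
    """Return (allowed, reason) for an export request."""
    if not key.exportable:
        return False, "key is not marked exportable"
    if key.owner is None:
        return True, "global key marked exportable: any user"
    if user == key.owner:
        return True, "key owner: not subject to policy restrictions"
    denied = []
    for group in groups:  # union: one permitting group is enough
        perm = key.group_perms.get(group)
        if perm is None:
            continue
        if perm == ALWAYS:
            return True, f"{group}: unconditional export permission"
        policy = policies.get(perm)
        if policy is not None and policy.allows(when, ops_this_hour):
            return True, f"{group}: within {perm}"
        denied.append(f"{group}: {perm} does not allow this request")
    return False, "; ".join(denied) or "no group permission for this key"


if __name__ == "__main__":
    # Constructed data mirroring the guide's key1 / group1 / group2 / policy1 example.
    policies = {"policy1": Policy("policy1", 100, [("Monday", "09:00", "Friday", "17:00")])}
    key1 = Key("key1", owner="alice", exportable=True,
               group_perms={"group1": ALWAYS, "group2": "policy1"})
    saturday = datetime(2009, 4, 4, 12, 0)
    print(may_export(key1, "bob", ["group2"], policies, saturday))
    print(may_export(key1, "carol", ["group1", "group2"], policies, saturday))
```

The model covers export permission only; key version state, which the guide also lists as a condition for using a key version, is left out.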
Configuring the users and groups
A user directory contains a list of users that may access the keys on your KMS Server, and a list of groups to which those users belong. The KMS Server can use one of two user directories:
• A local user directory, where users and groups are defined only on the local device and are not available to any other SKM.
• A central server running the Lightweight Directory Access Protocol (LDAP), which enables all devices to access the same set of users and groups.
Figure 64 Viewing the Local Users section
The following table describes the components of the Local Users section.
Table 45 Local Users section components
Component | Description
Username | This is the name of the user. The username must begin with a letter, it must be between 1 and 64 characters (inclusive), and it can consist of letters, numbers, underscores (_), periods (.), and hyphens (-).
Password | The password for the local user.
NOTE: The User Administration Permission and Change Password Permission apply only to local users. LDAP users cannot be managed through the SKM; they must be managed through the LDAP server.
Selected Local User
Use the Selected Local User section to view information about an individual user.
Figure 65 Viewing the Selected Local User section
The following table describes the components of the Selected Local User section.
Figure 66 Viewing the Custom Attributes section
The following table describes the components of the Custom Attributes section.
Table 47 Custom Attributes section components
Component | Description
Attribute Name | Enter the name of the attribute. NOTE: Attribute names must contain alphanumeric characters only. You cannot include special characters or whitespaces in the name. In addition, the first character of the name must be a letter. Maximum length is 64 characters.
Figure 67 Viewing the Local Groups section
The following table describes the components of the Local Groups section.
Table 48 Local Groups section components
Component | Description
Group | Displays the local groups on the SKM.
Add | Click Add to add a group to the group list.
Delete | Click Delete to delete a group from the group list.
Properties | Click Properties to access the User List section and view the users in the selected group.
Figure 69 Viewing the User List section
The following table describes the components of the User List section.
Table 50 User List section components
Component | Description
Username | Displays the users in the group.
Add | Click Add to add a user to the user list.
Delete | Click Delete to delete a user from the user list.
Figure 70 Viewing the LDAP User Directory Properties section
The following table describes the components of the LDAP User Directory Properties section.
Table 51 LDAP User Directory Properties section components
Component | Description
Server IP or Hostname | The IP address or hostname of the primary LDAP server.
Server Port | The port on which the LDAP server is listening. LDAP servers typically use port 389. For SSL connections, LDAP servers typically use port 636.
Figure 71 Viewing the LDAP Schema Properties section
The following table describes the components of the LDAP Schema Properties section.
Table 52 LDAP Schema Properties section components
Component | Description
User Base DN | The base distinguished name (DN) from which to begin the search for usernames.
User ID Attribute | The attribute type for the user on which to search. The attribute type you choose must result in globally unique users.
Component | Description
Edit | Click Edit to modify the properties.
Clear | Click Clear to remove the current properties.
LDAP Failover Server Properties
Use the LDAP Failover Server Properties section to define a backup LDAP server to use in case the main LDAP server becomes inaccessible due to a non-timeout error. When the primary LDAP server is down, the SKM shifts to the failover LDAP server and periodically retries the main server to see if it has become accessible again.
• User List

LDAP Users

The LDAP Users section displays the users available in the LDAP user directory.

Figure 73 Viewing the LDAP Users section

The following table describes the components of the LDAP Users section.

Table 54 LDAP Users section components
Component: Description
Username: Displays the users that can access the SKM from the LDAP server.

LDAP Groups

The LDAP Groups section displays the groups available in the LDAP user directory.

Figure 74 Viewing the LDAP Groups section

The following table describes the components of the LDAP Groups section.

Table 55 LDAP Groups section components
Component: Description
Group: Displays the groups that can access the SKM from the LDAP server. Click the group name to access the User List page and view the members of that group.
Properties: Click Properties to access the User List page and view the users within a specific group.
Certificate and CA Configuration Page

Certificates identify one entity to another. In this case, when making SSL connections between a client application and the KMS Server, the server must provide its server certificate to the client application. Likewise, if you require client applications to validate themselves to the KMS Server via client certificates, then the client application must provide its client certificate to the server during the SSL handshake.

Component: Description
Certificate Information: A certificate summary containing the following information:
• Common Name: Name of entity to which certificate is issued. This is typically the name of the application.
• Issuer Name: Name of CA that issued the certificate. This information is not displayed for certificate requests.
• Expiration Date: The final date on which this certificate is valid. Following this date, the certificate can only be renewed by obtaining a new certificate from the CA.
Figure 77 Viewing the Certificate Information section

The following table describes the components of the Certificate Information section.

Table 58 Certificate Information section components
Component: Description
Certificate Name: Name of the certificate. This name is only used internally.
Key Size: Size of the key associated with this certificate.
Start Date: The activation date for the certificate. The certificate cannot be used before the activation date.

Component: Description
Install Certificate: Click Install Certificate to go to the Certificate Installation page. The Install Certificate button can be applied to either certificate requests or active certificates.
• When applied to a certificate request the button is intended for transforming the certificate request into an active certificate.
• When applied to an existing certificate the button is intended for reinstalling a certificate.

The following table describes the components of the Certificate Installation section.

Table 59 Certificate Installation section components
Component: Description
Certificate Name: Displays the name assigned to this certificate.
Key Size: Displays the key size associated with this certificate.
Component: Description
Certificate Duration (days): The duration during which the certificate is valid.
Create: Click Create to create the certificate.
Back: Click Back to return to the Certificate Request Information section.

Create Certificate Request

For instructions on how to use a local CA to sign a certificate request, please see Sign Certificate Request. The Create Certificate Request section is used to create certificate requests (CR) that can be signed by a local CA.

Component: Description
Email Address: E-mail address of person requesting the certificate. This field is optional.
Key Size: Size of key being generated. The SKM supports 768-bit, 1024-bit, and 2048-bit key sizes. 1024-bit is the most commonly used key size. This field is required.
Create Certificate Request: Click Create Certificate Request to create the CR. Once created, the request appears in the Certificate List with a status of Request Pending.

Component: Description
Private Key Password: The password used to access the key.
Import Certificate: Click Import Certificate to import the certificate to SKM.

Using the Certificate and CA Configuration screen

The SKM is capable of functioning as a certificate authority (CA). Local CAs are managed on the Certificate Authority Configuration page and are used to issue certificates to clients (including applications and databases) that might be making requests to the KMS Server.

Component: Description
Edit: Click Edit to change the name of a profile.
Add: Click Add to create a profile. A newly created profile is initially empty. You must add CAs to the list of Trusted CAs for that profile.
Delete: Click Delete to remove a profile. You cannot delete a profile if it is specified on the KMS Server Authentication Settings section of the Key Management Services Configuration page.
Properties: Click Properties to access the Trusted CA List for the profile.
Figure 84 Viewing the Trusted Certificate Authority List (Edit Mode)

The following table describes the components of the Trusted Certificate Authority List section.

Table 65 Trusted Certificate Authority List Components
Component: Description
Trusted CAs: The Trusted CAs window displays the list of CAs that are trusted. You can remove a CA from the list of Trusted CAs by selecting it in the Trusted CAs window and clicking Remove. You can select multiple CAs by holding down the Shift key while selecting.
Figure 85 Viewing the Local Certificate Authority List section

The following table describes the components of the Local Certificate Authority List section.

Table 66 Local Certificate Authority List section components
Component: Description
CA Name: Displays the internal name of a certificate authority.
CA Information: Displays the common name, issuer, and expiration date of a CA.
CA Status: Displays the status of the CA.
Edit: Click Edit to edit the values of a CA.

Figure 86 Viewing the CA Certificate Information section

The following table describes the components of the CA Certificate Information section.

Table 67 CA Certificate Information section components
Component: Description
Certificate Name: Name of the certificate. This name is only used internally.
Key Size: Size of the key associated with this certificate.
Start Date: The activation date for the certificate. The certificate cannot be used before the activation date.

Sign Certificate Request

Use the Sign Certificate Request section to sign certificate requests.

Figure 87 Viewing the Sign Certificate Request section

The following table describes the components of the Sign Certificate Request section.

Table 68 Sign Certificate Request section components
Component: Description
Sign with Certificate Authority: Select the CA that will sign the certificate request.
Certificate Purpose: Select where the certificate will be used, either on the client or the server.

Figure 88 Viewing the Signed Certificates section

The following table describes the components of the Signed Certificates section.

Table 69 Signed Certificates section components
Component: Description
Serial Number: The Serial Number, which is expressed in Base 16 notation, is assigned by the SKM and used internally to refer to a certificate signed by a local CA.
Figure 89 Viewing the Signed Certificate Information section

The components of the Signed Certificate Information section are view-only.

Create Local CA

The Create Local CA section allows you to create a new local CA on the SKM. The fields are similar to those used to create a certificate on the Certificates page. When creating a local CA, you must provide a value for each field shown in the following graphic; you get an error otherwise.

Figure 90 Viewing the Create Local Certificate Authority section

The following table describes the components of the Create Local Certificate Authority section.

Table 70 Create Local Certificate Authority section components
Component: Description
Certificate Authority Name: Internal name of newly generated certificate authority. This name will be used when referring to this CA in other parts of the administrative interface.
Common Name: Common name of new CA.

Component: Description
Certificate Authority Type: Local CAs can be one of two types: Self-signed root CA, or Intermediate CA Request. When you create a self-signed root CA, you must also specify a CA Certificate Duration and a Maximum User Certificate Duration, which become valid once you click Create. Once you create a self-signed root CA, you must add it to the trusted CA list for it to be recognized by the KMS Server.
Component: Description
Certificate Status: Displays one of three values:
• Certificate Active - The CA can be used to issue certs and sign certificate requests.
• Certificate Expires: X Days - The CA cert expires in X days. This status appears 30 days before the certificate expires.
• Certificate Expired - The CA has expired. For an external CA, such as VeriSign, contact the CA to obtain a new certificate. For a local CA, regenerate the CA.
Edit: Click Edit to change the name of a CA certificate.
CRL v2 format. Support for CRLs on the SKM allows you to obtain, query, and maintain CRLs published by CAs supported on the SKM. The SKM uses CRLs to verify certificates in two ways.
• Require Client Authentication – when enabled, the SKM only accepts connections from clients that present a valid client certificate. As certificates are presented to the SKM, they are checked against the CRL published by the CA who issued the certificate.

NOTE: The Auto-Update feature does not apply to local CAs.

Force Periodic Update

The SKM performs a daily check of the Next Update field to determine whether it should attempt to update the CRL for a particular CA. If you are not satisfied with a daily check of the Next Update field or if it is possible that the CA incorrectly set the Next Update field in the CRL, you can use the optional Force Periodic Update parameter to instruct the SKM to download updated CRLs at an interval you specify.
Only the following models are capable of operating in accordance with FIPS standards:
• HP DL360 R05

All other SKM models can be configured for high security but cannot be FIPS-compliant.

Advanced Security Access Control

Altering the security settings on the High Security Configuration page can have a profound effect on the security of your HP platform and alter your compliance with FIPS standards. For this reason, administrators must have the Advanced Security Access Control to modify these settings.
Software Patches and Upgrades

HP will indicate which software patches and upgrades are FIPS certified. Apply only FIPS certified software to a FIPS-compliant device. Doing otherwise takes the device out of FIPS compliance.

Enabling and Disabling FIPS Compliance

According to FIPS requirements, you cannot enable or disable FIPS when there are keys on the SKM. You must manually delete all keys before enabling and disabling FIPS compliance. Keys are zeroized upon deletion.
Component Description Click Set FIPS Compliant to alter the settings shown in the High Security Settings and Security Settings Configured Elsewhere sections and enable FIPS compliance. When you enable FIPS compliance, the Management Console automatically adjusts the settings in the High Security Settings and Security Settings Configured Elsewhere sections to comply with FIPS standards.
Figure 94 Viewing the High Security Settings section

The following table describes the components of the High Security Settings section.

Table 74 High Security Settings section components
Component: Description
Disable Creation and Use of Global Keys: Disables the ability to create and use global keys. Once this option is selected, global keys cannot be created on the SKM. Any existing global keys will not be usable by the SKM for any purpose.

Component: Description
Disable Hotswappable RAID Drives: Prevents administrators from changing RAID drives through the Management Console. IMPORTANT: You cannot replace RAID drives and remain FIPS-compliant. To change RAID drives you must either disable FIPS or return the device for drive replacement. This option will appear on RAID capable devices only.
Edit: Click to change the settings in this section. IMPORTANT: Deselecting any of these fields will bring SKM out of FIPS compliance.

Component: Description
Allowed SSL Protocols: Displays the SSL Protocols enabled in the SSL Options section. Click the link to access the SSL Options section. FIPS compliance requires that SSL 2.0 and SSL 3.0 be disabled.
Enabled SSL Ciphers: Indicates the security strength of the SSL ciphers enabled in the SSL Cipher Order section. Click the link to access the SSL Cipher Order section.

Configuring the High Security Settings on an SKM

IMPORTANT: When you enable FIPS compliance on the SKM, the functionality displayed here is disabled. Modifying any of the items in the High Security Settings section immediately takes the device out of FIPS compliance. This section should be used to review the key and device security functionality that has been disabled for full FIPS compliance. When the device is FIPS-compliant, you should not alter these settings.
Test                                  power-on  Conditional  Description
------------------------------------------------------------------------
X9.31 PRNG                            X                      Known Algorithm Test for the X9.31 PRNG. This test is performed at power-on.
Continuous Random Number Generation             X            Test of the random number generation. This test is run whenever the system generates a random number.
RSA Pairwise Consistency                        X            Pairwise consistency test of RSA key generation. This test is run whenever the system generates a key.
DSA Pairwise Consistency                        X            Pairwise consistency test of DSA key generation.
Figure 96 Viewing the FIPS Status Report: normal

The following table describes the components of the FIPS Status Server Settings section.

Table 77 FIPS Status Report components
Component: Description
Product: Displays the model of your device.
Unit ID: The Unit ID is composed of alphanumeric characters.
Hostname: The hostname is the name used to identify the SKM on the network.
IP Address(es): This field specifies the IP address(es) on which the KMS Server is enabled on the SKM.

Component: Description
Test Results: Displays the result and timestamp for each of the following self-tests:
• AES Encryption
• DES Encryption
• DSA Encryption
• HMAC Algorithm
• SHA-1 Algorithm
• SHA2-256 Algorithm
• SHA2-384 Algorithm
• SHA2-512 Algorithm
• RSA Encryption
• X9.31 PRNG
• Continuous Random Number Generation
• RSA Pairwise Consistency
• DSA Pairwise Consistency
• Software Integrity
If the device enters an error state, reboot. If the error persists, contact customer support.

Component: Description
Local IP: Select the IP addresses on which the FIPS Status Server is enabled on the SKM.
Local Port: Select the port on which the server status report is available. Default is 9081.

SSL overview

The SKM is designed to be able to establish Secure Sockets Layer (SSL) and Transport Layer Security (TLS) connections with all applications and databases that make requests to the KMS Server. SSL and TLS are the most widely deployed security protocols in network security.

SSL Session Timeout

All SSL sessions stored in the SKM's session cache have an expiration period, typically two hours. This means the SKM accepts a session resume request for at most two hours after the session is first established. Consequently, every client application must renegotiate a session-key at least once every two hours. This limits the amount of information encrypted with a particular session-key.
IMPORTANT: Some web browsers, including Internet Explorer 6.0, do not have TLS 1.0 enabled by default. If you disable SSL 2.0 and 3.0, please check first that your browser has TLS 1.0 enabled. (In Internet Explorer, select Internet Options from the Tools menu, click the Advanced tab, scroll down to the Security section, and make sure the "Use TLS 1.0" checkbox is checked.
SSL Cipher Order

Use this section to enable, disable, and order the priority of SSL ciphers. Different applications and databases support different encryption algorithms for securing SSL sessions. The SKM supports many SSL ciphers and consequently can communicate securely using all common ciphers. Please note that the SSL Cipher Order pertains to the communication channel between the client (application, database, etc.) and the SKM.

Component: Description
Hash: This field specifies the Hash function to use for SSL session integrity. The supported Hash functions are:
• SHA-1: (Secure Hash Algorithm). SHA-1 operates on 64-byte blocks of data and produces a 160-bit authentication value.
• MD5: (Message Digest algorithm). MD5 operates on 64-byte blocks of data and produces a 128-bit authentication value.

The KMS Server can define a local users and groups list or you can use an LDAP server to centrally manage your users and groups.

Authentication Options

The KMS Server provides many options with respect to security and authentication. You can:
• mandate SSL – You can choose between SSL connections and standard TCP connections; SSL connections are more secure since all data exchanged between client and server is encrypted.

Key Management Services Configuration sections

The Key Management Services Configuration page enables you to configure the KMS Server, KMS Server Authentication Settings, and the user account lockout settings. This page contains the following KMS Server-related sections:
• KMS Server Settings
• KMS Server Authentication Settings
• User Account Lockout Settings

KMS Server Settings

Use the KMS Server Settings section to set up the basic KMS Server settings.
Component: Description
Connection Timeout (sec): The Connection Timeout value specifies in seconds how long client connections can remain idle before the KMS Server begins closing them. The default value is 60; the maximum value is 7200 (2 hours). Specifying a value of 0 means that the KMS Server will not close client connections due to inactivity.
When this feature is enabled, the KMS Server allows the following actions:
• key creation and deletion.
• key import.

Figure 101 Viewing the KMS Server Authentication Settings section

The following table describes the elements of the KMS Server Authentication Settings section.

Table 82 KMS Server Authentication Settings section components
Component: Description
This field determines whether the KMS Server uses a local user and groups directory for this device or a central LDAP server. You can only choose one user directory at a time; if you choose LDAP, any local users or groups you define will be unavailable.

Component: Description
Trusted CA List Profile: This field allows you to select a profile to use to verify that client certificates are signed by a CA trusted by the SKM. This option is only valid if you require clients to provide a certificate to authenticate to the KMS Server. For more information, see Trusted Certificate Authority List Profiles. As delivered, the default Trusted CA List profile contains no CAs.

Component: Description
Edit: Click Edit to modify the account lockout settings.

Health Check overview

The Health Check feature allows you to configure client applications to check the availability of the KMS Server by sending the KMS Server an HTTP request. The Health Check feature listens for requests on a port that you specify in the Health Check section of the Key Management Services Configuration page.

Component: Description
Local IP: In this field you specify the IP address on which you want to listen for health check requests. You can specify an individual IP address bound to the SKM or you can specify All. IMPORTANT: We strongly recommend that you limit the Health Check feature to a specific IP address.
• LDAP Server
• SSL
• Administrators and Remote Administration
• IP Authorization
• Logging
• Service Startup
• Known CAs, CRLs, and Trusted CA List Profiles

The following configuration settings cannot be automatically replicated within a cluster:
• Network settings
• Certificates (other than the Log Signing Certificate)

NOTE: Items not replicated by the clustering feature can be replicated manually using the Backup and Restore mechanism described in Services Configuration Page.
NOTE: When upgrading from a previous release, local CA replication is disabled by default.

Automatic Synchronization Backups

Prior to each synchronization, and when an SKM joins a cluster, the KMS Server creates an automatic backup of the full list of items that can be replicated. Your synchronization backup may contain some configuration settings that you normally do not replicate.

Component: Description
Server Port: The port on which the device listens for cluster administration requests. CAUTION: The cluster port (typically 9001) must be different from the KMS Server port (typically 9000).
The device’s current status. Valid values are:
• Active: The device is currently connected to the cluster.
• Inactive: The device is currently not connected to the cluster.

Figure 105 Viewing the Cluster Settings section

The following table describes the components of the Cluster Settings section.

Table 86 Cluster Settings section components
Component: Description
Local IP: The IP of the current device. If the device has multiple network interfaces, the pulldown menu lists all available interfaces.
The port on which the device listens for cluster administration requests.

Figure 106 Viewing the Create Cluster section

The following table describes the components of the Create Cluster section.

Table 87 Create Cluster section components
Component: Description
Local IP: The IP of the current device. If the device has multiple network interfaces, the pulldown menu lists all available interfaces.
The port on which the device listens for cluster administration requests.

Figure 107 Viewing the Join Cluster section

The following table describes the components of the Join Cluster section.

Table 88 Join Cluster section components
Component: Description
Local IP: The IP of the current device. If the device has multiple network interfaces, the pulldown menu lists all available interfaces.
Local Port: The port on which the device listens for cluster administration requests. CAUTION: The cluster port (typically 9001) must be different from the KMS Server port (typically 9000).
• Date & Time Procedures

Network Time Protocol overview

The Network Time Protocol (NTP) is a protocol by which computers on a network synchronize their clocks against an NTP server. The NTP implementation on the SKM allows you to synchronize a clock manually or at regular intervals.

Figure 108 Viewing the Date and Time Settings section

The following table describes the components of the Date and Time Settings section.

Table 89 Date and Time Settings section components
Component: Description
Date: Use the drop-down boxes in this field to set the month, day, and year.
• Month: select a value in the range 1 – 12.
• Date: select a value in the range 1 – 31.

Figure 109 Viewing the NTP Settings section

The following table describes the components of the NTP Settings section.

Table 90 NTP Settings section components
Component: Description
Enable NTP: Click inside the box to enable automatic NTP synchronization on the SKM. A check mark inside the box denotes that the feature is enabled. When the NTP feature is enabled, the SKM synchronizes the time with the time on the NTP servers at the interval specified in the Poll Interval field.

Network Interfaces sections

The Network Configuration page contains the following network interface-related section:
• Network Interface List

Network Interface List

Network Interface settings are viewed and modified from the Network Interfaces tab on the Network Configuration page. Use the Network Interface List section to view and set network interfaces for the SKM.

Figure 110 Viewing the Network Interface List section

The following table describes the components of the Network Interface List section.

Figure 111 Viewing the Default Gateway List section

The following table describes the components of the Default Gateway List section.

Table 92 Default Gateway List section components
Component: Description
Interface: The network interface to which the default gateway is associated.
The IP address associated with the server that routes all packets destined for a remote host. A blank Default Gateway indicates that no default gateway exists.
Example 2.

Example 2
Interface      Default Gateway    Used for Outgoing Connections
------------------------------------------------------------------
Ethernet #1    none               no
Ethernet #2    10.20.41.1         yes

All responses to incoming packets leave from 10.20.41.1 - except the responses to incoming packets from the 172.17.7.0 addresses (the local subnet of Ethernet #1). Those responses leave from the Ethernet #1 interface. All connections initiated by the SKM appliance leave from 10.20.41.1.

Example 3.

This configuration is the same as example 3, but in this scenario there are some hosts and networks that are not reachable through 172.17.7.1. Most often these would be private or secure sub-networks. In such a case you would add a static route out of 10.20.41.1 so that the SKM appliance can reach the additional hosts or networks. The static route is shown here:

IP Address      Subnet Mask      Gateway    Interface
------------------------------------------------------------------
66.230.200.0    255.255.255.0    10.20.
Hostname & DNS sections

The Network Configuration page contains the following hostname and DNS-related sections:
• Hostname Setting
• DNS Server List

Hostname Setting

The hostname, which identifies each SKM in a network, is the unique name assigned to an SKM. The Hostname Setting section is shown here:

Figure 113 Viewing the Hostname Setting section

The following table describes the components of the Hostname Setting section.

The following table describes the components of the DNS Server List section.

Table 95 DNS Server List section components
Components: Description
Up, Down: Use the Up and Down buttons to specify the order in which the DNS servers are to be queried by the SKM.
Edit: Click Edit to modify an existing domain name server.
Add: Click Add to add a domain name server.
Delete: Click Delete to remove a domain name server.

Figure 115 Viewing the Network Interface Port Speed/Duplex section

The following table describes the components of the Network Interface Port Speed/Duplex section.

Table 96 Network Interface Port Speed/Duplex section components
Components: Description
Ethernet #1/ Ethernet #2: Select from the following options:
• Auto-Negotiate
• 10 Mbps/Half Duplex
• 10 Mbps/Full Duplex
• 100 Mbps/Half Duplex
• 100 Mbps/Full Duplex
Edit: Click Edit to modify the Network Interface Port Speed/Duplex settings.

Figure 116 Viewing the IP Authorization Settings section

The following table describes the components of the IP Authorization Settings section.

Table 97 IP Authorization Settings section components
Components: Description
KMS Server: You can grant all IPs access to the server, or you can grant access to the IPs listed in the Allowed Client IP Addresses section.
Figure 117 Viewing the Allowed Client IP Addresses section

The following table describes the components of the Allowed Client IP Addresses section.

Table 98 Allowed Client IP Addresses section components
Components: Description
IP Address, Range or Subnet: Enter IP addresses in the following formats:
• single IP address (192.168.1.60)
• a range of IPs (192.168.1.70 - 192.168.1.80)
• an IP and subnet (192.168.100.0/255.255.255.0)
• an IP and subnet in CIDR format (192.168.200.
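The four entry formats listed above can be checked offline when reviewing an allow-list before it is entered on the appliance. The following Python sketch is an added example, not HP code and not the SKM's own matching logic; the function names, the rejection of entries with host bits set or host-mask notation, and the 10.20.30.0/24 CIDR entry are assumptions made for illustration.

```python
import ipaddress

# Constructed allow-list: the first three entries reuse the examples above;
# the CIDR entry is a made-up value because the page's own example is cut off.
SAMPLE_ENTRIES = [
    "192.168.1.60",
    "192.168.1.70 - 192.168.1.80",
    "192.168.100.0/255.255.255.0",
    "10.20.30.0/24",
]


def parse_entry(entry):
    """Return (first, last) IPv4Address bounds for one allow-list entry.

    Raises ValueError for anything that is not one of the four formats.
    """
    text = entry.strip()
    if "-" in text:                                  # range: "a - b"
        low, _, high = text.partition("-")
        first = ipaddress.IPv4Address(low.strip())
        last = ipaddress.IPv4Address(high.strip())
        if first > last:
            raise ValueError(f"range is reversed: {entry!r}")
        return first, last
    if "/" in text:                                  # subnet: dotted mask or CIDR
        addr, _, mask = text.partition("/")
        addr, mask = addr.strip(), mask.strip()
        # Assumption of this example: strict=True, so an entry whose host
        # bits are set (192.168.100.7/24) is treated as a likely typo.
        net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=True)
        # The ipaddress module also accepts host masks (0.0.0.255); reject
        # them so a dotted mask always means what the reviewer typed.
        if "." in mask and str(net.netmask) != mask:
            raise ValueError(f"not a netmask: {entry!r}")
        return net.network_address, net.broadcast_address
    single = ipaddress.IPv4Address(text)             # single address
    return single, single


def load_allow_list(entries):
    """Parse every entry up front so a malformed entry fails at review time."""
    return [parse_entry(e) for e in entries]


def is_allowed(client_ip, bounds):
    """True if client_ip falls inside any parsed entry; bad input is denied."""
    try:
        ip = ipaddress.IPv4Address(client_ip.strip())
    except ValueError:
        return False
    return any(first <= ip <= last for first, last in bounds)


def audit(entries):
    """Return (entry, address_count) pairs so overly broad entries stand out."""
    report = []
    for entry in entries:
        first, last = parse_entry(entry)
        report.append((entry, int(last) - int(first) + 1))
    return report


if __name__ == "__main__":
    bounds = load_allow_list(SAMPLE_ENTRIES)
    for ip in ("192.168.1.75", "192.168.1.81", "192.168.100.9", "172.16.0.1"):
        print(ip, "allowed" if is_allowed(ip, bounds) else "denied")
    for entry, count in audit(SAMPLE_ENTRIES):
        print(f"{count:>6} address(es)  {entry}")
```

The address count from `audit` is the quickest way to spot an entry that admits far more clients than intended, such as a /8 typed in place of a /24.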
SNMP overview

The SNMP protocol enables network and system administrators to remotely monitor devices on the network, such as switches, routers, proxies, and hubs. This protocol relies on three main concepts: network management station (NMS), agent, and Management Information Base (MIB).

secret key, and sends the message to the receiver, who decrypts it using the DES algorithm and the same secret key.

Access control

Access control in SNMP makes it possible for agents to provide different levels of MIB access to different managers. You can restrict access by allowing one NMS to view only standard MIBs and another NMS to view both standard MIBs and Enterprise MIBs.

SNMP concepts

Before discussing how SNMP is configured on the SKM, it is important that a few terms are understood.

This page contains the following sections:
• SNMP Agent Settings – Changes to the SNMP Agent Settings section apply to all management stations, usernames and communities defined on the SKM.
• SNMPv1/SNMPv2 Community List – This section of the SNMP configuration page is where you define from which SNMPv1/v2 management stations the SKM receives SNMP MIB requests.
• SNMPv3 Username List – The SNMPv3 Username List defines from which SNMPv3 management stations the SKM receives SNMP MIB requests.
NOTE: If you are configuring the agent to communicate with an NMS running SNMPv3 software, you can disregard this section. When creating a community on the SKM, it is a good security practice to secure agents by filtering all SNMP requests by community name and source IP address. This filtering restricts where SNMP requests are allowed to come from, and greatly reduces system vulnerability to outside attacks.
SNMPv3 Username List

As the name suggests, the SNMPv3 Username List is used to configure the agent to communicate with an NMS running SNMPv3 software. You can think of this section much in the same way as the SNMPv1/SNMPv2 Community List in that the SNMPv3 Username List defines from which management stations the SKM receives SNMP MIB requests. The main difference is that usernames are specific to SNMPv3.
Component Description This password is used to create the secret key that performs the encrypt and decrypt operations on the data shared between the agent and the NMS. The priv password must be between 8 and 64 characters. Priv Password MIB Access NOTE: If you select the auth, priv security option and you enter a valid value in the Auth Password field, and leave the Priv Password field blank, the value you entered in the Auth Password field is used for the Priv Password as well.
Component: Description
Management Community or Username: Displays either the management community or username. The management community is used to send SNMP data to the SNMPv1/v2 management stations. The manager community is used by SNMPv1/v2 management stations to filter SNMP traps and is not related to the agent community name. The Manager Community name cannot exceed 64 characters. The username is used to send SNMP data to SNMPv3 management stations.

Component: Description
Username (v3 only): Name that is used to send SNMP data to SNMPv3 management stations. The username is used to create a key that is shared by the agent and the NMS.
Security Level (v3 only): You have three choices for the security level:
• auth, priv – authorization and privacy. This option takes full advantage of the enhanced security features in SNMPv3.

Figure 123 Viewing the Create SNMP Management Station section

The following table describes the components of the Create SNMP Management Station section.

Table 104 Create SNMP Management Station section components
Component: Description
Manager Type: The SNMP version used on the NMS. All three versions of SNMP are supported on the SKM.
Trap Type: Specifies whether this NMS is configured to receive Trap or Inform messages. NOTE: We recommend that you always use Inform messages.

Component: Description
Auth Protocol (v3 only): You can choose from MD5 and SHA.
Auth Password (v3 only): This password is used to create the secret key that is used to authenticate the sender of SNMP messages. The auth password must be between 8 and 64 characters.
This password is used to create the secret key that is used to encrypt data that is shared between the HP agent and the NMS. The auth password must be between 8 and 64 characters.
• Security Warnings – an administrator experienced multiple password failures while attempting to log in, the system was reset to factory settings, the system was restored to default settings, configuration data was corrupted or modified.
• Generic Security Objects – Content detected as defaced, invalid client certificate, multiple username/password failures from a user, wrong key in use, operation not permitted, other security warning.
and stored on the SKM appliance. The available access controls are grouped into categories and described here.

Security Configuration access controls enable the administrator to:
• create, modify, and delete keys and establish authorization policies (Keys and Authorization Policies).
• create and modify users and groups and maintain LDAP server settings (Users and Groups).
• create and import certificates (Certificates).
• manage certificate authorities on the SKM appliance (Certificate Authorities).

When creating an administrator, you should assign the minimum amount of access controls needed. For example, a backup administrator will only need the Backup & Restore access controls. (You’ll probably also want to assign an Administrative Access access control to most of your administrators.)

NOTE: We strongly discourage the sharing of administrator accounts. Each administrator should have their own administrator account.
WARNING! It is absolutely crucial that you remember the passwords for all of your local administrators. For security reasons, there is no way to reset a local administrator’s password without logging into the SKM appliance as a High Access Administrator. If you lose or forget the passwords for all administrator accounts, you cannot configure the SKM appliance, and you must ship it back to have the software reinstalled. All keys and configuration data will be unrecoverable.
Configuration of the LDAP Administrator Server and the first LDAP administrator must be performed by a local administrator. Thereafter, you can use the LDAP administrator. If you are using LDAP administrators, we recommend that you enable SSL in the LDAP Administrator Server settings. This ensures that the connection between the SKM and the LDAP server is secure.
1. Log in to the Management Console as an administrator with High Access Administrator access control.
2. Navigate to the Administrator section on the Administrator Configuration page (Device > Administrators > Administrators).
3. Select the administrator in the Administrator section.
4. Click Delete.
5. Confirm the action on the Secondary Approval section.
NOTE: For disaster recovery purposes, the last local administrator account on an SKM appliance cannot be deleted.
Component Description
Access Control – Security Configuration: Access control options related to device security configuration.
• Keys and Authorization Policies: Create, modify and delete keys and establish authorization policies.
• Users and Groups: create and modify local users and groups and maintain LDAP user server settings.
• Certificates: Create and import certificates.
• Certificate Authorities: Manage certificate authorities on the SKM.
Select LDAP Username
The Select LDAP Username section enables you to browse and select an LDAP user when creating an LDAP administrator account.
Figure 125 Viewing the Select LDAP Username section
Table 106 Select LDAP Username section components
Component Description
Username: Select a username from the list to create the LDAP administrator. Click on a username to select the user and return to the Create LDAP Administrator section.
Password expiration
The password expiration feature allows you to specify a duration for administrator passwords. By default, this feature is disabled. When an administrator password expires, the system forces that administrator to create a new password after logging in with the expired password. (If the administrator is currently logged in when the password expires, that session continues as normal.
CAUTION: In addition to all scheduled password changes, immediately change all administrator, user account, and backup passwords any time a security officer takes a new position or leaves the company. Document the password policy and communicate it to all appropriate parties including security officers and other corporate personnel.
Component Description
Confirm New Password: Re-enter the new password.
Change Password: Click Change Password to implement any changes made to this section.
Password Settings for Local Administrators
The Password Settings for Local Administrators section allows you to specify additional password constraints for local administrator passwords. Some of these constraints (password length and character restrictions) also apply to local users, clusters, and backups.
Component Description
Minimum Password Length: Enter the minimum password length. The default length is 8. This value applies to all passwords on the SKM (local administrator, user, backup, tamper resistance, and cluster).
Select one or more additional password constraints.
Any request for these operations, from either the Management Console or the CLI, results in a request for additional administrator accounts and passwords. The operation only continues when those credentials are supplied. Otherwise, an error message appears.
Granting credentials
Administrators can grant their credentials to another administrator for a specific period of time. This allows one administrator to execute several operations without having to enter multiple credentials for each request.
NOTE: If the SKM is configured to use NTP, modifications to the NTP system time can extend the life span of a granted credential.
NOTE: Granted credentials are not included in backups.
Multiple credentials in clusters
To implement multiple credentials on SKMs within a cluster, you must adhere to the following guidelines:
• All devices within the cluster must have the multiple credentials feature enabled. The feature can be enabled on one device and replicated to the others.
Multiple Credentials sections
The Multiple Credentials sections on the Administrator Configuration page let you enable the multiple credentials feature, grant credentials, and view granted credentials.
Credentials Granted
Use the Credentials Granted section to view the credentials granted to or by the current administrator. Any credential grants that do not involve the current administrator are not displayed.
Figure 129 Viewing the Credentials Granted section
The following table describes the components of the Credentials Granted section.
Table 110 Credentials Granted section components
Component Description
Grant to: Displays the administrator receiving the credentials.
Component Description
Duration (in minutes): Enter the length of duration. This duration cannot be longer than the Maximum Duration for Time-Limited Credentials established in the Multiple Credentials for Key Administration section.
Allowed Operations: Select the specific operations for which you are granting your credentials. You may only grant credentials for those operations listed here.
Grant: Click Grant to execute the credential grant.
Figure 131 Viewing the Remote Administration Settings section
The following table describes the components of the Remote Administration Settings section.
Table 112 Remote Administration Settings section components
Components Description
The Web Admin Server IP address is the local IP address used to configure the SKM via the Management Console. You can select one specific IP address or you can select all of the IP addresses bound to the SKM.
Components Description
SSH Admin Server IP: The SSH Admin Server IP address is the IP address used to configure the SKM from the CLI. You can select one specific IP address or all of the IP addresses bound to the SKM.
CAUTION: We strongly recommend that you limit the SSH Admin Server IP to a specific IP address.
LDAP Administrator Server Properties section
Use the LDAP Administrator Server Properties section to define the basic properties of the LDAP administrator directory server.
Figure 132 Viewing LDAP Administrator Server Properties section
Table 113 LDAP Administrator Server Properties section components
Component Description
Hostname or IP Address: The hostname or IP address of the primary LDAP server.
Port: The port on which the LDAP server is listening. LDAP servers typically use port 389.
Figure 133 Viewing LDAP Schema Properties section
Table 114 LDAP Schema Properties section components
Component Description
User Base DN: The base distinguished name (DN) from which to begin the search for usernames.
User ID Attribute: The attribute type for the user on which to search. The attribute type you choose must result in globally unique users.
User Object Class: Used to identify records of users that can be used for authentication.
Component Description
Edit: Click to modify the properties.
Clear: Click to remove the current properties.
LDAP Test: Click to test the LDAP connection after you have defined an LDAP server.
Viewing logs and statistics
The SKM maintains logs and statistics you can use to monitor your system's performance. The Log Configuration and Log View pages enable you to configure log rotation schedules, syslog settings, specify log levels, and view and download logs.
For example, you can schedule the system to rotate the Audit Log every Sunday morning at 3:15 or when the file size reaches 100 MB, whichever comes first.
Log archives
If you do not configure the log transfer feature, old log files are stored on the SKM. For each type of log, you can select the maximum number of log files that can be archived. When that maximum number is reached, any new addition to the log archive will remove the oldest log file.
Value Description
datetime stamp: The date and time when the log file was created.
hostname: The hostname of the SKM.
For example, the filename audit.log.1.2002-04-04_160146.demo would identify this file as:
• An Audit Log.
• The first log file in the log index.
• A file created on 2002-04-04 at 16:01:46.
• A log from the SKM with the hostname 'demo'.
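A parser for the archive filename format in the example above, added here for readers who inventory transferred log archives on a collection host; it is not code from the HP guide. Only audit.log.1.2002-04-04_160146.demo comes from the page; the other sample names are constructed, and the function names are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime

# <log name>.log.<index>.<datetime stamp>.<hostname>
# The hostname is matched last and greedily because it may itself contain dots.
NAME_RE = re.compile(
    r"^(?P<log>[A-Za-z_]+)\.log\.(?P<index>\d+)\."
    r"(?P<stamp>\d{4}-\d{2}-\d{2}_\d{6})\.(?P<host>[A-Za-z0-9.-]+)$"
)


def parse_log_name(filename):
    """Split an archived log filename into its four fields."""
    match = NAME_RE.match(filename)
    if match is None:
        raise ValueError("not an archived log filename: %r" % filename)
    # strptime rejects impossible dates and times that the regex lets through.
    created = datetime.strptime(match["stamp"], "%Y-%m-%d_%H%M%S")
    return {
        "log": match["log"],
        "index": int(match["index"]),
        "created": created,
        "host": match["host"],
    }


def inventory(filenames):
    """Group archives by (host, log), oldest first; collect names that do not parse."""
    groups, rejected = defaultdict(list), []
    for name in filenames:
        try:
            groups_key = parse_log_name(name)
        except ValueError:
            rejected.append(name)
            continue
        groups[(groups_key["host"], groups_key["log"])].append(groups_key)
    for records in groups.values():
        records.sort(key=lambda rec: rec["created"])
    return dict(groups), rejected


# First name is the page's example; the rest are constructed for this demo.
SAMPLE = [
    "audit.log.1.2002-04-04_160146.demo",
    "audit.log.2.2002-04-11_031500.demo",
    "audit.log.1.2005-09-12_102347.irwin.company.com",
    "audit.log.3.2002-13-40_160146.demo",   # impossible date
    "audit.log.demo",                        # missing index and stamp
]

if __name__ == "__main__":
    groups, rejected = inventory(SAMPLE)
    for (host, log), records in sorted(groups.items()):
        print(host, log, [rec["created"].isoformat() for rec in records])
    print("rejected:", rejected)
```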
2005-09-12 10:23:47 irwin.company.com KMS Server: Starting KMS Server
log message at syslog server (displays on one line):
------------------------------------------------------
Sep 12 10:23:48 irwin.company.com demo System: 2005-09-12 10:23:47 irwin.company.com KMS Server: Starting KMS Server
Secure logs
The SKM allows you to sign your log files before moving them to another machine or downloading them, which makes your log files more secure than unsigned log files.
Figure 135 Viewing the Rotation Schedule section
The following table describes the components of the Rotation Schedule section.
Table 117 Rotation Schedule section components
Component Description
Log Name: One of the predefined log names supported by the SKM. Log types are: System, Audit, Activity, and Client Event.
Specifies the frequency of log rotation. When a log is rotated, the current log file is closed and a new log file is opened.
Figure 136 Viewing the Log Rotation Properties section
The following table describes the components of the Log Rotation Properties section.
Table 118 Log Rotation Properties section components
Component Description
Log Name: One of the predefined log names supported by the SKM. Log types are: System, Audit, Activity, and Client Event.
Rotation Schedule: Specifies the frequency of log rotation. When a log is rotated, the current log file is closed and a new log file is opened.
Syslog Settings
To enable syslog, select a type of log, and click Edit. Specify a hostname or IP address of the primary log server (Syslog Server #1) and the port that the syslog server is listening on. You can optionally specify a backup syslog server by entering an IP address and port for the Syslog Server #2 IP and Syslog Server #2 Port fields. Click Save when you are done.
Figure 138 Viewing the Log Signing section
The following table describes the components of the Log Signing section.
Table 120 Log Signing section components
Component Description
Log Name: Displays the logs available on the device.
Sign Log: Select this option to enable Secure Logs. See Secure Logs for more information.
Edit: Click Edit to edit the log signing settings for the selected log.
View Log Signing Cert: Click View Log Signing Cert to view the Log Signing Certificate information.
Figure 139 Viewing the Log Signing Certificate Information section
The following table describes the components of the Log Signing Certificate Information section.
Table 121 Log Signing Certificate Information section components
Component Description
Download Log Signing Cert: Click Download Log Signing Cert to download the certificate.
Figure 140 Viewing the Activity Log Settings section
The following table describes the components of the Activity Log Settings section.
Table 122 Activity Log Settings section components
Component Description
There are two possible levels for the Activity Log:
• Normal: All requests received by the KMS Server are recorded in the log. This is the default log level.
• Low: All requests received by the KMS Server, except for successful cryptographic requests, are recorded in the log.
Figure 141 Viewing the System Log section
The following table describes the components of the System Log section.
Table 123 System Log section components
Component Description
Log File: Select older logs to display.
Show Last Number of Lines: Select the number of log entries to view.
Wrap Lines: Select to wrap text in the display area.
Display Log: Click Display Log to display the last few lines of the log.
Rotate Logs: Click Rotate Log to close the current log and start a new log.
• Date and time change was made.
• Username: the username that made the configuration change.
• Event: a text description of the configuration change.
Figure 143 Viewing the Audit Log section
The following table describes the components of the Audit Log section.
Table 125 Audit Log section components
Component Description
Log File: Select older logs to display.
Show Last Number of Lines: Select the number of log entries to view.
Wrap Lines: Select to wrap text in the display area.
Activity Log
The Activity Log contains a record of each request received by the KMS Server. For client requests that contain multiple cryptographic operations, each operation is logged as a separate entry in the Activity Log. Requests for cryptographic operations are not logged until the KMS Server has received all the data from the client or an error has occurred. When there is no data for a particular field, a dash is inserted.
Request Type Detail Information
key import: algorithm and key size specified in the request; the values for the Deletable and Exportable options are listed as well if they are set by the client
key deletion: nothing is listed in the detail field
key export: nothing is listed in the detail field
random number generation: size in bytes of the random number being generated
replication export: nothing is listed in the detail field
replication import: nothing is listed in the detail field
key information
Current Activity Log
Figure 146 Viewing the Current Activity Log section
The following table describes the components of the Current Activity Log section.
Table 130 Current Activity Log section components
Component Description
Download Entire Log: Click Download Entire Log to download the log to your browser.
Clear: Click Clear to delete the selected log.
Client Event Log
The Client Event Log contains a record of each message sent by clients using the element.
Field Description
message: enclosed in brackets ( [] ), the message field displays the plaintext that corresponds with the base64 encoded message included in the client event.
The following graphic shows an example of the Client Event Log section.
Figure 147 Viewing the Client Event Log section
The following table describes the components of the Client Event Log section.
Table 132 Client Event Log section components
Component Description
Log File: Select older logs to display.
Component Description
Clear: Click Clear to delete the selected log.
Statistics page
The Statistics page enables you to view real-time system statistics about client connections, network throughput, and cache, CPU, and memory utilization. It also displays information about requests made to the KMS Server; such requests might include key generation, key deletion, authentication, cryptographic operations, key rotation, and more.
Component Description
Set Refresh Time: Click Set Refresh Time to apply the new value.
Refresh Now: Click Refresh Now to refresh the System Statistics page on demand.
System Statistics
The System Statistics section provides general system statistics, such as how much the CPUs are utilized and how long since the system was rebooted.
Figure 150 Viewing the System Statistics section
The following table describes the components of the System Statistics section.
Figure 151 Viewing the Connection Statistics section
The following table describes the components of the Connection Statistics section.
Table 136 Connection Statistics section components
Component Description
KMS Server Statistics:
• Total Connections
• Non–SSL Connections
• SSL Connections
• SSL Handshakes
• SSL Resumes
• Failed SSL Handshakes
Current/second: The Current per second column shows how many of a given statistic were counted on the SKM in the second the System Statistics were refreshed.
Figure 152 Viewing the Throughput section
The following table describes the components of the Throughput section.
Table 137 Throughput section components
Component Description
This field expresses in megabits per second the amount of data passing through the KMS Server. This traffic is generated when the SKM processes client requests. The figure excludes any overhead from the SSL, TCP, or IP protocols. It also excludes traffic to the Management Console or the SSH administration tool.
Refresh Statistics (server)
The Refresh Statistics section controls how frequently the Server Statistics page is refreshed. When the page is refreshed, the values displayed on the page are updated. The refresh interval you specify on the Refresh Statistics page does not affect the refresh interval on the CLI.
Figure 154 Viewing the Refresh Statistics section
The following table describes the components of the Refresh Statistics section.
Figure 155 Viewing the KMS Statistics section
The following table describes the components of the KMS Statistics section.
Table 140 KMS Statistics section components
Component Description
• Total - total number of client requests since the SKM was last rebooted.
• Key Generate - request to generate a cryptographic key.
• Key Information - requests for information about a particular key.
• Key Delete - request to delete a key.
• Key Query - request to view all keys available to a client.
C Using the Command Line Interface
Shell commands
The CLI supports a few shell commands that allow you to perform various search, cut, and paste operations. The following shell commands can be used:
• Ctrl-C – clears the prompt.
• Ctrl-R – allows you to search backward through the command history.
• Ctrl-K – deletes the text from the cursor to the end of the line.
• Ctrl-U – erases the entire line.
• Ctrl-Y – pastes text erased by Ctrl-K or Ctrl-U.
• Ctrl-P – moves backwards through the history.
• new cert request
If there are no spaces between segments of quoted and non–quoted text, the two segments are treated as one argument. Thus, the command new cert “new cert request” is treated as three separate arguments:
• new
• cert
• new cert request
Escaping characters using backslash
You can include a quote character (“ or ‘) within an argument by putting a backslash (\) in front of it.
If the text you have entered can refer to multiple commands, tab completion will not work, but you can press the return key to view the possible commands. For example, if you type show sys and press the return key, the CLI displays the commands that begin with show sys.
Command shortcuts
Similar to tab completion, the CLI enables you to execute commands without typing the complete command name.
To exit configure mode and go to view mode, type exit at the prompt:
hostname (config)# exit
hostname#
Entering script mode
Script mode allows you to create and run scripts containing “show” and/or “configure” mode CLI commands. To enter script mode, you must first enter configure mode, then type script at the command prompt.
NOTE: The Script Recorder takes care of all such formatting issues and hence is probably the best way to create scripts initially. Script recorder The Script Recorder is started by typing in the command “record