Chapter 1: About This Manual

AKM Administrative Console

The AKM Administrative Console (Admin Console) for Windows is a GUI application for creating, managing, and distributing encryption keys. The Admin Console processes one key management command at a time. Each request is formatted and sent to the AKM server and a response is returned to the Admin Console, after which the communications session will end. The Admin Console does not maintain a persistent connection to the server. The Admin Console supports dual control over key management operations.

Who is this for?

This guide is designed for Crypto Officers using the AKM Administrative Console to access the administrative functions available for AKM, including creating, managing, and distributing encryption keys and setting user access policies.

Other resources

The following documents provide additional information on the installation and use of Alliance Key Manager:

Notices

This product and documentation is covered by U.S. and International copyright law. This product may incorporate software licensed under one or more open source license agreements. Government users please note that this product is provided under restricted government use license controls. Please refer to the AKM End User License Agreement for more information.

Change log

The following table provides information on the changes to this documentation:

Version      Date        Description
1.0.0        1/2/2010    Initial version.
2.0.0        2/15/2010   Final version for release with Alliance Key Manager version 2.0.2.
2.0.1        6/27/2010   Add additional information on managing keys in Java key stores.
2.0.2        11/23/2011  Add information about intermediate certificate authorities.
2.0.7.001    1/10/2014   New manual format and updates for AKM Administrative Console v. 2.0.7.
2.0.7.002    3/4/2014    Updates. Add information on verbose status information and log files.
2.0.7.003    4/11/2014   Add chapter on common administrative commands. Update information on meta data fields.
2.0.7.004    6/9/2014    Update Before You Begin chapter, including admin certificate information.
2.0.7.005    10/8/2014   Update Before You Begin chapter, including pre-requisites and licensing information.
3.0.3.001    12/19/2014  Update for AKM 3.0.3 and the ready to use version of AKM for VMware.
3.0.3.002    10/1/2015   Update screenshots for v. 2.0.9 of the Admin Console.
3.0.3.003    10/13/2015  Update to include support for JRE 64-bit.
4.0.0.001    5/13/2016   Update Preparation chapter for AKM 4.0.
4.5.0.001    10/18/2016  Update for asymmetric RSA key support.
4.6.0.001    10/7/2019   Added more specific instructions for key export/import using RSA certificate.
4.6.0.003    11/8/2019   Updated links and references to technical information.

Chapter 2: Preparation

You will need to complete the following steps before continuing:

  • Review pre-requisites

  • Install and set up the primary AKM server and any secondary mirror servers (instructions are located in platform specific deployment guides)

  • Download certificates from the AKM server

  • Know the IP address(es) of the AKM server(s) and port number for admin services (the default is 6001)

See below for more information.

Pre-requisites

You will need the following to run the AKM Administrative Console:

  • Windows operating system

Licensing

A temporary or permanent license is required to use or evaluate AKM. All deployments of AKM create a 30-day license automatically during setup and initialization, except for the Amazon Web Services fee-based deployment, which generates a permanent license.

A temporary license will enable a fully functional AKM server that may be run in your environment for evaluation or testing. If the temporary license expires, a permanent license may be purchased from Townsend Security or your software vendor. See your AKM platform specific deployment guide for information on installing a permanent license.

Certificates and private keys

The admin client and AKM server use certificates and private keys to establish a secure TLS connection and perform authentication. You will need the following certificate files and any associated passphrases before continuing:

  • A JKS truststore containing the AKM certificate authority (CA) certificate

  • A JKS keystore containing the admin certificate and private key (one for each Crypto Officer if implementing dual control)

These certificates are generated on initialization and stored on the AKM server. See your platform specific AKM deployment guide for instructions on downloading admin client certificates.

IMPORTANT: Two admin certificates are created by default to support dual control within the AKM Administrative Console. Additional admin certificates can be created if needed. If only one admin certificate is required, either can be used. For more information on dual control, see Chapter 6: Implement Dual Control.

SECURITY ALERT: Private key files must be protected during creation, distribution, and storage to prevent loss. The loss of these files will compromise the security of the AKM server. Depending on the file format, the private key files may be bundled with a certificate or they may be separate files. Transfer the private key files by sharing them over a secure network, placing them in a password-protected zip file, sending them using SFTP, or another secure method. Use the same level of care you would employ to protect encryption keys, including encryption. In the event the private keys are compromised or lost, you should immediately replace the certificate authority on the AKM server and all client certificates in that chain of trust. See the AKM Certificate Manager Guide for more information.

Server information

The following server information is required to set up the Admin Console:

  • The IP address or DNS name of the primary AKM server and any secondary AKM servers

  • The port number for administrative services on AKM (the default is 6001)

Checklist

Before continuing, you will need the following items:

  • The IP address or DNS name of the AKM server and any secondary AKM servers, and the port numbers they will use for administrative services (the default is 6001)

  • AKM’s CA certificate in .jks format

  • An admin certificate/private key in .jks format

Chapter 3: Install the AKM Administrative Console

Once you have installed the admin certificate/private key and AKM’s CA certificate on the admin client and know the server information for each AKM server, you are ready to begin installing the AKM Administrative Console. The Admin Console can be downloaded here.

Unzip and double-click AKMAdmin_[version]_Installer.exe to begin the installation.

The following panel is displayed:

[Screenshot omitted]

Click Next to continue.

The following panel is displayed:

[Screenshot omitted]

Click I Agree to accept the license agreement and continue. The following panel is displayed:

[Screenshot omitted]

Select the install location and click Next. The following panel is displayed:

[Screenshot omitted]

Click Install. The following panel is displayed:

[Screenshot omitted]

Click Finish to exit the wizard.

Chapter 4: Start the AKM Administrative Console

Open the AKM Administrative Console (Admin Console) by clicking the appropriate link in your Windows Start menu, All Programs list, or the icon on your desktop or Start Screen.

Add a key server

The first time you start the Admin Console you will be prompted to add a key server:

[Screenshot omitted]

You can define multiple AKM servers as needed for your installation. If you need to add additional key servers, click File, Add Key Server. For each key server you define, you must have the IP address of the server and administrative services port number.

Server name: Enter a name of your choosing for this key server.

Server address: Enter the IP address of this key server.

Server port: Enter the administrative services port number. The default is 6001.

Key store file: Enter the full path to the admin certificate keystore file or click Browse to select the file.

Passphrase: Enter the passphrase for the admin certificate keystore file.

Trust store file: Enter the full path to the truststore file or click Browse to select the file.

Passphrase: Enter the passphrase for the truststore file.

Trust store is the same as key store: Check this box if the keystore and the truststore file are the same.

SECURITY ALERT: Some certificate authorities (CAs) issue all of their certificates in a single keystore file. While the Admin Console supports this option, Townsend Security recommends using two keystore files: one containing the public CA certificate (the truststore) and one containing the client certificate and key. AKM certificate generation tools create two separate keystores by default. This provides security for both the client certificate in the keystore and the CA certificate in the truststore.

Click Add to add the key server definition and start the Admin Console, or click Cancel to cancel defining the key server. Click File, Add Key Server to define additional secondary AKM servers.

Verify the connection to the key server

To verify your connection, click Status in the left frame and select the “Administrative NoOP” command. Click Submit in the middle pane. If the output specifies a Return Code of “0”, then the AKM Administrative Console has successfully connected to the AKM server. If you receive an error message, check the akmerror.log file for more detail. Ask your System Administrator or see the AKM Server Management Guide for more information about the akmerror.log file.

You are now ready to begin using the AKM Administrative Console.

Chapter 5: Use the AKM Administrative Console

Open the AKM Administrative Console by clicking the appropriate link or icon. The initial panel is displayed:

[Screenshot omitted]

The File menu contains options to add, switch, edit and delete key servers. The Help menu contains information about the AKM Administrative Console, an option to turn on Verbose Status Information, and a link to the Townsend Security website. For more information on Verbose Status Information, see the section on the Status pane below. The currently selected server information is displayed above the Command Entry Page.

Command Entry Page

The left pane of the application contains a list of all of the key management commands organized into groups for convenience. The “All Commands” group lists all of the commands in alphabetical order. When you select a command, the command options will appear to the right of this list.

Output pane

The right pane displays response output information. These responses will accumulate until you click the Clear Contents icon in the upper-right corner of the pane. You can select, copy, and save the responses. The Admin Console automatically logs information from the Output and Status panes in a text file. See the section on Logging for more information.

Status pane

The bottom pane contains diagnostic status information about each request. If you encounter errors with a command, this pane may contain useful information to help you solve the problem. If you select Verbose Status Information from the Help menu, this pane will contain verbose status messages. These responses will accumulate until you click the Clear Contents icon in the upper-right corner of the pane. You can select, copy, and save the responses. The Admin Console automatically logs information from the Output and Status panes in a text file. See the section on Logging for more information.

SECURITY ALERT: Cryptographic information, such as the value of a key, is never displayed in the Admin Console.

Logging

The log file contains information from the Status and Output panes. If you select Verbose Status Information from the Help menu, the log will contain verbose messages from the Status pane.

Logs are collected in a text file (akmadmin_log.txt) located in the directory chosen during installation (C:\Users\<UserName>\Documents\TownsendSecurity\Log by default). When the current log file akmadmin_log.txt reaches 10 MB, it is archived under a numbered name (akmadmin_log.txt.1), and a new current log file is created with the name akmadmin_log.txt. A maximum of 99 archived files will be saved (akmadmin_log.txt.1, akmadmin_log.txt.2, ..., akmadmin_log.txt.99). After the maximum number of archived files is reached, the oldest archived file (akmadmin_log.txt.99) will be deleted.


Chapter 6: Implement Dual Control

Dual control is an important concept in most security regulations. For example, the PCI Data Security Standards (PCI DSS 3.0) specifically affirms the need for dual control on all sensitive key management activities. Alliance Key Manager supports a dual control option for key management tasks. When enabled in the AKM configuration file, you can only perform key management tasks when two different Crypto Officers authenticate to the key manager.

Certificates required for dual control

Certificates created with AKM tools include two admin certificates for two Crypto Officers to support dual control in the Admin Console, and more can be created if additional Crypto Officers are needed to perform key management tasks. Each Crypto Officer will need an admin certificate and the truststore file containing the certificate authority (CA). The number of Crypto Officers using the Admin Console will depend on the security policy of your organization. If only one admin certificate is required, either of the default admin certificates can be used.

Enable dual control

These steps describe how to enable dual control. You will need to follow these steps for every AKM server for which you wish to enable dual control.

Have your System Administrator log on to the web interface and set the DualKnowledgeRequired field to Y (Yes) in the AKM configuration file (akm.conf):

DualKnowledgeRequired=Y

They will then need to stop and restart AKM. See the AKM Server Management Guide for more information.

Once these steps have been completed, select the “Authorize Administrator” command under the “System Management” command group in the Admin Console. Specify the time in minutes for how long you wish to authorize a second Crypto Officer’s connectivity to AKM for the purpose of key management tasks. Click Submit.

During the time specified, you will not be able to use any commands except for the “Authorize Administrator” command. The second Crypto Officer will be able to perform all key management tasks within the specified time frame. If that time frame expires and they need additional time, they can ask you to allocate more time using the “Authorize Administrator” command. Alternatively, they could use the “Authorize Administrator” command to authorize another Crypto Officer to perform key management tasks.

This ensures dual control over key management operations.
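The following Python model is added here as an illustration of the authorization window this chapter describes; it is not AKM code, and the time values, officer identities and the command names used in the test are constructed.

```python
from dataclasses import dataclass
from typing import Optional

AUTHORIZE_CMD = "Authorize Administrator"


@dataclass
class Authorization:
    authorizer: str   # identity (certificate CN) of the officer who ran Authorize Administrator
    expires_at: int   # seconds since epoch; assumed time representation


class DualControlModel:
    """Model of the behaviour described in Chapter 6 (an illustration, not AKM's implementation)."""

    def __init__(self, dual_knowledge_required: bool):
        # Mirrors DualKnowledgeRequired=Y (True) or N (False) in akm.conf.
        self.dual_knowledge_required = dual_knowledge_required
        self.grant: Optional[Authorization] = None

    def authorize(self, officer: str, minutes: int, now: int) -> Authorization:
        """Authorize Administrator: open (or replace) a window of the given length."""
        if minutes <= 0:
            raise ValueError("authorization time must be a positive number of minutes")
        self.grant = Authorization(officer, now + minutes * 60)
        return self.grant

    def window_open(self, now: int) -> bool:
        return self.grant is not None and now < self.grant.expires_at

    def allowed(self, officer: str, command: str, now: int) -> bool:
        """Whether `officer` may run `command` at time `now`."""
        # Authorize Administrator is always available: it opens, renews or
        # hands the window to another Crypto Officer.
        if command == AUTHORIZE_CMD:
            return True
        # Without dual control a single Crypto Officer may manage keys alone.
        if not self.dual_knowledge_required:
            return True
        # With dual control, key management needs a live window ...
        if not self.window_open(now):
            return False
        # ... and the officer who opened it may run nothing else while it lasts.
        return officer != self.grant.authorizer
```

Note that a second officer who runs Authorize Administrator replaces the window and becomes the locked-out party, which is the hand-off the chapter describes.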

Chapter 7: Common Administrative Commands

This chapter lists common administrative commands with links to the sections describing these commands.

System Management

Administrative NoOp: Test the connection to the AKM server.

Set Mirror Address: Set up a secondary mirror server.

Authorize Administrator: Authorize a second Crypto Officer for key management.

Key import and export

Key Wrapping Certificates and Keys

Import Certificate: Import a certificate from the local file system to the AKM server.

Import Private Key: Import a private key from the local file system to the AKM server.

RSA Keys

Import RSA Public Key: Import an RSA public key from the local file system to the AKM server.

Symmetric (AES) Keys

Import Symmetric Key: Import a symmetric encryption key

Create encryption keys

Create Symmetric Key: Create a symmetric encryption key.

Create EKM Key: Create an asymmetric key for use with SQL Server TDE.

Enable Key for EKM: Enable a key for use by SQL Server.

Manage encryption keys

Display Key Name List: View a list of all symmetric key names.

Display Key Instance List: Display a list of all key instances associated with a given symmetric key.

Display Symmetric Key Policy: View the attributes of a specific key instance.

Rollover: Roll a symmetric key, creating a new instance (version) of the key.

Set Meta Data: Set the meta data on a symmetric key instance.

Retrieve Meta Data: Retrieve a list of symmetric keys by a search on their metadata values.

Revoke Key: Revoke a symmetric key, making it and all of its instances unavailable for use.

Revoke Key Instance: Revoke an instance of a symmetric key, making it unavailable for use.

Activate Key: Activate a symmetric key that has previously been revoked.

Activate Key Instance: Activate a symmetric key instance that has previously been revoked.

Force Key Sync: Cause all keys or a specified key to mirror, provided the key or keys have the mirror flag attribute set to Y (e.g., if a key or keys were enabled for mirroring before mirroring was configured).

User and group access controls for symmetric and RSA keys

Set Key Access Flag: Set the access policy for a key.

Revoke All User and Group Access To Key: Remove all access to a key.

Grant User Access To Key: Grant access to a specified key for a specified User.

Grant Group Access To Key: Grant access to a specified key for a specified Group.

Chapter 8: Automatically Generate Symmetric Keys

This group includes the following commands:

  • Automatically Generate Keys

  • Change Next Increment

  • Get Template Depth

  • Get Template List

  • Remove Template Record

See the sections below for more information.

Automatically Generate Keys

Use this command to automatically generate a number of symmetric keys based on a key-name template.

[Screenshots omitted]

Constant: The root name used to generate keys.

Constant Length: The length of the root name used to generate keys. Entering a value greater than the actual length of the Constant will result in blank padding between the root name and increment value. A value less than the actual length of the Constant will result in the truncation of the entered Constant value to the specified length.

Increment Length: The number of characters allowed for the increment field. Increment values that do not fill the entire increment field will be left-padded with zeros.

Increment Code: The type of incrementing to be performed. Possible values are:

  • Alphanumeric (A): (0-9, A-Z, a-z). The initial value will be zeros, then the incrementing will step through numbers, followed by upper case letters, then lower case letters.

  • Hex (H): (0-9, A-F, upper-case only). The initial value will be zeros, then the incrementing will step through numbers followed by upper-case letters A-F.

  • Numeric (N): (0-9). The initial value will be zeros, then the incrementing will step through numbers.

Increment Number: The number of keys to generate.

Increment Mode: The type of addition that will be made to the key generation template. Possible values are:

  • Initialize: Create a new template and keys.

  • Add: Add keys to an existing template.

Key Size: The size of the generated keys in bits. Possible values are 128-bit, 192-bit, and 256-bit.

Activation Date: The date the keys will be activated and available for use.

Activate key immediately: Checking this box will cause the keys to be activated immediately. They will be available for use as soon as they are created.

Expiration Date: The date the keys will expire.

Key never expires: Checking this box will cause the keys to never expire. They will be available for use until they are deleted from the server.

Rollover Code: The way new instances of this key will be generated. Possible values are:

  • Automatic: New key instances will be automatically created based on the value entered in the Rollover Days field.

  • Manual: New key instances will need to be created manually using the “Rollover” command.

  • Never: New key instances will never be created.

Rollover Days: The number of days before new key instances are created if Automatic is selected for Rollover Code. This field is required if Automatic is selected.

Deletable: Determines if the generated keys are deletable. Possible values are Yes (they can be deleted) and No (they cannot be deleted). A key’s “deletable” flag can later be changed via the “Change Deletable” command.

Mirror Key: Determines if the generated keys are mirrored (copied and maintained) to a high availability server if one is configured. Possible values are Yes (they should be mirrored) and No (they should not be mirrored). A key’s “mirrored” flag can later be changed via the “Change Mirror Key” command.

Key Access: Determines who can access the generated keys. Possible values are:

  • Anyone: The keys are available to anyone holding a client certificate.

  • User: The keys are available to anyone holding a client certificate that has a Common Name (CN) that matches one of the Users defined to have access to these keys. A User may be entered in the User Name field. Additional Users can be granted access to individual keys using the “Set User Access To Key” command.

  • Group: The keys are available to anyone holding a client certificate that has an Organizational Unit (OU) that matches one of the Groups defined to have access to these keys. A Group may be entered in the Group Name field. Additional Groups can be granted access to individual keys using the “Set Group Access To Key” command.

  • User + Group Permissive: The keys are available to anyone holding a client certificate that has a Common Name (CN) that matches one of the Users defined to have access to these keys, and an Organizational Unit (OU) that matches one of the Groups defined to have access to these keys.

  • User + Group Strict: The keys are available to anyone holding a client certificate that has a Common Name (CN) that matches one of the Users defined to have access to these keys, and an Organizational Unit (OU) that matches one of the Groups defined to have access to these keys, if the User has also been added to a Group defined to have access to these keys. This must be done with the “Add User to Group” command.

User Name: The name of the user who will have access to the generated keys. This field is only active if User, User + Group Permissive or User + Group Strict is selected for Key Access.

Group Name: The name of the group that will have access to the generated keys. This field is only active if Group, User + Group Permissive or User + Group Strict is selected for Key Access.
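The following Python function is added here to show the Key Access rules above as a decision a reader can check; it is not AKM code, it follows the five modes exactly as this section states them, and the certificate subjects, user and group names are constructed.

```python
from dataclasses import dataclass
from enum import Enum


class KeyAccess(Enum):
    ANYONE = "Anyone"
    USER = "User"
    GROUP = "Group"
    USER_GROUP_PERMISSIVE = "User + Group Permissive"
    USER_GROUP_STRICT = "User + Group Strict"


@dataclass(frozen=True)
class KeyPolicy:
    access: KeyAccess
    users: frozenset    # Common Names granted access (User Name / Grant User Access To Key)
    groups: frozenset   # Organizational Units granted access (Group Name / Grant Group Access To Key)


@dataclass(frozen=True)
class ClientCert:
    cn: str   # subject Common Name of the presented client certificate
    ou: str   # subject Organizational Unit


def subject_fields(subject: str) -> ClientCert:
    """Pull CN and OU out of a subject string such as 'CN=alice,OU=payments,O=Example'.
    Constructed simplification: no escaped commas or multi-valued RDNs are handled."""
    fields = {}
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        fields[key.upper()] = value
    return ClientCert(fields.get("CN", ""), fields.get("OU", ""))


def is_allowed(policy: KeyPolicy, cert: ClientCert, group_members: dict) -> bool:
    """Decide whether the holder of a validated client certificate may use the key.

    group_members maps a group (OU) to the set of user CNs added to it with the
    Add User to Group command; it only matters for the Strict mode. The TLS
    handshake has already required a certificate from AKM's CA chain, so
    'Anyone' means any authenticated client, never an anonymous caller.
    """
    user_ok = cert.cn in policy.users
    group_ok = cert.ou in policy.groups
    if policy.access is KeyAccess.ANYONE:
        return True
    if policy.access is KeyAccess.USER:
        return user_ok
    if policy.access is KeyAccess.GROUP:
        return group_ok
    if policy.access is KeyAccess.USER_GROUP_PERMISSIVE:
        return user_ok and group_ok
    # Strict: in addition, the user must have been added to a granted group.
    member_ok = any(cert.cn in group_members.get(g, set()) for g in policy.groups)
    return user_ok and group_ok and member_ok
```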

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Automatically Generate Keys
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length: 00008
 Transaction Id: 1118
 Return Code: 0
 Command completed successfully.
Command Output:
 No additional command output
---------------------------------------
End Automatically Generate Keys Command
---------------------------------------

A Return Code of “0” indicates that the keys were generated successfully.

Change Next Increment

Use this command to change which automatically generated symmetric key will be returned the next time one is requested. Providing incorrect key information when using this command can disrupt future key retrieval requests for the entered automatic keys, so all entered values should be verified before submission.

[Screenshot omitted]

Constant: The root name used to generate keys.

Constant Length: The length of the root name used to generate keys. Entering a value greater than the actual length of the Constant will result in blank padding between the root name and increment value. A value less than the actual length of Constant will result in the truncation of the entered Constant value to the specified length.

Increment Length: The number of characters allowed for the increment field. Increment values that do not fill the entire increment field will be left-padded with zeros.

Next Increment: The new increment value that will be returned the next time the key is requested.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Change Next Increment
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length: 00008
 Transaction Id: 1160
 Return Code: 0
 Command completed successfully.
Command Output:
 No additional command output
---------------------------------------
End Change Next Increment Command
---------------------------------------

A Return Code of “0” indicates that the next increment value was successfully changed.

Get Template Depth

Use this command to inspect the state of a given automatic symmetric key generation template.

[Screenshot omitted]

Constant: The root name used to generate keys.

Constant Length: The length of the root name used to generate keys. Entering a value greater than the actual length of the Constant will result in blank padding between the root name and increment value. A value less than the actual length of Constant will result in the truncation of the entered Constant value to the specified length.

Increment Length: The number of characters allowed for the increment field. Increment values that do not fill the entire increment field will be left-padded with zeros.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Get Template Depth
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length: 00093
 Transaction Id: 1122
 Return Code: 0
 Command completed successfully.
Command Output:
 Increment Length: 04
 Next Increment: 0000
 Last Increment: null
 Key Served: N
 Template Full: N
 Increment Code: A
---------------------------------------
End Get Template Depth Command
---------------------------------------

A Return Code of “0” indicates the command completed successfully and is followed by specific information about the template:

Increment Length: The size of the incrementing field in bytes.

Next Increment: The increment value that will be used for the next key name.

Last Increment: The last increment value that will be used by the template, i.e. the end increment value for this template.

Key Served: Indicates whether any keys have been served from this template yet. A value of Y indicates that a key has been served from this template. A value of N indicates that no keys have been served from this template.

Template Full: Indicates whether the last key in this template has been used. A value of Y indicates that the last key in this template has been used, which can be verified by noting if the returned Next Increment value is equal to the Last Increment value. A value of N indicates that the last key in this template has not been used.

Increment Code: The type of incrementing the template is using. Possible values are:

  • A: Alphanumeric (0-9, A-Z, a-z). The initial value starts as all zeros, then the incrementing will step through numbers, then upper case letters, then lower case letters.

  • H: Hex (0-9, A-F, upper-case only). The initial value starts as all zeros, then the incrementing will step through numbers followed by upper-case letters A-F.

  • N: Numeric (0-9). The initial value starts as all zeros, then the incrementing will step through numbers.
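The following Python code is added as a worked example of the key-name template described under Automatically Generate Keys (Constant, Constant Length, Increment Length and Increment Code) and of the Template Full check described in this section; it is not AKM code, the Add-mode numbering it exposes through `start` is an assumption, and the template names in the test are constructed.

```python
from dataclasses import dataclass

# Increment alphabets for the three Increment Codes, in the stepping order the
# manual describes: digits first, then upper-case letters, then lower-case.
ALPHABETS = {
    "A": "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
    "H": "0123456789ABCDEF",
    "N": "0123456789",
}


@dataclass(frozen=True)
class KeyTemplate:
    """Template fields as entered in the Automatically Generate Keys panel."""
    constant: str          # root name
    constant_length: int   # root is blank-padded or truncated to this length
    increment_length: int  # width of the increment field
    increment_code: str    # "A", "H" or "N"

    def root(self) -> str:
        # Longer than the Constant: blank padding; shorter: truncation.
        return self.constant[: self.constant_length].ljust(self.constant_length)

    def capacity(self) -> int:
        # Number of distinct increment values the field can hold.
        return len(ALPHABETS[self.increment_code]) ** self.increment_length

    def encode(self, n: int) -> str:
        # Counter value -> increment string, left-padded with zeros.
        alphabet = ALPHABETS[self.increment_code]
        if not 0 <= n < self.capacity():
            raise ValueError(f"increment {n} does not fit in {self.increment_length} characters")
        base = len(alphabet)
        chars = []
        for _ in range(self.increment_length):
            n, digit = divmod(n, base)
            chars.append(alphabet[digit])
        return "".join(reversed(chars))

    def decode(self, increment: str) -> int:
        # Increment string -> counter value (inverse of encode).
        alphabet = ALPHABETS[self.increment_code]
        if len(increment) != self.increment_length:
            raise ValueError("increment has the wrong width for this template")
        value = 0
        for ch in increment:
            value = value * len(alphabet) + alphabet.index(ch)
        return value

    def key_name(self, n: int) -> str:
        return self.root() + self.encode(n)


def generate_names(template: KeyTemplate, increment_number: int, start: int = 0) -> list:
    """Key names for increment_number keys counted from start (0 for Initialize).
    Continuing from a decoded Next Increment for Add mode is an assumption here."""
    return [template.key_name(i) for i in range(start, start + increment_number)]


def last_increment(template: KeyTemplate, increment_number: int, start: int = 0) -> str:
    """End increment value (Last Increment) of a template holding increment_number keys."""
    return template.encode(start + increment_number - 1)


def template_full(next_inc: str, last_inc: str) -> bool:
    """The check this section gives: Next Increment equals Last Increment."""
    return next_inc == last_inc
```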

Get Template List

Use this command to view a list of all of the currently defined automatic symmetric key generation templates.

[Screenshot omitted]

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Get Template List
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00014 
 Transaction Id:  1124 
 Return Code:  0 
 Command completed successfully.
Command Output:
 More Flag:  N 
 List Segment Length:  00088 
  Constant:  MyGeneratedKey
   Increment Length:  04 
   Increment Code:  A 
   Constant Length:  14 
  Constant:  YourGeneratedKey
   Increment Length:  05 
   Increment Code:  H 
   Constant Length:  16 
 Total number of entries returned: 2
---------------------------------------
End Get Template List Command
---------------------------------------

A Return Code of “0” indicates the command completed successfully. A list of templates follows, with the following template-specific information printed for each template:

Constant: The root name used to generate keys.

Increment Length: The number of characters allowed for the increment field.

Increment Code: The type of incrementing the template is using. Possible values are:

  • A: Alphanumeric (0-9, A-Z, a-z). The initial value starts as all zeros, then the incrementing will step through numbers, then upper case letters, then lower case letters.

  • H: Hex (0-9, A-F, upper-case only). The initial value starts as all zeros, then the incrementing will step through numbers followed by upper-case letters A-F.

  • N: Numeric (0-9). The initial value starts as all zeros, then the incrementing will step through numbers.

Constant Length: The length of the root name used to generate keys.

Remove Template Record

Use this command to remove a symmetric key template from the server. Note that this command does not remove the keys generated by the template from the server. The keys remain and can be listed using the “Display Key Name List” command. However, once a template is removed the generated keys can no longer be retrieved and used by internal processes.

[Screenshot omitted]

Constant: The root name used to generate keys.

Constant Length: The length of the root name used to generate keys.

Increment Length: The number of characters allowed for the increment field.

Ignore Missing Records: Determines whether this command throws an error if a template with the specified parameters is not found. Selecting Yes causes a missing template to be silently ignored (i.e. the command will NOT throw an error if the template is not found). Selecting No causes an error to be thrown if the template is not found.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Remove Template Record
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00052 
 Transaction Id:  1126 
 Return Code:  0 
 Command completed successfully.
Command Output:
 Constant:  MyGeneratedKey
 Constant Length:  14 
 Increment Length:  04 
 Ignore Missing Records Flag:  N 
---------------------------------------
End Remove Template Record Command
---------------------------------------

A Return Code of “0” indicates the command completed successfully. The information for the template that was removed is printed as part of the output:

Constant: The root name used to generate keys.

Constant Length: The length of the root name used to generate keys.

Increment Length: The number of characters allowed for the increment field.

Ignore Missing Records: Whether the command was told to ignore a missing template. A value of Y indicates that the command was told to ignore the lack of a matching template. A value of N indicates that the command was told NOT to ignore a missing template (and thus would have thrown an error if the template had not been found).

Chapter 9: Key Import/Export

This group contains three subsets of commands:

  • Key Wrapping Certificates and Keys For Import/Export

  • RSA Keys

  • Symmetric Keys

Key Wrapping Certificates and Keys for Import/Export

These certificates and keys are distinct from the normal symmetric and RSA keys that are used for your data protection (your data protection keys). These, in contrast, are used to encrypt and decrypt your data protection keys during import and export, preserving their secrecy while outside the key manager. This group includes the following commands:

  • Delete Certificate

  • Delete Private Key

  • Export Certificate

  • Get Certificate List

  • Get Private Key List

  • Import Certificate

  • Import Private Key

See the sections below for more information.

Delete Certificate

Use this command to remove a certificate from the AKM server.

Certificate Name: The name of the certificate to remove from the AKM server.

Certificate Type: The type of certificate being removed. Possible values are a Client certificate or a certificate authority (CA) certificate. A “Client” certificate could be either an admin certificate or a key client certificate.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Delete Certificate
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00008 
 Transaction Id:  1142 
 Return Code:  0 
 Command completed successfully.
Command Output:
 No additional command output
---------------------------------------
End Delete Certificate Command
---------------------------------------

A Return Code of “0” indicates that the certificate was successfully removed from the AKM server.

Delete Private Key

Use this command to permanently delete a private key from the AKM server.

Private Key Name: The name of the private key to delete from the AKM server.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Delete Private Key
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00008 
 Transaction Id:  1146 
 Return Code:  0 
 Command completed successfully.
Command Output:
 No additional command output
---------------------------------------
End Delete Private Key Command
---------------------------------------

A Return Code of “0” indicates that the private key was successfully removed from the AKM server.

Export Certificate

Use this command to export a certificate from the AKM server to your local file system in PEM format.

Certificate Name: The name of the certificate on the AKM server to export.

Certificate Type: The type of certificate being exported. Possible values are a Client certificate or a certificate authority (CA) certificate. A “Client” certificate could be either an admin certificate or a key client certificate.

Choose File: Choose a destination folder on the local file system and a file name for the exported certificate. A .pem extension will be added to the end of the chosen file name.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Export Certificate
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00078 
 Transaction Id:  1154 
 Return Code:  0 
 Command completed successfully.
Command Output:
 Certificate Type:  C 
 Certificate Name:  MyCertificate
 Certificate Length:  01598 
---------------------------------------
End Export Certificate Command
---------------------------------------

The Certificate Type and Certificate Name are both echoed as part of the command response, as well as the total length of the exported certificate (Certificate Length).

Get Certificate List

Use this command to display a list of certificates.

Certificate Type: The type of certificates you would like to list. Client certificates are public certificates used to identify users or entities on the AKM server. They could be either admin certificates or key client certificates. CA certificates are trusted certificates used to sign client certificates.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Get Certificate List
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00014 
 Transaction Id:  1050 
 Return Code:  0 
 Command completed successfully.
Command Output:
 More Flag:  N 
 List Segment Length:  00152 
  Certificate:  AKMServerSignedCert
   Not Before Date:  091005 
   Not After Date:  370220 
  Certificate:  MyCertificate
   Not Before Date:  091005 
   Not After Date:  370220 
 Total number of entries returned: 2
---------------------------------------
End Get Certificate List Command
---------------------------------------

Each returned Certificate has its name displayed followed by its dates of validity. The certificate is not valid before its Not Before Date nor after its Not After Date, but is valid any date in between the two, inclusive.
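To show how a response like the one above can be checked, here is an added example (not code from the AKM Administrative Console or its documentation) that parses a Get Certificate List response and reports which certificates are valid on a given date, treating both boundary dates as valid. It assumes the Not Before/Not After values are YYMMDD with the century 20YY; the sample response is constructed from the format shown, with a documentation-range server address.

```python
"""Parse a Get Certificate List response and check certificate validity.

Added example; this is not code from the AKM Administrative Console.
Assumptions: Not Before/Not After values are YYMMDD and the two-digit year
means 20YY. SAMPLE_RESPONSE is constructed from the format shown in the
manual, with a documentation-range server address.
"""
import re
from datetime import date

# Constructed sample response in the console's output format.
SAMPLE_RESPONSE = """\
------------------------------------------
Command: Get Certificate List
------------------------------------------
Server: AKM Server (192.0.2.10 port 6001)
 Transaction Length:  00014
 Transaction Id:  1050
 Return Code:  0
 Command completed successfully.
Command Output:
 More Flag:  N
 List Segment Length:  00152
  Certificate:  AKMServerSignedCert
   Not Before Date:  091005
   Not After Date:  370220
  Certificate:  MyCertificate
   Not Before Date:  091005
   Not After Date:  370220
 Total number of entries returned: 2
---------------------------------------
End Get Certificate List Command
---------------------------------------
"""


def parse_yymmdd(value: str) -> date:
    """Convert the console's YYMMDD field to a date (assumes century 20YY)."""
    if not re.fullmatch(r"\d{6}", value):
        raise ValueError(f"bad YYMMDD value: {value!r}")
    return date(2000 + int(value[:2]), int(value[2:4]), int(value[4:6]))


def _field(line: str) -> str:
    """Return the value after the first colon, stripped of surrounding blanks."""
    return line.split(":", 1)[1].strip()


def parse_response(text: str) -> dict:
    """Parse the response frame into a dict.

    Captures the Command, Return Code, More Flag and, for each Certificate
    line, its name and the validity dates on the indented lines that follow.
    """
    result = {"command": None, "return_code": None, "more": None, "certificates": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Command:"):
            result["command"] = _field(line)
        elif line.startswith("Return Code:"):
            result["return_code"] = int(_field(line))
        elif line.startswith("More Flag:"):
            # Y means the server holds further segments; the list is partial.
            result["more"] = _field(line) == "Y"
        elif line.startswith("Certificate:"):
            current = {"name": _field(line)}
            result["certificates"].append(current)
        elif line.startswith("Not Before Date:") and current is not None:
            current["not_before"] = parse_yymmdd(_field(line))
        elif line.startswith("Not After Date:") and current is not None:
            current["not_after"] = parse_yymmdd(_field(line))
    return result


def valid_certificates(response: dict, on: date) -> list:
    """Names of certificates valid on `on`: Not Before <= on <= Not After."""
    if response["return_code"] != 0:
        raise RuntimeError(f"command failed with Return Code {response['return_code']}")
    return [
        c["name"]
        for c in response["certificates"]
        if c["not_before"] <= on <= c["not_after"]
    ]


if __name__ == "__main__":
    parsed = parse_response(SAMPLE_RESPONSE)
    print(parsed["command"], "Return Code", parsed["return_code"])
    print("valid today:", valid_certificates(parsed, date.today()))
```

If the More Flag is Y the parsed list is only one segment, so a certificate missing from it is not necessarily absent from the server.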

Get Private Key List

Use this command to display the list of private keys.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Get Private Key List
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00014 
 Transaction Id:  1120 
 Return Code:  0 
 Command completed successfully.
Command Output:
 More Flag:  N 
 List Segment Length:  00064 
  Line 1:  AKMServerPrivKey
---------------------------------------
End Get Private Key List Command
---------------------------------------

Each private key name is listed on its own numbered line (Line 1, Line 2, Line 3, etc.). In the above example only one private key is returned, AKMServerPrivKey, and it is printed on Line 1.

Import Certificate

Use this command to import a certificate stored on the local file system into the AKM server.

Certificate Name: The name you would like the certificate to have on the AKM server.

Certificate Type: The type of certificate that is being imported. Possible values are a Client certificate or a certificate authority (CA) certificate. A “Client” certificate could be either an admin certificate or a key client certificate. These can be found in the /home/admin/downloads/*user.zip archive on the AKM server.

Overwrite Existing Certificate: If a certificate with the same name already exists on the AKM server selecting Yes will cause the existing certificate to be silently overwritten. Selecting No will cause an error to be thrown if a certificate with the same name already exists on the AKM server.

Choose File: Browse to select a .pem file from the local file system that contains the certificate you wish to import.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Import Certificate
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00008 
 Transaction Id:  1140 
 Return Code:  0 
 Command completed successfully.
Command Output:
 No additional command output
---------------------------------------
End Import Certificate Command
---------------------------------------

A Return Code of “0” indicates that the certificate was successfully imported.

Import Private Key

Use this command to import a private key to the AKM server.

Private Key Name: The unique name the private key will be identified by on the AKM server.

Overwrite Existing Key: If a private key with the same name already exists on the server, selecting Yes will cause the existing private key to be silently overwritten. Selecting No will cause an error to be thrown if a private key with the same name already exists on the server.

Choose File: Browse to select the file that contains the .pem formatted private key that will be imported to the server.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Import Private Key
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00008 
 Transaction Id:  1144 
 Return Code:  0 
 Command completed successfully.
Command Output:
 No additional command output
---------------------------------------
End Import Private Key Command
---------------------------------------

A Return Code of “0” indicates that the private key was successfully imported.

RSA Keys

Export RSA Public Key

Use this command to export an RSA public key from AKM to your filesystem.

Key Name: The name of the RSA public key on the AKM server to export. (required)

Key Instance: The instance of the RSA public key on the AKM server to export.

Choose File: Choose a destination folder on the local file system and a file name for the exported RSA public key. The exported key will be DER encoded.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Export RSA Public Key
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00082 
 Transaction Id:  1228 
 Return Code:  0 
 Command completed successfully.
Command Output:
 Key Name: test
 Key Instance: 8D8njkPXS3sucezqkI9N1Q==
Value Length:  00140
---------------------------------------
End Export RSA Public Key Command
---------------------------------------

Import RSA Public Key

Use this command to import an RSA public key from your filesystem into your AKM server.

Key Name: The name the key will be referenced by on the AKM server.

Key Size: The size of the key in bits. This selection should match the actual size of the key that will be imported.

Activation Date: The date the key will be available for use. A date may be chosen or the Activate key immediately checkbox can be selected to make the key immediately available for use.

Expiration Date: The date the key will be made unavailable for use. A date may be chosen or the Key never expires checkbox can be selected to mark the key as always available.

Deletable: Determines if this key is deletable. Possible values are Yes it can be deleted and No it cannot be deleted. A key’s “deletable” flag can later be changed via the “Change Deletable” command.

Mirror Key: Determines if the generated keys are mirrored (copied and maintained) to a high availability server if one is configured. Selecting Yes indicates you would like the key mirrored to a high availability server. Selecting No indicates you would not like the key mirrored to a high availability server.

Key Access: Determines who can access this key once it is imported. Possible values are:

  • Anyone: The key is available to anyone holding a client certificate.

  • User: The key is available to anyone holding a client certificate that has a Common Name (CN) that matches one of the Users defined to have access to this key. A User may be entered in the User Name field. Additional Users can be granted access to individual keys using the “Set User Access To Key” command.

  • Group: The key is available to anyone holding a client certificate that has an Organizational Unit (OU) that matches one of the Groups defined to have access to this key. A Group may be entered in the Group Name field. Additional Groups can be granted access to individual keys using the “Set Group Access To Key” command.

  • User + Group: The key is available to anyone holding a client certificate that has a Common Name (CN) that matches one of the Users defined to have access to this key, and an Organizational Unit (OU) that matches one of the Groups defined to have access to this key.

User Name: The name of the user who has access to this key. This field is only active if a Key Access selection of User, User + Group Permissive or User + Group Strict is selected.

Group Name: The name of the group that has access to this key. This field is only active if a Key Access selection of Group, User + Group Permissive or User + Group Strict is selected.

Choose File: Select the RSA public key DER file.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Import RSA Public Key
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00056 
 Transaction Id:  1230 
 Return Code:  0 
 Command completed successfully.
Command Output:
 KeyName:  import_test
 Key Instance:  Lmyr8ofebWjWyJrhLn+60w== 
---------------------------------------
End Import RSA Public Key Command
---------------------------------------

The Key Name is echoed as part of the command response in addition to the newly generated Key Instance for that key.

Symmetric Keys

This group includes the following commands:

  • Export Symmetric Key

  • Import Symmetric Key

See the sections below for more information.

Export Symmetric Key

Use this command to export a key to your local file system.

Key Name: The key whose instance will be exported.

Key Instance: The key instance to be exported.

Key Format: The format that the exported key will be written in. Possible values are:

  • RSA: Export the key in Base64 encoded PEM format.

  • BIN: Export the key in binary format.

  • B16: Export the key in Base16, or hex, format.

  • B64: Export the key in Base64 encoded using the RFC 4846 standard.

IMPORTANT: If PCIDSSMode has been set to Y (Yes) in the AKM configuration file (akm.conf), it will only be possible to export keys in RSA format. See the AKM Server Management Guide for information on modifying the AKM configuration file.

If RSA is selected, the key will be encrypted using the public key of the certificate named in the Certificate Name field, with the padding specified in the RSA Padding Mode field. Your certificate will be the public cert of the CA Public pair. These certificates can be found in the AKM filesystem at /home/admin/downloads/*user.zip. To export a key you will first need to import the client certificate; for this you can use the “Import Certificate” command under Key Import/Export.

Certificate Name: The certificate whose public key will be used to encrypt the file containing the exported key if RSA is selected as the Key Format. If you are unsure what it is called, you can use “Get Certificate List” under Key Import/Export to find it.

RSA Padding Mode: The mode of padding to use if RSA is selected as the Key Format.

Choose File: The destination on the local file system for the exported key file.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Export Symmetric Key
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00340 
 Transaction Id:  1026 
 Return Code:  0 
 Command completed successfully.
Command Output:
 Key Name:  MyKey
 Key Instance:  Ni3s7rbx3WUGHPPJLr9mkA== 
 Key Size Bits:  0128 
 Key Format:  RSA 
 RSA Padding Mode:  2 
---------------------------------------
End Export Symmetric Key Command
---------------------------------------

The Key Name, Key Instance, Key Format and RSA Padding Mode (if the Key Format was RSA) are all echoed as part of the command response, as well as the exported key's size in bits (Key Size Bits). If the Return Code is “0”, a file containing the exported key now exists at the location specified in the “Choose File” field.

Import Symmetric Key

Use this command to import a symmetric key from your local file system into the Alliance Key Manager key database.

Key Name: The name the key will be referenced by on the AKM server.

Key Size: The size of the key in bits. This selection should match the actual size of the key that will be imported.

Activation Date: The date the key will be available for use. A date may be chosen or the Activate key immediately checkbox can be selected to make the key immediately available for use.

Expiration Date: The date the key will be made unavailable for use. A date may be chosen or the Key never expires checkbox can be selected to mark the key as always available.

Rollover Code: The way new instances of this key will be generated. Automatic indicates that new instances will be created automatically after the number of days entered in the Rollover Days field. Manual indicates that new instances will need to be manually created using the “Rollover” command. Never indicates that new instances of the key will never be created.

Rollover Days: The number of days before new key instances are created if Automatic is selected for Rollover Code. This field is required if Automatic is selected.

Deletable: Determines if this key is deletable. Possible values are Yes it can be deleted and No it cannot be deleted. A key’s “deletable” flag can later be changed via the “Change Deletable” command.

Mirror Key: Determines if the generated keys are mirrored (copied and maintained) to a high availability server if one is configured. Selecting Yes indicates you would like the key mirrored to a high availability server. Selecting No indicates you would not like the key mirrored to a high availability server.

Key Access: Determines who can access this key once it is imported. Possible values are:

  • Anyone: The key is available to anyone holding a client certificate.

  • User: The key is available to anyone holding a client certificate that has a Common Name (CN) that matches one of the Users defined to have access to this key. A User may be entered in the User Name field. Additional Users can be granted access to individual keys using the “Set User Access To Key” command.

  • Group: The key is available to anyone holding a client certificate that has an Organizational Unit (OU) that matches one of the Groups defined to have access to this key. A Group may be entered in the Group Name field. Additional Groups can be granted access to individual keys using the “Set Group Access To Key” command.

  • User + Group Permissive: The key is available to anyone holding a client certificate that has a Common Name (CN) that matches one of the Users defined to have access to this key, and an Organizational Unit (OU) that matches one of the Groups defined to have access to this key.

  • User + Group Strict: The key is available to anyone holding a client certificate that has a Common Name (CN) that matches one of the Users defined to have access to this key, and an Organizational Unit (OU) that matches one of the Groups defined to have access to this key, provided the User has also been added to a Group defined to have access to this key. This must be done with the “Add User to Group” command.

User Name: The name of the user who has access to this key. This field is only active if a Key Access selection of User, User + Group Permissive or User + Group Strict is selected.

Group Name: The name of the group that has access to this key. This field is only active if a Key Access selection of Group, User + Group Permissive or User + Group Strict is selected.
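The Key Access modes above (and the same field on Import RSA Public Key) decide access from the client certificate's CN and OU. The following is an added example, not AKM code, that models those rules so a key's policy can be reviewed against a given certificate; the class names, the mode labels and the group-membership map (standing in for “Add User to Group”) are assumptions for the illustration.

```python
"""Model of the AKM Key Access modes for one key.

Added example; this is not AKM code. The client certificate's CN is matched
against the key's Users and its OU against the key's Groups, following the
Key Access descriptions in the manual. The class names, mode labels and the
group-membership map (standing in for "Add User to Group") are assumptions.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ClientCert:
    """Subject fields of a key client certificate (constructed, not a real cert)."""
    cn: str  # Common Name
    ou: str  # Organizational Unit


@dataclass
class KeyPolicy:
    """Access policy attached to one key (assumed representation)."""
    access: str  # ANYONE, USER, GROUP, USER_GROUP_PERMISSIVE or USER_GROUP_STRICT
    users: set = field(default_factory=set)   # CNs granted via User Name / Set User Access To Key
    groups: set = field(default_factory=set)  # OUs granted via Group Name / Set Group Access To Key


def may_access(cert: ClientCert, policy: KeyPolicy, group_members: dict) -> bool:
    """Return True if the holder of `cert` may use the key under `policy`.

    group_members maps a group name to the set of user CNs added to it with
    "Add User to Group"; it is consulted only for USER_GROUP_STRICT.
    """
    user_ok = cert.cn in policy.users
    group_ok = cert.ou in policy.groups
    if policy.access == "ANYONE":
        return True  # any holder of a client certificate
    if policy.access == "USER":
        return user_ok
    if policy.access == "GROUP":
        return group_ok
    if policy.access == "USER_GROUP_PERMISSIVE":
        return user_ok and group_ok  # CN and OU must both match
    if policy.access == "USER_GROUP_STRICT":
        # CN and OU must match, and the user must also have been added to a
        # group that is defined to have access to this key.
        in_group = any(cert.cn in group_members.get(g, set()) for g in policy.groups)
        return user_ok and group_ok and in_group
    raise ValueError(f"unknown Key Access mode: {policy.access}")


def decision_table(cert: ClientCert, users: set, groups: set, group_members: dict) -> dict:
    """Evaluate one certificate against every mode; handy when reviewing a key's policy."""
    modes = ["ANYONE", "USER", "GROUP", "USER_GROUP_PERMISSIVE", "USER_GROUP_STRICT"]
    return {m: may_access(cert, KeyPolicy(m, users, groups), group_members) for m in modes}


if __name__ == "__main__":
    # Constructed sample: key granted to user app1 and group payments.
    cert = ClientCert(cn="app1", ou="payments")
    print(decision_table(cert, {"app1"}, {"payments"}, {"payments": {"app1"}}))
    print(decision_table(cert, {"app1"}, {"payments"}, {}))  # user never added to the group
```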

Key Format: The format the key is in. The supported formats are:

  • RSA: Base64 encoded PEM format

  • BIN: binary format

  • B16: Base16, or hex, format

  • B64: Base64 encoded using the RFC 4846 standard

RSA Private Key Name: The name of the RSA private key that was used to encrypt the symmetric key. This field is only active if RSA was selected for Key Format. The private key here refers to the CA certificate that can be found using the “Get Certificate List” command under Key Import/Export.

RSA Padding Mode: The padding mode used when encrypting the symmetric key. This field is only active if RSA was selected for Key Format.

Choose File: Select the file that contains the symmetric key that will be imported from the local file system.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Import Symmetric Key
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00072 
 Transaction Id:  1024 
 Return Code:  0 
 Command completed successfully.
Command Output:
 KeyName:  MyKeyImported
 Key Instance:  /myr8ofebWjWyJrhLn+60w== 
---------------------------------------
End Import Symmetric Key Command
---------------------------------------

The Key Name is echoed as part of the command response in addition to the newly generated Key Instance for that key.

Chapter 10: Key Connection for SQL Server

This group includes the following commands:

  • Create EKM Key

  • Delete EKM Key

  • Display EKM Info List

  • Display EKM Info Policy

  • Display EKM Key List

  • Display EKM Key Policy

  • Enable Key for EKM

  • Remove Key for EKM

See the sections below for more information.

Create EKM Key

Use this command to create an asymmetric key for use with SQL Server.

Key Name: The name for the new key.

Key Size: The size of the new key in bits.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Create EKM Key
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00072 
 Transaction Id:  1186 
 Return Code:  0 
 Command completed successfully.
Command Output:
 Key Name:  MyEkmKey
 Key Instance:  Q9TGt4qxmwpcefycUKaL+Q== 
---------------------------------------
End Create EKM Key Command
---------------------------------------

The Key Name is echoed as part of the command response as well as the newly generated Key Instance.

Delete EKM Key

Use this command to permanently delete an EKM key from the AKM server.

Key Name: The name of the key to delete from the AKM server.

Ignore Missing Records: Determines whether the command will throw an error if a key with the specified name is not found. Selecting Yes causes a missing key name to be silently ignored (i.e. the command will not throw an error if the key name is not found). Selecting No causes an error to be thrown if the key name is not found.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Delete EKM Key
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00056 
 Transaction Id:  1192 
 Return Code:  0 
 Command completed successfully.
Command Output:
 Key Name:  MyEkmKey
 Date of Deletion:  20131204 
---------------------------------------
End Delete EKM Key Command
---------------------------------------

The Key Name (MyEkmKey) is echoed as part of the command response along with the Date of Deletion in YYYYMMDD format.

Display EKM Info List

Use this command to display a list of EKM keys, including keys that are not currently enabled for use by EKM.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Display EKM Info List
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00014 
 Transaction Id:  1194 
 Return Code:  0 
 Command completed successfully.
Command Output:
 More Flag:  N 
 List Segment Length:  00240 
  Line 1:  KEY
  Line 2:  MyEkmKey
  Line 3:  RSA1
  Line 4:  RSA2
---------------------------------------
End Display EKM Info List Command
---------------------------------------

Each key name is displayed on its own numbered line, i.e. Line 1 (KEY), Line 2 (MyEkmKey), Line 3 (RSA1), Line 4 (RSA2).

Display EKM Info Policy

Use this command to display the details of an EKM key.

Key Name: The name of the key whose details will be displayed.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Display EKM Info Policy
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00117 
 Transaction Id:  1198 
 Return Code:  0 
 Command completed successfully.
Command Output:
 Key Name:  MyEkmKey
 Key ID:  0000000007 
 Thumbprint:  Wg8AAqiBaO9UgkGuBYPm1g== 
 Algorithm ID:  RSA_1024             
 Supported:  N 
 Volatile:  N 
 Exportable:  N 
 Importable:  N 
 Key Type:  E 
 Timestamp:  20131204013010 
---------------------------------------
End Display EKM Info Policy Command
---------------------------------------

The Key Name is echoed as part of the command response followed by the details of the key.

Display EKM Key List

Use this command to display a list of all keys enabled for use by EKM.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Display EKM Key List
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00014 
 Transaction Id:  1196 
 Return Code:  0 
 Command completed successfully.
Command Output:
 More Flag:  N 
 List Segment Length:  00200 
  Line 1:  MyEkmKey
  Line 2:  RSA1
  Line 3:  RSA2
---------------------------------------
End Display EKM Key List Command
---------------------------------------

Each key name is displayed on its own numbered line, i.e. Line 1 (MyEkmKey), Line 2 (RSA1), Line 3 (RSA2).

Display EKM Key Policy

Use this command to display details of a specific EKM key instance.

Key Name: The name of the key.

Key Instance: The key instance whose details will be displayed.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Display EKM Key Policy
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00108 
 Transaction Id:  1200 
 Return Code:  0 
 Command completed successfully.
Command Output:
 Key Name:  MyEkmKey
 Key Instance:  Q9TGt4qxmwpcefycUKaL+Q== 
 Current:  Y 
 Key Size:  01024 
 Creation Date:  20131204 
 Deleted Date:  00000000 
 Timestamp:  20131204012050 
---------------------------------------
End Display EKM Key Policy Command
---------------------------------------

The Key Name and Key Instance are both echoed as part of the command response, along with whether the given instance is the Current or active instance (Y), the Key Size (1024 bits), Creation Date (20131204, i.e. 12/04/2013), Deleted Date (00000000, meaning the instance has not been deleted) and Timestamp (20131204012050).

Enable Key for EKM

Use this command to enable a key for use by EKM.

Key Name: The name of the key that will be enabled.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Enable Key for EKM
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00008 
 Transaction Id:  1182 
 Return Code:  0 
 Command completed successfully.
Command Output:
 No additional command output
---------------------------------------
End Enable Key for EKM Command
---------------------------------------

A Return Code of “0” indicates that the key was successfully enabled for use by EKM.

Remove Key for EKM

Use this command to remove access to a key from EKM.

Key Name: The name of the key to remove from EKM access.

Ignore Missing Records: Determines if this command will throw an error if a key with the specified name is not found. Selecting Yes causes a missing key name to be silently ignored (i.e. the command will not throw an error if the key name is not found). Selecting No causes an error to be thrown if the key name is not found.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Remove Key for EKM
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00008 
 Transaction Id:  1188 
 Return Code:  0 
 Command completed successfully.
Command Output:
 No additional command output
---------------------------------------
End Remove Key for EKM Command
---------------------------------------

A Return Code of “0” indicates that the key was successfully removed from EKM access.

Chapter 11: Manage RSA Keys

This group includes the following commands:

  • Activate RSA Public Key

  • Activate RSA Private Key

  • Change Private Key Activation Date

  • Change Private Key Deletable Flag

  • Change Private Key Expiration Date

  • Change Private Key Mirror Flag

  • Change Public Key Activation Date

  • Change Public Key Deletable Flag

  • Change Public Key Expiration Date

  • Change Public Key Mirror Flag

  • Create RSA Key Pair

  • Delete RSA Key

  • Delete RSA Key Instance

  • Delete RSA Private Key

  • Delete RSA Public Key

  • Display RSA Key Name List

  • Display RSA Key Policy

  • Revoke RSA Private Key

  • Revoke RSA Public Key

See the sections below for more information.

Activate RSA Public Key

This command can be used to activate a revoked RSA public key. After a key is revoked, its activation date cannot be changed; you must first activate the public key with this command.

Key Name: The name of the RSA public key which will have its activation date set.

Activation Date: The date the RSA public key will be activated and available for use.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Activate RSA Public Key
------------------------------------------
Server: SQL_AKM (10.0.1.109 port 6001)
 Transaction Length: 00056
 Transaction Id: 1258
 Return Code: 0
 Command completed successfully.
Command Output: 
 Key Name: RSAtest                                 
 Activation Date: 00000000
---------------------------------------
End Activate RSA Public Key Command
---------------------------------------

A Return Code of “0” indicates that the RSA public key was successfully activated.

Activate RSA Private Key

Similar to the option above, this command can be used to activate a revoked RSA private key. After a key is revoked, its activation date cannot be changed; you must first activate the private key with this command.

Key Name: The name of the RSA private key which will have its activation date set.

Activation Date: The date the RSA private key will be activated and available for use.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Activate RSA Private Key
------------------------------------------
Server: SQL_AKM (10.0.1.109 port 6001)
 Transaction Length: 00056
 Transaction Id: 1256
 Return Code: 0
 Command completed successfully.
Command Output: 
 Key Name: RSAtest                                 
 Activation Date: 00000000
---------------------------------------
End Activate RSA Private Key Command
---------------------------------------

A Return Code of “0” indicates that the RSA private key was successfully activated.

Change Private Key Activation Date

Use this command to activate the private key of an RSA key pair immediately or on a future date.

Key Name: The name of the key which will have its activation date set.

Activation Date: The date the key will be activated and available for use.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Change Private Key Activation Date
------------------------------------------
Server: qakm1 (10.0.1.177 port 6001)
 Transaction Length: 00056
 Transaction Id: 1232
 Return Code: 0
 Command completed successfully.
Command Output:
 Key Name: RSAtest
 Activation Date: 20160929
---------------------------------------
End Change Private Key Activation Date Command
---------------------------------------

Change Private Key Deletable Flag

Use this command to change the deletable flag for an RSA private key.

Key Name: The name of the key which will have its deletable flag set.

Deletable: Determines if this key is deletable. Possible values are Yes (it can be deleted) and No (it cannot be deleted).

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Change Private Key Deletable Flag
------------------------------------------
Server: qakm1 (10.0.1.177 port 6001)
 Transaction Length: 00049
 Transaction Id: 1240
 Return Code: 0
 Command completed successfully.
Command Output:
 Key Name: RSAtest
 Deletable: Y
---------------------------------------
End Change Private Key Deletable Flag Command
---------------------------------------

Change Private Key Expiration Date

Use this command to expire the private key of an RSA key pair on a specified date or never.

Key Name: The name of the key which will have its expiration date set.

Expiration Date: The date the key will be expired and unavailable for use.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Change Private Key Expiration Date
------------------------------------------
Server: qakm1 (10.0.1.177 port 6001)
 Transaction Length: 00056
 Transaction Id: 1236
 Return Code: 0
 Command completed successfully.
Command Output:
 Key Name: RSAtest
 Expiration Date: 20161014
---------------------------------------
End Change Private Key Expiration Date Command
---------------------------------------

Change Private Key Mirror Flag

Use this command to change the mirroring status of an RSA private key. Keys that are mirrored are automatically copied to a high availability server if one has been configured.

Key Name: The name of the private key whose mirror value will be changed.

Mirror Key: The new mirror value for the key. Selecting Yes indicates you would like the key mirrored to a high availability server. Selecting No indicates you would not like the key mirrored to a high availability server.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Change Private Key Mirror Flag
------------------------------------------
Server: qakm1 (10.0.1.177 port 6001)
 Transaction Length: 00049
 Transaction Id: 1244
 Return Code: 0
 Command completed successfully.
Command Output:
 Key Name: RSAtest
 Mirror Key: Y
---------------------------------------
End Change Private Key Mirror Flag Command
---------------------------------------

Change Public Key Activation Date

Use this command to activate the public key of an RSA key pair immediately or on a future date.

Key Name: The name of the key which will have its activation date set.

Activation Date: The date the key will be activated and available for use.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Change Public Key Activation Date
------------------------------------------
Server: qakm1 (10.0.1.177 port 6001)
 Transaction Length: 00056
 Transaction Id: 1234
 Return Code: 0
 Command completed successfully.
Command Output:
 Key Name: RSAtest
 Activation Date: 00000000
---------------------------------------
End Change Public Key Activation Date Command
---------------------------------------

Change Public Key Deletable Flag

Use this command to change the deletable flag for an RSA public key.

Key Name: The name of the key which will have its deletable flag set.

Deletable: Determines if this key is deletable. Possible values are Yes (it can be deleted) and No (it cannot be deleted).

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Change Public Key Deletable Flag
------------------------------------------
Server: qakm1 (10.0.1.177 port 6001)
 Transaction Length: 00049
 Transaction Id: 1242
 Return Code: 0
 Command completed successfully.
Command Output:
 Key Name: RSAtest
 Deletable: Y
---------------------------------------
End Change Public Key Deletable Flag Command
---------------------------------------

Change Public Key Expiration Date

Use this command to expire the public key of an RSA key pair on a specified date or never.

Key Name: The name of the key which will have its expiration date set.

Expiration Date: The date the key will be expired and unavailable for use.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Change Public Key Expiration Date
------------------------------------------
Server: qakm1 (10.0.1.177 port 6001)
 Transaction Length: 00056
 Transaction Id: 1238
 Return Code: 0
 Command completed successfully.
Command Output:
 Key Name: RSAtest
 Expiration Date: 00000000
---------------------------------------
End Change Public Key Expiration Date Command
---------------------------------------

Change Public Key Mirror Flag

Use this command to change the mirroring status of an RSA public key. Keys that are mirrored are automatically copied to a high availability server if one has been configured.

Key Name: The name of the public key whose mirror value will be changed.

Mirror Key: The new mirror value for the key. Selecting Yes indicates you would like the key mirrored to a high availability server. Selecting No indicates you would not like the key mirrored to a high availability server.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Change Public Key Mirror Flag
------------------------------------------
Server: qakm1 (10.0.1.177 port 6001)
 Transaction Length: 00049
 Transaction Id: 1246
 Return Code: 0
 Command completed successfully.
Command Output:
 Key Name: RSAtest
 Mirror Key: Y
---------------------------------------
End Change Public Key Mirror Flag Command
---------------------------------------

Create RSA Key Pair

Use this command to create an RSA key pair on AKM.

Key Name: The name of the key.

Key Size: The size of the key in bits. The larger the number of bits, the more secure the key.

Activation Date: The date that the key will be activated and available for use. To activate the key immediately, select the Activate key immediately checkbox.

Expiration Date: The date that the key will expire and no longer be available for use. Select the Key never expires checkbox if you wish the key to never expire.

Deletable: Determines if this key is deletable. Possible values are Yes (it can be deleted) and No (it cannot be deleted). A key’s “deletable” flag can later be changed via the “Change Deletable” command.

Mirror Key: Determines if the generated keys are mirrored (copied and maintained) to a high availability server if one is configured. If Yes is selected the key will be mirrored to a backup server. If No is selected then the key will not be mirrored to a backup server.

Key Access: Determines who can access this key once it is created. Possible values are:

  • Anyone: The key is available to anyone holding a client certificate.

  • User: The key is available to anyone holding a client certificate that has a Common Name (CN) that matches one of the Users defined to have access to this key. A User may be entered in the User Name field. Additional Users can be granted access to individual keys using the “Set User Access To Key” command.

  • Group: The key is available to anyone holding a client certificate that has an Organizational Unit (OU) that matches one of the Groups defined to have access to this key. A Group may be entered in the Group Name field. Additional Groups can be granted access to individual keys using the “Set Group Access To Key” command.

  • User + Group Permissive: The key is available to anyone holding a client certificate that has a Common Name (CN) that matches one of the Users defined to have access to this key, and an Organizational Unit (OU) that matches one of the Groups defined to have access to this key.

User Name: The name of the user who has access to the key.

Group Name: The name of the group whose members have access to the key.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Create RSA Key Pair
------------------------------------------
Server: qakm1 (10.0.1.177 port 6001)
 Transaction Length: 00096
 Transaction Id: 1208
 Return Code: 0
 Command completed successfully.
Command Output:
 Key Name: RSAtest
 Public Key Instance: IemsF31iBGJIdisTzRNQOQ==
 Private Key Instance: wkUWHl9jJlL/UmZ0MmgVJw==
---------------------------------------
End Create RSA Key Pair Command
---------------------------------------

Delete RSA Key

Use this command to delete both the public and private keys of an RSA key pair by key name.

Key Name: The name of the key.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Delete RSA Key
------------------------------------------
Server: qakm1 (10.0.1.177 port 6001)
 Transaction Length: 00056
 Transaction Id: 1218
 Return Code: 0
 Command completed successfully.
Command Output:
 Key Name: RSAtest
 Date of Deletion: 20160928
---------------------------------------
End Delete RSA Key Command
---------------------------------------

Delete RSA Key Instance

Use this command to delete an RSA key by instance.

Key Instance: The instance of the key to be deleted.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Delete RSA Key Instance
------------------------------------------
Server: qakm1 (10.0.1.177 port 6001)
 Transaction Length: 00072
 Transaction Id: 1212
 Return Code: 0
 Command completed successfully.
Command Output:
 Key Instance: BlEzr+pkpfeMvTEPE8NSGg==
---------------------------------------
End Delete RSA Key Instance Command
---------------------------------------

Delete RSA Private Key

Use this command to delete an RSA private key.

Key Name: The name of the RSA private key to delete.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Delete RSA Private Key
------------------------------------------
Server: qakm1 (10.0.1.177 port 6001)
 Transaction Length: 00056
 Transaction Id: 1252
 Return Code: 0
 Command completed successfully.
Command Output:
 Key Name: RSAtest
 Date of Deletion: 20160928
---------------------------------------
End Delete RSA Private Key Command
---------------------------------------

Delete RSA Public Key

Use this command to delete an RSA public key.

Key Name: The name of the RSA public key to delete.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Delete RSA Public Key
------------------------------------------
Server: qakm1 (10.0.1.177 port 6001)
 Transaction Length: 00056
 Transaction Id: 1254
 Return Code: 0
 Command completed successfully.
Command Output:
 Key Name: RSAtest
 Date of Deletion: 20160928
---------------------------------------
End Delete RSA Public Key Command
---------------------------------------

Display RSA Key Name List

Use this command to display a list of RSA keys on AKM.

RSA Key Type: Can be Public, Private, or Both.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Display RSA Key Name List
------------------------------------------
Server: qakm1 (10.0.1.177 port 6001)
 Transaction Length: 00014
 Transaction Id: 1220
 Return Code: 0
 Command completed successfully.
Command Output:
 More Flag: N
 List Segment Length: 00132
  RSAtest
    Type: Pub
  RSAtest2
    Type: Pub
  test
    Type: Pub
Total Number of Keys Returned: 3
---------------------------------------
End Display RSA Key Name List Command
---------------------------------------

Display RSA Key Policy

Use this command to show the policy attributes applied to a key.

Key Name: The name of the key whose policy to display.

Key Instance: The instance of the key whose policy to display.

RSA Key Type: The type of the key. Can be public or private.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Display RSA Key Policy
------------------------------------------
Server: qakm1 (10.0.1.177 port 6001)
 Transaction Length: 00153
 Transaction Id: 1222
 Return Code: 0
 Command completed successfully.
Command Output:
 Key Name: RSAtest
 Key Type: Pub
 Key Instance: 3PC882gUwe9qHygGxpXyBA==
 Paired Key Instance: YNkXEK7ua2+MK+W5mHhy7A==
 Key Size Bits: 01024
 Creation Date: 20160928
 Activation Date: 00000000
 Expiration Date: 00000000
 Deletable: Y
 Key Revoked Date: 00000000
 Mirror Key: Y
 Time Stamp: 20160928222824
---------------------------------------
End Display RSA Key Policy Command
---------------------------------------
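The policy fields returned above are what a Crypto Officer audits to decide whether a key is usable on a given day. The following is an added example, not part of the AKM product or this manual: it parses the response text exactly as the console prints it and derives the key's state. The sample input is the response shown above; reading 00000000 as "not set" (activate immediately, never expires, not revoked) follows the outputs in this chapter and is this example's assumption, as are the rule that a key is expired from the start of its expiration date and the 2048-bit minimum used by the size check.

```python
"""Parse a 'Display RSA Key Policy' response and derive the key's state (added example)."""
from datetime import date

# Sample response, copied from the example output above and used as test input.
SAMPLE_RESPONSE = """\
------------------------------------------
Command: Display RSA Key Policy
------------------------------------------
Server: qakm1 (10.0.1.177 port 6001)
 Transaction Length: 00153
 Transaction Id: 1222
 Return Code: 0
 Command completed successfully.
Command Output:
 Key Name: RSAtest
 Key Type: Pub
 Key Instance: 3PC882gUwe9qHygGxpXyBA==
 Paired Key Instance: YNkXEK7ua2+MK+W5mHhy7A==
 Key Size Bits: 01024
 Creation Date: 20160928
 Activation Date: 00000000
 Expiration Date: 00000000
 Deletable: Y
 Key Revoked Date: 00000000
 Mirror Key: Y
 Time Stamp: 20160928222824
---------------------------------------
End Display RSA Key Policy Command
---------------------------------------
"""

NOT_SET = "00000000"  # assumption: the console prints this for a date that is not set


def parse_response(text):
    """Collect every 'Name: value' line of a response into a dict, stripping the padding."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue  # separator rows, "Command completed successfully.", "End ... Command"
        name, value = line.split(":", 1)
        fields[name.strip()] = value.strip()
    return fields


def parse_akm_date(value):
    """Convert a YYYYMMDD field to a date, or None when it is 00000000."""
    if value == NOT_SET:
        return None
    return date(int(value[:4]), int(value[4:6]), int(value[6:8]))


def key_state(fields, today):
    """Return 'revoked', 'pending', 'expired' or 'active' for the parsed policy on a given day.

    `today` may be a date or a YYYYMMDD string. Revocation wins over every other field.
    """
    if fields.get("Return Code") != "0":
        raise ValueError("command failed: Return Code %s" % fields.get("Return Code", "?"))
    if isinstance(today, str):
        today = parse_akm_date(today)
    if today is None:
        raise ValueError("a real date is required for the check")
    if parse_akm_date(fields["Key Revoked Date"]) is not None:
        return "revoked"
    activation = parse_akm_date(fields["Activation Date"])
    if activation is not None and today < activation:
        return "pending"
    expiration = parse_akm_date(fields["Expiration Date"])
    if expiration is not None and today >= expiration:  # assumption: expired from that day on
        return "expired"
    return "active"


def below_minimum_size(fields, minimum_bits=2048):
    """True when Key Size Bits is under the caller's policy minimum (2048 is this example's choice)."""
    return int(fields["Key Size Bits"]) < minimum_bits


if __name__ == "__main__":
    policy = parse_response(SAMPLE_RESPONSE)
    print(policy["Key Name"], key_state(policy, "20160929"),
          "below minimum size" if below_minimum_size(policy) else "size ok")
```

Run against the response above, the key reports as active on 2016-09-29 and as below the 2048-bit minimum, which is the kind of finding a periodic key inventory review should surface.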

Revoke RSA Private Key

Use this command to revoke an RSA private key.

Key Name: The name of the private key to revoke.

------------------------------------------
Command: Revoke RSA Private Key
------------------------------------------
Server: qakm1 (10.0.1.177 port 6001)
 Transaction Length: 00056
 Transaction Id: 1248
 Return Code: 0
 Command completed successfully.
Command Output:
 Key Name: RSAtest
 Key Revoked Date: 20160928
---------------------------------------
End Revoke RSA Private Key Command
---------------------------------------

Revoke RSA Public Key

Use this command to revoke an RSA public key.

Key Name: The name of the public key to revoke.

------------------------------------------
Command: Revoke RSA Public Key
------------------------------------------
Server: qakm1 (10.0.1.177 port 6001)
 Transaction Length: 00056
 Transaction Id: 1250
 Return Code: 0
 Command completed successfully.
Command Output:
 Key Name: RSAtest
 Key Revoked Date: 20160928
---------------------------------------
End Revoke RSA Public Key Command
---------------------------------------

Chapter 12: User And Group Access To Keys

This group includes the following commands:

  • Get Group List For All Keys

  • Get Group List For Key

  • Get Key Access Flag

  • Get Key Access List

  • Get Key List For Group

  • Get Key List For User

  • Get User List For All Keys

  • Get User List For Key

  • Grant Group Access To Key

  • Grant User Access To Key

  • Revoke All Group Access To Key

  • Revoke All User Access To Key

  • Revoke All User And Group Access To Key

  • Revoke Group Access To All Keys

  • Revoke Group Access To Key

  • Revoke User Access To All Keys

  • Revoke User Access To Key

  • Set Key Access Flag

Strict User/Group Access Control

  • Add User To Group

  • Get Group List For User

  • Get Group Member List

  • Get User List For Group

  • Remove All Users From Group

  • Remove User From All Groups

See the sections below for more information.

Get Group List For All Keys

Use this command to view all group/key access pairings.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Get Group List For All Keys
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00014 
 Transaction Id:  1114 
 Return Code:  0 
 Command completed successfully.
Command Output:
 More Flag:  N 
 List Segment Length:  00888 
 Key Name:  MyKey
  Group Name:  MyGroup
 Key Name:  MyKey
  Group Name:  YourGroup
 Key Name:  MyKey128
  Group Name:  MyGroup
 Total number of entries returned: 3
---------------------------------------
End Get Group List For All Keys Command
---------------------------------------

The command response lists all of the key/group pairings with the Key Name appearing first and the Group Name of the group with access to that key indented below it. If multiple groups have access to the same key, there will be an individual entry for each of the groups. For instance, in the above example key “MyKey” is accessible to groups “MyGroup” and “YourGroup”, so “MyKey” appears twice in the group access list: once for the MyKey/MyGroup key access entry and again for the MyKey/YourGroup key access entry.

Get Group List For Key

Use this command to view a list of groups that can access the given key.

Key Name: The key whose group list will be displayed

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Get Group List For Key
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00054 
 Transaction Id:  1072 
 Return Code:  0 
 Command completed successfully.
Command Output:
 KeyName:  MyKey
 More Flag:  N 
 List Segment Length:  00512 
  Line 1:  MyGroup
  Line 2:  YourGroup
---------------------------------------
End Get Group List For Key Command
---------------------------------------

The Key Name is echoed as part of the command response, followed by a list of groups that have access to the key, with one group per numbered line (Line 1, Line 2, etc.). In the above example, key “MyKey” can be accessed by group “MyGroup” and group “YourGroup”.

Get Key Access Flag

Use this command to retrieve the access control currently enabled on a specific key.

Key Name: The key whose access control state you wish to view

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Get Key Access Flag
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00049 
 Transaction Id:  1080 
 Return Code:  0 
 Command completed successfully.
Command Output:
 KeyName:  MyKey
  Access Flag:  1 
---------------------------------------
End Get Key Access Flag Command
---------------------------------------

The Key Name is echoed along with its Access Flag value. Access flag values are as follows:

1: Anyone

2: User

3: Group

4: User + Group
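The flag values above select the matching rule that the Key Access field of the Create RSA Key Pair command describes: Anyone, a Common Name (CN) match against the granted users, an Organizational Unit (OU) match against the granted groups, or both. The following is an added example, not AKM code, that models those four rules for a client certificate subject. The policy class, the subject parser, the sample names, and the comma-separated "CN=..., OU=..." subject format are this example's own assumptions; for flag 4 it follows the page's wording, requiring both a CN and an OU match.

```python
"""Evaluate a client certificate subject against an AKM-style key access flag (added example)."""
from dataclasses import dataclass, field

# Flag values as listed for Get Key Access Flag.
ANYONE, USER, GROUP, USER_AND_GROUP = 1, 2, 3, 4


@dataclass
class KeyAccessPolicy:
    """One key's access control state (example model, not the server's record format)."""
    access_flag: int
    users: set = field(default_factory=set)    # CNs granted with Grant User Access To Key
    groups: set = field(default_factory=set)   # OUs granted with Grant Group Access To Key


def subject_fields(subject):
    """Split 'CN=..., OU=..., O=...' into {attribute: [values]}.

    A subject may carry several OU values, so every attribute maps to a list.
    Simplification: commas inside values are not handled (no RDN escaping).
    """
    out = {}
    for part in subject.split(","):
        if "=" not in part:
            continue
        attr, value = part.split("=", 1)
        out.setdefault(attr.strip().upper(), []).append(value.strip())
    return out


def client_allowed(policy, subject):
    """True if a client presenting a valid certificate with this subject may use the key.

    Certificate validity itself is checked by the TLS layer and is outside this function.
    """
    fields_ = subject_fields(subject)
    user_match = bool(set(fields_.get("CN", [])) & policy.users)
    group_match = bool(set(fields_.get("OU", [])) & policy.groups)
    if policy.access_flag == ANYONE:
        return True
    if policy.access_flag == USER:
        return user_match
    if policy.access_flag == GROUP:
        return group_match
    if policy.access_flag == USER_AND_GROUP:
        # Per the page's description: CN matches a granted user AND OU matches a granted group.
        return user_match and group_match
    raise ValueError("unknown access flag %r" % policy.access_flag)


if __name__ == "__main__":
    # Constructed sample: MyKey restricted to user MyUser within group MyGroup.
    mykey = KeyAccessPolicy(USER_AND_GROUP, users={"MyUser"}, groups={"MyGroup"})
    for subj in ("CN=MyUser, OU=MyGroup, O=Example", "CN=MyUser, OU=YourGroup, O=Example"):
        print(subj, "->", client_allowed(mykey, subj))
```

Note the two failure modes the evaluation makes visible: a key set to User or Group with an empty grant list is reachable by nobody, and a key set to Anyone is usable by every holder of a client certificate the server trusts, so the flag, not only the grant lists, is what to review.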

Get Key Access List

Use this command to retrieve a list of all configured keys and the type of access control currently enabled on each key.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Get Key Access List
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00014 
 Transaction Id:  1100 
 Return Code:  0 
 Command completed successfully.
Command Output:
 More Flag:  N 
 List Segment Length:  00574 
 Key Name:  MyKey
  Access Flag:  1 
 Key Name:  MyKey128
  Access Flag:  1 
 Key Name:  MyKey192
  Access Flag:  1 
 Key Name:  MyKey256
  Access Flag:  1 
 Total number of entries returned: 4
---------------------------------------
End Get Key Access List Command
---------------------------------------

Each Key Name is returned with its corresponding Access Flag value printed beneath it. Access flag values are as follows:

1: Anyone

2: User

3: Group

4: User + Group

Get Key List For Group

Use this command to view a list of all keys that a group has access to.

Group: The group whose keys you wish to display

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Get Key List For Group
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00270 
 Transaction Id:  1074 
 Return Code:  0 
 Command completed successfully.
Command Output:
 Group Name:  MyGroup
 More Flag:  N 
 List Segment Length:  00080 
  Line 1:  MyKey
  Line 2:  MyKey128
---------------------------------------
End Get Key List For Group Command
---------------------------------------

The Group Name is echoed as part of the command response, followed by a list of keys the group has access to, one key per numbered line (Line 1, Line 2, etc.). In the above example output, group “MyGroup” has access to two keys, “MyKey” and “MyKey128”.

Get Key List For User

Use this command to retrieve a list of keys that a specified user has access to.

User Name: The user to retrieve a list of keys for

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Get Key List For User
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00270 
 Transaction Id:  1060 
 Return Code:  0 
 Command completed successfully.
Command Output:
 User Name:  MyUser
 More Flag:  N 
 List Segment Length:  00120 
  Line 1:  MyKey
  Line 2:  MyKey128
  Line 3:  MyKey256
---------------------------------------
End Get Key List For User Command
---------------------------------------

The User Name is echoed in the output along with a list of keys, one key per numbered line (Line 1, Line 2, Line 3, etc.). In the above example “MyUser” has access to “MyKey”, “MyKey128” and “MyKey256”.

Get User List For All Keys

Use this command to retrieve a list of all keys and all of the users with access to the keys.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Get User List For All Keys
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00014 
 Transaction Id:  1112 
 Return Code:  0 
 Command completed successfully.
Command Output:
 More Flag:  N 
 List Segment Length:  01184 
  Key Name:  MyKey
   User:  MyUser
  Key Name:  MyKey
   User:  YourUser
  Key Name:  MyKey128
   User:  MyUser
  Key Name:  MyKey256
   User:  MyUser
 Total number of entries returned: 4
---------------------------------------
End Get User List For All Keys Command
---------------------------------------

The output lists Key Name/User pairs. If a key has multiple users assigned to it, each User will be listed under a separate Key Name heading. For instance, in the above example “MyKey” is listed twice, once for user “MyUser” and once for user “YourUser”. The end of the output lists the Total number of entries returned, in this case “4”.
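The paired listings from Get User List For All Keys and Get Group List For All Keys, combined with Get Key Access List, are enough to spot keys whose access flag demands a grant that nobody holds. The following is an added example, not AKM code: it reads the three responses in the shape shown in this chapter and reports such keys. The response texts are constructed for the example (the access flags are varied from the all-1 example above to exercise the check), and treating a More Flag other than N as "more list segments to fetch" is this example's assumption.

```python
"""Cross-check key access flags against the user and group grant lists (added example)."""

# Constructed responses in the shape of the examples in this chapter.
USER_LIST = """\
Command: Get User List For All Keys
 Return Code:  0 
Command Output:
 More Flag:  N 
 List Segment Length:  00888 
  Key Name:  MyKey
   User:  MyUser
  Key Name:  MyKey
   User:  YourUser
  Key Name:  MyKey128
   User:  MyUser
 Total number of entries returned: 3
End Get User List For All Keys Command
"""

GROUP_LIST = """\
Command: Get Group List For All Keys
 Return Code:  0 
Command Output:
 More Flag:  N 
 List Segment Length:  00888 
 Key Name:  MyKey
  Group Name:  MyGroup
 Key Name:  MyKey
  Group Name:  YourGroup
 Key Name:  MyKey128
  Group Name:  MyGroup
 Total number of entries returned: 3
End Get Group List For All Keys Command
"""

KEY_ACCESS_LIST = """\
Command: Get Key Access List
 Return Code:  0 
Command Output:
 More Flag:  N 
 List Segment Length:  00574 
 Key Name:  MyKey
  Access Flag:  1 
 Key Name:  MyKey128
  Access Flag:  4 
 Key Name:  MyKey192
  Access Flag:  2 
 Key Name:  MyKey256
  Access Flag:  3 
 Total number of entries returned: 4
End Get Key Access List Command
"""

ANYONE, USER, GROUP, USER_AND_GROUP = 1, 2, 3, 4


def output_lines(text):
    """Yield (name, value) pairs from the Command Output section, stripping the padding."""
    in_output = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Command Output:":
            in_output = True
            continue
        if not in_output or ":" not in line:
            continue
        name, value = line.split(":", 1)
        yield name.strip(), value.strip()


def members_by_key(text, member_label):
    """Group 'Key Name' / member pairs into {key: set(members)}; refuse a partial list."""
    members, current, more = {}, None, None
    for name, value in output_lines(text):
        if name == "More Flag":
            more = value
        elif name == "Key Name":
            current = value
            members.setdefault(current, set())
        elif name == member_label and current is not None:
            members[current].add(value)
    if more != "N":  # assumption: any other value means further segments exist
        raise ValueError("list is segmented (More Flag %r); fetch the remaining segments" % more)
    return members


def access_flags(text):
    """Map each Key Name in a Get Key Access List response to its integer Access Flag."""
    flags, current = {}, None
    for name, value in output_lines(text):
        if name == "Key Name":
            current = value
        elif name == "Access Flag" and current is not None:
            flags[current] = int(value)
    return flags


def unreachable_keys(flags, users, groups):
    """Keys whose flag requires a user/group grant that does not exist: no client can use them."""
    found = []
    for key, flag in flags.items():
        has_user, has_group = bool(users.get(key)), bool(groups.get(key))
        if (flag == USER and not has_user) or (flag == GROUP and not has_group) \
                or (flag == USER_AND_GROUP and not (has_user and has_group)):
            found.append(key)
    return sorted(found)


if __name__ == "__main__":
    print(unreachable_keys(access_flags(KEY_ACCESS_LIST),
                           members_by_key(USER_LIST, "User"),
                           members_by_key(GROUP_LIST, "Group Name")))
```

With the constructed data the check reports MyKey192 (flag 2, no users) and MyKey256 (flag 3, no groups); such keys are the same condition the “Revoke All User And Group Access To Key” command produces deliberately, so the report tells you which ones are intentional and which are drift.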

Get User List for Key

Use this command to retrieve a list of all Users that have been granted access to a specific key.

Key Name: The key whose user list will be retrieved

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Get User List For Key
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00054 
 Transaction Id:  1058 
 Return Code:  0 
 Command completed successfully.
Command Output:
 KeyName:  MyKey
 More Flag:  N 
 List Segment Length:  00512 
  Line 1:  MyUser
  Line 2:  YourUser
---------------------------------------
End Get User List For Key Command
---------------------------------------

The specified Key Name is echoed and the Users are listed after List Segment Length with each User printed on a single numbered line (Line 1, Line 2, etc.). In the above example two Users currently have access to the specified key: MyUser and YourUser.

Grant Group Access To Key

Use this command to allow a group access to a specific key. The key must already exist. A group may have access to more than one key and a key may be accessed by more than one group.

Group: The name of the group that will have access to the key

Key Name: The name of the key that the group will have access to

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Grant Group Access To Key
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00304 
 Transaction Id:  1070 
 Return Code:  0 
 Command completed successfully.
Command Output:
 Group Name:  MyGroup
 Key Name:  MyKey
---------------------------------------
End Grant Group Access To Key Command
---------------------------------------

The Group Name and Key Name of the key the group now has access to are returned as part of the command response.

Grant User Access To Key

Use this command to give a user access to a predefined key. Users may be granted access to multiple keys and keys may be accessed by multiple users.

User Name: The user that will be granted access to the key

Key Name: The key that the user will be granted access to

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Grant User Access To Key
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00304 
 Transaction Id:  1056 
 Return Code:  0 
 Command completed successfully.
Command Output:
 User:  MyUser
 Key Name:  MyKey
---------------------------------------
End Grant User Access To Key Command
---------------------------------------

A Return Code of “0” signifies that the User was successfully granted access to the key associated with the returned Key Name.

Revoke All Group Access To Key

Use this command to remove access to a key from all groups.

Key Name: The key that will no longer be accessible by any groups

Ignore Missing Records: Selecting Yes will cause the command to return success even if the key was not being accessed by any groups. Selecting No will cause the command to return an error if the key was not being accessed by any groups.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Revoke All Group Access To Key
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00049 
 Transaction Id:  1082 
 Return Code:  0 
 Command completed successfully.
Command Output:
 Ignore Missing Record Flag:  N 
 Key Name:  MyKey128
---------------------------------------
End Revoke All Group Access To Key Command
---------------------------------------

Both the Key Name and Ignore Missing Record Flag are echoed back as part of the command response. A Return Code of “0” indicates that the access to the key was successfully removed from all groups.

Revoke All User Access To Key

Use this command to revoke access to a specific key for all Users.

Key Name: The key to revoke user access to

Ignore Missing Records: This flag tells the server whether to send an error message if the specified key name does not exist. If Yes is selected, then an error message will not be sent if the key name is not found. If No is selected, then an error message will be sent if the key name is not found.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Revoke All User Access To Key
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00049 
 Transaction Id:  1066 
 Return Code:  0 
 Command completed successfully.
Command Output:
 Ignore Missing Record Flag:  N 
 Key Name:  MyKey128
---------------------------------------
End Revoke All User Access To Key Command
---------------------------------------

The Key Name and Ignore Missing Record Flag are echoed if the command completes successfully.

Revoke All User And Group Access To Key

Use this command to make a key inaccessible. The key and its current instance are unchanged and still remain on the server but will be unusable until the access flag for the key is changed using the “Set Key Access Flag” command.

Key Name: The key that will be inaccessible.

Ignore Missing Records: Determines whether an error is returned when no key access entry is found for the given Key Name. If Yes is chosen, no error is returned. If No is chosen, an error is returned.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Revoke All User And Group Access To Key
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00049 
 Transaction Id:  1110 
 Return Code:  0 
 Command completed successfully.
Command Output:
 KeyName:  MyKey
 Ignore Missing Record Flag:  N 
---------------------------------------
End Revoke All User And Group Access To Key Command
---------------------------------------

A Return Code of “0” means the command completed successfully. The Key Name of the key removed from key access is echoed back as part of the command output as well as the chosen value for the Ignore Missing Record Flag.

Revoke Group Access To All Keys

Use this command to remove a group’s access to all encryption keys using permissive access controls.

Group Name: The group whose access will be removed.

Ignore Missing Records: This flag tells the server whether to send an error message if the specified group name does not exist. If Yes is selected, then an error message will not be sent if the group name is not found. If No is selected, then an error message will be sent if the group name is not found.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Revoke Group Access To All Keys
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00265 
 Transaction Id:  1102 
 Return Code:  0 
 Command completed successfully.
Command Output:
 Ignore Missing Record Flag:  N 
 Group Name:  MyGroup
---------------------------------------
End Revoke Group Access To All Keys Command
---------------------------------------

The output text echoes the Group Name whose access has been removed and the selection for the Ignore Missing Record Flag.

Revoke Group Access To Key

Use this command to revoke a group’s access to a key.

image alt text

Group: The group that will no longer have access to the key

Key Name: The key that will be removed from the group’s access

Ignore Missing Records: Selecting Yes will cause the command to return success even if the group did not have access to the key originally. Selecting No will cause the command to return an error if the group did not have access to the key originally.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Revoke Group Access To Key
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00305 
 Transaction Id:  1076 
 Return Code:  0 
 Command completed successfully.
Command Output:
 Group Name:  MyGroup
 Key Name:  MyKey
 Ignore Missing Record Flag:  N 
---------------------------------------
End Revoke Group Access To Key Command
---------------------------------------

Group Name, Key Name and Ignore Missing Record Flag are echoed as part of the command response.

Revoke User Access To All Keys

Use this command to remove user access to all encryption keys where the user access is explicitly defined.

image alt text

User Name: The user whose access will be removed.

Ignore Missing Records: This flag tells the server whether to send an error message if the specified user name does not exist. If Yes is selected, then an error message will not be sent if the user name is not found. If No is selected, then an error message will be sent if the user name is not found.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Revoke User Access To All Keys
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00265 
 Transaction Id:  1064 
 Return Code:  0 
 Command completed successfully.
Command Output:
 Ignore Missing Record Flag:  N 
 User:  MyUser
---------------------------------------
End Revoke User Access To All Keys Command
---------------------------------------

The output text echoes the selection for the Ignore Missing Record Flag and the User Name whose key access has been removed.

Revoke User Access To Key

Use this command to remove a user’s access to a specific key.

image alt text

User Name: The user to remove key access from

Key Name: The key to remove from the user’s access

Ignore Missing Records: This flag tells the server whether to send an error message if the specified user name or key name does not exist. If Yes is selected, then an error message will not be sent if the user name or key name is not found. If No is selected, then an error message will be sent if the user name or key name is not found.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Revoke User Access To Key
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00305 
 Transaction Id:  1062 
 Return Code:  0 
 Command completed successfully.
Command Output:
 KeyName:  MyKey256
 User Name:  MyUser
 Ignore Missing Record Flag:  N 
---------------------------------------
End Revoke User Access To Key Command
---------------------------------------

The Key Name, User Name and Ignore Missing Record Flag are echoed as part of a successful response.

 

Set Key Access Flag

Use this command to set who can access a key.

image alt text

Key Name: The key whose access flag will be modified

Key Access: Determines who can access this key once it is created. Possible values are:

  • Anyone: The key is available to anyone holding a client certificate.

  • User: The key is available to anyone holding a client certificate that has a Common Name (CN) that matches one of the Users defined to have access to this key. A User may be entered in the User Name field. Additional Users can be granted access to individual keys using the “Set User Access To Key” command.

  • Group: The key is available to anyone holding a client certificate that has an Organizational Unit (OU) that matches one of the Groups defined to have access to this key. A Group may be entered in the Group Name field. Additional Groups can be granted access to individual keys using the “Set Group Access To Key” command.

  • User + Group Permissive: The key is available to anyone holding a client certificate that has a Common Name (CN) that matches one of the Users defined to have access to this key, and an Organizational Unit (OU) that matches one of the Groups defined to have access to this key.

  • User + Group Strict: The key is available to anyone holding a client certificate that has a Common Name (CN) that matches one of the Users defined to have access to this key, and an Organizational Unit (OU) that matches one of the Groups defined to have access to this key, if the User has been added to a Group defined to have access to this key. This must be done with the “Add User to Group” command.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Set Key Access Flag
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00049 
 Transaction Id:  1106 
 Return Code:  0 
 Command completed successfully.
Command Output:
 Key Name:  MyKey
 Access Flag:  2 
---------------------------------------
End Set Key Access Flag Command
---------------------------------------

The Key Name and raw Access Flag value selected are echoed back as part of the command response.

Strict User/Group Control

 

Add User To Group

Use this command to add a User to a Group. This will allow a client to use keys that have been assigned a User + Group Strict access policy, if the CN (Common Name) and the OU (Organizational Unit) on the client certificate match the User Name and Group fields.

image alt text

User Name: The name of the user you wish to add to the group.

Group: The name of the group the user will be added to.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Add User To Group
------------------------------------------
Server: Test Server Q (216.211.138.178 port 6001)
 Transaction Length:  00520 
 Transaction Id:  1086 
 Return Code:  0 
 Command completed successfully.
Command Output:
 Group Name:  MyGroup
 User Name:  MyUser
---------------------------------------
End Add User To Group Command
---------------------------------------

A Return Code of “0” indicates that the command completed successfully. The Group Name and the User Name added to that group are echoed in the command response.

Get Group List for User

Use this command to retrieve the list of groups to which this user belongs.

image alt text

User Name: The name of the user whose group list you wish to retrieve.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Get Group List For User
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00270 
 Transaction Id:  1090 
 Return Code:  0 
 Command completed successfully.
Command Output:
 User Name:  MyUser
 More Flag:  N 
 List Segment Length:  00512 
  Line 1:  MyGroup
  Line 2:  YourGroup
---------------------------------------
End Get Group List For User Command
---------------------------------------

A Return Code of “0” indicates the command completed successfully. The following fields are returned:

User Name: The name of the user whose group list is being viewed

More Flag: Indicates whether there are more group names to display. This field will always be “N” when viewing lists in the AKM Administrative Console.

List Segment Length: The total length of the returned list

Line N: Each returned entry is printed on its own numbered line. In the above example the user is a member of two groups: “MyGroup” (printed on Line 1) and “YourGroup” (printed on Line 2).

Get Group Member List

Use this command to retrieve a list of all groups and the users that are members of those groups.

image alt text

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Get Group Member List
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00014 
 Transaction Id:  1116 
 Return Code:  0 
 Command completed successfully.
Command Output:
 More Flag:  N 
 List Segment Length:  01536 
  Group:  MyGroup
   User:  MyUser
  Group:  MyGroup
   User:  YourUser
  Group:  YourGroup
   User:  YourUser
 Total number of entries returned: 3
---------------------------------------
End Get Group Member List Command
---------------------------------------

A Return Code of “0” indicates the command completed successfully. The More Flag will always be “N” when viewing lists in the AKM Administrative Console. The List Segment Length displays the total number of bytes the returned list items occupy. Each member of each group is given its own Group/User pairing in the list, so groups with more than one user as a member will appear more than once in the output. For example “MyGroup” has two members: “MyUser” and “YourUser”. Therefore “MyGroup” is displayed twice in the list, once for the “MyGroup/MyUser” pairing and once for the “MyGroup/YourUser” pairing. After all Group/User pairings have been printed, the total number of returned pairings is printed as Total number of entries returned.

Get User List For Group

Use this command to retrieve the list of users that are members of the group.

image alt text

Group: The name of the group you want to retrieve the user list for.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Get User List For Group
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00270 
 Transaction Id:  1088 
 Return Code:  0 
 Command completed successfully.
Command Output:
 Group Name:  MyGroup
 More Flag:  N 
 List Segment Length:  00512 
  Line 1:  MyUser
  Line 2:  YourUser
---------------------------------------
End Get User List For Group Command
---------------------------------------

A Return Code of “0” indicates the command completed successfully. The command returns the Group Name and More Flag (which will always be ‘N’ when viewed in the AKM Administrative Console) and then lists the users that are members of the group, one user per numbered line (Line 1, Line 2, etc.).

Remove User From Group

Use this command to remove a user from a group.

image alt text

User Name: The name of the user to remove.

Group: The name of the group the user will be removed from.

Ignore Missing Records: This flag tells the server whether to send an error message if the specified user name or group does not exist. If Yes is selected, then an error message will not be sent if the user name, group or both are not found. If No is selected, then an error message will be sent if the user name, group or both are not found.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Remove User From Group
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00521 
 Transaction Id:  1092 
 Return Code:  0 
 Command completed successfully.
Command Output:
 Ignore Missing Record Flag:  N 
 Group Name: MyGroup
 User Name: MyUser
---------------------------------------
End Remove User From Group Command
---------------------------------------

A Return Code of “0” indicates the command completed successfully. The User Name, Group Name and Ignore Missing Records Flag are all returned as part of the command output.

Remove All Users From Group

Use this command to empty a group of its members. This effectively revokes access to all strictly controlled keys for a group.

image alt text

Group Name: The group that will be emptied.

Ignore Missing Records: This flag tells the server whether to send an error message if the specified group name does not exist. If Yes is selected, then an error message will not be sent if the group name is not found. If No is selected, then an error message will be sent if the group name is not found.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Remove All Users From Group
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00265
 Transaction Id:  1094
 Return Code:  0
 Command completed successfully.
Command Output:
 Ignore Missing Record Flag:  N
 Group Name:  MyGroup
---------------------------------------
End Remove All Users From Group Command
---------------------------------------

The output text echoes the selection for the Ignore Missing Record Flag and the Group Name that has been emptied.

Remove User From All Groups

Use this command to remove a user from all groups.

image alt text

User Name: The name of the user to be removed from all groups.

Ignore Missing Records: This flag tells the server whether to send an error message if the specified user name does not exist. If Yes is selected, then an error message will not be sent if the user name is not found. If No is selected, then an error message will be sent if the user name is not found.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Remove User From All Group
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00265 
 Transaction Id:  1096 
 Return Code:  0 
 Command completed successfully.
Command Output:
 Ignore Missing Record Flag:  N 
 User:  MyUser
---------------------------------------
End Remove User From All Group Command
---------------------------------------

The output text echoes the selection for the Ignore Missing Record Flag and the User Name that has been removed from all groups.

Chapter 13: Manage Symmetric Key Attributes

This group includes the following commands:

  • Change Activation Date

  • Change Deletable

  • Change Expiration Date

  • Change Mirror Key

  • Change Rollover

  • Retrieve Meta Data

  • Set Meta Data

See the sections below for more information.

Change Activation Date

Use this command to change the date that the key instance will be available for use.

image alt text

Key Name: The name of the key.

Key Instance: The key instance whose activation date will be changed.

Activation Date: The new date that the key instance will be activated and available for use. The date selected must be after the current date.

Activate key immediately: Checking this box will make the key instance immediately available for use.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Change Activation Date
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00080 
 Transaction Id:  1010 
 Return Code:  0 
 Command completed successfully.
Command Output:
 Key Name:  MyKey
 Key Instance:  Ni3s7rbx3WUGHPPJLr9mkA== 
 Activation Date:  20131206 
---------------------------------------
End Change Activation Date Command
---------------------------------------

Key Name and Key Instance are both echoed as part of the command response as well as the updated Activation Date. The special value “00000000” for Activation Date indicates that the key instance has been activated immediately.

Change Deletable

Use this command to change whether a key instance can be deleted or is permanent. If no key instance is specified, the current instance is changed.

image alt text

Key Name: The name of the key.

Key Instance: The key instance that will have its deletable state updated.

Deletable: Selecting Yes will allow the key instance to be deleted. Selecting No will prevent the key instance from being deleted.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Change Deletable
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00073 
 Transaction Id:  1006 
 Return Code:  0 
 Command completed successfully.
Command Output:
 Key Name:  MyKey
 Key Instance:  Ni3s7rbx3WUGHPPJLr9mkA== 
 Deletable:  Y 
---------------------------------------
End Change Deletable Command
---------------------------------------

Key Name and Key Instance are both echoed as part of the command response as well as the new setting for the Deletable flag.

Change Expiration Date

Use this command to change the expiration date of a key instance. After this date the key instance will be expired and unusable.

image alt text

Key Name: The name of the key.

Key Instance: The name of the key instance that will be expired.

Expiration Date: The date the key instance will expire.

Key never expires: Check this box to indicate that the key instance will never expire. Any date entered in the Expiration Date field will be ignored and the key instance will never expire.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Change Expiration Date
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00080 
 Transaction Id:  1008 
 Return Code:  0 
 Command completed successfully.
Command Output:
 Key Name:  MyKey
 Key Instance:  Ni3s7rbx3WUGHPPJLr9mkA== 
 Expiration Date:  20131231 
---------------------------------------
End Change Expiration Date Command
---------------------------------------

Key Name and Key Instance are both echoed as part of the command response, as well as the new Expiration Date. A value of “00000000” for Expiration Date indicates that the key instance will never expire.

Change Mirror Key

Use this command to change the mirroring status of a key. Keys that are mirrored are automatically copied to a high availability server if one has been configured.

image alt text

Key Name: The name of the key whose mirror value will be changed

Mirror Key: The new mirror value for the key. Selecting Yes indicates you would like the key mirrored to a high availability server. Selecting No indicates you would not like the key mirrored to a high availability server.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Change Mirror Key
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00049 
 Transaction Id:  1014 
 Return Code:  0 
 Command completed successfully.
Command Output:
 No additional command output
---------------------------------------
End Change Mirror Key Command
---------------------------------------

A Return Code of “0” indicates that the update to the mirror key flag was successful.

Change Rollover

Use this command to change how a key’s instance is rolled over, i.e. how a new key instance is generated to replace the existing key instance.

image alt text

Key Name: the name of the key

Key Instance: the key instance that will be affected by the new rollover settings

Rollover Code: the new rollover setting. Automatic indicates that the key will be rolled over automatically after a number of days entered in the Rollover Days field. Manual indicates that the key will need to be manually rolled over using the “Rollover” command. Never indicates that the key will never be rolled over.

Rollover Days: The number of days before new key instances are created if Automatic is selected for Rollover Code. This field is required if Automatic is selected.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Change Rollover
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00077 
 Transaction Id:  1012 
 Return Code:  0 
 Command completed successfully.
Command Output:
 Key Name:  MyKey
 Key Instance:  Ni3s7rbx3WUGHPPJLr9mkA== 
 Rollover Code:  A 
 Rollover Days:  0030 
---------------------------------------
End Change Rollover Command
---------------------------------------

Key Name, Key Instance and the new settings for Rollover Code and Rollover Days are all echoed as part of the command response.

 

Retrieve Meta Data

Use this command to search for keys by their metadata values and retrieve each matching key together with its attributes and metadata.

image alt text

Values may be entered for each metadata field (MD01 - MD16) and a comparison operator for each value must be selected. The available comparison operators are:

  • EQ (equals)

  • NE (does not equal)

  • LT (less than)

  • LE (less than or equal to)

  • GT (greater than)

  • GE (greater than or equal to)

  • CT (contains)

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Retrieve Meta Data
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00014 
 Transaction Id:  1054 
 Return Code:  0 
 Command completed successfully.
Command Output:
 More Flag:  N 
 List Segment Length:  02472 
---- Start Key Data ----
 Key Name:  MyKey                                        
 Key Instance:  Ni3s7rbx3WUGHPPJLr9mkA== 
 Current:  Y 
 Key Size Bits:  0128 
 Key Creation:  20131126 
 Activation Date:  00000000 
 Expiration Date:  20131225 
 Rollover Code:  M 
 Rollover Days:  0000 
 Last rollover date:  00000000 
 Deletable:  Y 
 Key Revoked Date:  00000000 
 Mirror Key:  Y 
  MD01'My Metadata 1                                               '
  MD02'My Metadata 2                                               '
  MD03'My Metadata 3                                               '
  MD04'                                                            '
  MD05'                                                            '
  MD06'                                                            '
  MD07'                                                            '
  MD08'                                                            '
  MD09'                                                            '
  MD10'                                                            '
  MD11'                                                            '
  MD12'                                                            '
  MD13'                                                            '
  MD14'                                                            '
  MD15'                                                            '
  MD16'                                                            '
---- End Key Data ----
---- Start Key Data ----
 Key Name:  MyKey128                                     
 Key Instance:  VViixIONRg1MzhqtAMTxHw== 
 Current:  Y 
 Key Size Bits:  0128 
 Key Creation:  20131122 
 Activation Date:  00000000 
 Expiration Date:  20131221 
 Rollover Code:  M 
 Rollover Days:  0000 
 Last rollover date:  00000000 
 Deletable:  Y 
 Key Revoked Date:  00000000 
 Mirror Key:  Y 
  MD01'My Metadata 1                                               '
  MD02'My Metadata 2                                               '
  MD03'My Metadata 3                                               '
  MD04'                                                            '
  MD05'                                                            '
  MD06'                                                            '
  MD07'                                                            '
  MD08'                                                            '
  MD09'                                                            '
  MD10'                                                            '
  MD11'                                                            '
  MD12'                                                            '
  MD13'                                                            '
  MD14'                                                            '
  MD15'                                                            '
  MD16'                                                            '
---- End Key Data ----
---------------------------------------
End Retrieve Meta Data Command
---------------------------------------

Every key that matches the request will be printed between its own ---- Start Key Data ---- and ---- End Key Data ---- tags with a detailed listing of its attributes, including all metadata fields.
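Because each Key Data block is fixed-format, the Retrieve Meta Data listing is a convenient input for a periodic key-inventory review. The parser and audit below are an added example in Python, not code from the AKM product or this manual: the listing it reads is constructed to match the format shown above, the “00000000” date placeholder is interpreted as the Change Activation Date and Change Expiration Date sections describe it, and only Rollover Code “A” is treated as automatic rollover (the value the Change Rollover output shows after selecting Automatic).

```python
import re
from dataclasses import dataclass, field
from datetime import date, datetime

# Constructed listing in the shape of the Key Data blocks of the Retrieve Meta Data
# output in this manual; the values are illustrative, not from a live AKM server.
RETRIEVE_META_DATA_OUTPUT = """\
---- Start Key Data ----
 Key Name:  MyKey
 Key Instance:  Ni3s7rbx3WUGHPPJLr9mkA==
 Current:  Y
 Key Size Bits:  0128
 Key Creation:  20131126
 Activation Date:  00000000
 Expiration Date:  20131225
 Rollover Code:  M
 Rollover Days:  0000
 Last rollover date:  00000000
 Deletable:  Y
 Key Revoked Date:  00000000
 Mirror Key:  Y
  MD01'My Metadata 1                       '
  MD02'                                    '
---- End Key Data ----
---- Start Key Data ----
 Key Name:  MyKey128
 Key Instance:  VViixIONRg1MzhqtAMTxHw==
 Current:  Y
 Key Size Bits:  0128
 Key Creation:  20131122
 Activation Date:  00000000
 Expiration Date:  20131221
 Rollover Code:  A
 Rollover Days:  0030
 Last rollover date:  00000000
 Deletable:  N
 Key Revoked Date:  00000000
 Mirror Key:  N
  MD01'Payroll database                    '
---- End Key Data ----
"""

NO_DATE = "00000000"  # AKM's placeholder for "no date" (never expires, not revoked, ...)
_FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s+(.*?)\s*$")
_MD_RE = re.compile(r"^\s*(MD\d{2})'(.*)'\s*$")


@dataclass
class KeyRecord:
    fields: dict = field(default_factory=dict)    # "Key Name" -> "MyKey", ...
    metadata: dict = field(default_factory=dict)  # "MD01" -> "My Metadata 1"

    def date_field(self, label):
        """YYYYMMDD field as a date, or None when it holds the 00000000 placeholder."""
        raw = self.fields.get(label, NO_DATE)
        return None if raw == NO_DATE else datetime.strptime(raw, "%Y%m%d").date()


def parse_key_data(text):
    """Collect one KeyRecord per Start Key Data / End Key Data block."""
    records, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "---- Start Key Data ----":
            current = KeyRecord()
        elif stripped == "---- End Key Data ----":
            if current is not None:
                records.append(current)
            current = None
        elif current is not None:  # lines outside a block are ignored
            md = _MD_RE.match(line)
            if md:
                # Metadata is space-padded to its fixed width; keep the text only.
                current.metadata[md.group(1)] = md.group(2).rstrip()
            else:
                kv = _FIELD_RE.match(line)
                if kv:
                    current.fields[kv.group(1)] = kv.group(2)
    return records


def audit_keys(records, as_of):
    """Conditions worth a Crypto Officer's review as of a date, keyed by Key Name."""
    findings = {}
    for rec in records:
        issues = []
        expires = rec.date_field("Expiration Date")
        if expires is None:
            issues.append("never expires")
        elif expires < as_of:
            issues.append(f"expired on {expires.isoformat()}")
        if rec.date_field("Key Revoked Date") is not None:
            issues.append("revoked")
        if rec.fields.get("Rollover Code") != "A":
            issues.append("not rolled over automatically")
        if rec.fields.get("Mirror Key") != "Y":
            issues.append("not mirrored")
        if not any(rec.metadata.values()):
            issues.append("no metadata set")
        if issues:
            findings[rec.fields.get("Key Name", "?")] = issues
    return findings
```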

 

Set Meta Data

Use this command to set the meta data fields on a key instance. Meta data can be used to more fully identify a key instance.

image alt text

Key Name: The name of the key.

Key Instance: The key instance meta data that will be updated.

MD01 - MD16: The meta data to add. Each field is 64 bytes long and must be composed of only printable upper and lower case letters, numbers, and spaces. Special characters are not supported.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Set Meta Data
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00072 
 Transaction Id:  1040 
 Return Code:  0 
 Command completed successfully.
Command Output:
 KeyName:  MyKey
 Key Instance:  Ni3s7rbx3WUGHPPJLr9mkA== 
---------------------------------------
End Set Meta Data Command
---------------------------------------

The Key Name and Key Instance are both echoed as part of the command response.

Chapter 14: Manage Symmetric Keys

This group includes the following commands:

  • Activate Key

  • Activate Key Instance

  • Create Symmetric Key

  • Delete Key

  • Delete Key Instance

  • Display Key Instance list

  • Display Key Name list

  • Display Symmetric Key Policy

  • Force Rollover

  • Revoke Key

  • Revoke Key Instance

  • Rollover

See the sections below for more information.

 

Activate Key

Use this command to activate a key that has previously been revoked.

image alt text

Key Name: The name of the key to activate.

Activation Date: The date the key will be activated and available for use.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Activate Key
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00056 
 Transaction Id:  1020 
 Return Code:  0 
 Command completed successfully.
Command Output:
 Key Name:  MyKey
 Activation Date:  20131123 
---------------------------------------
End Activate Key Command
---------------------------------------

Both the Key Name and selected Activation Date are echoed as part of the command response.

 

Activate Key Instance

Use this command to activate an already created, but inactive key instance.

image alt text

Key Name: The name of the key.

Key Instance: The key instance that will be activated.

Activation Date: The date that the key instance will be activated and available for use.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Activate Key Instance
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00080 
 Transaction Id:  1034 
 Return Code:  0 
 Command completed successfully.
Command Output:
 Key Name:  MyKey
 Key Instance:  54B2134iLqnDW/xLq9HdcA== 
 Activation Date:  20131124 
---------------------------------------
End Activate Key Instance Command
---------------------------------------

The Key Name, Key Instance and Activation Date are all echoed as part of the command response.

 

Create Symmetric Key

Use this command to create a new key.

image alt text

Key Name: The name of the key.

Key Size: The size of the key in bits. The larger the number of bits, the more secure the key.

Activation Date: The date that the key will be activated and available for use. To activate the key immediately, select the Activate key immediately checkbox.

Expiration Date: The date that the key will expire and no longer be available for use. Select the Key never expires checkbox if you wish the key to never expire.

Rollover Code: The method in which a new key instance is generated for this key. If Automatic is selected then a new key instance will be created automatically after the number of days entered in the Rollover Days field. If Manual is selected, then a new key instance will only be created when an explicit call is made to the “Rollover” command. If Never is selected then a new instance will never be created for the key.

Rollover Days: The number of days before new key instances are created if Automatic is selected for Rollover Code. This field is required if Automatic is selected.

Deletable: Determines if this key is deletable. Possible values are Yes (it can be deleted) and No (it cannot be deleted). A key’s “deletable” flag can later be changed via the “Change Deletable” command.

Mirror Key: Determines if the generated keys are mirrored (copied and maintained) to a high availability server if one is configured. If Yes is selected the key will be mirrored to a backup server. If No is selected then the key will not be mirrored to a backup server.

Key Access: Determines who can access this key once it is created. Possible values are:

  • Anyone: The key is available to anyone holding a client certificate.

  • User: The key is available to anyone holding a client certificate that has a Common Name (CN) that matches one of the Users defined to have access to this key. A User may be entered in the User Name field. Additional Users can be granted access to individual keys using the “Set User Access To Key” command.

  • Group: The key is available to anyone holding a client certificate that has an Organizational Unit (OU) that matches one of the Groups defined to have access to this key. A Group may be entered in the Group Name field. Additional Groups can be granted access to individual keys using the “Set Group Access To Key” command.

  • User + Group Permissive: The key is available to anyone holding a client certificate that has a Common Name (CN) that matches one of the Users defined to have access to this key, and an Organizational Unit (OU) that matches one of the Groups defined to have access to this key.

  • User + Group Strict: The key is available to anyone holding a client certificate that has a Common Name (CN) that matches one of the Users defined to have access to this key, and an Organizational Unit (OU) that matches one of the Groups defined to have access to this key, provided that the User has also been added to a Group defined to have access to this key. This must be done with the “Add User to Group” command.

User Name: The name of the user who has access to the key.

Group Name: The name of the group whose members have access to the key.
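To make the five Key Access settings above concrete, here is an added example (not AKM code; AKM enforces these rules on the server) that evaluates a few constructed client certificates against each setting. The membership dictionary stands in for the results of “Add User to Group”, and the reading that Strict requires membership in any Group granted access to the key is an assumption taken from the wording above.

```python
# Key Access policy evaluation modelled on the Create Symmetric Key settings.
# Constructed example, not AKM code: the server applies these rules itself.
from dataclasses import dataclass

ANYONE = "Anyone"
USER = "User"
GROUP = "Group"
PERMISSIVE = "User + Group Permissive"
STRICT = "User + Group Strict"


@dataclass
class KeyPolicy:
    """Access settings of one key: the Key Access choice plus the Users and
    Groups granted access (User Name / Group Name at creation, and any
    added later with Set User Access To Key / Set Group Access To Key)."""
    key_access: str
    users: frozenset = frozenset()   # client-certificate CNs granted access
    groups: frozenset = frozenset()  # client-certificate OUs granted access


def key_is_accessible(policy, cert, membership):
    """Return True if a client presenting `cert` may use the key.

    cert: (CN, OU) from the client certificate, or None if no certificate
          was presented.
    membership: {CN: set of group names} as built by Add User to Group
          (hypothetical structure; AKM keeps this server-side).
    """
    if cert is None:
        return False  # every setting requires a client certificate
    cn, ou = cert
    user_ok = cn in policy.users
    group_ok = ou in policy.groups
    if policy.key_access == ANYONE:
        return True
    if policy.key_access == USER:
        return user_ok
    if policy.key_access == GROUP:
        return group_ok
    if policy.key_access == PERMISSIVE:
        # CN must be a listed User and OU a listed Group; no membership check.
        return user_ok and group_ok
    if policy.key_access == STRICT:
        # Additionally the user must have been added to a group that has
        # access to the key (assumed reading of the manual's wording).
        in_allowed_group = bool(membership.get(cn, set()) & policy.groups)
        return user_ok and group_ok and in_allowed_group
    raise ValueError("unknown Key Access setting: %r" % policy.key_access)


def access_matrix():
    """Evaluate constructed certificates against every setting for a key that
    grants Users alice and carol and Group payments."""
    users = frozenset({"alice", "carol"})
    groups = frozenset({"payments"})
    # Add User to Group results: alice and bob are in payments, carol never was.
    membership = {"alice": {"payments"}, "bob": {"payments"}}
    certs = {
        "alice/payments": ("alice", "payments"),
        "alice/hr": ("alice", "hr"),
        "bob/payments": ("bob", "payments"),
        "carol/payments": ("carol", "payments"),
        "no certificate": None,
    }
    matrix = {}
    for setting in (ANYONE, USER, GROUP, PERMISSIVE, STRICT):
        policy = KeyPolicy(setting, users, groups)
        matrix[setting] = {
            label: key_is_accessible(policy, cert, membership)
            for label, cert in certs.items()
        }
    return matrix


if __name__ == "__main__":
    for setting, row in access_matrix().items():
        granted = [label for label, ok in row.items() if ok]
        print("%-24s -> %s" % (setting, ", ".join(granted) or "(nobody)"))
```

Note that carol passes Permissive but fails Strict: her certificate carries a listed CN and OU, but she was never added to the group.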

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Create Symmetric Key
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00072 
 Transaction Id:  1002 
 Return Code:  0 
 Command completed successfully.
Command Output:
 Key Name:  MyKey
 Key Instance:  Ni3s7rbx3WUGHPPJLr9mkA== 
---------------------------------------
End Create Symmetric Key Command
---------------------------------------

The Key Name is echoed as part of the command response along with the generated Key Instance.

Delete Key

Use this command to permanently delete a key. The specified key must be deletable for this command to complete successfully.

Key Name: The name of the key.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Delete Key
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00056 
 Transaction Id:  1016 
 Return Code:  0 
 Command completed successfully.
Command Output:
 Key Name:  MyKey
 Date of Deletion:  20131126 
---------------------------------------
End Delete Key Command
---------------------------------------

The Key Name is echoed as part of the command output along with the Date of Deletion of the key in YYYYMMDD format.

Delete Key Instance

Use this command to permanently delete a key instance. The specified key must be deletable for this command to complete successfully.

Key Name: The name of the key.

Key Instance: The key instance that will be deleted.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Delete Key Instance
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00072 
 Transaction Id:  1030 
 Return Code:  0 
 Command completed successfully.
Command Output:
 Key Name:  MyKey
 Key Instance:  54B2134iLqnDW/xLq9HdcA== 
---------------------------------------
End Delete Key Instance Command
---------------------------------------

The Key Name and deleted Key Instance are echoed as part of the command output.

Display Key Instance List

Use this command to display a list of all key instances associated with a given key.

Key Name: The key whose instance list will be displayed.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Display Key Instance List
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00054 
 Transaction Id:  1036 
 Return Code:  0 
 Command completed successfully.
Command Output:
 More Flag:  N 
 KeyName:  MyKey
 List Segment Length:  00048 
  Line 1:  54B2134iLqnDW/xLq9HdcA== 
  Line 2:  TUFBA7UJLMmA2lg/qyHJZw== 
---------------------------------------
End Display Key Instance List Command
---------------------------------------

The Key Name is echoed as part of the output, followed by a list of the key instances associated with that key, one instance per numbered line (Line 1, Line 2, etc.).

Display Key Name List

Use this command to view a list of all key names.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Display Key Name List
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00014 
 Transaction Id:  1038 
 Return Code:  0 
 Command completed successfully.
Command Output:
 More Flag:  N 
 List Segment Length:  00080 
  Line 1:  MyKey
  Line 2:  YourKey
---------------------------------------
End Display Key Name List Command
---------------------------------------

A Return Code of “0” indicates that the command completed successfully. The command enumerates a list of key names, one key per numbered line (Line 1, Line 2, etc.). In the above example, two key names were returned: “MyKey” and “YourKey”.

Display Symmetric Key Policy

Use this command to view the attributes of a given key instance. This command does not retrieve the actual value of the key.

Key Name: The key name.

Key Instance: The key instance whose attributes will be displayed. This field may be left blank to retrieve the attributes of the current instance of the key.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Display Symmetric Key Policy
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  01258 
 Transaction Id:  1004 
 Return Code:  0 
 Command completed successfully.
Command Output:
 Key Name:  MyKey
 Key Instance:  Ni3s7rbx3WUGHPPJLr9mkA== 
 Current:  Y 
 Key Size Bits:  0128 
 Creation Date:  20131126 
 Activation Date:  20131206 
 Expiration Date:  20131231 
 Rollover Code:  A 
 Rollover Days:  0030 
 Last rollover date:  00000000 
 Deletable:  Y 
 Key Revoked Date:  00000000 
 Mirror Key:  N 
 Time Stamp:  20131201015807 
  MD01'My Metadata 1
  MD02'My Metadata 2
  MD03'My Metadata 3
  MD04'
  MD05'
  MD06'
  MD07'
  MD08'
  MD09'
  MD10'
  MD11'
  MD12'
  MD13'
  MD14'
  MD15'
  MD16'
---------------------------------------
End Display Symmetric Key Policy Command
---------------------------------------

A Return Code value of “0” indicates that the command completed successfully. The following key attributes are returned:

Key Name: The name of the key.

Key Instance: The key instance that is being reported on.

Current: Indicates whether the Instance is the currently active instance for this key.

Key Size Bits: The size of the key in bits.

Creation Date: The date the key was created.

Activation Date: The date the key becomes active and available for use.

Expiration Date: The date the key expires and becomes unavailable for use.

Rollover Code: Indicates how new instances of the key are generated. Possible values are:

  • A: New key instances are automatically created every Rollover Days days.

  • M: New key instances are manually created using the “Rollover” command.

  • N: New key instances are never created.

Rollover Days: The number of days before a new key instance is generated if Rollover Code is set to Automatic. If Rollover Code is Manual or Never then this value will be all zeros.

Last Rollover Date: The last date that a new key instance was generated. This value will be all zeros if a new key instance has never been generated for this key.

Deletable: Indicates if this key is able to be deleted. Possible values are Y for yes and N for no.

Key Revoked Date: The date the key was revoked. If the key has not been revoked then this value will be all zeros.

Mirror Key: Indicates if this key is being mirrored to another server. Possible values are Y for yes and N for no.

Time Stamp: The timestamp of the last time the key was created or changed.

MD01 - MD16: The metadata associated with this key.
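Because the Admin Console ends its session after each response, the response text above is all a reviewer has to work from. The following is an added example (not AKM code) that parses the Display Symmetric Key Policy output into typed values, treating all-zero dates as “not set” as described above, and classifies the instance’s lifecycle state as of a given date. The sample response is a constructed copy of the one shown; the rule that an instance is unavailable on its expiration date itself is an assumption.

```python
# Parse a Display Symmetric Key Policy response and derive the instance state.
# Added example, not AKM code. SAMPLE_RESPONSE is constructed from the manual.
import re
from datetime import datetime

SAMPLE_RESPONSE = """\
Command: Display Symmetric Key Policy
 Transaction Id:  1004
 Return Code:  0
 Command completed successfully.
Command Output:
 Key Name:  MyKey
 Key Instance:  Ni3s7rbx3WUGHPPJLr9mkA==
 Current:  Y
 Key Size Bits:  0128
 Creation Date:  20131126
 Activation Date:  20131206
 Expiration Date:  20131231
 Rollover Code:  A
 Rollover Days:  0030
 Last rollover date:  00000000
 Deletable:  Y
 Key Revoked Date:  00000000
 Mirror Key:  N
 Time Stamp:  20131201015807
  MD01'My Metadata 1
  MD02'My Metadata 2
  MD03'
End Display Symmetric Key Policy Command
"""

# "Name:  value" lines; metadata lines use MDnn' as their separator.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")
META_RE = re.compile(r"^\s*(MD\d{2})'(.*?)\s*$")


def parse_date(text):
    """YYYYMMDD -> date; an all-zero value means 'not set'."""
    return None if set(text) == {"0"} else datetime.strptime(text, "%Y%m%d").date()


def parse_policy_response(text):
    """Return the reported attributes as typed values (raises if Return Code != 0)."""
    fields, metadata = {}, {}
    for line in text.splitlines():
        m = META_RE.match(line)
        if m:
            metadata[m.group(1)] = m.group(2)
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    if fields.get("Return Code") != "0":
        raise ValueError("command failed, Return Code=%r" % fields.get("Return Code"))
    return {
        "key_name": fields["Key Name"],
        "key_instance": fields["Key Instance"],
        "current": fields["Current"] == "Y",
        "key_size_bits": int(fields["Key Size Bits"]),
        "creation": parse_date(fields["Creation Date"]),
        "activation": parse_date(fields["Activation Date"]),
        "expiration": parse_date(fields["Expiration Date"]),  # None: never expires
        "rollover_code": fields["Rollover Code"],
        "rollover_days": int(fields["Rollover Days"]),
        "last_rollover": parse_date(fields["Last rollover date"]),
        "deletable": fields["Deletable"] == "Y",
        "revoked": parse_date(fields["Key Revoked Date"]),
        "mirrored": fields["Mirror Key"] == "Y",
        "time_stamp": datetime.strptime(fields["Time Stamp"], "%Y%m%d%H%M%S"),
        "metadata": metadata,
    }


def rollover_summary(policy):
    """Human-readable form of Rollover Code / Rollover Days."""
    code = policy["rollover_code"]
    if code == "A":
        return "automatic every %d days" % policy["rollover_days"]
    return {"M": "manual (Rollover command)", "N": "never"}[code]


def key_instance_status(policy, today):
    """Classify the instance as of `today` (a date or a YYYYMMDD string).
    Assumption: available from the activation date, unavailable from the
    expiration date onward; a revoked key is unavailable regardless."""
    if isinstance(today, str):
        today = parse_date(today)
    if policy["revoked"] is not None:
        return "revoked"
    if policy["activation"] is not None and today < policy["activation"]:
        return "pending"
    if policy["expiration"] is not None and today >= policy["expiration"]:
        return "expired"
    return "active"


if __name__ == "__main__":
    p = parse_policy_response(SAMPLE_RESPONSE)
    print(p["key_name"], p["key_size_bits"], "bits,", rollover_summary(p))
    for day in ("20131201", "20131210", "20131231"):
        print(day, key_instance_status(p, day))
```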

Force Rollover

Use this command to force a rollover of all keys.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Force Rollover
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00008 
 Transaction Id:  1176 
 Return Code:  0 
 Command completed successfully.
Command Output:
 No additional command output
---------------------------------------
End Force Rollover Command
---------------------------------------

A Return Code of “0” indicates that the forced rollover was successful.

Revoke Key

Use this command to revoke a key, making it and all of its instances unavailable to use.

Key Name: The name of the key to revoke.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Revoke Key
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00056 
 Transaction Id:  1018 
 Return Code:  0 
 Command completed successfully.
Command Output:
 Key Name:  MyKey
 Key Revoked Date:  20131124 
---------------------------------------
End Revoke Key Command
---------------------------------------

The Key Name is echoed as part of the command response along with the date the key was revoked (Key Revoked Date).

Revoke Key Instance

Use this command to revoke an instance of the key, making it unavailable to use. The key instance is retained, however, and can be reactivated at a later time using the Activate Key Instance command.

Key Name: The name of the key.

Key Instance: The key instance to be revoked.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Revoke Key Instance
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00080 
 Transaction Id:  1032 
 Return Code:  0 
 Command completed successfully.
Command Output:
 Key Name:  MyKey
 Key Instance:  54B2134iLqnDW/xLq9HdcA== 
 Key Revoked Date:  20131124 
---------------------------------------
End Revoke Key Instance Command
--------------------------------------

The Key Name and Key Instance that has been revoked are echoed as part of the output, along with the Key Revoked Date.

Rollover

Use this command to generate and activate a new instance of a key.

Key Name: The key for which you want to generate a new instance.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Rollover
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00072 
 Transaction Id:  1022 
 Return Code:  0 
 Command completed successfully.
Command Output:
 Key Name:  MyKey
 Key Instance:  TUFBA7UJLMmA2lg/qyHJZw== 
---------------------------------------
End Rollover Command
---------------------------------------

The Key Name is echoed as part of the output, along with the key’s newly generated and activated Key Instance.

Chapter 15: Mirroring

This group includes the following commands:

  • Force Key Sync

  • Get Mirror Address

  • Get Mirrored Data Hash

  • Get Mirror Status

  • Get Queue Size

  • List Mirror Names

  • Remove Mirror Address

  • Set Mirror Address

  • Trigger Put

See the sections below for more information.

Force Key Sync

Use this command to send a selected key or all keys to a mirror. If all keys are sent, then all users and groups are also sent to the mirror.

Mirror Name: The name of the mirror to synchronize with.

Mirror All Keys: Specifying Yes causes all keys to be sent to the mirror. Specifying No synchronizes only the key entered in Key Name.

Key Name: The name of the key to be synchronized if Mirror All Keys is set to No.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Force Key Sync
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00008 
 Transaction Id:  1152 
 Return Code:  0 
 Command completed successfully.
Command Output:
---------------------------------------
End Force Key Sync Command
---------------------------------------

A Return Code of “0” signifies that the key synchronization was successful.

Get Mirror Address

Use this command to display the configuration information for a mirror.

Mirror Name: The name of the mirror whose configuration information will be displayed.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Get Mirror Address
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00309 
 Transaction Id:  1128 
 Return Code:  0 
 Command completed successfully.
Command Output:
 Mirror Name:  MyMirror
 Mirror Address:  216.211.138.179
 Mirror Port:  06001 
---------------------------------------
End Get Mirror Address Command
---------------------------------------

The output echoes the Mirror Name and specifies the associated Mirror Address and Mirror Port.

Get Mirrored Data Hash

Use this command to retrieve the SHA-256 hash of the data that would have been sent, or would have been received, for mirroring.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Get Mirrored Data Hash
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00052 
 Transaction Id:  1170 
 Return Code:  0 
 Command completed successfully.
Command Output:
 Mirrored Data Hash:  rYblil2wlwjXYNv2ePTLef+zmw/fqWM9zXcwGU0LIWU= 
---------------------------------------
End Get Mirrored Data Hash Command
---------------------------------------

The output returns the Mirrored Data Hash in Base64 format.

Get Mirror Status

Use this command to verify that a connection can be made to a mirror server. If specified this command will also retrieve the mirror server’s mirrored-data hash and compare it to the local mirrored-data hash. In addition, this command reports and resets the accumulated fault count for the specified mirror server.

Mirror Name: The mirror server whose connection will be verified.

Compare Hash: Select Yes or No for whether the mirrored-data hash will be retrieved and compared.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Get Mirror Status
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00104 
 Transaction Id:  1136 
 Return Code:  0 
 Command completed successfully.
Command Output:
 Mirror Name:  MyMirror 
 Fault Count:  0000000000 
 Mirror Status:  Y 
 Data Hash Compare:    
 Mirrored Data Hash:    
---------------------------------------
End Get Mirror Status Command
---------------------------------------

If Return Code is “0”, the command completed successfully and the following output fields are displayed:

Mirror Name: The mirror server.

Fault Count: The number of mirrored transactions rejected by this mirror server.

Mirror Status: Indicates whether the mirror server could be contacted. Possible values are Y for “Yes, the server was contacted” and N for “No, the server was not contacted”.

Data Hash Compare: Indicates whether the mirror’s data hash matched the data hash of the AKM server. Possible values are Y for “Yes” and N for “No”, or blank if the original command’s Compare Hash selection was “No”.

Mirrored Data Hash: The value of the mirror server’s data hash. This will be blank if the mirror server could not be contacted or if the original command’s Compare Hash selection was “No”.

Get Queue Size

Use this command to display the number of transactions that still need to be sent to the specified mirror server.

Mirror Name: The name of the mirror whose queue size you wish to display.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Get Queue Size
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00018 
 Transaction Id:  1148 
 Return Code:  0 
 Command completed successfully.
Command Output:
 Queue Size:  0000000000 
---------------------------------------
End Get Queue Size Command
---------------------------------------

The returned Queue Size specifies how many transactions remain to be sent to the mirror. In the above example no transactions remain (Queue Size is “0000000000”), i.e. all transactions have been sent to the mirror.
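The Get Mirror Status and Get Queue Size outputs above are what a Crypto Officer checks to confirm a mirror is reachable, in sync, and not falling behind. The following added example (not AKM code) reads both responses and turns them into findings, honouring the blank Data Hash Compare case and the fact that Fault Count is reset on each check. The sample responses are constructed; the healthy one reuses the hash value shown earlier on this page.

```python
# Interpret Get Mirror Status + Get Queue Size responses as a health check.
# Added example, not AKM code. All sample responses below are constructed.
import re

HEALTHY_STATUS = """\
Command: Get Mirror Status
 Return Code:  0
 Command completed successfully.
Command Output:
 Mirror Name:  MyMirror
 Fault Count:  0000000000
 Mirror Status:  Y
 Data Hash Compare:  Y
 Mirrored Data Hash:  rYblil2wlwjXYNv2ePTLef+zmw/fqWM9zXcwGU0LIWU=
End Get Mirror Status Command
"""

# Mirror unreachable, rejections accumulated, and Compare Hash was "No".
DEGRADED_STATUS = """\
Command: Get Mirror Status
 Return Code:  0
 Command completed successfully.
Command Output:
 Mirror Name:  MyMirror
 Fault Count:  0000000003
 Mirror Status:  N
 Data Hash Compare:
 Mirrored Data Hash:
End Get Mirror Status Command
"""

EMPTY_QUEUE = "Command: Get Queue Size\n Return Code:  0\n Queue Size:  0000000000\n"
BACKLOG_QUEUE = "Command: Get Queue Size\n Return Code:  0\n Queue Size:  0000000012\n"

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")


def fields_of(response):
    """Collect the 'Name:  value' lines of one Admin Console response."""
    out = {}
    for line in response.splitlines():
        m = FIELD_RE.match(line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def mirror_health(status_response, queue_response):
    """Combine both responses into a verdict plus a list of findings."""
    s, q = fields_of(status_response), fields_of(queue_response)
    findings = []
    for name, f in (("Get Mirror Status", s), ("Get Queue Size", q)):
        if f.get("Return Code") != "0":
            findings.append("%s failed: Return Code %r" % (name, f.get("Return Code")))
    if findings:
        return {"mirror": s.get("Mirror Name"), "ok": False, "findings": findings}
    reachable = s["Mirror Status"] == "Y"
    faults = int(s["Fault Count"])
    queued = int(q["Queue Size"])
    # Y / N / blank: blank means the command was run with Compare Hash = No.
    hash_match = {"Y": True, "N": False}.get(s.get("Data Hash Compare", ""))
    if not reachable:
        findings.append("mirror server could not be contacted")
    if faults:
        findings.append("%d mirrored transaction(s) rejected by the mirror "
                        "since the last check (count is reset by this call)" % faults)
    if queued:
        findings.append("%d transaction(s) still waiting to be sent to the mirror" % queued)
    if hash_match is False:
        findings.append("mirrored-data hash differs from the local hash: key sets have diverged")
    elif hash_match is None:
        findings.append("hash not compared (Compare Hash was No): content not verified")
    ok = reachable and faults == 0 and queued == 0 and hash_match is True
    return {"mirror": s["Mirror Name"], "ok": ok, "reachable": reachable,
            "faults": faults, "queued": queued, "hash_match": hash_match,
            "mirror_hash": s.get("Mirrored Data Hash") or None, "findings": findings}


if __name__ == "__main__":
    for status, queue in ((HEALTHY_STATUS, EMPTY_QUEUE), (DEGRADED_STATUS, BACKLOG_QUEUE)):
        result = mirror_health(status, queue)
        print(result["mirror"], "OK" if result["ok"] else "ATTENTION")
        for finding in result["findings"]:
            print("  -", finding)
```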

List Mirror Names

Use this command to list all of the mirror names currently configured on the AKM server.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: List Mirror Names
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00014 
 Transaction Id:  1134 
 Return Code:  0 
 Command completed successfully.
Command Output:
 More Flag:  N 
 List Segment Length:  00080 
  Line 1:  MyMirror
  Line 2:  YourMirror
---------------------------------------
End List Mirror Names Command
---------------------------------------

The output lists each mirror name on its own numbered line (Line 1, Line 2, etc.) for easier reference.

Remove Mirror Address

Use this command to end mirroring to a previously configured mirror and to remove that mirror from the mirror list.

Mirror Name: The name of the mirror to remove.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Remove Mirror Address
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00048 
 Transaction Id:  1132 
 Return Code:  0 
 Command completed successfully.
Command Output:
 No additional command output
---------------------------------------
End Remove Mirror Address Command
---------------------------------------

If Return Code is “0” then the mirror was successfully deactivated and removed from the mirror list.

Set Mirror Address

Use this command to create and activate a new mirror server.

Mirror Name: A name for the mirror server. The name must be unique.

Host Name: The hostname or IP address of the mirror.

Port: The port the mirror server will use.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Set Mirror Address
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00008 
 Transaction Id:  1130 
 Return Code:  0 
 Command completed successfully.
Command Output:
 No additional command output
---------------------------------------
End Set Mirror Address Command
---------------------------------------

No output values are echoed as part of the command response, but if Return Code is “0” the mirror address has been successfully added and activated on the AKM server.

Trigger Put

Use this command to force transactions to the mirror server no matter what their current state is (error, retry or wait). If transactions are already being sent normally this command will have no effect.

Mirror Name: The name of the mirror to force transactions to.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Trigger Put
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00048 
 Transaction Id:  1150 
 Return Code:  0 
 Command completed successfully.
Command Output:
 Mirror Name:  MyMirror
---------------------------------------
End Trigger Put Command
---------------------------------------

The output echoes the Mirror Name of the server and a Return Code of “0” signifies that the forcing of transactions to the mirror was successful.

Chapter 16: Status

This group includes the following commands:

  • Administrative NoOp

  • Crypto Self-Test

  • Report FIPS-140 Mode

  • Validate Key Database

See the sections below for more information.

Administrative NoOp

Use this command to verify the connection to the AKM server.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Administrative NoOp
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00008 
 Transaction Id:  1044 
 Return Code:  0 
 Command completed successfully.
Command Output:
 No additional command output
---------------------------------------
End Administrative NoOp Command
---------------------------------------

If the output specifies a Return Code of “0”, then the Alliance Key Manager Administrative Console has successfully connected to the AKM server.

Crypto Self-Test

Use this command to validate the cryptographic components of the AKM server.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Crypto Self-Test
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00009 
 Transaction Id:  1046 
 Return Code:  0 
 Command completed successfully.
Command Output:
 Mode:  P 
---------------------------------------
End Crypto Self-Test Command
---------------------------------------

The output returns a “P” for Mode if the cryptographic test passed and an “F” for Mode if errors were encountered during the cryptographic test.

Report FIPS-140 Mode

Use this command to determine if the key server is operating in FIPS-140 mode.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Report FIPS-140 Mode
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00073 
 Transaction Id:  1048 
 Return Code:  0 
 Command completed successfully.
Command Output:
 Mode:  F 
 Program Version:  AKM Version 2.1.13
 Database Version:  AKM DB Version 2.3.0
---------------------------------------
End Report FIPS-140 Mode Command
---------------------------------------

The output specifies “F” for Mode if the server is operating in FIPS mode and “N” for Mode if the server is not operating in FIPS mode. The output also reports the AKM Program and Database versions the server is currently using.

Validate Key Database

Use this command to determine if there are any corrupted key instances in the key database.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Validate Key Database
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00014 
 Transaction Id:  1042 
 Return Code:  0 
 Command completed successfully.
Command Output:
 More Flag:  N 
 List Segment Length:  00000 
Number of Key Instances Returned: 0
---------------------------------------
End Validate Key Database Command
---------------------------------------

The output specifies the number of corrupted key instances found as Number of Key Instances Returned, and lists the corrupted keys and key instances. In the above example no corrupted keys were found.

Chapter 17: System Management

This group includes the following commands:

  • Authorize Administrator

  • Set Log Level

  • Stop Key Store

See the sections below for more information.

Authorize Administrator

Use this command to allow an additional Crypto Officer to manage keys on this server. This command will complete successfully only if DualKnowledgeRequired has been set to Y (Yes) in the AKM configuration file (akm.conf). See the AKM Server Management Guide for information on modifying the AKM configuration file.

Time: The number of minutes that the additional Crypto Officer has to manage keys on this server. Entering 0 will immediately cancel the additional Crypto Officer’s authorization and prevent them from managing keys.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Authorize Administrator
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00008 
 Transaction Id:  1044 
 Return Code:  0 
 Command completed successfully.
Command Output:
 No additional command output
---------------------------------------
End Authorize Administrator Command
---------------------------------------

A Return Code of “0” indicates that the command completed successfully.

Set Log Level

Use this command to set the logging level on the server.

Log Level: The logging level to set on the server. A value of 00 produces a minimal log, and a value of 50 produces a detailed log.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Set Log Level
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00008 
 Transaction Id:  1156 
 Return Code:  0 
 Command completed successfully.
Command Output:
 No additional command output
---------------------------------------
End Set Log Level Command
---------------------------------------

The set log level is not echoed back as part of the command, but if the Return Code is “0” then the log level has been set to the entered value.

Stop Key Store

Use this command to halt key management services on the AKM server. The services that are stopped include key retrieval, encryption, administration, and key mirroring. To restart Alliance Key Manager you must log on to the web interface using your user ID and password, then restart AKM via the Custom Commands link. See the AKM Server Management Guide for more information.

When you click Submit, the information is sent to the AKM server and the application responds with the result of your request:

------------------------------------------
Command: Stop Key Store
------------------------------------------
Server: AKM Server (216.211.138.178 port 6001)
 Transaction Length:  00008 
 Transaction Id:  1028 
 Return Code:  0 
 Command completed successfully.
Command Output:
 No additional command output
---------------------------------------
End Stop Key Store Command
---------------------------------------

A Return Code value of “0” indicates that key management services were successfully halted.

Chapter 18: Problem Determination

In the event you have a problem using the AKM Administrative Console, review the diagnostic messages in the bottom pane. Correct any errors and try again. View the log file for more detailed information. The log file is located at C:\Users\<UserName>\Documents\TownsendSecurity\Log by default.

You can also view AKM server error logs via the web interface. Ask your System Administrator for assistance with viewing AKM server error logs, or see the AKM Server Management Guide.