Chapter 1: About This Manual

AKM for VMware

Alliance Key Manager for VMware is deployed as a virtual machine that you can run in your VMware environment. AKM for VMware allows you to quickly set up key retrieval or remote encryption in your client application. Initialization of the AKM server is controlled through a text-based Administrative Menu. A 30-day temporary license and all of the certificates and private keys needed for TLS are generated using the menu, and you will have the option to generate an initial set of encryption keys that can be used in client applications for proof of concept, development, or production. After initialization of the primary AKM server you can create additional certificates and private keys for client/server connections if needed. Additional encryption keys can be created and managed using the AKM Administrative Console.

Who is this for?

This guide is intended to help project managers, crypto officers, system administrators, and application developers deploy and use AKM for VMware. It covers deploying AKM for VMware, starting to use AKM, creating and managing encryption keys, creating additional client and admin (crypto officer) certificates, managing the AKM server, obtaining a permanent license, and support.

Client applications and SDKs

Townsend Security provides the following applications and SDKs to assist with client-side key retrieval or remote encryption:

  • Key Connection for SQL Server: Microsoft Extensible Key Management Provider for Transparent Data Encryption (TDE) and cell level encryption
  • Windows SDK for .NET applications
  • SQL Server UDF for all editions of SQL Server
  • Key Connection for Drupal
  • Key Connection for Encryptionizer

In addition to these offerings, Townsend Security provides software libraries and code samples to assist with custom implementations. Please contact Townsend Security for a current list of client applications, software libraries, and code samples.

Other resources

The following documents provide additional information on the installation and use of Alliance Key Manager:

  • AKM User Guide
  • AKM Server Management Guide
  • AKM Administrative Console Guide

Notices

This product and its documentation are covered by U.S. and international copyright law. This product may incorporate software licensed under one or more open source license agreements. Government users please note that this product is provided under restricted government use license controls. Please refer to the AKM End User License Agreement for more information.

Change log

The following change log provides information on the changes to this documentation:

Version Date Description
1.0.0 1/10/2010 Reformat and revise for AKM version 2.0.0
1.1.0 10/14/2011 Reformat for documentation standards. Rename document for the VMware evaluation instance.
2.1.13 3/1/2012 This document is updated for the new web interface.
3.0.0.001 1/24/2014 Update for AKM 3.0.0.
3.0.0.002 1/29/2014 Add note about Java security settings.
3.0.0.003 4/23/2014 Updates. Add information about assigning a temporary IP address if you do not have a DHCP server.
3.0.0.004 5/21/2014 Add information about virtualization extensions and VMware Player.
3.0.0.005 8/19/2014 Update Before You Begin chapter. Add Overview chapter.
3.0.3.001 1/20/2015 Update for the ready to use version of AKM for VMware. Rename from “AKM Evaluation Quick Start Guide for VMware” to “AKM for VMware Quick Start Guide”. Merge info from AKM VMware User Guide.
3.0.3.002 1/22/2015 Add appendix on connecting to the AKM server using PuTTY.
3.0.3.003 2/19/2015 Updates. Add information on ensuring your VM has a route to the internet for licensing. Update initialization instructions to describe initializing from the VMware command prompt.
4.0.0.001 2/16/2016 Update for AKM 4.0, including new mirroring setup and migration option. Add appendix on setting up bidirectional mirroring.
4.0.0.002 5/24/2016 Remove references to demo apps.
4.5.0.001 10/25/2016 Update for asymmetric RSA key support.
4.5.3.001 5/19/2017 Update for new File Manager.
4.6.0.001 7/25/2018 Correct administrative certificate names.
4.6.0.002 9/11/2018 Updated screenshots for 4.6 release.
4.6.0.003 12/11/2018 Added Software Update section.
4.6.1.001 5/20/2019 Removed password from Supplemental and .ovf zip files.

Chapter 2: Introduction

This chapter briefly describes the deployment process for AKM for VMware. Subsequent chapters describe these steps in more detail.

Deploy AKM for VMware

Deploying AKM for VMware includes the following steps:

  • Unzip and launch AKM for VMware
  • Start the AKM VM
  • Log in to the VM instance
  • Determine the IP address

You will be provided with a zip file containing the AKM server in the form of a VMware .ovf file. You will unzip and launch the .ovf file, start and log in to the AKM VM via the command prompt, and determine the IP address before continuing with setup.

Set up AKM for VMware

Next you will launch the Administrative Menu through the command prompt. From the Administrative Menu you can complete the following tasks:

  • Initialize the primary AKM server
    • Automatically activate the license and create all certificates and private keys needed to set up secure client/server connections
    • Create an initial set of encryption keys (optional)
  • Set the admin password
  • Initialize a secondary mirror AKM server for real-time key mirroring, high availability, or failover support (optional)
  • Migrate to a new AKM server from a previous version of AKM (optional)
  • Create additional certificates and private keys for client/server connections if needed to conform to any applicable security policies in your organization (optional)
  • Collect logs for troubleshooting and print system info if needed

IMPORTANT: For AKM to activate the license, your VM must have a route to the internet. If licensing fails, see the section on Installing a new license in Chapter 9 for instructions on manually installing the license.

Once you have initialized the primary AKM server and set the password, you can log in to the web interface and download the certificates and private keys needed for client/server connections.

If you set up a secondary mirror server, you should download certificates and private keys after setting up mirroring.

NOTE: Since the certificates and encryption keys are dynamically generated upon initialization, no one except you has access to these components. See below for more information.

Licensing

The AKM license generated on initialization provides you with a fully functional AKM server that you can run for 30 days. See Chapter 9: Obtain a Permanent License for information on migrating from a temporary to a permanent license.

Certificates

The following certificates are created automatically on initialization and stored on the AKM server:

  • Authentication Key (Auth Key) and Key Encryption Key (KEK) certificates and private keys: The KEK and Auth certificate and private key pairs are used by AKM to create the Key Encryption Key (KEK) and Authentication Key (Auth Key), two symmetric keys that are stored on the AKM server. These “secret keys” are used by AKM to protect your data encryption keys. You will not need to use or distribute the KEK and Auth certificates and private keys.
  • Server certificate and private key: These are used by AKM servers to authenticate with each other for mirroring, and to authenticate with client applications.
  • Certificate authority (CA) certificate: This is a unique CA certificate that is used to sign admin and key client certificates. Admin and key clients must install the CA certificate to authenticate with the AKM server. The CA certificate will also be used to sign additional admin (Crypto Officer) and client certificates if needed. See Chapter 7: Create Additional Admin and Client Certificates for more information.
  • Admin certificates and private keys: Admin certificates and private keys allow for authentication between admin clients and the AKM server, and are used by crypto officers for key creation and management in the AKM Administrative Console. Two admin certificates are created by default to support dual control. See the AKM Administrative Console Guide for information on key creation, key management, and enabling dual control.
  • Client certificate and private key: Client certificates and private keys allow for authentication between key clients and the AKM server when retrieving keys or sending sensitive data to the AKM server for remote encryption. One client certificate/private key is created by default and additional client certificates and private keys can be created at any time. After deploying AKM for VMware, you can immediately download and distribute certificates and private keys to client application developers and crypto officers for client configuration. After you initialize the primary AKM server, you will be presented with the option to create additional admin and client certificates and private keys if needed. See Chapter 7: Create Additional Admin and Client Certificates for more information.

SECURITY ALERT: Private key files must be protected during creation, distribution, and storage to prevent loss. The loss of these files will compromise the security of the AKM server. Depending on the file format, the private key files may be bundled with a certificate or they may be separate files. Transfer the private key files by sharing them over a secure network, placing them in a password-protected zip file, sending them using SFTP, or another secure method. Use the same level of care you would employ to protect encryption keys, including encryption. In the event the private keys are compromised or lost, you should immediately replace the certificate authority on the AKM server and all client certificates in that chain of trust. See the AKM HSM Quick Start Guide for more information.

Encryption keys

On initialization, you will be given the option to generate an initial set of encryption keys. You can use these encryption keys in client applications for proof of concept, development, or production. If you need to create additional encryption keys or manage existing keys, you can do so at any time using the AKM Administrative Console.

Chapter 3: Before You Begin

Before deploying AKM for VMware, you will need to complete the following steps:

  • Review VMware deployment responsibilities
  • Review hardware and software prerequisites, resource recommendations, and supported VMware platforms
  • If deploying directly to production, take note of important information on software updates
  • Unzip the AKM for VMware zip file
  • Download the AKM Supplemental

See below for more information.

Production VMware deployment responsibilities

AKM for VMware is intended for use by customers with an appropriate level of knowledge of VMware configuration, deployment, and management. You should not use AKM for VMware in a production environment if you do not have adequate internal resources and knowledge of VMware. Townsend Security does not provide support or problem analysis of VMware. You should only deploy AKM for VMware if you have adequate internal support for VMware and a support contract with VMware, Inc.

Prerequisites

You will need the following in order to evaluate AKM for VMware:

  • A 64-bit processor is required to run the VMware instance (note that some 64-bit PCs will not work if VT-x extensions are disabled or unsupported)
  • A DHCP server in your environment (if you do not have a DHCP server, see Chapter 11: Troubleshooting for a workaround)

IMPORTANT: Your server hardware must support virtualization extensions (Intel VT-x or AMD-V) in order to run the VM. Some vendors may disable Intel VT-x extensions in the BIOS; see your hardware support documentation for how to enable them. Hardware without virtualization extensions cannot run the VM and is unsupported.

Resource recommendations

The following are the operational recommendations for your production deployment of AKM for VMware:

  • Memory: 2 GB
  • Disk: 5 GB minimum for 100 keys or less. Estimate an additional 2K of disk for each additional key.
  • Hardware resilience: RAID disk protection, UPS power source, network redundancy

You are responsible for managing the resources needed by Alliance Key Manager when deployed in a VMware environment.

Supported VMware platforms

AKM for VMware is designed to run in commercial VMware infrastructure. The supported VMware platforms for production AKM for VMware deployments are:

  • VMware ESX
  • VMware vSphere (ESXi)
  • VMware vCloud
  • VMware Cloud on AWS

At the current time all other virtualization platforms are not supported for production AKM for VMware deployment. These include, but are not limited to, VirtualBox, Microsoft Hyper-V, and Xen.

VMware Player

If you do not have an existing VMware environment and wish to evaluate AKM for VMware, you can download the free VMware Player and run AKM for VMware on your workstation or laptop for evaluation purposes. VMware Player is available at this address:

  • http://www.vmware.com/products/player/

Scroll down and locate the “Free for Personal Use” VMware Player. Install this on your workstation using the normal defaults for the installation. You will now have the ability to run AKM for VMware. You must download the AKM for VMware instance from our website before you can start the evaluation.

IMPORTANT: VMware Player cannot be used for any AKM deployment except the AKM evaluation. VMware Player is not a supported platform for VMware production deployments.

VMware Tools

You can install VMware Tools on the AKM server, but you are responsible for the installation, update, security, and support for VMware Tools. The AKM warranty does not cover VMware Tools, nor any problems created by those tools. In the event of a problem, you may be asked to remove VMware Tools.

Software updates

Townsend Security or your software vendor will provide you with any needed updates to the web interface, operating system, and key management application through the Townsend Security customer support group.

IMPORTANT: You must not attempt to apply any software updates through automated patch facilities or any updates not directly provided by Townsend Security. Applying these updates will void your warranty, and you may be required to restore your system from a backup in order to continue operation.

For current Townsend Security customers migrating to a new AKM server from an older version of AKM, see the section on migration in this guide for instructions. Open a support ticket with Townsend Security for assistance.

Unzip the AKM for VMware zip file

You will receive or download a zip file called AKM_VM.zip from Townsend Security or your software vendor containing the AKM server in the form of a VMware .ovf file and associated virtual disk file(s).

Download the AKM Supplemental

Townsend Security or your software vendor will provide you with a link to download the AKM Supplemental. The AKM Supplemental contains everything you will need to deploy AKM, including related software such as the AKM Administrative Console for creating and managing encryption keys, and applications and SDKs for key retrieval and remote encryption.

Chapter 4: Set up AKM for VMware

Setting up AKM for VMware includes the following steps:

  • Launch AKM for VMware
  • Start the AKM VM
  • Log in to the VM instance
  • Determine the IP address
  • Launch the Administrative Menu
  • Initialize the primary AKM server
  • Provide a name for the AKM server
  • Create an initial set of encryption keys (optional)
  • Set the admin password for each AKM server
  • Initialize a mirror AKM server (optional)
  • Start or stop AKM key services (optional)
  • Create additional admin and client certificates if needed (optional)
  • Exit to a shell (optional)
  • Disconnect from AKM

Launch AKM for VMware

If you have not already done so, unzip the AKM for VMware archive. If you are using VMware Player or VMware Workstation to evaluate AKM, launch the VM by double-clicking the .ovf file. You will then be prompted to import the virtual machine. You can accept the defaults, or choose a custom location to store the VMware data. Once the import completes, the AKM VM will launch and you can continue with the steps in the following sections.

DHCP services

When AKM for VMware starts for the first time, it will obtain an IP address using DHCP services. You must have a DHCP server in your network environment in order for the system to obtain an IP address automatically. Consult with your network administrator to determine if you have DHCP services available to you. If you do not have a DHCP server, see Chapter 11: Troubleshooting for a workaround. The steps for the workaround must be completed before continuing, or initialization will fail.

Start the AKM VM

Use the following steps to start the AKM VM. Note that different versions of VMware will look and act differently, so you may see slightly different prompts than described below. The VMware instance will show a status bar as it starts, and then a command line login prompt is displayed.

IMPORTANT: You may see a prompt that asks if you have moved or copied the instance from another location. You must answer that you “moved” the instance. This will retain your evaluation license. If you answer the option that you “copied” the instance the evaluation will not function, and you will need to delete and reinstall the download.

Log in to the VM instance

When you see the command line login prompt, enter the user “admin” and press Enter. Enter the password “OOHXPq6r530N6re”. You will change this password later, so do not change it now.

Determine the IP Address

You will need to determine and record AKM’s IP address for use during initial setup and later in your client application configuration. Use the ifconfig command to determine the IP address assigned to this VMware instance. From the command line, type “ifconfig” and press Enter. You will see output that contains something like this:

eth0      Link encap:Ethernet  HWaddr 00:AB:CD:EF:FF:11 
          inet addr:10.0.1.230  Bcast:10.0.1.255  Mask:255.255.255.0
          inet6 addr: fe80::2ab:cdff:feef:ff11/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:447 errors:0 dropped:0 overruns:0 frame:0
          TX packets:117 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:46586 (45.4 Kb)  TX bytes:45080 (44.0 Kb)

The IP address is the value shown after inet addr on the second line of the example above (10.0.1.230 in this case). This IP address may be different on your system. Note this IP address, as you will need it when logging in to the web interface.
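As an added illustration, not part of the guide, the following Python script parses output in the net-tools ifconfig format shown above and returns the inet addr value for the AKM interface; when the VM obtained no DHCP lease (the failure case that Chapter 11 works around) it returns None rather than a wrong address. The interface name eth0 and the extra eth1 and lo blocks in the sample are assumptions.

```python
import re

# Constructed sample: the ifconfig output quoted in the guide, plus a loopback
# block and a second interface (eth1) that has not received a DHCP lease.
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:AB:CD:EF:FF:11
          inet addr:10.0.1.230  Bcast:10.0.1.255  Mask:255.255.255.0
          inet6 addr: fe80::2ab:cdff:feef:ff11/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:447 errors:0 dropped:0 overruns:0 frame:0
          TX packets:117 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:46586 (45.4 Kb)  TX bytes:45080 (44.0 Kb)

eth1      Link encap:Ethernet  HWaddr 00:AB:CD:EF:FF:12
          UP BROADCAST MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
"""

# An interface block starts with a non-indented name followed by "Link encap:".
IFACE_RE = re.compile(r"^(\S+)\s+Link encap:")

# Fields worth recording from each block. "inet addr:" does not match the
# "inet6 addr:" line, so IPv4 and IPv6 are kept apart.
FIELD_RES = {
    "mac": re.compile(r"HWaddr\s+(\S+)"),
    "ipv4": re.compile(r"inet addr:(\S+)"),
    "mask": re.compile(r"Mask:(\S+)"),
    "ipv6": re.compile(r"inet6 addr:\s*(\S+)"),
}


def parse_ifconfig(output):
    """Parse classic net-tools ifconfig output into {iface: {field: value}}."""
    interfaces = {}
    current = None
    for line in output.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            interfaces[current] = {}
        if current is None or not line.strip():
            continue
        # The header line itself carries HWaddr, so it is scanned as well.
        for field, rx in FIELD_RES.items():
            fm = rx.search(line)
            if fm and field not in interfaces[current]:
                interfaces[current][field] = fm.group(1)
    return interfaces


def akm_address(output, iface="eth0"):
    """Return the IPv4 address of iface, or None if no DHCP lease was obtained."""
    return parse_ifconfig(output).get(iface, {}).get("ipv4")


if __name__ == "__main__":
    for name, info in parse_ifconfig(SAMPLE_IFCONFIG).items():
        print(name, info.get("ipv4", "<no IPv4 address: check DHCP>"))
```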

Launch the Administrative Menu

If you are not already logged in to the VMware command prompt, log in with user “admin” and the default password “OOHXPq6r530N6re”. Enter “akm-menu” to launch the Administrative Menu.

NOTE: Alternatively, you can launch the Administrative Menu by connecting to the AKM server via SSH. See Appendix A: Connect to the AKM Server via SSH for more information.

Indicate that you have read and accept the AKM End User License Agreement to continue with initialization. The Administrative Menu is then displayed.

Initialize the primary AKM server

Enter option 1 to Initialize AKM. The Initialization Menu is displayed. Enter option 1 to Initialize as PRIMARY. This will designate this server as a primary AKM server and start the initialization process.

IMPORTANT: For AKM to activate the license, your VM must have a route to the internet. If licensing fails, see the section on Installing a new license in Chapter 9 for instructions on manually installing the license.

NOTE: In the context of mirroring, a primary AKM server either operates alone or sends mirrored keys and metadata to any number of mirror servers. You must initialize a primary server first and can then initialize any additional mirror servers. A server initialized as a primary can also receive mirrored keys in a bidirectional mirroring configuration.

You will be prompted to enter the two-character country code, the name of your state or province, your city/locale, your organization name (for example, your company name), and a unique name for this AKM server.

Create an initial set of encryption keys

You will be prompted to create an initial set of encryption keys. Enter y if you would like to create an initial set of encryption keys. You can use these encryption keys for proof of concept, development, or production. Enter N if you do not want to create encryption keys at this time. You can also create encryption keys at any time using the AKM Administrative Console. See Chapter 6: Create and Manage Encryption Keys for more information.

NOTE: Creating encryption keys at this point is optional and does not affect the operation of AKM. However, it may be convenient to have keys available for development or proof of concept without having to use the AKM Administrative Console to manually create encryption keys.

AKM will now initialize. Make sure you do not interrupt this process.

The primary AKM server has now initialized and AKM is running. The server time has been synchronized with a time server (time.nist.gov). The initialization process has created a unique certificate authority (CA) certificate and server certificate for AKM, activated the license, and generated client certificate and private key pairs needed for key clients and admin clients to connect to the AKM server. By default, one client certificate and two admin certificates are created by the initialization process. Two admin certificates are created in order to support dual control of encryption key administration. You can create additional client or admin certificates at a later time.

IMPORTANT: The CA certificate created during this process is unique and should only be used with AKM, and you do not need to create an additional CA certificate for use with AKM.

Press any key to return to the main menu. After initialization, the Administrative Menu is displayed with the additional options described in the following sections.

Set the admin password

After initialization you should change the password for the server. This password will be used to access the Administrative Menu on all future sessions and to log in to the AKM server via the web interface. From the Administrative Menu, enter the option to Set admin password. You will be prompted to change the admin password.

When prompted to enter a “New Password”, enter your new admin password. This is the password you will use when logging in to the AKM web interface as the “admin” user for server management. Set a strong password and protect it carefully, as the compromise of this password breaches the security of AKM. If you set a weak password you will receive a warning, but the password will still be accepted. It is recommended to set a password of at least 15 characters that includes upper and lower case letters, numbers, and symbols.

IMPORTANT: Do not lose this password, as there are no backdoors to recover it. If you lose the password please do not contact your software vendor to recover it for you, as this is not possible.

When prompted, reenter the password. The password has now been changed and will be used to access the primary AKM server’s Administrative Menu for all future sessions. You will also use this password and username “admin” to log in to the primary AKM server web interface to download client certificates and perform other server management tasks.

Initialize a secondary mirror server

After initializing the primary AKM server, you can set up additional mirror AKM servers for real-time key mirroring and high availability failover support. Setting up mirror servers at this point is optional and can be completed at a later time.

NOTE: If there is a firewall in place between the primary AKM server and any mirror servers, be sure that ports 22 and 6002 are open before setting up mirroring.

SSH Key Pairing Options

During mirroring setup, you will be prompted to establish authentication between the two servers using an SSH key. You can accomplish this in one of three ways: by copying the primary AKM server’s public SSH key and pasting it into the menu of the secondary AKM server, by downloading the public SSH key from the primary and uploading it to the secondary, or by using an already established SSH key.

1: Paste the SSH public key

This is the most common option to exchange an SSH key between a secondary and primary AKM server. Open the Administrative Menu on the primary AKM server and select option 2) Mirroring after initializing the server. The Mirror Configuration Menu is displayed.

Select 1) Add mirror. Copy and save the SSH public key displayed on the screen.

NOTE: Your version of VMware may not allow copying of text displayed in the console. To copy text, SSH into the server as described in Appendix A: Connect to the AKM Server via SSH. Alternatively, you can upload the SSH public key of the primary AKM server to the mirror. See section 2: Upload the public SSH key to the server for more information.

Start the secondary AKM VM and log in using the command prompt with user “admin” and the default password “OOHXPq6r530N6re”, then launch the Administrative Menu.

SECURITY ALERT: It is recommended to change the admin password for the mirror server at this time if you have not done so already.

Select option 1) Initialize AKM, then select option 2) Initialize as MIRROR. Enter the locality information and unique name for this server, then wait for the server to initialize. Return to the main menu. Select the option for Mirroring and then select the option to Accept mirrored keys. You will see three options for establishing authentication using an SSH key. Select option 1 and press Enter. Paste the SSH public key of the primary AKM server into the console.

NOTE: If you are using PuTTY on Windows, right-click in the console to paste the SSH public key.

After pasting in the SSH public key, press Enter, then press Ctrl-D to continue mirroring setup.

Copy the fingerprint of this AKM for later verification. Press any key to return to the main menu.

Return to the primary AKM server’s Mirror Configuration Menu and press Enter.

Enter the IP address of the secondary mirror server to complete mirroring setup. Verify the fingerprint of the mirror server and enter yes to continue. Wait for mirroring setup to complete. Do not interrupt this process.

2: Upload the public SSH key to the server

Instead of copying and pasting the SSH public key, you may download the SSH public key from the primary AKM server, then upload it to the secondary mirror AKM server. Open the Administrative Menu on the primary AKM server and select option 2) Mirroring after initializing the server. The Mirror Configuration Menu is displayed.

Select 1) Add mirror. Start the secondary AKM VM and log in using the command prompt with user “admin” and the default password “OOHXPq6r530N6re”, then launch the Administrative Menu.

SECURITY ALERT: It is recommended to change the admin password for the mirror server at this time if you have not done so already.

Select option 1) Initialize AKM, then select option 2) Initialize as MIRROR. Enter the locality information and unique name for this server, then wait for the server to initialize. Return to the main menu. Select the option for Mirroring and then select the option to Accept mirrored keys. You will see three options for establishing authentication using an SSH key. On the secondary AKM server select option 2 from the SSH menu.

Log in to the primary AKM server web interface and navigate to File Manager. The SSH public key is located in /home/admin/.ssh/ and is called id_rsa.pub. Select this file and click the Save button. Log in to the secondary AKM server web interface and upload this file to /home/admin/uploads/ via File Manager. Return to the SSH menu on the secondary AKM server and press any key to continue.

Enter y to confirm that you would like this secondary AKM server to accept mirrored AKM keys from the primary. Note the fingerprint of the secondary AKM for later confirmation. Return to the primary AKM server Administrative Menu, then use the mirroring menu to select the secondary AKM as its mirror. Confirm the fingerprint of the secondary AKM server. Mirroring setup is complete.

3: Use an established SSH key

Use this option if the public SSH key has already been authenticated but mirroring setup was not completed. Start the secondary AKM VM and log in using the command prompt with user “admin” and the default password “OOHXPq6r530N6re”, then launch the Administrative Menu.

SECURITY ALERT: It is recommended to change the admin password for the mirror server at this time if you have not done so already.

Select option 1) Initialize AKM, then select option 2) Initialize as MIRROR. Enter the locality information and unique name for this server, then wait for the server to initialize. Return to the main menu. Select the option for Mirroring and then select the option to Accept mirrored keys. You will see three options for establishing authentication using an SSH key. Select option 3 from the SSH menu of the secondary AKM server.

You should see the name of the primary AKM server under the list of public keys that are already trusted. If not, establish trust using one of the previous authentication options. Enter y to confirm that you want the secondary AKM server to receive keys from this server. Wait for mirroring setup to complete. Once mirroring setup is complete, press any key to return to the main menu.

Disable automatic rollover on the secondary AKM (IMPORTANT)

The automatic rollover attribute must be disabled on any secondary mirror servers. That way, keys with the automatic rollover attribute are only rolled on the primary server, and the new keys then mirrored to the secondary server. You would not want the mirrored keys on the secondary server (which are mirrored with the same automatic rollover attribute) to roll once again on the secondary, independent of and without the knowledge of the primary server.

Log in to the secondary mirror server via the web interface and select File Manager from the left navigation menu. Navigate to the /etc/akm directory and select akm.conf, then click Edit in the Actions column. Locate the [AutomaticRollover] section and set Enabled to N. Click the Save and Close button. Stop and restart AKM via the Custom Commands link.
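As an added example that is not the guide's or the product's own tooling, the following Python code checks a copy of akm.conf for the Enabled = N setting a mirror requires in [AutomaticRollover] and produces a corrected copy that keeps comments and the other sections intact, so the check can be repeated against every mirror after setup. The sample configuration is constructed: only the section name and the Enabled key come from the guide; the other sections and keys are placeholders, and the INI-style key = value layout is an assumption.

```python
import re

# Constructed sample akm.conf. Only [AutomaticRollover] and its Enabled key
# are taken from the guide; [Server] and [Logging] are placeholders and are
# NOT the real AKM configuration layout.
SAMPLE_AKM_CONF = """\
[Server]
Name = akm-mirror-01

[AutomaticRollover]
# roll keys automatically when they expire
Enabled = Y

[Logging]
Level = info
"""

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
# key = value; a leading '#' or ';' marks a comment line and is not a key.
KEY_RE = re.compile(r"^\s*(?P<key>[^=;#\s][^=]*?)\s*=\s*(?P<val>.*?)\s*$")

TARGET_SECTION = "AutomaticRollover"
TARGET_KEY = "Enabled"


def get_value(text, section, key):
    """Return the value of key inside [section], or None if absent."""
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip()
            continue
        if current == section:
            km = KEY_RE.match(line)
            if km and km.group("key").strip().lower() == key.lower():
                return km.group("val")
    return None


def rollover_disabled(text):
    """True only when [AutomaticRollover] Enabled is explicitly N.

    A missing section or key is reported as NOT disabled: on a mirror the
    setting must be confirmed off, not merely absent.
    """
    val = get_value(text, TARGET_SECTION, TARGET_KEY)
    return val is not None and val.strip().upper() == "N"


def disable_rollover(text):
    """Return text with [AutomaticRollover] Enabled set to N.

    Comments and unrelated sections are preserved line for line; the key is
    rewritten in place, added to the section if missing, or the whole section
    is appended if the file has none.
    """
    out, current, done = [], None, False
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            if current == TARGET_SECTION and not done:
                out.append(f"{TARGET_KEY} = N")  # section had no Enabled key
                done = True
            current = m.group("name").strip()
            out.append(line)
            continue
        if current == TARGET_SECTION and not done:
            km = KEY_RE.match(line)
            if km and km.group("key").strip().lower() == TARGET_KEY.lower():
                out.append(f"{TARGET_KEY} = N")
                done = True
                continue
        out.append(line)
    if not done:
        if current != TARGET_SECTION:
            out.extend(["", f"[{TARGET_SECTION}]"])
        out.append(f"{TARGET_KEY} = N")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("mirror OK" if rollover_disabled(SAMPLE_AKM_CONF)
          else "automatic rollover still enabled on this mirror")
    print(disable_rollover(SAMPLE_AKM_CONF))
```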

Next steps

After setting up mirroring, bundled CA certificate files are created which contain the CA certificates of both AKM servers. These must be installed on any client connecting to AKM along with the client certificate and private key. If you have previously set up clients before setting up mirroring, the CA certificates installed on the client must be replaced with the CA certificate bundle. See the section Set up admin and key clients for more information. The client certificate and private key files do not need to be replaced.

NOTE: If a bidirectional mirroring configuration is desired, continue with the steps in Appendix B: Set up Bidirectional Mirroring.

Certificate Manager

After initialization, you will be presented with the option to Start Certificate Manager when you return to the Administrative Menu. On initialization, AKM generated one client certificate and private key pair for a client application to authenticate with the AKM server to perform key retrieval or remote encryption. Two admin certificate and key pairs were created for Crypto Officers to manage encryption keys on the AKM server. You only need to run the Certificate Manager if you need to create additional admin or client certificates or sign a CSR. See Chapter 7: Create Additional Admin and Client Certificates for more information.

IMPORTANT: Initialization of the primary AKM server creates a unique CA certificate which is used to sign all client certificates. This CA certificate should only be used with AKM, and you do not need to create an additional CA certificate for use with AKM. By default, one client certificate and two admin certificates are created by the initialization process. Two admin certificates are created in order to support dual control of encryption key administration.

Other administrative options

This section describes other Administrative Menu options.

Migrate (Initialize from backup)

Current Townsend Security customers can migrate the key database and authentication certificates from an earlier version of AKM to a new AKM. Start a support ticket on the Townsend Security website for assistance with the migration, including information about transferring your permanent license to your new AKM. Follow the steps below to migrate the key database and authentication certificates:

  • Log in to the web interface of the server you wish to migrate from and run both an application and a secret key backup, selecting a local folder on AKM as the destination. For more information on running a backup, see the AKM Server Management Guide.
  • Navigate to the directory in File Manager where you saved the backups, and double click to download both files.
  • Launch the new AKM VM, then log in to that AKM server via the web interface. Use the File Manager to upload both files to the /home/admin/uploads directory.
  • Launch the Administrative Menu on the new AKM VM and select the option to Initialize AKM. Select the option to Migrate (Initialize from BACKUP). Press Enter.
  • Wait until the migration is successful and AKM has started. Do not interrupt this process.

This initialization option does not include the creation of new client and admin certificates. Use the Start Certificate Manager option in the main menu if new certificates are needed. See the next chapter for information on downloading these certificates. Client certificates already in use in client applications will still be valid to connect to AKM. However, if the new AKM has a different IP address than the previous AKM, this will need to be updated in the client application configuration.

Start/Stop AKM

After initializing the server, the main Administrative Menu will include the option to Stop AKM. This stops key services and prevents all clients from connecting to AKM. When AKM is stopped, you can select the option to Start AKM to restart key services.

Disable Webmin

You will use the web interface to download key and admin client certificates and private keys in the next chapter. However, it is recommended to disable the web interface to the AKM server when not in use. From the Administrative Menu, select the option to Disable Webmin. Follow the prompts to disable the web interface.

Support

Collect logs for troubleshooting

For problem determination, you can view logs. From the Administrative Menu, select the Support option to Collect logs for troubleshooting. See Chapter 10: Support for more information.

Selecting this option will display system version information.

Fix akm.conf

This option will appear if there is a conflict between the IP address assigned to the AKM server and what is listed in the AKM configuration file (akm.conf). Selecting this option will resolve the conflict by resetting all IP addresses to default (0.0.0.0). This will remove any manual changes you have made to the AKM configuration file IP addresses.

Exit to shell

You can exit to a shell if you need direct access to the OS for control over Linux options and facilities.

Disconnect from AKM

You should disconnect from AKM when you are finished with the session.

Next steps

You can now log in to the AKM server web interface and download admin and client certificate and key pairs for distribution to admin and key clients. See Chapter 5: Start Using AKM for VMware for more information.

Chapter 5: Start Using AKM for VMware

Overview

To get started using AKM for VMware, you will need to set up your key clients for key retrieval and/or remote encryption. You will first log in to the AKM server web interface and download the client certificates and private keys needed for client/server connections. You will then give a key client certificate and private key plus the name of one or more AKM encryption keys to your client application developer. You can also download admin client certificates needed for encryption key management functions in the AKM Administrative Console.

Log in to the web interface

Open a web browser and connect to the primary AKM virtual machine via a secure HTTPS connection. You will use the DNS name or IP address and the web interface port number for the primary AKM server:

  • https://PrimaryAkmIPAddress:3886

NOTE: AKM generates a private SSL certificate during initialization, so you will likely be presented with a browser security warning. Choose the option to proceed. The login page is displayed.

NOTE: A different IP address may be displayed. Enter the default username “admin” and the password you set during initialization. Click Login.

The navigation pane contains different options for managing the AKM server, including backup/restore, mirroring and logging. See the AKM Server Management Guide for information on these tasks. To verify that AKM is running, click on the link for Running Processes in the navigation pane. Click Search in the Display menu at the top of the page. Select Matching, enter “akmd”, and click Search. If AKM is running, you will see it listed as a running process.

If AKM is not running, click on the link for Custom Commands in the navigation pane. Click on the Start AKM button to start the AKM process and click Return to commands. Check the Running Processes tab again for the “akmd” process. If the “akmd” process is still not running, navigate back to Custom Commands and click on the Display AKM Error Log Snippet button. This will display a list of recent errors to help with problem determination. Contact Townsend Security or your software vendor if you need assistance.

IMPORTANT: If you are deploying AKM for VMware in a production environment, you may need to install software patches. If there are any necessary software patches available from Townsend Security or your software vendor, you should install them now.

Set up admin and key clients

Setting up clients for key retrieval or remote encryption includes downloading and distributing client certificates and giving the name of an encryption key to your client application developer. For key management in the AKM Administrative Console, you will download admin certificates and private keys.

SECURITY ALERT: The private key files associated with admin and key client certificates must be protected during creation, distribution, and storage. The loss of these files will compromise the security of any encryption keys this client has access to. Depending on the file format, the private key files may be bundled with a certificate or they may be separate files. Transfer these files by sharing them over a secure network, placing them in a password-protected zip file, sending them using SFTP, or another secure method. Use the same level of care you would employ to protect encryption keys, including encryption. In the event the certificates are compromised or lost, you should immediately replace the certificate authority on the AKM server and all client certificates in that chain of trust. See the AKM HSM Quick Start Guide for more information.

Download key client certificates

Key client certificates are used in client applications for key retrieval or remote encryption and decryption on the AKM server. Your client application developer will need AKM’s CA certificate or a CA certificate bundle (when implementing mirroring), a client certificate/private key pair, and any associated passwords to set up client applications for key retrieval or remote encryption on the AKM server. The format of the certificate files your client application developer will need depends on the platform and language of the client application environment.

If using a secondary mirror server, follow the steps in the section Certificates to use after setting up mirroring.

NOTE: If you do not need to control access to keys, you can use the same client certificate/private key in each client application. If you need to control access to keys, each client application will need a unique client certificate/private key. See Chapter 7: Create Additional Admin and Client Certificates for information on creating additional client certificates.

Certificates to use prior to setting up mirroring

In File Manager, navigate to the /home/admin/downloads/ directory. Client certificates are located in <AKMServerName>_user.zip. Select <AKMServerName>_user.zip and click Save. Unzip this archive. The following certificates and private keys can be used to set up key clients before mirroring setup:

  • /JKS
    • AKMClientKeystore.jks (client certificate/private key)
    • AKMClientPassword.txt (client certificate/private key password)
    • AKMRootCATruststore.jks (AKM’s CA certificate)
    • AKMRootCATruststorePassword.txt (the CA certificate password)
  • /KeyConnection
    • AKMClientCertificateAndPrivateKey.p12 (client certificate/private key)
    • AKMClientPassword.txt (client certificate/private key password)
    • AKMRootCACertificate.pem (AKM’s CA certificate)
  • /P12
    • AKMClientCertificateAndPrivateKey.p12 (client certificate/private key)
    • AKMClientPassword.txt (the client certificate/private key password)
  • /PEM
    • AKMClientCertificate.pem (client certificate)
    • AKMClientPrivateKey.pem (client private key)
    • AKMRootCACertificate.pem (AKM’s CA certificate)
    • <PrimaryAKMServerName>.AKMServerCertificate.pem (the primary AKM’s server certificate, used for “certificate pinning”)

Certificates to use after setting up mirroring

After mirroring setup, you will need to use a bundle containing the CA certificates of both AKM servers along with the client certificate and private key. Log in to the web interface and redownload <AKMServerName>_user.zip to gain access to the new mirroring configuration certificates used in client applications after a mirroring pair has been established. If you have previously set up clients before setting up mirroring, the CA certificates installed on the client must be replaced with this new CA certificate bundle (.pem or .jks) for seamless client failover when AKM is unreachable. The client certificate and private key files do not need to be replaced.

NOTE: When setting up clients in a Windows environment, Windows Certificate Store will not import all of the CA certificates in the bundle. In this case, the primary and secondary mirror CA certificates must be imported individually.

In File Manager, navigate to the /home/admin/downloads/ directory. Client certificates are located in <AKMServerName>_user.zip. Select <AKMServerName>_user.zip and double click to save. Unzip this archive. The following certificates and private keys can be used to set up key clients after mirroring:

  • /JKS
    • AKMClientKeystore.jks (keystore containing the client certificate/private key)
    • AKMClientPassword.txt (keystore password)
    • /Mirror_Config_Certificates
      • AKMTruststoreBundle.jks (truststore bundle containing both AKM’s CA certificates)
      • AKMTruststoreBundlePassword.txt (truststore password)
  • /KeyConnection
    • AKMClientCertificateAndPrivateKey.p12 (client certificate/private key)
    • AKMClientPassword.txt (client certificate/private key password)
    • /Mirror_Config_Certificates
      • <PrimaryAKMServerName>.AKMRootCACertificate.pem (the primary AKM’s CA certificate)
      • <MirrorAKMServerName>.AKMRootCACertificate.pem (the mirror AKM’s CA certificate)
  • /P12
    • AKMClientCertificateAndPrivateKey.p12 (client certificate/private key)
    • AKMClientPassword.txt (the client certificate/private key password)
  • /PEM
    • AKMClientCertificate.pem (client certificate)
    • AKMClientPrivateKey.pem (client private key)
    • <PrimaryAKMServerName>.AKMServerCertificate.pem (the primary AKM’s server certificate, used for “certificate pinning”)
    • /Mirror_Config_Certificates
      • <PrimaryAKMServerName>.AKMRootCACertificate.pem (the primary AKM’s CA certificate)
      • <MirrorAKMServerName>.AKMRootCACertificate.pem (the mirror AKM’s CA certificate)
      • AKMRootCertificatesBundle.pem (bundle with both AKM’s CA certificates)

Download Crypto Officer certificates

Crypto Officer certificates are used to connect to AKM for key management operations. Your Crypto Officer will need the AKM CA certificate truststore or truststore bundle (when implementing mirroring), and an admin client certificate/private key keystore in .jks format, as well as any associated passwords, to use the AKM Administrative Console to create and manage encryption keys. .pem files can be used for admin clients under program control if needed. See the AKM Admin API Reference for more information on using admin commands under program control. If using a secondary mirror server, follow the steps in the section Certificates to use after setting up mirroring.

Certificates to use prior to setting up mirroring

In File Manager, navigate to the /home/admin/downloads/ directory. Crypto Officer certificates are located in <AKMServerName>_admin1_<date>.zip and <AKMServerName>_admin2_<date>.zip in the /home/admin/downloads/ directory on the primary AKM server. Two unique sets of admin certificates are provided if you want to implement PCI requirements around dual control of key management operations. Select <AKMServerName>_admin1_<date>.zip and/or <AKMServerName>_admin2_<date>.zip and double click to save. Unzip the archives. The following files can be used to set up admin clients before mirroring setup:

  • /PEM
    • AKMAdminCertificate.pem (admin certificate)
    • AKMAdminPrivateKey.pem (admin private key)
    • AKMRootCACertificate.pem (AKM’s CA certificate)
  • /Admin_Console
    • AKMAdminKeystore.jks (admin keystore)
    • AKMAdminKeystorePassword.txt (admin keystore password)
    • AKMRootCATruststore.jks (admin truststore with AKM’s CA certificate)
    • AKMRootCATruststorePassword.txt (admin truststore password)

Certificates to use after setting up mirroring

After mirroring setup, you will need to use a truststore bundle containing the CA certificates of both AKM servers, along with the keystore file. Log in to the web interface and redownload <AKMServerName>_admin1_<date>.zip and <AKMServerName>_admin2_<date>.zip (if implementing dual control) to gain access to the new mirroring configuration certificates used in the admin application after a mirroring pair has been established. If you have previously set up the admin client before setting up mirroring, the CA certificates installed on the client must be replaced with the new CA certificate bundle (.pem or .jks) for seamless client failover when AKM is unreachable. The client certificate and private key (.pem or .jks) do not need to be replaced.

NOTE: If setting up an admin client under program control in a Windows environment with .pem files, Windows Certificate Store will not import all of the CA certificates in the bundle. In this case, the primary and secondary mirror CA certificates must be imported individually. The following files can be used to set up admin clients after mirroring:

  • /PEM
    • AKMAdminCertificate.pem (admin certificate)
    • AKMAdminPrivateKey.pem (admin private key)
    • /Mirror_Config_Certificates
      • <PrimaryAKMServerName>.AKMRootCACertificate.pem (the primary AKM’s CA certificate)
      • <MirrorAKMServerName>.AKMRootCACertificate.pem (the mirror AKM’s CA certificate)
      • AKMRootCertificatesBundle.pem (bundle with both AKM’s CA certificates)
  • /Admin_Console
    • AKMAdminKeystore.jks (admin keystore)
    • AKMAdminKeystorePassword.txt (admin keystore password)
    • /Mirror_Config_Certificates
      • AKMTruststoreBundle.jks (truststore bundle with both AKM’s CA certificates)
      • AKMTruststoreBundlePassword.txt (truststore bundle password)
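The key client and admin client notes above make the same point: after mirroring a client must trust both AKM CA certificates, and on Windows the primary and mirror CA certificates are imported individually rather than from the bundle. The script below is an added example (not Townsend Security code) that checks a downloaded AKMRootCertificatesBundle.pem against the individual <PrimaryAKMServerName>.AKMRootCACertificate.pem and <MirrorAKMServerName>.AKMRootCACertificate.pem files, flags a stale pre-mirroring bundle, and prints SHA-256 fingerprints you can compare with what the Windows certificate store or a keytool listing shows; the PEM blocks it builds for offline use are constructed placeholders, not real certificates.

```python
"""Audit an AKM CA certificate bundle against the individual CA certificate files.

Added example, not Townsend Security code. The PEM blocks constructed at the
bottom are placeholders (base64 of arbitrary bytes), not real X.509
certificates; point audit_bundle() at the real files from
/home/admin/downloads/.../Mirror_Config_Certificates for a real check.
"""
import base64
import binascii
import hashlib
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def split_pem_bundle(bundle_text: str) -> list[bytes]:
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle.

    Text outside the BEGIN/END markers (comments, "openssl x509 -text" dumps)
    is ignored, which matches how OpenSSL and Java's keytool read bundles.
    """
    ders = []
    for body in PEM_CERT.findall(bundle_text):
        b64 = "".join(body.split())  # drop line breaks and indentation
        try:
            ders.append(base64.b64decode(b64, validate=True))
        except binascii.Error as exc:
            raise ValueError(f"corrupt certificate block in bundle: {exc}") from exc
    return ders


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, as "openssl x509 -fingerprint -sha256" prints it."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def audit_bundle(bundle_text: str, individual_pems: dict[str, str]) -> dict:
    """Compare a CA bundle with the individual CA certificate files.

    individual_pems maps a label ("primary", "mirror") to the PEM text of the
    matching <Server>.AKMRootCACertificate.pem file. The report lists which
    labels the bundle contains, which are missing (a bundle saved before
    mirroring holds only the primary CA), and the fingerprints of any
    certificate in the bundle that is not one of the expected CAs.
    """
    expected = {}  # fingerprint -> label
    for label, pem in individual_pems.items():
        ders = split_pem_bundle(pem)
        if len(ders) != 1:
            raise ValueError(f"{label}: expected one certificate, found {len(ders)}")
        expected[sha256_fingerprint(ders[0])] = label
    bundle_fps = [sha256_fingerprint(d) for d in split_pem_bundle(bundle_text)]
    return {
        "present": [expected[fp] for fp in bundle_fps if fp in expected],
        "missing": [label for fp, label in expected.items() if fp not in bundle_fps],
        "unexpected": [fp for fp in bundle_fps if fp not in expected],
        "fingerprints": {label: fp for fp, label in expected.items()},
    }


def constructed_pem(seed: bytes) -> str:
    """Build a PEM-shaped block from arbitrary bytes for offline demonstration only."""
    b64 = base64.b64encode(seed * 12).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed sample inputs standing in for the downloaded files.
PRIMARY_CA_PEM = constructed_pem(b"constructed-primary-akm-ca")
MIRROR_CA_PEM = constructed_pem(b"constructed-mirror-akm-ca")
GOOD_BUNDLE = PRIMARY_CA_PEM + MIRROR_CA_PEM   # post-mirroring bundle: both CAs
STALE_BUNDLE = PRIMARY_CA_PEM                  # CA file saved before mirroring


if __name__ == "__main__":
    individual = {"primary": PRIMARY_CA_PEM, "mirror": MIRROR_CA_PEM}
    for name, bundle in (("post-mirroring bundle", GOOD_BUNDLE), ("stale CA file", STALE_BUNDLE)):
        report = audit_bundle(bundle, individual)
        ok = not report["missing"] and not report["unexpected"]
        print(f"{name}: {'OK' if ok else 'REPLACE ON CLIENTS'} "
              f"present={report['present']} missing={report['missing']}")
        for label, fp in report["fingerprints"].items():
            print(f"  {label}: {fp}")
```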

Give the name of an encryption key to your client application developer

If you created a set of initial encryption keys on initialization of the primary AKM server, the following keys are immediately available for use:

  • AES128 - 128-bit symmetric key, general access
  • AES192 - 192-bit symmetric key, general access
  • AES256 - 256-bit symmetric key, general access
  • EKM128 - 128-bit symmetric key for use with SQL Server EKM, enabled for EKM
  • EKM256 - 256-bit symmetric key for use with SQL Server EKM, enabled for EKM
  • EKMSS - 2048-bit RSA key for use by SQL Server EKM, enabled for EKM
  • RSA1024 - 1024-bit RSA key
  • RSA2048 - 2048-bit RSA key
  • RSA3072 - 3072-bit RSA key
  • RSA4096 - 4096-bit RSA key

Give the name of the appropriate encryption key to your client application developer.

SECURITY ALERT: These encryption keys are set for general access. That means anyone with a valid key client certificate for AKM can retrieve these keys or use them for remote encryption. If you have multiple clients and you would like to implement key access control, you can change the access level for these keys or create new encryption keys with a restricted access level in the AKM Administrative Console. Key access is based on the Common Name (CN) and Organization Unit (OU) of the client certificate which you entered earlier. See Chapter 6: Create and Manage Encryption Keys for more information.

Chapter 6: Create and Manage Encryption Keys

If you created a set of encryption keys during initialization of the primary AKM server, you can use one of these encryption keys. If you would like to manage these encryption keys (for example, to change the access policy) or create new encryption keys, you can do so using the AKM Administrative Console.

AKM Administrative Console

The AKM Administrative Console is a Windows application with a GUI interface for one or more Crypto Officers to create and manage encryption keys. See the AKM Administrative Console Guide for detailed instructions on installing and using the AKM Administrative Console. To set up the Admin Console, you will need the AKM CA certificate truststore or truststore bundle and an admin client certificate/private key in .jks format and passwords for these files. If you are using the Admin Console after setting up mirroring, you will need to use the CA certificate truststore bundle which contains the CA certificates of both AKM servers (AKMTruststoreBundle.jks) and the associated password. See the section Download Crypto Officer certificates for information on downloading the truststore and keystore.

IMPORTANT: By default, two sets of admin certificates and private keys are generated for two Crypto Officers in order to support dual control (<AKMServerName>_admin1_<date>.zip and <AKMServerName>_admin2_<date>.zip). To authorize a second Crypto Officer to use the Admin Console, you will need to follow the same steps using the <AKMServerName>_admin2_<date>.zip file. See the AKM Administrative Console Guide for information on implementing dual control.

When opening the AKM Administrative Console for the first time, a dialog is displayed that allows you to define the AKM server to which you want to connect using the AKM Administrative Console:

  • Server Name: Enter a name of your choosing for this key server.
  • Server Address: Enter the IP address or hostname of this key server (example: cloud-service-name.cloudapp.net).
  • Server Port: Enter the admin port number (the default is 6001).
  • Key Store File: Click Browse and select AKMAdminKeystore.jks.
  • Passphrase: Enter the password contained in the AKMAdminKeystorePassword.txt file.
  • Trust Store File: Click Browse and select AKMRootCATruststore.jks (or AKMTruststoreBundle.jks if you have already set up mirroring).
  • Passphrase: Enter the password contained in the AKMRootCATruststorePassword.txt file (or AKMTruststoreBundlePassword.txt if you have already set up mirroring).

Click Add. You are now authorized to create and manage encryption keys on the AKM server. See the AKM Administrative Console Guide for more information.

Verify the connection to AKM server

In the AKM Administrative Console you will see a list of options in the left pane. Expand the option for Status and select the link for Administrative NoOp. Click Submit. You should see the following output in the right pane:

AKM_222 (10.0.1.230 port 6001)
------------------------------------------
Command: Administrative NoOp
------------------------------------------
Server: AKM_222 (10.0.1.230 port 6001)
  Transaction Length: <00008>
  Transaction Id: <1044>
  Return Code: <0>
  Command completed successfully.
Command Output:
  No additional command output
---------------------------------------
End Command Administrative NoOp
---------------------------------------

If you receive an error message see Chapter 11: Troubleshooting below. You are now ready to use the AKM Administrative Console to create and manage encryption keys.

Create a new encryption key

To create a new encryption key, expand the option for Manage Keys in the left pane and select the Create Symmetric Key command. Next you will define attributes for the encryption key in the middle pane. First give your key a user-friendly name and a key size. For evaluation purposes check the box next to Activate key immediately and Key never expires, and select the option for Anyone to access the key. For production encryption keys, the expiration date of the key should be determined by your organization’s policy on cryptoperiods, and you should use a restricted key access policy. Define additional options for the key and scroll down to click the Submit button to create the key. You should receive the following output:

Command: Create Symmetric Key
------------------------------------------
Server: 10.0.1.230 (10.0.1.230 port 6001)
  Transaction Length: <00072>
  Transaction Id: <1002>
  Return Code: <0>
  Command completed successfully.
Command Output:
  Key Name: <TEST KEY               >                 
  Key Instance: <SAZ4he9kkZYjmF5+n2A6Mg==>
---------------------------------------
End Create Symmetric Key Command
---------------------------------------

You will now be able to use this encryption key in your client application.

Set key access policy on an encryption key

To modify the key access policy on an existing encryption key, expand the option for Manage Key Attributes in the left pane and select the Set Key Access Flag command. Enter the key name and select the desired key access policy. See the AKM User Guide for more information on key access control.

Chapter 7: Create Additional Admin and Client Certificates

During initialization, AKM automatically generates a certificate authority (CA) certificate, two admin (Crypto Officer) certificates and one client (key retrieval or remote encryption) certificate. For information on using these certificates, see Chapter 5: Start Using AKM for VMware and Chapter 6: Create and Manage Encryption Keys. If you need to create additional key client certificates, admin certificates, or import certificate signing requests, you can do so using the Certificate Manager option. Start the primary AKM VM and log in to the command prompt. Enter “akm-menu” to launch the Administrative Menu. After initialization of the primary AKM server you will see the option to Start Certificate Manager. Select this option to display the Certificate Menu.

Create an admin certificate

Enter option 1 to Create an admin client certificate and key pair. This will create an additional admin certificate and private key for a Crypto Officer to manage encryption keys. You will be prompted to enter a unique Common Name (CN) for this admin certificate. The admin certificate files are then created and are available in the /home/admin/downloads/ directory on the AKM server.

Create a key client certificate

From the Certificate Menu, enter option 2 to Create a key client certificate and key pair. This will create an additional client certificate and private key for key clients to perform key retrieval or encryption and decryption on the AKM server. You will be prompted to enter a unique Common Name (CN) and Organizational Unit (OU) for this key client certificate. The key client certificate files are then created and are available in the /home/admin/downloads/ directory on the AKM server.

SECURITY ALERT: If you are using an encryption key created on initialization of the primary AKM server and you want to use key access control, you will need to modify the key access policy of the encryption key and enter User and Group information that matches the Common Name (CN) and Organizational Unit (OU) of the key client certificate. See Chapter 6: Create and Manage Encryption Keys for more information.

Import and sign certificate signing requests

If you are on the IBM i platform, you will need to import a certificate signing request (CSR) to be signed by AKM’s CA certificate to create a signed key client certificate. For information on creating a certificate signing request, see the document AKM DCM Configuration for IBM i. From the Certificate Menu, enter option 3 to Import and sign certificate signing requests. Log in to the AKM web interface as the “admin” user with the password you created above. Click on the link for File Manager in the left navigation pane. Upload the CSRs to the /home/admin/uploads/ directory. You can upload multiple CSRs. After uploading the CSRs, return to the Certificate Menu and press Enter. AKM will detect the Common Name (CN) of each CSR and use it to name the client certificate files. The signed client certificate files are available in the /home/admin/downloads/ directory on the AKM server.

Chapter 8: Manage the AKM Server

Server management

Backup and restore, system logging, and firewalls can be configured via the web interface. See the AKM Server Management Guide for information on these tasks. See the AKM User Guide for more detail on these concepts.

IMPORTANT: You should perform a backup of the AKM server as soon as you have finished setting up AKM for VMware, and periodically after any significant changes to keys, user access policies, and certificates.

Software updates

Each time you log into the Webmin UI, you will see new package updates available on the dashboard. When you click on the package updates section you will be taken to a list of the available updates.

You can apply all available updates by selecting the select all option. Once you have made your selection you can click the button to Update Selected Packages. You can specify to be alerted of new updates via email if you need. This feature can be found by scrolling to the bottom of the list. You will be able to set an interval to check for updates, as well as provide an email and specify any action to be taken.

After clicking Update Selected Packages you will be taken to a screen to confirm and install the updates. Click on Install Now when you are ready to begin the update. The update process is done when you see install complete at the bottom of the output window.

Your updates will be complete at this point and any future updates can be applied in this manner as well.

NOTE: An alternative method to update your AKM can be completed via the AKM shell. This method requires access to the AKM shell using SSH, PuTTY, your VM console, or a dummy console. Once connected, you can issue the command sudo apt-get update to list the available packages for update. When you are ready to apply the update, you will issue the command sudo apt-get upgrade. The process may take a few moments to finish.

Certificate backup

You should back up all certificates and private keys used by AKM. See the AKM Server Management Guide for more information.

SECURITY ALERT: Private key files must be protected during creation, distribution, and storage. The loss of these files will compromise the security of the AKM server. Transfer the certificate files by sharing them over a secure network, placing them in a password-protected zip file, sending them using SFTP, or another secure method. Use the same level of care you would employ to protect encryption keys from loss, including encryption. In the event the client certificates are compromised or lost, you should immediately replace the certificate authority on the AKM server and all client certificates in that chain of trust. See the AKM HSM Quick Start Guide for more information.

Chapter 9: Obtain a Permanent License

AKM for VMware is deployed with a 30-day temporary license. Please contact your account manager to receive a permanent license if you wish to continue using AKM for VMware. You may also need a replacement trial license in the event that licensing fails during initialization. See below for information on installing a new license.

Install a new license

Log in to the AKM web interface and click on the link for Custom Commands in the left navigation pane. Click on the link to Display eth0 MAC address. Copy the MAC address into an email message and send it to your presales engineer or account manager. Be sure to include your name, company name, and contact information. The license file you will receive will be named License.txt. Once you receive the license, you are ready to upload it to the AKM server.

IMPORTANT: Do not change the name of the license file. It must have the name License.txt when it is installed on the server.

Log in to the web interface and expand the navigation pane. Click on the link for File Manager. Navigate to the /var/lib/townsend/akm directory. Select License.txt and click the Delete button. Click the Upload button. Click Choose File, select the permanent license, and click okay. Now you will need to restart AKM. Click on the link for Custom Commands in the navigation pane, click the Stop AKM button, then click the Start AKM button.

Migrate from a test environment to a production environment

If you have used an AKM instance in a test or development environment, it is recommended to use a new instance of AKM for production. Your new AKM instance will contain unique keys and PKI components that differ from the ones used during testing. Make sure to adjust your client configurations accordingly. If you would like to migrate to a production environment using your original instance, be sure to remove all test data and accounts that have had access to AKM prior to deploying key management in a production environment. Failing to do so will include your test environment in the scope of your production environment which from a regulatory and security stance exposes your applications and the key manager to risk. It is recommended that you remove all client and admin certificates and private keys used in testing from any applications/systems that have been used to evaluate AKM. You should then create new client certificates and use these certificates in your client applications. Additionally, you should avoid using the same data encryption keys in your production environment that were used during testing (see Chapter 6: Create and Manage Encryption Keys).

Chapter 10: Support

There are two levels of technical support available for AKM customers. The basic level of support comes with your permanent AKM license and includes technical documentation as well as email support, during business hours, Monday through Friday. Contact Townsend Security to purchase premium level support. Townsend Security customers with a permanent license can collect logs and send them to Townsend Security support for assistance. From the Administrative Menu, select the option to Collect logs for troubleshooting. Then start a support ticket on the Townsend Security website at http://townsendsecurity.com/support/ticket.


Chapter 11: Troubleshooting

See below for common problems you may encounter when using AKM for VMware. For further information on troubleshooting, see the AKM Problem Determination Guide.

AKM fails to license during initialization

If AKM fails to license during initialization, check that your VM has a route to the internet, then rerun initialization. If licensing continues to fail, contact Townsend Security or your software vendor to manually license AKM. See the section Install a new license in Chapter 9 for information on manually installing the license.

The AKM server will not start

Launch the Administrative Menu of the AKM VM. Select the Support option to Collect logs for troubleshooting. Log in to the web interface and use File Manager to navigate to home/admin/downloads. Double click to download the logs. Unzip and open the log, then scroll to the bottom of the log. Observe the error and correct the problem.

The license for AKM is invalid

When you installed the VMware instance of the AKM evaluation server, you may have seen a prompt that asked if you have moved or copied the instance from another location. If you answer that you “copied” the instance, the license was invalidated. Delete the VMware instance and install it again. Answer the question with the “I moved it” response. Repeat the steps above. If the license is still invalid, it may be expired or the MAC address of the VM may have been changed, invalidating the license.

I can’t connect to the AKM server

If the server is active but you cannot connect to it from your AKM Administrative Console, you may not have set the IP address correctly in the AKM server. Open a browser HTTPS session on port 3886 to the AKM server, log in, expand the options under the AKM icon on the left side, start File Manager, and navigate to the /etc/akm directory. Select the file akm.conf and click on the Edit button in the Actions column to view the file. Review the AKM configuration file settings and be sure that the Server IP address and Admin IP address are correct for your VMware instance, and that certificate file names are correct. Then, check your certificates to make sure they are valid.

I do not have a DHCP server

If you do not have a DHCP server, the VM does not get assigned an IP address automatically. You will need to set a temporary IP address via the VM command line, log in to the web interface, and assign a static IP address. While logged in to the command line, enter the following command to set a temporary IP address (these are example values):

sudo ifconfig eth0 10.4.10.13 netmask 255.255.255.0 broadcast 10.4.10.255

If you need to set the default gateway, use the following command (these are example values):

sudo route add default gw 10.4.10.1

Set these values to an IP address that is available on your subnet. Consult with your network administrator for the correct values. Press Enter. This will change the network configuration temporarily. Log in to the web interface using this IP address. Click the arrow next to AKM to expand the navigation pane. Click on the link for Network Configuration. Click the Network Interfaces icon and click eth0 to edit it. Select Static Configuration and enter the IPv4 address (10.4.10.13 in this example) and Netmask (255.255.255.0). Select the radio button next to the Broadcast field to enter the broadcast (10.4.10.255). Click Save and you will be returned to the Network Interfaces screen. Click Apply Selected Interfaces. Restart the VM, log in to the VMware command prompt, and enter “akm-menu” to launch the Administrative Menu. Select the option for initialization and continue to follow the steps in the section Initialize the primary AKM server in Chapter 4 to set up the AKM server.
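The temporary address, netmask, broadcast and gateway above must agree with each other, or the web interface will be unreachable after the change. The following shell script is an added example (not part of the AKM manual) that checks those values for consistency before you type the ifconfig and route commands; it uses the manual's example values and only standard POSIX sh arithmetic.

```shell
#!/bin/sh
# Added example, not AKM's own tooling: verify that a temporary IP address,
# netmask, broadcast address and default gateway describe one consistent subnet.

# ip2int DOTTED_QUAD -> prints the address as a 32-bit integer.
ip2int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip INTEGER -> prints the address as a dotted quad.
int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# expected_broadcast IP NETMASK -> prints the broadcast address implied by IP/NETMASK.
expected_broadcast() {
  ip=$(ip2int "$1"); mask=$(ip2int "$2")
  int2ip $(( (ip & mask) | (~mask & 4294967295) ))
}

# same_subnet IP NETMASK OTHER -> succeeds if OTHER lies in the same subnet as IP.
same_subnet() {
  ip=$(ip2int "$1"); mask=$(ip2int "$2"); other=$(ip2int "$3")
  [ $(( ip & mask )) -eq $(( other & mask )) ]
}

# check_temp_net IP NETMASK BROADCAST GATEWAY -> succeeds if all four values agree,
# otherwise prints the first inconsistency found and fails.
check_temp_net() {
  want=$(expected_broadcast "$1" "$2")
  if [ "$want" != "$3" ]; then
    echo "broadcast $3 does not match $1/$2 (expected $want)"; return 1
  fi
  if ! same_subnet "$1" "$2" "$4"; then
    echo "gateway $4 is not on the same subnet as $1/$2"; return 1
  fi
  if [ "$4" = "$1" ] || [ "$4" = "$3" ]; then
    echo "gateway $4 collides with the host or broadcast address"; return 1
  fi
  return 0
}

# The manual's example values, checked before running:
#   sudo ifconfig eth0 10.4.10.13 netmask 255.255.255.0 broadcast 10.4.10.255
#   sudo route add default gw 10.4.10.1
check_temp_net 10.4.10.13 255.255.255.0 10.4.10.255 10.4.10.1 && echo "values consistent"
```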


Appendix A: Connect to the AKM Server via SSH

It is also possible to access the Administrative Menu via SSH for initialization or other administrative options. To do so, use the AKM server’s DNS name or IP address to open an SSH connection. For example:

ssh admin@akmDNSnameorIPaddress

Use the default password “OOHXPq6r530N6re” if logging in for the first time, or the password you have set previously.

NOTE: Windows users can connect to the AKM server via SSH using PuTTY. See below for more information.

Connecting with PuTTY

First, download PuTTY at http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html and run the executable. When you open PuTTY for the first time, you will be prompted to enter configuration information for the AKM server.

Enter the AKM server IP address. Leave the default port 22. You can save this configuration by entering a name (example: AKM1) in the Saved Sessions field and clicking Save. Click Open. You will be prompted to log in.

Enter “admin” as the username, and when prompted, the default password “OOHXPq6r530N6re”. If the login is successful, the Administrative Menu will be displayed. Return to Chapter 4: Set up AKM for VMware to continue with initialization.


Appendix B: Set up Bidirectional Mirroring

To set up bidirectional mirroring, first initialize the primary AKM server, then initialize a secondary mirror server as described in the section Initialize a secondary mirror server.

In the secondary server menu, select the option for Mirroring and select 1) Add a mirror. Copy the SSH public key of the secondary server. In the primary server menu, select Mirroring and select 2) Receive mirrored keys. Paste the SSH public key of the secondary into the menu. Return to the secondary server’s Mirror Configuration Menu and press Enter to continue. Enter the IP address of the primary server. Verify the fingerprint of the primary server and enter yes to continue.