Chapter 1: About This Manual

 

Web interface

Server management tasks are performed via the secure web browser interface to the AKM server. For server management tasks, the web interface must be enabled. However, if you want to disable the web interface for any reason, Townsend Security will still support AKM. See Appendix A: Disable Webmin for more information.

SECURITY ALERT: If you are deploying AKM in the cloud, it is recommended to disable the web interface when not needed. This can reduce the risks associated with deploying in a cloud environment.

Who is this for?

This guide is intended to help System Administrators manage the AKM server. It covers backup and restore, logging, firewalls, changing the admin password, network configuration, modifying the configuration file, and problem determination.

This guide assumes you have already licensed AKM and installed TLS certificates. See the specific guide for your deployment platform for more information on these steps.

Other resources

The following documents provide additional information on the installation and use of Alliance Key Manager:

Note on software updates

Townsend Security will provide you with any needed updates to the web interface, operating system, and key management application through the Townsend Security customer support group.

IMPORTANT: You must not attempt to apply any software updates through automated patch facilities, the web interface, or any updates not directly provided by Townsend Security. Applying these updates will void your warranty, and you may be required to restore your system from backup in order to continue operation.

For current Townsend Security customers migrating to a new AKM server from an older version of AKM, see the platform specific deployment guide of the platform you are migrating to for instructions on completing the migration. Open a support ticket with Townsend Security for assistance.

Notices

This product and documentation are covered by U.S. and international copyright law. This product may incorporate software licensed under one or more open source license agreements. Government users please note that this product is provided under restricted government use license controls. Please refer to the AKM End User License Agreement for more information.

Change Log

The following table provides information on the changes to this documentation:

Version Date Description
1.0.0.001 5/28/2011 Initial release
1.0.0.002 10/17/2011 Add note about Java cache clearing for Mac users
1.0.0.003 11/23/2011 Add information about intermediate Certificate Authorities
1.0.0.004 11/26/2011 Add new screen snapshots for clarity
1.0.0.005 12/1/2011 Correct the syslog-ng source configuration instructions
1.0.0.006 12/15/2011 Add information about system logging message prefixes
1.0.0.007 12/22/2011 Added a section on how to set the time service on the key server
1.0.0.008 2/28/2012 Add configuration information on log rotation
1.0.0.009 4/9/2012 Add information about system log source definitions. The server management guide for both the 1u server and the mini-server are now merged and there is only one document.
10.0.0.010 7/10/2012 Correct directory path for AUTH and KEK certificates
1.0.0.011 9/27/2012 Correct the syslog-ng flags configuration name
3.0.0.001 1/21/2014 Revise for AKM 3.0.0
3.0.0.002 2/4/2014 Update information on using intermediate CA certificates. Update information about logrotate.
3.0.0.003 2/19/2014 Remove information on using intermediate CA certificates. Update information about modifying the AKM configuration file. Add note about ready to use implementations.
3.0.0.004 10/1/2014 Add chapter on backing up AKM certificates. Add appendix on enabling and disabling Webmin. Update for ready to use implementations of AKM.
3.0.3.001 12/16/2014 Update for AKM 3.0.3 and the ready to use version of AKM for VMware.
3.0.3.002 5/15/2015 Remove setup and configuration steps specific to HSM deployments. These steps are now located in the AKM HSM Quick Start Guide.
4.0.0.001 2/19/2016 Update for AKM 4.0. Add info about configuring TLS in the AKM configuration file. Add info on fields in akmaudit.log. Add appendices for manually setting up mirroring (traditional and bidirectional). Update web interface navigation screens. Update supported browsers. Add information about migrating to a new version of AKM. Add chapter on secret keys.
4.0.0.002 5/13/2016 Update platform information for AKM 4.0. Update AKM configuration file section. Remove chapter on backing up TLS certificates as these are now part of the application backup. Update manual mirroring appendices.
4.0.0.003 7/12/2016 Update for AKM 4.0 Azure release.
4.5.3.001 4/4/2017 Update for new File Manager.
4.6.0.001 9/21/2018 Updated for AKM 4.6 release. Added instructions for Google Authenticator 2FA in Webmin. Added descriptions of akm-menu functions including 2FA for SSH connections.
4.6.0.002 12/06/2018 Added software update instructions under chapter 3

Chapter 2: Administrative Menu

The Administrative Menu can be accessed directly in the akm shell by issuing the command akm-menu.

A number of administrative server management tasks can be performed here; this chapter covers these functions.

Start/Stop AKM

After initializing the server, the main Administrative Menu will include the option to Stop AKM. This stops key services and prevents all clients from connecting to AKM. When AKM is stopped, you can select the option to Start AKM to restart key services.

Mirroring

This option should only be used when introducing a new mirror or high availability AKM instance. For more information on introducing a new mirror AKM via the admin’s akm-menu, see your specific quick start guide:

  • HSM Quick Start Guide: Initialize a secondary server

  • VM Quick Start Guide: Initialize a secondary server

  • Azure Quick Start Guide: Initialize a secondary server

  • AWS Quick Start Guide: Initialize a secondary server

Mirroring can also be configured manually between two or more existing AKMs using the AKM Administrative Console. See Chapter 15 of the Administrative Console Guide for more information on establishing a mirror relationship this way.

Manage Certificates

During initialization, AKM automatically generates a certificate authority (CA) certificate, two admin (Crypto Officer, key generation and management) certificates and one client (key retrieval or remote encryption) certificate.

If you need to create additional key client certificates, admin certificates, or import certificate signing requests, you can do so using the Certificate Manager option. Connect via SSH to the primary AKM server and log in with user admin and the password you set during initialization. After initialization, the Administrative Menu has the option to Start Certificate Manager. Select this option to display the Certificate Menu:

Create an admin certificate

Enter option 1 to Create an admin client certificate and key pair. This will create an additional admin certificate and private key for a Crypto Officer to manage encryption keys. You will be prompted to enter a unique Common Name (CN) for this admin certificate:

The admin certificate files have been created and are available in the /home/admin/downloads/ directory on the AKM server.

Create a key client certificate

From the Certificate Menu, enter option 2 to Create a key client certificate and key pair. This will create an additional client certificate and private key for key clients to perform key retrieval or encryption and decryption on the AKM server. You will be prompted to enter a unique Common Name (CN) and Organizational Unit (OU) for this key client certificate:

The key client certificate files have been created and are available in the /home/admin/downloads/ directory on the AKM server.

SECURITY ALERT: If you are using an encryption key created on initialization of the primary AKM server and you want to use key access control, you will need to modify the key access policy of the encryption key and enter User and Group information that matches the Common Name (CN) and Organizational Unit (OU) of the key client certificate. See Chapter 7: Create and Manage Encryption Keys for more information.

Import and sign certificate signing requests

If you are on the IBM i platform, you will need to import a certificate signing request (CSR) to be signed by AKM’s CA certificate to create a signed key client certificate. For more detailed information on creating and signing certificate signing requests, see the document AKM DCM Configuration for IBM i.

From the Certificate Menu, enter option 3 to Import and sign certificate signing requests. The following screen is displayed:

Log in to the AKM web interface as the “admin” user with the password you created above. Click on the link for File Manager in the left navigation pane. Upload the CSRs to the /home/admin/uploads/ directory. You can upload multiple CSRs. After uploading the CSRs, return to the Certificate Menu and press Enter. AKM will detect the Common Name (CN) of each CSR and use it to name the client certificate files. The signed client certificate files are available in the /home/admin/downloads/ directory on the AKM server.

IMPORTANT: Initialization of the primary AKM server creates a unique CA certificate which is used to sign all client certificates. This CA certificate should only be used with AKM, and you do not need to create an additional CA certificate for use with AKM.

By default, one client certificate and two admin certificates are created by the initialization process. Two admin certificates are created in order to support dual control of encryption key administration.

Generate New Server Certificates

This option allows you to generate a new server certificate for AKM. This can be used in the event that a certificate was compromised or is due to expire. After selecting this option you will be prompted to provide a new AKM host name and/or a new alternate host name; answering N preserves the original host name. Once complete you will see the following output. You can download the certificates from /home/admin/downloads on the AKM filesystem.

Once you have the new server certificate, you will need to import it to /etc/akm/Certs and be sure to remove or rename the existing server certificate. AKM must be stopped and restarted to accept the change.

Disable Webmin

From the Administrative Menu, select the option to Disable Webmin. Follow the prompts to disable the web interface.

If you want to use the server management functions described in this document (backup and restore, logging, etc.), Webmin must be enabled. However, if you want to disable Webmin for any reason, Townsend Security will still support AKM.

If the SSH service is not active, log in to the web interface and click on the link for Custom Commands in the left navigation pane. Click the Start SSH button.

Log in to the AKM server using the SSH interface and execute the following commands:

sudo insserv -r webmin
sudo service webmin stop

This disables Webmin and prevents it from starting on boot. If you need to enable Webmin, use the following commands:

sudo insserv webmin
sudo service webmin start

Support

Collect logs for troubleshooting

For problem determination, the AKM logs will almost always be needed. They can be easily bundled and retrieved from the AKM filesystem. From the Administrative Menu, select the Support option to Collect logs for troubleshooting. The logs will be found under /home/admin/downloads on the AKM filesystem. See Chapter 15: Problem Determination for more information on troubleshooting errors.

Selecting this option will display system version information. Depending on how you are viewing this, some of the information may be cut off by your display without the ability to scroll back. If this is the case for you, the system information is also printed to a file when you take the option to Collect logs for troubleshooting; the file is in the folder with the logs at /home/admin/downloads on the AKM filesystem.

Check certificate expiration

This option will display all relevant certificates present on AKM in addition to their expiration dates.

Fix akm.conf

This option will appear if there is a conflict between the IP address assigned to the AKM server and what is listed in the AKM configuration file (akm.conf). Selecting this option will resolve the conflict by resetting all IP addresses to default (0.0.0.0). This will remove any manual changes you have made to the AKM configuration file IP addresses.

Manage SSH Authentication

Set Password

Select option 1 to Set password. When prompted for a “New Password”, enter your new admin password. This is the password you will use when logging in to the AKM web interface as the “admin” user for server management.

Set a strong password and protect it carefully, as the compromise of this password breaches the security of AKM. If you set a weak password you will receive a warning, but the password will still be accepted. It is recommended to set a password of at least 15 characters that includes upper and lower case letters, numbers, and symbols.

IMPORTANT: Do not lose this password, as there are no backdoors to recover it. If you lose the password please do not contact your software vendor to recover it for you, as this is not possible.

When prompted, reenter the password. The password has now been changed and will be used to access the primary AKM server’s Administrative Menu for all future sessions. You will also use this password and username “admin” to log in to the primary AKM server web interface to download client certificates and perform other server management tasks.

Disable Password Authentication

Option 2 here allows you to restrict SSH authentication to public key only. This will require you to download the AKM’s public key id_rsa.pub from /home/admin/.ssh and specify that key when authenticating to AKM via SSH.

To activate it, take option 2, Disable password authentication, and reply y to the prompt.

Generate 2FA token

To enable 2FA for SSH connections to AKM, you can take the option to Enable 2FA or option 3, Generate 2FA token. The first time you take either option you will be prompted to confirm that you’d like 2FA enabled; respond with y to confirm.

Then press any key to generate your new token. Once you press Enter you should see output similar to what is below:

From here you can scan the QR code using Google Authenticator or manually enter the 16-digit secret key. The process will also produce 5 one-time-use “scratch tokens” should you need to access the AKM in the event 2FA is not working or there are issues with your third-party 2FA provider. It is very important to keep a record of these one-time-use codes, as they will be your only way in should you need to bypass 2FA in the future.

Below is an example of an SSH connection following the 2FA set up and connection to Google Authenticator:

Enable / Disable 2FA

If option 4 shows Enable 2FA, 2FA is not currently active and you can take this option to activate it. If you have had 2FA enabled on this AKM before, you will be prompted with the following query:

If you would like to use previously established token data with this AKM, answer N. If you reply y, a new QR code and secret key will be generated, and you will need to reconfigure Google Authenticator with the new QR code or secret key.

Exit to shell

You can exit to a shell if you need direct access to the OS for control over Linux or Ubuntu options and facilities.

Disconnect from AKM

You should disconnect from AKM when you are finished with the session.

Chapter 3: Log in to the Web Interface

Server management tasks are performed via the secure web browser interface to the AKM server.

First connection

Open a web browser and connect to the primary AKM virtual machine via a secure HTTPS connection. Use the DNS name or IP address and the web interface port number (default 3886) for the primary AKM server:

https://PrimaryAKMIPAddress:3886

NOTE: AKM generates a private SSL certificate during initialization, so you will likely be presented with a browser security warning. Choose the option to proceed.

The server login page is displayed:

NOTE: The IP address displayed here will match your AKM server IP address.

Enter the default username “admin” and the password you set during server initialization. Click Login.

The status page is displayed:

This page displays information about the server including disk usage, uptime, etc. To return to this screen after navigating elsewhere, click the System Information link in the left pane.

Software Updates

Each time you log into the Webmin UI, you will see new package updates available on the dashboard.

When you click on the package updates section, you will be taken to a list of the available updates. You should see something similar to the image below.

You can apply all available updates by choosing the select all option. Once you have made your selection, click the button to Update Selected Packages. You can also choose to be alerted of new updates via email; this feature can be found by scrolling to the bottom of the list. There you can set an interval to check for updates, provide an email address, and specify any action to be taken.

After clicking Update Selected Packages you will be taken to the screen below to confirm and install the updates. Click on Install Now when you are ready to begin the update.

You will see output similar to what is shown below. The update process is done when you see install complete at the bottom of the output window.

Your updates will be complete at this point and any future updates can be applied in this manner as well.

NOTE: An alternative method to update your AKM is via the AKM shell. This method requires access to the AKM shell using SSH, PuTTY, your VM console, or a dumb console. Once connected, you can issue the command sudo apt-get update to list the available packages for update. When you are ready to apply the update, issue the command sudo apt-get upgrade. The process may take a few moments to finish.

Chapter 4: Two Factor Authentication

Once you have made your initial connection to the AKM via the Webmin web interface, you will have the option to enable two factor authentication on connections to Webmin. At this time AKM’s web interface only supports Google Authenticator. To enable two factor authentication, navigate to “Webmin Configuration” from the list of options on the left of the Webmin home page. You should see the menu shown below.

Click on Two-Factor Authentication. You will see the page displayed below.

A drop-down containing two options can be seen here, one for each two-factor authentication provider currently available.

Google Authenticator

This section covers how to configure Webmin with Google Authenticator. Select Google Authenticator and click the Save button. You should see the message below:

Click on the words Webmin Users and you will be taken to the following menu.

Select Generate randomly to generate a random ID and QR code for connection with Google Authenticator. You also have the option of creating your own 16-character key. Once you have made a selection, click on Enroll For Two-Factor Authentication. You should see output similar to the image below.

Open Google Authenticator on your phone or mobile device, and scan the QR code shown on your screen in Webmin. If you prefer, you can enter the 16-character key into the app manually. Once Google Authenticator gives confirmation, you can test your new authentication method: log out of Webmin, then enter your user name and password. Google Authenticator displays a 6-character code every 30 seconds.

With two-factor authentication active, a valid code must be presented at login to gain access to Webmin.
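
Both the SSH 2FA token generated from akm-menu (Chapter 2) and the Webmin enrolment above hand Google Authenticator a TOTP secret. The following Python is an added illustration, not code from AKM or Webmin: it implements the RFC 6238 algorithm the app runs against that secret (16-character base32 key, HMAC-SHA1, a 6-digit code per 30-second step) together with a verifier that tolerates one step of clock skew, which is what a login service checking the code would do. The demo secret is generated at run time and is constructed sample data.

```python
"""TOTP (RFC 6238) as used by Google Authenticator.

Added illustration, not part of AKM or Webmin. Shows how the 16-character
base32 secret shown at enrolment becomes the 6-digit code that changes every
30 seconds, and how a server verifies that code with a small skew window.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

TIME_STEP = 30  # seconds per code, as the manual states
DIGITS = 6      # code length displayed by Google Authenticator


def generate_secret(length: int = 16) -> str:
    """Random base32 secret of the given length (16 chars = 80 bits), the same
    shape as the key Webmin or akm-menu lets you type into the app manually."""
    alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def decode_secret(secret: str) -> bytes:
    """Decode a base32 secret, tolerating lower case, spaces and missing '='."""
    clean = secret.replace(" ", "").upper()
    clean += "=" * (-len(clean) % 8)
    return base64.b32decode(clean)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically
    truncated to 31 bits, reduced modulo 10**digits, zero-padded."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: str, at: Optional[int] = None) -> str:
    """The code the app displays for `secret` at Unix time `at` (default now)."""
    now = int(time.time()) if at is None else at
    return hotp(decode_secret(secret), now // TIME_STEP)


def verify(secret: str, code: str, at: Optional[int] = None, window: int = 1) -> bool:
    """Accept the code for the current step or up to `window` steps either side
    (clock skew between phone and server), comparing in constant time."""
    now = int(time.time()) if at is None else at
    step = now // TIME_STEP
    key = decode_secret(secret)
    return any(hmac.compare_digest(hotp(key, step + d), code)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    demo_secret = generate_secret()  # constructed, new on every run
    print("secret to enter in the app:", demo_secret)
    print("current code:", totp(demo_secret))
    print("verifies:", verify(demo_secret, totp(demo_secret)))
```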

Chapter 5: AKM Backup and Restore

This chapter guides you through the steps needed to perform backup and restore operations on the AKM server. These operations back up the secret keys, configuration files, key database, and authentication certificates.

Backup

There are two types of backup: Secret key backup and Application backup.

SECURITY ALERT: Never store an application backup in the same location as a secret key backup.

Secret key backup

AKM Backup and Restore allows you to back up the secret keys from your AKM. The “secret keys” are the Authentication Key (Auth Key) and Key Encryption Key (KEK). These keys unlock and authenticate the encryption key database and are part of the core of AKM.

You create these keys when performing the initial configuration and setup of AKM. These keys should also be periodically rolled. The duration of time that a key is active is called a crypto-period; when the crypto-period expires, the key should be rolled. Please see NIST SP800-57 Part 1 for establishing crypto-periods for your organization. Additionally, you will have to roll these keys under some exceptional circumstances: if your key server database or your certificate authority has been breached or you suspect a compromise.

The secret keys should be backed up once upon creation and then after each roll.

Application backup

AKM Backup and Restore also allows you to back up your application, including the AKM configuration files, AKM authentication certificates, and AKM key database. The key database includes the data encryption keys and key access policies.

Backing up your data encryption keys and access policy is an important part of a recovery strategy. It is recommended that you create a scheduled backup, perhaps monthly, and also perform backups immediately before and after significant changes to encryption keys, key attributes, and key access policies.

IMPORTANT: Performing an AKM Application restore is contingent on the state of the secret keys. That is to say, the secret keys present on the destination AKM server at the time of the application restore must be the same set of secret keys present on AKM at the time of the application backup.

If you have rolled the secret keys since you made your last application backup, make sure you restore the previous set of secret keys to run the application restore.

Click on the link for AKM Backup and Restore.

You must first define a backup destination. There are four types of possible backup destinations:

  • A local directory on the key server

  • An FTP server

  • An SSL FTP server

  • An SSH FTP (SFTP) server

Define a backup destination

In the navigation pane, click on the link for AKM Backup and Restore. The following panel is displayed:

Click on the link for Manage backup destinations.

When you first initialize AKM there will be no destinations configured. Click Add a new destination.

Defining a local key server path as a destination

Complete the Name, Description, Type, and Path fields for this destination.

Name: The name field can contain any value. It is recommended that you use a simple name with no special characters or blanks.

Description: Provide a description for this destination.

Type: The type must be path for a directory on the local key server.

Path: This field must contain a fully qualified path to receive the backup files.

Click the Create button to create the destination. The new destination will now appear in the list of destinations:

Defining an FTP server as a destination

You can also create a remote FTP server as a destination. You must provide the Name, Description, Type, User ID, Password, Address, and Port number:

Name: This field can contain any value. It is recommended that you use a simple name with no special characters or blanks.

Description: Provide a description for this destination.

Type: The type must be FTP for a remote FTP server.

User ID: This field must contain the FTP logon user ID.

Password: This field must contain the password for the FTP server.

Address: This field must contain the IP address or DNS name for the FTP server.

Port number: This field must contain the port number of the FTP server. This is usually 21.

Click the Create button to create this destination. It will now appear in the list of destinations.

Defining an SSH FTP (SFTP) server as a destination

You can also create a remote SFTP server as a destination. AKM is provisioned with a default SSH key pair whose public key is located at /home/admin/.ssh/id_rsa.pub. That key pair is accessible via File Manager. If you should ever need to generate a new SSH key pair, you can use the option to Create SSH Key from the Manage backup destinations menu.

Click Add a new destination.

Name: The name field can contain any value you want. It is recommended that you use a simple name with no special characters or blanks.

Description: Provide a description for this destination.

Type: The type must be SFTP (SSH) for a remote SFTP server.

User ID: This field must contain the SFTP logon user ID.

Password: This field must contain the password for the SFTP server.

Address: This field must contain the IP address or DNS name for the SFTP server.

Port number: This field must contain the port number of the FTP server. This is usually 22, but can be a different, non-standard port number.

Ignore host key checking: Check this box. The host key is used to uniquely identify the remote system, not to encrypt the session, and therefore checking this box poses no security risk. It does, however, save you the hassle of retrieving the host key manually.

Click the Create button to create this destination. It should now appear in the list of destinations.
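
If you would rather retrieve the destination's host key and pin it than ignore host key checking, the following Python is an added example (not part of AKM or its documentation): it takes a line in the format written by ssh-keyscan or found in known_hosts, computes the SHA256 fingerprint that OpenSSH displays for the key, and checks it against a fingerprint obtained out of band from the destination's administrator. The host name backup.example, the key and the pinned fingerprint are constructed sample data.

```python
"""Pin and verify an SFTP backup destination's host key.

Added illustration, not part of AKM or its documentation. Given a line in the
"host keytype base64" format produced by ssh-keyscan (or a known_hosts entry),
it computes the fingerprint OpenSSH shows (SHA256 of the raw key blob, base64
without padding) and compares it with a pinned value, so the key that
identifies the remote system can be verified rather than ignored.
"""
import base64
import hashlib
import hmac
import struct
from typing import Dict, Tuple


def _ssh_string(data: bytes, offset: int = 0) -> Tuple[bytes, int]:
    """Read one SSH wire-format string (uint32 length + bytes) from data."""
    (length,) = struct.unpack_from(">I", data, offset)
    start = offset + 4
    if start + length > len(data):
        raise ValueError("truncated key blob")
    return data[start:start + length], start + length


def parse_key_line(line: str) -> Tuple[str, str, bytes]:
    """Split 'host keytype base64 [comment]' into (host, keytype, blob).

    The key type named in the text must equal the type encoded inside the
    blob; a mismatch means the line was edited or corrupted."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("expected: host keytype base64")
    host, keytype, b64 = parts[0], parts[1], parts[2]
    blob = base64.b64decode(b64, validate=True)
    inner_type, _ = _ssh_string(blob)
    if inner_type.decode("ascii") != keytype:
        raise ValueError(f"key type mismatch: {keytype} vs {inner_type!r}")
    return host, keytype, blob


def fingerprint(blob: bytes) -> str:
    """Fingerprint as printed by `ssh-keygen -lf`: SHA256 of the blob, base64, no '='."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def host_key_matches(line: str, pinned: Dict[str, str]) -> bool:
    """True only if the host has a pin and the key's fingerprint equals it."""
    host, _, blob = parse_key_line(line)
    expected = pinned.get(host)
    return expected is not None and hmac.compare_digest(fingerprint(blob), expected)


def known_hosts_entry(line: str) -> str:
    """The verified line reduced to 'host keytype base64', ready to append to
    ~/.ssh/known_hosts so that host key checking can stay enabled."""
    host, keytype, blob = parse_key_line(line)
    return f"{host} {keytype} {base64.b64encode(blob).decode('ascii')}"


# Constructed sample: an ssh-ed25519 key whose 32-byte public point is all zeros,
# wrapped in the wire format (type string, then key bytes) that real keys use.
_SAMPLE_BLOB = (struct.pack(">I", 11) + b"ssh-ed25519"
                + struct.pack(">I", 32) + bytes(32))
SAMPLE_KEYSCAN_LINE = ("backup.example ssh-ed25519 "
                       + base64.b64encode(_SAMPLE_BLOB).decode("ascii"))
# In practice the pin comes from the destination's administrator out of band;
# here it is derived from the constructed key so the example runs offline.
PINNED_FINGERPRINTS = {"backup.example": fingerprint(_SAMPLE_BLOB)}

if __name__ == "__main__":
    ok = host_key_matches(SAMPLE_KEYSCAN_LINE, PINNED_FINGERPRINTS)
    print("backup.example host key", "matches pin" if ok else "DOES NOT match pin")
    print(known_hosts_entry(SAMPLE_KEYSCAN_LINE))
```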

Run the backup

On the AKM Backup and Restore menu, click the link to Run Backup. This will create an immediate backup of the secret keys or application data.

IMPORTANT: During the backup the AKM service will stop. Your applications will not be able to retrieve or manage encryption keys during this operation.

Secret key backup

This option backs up the secret keys (KEK and Auth Key):

Select the Backup type Secret key. Click on the Backup now button.

The following panel is displayed for a successful backup:

For local backups, use the File Manager to navigate to the target directory and double-click the backup file name. This will provide a dialog for the file download.

IMPORTANT: The KEK and Auth Key are vulnerable after being downloaded, so it is critical to store the downloaded backup file in a secure location.

Application backup

This option backs up two facets of AKM: the application configuration files and the AKM key database.

SECURITY ALERT: Never store an application backup in the same location as a secret key backup.

Select Application for the backup type. Click on the Backup now button. The following screen is displayed for a successful backup:

For local backups, you can now use the File Manager to navigate to the target directory and double-click the backup file name. This will provide a dialog for the file download. Store the downloaded file in a secure location.

Creating a scheduled backup

You can specify a scheduled backup with this option. The information will be added to the cron scheduler and the backup will take place at the interval you specify. Before creating a scheduled backup, you should first verify the backup process by running the Backup Now option.

In the AKM Backup and Restore menu, click on the link for Schedule backups. Click Add a new schedule. The following panel is displayed:

Name: Provide a name for this scheduled backup.

Description: Provide a description for this scheduled backup.

Backup type: Select Secret Key or Application.

Destination: Select a destination from the drop-down list.

Schedule: Select the schedule frequency, day, and time for the backup.

Click the Create button to create the schedule.

Restore

To restore secret keys or perform an application restore, you must first use File Manager to upload and place the backup files in the /var/lib/townsend/akm/backup directory.

IMPORTANT: Restoring AKM from a backup requires that you first restore the KEK and Auth Key from the secret key backup file. You cannot restore a backup without performing this step first.

Be sure to back up the KEK and Auth secret keys after you create your first encryption keys, and after you perform a KEK and Auth Key rotation.

IMPORTANT: It is critical to maintain the backup file record on your backup server. In order to do this, copy the backup file to the restore directory on AKM, then run the restore. The copy of the backup file will be deleted by the restore process.

Secret key restore

Select AKM Backup and Restore in the left navigation menu and select the option to Run Restore. The following panel is displayed:

Restore type: Select Secret key.

Archive to restore: Select the file to restore. The restore application will provide a drop-down list of files in the restore directory.

Click the Restore now button to start the restore. The following status panel is displayed:

Note that the AKM service will not restart automatically after a restore of secret keys. It only restarts after a restore of an application file.

Click on the Return to menu link.

Application restore

The Application backup backs up two facets of AKM: the AKM configuration files and the AKM key database. First, use File Manager to upload the restore file to the /var/lib/townsend/akm/backup directory.

IMPORTANT: As noted in the introduction to this chapter, the secret keys must be exactly the same as when the application backup was run. If running the application restore results in a hash error, this means the secret keys used to create the backup are different than the secret keys currently loaded onto AKM. Restore the secret keys that were in place at the time of the application backup and try again.

On the AKM Backup and Restore menu, click on the link to Run Restore. The following panel is displayed:

Restore type: There are three options for restore. Select Application to run an Application restore. To restore secret keys, see the previous section.

Archive to restore: Select the file to restore. The restore application will provide a drop-down list of files in the restore directory. Click the Restore now button to start the restore. The following status panel is displayed:

Note that the AKM service will restart automatically after a restore of the application. Click on the Return to menu link.

View backup and restore history

Click on the link to Review backup and restore history on the AKM Backup and Restore menu. A history log will be displayed. You can also use File Manager to download the backup history file in CSV format. The file is located in the /var/log/townsend directory with the name backup_history.csv. Double click to download the file.

Restoring from a secondary server

If you are unable to perform a normal restore from backup, an alternative is to recover keys from a mirrored key server. You would need to install a replacement AKM server, configure it for mirroring, and then force the keys to synchronize from a mirrored server. All encryption keys that are enabled for mirroring will be copied to the replacement server.

IMPORTANT: This option is not a substitute for a normal backup of the AKM server, and should only be considered as a last resort. You will only be able to recover keys that have been enabled for mirroring, and you will not be able to recover the akm.conf file, certificates, or KEK and Auth Key. Please contact Townsend Security for assistance if this option is required.

Chapter 6: Set up Log Forwarding

Alliance Key Manager supports transferring system logs to a log collection server or SIEM solution. The server uses the syslog-ng application for this process. It is not active by default and you must configure it before it will start. The steps below show how to define a log source, a log destination, and finally a log target that links the two.

In the navigation area, click on the link for System Logs NG. The following menu is displayed:

Click on the link for Log Sources.

Log sources

The first time you enter this panel there will only be one entry. Click on the link to Add a new log source. The following panel is displayed:

Select the option for Kernel log file. Enter the full path to the akmaudit.log file. Scroll down and click the Create button to create this syslog-ng source.

In some cases you may wish to provide a prefix to the system log event to better identify the source of the event. You can change the default for “Prefix for log messages” from None to a value that you specify. This character string will be the prefix for audit file messages.

Click on the Return to log sources link to return to the System Logs NG panel.

Modifying the log source definition

Alliance Key Manager creates three application log files:

  • akmaudit.log - A log of all key server activity in CSV format

  • akmerror.log - A summary error log

  • akmtrace.log - A verbose, detailed error log

You should consider adding the akmaudit.log to your syslog-ng configuration in order to transfer this information to your log collection server. The other two files could also be transferred to the log collection server for a more detailed debug history of activity.

Once you define the log source, you must use File Manager to add additional information for the akmerror.log and akmaudit.log files. In the navigation pane click on the link for File Manager and navigate to the /etc/syslog-ng directory. You will find a configuration file named syslog-ng.conf:

Select syslog-ng.conf and click Edit in the actions column. Navigate to the bottom of the configuration file to locate the log source for the akmerror.log file. Add the following directives to the file:

flags(no-parse) follow_freq(60)

The definition should now look like this:

Click the Save and close button. You can now click the link for System Logs NG in the navigation pane to continue defining logging options.

Log destinations

In the navigation pane, click on the link for Log Destinations. Click on the link to Add a new log destination.

Enter a name for this definition. Select the option for Syslog server and add the IP address of your log collection server. If your log server is not listening on the default port 514, change the port number to the appropriate value.

Click the Create button to save this log destination.

Log Targets

Return to the main System Logs NG menu. Click on the icon Log Targets. The following panel is displayed:

Highlight the log source you created (akmaudit, in our example above) and the destination (logserver, in our example). You can select multiple items. Click the Create button to establish the relationship between the log source and the destination.

NOTE: Once the target has been created, you cannot add additional log sources. If you wish to do so, you must delete and recreate the target, adding all of the desired log sources at the time of creation.

Apply configuration

Return to the System Logs NG menu. You must click the Apply Configuration button to activate this syslog-ng configuration:

You may define as many syslog-ng sources, destinations, and log targets as you like.

IMPORTANT: Until you click Apply Configuration, changes will NOT be saved or in effect.

Chapter 7: Configure Log Rotation

Alliance Key Manager supports log rotation of its own logs and of system logs in order to avoid excessive storage utilization of AKM logs and to avoid application failures due to storage over-commitment. Log rotation is enabled by default.

See the sections below for information on viewing the log rotation schedule, changing the log rotation schedule, and forcing log rotation.

View log rotation schedule

In the navigation pane, click on the link for Log File Rotation. The following panel is displayed:

Change log rotation schedule

You can edit individual log rotation schedules by clicking on the name of the log you wish to update. The following page will be displayed.

Click the Save button to update this schedule.

Force log rotation

If you have large logs and want to compress and rotate them, return to the Log File Rotation panel. Click the button to Force Log Rotation.

Chapter 8: System Time and NTP Servers

The server time is synchronized with a time server during initialization as described in other guides. If needed, you can configure the server time and NTP servers.

In the navigation pane, click on the link for System Time. The following panel is displayed:

IMPORTANT: You can manually change the time on this display, but it is recommended to have the AKM server synchronize its clock with a Network Time Protocol (NTP) time server. This provides accurate times for key validity periods and in system logs.

To set the time synchronization service, click on the Time server sync tab:

Enter the time service DNS name in the first field. You can use “time.nist.gov” or any other valid NTP time server.

You can set a schedule for time synchronization. It is recommended that you use the same synchronization time for all of your AKM servers.

To change the time zone, click on the Change timezone tab:

Use the drop down box to select the time zone. The default selection will be UTC. Click Save.

NOTE: Although not necessary, it is best practice to set all AKM servers to UTC (Coordinated Universal Time). Certificates created using AKM Certificate Manager and all AKM logs are stamped in UTC.

Chapter 9: Firewall Configuration

Alliance Key Manager contains pre-established firewall rules to control inbound connections. The default settings are sufficient for running AKM and do not need to be changed. However, if you wish to add additional rules to improve the security of the server, you may do so by following the steps below.

Set additional firewall rules

You can add additional firewall rules to protect the AKM server on your network. AKM uses standard Linux firewall rules. From the navigation pane, click on the link for Linux firewall. You can now add and change firewall rules:

You can change the precedence of firewall rules by moving them up or down with the arrows on the right-hand side. Use the Add Rule button to add additional firewall rules.

Chapter 10: Change the Admin Password

Changing the default admin password during initial setup and installation is highly recommended. This is included in the initialization process as described in platform-specific deployment guides.

If at any time you wish to change the admin password, see below.

In the navigation pane, click on the link to Change Passwords.

A list of user IDs is displayed:

Click admin. The following panel is displayed:

Enter a new, cryptographically strong password. Leave the box for Change password in other modules checked.

Click Change. You will receive a confirmation message. You will need to use the new password the next time you log on to the server.

IMPORTANT: If you forget the password you will need to restore the server from a backup. There are no backdoors to recover the password. If you lose the password please do not contact your software vendor to recover it for you, as this is not possible.

Chapter 11: Network Configuration

Basic network configuration is included in initial setup and installation steps described in other guides. However, if you are not using DHCP and need to set a static configuration, or if you need to change any networking settings, see below.

Set basic TCP/IP settings

In the navigation pane, click on the link for Network Configuration.

Click on the Network Interfaces icon:

The following panel is displayed:

Click eth0 to edit it.

The following panel is displayed:

Select Static configuration and enter your TCP/IP settings, including IP, Netmask and Broadcast addresses. For proper operation please specify the broadcast address manually.

IMPORTANT: If you do not know these settings, please contact the appropriate personnel within your organization to obtain them. Townsend Security cannot provide you with these settings.

Click the Save button. You will be returned to the Network Interfaces screen. Click the checkbox next to eth0 and click Apply Selected Interfaces. Click Return to network configuration and click Apply Configuration. You will need to reconnect to the web interface using the new IP address you have specified and log in again.

Configure Routing (Default Gateway)

In the navigation pane, click on the link for Network Configuration.

Click on the Routing and Gateways icon:

The following panel is displayed:

Change the Default router setting from None and enter the IP address of your default gateway.

Most installations will not require a static route, so do not enter one unless you are absolutely sure that it is required for your installation. Click the Save button.

You will be returned to the Network Configuration screen. Click Apply Configuration.

Configure DNS Servers and Your Hostname (optional)

In the navigation pane, click on the link for Network Configuration.

Click on the Hostname and DNS Client icon:

The following panel is displayed:

Change the Hostname to the desired name for your server. Also list any DNS servers that you wish to use in the three fields provided. Click the Save button.

You will be returned to the Network Configuration screen. Click Apply Configuration.

Chapter 12: The License File

The license is a text file on the AKM server and can be accessed via File Manager in the /var/lib/townsend/akm directory.

Licensing AKM is included in initial setup and installation steps described in other guides.

To replace the license, select License.txt and click the Delete button. Click the Upload button to browse for the replacement license. The license must always be called License.txt when it is installed on the server.

See the platform-specific deployment guides for more information on migrating from a temporary to a permanent license.

Chapter 13: The AKM Configuration File

The AKM configuration file (akm.conf) contains the basic configuration options for the AKM server. This includes IP addresses and ports for administrative, mirroring, and crypto services, names of certificates and private keys, and other administrative options.

Setting the configuration file defaults is part of the initial setup and installation process described in other guides. However, if at any time you want to change these settings you can do so by modifying the AKM configuration file.

In File Manager navigate to the /etc/akm directory:

Select akm.conf and click Edit in the actions column.

Here is an example default akm.conf file:

; AKM configuration file

[IP]
AdminPortEnabled=Y
AdminIP=0.0.0.0
AdminPort=6001

KeyServerEnabled=Y
KeyServerIP=0.0.0.0
KeyServerPort=6000

; Define incoming mirror
MirrorPortEnabled=Y
MirrorIP=0.0.0.0
MirrorPort=6002

; Toggle outgoing mirroring
MirrorOut=Y

; Toggle encryption/decryption
EncryptionPortEnabled=Y
EncryptionIP=0.0.0.0
EncryptionPort=6003
EncryptionEnabled=Y
DecryptionEnabled=Y

; Toggle KMIP support
KmipPortEnabled=Y
KmipIP=0.0.0.0
KmipPort=5696

[cert]
PCIDSSMode=Y
GroupRes=Permissive
DualKnowledgeRequired=N

ServerSignedCert=AKMServerCertificate
ServerPrivKey=AKMServerPrivateKey
TrustedCACert=AKMRootCACertificate
TrustedCACert=Secondary_AKM.AKMRootCACertificate

[AutomaticRollover]
AutoRolloverEnabled=Y
AutoRolloverTimeOfDay=00:00:00

ClientBroadcast=Y
MinTlsVersion=1.0

IMPORTANT: For changes to the configuration file to take effect, you must stop and restart AKM. After modifying the AKM configuration file, click on the link for Custom Commands in the navigation pane, click Stop AKM, then click Start AKM. Verify the akmd process is running via the Running Processes link.

[IP] section

The [IP] section defines interfaces for the different AKM services. By default the interfaces are set to bind to all available IP addresses, represented by 0.0.0.0.

When custom configuration is needed, for example when isolating different AKM services from one another on different network interfaces, this may be overridden by entering AKM’s IP address, or by assigning multiple IP addresses using different Ethernet ports (eth0, eth1).

The AdminPortEnabled option controls the admin (crypto officer) service on AKM, which by default is enabled on port 6001. This service is used when connecting with the AKM Administrative Console to create and manage encryption keys. Enter N to disable the admin port, for example if this is a secondary AKM server to which you do not need to allow admin access.

The KeyServerEnabled option controls the key retrieval service on AKM, which by default is enabled on port 6000. Enter N (No) to disable key retrieval if not needed.

The MirrorPortEnabled option controls incoming mirroring, and is set by options taken during initialization, with the default port 6002. If set to Y, this AKM server will receive mirroring transactions from other AKM servers.

Normally with a primary AKM server and one secondary mirror server, this is set to N on the primary and Y on the secondary. The exception is a bidirectional mirroring configuration, when both servers would be set to Y.

To disable incoming mirroring, set MirrorPortEnabled to N and comment out the MirrorIP and MirrorPort lines by inserting a semi-colon (;) at the beginning of each line. To enable incoming mirroring, set MirrorPortEnabled to Y and remove the semi-colons.

The MirrorOut option controls outgoing mirroring, and is set by options taken during initialization. When enabled, this server will send mirror transactions to secondary servers. Enter N if this server will not be sending mirror transactions.

The EncryptionPortEnabled option controls the encryption/decryption service on AKM, which by default is enabled on port 6003. To disable the encryption services, set EncryptionPortEnabled to N and comment out each of the configuration lines after EncryptionPortEnabled by inserting a semi-colon (;) at the beginning of the line.

By default both encryption and decryption are enabled. Enter N to disable either encryption or decryption.

NOTE: In some environments there can be a compliance advantage in allowing only encryption or decryption. For example, at a point-of-sale checkout location you may want to encrypt a credit card number but not allow decryption in that environment.

The KmipPortEnabled option controls the KMIP interface to AKM, which is enabled by default on port 5696. Enter N to disable KMIP.

[cert] section

This section contains options for authentication certificates and access controls to AKM.

The PCIDSSMode option affects the “Export Symmetric Key” command in the AKM Administrative Console and is set to Y by default. When enabled, symmetric encryption keys may only be exported in an RSA encrypted format, complying with standards set by the PCI Data Security Standards (PCI DSS). When disabled, encryption keys may be exported in the clear and you will not be PCI DSS compliant.

The GroupRes option affects key access settings in the AKM Administrative Console and by default is set to Permissive. Enter Strict to force the most restrictive key access controls.

The DualKnowledgeRequired option controls dual control in the AKM Administrative Console and is disabled by default. When enabled, key management operations in the Admin Console require two crypto officers to be authorized using the “Authorize Administrator” command.

The ServerSignedCert entry lists the name of this AKM server’s unique server certificate (without the .pem extension).

The ServerPrivKey entry lists the name of this AKM server’s unique server private key (without the .pem extension).

The TrustedCACert entry lists the name of this server’s root CA (certificate authority) certificate (without the .pem extension). If mirroring has been set up during initialization, there will be additional TrustedCACert entries for each server in the mirroring configuration.

[AutomaticRollover]

The AutoRolloverEnabled option controls automatic rollover of encryption keys and is enabled by default. When enabled, all encryption keys that have been set for automatic rollover will rollover at the time specified by AutoRolloverTimeOfDay (HH:MM:SS format).

IMPORTANT: This option must be disabled on secondary mirror servers.

The ClientBroadcast option determines whether the AKM server broadcasts its CA certificate(s) to clients connecting to the server and is enabled by default. Enter N to disable this option. Most client applications do not need the CA certificate list. An exception is the IBM System z SSL client. If you will be retrieving certificates from this platform, this option should be enabled.

The MinTlsVersion option controls the minimum TLS version that may be used for client/server TLS connections and is set to 1.0 by default. For enhanced security you can raise the setting to 1.1 or 1.2 to restrict connections to that TLS version or higher.

During client/server TLS negotiation, the client and server will attempt to connect at the highest TLS level available. AKM will default to the highest TLS version supported by the client. However, if the minimum TLS version is set to 1.1 or 1.2 in the AKM configuration file and the client does not support TLS 1.1 or 1.2, then the connection will fail. In this case you must set the minimum TLS version to 1.0.

After any changes, click the Save and Close button. Stop and restart AKM via the Custom Commands link.
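The following Python script is an added example, not Townsend Security code. It parses an akm.conf file (handling ';' comment lines and the repeated TrustedCACert key, which configparser would collapse) and flags the settings this chapter's guidance calls out; the sample configuration is a constructed subset of the default file shown above, and the is_secondary flag is this example's own assumption.

```python
"""Parse an akm.conf file and flag settings this chapter warns about.

Added example, not Townsend Security code. SAMPLE_AKM_CONF is a constructed
subset of the default file shown above; option names are from the page, the
check wording and the is_secondary flag are this example's own.
"""
from typing import Dict, List, Optional, Tuple

SAMPLE_AKM_CONF = """\
; AKM configuration file
[IP]
AdminPortEnabled=Y
AdminPort=6001
; Define incoming mirror
MirrorPortEnabled=Y
MirrorIP=0.0.0.0
MirrorPort=6002
MirrorOut=Y
[cert]
PCIDSSMode=Y
DualKnowledgeRequired=N
TrustedCACert=AKMRootCACertificate
TrustedCACert=Secondary_AKM.AKMRootCACertificate
[AutomaticRollover]
AutoRolloverEnabled=Y
ClientBroadcast=Y
MinTlsVersion=1.0
"""


def parse_akm_conf(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {section: [(key, value), ...]}, keeping order and repeated keys
    (TrustedCACert repeats once per mirror server, so configparser would not do).
    """
    sections: Dict[str, List[Tuple[str, str]]] = {"": []}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank or commented-out line, e.g. a disabled MirrorIP
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"unparseable akm.conf line: {raw!r}")
        sections[current].append((key.strip(), value.strip()))
    return sections


def get_one(conf: Dict[str, List[Tuple[str, str]]], key: str) -> Optional[str]:
    """Last value of key in any section; None if absent or commented out."""
    found = None
    for entries in conf.values():
        for k, v in entries:
            if k == key:
                found = v
    return found


def audit_akm_conf(text: str, is_secondary: bool = False) -> List[str]:
    """Findings based on this chapter's guidance; an empty list means none."""
    conf = parse_akm_conf(text)
    findings: List[str] = []
    tls = get_one(conf, "MinTlsVersion")
    if tls is not None and float(tls) < 1.2:
        findings.append(f"MinTlsVersion={tls}: raise to 1.2 unless a client needs lower")
    if get_one(conf, "PCIDSSMode") != "Y":
        findings.append("PCIDSSMode is not Y: symmetric keys could be exported in the clear")
    if get_one(conf, "MirrorPortEnabled") == "N" and get_one(conf, "MirrorIP"):
        findings.append("MirrorPortEnabled=N but MirrorIP/MirrorPort are not commented out")
    if is_secondary and get_one(conf, "AutoRolloverEnabled") == "Y":
        findings.append("AutoRolloverEnabled=Y on a secondary mirror server: must be N")
    if get_one(conf, "DualKnowledgeRequired") != "Y":
        findings.append("DualKnowledgeRequired=N: consider dual control for key operations")
    return findings
```

Run audit_akm_conf over the contents of /etc/akm/akm.conf downloaded via File Manager; pass is_secondary=True for a mirror server so the AutoRolloverEnabled rule from this chapter is applied.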

Chapter 14: Secret Keys

The “secret keys” are the KEK (Key Encryption Key) and Auth Key (Authentication Key), which protect the AKM key database. The KEK is used to protect data encryption keys. The Auth Key is used to detect and prevent corruption or substitution of data encryption keys and key attributes.

NOTE: NIST recommends that the KEK and Auth should be rolled every 2-3 years, or if a breach of AKM is suspected or occurs.

NOTE: It is recommended to perform an Application backup before rolling the master keys.

Before rolling the KEK and Auth, you must perform a “Validate Key Database” command in the AKM Administrative Console. If any corrupted keys are found, do not roll the secret keys. Contact Townsend Security support for assistance.

After validating the key database, log in to the web interface and select Custom Commands from the left navigation menu.

Enter “DELETE-KEK-AUTH” in the Confirmation field, then click the Rollover AKM KEK & Auth Keys button to roll the secret keys:

Chapter 15: Problem Determination

The fastest way to collect the relevant material for troubleshooting is to access the AKM shell and use Collect logs for troubleshooting. This option can be found by issuing the command akm-menu in the AKM shell. The following screen will be displayed:

Take option 5, Support.

The zip file containing the diagnostic material can be downloaded from AKM at /home/admin/downloads. The individual log files can be found in the /var/log/townsend directory. These are the most important resource for problem determination. Use File Manager to navigate to this directory and view a list of files.

The akmerror.log file

The akmerror.log file contains summary information about key manager activity. All administrative and key retrieval activity is logged in this file. View this file first to start problem determination. When you navigate to the log directory you will see the list of log files:

Double click the akmerror.log file to download the log.

Each line in the log file provides the date, time, thread ID, and a text description of an operation. Errors are noted directly in the log. In the example log, a Rollover operation was rejected because the encryption key specified automatic rollover and the security administrator tried to manually roll the key.

Customers with permanent licenses may open a support ticket on the Townsend Security website at www.townsendsecurity.com/support for further assistance with troubleshooting.

The akmtrace.log file

When trace level logging is enabled the akmtrace.log file will have much more detailed information about problems. Your Crypto Officer can enable detailed logging with the “Set Log Level” command in the AKM Administrative Console. Enter “50” for the log level to create a verbose diagnostic log in the akmtrace.log file.

IMPORTANT: The trace should only be used for problem determination and should be disabled as soon as problem determination is complete. Leaving trace enabled will quickly fill up the storage of the AKM server.

Double click akmtrace.log to view the log.

The akmaudit.log file

The file akmaudit.log contains a Comma Separated Values record of all key manager administrative and user activity. You can copy this file to your PC and use Excel or any database tool to view the log entries and query by column.

Entries in the akmaudit.log have the following fields:

  • Date
  • Time
  • Command name
  • AKM
  • AKM version number
  • IP address and port that the command was received on
  • IP address that the command was received from
  • Message
  • User name (CN) of user who performed command
  • Group name (OU) of user who performed the command
  • Role (Admin, User, or Mirror)
  • Mirrored (was this request queued to be sent to mirror servers)
  • An index which increments every time and resets periodically
  • A hash that authenticates the audit entry

For example:

2015-06-23,18:11:28,SetMirrorAddress,akm,3.0.3.1438.1,10.0.1.217:6001,10.0.1.217:34496,Mirror <secondary.10.0.1.218> definition set,admin1,akm_admin,Admin,N,1,S6V/gFRDVzvPtzaq0wrXzwBdacCGgFKZVkLrJy/XsvA=

IMPORTANT: The akmaudit.log only shows successful activity.
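As an added example, not part of the AKM product, the Python below parses the akmaudit.log format listed above and runs two defender-side checks: an index-continuity check (a forward jump in the per-entry index suggests missing lines) and a check for Admin-role commands arriving from hosts outside an expected set. The first sample line is the page's own example; the other two lines, their command names and their hash values are constructed.

```python
"""Parse akmaudit.log lines and run two defender-side checks over them.

Added example, not part of the AKM product. FIELDS follows the column list
in this chapter; the first sample line is the page's own example, the other
two are constructed (CONSTRUCTED_HASH_* are placeholders). The hash column
is carried but not verified, because the page does not describe the scheme.
"""
import csv
import io
from typing import List, Set, Tuple

FIELDS = ["date", "time", "command", "akm", "version", "received_on",
          "received_from", "message", "user", "group", "role", "mirrored",
          "index", "hash"]

# Constructed sample: line 1 is from the page, lines 2-3 are made up. Line 3
# comes from a different host and its index jumps from 2 to 5.
SAMPLE_AUDIT_LOG = """\
2015-06-23,18:11:28,SetMirrorAddress,akm,3.0.3.1438.1,10.0.1.217:6001,10.0.1.217:34496,Mirror <secondary.10.0.1.218> definition set,admin1,akm_admin,Admin,N,1,S6V/gFRDVzvPtzaq0wrXzwBdacCGgFKZVkLrJy/XsvA=
2015-06-23,18:12:02,CreateKey,akm,3.0.3.1438.1,10.0.1.217:6001,10.0.1.217:34500,Key <KEY01> created,admin1,akm_admin,Admin,Y,2,CONSTRUCTED_HASH_2
2015-06-23,18:12:40,CreateKey,akm,3.0.3.1438.1,10.0.1.217:6001,10.0.1.99:51234,Key <KEY02> created,admin2,akm_admin,Admin,Y,5,CONSTRUCTED_HASH_3
"""


def parse_audit_log(text: str) -> List[dict]:
    """Turn CSV rows into dicts keyed by FIELDS; malformed rows raise."""
    entries: List[dict] = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        if len(row) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(row)}: {row}")
        entry = dict(zip(FIELDS, row))
        entry["index"] = int(row[FIELDS.index("index")])  # keep as a number
        entries.append(entry)
    return entries


def index_gaps(entries: List[dict]) -> List[Tuple[int, int]]:
    """(previous, current) pairs where the per-entry index skips forward.

    The index increments once per entry and resets periodically, so a
    forward jump of more than one between neighbouring lines suggests that
    entries are missing; a decrease is treated as a normal reset.
    """
    return [(p["index"], c["index"]) for p, c in zip(entries, entries[1:])
            if c["index"] > p["index"] + 1]


def admin_from_unexpected_hosts(entries: List[dict], allowed_hosts: Set[str]):
    """Admin-role commands whose source IP is not an expected admin host."""
    hits = []
    for e in entries:
        src_ip = e["received_from"].rsplit(":", 1)[0]  # strip the client port
        if e["role"] == "Admin" and src_ip not in allowed_hosts:
            hits.append((e["date"], e["time"], e["command"], src_ip, e["user"]))
    return hits
```

Because the audit log only records successful activity, these checks surface what did happen from where; rejected operations must be looked for in akmerror.log instead.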