Documentation. Installation and Administration. Crypt Pro KeyManager 5.2. Document Version 2.0


Editor's Note

All rights reserved. This manual and the programs described therein are copyright-protected products of GBS Europa GmbH. No part of this publication may be reproduced without written permission from GBS Europa GmbH. All hardware and software names used are registered names and/or trademarks of their respective manufacturer/proprietor.

Copyright 2018 GBS Europa GmbH, Ottostraße 4, Karlsruhe, Germany
Edition: September

Table of Contents

Preface
  Note on Product Name
  Hotline
  Copyright
  Warranty
  License Terms
  Third-Party Copyright Notes
  Details on the Manuals
Installation Requirements
  Important Notes before Installing
  General System Requirements
  SQL Database
    Supported Databases
    Requirements for MS SQL or IBM DB2
  Java Components
  Application Server
Installation
  Installing Crypt Pro KeyManager
    Setup Installation
      General Information
      Installation Procedure
      Changing the KeyManager Service Settings
    Package Installation
      Unpacking the Installation Package
      Installing Java Components
      Setting Environment Variables
  Starting iq.suite KeyManager
    In Case of a Setup Installation
    In Case of a Package Installation
  Stopping Crypt Pro KeyManager
    In case of a Setup Installation
    In case of a Package Installation
  Data Migration from iq.suite Crypt to Crypt Pro KeyManager
    Required Tools and Components
    Parameters to Generate a KeyManager-compatible XML File
    Importing S/MIME Keys and Certificates from the iq.suite
      Files from iq.suite for Microsoft Exchange/SMTP
      Files from iq.suite for IBM Domino
  Security Measures
    HTTPS Authentication
    HTTP Authentication
  Update Installation
    Upgrade of the H2 Database
    In Case of a Setup Installation
    In Case of a Package Installation
  Uninstallation
Administration
  Initial Configuration
    Accessing the Crypt Pro KeyManager Web Interface
    Configuring a Database Connection
    Creating the Initial User (Business Administrator)
    Configuring the Mail Server (SMTP Server)
  Login to the Crypt Pro KeyManager Web Interface / Logout
  Creating Tenants
  Creating Users
    Business Administrator vs. Tenant User
    Creating a User
  Using iq.suite in Combination with KeyManager Server
  Configuring the Crypt Pro KeyManager Server
    Pausing/Stopping the Crypt Pro KeyManager Server
    Changing the Mail Server Configuration
    Using a Proxy Server
    Configuring an X.509 LDAP Server
    Configuring LDAP Authentication Server for Web Services
    Configuring Remote Connections
    Configuring Connectors
      General Connector Settings
      Common Settings for D-TRUST and QuoVadis
      D-TRUST
      QuoVadis
      Signer
      VR-Ident
      WinCA
    Configuring the Logging
      Defining a Log Server for Crypt Pro KeyManager Logging
      Defining a Log Level for Crypt Pro KeyManager Logging
      Configuring a Log Server for Crypt Pro KeyManager Logging
    Configuring Default Values for Certificate Requests
  Configuring Tenants
    Editing/Deleting Tenants
    Switching to the Tenant Context
    Exporting/Importing Tenants
    Searching Tenants
  Configuring the User Environment
    Resetting User Passwords
    Changing Personal User Data and Password
    System Notifications
  Managing Users
    Enabling/Disabling/Deleting Users
    Changing User Data and User Rights
    Searching Users
    User-Specific Display Options
  Tenant-specific Configuration
    Important Information before Configuration
    Configuring the Workflow
      Main Settings
      Certificate Renewal
      CRL: Check Certificates for Trust Status and Revocation
    Defining Default Values for Certificate Requests
    Configuring the Mail Server
    Configuring an X.509 LDAP Server
    Configuring Connectors
  Managing S/MIME Certificates
    Types of S/MIME Certificates
      Root Certificates
      Own Certificates
      External Certificates
    Certificate Properties
    Certificate Viewer for S/MIME
    Trust Method and Trust Status of S/MIME Certificates
    Requesting Certificates
    Renewing Own Certificates
    Monitoring User Activity
  Managing PGP Keys
    Important Notes on PGP in the Crypt Pro KeyManager
    Certificate Viewer for PGP
    Trust Status (Owner Trust) for PGP Keys
  Importing S/MIME Certificates or PGP Keys
    Notes on Importing Certificates/Keys
    Import Procedure
  Exporting S/MIME Certificates or PGP Keys
    General
    Exporting S/MIME Certificates
    Exporting PGP Keys
    Exporting Certificate/Key Data (S/MIME, PGP) as CSV
  Searching Certificate Requests or Certificates/Keys
    Simple Search
    Advanced Search
    Lookup Page for Certificate Search (only S/MIME)
    Exporting Certificate Requests (S/MIME) as CSV
  Certificate Audit
Error Analysis and Troubleshooting
  General Procedure
  Logs
    Log Files
    Events: KeyManager Logs
  Special Error Situations
    Insufficient Java Heap Size
      Adjusting the Java Heap in case of a Setup Installation
      Adjusting the Java Heap in case of a Package Installation
    KeyManager Server cannot be stopped
    Login Fails
      Login Page is not displayed
      Errors on Login
    Restoring the H2 Database from a Backup
Appendix
  Average Sizes (Reference Values) of Database Elements
  How to configure KeyManager Database Settings
Glossary

1 Preface

1.1 Note on Product Name
iq.suite Crypt Pro is essentially composed of two modules:
- Crypt Mail Job and Crypt Engine in iq.suite for IBM Domino or Microsoft Exchange/SMTP
- Crypt Pro KeyManager, with its own setup and its own configuration
This manual only describes the Crypt Pro KeyManager module (short name: KeyManager).

1.2 Hotline
To give you the best possible support, we need the following information from you in the event of a fault:
- Product version
- License number
- Domino or Exchange server version, including any service pack
- Operating system and version, including any service pack
- Configuration files
- Log files
Before sending configuration files, remove or redact credentials they contain: for a setup installation, kms.fe.preconfigured.conf and kms.hibernate.conf.backup.xml hold the H2 database user and password in plaintext (refer to Installation Procedure on page 14).

The GBS Support Team is available from 8:30 AM to 6:00 PM (time zone: EST).
Europe, Asia, other: Tel.: +49 (0) / Fax: / E-mail: hotline@gbs.com
USA & Canada: Tel.: / E-mail: help@gbs.com

1.3 Copyright
GBS Europa GmbH, hereafter referred to as GBS, is the owner of the full commercial copyright of this documentation, which is protected by law. All rights not explicitly granted remain the property of GBS. Copyright GBS Europa GmbH. All rights reserved.

1.4 Warranty
GBS assumes no liability, express or implied, for the documentation. This includes quality, design, adherence to commercial standards, or suitability for a specific purpose. The product descriptions are general and descriptive in nature. They can be interpreted neither as a promise of specific properties nor as a declaration of guarantee or warranty. The specifications and design of our products can be changed at any time without prior notice, especially to keep pace with technical developments. For up-to-date information, please contact the GBS Sales Department.

1.5 License Terms
The GBS license terms are available on the product CD and the GBS website. Any license agreements from third-party software manufacturers are included with the software product as a PDF file.

1.6 Third-Party Copyright Notes
The package includes third-party products listed in the "Third Party License Agreements" document. This document is available in the installation package. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

1.7 Details on the Manuals

Personal Designations
Our manuals are addressed equally to both genders. Therefore, we make every effort to use gender-neutral language. Since it is not entirely possible to avoid personal designations, we use the word forms he/she, his/hers or him/her in these cases.

Symbols
- Warning. Refers to critical situations. Please carefully read these messages to minimize the risk of data loss, damage to your system, etc.
- Information. Refers to important but noncritical situations.
- Tip. Provides assistance for a specific issue or describes special workarounds and features.

Freely accessible documentation is available on the GBS website. If you have any suggestions on how we can make further improvements, we would be happy to get your feedback. Send an e-mail to: manual@gbs.com

2 Installation Requirements

Since Crypt Pro KeyManager is a modular extension of iq.suite Crypt, it can be used in combination with iq.suite for the convenient and complete administration of S/MIME certificates and of keys in the OpenPGP standard (PGP and GnuPG). With KeyManager, self-signed certificates and certificates issued by certification authorities such as D-TRUST can be managed centrally. The status of the certificates can be queried and updated automatically by using certificate revocation lists (CRLs). The KeyManager also offers possibilities for manual control and administration, e.g. to avoid unnecessary costs.

Crypt Pro KeyManager can be integrated into existing PKI structures and can be connected to several iq.suite installations via web services. With Crypt Pro KeyManager, the certificate database certs.db of iq.suite for Microsoft Exchange is no longer used. Your existing S/MIME certificates and GnuPG keys used in iq.suite can be imported into the KeyManager.

Crypt Pro KeyManager is multi-tenant capable: if your enterprise consists of several legal, organizational, administrative and/or economic units, you can handle these units individually. Every unit is treated as a single tenant.

2.1 Important Notes before Installing
Before starting the Crypt Pro KeyManager installation, make sure that the prerequisites described in this chapter are fulfilled and that the required software components are installed. This manual refers to Crypt Pro KeyManager as of Version 5.2. When installing a newer KeyManager version, the information might differ. Please find further information on product changes in the Release Notes.

Do not use any version of third-party software that has reached its End of Service (EOS). Using a discontinued version could result in unpredictable effects and malfunctions of iq.suite or Crypt Pro KeyManager. iq.suite support ends with the discontinuation notice by the third-party manufacturer.

The file and directory paths mentioned in this chapter are sample or default paths that are valid for Windows Server 2008 or the Linux distribution Ubuntu. Depending on your system environment, these paths might differ.

2.2 General System Requirements
One of the following operating systems:
- Windows Server 2008 R2 (64-bit)
- Windows Server 2012 R2 (64-bit)
- Windows Server 2016 (64-bit)
- Linux as of Kernel Version 2.6 (64-bit). If you want to use iq.suite KeyManager on Linux, please contact the GBS Sales team.
The list reflects the state at the time of writing; the EOS rule from section 2.1 applies to operating systems as well. We recommend that you update your operating system with security patches frequently. For information on update possibilities, please refer to the documentation of your Linux distribution.

Hardware and client requirements:
- CPU: at least 1 GHz (2 GHz recommended)
- RAM: at least 2 GB (4 GB recommended)
- Hard disk: at least 500 MB (4 GB recommended). KeyManager requires additional disk space to store log files. The size of the log files and the disk space they require can be configured in KeyManager. Refer to Configuring the Logging on page 90.
- LAN: at least 10 Mbit (100 Mbit recommended)
- Web browser: Firefox as of Version 42 (latest version recommended)
- Screen resolution: at least x 768 pixels

2.3 SQL Database

Supported Databases
The following database is automatically installed and set up when performing a KeyManager setup installation:
- H2 (embedded)
For a package installation, the following database systems are supported (in addition to H2):
- MS SQL Server 2008, 2012, 2014 and 2017
- IBM DB2, Versions 9.5, 9.7 and 10
For a package installation, the database system is not installed automatically. Refer to Requirements for MS SQL or IBM DB2 on page 11. For further information on the installation methods, please refer to Installing Crypt Pro KeyManager on page 13.

Requirements for MS SQL or IBM DB2
When using MS SQL or DB2 database servers, please make sure to first create the following:
- A database to store the KeyManager data such as system data, keys, certificates, etc. at a central and secure location and to allow quick data access.
- A database user with appropriate rights on the database. The required rights depend on your database system. Since this database holds keys, grant the user rights on the KeyManager database only (no server-wide administrative role) and restrict network access to the database server to the KeyManager host.
The database server and Crypt Pro KeyManager can be installed on different computers.

If you are using IBM DB2, the following additional settings are required:
- Table space (page size): 16k
- Code page: UTF-8

2.4 Java Components
For a setup installation, the required Java components are installed automatically (refer to Setup Installation on page 13). For a package installation (refer to Package Installation on page 15), the following Java components must already be installed on your system:
- Server JRE (Java SE Runtime Environment) 8. Please make sure the selected installation package is compatible with the architecture of your system (64-bit). Use the Java installation package from Oracle; OpenJDK is not supported.
- Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8. JCE is required to support unlimited cryptography functionality. For installation, download the jce_policy-8.zip file from the Oracle website and copy the two JAR files it contains (local_policy.jar and US_export_policy.jar) into the default path for the JCE Jurisdiction Policy JAR files:
  Under Windows: <java-home>\lib\security
  Under Linux: <java-home>/lib/security
  Note that as of Java 8 Update 161 the unlimited policy is enabled by default (crypto.policy=unlimited in <java-home>/lib/security/java.security), so the policy files only have to be installed for older Java 8 updates. Do not stay on an older update just to match the policy files; see the EOS note in section 2.1.

2.5 Application Server
For the KeyManager applications, an application server is required. The following application server is installed by default: Jetty. For both a setup installation and a package installation, Jetty is automatically installed with Crypt Pro KeyManager.

3 Installation

The file and directory paths mentioned in this chapter are sample or default paths that are valid for Windows Server 2008 or the Linux distribution Ubuntu. Depending on your system environment, these paths might differ.

3.1 Installing Crypt Pro KeyManager
Before starting the Crypt Pro KeyManager installation, please refer to Installation Requirements on page 9.

Installation Methods
Depending on your system environment, Crypt Pro KeyManager must be installed with one of the following installation methods:
- Setup installation (only possible under Windows). Refer to Setup Installation on page 13.
- Package installation. Refer to Package Installation on page 15.

Setup Installation

General Information
For a setup installation, Crypt Pro KeyManager is installed by a setup file (InstallShield). This installation method is only possible under Windows. When you perform a setup installation, all programs and components required for a functional KeyManager environment are installed and configured automatically. This means that all required Java components, Jetty (application server) and the embedded H2 database are installed. If the required Java components are already installed on your computer, you can still use these components for other applications; iq.suite KeyManager uses only the Java components installed with the KeyManager installation. Keep this in mind when patching Java: a system-wide Java update does not affect the copy that KeyManager uses.

Installation Procedure
For the setup installation, use the setup file:
- 64-bit: Keymanager-xxx-win-x64.exe
The InstallShield wizard will guide you through the installation. Default paths:
- KeyManager: C:\Program Files\GBS\KeyManager
- KeyManager database: C:\Program Files\GBS\KeyManager\data
During a setup installation, the KeyManager server is registered and started automatically as a Windows service (iq.suite KeyManager Service).

All information required to create the KeyManager H2 database (path, database name, user, user password and encrypted password) is saved in plaintext in the files kms.fe.preconfigured.conf and kms.hibernate.conf.backup.xml. File path: refer to KMS_CONFIG_DIR under Setting Environment Variables on page 16. To avoid unauthorized access to this data and to prevent data loss, we strongly recommend that you move these files to another directory that only administrators can read. Anyone who can read these files has the credentials to open the H2 database, which stores the keys and certificates, so treat them like a key backup and never include them unredacted in support requests.

Once the installation is completed, open the KeyManager web interface (refer to Accessing the Crypt Pro KeyManager Web Interface on page 47). It may take some time until the application server starts. Therefore, if the web interface page does not load immediately, please wait a few minutes and retry. In case of an error, check the log files (refer to Log Files).

Changing the KeyManager Service Settings
Generally, the default settings for iq.suite KeyManager Service do not need to be changed. However, in some cases (e.g. if the Jetty port is already in use), it may be required to change these settings. To do this, open the kmsw.exe tool in the KeyManager installation directory and change the settings. For example, change the following parameters of the Java Options field in the Java tab:
- Jetty port (default: -Djetty.port=8080)

- Size of the Java heap (default: -Xmx1024m). Refer to Adjusting the Java Heap in case of a Setup Installation on page 152.
A modification of the port number might be required if you run another Jetty installation on the server which already uses port 8080. If you repair the KeyManager installation, your service settings will be lost.

Package Installation
The package installation can be used in the following situations:
- Installation of Crypt Pro KeyManager under Linux.
- Use of an MS SQL Server or IBM DB2 database system instead of the embedded H2 database (for the installation requirements, please refer to SQL Database on page 11). Since the initial configuration only provides the H2 database (embedded), please contact the GBS Support Team after the KeyManager installation and before starting the KeyManager server.
The Jetty application server is supplied with the KeyManager installation package. However, unlike for a setup installation, the Java components must be installed and the environment variables must be set before starting the KeyManager server. In addition, a database connection must be configured during the initial KeyManager configuration (after the KeyManager server has been started). For further information on the package installation, please refer to the sections from Unpacking the Installation Package on page 15 to Setting Environment Variables on page 16.

Unpacking the Installation Package
Use the appropriate installation package (archive) for your operating system:
- Under Windows: keymanager-bundle-<build_version>-win.zip
- Under Linux: please contact the GBS Sales team.

Extract the archive to the desired directory, e.g. C:\keymanager (under Windows) or /usr/local (under Linux).

Installing Java Components
Refer to Java Components on page 12.

Setting Environment Variables
The following environment variables must be set:
- KMS_CONFIG_DIR: Path to the directory in which the configuration files and setting files for Crypt Pro KeyManager are generated and saved.
- If a JDK is used, JAVA_HOME: Path to the directory in which the Java Development Kit (JDK) is installed.
- If a JRE is used, JRE_HOME: Path to the directory in which the JRE is installed.
To set the required environment variables, proceed as follows:

Under Windows
1. Run control sysdm.cpl and open the Advanced tab. In this tab, click on the ENVIRONMENT VARIABLES button.

2. For every variable, enter the name and, as the variable value, the path to the desired directory:
- KMS_CONFIG_DIR: Path to the <etc> directory. Example: C:\keymanager\etc
- JAVA_HOME: Path to the Java directory. Example: C:\Program Files\Java
- JRE_HOME: Path to the <jre8> directory. Example: C:\Program Files\Java\jre8
Restrict read access to the KMS_CONFIG_DIR directory to the account that runs the KeyManager server: the configuration files saved there can include the database connection settings (refer to Installation Procedure on page 14).

Under Linux
The environment variables are exported with the command export. To avoid having to export the variables after each system restart, add the following lines at the beginning of the keymanager.sh file:
export KMS_CONFIG_DIR=/usr/local/keymanager/etc; export JAVA_HOME=/usr/lib/jvm/java-8-sun/

3.2 Starting iq.suite KeyManager

In Case of a Setup Installation
Start the Windows service iq.suite KeyManager Service. By default, the KeyManager Service is started automatically after successful completion of the setup.

In Case of a Package Installation
To start the KeyManager, use the server console to switch to the keymanager directory and enter the following command:
Under Windows: keymanager.cmd start
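The Java prerequisites from section 2.4 and the environment variables above are easy to get subtly wrong on a package installation, for example by pointing JAVA_HOME at a JDK whose jre subdirectory is the one that actually needs the policy files. The following POSIX shell script is an added example and not part of the product or of this manual: it checks the environment before keymanager.sh start is run. The variable names KMS_CONFIG_DIR, JAVA_HOME and JRE_HOME are those of the manual and the policy file names local_policy.jar and US_export_policy.jar are those in Oracle's jce_policy-8.zip; the function names and the exact checks are the example's own assumptions.

```sh
#!/bin/sh
# Added example (not part of Crypt Pro KeyManager): pre-flight check for a
# package installation on Linux, to be run before "./keymanager.sh start".
# Assumptions of this example: the variable names KMS_CONFIG_DIR, JAVA_HOME and
# JRE_HOME as used by the manual; the policy file names local_policy.jar and
# US_export_policy.jar from Oracle's jce_policy-8.zip; everything else is ours.

# Print the directory that holds bin/java and lib/security.
# A JRE install is used directly; a JDK 8 install keeps its runtime in jre/.
kms_java_home() {
    if [ -n "${JRE_HOME:-}" ]; then
        printf '%s\n' "$JRE_HOME"
    elif [ -n "${JAVA_HOME:-}" ]; then
        if [ -d "$JAVA_HOME/jre" ]; then
            printf '%s\n' "$JAVA_HOME/jre"
        else
            printf '%s\n' "$JAVA_HOME"
        fi
    else
        return 1
    fi
}

# Return 0 when every check passes; otherwise print one FAIL line per problem
# to stderr and return 1. WARN lines do not change the result.
kms_preflight() {
    rc=0

    # 1. KMS_CONFIG_DIR: the <etc> directory where KeyManager writes its config.
    if [ -z "${KMS_CONFIG_DIR:-}" ]; then
        echo "FAIL: KMS_CONFIG_DIR is not set" >&2
        rc=1
    elif [ ! -d "$KMS_CONFIG_DIR" ] || [ ! -w "$KMS_CONFIG_DIR" ]; then
        echo "FAIL: KMS_CONFIG_DIR=$KMS_CONFIG_DIR is not a writable directory" >&2
        rc=1
    elif [ -n "$(find "$KMS_CONFIG_DIR" -prune -perm -004 2>/dev/null)" ]; then
        # Config files written here can include database connection settings.
        echo "WARN: $KMS_CONFIG_DIR is world-readable" >&2
    fi

    # 2. Java home: JRE_HOME (JRE) or JAVA_HOME (JDK), with an executable java.
    jh=$(kms_java_home) || {
        echo "FAIL: neither JAVA_HOME nor JRE_HOME is set" >&2
        return 1
    }
    if [ ! -x "$jh/bin/java" ]; then
        echo "FAIL: $jh/bin/java not found or not executable" >&2
        rc=1
    fi

    # 3. JCE unlimited-strength policy files under <java-home>/lib/security.
    #    (Only needed before Java 8u161; later updates default to unlimited.)
    for jar in local_policy.jar US_export_policy.jar; do
        if [ ! -f "$jh/lib/security/$jar" ]; then
            echo "FAIL: JCE policy file $jh/lib/security/$jar is missing" >&2
            rc=1
        fi
    done

    return $rc
}

# Usage (from the keymanager directory):
#   . ./kms_preflight.sh && kms_preflight && ./keymanager.sh start
```

Source the script and run kms_preflight before the start command; a non-zero return lists the failed checks on stderr. The world-readable check is only a warning, since the manual does not prescribe permissions for KMS_CONFIG_DIR.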

The application server console (Jetty) opens automatically.
Under Linux: ./keymanager.sh start
To display the log messages in the Jetty server console as well, enter the following command instead:
./keymanager.sh start; tail -f keymanager/logs/<yyyy_mm_dd>.stderrout.log

The application server and the KeyManager applications are started. Continue with the initial configuration of the KeyManager. Refer to Initial Configuration on page 47. In case of problems while accessing the KeyManager web interface, check the log files for troubleshooting. Refer to Log Files.

3.3 Stopping Crypt Pro KeyManager
You can stop Crypt Pro KeyManager completely, including all KeyManager applications (km.backend, km.admin, km.logserver), by stopping the application server. Use this method, for example, to update or reinstall Crypt Pro KeyManager.

In case of a Setup Installation
Stop the iq.suite KeyManager Service.

In case of a Package Installation
With the server console, switch to the keymanager directory and enter the following command:
Under Windows: keymanager.cmd stop
Under Linux: keymanager.sh stop
If the application server cannot be stopped properly, proceed as described under KeyManager Server cannot be stopped.

Data Migration from iq.suite Crypt to Crypt Pro KeyManager
This section describes how to import S/MIME certificates or GnuPG keys from iq.suite Crypt (Microsoft Exchange/SMTP and IBM Domino) into the KeyManager.

Required Tools and Components
- KeyManager export tool: xml_export_tool.jar. The JAR file is stored in the following directory:
  Setup installation: C:\Program Files\GBS\KeyManager\tools
  Package installation: Windows: <KeyManager InstallDir>\tools; Linux: <KeyManager InstallDir>/tools
  With the export tool you can generate an XML file from public and private S/MIME or GnuPG keys. You can then import the XML file into the KeyManager. To execute the JAR file (export tool), the components mentioned under Java Components on page 12 must be installed on the executing computer.
- Certificate Manager (only for Microsoft Exchange/SMTP): tk_certmgr.exe. The certificate manager (available as a separate download) is used to export the S/MIME data from the certificate database certs.db before the export tool converts the data to XML.

Parameters to Generate a KeyManager-compatible XML File
The following list describes the parameters relevant for the key export and the certificate export. The commands using these parameters are described under Importing S/MIME Keys and Certificates from the iq.suite on page 22 and Importing GnuPG keys from iq.suite (Exchange/SMTP and Domino) on page 30.

-d
Directory that contains the public keys and certificates (S/MIME) or key ring files (GnuPG) that shall be exported.

-f
For S/MIME only: list of the file extensions the export tool shall process. The file extension DERBASE64 is created by the Notes export mechanism.

-gpgtrust
Optional: path to the GnuPG ownertrust file (e.g. ownertrust.txt) that contains the trust status information originating from the trust database (trustdb.gpg). According to the information in the ownertrust file, the export tool assigns a trust level to all loaded keys in the key ring. The XML file contains the trust level.

-m GPG
Mode that is used for exporting the GnuPG keys.

-m S
Mode that is used for exporting the S/MIME keys and S/MIME certificates.

-o
Path to the XML file which will be created automatically with all certificates and keys (S/MIME) or key rings (GnuPG) to be imported into the KeyManager. When specifying any name for the file, do not forget the .xml file extension.

-p
Optional (S/MIME): if different passwords are used in the PFX or P12 files, enter the passwords on the command line, separated by commas (e.g. -p <password1,password2,password3>). The export tool opens each PFX/P12 file using one of the specified passwords. If none of them is valid, the empty string ("") is tried. If that also fails, the file is skipped. The passwords are saved in the XML file as base64-encoded strings.

-password
For GnuPG only: if you export only public GnuPG keys, this parameter is not needed. Use this parameter to enter the password(s) for the private GnuPG keys that shall be exported. If there are different passwords for the private keys, separate them with commas. The export tool uses the passwords to open the private keys. On success, the passwords are written to the XML file (base64-encoded strings). Private keys that cannot be opened with one of these passwords are skipped. If you do not enter a password but private keys are found, errors occur and the export tool stops. No XML file is generated.

-pkdir
Directory that contains the private keys (PFX/P12 files) that shall be exported.

-r
This parameter orders the export tool to search all subdirectories. Use this parameter if the keys or certificates to be exported are located in subdirectories (e.g. Trusted, NotTrusted and Path).

-ts
Optional: specify which trust status the S/MIME keys, the S/MIME certificates or the keys of the key rings (GnuPG) that are to be exported shall receive.
In S/MIME context (for the key or certificate export from iq.suite for Microsoft Exchange): possible trust status values are default (calculated), trusted, not_trusted and unknown. If no trust status is set manually, the status default is set. In this case, the KeyManager calculates the trust status on the basis of the certificate chain.
In GnuPG context: KeyManager supports the trust model Direct Trust (not Web of Trust). Refer to Trust Status (Owner Trust) for PGP Keys on page 131. If ownertrust is used (parameter -gpgtrust) but the parameter -ts is not set, the trust status from the ownertrust file is written to the XML file (truststatus="<status>"). Keys without a defined trust status in the ownertrust file receive the default status untrusted. If you use both the -ts parameter and ownertrust, the trust status from the ownertrust file is written to the XML file, and keys without a trust status in the ownertrust file receive the -ts status. If you use neither the -ts parameter nor ownertrust, all keys receive the default status untrusted.

Note on the passwords given with -p and -password: they are passed on the command line, where other local users can read them from the process list and where they remain in the command history, and base64 encoding in the XML file is not encryption. Run the export tool on a machine that only administrators can access, and delete the XML file and the export directory once the import has been verified.

Importing S/MIME Keys and Certificates from the iq.suite

Files from iq.suite for Microsoft Exchange/SMTP

Files to be imported
The S/MIME keys and S/MIME certificates that shall be exported from iq.suite Crypt to Crypt Pro KeyManager are located in the certificate database certs.db and in the directory of the derived certificates, derived_certs:
- certs.db: This database file usually contains root certificates, intermediate certificates and public keys. Default path: <iq.suite>\grpdata\smimedata

  Before importing them into the KeyManager, the data must be exported manually from the database. Refer to Exporting keys and certificates on page 23.
- derived_certs: This directory usually contains the private (derived) keys. Since these keys are in the PFX format, it is not required to export them manually. Use the export tool to generate the XML import file. Default path: <iq.suite>\grpdata\smimedata

Exporting keys and certificates
To export the keys and certificates stored in the certificate database, proceed as follows:
1. Create a directory (migration directory). All files used for the migration are stored in this directory. Example: C:\SMIME-MSX-Migration
2. Store the files tk_certmgr.exe and xml_export_tool.jar in the migration directory (refer to Required Tools and Components on page 20). All DLLs under <iq.suite ProgramDir>\Bin\smime (e.g. tk_smime.dll) are required for data extraction from the certs.db. If the DLLs are not located in the same directory as tk_certmgr.exe, extend the environment variable PATH with the path <iq.suite ProgramDir>\Bin\smime. Example under Windows: ...;C:\Program Files\GBS\iQ.Suite\Bin\smime
3. For more clarity on the data, create the following subdirectories in the migration directory:
   - One subdirectory for the data export (export directory). The certificate manager uses this subdirectory to store the keys and certificates from the certs.db. Example: C:\SMIME-MSX-Migration\SMIME-Export
   - One subdirectory for the XML data. The export tool uses this subdirectory to store the XML file that was generated from the certificate database. Example: C:\SMIME-MSX-Migration\XML-Output

     Define the name for the XML file on the command line (e.g. kms_import.xml). Refer to step 8.
   - One subdirectory for the copied data. After stopping the iq.suite services, copy the certificate database and the directory of the derived keys into this directory. Example: C:\SMIME-MSX-Migration\SMIME-OriginalData
4. Stop the iq.suite server by stopping the iq.suite Control Service (Windows service).
5. Copy the certificate database and the directory of the derived keys from iq.suite (for the default paths to the S/MIME data in iq.suite, refer to Files to be imported on page 22) into the C:\SMIME-MSX-Migration\SMIME-OriginalData directory. With this, you prevent data loss of your S/MIME keys or certificates. The S/MIME data is exported from the copy and not from the original location on the iq.suite server. Therefore, the traffic in your enterprise must be stopped only briefly, during the copying process. Moreover, it is ensured that iq.suite does not access the certs.db while the data is being copied and that no e-mail remains unprocessed. Keep in mind that the migration directory now holds a second copy of all private keys; restrict its permissions accordingly and delete the copy once the import has been verified.
6. After copying the data, restart the iq.suite services.
7. To extract the data from the certs.db, open the command prompt, switch to the directory in which tk_certmgr.exe is located and enter the following command line:
   tk_certmgr.exe EXPORT <path_to_certs.db> <any_path_for_crl.db> <path_to_the_export_directory> CMDLINE 1 NORMAL
   While tk_certmgr.exe is executed, the crl.db is created automatically and stored in the directory specified on the command line. In the example:
   C:\SMIME-MSX-Migration>tk_certmgr.exe EXPORT C:\SMIME-MSX-Migration\SMIME-OriginalData\certs.db C:\SMIME-MSX-Migration\SMIME-OriginalData\crl.db C:\SMIME-MSX-Migration\SMIME-Export CMDLINE 1 NORMAL
8. To generate the XML file which will be imported into the KeyManager, open the command prompt, switch to the directory which contains xml_export_tool.jar and enter the following command line:
   java -jar xml_export_tool.jar -m S -d <path_to_export_directory> -pkdir <path_to_derived_certs> -o <path_to_output_xml_file> -p <passwords_for_pfx_files> -r -ts <trust_status>
   For further information on the applicable parameters, please refer to Parameters to Generate a KeyManager-compatible XML File on page 20. The XML file is generated with the following attributes:
   - version: Information on the structure of the XML file.
   - count: Overall number of generated certificates.
   - mode: Type of the XML file.
   - id: Serial number of the key in the list.
   - type: Type of the key data.
   - encrypted: Whether a password is required to open the key file.
   - password: The base64-encoded password.
   - truststatus: Trust status that shall be used when importing the key into the KeyManager.
   During the execution of the command line, the log file xml_export_tool.log is created. This log file contains complete information about the export process. In case of an error, check the log file. The XML file contains the private keys together with their passwords (base64-encoded, not encrypted); protect it like a key backup and delete it, together with xml_export_tool.log and the export directory, after a successful import.
9. To import the keys and certificates from the previously generated XML file into the KeyManager tenants, open the KeyManager web interface

27 INSTALLATION - DATA MIGRATION FROM IQ.SUITE CRYPT TO CRYPT PRO KEYMANAGER and click on <TENANT> -> CERTIFICATE MANAGEMENT -> <CERTIFICATE TYPE> (e.g. Own Certificates) -> IMPORT BUTTON. During the import, the keys/certificates are automatically assigned to the appropriate certificate type. Keys and certificates that already exist in the KeyManager database are not imported. This might be the case when you have uploaded root certificates already, or if the XML file includes both, an PFX file and a DER file that contain the same public key. The PFX file is imported while the DER file is not Files from iq.suite for IBM Domino The S/MIME keys and certificates that shall be imported from iq.suite Crypt into Crypt Pro KeyManager are located in the iq.suite certificate database g_cert.nsf. Before importing them into the KeyManager, the data must be exported. Refer to Exporting the keys and certificates on page 26. Default path (Windows): <Domino data directory>\iqsuite\g_cert.nsf Exporting the keys and certificates To export the S/MIME keys and certificates, proceed as follows: 1. Create a directory (migration directory). All files used for the migration are stored in this directory. Example: C:\SMIME-LND-Migration 2. For more clarity in the data, create the following subdirectories in the migration directory: One directory for the public keys and certificates: Example: C:\SMIME-LND-Migration\Public One directory for the private keys and specific key information: Example: C:\SMIME-LND-Migration\Private One directory for the XML file: Example: C:\SMIME-LND-Migration\XML_output The export tool stores the generated XML file in this subdirectory. Enter the name for the XML file in the command line, e.g. kms_import.xml. Refer to step 6. PAGE 26 CRYPT PRO KEYMANAGER INSTALLATION AND ADMINISTRATION

3. In the iq.suite administration console, display all public S/MIME keys and S/MIME certificates of the certificate database sorted by activation status and trust status: CRYPT -> S/MIME CERTIFICATES -> LOCAL DATABASE -> ALL BY STATUS.

4. In the status categories, select the keys and certificates that shall be exported. Then, click on ACTIONS -> EXPORT SELECTED PUBLIC CERTIFICATES TO FOLDER ON FILESYSTEM and enter the path to the directory in which the exported data shall be stored (example: C:\SMIME-LND-Migration\Public).

   The keys and certificates are exported according to their trust status. For this, the following subdirectories are created automatically in the migration directory during the export:
   - Trusted: Trusted keys and certificates. Category in the iq.suite administration console: Explicit Trusted.
   - NotTrusted: Not trusted keys and certificates. Category in the iq.suite administration console: Explicit Not Trusted.
   - Path: The KeyManager calculates the trust status on the basis of the issuer certificate and of the path to the root certificate. Category in the iq.suite administration console: Depends on trust state of top issuer.
   The selected keys and certificates are exported independently of the activation status (Active, Not active).

5. To export the private keys of the certificate database, click on CRYPT -> S/MIME CERTIFICATES -> LOCAL DATABASE -> PERSONAL CERTIFICATES and select the private keys to be exported. Then, click on ACTIONS -> EXPORT SELECTED PRIVATE CERTIFICATES TO FOLDER ON FILESYSTEM and enter the path to the directory in which the files are to be stored (in the example: C:\SMIME-LND-Migration\Private).

   For each key file (PFX, P12) a PROPERTIES file is available. This file contains specific key information from the g_cert.nsf (key password, type etc.).

6. To generate the XML file, which will be imported into the KeyManager, proceed as follows:
   - Store the xml_export_tool.jar file (KeyManager export tool) [5] in the migration directory, e.g. C:\SMIME-LND-Migration\xml_export_tool.jar
   - In the command prompt, switch to the migration directory mentioned above and enter the following command line:

     java -jar xml_export_tool.jar -m S -d <path_to_public_data_directory> -pkdir <path_to_private_data_directory> -o <path_to_output_xml_file> -p <password1,password2,etc.> -r -f pfx p12 der pem derbase64

     For further information on applicable parameters, please refer to Parameters to Generate a KeyManager-compatible XML File on page 20.

[5] Refer to Required Tools and Components on page 20.

     Refer to The XML file is generated on page 25.

     During the execution of the command line, the log file xml_export_tool.log is created. This log file contains complete information about the export process. In case of an error, check the log file.

7. To import the keys and certificates from the previously generated XML file into the KeyManager tenants, open the KeyManager web interface and click on <TENANT> -> CERTIFICATE MANAGEMENT -> <CERTIFICATE TYPE> (e.g. Own Certificates) -> IMPORT BUTTON.
   During the import, the keys/certificates are automatically assigned to the appropriate certificate type. Keys and certificates that already exist in the KeyManager database are not imported. This might be the case when you have uploaded root certificates already, or if the XML file includes both a PFX file and a DER file that contain the same public key. The PFX file is imported while the DER file is not.

Importing GnuPG keys from iq.suite (Exchange/SMTP and Domino)

The key ring files contain the GnuPG keys:
- pubring.gpg: File for the public keys.
- secring.gpg: File for the private keys.

When using GnuPG, your iq.suite installation contains the key ring files mentioned above. In addition, the installation might contain a trust database (trustdb.gpg). This database contains the ownertrust values that define the trust level for the key issuers [6]. The key ring files and the trust database are located in the directory specified for the environment variable GNUPGHOME.

To generate a KeyManager-compatible XML file from your GnuPG data in iq.suite, proceed as follows:

[6] For further information on GnuPG, please refer to the iq.suite Administration Manual. Download under

1. Create a directory (migration directory). All files used for the migration are stored in this directory.
   Example: C:\GnuPG-LND-Migration or C:\GnuPG-MSX-Migration

2. For more data clarity, create the following subdirectories in the migration directory:
   - One directory for the key ring files and the trust database. Example: C:\GnuPG-Migration\GnuPG-Data
   - One directory for the XML file. Example: C:\GnuPG-Migration\XML_output
     The export tool stores the generated XML file in this subdirectory. Enter the name for the XML file in the command line, e.g. kms_gpg_import.xml. Refer to step 6.

3. Stop the iq.suite server by stopping the iq.suite Control Service (Windows Service).

4. Copy the key ring files and the trust database to the directory C:\GnuPG-Migration\GnuPG-Data. With this, you prevent data loss of your GnuPG data. Since the GnuPG data is exported from the subdirectory and not from the original location on the iq.suite server, the mail traffic in your enterprise must be stopped only briefly during copying. Moreover, it is ensured that while copying, iq.suite cannot access the certs.db. With this, no e-mails leave the mail server unchecked.

5. Optional: ownertrust
   On the basis of the trustdb.gpg, a text file separated with CRLF can be created (e.g. ownertrust.txt). The key fingerprints and the trust values are exported to the ownertrust file. Then, they are written to the XML file generated by the export tool. In the command prompt, enter the following command line to create the ownertrust file:

   gpg --export-ownertrust > ownertrust.txt
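As an added example that is not part of this manual or of the GBS tooling, the following Python script validates the ownertrust file from step 5 before it is handed to the export tool in step 6: it parses the FINGERPRINT:VALUE: records that gpg --export-ownertrust writes and reports malformed lines. The trust level names and the disabled flag follow GnuPG's trustdb constants; the sample file content is constructed.

```python
"""Validate an ownertrust.txt export before it is passed to xml_export_tool.jar.

Added illustration (not manual or GBS code).  A damaged ownertrust file would
otherwise only show up as wrong trust values after the KeyManager import.
"""
import re

# GnuPG ownertrust levels live in the low four bits of the exported value;
# the high bit marks a disabled key (TRUST_MASK / TRUST_FLAG_DISABLED in trustdb.h).
TRUST_NAMES = {2: "undefined", 3: "never", 4: "marginal", 5: "full", 6: "ultimate"}
TRUST_MASK = 15
TRUST_FLAG_DISABLED = 128
# v3 (32 hex), v4 (40 hex) and v5 (64 hex) fingerprints
_FPR_RE = re.compile(r"^(?:[0-9A-Fa-f]{32}|[0-9A-Fa-f]{40}|[0-9A-Fa-f]{64})$")


def parse_ownertrust(text):
    """Parse the content of ownertrust.txt.

    Returns (entries, problems): entries is a list of
    (fingerprint, trust_name, disabled) tuples, problems holds one message per
    line that is not a usable FINGERPRINT:VALUE: record.
    """
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):   # CRLF and LF both work
        line = raw.strip()
        if not line or line.startswith("#"):              # gpg writes comment lines first
            continue
        parts = line.split(":")
        if len(parts) < 2 or not _FPR_RE.match(parts[0]) or not parts[1].isdigit():
            problems.append(f"line {lineno}: not a FINGERPRINT:VALUE: record: {line!r}")
            continue
        value = int(parts[1])
        level = value & TRUST_MASK
        if level not in TRUST_NAMES:
            problems.append(f"line {lineno}: unknown trust value {value}")
            continue
        entries.append((parts[0].upper(), TRUST_NAMES[level],
                        bool(value & TRUST_FLAG_DISABLED)))
    return entries, problems


# Constructed sample of what the export looks like, including one damaged line.
SAMPLE_OWNERTRUST = (
    "# List of assigned trustvalues, created Mon Jan  1 00:00:00 2018 UTC\r\n"
    "# (Use \"gpg --import-ownertrust\" to restore them)\r\n"
    "0123456789ABCDEF0123456789ABCDEF01234567:6:\r\n"      # ultimate
    "89ABCDEF0123456789ABCDEF0123456789ABCDEF:5:\r\n"      # full
    "FEDCBA9876543210FEDCBA9876543210FEDCBA98:134:\r\n"    # 6 | 128: ultimate, key disabled
    "not-a-fingerprint:4:\r\n"                             # damaged record
)

if __name__ == "__main__":
    entries, problems = parse_ownertrust(SAMPLE_OWNERTRUST)
    for fpr, level, disabled in entries:
        print(f"{fpr} {level}{' (disabled)' if disabled else ''}")
    for problem in problems:
        print("PROBLEM:", problem)
```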

6. To generate the XML file, which will be imported into the KeyManager, proceed as follows:
   - Store the xml_export_tool.jar file (KeyManager export tool) [7] in the migration directory, e.g. C:\GnuPG-Migration\xml_export_tool.jar
   - In the command prompt, switch to the migration directory mentioned above and enter the following command line:

     java -jar xml_export_tool.jar -m GPG -d <path_to_gnupg_data> -o <path_to_output_xml_file> -ts <trust_status> -gpgtrust <path_to_gnupg_data>\ownertrust.txt -password <password>

     The -password parameter is optional. For further information on applicable parameters, please refer to Parameters to Generate a KeyManager-compatible XML File on page 20.

     The XML file is generated. Its elements and attributes:
     - version: Information on the implementation that was used for generating the XML file.
     - count: Overall number of generated keys or key data (content of <armour>...</armour>).
     - id: Serial number of the keys in the list.
     - type: Type of the key data.
     - truststatus: Trust status that shall be used for importing the key to the KeyManager.

[7] Refer to Required Tools and Components on page 20.

     - password: Password for the private key (if the <armour> tag contains private key data).
     - identities: List of all key identities that were read.
     - armour: Actual key data.

     During the execution of the command line, the log file xml_export_tool.log is created. This log file contains complete information about the export process. In case of an error, check the log file.

Importing the GnuPG keys to the KeyManager

To import the GnuPG keys from the previously generated XML file to the desired KeyManager tenants, in the KeyManager click on <TENANT> -> CERTIFICATE MANAGEMENT -> PGP CERTIFICATES -> IMPORT BUTTON [8].

Security Measures

HTTPS Authentication

To ensure an encrypted data transport (keys and certificates) between the KeyManager and an external application (e.g. iq.suite), we recommend configuring an SSL connection.

Prerequisite: A PKCS#12 container file that contains an X.509 certificate and a private key (file extension: PFX or P12). Example: server-certificate.p12

In the following section, the directories are specified relative to the KeyManager installation directory.

To configure SSL for a secure HTTPS connection between the client (external application) and Jetty (application server), proceed as follows:

1. Stop the KeyManager server [9].

[8] For further information on the import procedure, please refer to Importing S/MIME Certificates or PGP Keys.
[9] Refer to Stopping Crypt Pro KeyManager on page 19.

2. Import the PKCS#12 file into a Java key store. For this, use the keytool (keytool.exe under Windows) available in the bin subdirectory of your JDK or JRE installation directory.
   Path to the key tool:
   - Under Windows: %JAVA_HOME%\bin\keytool
   - Under Linux: $JAVA_HOME/bin/keytool

   To import the PKCS#12 file, switch to the keymanager directory in the server console and enter the following command line [10]:

   <path_to_keytool> -importkeystore -srckeystore <servercertificate.p12> -srcstoretype PKCS12 -destkeystore <server.keystore>

   Output:
   Enter destination keystore password: ...
   Re-enter new password: ...
   Enter source keystore password: ...

   When the entries are correct, the following message is displayed:
   Entry for alias <aliasname> successfully imported.
   Import command completed: 1 entries successfully imported, 0 entries failed or cancelled

   If the import was successful, the server.keystore file is created. This file contains the imported X.509 certificate and the private key.

3. Create a coded (obfuscated) password for the server.keystore file. For this, switch to the keymanager directory and enter the following command line:

   For the private key:
   - Windows: The name of the JAR file must be specified with the version number:
     java -cp lib\jetty-util-<version>.jar org.eclipse.jetty.util.security.Password <password1>

[10] The angle brackets in the command line are used to distinguish examples from obligatory entries.

     The complete file name (e.g. jetty-util-<version>.jar) can be found under <KeyManager_InstallDir>\KeyManager\keymanager\lib
   - Unix:
     java -cp lib/jetty-util*.jar org.eclipse.jetty.util.security.Password <password1>

   Example for possible output:
   password1
   OBF:18xp18xr18xt
   MD5:202cb962ac59075b964b07152d234b70

   For the server.keystore file:
   java -cp lib/jetty-util*.jar org.eclipse.jetty.util.security.Password <password2>

   Example for possible output:
   password2
   OBF:1c3x1iup1kfv1vne1vno1kcj1irx1c35
   MD5:e64b78fc3bc91bcbc7dc232ba8ec59e0

4. Open keymanager\km-base\start.d\ssl.ini in a text editor and modify it as follows:
   - Activate the ssl module by uncommenting the line --module=ssl
   - Optional: uncomment and adjust # jetty.ssl.port=8443
   - Set the path to the server.keystore file in the jetty.sslContext.keyStorePath property. Specify the path relative to the $jetty.base directory.
   - Set (uncomment) the jetty.sslContext.keyStoreType property to JKS.
   - Set the path to the server.truststore file in the jetty.sslContext.trustStorePath property. Specify the path relative to the $jetty.base directory.

   - Enter the coded (obfuscated) password of the private key of the certificate in the jetty.sslContext.keyManagerPassword property.
   - Enter the coded (obfuscated) password of the server.keystore file in the jetty.sslContext.keyStorePassword and the jetty.sslContext.trustStorePassword properties.

5. Restart the KeyManager server [11].

6. Call the KeyManager web interface with the following URL:
   https://<KeyManager server IP address>:<8443>/kms

7. Optional: After the KeyManager installation, access to the KeyManager web interface by HTTPS is automatically enabled. If you also want to access the KeyManager server and the log server by HTTPS and your issuer certificate comes from a well-known certification authority, proceed as follows:
   a) In the login dialog, adjust the server address:
      https://<KeyManager server IP address>:<8443>/km.backend/services/KMSFrontendWebService
   b) On successful login, adjust the URL under SYSTEM CONFIGURATION -> REMOTE CONNECTION -> LOG SERVER WEB SERVICE:
      https://<KeyManager server IP address>:<8443>/km.logserver/services/LogServerWebService

If you want to use a self-signed issuer certificate and to disable HTTP, the following additional steps are required:

8. Import the self-signed SSL issuer certificate into the Java cacerts file:
   C:\Program Files\GBS\KeyManager\jre8\lib\security\cacerts
   In the server console, use the following command line for the import:
   C:\Program Files\GBS\KeyManager\jre8\lib\security>keytool -importcert -file <issuer>.crt -keystore cacerts -alias "<myca>"

[11] Refer to Starting iq.suite KeyManager on page 17.

   After an update installation, you must import the certificate again or replace it with a backup file created before updating.

9. Log in to the KeyManager web interface. Then, open SYSTEM CONFIGURATION -> REMOTE CONNECTIONS and add the desired web service URLs for HTTPS access to the KeyManager server and the log server. Example:
   - Server web service: https://<KeyManager server IP address>:<8443>/km.backend/services/KMSFrontendWebService
   - Log server web service: https://<KeyManager server IP address>:<8443>/km.logserver/services/LogServerWebService
   For further information, please refer to Configuring Remote Connections.

10. Stop the iq.suite KeyManager Service.

11. Disable HTTP access and make sure that HTTPS access is enabled. The corresponding configuration files http.ini and https.ini are under ...\gbs\keymanager\keymanager\km-base\start.d

   a) Disable HTTP: In the http.ini file, comment out the --module=http entry by placing a # character before the entry:
      # --module=http
   b) Enable HTTPS: In the https.ini file, HTTPS is enabled by default: --module=https. If HTTPS is disabled (# --module=https), remove the # character to enable HTTPS.

12. Restart the iq.suite KeyManager Service.

13. Call the KeyManager web interface, e.g. with https://<KeyManager server IP address>:<8443>/kms. The web service URL to the KeyManager server (for HTTPS) which was added in step 2 is now available in the drop-down list under Server address.

HTTP Authentication

If you are using Jetty, the authentication method HTTP BASIC can be used for accessing the web-based KeyManager applications. For this, proceed as follows:

1. Stop the KeyManager [12].

2. Create a keymanager.realm file and save this file in the keymanager directory. This file is used to store details on the users, the passwords and the roles for accessing the KeyManager applications.

3. In the server console, switch to the keymanager directory and enter the following command line to generate a user password:

[12] Refer to Stopping Crypt Pro KeyManager on page 19.

   java -cp lib/jetty-util*.jar org.eclipse.jetty.util.security.Password <password>

   Example of the output:
   password
   OBF:1sw01zet1u9d1y7p1y0s1x881sar1
   MD5:8ac b2e0eccdfe0fa24036b6d5

4. In the keymanager.realm file, enter the coded (obfuscated) password in the following format:
   <user>: <password>, <role_name>
   Example:
   admin: OBF:1sw01zet1u9d1y7p1y0s1x881sar1, keymanager.admin

5. Under keymanager\contexts\ (Windows) or keymanager/contexts/ (Linux), create the km.backend.d directory.

6. Create the servlet mapping file web.xml by copying the km.backend_web.xml.tpl template from the etc directory [13] to the km.backend.d directory. Rename the file, e.g. to web.xml. File content:

[13] Path to etc: refer to the environment variable KMS_CONFIG_DIR on page 16.
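The OBF: values produced by the Password class in step 3 above (and in step 3 of the HTTPS configuration) use Jetty's OBF scheme. The following Python reimplementation is an added example, not GBS or Jetty code: it generates keymanager.realm entries offline, reproduces the sample values printed in this manual (OBF:18xp18xr18xt is the encoding of 123, OBF:1c3x1iup1kfv1vne1vno1kcj1irx1c35 that of Admin123), and shows that OBF is reversible obfuscation rather than encryption, so keymanager.realm and ssl.ini need restrictive file permissions. The property names it checks are Jetty's ssl.ini password properties; the sample ini text is constructed.

```python
"""Jetty OBF password codec (org.eclipse.jetty.util.security.Password algorithm).

Added illustration, not GBS or Jetty code.  Each input byte b1 is paired with
its mirror byte b2 from the end of the password and stored as a 4-digit
base-36 number; deobfuscate() recovers b1 from every pair, which is why an
OBF: value protects against shoulder surfing only, not against file readers.
"""

_DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"


def _to_base36(n):
    if n == 0:
        return "0"
    out = []
    while n:
        n, r = divmod(n, 36)
        out.append(_DIGITS[r])
    return "".join(reversed(out))


def obfuscate(password):
    """Return the OBF:... form, identical to Jetty's Password.obfuscate()."""
    b = password.encode("utf-8")
    groups = ["OBF:"]
    for i, b1 in enumerate(b):
        b2 = b[len(b) - (i + 1)]                 # byte mirrored from the end
        if b1 >= 128 or b2 >= 128:
            # non-ASCII bytes: Jetty stores b1*256+b2 behind a 'U' marker
            groups.append("U" + _to_base36(b1 * 256 + b2).rjust(4, "0"))
        else:
            i1 = 127 + b1 + b2                   # sum and difference encode the pair
            i2 = 127 + b1 - b2
            groups.append(_to_base36(i1 * 256 + i2).rjust(4, "0"))
    return "".join(groups)


def deobfuscate(obf):
    """Invert obfuscate(): the original password is fully recoverable."""
    s = obf[4:] if obf.startswith("OBF:") else obf
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "U":
            i += 1
            out.append(int(s[i:i + 4], 36) >> 8)          # high byte is b1
        else:
            i1, i2 = divmod(int(s[i:i + 4], 36), 256)
            out.append((i1 + i2 - 254) // 2)              # (2*b1 + 254 - 254) / 2
        i += 4
    return out.decode("utf-8")


def realm_entry(user, password, role):
    """One keymanager.realm line in the <user>: <password>, <role_name> format of step 4."""
    return f"{user}: {obfuscate(password)}, {role}"


# Jetty ssl.ini password properties that should never hold a cleartext value.
_SECRET_KEYS = ("jetty.sslContext.keyStorePassword",
                "jetty.sslContext.keyManagerPassword",
                "jetty.sslContext.trustStorePassword")


def cleartext_secrets(ini_text):
    """Names of active password properties in a start.d ini that are not OBF:-coded."""
    findings = []
    for line in ini_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in _SECRET_KEYS and not value.startswith("OBF:"):
            findings.append(key)
    return findings


# Constructed ssl.ini fragment with one password left in cleartext.
SAMPLE_SSL_INI = """\
--module=ssl
jetty.ssl.port=8443
jetty.sslContext.keyStorePath=etc/server.keystore
jetty.sslContext.keyStoreType=JKS
jetty.sslContext.keyStorePassword=Admin123
jetty.sslContext.keyManagerPassword=OBF:18xp18xr18xt
# jetty.sslContext.trustStorePassword=Admin123
"""

if __name__ == "__main__":
    print(realm_entry("admin", "123", "keymanager.admin"))
    print("cleartext:", cleartext_secrets(SAMPLE_SSL_INI))
```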

7. Modify the file if required:
   - km.backend: Name of the web path to be protected.
   - services/kmbackendprivatewebservice/*: Resources in this path are protected.
     Note: To protect the public web service, copy and paste the details from <web-resource-collection> to </web-resource-collection> into the web.xml file. Then, modify the name for <url-pattern>: services/kmbackendpublicwebservice/*
   - keymanager.admin: Role that is defined in the keymanager.realm file. After authentication, the users with the keymanager.admin role can access the protected web service resources.

8. Create the file for the descriptor of the web application context (WebAppContext). For this, copy the km.backend_context.xml.tpl template from the etc directory [14] to the directory keymanager\contexts (Windows) or keymanager/contexts (Linux). Rename the file, e.g. to km.backend.xml. File content:

9. Modify the file if required:
   - km.backend: Java servlet (web path) for the HTTP authentication.
   - /km.backend.war: Storage location for the web path. In this case, the web path is located in the web application km.backend.war.
   - /contexts/km.backend.d/web.xml: Servlet mapping file. The resources available for the configured users and roles are defined in this file.
   - /keymanager.realm: Name of the file that contains the user configuration and the role configuration.

10. Restart the KeyManager [15]. Please observe the log messages [16]. If one or more options are wrongly configured, Jetty will display error messages. On correct configuration, the protected private web service can be called with your web browser:
    http://<KeyManager server IP address>:<port>/km.backend/services/kmbackendprivatewebservice?wsdl [17]
    After successful authentication, the private web service is displayed.

[14] Path to etc: refer to the environment variable KMS_CONFIG_DIR on page 16.
[15] Refer to Starting iq.suite KeyManager on page 17.
[16] Refer to Log Files on page 149.
[17] As an alternative to your IP address you can enter the host name (default: localhost) or the FQDN of the server. Default port:

3.6 Update Installation

When performing an update, you can keep the configuration data and other data from previous KeyManager versions (e.g. users, tenants, workflow details, connector settings). Before the update, check the installation requirements. Especially when updating to a major version (e.g. from V3.5 to V4.0), changes are possible.

Upgrade of the H2 Database

In case of an update to KeyManager 5.1, the H2 database must be upgraded to the latest version. This concerns the installation on Windows as well as the package installation on Linux. In order to upgrade the database, proceed as follows:

1. After the KeyManager installation, the iq.suite KeyManager Service starts automatically and the dialog for the database upgrade is displayed.
   The steps for an update installation of iq.suite KeyManager are described under In Case of a Setup Installation on page 19 or In Case of a Package Installation.

2. Click on UPGRADE to start the upgrade process. The upgrade will modify the kms.hibernate.xml file by removing any existing MV_STORE=false strings and will also change the connection URL path by adding the new database name (e.g. km.db_mv.mv).

3. After a successful upgrade, a message is displayed. Restart the iq.suite KeyManager Service when this message appears for the changes to take effect.

In Case of a Setup Installation

To update Crypt Pro KeyManager, proceed as follows:

1. Log in to the KeyManager web interface as a business administrator and stop the KeyManager server: HOME -> STOP BUTTON.
2. Back up your KeyManager database to prevent data loss.
3. Run the setup file for the version to be installed.
4. Note the information under Upgrade of the H2 Database on page 43.
5. Restart the KeyManager. Refer to Starting iq.suite KeyManager on page 17.
6. Log in to the KeyManager web interface and compare the version numbers with the number of your update installation: HOME -> SERVER INFORMATION -> SERVER VERSION/WEB CLIENT VERSION. Identical version numbers indicate a successful update installation.

In Case of a Package Installation

To update Crypt Pro KeyManager, proceed as follows:

1. Log in to the KeyManager web interface as business administrator and stop the KeyManager server: HOME -> STOP BUTTON.
2. In case of a package installation: Make sure the Java process is stopped.
3. Stop the KeyManager applications. Refer to Stopping Crypt Pro KeyManager on page 19.
4. Back up your KeyManager database to prevent data loss.
5. Remove all WAR files (km.*.war) from the webapps directory:
   - Under Windows: <InstallDir>\keymanager\km-base\webapps
   - Under Linux: <InstallDir>/keymanager/km-base/webapps
6. Remove all directories from the work directory:
   - Under Windows: <InstallDir>\keymanager\km-base\work
   - Under Linux: <InstallDir>/keymanager/km-base/work

7. Copy the WAR files from the new KeyManager version to the webapps directory of the existing installation.
8. Start the KeyManager application. Refer to Starting iq.suite KeyManager on page 17. On errors, please check the log files for troubleshooting [18].
9. Note the information under Upgrade of the H2 Database on page 43.
10. Log in to the KeyManager web interface and compare the version numbers with the number of your update installation: HOME -> SERVER INFORMATION -> SERVER VERSION/WEB CLIENT VERSION. Identical version numbers indicate a successful update installation.

3.7 Uninstallation

When you need the certificates and keys of the KeyManager database for other products, export them before starting the uninstallation. Refer to Exporting S/MIME Certificates or PGP Keys on page 134.

To uninstall Crypt Pro KeyManager, proceed as follows:

1. Log in to the KeyManager web interface as business administrator and stop the KeyManager server: START PAGE -> STOP BUTTON.
2. Stop the KeyManager applications. Refer to Stopping Crypt Pro KeyManager on page 19.
3. Continue the uninstallation according to your installation method:
   - Setup installation: Open the Control Panel and click on UNINSTALL A PROGRAM. In the list of programs, select IQ.SUITE KEYMANAGER and proceed with RIGHT-CLICK -> CHANGE -> REMOVE.
     The data from the etc directory [19], the H2 database directory and the log files are not deleted by default. This allows data reuse if a new installation of Crypt Pro KeyManager shall be performed later on. If you want to delete all data from the KeyManager installation directory, enable the Delete all user data option in the last uninstallation dialog.

[18] Refer to Log Files on page 149.
[19] Path to etc: refer to the environment variable KMS_CONFIG_DIR on page 16.

   - Package installation: In the KeyManager installation directory, delete unnecessary directories and files. To be able to reuse the data of your current H2 database (embedded) in case of a new KeyManager installation in the future, save the database files. These files are stored in the database directory whose path is specified in the kms.hibernate.xml in the etc directory, e.g.:
     <property name="connection.url">jdbc:h2:file:C:\Program Files\GBS\KeyManager\data\km.db;CIPHER=AES</property>
     Make sure you have a backup of all the kmdb.* database files.

4 Administration

4.1 Initial Configuration

Accessing the Crypt Pro KeyManager Web Interface

When all required components are installed and the application server is started, you need to perform the initial configuration:

1. In your web browser, enter the following URL:
   http://<KeyManager server IP address>:<port>/km.admin/kms
   As an alternative to the IP address, you can use the host name (default: localhost) or the server's FQDN. Default port:
   The login page for the initial configuration opens.
   After startup of the web server, it might take a few seconds until the URL is available. If the login page is not displayed immediately, please wait a few seconds and retry loading the URL. If you have changed the default port for Jetty, make sure the server address field contains the correct port number.

2. Select the desired default language for the web interface.

3. Check the server address (IP address, port number):

   Usually, the Crypt Pro KeyManager web interface and the Crypt Pro KeyManager server run on the same computer and within the same application server. In this case, keep the default server address.

4. Click on ENTER. The login wizard for the first registration on the Crypt Pro KeyManager opens. Refer to Configuring a Database Connection on page 48.

Configuring a Database Connection

In case of a setup installation, an H2 database is created and configured automatically. Therefore, no database connection needs to be configured. Proceed as described under Creating the Initial User (Business Administrator) on page 52.

In case of a package installation, you are required to configure a database connection for the Crypt Pro KeyManager server:

1. Click on the WIZARD button and select one database system in the Type field. Only H2 is selectable in this field by default.

   To use MS SQL or IBM DB2, please contact the GBS Support. When MS SQL is enabled and you want to use an MS SQL Server > 2008, select the MSSQL 2008 option.

2. Fill in the dialog for the database connection. The displayed fields depend on the selected database type (Type field):
   - Database: If Crypt Pro KeyManager is installed for the first time, enter the desired database name in this field. The database tables will be created automatically in case of a successful configuration. If Crypt Pro KeyManager has been installed previously, a Crypt Pro KeyManager database already exists. To continue using this database, enter the database name in this field.
   - Username, Database password: To enable the connection to the database, enter username and password. The password must be at least 8 characters long.
   - Database host, Port: Enter the host and port of the database server.
   - Database folder: To create a new H2 database, enter the absolute path to the directory in which the database file (<name of the database>.h2.db) shall be created. To use an existing H2 database, enter the absolute path to the directory which contains the database file.
   - Encryption password: To create a new H2 database, enter the desired password for encrypting the database file. To use an existing H2 database, enter the existing password. The password must contain at least 8 characters. In addition to username and database password, an encryption password is required to open the H2 database. The H2 database file is stored encrypted on the file system in order to better protect the sensitive data inside.

3. Click on NEXT and check your settings. Then, click on FINISH.

4. Click on TEST CONNECTION to test the connection between Crypt Pro KeyManager and the database.

   If the connection to the database fails, check the log files [1]. When MS SQL Server or IBM DB2 is selected, first check whether the configured user has the required rights on the database.

5. Click on OK -> FINISH.
   After completion of the first configuration, you can change your KeyManager database settings, if required. Refer to How to configure KeyManager Database Settings on page 156.
   For further information on the Crypt Pro KeyManager database, please refer to Information on the Crypt Pro KeyManager database on page 51.

[1] Refer to Log Files on page 149.

6. Create a business administrator. Refer to Creating the Initial User (Business Administrator) on page 52.

Information on the Crypt Pro KeyManager database

The Crypt Pro KeyManager data such as public keys, private keys, certificates, configuration data, user settings, tenant settings, etc. are stored in one common database. Refer to Supported Databases on page 11. For this data, several database tables are required. With a setup installation, the tables are created automatically in the database. With a package installation or a manual installation, the database tables are created after establishing a successful database connection.

The database tables contain various data types:

Data Type [a] | Description | Database Tables
Private | Sensitive data: Keys (S/MIME and PGP), certificate requests, identity names for PGP keys. | km_smime_keypairs, km_smime_queue, km_pgp_keyrings, km_pgp_identities
Public | Public keys/data, root certificates... | km_smime_publickeys, km_smime_keyidentifiers, km_binary_objects
System | System-specific data: Configuration data for the Crypt Pro KeyManager, settings for tenants and users... | all other databases, e.g.: km_users, km_tenants, km_messages, km_configuration etc.

[a] Here, the database types have only an abstract meaning.

For safety reasons, an individual password is generated for each S/MIME private key. The password is saved in encrypted form in the database table km_smime_keypairs.

For guidance values on the average size of some database elements such as S/MIME certificates, PGP keys or tenants, please refer to Average Sizes (Reference Values) of Database Elements.

Creating the Initial User (Business Administrator)
Once the database configuration is completed, create a business administrator. This is an initial user that has unrestricted rights to access the Crypt Pro KeyManager web interface.
1. Enter the authentication data for the user who is to be the first business administrator. Select the language in which the user shall receive the system notifications. The Username and the Password are required for the first login to the Crypt Pro KeyManager web interface. System notifications are sent to the e-mail address defined under E-mail.

After login to the web interface, create further users, if required. Refer to Creating Users on page 59. The data for user authentication and the language for the system notifications can be changed. Refer to Changing Personal User Data and Password on page 100.
2. Click on FINISH.
3. Configure a mail server. Refer to Configuring the Mail Server (SMTP Server) on page 53.

Configuring the Mail Server (SMTP Server)
The initial SMTP server configuration is valid for all system-related and tenant-related messages. Later you can configure a different mail server for every new tenant created.

1. Define in the field group Server which SMTP server shall be used as mail server:
Host: Host name, FQDN or IP address of the SMTP server, e.g. of the Domino or Exchange server on which the iq.suite is installed (default: localhost).
Port: Port number for the SMTP server. The default port depends on the selected encryption protocol (Secure connection option):
SSL: 465
TLS: 25
No (unsecured connection):
2. If authentication is required for the SMTP server, enter the username and password. When using TLS or SSL 3.0 for data transmission via the Internet, select the corresponding option under Secure connection.
The Crypt Pro KeyManager supports the SMTP authentication mechanisms LOGIN, PLAIN, DIGEST-MD5 and NTLM.
3. In the Sender of the system notifications field, enter the text that shall be displayed in the From field of every system notification. Depending on the settings of the SMTP server, it might be required to enter a domain.
Most of the system notifications are sent by the mail server defined under SYSTEM CONFIGURATIONS (a). Exception: If a tenant-specific mail server is configured, the system notifications concerning the expiration or the validity (CRL revocation status) of certificates are sent from the tenant-specific mail server. The tenant-specific mail server only sends system notifications of this type.
a. For further information on system notifications, please refer to System Notifications.
4. Test the communication between the Crypt Pro KeyManager and the configured mail server. For this, enter an e-mail address in the Recipient of the test e-mail field and click on SEND TEST E-MAIL. Make sure the address is available on the mail server.
5. On success, click on FINISH.

The initial configuration is completed. If required, you can change the settings for your mail server configuration later on. Refer to Changing the Mail Server Configuration on page 65.

Login to the Crypt Pro KeyManager Web Interface / Logout
Log in to the Crypt Pro KeyManager web interface with the business administrator account previously created. If the login fails, perform an error analysis. Refer to Login Fails on page 153.
The logged-in user is displayed at the top right. With a click on the user, the menu item LOGOUT is displayed.

Creating Tenants
Business administrators are allowed to create tenants. To use KeyManager Server, you need to create at least one tenant. You may use more than one tenant if your company consists of several units that shall be handled individually.
1. Click on TENANTS -> ADD and select how to create the new tenant:

Create a new blank tenant: The tenant will be created with the defaults (configuration and connector settings).
Create a copy from existing tenant: The configuration and all connector settings (but not the certificates!) of the tenant selected in the subsequent dialog will be copied for the new tenant.
2. Enter a name and label for the tenant:
Name: Unique tenant name, e.g. Unit_01, Unit_02. Since the tenant name is case-sensitive, you can create one tenant with the name Unit_01 and another with the name UNIT_01.

Label: Optional in-house identification attribute for the tenant. The label can be used to identify the tenant in KeyManager Server (e.g. company-x, company-y).
3. Click on NEXT and define whether the default root certificates shall be imported:
Yes (default): The root certificates list is generated from the Mozilla Network Security Services repository. Root certificates are public keys based on the X.509 standard and are issued by certification authorities that are trusted and acknowledged world-wide.
No: Depending on the company policy, it might be reasonable not to import the default root certificates, e.g. to only use the certificates from a certain certification authority. If you decide not to import the default root certificates now, you can import them (or other root certificates) later on. Refer to Importing S/MIME Certificates or PGP Keys on page 132.
Default root certificates are stored in a file called default_certdata.xml. This file is located in the path specified in the environment variable KMS_CONFIG_DIR. Refer to Setting Environment Variables.
4. Click on NEXT and check the tenant data in the summary.

5. To create a tenant with your settings, click on CREATE THE TENANT and then on FINISH. A GUID is assigned to the tenant automatically.
With a double-click on the view title (here: Tenants), only the selected view is enlarged. The navigation area and the header are hidden.

Creating Users
To split the administrative tasks for KeyManager Server, you may create additional users. For more information on the user types, please refer to Business Administrator vs. Tenant User.

Business Administrator vs. Tenant User
Business administrators have unrestricted rights on the Crypt Pro KeyManager. They are allowed to use all the Crypt Pro KeyManager functions, to create new users and tenants, to manage the system and to perform global or tenant-specific configurations. Business administrators can manage and request certificates for all tenants and have access to the events for troubleshooting.
For tenant users, several combinations of user rights are possible. Depending on his/her rights, a tenant user can change tenant configurations and request or manage certificates for the tenant(s) he/she is assigned to. Tenant users are not allowed to create, edit or delete other users or tenants. In the system configuration, tenant users are only allowed to configure remote connections to the Crypt Pro KeyManager server, even if all possible rights are set. Tenant users have no access to the EVENTS page.
To allow several users to configure the Crypt Pro KeyManager system, you have to create several business administrators. In case of several tenants, it might be reasonable to create several tenant users.
The business administrators are displayed in blue in the user view, whereas the tenant users are displayed in black.

Creating a User
As a business administrator you may create additional users:
1. Click on USERS -> ADD USER.

2. In addition to the first and last name, specify the following:
Username: Enter a unique username. The username is required for login to the Crypt Pro KeyManager.
E-mail: Enter the user's e-mail address. System notifications will be sent to this address.
Notification language: Refer to Notification language on page 101.
Use auto-generated password: By default, new users receive a password generated by the Crypt Pro KeyManager for logging in to the Crypt Pro KeyManager web interface. To use a self-defined password, disable this option. Only the passwords generated by the Crypt Pro KeyManager are sent to the users via e-mail.
The user account data can be changed later on, if required. Refer to Changing Personal User Data and Password on page 100 and Changing User Data and User Rights.
3. Click on NEXT and select the desired user role.

Business administrator
Tenant user (default)
Refer to Business Administrator vs. Tenant User.
4. Click on NEXT.
a) To create a Business administrator, click on NEXT -> FINISH.
b) To create a Tenant user, click on NEXT and assign the user to one or more tenants.
5. In case of a tenant user, click on NEXT to set the user rights:

The user rights are hierarchically structured: If subordinate user rights such as Can request certificates for others are enabled, the superordinate user rights are enabled automatically. Refer to Description of some user rights on page 62.
a) If a user is assigned to several tenants but you would like to assign certain user rights only to a specific tenant, select a tenant in the Available tenants field and enable the desired rights. Repeat this for each tenant from the drop-down list.
b) To assign the same user rights for all tenants the user is assigned to, enable the option Assign the same user rights for all selected tenants. Then, select the desired user rights.
6. Click on NEXT to review the user configuration in the summary view.
7. Click on NEXT -> FINISH.

Description of some user rights:

User Right                              Description
Can configure global connectors         Is allowed to configure connectors globally for all tenants.
Can configure tenant connectors         Is allowed to configure connectors for each tenant individually.
Can list certificate requests           Is allowed to view the list of all certificate requests: CERTIFICATE MANAGEMENT -> CERTIFICATE REQUESTS.
Can request certificates for own user   Is allowed to request certificates for his/her own e-mail address.
Can request certificates for others     Is allowed to request certificates for other users.

Can list certificates                   Is allowed to view all S/MIME certificates stored in the database.
Can list PGP certificates               Is allowed to view all PGP keys stored in the database.

Using iq.suite in Combination with KeyManager Server
KeyManager Server is designed to be used especially in combination with iq.suite for IBM Domino or iq.suite for Microsoft Exchange. For this, some conditions must be fulfilled:
Although no license is required to access the Crypt Pro KeyManager web interface, connections between external applications such as iq.suite and Crypt Pro KeyManager are only possible with a valid license file (2):
1. Stop the Crypt Pro KeyManager server. Refer to Stopping Crypt Pro KeyManager.
2. Copy the license file keymanager.lic into the Crypt Pro KeyManager configuration directory:
In case of a setup installation: C:\Program Files\GBS\KeyManager\etc
In case of a package or manual installation: Refer to KMS_CONFIG_DIR under Setting Environment Variables.
3. (Re-)start the Crypt Pro KeyManager server. Refer to Starting iq.suite KeyManager on page 17.
On the HOME page, you will find the information License status. The information License valid until is displayed in case the license is limited in time.
iq.suite must be configured correctly. For further information on the iq.suite configuration, please refer to the iq.suite Administration Manual, which is available for download.
2. For further information, please contact the GBS Sales Team.

65 ADMINISTRATION - CONFIGURING THE CRYPT PRO KEYMANAGER SERVER
4.2 Configuring the Crypt Pro KeyManager Server
After login to the Crypt Pro KeyManager web interface, the start page (HOME) is displayed.

Pausing/Stopping the Crypt Pro KeyManager Server
You can control the Crypt Pro KeyManager server (km.backend component) with the buttons on the HOME page:
PAUSE: The Crypt Pro KeyManager server is paused. Use this button to perform configuration changes or heavy load operations (e.g. to import many certificates at once). While the Crypt Pro KeyManager server is paused, the Crypt Pro KeyManager web services are disabled. The communication with external applications, such as iq.suite, is not available. However, changes and other

activities can be performed on the Crypt Pro KeyManager web interface as usual. To end the pause, click on RESUME.
STOP: The Crypt Pro KeyManager server is stopped. This ensures that logged-in users are logged off automatically, preventing them from performing any actions on the web interface. Before stopping the application server, e.g. in order to update your Crypt Pro KeyManager installation, you should always stop the Crypt Pro KeyManager server with this button. This prevents data loss. Please note that when the Crypt Pro KeyManager server is stopped, operations in progress such as importing certificates are cancelled.
To restart the Crypt Pro KeyManager server, proceed as follows:
In case of a setup installation: Restart the iq.suite KeyManager Service. When this service is restarted, users are able to log in again on the Crypt Pro KeyManager web interface.
In case of a package installation: Proceed as described under Starting iq.suite KeyManager on page 17.

Changing the Mail Server Configuration
The mail server configured during the initial configuration will be used by all tenants. As a business administrator, you can change the mail server settings and/or configure tenant-specific mail servers. As a tenant user with the right Can manage tenant configuration, you can configure a separate mail server for each of your tenants.
Mail server configuration:
cross-tenant configuration: SYSTEM CONFIGURATIONS -> MAIL SERVER (3)
tenant-specific configuration: <TENANT> -> TENANT CONFIGURATIONS -> MAIL SERVER
3. Configuration: refer to Configuring the Mail Server (SMTP Server) on page 53.

Using a Proxy Server
For the following requests via the Internet, a proxy server can be used:
CRL requests: Refer to CRL: Check Certificates for Trust Status and Revocation on page 112.
Certificate requests via the connector QUOVADIS: Refer to QuoVadis on page 81.
Under GENERAL SETTINGS -> PROXY SERVER, configure the desired proxy server:
Server name: Name or IP address of the proxy server.
Port: Port number of the proxy server.
User: Name of a user who is authorized to log in to the proxy server, e.g. domain\user or user.
Password: Password of the user for login to the proxy server.
To be able to use the configured proxy server, enable the option Use proxy server with Yes as follows:
For CRL requests:
4. Configuration: refer to Important Information before Configuration on page 108 and Configuring the Mail Server (SMTP Server) on page 53.

Setting under <TENANT> -> TENANT CONFIGURATIONS -> WORKFLOW.
For certificate requests via QUOVADIS: Setting under SYSTEM CONFIGURATIONS -> CONNECTORS -> QUOVADIS or <TENANT> -> TENANT CONFIGURATIONS -> CONNECTORS -> QUOVADIS.

Configuring an X.509 LDAP Server
As a business administrator, you can configure X.509 LDAP servers:
not tenant-specific: SYSTEM CONFIGURATIONS -> X.509 LDAP SERVERS
tenant-specific: <TENANT> -> TENANT CONFIGURATIONS -> X.509 LDAP SERVERS
As a tenant user with the right Can manage tenant configuration, you can configure a separate X.509 LDAP server for each of your tenants (5).
In this manual, the term LDAP server refers to the term X.509 LDAP server.
The following directory services (compatible with LDAP protocol version 3) are supported:
Microsoft Active Directory
OpenLDAP

Facts you need to know before configuring LDAP servers
LDAP server configuration is useful if you want to use the public S/MIME keys from your LDAP server for the Crypt Pro KeyManager. If the required public key cannot be found in the Crypt Pro KeyManager database, the LDAP servers will be searched. To do this, under <TENANT> -> TENANT CONFIGURATIONS -> WORKFLOW the option Use configured LDAP servers to retrieve public keys must be enabled and the LDAP server must be accessible.
The public key from the LDAP server is stored automatically in the database. Because the key is then already available in Crypt Pro KeyManager, no further requests to the LDAP server will be made.
5. Refer to Facts you need to know before configuring LDAP servers on page 67.

The LDAP servers are queried in the sequence in which they are displayed in the configuration view (from top to bottom).

Configuration
To configure or change an LDAP server, proceed as follows:
1. Click on ADD LDAP SOURCE or EDIT.

2. Enter the settings that are required for the LDAP server connection. The LDAP server will use the same settings for key requests:
This server is enabled: A configured LDAP server can be disabled temporarily.
LDAP host: Host name, IP address or FQDN of the LDAP server.
LDAP port: Port number of the LDAP server.
Use SSL connection: By default, the data transfer with LDAP is not secured. For a secure data transfer, we recommend selecting this option if your LDAP server supports SSL.
LDAP search base: Enter the distinguished name (DN) of the LDAP objects that shall be the search base for the public keys. Subdirectories

are included. Separate each object by a comma. Example: dc=company-x,dc=com. If you do not specify a search base, the search starts from the root entry. This might result in long query times.
LDAP attribute for e-mail: Enter an attribute name according to the schema of your LDAP server. The data that is assigned to the defined attribute is searched for the user object (using the e-mail address).
LDAP attribute for certificate: Enter an attribute name according to the schema of your LDAP server. The data that is assigned to the defined attribute is searched for the public key of the desired user (user certificate).
Authentication: If authentication is required on the LDAP server, enter the corresponding username and password.
Valid for these domains (CSV): If the LDAP server contains public keys for e-mail addresses from known domains, enter the domains in this field. This reduces the query time. If several LDAP servers are configured without specifying any domains, all LDAP servers are searched recursively. Separate each domain by a comma.
Trust status: When importing the public keys from the LDAP server to the Crypt Pro KeyManager database, the keys receive the trust status defined in this field. If your LDAP server contains trusted keys only, select the status Trusted. Refer to Trust Status (Owner Trust) for PGP Keys.
3. Click on TEST LDAP CONNECTION to test the connection between the Crypt Pro KeyManager and the LDAP server. In case of errors, please refer to General Procedure on page 149.
For further information on LDAP, please refer to your LDAP documentation.
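The lookup rules described above (server order, the enabled flag, the domain list, the e-mail and certificate attributes, and the local storage of a key once it has been found) as an added example; this is not Crypt Pro KeyManager product code. The LdapServer field names, the three sample servers and the in-memory directory standing in for the LDAP servers are constructed for the example, and the search filter is escaped according to RFC 4515.

```python
"""Routing of public-key lookups to configured X.509 LDAP servers.

Added example, not Crypt Pro KeyManager product code. It models the rules
from the manual: servers are queried in configuration order (top to bottom),
disabled servers are skipped, a server with 'Valid for these domains (CSV)'
is only queried for addresses in those domains, and a key found on an LDAP
server is stored locally so no further LDAP request is made for it.
LdapServer field names, the sample servers and the in-memory directory are
constructed for this example.
"""
from dataclasses import dataclass


@dataclass
class LdapServer:
    name: str
    enabled: bool            # 'This server is enabled'
    search_base: str         # 'LDAP search base', e.g. "dc=company-x,dc=com"
    mail_attribute: str      # 'LDAP attribute for e-mail'
    cert_attribute: str      # 'LDAP attribute for certificate'
    domains_csv: str = ""    # 'Valid for these domains (CSV)'; empty = any domain
    trust_status: str = "Unknown"  # 'Trust status' given to imported keys

    def domains(self) -> set:
        return {d.strip().lower() for d in self.domains_csv.split(",") if d.strip()}


def escape_filter_value(value: str) -> str:
    """Escape a value for an LDAP search filter (RFC 4515) so that an
    address such as 'a*@x.com' cannot turn into a wildcard match."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_filter(server: LdapServer, email: str) -> str:
    """Filter for the user object with this e-mail address that carries a certificate."""
    return "(&(%s=%s)(%s=*))" % (
        server.mail_attribute, escape_filter_value(email), server.cert_attribute)


def servers_for(email: str, servers: list) -> list:
    """Servers to query for this address, in configuration order."""
    domain = email.rsplit("@", 1)[-1].lower()
    chosen = []
    for server in servers:
        if not server.enabled:
            continue
        doms = server.domains()
        if doms and domain not in doms:
            continue
        chosen.append(server)
    return chosen


def find_public_key(email, servers, directory, local_db, queried=None):
    """Return (certificate, trust_status) for the address, or None.

    'directory' stands in for the LDAP servers: server name -> list of entries
    (attribute -> value). 'local_db' stands in for the Crypt Pro KeyManager
    database; a key found via LDAP is stored there with the server's trust
    status, so later lookups are answered locally. 'queried' collects
    (server name, filter) for every server actually contacted.
    """
    key = email.lower()
    if key in local_db:
        return local_db[key]
    for server in servers_for(email, servers):
        search_filter = build_filter(server, email)   # what a real query would send
        if queried is not None:
            queried.append((server.name, search_filter))
        for entry in directory.get(server.name, []):
            # Equivalent of the filter above, evaluated against the in-memory entries.
            if (entry.get(server.mail_attribute, "").lower() == key
                    and server.cert_attribute in entry):
                local_db[key] = (entry[server.cert_attribute], server.trust_status)
                return local_db[key]
    return None


# Constructed sample configuration: three servers in display order.
SERVERS = [
    LdapServer("ad-company-x", True, "dc=company-x,dc=com", "mail", "userCertificate",
               domains_csv="company-x.com, company-x.de", trust_status="Trusted"),
    LdapServer("openldap-partners", False, "ou=people,dc=partner,dc=org", "mail",
               "userCertificate"),
    LdapServer("openldap-public", True, "dc=public,dc=example", "mail",
               "userSMIMECertificate"),
]

# Constructed sample entries per server (certificate values are placeholders).
DIRECTORY = {
    "ad-company-x": [{"mail": "alice@company-x.com", "userCertificate": "CERT-ALICE"}],
    "openldap-partners": [{"mail": "bob@partner.org", "userCertificate": "CERT-BOB"}],
    "openldap-public": [{"mail": "carol@elsewhere.net", "userSMIMECertificate": "CERT-CAROL"}],
}


if __name__ == "__main__":
    db, contacted = {}, []
    for address in ("alice@company-x.com", "bob@partner.org",
                    "carol@elsewhere.net", "alice@company-x.com"):
        print(address, find_public_key(address, SERVERS, DIRECTORY, db, contacted))
    print("servers contacted:", contacted)
```

The second lookup for alice is answered from the local store without contacting any server, and bob's key is never found because the only server holding it is disabled.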

Configuring LDAP Authentication Server for Web Services
If you are using the HTTPS server protocol for the connection between iq.suite and KeyManager Server and have a user directory on an LDAP server, you can configure this LDAP server in the Crypt Pro KeyManager to enable an additional authentication for the requests made via the Crypt Pro KeyManager web services.

Background Information
To allow the communication between iq.suite and a KeyManager Server tenant, a Crypt-Crypt Pro KeyManager connection must be configured on the iq.suite side (6). For this configuration, you need to specify the GUID of the desired tenant in the Tenant field. If no LDAP authentication server is used in Crypt Pro KeyManager, any administrator can theoretically request certificates by means of the tenant GUID also for tenants they are not responsible for and shouldn't be allowed to access. An authentication based on a user directory minimizes this risk.
With each request to the Crypt Pro KeyManager via web services, the iq.suite client sends to the Crypt Pro KeyManager the tenant GUID and the username and user password specified in iq.suite when configuring the Crypt-Crypt Pro KeyManager connection. If you have enabled an LDAP authentication server configuration in Crypt Pro KeyManager, the Crypt Pro KeyManager checks not only whether this tenant exists in Crypt Pro KeyManager, but also whether the user is available on the LDAP server. The request from iq.suite is processed only if tenant and user exist and the user password is correct.
To configure an LDAP authentication server, proceed as follows:
1. Click on SYSTEM CONFIGURATIONS -> WEB SERVICES (for all tenants) or <TENANT> -> TENANT CONFIGURATIONS -> WEB SERVICES (tenant-specific):
6. For further information, please refer to the iq.suite Administration Manual.

Enable access authorization: This option is only available on the WEB SERVICES page under SYSTEM CONFIGURATIONS. This global configuration is not possible for each tenant individually.
2. Click on ADD LDAP SOURCE:
Please note that only one LDAP authentication server (globally or one per tenant) can be configured and used.
LDAP host: Host name, IP address or FQDN of the LDAP server.
LDAP port: Port number of the LDAP server.

Use SSL connection: By default, the data transfer with LDAP is not secured. For a secure data transfer, we recommend selecting this option if your LDAP server supports SSL.
Authorization method:
Authenticated access: The Crypt Pro KeyManager tries to log in to the LDAP server using the credentials specified in the fields Administrator DN and Administrator's password. After a successful login, Crypt Pro KeyManager checks whether the user sent from iq.suite exists on the LDAP server in the specified Username attribute. In the Basis Search DN field, enter the LDAP query statement that the Crypt Pro KeyManager will use to find the user configured in iq.suite. Example: dc=company-x,dc=com. If you do not specify a search base, the search starts from the root entry. This might result in long query times.
Bind directly as user: Crypt Pro KeyManager tries to log in to the LDAP server using the user information sent from iq.suite and the User DN. No additional authentication is performed. After a successful login, the iq.suite request is processed.
${USER}: Placeholder that is automatically replaced by the username sent by iq.suite.
3. Click on TEST LDAP CONNECTION to test the connection between Crypt Pro KeyManager and the LDAP server.
4. Save your configuration.
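The two authorization methods and the ${USER} placeholder as an added example; this is not Crypt Pro KeyManager product code. The iq.suite request fields, the in-memory directory, the service account, the tenant GUID and the DN template are constructed, a password comparison stands in for the LDAP bind, and the way the user password is verified in Authenticated access mode is an assumption (the manual does not spell it out).

```python
"""Model of the two 'Authorization method' options of the LDAP authentication
server used for Crypt Pro KeyManager web services.

Added example, not product code. The iq.suite request (tenant GUID, username,
password), the in-memory directory, the service account and the DN template
are constructed; hmac.compare_digest stands in for the LDAP bind. The manual
does not detail how the user password is checked in 'Authenticated access'
mode; here the entry found under the search base is bound with the supplied
password, which is an assumption.
"""
import hmac

USER_PLACEHOLDER = "${USER}"


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for a distinguished name (RFC 4514), so a
    username containing ',' or '=' cannot change the structure of the DN."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    out = out.replace("\x00", "\\00")
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def expand_user_dn(template: str, username: str) -> str:
    """Replace ${USER} in the 'User DN' template with the username from iq.suite."""
    if USER_PLACEHOLDER not in template:
        raise ValueError("User DN template contains no ${USER} placeholder")
    return template.replace(USER_PLACEHOLDER, escape_dn_value(username))


def bind(directory: dict, dn: str, password: str) -> bool:
    """Simulated simple bind: True if the DN exists and the password matches."""
    entry = directory.get(dn)
    return entry is not None and hmac.compare_digest(entry["password"], password)


def authorize_request(request: dict, config: dict, directory: dict, tenants: set) -> bool:
    """Decide whether a web-service request from iq.suite may be processed.

    The tenant GUID must be known, and the user must authenticate on the LDAP
    server according to the configured authorization method.
    """
    if request["tenant_guid"] not in tenants:
        return False
    username, password = request["username"], request["password"]
    if config["method"] == "bind_directly":
        # 'Bind directly as user': log in with the expanded User DN only.
        return bind(directory, expand_user_dn(config["user_dn_template"], username), password)
    if config["method"] == "authenticated":
        # 'Authenticated access': log in with the administrator account first ...
        if not bind(directory, config["admin_dn"], config["admin_password"]):
            return False
        # ... then look for the user below the 'Basis Search DN' by username attribute.
        suffix = "," + config["search_base"].lower()
        for dn, entry in directory.items():
            if dn.lower().endswith(suffix) and entry.get(config["username_attribute"]) == username:
                return bind(directory, dn, password)   # assumption, see module docstring
        return False
    raise ValueError("unknown authorization method: %s" % config["method"])


# Constructed sample directory: DN -> attributes (passwords are placeholders).
DIRECTORY = {
    "cn=km-service,ou=service,dc=company-x,dc=com": {"password": "svc-secret"},
    "uid=alice,ou=people,dc=company-x,dc=com": {"password": "alice-pw", "sAMAccountName": "alice"},
    "uid=bob,ou=people,dc=company-x,dc=com": {"password": "bob-pw", "sAMAccountName": "bob"},
}
TENANTS = {"11111111-2222-3333-4444-555555555555"}   # constructed placeholder GUID

AUTHENTICATED = {
    "method": "authenticated",
    "admin_dn": "cn=km-service,ou=service,dc=company-x,dc=com",
    "admin_password": "svc-secret",
    "search_base": "dc=company-x,dc=com",
    "username_attribute": "sAMAccountName",
}
BIND_DIRECTLY = {
    "method": "bind_directly",
    "user_dn_template": "uid=${USER},ou=people,dc=company-x,dc=com",
}


def request(username: str, password: str, guid: str = next(iter(TENANTS))) -> dict:
    """Build the request an iq.suite client would send (constructed shape)."""
    return {"tenant_guid": guid, "username": username, "password": password}


if __name__ == "__main__":
    for cfg in (AUTHENTICATED, BIND_DIRECTLY):
        print(cfg["method"], authorize_request(request("alice", "alice-pw"), cfg, DIRECTORY, TENANTS))
```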

Configuring Remote Connections
The web interface (km.admin), the Crypt Pro KeyManager server (km.backend) and the log server (km.logserver) communicate via web services. Only business administrators are authorized to configure remote connections.

Web service to the Crypt Pro KeyManager server
1. Under URL, enter the address (web service URL) of the desired Crypt Pro KeyManager server. HTTP and HTTPS are supported. By default, the URL field contains the server address from the current session.
2. Click on ADD. The entered URL is displayed in the History field.
3. If there are several known URLs, repeat these steps for each installed server.
4. Check whether the added URLs are available. For this, mark the URLs under History (holding the CTRL key) and click on CONNECTION TEST.

In case of errors, please refer to General Procedure on page 149.
5. To save your configuration, click on SAVE. To cancel your changes and revert to the last saved configuration, click on REVERT. If the server address in the URL field differs from the server address used for the last login, you will be logged out automatically after saving. With a double-click on the desired URL under History, you can change the server address to be used.
6. Log in to the web interface again. The address that was entered in the URL field before the automatic logout is displayed on the login page under Server address. If required, select a different URL from the drop-down list.

Web service to the log server
1. Enter the URL of the web service responsible for the connection to the log server (local or remote). Usually, the log server runs on the same host as the Crypt Pro KeyManager server. The log server stores the log messages related to the Crypt Pro KeyManager web interface and the Crypt Pro KeyManager server in a log file on the file system. Define the location of this file under SYSTEM CONFIGURATIONS -> LOGGING -> LOG SERVER SETTINGS. Refer to Configuring the Logging.
2. To test the connection to the web service, click on CONNECTION TEST. In case of errors, please refer to General Procedure on page 149.

Configuring Connectors
Connectors enable communication between the Crypt Pro KeyManager and external certification authorities such as D-TRUST: Using a connector, the Crypt Pro KeyManager server can request its own certificates from a certification authority. The certification authority issues the requested certificates and delivers them to the Crypt Pro KeyManager via the corresponding connector. Since the external systems (certification authorities) have different system-inherent characteristics, several connectors with different options are available.
Connectors can be configured globally for all tenants under SYSTEM CONFIGURATIONS -> CONNECTORS -> <CONNECTOR>, or for each tenant individually. In the tenant-specific configuration, you can enable the Use system configurations option to use the global connector settings available in the System Configuration. For the global configuration, tenant users need the user right Can configure global connectors.

General Connector Settings
The following options are available in all connectors:
Key pair algorithm: Algorithm that is used to generate key pairs:
RSA: RSA is used to both encrypt and sign data.
DSA: DSA can only be used to sign data. DSA is designed for key lengths no longer than bit. In case of greater key lengths, use RSA.
For the connector SIGNER, the key pair algorithm of the issuer certificate is used.
Bit length: Length of the key pair (in bit). Selectable lengths:
RSA: You can select a value between and. Default: bit.
DSA: 1 024; (default)
Note that data security increases with increasing key lengths.
Signature algorithm: Define the cryptographic hash function for creating digital signatures:
RSA:

RSA-MD5 (not recommended for security reasons)
RSA-RIPEMD160
RSA-SHA1 (no longer recommended)
RSA-SHA224
RSA-SHA256 (default)
RSA-SHA384
RSA-SHA512
DSA:
DSA-SHA1
Exceptions: For D-TRUST and WinCA, the signature algorithm cannot be configured in the respective connector. For D-TRUST, the signature algorithm is defined on the Trust Center's side; for WinCA, it is defined in the Windows CA itself.

Other Settings and Test Function:
Auto approve requests:
No (default): Certificate requests must be manually approved by a user. Note that the right Can change request status is required for this user.
Yes: Newly generated certificate requests are automatically approved. Automatic approval of certificate requests may result in high and unnecessary costs, especially for certificates issued by certification authorities. Manual approval allows certificate requests to be approved only for certain users.
Auto renew certificates:
No (default): Expiring Own Certificates are not automatically renewed. To renew them, an authorized user must renew the certificates manually. Refer to Renewing Own Certificates on page 127.
Yes: For every expiring Own Certificate, a certificate renewal is automatically requested. However, the new certificate can be created only if the request is approved. Refer to Approving Certificate Requests for Certificate Renewal on page 128.

Validate Settings and Save
Use the VALIDATE SETTINGS button to test your settings. Your settings will apply only if you have saved them by clicking on SAVE.

Common Settings for D-TRUST and QuoVadis
For general information on the Certification Service Providers (CSP) D-TRUST and QuoVadis, please refer to D-TRUST on page 79 and QuoVadis on page 81.
Description of the settings which are common to both connectors:
Use proxy server: Refer to Using a Proxy Server on page 66.
Client certificate: This certificate has to be acquired from the Certification Service Provider (CSP). It will be used during certificate requests to allow the identification of the CSP customer.
Password for client certificate: Enter the password of the client certificate.
URL: For the KeyManager server to be able to communicate with the CSP, enter the URL of the certification services of the CSP. Usually, you should keep the predefined URL:
D-TRUST:
QuoVadis:
Server certificate: This certificate is downloaded from the URL specified above to identify the accessed CSP's server. When you click on VALIDATE, details on the server certificate are displayed.

If you trust this certificate, click OK.

D-TRUST
D-TRUST operates a Trust Center in conformity with the German signature law and ETSI TS. This company offers additional, quality-assuring certifications according to ISO and TSI. D-TRUST provides, for example, certificates for digital signatures and cryptography, hardware authentication keys, PKI services, and applications. For further information on D-TRUST, please refer to the D-TRUST website.

The settings which are common with QuoVadis are described under Common Settings for D-TRUST and QuoVadis on page 78. For further information on the settings and buttons that are independent of the connector, please refer to General Connector Settings on page 76.

Connector-specific setting:

Product type: Select the product package you want to use and its validity period (in years). If the product type you want is not part of the drop-down list, select "Custom product type" and specify the desired product package in the input field.

QuoVadis

QuoVadis is an internationally accredited Certification Service Provider (CSP) which is recognized worldwide. QuoVadis provides digital certificates according to Swiss law (ZertES), European (ETSI) and global standards (WebTrust). For further information on QuoVadis, please refer to the QuoVadis website.

Also refer to Common Settings for D-TRUST and QuoVadis on page 78. For further information on the settings and buttons that are independent of the connector, please refer to General Connector Settings on page 76.

Signer

The certificates created by the SIGNER connector are signed with the CA certificate you have specified. In this manual, the CA certificate is also called issuer certificate. Please note that such CA certificates may not have been issued by an official certification authority.

Special settings for this connector:

Path to issuer certificate: To specify the path to the issuer certificate which will be used to sign the requested certificates, select the desired certificate file with the BROWSE button and click on UPLOAD. The certificate file (key pair) must be contained in a PKCS#12 container and must have the extension PFX or P12.

If you want to change your certificate selection after the upload, click on the DELETE button and repeat the steps described above.

If you have entered a path manually in a Crypt Pro KeyManager version < 3.5, we recommend that you re-specify this path using the BROWSE button, because the manual input field will be removed in a future Crypt Pro KeyManager version. If two different paths are specified, only the certificate selected via the BROWSE button is used.

Issuer certificate password: Enter the password for the certificate and click on VALIDATE.

Issuer certificate alias: When the path and the password for the certificate are correct, this field is filled out automatically. If the certificate file under Path to issuer certificate contains several aliases, select the alias with the desired private key. Otherwise, the default alias is used automatically (the first alias in alphabetical order).

Use the IMPORT ISSUER CERTIFICATE button to import the selected certificate as a trusted Root Certificate into the current tenant (in case of a tenant-specific configuration) or into the desired tenants (in case of a global connector configuration).

Store alias: You can enter a store alias to store the PKI information in the PKCS#12 structure.

Validity [days]: Enter the number of days the certificate shall be valid. Counting starts on the day of the certificate request.

To import the issuer certificate as a trusted root certificate, click on IMPORT and select the tenants for which the certificate shall be imported. On successful import, the certificate is displayed under CERTIFICATE MANAGEMENT -> ROOT CERTIFICATES.

For further information on the settings and buttons that are independent of the connector, please refer to General Connector Settings on page 76.

VR-Ident

VR-IDENT is a customer-specific connector.

WinCA

Windows Server operating systems can be extended with a customizable set of roles and services that allow an organization to set up its own Certification Authority (CA). The organization can use the Windows CA to issue, renew and revoke certificates for users and computers. For further information on how to set up and maintain a Windows CA, please refer to the documentation from Microsoft.

The KeyManager WINCA connector is intended for companies which have already set up a Windows CA and want to use it to issue Own Certificates for the communication of their employees. The advantage of managing these certificates in KeyManager is that they can be used in iq.suite for signing, encryption, decryption and verification of e-mails. Since the certificates issued by a Windows CA are usually not derived from a commonly trusted root certificate, communication partners have to trust these certificates explicitly. Issuing certificates from a Windows CA normally does not generate additional costs per certificate.

The WINCA connector uses certreq.exe, which is part of current Windows systems, as its underlying command processor.

System Requirements

In this manual, we assume that the KeyManager server and the Windows CA server run on separate computers and are in the same domain. KeyManager needs to run as a computer of the domain or as a domain user so that the required rights can be assigned in the certificate template used. When KeyManager runs, for example, as a local computer administrator, the WinCA connector is not supported.

The WINCA connector is tested and supported on Windows Server 2008 R2 and Windows Server 2012 R2.

A correct and complete installation and configuration of the Windows CA is required.

First Steps (before Connector Configuration)

Before starting to configure the WINCA connector in KeyManager, you have to create an appropriate certificate template in the MMC console of the Windows CA:

How to create a new User Certificate Template?

The default User Certificate Template available on a Windows CA cannot be used for iq.suite KeyManager. Therefore, you have to create a new Certificate Template (e.g. named SMIME_User):

1. On the Windows CA server, clone the existing User Certificate Template:
   a) Open Run..., type certtmpl.msc and click OK.
   b) Right-click the USER template and select DUPLICATE TEMPLATE.
2. In the Properties of the new template, change the following settings:
   a) In the Subject Name tab, select the option "Supply in the request".

   b) In the Security tab, add the KeyManager server (e.g. kmserver) and set the permissions Read, Write and Enroll to "Allow".
   c) Click APPLY and OK to save your changes.
3. Verify that you are logged in with the Domain Administrator account, e.g. winca.internal\administrator.
4. In the MMC console, add a new Snap-in as follows:

   Click FILE -> ADD/REMOVE SNAP-IN... Then, select Certification Authority from the list of available snap-ins and click ADD.
5. Expand the Certification Authority tree until you see the Certificate Templates folder.
6. Right-click the Certificate Templates folder and select NEW -> CERTIFICATE TEMPLATE TO ISSUE.
7. In the Enable Certificate Template window, select the previously created SMIME_User template.
8. Open services.msc and restart the Active Directory Certificate Services service.

Always restart the Active Directory Certificate Services after changing any values inside an active template, especially after changing security settings such as access rights.

Connector Configuration

Path to certreq.exe: The WINCA connector uses the Windows certreq.exe command-line tool to request certificates from the Windows CA. This tool is available by default on Windows Server operating systems. Enter a valid path to the certreq.exe installed on the computer on which the KeyManager server is running. Default path: C:\Windows\System32\certreq.exe. For further information on this tool, please refer to the Microsoft documentation.

CA connection string: Specify the connection string of the Windows CA to be used by the connector. This is a combination of the host name on which the Windows CA is running and the CA name:

CAHostName\CAName

Example: SRVWINCA\winca-SRVWINCA-CA

The CA name is the name displayed on the corresponding node in the Certification Authority snap-in.

Verbose logging: With "Yes", KeyManager gathers more detailed message output in the logs.

Certificate template: Enter the name of the User Certificate Template that was previously created on the Windows CA server. Refer to How to create a new User Certificate Template? on page 85.

If KeyManager and the Windows CA are in the same domain, the settings for Authentication and RPC Connection are not required. These settings correspond respectively to the following certreq parameters: -user, -p <Password> and -crl.

For further information on the settings and buttons that are independent of the connector, please refer to General Connector Settings on page 76.

Configuring the Logging

As a business administrator, you can configure the Crypt Pro KeyManager logging (Crypt Pro KeyManager server and web interface) under SYSTEM CONFIGURATIONS -> LOGGING.

Defining a Log Server for Crypt Pro KeyManager Logging

Under Send logs to, define the log server that receives the log messages of the Crypt Pro KeyManager web interface and the Crypt Pro KeyManager server:

Log server host: Host name, FQDN or IP address of the server to which the log messages are sent.

Log server port: Port number of the server to which the log messages are sent. If the log server is available on a remote application server or on another web container server, it might be necessary to open the entered port in the firewall.

Defining a Log Level for Crypt Pro KeyManager Logging

Log levels: Define the level of detail of the log messages. The default log level DEBUG (recommended) applies to both the Crypt Pro KeyManager log file and the EVENTS page (for further information on the log files and the Events page, please refer to Log Files on page 149 and Events: KeyManager Logs on page 150). Use the other log levels only in particular situations, e.g. for troubleshooting or to minimize the size of the log files.

TRACE: Most detailed information on method calls and user interactions that caused an error.
DEBUG: Debug information on method calls and user interactions that caused an error.
INFO: Information on runtime events. Example: User creation successfully finished.
WARN: Information on non-critical errors that might be resolved later on, e.g. in the case of rejected APIs or undesirable runtime situations.
ERROR: Information on errors or unexpected situations that inhibit the normal functionality of the application.

Subordinate log levels are selected automatically together with the selected log level. Example: If you select DEBUG, log messages of the types INFO, WARN and ERROR are written as well.

Configuring a Log Server for Crypt Pro KeyManager Logging

Define where and how to store the Crypt Pro KeyManager log messages (Crypt Pro KeyManager server and Crypt Pro KeyManager web interface) in the file system:

Port: Port number on which the log server listens for log messages. Usually, this is the same as the port number for the Crypt Pro KeyManager log messages.

Prefix: This prefix is added to the Crypt Pro KeyManager log files:

<prefix>.log.xml: current log file. All log messages in this log file are displayed under EVENTS. Refer to Events: KeyManager Logs on page 150.
<prefix>.log.<backup_index>.xml: backup log files for older log messages (refer to the description of the Max. file size [KB] field).

Directory: Path to the directory which contains the log files. Default: the path specified in the environment variable KMS_CONFIG_DIR. Refer to Setting Environment Variables on page 16.

Backup files number: Maximum number of backup files. When the limit is exceeded, the oldest backup files are deleted.

Max. file size [KB]: When a log file reaches the maximum size, a backup file with the content of the log file is created. A new log file is created to store the current log messages.

Configuring Default Values for Certificate Requests

To create certificates, not only personal data such as first name, last name and e-mail address is required, but also general data which is common to a group of persons, e.g. company name, department or country. General data can be specified on the DEFAULTS page.

When iq.suite requests a certificate from the KeyManager, iq.suite provides first name, last name and e-mail address. If no valid certificate is available for the user in KeyManager, this data and the defaults are used to issue a new certificate.

To renew certificates, KeyManager uses the data from the existing certificate, but overwrites this data right before the certificate renewal with the (possibly updated) data from the DEFAULTS page.

In the input mask for manual certificate requests, the defaults can be used to pre-fill fields with standard values.

Which values are required for the creation or renewal of certificates, and which restrictions apply to these values, depends on the connector used and possibly also on your agreements with the issuing CA. For example, the domain of the e-mail address may be preset, or the CA may require that the certificate request does not contain a Department (OU).

You can specify default values for certificate requests relevant to all tenants under SYSTEM CONFIGURATIONS -> DEFAULTS (as a business administrator) or only for certain tenants under <TENANT> -> TENANT CONFIGURATIONS -> DEFAULTS. As a tenant user, you need the right "Can manage tenant configuration" (refer to Important Information before Configuration on page 108).

Title: Title of the user for whom the certificate is requested. This field is only used to pre-fill the input mask for manual certificate requests. In case of an automatic certificate creation/renewal, this field is not used.

Company (O), Department (OU): Name of the company/department for which the certificate is requested.

Country, State, Locality: Location of the company for which the certificate is requested.

Comment: You can use this field to enter a comment. Example: Company X is a subsidiary of the Company X Group.

Fields of the DEFAULTS page which have no value are not used for the creation of certificates. In case of a certificate renewal, the values from the existing certificate are kept for empty default fields. If a field in the existing certificate shall no longer be used for the renewal of the certificate, set the value [empty] in the corresponding field.

4.3 Configuring Tenants

Under TENANTS the following actions can be performed:

Create tenants. Refer to Creating Tenants on page 55.
Edit/Delete tenants. Refer to Editing/Deleting Tenants on page 94.
Switch to the desired tenant. Refer to Switching to the Tenant Context on page 95.

As a business administrator, you may perform these actions without restrictions. As a tenant user, you only have access to the tenants you are assigned to.

Editing/Deleting Tenants

To change the name and/or the label of existing tenants, click on EDIT. The GUID cannot be changed and is used to identify the tenant to external parties (e.g. iq.suite clients) that deliver keys/certificates to or from the Crypt Pro KeyManager.

To delete a tenant, select the desired tenant in the tenant view and click on DELETE. By deleting a tenant, all tenant-related certificate data and settings are deleted from the database and cannot be restored.

Several behaviors are possible when deleting a tenant (e.g. Unit_01) to which a user (e.g. bzidane) is assigned:

Case 1: When the tenant was deleted, the tenant user bzidane was logged in to the web interface and had already switched to the tenant Unit_01. bzidane is logged out automatically, since Unit_01 no longer exists. Therefore, the user is prevented from continuing to work with the deleted tenant.

Case 2: When the tenant was deleted, the tenant user bzidane was logged in. However, he had not switched to the tenant Unit_01. bzidane is not logged out.

Case 3: When the tenant was deleted, the tenant user bzidane was not logged in.

In all cases, bzidane receives a system notification.

Switching to the Tenant Context

To switch to the tenant-specific configurations (<TENANT> -> TENANT CONFIGURATIONS and <TENANT> -> CONNECTORS) or to call up the certificates and certificate requests of a tenant (<TENANT> -> CERTIFICATE MANAGEMENT), select the desired tenant under TENANTS. Then, click on SWITCH TENANT.

In the navigation area, the selected tenant is displayed with all subordinate, tenant-related navigation items. As a business administrator, all tenant-related navigation items are displayed. As a tenant user, the displayed navigation items depend on the access rights.

Exporting/Importing Tenants

As a business administrator, you can export all tenant data (including configuration, connectors and certificates of the tenant) from a KeyManager server and then import it into another KeyManager server. The tenant data is exported or imported in an XML file:

KMS_exported_tenant_for_<Tenant name>_on_dd.mm.yyyy-hh.mm.ss.xml

The export/import procedure can, for example, make sense if you use a KeyManager production server and a KeyManager test server. On the test server, new features and a changed configuration can be tested for a tenant, for example after a KeyManager update. If no issues are encountered during the test, the tenant can be imported into the production server. The tenant is not removed from the KeyManager database during export.

Exporting a tenant

To export a tenant, proceed as follows:

1. Select the desired tenant.
2. Click on the EXPORT button and confirm the export. The export progress is displayed.
3. Save the file.

Importing a tenant

To import a tenant, proceed as follows:

1. Click on the IMPORT button.

2. Select the file to be imported.
3. Click on UPLOAD -> NEXT. An overview of the tenant data to be imported is displayed.
4. Click on IMPORT TENANT -> NEXT. In case of a successful import, the tenant is displayed with its name and GUID. A message confirms the successful import of the mentioned tenant.
5. To complete the import, click on FINISH.

Searching Tenants

Use the search function to search for particular tenants. The search function searches within the following tenant properties:

Tenant name
Tenant label
Tenant GUID

In the search field, enter the search string and click on the search icon. KeyManager lists all tenants for which at least one of the properties mentioned above contains this string. Placeholders such as the asterisk (*) or the question mark (?) are not permitted. The search function is not case-sensitive.

Search example: To display all tenants containing the string Unit in the tenant name, enter e.g. unit or Unit.

4.4 Configuring the User Environment

Resetting User Passwords

To reset a user password, proceed as follows:

1. On the login page, click on the link Forgotten password.
2. In the wizard, enter either the username or the user password.
3. Click on SEND REQUEST -> FINISH.

The user receives two e-mails. The first contains a link to reset the password.

The generated link is only valid for 60 minutes. After this period has expired, another password must be requested.

The second e-mail contains the newly generated password.

On success, a corresponding system message is displayed. To log in to the web interface, click on the link To the login page. After the first login, you can change the generated password under MY PROFILE. Refer to Changing Personal User Data and Password on page 100.

On error, an error message is displayed. To request a new password, click on To the login page.

Changing Personal User Data and Password

As a business administrator or as a tenant user with the right "Can edit own profile", you may change your e-mail address, your notification language and your password under MY PROFILE. Business administrators can additionally change their own full name and username.

Notification language: Language of the system notifications that are sent to the user (default: English; for further information on system notifications, please refer to System Notifications on page 101). The notification language can differ from the language used for the web interface.

Change Password: Click on Change Password to display the password options.

System Notifications

System notifications are all messages generated automatically by the Crypt Pro KeyManager. Depending on the events that occur while the Crypt Pro KeyManager server is running, notifications are sent to the responsible users (refer to the table below).

Test e-mails are only sent to the user's e-mail address. All other system notifications are additionally sent to the user's inbox (<FULL NAME> -> INBOX). For further information on the mail server, please refer to Changing the Mail Server Configuration on page 65.

The following table lists the situations in which users receive a system notification:

Situation: Mail server configuration (Test e-mail): Test connection with the mail server.
Recipient of the System Notification: A test e-mail is sent to the address entered in the Recipient of the test e-mail field.

Situation: User X changes the password of user Y.
Recipient of the System Notification: User Y is notified.

Situation: User X creates user Y with the option Use auto-generated password.
Recipient of the System Notification: User Y receives the generated password.

Situation: User X requests a new password for user Y.
Recipient of the System Notification: User Y is notified.

Situation: Forgotten password: User X requests a new password for himself/herself.
Recipient of the System Notification: User X receives an e-mail to reset his/her password.

Situation: Forgotten password: User X resets his password.
Recipient of the System Notification: User X is notified of his/her reset password. The e-mail contains the new password.

Situation: User X changes the Notification language for user Y.
Recipient of the System Notification: User Y is notified.

Situation: User X enables User Y.
Recipient of the System Notification: User Y is notified.

Situation: User X disables User Y.
Recipient of the System Notification: User Y is notified.

Situation: User X deletes tenant A from tenant user Y.
Recipient of the System Notification: Tenant user Y is notified.

Situation: The certificate <name> will expire soon.
Recipient of the System Notification: Business administrators and authorized tenant users are notified when certificates for tenants they are assigned to are about to expire.

Situation: The certificate has been revoked due to CRL status check.
Recipient of the System Notification: Business administrators and authorized tenant users are notified when certificates for their tenants have been revoked due to a CRL status check.

The following actions can be performed in the INBOX:

Change the status of the system notifications or archive the notifications that shall be kept. For this, select the desired option (Unread, Read or Archived). Then, click on REFRESH.
Filter the system notifications according to the status All, Read, Unread or Archived.
Delete system notifications that are no longer required from the database table km_messages with DELETE.
Rearrange the table elements. Refer to User-Specific Display Options on page 107.

To display archived messages in the inbox again (unarchive), proceed as follows:

1. Select the filter option Archived.
2. Mark the desired messages and select Unarchive.

3. Click on REFRESH.

Since the archived messages are marked as Read (including the previously unread ones), the unarchived messages are only displayed with the filter options All or Read.

Managing Users

Under USERS you can perform the following actions:

Create users. Refer to Creating Users on page 59.
Enable, disable or delete users. Refer to Enabling/Disabling/Deleting Users on page 104.
Edit user data or user rights. Refer to Changing User Data and User Rights on page 105.

To refresh the information displayed on the web interface, click on the refresh icon.

Enabling/Disabling/Deleting Users

Newly created users are enabled automatically. Click on DISABLE to temporarily prevent selected users from accessing the KeyManager Server, e.g. in order to edit user profiles (e-mail address, access rights, etc.).

Disabled users remain in the database with all user-specific settings and can be activated again with the ENABLE button. Deleted users are completely removed from the database and cannot be restored.

To display the user properties, mark the desired user and click on the properties icon (top right). To hide the user settings, close the Properties tab with its close icon.

Changing User Data and User Rights

Only business administrators are allowed to change the user data and user rights of any user (EDIT button; for further information, please refer to Creating Users on page 59). As soon as user data is changed, the edited user is logged out automatically.

Tenant users can only change some data in their own user profile, provided that they have the right "Can edit own profile" (refer to Changing Personal User Data and Password on page 100). Changing their own user data does not cause a logout.

Searching Users

Use the search function to search for particular users. The search function searches within the following user properties:

E-mail address
Username
Full name

In the search field, enter the search string and click on the search icon. KeyManager lists all users for whom at least one of the properties mentioned above contains this string. Placeholders such as the asterisk (*) or the question mark (?) are not permitted. The search function is not case-sensitive.

Search example: To display all users containing the string mann in the username (e.g. Mustermann, Lehmann, Dahlmann), enter mann.

4.5 User-Specific Display Options

On every page in the CERTIFICATE MANAGEMENT section, you can use the SHOW/HIDE COLUMNS button to show or hide columns as you like.

On every page containing a table (e.g. INBOX, CERTIFICATE MANAGEMENT pages, CERTIFICATE AUDIT, EVENTS), you can perform the following actions:

To change the order of columns, press the left mouse button on the column header and drag horizontally to the desired position.
To change the column width, place the cursor at the end of the column header and, with the left mouse button pressed, move slightly until the desired width is reached.
To sort the table entries, click on the desired column header. Example: To sort the system notifications by subject on the INBOX page, click on the column header Subject.

On all pages under CERTIFICATE MANAGEMENT, the user-specific changes are saved automatically and remain in effect for this user until the user makes changes again. This customization cannot be made per tenant.

4.6 Tenant-specific Configuration

Important Information before Configuration

As a business administrator or as a tenant user with the right "Can manage tenant configuration", you can decide for each tenant whether to configure tenant-specific settings or to use the system configuration. Exception: The workflow can only be configured for each tenant individually.

As a business administrator, you can configure all existing tenants. As a tenant user, you can only configure tenants that are assigned to you.

For tenant-specific configuration, switch to the desired tenant (refer to Switching to the Tenant Context on page 95) and disable the option "Use system configurations".

Configuring the Workflow

Under <TENANT> -> TENANT CONFIGURATIONS -> WORKFLOW you can configure general tenant-specific workflow settings and settings for checking the status of S/MIME certificates (refer to Important Information before Configuration on page 108).

Main Settings

Default connector: This is the connector responsible for creating new Own Certificates when certificates are requested via the private web service. Manually created certificate requests are not affected by this setting.

Use configured LDAP servers to retrieve public keys: Define whether the configured X.509 LDAP server shall be used to retrieve public S/MIME keys (for further information on the LDAP server configuration, please refer to Configuring an X.509 LDAP Server on page 67).

Enable billing for tenant (for S/MIME and PGP): Crypt Pro KeyManager counts the number of outgoing encrypt and sign operations that iq.suite performs using certificates or keys from the Crypt Pro KeyManager. In addition to the unique tenant ID (tenantguid), the number of operations (count) and the time when reporting started/ended (startdatetime / enddatetime), the following billing information is stored in the Crypt Pro KeyManager database table km_billing_info:

id: Primary key.

reportedby: Name of the iq.suite server that sends the billing information.
operation: Defines the type of operation assigned to the count value: Encrypt (1) or Sign (2).

Note: iq.suite receives an error code from the Crypt Pro KeyManager when billing is not enabled for a given tenant.

Certificate Renewal

Certificate expiration threshold [days]: Define how many days before the certificate's expiration date the Own Certificates shall be renewed. At this point in time, new certificates are requested to replace the expiring certificates. If required, the user responsible for the tenant (the user assigned to the tenant) can be notified (refer to Notify responsible users of expiring certificates). With both options, the user can react early to avoid delays in the renewal of certificates.

Notify responsible users of expiring certificates: When a tenant's Own Certificate is about to expire, the user responsible for this tenant can be notified. Also refer to the description of the Certificate expiration threshold [days] field.

Use Defaults when renewing certificates: If this option is enabled, KeyManager will use the defaults specified for the tenant when creating a certificate renewal request. If this option is disabled, KeyManager will retrieve the required information from the certificate that is being renewed.

Auto approve every certificate renewal request: A certificate renewal is requested if a certificate expires or if a user has manually enabled the certificate renewal (15). If you set this option to Yes, such requests can be automatically approved and, in case of approval, the corresponding certificates are requested. Automatic approval of certificate requests may result in high and unnecessary costs, especially for certificates issued by certification authorities. Manual approval allows certificate renewal requests to be approved only for certain users. Another way to avoid unnecessary costs is to make appropriate settings under Auto Approval of Certificate Requests:

Check last certificate usage date on auto approval: Define whether to consider the Last used date of the certificate when the certificate has to be automatically renewed according to the Certificate expiration threshold. Before renewing, the KeyManager looks at the Last used date (16). If this date is older than the number of days specified in the Certificate usage threshold [days] field, the certificate will not be renewed. With this option, you can avoid that unneeded Own Certificates are automatically renewed, in order to minimize the costs for the creation of new certificates.

Example: The certificate for David Galler expires on 06/30/2015. The Certificate expiration threshold is 30 days. According to this threshold, the renewal date will be 06/01/2015. The Certificate usage threshold is 60 days. If the certificate was not used within 60 days before 06/01/2015, the certificate will not be renewed.

15. For further information on renewing certificates, please refer to Renewing Own Certificates.
16. You can display the Last used date information on the OWN CERTIFICATES page by using the SHOW/HIDE COLUMNS button.
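The renewal decision described above (expiration threshold, usage threshold and the David Galler example), as an added illustration that is not KeyManager code; the data classes and function names are assumptions, and the renewal date is taken as the first day on which fewer than the threshold number of days remain, which reproduces the page's 06/01/2015:

```python
"""Certificate renewal decision modelled on the Workflow settings above.
Added example, not KeyManager code; thresholds and dates come from the
page's worked example, the class and function names are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional


@dataclass
class OwnCertificate:
    subject: str
    not_after: date                 # certificate expiration date
    last_used: Optional[date]       # "Last used" column; None if never used
    auto_renew: bool = True         # "Auto renew" column


@dataclass
class WorkflowSettings:
    expiration_threshold_days: int = 30   # Certificate expiration threshold [days]
    check_last_usage: bool = False        # Check last certificate usage date on auto approval
    usage_threshold_days: int = 60        # Certificate usage threshold [days]


def renewal_date(cert: OwnCertificate, settings: WorkflowSettings) -> date:
    """First day on which fewer than expiration_threshold_days remain.

    Assumption: this is how the page arrives at 06/01/2015 for a certificate
    expiring on 06/30/2015 with a 30-day threshold."""
    return cert.not_after - timedelta(days=settings.expiration_threshold_days - 1)


def renewal_decision(cert: OwnCertificate, settings: WorkflowSettings, today: date) -> str:
    """Returns one of: auto-renew-disabled, not-due, skipped-unused, renew."""
    if not cert.auto_renew:
        return "auto-renew-disabled"
    due = renewal_date(cert, settings)
    if today < due:
        return "not-due"
    if settings.check_last_usage:
        # The Last used date must fall inside the usage window before the renewal date;
        # otherwise the request is not auto-approved (responsible users can be notified).
        cutoff = due - timedelta(days=settings.usage_threshold_days)
        if cert.last_used is None or cert.last_used < cutoff:
            return "skipped-unused"
    return "renew"


def run_example() -> Dict[str, str]:
    """The page's example: expiry 06/30/2015, thresholds 30 and 60 days."""
    settings = WorkflowSettings(30, True, 60)
    unused = OwnCertificate("David Galler", date(2015, 6, 30), date(2015, 3, 15))
    active = OwnCertificate("David Galler", date(2015, 6, 30), date(2015, 5, 10))
    due = renewal_date(unused, settings)
    return {
        "renewal_date": due.isoformat(),
        "usage_cutoff": (due - timedelta(days=60)).isoformat(),
        "day_before": renewal_decision(unused, settings, date(2015, 5, 31)),
        "unused_on_due_date": renewal_decision(unused, settings, date(2015, 6, 1)),
        "active_on_due_date": renewal_decision(active, settings, date(2015, 6, 1)),
        "no_usage_check": renewal_decision(unused, WorkflowSettings(30, False, 60), date(2015, 6, 1)),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```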

Notify responsible users of not approved certificate requests: In case certificate renewal requests have not been automatically approved due to the last certificate usage date, the users responsible for these certificates will be notified.

CRL: Check Certificates for Trust Status and Revocation

Use proxy server: For CRL requests via the Internet, a proxy server can be used. This proxy server must be set under GENERAL SETTINGS -> PROXY SERVER. Refer to Using a Proxy Server on page 66.

The S/MIME certificates stored in the Crypt Pro KeyManager database can be automatically checked for validity by using CRLs:

Enable CRL: The Crypt Pro KeyManager collects the CRL URIs from the corresponding extension field of the X.509v3 certificates. In configurable time intervals, Crypt Pro KeyManager checks which certificates have been revoked. Depending on this information, the trust status is updated. Only CRLs that can be accessed via HTTP or HTTPS can be requested; the Crypt Pro KeyManager does not support LDAP for CRL requests. The URI to the CRL is defined in the certificate: [screenshot]

Check CRL: Define the time intervals for the CRL status check (Every day at <HH:MM> or Every <xy> hours).

Procedure for the CRL status check: For every tenant, the Crypt Pro KeyManager checks whether the CRL status check is enabled (Enable CRL option). For each tenant with enabled CRL status check, the CRL is requested for all S/MIME certificates (Check CRL option). Exception: When you enable both options for the first time, the first CRL request is triggered right after saving.

Defining Default Values for Certificate Requests

Refer to Configuring Default Values for Certificate Requests.

Configuring the Mail Server

You can configure tenant-specific mail servers under <TENANT> -> TENANT CONFIGURATIONS -> MAIL SERVER.

For further information, please refer to Important Information before Configuration on page 108 and Configuring the Mail Server (SMTP Server) on page 53. Note that tenant-specific mail servers only send system notifications to inform about the expiration or the CRL revocation status of certificates.

Configuring an X.509 LDAP Server

For a tenant-specific LDAP server configuration (<TENANT> -> TENANT CONFIGURATIONS -> X.509 LDAP SERVERS), proceed as described under Configuring an X.509 LDAP Server on page 67. Refer as well to Important Information before Configuration.

Configuring Connectors

Under <TENANT> -> CONNECTORS -> <CONNECTOR>, you can configure connectors for the selected tenant. For this, tenant users need the user right Can configure tenant connectors. With the Use system configurations option, you can decide for each connector whether to use the settings made under SYSTEM CONFIGURATIONS -> CONNECTORS -> <CONNECTOR>. Example for D-TRUST in the Unit_02 tenant: [screenshot]

For further information on the connectors and their configurations, please refer to Configuring Connectors on page 76.

4.7 Managing S/MIME Certificates

Managing S/MIME certificates for each tenant individually is possible under <TENANT> -> CERTIFICATE MANAGEMENT -> <CERTIFICATE TYPE>. For business administrators and tenant users who are responsible for multiple tenants, multi-tenant views are available under SYSTEM CONFIGURATIONS -> CERTIFICATE MANAGEMENT. In the multi-tenant views, KeyManager users get an overview of all certificates existing in the tenants they are responsible for. The Tenant name column allows sorting the certificates by tenant. If the same certificate is available in different tenants and you want to select this certificate in all tenants, e.g. to perform the same action in all tenants at once, click SELECT FOR ALL TENANTS in the context menu: [screenshot]

As a business administrator or as an authorized tenant user, you can perform the following actions:
- Display/Search certificates
- Import/Export S/MIME certificates
- Change the trust status of certificates
- Delete certificates
- Renew Own Certificates
- Revoke Own Certificates

For certain actions, you can enter a comment which will be logged. Refer to Certificate Audit on page 146.

For further information on the subjects listed above, please refer to the corresponding chapters below.

Types of S/MIME Certificates

Root Certificates

The Root Certificates in the KeyManager Server are used to determine the trust status of Own Certificates and External Certificates when the trust status is calculated by using the certificate chain. [screenshot]

Common Name (CN): The term Common Name is used for root certificates. The superordinate entry (in this example AddTrust AB) corresponds to the name of the certification authority. The subordinate root certificates originate from this organization.

Trust status/trust method: Refer to Trust Method and Trust Status of S/MIME Certificates on page 122.

Default root certificates can already be imported when the respective tenant is created (17). Alternatively, you can import the desired root certificates after the tenant has been created (IMPORT button). Use the search function to search for a specific certificate. Refer to Searching Certificate Requests or Certificates/Keys.

Own Certificates

Own Certificates are key pairs that consist of one public and one private key. Usually, this type of certificate is designed for employees inside the company (tenant). By contrast, the external certificates are from persons external to the company. Own Certificates are used to sign e-mails addressed to external persons and to decrypt received e-mails. Own Certificates can be imported (18) or issued via a connector (<TENANT> -> CONNECTORS) (19). [screenshot]

E-mail: The e-mail address of the user for whom the certificate was issued. The address of the logged-in user is displayed in blue.

17. Refer to Creating Tenants.
18. Refer to Importing S/MIME Certificates or PGP Keys.
19. Refer to Requesting Certificates on page 124.

Trust status/trust method: Refer to Trust Method and Trust Status of S/MIME Certificates on page 122.

Status: This status information does not depend on the trust status. This information is given by the certificate issuer.

Auto renew (Yes/No): Certificates will be automatically renewed if the automatic renewal is enabled (Yes). Besides the connector setting, there are other possibilities to enable/disable the automatic renewal. Certificates can also be renewed manually. Refer to Renewing Own Certificates on page 127.

REVOKE: Use this button to revoke Own Certificates which were created with the VR-IDENT connector. After revocation, the certificate receives the status Revoked.

Trust status and Status are two different concepts: A Not trusted certificate is not necessarily a Revoked certificate, and vice versa. The revocation is reported to the issuing certification authority and then transmitted to all third parties which are using the revoked certificate. In contrast, the trust status is handled locally within the infrastructure that uses the certificate; the issuing certification authority is not informed of the trust status change.

Revoking a certificate cannot be undone. Imported certificates which are not linked to a connector or whose issuing connector is unknown to the KeyManager cannot be revoked.

Use the search function to search for a specific certificate. Refer to Searching Certificate Requests or Certificates/Keys on page 141.

External Certificates

External certificates only contain public keys from persons who are external to the company (e.g. business partners, customers). They are used for encryption and signature verification. [screenshot]

Trust status/trust method: Refer to Trust Method and Trust Status of S/MIME Certificates on page 122.

Status: This status information does not depend on the trust status. This information is given by the certificate issuer.

Use the search function to search for a specific certificate. Refer to Searching Certificate Requests or Certificates/Keys.

Certificate Properties

In the table under <TENANT> -> CERTIFICATE MANAGEMENT -> <CERTIFICATE TYPE>, some certificate properties are displayed, e.g. issue/expiration date, issuer, trust status. Additional certificate-related information can be found in the Certificate Viewer. For further information on the trust status of S/MIME certificates, please refer to Trust Method and Trust Status of S/MIME Certificates on page 122.

Certificate Viewer for S/MIME

In the certificate table, double-click on a certificate to open the Certificate Viewer. The viewer displays certificate-related information according to the X.509v3 standard. General information on the certificate is displayed in the Overview tab: [screenshot]

The Details tab shows details on the certificate: [screenshot]

Certificate Chain: A certificate chain consists of several certificates, each signed by the next one up. The last certificate is the root certificate. If the root certificate is trusted, all certificates derived from the root certificate are generally trusted as well (exception: revoked certificates).

Certificate Fields/Field Contents: To display the content of a certificate field, click on the certificate field.

Log tab

The Log tab logs actions carried out on the certificate: [screenshot]

The following actions are logged:
- Change of trust status, e.g. from Unknown to Trusted.
- Activation of Automatic Renewal

- Deletion
- Import

This log information is also available under CERTIFICATE AUDIT. Refer to Certificate Audit.

Trust Method and Trust Status of S/MIME Certificates

Trust method: The trust status of a certificate can be set manually by an authorized user (refer to Manually set trust status on page 122) or calculated via certificate chain lookup or via CRL (refer to Calculated trust status on page 122). A trust status that is set manually has a higher priority than a calculated one. Under <TENANT> -> CERTIFICATE MANAGEMENT -> <CERTIFICATE TYPE>, the Trust method column displays the method used to define the trust status of the certificate (Manual or Calculated).

On the certificates pages, select the certificate(s) for which you want to change the trust status and select the desired trust status from the drop-down list. Then click on CHANGE. [screenshot]

Manually set trust status

Setting the trust status manually means that only you as a user decide on the trust status of the certificate. This is the case if you select one of the following statuses:
- Trusted: You trust the certificate.
- Not trusted: You do not trust the certificate.
- Unknown: If you do not have enough information to decide on the trust status of a certificate, select Unknown. This option is usually used for root certificates.

Calculated trust status

If you select the status Calculated, the trust status is calculated automatically with the certificate chain or via CRL, depending on the WORKFLOW settings: If you want to use CRL, enable the corresponding option. Refer to Configuring the Workflow on page 109.

If you set the trust status to Calculated and no CRL is used, the certificate is checked for validity first. If the certificate is valid, the trust status is calculated by means of the certificate chain (derived trust status). The Unknown status is automatically assigned to imported root certificates (except default root certificates (20)) as well as to imported intermediate certificates for which no trusted issuer certificate exists in the Crypt Pro KeyManager database.

In the Overview tab, details on the certificate's trust status are displayed: [screenshot]

Certificates coming from the Crypt Pro KeyManager with the Unknown status are set by the iq.suite to Not trusted.

20. For further information on the default root certificates, please refer to Creating Tenants on page 55.
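The trust rules from the CRL section and this section combined into one model: manual status beats calculated, validity is checked before the chain, revocation found via an HTTP(S) CRL sets Not trusted, a missing or untrusted issuer yields Unknown, and iq.suite treats Unknown as Not trusted. This is an added example and not KeyManager code; subjects, serials and the .invalid CRL URIs are constructed, and the CRL result is a hand-built dictionary standing in for a downloaded CRL.

```python
"""S/MIME trust status calculation modelled on the rules on this page.
Added example, not KeyManager code; all names, serials, dates and URIs are
constructed, and `revoked` stands in for the result of a real CRL download."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional, Set, Tuple

TRUSTED, NOT_TRUSTED, UNKNOWN = "Trusted", "Not trusted", "Unknown"


@dataclass
class Cert:
    subject: str
    issuer: Optional[str]                 # None => self-signed root
    serial: int
    not_after: date
    manual_status: Optional[str] = None   # set => trust method "Manual"
    crl_uris: Tuple[str, ...] = ()        # URIs from the certificate's CRL extension


def trust_method(cert: Cert) -> str:
    return "Manual" if cert.manual_status else "Calculated"


def usable_crl_uris(cert: Cert) -> Tuple[str, ...]:
    """KeyManager only requests CRLs over HTTP/HTTPS; ldap:// entries are ignored."""
    return tuple(u for u in cert.crl_uris if u.lower().startswith(("http://", "https://")))


def calculate_trust(cert: Cert, store: Dict[str, Cert], today: date,
                    revoked: Optional[Dict[str, Set[int]]] = None, _depth: int = 0) -> str:
    """store: tenant certificates keyed by subject; revoked: issuer -> revoked serials
    (None = CRL check disabled). Assumption: revocation is only visible when the
    certificate carries at least one HTTP(S) CRL URI, because LDAP CRLs are not fetched."""
    if cert.manual_status:                     # manual status has priority
        return cert.manual_status
    if today > cert.not_after:                 # validity check comes first
        return NOT_TRUSTED
    if (revoked is not None and cert.issuer is not None and usable_crl_uris(cert)
            and cert.serial in revoked.get(cert.issuer, set())):
        return NOT_TRUSTED
    if cert.issuer is None:                    # imported root without manual decision
        return UNKNOWN
    issuer = store.get(cert.issuer)
    if issuer is None or _depth > 16:          # no issuer certificate in the database
        return UNKNOWN
    parent = calculate_trust(issuer, store, today, revoked, _depth + 1)
    return TRUSTED if parent == TRUSTED else UNKNOWN   # derived trust status


def iqsuite_view(status: str) -> str:
    """iq.suite treats Unknown as Not trusted."""
    return NOT_TRUSTED if status == UNKNOWN else status


def demo() -> Dict[str, str]:
    today = date(2018, 9, 1)
    root = Cert("AddTrust AB", None, 1, date(2030, 1, 1), manual_status=TRUSTED)
    ca = Cert("Company X CA", "AddTrust AB", 7, date(2025, 1, 1),
              crl_uris=("http://crl.placeholder.invalid/root.crl",))
    david = Cert("david.galler@company-x.com", "Company X CA", 1001, date(2019, 6, 30),
                 crl_uris=("ldap://dir.placeholder.invalid/cn=crl",
                           "https://crl.placeholder.invalid/ca.crl"))
    partner = Cert("partner@company-y.com", "Company X CA", 1002, date(2019, 6, 30),
                   crl_uris=("https://crl.placeholder.invalid/ca.crl",))
    ldap_only = Cert("ldap-only@company-x.com", "Company X CA", 1004, date(2019, 6, 30),
                     crl_uris=("ldap://dir.placeholder.invalid/cn=crl",))
    expired = Cert("old@company-x.com", "Company X CA", 1003, date(2017, 12, 31))
    orphan = Cert("Other CA", "Missing Root", 9, date(2025, 1, 1))   # issuer not in DB
    imported_root = Cert("Imported Root", None, 2, date(2030, 1, 1))  # no manual decision
    store = {c.subject: c for c in (root, ca, david, partner, ldap_only, expired, orphan, imported_root)}
    crl = {"Company X CA": {1002, 1004}}   # constructed CRL result: two serials revoked
    out = {c.subject: calculate_trust(c, store, today, crl) for c in store.values()}
    out["trust method of AddTrust AB"] = trust_method(root)
    out["iq.suite view of Imported Root"] = iqsuite_view(out["Imported Root"])
    out["usable CRL URIs of david.galler@company-x.com"] = ", ".join(usable_crl_uris(david))
    return out


if __name__ == "__main__":
    for subject, status in demo().items():
        print(f"{subject}: {status}")
```

The ldap-only certificate stays Trusted although its serial is on the constructed CRL, which is the practical consequence of the LDAP limitation stated above.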

Requesting Certificates

Under <TENANT> -> CERTIFICATE MANAGEMENT -> CERTIFICATE REQUESTS, Own Certificates can be requested for the users of the displayed tenant: [screenshot]

Every time the Crypt Pro KeyManager job runs (every 30 seconds), up to 30 certificate requests can be processed. This time interval reduces the CPU usage. The business administrator can request certificates without restrictions. The tenant user can request Own Certificates only for himself/herself (right Can request certificates for own user) or for the users of the tenants that are assigned to him/her (right Can request certificates for others). Refer to Importing S/MIME Certificates or PGP Keys on page 132.

To request a certificate manually, proceed as follows:
1. Click on NEW REQUEST.
2. Fill in the CREATE CERTIFICATE REQUEST dialog: [screenshot]

   When you enable the Prefill with default values option, some fields are filled in with the default values automatically. The default values come either from the settings under SYSTEM CONFIGURATIONS -> DEFAULTS or from the tenant-specific default values. To use cross-tenant default values, click on <TENANT> -> TENANT CONFIGURATIONS -> DEFAULTS -> USE SYSTEM CONFIGURATIONS.
3. Under Issuer connector, select the connector that shall handle the certificate request. Default: The connector that is selected under <TENANT> -> TENANT CONFIGURATIONS -> WORKFLOW.
4. Check your settings and click on FINISH. The requested certificates are displayed: [screenshot]

Phase: Before a certificate is created, each certificate request passes through the following phases: Approving, Registering, Requesting or Renewing.

Status: The status represents the result of each phase, such as Waiting for approval, Approved, Pending, In process, Success/Error, Canceled. Example: If the certificate request is in the phase Approving, the request is in the status Waiting for approval. The certificate will be requested only when the certificate request is approved.

Certificate requests that are not approved automatically can be manually approved by authorized users: DROP-DOWN FIELD (AT THE BOTTOM) -> OPTION APPROVED -> CHANGE -> CONFIRM: [screenshot]

If the requested certificate is not required, decline the certificate request with DELETE. Certificate requests that are currently being processed (status In progress) cannot be deleted. Use the options for manual approval and deletion of certificate requests to control the number of requested certificates in order to prevent unnecessary costs.

Certificate requests that have been processed successfully are removed from the CERTIFICATE REQUESTS view. The issued certificates are displayed under <TENANT> -> CERTIFICATE MANAGEMENT -> OWN CERTIFICATES. Use the search function to search for a specific certificate request. Refer to Searching Certificate Requests or Certificates/Keys.

Renewing Own Certificates

There are various reasons for renewing certificates, e.g. expiration, revocation, reduced trustworthiness etc. Only certificates that have been created with a Crypt Pro KeyManager connector can be renewed. Certificates imported from PKCS#12 files cannot be renewed even if they were previously created by the Crypt Pro KeyManager. In contrast, certificates that have been exported as XML from the Crypt Pro KeyManager can be renewed after import into the Crypt Pro KeyManager.

Manual Renewing: To renew one or more certificates, select the Own Certificates to be renewed and click RENEW CERTIFICATE in the context menu (right-click).

Enable/Disable Automatic Renewal:

Connector Settings: Under <TENANT> -> CONNECTORS -> <CONNECTOR> -> AUTO RENEW CERTIFICATES, define whether all certificates which will be created via the respective connector are to be automatically renewed.

Manual Procedure for already created certificates: To manually enable/disable the automatic renewal of a single certificate, select the certificate on the OWN CERTIFICATES page and click ENABLE AUTO RENEW in the context menu (right-click). Confirm with YES.

To manually enable/disable the automatic renewal of multiple certificates simultaneously, select the certificates and click on the AUTO RENEW button. Then confirm with YES (for Enable) or click NO (for Disable). A certificate can only be renewed when the certificate request is approved.

Approving Certificate Requests for Certificate Renewal: The certificate requests must be approved. If required, enable automatic approval under <TENANT> -> TENANT CONFIGURATIONS -> WORKFLOW -> AUTO APPROVE EVERY CERTIFICATE RENEW REQUEST: YES/NO. Define the period of time the certificates shall be renewed automatically: <TENANT> -> CONFIGURATION -> WORKFLOW -> CERTIFICATE EXPIRATION THRESHOLD [DAYS]. The renewed certificates are displayed under OWN CERTIFICATES.

Monitoring User Activity

Some of the actions performed by users in the context of S/MIME certificates are logged in the database table km_auditlogs:
- Import certificates
- Change the trust status of certificates
- Enable/Disable the Auto renew option for Own Certificates
- Delete certificates

4.8 Managing PGP Keys

With KeyManager Server you can manage, import or export PGP keys created with GnuPG or PGP. In this manual, the term PGP keys is used for keys created by either GnuPG or PGP.

Important Notes on PGP in the Crypt Pro KeyManager

All public and private PGP keys available in the Crypt Pro KeyManager database are listed under CERTIFICATE MANAGEMENT -> PGP CERTIFICATES: [screenshot]

In the Name column, the user IDs (usually e-mail addresses) are displayed. An individual user ID is created for every user with a PGP key. A key can be used for several e-mail addresses that refer to one user, e.g. david.galler@companyx.com, david.galler@company-x.de and david.galler@company-y.com. A user's key is issued for his/her primary user ID (first node). Under the line containing the primary user ID, the primary user ID is repeated first. If available, the user's additional user IDs are displayed underneath (21). Example: [screenshot]

21. Refer to Certificate Viewer for PGP on page 130.

For further information on the PGP key properties displayed in the other columns (primary user ID, key ID, fingerprint etc.), please refer to RFC 4880.

Deleting keys with several user IDs: Clicking on DELETE while a user ID is selected removes the complete PGP key from the Crypt Pro KeyManager database.

Use the search function to search for a specific PGP key. Refer to Searching Certificate Requests or Certificates/Keys.

Certificate Viewer for PGP

In the PGP certificate table, double-click on a user ID to open the Certificate Viewer, which contains the key properties: [screenshot]

Owner trust: Refer to Trust Status (Owner Trust) for PGP Keys on page 131. For further information on the PGP key properties (such as primary user ID, key ID, fingerprint etc.), please refer to Managing PGP Keys on page 129 and to RFC 4880. As for S/MIME certificates, the Log tab logs the actions carried out on each PGP key. Refer to Log tab.

Trust Status (Owner Trust) for PGP Keys

To define the validity of a PGP key, the Crypt Pro KeyManager uses the Direct Trust model. Since PGP keys that are imported individually do not include information on the trust status, such keys receive the trust status unknown in the Crypt Pro KeyManager. You can change the trust status for PGP keys manually: SELECT THE CERTIFICATE(S) -> SELECT THE DESIRED STATUS -> CHANGE: [screenshot]

For GnuPG only:

If you import an XML file created with the export tool into the Crypt Pro KeyManager, the information from the XML file about the reliability of the key owner (owner trust) is changed with the import:

In the Ownertrust File   In the XML File   In the Crypt Pro KeyManager Certificate Table   In the Crypt Pro KeyManager Certificate Viewer
unknown                  unknown           unknown                                          unknown
expired                  untrusted         untrusted                                        untrusted
undefined                unknown           unknown                                          unknown
never                    untrusted         untrusted                                        untrusted
marginal                 marginal          untrusted                                        untrusted
fully                    complete          trusted                                          complete
ultimate                 ultimate          trusted                                          complete

4.9 Importing S/MIME Certificates or PGP Keys

As a business administrator, you can import S/MIME certificates and PGP keys for all tenants. As a tenant user, you can import S/MIME certificates and/or PGP keys for your tenants provided that you have the corresponding right (S/MIME: Can import certificates; PGP: Can import PGP key rings).

Notes on Importing Certificates/Keys

When importing more than 500 certificates/keys at once (XML file) and the import takes more than 10 minutes (= connection timeout), an error message is displayed. Nevertheless, the import will not be aborted. Refresh the certificates pages after a few minutes to check whether all certificates/keys have been imported. The number of certificates/keys that can be imported depends on the capacity of your computer, on the CPU workload and on the speed of the database connection.

Private keys (S/MIME, PGP) and public S/MIME keys that already exist in the Crypt Pro KeyManager database are not imported. Public PGP keys that already exist in the Crypt Pro KeyManager database cannot be overwritten when the public key is imported again. Exception: When importing a key pair, the public key which already exists in the database is overwritten by the key pair. With the import of PGP keys, all user IDs are read and stored in the Crypt Pro KeyManager database. Imported Own Certificates (S/MIME) can be renewed only under specific conditions. Refer to Renewing Own Certificates.

Import Procedure

To import certificates/keys, proceed as follows:
1. Click on IMPORT.
2. Select the type of the certificate file(s) you want to import:
   Only for S/MIME:
   - Certificates: The certificate files to be imported must be available in a format that is compatible with the certificate type:
     Root Certificates: CRT, 509, DER, CER, PEM
     Own Certificates: P12, PFX
     External Certificates: CRT, 509, DER, CER, PEM, P12 and PFX
   - PKCS#7 Certificates: This option exists for root certificates and external certificates, i.e. for the import of public keys. Supported file extensions: P7B and P7C (Base64-encoded ASCII format).
   Only for PGP:
   - PGP Key pair: You can import files with the file extension ASC (7-bit ASCII format) or GPG (binary).
   - PGP Public key: You can import one or more public keys. These files must have the file extension ASC (7-bit ASCII format) or GPG (binary).

   For S/MIME and PGP:
   - XML: If the certificates/keys to be imported are available as XML, select this option. Several certificates/keys can be imported at once. PGP: An XML file can consist of public keys only, private keys only or a combination of both public and private keys. S/MIME: To import an XML file with Own Certificates that were created via a connector and exported from a Crypt Pro KeyManager server, the issuer connector must be configured on the Crypt Pro KeyManager server into which the certificates are to be imported.
3. Select the tenants for which the certificates are to be imported.
4. Click on NEXT -> BROWSE to select the desired certificate files. Click on UPLOAD.
5. For private keys (private S/MIME certificates or private PGP keys) not imported as XML: Enter the password of the private key. Click on NEXT.
6. For S/MIME: In the alias list, select All or the desired alias.
7. Click on IMPORT SELECTED.
8. For S/MIME (optional): To display an overview of the imported/not imported certificates (alias), click on NEXT.
9. Click on FINISH.

Exporting S/MIME Certificates or PGP Keys

General

As a business administrator, you can export S/MIME certificates and PGP keys of all tenants. As a tenant user, you can export S/MIME certificates and/or PGP keys of your tenants provided that you have the corresponding right (S/MIME: Can export certificates; PGP: Can export PGP key rings).

When several files are exported at once, they are automatically compressed into a ZIP file. Exception: This does not apply to certificates exported as XML. Some of the listed certificates might have been deleted from the database at the moment of the export. Such certificates will not be exported.

Four-eyes principle for tenant users: A single tenant user is not authorized to export Own Certificates or PGP keys: The tenant user who wants to export certificates and a second user both have to authenticate. The second user must be either a business administrator or a tenant user with the user right Can export certificates (for Own Certificates) or Can export PGP key rings. Furthermore, the second tenant user must be assigned to the tenant from which the certificates are to be exported.

Exporting S/MIME Certificates

To export S/MIME certificates, proceed as follows:
1. Select the certificates to be exported and click on EXPORT.
2. For private S/MIME certificates and PGP keys: If you are a tenant user, an authentication according to the four-eyes principle is required: [screenshot]

   The username is not case-sensitive.
3. Select an export method:
   - XML: The certificates will be exported to an XML file. The Crypt Pro KeyManager-specific information such as Trust status and Issuer connector is retained and can be exchanged between several Crypt Pro KeyManager servers.
   - PKCS#12 (only available for Own Certificates): Since the exported Own Certificates are stored in the PKCS#12 format, the Crypt Pro KeyManager certificate information will be lost. When these certificates are imported, they are considered foreign certificates and cannot be renewed automatically. Certificates exported as XML can be renewed if they are imported into the Crypt Pro KeyManager. In contrast, certificates exported as PKCS#12 cannot be renewed after import into the Crypt Pro KeyManager.
   - Public Key (DER): Only the public key part of the certificate will be exported.

   - PKCS#7 (P7B) (only available for root certificates): The public part of the certificate is exported as a P7B file. The complete certificate chain is exported as well, if it is available in the KeyManager database.
4. Click on NEXT. The certificates to be exported are listed. For every listed certificate, one of the following pieces of certificate information is displayed:
   - Common Name (highest priority)
   - Subject (only if Common Name is not available!)
   - SubjectAlternativeName (only if Subject is not available!): For certificates with more than one SubjectAlternativeName, only the first one found will be displayed. You can find the SubjectAlternativeName field in the Certificate Viewer under DETAILS TAB -> CERTIFICATE FIELDS: EXTENSIONS (22).
5. To export the listed certificates, click on the EXPORT button and save the certificates to the desired directory.
6. Click on FINISH.

Exporting PGP Keys

To export PGP keys, proceed as follows:
1. Select the keys to be exported.
2. Click on EXPORT.
3. If you are a tenant user, an authentication according to the four-eyes principle is required (23): [screenshot]

22. For further information, please refer to Certificate Viewer for S/MIME.
23. For further information on the four-eyes export mechanism, please refer to Exporting S/MIME Certificates or PGP Keys on page 134.

   The username is not case-sensitive.
4. Select an export method:
   - PGP Key pair: Key pairs, consisting of private and public PGP keys, will be exported.
   - PGP Public key: Only the public PGP keys will be exported.
5. Click on NEXT. The keys to be exported are listed.
6. Click on EXPORT to confirm the export.
7. Save the keys to the desired directory and click on FINISH.

PGP keys are exported in the 7-bit ASCII format with the ASC file extension. For PGP private keys, the TXT password files are exported together with the corresponding key files. Since the trust status of PGP keys is not stored inside the keys, it cannot be exported.
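The export authorization rules from the General section above (tenant user rights, four-eyes principle for Own Certificates and PGP keys, case-insensitive usernames), as an added example that is not KeyManager code; the right names are those the page lists, while the user names, the Unit_01/Unit_02 tenants and the material labels are constructed:

```python
"""Four-eyes export authorization modelled on the export rules on this page.
Added example, not KeyManager code; users and tenants are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

CAN_EXPORT_CERTS = "Can export certificates"
CAN_EXPORT_PGP = "Can export PGP key rings"
# Material that a single tenant user may not export alone (assumed labels).
FOUR_EYES_MATERIAL = {"own_smime", "pgp"}


@dataclass(frozen=True)
class User:
    name: str
    is_business_admin: bool = False
    rights: FrozenSet[str] = frozenset()
    tenants: FrozenSet[str] = frozenset()   # tenants the user is assigned to


def required_right(material: str) -> str:
    return CAN_EXPORT_PGP if material == "pgp" else CAN_EXPORT_CERTS


def authorize_export(requester: User, material: str, tenant: str,
                     second: Optional[User] = None) -> Tuple[bool, str]:
    """material: own_smime | external_smime | root_smime | pgp"""
    if requester.is_business_admin:
        return True, "business administrator exports without a second user"
    right = required_right(material)
    if right not in requester.rights or tenant not in requester.tenants:
        return False, f"{requester.name} lacks '{right}' for tenant {tenant}"
    if material not in FOUR_EYES_MATERIAL:
        return True, "public material, a single tenant user is sufficient"
    if second is None:
        return False, "four-eyes principle: a second user must authenticate"
    # The username is not case-sensitive, so 'ALICE' is still Alice herself.
    if second.name.casefold() == requester.name.casefold():
        return False, "second user must be a different person"
    if second.is_business_admin:
        return True, f"approved by business administrator {second.name}"
    if right in second.rights and tenant in second.tenants:
        return True, f"approved by tenant user {second.name}"
    return False, f"{second.name} lacks '{right}' or is not assigned to {tenant}"


def demo() -> Dict[str, bool]:
    admin = User("admin", is_business_admin=True)
    alice = User("Alice", rights=frozenset({CAN_EXPORT_CERTS, CAN_EXPORT_PGP}),
                 tenants=frozenset({"Unit_02"}))
    bob = User("Bob", rights=frozenset({CAN_EXPORT_CERTS}), tenants=frozenset({"Unit_02"}))
    carol = User("Carol", rights=frozenset({CAN_EXPORT_PGP}), tenants=frozenset({"Unit_01"}))
    alice_upper = User("ALICE", rights=alice.rights, tenants=alice.tenants)
    cases = {
        "admin alone, own cert": (admin, "own_smime", "Unit_02", None),
        "alice alone, external cert": (alice, "external_smime", "Unit_02", None),
        "alice alone, own cert": (alice, "own_smime", "Unit_02", None),
        "alice + bob, own cert": (alice, "own_smime", "Unit_02", bob),
        "alice + bob, pgp": (alice, "pgp", "Unit_02", bob),
        "alice + carol, pgp (other tenant)": (alice, "pgp", "Unit_02", carol),
        "alice + ALICE, own cert": (alice, "own_smime", "Unit_02", alice_upper),
        "bob alone, pgp": (bob, "pgp", "Unit_02", None),
        "alice + admin, pgp": (alice, "pgp", "Unit_02", admin),
    }
    return {label: authorize_export(*args)[0] for label, args in cases.items()}


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{label}: {'allowed' if allowed else 'denied'}")
```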

Exporting Certificate/Key Data (S/MIME, PGP) as CSV

To export S/MIME certificate or PGP key data as CSV (Comma-Separated Value), proceed as follows:

1. Select the certificates/keys to be exported. If required, you can first filter the certificates/keys by using the Search function. Refer to Searching Certificate Requests or Certificates/Keys on page 141. Example with Own Certificates:
2. Use the SHOW/HIDE COLUMNS button to display only the columns you want to export.
3. To export the selected data to a CSV file, click on the export icon.

Filename: KMS_exported_table_viewer_<CertificateType>_on_DD.MM.YYYY-HH.MM.SS.csv

You can import the CSV data into a spreadsheet program like Microsoft Excel, for example. To import the file into the spreadsheet program, enter the pipe character (|) as the delimiter. You should not use other delimiters since they may be contained in the certificate/key data.

Example in Microsoft Excel 2010:

1. Open the CSV file with Excel.
2. Select column A.
3. Select the menu DATA -> TEXT TO COLUMNS. The Convert Text to Columns Wizard opens.
4. In the Convert Text to Columns Wizard, select the file type Delimited.
5. Click NEXT. Select the option Other as the delimiter and enter the pipe character.
6. Click NEXT. Select General as the format of the columns.
7. Click FINISH.

Searching Certificate Requests or Certificates/Keys

The search function can be used to search for specific certificate requests (S/MIME), certificates or keys (S/MIME, PGP). It offers the possibility to filter in order, for example, to delete or to export particular certificates. On some pages, for example for certificates and keys, an Advanced Search is available in addition to the Simple Search. The search criteria specified by the user are automatically saved and remain unchanged for this user until the user changes them again. When switching to another tenant, the search criteria remain the same.

Simple Search

With the Simple Search, the following fields are scanned:

Search for: S/MIME certificates (Root Certificates, Own Certificates, External Certificates); Own Certificates, External Certificates; PGP keys; Certificate requests.
Scanned fields: Issuer, Subject (SubjectDN), Status, Name (user ID).

In the Search field, enter the search string. Exception: To search within the Status field, put a colon before the search string, e.g. :valid or :expired. Placeholders like asterisk (*) or question mark (?) are not permitted. The search function is not case-sensitive.

Example: To display all root certificates from an AddTrust issuer, enter e.g. the string ddt. The search result is displayed automatically.

Advanced Search

With the Advanced Search, you can combine multiple search criteria. You can search within all columns, no matter whether the columns are currently shown or hidden. This functionality is available for all certificate types (S/MIME and PGP) and on the CERTIFICATE AUDIT page, but not for certificate requests.

The Simple Search can be used for pre-filtering: If you perform a Simple Search, the Advanced Search will search only in the results found by the Simple Search. The Simple Search always remains active, no matter whether the Advanced Search is activated or not.

To perform an Advanced Search, proceed as follows:

1. Click the ADVANCED SEARCH toggle button and select the checkbox Activate advanced search. In the drop-down field that is now displayed, select a column in which you want to search.
2. With the ADD COLUMN button, you can select additional columns. In the input fields (to the right of the columns), specify the content for which the respective columns are to be searched. Between different columns, the conjunction is AND. For the same column, the conjunction is OR.

Example: We search for root certificates which contain the string ddt OR acta in the Common Name AND have received the Trust status Trusted via the Trust method Manual.
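The filter semantics described above (Simple Search as a case-insensitive substring match with the colon prefix for Status, Advanced Search with OR within a column and AND across columns, and the Simple Search always pre-filtering) as an added Python illustration. This is not KeyManager code: the certificate rows are constructed, and substring matching for the Advanced Search criteria is an assumption.

```python
from collections import defaultdict

# Constructed sample rows (column names follow the manual's wording; the values are made up).
ROOT_CERTIFICATES = [
    {"Common Name": "AddTrust External CA Root",
     "Issuer": "CN=AddTrust External CA Root, O=AddTrust AB, C=SE",
     "Subject": "CN=AddTrust External CA Root, O=AddTrust AB, C=SE",
     "Status": "valid", "Trust status": "Trusted", "Trust method": "Manual"},
    {"Common Name": "Actalis Authentication Root CA",
     "Issuer": "CN=Actalis Authentication Root CA, O=Actalis S.p.A., C=IT",
     "Subject": "CN=Actalis Authentication Root CA, O=Actalis S.p.A., C=IT",
     "Status": "valid", "Trust status": "Trusted", "Trust method": "Automatic"},
    {"Common Name": "Example Root CA",
     "Issuer": "CN=Example Root CA, O=Example Org, C=DE",
     "Subject": "CN=Example Root CA, O=Example Org, C=DE",
     "Status": "expired", "Trust status": "Trusted", "Trust method": "Manual"},
    {"Common Name": "AddTrust Class 1 CA Root",
     "Issuer": "CN=AddTrust Class 1 CA Root, O=AddTrust AB, C=SE",
     "Subject": "CN=AddTrust Class 1 CA Root, O=AddTrust AB, C=SE",
     "Status": "valid", "Trust status": "Unknown", "Trust method": "Manual"},
]

# Fields the manual lists as scanned by the Simple Search for S/MIME certificates.
SIMPLE_SEARCH_FIELDS = ("Issuer", "Subject")

# The manual's Advanced Search example: (ddt OR acta in Common Name) AND Trusted AND Manual.
MANUAL_EXAMPLE = [
    ("Common Name", "ddt"),
    ("Common Name", "acta"),
    ("Trust status", "Trusted"),
    ("Trust method", "Manual"),
]


def simple_search(rows, text, fields=SIMPLE_SEARCH_FIELDS):
    """Case-insensitive substring match over `fields`; a leading ':' searches Status instead.
    Wildcards are not interpreted, so '*' and '?' are just literal characters."""
    text = text.strip()
    if not text:
        return list(rows)
    if text.startswith(":"):
        needle = text[1:].lower()
        return [r for r in rows if needle in str(r.get("Status", "")).lower()]
    needle = text.lower()
    return [r for r in rows if any(needle in str(r.get(f, "")).lower() for f in fields)]


def advanced_search(rows, criteria):
    """criteria: (column, value) pairs. Values for the same column are ORed, different
    columns are ANDed. Case-insensitive substring matching is assumed here; the manual
    states this only for the Simple Search."""
    by_column = defaultdict(list)
    for column, value in criteria:
        if value.strip():  # empty input fields do not restrict the result
            by_column[column].append(value.strip().lower())

    def matches(row):
        return all(any(v in str(row.get(col, "")).lower() for v in values)
                   for col, values in by_column.items())

    return [r for r in rows if matches(r)]


def search(rows, simple_text, criteria, advanced_enabled=True):
    """Simple Search always applies; an active Advanced Search only narrows its result."""
    result = simple_search(rows, simple_text)
    if advanced_enabled:
        result = advanced_search(result, criteria)
    return result


def common_names(rows):
    return [r["Common Name"] for r in rows]
```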

To remove a column from the selection, click the icon next to the column. To reset the default values of the added columns, click the RESET VALUES button. To disable the Advanced Search without deleting the search criteria, deselect the checkbox Activate advanced search. If you want to hide/show the search criteria of the Advanced Search, click the toggle button ADVANCED SEARCH.

Lookup Page for Certificate Search (only S/MIME)

In combination with iq.suite, e-mails addressed to recipients for which no valid certificates exist in the KeyManager database are either sent unencrypted or put in quarantine (depending on the setting in iq.suite). In some situations, users would like to send an e-mail only if a valid certificate already exists for the recipient in the KeyManager database. For this case, the user can check on the Lookup page whether at least one valid certificate is available for the recipient's e-mail address.

The search is possible only for S/MIME certificates for which a public key is available in KeyManager. External Certificates and Own Certificates are therefore included; root certificates are excluded. The search applies to all tenants; searching per tenant is not possible.

Access to the Lookup page is user-independent, i.e. possible without login. To block access to the Lookup page, open the file kms.fe.finetuning.conf in the etc [24] directory and set the parameter kms.configuration.enablepubliccertificatesview to false in this file.

URL to the Lookup page: <IP address>:<port>/km.admin/certificates

No wildcards can be used for the search. In the Search field, the user must enter either the recipient's complete e-mail address (e.g. dgaller@company-x.com) or a string contained in the address (e.g. galler). You can use this method, for example, to list all certificates available for a subdomain (e.g. company-x), which may be a list of certificates of different persons.

24. Path to etc: refer to the environment variable KMS_CONFIG_DIR on page 16.

4.13 Exporting Certificate Requests (S/MIME) as CSV

No Export user rights are required to export certificate requests as CSV (Comma-Separated Value). To export them, proceed as described under Exporting Certificate/Key Data (S/MIME, PGP) as CSV.

Certificate Audit

Under CERTIFICATE AUDIT, you will find logged information regarding all S/MIME certificates and PGP keys on which actions have been carried out. The following actions are logged:

- Change of trust status, e.g. from Unknown to Trusted.
- Activation of Automatic Renewal
- Deletion
- Import

The column Comment contains the text which has been entered by the user as a comment for the action.

To export audit information as CSV (Comma-Separated Value), select the entries to be exported. If required, you can first filter the audit entries by using the Search function [25]. Afterwards, proceed as described under Exporting Certificate/Key Data (S/MIME, PGP) as CSV on page 139.

Filename: KMS_exported_table_viewer_certificate_audit_on_DD.MM.YYYY-HH.MM.SS.csv

Search: Proceed as described under Simple Search on page 141 or Advanced Search on page 142. In the case of a Simple Search, only the Certificate info column is scanned.

To get an overview of all logged information on a specific certificate/key, open the Log tab in the Certificate Viewer. Refer to Log tab.

25. Refer to Searching Certificate Requests or Certificates/Keys on page 141.

5 Error Analysis and Troubleshooting

During the KeyManager installation or configuration or when logging in to the web interface, problems may occur. Before consulting the GBS Support, please perform an error analysis.

The file and directory paths mentioned in this chapter are sample or default paths that are valid for Windows Server 2008 or the Linux distribution Ubuntu. Depending on your system environment, these paths might differ.

5.1 General Procedure

To perform an error analysis, proceed as follows:

1. Check whether the required components are available and run properly, e.g. the KeyManager server (km.backend).
2. Check the logs. Refer to Logs.

Logs

Log Files

If errors occur on starting the KeyManager server or when you do not have access to the KeyManager web interface, the EVENTS page is unavailable. For error analysis, check the following log files:

Log File: <YYYY-MM-DD>.stderrout.log
Description: Contains the log messages for Jetty and the KeyManager applications. As soon as Jetty is restarted, a new file is generated. Example: 2012_09_20.stderrout.log

Log File: commons-daemon.<yyyy-mm-dd>.log (only for a setup installation)
Description: Contains the log messages for the KeyManager Service (e.g. on problems at starting/stopping the service).

Default paths:
Under Windows (for a setup installation or a package installation): <KeyManager InstallDir>\keymanager\logs
Under Linux (for a package installation): <KeyManager InstallDir>/keymanager/logs

Events: KeyManager Logs

Log messages related to the KeyManager server and the KeyManager web interface are displayed under EVENTS. Functions for searching, filtering and ordering the logs are available. Please note that only business administrators can access the EVENTS page.

The level of detail depends on the settings under SYSTEM CONFIGURATIONS -> LOGGING -> LOG LEVELS. Additional settings are described under Configuring a Log Server for Crypt Pro KeyManager Logging on page 91. The log messages are retrieved from the web service of the log server specified under SYSTEM CONFIGURATIONS -> REMOTE CONNECTIONS.

In case of errors on starting the KeyManager or during the initial configuration, the EVENTS page is unavailable. In this case, further information is provided in the log files. Refer to Log Files on page 149.

Application: Indicates whether the log message concerns the KeyManager server (backend) or the web interface (frontend).
Log level: refer to Defining a Log Server for Crypt Pro KeyManager Logging on page 90.

Additional actions:
- To limit the number of log messages (per application or log level), use the filter options.
- To skip some pages, enter the desired page number in the Page field.
- To display a log message completely, mark the log message and click on MESSAGE DETAILS.

5.3 Special Error Situations

Insufficient Java Heap Size

In some situations, e.g. in case of an Out of memory error, the size of the Java heap the application server is allowed to use must be increased. This might occur in system environments with many tenants or with many requested/managed certificates.

The Java Virtual Machine (Java VM) is responsible for the process that provides memory allocation and deallocation. The application server and the KeyManager rely on the memory allocation by the Java VM. Thus, the startup options of the Java VM must be configured in order to adjust the memory size.

Adjusting the Java Heap in case of a Setup Installation

Change the properties of the Crypt Pro KeyManager Service to adjust the Java heap size: Open the kms.exe tool under <KeyManager InstallDir>/keymanager/ and change the parameter -Xmx512m in the Java tab under Java Options, e.g. to -Xmx1024m. This changes the size from 512 MB to 1024 MB.

Adjusting the Java Heap in case of a Package Installation

To adjust the Java heap size, proceed as follows:

1. In a text editor, open the start script for the KeyManager:
   Under Windows: <InstallDir>\keymanager\keymanager.cmd
   Under Linux: <InstallDir>/keymanager/keymanager.sh
2. In the start script, change the parameter -Xmx512m, e.g. to -Xmx1024m. This changes the size from 512 MB to 1024 MB.
   The -Xmx<size> parameter refers to the maximum capacity of the Java heap. The heap is enlarged automatically until the specified size has been reached. Depending on the Java heap size, the Garbage Collection can be very time-consuming and might lead to freezing Java applications. Therefore, we recommend defining a reasonable value for -Xmx with respect to the expected load and data storage on the server.
   If an H2 database (embedded) is used, the KeyManager server requires additional memory, as the database runs in the same Java process as the KeyManager application server itself.
3. Restart the KeyManager. Refer to Starting iq.suite KeyManager.

KeyManager Server cannot be stopped

Package Installation: If the application server cannot be stopped properly, proceed as follows:
Under Windows: In the Jetty server console, click on the icon. If this does not stop the application server, use the Task Manager to stop the Java process (java.exe).
Under Linux: Stop the Java process with the kill command.

Login Fails

Login Page is not displayed

- The application server is not started. In this case, start the application server (refer to Starting iq.suite KeyManager on page 17) and call the URL to the web interface again.
- The application server is started but errors occur on initialization. In this case, check the log files (refer to Log Files on page 149).

Errors on Login

When no login is possible although the login page is displayed correctly, please note the error message above the Language field. Common error causes:

- Wrong or unavailable server address.
- Wrong username or password. If required, reset the password. Refer to Resetting User Passwords on page 99.
- The user is disabled or does not have the appropriate rights for the login.

If login was possible once, check the log files. Refer to Logs.

Restoring the H2 Database from a Backup

In order to be able to recover an H2 database, a backup of the database data is performed automatically: Each time the KeyManager server is started and the KeyManager successfully connects to the H2 database, a backup ZIP file is created in the directory configured for the H2 database (DB_BACKUP_JJJJ-MM-TThh-mm-ss.zip).

Default path to the database directory in case of a setup installation: C:\Programme\GBS\KeyManager\data

When the maximum number of 10 backups is reached, the oldest backup file is deleted. Copy the backup files you are interested in into another secure directory to make sure that they will be permanently available.

To restore an H2 database from a backup, proceed as follows:

1. Stop the KeyManager server. Refer to Stopping Crypt Pro KeyManager.
2. Make sure you have a backup of the currently used H2 database (all files with the DB extension) from the configured database directory.
3. Extract the content of the desired backup file to the database directory. Thereby, overwrite the existing database files.
4. Restart the KeyManager server. Refer to Starting iq.suite KeyManager on page 17.
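The restore procedure above as an added Python script (not part of the GBS product): it picks the newest DB_BACKUP_*.zip, copies the backups to a second directory, copies the current *.db files aside, and then extracts the chosen backup over the database directory. Assumptions: the backup name pattern DB_BACKUP_JJJJ-MM-TThh-mm-ss.zip is read as year-month-day followed by hour-minute-second, and a *.lock.db file, which H2 keeps while a database is open, is taken as a sign that the server has not been stopped.

```python
import re
import shutil
import tempfile
import zipfile
from datetime import datetime
from pathlib import Path, PurePosixPath

# DB_BACKUP_JJJJ-MM-TThh-mm-ss.zip, read here as year-month-day + hour-minute-second (assumption).
BACKUP_NAME = re.compile(r"^DB_BACKUP_(\d{4})-(\d{2})-(\d{2})(\d{2})-(\d{2})-(\d{2})\.zip$")


def list_backups(db_dir):
    """Return (timestamp, path) pairs for the backup ZIPs in the database directory, newest first."""
    found = []
    for path in Path(db_dir).glob("DB_BACKUP_*.zip"):
        match = BACKUP_NAME.match(path.name)
        if match:
            found.append((datetime(*map(int, match.groups())), path))
    return sorted(found, reverse=True)


def archive_backups(db_dir, secure_dir):
    """Copy the backup ZIPs to another directory so they survive the 10-file rotation."""
    secure = Path(secure_dir)
    secure.mkdir(parents=True, exist_ok=True)
    copied = []
    for _, path in list_backups(db_dir):
        target = secure / path.name
        if not target.exists():
            shutil.copy2(path, target)
            copied.append(target)
    return copied


def restore_backup(db_dir, backup_zip, safety_dir):
    """Steps 2 and 3 of the manual: keep a copy of the current *.db files, then extract the
    backup into the database directory, overwriting the existing files."""
    db_dir = Path(db_dir)
    safety = Path(safety_dir)
    safety.mkdir(parents=True, exist_ok=True)
    # Step 1 is stopping the server. H2 holds a *.lock.db file while a database is open
    # (assumption about H2 behaviour), so its presence means a server is probably still running.
    if any(db_dir.glob("*.lock.db")):
        raise RuntimeError("H2 lock file present: stop the KeyManager server first")
    saved = []
    for current in db_dir.glob("*.db"):
        shutil.copy2(current, safety / current.name)
        saved.append(current.name)
    restored = []
    with zipfile.ZipFile(backup_zip) as archive:
        for member in archive.infolist():
            if member.is_dir():
                continue
            # Write by bare file name only, so no archive entry can place a file outside db_dir.
            name = PurePosixPath(member.filename).name
            if name in ("", ".", ".."):
                raise ValueError(f"unexpected entry in backup: {member.filename!r}")
            with archive.open(member) as src, open(db_dir / name, "wb") as dst:
                shutil.copyfileobj(src, dst)
            restored.append(name)
    return {"saved": sorted(saved), "restored": sorted(restored)}


def rehearsal(locked=False):
    """Run the procedure against constructed files in a temporary directory and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        db_dir = tmp / "data"
        db_dir.mkdir()
        (db_dir / "kms.mv.db").write_bytes(b"current database content")  # constructed H2 file
        if locked:
            (db_dir / "kms.lock.db").write_bytes(b"")  # simulates a database still open
        for stamp in ("2018-09-1908-00-00", "2018-09-2014-05-33"):  # constructed backups
            with zipfile.ZipFile(db_dir / f"DB_BACKUP_{stamp}.zip", "w") as archive:
                archive.writestr("kms.mv.db", f"backup {stamp}")
        newest = list_backups(db_dir)[0][1]
        report = {"newest": newest.name, "archived": len(archive_backups(db_dir, tmp / "offsite"))}
        try:
            report.update(restore_backup(db_dir, newest, tmp / "pre-restore"))
            report["content"] = (db_dir / "kms.mv.db").read_text()
            report["pre_restore"] = (tmp / "pre-restore" / "kms.mv.db").read_text()
        except RuntimeError as exc:
            report["error"] = str(exc)
        return report
```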

6 Appendix

6.1 Average Sizes (Reference Values) of Database Elements

This table provides guidance values for the average size of some elements managed in the KeyManager database [1]. With these values you can estimate the required disk space for your database. Please note that your actual required database size may differ considerably. Since the size of PGP keys depends on the number of User IDs and signatures, deviations are probable especially for such keys.

Database Element                                           | Test Quantity | Average Size per Element
Public S/MIME key (root certificate, external certificate) |               | ,5 KB
Private S/MIME key (Own Certificate)                       | 300           | 8,3 KB
Public PGP key                                             | 47            | 2,8 KB
Private PGP key                                            |               | 5,8 KB
Tenant                                                     |               | KB

The database tables which contain other elements than the ones mentioned in the table have an overall size of 5 MB.

1. For further information on the KeyManager database, please refer to Information on the Crypt Pro KeyManager database on page 51.

6.2 How to configure KeyManager Database Settings

This chapter describes how to change the KeyManager database settings. Changing the database settings may be required, for example, if you have renamed the database server, transferred the database from one drive to another drive (e.g. from C:\ to D:\) or want to use a different database than the one used so far. This description is valid for all supported database systems and all KeyManager installation types.

To configure the KeyManager database settings during server start, proceed as follows:

1. Stop the KeyManager server. Refer to Stopping Crypt Pro KeyManager.
2. Remove the following files from the KeyManager configuration directory etc:
   a) kms.hibernate.xml
   b) kms.fe.preconfigured.conf (this file is only available in case of a setup installation)
3. We recommend making a backup of the file kms.hibernate.conf.backup.xml (in the etc directory), because it contains the password of the currently connected database in plain text and it will be overwritten if you change the database settings and connect to another database.
4. In the kms.fe.finetuning.conf file (in the etc directory), set kms.configuration.additionaldbenabled=true.
5. Restart the KeyManager server. Refer to Starting iq.suite KeyManager on page 17. The KeyManager LOGIN page opens.
6. Click ENTER. The DATABASE configuration page opens.
7. Click WIZARD.
   a) Select the database Type and provide the new database settings. Copy the Database password and the Encryption password from kms.hibernate.conf.backup.xml. Both passwords are in the same line.
   b) Click NEXT -> FINISH to validate your database settings.
8. Click the TEST CONNECTION button to test the connection between KeyManager and the database.
   a) If the connection is valid, the Valid symbol (green tick) is displayed. Click SAVE.

If at least one user exists in the configured database, the LOGIN page will be displayed and login will be possible with valid user credentials. If no user exists in the configured database, a dialog to create a user will be displayed.


HPE Security Fortify WebInspect Enterprise Software Version: Windows operating systems. Installation and Implementation Guide HPE Security Fortify WebInspect Enterprise Software Version: 17.10 Windows operating systems Installation and Implementation Guide Document Release Date: May 2017 Software Release Date: April 2017 Legal

More information

ARIS Installation and Administration Guide

ARIS Installation and Administration Guide ARIS Installation and Administration Guide Version 9.8 - Service Release 7 December 2016 This document applies to ARIS Version 9.8 and to all subsequent releases. Specifications contained herein are subject

More information

UC for Enterprise (UCE) NEC Centralized Authentication Service (NEC CAS)

UC for Enterprise (UCE) NEC Centralized Authentication Service (NEC CAS) UC for Enterprise (UCE) NEC Centralized Authentication Service (NEC CAS) Installation Guide NEC NEC Corporation October 2010 NDA-30362, Revision 15 Liability Disclaimer NEC Corporation reserves the right

More information

ARIS Installation and Administration Guide

ARIS Installation and Administration Guide ARIS Installation and Administration Guide Version 9.8 - Service Release 6 October 2016 This document applies to ARIS Version 9.8 and to all subsequent releases. Specifications contained herein are subject

More information

KYOCERA Net Admin Installation Guide

KYOCERA Net Admin Installation Guide KYOCERA Net Admin Guide Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held liable for

More information

DefendX Software Control-Audit for Hitachi Installation Guide

DefendX Software Control-Audit for Hitachi Installation Guide DefendX Software Control-Audit for Hitachi Installation Guide Version 4.1 This guide details the method for the installation and initial configuration of DefendX Software Control-Audit for NAS, Hitachi

More information

SSL Configuration Oracle Banking Liquidity Management Release [April] [2017]

SSL Configuration Oracle Banking Liquidity Management Release [April] [2017] SSL Configuration Oracle Banking Liquidity Management Release 12.4.0.0.0 [April] [2017] Table of Contents 1. CONFIGURING SSL ON ORACLE WEBLOGIC... 1-1 1.1 INTRODUCTION... 1-1 1.2 SETTING UP SSL ON ORACLE

More information

VMware Enterprise Systems Connector Installation and Configuration. Modified 29 SEP 2017 VMware AirWatch VMware Identity Manager 2.9.

VMware Enterprise Systems Connector Installation and Configuration. Modified 29 SEP 2017 VMware AirWatch VMware Identity Manager 2.9. VMware Enterprise Systems Connector Installation and Configuration Modified 29 SEP 2017 VMware AirWatch 9.1.1 VMware Identity Manager 2.9.1 You can find the most up-to-date technical documentation on the

More information

VII. Corente Services SSL Client

VII. Corente Services SSL Client VII. Corente Services SSL Client Corente Release 9.1 Manual 9.1.1 Copyright 2014, Oracle and/or its affiliates. All rights reserved. Table of Contents Preface... 5 I. Introduction... 6 Chapter 1. Requirements...

More information

Release Date March 10, Adeptia Inc. 443 North Clark Ave, Suite 350 Chicago, IL 60610, USA Phone: (312)

Release Date March 10, Adeptia Inc. 443 North Clark Ave, Suite 350 Chicago, IL 60610, USA Phone: (312) Adeptia Server 4.9 Installation Guide Version 1.2 Release Date March 10, 2009 Adeptia Inc. 443 North Clark Ave, Suite 350 Chicago, IL 60610, USA Phone: (312) 229-1727 Copyright Copyright 2000-2008 Adeptia,

More information

Installing and Configuring VMware vcenter Orchestrator

Installing and Configuring VMware vcenter Orchestrator Installing and Configuring VMware vcenter Orchestrator vcenter Orchestrator 4.2.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced

More information

Sophos Mobile as a Service

Sophos Mobile as a Service startup guide Product Version: 8 Contents About this guide... 1 What are the key steps?... 2 Change your password... 3 Change your login name... 4 Activate Mobile Advanced licenses...5 Check your licenses...6

More information

Oracle Cloud Using the Evernote Adapter. Release 17.3

Oracle Cloud Using the Evernote Adapter. Release 17.3 Oracle Cloud Using the Evernote Adapter Release 17.3 E69234-07 September 2017 Oracle Cloud Using the Evernote Adapter, Release 17.3 E69234-07 Copyright 2016, 2017, Oracle and/or its affiliates. All rights

More information

1 Configuring SSL During Installation

1 Configuring SSL During Installation Oracle Enterprise Data Quality SSL Configuration Release 11g R1 (11.1.1.7) E40048-02 October 2013 This document provides instructions for setting up Secure Sockets Layer (SSL) on an Oracle Enterprise Data

More information

Sophos Mobile SaaS startup guide. Product version: 7.1

Sophos Mobile SaaS startup guide. Product version: 7.1 Sophos Mobile SaaS startup guide Product version: 7.1 Contents 1 About this guide...4 2 What are the key steps?...5 3 Change your password...6 4 Change your login name...7 5 Activate SMC Advanced licenses...8

More information

DataFlux Web Studio 2.5. Installation and Configuration Guide

DataFlux Web Studio 2.5. Installation and Configuration Guide DataFlux Web Studio 2.5 Installation and Configuration Guide The correct bibliographic citation for this manual is as follows: SAS Institute Inc. 2014. DataFlux Web Studio 2.5: Installation and Configuration

More information

P6 EPPM Installation and Configuration Guide

P6 EPPM Installation and Configuration Guide P6 EPPM Installation and Configuration Guide 16 R2 October 2016 Contents About Installing and Configuring P6 EPPM... 5 Prerequisites for P6 EPPM Configuration... 6 Minimum Hard Disk Space... 6 JDK Installation...

More information

SSO Authentication with ADFS SAML 2.0. Ephesoft Transact Documentation

SSO Authentication with ADFS SAML 2.0. Ephesoft Transact Documentation SSO Authentication with ADFS SAML 2.0 Ephesoft Transact Documentation 2017 Table of Contents Prerequisites... 1 Tools Used... 1 Setup... 1 Generating Server Certificates to Set Up SSL/TLS... 1 Creating

More information

LifeSize Control Installation Guide

LifeSize Control Installation Guide LifeSize Control Installation Guide January 2009 Copyright Notice 2005-2009 LifeSize Communications Inc, and its licensors. All rights reserved. LifeSize Communications has made every effort to ensure

More information

Oracle Endeca Information Discovery Integrator

Oracle Endeca Information Discovery Integrator Oracle Endeca Information Discovery Integrator Integrator Version 3.0.0 Rev. A May 2013 Copyright and disclaimer Copyright 2003, 2013, Oracle and/or its affiliates. All rights reserved. Oracle and Java

More information

SSL/TLS Certificate Check

SSL/TLS Certificate Check Administration Guide Supplemental SSL/TLS Certificate Check for BEMS and Blackberry Work Product Version: 2.5 Updated: 23-Jan-17 2017 BlackBerry Limited. Trademarks, including but not limited to BLACKBERRY,

More information

Jamf Software Server Installation and Configuration Guide for Mac. Version

Jamf Software Server Installation and Configuration Guide for Mac. Version Jamf Software Server Installation and Configuration Guide for Mac Version 9.100 copyright 2002-2017 Jamf. All rights reserved. Jamf has made all efforts to ensure that this guide is accurate. Jamf 100

More information

Jamf Pro Installation and Configuration Guide for Windows. Version

Jamf Pro Installation and Configuration Guide for Windows. Version Jamf Pro Installation and Configuration Guide for Windows Version 10.0.0 copyright 2002-2017 Jamf. All rights reserved. Jamf has made all efforts to ensure that this guide is accurate. Jamf 100 Washington

More information

QuickStart Guide for Managing Computers. Version

QuickStart Guide for Managing Computers. Version QuickStart Guide for Managing Computers Version 10.2.0 copyright 2002-2018 Jamf. All rights reserved. Jamf has made all efforts to ensure that this guide is accurate. Jamf 100 Washington Ave S Suite 1100

More information

Oracle Cloud Using the Microsoft Adapter. Release 17.3

Oracle Cloud Using the Microsoft  Adapter. Release 17.3 Oracle Cloud Using the Microsoft Email Adapter Release 17.3 E70297-10 December 2017 Oracle Cloud Using the Microsoft Email Adapter, Release 17.3 E70297-10 Copyright 2016, 2017, Oracle and/or its affiliates.

More information

WebSphere Integration Kit. Version User Guide

WebSphere Integration Kit. Version User Guide WebSphere Integration Kit Version 2.1.1 User Guide 2012 Ping Identity Corporation. All rights reserved. PingFederate WebSphere User Guide Version 2.1.1 December, 2012 Ping Identity Corporation 1001 17th

More information

HPE Enterprise Integration Module for SAP Solution Manager 7.1

HPE Enterprise Integration Module for SAP Solution Manager 7.1 HPE Enterprise Integration Module for SAP Solution Manager 7.1 Software Version: 12.55 User Guide Document Release Date: August 2017 Software Release Date: August 2017 HPE Enterprise Integration Module

More information

CaliberRDM. Installation Guide

CaliberRDM. Installation Guide CaliberRDM Installation Guide Borland Software Corporation 4 Hutton Centre Dr., Suite 900 Santa Ana, CA 92707 Copyright 2010 Micro Focus (IP) Limited. All Rights Reserved. CaliberRDM contains derivative

More information

NBC-IG Installation Guide. Version 7.2

NBC-IG Installation Guide. Version 7.2 Installation Guide Version 7.2 2017 Nuance Business Connect 7.2 Installation Guide Document Revision History Revision Date August 8, 2017 Revision List Updated supported SQL Server versions June 14, 2017

More information

VMware Identity Manager Connector Installation and Configuration (Legacy Mode)

VMware Identity Manager Connector Installation and Configuration (Legacy Mode) VMware Identity Manager Connector Installation and Configuration (Legacy Mode) VMware Identity Manager This document supports the version of each product listed and supports all subsequent versions until

More information

IBM. Bulk Load Utilities Guide. IBM Emptoris Contract Management SaaS

IBM. Bulk Load Utilities Guide. IBM Emptoris Contract Management SaaS IBM Emptoris Contract Management IBM Bulk Load Utilities Guide 10.1.2 SaaS IBM Emptoris Contract Management IBM Bulk Load Utilities Guide 10.1.2 SaaS ii IBM Emptoris Contract Management: Bulk Load Utilities

More information

Sophos Mobile. super administrator guide. Product Version: 8

Sophos Mobile. super administrator guide. Product Version: 8 Sophos Mobile super administrator guide Product Version: 8 Contents About this guide... 1 Document conventions... 1 Super administrator... 2 Super administrator tasks...2 Super administrator customer...

More information

Central Administration Console Installation and User's Guide

Central Administration Console Installation and User's Guide IBM Tivoli Storage Manager FastBack for Workstations Version 7.1 Central Administration Console Installation and User's Guide SC27-2808-03 IBM Tivoli Storage Manager FastBack for Workstations Version

More information

Microsoft Office Groove Server Groove Manager. Domain Administrator s Guide

Microsoft Office Groove Server Groove Manager. Domain Administrator s Guide Microsoft Office Groove Server 2007 Groove Manager Domain Administrator s Guide Copyright Information in this document, including URL and other Internet Web site references, is subject to change without

More information

ZENworks Mobile Workspace Installation Guide. September 2017

ZENworks Mobile Workspace Installation Guide. September 2017 ZENworks Mobile Workspace Installation Guide September 2017 Legal Notice For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights,

More information

VMware AirWatch Content Gateway Guide for Windows

VMware AirWatch Content Gateway Guide for Windows VMware AirWatch Content Gateway Guide for Windows AirWatch v9.1 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com. This product

More information

Oracle Retail Customer Engagement Cloud Service (Relate) Installation Guide - Installer Release 11.4 E Revision 2

Oracle Retail Customer Engagement Cloud Service (Relate) Installation Guide - Installer Release 11.4 E Revision 2 Oracle Retail Customer Engagement Cloud Service (Relate) Installation Guide - Installer Release 11.4 E79512-01 Revision 2 September 2016 Oracle Retail Customer Engagement Cloud Service (Relate), Installation

More information

VMware AirWatch Content Gateway Guide for Windows

VMware AirWatch Content Gateway Guide for Windows VMware AirWatch Content Gateway Guide for Windows AirWatch v9.3 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com. This product

More information

ECM-VNA Convergence Connector

ECM-VNA Convergence Connector ECM-VNA Convergence Connector Installation and Setup Guide Version: 1.0.x Written by: Product Knowledge, R&D Date: September 2016 2016 Lexmark. All rights reserved. Lexmark is a trademark of Lexmark International

More information

Orgnazition of This Part

Orgnazition of This Part Orgnazition of This Part Table of Contents Tutorial: Organization of This Part...1 Lesson 1: Starting JReport Enterprise Server and Viewing Reports...3 Introduction...3 Installing JReport Enterprise Server...3

More information

SAML 2.0 SSO. Set up SAML 2.0 SSO. SAML 2.0 Terminology. Prerequisites

SAML 2.0 SSO. Set up SAML 2.0 SSO. SAML 2.0 Terminology. Prerequisites SAML 2.0 SSO Agiloft integrates with a variety of SAML authentication providers, or Identity Providers (IdPs). SAML-based SSO is a leading method for providing federated access to multiple applications

More information

External Data Connector for SharePoint

External Data Connector for SharePoint External Data Connector for SharePoint Last Updated: August 2014 Copyright 2014 Vyapin Software Systems Private Limited. All rights reserved. This document is being furnished by Vyapin Software Systems

More information

SOA Software Policy Manager Agent v6.1 for WebSphere Application Server Installation Guide

SOA Software Policy Manager Agent v6.1 for WebSphere Application Server Installation Guide SOA Software Policy Manager Agent v6.1 for WebSphere Application Server Installation Guide Trademarks SOA Software and the SOA Software logo are either trademarks or registered trademarks of SOA Software,

More information

VMware AirWatch Content Gateway Guide For Linux

VMware AirWatch Content Gateway Guide For Linux VMware AirWatch Content Gateway Guide For Linux AirWatch v9.2 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com. This product

More information

CA XCOM Data Transport Gateway

CA XCOM Data Transport Gateway CA XCOM Data Transport Gateway Product Guide Release 11.6 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

TIBCO iprocess Workspace Plug-ins Installation. Software Release 11.2 September 2009

TIBCO iprocess Workspace Plug-ins Installation. Software Release 11.2 September 2009 TIBCO iprocess Workspace Plug-ins Installation Software Release 11.2 September 2009 Important Information SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED OR BUNDLED TIBCO

More information

TIBCO Spotfire Automation Services 7.5. User s Manual

TIBCO Spotfire Automation Services 7.5. User s Manual TIBCO Spotfire Automation Services 7.5 User s Manual Revision date: 15 January 2016 Important Information SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED OR BUNDLED TIBCO

More information

Aspera Connect Windows XP, 2003, Vista, 2008, 7. Document Version: 1

Aspera Connect Windows XP, 2003, Vista, 2008, 7. Document Version: 1 Aspera Connect 2.6.3 Windows XP, 2003, Vista, 2008, 7 Document Version: 1 2 Contents Contents Introduction... 3 Setting Up... 4 Upgrading from a Previous Version...4 Installation... 4 Set Up Network Environment...

More information

Release Date September 30, Adeptia Inc. 443 North Clark Ave, Suite 350 Chicago, IL 60654, USA

Release Date September 30, Adeptia Inc. 443 North Clark Ave, Suite 350 Chicago, IL 60654, USA Adeptia Suite 5.0 Installation Guide Release Date September 30, 2009 Adeptia Inc. 443 North Clark Ave, Suite 350 Chicago, IL 60654, USA Copyright Copyright 2000-2009 Adeptia, Inc. All rights reserved.

More information

Tivoli SecureWay Policy Director WebSEAL. Installation Guide. Version 3.8

Tivoli SecureWay Policy Director WebSEAL. Installation Guide. Version 3.8 Tivoli SecureWay Policy Director WebSEAL Installation Guide Version 3.8 Tivoli SecureWay Policy Director WebSEAL Installation Guide Version 3.8 Tivoli SecureWay Policy Director WebSEAL Installation Guide

More information

SAP Edge Services, cloud edition Streaming Service - Configuration Guide Version 1803

SAP Edge Services, cloud edition Streaming Service - Configuration Guide Version 1803 SAP Edge Services, cloud edition Streaming Service - Configuration Guide Version 1803 Public TABLE OF CONTENTS 1 INTRODUCTION... 3 2 PREREQUISITES... 3 2.1 JAVA_HOME... 3 2.2 Python (version 2.7.x 64-bit)...

More information

EMC SourceOne Discovery Manager Version 6.7

EMC SourceOne Discovery Manager Version 6.7 EMC SourceOne Discovery Manager Version 6.7 Installation and Administration Guide 300-012-743 REV A01 EMC Corporation Corporate Headquarters: Hopkinton, MA 01748-9103 1-508-435-1000 www.emc.com Copyright

More information

Blue Coat Security First Steps Solution for Controlling HTTPS

Blue Coat Security First Steps Solution for Controlling HTTPS Solution for Controlling HTTPS SGOS 6.5 Legal Notice Copyright 2017 Symantec Corp. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, Blue Coat, and the Blue Coat logo are trademarks

More information

VIRTUAL GPU LICENSE SERVER VERSION , , AND 5.1.0

VIRTUAL GPU LICENSE SERVER VERSION , , AND 5.1.0 VIRTUAL GPU LICENSE SERVER VERSION 2018.10, 2018.06, AND 5.1.0 DU-07754-001 _v7.0 through 7.2 March 2019 User Guide TABLE OF CONTENTS Chapter 1. Introduction to the NVIDIA vgpu Software License Server...

More information

Configuring the Cisco APIC-EM Settings

Configuring the Cisco APIC-EM Settings Logging into the Cisco APIC-EM, page 1 Quick Tour of the APIC-EM Graphical User Interface (GUI), page 2 Configuring the Prime Infrastructure Settings, page 3 Discovery Credentials, page 4 Security, page

More information

Stonesoft Management Center. Release Notes for Version 5.6.1

Stonesoft Management Center. Release Notes for Version 5.6.1 Stonesoft Management Center Release Notes for Version 5.6.1 Updated: January 9, 2014 Table of Contents What s New... 3 Fixes... 3 System Requirements... 6 Basic Management System Hardware Requirements...

More information

VMware AirWatch Integration with OpenTrust CMS Mobile 2.0

VMware AirWatch Integration with OpenTrust CMS Mobile 2.0 VMware AirWatch Integration with OpenTrust CMS Mobile 2.0 For VMware AirWatch Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

Workspace Administrator Help File

Workspace Administrator Help File Workspace Administrator Help File Table of Contents HotDocs Workspace Help File... 1 Getting Started with Workspace... 3 What is HotDocs Workspace?... 3 Getting Started with Workspace... 3 To access Workspace...

More information

VMware AirWatch Content Gateway Guide for Windows

VMware AirWatch Content Gateway Guide for Windows VMware AirWatch Content Gateway Guide for Windows AirWatch v9.2 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com. This product

More information

Installation Guide. CompanyCRYPT v1.4.5

Installation Guide. CompanyCRYPT v1.4.5 Installation Guide S.I.T. GmbH & Co. KG Kaiser-Wilhelm-Str. 9 30159 Hanover Germany Telefon: +49 511 8999 710 Telefax: +49 511 8999 712 Internet: www.companycrypt.com email: info@companycrypt.com Copyright

More information