Alliance Key Manager AKM for AWS Quick Start Guide. Software version: Documentation version:


Alliance Key Manager
AKM for AWS Quick Start Guide
Software version:
Documentation version:
Townsend Security

Copyright 2016 by Townsend Security, Inc. All rights reserved.

Both this book and the software described by this book are protected by copyright. You may not copy or reproduce this book in any form without prior written permission from Townsend Security, Inc. The software associated with this product is governed by a license agreement. This software is yours to use only as long as you adhere to the terms of the license agreement.

US GOVERNMENT RESTRICTED RIGHTS. The SOFTWARE PRODUCT and documentation are provided with RESTRICTED RIGHTS. Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS or subparagraphs (c)(1) and (2) of the Commercial Computer Software-Restricted Rights at 48 CFR , as applicable. Manufacturer is Townsend Security, Inc., 724 Columbia St. NW, Suite 400, Olympia, WA USA.

Alliance Key Manager is a registered trademark of Townsend Security, Inc. Amazon Web Services (AWS) is a registered trademark of Amazon, Inc.

Townsend Security, Inc.
724 Columbia St. NW, Suite 400
Olympia, WA USA
Phone: Toll Free: Fax: Website: info@townsendsecurity.com

Copyright 2016 Townsend Security, Inc.

Table of Contents

Chapter 1: About This Manual
    Alliance Key Manager
    AKM for AWS
    Who is this for?
    Client applications and SDKs
    Other resources
    Notices
    Change log
Chapter 2: Introduction
    Deploy AKM for AWS
    Set up AKM for AWS
    Licensing
    Certificates
    Encryption keys
Chapter 3: Before You Begin
    Download the AKM Supplemental
    Software updates
Chapter 4: Launch AKM for AWS
    Locate AKM for AWS in the Amazon Marketplace
    1-Click Launch
    Manual Launch
    Regions, Availability Zones, and Virtual Private Cloud
    Security Group
    Select or create a key pair
    Note the IP address or hostname
Chapter 5: Set up AKM for AWS
    Overview
    Initialize the primary AKM server
    Create an initial set of encryption keys
    Set the admin password
    Initialize a secondary mirror server
    SSH key pairing options
    Disable automatic rollover on the secondary AKM (IMPORTANT)
    Next steps
    Certificate Manager
    Other administrative options
    Migrate (Initialize from backup)
    Start/Stop AKM
    Disable Webmin
    Collect logs for troubleshooting
    Fix akm.conf
    Exit to shell
    Disconnect from AKM
    Next steps
Chapter 6: Start Using AKM for AWS
    Log in to the web interface
    Set up admin and key clients
    Download key client certificates
    Download Crypto Officer certificates
    Give the name of an encryption key to your client application developer
Chapter 7: Create and Manage Encryption Keys
    AKM Administrative Console
    Verify the connection to AKM server
    Set key access policy on an encryption key
    Create a new encryption key
Chapter 8: Create Additional Admin and Client Certificates
    Create an admin certificate
    Create a key client certificate
    Import and sign certificate signing requests
Chapter 9: Manage the AKM Server
    Server management
    Certificate backup
Chapter 10: Obtain a Permanent License
    BYOL
    Install a new license
    Fee-based
    Migrate from a test environment to a production environment
Chapter 11: Support
Appendix A: Connecting with PuTTY
Appendix B: Set up Bidirectional Mirroring

Chapter 1: About This Manual

Alliance Key Manager

Townsend Security's Alliance Key Manager (AKM) provides a complete key management solution, including server setup and configuration, key lifecycle administration, secure key storage, key import/export, key access control, mirroring, and backup/restore. AKM supports compliance audit logging of all server, key access and configuration functions. AKM can be deployed using VMware, as a cloud server in Microsoft Azure or Amazon Web Services, as a privately managed Hardware Security Module (HSM), or as a dedicated Cloud HSM.

Server management is accessed via a secure web browser interface and you can create and manage encryption keys using the AKM Administrative Console. The AKM solution supports the generation of certificates and private keys needed for authentication between client and server. A number of client-side applications, pre-compiled libraries, and code samples are available to help developers and key clients on a variety of platforms retrieve data encryption keys or perform remote encryption and decryption on the AKM server. All materials needed for deployment can be found on the AKM Supplemental zip archive.

NOTE: Please register at to receive a link to download the AKM Supplemental and receive support for your evaluation or deployment.

AKM for AWS

Alliance Key Manager for Amazon Web Services (AKM for AWS) is deployed as an Amazon Machine Image (AMI) in the AWS cloud. AKM for AWS is offered both as a BYOL (Bring Your Own License) model and a fee-based model. AKM for AWS allows you to quickly set up key retrieval or remote encryption in your client application.

Initialization of the AKM server is controlled through a text interface Administrative Menu. A license and all of the certificates and private keys needed for TLS will be generated through the menu, and you will have the option to generate an initial set of encryption keys which can be used in client applications for proof of concept, development, or production. After initialization of the primary AKM server you can create additional certificates and private keys for client/server connections if needed. Additional encryption keys can be created and managed using the AKM Administrative Console.

Alliance Key Manager can also be deployed as a Hardware Security Module (HSM), hosted HSM, or VMware instance, and you can create a custom implementation across platforms to integrate with your existing applications or for high availability mirroring.

Who is this for?

This guide is intended to help Project Managers, Crypto Officers, System Administrators, and Application Developers deploy and use AKM for AWS. It covers deploying AKM for AWS, setting up AKM, starting to use AKM, creating and managing encryption keys, creating additional client and admin (Crypto Officer) certificates, managing the AKM server, obtaining a permanent license, and support.

Client applications and SDKs

Townsend Security provides the following applications and SDKs to assist with client-side key retrieval or remote encryption with AKM for AWS:

- Key Connection for SQL Server: Microsoft Extensible Key Management Provider for Transparent Data Encryption (TDE) and cell level encryption
- SQL Server UDF for all editions of SQL Server
- Key Connection for Drupal
- Key Connection for Encryptionizer
- Windows SDK for .NET applications
- Encryption solutions for Linux

In addition to these offerings, Townsend Security provides software libraries and code samples to assist with custom implementations. Please register with Townsend Security to receive support, documentation, SDKs, and related software.

Other resources

The following documents provide additional information on the installation and use of Alliance Key Manager:

- AKM User Guide
- AKM Server Management Guide
- AKM Administrative Console Guide

These and other resources are available on the AKM Supplemental. You will receive the AKM Supplemental when you register with Townsend Security.

Notices

This product and documentation is covered by U.S. and International copyright law. This product may incorporate software licensed under one or more open source license agreements. Government users please note that this product is provided under restricted government use license controls. Please refer to the AKM End User License Agreement for more information.

Change log

The following table provides information on the changes to this documentation:

Version  Date  Description
/2/2014   Initial draft
/8/2014   Update screenshots of the text interface
/15/2014  Updates. Add screenshots for the Amazon Marketplace. Add information on permanent licensing
/16/2014  Update for fee-based AMI
/13/2015  Add information for different mirroring configurations
/18/2015  Updates. Add appendix on connecting to the AKM server using PuTTY
/16/2016  Update for AKM 4.0, including new mirroring setup and migration option. Add appendix on setting up bidirectional mirroring
/12/2016  Remove references to demo apps.

Chapter 2: Introduction

This chapter briefly describes the deployment process for AKM for AWS. Subsequent chapters describe these steps in more detail.

Deploy AKM for AWS

Deploying AKM for AWS includes launching the AKM AMI from the Amazon Marketplace and configuring regions, availability zones, and other options specific to AWS.

Set up AKM for AWS

Setting up AKM for AWS begins with connecting via SSH to your primary AKM server. This will launch an Administrative Menu from which you can complete the following tasks:

- Initialize the primary AKM server
  o Automatically activate the license and create all certificates and private keys needed to set up client/server connections
  o Create an initial set of encryption keys (optional)
- Set the admin password
- Initialize a secondary mirror AKM server for real-time key mirroring, high availability, or failover support (optional)
- Migrate to a new AKM server from a previous version of AKM (optional)
- Initialize a secondary AKM server for real-time key mirroring, high availability, or failover support (optional)
- Create additional certificates and private keys for client/server connections (optional)
- Collect logs for troubleshooting if needed

IMPORTANT: For AKM to activate the license, your VM must have a route to the internet. If licensing fails, contact Townsend Security or your software vendor to manually license AKM. Then, see the section on Installing a new license in Chapter 10 for instructions on manually installing the license.

Once you have initialized the primary AKM server and set the password, you can log in to the web interface and download the certificates and private keys needed for client/server connections. If you set up a secondary mirror server, you should download certificates and private keys after setting up mirroring.

SECURITY ALERT: Since the certificates and encryption keys are dynamically generated upon initialization, no one except you has access to these components.

See below for more information.

Licensing

AKM for AWS supports two licensing models: BYOL (Bring Your Own License) and fee-based. With a BYOL model, a 30-day license is generated automatically on initialization of AKM, and you will need to contact Townsend Security to purchase a permanent license. If you choose a fee-based licensing model, AKM will generate a permanent license, but your use of the license will be determined by Amazon. You can evaluate AKM for free for 30 days, after which you will be charged by Amazon Web Services for the then-current hourly or monthly license fee for AKM. See Chapter 10: Obtain a Permanent License for information on migrating from a temporary to a permanent license.

Certificates

The following certificates are created automatically on initialization and stored on the AKM server:

- Authentication Key (Auth Key) and Key Encryption Key (KEK) certificates and private keys: The KEK and Auth certificate and private key pairs are used by AKM to create the Key Encryption Key (KEK) and Authentication Key (Auth Key), two symmetric keys that are stored on the AKM server. These secret keys are used by AKM to protect your data encryption keys. You will not need to use or distribute the KEK and Auth certificates and private keys.
- Server certificate and private key: These are used by AKM servers to authenticate with each other for mirroring, and to authenticate with client applications.
- Certificate authority (CA) certificate: This is a unique CA certificate that is used to sign admin and key client certificates. Admin and key clients usually install the CA certificate along with a client certificate to authenticate with the AKM server. The CA certificate will also be used to sign additional admin (Crypto Officer) and client certificates if needed. See Chapter 8: Create Additional Admin and Client Certificates for more information.
- Admin certificates and private keys: Admin certificates and private keys allow for authentication between admin clients and the AKM server, and are used by crypto officers for key creation and management in the AKM Administrative Console. Two admin certificates are created by default to support dual control. See the AKM Administrative Console Guide for information on key creation, key management, and enabling dual control.
- Client certificate and private key: You will give the client certificate and private key to client application developers to set up key retrieval or remote encryption in client applications. This is covered in Chapter 6: Start Using AKM for AWS. One client certificate is created by default.

After deploying AKM for AWS, you can immediately download and distribute certificates and private keys to Crypto Officers and client application developers for client configuration. After you initialize the primary AKM server, you will be presented with the option to create additional admin and client certificates and private keys if needed. See Chapter 8: Create Additional Admin and Client Certificates for more information.

SECURITY ALERT: Private key files must be protected during creation, distribution, and storage to prevent loss. The loss of these files will compromise the security of the AKM server. Depending on the file format, the private key files may be bundled with a certificate or they may be separate files. Transfer the private key files by sharing them over a secure network, placing them in a password-protected zip file, sending them using SFTP, or another secure method. Use the same level of care you would employ to protect encryption keys, including encryption. In the event the private keys are compromised or lost, you should immediately replace the certificate authority on the AKM server and all client certificates in that chain of trust. See the AKM Certificate Manager Guide for more information.

Encryption keys

On initialization, you will be given the option to generate an initial set of encryption keys. You can use these keys in client applications for proof of concept, development, or production. See Chapter 5: Set up AKM for AWS and Chapter 6: Start Using AKM for AWS for more information. If you need to create additional encryption keys or manage existing keys, see Chapter 7: Create and Manage Encryption Keys.

Chapter 3: Before You Begin

Before deploying AKM for AWS, you will need to complete the following steps:

- Download the AKM Supplemental
- If deploying to production, see below for important information on software updates

See below for more information.

Download the AKM Supplemental

Please register at to receive a link to download the AKM Supplemental. Download and unzip this file. The AKM Supplemental contains everything you will need to deploy AKM, including additional technical documentation, related software such as the AKM Administrative Console for creating and managing encryption keys, and applications and SDKs for key retrieval and remote encryption.

Software updates

Townsend Security will provide you with any needed updates to the web interface, operating system, and key management application through the Townsend Security customer support group.

IMPORTANT: You must not attempt to apply any software updates through automated patch facilities or any updates not directly provided by Townsend Security. Applying these updates will void your warranty, and you may be required to restore your system from a backup in order to continue operation.

For current Townsend Security customers migrating to a new AKM server from an older version of AKM, see the section on migration in this guide for instructions. Open a support ticket with Townsend Security for assistance.

Chapter 4: Launch AKM for AWS

First you will launch the AKM AMI from the Amazon Marketplace. During the launch process you will configure regions, availability zones, and other options specific to AWS. See below for more information.

Locate AKM for AWS in the Amazon Marketplace

AKM for AWS is available as a BYOL (bring your own license) on the Amazon Marketplace:

AKM for AWS is also available with a fee-based license:

The following page is displayed:

Note that the screenshots displayed refer to the BYOL listing, but instructions for the fee-based option will be similar.

Click Continue. The following page is displayed:

1-Click Launch

If you would like to perform a 1-Click Launch, select the configuration options you want to use in the left panel. The exact configuration options will be particular to your application needs, but be sure to select at least a size of m1.small for EC2 Instance Type. If you are deploying more than one AKM server for real-time key mirroring, high availability, or failover support, we recommend that you deploy your AKM instances in separate regions. For more information on configuration options or to perform a Manual Launch, see the Manual Launch section.

Select licensing options in the right panel. Click Accept Terms & Launch with 1-Click. The following dialog is displayed:

The AKM AMI has been added to your Software Subscriptions.

Manual Launch

From the launch page, select Manual Launch:

In the Launching Options pane, select a region in which to launch the AKM AMI by clicking the Launch with EC2 Console button next to your desired region. If you are deploying more than one AKM server for real-time key mirroring, high availability, or failover support, we recommend that you deploy your AKM instances in separate regions.

The following page is displayed:

Use an Instance Type of at least m1.small. Click Next: Configure Instance Details to configure regions, availability zones, and other configuration options specific to AWS.

The following page is displayed:

Configure your Instance Details. See below for information on regions, Availability Zones, and Virtual Private Cloud.

Regions, Availability Zones, and Virtual Private Cloud

Regions and Availability Zones in AWS are used to provide high availability failover support. Amazon describes regions and Availability Zones as follows:

"Amazon EC2 is hosted in multiple locations world-wide. These locations are composed of regions and Availability Zones. Each region is a separate geographic area. Each region has multiple, isolated locations known as Availability Zones. Amazon EC2 provides you the ability to place resources, such as instances, and data in multiple locations. Resources aren't replicated across regions unless you do so specifically. Amazon operates state-of-the-art, highly-available data centers. Although rare, failures can occur that affect the availability of instances that are in the same location. If you host all your instances in a single location that is affected by such a failure, none of your instances would be available." [1]

Amazon further states:

"When you launch an instance, you can select an Availability Zone or let us choose one for you. If you distribute your instances across multiple Availability Zones and one instance fails, you can design your application so that an instance in another Availability Zone can handle requests." [2]

We recommend that you deploy your AKM instances in separate Availability Zones to maintain high availability. See the links above and the following website for more information about deploying in EC2-VPC (Virtual Private Cloud):

Click Next: Add Storage.

[2] Ibid.

The following page is displayed:

Select the default storage options. Click Next: Tag Instance.

The following page is displayed:

While not necessary, setting a tag will help you identify the instance, if you have more than one VM running in AWS. Click Next: Configure Security Group.

The following page is displayed:

Configure your Security Group. See below for more information.

Security Group

AKM uses the following ports:

- 22 for SSH
- 3886 for the web administrative interface
- 5696 for key requests formatted in KMIP
- 6000 for key retrieval requests formatted in AKM's protocol
- 6001 for key management commands formatted in AKM's protocol
- 6002 for mirroring between AKMs
- 6003 for AKM's encryption service

Best practice dictates that you use the most restrictive security group that your application allows. We recommend that you open only those ports for which you need external access. For port 3886, we recommend closing the port until you need to access AKM's web administrative interface. After initializing AKM through the SSH menu, we recommend that you close port 22 unless you need to access the Certificate Manager again.
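The port guidance above can be checked mechanically. The following added example (not part of the Townsend Security guide or product) audits ingress rules, in the IpPermissions shape returned by the EC2 DescribeSecurityGroups call, against the port list and recommendations in this section. The sample rules and addresses are constructed, audit_ingress and mirror_peers are hypothetical names, and the code assumes the AKM services are TCP and treats the mirroring port as peer-only.

```python
"""Audit security-group ingress rules against the AKM port guidance (added example)."""
import ipaddress

# Ports the guide lists for AKM.
AKM_PORTS = {
    22: "SSH",
    3886: "web administrative interface",
    5696: "key requests formatted in KMIP",
    6000: "key retrieval (AKM protocol)",
    6001: "key management commands (AKM protocol)",
    6002: "mirroring between AKMs",
    6003: "encryption service",
}
# Ports the guide recommends closing when they are not actively needed.
CLOSE_WHEN_IDLE = {22, 3886}
MIRROR_PORT = 6002


def _sources(rule):
    """Yield each IPv4/IPv6 source network of one IpPermissions entry."""
    for item in rule.get("IpRanges", []):
        yield ipaddress.ip_network(item["CidrIp"], strict=False)
    for item in rule.get("Ipv6Ranges", []):
        yield ipaddress.ip_network(item["CidrIpv6"], strict=False)


def _is_peer(src, peers):
    """True when src lies entirely inside one of the declared mirror peers."""
    return any(src.version == p.version and src.subnet_of(p) for p in peers)


def audit_ingress(ip_permissions, mirror_peers=()):
    """Return (ports, source, finding) tuples for rules that break the guidance.

    Security-group-to-security-group sources (UserIdGroupPairs) are not examined.
    """
    peers = [ipaddress.ip_network(p, strict=False) for p in mirror_peers]
    findings = []
    for rule in ip_permissions:
        proto = rule.get("IpProtocol")
        if proto == "-1":            # "all traffic" rule: covers every port
            low, high = 0, 65535
        elif proto == "tcp":         # assumption: the AKM services are TCP
            low, high = rule["FromPort"], rule["ToPort"]
        else:
            continue
        label = str(low) if low == high else f"{low}-{high}"
        covered = [p for p in AKM_PORTS if low <= p <= high]
        extra = (high - low + 1) - len(covered)
        for src in _sources(rule):
            world = src.prefixlen == 0   # 0.0.0.0/0 or ::/0
            if extra:
                findings.append((label, str(src), "opens ports AKM does not use"))
            for port in covered:
                if port in CLOSE_WHEN_IDLE and world:
                    msg = f"{AKM_PORTS[port]} open to any address; close when not in use"
                elif port == MIRROR_PORT and not _is_peer(src, peers):
                    msg = "mirroring port reachable from a source that is not a mirror peer"
                elif world:
                    msg = f"{AKM_PORTS[port]} open to any address; restrict the source"
                else:
                    continue
                findings.append((str(port), str(src), msg))
    return findings


# Constructed sample rules using documentation address ranges (not from the guide).
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3886, "ToPort": 3886,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
    {"IpProtocol": "tcp", "FromPort": 6000, "ToPort": 6003,
     "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
     "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
]
SAMPLE_PEERS = ["198.51.100.7/32"]   # constructed address of the other AKM server

if __name__ == "__main__":
    for ports, source, finding in audit_ingress(SAMPLE_RULES, SAMPLE_PEERS):
        print(f"port {ports:<9} from {source:<18} {finding}")
```

On the sample rules this reports the world-open SSH rule, the 6000-6003 range that exposes the mirroring port to a non-peer subnet, and the unrelated port 8080.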

IMPORTANT: To configure mirroring between a primary AKM server and a secondary server, the security group of the primary AKM server must allow connections from the secondary server on port 22, and the security group of the secondary server must allow connections from the primary on port

Click Review and Launch. The following page is displayed:

Review your instance launch details and click Launch.

Select or create a key pair

The following dialog is displayed:

Select Create a new key pair, give the key pair a name, and click Launch Instances. You will be prompted to save the newly created key to your workstation. If you prefer to use an existing key, select Choose an existing key pair and select the key pair you would like to use. Click Launch Instances. The private key you select or create here will be used when connecting to the AKM server via SSH.

Note the IP address or hostname

The AKM IP address or hostname is displayed on the AWS dashboard. Take note of this value as it will be used to connect to the AKM server via SSH.

Chapter 5: Set up AKM for AWS

Setting up AKM for AWS includes the following steps:

- Initializing the primary AKM server
- Providing a name for the AKM server
- Creating an initial set of encryption keys (optional)
- Setting the admin password for each AKM server
- Initializing the secondary AKM server (optional)
- Creating additional admin and client certificates (optional)
- Exiting to a shell (optional)
- Disconnecting from AKM

These steps are completed through a text interface Administrative Menu.

Overview

First, you will initialize the primary AKM server and set the admin password. The initialization process sets up the AKM server, creates a unique CA certificate for use with AKM, creates all certificate and private key pairs needed for server/client communication, and activates the license. You will also have the option to create an initial set of encryption keys to use during testing or production.

After initializing the primary AKM server and setting the admin password, you can set up a secondary AKM server if needed. A secondary AKM server can be used for real-time key mirroring, high availability, or failover support. To set up a secondary AKM server, you will have to disconnect from the primary AKM server and reconnect using the IP address or hostname of the secondary AKM server.

After you initialize the primary AKM server, you will have the option to create additional admin and key client certificate and private key pairs via the Certificate Manager option on the text interface Administrative Menu if needed.

Other administrative options include exiting to a shell and disconnecting from AKM. You can exit to a shell if you need direct access to the OS for control over Linux options and facilities. You should disconnect from AKM when you are finished with the session.

Initialize the primary AKM server

Open an SSH connection to the primary AKM server using the private key you specified during the launch of your AKM virtual machine and the AKM IP address or hostname (which you can find on the AWS dashboard). For example:

    ssh -i ~/.ssh/privatekey.pem admin@akmhostname

IMPORTANT: For AKM to activate the license, your VM must have a route to the internet. Be sure to use the public IP address or hostname of the VM to initialize. See for more information. If licensing fails, contact Townsend Security or your software vendor to manually license AKM. Then, see the section on Installing a new license in Chapter 10 for instructions on manually installing the license.

NOTE: Windows users can connect to the server via SSH using PuTTY. See Appendix A: Connecting with PuTTY for more information.

SECURITY ALERT: For Linux users, be aware that user permissions on the private key file must be read and write only. If the private key file has different permissions you may be presented with the following:

    WARNING: UNPROTECTED PRIVATE KEY
    Permissions 0644 for 'privatekey.pem' are too open.
    It is required that your private key files are NOT accessible by others.
    This private key will be ignored.

To modify the private key file for the correct user permissions, execute the following command:

    chmod 400 privatekey.pem

Indicate that you have read and accept the AKM End User License Agreement (available at ) to continue with initialization:

The Administrative Menu is displayed:

If you have not already done so, please register at to receive support, documentation, SDKs, and related software.

Enter option 1 to Initialize AKM.

The Initialization Menu is displayed:

Enter option 1 to Initialize as PRIMARY. This will designate this server as your primary AKM server and start the initialization process.

NOTE: In the context of mirroring, a primary AKM server either operates alone or sends mirrored keys and metadata to any number of mirror servers. You must initialize a primary server first and can then initialize any additional mirror servers. A server initialized as a primary can also receive mirrored keys in a bidirectional mirroring configuration.

You will be prompted to enter the two-character country code, the name of your state or province, your city/locale, and your organization name (for example, your company name), and a unique name for this AKM server:

Create an initial set of encryption keys

You will now be prompted to create an initial set of encryption keys:

Enter y if you would like to create an initial set of encryption keys. You can use these encryption keys for proof of concept, development, or production. Enter N if you do not want to create encryption keys at this time. You can also create encryption keys at any time using the AKM Administrative Console. See Chapter 6: Create and Manage Encryption Keys for more information.

NOTE: Creating encryption keys at this point is optional and does not affect the operation of AKM. However, it may be convenient to have keys available for development or proof of concept without having to use the AKM Administrative Console to manually create encryption keys.

AKM will now initialize. Make sure you do not interrupt this process:

The primary AKM server has now initialized and AKM is running. The server time has been synchronized with a time server (time.nist.gov). The initialization process has created a unique certificate authority (CA) certificate and server certificate for AKM, activated the license, and generated client certificate and private key pairs needed for key clients and admin clients to connect to the AKM server.

By default, one client certificate and two admin certificates are created by the initialization process. Two admin certificates are created in order to support dual control of encryption key administration. You can create additional client or admin certificates at a later time.

IMPORTANT: The CA certificate created during this process is unique and should only be used with AKM, and you do not need to create an additional CA certificate for use with AKM.

Press any key to return to the main menu. After initialization, the following menu is displayed:

Set the admin password

After initialization you should change the password for the server. This password will be used to access the Administrative Menu on all future sessions and to log in to the AKM server via the web interface.

From the Administrative Menu, enter option 2 to Set admin password. You will be prompted to change the admin password:

When prompted to enter a New Password, enter your new admin password. This is the password you will use when logging in to the AKM web interface as the admin user for server management. Set a strong, safe password and protect it carefully, as the compromise of this password breaches the security of AKM.

IMPORTANT: Do not lose this password, as there are no backdoors to recover it. If you lose the password please do not contact your software vendor to recover it for you, as this is not possible.

When prompted, reenter the password. The password has been changed. You can now log in to the primary AKM server as the admin user with the password you created above. See the AKM Server Management Guide on the AKM Supplemental for information on server management functions, including backup/restore, logging, and firewall configuration. See Chapter 4: Launch AKM for AWS for information on Regions and Availability Zones in AWS. Setting up the secondary server at this point is optional and can be completed at a later time.

Initialize a secondary mirror server

After initializing the primary AKM server, you can set up additional mirror AKM servers for real-time key mirroring and high availability failover support. Setting up mirror servers at this point is optional and can be completed at a later time.

NOTE: If there is a firewall in place between the primary AKM server and any mirror servers, be sure that ports 22 and 6002 are open before setting up mirroring.

IMPORTANT: For mirroring setup to be successful, the security group of the primary AKM server will need to allow connections from the secondary server on port 22, and the security group of the secondary server will need to allow connections from the primary on port

SSH key pairing options

During mirroring setup, you will be prompted to establish authentication between the two servers using an SSH key. You can accomplish this in one of three ways: by copying the primary AKM server's public SSH key and pasting it into the menu of the secondary AKM server, by downloading the public SSH key from the primary and uploading it to the secondary, or by using an already established SSH key.

1: Paste the SSH public key

This is the most common option to exchange an SSH key between a secondary and primary AKM server.

Open the Administration Menu on the primary AKM server and select option 2) Mirroring after initializing the server. The Mirror Configuration Menu is displayed:

Select 1) Add mirror. Copy and save the SSH public key displayed on the screen.

Open an SSH connection to the secondary AKM server using the IP address or hostname of the secondary AKM server. For example:

    ssh -i ~/.ssh/privatekey.pem admin@secondaryakmhostname

Enter user admin and default password OOHXPq6r530N6re. The Administrative Menu is displayed.

SECURITY ALERT: It is recommended to change the admin password for the mirror server at this time.

Enter option 1 to Initialize AKM, then enter option 2 to Initialize as MIRROR. Enter the locality information and unique name for this server, then wait for the server to initialize.

Return to the main menu. Select the option for Mirroring and then select the option to Accept mirrored keys. You will see three options for establishing authentication using an SSH key:

Select option 1 and press Enter. Paste the SSH public key of the primary AKM server into the console.

NOTE: If you are using PuTTY on Windows, right-click in the console to paste the SSH public key.

After pasting in the SSH public key, press Enter, then press Ctrl-D to continue mirroring setup:

Copy the fingerprint of this AKM for later verification. Press any key to return to the main menu.

Return to the primary AKM server's Mirror Configuration Menu and press Enter:

Enter the IP address of the secondary mirror server to complete mirroring setup. Verify the fingerprint of the mirror server and enter yes to continue.

Wait for mirroring setup to complete. Do not interrupt this process.
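The paste in option 1 only establishes trust if the key arrives intact and the fingerprints are actually compared. The following added example (not part of the original guide or of AKM) parses an OpenSSH public key line such as id_rsa.pub, rejects a truncated or line-wrapped paste, and computes the MD5 and SHA256 fingerprint notations used by OpenSSH. The sample key is constructed, and which notation the AKM menu displays is not stated in this guide.

```python
"""Added example: validate a pasted OpenSSH public key and compute its fingerprints."""
import base64
import hashlib
import struct


class PublicKeyError(ValueError):
    """Raised when a public key line is malformed or was damaged in transit."""


def _read_string(blob, offset):
    """Read one length-prefixed field (RFC 4251 'string') from the key blob."""
    if offset + 4 > len(blob):
        raise PublicKeyError("key blob is truncated (length prefix missing)")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise PublicKeyError("key blob is truncated (field runs past the end)")
    return blob[offset + 4:end], end


def parse_public_key(line):
    """Return (key_type, blob) for one '<type> <base64> [comment]' key line."""
    fields = line.split()
    if len(fields) < 2:
        raise PublicKeyError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:
        raise PublicKeyError("base64 body is damaged: %s" % exc)
    # The blob repeats the key type as its first field; a mismatch means the
    # paste mixed two keys or lost its beginning.
    inner_type, offset = _read_string(blob, 0)
    if inner_type.decode("ascii", "replace") != key_type:
        raise PublicKeyError("key type in blob does not match the prefix")
    # Walk the remaining fields so a cut-off or wrapped paste is caught here.
    while offset < len(blob):
        _, offset = _read_string(blob, offset)
    return key_type, blob


def fingerprints(line):
    """Return both fingerprint notations OpenSSH uses for this key."""
    _, blob = parse_public_key(line)
    md5 = hashlib.md5(blob).hexdigest()
    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii")
    return {
        "md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
        "sha256": "SHA256:" + sha256.rstrip("="),
    }


def same_key(line_a, line_b):
    """True when two key lines carry the same key, ignoring the comment."""
    return parse_public_key(line_a) == parse_public_key(line_b)


def constructed_key_line(comment):
    """Build a well-formed ssh-rsa line from constructed numbers (not a real key)."""
    def field(data):
        return struct.pack(">I", len(data)) + data
    exponent = b"\x01\x00\x01"
    modulus = b"\x00" + bytes(range(1, 128)) + b"\xc5"  # constructed value
    blob = field(b"ssh-rsa") + field(exponent) + field(modulus)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode("ascii"), comment)


if __name__ == "__main__":
    shown_on_primary = constructed_key_line("admin@primary")  # hypothetical comment
    saved_copy = " ".join(shown_on_primary.split()[:2])       # comment dropped
    print("same key:", same_key(shown_on_primary, saved_copy))
    print(fingerprints(saved_copy))
```

Run it against the saved copy of the key before pasting it into the secondary, and again against the text taken from the secondary's console if the paste is in doubt.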

2: Upload the public SSH key to the server

Instead of copying and pasting the SSH public key, you may download the SSH public key from the primary AKM server, then upload it to the secondary mirror AKM server.

Open the Administration Menu on the primary AKM server and select option 2) Mirroring after initializing the server. The Mirror Configuration Menu is displayed:

Select 1) Add mirror.

Open an SSH connection to the secondary AKM server using the IP address or hostname of the secondary AKM server. For example:

    ssh -i ~/.ssh/privatekey.pem

Enter user admin and default password OOHXPq6r530N6re. The Administrative Menu is displayed.

SECURITY ALERT: It is recommended to change the admin password for the mirror server at this time if you have not done so already.

Select option 1) Initialize AKM, then select option 2) Initialize as MIRROR. Enter the locality information and unique name for this server, then wait for the server to initialize.

Return to the main menu. Select the option for Mirroring and then select the option to Accept mirrored keys. You will see three options for establishing authentication using an SSH key:

On the secondary AKM server select option 2 from the SSH menu:

Log in to the primary AKM server web interface and navigate to File Manager. The SSH public key is located in /home/admin/.ssh/ and is called id_rsa.pub. Select this file and click the Save button.

Log in to the secondary AKM server web interface and upload this file to /home/admin/uploads/ via File Manager.

Return to the SSH menu on the secondary AKM server and press any key to continue:

Enter y to confirm that you would like this secondary AKM server to accept mirrored AKM keys from the primary. Note the fingerprint of the secondary AKM for later confirmation.

Return to the primary AKM server Administrative Menu, then use the mirroring menu to select the secondary AKM as its mirror. Confirm the fingerprint of the secondary AKM server.

Mirroring setup is complete.

3: Use an established SSH key

Use this option if the public SSH key has already been authenticated but mirroring setup was not completed.

Open an SSH connection to the secondary AKM server using the IP address or hostname of the secondary AKM server. For example:

    ssh -i ~/.ssh/privatekey.pem admin@secondaryakmhostname

Enter user admin and default password OOHXPq6r530N6re. The Administrative Menu is displayed.

SECURITY ALERT: It is recommended to change the admin password for the mirror server at this time if you have not done so already.

Select option 1) Initialize AKM, then select option 2) Initialize as MIRROR. Enter the locality information and unique name for this server, then wait for the server to initialize.

Return to the main menu. Select the option for Mirroring and then select the option to Accept mirrored keys. You will see three options for establishing authentication using an SSH key:

Select option 3 from the SSH menu of the secondary AKM server:

You should see the name of the primary AKM server under the list of public keys that are already trusted. If not, establish trust using one of the previous authentication options.

Enter y to confirm that you want the secondary AKM server to receive keys from this server. Wait for mirroring setup to complete. Once mirroring setup is complete, press any key to return to the main menu.

Disable automatic rollover on the secondary AKM (IMPORTANT)

The automatic rollover attribute must be disabled on any secondary mirror servers. That way, keys with the automatic rollover attribute are only rolled on the primary server, and the new keys then mirrored to the secondary server. You would not want the mirrored keys on the secondary server (which are mirrored with the same automatic rollover attribute) to roll once again on the secondary, independent of and without the knowledge of the primary server.

Log in to the secondary mirror server via the web interface and select Java File Manager from the left navigation menu.

Navigate to the /etc/akm directory and select akm.conf, then click the Edit button.

Locate the [AutomaticRollover] section and set Enabled to N. Click the Save and Close button.

Stop and restart AKM via the Custom Commands link.

Next steps

After setting up mirroring, bundled CA certificate files are created which contain the CA certificates of both AKM servers. These must be installed on any client connecting to AKM along with the client certificate and private key. If you have previously set up clients before setting up mirroring, the CA certificates installed on the client must be replaced with the CA certificate bundle. See the section Set up admin and key clients for more information. The client certificate and private key files do not need to be replaced.

NOTE: If a bidirectional mirroring configuration is desired, continue with the steps in Appendix B: Set up Bidirectional Mirroring.

Certificate Manager

After initialization, you will be presented with the option to Start Certificate Manager when you return to the Administrative Menu.
On initialization, AKM generated one client certificate and private key pair for a client application to authenticate with the AKM server to perform key retrieval or remote encryption. Two admin certificate and key pairs were created for Crypto Officers to manage encryption keys on the AKM server. You only need to run the Certificate Manager if you need to create additional admin or client certificates or sign a CSR. See Chapter 8: Create Additional Admin and Client Certificates for more information.

IMPORTANT: Initialization of the primary AKM server creates a unique CA certificate which is used to sign all client certificates. This CA certificate should only be used with AKM, and you do not need to create an additional CA certificate for use with AKM. By default, one client certificate and two admin certificates are created by the initialization process. Two admin certificates are created in order to support dual control of encryption key administration.

Other administrative options

This section describes other Administrative Menu options.

Migrate (Initialize from backup)

Current Townsend Security customers can migrate the key database and authentication certificates from an earlier version of AKM to a new AKM. Start a support ticket on the Townsend Security website for assistance with the migration, including information about transferring your permanent license to your new AKM. Follow the steps below to migrate the key database and authentication certificates.

Log in to the web interface of the server you wish to migrate from and run both an application and a secret key backup, selecting a local folder on AKM as the destination. For more information on running a backup, see the AKM Server Management Guide.

Navigate to the directory in Java File Manager where you saved the backups, and select Save to download both files.

Launch the new AKM VM, then log in to that AKM server via the web interface. Use the Java File Manager to upload both files to the /home/admin/uploads directory.

Launch the Administrative Menu on the new AKM VM and select the option to Initialize AKM.

Select the option to Migrate (Initialize from BACKUP). Press Enter. Wait until the migration is successful and AKM has started. Do not interrupt this process.

This initialization option does not include the creation of new client and admin certificates. Use the Start Certificate Manager option in the main menu if new certificates are needed.
See the next chapter for information on downloading these certificates.

Client certificates already in use in client applications will still be valid to connect to AKM. However, if the new AKM has a different IP address than the previous AKM, this will need to be updated in the client application configuration.

Start/Stop AKM

After initializing the server, the main Administrative Menu will include the option to Stop AKM. This stops key services and prevents all clients from connecting to AKM. When AKM is stopped, you can select the option to Start AKM to restart key services.

Disable Webmin

You will use the web interface to download key and admin client certificates and private keys in the next chapter. However, it is recommended to disable the web interface to the AKM server when not in use. From the Administrative Menu, select the option to Disable Webmin. Follow the prompts to disable the web interface.

Collect logs for troubleshooting

For problem determination, you can view logs and start a support ticket on the Townsend Security website for assistance. From the Administrative Menu, select the option to Collect logs for troubleshooting. See Chapter 11: Support for more information.

Fix akm.conf

This option will appear if there is a conflict between the IP address assigned to the AKM server and what is listed in the AKM configuration file (akm.conf). Selecting this option will resolve the conflict by resetting all IP addresses to default ( ). This will remove any manual changes you have made to the AKM configuration file IP addresses.

Exit to shell

You can exit to a shell if you need direct access to the OS for control over Linux options and facilities.

Disconnect from AKM

You should disconnect from AKM when you are finished with the session.

Next steps

You can now log in to the AKM server and download admin and client certificate and key pairs for distribution to admin and key clients. See Chapter 6: Start Using AKM for AWS for more information.

Chapter 6: Start Using AKM for AWS

To get started using AKM, you will first need to log in to the AKM server web interface. You will check that AKM is running, then download the certificates and private keys needed for client applications to perform key retrieval or encryption and decryption on the AKM server.

Log in to the web interface

You may use any browser that supports NPAPI plugins and Java, such as Firefox (see exception below), Internet Explorer, and Safari.

NOTE: Firefox for Windows 64-bit does not support the Java plugin, which is needed to run the web interface Java file manager.

NOTE: Chrome does not support NPAPI plugins.

Open a web browser and connect to the AKM virtual machine via a secure HTTPS connection. Use the IP address or DNS name of the primary AKM server and the port number for the web interface (3886). Your web browser address might look something like the following:

NOTE: AKM generates a private SSL certificate during initialization, so you will likely be presented with a browser security warning. Choose the option to proceed.

The login page is displayed:

Enter the default username admin and the password you set during initialization. Click Login.

The following page is displayed:

Click the green arrow next to AKM to expand the navigation pane:

The navigation pane contains different options for managing the AKM server, including backup/restore, mirroring and logging. See the AKM Server Management Guide for information on these tasks.

To verify that AKM is running, click on the link for Running Processes in the navigation pane. Click Search in the Display menu at the top of the page. Select Matching, enter akmd, and click Search.

If AKM is running, you will see it listed as a running process:

If AKM is not running, click on the link for Custom Commands in the navigation pane. Click on the Start AKM button to start the AKM process and click Return to commands. Check the Running Processes tab again for the akmd process.

If the akmd process is still not running, navigate back to Custom Commands in the navigation pane. Click on the Display AKM Error Log Snippet button. This will display a list of recent errors to help with problem determination. Contact Townsend Security or your software vendor if you need assistance.

IMPORTANT: If you are deploying AKM for AWS in a production environment, you may need to install software patches. Contact Townsend Security or your software vendor to find out if there are any necessary software patches, and if so, install them now.

Set up admin and key clients

Setting up clients for key retrieval or remote encryption includes downloading and distributing client certificates and giving the name of an encryption key to your client application developer. For key management in the AKM Administrative Console, you will download admin certificates and private keys.

SECURITY ALERT: The private key files associated with admin and key client certificates must be protected during creation, distribution, and storage. The loss of these files will compromise the security of any encryption keys this client has access to. Depending on the file format, the private key files may be bundled with a certificate or they may be separate files. Transfer these files by sharing them over a secure network, placing them in a password-protected zip file, sending them using SFTP, or another secure method. Use the same level of care you would employ to protect encryption keys, including encryption. In the event the certificates are compromised or lost, you should immediately replace the certificate authority on the AKM server and all client certificates in that chain of trust. See the AKM Certificate Manager Guide for more information.

In the web interface for the primary AKM server, click on the link for Java File Manager in the navigation pane. Java File Manager is a Java applet for managing the files on the AKM server.

IMPORTANT: Your default Java settings may block applications using self-signed certificates. You will need to add the URL of your AKM server to the list of Java exceptions. To do this, click on Configure Java in your Windows All Programs list or Start Screen. Click the Security tab. Click on the Edit Site List button. Click Add. Enter the URL exactly as you entered it in your browser when logging in to the web interface. Click OK. Now when you run Java File Manager, take the option to continue on the Security Warning dialog.
Download key client certificates

Key client certificates are used in client applications for key retrieval or remote encryption and decryption on the AKM server. Your client application developer will need AKM's CA certificate or a CA certificate bundle (when implementing mirroring), a client certificate/private key pair, and any associated passwords to set up client applications for key retrieval or remote encryption on the AKM server.

The format of the certificate files your client application developer will need depends on the platform and language of the client application environment. If using a secondary mirror server, follow the steps in the section Certificates to use after setting up mirroring.

NOTE: If you do not need to control access to keys, you can use the same client certificate/private key in each client application. If you need to control access to keys, each client application will need a unique client certificate/private key. See Chapter 8: Create Additional Admin and Client Certificates for information on creating additional client certificates.

Certificates to use prior to setting up mirroring

In Java File Manager, navigate to the /home/admin/downloads/ directory. Client certificates are located in <AKMServerName>_user.zip.

Select <AKMServerName>_user.zip and click Save. Unzip this archive.

The following certificates and private keys can be used to set up key clients before mirroring setup:

/JKS
  o AKMClientKeystore.jks (client certificate/private key)
  o AKMClientPassword.txt (client certificate/private key password)
  o AKMRootCATruststore.jks (AKM's CA certificate)
  o AKMRootCATruststorePassword.txt (the CA certificate password)
/KeyConnection
  o AKMClientCertificateAndPrivateKey.p12 (client certificate/private key)
  o AKMClientPassword.txt (client certificate/private key password)
  o AKMRootCACertificate.pem (AKM's CA certificate)
/P12
  o AKMClientCertificateAndPrivateKey.p12 (client certificate/private key)
  o AKMClientPassword.txt (the client certificate/private key password)
/PEM
  o AKMClientCertificate.pem (client certificate)
  o AKMClientPrivateKey.pem (client private key)
  o AKMRootCACertificate.pem (AKM's CA certificate)
  o <PrimaryAKMServerName>.AKMServerCertificate.pem (the primary AKM's server certificate, used for certificate pinning)

Certificates to use after setting up mirroring

After mirroring setup, you will need to use a bundle containing the CA certificates of both AKM servers along with the client certificate and private key. Log in to the web interface and redownload <AKMServerName>_user.zip to gain access to the new mirroring configuration certificates used in client applications after a mirroring pair has been established.

If you have previously set up clients before setting up mirroring, the CA certificates installed on the client must be replaced with this new CA certificate bundle (.pem or .jks) for seamless client failover when AKM is unreachable. The client certificate and private key files do not need to be replaced.

NOTE: When setting up clients in a Windows environment, Windows Certificate Store will not import all of the CA certificates in the bundle. In this case, the primary and secondary mirror CA certificates must be imported individually.

In Java File Manager, navigate to the /home/admin/downloads/ directory. Client certificates are located in <AKMServerName>_user.zip.

Select <AKMServerName>_user.zip and click Save. Unzip this archive.
The following certificates and private keys can be used to set up key clients after mirroring:

/JKS
  o AKMClientKeystore.jks (keystore containing the client certificate/private key)
  o AKMClientPassword.txt (keystore password)
  o /Mirror_Config_Certificates
      - AKMTruststoreBundle.jks (truststore bundle containing both AKM's CA certificates)
      - AKMTruststoreBundlePassword.txt (truststore password)
/KeyConnection
  o AKMClientCertificateAndPrivateKey.p12 (client certificate/private key)
  o AKMClientPassword.txt (client certificate/private key password)
  o /Mirror_Config_Certificates
      - <PrimaryAKMServerName>.AKMRootCACertificate.pem (the primary AKM's CA certificate)
      - <MirrorAKMServerName>.AKMRootCACertificate.pem (the mirror AKM's CA certificate)
/P12
  o AKMClientCertificateAndPrivateKey.p12 (client certificate/private key)
  o AKMClientPassword.txt (the client certificate/private key password)

/PEM
  o AKMClientCertificate.pem (client certificate)
  o AKMClientPrivateKey.pem (client private key)
  o <PrimaryAKMServerName>.AKMServerCertificate.pem (the primary AKM's server certificate, used for certificate pinning)
  o /Mirror_Config_Certificates
      - <PrimaryAKMServerName>.AKMRootCACertificate.pem (the primary AKM's CA certificate)
      - <MirrorAKMServerName>.AKMRootCACertificate.pem (the mirror AKM's CA certificate)
      - AKMRootCertificatesBundle.pem (bundle with both AKM's CA certificates)

Download Crypto Officer certificates

Crypto Officer certificates are used to connect to AKM for key management operations. Your Crypto Officer will need the AKM CA certificate truststore or truststore bundle (when implementing mirroring), and an admin client certificate/private key keystore in .jks format, as well as any associated passwords, to use the AKM Administrative Console to create and manage encryption keys.

.pem files can be used for admin clients under program control if needed. See the AKM Admin API Reference for more information on using admin commands under program control.

If using a secondary mirror server, follow the steps in the section Certificates to use after setting up mirroring.

Certificates to use prior to setting up mirroring

In Java File Manager, navigate to the /home/admin/downloads/ directory. Crypto Officer certificates are located in <AKMServerName>_admin1.zip and <AKMServerName>_admin2.zip in the /home/admin/downloads/ directory. Two unique sets of admin certificates are provided if you want to implement PCI requirements around dual control of key management operations.

Select <AKMServerName>_admin1.zip and/or <AKMServerName>_admin2.zip and click Save. Unzip the archives.

The following files can be used to set up admin clients before mirroring setup:

/PEM
  o AKMAdminCertificate.pem (admin certificate)
  o AKMAdminPrivateKey.pem (admin private key)
  o AKMRootCACertificate.pem (AKM's CA certificate)
/Admin_Console
  o AKMAdminKeystore.jks (admin keystore)
  o AKMAdminKeystorePassword.txt (admin keystore password)
  o AKMRootCATruststore.jks (admin truststore with AKM's CA certificate)
  o AKMRootCATruststorePassword.txt (admin truststore password)

Certificates to use after setting up mirroring

After mirroring setup, you will need to use a truststore bundle containing the CA certificates of both AKM servers, along with the keystore file. Log in to the web interface and redownload <AKMServerName>_admin1.zip and <AKMServerName>_admin2.zip (if implementing dual control) to gain access to the new mirroring configuration certificates used in the admin application after a mirroring pair has been established.

If you have previously set up the admin client before setting up mirroring, the CA certificates installed on the client must be replaced with the new CA certificate bundle (.pem or .jks) for seamless client failover when AKM is unreachable. The client certificate and private key (.pem or .jks) do not need to be replaced.

NOTE: If setting up an admin client under program control in a Windows environment with .pem files, Windows Certificate Store will not import all of the CA certificates in the bundle. In this case, the primary and secondary mirror CA certificates must be imported individually.
The following files can be used to set up admin clients after mirroring:

/PEM
  o AKMAdminCertificate.pem (admin certificate)
  o AKMAdminPrivateKey.pem (admin private key)
  o /Mirror_Config_Certificates
      - <PrimaryAKMServerName>.AKMRootCACertificate.pem (the primary AKM's CA certificate)
      - <MirrorAKMServerName>.AKMRootCACertificate.pem (the mirror AKM's CA certificate)
      - AKMRootCertificatesBundle.pem (bundle with both AKM's CA certificates)
/Admin_Console
  o AKMAdminKeystore.jks (admin keystore)
  o AKMAdminKeystorePassword.txt (admin keystore password)
  o /Mirror_Config_Certificates
      - AKMTruststoreBundle.jks (truststore bundle with both AKM's CA certificates)
      - AKMTruststoreBundlePassword.txt (truststore bundle password)

Give the name of an encryption key to your client application developer

If you created a set of initial encryption keys on initialization of the primary AKM server, the following keys are available for use:

  AES bit symmetric key, general access
  AES bit symmetric key, general access
  AES bit symmetric key, general access
  EKM bit symmetric key for use with SQL Server EKM, enabled for EKM
  EKM bit symmetric key for use with SQL Server EKM, enabled for EKM
  EKMSS bit RSA key for use by SQL Server EKM, enabled for EKM

Give the name of the appropriate encryption key to your client application developer.

SECURITY ALERT: These encryption keys are set for general access. That means anyone with a valid key client certificate for AKM can retrieve these keys or use them for remote encryption. If you have multiple clients and you would like to implement key access control, you can change the access level for these keys or create new encryption keys with a restricted access level in the AKM Administrative Console. Key Access is based on the Common Name (CN) and Organizational Unit (OU) of the client certificate which you entered earlier. See Chapter 7: Create and Manage Encryption Keys for more information.
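A client that still trusts only the primary's CA certificate after mirroring cannot fail over, as both "Certificates to use after setting up mirroring" sections above point out. The following added example (not from the guide or from AKM) checks that a client's installed .pem trust file contains both CA certificates and splits a bundle into single-certificate files for stores that import only one at a time. The certificate bodies are constructed placeholders and all variable names are illustrative.

```python
"""Added example: confirm a PEM trust file holds both AKM CA certificates."""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def split_bundle(pem_text):
    """Return the DER bytes of every certificate in a PEM file, in file order."""
    ders = []
    for body in PEM_BLOCK.findall(pem_text):
        ders.append(base64.b64decode("".join(body.split()), validate=True))
    return ders


def der_to_pem(der):
    """Wrap DER bytes in PEM armor with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def sha256_fingerprint(der):
    """SHA-256 over the DER encoding, the usual certificate fingerprint."""
    return hashlib.sha256(der).hexdigest()


def check_bundle(installed_pem, expected):
    """Compare a client's trust file against the individual CA files.

    expected maps a label such as 'primary' or 'mirror' to that CA's PEM text.
    Returns (missing_labels, unexpected_fingerprints).
    """
    installed = {sha256_fingerprint(d) for d in split_bundle(installed_pem)}
    wanted = {}
    for label, pem in expected.items():
        ders = split_bundle(pem)
        if len(ders) != 1:
            raise ValueError("%s: expected exactly one certificate" % label)
        wanted[label] = sha256_fingerprint(ders[0])
    missing = sorted(l for l, fp in wanted.items() if fp not in installed)
    unexpected = sorted(installed - set(wanted.values()))
    return missing, unexpected


def to_individual_pems(bundle_pem):
    """Re-emit each certificate as its own PEM text for one-at-a-time import."""
    return [der_to_pem(der) for der in split_bundle(bundle_pem)]


# Constructed placeholders standing in for the two AKMRootCACertificate.pem files.
PRIMARY_CA = der_to_pem(b"constructed primary CA placeholder")
MIRROR_CA = der_to_pem(b"constructed mirror CA placeholder")
EXPECTED = {"primary": PRIMARY_CA, "mirror": MIRROR_CA}

# A client configured before mirroring trusts only the primary's CA.
PRE_MIRROR_TRUST = PRIMARY_CA
# Stand-in for AKMRootCertificatesBundle.pem after mirroring setup.
POST_MIRROR_BUNDLE = PRIMARY_CA + MIRROR_CA

if __name__ == "__main__":
    print("before:", check_bundle(PRE_MIRROR_TRUST, EXPECTED))
    print("after: ", check_bundle(POST_MIRROR_BUNDLE, EXPECTED))
    print("files to import individually:", len(to_individual_pems(POST_MIRROR_BUNDLE)))
```

Against real files, read each .pem with open(...).read() and pass the text in place of the constructed values; an unexpected fingerprint in the result means the client trusts a CA that neither AKM server issued.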

Chapter 7: Create and Manage Encryption Keys

If you created a set of encryption keys during initialization of the primary AKM server, you can use one of these encryption keys. If you would like to manage these encryption keys (for example, to change the access policy) or create new encryption keys, you can do so using the AKM Administrative Console.

AKM Administrative Console

The AKM Administrative Console is a Windows application with a GUI interface for one or more Crypto Officers to create and manage encryption keys. See the AKM Administrative Console Guide for detailed instructions on installing and using the AKM Administrative Console.

To set up the Admin Console, you will need the AKM CA certificate truststore or truststore bundle and an admin client certificate/private key in .jks format and passwords for these files. If you are using the Admin Console after setting up mirroring, you will need to use the CA certificate truststore bundle which contains the CA certificates of both AKM servers (AKMTruststoreBundle.jks) and the associated password. See the section Download Crypto Officer certificates for information on downloading the truststore and keystore.

IMPORTANT: By default, two sets of admin certificates and private keys are generated for two Crypto Officers in order to support dual control (<AKMServerName>_admin1.zip and <AKMServerName>_admin2.zip). To authorize a second Crypto Officer to use the Admin Console, you will need to follow the same steps using the <AKMServerName>_admin2.zip file. See the AKM Administrative Console Guide for information on implementing dual control.

When opening the AKM Administrative Console for the first time, the following dialog is displayed:

This dialog allows you to define the AKM server to which you want to connect using the AKM Administrative Console.

Server Name: Enter a name of your choosing for this key server.
Server Address: Enter the IP address or host name of this key server (example: ec us-west-2.compute.amazonaws.com).
Server Port: Enter the admin port number (the default is 6001).
Key Store File: Click Browse and select AKMAdminKeystore.jks.
Passphrase: Enter the password contained in the AKMAdminKeystorePassword.txt file.

Trust Store File: Click Browse and select AKMRootCATruststore.jks (or AKMTruststoreBundle.jks if you have already set up mirroring).
Passphrase: Enter the password contained in the AKMRootCATruststorePassword.txt file (or AKMTruststoreBundlePassword.txt if you have already set up mirroring).

Click Add. You are now authorized to create and manage encryption keys on the AKM server. See the AKM Administrative Console Guide for more information.

Verify the connection to AKM server

In the AKM Administrative Console you will see a list of options in the left pane. Expand the option for Status and select the link for Administrative NoOp. Click Submit. You should see the following output in the right pane:

    AKM_222 ( port 6001)
    Command: Administrative NoOp
    Server: AKM_222 ( port 6001)
    Transaction Length: <00008>
    Transaction Id: <1044>
    Return Code: <0>
    Command completed successfully.
    Command Output:
    No additional command output
    End Command Administrative NoOp

If you receive an error message contact Townsend Security Support for assistance.

You are now ready to use the AKM Administrative Console to create and manage encryption keys.

Set key access policy on an encryption key

To modify the key access policy on an existing encryption key, expand the option for Manage Key Attributes in the left pane and select the Set Key Access command. Enter the key name and select the desired key access policy. See the AKM User Guide for more information on key access control.

Create a new encryption key

To create a new encryption key, expand the option for Manage Keys in the left pane and select the Create Symmetric Key command.

Next you will define attributes for the encryption key in the middle pane. First give your key a user-friendly name and a key size. For evaluation purposes check the box next to Activate key immediately and Key never expires, and select the option for Anyone to access the key. For production encryption keys, the expiration date of the key should be determined by your organization's policy on cryptoperiods, and you should use a restricted access policy.

Define additional options for the key and scroll down to click the Submit button to create the key. You should receive the following output:

    Command: Create Symmetric Key
    Server: ( port 6001)
    Transaction Length: <00072>
    Transaction Id: <1002>
    Return Code: <0>
    Command completed successfully.
    Command Output:
    Key Name: <TEST KEY >
    Key Instance: <SAZ4he9kkZYjmF5+n2A6Mg==>
    End Create Symmetric Key Command

You will now be able to use this encryption key in your client application.

Chapter 8: Create Additional Admin and Client Certificates

AKM automatically generates a certificate authority (CA) certificate, two admin (Crypto Officer) certificates and one client (key retrieval or remote encryption) certificate. For information on using these certificates, see Chapter 6: Start Using AKM for AWS and Chapter 7: Create and Manage Encryption Keys.

If you need to create additional key client certificates, admin certificates, or import certificate signing requests, you can do so using the AKM Certificate Menu.

After initializing the primary AKM server, reconnect to the primary AKM server via SSH. After initialization of the primary server has been completed, the Administrative Menu displays the following options:

Enter option 1 to Start Certificate Manager.

The Certificate Menu is displayed:

Create an admin certificate

Enter option 1 to Create an admin client certificate and key pair. This will create an additional admin certificate and private key for a Crypto Officer to manage encryption keys. You will be prompted to enter a unique Common Name (CN) for this admin certificate:

The admin certificate files have been created and are available in the /home/admin/downloads/ directory on the AKM server.

Create a key client certificate

From the Certificate Menu, enter option 2 to Create a key client certificate and key pair. This will create an additional client certificate and private key for key clients to perform key retrieval or encryption and decryption on the AKM server. You will be prompted to enter a unique Common Name (CN) and Organizational Unit (OU) for this key client certificate:

The key client certificate files have been created and are available in the /home/admin/downloads/ directory on the AKM server.

SECURITY ALERT: If you are using an encryption key created on initialization of the primary AKM server and you want to use key access control, you will need to modify the key access policy of the encryption key and enter User and Group information that matches the Common Name (CN) and Organizational Unit (OU) of the key client certificate. See Chapter 7: Create and Manage Encryption Keys for more information.

Import and sign certificate signing requests

If you are on the IBM i platform, you will need to import a certificate signing request (CSR) to be signed by AKM's CA certificate to create a signed key client certificate. For information on creating a certificate signing request, see the document AKM DCM Configuration for IBM i on the AKM Supplemental.

From the Certificate Menu, enter option 3 to Import and sign certificate signing requests.

The following screen is displayed:

Log in to the AKM web interface as the admin user with the password you created above. Click on the link for Java File Manager in the left navigation pane. Upload the CSRs to the /home/admin/uploads/ directory. You can upload multiple CSRs.

After uploading the CSRs, return to the Certificate Menu and press Enter. The following screen is displayed:

AKM will detect the Common Name (CN) of each CSR and use it to name the client certificate files. The signed client certificate files are available in the /home/admin/downloads/ directory on the AKM server.
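The SECURITY ALERT in this chapter requires the User and Group on a key's access policy to match the CN and OU of the key client certificate. The script below is an added example, not part of the Townsend Security documentation: it reads both fields from a PEM-encoded certificate with openssl so they can be checked before running Set Key Access. The file names, the sample subject, and the exact, case-sensitive comparison are assumptions of the example.

```shell
#!/bin/sh
# Added example: compare the User/Group planned for a key access policy
# with the CN/OU of a key client certificate (PEM-encoded, assumed).

# cert_field FILE LONGNAME
# Prints the first value of one subject attribute, e.g. commonName or
# organizationalUnitName. "-nameopt multiline" gives one attribute per line
# in the form "    commonName                = value".
cert_field() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        awk -v want="$2" '
            {
                line = $0
                sub(/^[ \t]+/, "", line)
                n = index(line, "=")          # split at the first "=" only
                if (n == 0) next
                name = substr(line, 1, n - 1); sub(/[ \t]+$/, "", name)
                val  = substr(line, n + 1);    sub(/^[ \t]+/, "", val)
                if (name == want) { print val; exit }
            }'
}

# policy_matches FILE USER GROUP
# Returns 0 when USER equals the CN and GROUP equals the OU,
#         1 when either value differs (comparison is case-sensitive here),
#         2 when the certificate has no CN or no OU to match against.
policy_matches() {
    cn=$(cert_field "$1" commonName)
    ou=$(cert_field "$1" organizationalUnitName)
    [ -n "$cn" ] && [ -n "$ou" ] || return 2
    [ "$cn" = "$2" ] && [ "$ou" = "$3" ]
}

# make_sample_cert DIR SUBJECT
# Writes DIR/client.pem, a throwaway self-signed certificate used only as
# constructed test input. Real key client certificates come from the AKM
# Certificate Menu and are signed by the AKM CA.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
        -keyout "$1/client.key" -out "$1/client.pem" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d) || return 1
    if ! make_sample_cert "$dir" "/CN=payments-app/OU=Finance"; then
        rm -rf "$dir"
        return 1
    fi
    echo "User  (CN): $(cert_field "$dir/client.pem" commonName)"
    echo "Group (OU): $(cert_field "$dir/client.pem" organizationalUnitName)"
    # A Group typed with the wrong case is reported as a mismatch.
    if policy_matches "$dir/client.pem" "payments-app" "finance"; then
        echo "policy values match the certificate"
    else
        echo "policy values do NOT match the certificate"
    fi
    rm -rf "$dir"
}

demo
```

Point `cert_field` at the certificate file downloaded from the AKM server in place of the sample certificate.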

Chapter 9: Manage the AKM Server

Server management

Backup and restore, system logging, and firewalls can be configured via the web interface. See the AKM Server Management Guide for information on these tasks. See the AKM User Guide for more detail on these concepts.

IMPORTANT: You should perform a backup of the AKM server as soon as you have finished setting up AKM for AWS, and periodically after any significant changes to keys, user access policies, and certificates.

Certificate backup

You should back up all certificates and private keys used by AKM. See the AKM Server Management Guide for more information.

SECURITY ALERT: Private key files must be protected during creation, distribution, and storage. The loss of these files will compromise the security of the AKM server. Transfer the certificate files by sharing them over a secure network, placing them in a password-protected zip file, sending them using SFTP, or another secure method. Use the same level of care you would employ to protect encryption keys from loss, including encryption. In the event the client certificates are compromised or lost, you should immediately replace the certificate authority on the AKM server and all client certificates in the chain of trust. See the AKM Certificate Manager Guide for more information.

Chapter 10: Obtain a Permanent License

BYOL

If you choose a BYOL licensing model, AKM for AWS is deployed with a 30-day temporary license. Please contact your account manager to receive a permanent license if you wish to continue using AKM for AWS. You will need to provide your Instance ID. This can be found in the AWS dashboard or by running the following command from the command line:

    ec2-instance-id

Install a new license

Once you receive the license, you can upload it to the AKM server.

IMPORTANT: The license file must have the name License.txt when it is installed on the server. If you receive a license with a different name, rename the file to License.txt.

Log in to the web interface and expand the navigation pane. Click on the link for Java File Manager. Navigate to the /var/lib/townsend/akm directory. Select License.txt and click the Delete button. Click the Upload button. Click Choose File, select the permanent license, and click Open. On the Upload File dialog, click Upload.

Now you will need to restart AKM. Click on the link for Custom Commands in the navigation pane, click the Stop AKM button, then click the Start AKM button.

Fee-based

If you choose a fee-based licensing model, AKM will generate a permanent license, but your use of the license will be determined by Amazon. You can evaluate AKM for free for 30 days, after which you will be charged by Amazon Web Services for the then-current hourly or monthly license fee for AKM.

Migrate from a test environment to a production environment

If you have used an AKM instance in a test or development environment, it is recommended to use a new instance of AKM for production. Your new AKM instance will contain unique keys and PKI components that differ from the ones used during testing. Make sure to adjust your client configurations accordingly.

If you would like to migrate to a production environment using your original instance, be sure to remove all test data and accounts that have had access to AKM prior to deploying key management in a production environment. It is recommended that you remove all client and admin certificates and private keys used in testing from any applications/systems that have been used to evaluate AKM. You should then create new client certificates and use these certificates in your client applications. Additionally, you should avoid using the same data encryption keys in your production environment that were used during testing (see Chapter 7: Create and Manage Encryption Keys).

SECURITY ALERT: Failure to follow these recommendations will include your test environment in the scope of your production environment, which from a regulatory and security stance exposes your applications and the key manager to risk.

Chapter 11: Support

There are two levels of technical support available for AKM customers. The basic level of support comes with your permanent AKM license and includes technical documentation as well as support, during business hours, Monday through Friday. Contact Townsend Security to purchase premium level support.

Townsend Security customers with a permanent license can collect logs and send them to Townsend Security support for assistance. From the Administrative Menu, select the option to Collect logs for troubleshooting. Then start a support ticket on the Townsend Security website at

Appendix A: Connecting with PuTTY

If you are a Windows user, you can use PuTTY to connect to the AKM server via SSH for initialization. First, download PuTTY at and run the executable. When you open PuTTY for the first time, you will be prompted to enter configuration information for the AKM server:

Enter the AKM server IP address. Leave the default port 22. You can save this configuration by entering a name (example: AKM1) in the Saved Sessions field and clicking Save. Click Open.

You will be prompted to log in:

Enter admin as the username, and when prompted, the default password OOHXPq6r530N6re. If the login is successful, the Administrative Menu will be displayed. Return to Chapter 5: Set up AKM for AWS to continue with initialization.


More information

Amigopod Release Notes. Updating to Amigopod Document Overview. Overview of the Update Process. Verify the System s Memory Limit

Amigopod Release Notes. Updating to Amigopod Document Overview. Overview of the Update Process. Verify the System s Memory Limit Amigopod 3.5.4 Release Notes This document contains release information for version 3.5.4 of the Aruba Amigopod visitor management appliance. Document Overview This document is organized into the following

More information

SUREedge DR Installation Guide for Windows Hyper-V

SUREedge DR Installation Guide for Windows Hyper-V SUREedge DR Installation Guide for Windows Hyper-V Contents 1. Introduction... 2 1.1 SUREedge DR Deployment Scenarios... 2 1.2 Installation Overview... 3 2. Obtaining SUREedge Software and Documentation...

More information

Launch and Configure SafeNet ProtectV in AWS Marketplace

Launch and Configure SafeNet ProtectV in AWS Marketplace ProtectV TECHNICAL INSTRUCTIONS Launch and Configure SafeNet ProtectV in AWS Marketplace Contents Overview... 2 Prerequisites... 2 Configure KeySecure... 3 Configure the Firewall (for Linux Clients Only)...

More information

Launch and Configure SafeNet ProtectV in AWS Marketplace

Launch and Configure SafeNet ProtectV in AWS Marketplace ProtectV TECHNICAL INSTRUCTIONS Launch and Configure SafeNet ProtectV in AWS Marketplace Contents Overview... 2 Prerequisites... 2 Configure KeySecure... 3 Configure the Firewall (for Linux Clients Only)...

More information

AWS Remote Access VPC Bundle

AWS Remote Access VPC Bundle AWS Remote Access VPC Bundle Deployment Guide Last updated: April 11, 2017 Aviatrix Systems, Inc. 411 High Street Palo Alto CA 94301 USA http://www.aviatrix.com Tel: +1 844.262.3100 Page 1 of 12 TABLE

More information

BACKUP APP V7 CLOUUD FILE BACKUP & RESTORE GUIDE FOR WINDOWS

BACKUP APP V7 CLOUUD FILE BACKUP & RESTORE GUIDE FOR WINDOWS V7 CLOUUD FILE BACKUP & RESTORE GUIDE FOR WINDOWS Table of Contents 1 Overview... 1 1.1 About This Document... 7 2 Preparing for Backup and Restore... 8 2.1 Hardware Requirement... 8 2.2 Software Requirement...

More information

High Availability Enabling SSL Database Migration Auto Backup and Auto Update Mail Server and Proxy Settings Support...

High Availability Enabling SSL Database Migration Auto Backup and Auto Update Mail Server and Proxy Settings Support... Quick Start Guide Table of Contents Overview... 4 Deployment... 4 System Requirements... 4 Installation... 6 Working with AD360... 8 Starting AD360... 8 Launching AD360 client... 9 Stopping AD360... 9

More information

Integration Guide. Dell EMC Data Domain Operating System and Gemalto KeySecure. DD OS and Gemalto KeySecure Integration. Version 6.

Integration Guide. Dell EMC Data Domain Operating System and Gemalto KeySecure. DD OS and Gemalto KeySecure Integration. Version 6. Dell EMC Data Domain Operating System and Gemalto KeySecure Version 6.1 DD OS and Gemalto KeySecure Integration P/N 302-003-978 REV 01 June 2017 This document describes how to configure Gemalto KeySecure

More information

Configuring the SMA 500v Virtual Appliance

Configuring the SMA 500v Virtual Appliance Using the SMA 500v Virtual Appliance Configuring the SMA 500v Virtual Appliance Registering Your Appliance Using the 30-day Trial Version Upgrading Your Appliance Configuring the SMA 500v Virtual Appliance

More information

Version 2.3 User Guide

Version 2.3 User Guide V Mware vcloud Usage Meter Version 2.3 User Guide 2012 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. This product is covered

More information

ElasterStack 3.2 User Administration Guide - Advanced Zone

ElasterStack 3.2 User Administration Guide - Advanced Zone ElasterStack 3.2 User Administration Guide - Advanced Zone With Advance Zone Configuration TCloud Computing Inc. 6/22/2012 Copyright 2012 by TCloud Computing, Inc. All rights reserved. This document is

More information

Hypersocket SSO. Lee Painter HYPERSOCKET LIMITED Unit 1, Vision Business Centre, Firth Way, Nottingham, NG6 8GF, United Kingdom. Getting Started Guide

Hypersocket SSO. Lee Painter HYPERSOCKET LIMITED Unit 1, Vision Business Centre, Firth Way, Nottingham, NG6 8GF, United Kingdom. Getting Started Guide Hypersocket SSO Getting Started Guide Lee Painter HYPERSOCKET LIMITED Unit 1, Vision Business Centre, Firth Way, Nottingham, NG6 8GF, United Kingdom Table of Contents PREFACE... 4 DOCUMENT OBJECTIVE...

More information

Amazon Web Services Hands on EC2 December, 2012

Amazon Web Services Hands on EC2 December, 2012 Amazon Web Services Hands on EC2 December, 2012 Copyright 2011-2012, Amazon Web Services, All Rights Reserved Page 1-42 Table of Contents Launch a Linux Instance... 4 Connect to the Linux Instance Using

More information

Performing an ObserveIT Upgrade Using the Interactive Installer

Performing an ObserveIT Upgrade Using the Interactive Installer Performing an ObserveIT Upgrade Using the Interactive Installer ABOUT THIS DOCUMENT This document contains detailed procedures and instructions on how to upgrade ObserveIT by using the interactive "One

More information

Veritas Desktop and Laptop Option 9.2

Veritas Desktop and Laptop Option 9.2 1. Veritas Desktop and Laptop Option 9.2 Quick Reference Guide for DLO Installation and Configuration 24-Jan-2018 Veritas Desktop and Laptop Option: Quick Reference Guide for DLO Installation and Configuration.

More information

Partner Information. Integration Overview Authentication Methods Supported

Partner Information. Integration Overview Authentication Methods Supported Partner Information Partner Name Product Name Integration Overview Authentication Methods Supported Client Integration F5 Networks FirePass VPN User Name - Security Code User Name - Password - Security

More information

ZENworks 2017 Audit Management Reference. December 2016

ZENworks 2017 Audit Management Reference. December 2016 ZENworks 2017 Audit Management Reference December 2016 Legal Notice For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights,

More information

Link Gateway Initial Configuration Manual

Link Gateway Initial Configuration Manual Link Gateway Initial Configuration Manual Copyright 2016 NetLinkz. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated

More information

F5 BIG-IQ Centralized Management and Amazon Web Services: Setup. Version 5.4

F5 BIG-IQ Centralized Management and Amazon Web Services: Setup. Version 5.4 F5 BIG-IQ Centralized Management and Amazon Web Services: Setup Version 5.4 Table of Contents Table of Contents Getting Started with BIG-IQ Virtual Edition...5 What is BIG-IQ Virtual Edition?...5 About

More information

CA ARCserve Replication and High Availability

CA ARCserve Replication and High Availability CA ARCserve Replication and High Availability Virtualized Server Environments Operation Guide for Windows r16 This Documentation, which includes embedded help systems and electronically distributed materials,

More information

Log & Event Manager UPGRADE GUIDE. Version Last Updated: Thursday, May 25, 2017

Log & Event Manager UPGRADE GUIDE. Version Last Updated: Thursday, May 25, 2017 UPGRADE GUIDE Log & Event Manager Version 6.3.1 Last Updated: Thursday, May 25, 2017 Retrieve the latest version from: https://support.solarwinds.com/success_center/log_event_manager_(lem)/lem_documentation

More information

Deploying Cisco Nexus Data Broker

Deploying Cisco Nexus Data Broker This chapter contains the following sections: Installing Cisco Nexus Data Broker, page 1 Installing Cisco Nexus Data Broker Installing or Upgrading the Cisco Nexus Data Broker Software Important There

More information

Deploy and Secure an Internet Facing Application with the Barracuda Web Application Firewall in Amazon Web Services

Deploy and Secure an Internet Facing Application with the Barracuda Web Application Firewall in Amazon Web Services Deploy and Secure an Internet Facing Application with the in Amazon Web In this lab, you will deploy an unsecure web application into Amazon Web (AWS), and then secure the application using the. To create

More information

SafeConsole On-Prem Install Guide

SafeConsole On-Prem Install Guide version 5.4 DataLocker Inc. December, 2018 Reference for SafeConsole OnPrem 1 Contents Introduction................................................ 3 How do the devices become managed by SafeConsole?....................

More information

Using vrealize Operations Tenant App as a Service Provider

Using vrealize Operations Tenant App as a Service Provider Using vrealize Operations Tenant App as a Service Provider Using vrealize Operations Tenant App as a Service Provider You can find the most up-to-date technical documentation on the VMware Web site at:

More information

Pexip Infinity and Amazon Web Services Deployment Guide

Pexip Infinity and Amazon Web Services Deployment Guide Pexip Infinity and Amazon Web Services Deployment Guide Contents Introduction 1 Deployment guidelines 2 Configuring AWS security groups 4 Deploying a Management Node in AWS 6 Deploying a Conferencing Node

More information

VMWARE HORIZON CLOUD WITH VMWARE IDENTITY MANAGER QUICK START GUIDE WHITE PAPER MARCH 2018

VMWARE HORIZON CLOUD WITH VMWARE IDENTITY MANAGER QUICK START GUIDE WHITE PAPER MARCH 2018 VMWARE HORIZON CLOUD WITH VMWARE IDENTITY MANAGER QUICK START GUIDE WHITE PAPER MARCH 2018 Table of Contents Introduction to Horizon Cloud with Manager.... 3 Benefits of Integration.... 3 Single Sign-On....3

More information

Forescout. eyeextend for IBM BigFix. Configuration Guide. Version 1.2

Forescout. eyeextend for IBM BigFix. Configuration Guide. Version 1.2 Forescout Version 1.2 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191

More information