Virtual KeySecure for AWS


CUSTOMER RELEASE NOTES

Version: 8.2.1
Issue Date: June 5 2015
Document Part Number: 007-013116-001, Rev A

Contents

Product Description
    Key Management
    High Performance
    Broad Flexibility
    Robust Security
Release Description
    Supported Migration Paths
    New Features and Enhancements
        Galois Counter Mode for AES Encryption and Decryption
        Management Console Session Timeout
    Advisory Notes
        Duplicate IP Address for Virtual Machines
        Port Parameters on Virtual Machines
        Certificate Authorities
        Group Permissions and Certificates
        Clock Synchronization
        Clustering, Backup, and Restore between Platforms
        Key Management and Crypto Operation Failure after Remote HSM Disconnection
        Disable SSL 3.0
        Backup protocols
Resolved and Known Issues
    Issue Severity and Classification
    Resolved Issues
    Known Issues
Product Documentation
Technical Support Information

PN: 007-013116-001 Rev. A, Copyright 2015 SafeNet, Inc., All rights reserved. Page 1 of 6

Product Description

By providing centralized management of keys, policies, and essential functions, KeySecure simplifies administration, helps ensure compliance, and maximizes security.

Key Management

KeySecure offers robust capabilities for managing cryptographic keys across their entire lifecycle, including key generation, key import and export, key rotation, and much more. With KeySecure, all cryptographic keys are stored in a centralized, hardened appliance to simplify administration while ensuring tight security for the broadest array of data types.

High Performance

Even for large distributed enterprises that use multiple encryption solutions, keys can be centrally managed without making any perceptible impact on system performance. In addition, customers can deploy multiple KeySecure appliances in a clustered configuration with real-time replication of keys, policies, and configuration information across multiple appliances, enabling complete disaster recovery and business continuity.

Broad Flexibility

KeySecure offers key management capabilities that can be integrated with virtually any commercial encryption product. Supported technologies include:

- Luna SA HSM partitions and Luna PCI HSMs.
- Application encryption, either software or hardware based.
- Database encryption, including native database encryption.
- Device encryption.
- File and storage level encryption solutions.

KeySecure supports a wide range of open cryptographic standard interfaces, including PKCS #11, JCE, and .NET. KeySecure also supports the Key Management Interoperability Protocol (KMIP). Further, customers and partners can take advantage of KeySecure's NAE-XML interface to develop their own custom software utilizing the enterprise key management functionality of KeySecure.

Robust Security

KeySecure offers a range of robust security features:

- Capabilities for segregating administrative duties between different administrators.
- Granular authorization capabilities that enable constraints to be placed on user operations based on specific key permissions.
- Active alerting capabilities that inform administrators if attempts to breach protected data occur.
- Secure key distribution through support of TLS.
- Secure storage of key encryption keys on a Luna HSM card.

Release Description

Virtual KeySecure version 8.2.1 is a virtual image available for download through the Amazon Web Services (AWS) Marketplace. There are two products available for download: SafeNet Virtual KeySecure and SafeNet Virtual KeySecure (BYOL).

- SafeNet Virtual KeySecure includes two application licenses, and is capable of data encryption with the purchase of the Crypto Pack.
- SafeNet Virtual KeySecure (BYOL) has no licenses upon installation. You can obtain licenses from SafeNet customer support, who will assist you in this process.

Supported Migration Paths

You can migrate keys from some older versions of Virtual KeySecure to Virtual KeySecure 8.2.1. Keys are migrated through backup and restore; for the procedure, refer to the Backup and Restore chapter of the Appliance Administration Guide. The following migration paths are supported:

From release                             To release
7.1.0 Virtual KeySecure for AWS          8.2.1 Virtual KeySecure for AWS
8.0.1 Virtual KeySecure for AWS          8.2.1 Virtual KeySecure for AWS
8.0.1 Virtual KeySecure for VMWare       8.2.1 Virtual KeySecure for AWS
8.1.0 Virtual KeySecure for AWS          8.2.1 Virtual KeySecure for AWS
8.1.0 Virtual KeySecure for VMWare       8.2.1 Virtual KeySecure for AWS

New Features and Enhancements

Galois Counter Mode for AES Encryption and Decryption

Galois Counter Mode (GCM) is a mode of operation for AES keys that provides both confidentiality, via data encryption, and authenticity, by creating an authentication tag over the entire length of the data. The authentication tag allows message receivers to verify message integrity and authenticity. You can optionally specify additional authenticated data (AAD), sent in the same format as the payload data. AAD is not encrypted, but it is bound into the authentication tag, so any change to it is detected on verification. You can send AAD without any payload data, in which case AES/GCM performs no encryption but still generates an authentication tag.
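The three GCM behaviours described above (payload plus AAD, AAD with no payload yielding only a tag, and altered AAD being rejected), as an added example in Go that is not part of these release notes or of KeySecure's own code. It uses the Go standard library's AES-GCM rather than the KeySecure NAE-XML interface; the key, AAD and payload are constructed sample values, and the function names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// GCMResult holds the outputs of one AES-GCM seal operation, split so that
// the AAD-only case (empty ciphertext, tag still present) is easy to see.
type GCMResult struct {
	Nonce      []byte // 96-bit nonce; must never repeat under the same key
	Ciphertext []byte // encrypted payload; empty when no payload was given
	Tag        []byte // 128-bit authentication tag over ciphertext and AAD
}

// SealGCM encrypts plaintext (which may be empty) under key, binds aad
// (not encrypted) into the tag, and returns nonce, ciphertext and tag.
func SealGCM(key, plaintext, aad []byte) (*GCMResult, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Go's Seal appends the tag to the ciphertext; split the two apart.
	sealed := gcm.Seal(nil, nonce, plaintext, aad)
	ctLen := len(sealed) - gcm.Overhead()
	return &GCMResult{Nonce: nonce, Ciphertext: sealed[:ctLen], Tag: sealed[ctLen:]}, nil
}

// OpenGCM checks the tag over ciphertext and aad and returns the plaintext.
// Any change to the ciphertext, the AAD, the nonce or the tag is rejected.
func OpenGCM(key []byte, r *GCMResult, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	sealed := append(append([]byte{}, r.Ciphertext...), r.Tag...)
	pt, err := gcm.Open(nil, r.Nonce, sealed, aad)
	if err != nil {
		return nil, errors.New("authentication failed: payload or AAD was altered")
	}
	return pt, nil
}

// Demo exercises the three cases the release notes describe and reports
// whether each behaved as expected. Key and messages are constructed values.
func Demo() (payloadOK, aadOnlyOK, tamperDetected bool, err error) {
	key := bytes.Repeat([]byte{0x42}, 32)      // constructed AES-256 key
	aad := []byte("record-id=1234;owner=app1")  // constructed header data
	plaintext := []byte("4111 1111 1111 1111") // constructed payload

	// Case 1: payload plus AAD. Payload is encrypted; both are authenticated.
	r1, err := SealGCM(key, plaintext, aad)
	if err != nil {
		return
	}
	pt, err := OpenGCM(key, r1, aad)
	if err != nil {
		return
	}
	payloadOK = bytes.Equal(pt, plaintext) && len(r1.Ciphertext) == len(plaintext) && len(r1.Tag) == 16

	// Case 2: AAD with no payload. Nothing is encrypted; only a tag is produced.
	r2, err := SealGCM(key, nil, aad)
	if err != nil {
		return
	}
	if _, err = OpenGCM(key, r2, aad); err != nil {
		return
	}
	aadOnlyOK = len(r2.Ciphertext) == 0 && len(r2.Tag) == 16

	// Case 3: AAD changed after sealing. The receiver must reject it.
	_, tamperErr := OpenGCM(key, r1, []byte("record-id=9999;owner=app1"))
	tamperDetected = tamperErr != nil
	return
}

func main() {
	payloadOK, aadOnlyOK, tamperDetected, err := Demo()
	if err != nil {
		fmt.Println("unexpected error:", err)
		return
	}
	fmt.Printf("payload+AAD round trip: %v\n", payloadOK)
	fmt.Printf("AAD-only yields tag only: %v\n", aadOnlyOK)
	fmt.Printf("altered AAD rejected: %v\n", tamperDetected)
}
```

In the AAD-only case the Ciphertext field is empty while Tag is still 16 bytes, which is the "no encryption, but generates an authentication tag" behaviour the notes describe. The example draws a fresh random nonce for every seal; NIST 800-38D requires that a nonce never repeat under the same key, since GCM's confidentiality and authenticity guarantees do not survive nonce reuse.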
Refer to the NIST 800-38D publication for full information and recommendations about GCM.

Management Console Session Timeout

The session timeout value for the Management Console web interface is now configurable. To change the default value of 60 minutes, log in to the CLI and run the command

    set webadmin session timeout <minutes>

replacing <minutes> with the desired timeout value. Note that a new session timeout value is applied immediately to any open Management Console session.

Advisory Notes

Duplicate IP Address for Virtual Machines

When installing the KeySecure virtual machine, the system does not check whether the IP address you enter for the new virtual machine is already in use. Be sure to choose an IP address that is not already in use.

Port Parameters on Virtual Machines

The virtual machine products do not support querying and setting Ethernet port parameters from either the Management Console or the command line interface.

Certificate Authorities

Certificate Authority (CA) certificates must be revoked individually. Chain revocation is not supported for CA certificates: if a CA certificate is revoked, the certificates signed by it are not automatically revoked.

Before installing a known CA, consult the list of CAs on the KeySecure, and do not install duplicates. Installing a known CA certificate more than once on a KeySecure can, under some circumstances, render the Certificate Revocation List (CRL) information for that CA unreliable. In such cases, a certificate that was revoked by that CA appears as active.

Back up local CAs after using them to issue certificates, to avoid disrupting CRL operations. CAs issue serial numbers to the certificates they sign. Local CAs use a seed value to determine the serial number, and each time a certificate is signed the seed value is incremented by one. If you back up a local CA with seed value x and continue to issue certificates with that CA, the seed value becomes x + n, where n is the number of certificates signed by that local CA since the backup was created. If you then restore the backup, the seed value for the local CA reverts to x. After this restore, the local CA can issue serial numbers that already belong to existing certificates. Identical serial numbers on multiple certificates interfere with CRL operations.

Group Permissions and Certificates

Group permissions specified for groups of certificates do not have any effect.

Clock Synchronization

Synchronizing the time causes the Key Server to restart if the time change is greater than one minute. While restarting, the Key Server is unavailable for up to 60 seconds. For more information on time synchronization, see Chapter 5, Date, Time and NTP, in the KeySecure Appliance Administration Guide.

Clustering, Backup, and Restore between Platforms

A virtual platform can only cluster with, back up to, or restore to another virtual platform. A physical platform can only cluster with, back up to, or restore to another physical platform. As the physical platform has a higher level of assurance than the virtual platform, clustering, backing up, and restoring between the two platforms may compromise key and certificate security.

Key Management and Crypto Operation Failure after Remote HSM Disconnection

If a virtual KeySecure that has a remote HSM repeatedly fails key management and crypto operations, the remote HSM may have disconnected and reconnected. If you suspect this has happened, back up your keys as a test. If the backup does not contain any keys, the remote HSM has disconnected and reconnected. Log the crypto user out and then log the crypto user in again. If the virtual KeySecure is in a cluster, manually synchronize the virtual KeySecure with the cluster.

Disable SSL 3.0

We strongly recommend disabling SSL 3.0 at all times, based on CVE-2014-3566. See the National Vulnerability Database for more details: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-3566. Ensure that your Internet browser does not use SSL 3.0 before disabling SSL 3.0 on KeySecure, or you will lose access to the Management Console. We recommend using TLS 1.2 if it is available in your Internet browser.

Backup protocols

Backup via FTP is not supported. This option will be deprecated in the future. We strongly recommend performing backups via SCP instead.

Resolved and Known Issues

Issue Severity and Classification

The following table serves as a key to the severity and classification of the issues listed in the Resolved Issues table and the Known Issues table in the sections that follow.

Severity  Classification  Definition
C         Critical        No reasonable workaround exists
H         High            Reasonable workaround exists
M         Medium          Medium-level priority problems
L         Low             Low-level priority problems

Resolved Issues

Severity  Issue     Synopsis
M         DS-41037  Summary: The Appliance Administration Guide and Command Line Reference Guide do not show how to view statistics for certificate sign request operations in the NAE-XML server.
                    Resolution: Fixed. The procedures were added to the two guides.
L         DS-41033  Summary: The Appliance Administration Guide incorrectly states that RSA-4096 keys cannot be created in the NAE-XML interface. This is outdated information.
                    Resolution: Fixed. The statement was removed from the Appliance Administration Guide.

Known Issues

Severity  Issue     Synopsis
M         DS-41579  Summary: Configuration changes on a KMIP port do not take effect after saving, even though a confirmation appears.
                    Workaround: Make the desired configuration changes, save, navigate to the Services Configuration page (Device >> Services), and then restart the NAE service.
L         DS-41316  Summary: If the web session timeout is set to a large value, administrators are locked out of the Management Console.
                    Workaround: Log in to the CLI and set the web session timeout value to 1440 minutes or fewer. The web session timeout does not affect CLI sessions.

Product Documentation

The following product documentation is associated with this release:

- KeySecure Appliance Administration Guide, version 8.2.0 (P/N: 007-012893-001, Rev B)
- KeySecure Command Line Interface Reference Guide, version 8.2.0 (P/N: 007-12895-001, Rev B)
- KeySecure XML Development Guide, version 2.2 (P/N: 007-012894-001, Rev B)

We have attempted to make these documents complete, accurate, and useful, but we cannot guarantee them to be perfect. When we discover errors or omissions, or they are brought to our attention, we endeavor to correct them in succeeding releases of the product.

Technical Support Information

If you have questions or need additional assistance, contact Technical Support through the listings below:

Address
  SafeNet, Inc., 4690 Millennium Drive, Belcamp, Maryland 21017, USA

Phone
  United States: (800) 545-6608, (410) 931-7520
  Australia: 1800-020-183, +1 410-931-7520
  New Zealand: 0800-440-359, +1 410-931-7520
  China: (86) 10 8851 9191
  France: 0825 341000
  Germany: 01803 7246269
  India: 000-800-100-4290, +1 410-931-7520
  United Kingdom: 0800-056-3158, +1 410 931-7520

Web
  http://www.safenet-inc.com

Support and Downloads
  http://www.safenet-inc.com/support
  Provides access to the SafeNet Knowledge Base and quick downloads for various products.

Customer Connection Center
  https://serviceportal.safenet-inc.com
  Existing customers with a Technical Support Customer Portal account can log in to manage incidents, get the latest software upgrades, and access the SafeNet Knowledge Base.