Alliance Key Manager A Solution Brief for Partners & Integrators

Similar documents
Alliance Key Manager A Solution Brief for Technical Implementers

VMware, SQL Server and Encrypting Private Data Townsend Security

VMware, SQL Server and Encrypting Private Data Townsend Security

Alliance Key Manager AKM for AWS Quick Start Guide. Software version: Documentation version:

PCI Data Security. Meeting the Challenges of PCI DSS Payment Card Security

Axway Validation Authority Suite

Simplifying Security for IBM i and IBM Security QRadar

Securing Mainframe File Transfers and TN3270

Symantec Managed PKI. Integration Guide for AirWatch MDM Solution

XenApp 5 Security Standards and Deployment Scenarios

PROVIDING YOU LOG INFRASTRUCTURE LOG COLLECTION SOLUTIONS TO BUILD A SECURE, FLEXIBLE AND RELIABLE

The Balabit s Privileged Session Management 5 F5 Azure Reference Guide

FIPS Non-Proprietary Security Policy

PUT DATA PROTECTION WHERE YOU NEED IT

Brocade Virtual Traffic Manager and Parallels Remote Application Server

SnapCenter Software 4.0 Concepts Guide

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.

Installing and Configuring System Center 2012 Operations Manager SCOM

PCI DSS Compliance. White Paper Parallels Remote Application Server

Securing VMware NSX MAY 2014

The most common type of certificates are public key certificates. Such server has a certificate is a common shorthand for: there exists a certificate

Securing VMware NSX-T J U N E 2018

IBM Secure Proxy. Advanced edge security for your multienterprise. Secure your network at the edge. Highlights

AES Encryption Strategies

Backup, File Backup copies of individual files made in order to replace the original file(s) in case it is damaged or lost.

Cloud Operations for Oracle Cloud Machine ORACLE WHITE PAPER MARCH 2017

ELIMINATE SECURITY BLIND SPOTS WITH THE VENAFI AGENT

Introduction to Windows Azure. Managing Windows Azure. Module Manual. Authors: Joey Snow

Security in Bomgar Remote Support

vshield Administration Guide

This Security Policy describes how this module complies with the eleven sections of the Standard:

Content and Purpose of This Guide... 1 User Management... 2

BlackBerry Enterprise Server for IBM Lotus Domino Version: 5.0. Administration Guide

IBM i Version 7.2. Security Digital Certificate Manager IBM

Venafi Platform. Architecture 1 Architecture Basic. Professional Services Venafi. All Rights Reserved.

Exam : Implementing Microsoft Azure Infrastructure Solutions

Security in the Privileged Remote Access Appliance

VMware Identity Manager Connector Installation and Configuration (Legacy Mode)

VMware vsphere with ESX 6 and vcenter 6

RSA SecurID Ready Implementation Guide. Last Modified: March 27, Cisco Systems, Inc.

CommandCenter Secure Gateway

Secret Server Demo Outline

RSA Authentication Manager 8.0 Security Configuration Guide

Security Digital Certificate Manager

Guardium UI Login using a Smart card

2018 GLOBALSCAPE TRAINING OVERVIEW

VSP18 Venafi Security Professional

Control Center Over the NET Management Software

Delivers cost savings, high definition display, and supercharged sharing

Dyadic Enterprise. Unbound Key Control For Azure Marketplace. The Secure-As-Hardware Software With a Mathematical Proof

PAN-OS Integration with SafeNet Luna SA HSM Tech Note PAN-OS 6.0

VMware vsphere 6.5: Install, Configure, Manage (5 Days)

MCTS Guide to Microsoft Windows Server 2008 Applications Infrastructure Configuration (Exam # ) Chapter One Introducing Windows Server 2008

Townsend Security Addendum to VMware Product Applicability Guide for Payment Card Industry Data Security Standard (PCI DSS) version 3.

VMware Enterprise Systems Connector Installation and Configuration. JULY 2018 VMware Identity Manager 3.2 VMware Identity Manager VMware AirWatch 9.

SafeNet ProtectApp APPLICATION-LEVEL ENCRYPTION

DELL EMC DATA DOMAIN ENCRYPTION

DS Series Solutions Integrated Solutions for Secure, Centralized Data Center Management

[VMICMV6.5]: VMware vsphere: Install, Configure, Manage [V6.5]

TECHNICAL DESCRIPTION

VMware Identity Manager Cloud Deployment. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager

Understanding Cisco Cybersecurity Fundamentals

VMware Identity Manager Cloud Deployment. Modified on 01 OCT 2017 VMware Identity Manager

Inventory and Reporting Security Q&A

Corente Cloud Services Exchange

IBM. Security Digital Certificate Manager. IBM i 7.1

Pulseway Security White Paper

Platform Services Controller Administration. Update 1 Modified on 11 DEC 2018 VMware vsphere 6.7 VMware ESXi 6.7 vcenter Server 6.

AN IPSWITCH WHITEPAPER. The Definitive Guide to Secure FTP

AWS FREQUENTLY ASKED QUESTIONS (FAQ)

CO Oracle WebLogic Server 12c. Administration II. Summary. Introduction. Prerequisites. Target Audience. Course Content.

Fundamentals of Windows Server 2008 Network and Applications Infrastructure

vsphere Installation and Setup Update 2 Modified on 10 JULY 2018 VMware vsphere 6.5 VMware ESXi 6.5 vcenter Server 6.5

VMware Workspace ONE UEM VMware AirWatch Cloud Connector

Citrix XenApp and XenDesktop 7.15 LTSR FIPS Sample Deployments

Oracle Payment Interface Token Proxy Service Security Guide Release 6.1 E November 2017

CA SiteMinder. Upgrade Guide. r12.0 SP3. Third Edition

OpenIAM Identity and Access Manager Technical Architecture Overview

TLS 1.1 Security fixes and TLS extensions RFC4346

SECURITY ON AWS 8/3/17. AWS Security Standards MORE. By Max Ellsberry

Cisco CloudCenter Solution with Cisco ACI: Common Use Cases

HRSD Position Description: UNIX Systems Administrator

Integrated Cloud Environment Security White Paper

NetIQ Privileged Account Manager 3.5 includes new features, improves usability and resolves several previous issues.

BlackBerry Dynamics Security White Paper. Version 1.6

Cloud Services. Introduction

Secured by RSA Implementation Guide. Last Modified: August 2, 2013

Echidna Concepts Guide

AUTOTASK ENDPOINT BACKUP (AEB) SECURITY ARCHITECTURE GUIDE

SOURCEFIRE SSL APPLIANCE RELEASE NOTES

Administering WebLogic Server on Java Cloud Service I Ed 1 Coming Soon

The SafeNet Security System Version 3 Overview

Workspace ONE UEM Integration with RSA PKI. VMware Workspace ONE UEM 1810

Awareness Technologies Systems Security. PHONE: (888)

Managing Performance in Liferay DXP: An Overview of Liferay Connected Services

Platform Services Controller Administration. Modified on 27 JUN 2018 VMware vsphere 6.7 VMware ESXi 6.7 vcenter Server 6.7

Document Number: rev D Intuitive Surgical, Inc. OnSite Overview. for the da Vinci Xi and da Vinci Si Surgical System.

Puppet on the AWS Cloud

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1

HP Database and Middleware Automation

Transcription:

Alliance Key Manager A Solution Brief for Partners & Integrators Key Management Enterprise Encryption Key Management This paper is designed to help technical managers, product managers, and developers understand how Alliance Key Manager works, how user applications manage encryption keys on the key server, and the scope of effort required to deploy encryption key management in your applications. The goal of this paper is to describe the technical issues related to key management integration, and not to provide actual programming samples. The intended audience is technical managers, product managers, and application developers in our partner community. Compatible Alliance Key Manager works with all major business platforms, leading encryption applications, and even legacy devices connected via serial port. Flexible Delivery Methods Available as: - Appliance - VMware Instance - Cloud Instance Reliable NIST AES Validation (All key sizes, all modes of encryption) NIST SHA Validation (in process) NIST FIPS-140-2 Level 1 (in process) About Townsend Security Townsend Security provides data encryption & tokenization, key management, secure communications, and compliance logging solutions to Enterprise customers on a variety of server platforms including IBM i, IBM z, Windows, Linux, and UNIX. The company can be reached on the web at www.townsendsecurity.com, or (800) 357-1019. www.townsendsecurity.com 724 Columbia Street NW, Suite 400, Olympia, WA 98501 800 357 1019 +1 360 359 4400 Fax 360.357.9047

The Alliance Key Manager Server Alliance Key Manager is a symmetric key management solution deployed on a hardware or software appliance. It is designed to properly create, activate, distribute, expire, and escrow encryption keys using industry best practices. You can think of the AKM solution as a secure vault for your encryption keys. Properly managing encryption keys is an important component of a data encryption strategy and is required by many compliance regulations. ISV and OEM partners are an important customer segment for Alliance Key Manager. Townsend Security (Townsend Security) works with a number of partners who need to integrate key management into their own solutions. We help our partners through the technical implementation, testing, and certification of the solution. How Keys Are Managed Encryption keys are managed by a security administrator, or by an application that is performing the role of a security administrator. Alliance Key Manager provides two applications to enable this process. A Java GUI application that runs on a Windows PC is used by a security administrator to create and manage encryption keys. There is also a Command Line administrative console that allows for scripting the key creation and management functions. In this latter case an application (perhaps a shell script) is performing the role of the security administrator. If your application only needs to retrieve encryption keys for use, you can deploy the Java GUI client for your customers to use to create encryption keys. But if you need to create and manage keys under program control, you can use the command line utility to do this. There is another alternative available to partners for key management: You can write applications that directly communicate with the key manager and perform key management functions. This interface is described in more detail below. How Keys Are Retrieved For Use Encryption keys are retrieved by user applications that open a secure SSL/TLS connection to the server, format a key retrieval request, send the request to the server, receive the response from the server that includes the encryption key, and then uses the key to encrypt or decrypt sensitive data. The key retrieval request is a very simple transaction. The communication session lasts for a very short period of time, and then is terminated. Once an encryption key is retrieved it can be used for many encryption and decryption tasks. Additionally, it can even be cached by your application for use by several tasks. Key Management SSL/TLS Services Encryption keys are sensitive data that must be protected at every step. The connection between your application that uses the encryption key, and the Alliance Key Manager server is an encrypted and authenticated SSL/TLS session. No encryption key data is exposed on the network when you retrieve the key. The security for this SSL/TLS session is more stringent than for normal network connections that use SSL. The Alliance Key Manager server will validate the X509 certificate presented by the client application, and will only allow known client-side certificates to make a key retrieval request. In addition, the information on the X509 certificate s Subject distinguished name (DN) field is used to provide additional security controls. The client side can also authenticate the key server s certificate to insure that a connection has been made to an actual instance of Alliance Key Manager, and not a surrogate server. This allows for mutual authentication by both the client and server. No communication is allowed with the key management server using unsecure connections, invalid certificates, or un-authenticated sessions. Communications Service Architecture The Alliance Key Manager exposes four services on the server: HTTPS service on port 3886 for browser-based server management SSL/TLS key retrieval service on port 6000 Page 2

SSL/TLS key management service on port 6001 SSL/TLS mirroring service on port 6002 These services can be configured for other ports if desired. No other services are exposed on the key server. The HTTPS web browser service is designed for server management (IP address configuration, starting and stopping the server, backup and recovery, etc.). This service is not used by partner applications for key management and retrieval. The mirroring service is not for use by partner applications. This service is used by the Alliance Key Manager application for real time distribution of encryption keys to remote failover servers. Partner applications use the key retrieval service to retrieve encryption keys. Partner applications can also use the key management service to create and manage encryption keys if desired. The SSL/TLS communications interfaces are multi-threaded and interleaved. That is, multiple applications can make simultaneous key retrieval and key management requests. There is no enforced limit to the number of requests that can made at the same time. The Role of X509 Certificates X509 certificates, RSA private keys, and related PKI infrastructure are critical to the protection of data encryption keys as they are retrieved from the key server. Alliance Key Manager requires a Certificate Authority (CA) certificate, and a server certificate in order to work properly. Client applications that communicate with the key server also need client-side X509 certificates that are signed by the same Certificate Authority. Improperly created certificates will cause the key server to reject key management and key retrieval requests. You can use a private or public Certificate Authority. For example, you can provide your own private CA infrastructure using an application like openssl. The Alliance Key Manager documentation describes how to do this. You can even automate certificate management through this application. An alternative is to use a public certificate authority like Verisign or Thawte. In this case you will purchase certificates from the public certificate authority and install them on the key server and in client applications. The Key Management Data Protocol Alliance Key Manager interfaces are agent-less. That is, any application that is capable of creating an SSL/TLS communications session, which has the appropriate X509 certificates, and which makes a request in the proper data format, can manage and retrieve encryption keys. No software from Townsend Security is required for this connection. This is sometimes referred to as a Wire protocol. This is in contrast to an API protocol where a vendor s software must be installed on the client system. The Alliance Key Manager interface requires no client-side software from Townsend Security. Of course, Alliance Key Manager provides software to help you get started faster on the client side (more on this below). The advantages of a wire protocol to an ISV or OEM partner are the following: No requirement for vendor software on the client system Very small software footprint on the client side Minimal or no impacts related to client OS upgrades, patches, etc. Minimal or no impacts related to key server OS upgrades, patches, etc. Alliance Key Manager Client Libraries To help our partners get up and running fast, Townsend Security provides client-side libraries for a number of common server platforms. You can use our libraries directly in your applications. Provided libraries are for the following platforms: Linux / Unix (shared libraries) Windows (.NET, VBNET, C#) IBM z (Mainframe) IBM i (AS/400) Java The above libraries are also used by customers who need to retrieve keys from the Alliance Key Manager server. Alliance Key Manager Client Sample Code For customers who can t use the Alliance Key Manager binary libraries, we provide source code for a variety of platforms. The source code can help customers with operating systems or client platforms where Townsend Security does not have binary implementations. Sample source is available for: Linux / Unix (shared libraries) Windows (.NET, VBNET, C#) Page 3

IBM z (Mainframe) IBM i (AS/400) Java All diagnostic logs are placed under syslog and log-rotate controls. Problems can easily be routed to a log collection server or SIEM solution. Alliance Key Manager Command Line Console Alliance Key Manager provides a Linux command line facility for key management. This command line facility can be used to automate routine key management operations, and can be especially helpful when a partner needs to generate a large number of keys on a periodic basis. The command line facility uses an interface that will be familiar to any Linux or Unix developer. Here is an example of creating an encryption key:./akmamin create-key MyKey key-size 256 expiration-date 00000000 The command line console is designed to work well with common scripting environments such as Shell and Perl. Partners can use the Townsend Security test scripts for regression testing, and as a platform for testing their own scripts. Error Handling All of the Alliance Key Manager APIs and commands return an error code indicating success or failure. You can fully automate applications that use Alliance Key Manager and know that all error conditions will be reported with a unique error indicator. Alliance Key Manager Diagnostic Logging Alliance Key Manager implements a variety of diagnostic logging functions as well as audit trails. This can greatly help the ISV partner analyze problems for their end customers. A basic level of diagnostic logging is enabled by default and output goes to a simple text log file. The log file can be viewed at any time using the server web browser session. For more complex problems Alliance Key Manager enables verbose diagnostic logging. This helps the partner s customer support team, and the Townsend Security support team, understand and react to problems quickly. Backup and Recovery Backup and recovery operations are included with the Alliance Key Manager web management application. Partners do not need to do any additional development work to take advantage of this built-in capability. End customers can use a familiar secure web browser session to back up the server. All backups are encrypted to protect the encryption keys, and key-encrypting keys are backed up separately from the data encryption key database. Mirroring, High Availability, and Load Balancing Alliance Key Manager includes real-time mirroring capabilities to provide for high availability failover, data redundancy, and load balancing support. The partner does not need to provide any additional development resources to enable this capability. Mirroring is enabled through simple configuration options in the server web management interface. Encryption keys can be selectively mirrored to the backup server. When you create an encryption key you assign the mirroring policy to the key. You can specify that some keys are mirrored to a mirror server, while other keys can remain resident on the key server without mirroring. Key Import and Export Alliance Key Manager supports a number of key import and export formats. Key import is available to the partner through the standard key management SSL/TLS interface. It can be completely automated if desired. Keys can be exported in RSA encrypted format for secure transfer to another key manager. If needed, Alliance Key Manager can also export encryption keys in binary, Base64, and Base16 (hex) formats. The ability to import and export keys through an automated interface provides an excellent method of migrating encryption keys from less secure environments to AKM for professional key management. Page 4

Product Evaluation Partners can evaluate the Alliance Key Manager solution by downloading the VMware instance of the server from the Townsend Security web site. This demonstration server is fully functional and comes pre-loaded with license, certificates, and a common configuration. In addition to the VMware instance of the key server, the demonstration software includes a Java GUI console application for creating and managing keys, and a Java GUI sample application for key retrieval. The key retrieval application includes an Eclipse project and source code. Partners can quickly install and use the key server for evaluation. Custom Configurations and Services Townsend Security values its partner customers and offers a variety of services designed to make partners successful. If you have special needs for key management we can work with your development team to extend AKM functionality. While the AKM server works without modifications for most of our partners, we know that one size does not fit all. We ll help you get the solution you need. NIST Certification Services Many of our partners want to sell a solution under their own brand name, and with their own NIST FIPS-140 certification. We work closely with an NVLAP certification laboratory and can help you achieve this as quickly as possible. The current AKM FIPS-140 certification was prepared in a way designed to help our OEM partners achieve certification quickly. If you are new to the FIPS-140 certification process we will coach you through the many steps needed to satisfy NIST requirements. Townsend Security Townsend Security provides data encryption & tokenization, key management, secure communications, and compliance logging solutions to Enterprise customers on a variety of server platforms including IBM i, IBM z, Windows, Linux, and UNIX. The company can be reached on the web at www.townsendsecurity.com, or (800) 357-1019. Page 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback