Create Software Keystore HSM Credential

Release Notes
- SAKA 4.13.0
- SAKA 4.12.0
- SAKA 4.11.0
- Upgrading from SAKA 4.x
- Back
Preface
- Default Paths and Filenames
- Third-Party Website References
- Strongkey Welcomes Your Comments!
- Back
KAM Introduction
Architecture
Installation
- Preliminary Steps
- Install Components (Primary)
- Install Components (Secondary)
- Define KCs (Primary)
- Verify KCs (Secondary)
- Set Personal Identification Numbers (PINs) [Primary]
- Set PINs and Complete Key Migration [Secondary]
- Create System Users [Primary]
- Create a New Encryption Domain [Primary]
- Complete Second Domain Key Migration [Secondary]
- Add System Users [Primary]
- Configure the SKCE domain [Primary]
- Replicate the CEM Domain [Secondary]
- Back
CCS Web Service Operations
- CCReturnObject
- Manufacturer Identifiers for Processing CardHolder Data (CHD)
- CCS Module GetCardCaptureData Mechanics
- CCS Module DukptEncrypt Mechanics
- CCS Module DukptDecrypt Mechanics
- CCS Module DukptMAC Mechanics
- CCS Module ReencryptPINBlock Mechanics
- Back
KAM Web Service Operations
- KAM Encryption Mechanics
- KAM Decryption Mechanics
- Notes on the Mechanics
- KAM Deletion Mechanics
- KAM Search Mechanics
- KAM Entropy Mechanics
- KAM General Purpose Key Encryption Mechanics
- KAM General Purpose Key Decryption Mechanics
- KAM Batch Operations
- KAM Relay Mechanics
- HTTPS Interface
- SOAP Interface
- Back
KMS Web Service Operations
- CCReturnObject
- CCKeyComponentType
- CCCryptographicMaterialType
- CCEncryptedAnsiX9241KeyType
- KMS Module loadKeyComponent Mechanics
- KMS Module loadBaseDerivationKey Mechanics
- KMS Module generateBaseDerivationKey Mechanics
- KMS Module generateInitialKey Mechanics
- KMS Module storeAnsiX9241Key Mechanics
- KMS Module replaceAnsiX9241Key Mechanics
- KMS Module deleteAnsiX9241Key Mechanics
- KMS Module updateAnsiX9241Key Mechanics
- Back
KAM Batch Operations
- SKLESBatchInput Element
- SKLESBatchOutput Element
- Generating the SBI XML file
- Transferring XML Files to and from the Appliance
- Submitting Batch Operations
- Back
KAM DemoClients
- Installing SAKA Clients
- sakaclient.jar Operations
- Back
KAM KCSetPINTool
- Setting KC Preferences
- Changing KC Passwords
- Setting the KC PIN on the SAKA Server
- Back
KAM DACTool
- Changing DA Passwords
- Preferences
- Systems
- Domains
- Users
- Jobs
- Configuration
- Back
KAM Key Migration Tool
- Prerequisites
- Back
KAM KMS ConsoleTool
- Loading Key Components
- Loading a BDK
- Storing ANSI X-924.1 Keys from Key Components
- Storing ANSI X-924.1 Keys from Wrapped Keys
- Back
KAM Configuration
- Immutable Configuration
- Mutable Configuration
- Sample Configuration File
- Back
KAM Key Management
- Cryptographic Hardware Modules
- Back
HSM Integration
- Building the HSM Driver
  - Rebuilding the HSM Driver
  - Back
- HSM Administration Basics
- Clearing the HSM
- Setting Up the HSM
- Backing up the HSM
- Restoring from a Backup
- HSM Battery Replacement
- Back
Managing Credentials
- KAM Credentials
- HSM Credentials
- System Credentials
- Linux strongauth
- Back
Changing Hostname and IP
- Changing the IP Address
- Changing the Hostname
- Back
Internal Repositories
- Repository Requirements
- Choosing an Online Mirror
- Internal Repository Setup
- KA Setup
- Back
Internal Repositories Rocky 9.x
- Repository Requirements
- Choosing an Online Mirror
- Internal Repository Setup
- KA Setup
- Back
Appliance Security
- Physical Security
- Operating System
- Appliance Credentials
- Back
PCI DSS 3.2
- Requirement 3: Protect Stored Cardholder Data
- Requirement 6: Develop and Maintain Secure Systems and Applications
- Back
KC Responsibilities
Add New SKCE Domain
KAM Replication
- Check Replication
- Replicate Essentials Only
- Disable Replication to Inactive Nodes
- Known Behavior
- Back
Appendices
- Adding a Data Recovery Server to a Cluster
  - Step #1 on an EXISTING server
  - Step #2 on the NEW server
  - Step #3 on the EXISTING node
  - Step #4 on the NEW node
  - Post-Installation
  - Back
- Adding an Additional Server to a Cluster
  - Step #1 on an EXISTING server
  - Step #2 on the NEW server
  - Step #3 On the EXISTING node
  - Step #4 on the NEW node
  - Back
- Application Development Guide
  - Application Design for “Card Not Present” transactions
  - Storing Encryption Domain Identifier (DID)
  - Securing Decryption Credentials
  - Cluster Communications
  - Relay Processing
  - Summary on “Card Not Present” transactions
  - Back
- Batch Delete Tokens
- CIS Hardening Verification RHEL 7.X
- CIS Hardening Verification ROCKY 9.X
- Cleanup SAKA Disk Space
  - Cleanup Old Distributions and Files
  - Cleanup Database Tables
    - Cleanup Encryption Requests Table
    - Back
  - Back
- Configure Syslog
- Create Software Keystore HSM Credential
- Installing KCSPTool and DACTool on Windows
  - Installation
  - Back
- KA Replace EOL Node
  - Prerequisites
  - Step 1 (On New SAKA)
  - Step 2 (On EOL SAKA)
  - Step 3 (On New SAKA)
  - Step 4 (On EOL SAKA)
  - Step 5 (On New SAKA)
  - Step 6 (On EOL SAKA)
  - Step 7 (On New SAKA)
  - Back
- KAM KC Replace Tool
  - Prerequisites
  - Validating Credentials
  - Recreate a set of Key Custodians
  - Create a new set of Key Custodians
  - Back
- MariaDB Audit Logging Configuration
  - Enable MariaDB Audit Logging
  - Monitoring the MariaDB for Replication anomalies
  - Disable MariaDB Audit Logging
  - The counts_v2.sql file
  - Back
- Migration Information
- Migrating from Centos to Rocky
  - Rocky Linux Kickstart USB Guide
  - Step 1: On an Existing Production Server in the Cluster
  - Step 2: On the Same Machine after Installing Rocky 9.3
  - Back
- Modifying the Appliance's IP Address or Hostname
- Reboot StrongKey Tellaro
  - Pre-Reboot
  - Reboot
  - Post-Reboot
  - Back
- Relay Webservice
  - Mechanics of the Relay
  - Deploying the service
  - Relay Webservice Client
  - HTTP interface
  - SOAP interface
  - Back
- Replace CMOS Battery
- Setting up LACP Bonding on Tellaro KA
- Strongkey Tellaro & Ransomware Protection
- Using Custom SSL/TLS Certificates
  - Generating a TLS certificate with the SAN extension
  - Installing the keystore on SAKA
  - Conclusion
  - Back
- Using a Custom Trust Store
- Using HAProxy as a Load Balancer
- Using the Key Migration Tool (KMTool)
  - Pre-requisites
  - Mechanics
  - Details
  - Back
- Test Appliance Funcationality
  - Using pingsaka script
  - Back
- Back

When administering a hardware security module (HSM) within StrongKey Tellaro appliances, the HSM supports authenticating Administrators in multiple ways:

Using cryptographic credentials on smartcards with user-verifying PINs: These deliver the highest level of security, but require that sites have smartcard PIN-pad readers, as well as the user with their smartcard, present in front of the StrongKey Tellaro appliance to authenticate to the HSM;
Using cryptographic credentials in keystore files with user-verifying PINs: These deliver high levels of security and can be used for remote authentication - but they require the user’s keystore file be accessible on the StrongKey Tellaro appliance while performing administrative tasks. Some of the risk associated with having the keystore file on the appliance can be managed by having the user place their keystore file on the appliance only when they need to perform administrative tasks and deleting it when completing their tasks;
Using username and password: StrongKey does not recommend this method because of the risks of using this mechanism on highly sensitive devices.

Prerequisites

At least two HSM Administrators (to satisfy ‘M of N’ authentication security requirements) with smartcards, in front of the StrongKey Tellaro appliance with a PIN-pad smartcard reader.
As many USB flash-drives as new administrator credentials that need to be created. These are necessary to copy software keystore files to individual USB flash-drives to be assigned to specific individuals for custody and use

Create the new credentials on the first Tellaro appliance

Connect the appropriate smartcard reader with a PIN-pad to the front USB port of the StrongKey Tellaro appliance. Depending on the server hardware, some models do not recognize the reader on the USB ports at the back of the machine without configuration changes in the machine’s BIOS.
Login into the appliance as the ‘strongauth’ user. Login into the appliance’s console to operate the smartcard and PIN-pad reader with the HSM’s Cryptoserver Administration Tool (CAT) – SSH or Putty session cannot be used for this task.
If the graphical user interface (GUI) of the appliance does not start automatically, at the command prompt, start X-Windows as follows:
```
shell> startx
```
Open the terminal. When the Terminal window has started up, create a directory to store the software keystore files:
```
shell> mkdir /usr/local/strongauth/keystores
```
Run the Cryptoserver Administration Tool (CAT) and put it in the background:
```
shell> java -jar /usr/local/bin/cat.jar & 
```
Click on the Devices button and connect to the HSM with /dev/cs2.0 as the device and click 'OK'.
Authenticate to the tool by selecting the Login/Logoff button. A panel will display a list of existing credentials with additional information about the credentials
Choose one of the Administrator credentials on the displayed User Management panel. The administrator must insert their smartcard into the reader and follow prompts on the PIN-pad reader’s screen to enter their secret PIN. A successful PIN authentication will enable the smartcard to authenticate the user to CAT
When ‘M’ administrators have successfully authenticated to CAT, close the User Management panel
Remove the smartcard reader with the PIN-pad from the front USB port (however, have it handy in case the work does not get completed and the session, inadvertently, expires)
Select Authentication Token from the CAT menu and generate a keystore file for each administrator, one-at-a-time. Choose the location and name of the keystore file and input a password to protect access to the contents of this file. It is recommended to include the name of the administrator who will associated with the keystore file to identify which administrator is using which keystore file. For example, if administrator is expected to be administrator01, use a keystore filename such as softkey-administrator01.key

NOTE: This password should be recorded on a 3x5 index card, sealed in a security envelope and locked away for security and disaster recovery purposes.
Repeat the keystore file generation step for as many administrators that will be added
After generating the requisite number of keystore files on the Tellaro appliance, create new administrative users and associate each keystore file with the individual administrator authorized to authenticate to the HSM. Do this by clicking on the Manage User button.
Select Add User

Type in a unique name for the new administrator – it can be a generic role-based name or the username of the specific individual assigned to that role
Choose ADMIN Manager two-person rule for the User Profile
Select the type of algorithm that was chosen earlier for the keystore file and click OK
This will prompt for a keystore file to be associated with the new administrator; choose the appropriate keystore file assigned to this user and select ‘OK’

Repeat the above two steps to add at least three (3) credentials for the HSM administrators who will use software keystore files for authentication.

Verify authentication, administrative privileges with the new credentials and take backup of the keystores and databases

Without disconnecting from CAT, logoff all users from the session by selecting the Login/Logoff button and then selecting the Logoff All… button
Select any one of the newly created administrator credentials using keystore files to authenticate, and select the Login.. button
The Choose User Token for Login panel will prompt for either using a smartcard or Keyfile token. Choosing Keyfile Token, supply the password assigned to the specified administrator
If correct, a Green check-mark shows up against the credential indicating that the administrator is authenticated. Verify all software keystore administrator credentials to confirm that the credential authenticates to the HSM correctly
While authenticated with software keystore administrator credentials, select the Backup/Restore button
In the CryptoServer Database Backup/Restore Wizard panel, select the ‘Backup databases from Source CryptoServer to Backup directory’ option
Choose the /usr/local/strongauth/keystores folder for Backup directory
If there are no errors, a Database Export panel will display the names of the databases that were exported – this will indicate that the software keystore administrators have the appropriate credentials

NOTE: If the CXIKEY.db and the user.db files already exist in the target directory (presumably, from a previous backup), there will be a warning prompt to overwrite a preexisting file by the same name. Cancel the operation and rename the preexisting files to preserve the prior backup (STRONGLY RECOMMENDED).
Navigate to the /usr/local/keystores folder where the newly generated software keystores are located. For each software keystore, copy the keystores to the individual USB flash-drives
Using a different USB flash-drive, copy the CXIKEY.db and the user.db files from /usr/local/keystores onto the flash-drive
This concludes the process on the first StrongKey Tellaro appliance. It is now necessary to import the exported databases from the HSM to make sure that other appliances can authenticate the newly created software keystore administrators.

Import HSM Databases on StrongKey Tellaro Appliances

Login into the appliance as the strongauth user. Login into the appliance’s console to operate the smartcard and PIN-pad reader with the HSM’s Cryptoserver Administration Tool (CAT) – SSH or Putty session cannot be used for this task
When the Terminal window has started up, create a directory to store the keystore files:
```
shell> mkdir /usr/local/strongauth/keystores
```
Insert the USB flash-drive containing the CXIKEY.db and user.db files into the front port of the StrongKey Tellaro appliance. Copy the databases to the newly created keystores folder.
Run the Cryptoserver Administration Tool (CAT) and put it in the background:
```
shell> java -jar /usr/local/bin/cat.jar & 
```
Click on the Devices button and connect to the HSM with /dev/cs2.0 as the device and click 'OK'.
Authenticate to the tool by selecting the Login/Logoff button. A panel will display a list of existing credentials with additional information about the credentials
Choose one of the Administrator credentials on the displayed User Management panel. The administrator must insert their smartcard into the reader and follow prompts on the PIN-pad reader’s screen to enter their secret PIN. A successful PIN authentication will enable the smartcard to authenticate the user to CAT
When ‘M’ administrators have successfully authenticated to CAT, close the User Management panel
Select the Backup/Restore button
In the CryptoServer Database Backup/Restore Wizard panel, select the Restore databases from Backup directory to Target CryptoServer option.
Choose the /usr/local/strongauth/keystores folder for Backup directory and select all the available databases in the backup directory.
Click on 'Add All' and Execute.
If there are no errors, a Database Import panel will display the names of the databases that were imported

Verify authentication, Administrative privileges with new credentials

Without disconnecting from CAT, logoff all users from the session by selecting the Login/Logoff button and then selecting the Logoff All… button
Select any one of the newly created administrator credentials using keystore files to authenticate, and select the Login.. button
The Choose User Token for Login panel will prompt for either using a smartcard or Keyfile token. Choosing Keyfile Token, supply the password assigned to the specified administrator
If correct, a Green check-mark shows up against the credential indicating that the administrator is authenticated. Verify all software keystore administrator credentials to confirm that the credential authenticates to the HSM correctly
Continue importing the HSM databases on the remaining Tellaro appliances until all appliances have the same CXIKEY.db and user.db contents, and until all software keystore administrators can authenticate to CAT successfully.
This concludes the process of generating software keystores for HSM administrators and verifying their access.