Product Documentation
SEARCH
Home
StrongKey Tellaro Appliance
Release Notes
SAKA 4.13.0
SAKA 4.12.0
SAKA 4.11.0
Upgrading from SAKA 4.x
Back
Preface
Default Paths and Filenames
Third-Party Website References
Strongkey Welcomes Your Comments!
Back
KAM Introduction
Architecture
Installation
Preliminary Steps
Install Components (Primary)
Install Components (Secondary)
Define KCs (Primary)
Verify KCs (Secondary)
Set Personal Identification Numbers (PINs) [Primary]
Set PINs and Complete Key Migration [Secondary]
Create System Users [Primary]
Create a New Encryption Domain [Primary]
Complete Second Domain Key Migration [Secondary]
Add System Users [Primary]
Configure the SKCE domain [Primary]
Replicate the CEM Domain [Secondary]
Back
CCS Web Service Operations
CCReturnObject
Manufacturer Identifiers for Processing CardHolder Data (CHD)
CCS Module GetCardCaptureData Mechanics
CCS Module DukptEncrypt Mechanics
CCS Module DukptDecrypt Mechanics
CCS Module DukptMAC Mechanics
CCS Module ReencryptPINBlock Mechanics
Back
KAM Web Service Operations
KAM Encryption Mechanics
KAM Decryption Mechanics
Notes on the Mechanics
KAM Deletion Mechanics
KAM Search Mechanics
KAM Entropy Mechanics
KAM General Purpose Key Encryption Mechanics
KAM General Purpose Key Decryption Mechanics
KAM Batch Operations
KAM Relay Mechanics
HTTPS Interface
SOAP Interface
Back
KMS Web Service Operations
CCReturnObject
CCKeyComponentType
CCCryptographicMaterialType
CCEncryptedAnsiX9241KeyType
KMS Module loadKeyComponent Mechanics
KMS Module loadBaseDerivationKey Mechanics
KMS Module generateBaseDerivationKey Mechanics
KMS Module generateInitialKey Mechanics
KMS Module storeAnsiX9241Key Mechanics
KMS Module replaceAnsiX9241Key Mechanics
KMS Module deleteAnsiX9241Key Mechanics
KMS Module updateAnsiX9241Key Mechanics
Back
KAM Batch Operations
SKLESBatchInput Element
SKLESBatchOutput Element
Generating the SBI XML file
Transferring XML Files to and from the Appliance
Submitting Batch Operations
Back
KAM DemoClients
Installing SAKA Clients
USB Copy from SAKA
Downloading the Certificate
Importing the Certificate into the JVM
Back
sakaclient.jar Operations
Displaying Help Options
Encryption (CBC Mode)
Decryption (CBC Mode)
Encryption (GCM Mode)
Decryption (GCM Mode)
Back
Back
KAM KCSetPINTool
Setting KC Preferences
Changing KC Passwords
Setting the KC PIN on the SAKA Server
Back
KAM DACTool
Changing DA Passwords
Preferences
Systems
Domains
Adding a New Domain
Generating and Storing Keys
Migrating Keys
Back
Users
Domain Administrators
Pinguser
Normal Users
Add New User
View Users
Deleting a User
Back
Jobs
Scheduled Jobs
Scheduling a Job
Canceling a Scheduled Job
Back
Configuration
Back
KAM Key Migration Tool
Prerequisites
Validating Credentials
Migrating a Key from this Appliance
Import a Migrating Key to this Appliance
Back
Back
KAM KMS ConsoleTool
Loading Key Components
Loading a BDK
Storing ANSI X-924.1 Keys from Key Components
Storing ANSI X-924.1 Keys from Wrapped Keys
Back
KAM Configuration
Immutable Configuration
Mutable Configuration
Sample Configuration File
Integrating with Active Directory
Integrating with Another Directory Server
Back
Back
KAM Key Management
Cryptographic Hardware Modules
Trusted Platform Module (TPM)
Hardware Security Module (HSM)
Encryption Domain Keys
Symmetric Cryptography Keys
Key Duration
Key Generation
Key Storage
Key Backup
Key Recovery
Key Rotation
Impact of Key Rotation on Applications
Using the HMAC as the Token
Using the PSN as the Token
ANSI X9.24-1 Keys
Back
Back
HSM Integration
Building the HSM Driver
Rebuilding the HSM Driver
Back
HSM Administration Basics
Checking the HSM Status
Starting CryptoServer Adminstration Tool (CAT)
Setting Up the Smart Card Reader
Logging in to the HSM
Back
Clearing the HSM
Running Clear
Loading Firmware
Setting the Real Time Clock
Back
Setting Up the HSM
Initializing an Admin Smart Card
Changing an Administrator Smart Card PIN
Creating an Admin
Creating the Master Backup Key
Changing a MBK Smart Card PIN
Back
Backing up the HSM
Deleting an Admin
Exporting the HSM Database
Back
Restoring from a Backup
Loading the MBK
Importing the HSM Database
Back
HSM Battery Replacement
Back
Managing Credentials
KAM Credentials
Web Service Users
Domain Administrators
Key Custodians
Back
HSM Credentials
Admin Smart Cards
MBK Smart Cards
Back
System Credentials
Hardware System BIOS
Linux root
Back
Linux strongauth
MariaDB root
MariaDB skles
Payara admin
Back
Back
Changing Hostname and IP
Changing the IP Address
Changing the Hostname
Back
Internal Repositories
Repository Requirements
Choosing an Online Mirror
Internal Repository Setup
KA Setup
Back
Internal Repositories Rocky 9.x
Repository Requirements
Choosing an Online Mirror
Internal Repository Setup
KA Setup
Back
Appliance Security
Physical Security
Operating System
Network
Relational Database
JEE Application Server
Lightweight Directory Access Protocol (LDAP)
Back
Appliance Credentials
The Security Conundrum
Credential Matrix
Protecting PINs from root
Protecting the strongauth Application Credential
Other Controls
Back
Back
PCI DSS 3.2
Requirement 3: Protect Stored Cardholder Data
PCI DSS Requirement 3.4
PCI DSS Requirement 3.5
PCI DSS Requirement 3.6
Back
Requirement 6: Develop and Maintain Secure Systems and Applications
PCI DSS Requirement 6.5
PCI DSS Requirement 6.6
PCI DSS Requirement 6.7
Back
Back
KC Responsibilities
Add New SKCE Domain
KAM Replication
Check Replication
Replicate Essentials Only
Enable Replication of Essential Tables Only
Archive Data
Back
Disable Replication to Inactive Nodes
Known Behavior
Back
Appendices
Adding a Data Recovery Server to a Cluster
Step #1 on an EXISTING server
Step #2 on the NEW server
Step #3 on the EXISTING node
Step #4 on the NEW node
Post-Installation
Back
Adding an Additional Server to a Cluster
Step #1 on an EXISTING server
Step #2 on the NEW server
Step #3 On the EXISTING node
Step #4 on the NEW node
Back
Application Development Guide
Application Design for “Card Not Present” transactions
Storing Encryption Domain Identifier (DID)
Securing Decryption Credentials
Cluster Communications
Relay Processing
Summary on “Card Not Present” transactions
Back
Batch Delete Tokens
CIS Hardening Verification RHEL 7.X
CIS Hardening Verification ROCKY 9.X
Cleanup SAKA Disk Space
Cleanup Old Distributions and Files
Cleanup Database Tables
Cleanup Encryption Requests Table
Back
Back
Configure Syslog
Create Software Keystore HSM Credential
Installing KCSPTool and DACTool on Windows
Installation
Back
KA Replace EOL Node
Prerequisites
Step 1 (On New SAKA)
Step 2 (On EOL SAKA)
Step 3 (On New SAKA)
Step 4 (On EOL SAKA)
Step 5 (On New SAKA)
Step 6 (On EOL SAKA)
Step 7 (On New SAKA)
Back
KAM KC Replace Tool
Prerequisites
Validating Credentials
Recreate a set of Key Custodians
Create a new set of Key Custodians
Back
MariaDB Audit Logging Configuration
Enable MariaDB Audit Logging
Monitoring the MariaDB for Replication anomalies
Disable MariaDB Audit Logging
The counts_v2.sql file
Back
Migration Information
Migrating from Centos to Rocky
Rocky Linux Kickstart USB Guide
Step 1: On an Existing Production Server in the Cluster
Step 2: On the Same Machine after Installing Rocky 9.3
Back
Modifying the Appliance's IP Address or Hostname
Reboot StrongKey Tellaro
Pre-Reboot
Reboot
Post-Reboot
Back
Relay Webservice
Mechanics of the Relay
Deploying the service
Relay Webservice Client
HTTP interface
SOAP interface
Back
Replace CMOS Battery
Setting up LACP Bonding on Tellaro KA
Strongkey Tellaro & Ransomware Protection
Using Custom SSL/TLS Certificates
Generating a TLS certificate with the SAN extension
Installing the keystore on SAKA
Conclusion
Back
Using a Custom Trust Store
Using HAProxy as a Load Balancer
Using the Key Migration Tool (KMTool)
Pre-requisites
Mechanics
Details
Back
Test Appliance Funcationality
Using pingsaka script
Back
Back
In order to avoid any disruptions, make sure following are in place before rebooting the appliance.
Appliance being rebooted is taken out of the Load Balancer and is not processing any transaction.
KeyCustodians are available to set PINs after appliance is rebooted.