Details

Release Notes
- SAKA 4.12.0
- SAKA 4.11.0
- Back
Preface
- Default Paths and Filenames
- Third-Party Website References
- Strongkey Welcomes Your Comments!
- Back
KAM Introduction
Architecture
Installation
- Preliminary Steps
- Install Components (Primary)
- Install Components (Secondary)
- Define KCs (Primary)
- Verify KCs (Secondary)
- Set Personal Identification Numbers (PINs) [Primary]
- Set PINs and Complete Key Migration [Secondary]
- Create System Users [Primary]
- Create a New Encryption Domain [Primary]
- Complete Second Domain Key Migration [Secondary]
- Add System Users [Primary]
- Configure the SKCE domain [Primary]
- Replicate the CEM Domain [Secondary]
- Back
CCS Web Service Operations
- CCReturnObject
- Manufacturer Identifiers for Processing CardHolder Data (CHD)
- CCS Module GetCardCaptureData Mechanics
- CCS Module DukptEncrypt Mechanics
- CCS Module DukptDecrypt Mechanics
- CCS Module DukptMAC Mechanics
- CCS Module ReencryptPINBlock Mechanics
- Back
KAM Web Service Operations
- KAM Encryption Mechanics
- KAM Decryption Mechanics
- Notes on the Mechanics
- KAM Deletion Mechanics
- KAM Search Mechanics
- KAM Entropy Mechanics
- KAM General Purpose Key Encryption Mechanics
- KAM General Purpose Key Decryption Mechanics
- KAM Batch Operations
- KAM Relay Mechanics
- HTTPS Interface
- SOAP Interface
- Back
KMS Web Service Operations
- CCReturnObject
- CCKeyComponentType
- CCCryptographicMaterialType
- CCEncryptedAnsiX9241KeyType
- KMS Module loadKeyComponent Mechanics
- KMS Module loadBaseDerivationKey Mechanics
- KMS Module generateBaseDerivationKey Mechanics
- KMS Module generateInitialKey Mechanics
- KMS Module storeAnsiX9241Key Mechanics
- KMS Module replaceAnsiX9241Key Mechanics
- KMS Module deleteAnsiX9241Key Mechanics
- KMS Module updateAnsiX9241Key Mechanics
- Back
KAM Batch Operations
- SKLESBatchInput Element
- SKLESBatchOutput Element
- Generating the SBI XML file
- Transferring XML Files to and from the Appliance
- Submitting Batch Operations
- Back
KAM DemoClients
- Installing SAKA Clients
- sakaclient.jar Operations
- Back
KAM KCSetPINTool
- Setting KC Preferences
- Changing KC Passwords
- Setting the KC PIN on the SAKA Server
- Back
KAM DACTool
- Changing DA Passwords
- Preferences
- Systems
- Domains
- Users
- Jobs
- Configuration
- Back
KAM Key Migration Tool
- Prerequisites
- Back
KAM KMS ConsoleTool
- Loading Key Components
- Loading a BDK
- Storing ANSI X-924.1 Keys from Key Components
- Storing ANSI X-924.1 Keys from Wrapped Keys
- Back
KAM Configuration
- Immutable Configuration
- Mutable Configuration
- Sample Configuration File
- Back
KAM Key Management
- Cryptographic Hardware Modules
- Back
HSM Integration
- Building the HSM Driver
  - Rebuilding the HSM Driver
  - Back
- HSM Administration Basics
- Clearing the HSM
- Setting Up the HSM
- Backing up the HSM
- Restoring from a Backup
- Back
Managing Credentials
- KAM Credentials
- HSM Credentials
- System Credentials
- Linux strongauth
- Back
Changing Hostname and IP
- Changing the IP Address
- service iptables restart
- Changing the Hostname
- Back
Internal Repositories
- Repository Requirements
- Choosing an Online Mirror
- Internal Repository Setup
- KA Setup
- Back
Appliance Security
- Physical Security
- Operating System
- Appliance Credentials
- Back
PCI DSS 3.2
- Requirement 3: Protect Stored Cardholder Data
- Requirement 6: Develop and Maintain Secure Systems and Applications
- Back
KC Responsibilities
Add New SKCE Domain
KAM Replication
- Replicate Essentials Only
- Back
Appendices
- Using a Custom Trust Store
- Using the Key Migration Tool (KMTool)
  - Pre-requisites
  - Mechanics
  - Details
  - Back
- Modifying the Appliance's IP Address or Hostname
- Relay Webservice
  - Mechanics of the Relay
  - Deploying the service
  - Relay Webservice Client
  - HTTP interface
  - SOAP interface
  - Back
- Installing KCSPTool and DACTool on Windows
  - Installation
  - Back
- KAM KC Replace Tool
  - Prerequisites
  - Validating Credentials
  - Recreate a set of Key Custodians
  - Create a new set of Key Custodians
  - Back
- Migration Information
- Using HAProxy as a Load Balancer
- MariaDB Audit Logging Configuration
  - Enable MariaDB Audit Logging
  - Monitoring the MariaDB for Replication anomalies
  - Disable MariaDB Audit Logging
  - The counts_v2.sql file
  - Back
- Application Development Guide
  - Application Design for “Card Not Present” transactions
  - Storing Encryption Domain Identifier (DID)
  - Securing Decryption Credentials
  - Cluster Communications
  - Relay Processing
  - Summary on “Card Not Present” transactions
  - Back
- Setting up LACP Bonding on Tellaro KA
- Strongkey Tellaro & Ransomware Protection
- Adding an Additional Server to a Cluster
  - Step #1 on an EXISTING server
  - Step #2 on the NEW server
  - Step #3 On the EXISTING node
  - Step #4 on the NEW node
  - Back
- Adding a Data Recovery Server to a Cluster
  - Step #1 on an EXISTING server
  - Step #2 on the NEW server
  - Step #3 on the EXISTING node
  - Step #4 on the NEW node
  - Post-Installation
  - Back
- Batch Delete Tokens
- CIS Hardening Verification RHEL 7.X
- CIS Hardening Verification ROCKY 9.X
- Migrating from Centos to Rocky
  - Rocky Linux Kickstart USB Guide
  - Step 1: On an Existing Production Server in the Cluster
  - Step 2: On the Same Machine after Installing Rocky 9.2
  - Back
- KA Replace EOL Node
  - Prerequisites
  - Step 1 (On New SAKA)
  - Step 2 (On EOL SAKA)
  - Step 3 (On New SAKA)
  - Step 4 (On EOL SAKA)
  - Step 5 (On New SAKA)
  - Step 6 (On EOL SAKA)
  - Step 7 (On New SAKA)
  - Back
- Cleanup SAKA Disk Space
  - Cleanup Old Distributions and Files
  - Cleanup Database Tables
    - Cleanup Encryption Requests Table
    - Back
  - Back
- Using Custom SSL/TLS Certificates
  - Generating a TLS certificate with the SAN extension
  - Installing the keystore on SAKA
  - Conclusion
  - Back
- Reboot StrongKey Tellaro
  - Pre-Reboot
  - Reboot
  - Post-Reboot
  - Back
- Configure Syslog
- Back

The following steps will take you through the process of migrating keys from one appliance to another.

To start this tool on skles01 appliance, log into the appliance as the 'strongauth' user and start the X Windows environment by typing in 'startx' from the command-prompt
Execute the '/usr/local/strongauth/bin/KMTool.sh' shell script from a terminal window. This will display the following window:

Configure the KMTool with the URL of the source appliance by selecting 'Preferences' from the 'File' menu. The following screen is displayed. Additionally, the TPM, cryptographic module must be selected. You may, optionally, configure the KC role and the location of their keystore, but since KCs will not normally use this tool, this is not necessary.

The table below provides an explanation for the different fields:

Parameter	Explanation
Key Custodian Role	Select the appropriate key custodian to be validated.
Keystore Location	Select the location of the key for the user selected. It should either be in a flash drive or in the keystore folder on the appliance.
SKLES URLs	Enter the URLs of all the appliances in the cluster. The format is: https://<domain name>:8181

Each of the three Key Custodians and the Domain Administrator must now authenticate themselves to the appliance in the “Validate Credentials” panel of the KMTool.
Select the appropriate Custodian role from the pull-down option.
The KC inserts their USB token into the appliance.
Using the Browse button, select the appropriate KC's credential file – it will have a file-name that matches their role.
The KC types in their secret password to the credential file in the Password field.
Click the “Verify” button to ensure that the password unlocks the credential file correctly. If the password is correct a message will appear on the bottom of the tool as shown below:
If the password verification is successful, select the Validate button to send the credential to the appliance for validation. If the process works correctly, a “success” message will appear on the bottom of the screen as shown below:
Have all three Key Custodians authenticate themselves to the appliance in this manner.
Next, the Domain Administrator authenticates him/herself, but additionally, supplies the Domain ID in the panel. This field is activated only for the Domain Administrator. Once all four roles have successfully authenticated themselves, the remaining panels become available.

13. Generate the migration key object in the second panel titled “Migrate a key from this appliance” . The following figure shows this panel and Table 2 explains the parameters:

Parameter	Explanation
Test Token	A unique Pseudo-Number (Token) that was created on the Primary appliance, and which will be used for a decryption test on the new appliance. The standard “ well known token” is 9999000000000001 that was created during the installation wizard and which returns the standard “ well known plaintext” (1235711131719230).
Mask Location	Location of the MASK file of theskles03 appliance. In a production environment, this file is on the black-colored flash drive.

After selecting the file, click on “ Migrate” button; this generates the migration key file (on the same black-colored USB drive as the target-machine's MASK file) with a file-name that has the following format:
<source-appliance-FQDN>-<sarget-appliance-FQDN>-<domain Id>.migkey.xml

where FQDN is the fully-qualified domain name of the appliance. In this example, the file-name is:
skles01.strongauth.com-skles03.strongauth.com-1.migkey.xml
Now, the process switches over to the target appliance – skles03.
16. After starting KMTool on the target appliance, all Key Custodians and the Domain Administrator must authenticate themselves to the appliance with their USB flash-drives.

Once successfully validated the the Domain Administrator imports the migration key file from the black-colored USB drive to this target machine using the third panel titled “Import a migrating key to this appliance”. The figure below shows this panel and Table 3 explains the parameters.

Parameter	Explanation
Key File	The file-name of the migrating key that was generated on the source appliance (step 14)
Domain Id	The encryption domain identifier for which the key has to be migrated
Key UUID	The UUID created while generating the key; this is automatically filled out by the tool and helps verify the unique ID of the migrating EDK

Click on “Import” button to import this key onto the target appliance. If the process works correctly, you will see a message indicating success.
This concluded the key-migration process and you can exit KMTool. The new target appliance is now capable of decrypting objects encrypted by other appliances within the trusted-cluster.