Installation

Release Notes
- SAKA 4.12.0
- SAKA 4.11.0
- Back
Preface
- Default Paths and Filenames
- Third-Party Website References
- Strongkey Welcomes Your Comments!
- Back
KAM Introduction
Architecture
Installation
- Preliminary Steps
- Install Components (Primary)
- Install Components (Secondary)
- Define KCs (Primary)
- Verify KCs (Secondary)
- Set Personal Identification Numbers (PINs) [Primary]
- Set PINs and Complete Key Migration [Secondary]
- Create System Users [Primary]
- Create a New Encryption Domain [Primary]
- Complete Second Domain Key Migration [Secondary]
- Add System Users [Primary]
- Configure the SKCE domain [Primary]
- Replicate the CEM Domain [Secondary]
- Back
CCS Web Service Operations
- CCReturnObject
- Manufacturer Identifiers for Processing CardHolder Data (CHD)
- CCS Module GetCardCaptureData Mechanics
- CCS Module DukptEncrypt Mechanics
- CCS Module DukptDecrypt Mechanics
- CCS Module DukptMAC Mechanics
- CCS Module ReencryptPINBlock Mechanics
- Back
KAM Web Service Operations
- KAM Encryption Mechanics
- KAM Decryption Mechanics
- Notes on the Mechanics
- KAM Deletion Mechanics
- KAM Search Mechanics
- KAM Entropy Mechanics
- KAM General Purpose Key Encryption Mechanics
- KAM General Purpose Key Decryption Mechanics
- KAM Batch Operations
- KAM Relay Mechanics
- HTTPS Interface
- SOAP Interface
- Back
KMS Web Service Operations
- CCReturnObject
- CCKeyComponentType
- CCCryptographicMaterialType
- CCEncryptedAnsiX9241KeyType
- KMS Module loadKeyComponent Mechanics
- KMS Module loadBaseDerivationKey Mechanics
- KMS Module generateBaseDerivationKey Mechanics
- KMS Module generateInitialKey Mechanics
- KMS Module storeAnsiX9241Key Mechanics
- KMS Module replaceAnsiX9241Key Mechanics
- KMS Module deleteAnsiX9241Key Mechanics
- KMS Module updateAnsiX9241Key Mechanics
- Back
KAM Batch Operations
- SKLESBatchInput Element
- SKLESBatchOutput Element
- Generating the SBI XML file
- Transferring XML Files to and from the Appliance
- Submitting Batch Operations
- Back
KAM DemoClients
- Installing SAKA Clients
- sakaclient.jar Operations
- Back
KAM KCSetPINTool
- Setting KC Preferences
- Changing KC Passwords
- Setting the KC PIN on the SAKA Server
- Back
KAM DACTool
- Changing DA Passwords
- Preferences
- Systems
- Domains
- Users
- Jobs
- Configuration
- Back
KAM Key Migration Tool
- Prerequisites
- Back
KAM KMS ConsoleTool
- Loading Key Components
- Loading a BDK
- Storing ANSI X-924.1 Keys from Key Components
- Storing ANSI X-924.1 Keys from Wrapped Keys
- Back
KAM Configuration
- Immutable Configuration
- Mutable Configuration
- Sample Configuration File
- Back
KAM Key Management
- Cryptographic Hardware Modules
- Back
HSM Integration
- Building the HSM Driver
  - Rebuilding the HSM Driver
  - Back
- HSM Administration Basics
- Clearing the HSM
- Setting Up the HSM
- Backing up the HSM
- Restoring from a Backup
- Back
Managing Credentials
- KAM Credentials
- HSM Credentials
- System Credentials
- Linux strongauth
- Back
Changing Hostname and IP
- Changing the IP Address
- service iptables restart
- Changing the Hostname
- Back
Internal Repositories
- Repository Requirements
- Choosing an Online Mirror
- Internal Repository Setup
- KA Setup
- Back
Appliance Security
- Physical Security
- Operating System
- Appliance Credentials
- Back
PCI DSS 3.2
- Requirement 3: Protect Stored Cardholder Data
- Requirement 6: Develop and Maintain Secure Systems and Applications
- Back
KC Responsibilities
Add New SKCE Domain
KAM Replication
- Replicate Essentials Only
- Back
Appendices
- Using a Custom Trust Store
- Using the Key Migration Tool (KMTool)
  - Pre-requisites
  - Mechanics
  - Details
  - Back
- Modifying the Appliance's IP Address or Hostname
- Relay Webservice
  - Mechanics of the Relay
  - Deploying the service
  - Relay Webservice Client
  - HTTP interface
  - SOAP interface
  - Back
- Installing KCSPTool and DACTool on Windows
  - Installation
  - Back
- KAM KC Replace Tool
  - Prerequisites
  - Validating Credentials
  - Recreate a set of Key Custodians
  - Create a new set of Key Custodians
  - Back
- Migration Information
- Using HAProxy as a Load Balancer
- MariaDB Audit Logging Configuration
  - Enable MariaDB Audit Logging
  - Monitoring the MariaDB for Replication anomalies
  - Disable MariaDB Audit Logging
  - The counts_v2.sql file
  - Back
- Application Development Guide
  - Application Design for “Card Not Present” transactions
  - Storing Encryption Domain Identifier (DID)
  - Securing Decryption Credentials
  - Cluster Communications
  - Relay Processing
  - Summary on “Card Not Present” transactions
  - Back
- Setting up LACP Bonding on Tellaro KA
- Strongkey Tellaro & Ransomware Protection
- Adding an Additional Server to a Cluster
  - Step #1 on an EXISTING server
  - Step #2 on the NEW server
  - Step #3 On the EXISTING node
  - Step #4 on the NEW node
  - Back
- Adding a Data Recovery Server to a Cluster
  - Step #1 on an EXISTING server
  - Step #2 on the NEW server
  - Step #3 on the EXISTING node
  - Step #4 on the NEW node
  - Post-Installation
  - Back
- Batch Delete Tokens
- CIS Hardening Verification RHEL 7.X
- CIS Hardening Verification ROCKY 9.X
- Migrating from Centos to Rocky
  - Rocky Linux Kickstart USB Guide
  - Step 1: On an Existing Production Server in the Cluster
  - Step 2: On the Same Machine after Installing Rocky 9.2
  - Back
- KA Replace EOL Node
  - Prerequisites
  - Step 1 (On New SAKA)
  - Step 2 (On EOL SAKA)
  - Step 3 (On New SAKA)
  - Step 4 (On EOL SAKA)
  - Step 5 (On New SAKA)
  - Step 6 (On EOL SAKA)
  - Step 7 (On New SAKA)
  - Back
- Cleanup SAKA Disk Space
  - Cleanup Old Distributions and Files
  - Cleanup Database Tables
    - Cleanup Encryption Requests Table
    - Back
  - Back
- Using Custom SSL/TLS Certificates
  - Generating a TLS certificate with the SAN extension
  - Installing the keystore on SAKA
  - Conclusion
  - Back
- Reboot StrongKey Tellaro
  - Pre-Reboot
  - Reboot
  - Post-Reboot
  - Back
- Configure Syslog
- Back

Strongkey’s StrongAuth KeyAppliance (SAKA) is designed to be installed as a cluster with N appliances (nodes)in the cluster. A Development environment may have only a single node, while a Production environment must have a minimum of two (2) nodes. This is necessary to provide High Availability (HA) for cryptographic services to applications, and to ensure business continuity in the event of a disaster. A cluster may have more than two appliances, but two is the minimum. (If there are more than two nodes in the cluster, the third, fourth, etc. node follow the same steps as the second node).

As a result, SAKA installation follows a process where the tasks are alternated between two appliances. This chapter describes these tasks. The appliance expected to be installed first is known as the Primary SAKA, while appliances installed after the first SAKA instance are designated as Secondary SAKA in this documentation.

NOTE: Notwithstanding the designation of Primary and Secondary nodes within a SAKA 4.0 cluster, all nodes in the cluster are equal: they can receive and respond to web service requests simultaneously while replicating to each other asynchronously. While the replication latency depends on the network bandwidth between nodes of the cluster, the level of traffic on the network, and the number of transactions being processed at any given time, replication latency between nodes is generally in the order of seconds or minutes. If a node disappears from the cluster for any reason, all other nodes hold transactions for the missing node until it returns; when it does, synchronization is automatic.

When SAKA servers are delivered, the Linux operating system has already been installed with the necessary packages to operate the appliance. The operating system is partially configured; some parameters can only be configured upon connecting them to a network.

The uninstalled software components used by the SAKA application are delivered in the /usr/local/software/saka directory of each appliance.

At a high level, after choosing site-specific parameters in the forms shown in this chapter, the sequence of installation steps involves:

Installing the Primary with required software components—but not initializing the cryptographic module.
Installing the Secondary with required software components—but not initializing the cryptographic module.
Initializing the cryptographic module on the Primary.
Initializing the cryptographic module on the Secondary.
Creating a new encryption domain on the Primary, preparing the master key of the new domain for migration and testing the cryptographic web services on this appliance.
Completing the migration of the new encryption domain's master key on the Secondary and testing the cryptographic web services on this appliance.
Starting the appliance's administration console, adding service credentials for applications, configuring site-specific parameters, and running some tests.
Verifying two-way replication on the appliances.

Each SAKA ships with five (5) colored USB flash memory drives. The colored USB drives are intended to be used as described here:

Colored USB Drives and their Functions
	The Red flash drive is for use by the Key Custodian (KC) #1 for generating and storing their cryptographic keys and digital certificate. The KC1 who is also a Key Custodian, will use this credential to activate the cryptographic module on SAKA.
	The Green flash drive is for use by KC #2 for generating and storing their cryptographic keys and digital certificate. KC2 will use this credential to activate the cryptographic module on SAKA.
	The Blue flash drive is for use by KC #3 for generating and storing their cryptographic keys and digital certificate. KC3 will use this credential to activate the cryptographic module on SAKA.
	The Yellow flash drive is for use by the *Domain Administrator (DA)* for generating and storing their cryptographic keys and digital certificate. The DA will use this credential to administer SAKA.
	The Black flash drive is used optionally during the installation and configuration of SAKA instances to securely transfer the *Migration and Storage Keys (MASK)* of individual appliances to each other as a preparatory step.

NOTE: While the Production environment only needs four (4) USB flash drive tokens—Red, Green, Blue and Yellow—on a regular basis, it is recommended that the remaining flash drive tokens are used as secure backups of the primary tokens, in the event any of the primary tokens are lost/damaged. Without the tokens, the cryptographic hardware module cannot be activated; without the cryptographic hardware module, it is impossible to decrypt any cryptographic key in the appliance.