KA Setup

Release Notes
- SAKA 4.13.0
- SAKA 4.12.0
- SAKA 4.11.0
- Upgrading from SAKA 4.x
- Back
Preface
- Default Paths and Filenames
- Third-Party Website References
- Strongkey Welcomes Your Comments!
- Back
KAM Introduction
Architecture
Installation
- Preliminary Steps
- Install Components (Primary)
- Install Components (Secondary)
- Define KCs (Primary)
- Verify KCs (Secondary)
- Set Personal Identification Numbers (PINs) [Primary]
- Set PINs and Complete Key Migration [Secondary]
- Create System Users [Primary]
- Create a New Encryption Domain [Primary]
- Complete Second Domain Key Migration [Secondary]
- Add System Users [Primary]
- Configure the SKCE domain [Primary]
- Replicate the CEM Domain [Secondary]
- Back
CCS Web Service Operations
- CCReturnObject
- Manufacturer Identifiers for Processing CardHolder Data (CHD)
- CCS Module GetCardCaptureData Mechanics
- CCS Module DukptEncrypt Mechanics
- CCS Module DukptDecrypt Mechanics
- CCS Module DukptMAC Mechanics
- CCS Module ReencryptPINBlock Mechanics
- Back
KAM Web Service Operations
- KAM Encryption Mechanics
- KAM Decryption Mechanics
- Notes on the Mechanics
- KAM Deletion Mechanics
- KAM Search Mechanics
- KAM Entropy Mechanics
- KAM General Purpose Key Encryption Mechanics
- KAM General Purpose Key Decryption Mechanics
- KAM Batch Operations
- KAM Relay Mechanics
- HTTPS Interface
- SOAP Interface
- Back
KMS Web Service Operations
- CCReturnObject
- CCKeyComponentType
- CCCryptographicMaterialType
- CCEncryptedAnsiX9241KeyType
- KMS Module loadKeyComponent Mechanics
- KMS Module loadBaseDerivationKey Mechanics
- KMS Module generateBaseDerivationKey Mechanics
- KMS Module generateInitialKey Mechanics
- KMS Module storeAnsiX9241Key Mechanics
- KMS Module replaceAnsiX9241Key Mechanics
- KMS Module deleteAnsiX9241Key Mechanics
- KMS Module updateAnsiX9241Key Mechanics
- Back
KAM Batch Operations
- SKLESBatchInput Element
- SKLESBatchOutput Element
- Generating the SBI XML file
- Transferring XML Files to and from the Appliance
- Submitting Batch Operations
- Back
KAM DemoClients
- Installing SAKA Clients
- sakaclient.jar Operations
- Back
KAM KCSetPINTool
- Setting KC Preferences
- Changing KC Passwords
- Setting the KC PIN on the SAKA Server
- Back
KAM DACTool
- Changing DA Passwords
- Preferences
- Systems
- Domains
- Users
- Jobs
- Configuration
- Back
KAM Key Migration Tool
- Prerequisites
- Back
KAM KMS ConsoleTool
- Loading Key Components
- Loading a BDK
- Storing ANSI X-924.1 Keys from Key Components
- Storing ANSI X-924.1 Keys from Wrapped Keys
- Back
KAM Configuration
- Immutable Configuration
- Mutable Configuration
- Sample Configuration File
- Back
KAM Key Management
- Cryptographic Hardware Modules
- Back
HSM Integration
- Building the HSM Driver
  - Rebuilding the HSM Driver
  - Back
- HSM Administration Basics
- Clearing the HSM
- Setting Up the HSM
- Backing up the HSM
- Restoring from a Backup
- HSM Battery Replacement
- Back
Managing Credentials
- KAM Credentials
- HSM Credentials
- System Credentials
- Linux strongauth
- Back
Changing Hostname and IP
- Changing the IP Address
- Changing the Hostname
- Back
Internal Repositories
- Repository Requirements
- Choosing an Online Mirror
- Internal Repository Setup
- KA Setup
- Back
Internal Repositories Rocky 9.x
- Repository Requirements
- Choosing an Online Mirror
- Internal Repository Setup
- KA Setup
- Back
Appliance Security
- Physical Security
- Operating System
- Appliance Credentials
- Back
PCI DSS 3.2
- Requirement 3: Protect Stored Cardholder Data
- Requirement 6: Develop and Maintain Secure Systems and Applications
- Back
KC Responsibilities
Add New SKCE Domain
KAM Replication
- Check Replication
- Replicate Essentials Only
- Disable Replication to Inactive Nodes
- Known Behavior
- Back
Appendices
- Adding a Data Recovery Server to a Cluster
  - Step #1 on an EXISTING server
  - Step #2 on the NEW server
  - Step #3 on the EXISTING node
  - Step #4 on the NEW node
  - Post-Installation
  - Back
- Adding an Additional Server to a Cluster
  - Step #1 on an EXISTING server
  - Step #2 on the NEW server
  - Step #3 On the EXISTING node
  - Step #4 on the NEW node
  - Back
- Application Development Guide
  - Application Design for “Card Not Present” transactions
  - Storing Encryption Domain Identifier (DID)
  - Securing Decryption Credentials
  - Cluster Communications
  - Relay Processing
  - Summary on “Card Not Present” transactions
  - Back
- Batch Delete Tokens
- CIS Hardening Verification RHEL 7.X
- CIS Hardening Verification ROCKY 9.X
- Cleanup SAKA Disk Space
  - Cleanup Old Distributions and Files
  - Cleanup Database Tables
    - Cleanup Encryption Requests Table
    - Back
  - Back
- Configure Syslog
- Create Software Keystore HSM Credential
- Installing KCSPTool and DACTool on Windows
  - Installation
  - Back
- KA Replace EOL Node
  - Prerequisites
  - Step 1 (On New SAKA)
  - Step 2 (On EOL SAKA)
  - Step 3 (On New SAKA)
  - Step 4 (On EOL SAKA)
  - Step 5 (On New SAKA)
  - Step 6 (On EOL SAKA)
  - Step 7 (On New SAKA)
  - Back
- KAM KC Replace Tool
  - Prerequisites
  - Validating Credentials
  - Recreate a set of Key Custodians
  - Create a new set of Key Custodians
  - Back
- MariaDB Audit Logging Configuration
  - Enable MariaDB Audit Logging
  - Monitoring the MariaDB for Replication anomalies
  - Disable MariaDB Audit Logging
  - The counts_v2.sql file
  - Back
- Migration Information
- Migrating from Centos to Rocky
  - Rocky Linux Kickstart USB Guide
  - Step 1: On an Existing Production Server in the Cluster
  - Step 2: On the Same Machine after Installing Rocky 9.3
  - Back
- Modifying the Appliance's IP Address or Hostname
- Reboot StrongKey Tellaro
  - Pre-Reboot
  - Reboot
  - Post-Reboot
  - Back
- Relay Webservice
  - Mechanics of the Relay
  - Deploying the service
  - Relay Webservice Client
  - HTTP interface
  - SOAP interface
  - Back
- Replace CMOS Battery
- Setting up LACP Bonding on Tellaro KA
- Strongkey Tellaro & Ransomware Protection
- Using Custom SSL/TLS Certificates
  - Generating a TLS certificate with the SAN extension
  - Installing the keystore on SAKA
  - Conclusion
  - Back
- Using a Custom Trust Store
- Using HAProxy as a Load Balancer
- Using the Key Migration Tool (KMTool)
  - Pre-requisites
  - Mechanics
  - Details
  - Back
- Test Appliance Funcationality
  - Using pingsaka script
  - Back
- Back

Once the internal repository is setup, configure each SAKA server to communicate with the internal repository for updates. On each SAKA server, follow these steps:

Login to this SAKA as the root user through SSH or the console.
Change directory to the yum repos folder:
```
shell>cd /etc/yum.repos.d
```

Modify the default repository configuration to disable the default repo. Edit rocky.repo and add the lines highlighted:

# rocky.repo
#
# The mirrorlist system uses the connecting IP address of the client and the
# update status of each mirror to pick current mirrors that are geographically
# close to the client.  You should use this for Rocky updates unless you are
# manually picking other mirrors.
#
# If the mirrorlist does not work for you, you can try the commented out
# baseurl line instead.

[baseos]
name=Rocky Linux $releasever - BaseOS
mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=BaseOS-$releasever$rltype
#baseurl=http://dl.rockylinux.org/$contentdir/$releasever/BaseOS/$basearch/os/
gpgcheck=1
enabled=0
countme=1
metadata_expire=6h
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-9

[baseos-debug]
name=Rocky Linux $releasever - BaseOS - Debug
mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=BaseOS-$releasever-debug$rltype
#baseurl=http://dl.rockylinux.org/$contentdir/$releasever/BaseOS/$basearch/debug/tree/
gpgcheck=1
enabled=0
metadata_expire=6h
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-9

[baseos-source]
name=Rocky Linux $releasever - BaseOS - Source
mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=source&repo=BaseOS-$releasever-source$rltype
#baseurl=http://dl.rockylinux.org/$contentdir/$releasever/BaseOS/source/tree/
gpgcheck=1
enabled=0
metadata_expire=6h
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-9

[appstream]
name=Rocky Linux $releasever - AppStream
mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=AppStream-$releasever$rltype
#baseurl=http://dl.rockylinux.org/$contentdir/$releasever/AppStream/$basearch/os/
gpgcheck=1
enabled=0
countme=1
metadata_expire=6h
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-9

[appstream-debug]
name=Rocky Linux $releasever - AppStream - Debug
mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=AppStream-$releasever-debug$rltype
#baseurl=http://dl.rockylinux.org/$contentdir/$releasever/AppStream/$basearch/debug/tree/
gpgcheck=1
enabled=0
metadata_expire=6h
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-9

Modify the extra repository configuration to disable the default repo. Edit rocky-extras.repo and add the lines highlighted:

# rocky-extras.repo
#
# The mirrorlist system uses the connecting IP address of the client and the
# update status of each mirror to pick current mirrors that are geographically
# close to the client.  You should use this for Rocky updates unless you are
# manually picking other mirrors.
#
# If the mirrorlist does not work for you, you can try the commented out
# baseurl line instead.

[extras]
name=Rocky Linux $releasever - Extras
mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=extras-$releasever$rltype
#baseurl=http://dl.rockylinux.org/$contentdir/$releasever/extras/$basearch/os/
gpgcheck=1
enabled=0
countme=1
metadata_expire=6h
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-9

[extras-debug]
name=Rocky Linux $releasever - Extras Debug
mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=extras-$releasever-debug$rltype
#baseurl=http://dl.rockylinux.org/$contentdir/$releasever/extras/$basearch/debug/tree/
gpgcheck=1
enabled=0
metadata_expire=6h
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-9

Create a new file called internal.repo. This file will host the configurations for the internal repository. Create the file as follows, replacing <internal-repo> with the FQDN of your internal repository:

[internal-base]
name=Internal Rocky-$releasever - Base
baseurl=http://<internal-repo>/rocky/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-9

[internal-appstream]
name=Internal Rocky-$releasever - AppStream
baseurl=http://<internal-repo>/rocky/$releasever/appstream/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-9

[internal-extras]
name=Internal Rocky-$releasever - Extras
baseurl=http://<internal-repo>/rocky/$releasever/extras/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-9

Clear the yum cache with the following command:
```
shell> dnf clean all
```
Check whether SAKA is configured properly and if it can connect to the internal repository by running the following command:
```
shell> dnf repolist
```
If everything is working correctly, the command returns output similar to the following:
```
repo id                       repo name
internal-base                 Internal Rocky-9 - Base                                                                            
internal-updates              Internal Rocky-9 – AppStream
internal-updates              Internal Rocky-9 – Extras
```
A PYCURL ERROR indicates SAKA could not connect to the internal repository. Check that there are no routing issues or firewall issues and try again.

Now SAKA is configured to receive updates through the internal repository. Update this SAKA through the command dnf update.

Remember that before making any updates to production appliances, make updates to your development/test appliance first. As part of the regression process, try restarting the development/test appliance and run any regression tests to confirm sane operations after the restart. A regression on the development/test appliance is absolutely required before updating production appliances.