Immutable Configuration

Release Notes
- SAKA 4.13.0
- SAKA 4.12.0
- SAKA 4.11.0
- Upgrading from SAKA 4.x
- Back
Preface
- Default Paths and Filenames
- Third-Party Website References
- Strongkey Welcomes Your Comments!
- Back
KAM Introduction
Architecture
Installation
- Preliminary Steps
- Install Components (Primary)
- Install Components (Secondary)
- Define KCs (Primary)
- Verify KCs (Secondary)
- Set Personal Identification Numbers (PINs) [Primary]
- Set PINs and Complete Key Migration [Secondary]
- Create System Users [Primary]
- Create a New Encryption Domain [Primary]
- Complete Second Domain Key Migration [Secondary]
- Add System Users [Primary]
- Configure the SKCE domain [Primary]
- Replicate the CEM Domain [Secondary]
- Back
CCS Web Service Operations
- CCReturnObject
- Manufacturer Identifiers for Processing CardHolder Data (CHD)
- CCS Module GetCardCaptureData Mechanics
- CCS Module DukptEncrypt Mechanics
- CCS Module DukptDecrypt Mechanics
- CCS Module DukptMAC Mechanics
- CCS Module ReencryptPINBlock Mechanics
- Back
KAM Web Service Operations
- KAM Encryption Mechanics
- KAM Decryption Mechanics
- Notes on the Mechanics
- KAM Deletion Mechanics
- KAM Search Mechanics
- KAM Entropy Mechanics
- KAM General Purpose Key Encryption Mechanics
- KAM General Purpose Key Decryption Mechanics
- KAM Batch Operations
- KAM Relay Mechanics
- HTTPS Interface
- SOAP Interface
- Back
KMS Web Service Operations
- CCReturnObject
- CCKeyComponentType
- CCCryptographicMaterialType
- CCEncryptedAnsiX9241KeyType
- KMS Module loadKeyComponent Mechanics
- KMS Module loadBaseDerivationKey Mechanics
- KMS Module generateBaseDerivationKey Mechanics
- KMS Module generateInitialKey Mechanics
- KMS Module storeAnsiX9241Key Mechanics
- KMS Module replaceAnsiX9241Key Mechanics
- KMS Module deleteAnsiX9241Key Mechanics
- KMS Module updateAnsiX9241Key Mechanics
- Back
KAM Batch Operations
- SKLESBatchInput Element
- SKLESBatchOutput Element
- Generating the SBI XML file
- Transferring XML Files to and from the Appliance
- Submitting Batch Operations
- Back
KAM DemoClients
- Installing SAKA Clients
- sakaclient.jar Operations
- Back
KAM KCSetPINTool
- Setting KC Preferences
- Changing KC Passwords
- Setting the KC PIN on the SAKA Server
- Back
KAM DACTool
- Changing DA Passwords
- Preferences
- Systems
- Domains
- Users
- Jobs
- Configuration
- Back
KAM Key Migration Tool
- Prerequisites
- Back
KAM KMS ConsoleTool
- Loading Key Components
- Loading a BDK
- Storing ANSI X-924.1 Keys from Key Components
- Storing ANSI X-924.1 Keys from Wrapped Keys
- Back
KAM Configuration
- Immutable Configuration
- Mutable Configuration
- Sample Configuration File
- Back
KAM Key Management
- Cryptographic Hardware Modules
- Back
HSM Integration
- Building the HSM Driver
  - Rebuilding the HSM Driver
  - Back
- HSM Administration Basics
- Clearing the HSM
- Setting Up the HSM
- Backing up the HSM
- Restoring from a Backup
- HSM Battery Replacement
- Back
Managing Credentials
- KAM Credentials
- HSM Credentials
- System Credentials
- Linux strongauth
- Back
Changing Hostname and IP
- Changing the IP Address
- Changing the Hostname
- Back
Internal Repositories
- Repository Requirements
- Choosing an Online Mirror
- Internal Repository Setup
- KA Setup
- Back
Internal Repositories Rocky 9.x
- Repository Requirements
- Choosing an Online Mirror
- Internal Repository Setup
- KA Setup
- Back
Appliance Security
- Physical Security
- Operating System
- Appliance Credentials
- Back
PCI DSS 3.2
- Requirement 3: Protect Stored Cardholder Data
- Requirement 6: Develop and Maintain Secure Systems and Applications
- Back
KC Responsibilities
Add New SKCE Domain
KAM Replication
- Check Replication
- Replicate Essentials Only
- Disable Replication to Inactive Nodes
- Known Behavior
- Back
Appendices
- Adding a Data Recovery Server to a Cluster
  - Step #1 on an EXISTING server
  - Step #2 on the NEW server
  - Step #3 on the EXISTING node
  - Step #4 on the NEW node
  - Post-Installation
  - Back
- Adding an Additional Server to a Cluster
  - Step #1 on an EXISTING server
  - Step #2 on the NEW server
  - Step #3 On the EXISTING node
  - Step #4 on the NEW node
  - Back
- Application Development Guide
  - Application Design for “Card Not Present” transactions
  - Storing Encryption Domain Identifier (DID)
  - Securing Decryption Credentials
  - Cluster Communications
  - Relay Processing
  - Summary on “Card Not Present” transactions
  - Back
- Batch Delete Tokens
- CIS Hardening Verification RHEL 7.X
- CIS Hardening Verification ROCKY 9.X
- Cleanup SAKA Disk Space
  - Cleanup Old Distributions and Files
  - Cleanup Database Tables
    - Cleanup Encryption Requests Table
    - Back
  - Back
- Configure Syslog
- Create Software Keystore HSM Credential
- Installing KCSPTool and DACTool on Windows
  - Installation
  - Back
- KA Replace EOL Node
  - Prerequisites
  - Step 1 (On New SAKA)
  - Step 2 (On EOL SAKA)
  - Step 3 (On New SAKA)
  - Step 4 (On EOL SAKA)
  - Step 5 (On New SAKA)
  - Step 6 (On EOL SAKA)
  - Step 7 (On New SAKA)
  - Back
- KAM KC Replace Tool
  - Prerequisites
  - Validating Credentials
  - Recreate a set of Key Custodians
  - Create a new set of Key Custodians
  - Back
- MariaDB Audit Logging Configuration
  - Enable MariaDB Audit Logging
  - Monitoring the MariaDB for Replication anomalies
  - Disable MariaDB Audit Logging
  - The counts_v2.sql file
  - Back
- Migration Information
- Migrating from Centos to Rocky
  - Rocky Linux Kickstart USB Guide
  - Step 1: On an Existing Production Server in the Cluster
  - Step 2: On the Same Machine after Installing Rocky 9.3
  - Back
- Modifying the Appliance's IP Address or Hostname
- Reboot StrongKey Tellaro
  - Pre-Reboot
  - Reboot
  - Post-Reboot
  - Back
- Relay Webservice
  - Mechanics of the Relay
  - Deploying the service
  - Relay Webservice Client
  - HTTP interface
  - SOAP interface
  - Back
- Replace CMOS Battery
- Setting up LACP Bonding on Tellaro KA
- Strongkey Tellaro & Ransomware Protection
- Using Custom SSL/TLS Certificates
  - Generating a TLS certificate with the SAN extension
  - Installing the keystore on SAKA
  - Conclusion
  - Back
- Using a Custom Trust Store
- Using HAProxy as a Load Balancer
- Using the Key Migration Tool (KMTool)
  - Pre-requisites
  - Mechanics
  - Details
  - Back
- Test Appliance Funcationality
  - Using pingsaka script
  - Back
- Back

All properties are in the format key=value where the key is of the form strongkeylite.cfg.property.<some-property-name>.

Property	strongkeylite.cfg.maxlen.10charstring
Explanation	The size of a 10-character string within the application. As the name indicates, the string cannot be more than 10 characters.
Immutable Value	10
Property	strongkeylite.cfg.maxlen.1024charstring
Explanation	The size of a 1024-character string within the application. As the name indicates, the string cannot be more than 1024 characters.
Immutable Value	1024
Property	strongkeylite.cfg.maxlen.128charstring
Explanation	The size of a 128-character string within the application. As the name indicates, the string cannot be more than 128 characters.
Immutable Value	128
Property	strongkeylite.cfg.maxlen.12285charstring
Explanation	The size of a 12285-character string within the application. As the name indicates, the string cannot be more than 12285 characters.
Immutable Value	12285
Property	strongkeylite.cfg.maxlen.13336charstring
Explanation	The size of a 13336-character string within the application. As the name indicates, the string cannot be more than 13336 characters.
Immutable Value	13336
Property	strongkeylite.cfg.maxlen.16384charstring
Explanation	The size of a 16384-character string within the application. As the name indicates, the string cannot be more than 16384 characters.
Immutable Value	16384
Property	strongkeylite.cfg.maxlen.16charstring
Explanation	The size of a 16-character string within the application. As the name indicates, the string cannot be more than 16 characters.
Immutable Value	16
Property	strongkeylite.cfg.maxlen.17792charstring
Explanation	The size of a 17792-character string within the application. As the name indicates, the string cannot be more than 17792 characters.
Immutable Value	17792
Property	strongkeylite.cfg.maxlen.2048charstring
Explanation	The size of a 2048-character string within the application. As the name indicates, the string cannot be more than 2048 characters.
Immutable Value	2048
Property	strongkeylite.cfg.maxlen.2080charstring
Explanation	The size of a 2080-character string within the application. As the name indicates, the string cannot be more than 2080 characters.
Immutable Value	2080
Property	strongkeylite.cfg.maxlen.256charstring
Explanation	The size of a 256-character string within the application. As the name indicates, the string cannot be more than 256 characters.
Immutable Value	256
Property	strongkeylite.cfg.maxlen.32768charstring
Explanation	The size of a 32768-character string within the application. As the name indicates, the string cannot be more than 32768 characters.
Immutable Value	32768
Property	strongkeylite.cfg.maxlen.32charstring
Explanation	The size of a 32-character string within the application. As the name indicates, the string cannot be more than 32 characters.
Immutable Value	32
Property	strongkeylite.cfg.maxlen.4charstring
Explanation	The size of a 4-character string within the application. As the name indicates, the string cannot be more than 4characters.
Immutable Value	4
Property	strongkeylite.cfg.maxlen.4096charstring
Explanation	The size of a 4096-character string within the application. As the name indicates, the string cannot be more than 4096 characters.
Immutable Value	4096
Property	strongkeylite.cfg.maxlen.5charstring
Explanation	The size of a 5-character string within the application. As the name indicates, the string cannot be more than 5 characters.
Immutable Value	5
Property	strongkeylite.cfg.maxlen.512charstring
Explanation	The size of a 512-character string within the application. As the name indicates, the string cannot be more than 512 characters.
Immutable Value	512
Property	strongkeylite.cfg.maxlen.6charstring
Explanation	The size of a 6-character string within the application. As the name indicates, the string cannot be more than 6 characters.
Immutable Value	6
Property	strongkeylite.cfg.maxlen.64charstring
Explanation	The size of a 64-character string within the application. As the name indicates, the string cannot be more than 64 characters.
Immutable Value	64
Property	strongkeylite.cfg.maxlen.65535charstring
Explanation	The size of a 65535-character string within the application. As the name indicates, the string cannot be more than 65535 characters.
Immutable Value	65535
Property	strongkeylite.cfg.maxlen.7charstring
Explanation	The size of a 7-character string within the application. As the name indicates, the string cannot be more than 7 characters.
Immutable Value	7
Property	strongkeylite.cfg.maxlen.8charstring
Explanation	The size of an 8-character string within the application. As the name indicates, the string cannot be more than 8 characters.
Immutable Value	8
Property	strongkeylite.cfg.maxlen.8192charstring
Explanation	The size of an 8192-character string within the application. As the name indicates, the string cannot be more than 8192 characters.
Immutable Value	8192
Property	strongkeylite.cfg.maxlen.9charstring
Explanation	The size of a 9-character string within the application. As the name indicates, the string cannot be more than 9 characters.
Immutable Value	9
Property	strongkeylite.cfg.property.admincertdnprefixsigning
Explanation	The prefix of the DN of the signing digital certificate issued to the DA. The unique domain identifier of the encryption domain is appended to this prefix during the creation of the certificate. The DA's signing certificate is used by the SAKA DACTool application to authenticate the DA to the SAKA server for administrative actions.
Immutable Value	CN=SAKA Domain Administrator Signing Certificate, OU=Domain ID
Property	strongkeylite.cfg.property.batchrequests.rootdir
Explanation	All batch jobs must transfer their files to the appliance (using SFTP, SMB or NFS, etc.) before the web service request for the transaction may be sent to the appliance. This configuration property identifies the root directory of all subdirectories where each encryption domain will transfer XML files in and out, before and after the cryptographic batch job is executed. The default location is `/usr/local/strongauth/batchrequests`.
Immutable Value	/usr/local/strongauth/batchrequests
Property	strongkeylite.cfg.property.domaincertdnprefixencryption
Explanation	The prefix of the DN of the encryption digital certificate issued to the encryption domain. The unique domain identifier of the encryption domain is appended to this prefix during the creation of this certificate. The SAKA domain's encryption certificate keys are used to protect all symmetric keys within the domain.
Immutable Value	CN=SAKA Encryption Certificate, OU=Domain ID
Property	strongkeylite.cfg.property.domaincertdnprefixsigning
Explanation	The prefix of the DN of the signing digital certificate issued to the encryption domain. The unique domain identifier of the encryption domain is appended to this prefix during the creation of this certificate. The SAKA domain's signing certificate keys are used to sign all digital certificates issued by this encryption domain. In that sense, this signing key's certificate represents a “mini” Certificate Authority (CA) whose sole purpose is to issue certificates to resources within its encryption domain. This CA cannot be used for purposes outside SAKA.
Immutable Value	CN=SAKA Signing Certificate, OU=Domain ID
Property	strongkeylite.cfg.property.enckeyalgorithm
Explanation	The cryptographic algorithm used by the SAKA to perform symmetric encryption and decryption of sensitive data. The only algorithm currently supported by the SAKA is the Advanced Encryption Standard, or AES.
Immutable Value	AES
Property	strongkeylite.cfg.property.encprefix
Explanation	The prefix used to distinguish between cryptographic keys within an encryption domain. SAKA uses three types of symmetric keys: 1) for encryption; 2) for generating Hashed Message Authentication Codes (HMAC) of plaintext sensitive data; and 3) for generating HMACs of user passwords in the SAKA internal database. Each of these keys are labeled with a key prefix so they may be uniquely identified for their purpose.
Immutable Value	ENC-
Property	strongkeylite.cfg.property.encsuffix
Explanation	The suffix used to map keys within internal data-structures of the SAKA application.
Immutable Value	-ENC
Property	strongkeylite.cfg.property.hmacprefix
Explanation	The prefix used to distinguish cryptographic HMAC keys within an encryption domain. SAKA uses three types of symmetric keys: 1) for encryption; 2) for generating HMACs of plaintext sensitive data; and 3) for generating HMACs of user passwords in the SAKA internal database. Each of these keys are labeled with a key prefix so they may be uniquely identified for their purpose.
Immutable Value	HMAC-
Property	strongkeylite.cfg.property.jdbc.dbdriver
Explanation	The name of the Java Database Connectivity (JDBC) driver used by the key rotation modules to communicate with the database directly. While most of the SAKA uses Java Persistence API (JPA) to communicate with the database, the Rotate HMAC Keys and the Rotate Symmetric Keys jobs use JDBC to dramatically improve performance and minimize memory consumption.
Immutable Value	com.mysql.jdbc.Driver
Property	strongkeylite.cfg.property.jdbc.jndiname
Explanation	The Java Naming and Directory Interface (JNDI) name for the resource to access the MariaDB database.
Immutable Value	jdbc/strongkeylite
Property	strongkeylite.cfg.property.keyduration.hmac
Explanation	Cryptographic keys used by the web service application are changed frequently, based on the policy defined in this property. The policy for the HMAC key is to use a new key every year (annual).
Immutable Value	annual
Property	strongkeylite.cfg.property.keyduration.pwd
Explanation	Cryptographic keys used by the web service application are changed frequently, based on the policy defined in this property. The policy for the PWD key is to use a new key every year (annual).
Immutable Value	annual
Property	strongkeylite.cfg.property.keyuse.annualformat
Explanation	The suffix used to label cryptographic keys when symmetric cryptographic keys are used for an entire calendar year. This property value is concatenated with the key's prefix property to derive the unique label of a cryptographic key. For instance, an encryption key, used annually would have the label ENC-2010 in the calendar year 2010, while another symmetric key would have the label ENC-2011 in 2011. An HMAC key in 2010 would have the label HMAC-2010, etc.
Immutable Value	yyyy
Property	strongkeylite.cfg.property.keyuse.dailyformat
Explanation	The suffix used to label cryptographic keys when symmetric cryptographic keys are used for 24 hours. This property value is concatenated with the key's prefix property to derive the unique label of a cryptographic key. For instance, an encryption key, generated and used on the 1^st day of January in 2010 would have the label ENC-01-JAN-2010, while a key generated and used on the 3^rd day of March in 2010, would have the label ENC-03-MAR-2010. HMAC keys for the same dates would have the labels HMAC-01-JAN-2010 and HMAC-03-MAR-2010 respectively.
Immutable Value	dd-MMM-yyyy
Property	strongkeylite.cfg.property.keyuse.monthlyformat
Explanation	The suffix used to label cryptographic keys when symmetric cryptographic keys are used for one calendar month. This property value is concatenated with the key's prefix property to derive the unique label of a cryptographic key. For instance, an encryption key, used for the month of January in 2010 would have the label ENC-JAN-2010, while an HMAC key would have the label HMAC-JAN-2010.
Immutable Value	MMM-yyyy
Property	strongkeylite.cfg.property.keyuse.weeklyformat
Explanation	The suffix used to label cryptographic keys when symmetric cryptographic keys are used for one week, starting from the second past midnight on a Sunday (Universal Coordinated Time) through the last second of the Saturday the same week. Since weeks do not have names, the week is indicated by the numeric value of the week—the first week of a year is 1, while the last week of the calendar year would be 52. This property value is concatenated with the prefix property to arrive at the unique label of a cryptographic key. For instance, an encryption key, generated and used on January 5^th, 2010 would have the label ENC-1-2010, while an HMAC key would have the label HMAC-1-2010.
Immutable Value	w-yyyy
Property	strongkeylite.cfg.property.ldapctxfactory
Explanation	The Java class used to create a Lightweight Directory Access Protocol (LDAP) context for querying an LDAP-based Directory server.
Immutable Value	com.sun.jndi.ldap.LdapCtxFactory
Property	strongkeylite.cfg.property.noncesigningalgorithmhsm
Explanation	The cryptographic algorithm used by application tools to digitally sign nonces for authentication, when an HSM is used as the cryptographic hardware module in the SAKA server.
Immutable Value	SHA256withECDSA
Property	strongkeylite.cfg.property.pwdprefix
Explanation	The prefix used to distinguish cryptographic HMAC keys used for generating HMACs of user passwords, within an encryption domain. SAKA uses three types of symmetric keys: 1) for encryption; 2) for generating HMACs of plaintext sensitive data; and 3) for generating HMACs of user passwords in the SAKA internal database. Each of these keys are labeled with a key prefix so they may be uniquely identified for their purpose.
Immutable Value	PWD-
Property	strongkeylite.cfg.property.sklesxsdnsurl
Explanation	SAKA converts XML files to Java objects and vice-versa. This URL defines the current XML Schema Definition (XSD) in use by the appliance. The current URL for this version of SAKA is: http://strongkeylite.strongauth.com/SKLES201009
Immutable Value	http://strongkeylite.strongauth.com/SKLES201009
Property	strongkeylite.cfg.property.strongkeylitehome
Explanation	The location on the SAKA file system where SAKA software components are installed.
Immutable Value	/usr/local/strongauth/strongkeylite