Domains

Release Notes
- SAKA 4.12.0
- SAKA 4.11.0
- Back
Preface
- Default Paths and Filenames
- Third-Party Website References
- Strongkey Welcomes Your Comments!
- Back
KAM Introduction
Architecture
Installation
- Preliminary Steps
- Install Components (Primary)
- Install Components (Secondary)
- Define KCs (Primary)
- Verify KCs (Secondary)
- Set Personal Identification Numbers (PINs) [Primary]
- Set PINs and Complete Key Migration [Secondary]
- Create System Users [Primary]
- Create a New Encryption Domain [Primary]
- Complete Second Domain Key Migration [Secondary]
- Add System Users [Primary]
- Configure the SKCE domain [Primary]
- Replicate the CEM Domain [Secondary]
- Back
CCS Web Service Operations
- CCReturnObject
- Manufacturer Identifiers for Processing CardHolder Data (CHD)
- CCS Module GetCardCaptureData Mechanics
- CCS Module DukptEncrypt Mechanics
- CCS Module DukptDecrypt Mechanics
- CCS Module DukptMAC Mechanics
- CCS Module ReencryptPINBlock Mechanics
- Back
KAM Web Service Operations
- KAM Encryption Mechanics
- KAM Decryption Mechanics
- Notes on the Mechanics
- KAM Deletion Mechanics
- KAM Search Mechanics
- KAM Entropy Mechanics
- KAM General Purpose Key Encryption Mechanics
- KAM General Purpose Key Decryption Mechanics
- KAM Batch Operations
- KAM Relay Mechanics
- HTTPS Interface
- SOAP Interface
- Back
KMS Web Service Operations
- CCReturnObject
- CCKeyComponentType
- CCCryptographicMaterialType
- CCEncryptedAnsiX9241KeyType
- KMS Module loadKeyComponent Mechanics
- KMS Module loadBaseDerivationKey Mechanics
- KMS Module generateBaseDerivationKey Mechanics
- KMS Module generateInitialKey Mechanics
- KMS Module storeAnsiX9241Key Mechanics
- KMS Module replaceAnsiX9241Key Mechanics
- KMS Module deleteAnsiX9241Key Mechanics
- KMS Module updateAnsiX9241Key Mechanics
- Back
KAM Batch Operations
- SKLESBatchInput Element
- SKLESBatchOutput Element
- Generating the SBI XML file
- Transferring XML Files to and from the Appliance
- Submitting Batch Operations
- Back
KAM DemoClients
- Installing SAKA Clients
- sakaclient.jar Operations
- Back
KAM KCSetPINTool
- Setting KC Preferences
- Changing KC Passwords
- Setting the KC PIN on the SAKA Server
- Back
KAM DACTool
- Changing DA Passwords
- Preferences
- Systems
- Domains
- Users
- Jobs
- Configuration
- Back
KAM Key Migration Tool
- Prerequisites
- Back
KAM KMS ConsoleTool
- Loading Key Components
- Loading a BDK
- Storing ANSI X-924.1 Keys from Key Components
- Storing ANSI X-924.1 Keys from Wrapped Keys
- Back
KAM Configuration
- Immutable Configuration
- Mutable Configuration
- Sample Configuration File
- Back
KAM Key Management
- Cryptographic Hardware Modules
- Back
HSM Integration
- Building the HSM Driver
  - Rebuilding the HSM Driver
  - Back
- HSM Administration Basics
- Clearing the HSM
- Setting Up the HSM
- Backing up the HSM
- Restoring from a Backup
- Back
Managing Credentials
- KAM Credentials
- HSM Credentials
- System Credentials
- Linux strongauth
- Back
Changing Hostname and IP
- Changing the IP Address
- service iptables restart
- Changing the Hostname
- Back
Internal Repositories
- Repository Requirements
- Choosing an Online Mirror
- Internal Repository Setup
- KA Setup
- Back
Appliance Security
- Physical Security
- Operating System
- Appliance Credentials
- Back
PCI DSS 3.2
- Requirement 3: Protect Stored Cardholder Data
- Requirement 6: Develop and Maintain Secure Systems and Applications
- Back
KC Responsibilities
Add New SKCE Domain
KAM Replication
- Replicate Essentials Only
- Back
Appendices
- Using a Custom Trust Store
- Using the Key Migration Tool (KMTool)
  - Pre-requisites
  - Mechanics
  - Details
  - Back
- Modifying the Appliance's IP Address or Hostname
- Relay Webservice
  - Mechanics of the Relay
  - Deploying the service
  - Relay Webservice Client
  - HTTP interface
  - SOAP interface
  - Back
- Installing KCSPTool and DACTool on Windows
  - Installation
  - Back
- KAM KC Replace Tool
  - Prerequisites
  - Validating Credentials
  - Recreate a set of Key Custodians
  - Create a new set of Key Custodians
  - Back
- Migration Information
- Using HAProxy as a Load Balancer
- MariaDB Audit Logging Configuration
  - Enable MariaDB Audit Logging
  - Monitoring the MariaDB for Replication anomalies
  - Disable MariaDB Audit Logging
  - The counts_v2.sql file
  - Back
- Application Development Guide
  - Application Design for “Card Not Present” transactions
  - Storing Encryption Domain Identifier (DID)
  - Securing Decryption Credentials
  - Cluster Communications
  - Relay Processing
  - Summary on “Card Not Present” transactions
  - Back
- Setting up LACP Bonding on Tellaro KA
- Strongkey Tellaro & Ransomware Protection
- Adding an Additional Server to a Cluster
  - Step #1 on an EXISTING server
  - Step #2 on the NEW server
  - Step #3 On the EXISTING node
  - Step #4 on the NEW node
  - Back
- Adding a Data Recovery Server to a Cluster
  - Step #1 on an EXISTING server
  - Step #2 on the NEW server
  - Step #3 on the EXISTING node
  - Step #4 on the NEW node
  - Post-Installation
  - Back
- Batch Delete Tokens
- CIS Hardening Verification RHEL 7.X
- CIS Hardening Verification ROCKY 9.X
- Migrating from Centos to Rocky
  - Rocky Linux Kickstart USB Guide
  - Step 1: On an Existing Production Server in the Cluster
  - Step 2: On the Same Machine after Installing Rocky 9.2
  - Back
- KA Replace EOL Node
  - Prerequisites
  - Step 1 (On New SAKA)
  - Step 2 (On EOL SAKA)
  - Step 3 (On New SAKA)
  - Step 4 (On EOL SAKA)
  - Step 5 (On New SAKA)
  - Step 6 (On EOL SAKA)
  - Step 7 (On New SAKA)
  - Back
- Cleanup SAKA Disk Space
  - Cleanup Old Distributions and Files
  - Cleanup Database Tables
    - Cleanup Encryption Requests Table
    - Back
  - Back
- Using Custom SSL/TLS Certificates
  - Generating a TLS certificate with the SAN extension
  - Installing the keystore on SAKA
  - Conclusion
  - Back
- Reboot StrongKey Tellaro
  - Pre-Reboot
  - Reboot
  - Post-Reboot
  - Back
- Configure Syslog
- Back

All cryptographic services performed by the SAKA servers are organized by SAKA encryption domains (SED). An SED is a logical entity that has a unique identifier, a name, its own key management policies, keys, users, and data. SAKA can host as many SEDs as the machine's physical capacity permits (it can theoretically manage (2⁶⁴‒1) encryption domains—but practically, most appliances will have just a few encryption domains on them—service providers that perform payment services, etc. may have a few hundred or even thousands of domains—one per customer).

When SAKA is newly installed, there is only one SED created on the machine as part of the installation process. This SED has a domain identifier (DID) value of 1. Most sites are likely to have just this one SED on the machine, and as such, the default values in the DA Preferences panel and the Domains panel are appropriate.

Click the Domains icon or Domains → View Domain on the menu. The following displays:

The Retrieve an encryption domain's information panel displays two fields—neither of which are modifiable—and two buttons:

Currently connected to SAKA	The URL of the SAKA server to which DACTool is currently connected. This field remains blank if there is no current connection.
Retrieve Encryption Domain	The unique identifier of the encryption domain to which DACTool is currently connected. This field remains blank if there is no current connection.
Cancel	Cancels the operation and return you to the Home panel.
Retrieve	Retrieves information about the encryption domain and provides an opportunity to view and edit information about it.

If the fields on this panel are not blank, upon selecting the Retrieve button, after a few seconds, a panel like the following is displayed (your domain information will differ):

NOTE: The blue buttons at left are used to dynamically restart the replication services which normally would require a full application restart to accomplish. Replication services consist of several ports and threads; this includes the Acknowledger thread (for receiving replication acknowledgment messages), the BackLog Proccessor (for re-sending old/stale replication objects if they are not acknowledged after a certain period after the replication record was created), the Publisher (for broadcasting replication messages the first time after they are created), and the Subscriber (for listening for incoming replication messages). Restart Replication restarts all the above-mentioned sub services at once.

View or make adjustments to the fields, which are defined here:

Currently connected to SAKA	The URL of the SAKA instance to which DACTool is currently connected.
Domain identifier	The unique identifier of the encryption domain to which DACTool is currently connected. This value can never be modified.
Domain's name	The “friendly” name of the encryption domain. This name can only be established when the domain is first created and never modified.
Domain's current status	The current status of this encryption domain: Active—Indicating the domain provides all cryptographic services to authorized clients. Inactive—Indicating the domain does NOT provide any encryption or decryption services to clients. However, a DA can perform all administrative actions on an inactive domain since administrative services always remain active on the domain. Other—Indicating that the domain does NOT provide any cryptographic services, but has a status different from Inactive, the meaning of which is site-specific. By default, it functions identically to Inactive status. Domain status can be modified by business and security policies.
TPM UUID of encryption key	For SAKA servers using the TPM cryptographic module, this field displays the universally unique identifier of the key object representing the EC encryption keys of this domain. This key object encrypts all symmetric encryption keys of this encryption domain. This value can never be modified.
TPM UUID of signing key	For SAKAs that use the TPM cryptographic module, this field will display the universally unique identifier of the key object that represents the EC signing keys of this domain. This key is used to digitally sign the digital certificates of the Domain Administrators of this domain. This value can never be modified.
Notes (if any)	User-defined comments with a maximum length of 512 alphanumeric characters.
Cancel	Cancels the operation and returns to the Home panel.
Reset	Resets all values to those retrieved from the database, as long as modifications since then have not been saved. Once saved, the saved values will become the new originals.
Save	This button is disabled by default, but if any modifiable values are changed on the screen, the button becomes enabled. Selecting it saves modified values to the database.

Click Save if any changes were made.