KeyNexus OpenStack Guide v1.2
09/2018
Copyright Notice
Copyright 2018 KeyNexus Inc. All rights reserved.
Information in this document is subject to change without notice. The software described in
this document is furnished under a license agreement or nondisclosure agreement. No part
of this publication may be reproduced, stored in a retrieval system, or transmitted in any form
or any means electronic or mechanical, including photocopying and recording for any
purpose other than the purchaser's personal use without written permission
Table of Contents
Introduction ................................................................................................................................ 5
System Requirements ............................................................................................................ 5
Hardware Requirements ..................................................................................................... 5
Software Requirements ....................................................................................................... 5
Port Configuration .................................................................................................................. 6
KeyNexus Ports .................................................................................................................. 6
Internode Communication ................................................................................................... 6
Section 1 Deploy KeyNexus VMDK File on OpenStack .............................................................. 7
Section 2 KeyNexus Initialization and Activation .......................................................................11
Cluster Node Initialization ..................................................................................................11
Cluster Nodes ....................................................................................................................13
Section 3 KeyNexus Configuration ............................................................................................16
Account Login page ...............................................................................................................16
Dashboard .............................................................................................................................17
Groups ..................................................................................................................................18
Add a group .......................................................................................................................18
Delete a group ...................................................................................................................19
View Users in a Group .......................................................................................................19
Search for a Group ............................................................................................................20
Keys ......................................................................................................................................20
Add a new key ...................................................................................................................20
Import Custom Keys ..........................................................................................................23
Key Details .........................................................................................................................25
Key Rotation ......................................................................................................................26
Add Batch Keys through the API ........................................................................................31
Users .....................................................................................................................................33
Create a New User ............................................................................................................33
Authentication Certificate ...................................................................................................35
Delete a User .....................................................................................................................37
Administration ........................................................................................................................37
Company info .....................................................................................................................38
Corporate Sign-in ...............................................................................................................38
User Guide KeyNexus OpenStack Guide
Page 4 of 48 KeyNexus
Cluster ...............................................................................................................................39
JWT ...................................................................................................................................40
Logging ..............................................................................................................................41
Backup ...............................................................................................................................43
Support ..................................................................................................................................43
Release Notes ...................................................................................................................43
KeyNexus Key Management REST API .............................................................................43
Support Desk .....................................................................................................................44
Changes to Account ..............................................................................................................44
KMIP .....................................................................................................................................47
Introduction
A Key Management Service provides you with the means to create, apply and manage
encryption keys from a single location.
Rather than using multiple encryption solutions to manage your keys, a Unified Key Manager
(UKM) such as KeyNexus can manage all the keys used by your organization on all platforms
and environments, resulting in reduced implementation times, resource allocation and usage,
and providing better protection of your sensitive data.
This document provides information relating to the deployment of KeyNexus on the OpenStack
platform, as well as the various aspects of the KeyNexus installation, activation and
configuration process.
Section 1 Provides information and instruction relating to the deployment of the KeyNexus VM
on several popular virtual machine platforms.
Section 2 Provides information and instruction relating to the node initialization, cluster
configuration and activation of your KeyNexus implementation.
Section 3 Provides information and instruction relating to the function and configuration of the
various KeyNexus features.
The OpenStack Guide v1.2 supports KeyNexus version 1.10.
System Requirements
Hardware Requirements
Hardware   Requirement
Processor  Recommended: Intel quad core or higher
Memory     Minimum: 6 GB RAM; Recommended: 16 GB RAM
Storage    Minimum: 20 GB HDD; Recommended: 40 GB HDD
Note: The VMDK deployment steps in Section 1 state an 8 GB minimum for the instance (steps 13
and 21), so allocate at least 8 GB of memory when choosing an OpenStack flavor.
Software Requirements
When deploying on the OpenStack platform, KeyNexus is provided as a VMDK file. Refer to
https://www.openstack.org to ensure your system meets the platform requirements. As long as
your system software meets the necessary requirements to run your virtual machine platform
and meets the KeyNexus hardware requirements, KeyNexus will perform as described.
Supported Browsers
KeyNexus has been tested and is supported on the following browsers:
• Google Chrome Version 62.0.3202.94 (64-bit)
• Safari Version 11.0.1 (12604.3.5.1.1)
• Microsoft Edge Version 41.16299.15.0 (EdgeHTML 16.16299)
• Firefox Version 54.0.1 (64-bit)
• Microsoft Internet Explorer 11 Version 11.64.16299.0
Note: If you are using a browser version different from the ones shown here, your experience
might be different.
Port Configuration
Before you begin initializing and configuring KeyNexus, confirm that the ports KeyNexus
requires are open. If they are not, you cannot access the KeyNexus client or successfully modify
a KeyNexus cluster. Open these ports only to the networks that need them: the activator and
portal ports to administrator networks, and the internode ports to the other cluster nodes,
rather than to any source address.
KeyNexus Ports
In order to access the KeyNexus Subscription Activator and the KeyNexus client, there are
several ports that must be open. Make sure these ports are open in your firewall using the
protocol indicated.
• port 8443 (TCP)
• port 1443 (TCP)
• port 443 (TCP)
• port 5696 (TCP)
Internode Communication
When configuring KeyNexus to operate as a cluster, the following ports must be open between
the nodes that make up the cluster, using the protocol indicated. Restrict them to the cluster
nodes' own addresses; they carry cluster management traffic and do not need to be reachable
from clients.
• port 8443 (TCP)
• port 2377 (TCP)
• port 7946 (TCP and UDP)
• port 4789 (UDP)
• port 50 (TCP)
Note: If your firewall will not accept a rule for TCP port 50, check with your KeyNexus
representative whether this entry refers to IP protocol 50 (ESP), which is a protocol number
rather than a TCP port and is configured as a protocol rule.
Section 1 Deploy KeyNexus VMDK File on OpenStack
OpenStack® is an open source IaaS cloud operating system that allows an application to be
deployed as a virtual machine. Because KeyNexus is provided as a Virtual Machine Disk (VMDK),
it can be imported and run on the OpenStack platform.
It is assumed you have OpenStack installed on your system. For information regarding
downloading and installing OpenStack, visit https://www.openstack.org.
1. Download the KeyNexus Virtual Machine Disk (VMDK) file from your KeyNexus Service
Representative. If a checksum or signature is supplied with the file, verify it before
importing the image.
Note: The VMDK file is quite large and can take some time to download, depending on
your connection speed.
2. Start the OpenStack dashboard and provide a User Name and Password.
3. Click Connect.
4. Under the Project tab on the left, select Compute > Images.
5. Click Create Image. The Create an Image dialog appears.
6. Create a name for the image in the Name field.
7. Create a description in the Description field. (optional)
8. Select Image File from the Image Source dropdown.
9. Click Choose File and navigate to the file location. Click Open.
10. Select VMDK – Virtual Machine Disk from the Format dropdown.
11. Provide architecture information in the Architecture field. (optional)
12. Enter the minimum disk size required for the image in the Minimum Disk (GB) field.
13. Enter the minimum RAM required for the image in the Minimum RAM (MB) field. The
KeyNexus VMDK requires a minimum of 8 GB of base memory, so enter at least 8192.
14. Under the Project tab on the left, select Compute > Instances.
15. Click the Copy Data checkbox to copy image data to the image service.
16. Select if you want the image to be Public or Protected by checking the applicable
checkbox.
17. Confirm that all fields have been entered correctly and click Create Image. This process
can take some time to complete, based on your system.
Once the image has been created, you can use that image when launching an instance.
18. Under the Project tab on the left, select Compute > Instances.
19. Click Launch Instance. The Launch Instance dialog appears. Items marked with an
asterisk are required fields. Flavor Details that show the resources allocated to the
instance are displayed on the right.
20. Create a name for the VM in the Instance Name field.
21. Select a size for the instance by selecting an option from the Flavor dropdown list.
Instance size refers to the amount of resources allocated to that VM.
Note: The VMDK file requires a minimum of 8 GB of base memory to operate correctly.
It is recommended you use the Large option.
22. Select the number of instances to launch from the Instance Count field. (default is 1).
23. Select Boot from Image from the Instance Boot Source dropdown.
24. Select the applicable image from the Image Name dropdown.
25. Click Launch. OpenStack sends a successful launch message and the new instance
appears in the Instance list.
26. Click the newly created instance from the list. The Instance Overview page appears. Use
the IP address displayed under IP Addresses to connect to the configuration portal
through your browser.
The remaining options in the Launch Instance dialog are optional and should only be changed
by users familiar with the OpenStack platform.
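The dashboard steps above and the port lists under Port Configuration can also be carried out with the OpenStack command-line client, which makes it easy to review exactly what is exposed. The script below is an added example, not from the KeyNexus guide or from KeyNexus; it assumes the openstack CLI is installed and already authenticated, and the image file name, image name, admin network CIDR, flavor and network name are placeholders. It creates one security group that opens the KeyNexus client ports only to an administrator network and the internode ports only to other members of the same group, then imports the VMDK with the 8 GB minimum and launches a node with that group attached. Set DRY_RUN=1 to print the commands without running them.

```shell
#!/bin/sh
# Added example (not from the KeyNexus guide): CLI equivalent of the dashboard
# steps in Section 1 plus security group rules for the two port lists.
# All names, CIDRs and the flavor below are assumptions; adjust for your cloud.
set -eu

IMAGE_FILE="${IMAGE_FILE:-keynexus.vmdk}"   # VMDK from your representative (assumed name)
IMAGE_NAME="${IMAGE_NAME:-keynexus-1.10}"
ADMIN_CIDR="${ADMIN_CIDR:-10.0.0.0/24}"     # network from which admins reach the activator/portal
FLAVOR="${FLAVOR:-m1.large}"
NETWORK="${NETWORK:-private}"
DRY_RUN="${DRY_RUN:-0}"

# Print the command on one line; execute it unless DRY_RUN=1.
run() {
    printf '%s\n' "$*"
    [ "$DRY_RUN" = "1" ] || "$@"
}

# "KeyNexus Ports": open only to the admin network, never to 0.0.0.0/0.
keynexus_client_rules() {
    sg="$1"
    for port in 8443 1443 443 5696; do
        run openstack security group rule create --ingress --protocol tcp \
            --dst-port "$port" --remote-ip "$ADMIN_CIDR" "$sg"
    done
}

# "Internode Communication": open only to instances in the same security
# group (--remote-group), so other tenants cannot reach cluster management.
keynexus_internode_rules() {
    sg="$1"
    run openstack security group rule create --ingress --protocol tcp --dst-port 8443 --remote-group "$sg" "$sg"
    run openstack security group rule create --ingress --protocol tcp --dst-port 2377 --remote-group "$sg" "$sg"
    run openstack security group rule create --ingress --protocol tcp --dst-port 7946 --remote-group "$sg" "$sg"
    run openstack security group rule create --ingress --protocol udp --dst-port 7946 --remote-group "$sg" "$sg"
    run openstack security group rule create --ingress --protocol udp --dst-port 4789 --remote-group "$sg" "$sg"
    # The guide lists "port 50 (TCP)". If this turns out to mean IP protocol 50 (ESP)
    # in your environment, use "--protocol esp" without --dst-port (assumption; confirm with KeyNexus).
    run openstack security group rule create --ingress --protocol tcp --dst-port 50 --remote-group "$sg" "$sg"
}

deploy_keynexus() {
    sg="keynexus-cluster"
    run openstack security group create "$sg"
    keynexus_client_rules "$sg"
    keynexus_internode_rules "$sg"
    # Steps 5-17: register the VMDK. 8192 MB matches the 8 GB minimum in step 13.
    run openstack image create --disk-format vmdk --container-format bare \
        --min-disk 20 --min-ram 8192 --file "$IMAGE_FILE" "$IMAGE_NAME"
    # Steps 18-25: launch one node from the image with the restrictive group attached.
    run openstack server create --image "$IMAGE_NAME" --flavor "$FLAVOR" \
        --network "$NETWORK" --security-group "$sg" keynexus-node1
}
```

Run `DRY_RUN=1 sh deploy.sh` after adding a final `deploy_keynexus` line to review the rules; for additional nodes, launch further servers with the same security group so the `--remote-group` rules cover them automatically.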
Section 2 KeyNexus Initialization and Activation
This section provides information regarding the activation of the KeyNexus UKM. Setting up
KeyNexus involves initializing the nodes that make up a cluster, deploying the cluster, activating
KeyNexus with a subscription key, and creating an Administrator account.
Cluster Node Initialization
To successfully configure your KeyNexus cluster, the nodes that make up that cluster must be
initialized. Perform this operation on each node before adding it to your cluster.
To access the KeyNexus Subscription Activator, open your browser and enter the URL
containing the node's IP address (for example https://<IP address>:8443, where
<IP address> is the IP address of the KeyNexus node) or its fully qualified domain name.
Make sure to add port 8443 to the end of the URL.
Note: When applicable, accept the self-signed certificate when navigating to the Initialize
Network Node, Cluster Configuration, or Account Login pages. Because the browser cannot
verify a self-signed certificate, confirm its fingerprint out of band, or reach the node only over
a network you control, before entering the cluster admin password.
If you are initializing a network node for the first time, the KeyNexus Subscription Activator page
appears.
Initialize a Node
1. Select Reboot if your system requires a reboot in order for the network config to take
effect.
2. Select DHCP or Static from the Network Config options.
Select DHCP to configure the network automatically using DHCP.
Select Static to manually configure the host and enter your valid network information (IP
Address, Network Mask, Network Gateway and DNS) in their respective fields.
There are several considerations when deciding between DHCP and a static IP; cluster
membership is tied to each node's IP address:
• If your DHCP server cannot guarantee the same address to the same node, use DHCP only
for short-term test clusters.
• If you must use DHCP in a production environment, pin the address to the node outside
KeyNexus, for example with a reservation in the DHCP server, so the same IP is always
provided to the same node.
• A static IP is the simplest way to guarantee that a node keeps its address in a production
environment.
Note: If you select Static, change the IP address of the machine and choose the
Reboot option, the Cluster Configuration on the Initialize Network Node success page
does not advance you to the Cluster Nodes page. The IP in the address tab of the
browser is no longer associated with that node. You must connect to the activator again
with one of the new IPs to finish the configuration once the reboot is complete.
3. Click Show Terms to review the Terms of Service and click Accept to accept them.
Terms of service must be accepted to continue.
4. Enter a Cluster Admin Password. Passwords must be 8-256 characters long. You
must provide this password when clustering nodes. All nodes in a cluster must share the
same password.
5. Click Initialize Node. If any configuration step has been missed or entered incorrectly,
that area is highlighted in red when you attempt to initialize the node. The information in
highlighted area must be entered correctly to continue.
When the node has been initialized, a message indicating the node has been
successfully initialized is displayed.
6. Click Cluster Configuration to continue.
Perform this operation for each additional node that will be part of the cluster. An uninitialized
node cannot be part of a cluster.
Cluster Nodes
Use the Cluster Nodes page to enter the name and IP address of each node in your cluster.
1. Enter the name and IP address of your first node in the NODE #1 box.
2. Click Add Node to open an additional node box. Enter the name and IP address of the
second node. Repeat for each node you are adding to your cluster. When a valid node
name and IP address are entered, the border around the Node box turns green.
3. To remove a node, click the x in the top right corner of the node box. You cannot remove
NODE #1.
Once you have configured all the nodes in your cluster, click Continue to Specify License.
This button appears when at least one node contains a valid name and IP address.
Use the License page to enter your subscription key, create a first admin username and
password, re-enter your cluster configuration password, and set the external IP address for the
node currently being configured.
Activate your KeyNexus Subscription
1. Provide your subscription key in the Subscription Key field. There are several ways you
can enter your key. You can enter your key manually, you can cut and paste the key
from a text file, or you can import the subscription key by dragging and dropping a text
file containing the subscription key into the Subscription Key field.
2. Once a valid subscription key is entered in the Subscription Key field, information
regarding the Business ID, the company associated with this subscription key, and the
subscription key expiry date are displayed.
3. Create an admin user by entering a name in the Pick your admin username field.
4. Enter a password in the Pick your admin password field and verify it in the Pick your
admin Password (Verify) field. The password must contain a minimum of 10
characters. KeyNexus uses a password strength meter to indicate the strength of the
password and provides tips for creating stronger passwords.
Note: The tips provided by the password strength meter are informational. As long as
your password meets the minimum length requirement, KeyNexus accepts the
password.
5. Enter the Cluster Configuration Password you created during the node initialization.
6. Select the External IP address from the dropdown list. This list is made up of the nodes
entered on the Cluster Nodes page.
7. Click Activate Cluster when all fields have been completed. It can take some time for
this action to complete.
Successful activation of the KeyNexus cluster brings you to a summary page that contains
information regarding your Business ID, the nodes in your cluster, the Administrator account
and company account details.
Click the Portal URL link or the Log In button to go to the KeyNexus login page, where the
Business ID and Username fields are prepopulated.
The Business ID is a unique alphanumeric code assigned to your organization, and is required
when logging in using your account credentials. Record this number and store in a secure
location as it is required for access to your account. If you lose your Business ID, contact your
KeyNexus representative.
Section 3 KeyNexus Configuration
Account Login page
Once you have received your Business ID, enter the URL containing the IP address (for
example https://<IP address>/login) or the fully qualified domain name into your browser's
address bar. Make sure to add /login to the end of the URL. You can log in with your regular
login credentials (Business ID, Username and Password), using Single Sign-On (SSO), or with a
Client Certificate.
1. Enter the Business ID provided on the Subscription Activation page in the Business
field.
2. Click the Login via SSO button if you have Single Sign On (SSO) configured for this
account, otherwise enter a Username and Password in the applicable fields. Refer to
the Administration section for information regarding configuring the KeyNexus portal for
Single Sign-On.
3. Click Login.
4. Alternatively, click Sign in with client certificate. If you have previously generated a
client certificate, you can use it to sign in to the KeyNexus portal as the user associated
with the client certificate. Drag and drop the certificate file into the dialog, or click in the
dialog, locate the certificate and click Open. If you have not generated a client
certificate, refer to the Users section for instructions regarding the creation of a user with
an associated client certificate.
A successful login advances you to the Dashboard Page.
Dashboard
When logged in as an Administrator, the KeyNexus Dashboard provides visibility into the
long-term trends in your organization's key management activity.
The Dashboard shows the total keys, keys added, keys provisioned and keys rotated, and
can display those values over the past day, week, month or year. Click on each item to display
that information on the graph. Select Day, Week, Month or Year from the dropdown to display
the key management information for the respective timeframe on the graph.
When logged in as a Key User, the Dashboard provides your Business ID and links to your
Keys and Account pages.
Groups
Use the Groups feature to create key groups that can assist you with the organization of your
keys. Click the Groups tab to navigate to the Groups page.
Note: The Groups tab is only available to users with Admin access.
Add a group
1. Click +Add Group. The Add New Group dialog appears.
2. Enter the name of the key group in the Group Name field. This name should follow a
naming convention to assist with the logical grouping of your keys.
Note: Group names cannot use uppercase letters.
3. Click Save. A message indicating that the new group was created appears in the top
right corner.
The new group now appears in the Group Name list.
Delete a group
1. Locate the group to delete in the list and click Delete under the Actions heading next to
the group name. The Delete Group Confirmation dialog appears.
2. Click Delete Group to remove the group or click Cancel to return to the Groups page.
Note: This operation cannot be undone.
The group is removed from the Group Name list.
View Users in a Group
1. Hover the mouse pointer over the number of users beside the applicable group. The
users in that group appear as a tooltip.
Search for a Group
1. Use the Search field to locate existing groups. The groups table is filtered to display
only groups matching the entry provided in the field. Groups are searched by group
names as a substring. For example, entering ‘key' in the search field displays only
the groups that contain ‘key’ in their name.
Keys
The Keys feature is used to create keys, add keys to the system and to view and edit details
relating to existing keys. Click the Keys tab to navigate to the Keys page.
The Keys Page contains a list of key names. Beside each key name is a version number,
indicating how many times the key has been rotated. Each key row contains the type of key,
owner information, and View and Delete Action buttons.
Note: Each key must be associated with either a group or a key user. If no groups or key users
have been created, you are prompted to create one before you can continue creating a key.
See the Users and Groups sections for instructions regarding the creation of new users and
groups.
Add a new key
1. Click +Add Key to advance to the Add or import new key dialog.
2. Select one of the following to add a new key:
a. Symmetric (AES)
b. Asymmetric (RSA)
c. Custom key
3. Select a key type from the Key Type dropdown.
• Symmetric (AES) key types include AES128, AES192 and AES256. Select
Import Existing Key to import an existing key and enter that key in the Base 64
encoded key field.
• Asymmetric (RSA) key types include RSA 2048, RSA3072, RSA4096, and
ECDSA. Check Import Existing Key to import an existing private/public key pair.
• Custom Key is any key created outside KeyNexus that you want to store and
manage with KeyNexus.
4. Provide a key name in the Key Name field. The key name cannot contain uppercase
letters.
5. Provide a description of the key in the Key Description field. (optional)
6. Keys can be associated with a group or with an individual user. Select the group the key
is associated with from the Key Group dropdown. Alternatively, you can associate the
key with an individual user by selecting key is owned by user from the dropdown. The
key is owned by user selection opens the Key Owner item in the Add Key dialog. If
you have not created a group, you can still create a key, but the key is owned by user
option is the only one available.
7. Select a key location (Production, Dev or Test) from the Key Location dropdown.
8. Click Automatic Rotation (optional). The Rotation Interval field appears.
The automatic rotation feature allows you to set a recurring key rotation period. After the
set time has elapsed and just prior to the provisioning of the key, the key automatically
rotates.
9. Click inside the Rotation Interval field to open the Interval dialog. Enter the interval
between key rotations in the fields provided.
10. Click Apply to set the schedule. The schedule is now displayed in the Rotation Interval
field.
11. Click Disable Key Until Date. (optional)
This function hides the private part of the key when you use the /service/key/get API
endpoint. The private part of the key displays in the API response once the selected time
and date have passed. Click the date on the calendar, select a time and click on the
applicable time zone.
Note: The only way to see key data is through the API.
12. Click Save. A message appears indicating the key was successfully created.
Import Custom Keys
In addition to generating its own keys, KeyNexus can also import and store keys generated
outside KeyNexus. This operation can be performed in several different ways; it can be
imported as a Base64 encoded AES key, as an RSA public and private key pair, or as a custom
key. This section describes the method for importing and storing each key type.
Import a Base64 Encoded AES key
1. Under the Symmetric tab, select Import Existing Key from the Key Type dropdown.
The Base64 Encoded Key field appears under the Key Type dropdown.
2. Enter the Base64 encoded key in the Base64 Encoded Key field.
3. Follow the remaining steps as shown in the To add a new key section to complete the
import process.
Encode and Decode AES keys in Base64
The Base64 Encoded Key field expects the raw key bytes encoded in Base64, so the input file
must contain the key bytes themselves (16, 24 or 32 bytes), not a hexadecimal or text rendering
of them.
To encode an existing AES key in Base64 on a Linux or Mac system, enter the following
command through the command line interface:
base64 [infile.txt] > [outfile.b64]
To decode the Base64 file stored in KeyNexus and save it to a file on a Linux or Mac system,
retrieve the key through a cURL request and enter the following command through the
command line interface. GNU coreutils on Linux uses -d for decoding; the macOS base64
command uses -D (recent macOS versions also accept -d):
base64 -d [infile.b64] > [outfile.txt]
To encode an existing AES key in Base64 on a Windows system, enter the following command
in the command line interface:
certutil -encode [infile.txt] [outfile.b64]
Note: certutil -encode wraps its output in -----BEGIN CERTIFICATE----- and
-----END CERTIFICATE----- lines. Remove those lines and join the remaining text into a single
line before pasting it into the Base64 Encoded Key field.
To decode the Base64 file stored in KeyNexus and save it to a text file on a Windows system,
retrieve the key through a cURL request and enter the following command through the
command line interface:
certutil -decode [infile.b64] [outfile.txt]
Note: The length of the encoded AES key is determined from the input, but it must be one of the
supported lengths (128, 192 or 256 bits). If your key is not one of the supported lengths, it is
recommended that you import it as a custom key. See Import Custom Keys for more
information.
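The length note above is easy to get wrong when a key arrives as a Base64 string of unknown origin. The script below is an added example, not from the KeyNexus guide or from KeyNexus; it generates a fresh AES key of a supported length from the operating system's random source, encodes it as single-line Base64 for the Base64 Encoded Key field, and checks that an arbitrary Base64 string decodes to exactly 16, 24 or 32 bytes before you import it as an AES key. The -d/-D handling covers the GNU and macOS base64 commands mentioned above; function names are my own.

```shell
#!/bin/sh
# Added example (not from the KeyNexus guide): generate an AES key from the OS
# CSPRNG, Base64-encode it for import, and validate a Base64 key length before
# choosing between "Import Existing Key" (AES) and a custom key.

# Portable Base64 decode: GNU coreutils takes -d, older macOS/BSD takes -D.
b64_decode() {
    if printf '' | base64 -d >/dev/null 2>&1; then
        base64 -d
    else
        base64 -D
    fi
}

# Print a fresh AES key of 128, 192 or 256 bits as single-line Base64.
# /dev/urandom is the kernel CSPRNG; "openssl rand -base64 N" is an equivalent.
gen_aes_key_b64() {
    case "$1" in
        128|192|256) ;;
        *) echo "unsupported AES length: $1 (use 128, 192 or 256)" >&2; return 1 ;;
    esac
    head -c "$(( $1 / 8 ))" /dev/urandom | base64 | tr -d '\n'
}

# Print the number of bytes a Base64 string decodes to.
aes_key_b64_len() {
    printf '%s' "$1" | b64_decode 2>/dev/null | wc -c | tr -d ' '
}

# Succeed only for a Base64 string that decodes to a supported AES key length;
# anything else should be imported as a custom key instead.
check_aes_key_b64() {
    len=$(aes_key_b64_len "$1")
    case "$len" in
        16|24|32) return 0 ;;
        *) echo "decoded length ${len:-0} bytes is not a supported AES size" >&2; return 1 ;;
    esac
}
```

Typical use is `key=$(gen_aes_key_b64 256)` followed by pasting `$key` into the field, or `check_aes_key_b64 "$(cat key.b64)"` on a key received from elsewhere; a non-zero exit means the custom key path applies.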
Import RSA keys
1. Under the Asymmetric tab, select the key type from the Key Type dropdown and check
the Import Existing Key box below.
2. Add the Public Key and Private Key information in the applicable fields.
3. Follow the remaining steps as shown in the To add a new key section to complete the
import process.
Import Custom Keys
1. Under the Custom tab, Enter the key data into the Custom Key field. You can do this
by copying the key content and pasting it into the field, dropping the key file into the field,
or by clicking the Upload file button, navigating to the file location and clicking the Open
button.
2. Follow the remaining steps as shown in the To add a new key section to complete the
import process.
Key Details
Once a key has been created or imported, it appears in the table located on the Keys page.
Click View beside each key name to display additional key details, edit attributes or rotate the
key.
Key users also have the option of downloading the key from this page.
Key Rotation
Key Rotation retains the attributes of the original encryption key while generating new key data.
Rotating keys on a regular basis reduces the risk of future compromise to your encrypted data.
To rotate your key manually, click Rotate, then click Confirm Rotate. When the key has
successfully rotated, the key version increments. Information relating to the rotation appears in
Key History.
To set or change the rotation schedule after a key has been created, make sure the Automatic
Rotation option has been selected and click in the Rotation Interval field to set the rotation
schedule.
Note: Only AES and RSA keys can be rotated. Custom keys cannot be rotated.
Note: Rotating your key periodically should be part of your key management strategy.
Edit Key Attributes
Select Edit Key Attributes to make changes to the key description, set the automatic key
rotation, or edit key access restrictions.
Enter any information concerning the key in the Key Description field.
Set the Key Rotation schedule
Select Automatic Rotation to set a recurring key rotation period. After the set time has elapsed,
the key automatically rotates.
1. Select the Automatic Rotation check box.
2. Click inside the Rotation Interval field to open the Interval dialog. Enter the interval
between key rotations in the fields provided.
3. Click Apply to set the schedule.
Note: When automatic rotation is set, the rotation is not performed until necessary, such as just
prior to provisioning. For example, if the key is not provisioned for 5 days, then the key is not
rotated in this time period, even if the rotation interval is less than 5 days.
Edit Key Access Restrictions
Use the Edit Key Access Restrictions feature to disable the key until a specific date, or to make
changes to an existing key access restriction that was set during the key creation process.
1. Under Edit Key Access Restrictions, select the Set New Time option.
2. Select the Month, Day and Time that the access restriction ends.
3. Set the Time Zone.
When all changes have been made in the Modify Key dialog, click Apply changes to return to
the key’s View page.
Key Operations History
You can also view your key history from this page. Operations History allows you to view the
key operations since it was created. Select a filter from the dropdown list to limit the history to
Add, Add Batch, Change State, Delete, Get, Get Batch, or Rotate. Select All Operations
to view the complete history of the key.
Note: Operations History information is only available to users with Admin access.
Download a Key
When an AES, RSA or custom key has been successfully generated or imported, you also have
the option of downloading the key. This can be useful when removing any formatting changes.
Log in under the key owner’s account. Click the Keys tab and click View beside the name of the
key.
Click the Download Key button. The key file downloads to your system.
Note: When downloading RSA keys, there are two download options; one for the private key,
the second for the public key.
Delete a Key
1. Click Delete to permanently remove this key. Click Confirm Delete to complete this
action or Cancel to return to the Manage Keys page.
Important: This operation cannot be undone. Ensure this operation is necessary before you
proceed.
Search for a Key
Use the Search field to locate existing keys. The keys table is filtered to display only
keys matching the entry provided in the field. For example, entering ‘key' displays only
the keys that contain ‘key’ in their name.
Add keys through the API
All the configuration request examples shown in this section are through cURL.
The service/key/add endpoint allows you to create a key.
Adding a key with business ID and credentials
curl -k -H "content-type: application/json" -XPOST \
"https://your.ip:1443/service/key/add" -d '{
"business": "BUSINESS_ID",
"creds": [
{
"username": "USER",
"password": "PASSWORD"
}
],
"group": "KEY_GROUP",
"keyLocation": "LOCATION",
"keyType": "TYPE",
"keyName": "KEY_NAME"
}'
Once you have authenticated with a Business ID and credentials with the authentication
endpoint, the API returns a token. Use this token for the remainder of the endpoints that require
or use a token for authenticating.
Adding a key with a token
curl -k -H "content-type: application/json" -XPOST \
"https://your.ip:1443/service/key/add" -d '{
"token": "TOKEN",
"group": "KEY_GROUP",
"keyLocation": "LOCATION",
"keyType": "TYPE",
"keyName": "KEY_NAME"
}'
Add Batch Keys through the API
All the configuration request examples shown in this section are through cURL.
add_batch allows you to create multiple keys at one time, rather than using add, which
creates keys one at a time.
Add_batch using a Business ID and credentials
curl -k -H "content-type: application/json" -XPOST \
"https://your.ip:1443/service/key/add_batch" -d '{
"business": "BUSINESS_ID",
"creds": [
{
"username": "USER",
"password": "PASSWORD"
}
],
"group": "KEY_GROUP",
"keys": [
{
"keyName": "KEY_NAME_A",
"keyType": "KEY_TYPE_A",
"keyLocation": "LOCATION_A"
},
{
"keyName": "KEY_NAME_B",
"keyType": "KEY_TYPE_B",
"keyLocation": "LOCATION_B"
}
]
}'
Once you have authenticated with a Business ID and credentials with the authentication
endpoint, the API returns a token. Use this token for the rest of the endpoints that require or use
a token for authenticating.
Add_batch using a token
curl -k -H "content-type: application/json" -XPOST \
"https://your.ip:1443/service/key/add_batch" -d '{
"token": "TOKEN",
"group": "KEY_GROUP",
"keys": [
{
"keyName": "KEY_NAME_A",
"keyType": "KEY_TYPE_A",
"keyLocation": "LOCATION_A"
},
{
"keyName": "KEY_NAME_B",
"keyType": "KEY_TYPE_B",
"keyLocation": "LOCATION_B"
}
]
}'
For each of the examples shown:
“https://your.ip:1443/service/key/add” is the address of your VM, the port number
and the add key endpoint. The -k option in the cURL examples disables TLS certificate
verification; outside a lab, drop it and point cURL at the appliance CA certificate with
--cacert instead, so that credentials and tokens are never sent to an unverified host.
“business” is the Business ID for your KeyNexus instance.
“username” is the name of the user signing in to create a key.
“password” is the password of the user signing in to create a key.
“token” is the value returned when you have provided the API a valid Business ID, username
and password.
“keyLocation” defines where the key is assigned (Production, Dev or Test).
“group” is the group the key is associated with.
“keyName” is an optional parameter for providing the name of the key. keyName cannot be the
same as the name of an existing key, and cannot contain uppercase letters.
“keyType” defines the type of key used. The allowable key types are: AES128,
AES192, AES256, RSA2048, RSA3072, RSA4096, ECDSA or CUSTOM.
If the CUSTOM key type is used, the keyData parameter that contains the data for the custom
key must be included in the request.
If ECDSA (Elliptic Curve Digital Signature Algorithm) is used for the keyType, you can include
the keyParams parameter and set it to one of the supported curves listed below. If ECDSA is
selected and keyParams is not included in the request, the default curve prime256v1 is
used.
Available ECDSA curves
FRP256v1, brainpoolp160r1, brainpoolp160t1, brainpoolp192r1, brainpoolp192t1,
brainpoolp224r1, brainpoolp224t1, brainpoolp256r1, brainpoolp256t1, brainpoolp320r1,
brainpoolp320t1, brainpoolp384r1, brainpoolp384t1, brainpoolp512r1, brainpoolp512t1,
B-163, B-233, B-283, B-409, B-571, K-163, K-233, K-283, K-409, K-571, P-192, P-224, P-256,
P-384, P-521, secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1,
secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, secp256r1, secp384r1,
secp521r1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2,
sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect409k1, sect409r1,
sect571k1, sect571r1, c2pnb163v1, c2pnb163v2, c2pnb163v3, c2pnb176w1, c2tnb191v1,
c2tnb191v2, c2tnb191v3, c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2pnb272w1,
c2pnb304w1, c2tnb359v1, c2pnb368w1, c2tnb431r1, prime192v1, prime192v2, prime192v3,
prime239v1, prime239v2, prime239v3, prime256v1
Note: The list includes legacy curves well below 224 bits (for example secp112r1, secp128r1,
secp160r1 and the 113- to 163-bit binary curves) that provide far less than 112-bit security.
For new keys, choose prime256v1 (P-256), secp384r1 (P-384) or secp521r1 (P-521) unless an
existing system requires a specific curve.
Note: When using the add_batch endpoint, the keyType and keyLocation information must
be provided for each individual key (KEY_TYPE_A, KEY_TYPE_B, etc.). This also applies if
you are including the optional keyName parameter in the request.
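The parameter rules above (for both the add and the add_batch requests) are easy to get wrong by hand, so here is a small client that builds and validates the request bodies before anything is sent, as an added example that is not KeyNexus code. The endpoint paths and field names are the ones documented above; the Business ID, token, group, key names and the CA bundle path are placeholders. It also shows the TLS-verifying alternative to curl -k: the appliance certificate is checked against a CA bundle you supply.

```python
"""Build and validate KeyNexus service/key/add and add_batch request bodies.

Added example, not KeyNexus code: it implements the parameter rules the
guide lists (allowed keyType and keyLocation values, lowercase and unique
keyName, keyData for CUSTOM, the prime256v1 default for ECDSA). The URL,
Business ID, token, group and CA bundle path are placeholders.
"""
import json
import ssl
import urllib.request

KEY_TYPES = {"AES128", "AES192", "AES256", "RSA2048", "RSA3072", "RSA4096",
             "ECDSA", "CUSTOM"}
KEY_LOCATIONS = {"Production", "Dev", "Test"}
DEFAULT_ECDSA_CURVE = "prime256v1"   # used when an ECDSA key omits keyParams


def validate_key_spec(spec, existing_names=()):
    """Return a normalised copy of one key spec, or raise ValueError.

    keyParams for ECDSA is passed through unchecked; the server rejects
    curves outside its published list.
    """
    out = dict(spec)
    if out.get("keyType") not in KEY_TYPES:
        raise ValueError(f"unsupported keyType: {out.get('keyType')!r}")
    if out.get("keyLocation") not in KEY_LOCATIONS:
        raise ValueError(f"unsupported keyLocation: {out.get('keyLocation')!r}")
    name = out.get("keyName")
    if name is not None:
        if name != name.lower():
            raise ValueError(f"keyName cannot contain uppercase letters: {name!r}")
        if name in existing_names:
            raise ValueError(f"keyName already exists: {name!r}")
    if out["keyType"] == "CUSTOM" and "keyData" not in out:
        raise ValueError("CUSTOM keys require the keyData parameter")
    if out["keyType"] == "ECDSA":
        out.setdefault("keyParams", DEFAULT_ECDSA_CURVE)
    return out


def token_auth(token):
    """Auth fields for a request that carries a previously issued token."""
    return {"token": token}


def credential_auth(business_id, username, password):
    """Auth fields for a request that signs in with Business ID and credentials."""
    return {"business": business_id,
            "creds": [{"username": username, "password": password}]}


def build_add_request(auth, group, spec, existing_names=()):
    """Body for POST /service/key/add (one key)."""
    body = dict(auth)
    body["group"] = group
    body.update(validate_key_spec(spec, existing_names))
    return body


def build_add_batch_request(auth, group, specs, existing_names=()):
    """Body for POST /service/key/add_batch: every key carries its own keyType
    and keyLocation, and names must also be unique within the batch."""
    seen = set(existing_names)
    keys = []
    for spec in specs:
        key = validate_key_spec(spec, seen)
        if "keyName" in key:
            seen.add(key["keyName"])
        keys.append(key)
    body = dict(auth)
    body["group"] = group
    body["keys"] = keys
    return body


def post_json(url, body, ca_bundle):
    """POST body as JSON, verifying the server certificate against ca_bundle
    (the appliance CA) instead of disabling verification as curl -k does."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"content-type": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholders: your appliance address, token and CA bundle.
    base_url = "https://your.ip:1443"
    body = build_add_batch_request(token_auth("TOKEN"), "KEY_GROUP", [
        {"keyName": "db-master", "keyType": "AES256", "keyLocation": "Production"},
        {"keyName": "sign-ec", "keyType": "ECDSA", "keyLocation": "Dev"},
    ])
    print(json.dumps(body, indent=2))
    # print(post_json(base_url + "/service/key/add_batch", body, "/etc/keynexus/ca.pem"))
```

Validating client-side is not a substitute for the server's own checks, but it turns a rejected batch (and the partial state that can leave behind) into a local error before any credentials cross the wire.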
Users
The Users feature is used to create additional administrator and key user accounts, and to view
and edit existing key request accounts and key groups.
Note: The Users tab is only available to users with Admin access.
Note: Each key must be associated with a group or user.
1. Click the Users tab. The Users page appears.
2. Click Administrators to view all users with admin access, or click Key Users to view all
users with key user access.
Create a New User
1. Click Add User. The Add New User dialog appears.
2. Enter the information required in the Add New User dialog:
Username: Enter the username.
User Role: Check the Administrator or Key Access User option. Administrators can create additional keys, users and groups, while Key Access Users can create and manage keys, but cannot create additional users or groups.
Groups: Select a group or groups from the available group names. This option is only available for Key Access Users.
Default Group: From the list of groups the user is a part of, you can select one to act as the default group. This is primarily used when integrating KeyNexus as a Key Management Server (KMS). (optional)
Email: Enter the email address associated with this account. (optional)
Authenticate via Client Cert: Select this option to generate or upload a certificate used to authenticate this user. You can download the certificate after the new user is created. See Authentication Certificate for more information.
Password: Enter the password for this user. The password must have a minimum length of 10 characters. KeyNexus provides feedback relating to the strength of your password.
Confirm Password: Re-enter the password.
The Strength Meter under the Password field displays the strength of the
entered password. Password strength levels are displayed as a colored bar
below the Password field, and identified as Weak, Medium, Strong or Very
Strong.
3. (Optional) Click the Enforce IP Whitelist checkbox to restrict API requests for
this account to the listed IP addresses. Enter the IP addresses in the
field provided. To enter multiple IP addresses, enter them in a
comma separated value format (a.b.c.d, a.b.c.d, etc.).
4. Click Add User.
Authentication Certificate
Instead of using a username and password to authenticate a KeyNexus user, you can generate,
download or upload an authentication certificate associated with a specific KeyNexus account
and use it in lieu of login credentials. This certificate can be generated in several different ways:
a. During the initial user creation process, select the Authenticate via Client Cert option.
b. After the user has been created, locate the user in the Users list and click
AuthCertificate beside the user name.
c. After the user has been created, locate the user in the Users list, click Edit beside the
user name, select the Authenticate via Client Cert option and click Apply Changes.
In each case the Authentication Certificate Download dialog opens.
Click Download to download the existing authentication certificate or select the Generate New
Certificate option and click Generate and Download to generate and download a new
authentication certificate.
Important: Enabling a new authentication method automatically disables any existing method.
When you generate a new certificate, your login credentials change. Any current authentication
token becomes invalid and your login session terminates. Make sure you click Download to
download the new certificate. If you do not download the certificate, you will be unable to log
back in, as the current login credentials have been disabled.
Note: If there is no existing authentication certificate associated with the user, the dialog
displays a message indicating you must generate a new certificate.
Note: Generating a new certificate automatically invalidates any existing certificate for that user.
To apply an existing authentication certificate to the user account, click Upload. Copy and paste
the authentication certificate information into the Certificate field.
Note: When uploading an authentication certificate, make sure it contains matching user and
Business ID information. If the certificate does not contain these items, a message appears,
indicating that the certificate is not valid.
This certificate can be provided when integrating KeyNexus with other applications. For an
example of how the authentication certificate is used, refer to the KeyNexus vSphere
Integration Guide.
Delete a User
1. Click Delete beside the user name in the Users list to permanently remove this user.
Click Confirm Delete to complete this action or Cancel to return to the Users page.
Note: This operation cannot be undone.
Note: Before deleting a user, ensure that any keys owned by that user have also been deleted.
To search for a user
1. Use the Search field to locate existing users. The Users table is filtered to display
only the user names that match the entry provided in the field. For example, entering
‘b' displays only the user names that contain the letter ‘b’.
Administration
The Administration tab is used to configure or monitor the following administrative functions in
KeyNexus:
• Company Info
• Corporate Sign-in
• Cluster
• JWT
• Logging
• Backup
Note: The Administration tab is only available to users with Admin access.
Company info
Under the Administration tab, click Company Info to display your Company Name, Business
ID, License Type and License Expiration.
To change the company name, click Change beside the Company Name entry. The Edit
Company Name dialog appears.
Enter the new company name and click Update.
Corporate Sign-in
Use the Corporate Sign-in feature to configure the KeyNexus portal to use Single Sign On
(SSO). Allowing SSO access requires configuration of the KeyNexus portal as well as the
Identity Management platform. For instructions regarding the configuration of two popular
Identity Management services, refer to the KeyNexus ADFS Single Sign-in Guide, or the
KeyNexus Splunk Single Sign-in Guide.
1. Click the Corporate Sign-in tab. If this is your first time configuring Corporate Sign-in,
click Enable. The Edit Corporate Sign-In dialog appears.
2. Enter a name in the Entity ID field. (optional) This can be any name you want. This field
can even be left blank without affecting the configuration.
3. Enter the URL of the Identity Management provider in the SSO URL field.
4. Enter the Certificate Fingerprint. This information is provided by the Identity
Management platform.
5. Select the Fingerprint Algorithm from the dropdown. This information is provided by
the Identity Management platform.
6. Click Apply Changes.
Cluster
The Cluster feature provides a simple overview of the health of each node in a cluster.
1. Under the Administration tab, click Cluster. The Cluster Status page appears.
If the cluster is healthy, a message saying so is displayed, followed by the health of each
node in the cluster.
The Cluster Status page shows each node and displays the status of the web, API and
database for each node.
JWT
Use the JWT feature to let an application that already authenticates its users sign them in to
KeyNexus. It is similar to Corporate Sign-In in that it is a method of signing into
KeyNexus without using a password. Instead of configuring an identity management service, your
application presents a JSON Web Token (JWT) it has signed to the KeyNexus API, which verifies the
signature and exchanges the token for a KeyNexus JWT.
Prior to configuring the JWT feature in KeyNexus, you must generate a private and public key
pair in your application. The private key stays with the application and signs the tokens it
issues; only the public key is entered in the Public Key field, so that KeyNexus can verify those
signatures. The JWT Algorithm you select must match the algorithm your application signs with.
1. Log in to the KeyNexus portal, click the Administration tab then click JWT.
If this is your first time configuring JWT, click Edit to open the Edit JWT Sign-In dialog.
2. Enter the JWT Public Key.
3. Select the JWT Algorithm from the dropdown.
4. Click Apply Changes.
Logging
The Logging feature sends KeyNexus Portal log information to an external syslog server for
storage. The KeyNexus portal can work with many syslog server applications. Whenever
an operation is performed, such as get, add, rotate, etc., the operation is written to the audit
log and forwarded to the syslog server. Refer to your syslog server documentation for
configuration details.
1. Click the Logging tab. If this is your first time configuring Logging, click Enable. The
Edit Logging dialog appears.
2. Enter the Host location of the syslog server in the Host field. This value is entered as
either a fully qualified domain name or an IP address in the IPv4 format
(aaa.bbb.ccc.ddd).
3. Enter the port number. The default port number for communication with a syslog server
is 514, but you can change the port the syslog server is listening on.
Note: If you change the port number here, you must also change the port number on the
syslog server application. Refer to the syslog server documentation for more information.
4. Click the Use SSL checkbox to encrypt the connection (SSL/TLS) between KeyNexus and your
syslog server, so that audit records do not cross the network in clear text.
5. Select the lowest severity you want to record from the Level dropdown. The syslog
standard assigns each message a severity from Emergency (0) through Debug (7). The KeyNexus
portal sends messages of the selected severity and all more severe ones, that is, the
selected severity code and lower. For example, if a level of Warning is set, all messages
from Warning up to Emergency are sent to the syslog server.
6. Enter a name in the Application Name field.
7. Click Apply Changes.
To disable logging, click Disable on the Logging page.
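To make the Level semantics concrete, here is the severity filter together with the RFC 5424 line layout that a syslog receiver expects, as an added example that is not KeyNexus code. The sample audit events, the severity assigned to each operation, the local0 facility and the message text are constructed for illustration; the guide does not document the portal's actual message format, only which operations are logged.

```python
"""Severity filtering and line format for forwarding audit events to syslog.

Added example, not KeyNexus code. The severity table is the RFC 5424 one;
the events, the per-operation severities, the facility (local0) and the
message layout are constructed for illustration.
"""
from datetime import datetime, timezone

SEVERITY = {   # RFC 5424 severity codes: lower number = more severe
    "Emergency": 0, "Alert": 1, "Critical": 2, "Error": 3,
    "Warning": 4, "Notice": 5, "Informational": 6, "Debug": 7,
}
FACILITY_LOCAL0 = 16   # assumed facility for the audit feed


def forwarded(event_severity, configured_level):
    """True if an event of event_severity passes a Level of configured_level."""
    return SEVERITY[event_severity] <= SEVERITY[configured_level]


def format_rfc5424(event, app_name, hostname="keynexus-node1", facility=FACILITY_LOCAL0):
    """Render one event as an RFC 5424 line: <PRI>1 TIMESTAMP HOST APP - - - MSG."""
    pri = facility * 8 + SEVERITY[event["severity"]]
    ts = event["time"].astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    msg = (f"op={event['op']} key={event['key']} "
           f"user={event['user']} result={event['result']}")
    return f"<{pri}>1 {ts} {hostname} {app_name} - - - {msg}"


def select_for_forwarding(events, configured_level, app_name):
    """Apply the Level filter and format what would be sent to the syslog server."""
    return [format_rfc5424(e, app_name) for e in events
            if forwarded(e["severity"], configured_level)]


def _event(minute, severity, op, key, user, result):
    return {"time": datetime(2018, 9, 12, 8, minute, 0, tzinfo=timezone.utc),
            "severity": severity, "op": op, "key": key, "user": user, "result": result}


# Constructed sample audit events (not real KeyNexus output).
SAMPLE_EVENTS = [
    _event(0, "Informational", "Get", "db-master", "svc-openstack", "ok"),
    _event(1, "Notice", "Rotate", "db-master", "alice", "ok"),
    _event(2, "Warning", "Get", "db-master", "svc-openstack", "denied-ip-whitelist"),
    _event(3, "Error", "Delete", "old-test", "alice", "failed"),
]

if __name__ == "__main__":
    # With Level = Warning only the last two events reach the syslog server.
    for line in select_for_forwarding(SAMPLE_EVENTS, "Warning", "keynexus"):
        print(line)
```

For a key management audit trail, setting the Level at Warning would drop every successful Get and Rotate; if you need the full record of who fetched which key, choose Informational or Debug and filter on the syslog server instead.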
Backup
The Backup and Restore features allow you to capture the current state of your KeyNexus
implementation, store it, and if necessary restore your implementation to that previous state.
The backup can be performed on demand, or can be set to operate on a schedule. The backup
and restore features can be accessed through the user interface or through the KeyNexus API.
For information regarding the Backup and Restore features, refer to the KeyNexus Clustering
and Backup Guide.
Support
The Support tab contains additional information for using KeyNexus Key Management.
• Release Notes
• KeyNexus Key Management REST API
• Support Desk
Release Notes
Select the Release Notes tab to review new features, improvements and bug fixes for each
version of the KeyNexus platform.
KeyNexus Key Management REST API
Select the Service Layer API Documentation tab to access the KeyNexus Key Management REST API.
Support Desk
Click on Support Desk to link to the KeyNexus Help Center. Once there, provide your email
address to receive a link to access your tickets.
To create a new ticket, Click Send New Ticket. When the New Ticket dialog appears, enter
your name, email address, subject and message detailing the nature of your request in the
fields provided. If you need to include any files with your ticket, drop the file into the Drop your
files field or click the click here button, navigate to the file location, and click Open. Click
Create Ticket when you are finished.
Changes to Account
Click on the username on the right side of the page to make changes to the account currently
logged in to KeyNexus, or to log out the current user.
Click My Account to make changes to your account information, to update your authentication
method or to update the IP Whitelist.
The Account info page provides information such as the Business ID associated with the
account, user name, account type and email information. Click Change in the Email row to
update the account email information. Update the email address and click Update Email.
Click the Authentication tab to make changes to the current authentication method. Here, you
can view the current authentication method, change the account password, or generate a new
authentication certificate.
To set a new password, enter the password in the New Password field. Type it again in the
Confirm New Password and click Set / Change Password.
To generate a new authentication certificate, click Generate New Certificate.
Important: Enabling a new authentication method automatically disables any existing method.
When you generate a new certificate, your login credentials change. Any current authentication
token becomes invalid and your login session terminates. Make sure you click Download to
download the new certificate. If you do not download the certificate, you will be unable to log
back in, as the current login credentials have been disabled.
After the Current Authentication dialog closes, you are redirected to the login page. Click Sign
in with client certificate and drop the certificate file into the dialog box, or click in the dialog,
navigate to the file location and click Open.
Click the IP Whitelist tab to make changes to the IP Whitelist settings. Click Change to open
the Edit IP Whitelist dialog.
Click the Enforce IP Whitelist checkbox to restrict API requests for this account to the listed
IP addresses. Enter the IP addresses in the field provided. To enter multiple IP
addresses, enter them in a comma separated value format (a.b.c.d, a.b.c.d, etc.).
Click Update IP Whitelist when finished.
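The Enforce IP Whitelist setting, both here and in the Add New User dialog, is described only as a comma separated list of a.b.c.d addresses. The following is an added example, not KeyNexus code, of what enforcement of such a list looks like and of the one failure mode worth getting right: a list that cannot be parsed must fail closed rather than being treated as empty. Accepting CIDR blocks (for example 198.51.100.0/24) is an extension assumed here for illustration; the guide only mentions individual addresses. The sample addresses are constructed.

```python
"""IP whitelist parsing and enforcement for API requests.

Added example, not KeyNexus code. Input is the comma separated a.b.c.d
format from the guide; CIDR blocks are accepted as an assumed extension.
"""
import ipaddress


def parse_whitelist(text):
    """Parse 'a.b.c.d, e.f.g.h, 10.0.0.0/24' into a list of IPv4 networks.

    Single addresses become /32 networks. Raises ValueError on any entry
    that is not a valid IPv4 address or block (IPv6, hostnames, typos).
    """
    networks = []
    for raw in text.split(","):
        entry = raw.strip()
        if not entry:
            continue
        net = ipaddress.ip_network(entry, strict=False)   # '1.2.3.4' -> 1.2.3.4/32
        if net.version != 4:
            raise ValueError(f"only IPv4 entries are accepted: {entry!r}")
        networks.append(net)
    if not networks:
        raise ValueError("whitelist is enforced but empty")
    return networks


def request_allowed(source_ip, whitelist_text, enforce=True):
    """Decide whether an API request from source_ip may proceed.

    With enforcement off every source is allowed; with it on, the source
    must fall inside one of the parsed entries. Parse errors propagate so
    the caller fails closed instead of treating a broken list as empty.
    """
    if not enforce:
        return True
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in parse_whitelist(whitelist_text))


# Constructed sample: the list an admin might enter, and a few callers.
WHITELIST = "203.0.113.10, 203.0.113.11, 198.51.100.0/24"

if __name__ == "__main__":
    for src in ("203.0.113.10", "198.51.100.77", "192.0.2.5"):
        print(src, "allowed" if request_allowed(src, WHITELIST) else "denied")
```

Remember that the whitelist is keyed on the source address the appliance sees; requests arriving through a proxy or NAT all share that proxy's address, so the list narrows little in that case.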
Click Logout to exit the currently logged in account and return to the Account Login page.
KMIP
The Organization for the Advancement of Structured Information Standards (OASIS), in
partnership with various security companies, has developed the Key Management
Interoperability Protocol (KMIP), a standard protocol for communication between key
management servers and the clients that store or use cryptographic keys.
KeyNexus can be deployed as an enterprise or cloud-based encryption key service that
manages your keys throughout their entire lifecycle. As part of this key management service,
KeyNexus supports Key Management Interoperability Protocol (KMIP) communication between
key management servers and cryptographic clients.
KeyNexus supports KMIP versions 1.1 and 1.2. For information relating to the KeyNexus
implementation of KMIP, refer to the KeyNexus KMIP Guide. For complete information, refer to the
Key Management Interoperability Protocol documentation set at
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip.
OpenStack Guide v1.2
KeyNexus Inc. 205 2657 Wilfert Road Victoria, B.C. V9B 5Z3
Copyright 2018 KeyNexus Inc. All rights reserved. KeyNexus is a trademark of KeyNexus Inc. All other product names, logos, and brands are
property of their respective owners. All other company,
product and service names used in this document are
for identification purposes only. Use of these names,
logos, and brands does not imply endorsement.