KeyNexus OpenStack Guide v1.2 09/2018


    Copyright Notice

    Copyright 2018 KeyNexus Inc. All rights reserved.

    Information in this document is subject to change without notice. The software described in

    this document is furnished under a license agreement or nondisclosure agreement. No part

    of this publication may be reproduced, stored in a retrieval system, or transmitted in any form

    or any means electronic or mechanical, including photocopying and recording for any

    purpose other than the purchaser's personal use without written permission

  • Table of Contents

    Introduction ................................................................................................................................ 5

    System Requirements ............................................................................................................ 5

    Hardware Requirements ..................................................................................................... 5

    Software Requirements ....................................................................................................... 5

    Port Configuration .................................................................................................................. 6

    KeyNexus Ports .................................................................................................................. 6

    Internode Communication ................................................................................................... 6

    Section 1 Deploy KeyNexus VMDK File on OpenStack .............................................................. 7

    Section 2 KeyNexus Initialization and Activation .......................................................................11

    Cluster Node Initialization ..................................................................................................11

    Cluster Nodes ....................................................................................................................13

    Section 3 KeyNexus Configuration ............................................................................................16

    Account Login page ...............................................................................................................16

    Dashboard .............................................................................................................................17

    Groups ..................................................................................................................................18

    Add a group .......................................................................................................................18

    Delete a group ...................................................................................................................19

    View Users in a Group .......................................................................................................19

    Search for a Group ............................................................................................................20

    Keys ......................................................................................................................................20

    Add a new key ...................................................................................................................20

    Import Custom Keys ..........................................................................................................23

    Key Details .........................................................................................................................25

    Key Rotation ......................................................................................................................26

    Add Batch Keys through the API ........................................................................................31

    Users .....................................................................................................................................33

    Create a New User ............................................................................................................33

    Authentication Certificate ...................................................................................................35

    Delete a User .....................................................................................................................37

    Administration ........................................................................................................................37

    Company info .....................................................................................................................38

    Corporate Sign-in ...............................................................................................................38

  • User Guide KeyNexus OpenStack Guide

    Page 4 of 48 KeyNexus

    Cluster ...............................................................................................................................39

    JWT ...................................................................................................................................40

    Logging ..............................................................................................................................41

    Backup ...............................................................................................................................43

    Support ..................................................................................................................................43

    Release Notes ...................................................................................................................43

    KeyNexus Key Management REST API .............................................................................43

    Support Desk .....................................................................................................................44

    Changes to Account ..............................................................................................................44

    KMIP .....................................................................................................................................47


    Introduction

    A Key Management Service provides you with the means to create, apply and manage
    encryption keys from a single location.

    Rather than using multiple encryption solutions to manage your keys, a Unified Key Manager

    (UKM) such as KeyNexus can manage all the keys used by your organization on all platforms

    and environments, resulting in reduced implementation times, resource allocation and usage,

    and providing better protection of your sensitive data.

    This document provides information relating to the deployment of KeyNexus on the OpenStack

    platform, as well as the various aspects of the KeyNexus installation, activation and

    configuration process.

    Section 1 Provides information and instruction relating to the deployment of the KeyNexus VM
    on the OpenStack platform.

    Section 2 Provides information and instruction relating to the node initialization, cluster

    configuration and activation of your KeyNexus implementation.

    Section 3 Provides information and instruction relating to the function and configuration of the

    various KeyNexus features.

    The OpenStack Guide v1.2 supports KeyNexus version 1.10.

    System Requirements

    Hardware Requirements

    Processor   Recommended: Intel quad core or higher
    Memory      Minimum: 6 GB RAM; Recommended: 16 GB RAM
    Storage     Minimum: 20 GB HDD; Recommended: 40 GB HDD

    Note: The deployment steps in Section 1 state that the KeyNexus VMDK needs a minimum of
    8 GB of base memory, so size the OpenStack flavor for at least 8 GB regardless of the 6 GB
    figure above.

    Software Requirements

    When deploying on the OpenStack platform, KeyNexus is provided as a VMDK file. Refer to

    https://www.openstack.org to ensure your system meets the platform requirements. As long as

    your system software meets the necessary requirements to run your virtual machine platform

    and meets the KeyNexus hardware requirements, KeyNexus will perform as described.

    Supported Browsers

    KeyNexus has been tested and is supported on the following browsers:

    • Google Chrome Version 62.0.3202.94 (64-bit)

    • Safari Version 11.0.1 (12604.3.5.1.1)

    • Microsoft Edge Version 41.16299.15.0 (EdgeHTML 16.16299)

    • Firefox Version 54.0.1 (64-bit)

    • Microsoft Internet Explorer 11 Version 11.64.16299.0

    Note: If you are using a browser version different from the ones shown here, your experience

    might be different.

    Port Configuration

    Before you begin initialization and configuring KeyNexus, it is important to confirm the ports that
    KeyNexus requires are open. If these ports are not open, you cannot access the KeyNexus
    client, or successfully make modifications to a KeyNexus cluster.

    KeyNexus Ports

    In order to access the KeyNexus Subscription Activator and the KeyNexus client, there are
    several ports that must be open. Make sure these ports are open in your firewall using the
    protocol indicated, and restrict each one to the networks that need it: administrators reach the
    Subscription Activator on port 8443 (Section 2) and the portal at https://<node>/login, that is
    port 443 (Section 3), while port 5696 is the standard KMIP port used by KMIP clients.

    • port 8443 (TCP)

    • port 1443 (TCP)

    • port 443 (TCP)

    • port 5696 (TCP)

    Internode Communication

    When configuring KeyNexus to operate as a cluster, there are ports that must be open in order
    for the nodes that make up the cluster to communicate with one another. Make sure these ports
    are open in your firewall using the protocol indicated. They only need to be reachable from the
    other cluster nodes, not from clients or administrators.

    • port 8443 (TCP)

    • port 2377 (TCP)

    • port 7946 (TCP and UDP)

    • port 4789 (UDP)

    • port 50 (TCP)

    Note: 2377/TCP, 7946/TCP+UDP and 4789/UDP are the ports Docker Swarm uses for cluster
    management, node discovery and VXLAN overlay networking. In Docker's documentation the
    remaining entry is IP protocol 50 (ESP), which carries encrypted overlay traffic, rather than
    TCP port 50. Confirm with KeyNexus support which of the two your firewall rule should allow
    before writing it.


    Section 1 Deploy KeyNexus VMDK File on OpenStack

    OpenStack® is an open source IaaS cloud operating system that allows an application to be
    deployed as a virtual machine. KeyNexus is provided as a Virtual Machine Disk (VMDK) file,
    which can be imported and run on the OpenStack platform.

    It is assumed you have OpenStack installed on your system. For information regarding

    downloading and installing OpenStack onto your system, visit https://www.openstack.org.

    1. Download the KeyNexus Virtual Machine Disk (VMDK) file from your KeyNexus Service

    Representative.

    Note: The VMDK file is quite large and can take some time to download, depending on

    your connection speed.

    2. Start the OpenStack dashboard and provide a User Name and Password.

    3. Click Connect.

    4. Under the Project tab on the left, select Compute > Images.



    5. Click Create Image. The Create an Image dialog appears.

    6. Create a name for the image in the Name field.

    7. Create a description in the Description field. (optional)

    8. Select Image File from the Image Source dropdown.


    9. Click Choose File and navigate to the file location. Click Open.

    10. Select VMDK – Virtual Machine Disk from the Format dropdown.

    11. Provide architecture information in the Architecture field. (optional)

    12. Enter the minimum disk size required for the image in the Minimum Disk (GB) field. The
    hardware requirements call for at least 20 GB of storage.

    13. Enter the minimum RAM required for the image in the Minimum RAM (MB) field. The
    KeyNexus VMDK requires a minimum of 8 GB base memory, so enter 8192 or more; OpenStack
    then refuses to launch the image on a flavor with less memory.

    14. Click the Copy Data checkbox to copy image data to the image service.

    15. Select if you want the image to be Public or Protected by checking the applicable
    checkbox. Leave Public unchecked for a key manager image so that other projects on the cloud
    cannot launch it; Protected prevents the image from being deleted until the flag is cleared.

    16. Confirm that all fields have been entered correctly and click Create Image. This process
    can take some time to complete, based on your system.

    Once the image has been created, you can use that image when launching an instance.

    17. Under the Project tab on the left, select Compute > Instances.

    18. Click Launch Instance. The Launch Instance dialog appears. Items marked with an
    asterisk are required fields. Flavor Details that show the resources allocated to the
    instance are displayed on the right.

    19. Create a name for the VM in the Instance Name field.

    20. Select a size for the instance by selecting an option from the Flavor dropdown list.
    Instance size refers to the amount of resources allocated to that VM.

    Note: The VMDK file requires a minimum of 8 GB of base memory to operate correctly.
    It is recommended you use the Large option.

    21. Select the number of instances to launch from the Instance Count field (default is 1).

    22. Select Boot from Image from the Instance Boot Source dropdown.

    23. Select the applicable image from the Image Name dropdown.

    24. Click Launch. OpenStack sends a successful launch message and the new instance
    appears in the Instance list.

    25. Click the newly created instance from the list. The Instance Overview page appears. Use
    the IP address displayed under IP Addresses to connect to the configuration portal
    through your browser.

    The other options available are optional and should only be implemented by users with
    knowledge of the OpenStack platform.
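The Horizon procedure above, restated with the OpenStack command-line client as an added example; this is editor-supplied example code, not from KeyNexus or the guide. It also creates a security group for the ports listed under Port Configuration and gives each node a Neutron port with a fixed IP, which is the OpenStack way to meet the "same IP to the same node" requirement in Section 2. The flavor, network, subnet and CIDR names, the VMDK file and image names and the node addresses are placeholders to replace for your cloud; port 5696 is treated as the KMIP port (the standard KMIP port number). No rule is generated for the "port 50 (TCP)" entry: confirm with KeyNexus whether that means TCP port 50 or IP protocol 50 (ESP) before adding one. The script prints the commands it would run unless KN_APPLY=1 is set.

```shell
#!/usr/bin/env sh
# Editor-added example, not KeyNexus code: deploy KeyNexus nodes on OpenStack with the
# python-openstackclient CLI instead of the Horizon dialogs.
# Dry-run by default (prints each command); KN_APPLY=1 executes them.
# All names, CIDRs and addresses below are placeholders (assumptions), not values from the guide.
set -eu

KN_VMDK=${KN_VMDK:-keynexus-1.10.vmdk}        # VMDK from your KeyNexus representative
KN_IMAGE=${KN_IMAGE:-keynexus-1.10}
KN_FLAVOR=${KN_FLAVOR:-m1.large}              # must provide at least 8 GB RAM
KN_NETWORK=${KN_NETWORK:-kms-net}
KN_SUBNET=${KN_SUBNET:-kms-subnet}
KN_ADMIN_CIDR=${KN_ADMIN_CIDR:-10.10.0.0/24}     # admins browsing to 443/1443/8443
KN_KMIP_CIDR=${KN_KMIP_CIDR:-10.30.0.0/24}       # application servers speaking KMIP on 5696
KN_CLUSTER_CIDR=${KN_CLUSTER_CIDR:-10.20.0.0/24} # the nodes' own subnet, for internode ports

# Print the command in dry-run mode, execute it when KN_APPLY=1.
run() {
    if [ "${KN_APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Glance image from the VMDK with the minimums the guide states. --min-ram 8192 makes
# OpenStack refuse flavors under 8 GB; --private keeps the image out of other projects'
# catalogues; --protected blocks deletion until the flag is cleared.
create_image() {
    run openstack image create --file "$KN_VMDK" --disk-format vmdk --container-format bare \
        --min-disk 20 --min-ram 8192 --private --protected "$KN_IMAGE"
}

# rule PROTO PORT CIDR: one ingress rule on the keynexus security group.
rule() {
    run openstack security group rule create --ingress --protocol "$1" --dst-port "$2" \
        --remote-ip "$3" keynexus
}

# Client ports only from the admin network, KMIP only from application servers, and the
# internode ports only from the cluster subnet. Nothing is opened to 0.0.0.0/0.
create_secgroup() {
    run openstack security group create --description KeyNexus-KMS keynexus
    for p in 443 1443 8443; do rule tcp "$p" "$KN_ADMIN_CIDR"; done
    rule tcp 5696 "$KN_KMIP_CIDR"
    rule tcp 8443 "$KN_CLUSTER_CIDR"
    rule tcp 2377 "$KN_CLUSTER_CIDR"
    rule tcp 7946 "$KN_CLUSTER_CIDR"
    rule udp 7946 "$KN_CLUSTER_CIDR"
    rule udp 4789 "$KN_CLUSTER_CIDR"
}

# create_node NAME IPV4: a Neutron port with a fixed IP (the address then survives reboots,
# which the guide requires for production clusters) and an instance booted from the image
# on that port.
create_node() {
    run openstack port create --network "$KN_NETWORK" \
        --fixed-ip "subnet=$KN_SUBNET,ip-address=$2" --security-group keynexus "$1-port"
    run openstack server create --image "$KN_IMAGE" --flavor "$KN_FLAVOR" \
        --nic "port-id=$1-port" "$1"
}

# Three-node cluster on placeholder addresses inside KN_CLUSTER_CIDR.
if [ "${1:-}" = deploy ]; then
    create_image
    create_secgroup
    create_node keynexus-node1 10.20.0.11
    create_node keynexus-node2 10.20.0.12
    create_node keynexus-node3 10.20.0.13
fi
```

Run `sh deploy-keynexus.sh deploy` to review the plan, then `KN_APPLY=1 sh deploy-keynexus.sh deploy` with your OpenStack RC file sourced to execute it. After the instances boot, continue with Section 2 using the fixed addresses you assigned.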

    Section 2 KeyNexus Initialization and Activation

    This section provides information regarding the activation of the KeyNexus UKM. Setting up
    KeyNexus involves the initialization of the nodes that make up a cluster, the deployment of the
    cluster, and activating KeyNexus with a subscription key and the creation of an Administrator
    account.

    Cluster Node Initialization

    To successfully configure your KeyNexus cluster, the nodes that make up that cluster must be

    initialized. Perform this operation on each node before adding it to your cluster.

    To access the KeyNexus Subscription Activator, open your browser and provide the URL
    containing the IP address (for example https://<node IP address>:8443, where
    <node IP address> is the IP address of the KeyNexus node), or the fully qualified domain name.
    Make sure to add port 8443 to the end of the URL.

    Note: When applicable, accept the self-signed certificate when navigating to the Initialize
    Network Node, Cluster Configuration, or Account Login pages. Accepting it means the browser
    cannot verify which server it is talking to, so on a network you do not fully control, confirm the
    certificate fingerprint the browser shows through a channel other than that browser connection
    before entering the cluster admin password.

    If you are initializing a network node for the first time, the KeyNexus Subscription Activator page

    appears.

    Initialize a Node

    1. Select Reboot if your system requires a reboot in order for the network config to take

    effect.


    2. Select DHCP or Static from the Network Config options.

    Select DHCP to configure the network automatically using DHCP.

    Select Static to manually configure the host and enter your valid network information (IP

    Address, Network Mask, Network Gateway and DNS) in their respective fields.

    There are several considerations when deciding between using DHCP or Static IP. Cluster nodes
    are identified by the IP address you enter on the Cluster Nodes page, so each node must keep
    its address:

    • If your DHCP server cannot guarantee that the same IP address is always provided to the
    same node, use DHCP only for short term test clusters.

    • If you need to use DHCP in a production environment, ensure that the same IP is
    provided to the same node using external tools such as pinned (reserved) entries in the
    DHCP server. On OpenStack, the equivalent is attaching the instance to a Neutron port that
    has a fixed IP.

    • Static IP can be used in a production environment to help ensure the same IP is
    provided to the same node.

    Note: If you select Static, change the IP address of the machine and choose the

    Reboot option, the Cluster Configuration on the Initialize Network Node success page

    does not advance you to the Cluster Nodes page. The IP in the address tab of the

    browser is no longer associated with that node. You must connect to the activator again

    with one of the new IPs to finish the configuration once the reboot is complete.

    3. Click Show Terms to review the Terms of Service and click Accept to accept them.

    Terms of service must be accepted to continue.


    4. Enter a Cluster Admin Password. Passwords must be 8-256 characters long. You
    must provide this password when clustering nodes and again when activating the cluster, and all
    nodes in a cluster must share the same password. Generate one long random value, store it in
    your password manager or secrets store, and do not settle for the 8-character minimum.

    5. Click Initialize Node. If any configuration step has been missed or entered incorrectly,

    that area is highlighted in red when you attempt to initialize the node. The information in

    highlighted area must be entered correctly to continue.

    When the node has been initialized, a message indicating the node has been

    successfully initialized is displayed.

    6. Click Cluster Configuration to continue.

    Perform this operation for each additional node that will be part of the cluster. An uninitialized

    node cannot be part of a cluster.

    Cluster Nodes

    Use the Cluster Nodes page to enter the name and IP address of each node in your cluster.

    1. Enter the name and IP address of your first node in the NODE #1 box.

    2. Click Add Node to open an additional node box. Enter the name and IP address of the

    second node. Repeat for each node you are adding to your cluster. When a valid node

    name and IP address are entered, the border around the Node box turns green.

    3. To remove a node, click the x in the top right corner of the node box. You cannot remove

    NODE #1.

    Once you have configured all the nodes in your cluster, click Continue to Specify License.

    This button appears when at least one node contains a valid name and IP address.

    Use the License page to enter your subscription key, create a first admin username and

    password, re-enter your cluster configuration password, and set the external IP address for the

    node currently being configured.


    Activate your KeyNexus Subscription

    1. Provide your subscription key in the Subscription Key field. There are several ways you

    can enter your key. You can enter your key manually, you can cut and paste the key

    from a text file, or you can import the subscription key by dragging and dropping a text

    file containing the subscription key into the Subscription Key field.

    2. Once a valid subscription key is entered in the Subscription Key field, information

    regarding the Business ID, the company associated with this subscription key, and the

    subscription key expiry date are displayed.

    3. Create an admin user by entering a name in the Pick your admin username field.

    4. Enter a password in the Pick your admin password field and verify it in the Pick your

    admin Password (Verify) field. The password must contain a minimum of 10

    characters. KeyNexus uses a password strength meter to indicate the strength of the

    password and provides tips for creating stronger passwords.

    Note: The tips provided by the password strength meter are informational. As long as

    your password meets the minimum length requirement, KeyNexus accepts the

    password.


    5. Enter the Cluster Configuration Password you created during the node initialization.

    6. Select the External IP address from the dropdown list. This list is made up of the nodes

    entered on the Cluster Nodes page.

    7. Click Activate Cluster when all fields have been completed. It can take some time for

    this action to complete.

    Successful activation of the KeyNexus cluster brings you to a summary page that contains

    information regarding your Business ID, the nodes in your cluster, the Administrator account

    and company account details.

    Click the Portal URL link or the Log In button to go to the KeyNexus login page, where the

    Business ID and Username fields are prepopulated.

    The Business ID is a unique alphanumeric code assigned to your organization, and is required

    when logging in using your account credentials. Record this number and store in a secure

    location as it is required for access to your account. If you lose your Business ID, contact your

    KeyNexus representative.


    Section 3 KeyNexus Configuration

    Account Login page

    Once you have received your Business ID, provide the URL containing the IP address (for
    example https://<node IP address>/login) or the fully qualified domain name into your
    browser's address bar. Make sure to add /login to the end of the URL. You can log in with
    your regular login credentials (Business ID, Username and Password), using Single Sign-On
    (SSO), or with a Client Certificate.

    1. Enter the Business ID provided on the Subscription Activation page in the
    Business field.

    2. Click the Login via SSO button if you have Single Sign On (SSO) configured for this

    account, otherwise enter a Username and Password in the applicable fields. Refer to

    the Administration section for information regarding configuring the KeyNexus portal for

    Single Sign-On.

    3. Click Login.

    4. Alternatively, click Sign in with client certificate. If you have previously generated a

    client certificate, you can use it to sign in to the KeyNexus portal as the user associated

    with the client certificate. Drag and drop the certificate file into the dialog, or click in the

    dialog, locate the certificate and click Open. If you have not generated a client

    certificate, refer to the Users section for instructions regarding the creation of a user with

    an associated client certificate.


    A successful login advances you to the Dashboard Page.

    Dashboard

    When logged in as an Administrator, the KeyNexus Dashboard provides visibility into the
    long-term trends in your organization's key management activity.

    The Dashboard shows the total keys, keys added, keys provisioned and keys rotated, and

    can display those values over the past day, week, month or year. Click on each item to display

    that information on the graph. Select Day, Week, Month or Year from the dropdown to display

    the key management information for the respective timeframe on the graph.

    When logged in as a Key User, the Dashboard provides your Business ID and links to your

    Keys and Account pages.


    Groups

    Use the Groups feature to create key groups that can assist you with the organization of your
    keys. Click the Groups tab to navigate to the Groups page.

    Note: The Groups tab is only available to users with Admin access.

    Add a group

    1. Click +Add Group. The Add New Group dialog appears.

    2. Enter the name of the key group in the Group Name field. This name should follow a

    naming convention to assist with the logical grouping of your keys.

    Note: Group names cannot use uppercase letters.

    3. Click Save. A message indicating that the new group was created appears in the top

    right corner.


    The new group now appears in the Group Name list.

    Delete a group

    1. Locate the group to delete in the list and click Delete under the Actions heading next to

    the group name. The Delete Group Confirmation dialog appears.

    2. Click Delete Group to remove the group or click Cancel to return to the Groups page.

    Note: This operation cannot be undone.

    The group is removed from the Group Name list.

    View Users in a Group

    1. Hover the mouse pointer over the number of users beside the applicable group. The

    users in that group appear as a tooltip.


    Search for a Group

    1. Use the Search field to locate existing groups. The groups table is filtered to display

    only groups matching the entry provided in the field. Groups are searched by group

    names as a substring. For example, entering ‘key' in the search field displays only

    the groups that contain ‘key’ in their name.

    Keys

    The Keys feature is used to create keys, add keys to the system and to view and edit details
    relating to existing keys. Click the Keys tab to navigate to the Keys page.

    The Keys Page contains a list of key names. Beside each key name is a version number,

    indicating how many times the key has been rotated. Each key row contains the type of key,

    owner information, and View and Delete Action buttons.

    Note: Each key must be associated with either a group or a key user. If no groups or key users

    have been created, you are prompted to create one before you can continue creating a key.

    See the Users and Groups sections for instructions regarding the creation of new users and

    groups.

    Add a new key

    1. Click +Add Key to advance to the Add or import new key dialog.


    2. Select one of the following to add a new key:

    a. Symmetric (AES)

    b. Asymmetric (RSA)

    c. Custom key

    3. Select a key type from the Key Type dropdown.

    • Symmetric (AES) key types include AES128, AES192 and AES256. Select
    Import Existing Key to import an existing key and enter that key in the Base64
    encoded key field.

    • Asymmetric (RSA) key types include RSA 2048, RSA3072, RSA4096, and

    ECDSA. Check Import Existing Key to import an existing private/public key pair.

    • Custom Key is any key created outside KeyNexus that you want to store and

    manage with KeyNexus.


    4. Provide a key name in the Key Name field. The key name cannot contain uppercase

    letters.

    5. Provide a description of the key in the Key Description field. (optional)

    6. Keys can be associated with a group or with an individual user. Select the group the key

    is associated with from the Key Group dropdown. Alternatively, you can associate the

    key with an individual user by selecting key is owned by user from the dropdown. The

    key is owned by user selection opens the Key Owner item in the Add Key dialog. If

    you have not created a group, you can still create a key, but the key is owned by user

    option is the only one available.

    7. Select a key location (Production, Dev or Test) from the Key Location dropdown.

    8. Click Automatic Rotation (optional). The Rotation Interval field appears.

    The automatic rotation feature allows you to set a recurring key rotation period. After the

    set time has elapsed and just prior to the provisioning of the key, the key automatically

    rotates.

    9. Click inside the Rotation Interval field to open the Interval dialog. Enter the interval

    between key rotations in the fields provided.

    10. Click Apply to set the schedule. The schedule is now displayed in the Rotation Interval

    field.

    11. Click Disable Key Until Date. (optional)

    This function hides the private part of the key when you use the /service/key/get API

    endpoint. The private part of the key displays in the API response once the selected time

    and date have passed. Click the date on the calendar, select a time and click on the

    applicable time zone.

    Note: The only way to see key data is through the API.


    12. Click Save. A message appears indicating the key was successfully created.

    Import Custom Keys

    In addition to generating its own keys, KeyNexus can also import and store keys generated

    outside KeyNexus. This operation can be performed in several different ways; it can be

    imported as a Base64 encoded AES key, as an RSA public and private key pair, or as a custom

    key. This section describes the method for importing and storing each key type.

    Import a Base64 Encoded AES key

    1. Under the Symmetric tab, select Import Existing Key from the Key Type dropdown.

    The Base64 Encoded Key field appears under the Key Type dropdown.

    2. Enter the Base64 encoded key in the Base64 Encoded Key field.

    3. Follow the remaining steps as shown in the To add a new key section to complete the

    import process.

    Encode and Decode AES keys in Base64

    The Base64 Encoded Key field expects the Base64 encoding of the raw key bytes (16, 24 or
    32 bytes for AES128, AES192 or AES256). Encode the binary key file itself, not a hex or text
    representation of it: encoding a hex string produces a value of the wrong length that KeyNexus
    rejects, or, when the length happens to be supported, imports a different key from the one you
    intended.

    To encode an existing AES key in Base64 on a Linux or Mac system, enter the following
    command through the command line interface:

    base64 [infile.key] > [outfile.b64]

    To decode the Base64 value stored in KeyNexus and save the raw key to a file on a Linux or
    Mac system, retrieve the key through a cURL request and enter the following command through
    the command line interface:

    base64 -d [infile.b64] > [outfile.key]

    Note: GNU coreutils base64 (Linux) decodes with -d; the BSD base64 shipped with older
    macOS releases uses -D (uppercase). If one form is rejected, use the other.

    To encode an existing AES key in Base64 on a Windows system, enter the following command
    in the command line interface:

    certutil -encode [infile.key] [outfile.b64]

    Note: certutil -encode wraps its output in -----BEGIN CERTIFICATE----- and
    -----END CERTIFICATE----- lines and breaks the Base64 text into 64-character lines. Remove
    the two header lines and join the remaining lines before pasting the value into the Base64
    Encoded Key field.

    To decode the Base64 value stored in KeyNexus and save the raw key to a file on a Windows
    system, retrieve the key through a cURL request and enter the following command through the
    command line interface:

    certutil -decode [infile.b64] [outfile.key]

    Note: The length of the encoded AES key is determined from the input, but it must be one of the
    supported lengths (128, 192 or 256 bits). If your key is not one of the supported lengths, it is
    recommended that you import it as a custom key. See Importing Custom Keys for more
    information.
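The commands above, extended into a small checked workflow as an added example (editor-supplied, not KeyNexus code or commands from the guide): it generates a key of a supported length, encodes it for the Base64 Encoded Key field, and verifies that any Base64 value decodes to exactly 16, 24 or 32 bytes before you paste it into KeyNexus. It uses openssl for both directions so the GNU -d versus BSD -D difference in the base64 utility does not matter; an installed openssl and the output file names are assumptions.

```shell
#!/usr/bin/env sh
# Editor-added example, not KeyNexus code: generate, encode and validate AES key material
# for the Base64 Encoded Key import field. Assumes openssl is installed; file names are
# placeholders.
set -eu

# Print the Base64 encoding of a fresh random AES key of $1 bits (128, 192 or 256).
# openssl rand writes raw bytes; openssl base64 -A emits a single unwrapped line.
new_aes_key_b64() {
    bits=$1
    case "$bits" in
        128|192|256) ;;
        *) echo "unsupported AES key length: $bits" >&2; return 1 ;;
    esac
    openssl rand "$((bits / 8))" | openssl base64 -A
}

# Decode a Base64 value and print its key length in bits if it is a supported AES length.
# Prints nothing and returns non-zero for malformed input or an unsupported length, which is
# the case the guide tells you to import as a Custom key instead.
aes_key_bits() {
    b64=$1
    # -A accepts single-line input; stderr is silenced so a bad value just fails.
    nbytes=$(printf '%s' "$b64" | openssl base64 -d -A 2>/dev/null | wc -c | tr -d ' ')
    case "$nbytes" in
        16) echo 128 ;;
        24) echo 192 ;;
        32) echo 256 ;;
        *)  echo "decoded length $nbytes bytes is not 128/192/256 bits; import as a Custom key" >&2
            return 1 ;;
    esac
}

# Round trip: encode a new key of $1 bits, decode it, and confirm the length survived.
roundtrip_ok() {
    key_b64=$(new_aes_key_b64 "$1")
    [ "$(aes_key_bits "$key_b64")" = "$1" ]
}

# Typical use: create a 256-bit key, keep the Base64 text for the import field, and keep the
# raw bytes only in a file readable by the current user (umask 077 -> mode 0600).
if [ "${1:-}" = generate ]; then
    umask 077
    key_b64=$(new_aes_key_b64 256)
    printf '%s\n' "$key_b64" > aes256.b64                       # paste into Base64 Encoded Key
    printf '%s' "$key_b64" | openssl base64 -d -A > aes256.key  # raw key bytes
    echo "wrote aes256.b64 and aes256.key ($(aes_key_bits "$key_b64") bits)"
fi
```

Run `sh aes-key-b64.sh generate` to produce a key pair of files, or call `aes_key_bits` on a value you already have before importing it; a non-zero exit means the value is not a valid AES128/192/256 key encoding and should go through the Custom key path instead.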

    Import RSA keys

    1. Under the Asymmetric tab, select the key type from the Key Type dropdown and check

    the Import Existing Key box below.

    2. Add the Public Key and Private Key information in the applicable fields.

    3. Follow the remaining steps as shown in the To add a new key section to complete the

    import process.


    Import Custom Keys

    1. Under the Custom tab, Enter the key data into the Custom Key field. You can do this

    by copying the key content and pasting it into the field, dropping the key file into the field,

    or by clicking the Upload file button, navigating to the file location and clicking the Open

    button.

    2. Follow the remaining steps as shown in the To add a new key section to complete the

    import process.

    Key Details

    Once a key has been created or imported, it appears in the table located on the Keys page.

    Click View beside each key name to display additional key details, edit attributes or rotate the

    key.


    Key users also have the option of downloading the key from this page.

    Key Rotation

    Key Rotation retains the attributes of the original encryption key while generating new key data.
    Rotating keys on a regular basis limits how much data any single key version protects, so a
    leaked or cracked version exposes less of your encrypted data.

    To rotate your key manually, click Rotate, then click Confirm Rotate. When the key has

    successfully rotated, the key version increments. Information relating to the rotation appears in

    Key History.

    To set or change the rotation schedule after a key has been created, make sure the Automatic

    Rotation option has been selected and click in the Rotation Interval field to set the rotation

    schedule.

    Note: Only AES and RSA keys can be rotated. Custom keys cannot be rotated.

    Note: Rotating your key periodically should be part of your key management strategy.


    Edit Key Attributes

    Select Edit Key Attributes to make changes to the key description, set the automatic key
    rotation, or edit key access restrictions.

    Enter any information concerning the key in the Key Description field.

    Set the Key Rotation schedule

    Select Automatic Rotation to set a recurring key rotation period. After the set time has elapsed,
    the key automatically rotates.

    1. Select the Automatic Rotation check box.

    2. Click inside the Rotation Interval field to open the Interval dialog. Enter the interval

    between key rotations in the fields provided.

    3. Click Apply to set the schedule.

    Note: When automatic rotation is set, the rotation is not performed until necessary, such as just

    prior to provisioning. For example, if the key is not provisioned for 5 days, then the key is not

    rotated in this time period, even if the rotation interval is less than 5 days.


    Edit Key Access Restrictions

    Use the Edit Key Access Restrictions feature to disable the key until a specific date, or to make
    changes to an existing key access restriction that was set during the key creation process.

    1. Under Edit Key Access Restrictions, select the Set New Time option.

    2. Select the Month, Day and Time that the access restriction ends.

    3. Set the Time Zone.

    When all changes have been made in the Modify Key dialog, click Apply changes to return to

    the key’s View page.

    Key Operations History

    You can also view your key history from this page. Operations History allows you to view the
    key operations since it was created. Select a filter from the dropdown list to limit the history to
    Add, Add Batch, Change State, Delete, Get, Get Batch, or Rotate. Select All Operations
    to view the complete history of the key.


    Note: Operations History information is only available to users with Admin access.

    Download a Key

    When an AES, RSA or custom key has been successfully generated or imported, you also have
    the option of downloading the key. This can be useful when removing any formatting changes.

    Log in under the key owner’s account. Click the Keys tab and click View beside the name of the

    key.

    Click the Download Key button. The key file downloads to your system.

    Note: When downloading RSA keys, there are two download options; one for the private key,

    the second for the public key.


    Delete a Key

    1. Click Delete to permanently remove this key. Click Confirm Delete to complete this

    action or Cancel to return to the Manage Keys page.

    Important: This operation cannot be undone. Ensure this operation is necessary before you

    proceed.

    Search for a Key

    Use the Search field to locate existing keys. The keys table is filtered to display only
    keys matching the entry provided in the field. For example, entering 'key' displays only
    the keys that contain 'key' in their name.

    Add keys through the API

    All the configuration request examples shown in this section are through cURL.

    The service/key/add endpoint allows you to create a key.

    Adding a key with business ID and credentials

    curl -k -H "content-type: application/json" -XPOST \
        "https://your.ip:1443/service/key/add" -d '{
            "business": "BUSINESS_ID",
            "creds": [
                {
                    "username": "USER",
                    "password": "PASSWORD"
                }
            ],
            "group": "KEY_GROUP",
            "keyLocation": "LOCATION",
            "keyType": "TYPE",
            "keyName": "KEY_NAME"
        }'

    Once you have authenticated with a Business ID and credentials with the authentication

    endpoint, the API returns a token. Use this token for the remainder of the endpoints that require

    or use a token for authenticating.


    Adding a key with a token

    curl -k -H "content-type: application/json" -XPOST \
        "https://your.ip:1443/service/key/add" -d '{
            "token": "TOKEN",
            "group": "KEY_GROUP",
            "keyLocation": "LOCATION",
            "keyType": "TYPE",
            "keyName": "KEY_NAME"
        }'

    Add Batch Keys through the API

    All the configuration request examples shown in this section are through cURL.

    add_batch allows you to create multiple keys at one time, rather than using add, which

    creates keys one at a time.

    Add_batch using a Business ID and credentials

    curl -k -H "content-type: application/json" -XPOST \
        "https://your.ip:1443/service/key/add_batch" -d '{
            "business": "BUSINESS_ID",
            "creds": [
                {
                    "username": "USER",
                    "password": "PASSWORD"
                }
            ],
            "group": "KEY_GROUP",
            "keys": [
                {
                    "keyName": "KEY_NAME_A",
                    "keyType": "KEY_TYPE_A",
                    "keyLocation": "LOCATION_A"
                },
                {
                    "keyName": "KEY_NAME_B",
                    "keyType": "KEY_TYPE_B",
                    "keyLocation": "LOCATION_B"
                }
            ]
        }'

    Once you have authenticated with a Business ID and credentials with the authentication

    endpoint, the API returns a token. Use this token for the rest of the endpoints that require or use

    a token for authenticating.


    Add_batch using a token

    curl -k -H "content-type: application/json" -XPOST \
        "https://your.ip:1443/service/key/add_batch" -d '{
            "token": "TOKEN",
            "group": "KEY_GROUP",
            "keys": [
                {
                    "keyName": "KEY_NAME_A",
                    "keyType": "KEY_TYPE_A",
                    "keyLocation": "LOCATION_A"
                },
                {
                    "keyName": "KEY_NAME_B",
                    "keyType": "KEY_TYPE_B",
                    "keyLocation": "LOCATION_B"
                }
            ]
        }'

    For each of the examples shown:

    “https://your.ip:1443/service/key/add” is the address of your VM, the port number

    and the add key endpoint.

    “business” is the Business ID for your KeyNexus instance.

    “username” is the name of the user signing in to create a key.

    “password” is the password of the user signing in to create a key.

    “token” is the returned value when you have provided the API a valid Business ID, username

    and password.

    “keyLocation” defines where the key is assigned (Production, Dev or Test).

    “group” is the group the key is associated with.

    “keyName” is an optional parameter for providing the name of the key. keyName cannot be the

    same name used for an existing key. keyName cannot contain uppercase letters.

    “keyType” defines the type of key used. The different allowable key types are: AES128,

    AES192, AES256, RSA2048, RSA3072, RSA4096, ECDSA or CUSTOM.

    If Custom key type is used, the keyData parameter that contains data related to the custom

    key must be included in the request.

    If ECDSA (Elliptic Curve Digital Signature Algorithm) is used for the keyType, you can include

    the keyParams parameter and set it to one of the many available security curves. If ECDSA is

    selected and keyParams is not included in the request, the default parameter prime256v1 is

    used.


    Available ECDSA curves

    FRP256v1, brainpoolp160r1, brainpoolp160t1, brainpoolp192r1, brainpoolp192t1,
    brainpoolp224r1, brainpoolp224t1, brainpoolp256r1, brainpoolp256t1, brainpoolp320r1,
    brainpoolp320t1, brainpoolp384r1, brainpoolp384t1, brainpoolp512r1, brainpoolp512t1,
    B-163, B-233, B-283, B-409, B-571, K-163, K-233, K-283, K-409, K-571, P-192, P-224, P-256,
    P-384, P-521, secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1,
    secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, secp256r1, secp384r1,
    secp521r1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2,
    sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect409k1, sect409r1,
    sect571k1, sect571r1, c2pnb163v1, c2pnb163v2, c2pnb163v3, c2pnb176w1, c2tnb191v1,
    c2tnb191v2, c2tnb191v3, c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2pnb272w1,
    c2pnb304w1, c2tnb359v1, c2pnb368w1, c2tnb431r1, prime192v1, prime192v2, prime192v3,
    prime239v1, prime239v2, prime239v3, prime256v1

    Note: When using the add_batch endpoint, the keyType and keyLocation information must
    be provided for each individual key (KEY_TYPE_A, KEY_TYPE_B, etc.). This also applies if
    you are including the optional keyName parameter for each key in the request.
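The rules listed for the add and add_batch requests above can be checked client-side before anything is sent. The POSIX shell functions below are an added example, not code from the guide or from KeyNexus: they assemble the token form of the add_batch body, reject entries that break a stated rule, and send the result with cURL. The group name, key names, TOKEN_PLACEHOLDER and the CA bundle path are constructed placeholders.

```shell
# Added example, not from the KeyNexus guide: build and sanity-check the JSON
# body for service/key/add_batch (token form) before sending it. Checks the
# rules stated in the guide: keyName lowercase and unique, keyType from the
# allowed set, keyLocation one of Production/Dev/Test, keyType and keyLocation
# present for every key, keyData present for CUSTOM. Assumes POSIX sh.

KN_KEY_TYPES="AES128 AES192 AES256 RSA2048 RSA3072 RSA4096 ECDSA CUSTOM"
KN_LOCATIONS="Production Dev Test"

# kn_in_list WORD LIST -> 0 when WORD is one of the space-separated LIST.
kn_in_list() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# kn_key_entry NAME TYPE LOCATION [EXTRA]
# Prints one element of the "keys" array. NAME may be empty (keyName is
# optional). EXTRA is the keyParams curve for ECDSA (the server defaults to
# prime256v1 when it is omitted) or the required keyData for CUSTOM.
kn_key_entry() {
    name=$1; type=$2; loc=$3; extra=$4
    # Values are placed in JSON strings verbatim, so refuse quoting characters.
    case "$name$type$loc$extra" in
        *'"'*|*'\'*) printf 'quote or backslash in value\n' >&2; return 1 ;;
    esac
    case "$name" in
        *[ABCDEFGHIJKLMNOPQRSTUVWXYZ]*)
            printf 'keyName %s: uppercase letters are not allowed\n' "$name" >&2
            return 1 ;;
    esac
    kn_in_list "$type" "$KN_KEY_TYPES" ||
        { printf 'keyType %s: not allowed\n' "$type" >&2; return 1; }
    kn_in_list "$loc" "$KN_LOCATIONS" ||
        { printf 'keyLocation %s: not allowed\n' "$loc" >&2; return 1; }
    extraf=""
    case "$type" in
        ECDSA)  [ -n "$extra" ] && extraf=",\"keyParams\":\"$extra\"" ;;
        CUSTOM) [ -n "$extra" ] ||
                    { printf 'CUSTOM key needs keyData\n' >&2; return 1; }
                extraf=",\"keyData\":\"$extra\"" ;;
    esac
    namef=""
    [ -n "$name" ] && namef="\"keyName\":\"$name\","
    printf '{%s"keyType":"%s","keyLocation":"%s"%s}' \
        "$namef" "$type" "$loc" "$extraf"
}

# kn_add_batch_body TOKEN GROUP ENTRY...
# Joins entries into the request body. Duplicate key names are rejected,
# since a keyName must not collide with another key.
kn_add_batch_body() {
    token=$1; group=$2; shift 2
    [ $# -gt 0 ] || { printf 'at least one key entry is required\n' >&2; return 1; }
    dups=$(printf '%s\n' "$@" |
        sed -n 's/.*"keyName":"\([^"]*\)".*/\1/p' | sort | uniq -d)
    [ -z "$dups" ] || { printf 'duplicate keyName: %s\n' "$dups" >&2; return 1; }
    keys=""
    for e in "$@"; do
        keys="${keys:+$keys,}$e"
    done
    printf '{"token":"%s","group":"%s","keys":[%s]}' "$token" "$group" "$keys"
}

# kn_add_batch CA_BUNDLE URL BODY
# The guide's examples use -k, which turns off certificate verification;
# pinning the KeyNexus CA with --cacert instead keeps the token and key
# material from being sent to a server that is not yours.
kn_add_batch() {
    curl -sS --cacert "$1" -H "content-type: application/json" -X POST "$2" -d "$3"
}

# Usage (network call commented out): two keys in one batch, validated locally.
# body=$(kn_add_batch_body TOKEN_PLACEHOLDER mygroup \
#     "$(kn_key_entry keya AES256 Production)" \
#     "$(kn_key_entry keyb ECDSA Dev secp384r1)") &&
#     kn_add_batch /path/to/keynexus-ca.pem \
#         "https://your.ip:1443/service/key/add_batch" "$body"
```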

    Users

    The Users feature is used to create additional administrator and key user accounts, and to view
    and edit existing key request accounts and key groups.

    Note: The Users tab is only available to users with Admin access.

    Note: Each key must be associated with a group or user.

    1. Click the Users tab. The Users page appears.

    2. Click Administrators to view all users with admin access, or click Key Users to view all

    users with key user access.

    Create a New User

    1. Click Add User. The Add New User dialog appears.


    2. Enter the information required in the Add New User dialog:

    Username: Enter the username.

    User Role: Check the Administrator or Key Access User option. Administrators can create
    additional keys, users and groups, while Key Access Users can create and manage keys, but
    cannot create additional users or groups.

    Groups: Select a group or groups from the available group names. This option is only
    available for a Key Access User.

    Default Group: From the list of groups the user is a part of, you can select one to act as
    the default group. This is primarily used when integrating KeyNexus as a Key Management
    Server (KMS). (optional)

    Email: Enter the email address associated with this account. (optional)

    Authenticate via Client Cert: Select this option to generate or upload a certificate used to
    authenticate this user. You can download the certificate after the new user is created. See
    Authentication Certificate for more information.

    Password: Enter the password for this user. The password must have a minimum length of 10
    characters. KeyNexus provides feedback relating to the strength of your password.

    Confirm Password: Re-enter your password.

    The Strength Meter under the Password field displays the strength of the entered password.
    Password strength levels are displayed as a colored bar below the Password field, and
    identified as Weak, Medium, Strong or Very Strong.

    3. (Optional) Click the Enforce IP Whitelist checkbox to restrict API requests for this
    account to the IP addresses contained in this range. Enter the IP addresses in the field
    provided. To enter multiple IP addresses, enter them in a comma separated value format
    (a.b.c.d, a.b.c.d, etc.).

    4. Click Add User.

    Authentication Certificate

    Instead of using a username and password to authenticate a KeyNexus user, you can generate,

    download or upload an authentication certificate associated with a specific KeyNexus account

    and use it in lieu of login credentials. This certificate can be generated in several different ways:

    a. During the initial user creation process, select the Authenticate via Client Cert option.

    b. After the user has been created, locate the user in the Users list and click

    AuthCertificate beside the user name.

    c. After the user has been created, locate the user in the Users list, click Edit beside the

    user name, select the Authenticate via Client Cert option and click Apply Changes.


    In each case the Authentication Certificate Download dialog opens.

    Click Download to download the existing authentication certificate or select the Generate New

    Certificate option and click Generate and Download to generate and download a new

    authentication certificate.

    Important: Enabling a new authentication method automatically disables any existing method.

    When you generate a new certificate, your login credentials change. Any current authentication

    token becomes invalid and your login session terminates. Make sure you click Download to

    download the new certificate. If you do not download the certificate, you will be unable to log

    back in, as the current login credentials have been disabled.

    Note: If there is no existing authentication certificate associated with the user, the dialog

    displays a message indicating you must generate a new certificate.

    Note: Generating a new certificate automatically invalidates any existing certificate for that user.

    To apply an existing authentication certificate to the user account, click Upload. Copy and paste

    the authentication certificate information into the Certificate field.


    Note: When uploading an auth cert, make sure it contains matching user and Business ID

    information. If the certificate does not contain these items, a message appears, indicating that

    the certificate is not valid.

    This certificate can be provided when integrating KeyNexus to different applications. For an

    example of how the authentication certificate is used, refer to the KeyNexus VSphere

    Integration Guide.

    Delete a User

    1. Click Delete beside the user name in the Users list to permanently remove this user.

    Click Confirm Delete to complete this action or Cancel to return to the Users page.

    Note: This operation cannot be undone.

    Note: Before deleting a user, ensure that any keys owned by that user have also been deleted.

    To search for a user

    1. Use the Search field to locate existing users. The Users table is filtered to display

    only the user names that match the entry provided in the field. For example, entering

    'b' displays only the user names that contain the letter 'b'.

    Administration

    The Administration tab is used to configure or monitor the following administrative functions in
    KeyNexus:

    • Company Info

    • Corporate Sign-in

    • Cluster

    • JWT

    • Logging

    • Backup

    Note: The Administration tab is only available to users with Admin access.


    Company info

    Under the Administration tab, click Company Info to display your Company Name, Business

    ID, License Type and License Expiration.

    To change the company name, click Change beside the Company Name entry. The Edit

    Company Name dialog appears.

    Enter the new company name and click Update.

    Corporate Sign-in

    Use the Corporate Sign-in feature to configure the KeyNexus portal to use Single Sign On

    (SSO). Allowing SSO access requires configuration of the KeyNexus portal as well as the

    Identity Management platform. For instructions regarding the configuration of two popular

    Identity Management services, refer to the KeyNexus ADFS Single Sign-in Guide, or the

    KeyNexus Splunk Single Sign-in Guide.

    1. Click the Corporate Sign-in tab. If this is your first time configuring Corporate Sign-in,

    click Enable. The Edit Corporate Sign-In dialog appears.


    2. Enter a name in the Entity ID field. (optional) This can be any name you want. This field

    can even be left blank without affecting the configuration.

    3. Enter the URL of the Identity Management provider in the SSO URL field.

    4. Enter the Certificate Fingerprint. This information is provided by the Identity

    Management platform.

    5. Select the Fingerprint Algorithm from the dropdown. This information is provided by

    the Identity Management platform.

    6. Click Apply Changes.

    Cluster

    The Cluster feature provides a simple overview of the health of each node in a cluster.

    1. Under the Administration tab, click Cluster. The Cluster Status page appears.


    If the cluster is healthy, the following message is displayed:

    The health of each node in the cluster is also displayed on this page.

    The Cluster Status page shows each node and displays the status of the web, API and

    database for each node.

    JWT

    Use the JWT feature to configure the KeyNexus portal to use an existing authentication method

    to authenticate a user. It is similar to Corporate Sign-In in that it is a method of signing into

    KeyNexus without using a password. Instead of configuring an identity management service, the

    JWT feature passes a JSON Web Token (JWT) to the KeyNexus API which is then exchanged

    for a KeyNexus JWT.

    Prior to configuring the JWT feature in KeyNexus, you must generate a private and public key

    pair from your application. Once this is done, use the public key you generated and enter it in

    the Public Key field.

    1. Log in to the KeyNexus portal, click the Administration tab, then click JWT.


    If this is your first time configuring JWT, click Edit to open the Edit JWT Sign-In dialog.

    2. Enter the JWT Public Key.

    3. Select the JWT Algorithm from the dropdown.

    4. Click Apply Changes.

    Logging

    The logging features allow you to send and store KeyNexus Portal log information to an external

    syslog server. The KeyNexus portal can work with many syslog server applications. Whenever

    an operation is performed, such as get, add, rotate, etc., the operation is written to the audit

    log and logged on the syslog server. Refer to your syslog server documentation for

    configuration details.

    1. Click the Logging tab. If this is your first time configuring Logging, click Enable. The

    Edit Logging dialog appears.


    2. Enter the Host location of the syslog server in the Host field. This value is entered as

    either a fully qualified domain name or an IP address in the IPv4 format

    (aaa.bbb.ccc.ddd).

    3. Enter the port number. The default port number for communication with a syslog server

    is 514, but you can change the port the syslog server is listening on.

    Note: If you change the port number here, you must also change the port number on the

    syslog server application. Refer to the syslog server documentation for more information.

    4. Click the Use SSL checkbox to use Secure Sockets Layer to create an encrypted link

    between KeyNexus and your syslog server.

    5. Select the severity level of logging you want to record from the Level dropdown. The
    syslog standard uses severity levels to differentiate between message types. By setting a
    level here, the KeyNexus portal sends messages of that severity level and of every more
    severe level (those with a lower syslog severity number). For example, if a level of
    Warning is set, all messages from Warning up to Emergency are sent to the syslog server.

    6. Enter a name in the Application Name field.

    7. Click Apply Changes.

    To disable logging, click Disable on the Logging page.


    Backup

    The Backup and Restore features allow you to capture the current state of your KeyNexus

    implementation, store it, and if necessary restore your implementation to that previous state.

    The backup can be performed on demand, or can be set to operate on a schedule. The backup

    and restore features can be accessed through the user interface or through the KeyNexus API.

    For information regarding the Backup and Restore features, refer to the KeyNexus Clustering

    and Backup Guide.

    Support

    The Support tab contains additional information for using KeyNexus Key Management.

    • Release Notes

    • KeyNexus Key Management REST API

    • Support Desk

    Release Notes

    Select the Release Notes tab to review new features, improvements and bug fixes for each

    version of the KeyNexus platform.

    KeyNexus Key Management REST API

    Select the Service Layer API Documentation tab to access the KeyNexus Key Management REST API.


    Support Desk

    Click on Support Desk to link to the KeyNexus Help Center. Once there, provide your email

    address to receive a link to access your tickets.

    To create a new ticket, click Send New Ticket. When the New Ticket dialog appears, enter

    your name, email address, subject and message detailing the nature of your request in the

    fields provided. If you need to include any files with your ticket, drop the file into the Drop your

    files field or click the click here button, navigate to the file location, and click Open. Click

    Create Ticket when you are finished.

    Changes to Account

    Click on the username on the right side of the page to make changes to the account currently
    logged in to KeyNexus, or to log out the current user.

    Click My Account to make changes to your account information, to update your authentication

    method or to update the IP Whitelist.


    The Account info page provides information such as the Business ID associated with the

    account, user name, account type and email information. Click Change in the Email row to

    update the account email information. Update the email address and click Update Email.

    Click the Authentication tab to make changes to the current authentication method. Here, you

    can view the current authentication method, change the account password, or generate a new

    authentication certificate.

    To set a new password, enter the password in the New Password field. Type it again in the

    Confirm New Password and click Set / Change Password.

    To generate a new authentication certificate, click Generate New Certificate. The

    Important: Enabling a new authentication method automatically disables any existing method.

    When you generate a new certificate, your login credentials change. Any current authentication

    token becomes invalid and your login session terminates. Make sure you click Download to

    download the new certificate. If you do not download the certificate, you will be unable to log

    back in, as the current login credentials have been disabled.


    After the Current Authentication dialog closes, you are redirected to the login page. Click Sign

    in with client certificate and drop the certificate file into the dialog box, or click in the dialog,

    navigate to the file location and click Open.

    Click the IP Whitelist tab to make changes to the IP Whitelist settings. Click Change to open

    the Edit IP Whitelist dialog.

    Click the Enforce IP Whitelist checkbox to restrict API requests for this account to the IP
    addresses contained in this range. Enter the IP addresses in the field provided. To enter
    multiple IP addresses, enter them in a comma separated value format (a.b.c.d, a.b.c.d, etc.).

    Click Update IP Whitelist when finished.

    Click Logout to exit the currently logged in account and return to the Account Login page.


    KMIP

    The Organization for the Advancement of Structured Information Standards (OASIS), in
    partnership with various security companies, has developed the Key Management
    Interoperability Protocol, a standardization method for encryption of stored data and
    cryptographic key management.

    KeyNexus can be deployed as an enterprise or cloud-based encryption key service that

    manages your keys throughout their entire lifecycle. As part of this key management service,

    KeyNexus supports Key Management Interoperability Protocol (KMIP) communication between

    key management servers and cryptographic clients.

    KeyNexus supports KMIP versions 1.1 and 1.2. For information relating to the KeyNexus implementation of KMIP, refer to the KeyNexus KMIP Guide. For complete information, refer to the Key Management Interoperability Protocol documentation set at http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip.


  • OpenStack Guide v1.2

    KeyNexus Inc. 205 2657 Wilfert Road Victoria, B.C. V9B 5Z3

    Copyright 2018 KeyNexus Inc. All rights reserved. KeyNexus is a trademark of KeyNexus Inc. All other product names, logos, and brands are

    property of their respective owners. All other company,

    product and service names used in this document are

    for identification purposes only. Use of these names,

    logos, and brands does not imply endorsement.