Black Box EncrypTight, ET0010A, ET0100A, ET1000A Adding ETKMSs

Managing Key Management Systems

156 EncrypTight User Guide

In order to ensure network resiliency, some EncrypTight configurations may have external ETKMSs

installed in pairs: a primary ETKMS and a backup ETKMS. The ETPM distributes the policies to both

the primary ETKMS and backup ETKMS. Only the primary ETKMS distributes the keys and policies to

the PEPs. If a communication failure occurs with the primary ETKMS due to a ETKMS failure or

network failure, the backup ETKMS assumes the generation and distribution of the keys and policies to

the PEPs. Once communication with the primary ETKMS is reestablished, the primary resumes the

distribution of the keys and policies to the PEPs.

CAUTION

Do not add backup ETKMSs as separate appliances in the Appliance Manager in ETEMS. Backup

ETKMSs should only be specified in the Backup IP Address box in the ETKMS editor. Backup ETKMSs

are not listed in the Appliance Manager view. If you add a backup ETKMS to the Appliance Manager, you

can accidentally use it in network sets and policies, which will interfere with the ability of the server to act

as a backup.

Adding ETKMSs

To add an ETKMS:

1 From the perspective tab, click >> and select Appliance Manager.

2 In the Appliance Manager, select File > New Appliance.

3 Select Product Family > ETKMS and Software Version ETKMS n.n where n.n is the appropriate

ETKMS version.

If you want to add a local ETKMS, select ETKMS LM and the appropriate software version. Enter

the ETKMS properties in the ETKMS appliance editor as described in Table 40.

Figure 52 Key Management System appliance editor

Contents

Main BL A C K B OX Table of Contents Part I: EncrypTight Installation and Maintenance Page Part II: Working with Appliances using ETEMS Part III: Using ETPM to Create Distributed Key Policies Page Part IV: Troubleshooting Part V: Reference Page Page Page Preface About This Document Page Page Page 1 Distributed Key Topologies Page EncrypTight Elements EncrypTight Element Management System Policy Manager Key Management System Policy Enforcement Point Point-to-Point Negotiated Topology Security within EncrypTight Secure Communications Between Devices Secure Key Storage within the ETKMS 2 EncrypTight Component Connections Management Station Connections ETPM to ETKMS Connections ETPM and ETKMS on the Same Subnetwork ETPM and ETKMS on Different Subnetworks Page External ETKMS to ETKMS Connections Connections for Backup ETKMSs Connecting Multiple ETKMSs in an IP Network ETKMS to ETKMS Connections in Ethernet Networks ETKMS to PEP Connections ETKMS to PEP Connections in IP Networks ETKMS to PEP Connections in Ethernet Networks Network Clock Synchronization IPv6 Address Support Certificate Support Network Addressing for IP Networks Page 3 Before You Start Hardware Requirements EncrypTight software can be installed on a Windows PC or laptop. Software Requirements Table 4 EncrypTight management station requirements Table 5 Third party management station software EncrypTight Software Installation Installing EncrypTight Software for the First Time Upgrading to a New Version of EncrypTight Uninstalling EncrypTight Software Starting EncrypTight Exiting EncrypTight Management Station Configuration Securing the Management Interface Enabling the Microsoft FTP Server Configuring the Syslog Server Installing ETKMSs Configuring ETKMSs Basic Configuration for Local ETKMSs About Local ETKMSs Adding a Local ETKMS Launching and Stopping a Local ETKMS Starting the Local ETKMS Automatically Configuring External ETKMSs Logging Into the ETKMS Changing the Admin Password Changing the Root Password Configure the Network Connection Page Configure Time and Date Properties Page Check the Status of the Hardware Security Module Starting and Stopping the ETKMS Service Checking the Status of the ETKMS Secure the Server with the Front Bezel Configuring Syslog Reporting on the ETKMSs Policy Enforcement Point Configuration Default User Accounts and Passwords Managing Licenses Installing Licenses Upgrading Licenses Upgrading the EncrypTight License Upgrading ETEP Licenses Next Steps Page Page 4 Working with EncrypTight User Accounts Configuring EncrypTight User Authentication Page Page Managing EncrypTight Accounts Changing an EncrypTight User Password How EncrypTight Users Work with ETEP Users Page 5 Working with the EncrypTight Workspace About the EncrypTight Workspace Saving a Workspace to a New Location Loading an Existing Workspace Moving a Workspace to a New PC Deleting a Workspace Installing Software Updates Step 1: Schedule the Upgrade Step 2: Prepare ETPM Status and Renew Keys Step 3: Upgrade the EncrypTight Software Step 4: Verify ETKMS Status and Deploy Policies Step 5: Upgrade PEP Software Page Step 6: Change the PEP Software Version and Check Status Step 7: Return Status Refresh and Key Renewal to Original Settings Upgrading External ETKMSs Page Page Page Page 6 ETEMS Quick Tour Defining Appliance Configurations Pushing Configurations to Appliances Page Maintenance and Troubleshooting Policy and Certificate Support Understanding the ETEMS Workbench Page Toolbars Status Indicators Understanding Roles EncrypTight User Types ETEP Appliance Roles Modifying Communication Preferences 5Click OK. Table 24 General communication preferences Table 25 Strict authentication communication preferences 7 Provisioning Basics Adding a New Appliance Saving an Appliance Configuration Pushing Configurations to Appliances Viewing Appliance Status Page Comparing Configurations Filtering Appliances Based on Address Rebooting Appliances Appliance User Management ETEP User Roles Configuring the Password Enforcement Policy User Name Conventions Default Password Policy Conventions Strong Password Policy Conventions Cautions for Strong Password Enforcement Managing Appliance Users Adding ETEP Users Page Modifying ETEP User Credentials Deleting ETEP Users Viewing ETEP Users Working with Default Configurations Customizing the Default Configuration Restoring the ETEMS Default Configurations Provisioning Large Numbers of Appliances Creating a Configuration Template Importing Configurations from a CSV File Page Importing Remote and Local Interface Addresses Changing Configuration Import Preferences Checking the Time on New Appliances Shutting Down Appliances 8 Editing Configurations Changing the Management IP Address Changing the Address on the Appliance Changing the Address in ETEMS Changing the Date and Time Changing Settings on a Single Appliance Changing Settings on Multiple Appliances Deleting Appliances Connecting Directly to an Appliance Connecting to the Command Line Interface Upgrading Appliance Software Page Page Page Canceling an Upgrade What to do if an Upgrade is Interrupted Checking Upgrade Status Restoring the Backup File System Page Page Page 9 Opening ETPM About the ETPM User Interface Page EncrypTight Components View Editors Policy View ETPM Status Indicators Sorting and Using Drag and Drop ETPM Toolbar ETPM Status Refresh Interval About ETPM Policies IP Policies Ethernet Policies Policy Generation and Distribution Page Creating a Policy: An Overview Page Page Page Page Page 10 Provisioning PEPs Adding a New Appliance Adding a New PEP in ETEMS NOTE Related topics: Table 39 EncrypTight PEP configuration (continued) Adding a New PEP Using ETPM Adding Large Numbers of PEPs Pushing the Configuration Editing PEPs Editing PEPs From ETEMS Editing Multiple PEPs Editing PEPs From ETPM Changing the IP Address of a PEP Changing the PEP from Layer 3 to Layer 2 Encryption Deleting PEPs Page 11 Adding ETKMSs Editing ETKMSs Deleting ETKMSs Page 12 Adding Networks Page Advanced Uses for Networks in Policies Grouping Networks into Supernets Using Non-contiguous Network Masks Page Editing Networks Deleting Networks Page Page 13 Types of Network Sets Page Adding a Network Set Table 43 Network Set fields (continued) Importing Networks and Network Sets Page Editing a Network Set Deleting a Network Set Page Page 14 Networks Adding a VLAN ID Range Page Editing a VLAN ID Range Deleting a VLAN ID Range Page 15 Policy Concepts Policy Priority Schedule for Renewing Keys and Refreshing Policy Lifetime Policy Types and Encryption Methods Encapsulation Encryption and Authentication Algorithms Key Generation and ETKMSs Addressing Mode Using Encrypt All Policies with Exceptions Policy Size and ETEP Operational Limits Minimizing Policy Size Adding Layer 2 Ethernet Policies 4Click Save when complete. Table 47 Layer 2 Mesh policy entries Page Adding Layer 3 IP Policies Adding a Hub and Spoke Policy Page Table 48 Hub and spoke policy entries (continued) Page Adding a Mesh Policy Table 49 Mesh policy entries Table 49 Mesh policy entries (continued) Page Adding a Multicast Policy Page Table 50 Multicast policy entries (continued) Page Adding a Point-to-point Policy 4Click Save when complete. Table 51 Point-to-point policy entries Table 51 Point-to-point policy entries (continued) Page Policy Deployment Verifying Policy Rules Before Deployment Deploying Policies Setting Deployment Confirmation Preferences Editing a Policy Deleting Policies Page 16 Basic Layer 2 Point-to-Point Policy Example Layer 2 Ethernet Policy Using VLAN IDs Page Complex Layer 3 Policy Example Encrypt Traffic Between Regional Centers Encrypt Traffic Between Regional Centers and Branches Page Page Passing Routing Protocols Page Page Page Page 17 Possible Problems and Solutions Appliance Unreachable Appliance Configuration Pushing Configurations Status Indicators Software Upgrades Pinging the Management Port Retrieving Appliance Log Files Page Viewing Diagnostic Data Viewing Statistics Page Viewing Port and Discard Status Exporting SAD and SPD Files CLI Diagnostic Commands Working with the Application Log Viewing the Application Log from within EncrypTight Sending Application Log Events to a Syslog Server Exporting the Application Log Setting Log Filters Other Application Log Actions 18 Learning About Problems Monitoring Status Table 65 ETPM status problems and solutions TIP Symptoms and Solutions NOTE This section includes the following topics: Policy Errors Status Errors Renew Key Errors rpm -qi etkms Viewing Log Files ETPM Log Files ETKMS Log Files PEP Log Files ETKMS Troubleshooting Tools ETKMS Server Operation Optimizing Time Synchronization Shutting Down or Restarting an External ETKMS Resetting the Admin Password PEP Troubleshooting Tools Statistics Changing the Date and Time ETEP PEP Policy and Key Information Replacing Licensed ETEPs Troubleshooting Policies Checking Traffic and Encryption Statistics Solving Policy Problems Viewing Policies on a PEP Placing PEPs in Bypass Mode Allowing Local Site Exceptions to Distributed Key Policies Expired Policies Cannot Add a Network Set to a Policy Packet Fragments are Discarded in Point-to-Point Port-based Policies Solving Network Connectivity Problems Modifying EncrypTight Timing Parameters Certificate Implementation Errors Cannot Communicate with PEP ETKMS Boot Error Invalid Certificate Error Invalid Parameter in Function Call Page Page Page Page 19 About the ETKMS Properties File Hardware Security Module Configuration Digital Certificate Configuration Logging Setup Base Directory for Storing Operational State Data Peer ETKMS and ETPM Communications Timing Policy Refresh Timing PEP Communications Timing Page Page 20 About Enhanced Security Features About Strict Authentication Prerequisites Order of Operations Certificate Information Using Certificates in an EncrypTight System Changing the Keystore Password Changing the EncrypTight Keystore Password Changing the ETKMS Keystore Password Changing the Keystore Password on a ETKMS Changing the Keystore Password on a ETKMS with an HSM Configuring the Certificate Policies Extension Page Page Working with Certificates for EncrypTight and the ETKMSs Generating a Key Pair Requesting a Certificate Importing a CA Certificate Importing a CA Certificate Reply Exporting a Certificate Working with Certificates and an HSM Configuring the HSM for Keytool Importing CA Certificates into the HSM Generating a Key Pair for use with the HSM Generating a Certificate Signing Request for the HSM Importing Signed Certificates into the HSM Working with Certificates for the ETEPs Understanding the Certificate Manager Perspective Certificate Manager Workflow Working with External Certificates Obtaining External Certificates Installing an External Certificate Working with Certificate Requests Requesting a Certificate Page Installing a Signed Certificate Viewing a Pending Certificate Request Canceling a Pending Certificate Request Setting Certificate Request Preferences Managing Installed Certificates Viewing a Certificate Exporting a Certificate Deleting a Certificate Validating Certificates Validating Certificates Using CRLs Configuring CRL Usage in EncrypTight and the ETKMSs Configuring CRL Usage on ETEPs Handling Revocation Check Failures Validating Certificates Using OCSP Page Page Enabling and Disabling Strict Authentication Removing Certificates Using a Common Access Card Configuring User Accounts for Use With Common Access Cards Enabling Common Access Card Authentication Page Handling Common Name Lookup Failures Page 21 Identifying an Appliance Product Family and Software Version Appliance Name Throughput Speed Interface Configuration Management Port Addressing IPv4 Addressing IPv6 Addressing Auto-negotiation - All Ports Remote and Local Port Settings Transparent Mode Local and Remote Port IP Addresses Transmitter Enable DHCP Relay IP Address Ignore DF Bit Reassembly Mode Trusted Hosts Page SNMP Configuration System Information Community Strings Traps SNMPv2 Trap Hosts SNMPv3 Page Generating the Engine ID Retrieving and Exporting Engine IDs Configuring the SNMPv3 Trap Host Users Page Logging Configuration Log Event Settings Defining Syslog Servers Log File Management Advanced Configuration Path Maximum Transmission Unit Non IP Traffic Handling CLI Inactivity Timer Password Strength Policy XML-RPC Certificate Authentication SSH Access to the ETEP SNTP Client Settings IKE VLAN Tags OCSP Settings Certificate Policy Extensions Features Configuration FIPS Mode Enabling FIPS Mode Disabling FIPS Verifying FIPS Status on the ETEP EncrypTight Settings Encryption Policy Settings Working with Policies Using EncrypTight Distributed Key Policies Creating Layer 2 Point-to-Point Policies Page Selecting a Role Using Preshared Keys for IKE Authentication Using Group IDs Selecting the Traffic Handling Mode How the ETEP Encrypts and Authenticates Traffic Table 107 IKE Phase 1 Parameters Factory Defaults Interfaces Trusted Hosts SNMP Table 110 Trusted hosts defaults Table 111 SNMP defaults Table 109 Interfaces defaults Logging Policy Advanced Table 112 Logging defaults Table 113 Policy defaults Features Hard-coded Settings Index Numerics A B C Page D E F G H I K L M N O P R S T U V W X BLACK BOX