Black Box EncrypTight, ET0010A, ET0100A, ET1000A
EncrypTight User Guide
Table of Contents
Part I: EncrypTight Installation and Maintenance
Part II: Working with Appliances using ETEMS
Part III: Using ETPM to Create Distributed Key Policies
Part IV: Troubleshooting
Part V: Reference
Preface
About This Document
1
Distributed Key Topologies
EncrypTight Elements
EncrypTight Element Management System
Policy Manager
Key Management System
Policy Enforcement Point
Point-to-Point Negotiated Topology
Security within EncrypTight
Secure Communications Between Devices
Secure Key Storage within the ETKMS
2
EncrypTight Component Connections
Management Station Connections
ETPM to ETKMS Connections
ETPM and ETKMS on the Same Subnetwork
ETPM and ETKMS on Different Subnetworks
External ETKMS to ETKMS Connections
Connections for Backup ETKMSs
Connecting Multiple ETKMSs in an IP Network
ETKMS to ETKMS Connections in Ethernet Networks
ETKMS to PEP Connections
ETKMS to PEP Connections in IP Networks
ETKMS to PEP Connections in Ethernet Networks
Network Clock Synchronization
IPv6 Address Support
Certificate Support
Network Addressing for IP Networks
3
Before You Start
Hardware Requirements
EncrypTight software can be installed on a Windows PC or laptop.
Software Requirements
Table 4 EncrypTight management station requirements
Table 5 Third party management station software
EncrypTight Software Installation
Installing EncrypTight Software for the First Time
Upgrading to a New Version of EncrypTight
Uninstalling EncrypTight Software
Starting EncrypTight
Exiting EncrypTight
Management Station Configuration
Securing the Management Interface
Enabling the Microsoft FTP Server
Configuring the Syslog Server
Installing ETKMSs
Configuring ETKMSs
Basic Configuration for Local ETKMSs
About Local ETKMSs
Adding a Local ETKMS
Launching and Stopping a Local ETKMS
Starting the Local ETKMS Automatically
Configuring External ETKMSs
Logging Into the ETKMS
Changing the Admin Password
Changing the Root Password
Configure the Network Connection
Configure Time and Date Properties
Check the Status of the Hardware Security Module
Starting and Stopping the ETKMS Service
Checking the Status of the ETKMS
Secure the Server with the Front Bezel
Configuring Syslog Reporting on the ETKMSs
Policy Enforcement Point Configuration
Default User Accounts and Passwords
Managing Licenses
Installing Licenses
Upgrading Licenses
Upgrading the EncrypTight License
Upgrading ETEP Licenses
Next Steps
4
Working with EncrypTight User Accounts
Configuring EncrypTight User Authentication
Managing EncrypTight Accounts
Changing an EncrypTight User Password
How EncrypTight Users Work with ETEP Users
5
Working with the EncrypTight Workspace
About the EncrypTight Workspace
Saving a Workspace to a New Location
Loading an Existing Workspace
Moving a Workspace to a New PC
Deleting a Workspace
Installing Software Updates
Step 1: Schedule the Upgrade
Step 2: Prepare ETPM Status and Renew Keys
Step 3: Upgrade the EncrypTight Software
Step 4: Verify ETKMS Status and Deploy Policies
Step 5: Upgrade PEP Software
Step 6: Change the PEP Software Version and Check Status
Step 7: Return Status Refresh and Key Renewal to Original Settings
Upgrading External ETKMSs
6
ETEMS Quick Tour
Defining Appliance Configurations
Pushing Configurations to Appliances
Maintenance and Troubleshooting
Policy and Certificate Support
Understanding the ETEMS Workbench
Toolbars
Status Indicators
Understanding Roles
EncrypTight User Types
ETEP Appliance Roles
Modifying Communication Preferences
Table 24 General communication preferences
Table 25 Strict authentication communication preferences
7
Provisioning Basics
Adding a New Appliance
Saving an Appliance Configuration
Pushing Configurations to Appliances
Viewing Appliance Status
Comparing Configurations
Filtering Appliances Based on Address
Rebooting Appliances
Appliance User Management
ETEP User Roles
Configuring the Password Enforcement Policy
User Name Conventions
Default Password Policy Conventions
Strong Password Policy Conventions
Cautions for Strong Password Enforcement
Managing Appliance Users
Adding ETEP Users
Modifying ETEP User Credentials
Deleting ETEP Users
Viewing ETEP Users
Working with Default Configurations
Customizing the Default Configuration
Restoring the ETEMS Default Configurations
Provisioning Large Numbers of Appliances
Creating a Configuration Template
Importing Configurations from a CSV File
Importing Remote and Local Interface Addresses
Changing Configuration Import Preferences
Checking the Time on New Appliances
Shutting Down Appliances
8
Editing Configurations
Changing the Management IP Address
Changing the Address on the Appliance
Changing the Address in ETEMS
Changing the Date and Time
Changing Settings on a Single Appliance
Changing Settings on Multiple Appliances
Deleting Appliances
Connecting Directly to an Appliance
Connecting to the Command Line Interface
Upgrading Appliance Software
Canceling an Upgrade
What to do if an Upgrade is Interrupted
Checking Upgrade Status
Restoring the Backup File System
9
Opening ETPM
About the ETPM User Interface
EncrypTight Components View
Editors
Policy View
ETPM Status Indicators
Sorting and Using Drag and Drop
ETPM Toolbar
ETPM Status Refresh Interval
About ETPM Policies
IP Policies
Ethernet Policies
Policy Generation and Distribution
Creating a Policy: An Overview
10
Provisioning PEPs
Adding a New Appliance
Adding a New PEP in ETEMS
Table 39 EncrypTight PEP configuration (continued)
Adding a New PEP Using ETPM
Adding Large Numbers of PEPs
Pushing the Configuration
Editing PEPs
Editing PEPs From ETEMS
Editing Multiple PEPs
Editing PEPs From ETPM
Changing the IP Address of a PEP
Changing the PEP from Layer 3 to Layer 2 Encryption
Deleting PEPs
11
Adding ETKMSs
Editing ETKMSs
Deleting ETKMSs
12
Adding Networks
Advanced Uses for Networks in Policies
Grouping Networks into Supernets
Using Non-contiguous Network Masks
Editing Networks
Deleting Networks
13
Types of Network Sets
Adding a Network Set
Table 43 Network Set fields (continued)
Importing Networks and Network Sets
Editing a Network Set
Deleting a Network Set
14
Networks
Adding a VLAN ID Range
Editing a VLAN ID Range
Deleting a VLAN ID Range
15
Policy Concepts
Policy Priority
Schedule for Renewing Keys and Refreshing Policy Lifetime
Policy Types and Encryption Methods
Encapsulation
Encryption and Authentication Algorithms
Key Generation and ETKMSs
Addressing Mode
Using Encrypt All Policies with Exceptions
Policy Size and ETEP Operational Limits
Minimizing Policy Size
Adding Layer 2 Ethernet Policies
Table 47 Layer 2 Mesh policy entries
Adding Layer 3 IP Policies
Adding a Hub and Spoke Policy
Table 48 Hub and spoke policy entries (continued)
Adding a Mesh Policy
Table 49 Mesh policy entries
Table 49 Mesh policy entries (continued)
Adding a Multicast Policy
Table 50 Multicast policy entries (continued)
Adding a Point-to-point Policy
Table 51 Point-to-point policy entries
Table 51 Point-to-point policy entries (continued)
Policy Deployment
Verifying Policy Rules Before Deployment
Deploying Policies
Setting Deployment Confirmation Preferences
Editing a Policy
Deleting Policies
16
Basic Layer 2 Point-to-Point Policy Example
Layer 2 Ethernet Policy Using VLAN IDs
Complex Layer 3 Policy Example
Encrypt Traffic Between Regional Centers
Encrypt Traffic Between Regional Centers and Branches
Passing Routing Protocols
17
Possible Problems and Solutions
Appliance Unreachable
Appliance Configuration
Pushing Configurations
Status Indicators
Software Upgrades
Pinging the Management Port
Retrieving Appliance Log Files
Viewing Diagnostic Data
Viewing Statistics
Viewing Port and Discard Status
Exporting SAD and SPD Files
CLI Diagnostic Commands
Working with the Application Log
Viewing the Application Log from within EncrypTight
Sending Application Log Events to a Syslog Server
Exporting the Application Log
Setting Log Filters
Other Application Log Actions
18
Learning About Problems
Monitoring Status
Table 65 ETPM status problems and solutions
Symptoms and Solutions
Policy Errors
Status Errors
Renew Key Errors
rpm -qi etkms
Viewing Log Files
ETPM Log Files
ETKMS Log Files
PEP Log Files
ETKMS Troubleshooting Tools
ETKMS Server Operation
Optimizing Time Synchronization
Shutting Down or Restarting an External ETKMS
Resetting the Admin Password
PEP Troubleshooting Tools
Statistics
Changing the Date and Time
ETEP PEP Policy and Key Information
Replacing Licensed ETEPs
Troubleshooting Policies
Checking Traffic and Encryption Statistics
Solving Policy Problems
Viewing Policies on a PEP
Placing PEPs in Bypass Mode
Allowing Local Site Exceptions to Distributed Key Policies
Expired Policies
Cannot Add a Network Set to a Policy
Packet Fragments are Discarded in Point-to-Point Port-based Policies
Solving Network Connectivity Problems
Modifying EncrypTight Timing Parameters
Certificate Implementation Errors
Cannot Communicate with PEP
ETKMS Boot Error
Invalid Certificate Error
Invalid Parameter in Function Call
19
About the ETKMS Properties File
Hardware Security Module Configuration
Digital Certificate Configuration
Logging Setup
Base Directory for Storing Operational State Data
Peer ETKMS and ETPM Communications Timing
Policy Refresh Timing
PEP Communications Timing
20
About Enhanced Security Features
About Strict Authentication
Prerequisites
Order of Operations
Certificate Information
Using Certificates in an EncrypTight System
Changing the Keystore Password
Changing the EncrypTight Keystore Password
Changing the ETKMS Keystore Password
Changing the Keystore Password on an ETKMS
Changing the Keystore Password on an ETKMS with an HSM
Configuring the Certificate Policies Extension
Working with Certificates for EncrypTight and the ETKMSs
Generating a Key Pair
Requesting a Certificate
Importing a CA Certificate
Importing a CA Certificate Reply
Exporting a Certificate
Working with Certificates and an HSM
Configuring the HSM for Keytool
Importing CA Certificates into the HSM
Generating a Key Pair for use with the HSM
Generating a Certificate Signing Request for the HSM
Importing Signed Certificates into the HSM
Working with Certificates for the ETEPs
Understanding the Certificate Manager Perspective
Certificate Manager Workflow
Working with External Certificates
Obtaining External Certificates
Installing an External Certificate
Working with Certificate Requests
Requesting a Certificate
Installing a Signed Certificate
Viewing a Pending Certificate Request
Canceling a Pending Certificate Request
Setting Certificate Request Preferences
Managing Installed Certificates
Viewing a Certificate
Exporting a Certificate
Deleting a Certificate
Validating Certificates
Validating Certificates Using CRLs
Configuring CRL Usage in EncrypTight and the ETKMSs
Configuring CRL Usage on ETEPs
Handling Revocation Check Failures
Validating Certificates Using OCSP
Enabling and Disabling Strict Authentication
Removing Certificates
Using a Common Access Card
Configuring User Accounts for Use With Common Access Cards
Enabling Common Access Card Authentication
Handling Common Name Lookup Failures
21
Identifying an Appliance
Product Family and Software Version
Appliance Name
Throughput Speed
Interface Configuration
Management Port Addressing
IPv4 Addressing
IPv6 Addressing
Auto-negotiation - All Ports
Remote and Local Port Settings
Transparent Mode
Local and Remote Port IP Addresses
Transmitter Enable
DHCP Relay IP Address
Ignore DF Bit
Reassembly Mode
Trusted Hosts
SNMP Configuration
System Information
Community Strings
Traps
SNMPv2 Trap Hosts
SNMPv3
Generating the Engine ID
Retrieving and Exporting Engine IDs
Configuring the SNMPv3 Trap Host Users
Logging Configuration
Log Event Settings
Defining Syslog Servers
Log File Management
Advanced Configuration
Path Maximum Transmission Unit
Non IP Traffic Handling
CLI Inactivity Timer
Password Strength Policy
XML-RPC Certificate Authentication
SSH Access to the ETEP
SNTP Client Settings
IKE VLAN Tags
OCSP Settings
Certificate Policy Extensions
Features Configuration
FIPS Mode
Enabling FIPS Mode
Disabling FIPS
Verifying FIPS Status on the ETEP
EncrypTight Settings
Encryption Policy Settings
Working with Policies
Using EncrypTight Distributed Key Policies
Creating Layer 2 Point-to-Point Policies
Selecting a Role
Using Preshared Keys for IKE Authentication
Using Group IDs
Selecting the Traffic Handling Mode
How the ETEP Encrypts and Authenticates Traffic
Table 107 IKE Phase 1 Parameters
Factory Defaults
Interfaces
Trusted Hosts
SNMP
Table 110 Trusted hosts defaults
Table 111 SNMP defaults
Table 109 Interfaces defaults
Logging
Policy
Advanced
Table 112 Logging defaults
Table 113 Policy defaults
Features
Hard-coded Settings
Index