Key Manager Plus - User Manual

Overview

ManageEngine Key Manager Plus is a web-based key management solution that helps you consolidate, control, manage, monitor, and audit the entire life cycle of SSH (Secure Shell) keys and SSL (Secure Sockets Layer) certificates. It provides visibility into the SSH and SSL environments and helps administrators take total control of the keys to preempt breaches and compliance issues.

What Problems Does ManageEngine Key Manager Plus Solve?

Safeguarding data in transit has always been a big challenge for security administrators. While SSH keys have helped organizations ensure security in remote administrative access and data transfer, digital keys present some unique challenges.

Usually, SSH keys are left unmonitored and unmanaged, making organizations vulnerable to cyber attacks. In the absence of an automated system, getting the list of all the keys in use, finding and restricting access privileges, and ensuring periodic rotation is a herculean task.

Similarly, managing a Secure Socket Layer (SSL) environment can be daunting when organizations use a large number of SSL certificates issued by different vendors with varying validity periods. On the other hand, SSL certificates left unmonitored and unmanaged could expire, or rogue/invalid certificates could be used. Both scenarios could lead to service downtime or display of error messages that would destroy customer trust in data security and, in extreme cases, even result in security breaches.

ManageEngine Key Manager Plus has been designed to solve all these issues and serves a one-stop solution for managing all digital identities.

Prerequisite Software

There is no prerequisite software installation required to use Key Manager Plus. The standard system (hardware and software) requirements as mentioned below plus an external mail server (SMTP server) are essential for the functioning of Key Manager Plus server and to send various notifications to users.

Note:

Make sure you have the following prerequisites if you are planning to utilize Key Manager Plus' SSH and SSL discovery operation:

A service account that has domain admin rights in the Key Manager Plus server and in the target systems that you would like to manage.
Microsoft .NET framework.

System Requirements

Hardware requirements

The below table explains the minimum hardware capabilities that your Key Manager Plus application server needs to possess for successful installation and running.

Organization Size	Processor	RAM	Hard Disk
Small (Less than 500 keys*)	Dual Core / Core 2 Duo or above	4 GB	300 MB for product 10 GB for database
Medium (500 – 1000 keys*)	Quad Core or above	8 GB	500 MB for product 20 GB for database
Large (>1000 keys*)	Octa Core or above	16 GB	1 GB for product 30 GB for database

*The term 'keys' refers to the number of SSH private keys plus the number of SSL/TLS certificates plus any digital key managed using Key Manager Plus.

Software requirements

Operating Systems

Windows

Windows 10
Windows 8
Windows 7
Windows Vista
Windows Server 2016
Windows Server 2012 R2
Windows Server 2012
Windows Server 2008 R2
Windows Server 2008
Windows Server 2003
Windows 2000 Server / Professional

Linux

(Key Manager Plus usually works well with all the flavours of Linux)

Ubuntu 9.x and above
CentOS 4.4 & above
Red Hat Linux 9.0
Red Hat Enterprise Linux 5.3, 5.4, 5.5

Note:

Key Manager Plus can also be run on the VMs of all the above operating systems.

Supported Databases

PostgreSQL 9.2.4 —comes bundled with the product.
Supports MS SQL Server 2008 and above(SQL server should be installed in Windows 2008 Server or above).

Supported Browsers

The HTML client requires one of the following browsers to be installed on the application server.

IE 9 and above (on Windows)
Chrome & Firefox (on Windows, Linux, and Mac)

Prerequisite Software

There is no prerequisite software installation required to use Key Manager Plus. You just need to have the above mentioned hardware and software requirements plus an external mail server (SMTP server) to send email notifications to the users.

Apart from this, you need to have the following capabilities additionally if you are planning to utilize the SSH and SSL discovery operations in Key Manager Plus.

A service account that has domain admin rights in the Key Manager Plus server and in the target systems that you would like to manage.
Microsoft .NET framework.

Click here to view the PDF version.

Components of Key Manager Plus

Key Manager Plus consists of the following components:

Key Manager Plus server.
PostgreSQL 9.2.4 bundled with Key Manager Plus. It runs as a separate process. It accepts connections only from the host in which it is running and is not visible externally.

Installing Key Manager Plus

In Windows

Download and execute ManageEngine_KeyManagerPlus.exe (run as administrator).
The installation wizard will guide you through the installation process.
Choose an installation directory - by default, it will be installed in c:/Programe Files/ManageEngine/KeyManager, this installation directory path is referred as "KeyManagerPlus_Home".
In the final step, you will see two check-boxes—one for viewing ReadMe file and the other one for starting the server immediately after installation. If you choose to start the server immediately, it will get started in the background.
If you choose to start the server later, after installation, you can start it from the Start >> Programs >> ManageEngine Key Manager Plus (as administrator) menu.
From the Start Menu, you can perform other actions such as stopping the server or uninstalling the product.

Notes:

Install Key Manager Plus with the service account that will be used to run it.
If the service account is subject to change, then grant necessary permissions to allow PG SQL or the data directory to have full control.
Alternatively, open a command prompt with the required service account and run the command Initpgsql.bat postgres to initialize the database.

In Linux

Download ManageEngine_KeyManagerPlus.bin for linux.
Assign executable permission using command chmod a+x <file-name>
Execute the following command: ./<file_name>.
If you are installing on a headless server, execute the command: ./<file_name> -console.
Follow the instructions as they appear on the screen.
Key Manager Plus is installed in your machine in the desired location. Henceforth, this installation directory path shall be referred as "KeyManagerPlus_Home".

Starting & Shutting Down Key Manager Plus

In Windows

Using Start Menu

From Start >> Programs >> ManageEngine Key Manager Plus menu, you can do the following:

Start Key Manager Plus.
Start server (as administrator).
Stop server.
Uninstall Key Manager Plus.

Using Tray Icon

Once you install Key Manager Plus, in the windows tray area on the far right end of your task bar, you will find the icon for Key Manager Plus. Right click the tray icon and click the desired operation

Right click the tray icon and click the desired operation

Start Key Manager Plus Service (as administrator).

Stop Key Manager Plus Service.
Key Manager Plus web console.
Show Startup Logs.
Startup options.

In Linux

Installing as Startup Service

Login as root user.
Open a console and navigate to <KeyManagerPlus_Home>/bin directory.
Execute "sh keymanager.sh install" (In Ubuntu, execute as "bash keymanager.sh install").
To uninstall the service, execute the script "sh keymanager.sh remove".

Starting & Stopping the Server as Service

To start Key Manager Plus as a service in Linux

Login as root user.
Execute /etc/rc.d/init.d/sshkeymanagerplus-service start
Key Manager Plus server runs in the background as service.
To stop Key Manager Plus Server started as service in Linux
Execute /etc/rc.d/init.d/sshkeymanagerplus-service stop (as root user).

Connecting Web Interface

1.Automatic Browser Launch

Once the server is started successfully, a browser is automatically launched with the Key Manager Plus login screen. As the connection is through HTTPS, you will be prompted to accept security certificate. Hit 'Yes' and then type the user name and password in the login screen and press Enter. For an unconfigured setup, the default user name and password will be admin and admin respectively. Every time you start the server, the browser will be automatically launched.

2.Launching the Web Client Manually

In the case of windows, you can also launch the web client manually from the Windows Tray. Right-click the Key Manager Plus tray icon and click "Key Manager Plus Web Console". A browser would be launched with the Key Manager Plus login screen. As the connection is through HTTPS, you will be prompted to accept security certificate. Hit 'Yes' and then type the user name and password in the login screen and press Enter. For an unconfigured setup, the default user name and password will be admin and admin respectively. Every time you start the server, the browser will be automatically launched.

In the case of Linux, open a browser and connect to the URL

https://<hostname>:portnumber/

where hostname - host where Key Manager Plus Server is running; Default port – 6565

Example: https://localhost:6565.

3.Connecting the Web Client in Remote Hosts

To connect web clients in a different machine from the one in which Key Manager Plus is running, open a browser and connect to the URL

https://<hostname>:port

As the connection is through HTTPS, you will be prompted to accept security certificate. Hit 'Yes' and then type the user name and password in the login screen and press Enter. For an unconfigured setup, the default user name and password will be admin and admin respectively. Every time you start the server, the browser will be automatically launched.

Managing Key Manager Plus Encryption Key

Key Manager Plus uses AES - 256 encryption to secure SSH keys, SSL certificate and other sensitive information in its database. The key used for encryption is auto-generated and is unique for every installation. You can find the key in the file named pmp_key.key under the path <KeyManager_Home>/conf. Key Manager Plus does not allow you to store the encryption key within the Key Manager Plus installation directory. This is done to prevent storing of both the encrypted key and encrypted data, in both live and backed-up database, together in the same place.

We strongly recommend that you store the encryption key outside Key Manager Plus server - preferably in any other separate machine or in any external drive (hard drive, thumb drive etc.,). And in such cases, you have to make sure that Key Manager Plus server has full permission to access the device and the encryption key stored in it, whenever you start Key Manager Plus service. Once the service gets up and running, it does not need the encryption key anymore and the external device containing the key can be taken offline.

Key Manager Plus stores the path of the encryption key in a configuration file named manage_key.conf under the location <KeyManager_Home>/conf. You can edit that file directly to change the key location. Edit the location and provide the new path where you have now stored the key.

Note: You need to take care of sufficiently protecting the key with layers of encryption (like using Windows File Encryption for example) and access control. Only Key Manager Plus needs access to this key, so make sure no other software, script or person has access to this key under any circumstance. You also need to take care of securely backing up the pmp_key.key file yourself. You can recover from PMP backups only if you supply this key. If you misplace the key or lose it, Key Manager Plus will not start.

Ports Used by Key Manager Plus

Key Manager Plus uses the following two ports:

PostgreSQL port :53306
Web client port :6565

Backend Database

Key Manager Plus supports PostgreSQL and MSSQL databases as backend. PostgreSQL database is bundled with the product and by default, it is configured to run with PostgreSQL. In case, you wish to change the database to MSSQL, follow the steps detailed here

Moving Key Manager Plus Installation Within Same Machine / From One Machine to Another

If you want to move the Key Manager Plus installed in one machine to another or to a different location within the same machine, follow the procedure detailed below:

Prerequisite
- Do not remove existing installation of Key Manager Plus until the new installation works fine. This is to ensure backup to overcome disasters/data corruption during the movement.
Procedure
- Take backup of the current database. Install the same version of Key Manager Plus (as the version of which backup was taken) in the new machine.
- Restore the backup data in the new installation.

Quick Start Guide

Refer to the "Getting Started" section of help documentation

For any assistance, please contact
keymanagerplus-support@manageengine.com / Toll Free: + 1-888-720-9500

Licensing

There are three license types for ManageEngine Key Manager Plus:

Evaluation Version

Fully Functional
Valid for 30 days
Supports upto 50 keys*

Free Version

Valid forever
Supports upto 5 keys*

Registered version

The licensing is based on the number of managed keys*

The term 'Keys' refers to the number of SSH private keys plus SSL certificates plus any other digital key being managed.

Note: Key Manager Plus provides two user roles – Administrator and Operator. For more details on the user roles, refer to this section of our help documentation.

For more information, contact sales@manageengine.com