ManageEngine Key Manager Plus is a web-based key management solution that helps you consolidate, control, manage, monitor, and audit the entire life cycle of SSH (Secure Shell) keys and SSL (Secure Sockets Layer) certificates. It provides visibility into the SSH and SSL environments and helps administrators take total control of the keys to preempt breaches and compliance issues.
Safeguarding data in transit has always been a big challenge for security administrators. While SSH keys have helped organizations ensure security in remote administrative access and data transfer, digital keys present some unique challenges.
Usually, SSH keys are left unmonitored and unmanaged, making organizations vulnerable to cyber attacks. In the absence of an automated system, getting the list of all the keys in use, finding and restricting access privileges, and ensuring periodic rotation is a herculean task.
Similarly, managing a Secure Sockets Layer (SSL) environment can be daunting when organizations use a large number of SSL certificates issued by different vendors with varying validity periods. On the other hand, SSL certificates left unmonitored and unmanaged could expire, or rogue/invalid certificates could be used. Both scenarios could lead to service downtime or display of error messages that would destroy customer trust in data security and, in extreme cases, even result in security breaches.
ManageEngine Key Manager Plus has been designed to solve all these issues and serves as a one-stop solution for managing all digital identities.
There is no prerequisite software installation required to use Key Manager Plus. The standard system (hardware and software) requirements as mentioned below plus an external mail server (SMTP server) are essential for the functioning of Key Manager Plus server and to send various notifications to users.
Make sure you have the following prerequisites if you are planning to utilize Key Manager Plus' SSH and SSL discovery operation:
The below table explains the minimum hardware capabilities that your Key Manager Plus application server needs to possess for successful installation and running.
|Organization Size|Processor|RAM|Hard Disk|
|---|---|---|---|
|Small (Less than 500 keys*)|Dual Core / Core 2 Duo or above|4 GB||
|Medium (500 – 1000 keys*)|Quad Core or above|8 GB||
|Large (>1000 keys*)|Octa Core or above|16 GB||
*The term 'keys' refers to the number of SSH private keys plus the number of SSL/TLS certificates plus any digital key managed using Key Manager Plus.
(Key Manager Plus usually works well with all the flavours of Linux)
Key Manager Plus can also be run on the VMs of all the above operating systems.
The HTML client requires one of the following browsers to be installed on the application server.
There is no prerequisite software installation required to use Key Manager Plus. You just need to have the above mentioned hardware and software requirements plus an external mail server (SMTP server) to send email notifications to the users.
Apart from this, you need to have the following capabilities additionally if you are planning to utilize the SSH and SSL discovery operations in Key Manager Plus.
Key Manager Plus consists of the following components:
From Start >> Programs >> ManageEngine Key Manager Plus menu, you can do the following:
Once you install Key Manager Plus, you will find the Key Manager Plus icon in the Windows tray area at the far right end of your task bar. Right-click the tray icon and click the desired operation.
To start Key Manager Plus as a service in Linux
To stop Key Manager Plus Server started as service in Linux
Once the server is started successfully, a browser is automatically launched with the Key Manager Plus login screen. As the connection is through HTTPS, you will be prompted to accept the security certificate. Hit 'Yes' and then type the user name and password in the login screen and press Enter. For an unconfigured setup, the default user name and password will be admin and admin respectively. Every time you start the server, the browser will be automatically launched.
In the case of Windows, you can also launch the web client manually from the Windows Tray. Right-click the Key Manager Plus tray icon and click "Key Manager Plus Web Console". A browser will be launched with the Key Manager Plus login screen. As the connection is through HTTPS, you will be prompted to accept the security certificate. Hit 'Yes' and then type the user name and password in the login screen and press Enter. For an unconfigured setup, the default user name and password will be admin and admin respectively. Every time you start the server, the browser will be automatically launched.
In the case of Linux, open a browser and connect to the URL
where hostname - host where Key Manager Plus Server is running; Default port – 6565
To connect web clients in a different machine from the one in which Key Manager Plus is running, open a browser and connect to the URL
As the connection is through HTTPS, you will be prompted to accept the security certificate. Hit 'Yes' and then type the user name and password in the login screen and press Enter. For an unconfigured setup, the default user name and password will be admin and admin respectively. Every time you start the server, the browser will be automatically launched.
Key Manager Plus uses AES-256 encryption to secure SSH keys, SSL certificates and other sensitive information in its database. The key used for encryption is auto-generated and is unique for every installation. You can find the key in the file named pmp_key.key under the path <KeyManager_Home>/conf. Key Manager Plus does not allow you to store the encryption key within the Key Manager Plus installation directory. This is done to prevent the encryption key and the encrypted data, in both the live and the backed-up database, from being stored together in the same place.
We strongly recommend that you store the encryption key outside the Key Manager Plus server, preferably on a separate machine or on an external drive (hard drive, thumb drive, etc.). In such cases, you have to make sure that the Key Manager Plus server has full permission to access the device and the encryption key stored on it whenever you start the Key Manager Plus service. Once the service is up and running, it does not need the encryption key anymore and the external device containing the key can be taken offline.
Key Manager Plus stores the path of the encryption key in a configuration file named manage_key.conf under the location <KeyManager_Home>/conf. You can edit that file directly to change the key location. Edit the location and provide the new path where you have now stored the key.
Note: You need to take care of sufficiently protecting the key with layers of encryption (like using Windows File Encryption for example) and access control. Only Key Manager Plus needs access to this key, so make sure no other software, script or person has access to this key under any circumstance. You also need to take care of securely backing up the pmp_key.key file yourself. You can recover from PMP backups only if you supply this key. If you misplace the key or lose it, Key Manager Plus will not start.
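The storage rules above can be checked before the service is started. The following is an added example, not ManageEngine code: it assumes a Linux installation with POSIX permission bits and assumes that manage_key.conf holds the key path as its first non-blank line (the page does not show the file's format); the directory layout in `demo()` is constructed.

```python
import os
import stat
import tempfile
from pathlib import Path


def audit_key_location(home):
    """Return findings about the key path recorded in <home>/conf/manage_key.conf."""
    home = Path(home).resolve()
    conf = home / "conf" / "manage_key.conf"
    # Assumption: the first non-blank line of the file is the key path.
    entries = [ln.strip() for ln in conf.read_text().splitlines() if ln.strip()]
    if not entries:
        return ["manage_key.conf does not name a key file"]
    key = (home / entries[0]).resolve()  # an absolute entry overrides `home`
    findings = []
    if home in key.parents:
        findings.append("key is inside the installation directory")
    if not key.is_file():
        return findings + ["key file not reachable (external device offline?)"]
    mode = stat.S_IMODE(key.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"key mode {mode:03o} grants group/other access")
    if stat.S_IMODE(conf.stat().st_mode) & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("manage_key.conf is writable by group/other")
    return findings


def demo():
    """Audit a constructed layout: key beside the data, then moved outside."""
    with tempfile.TemporaryDirectory() as root:
        home = Path(root, "KeyManager_Home")
        (home / "conf").mkdir(parents=True)
        conf = home / "conf" / "manage_key.conf"
        key = home / "conf" / "pmp_key.key"
        key.write_text("constructed-placeholder-key\n")
        os.chmod(key, 0o644)
        conf.write_text(f"{key}\n")
        os.chmod(conf, 0o600)
        before = audit_key_location(home)
        os.chmod(key, 0o600)
        moved = key.rename(Path(root, "pmp_key.key"))  # stands in for an external drive
        conf.write_text(f"{moved}\n")
        after = audit_key_location(home)
    return before, after


if __name__ == "__main__":
    print(demo())
```

An empty result means the recorded key path is outside the installation directory and readable only by its owner; a "not reachable" finding is expected while the external device is offline.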
Key Manager Plus uses the following two ports:
Key Manager Plus supports PostgreSQL and MSSQL databases as backend. The PostgreSQL database is bundled with the product and, by default, Key Manager Plus is configured to run with PostgreSQL. In case you wish to change the database to MSSQL, follow the steps detailed here.
If you want to move the Key Manager Plus installed in one machine to another or to a different location within the same machine, follow the procedure detailed below:
Refer to the "Getting Started" section of help documentation
For any assistance, please contact
firstname.lastname@example.org / Toll Free: + 1-888-720-9500
There are three license types for ManageEngine Key Manager Plus:
The term 'Keys' refers to the number of SSH private keys plus SSL certificates plus any other digital key being managed.
Note: Key Manager Plus provides two user roles – Administrator and Operator. For more details on the user roles, refer to this section of our help documentation.
For more information, contact email@example.com