You can carry out the basic administrative settings for Key Manager Plus from the Settings section. From here, you can create accounts for other users and perform basic configuration such as mail server settings, proxy details, Active Directory integration, periodic backup schedules, and other tasks.
Key Manager Plus provides two user roles: Administrator and Operator.
| | Administrator Di | Administrator C | Administrator I | Administrator V | Administrator A | Administrator D | Administrator E | Operator Di | Operator C | Operator I | Operator V | Operator A | Operator D | Operator E |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Manage User accounts (in Key Manager Plus) | NA | ![]() | ![]() | ![]() | ![]() | ![]() | NA | NA | ![]() | ![]() | ![]() | ![]() | ![]() | NA |
| Manage SSH Servers and Resource Groups | ![]() | ![]() | ![]() | ![]() | ![]() | ![]() | NA | ![]() | ![]() | NA | ![]() | ![]() | ![]() | NA |
| Manage SSH keys and Key Groups | ![]() | ![]() | ![]() | ![]() | ![]() | ![]() | ![]() | ![]() | ![]() | ![]() | ![]() | ![]() | ![]() | ![]() |
| Manage SSH Users and User Groups | ![]() | ![]() | ![]() | ![]() | ![]() | ![]() | ![]() | ![]() | ![]() | ![]() | ![]() | ![]() | ![]() | ![]() |
| Manage SSL Certificates | ![]() | ![]() | ![]() | ![]() | NA | ![]() | ![]() | ![]() | ![]() | ![]() | ![]() | NA | ![]() | ![]() |

| | Administrator | Operator |
|---|---|---|
| Connect with remote SSH terminal | ![]() | ![]() (Only to user accounts assigned by the administrator) |
| Schedule operations | ![]() | ![]() |
Di – discover; C – create; I – import; V – view; A – assign; D – delete; E – export
You can add users to Key Manager Plus and create an account for them to access the product in two ways:
To create a user:
You can simultaneously assign SSH user accounts and SSL certificates to the same user (operator).
A pop up message will confirm the addition of a new user to the database.
Note: Only operators need to be assigned the resources and groups for which they need access. Administrators are automatically provided with access to all resources and certificates associated with Key Manager Plus.
You can also create and sign certificates for Key Manager Plus users based on a root certificate. To generate user certificates,
You then have to deploy these certificates to their corresponding end-servers. Refer to this section of help for a step-by-step explanation of certificate deployment.
To edit a user:
You will get a confirmation message that the changes to the user have been updated successfully.
You need to carry out the following steps to import users from AD and assign them necessary roles and permissions in Key Manager Plus:
You can store any key file securely in the Key Manager Plus repository from the Key Store tab. From here, you can also edit the key details, update the key file, keep track of previous versions of the key, store them in an organized manner, or export the keys or their previous versions to your system or mail address.
From the server in which it is running, Key Manager Plus automatically gets the list of domains available under the Microsoft Windows Network folder. You need to select the required domain and provide domain controller credentials.
To do this,
As mentioned above, to enable SSL mode, the domain controller should be serving over SSL on port 636. If the certificate of the domain controller is not signed by a certified CA, you will have to manually import the certificate into the Key Manager Plus server machine's certificate store. You need to import all the certificates that are present in the respective root certificate chain, that is, the certificate of the Key Manager Plus server machine and intermediate certificates, if any.
To import the domain controller's certificate into the Key Manager Plus machine's certificate store (you can use any procedure that you normally use to import SSL certificates into the machine's certificate store; one example is given below):
Key Manager Plus server can now communicate with this particular domain controller over SSL. Repeat these steps for all domain controllers to which you want Key Manager Plus to communicate over SSL. Note that the DNS name you specify for the domain controller should match the CN (common name) specified in the SSL certificate for the domain controller.
Important Note:
Groups/OUs too large to display
When you have a large number of groups or OUs in the domain controller, specifically when the number exceeds 2500, Key Manager Plus will not display them in the GUI. In such cases, you will see the message "Groups too large to display" / "Organizational Units too large to display". When this happens, you have to specify only the groups or OUs that are to be imported, instead of getting all the groups / OUs in the display.
Step 2: Assigning Roles
All the users imported from AD will be assigned the Operator role by default. To assign specific roles to specific users and/or to assign SSH user accounts of discovered resources, refer to the Modify Users page of the help document.
You will get a confirmation that the user has been deleted successfully.
After installation, you need to carry out certain basic settings. The first setting is configuring the mail server, which lets Key Manager Plus send emails directly from within the application without the need for an external mail client. You need to configure the SMTP server details as given in the steps below. Key Manager Plus users can be notified regarding schedules, policy enforcements, and reports only through email. The same settings are also used when exporting certificates and digital key files via email, and for the Forgot Password option on the login page.
To set/modify the mail server settings:
You will get a confirmation that the mail server settings have been updated.
You then need to specify how you want to connect to the Internet - directly or over a proxy.
To set/modify the proxy server settings:
You will get a confirmation message that the proxy server settings have been updated.
Key Manager Plus can raise SNMP traps to management systems within your network for various key and certificate management operations performed from within the application. On the occurrence of a configured operation, an SNMP v2c trap is sent to the specified host and port. The varbinds include the name of the user who performed the operation, the date and time, and the reason for the operation that resulted in the event.
To configure your SNMP server details,
You will get a confirmation message that the SNMP server details have been configured.
You can configure Key Manager Plus to generate and send RFC-3164 compliant Syslog messages to a dedicated server and port within your network. Syslog notification can be configured for the occurrence of key / certificate expiration, and for various other key / certificate management operations performed from the product.
To configure Syslog settings,
You will get a confirmation message that the Syslog server details have been configured.
Since either or both of SSH keys and SSL certificates can be managed by a user, you can customize the Dashboard to reflect the details of only SSH keys, or SSL certificates, or both.
To customize the dashboard details:
You will get a confirmation message that the configuration settings have been updated.
Key Manager Plus allows you to create a high-level policy on SSH key management. You can specify whether to retain or overwrite the existing keys. That is, when Key Manager Plus creates new keys, you choose whether they are appended to the existing ones or whether the existing ones are deleted. The second option helps you remove all existing keys and have a fresh start: your SSH environment will have only the keys that were generated by Key Manager Plus. Key Manager Plus carries out these changes in the authorized_keys file directly.
From the Policy configuration tab in the GUI, you can set the option for adding keys to the authorized_keys file. You can choose from:
To change the policy configuration:
You will get a confirmation that the policy configuration settings have been updated.
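Because the overwrite option removes every existing entry from authorized_keys, it helps to inventory the file before choosing it. The following is an added example, not part of the product or its documentation: it fingerprints each entry and lists the ones an overwrite would drop. The sample file content, the function names and the `keep` set (fingerprints of the keys that will be redeployed) are assumptions.

```python
import base64
import hashlib
import re
import struct

KEY_RE = re.compile(
    r"(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521))"
    r"\s+([A-Za-z0-9+/]+={0,2})(?:\s+(.*))?$")

def sample_line(keytype, seed, tail):
    # Constructed placeholder, not a usable key: type header plus filler bytes.
    blob = struct.pack(">I", len(keytype)) + keytype.encode() + bytes([seed]) * 32
    return "%s %s %s" % (keytype, base64.b64encode(blob).decode(), tail)

SAMPLE = "\n".join([  # constructed authorized_keys content
    sample_line("ssh-ed25519", 1, "deploy@build01"),
    'from="10.0.0.5",no-pty ' + sample_line("ssh-rsa", 2, "backup job"),
    "ssh-ed25519 AAAAnotakey legacy",  # damaged entry
])

def inventory(text):
    """One record per authorized_keys entry, with its SHA256 fingerprint."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        try:
            if m is None:
                raise ValueError("no key type followed by a base64 blob")
            keytype, b64, comment = m.groups()
            blob = base64.b64decode(b64, validate=True)
            (n,) = struct.unpack(">I", blob[:4])
            # The blob starts with its own length-prefixed type string.
            if blob[4:4 + n].decode("ascii") != keytype:
                raise ValueError("embedded type differs from declared type")
        except (ValueError, struct.error):
            entries.append({"line": lineno, "error": "unparseable entry"})
            continue
        digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
        entries.append({"line": lineno, "type": keytype, "comment": comment or "",
                        "options": line[:m.start(1)].strip(),
                        "fingerprint": "SHA256:" + digest.rstrip("=")})
    return entries

def lost_on_overwrite(text, keep):
    """Entries an overwrite deletes: all whose fingerprint is not in keep."""
    return [e for e in inventory(text) if e.get("fingerprint") not in keep]
```

Unparseable entries are reported as lost too, since an overwrite removes them along with everything else.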
Users who have a local account with Key Manager Plus can change their own password and email ID. The Change Password tab facilitates this.
To change login password,
To delete the users:
You can get notified if SSH keys are not rotated, if your SSL certificates / domain names are about to expire, or for specific key / certificate management operations performed from within the application. You can choose to get notified through email, syslog messages or SNMP traps.
To set/modify expiry notification settings:
SSH
<190> Key_Name:172.21.147.130_test123_id Days_Exceeded:0 Modified_On:2016-02-16 17:41:24.008
SSL
<190> Parent_Domain: manageengine.com Included_Domain: kmp.com Days_to_Expire: 100 Expire_Date: 5.08.2017
Note: The number of days specified in the SSH key rotation and SSL certificate expiry notification policy will be applied to the dashboard settings also.
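The following is an added example, not part of the product documentation: a receiver-side parser for the two sample messages above. It decodes the PRI value (190 = facility local7, severity info) and the Name:value pairs, then selects SSL expiry events at or below a threshold. The function names, the event kind labels and the thresholds are assumptions, and messages are assumed to arrive in the form shown on this page.

```python
import re

# The two sample messages shown above, embedded so the example runs offline.
SAMPLES = [
    "<190> Key_Name:172.21.147.130_test123_id Days_Exceeded:0 "
    "Modified_On:2016-02-16 17:41:24.008",
    "<190> Parent_Domain: manageengine.com Included_Domain: kmp.com "
    "Days_to_Expire: 100 Expire_Date: 5.08.2017",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>\s*(.*)$")
# Field names start with a letter, so the colons inside "17:41:24.008"
# stay in the value instead of being read as separators.
FIELD_RE = re.compile(r"([A-Za-z][A-Za-z_]*):\s*(.*?)(?=\s+[A-Za-z][A-Za-z_]*:|$)")


def parse(line):
    """Decode the PRI value and the Name:value pairs of one message."""
    m = PRI_RE.match(line.strip())
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range PRI: %r" % line)
    pri, body = int(m.group(1)), m.group(2)
    fields = {k: v.strip() for k, v in FIELD_RE.findall(body)}
    if "Key_Name" in fields:
        kind = "ssh_key_rotation"   # label chosen for this example
    elif "Days_to_Expire" in fields:
        kind = "ssl_expiry"         # label chosen for this example
    else:
        kind = "unknown"
    fac = pri >> 3  # RFC 3164: PRI = facility * 8 + severity
    return {
        "facility": "local%d" % (fac - 16) if fac >= 16 else str(fac),
        "severity": SEVERITIES[pri & 7],
        "kind": kind,
        "fields": fields,
    }


def expiring_soon(lines, threshold_days):
    """Return parsed SSL expiry events at or below threshold_days."""
    events = [parse(line) for line in lines]
    return [ev for ev in events
            if ev["kind"] == "ssl_expiry"
            and int(ev["fields"]["Days_to_Expire"]) <= threshold_days]
```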
To set/modify audit notification settings,
Key Manager Plus has an in-built WHOIS look up tool that helps administrators query and obtain information about any registered domain name such as ownership details, date of registration & expiration, IP address history and more.
To access the WHOIS look up tool,
Note:
Before performing the lookup, ensure that port 43 is open in your environment; without it, connections to WHOIS servers will fail.
When you purchase Key Manager Plus, you will get a product license key. You can apply the license key by following the steps below:
Upload the license file supplied to you by Key Manager Plus.