
Admin Settings

You can carry out the basic settings needed to administer Key Manager Plus from the Settings section. Here you can create accounts for other users and perform basic configuration such as mail server settings, proxy details, Active Directory integration, periodic backup schedules, and other tasks.

  1. User Management
  2. Integrate Active Directory and Import Users
  3. RADIUS authentication
  4. Mail Server Settings
  5. Proxy Server Settings
  6. RESTful API
  7. Dashboard Settings
  8. Installing server certificate
  9. Privacy Settings
  10. Policy Configuration
  11. Change Password
  12. Notification
  13. Integration with CMDB
  14. Domain Expiration
 

User Management

User Roles

Key Manager Plus provides two types of user roles: Administrator and Operator.

Operation                                  | Administrator               | Operator
                                           | Di  C   I   V   A   D   E   | Di  C   I   V   A   D   E
Manage user accounts (in Key Manager Plus) | NA  Yes Yes Yes Yes Yes NA  | NA  No  No  No  No  No  NA
Manage SSH servers and resource groups     | Yes Yes Yes Yes Yes Yes NA  | No  No  NA  No  No  No  NA
Manage SSH keys and key groups             | Yes Yes Yes Yes Yes Yes Yes | No  No  No  No  No  No  No
Manage SSH users and user groups           | Yes Yes Yes Yes Yes Yes Yes | No  No  No  Yes No  No  No
Manage SSL certificates                    | Yes Yes Yes Yes NA  Yes Yes | No  No  No  Yes NA  No  Yes

Operation                        | Administrator | Operator
Connect with remote SSH terminal | Yes           | Yes (only to user accounts assigned by the administrator)
Schedule operations              | Yes           | No

Di – discover; C – create; I – import; V – view; A – assign; D – delete; E – export

User Addition

You can add users to Key Manager Plus and create an account for them to access the product in two ways:

  1. Manually add users
  2. Import users from Active Directory.

Add Users

To create a user:

    1. Navigate to the Settings → User Management → Users tab in the GUI.
    2. Click the Add User button.
    3. Enter the login name, password, and the e-mail id of the user.
    4. Assign role for the new user - administrator or operator.
    5. If the new user's role is administrator, select it and save.
    6. If you are assigning the operator role, select whether the user can access SSH user accounts and/or SSL certificates; these must be added manually. To assign SSL certificates, select the certificates directly. For SSH server selection, three options are available:
      • Select Specific Users – Click the check boxes available next to a resource name to assign all the user accounts of that resource to the operator. Else, click on the arrow next to the checkbox to expand the list of user accounts available in the resource and select individual user accounts to be assigned.
      • Resource group – Select the group(s) to be assigned to the operator. The operator is provided access to only those SSH user accounts across all the resource(s) (of the selected resource groups), which have the same name as the login name of the operator.
      • User group – Select the group(s) to be assigned to the operator. The operator is provided access to only those SSH user accounts available in the selected user group(s).

You can simultaneously assign SSH user accounts, and SSL certificates to the same user (operator).

    7. Hit Save.

A pop up message will confirm the addition of a new user to the database.

Note : Only operators need to be assigned the resources and groups for which they need access. Administrators are automatically provided with access to all resources and certificates associated with Key Manager Plus.

Generate user certificates

You can also create and sign certificates for Key Manager Plus users based on a root certificate. To generate user certificates,

You then have to deploy these certificates to their corresponding end-servers. Refer to this section of help for step-by-step explanation on certificate deployment.

Modify Users

To edit a user:

  1. Navigate to the Settings → User Management → Users tab in the GUI.
  2. Select a user and click the Edit User button.
  3. Modify the email id, assigned users list, or user role.
  4. Click the Update User button to update changes.

You will get a confirmation message that the changes to the user have been updated successfully.


Integrate Active Directory and Import Users

You need to carry out the following steps to import users from AD and assign them necessary roles and permissions in Key Manager Plus:

You can store any key file securely in the Key Manager Plus repository from the Key Store tab. From here, you can also edit the key details, update key file, keep track of previous versions of the key, store them in an organized manner, or export the keys, or previous versions to your system or mail address.

Step 1 - Importing Users

From the server in which it is running, Key Manager Plus automatically gets the list of domains available under the Microsoft Windows Network folder. You need to select the required domain and provide domain controller credentials.

To do this,

As mentioned above, to enable SSL mode, the domain controller should be serving over SSL on port 636. If the certificate of the domain controller is not signed by a certified CA, you will have to manually import the certificate into the Key Manager Plus server machine's certificate store. You need to import all the certificates that are present in the respective root certificate chain, that is, the certificate of the Key Manager Plus server machine and intermediate certificates, if any.

To import domain controller's certificate into Key Manager Plus machine's certificate store: (you can use any procedure that you normally use to import the SSL certificates to the machine's certificate store. One example is given below)

Key Manager Plus server can now communicate with this particular domain controller over SSL. Repeat these steps for all domain controllers to which you want Key Manager Plus to communicate over SSL. Note that the DNS name you specify for the domain controller should match the CN (common name) specified in the SSL certificate for the domain controller.

Important Note:

Groups/OUs too large to display

When the domain controller has a large number of groups or OUs, specifically more than 2500, Key Manager Plus will not display them in the GUI. In such cases, you will see the message "Groups too large to display" / "Organizational Units too large to display". When this happens, you have to specify only the groups or OUs that are to be imported, instead of listing all the groups / OUs in the display.

Step 2 - Assigning Roles

All the users imported from AD will be assigned the Operator role by default. To assign specific roles to specific users and/or to assign SSH user accounts of discovered resources, refer to the Modify Users section of the help document.

You will get a confirmation that the user has been deleted successfully.


Basic Settings

Mail server settings

After installation, you need to carry out certain basic settings. The first is configuring the mail server so that Key Manager Plus can send emails directly from within the application without an external mail client. You need to configure the SMTP server details as given in the steps below. Key Manager Plus users can be notified regarding schedules, policy enforcements, and reports only through email. The same settings are also used when exporting certificates and digital key files via email, and for the Forgot Password option on the login page.

To set/modify the mail server settings:

  1. Navigate to the Settings → General Settings → Mail Server tab in the GUI.
  2. Enter the server name and specify the port used for communication. Enter the username and password for authentication.
  3. Enter the from and to mail addresses.
  4. Click the Test Mail button to send a test mail to the address specified, and verify the settings.
  5. Click the Save button.

You will get a confirmation that the mail server settings have been updated.


Proxy server settings

You then need to specify how you want to connect to the Internet - directly or over a proxy.
To set/modify the proxy server settings:

  1. Navigate to the Settings → General Settings → Proxy Server tab in the GUI.
  2. You can connect to the Internet either directly or using a proxy server.
  3. If you choose to connect using proxy server, enter the details of the server, and the user credential.
  4. Click Save.

You will get a confirmation message that the proxy server settings have been updated.


SNMP settings

Key Manager Plus can raise SNMP traps to management systems within your network for various key and certificate management operations performed from within the application. On the occurrence of a configured operation, an SNMP v2c trap is sent to the specified host and port. The varbinds include the name of the user who performed the operation, the date and time, and the reason for the operation that resulted in the event.

To configure your SNMP server details,

You will get a confirmation message that the SNMP server details have been configured.


Syslog settings

You can configure Key Manager Plus to generate and send RFC-3164 compliant Syslog messages to a dedicated server and port within your network. Syslog notification can be configured for the occurrence of key / certificate expiration, and for various other key / certificate management operations performed from the product.

To configure Syslog settings,

You will get a confirmation message that the Syslog server details have been configured.


Customize Dashboard

Since either or both of SSH keys and SSL certificates can be managed by a user, you can customize the Dashboard to reflect the details of only SSH keys, or SSL certificates, or both.

To customize the dashboard details:

  1. Navigate to the Settings → Dashboard Settings tab in the GUI.
  2. Select the SSH, SSL, or Both radio button from the Dashboard type options to display the respective details on the dashboard.
  3. Click Save.

You will get a confirmation message that the configuration settings have been updated.


Policy configuration

Key Manager Plus allows you to create a high-level policy for SSH key management. You can specify whether to retain or overwrite the existing keys, that is, whether the new keys Key Manager Plus creates are appended to the existing ones or the existing ones are deleted. The second option removes all existing keys and gives you a fresh start: your SSH environment will have only the keys that were generated by Key Manager Plus. Key Manager Plus makes these changes directly in the authorized_keys file.

From the Policy configuration tab in the GUI, you can set the option for adding keys to the authorized_keys file. You can choose from:

  1. Append – Retains the existing keys as well as the new ones deployed by Key Manager Plus.
  2. Overwrite – Removes all existing public key information from the authorized_keys file and retains only the public keys deployed from Key Manager Plus. This is what we call a clean start.
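
The effect of the two options on an authorized_keys file can be modelled as follows. This is an added example, not Key Manager Plus code: the function names, the duplicate-skipping behaviour and the sample keys are assumptions made for illustration, and the key matcher is simplified. It also lists the entries an Overwrite deployment would remove, which is worth reviewing before switching policy.

```python
import re

# Simplified matcher for the key-type and base64 fields of an authorized_keys line.
KEY_RE = re.compile(
    r"(?:^|\s)(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(?:256|384|521))"
    r"\s+([A-Za-z0-9+/=]+)")

def key_id(line):
    """Return (type, blob) for a key line, or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = KEY_RE.search(line)
    return (m.group(1), m.group(2)) if m else None

def apply_policy(existing, managed, policy):
    """Model the file contents after deploying `managed` keys under a policy."""
    if policy == "append":
        lines = existing.splitlines()      # keep everything already there
    elif policy == "overwrite":
        lines = []                         # clean start: only managed keys remain
    else:
        raise ValueError("policy must be 'append' or 'overwrite'")
    seen = {key_id(l) for l in lines}
    for line in managed:
        if key_id(line) not in seen:       # modelling choice: skip duplicates
            lines.append(line.strip())
            seen.add(key_id(line))
    return "\n".join(lines) + "\n"

def dropped_by_overwrite(existing, managed):
    """Key lines currently present that an Overwrite deployment would remove."""
    managed_ids = {key_id(l) for l in managed}
    return [l.strip() for l in existing.splitlines()
            if key_id(l) and key_id(l) not in managed_ids]

# Constructed sample data: the key blobs are placeholders, not real keys.
EXISTING = (
    "# legacy entries\n"
    "ssh-rsa AAAAB3LEGACYKEY1 alice@oldlaptop\n"
    'from="10.0.0.5",command="/usr/bin/backup" ssh-ed25519 AAAAC3BACKUPKEY2 backup@cron\n'
    "ssh-ed25519 AAAAC3MANAGEDKEY3 kmp-deployed\n")
MANAGED = ["ssh-ed25519 AAAAC3MANAGEDKEY3 kmp-deployed",
           "ssh-ed25519 AAAAC3NEWKEY4 kmp-rotated"]

if __name__ == "__main__":
    for line in dropped_by_overwrite(EXISTING, MANAGED):
        print("would be removed:", line)
```

In the sample, Overwrite would drop both the legacy user key and the forced-command backup key, so automation that depends on such entries needs its keys deployed from Key Manager Plus first.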

To change the policy configuration:

  1. Navigate to the Settings → SSH → Policy Configuration tab in the GUI.
  2. Select to either Append or Overwrite the keys.
  3. Click Save.

You will get a confirmation that the policy configuration settings have been updated.


Modify login password

Users who have a local account with Key Manager Plus can change their own password and email ID from the Change Password tab.

To change login password,

  1. Go to Settings → Change Password tab in the GUI.
  2. Enter the old password.
  3. Enter new password.
  4. The new password will NOT be emailed. Take care to remember your new password. If you forget your password, use the Forgot password link available in the login page of Key Manager Plus to reset your password.
  5. Confirm the new password.
  6. Click Save.

Delete Users

To delete the users:

  1. Navigate to the Settings → User Management → Users tab in the GUI.
  2. Select the user you would like to delete.
  3. Click the Delete User button.

Notification policy

You can get notified if SSH keys are not rotated or if your SSL certificates / domain names are about to expire or for specific key / certificate management operations performed from within the application. You can choose to get notified through email, syslog messages or SNMP traps.

To set/modify expiry notification settings:

Syslog Format

SSH
<190> Key_Name:172.21.147.130_test123_id Days_Exceeded:0 Modified_On:2016-02-16 17:41:24.008

SSL
<190> Parent_Domain: manageengine.com Included_Domain: kmp.com Days_to_Expire: 100 Expire_Date: 5.08.2017

Note : The number of days specified in the SSH key rotation and SSL certificate expiry notification policy will be applied to the dashboard settings also.
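
A receiving log pipeline can split the two sample messages shown under Syslog Format into structured fields as follows. This is an added example, not part of Key Manager Plus: the function names and the "kind" labels are assumptions, and the field names are taken only from the two samples on this page. The Expire_Date value is kept as a string because its day/month order is not stated.

```python
import re

# Severity names by number, per the RFC 3164 priority encoding.
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")

PRI_RE = re.compile(r"^<(\d{1,3})>\s*(.*)$")
# Keys start with a letter or underscore, so the "17:41:24" in a timestamp
# value is not mistaken for the start of a new field.
FIELD_RE = re.compile(r"(?<!\S)([A-Za-z_]\w*):\s*(.*?)(?=\s+[A-Za-z_]\w*:|$)")

def decode_pri(pri):
    """Split a syslog PRI value into (facility number, severity name)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    return facility, SEVERITIES[severity]

def parse_kmp_syslog(line):
    """Parse one notification line into facility, severity, kind and fields."""
    m = PRI_RE.match(line.strip())
    if not m:
        raise ValueError("missing <PRI> prefix")
    facility, severity = decode_pri(int(m.group(1)))
    fields = dict(FIELD_RE.findall(m.group(2)))
    for name in ("Days_Exceeded", "Days_to_Expire"):
        if fields.get(name, "").isdigit():
            fields[name] = int(fields[name])
    if "Key_Name" in fields:
        kind = "ssh_key"            # label chosen for this example
    elif "Parent_Domain" in fields:
        kind = "ssl_certificate"    # label chosen for this example
    else:
        kind = "unknown"
    return {"facility": facility, "severity": severity,
            "kind": kind, "fields": fields}

# The two sample lines from this page.
SSH_SAMPLE = ("<190> Key_Name:172.21.147.130_test123_id Days_Exceeded:0 "
              "Modified_On:2016-02-16 17:41:24.008")
SSL_SAMPLE = ("<190> Parent_Domain: manageengine.com Included_Domain: kmp.com "
              "Days_to_Expire: 100 Expire_Date: 5.08.2017")

if __name__ == "__main__":
    for sample in (SSH_SAMPLE, SSL_SAMPLE):
        print(parse_kmp_syslog(sample))
```

The priority value 190 decodes to facility 23 (local7) and severity 6 (informational), which is useful when writing the matching rule on the receiving syslog server.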

To set/modify audit notification settings,