1. Do I need to install any prerequisite software before using Key Manager Plus?
Apart from the standard system requirements (both hardware and software), the following elements are essential for the proper functioning of the Key Manager Plus server.
You need to have the following to utilize the SSH and SSL discovery operations in Key Manager Plus.
2. What are the operating systems supported by Key Manager Plus?
| Windows | Linux |
|---|---|
| Windows Server 2022 | Ubuntu 9.x and above |
| Windows Server 2019 | CentOS 4.x and above |
| Windows Server 2016 | Red Hat Linux 9.0 |
| Windows Server 2012 R2 | Red Hat Enterprise Linux 5.x and above |
| Windows Server 2012 | - |
| Windows 11 | - |
| Windows 10 | - |
| Windows 8 | - |
| Windows 7 | - |
Key Manager Plus usually works well with all the flavors of Linux.
Note: Key Manager Plus can also be run on the VMs of all the above operating systems.
3. What are the user roles available in Key Manager Plus? What are their access levels?
Key Manager Plus comes with two pre-defined roles:
Click here for details on the access levels of the default roles.
4. Can other administrators view the keys added by me?
Yes, all the Administrators will be able to view all the certificates added by the other Administrators. Note that only the administrator can add certificates to Key Manager Plus. The operator user can only view the certificates shared with them.
5. How do I transfer ownership of a private key?
All the administrators will be able to view and download the private key added by other administrators. So, it is not necessary to transfer ownership of the private key.
6. How do I add a new Active Directory (AD) domain in Key Manager Plus?
Administrators can add new domains for both certificate discovery and user management operations. Follow the below steps for AD User Certificate discovery:
Refer to this help section for detailed instructions.
To add a new domain for user discovery:
Refer to this help section for detailed instructions.
7. How do I troubleshoot when the PostgreSQL server fails to start?
Error Scenarios:
'Trying to start PostgresSQL server failed' error in the command prompt after choosing the PPM file.
For the above two cases, do the following:
Open the <KMP-HOME>\logs\wrapper file in Notepad or Notepad++, go to the very bottom of the file (i.e., the most recent time frame), and check whether the 'Trying to start PostgresSQL server failed' error appears.
Possible Causes:
The following causes are explained with respect to the above error scenarios:
The 'Trying to start PostgresSQL server failed' error occurs when,
Solution:
The solution given below applies to all the above error scenarios. To fix this issue, follow the steps below to provide permission:
installation path - Provide the Manage_Engine folder location.
Users - Provide the Key Manager Plus service account in the following format: <DomainName\user name> or <username@domainname>.
Example: icacls "C:\ProgramFiles\ManageEngine\KMP" /q /c /t /grant ManageEngine\svckmp:F
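To confirm that the grant above took effect, the following PowerShell check reads the ACL on the installation folder and on the PostgreSQL data folder and reports whether the service account holds Full Control. This is an added example, not part of the Key Manager Plus documentation or tooling; the default path and account are the ones from the icacls example above, and the function name `Test-FullControl` is illustrative.

```powershell
# Added example: verify the grant made with icacls. Path and account defaults
# are the values from the page's icacls example; replace them with your own.
param(
    [string]$InstallPath = 'C:\ProgramFiles\ManageEngine\KMP',
    [string]$Account     = 'ManageEngine\svckmp'
)

$fullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$genericAll  = 0x10000000   # GENERIC_ALL, which Get-Acl can report as a raw number
$sidType     = [System.Security.Principal.SecurityIdentifier]

# Resolve the account to a SID so the comparison does not depend on how
# the account name is written.
$accountSid = ([System.Security.Principal.NTAccount]$Account).Translate($sidType)

function Test-FullControl {
    param([string]$Path)
    foreach ($rule in (Get-Acl -LiteralPath $Path).Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        try   { $sid = $rule.IdentityReference.Translate($sidType) }
        catch { continue }   # orphaned or unresolvable identity
        if ($sid.Value -ne $accountSid.Value) { continue }
        $rights = [int]$rule.FileSystemRights
        if ((($rights -band $fullControl) -eq $fullControl) -or
            (($rights -band $genericAll) -ne 0)) { return $true }
    }
    return $false
}

# The install root plus the PostgreSQL data folder referenced in this FAQ.
$targets = @($InstallPath, (Join-Path $InstallPath 'pgsql\data'))
foreach ($t in $targets) {
    if (-not (Test-Path -LiteralPath $t)) {
        Write-Warning "Not found: $t"
        continue
    }
    [pscustomobject]@{
        Path        = $t
        Account     = $Account
        FullControl = Test-FullControl -Path $t
    }
}
```

A `FullControl` value of `False` for either folder means the service account is still missing the permission on that path.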
If the issue persists, zip and send us the logs from the <KMP_HOME> folder and the <KMP-HOME>\pgsql\data\pg_log folder, along with the above screenshots, to keymanagerplus-support@manageengine.com.
8. What are the JDBC drivers supported by Key Manager Plus for database communication?
Microsoft's JDBC driver is the default driver selected during database configuration of Key Manager Plus and is recommended for most installations as it is compatible with the latest SQL server versions and features. The alternative JDBC driver for the Microsoft SQL server is jTDS, which supports specific compatibility features.
(Applicable from build 7040 onwards)
Note: Microsoft's JDBC driver acts as the default driver for the connection between MS SQL server and database. If you have configured jTDS as the database driver earlier, perform the below steps:
1. Are there any differences in the way SSH user accounts and SSH service accounts are managed using Key Manager Plus?
No. Key Manager Plus adopts the same approach for managing SSH user accounts and SSH service accounts. The only difference is that during server discovery, if service / root account credentials are provided to establish connection with the server, you acquire extended privileges to import and manage keys from all user accounts in the server. When the connection to the server is established using user account credentials, you get key management privileges only for the SSH keys present in that particular account.
2. Is there a way to view SSH keys that were not rotated?
Yes. We have a dashboard that displays the number of keys that were not rotated for the predefined time period as specified in the notification policy.
3. Does Key Manager Plus support management of digital keys other than SSH keys and SSL certificates?
Key Manager Plus houses a key vault called "KeyStore" which facilitates the storage and management of any type of digital key. However, the option to discover and import is limited to SSH keys, PGP keys and SSL certificates only, and isn't available for other types of digital keys.
1. Is there any certificate type that Key Manager Plus is incompatible with?
No. Key Manager Plus supports all X.509 certificate types.
2. Is it possible to automatically identify and update the latest version of certificates in Key Manager Plus certificate repository?
Yes. You can create scheduled tasks to perform automatic certificate discovery through which you can import and replace old certificates from target systems with their updated versions in Key Manager Plus certificate repository. Click here for a detailed explanation on creating schedules.
3. Does the Linux version of Key Manager Plus support certificate discovery from Active Directory and MS Certificate Store?
No, it doesn't. The AD User Certificate and MS Certificate Store tabs appear only in the Windows version of Key Manager Plus.
4. Is it possible to group certificates with same common name?
Yes, Key Manager Plus allows you to group certificates based on common name.
Navigate to Settings >> SSL >> Certificate History and Enable Group Certificates By CommonName.
5. Is it possible to track the expiry of certificates with the same common name in Key Manager Plus certificate repository?
Key Manager Plus differentiates certificates by their common names and records certificates with the same common name as a single entry in its certificate repository. We've designed it this way because Key Manager Plus licensing is based on the number of certificates and we don't want customers to spend many license keys for the same certificate.
However, if there's a need to manage both the certificates separately, you can do so by listing them as separate entries in Key Manager Plus' certificate repository. Once listed, the newly added certificate will be counted for licensing.
To add a certificate with the same common name as a separate entry in certificate repository,
6. How do I import a private key for a certificate?
To import a certificate's private key,
Note: Key Content import method is applicable from build 7060 and above.
The private key will be imported and attached to the selected certificate.
7. How do I deploy a certificate to the Microsoft Certificate Store and map it to the application that uses the certificate?
Key Manager Plus facilitates certificate deployment through which you can deploy certificates from its repository to the target server's Microsoft Certificate Store. Click here for a step-by-step explanation on certificate deployment. To map the certificate to its corresponding application, you have to manually restart the server on which the application is running for the change to take effect.
8. Does Key Manager Plus support subnet-based certificate discovery?
Yes. Key Manager Plus supports subnet-based SSL certificate discovery. Click here to learn about SSL certificate discovery.
9. Does Key Manager Plus support scheduling for certificate discovery from MS Certificate Store?
Yes, Key Manager Plus allows administrators to create schedules to periodically discover certificates from the MS Certificate store. Click here to learn about schedules in Key Manager Plus.
10. Are certificate related alert emails generated for all versions of a certificate (the ones that show in "certificate history" also) or only for those certificates listed in Key Manager Plus certificate repository?
Email notifications are generated for certificates listed in Key Manager Plus's certificate repository. You can navigate to Settings >> SSL >> Certificate Renewal and enable Send expiry notification for the previous version after the successful renewal to receive notifications for the previous version of the certificate.
11. Are certificates issued by the company's internal Certification Authority (CA) counted for licensing?
Yes. All types of SSL certificates, SSH keys and any other digital key being managed using Key Manager Plus are taken into account for licensing. There's a dashboard widget "License Details" that provides insights on the type and number of digital identities being managed using Key Manager Plus that will be taken into account for licensing.