Top

Key Manager Plus - User Manual

Overview

ManageEngine Key Manager Plus is a web-based key management solution that helps you consolidate, control, manage, monitor, and audit the entire life cycle of SSH (Secure Shell) keys and SSL (Secure Sockets Layer) certificates. It provides visibility into the SSH and SSL environments and helps administrators take total control of the keys to preempt breaches and compliance issues.

What Problems Does ManageEngine Key Manager Plus Solve?

Safeguarding data in transit has always been a big challenge for security administrators. While SSH keys have helped organizations ensure security in remote administrative access and data transfer, digital keys present some unique challenges.

Usually, SSH keys are left unmonitored and unmanaged, making organizations vulnerable to cyber attacks. In the absence of an automated system, getting the list of all the keys in use, finding and restricting access privileges, and ensuring periodic rotation is a herculean task.

Similarly, managing a Secure Socket Layer (SSL) environment can be daunting when organizations use a large number of SSL certificates issued by different vendors with varying validity periods. On the other hand, SSL certificates left unmonitored and unmanaged could expire, or rogue/invalid certificates could be used. Both scenarios could lead to service downtime or display of error messages that would destroy customer trust in data security and, in extreme cases, even result in security breaches.

ManageEngine Key Manager Plus has been designed to solve all these issues and serves a one-stop solution for managing all digital identities.

Prerequisite Software

There is no prerequisite software installation required to use Key Manager Plus. The standard system (hardware and software) requirements as mentioned below plus an external mail server (SMTP server) are essential for the functioning of Key Manager Plus server and to send various notifications to users.

Note:

Make sure you have the following prerequisites if you are planning to utilize Key Manager Plus' SSH and SSL discovery operation:

  • A service account that has domain admin rights in the Key Manager Plus server and in the target systems that you would like to manage.
  • Microsoft .NET framework.

System Requirements

Hardware

Processor

  • 1.8 GHz Pentium® processor

RAM

  • 2 GB

Hard Disk

  • 300 MB for product
  • 10 GB for database
Operating systems

Windows

  • Windows 10
  • Windows 8
  • Windows 7
  • Windows Server 2012 R2
  • Windows Server 2012
  • Windows Vista
  • Windows Server 2008 R2
  • Windows Server 2008
  • Windows Server 2003
  • Windows 2000 Server / Professional

Linux

    • Ubuntu 9.x and above
    • CentOS 4.4 & above
    • Red Hat Linux 9.0
    • Red Hat Enterprise Linux 5.3, 5.4, 5.5
    • Key Manager Plus normally works well with any flavor of Linux.

Note: Key Manager Plus can be run on VMs of the above operating systems.

Web Interface

HTML client requires one of the following browsers** to be installed in the system:

  • IE 9 and above (on Windows)
  • Chrome, Firefox, and Safari (on Windows, Linux and Mac)

**Key Manager Plus is optimized for 1280 x 800 resolution and above.

Database

  • PostgreSQL 9.2.4, bundled with the product.
  • Supports MS SQL Server 2008 and above. SQL server should be installed in Windows 2008 Server and above.

Components of Key Manager Plus

Key Manager Plus consists of the following components:

Installing Key Manager Plus

In Windows

In Linux

Starting & Shutting Down Key Manager Plus

In Windows

Using Start Menu

From Start >> Programs >> ManageEngine Key Manager Plus menu, you can do the following:

  • Start Key Manager Plus.
  • Start server (as administrator).
  • Stop server.
  • Uninstall Key Manager Plus.
Using Tray Icon

Once you install Key Manager Plus, in the windows tray area on the far right end of your task bar, you will find the icon for Key Manager Plus. Right click the tray icon and click the desired operation

Right click the tray icon and click the desired operation

    • Start Key Manager Plus Service (as administrator).
  • Stop Key Manager Plus Service.
  • Key Manager Plus web console.
  • Show Startup Logs.
  • Startup options.

In Linux

Installing as Startup Service
  • Login as root user.
  • Open a console and navigate to <KeyManagerPlus_Home>/bin directory.
  • Execute "sh keymanager.sh install" (In Ubuntu, execute as "bash keymanager.sh install").
  • To uninstall the service, execute the script "sh keymanager.sh remove".
Starting & Stopping the Server as Service

To start Key Manager Plus as a service in Linux

  • Login as root user.
  • Execute /etc/rc.d/init.d/sshkeymanagerplus-service start
  • Key Manager Plus server runs in the background as service.

    To stop Key Manager Plus Server started as service in Linux

  • Execute /etc/rc.d/init.d/sshkeymanagerplus-service stop (as root user).

Connecting Web Interface

1.Automatic Browser Launch

Once the server is started successfully, a browser is automatically launched with the Key Manager Plus login screen. As the connection is through HTTPS, you will be prompted to accept security certificate. Hit 'Yes' and then type the user name and password in the login screen and press Enter. For an unconfigured setup, the default user name and password will be admin and admin respectively. Every time you start the server, the browser will be automatically launched.

2.Launching the Web Client Manually

In the case of windows, you can also launch the web client manually from the Windows Tray. Right-click the Key Manager Plus tray icon and click "Key Manager Plus Web Console". A browser would be launched with the Key Manager Plus login screen. As the connection is through HTTPS, you will be prompted to accept security certificate. Hit 'Yes' and then type the user name and password in the login screen and press Enter. For an unconfigured setup, the default user name and password will be admin and admin respectively. Every time you start the server, the browser will be automatically launched.

In the case of Linux, open a browser and connect to the URL

https://<hostname>:portnumber/

where hostname - host where Key Manager Plus Server is running; Default port – 6565

Example: https://localhost:6565.

3.Connecting the Web Client in Remote Hosts

To connect web clients in a different machine from the one in which Key Manager Plus is running, open a browser and connect to the URL

https://<hostname>:port

As the connection is through HTTPS, you will be prompted to accept security certificate. Hit 'Yes' and then type the user name and password in the login screen and press Enter. For an unconfigured setup, the default user name and password will be admin and admin respectively. Every time you start the server, the browser will be automatically launched.

Managing Key Manager Plus Encryption Key

Key Manager Plus uses AES - 256 encryption to secure SSH keys, SSL certificate and other sensitive information in its database. The key used for encryption is auto-generated and is unique for every installation. You can find the key in the file named pmp_key.key under the path <KeyManager_Home>/conf. Key Manager Plus does not allow you to store the encryption key within the Key Manager Plus installation directory. This is done to prevent storing of both the encrypted key and encrypted data, in both live and backed-up database, together in the same place.

We strongly recommend that you store the encryption key outside Key Manager Plus server - preferably in any other separate machine or in any external drive (hard drive, thumb drive etc.,). And in such cases, you have to make sure that Key Manager Plus server has full permission to access the device and the encryption key stored in it, whenever you start Key Manager Plus service. Once the service gets up and running, it does not need the encryption key anymore and the external device containing the key can be taken offline.

Key Manager Plus stores the path of the encryption key in a configuration file named manage_key.conf under the location <KeyManager_Home>/conf. You can edit that file directly to change the key location. Edit the location and provide the new path where you have now stored the key. 

Note: You need to take care of sufficiently protecting the key with layers of encryption (like using Windows File Encryption for example) and access control. Only Key Manager Plus needs access to this key, so make sure no other software, script or person has access to this key under any circumstance. You also need to take care of securely backing up the pmp_key.key file yourself. You can recover from PMP backups only if you supply this key. If you misplace the key or lose it, Key Manager Plus will not start.

Ports Used by Key Manager Plus

Key Manager Plus uses the following two ports:

  1. PostgreSQL port :53306
  2. Web client port :6565

Backend Database

Key Manager Plus supports PostgreSQL and MSSQL databases as backend. PostgreSQL database is bundled with the product and by default, it is configured to run with PostgreSQL. In case, you wish to change the database to MSSQL, follow the steps detailed here

Moving Key Manager Plus Installation Within Same Machine / From One Machine to Another

If you want to move the Key Manager Plus installed in one machine to another or to a different location within the same machine, follow the procedure detailed below:

  1. Prerequisite
    • Do not remove existing installation of Key Manager Plus until the new installation works fine. This is to ensure backup to overcome disasters/data corruption during the movement.
  2. Procedure
    • Take backup of the current database. Install the same version of Key Manager Plus (as the version of which backup was taken) in the new machine.
    • Restore the backup data in the new installation.

Quick Start Guide

Refer to the "Getting Started" section of help documentation

For any assistance, please contact
keymanagerplus-support@manageengine.com / Toll Free: + 1-888-720-9500

Licensing

There are three license types for ManageEngine Key Manager Plus:

Evaluation Version
  • Fully Functional
  • Valid for 30 days
  • Supports upto 50 keys*
Free Version
  • Valid forever
  • Supports upto 5 keys*
Registered version
  • The licensing is based on the number of managed keys*

The term 'Keys' refers to the number of SSH private keys plus SSL certificates plus any other digital key being managed.

 

Note: Key Manager Plus provides two user roles – Administrator and Operator. For more details on the user roles, refer to this section of our help documentation.

For more information, contact sales@manageengine.com