KeySafe 5 Administration

This section is applicable to the Keysafe 5 Appliance Management component of the system.

Use a web browser to navigate to and then to log into the Keysafe 5 Appliance Management UI at https://<node-ip-address>/appliance using an account with Security Admin privileges

Keysafe 5 Settings

To view the current Keysafe 5 settings which indicates the MongoDB database mode and a means of downloading the Keysafe 5 Agent install media:

  1. In the top menu bar, click Settings.

  2. In the Application Settings section, click KeySafe5 Settings.

MongoDB Database

Keysafe 5 stores its data in MongoDB databases, these can be either be internal to the cluster, or Keysafe 5 can be configured to point to an external MongoDB server.

Internal Database

If Keysafe 5 is configured to use an internal MongoDB server, then this will be indicated by the Keysafe 5 setting stating the following:

MongoDB Database Mode: Internal

The internal MongoDB database can be used with other Entrust products, such as the nShield Web Services product. This requires a set of TLS certificates, and a private key for the secure connection with the Internal MongoDB server. These certificates can be obtained by following the steps below.

Before You Begin

  • Generation of an appropriate Certificate Signing Request (CSR) is required prior to following these steps, for more information on generating a CSR please see MongoDB CSR Generation.

Procedure

  1. Log into the Keysafe 5 Appliance Management UI using an account with Security Admin privileges.

  2. In the top menu bar, click Settings.

  3. In the Application Settings section, click KeySafe5 Settings.

  4. Click MongoDB Client Certificates.

  5. In the Upload CSR File section, click Load File and select the CSR file you wish to use for certificate generation.

  6. Click Generate and Download Certificate to download the certificate bundle from the cluster node.

    The certificate bundle is a .zip file you must unpack. It contains both the CA certificate and a TLS certificate in .pem format.

  7. The downloaded certificates can now be copied to the machine where the other Entrust product is installed. For information about the location, see the guide relevant to your system: Installation and Upgrade Guide or the OVA Installation Guide.

External Database

If Keysafe 5 is configured to use an external MongoDB server, then this will be indicated by the Keysafe 5 setting stating the following:

MongoDB Database Mode: External

To configure Keysafe 5 to use an external MongoDB Server please follow the steps below

Before You Begin

Ensure you have the following information:

  • MongoDB server hostname or IP address

  • MongoDB replica set name

  • CA Certificate (in pem format)

  • Client Certificate (in pem format)

  • Client private key

  • Client private key passphrase (if required)

Optionally you may require:

  • Username

  • Password

  • Authentication database name

Procedure

Entrust recommends that this procedure is performed on the master node.

  1. Log into the Keysafe 5 Appliance Management UI using an account with Security Admin privileges.

  2. In the top menu bar, click Settings.

  3. In the Application Settings section, click KeySafe5 Settings.

  4. Click Configuration Options > MongoDB.

  5. Select External MongoDB Database as the MongoDB Database Mode.

  6. Populate the form using the information gathered above.

  7. Click Test Configuration to verify the connection to the external MongoDB server.

    • If this fails, please verify the information entered is correct and that the Keysafe 5 cluster has network access to the external MongoDB server.

  8. Click Apply

  9. Keysafe 5 will now restart its internal services and distribute the configuration change to all other nodes, this will take a few minutes to complete.