KeySafe 5 Local
There is a Local installation available for KeySafe 5 for managing a single machine through its local graphical desktop environment. If you have an internal nShield HSM you may set up the Agent configuration to communicate with the KeySafe 5 Local installation. You may also configure remote nShield Connect HSMs to communicate with the KeySafe 5 Local installation.
Installation
Linux
Only users that are members of the nfastadmin group may use KeySafe 5 Local.
Add your local users who will be using the system to this group before we begin, and ensure that this is reflected in the output of id -Gn .
You may need to log out, and then log back in again for changes to group membership to apply.
|
-
Extract the KeySafe 5 Local package to the root of the filesystem:
sudo tar -C / -xf /path/to/keysafe5-local-1.3.0-linux.tar.gz
-
Ensure any running services using the nShield HSMs have been cleanly shut down.
-
Run the nShield Security World install script:
sudo /opt/nfast/sbin/install
This will set up the log files along with the local directory as writeable to users in the
nfastadmin
group.
Windows
To install KeySafe 5 Local, double-click on keysafe5-local.msi
.
You must have Microsoft WebView2 installed to run KeySafe 5 in Windows. |
Configuration
Linux
The configuration file is located in /opt/nfast/keysafe5/local/config
and named config.yaml
.
There is an example configuration file named config.yaml.example
located in the same place.
If one does not already exist, the install
process above will copy the config.yaml.example
over to a new config.yaml
that you may modify.
Do not modify the known_clients
section as there is a tool that will add to this.
If any of the paths are modified, ensure that new paths are created with the right permissions, writeable to users who will be permitted to run KeySafe 5 Local.
The databases are stored in the database_directory
, and this directory should be part of your backup routine.
Running /opt/nfast/bin/keysafe5-local-admin init
will set up the TLS keys for securing communication between KeySafe 5 Agents and KeySafe 5 Local.
Windows
The configuration file is located in %NFAST_DATA_HOME%\keysafe5\local\conf\config.yaml
.
There is an example configuration file named config.yaml.example
located in the same place.
The easiest approach is to copy the config.yaml.example
to config.yaml
and then modify anything as required.
The databases are stored in the database_directory
, and this directory should be part of your backup routine.
Running %NFAST_HOME%\bin\keysafe5-local-admin init
from an Administrator command prompt will set up the TLS keys for securing communication between KeySafe 5 Agents and KeySafe 5 Local.
Running
Adding HSMs to KeySafe 5 Local
For KeySafe 5 Local to manage local and remote HSMs, a KeySafe 5 Agent running alongside the HSM must be configured to communicate with KeySafe 5 Local.
KeySafe 5 Local may be configured to communicate with any number of KeySafe 5 Agents running on HSMs, but only with one KeySafe 5 Agent that is running on a host machine. That host machine agent must be on the same machine as the KeySafe 5 Local instance. If configuring a KeySafe 5 Agent on HSM to communicate with KeySafe 5 Local, then the port used for agent communications must be open to incoming connections in your firewall configuration for the machine running KeySafe 5 Local. This port is specified in the KeySafe 5 Local configuration. By default, this is port 18084. |
Adding KeySafe 5 Agents to KeySafe 5 Local
The steps below provide an example for configuring the KeySafe 5 Agent on the host machine that is running KeySafe 5 Local. For configuring a KeySafe 5 Agent on a network-attached HSM, see KeySafe 5 agent on network-attached HSMs.
-
Configure the KeySafe 5 Agent to communicate with KeySafe 5 Local. In the KeySafe 5 Agent configuration file:
-
Set
message_bus.type
tonats
. -
Set
message_bus.url
to the IP address the host running KeySafe 5 Local (or 127.0.0.1 if this is the same machine). The port of the url should match theagent_comms
port set in the KeySafe 5 Local configuration file. -
Set
message_bus.auth_type
totls
to enabled TLS authentication.message_bus: type: nats url: 127.0.0.1:18084 auth_type: tls
-
-
Produce a TLS private key and Certificate Signing Request (CSR) for this Agent using
ks5agenttls
. See Generating a KeySafe 5 agent private key and TLS certificate. If you did not initially generate the private key to the KeySafe 5 Agent configuration directory, ensure that the TLS private key is saved totls.key
in the correct directory on the KeySafe 5 Agent machine.cp tls.key /opt/nfast/keysafe5/conf/messagebus/tls/tls.key
-
Copy the CSR produced by
ks5agenttls
to the KeySafe 5 Local machine, and runkeysafe5-local-admin sign
with the file.keysafe5-local-admin sign <path_to_csr_file>
A
tls.crt
andca.crt
will be written to the current directory and the KeySafe 5 Agent will automatically be added to the list of known clients in KeySafe 5 Local’s configuration file. -
Copy
tls.crt
andca.crt
to the correct directory on the KeySafe 5 Agent machine.cp tls.crt /opt/nfast/keysafe5/conf/messagebus/tls/tls.crt cp ca.crt /opt/nfast/keysafe5/conf/messagebus/tls/ca.crt
-
Restart KeySafe 5 Local to apply the changes to KeySafe 5 Local’s configuration.
Because the KeySafe 5 Agent communicates directly with KeySafe 5 Local, updates from the KeySafe 5 Agent will only be received and processed while KeySafe 5 Local is running. |
Application Logs
You can find application logs at:
-
Linux:
/opt/nfast/log/keysafe5-local-*.log
-
Windows:
%NFAST_LOGDIR%\KeySafe5-local-*.log
This path is configurable by setting logging.file.path
in the KeySafe 5 Local configuration file.
Database backup
The database can be backed up by stopping KeySafe 5 Local and creating a backup of the SQLite database files found in the configured database_directory
.
By default, you can find the database file at:
-
Linux:
/opt/nfast/kmdata/databases
-
Windows:
%NFAST_KMDATA%\databases
Uninstalling
Linux
To uninstall, first run the main uninstall script sudo /opt/nfast/sbin/install -u
.
This will remove the desktop environment shortcuts.
The files added by the tar.gz are:
-
/opt/nfast/keysafe5/local/config/config.yaml.example
-
/opt/nfast/scripts/install.d/20keysafe5-local
-
/opt/nfast/bin/keysafe5-local
-
/opt/nfast/bin/keysafe5-local.png
-
/opt/nfast/bin/keysafe5-local-admin
-
/opt/nfast/lib/versions/keysafe5-local-atv.txt
There are additional files and directories that may have been created that may also be removed:
-
/opt/nfast/keysafe5/local
-
/opt/nfast/kmdata/databases
-
/opt/nfast/log/keysafe5-local-*.log
Windows
To uninstall, you may use Uninstall a program from Control Panel to uninstall nShield KeySafe 5 Local.
There are additional files and directories that may have been created that may also be removed:
-
%NFAST_DATA_HOME%\keysafe5\local
-
%NFAST_DATA_HOME%\Key Management Data\databases
-
%NFAST_DATA_HOME%\Log Files\keysafe5-local-*.log