Black Box ET1000A, ET0100A, ET0010A User Manual

EncrypTight User Guide
EncrypTight acts as a transparent overlay that integrates easily into any existing network architecture, providing encryption rules and keys to EncrypTight Enforcement Points.
EncrypTight consists of a suite of tools that perform various appliance and policy management tasks, including the Policy Manager (PM), the Key Management System (KMS), and the EncrypTight Enforcement Points (ETEPs).
Models covered: ET0010A, ET0100A, ET1000A
Customer Support Information
Order toll-free in the U.S.: Call 877-877-BBOX (outside U.S. call 724-746-5500)
FREE technical support 24 hours a day, 7 days a week: Call 724-746-5500 or fax 724-746-0746
Mailing address: Black Box Corporation, 1000 Park Drive, Lawrence, PA 15055-1018
Web site: www.blackbox.com • E-mail: info@blackbox.com

Table of Contents

Preface....................................................................................................................................... 13
About This Document.......................................................................................................................... 13
Contacting Black Box Technical Support ............................................................................................ 14
Part I: EncrypTight Installation and Maintenance
Chapter 1: EncrypTight Overview ........................................................................................... 17
Distributed Key Topologies ..................................................................................................................17
EncrypTight Elements ................................................................................................................... 19
EncrypTight Element Management System............................................................................20
Policy Manager .......................................................................................................................20
Key Management System ....................................................................................................... 20
Policy Enforcement Point ........................................................................................................21
Point-to-Point Negotiated Topology .....................................................................................................22
Security within EncrypTight.................................................................................................................. 23
Secure Communications Between Devices................................................................................... 24
Secure Key Storage within the ETKMS.........................................................................................24
Chapter 2: EncrypTight Deployment Planning ...................................................................... 25
EncrypTight Component Connections ................................................................................................. 25
Management Station Connections ................................................................................................26
ETPM to ETKMS Connections ...................................................................................................... 26
ETPM and ETKMS on the Same Subnetwork ........................................................................ 27
ETPM and ETKMS on Different Subnetworks ........................................................................ 27
External ETKMS to ETKMS Connections...................................................................................... 29
Connections for Backup ETKMSs...........................................................................................29
Connecting Multiple ETKMSs in an IP Network ......................................................................30
ETKMS to ETKMS Connections in Ethernet Networks ........................................................... 30
ETKMS to PEP Connections ......................................................................................................... 31
ETKMS to PEP Connections in IP Networks .......................................................................... 31
ETKMS to PEP Connections in Ethernet Networks ................................................................ 32
Network Clock Synchronization ...........................................................................................................33
IPv6 Address Support .......................................................................................................................... 33
Certificate Support ...............................................................................................................................34
Network Addressing for IP Networks ...................................................................................................35
Chapter 3: Installation and Configuration .............................................................................. 37
Before You Start...................................................................................................................................37
Hardware Requirements................................................................................................................38
Software Requirements ................................................................................................................. 38
Firewall Ports.................................................................................................................................39
EncrypTight Software Installation......................................................................................................... 39
Installing EncrypTight Software for the First Time .........................................................................39
Upgrading to a New Version of EncrypTight ................................................................................. 40
EncrypTight User Guide 3
Uninstalling EncrypTight Software.................................................................................................40
Starting EncrypTight ...................................................................................................................... 40
Exiting EncrypTight........................................................................................................................41
Management Station Configuration...................................................................................................... 41
Securing the Management Interface .............................................................................................42
Enabling the Microsoft FTP Server................................................................................................42
Configuring the Syslog Server....................................................................................................... 43
Installing ETKMSs................................................................................................................................ 43
Configuring ETKMSs............................................................................................................................ 43
Basic Configuration for Local ETKMSs .........................................................................................44
About Local ETKMSs ..............................................................................................................44
Adding a Local ETKMS ...........................................................................................................44
Launching and Stopping a Local ETKMS ...............................................................................45
Starting the Local ETKMS Automatically ................................................................................ 45
Configuring External ETKMSs....................................................................................................... 46
Logging Into the ETKMS ......................................................................................................... 47
Changing the Admin Password...............................................................................................47
Changing the Root Password .................................................................................................48
Configure the Network Connection .........................................................................................49
Configure Time and Date Properties....................................................................................... 51
Check the Status of the Hardware Security Module ............................................................... 53
Starting and Stopping the ETKMS Service ............................................................................. 53
Checking the Status of the ETKMS......................................................................................... 54
Secure the Server with the Front Bezel .................................................................................. 54
Configuring Syslog Reporting on the ETKMSs.............................................................................. 54
Policy Enforcement Point Configuration............................................................................................... 55
Default User Accounts and Passwords................................................................................................56
Managing Licenses ..............................................................................................................................56
Installing Licenses ......................................................................................................................... 57
Upgrading Licenses....................................................................................................................... 58
Upgrading the EncrypTight License ........................................................................................ 58
Upgrading ETEP Licenses ......................................................................................................58
Next Steps............................................................................................................................................ 58
Chapter 4: Managing EncrypTight Users ............................................................................... 61
Working with EncrypTight User Accounts ............................................................................................61
Configuring EncrypTight User Authentication ...................................................................................... 62
Managing EncrypTight Accounts ......................................................................................................... 65
Changing an EncrypTight User Password ...........................................................................................66
How EncrypTight Users Work with ETEP Users..................................................................................67
Chapter 5: Maintenance Tasks ................................................................................................ 69
Working with the EncrypTight Workspace ........................................................................................... 69
About the EncrypTight Workspace ................................................................................................ 69
Saving a Workspace to a New Location ........................................................................................ 70
Loading an Existing Workspace .................................................................................................... 71
Moving a Workspace to a New PC ................................................................................................ 72
Deleting a Workspace ................................................................................................................... 72
Installing Software Updates .................................................................................................................73
Step 1: Schedule the Upgrade ......................................................................................................73
Step 2: Prepare ETPM Status and Renew Keys ........................................................................... 74
Step 3: Upgrade the EncrypTight Software ................................................................................... 74
Step 4: Verify ETKMS Status and Deploy Policies ........................................................................ 74
Step 5: Upgrade PEP Software ..................................................................................................... 75
Step 6: Change the PEP Software Version and Check Status...................................................... 77
Step 7: Return Status Refresh and Key Renewal to Original Settings ..........................................78
Upgrading External ETKMSs ...............................................................................................................78
Part II: Working with Appliances using ETEMS
Chapter 6: Getting Started with ETEMS.................................................................................. 83
ETEMS Quick Tour ..............................................................................................................................83
Defining Appliance Configurations ................................................................................................83
Pushing Configurations to Appliances...........................................................................................84
Upgrading Appliance Software ...................................................................................................... 85
Comparing Configurations............................................................................................................. 85
Maintenance and Troubleshooting ................................................................................................86
Policy and Certificate Support .......................................................................................................87
Understanding the ETEMS Workbench ...............................................................................................87
Toolbars......................................................................................................................................... 89
Status Indicators............................................................................................................................90
Understanding Roles............................................................................................................................ 91
EncrypTight User Types ................................................................................................................ 91
ETEP Appliance Roles .................................................................................................................. 91
Modifying Communication Preferences ............................................................................................... 92
Chapter 7: Provisioning Appliances ....................................................................................... 95
Provisioning Basics .............................................................................................................................. 95
Adding a New Appliance ...............................................................................................................96
Saving an Appliance Configuration ...............................................................................................97
Pushing Configurations to Appliances...........................................................................................97
Viewing Appliance Status .............................................................................................................. 98
Comparing Configurations........................................................................................................... 100
Filtering Appliances Based on Address ....................................................................................... 101
Rebooting Appliances..................................................................................................................102
Appliance User Management.............................................................................................................102
ETEP User Roles ........................................................................................................................ 102
Configuring the Password Enforcement Policy ...........................................................................103
User Name Conventions .......................................................................................................104
Default Password Policy Conventions .................................................................................. 104
Strong Password Policy Conventions ................................................................................... 104
Cautions for Strong Password Enforcement .........................................................................105
Managing Appliance Users..........................................................................................................106
Adding ETEP Users ..............................................................................................................106
Modifying ETEP User Credentials......................................................................................... 108
Deleting ETEP Users ............................................................................................................108
Viewing ETEP Users............................................................................................................. 109
Working with Default Configurations .................................................................................................. 110
Customizing the Default Configuration ........................................................................................ 110
Restoring the ETEMS Default Configurations .............................................................................111
Provisioning Large Numbers of Appliances ....................................................................................... 111
Creating a Configuration Template..............................................................................................112
Importing Configurations from a CSV File ................................................................................... 112
Importing Remote and Local Interface Addresses ................................................................114
Changing Configuration Import Preferences ...............................................................................115
Checking the Time on New Appliances ....................................................................................... 116
Shutting Down Appliances .................................................................................................................116
Chapter 8: Managing Appliances .......................................................................................... 117
Editing Configurations ........................................................................................................................117
Changing the Management IP Address....................................................................................... 118
Changing the Address on the Appliance...............................................................................118
Changing the Address in ETEMS .........................................................................................119
Changing the Date and Time....................................................................................................... 120
Changing Settings on a Single Appliance ...................................................................................121
Changing Settings on Multiple Appliances ..................................................................................121
Deleting Appliances ...........................................................................................................................122
Connecting Directly to an Appliance .................................................................................................. 123
Connecting to the Command Line Interface ................................................................................ 123
Upgrading Appliance Software........................................................................................................... 123
Canceling an Upgrade................................................................................................................. 127
What to do if an Upgrade is Interrupted....................................................................................... 127
Checking Upgrade Status............................................................................................................127
Restoring the Backup File System ..................................................................................................... 127
Part III: Using ETPM to Create Distributed Key Policies
Chapter 9: Getting Started with ETPM.................................................................................. 131
Opening ETPM...................................................................................................................................131
About the ETPM User Interface .........................................................................................................131
EncrypTight Components View ................................................................................................... 133
Editors ......................................................................................................................................... 134
Policy View ..................................................................................................................................135
ETPM Status Indicators............................................................................................................... 135
Sorting and Using Drag and Drop ...............................................................................................136
ETPM Toolbar ............................................................................................................................. 137
ETPM Status Refresh Interval ..................................................................................................... 137
About ETPM Policies .........................................................................................................................138
IP Policies....................................................................................................................................138
Ethernet Policies..........................................................................................................................138
Policy Generation and Distribution.....................................................................................................139
Creating a Policy: An Overview.......................................................................................................... 141
Chapter 10: Managing Policy Enforcement Points.............................................................. 147
Provisioning PEPs..............................................................................................................................147
Adding a New Appliance .............................................................................................................147
Adding a New PEP in ETEMS ..............................................................................................148
Adding a New PEP Using ETPM ..........................................................................................150
Adding Large Numbers of PEPs..................................................................................................150
Pushing the Configuration ........................................................................................................... 151
Editing PEPs ...................................................................................................................................... 151
Editing PEPs From ETEMS.........................................................................................................151
Editing Multiple PEPs ..................................................................................................................152
Editing PEPs From ETPM ........................................................................................................... 152
Changing the IP Address of a PEP .............................................................................................153
Changing the PEP from Layer 3 to Layer 2 Encryption............................................................... 153
Deleting PEPs ....................................................................................................................................153
Chapter 11: Managing Key Management Systems.............................................................. 155
Adding ETKMSs................................................................................................................................. 156
Editing ETKMSs .................................................................................................................................157
Deleting ETKMSs............................................................................................................................... 157
Chapter 12: Managing IP Networks....................................................................................... 159
Adding Networks ................................................................................................................................159
Advanced Uses for Networks in Policies............................................................................................ 161
Grouping Networks into Supernets.............................................................................................. 161
Using Non-contiguous Network Masks........................................................................................ 162
Editing Networks ................................................................................................................................ 164
Deleting Networks .............................................................................................................................. 164
Chapter 13: Managing Network Sets..................................................................................... 167
Types of Network Sets .......................................................................................................................168
Adding a Network Set ........................................................................................................................170
Importing Networks and Network Sets...............................................................................................172
Editing a Network Set......................................................................................................................... 174
Deleting a Network Set ......................................................................................................................174
Chapter 14: Creating VLAN ID Ranges for Layer 2 Networks............................................. 177
Adding a VLAN ID Range .................................................................................................................. 177
Editing a VLAN ID Range................................................................................................................... 179
Deleting a VLAN ID Range ................................................................................................................179
Chapter 15: Creating Distributed Key Policies .................................................................... 181
Policy Concepts .................................................................................................................................181
Policy Priority...............................................................................................................................182
Schedule for Renewing Keys and Refreshing Policy Lifetime .....................................................182
Policy Types and Encryption Methods ........................................................................................183
Encapsulation........................................................................................................................ 183
Encryption and Authentication Algorithms ............................................................................ 184
Key Generation and ETKMSs .....................................................................................................185
Addressing Mode.........................................................................................................................185
Using Encrypt All Policies with Exceptions .................................................................................. 185
Policy Size and ETEP Operational Limits....................................................................................186
Minimizing Policy Size ................................................................................................................. 187
Adding Layer 2 Ethernet Policies ....................................................................................................... 188
Adding Layer 3 IP Policies .................................................................................................................191
Adding a Hub and Spoke Policy ..................................................................................................191
Adding a Mesh Policy .................................................................................................................. 195
Adding a Multicast Policy.............................................................................................................199
Adding a Point-to-point Policy .....................................................................................................203
Adding Layer 4 Policies...................................................................................................................... 206
Policy Deployment .............................................................................................................................207
Verifying Policy Rules Before Deployment .................................................................................. 207
Deploying Policies ....................................................................................................................... 208
Setting Deployment Confirmation Preferences ...........................................................................208
Editing a Policy................................................................................................................................... 209
Deleting Policies.................................................................................................................................209
Chapter 16: Policy Design Examples.................................................................................... 211
Basic Layer 2 Point-to-Point Policy Example .....................................................................................211
Layer 2 Ethernet Policy Using VLAN IDs ........................................................................................... 212
Complex Layer 3 Policy Example ...................................................................................................... 214
Encrypt Traffic Between Regional Centers.................................................................................. 214
Encrypt Traffic Between Regional Centers and Branches .......................................................... 215
Passing Routing Protocols ..........................................................................................................218
Part IV: Troubleshooting
Chapter 17: ETEMS Troubleshooting ................................................................................... 223
Possible Problems and Solutions....................................................................................................... 223
Appliance Unreachable ..............................................................................................................224
Appliance Configuration ..............................................................................................................225
Pushing Configurations ...............................................................................................................226
Status Indicators..........................................................................................................................226
Software Upgrades......................................................................................................................227
Pinging the Management Port............................................................................................................ 227
Retrieving Appliance Log Files........................................................................................................... 228
Viewing Diagnostic Data .................................................................................................................... 230
Viewing Statistics.........................................................................................................................230
Viewing Port and Discard Status .................................................................................................232
Exporting SAD and SPD Files .....................................................................................................232
CLI Diagnostic Commands.......................................................................................................... 233
Working with the Application Log ....................................................................................................... 234
Viewing the Application Log from within EncrypTight .................................................................. 234
Sending Application Log Events to a Syslog Server ................................................................... 235
Exporting the Application Log...................................................................................................... 235
Setting Log Filters........................................................................................................................235
Other Application Log Actions ..................................................................................................... 236
Chapter 18: ETPM and ETKMS Troubleshooting................................................................. 237
Learning About Problems................................................................................................................... 237
Monitoring Status.........................................................................................................................237
Symptoms and Solutions............................................................................................................. 238
Policy Errors.......................................................................................................................... 239
Status Errors .........................................................................................................................240
Renew Key Errors .................................................................................................................240
Viewing Log Files ........................................................................................................................ 241
ETPM Log Files..................................................................................................................... 241
ETKMS Log Files ..................................................................................................................241
PEP Log Files .......................................................................................................................242
ETKMS Troubleshooting Tools .......................................................................................................... 242
ETKMS Server Operation............................................................................................................ 242
Optimizing Time Synchronization ................................................................................................ 243
Shutting Down or Restarting an External ETKMS .......................................................................243
Resetting the Admin Password ...................................................................................................243
PEP Troubleshooting Tools ...............................................................................................................243
Statistics ......................................................................................................................................244
Changing the Date and Time....................................................................................................... 244
ETEP PEP Policy and Key Information ....................................................................................... 244
Replacing Licensed ETEPs ......................................................................................................... 245
Troubleshooting Policies ....................................................................................................................245
Checking Traffic and Encryption Statistics ..................................................................................245
Solving Policy Problems .............................................................................................................. 246
Viewing Policies on a PEP ....................................................................................................246
Placing PEPs in Bypass Mode..............................................................................................246
Allowing Local Site Exceptions to Distributed Key Policies................................................... 247
Expired Policies..................................................................................................................... 247
Cannot Add a Network Set to a Policy ..................................................................................248
Packet Fragments are Discarded in Point-to-Point Port-based Policies ...............................248
Solving Network Connectivity Problems ............................................................................................248
Modifying EncrypTight Timing Parameters ........................................................................................ 249
Certificate Implementation Errors....................................................................................................... 249
Cannot Communicate with PEP .................................................................................................. 249
ETKMS Boot Error....................................................................................................................... 250
Invalid Certificate Error ................................................................................................................ 250
Invalid Parameter in Function Call...............................................................................................250
Part V: Reference
Chapter 19: Modifying the ETKMS Properties File .............................................................. 255
About the ETKMS Properties File ......................................................................................................255
Hardware Security Module Configuration ..........................................................................................256
Digital Certificate Configuration.......................................................................................................... 256
Logging Setup .................................................................................................................................... 256
Base Directory for Storing Operational State Data ............................................................................ 257
Peer ETKMS and ETPM Communications Timing.............................................................................257
Policy Refresh Timing ........................................................................................................................258
PEP Communications Timing ............................................................................................................258
Chapter 20: Using Enhanced Security Features.................................................................. 261
About Enhanced Security Features ................................................................................................... 261
About Strict Authentication................................................................................................................. 262
Prerequisites................................................................................................................................263
Order of Operations..................................................................................................................... 263
Certificate Information .................................................................................................................264
Using Certificates in an EncrypTight System .....................................................................................265
Changing the Keystore Password......................................................................................................266
Changing the EncrypTight Keystore Password ........................................................................... 266
Changing the ETKMS Keystore Password .................................................................................. 266
Changing the Keystore Password on a ETKMS ................................................................... 267
Changing the Keystore Password on a ETKMS with an HSM .............................................. 268
Configuring the Certificate Policies Extension ...................................................................................269
Working with Certificates for EncrypTight and the ETKMSs ..............................................................272
Generating a Key Pair ................................................................................................................. 272
Requesting a Certificate .............................................................................................................. 273
Importing a CA Certificate ........................................................................................................... 274
Importing a CA Certificate Reply .................................................................................................274
Exporting a Certificate ................................................................................................................. 275
Working with Certificates and an HSM............................................................................................... 275
Configuring the HSM for Keytool .................................................................................................275
Importing CA Certificates into the HSM ....................................................................................... 276
Generating a Key Pair for use with the HSM ............................................................................... 276
Generating a Certificate Signing Request for the HSM ...............................................................277
Importing Signed Certificates into the HSM.................................................................................277
Working with Certificates for the ETEPs ............................................................................................277
Understanding the Certificate Manager Perspective ...................................................................278
Certificate Manager Workflow .....................................................................................................279
Working with External Certificates ...............................................................................................279
Obtaining External Certificates.............................................................................................. 279
Installing an External Certificate............................................................................................ 280
Working with Certificate Requests...............................................................................................281
Requesting a Certificate........................................................................................................281
Installing a Signed Certificate................................................................................................ 283
Viewing a Pending Certificate Request................................................................................. 283
Canceling a Pending Certificate Request .............................................................................284
Setting Certificate Request Preferences ...............................................................................284
Managing Installed Certificates ................................................................................................... 285
Viewing a Certificate .............................................................................................................286
Exporting a Certificate........................................................................................................... 286
Deleting a Certificate............................................................................................................. 287
Validating Certificates ........................................................................................................................287
Validating Certificates Using CRLs..............................................................................................287
Configuring CRL Usage in EncrypTight and the ETKMSs .......................................................... 288
Configuring CRL Usage on ETEPs .............................................................................................288
Handling Revocation Check Failures ..........................................................................................289
Validating Certificates Using OCSP ............................................................................................ 289
Enabling and Disabling Strict Authentication ..................................................................................... 292
Removing Certificates ........................................................................................................................293
Using a Common Access Card ..........................................................................................................294
Configuring User Accounts for Use With Common Access Cards .............................................. 295
Enabling Common Access Card Authentication ..........................................................................295
Handling Common Name Lookup Failures.................................................................................. 297
Chapter 21: ETEP Configuration ........................................................................................... 299
Identifying an Appliance .....................................................................................................................300
Product Family and Software Version ......................................................................................... 300
Appliance Name .......................................................................................................................... 300
Throughput Speed.......................................................................................................................301
Interface Configuration....................................................................................................................... 301
Management Port Addressing ..................................................................................................... 302
IPv4 Addressing ....................................................................................................................303
IPv6 Addressing ....................................................................................................................304
Auto-negotiation - All Ports.......................................................................................................... 305
Remote and Local Port Settings ..................................................................................................306
Transparent Mode................................................................................................................. 306
Local and Remote Port IP Addresses ...................................................................................307
Transmitter Enable................................................................................................................ 308
DHCP Relay IP Address ....................................................................................................... 309
Ignore DF Bit ......................................................................................................................... 310
Reassembly Mode ................................................................................................................310
Trusted Hosts..................................................................................................................................... 311
SNMP Configuration ..........................................................................................................................313
System Information...................................................................................................................... 313
Community Strings ...................................................................................................................... 314
Traps ........................................................................................................................................... 315
SNMPv2 Trap Hosts.................................................................................................................... 316
SNMPv3 ...................................................................................................................................... 316
Generating the Engine ID...................................................................................................... 318
Retrieving and Exporting Engine IDs .................................................................................... 318
Configuring the SNMPv3 Trap Host Users ........................................................................... 319
Logging Configuration ........................................................................................................................321
Log Event Settings ...................................................................................................................... 322
Defining Syslog Servers .............................................................................................................. 323
Log File Management.................................................................................................................. 324
Advanced Configuration.....................................................................................................................325
Path Maximum Transmission Unit............................................................................................... 326
Non IP Traffic Handling ............................................................................................................... 327
CLI Inactivity Timer......................................................................................................................327
Password Strength Policy............................................................................................................327
XML-RPC Certificate Authentication ...........................................................................................328
SSH Access to the ETEP ............................................................................................................ 329
SNTP Client Settings...................................................................................................................329
IKE VLAN Tags ........................................................................................................................... 329
OCSP Settings ............................................................................................................................ 330
Certificate Policy Extensions ....................................................................................................... 330
Features Configuration....................................................................................................................... 330
FIPS Mode...................................................................................................................................331
Enabling FIPS Mode .............................................................................................................331
Disabling FIPS ......................................................................................................................332
Verifying FIPS Status on the ETEP....................................................................................... 332
EncrypTight Settings ................................................................................................................... 333
Encryption Policy Settings ...........................................................................................................334
Working with Policies .........................................................................................................................334
Using EncrypTight Distributed Key Policies ................................................................................335
Creating Layer 2 Point-to-Point Policies...................................................................................... 335
Selecting a Role ....................................................................................................................337
Using Preshared Keys for IKE Authentication.......................................................................337
Using Group IDs ...........................................................................................................337
Selecting the Traffic Handling Mode .....................................................................................338
How the ETEP Encrypts and Authenticates Traffic............................................................... 338
Factory Defaults ................................................................................................................................. 339
Interfaces.....................................................................................................................................339
Trusted Hosts ..............................................................................................................................340
SNMP .......................................................................................................................................... 340
Logging........................................................................................................................................341
Policy ...........................................................................................................................................341
Advanced.....................................................................................................................................341
Features ...................................................................................................................................... 342
Hard-coded Settings.................................................................................................................... 342
Index......................................................................................................................................... 343

Preface

About This Document
Purpose
The EncrypTight User Guide provides detailed information on how to install, configure, and troubleshoot EncrypTight components: ETEMS, Policy Manager (ETPM), and Key Management System (ETKMS). It also contains information about configuring EncrypTight Enforcement Points (ETEPs) using ETEMS.
Intended Audience
This document is intended for network managers and security administrators who are familiar with setting up and maintaining network equipment. Some knowledge of network security issues and encryption technologies is assumed.
Assumptions
This document assumes that its readers have an understanding of the following:
EncrypTight encryption appliance features, installation and operation
Basic principles of network security issues
Basic principles of encryption technologies and terminology
Basic principles of TCP/IP networking, including IP addressing, switching and routing
Personal computer (PC) operation, common PC terminology, use of terminal emulation software and FTP operations
Basic knowledge of the Linux operating system
Conventions used in this document
Bold            Indicates one of the following: a menu item or button; the name of a command or parameter
Italics         Indicates a new term
Monospaced      Indicates machine text, such as terminal output and filenames
Monospaced bold Indicates a command to be issued by the user
Contacting Black Box Technical Support
Contact our FREE technical support, 24 hours a day, 7 days a week:
Phone 724-746-5500
Fax 724-746-0746
e-mail info@blackbox.com
Web site www.blackbox.com
Part I EncrypTight Installation and Maintenance

1 EncrypTight Overview

EncrypTight™ Policy and Key Manager is an innovative approach to network-wide encryption. EncrypTight acts as a transparent overlay that integrates easily into any existing network architecture, providing encryption rules and keys to EncrypTight encryption appliances.
EncrypTight consists of a suite of tools that perform various tasks of appliance and policy management:
EncrypTight Element Management System (ETEMS) is the network management component of the EncrypTight software. Use ETEMS to configure and manage your encryption appliances.
EncrypTight Policy Manager (ETPM) is the policy generation and management tool. Use ETPM to create policies for hub and spoke, mesh, point-to-point, and multicast networks that require common keys to secure traffic between multiple nodes.
EncrypTight Key Management System (ETKMS) is the key generation and distribution tool that is used with ETPM-generated policies. ETKMS can be run on a local machine for small deployments or on a dedicated server for larger scale networks.
EncrypTight Enforcement Points (ETEPs) are the encryption appliances that enforce the security policies. EncrypTight appliances are also referred to as PEPs.
The type of policies that you create, and the tools that you use to create them, are dependent on your network topology. EncrypTight supports two types of policies for the following topologies:
Distributed key policies are appropriate for securing a variety of networks, including mesh, hub and spoke, point-to-point (Layer 3/4 only), and multicast networks.
Negotiated policies are appropriate in Layer 2 point-to-point networks where keys are negotiated with a peer rather than distributed from a central key server.
This section includes the following topics:
Distributed Key Topologies
Point-to-Point Negotiated Topology
Security within EncrypTight

Distributed Key Topologies

EncrypTight centralizes the creation and distribution of encryption keys and policies. It separates the functions of policy management, key generation and distribution, and policy enforcement. By doing so, multiple Policy Enforcement Points (PEPs) can use common keys, while a centralized platform assumes the function of renewing keys at pre-determined intervals.
In this system, you use ETEMS to configure the PEPs, Policy Manager (ETPM) to create and manage policies, and Key Management System (ETKMS) to generate keys and distribute keys and policies to the appropriate PEPs. The PEPs encrypt traffic according to the policies and keys that they receive.
Figure 1 EncrypTight components
Using EncrypTight, you can create distributed key policies for the network topologies shown in Table 1.
Table 1 Network topologies

Layer 3 IP topologies
Hub and Spoke   In a hub and spoke network, a hub network communicates with the spoke networks and the spoke networks communicate only with the hub network.
Multicast       In multicast transmission, one or more networks send unidirectional streams to a multicast network address. The multicast routers detect the multicast transmission, determine which nodes have joined the multicast network as destination networks, and duplicate the packet as needed to reach all multicast destination networks.
Point-to-point  In a point-to-point network, one network sends and receives data to and from one other network.
Mesh            In a mesh network, any network can send or receive data from any other network.

Layer 2 Ethernet topologies
Mesh            For Ethernet, you can create policies for mesh networks. Note that if the network uses VLAN ID tags, you can also create policies for virtual point-to-point connections.
Regardless of topology, PEPs are typically located at the point in the network where traffic is being sent to an untrusted network or coming from an untrusted network. As an example, Figure 2 shows a hub and spoke network secured with EncrypTight.
Figure 2 PEPs in a Hub and Spoke network
PEP A encrypts data traffic from Network A that goes to Networks B or C. PEP A also decrypts data that originates from Networks B and C. PEP B encrypts data from Network B that goes to Network A and decrypts data that comes from Network A. PEP C encrypts data from Network C that goes to Network A and decrypts data that comes from Network A.
Related topics:
“EncrypTight Element Management System” on page 20
“Policy Manager” on page 20
“Key Management System” on page 20
“Policy Enforcement Point” on page 21

EncrypTight Elements

EncrypTight consists of a suite of tools that perform various tasks of appliance and policy management:
EncrypTight Element Management System is the element management component of the EncrypTight software
Policy Manager is the policy generation and management tool
Key Management System is the key generation and distribution tool
Policy Enforcement Points are the encryption appliances that enforce the security policies
The number of ETEPs that you can manage and the speed at which they run is controlled by licenses. You must enter a license for EncrypTight before you can install licenses on the ETEPs.
EncrypTight Element Management System
The EncrypTight Element Management System (ETEMS) is the device management component of the EncrypTight software, allowing you to provision and manage multiple encryption appliances from a central location. It provides capabilities for appliance configuration, software updates, and maintenance and troubleshooting for your EncrypTight encryption appliances.
Policy Manager
The Policy Manager (ETPM) is the policy component of the EncrypTight software. You use ETPM to create and manage policies, and monitor the status of the PEPs and ETKMSs.
Each deployment of EncrypTight uses a single ETPM. The ETPM sends metapolicies to one or more ETKMSs. A metapolicy is a file that describes the policies created in ETPM and for each policy it specifies:
The PEPs each ETKMS controls
The networks each PEP protects
The action that is performed (encrypt, send in the clear, or drop)
The kind of traffic the policy affects
Key Management System
Distribution functions are provided by the EncrypTight Key Management System (ETKMS). All ETKMSs receive policies from a single ETPM. Based on the metapolicies received from the ETPM, the ETKMS generates keys for each of the PEPs within its network. The ETKMS distributes the keys and policies associated with its networks to the appropriate PEPs.
Depending on the size and configuration of your network, you can use a single ETKMS or multiple ETKMSs distributed throughout the network. When multiple ETKMSs are used, each ETKMS controls different sets of PEPs. All ETKMSs include the policy information and keys for the entire network. When policies are deployed or keys are renewed, each PEP receives its information from its designated ETKMS.
The EncrypTight system supports two types of ETKMSs: external ETKMSs and local ETKMSs.
External ETKMSs are dedicated computers running the ETKMS software. By running on a dedicated computer, external ETKMSs inherently provide more security and reliability, and can be used to help protect significantly larger networks. Each ETKMS can support several hundred PEPs.
Local ETKMSs run as a separate process on the same management workstation as the EncrypTight software. Local ETKMSs are intended for use with small to medium networks with no more than 10 PEPs. A local ETKMS is included with the EncrypTight software.
Figure 3 shows a single ETKMS distributing the keys for PEPs A, B, C, and D.
Figure 3 Single ETKMS for multiple sites
Figure 4 illustrates an EncrypTight deployment using multiple ETKMSs. With large, complex networks that have hundreds of PEPs, you might want to use multiple ETKMSs. Each ETKMS distributes keys for the PEPs it controls. For example: ETKMS 1 distributes the policies and keys to PEPs A, B, and C. ETKMS 2 distributes the policies and keys to PEPs D and E. ETKMS 3 distributes the policies and keys to PEPs F and G.
Figure 4 Multiple ETKMSs in a network
Policy Enforcement Point
EncrypTight enforcement points (ETEPs) are encryption appliances that provide policy enforcement functions, and are referred to generically as PEPs (policy enforcement points). According to the policies distributed by the ETKMSs, the PEPs can encrypt and decrypt traffic, send traffic in the clear, or drop traffic. Each PEP can be used in multiple policies simultaneously.
To securely transfer data between two PEPs over an untrusted network, both PEPs must share a key. One PEP uses the shared key to encrypt the data for transmission over the untrusted network, while the second PEP uses the same shared key to decrypt the data. Figure 5 illustrates the shared key concepts between two PEPs.
Figure 5 Shared keys
In this example, traffic moves between two trusted networks: Network A and Network B. PEP A and PEP B work in unison to ensure data security as the traffic passes through an unsecured network. PEP A uses Shared Key 2 to encrypt all outbound traffic intended for Network B. PEP B uses the same shared key to decrypt all traffic inbound from Network A. Traffic flowing in the opposite direction is secured in the same manner using Shared Key 1.
EncrypTight Policy Enforcement Points (PEPs) can be configured for Layer 2 or Layer 3/4 operation. Models include:
ET0010A
ET0100A
ET1000A

Point-to-Point Negotiated Topology

You can protect simple, point-to-point Ethernet links using ETEMS. Two PEPs can be configured with ETEMS to protect a Layer 2 Ethernet link, without any need for ETPM or ETKMS. The policies and key are negotiated directly by the two PEPs, without requiring a centralized key generation and distribution tool.
This option provides a simple, quick, and straightforward way to secure a single point-to-point Layer 2 Ethernet link. All you need to secure your traffic is ETEMS and two ETEP encryption appliances.
The ETEP can be managed in-line or out-of-band through a dedicated Ethernet management interface, as shown in Figure 6.
Figure 6 Layer 2 Point-to-Point Deployment


Use the Policy Manager (ETPM) and Key Management System (ETKMS) to create a Layer 3 point-to-point distributed key policy as one of several policies in a larger, more complex EncrypTight deployment.
The ETEP’s variable speed feature is controlled by the installation of a license. Note that you cannot install a license on the ETEP until you first enter a license for EncrypTight. For more information about licensing, see “Managing Licenses” on page 56.
Related topics:
“Distributed Key Topologies” on page 17
“EncrypTight Element Management System” on page 20
“Policy Manager” on page 20
“Key Management System” on page 20
“Policy Enforcement Point” on page 21
“Creating Layer 2 Point-to-Point Policies” on page 335
Security within EncrypTight
Because EncrypTight generates keys that provide security throughout a network, it is critical that the EncrypTight components also be secured.
Security in the EncrypTight system has two general areas:
“Secure Communications Between Devices” on page 24
“Secure Key Storage within the ETKMS” on page 24

Secure Communications Between Devices

Each node in the distributed key system (the EncrypTight management station, the ETKMSs, and the PEPs) communicates policy and status information with the other nodes. Given the distributed nature of networks, much of this communication occurs across public networks.
EncrypTight uses Transport Layer Security (TLS) to encrypt management traffic between EncrypTight components. This protocol allows secure communication between the devices in the system while providing information about the secure stream to EncrypTight. You can enhance that security by authenticating the management communications between EncrypTight components using certificates. To learn more about certificates and strict authentication, see “Using Enhanced Security Features” on page 261.

Secure Key Storage within the ETKMS

Key generation and key storage on the ETKMS are critical to maintaining security in EncrypTight. The ETKMS uses the following mechanisms to protect the keys:
Generates keys using known secure algorithms
Encrypts keys that are distributed and stored locally
Limits access to keys to authorized administrators
Prevents external probing to access or modify keys
Optionally generates and stores keys in a hardware security module

2 EncrypTight Deployment Planning

When deploying EncrypTight, you must plan the following:
EncrypTight Component Connections
Network Clock Synchronization
IPv6 Address Support
Certificate Support
Network Addressing for IP Networks

EncrypTight Component Connections

EncrypTight can be managed in-line or out-of-band. When managing in-line, management traffic flows through the data path. You must enable the Passing TLS traffic in the clear feature on all PEPs for proper communication among EncrypTight components (ETEMS, ETPM, ETKMS, PEPs). When passing TLS in the clear is enabled on Layer 2 PEPs, TLS and ARP packets are sent unencrypted.
If your network uses other routing protocols that need to pass in the clear, consider the following:
At Layer 3, create policies to pass the routing protocols in the clear. The PEPs must also be configured to pass non-IP traffic in the clear (this is the default setting on the Advanced tab in ETEMS).
At Layer 2, consider a separate out-of-band management network, or put the management traffic on a separate VLAN and create a Layer 2 policy to pass packets with this VLAN tag in the clear. Customer support can advise you on a solution that works best in your network.
Use local site policies
Local site policies allow you to create locally configured policies using CLI commands, without requiring an EncrypTight ETKMS for key distribution. Using the local-site CLI commands you can create manual key encryption policies, bypass policies, and discard policies at either Layer 2 or Layer 3. Mesh policies can be created by adding policies that share the identical keys and SPIs to multiple ETEPs.
The primary use for local site policies is to facilitate in-line management in Layer 2 encrypted networks. These policies supplement existing encryption policies, adding the flexibility to encrypt or pass in the clear specific Layer 3 routing protocols, or Layer 2 Ethertypes and VLAN IDs.
For information on creating and using local site policies, see the CLI User Guide.
This chapter discusses connections between each of the EncrypTight components, providing in-line and out-of-band examples.
“Management Station Connections” on page 26
The EncrypTight software includes ETEMS for appliance configuration, ETPM for policy management, and a local ETKMS. The local ETKMS deploys keys and policies to all of the PEPs that it manages and checks the PEPs’ status. The management station also uses other services such as NTP, syslog, and SNMP.
“ETPM to ETKMS Connections” on page 26
The ETPM passes metapolicies to the ETKMSs and checks the status of the PEPs through the ETKMSs.
“External ETKMS to ETKMS Connections” on page 29
When multiple ETKMSs are used in a system, the ETKMSs must be able to share keys. If you set up a ETKMS to serve as a backup for another ETKMS, the backup ETKMS periodically checks the status of the primary ETKMS in case of ETKMS failure.
“ETKMS to PEP Connections” on page 31
Each ETKMS deploys keys and policies to all of the PEPs that it manages and checks the PEPs status.

Management Station Connections

Keep the following items in mind when setting up your management connections:
PEPs can be managed in-line or out-of-band. When managing the PEPs in-line, management traffic flows through the data path. In distributed key deployments, enable the Pass TLS traffic in the clear option on the PEPs to ensure proper communication between the PEP and other EncrypTight components. This is configured on the Features tab of the ETEMS Appliance editor.
The PEP management ports and management services such as NTP, syslog, and SNMP must be directly addressable on the same network.
EncrypTight to PEP connections when using a local ETKMS:
The EncrypTight software includes ETEMS, ETPM and local ETKMS. When you use a local ETKMS, the ETKMS software runs as a separate process on the same workstation as the ETPM software. In this scenario, ETPM communicates directly with the ETKMS without using a network connection.
The communications between the local ETKMS and the PEPs require a connection between an Ethernet port on the management workstation and the management port on each PEP. For these connections, follow the same general guidelines as external ETKMSs, outlined in “ETKMS to PEP Connections” on page 31. The only difference is that the connections originate from the management workstation and not an external ETKMS.

ETPM to ETKMS Connections

The ETPM sends metapolicies to the ETKMSs and checks the status of the PEPs through the ETKMSs. The communications between EncrypTight components depend on a connection between the Ethernet ports on each device. External ETKMSs can be located on the same subnetwork with the ETPM, or the ETPM and ETKMSs can be located on different subnetworks. If you use a local ETKMS, ETPM communicates directly with the ETKMS without using a network connection.
This section describes the planning for the following connections:
“ETPM and ETKMS on the Same Subnetwork” on page 27
“ETPM and ETKMS on Different Subnetworks” on page 27
ETPM and ETKMS on the Same Subnetwork
When the ETPM is located on the same subnetwork as the external ETKMS, the ETPM communicates with the ETKMS over the internal protected network using Ethernet connections as shown in Figure 7.
Figure 7 ETPM and ETKMS located in the same subnetwork
ETPM and ETKMS on Different Subnetworks
The ETPM and ETKMS interconnections on different subnetworks depend on the type of policy: Layer 3 IP policy or Layer 2 Ethernet policy.
ETPM and ETKMS in Layer 3 IP Policies
With larger IP networks, the ETPM and the external ETKMSs could be located on different subnetworks, as shown in Figure 8. When managing the ETPM and ETKMS in-line, the communications path between the devices must pass through one or more PEPs and potentially one or more firewalls. For in-line management, in which management traffic can flow through the data path, be sure that the Enable passing TLS traffic in the clear feature is selected on all PEPs. Enable this feature from the ETEMS Appliance editor. By default, the Layer 3 PEPs are configured to pass all TLS traffic (port 443) in the clear.
The Enable passing TLS traffic in the clear feature passes all TLS traffic in the clear for all destination addresses. For added security, disable passing TLS traffic in the clear and create a policy for all TLS traffic (port 443) between EncrypTight components. For more information on creating policies, see “Creating Distributed Key Policies” on page 181.
Figure 8 In-line ETKMS management in an IP network
ETPM and ETKMS in Layer 2 Ethernet Policies
With Ethernet networks, you use Layer 2 PEPs. As with IP networks, when managing the ETPM and external ETKMS in-line the communications path between the devices must pass through one or more PEPs and potentially one or more firewalls. For in-line management with Layer 2 PEPs be sure that the Enable passing TLS traffic in the clear feature is selected in the ETEMS Appliance editor.
If you need to pass additional traffic in the clear, such as routing protocols, you can route the management communications using out-of-band connections or put your management traffic on a separate VLAN.
If you choose to put the management traffic on a separate VLAN, you will need to create a Layer 2 policy to pass packets with this VLAN tag in the clear. To prevent an interruption in management traffic, set the policy’s key renewal/lifetime to zero, so that the policy does not expire.
With out-of-band management, the management traffic between the ETPM and ETKMS is routed over a separate network path through the ISP. When the communications path passes through any firewalls, be sure to configure the firewall to pass TLS traffic. Figure 9 shows an out-of-band management scenario with the ETPM connecting to an external ETKMS with Layer 2 PEPs encrypting Ethernet data.
Figure 9 Out-of-band ETKMS management in an Ethernet network

External ETKMS to ETKMS Connections

ETKMSs must be able to communicate with each other in two situations:
Backup ETKMSs are used for redundancy
Multiple ETKMSs share policy information and keys to distribute to the PEPs that they control
This section addresses the connections between two or more external ETKMSs. If you also use a local ETKMS, the basic principles discussed here still apply.
If the ETKMSs are on the same subnetwork, the ETKMS to ETKMS interconnection is straightforward. ETKMSs communicate with each other using the Ethernet ports on each ETKMS. For large, dispersed networks, multiple ETKMSs must be able to share keys with each other. The connections between ETKMSs depend on the network type: IP network or Ethernet network.
This section includes the following topics:
“Connections for Backup ETKMSs” on page 29
“Connecting Multiple ETKMSs in an IP Network” on page 30
“ETKMS to ETKMS Connections in Ethernet Networks” on page 30
Connections for Backup ETKMSs
In some EncrypTight configurations a pair of ETKMSs, a primary ETKMS and a secondary ETKMS, are used to provide network redundancy. The ETPM distributes the policies to both the primary ETKMS and backup ETKMS. Only the primary ETKMS distributes the keys and policies to the PEPs. If the backup ETKMS detects a communication failure with the primary ETKMS due to an ETKMS failure or network failure, the backup ETKMS assumes the generation and distribution of the keys and policies to the PEPs. Once communication with the primary ETKMS is reestablished, the primary resumes the distribution of the keys and policies to the PEPs.
Backup ETKMSs should be external ETKMSs. Using a local ETKMS as a backup ETKMS is not recommended. If you use backup ETKMSs, the backup ETKMS must be able to check the status of the primary ETKMS so that it can take over operations in the event of a communication failure. It is recommended that you locate the backup ETKMS and the primary ETKMS together. The primary and backup ETKMSs communicate using the Ethernet ports on each ETKMS.
Also keep in mind the following:
Both the primary ETKMS and the backup ETKMS must be able to communicate with the same PEPs.
Each ETKMS can only use one backup ETKMS. Similarly, each backup ETKMS can only serve as a backup to one ETKMS.
Backup ETKMSs must use the same type of IP address as the primary ETKMS. For example, if the primary uses an IPv6 address, the backup ETKMS must use an IPv6 address.
You do not explicitly add backup ETKMSs to the Appliance Manager in ETEMS and they are not listed in that window. Instead, you specify a backup ETKMS when you add a primary ETKMS in ETEMS, and only the primary ETKMS is listed in the Appliance Manager.
Connecting Multiple ETKMSs in an IP Network
Figure 10 shows two external ETKMSs located on different IP networks. Both ETKMSs are used as primary ETKMSs in a large, dispersed network.
When the ETKMSs are managed in-line, the communications path between the devices must pass through one or more PEPs and potentially one or more firewalls. By default, the Layer 3 PEPs pass all TLS traffic (port 443) in the clear. Be sure that the Enable passing TLS traffic in the clear feature is enabled for all PEPs which must pass TLS traffic. Enable this feature from the ETEMS Appliance editor.
Figure 10 In-line management of ETKMSs located on different IP networks
ETKMS to ETKMS Connections in Ethernet Networks
For in-line management when the ETKMSs are on different Ethernet networks, make sure that the Enable passing TLS traffic in the clear feature is enabled on the Layer 2 PEPs.
If you need to pass additional traffic in the clear, such as routing protocols, you can route the management communications using out-of-band connections or put your management traffic on a separate VLAN.
If you choose to put the management traffic on a separate VLAN, you will need to create a Layer 2 policy to pass the VLAN tag in the clear. To prevent an interruption in management traffic, set the policy’s key renewal/lifetime to zero, which means “do not expire or update.”
With out-of-band management, the management traffic between the ETKMSs is routed over a separate network path through the ISP. When the communications path passes through any firewalls, be sure to configure the firewall to pass TLS traffic. Figure 11 shows an out-of-band management scenario with the external ETKMS connecting to another external ETKMS, with Layer 2 PEPs encrypting Ethernet data.
Figure 11 Out-of-band management of ETKMSs located on different Ethernet networks

ETKMS to PEP Connections

The communications between the ETKMSs and the PEPs require a connection between the Ethernet ports on each ETKMS and the management port on each PEP. The ETKMS to PEP connections depend on the network type: IP network or Ethernet network.
This section addresses connections between external ETKMSs and the PEPs. If you also use a local ETKMS, the basic principles discussed here still apply. However, a local ETKMS runs on the same workstation as the ETPM. Therefore the communications between the local ETKMS and the PEPs require a connection between an Ethernet port on the management workstation and the management port on each PEP.
This section includes the following topics:
“ETKMS to PEP Connections in IP Networks” on page 31
“ETKMS to PEP Connections in Ethernet Networks” on page 32
ETKMS to PEP Connections in IP Networks
Figure 12 shows one external ETKMS connecting to two PEPs. The connection between the ETKMS and the first PEP, which is co-located on the same network, is straightforward. The ETKMS’s Ethernet port connects through the internal protected network to the PEP’s management port.
When managing in-line, the connection between the ETKMS and the second PEP located on a different network must pass through the data ports on both PEPs to get to the management port on the second PEP.
To successfully pass management traffic, be sure that the Enable passing TLS traffic in the clear feature is enabled on all of the PEPs. By default, the Layer 3 PEPs pass all TLS traffic (port 443) in the clear. This option is configured on the Features tab of the ETEMS Appliance editor.
Figure 12 In-line ETKMS to PEP communications in IP networks
ETKMS to PEP Connections in Ethernet Networks
If the ETKMS and the PEP are located on the same subnetwork, the ETKMS to PEP interconnection is straightforward. For in-line management when the ETKMS and the PEP are located on different Ethernet networks, make sure that the Enable passing TLS traffic in the clear feature is enabled on the Layer 2 PEPs.
If you need to pass additional traffic in the clear, such as routing protocols, you can route the management communications using out-of-band connections or put your management traffic on a separate VLAN.
If you choose to put the management traffic on a separate VLAN, you will need to create a Layer 2 policy to pass the VLAN tag in the clear. To prevent an interruption in management traffic, set the policy’s key renewal/lifetime to zero, which means “do not expire or update.”
With out-of-band management, the management traffic between the ETKMSs and the PEPs is routed over a separate network path through the ISP. When communications paths pass through any firewalls, be sure to configure the firewalls to pass TLS traffic. Figure 13 shows an out-of-band management scenario with the external ETKMS connecting to a PEP on a different subnetwork with Layer 2 PEPs encrypting Ethernet data.
Figure 13 Out-of-band ETKMS to PEP communications in Ethernet networks

Network Clock Synchronization

CAUTION: Failure to synchronize the time of all EncrypTight components can result in a loss of packets or compromised security.
EncrypTight requires that the clocks on all the system’s components be synchronized. If the clocks are not synchronized, communications between the components can be delayed, which can prevent the system from working as planned.
For example, the keys on the PEPs all have an expiration time. The ETKMSs must generate new keys and policies prior to that expiration time in order to prevent a lapse in security or loss of network data. In addition, PEPs that implement the same policy require matching sets of keys for communications to occur. If one PEP’s keys expire before another PEP’s keys or if one PEP’s keys become active before another PEP’s keys, packets can be improperly dropped or passed in the clear.
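To make the cost of unsynchronized clocks concrete, the following added Python model (not EncrypTight code; all times, offsets and key windows are constructed) computes the intervals in which two PEPs disagree about whether a shared key is valid, and whether a packet sent at a given moment would be accepted by the receiving PEP.

```python
"""Model how clock skew between PEPs opens key-validity mismatch windows.

Added illustration; not EncrypTight product code. Times are seconds on a
reference clock (the NTP source); an offset is how far a PEP's clock runs
ahead (+) or behind (-) of it. All values are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyWindow:
    key_id: str
    active_at: int   # reference time the ETKMS intends the key to start
    expires_at: int  # reference time the key expires


def local_window(key, offset):
    """Reference-time interval in which a PEP with clock offset `offset`
    treats `key` as valid. A clock running 30 s ahead reaches active_at
    30 s early, so the window shifts earlier by the offset."""
    return (key.active_at - offset, key.expires_at - offset)


def mismatch_intervals(key, offset_a, offset_b):
    """Reference-time intervals in which exactly one of two PEPs sharing
    `key` considers it valid. In those intervals one side applies the key
    and the other does not, so traffic is dropped or, depending on the
    fallback configured, passed in the clear."""
    (a0, a1), (b0, b1) = local_window(key, offset_a), local_window(key, offset_b)
    points = sorted({a0, a1, b0, b1})
    result = []
    for start, end in zip(points, points[1:]):
        in_a = a0 <= start < a1
        in_b = b0 <= start < b1
        if in_a != in_b:
            if result and result[-1][1] == start:   # merge adjacent segments
                result[-1] = (result[-1][0], end)
            else:
                result.append((start, end))
    return result


def exposure_seconds(key, offset_a, offset_b):
    """Total seconds per key during which the two PEPs disagree; with a
    skew smaller than the key lifetime this is twice the skew, once at
    activation and once at expiry."""
    return sum(end - start for start, end in mismatch_intervals(key, offset_a, offset_b))


def key_in_use(keys, t, offset):
    """Key a PEP would apply at reference time `t`: the most recently
    activated key that is valid by its own clock, or None."""
    valid = [k for k in keys if local_window(k, offset)[0] <= t < local_window(k, offset)[1]]
    return max(valid, key=lambda k: k.active_at, default=None)


def packet_outcome(keys, t, sender_offset, receiver_offset):
    """'ok' when the receiver also holds the sender's chosen key as valid,
    'no-key' when the sender has no valid key at all, else 'mismatch'."""
    chosen = key_in_use(keys, t, sender_offset)
    if chosen is None:
        return "no-key"
    r0, r1 = local_window(chosen, receiver_offset)
    return "ok" if r0 <= t < r1 else "mismatch"


if __name__ == "__main__":
    # Constructed rotation: k2 is generated before k1 expires, as the guide requires.
    rotation = [KeyWindow("k1", 0, 3600), KeyWindow("k2", 3600, 7200)]
    print(exposure_seconds(rotation[0], 0, 30))   # 60 seconds per key at 30 s skew
    print(packet_outcome(rotation, 3590, 30, 0))  # sender 30 s ahead: mismatch
```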
It is essential that ETPM, ETKMS, and PEPs are synchronized to the same time source.
Configure the workstation running EncrypTight to synchronize with a corporate time server within your network or with a public time server located somewhere on the Internet, or install a time service on the management station.
External ETKMSs run on Linux servers that have Network Time Protocol (NTP) installed. Each of these ETKMSs can operate as an NTP server or an NTP client, or both. You can configure each ETKMS to synchronize with a time server, or you can configure the ETPM, ETKMSs and PEPs to synchronize with one of the ETKMS servers.
The PEPs include a Simple Network Time Protocol (SNTP) client, which can connect to an NTP server. The PEP SNTP client supports unicast client mode, in which the client sends a request to the designated NTP server and waits for a reply from the server.
You can check the current time of your PEPs in the ETEMS Appliance Manager. Refresh the status of the appliances and then view the Date/Time column (you may need to resize the columns).
After you enable SNTP on ETEP PEPs and push the configuration, the ETEP PEPs immediately synchronize with the NTP server.
If you re-provision a PEP that has been out of service, it is recommended that you synchronize the appliance with an NTP server and reboot it before you attempt to use the PEP with either ETEMS or ETPM. For more information on using SNTP, see the configuration chapter for your PEP.

IPv6 Address Support

EncrypTight supports using both IPv4 and IPv6 addresses for the ETKMS and the management port of the ETEPs, as well as on the management workstation. The IPv6 standard was developed to provide a larger address space than the IPv4 standard and is intended to replace it as the IP addresses that are available with the older standard are exhausted. IPv6 addressing also provides other benefits, such as more efficient routing.
IPv6 addresses are 128-bit addresses consisting of eight hexadecimal groups that are separated by colons, followed by an indication of the prefix length. Each group is a 4-digit hexadecimal number. The hexadecimal letters in IPv6 addresses are not case sensitive.
The prefix length is a decimal value that indicates the number of contiguous, higher-order bits of the address that make up the network portion of the address. The decimal value is preceded by a forward slash (/). Valid values are 0-128 inclusive.
IPv6 addresses are typically composed of two logical parts: a network prefix (a block of address space, like an IPv4 subnet mask), and a host part. The prefix length indicates the number of bits used for the network portion of the address.
The following is an example of an IPv6 address with a 64-bit prefix:
2001:0DB8:0000:0000:0211:11FF:FE58:0743/64
IPv6 representation can be simplified by removing the leading zeros in any of the hexadecimal groups. Trailing zeroes may not be removed. Each group must include at least one digit.
IPv6 addresses often contain consecutive groups of zeros. To further simplify address entry, you can use two colons (::) to represent the consecutive groups of zeros when typing the IPv6 address. You can use two colons (::) only once in an IPv6 address.
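The following added Python (not EncrypTight code; it reimplements the representation rules stated above rather than calling a library, so each rule is visible) expands a compressed address to the full form, produces the compressed form, and rejects the malformed cases the rules exclude; the address family check at the end applies the dual-homing requirement for ETKMS-to-ETEP connections described later in this section. The sample addresses are the ones from this section plus constructed IPv4 ones.

```python
"""Expand, compress and validate IPv6 address text by the rules above.

Added illustration; not EncrypTight code. The rules are implemented
directly (instead of via the stdlib ipaddress module) so each is visible.
"""
import re

HEX_GROUP = re.compile(r"^[0-9A-Fa-f]{1,4}$")


def expand_ipv6(text):
    """Return the full form: eight 4-digit groups, prefix length kept.

    Rejects more than one '::', an empty group, a group longer than four
    hex digits, the wrong number of groups, and a prefix outside 0-128.
    """
    addr, _, prefix = text.partition("/")
    if prefix and not (prefix.isdigit() and 0 <= int(prefix) <= 128):
        raise ValueError(f"prefix length must be 0-128: /{prefix}")
    if addr.count("::") > 1:
        raise ValueError("'::' may be used only once")
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError(f"expected 8 groups, found {len(groups)}")
    for group in groups:
        if not HEX_GROUP.match(group):
            raise ValueError(f"bad group {group!r}: 1-4 hex digits required")
    full = ":".join(group.upper().zfill(4) for group in groups)
    return f"{full}/{prefix}" if prefix else full


def compress_ipv6(text):
    """Return the shortest form: leading zeros dropped in every group and
    the longest run of two or more zero groups replaced by '::'. Trailing
    zeros are never dropped (0740 becomes 740, not 74)."""
    addr, _, prefix = expand_ipv6(text).partition("/")
    groups = [group.lstrip("0") or "0" for group in addr.split(":")]
    best_start, best_len, i = -1, 0, 0
    while i < 8:                      # locate the longest run of zero groups
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len >= 2:
        head = ":".join(groups[:best_start])
        tail = ":".join(groups[best_start + best_len:])
        out = f"{head}::{tail}"
    else:
        out = ":".join(groups)
    return f"{out}/{prefix}" if prefix else out


def is_valid_ipv6(text):
    """True when `text` satisfies the representation rules."""
    try:
        expand_ipv6(text)
        return True
    except ValueError:
        return False


def address_family(text):
    """'IPv6' or 'IPv4' for a valid address (an optional /prefix is ignored)."""
    addr = text.partition("/")[0]
    if ":" in addr:
        expand_ipv6(addr)
        return "IPv6"
    octets = addr.split(".")
    if len(octets) == 4 and all(o.isdigit() and int(o) <= 255 for o in octets):
        return "IPv4"
    raise ValueError(f"not an IP address: {text!r}")


def etkms_can_reach(etkms_addresses, etep_address):
    """An ETKMS needs an address in the ETEP's family: an IPv4-only ETKMS
    cannot initiate a connection to an IPv6 ETEP, so a dual-homed ETKMS
    lists both an IPv4 and an IPv6 address."""
    return address_family(etep_address) in {address_family(a) for a in etkms_addresses}
```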
Table 2 IPv6 address representations
Address Format: Address Representation
Full format: 2001:0DB8:0000:0000:0211:11FF:FE58:0743
Leading zeroes dropped: 2001:DB8:0:0:211:11FF:FE58:743
Compressed format (two colons) with leading zeroes dropped: 2001:DB8::211:11FF:FE58:743
If any of your ETEPs are configured with an IPv6 address on the management port, the ETKMSs and the management workstation must be assigned an IPv6 address or configured for dual-homed operation to support both IPv4 and IPv6 addresses. If the ETKMS software is configured with an IPv4 address only, it cannot initiate connections to ETEPs that have IPv6 addresses. ETPM will not allow you to deploy a policy that includes an IPv4 ETKMS and IPv6 ETEPs.

Certificate Support

You can secure the management communications in an EncrypTight deployment using Public Key Infrastructure (PKI) certificates. By default, communications between EncrypTight components use the TLS protocol, which encrypts the communications. If you enable strict authentication, the communications are also authenticated with digitally signed certificates.
To use strict authentication, you need to select a Certificate Authority (CA) from which you want to obtain signed certificates. Depending on the CA you choose and other factors such as the types of certificates you want to purchase, acquiring certificates can take as little as an hour or less, or several days.
This User Guide assumes you already have a relationship with a CA. If you do not already have an established relationship with a CA, acquiring CA-signed certificates can take longer. The CA that you choose can provide information regarding their process and what to expect, as well as the costs involved.


Another factor to consider if you plan to use certificates is the size of your EncrypTight deployment. Generating requests and installing certificates for a large number of appliances can take a considerable amount of time. Therefore, you need to plan for sufficient time to accomplish the necessary tasks.
In addition to strict authentication, EncrypTight supports the use of smart cards such as the DoD Common Access Card (CAC) to limit access to authorized personnel and to enhance auditing. When a smart card is used, EncrypTight uses certificates from the card in addition to the certificates you install. For more information about using smart cards with EncrypTight, see “Using a Common Access Card” on page 294.
To learn more about working with certificates and strict authentication, see “Using Enhanced Security Features” on page 261.
Network Addressing for IP Networks
With Layer 3 networks, EncrypTight can use one of three network addressing methods to specify the source IP address used in the encapsulated packet’s header:
Table 3 Network Addressing Options
Addressing Method: Description
Preserve network addressing of the protected network: Uses the original source IP address in the packet header. This is the default network addressing method.
Use the PEP’s remote port address: Replaces the original source IP address in the packet header with the PEP’s remote port IP address.
Use a virtual IP address: Replaces the original source IP address in the packet header with a virtual IP address specified in the network set.
With most distributed key policies, you will preserve the network addressing of the protected networks, which is referred to as transparent mode. When you preserve the network addressing of the protected network, the encapsulated packets are routed to their proper destination without changing the routing tables within the WAN.
However, in certain situations you might want to conceal the original source IP address and replace it with either the IP address of the PEP’s remote port or a virtual IP address, which is referred to as non-transparent mode. For example, since private IP addresses cannot be routed over the internet, any traffic between private networks transmitted over the internet must use public IP addresses.
If you need to route traffic through a specific PEP, use the PEP’s remote port IP address.
For load balanced traffic, use a virtual IP address.
In the example shown in Figure 14, traffic is being sent between a corporate data center and remote locations over a Layer 3 public internet. The traffic is encrypted using a policy defined in ETPM. The PEPs are configured to operate in non-transparent mode in order to hide the source IP address of the packets. The traffic to and from the data center is load balanced and therefore a virtual IP address is used on both data center PEPs (labeled #2 in Figure 14). The remote sites use a remote port IP address to force traffic through a specific PEP. The specified IP addresses appear in the encryption header rather than the original source IP address.
Figure 14 Using remote IP and virtual IP addresses to obscure the source address of the original packet
NOTE
ETEP PEPs operate in transparent mode by default and no IP address is assigned to the local or remote ports. To use a remote port IP address or a virtual IP address, you need to disable transparent mode and assign the needed IP addresses when you add and configure the ETEP in ETEMS. With a virtual IP address, you also need to change the routing tables in the routers.
To use a virtual IP address as the source IP address:
1 Use ETEMS to disable transparent mode for the ETEP PEPs and configure the IP address settings for the local and remote ports.
2 Make sure the ETEP PEPs are configured to use Layer 3 encryption policies.
3 Use ETPM to configure the network sets to use virtual IP addresses. For information about creating network sets, see “Managing Network Sets” on page 167.
4 Use the policy editor in ETPM to disable both of the Addressing Mode Override options in order to prevent the policy settings from overriding the virtual IP address settings. For more information about policy settings, see “Policy Concepts” on page 181.
5 Verify that the WAN can direct the return traffic, destined for the virtual IP address, to the PEP’s remote port. A static route entry and a static ARP entry will need to be configured in the WAN router. For information on how to set up static routes, see the documentation for your router.
Multicast network policies always preserve the network addressing of the protected networks.
Related topics:
“Adding a Network Set” on page 170
“Addressing Mode” on page 185
“ETEP Configuration” on page 299

3 Installation and Configuration

This section describes how to install and configure EncrypTight for the first time, including:
Before You Start
EncrypTight Software Installation
Management Station Configuration
Installing ETKMSs
Configuring ETKMSs
Policy Enforcement Point Configuration
Default User Accounts and Passwords
Managing Licenses
Next Steps

Before You Start

EncrypTight is a system that uses dedicated encryption devices referred to as Policy Enforcement Points (PEPs), a central server for distributing encryption keys (the Key Management System, or ETKMS), and a workstation running the management software.
Install the EncrypTight software on a secure workstation.
Install the ETKMS in a physically secure location and connect it to the network so that it can communicate with the management workstation and the PEPs.
Install and configure the PEPs, usually at the point in your network where traffic is being sent to or from an untrusted network.
The EncrypTight software (version 1.9 and later) and the throughput speed of ETEPs with software version 1.6 and later are controlled by licenses. You must install a license for the EncrypTight software, and a license on each ETEP in your deployment. For more information, see “Managing Licenses” on page 56.
This chapter provides instructions for these tasks. If you plan on using enhanced security options such as certificates, please refer to “Using Enhanced Security Features” on page 261 for additional configuration instructions.
Before you install EncrypTight, review the following topics:
“Hardware Requirements” on page 38
“Software Requirements” on page 38
“Firewall Ports” on page 39

Hardware Requirements

EncrypTight software can be installed on a Windows PC or laptop.
Table 4 EncrypTight management station requirements
Component | Requirements for the EncrypTight software
Operating System | Windows XP with SP3
CPU | 3.0 GHz Pentium 4
RAM | 512 MB
Hard disk space | 165 MB
CD ROM drive | Read or read/write

Software Requirements

The third party software listed in Table 5 is used in conjunction with EncrypTight to manage EncrypTight appliances. This software has been verified for use with EncrypTight and EncrypTight appliances.
Table 5 Third party management station software
Software | How it’s used | Vendor
FTP server | Copies files to and from EncrypTight appliances, including log files and new firmware | Microsoft FTP server, included with Windows XP
SFTP server (optional: available with ETEP 1.6 and later) | Secures file transfers to and from EncrypTight appliances | Cerberus FTP Server 4 – Professional Edition
PDF reader | Opens the user documentation files on the product CD | Adobe Acrobat Reader version 6.0 or higher. Free download available from www.adobe.com.
SSH client (ETEPs) | Securely connects to the ETEP CLI | PuTTY, included with the ETEMS installation
Syslog server (optional) | Records log events to a syslog server | Kiwi Syslog Server version 7.2.20 or higher (installed as an application). Free download available from www.kiwisyslog.com.
Browser | Used to configure external ETKMSs | Internet Explorer 6.0 or higher, included with Windows XP
If any of your ETEPs are configured with IPv6 addresses on the management ports, the management workstation and the ETKMSs must also be configured with an IPv6 address. See the documentation for your operating system for information on how to enable support for IPv6 and IPv4 addresses.

Firewall Ports

In order for EncrypTight components to communicate, you need to make sure that any firewalls in your system are configured to allow the following protocols.
Table 6 Firewall ports
Protocol | Port | Comments
FTP | TCP 20, 21 | Used for upgrading the software on a PEP.
HTTP | TCP 80 | Used to communicate management information to EncrypTight appliances when TLS is disabled.
ICMP/Ping | (no port) | Used to check connectivity with a device.
IPsec ESP | IP protocol 50 | Used in encryption policies.
SFTP | TCP 22 | Used for secure FTP operations.
SNMP | UDP 161, 162 | Used to send SNMP traps from the PEPs to a management workstation.
SNTP | UDP 123 | Used for time synchronization among EncrypTight components.
SSH | TCP 22 | Used to securely access the CLI on ETEP PEPs and the ETKMS.
Syslog | UDP 514 | Used to send syslog messages from the PEPs to a syslog server.
TLS (HTTPS) | TCP 443 | A secure method of communicating management information between ETEMS and the PEPs.
XML-RPC | TCP 443 | Used for communications between ETPM and the ETKMSs and between the ETKMSs and the PEPs.

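Table 6 doubles as an allow-list for the management plane: anything else that reaches a PEP or an ETKMS, or HTTP reaching a PEP while TLS is enabled, deserves a look. The script below is an added example, not part of the Black Box guide or an EncrypTight tool; it transcribes the table into a lookup and audits a constructed flow log against it. The log layout (timestamp, source, destination, protocol, destination port, action), the addresses and the TLS state are all assumptions.

```python
"""Audit flow records against the EncrypTight firewall port table (Table 6).

Added example, not part of the Black Box guide. The record layout is a
constructed, simplified "timestamp src dst proto dport action" format;
adapt parse_record() to your firewall's own export format.
"""
from typing import Dict, List, Optional, Tuple

# Allowed flows transcribed from Table 6. Key: (protocol, destination port);
# None means the protocol carries no port (ICMP, ESP).
ALLOWED: Dict[Tuple[str, Optional[int]], str] = {
    ("tcp", 20): "FTP", ("tcp", 21): "FTP",
    ("tcp", 22): "SSH / SFTP",
    ("tcp", 80): "HTTP",            # legitimate only when TLS is disabled
    ("tcp", 443): "TLS (HTTPS) / XML-RPC",
    ("udp", 123): "SNTP",
    ("udp", 161): "SNMP", ("udp", 162): "SNMP",
    ("udp", 514): "Syslog",
    ("icmp", None): "ICMP/Ping",
    ("esp", None): "IPsec ESP (IP protocol 50)",
}


def parse_record(line: str) -> Tuple[str, str, str, Optional[int]]:
    """Split one constructed flow record into (src, dst, proto, dport)."""
    _ts, src, dst, proto, dport, _action = line.split()
    port = None if dport == "-" else int(dport)
    return src, dst, proto.lower(), port


def classify(proto: str, dport: Optional[int], tls_enabled: bool) -> Tuple[str, str]:
    """Return (verdict, service) for one flow.

    verdict is "ok", "cleartext-mgmt" (HTTP seen although TLS is enabled, so
    management traffic may be travelling unencrypted) or "unexpected"
    (protocol/port not listed in Table 6).
    """
    service = ALLOWED.get((proto, dport))
    if service is None:
        return "unexpected", f"{proto}/{dport}"
    if (proto, dport) == ("tcp", 80) and tls_enabled:
        return "cleartext-mgmt", service
    return "ok", service


def audit(log_text: str, tls_enabled: bool = True) -> List[Tuple[int, str, str]]:
    """Return (line_number, verdict, detail) for every flow needing attention."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        src, dst, proto, dport = parse_record(line)
        verdict, service = classify(proto, dport, tls_enabled)
        if verdict != "ok":
            findings.append((n, verdict, f"{src} -> {dst} {service}"))
    return findings


# Constructed sample: 10.0.0.5 is the management station, 10.0.0.20 a PEP,
# 10.0.0.30 a peer PEP. Lines 5 and 6 are the ones that should be reported.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 10.0.0.20 tcp 443 ACCEPT
2024-01-01T10:00:01Z 10.0.0.5 10.0.0.20 tcp 22 ACCEPT
2024-01-01T10:00:02Z 10.0.0.20 10.0.0.5 udp 514 ACCEPT
2024-01-01T10:00:03Z 10.0.0.20 10.0.0.30 esp - ACCEPT
2024-01-01T10:00:04Z 10.0.0.5 10.0.0.20 tcp 80 ACCEPT
2024-01-01T10:00:05Z 10.0.0.5 10.0.0.20 tcp 23 ACCEPT
"""

if __name__ == "__main__":
    for n, verdict, detail in audit(SAMPLE_LOG):
        print(f"line {n}: {verdict}: {detail}")
```

Run it with `tls_enabled=False` to see the HTTP finding disappear, which matches the table's own caveat that TCP 80 is only used when TLS is disabled.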
EncrypTight Software Installation
EncrypTight installation tasks are described in the following topics:
“Installing EncrypTight Software for the First Time” on page 39
“Upgrading to a New Version of EncrypTight” on page 40
“Uninstalling EncrypTight Software” on page 40
“Starting EncrypTight” on page 40
“Exiting EncrypTight” on page 41

Installing EncrypTight Software for the First Time

To install EncrypTight for the first time, follow the procedure below.
To install the EncrypTight software:
1 Quit all programs before installing EncrypTight.
2 Insert the EncrypTight CD into the CD-ROM drive. The installation program should start automatically. If it does not, open the CD and double click EncrypTight.exe.
3 Follow the instructions in the installation wizard. Click Next to advance through the wizard.
4 When the installation is complete, click Done to quit the installer.
NOTE
It is strongly recommended that you synchronize the workstation hosting the EncrypTight software with an NTP server either on your network or on the Internet. For EncrypTight to function properly, all of the elements of EncrypTight need to synchronize with NTP servers.
Related topics:
“Uninstalling EncrypTight Software” on page 40
“Installing Software Updates” on page 73
“Network Clock Synchronization” on page 33

Upgrading to a New Version of EncrypTight

Prior to upgrading to a new version of EncrypTight, uninstall the previous version (see “Uninstalling EncrypTight Software” on page 40). Previously installed third party software should be unaffected by an upgrade of EncrypTight.
To learn how to preserve and transfer your appliance and policy data if you are upgrading from ETEMS to EncrypTight, and for information about updating EncrypTight components to new versions, see “Installing Software Updates” on page 73.

Uninstalling EncrypTight Software

To uninstall EncrypTight:
1 If you use a local ETKMS, stop it before continuing. For more information, see “Launching and Stopping a Local ETKMS” on page 45.
2 Exit the EncrypTight application.
3 In the Microsoft Windows Control Panel, click Add or Remove Programs.
4 From the list of programs, select EncrypTight. Click Change/Remove.
5 The uninstall wizard asks if you want to save the appliance configurations. If you plan to reinstall EncrypTight or upgrade to a new version, click Yes to save the workspace data for use in the new version. Workspace data includes appliance configurations, default configurations, and policy data. User accounts are also retained, but not Login preferences. If you select No, workspace data and user accounts are deleted during the uninstall process.
Preferences are not saved when EncrypTight is uninstalled, regardless of whether you opt to save the appliance configurations.

Starting EncrypTight

Only one user at a time can be logged in to EncrypTight. User authentication is enabled by default. Use the default userId and password to log in to EncrypTight the first time. You can then change the default account or disable user authentication.
To start ETEMS:
1 From the Start menu, select All Programs > EncrypTight.
2 In the Login screen, enter the UserId admin and Password admin. Note that the userId and password are case sensitive.
3 Click Login.
NOTE
EncrypTight allows a maximum of three login attempts. After three unsuccessful login attempts, the EncrypTight software closes and must be restarted.
Related topics:
“Managing EncrypTight Users” on page 61
“Using a Common Access Card” on page 294
“Getting Started with ETEMS” on page 83

Exiting EncrypTight

Exiting EncrypTight terminates the application. The EncrypTight appliances continue to operate as configured, regardless of whether EncrypTight is open. To prevent unauthorized users from accessing appliances, exit EncrypTight when the application is unattended or not in use.
Local and external ETKMSs, as well as all PEPs, continue to run even when the EncrypTight application is closed.
To exit EncrypTight:
On the File menu, click Exit.
Management Station Configuration
The section includes the following topics:
“Securing the Management Interface” on page 42
“Enabling the Microsoft FTP Server” on page 42
“Configuring the Syslog Server” on page 43

Securing the Management Interface

EncrypTight provides the methods listed in Table 7 for encrypted and unencrypted communications between the management PC and the appliance’s management port.
Table 7 ETEMS communications options
Option | Description
TLS | TLS (HTTPS) is used to encrypt communications between ETEMS and the appliance. TLS is enabled by default in EncrypTight. No additional software or configuration is required.
SSH | Provides secure remote access to the appliance CLI from the management PC. Available on ETEP appliances. An SSH client is included with EncrypTight. No additional configuration is required.
Consider the following items before choosing a method for securing management communications:
HTTP is unavailable on ETEP appliances. If you disable TLS, ETEMS will be unable to communicate with ETEP appliances.
You can enable IPSec on ETEPs with software version 1.6 or newer to establish secure communications to specific hosts.

Enabling the Microsoft FTP Server

EncrypTight uses FTP server software running on the management station to perform software upgrades on appliances and to extract appliance log files for viewing in ETEMS. This version of EncrypTight has been qualified with the Microsoft FTP server, which is included with the Windows XP operating system.
If you choose to use an SFTP server, refer to the documentation for your server software to learn about configuration options.
The following procedures describe how to enable the Microsoft FTP server and set up a new user. Prior to performing these tasks, check with your Windows administrator for information and restrictions specific to your organization’s network.
To enable the Microsoft FTP Server service:
1 In the Control Panel, click Add or Remove Programs.
2 Click Add/Remove Windows Components.
3 Select Internet Information Services (IIS).
4 Click Details.
5 Select File Transfer Protocol (FTP) Service, and then click OK.
6 Click Next to start the Windows Component Wizard.
To create a user on the management station for the FTP client to access:
1 In Windows Explorer, right-click My Computer and select Manage.
2 Expand Local Users and Groups.
3 Select Users and right-click.
4 Select New User to define the user name and password.

Configuring the Syslog Server

The EncrypTight appliance can be configured to send log messages and events to a syslog server on the management PC or other device. First, install the Kiwi Syslog Daemon as an application and follow the documentation provided with the product for initial configuration.
After you have installed the syslog daemon, use ETEMS to configure the appliances to send log messages to the syslog server. See the configuration chapter for your appliance model for more information about configuring syslog servers and log events.

Installing ETKMSs

Install the ETKMS server in a physically secure location. This server should be dedicated to the ETKMS functionality and requires the following external connections:
Table 8 ETKMS server connections
Connection | Description
System Power | Connect the system power to a grounded electrical source. An uninterrupted power supply (UPS) is recommended.
Mouse | You can use a USB or PS2 mouse. A USB mouse can connect to either of the two USB ports on the front panel or either of the two USB ports on the rear panel. A PS2 mouse connects to the mouse connector on the rear panel.
Keyboard | You can use a USB or PS2 keyboard. The USB keyboard can connect to either of the two USB ports on the front panel or either of the two USB ports on the rear panel. A PS2 keyboard connects to the keyboard connector on the rear panel.
Monitor | Connect the monitor to the video connector on the front or rear panel.
Network connection (eth0) | eth0 is the Linux designation for the Ethernet connection with a path to the management workstation containing the ETPM and to the PEPs’ management ports. eth0 is normally configured to the Gb1 connector on the rear panel.
Network connection (eth1) | eth1 is inactive and unavailable by default.
The mouse and keyboard are required only for the initial system configuration and can be disconnected after you complete the ETKMS installation.
ETKMSs are shipped with a factory default IP address of 192.168.1.3.

Configuring ETKMSs

Although some of the essential configuration of an ETKMS is the same for both local ETKMSs and external ETKMSs, the procedures for configuring each are different. For this reason, the basic configuration of a local ETKMS is discussed separately.
This section includes the following topics:
“Basic Configuration for Local ETKMSs” on page 44
“Configuring External ETKMSs” on page 46
“Configuring Syslog Reporting on the ETKMSs” on page 54

Basic Configuration for Local ETKMSs

The basic configuration of a local ETKMS includes assigning an IP address and launching the ETKMS software.
This section includes the following topics:
“About Local ETKMSs” on page 44
“Adding a Local ETKMS” on page 44
“Launching and Stopping a Local ETKMS” on page 45
“Starting the Local ETKMS Automatically” on page 45
About Local ETKMSs
Local ETKMSs are intended for use with small to medium networks with no more than 10 nodes. When you use a local ETKMS, the ETKMS software runs on the same workstation as the EncrypTight software. Keep in mind the following information:
Although the EncrypTight application does not need to remain open, the ETKMS software needs to run continuously in order to renew keys and refresh policies. For this reason, install the EncrypTight software on a reliable workstation. In addition, disable the Windows standby and hibernation modes. The local ETKMS software cannot renew keys and refresh policy lifetimes if the workstation enters standby or hibernation mode.
It is strongly recommended that you assign a static IP address to the local ETKMS. If the local ETKMS IP address does not match the management station IP address, an error is generated when you attempt to launch the local ETKMS. You can use either an IPv4 address or an IPv6 address.
Local ETKMSs use the time and date settings in effect on the workstation on which the EncrypTight software is installed. Because EncrypTight is dependent on network-wide clock synchronization, it is strongly recommended that you set up the management workstation to synchronize with an NTP server rather than setting the date and time manually. You should use the same time service for the EncrypTight workstation and the PEPs.
You cannot run web server software on the same workstation as the EncrypTight software. The ETKMS application must use port 443. When a web service is running on the workstation, an error message appears in the ETKMS window.
To stop the Windows XP web service, click Control Panel > Administrative Tools > Internet Information Services. Click the Web Sites folder, and stop the Default Web Site service. To stop another web service that is running or to configure it to use a different port, see the documentation for the web service.
Adding a Local ETKMS
You add a local ETKMS in the ETEMS Appliance Manager. The IP address must be the IP address of the workstation on which EncrypTight is installed.
To add a local ETKMS:
1 In the Appliance Manager, click File > New.
2 In the New Appliance editor, from the Product Family box, select ETKMS LM.
3 From the Software Version box, select the appropriate software version.
4 In the Appliance Name box, enter a name for this local ETKMS.
5 In the IP Address box, enter the IP address of the workstation on which EncrypTight is installed. The address can be either an IPv4 address or an IPv6 address.
6 Click Save.
Related topics:
“Launching and Stopping a Local ETKMS” on page 45
“Starting the Local ETKMS Automatically” on page 45
Launching and Stopping a Local ETKMS
When you launch a local ETKMS, the ETKMS software runs as a separate application in a command line window on the management workstation. If the management workstation running the local ETKMS restarts, you must relaunch the local ETKMS.
To launch a local ETKMS:
1 In the Appliance Manager, select the local ETKMS.
2 Click Tools > Launch ETKMS LM.
The ETKMS software starts and opens a command line window.
To stop a local ETKMS:
1 Switch to the command line window in which the local ETKMS is running.
2 Press CTRL + C.
3 Type Y.
Related topic:
“Starting the Local ETKMS Automatically” on page 45
Starting the Local ETKMS Automatically
EncrypTight ships with a batch file that you can configure to start the local ETKMS automatically when a user logs in the management PC. This eliminates the need to launch EncrypTight to start the local ETKMS.
The batch file, named start.bat, is included on the EncrypTight software CD. The batch file starts the local ETKMS when you log in to the management PC and stops it when you log out or the PC is powered off.
Changes to the local ETKMS configuration or EncrypTight software may necessitate changes to the batch file, as described in Table 9.
Table 9 Maintaining the start.bat file
Type of change | Action
Upgrade to a new version of EncrypTight | No action required.
Change the ETKMS LM name or IP address in ETEMS | Modify the batch file variables to match the new ETKMS configuration.
Permanently uninstall EncrypTight | Manually delete start.bat from the PC. It is not removed by the uninstall program.
Discontinue using a local ETKMS | Delete the start.bat file from the PC.
Prior to configuring the batch file, do the following:
1 Add an ETKMS LM in ETEMS (see “Adding a Local ETKMS” on page 44).
2 Launch the local ETKMS (Tools > Launch ETKMS LM). Successfully launching the local ETKMS demonstrates that the IP address is configured correctly and that there are no conflicting services running on the management station.
After launching the local ETKMS, configure the batch file to start the ETKMS automatically.
To configure the batch file:
1 Open the start.bat file in a text editor and modify the variables described in Table 10.
2 Save the file and copy it to the \Programs\Startup folder for the management PC user. A typical path might be something like this: C:\Documents and Settings\username.domainname\Start Menu\Programs\Startup\.
The next time that you log in to the management PC, the ETKMS software will start and open a command line window.
Table 10 Local ETKMS Batch file variables
Variable | Description
installDir | The EncrypTight installation directory. The default path is C:\Program Files\EncrypTight.
Name | The name as configured in ETEMS.
IpAddress | The IP address as configured in ETEMS.
Related topics:
“About Local ETKMSs” on page 44
“Adding a Local ETKMS” on page 44
“Launching and Stopping a Local ETKMS” on page 45

Configuring External ETKMSs

The minimum required steps to configure an external ETKMS include configuring the network connection (which includes the IP address and hostname) and specifying an NTP server for time synchronization.
This section includes the following topics:
“Logging Into the ETKMS” on page 47
“Changing the Admin Password” on page 47
“Changing the Root Password” on page 48
“Configure the Network Connection” on page 49
“Configure Time and Date Properties” on page 51
“Starting and Stopping the ETKMS Service” on page 53
“Checking the Status of the ETKMS” on page 54
“Secure the Server with the Front Bezel” on page 54
Logging Into the ETKMS
To configure the ETKMS, you must connect the monitor, keyboard, and mouse and log into the server directly.
The ETKMS has two default user accounts, admin and root. The default password for the admin account is admin. The default password for the root user is password. You can use the admin account to log into the ETKMS remotely using SSH for troubleshooting and management purposes. The root user can only log into the ETKMS directly. You must log in as root to configure the ETKMS.
To maintain the security of your system and networks, it is strongly recommended that you change the default admin password and the default root password as one of your first tasks, and periodically after that.
To log into the ETKMS:
1 At the login prompt, enter a user name and press Enter.
2 At the Password prompt, enter the password and press Enter.
Related topics:
“Changing the Admin Password” on page 47
“Changing the Root Password” on page 48
Changing the Admin Password
The first time you log into the ETKMS as admin, you must change the password. Changing the default admin password is an essential step in maintaining the security of the ETKMS and EncrypTight. After that first log in, use the following procedure to change the admin password.
To change the admin password:
1 Log in as admin.
2 Type passwd and press Enter.
3 At the prompt, type the current password and press Enter.
4 At the prompt, type the new password and press Enter.
5 At the prompt, retype the new password and press Enter.
It is recommended that the new password be at least six characters long, contain a sufficient number of different characters, and not be a common dictionary word.
6 Type exit to log out from the admin account.
For example:
Localhost login: admin
Password:
[admin@localhost ~]$ passwd
(current) UNIX password:
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[admin@localhost ~]$ exit
Related topics:
“Logging Into the ETKMS” on page 47
“Changing the Root Password” on page 48
Changing the Root Password
It is strongly recommended that you change the default root password when you initially set up the ETKMS server. It is recommended that the new password for the root user be at least eight characters long and contain a variety of different characters. Passwords are case sensitive and can include spaces. Do not use common words or phrases. You can use all printable keyboard characters and symbols. To create a strong password, consider the following:
Use at least one uppercase and at least one lowercase alphabetic character.
Use at least one numeric digit.
Use at least one non-alphanumeric symbol.
The default password for the root user is password.
To change the root password:
1 Log in as root.
2 Type passwd and press Enter.
3 Follow the prompts to change the root password.
Remain logged in as root to complete the ETKMS configuration.
CAUTION
Keep track of the passwords you assign. If you lose these passwords, you can lose the ability to communicate with and manage the ETKMS. In some cases, restoring the unit to working order can require factory service.
Related topics:
“Logging Into the ETKMS” on page 47
“Changing the Admin Password” on page 47
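The admin and root password rules stated in the two sections above can be checked mechanically before a password is set on the ETKMS, which is useful when several servers are being commissioned at once. The script below is an added example, not part of the Black Box guide or the ETKMS software. Its word list is a constructed stand-in for a real dictionary, and the minimum of four distinct characters used for the admin rule is an assumption standing in for the guide's "sufficient number of different characters".

```python
"""Check ETKMS password candidates against the rules stated in this chapter.

Added example, not part of the Black Box guide or the ETKMS software.
COMMON_WORDS is a constructed stand-in for a real dictionary, and
ADMIN_MIN_DISTINCT is an assumption (the guide only says "a sufficient
number of different characters").
"""
import string
from typing import Iterable, List

COMMON_WORDS = {"password", "admin", "welcome", "letmein", "changeme"}  # constructed

# The guide allows all printable keyboard characters, including spaces.
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")
ADMIN_MIN_DISTINCT = 4  # assumption, see module docstring


def _letters_only(text: str) -> str:
    """Lower-case letters of the text, so 'Let me in 1!' compares as 'letmein'."""
    return "".join(c for c in text.lower() if c.isalpha())


def _is_common(password: str, words: Iterable[str]) -> bool:
    """True if the letters of the password spell a listed word or phrase."""
    core = _letters_only(password)
    return any(core == _letters_only(w) for w in words)


def root_password_problems(password: str, words: Iterable[str] = COMMON_WORDS) -> List[str]:
    """Return every root-password rule the candidate violates (empty list = OK)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if any(c not in PRINTABLE for c in password):
        problems.append("contains non-printable characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no non-alphanumeric symbol")
    if _is_common(password, words):
        problems.append("is a common word or phrase")
    return problems


def admin_password_problems(password: str, words: Iterable[str] = COMMON_WORDS) -> List[str]:
    """Return every admin-password rule the candidate violates (empty list = OK)."""
    problems = []
    if len(password) < 6:
        problems.append("shorter than 6 characters")
    if len(set(password)) < ADMIN_MIN_DISTINCT:
        problems.append(f"fewer than {ADMIN_MIN_DISTINCT} distinct characters")
    if _is_common(password, words):
        problems.append("is a common dictionary word")
    return problems


if __name__ == "__main__":
    # Constructed candidates; the first two are the factory defaults from this chapter.
    for candidate in ("password", "admin", "Let me in 1!", "Correct Horse 7!"):
        print(f"root  {candidate!r}: {root_password_problems(candidate) or 'OK'}")
        print(f"admin {candidate!r}: {admin_password_problems(candidate) or 'OK'}")
```

The letters-only comparison deliberately ignores digits, symbols and spaces so that "Let me in 1!" is still recognised as the phrase "letmein"; it does not catch letter substitutions, so treat the dictionary check as a floor, not a guarantee.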
Configure the Network Connection
The eth0 connection is the network connection with a path to the management workstation running ETPM and to the PEPs’ management port. The eth1 connection is inactive and unavailable. Set the network connection as required by your network configuration, but it is recommended that you set a static IP address. You can assign both an IPv4 address and IPv6 address, if needed.
NOTE
If any of your ETEPs are configured with IPv6 addresses, you must configure the ETKMS and the management workstation to use an IPv6 address instead of, or in addition to, an IPv4 address. If the ETKMS software is configured with an IPv4 address only, it cannot initiate connections to ETEPs that have IPv6 addresses. ETPM will not allow you to deploy a policy that includes an IPv4 ETKMS and IPv6 ETEPs.
IPv4
Setting up the network connection requires running two scripts.
To configure the network connection and hostname:
1 At the command prompt, type system-config-network.
2 Tab to the Edit Devices option and press Enter.
3 Tab to the eth0 device and press Enter.
4 Make sure that DHCP is not selected (use the spacebar to clear any selection) and then enter the:
Static IP
Netmask
Default Gateway IP address
5 Tab to OK and press Enter.
6 Tab to Save and press Enter.
7 Tab to Edit DNS configuration and press Enter.
8 Enter the Hostname, Primary DNS, Secondary DNS, and Search information.
9 Tab to OK and press Enter.
10 Tab to Save & Quit and press Enter.
11 At the command prompt, type /opt/etkms/bin/etc-hosts-config.sh and press Enter.
12 At the command line, restart the network service by typing service network restart and press Enter.
13 At the command line, restart the ETKMS service by typing service etkms restart and press Enter.
Verify the IP Address and Hostname Changes
You can use the following commands to verify the IP address and hostname changes:
At the command line, type ifconfig and press Enter to view the IP address.
At the command line, type hostname and press Enter to view the full hostname, such as serv4.company.com.
Type hostname -s and press Enter to view the short hostname. In this example, if the full hostname is serv4.company.com, the short name is serv4.
IPv6
Setting up the network connections to use IPv6 addresses requires modifying several files.
To configure the network interface:
1 Using a text editor of your choice, edit the file:
/etc/sysconfig/network-scripts/ifcfg-eth0
2 To add an IPv6 address, add the following lines:
IPV6INIT=yes
IPV6ADDR=<IPv6 Address>
Where <IPv6 Address> is the IPv6 address that you want to assign to the ETKMS. If you are using an IPv6 address, you also need to edit the etkmsParams.sh file (see “To specify the IPv6 address of the ETKMS in the parameters script:” on page 50).
3 Save and close the file.
To specify the IPv6 address of the ETKMS in the parameters script:
1 Edit the file:
/opt/etkms/bin/etkmsParams.sh
2 Edit the ETKMS_IP parameter to add the IPv6 address of the ETKMS.
Do not make any other changes to this file.
3 Save and close the file.
To set the hostname and IPv6 default gateway address:
1 Edit the file:
/etc/sysconfig/network
2 For an IPv6 address, add the following lines:
NETWORKING_IPV6=yes
IPV6_DEFAULTGW=<gateway address>
Where <gateway address> is the IPv6 address of the default gateway.
Whether you are using IPv4 or IPv6 addresses, if this ETKMS is a backup ETKMS, the hostname must be the same as the primary ETKMS with backup appended to the name. For example, the backup ETKMS for a primary ETKMS named ETKMS1.mycompany.com must be named ETKMS1backup.mycompany.com.
3 Save and close the file.
To set the default DNS server and configure the hosts file:
1 At the command prompt, type system-config-network.
2 Tab to Edit DNS configuration and press Enter.
3 Enter the Hostname, Primary DNS, Secondary DNS, and Search information.
4 Tab to OK and press Enter.
5 Tab to Save & Quit and press Enter.
6 At the command prompt, type /opt/etkms/bin/etc-hosts-config.sh and press Enter.
7 At the command line, restart the network service by typing service network restart and press Enter.
8 At the command line, restart the ETKMS service by typing service etkms restart and press Enter.
NOTE
Verify the IP address and hostname changes (see “Verify the IP Address and Hostname Changes” on page 49).
Make a note of the eth0 IP address and the hostname. You will need this information in order to add the ETKMS in ETEMS.
It is strongly recommended that you set a static IP address and turn off DHCP. Do not use DHCP to obtain an IP address.
If you are configuring a backup ETKMS, you must use the same type of IP address for the backup as you used for the primary. For example, if the primary ETKMS was assigned an IPv6 address, you must assign an IPv6 address to the backup.
TIP
When you add the ETKMS in ETEMS, use the short hostname. For example, if the full hostname is etkms1.mycompany.com, the ETKMS name is etkms1. In addition, the ETKMS name is case sensitive.
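Hand-editing ifcfg-eth0 and /etc/sysconfig/network as described above is easy to get wrong on a server you will rarely log into again (a duplicated IPV6INIT line, a mistyped address, a backup named inconsistently with its primary). The script below is an added example, not part of the Black Box guide or the ETKMS software: it applies the same KEY=value changes idempotently to file contents, validates the IPv6 address and gateway before touching anything, and derives the backup ETKMS hostname from the primary's name by the rule given above. The sample file contents are constructed; apply_to_file() only writes to the path you hand it.

```python
"""Apply the IPv6 settings from this chapter to sysconfig-style files.

Added example, not part of the Black Box guide or the ETKMS software. It
edits KEY=value files (ifcfg-eth0, /etc/sysconfig/network) idempotently:
an existing key is rewritten in place, a missing key is appended, and all
other lines, including comments, are preserved. Sample contents below are
constructed.
"""
import ipaddress
from typing import Dict, List


def set_vars(lines: List[str], updates: Dict[str, str]) -> List[str]:
    """Return a copy of lines with each KEY in updates set exactly once."""
    out: List[str] = []
    seen = set()
    for raw in lines:
        line = raw.rstrip("\n")
        stripped = line.strip()
        key = None
        if stripped and not stripped.startswith("#") and "=" in stripped:
            key = stripped.split("=", 1)[0].strip()
        if key in updates:
            out.append(f"{key}={updates[key]}")   # rewrite in place
            seen.add(key)
        else:
            out.append(line)
    for key, value in updates.items():           # append whatever was missing
        if key not in seen:
            out.append(f"{key}={value}")
    return out


def ipv6_interface_updates(address: str) -> Dict[str, str]:
    """The two lines the guide adds to ifcfg-eth0; an optional /prefix is allowed."""
    ipaddress.IPv6Address(address.split("/", 1)[0])  # raises ValueError if malformed
    return {"IPV6INIT": "yes", "IPV6ADDR": address}


def ipv6_network_updates(gateway: str) -> Dict[str, str]:
    """The two lines the guide adds to /etc/sysconfig/network."""
    ipaddress.IPv6Address(gateway)
    return {"NETWORKING_IPV6": "yes", "IPV6_DEFAULTGW": gateway}


def backup_hostname(primary_fqdn: str) -> str:
    """Backup ETKMS hostname: primary short name + 'backup', same domain."""
    short, dot, domain = primary_fqdn.partition(".")
    return f"{short}backup{dot}{domain}"


def apply_to_file(path: str, updates: Dict[str, str]) -> None:
    """Read, update and rewrite one sysconfig file (on a real ETKMS, run as root)."""
    with open(path, encoding="ascii") as fh:
        lines = fh.readlines()
    with open(path, "w", encoding="ascii") as fh:
        fh.write("\n".join(set_vars(lines, updates)) + "\n")


# Constructed ifcfg-eth0 content with a stale IPV6INIT=no that must be overwritten.
SAMPLE_IFCFG = [
    "# Constructed sample, not a real ETKMS file",
    "DEVICE=eth0",
    "BOOTPROTO=static",
    "IPADDR=192.168.1.3",
    "IPV6INIT=no",
]

if __name__ == "__main__":
    for line in set_vars(SAMPLE_IFCFG, ipv6_interface_updates("2001:db8::3/64")):
        print(line)
    print(backup_hostname("ETKMS1.mycompany.com"))
```

Running set_vars() twice with the same updates yields the same result, which is the property you want from anything that edits a file the etc-hosts-config.sh script and the network service will read back later.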
Related topics:
“Configure Time and Date Properties” on page 51
“Check the Status of the Hardware Security Module” on page 53
“Starting and Stopping the ETKMS Service” on page 53
Configure Time and Date Properties
All EncrypTight components, including the ETKMS, should be synchronized with a time server, preferably the same time server. Configure the time and date properties and then check the status of the connection with the time source. You must be logged into the ETKMS as root to make these changes.
Before you configure the NTP service, you might want to use the Linux date command to set the system clock. If there is a large difference between the hardware clock and the NTP server, it can take significantly longer for the clock to synchronize with the server. You can learn about the Linux date command from many online sources.
To set the time zone:
1 Edit the file
/etc/sysconfig/clock
2 For the Zone value, specify the appropriate filename. Zone files are located in:
/usr/share/zoneinfo
Include the parent directory in the entry (for example, America/New_York).
3 Save and close the file.
To set up time synchronization:
1 Edit the file:
/etc/ntp.conf
2 Replace the defaults with your preferred time server. You can specify multiple time servers and use
either IPv4 or IPv6 addresses. For example, the new section should look similar to the following:
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 192.168.2.22
3 Save and close the file.
4 To set up the NTP daemon to start every time the server starts, at the command line, type:
chkconfig ntpd on
Changes to the NTP settings do not take effect until you restart the NTP daemon or the entire server.
To restart the NTP daemon:
1 At the command line, type:
service ntpd restart
To check the time source connection status:
1 At the command line, type:
ntpq -p
The result of this command should be similar to the following:
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ns.unc.edu      129.6.15.28      2 u  222  512   37   25.160  -173753  83.394
The fields described in Table 11 can help you determine if there is a time sync problem.
Table 11 ntpq -p command output
Field | Description
remote | IP address of the NTP server.
st (stratum) | A stratum value of 16 indicates a time synchronization failure.
when | Number of seconds since the last poll. This value should be less than or equal to the poll value. A “when” value that exceeds the “poll” value indicates a time sync problem.
poll | Polling interval in seconds. The “poll” value will be greater than the “when” value when the time server is synchronizing successfully.
jitter | A value of 4000.00 indicates a time synchronization failure.
The ETKMS server may initially report as unsynchronized. The synchronization may take several minutes. After multiple attempts, if the output of the ntpq -p command continues to indicate a time synchronization problem check the following:
Verify that the NTP server IP address is a valid address
If you are using a local NTP server, check to see if the NTP server is powered on
Check for network problems that may prevent the ETKMS from reaching the NTP server
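The Table 11 checks applied to captured ntpq -p output, as an added example that is not part of the EncrypTight guide. The sample output is constructed; the handling of ntpq's m/h/d interval suffixes and of a peer that has not been polled yet ("-") are additions beyond what the table states.

```python
"""Added example, not part of the EncrypTight guide: apply the Table 11 checks
(stratum 16, "when" greater than "poll", jitter 4000.00) to captured
``ntpq -p`` output and report which peers show a time-synchronization problem."""

# Constructed sample output in the layout the guide shows. The first peer line
# mirrors the guide's healthy example; the other two are made-up failure cases.
SAMPLE_NTPQ_OUTPUT = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ns.unc.edu      129.6.15.28      2 u  222  512   37   25.160  -173753  83.394
 ntp.example.net .INIT.          16 u    -   64    0    0.000    0.000 4000.00
 10.0.0.5        192.0.2.10       3 u  900  512  377    1.234    0.456   0.789
"""

# Peer-status characters that ntpq prints in the first column ("*" marks the
# peer the server is currently synchronized to; a space means no status).
TALLY_CHARS = "*+-#x.o "

COLUMNS = ("remote", "refid", "st", "t", "when", "poll",
           "reach", "delay", "offset", "jitter")


def parse_ntpq(output):
    """Return one dict per peer line, keyed by the ntpq -p column names."""
    peers = []
    for line in output.splitlines():
        if not line.strip() or line.lstrip().startswith(("remote", "=")):
            continue  # header row or separator line
        has_tally = line[0] in TALLY_CHARS
        fields = (line[1:] if has_tally else line).split()
        if len(fields) != len(COLUMNS):
            continue  # not a peer line
        peer = dict(zip(COLUMNS, fields))
        peer["tally"] = line[0] if has_tally else " "
        peer["st"] = int(peer["st"])
        for key in ("delay", "offset", "jitter"):
            peer[key] = float(peer[key])
        peers.append(peer)
    return peers


def interval_seconds(value):
    """Convert an ntpq when/poll field to seconds.

    ntpq prints plain seconds, or a count with an m/h/d suffix for long
    intervals; "-" means the peer has not been polled yet and gives None.
    """
    if value == "-":
        return None
    units = {"m": 60, "h": 3600, "d": 86400}
    if value[-1] in units:
        return int(value[:-1]) * units[value[-1]]
    return int(value)


def check_peer(peer):
    """Apply the Table 11 rules to one parsed peer; return the problems found."""
    problems = []
    if peer["st"] == 16:
        problems.append("stratum 16: time synchronization failure")
    when = interval_seconds(peer["when"])
    poll = interval_seconds(peer["poll"])
    if when is None:
        # Not in Table 11: reported so the operator re-checks after the
        # several minutes the guide says initial synchronization can take.
        problems.append("peer has not been polled yet")
    elif poll is not None and when > poll:
        problems.append("when (%d s) exceeds poll (%d s): time sync problem"
                        % (when, poll))
    if peer["jitter"] >= 4000.0:
        problems.append("jitter 4000.00: time synchronization failure")
    return problems


def check_ntpq(output):
    """Return {remote: [problems]} for every peer that fails a Table 11 check."""
    report = {}
    for peer in parse_ntpq(output):
        problems = check_peer(peer)
        if problems:
            report[peer["remote"]] = problems
    return report


def system_peer(output):
    """Return the remote the server is synchronized to ("*" tally), or None."""
    for peer in parse_ntpq(output):
        if peer["tally"] == "*":
            return peer["remote"]
    return None


if __name__ == "__main__":
    print("synchronized to:", system_peer(SAMPLE_NTPQ_OUTPUT))
    for remote, problems in check_ntpq(SAMPLE_NTPQ_OUTPUT).items():
        for problem in problems:
            print("%s: %s" % (remote, problem))
```

On the ETKMS itself, feed the live output in with ntpq -p | python3 -c 'import sys; ...' or read it from a file; an empty report means every listed peer passes the Table 11 checks.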
Related topics:
“Configure the Network Connection” on page 49
“Check the Status of the Hardware Security Module” on page 53
“Starting and Stopping the ETKMS Service” on page 53
Check the Status of the Hardware Security Module
A Hardware Security Module (HSM) for the ETKMS is available. The HSM physically secures the encryption keys used for communications between EncrypTight components. Before installing and starting the ETKMS service, make sure that the HSM device driver is running. If the HSM device driver is not running, you need to start it before running the ETKMS service.
To check the HSM device driver status:
1 At the command line, type hsmstate and press Enter.
The results should be:
HSM device 0: HSM in NORMAL MODE. RESPONDING. Usage Level=0%
If the HSM driver is not running, you need to start it.
To start the HSM device driver:
1 At the command line, type
e8k start and press Enter.
Related topics:
“Configure the Network Connection” on page 49
“Configure Time and Date Properties” on page 51
“Starting and Stopping the ETKMS Service” on page 53
Starting and Stopping the ETKMS Service
The ETKMS runs as a service in Linux. Once the ETKMS is started, the ETKMS restarts after each reboot of the Linux server.
To start the ETKMS service:
1 At the command line, type:
service etkms start
To stop the ETKMS service:
1 At the command line, type:
service etkms stop
Related topics:
“Configure the Network Connection” on page 49
“Configure Time and Date Properties” on page 51
“Check the Status of the Hardware Security Module” on page 53
Checking the Status of the ETKMS
You should check that the ETKMS service is running before you proceed to use EncrypTight.
To check the status of the ETKMS service:
1 At the command line, type:
service etkms status
Secure the Server with the Front Bezel
The bezel prevents access to the CD ROM drive, front panel USB ports, and power switch.
Black Box strongly recommends that you install the front system bezel, secure the bezel with the key provided, and store the key in a secure location. Refer to the server manufacturer’s documentation about this feature.

Configuring Syslog Reporting on the ETKMSs

You configure syslog reporting on the ETKMS by editing the ETKMS properties file,
kdist.properties. A complete discussion of all of the options for syslog reporting is beyond the
scope of this manual. You can find more information from a variety of online resources. If you are using IPv6 addresses in your system, you need to make sure that the syslog server that you use also supports IPv6 addresses.
On local ETKMSs, this file is located in <InstallDir>\tools\kdist\bin directory, where
InstallDir is the directory in which you installed the EncrypTight software.
On external ETKMSs, the file is located in the /opt/etkms/conf directory. You will need to log
into the ETKMS as root in order to make changes to this file.
To configure syslog reporting on an ETKMS:
1 In a text editor, open the
kdist.properties file.
2 Find the line near the beginning of the file that begins with:
log4j.rootLogger=ALL,R
3 Edit this line to read:
log4j.rootLogger=INFO, stdout, var, Syslog
4 Locate the section that begins with:
#Alternate logger using Remote Syslog server.
5 Uncomment the following lines by deleting the “#” symbols:
#log4j.appender.Syslog=org.apache.log4j.net.SyslogAppender
#log4j.appender.Syslog.Threshold=INFO
#log4j.appender.Syslog.layout=org.apache.log4j.PatternLayout
#log4j.appender.Syslog.ConversionPattern=%d [%t] %-5p %c{1} - %m%n
#log4j.appender.Syslog.SyslogHost=x.x.x.x.
#log4j.appender.Syslog.Syslog.Facility=USER
#log4j.appender.Syslog.FacilityPrinting=true
6 In the line log4j.appender.Syslog.SyslogHost, replace x.x.x.x with the IP address or the hostname of the syslog server.
7 Save and close the file.
8 Shut down and restart the ETKMS:
On external ETKMSs, restart the ETKMS service by typing:
service etkms restart
On local ETKMSs, close the command line window for the ETKMS software and in the
EncrypTight window, select Tools > Launch ETKMS LM.
Policy Enforcement Point Configuration
EncrypTight Policy Enforcement Points (PEPs) can be configured for Layer 2 or Layer 3/4 operation. Models include:
ET0010A
ET0100A
ET1000A
In most cases, when you install and configure the PEPs, you do not need to make addressing changes or other routing changes. The PEPs implement a network mode ESP transport mechanism that preserves all header information. The entire original packet is encrypted and a copy of the original header is used as the header for the new packet. This allows the PEPs to operate transparently, without requiring changes to your existing network addressing. You should maintain your existing network gateways as configured. You should not configure the local port on a PEP as a gateway address.
To prepare the PEPs for operation with EncrypTight:
Perform basic installation tasks.
Perform initial setup as directed in the PEP’s Installation Guide. At a minimum, this consists of connecting cables to the PEP’s communication ports and setting the management port IP address.
When they are first installed, ETEP PEPs pass all traffic in the clear until they receive policies. Refer to the documentation for your PEPs for more information on initial behavior and how to make sure the PEPs are properly installed.
If you plan to use a PEP with EncrypTight distributed key policies, you should not configure any other types of policies on the PEP before you enable EncrypTight. Doing so can have undesirable effects.
Configure the appliances in the EncrypTight software.
Using the ETEMS Appliance Manager feature in EncrypTight, add and configure each PEP. Refer to the sections below for configuration settings that are required for distributed key and negotiated key policies.
For distributed key policies, see “Adding a New PEP in ETEMS” on page 148
For point-to-point negotiated policies, see “Creating Layer 2 Point-to-Point Policies” on page 335
Related topics:
“Provisioning Basics” on page 95
“Adding a New PEP in ETEMS” on page 148
“Creating Layer 2 Point-to-Point Policies” on page 335

Default User Accounts and Passwords

Changing the default passwords for all of the EncrypTight components is an important step in maintaining the security of your network. This list is a reminder of the default passwords that you should change.
Table 12 Passwords to change
Component | Passwords
ETEP PEPs | Administrator password (admin); Network Manager/Ops password (ops)
ETKMSs | admin password; Root password; Keystore password, if you use certificates and strict authentication. The file is named etkms.keystore on an external ETKMS, and kdist.keystore on a local ETKMS.
ETEMS | Administrator password, if you enable User Authentication; User account passwords, if you enable User Authentication
For instructions on how to change the passwords, see the documentation for each component.

Managing Licenses

The use and functionality of EncrypTight components are controlled through licenses. How the licenses work and the features available depend on the component.
Licenses are required for ETEPs with software version 1.6 and later. Previous versions of ETEP
software do not require licenses.
A license is required for EncrypTight 1.9 and later. Previous versions of the EncrypTight software do
not require a license.
Each ETEP is capable of transmitting traffic at a range of speeds that varies by model. Licenses control the throughput speed. This allows you to upgrade your existing ETEPs to transmit traffic at higher speeds as your network grows and your needs change. Table 13 lists the available speeds for each ETEP model. You can specify the throughput speed of the ETEP on the Interfaces tab in the appliance editor.
Table 13 ETEP Throughput Speeds
Model Available Throughput
ET0010A 3, 6, 10, 25, 50 Mbps
ET0100A 100, 155, 250 Mbps
ET1000A 500, 650 Mbps, 1 Gbps
You need to install a license on each ETEP that you use. Licenses are linked to the serial number of the ETEP on which they are installed. You cannot install a license intended for one ETEP on a different ETEP.
NOTE: Before you begin adding PEPs and using the EncrypTight software, contact Customer Support to acquire your license key (see “Contacting Black Box Technical Support” on page 14). You need to provide the EncrypTight ID. To view the EncrypTight ID, choose Edit > License.
If you upgrade from a command line-only installation to a full EncrypTight deployment, you can no longer use the command line-only license and must acquire an EncrypTight license.
You cannot install licenses on your ETEPs until you install a license for EncrypTight. The EncrypTight license specifies the maximum number of ETEPs that can be managed in your deployment and the speeds at which they are licensed to run. The license specifically controls how many ETEPs can be configured to run at each throughput speed. For example, one EncrypTight deployment might run 10 ET0100As at 100 Mbps and an additional four ET0100As at 250 Mbps. When your needs change, you can easily upgrade the EncrypTight software to support a larger number of ETEPs.
Related topics:
“Installing Licenses” on page 57
“Upgrading Licenses” on page 58

Installing Licenses

You install and update licenses using the License Manager.
To enter EncrypTight licenses:
1 In the Appliance Manager, choose Edit > License.
2 In the License Manager, click Enter EncrypTight License.
3 In the EncrypTight License box, type the license key, or copy and paste it.
4 Click OK.
5 Click OK to close the License Manager.
After you enter a license for EncrypTight, you can install licenses on your ETEPs. The ETEP license specifies the speed at which the ETEP can transmit traffic.
To install a license on the ETEP:
1 In the Appliance Manager, select the ETEPs on which you want to install licenses.
2 Choose Tools > Put License.
You can also install the license on the ETEP when you push configurations by selecting the Put Throughput License option.
You can check to see if a license is installed and the throughput speed configuration by clicking Tools
> Compare Config to Appliance.
Be aware that CLI commands that affect the file system such as restore-filesystem will erase the
currently installed license and you will need to re-install the license to regain full functionality.

Upgrading Licenses

When your needs change, you can easily upgrade the number of ETEPs that EncrypTight can manage and you can also upgrade your ETEPs to run at faster throughput speeds.
This section includes the following topics:
“Upgrading the EncrypTight License” on page 58
“Upgrading ETEP Licenses” on page 58
Upgrading the EncrypTight License
When you upgrade the EncrypTight license, a new license replaces the old one. Contact Customer Support to acquire a new license. When you receive the new license, follow the procedure for entering EncrypTight licenses (see “To enter EncrypTight licenses:” on page 57).
For information on how to contact Customer Support, see “Contacting Black Box Technical Support” on page 14.
Upgrading ETEP Licenses
You can upgrade ETEP licenses in order to configure the ETEPs to run at faster throughput speeds. After you install a new EncrypTight license, use the same procedure for installing a license on the ETEP to upgrade the ETEPs. After installing the licenses, open the appliance editor for each affected ETEP and change the Throughput Speed to the new value. For more information about configuring ETEPs, see
“Provisioning Appliances” on page 95 and “ETEP Configuration” on page 299.
You can upgrade the ETEP whenever you have unused licenses for speeds that a selected ETEP can support. Once a license for a specific throughput speed is installed on a specific ETEP it cannot be used on any other ETEP.

Next Steps

After the EncrypTight components have been installed, use ETEMS and ETPM to configure your PEPs and policies as summarized below. See the ETEMS and ETPM sections of this user guide for more information.
If you plan on using enhanced security options such as certificates, refer to “Using Enhanced Security
Features” on page 261 before you proceed.
1 In ETEMS, configure the ETKMSs and PEPs, and push the configurations to the PEPs.
2 In ETEMS, check the communications link and status of the ETKMSs.
3 In ETEMS, make sure all PEPs are synchronized in time. You can view the date and time in the
Appliance Manager view.
4 If you are using external ETKMSs, log in to the web interface for each ETKMS and make sure that
the time is in sync with the PEPs and the management workstation.
5 In ETPM, add the policy components such as networks or VLAN ID Ranges.
6 In ETPM, create your policies.
7 In ETPM, deploy the policies to the ETKMSs and PEPs.

4 Managing EncrypTight Users

This section includes the following topics:
Working with EncrypTight User Accounts
Configuring EncrypTight User Authentication
Managing EncrypTight Accounts
Changing an EncrypTight User Password
How EncrypTight Users Work with ETEP Users

Working with EncrypTight User Accounts

This chapter discusses user accounts for the EncrypTight software. These accounts are unique to EncrypTight and should not be confused with user accounts on the appliance or external ETKMS.
EncrypTight is able to authenticate users when they start the application. This authentication check is intended to prevent an unauthorized person from adding, deleting, or modifying appliance configurations or policies. User authentication is enabled by default. When you first start EncrypTight, use the default user name admin and password admin to log in.
The following list summarizes how user accounts work:
EncrypTight has two user types: administrator and user. The EncrypTight administrator controls
access to the EncrypTight application by managing its users and passwords. The administrator can create, modify, and delete other users, while the user can change only its own password.
User verification is enabled by default.
An administrator account exists by default with the user name admin and password admin.
You must have at least one administrator account. If you have only one administrator account,
EncrypTight prevents you from deleting it until you create a replacement.
Multiple user and administrator accounts are allowed. User names must be unique.
When authentication is enabled, the default password expiration period is set to zero, which means
“do not expire.”
Table 14 EncrypTight account types and privileges
Task Administrator User
Enable user ID/password authentication Yes No
Set password expiration period Yes No
Create EncrypTight users Yes No
Modify EncrypTight user names and passwords Yes No
Delete EncrypTight users Yes No
Change own password Yes Yes
Configure appliances and policies Yes Yes
View logs and performance statistics Yes Yes
If EncrypTight is managing ETEP 1.4 and later appliances, we recommend creating a user account in EncrypTight that matches the user name and password that you plan to use on the ETEP appliances. See
“How EncrypTight Users Work with ETEP Users” on page 67 for more information.
Related topics:
“Configuring EncrypTight User Authentication” on page 62
“Managing EncrypTight Accounts” on page 65
“Changing an EncrypTight User Password” on page 66
“How EncrypTight Users Work with ETEP Users” on page 67
“Appliance User Management” on page 102

Configuring EncrypTight User Authentication

The EncrypTight administrator can set the following authentication preferences for EncrypTight users:
User ID and password authentication
Password expiration period
Login session inactivity timer
Common Access Card authentication
US government login banner displayed upon application startup
Figure 15 Login preferences
To set login preferences:
1 From the Edit menu, click Preferences.
2 In the Preferences window, expand the ETEMS tree and click Login.
3 In the Login area, configure the preferences. The options are described in the rest of this section.
4 Click Apply and then click OK.
Password Authentication and Expiration
User authentication is enabled by default. When authentication is enabled, the default password expiration period is set to zero, which means “do not expire.”
When using a finite password expiration period, the expiration date is set to the current date plus the number of expiration days. When the specified number of days elapses, the application notifies the EncrypTight user of the expiration and asks for an updated password. The password expiration field accepts values from 0–999999999.
Login Session Inactivity Timer
The login session inactivity timer lets you set a session timer for the EncrypTight software. When the time is set, the application is closed if no user activity is detected in the EncrypTight software in a specified amount of time.
As the timer approaches expiration, EncrypTight presents a warning message. If the message is acknowledged, the session timer resets. If the message is not acknowledged, the session terminates.
The timer is set to zero by default, which means that the session does not expire. The inactivity timer is specified in minutes, with valid values ranging from 0–10,080 minutes (168 hours).
The timer does not affect the local ETKMS, which continues to run regardless of whether the EncrypTight application is open.
Common Access Card Authentication
The administrator can also require that EncrypTight use a Common Access Card. When this is enabled, users must possess a Common Access Card to access the system and insert the card into the reader before they start EncrypTight. When EncrypTight opens:
You are prompted for your EncrypTight user name.
The software for the CAC reader will prompt you for your PIN.
If user authentication is also enabled (the default setting), you are prompted for your EncrypTight user
account password.
If your EncrypTight deployment includes ETEPs running software version 1.6 or later, entering a
password is optional.
If your deployment includes ETEPs with software previous to 1.6, or other models of PEPs, you
must enter a valid password.
If user authentication is not enabled, you are logged into the system immediately.
This feature is used in conjunction with strict authentication in your EncrypTight deployment. To learn how to set up your system to use strict authentication with a Common Access Card, see “Using a
Common Access Card” on page 294.
U.S. DoD Login Banner
The U.S. DoD login banner contains the U.S. government-supplied text shown in Figure 16. The login banner is disabled by default. When enabled, the login banner appears after a user enters the EncrypTight login credentials. A user must acknowledge the terms of usage to successfully log in. The banner text cannot be modified or replaced.
Figure 16 U.S. DoD login banner
Important Information about Login Preferences and Upgrades
When EncrypTight is uninstalled prior to upgrading to a new version, Login preferences are not saved. When you start the new version of EncrypTight you will need to reset your Login preferences if you use something other than the defaults. Default settings are shown in Table 15.

Managing EncrypTight Accounts

Table 15 Login preferences default settings
Preference Setting
User ID / Password Authentication Enabled
Password Expiration 0
Login Session Inactivity Timer 0
Common Access Card Authentication Disabled
U.S. DoD Login Banner Disabled
Although the Login preferences are not saved, user data is preserved through an upgrade (user ID and password). If user authentication was disabled prior to the upgrade, it will be enabled in the new software version. You will be required to enter a user ID and password when starting EncrypTight after the upgrade. Take one of the following actions to avoid being locked out of the application after upgrading to a new version of EncrypTight.
Make sure that you know a valid EncrypTight administrator user name and password prior to
upgrading.
Delete all users prior to upgrading. The default user ID and password of admin/admin will remain as
a valid account after all other users are deleted.
You can see existing accounts in the User Accounts editor (Edit > User Accounts). If you have any doubts about how to log in to an existing account, reset the administrator password.
Related topics:
“Managing EncrypTight Accounts” on page 65
“Changing an EncrypTight User Password” on page 66
“Using a Common Access Card” on page 294
Managing EncrypTight Accounts
The EncrypTight administrator can manage user accounts as follows:
Create new EncrypTight users
Modify EncrypTight user names and passwords
Delete EncrypTight user accounts
Table 16 EncrypTight user name and password conventions
Parameter | User Name | Password
Length | 1-32 characters | 1-256 characters
Case sensitive | Yes | Yes
Invalid characters | < > & “ | < > & “
Spaces allowed | Yes | Yes
Must be unique | Yes | No
Other conventions | N/A | N/A
To add an EncrypTight user account:
1 From the Edit menu, click User Accounts.
2 In the User Accounts editor, click Add.
3 In the User dialog box, enter the user name, password, and select a group ID (admin or user). If
Common Access Card Authentication is enabled, you also need to enter the common name from the user’s certificate.
4 Click OK.
To modify an EncrypTight user account:
1 From the Edit menu, click User Accounts.
2 In the User Accounts editor, select a user from the list and click Modify.
3 Make the desired changes and click OK. Password changes take effect immediately.
To delete an EncrypTight user account:
1 From the Edit menu, click User Accounts.
2 In the User Accounts editor, select a user from the list and click Delete.
Figure 17 Add, modify, and delete users in the User Accounts editor
Related topics:
“Configuring EncrypTight User Authentication” on page 62
“Configuring the Password Enforcement Policy” on page 103

Changing an EncrypTight User Password

Users and administrators can change their own passwords using the Change User Password option in the Edit menu. See Table 16 for a summary of password conventions.
To change a password:
1 From the Edit menu, click Change User Password.
2 In the Change Password window, enter the current password. Then enter the new password and
reenter to confirm.
3 Click Apply. The password change takes effect immediately.

How EncrypTight Users Work with ETEP Users

EncrypTight manages ETEP user accounts. In order for EncrypTight to communicate with the ETEP, it needs to know the ETEP’s user name and password. It will try to use the credentials that you used to log in to EncrypTight. If that doesn’t match the credentials that are configured on the ETEP, EncrypTight will ask you to enter the appliance user name and password. EncrypTight will remember these appliance credentials for the duration of the EncrypTight session.
To avoid having to enter the ETEP credentials each session, create an EncrypTight account with credentials that match the ETEP user accounts. Then log in to EncrypTight using the account that matches the ETEPs that you are managing.
Table 17 summarizes the relationship between EncrypTight users and ETEP users, which is explained in more detail in the examples that follow.
Table 17 Relationship between EncrypTight users and ETEP users
Situation | EncrypTight user ID and password | ETEP user ID and password | Result
Default users (“Example 1: Default EncrypTight user and default ETEP user”) | admin/admin | admin/admin | OK. EncrypTight can manage the ETEP.
Custom users (“Example 2: Setting up new EncrypTight and ETEP users”) | beacon/lighthouse | beacon/lighthouse | OK. EncrypTight can manage the ETEP.
Mismatched users (“Example 3: Adding a new ETEP user to EncrypTight”) | beacon/lighthouse | admin/admin | Failed communication. EncrypTight prompts you to enter the ETEP credentials so that it can manage the ETEP.
Example 1: Default EncrypTight user and default ETEP user
In a new installation of EncrypTight, the default user name and password is admin/admin. The default user name and password on the ETEP is also admin/admin.
Without any changes to EncrypTight user accounts or ETEP appliance users, EncrypTight is able to manage the ETEP using the default user names and passwords. Log in to EncrypTight as admin/admin and manage the ETEP.
Example 2: Setting up new EncrypTight and ETEP users
Set up new EncrypTight and ETEP user names and passwords as follows:
1 Log in to EncrypTight as admin/admin.
2 Add an EncrypTight administrator user to match the user name and password that you plan to set up on the ETEPs. In this example we plan to set up an ETEP admin account with the user name beacon and password lighthouse. The first step is to add a new EncrypTight account for a user called beacon, with password lighthouse and group ID admin.
Do not delete the default EncrypTight account of admin/admin until you have set up the new user on the ETEP (step 4).
3 In EncrypTight, add a new ETEP appliance and refresh its status. Because EncrypTight and the ETEP
are both using their default user names and passwords of admin/admin, EncrypTight can successfully contact the ETEP.
4 From EncrypTight, select the new ETEP and add a new appliance user with the name beacon,
password lighthouse, and role admin.
The next time you start EncrypTight, log in with the User ID beacon to manage the new ETEPs.
Example 3: Adding a new ETEP user to EncrypTight
This example adds a new ETEP appliance to an existing version of EncrypTight. The EncrypTight user is logged in to EncrypTight with the user name beacon and password lighthouse. The new ETEP has its default user name and password of admin/admin.
1 Log in to EncrypTight as beacon/lighthouse.
2 In EncrypTight, add a new ETEP appliance and refresh its status.
3 When you refresh the status, EncrypTight notifies you that the EncrypTight credentials don’t match
those on the ETEP. To continue, enter the ETEP’s default user name and password when prompted (admin/admin).
4 From EncrypTight, add the new user name beacon and password lighthouse to the ETEP (Tools >
Appliance Users > Add User). The EncrypTight and ETEP accounts now match, allowing EncrypTight to communicate with the ETEP without requiring any additional verification.
Related topics:
“Working with EncrypTight User Accounts” on page 61
“Appliance User Management” on page 102

5 Maintenance Tasks

This section includes the following topics:
Working with the EncrypTight Workspace
Installing Software Updates
Upgrading External ETKMSs

Working with the EncrypTight Workspace

The EncrypTight workspace contains all the elements that EncrypTight is managing, such as appliance configurations, data associated with ETPM and certificate information. The following topics describe how the EncrypTight workspace is structured, and how it is used to store workspace contents:
“About the EncrypTight Workspace” on page 69
“Saving a Workspace to a New Location” on page 70
“Loading an Existing Workspace” on page 71
“Moving a Workspace to a New PC” on page 72
“Deleting a Workspace” on page 72

About the EncrypTight Workspace

The workspace directory contains directories for appliances, factory configurations, defaults, and policy templates. Data generated by ETPM is also stored in the workspace directory. Note that no ETPM data is saved until you add at least one PEP in the ETEMS Appliance Manager.
EncrypTight considers the most recently opened workspace to be the active one. The file name and path are displayed in the application’s title bar. New and changed appliance configurations are saved to the active workspace.
By default the configuration files are stored in <InstallDIR>\data, where InstallDIR is the top-level EncrypTight directory. You can store your workspace in the default directory or choose one of your own.
CAUTION: Appliance configurations and policy files are stored as .xml files. These files are not encrypted or password protected. They can be opened and edited using a basic text editor. Take precautions to protect these files from unauthorized access.
EncrypTight allows you to save more than one workspace. This can be useful for backup purposes, or to segregate your work in a complex deployment. Although the EncrypTight workspace is opened and saved using the management workstation’s file system, individual appliances and policies should be added and deleted only in the EncrypTight application.
Related topics:
“Saving a Workspace to a New Location” on page 70
“Loading an Existing Workspace” on page 71
“Moving a Workspace to a New PC” on page 72

Saving a Workspace to a New Location

The following items are saved in a workspace:
The EncrypTight license (EncrypTight software version 1.9 and later)
Appliance configurations
Data that pertains to ETPM
Factory configurations and customized default configurations are considered global settings, and therefore are not saved with a workspace. The most recently defined default configuration for each appliance model/software combination is considered the active one, and is applied across workspaces.
When you save a workspace to a new location, the original workspace remains active. To make the backup workspace the active one, you need to explicitly load it (see “Loading an Existing Workspace” on page 71). To verify which workspace is active, check the directory path in the title bar.
To save a workspace to a new location:
1 On the File menu, click Save Workspace To.
2 Select a location for the saved workspace, using one of the methods listed below.
To create a new directory, navigate to the location of the new directory and click New Folder. Highlight the New Folder and rename it, and then click OK. This creates a duplicate workspace. The new folder can be located anywhere except under the EncrypTight home directory.
To select an existing directory in which to save the appliance configurations, locate the directory and select it. Click OK. This adds new appliances to an existing workspace.
If you save the current workspace to a directory that contains a pre-existing workspace, be aware of duplicate appliance names. If any of the appliance names are duplicated, the new appliance configuration in the current workspace will overwrite the configuration of that appliance in the pre-existing directory. In Figure 18, when Workspace_2 is saved to Workspace_1, Configuration A from Workspace_2 overwrites Configuration A in Workspace_1. Configs E and F are added to Workspace_1.
Figure 18 Saving one workspace to another

Loading an Existing Workspace

Reasons for loading an existing workspace are:
To load a saved workspace on a new management station
To restore a backup copy if the active workspace is damaged
To revert to previous appliance configurations and policies
To work on a different group of appliances in a network that has been segmented into several workspaces.
To load an existing workspace:
1 On the File menu, click Load Workspace.
2 Browse for the location of the saved workspace and click the directory name to select it.
Be sure to select the top level workspace directory and not the directory of an individual appliance or subdirectory within the group. In the figure above, the workspace name is data. The data directory contains a subdirectory named appliances with appliance configurations named Chicago, Denver, London, Phoenix, and Raleigh. The data directory also contains directories named defaults, factory.configurations, and policyTemplates.
3 Click OK. The new workspace is loaded, replacing the previously active workspace. The appliances’ status appears as .
4 Refresh the appliances’ status. From the Edit menu click Select All, then click .
Related topic:
“Moving a Workspace to a New PC” on page 72

Moving a Workspace to a New PC

To transfer your workspace to a new management PC, save the data folder to an interim location and then load it into the application on the new PC.
To move a workspace to a new PC:
1 On the old PC, click File > Save Workspace To and browse to an interim storage location such as a network drive or USB drive. Click OK to save a copy of the data folder.
2 Install the EncrypTight software on the new PC and start the application.
3 In the Appliance Manager, click File > Load Workspace to load the data folder from the interim storage device into ETEMS. When prompted by Windows Explorer, browse to the location of the saved data folder, select it, and click OK.
The workspace is loaded into EncrypTight. However, EncrypTight assumes that the interim storage location is the active workspace.
4 To copy the workspace from the interim storage device to the new PC, click File > Save Workspace To. Browse to the top level EncrypTight installation directory, typically \Program Files\EncrypTight. Select the EncrypTight directory and click OK to copy the data folder to it.
5 To change the location of the active workspace from the interim storage device to the EncrypTight installation directory, click File > Load Workspace, browse to the location you selected in the previous step, and click OK.
NOTE
EncrypTight 1.9 and later is a licensed product. Because EncrypTight licenses are specific to the computer on which they are installed, you will need to acquire and install a new EncrypTight license for the new computer. Contact Customer Support to acquire a new license key (see “Contacting Black Box Technical Support” on page 14).
Related topics:
“Saving a Workspace to a New Location” on page 70
“Loading an Existing Workspace” on page 71

Deleting a Workspace

Workspaces are deleted in the same way that you delete any other folder or directory on your PC. The only time that you should use your PC’s file system to manipulate EncrypTight files is to delete workspaces. Use EncrypTight to delete individual appliances and policies from a workspace.
To delete a workspace:
1 On your PC’s hard drive, locate the workspace that you want to delete.
2 Delete the workspace directory.

Installing Software Updates

Software updates for EncrypTight are available separately from the PEP software. You might need to update all of the components in your system, or only specific components. This procedure assumes that you are updating all of the components of EncrypTight. If you are upgrading from software versions that are several years old, contact customer support for assistance with your upgrade path.
To upgrade EncrypTight to a new release, take the following steps:
Step 1: Schedule the Upgrade
Step 2: Prepare ETPM Status and Renew Keys
Step 3: Upgrade the EncrypTight Software
Step 4: Verify ETKMS Status and Deploy Policies
Step 5: Upgrade PEP Software
Step 6: Change the PEP Software Version and Check Status
Step 7: Return Status Refresh and Key Renewal to Original Settings

Step 1: Schedule the Upgrade

Proper scheduling of your upgrade is imperative to minimize traffic disruptions. ETKMSs communicate with PEPs to deploy policies, and to renew keys and refresh policy lifetimes. The upgrade process for the ETKMSs and the EncrypTight software can interrupt this communication, and the upgrade for a PEP interrupts data traffic when the PEP reboots.
Review the following guidelines prior to scheduling an upgrade:
Schedule the upgrade during a planned and approved maintenance window
Do not deploy policies during the upgrade process
Do not perform upgrades when keys are scheduled to be renewed.
To prevent key renewal during the upgrade process, check the Renew Keys/Refresh Lifetime setting on each policy defined in ETPM. There are two types of settings: daily at a specific time and periodically at an interval between 0 to 65535 hours.
For policies that renew and refresh at a specific time of day, find a period when there is enough time to complete the upgrade before the scheduled key renewal.
For policies that renew periodically, temporarily change these policies to provide enough time to complete the upgrade. Consider using zero lifetime policies, which don’t rekey, until the upgrade process is complete.
The upgrade process should take about 30 minutes for each external ETKMS, 15 minutes for the EncrypTight software, and 5-15 minutes for each PEP. You can upgrade multiple PEPs at the same time, which can shorten the total length of time it takes to perform the full upgrade process.
Once you start, the ETKMSs and the EncrypTight software must be upgraded in sequence. After these upgrades are complete, you need to deploy your policies in order to trigger the ETKMSs to generate a new policy database. You should take this step before you upgrade the PEPs. Because this will interrupt traffic on the PEPs briefly, you should consider the timing of this step as you plan your upgrade.
After these upgrades are complete, you can upgrade the PEPs.
You can schedule the upgrade for each PEP at a different time, depending on the rekey settings and data traffic requirements. Because a reboot is required, the upgrade of each PEP interrupts traffic through that PEP for several minutes.

Step 2: Prepare ETPM Status and Renew Keys

To prepare ETPM status and renew keys:
1 To ensure that status information is not communicated during the upgrade, disable the ETPM automatic status refresh.
a From the ETPM main menu bar, click Edit > Preferences.
b In the Preferences window, expand the ETPM listing and select Status.
c Note the current status settings and then disable the automatic status refresh.
2 To initialize the key interval settings and allocate the longest possible time for the upgrade, manually renew the keys. From the ETPM main menu bar, click Tools > Renew Keys.

Step 3: Upgrade the EncrypTight Software

EncrypTight has a combined software installation that includes ETEMS, ETPM, and local software ETKMS.
To upgrade to the new version of EncrypTight:
1 If you use a local ETKMS, stop it before you proceed. To stop the local ETKMS, display the ETKMS window and press CTRL + C, or close the window. For more information, see “Launching and Stopping a Local ETKMS” on page 45.
2 Uninstall the old version of EncrypTight or ETEMS.
a In the Microsoft Windows Control Panel, click Add or Remove Programs.
b From the list of programs, select the program to uninstall (EncrypTight). Click Change/Remove.
c The uninstall wizard asks if you want to save the appliance configurations. Click Yes to save the configurations for use in the new version. This saves your appliance configurations, policies, and default configurations. It also saves your current EncrypTight license (software version 1.9 and later). If you do not choose to save, you will need to reinstall the EncrypTight license.
3 Install the new version of EncrypTight. Insert the EncrypTight CD into the management station’s CD-ROM drive and follow the instructions in the installation wizard. If the installation program does not start automatically, open the CD and double-click EncrypTight.exe.

Step 4: Verify ETKMS Status and Deploy Policies

After EncrypTight is upgraded, check the status of the ETKMSs and deploy the policies.
To check the ETKMS status:
1 From ETEMS, select all ETKMSs and select Tools > Refresh.
All ETKMSs should return a status.
To deploy policies:
1 Click Tools > Deploy to synchronize the EncrypTight components with the current policies. Note that this will interrupt traffic on the PEP briefly.

Step 5: Upgrade PEP Software

After you upgrade the ETKMSs and ETPM, you can upgrade the PEPs to a new software version. Using ETEMS, you can download new software from an FTP server to one or many PEPs of the same product family. For example, ETEMS can upgrade a mix of ETEP models, such as ET0010As, ET0100As, and ET1000As, in a single operation.
When upgrading software on ETEP 1.6 and later appliances, you have the option of using FTP or SFTP for secure file transfer. If you choose SFTP as the connection method, all of the selected appliances must support SFTP.
Figure 19 Upgrade remote appliances first when managing appliances in-line, where management traffic flows through the data path
If you are managing your PEPs in-line as shown in Figure 19, we recommend performing a software upgrade in two stages. First, upgrade all the PEPs at remote sites and reboot them. When the remote site PEPs are up and operational, upgrade the local site PEP, which is co-located with the EncrypTight management station. Upgrading the local site PEP at the same time as the remote PEPs can cause connectivity with the management station to be lost and the remote site upgrades to fail.
CAUTION
Software upgrades require a reboot to take effect. Rebooting the PEP interrupts data traffic for approximately two minutes. During this time all packets are discarded.
To upgrade software on the PEPs:
1 From the EncrypTight Enforcement Point CD for the PEPs that you want to upgrade, copy the folder for your appliance model to your default FTP directory.
For example, if you are upgrading ETEP PEPs, copy the ETEP folder to your FTP directory.
2 In the Appliance Manager, select the PEPs to upgrade. If you are managing the PEPs in-line, upgrade the remote site PEPs first before upgrading the data center PEP, as shown in Figure 19.
3 On the Tools menu, click Upgrade Software.
4 Enter the FTP server site information for the upgrade software, as described in Table 18. Do not use the following special characters in the FTP user name and password: @ : ? # < > &.
Optional. Click Verify to confirm that the site is reachable. If it is not, ETEMS displays a message indicating the nature of the problem.
ETEP PEPs automatically back up the file system prior to upgrading. If you experience a problem with an upgrade, you can then restore the PEP’s file system from the backup copy.
5 Select the Reboot after upgrade check box to automatically reboot the PEPs immediately following a successful upgrade. To reboot at a later time, clear the check box.
6 Click Upgrade. Upgrade results for each appliance are displayed in the Result column of the Upgrade Appliances table.
7 Upgrading the software version on the appliance does not automatically update the ETEMS configuration. After the appliances have been rebooted, you can edit the ETEMS configurations to reflect the new software version running on the appliances (Edit > Multiple Configurations > Software Version).
Table 18 FTP server site information for appliance software upgrades
Host: IP address of the management workstation running the FTP server software. If you are retrieving log files from a host that has already been configured, you can select its IP address from the Host box. ETEMS completes the remaining FTP server information for you based on the selected host IP address. ETEP 1.6 and later appliances support IPv4 and IPv6 addresses. If you are using an IPv6 host address, all of the selected appliances must support IPv6.
Path: The directory on the FTP server that contains the files of interest. Valid entries are the default FTP directory and its subdirectories. Enter the directory listing relative to the default directory. If the files are located in the default directory, leave this field blank.
User: User ID of a user on the FTP server. Do not use the following characters: @ : ? # < > &
Password: Password associated with the user name. Do not use the following characters: @ : ? # < > &
Connection Method: FTP is the default file transfer protocol and is supported on all appliance models and software revisions. SFTP provides secure file transfer. It is supported on ETEP appliances running version 1.6 and later software.
NOTE
You must reboot the ETEP PEPs after you upgrade. If you make any configuration changes to the ETEP PEPs after you upgrade and before you reboot, those changes will be lost when the PEP reboots.
If you decide later to undo the upgrade and restore a previous file system to the PEPs, you could inadvertently restore expired policies and out of date keys. You should redeploy your policies from ETPM to make sure that all of your PEPs have current policies and keys.

Step 6: Change the PEP Software Version and Check Status

To enable access to any new features available with the upgrade and avoid inconsistent status indicators, you must change the software version in the Appliance Manager for each of your PEPs. In order to check for the correct operation and connectivity of all EncrypTight components, check the status of the PEPs and policies.
To change the software version of the PEPs:
1 In the Appliance Manager, select the target appliances in the Appliances view. The selected appliances must all be the same hardware model, for example ET0100A.
2 Click Edit > Multiple Configurations > Software Version.
3 In the Modify Software Version window, select the software version from the list and then click Apply.
4 From the Appliances view, select the target appliances and push the new configuration to the appliances (Tools > Put Configuration).
To check the status of the PEPs:
1 In the Appliance Manager, highlight all PEPs and select Tools > Refresh.
All PEPs should return a status. If you see other status indicators, refer to Chapter 18 for troubleshooting information to help resolve the issues.
To check the policy status:
1 From ETPM, click Deploy Policies.
All policies should return a status. If you see other status indicators, refer to Chapter 18 for troubleshooting information to help resolve the issues.

Step 7: Return Status Refresh and Key Renewal to Original Settings

To return status refresh and key renewal to their original settings:
1 If you disabled the automatic status refresh in ETPM in “Step 2: Prepare ETPM Status and Renew Keys” on page 74, select Edit > Preferences and select ETPM Status. Click the Enable automatic status refresh check box and set the Refresh interval (in minutes).
2 If you changed the Renew keys/Refresh lifetime setting for any policies, edit each policy to reset the Renew keys/Refresh lifetime to the previous value and deploy the modified policies (Tools > Deploy).

Upgrading External ETKMSs

Local ETKMSs are upgraded when you install a new version of the EncrypTight software. See “Step 3: Upgrade the EncrypTight Software” on page 74 for the local ETKMS upgrade procedure. The following information is provided in the event that you need to upgrade the software for external ETKMSs.
Because you might need to restore some settings after the upgrade, record the following:
The IP address and name of the ETKMS in the /opt/etkms/bin/etkmsParams.sh file.
Any custom settings you made in the /opt/etkms/conf/kdist.properties file.
If you use backup ETKMSs, upgrade the primary and backup ETKMSs at the same time.
The general steps to upgrade an ETKMS are:
1 Stop and remove the current ETKMS software.
2 Install the new ETKMS software.
3 Configure the new software.
4 Start the ETKMS software.
To stop and remove the current ETKMS software:
1 Log in as the root user.
2 Type the following to stop the ETKMS service:
service etkms stop
If you use a backup ETKMS, stop the backup ETKMS first and then stop the primary ETKMS service.
3 Type the following to uninstall the ETKMS software:
rpm -e etkms
The rpm -e command moves the old ETKMS software to the /opt/etkms.backup directory. This includes the bin/etkms.params.sh file, the conf/kdist.properties file, and the keys/ directory.
4 Type the following to move the etkms.backup directory to etkms.orig (in case you need to restore the original software later):
mv /opt/etkms.backup /opt/etkms.orig
TIP
To mount the CDROM drive:
1 Insert the disk in the drive and close it.
2 If it doesn’t already exist, create the directory /media/cdrom:
mkdir /media/cdrom
3 Enter the following command:
mount -t iso9660 /dev/scd0 /media/cdrom
To install the new ETKMS software:
1 Install ETKMS RPM with the following commands:
cd /media/cdrom
rpm -ivh etkms.rpm
2 Verify that the ETKMS RPM is installed and unmount the CD with the following commands:
rpm -qi etkms
cd /
umount /media/cdrom
eject
To configure the new ETKMS software:
1 Edit /opt/etkms/bin/etkmsParams.sh for the correct IP address and ETKMS name.
2 Edit /opt/etkms/conf/kdist.properties for any custom settings.
If you have custom certificates installed, use the following command to copy the etkms.keystore file from the etkms.orig directory to the /opt/etkms/keys directory.
cp /opt/etkms.orig/keys/etkms.keystore /opt/etkms/keys/etkms.keystore
To start the ETKMS software:
1 Type the following to start the ETKMS service.
service etkms start
If you use a backup ETKMS, start the primary ETKMS first and then start the backup ETKMS.
To verify that the ETKMS is running, type:
service etkms status
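The external ETKMS upgrade above, scripted as an added example (this is not Black Box's code and is not shipped with EncrypTight). The rpm, service, mount and cp commands are the manual's own; the helper functions add the checks an operator would want around them: the configuration files are saved before the package is removed, an earlier etkms.orig is never overwritten, and the keystore is carried over only when a custom one exists. ETKMS_ROOT defaults to /opt as on the page; the RECORD_DIR location is this example's own assumption.

```shell
#!/bin/sh
# Added example wrapping the manual's external ETKMS upgrade procedure.
# Assumptions: ETKMS_ROOT is /opt (the path used in the manual) unless overridden;
# RECORD_DIR is this example's choice of where to keep copies of the old settings.

ETKMS_ROOT="${ETKMS_ROOT:-/opt}"
RECORD_DIR="${RECORD_DIR:-/root/etkms-upgrade-record}"

# Save copies of the two files the manual tells you to record (IP address/name and
# custom settings). Copying rather than parsing: their format is not documented here.
record_settings() {
    mkdir -p "$RECORD_DIR" || return 1
    cp "$ETKMS_ROOT/etkms/bin/etkmsParams.sh" "$RECORD_DIR/etkmsParams.sh" || return 1
    cp "$ETKMS_ROOT/etkms/conf/kdist.properties" "$RECORD_DIR/kdist.properties" || return 1
    chmod 700 "$RECORD_DIR"
}

# 'rpm -e etkms' leaves the old tree at $ETKMS_ROOT/etkms.backup; rename it to etkms.orig.
# Refuses if etkms.orig already exists so an earlier original is never silently lost.
rotate_backup() {
    if [ -e "$ETKMS_ROOT/etkms.orig" ]; then
        echo "refusing: $ETKMS_ROOT/etkms.orig already exists; move it aside first" >&2
        return 1
    fi
    if [ ! -d "$ETKMS_ROOT/etkms.backup" ]; then
        echo "nothing to rotate: $ETKMS_ROOT/etkms.backup not found" >&2
        return 1
    fi
    mv "$ETKMS_ROOT/etkms.backup" "$ETKMS_ROOT/etkms.orig"
}

# Carry a custom keystore into the new tree if one was installed; otherwise the new
# install's default certificates stay in place. Fails only if the copy itself fails.
restore_keystore() {
    src="$ETKMS_ROOT/etkms.orig/keys/etkms.keystore"
    dst="$ETKMS_ROOT/etkms/keys/etkms.keystore"
    if [ -f "$src" ]; then
        mkdir -p "$ETKMS_ROOT/etkms/keys" || return 1
        cp "$src" "$dst" || return 1
        chmod 600 "$dst"   # the keystore holds private key material; owner-only access
        echo "custom keystore restored to $dst"
    else
        echo "no custom keystore in etkms.orig; default certificates are in use"
    fi
}

# Pre-start check: the two files that must be edited after installation are present.
verify_install() {
    [ -f "$ETKMS_ROOT/etkms/bin/etkmsParams.sh" ] || return 1
    [ -f "$ETKMS_ROOT/etkms/conf/kdist.properties" ] || return 1
}

# Phase 1, run as root: stop, remove, rotate the backup, install from the CD.
# On a primary/backup pair keep the manual's order: stop the backup ETKMS first.
upgrade_phase1() {
    record_settings || return 1
    service etkms stop
    rpm -e etkms
    rotate_backup || return 1
    mkdir -p /media/cdrom
    mount -t iso9660 /dev/scd0 /media/cdrom
    rpm -ivh /media/cdrom/etkms.rpm
    rpm -qi etkms
    umount /media/cdrom
    eject
    echo "Now edit $ETKMS_ROOT/etkms/bin/etkmsParams.sh and conf/kdist.properties"
    echo "using the copies in $RECORD_DIR, then run this script with 'phase2'."
}

# Phase 2, run as root after the manual edits: restore the keystore and start.
# On a primary/backup pair start the primary ETKMS before the backup.
upgrade_phase2() {
    verify_install || { echo "new ETKMS tree incomplete; not starting" >&2; return 1; }
    restore_keystore || return 1
    service etkms start
    service etkms status
}

# 'sh etkms_upgrade.sh phase1' or 'phase2'; with no argument only the functions are defined.
case "${1:-}" in
    phase1) upgrade_phase1 ;;
    phase2) upgrade_phase2 ;;
esac
```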
Part II Working with Appliances using ETEMS

6 Getting Started with ETEMS

This section includes the following topics:
ETEMS Quick Tour
Understanding the ETEMS Workbench
Understanding Roles
Modifying Communication Preferences

ETEMS Quick Tour

ETEMS is the appliance management feature of EncrypTight. ETEMS provides the ability to provision and manage multiple EncrypTight appliances from a central location. The primary tasks that ETEMS supports are:
“Defining Appliance Configurations” on page 83
“Pushing Configurations to Appliances” on page 84
“Upgrading Appliance Software” on page 85
“Comparing Configurations” on page 85
“Maintenance and Troubleshooting” on page 86
“Policy and Certificate Support” on page 87

Defining Appliance Configurations

When configuring a new appliance (File > New Appliance), the first thing to do is select the product family and software version. ETEMS displays a configuration screen tailored to the specified appliance model and software version. On most appliance models the Interfaces tab contains the fields required to identify an appliance: its name, password access to the appliance, and the interface IP addresses.
Select other tabs to configure additional items on the appliance, such as EncrypTight features, SNMP or logging. The availability of specific tabs and configuration options varies depending on your appliance model and software version.
Most of the information contained on the additional tabs will be the same for all of the appliances of a particular model that you configure. To streamline the configuration of a large number of appliances, use the factory default configurations or define your own template for these common values (Edit > Default Configurations).
Figure 20 Interface configuration for a new ET1000A appliance

Pushing Configurations to Appliances

Use the Put Configurations window to push the configurations defined in ETEMS to the appliances. In the Appliance Manager, select the target appliances in the Appliances view. Then in the Tools menu, choose Put Configurations. During the “put” operation, when ETEMS pushes the configurations to the appliances, ETEMS displays the status of the operation.
Figure 21 Status is shown for each target appliance when configurations are pushed

Upgrading Appliance Software

New revisions of appliance software can be loaded on the appliances from an FTP server. Simply copy the new software to an FTP server, select the target appliances, and point to the FTP server site. Results for each appliance are displayed as they are upgraded. The new software takes effect upon appliance reboot.
Figure 22 Upgrade software on appliances from a central location

Comparing Configurations

The Compare Config to Appliance feature on the Tools menu displays the configuration stored in ETEMS and the configuration running on the appliance. If the configurations differ, this feature can help you discover and resolve discrepancies. A green check mark indicates that ETEMS and appliance settings are the same. If the settings are unequal, you can synchronize them by copying appliance settings to ETEMS or pushing the ETEMS configuration to the appliance.
Figure 23 Compare the ETEMS configuration to the appliance to discover discrepancies

Maintenance and Troubleshooting

ETEMS includes tools for monitoring and maintaining EncrypTight appliances. Some of ETEMS’s capabilities include:
Retrieving appliance log files
Displaying performance and diagnostic statistics (Figure 24)
Accessing the appliance CLI to perform administrative tasks and issue diagnostic commands.


Figure 24 Statistics view displays a snapshot of performance data on the ET0100A

Policy and Certificate Support

ETEMS’s policy feature is limited to the creation of point-to-point policies. For larger, more complex deployments use the Management and Policy Server (ETPM) to create, manage and deploy distributed key policies.
ETEMS’s policy and certificate management capabilities vary by appliance model. On some models point-to-point policy and certificate management is available directly in ETEMS; other models support these functions only from the appliance’s web interface. See the configuration chapter for your appliance model for details about specific features and functions.
Understanding the ETEMS Workbench
The ETEMS workbench contains all the elements that ETEMS is managing, such as appliance configurations, policy information, and any data associated with ETEMS perspectives, which are essentially task-specific features. This section explains the main sections of the workbench and how to navigate among them.
Figure 25 Appliance Manager perspective
Views
Views display information about items that ETEMS manages, such as appliance configurations or certificates. When you start ETEMS, the Appliance Manager opens and displays the Appliances view. Initially the Appliances view is empty. After you add appliances to ETEMS, the appliances appear in the view along with their operational status, IP addresses, product family and software version, the timestamp of when ETEMS last communicated with the appliance, and the appliance’s date and time.
From the Appliances view you can select appliances to edit, delete, or upgrade with a new version of software. Sort appliances by clicking the table column headers. Click and drag the Appliances tab to reposition the Appliances view around the editor. To focus on a specific subset of appliances, you can filter them based on management IP address.
Some ETEMS actions can be applied to a group of target appliances:
To select a contiguous block of appliances, click the first appliance to select it. Then press and hold the Shift key and click the last appliance in the block.
To select several non-contiguous appliances, click the first appliance to select it. Then press and hold the CTRL key while selecting the other appliances.
Editors
Editors in ETEMS allow you to add and change configuration information. Each editor is task-specific, such as an appliance configuration editor or a policy editor. You can arrange the views and editors to suit your needs, as described below.
You can open multiple appliance editors at the same time. The editors are stacked in a tabbed panel.
Tabbed editor windows allow you to work on more than one appliance or switch to editors from add-on features.
Editors can be stacked on top of other editors or positioned left to right. When multiple appliance editors are open, you can drag one editor next to another for a side-by-side or top-to-bottom comparison.
Click and drag a view or editor tab to move it. Or, right-click a view or editor tab to move, size, maximize or minimize the view or editor. You can also maximize views and editors by double-clicking their tabs. Double-clicking a tab again restores the previous layout.
File menu options allow you to save, save all, close, or close all open editors.
Perspectives
Perspectives show the functionality associated with a task, such as appliance configuration, certificate management, or policy management. Each perspective has its own unique set of editors, views, and toolbars that are relevant to its task. Only one perspective is visible at any time. ETEMS includes the following perspectives:
Appliance Manager is a tool for defining appliance configurations, pushing configurations to appliances, comparing configurations, and upgrading appliance software.
Certificate Manager is a tool for managing certificates on appliances, including generating certificate requests and installing certificates.
Policy Manager (ETPM) is a tool for creating and distributing security policies and encryption keys.
To open a perspective:
1 There are two ways to open a perspective. Do one of the following:
In the Window menu, click Open. Select a perspective from the list or click Other for a complete list of perspectives, including those installed as plug-ins.
On the Perspective tab in the upper right corner of the screen, click the Open Perspective button. Select a perspective from the list or click Other for a complete list of perspectives.
Related topics:
“Toolbars” on page 89
“Status Indicators” on page 90

Toolbars

The ETEMS toolbar provides shortcuts to frequently performed tasks.
Table 19 ETEMS toolbar
Button Description
Save appliance configuration.
Refresh appliance status.
Compare ETEMS and appliance configurations.
Push ETEMS configurations to appliances.
The Appliance Manager has its own toolbar that lets you minimize and maximize the view, and filter the appliances that are displayed.
Table 20 Appliance Manager toolbar
Button Description
Launch the web interface for an appliance.
Filter appliances based on management IP address. Only those matching the filter pattern are shown in the Appliances view.
Display the menu of Appliance toolbar actions. This provides an alternate method of displaying the Filter Appliances dialog box.
Minimize the Appliances view.
Maximize the Appliances view.
The Certificate Manager toolbar has buttons for generating, installing, and managing certificates. Mouse over each button to see a tooltip indicating its function.
Table 21 Certificate Manager toolbar
Button Description
View certificates
View CRLs
View certificate signing requests.
Generate certificate signing request.
Install external certificate
Install signed certificate
Install CRL

Status Indicators

The Appliances view displays the appliances that are being managed by ETEMS and their operational status. To get the current status of the appliances, refresh the view. You can sort the status column to display all devices that are in an error state at the top of the list.
Table 22 Appliance status indicators
Status Indicator Description
Unequal configurations. The ETEMS and appliance configurations are different.
OK. The ETEMS and appliance configurations are the same, and the appliance is reachable.
Appliance reboot required.
Reload policies required.
Status unknown. The appliance is not responding to ETEMS’s attempts to communicate with it or ETEMS hasn’t yet queried the appliance status.
Appliance unmanageable due to an incompatible hardware/software combination or run-time exception error.
The appliance is in an error state.

Understanding Roles

EncrypTight and the EncrypTight appliances each have unique roles that control different aspects of the product. The following sections describe the roles and how they differ:
“EncrypTight User Types” on page 91
“ETEP Appliance Roles” on page 91

EncrypTight User Types

EncrypTight has two user types: administrator and user. The EncrypTight administrator controls access to the EncrypTight application; it does not control access to the EncrypTight appliances. The EncrypTight administrator can create, modify, and delete other users and passwords, while the user can change only its own password.
Related topics:
“Managing EncrypTight Users” on page 61
“ETEP Appliance Roles” on page 91

ETEP Appliance Roles

Roles on the appliance are associated with a set of privileges and tasks that a user is able to perform on the appliance, such as assigning passwords, defining configuration settings, or creating policies.
User management is performed using ETEMS or the CLI commands. Roles can be associated with specific user names and passwords. This allows the ETEP to track which user performed an action on the appliance, as opposed to simply the role that performed the action. Each role can be associated with more than one user name.
ETEPs have two roles: Administrator and Ops.
The Administrator has access to all of the appliance functionality. This includes assigning roles, user names and passwords to all appliance users, defining appliance configurations, and defining and deploying policies. ETEMS uses the Administrator user to log in to the appliance. The Administrator also has access to all of the CLI commands.
The Ops user logs in to the appliance only through the CLI and has access to a subset of the CLI commands.
Table 23 Appliance roles for ETEPs
Function | Administrator | Ops
Manage passwords and users | Yes, in ETEMS | No
ETEMS access | Yes | No
CLI access | Yes | Yes (subset of commands)
To learn more about using ETEMS for ETEP user management, see “Appliance User Management” on page 102.

Modifying Communication Preferences

ETEMS communication preferences pertain to the communication between ETEMS and an appliance. Communication preferences fall into two categories:
General communications between ETEMS and the appliances (Table 24).
Preferences that apply only when using strict authentication for EncrypTight components (Table 25).
When strict authentication is enabled, all TLS communications between EncrypTight components are authenticated using certificates.
To change communication preferences:
1 On the Edit menu, click Preferences.
2 Click ETEMS to expand the tree, and then click Communications.
3 In the Communications window, modify any of the communication preferences (see Table 24 and Table 25).
4 Do one of the following:
Click Apply to set the new value.
Click Restore Defaults to reset the timeout to the factory setting.
5 Click OK.
Table 24 General communication preferences
Preference | Description
Communication timeout | Sets the amount of time that ETEMS waits for a response from an appliance during a standard communication attempt (refreshing status, comparing configurations, loading configurations). The valid range is 1-180 seconds.
Software upgrade timeout | Sets the amount of time that ETEMS allows for a software upgrade on an appliance to complete. The valid range is 60-1,296,000 seconds (15 days).
Use TLS | By default, ETEMS uses TLS to encrypt communications between the management workstation and the appliance’s management port. When TLS is enabled, communication between ETEMS and the appliance is encrypted. If you are managing ETEP appliances, TLS must be enabled. ETEMS cannot communicate with the ETEP when TLS is disabled.
Table 25 Strict authentication communication preferences
Preference | Description
Use Strict Certificate Authentication | When enabled, all management communications between EncrypTight components are authenticated using certificates. EncrypTight can use TLS with encryption only, or TLS with encryption and strict authentication for added security. For more information about strict authentication, see “Using Enhanced Security Features” on page 261.
Enable Online Certificate Status Protocol (OCSP) | When enabled, EncrypTight uses the online certificate status protocol (OCSP) to check the validity of certificates. OCSP is an alternative to using CRLs. For more information about OCSP, see “Validating Certificates Using OCSP” on page 289.
OCSP Responder Certificate Distinguished Name | Specifies the subject name of the certificate for the OCSP responder.
Verify OCSP Responder | Verifies OCSP responses by authenticating the response message with the installed certificate. To use this option, you must install the certificate from the OCSP responder.
Ignore Failure to Respond | When checked, this option allows ETEMS to accept a certificate even when a response to an OCSP query is not received in a timely manner.
Revert to CRL on OCSP Responder Failure | When checked, if EncrypTight does not receive a reply from the OCSP responder or it cannot be reached, EncrypTight reads the certificate to determine the location of a CRL and uses that instead of OCSP to validate the certificate. In this case, if the CRL cannot be accessed, authentication fails.
Check OCSP Responder Certificate Chain | When checked, this option specifies that ETEMS should check every certificate in the responder’s chain of trust.
OCSP URL | Specifies a URL to use for the OCSP responder. This option overrides the URL that may be included in the certificate.
Ignore CRL access failure | When enabled, allows EncrypTight to set up communication with a component even when it cannot access the certificate revocation list (CRL) associated with the certificate presented by the component. This option is enabled by default. Note that if OCSP is enabled, this option is invalid and not available. For more information about CRLs, see “Validating Certificates Using CRLs” on page 287.
CRL File Location | Specifies the location on the management workstation where you want to store CRLs.
Enable Certificate Policy Extensions | Specifies that EncrypTight checks certificates for the presence of the certificate policies extension and enforces the restrictions specified, if any. For more information on certificate policy extensions, see “Configuring the Certificate Policies Extension” on page 269.
Certificate Policy Extension OIDs | After you enable the certificate policies extension, enter the allowed OIDs in the box, separating each with a comma.
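The preferences in Table 25 combine into one accept/reject decision per peer certificate: OCSP is consulted first when it is enabled, the CRL is the fallback, and two settings (Ignore Failure to Respond, and Ignore CRL access failure, which is on by default) accept a certificate whose revocation status was never established. The following Python model is an added illustration for this guide, not EncrypTight or ETEMS code. It encodes only the behaviour the table states; the one assumption is that Ignore Failure to Respond is evaluated before Revert to CRL on OCSP Responder Failure when both are checked, since the table does not say which takes precedence. The fail_open_settings helper is the check a reviewer of a management workstation's preferences would want to run.

```python
"""Decision model of the strict-authentication revocation checks in
Table 25.  Added example for this guide, not EncrypTight or ETEMS code:
it reproduces the documented behaviour only, so the settings that
accept an unverifiable certificate stand out."""
from dataclasses import dataclass
from enum import Enum


class OcspResult(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    NO_RESPONSE = "no_response"   # responder unreachable or no timely answer


class CrlResult(Enum):
    NOT_LISTED = "not_listed"
    LISTED = "listed"
    UNAVAILABLE = "unavailable"   # CRL at the certificate's CRL location could not be read


@dataclass(frozen=True)
class StrictAuthPrefs:
    """Subset of Table 25 that affects the accept/reject decision."""
    use_strict_auth: bool = True
    enable_ocsp: bool = False
    ignore_failure_to_respond: bool = False
    revert_to_crl_on_ocsp_failure: bool = False
    ignore_crl_access_failure: bool = True   # enabled by default per Table 25


def revocation_check(prefs, ocsp, crl):
    """Return (accepted, reason) for one peer certificate.

    ocsp is the OcspResult of the query (only consulted when OCSP is
    enabled); crl is the CrlResult of reading the certificate's CRL.
    """
    if not prefs.use_strict_auth:
        return True, "strict authentication off: TLS encryption only"
    if prefs.enable_ocsp:
        if ocsp is OcspResult.GOOD:
            return True, "OCSP reports good"
        if ocsp is OcspResult.REVOKED:
            return False, "OCSP reports revoked"
        # No timely response from the responder.
        # Assumption: Ignore Failure to Respond is evaluated before the
        # CRL fallback; Table 25 does not state the precedence.
        if prefs.ignore_failure_to_respond:
            return True, "no OCSP response, accepted (fail-open)"
        if prefs.revert_to_crl_on_ocsp_failure:
            if crl is CrlResult.LISTED:
                return False, "no OCSP response; certificate listed in CRL"
            if crl is CrlResult.UNAVAILABLE:
                return False, "no OCSP response and CRL inaccessible"
            return True, "no OCSP response; CRL consulted, not listed"
        return False, "no OCSP response"
    # CRL-only mode: Ignore CRL access failure applies only here.
    if crl is CrlResult.LISTED:
        return False, "certificate listed in CRL"
    if crl is CrlResult.UNAVAILABLE:
        if prefs.ignore_crl_access_failure:
            return True, "CRL inaccessible, accepted (fail-open, default)"
        return False, "CRL inaccessible"
    return True, "certificate not listed in CRL"


def fail_open_settings(prefs):
    """Enabled preferences under which a certificate whose revocation
    status cannot be determined is still accepted."""
    found = []
    if prefs.enable_ocsp and prefs.ignore_failure_to_respond:
        found.append("Ignore Failure to Respond")
    if not prefs.enable_ocsp and prefs.ignore_crl_access_failure:
        found.append("Ignore CRL access failure")
    return found


if __name__ == "__main__":
    # The documented defaults are fail-open on CRL access failure.
    print(fail_open_settings(StrictAuthPrefs()))
    hardened = StrictAuthPrefs(enable_ocsp=True, revert_to_crl_on_ocsp_failure=True)
    for ocsp in OcspResult:
        for crl in CrlResult:
            print(ocsp.value, crl.value, revocation_check(hardened, ocsp, crl))
```

Running the module prints the fail-open settings for the defaults and then the full decision grid for a configuration with OCSP enabled and the CRL fallback on. Note that with the CRL fallback the outcome for an unreachable responder depends entirely on whether the CRL can be fetched, so the CRL File Location and the reachability of the CRL distribution point become part of the availability of management communications.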

7 Provisioning Appliances

This section includes the following topics:
Provisioning Basics
Appliance User Management
Working with Default Configurations
Provisioning Large Numbers of Appliances
Shutting Down Appliances

Provisioning Basics

ETEMS is the appliance management component of the EncrypTight software. It is a configuration and management tool that lets you provision all of your EncrypTight appliances from a central location.
There are two basic steps to perform when setting up a new appliance. First, add the appliance to ETEMS and define its configuration settings. Then, push the configuration settings to the appliance.
When configuring a new appliance, the first thing to do is select its product family and software version. ETEMS displays a configuration screen tailored to the specified appliance model and software version. On most appliance models the Interfaces tab contains the fields required to identify an appliance: its name, password access to the appliance (on applicable models), and the interface IP addresses. On ETEPs with software version 1.6 and later, you can also specify the licensed throughput speed on the Interfaces tab.
Select other tabs to configure additional items on the appliance, such as EncrypTight settings or logging. The availability of specific tabs and configuration options varies depending on your appliance model and software version.
Other than the interface IP addresses, many appliance settings will be the same for all EncrypTight appliances in your network. For these cases ETEMS lets you customize the default configuration to use on your appliances. This offers a significant time savings if you are provisioning a large number of appliances. Another time-saving feature that is useful in large deployments is ETEMS’s ability to import configurations from a comma-separated values (CSV) file.
Related topics:
“Adding a New Appliance” on page 96
“Pushing Configurations to Appliances” on page 97
“Working with Default Configurations” on page 110
“Provisioning Large Numbers of Appliances” on page 111

Adding a New Appliance

Adding a new appliance in ETEMS is the first step in being able to manage it remotely. Configuration screens are tailored to a particular combination of hardware and software, so it is important to select the correct product family and software version when adding a new appliance.
Figure 26 New Appliance editor for the ET1000A
To add a new appliance:
1 On the File menu, click New Appliance.
2 In the appliance editor, select the product family and software version of the new appliance. The appropriate configuration screen appears for your selection.
3 Enter the appliance name, which uniquely identifies the appliance in ETEMS.
4 For ETEPs with software version 1.6 or later, enter the throughput speed at which you want the ETEP to run. The throughput speed varies according to the ETEP model and the license that you purchased. For more information about licenses, see “Managing Licenses” on page 56.
5 Define the appliance configuration and save it. For information about appliance-specific settings see the appliance configuration chapters of this document.
6 Push configurations to the appliances.
7 Refresh the appliance status.
8 Add users and passwords.
Related topics:
“Saving an Appliance Configuration” on page 97
“Pushing Configurations to Appliances” on page 97
“Viewing Appliance Status” on page 98
“Appliance User Management” on page 102
“Provisioning Large Numbers of Appliances” on page 111
“Provisioning PEPs” on page 147

Saving an Appliance Configuration

You can save an appliance configuration at any time during the configuration process. Appliance configurations are saved as part of the EncrypTight workspace. Unsaved changes are indicated with an asterisk on the editor tab.
ETEMS provides several ways to save appliance configurations.
Table 26 Saving appliance configurations
Action | Description
Save (in the New Appliance editor) | Saves the configuration in the active appliance editor.
Save and New (in the New Appliance editor) | Saves the configuration in the active appliance editor and opens a fresh New Appliance editor. The second appliance editor window retains the settings from the first appliance with the exception of the appliance name and management IP address, which must be unique for each appliance.
Save (toolbar button) | Saves the configuration in the active appliance editor.
File > Save | Saves the configuration in the active appliance editor.
File > Save all | Saves pending changes in all open appliance editors.
To close open editors without saving the configurations, click File > Close or File > Close All. Click No when prompted to save your changes.
ETEMS will not save a configuration that contains an error. ETEMS marks the tab and the field that contain the error with an error indicator.
Related topic:
“Working with the EncrypTight Workspace” on page 69

Pushing Configurations to Appliances

After defining the configuration for each EncrypTight appliance, you push the configurations to the targeted appliances in a put operation. On some appliance models you can also push a policy file during a put operation.
To push ETEMS configurations to appliances:
1 In the Appliance Manager, select the target appliances in the Appliances view. Use SHIFT+click to select a contiguous block of appliances; use CTRL+click to select non-contiguous appliances.
2 On the Tools menu, click Put Configurations.
3 Optionally, for ETEP appliances with software version 1.6 and later, click Put Throughput License to install a license as part of the operation. You can also install a license separately from the Put Configuration operation. To learn more about licenses and throughput speeds, see “Managing Licenses” on page 56.
4 In the Put Configurations window, click Put to push configurations, and policies if applicable. The results are shown in the Result column. Common results are shown in Table 27.
5 Click Close to return to the Appliances view, and then refresh the appliance status (Tools > Refresh Status). If you chose to reboot the appliances after loading the configurations, wait a few minutes for the reboot operation to complete before refreshing the status.
Table 27 Put configuration status
Result | Description
Pending | The appliance is selected, but the configuration has not yet been pushed.
OK | The configuration was successfully pushed to the appliance.
Operation failed: [reason] | A problem was encountered during the put operation. ETEMS provides a brief description of the reason for the failure.
Reboot Needed | Some configuration items require a reboot to take effect.
Related topics:
“Viewing Appliance Status” on page 98
“Comparing Configurations” on page 100

Viewing Appliance Status

The Appliance Manager lists the appliances that ETEMS is managing. It shows information about each appliance, such as its operational status, IP addresses, product family and software version, and date and time. See Table 29 for a description of these fields.
Figure 27 Appliances view
By default, automatic status refresh is disabled. You can refresh the status manually by selecting the target appliances and clicking the Refresh Status button. If you prefer, you can have ETEMS automatically poll the status of the appliances. If the appliance status is anything other than OK, take action as described in Table 28.
To configure automatic status checking:
1 On the Edit menu, click Preferences.
2 In the Preferences window, expand the ETEMS listing and select Status.
3 Click Enable automatic status refresh to have ETEMS automatically refresh the status of the appliances. Clear the check box to disable the feature.
4 If you enabled automatic status checking, enter the interval in minutes in the Refresh Interval box. The default refresh interval is 60 minutes and can be changed in one minute increments from 1 to 10,080 minutes (7 days).
5 Click Apply, and then click OK.
Table 28 Appliance status indicators (each status is shown as an icon in the Status column)
Status indicator | Description
(icon) | Unequal configurations. The ETEMS configuration differs from the configuration stored on an appliance. Compare configurations to view discrepancies (see page 100).
(icon) | OK. The ETEMS and appliance configurations are the same, and the appliance is reachable.
(icon) | Appliance reboot required (see page 101).
(icon) | Reload policies required for policies to take effect (see page 412).
(icon) | Status unknown. The appliance is not responding to ETEMS’s attempts to communicate with it (see page 224), or ETEMS hasn’t yet queried the appliance status.
(icon) | Appliance unmanageable due to an incompatible hardware/software combination (see page 226).
(icon) | The appliance is in an error state. See the Installation Guide for your appliance model for information about error recovery.
Table 29 The Appliances view summarizes the appliance configurations stored in ETEMS
Field | Description
Name | A unique name that identifies an appliance to ETEMS.
Management IP | The IP address assigned to the appliance’s management port. This is the address that ETEMS uses to manage the appliance.
Remote IP | The IP address assigned to the appliance’s remote port, which connects the appliance to an untrusted network. This setting is displayed only for appliance models on which the remote IP address is user-configurable.
Last Comm Attempt | Indicates the date and time that ETEMS most recently communicated with the appliance, whether to refresh status, perform a compare operation, push configurations, or upgrade software. This information persists across ETEMS sessions.
Sys Location | The system location is configured on the SNMP tab in the Appliance editor. It is an optional configuration item used to describe the location of the appliance.
Model | The hardware model of the EncrypTight appliance.
Software Revision | The software version of the appliance. With a new appliance configuration, the software version reflects the two-digit version selected in ETEMS. After ETEMS has communicated with the appliance, this field displays the third digit of the software version that is running on the appliance, when available. For example, a new appliance may be added to ETEMS as an ETEP running software version 1.4. After ETEMS communicates with the ETEP it will display the third digit of the software version, such as 1.4.3. ETEMS does not automatically reflect software updates between two-digit software versions because of differences in the feature sets (1.4 to 1.5, for example). For feature update releases, you can update the software version in ETEMS using the Multiple Configurations editor.
Date/Time | The appliance’s date and time.
Related topics:
“Comparing Configurations” on page 100
“Filtering Appliances Based on Address” on page 101

Comparing Configurations

When the ETEMS configuration differs from the appliance configuration, the appliance status is Unequal configurations. ETEMS provides a side-by-side comparison so you can see how the two configurations differ and determine which is correct. After determining the correct configuration, you can either copy settings from the appliance to ETEMS or push the ETEMS configuration to the appliance.
Figure 28 Compare the ETEMS and appliance configurations
To compare and update configurations:
1 In the Appliance Manager, select an appliance in the Appliances view.
2 In the Tools menu, click Compare Config to Appliance to see a comparison of the ETEMS and appliance configurations. The items that differ are listed first. Click the toggle button to switch between a display of all settings and only those that are different. Some configuration items contain too much information to display on a single line. To view complete information for a truncated item, highlight the item and click Details at the bottom of the window.
3 Do one of the following:
To copy configuration settings from the appliance to ETEMS, select the items to copy and click the copy button. The status changes to OK to indicate that the configuration items are synchronized.
To copy the ETEMS configuration to an appliance, select the appliance and click Tools > Put Configurations.
4 Click OK to save the updated ETEMS configuration.
Related topic:
“Pushing Configurations to Appliances” on page 97

Filtering Appliances Based on Address

To limit the number of appliances that are displayed in the Appliances view, you can filter them based on management IP addresses. This allows you to focus on appliances in a particular network segment.
To apply a filter to the appliances in the Appliances view:
1 In the Appliances view, click the filter button in the upper right corner.
2 In the Filter Appliances window, enter the filter criteria and then click OK. Only the appliances that
match the filtering criteria are displayed.
When entering a filter pattern, use an asterisk to filter on any string, and a question mark to filter on any character. You can enter a list of filter expressions, separating each with a comma.
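The wildcard syntax described above (an asterisk for any string, a question mark for any single character, a comma-separated list of expressions) is the same matching that Python's fnmatch module performs, so a short script can be used to predict which appliances a filter will show before typing it into the Filter Appliances window. This is an added example for this guide, not ETEMS code; the appliance inventory is constructed.

```python
"""Appliances-view filter semantics: '*' matches any string, '?' any
single character, and several patterns may be listed separated by
commas.  Added example for this guide, not ETEMS code; the appliance
list below is constructed."""
from fnmatch import fnmatchcase

# Constructed sample inventory: (appliance name, management IP).
APPLIANCES = [
    ("etep-hq-1", "192.168.10.11"),
    ("etep-hq-2", "192.168.10.12"),
    ("etep-hq-3", "192.168.10.103"),
    ("etep-branch-1", "10.20.30.5"),
    ("etep-dc-1", "172.16.0.9"),
]


def parse_filter(expr):
    """Split a comma-separated filter expression into patterns,
    trimming whitespace and dropping empty entries."""
    return [p.strip() for p in expr.split(",") if p.strip()]


def matches_filter(ip, expr):
    """True if the management IP matches at least one pattern.

    fnmatchcase gives exactly the documented '*' and '?' behaviour.
    It would also treat '[' as a character class, but dotted-quad
    addresses never contain one.  A pattern must match the whole
    address: '192.168.10.1' does not match 192.168.10.11.
    """
    return any(fnmatchcase(ip, pat) for pat in parse_filter(expr))


def filter_appliances(appliances, expr):
    """Return the names of the appliances whose management IP passes the filter."""
    return [name for name, ip in appliances if matches_filter(ip, expr)]


if __name__ == "__main__":
    for expr in ("192.168.10.*", "192.168.10.1?", "10.20.30.?, 172.*", "192.168.10.1"):
        print(f"{expr!r:>22} -> {filter_appliances(APPLIANCES, expr)}")
```

The second pattern in the demonstration, 192.168.10.1?, matches hosts .11 and .12 but not .103, because the question mark stands for exactly one character; use 192.168.10.1* if the intent is "every address starting with 1" in the last octet.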