Install Guide
About This Guide
Welcome to PKWARE® Smartcrypt®. You have taken an important step toward taking control of sensitive data across your enterprise. This guide will help you deploy Smartcrypt throughout your enterprise. In this guide, you'll learn to:
- Plan your Smartcrypt installation: what you need to know, and have on hand, before setting up Smartcrypt.
- Install the Smartcrypt Enterprise Manager, whether you're using Windows Server or a Linux-based appliance.
- Set up system backups and restores to ensure the Smartcrypt database is always available.
- Deploy PKWARE agents: sensitive data lives on a variety of remote client devices. This chapter helps you get Smartcrypt running on Windows, Mac and Linux/UNIX.
- Uninstall agents from client devices: Smartcrypt users and their devices are always changing. Ensure that sensitive data stays with you when a device goes out of service.
Planning a PKWARE Installation
The following table lists sizing recommendations for PK Endpoint Manager instances based on typical use cases and hardware demands. The right sizing for your company depends on its growth profile, intensity of use and use cases. We recommend that you collaborate with one of our Sales Engineers to receive a specific recommendation. If you're interested in more information, please contact us.
- PoC / Small Scale: Suitable for proof-of-concept, test or development environment. App/DB server on same system is fine.
- Medium Scale: Consider using medium App/DB server instances with multiple cores and fast access to disk.
- Large Scale: Recommend using high processing power (e.g. dual quad core or higher) and ensuring high I/O performance to disk.
High availability and failover recommendations:
Smartcrypt Application
- Configure a farm (two or more identical application servers running in separate operating system server instances).
- Use memcached for real-time sharing of authentication tokens and other time-sensitive data between servers in the farm.
- Use a load balancer that can detect and react to lost application server instances quickly. Alternatively, you can load balance with DNS. Note: this still requires memcached.
- For memcached failover (if required), configure a memcached farm.
- For the database, set up an MS SQL Server cluster.
Sizing | PoC / Small Scale | Medium Scale | Large Scale |
---|---|---|---|
Data Security Intelligence Enabled | |||
Active / Concurrent Users | <100 | 10,000+ | 100,000+ |
Smartkeys | 500 | 10,000+ | 1,000,000+ |
Security Policies | ~5 | 500 | 1000 |
Application Server CPU | 2vCPU | 2x 4vCPU | 4x 4vCPU |
Application Server Memory | 4GB | >8GB | >16GB |
Database Server CPU | 2vCPU | 4vCPU | 8vCPU |
Database Server Memory | 4GB | 16GB | 64GB |
Database Server Disk Space | ~ | 4GB/mo | 40GB/mo |
Data Security Intelligence Disabled | |||
Active / Concurrent Users (Assumes 2.5 devices per user) | 100+ | 2000+ | 10,000+ |
Smartkeys | 500+ | 10,000+ | 1,000,000+ |
Smartkeys created per month | 200 | 4000 | 20,000 |
Security Policies | 5 | 50 | 100 |
Application Server CPU | 2vCPU | 2vCPU | 2vCPU |
Application Server Memory | 4GB | 4GB | 4GB |
Database Server CPU | 2vCPU | 2vCPU | ~2vCPU |
Database Server Memory | > 100MB | 1-5GB | 10GB |
Database Server Disk Space | ~ | 1GB | 2GB |
Appliance 200v: Deployment Strategy
For proof-of-concept and lab environments, a single appliance is supported. For production use, a minimum of two appliances is required. PKWARE recommends two appropriately-sized appliances per physical data center. For example:
- A 10,000-user enterprise with east and west coast data centers could deploy a 4-appliance cluster. Virtual Data Centers would be defined to partition west coast and east coast users to the two appliances closest to them, with appropriate considerations made for an organization's Active Directory Organization Unit configuration strategy.
- A 50,000-user enterprise with a large US production data center, a US disaster recovery (DR) site and branch offices in Germany and the UK could deploy six units: two in the production data center, two at the DR site and one in each of the branch offices. The master database would reside in the production data center, and during DR testing / recovery one of the slave units in the DR site would be promoted to master.
Installing a PKWARE Enterprise Manager
Windows Server Installation and Setup
Overview
The purpose of this guide is to describe the environmental requirements and steps required to configure the PK Endpoint Manager and associated Smartcrypt Application (Agent).
What you will need:
- A Windows Server to host the PK Endpoint Manager. This server should be joined to an Active Directory domain.
- A SQL Server or PostgreSQL 9.5 database where PK Endpoint Manager application data will live. Before installing you should obtain:
  - Database server instance name
  - Database name
  - Database username with access to the above database
  - Database user password
  - The port the database server accepts connections on
- An SSL certificate that matches the hostname you wish to use for the PK Endpoint Manager.
- (Optional) A DNS record for "pkwareops.[domain.ext]" published into your internal/external DNS. The Smartcrypt application will look for this record by default.
- (Optional) To test local search, install Java 11 (AdoptOpenJDK) and ElasticSearch.
What this guide will cover:
- Scripted installation.
- SQL database requirements and setup.
- IIS website / application pool requirements and setup.
- TLS / SSL configuration and connectivity.
- Deployment of the PK Endpoint Manager.
Active Directory Authentication Note:
The Windows Server that will host the PK Endpoint Manager site/application needs to have access to authenticate with your Active Directory. This authentication occurs over the standard Active Directory Domain Services protocols. For more information about the ports the Windows Server needs in order to reach the domain, see: https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx
Windows Server Core Installations:
Looking for instructions for installing on Windows Server Core? We've got you covered here: Windows Server Core Installation and Setup Guide
Scripted Installation
Since v15.3, you have the option to perform a scripted installation of the PK Endpoint Manager. Contact your PKWARE account representative to obtain the appropriate package for your platform.
Steps performed
The script performs the following steps, in order:
- Checks numerous system dependencies.
- Installs and configures the appropriate Internet Information Services (IIS) roles and features.
- Allows the administrator to select a database type for PK Endpoint Manager. Choose from:
  - A local database instance of PostgreSQL. The script installs and configures the database, prompting the administrator to set a DB instance master password and a DB access password.
  - An external MS-SQL database, for which the script will later ask for connection information (hostname, database name, DB username, DB password).
  - An external PostgreSQL database, for which the script will later ask for the same connection information (hostname, database name, DB username, DB password).
- Configures the PK Endpoint Manager website and an associated application pool in IIS.
- Generates a self-signed certificate and binds it to the website.
- Prompts the administrator to supply a default encryption master password.
- Prompts the administrator to supply a default system administration account for the Smartcrypt Manager.
Notes for the scripted deployment option:
- The self-signed certificate created during the scripted installation is intended for Smartcrypt use in lab or non-production environments, for proof of concept or evaluation purposes. To install a trusted, rooted or other certificate, follow the steps below.
To import a certificate in Windows 2012
- Open the Certificates snap-in for the local machine's certificate store: Start | Run | certlm.msc
- In the console tree, click the Personal store.
- On the Action menu, point to All Tasks, and then click Import to start the Certificate Import Wizard.
- Type the file name containing the certificate to be imported (you can also click Browse and navigate to the file). This certificate should include its private key (a PKCS #12 file).
- Type the password used to encrypt the private key.
- (Optional) If you want to back up or transport your keys at a later time, select the Mark key as exportable check box.
- Select Place all certificates in the following store, click Browse, and choose the Personal store.
- When this process is completed, a hosts file entry (Windows\System32\drivers\etc\hosts) or a DNS entry pointing directly to one or more IP addresses (an A record) is required for client machines to connect back to the Manager.
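As an added example (not from the PKWARE guide or its installation script), the same import done from PowerShell, with the checks a practitioner wants before relying on the certificate: a private key is present, the chain validates for the hostname, and the name resolves. It goes one step beyond the page by rebinding the IIS site to the imported certificate. The PFX path, hostname and site name are placeholders.

```powershell
# Added example, not part of the PKWARE guide. Imports a PKCS#12 certificate for the
# PK Endpoint Manager host into the LocalMachine\Personal store (the same target as
# certlm.msc > Personal), validates it, and binds it to the site's HTTPS listener.
# $PfxPath, $HostName and $SiteName are placeholders for your environment.
#Requires -RunAsAdministrator
param(
    [string]$PfxPath  = 'C:\certs\pkwareops.pfx',     # placeholder path to the PKCS#12 file
    [string]$HostName = 'pkwareops.example.com',      # placeholder FQDN the agents will use
    [string]$SiteName = 'Smartcrypt'                  # site name created by the install script
)

$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# 1. Import. -Exportable is the equivalent of the "Mark key as exportable" check box.
$imported = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -Password $pfxPassword -Exportable
$cert = $imported | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if (-not $cert) {
    throw "No certificate with a private key was imported from $PfxPath; re-export it as PKCS#12 including the key."
}

# 2. Validate in the machine context with the SSL policy: the name must match, the
#    Server Authentication EKU must be present, and the chain must end at a trusted root.
#    A self-signed certificate fails here unless its root has been trusted separately.
$trusted = Test-Certificate -Cert $cert -Policy SSL -DNSName $HostName -ErrorAction SilentlyContinue
if (-not $trusted) {
    Write-Warning "Certificate $($cert.Thumbprint) does not validate for $HostName with a trusted chain; agents on other devices will refuse it."
}

# 3. Agents need an A record for this name (DNS or hosts file); warn if it does not resolve.
if (-not (Resolve-DnsName -Name $HostName -Type A -ErrorAction SilentlyContinue)) {
    Write-Warning "$HostName does not resolve; add a DNS A record or a hosts file entry before clients connect."
}

# 4. Bind the certificate to the site's HTTPS listener (SNI binding on port 443).
Import-Module WebAdministration
if (-not (Get-WebBinding -Name $SiteName -Protocol https -HostHeader $HostName)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName -SslFlags 1
}
$binding = Get-WebBinding -Name $SiteName -Protocol https -HostHeader $HostName
try { $binding.RemoveSslCertificate() } catch { }      # drop a previous (e.g. self-signed) binding
$binding.AddSslCertificate($cert.Thumbprint, 'My')

"Bound {0} (thumbprint {1}) to https://{2}/" -f $cert.Subject, $cert.Thumbprint, $HostName
```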
Running the installation script
- Log in to the Windows Server environment and copy the SEM installation package to the Windows Server. Extract the .ZIP package.
- Run Microsoft PowerShell as an Administrator.
- Change to the directory where you extracted the SEM installer.
- Execute ./sc_install.ps1.
- Press R when asked "Do you want to run <install.ps1>?"
The system (if network connected) will attempt to download/install all Windows features required to run the SEM, including all prerequisite Microsoft Internet Information Server (IIS) modules and .NET Core Server.
```
PS C:\Windows\system32> cd C:\Users\jack_d\Desktop\SmartcryptMgrTDE-18.0.152
PS C:\Users\jack_d\Desktop\SmartcryptMgrTDE-18.0.152> .\install.ps1
Checking Prerequisites...
Checked Prerequisites.
Enabling IIS-WebServerRole...
Enabled IIS-WebServerRole.
IIS-WebServer is enabled.
IIS-CommonHttpFeatures is enabled.
IIS-DefaultDocument is enabled.
IIS-HttpErrors is enabled.
IIS-StaticContent is enabled.
IIS-HealthAndDiagnostics is enabled.
IIS-HttpLogging is enabled.
IIS-Performance is enabled.
IIS-HttpCompressionStatic is enabled.
IIS-Security is enabled.
Enabling IIS-WindowsAuthentication...
Enabled IIS-WindowsAuthentication.
IIS-ApplicationDevelopment is enabled.
Enabling NetFx4Extended-ASPNET45...
Enabled NetFx4Extended-ASPNET45.
Enabling IIS-NetFxExtensibility45...
Enabled IIS-NetFxExtensibility45.
Enabling IIS-ASPNET45...
Enabled IIS-ASPNET45.
IIS-ISAPIExtensions is enabled.
IIS-ISAPIFilter is enabled.
IIS-WebServerManagementTools is enabled.
IIS-ManagementConsole is enabled.
Installing .NET Core 2.1.7 Server Hosting...
Installed .NET Core 2.1.7 Server Hosting.
```
Installing PostgreSQL
PK Endpoint Manager supports Microsoft SQL Server and PostgreSQL 9.5 database management systems. The SEM installation script will prompt you to "install postgres to use later." Press enter to skip installation, or Y to install and configure PostgreSQL locally.
If you choose not to install PostgreSQL, it is assumed a remote database server will be used.
Below is sample output from a basic installation. The installation script will also prompt for a hostname, which is used to generate a self-signed certificate and to set up the hostname and SSL bindings for the site that is created.
```
Would you like to install postgres to use later?
[Y] Yes  [N] No  (default is N): n
Expanding Archive ("C:\Users\jack_d\Desktop\SmartcryptMgrTDE-18.0.152\pkmds-18.0.152.zip" -> "C:\PKWARE\SmartcryptEnterpriseManager")...
Expanded Archive ("C:\Users\jack_d\Desktop\SmartcryptMgrTDE-18.0.152\pkmds-18.0.152.zip" -> "C:\PKWARE\SmartcryptEnterpriseManager").
Expanding Archive ("C:\Users\jack_d\Desktop\SmartcryptMgrTDE-18.0.152\pkmds-tde-18.0.152.zip" -> "C:\PKWARE\SmartcryptEnterpriseManager")...
Expanded Archive ("C:\Users\jack_d\Desktop\SmartcryptMgrTDE-18.0.152\pkmds-tde-18.0.152.zip" -> "C:\PKWARE\SmartcryptEnterpriseManager").
```
Configuring PK Endpoint Manager
The script continues to create the PK Endpoint Manager database.
You'll be asked to configure SEM:
- Existing or New site: Default is New, but if you have already set up SEM on IIS, type E.
- Name the Site: Default is Smartcrypt.
- Physical Site Location: Default is c:\inetpub\wwwroot. Edit as required.
- Application Name: Default is mds.
```
Existing Sites:
Name              Physical Path
----              -------------
Default Web Site  C:\inetpub\wwwroot

Configure Smartcrypt Enterprise Manager
Would you like to configure an existing or create a new Smartcrypt enterprise manager site?
[E] Existing  [N] New  [Escape] Cancel  (default is "N"): N
Confirm Configure New Smartcrypt Enterprise Manager Site
Are you sure you want to configure a new Smartcrypt enterprise manager site?
[Y] Yes  [N] No  (default is "Y"): Y
Setting Up New Smartcrypt Site...
Confirm Site Name
Configure site name to be "Smartcrypt"?
[Y] Yes  [N] No  (default is "Y"):
Confirm Physical Site Location
Configure physical site location to be "C:\inetpub\wwwroot"?
[Y] Yes  [N] No  (default is "Y"):
Confirm Application Name
Configure application name to be "mds"?
[Y] Yes  [N] No  (default is "Y"):
```
The script will display the existing Application Pools on IIS.
- New Application Pool: Default is New. Highly recommended.
- Application Pool Name: Default is Smartcrypt.
- Hostname: Default is the current machine.
- HTTPS Certificate: Default is to create a new self-signed X.509 certificate for the host.
The script will create a new self-signed certificate, and ask you to confirm that you want to use it.
```
Existing AppPools:
Name               Runtime Version
----               ---------------
DefaultAppPool     v4.0
.NET v4.5 Classic  v4.0
.NET v4.5          v4.0

Configure Smartcrypt Enterprise Manager
Would you like to configure an existing or create a new application pool?
[E] Existing  [N] New  [Escape] Cancel  (default is "N"):
Confirm Configure New Application Pool
Are you sure you want to configure a new application pool?
[Y] Yes  [N] No  (default is "Y"):
Confirm Application Pool Name
Configure application pool name to be "Smartcrypt"?
[Y] Yes  [N] No  (default is "Y"):
Hostname: mkesrv-jd01.qanet.dom
Confirm Hostname
Set hostname to be "mkesrv-jd01.qanet.dom"?
[Y] Yes  [N] No  (default is "Y"): y
Current Certificates:
Thumbprint  Subject  Friendly Name
----------  -------  -------------

Https Certificate
Would you like to create a new certificate, import a certificate, or use an existing installed certificate?
[N] New  [E] Existing  (default is "N"):
Confirm Certificate
Are you sure you want to create a new self signed certificated for host=mkesrv-jd01.qanet.dom
[Y] Yes  [N] No  (default is "Y"):
Creating New Self Signed Certificate...
Created New Self Signed Certificate.
Confirm Certificate
Do you want to use this certificate?
Thumbprint                                Subject                   Friendly Name
----------                                -------                   -------------
07C844B4E67F4F9D3929D3DD20510571B8F51F09  CN=mkesrv-jd01.qanet.dom  Smartcrypt
[Y] Yes  [N] No  (default is "Y"):
```
Connecting to the Database
The script then checks for a connection to the database, and allows you to configure the connection.
- Confirm Database Platform: Default is SQL Server. To change to PostgreSQL, type N and enter postgresql.
- Database Server: Identify the location of the database server.
- Confirm Port: Enter the port for the database.
- Database: Name the database.
- User Id: Identify the owner of the SEM database.
- Password: Supply the database server password for the user you just identified.
- Add Extra Parameter: Default is No. If an additional connection string parameter is required to access the database, define it here.
The script displays the Connection Information you've entered, and tries to connect. If the database connection is valid, you are asked to confirm the configuration.
```
Database Connection Information:
Platform: SQLServer
Server:
Database:
User Id:
Database connection is invalid.
Confirm Database Platform
Set database platform to be "SQLServer"?
[Y] Yes  [N] No  (default is "Y"):
Database Server: qasrv-db01.qanet.dom
Confirm Database Server
Set database server to be "qasrv-db01.qanet.dom"?
[Y] Yes  [N] No  (default is "Y"): y
Confirm Port
Set port to be "1433"?
[Y] Yes  [N] No  (default is "Y"):
Database: 180
Confirm Database
Set database to be "180"?
[Y] Yes  [N] No  (default is "Y"):
User Id: qa
Confirm User Id
Set user id to be "qa"?
[Y] Yes  [N] No  (default is "Y"):
Password:
Add Extra Parameter
Would you like to add an extra connection string parameter?
[Y] Yes  [N] No  (default is "N"):
Database Connection Information:
Platform: SQLServer
Server: qasrv-db01.qanet.dom
Database: 180
User Id: qa
Port: 1433
Testing Connection... [ ] 100%
Database connection is valid.
Confirm Database Connection Configuration
Would you like to use this database connection configuration?
[Y] Yes  [N] No  (default is "Y"): y
```
Configuring Smartcrypt Enterprise Manager in IIS
Enter the Smartcrypt Enterprise Manager Account Password to access SEM.
You'll next be asked to configure the local Administrator user. Supply a username (default is Administrator) and password.
The script will set up an Application Pool, Site and Application in IIS on the server.
```
Smartcrypt Enterprise Manager Account Password:
Smartcrypt Enterprise Manager Account Password (confirmation):
Confirm Local Administrator User
Configure local administrator user to be "Administrator"?
[Y] Yes  [N] No  (default is "Y"): y
Local Administrator Password:
Local Administrator Password (confirmation):
Creating New AppPool "Smartcrypt"...
Created New AppPool "Smartcrypt".
Creating New Site "Smartcrypt"...
Created New Site "Smartcrypt".
Setting Application "/" AppPool...
Set Application "/" AppPool.
Creating New Application "mds"...
Created New Application "mds".
Setting Application "mds" AppPool...
Set Application "mds" AppPool.
Setting Application "mds" Windows Authentication...
Set Application "mds" Windows Authentication.
Upgrading database
INFO: Database is currently at version: 0.0
INFO: Current version is not equal to the target version
INFO: Upgrading to version: 1.0.60
INFO: Upgrading to version: 1.0.61
INFO: Upgrading to version: 1.0.62
INFO: Upgrading to version: 1.0.63
INFO: Upgrading to version: 1.64
INFO: Upgrading to version: 1.65
INFO: Upgrading to version: 1.66
INFO: Upgrading to version: 1.67
INFO: Upgrading to version: 1.68
INFO: Upgrading to version: 1.69
INFO: Upgrading to version: 1.70
INFO: Upgrading to version: 1.71
INFO: Upgrading to version: 1.72
INFO: Upgrading to version: 1.72.1
INFO: Upgrading to version: 1.72.2
INFO: Upgrading to version: 1.73
INFO: Upgrading to version: 1.74
INFO: Upgrading to version: 1.75
INFO: Upgrading to version: 1.76
INFO: Upgrading to version: 1.77
INFO: Upgrading to version: 1.78
INFO: Upgrading to version: 1.79
INFO: Upgrading to version: 1.80
INFO: Upgrading to version: 1.80.1
INFO: Upgrading to version: 1.81
INFO: Upgrading to version: 1.82
INFO: Upgrading to version: 1.83
INFO: Upgrading to version: 1.83.1
INFO: Upgrading to version: 1.84
INFO: Upgrading to version: 1.85
INFO: Upgrading to version: 1.86
INFO: Upgrading to version: 1.87
INFO: Upgrading to version: 1.88
INFO: Upgrading to version: 1.89
INFO: Upgrading to version: 1.90
INFO: Upgrading to version: 1.91
INFO: Upgrading to version: 1.92
INFO: Upgrading to version: 1.93
INFO: Upgrading to version: 1.94
INFO: Upgrading to version: 1.95
INFO: Upgrading to version: 1.96
INFO: Upgrading to version: 1.97
INFO: Upgrading to version: 1.98
INFO: Upgrading to version: 1.99
INFO: Upgrading to version: 2.0
INFO: Upgrading to version: 2.1
INFO: Upgrading to version: 2.1.1
INFO: Upgrading to version: 2.2
INFO: Upgrading to version: 2.3
INFO: Upgrading to version: 2.4
INFO: Upgrading to version: 2.5
INFO: Upgrading to version: 2.6
INFO: Upgrading to version: 2.7
INFO: Upgrading to version: 2.8
INFO: Upgrading to version: 2.9
INFO: Database is currently at version: 0.0
INFO: Current version is not equal to the target version
INFO: Upgrading to version: 1.0
INFO: Upgrading to version: 1.1
INFO: Upgrading to version: 1.2
INFO: Upgrading to version: 1.3
INFO: Upgrading to version: 1.4
INFO: Upgrading to version: 1.5
INFO: Upgrading to version: 1.6
INFO: Upgrading to version: 1.7
Saving IIS Changes
Starting AppPool
Attempting stop...
Internet services successfully stopped
Attempting start...
Internet services successfully restarted
```
You are now able to open SEM at https://<hostname>/mds. If you are not able to reach the site, confirm the hostname is routable via DNS or a hosts file.
Troubleshooting
Mobile and iOS devices cannot connect to the SMDS when it has been configured with this script, because these devices cannot use the self-signed certificate created by the setup script. Installing a trusted certificate will allow these types of devices to connect to SMDS.
SQL Server database requirements and setup:
The Smartcrypt Enterprise Manager requires an empty database, appropriate authentication credentials and permissions. Perform the following actions, consulting the documentation for your version of SQL Server if necessary.
Log in to your SQL Server and create an empty database:
- Give the database a name and note it down for later (e.g. "Smartcrypt").
- Set the database collation to Latin1_General_CI_AS.
- Create a database user which the Smartcrypt Enterprise Manager will use to authenticate to this instance (e.g. smartcrypt-user).
- Set a database user password and be sure to uncheck the "Must change password at next logon" option.
- Give the database user the "db_owner" role on the Smartcrypt database you created above.
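The same database setup scripted with the SqlServer module's Invoke-Sqlcmd, as an added example that is not part of the PKWARE guide; the instance, database and login names are placeholders, and each step is idempotent so it can be re-run.

```powershell
# Added example, not from the PKWARE guide. Creates the empty SEM database with the
# required collation, a SQL login without forced password change, and a database user
# that owns only this database. $Instance, $DbName and $DbUser are placeholders.
#Requires -Modules SqlServer
param(
    [string]$Instance = 'sqlsrv01.example.com',   # placeholder; your SQL Server instance
    [string]$DbName   = 'Smartcrypt',
    [string]$DbUser   = 'smartcrypt-user'
)

# Prompt for the login password and decrypt it only for the duration of the script.
$secure = Read-Host -Prompt "Password for login $DbUser" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# sqlcmd-style $(name) variables are substituted by Invoke-Sqlcmd; the password is
# escaped for use inside a T-SQL string literal.
$escaped = $plain -replace "'", "''"
$vars = @("DbName=$DbName", "DbUser=$DbUser", "DbPassword=$escaped")

# 1. Empty database with the collation the Manager expects.
Invoke-Sqlcmd -ServerInstance $Instance -Database master -Variable $vars -Query @'
IF DB_ID(N'$(DbName)') IS NULL
    CREATE DATABASE [$(DbName)] COLLATE Latin1_General_CI_AS;
'@

# 2. SQL login. Omitting MUST_CHANGE and setting CHECK_EXPIRATION = OFF is the T-SQL
#    equivalent of leaving "Must change password at next logon" unchecked; CHECK_POLICY
#    keeps the Windows password complexity policy in force for the login.
Invoke-Sqlcmd -ServerInstance $Instance -Database master -Variable $vars -Query @'
IF SUSER_ID(N'$(DbUser)') IS NULL
    CREATE LOGIN [$(DbUser)] WITH PASSWORD = N'$(DbPassword)',
        DEFAULT_DATABASE = [$(DbName)], CHECK_POLICY = ON, CHECK_EXPIRATION = OFF;
'@

# 3. Database user mapped to the login, db_owner of this database only (not sysadmin).
Invoke-Sqlcmd -ServerInstance $Instance -Database $DbName -Variable $vars -Query @'
IF DATABASE_PRINCIPAL_ID(N'$(DbUser)') IS NULL
    CREATE USER [$(DbUser)] FOR LOGIN [$(DbUser)];
ALTER ROLE db_owner ADD MEMBER [$(DbUser)];
'@

# 4. Verify what the Manager will find: collation and role membership.
Invoke-Sqlcmd -ServerInstance $Instance -Database $DbName -Variable $vars -Query @'
SELECT DATABASEPROPERTYEX(N'$(DbName)', 'Collation') AS Collation,
       IS_ROLEMEMBER('db_owner', N'$(DbUser)')       AS IsDbOwner;
'@
```

Recent versions of the SqlServer module require an encrypted connection by default, so a server whose certificate is not trusted by the workstation will fail to connect until that is resolved.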
For more information about how to authenticate to Microsoft SQL Server, see:
IIS website / application pool requirements and setup:
Perform the following steps on the Windows Server running IIS:
Install the Visual C++ 2012 Runtime
Smartcrypt is developed with Microsoft® Visual Studio® 2012. The Microsoft Visual C++ redistributable enables some required features for Smartcrypt. Since Smartcrypt was created using Visual Studio 2012, the 2012 redistributables are required.
- Download and install the 64-bit version of the redistributable found here: https://www.microsoft.com/en-us/download/details.aspx?id=30679
Configure Internet Information Server for Smartcrypt
Prior to installing the Smartcrypt Enterprise Manager website, you must have two features installed and configured on IIS. There are important, if slight, differences in the setups depending on which version of Windows Server you are running.
If you already have these features installed and configured, no changes are required. Skip to “Install Smartcrypt Enterprise Manager.”
Setting up IIS in Windows Server 2012 R2 | Setting up IIS in Windows Server 2008 R2 |
---|---|
Launch the Server Manager and select IIS. | Launch the Server Manager and select Web Server (IIS). |
| Enabling .NET Framework 4 Support in IIS (Windows Server 2008): after installing the ASP.NET features in the Server Manager, you must still enable the .NET Framework in Windows Server 2008. This is done from an Administrator command prompt. |
Install Web Deploy with Microsoft Web Platform Installer
Install Web Deploy through the Microsoft Web Platform Installer (WPI), a free Microsoft tool to install a variety of products into IIS. Download WPI from http://www.iis.net/downloads/microsoft/web-deploy
After you download wpilauncher.exe, run it to see the Web Platform Installer screen. Click the Search box in the upper right corner and type "Web Deploy." Several options may appear, depending on what applications are supported. For your initial installation, we recommend you select the most recent version of Web Deploy with bundled SQL support. At the time this was written, 3.5 was the latest version, so, for example, click Add on Web Deploy 3.5 with bundled SQL support. WPI will install everything you need.
Configure Windows Authentication
After adding Windows Authentication to the Windows Server configuration, you must further configure the IIS Manager to permit this. The steps to allow single sign-on are the same for both Windows Server 2008 and 2012:
- Open the IIS Manager (Control Panel > Administrative Tools > Internet Information Services Manager).
- In the Management section, select Feature Delegation.
- Change the Authentication - Windows setting to Read/Write.
- From the main window, click Authentication.
- Right-click Windows Authentication and select Enable (if not already enabled).
Adding an Application Pool
- Open the IIS Manager (Control Panel > Administrative Tools > Internet Information Services Manager).
- Click View Application Pools to display existing pools.
- Click Add Application Pool.
- Give the Application Pool a name (possibly something like "MDS"). It is appropriate to accept the remaining default options.
Adding a website
- Download the latest package ZIP file from PKWARE to your server. Note: Do not extract the contents of the ZIP archive.
- In IIS Manager, go to Sites.
- Click Add Website. Name it Smartcrypt Manager. The Add Website dialog will open.
- Choose a Site name. This can be the same as the Application Pool.
- Use the Select button to make sure you select the application pool you created in the previous section.
- Define the physical path to the content directory.
- (Optional) Select a host name for the site. If you give the website a host name, make sure your domain has proper routing for the host defined in DNS. If you are accessing Smartcrypt Enterprise Manager from outside your internal network domain, you also need to create a public DNS entry. Make sure that the DNS entry points to one or more defined IP addresses (an A record). Smartcrypt Enterprise Manager needs a fully qualified domain name to authenticate agents.
- Click OK to complete this step and add the website.
Configuring the website for SSL
The Smartcrypt Enterprise Manager requires an SSL connection to protect data being posted to the server. We need to add a binding to enable SSL for this website.
- Highlight the website you created in the earlier section. Select Bindings from the Edit Site options on the right.
- The Add Site Binding screen appears. Select https from the Type: dropdown menu.
- Click Select to choose the SSL Certificate to use for this site.
Verify SSL is working properly!
Verify the site is working properly by pointing your browser to https://<server>/ – you should see the IIS Welcome Page.
Verify the certificate is trusted on your other devices!
If you are using a self-signed certificate, this will require additional steps. Learn how to trust any certificate here.
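An added example, not from the PKWARE guide: a PowerShell check that performs the TLS handshake an agent would perform against the Manager and reports whether the served certificate chains to a trusted root and matches the hostname. Those two results decide whether other devices will connect, including the mobile and iOS agents the Troubleshooting section says reject a self-signed certificate. The hostname is a placeholder.

```powershell
# Added example, not part of the PKWARE guide. Connects to the Manager's HTTPS listener,
# accepts whatever certificate is presented so it can be inspected, then validates the
# chain and the hostname itself so the reason for a failure is visible. $HostName is a
# placeholder for the FQDN the agents use.
param(
    [string]$HostName = 'pkwareops.example.com',   # placeholder FQDN
    [int]$Port = 443
)

function Get-CertificateDnsNames {
    # Every DNS name the certificate claims: the subject CN plus SAN DNS entries.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @($Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false))
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format() yields text such as "DNS Name=a.example.com, DNS Name=b.example.com"
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }
    return $names | Select-Object -Unique
}

function Test-CertificateHostName {
    # Exact match, or a wildcard that covers only the left-most label (RFC 6125 style).
    param([string[]]$Names, [string]$Target)
    foreach ($n in $Names) {
        if ($n -eq $Target) { return $true }
        if ($n.StartsWith('*.') -and ($Target -like $n) -and
            ($Target.Split('.').Count -eq $n.Split('.').Count)) { return $true }
    }
    return $false
}

# 1. Name resolution: agents need an A record in DNS or a hosts file entry.
if (-not (Resolve-DnsName -Name $HostName -Type A -ErrorAction SilentlyContinue)) {
    Write-Warning "$HostName does not resolve to an A record."
}

# 2. Handshake. The callback returns $true so even an untrusted certificate can be inspected.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
$ssl.AuthenticateAsClient($HostName)
$cert     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$protocol = $ssl.SslProtocol
$ssl.Close(); $tcp.Close()

# 3. Chain validation against the local trust store, as a Windows agent would do it
#    (revocation checking is skipped so the check also works offline).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainTrusted = $chain.Build($cert)
$chainStatus  = if ($chainTrusted) { 'OK' } else { ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ' }

$names = Get-CertificateDnsNames -Cert $cert
[pscustomobject]@{
    Host         = $HostName
    Protocol     = $protocol
    Subject      = $cert.Subject
    Issuer       = $cert.Issuer
    SelfSigned   = ($cert.Subject -eq $cert.Issuer)
    NotAfter     = $cert.NotAfter
    NameMatches  = Test-CertificateHostName -Names $names -Target $HostName
    ChainTrusted = $chainTrusted
    ChainStatus  = $chainStatus
}
```

A result of SelfSigned = True with ChainStatus = UntrustedRoot is exactly what the scripted install's certificate produces, and what clients that do not trust that certificate will reject.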
Installing Smartcrypt Enterprise Manager
Now that the prerequisites are fulfilled, we are ready to install the Smartcrypt Enterprise Manager.
Note: The next section assumes you have a .ZIP file containing the Smartcrypt Enterprise Manager deployment package.
Importing the .ZIP file containing the Smartcrypt Enterprise Manager web application with Web Deploy
- Highlight the website created above.
- In the Action menu on the right side of the screen, select Import Application from the Deploy section.
- Web Deploy will launch and ask you to select the Smartcrypt Enterprise Manager .ZIP file. Browse to the directory where the Smartcrypt package is located, select the ZIP, and click Next.
- Web Deploy will scan the ZIP package contents and display them. Review the contents of the package, and click Next to confirm.
- Web Deploy will prompt for some application configuration options on the Enter Application Package Information page:
  - Set the Application Path to "mds" without the quotes. This is the name of the web application, and it will appear in the URL you use to access the Manager.
  - Set the Smartcrypt Manager Server Password. This password is used to encrypt your encryption keys. It should be securely backed up and not shared with PKWARE.
  - Define a root administrator account for the Smartcrypt Enterprise Manager. This can be a domain account or a local account.
    - Domain Account: set a username (AD SysAdmin) only and leave the next two fields blank.
    - Local Account: set a username (Local SysAdmin) and a password (Local SysAdmin Password) and leave the AD SysAdmin field blank.
  - Set the parameters of the connection string with the information from your database administrator. This value connects Smartcrypt Manager to the database you initially set up:
    - datasource: The database server name or IP
    - initial catalog: The name of the database to be used by the Smartcrypt Manager
    - dbuser: The database server username
    - dbpassword: The database user password
- Click Next to install Smartcrypt Manager via Web Deploy.
Creating the Smartcrypt database schema
Now that the web application is set up and deployed with SSL configured, the last item we need to complete is populating the Smartcrypt database with the initial schema. Smartcrypt comes with a tool to complete this task for you called SmartcryptDB.exe. From the application server running IIS:
- Open a command window (cmd).
- Change directory to the location you installed the website to (above) and look for the bin directory.
- Now execute SmartcryptDB.exe.
- The tool should run and set up the required schema for the version of the PK Endpoint Manager you have.
Make sure your Application Pool is started and your website is started in IIS. Next, point your browser to https://<server>/<ApplicationPath>/SuperUser to login with the System Administrator credentials (Active Directory or Local) and start using Smartcrypt.
General Appliance Overview
Configurations
The PK Endpoint Manager Appliance comes in four configurations
- 200v :: A virtual appliance suitable for utilizing within your own virtual infrastructure.
- 300h :: A hardware appliance that contains a hardware security module (HSM) for FIPS 140-2 Level 3 key storage.
- 300r :: A hardware appliance that contains a quantum-powered true random number generator provided by Quintessence Labs.
- 350 :: A hardware appliance that contains both an HSM and a quantum random number generator.
Note: A PK Endpoint Manager can be configured to use a pre-existing, external Quintessence Labs Trusted Security Foundation for HSM backed secure key storage or quantum random number generation.
The following documentation applies only to the 200v.
Hypervisor Support (200v only)
The PK Endpoint Manager Appliance is officially supported on VMware vSphere v5.5+ but should run in any hypervisor including Microsoft Hyper-V, Citrix Xen Server and Linux KVM. It will also run in many Type-2 hypervisors including VMware Fusion, Workstation, VirtualBox and Hyper-V on Windows.
Note: For customers wishing to install the PK Endpoint Manager onto their own application and database infrastructure, a software only (non-Appliance) version is available.
Appliance Setup and Configuration Quick Start
Before you set up the SEM Appliance, be sure you have these prerequisites in place:
- VMware virtual machine set up to host the SEM
- Active Directory account to serve as the SEM SuperAdmin
- (Optional) A digital certificate to enable LDAP-S
- PKWARE will supply access to the base OVA file to import into VMware. You will upgrade to the latest SEM version during the setup process.
To set up PK Endpoint Manager in VMware:
Import PK Protect OVA file.
- You should have received this file from PKWARE.
Login and Accept End User License Agreement.
Update to current SEM version. (17.7 and below only)
- You'll receive access to the upgrade files from PKWARE. This is a three-step process:
- Upgrade to 17.7 (This will allow large uploads to be enabled, as the base image doesn't allow large uploads)
- Upgrade to the OS Upgrade Pack
- Upgrade to the 18.1.X version
- See "Upgrading the PK Endpoint Manager Appliance" for more information.
Create the Server Identity Account.
- Add username and a master password for SEM.
Acquire evaluation license
Configure Network / Hostname
- Go to System > Network in SEM and click Configure Network. Check Use DHCP to have the system obtain its address from your DHCP server, or clear it and fill in the remaining fields to configure the network manually. If you configure the network manually, also update the system's hosts file: click Host File on the Network page to edit it.
Join Active Directory Domain
- If you are using Active Directory integration so that client agents authenticate with the user's Active Directory credentials, you can (optionally) join the SEM to the AD domain. Go to System > Domain, click Join Domain, fill in the form and click Join Domain. See the "Active Directory" section of the Basics page for more information.
Configure TLS/SSL
- See "Security: Public Key Infrastructure and Certificates" for information on why this step is necessary.
Upload Root: You need the root certificate plus any intermediate certificates between the root and the certificate in your PKCS#12 file. Under System > SSL, click Upload Root under Custom Trusted Root Certificates, browse to the *.cer file containing the full chain of CA certificates and click Upload.
Upload PKCS#12 certificate: Under System > SSL, click Upload PKCS#12, browse to the *.pfx file and click Upload. The file must contain at least the server certificate and its private key, and may also contain the rest of the certificate chain.
Confirm connection: On this page, the Issuer shown for the uploaded SSL certificate should match the Subject of the CA certificate that signed it (the intermediate, or the root if there is no intermediate) as listed under Custom Trusted Root Certificates. If it does not, the uploaded chain is incomplete or the wrong root was uploaded, and TLS clients that do not already trust the intermediate may reject the server certificate.
Configure AD Connection for User Lookups
- Admins need to connect to Active Directory users to identify and manage clients, devices, and policies. Go to Basics and scroll to the Active Directory section. See the "Active Directory" section of the Basics page for more information.
Set Primary Database Password
- You cannot back up the database until a primary database password is defined. Go to System > Database, click the Not Set entry in the Password row and type the password.
Set up a Cluster
- See "Creating a New Cluster" for the process.
Join Replica
- See "Adding a new system to an existing Cluster" for process.
Verify connectivity
After pairing, you will be asked to reboot both systems. Go to System > Operations. Click Reboot. Following the system reboot, go to Advanced > Cluster. Both systems should be listed, and you should see the Polling active information at the bottom of the page.
Advanced | Data Centers
- Setup first data center. See "Creating a New Data Center" for process.
Security: Public Key Infrastructure and Certificates
Use of digital certificates for encryption and digital signing relies on a set of supporting elements known as a public key infrastructure (PKI). These include software applications such as PK Protect that work with certificates and keys, as well as the underlying technologies and services that issue and validate them.
At the heart of PKI is a pair of cryptographic keys, bound to an identity by a piece of data called a certificate, that is used for encryption/decryption and for digital signing and authentication. One key is private and must be kept secure so that only its owner can use it. The other is a public key that may be freely distributed for anyone to use to encrypt data intended for the owner of the certificate or to verify the owner's signatures. The keys look like long character strings but represent very large numbers.
End-entity certificates and their related keys are used for signing and authentication. They sit at the bottom of a trust hierarchy of certificate authorities (CAs). Each certificate is signed by its issuing CA, which is named in the certificate's "Issued By" (Issuer) field. A CA certificate can in turn be issued by a higher-level CA; such certificates are known as intermediate CA certificates. At the top of the issuing chain is a self-signed certificate known as the root.
How the Keys Are Used
With encryption/decryption, a copy of the public key is used to encrypt data such that only the possessor of the private key can decrypt it. Thus anyone with the public key can encrypt for a recipient, and only the intended recipient holds the key with which to decrypt.
With digital signing and authentication, the owner of the certificate uses the private key to sign data, and anyone with a copy of the certificate containing the public key can verify the signature and be assured that the signed data comes unchanged from the signer.
Verifying an X.509 certificate has one additional step. As an assurance that the signer is who he says he is, that the certificate with Bob's name on it is not fraudulent, the signer's certificate itself is signed by an issuing certificate authority (CA). The CA in effect vouches that Bob is who he says he is. The CA signature is verified using the public key in the CA certificate that issued it. That CA certificate may itself be signed, but at some point the trust chain stops at a self-signed root CA certificate that is simply trusted. The PKI provides for these several layers of end-user public key certificates, intermediate CA certificates and root certificates, as well as for users' private keys.
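The chain structure just described is exactly what the Configure TLS/SSL step asks you to upload: a .cer holding the CA chain for Upload Root and a .pfx holding the server key and certificate for Upload PKCS#12. The script below is an added example, not PKWARE's tooling. It builds a throwaway root, issuing CA and server chain with openssl, assembles those two files, and runs the checks worth doing before uploading: the server certificate must verify against the uploaded roots, the .pfx must actually carry the chain, and the Issuer of each certificate must equal the Subject of the CA that signed it. The CA names, the hostname sem.example.internal and the export password are placeholders; the deliberately failing verification shows what you get when the intermediate is left out of the root upload.

```shell
#!/bin/sh
# Added example, not PKWARE's tooling. Builds a throwaway root -> issuing CA ->
# server chain, assembles the two files System > SSL asks for, and performs the
# checks worth running before uploading them. All names are placeholders.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

make_chain() {
  # Extensions for the issuing CA and for the server (end-entity) certificate.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:sem.example.internal\n' > leaf.ext
  # Self-signed root (trust anchor), an intermediate signed by it, and a server
  # certificate signed by the intermediate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/CN=Example Root CA' \
      -keyout root.key -out root.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Issuing CA' \
      -keyout inter.key -out inter.csr 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -days 365 -extfile ca.ext -out inter.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=sem.example.internal' \
      -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
      -days 365 -extfile leaf.ext -out leaf.pem 2>/dev/null
  # "Upload Root" wants the full CA chain: intermediate(s) plus root (PEM text).
  cat inter.pem root.pem > chain.cer
}

# chain_ok BUNDLE: does leaf.pem chain up to a trust anchor in BUNDLE?
chain_ok() { openssl verify -CAfile "$1" leaf.pem >/dev/null 2>&1; }

# "Upload PKCS#12" wants the server key plus certificate(s). The export
# password is a placeholder; in real use keep it out of argv and history.
build_pfx() {
  openssl pkcs12 -export -inkey leaf.key -in leaf.pem -certfile chain.cer \
      -out sem.pfx -passout "pass:$1" 2>/dev/null
}

# Number of certificates packed into the .pfx (server + issuing CA + root = 3).
pfx_cert_count() {
  openssl pkcs12 -in sem.pfx -passin "pass:$1" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Normalised Issuer / Subject strings for the "Confirm connection" step.
issuer_of()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^[^=]*= *//'; }
subject_of() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^[^=]*= *//'; }

make_chain
chain_ok chain.cer && echo "chain.cer: server certificate verifies (root + intermediate present)"
if chain_ok root.pem; then echo "unexpected: verified without the intermediate"
else echo "root.pem alone: verification fails, intermediate missing"; fi
build_pfx 'placeholder-export-password'
echo "certificates in sem.pfx: $(pfx_cert_count 'placeholder-export-password')"
[ "$(issuer_of leaf.pem)" = "$(subject_of inter.pem)" ] && echo "server Issuer == issuing CA Subject"
[ "$(issuer_of inter.pem)" = "$(subject_of root.pem)" ] && echo "issuing CA Issuer == root Subject"
```

For a real deployment, skip make_chain and point the checks at the key and certificates your CA issued; the Issuer/Subject comparison is the same one you confirm on the SSL page. The page does not say whether Upload Root expects PEM or DER; the example writes PEM text.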
Installing PKWARE Agents
Windows Installation
- Right click on the Windows Installer and choose "Run as administrator".
- Review and accept the license agreement.
- Select a setup type of either typical or custom.
- Typical will install all program features.
- Custom allows you to choose which programs and features you wish to install.
- Launch Smartcrypt by double clicking on the Smartcrypt icon from the desktop.
You can install Smartcrypt from the Windows command-line prompt or a batch file. In the command line, you can set values for various properties to customize the installation.
The command line looks like this:
<name of smartcrypt installation file> /S /v"<properties>"
where:
/S is a switch that tells InstallShield® to run silently and not to display the initial screens (for example, "Preparing to install").
/v is a switch that must be used to pass any specified Smartcrypt properties to the Windows installer.
<properties> is a list of property settings
You can also optionally pass in a switch to specify either the Basic UI, that displays a dialog containing only a Cancel button to allow canceling of the installation; or No UI, that displays no dialog. Both Basic UI and No UI can run unattended. The default is the full, graphical UI, which is interactive and so cannot run unattended.
Switch | Specifies |
---|---|
/qb | Basic UI |
/qn | No UI |
Any quotes (") inside the properties string must be escaped with a backslash (\). For example, a silent Basic UI install with no properties, and one that also disables the OpenPGP file association:
<name of smartcrypt installation file> /S /v/qb
<name of smartcrypt installation file> /S /v"/qb PKPGPASSOC=0"
The properties you can set or change are described below:
By default, the Smartcrypt installer adds the command line program to the system's PATH. To disable the Smartcrypt command line interface from being added to the system PATH environment variable, type a command like this:
<name of smartcrypt installation file> /S /v"ADD_TO_PATH=0"
By default, the command line interface is included in your Smartcrypt installation. If you prefer to only use the graphical interface, use this command:
<name of smartcrypt installation file> /S /v"CLI=0"
If you want to only run Smartcrypt through its command-line interface, you can disable all graphical elements by setting the GUI property to 0 using a command line like this:
<name of smartcrypt installation file> /S /v"GUI=0"
Caution: Disabling the graphical interface also turns off Smartcrypt Attachments, SaveSecure Office Integration and all file associations.
By default, the installation associates the file types listed in the following table with Smartcrypt. These file associations let you open a file of any of these types in Smartcrypt by double-clicking it in Windows Explorer.
File Type | Property |
---|---|
ZIP | PKZIPASSOC |
UUEncode/XXencoded | PKUUEASSOC |
GZIP and TAR | PKGZASSOC |
BZIP2 | PKBZ2ASSOC |
ARJ | PKARJASSOC |
RAR | PKRARASSOC |
LZH | PKLZHASSOC |
OpenPGP | PKPGPASSOC |
CAB | PKCABASSOC |
Z (UNIX compress) | PKZASSOC |
7Zip | PK7ZASSOC |
If you do not want a particular file type associated with Smartcrypt, set the corresponding property to 0 in the command line. For example:
<name of smartcrypt installation file> /S /v"PKPGPASSOC=0"
By default, the installation creates shortcuts to Smartcrypt. If you do not want a shortcut created in one of the places listed in the table below, set the corresponding property to 0.
Location | Property |
---|---|
Program group on start menu | PKSTARTMENU |
Desktop | PKDESKTOP |
Smartcrypt Attachments, the extension module for zipping email messages and attachments, installs by default if Outlook is detected. To not install Smartcrypt Attachments, set the MAIL property to 0 using a command line like this:
<name of smartcrypt installation file> /S /v"MAIL=0"
macOS Installation
- Double-click the Smartcrypt installer package provided by your PKWARE representative.
- Click Continue to be guided through the steps necessary to install the Smartcrypt Client for Mac.
- Read through the software license agreement and click Continue.
- A prompt asks you to confirm that you agree to the terms of the software license agreement. Click Agree to continue the installation.
- Click Install to perform a standard installation of Smartcrypt for Mac.
- Enter an administrator password to authorize the installation of Smartcrypt for Mac.
- When the installer reports that the installation has completed, click Close.
Linux/Unix Installation and Removal
Installing on Debian Linux based distribution
[user@deb-host ~]# dpkg -i Smartcrypt_CLI-15.10.0034-x86_64.deb
Removing on Debian Linux based distribution
[user@deb-host ~]# dpkg -r pkzip-server
Installing on RPM Linux based distribution
[user@rhel-host ~]# rpm -i Smartcrypt_CLI-15.10.0034-x86_64.rpm
Removing on RPM Linux based distribution
[user@rhel-host ~]# rpm -qa | grep PK
PKZIP_Server-15.10.0034-1.x86_64
[user@rhel-host ~]# rpm -e PKZIP_Server
Installing on Solaris
SPARC
# pkgadd -d Smartcrypt_CLI-15.10.0034-sun4u.pkg all
x86
# pkgadd -d Smartcrypt_CLI-15.10.0034-i86pc.pkg all
Removing from Solaris
# pkgrm PKWpkzs
Installing on AIX
# installp -a -d <filename>.bff all
Removing from AIX
# installp -u pkzip-server.*
Starting and Stopping the Agent
Running the program will automatically start the agent. If you wish the agent to start with a specific set of credentials, please see the next section on managing login credentials.
Starting the Agent
[user@rhel-host ~]$ pkzipc
Stopping the Agent on Linux
[user@rhel-host ~]$ /usr/pkware/pkzip/bin/pkagent --stop
PKWARE pkagent for Linux 15.10.0034
Portions copyright (C) 1989-2016 PKWARE, Inc.
Stopping agent, PID=2991
Stopping the Agent on Solaris
$ /opt/pkware/pkzip/bin/pkagent --stop
PKWARE pkagent for Solaris 15.10.0034
Portions copyright (C) 1989-2016 PKWARE, Inc.
Stopping agent, PID=2991
Help
[user@rhel-host ~]$ pkzipc -help
Smartcrypt(TM) Version 15 for Linux X86-64 Licensed Version
Portions copyright (C) 1989-2016 PKWARE, Inc. All Rights Reserved.
Reg. U.S. Pat. and Tm. Off. Patent No. 5,051,745 7,793,099 7,844,579
7,890,465 7,895,434; Other patents pending
Usage: PKZIPC [command] [options] zipfile [@list] [files...]
View .zip file contents: PKZIPC zipfile
Create a .zip file: PKZIPC -add zipfile file(s)...
Extract files from .zip: PKZIPC -extract zipfile
The above usages are only basic examples of Smartcrypt's capability.
Enter 'C' to list Commands, 'O' to list Options or <Esc> to exit
Login Credentials
Creating your managed login credentials in the settings.json file
/usr/pkware/pkzip/bin/pkagent --config --email user@domain.ext --iwa password
Creating your unmanaged login credentials in the settings.json file
/usr/pkware/pkzip/bin/pkagent --config --email user@domain.ext --master password
Note: a password passed on the command line is visible in the process list while the command runs and is normally recorded in the shell's history file. Clear or disable history when configuring agents this way.
Listing Current Smartkeys
Listing current Smartkeys
ubuntu@ip-172-31-55-199:~$ pkzipc -listsm
Smartcrypt(TM) Version 15 for Linux X86-64 Licensed Version
Portions copyright (C) 1989-2015 PKWARE, Inc. All Rights Reserved.
Reg. U.S. Pat. and Tm. Off. Patent No. 5,051,745 7,793,099 7,844,579
7,890,465 7,895,434; Other patents pending
----------------------------------------------------------------
Smartkeys
------------------------------- -------------------------------
Name/URN Owner
------------------------------- -------------------------------
ubuntu's Shareable Smartkey ubuntu@smartcrypt.com
default--MA_16_pRVZLqxK4LtDuUZPJQ0NQn4WVSbG3oywEHIcSEcJvcU=
----------------------------------------------------------------
Personal Smartkey ubuntu@smartcrypt.com
priv--MA_16_pRVZLqxK4LtDuUZPJQ0NQn4WVSbG3oywEHIcSEcJvcU=
----------------------------------------------------------------
Encrypting a file to a Smartkey encrypted archive
ubuntu@test-box:~$ pkzipc -add ~/sc-installs/file1.zip ~/sc-installs/test-smartkey.txt -smartkey=default--MA_16_pRVZLqxK4LtDuUZPJQ0NQn4WVSbG3oywEHIcSEcJvcU=
Smartcrypt(TM) Version 15 for Linux X86-64 Licensed Version
Portions copyright (C) 1989-2015 PKWARE, Inc. All Rights Reserved.
Reg. U.S. Pat. and Tm. Off. Patent No. 5,051,745 7,793,099 7,844,579
7,890,465 7,895,434; Other patents pending
* Strongly encrypting files with a passphrase using AES (256-bit)
* Using UTF-8 file names and comments
* Using default compression method
Creating .ZIP: /home/ubuntu/sc-installs/file1.zip
Adding File: test-smartkey.txt Deflating ( 0.0%), Encrypting, done.
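Automating the two steps above (find the Smartkey's URN in the listing, then encrypt to it) needs a parser for the -listsm layout. The shell below is an added example, not PKWARE's code: it extracts the URN of a Smartkey by its display name from output in the format shown above and wraps the same -add call. The embedded listing is constructed from the sample on this page (the URNs are the page's sample values, not real keys); encrypt_to assumes pkzipc is on PATH and the agent is already logged in.

```shell
#!/bin/sh
# Added example, not PKWARE's code: resolve a Smartkey's display name to the URN
# that -smartkey= expects by parsing `pkzipc -listsm` output, then encrypt to it.
set -eu

# Constructed from the listing shown on this page; the URNs are the page's
# sample values, not real keys.
SAMPLE_LISTING=$(cat <<'EOF'
Smartcrypt(TM) Version 15 for Linux X86-64 Licensed Version
Portions copyright (C) 1989-2015 PKWARE, Inc. All Rights Reserved.
----------------------------------------------------------------
Smartkeys
------------------------------- -------------------------------
Name/URN                        Owner
------------------------------- -------------------------------
ubuntu's Shareable Smartkey     ubuntu@smartcrypt.com
default--MA_16_pRVZLqxK4LtDuUZPJQ0NQn4WVSbG3oywEHIcSEcJvcU=
----------------------------------------------------------------
Personal Smartkey               ubuntu@smartcrypt.com
priv--MA_16_pRVZLqxK4LtDuUZPJQ0NQn4WVSbG3oywEHIcSEcJvcU=
----------------------------------------------------------------
EOF
)

# smartkey_urn NAME  (listing on stdin): print the URN of the Smartkey whose
# display name is NAME; exit 1 if there is none. The layout is two lines per
# key, "<name>   <owner e-mail>" followed by the URN, with rule lines between.
smartkey_urn() {
  awk -v want="$1" '
    /^-+( -+)?$/ { name = ""; next }                 # rule line: reset state
    name == "" && /[ \t][^ \t]+@[^ \t]+[ \t]*$/ {    # "<name>   <owner>" row
      sub(/[ \t]+[^ \t]+[ \t]*$/, "")                # strip the owner column
      name = $0
      next
    }
    name != "" {                                     # the URN row
      if (name == want) { print $1; found = 1; exit }
      name = ""
    }
    END { if (found) exit 0; exit 1 }'
}

# encrypt_to NAME ARCHIVE FILE...: look NAME up in the live listing and run the
# same -add command as above with the resolved URN. Assumes pkzipc is on PATH
# and the agent is logged in (not exercised offline).
encrypt_to() {
  name=$1; archive=$2; shift 2
  urn=$(pkzipc -listsm | smartkey_urn "$name") ||
    { echo "no Smartkey named '$name'" >&2; return 1; }
  pkzipc -add "$archive" "$@" -smartkey="$urn"
}

# Offline demonstration against the constructed listing.
printf '%s\n' "$SAMPLE_LISTING" | smartkey_urn "Personal Smartkey"
```

Matching on the display name rather than a substring matters because a name like "Personal Smartkey" could otherwise collide with a differently owned key; the parser also resets on every rule line so a stray banner line cannot be mistaken for a URN.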
View passphrase on Smartkey encrypted archive
ubuntu@test-box:~$ pkzipc -test -smartkeypass ~/sc-installs/file1.zip
Smartcrypt(TM) Version 15 for Linux X86-64 Licensed Version
Portions copyright (C) 1989-2015 PKWARE, Inc. All Rights Reserved.
Reg. U.S. Pat. and Tm. Off. Patent No. 5,051,745 7,793,099 7,844,579
7,890,465 7,895,434; Other patents pending
Testing files from .ZIP: /home/ubuntu/sc-installs/file1.zip
Smartkey passphrase: P4EhUuGKuaoDIJk3YKM4LVyhH0Qhin/aHjPSkwUgMRo=
Testing: test-smartkey.txt OK
Create new Smartkey encrypted archive and output passphrase
ubuntu@test-box:~$ pkzipc -add ~/sc-installs/file3.zip ~/sc-installs/test-smartkey.txt -smartkey=default--MA_16_pRVZLqxK4LtDuUZPJQ0NQn4WVSbG3oywEHIcSEcJvcU= -smartkeypass
Smartcrypt(TM) Version 15 for Linux X86-64 Licensed Version
Portions copyright (C) 1989-2015 PKWARE, Inc. All Rights Reserved.
Reg. U.S. Pat. and Tm. Off. Patent No. 5,051,745 7,793,099 7,844,579
7,890,465 7,895,434; Other patents pending
* Strongly encrypting files with a passphrase using AES (256-bit)
* Using UTF-8 file names and comments
* Using default compression method
Creating .ZIP: /home/ubuntu/sc-installs/file3.zip
Smartkey passphrase: YKlOSQMq7opMbPwKRBEin/PGQ9vBoVPaxMOvdO+n5ZI=
Adding File: test-smartkey.txt Deflating ( 0.0%), Encrypting, done.
Command | Description | Example |
---|---|---|
-SmartkeyCreate | Create a new Smartkey. | pkzipc -smartkeycreate=test |
-SmartkeyModify | Change a Smartkey's name or the access rights to data encrypted with it (used together with -SmartkeyName, -SmartkeyAllow, -SmartkeyDeny or -SmartkeySet). | pkzipc -smartkeymodify=Test -smartkeyn="Test A" -smartkeya=a@example.com ; pkzipc -smartkeymodify="Test AB" -smartkeyn="Test AC" -smartkeya=c@example.org -smartkeyd=b@example.net ; pkzipc -smartkeymodify="urn=smartcrypt--something-something" -smartkeys |
-SmartkeyRemove | Delete a Smartkey. | pkzipc -smartkeyremove="urn=Smartcrypt--something-something" |
-Listsmartkeys | List your Smartkeys; with =name, list the users allowed to use that Smartkey. | pkzipc -listsm ; pkzipc -listsm="Accounting" |
Option | Description | Example |
---|---|---|
-Smartkey | Specify the Smartkey to encrypt with, by URN or by name. | pkzipc -add -smartkey="urn=smartcrypt--something-something" save.zip * ; pkzipc -add -smartkey="Accounting" save.zip * |
-SmartkeyAllow | Grant the specified recipient(s) access to the Smartkey. | pkzipc -smartkeym="urn=smartcrypt--something-something" -smartkeya=a@example.com -smartkeya=b@example.net |
-SmartkeyDeny | Deny the specified recipient(s) access to the Smartkey; @file reads the recipients from a file. | pkzipc -smartkeym="urn=smartcrypt--something-something" -smartkeyd=a@example.com -smartkeyd=b@example.net ; pkzipc -smartkeym="urn=smartcrypt--something-something" -smartkeyd=@file.txt |
-SmartkeyName | Rename the specified Smartkey. | pkzipc -smartkeym="urn=smartcrypt--something-something" -smartkeyn="Test123" ; pkzipc -smartkeym="Test 123" -smartkeyn="Test 12345" |
-SmartkeyPass | Display, or write to a file, the random passphrase used for Smartkey-based encryption. That passphrase is the secret protecting the archive, so treat the console output or file as sensitive and keep it out of logs and shell history. | pkzipc -add -smartkey="Sales Materials" -smartkeypass |
-SmartkeySet | Specify the recipients allowed access to the Smartkey, denying all others; @file reads the recipients from a file. | pkzipc -smartkeym="urn=smartcrypt--something-something" -smartkeys=a@example.com -smartkeys=b@example.net ; pkzipc -smartkeym="urn=smartcrypt--something-something" -smartkeys=@file.txt ; pkzipc -smartkeym="urn=smartcrypt--something-something" -smartkeys |