PKWARE Support Details

Support Hours and Contact Information 

• Monday through Friday 8:00AM - 6:00PM Eastern Time Zone 
• Technical Support 937-847-2687 
• Customer Service 937-847-2374 
• Request Tech Support Form
  

Support Links 

• Online Order Lookup 
• Maintenance Renewal Form 
• Report a Security Vulnerability 
• Purchase PKWARE Software 
• Remote Help Utilities 
• FTPS & SFTP options for sending data to us securely 
• FTP Server Info
  

About This Guide

Planning a PKWARE Installation

The following table lists sizing recommendations for PK Endpoint Manager instances based on your average use cases and hardware demands. The specific recommendations for your company depend on the specific growth type, intensity and use cases. We recommend that you collaborate with one of our Sales Engineers to receive a specific recommendation. If you're interested in more information, please contact us.

• PoC / Small Scale: Suitable for proof-of-concept, test or development environment.  App/DB server on same system is fine. 
• Medium Scale: Consider using medium App/DB server instances with multiple cores and fast access to disk. 
• Large Scale: Recommend using high processing power (e.g. dual quad core or higher) and ensuring high I/O performance to disk.

Appliance 200v: Deployment Strategy

For proof-of-concept and lab environments, a single appliance is supported. For production use, a minimum of two appliances is required. PKWARE recommends two appropriately-sized appliances per physical data center. For example:

• A 10,000-user enterprise with east and west coast data centers could deploy a 4-appliance cluster. Virtual Data Centers would be defined to partition west coast and east coast users to the two appliances closest to them, with appropriate considerations made for an organization's Active Directory Organization Unit configuration strategy.
• A 50,000-user enterprise with a large US production data center, US disaster recovery (DR) site and branch offices in Germany and and the UK could deploy six units. Two in the production data center, two at the DR site and one in each of the branch offices. The master database would reside in the production data center and during DR testing / recovery one of the slave units in the DR site would be promoted to master.

Installing a PKWARE Enterprise Manager

Windows Server Installation and Setup

Overview

 The purpose of this guide is to describe the environmental requirements and steps required to configure the PK Endpoint Manager and associated Smartcrypt Application (Agent).

What you will need:

1. A Windows Server to host the PK Endpoint Manager. This server should be joined to an Active Directory domain.

2. A SQL Server or PostgreSQL 9.5 Database where PK Endpoint Manager application data will live. Before installing you should obtain:

   1. Database server instance name

   2. Database name

   3. Database username with access to the above database

   4. Database user password

   5. The port the database server connects to

3. An SSL certificate that matches the hostname you wish to use for the PK Endpoint Manager 

4. (optional) A DNS record for "pkwareops.[domain.ext]" published into your internal/external DNS. The Smartcrypt application will look for this record by default.

5. (optional) To test local search, install Java 11 (AdoptOpenJDK) and ElasticSearch

What this guide will cover:

1. Scripted installation.
2. SQL database requirements and setup.
3. IIS website / application pool requirements and setup.
4. TLS / SSL configuration and connectivity.
5. Deployment of the PK Endpoint Manager.

Active Directory Authentication Note:

Note

The Windows Server that will host the PK Endpoint Manager site/application needs to have access to authenticate with your Active Directory. This authentication occurs over the standard Active Directory Domain Services protocols. For more information about ports that are needed for the Windows Server to have access to the domain, see:  https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx

Windows Server Core Installations:

Looking for instructions for installing on Windows Server Core? We've got you covered here: Windows Server Core Installation and Setup Guide

Scripted Installation

Since v15.3, you have the option to perform a scripted installation of the PK Endpoint Manager. Contact your PKWARE account representative to obtain the appropriate package for your platform.

Steps performed

The script performs the following steps, in order:

1. Checks numerous system dependencies.
2. Installs and configures appropriate Internet Information Services (IIS) Roles and Features.
3. Allows the Administrator to select a database type for PK Endpoint Manager. Choose from:
   1. A local database instance of PostgreSQL. The script will install and configure the database while prompting the Administrator to set a DB Instance Master password and DB access password.
   2. An external MS-SQL database which the script will later require information for (Hostname, Database Name, DB Username, DB Password).
   3. An external PostgreSQL database which the script will later require information for (Hostname, Database Name, DB Username, DB Password).
4. Configures the PK Endpoint Manager website and an associated Application Pool in IIS.
5. Generates and binds a Self-Signed Certificate to the website.
6. Prompts the administrator to supply a default encryption master password.
7. Prompts the administrator to supply a default system administration account for the Smartycrypt Manager.

Notes for the scripted deployment option:

• The use of the Self-Signed Certificate created during the scripted installation is intended for Smartcrypt use in lab or non-production environments for a proof of concept or evaluation purposes. To install a trusted, rooted or other certificate, please follow the steps below
  

  • To import a certificate in Windows 2012
    

    1. Open the Certificates snap-in for the local machine's certificate store: Start | Run | certlm.msc
    2. In the console tree, click the Personal store
    3. On the Action menu, point to All Tasks, and then click Import to start the Certificate Import Wizard.
    4. Type the file name containing the certificate to be imported. (You can also click Browse and navigate to the file.)
    5. This certificate should have a private key (PKCS #12 file)
    6. Type the password used to encrypt the private key.
    7. (Optional) If you want to back up or transport your keys at a later time, select the Mark key as exportable check box.
    8. Select Place all certificates in the following store, click Browse, and choose the Personal store.
• When this process is completed, a Hosts file (Windows/System32/driver/etc/hosts) or DNS entry, pointing directly to one or more IP addresses (an A record), will be required for client machines to connect back to the Manager.

Running the installation script

1. Log in to the Windows Server environment and copy the SEM installation package to the Windows Server. Extract the .ZIP package.
2. Run Microsoft PowerShell as an Administrator.
3. Change to the directory location where you extracted the SEM installer.
4. Execute ./sc_install.ps1.
5. Press R when asked "Do you want to run <install.ps1>?

The system (if network connected) will attempt to download/install all Windows features required to run the SEM, including all prerequisite Microsoft Internet Information Server (IIS) modules and .NET Core Server.

PS C:\Windows\system32> cd C:\Users\jack_d\Desktop\SmartcryptMgrTDE-18.0.152

PS C:\Users\jack_d\Desktop\SmartcryptMgrTDE-18.0.152> .\install.ps1

Checking Prerequisites...

Checked Prerequisites.

Enabling IIS-WebServerRole...

Enabled IIS-WebServerRole.

IIS-WebServer is enabled.

IIS-CommonHttpFeatures is enabled.

IIS-DefaultDocument is enabled.

IIS-HttpErrors is enabled.

IIS-StaticContent is enabled.

IIS-HealthAndDiagnostics is enabled.

IIS-HttpLogging is enabled.

IIS-Performance is enabled.

IIS-HttpCompressionStatic is enabled.

IIS-Security is enabled.

Enabling IIS-WindowsAuthentication...

Enabled IIS-WindowsAuthentication.

IIS-ApplicationDevelopment is enabled.

Enabling NetFx4Extended-ASPNET45...

Enabled NetFx4Extended-ASPNET45.

Enabling IIS-NetFxExtensibility45...

Enabled IIS-NetFxExtensibility45.

Enabling IIS-ASPNET45...

Enabled IIS-ASPNET45.

IIS-ISAPIExtensions is enabled.

IIS-ISAPIFilter is enabled.

IIS-WebServerManagementTools is enabled.

IIS-ManagementConsole is enabled.

Installing .NET Core 2.1.7 Server Hosting...

Installed .NET Core 2.1.7 Server Hosting.

Installing PostgreSQL

PK Endpoint Manager supports Microsoft SQL Server and PostgreSQL 9.5 database management systems. The SEM installation script will prompt you to "install postgres to use later." Press enter to skip installation, or Y to install and configure PostgreSQL locally.

If you choose not to install PostgreSQL, it is assumed a remote database server will be used.

Below is the sample output from a basic installation. The installation script will also prompt for hostname. This is used to generate a self-signed certificate and set up the hostname and SSL bindings for the site that is created

Would you like to install postgres to use later?

[Y] Yes  [N] No (default is N): n

Expanding Archive ("C:\Users\jack_d\Desktop\SmartcryptMgrTDE-18.0.152\pkmds-18.0.152.zip"->"C:\PKWARE\SmartcryptEnterpri

seManager")...

Expanded Archive ("C:\Users\jack_d\Desktop\SmartcryptMgrTDE-18.0.152\pkmds-18.0.152.zip"->"C:\PKWARE\SmartcryptEnterpris

eManager").

Expanding Archive ("C:\Users\jack_d\Desktop\SmartcryptMgrTDE-18.0.152\pkmds-tde-18.0.152.zip"->"C:\PKWARE\SmartcryptEnte

rpriseManager")...

Expanded Archive ("C:\Users\jack_d\Desktop\SmartcryptMgrTDE-18.0.152\pkmds-tde-18.0.152.zip"->"C:\PKWARE\SmartcryptEnter

priseManager").

Configuring PK Endpoint Manager

The script continues to create the PK Endpoint Manager database.

You'll be asked to configure S\PEM.

• Existing or New site: Default is New, but if you have already set up SEM on IIS, type E.
• Name the Site: Default is Smartcrypt
• Physical Site Location: Default is c:\inetpub\wwwroot. Edit as required.
• Application Name: Default is mds.

Existing Sites:

Name              Physical Path

----              -------------

Default Web Site  C:\inetpub\wwwroot

Configure Smartcrypt Enterprise Manager

Would you like to configure an existing or create a new Smartcrypt enterprise manager site?

[E] Existing  [N] New  [Escape] Cancel (default is "N"): N

Confirm Configure New Smartcrypt Enterprise Manager Site

Are you sure you want to configure a new Smartcrypt enterprise manager site?

[Y] Yes  [N] No (default is "Y"): Y

Setting Up New Smartcrypt Site...

Confirm Site Name

Configure site name to be "Smartcrypt"?

[Y] Yes  [N] No (default is "Y"):

Confirm Physical Site Location

Configure physical site location to be "C:\inetpub\wwwroot"?

[Y] Yes  [N] No (default is "Y"):

Confirm Application Name

Configure application name to be "mds"?

[Y] Yes  [N] No (default is "Y"):

The script will display the existing Application Pools on IIS.

• New Application Pool: Default is New. Highly recommended.
• Application Pool Name: Default is Smartcrypt.
• Hostname: Default is the current machine.
• HTTPS Certificate: Default is to create a new self-signed X.509 certificate for the host.

The script will create a new self-signed certificate, and ask you to confirm that you want to use it.

Existing AppPools:

Name               Runtime Version

----               ---------------

DefaultAppPool     v4.0

.NET v4.5 Classic  v4.0

.NET v4.5          v4.0

Configure Smartcrypt Enterprise Manager

Would you like to configure an existing or create a new application pool?

[E] Existing  [N] New  [Escape] Cancel (default is "N"):

Confirm Configure New Application Pool

Are you sure you want to configure a new application pool?

[Y] Yes  [N] No (default is "Y"):

Confirm Application Pool Name

Configure application pool name to be "Smartcrypt"?

[Y] Yes  [N] No (default is "Y"):

Hostname: mkesrv-jd01.qanet.dom

Confirm Hostname

Set hostname to be "mkesrv-jd01.qanet.dom"?

[Y] Yes  [N] No (default is "Y"): y

Current Certificates:

Thumbprint  Subject  Friendly Name

----------  -------  -------------

Https Certificate

Would you like to create a new certificate, import a certificate, or use an existing installed certificate?

[N] New  [E] Existing (default is "N"):

Confirm Certificate

Are you sure you want to create a new self signed certificated for host=mkesrv-jd01.qanet.dom

[Y] Yes  [N] No (default is "Y"):

Creating New Self Signed Certificate...

Created New Self Signed Certificate.

Confirm Certificate

Do you want to use this certificate?

Thumbprint                                Subject                   Friendly Name

----------                                -------                   -------------

07C844B4E67F4F9D3929D3DD20510571B8F51F09  CN=mkesrv-jd01.qanet.dom  Smartcrypt

[Y] Yes  [N] No (default is "Y"):

Connecting to the Database

The script then checks for a connection to the database, and allows you to configure the connection.

• Confirm Database Platform: Default is SQL Server. To change to PostgreSQL, type N and enter postgresql.
• Database Server: Identify the location of the database server.
• Confirm Port: Enter the port for the database.
• Database: Name the database.
• User Id: Identify the owner of the SEM database.
• Password: Supply the database server password for the user you just identified.
• Add Extra Parameter: Default is No. If you want to set an additional required string to access the database, define that here.

The script displays the Connection Information you've entered, and tries to connect. If the database connection is valid, you are asked to confirm the configuration.

Database Connection Information:

  Platform:  SQLServer

  Server:

  Database:

  User Id:

Database connection is invalid.

Confirm Database Platform

Set database platform to be "SQLServer"?

[Y] Yes  [N] No (default is "Y"):

Database Server: qasrv-db01.qanet.dom

Confirm Database Server

Set database server to be "qasrv-db01.qanet.dom"?

[Y] Yes  [N] No (default is "Y"): y

Confirm Port

Set port to be "1433"?

[Y] Yes  [N] No (default is "Y"):

Database: 180

Confirm Database

Set database to be "180"?

[Y] Yes  [N] No (default is "Y"):

User Id: qa

Confirm User Id

Set user id to be "qa"?

[Y] Yes  [N] No (default is "Y"):

Password:

Add Extra Parameter

Would you like to add an extra connection string parameter?

[Y] Yes  [N] No (default is "N"):

Database Connection Information:

  Platform:  SQLServer

  Server:    qasrv-db01.qanet.dom

  Database:  180

  User Id:   qa

  Port:      1433

Testing Connection... [                    ]   100 %

Database connection is valid.

Confirm Database Connection Configuration

Would you like to use this database connection configuration?

[Y] Yes  [N] No (default is "Y"): y

Configuring Smartcrypt Enterprise Manager in IIS

Enter the Smartcrypt Enterprise Manager Account Password to access SEM.

You'll next be asked to configure the local Administrator user. Supply a username (default is Administrator) and password.

The script will set up an Application Pool, Site and Application in IIS on the server.

Smartcrypt Enterprise Manager Account Password:

Smartcrypt Enterprise Manager Account Password (confirmation):

Confirm Local Administrator User

Configure local administrator user to be "Administrator"?

[Y] Yes  [N] No (default is "Y"): y

Local Administrator Password:

Local Administrator Password (confirmation):

Creating New AppPool "Smartcrypt"...

Created New AppPool "Smartcrypt".

Creating New Site "Smartcrypt"...

Created New Site "Smartcrypt".

Setting Application "/" AppPool...

Set Application "/" AppPool.

Creating New Application "mds"...

Created New Application "mds".

Setting Application "mds" AppPool...

Set Application "mds" AppPool.

Setting Application "mds" Windows Authentication...

Set Application "mds" Windows Authentication.

Upgrading database

INFO:  Database is currently at version: 0.0

INFO:  Current version is not equal to the target version

INFO:  Upgrading to version: 1.0.60

INFO:  Upgrading to version: 1.0.61

INFO:  Upgrading to version: 1.0.62

INFO:  Upgrading to version: 1.0.63

INFO:  Upgrading to version: 1.64

INFO:  Upgrading to version: 1.65

INFO:  Upgrading to version: 1.66

INFO:  Upgrading to version: 1.67

INFO:  Upgrading to version: 1.68

INFO:  Upgrading to version: 1.69

INFO:  Upgrading to version: 1.70

INFO:  Upgrading to version: 1.71

INFO:  Upgrading to version: 1.72

INFO:  Upgrading to version: 1.72.1

INFO:  Upgrading to version: 1.72.2

INFO:  Upgrading to version: 1.73

INFO:  Upgrading to version: 1.74

INFO:  Upgrading to version: 1.75

INFO:  Upgrading to version: 1.76

INFO:  Upgrading to version: 1.77

INFO:  Upgrading to version: 1.78

INFO:  Upgrading to version: 1.79

INFO:  Upgrading to version: 1.80

INFO:  Upgrading to version: 1.80.1

INFO:  Upgrading to version: 1.81

INFO:  Upgrading to version: 1.82

INFO:  Upgrading to version: 1.83

INFO:  Upgrading to version: 1.83.1

INFO:  Upgrading to version: 1.84

INFO:  Upgrading to version: 1.85

INFO:  Upgrading to version: 1.86

INFO:  Upgrading to version: 1.87

INFO:  Upgrading to version: 1.88

INFO:  Upgrading to version: 1.89

INFO:  Upgrading to version: 1.90

INFO:  Upgrading to version: 1.91

INFO:  Upgrading to version: 1.92

INFO:  Upgrading to version: 1.93

INFO:  Upgrading to version: 1.94

INFO:  Upgrading to version: 1.95

INFO:  Upgrading to version: 1.96

INFO:  Upgrading to version: 1.97

INFO:  Upgrading to version: 1.98

INFO:  Upgrading to version: 1.99

INFO:  Upgrading to version: 2.0

INFO:  Upgrading to version: 2.1

INFO:  Upgrading to version: 2.1.1

INFO:  Upgrading to version: 2.2

INFO:  Upgrading to version: 2.3

INFO:  Upgrading to version: 2.4

INFO:  Upgrading to version: 2.5

INFO:  Upgrading to version: 2.6

INFO:  Upgrading to version: 2.7

INFO:  Upgrading to version: 2.8

INFO:  Upgrading to version: 2.9

INFO:  Database is currently at version: 0.0

INFO:  Current version is not equal to the target version

INFO:  Upgrading to version: 1.0

INFO:  Upgrading to version: 1.1

INFO:  Upgrading to version: 1.2

INFO:  Upgrading to version: 1.3

INFO:  Upgrading to version: 1.4

INFO:  Upgrading to version: 1.5

INFO:  Upgrading to version: 1.6

INFO:  Upgrading to version: 1.7

Saving IIS Changes

Starting AppPool

Attempting stop...

Internet services successfully stopped

Attempting start...

Internet services successfully restarted

You are now able to open SEM on https://<hostname>/mds. If you are not able to reach the site, confirm the hostname is routeable via DNS or a hostfile.

Troubleshooting

Mobile and IOS devices cannot connect to the SMDS when it has been configured with this script. This is because these devices cannot use the self-signed certificate created by the setup script. Installing a trusted certificate will allow these types of devices to connect to SMDS.

SQL Server database requirements and setup: 

The Smartcrypt Enterprise Manager requires an empty database, appropriate authentication credentials and permissions.  Please perform the following actions, consulting the documentation for your version of SQL Server, if necessary.

1. 1. 1. Login to your SQL Server and create an empty database

         1. Give the database a name and note the name down for later (e.g. "Smartcrypt")
         2. Set the database collation to:  Latin1_General_CI_AS
      2. Create a database user which the Smartcrypt Enterprise Manager will use to authenticate to this instance (e.g. smartcrypt-user)
         1. Set a database user password and be sure to uncheck options for "Must change password at next logon
         2. Give the database user the "db_owner" right to the Smartcrypt database you created above

For More Information about how to authenticate to Microsoft SQL Server, see:

• • • Windows Server: Using Windows Authentication with SQL Server or
    • Windows Server: Using SQL Authentication with SQL Server

IIS website / application pool requirements and setup:

Perform the following steps on the Windows Server running IIS:

1. 1. 1. Install the Visual C++ 2012 Runtime
      2. Configure Internet Information Server (IIS) for Smartcrypt
      3. Install Web Deploy with Microsoft Web Platform Installer
      4. Configure Windows Authentication
      5. Adding an Application Pool
      6. Adding a Website
      7. Configuring the website for SSL

Install the Visual C++ 2012 Runtime 

Smartcrypt is developed with Microsoft^® Visual Studio^® 2012. The Microsoft Visual C++ redistributable enables some required features for Smartcrypt. Since Smartcrypt was created using Visual Studio 2012, the 2012 redistributables are required.

1. 1. 1. Download and install the 64-bit version of the redistributable found here: https://www.microsoft.com/en-us/download/details.aspx?id=30679

Configure Internet Information Server for Smartcrypt 

Prior to installing the Smartcrypt Enterprise Manager website, you must have two features installed and configured on IIS. There are important, if slight, differences in the setups depending on which version of Windows Server you are running.

If you already have these features installed and configured, no changes are required. Skip to “Install Smartcrypt Enterprise Manager.”

Setting up IIS in Windows Server 2012 R2

Setting up IIS in Windows Server 2008 R2

Launch the Server Manager and select IIS Click Add Roles and Features Skip the Before you begin page. Click Next On the Installation Type page, select Role-based or feature-based installation. Click Next On the Select destination server page, choose the server you will install Smartcrypt on. Click Next Existing installations of IIS, Skip to Step 10 On the Server Roles page, select Web Server (IIS) On the Features page, expand .NET Framework 4.5 Features and check: ASP.NET 4.5 On the Roles Services page Expand Security and check Windows Authentication Expand Application Development and check .NET Extensibility 4.5, ASP.NET 4.5, ISAPI Extensions and ISAPI Filters. New installations of IIS, Skip to Step 11 Existing Installations of IIS, verify that the following Server Roles are enabled: Web Server (IIS) | Web Server | Security | Windows Authentication Web Server (IIS) | Application Development | .NET Extensibility 4.5, ASP.NET 4.5, ISAPI Extensions, ISAPI Filters Confirm your installation selections and click Install.

Launch the Server Manager and select Web Server (IIS). If ASP.NET and/or Windows Authentication appear as Not Installed in the Role Services list, click Add Role Services Under Application Development, check ASP.NET Click Add Required Role Services and add: .NET Extensibility ISAPI Extensions ISAPI Filters Expand Security and check the Windows Authentication box Click Install Enabling .NET Framework 4 Support in IIS (Windows Server 2008) After installing the ASP.NET features in the Server Manager, you must still enable the .NET Framework in Windows Server 2008. This is done from an Administrator command prompt. Open the Command Prompt. Go to C:\Windows\Microsoft.NET\Framework64\v4.0.xxxx Run the following command: aspnet_regiis.exe -i CODE ASP.NET RegIIS will install ASP.NET.

Install Web Deploy with Microsoft Web Platform Installer 

Install Web Deploy through the Microsoft Web Platform Installer (WPI), a free Microsoft tool to install a variety of products into IIS. Download WPI from http://www.iis.net/downloads/microsoft/web-deploy

After you download wpilauncher.exe, run it to see the Web Platform Installer screen. Click the Search box in the upper right corner and type "Web Deploy." Several options may appear, depending on what applications are supported. For your initial installation, we recommend you select the most recent version of Web Deploy with bundled SQL support. At the time this was written, 3.5 was the latest version so for example, Click Add on Web Deploy 3.5 with bundled SQL support. WPI will install everything you need.

Configure Windows Authentication 

After adding Windows Authentication to the Windows Server configuration, you must further configure the IIS Manager to permit this. The steps to allow single sign on are the same for both Windows Server 2008 and 2012:

1. 1. 1. Open the IIS Manager (Control Panel > Administrative Tools > Internet Information Services Manager)
      2. In the Management section, select Feature Delegation
      3. Change the Authentication - Windows setting to Read/Write
         
      4. From the main window, click Authentication.
         
      5. Right click on Windows Authentication and select Enable (it not already enabled)
         
         

Adding an Application Pool 

1. 1. 1. Open the IIS Manager (Control Panel > Administrative Tools > Internet Information Services Manager).
      2. Click View Application Pools to display existing pools.
      3. Click Add Application Pool.
      4. Give the Application Pool a name (possibly something like “MDS"). It is appropriate to accept the remaining default options.

Adding a website 

1. 1. 1. Download the latest package ZIP file from PKWARE to your server. Note: Do not extract the contents of the ZIP archive.
      2. In IIS Manager, go to Sites.
      3. Click Add Website. Name it Smartcrypt Manager. The Add Website dialog will open.
         
      4. Choose a Site name. This can be the same as the Application Pool.
      5. Use the Select button to make sure you select the application pool you created in the previous section.
      6. Define the physical path to the content directory
      7. (Optional) Select a host name for the site. If you give the website a host name, make sure your domain has proper routing for the host defined in DNS.

If you are accessing Smartcrypt Enterprise Manager from outside your internal network domain, you also need to create a public DNS entry.
Make sure that the DNS entry points to one or more defined IP addresses (an A Record). Smartcrypt Enterprise Manager needs a fully qualified domain name to authenticate agents.

Click OK to complete this step and add the website.

Configuring the website for SSL 

The Smartcrypt Enterprise Manager requires an SSL connection to protect data being posted to the server. We need to add a binding to enable SSL for this website.

1. 1. 1. Highlight the website you created in the earlier section. Select Bindings from the Edit Site options on the right. 
      2. The Add Site Binding screen appears. Select https from the Type: dropdown menu.
      3. Click Select to choose the SSL Certificate to use for this site.

Verify SSL is working properly!

Verify the site is working properly by pointing your browser to https://<server>/ – you should see the IIS Welcome Page.

Verify the certificate is trusted on your other devices!

If you are using a self-signed certificate, this will require additional steps. Learn how to trust any certificate here.

Installing Smartcrypt Enterprise Manager 

Now that the prerequisites are fulfilled, we are ready to install the Smartcrypt Enterprise Manager.

Note: The next section assumes you have a .ZIP file containing the Smartcrypt Enterprise Manager deployment package.

Importing the .ZIP file containing the Smartcrypt Enterprise Manager web application with Web Deploy 

1. 1. 1. Highlight the website created above
      2. In the Action menu on the right side of the screen, select Import Application from the Deploy section
         
      3. Web Deploy will launch and ask you to select the Smartcrypt Enterprise Manager .ZIP file. Browse to the directory where the Smartcrypt package is located, select the ZIP, and click Next
         
      4. Web Deploy will scan the ZIP package contents and display them. Review the contents of the package, and click Next to confirm
         
      5. Web Deploy will prompt for some application configuration options on the Enter Application Package Information page:
         
      6. Set the Application Path to "mds" without the quotes. This is the name of the web application. This name the will appear in the URL you will use to access the Manager
      7. Set the Smartcrypt Manager Server Password. This password is used to encrypt your encryption keys. It should be securely backed up and not shared with PKWARE.
      8. Define a root administrator account for the Smartcrypt Enterprise Manager. This can be a domain account or a local account.  
         1. Domain Account: set a username (AD SysAdmin) only and leave the next two fields blank.
         2. Local Account: set a username (Local SysAdmin) and a password (Local SysAdmin Password) and leave the AD SysAdmin field blank.
      9. Set the parameters of the connection string with the information from your database administrator. This value connects Smartcrypt Manager to the database you initially setup
         1. datasource: The database server name or IP
         2. initial catalog: The name of the database to be used by the Smartcrypt Manager
         3. dbuser: The database server username
         4. dbpassword: The database user password
            
         5. Click Next to install Smartcrypt Manager via Web Deploy

Creating the Smartcrypt database schema 

Now that the web application is set up and deployed with SSL configured, the last item we need to complete is populating the Smartcrypt database with the initial schema. Smartcrypt comes with a tool to complete this task for you called SmartcryptDB.exe.  From the application server running IIS:

1. 1. 1. Open a command window (cmd).
      2. Change directory to the location you installed the website to (above) and look for the bin directory.
      3. Now execute SmartcryptDB.exe.
      4. The tool should run and set up the required scheme for the version of the PK Endpoint Manager you have.

Make sure your Application Pool is started and your website is started in IIS. Next, point your browser to https://<server>/<ApplicationPath>/SuperUser to login with the System Administrator credentials (Active Directory or Local) and start using Smartcrypt.

e.g.: https://smartcrypt.pkware.com/mds/SuperUser

General Appliance Overview

Configurations

The PK Endpoint Manager Appliance comes in four configurations

• 200v :: A virtual appliance suitable for utilizing within your own virtual infrastructure.
• 300h :: A hardware appliance that contains a hardware security module (HSM) for FIPS 140-2 Level 3 key storage.
• 300r :: A hardware appliance that contains a quantum-powered true random number generator provided by Quintessence Labs.
• 350 :: A hardware appliance that contains both an HSM and a quantum random number generator.

Note: A PK Endpoint Manager can be configured to use a pre-existing, external Quintessence Labs Trusted Security Foundation for HSM backed secure key storage or quantum random number generation.

The following documentation applies to only the 200v

Hypervisor Support (200v only)

The PK Endpoint Manager Appliance is officially supported on VMware vSphere v5.5+ but should run in any hypervisor including Microsoft Hyper-V, Citrix Xen Server and Linux KVM. It will also run in many Type-2 hypervisors including VMware Fusion, Workstation, VirtualBox and Hyper-V on Windows.

Note: For customers wishing to install the PK Endpoint Manager onto their own application and database infrastructure, a software only (non-Appliance) version is available.

Appliance Setup and Configuration Quick Start

Before you set up the SEM Appliance, be sure you have these prerequisites in place:

• VMware virtual machine set up to host the SEM
• Active Directory account to serve as the SEM SuperAdmin
• (Optional) A digital certificate to enable LDAP-S
• PKWARE will supply access to the base OVA file to import into VMware. You will upgrade to the latest SEM version during the setup process.

To set up PK Endpoint Manager in VMware:

1. Import PK Protect OVA file.

   1. You should have received this file from PKWARE.

2. Login and Accept End User License Agreement.

3. Update to current SEM version. (17.7 and below only)

   1. You'll receive access to the upgrade files from PKWARE. This is a three-step process:
   2. Upgrade to 17.7 (This will allow large uploads to be enabled, as the base image doesn't allow large uploads)
   3. Upgrade to the OS Upgrade Pack
   4. Upgrade to the 18.1.X version
   5. See "Upgrading the PK Endpoint Manager Appliance" for more information.

4. Create the Server Identity Account.

   1. Add username and a master password for SEM.

5. Acquire evaluation license

6. Configure Network / Hostname

   1. Go to System > Network in SEM. Click Configure Network. Check Use DHCP to have the system identify available IP addresses for this SEM. You can also configure the network manually by filling out the remaining fields. If you do that, be sure to update the system's Hosts File; Click Host File on the Network page to edit this system file.

7. Join Active Directory Domain

   1. If you're using Active Directory Integration to allow client agents to connect with the user's Active Directory credentials, you can (optionally) join the AD Domain to SEM. Go to System > Domain. Click Join Domain. Fill in the form. Click Join Domain. See the "Active Directory" section of the Basics page for more information.

8. Configure TLS/SSL

   1. See "Security: Public Key Infrastructure and Certificates" for information on why this step is necessary.

   2. Upload Root: You need a root certificate, along with any intermediate certificates between the root and PKCS#12 certificate. Under System > SSL, click Upload Root under Custom Trusted Root Certificates. Browse to the *.cer file containing the fully qualified chain for your certificate. Click Upload.

   3. Upload PKCS#12 certificate. Under System > SSL, click Upload PKCS#12. Browse to the *.pfx file. Click Upload. This file will include at least the certificate’s private key and may include the entire certificate chain.

   4. Confirm connection. The Issuer of the SSL Certificates will have the same label as the Subject of the Custom Trusted Root Certificates on this page.

9. Configure AD Connection for User Lookups

   1. Admins need to connect to Active Directory users to identify and manage clients, devices, and policies. Go to Basics and scroll to the Active Directory section. See the "Active Directory" section of the Basics page for more information.

10. Set Primary Database Password

    1. You cannot back up the database without defining a primary database password. Go to System > Database. Click the Not Set line in Password. Type the master password.
11. Set up a Cluster. See "Creating a New Cluster" for process.

12. Join Replica

    1. See "Adding a new system to an existing Cluster" for process.

13. Verify connectivity

    1. After pairing, you will be asked to reboot both systems. Go to System > Operations. Click Reboot. Following the system reboot, go to Advanced > Cluster. Both systems should be listed, and you should see the Polling active information at the bottom of the page.

14. Advanced | Data Centers

    1. Setup first data center. See "Creating a New Data Center" for process.

Security: Public Key Infrastructure and Certificates

Use of digital certificates for encryption and digital signing relies on a combination of supporting elements known as a public key infrastructure (PKI). These elements include software applications such as PK Protect that work with certificates and keys as well as underlying technologies and services.

The heart of PKI is a mechanism by which two cryptographic keys associated with a piece of data called a certificate are used for encryption/decryption and for digital signing and authentication. One of the keys is private and must be kept secure so that only its owner can use it. The other is a public key that may be freely distributed for anyone to use to encrypt data intended for the owner of the certificate or to authenticate signatures. The keys look like long character strings but represent very large numbers. 

End entity certificates and their related keys are used for signing and authentication. They are created at the end of the trust hierarchy of certificate authorities. Each certificate is signed by its CA issuer and is identified in the “Issued By” field in the end certificate. In turn, a CA certificate can also be issued by a higher level CA. Such certificates are known as intermediate CA certificates. At the top of the issuing chain is a self-signed certificate known as the root.

How the Keys Are Used

With encryption/decryption, a copy of the public key is used to encrypt data such that only the possessor of the private key can decrypt it. Thus anyone with the public key can encrypt for a recipient, and only the targeted recipient has the key with which to decrypt.

With digital signing and authentication, the owner of the certificate uses the private key to sign data, and anyone with access to a copy of the certificate containing the public key can authenticate the signature and be assured that the signed data really proceeds unchanged from the signer.

Authentication for an X.509 key has one additional step. As an assurance that the signer is who he says he is—that the certificate with Bob’s name on it is not fraudulent—the signer’s certificate itself is signed by an issuing certificate authority (CA). The CA in effect vouches that Bob is who he says he is. The CA signature is authenticated using the public key of the CA certificate used. This CA certificate too may be signed, but at some point the trust chain stops with a self-signed root CA certificate that is simply trusted. The PKI provides for these several layers of end-user public key certificates, intermediate CA certificates, and root certificates, as well as for users’ private keys

Installing PKWARE Agents

Windows Installation

Command Line Installation

You can install Smartcrypt from the Windows command-line prompt or a batch file. In the command line, you can set values for various properties to customize the installation.

The command line looks like this:

<name of smartcrypt installation file> /S /v"<properties>"

CODE

where:

• /S is a switch that tells InstallShield^® to run silently and not to display various initial screens (that say, for example,  Preparing to install )

• /v is a switch that must be used to pass any specified Smartcrypt properties to the Windows installer.

• <properties> is a list of property settings

You can also optionally pass in a switch to specify either the Basic UI, that displays a dialog containing only a Cancel button to allow canceling of the installation; or No UI, that displays no dialog. Both Basic UI and No UI can run unattended. The default is the full, graphical UI, which is interactive and so cannot run unattended.

Switch	Specifies
/qb	Basic UI
/qn	No UI

Any quotes (") in the parameters must be escaped with a backslash (\).

<name of smartcrypt installation file> /S /v/qb
<name of smartcrypt installation file> /S /v"/qb PKPGPASSOC=0"

CODE

The properties you can set or change are described below:

 Disable add to Path...

By default, the Smartcrypt installer adds the command line program to the system's PATH. To disable the Smartcrypt command line interface from being added to the system PATH environment variable, type a command like this:

<name of smartcrypt installation file> /S /v"ADD_TO_PATH=0"

CODE

 Disable Command Line Interface (CLI)...

By default, the command line interface is included in your Smartcrypt installation. If you prefer to only use the graphical interface, use this command:

<name of smartcrypt installation file> /S /v"CLI=0"

CODE

 Do not install graphical (GUI) components...

If you want to only run Smartcrypt through its command-line interface, you can disable all graphical elements by setting the GUI property to 0 using a command line like this:

<name of smartcrypt installation file> /S /v"GUI=0"

CODE

Caution: Disabling the graphical interface also turns off Smartcrypt Attachments, SaveSecure Office Integration and all file associations.

 Associate file types with Smartcrypt…

By default, the installation associates with Smartcrypt the types of files listed in the following table. These file associations enable you to open a file of any of these types in Smartcrypt by double-clicking it in Windows Explorer.

File Type	Property
ZIP	PKZIPASSOC
UUEncode/XXencoded	PKUUEASSOC
GZIP and TAR	PKGZASSOC
BZIP2	PKBZ2ASSOC
ARJ	PKARJASSOC
RAR	PKRARASSOC
LZH	PKLZHASSOC
OpenPGP	PKPGPASSOC
CAB	PKCABASSOC
Z (UNIX compress)	PKZASSOC
7Zip	PK7ZASSOC

If you do not want a particular file type associated with Smartcrypt, set the corresponding property to 0 in the command line. For example:

<name of smartcrypt installation file> /S /v"PKPGPASSOC=0"

CODE

 Shortcuts...

 By default, the installation creates shortcuts to Smartcrypt. If you do not want a shortcut created in one of the places listed in the table below, set the corresponding property to 0.

Location	Property
Program group on start menu	PKSTARTMENU
Desktop	PKDESKTOP

 Do not install Smartcrypt Attachments...

Smartcrypt Attachments, the extension module for zipping email messages and attachments, installs by default if Outlook is detected. To not install Smartcrypt Attachments, set the MAIL property to No using a command line like this:

<name of smartcrypt installation file> /S /v"MAIL=0"

CODE

macOS Installation

Screens	Instructions
	Double click the Smartcrypt installer package provided from your PKWARE representative.
	Press, "Continue" to be guided through the steps necessary to install the Smartcrypt Client for Mac.
	Read through the software license agreement. Click, "Continue" to progress through the installation.
	After pressing, "Continue" a prompt will show to verify that you agree to the terms of the software license agreement. Click "Agree" to continue the software installation.
	Click, "Install" to perform a standard installation of Smartcryt for Mac.
	Enter the administrative password to authorize the installation of Smartcrypt for Mac
	Verify the installation has completed by seeing this prompt and click, "Close"

Linux/Unix Installation and Removal

 [user@deb-host ~]# dpkg -i Smartcrypt_CLI-15.10.0034-x86_64.deb

[user@deb-host ~]# dpkg -r pkzip-server

[user@rhel-host ~]# rpm -i Smartcrypt_CLI-15.10.0034-x86_64.rpm

[user@rhel-host ~]# rpm -qa | grep PK
PKZIP_Server-15.10.0034-1.x86_64
[user@rhel-host ~]# rpm -e PKZIP_Server

SPARC
# pkgadd -d Smartcrypt_CLI-15.10.0034-sun4u.pkg all
x86
# pkgadd -d Smartcrypt_CLI-15.10.0034-i86pc.pkg all

# pkgrm PKWpkzs

# installp -a -d <filename>.bff all

# installp -u pkzip-server.\*

Starting and Stopping the Agent

[user@rhel-host ~]$ pkzipc

[user@rhel-host ~]$ /usr/pkware/pkzip/bin/pkagent --stop
PKWARE pkagent for Linux 15.10.0034
Portions copyright (C) 1989-2016 PKWARE, Inc.
Stopping agent, PID=2991

$ /opt/pkware/pkzip/bin/pkagent --stop
PKWARE pkagent for Solaris 15.10.0034
Portions copyright (C) 1989-2016 PKWARE, Inc.
Stopping agent, PID=2991

[user@rhel-host ~]$ pkzipc -help
Smartcrypt(TM) Version 15 for Linux X86-64 Licensed Version 
Portions copyright (C) 1989-2016 PKWARE, Inc.  All Rights Reserved. 
Reg. U.S. Pat. and Tm. Off.  Patent No. 5,051,745  7,793,099  7,844,579 
7,890,465  7,895,434;  Other patents pending  
Usage: PKZIPC [command] [options] zipfile [@list] [files...]
   View .zip file contents: PKZIPC zipfile
   Create a .zip file:      PKZIPC -add zipfile file(s)...
   Extract files from .zip: PKZIPC -extract zipfile
The above usages are only basic examples of Smartcrypt's capability.

Enter 'C' to list Commands, 'O' to list Options or <Esc> to exit

Login Credentials

/usr/pkware/pkzip/bin/pkagent --config --interactive

PKWARE pkagent for Linux 17.10.0017
Portions copyright (C) 1989-2021 PKWARE, Inc.

Enter your Smartcrypt Server URL (optional): https://<SEMURL>/mds
Enter the email address: michael@supportad.int
Does the account "michael@supportad.int" authenticate with Active Directory
credentials [y/n]: y
Enter the Active Directory credentials for "michael@supportad.int": **********
PKMeta Initializing - Built Jan 13 2022 at 15:35:25
PKMeta initialized
Initialized Cluster Evaluator
Would you like to use a Smartcard for Multi-factor authentication (MFA)? [y/N]:
n

 Click here to expand...

This method is not recommended as it can leave passwords exposed in history.

Creating your managed login credentials in the settings.json file

/usr/pkware/pkzip/bin/pkagent --config --email user@domain.ext --iwa password

CODE

Creating your unmanaged login credentials in the settings.json file

 /usr/pkware/pkzip/bin/pkagent --config --email user@domain.ext --master password

CODE

Listing Current Smartkeys

ubuntu@ip-172-31-55-199:~$ pkzipc -listsm
Smartcrypt(TM) Version 15 for Linux X86-64 Licensed Version 
Portions copyright (C) 1989-2015 PKWARE, Inc.  All Rights Reserved. 
Reg. U.S. Pat. and Tm. Off.  Patent No. 5,051,745  7,793,099  7,844,579 
7,890,465  7,895,434;  Other patents pending

 ---------------------------------------------------------------- 
                             Smartkeys                            
 -------------------------------  ------------------------------- 
             Name/URN                        Owner                
 -------------------------------  ------------------------------- 
 ubuntu's Shareable Smartkey      ubuntu@smartcrypt.com           
 default--MA_16_pRVZLqxK4LtDuUZPJQ0NQn4WVSbG3oywEHIcSEcJvcU=
 ---------------------------------------------------------------- 
 Personal Smartkey                ubuntu@smartcrypt.com           
 priv--MA_16_pRVZLqxK4LtDuUZPJQ0NQn4WVSbG3oywEHIcSEcJvcU=
 ---------------------------------------------------------------- 

ubuntu@test-box:~$ pkzipc -add ~/sc-installs/file1.zip ~/sc-installs/test-smartkey.txt -smartkey=default--MA_16_pRVZLqxK4LtDuUZPJQ0NQn4WVSbG3oywEHIcSEcJvcU=
Smartcrypt(TM) Version 15 for Linux X86-64 Licensed Version 
Portions copyright (C) 1989-2015 PKWARE, Inc.  All Rights Reserved. 
Reg. U.S. Pat. and Tm. Off.  Patent No. 5,051,745  7,793,099  7,844,579 
7,890,465  7,895,434;  Other patents pending
* Strongly encrypting files with a passphrase using AES (256-bit)
* Using UTF-8 file names and comments
* Using default compression method
Creating .ZIP: /home/ubuntu/sc-installs/file1.zip
  Adding File: test-smartkey.txt Deflating    ( 0.0%), Encrypting, done.

ubuntu@test-box:~$ pkzipc -test -smartkeypass ~/sc-installs/file1.zip</p><pre>Smartcrypt(TM) Version 15 for Linux X86-64 Licensed Version 
Portions copyright (C) 1989-2015 PKWARE, Inc.  All Rights Reserved. 
Reg. U.S. Pat. and Tm. Off.  Patent No. 5,051,745  7,793,099  7,844,579 
7,890,465  7,895,434;  Other patents pending

Testing files from .ZIP: /home/ubuntu/sc-installs/file1.zip


Smartkey passphrase: P4EhUuGKuaoDIJk3YKM4LVyhH0Qhin/aHjPSkwUgMRo=

Testing: test-smartkey.txt  OK

ubuntu@test-box:~$ pkzipc -add ~/sc-installs/file3.zip ~/sc-installs/test-smartkey.txt -smartkey=default--MA_16_pRVZLqxK4LtDuUZPJQ0NQn4WVSbG3oywEHIcSEcJvcU= -smartkeypass

Smartcrypt(TM) Version 15 for Linux X86-64 Licensed Version 
Portions copyright (C) 1989-2015 PKWARE, Inc.  All Rights Reserved. 
Reg. U.S. Pat. and Tm. Off.  Patent No. 5,051,745  7,793,099  7,844,579 
7,890,465  7,895,434;  Other patents pending
* Strongly encrypting files with a passphrase using AES (256-bit)
* Using UTF-8 file names and comments
* Using default compression method

Creating .ZIP: /home/ubuntu/sc-installs/file3.zip

Smartkey passphrase: YKlOSQMq7opMbPwKRBEin/PGQ9vBoVPaxMOvdO+n5ZI=

  Adding File: test-smartkey.txt Deflating    ( 0.0%), Encrypting, done.

Uninstalling PKWARE Agents