Appliance 200v Setup and Configuration
The PEM Administrator Appliance comes in four configurations:
- 200v :: A virtual appliance for use within your own virtual infrastructure.
- 300h :: A hardware appliance that contains a hardware security module (HSM) for FIPS 140-2 Level 3 key storage.
- 300r :: A hardware appliance that contains a quantum true random number generator (QRNG) provided by Quintessence Labs.
- 350 :: A hardware appliance that contains both an HSM and a quantum random number generator.
Note: A PEM Administrator can instead be configured to use a pre-existing, external Quintessence Labs Trusted Security Foundation for HSM-backed key storage or quantum random number generation.
The following documentation applies only to the 200v.
Hypervisor Support (200v only)
The PEM Administrator Appliance is officially supported on VMware vSphere v5.5 and later, but it should run on any common hypervisor, including Microsoft Hyper-V, Citrix XenServer and Linux KVM. It will also run on desktop hypervisors such as VMware Fusion, VMware Workstation, VirtualBox and Hyper-V on Windows.
Note: For customers wishing to install the PEM Administrator onto their own application and database infrastructure, a software only (non-Appliance) version is available.
Before you set up the SEM Appliance, be sure you have these prerequisites in place:
- A VMware virtual machine set up to host the SEM
- An Active Directory account to serve as the SEM SuperAdmin
- (Optional) A digital certificate to enable LDAPS
- Access to the base OVA file, supplied by PKWARE, to import into VMware. You will upgrade to the latest SEM version during the setup process.
To set up PEM Administrator in VMware:
Import Smartcrypt OVA file.
- You should have received this file from PKWARE.
Login and Accept End User License Agreement.
Update to the current SEM version. (17.7 and below only)
- PKWARE will give you access to the upgrade files. This is a three-step process, in this order:
- Upgrade to 17.7 first. The base image does not accept large uploads; this release enables them, which the later packages require.
- Upgrade to the OS Upgrade Pack.
- Upgrade to the 18.1.X version.
- See "Upgrading the PK Endpoint Manager Appliance" for more information.
Create the Server Identity Account.
- Enter a username and a master password for SEM.
Acquire an evaluation license.
Configure Network / Hostname
- Go to System > Network in SEM and click Configure Network. Check Use DHCP to have the appliance obtain its IP address automatically, or fill in the remaining fields to configure the network manually. If you configure it manually, also update the system's hosts file: click Host File on the Network page to edit it. The hostname you set here is the name clients will connect to, so the SSL certificate you upload later should be issued for it.
Join Active Directory Domain
- If you use Active Directory integration so that the PEM agent can connect with the user's Active Directory credentials, you can optionally join SEM to the AD domain. Go to System > Domain and click Join Domain. Fill in the form and click Join Domain again. See the "Active Directory" section of the Basics page for more information.
Install SSL Certificates
- See "Security: Public Key Infrastructure and Certificates" for information on why this step is necessary.
- Upload root: You need the root certificate, along with any intermediate certificates between the root and your server (PKCS#12) certificate. Under System > SSL, click Upload Root under Custom Trusted Root Certificates. Browse to the *.cer file containing the full chain for your certificate and click Upload.
- Upload PKCS#12 certificate: Under System > SSL, click Upload PKCS#12. Browse to the *.pfx file and click Upload. This file contains the server certificate and its private key, and may also include the entire certificate chain. Keep the *.pfx password-protected and delete any copies once the upload succeeds, since it carries the private key.
- Confirm the chain: The Issuer shown for the SSL certificate must match the Subject of the certificate listed under Custom Trusted Root Certificates on this page. If they differ, the appliance cannot build a trust path from the server certificate to the uploaded root, and clients will reject the connection.
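The checks below are an added example, not PKWARE's code or part of the original page. It builds a throwaway root, intermediate and server chain with openssl, packages it the way the System > SSL page expects (a PEM chain bundle as the *.cer and a PKCS#12 as the *.pfx), and then runs the verifications worth doing before clicking Upload: the server certificate validates against the bundle and is issued for the appliance hostname, the PKCS#12 really carries the matching private key, and the server certificate's Issuer equals the Subject of the CA being uploaded. The hostname sem.example.internal, the "Example" CA names and the PFX password changeit are placeholders; in practice you would run only the check functions against the files your CA issued.

```shell
#!/bin/sh
# Added example (not PKWARE's code). Builds a constructed root -> intermediate -> server
# chain and runs the pre-upload checks for the System > SSL page. All names, paths and
# the PFX password (changeit) are placeholders.
set -eu

# make_chain DIR: create a root CA, an issuing CA and a server certificate under DIR, then
# bundle them as the SSL page expects: chain.cer (intermediate + root, PEM) and
# server.pfx (server cert + private key + chain).
make_chain() {
  d="$1"
  mkdir -p "$d"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:sem.example.internal\n' > "$d/server.ext"

  # Root CA, self-signed.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.csr" \
    -subj "/CN=Example Root CA" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 3650 \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null

  # Issuing (intermediate) CA, signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/int.key" -out "$d/int.csr" \
    -subj "/CN=Example Issuing CA" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -days 1825 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null

  # Server certificate for the appliance hostname, signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/server.key" -out "$d/server.csr" \
    -subj "/CN=sem.example.internal" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
    -days 825 -extfile "$d/server.ext" -out "$d/server.crt" 2>/dev/null

  # "Upload Root" file: every CA between the server certificate and the root, plus the root.
  cat "$d/int.crt" "$d/root.crt" > "$d/chain.cer"
  # "Upload PKCS#12" file: server certificate and key, with the chain bundled in.
  openssl pkcs12 -export -in "$d/server.crt" -inkey "$d/server.key" -certfile "$d/chain.cer" \
    -name "sem" -passout pass:changeit -out "$d/server.pfx"
}

# check_chain DIR HOST: does server.crt validate against the chain.cer you are about to
# upload, and is it issued for HOST (the hostname configured under System > Network)?
check_chain() {
  openssl verify -CAfile "$1/chain.cer" -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
}

# check_key_matches DIR: the PFX must carry the private key that belongs to server.crt.
# Compares the certificate's public key with the public half of the key inside the PFX.
check_key_matches() {
  cert_pub=$(openssl x509 -in "$1/server.crt" -noout -pubkey)
  pfx_pub=$(openssl pkcs12 -in "$1/server.pfx" -passin pass:changeit -nocerts -nodes 2>/dev/null \
            | openssl pkey -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$pfx_pub" ]
}

# The "confirm the chain" check from the setup steps: the server certificate's Issuer must
# equal the Subject of the CA shown under Custom Trusted Root Certificates.
server_issuer()        { openssl x509 -in "$1/server.crt" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer= *//'; }
intermediate_subject() { openssl x509 -in "$1/int.crt"    -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }

# run_checks DIR: build the constructed chain, then run the three pre-upload checks.
run_checks() {
  d="$1"
  make_chain "$d"
  check_chain "$d" sem.example.internal \
    || { echo "FAIL: server.crt does not validate against chain.cer for sem.example.internal"; return 1; }
  echo "ok: server.crt validates against chain.cer for sem.example.internal"
  check_key_matches "$d" \
    || { echo "FAIL: server.pfx does not contain the private key for server.crt"; return 1; }
  echo "ok: server.pfx carries the private key for server.crt"
  [ "$(server_issuer "$d")" = "$(intermediate_subject "$d")" ] \
    || { echo "FAIL: issuer $(server_issuer "$d") != uploaded CA subject $(intermediate_subject "$d")"; return 1; }
  echo "ok: issuer $(server_issuer "$d") matches the uploaded CA subject"
}

run_checks "${1:-$(mktemp -d)}"
```

Run it with an empty directory as the only argument (or none, to use a temp directory). Against real files, point check_chain at your CA's bundle and server certificate with the hostname from System > Network; a hostname mismatch or a PFX that was exported without its private key fails here rather than after the upload.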
Configure AD Connection for User Lookups
- Admins look up Active Directory users to identify and manage clients, devices and policies. Go to Basics and scroll to the Active Directory section. See the "Active Directory" section of the Basics page for more information.
Set Master Database Password
- You cannot back up the database until a master database password is defined. Go to System > Database, click the Not Set entry in the Password row and type the master password. Record it securely; database backup operations require it.
Advanced | Cluster
- Set up a cluster. See "Creating a New Cluster" for the process.
- To add a system to a cluster that already exists, see "Adding a new system to an existing Cluster" for the process.
- After pairing, you will be asked to reboot both systems. Go to System > Operations and click Reboot. After the reboot, go to Advanced > Cluster. Both systems should be listed, and you should see the Polling active information at the bottom of the page.
Advanced | Data Centers
- Set up the first data center. See "Creating a New Data Center" for the process.