To complete the registration process and configure system integrations of PEM Administrator, use the Basics tab. Depending on the desired environment, different PK Protect components need to be configured.
The PKWARE support team uses the server status information to diagnose incidents and problems in the PEM Administrator. The screenshot below displays the fields in this panel.
Following is the description for fields.
It displays the name of the product.
It displays the installed version of PEM Administrator.
It displays the linked version of database.
It displays the URL of the running instance.
This field lets you download the server or user logs in a zip format. By default, the package is downloaded in the Downloads folder of the local machine.
Click Download button to download logs for the selected user. These logs include information about devices, assets, and AD groups owned by the user.
This field displays the selected storage type. It is configured before registering the PEM Administrator. During configuration, select from three options in Storage Type drop-down that appears on clicking the selected storage type next to this field.
By default, PK Protect selects the Local Keystore configured during installation. If you are integrating PK Protect with QLabs, choose Trusted Security Foundation.
PEM Administrator needs to be registered before it can be used. The registration process alerts PKWARE that the instance is online and ready for activation and licensing. A public URL is required in this process to direct future traffic to PEM Administrator. Once an instance is registered with PKWARE, users with a PK Protect-associated email domain will be directed to use the server for all actions.
Following is the description for fields.
This field displays name of your company. Click the name to edit it.
Identity (email address)
The PEM Administrator connects to the PK Protect Cloud for licenses and updates through the Identity email. This account also facilitates key management to external users through the PK Protect Cloud. Click the address to edit it.
This field displays the external URL for the server. This value is the publicly routed DNS entry, for the users who are accessing PEM Administrator from outside your organization. Click the URL to edit it.
If a site account has been created, this field displays Yes. If not, one must be created. To learn more about creating site accounts, visit Creating an Online Account and Creating an Isolated Account.
Account Logged In
If the account is connected to PK Protect Cloud, this field displays Yes (online). If the account is isolated, it displays Yes (isolated).
If the value is set to Yes, the domain account is registered.
Authorized for PDE
If the value is set to Yes, Persistent Data Encryption is authorized for use.
Authorized for TDE
If the value is set to Yes, Transparent Data Encryption (TDE) authorized for use.
Authorized for Multi-tenant
If the value is set to Yes, the server is authorized for Multi-tenant administration of TDE.
Authorized for TDE Desktop
If the value is set to Yes, Desktop TDE is authorized for use.
Authorized for Application SDK
If the value is set to Yes, PK Protect Software Development Kit (SDK) is authorized for use.
This field lists all the domain name(s) allowed to share keys externally from PEM Administrator. This field will be populated by a PKWARE representative during PEM Administrator installation. This list controls which users are authorized and which are Guest Accounts.
Creating an Online Account
Creating an online account will allow the PEM Administrator to periodically sync with the PK Protect Cloud.
Create an online account, if:
- You want to allow internal users in a PK Protect environment to create and use Smartkeys with people outside the organization (external users).
- You want external users to create and use Smartkeys with internal users.
- You want to automate the site registration and license acquisition process.
Registering an Online Server
Click the Create Account Online button after filling in the registration details. Your account will be created in the PK Protect Cloud and licenses will be synced down to your environment after the PK Protect Cloud defines them for your site.
Creating an Isolated Account
Creating an isolated account will configure PEM Administrator in such a way that it doesn’t sync with the PK Protect Cloud. Registration and licensing are completed in a manual out-of-band communication. You will need to export some JSON data and send it to PKWARE. Then PKWARE will send back JSON data to import.
Create an isolated account if:
- You do not want to allow PK Protect users to use Smartkeys with external users.
- You do not want PEM Administrator to connect with the PK Protect Cloud.
Registering an Isolated Server
- Under App Registration, enter site registration fields.
- Click Create Account Isolated. This button creates the site account and logs it into the database. The Logged In field will display Yes (Isolated mode).
- Click the Export Satellite Identity link that appears. You will be taken to a separate screen to download server registration file.
- Copy and send that file back to PKWARE to register your PEM Administrator.
- PKWARE will generate an authorization file and send it back to you.
- Click Import Authorizations and specify the location of the authorization file.
Importing an Isolated Server License
As with the registration code, PKWARE will provide a license key to permit your company to use PK Protect (Server and Client). To install this code and make PK Protect operational, follow the below steps:
- Copy the license text.
- Go to Advanced > Licenses.
- Click Import License.
- Paste the license text into this page.
- Click Save to save the license details else click Cancel.
The license will appear under Active Licenses.
Using this panel, you can configure settings that control client activities and can define how PEM Administrator interacts with its ecosystem.
Following is the description for configurable settings:
Site Authentication Certificate(s)
This field allows you to upload certificate(s) for site authentication. The certificate uploaded here gets bundled to the TDE installer. This allows the TDE agent to trust that certificate.
External Polling Interval (seconds)
This field displays time interval (in seconds) that the PEM Administrator connects to the PK Protect Cloud to receive changes. The default value is 60. Click the value to edit the interval.
Internal (Agent) Polling Interval (seconds)
This field displays time interval (in seconds) that the PEM Agents connects with PEM Administrator for changes. The changes can include new Smartkeys, new policy changes, or account access changes. The default value is 20. Click the value to edit time interval.
Administrator Idle Session Timeout (minutes)
This field displays the time (in minutes) after which PEM Administrator automatically logs out an idle administrator's session. The default value is 60. Click the value to edit the time interval.
Enable Service API
It may be necessary to have PEM Administrator online but not accessible to clients. An example is when migrating servers or performing component upgrades. When set to No, only connections from the system are accepted; external web requests will be rejected. This setting applies to all the PEM Administrator in a cluster.
Local Enable Service API
It may be necessary to have PEM online but not accessible to clients. An example is when migrating servers or performing component upgrades
When set to No, only connections from the system are accepted; external web requests will be rejected. This setting only applies to the PEM Administrators on which it is set.
This setting is used for troubleshooting the PEM Administrator. When the value for this field is set to No, database access is suspended for some time. All current users are logged out and only local administrator accounts are available.
API Throttle Percentage
This field displays the percentage of agents allowed to log into PK Protect. Use this setting during troubleshooting when extreme load is preventing administrators to connect with PEM Administrator.
Enable NTP Time Checks
This setting is used to enable or disable the Network Time Protocols (NTP) checks.
NTP Server Address
This setting allows you to enter the NTP time server credentials. Click the Test NTP Server button to test the connectivity to the defined NTP time server and get the desired time details.
Manager Allowed IP Addresses
This setting allows you to enter the IPv4 addresses and ranges for whitelisting.
PEM Administrator can be configured to provide email notifications to manage Smartkey access requests and receipts. To setup email notifications, configure the Mail Settings.
Following is the description for settings.
Enable this setting if you want to use TLS to secure the email messages. The default value is No.
Enter the hostname of the mail server.
By default, the value for this setting is 25 unless TLS is enabled.
If the mail server requires authentication, enter the Active Directory (AD) Domain.
SMTP Username (Optional)
If the mail server requires authentication, enter the AD username.
SMTP Password (Optional)
If the mail server requires authentication, enter the AD user password.
Enter the information you would like to appear in the ‘From:’ line, when an email is sent by PEM Administrator, containing the log reports.
System Event Recipients
Enter the email address(s) of the recipient(s) who will be notified when high priority errors occur within PEM Administrator.
Billing Event Recipients
PEM Administrator periodically checks for license consumption usage. When the allocated license count reaches its limit, the system stops distributing new licenses to agents and PEM Administrator will notify the recipient(s) entered in this field.
Once mail server settings are configured, click Send Test Mail button to verify that everything works.
In large environments, it is recommended to run different PEM Administrator application servers behind a load balancer. Using a load balancer will help the system scale to handle more HTTPS traffic from the clients in the organization.
Memcached is required when using more than one PEM Administrator in an application server cluster. When it is configured, Memcached will store data, instead of in-memory available on single PEM Administrator. It can be configured to be accessed from multiple application servers to create a shared cache pool. This type of configuration is for large-scale deployments where the PEM Administrator would be needed to serve 100,000 clients throughout an organization.
Following is the description for configurable settings.
If the value is set to Yes, Memcached is enabled. If the field is set to No, Memcached is disabled. Enabling Memcached is only required if more than one PEM Administrator is in your cluster.
This is a combination of the server address and the port where Memcached is installed and running. It is important to verify that PEM Administrator has the correct ports opened through any possible firewall. Click the editable fields in this option to add or edit a Memcached server.