3. Basics

Use the Smartcrypt Manager Basics tab to complete the registration process and configure system integrations. Depending on the desired environment, different Smartcrypt components will need to be configured.

Viewing the Server Status

PKWARE Support uses the Server Status information to diagnose incidents and problems. Server Status provides a read-only view to the versions of your Smartcrypt Enterprise Manager application and database. The Support field allows you to download a Diagnostic Package with server or user logs in a .ZIP file. When contacting PKWARE for support, please include this package.

Click Server Support to download current logs for this Smartcrypt Enterprise Manager instance.

Click User Support and select a system user to download logs for that user.

Before registering the Smartcrypt Manager, configure your Keystore. By default, Smartcrypt selects the local keystore configured during the install. Click the pencil to choose a different keystore: a Trusted Security Foundation keystore if you are integrating Smartcrypt with QLabs, or a PKCS#11-based keystore. For PKCS#11, paste your PKCS#11 keystore configuration file in the provided area.

Registering the Smartcrypt Manager 

The Smartcrypt Manager needs to be registered before it can function. The registration process alerts PKWARE that your Smartcrypt Manager is online and ready for activation and licenses. A Public URL is required in this process to direct future traffic to this Smartcrypt Manager, so make sure it is correct before you register. Once the Smartcrypt Manager is registered with PKWARE, all users with a Smartcrypt-associated email domain will be directed to use this server for all Smartcrypt actions.

Setting

Description

Company Name

Your company name. Click the pencil to edit this.

Identity (email address)

Your Smartcrypt Enterprise Manager connects to the Smartcrypt Cloud for licenses and updates through the Identity email. This account also facilitates key management with external users through the Smartcrypt Cloud.

Public URL

The external URL for the server. For users who access your Smartcrypt Manager from outside your network, this value is the publicly routable DNS entry.

Account Created

Whether a site account exists. When you have created a site account, this field displays Yes. If not, you must create one. See Creating an Online Account and Creating an Isolated Account for the differences between the account types.

Account Logged In

Connected to the Smartcrypt Cloud (online) or isolated site account created (isolated).

Account Registered

The domain account is registered.

Authorized for PDE

This is the basic Smartcrypt service. Your account will zip and encrypt sensitive data based on policy.

Authorized for TDE

The server has Transparent Data Encryption enabled.

Authorized for Multi-tenant

This feature permits compartmentalizing administration of a TDE server.

Authorized for Application SDK

The Smartcrypt Software Development Kit permits creating custom applications for Smartcrypt.

Authorized Domains

Domain name(s) allowed to access this Smartcrypt Manager. This list is completed after the initial account is created on the Smartcrypt Cloud. It also controls which users are authorized users and which are Guest Accounts.

Creating an Online Account

Creating an online account will allow your Smartcrypt Manager to periodically sync with the Smartcrypt Cloud.

Create an online account if...

  • You would like to allow internal users in your Smartcrypt environment to create and use Smartkeys with people outside the organization (external users).
  • You would like external users to create and use Smartkeys with internal users.
  • You would like to automate the site registration and license acquisition process.

Note: Regardless of whether you choose an Online or Isolated account, internal users (people inside your organization) can always exchange Smartkey-encrypted files with each other. Depending on the policies you set, internal users can also exchange data encrypted with passphrases or public keys (X.509 or OpenPGP). You must create an online account to use Smartkeys with people outside your organization.

Registering an Online Server

To complete an online registration, click the Create Account Online button after filling in the registration details. Your account will be created in the Smartcrypt Cloud, and licenses will be synced down to your environment after the Smartcrypt Cloud defines them for your site.

Creating an Isolated Account

Creating an isolated account configures the Smartcrypt Manager to never sync with the Smartcrypt Cloud. Registration and licensing are completed through a manual, out-of-band exchange: you export some JSON data and send it to PKWARE, and PKWARE sends back JSON data for you to import.

Create an isolated account if...

  • You will never allow Smartcrypt users to use Smartkeys with external users.
  • You would like your Smartcrypt Manager to not connect to the Smartcrypt Cloud.

Note: Regardless of whether you choose an Online or Isolated account, internal users (people inside your organization) can always exchange Smartkey-encrypted files with each other. Depending on the policies you set, internal users can also exchange data encrypted with passphrases or public keys (X.509 or OpenPGP).

Registering an Isolated Server

  1. Under App Registration, enter the site registration fields.
  2. Click Create Account Isolated. This button creates the site account and logs it in to the database. The Logged In field will read Yes (Isolated mode).
  3. Click the Export Satellite Identity link that appears. You will be taken to a separate screen to download a server registration file.
  4. Send that file to PKWARE to register your Smartcrypt Enterprise Manager.
  5. PKWARE will generate an authorization file and send it back to you.
  6. Click Import Authorizations and specify the location of the authorization file from step 5. Because this exchange happens out of band, confirm with your PKWARE contact that the file you import is the one generated for the identity you exported.

Importing an Isolated Server License

As with the registration code, PKWARE will provide a license key that permits your company to use Smartcrypt (Server and Client). To install this license and make Smartcrypt operational:

  1. Copy the license text.
  2. Go to Advanced > Licenses.
  3. Click Import License.
  4. Paste the license text into this page.
  5. Click Import License.

The license will appear under Active Licenses.

General Configuration Options

You can configure many Smartcrypt Manager processes here. Some settings control client activities, while others define how Smartcrypt Manager interacts with its ecosystem.

Setting

Description

External Polling Interval (seconds)

How often (in seconds) Smartcrypt Manager connects to the Smartcrypt Cloud to receive changes. Default is 60. Click the pencil to edit this interval.

Internal (Agent) Polling Interval (seconds)

How often the Smartcrypt clients deployed in your organization will check with the Smartcrypt Manager for changes. The changes could be new Smartkeys, new policy changes, or account access changes.

Administrator Idle Session Timeout (minutes)

When (in minutes) the server automatically logs out an idle administrator session. The default (999) means no timeout; set a finite value if administrator consoles may be left unattended.

Enable Service API

Sometimes you need the Smartcrypt Manager online but not accessible to all clients, most commonly when migrating servers or upgrading components. When set to No, only connections from the system itself are accepted; external web requests are rejected.

Local Enable Service API

Local Database Paused

Use this for troubleshooting. When you click Yes, database access is temporarily suspended. All current users are logged out. Only locally defined administrator accounts are available.

API Throttle Percentage

Manager Allowed IP Addresses

IPv4 addresses to place on the Manager's allowlist.
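The following is an added example, not Smartcrypt code, showing how an IPv4 allowlist such as Manager Allowed IP Addresses is typically evaluated. The page says only "IPv4 addresses", so support for CIDR ranges is an assumption here, and the sample addresses are constructed. It also shows the check a practitioner needs when the Manager sits behind a load balancer: the TCP peer is then the balancer, and any forwarded-address header must only be trusted when it came from a proxy you control.

```python
import ipaddress

# Constructed sample allowlist: two single hosts and one CIDR range.
# Whether Smartcrypt's field accepts CIDR notation is an assumption.
ALLOWLIST = ["10.1.2.3", "10.1.2.4", "192.168.10.0/24"]


def parse_allowlist(entries):
    """Normalise entries to IPv4Network objects; a bare address becomes a /32.
    Anything that is not IPv4 is rejected, since the page says IPv4 only."""
    nets = []
    for entry in entries:
        net = ipaddress.ip_network(entry.strip(), strict=False)
        if net.version != 4:
            raise ValueError(f"not an IPv4 entry: {entry}")
        nets.append(net)
    return nets


def ip_allowed(client_ip, entries=ALLOWLIST):
    """True if client_ip falls inside any allowlisted address or range.
    An unparseable or non-IPv4 address is treated as not allowed (fail closed)."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    if addr.version != 4:
        return False
    return any(addr in net for net in parse_allowlist(entries))


def effective_client_ip(peer_ip, forwarded_for=None, trusted_proxies=()):
    """Decide which address to run the allowlist against.
    Behind a load balancer the TCP peer is the balancer, not the client, so the
    X-Forwarded-For header is honoured only when the peer is a proxy you control;
    otherwise the header is attacker-supplied and the peer address is used.
    The right-most hop that is not a trusted proxy is taken as the client."""
    if peer_ip not in trusted_proxies or not forwarded_for:
        return peer_ip
    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if hop not in trusted_proxies:
            return hop
    return peer_ip


if __name__ == "__main__":
    print(ip_allowed("192.168.10.77"))   # inside the /24
    print(ip_allowed("192.168.11.1"))    # outside it
    print(effective_client_ip("10.0.0.2", "203.0.113.5, 10.0.0.2",
                              trusted_proxies=("10.0.0.2",)))
```

The allowlist is only as good as the address it is compared against: if the Manager is clustered behind a load balancer (see Configuring the Smartcrypt Manager to use Memcached), confirm which address the Manager actually sees before relying on this setting.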

Active Directory

Configure your Active Directory integration here.

Setting

Description

Integration

Enable this to allow client agents to connect with the user's Active Directory credentials.

Connectors

By default, Smartcrypt uses the current Internet Information Server (IIS)/Machine account to connect to Active Directory. In this setting, you can (a) identify a different server account and (b) add one or more connected forests to permit searching across multiple forests. See Adding a Connection for details.
Search Options

Match contains (default) allows wildcards at either end of the search term. For example, ?xa* finds EXAMPLE but not EXCEL.

Match starts with only accepts wildcards at the end of the search term; you cannot use a wildcard to stand in for one or more characters at the start. Searching for ex* finds EXAMPLE and EXCEL, but not AXIS.

We recommend staying with the default search option for its flexibility and ease of use, but if domain searches take too long in your environment, Starts With has better performance.

Group Membership

Choose from Smart (default) or Exhaustive.

We recommend staying with the default Smart option, as the Exhaustive option completely searches through all connectors for every user group membership query and consumes a high amount of resources.

Adding a Connection

If you have AD users stored across multiple connected forests, you must add those forests to Smartcrypt Enterprise Manager here.

  1. Click Connectors to open the Active Directory Connections page. You'll see the current list of registered domains.
  2. Click Add Connection. The Add Forest Connector page displays.
  3. Enter the full name of the server you want to connect to.
  4. Enter the username and password used to connect to the server.
  5. Check Use SSL to connect securely. Leave it checked so that the connector's credentials and directory queries are not sent in cleartext between the Manager and the domain controller.
  6. The Enabled box, checked by default, enables or disables the connector for use by the Manager.
  7. Test the connection by searching for a User or SID on the new forest. Click Test to run the search.
  8. When the server passes the connection test, click Save to add this domain account.

Searching Forests

Use the Active Directory Connections page to search for a User or SID on all connected forests.

Note that you can define what forest Smartcrypt searches first with the Order column on the Active Directory Connections page. Drag and drop the icon for each server to change the current order.

Staging Accounts

In a large-scale Smartcrypt deployment you may want to pre-load some user accounts before they connect. The Stage option on the Active Directory Connections page lets you decrease load during the initial rollout.

  1. Click Stage next to the Server you want to add accounts to.
  2. Define the path to the Organizational Unit you want to load accounts from.
  3. Use Lightweight Directory Access Protocol (LDAP) filters to specify what accounts to add. See Extracting Files in the Smartcrypt Command Line Interface user guide for more information on using LDAP filters.
  4. Specify a limit for the number of accounts to stage.
  5. Click Stage to start the process.

Click  Staged Accounts on the Active Directory Connections page to review the existing Staged Accounts.
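The following is an added example, not Smartcrypt code, covering both the Search Options above (Match contains versus Match starts with, with the page's ? and * wildcards) and the LDAP filters used when staging accounts. It implements the two modes as a local matcher over the page's own example names, and builds the equivalent LDAP filter with the search term escaped per RFC 4515 so that a term containing parentheses cannot inject extra filter clauses. The attribute name sAMAccountName, the objectClass=user clause, and the handling of ? (LDAP has no single-character wildcard, so it is sent as a literal) are assumptions; the sample names are constructed from the page's examples.

```python
import re

# RFC 4515 escapes for characters that are special inside an LDAP filter value.
# '*' is deliberately not escaped: it is the substring wildcard we want to keep.
_LDAP_ESCAPES = {"\\": r"\5c", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def _check_mode(term, mode):
    if mode not in ("contains", "starts_with"):
        raise ValueError(f"unknown mode: {mode}")
    if mode == "starts_with" and term[:1] in ("*", "?"):
        # Match starts with does not accept a leading wildcard.
        raise ValueError("a leading wildcard is only valid with Match contains")


def _term_to_regex(term, mode):
    """Translate the page's wildcard syntax to a case-insensitive regex:
    '*' matches any run of characters, '?' matches exactly one."""
    _check_mode(term, mode)
    body = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in term
    )
    body = (".*" + body if mode == "contains" else body) + ".*"
    return re.compile(rf"^{body}$", re.IGNORECASE)


def local_search(term, names, mode="contains"):
    """Filter an already-fetched list of names the way the two modes describe."""
    rx = _term_to_regex(term, mode)
    return [n for n in names if rx.match(n)]


def ldap_filter(term, mode="contains", attr="sAMAccountName"):
    """Build the equivalent LDAP search filter with the value escaped, so a term
    such as 'admin)(|(cn=*' cannot break out of the attribute clause.
    '?' has no LDAP equivalent (assumption: sent as a literal character)."""
    _check_mode(term, mode)
    value = "".join("*" if ch == "*" else _LDAP_ESCAPES.get(ch, ch) for ch in term)
    if mode == "contains" and not value.startswith("*"):
        value = "*" + value
    if not value.endswith("*"):
        value += "*"
    return f"(&(objectClass=user)({attr}={value}))"


# Constructed sample directory: the three names used in the page's examples.
SAMPLE_NAMES = ["EXAMPLE", "EXCEL", "AXIS"]

if __name__ == "__main__":
    print(local_search("?xa*", SAMPLE_NAMES))                 # ['EXAMPLE']
    print(local_search("ex*", SAMPLE_NAMES, "starts_with"))   # ['EXAMPLE', 'EXCEL']
    print(ldap_filter("ex", "starts_with"))
    print(ldap_filter("admin)(|(cn=*", "starts_with"))        # parentheses escaped
```

Match starts with is cheaper for the directory because a filter of the form attr=term* can use an index, whereas the leading wildcard of Match contains forces a scan of the attribute; that is the performance difference the Search Options note describes. When you write your own filters for staging, escape any value that originates from user input the same way.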

Data Security Intelligence 

Data Security Intelligence (DSI) enables Smartcrypt clients deployed in your organization to report a file audit log back to the Smartcrypt Manager: file encryptions, decryptions and changes to Smartkey access control lists. See the Reporting (DSI) page for detailed documentation.

This feature collects data about how your users use the system. Every file encryption and decryption is logged, so leaving this option enabled when you do not intend to use the feature will make your database grow very large very quickly.

Setting

Description

Enabled

The server will perform Data Security Intelligence functions.

Signing

Clients will transmit information about digitally signed files as well as encryptions.

Target

Where DSI data will be sent: an internal location, a Splunk server, or an appropriate system log.

Log all Agent Activity (forensic)

Clients will transmit a record of everything each client does.

Log Unencrypted Archive Events

Clients will transmit information about all archives created and extracted, even when the archive is not encrypted.

Log Multi-file Archive Events

Clients will transmit information about all archives created and extracted that contain more than one file.

Log Device Last Access Times

Clients will transmit when a device was last accessed.

Log Admin Login Attempts

Clients will transmit each attempt to log in to that device as an administrator.

Configuring the Smartcrypt Manager to connect to your mail server

As your users begin to use Smartcrypt and Smartkeys, notifications and alerts can be sent by email. These emails alert users about requests for access to a Smartkey: the owner of the Smartkey receives an email about the pending request, and the requester receives an email when access is granted. To set up email notifications within your organization, configure the mail settings.

Setting

Description

Enable TLS

Require mail to be sent over TLS.

Server Hostname

Mail Server hostname

Port

25 by default, unless TLS is enabled.

Domain

If your mail server requires authentication, identify the Active Directory Domain here.

SMTP Username

(Optional) If your mail server requires authentication, enter the Active Directory user name.

SMTP Password

(Optional) If your mail server requires authentication, enter the Active Directory user password.

From Address

Enter what should appear in the From: line of the emails (notifications and log reports) that the Smartcrypt Manager sends.

System Event Recipients

Enter the email addresses for people who should be notified when high priority errors occur on Smartcrypt Manager.

Billing Event Recipients

Smartcrypt Manager checks license consumption periodically and notifies these recipients when the allocated license count is reached and when the system will stop distributing new licenses to Smartcrypt clients.

When you have configured the Mail Settings, click Send Test Mail to confirm that everything works.
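The following is an added example, not Smartcrypt code, of performing the same check as Send Test Mail from outside the product, using the settings in the table above. The page does not state which port is used when TLS is enabled, so the port mapping (25 plain, 587 for STARTTLS, 465 for implicit TLS) and the DOMAIN\username login form are assumptions. The example refuses to send a password over a cleartext session and verifies the mail server's certificate against the system trust store; the addresses in the usage lines are constructed.

```python
import smtplib
import ssl
from email.message import EmailMessage


def resolve_smtp_port(enable_tls, port=None, implicit_tls=False):
    """Assumed mapping of the page's 'Enable TLS' and 'Port' settings: an explicit
    port wins; otherwise 25 in the clear, 587 for STARTTLS, 465 for implicit TLS."""
    if port:
        return int(port)
    if not enable_tls:
        return 25
    return 465 if implicit_tls else 587


def build_test_message(from_addr, recipients, subject="Smartcrypt Manager test mail"):
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content("Test message from the Smartcrypt Manager mail settings check.")
    return msg


def send_test_mail(host, enable_tls, from_addr, recipients, username=None,
                   password=None, domain=None, port=None, implicit_tls=False):
    """Send one test mail with the given settings. Returns smtplib's dict of
    refused recipients (empty on success). Raises rather than silently falling
    back to cleartext when TLS is required or a password would be exposed."""
    port = resolve_smtp_port(enable_tls, port, implicit_tls)
    msg = build_test_message(from_addr, recipients)
    # Assumption: an Active Directory account is presented as DOMAIN\username.
    login = f"{domain}\\{username}" if domain and username else username
    ctx = ssl.create_default_context()  # verifies hostname and certificate chain
    if enable_tls and implicit_tls:
        smtp = smtplib.SMTP_SSL(host, port, context=ctx, timeout=15)
    else:
        smtp = smtplib.SMTP(host, port, timeout=15)
    with smtp:
        smtp.ehlo()
        if enable_tls and not implicit_tls:
            if not smtp.has_extn("starttls"):
                raise RuntimeError(f"{host}:{port} does not offer STARTTLS; "
                                   "refusing to continue in the clear")
            smtp.starttls(context=ctx)
            smtp.ehlo()  # capabilities (including AUTH) can change after STARTTLS
        if login and password:
            if not enable_tls:
                raise RuntimeError("refusing to send a password over cleartext SMTP")
            smtp.login(login, password)
        return smtp.send_message(msg)


if __name__ == "__main__":
    # Constructed values; replace with your own mail server and addresses.
    refused = send_test_mail("mail.example.internal", enable_tls=True,
                             from_addr="smartcrypt@example.internal",
                             recipients=["secops@example.internal"],
                             username="svc-smartcrypt", password="change-me",
                             domain="EXAMPLE")
    print("refused recipients:", refused)
```

If this succeeds but Send Test Mail fails, the difference is usually the account running the Manager, its trust store, or a firewall between the Manager host and the mail server rather than the settings themselves.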

Configuring the Smartcrypt Manager to use Memcached

Because your environment may be very large, we recommend running several Smartcrypt Manager application servers behind a load balancer. A load balancer helps the system scale to handle more HTTPS traffic from the clients in your organization. This configuration is for large-scale deployments where the Smartcrypt Manager must serve on the order of 100,000 clients. Memcached is required when more than one Smartcrypt Manager runs in an application server cluster: cached data is then stored in Memcached, where every node in the cluster can reach it, instead of in the process memory of a single Smartcrypt Manager. Memcached does not authenticate clients or encrypt traffic by default, so place it on a network segment reachable only by the Manager nodes and block its port (11211 by default) from everything else.

Enable

Defaults to No. Enable it only if you run more than one Smartcrypt Manager in your cluster.

Server:Port #

The server address and port on which Memcached is installed and running. Verify that this port is open on any firewall between the Smartcrypt Manager and the Memcached host.