Terminology
The following terms are used throughout the documentation.
administrative interface
Key Manager provides many administrative interfaces for performing management actions. These include the web-based graphical user interface (simply referred to as the Key Manager GUI), the Key Manager API, and the Key Manager clients.
access request
An access request describes new authorizations needed by application owners.
active authorized key
An authorized key that can actually be used to gain access to a destination account. In other words, a key that is both present on a host and referenced by the SSH server configuration on that host.
active private key
A private key that is both present and in the SSH client configuration on a host.
application key
Any SSH key that an application uses in order to function. In the scope of application-key signoff using User Portal, any user key that is associated with an application in the Key Manager system is called an application key.
application-key signoff
A process for increasing the security and the compliance of SSH keys in the network environment. The process involves both Key Manager administrators and application owners.
application owner
A person responsible for any application that uses SSH keys. Application owners are also responsible for reviewing and signing off user keys used by their applications, as well as for creating and approving access requests.
authorization
SSH authorization established with an SSH key pair. May refer to the SSH keys that enable the authorization. In some situations, used synonymously with authorized key.
authorized key
An SSH public key that is used for user authentication, and is included in the authorized-keys file on at least one host. The authorized-keys files are specified by the SSH-server configuration on each host.
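The distinction drawn here between an authorized key (present in some authorized-keys file) and an active authorized key (present in a file that the SSH server configuration actually consults) is easy to get wrong during an inventory. The following added example, not part of this documentation or of the Key Manager product, resolves the AuthorizedKeysFile directive of a constructed sshd_config (including %h and %u tokens) and lists only the keys that are active for one account; a stray authorized_keys2 file that the configuration does not name is deliberately left out. File contents, key blobs and the user name svc are constructed.

```python
import re
import tempfile
from pathlib import Path

SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config; %h is the account's home directory, %u the user name
Port 22
AuthorizedKeysFile .ssh/authorized_keys %h/extra_keys/%u
PasswordAuthentication no
"""

def authorized_keys_paths(config_text, home, user):
    """Resolve the authorized-keys files the SSH server configuration names for one account.
    Only AuthorizedKeysFile is handled (sshd's default .ssh/authorized_keys applies when absent)."""
    patterns = [".ssh/authorized_keys"]
    for line in config_text.splitlines():
        m = re.match(r"\s*AuthorizedKeysFile\s+(.*)", line.split("#", 1)[0], re.IGNORECASE)
        if m:
            patterns = m.group(1).split()
    paths = []
    for p in patterns:  # expand %%, %h and %u; relative paths are taken under the home directory
        p = p.replace("%%", "\0").replace("%h", str(home)).replace("%u", user).replace("\0", "%")
        paths.append(Path(p) if p.startswith("/") else Path(home) / p)
    return paths

def active_authorized_keys(config_text, home, user):
    """List the account's active authorized keys: public keys present on disk in a file the server
    configuration actually consults. Each result is (key_type, key_blob, comment, source_file)."""
    found = []
    for path in authorized_keys_paths(config_text, home, user):
        if not path.is_file():
            continue  # named by the configuration but absent: nothing there can authorize a login
        for raw in path.read_text().splitlines():
            parts = raw.split()
            if not parts or parts[0].startswith("#"):
                continue
            # Options such as command="..." may precede the key type; locate the key-type token.
            idx = next((i for i, t in enumerate(parts) if t.startswith(("ssh-", "ecdsa-", "sk-"))), None)
            if idx is not None and idx + 1 < len(parts):
                found.append((parts[idx], parts[idx + 1], " ".join(parts[idx + 2:]), str(path)))
    return found

def demo():
    """Build a constructed home directory with three key files and report which keys are active."""
    home = Path(tempfile.mkdtemp())
    for d in (".ssh", "extra_keys"):
        (home / d).mkdir()
    (home / ".ssh/authorized_keys").write_text('command="/usr/bin/backup" ssh-ed25519 AAAA_constructed_key_A backup@app\n')
    (home / "extra_keys/svc").write_text("# deploy key\nssh-rsa AAAA_constructed_key_B deploy@ci\n")
    (home / ".ssh/authorized_keys2").write_text("ssh-ed25519 AAAA_constructed_key_C stale@old\n")  # not in config
    return active_authorized_keys(SAMPLE_SSHD_CONFIG, home, "svc")
```

Running demo() reports keys A and B as active; key C is an authorized key in the page's sense only if some host configuration names its file, which this one does not.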
command-line client
The command-line client is a small Python application that is used to access the Key Manager API through the command-line interface. The command-line client can be used to perform most of the management operations supported by the Key Manager system.
hosts in the managed environment
All the hosts in the managed environment. Not to be confused with managed hosts, which are the hosts in the managed environment that are in the managed state.
Initial Configuration Block (ICB)
An ICB is a configuration file required by the Key Manager agent. It contains parameters for setting up a connection from the agent-based host to the Key Manager Server. The ICB is created by the Key Manager Server and should be delivered to the managed host along with the Key Manager agent.
Key Manager administrator
A Key Manager administrator is a person who has permissions to use Key Manager for performing management tasks. The exact permissions of each Key Manager administrator are defined by the Key Manager account they use. Key Manager administrators manage and audit the managed environment.
Key Manager agent
A Key Manager agent is a software component installed on a managed host machine. Key Manager agents are responsible for communicating with the Key Manager Server. The Key Manager agent runs transparently in the background on the managed host.
Key Manager back end
A Key Manager Server that runs a Key Manager back end. Key Manager back ends run the management engine, store the configuration and environment information, and provide management communications to the managed hosts.
Key Manager Database
The Key Manager Database is a database that stores the Key Manager management information.
Key Manager GUI
Key Manager Graphical User Interface. See administrative interface.
Key Manager Server
The Key Manager Server is a machine that runs a Key Manager back end, and/or a Key Manager front end.
Key Manager front end
A Key Manager Server that runs a Key Manager front end. Key Manager front ends provide the web-based administration interface and API services.
Key Manager User Portal
A Key Manager User Portal provides services for users to submit access requests. Key Manager User Portals also provide functionality for signing off keys.
key remediation
Key remediation is the process of bringing the SSH keys within the managed environment under control. The actual processes involved in key remediation depend heavily on the security criteria and policies of your corporation. As some examples, key remediation can include tasks such as gaining increased visibility into the SSH-key environment, moving all user keys to secure central locations, formalizing key provisioning, and unifying SSH-software configurations.
key request
A key request describes what actions must be performed for an existing application key to increase its security and compliance.
key signoff
Key signoff is the structured process of reviewing and maintaining SSH keys. The objective of key signoff is to guarantee that the purpose of the keys in the managed environment is understood, and that they conform to established policies.
managed environment
The environment consisting of all those hosts that are in the Key Manager host environment, and the user accounts and the SSH keys on those hosts. Those hosts that are in a monitored or a managed state belong to the managed environment.
management account
Key Manager runs management actions as a user on the managed host. This account is called the management account. To allow Key Manager to perform management actions, the management account must be sufficiently privileged: either the account must be privileged (such as root), or the management account must be given the necessary sudo permissions.
management connection
Management connection refers to the connection between the Key Manager Servers and hosts in the managed environment. It is used to secure the management traffic. In agent-based connections, the connection is initiated by the Key Manager agent on the agent-based host. In agentless connections, the connection is initiated by the Key Manager Server. The management connection is secured using SSH.
monitored host
Host machines in the managed environment that are put in a monitored state. The monitored state can be regarded as a read-only mode for hosts: management actions that modify trust relationships or SSH configurations are disabled on monitored hosts.
managed host
Host machines in the managed environment that are in a managed state. Not to be confused with hosts in the managed environment, which also include monitored hosts.
user key
SSH keys that are used for account authentication and authorization. This includes private and public keys that are used for the described purpose. These can be used by actual people and/or by automated processes. Does not include host keys.
request
In the Key Manager and User Portal context, requests include access requests and key requests. An access request describes new authorizations needed by application owners. A key request describes what actions must be performed for an existing application key to increase its security and compliance.