
Preparing for Installation

Check and execute the following steps before starting the installation:

  • You need an empty database for the Key Manager system. Remember the name of the empty database, as well as the credentials of the database user you set up for the Key Manager. When using remote databases, also remember the address of the database machine, and the database port number. You will be prompted for this information during Key Manager Server setup.

    • For production environments, we recommend that you set up the database on its own remote machine. The remote database must be set up before you set up any Key Manager Servers. Additionally, the database must be configured so that all Key Manager back ends and front ends can access it as the database user.

    • For evaluation environments it is possible to set up the database on one of the Key Manager Server machines. You will need to set up a local database on the first Key Manager Server machine before setting up Key Manager Server software.

      The installation package provides example utilities for configuring a local PostgreSQL database on a Key Manager Server. Instructions for using the provided utilities are detailed in Setting Up a Local Database for Key Manager Use.

For the sake of simplicity, the database user can be given full permissions (access, creation, and modification) to the database.

On Oracle, the database user requires permissions for the initial Key Manager Database setup, and for Key Manager system upgrade. The following SQL commands allow you to create an Oracle tablespace suitable for Key Manager use, and to configure a database user that can perform maintenance tasks:

CREATE BIGFILE TABLESPACE tablespace_name
DATAFILE 'tablespace_name'
SIZE tablespace_size AUTOEXTEND ON NEXT 100M MAXSIZE max_tablespace_size
LOGGING EXTENT MANAGEMENT LOCAL SEGMENT SPACE MANAGEMENT AUTO;

CREATE USER database_user PROFILE "DEFAULT" IDENTIFIED BY database_user_password
DEFAULT TABLESPACE tablespace_name ACCOUNT UNLOCK;
ALTER USER database_user QUOTA UNLIMITED ON tablespace_name;

GRANT CREATE SESSION,
CREATE SEQUENCE,
CREATE TRIGGER,
CREATE TABLE,
CREATE VIEW,
CREATE PROCEDURE TO database_user;

GRANT EXECUTE ON SYS.DBMS_LOB TO database_user;
GRANT EXECUTE ON SYS.DBMS_RANDOM TO database_user;
GRANT EXECUTE ON SYS.DBMS_UTILITY TO database_user;
GRANT SELECT ON V_$SESSION TO database_user;

In the example SQL commands, adjust the database size, tablespace, and user credentials to suit your environment:

  • database_user: The name of the database-user account.

  • database_user_password: The password of the database user.

  • max_tablespace_size: Maximum tablespace size.

  • tablespace_name: The name of the tablespace that is to be used by Key Manager.

  • tablespace_size: The initial size of the tablespace.

For more information about setting up an Oracle database, refer to its documentation at http://www.oracle.com.

On PostgreSQL, you need to create a user and a database to be used by Key Manager (PKM), and allow connections to the database.

As the postgres user, set up the database with the following commands, where keymanager is your chosen name for the database user, and keymanagerdb is your chosen name for the database:

[root@postgres ~]# su - postgres
$ createuser -S keymanager
$ createdb keymanagerdb

In psql, run these commands to create a password for the user, and to grant privileges to the database created in the previous step:

If you are using PostgreSQL 14:

ALTER USER keymanager with encrypted password 'insert_chosen_password';
GRANT ALL PRIVILEGES ON DATABASE keymanagerdb TO keymanager;

If you are using PostgreSQL 15 or 16 (connect to keymanagerdb first, for example with \c keymanagerdb, because the schema grant applies to the public schema of the current database):

ALTER USER keymanager with encrypted password 'insert_chosen_password';
GRANT ALL PRIVILEGES ON SCHEMA PUBLIC TO keymanager;

Also configure PostgreSQL to accept md5 (password) authentication for connections to the database; the default authentication method is ident.

If you are using PostgreSQL 14:

Manually edit the /var/lib/pgsql/14/data/pg_hba.conf file to change the authentication method, then restart the PostgreSQL database service:

service postgresql-14 restart

If you are using PostgreSQL 15 or 16:

Manually edit the /var/lib/pgsql/data/pg_hba.conf file to change the authentication method, then restart the PostgreSQL database service:

service postgresql restart

For information about setting up a PostgreSQL database, refer to its documentation at http://www.postgresql.org/.
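The pg_hba.conf edit above is easy to get wrong, because PostgreSQL evaluates the file top-down and the first matching record decides: a catch-all ident record placed above a new md5 record for keymanagerdb silently keeps ident in effect, and the Key Manager Server's password login then fails. The following script is an added example, not part of the Key Manager guide or product, that parses a pg_hba.conf and reports the method PostgreSQL would actually apply for the keymanager user connecting to keymanagerdb from given client addresses, and flags any trust record. The three sample configurations, the client addresses, and the function names are constructed for the example; it assumes addresses are written in CIDR form or as all (the separate netmask column and keywords such as samehost are not handled).

```python
"""Audit a PostgreSQL pg_hba.conf for the Key Manager database connection.

Added example, not part of the Key Manager installation guide and not
Key Manager code. It checks the change the guide asks you to make by hand:
that TCP connections from the Key Manager Servers to the keymanagerdb
database as the keymanager user are authenticated with a password method
(md5 in the guide) rather than the default ident/peer, and that no record
grants trust. PostgreSQL applies the first matching record, so a catch-all
record above a more specific one overrides it.

Assumptions: addresses are CIDR blocks or 'all' (the separate netmask
column and keywords such as samehost are not handled); database, user and
client addresses below are constructed sample values.
"""
import ipaddress

# Methods that authenticate the client with a password it presents.
PASSWORD_METHODS = {"md5", "scram-sha-256", "password"}


def parse_hba(text):
    """Return the records of a pg_hba.conf as dicts, skipping comments and blanks."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":
            # Unix-socket records have no address column.
            database, user, address, method = fields[1], fields[2], None, fields[3]
        else:
            database, user, address, method = fields[1], fields[2], fields[3], fields[4]
        records.append({"type": fields[0], "database": database, "user": user,
                        "address": address, "method": method})
    return records


def _name_matches(pattern, name):
    # 'all' matches any name; a comma-separated list matches any of its members.
    return pattern == "all" or name in pattern.split(",")


def _address_matches(pattern, address):
    # 'all' matches every client; otherwise the client must lie inside the CIDR block.
    # An ip_network never contains an address of the other IP version.
    if pattern == "all":
        return True
    return ipaddress.ip_address(address) in ipaddress.ip_network(pattern, strict=False)


def effective_method(records, conn_type, database, user, address=None):
    """Return the auth method PostgreSQL would apply, or None if no record matches."""
    for rec in records:
        # A plain 'host' record matches both SSL and non-SSL TCP connections.
        type_ok = rec["type"] == conn_type or (
            rec["type"] == "host" and conn_type in ("hostssl", "hostnossl"))
        if not type_ok:
            continue
        if not _name_matches(rec["database"], database) or not _name_matches(rec["user"], user):
            continue
        if rec["type"] != "local" and not _address_matches(rec["address"], address):
            continue
        return rec["method"]
    return None


def audit(text, database, user, client_addresses):
    """Return findings for TCP logins as `user` to `database` from each client address."""
    records = parse_hba(text)
    findings = [f"trust record grants unauthenticated access: {r['type']} {r['database']} {r['user']}"
                for r in records if r["method"] == "trust"]
    for addr in client_addresses:
        method = effective_method(records, "host", database, user, addr)
        if method is None:
            findings.append(f"{addr}: no matching record, connections are rejected")
        elif method not in PASSWORD_METHODS:
            findings.append(f"{addr}: effective method is {method}, password login fails")
    return findings


# Constructed sample configurations: the shipped default, the guide's edit,
# and a mistaken edit where the new record sits below a catch-all record.
HBA_DEFAULT = """\
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             all                                     peer
host    all             all             127.0.0.1/32            ident
host    all             all             ::1/128                 ident
"""
HBA_FIXED = """\
local   all             all                                     peer
host    keymanagerdb    keymanager      10.0.0.0/24             md5
host    all             all             127.0.0.1/32            ident
"""
HBA_SHADOWED = """\
host    all             all             0.0.0.0/0               ident
host    keymanagerdb    keymanager      10.0.0.0/24             md5
"""

if __name__ == "__main__":
    for name, text in (("default", HBA_DEFAULT), ("fixed", HBA_FIXED), ("shadowed", HBA_SHADOWED)):
        print(name, audit(text, "keymanagerdb", "keymanager", ["10.0.0.5"]) or ["ok"])
```

Run it against your real file with the addresses of every Key Manager back end and front end (`audit(open("/var/lib/pgsql/data/pg_hba.conf").read(), "keymanagerdb", "keymanager", [...])`); an empty result means each server reaches a password-authenticated record before any ident or reject record does.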

  • When using an Oracle database as the Key Manager Database, you may optionally enable Oracle Advanced Security Transparent Data Encryption (TDE) to protect the sensitive data contained in the Key Manager Database. The following database fields contain sensitive information that may be additionally protected using Oracle TDE:

    • sshmgr_credentials.passphrase

    • sshmgr_ldapdomain.bind_password

    • sshmgr_hostkey._passphrase

    • sshmgr_privatekey._passphrase

    • sshmgr_agentconf._secret_identity

      Alternatively, the whole Key Manager Database may be protected; in that case, Oracle TDE should be enabled before Key Manager Server software setup. If only single fields are to be encrypted, the Key Manager Database can be altered to encrypt those fields after the initial Key Manager Server is set up.

  • Ensure that you have the necessary packages and licenses for installing Key Manager. You will need the following:

    • PrivX Key Manager license.

    • Tectia SSH Server licenses (required for Key Manager back ends).

    • The Key Manager installation package version 7.0.0. The package is named as follows:

      sshmgr-7.0.0-*.x86_64.tar

    • The GPG key used for verifying the sshmgr rpm package.

  • Determine whether you want to use secure connections for database connections (connections between the Key Manager Servers and the Key Manager Database).

    We strongly suggest that you use secure database connections. This installation manual provides instructions for securing the database connection using SSL. The instructions are provided in Setting Up SSL Connection to Oracle Databases and Setting Up SSL Connection to PostgreSQL Databases for Oracle and PostgreSQL respectively.

    Note that SSL configuration for PostgreSQL must be performed before Key Manager Server setup, whereas for Oracle it must be performed after Key Manager Server setup. We recommend that you familiarize yourself with the SSL-setup instructions before configuring any Key Manager Servers.

  • Key Manager front ends serve the Key Manager GUI over HTTPS, which uses X.509 certificates for server-side authentication. If you have an external Certificate Authority (CA), and if you are setting up servers for a production deployment, you should acquire trusted server certificates for the Key Manager front ends you're setting up. For more information about the required certificates, see Setting Up GUI and API services (Front End Only).

  • Make sure that the machine on which the Key Manager system component is to be installed meets the system requirements. For more information about system requirements, see System Requirements for Key Manager Components.

    Normal operations require disk space for event logging, and key information storage. The Key Manager Server stores all collected event and key data in the Key Manager Database, and large managed environments with many hosts may produce considerable amounts of data over time. Reserve enough space for the log data and monitor the growth of the database.

    In Key Manager deployments that use an Oracle database, Key Manager Servers use an Oracle client to communicate with the database. The Oracle client generates logs that may take up considerable disk space over time. To prevent the Oracle client log from consuming too much disk space, we recommend that you set up Oracle client-log rotation on all the Key Manager Servers. For instructions regarding Oracle log rotation, please refer to the Oracle documentation.

    The Oracle client-log file is typically located in a custom path similar to the following:

    /var/tmp/oradiag_sshmgr/diag/clients/user_sshmgr/host_3676580564_80/trace/sqlnet.log

  • Make sure that the operating system and software packages are up to date on the target machine. You can update all the packages by running:

    # yum update

    If the target machine does not have repository access, you need to manually install the following dependencies before Key Manager setup:

    • nginx
    • supervisor
    • dialog

  • For Key Manager Server machines, make sure that there are no other web servers running on the HTTPS port (443) of the host. These instructions assume that the Nginx web server is used exclusively for running the Key Manager Server. If this is not the case, please refer to the Nginx documentation for configuring the web server for running multiple sites.

  • The locale of the machine must be set to a UTF-8 locale, such as en_US.UTF-8. The us_ascii locale, which is the default on many distributions, is not supported.

  • Parts of the setup are performed using a web-based interface. Check that your web browser is supported, and allows the use of cookies and JavaScript. The recommended browsers are as follows:

    • Latest & stable Mozilla Firefox
    • Latest & stable Chrome
    • Latest & stable Chromium-based Microsoft Edge