Kms server authentication settings, 80 kms server settings section components, Server authentication settings – HP Secure Key Manager User Manual

Table 80 KMS Server Settings section components

Component

Description

IP

This field specifies the IP address(es) on which the KMS Server is enabled on the SKM.

The drop-down box consists of all IP addresses bound to the SKM.

IMPORTANT:

We strongly recommend that you select a specific IP address instead of

specifying [All]. If you have four IP addresses bound to the SKM, then the KMS

Server listens for traffic on four different IP addresses; whereas, if you specify a

single IP address, the KMS Server listens for traffic on only one IP address. This

can greatly reduce system vulnerability to outside attacks.

Port

Port on which the KMS Server is listening for client requests. The default port is 9000;

however, you can use any available port.

Use SSL

Specify whether you want to require that clients connect to the KMS Server using an

SSL connection. A check mark in the box indicates that the KMS Server only accepts

traffic on an SSL connection. If the Use SSL option is not enabled, the KMS Server

will not accept SSL connections.

Server Certificate

If you are requiring SSL, you must provide the certificate that will be used to

authenticate the KMS Server to clients.

Connection Timeout

(sec)

The Connection Timeout value specifies in seconds how long client connections can

remain idle before the KMS Server begins closing them. The default value is 60; the

maximum value is 7200 (2 hours). Specifying a value of 0 means that the KMS Server

will not close client connections due to inactivity.

Allow Key and

Policy Configuration

Operations

When this feature is enabled, the KMS Server allows the following actions:

•

key creation and deletion.

•

key import.

•

users with User Administration Permission can create, delete, and modify users and

groups (available only through the XML interface.)

When this feature is disabled, only authentication, cryptographic, and random

number generation requests are available. By default, this feature is disabled.
When using the multiple credentials feature, enabling this option allows users (and

unauthenticated sessions) to perform the actions listed without being subjected to the

multiple credentials rule.

IMPORTANT:

This feature may pose a security loophole. You might allow this access for

automated scripts, or you might disallow it to tighten security.

IMPORTANT:

Enabling this feature on a FIPS-compliant device will take the device out of FIPS

compliance - possibly in a manner that does not comply with FIPS standards.

For information on disabling FIPS compliance, see

FIPS Compliance

.

Allow Key Export

When this feature is enabled, the KMS Server allows key export.

IMPORTANT:

Enabling this feature on a FIPS-compliant device will take the device out of FIPS

compliance - possibly in a manner that does not comply with FIPS standards.

For information on disabling FIPS compliance, see

FIPS Compliance

.

Edit

Click Edit to modify the KMS Server settings.

KMS Server Authentication Settings

The KMS Server Authentication Settings section, shown here, allows you to specify whether and how

clients authenticate to the KMS Server.

170

Using the Management Console