Key Manager Plus - Frequently Asked Questions
1. General
- Do I need to install any prerequisite software before using Key Manager Plus?
- What are the operating systems supported by Key Manager Plus?
- What are the user roles available in Key Manager Plus? What are their access levels?
- Can other administrators view the keys added by me?
- How to transfer ownership of private key?
- How to add a new Active Directory (AD) domain in Key Manager Plus?
- How do I troubleshoot when the PostgreSQL server fails to start?
2. SSH Key Management
- Are there any differences in the way SSH user accounts and SSH service accounts are managed using Key Manager Plus?
- Is there a way to view SSH keys that were not rotated?
- Does Key Manager Plus support management of digital keys other than SSH keys and SSL certificates?
3. SSL Certificate Management
- Is there any certificate type that Key Manager Plus is incompatible with?
- Is it possible to automatically identify and update the latest version of certificates in Key Manager Plus certificate repository?
- Does the Linux version of Key Manager Plus support certificate discovery from Active Directory and MS Certificate Store?
- Is it possible to group certificates with same common name?
- Is it possible to track the expiry of certificates with the same common name in Key Manager Plus certificate repository?
- How do I import a private key for a certificate?
- How do I deploy a certificate to the Microsoft Certificate Store and map it to the application that uses the certificate?
- Does Key Manager Plus support subnet-based certificate discovery?
- Does Key Manager Plus support scheduling for certificate discovery from MS Certificate Store?
- Are certificate related alert emails generated for all versions of a certificate (the ones that show in "certificate history" also) or only for those certificates listed in Key Manager Plus certificate repository?
- Are certificates issued by the company's internal Certification Authority (CA) counted for licensing?
1. General
1. Do I need to install any prerequisite software before using Key Manager Plus?
Apart from the standard system requirements (both hardware and software), the following elements are essential for the proper functioning of the Key Manager Plus server.
- An external mail server (SMTP server) for the functioning of Key Manager Plus server and to send various notifications to users.
You need to have the following to utilize the SSH and SSL discovery operations in Key Manager Plus.
- A service account that has domain admin rights in the Key Manager Plus server and in the target systems that you would like to manage.
- Microsoft .NET framework 4.5.2 or above must be installed in the server where Key Manager Plus is installed.
2. What are the operating systems supported by Key Manager Plus?
Windows | Linux |
---|---|
Windows Server 2022 | Ubuntu 9.x and above |
Windows Server 2019 | CentOS 4.x and above |
Windows Server 2016 | Red Hat Linux 9.0 |
Windows Server 2012 R2 | Red Hat Enterprise Linux 5.x and above |
Windows Server 2012 | - |
Windows 11 | - |
Windows 10 | - |
Windows 8 | - |
Windows 7 | - |
Key Manager Plus usually works well with all the flavors of Linux.
Note: Key Manager Plus can also be run on the VMs of all the above operating systems.
3. What are the user roles available in Key Manager Plus? What are their access levels?
Key Manager Plus comes with two pre-defined roles:
- Administrator
- SSL User
- Operator
Click here for details on the access levels of the default roles.
4. Can other administrators view the keys added by me?
Yes, all the Administrators will be able to view all the certificates added by the other Administrators. Note that only the administrator can add certificates to Key Manager Plus. The operator user can only view the certificates shared with them.
5. How to transfer ownership of private key?
All the administrators will be able to view and download the private key added by other administrators. So, it is not necessary to transfer ownership of the private key.
6. How to add a new Active Directory (AD) domain in Key Manager Plus?
Administrators can add new domains for both certificate discovery and user management operations. Follow the below steps for AD User Certificate discovery:
- Navigate to Discovery >> AD User Certificate.
- Here you can click New Domain beside the Domain Name field and add a new domain name.
Refer to this help section for detailed instructions.
To add a new domain for user discovery:
- Navigate to Settings >> User Management >> Active Directory.
- Here you can click New Domain beside the Select Domain Name field and add a new domain name.
Refer to this help section for detailed instructions.
7. How do I troubleshoot when the PostgreSQL server fails to start?
Error Scenarios:
- During Upgrade:
'Trying to start PostgresSQL server failed' error in the command prompt after choosing the PPM file.
- During Service Start up:
- Key Manager Plus service start failure after the upgrade.
- Key Manager Plus service start failure after updating the Key Manager Plus service account in Services console.
For the above two cases, do the following:
Open the <KMP-HOME>\logs\wrapper file with notepad/Notepad++ and move to the very bottom of the file (i.e. most recent time frame) and check if you get the 'Trying to start PostgresSQL server failed' error.
Possible Causes:
The following causes are explained with respect to the above error scenarios:
The 'Trying to start PostgresSQL server failed' error occurs when,
- Key Manager Plus is unable to access few sub-folders inside Key Manager Plus (i.e appropriate permission not given).
- The PostgreSQL DB fails to start because of a background process that was not terminated properly.
- The instant DB port might be occupied by a different process.
Solution:
The solution given below applies to all the above error scenarios. To fix this issue, follow the below steps to provide permission,
- Start the Task Manager and kill all Postgres process (make sure "show process from all users" is selected - For Key Manager Plus).
- Update the Key Manager Plus service with a privileged account in the services console.
- Open command prompt using administrator and execute the below query:
- icacls "installation path" /q /c /t /grant Users:F
installation path - Provide the Manage_Engine folder location.
Users - Provide the Key Manager Plus service account in the following format: <DomainName\user name> or <username@domainname>.
Example: icacls "C:\ProgramFiles\ManageEngine\KMP" /q /c /t /grant ManageEngine\svckmp:F
- If the key is placed outside the Key Manager Plus folder, kindly provide permission for the key's locations using icacls command.
- In the same way, provide full control permission for <KMP>\pgsql\data folder.
- Check the <KMP_Installation_Directory>/pgsql/data folder and ensure if it has inherited that permission.
- Navigate to <KMP_Installation_Directory>/pgsql/data and open pg_hba.conf and search NULL. If you find any, remove the entire line that contains NULL.
- Rename the logs folder present inside the <KMP_Installation_Directory> as logs.old and create a new folder as logs.
- Rename the Patch folder present inside the <KMP_Installation_Directory> as Patch.old and create a new folder as Patch.
- Navigate to <KMP_Installation_Directory>/bin directory and look for files named .lock or lockfile. If present, move both these files to any other directory.
- Go to <KMP_Installation_Directory>/pgsql/data directory and look for files named recovery.conf and postmaster.pid. If present, move this file to any other directory.
- Now, try to apply the PPM or try starting the service.
If the issue still persists, zip and send us the logs from the <KMP_HOME> and also the <KMP-HOME>\pgsql\data\pg_log folder along with the above screen shots to keymanagerplus-support@manageengine.com.
2. SSH Key Management
1. Are there any differences in the way SSH user accounts and SSH service accounts are managed using Key Manager Plus?
No. Key Manager Plus adopts the same approach for managing SSH user accounts and SSH service accounts. The only difference is that during server discovery, if service / root account credentials are provided to establish connection with the server, you acquire extended privileges to import and manage keys from all user accounts in the server. Whereas, when connection to the server is established using user account credentials, you get key management privileges only for SSH keys present in that particular account.
2. Is there a way to view SSH keys that were not rotated?
Yes. We have a dashboard that displays the number of keys that were not rotated for the predefined time period as specified in the notification policy.
3. Does Key Manager Plus support management of digital keys other than SSH keys and SSL certificates?
Key Manager Plus houses a key vault called "KeyStore" which facilitates the storage and management of any type of digital key. However, the option to discover and import is limited to SSH keys, PGP keys and SSL certificates only, and isn't available for other types of digital keys.
3. SSL Certificate Management
1. Is there any certificate type that Key Manager Plus is incompatible with?
No. Key Manager Plus supports all X.509 certificate types.
2. Is it possible to automatically identify and update the latest version of certificates in Key Manager Plus certificate repository?
Yes. You can create scheduled tasks to perform automatic certificate discovery through which you can import and replace old certificates from target systems with their updated versions in Key Manager Plus certificate repository. Click here for a detailed explanation on creating schedules.
3. Does the Linux version of Key Manager Plus support certificate discovery from Active Directory and MS Certificate Store?
No, it doesn't. The AD User Certificate and MS Certificate Store tabs appear only in the Windows version of Key Manager Plus.
4. Is it possible to group certificates with same common name?
Yes, Key Manager Plus allows you to group certificates based on common name.
Navigate to Settings >> SSL >> Certificate History and Enable Group Certificates By CommonName.
5. Is it possible to track the expiry of certificates with the same common name in Key Manager Plus certificate repository?
Key Manager Plus differentiates certificates by their common names and records certificates with the same common name as a single entry in its certificate repository. We've designed it this way because Key Manager Plus licensing is based on the number of certificates and we don't want customers to spend many license keys for the same certificate.
However, if there's a need to manage both the certificates separately, you can do so by listing them as separate entries in Key Manager Plus' certificate repository. Once listed, the newly added certificate will be counted for licensing.
To add a certificate with the same common name as a separate entry in certificate repository,
- Navigate to the SSL tab and click Certificates, and click the Certificate History icon beside the certificate.
- Click the 'Certificate Settings' icon beside the required version of the certificate and click on 'Manage Certificate'.
- The selected version is listed as a separate certificate in the certificate repository.
- In case you want to manage only one version of the certificate, click the 'Certificate Settings' icon beside the required version and choose the 'Set as current certificate' option.
6. How do I import a private key for a certificate?
Follow the steps below to import a certificate's private key into Key Manager Plus.
- Navigate to the SSL tab and click Certificates.
- Select the certificate for which you need to import the private key.
- Click the Import Keys option from the More drop down menu at the top.
Browse for the file that contains the private key, enter the keystore password, and click on 'Import'. The private key will be imported and attached to the selected certificate.
7. How do I deploy a certificate to the Microsoft Certificate Store and map it to the application that uses the certificate?
Key Manager Plus facilitates certificate deployment through which you can deploy certificates from its repository to target server's Microsoft Certificate Store. Click here for a step-by-step explanation on certificate deployment. To map the certificate to its corresponding application, you've to manually restart the server on which the application is running for the change to take effect.
8. Does Key Manager Plus support subnet-based certificate discovery?
Yes. Key Manager Plus supports subnet-based SSL certificate discovery. Click here to learn about SSL certificate discovery.
9. Does Key Manager Plus support scheduling for certificate discovery from MS Certificate Store?
Yes, Key Manager Plus allows administrators to create schedules to periodically discover certificates from the MS Certificate store. Click here to learn about schedules in Key Manager Plus.
10. Are certificate related alert emails generated for all versions of a certificate (the ones that show in "certificate history" also) or only for those certificates listed in Key Manager Plus certificate repository?
Email notifications are generated for certificates listed in Key Manager Plus's certificate repository. You can navigate to Settings >> SSL >> Certificate Renewal and enable Send expiry notification for the previous version after the successful renewal to receive notifications for the previous version of the certificate.
11. Are certificates issued by the company's internal Certification Authority (CA) counted for licensing?
Yes. All types of SSL certificates, SSH keys and any other digital key being managed using Key Manager Plus are taken into account for licensing. There's a dashboard widget "License Details" that provides insights on the type and number of digital identities being managed using Key Manager Plus that will be taken into account for licensing.