First Run

To configure the time zone, IP address, netmask, gateway, host name, and port number used for the ESKM Management Console interface, the following procedure must be performed once for each ESKM server. Ensure that the ESKM server is powered off before starting this procedure.

  1. Power on the ESKM server by pressing the Power On/Standby button located behind the front bezel door.

  2. When the startup sequence completes, the following prompt displays on the PC or laptop that is running the terminal emulator program (such as PuTTY):

To set up and configure PuTTY, refer to Accessing serial console via PuTTY.

Are you ready to begin setup? (y/halt):

Enter y.

  3. Follow the prompts to enter the necessary information:

Press Enter to accept the default.

a) Admin account password. Be sure to record this value and store it in a safe place. The Security Officer will use the admin account to configure the ESKM servers.

Utimaco has no ability to assist or recover access if administrator credentials (username, password) are lost.

b) Time zone.

c) Date.

d) Time. The time is based on a 24-hour clock; there is no a.m. or p.m. designation. For example, 1:20 p.m. is 13:20:00.

e) The static IPv4 address of the ESKM server. The ESKM server cannot obtain an IP address from a Dynamic Host Configuration Protocol (DHCP) server.

f) Subnet mask.

g) Default gateway.

h) Hostname, including the domain. For example, eskm.example.com. The screen displays the information you entered and the message “Is this correct? (y/n):” If the information displayed is correct, enter y; if not, enter n and make the necessary corrections.

i) Enable IPv6. If the ESKM server will be installed in an IPv6 network, enter y at the prompt and again at the confirmation prompt. If the ESKM server will not be installed in an IPv6 network, or you wish to enable IPv6 later, enter n. If you entered y, you will be prompted to specify the IPv6 address. If you know the IPv6 address, enter y, and then at the next prompt enter the IPv6 address with prefix in this format:

IPv6 address/prefix. The default prefix is /64.

If you do not know the IPv6 address, enter n. You can enter IPv6 addresses later using either the ESKM Management Console or Command Line Interface.

Only enable IPv6 if you are certain that the ESKM server is required to operate on an IPv6 network. Once enabled it cannot be disabled via the ESKM Management Console or the Command Line Interface.


Client systems can use IPv4 addresses to connect to the KMS and KMIP services running on the ESKM system. ESKM supports IPv6 addresses for clients that use either the KMIP or ESKM XML protocols and are on the same subnet as the ESKM server. The following ESKM features, which utilize SCP to move files, support IPv6 addresses:

  • backup, restore, scheduled backup, transfer logs, and software upgrade/install

  • In addition, you can also use a server which has an IPv6 address to perform the following functions:

    • remotely administer the ESKM server via the ESKM Management Console or the command line interface

    • perform network diagnostics (ping and netstat)


If you decide later, after completing the setup process, that you need to enable IPv6 support, you can use the Command Line Interface command ipv6 enable to enable IPv6. You can then use the ipv6 address command or the ESKM Management Console interface to specify the IPv6 address.

j) Web interface port number.

k) Press Enter to complete and save the configuration settings.

At this point, you have given the setup program everything it needs. The ESKM creates SSH keys and also a self-signed Web Admin server certificate. They are used to authenticate the ESKM to users making SSH and Web Admin connections to the ESKM. Because the actual key is large, the ESKM displays the key fingerprint on the console, as shown below.

›_ Console

Creating certificate for Web administration server... 
Creating certificate for signing logs... 
Creating SSH host keys... 
SSH RSA key fingerprint: 
2048 SHA256:aTp6A447vp8dOj43FTT5B/aux6V7zddPzNXxZB0C1SE 
SSH ECDSA key fingerprint: 
521 SHA256:BKO/EfVUKSFpIzVn/WiJ4fS+8CqLyGJSawoQAsvmUoM 
SSH ed25519 key fingerprint: 
256 SHA256:/hWJGM+7hzDRWPsyCP6/gKqWR99cgMh9/TV5WLTFIrs 
Webadmin certificate fingerprint (SHA-1): 
2048 64:50:e2:01:fb:2a:28:54:1a:3b:30:94:3b:25:b7:ff:97:73:13:70 
Initializing key store. This could take several minutes. 
Performing KMIP setup 
Starting services... 
The Web-based Management Console will now be available at this URL: 
<https://xxx.xxx.xxx.xxx:9443> 
This device has now been configured. 
Press Enter to continue. 

A log-in prompt displays.

To prevent a "man-in-the-middle" attack when connecting to the ESKM, Utimaco recommends that you write down these fingerprints and compare them with what is presented when you connect to the ESKM via SSH or HTTPS.
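The comparison recommended above, as an added example that is not part of the Utimaco documentation: it derives fingerprints in the two formats the console prints (unpadded base64 SHA-256 for SSH host keys, colon-separated SHA-1 hex for the certificate) and checks them against a recorded value. It assumes the console uses the standard OpenSSH fingerprint format and that the presented host key arrives as an ssh-keyscan style line; the key bytes and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

def ssh_fingerprint(blob):
    """SHA256 fingerprint in OpenSSH form: unpadded base64 of SHA-256(key blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def cert_fingerprint_sha1(der):
    """SHA-1 certificate fingerprint: colon-separated lowercase hex over the DER bytes."""
    return ":".join(f"{b:02x}" for b in hashlib.sha1(der).digest())

def parse_host_key_line(line):
    """Parse 'host keytype base64' (ssh-keyscan output format) into (keytype, blob)."""
    _host, keytype, b64 = line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[:4])      # SSH wire format: length-prefixed type name
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("declared key type does not match blob")
    return keytype, blob

def normalize(recorded):
    """Drop the leading key size ('256 SHA256:...'); fold hex fingerprints to lowercase."""
    value = recorded.split()[-1]
    return value if value.startswith("SHA256:") else value.lower()

def same_fingerprint(recorded, presented):
    return hmac.compare_digest(normalize(recorded).encode(), normalize(presented).encode())

def check_host(recorded, keyscan_line):
    """True only if the presented host key hashes to the recorded fingerprint."""
    _, blob = parse_host_key_line(keyscan_line)
    return same_fingerprint(recorded, ssh_fingerprint(blob))

def make_line(host, key):
    """Build a constructed ssh-ed25519 host-key line (sample data, not a real ESKM key)."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(key)) + key
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"

# Constructed demo: the value written down at first run versus two later connections.
FIRST_RUN = make_line("eskm.example.com", bytes(range(32)))
RECORDED = "256 " + ssh_fingerprint(parse_host_key_line(FIRST_RUN)[1])
OTHER_KEY = make_line("eskm.example.com", bytes(range(1, 33)))

if __name__ == "__main__":
    print("same key:     ", check_host(RECORDED, FIRST_RUN))
    print("different key:", check_host(RECORDED, OTHER_KEY))
```

A mismatch on any one of the recorded fingerprints means the connection should not be trusted until the difference is explained, for example by a deliberate certificate replacement.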

If necessary, you can install and specify a different server certificate for remote Web Administration. See the sub-section Configuring the web admin server certificate, which is located in section 4 of the Enterprise Secure Key Manager 8.2.0 User Guide.

4. Unplug the null modem cable from the laptop or PC and from the ESKM server. All additional configurations will be done from the ESKM Management Console.