All Cryptographic Security Platform Compliance Manager data are held in an encrypted object store that is shared across all Cryptographic Security Platform Compliance Manager nodes in the cluster.

The object store is ultimately protected (through multiple layers of key wrapping) by an Admin Key that Cryptographic Security Platform Compliance Manager generates and maintains. This key is required if you ever need to restore Cryptographic Security Platform Compliance Manager from a backup or change the hardware configuration of a Cryptographic Security Platform Compliance Manager node. The Admin Key is a 4096-bit RSA asymmetric key pair.

When you install the first Cryptographic Security Platform Compliance Manager node in your system, the system generates an Admin Key as soon as you log into the Cryptographic Security Platform Appliance Management webGUI for the first time. The initial key has a single part and is assigned to the default secroot user account. As you add additional Security Administrator accounts to the system, Cryptographic Security Platform Compliance Manager shifts to an "n of m" Admin Key backup model, where "m" is the number of user accounts with Security Admin privileges and "n" is a user-defined value that states how many key parts must be uploaded before Cryptographic Security Platform Vault considers the Admin Key to be valid.

Procedure 

  1. Log into the Cryptographic Security Platform Compliance Manager webGUI with your standard account credentials.
  2. In the top right, click the Switch to Appliance Management link.
  3. In the top menu bar, click Settings.
  4. In the Account Settings section, click Download Key. The Cryptographic Security Platform Appliance Management webGUI downloads a file called username_ip-addr.key.gen# to your browser's default download location, where username is the name of the currently logged-in account, ip-addr is the IP address of the node you are currently logged into, and # is the generation count. For example, secroot_10.238.66.235.key.gen8.

  5. If you want to remove the Admin Key part from the Cryptographic Security Platform Compliance Manager encrypted object store, click Clear Key. If you later attempt to download the key part after clearing it, you will get an error stating that the key part does not exist. You will need to regenerate the key as described in Generating the Admin Key.
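The downloaded key parts are what a restore depends on, so it is worth verifying a collected set before you need it. The following script is an added example, not part of this documentation or the product: it parses the username_ip-addr.key.gen# filename convention described in step 4 and checks a set of collected part files against an "n of m" threshold. It assumes (the page does not state this) that the n uploaded parts must come from distinct Security Admin accounts and must all belong to the same key generation.

```python
import re
from dataclasses import dataclass

# Filename convention from the procedure: username_ip-addr.key.gen#
# e.g. secroot_10.238.66.235.key.gen8
KEY_PART_RE = re.compile(
    r"^(?P<user>.+)_(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\.key\.gen(?P<gen>\d+)$"
)


@dataclass(frozen=True)
class KeyPart:
    user: str
    ip: str
    generation: int


def parse_key_part_name(name: str) -> KeyPart:
    """Split an Admin Key part filename into account, node IP and generation."""
    m = KEY_PART_RE.match(name)
    if not m:
        raise ValueError(f"not an Admin Key part filename: {name!r}")
    return KeyPart(m["user"], m["ip"], int(m["gen"]))


def check_quorum(filenames, n):
    """Return (ok, reason) for a set of collected key part files.

    Assumptions (not stated by the product documentation): parts only
    count once per account, and parts from different generations cannot
    be combined, since Clear Key followed by regeneration bumps the gen#.
    """
    parts = [parse_key_part_name(f) for f in filenames]
    if not parts:
        return False, "no key parts supplied"
    gens = {p.generation for p in parts}
    if len(gens) != 1:
        return False, f"key parts span generations {sorted(gens)}; all must share one"
    users = {p.user for p in parts}
    if len(users) < len(parts):
        return False, "more than one part from the same account; each account counts once"
    if len(users) < n:
        return False, f"only {len(users)} of the required {n} key parts collected"
    return True, f"{len(users)} distinct parts from generation {gens.pop()} meet n={n}"


if __name__ == "__main__":
    # Constructed sample filenames; secroot is the default account from the text.
    sample = ["secroot_10.238.66.235.key.gen8", "alice_10.238.66.235.key.gen8"]
    print(check_quorum(sample, 2))
```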