Administering the Key Management Server

by Collins Timothy Mutesasira

In my previous article I looked at how to install the Key Management Server; this time I will continue by looking at administering the KM server.

The KM server (Advanced Security) has now been installed and is running.

Start the Exchange Administrator program and highlight the CA object in the local site on the machine on which the KM server is installed. Click File, Properties. The Key Management Server Password dialog box appears. The account that was logged on to Exchange when the KM server was installed is shown in the dialog and cannot be changed; you are then asked for the KM password, which is "password" by default.

Note that the password required here is not the logged-on user's own password; it is a separate KM administrator password set by the KM server at installation, which is "password" by default. Change it at the first opportunity: a Key Management Server that still uses a default that everyone knows provides no security at all. Advanced Security asks for this password every time you move from one tab to another, which, although very secure, gets a bit tedious. After typing it in you can select "Remember this password for up to 5 minutes" at the bottom of the dialog, which saves you re-entering it for a few minutes before it is asked for again. 'This is the part I personally hate, because the KM doesn't give me my due respect as the Key Management Server administrator!'

You can later tell it to forget a previously remembered password. Click OK and the CA Properties dialog box appears with four tabs:

General, Administrators, Passwords and Enrollment.

General tab

Display name: CA

Directory name: CA (nothing much to configure here).

Administrators tab

Add and remove administrators, that is, grant permission to the accounts that should administer the KM server. You can also change the KM password from this screen: the default "password" is the same on every installation and should be replaced before the server is put into use, since otherwise it gives no protection at all.

Passwords tab

If you have created multiple administrators, this is where you tell Exchange how many administrator passwords are required for a particular task. With a threshold greater than one, no single administrator can compromise the Advanced Security of Exchange on his or her own: at least the number of administrators specified here would have to collude.

'This is another annoying thing about the KM, where the honourable administrator's intelligence is doubted :)'

You will need to specify on this page how many administrators will have to "sign" before:

1. Adding or deleting administrators, or editing the multiple-password policies.

2. Recovering a user's security keys (covered later).

3. Revoking a user's security keys (covered later).
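The policy on the Passwords tab is a threshold scheme: a task is authorized only when enough distinct administrators each prove knowledge of their own KM administrator password. The following is an added example, not code from the article or from Exchange, that models that policy in plain Python. The task names, the PBKDF2 password storage and the rule that the first administrator is created without approval (as the installer is) are my assumptions; the KM server's real storage is not documented on this page.

```python
import hashlib
import hmac
import os

# Added example (not from the original article): a model of the
# multiple-administrator password policy set on the Passwords tab.
# Each protected task carries a threshold and is authorized only when
# that many *distinct* administrators each supply their own KM
# administrator password. Task names and the PBKDF2 storage are
# assumptions for illustration.

DEFAULT_KM_PASSWORD = "password"     # factory default the article says to change
PBKDF2_ITERATIONS = 50_000


class KMAdministrators:
    # the three tasks the Passwords tab lets you protect with a threshold
    TASKS = ("manage_admins", "recover_key", "revoke_key")

    def __init__(self, thresholds):
        if set(thresholds) != set(self.TASKS):
            raise ValueError("a threshold is needed for every task")
        self._thresholds = dict(thresholds)
        self._admins = {}                # name -> (salt, pbkdf2 hash)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                   PBKDF2_ITERATIONS)

    def _authenticate(self, name, password):
        record = self._admins.get(name)
        if record is None:
            return False
        salt, expected = record
        # constant-time comparison so a wrong guess leaks nothing by timing
        return hmac.compare_digest(self._hash(password, salt), expected)

    def authorize(self, task, credentials):
        """credentials is a list of (administrator, password) pairs.
        Returns True only if at least thresholds[task] distinct
        administrators authenticate; the same administrator entering a
        password twice counts once."""
        needed = self._thresholds[task]
        if needed < 1 or needed > len(self._admins):
            raise ValueError("threshold must be between 1 and the number "
                             "of administrators")
        approved = {name for name, pw in credentials
                    if self._authenticate(name, pw)}
        return len(approved) >= needed

    def add_administrator(self, name, password, approvals=()):
        """Adding an administrator is itself a protected task, except for
        the very first one, who is created at installation time."""
        if password == DEFAULT_KM_PASSWORD:
            raise ValueError("refusing to keep the default KM password")
        if self._admins and not self.authorize("manage_admins", approvals):
            raise PermissionError("not enough administrator passwords")
        salt = os.urandom(16)
        self._admins[name] = (salt, self._hash(password, salt))

    def set_threshold(self, task, needed, approvals):
        """Editing the policy is protected by the manage_admins threshold."""
        if not self.authorize("manage_admins", approvals):
            raise PermissionError("not enough administrator passwords")
        if needed < 1 or needed > len(self._admins):
            raise ValueError("threshold must be between 1 and the number "
                             "of administrators")
        self._thresholds[task] = needed


def demo():
    """Constructed walk-through: two administrators, key recovery needs both."""
    km = KMAdministrators({"manage_admins": 1, "recover_key": 2, "revoke_key": 2})
    km.add_administrator("alice", "correct-horse-battery")           # installer
    km.add_administrator("bob", "staple-9-ocean",
                         approvals=[("alice", "correct-horse-battery")])
    alice = ("alice", "correct-horse-battery")
    bob = ("bob", "staple-9-ocean")
    # from now on, changing administrators or the policy also needs both
    km.set_threshold("manage_admins", 2, approvals=[alice, bob])
    return {
        "one_admin_alone": km.authorize("recover_key", [alice]),
        "same_admin_twice": km.authorize("recover_key", [alice, alice]),
        "wrong_second_password": km.authorize("recover_key",
                                              [alice, ("bob", "guess")]),
        "two_distinct_admins": km.authorize("recover_key", [alice, bob]),
    }
```

The two checks worth copying are the de-duplication by administrator name (a single administrator typing the same password twice must not satisfy a threshold of two) and the refusal to set a threshold higher than the number of administrators, which would otherwise lock every protected task.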

Enrollment tab

You can edit the welcome message from here and specify which users, or which group of users, will be security-enabled. The next step is to enable Advanced Security on the individual mailboxes concerned. Note that a new tab called Security appears on the properties of every mailbox in the site once the KM server is installed.

All other sites must wait until a replica of the CA object from the first site appears in their Administrator program. They can then opt into the newly configured security system by configuring their Site Encryption object and selecting the site of the first KM server.

Mailbox Properties

Each user that is configured for Advanced Security has a temporary security key (the enrollment token) displayed on the administrator's screen. Remember that when configuring the CA object you could have chosen to mail this token to the individual instead.

Setting up clients and configuring remote sites

As pointed out earlier, the Key Management Server is installed on only one server in your organization. All other servers in the same site can use the Advanced Security features as soon as the directory has replicated.

The administrator must manually configure remote sites to use the newly configured KM server. Before this can happen, the directory must replicate so that the remote sites can see the new CA object in their replica of the original site's configuration container.

In the Administrator program, connect to a server in the remote site and look in its replica of the KM server site's configuration container for the CA object. This can take some time, depending on how the directory replication connectors are configured. You cannot configure a CA object that has not yet replicated; once it appears, you know the directory has replicated successfully.

Now that the object has appeared, we need to tell the remote site to make use of the CA. In earlier versions of Exchange the setup program had to be run again in these sites to install the relevant schema objects; that is no longer the case with Exchange 5.5. Select the Site Encryption Configuration object in the remote site and double-click it to open the Site Encryption properties page.

In the Site Encryption Configuration dialog box, select 'Choose Site' to specify the location of the primary KM server. Once this is done the remote site can use Advanced Security. Each mailbox object gains the Security tab described previously, and each user configured for Advanced Security has a temporary security key displayed on the administrator's screen (or mailed to the user, if you chose that option when configuring the CA object).

The configuration of Advanced Security is now complete. What remains is for the clients to request their keys from the Key Management Server and store the private keys securely on their own machines. Remember that the public key is used to encrypt (seal) a message to a user and to verify that user's signature, while the private key is used to decrypt and to sign. We will now configure Advanced Security from the Outlook clients.

On the Outlook client, select Tools, Options, the Security tab, and click Get a Digital ID... at the bottom of the dialog box. Choose the second option, to set up security on the Exchange Server. The client is then asked to type his or her security token into the 'Setup Advanced Security' dialog box; remember that this token was either mailed automatically to the user's mailbox or passed on securely by the administrator.

The token must be entered correctly, but after that it can be forgotten. It is simply a way of ensuring that the person making the request is the person the key was generated for, and that the private key is sent securely from the KM server to that client. Click OK. The client is told that the request has been forwarded to the Key Management Server and then waits for the reply from the KM server.

After a few seconds a strange-looking message with a padlock icon appears in the client's Inbox. Note that the preview pane cannot show its content, and opening it brings up an even more unusual dialog.

This screen is for choosing how to save the private signing key and the private sealing key for this client. It makes sense to choose a security level of High: click 'Set Security Level...' and select it. With High security the user must enter a password every time the private keys are retrieved from their storage on the hard disk.

The password the user chooses is used only to unlock the private keys that the KM server sent. If the user forgets the password, the KM server can be told to recover the private keys: nobody may ever know what password the user was using, but because the KM server retains a copy of the user's keys, the user can go through the same process again, choose a new password and lock exactly the same private keys as before, then continue using Advanced Security with the ability to read old messages. The flip side is that the KM server's key archive can unseal every encrypted message of every enabled user, which is why key recovery should be one of the tasks protected by a multiple-administrator threshold on the Passwords tab.
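The enrollment and recovery flow described above (one-time token, private keys wrapped under a user-chosen password, recovery re-issuing the same keys) is shown below as an added example in plain Python. It is not code from the article, Outlook or the KM server. Assumptions: a 32-byte random blob stands in for the user's private signing and sealing keys, the token is an 8-byte hex string, and the password protection is a toy construction (PBKDF2-derived key, HMAC keystream, HMAC tag) rather than Outlook's real protected store.

```python
import hashlib
import hmac
import os
import secrets

# Added example (not part of the original article): a stripped-down model
# of the enrollment, key-storage and key-recovery flow, standard library
# only. Assumptions: a 32-byte random blob stands in for the user's private
# signing and sealing keys, the enrollment token is an 8-byte hex string,
# and the password wrapping is a toy construction (PBKDF2 -> HMAC keystream
# + HMAC tag); the real KM server database and Outlook's protected store
# are not modelled.

PBKDF2_ITERATIONS = 100_000
KEY_MATERIAL_LEN = 32


class KMServer:
    """Holds the escrow copy of each user's private keys plus the one-time
    token that authorizes their first delivery to the client."""

    def __init__(self):
        self._escrow = {}     # mailbox -> private key material (bytes)
        self._tokens = {}     # mailbox -> unused enrollment token (str)

    def enable_security(self, mailbox):
        """Security-enable a mailbox: generate keys, keep a copy, issue the
        temporary security token shown on the administrator's screen."""
        self._escrow[mailbox] = secrets.token_bytes(KEY_MATERIAL_LEN)
        token = secrets.token_hex(8)
        self._tokens[mailbox] = token
        return token

    def request_keys(self, mailbox, token):
        """Client enrollment. The token proves the requester is the person
        the keys were generated for; it is single-use and compared in
        constant time."""
        expected = self._tokens.get(mailbox)
        if expected is None or not hmac.compare_digest(expected, token):
            raise PermissionError("invalid or already-used enrollment token")
        del self._tokens[mailbox]          # cannot be replayed
        return self._escrow[mailbox]

    def recover_keys(self, mailbox):
        """Recovery re-issues the *same* escrowed keys, so old messages stay
        readable. In the real KM server this step is gated by the number of
        administrator passwords set on the Passwords tab (not modelled)."""
        return self._escrow[mailbox]


class ClientKeyStore:
    """Client-side storage: the private keys are kept wrapped under a key
    derived from the password the user chose for the High security level."""

    def __init__(self, key_material, password):
        if len(key_material) != KEY_MATERIAL_LEN:
            raise ValueError("unexpected key material length")
        self._salt = os.urandom(16)
        enc_key, mac_key = self._derive(password)
        self._blob = self._xor_stream(key_material, enc_key)
        self._tag = hmac.new(mac_key, self._salt + self._blob, "sha256").digest()

    def _derive(self, password):
        k = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt,
                                PBKDF2_ITERATIONS, dklen=64)
        return k[:32], k[32:]              # separate encryption and MAC keys

    @staticmethod
    def _xor_stream(data, enc_key):
        # toy cipher: one 32-byte HMAC output as keystream (data is 32 bytes)
        stream = hmac.new(enc_key, b"km-keystore", "sha256").digest()
        return bytes(a ^ b for a, b in zip(data, stream))

    def unlock(self, password):
        """Return the private keys, or None if the password is wrong. The tag
        is checked first so a bad password never yields garbage key bytes."""
        enc_key, mac_key = self._derive(password)
        tag = hmac.new(mac_key, self._salt + self._blob, "sha256").digest()
        if not hmac.compare_digest(tag, self._tag):
            return None
        return self._xor_stream(self._blob, enc_key)


def demo():
    """Constructed walk-through: enroll, forget the password, recover."""
    km = KMServer()
    token = km.enable_security("alice")              # admin passes this to Alice
    keys = km.request_keys("alice", token)           # Outlook: Get a Digital ID...
    store = ClientKeyStore(keys, "first-passphrase")
    try:
        km.request_keys("alice", token)              # replay attempt
        token_reusable = True
    except PermissionError:
        token_reusable = False
    # Alice forgets her password: the administrators recover the same keys
    # and she locks them again under a new password.
    new_store = ClientKeyStore(km.recover_keys("alice"), "second-passphrase")
    return {
        "right_password_unlocks": store.unlock("first-passphrase") == keys,
        "wrong_password_refused": store.unlock("guess") is None,
        "token_reusable": token_reusable,
        "recovered_keys_identical": new_store.unlock("second-passphrase") == keys,
    }
```

Two details carry the security argument: the token is deleted on first use, so an attacker who later reads it from the user's Inbox cannot pull the keys a second time; and the client store verifies the MAC before decrypting, so a wrong password is refused outright rather than producing key bytes that merely fail later.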

At this stage the client has been set up for Advanced Security and is ready to use it.

To send an encrypted message, the recipient's mailbox must also be configured for Advanced Security. On the message, open the Options tab and select Encrypt. This encrypts the message with the recipient's public key, so only the recipient can decrypt it with the corresponding private key. If the recipient chose High security in Outlook, he or she will have to enter a password to unlock the private sealing key before the message can be decrypted. The client side of Advanced Security is so smooth that the user does not need a full understanding of it to use it.

Advanced Security has now been installed, configured and made fully operational. Next I will look at the ongoing security issues in an Exchange organization: revoking a key, recovering a lost key, and so on.

 

 



© Copyright Pro Exchange, Inc., 2006