FAOPGP Central Administrator
Central Administrator provides corporations with essential management tools for deploying FileAssurity OpenPGP across the enterprise to large numbers of users.
Centrally deploy and control users' keystores. Define policy rules, key recovery and information recovery, remotely set users' passwords and implement simple user revocation.
KEYSTORE GENERATION Central Administrator lets you generate your own master CA key, or you can import one from a suitable Certificate Authority (VeriSign, GeoTrust, etc.) or an OpenPGP-compliant product. The CA key is used to digitally sign the user keys you issue in your own system. Keystores may be generated manually by the administrator or in batch mode, reading commands from a .csv format file. In manual mode the administrator may set policies for individual keys, whilst in batch mode the same policy applies to the whole batch of keys.
CENTRAL ISSUE & RE-ISSUE OF KEYSTORES Once generated, keystores are saved to a central database and can be issued centrally on a network drive or accessed through your Intranet. Keystores can be re-issued to change policy settings, validity dates, etc. This is also handy should you want to bulk add new public keys or trusted authorities to all user keystores. Manual and batch modes are supported.
POLICY RULES Central Administrator's policy rules ensure full manageability of user keystores. You can define the following user rights and authorities:
import, export, generate, delete keys
change their keystore password
encrypt files
digitally sign files
A template is provided in which you configure default settings for the master keystore (policy rules, key recovery options, etc.), from which all user keystores are generated. Keystore passwords can be generated automatically at the administrator's request or taken from a supplied list.
KEY RECOVERY Central Administrator provides a number of recovery mechanisms for both users and administrators:
key (information) recovery
initial keystore password recovery
administrator password recovery
If you have generated an information recovery key, it is automatically added to user keystores and cannot be deleted. Recovery keys can also be hidden from users so that they do not even know they exist. For security, a two-tier recovery system is used in which separate administrators are required to authorize information recovery.
USER REVOCATION User keystores can be verified at administrator-specified intervals. If the user's client does not connect to the central database to verify the keystore (this happens automatically), the client refuses to operate. This provides a simple method of user revocation without needing to implement LDAP, OCSP or similar technical mechanisms. User keystores can be temporarily removed and restored by the administrator without difficulty or any operational inconvenience.
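The check-in style revocation described above, as an added illustration that is not code from the product: a keystore carries an administrator-set verification interval, the client re-verifies against the central database, and it fails closed when the keystore has been suspended or removed, or when the interval lapses without a successful check-in. The status values, the in-memory database stand-in and the sample users are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed status values; the product's real database schema is not documented here.
ACTIVE, SUSPENDED, REMOVED = "active", "suspended", "removed"
DAY = timedelta(days=1)
EPOCH = datetime(2024, 1, 1)          # constructed reference time for the scenario


@dataclass
class Keystore:
    user: str
    verify_interval: timedelta        # set by the administrator when the keystore is issued
    last_verified: datetime           # last successful check-in with the central database


class CentralDatabase:
    """Stand-in for the SQL database of issued keystores (constructed)."""

    def __init__(self, status: dict):
        self.status = dict(status)    # user -> ACTIVE / SUSPENDED
        self.online = True            # flip to False to simulate an unreachable database

    def lookup(self, user: str) -> str:
        if not self.online:
            raise ConnectionError("central database unreachable")
        return self.status.get(user, REMOVED)   # unknown user == keystore removed


def client_may_operate(ks: Keystore, db: CentralDatabase, now: datetime) -> bool:
    """Decide whether the client should run for this keystore.

    A successful verification resets the interval clock. If the database
    cannot be reached, the last verification still counts until the
    interval lapses; after that the client refuses (fail closed). A
    suspended or removed keystore refuses immediately.
    """
    try:
        status = db.lookup(ks.user)
    except ConnectionError:
        return now - ks.last_verified <= ks.verify_interval
    if status != ACTIVE:
        return False
    ks.last_verified = now
    return True
```

Temporarily removing a user is a one-row status change in the database; restoring the row lets the same keystore operate again on its next check-in.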
CENTRAL DATABASE Central Administrator stores user keystores and other user-specific information (user name, email address, public key/certificate) in an SQL database. Any SQL-compliant database is supported, including MySQL. This database may be used to locate and make available other users' public keys, and it allows keystores to be recovered.