9700 key manager application manual
8/3/2019 9700 Key Manager Application Manual
MD0006-050 February 3, 2010
MICROS 9700 Encryption Key Management Utility
General Information
About this Document
This document is intended as a quick reference guide to provide information
concerning the MICROS 9700 Encryption Key Management Utility. This
document relates specifically to MICROS 9700 Version 3.60 Hospitality
Management System software.
About the 9700 Encryption Key Management Utility
The purpose of the 9700 Encryption Key Management Utility is to allow the
user to set the encryption passphrase for the 9700 System. In accordance with
the PCI Data Security Standard, MICROS Systems, Inc. mandates each site
protect encryption keys against both disclosure and misuse.
Secure Key Practices
To ensure secure distribution, MICROS Systems, Inc. mandates that users
divide knowledge of a specific encryption key among two or three people. Users
should establish dual control of keys so that it requires two to three people, each
knowing only his or her part of the key, to reconstruct the entire key.
A site's management procedures must require the prevention of unauthorized
substitution of keys. 9700 HMS prevents the unauthorized substitution of keys
by employing security measures in the Key Management Utility; for example,
an unencrypted key will not be accepted by the utility. Furthermore, a site's
management procedures must require the replacement of known or suspected
compromised keys.
The site also must require each key custodian to sign a form stating that he or
she understands and accepts his or her key-custodian responsibilities.
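One way to implement the split knowledge described above, shown as an added example that is not part of the MICROS manual or the 9700 software: the passphrase is XOR-split so that all two or three custodians must contribute their share to rebuild it. The function names, the hex share format and the ASCII-only restriction are assumptions of this example.

```python
import secrets

MAX_LEN = 24  # passphrase length limit given in this manual


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_passphrase(passphrase: str, custodians: int) -> list:
    """Return one hex share per custodian; every share is needed to rebuild."""
    if custodians not in (2, 3):
        raise ValueError("the manual calls for two or three custodians")
    # ASCII-only input is an assumption of this example, not a product rule.
    if not (1 <= len(passphrase) <= MAX_LEN and passphrase.isascii()):
        raise ValueError("passphrase must be 1 to 24 ASCII characters")
    raw = passphrase.encode("ascii")
    # Length byte + passphrase + random padding: every share has the same
    # size, so a share does not reveal how long the passphrase is.
    block = bytes([len(raw)]) + raw + secrets.token_bytes(MAX_LEN - len(raw))
    shares = [secrets.token_bytes(len(block)) for _ in range(custodians - 1)]
    last = block
    for share in shares:
        last = _xor(last, share)  # final share cancels the random ones
    return [s.hex() for s in shares + [last]]


def combine_shares(hex_shares: list) -> str:
    """XOR all shares together; raises ValueError if the result is invalid."""
    blocks = [bytes.fromhex(s) for s in hex_shares]
    if any(len(b) != MAX_LEN + 1 for b in blocks):
        raise ValueError("malformed share")
    acc = bytes(MAX_LEN + 1)
    for b in blocks:
        acc = _xor(acc, b)
    length = acc[0]
    if not 1 <= length <= MAX_LEN:
        raise ValueError("a share is missing or wrong")
    return acc[1:1 + length].decode("ascii")


if __name__ == "__main__":
    parts = split_passphrase("Constructed-Sample-1", 3)  # constructed value
    print(combine_shares(parts))
```

Any subset of the shares combines to random bytes, so a single custodian's share carries no information about the passphrase.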
Key Management Utility Security Enhancements
Previously, the 9700 3.x system stored the encryption keys used to encrypt and
decrypt secure data, such as credit card numbers, in the database.
Now, due to a new Payment Card Industry Data Security Standard (PCI DSS) requirement that mandates the secure deletion of unused encryption keys, 9700
version 3.60 and greater uses a new encryption scheme that avoids using
secondary encryption keys.
The New Encryption Scheme
The key rotation itself will always require the 9700 system to be brought
to a down state for a very short period of time, and the 9700 system must remain
down while the Key Management Utility tool is used to run the initial key
rotation.
After the initial key rotation, the subsequent process of database re-encryption
runs in the background, so it does not necessarily require the system to be down
while re-encryption is running.
The secure deletion of the old encrypted passphrase file is accomplished using
the secure delete application SDelete. For more information on SDelete, see
page 6.
Operations Considerations
9700 3.60 Fresh Installation
The following should be noted when conducting a fresh 9700 3.60 installation:
The 9700 3.60 installation process prompts for and requires SDelete
installation before successful completion. For more information on SDelete,
see page 6.
After the fresh install completes, the 3.60 install shield will remind the user
to run the initial key rotation after rebooting the server. If the user forgets to
run the initial key rotation, the 9700 system will refuse to be brought up to
levels equivalent to dbs up or higher and the following message displays.
To ensure PCI compliance, MICROS Systems Inc. mandates that the site
run the initial key rotation after the installation is complete.
Warning: After a key rotation (the initial key rotation and all subsequent rotations) is performed by the Key Management Utility, the database and 9700 application become synchronized with new encryption key data.
For this reason, users should not swap databases (restoring/replacing the existing database with a different one) until they are absolutely sure that the new database is also in sync with the 9700 application.
Generally speaking, there is no way to determine whether an offline database that is about to be restored by the user is in sync with the 9700 application.
Therefore, usually the only safe scenario to restore/replace a database is to restore/replace the database with a good database backup that must have been taken prior to performing the new key rotation. The database can only be restored/replaced if no key rotation has occurred since uploading the existing database or since the backup database was taken.
The 9700 system must remain down while the Key Management Utility
tool is used to run the initial key rotation.
If the 9700 system has a backup application server, the user will need to run
the Key Manager Utility with the same pass phrase on the backup server
after the initial key rotation is completed on the primary server. Note that
this is the same case for all existing 3.10 sites as well (if a key rotation occurs
on one server, the same rotation must occur on the backup server in order to
sync the new pass phrases).
After initial key rotation is complete, the 9700 system can be brought up to
operation level. All new secure details will be encrypted using the new key.
Upgrading from 9700 v. 3.10 to 9700 v. 3.60
The following should be noted when upgrading a 9700 v. 3.10 system to 9700 v.
3.60:
SDelete must be installed before running the Key Management Utility. For
more information on SDelete, please see page 6.
To ensure PCI compliance, MICROS Systems Inc. mandates that the site
run the initial key rotation after the upgrade is complete.
If the 9700 system has a backup application server, the user will need to run
the Key Manager Utility with the same pass phrase on the backup server
after the initial key rotation is completed on the primary server (if a key
rotation occurs on one server, the same rotation must occur on the backup server
in order to sync the new pass phrases).
The database re-encryption will run after the initial key rotation.
After initial key rotation is complete, the 9700 system can be brought up to
operation level. All new secure details will be encrypted using the master
key.
Periodic Key Rotation
In order to achieve maximum security, MICROS Systems, Inc. mandates the
system administrator regularly rotate the site's encryption keys.
When periodic key rotation occurs, database re-encryption will not require the
9700 system to be down. The key rotation itself will still require the 9700
system to be in down mode; however, the rotation (without database
re-encryption) should take only a short period of time.
Encryption key rotations are necessary and must occur periodically, at least
annually. For more information on how to rotate keys, please see the 9700
HMS Version 3.60 and the Key Management Utility section on page 6.
9700 HMS Version 3.60 and the Key Management Utility
Operating Conditions
The following conditions must be true for the KeyManager program to run:
The 9700 system is in a down state. When the initial key encryption
process occurs, the 9700 system must remain in the down state.
For any subsequent key rotations after the initial key rotation, the 9700
system must be in a down state but can be brought up to operational mode
once the re-encryption process has started. If a passphrase change is
attempted while 9700 is not in a down state, the following error will
display:
It must be running locally on a 9700 system; it cannot be run remotely.
The EMC web service must be up and running (IIS installed and running).
The Database must be accessible.
SDelete must be downloaded and installed in the following location: C:\SDelete.
SDelete is a command line utility that is used to securely
delete one or more files and/or directories or to cleanse the free space on a
logical disk. For more information on SDelete and to download SDelete, see
the SDelete v1.51 page on the Microsoft TechNet website
http://www.microsoft.com/technet/sysinternals/Security/SDelete.mspx.
Initial Key Rotation Considerations
The Key Manager Utility automatically detects when the initial key rotation
occurs and prompts the user with a dialog noting that the system must remain in a
down state during the initial key rotation. The dialog will say the following:
The software has detected this is the first key rotation after 3.x installation and
will now perform database re-encryption. The process may take considerable
amount of time to complete, and the system needs to remain in down state
during the process. Please be patient and DO NOT interrupt the re-encryption
process! Failure to do so may cause unrecoverable loss of encrypted data!
After initial key rotation is complete, the 9700 system can be brought up to
operation level.
Subsequent Key Rotation Considerations
The Key Management Utility will always require the 9700 system to initially be
in a down state. Once the re-encryption process starts, the 9700 system can be
brought back to the operations mode.
Note: The 9700 3.60 installation process prompts for and requires SDelete installation before successful completion.
If the site is using a 9700 system below version 3.10 SP6, follow the link above to download and install SDelete.
Please ensure that SDelete is installed on the same drive as the operating system in a folder named SDelete before using the Key Manager Utility, as the utility will not run successfully without it. If SDelete is not installed and the Key Manager Utility tries to update the passphrase, the following error message will display:
Login Conditions
Only two types of users can log into the KeyManager program:
MICROS super-users.
Employees with access level of 0 who also need system administrator
privileges for the server to run the Key Manager application.
Display Screen
There is only one window in the Key Manager program, seen below:
The areas of the window are:
A: The top line displays the current PC Number (useful to determine if you
are running on PC1 or PC2).
B: Update Passphrase entry area.
C: Encryption Key Status.
Changing the Passphrase
Changing the passphrase has these restrictions:
The passphrase must be 1 to 24 characters long.
The passphrase and confirm passphrases must match.
The system must be in the down state (database must be brought down
from a Cygwin command line with the micros stop y command).
The database must be accessible.
SDelete must be downloaded and installed in the same drive as the
operating system in a folder named SDelete. For more information on
SDelete and to download SDelete, see the SDelete v1.51 page on the
Microsoft TechNet website
http://www.microsoft.com/technet/sysinternals/Security/SDelete.mspx.
To change the passphrase, follow the directions below.
1. Bring the 9700 system to a down state by entering the command micros stop y in the Cygwin command line.
Warning: If the passphrase is lost, the encrypted data in the database is unrecoverable. There are no backdoors!
2. Navigate to the 9700/bin directory on the 9700 Server and double-click the KeyManager.exe file. The KeyManager Login Screen opens, seen below.
Enter a valid ID and Password, then click OK.
3. Enter the new passphrase and confirm the passphrase in the Update Passphrase section, circled below.
4. Click Update. The following warning displays.
5. Click Yes to continue only if the site's credit card records have been
batched and settled. Click No if the site's credit card records have not
been batched and settled; do not proceed with the key rotation until the
credit card records have been batched and settled and the database is backed
up.
The Key Management Utility will recognize if the initial key rotation has
occurred. If the initial key rotation has occurred, the utility displays a
dialog, seen below, informing the user that the 9700 system can be brought
to an operation state while the database re-encryption process occurs.
6. The re-encryption begins and a status bar displays, as seen below. The
percentage of records being re-encrypted displays in the corner of the status
bar, circled below. Click OK when all records have been successfully
re-encrypted.
7. Once the passphrase has successfully changed, the following window displays. Click OK.
If the Key Management Utility is run after a fresh 9700 installation, the
following message displays instead of the message seen above. No keys are
present in the database, so the passphrase is stored for future use. Click
OK.
8. When the passphrase change/key rotation successfully completes, the following prompt displays. To exit the application, click Yes.
Signature Confirmation
The passphrase is stored on the 9700 PC. The encryption keys are stored in the
database. In order to determine if the passphrase matches the encryption keys,
a passphrase signature field exists in the database. The signature is a one-way
hash of the passphrase.
This signature field is what KeyManager uses to determine if the passphrase can
be set on the 9700 PC.
The 9700 processes use the signature to determine if the security configuration
is in sync and valid. A PC/database could be out of sync if a 9700 system were
to point to a database using a different passphrase in a support situation, for
example.
Key Management Utility Messages
Passphrase same as old passphrase
This message displays when the new passphrase entered is the same as the old
passphrase. Click OK and re-enter a new passphrase.
New passphrase now in sync with database.
A valid passphrase/database combination exists, and a new passphrase is to be
stored. The message will display when the same passphrase is entered when
running the Key Management Utility on the backup application server as was
entered when running the utility on the primary application server. For more
information, see page 4.
Passphrase stored. (Database signature was not preset)
This message displays when the Key Management Utility is run after a fresh
9700 installation. No keys are present in the database, so the passphrase is
stored for future use.
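A model of the signature comparison described under Signature Confirmation and of when each of the three messages above applies, given as an added example that is not MICROS code. The manual does not name the hash, so salted PBKDF2-HMAC-SHA256, the iteration count, the ROTATE label and all function names are assumptions of this example.

```python
import hashlib
import hmac

ITERATIONS = 200_000  # assumed work factor for this example
ROTATE = "ROTATE"     # hypothetical label: proceed to key rotation


def signature(passphrase: str, salt: bytes) -> bytes:
    """One-way passphrase signature (PBKDF2 is this example's choice)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, ITERATIONS)


def in_sync(local_passphrase: str, salt: bytes, db_sig: bytes) -> bool:
    """True when the passphrase held on the PC matches the database."""
    return hmac.compare_digest(signature(local_passphrase, salt), db_sig)


def classify_update(new, confirm, local_old, salt, db_sig):
    """Return the manual's message text, or ROTATE when a rotation is due."""
    if new != confirm:
        raise ValueError("passphrase and confirm passphrase must match")
    if not 1 <= len(new) <= 24:
        raise ValueError("passphrase must be 1 to 24 characters long")
    if local_old is not None and hmac.compare_digest(
            new.encode("utf-8"), local_old.encode("utf-8")):
        return "Passphrase same as old passphrase"
    if db_sig is None:  # fresh installation: nothing to compare against
        return "Passphrase stored. (Database signature was not preset)"
    if in_sync(new, salt, db_sig):  # e.g. backup server after primary rotated
        return "New passphrase now in sync with database."
    return ROTATE


if __name__ == "__main__":
    salt = bytes(16)  # constructed sample salt
    db_sig = signature("constructed-new", salt)  # primary already rotated
    print(classify_update("constructed-new", "constructed-new",
                          "constructed-old", salt, db_sig))
```

The same in_sync check is what a restore procedure can run against a candidate database before the system is brought up, since a mismatch means the stored passphrase cannot decrypt that database's keys.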