For the latest version, please use Key Management System 3.12.0!

Business Processes

This chapter describes the processes and tasks performed by the KMS-Admin via the KMS-Admin.

The KMS-Admin provides methods for the following tasks:

Manage or add KMS-Admin users
Manage the own KMS-Admin account
Manage or add KMS-Tenants
Manage or add HSM devices
Manage or add Tenant-HSM-Profiles
Manage KMS licenses

The necessary identification and authentication against the KMS-Admin application is outlined in the following process steps:

Table 1. Process steps: Log in to KMS-Admin

Process steps

Call the URL of the KMS-Admin application with the browser, e.g.

<ipaddress>:<port>/kms/auth/login

and log in with username and password provided by the KMS-Admin (e.g. in a sealed envelope or in an encrypted e-mail) (see chapter P-KMS-ADM-01 – KMS-Admin account (create, modify, delete)):

When logging in for the first time, the user is automatically prompted to change his initial password:

The administrator should make sure that the dialog is really displayed at his first login. Otherwise, the used password is not an initial password. There is also the risk that another person may know the password for this account.

After a successful login, the start page is displayed. If there are any open proposals, they will be listed.

The workspace is shown in the image below. The page is divided into different areas, which are highlighted in color. The partitioning is typical for most pages of the KMS-Admin.

From any page (see step 03), the desired functionality can be selected at any time. The following steps must be performed:

Select the appropriate menu item in the navigation menu;
Select the appropriate submenu item in the drop-down menu (see image below).

The functions offered in the sidebar depend on the selected submenu item. A functionality can also be selected via the sidebar.

P-KMS-ADM-01 – KMS-Admin account (create, modify, delete)

Table 2. Profile: KMS-Admin account (create, modify, delete)
Profile
Designation	P-KMS-ADM-01 – KMS-Admin account (create, modify, delete)
Purpose	Only KMS-Admins may use the KMS-ADMIN, which provides methods to manage KMS-Admins accounts, KMS-Tenants, HSM devices and HSM-Profiles. The description of the management of KMS-Admin accounts is the subject of P-KMS-ADM-01. This includes in particular the management of the own account as well as the creation of further KMS-Admin accounts.
Responsibility	KMS-Admin
Working tool(s)	Browser, KMS web application for KMS-Admin (KMS-Admin)
Precondition/ input	The KMS platform is up and running. The KMS-Admin is logged into KMS-Admin.
Postcondition/ output	A new KMS-Admin user was created, or an existing KMS-Admin user has been modified, or an existing KMS-Admin user has been deleted, or the own Admin password has been changed.
Remarks	In order to support the principle of dual control, it must be possible for orders to be entered by one KMS-Administrator and released by another KMS-Administrator (see chapter [managing-dual-control-orders]). Therefore, at least two administrator users should be predefined during installation (with default UserID/Password). These must be replaced by the actual administrator users during commissioning. When deleting a KMS-Admin, at least two (active) administrator users must remain. After creating a new KMS-Admin, the initial password should be sent securely to the responsible person (e.g., via e-mail). The current administrator should not be able to use and reset this initial password without the new administrator noticing (e.g., to avoid abusing the new account by the approving KMS-Admin). Therefore, when logging in for the first time with a newly created KMS-Admin account, the administrator is prompted to change his initial password. Creating a new administrator account as well as deleting an administrator account are treated as dual-control orders. This means that the order remains in an open state until a second administrator finally unlocks the order (see chapter P-KMS-ADM-05 – “Dual control” orders (vote, retract, reject)).

Table 3. Process steps: KMS-Admin account (Create, Modify, Delete)

Process steps

Display the list of KMS-Admins:

In the navigation menu, select the menu item "System" → “Administrators” (or "Overview" → "System" → “Administrator” in the sidebar).

Create KMS-Admin account – Step 1: Create creation request (proposal):

Click on "Create" in the list of KMS-Admins (see step 01);
Enter values for "Username", "Email";
Click on "Propose an administrator".

If the process was successful, an open order (proposal) has been created waiting to be accepted by a second administrator (see step 03 or chapter P-KMS-ADM-05 – “Dual control” orders (vote, retract, reject)).

The first vote is automatically given when the proposal is entered.

Create KMS-Admin account – Step 2: Vote for creation request (proposal):

Log into the KMS-Admin as second administrator;
Select the proposal for creation via menu item "System" → "Available proposals" in the navigation menu and give the second vote. The process is described in detail in chapter P-KMS-ADM-05 – “Dual control” orders (vote, retract, reject).

A missing vote can be submitted any time via the voting system (see chapter P-KMS-ADM-05 – “Dual control” orders (vote, retract, reject)).

Modify KMS-Admin account:

In the list of KMS-Admins (see step 01), click on "Edit" for the KMS-Admin that should be modified;
Edit "E-Mail" or activate/deactivate the KMS-Administrator by checking/unchecking the “Status”-Checkbox.

For the own KMS-Admin (actually logged in KMS-Admin), no status change is possible.

Click on “Save”, to save the changes.

Delete KMS-Admin account – Step 1: Create deletion request (proposal):

In the list of KMS-Admins (see step 01), click on "Edit" for the KMS-Admin that should be deleted;
If the status of the selected KMS-Admin is active, the KMS-Admin must first be deactivated (see step 4).
If the KMS-Admin is deactivated, the “Delete” button is active. Continue the process by clicking on the “Delete” button.
An intermediate page informs the administrator, that the operation is a “dual control” order. Click on “Send request” and confirm the action.

If the process was successful, an open order (proposal) has been created waiting to be accepted by a second administrator (see step 06 or chapter P-KMS-ADM-05 – “Dual control” orders (vote, retract, reject)).

When deleting a KMS-Admin user, at least two (active) KMS-Admin users must remain.

Delete KMS-Admin account – Step 2: Confirm deletion request by a second administrator:

Log into the KMS-Admin as second administrator;
Select the proposal for deletion via menu item "System" → "Available proposals" in the navigation menu and give the second vote. The process is described in detail in chapter P-KMS-ADM-05 – “Dual control” orders (vote, retract, reject).

A missing vote can be submitted at any time via the voting system (see chapter P-KMS-ADM-05 – “Dual control” orders (vote, retract, reject)).

Change own password:

In the navigation menu, select menu item "Account" → “Change Passwort”;
Enter the new password and repeat the choice;
Click on “Submit” and the password is changed.

P-KMS-ADM-02 – KMS-Tenant (create, modify, delete, assign KMS resources)

Table 4. Profile: KMS-Tenant (create, modify, delete, assign KMS resources)
Profile
Designation	P-KMS-ADM-02 – KMS-Tenant (create, modify, delete, assign KMS resources).
Purpose	The tenant is a logical entity in the KMS platform separating the managed key material in own key domains. The administration of tenants, e.g., creating, changing and deleting tenants and assigning and withdrawing of the tenant’s KMS resources (e.g. KMS-Tenant-Users, Tenant-HSM-Profile, HSMs) is the task of the KMS-Admin. The description of the management of KMS-Tenants is the subject of P-KMS-ADM-02.
Responsibility	KMS-Admin
Working tool(s)	Browser, KMS web application for KMS-Admin (KMS)
Precondition/ input	The KMS platform is up and running. The KMS-Admin is logged into KMS-Admin. HSM (see chapter P-KMS-ADM-03 – HSM-Object (create, modify, delete)) is configured.
Postcondition/ output	A new tenant has been created, or an existing tenant has been modified, or an existing tenant has been deleted, or resources have been assigned to or withdrawn from a tenant.
Remarks	When creating a KMS-Tenant, the first time the "Manage existing tenant user" action is called, several tenant users with the KMS-Tenant role will be created (see steps 05). The access data generated by this process (userID and password) for access to the KMS-Tenant component must be transmitted by the KMS-Admin to the responsible persons of the Tenant in a confidential manner, e.g., in a sealed envelope or in an encrypted e-mail. This is an organizational process that is individually agreed by the platform operator with tenants. With these credentials the tenant user can then use the KMS-Tenant component to configure and edit tenant-specific resources (see [User-Manual]). Due to the principle of dual control when generating the private keys of the client, at least two tenant users are required and created. It is important that the KMS-Tenant is set to the status "Active" so that all functions of the KMS-Tenant are available to the KMS-Tenant Users. An HSM-Profile is created to a tenant (see chapter P-KMS-ADM-04 – KMS-Tenant-HSM-Profiles (create, delete)). A KMS-Tenant cannot be deleted until all links to the resources it uses (HSMs, HSM-Profile, KMS-Tenant-Users) have been deleted. Deleting a tenant is an action that cannot be undone and must therefore be authorized by a second KMS-Admin according to the dual control principle (see step 07,08).

Table 5. Process steps: KMS-Tenant (create, modify, delete, assign KMS resources)

Process steps

Displaying the list of tenants:

Select menu item "Overview" → "Tenants" → “All tenants” in the navigation menu (or alternatively "KMS" → "Tenants").

Create tenant:

Click on „Create Tenant” in the list of tenants (step 1);
Enter value for „Name“;
Click on „Create Tenant“;
Optional: Click on “activate“ after the creation to activate the tenant.

The tenant has been created, but further configurations are still to be done to prepare the tenant for full use:

Attach HSM (see step 04);
Add at least two tenant users (see step 05);
Link HSM-Profiles (see chapter P-KMS-ADM-04 – KMS-Tenant-HSM-Profiles (create, delete));
Set status to active (step 02 or 03).
Attach Issuer CAs (see step 09);

The HSM-Profile is assigned in a separate process when generating the HSM-Profile.

Modify tenant:

Click on "Edit" in the list of tenants (see step 01);
Edit "Name;
Manage linked HSM (see step 05);
Manage KMS-Tenant-Client Users. (see steps 05, 07)

Link or unlink tenant to HSM:

Click on "Edit" in the list of tenants (see step 01);
Click "Edit" in the Overview of the "Attached HSMs";
Click on "Attach" in the list of available HSMs to attach an HSM;
Click on "Detach" in the list of attached HSMs to detach an HSM.

Create KMS-Tenant-User (with KMS-Tenant role):

Click on "Edit" in the list of tenants (see step 01);
Click on "Edit" in the section "Existing Tenant-Users";
Enter the number of new tenant users (between 2 and 10, e.g. 2) in the input field;
Click on "Create" and confirm;
Safely store the access data of the new tenant users:

The access data will only become visible when you click on the corresponding field.

By clicking on "Copy access data" all access data will be copied and stored in the clipboard as follows:
```
 {
    "component": "KMS-Tenant",
    "tenant": "…",
    "users": [
    {
        "username": "…",
        "password": "…"
    },
    {
        "username": "…",
        "password": "…"
    }
    ]
}
```

Click on "Back".

The credentials must be transmitted by the KMS-Admin to the responsible persons of the Tenant in a confidential manner, e.g. in a sealed envelope or in an encrypted e-mail.

Delete KMS-Tenant-User:

Click on "Edit" in the list for a tenant;
Click on "Edit" for "Existing Tenant Users";
Click on "Delete all" and confirm.

After deleting the tenant users, new ones can be created again. The deletion of tenant users may be necessary if credentials of a tenant user have been lost and new tenant users should be created.

Delete tenant - Step 1: Create deletion request (proposal):

Click on "Edit" in the list of existing tenant users;
Click on "Deactivate" to deactivate the tenant user (only deactivated tenant user can be deleted);
Click on "Delete";
Click on "Orderly decommissioning" to create a request for deletion.

The deletion request must now be confirmed by a second admin user (see step 08)

Delete tenant – Step 2: Confirm deletion request by a second administrator:

Log into the KMS-Admin as second administrator;
Select the proposal for deletion via menu item "System" → "Available proposals" in the navigation menu and give the second vote. The process is described in detail in chapter P-KMS-ADM-05 – “Dual control” orders (vote, retract, reject).

A missing vote can be submitted any time via the voting system (see chapter P-KMS-ADM-05 – “Dual control” orders (vote, retract, reject)).

Attach CA:

Click on "Edit" in the list of tenants (see step 01);
Click "Edit" in the Overview of the "Attached Issuer CAs";
Click on "Attach" in the list of available CAs to attach a CA;

Click on "Detach" in the list of attached CAs to detach a CA.

Attach a CMP Configuration:

Click on "Edit" in the list of tenants (see step 01);
Click on "Create" or "Edit" in the "CMP configuration" section;

There are three section which must be filled with the required data.

CMP-Server

Enter the value for "Address". This is the base URL for the CMP server.
Enter the value for "Request path". The URL path for the certify request.
Enter the value for "Revoke path". The URL path for the revoke request.

CMP Server TLS

Select the truststore with the TLS certificates of the CMP server. This must be a #PKCS12 file.
Enter the value for "Truststore password".
Select the TLS version.

Signer

Select the keystore with the signing key pair that the CMP client uses to sign its requests. This must be a #PKCS12 file.
Enter the value for "Keystore alias".
Enter the value for "Keystore password".
Select the root certificate of the certificate chain used to verify the responses signed by the CMP server.

Click on "Save" to store the CMP configuration.

Delete a CMP Configuration:

Click on "Edit" in the list of tenants (see step 01);
Click on "Edit" in the "CMP configuration" section;
Click on "Delete";
Click on "Delete" in the confirmation dialog;

P-KMS-ADM-03 – HSM-Object (create, modify, delete)

Table 6. Profile: HSM-Object (create, modify, delete)
Profile
Designation	P-KMS-ADM-03 – HSM-Object (create, modify, delete)
Purpose	The HSMs serve as secure containers for private cryptographic key material. The KMS platform can manage multiple HSMs and then use them for cryptographic functions and storage of private keys of KMS-Tenants. The KMS-Admin must make the HSM objects known to the platform, modify them and delete them if necessary. They must work closely with the HSM-Admin (see chapter [architecture-overview]). The description of the management of HSM-Objects is the subject of P-KMS-ADM-03.
Responsibility	KMS-Admin
Working tool(s)	Browser, KMS web application for KMS-Admin (KMS)
Precondition/ input	The KMS platform is up and running. The KMS-Admin is logged into KMS-Admin.
Postcondition/ output	A new HSM object was created, or an existing HSM object has been modified, or an existing HSM object has been deleted.
Remarks	None

Process steps

Display the list of HSM objects:

Select the menu item "Overview" → "Navigation" → “HSMs” in the navigation menu (or alternatively "KMS" → "HSMs").

Create HSM object:

Click on "Create HSM" (e.g. in the list of HSM objects);
Enter attribute values "Name", "Location", "Address", "Type";

Field explanations:

Name: Unique name for the HSM

Location: For informational purposes only, freely selectable

Address: Address of the HSM (e.g. 3001@192.168.138.5). The value must be provided by the HSM-Admin.
Depending on the HSM type this field can refer to one of:
- the network address for HSM type [smartHSM, Utimaco, Utimaco EID, Luna SA].
- the absolute filepath to the to-be-created Java keystore file (.jks) for HSM type [Keystore]. The location must be writable.
- the absolute filepath to the .so/.dll library for HSM type [PKCS11].

Type: Type of the HSM (Currently supported: [smartHSM, Keystore, Utimaco, Utimaco EID, Luna SA, PKCS11]). The value must be provided by the HSM-Admin.

Click on "Create HSM".

Modify HSM object:

In the list of HSMs, click on "Edit" for the HSM that should be modified (e.g. in the HSM’s Object List);
Edit "Name", "Location", "Address", "Type" attributes;
Click on "Save HSM".

Delete HSM object:

In the list of HSMs, click on "Edit" for the HSM that should be deleted (e.g. in the HSM’s Object List);
Click on "Delete HSM" and confirm.

An HSM object can only be deleted if there are no links to the object.

P-KMS-ADM-04 – KMS-Tenant-HSM-Profiles (create, delete)

Table 8. Profile: KMS-Tenant-HSM-Profiles (create, delete)

Profile

Designation

P-KMS-ADM-04 – KMS-Tenant-HSM-Profiles (create, delete)

Purpose

HSM-Profiles are used to manage the relationships between tenants and their assigned HSMs, in which the tenant’s KEKs are stored in a protected manner. The "key management" and "key usage" users set up on the HSM by the HSM-Admin for the tenant, including their authentication information (credentials), are stored AES-encrypted in the HSM-Profile (see also chapter [tenant-hsm-profiles]).

The HSM users to be entered when generating a HSM-Profile must first be created in the HSMs (and HSM-HA, if installed) by the HSM-Admin. They are stored together with their credentials in the KMS database within the HSM-Profile object encrypted using a data-encryption-key (DEK). The DEK itself is protected using the MTG Secrets Protection Manager workflow (see Secrets Protection Business Processes for details). With the help of the DEK the HSM credentials stored in the HSM-Profile can be decrypted so that the KMS applications can log into the HSM. Afterwards, key management operations on the HSM (e.g. key generation for the client, chapter [tenant-hsm-profiles]) can be performed by the KMS applications.

Additionally, "key management" operations on the HSM are only possible using the "four-eyes principle" via the KMS-Tenant application (see chapter [managing-dual-control-orders] for details).

The description of the management of KMS-Tenant-HSM-Profiles is the subject of P-KMS-ADM-04.

Responsibility

KMS-Admin

Working tool(s)

Browser, KMS web application for KMS-Admin (KMS)

Precondition/
input

The KMS platform is up and running.

The KMS-Admin is logged into KMS-Admin.

Tenants (see chapter P-KMS-ADM-02 – KMS-Tenant (create, modify, delete, assign KMS resources)) and HSMs (see chapter P-KMS-ADM-03 – HSM-Object (create, modify, delete)) are set up.

In the HSM, the following HSM users have been created for the KMS tenant with the name <UserId> by the HSM-Admin (recommendation).

Username

Password

ENTITY

Permission

Notes

hsm_kms_
<UserId>_km1

<km1-UsrPwd>

ENTITY=
kms_<UserId>

00000010

key management

hsm_kms_
<UserId>_km2

<km2-UsrPwd>

ENTITY=
kms_<UserId>

00000010

key management

hsm_kms_
<UserId>_ku1

<ku1-UsrPwd>

ENTITY=
kms_<UserId>

00000001

key usage

hsm_kms_
<UserId>_ku2

<ku2-UsrPwd>

ENTITY=
kms_<UserId>

00000001

key usage

The KMS-Admin must know this authentication information (username, password) of the tenant and enter it into the corresponding mask fields when creating an HSM-Profile.

Postcondition/
output

A new HSM-Profile has been created, or
an existing HSM-Profile has been deleted

Remarks

A HSM-Profile object cannot be changed after its creation. It is only possible to delete the object.

Table 9. Process Steps: KMS-Tenant-HSM-Profiles (create, delete)
Process steps
01	Display the list of HSM-Profiles: Select menu item "KMS" → "Tenants" in the navigation menu. Select a tenant from the list and click on the "Edit" button. All existing HSM-Profiles for the selected tenant will be listed in the "Existing HSM-Profiles" section.
02	Link HSM-Profile object: Click on the "+ Link" button in the "Existing HSM-Profiles" section (see step 01); Click on "Select" at "HSM" and select an HSM from the selection list; Enter attribute values for "Name" and “Domain”. Field explanations: Name: Freely selectable name for the HSM-Profile. Domain: The domain which was set up by the HSM-Admin for the HSM users. The value must be provided by the HSM-Admin. Enter credentials of the "Key Management" HSM users (the number of users depends on the HSM configuration). The values must be provided by the HSM-Admin. Enter credentials of the "Key Usage" HSM users (the number of users depends on the HSM configuration). The values must be provided by the HSM-Admin. Click on "Create HSM-Profile". If the process was successful, the following message will be displayed: "HSM-Profile was successfully created."
03	Display HSM-Profile object: Click on "Details" in the list of HSM-Profiles; The following information is displayed: HSM users (user ID, user type, type of authentication) Configuration (name, HSM, tenant, domain)
05	Delete HSM-Profile object: Click on "Details" in the list of HSM-Profiles; Click on "Delete HSM-Profile" and confirm.

P-KMS-ADM-05 – “Dual control” orders (vote, retract, reject)

Table 10. Profile: “Dual control” orders (edit, accept, reject, withdraw)
Profile
Designation	P-KMS-ADM-05 – “Dual control” orders (vote, retract, reject)
Purpose	For security reasons, the principle of dual control (see chapter [managing-dual-control-orders]) is applied to certain processes executed by the KMS-Admin. This means that when a proposal is created, it has to be accepted (voted) by another administrator. The following proposals are handled separately in the KMS: Available proposals: A proposal made by an administrator other than the current (logged in) administrator. These proposals can be voted or rejected by the current administrator (see below). Your proposal: A proposal made by the currently logged in administrator. These proposals can only be retracted (see below). In summary, the following actions can be performed upon a proposal: Vote for an available proposal: Voting for a proposal means accepting the proposal. An administrator can only vote once for a proposal. The first vote is assigned directly when the proposal is created. The second vote must be given by another administrator. After a proposal has received the required two votes, the proposal is automatically completed. Retract your proposals: Own proposals can be retracted. The proposal is then deleted and is no longer appearing in any list of proposals. Reject available proposal: A proposal can be rejected by the second administrator. The proposal is then deleted and no longer appears in the list of proposals. A proposal has the following properties, which are displayed to the administrator during editing: Proposed by: Administrator who originally placed the order. Proposal type: Type of the proposal, e.g. CREATE or DELETE. Vote count: Number of received or missing votes. Actions that require the 4-eye principle: Create Administrator (see chapter P-KMS-ADM-01 – KMS-Admin account (create, modify, delete) ) Delete Administrator (see chapter P-KMS-ADM-01 – KMS-Admin account (create, modify, delete) ) Delete Tenant (see chapter P-KMS-ADM-02 – KMS-Tenant (create, modify, delete, assign KMS resources))
Responsibility	KMS-ADMIN
Working tool(s)	Browser, KMS web application for KMS-Admin (KMS-Admin)
Precondition/ input	The KMS platform is up and running. The KMS-Admin is logged in the KMS-Admin.
Postcondition/ output	An available dual order is accepted, or an available dual order is rejected, or an own dual order is withdrawn
Remarks	None

Table 11. Process steps: “Dual control” orders (edit, accept, reject, withdraw)

Process steps

Display the list of “your proposals”:

Select menu item "System" → "Your proposals" in the navigation menu.

Retract “your proposal“:

Click on "Details" in the list of your own proposal (see step 1);
Click on "Retract" and confirm your action;

Display the list of “available proposals”:

Select menu item "System" → "Available proposals" in the navigation menu.

The available proposals will be also displayed on the start page, when the KMS-Admin has just logged in.

Accept “available proposal“:

Click on "Edit" in the list of available proposals (see step 3);
Check the displayed data;
Click on "Accept" and confirm the action;
Depending on the proposal type, further final steps are necessary before the process is completed.
- Create Administrator: The password is generated and offered in a response page. To make the password visible, the corresponding field must be clicked. The password can also be saved to the clipboard by clicking the "Copy" button. With the creation of the admin and the corresponding password the process is finished. The access data generated must be handed over to the responsible person in a secure manner.
  
  Please note that the password is only displayed once and cannot be recovered.
- Delete Administrator: The action will be performed immediately.
- Delete Tenant: The action will be performed immediately.

Reject “available proposal“:

Click on "Edit" in the list of available proposals (see step 3);
Click on "Reject" and confirm the action;

P-KMS-ADM-06 – “CAs” orders (display)

Table 12. Profile: “CAs” orders (edit, accept, reject, withdraw)
Profile
Designation	P-KMS-ADM-06– “CAs” orders (display)
Purpose	For a better overview MTG KMS provides an overview about attached Issuer CAs. Those CAs were generated by the Mini-CA and automatically attached to the MTG KMS.
Responsibility	KMS-ADMIN
Working tool(s)	Browser, KMS web application for KMS-Admin (KMS-Admin)
Precondition/ input	The KMS platform is up and running. The KMS-Admin is logged in the KMS-Admin.
Postcondition/ output	None
Remarks	None

Table 13. Process steps: “CAs” orders (display)
Process steps
01	Display the list of attached CAs: Select menu item "KMS" → "CAs" in the navigation menu.
02	Display CA Details: Select menu item "KMS" → "CAs" in the navigation menu. Click on “Details” for the appropriate CA.

P-KMS-ADM-07 – “Settings” orders (edit)

Table 14. Profile: “Settings” orders (edit)
Profile
Designation	P-KMS-ADM-07– “Settings” orders (edit)
Purpose	MTG KMS allows the Administrator to set multiple options about automated tasks for managed objects or debug tracing.
Responsibility	KMS-ADMIN
Working tool(s)	Browser, KMS web application for KMS-Admin (KMS-Admin)
Precondition/ input	The KMS platform is up and running. The KMS-Admin is logged in the KMS-Admin.
Postcondition/ output	None
Remarks	None

Table 15. Process steps: “Settings” orders (edit)
Process steps
01	Edit Cron expressions: Select menu item "Settings" → “Edit Settings”; Set the preferred Cron Expressions; Click on “Save”.
02	Switch to Debug mode for tracing: Select menu item "Settings" → “Edit settings”; Click on “true” (or “false”); Click on “Continue” in the upcoming Pop-Up Window.
03	Enable the KMIP Digest generation: Select menu item "Settings" → “Edit settings”; Click on “true” (or “false”); Click on “Continue” in the upcoming Pop-Up Window.
04	Set the email server for license notification: Select menu item "Settings" → “Edit settings”; Set the address and port for the SMTP server; Set the username and password for the SMTP server, if they are necessary; Set the mail addresses for the sender and receiver; Click on “Save”.
05	Set the SNMP server for license notification: Select menu item "Settings" → “Edit settings”; Set the address and port for the SNMP server; Click on “Save”.

P-KMS-ADM-08 – “Licenses” (request, import)

Table 16. Profile: “Licenses” orders (request, import)
Profile
Designation	P-KMS-ADM-08– “Licenses” orders (request, import)
Purpose	MTG KMS allows the Administrator to request and import KMS application licenses.
Responsibility	KMS-ADMIN
Working tool(s)	Browser, KMS web application for KMS-Admin (KMS-Admin)
Precondition/ input	The KMS platform is up and running. The KMS-Admin is logged in the KMS-Admin.
Postcondition/ output	A new license has been requested, or a valid license (signed by the MTG Licensing PKI) has been imported
Remarks	At least one valid license is required for the KMS application to run correctly. Licenses are checked initially at KMS-Server startup and once every 7 days afterward.

Table 17. Process steps: “Licenses” orders (request, import)
Process steps
01	Request a license: Select menu item "KMS" → “Licenses”; Click on “Request a new License” and confirm the action; On the next page, click on “Download” to download the license request as a “.csr” file. Send the downloaded license request to MTG for signing. This is an out-of-band operation and can be performed by f.i. sending an encrypted email with the file attached. As a result, MTG will send back the signed license.
02	Import a license: Select menu item "KMS" → “Licenses”; Click on “Choose File” and select the signed license file in the file system dialog; Click on “Import License”.