Business Processes KMS Admin

"KMS Admin" provides methods for the following tasks:

  • Manage or create HSMs

    • Manage the existing HSM profiles of an HSM

  • Manage or create tenants

    • Manage the existing tenant users of a tenant

    • Manage the linked HSMs of a tenant as well as create new links

    • Manage a tenant’s existing HSM profiles as well as create new links with HSM profiles

    • Manage a tenant’s linked issuer certification authorities (CAs) and create new links

    • Manage the CMP configuration used by the KMS server to issue certificates

  • View the certification authorities (CAs)

  • Manage or add KMS roles

  • Edit the KMS server settings

  • Manage or add admin users

  • Manage or apply for licenses

  • Manage own account (Keycloak etc.)

The necessary identification and authentication towards the KMS Admin application is described in the following process steps:

Table 1. Process steps: Login to KMS Admin
Process steps

01

Call the URL of the KMS-UI application with the browser, e.g.

select the "Sign in" button and sign in using the admin credentials provided to you by a KMS admin (username and password, e.g. in a sealed envelope or encrypted email) (see chapter P-KMS-ADM-01 - KMS-Admin User (create, change, delete)). One possible login strategy is, for example, Keycloak.

02

After a successful login, the start page ("Dashboard") is displayed. The page features various buttons and a navigation menu (sidebar), which is typical for most pages of the KMS-UI web application and the KMS Admin.

03

It is recommended to change the randomly assigned username and initial password to a meaningful name and a new password during the initial login.

Furthermore, the personal information (e-mail, last name, first name) should be completed.

To do this, proceed as follows (when using Keycloak):

  1. Select "Profile" in the navigation menu;

  2. In the configuration interface of your authentication method (e.g. Keycloak), select "Personal information";

  3. Change your username and verify that "Email", "First Name", "Last Name", and "Language" are correct.

  4. Click on "Save".

  5. In the configuration interface of your authentication method (e.g. Keycloak), select "Account Security" → "Login";

  6. Update your password.

  7. Return to "KMS Admin" via the URL of the KMS-UI application and log in again (see step 01).

04

From any page (see step 03), the desired functionality can be selected at any time. The following steps must be performed:

  • Open the sidebar to get to the navigation menu;

  • Select the appropriate menu item in the navigation menu;

  • Select the corresponding submenu item in the drop-down menu.

The functionalities offered in the sidebar depend on the selected submenu item. Some functionalities can also be selected directly by selecting the corresponding buttons.

From any page, it is also possible to go back to the dashboard by clicking the "Dashboard" button, clicking on the MTG logo, or clicking on the "KMS Admin" button.

05

Other functionalities:

  • Configure authentication method

  • Switch application

  • Log off from the "KMS Admin" application

To use these functionalities, proceed as follows:

  1. On any page, open the drop-down menu in the upper right corner of the KMS-UI web application by clicking on the "User" icon;

  2. Use the drop-down menu:

    • Click "Profile" to go to your authentication method settings (e.g. Keycloak);

    • Select "Applications" to switch to a different available ERS application, if any are installed;

    • Click "Logout" to log out of the "KMS Admin" application.

Alternatively, you can access the "Profile" and "Logout" functionalities from the navigation menu in the sidebar.

06

Change language:

To change the language of the KMS-UI web application, please select the drop-down menu in the bottom right of the footer on any page of the web application. Here you can switch between "en" for English and "de" for German.

07

Search, sort and export in list views:

All objects that are managed with the KMS-UI web application are displayed as lists in their corresponding "Show" view. The structure of these lists is very similar and is usually characterized by the following features:

  • There is a search bar to search for objects by name;

    • In addition to the search bar, there is the possibility of an advanced search with fine-granular filters;

    • A non-specified ("empty") search means that all corresponding objects are displayed;

  • Using the boxes, individual objects can be selected as targets for the actions (access to them through the "Actions" button);

    • The selected objects can be exported as a CSV file using the "Actions" button;

  • The individual list elements can be sorted by the corresponding column by clicking on the table header;

  • The user pagination, search filtering and visible columns choices for each table are saved.

  • The button next to "Actions" can be used to change the columns to be displayed;

  • For individual objects, a detailed view can be opened by clicking on "Details".

P-KMS-ADM-01 - KMS-Admin User (create, change, delete)

Table 2. Profile: KMS-Admin User (create, change, delete)
Profile

Designation

P-KMS-ADM-01 - KMS-Admin User (create, change, delete)

Purpose

Only admin users are allowed to use the KMS Admin application, which provides methods for managing HSMs, tenants, roles, admin users, and HSM profiles, among other things.

The description of admin user management is the subject of P-KMS-ADM-01, which specifically includes managing admin user accounts and creating additional admin users.

Responsibility

KMS-Admin

Working tool(s)

Browser, KMS-UI web application

Precondition/
Input

The KMS platform is up and running.

The KMS admin is logged into the KMS-UI application with his admin user account.

Postcondition/
Output

  • A new KMS Admin user has been created, or

  • an existing KMS Admin user has been changed, or

  • an existing KMS Admin user has been deactivated, or

  • a deactivated KMS Admin user has been deleted.

Remarks

After creating a new admin user, the initial password should be sent securely to the responsible person (e.g. via encrypted email).

The current administrator should not be able to use and reset this initial password without the new administrator noticing (e.g., to prevent misuse of the new account by the approving KMS Admin). Therefore, the first time the administrator logs in with a newly created KMS Admin account, they will be prompted to change their initial password.

Table 3. Process steps: Admin User (create, change, delete).
Process steps

01

Display the list of admin users:

  1. In the navigation menu (in the sidebar), select "Admin Users" → "Show" (in the drop-down menu).

02

Create admin user:

  1. Click on "Create Admin User" above the list of admin users (see step 01) (alternatively: "Create …​" → "Admin User" or "Create" in the "Admin User" drop-down menu in the sidebar);

  2. Enter values for "Username", "Email";

  3. Click "Apply".

If the process was successful, an admin user has been created. The new user’s credentials are displayed and should be written down or stored safely.

03

Change admin user:

  1. In the list of admin users (see step 01), select "Details" at the admin user to be changed;

  2. Edit "First Name", "Last Name", "Email" or activate/deactivate the admin user by selecting the "Deactivate" button.

     No status change (activate/deactivate) is possible for your own KMS Admin user (the currently logged-in KMS Admin user).

  3. Click on "Save" to save the changes.

04

Delete admin user:

  1. In the list of admin users (see step 01), click the admin user you want to delete;

  2. If the status of the selected admin user is active, the admin user must be disabled first (see step 03);

  3. If the admin user is deactivated, the "Delete" button is active. Continue the process by clicking the "Delete" button.

When deleting a KMS Admin user, at least one (active) KMS Admin user must remain.

P-KMS-ADM-02 - KMS-Tenant (create, change, delete, assign KMS resources)

Table 4. Profile: KMS-Tenant (create, change, delete, assign KMS resources)
Profile

Designation

P-KMS-ADM-02 - KMS-Tenant (create, change, delete, assign KMS resources).

Purpose

The tenant is a logical entity in the KMS platform that separates the managed key material into its own key domains.

Tenant management, e.g., creating, modifying, and deleting tenants, and assigning and revoking tenant KMS resources (e.g., KMS tenant users, tenant HSM profiles, HSMs) is the responsibility of the admin.

The description of tenant management is the subject of P-KMS-ADM-02.

Responsibility

KMS-Admin

Working tool(s)

Browser, KMS-UI web application

Precondition/
Input

The KMS platform is up and running.

The KMS admin is logged into the KMS-UI application with his admin user account.

HSM (see chapter P-KMS-ADM-03 - HSM object (create, change, delete)) is configured.

Postcondition/
Output

  • a new tenant has been created, or

  • an existing tenant has been changed, or

  • an existing tenant has been deleted, or

  • a tenant has had resources allocated to it or withdrawn from it.

Remarks

After creating a tenant, the "Existing Tenant-Users" → "Edit" action offers to create at least two new tenant users with the role KMS-Tenant (see step 05). The access data (UserID and password) generated in this process for access to the KMS Tenant application must be transmitted confidentially by the admin to the persons responsible for the tenant, e.g. in a sealed envelope or in an encrypted e-mail.

This is an organizational process that is carried out individually with the tenants (clients) by the platform operator.

With these credentials, the tenant user can then use the KMS Tenant application to configure and edit tenant-specific resources (see KMS012). At least two tenant users are always created.

It is important that the tenant is set to "Active" status so that all the functions of the "KMS Tenant" are available to the tenant users.

An HSM profile is created for a tenant (see chapter P-KMS-ADM-04 - KMS-Tenant HSM-Profiles (create, delete)).

A tenant cannot be deleted until all links to the resources it uses (HSMs, HSM profiles, tenant users) have been deleted.

Deleting a tenant is an action that cannot be undone.

Process steps: KMS-Tenant (create, change, delete, assign KMS resources)

Process steps

01

Display the list of tenants:

  1. In the navigation menu (in the sidebar), select "Tenants" → "Show" (in the drop-down menu).

02

Create Tenant:

  1. Click on "Create Tenant" above the list of tenants (see step 01) (alternatively: "Create …​" → "Tenant" or "Create" in the "Tenants" drop-down menu in the sidebar);

  2. Enter value for "Name";

  3. Click on "Apply".

  4. Optional: After creation, click "Edit" and then "Activate" to activate the tenant.

The tenant has been created, but more configuration needs to be done to prepare the tenant for use:

The HSM profile is assigned in a separate process when the HSM profile is created.

03

Change Tenant:

  1. In the Tenant list (see step 01), click "Details" for the tenant you want to change;

  2. Select "Edit" and edit "Name", "Status" (active/inactive), "Reactivation" (allows/restricts reactivation of deactivated objects);

  3. Select "Edit" in the respective areas and edit:

    1. "Existing Tenant Users" (see steps 04, 05, 06),

    2. "Linked HSMs" (see step 07),

    3. "Linked Issuer CAs" (see step 08),

    4. "CMP configuration" (see steps 09, 10, 11),

    5. "Audit messages for KMIP operations" (see step 12);

  4. The "Existing HSM-Profiles" section is used to link the tenant and HSM profile and is described in chapter P-KMS-ADM-04 - KMS-Tenant HSM-Profiles (create, delete).

04

Create tenant user:

  1. Click on "Details" of the corresponding tenant in the list of tenants (see step 01);

  2. Click "Edit" in the "Existing Tenant Users" section;

  3. Select the number of new tenant users (between 2 and 10, e.g. 2);

  4. Click on "Create" and confirm;

  5. Save the credentials of the new Tenant users securely:

    The credentials will not be visible until you click on the corresponding field.

    Click on "Copy to clipboard" to copy all access data and save them to the clipboard as follows:

    {
        "component": "KMS-Tenant",
        "tenant": "...",
        "users": [
            {
                "username": "...",
                "password": "..."
            },
            {
                "username": "...",
                "password": "..."
            }
        ]
    }

  6. Click "Back".

Credentials must be submitted confidentially by the admin to the tenant’s responsible parties, e.g., in a sealed envelope or encrypted email.
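The clipboard JSON above holds every tenant user's password in one document. The following added example (not part of the KMS product or of MTG's documentation) validates that structure and splits it into one owner-only file per tenant user, so that each responsible person can be handed only their own credentials. The function names, file names and sample values are assumptions made for this illustration.

```python
import json
import os
import tempfile

# Range offered by the "Create tenant user" step (between 2 and 10).
MIN_USERS, MAX_USERS = 2, 10

# Constructed sample in the clipboard format shown above (not real credentials).
SAMPLE_CLIPBOARD = json.dumps({
    "component": "KMS-Tenant",
    "tenant": "example-tenant",
    "users": [
        {"username": "constructed-user-1", "password": "constructed-pass-1"},
        {"username": "constructed-user-2", "password": "constructed-pass-2"},
    ],
})


def parse_tenant_credentials(clipboard_text):
    """Validate the copied JSON and return (tenant, users)."""
    data = json.loads(clipboard_text)
    if not isinstance(data, dict) or data.get("component") != "KMS-Tenant":
        raise ValueError("not a KMS-Tenant credential export")
    tenant = data.get("tenant")
    if not isinstance(tenant, str) or not tenant:
        raise ValueError("missing tenant name")
    users = data.get("users")
    if not isinstance(users, list) or not MIN_USERS <= len(users) <= MAX_USERS:
        raise ValueError("expected between 2 and 10 tenant users")
    seen = set()
    for user in users:
        if not isinstance(user, dict):
            raise ValueError("user entry is not an object")
        if not user.get("username") or not user.get("password"):
            raise ValueError("user entry without username or password")
        if user["username"] in seen:
            raise ValueError("duplicate username in export")
        seen.add(user["username"])
    return tenant, users


def write_handover_files(clipboard_text, out_dir):
    """Write one file per tenant user; each file is readable by the owner only."""
    tenant, users = parse_tenant_credentials(clipboard_text)
    paths = []
    for index, user in enumerate(users, start=1):
        # The file name uses an index, not the username, so no credential
        # data ends up in directory listings.
        path = os.path.join(out_dir, "tenant-user-%02d.json" % index)
        # O_EXCL refuses to overwrite an existing file; mode 0o600 applies
        # from the moment the file is created.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w", encoding="utf-8") as handle:
            json.dump(
                {"component": "KMS-Tenant", "tenant": tenant, "users": [user]},
                handle,
                indent=4,
            )
        paths.append(path)
    return paths


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as work_dir:
        for written in write_handover_files(SAMPLE_CLIPBOARD, work_dir):
            print("wrote", os.path.basename(written))
```

The per-user files still contain plaintext passwords; they are an intermediate step before the confidential delivery described above and should be removed afterwards.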

05

Delete KMS tenant user:

  1. Click "Details" of the corresponding tenant in the list of tenants (see step 01);

  2. Click "Edit" in the "Existing tenant users" section;

  3. Click on "Delete all" and confirm.

After deleting the tenant users, new ones can be created again. Deleting tenant users may be necessary if the credentials of a tenant user have been lost and new tenant users are to be created.

06

Delete tenant:

  1. Click on "Details" of the corresponding tenant in the list of tenants (see step 01);

  2. Click "Deactivate" to disable the tenant user (only disabled tenant users can be deleted);

  3. Click on "Delete" and confirm;

07

Attach or detach tenants with HSM:

  1. Click on "Details" of the corresponding tenant in the list of tenants (see step 01);

  2. Click "Edit" in the "Linked HSMs" section;

  3. Click "Attach" in the "Available HSMs" list to link an HSM;

  4. Click "Detach" in the "Attached HSMs" list to unlink an HSM.

08

Attach and detach Issuer CAs:

  1. Click "Details" of the corresponding tenant in the list of tenants (see step 01);

  2. Click "Edit" in the "Linked issuer CAs" section;

  3. Click "Attach" in the "Available CAs" list to attach a CA;

  4. Click "Detach" in the "Attached CAs" list to detach a CA.

09

Create a CMP configuration:

  1. Click "Details" of the corresponding tenant in the list of tenants (see step 01);

  2. Click on "Edit" in the "CMP Configuration" section;

There are three sections that need to be filled in with the required data.
CMP Server
  1. Enter the value for "Address". This is the base URL for the CMP server.

  2. Enter the value for "Request path". The URL path for the certify request.

  3. Enter the value for "Revoke path". The URL path for the revoke request.

CMP server TLS
  1. Select the truststore containing the TLS certificates of the CMP server. This must be a PKCS#12 file.

  2. Enter the value for "Truststore password".

  3. Select the TLS version.

Signer
  1. Select the keystore containing the key pair that the CMP client uses to sign its requests. This must be a PKCS#12 file.

  2. Enter the value for "Keypair alias".

  3. Enter the value for "Keypair password".

  4. Select the root certificate "CMP CA Root (X509, DER)" of the certificate chain that will be used to verify the responses signed by the CMP server.

Click "Create CMP configuration" to save the CMP configuration.

10

Edit a CMP configuration:

  1. Click "Details" of the corresponding tenant in the list of tenants (see step 01);

  2. Click on "View" in the "CMP Configuration" section;

There are two different sections for editing.
Edit CMP Server
  1. Manage CMP Server configuration

  2. Manage CMP Server TLS configuration

  3. Manage CMP Signer Keystore configuration

Click "Save" to update the CMP configuration.

Edit CMP Root Certificates
  1. Add and/or remove CMP CA Root certificates (and automatically update the CMP Configuration)

11

Delete a CMP configuration:

  1. Click "Details" of the corresponding tenant in the list of tenants (see step 01);

  2. Click "View" in the "CMP Configuration" section;

  3. Click on "Delete" and confirm.

12

Edit audited KMIP operations:

  1. Click "Details" of the corresponding tenant in the list of tenants (see step 01);

  2. Click "Edit" in the "Audit messages for KMIP operations" section;

  3. Select for which KMIP operations audit messages should be written and confirm.

P-KMS-ADM-03 - HSM object (create, change, delete)

Table 5. Profile: HSM object (create, change, delete)
Profile

Designation

P-KMS-ADM-03 - HSM object (create, change, delete)

Purpose

HSMs serve as secure containers for private cryptographic key material. The KMS platform can manage multiple HSMs and then use them for cryptographic functions and tenant private key storage. The KMS admin must make the HSM objects known to the platform, modify them, and delete them if necessary.

They must work closely with the HSM admin.

The description of the management of HSM objects is the subject of P-KMS-ADM-03.

Responsibility

KMS-Admin

Working Tool(s)

Browser, KMS-UI Web Application

Precondition/
Input

The KMS platform is up and running.

The KMS admin is logged into the KMS-UI application with his admin user account.

Postcondition/
Output

  • a new HSM object has been created, or

  • an existing HSM object has been modified, or

  • an existing HSM object has been deleted.

Remarks

None

Process steps: HSM object (create, change, delete)

Process steps

01

Display the list of HSMs:

  1. In the navigation menu (in the sidebar), select "HSMs" → "Show" (in the drop-down menu).

02

Create HSM object:

  1. Click on "Create HSM" above the list of HSM objects (see step 01) (alternatively: "Create …​" → "HSM" or "Create" in the "HSMs" drop-down menu in the sidebar);

  2. Enter or select attribute values "HSM Name", "Location", "Address", "Type";

    Explanation of fields:

    Name: Unique name for the HSM

    Location: For information purposes only, can be freely chosen

    Address: Address of the HSM (e.g. 3001@192.168.138.5). The value must be provided by the HSM admin. Depending on the HSM type, this field may refer to one of the following values:

    • the network address for the HSM type [Utimaco, Utimaco EID, Luna SA].

    • a logical name for the Java keystore file to be created for the HSM type [keystore]. The location is inside the database.

    • the absolute file path to the .so/.dll library for the HSM type [PKCS11].

    Type: Type of HSM (Currently supported: [keystore, Utimaco, Utimaco EID, Luna SA, PKCS11]). The value must be specified by the HSM admin. After selecting a type the interface displays a hint with an example address for this particular type of HSM.

  3. Click on "Apply".

03

Change HSM object:

  1. In the list of HSMs (see step 01), click "Details" for the HSM you want to change;

  2. Select "Edit".

  3. Edit the "Name", "Location", "Address" and "Type" attributes;

  4. Click on "Save".

04

Delete HSM object:

  1. In the list of HSMs (see step 01), click "Details" for the HSM you want to change;

  2. Select "Delete" and confirm.

An HSM object can only be deleted if there are no links to the object.

P-KMS-ADM-04 - KMS-Tenant HSM-Profiles (create, delete)

Table 6. Profile: KMS-Tenant HSM-Profiles (create, delete)
Profile

Designation

P-KMS-ADM-04 - KMS-Tenant HSM-Profiles (create, delete)

Purpose

HSM profiles are used to manage the relationships between clients and their assigned HSMs, where the clients' KEKs are stored in a protected manner. The "Key Management" and "Key Usage" users set up by the HSM admin for the client on the HSM are stored in the HSM profile, including their authentication information (credentials), in AES-encrypted form.

The HSM users to be entered when an HSM profile is generated must first be created by the HSM admin in the HSMs (and HSM-HA, if installed). They are stored together with their credentials in the KMS database within the HSM profile object encrypted with a Data-Encryption-Key (DEK). The DEK itself is protected by the MTG Secrets Protection Manager workflow (see document Secrets Protection Business Processes for details). The DEK can be used to decrypt the HSM credentials stored in the HSM profile so that KMS applications can log on to the HSM. Key management operations can then be performed on the HSM by the KMS applications (e.g., key generation for the client).

The description of the management of KMS-Tenant HSM profiles is the subject of P-KMS-ADM-04.

Responsibility

KMS-Admin

Working tool(s)

Browser, KMS-UI web application

Precondition/
Input

The KMS platform is up and running.

The KMS admin is logged into the KMS-UI application with his admin user account.

In an Utimaco HSM, the following HSM users have been created for the KMS client with the name <UserId> by the HSM admin (recommendation).

username               password       ENTITY                authorization   notes
hsm_kms_<UserId>_km1   <km1-UsrPwd>   ENTITY=kms_<UserId>   00000010        key management
hsm_kms_<UserId>_km2   <km2-UsrPwd>   ENTITY=kms_<UserId>   00000010        key management
hsm_kms_<UserId>_ku1   <ku1-UsrPwd>   ENTITY=kms_<UserId>   00000001        key usage
hsm_kms_<UserId>_ku2   <ku2-UsrPwd>   ENTITY=kms_<UserId>   00000001        key usage

The KMS Admin must know this authentication information (username, password) of the client and enter it in the corresponding mask fields when creating an HSM profile.

Postcondition/
Output

  • A new HSM profile has been created, or

  • an existing HSM profile was deleted.

Remarks

An HSM Profile object cannot be modified after it has been created. It is only possible to delete the object. The creation of the users depends on the chosen HSM Type.

Process steps: KMS-Tenant HSM-Profiles (create, delete)

Process steps

01

Display the list of HSM profiles of a tenant:

  1. In the navigation menu (in the sidebar), select "Tenants" → "Show" (in the drop-down menu).

  2. In the list of tenants, click "Details" for the tenant whose HSM profiles you want to display;

  3. In the "Existing HSM-Profiles" area, all existing HSM profiles for the selected tenant are listed.

02

Link tenant with HSM profile:

  1. Click "Connect HSM Profile" in the "Existing HSM-Profiles" area (see step 01);

  2. Click "Select" on "HSM" and choose an HSM from the drop-down list;

  3. Enter attribute values for "Name" and "Domain".

    Explanation of fields:

    Name: Choose any name for the HSM profile.

    Domain: The domain set up by the HSM Admin for the HSM users. The value must be specified by the HSM Admin.

  4. Add at least one HSM user, select its type and enter name and password. The values must be provided by the HSM Admin. You can test if you have entered valid credentials;

    1. There should be at least one HSM user with permission for "Key Management" and at least one with permission for "Key Usage". It is also possible for one user to have both permissions ("Key Management and Usage"). It is just important that both privileges are present.

  5. HSM users that are already connected can also be removed by clicking the "Remove User" button. However, there must always be at least one HSM user;

  6. Click on "Apply".

If the operation was successful, an HSM profile will be created.
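Because an HSM profile cannot be modified after creation, it is worth checking the planned HSM users before clicking "Apply". The following check is an added example, not part of the KMS product; the function names and the dictionary layout are assumptions, while the user types, the recommended name pattern and the authorization values are taken from this page.

```python
import re

# Name suffixes and authorization values from the recommended Utimaco user table.
RECOMMENDED = {
    "Key Management": {"suffix": "km", "authorization": "00000010"},
    "Key Usage": {"suffix": "ku", "authorization": "00000001"},
}
BOTH = "Key Management and Usage"
NAME_RE = re.compile(r"^hsm_kms_(?P<user_id>.+)_(?P<suffix>km|ku)\d+$")


def recommended_users(user_id):
    """Return the four rows of the recommended table for one KMS client."""
    rows = []
    for user_type, spec in RECOMMENDED.items():
        for number in (1, 2):
            rows.append({
                "name": "hsm_kms_%s_%s%d" % (user_id, spec["suffix"], number),
                "entity": "kms_%s" % user_id,
                "authorization": spec["authorization"],
                "type": user_type,
            })
    return rows


def check_profile_users(users, user_id=None):
    """Return a list of findings for the HSM users planned for one profile."""
    if not users:
        return ["profile needs at least one HSM user"]
    findings = []
    covered = set()
    for user in users:
        name, user_type = user["name"], user["type"]
        if user_type == BOTH:
            # One user may carry both permissions; the table defines no
            # name pattern for that case, so the name is not checked.
            covered.update(RECOMMENDED)
            continue
        if user_type not in RECOMMENDED:
            findings.append("%s: unknown type %r" % (name, user_type))
            continue
        covered.add(user_type)
        match = NAME_RE.match(name)
        if match is None:
            findings.append("%s: name does not follow the recommended pattern" % name)
            continue
        if match.group("suffix") != RECOMMENDED[user_type]["suffix"]:
            findings.append("%s: name suffix does not match type %s" % (name, user_type))
        if user_id is not None and match.group("user_id") != user_id:
            findings.append("%s: belongs to a different UserId" % name)
    for user_type in RECOMMENDED:
        if user_type not in covered:
            findings.append("no HSM user with %s permission" % user_type)
    return findings


if __name__ == "__main__":
    # Constructed input: only key-management users were entered.
    planned = [row for row in recommended_users("acme") if row["type"] == "Key Management"]
    for finding in check_profile_users(planned, user_id="acme"):
        print(finding)
```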

03

Show HSM profile object:

  1. In the list of HSM profiles (see step 01), click the name of the HSM profile to be displayed;

The following information is displayed:

  • HSM profile information (HSM profile name, HSM, tenant, domain).

  • HSM user (name, type, authentication method).

04

Delete HSM profile object:

  1. In the list of HSM profiles (see step 01), click the name of the HSM profile you want to delete;

  2. Click on "Delete HSM profile" and confirm.

P-KMS-ADM-05 - CAs (show, delete)

Table 7. Profile: CAs (show, delete)
Profile

Designation

P-KMS-ADM-05 - CAs (show, delete)

Purpose

For a better overview, MTG KMS-UI provides an overview of attached issuer certification authorities (Issuer CAs). These CAs have been generated by the Mini-CA and automatically attached to MTG KMS.

Responsibility

KMS-Admin

Working tool(s)

Browser, KMS-UI web application

Precondition/
Input

The KMS platform is up and running.

The KMS admin is logged into the KMS-UI application with his admin user account.

Postcondition/
Output

None

Remarks

None

Process steps: CAs (show, delete)

Process steps

01

Display the list of connected CAs:

  1. Select the "CAs" menu item in the navigation menu (in the sidebar).

02

Display the CA details:

  1. In the list of connected CAs (see step 01), click "Details" for the corresponding CA.

The following information is displayed for the CA:

  • CA information (Name, Subject DN, Valid to).

  • Tenants (attached to CA)

  • KMS-Client certificates (reference the CA)

03

Delete CA:

  1. In the list of connected CAs (see step 01), click "Details" for the corresponding CA;

  2. Select "Delete" and confirm. A CA can only be deleted if it is not connected to any tenant.

P-KMS-ADM-06 - KMS Roles (create, change, delete)

Table 8. Profile: KMS Roles (create, change, delete)
Profile

Designation

P-KMS-ADM-06 - KMS Roles (create, change, delete)

Purpose

The KMS Admin can use the KMS Admin application to manage KMS roles.

The description of the management of KMS roles is the subject of P-KMS-ADM-06. This includes the creation, modification and deletion of KMS roles.

Responsibility

KMS-Admin

Working tool(s)

Browser, KMS-UI web application

Precondition/
Input

The KMS platform is up and running.

The KMS admin is logged into the KMS-UI application with his admin user account.

Postcondition/
Output

  • A new KMS role has been created, or

  • an existing KMS role has been changed, or

  • an existing KMS role has been deleted.

Remarks

None

Process steps: KMS Roles (create, change, delete)

Process steps

01

Display the list of KMS roles:

  1. In the navigation menu (in the sidebar), select "KMS Roles" → "Show" (in the drop-down menu).

02

Create KMS role:

  1. Click on "Create KMS Role" above the list of KMS roles (see step 01) (alternatively: "Create …​" → "KMS Role" or "Create" in the "KMS Roles" drop-down menu in the sidebar);

  2. Enter a value at "Role name";

  3. Click "Apply".

If the operation was successful, a KMS role has been created and the details of this role are displayed.

03

Change KMS role:

  1. In the list of KMS roles (see step 01), select "Details" at the KMS role to be changed;

  2. In the "KMS Role information" section, edit the name of the role;

  3. In the permissions section, edit the operations that are allowed to be conducted with this role;

  4. Click "Save" to save the changes.

04

Delete KMS role:

  1. In the list of KMS roles (see step 01), select "Details" at the KMS role to be changed;

  2. Click on the "Delete" button and confirm.

P-KMS-ADM-07 - Settings (edit)

Table 9. Profile: Settings (edit)
Profile

Name

P-KMS-ADM-07 - Settings (edit)

Purpose

MTG KMS allows the administrator to edit the settings of the KMS server.

Responsibility

KMS-Admin

Working tool(s)

Browser, KMS-UI web application

Precondition/
Input

The KMS platform is up and running.

The KMS admin is logged into the KMS-UI application with his admin user account.

Postcondition/
Output

None

Remarks

None

Process steps: Settings (edit)

Process steps

01

Edit cron expressions:

  1. In the navigation menu (in the sidebar), select the "Settings" menu item;

  2. Set the desired cron expressions;

  3. Click on "Apply".

02

Switch to debug mode for tracing:

  1. Select "Settings" from the navigation menu (in the sidebar);

  2. Click "Activate" (or "Deactivate") under "Trace Request".

03

Enable KMIP digest generation:

  1. Select "Settings" from the navigation menu (in the sidebar);

  2. Under "Digest", click "Activate" (or "Deactivate").

04

Configure the email server for license notifications:

  1. Select "Settings" from the navigation menu (in the sidebar);

  2. Set the address and port for the SMTP server;

  3. Set the username and password for the SMTP server, if required;

  4. Set the Email addresses for the sender and the recipient;

  5. Click "Apply".

05

Set the SNMP server for license notifications:

  1. Select "Settings" from the navigation menu (in the sidebar);

  2. Set the address and port for the SNMP server;

  3. Click on "Apply".

P-KMS-ADM-08 - Licenses (request, import)

Table 10. Profile: Licenses (request, import)
Profile

Designation

P-KMS-ADM-08 - Licenses (request, import)

Purpose

MTG KMS allows the administrator to request and import KMS application licenses.

Responsibility

KMS-Admin

Working tool(s)

Browser, KMS-UI web application

Precondition/
Input

The KMS platform is up and running.

The KMS admin is logged into the KMS-UI application with his admin user account.

Postcondition/
Output

  • A new license has been requested, or

  • a valid license (signed by MTG AG) has been imported.

Remarks

At least one valid license is required for the KMS application to run correctly. Licenses are checked when the KMS server is started for the first time and every 7 days thereafter.

Process steps: Licenses (request, import)

Process steps

01

Display the list of licenses:

  1. Select the "Licenses" menu item in the navigation menu (in the sidebar).

02

Request a license:

  1. Click on "Create License" above the list of licenses (see step 01) (alternatively: "Create …​" → "License" or "Create" in the "Licenses" drop-down menu in the sidebar);

  2. Confirm the action;

  3. On the next page, click "Download License Application" to download the license application as a ".csr" file;

  4. Send the downloaded license request to MTG AG for signing. This is an out-of-band operation and can be done, for example, by sending an encrypted e-mail with the file attached. MTG AG will then send back the signed license.

03

Import a license:

  1. Click "Details" on a requested license in the list of licenses (see step 01);

  2. Browse the system and select the signed license file in the file system dialog;

  3. Click on "Import License".

04

Download a license request:

  1. Click "Details" on a license or license request in the list of licenses (see step 01);

  2. Click on "Download Request".

05

Delete a license or a license application:

  1. Click "Details" on a license or license request in the list of licenses (see step 01);

  2. Click on "Delete" and confirm.