---
canonical: https://safekit.evidian.com/wp-content/uploads/downloads_safekit/version-82/safekituserguidehtml/documentation/safekituserguideen.htm
---

# 10.          Advanced administration and setup

- Section 10.1 “SafeKit environment variables and directories”
- Section 10.2 “SafeKit services”
- Section 10.3 “Firewall settings”
- Section 10.4 “Boot and shutdown setup in Windows”
- Section 10.5 “Linux Secure boot settings for SafeKit kernel modules”
- Section 10.6 “Antivirus settings”
- Section 10.7 “Encryption of application module communications”
- Section 10.8 “Encryption of sensitive files in SafeKit”
- Section 10.9 “SafeKit web service”
- Section 10.10 “SafeKit email notification agent”
- Section 10.11 “SNMP monitoring”
- Section 10.12 “Commands log of the SafeKit server”

## 10.1          SafeKit environment variables and directories

### 10.1.1      Global

| **Variable** | **Description** |
| --- | --- |
| SAFE  (given by safekit -p) | SafeKit installation directory: C:\safekit on Windows (if SystemDrive=C:), /opt/safekit on Linux |
| SAFEVAR  (given by safekit -p) | SafeKit working files directory: **SAFEVAR=C:\safekit\var** on Windows and **SAFEVAR=/var/safekit** on Linux |
| SAFEBIN  (given by safekit -p) | SafeKit binary installation directory: **C:\safekit\private\bin** on Windows and **/opt/safekit/private/bin** on Linux. Useful to access SafeKit special commands (see section 14.5) |
| SAFE/Application\_Modules | Installable .safe modules directory.  Once a module has been installed, the module is located under **SAFE/modules** |
| SAFE/conf | Contains the SafeKit license file. |

### 10.1.2      Application module

| **Variable** | **Description** |
| --- | --- |
| SAFEMODULE | The name of the application module. The safekit command no longer needs the module name parameter (-m *AM* = -m SAFEMODULE) |
| SAFE/modules/*AM* | The configuration files for a module named *AM* are in the directory **SAFE/modules/*AM***, which includes: in **SAFE/modules/*AM*/conf**, the file userconfig.xml; in **SAFE/modules/*AM*/bin**, among other files, the application start and stop scripts (start\_prim, stop\_prim for a mirror setup; start\_both, stop\_both for a farm setup). These files can be edited directly or via the SafeKit console. After each modification, the configuration must be applied to all cluster nodes where the module is installed to take effect. |
| SAFEUSERBIN  SAFEUSERCONF | Once the module has been successfully configured, its configuration files are automatically copied to the private directory **SAFE/private/modules/*AM***. This directory is used by the SafeKit runtime and must not be modified under any circumstances.  However, the module's scripts can access it in read-only mode via the following environment variables:  ·         SAFEUSERBIN points to **SAFE/private/modules/*AM*/bin**, providing access to the module’s scripts  ·         SAFEUSERCONF points to **SAFE/private/modules/*AM*/conf**, providing access to the safeconf.xml file, which contains the complete XML configuration of the module after macro instantiation |
| SAFEVAR/modules/*AM* SAFEUSERVAR | The directory **SAFEVAR/modules/*AM***, accessible via the environment variable SAFEUSERVAR, contains the working files of the *AM* module.  This directory notably stores the log files generated by the module's scripts. These files follow the naming format: userlog\_<year>\_<month>\_<day>T<time>\_<script name>.ulog. They allow you to review the script output messages, particularly to check for any errors during application startup or shutdown.  Note: the userlog can be disabled with <user logging="none"> in userconfig.xml. |
| SAFEVAR/snapshot/modules/*AM* | Directory of dumps and configurations put in a snapshot of the module named *AM*. See section 9.6 that describes command lines for support. |

 

The module tree (packaged into a .safe or
installed into SAFE/modules/*AM*) is the following:

|  |  |  |  |
| --- | --- | --- | --- |
| *AM* | | | Application module name |
|  | conf | |  |
|  | | userconfig.xml | User XML configuration file |
|  | | userconfig.xml.template | Internal use only. Obsolete (for the web console < SafeKit 8) |
|  | | modulekey.p12 | Optional. Internal use only (encryption of the module internal communications) |
|  | | modulekey.dat | Optional. Internal use only (encryption of the module internal communications) |
|  | bin | |  |
|  | | prestart | Module script executed on module start |
|  | | start\_prim or start\_both | Module script to start the application in mirror or farm module |
|  | | stop\_prim or stop\_both | Module script to stop the application in mirror or farm module |
|  | | poststop | Module script executed on module stop |
|  | web | |  |
|  | | index.html | Obsolete (for the web console < SafeKit 8) |
|  | manifest.xml | | Obsolete |
|  |  |  |  |

 

Since SafeKit 8, the module quick configuration display can no longer be
customized (index.html is obsolete).

## 10.2          SafeKit services and daemons

See section 10.3.3.1 and section 10.3.3.2 for full details on the SafeKit
process names and the ports used.

### 10.2.1      SafeKit services

|  |  |
| --- | --- |
| Note | In Windows, process names have the .exe extension. |

|  |  |
| --- | --- |
| **safeadmin**  (safeadmin process) | SafeKit main service, mandatory and started automatically at boot. |
| **safewebserver**   (httpd process) | Service used by the web console, module checkers and distributed command line interface. |
| **Net-SNMP Agent**   (safeagent process) | In Windows: service that implements the SafeKit SNMP agent. |

 

For the commands to control SafeKit
services, refer to section 9.1.

### 10.2.2      SafeKit daemons per module

|  |  |
| --- | --- |
| Note | In Windows, process names have the .exe extension. |

|  |  |
| --- | --- |
| heart | Manages the state automaton of the module and the recovery procedures |
| errd  ipcheck  intfcheck  tcpcheck  pingcheck  modulecheck | Checkers that manage error detection |
| vipd | Synchronizes a farm of servers |
| arpreroute | Manages arp requests for the virtual IP address (sends ARP packet) |
| nfsadmin  nfsbox  reintegre | Manages the real-time replication and data synchronization |

## 10.3          Firewall settings

If a firewall is active on the SafeKit
server, you must add rules to allow network traffic:

- between servers, for internal communication (global runtime and module-specific)
- between servers and workstations running the SafeKit console

The command below configures the operating system firewall: Microsoft
Windows Firewall in Windows, firewalld/iptables in Linux. If you opted for
automatic firewall configuration during the SafeKit installation, this command
has already been executed.

|  |  |
| --- | --- |
| SAFE/private/bin/firewallcfg add     where  SAFE=C:\safekit (if %SYSTEMDRIVE%=C:) in Windows  SAFE=/opt/safekit in Linux | On all SafeKit servers:  1.    Open a PowerShell/shell window as administrator/root  2.    Run SAFE/private/bin/firewallcfg add  This configures the operating system firewall for SafeKit. |

 

For configuring other firewalls, refer to section 10.3.3, which details the SafeKit process names
and the ports used.

### 10.3.1      Firewall settings in Linux

If you opted in to automatic firewall
configuration during SafeKit installation, you do not have to apply the
following procedure.

If you opted out of automatic firewall
configuration, you must configure the firewall.

When using the operating system firewall (firewalld/iptables), you may use the firewallcfg command. It inserts (or removes) the firewall rules required by the SafeKit services and modules.

Administrators should check for conflicts with
local policy before applying it.

|  |  |
| --- | --- |
| SAFE/private/bin/firewallcfg add  SAFE/private/bin/firewallcfg del  where SAFE=/opt/safekit | Add (or delete) the firewalld or iptables firewall rules for the SafeKit safeadmin and safewebserver services. SAFE/private/bin/firewallcfg add adds the firewall rules for safeadmin and safewebserver; SAFE/private/bin/firewallcfg del deletes them. |
| SAFE/private/bin/firewallcfg add *AM*  SAFE/private/bin/firewallcfg del *AM*  where SAFE=/opt/safekit | Add (or delete) the firewalld or iptables firewall rules for the SafeKit modules. SAFE/private/bin/firewallcfg add *AM* adds the firewall rules for the module named *AM*; SAFE/private/bin/firewallcfg del *AM* deletes them. |

 

Since version 8.2.5 of SafeKit, the firewallcfg add command also automatically activates firewall configuration for
modules as soon as they are set up. Prior to this version, it was necessary to
run the command firewallcfg add *AM* (where *AM* is the name of
the module):

- after the initial configuration of the module
- after any subsequent configuration if it modifies the ports used (to be checked with the command safekit module getports -m *AM*)

### 10.3.2      Firewall settings in Windows

|  |  |
| --- | --- |
| Important | Starting with SafeKit version 8.2.5, on Red Hat, RPM packages are GPG-signed. Thus, the SafeKit GPG public key is automatically imported to allow the installation to continue. |

 

If you opted in to automatic firewall
configuration during SafeKit installation, you do not have to apply the
following procedures.

If you opted out of automatic firewall
configuration, you must configure the firewall.

When using the operating system firewall
(Microsoft firewall), you may use the firewallcfg command. It inserts (or
removes) the firewall rules required by the SafeKit services (safeadmin,
safewebserver, safecaserv and Net-SNMP Agent) and modules.

Administrators should check for conflicts with
local policy before applying it.

|  |  |
| --- | --- |
| SAFE/private/bin/firewallcfg add  SAFE/private/bin/firewallcfg del  where SAFE=C:\safekit (if %SYSTEMDRIVE%=C:) | Add (or delete) the Microsoft firewall rules. SAFE/private/bin/firewallcfg add adds the firewall rules for SafeKit core and module processes; SAFE/private/bin/firewallcfg del deletes them. |

### 10.3.3      Other firewalls

If you use another firewall or want to
check rules against local policy, the following sections list the processes and ports used by
SafeKit services and modules, which may be useful to configure the firewall.

#### 10.3.3.1  List of processes

##### 10.3.3.1.1             Processes performing local-only network exchanges

Processes for a mirror module

- errd: manages detection of process death
- nfsadmin, nfscheck: manage the file replication

Processes for a farm module

- errd: manages detection of process death
- heart: manages the recovery procedures

##### 10.3.3.1.2             Processes performing external network exchanges

Processes common to all the SafeKit
servers, one process per server, started at boot:

- safeadmin service (safeadmin process): main and mandatory administration service
- safewebserver service (httpd process): web service for the console, for <module> checkers and the distributed commands
- safecaserv (httpd process): web service for securing the web console with the SafeKit PKI (optional)
- In Windows, Net-SNMP Agent service (safeagent process): SafeKit SNMP v2 agent (optional)

Processes for a mirror module (depending on its configuration):

- heart: manages the recovery procedures
- arpreroute: manages ARP requests (sends ARP packets)
- nfsadmin, nfsbox, reintegre: manage the file replication and reintegration
- splitbraincheck: manages the split-brain detection (sends ICMP ping packets)

Processes for a farm module (depending on its configuration):

- vipd: synchronizes a farm of servers
- arpreroute: manages ARP requests (sends ARP packets)

Processes for a mirror or a farm module, depending on checkers configuration:

- intfcheck: checks an interface (interface checker configuration automatically generated when <interface check=on>)
- pingcheck: pings an address (<ping> configuration)
- ipcheck: checks a locally defined IP address (virtual IP checker automatically generated when <virtual\_addr check=on>)
- modulecheck: checks a SafeKit module (<module> configuration)
- tcpcheck: checks a TCP connection (<tcp> configuration)

#### 10.3.3.2  List of ports

The following sections list the ports used by SafeKit
services and modules.

##### 10.3.3.2.1             Ports used by services

- safeadmin

  By default, remote access on UDP port 4800 (to communicate with safeadmin instances on other SafeKit servers).

  To change this value, see section 12.1.3.

- safewebserver

  Local and remote TCP access, by default on port 9010 for HTTP or port 9453 for HTTPS. For the definition of the port values, see section 10.9.

  This service is accessed locally, from remote SafeKit servers and from remote workstations running the SafeKit console.

- safecaserv (optional)

  Local and remote access on TCP port 9001 by default. For the definition of the port value, see section 11.3.1.8.5.

  This service is accessed locally, from remote SafeKit servers and from remote workstations running the HTTPS configuration wizard with the SafeKit PKI.

- Net-SNMP Agent (Windows only, optional)

  Local and remote access on UDP port 3600 by default. For the definition of the port value, see section 10.11.

##### 10.3.3.2.2              Ports used by application modules

When an application module is
configured on a SafeKit server, you can run the command safekit module
getports -m *AM* to list the external ports used by the module *AM*.
For firewall configuration, you must configure all SafeKit servers to enable
communications targeted at these ports.

The port values for a module are computed automatically from its module id.
Run the command safekit module listid to list all the installed modules with
their name and id.

The rules below give the port values as a function of the module id. When
checkers are configured for the module, you may also need to change the
firewall configuration according to the checkers configuration. You must
enable all communications on localhost between SafeKit processes.

For a mirror module

- Port used by heart: UDP port used for sending heartbeats between SafeKit servers  
  port = 8888 + (id-1)
- Port used by rfs (file replication): TCP port used for replication requests between SafeKit servers  
  safenfs\_port = 5600 + (id-1) x 4

To list the ports used by the mirror module with id 1, run safekit module getports -m mirror. It returns:

```
List of the ports used by SafeKit

Process         Ports
safeadmin
        port    UDP 4800

webconsole
        port    TCP 9010
heart
        port    UDP 8888
rfs
        safenfs_port    TCP 5600
```

For a farm module

- Port used by farm: UDP port used for communications between all SafeKit nodes  
  port = 4803 + (id-1) x 3

To list the ports used by the farm module with id 2, run safekit module getports -m farm. It returns:

```
List of the ports used by SafeKit

Process         Ports
safeadmin
        port    UDP 4800
webconsole
        port    TCP 9010
farm
        port    UDP 4806
```
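The port rules above lend themselves to an automated firewall check. The following is an added example, not part of the SafeKit documentation or tooling: it parses the getports output format shown on this page, recomputes the ports from the module id, and compares both with the set of ports open in the firewall. The function names and the `OPENED` firewall state are constructed for illustration, and `OPENED` is assumed to hold only SafeKit-related rules; checker traffic (ICMP, TCP to checked addresses) is not covered.

```python
import re

# Default service ports from section 10.3.3.2.1 (safeadmin, web console over HTTP).
SERVICE_PORTS = {("UDP", 4800), ("TCP", 9010)}

ENTRY_RE = re.compile(r"^\s+(\S+)\s+(UDP|TCP)\s+(\d+)\s*$")


def expected_module_ports(kind, module_id):
    """Ports derived from the module id, using the rules in section 10.3.3.2.2."""
    if module_id < 1:
        raise ValueError("module ids start at 1")
    if kind == "mirror":
        return {("UDP", 8888 + (module_id - 1)),       # heart: heartbeats
                ("TCP", 5600 + (module_id - 1) * 4)}   # rfs: safenfs_port
    if kind == "farm":
        return {("UDP", 4803 + (module_id - 1) * 3)}   # farm: node communications
    raise ValueError(f"unknown module kind: {kind!r}")


def parse_getports(text):
    """Parse `safekit module getports` output into {process: {(proto, port), ...}}."""
    ports, process = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("List of", "Process ")):
            continue                                    # blank line or header
        entry = ENTRY_RE.match(line)
        if entry:
            if process is None:
                raise ValueError(f"port entry before any process name: {line!r}")
            ports[process].add((entry.group(2), int(entry.group(3))))
        elif not line[0].isspace():
            process = line.strip()                      # unindented line = process name
            ports.setdefault(process, set())
        else:
            raise ValueError(f"unrecognized line: {line!r}")
    return ports


def audit(kind, module_id, getports_text, opened):
    """Compare reported ports with the formulas and with the firewall's open ports."""
    reported = set().union(*parse_getports(getports_text).values())
    predicted = SERVICE_PORTS | expected_module_ports(kind, module_id)
    return {
        "not_predicted": sorted(reported - predicted),  # non-default or extra ports
        "not_reported": sorted(predicted - reported),   # expected by formula, absent
        "missing_rules": sorted(reported - opened),     # traffic the firewall drops
        "stale_rules": sorted(opened - reported),       # open ports no longer needed
    }


# Output shown on this page for the farm module with id 2.
FARM_ID2_OUTPUT = """\
List of the ports used by SafeKit

Process         Ports
safeadmin
        port    UDP 4800
webconsole
        port    TCP 9010
farm
        port    UDP 4806
"""

# Constructed firewall state: the rules date from when the module still had id 1.
OPENED = {("UDP", 4800), ("TCP", 9010), ("UDP", 4803)}

if __name__ == "__main__":
    for finding, ports in audit("farm", 2, FARM_ID2_OUTPUT, OPENED).items():
        print(f"{finding:14} {ports}")
```

A non-empty `stale_rules` list after a reconfiguration points at ports left open for a module id that is no longer in use; a non-empty `not_predicted` list is expected when the web service runs on HTTPS (9453) or on a non-default port.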

For configured checkers

- Ping checker for mirror or farm module: change ICMP settings to allow ping to the address defined in the configuration.
- TCP checker for mirror or farm module: allow TCP connections to the address defined in the <tcp> configuration, if this address is not local.
- Module checker: allow TCP connections to port 9010 of the node running the module that is checked.
- Split-brain checker: change ICMP settings to allow ping to the witness defined in the <splitbrain> configuration.

## 10.4          Boot and shutdown setup in Windows

The safeadmin service is configured to start automatically at boot and to
stop at shutdown. In turn, this service starts the modules configured to
start at boot and, at shutdown, shuts down all modules.

On some Windows platforms, the safeadmin
boot start fails because the network configuration is not ready, and the
modules shutdown does not have time to complete since the timeout for services
shutdown is too short. If you encounter such problems, apply one of the
following procedures.

|  |  |
| --- | --- |
| Important | When using the SNMP agent, adapt the following procedures to set the manual start of the Net-SNMP Agent service and include its start/stop into SafeKit start-up (safekitbootstart.cmd) and shutdown (safekitshutdown.cmd) scripts. |

### 10.4.1      Automatic procedure

You can run the script as follows:

1.    open a PowerShell window as administrator

2.    cd SAFE\private\bin

3.    run addStartupShutdown.cmd

This script sets the manual start for safeadmin
service and adds default SafeKit start-up (safekitbootstart.cmd)
and shutdown (safekitshutdown.cmd) scripts as part of the computer group
policy start-up/shutdown scripts.  If
the script fails, apply the manual procedure below.

### 10.4.2      Manual procedure

Apply the following procedure, which
uses the Group Policy Object Editor.

1.    set manual start for safeadmin service

2.    start the MMC console with the mmc command line

3.    File - Add/Remove Snap-in - Add - "Group Policy Object Editor" - OK

4.    under "Console Root"/"Local Computer Policy"/"Computer Configuration"/"Windows Settings"/"Scripts (Start-up/Shutdown)", double click on "Start-up". Click on Add then set for "Script Name:" c:\safekit\private\bin\safekitbootstart.cmd. This script launches the safeadmin service.

5.    under "Console Root"/"Local Computer Policy"/"Computer Configuration"/"Windows Settings"/"Scripts (Start-up/Shutdown)", double click on "Shutdown". Click on Add then set for "Script Name:" c:\safekit\private\bin\safekitshutdown.cmd. This script shuts down all running modules.

## 10.5          Linux Secure boot settings for SafeKit kernel modules

When Secure Boot is enabled in Linux, any
kernel module must be signed, and the signing key must be enrolled in UEFI.

|  |  |
| --- | --- |
| Note | Use the command mokutil --sb-state to check if Secure Boot is enabled. When it is, the command prints: SecureBoot enabled |

Since SafeKit relies on the vip and tcpseq
kernel modules to implement load-balancing for farm modules, these kernel modules
must also be signed and enrolled.
Otherwise, the kernel modules fail to load during the module startup, with
the following message in the module log:

```
| vipplug | E | Unable to load vip kernel extension
```

Moreover, when trying to load the vip
module with the modprobe vip command, you get one of the following errors:

```
modprobe: ERROR: could not insert 'vip': Required key not available
```

or

```
modprobe: could not insert 'vip': Key was rejected by service
```

Since SafeKit 8.2.4, to use a farm module
with load-balancing when Secure Boot is enabled, follow the procedure described
below. This procedure must be applied on all SafeKit nodes and can be done
before or after the farm module configuration.

1.    Log in as root and open a command shell window

2.    Change to the directory /opt/safekit/kernel

3.    Run the command make enroll

It will ask for the creation of a password. Remember this password for step 5.

4.    Reboot the server

5.    At boot start, UEFI will ask for the enrolling of the new SafeKit
signing key:

![](safekituserguideen_fichiers/image311.jpg)

Accept and give the password created in step 3.  
The procedure is needed only after the first reboot.

6.    Once the reboot is completed, you can check that the SafeKit key has
been enrolled by running:

```
mokutil --list-enroll | grep SafeKit
     … SafeKit …
```

You can also check that the SafeKit vip kernel module can be loaded without errors by
running:

```
modprobe vip
```

For SafeKit < 8.2.4, follow the
procedure described in Q009176.

## 10.6          Antivirus settings

Antiviruses may face detection challenges
with SafeKit due to its close integration with the OS, virtual IP mechanisms,
real-time replication, and restart of critical services. It may then be
necessary to configure the antivirus to exclude certain directories and
processes. The list of directories and processes is provided below.

Directories

|  |  |
| --- | --- |
| SAFE | SafeKit installation directory: C:\safekit on Windows (if SystemDrive=C:), /opt/safekit on Linux |
| SAFEVAR | SafeKit working files directory: C:\safekit\var on Windows (if SystemDrive=C:), /var/safekit on Linux |
| Replicated folders | All replicated folders defined in mirror modules |

Processes

The SafeKit processes for services and
daemons are listed in section 10.2.

Executables are in:

|  |  |
| --- | --- |
| SAFE | safekit command |
| SAFE/private/plugin/\*/\* | Executables that are run on module state changes |
| SAFE/private/bin | SafeKit executables |
| SAFE/web/bin | SafeKit web service executables |

## 10.7          Encryption of application module communications

You can secure internal communications for
the module, such as heartbeats and replication, by creating cryptographic keys
associated with the module. By default, these keys are generated by SafeKit
with a “private” certification authority (SafeKit PKI). In SafeKit <=
7.4.0.31, the generated key has a validity period of 1 year. See section 10.7.3.1 for solutions
when the key expires.

Since SafeKit 7.4.0.16, you can also
provide your own certificates generated with your trusted certification
authority (enterprise PKI or commercial PKI). See section 10.7.3.2 for
details.

Since SafeKit 7.4.0.32, the module can be
reconfigured with new keys while it is in ALONE state (dynamic update).

|  |  |
| --- | --- |
| Important | When encryption is not properly configured (e.g.: not the same key on all cluster nodes of the module), the module internal communications between nodes are rejected. In this case, the module configuration is not identical on all nodes. You must apply it again on all nodes. Then, you can check it by running on each node the command safekit confinfo -m *AM* where *AM* is the module name (see section 9.5). |

 

The **encryption**
resource reflects the current communication mode of the module: "on"/"off"
when encryption is active/not active. The resource name is usersetting.encryption. To check the state of resources, see section 7.4.

### 10.7.1      Configuration with the SafeKit Web console

When configuring the module with the
SafeKit web console, communication encryption is enabled in step 3 of the
module configuration wizard (see section 3.3.2).

### 10.7.2      Configuration with the Command Line Interface

The command-line equivalent for
configuring a module named *AM* with a cryptographic key is:

1.    Stop the *AM* module on all nodes

2.    On one node, log in as administrator/root and open a command shell window

3.    Run safekit module genkey -m *AM*

4.    Run safekit -H "server1,server2" -E *AM*

where server1 and server2 are the nodes that implement the module

 

The command-line equivalent for
re-configuring a module without a cryptographic key is:

1.    Stop the *AM* module on all nodes

2.    On one node, log in as administrator/root and open a command shell window

3.    Run safekit module delkey -m *AM*

4.    Run safekit -H "server1,server2" -E *AM*

where server1 and server2 are the nodes that implement the module

 

For more details on commands, refer to section 9.5.

### 10.7.3      Advanced configuration

#### 10.7.3.1  Advanced configuration with the SafeKit PKI

In SafeKit <= 7.4.0.31, the key for
encrypting the module communication has a validity period of 1 year. When it
expires in a mirror module with file replication, the secondary fails to
reintegrate. You must re-configure the module with a new key for reverting to
normal behavior.  In SafeKit > 7.4.0.31, the validity period has been set to
20 years.

If you cannot upgrade SafeKit, you can
generate new keys with a longer validity period. For this apply the following
procedure:

1.    Stop the *AM* module on all nodes

2.    On one node, log in as administrator/root and open a command shell window

3.    Run safekit module genkey -m *AM*

4.    Delete the file SAFE/modules/*AM*/conf/modulekey.p12

5.    Change to the directory SAFE/web/bin

6.    Run ./openssl req -config ../conf/ssl.conf -subj "/O=SafeKiModule/CN=mirror" -new -x509 -sha256 -nodes -days 3650 -newkey rsa:2048 -keyout pkey.key -out cert.crt

Set the -days value to the validity period you want

7.    Run ./openssl pkcs12 -export -inkey ./pkey.key -in ./cert.crt -name "Module certificate" -out modulekey.p12

This command prompts for a password. Contact SafeKit support to get the correct value
for the password

8.    Delete the files pkey.key and cert.crt

9.    Move the file modulekey.p12 into SAFE/modules/*AM*/conf

10. Run safekit -H "server1,server2" -E *AM*

where server1 and server2 are the nodes that implement the module

 

The module is configured, on the 2 nodes,
with the new key and ready to start.

#### 10.7.3.2  Advanced configuration with an external PKI

Since SafeKit 7.4.0.16, you can provide
your own key generated with your trusted certification authority (enterprise
PKI or commercial PKI). For this apply the following procedure:

1.    Stop the *AM* module on all nodes

2.    On one node, log in as administrator/root and open a command shell window

3.    Run safekit module genkey -m *AM*

4.    Delete the file SAFE/modules/*AM*/conf/modulekey.p12

5.    Append the Base-64 encoded X.509 certificate file (PEM format) for your certification authority (certificate of the CA or certificate bundle of all the certificate authorities) to the file SAFE/web/conf/cacert.crt

6.    Change to the directory SAFE/web/bin

7.    Generate your certificate with the PKI with the subject set to "/O=SafeKiModule/CN=mirror"

8.    Copy the generated files pkey.key and cert.crt into the directory SAFE/web/bin

9.    Run ./openssl pkcs12 -export -inkey ./pkey.key -in ./cert.crt -name "Module certificate" -out modulekey.p12

This command prompts for a password. Contact SafeKit support to get the correct value
for the password

10. Delete the files pkey.key and cert.crt

11. Move the file modulekey.p12 into SAFE/modules/*AM*/conf

12. Run safekit -H "server1,server2" -E *AM*

where server1 and server2 are the nodes that implement the module

 

The module is configured, on the 2 nodes, with
the new key and ready to start.

## 10.8          Encryption of sensitive files in SafeKit

Since SafeKit 8.2.4, SafeKit includes a
configurable mechanism for encrypting and decrypting sensitive data used within
its components.

This mechanism enables sensitive data to be
encrypted into a file and later decrypted using a symmetric encryption
algorithm, based on a single root passphrase. The root passphrase is retrieved
and displayed by a dedicated executable. The path of this executable is
configured in the SAFECONF/crypto.json file (where SAFECONF=C:\safekit\private\conf in
Windows, if %SYSTEMDRIVE%=C:, and SAFECONF=/opt/safekit/private/conf in Linux).
Below is the default content of this configuration file (where
SAFEBIN=C:\safekit\private\bin
in Windows, if %SYSTEMDRIVE%=C:, and SAFEBIN=/opt/safekit/private/bin in
Linux):

```
{
    // ...
    "rootPassphraseExecutable": "SAFEBIN/print_default_root_passphrase"
}
```

It is strongly recommended to replace the
default root passphrase executable with a custom executable of your own that
securely retrieves and outputs the root passphrase. This gives you full control
over the encryption strategy and enhances security by integrating your own
passphrase management logic.
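One possible shape for such a custom executable on Linux, as an added example that is not SafeKit code: it reads the passphrase from a file only if that file is a regular file, owned by the invoking user and closed to group and others, and writes it to standard output. The secret file path is hypothetical, and the output contract (passphrase on standard output, no trailing newline) is an assumption, since this page only states that the executable retrieves and displays the passphrase.

```python
#!/usr/bin/env python3
import os
import stat
import sys

# Hypothetical location of the secret; not a SafeKit path.
SECRET_PATH = "/etc/safekit-secrets/root_passphrase"


class PassphraseError(Exception):
    """The passphrase file is missing, unsafe or empty."""


def load_root_passphrase(path=SECRET_PATH, expected_uid=None):
    """Return the passphrase stored in `path` after checking the file is safe."""
    if expected_uid is None:
        expected_uid = os.geteuid()
    try:
        # O_NOFOLLOW rejects a symlink swapped in for the secret file;
        # O_NONBLOCK avoids hanging if the path is a FIFO.
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    except OSError as exc:
        raise PassphraseError(f"cannot open {path}: {exc.strerror}") from exc
    try:
        st = os.fstat(fd)  # checks apply to the opened file, not to the path
        if not stat.S_ISREG(st.st_mode):
            raise PassphraseError(f"{path} is not a regular file")
        if st.st_uid != expected_uid:
            raise PassphraseError(f"{path} has an unexpected owner")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PassphraseError(f"{path} is accessible to group or others")
        data = os.read(fd, 4096)
    finally:
        os.close(fd)
    try:
        passphrase = data.decode("utf-8").rstrip("\r\n")
    except UnicodeDecodeError as exc:
        raise PassphraseError(f"{path} is not valid UTF-8") from exc
    if not passphrase:
        raise PassphraseError(f"{path} is empty")
    return passphrase


def main():
    try:
        passphrase = load_root_passphrase()
    except PassphraseError as exc:
        # Diagnostics go to stderr so stdout never carries a partial secret.
        print(f"root passphrase unavailable: {exc}", file=sys.stderr)
        return 1
    sys.stdout.write(passphrase)  # assumption: the caller reads stdout
    return 0


if __name__ == "__main__":
    sys.exit(main())
```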

Currently, this feature is used in SafeKit
solely for the secure storage of the SMTP client password. This is achieved
through the procedure described in section 10.10.2. Therefore, if the value of rootPassphraseExecutable changes, you must reapply this procedure.

It relies on the following commands to
encrypt and decrypt:

|  |  |
| --- | --- |
| safekit -r safeenc -e \| -encrypt [-infile plaintext.txt] [-outfile cms.pem] | Securely encrypts input from standard input or from the file specified via -infile. Outputs the encrypted text to standard output or saves it to the file specified via -outfile. |
| safekit -r safeenc -d \| -decrypt [-infile cms.pem] [-outfile plaintext.txt] | Securely decrypts input from standard input or from the file specified via -infile. Outputs the decrypted text to standard output or saves it to the file specified via -outfile. |

 

|  |  |
| --- | --- |
| Note | This encryption mechanism is not intended for securing replicated files. |

