---
canonical: "https://safekit.eviden.com/wp-content/uploads/downloads_safekit/version-82/safekituserguidehtml/documentation/safekituserguideen.htm"
llms_index: "https://safekit.eviden.com/llms.txt"
llms_section: "User Guide"
topics: "10. Advanced administration and setup, 10.1 SafeKit environment variables and directories, 10.1.1 Global, 10.1.2 Application module, 10.2 SafeKit services/daemons and communications, 10.2.1 SafeKit services, 10.2.2 SafeKit daemons per application module, 10.3 Firewall settings, 10.3.1 Firewall settings in Linux, 10.3.2 Firewall settings in Windows, 10.4 Boot and shutdown setup in Windows, 10.4.1 Automatic procedure, 10.4.2 Manual procedure, 10.5 Linux Secure boot settings for SafeKit kernel modules, 10.6 Antivirus settings, 10.7 Encryption of application module communications, 10.7.1 Configuration with the SafeKit Web console, 10.7.2 Configuration with the Command Line Interface, 10.7.3 Advanced configuration, 10.8 Encryption of sensitive files in SafeKit"
---

# 10. Advanced administration and setup

## 10.1 SafeKit environment variables and directories

### 10.1.1 Global

|  |  |
| --- | --- |
| **Variable** | **Description** |
| SAFE  (given by safekit -p) | SafeKit installation directory:  ·         In Windows  C:\safekit on Windows if SystemDrive=C:  ·         In Linux  /opt/safekit |
| SAFEVAR  (given by safekit -p) | SafeKit working files directory: **SAFEVAR=C:\safekit\var** on Windows and **SAFEVAR=/var/safekit** on Linux |
| SAFEBIN  (given by safekit -p) | SafeKit binary installation directory: **C:\safekit\private\bin** on Windows and **/opt/safekit/private/bin** on Linux. Useful to access SafeKit special commands (see section 14.5) |
| SAFE/Application\_Modules | Installable .safe modules directory.  Once a module has been installed, the module is located under **SAFE/modules** |
| SAFE/conf | Contains the SafeKit license file. |

### 10.1.2 Application module

|  |  |
| --- | --- |
| **Variable** | **Description** |
| SAFEMODULE | The name of the application module. The safekit command no longer needs the module name parameter (-m *AM* = -m SAFEMODULE) |
| SAFE/modules/*AM* | The configuration files for a module named *AM* are in the directory **SAFE/modules/*AM***, which includes:  ·         In **SAFE/modules/*AM*/conf****,** the file userconfig.xml  ·         In **SAFE/modules/*AM*/bin**, among other files, the application start and stop scripts:  o    start\_prim, stop\_prim for a mirror setup  o    start\_both, stop\_both for a farm setup  These files can be edited directly or via the SafeKit console. After each modification, the configuration must be applied to all cluster nodes where the module is installed to take effect. |
| SAFEUSERBIN  SAFEUSERCONF | Once the module has been successfully configured, its configuration files are automatically copied to the private directory **SAFE/private/modules/*AM***. This directory is used by the SafeKit runtime and must not be modified under any circumstances.  However, the module's scripts can access it in read-only mode via the following environment variables:  ·         SAFEUSERBIN points to **SAFE/private/modules/*AM*/bin**, providing access to the module’s scripts  ·         SAFEUSERCONF points to **SAFE/private/modules/*AM*/conf**, providing access to the safeconf.xml file, which contains the complete XML configuration of the module after macro instantiation |
| SAFEVAR/modules/*AM* SAFEUSERVAR | The directory **SAFEVAR/modules/*AM***, accessible via the environment variable SAFEUSERVAR, contains the working files of the *AM* module.  This directory notably stores the log files generated by the module's scripts. These files follow the naming format: userlog\_<year>\_<month>\_<day>T<time>\_<script name>.ulog. They allow you to review the script output messages, particularly to check for any errors during application startup or shutdown.   |  |  | | --- | --- | | Commentaire, ajouter contour | the userlog could disabled with <user logging="none"> in userconfig.xml. | |
| SAFEVAR/snapshot/modules/*AM* | Directory of dumps and configurations put in a snapshot of the module named *AM*. See section 9.6 that describes command lines for support. |

The module tree (packaged into a .safe or
installed into SAFE/modules/*AM*) is the following:

|  |  |  |  |
| --- | --- | --- | --- |
| *AM* | | | Application module name |
|  | conf | |  |
|  | | userconfig.xml | User XML configuration file |
|  | | userconfig.xml.template | Internal use only. Obsolete (for the web console < SafeKit 8) |
|  | | modulekey.p12 | Optional. Internal use only (encryption of the module internal communications) |
|  | | modulekey.dat | Optional. Internal use only (encryption of the module internal communications) |
|  | bin | |  |
|  | | prestart | Module script executed on module start |
|  | | start\_prim or start\_both | Module script to start the application in mirror or farm module |
|  | | stop\_prim or stop\_both | Module script to stop the application in mirror or farm module |
|  | | poststop | Module script executed on module stop |
|  | web | |  |
|  | | index.html | Obsolete (for the web console < SafeKit 8) |
|  | manifest.xml | | Obsolete |
|  |  |  |  |

Since SafeKit 8, you cannot anymore customize the module quick
configuration display (since index.html is obsolete).

## 10.2 SafeKit services/daemons and communications

SafeKit relies on different services and
daemons per application module running on SafeKit nodes within a cluster. Communications
between these processes across nodes can be secured using OpenSSL:

- 
On Windows, SafeKit embeds the OpenSSL library
in its package. The installed version can be retrieved using the SAFE\web\bin\openssl.exe
versioncommand where SAFE=C:\safekit (if%SYSTEMDRIVE%=C:).

- 
On Linux, SafeKit relies on the OpenSSL library
provided by the operating system. The installed version can be retrieved using
the openssl version command.

This section lists:

- 
the names of SafeKit processes and their
associated ports for external communications

- 
OpenSSL-based encryption mechanisms

- 
firewall requirements

It
serves as a reference for configuring firewall rules and validating secure
communications between cluster nodes and external clients.

> [!IMPORTANT]
> The OpenSSL library version in Windows and encryption levels used may change with new SafeKit packages. Refer to the [*Software Release Bulletin*](https://safekit.evidian.com/wp-content/uploads/downloads_safekit/version-82/82softwarereleasebulletin.pdf) for the most up-to-date information.

### 10.2.1 SafeKit services

For the commands to control SafeKit
services, refer to section 9.1.

> [!NOTE]
> In Windows, processes names have the .exe extension.

#### 10.2.1.1 safeadmin service

**Process:**safeadmin

**Description:**
Main service required for managing the SafeKit cluster (see section 12.1.3
for port configuration details)

**Protocol / port:** UDP 4800

**Firewall:** Allow communication between cluster nodes

**Encryption:**
Enabled (AES-128-CBC symmetric encryption with SHA256 integrity)

#### 10.2.1.2 safewebserver service

**Process:** httpd (Apache HTTP server) 

**Description:** Provides web services for the SafeKit web console, module checkers,
and distributed CLI(see section 10.9
for configuration details). It also provides module health probe (see section 13.6.3
and section 16)

**Protocol / port:**

- 
TCP 9010 (HTTP, default)

- 
TCP 9453 (HTTPS)

**Firewall:** Allow for distributed command execution between
cluster nodes, for web console clients, and for module checkers

**Encryption:**

- 
HTTP (default): disabled

- 
HTTPS: TLS 1.3 (optional TLS 1.2)

(see section 11.3 for HTTPS
setup)

#### 10.2.1.3 SNMP service

##### 10.2.1.3.1 Net-SNMP Agent service for Windows

**Process:** safeagent

**Description:** Optional SNMP agent for SafeKit monitoring(see section 10.11
for SNMP monitoring setup)

**Protocol / port:**
UDP 3600 (SNMP v2)

**Firewall:** Allow communication with SNMP clients

**Encryption:** -

##### 10.2.1.3.2 snmpd service for Linux

Optional SNMP agent for SafeKit monitoring
based on the standard snmpd Linux service (see section 10.11
for SNMP monitoring setup).

#### 10.2.1.4 safecaserv web service

**Process:** httpd (Apache
HTTP server) 

**Description:** Optional web service for certificate generation using the SafeKit
PKI (see section 11.3.1.8.5 for configuration details)

**Protocol / port:** TCP
9001 (HTTPS)

**Firewall:** Allow communication between cluster nodes

**Encryption:** TLS 1.3

### 10.2.2 SafeKit daemons per application module

By default, inter-nodes application module
communications are not encrypted. Refer to section 10.7 to enable it.

The ports values for one application module
are automatically computed depending on its module id. Run the command safekit module listid to list all the installed modules with their name and id.

#### 10.2.2.1 Mirror application module

To list ports used by the mirror module named *AM*, run safekit module getports -m *AM*. For instance, if the module got the id 1, it returns:

List of the ports used by SafeKit

Process        
Ports

safeadmin

port    UDP 4800

webconsole

port    TCP 9010

heart

port    UDP 8888

rfs

safenfs\_port    TCP 5600     

> [!NOTE]
> In the following, processes names have the .exe extension for Windows.

##### 10.2.2.1.1 Module state and heartbeat management

**Process:** heart

**Description:**
Handles inter-node communications (heartbeat), module state automaton, and
failover control (see section 13.4 for details)

**Protocol / port:** UDP8888 + (id-1) (heart port)

**Firewall:** Allow communication between cluster nodes

**Encryption:**

- 
Default: disabled

- 
Optional: enabled (AES-128-CBC symmetric
encryption with SHA256 integrity)

##### 10.2.2.1.2 File replication management

**Processes:** nfsbox, reintegre

**Description:**
Handles real-time replication and data synchronization between cluster nodes (see section 13.7 for details)

**Protocol / port:** TCP5600 + (id-1) x 4 (safenfs\_port)

**Firewall:** Allow communication between cluster nodes

**Encryption:**

- 
Default: disabled

- 
Optional: enabled (TLS 1.3)

**Process:**nfsadmin

**Description:**
file replication manager

**Protocol / port:** -

**Firewall:** -

**Encryption:** -

##### 10.2.2.1.3 Virtual IP management

**Process:** arpreroute

**Description:**
Automatically broadcasts gratuitous ARP packets for
IPv4 virtual IP addresses to accelerate failover (see section 13.6 for details)

**Protocol / port:** ARP

**Firewall:** -

**Encryption:**
-

#### 10.2.2.2 Farm module

To list ports used by the farm module named *AM*, run safekit module getports -m *AM*. For instance, if the
module got the id 2, it returns:

List of the ports used by SafeKit

Process        
Ports

safeadmin

port    UDP 4800

webconsole

port    TCP 9010

farm

        port    UDP 4806

> [!NOTE]
> In the following, processes names have the .exe extension for Windows.

##### 10.2.2.2.1 Virtual IP and load-balancing management

**Process:** vipd

**Description:**
Manages inter-node communications within the farm and controls load balancing (see section 13.6 for details)

**Protocol / port:** UDP
4803 + (id‑1) × 3 (farm port)

**Firewall:** Allow communication between cluster nodes

**Encryption:**

- 
Default: disabled

- 
Optional: enabled (AES-128-CBC symmetric
encryption with SHA256 integrity)

**Process:** arpreroute

**Description:**
Automatically broadcasts gratuitous ARP packets for
IPv4 virtual IP addresses to accelerate failover (see section 13.6 for details)

**Protocol / port:** ARP

**Firewall:** -

**Encryption:**
-

#### 10.2.2.3 Checkers for mirror or farm module

> [!NOTE]
> In the following, processes names have the .exe or .ps1 extension for Windows.

##### 10.2.2.3.1 Process/service checker

**Process:** errd

**Description:**
Monitors running processes/services (see section 13.10 for details)

**Protocol / port:** -

**Firewall:** -

**Encryption:**
-

##### 10.2.2.3.2 TCP checker

**Process:** tcpcheck

**Description:**
Checks a TCP connection to the configured
address/port (see section 13.12
for details)

**Protocol / port:** TCP target port

**Firewall:** Allow inbound TCP traffic on the target address and port

**Encryption:**
-

##### 10.2.2.3.3 Ping checker

**Process:** pingcheck

**Description:**
Sends ICMP echo requests to the configured address (see
section 13.13 for details)

**Protocol / port:** ICMP

**Firewall:** Allow inbound ICMP traffic to the target address

**Encryption:**
-

##### 10.2.2.3.4 Interface checker

**Process:** intfcheck

**Description:**
Checks a network interface (see section 13.14  for details)

**Protocol / port:** -

**Firewall:** -

**Encryption:**
-

##### 10.2.2.3.5 IP checker

**Process:** ipcheck

**Description:**
Checks the configured IP (see section 13.15  for details)

**Protocol / port:** -

**Firewall:** -

**Encryption:**
-

##### 10.2.2.3.6 Module checker

**Process:** modulecheck

**Description:**
Checks the state of an SafeKit application module (see section 13.17
for details)

**Protocol / port:**

- 
TCP 9010 (HTTP, default)

- 
TCP 9453 (HTTPS)

**Firewall:** Allow inbound traffic to the safewebserver service on the target SafeKit node

**Encryption:**

- 
HTTP (default): disabled

- 
HTTPS: TLS 1.3 (optional TLS 1.2)

##### 10.2.2.3.7 Splitrain checker

**Process:** splitbraincheck

**Description:**
Sends ICMP echo requests to the
witness(es)  (see [section 13.18](#_Splitbrain_Checker_(<splitbrain>)  for
details)

**Protocol / port:** ICMP

**Firewall:** Allow inbound ICMP traffic on the witness(es)

**Encryption:** -

## 10.3 Firewall settings

If a firewall is active on the SafeKit
server, you must add rules to allow network traffic:

- 
between servers for internal
communication (global runtime and module specific)

- 
between servers and
workstations running the SafeKit console

See below the command
to configure the Microsoft
Windows Firewall in Windows; firewalld/iptables
in Linux. If you opted for automatic
firewall configuration during the SafeKit installation, this command has
already been executed.

|  |  |
| --- | --- |
| SAFE/private/bin/firewallcfg add     where  SAFE=C:\safekit (if %SYSTEMDRIVE%=C:) in Windows  SAFE=/opt/safekit in Linux | On all SafeKit servers:  1.    Open a PowerShell/shell window as administrator/root  2.    Run SAFE/private/bin/firewallcfg add  This configures the operating system firewall for SafeKit. |

If you use another firewall or want to
check rules against local policy, refer to the section 10.2. It lists the
SafeKit services and daemons per module that require dedicated firewall
configuration.

### 10.3.1 Firewall settings in Linux

If you opted-in for automatic firewall
configuration during SafeKit installation, you do not have to apply the
following procedure.

If you opted-out for automatic firewall
configuration, you must configure the firewall.

When using
the operating system firewall (firewalld/iptables), you may use the firewallcfg command. It inserts (or remove) the firewall rules required by the SafeKit services and modules.

Administrators should review conflicts with
local policy before applying it.

|  |  |
| --- | --- |
| SAFE/private/bin/firewallcfg add     SAFE/private/bin/firewallcfg del        where SAFE=/opt/safekit | Add (or delete) the firewalld or iptable firewall rules for the SafeKit safeadmin and safewebserver services.  ·         SAFE/private/bin/firewallcfg add  Add firewall rules for safeadmin and safewebserver  ·         SAFE/private/bin/firewallcfg del  Delete firewall rules for safeadmin and safewebserver |
| SAFE/private/bin/firewallcfg add *AM*     SAFE/private/bin/firewallcfg del *AM*        where SAFE=/opt/safekit | Add (or delete) the firewalld or iptable firewall rules for the SafeKit modules.  ·         SAFE/private/bin/firewallcfg add *AM*  Add firewall rules for the module named *AM*  ·         SAFE/private/bin/firewallcfg del *AM*  Delete firewall rules for the module named *AM* |

Since version 8.2.5 of SafeKit, the firewallcfg add command also automatically activates firewall configuration for
modules as soon as they are set up. Prior to this version, it was necessary to
run the command firewallcfg
add *AM* (where *AM* is the name of
the module):

- 
after the initial configuration of the module

- 
after any subsequent configuration if it
modifies the ports used (to be checked with the command safekit module getports -m *AM*)

### 10.3.2 Firewall settings in Windows

> [!IMPORTANT]
> Starting with SafeKit version 8.2.5, on Red Hat, RPM packages are GPG-signed. Thus, the SafeKit GPG public key is automatically imported to allow the installation to continue.

If you opted-in for automatic firewall
configuration during SafeKit installation, you do not have to apply the
following procedures.

If you opted-out for automatic firewall
configuration, you must configure the firewall.

When using the operating system firewall
(Microsoft firewall), you may use the firewallcfg command.  It inserts (or
remove) the firewall rules
required by the SafeKit services (safeadmin,
safewebserver, safeacaserv
and Net-SNMP Agent) and
modules.

Administrators should review conflicts with
local policy before applying it.

|  |  |
| --- | --- |
| SAFE/private/bin/firewallcfg add     SAFE/private/bin/firewallcfg del     where SAFE=C:\safekit (if %SYSTEMDRIVE%=C:) | Add (or delete) the Microsoft firewall rules.  ·         SAFE/private/bin/firewallcfg add  Add firewall rules for SafeKit core and modules processes.  ·         SAFE/private/bin/firewallcfg del  Delete firewall rules for SafeKit core and modules processes. |

## 10.4 Boot and shutdown setup in Windows

safeadmin service is configured for automatically starting on boot and
stopping on shutdown. In turn, this service starts modules configured for
starting at boot and shutdown all modules.

On some Windows platforms, the safeadmin
boot start fails because the network configuration is not ready, and the
modules shutdown does not have time to complete since the timeout for services
shutdown is too short. If you encounter such problems, apply one of the
following procedures.

> [!IMPORTANT]
> When using the SNMP agent, adapt the following procedures to set the manual start of the Net-SNMP Agent service and include its start/stop into SafeKit start-up (safekitbootstart.cmd) and shutdown (safekitshutdown.cmd) scripts.

### 10.4.1 Automatic procedure

You can run the script as follow:

1.    open a PowerShell window as administrator

2.    cd SAFE\private\bin

3.    run addStartupShutdown.cmd

This script sets the manual start for safeadmin
service and adds default SafeKit start-up (safekitbootstart.cmd)
and shutdown (safekitshutdown.cmd) scripts as part of the computer group
policy start-up/shutdown scripts.  If
the script fails, apply the manual procedure below.

### 10.4.2 Manual procedure

You must apply the following procedure that
uses the Group Policy Object Editor.

1.    set manual start for safeadmin service

2.    start the MMC console with the mmc command line

3.    File - Add/Remove Snap-in Add - "Group Policy Object
Editor" - OK

4.    under "Console Root"/"Local Computer
Policy"/"Computer Configuration"/"Windows
Settings"/"Scripts (Start-up/Shutdown)", double click on
"Start-up". Click on Add then set for "Script Name:" c:\safekit\private\bin\safekitbootstart.cmd.
This script launches the safeadmin
service.

5.    under "Console Root"/"Local Computer
Policy"/"Computer Configuration"/"Windows
Settings"/"Scripts (Start-up/Shutdown)", double click on
"Shutdown". Click on Add then set for "Script Name:" c:\safekit\private\bin\safekitshutdown.cmd.
This script shutdowns all running modules.

## 10.5 Linux Secure boot settings for SafeKit kernel modules

When Secure Boot is enabled in Linux, any
kernel module must be signed, and the signing key must be enrolled in UEFI.

> [!NOTE]
> Use the following command to check if Secure Boot is enabled:  mokutil --sb-state  SecureBoot enabled

Since SafeKit relies on vip and tcpseq
kernel modules to implement load-balancing for farm modules, these kernel modules
must also be signed and enrolled.
Otherwise, the kernel modules will fail to load during the module startup with
the following message into the module log:

| vipplug | E | Unable to load vip kernel
extension

Moreover, when trying to load the vip
module with the modprobe
vip command, you’ll get one of the following errors:

modprobe:
ERROR: could not insert 'vip': Required key not available

or

modprobe:
could not insert 'vip': Key was rejected by service

Since SafeKit 8.2.4, to use farm module
with load-balancing with Secure Boot enabled, follow the procedure described
below. This procedure must be applied on all SafeKit nodes and can be done
before or after the farm module configuration.

1.   
Log in as root and open a command shell window

2.    Change to the directory /opt/safekit/kernel

3.    Run the command make
enroll

It will ask for
the creation of a password. Remember this password for the step 5.

4.    Reboot the server

5.    At boot start, UEFI will ask for the enrolling of the new SafeKit
signing key:

Accept
and give the password created in step 3.  
The procedure is needed only after the first reboot.

6.    Once the reboot is completed, you can check that the SafeKit key has
been enrolled by running:

mokutil --list-enroll | grep SafeKit

     … SafeKit …

You can
also check that the SafeKit vip kernel module can be loaded without errors by
running:

modprobe
vip

For SafeKit < 8.2.4, follow the
procedure described in [Q009176](https://customercare.evidian.com/space/KBE).

## 10.6 Antivirus settings

Antiviruses may face detection challenges
with SafeKit due to its close integration with the OS, virtual IP mechanisms,
real-time replication, and restart of critical services. It may then be
necessary to configure the antivirus to exclude certain directories and
processes. The list of directories and processes is provided below.

Directories

|  |  |
| --- | --- |
| SAFE | SafeKit installation directory:  ·         In Windows  C:\safekit on Windows if SystemDrive=C:  ·         In Linux  /opt/safekit |
| SAFEVAR | SafeKit working files directories:  ·         In Windows  C:\safekit\var if SystemDrive=C:  ·         In Linux  /var/safekit |
| Replicated folders | All replicated folders defined into mirror modules |

Processes

The SafeKit processes for services and
daemons are listed into the section 10.2.

Executables are in:

|  |  |
| --- | --- |
| SAFE | safekit command |
| SAFE/private/plugin/\*/\* | Executables that are run on module state changes |
| SAFE/private/bin | SafeKit executables |
| SAFE/web/bin | SafeKit web service executables |

## 10.7 Encryption of application module communications

You can secure internal communications for
the module, such as heartbeats and replication, by creating cryptographic keys
associated with the module. These security mechanisms rely on the OpenSSL
library used by SafeKit for encryption and certificate management.

By default, the keys are generated by
SafeKit using a built-in certification authority (SafeKit PKI). In SafeKit
≤ 7.4.0.31, the generated key has a validity period of 1 year. See section 10.7.3.1 for
solutions when the key expires.

Since SafeKit 7.4.0.16, you can also
provide your own certificates generated with a trusted certification authority
(enterprise PKI or commercial PKI). See section 10.7.3.2 for
details.

Since SafeKit 7.4.0.32, the module can be
reconfigured with new keys while it is in ALONE state (dynamic update).

> [!IMPORTANT]
> When encryption is not properly configured (e.g.: not the same key on all cluster nodes of the module), the module internal communications between nodes are rejected. In this case, the module configuration is not identical on all nodes. You must apply it again on all nodes. Then, you can check it by running on each node the command safekit confinfo -m *AM* where *AM* is the module name (see section 9.5).

The **encryption**
resource reflects the current communication mode of the module: "on"/"off"
when encryption is active/not active. The resource name is usersetting.encryption. To check the state of resources, see section 7.4.

### 10.7.1 Configuration with the SafeKit Web console

When configuring the module with the
SafeKit web console, communication encryption is enabled in the step 3 of the
module configuration wizard (see section 3.3.2).

### 10.7.2 Configuration with the Command Line Interface

The commands line equivalent for
configuring a module, named *AM*, with cryptographic key are:

1.    Stop the *AM* module on all nodes

2.    On one node, Log in as administrator/root and open a command shell
window

3.    Run safekit
module genkey -m *AM*

4.    Run safekit
-H "server1,server2" -E *AM*

where
server1 and server2 are the nodes that implement the module

The commands line equivalent for
re-configuring a module without cryptographic key are:

1.    Stop the *AM* module on all nodes

2.    On one node, Log in as administrator/root and open a command shell
window

3.    Run safekit
module delkey -m *AM*

4.    Run safekit
-H "server1,server2" -E *AM*

where
server1 and server2 are the nodes that implement the module

For more details on commands, refer to section 9.5.

### 10.7.3 Advanced configuration

#### 10.7.3.1 Advanced configuration with the SafeKit PKI

In SafeKit <= 7.4.0.31, the key for
encrypting the module communication has a validity period of 1 year. When it
expires in a mirror module with file replication, the secondary fails to
reintegrate. You must re-configure the module with a new key for reverting to
normal behavior.  In SafeKit > 7.4.0.31, the validity period has been set to
20 years.

If you cannot upgrade SafeKit, you can
generate new keys with a longer validity period. For this apply the following
procedure:

1.    Stop the *AM* module on all nodes

2.    On one node, Log in as administrator/root and open a command shell
window

3.    Run
safekit module genkey -m *AM*

4.    Delete the file SAFE/modules/*AM*/conf/modulekey.p12

5.    Change to the directory SAFE/web/bin

6.    Run ./openssl
req -config ../conf/ssl.conf -subj "/O=SafeKiModule/CN=mirror" -new
-x509 -sha256 -nodes -days 3650 -newkey rsa:2048 -keyout pkey.key -out cert.crt

Set the -days
value to the validity period you want

7.    Run ./openssl
pkcs12 -export -inkey ./pkey.key -in ./cert.crt -name "Module
certificate" -out modulekey.p12

This command
requires to fill a password. Contact SafeKit support to get the correct value
for the password

8.    Delete the files pkey.key
and
cert.crt

9.    Move the file modulekey.p12 into SAFE/modules/*AM*/conf

10. Run safekit
-H "server1,server2" -E *AM*

where
server1 and server2 are the nodes that implement the module

The module is configured, on the 2 nodes,
with the new key and ready to start.

#### 10.7.3.2 Advanced configuration with an external PKI

Since SafeKit 7.4.0.16, you can provide
your own key generated with your trusted certification authority (enterprise
PKI or commercial PKI). For this apply the following procedure:

1.    Stop the *AM* module on all nodes

2.    On one node, Log in as administrator/root and open a command shell
window

3.    Run
safekit module genkey -m *AM*

4.    Delete the file SAFE/modules/*AM*/conf/modulekey.p12

5.    Append the Base-64 encoded X.509 certificate
file (PEM format), for your certification authority (certificate of the CA or
certificate bundle of all the certificate authorities) to the file SAFE/web/conf/cacert.crt

6.    Change to the directory SAFE/web/bin

7.    Generate your certificate with the PKI with the subject set to "/O=SafeKiModule/CN=mirror"

8.    Copy the generated files pkey.key and cert.crt into the
directory SAFE/web/bin

9.    Run ./openssl
pkcs12 -export -inkey ./pkey.key -in ./cert.crt -name "Module
certificate" -out modulekey.p12

This command
requires to fill a password. Contact SafeKit support to get the correct value
for the password

10. Delete the files pkey.key
and
cert.crt

11. Move the file modulekey.p12 into SAFE/modules/*AM*/conf

12. Run safekit
-H "server1,server2" -E *AM*

where
server1 and server2 are the nodes that implement the module

The module is configured, on the 2 nodes, with
the new key and ready to start.

## 10.8 Encryption of sensitive files in SafeKit

Since SafeKit 8.2.4, SafeKit includes a
configurable mechanism for encrypting and decrypting sensitive data used within
its components.

This mechanism enables sensitive data to be
encrypted into a file and later decrypted using a symmetric encryption
algorithm, based on a single root passphrase. The root passphrase is retrieved
and displayed by a dedicated executable. The path of this executable is
configured in the SAFECONF/crypto.json file (where SAFECONF=C:\safekit\private\conf in
Windows, if %SYSTEMDRIVE%=C:, and SAFECONF=/opt/safekit/private/conf in Linux).
Below is the default content of this configuration file (where
SAFEBIN=C:\safekit\private\bin
in Windows, if %SYSTEMDRIVE%=C:, and SAFEBIN=/opt/safekit/private/bin in
Linux):

{

    // ...

"rootPassphraseExecutable": "SAFEBIN/print\_default\_root\_passphrase"

}

It is strongly recommended to replace the
default root passphrase executable with a custom executable of your own that
securely retrieves and outputs the root passphrase. This gives you full control
over the encryption strategy and enhances security by integrating your own
passphrase management logic.

Currently, this feature is used in SafeKit
solely for the secure storage of the SMTP client password. This is achieved
through the procedure described in section 10.10.2. Therefore, if the value of rootPassphraseExecutable changes, you must reapply this procedure.

It relies on the following commands to
encrypt and decrypt:

|  |  |
| --- | --- |
| safekit -r safeenc    -e | -encrypt       [-infile plaintext.txt]     [-outfile cms.pem] | Securely encrypts input from standard input or from the file specified via -infile. Outputs the encrypted text to standard output or saves it to the file specified via -outfile. |
| safekit -r safeenc    -d | -decrypt       [-infile cms.pem]    [-outfile plaintext.txt] | Securely decrypts input from standard input or from the file specified via -infile. Outputs the decrypted text to standard output or saves it to the file specified via -outfile. |

> [!NOTE]
> This encryption mechanism is not intended for securing replicated files.