Initial Setup and Configuring License

Password Encryptor

Encrypting Stored Passwords (AES-256)

This section explains how users can upload or generate an AES-256 key, used for encrypting and decrypting passwords. If the sealed AES key is not found in the configured directory, the application will automatically redirect the user to the Encryption/Decryption page.

Steps

  1. Redirect to Encryption/Decryption Page: If the application does not find the sealed AES key in the designated directory, it automatically redirects the user to the Encryption/Decryption page.

  2. Provide or Generate AES-256 Key

  • Option A — Provide Your Own Key: If you already have a valid AES-256 key, paste the Base64-encoded key into the AES Key field.

  • Option B — Generate a New Key: If you prefer to generate a new AES-256 key, click on the Generate AES-256 Key button. The application will generate a random key and store it securely in the application’s configured directory, encrypted using a salt mechanism.

  3. Encryption/Decryption

    • Encrypting Passwords: After generating or providing the AES key, enter the value to be encrypted in the Input field, and click Encrypt. The encrypted value will appear in the Output field.

    • Decrypting Passwords: To verify or migrate existing encrypted data, paste the encrypted value in the Input field and click Decrypt to view the plaintext password in the Output field.

  4. Key Storage and Security

    • The sealed AES key is saved in a secure directory. Ensure the directory is properly secured with restricted access permissions.

    • If the server is restarted or the application is moved, the same AES key must be present in the same directory to ensure continued functionality.

Notes:

  • The key must be properly stored in a secure directory as per the configuration in the emCA.properties file. If it is missing or moved, the application will prompt the user to generate or upload a valid AES-256 key.

  • Ensure that the generated or provided key is backed up securely, as it is critical for decrypting data.
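A pre-flight check for two points the steps and notes above depend on: a pasted key is a valid AES-256 key only if its Base64 decodes to exactly 32 bytes, and the key directory should not be accessible to group or other users. This is an added example, not emCA code; standard (non-URL-safe) Base64, POSIX permissions and the `sealed.key` file name are assumptions, and the directory audited is a constructed temporary one.

```python
import base64
import os
import secrets
import stat
import tempfile


def generate_key_b64() -> str:
    """Return a fresh random 256-bit key, standard Base64 encoded."""
    return base64.b64encode(secrets.token_bytes(32)).decode("ascii")


def check_key_b64(value: str) -> bool:
    """True only if value is strict Base64 that decodes to exactly 32 bytes."""
    try:
        raw = base64.b64decode(value.strip(), validate=True)
    except ValueError:  # binascii.Error (bad alphabet/padding) subclasses ValueError
        return False
    return len(raw) == 32


def audit_key_dir(path: str) -> list[str]:
    """List the directory and its entries that group or other users can access."""
    findings = []
    targets = [path] + [os.path.join(path, n) for n in sorted(os.listdir(path))]
    for target in targets:
        mode = stat.S_IMODE(os.lstat(target).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{target}: mode {mode:03o} grants group/other access")
    return findings


def demo() -> tuple[int, int]:
    """Constructed sample: audit a temp dir before and after tightening modes."""
    with tempfile.TemporaryDirectory() as key_dir:    # stand-in for the key directory
        sealed = os.path.join(key_dir, "sealed.key")  # hypothetical file name
        with open(sealed, "wb") as fh:
            fh.write(b"constructed placeholder, not a real sealed key")
        os.chmod(key_dir, 0o755)
        os.chmod(sealed, 0o644)
        before = len(audit_key_dir(key_dir))
        os.chmod(key_dir, 0o700)
        os.chmod(sealed, 0o600)
        after = len(audit_key_dir(key_dir))
    return before, after


if __name__ == "__main__":
    print(check_key_b64(generate_key_b64()), demo())
```

Run `check_key_b64` on a key before pasting it, and point `audit_key_dir` at the directory configured for the sealed key; an empty list means only the owning account can reach it.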

emCA Set up

After successfully deploying the emCA application, follow these steps for the initial setup:

  1. Access the emCA setup by entering the URL provided for the application.

  2. The setup will direct you to the emCA welcome page, which will guide you through the configuration process.

Example: To access the login page, enter the following URL in the address field: https://<ip_address>:<port>/emCA/login.htm

If you have a backup and wish to restore the previous configuration, click Restore to use the backup data and continue from where you left off.

If you are setting up emCA for the first time, click Next to proceed with configuring CA administrator settings and user setup.

When creating a CA Administrator, choose 'Single' or 'Multiple' and specify the number of administrators.

Set Login Attempt Limit: Specify the number of incorrect login attempts allowed, with a maximum of 10 attempts.

After selecting the necessary options, click Proceed to move to the Verify and Confirm page.

Confirm and Create Admin: Click Confirm to finalize the CA Admin configuration. To create the CA Admin, click Next Step: Create CA Administrators. This will bring up the Create CA Administrator page.

Enter all the necessary information for the CA Admin and select the User Login Type (Password, Hard, or Soft Token) as shown below.

After entering the details, click “Proceed”; the entered details will then be displayed.

“Verify & Confirm” the details, then click the "Create User" button to create the CA Administrator.

If you selected “Multiple” administrators, you can add more before clicking “Proceed to Login”.

Login and Licence Registration

To access the emCA application, the CA Administrator must use the provided User Login Type (Password, Hard, or Soft token).

Click on the "Login" button, as shown in the figure below.

Upon login, the following steps need to be performed by the CA Administrator.

Step 1: License Registration

Step 2: Setup Authorization Matrix

Step 3: Generate AES Key

Step 4: Generate Signer Key

License Registration

The CA Administrator must complete the license setup as a one-time activity through the License Registration window.

Follow the prompts to proceed with the license generation and registration process.

After logging in, select No when asked if you have a pre-generated license file. Then, click Generate ID.

When you click the "Generate ID" button in the emCA application, a license request file will be generated.

You can then download this file by clicking on the "Download" button as shown below.

Upon downloading the license request, it should be sent to eMudhra for generating the license file.

Please click on the 'Next' button.

After receiving the license file from eMudhra, the CA Administrator can select the ‘Yes’ option.

Please click on the 'Choose File' button to upload the license file that you have received from eMudhra.

After uploading the license file, the CA Administrator must “Authenticate” by entering their Username and Password as shown in the following figure.

After authentication, click Register to complete the license registration process.

A success message will confirm that the registration is complete.

After registration, click Setup Authorization Matrix to proceed to the next configuration step.

Setup Authorization Matrix

Define M of N Authentication: The CA Administrator configures M of N authentication by specifying the minimum and maximum number of users required for each role (Administrator, Officer, Auditor).

Click on “Proceed” after entering the required minimum and maximum number of users in the provided fields, as shown in the setup interface.

The CA Administrator must “Authenticate” by entering their Username and Password as shown in the following figure.

Once you have successfully completed the authentication process, please click on the "Confirm" button.

A success message will confirm the Authorization Matrix setup.

Click on "Proceed to generate AES Key" for encryption key generation.

Generate AES Key

In this step, the CA Administrator is presented with the option "Are you generating keys on an HSM?" as shown below.

If the CA Administrator selects ‘No’ and clicks ‘Next’, they will be prompted to select the ‘Subscriber Encryption Mode’ on the following page.

On the page, choose whether to store the encryption key in the database or in BYOK, and then click on 'Proceed'.

You will see the authentication screen next.

Authenticate by entering your Username and Password. Once authenticated, click 'Generate AES Key'.

A message will confirm AES key generation; click “Proceed to dashboard”.

If “Yes” is selected …

Select “Yes” if generating the key on an HSM and click “Next”.

The CA Administrator can then enter the HSM configuration details.

Test the HSM connection; a success response confirms the connection.

Authenticate by entering your Username and Password. Once authenticated, click 'Generate AES Key'.

A message will confirm AES key generation; click “Proceed to dashboard”.

CA Administrator will be redirected to the Dashboard.
