9700 Key Manager Application Manual

    MD0006-050 February 3, 2010

    Page 1 of 13

    MICROS 9700 Encryption Key Management Utility

    General Information

    About this Document

    This document is intended as a quick reference guide to provide information concerning the MICROS 9700 Encryption Key Management Utility. This document relates specifically to MICROS 9700 Version 3.60 Hospitality Management System software.

    About the 9700 Encryption Key Management Utility

    The purpose of the 9700 Encryption Key Management Utility is to allow the user to set the encryption passphrase for the 9700 System. In accordance with the PCI Data Security Standard, MICROS Systems, Inc. mandates each site protect encryption keys against both disclosure and misuse.

    Secure Key Practices

    To ensure secure distribution, MICROS Systems, Inc. mandates that users divide knowledge of a specific encryption key among two or three people. Users should establish dual control of keys so that it requires two to three people, each knowing only his or her part of the key, to reconstruct the entire key.

    A site's management procedures must require the prevention of unauthorized substitution of keys. 9700 HMS prevents the unauthorized substitution of keys by employing security measures in the Key Management Utility; for example, an unencrypted key will not be accepted by the utility. Furthermore, a site's management procedures must require the replacement of known or suspected compromised keys.

    The site also must require each key custodian to sign a form stating that he or she understands and accepts his or her key-custodian responsibilities.

    Key Management Utility Security Enhancements

    Previously, the 9700 3.x system stored the encryption keys used to encrypt and decrypt secure data, such as credit card numbers, in the database.

    Now, due to a new Payment Card Industry Data Security Standard (PCI DSS) requirement that mandates the secure deletion of unused encryption keys, 9700 version 3.60 and greater uses a new encryption scheme that avoids using secondary encryption keys.

    The New Encryption Scheme

    The key rotation itself will always require the 9700 system to be brought to a down state for a very short period of time, and the 9700 system must remain down while the Key Management Utility tool is used to run the initial key rotation.

    After the initial key rotation, the subsequent process of database re-encryption runs in the background, so it does not necessarily require the system to be down while re-encryption is running.

    The secure deletion of the old encrypted passphrase file is accomplished using the secure delete application SDelete. For more information on SDelete, see page 6.

    Operations Considerations

    9700 3.60 Fresh Installation

    The following should be noted when conducting a fresh 9700 3.60 installation:

    • The 9700 3.60 installation process prompts for and requires SDelete installation before successful completion. For more information on SDelete, see page 6.

    • After the fresh install completes, the 3.60 install shield will remind the user to run the initial key rotation after rebooting the server. If the user forgets to run the initial key rotation, the 9700 system will refuse to be brought up to levels equivalent to dbs up or higher and the following message displays.

    • To ensure PCI compliance, MICROS Systems Inc. mandates that the site run the initial key rotation after the installation is complete.

    Warning: After a key rotation (the initial key rotation and all subsequent rotations) is performed by the Key Management Utility, the database and 9700 application become synchronized with new encryption key data.

    For this reason, users should not swap databases (restoring/replacing the existing database with a different one) until they are absolutely sure that the new database is also in sync with the 9700 application.

    Generally speaking, there is no way to determine whether an offline database that is about to be restored by the user is in sync with the 9700 application.

    Therefore, usually the only safe scenario to restore/replace a database is to restore/replace the database with a good database backup that must have been taken prior to performing the new key rotation. The database can only be restored/replaced if no key rotation has occurred since uploading the existing database or since the backup database was taken.

    • The 9700 system must remain down while the Key Management Utility tool is used to run the initial key rotation.

    • If the 9700 system has a backup application server, the user will need to run the Key Manager Utility with the same pass phrase on the backup server after the initial key rotation is completed on the primary server. Note that this is the same case for all existing 3.10 sites as well (if a key rotation occurs on one server, the same rotation must occur on the backup server in order to sync the new pass phrases).

    • After initial key rotation is complete, the 9700 system can be brought up to operation level. All new secure details will be encrypted using the new key.

    Upgrading from 9700 v. 3.10 to 9700 v. 3.60

    The following should be noted when upgrading a 9700 v. 3.10 system to 9700 v. 3.60:

    • SDelete must be installed before running the Key Management Utility. For more information on SDelete, please see page 6.

    • To ensure PCI compliance, MICROS Systems Inc. mandates that the site run the initial key rotation after the upgrade is complete.

    • If the 9700 system has a backup application server, the user will need to run the Key Manager Utility with the same pass phrase on the backup server after the initial key rotation is completed on the primary server (if a key rotation occurs on one server, the same rotation must occur on the backup server in order to sync the new pass phrases).

    • The database re-encryption will run after the initial key rotation.

    • After initial key rotation is complete, the 9700 system can be brought up to operation level. All new secure details will be encrypted using the master key.

    Periodic Key Rotation

    In order to achieve maximum security, MICROS Systems, Inc. mandates the system administrator regularly rotate the site's encryption keys.

    When periodic key rotation occurs, database re-encryption will not require the 9700 system to be down. The key rotation itself will still require the 9700 system to be in down mode; however, the rotation (without database re-encryption) should take only a short period of time.

    Encryption key rotations are necessary and must occur periodically, at least annually. For more information on how to rotate keys, please see the 9700 HMS Version 3.60 and the Key Management Utility section on page 6.

    9700 HMS Version 3.60 and the Key Management Utility

    Operating Conditions

    The following conditions must be true for the KeyManager program to run:

    • The 9700 system is in a down state. When the initial key encryption process occurs, the 9700 system must remain in the down state.

      For any subsequent key rotations after the initial key rotation, the 9700 system must be in a down state but can be brought up to operational mode once the re-encryption process has started. If a passphrase change is attempted while 9700 is not in a down state, the following error will display:

    • It must be running locally on a 9700 system; it cannot be run remotely.

    • The EMC web service must be up and running (IIS installed and running).

    • The Database must be accessible.

    • SDelete must be downloaded and installed in the following location: C:\SDelete. SDelete is a command line utility that is used to securely delete one or more files and/or directories or to cleanse the free space on a logical disk. For more information on SDelete and to download SDelete, see the SDelete v1.51 page on the Microsoft TechNet website http://www.microsoft.com/technet/sysinternals/Security/SDelete.mspx.

    Initial Key Rotation Considerations

    The Key Manager Utility automatically detects when the initial key rotation occurs and prompts the user with a dialog noting that the system must remain in a down state during the initial key rotation. The dialog will say the following:

    "The software has detected this is the first key rotation after 3.x installation and will now perform database re-encryption. The process may take considerable amount of time to complete, and the system needs to remain in down state during the process. Please be patient and DO NOT interrupt the re-encryption process! Failure to do so may cause unrecoverable loss of encrypted data!"

    After initial key rotation is complete, the 9700 system can be brought up to operation level.

    Subsequent Key Rotation Considerations

    The Key Management Utility will always require the 9700 system to initially be in a down state. Once the re-encryption process starts, the 9700 system can be brought back to the operations mode.

    Note: The 9700 3.60 installation process prompts for and requires SDelete installation before successful completion.

    If the site is using a 9700 system below version 3.10 SP6, follow the link above to download and install SDelete.

    Please ensure that SDelete is installed on the same drive as the operating system in a folder named SDelete before using the Key Manager Utility, as the utility will not run successfully without it. If SDelete is not installed and the Key Manager Utility tries to update the passphrase, the following error message will display:

    Login Conditions

    Only two types of users can log into the KeyManager program:

    • MICROS super-users.

    • Employees with access level of 0 who also need system administrator privileges for the server to run the Key Manager application.

    Display Screen

    There is only one window in the Key Manager program, seen below:

    The areas of the window are:

    A: The top line displays the current PC Number (useful to determine if you are running on PC1 or PC2).

    B: Update Passphrase entry area.

    C: Encryption Key Status.

    Changing the Passphrase

    Changing the passphrase has these restrictions:

    • The passphrase must be 1 to 24 characters long.

    • The passphrase and confirm passphrase must match.

    • The system must be in the down state (database must be brought down from a Cygwin command line with the micros stop y command).

    • The database must be accessible.

    • SDelete must be downloaded and installed in the same drive as the operating system in a folder named SDelete. For more information on SDelete and to download SDelete, see the SDelete v1.51 page on the Microsoft TechNet website http://www.microsoft.com/technet/sysinternals/Security/SDelete.mspx.

    To change the passphrase, follow the directions below.

    1. Bring the 9700 system to a down state by entering the command micros stop y in the Cygwin command line.

    Warning: If the passphrase is lost, the encrypted data in the database is unrecoverable. There are no backdoors!

    2. Navigate to the 9700/bin directory on the 9700 Server and double-click the KeyManager.exe file. The KeyManager Login Screen opens, seen below.

       Enter a valid ID and Password, then click OK.

    3. Enter the new passphrase and confirm the passphrase in the Update Passphrase section, circled below.

    4. Click Update. The following warning displays.

    5. Click Yes to continue only if the site's credit card records have been batched and settled. Click No if the site's credit card records have not been batched and settled; do not proceed with the key rotation until the credit card records have been batched and settled and the database is backed up.

       The Key Management Utility will recognize if the initial key rotation has occurred. If the initial key rotation has occurred, the utility displays a dialog, seen below, informing the user that the 9700 system can be brought to an operation state while the database re-encryption process occurs.

    6. The re-encryption begins and a status bar displays, as seen below. The percentage of records being re-encrypted displays in the corner of the status bar, circled below. Click OK when all records have been successfully re-encrypted.

    7. Once the passphrase has successfully changed, the following window displays. Click OK.

       If the Key Management Utility is run after a fresh 9700 installation, the following message displays instead of the message seen above. No keys are present in the database, so the passphrase is stored for future use. Click OK.

    8. When the passphrase change/key rotation successfully completes, the following prompt displays. To exit the application, click Yes.

    Signature Confirmation

    The passphrase is stored on the 9700 PC. The encryption keys are stored in the database. In order to determine if the passphrase matches the encryption keys, a passphrase signature field exists in the database. The signature is a one-way hash of the passphrase.

    This signature field is what KeyManager uses to determine if the passphrase can be set on the 9700 PC.

    The 9700 processes use the signature to determine if the security configuration is in sync and valid. A PC/database could be out of sync if a 9700 system were to point to a database using a different passphrase in a support situation, for example.

    Key Management Utility Messages

    Passphrase same as old passphrase

    This message displays when the new passphrase entered is the same as the old passphrase. Click OK and re-enter a new passphrase.

    New passphrase now in sync with database.

    A valid passphrase/database combination exists, and a new passphrase is to be stored. The message will display when the same passphrase is entered when running the Key Management Utility on the backup application server as was entered when running the utility on the primary application server. For more information, see page 4.

    Passphrase stored. (Database signature was not preset)

    This message displays when the Key Management Utility is run after a fresh 9700 installation. No keys are present in the database, so the passphrase is stored for future use.
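
    The signature check described under Signature Confirmation and the three messages above can be modeled as follows. This is an added example, not MICROS code: the hash (PBKDF2-HMAC-SHA256), the salt, the function names and the "rotate"/"rejected" labels are assumptions, because the manual names neither the algorithm nor the utility's internals.

```python
import hashlib
import hmac

# Constructed values: the manual does not name the hash algorithm or any salt.
SALT = b"constructed-demo-salt"
ITERATIONS = 100_000

# Message texts as listed in the manual's "Key Management Utility Messages".
MSG_SAME = "Passphrase same as old passphrase"
MSG_SYNC = "New passphrase now in sync with database."
MSG_STORED = "Passphrase stored. (Database signature was not preset)"
ROTATE = "rotate"        # hypothetical label: a real key rotation is needed
REJECTED = "rejected"    # hypothetical label: entry restrictions not met


def signature(passphrase):
    """One-way hash of the passphrase (PBKDF2-HMAC-SHA256 is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               SALT, ITERATIONS)


def in_sync(local_passphrase, db_signature):
    """Model of the check the 9700 processes make: does the passphrase held
    on this PC hash to the signature field stored in the database?"""
    if local_passphrase is None or db_signature is None:
        return False
    # Constant-time comparison so the check does not leak matching prefixes.
    return hmac.compare_digest(signature(local_passphrase), db_signature)


def evaluate_update(entered, confirm, local_passphrase, db_signature):
    """Classify one Update request the way the manual's messages describe."""
    # Restrictions from "Changing the Passphrase": 1 to 24 characters,
    # and the two entries must match.
    if not 1 <= len(entered) <= 24 or entered != confirm:
        return REJECTED
    if local_passphrase is not None and entered == local_passphrase:
        return MSG_SAME
    if db_signature is None:
        return MSG_STORED    # fresh install: no keys in the database yet
    if hmac.compare_digest(signature(entered), db_signature):
        return MSG_SYNC      # backup server given the primary's passphrase
    return ROTATE            # a different passphrase: keys must be rotated


if __name__ == "__main__":
    # Constructed scenario: the primary rotated to a new passphrase and the
    # backup application server still holds the old one.
    db_sig = signature("new-phrase-2010")
    print(in_sync("old-phrase-2009", db_sig))
    print(evaluate_update("new-phrase-2010", "new-phrase-2010",
                          "old-phrase-2009", db_sig))
```

    The scenario in the main block is the backup-server case from page 4: the backup is out of sync until the primary's passphrase is entered on it.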