Machine Key Tool
Use this guide to install and use the Machine Key Tool.
Applies to
SecureAuth IdP
Discussion
What is the Machine Key Tool?
The Machine Key Tool enables an administrator to back up, restore, and grant or revoke privileges for a SecureAuth IdP Appliance machine key (NetFrameworkConfigurationKey). A machine key is used for encrypting and decrypting the SecureAuth IdP web.config files.
Disclaimer
THIS SOFTWARE IS PROVIDED "AS IS" AND SECUREAUTH CORPORATION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL SECUREAUTH CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHAT SO EVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
System Requirements
The Machine Key Tool works with SecureAuth IdP appliances on supported Windows Server versions.
Note
For complete information on which versions are supported, see the SecureAuth compatibility guide for your release.
Installation
Contact Support for the MachineKeyTool.zip file.
Download the file.
Navigate to the download, right-click on the archive, select Properties, and switch to the General tab.
If there is a button titled Unblock present on the tabbed page, click it and press OK to dismiss the Properties window.
Navigate to the download, right-click on the archive, and select Extract All...
Extract the archive to D:\MFCApp_Bin\Extras.
Usage
To back up the Machine Key, navigate to D:\MFCApp_bin\Extras\MachineKeyTool and run Machine Key Tool.bat.
The Splash page appears.
Press any key and the Legal disclaimer appears.
Type AGREE at the prompt to accept the terms and press Enter.
Note
If the terms are not acceptable, press Enter and the script exits automatically.
If you accepted the disclaimer, the Main Menu appears.
Type 1 and press Enter to start the backup.
Provide a strong password to protect the backup, then press Enter to continue.
Warning
Passwords may only contain letters, numbers, and the following special characters @ # $ % * ( ) + ?.
If an unsupported character is used, the backup may fail.
The backup now begins.
The backup process is completed when a screen like this appears:
Press any key to continue.
Decrypt the web.config Files
Before performing a restore, it is necessary to decrypt the web.config files through the SecureAuth administrative interface. For more details on doing this, refer to the SecureAuth IdP Realm Guide and go to the section, Decrypting / Encrypting Realms.
To decrypt the web.config files:
To restore a Machine Key from backup, navigate to D:\MFCApp_bin\Extras\MachineKeyTool and run Machine Key Tool.bat.
The Splash page appears. Press any key and the Legal disclaimer page appears.
Type AGREE at the prompt to accept the terms, then press Enter.
Note
If the terms are not acceptable to you, press Enter and the script exits automatically.
The Main Menu appears.
Type 2 and press Enter to start the restore.
Select the backup file to restore by entering its number, then press Enter.
Note
The backup files are located in the D:\MFCApp_Bin\SecureAuth_Archive folder.
Enter the password used to encrypt the backup file.
Type OK to continue with the restore or CANCEL to abort the restore process.
If you select to continue by typing OK, the restore process runs.
Once completed, a screen like the following appears:
To allocate access control via privileges, navigate to D:\MFCApp_bin\Extras\MachineKeyTool and run Machine Key Tool.bat.
The Splash page appears.
Press any key and the Legal disclaimer page appears.
Type AGREE at the prompt to accept the terms, and press Enter.
If the terms are not acceptable to you, press Enter and the script exits automatically.
If you agree to the terms, the Main menu displays.
Type 3 and press Enter to open the Privileges menu.
The Privileges menu appears.
Press the letter that corresponds to the type of rights you want to grant for access to the machine key. The options are:
A: Authenticated Users rights - This option is normally selected to grant Authenticated Users access to the machine key when the SecureAuth IdP appliance hosts a realm utilizing the Windows IWA/SSO functionality. For more on this, refer to Authenticated Users.
D: Domain Users rights - This option grants machine key access to the Domain Users group and should only be selected under the supervision of SecureAuth support staff. For more on this topic, refer to Domain Users.
E: Everyone rights - This option grants machine key access to the Everyone group and should only be used under the supervision of SecureAuth support staff. For more on this topic, refer to Everyone.
For more information on these options, refer to the following subtopics.
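The following is an added example, not part of the Machine Key Tool or of SecureAuth's documentation: a read-only PowerShell audit that lists which accounts currently hold access to the NetFrameworkConfigurationKey container and flags the Authenticated Users, Domain Users and Everyone grants described above. It assumes an elevated session and that the container sits in the default Windows machine key store under %ProgramData%.

```powershell
# Added example: list who has access to the machine key named in this guide.
# Run from an elevated Windows PowerShell prompt on the appliance.
$ErrorActionPreference = 'Stop'
$containerName = 'NetFrameworkConfigurationKey'

# Assumption: the container lives in the default machine-level RSA key store.
$keyStore = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'

# Open the existing container only; UseExistingKey prevents creating a new one.
$csp = New-Object System.Security.Cryptography.CspParameters
$csp.KeyContainerName = $containerName
$csp.Flags = 'UseMachineKeyStore, UseExistingKey, NoPrompt'

$rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList $csp
try {
    # The container's on-disk file name is derived from its name and the machine GUID.
    $keyFile = Join-Path $keyStore $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
finally {
    $rsa.PersistKeyInCsp = $true   # never delete the container on cleanup
    $rsa.Dispose()
}

# Well-known SIDs for two of the groups on the Privileges menu.
$broadSids = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-11' = 'Authenticated Users'
}

$sidType = [System.Security.Principal.SecurityIdentifier]
$rules = (Get-Acl -Path $keyFile).GetAccessRules($true, $true, $sidType)

$report = foreach ($rule in $rules) {
    $sid = $rule.IdentityReference.Value
    $group = $broadSids[$sid]
    # Domain Users is the domain SID followed by relative ID 513.
    if (-not $group -and $sid -match '^S-1-5-21-(\d+-){3}513$') { $group = 'Domain Users' }
    try   { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $sid }   # orphaned SID with no resolvable account
    [pscustomobject]@{ Identity = $name; Access = $rule.AccessControlType
                       Rights = $rule.FileSystemRights; BroadGroup = $group }
}

$report | Format-Table -AutoSize
$report | Where-Object { $_.BroadGroup -and $_.Access -eq 'Allow' } |
    ForEach-Object { Write-Warning "$($_.BroadGroup) has access to $containerName ($($_.Rights))" }
```

Running it before and after using the Privileges menu shows exactly which entry a grant or revoke changed.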
Machine Key Tool Release History
1.0.0: 2015-05-15
Initial release of tool
1.1.0: 2016-05-17
Deprecated WebConfigManager
Updated 7Zip library to v16.0.0.0 to address reported security vulnerabilities