version: 2024-02
| Prerequisites |
|---|
| You’re familiar with all the Enterprise Server services. |
Enterprise customers may deploy the FlowCrypt Enterprise Admin Panel (EAP) on their internal LAN to manage users and key pairs in their domain.
Your privileged users may view and export reports and perform actions on user keys (expiration, revocation, import, export, or modification), depending on their privileges. Security settings and customization can be set per (sub)domain. Administrative actions are logged to your own logging infrastructure for later audits. Users are authenticated against your own IdP over OIDC.
The EAP Orchestrator handles the lifecycle of encryption keys including expiration, renewals, and automatic key rotation based on your business and security needs.
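To make the orchestrator settings concrete, here is a small model written for this page (it is not FlowCrypt code). It reads the meaning of the orchestrator.* properties in the sample config file further down from their names: on every timer tick, key pairs whose expiration lies within threshold.days are extended to now + target.months, at most batch.size per tick. How the real processor orders keys or treats already-expired ones is not documented here, so this model assumes expired keys are due and that the soonest expirations go first; the fleet it runs on is constructed for the example.

```python
"""Model of the orchestrator.* settings (ExtendKeyPairExpirationLifecycleProcessor).

Added illustration for this page, not FlowCrypt code. Semantics are inferred from
the property names in the sample config file; ordering and the handling of
already-expired keys are assumptions, and the fleet below is constructed.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class OrchestratorConfig:
    timer_seconds: int = 60      # orchestrator.timer.seconds
    batch_size: int = 50         # orchestrator.batch.size
    threshold_days: int = 60     # orchestrator.key.pair.expiration.threshold.days
    target_months: int = 12      # orchestrator.key.pair.expiration.target.months


@dataclass
class KeyPair:
    fingerprint: str
    expires: date
    extensions: int = 0


def add_months(d: date, months: int) -> date:
    """Calendar-month addition with day clamping (Jan 31 + 1 month -> Feb 28/29)."""
    m = d.month - 1 + months
    year, month = d.year + m // 12, m % 12 + 1
    return d.replace(year=year, month=month, day=min(d.day, calendar.monthrange(year, month)[1]))


def due_for_extension(keys: list[KeyPair], today: date, cfg: OrchestratorConfig) -> list[KeyPair]:
    """Key pairs expiring within cfg.threshold_days (already expired ones included), soonest first."""
    cutoff = today + timedelta(days=cfg.threshold_days)
    return sorted((k for k in keys if k.expires <= cutoff), key=lambda k: k.expires)


def run_tick(keys: list[KeyPair], today: date, cfg: OrchestratorConfig) -> list[str]:
    """One timer tick: extend at most cfg.batch_size due key pairs; return their fingerprints.

    Refuses a configuration whose target does not clear the threshold, because every
    tick would then re-extend the same keys forever."""
    new_expiry = add_months(today, cfg.target_months)
    if new_expiry <= today + timedelta(days=cfg.threshold_days):
        raise ValueError("target.months must put the new expiration beyond threshold.days")
    touched = []
    for k in due_for_extension(keys, today, cfg)[: cfg.batch_size]:
        k.expires = new_expiry
        k.extensions += 1
        touched.append(k.fingerprint)
    return touched


def ticks_to_drain(keys: list[KeyPair], today: date, cfg: OrchestratorConfig) -> int:
    """Ticks until nothing is due; times cfg.timer_seconds gives the catch-up time after enabling the timer."""
    ticks = 0
    while due_for_extension(keys, today, cfg):
        run_tick(keys, today, cfg)
        ticks += 1
    return ticks


def sample_fleet(today: date) -> list[KeyPair]:
    """Constructed fleet: 5 expired, 65 expiring within 60 days, 50 with more than 60 days left."""
    keys = []
    for i in range(120):
        if i < 5:
            expires = today - timedelta(days=i + 1)
        elif i < 70:
            expires = today + timedelta(days=(i - 5) % 60 + 1)
        else:
            expires = today + timedelta(days=61 + i)
        keys.append(KeyPair(f"KEY{i:03d}", expires))
    return keys


if __name__ == "__main__":
    today = date(2024, 2, 1)
    cfg = OrchestratorConfig()
    fleet = sample_fleet(today)
    print(f"due now: {len(due_for_extension(fleet, today, cfg))}")
    n = ticks_to_drain(fleet, today, cfg)
    print(f"drained in {n} ticks = {n * cfg.timer_seconds}s; extended keys now expire {fleet[0].expires}")
```

With the sample values, 70 due key pairs need two ticks (two minutes at timer.seconds=60) to catch up, which is the kind of sizing question batch.size and timer.seconds answer; the ValueError guard shows why target.months must exceed threshold.days.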
- Screenshots: see the Enterprise Admin Panel UI Overview guide.
- Requirements: see the Enterprise Server Deployment Requirements guide. In addition, an IdP must be configured for OIDC so that the EAP can authenticate administrators.
Distribution and deployment
FlowCrypt Enterprise Admin Panel is distributed as a zip file containing:
| Filename | Description |
|---|---|
| flowcrypt-enterprise-admin-panel.jar | Runnable Java JAR |
| flowcrypt-enterprise-admin-panel.properties | Default config for EAP |
| flowcrypt-enterprise-admin-panel-docs.md | Documentation |
| LICENSE.txt | License file (proprietary software) |
For deployment, install OpenJDK 17, unpack all files in a folder, and edit the properties file before running.
Running the application
Start the EAP by running the java -jar flowcrypt-enterprise-admin-panel.jar command. By default it starts the server at the localhost:32327 address. Other commands:
| Command | Description |
|---|---|
| --version | Print application version |
| --help | Print application help |
| --gen-jwk=service-orchestrator | Generate the JWK the EAP Orchestrator uses to authenticate when it calls EKM |
Command line options:
| Argument | Default | Description |
|---|---|---|
| --config=<cfg.properties> | flowcrypt-enterprise-admin-panel.properties | Config file path or an HTTP(S) URL |
If you load the configuration from a URL, serve it over HTTPS only: the file carries the OIDC client secret and logging tokens, so it must not travel over plain HTTP.
Configuration
The sample configuration file appropriate for your software version is distributed along with the jar file. It consists of several sections: Common, Auth, Logger, and Orchestrator. Each is described either in one of the following guides or on this page below.
- General Configuration and HTTPS
- Authentication
- Logging
- High Availability and Scaling
- Deployment Checklist
- Orchestrator
Configuration: Common
General properties relating to basic configuration and how the app REST API is accessed.
| Property | Description |
|---|---|
| web.security.key (optional) | Used for encrypting/signing cookies and for generating/verifying CSRF tokens. When left empty, a random key is generated on each startup and users are logged out when you restart EAP. Example: a random string |
| web.cookies.secure (optional) | Manually override the HTTPS secure-cookie behavior. Example: true |
| services.eap.url | The EAP service URL. It is used for the cookie domain parameter and as the OIDC redirect_uri. It can be either the root path (e.g., https://eap.evaluation.org) or a custom path (e.g., https://evaluation.org/any/path/eap/). Example: https://eap.evaluation.org. See the Authentication guide mentioned above. |
| services.ekm.url | Your EKM instance, reachable by the EAP. Example: https://url-of-ekm.evaluation.org |
| services.wkd.url | Your WKD, normally running on the openpgpkey subdomain. Example: https://openpgpkey.evaluation.org |
| services.fes.url | Your FES, normally running on the fes subdomain. Example: https://fes.evaluation.org |
Configuration: Usage
The most common management tasks the EAP offers are:
- Add, rename, and delete end users
- Import and update private keys
- Import and update public keys
- View the list of keys
- Generate key pair
- Search for keys
- Bulk modification of private keys
- Key rotation
- Manage user IDs
- Manage associated users
- Manage key expiration
Sample config file
```properties
# https://flowcrypt.com/docs/technical/enterprise-admin-panel/latest/technical-overview.html
######################################################
################ GENERAL - EAP #######################
######################################################
org.id=evaluation.org
api.hostname=0.0.0.0
# Users need to be able to access this server over the HTTPS 443 port:
# - When using a Reverse Proxy for SSL termination, you can leave the port below as is (or choose any port you like)
#   and have the Reverse Proxy serve users at the 443 port.
# - When not using a Reverse Proxy, you need to set the 443 port and enable HTTPS below.
api.port=32327
api.accept.hosts=localhost:32327
api.https.enabled=false
#api.https.key.file=enterprise-admin-panel.p12
#api.https.key.password=password
api.error.format=id_only
# A symmetric key (random string) to use for encrypting/signing cookies and generating/verifying CSRF tokens.
# When left empty, a random key will be generated on each startup. Users will be logged out when you restart EAP.
# If you plan to run more than one EAP load-balanced, you must set this property.
#web.security.key=
# EAP uses HTTPS-only cookies when you run with api.https.enabled=true. You can overwrite it below.
#web.cookies.secure=true
#services.eap.url=https://...
#services.ekm.url=https://...
#services.wkd.url=https://openpgpkey.evaluation.org
#services.fes.url=https://fes.evaluation.org
# An optional Truststore to override the default JRE Truststore to verify internal SSL certs.
#truststore.file=truststore.p12
#truststore.password=password
#truststore.include.default=true
################################################
############## AUTHENTICATION ##################
################################################
# See the "Authentication" guide at https://flowcrypt.com/docs/technical/enterprise-admin-panel/latest/technical-overview.html#configuration.
# Once done here, you can log in through the EAP interface. Copy this "auth.admin" section to FES and EKM.
auth.admin.type=OidcAuthenticator
auth.admin.idps=default
auth.admin.default.issuer=
auth.admin.default.jwks=
auth.admin.default.audience=
# Additional properties for OAuth 2.0 authorization (these properties are only required for EAP).
# This is the client secret as defined in your Client Credentials for your OIDC Application.
# The IdP name in the key ("default" here) must match the name listed in auth.admin.idps.
auth.admin.default.oauth.client.secret=
# The following properties should be obtained automatically from the provider's OpenId Connect configuration.
# Optionally set the exact authorize URL.
#auth.admin.default.oauth.authorize.url=
# Optionally set the exact token exchange URL.
#auth.admin.default.oauth.token.url=
# Optionally allow the automatic use of OAuth 2.0 refresh tokens.
auth.admin.default.oauth.automatic.session.refresh=true
# If "orchestrator.timer.enabled" is enabled, you should generate this using the "--gen-jwk=service-orchestrator" command.
#auth.service.orchestrator.signing.key=
####################################################
################# ORCHESTRATOR #####################
####################################################
orchestrator.timer.enabled=false
orchestrator.timer.seconds=60
orchestrator.batch.size=50
orchestrator.key.pair.lifecycle.processor=ExtendKeyPairExpirationLifecycleProcessor
orchestrator.key.pair.expiration.threshold.days=60
orchestrator.key.pair.expiration.target.months=12
################################################
################### LOGGER #####################
################################################
# A comma-separated list. The possible values are: StdoutLogger | FileLogger | StackdriverLogger | SplunkHttpLogger.
logger.types=StdoutLogger
# The possible values are: trace | debug | info | warn | error.
logger.default.level=info
#logger.stdout.include.datetime=true
#logger.file.folder=/var/logs
#logger.file.history.size=14
#logger.file.history.compression=false
#logger.file.include.datetime=true
#logger.stackdriver.credentials.file=/etc/google/auth/application_default_credentials.json
#logger.splunk.url=https://splunk-instance:8088
#logger.splunk.token=327bfa46-...
#logger.splunk.disable.certificate.validation=true
```