version: 2024-03
Prerequisites |
---|
You’re familiar with all the Enterprise Server services. |
Enterprise customers may deploy the FlowCrypt Enterprise Admin Panel (EAP) on their internal LAN to manage users and key pairs in their domain.
Your privileged users may view and export reports, and perform actions on user keys such as expiration, revocation, import, export, or modification of keys, depending on the privileges of the user. You may set different security settings and customization per (sub) domain. Administrative actions are logged and traced onto your logging infrastructure for future audits. Users are authenticated using your own IdP over OIDC.
The EAP Orchestrator handles the lifecycle of encryption keys including expiration, renewals, and automatic key rotation based on your business and security needs.
- Screenshots: see the Enterprise Admin Panel UI Overview guide.
- Requirements: see the Enterprise Server Deployment Requirements guide, plus an IdP must be configured with OIDC to work with the EAP for the authentication of administrators.
Distribution and deployment
FlowCrypt Enterprise Admin Panel is distributed as a zip file containing:
Filename | Description |
---|---|
flowcrypt-enterprise-admin-panel.jar |
Runnable Java JAR |
flowcrypt-enterprise-admin-panel.properties |
Default config for EAP |
flowcrypt-enterprise-admin-panel-docs.md |
Documentation |
LICENSE.txt |
License file (proprietary software) |
For deployment, install OpenJDK 17, unpack all files in a folder, and edit the properties file before running.
Running the application
Start the EAP by running the java -jar flowcrypt-enterprise-admin-panel.jar
command.
The default command is to start the server at the localhost:32327
address. Other commands:
Command | Description |
---|---|
--version |
Print application version |
--help |
Print application help |
--gen-jwk=service-orchestrator |
Generate JWK for authentication when EAP Orchestrator calls EKM |
Command line options:
Argument | Default | Description |
---|---|---|
--config=<cfg.properties> |
flowcrypt-enterprise-admin-panel.properties |
Config file path or an HTTP(S) URL |
Configuration
The sample configuration file appropriate for your software version will come distributed along with the jar file. It
consists of several sections: Common
, Auth
, Logger
, and Orchestrator
. Each is described either in one of
the following links or on this page below.
- General Configuration and HTTPS
- Authentication
- Logging
- High Availability and Scaling
- Deployment Checklist
- Orchestrator
Configuration: Common
General properties relating to basic configuration and how the app REST API is accessed.
Property | Description |
---|---|
web.security.key optional |
Used for encrypting/signing cookies and generating/verifying CSRF tokens. When left empty, a random key will be generated on each startup and users will be logged out when you restart EAP. Example: random string |
web.cookies.secure optional |
Manually overwrite HTTPS secure cookie behavior. Example: true
|
services.eap.url |
The EAP service. This value is used for cookie domain parameter and OIDC redirect_uri . The URL can be set to either the root path (e.g., https://eap.evaluation.org ) or a custom path (e.g., https://evaluation.org/any/path/eap/ ).Example: https://eap.evaluation.org See the previously mentioned Authentication guide. |
services.ekm.url |
Your EKM instance, reachable by the EAP. Example: https://url-of-ekm.evaluation.org
|
services.wkd.url |
Your WKD, normally running on the openpgpkey .Example: https://openpgpkey.evaluation.org subdomain. |
services.fes.url |
Your FES, normally running on the fes subdomain.Example https://fes.evaluation.org
|
Configuration: Usage
Below are the most common usages of the general management that EAP offers:
- Add, rename, and delete end users
- Import and update private keys
- Import and update public keys
- View the list of keys
- Generate key pair
- Search for keys
- Bulk modification of private keys
- Key rotation
- Manage user IDs
- Manage associated users
- Manage key expiration
Sample config file
# https://flowcrypt.com/docs/technical/enterprise-admin-panel/latest/technical-overview.html
######################################################
################ GENERAL - EAP #######################
######################################################
org.id=evaluation.org
api.hostname=0.0.0.0
# Users need to be able to access this server over the HTTPS 443 port:
# - When using a Reverse Proxy for SSL termination, you can leave the port below as is (or choose any port you like)
# and have the Reverse Proxy serve users at the 443 port.
# - When not using a Reverse Proxy, you need to set the 443 port and enable HTTPS below.
api.port=32327
api.accept.hosts=localhost:32327
api.https.enabled=false
#api.https.key.file=enterprise-admin-panel.p12
#api.https.key.password=password
api.error.format=id_only
# A symmetric key (random string) to use for encrypting/signing cookies and generating/verifying CSRF tokens.
# When left empty, a random key will be generated on each startup. Users will be logged out when you restart EAP.
# If you plan to run more than one EAP load-balanced, you must set this property.
#web.security.key=
# EAP uses HTTPS-only cookies when you run with api.https.enabled=true. You can overwrite it below.
#web.cookies.secure=true
#services.eap.url=https://...
#services.ekm.url=https://...
#services.wkd.url=https://openpgpkey.evaluation.org
#services.fes.url=https://fes.evaluation.org
# An optional Truststore to override the default JRE Truststore to verify internal SSL certs.
#truststore.file=truststore.p12
#truststore.password=password
#truststore.include.default=true
################################################
############## AUTHENTICATION ##################
################################################
# See the "Authentication" guide at https://flowcrypt.com/docs/technical/enterprise-admin-panel/latest/technical-overview.html#configuration.
# Once done here, you can log in through the EAP interface. Copy this "auth.admin" section to FES and EKM.
auth.admin.type=OidcAuthenticator
auth.admin.idps=default
auth.admin.default.issuer=
auth.admin.default.jwks=
auth.admin.default.audience=
# Additional properties for OAuth 2.0 authorization (these properties are only required for EAP).
# This is the client secret as defined in your Client Credentials for your OIDC Application.
auth.admin.auth0.oauth.client.secret=
# The following properties should be obtained automatically from the provider's OpenId Connect configuration.
# Optionally set the exact authorize URL.
#auth.admin.default.oauth.authorize.url=
# Optionally set the exact token exchange URL.
#auth.admin.default.oauth.token.url
# Optionally allow the automatic use of OAuth 2.0 refresh tokens.
auth.admin.default.oauth.automatic.session.refresh=true
# If "orchestrator.timer.enabled" is enabled, you should generate this using the "--gen-jwk service-orchestrator" command.
#auth.service.orchestrator.signing.key=
####################################################
################# ORCHESTRATOR #####################
####################################################
orchestrator.timer.enabled=false
orchestrator.timer.seconds=60
orchestrator.batch.size=50
orchestrator.key.pair.lifecycle.processor=ExtendKeyPairExpirationLifecycleProcessor
orchestrator.key.pair.expiration.threshold.days=60
orchestrator.key.pair.expiration.target.months=12
################################################
################### LOGGER #####################
################################################
# A comma-separated list. The possible values are: StdoutLogger | FileLogger | StackdriverLogger | SplunkHttpLogger.
logger.types=StdoutLogger
# The possible values are: trace | debug | info | warn | error.
logger.default.level=info
#logger.stdout.include.datetime=true
#logger.file.folder=/var/logs
#logger.file.history.size=14
#logger.file.history.compression=false
#logger.file.include.datetime=true
#logger.stackdriver.credentials.file=/etc/google/auth/application_default_credentials.json
#logger.splunk.url=https://splunk-instance:8088
#logger.splunk.token=327bfa46-...
#logger.splunk.disable.certificate.validation=true