Tenant Setup Guide

This guide walks you through initial configuration of your AnkaSecure tenant after receiving access credentials from AnkaTech.

Prerequisites

Before you begin, ensure you have:

• ✅ Tenant ID (received via email from AnkaTech)
• ✅ Admin username and temporary password
• ✅ Access to Admin Console (https://console.ankasecure.com)
• ✅ API endpoint URL (https://api.ankasecure.com)

Step 1: First Login

1.1 Access Admin Console

Navigate to: https://console.ankasecure.com

Login Form:

• Tenant ID: your-tenant-id
• Username: [email protected] (provided by AnkaTech)
• Password: [Temporary password from email]

1.2 Change Admin Password

You'll be prompted to change password on first login.

Password Requirements:

• Minimum 12 characters
• At least 1 uppercase letter
• At least 1 lowercase letter
• At least 1 number
• At least 1 special character (!@#$%^&*)

Example Strong Password: AnkaSecure2025!Quantum

1.3 Enable Multi-Factor Authentication (Recommended)

Security Best Practice: Enable MFA for all admin accounts

Setup MFA: 1. Navigate to User Settings → Security 2. Click Enable MFA 3. Scan QR code with authenticator app (Google Authenticator, Authy, Microsoft Authenticator) 4. Enter 6-digit verification code 5. Save backup codes (for account recovery)

Step 2: Create Additional Users

2.1 Invite Team Members

Navigate to: Users → Invite User

User Information:

• Email: User's email address
• Role: Select appropriate role
• Tenant Admin: Full tenant management (create users, apps, keys)
• Application Admin: Manage applications and API keys
• User: Perform cryptographic operations only

• Auditor: Read-only access to audit logs

• Send Invitation: User receives email with setup link

Example:

Email: [email protected]
Role: Application Admin
Permissions: Can create API keys, cannot manage users

2.2 User Roles & Permissions

Step 3: Create Your First Application

Applications = Service accounts for API authentication

3.1 Create Application

Navigate to: Applications → Create Application

Application Details:

• Name: Production API (descriptive name)
• Description: Primary production service for customer data encryption
• Permissions: Select operations allowed (encrypt, decrypt, sign, verify, key management)

Click: Create Application

3.2 Generate API Key

After creation, you'll receive:

• Application ID: app-123
• API Key: ask_1234567890abcdef... (shown once - copy immediately!)

⚠️ Important: API key shown only once. Store securely (secret manager, environment variables).

Example API Key Storage (.env file, add to .gitignore):

ANKASECURE_API_KEY=ask_1234567890abcdef...
ANKASECURE_TENANT_ID=your-tenant-id
ANKASECURE_BASE_URL=https://api.ankasecure.com

Step 4: Generate Your First Key

Via Admin Console (GUI)

Navigate to: Keys → Generate Key

Key Configuration:

• Key ID: customer-data-key (unique identifier)
• Algorithm: ML-KEM-768 (recommended, quantum-resistant)
• Policy Template: NIST_APPROVED (or your region's template)
• Description: Customer PII encryption key

Click: Generate Key

Success: Key status shows ACTIVE

Via CLI (Command-Line)

# Configure CLI with tenant credentials
ankasecure-cli config init

# Follow prompts:
# API Endpoint: https://api.ankasecure.com
# API Key: ask_1234567890abcdef...
# Tenant ID: your-tenant-id

# Generate key
ankasecure-cli key generate \
  --algorithm ML-KEM-768 \
  --key-id customer-data-key \
  --policy NIST_APPROVED

# Output:
# ✓ Key generated successfully
# Key ID: customer-data-key
# Algorithm: ML-KEM-768
# Status: ACTIVE

Via REST API

curl -X POST https://api.ankasecure.com/api/v1/key-management/keys \
  -H "Authorization: Bearer ask_1234567890abcdef..." \
  -H "X-Tenant-ID: your-tenant-id" \
  -H "Content-Type: application/json" \
  -d '{
    "algorithm": "ML-KEM-768",
    "keyId": "customer-data-key",
    "policy": "NIST_APPROVED"
  }'

# Response:
# {
#   "keyId": "customer-data-key",
#   "algorithm": "ML-KEM-768",
#   "status": "ACTIVE",
#   "createdAt": "2025-12-26T10:00:00Z",
#   "publicKey": "..."
# }

Step 5: Test Integration

SDK Integration Test

import co.ankatech.ankasecure.sdk.AnkaSecureClient;
import co.ankatech.ankasecure.sdk.config.ClientConfig;

// Configure client
ClientConfig config = ClientConfig.builder()
    .baseUrl("https://api.ankasecure.com")
    .apiKey(System.getenv("ANKASECURE_API_KEY"))
    .tenant(System.getenv("ANKASECURE_TENANT_ID"))
    .build();

AnkaSecureClient client = new AnkaSecureClient(config);

// Test encryption
EncryptRequest request = EncryptRequest.builder()
    .keyId("customer-data-key")
    .plaintext("Hello AnkaSecure!")
    .build();

EncryptResponse encrypted = client.encrypt(request);
System.out.println("✓ Encryption successful: " + encrypted.getCiphertext());

// Test decryption
DecryptRequest decryptReq = DecryptRequest.builder()
    .ciphertext(encrypted.getCiphertext())
    .build();

DecryptResponse decrypted = client.decrypt(decryptReq);
System.out.println("✓ Decryption successful: " + decrypted.getPlaintext());

Expected Output:

✓ Encryption successful: eyJhbGciOiJNTC1LRU0tNzY4IiwiZW5jIjoiQTI1NkdDTSJ9...
✓ Decryption successful: Hello AnkaSecure!

CLI Integration Test

# Encrypt a file
echo "Sensitive data" > test.txt
ankasecure-cli encrypt \
  --key-id customer-data-key \
  --input test.txt \
  --output test.enc

# Output:
# ✓ File encrypted successfully

# Decrypt the file
ankasecure-cli decrypt \
  --input test.enc \
  --output decrypted.txt

cat decrypted.txt
# Sensitive data

Step 6: Configure Policies (Optional)

Policy Templates

What are policies?: Pre-configured algorithm availability sets aligned with regulations

Available Templates:

• NIST_APPROVED - USA federal compliance
• BSI_COMPLIANT - Germany
• CRYPTREC - Japan
• CHINA_GMT_COMPLIANT - China
• PCI_DSS - Finance sector
• See all 20 templates →

Example: Enforce only NIST-approved algorithms for all keys

Via Admin Console: 1. Navigate to Settings → Policies 2. Select Default Policy Template: NIST_APPROVED 3. Save Changes

Effect: All new keys must use NIST-approved algorithms (ML-KEM, ML-DSA, AES, etc.)

Step 7: Set Up Monitoring (Recommended)

Enable Audit Logging

Navigate to: Settings → Audit Logs

Configuration:

• Log Retention: 90 days (default), up to 7 years (compliance)
• Log Export: Enable export to external SIEM (Splunk, ELK, Datadog)

Export API (download audit logs):

curl https://api.ankasecure.com/api/v1/audit/logs \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "X-Tenant-ID: your-tenant-id" \
  -G -d "start=2025-12-01" -d "end=2025-12-31"

# Returns JSON array of audit events

Configure Alerts

Navigate to: Settings → Alerts

Recommended Alerts:

• ✅ Failed authentication attempts (>10 in 1 hour)
• ✅ Quota approaching limit (80% of monthly quota)
• ✅ New API key generated (security awareness)
• ✅ Key deletion (prevent accidental data loss)

Alert Destinations:

• Email notifications
• Webhook (POST to your endpoint)
• Integration with PagerDuty, Slack, Microsoft Teams

Tenant Configuration Checklist

Initial Setup

• [ ] First login completed
• [ ] Admin password changed
• [ ] MFA enabled for admin account
• [ ] Additional users invited (if applicable)
• [ ] First application created
• [ ] API key generated and stored securely
• [ ] First cryptographic key generated
• [ ] Integration tested (SDK or CLI)

Security Hardening

• [ ] MFA enforced for all admin users
• [ ] API keys rotated (initial keys from email replaced)
• [ ] IP whitelist configured (if available in your tier)
• [ ] Audit logging enabled
• [ ] Alerts configured (failed auth, quota, key operations)

Compliance (if applicable)

• [ ] BAA signed (HIPAA - healthcare)
• [ ] Data residency verified (GDPR - EU data in EU region)
• [ ] Audit log retention configured (PCI-DSS - 12 months, HIPAA - 6 years)
• [ ] Compliance documentation requested (SOC 2, ISO 27001)

Troubleshooting

Cannot Log In to Admin Console

Symptom: "Invalid credentials" error

Solutions:

• Verify tenant ID is correct (case-sensitive)
• Check username matches email from AnkaTech
• Ensure using temporary password (not expired)
• Clear browser cache and cookies
• Try different browser

Still failing?: Contact support@ankatech.co with tenant ID

API Key Authentication Fails

Symptom: 401 Unauthorized when calling API

Solutions:

• Verify API key copied correctly (no extra spaces)
• Check X-Tenant-ID header matches your tenant
• Ensure API key is active (not revoked)
• Verify API endpoint URL is correct

Test Authentication:

curl https://api.ankasecure.com/api/v1/key-management/keys \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "X-Tenant-ID: YOUR_TENANT_ID"

# Expected: 200 OK with JSON array of keys

Key Generation Fails

Symptom: 422 Unprocessable Entity when generating key

Solutions:

• Verify algorithm name is correct (case-sensitive: ML-KEM-768, not ml-kem-768)
• Check key ID is unique (not already used)
• Ensure algorithm is allowed by tenant policy
• Verify quota not exceeded

Check Allowed Algorithms:

curl https://api.ankasecure.com/api/v1/key-management/algorithms \
  -H "Authorization: Bearer YOUR_API_KEY"

# Returns list of allowed algorithms for your tenant

Next Steps

Tenant configured? Continue with:

• Quickstart Guide - Your first encryption
• SDK Integration - Complete SDK guide with 28 examples
• CLI Commands - Automate with CLI tools
• Migration Guide - Migrate from classical crypto

Documentation Version: 3.0.0
Last Updated: 2025-12-26