Tenant Setup Guide

This guide walks you through initial configuration of your AnkaSecure tenant after receiving access credentials from AnkaTech.

---

Prerequisites

Before you begin, ensure you have:

• ✅ Tenant ID (received via email from AnkaTech)
• ✅ Admin username and temporary password
• ✅ Access to Admin Console (https://console.ankasecure.com)
• ✅ API endpoint URL (https://api.ankasecure.com)

---

Step 1: First Login

1.1 Access Admin Console

Navigate to: https://console.ankasecure.com

Login Form: - Tenant ID: your-tenant-id - Username: [email protected] (provided by AnkaTech) - Password: [Temporary password from email]

1.2 Change Admin Password

You'll be prompted to change password on first login.

Password Requirements: - Minimum 12 characters - At least 1 uppercase letter - At least 1 lowercase letter - At least 1 number - At least 1 special character (!@#$%^&*)

Example Strong Password: AnkaSecure2025!Quantum

---

1.3 Enable Multi-Factor Authentication (Recommended)

Security Best Practice: Enable MFA for all admin accounts

Setup MFA: 1. Navigate to User Settings → Security 2. Click Enable MFA 3. Scan QR code with authenticator app (Google Authenticator, Authy, Microsoft Authenticator) 4. Enter 6-digit verification code 5. Save backup codes (for account recovery)

---

Step 2: Create Additional Users

2.1 Invite Team Members

Navigate to: Users → Invite User

User Information: - Email: User's email address - Role: Select appropriate role - Tenant Admin: Full tenant management (create users, apps, keys) - Application Admin: Manage applications and API keys - User: Perform cryptographic operations only - Auditor: Read-only access to audit logs - Send Invitation: User receives email with setup link

Example:

Email: [email protected]
Role: Application Admin
Permissions: Can create API keys, cannot manage users

2.2 User Roles & Permissions

Role	Manage Users	Manage Apps	Manage Keys	Crypto Ops	View Logs
Tenant Admin	✅	✅	✅	✅	✅
Application Admin	❌	✅	✅	✅	✅
User	❌	❌	❌	✅	❌
Auditor	❌	❌	❌	❌	✅ (read-only)

---

Step 3: Create Your First Application

Applications = Service accounts for API authentication

3.1 Create Application

Navigate to: Applications → Create Application

Application Details: - Name: Production API (descriptive name) - Description: Primary production service for customer data encryption - Permissions: Select operations allowed (encrypt, decrypt, sign, verify, key management)

Click: Create Application

3.2 Generate API Key

After creation, you'll receive: - Application ID: app-123 - API Key: ask_1234567890abcdef... (shown once - copy immediately!)

⚠️ Important: API key shown only once. Store securely (secret manager, environment variables).

Example API Key Storage (.env file, add to .gitignore):

ANKASECURE_API_KEY=ask_1234567890abcdef...
ANKASECURE_TENANT_ID=your-tenant-id
ANKASECURE_BASE_URL=https://api.ankasecure.com

---

Step 4: Generate Your First Key

Via Admin Console (GUI)

Navigate to: Keys → Generate Key

Key Configuration: - Key ID: customer-data-key (unique identifier) - Algorithm: ML-KEM-768 (recommended, quantum-resistant) - Policy Template: NIST_APPROVED (or your region's template) - Description: Customer PII encryption key

Click: Generate Key

Success: Key status shows ACTIVE

---

Via CLI (Command-Line)

# Configure CLI with tenant credentials
ankasecure-cli config init

# Follow prompts:
# API Endpoint: https://api.ankasecure.com
# API Key: ask_1234567890abcdef...
# Tenant ID: your-tenant-id

# Generate key
ankasecure-cli key generate \
  --algorithm ML-KEM-768 \
  --key-id customer-data-key \
  --policy NIST_APPROVED

# Output:
# ✓ Key generated successfully
# Key ID: customer-data-key
# Algorithm: ML-KEM-768
# Status: ACTIVE

---

Via REST API

curl -X POST https://api.ankasecure.com/api/v1/key-management/keys \
  -H "Authorization: Bearer ask_1234567890abcdef..." \
  -H "X-Tenant-ID: your-tenant-id" \
  -H "Content-Type: application/json" \
  -d '{
    "algorithm": "ML-KEM-768",
    "keyId": "customer-data-key",
    "policy": "NIST_APPROVED"
  }'

# Response:
# {
#   "keyId": "customer-data-key",
#   "algorithm": "ML-KEM-768",
#   "status": "ACTIVE",
#   "createdAt": "2025-12-26T10:00:00Z",
#   "publicKey": "..."
# }

---

Step 5: Test Integration

SDK Integration Test

import co.ankatech.ankasecure.sdk.AnkaSecureClient;
import co.ankatech.ankasecure.sdk.config.ClientConfig;

// Configure client
ClientConfig config = ClientConfig.builder()
    .baseUrl("https://api.ankasecure.com")
    .apiKey(System.getenv("ANKASECURE_API_KEY"))
    .tenant(System.getenv("ANKASECURE_TENANT_ID"))
    .build();

AnkaSecureClient client = new AnkaSecureClient(config);

// Test encryption
EncryptRequest request = EncryptRequest.builder()
    .keyId("customer-data-key")
    .plaintext("Hello AnkaSecure!")
    .build();

EncryptResponse encrypted = client.encrypt(request);
System.out.println("✓ Encryption successful: " + encrypted.getCiphertext());

// Test decryption
DecryptRequest decryptReq = DecryptRequest.builder()
    .ciphertext(encrypted.getCiphertext())
    .build();

DecryptResponse decrypted = client.decrypt(decryptReq);
System.out.println("✓ Decryption successful: " + decrypted.getPlaintext());

Expected Output:

✓ Encryption successful: eyJhbGciOiJNTC1LRU0tNzY4IiwiZW5jIjoiQTI1NkdDTSJ9...
✓ Decryption successful: Hello AnkaSecure!

---

CLI Integration Test

# Encrypt a file
echo "Sensitive data" > test.txt
ankasecure-cli encrypt \
  --key-id customer-data-key \
  --input test.txt \
  --output test.enc

# Output:
# ✓ File encrypted successfully

# Decrypt the file
ankasecure-cli decrypt \
  --input test.enc \
  --output decrypted.txt

cat decrypted.txt
# Sensitive data

---

Step 6: Configure Policies (Optional)

Policy Templates

What are policies?: Pre-configured algorithm availability sets aligned with regulations

Available Templates: - NIST_APPROVED - USA federal compliance - BSI_COMPLIANT - Germany - CRYPTREC - Japan - CHINA_GMT_COMPLIANT - China - PCI_DSS - Finance sector - See all 20 templates →

Example: Enforce only NIST-approved algorithms for all keys

Via Admin Console: 1. Navigate to Settings → Policies 2. Select Default Policy Template: NIST_APPROVED 3. Save Changes

Effect: All new keys must use NIST-approved algorithms (ML-KEM, ML-DSA, AES, etc.)

---

Step 7: Set Up Monitoring (Recommended)

Enable Audit Logging

Navigate to: Settings → Audit Logs

Configuration: - Log Retention: 90 days (default), up to 7 years (compliance) - Log Export: Enable export to external SIEM (Splunk, ELK, Datadog)

Export API (download audit logs):

curl https://api.ankasecure.com/api/v1/audit/logs \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "X-Tenant-ID: your-tenant-id" \
  -G -d "start=2025-12-01" -d "end=2025-12-31"

# Returns JSON array of audit events

---

Configure Alerts

Navigate to: Settings → Alerts

Recommended Alerts: - ✅ Failed authentication attempts (>10 in 1 hour) - ✅ Quota approaching limit (80% of monthly quota) - ✅ New API key generated (security awareness) - ✅ Key deletion (prevent accidental data loss)

Alert Destinations: - Email notifications - Webhook (POST to your endpoint) - Integration with PagerDuty, Slack, Microsoft Teams

---

Tenant Configuration Checklist

Initial Setup

• [ ] First login completed
• [ ] Admin password changed
• [ ] MFA enabled for admin account
• [ ] Additional users invited (if applicable)
• [ ] First application created
• [ ] API key generated and stored securely
• [ ] First cryptographic key generated
• [ ] Integration tested (SDK or CLI)

Security Hardening

• [ ] MFA enforced for all admin users
• [ ] API keys rotated (initial keys from email replaced)
• [ ] IP whitelist configured (if available in your tier)
• [ ] Audit logging enabled
• [ ] Alerts configured (failed auth, quota, key operations)

Compliance (if applicable)

• [ ] BAA signed (HIPAA - healthcare)
• [ ] Data residency verified (GDPR - EU data in EU region)
• [ ] Audit log retention configured (PCI-DSS - 12 months, HIPAA - 6 years)
• [ ] Compliance documentation requested (SOC 2, ISO 27001)

---

Troubleshooting

Cannot Log In to Admin Console

Symptom: "Invalid credentials" error

Solutions: - Verify tenant ID is correct (case-sensitive) - Check username matches email from AnkaTech - Ensure using temporary password (not expired) - Clear browser cache and cookies - Try different browser

Still failing?: Contact support@ankatech.co with tenant ID

---

API Key Authentication Fails

Symptom: 401 Unauthorized when calling API

Solutions: - Verify API key copied correctly (no extra spaces) - Check X-Tenant-ID header matches your tenant - Ensure API key is active (not revoked) - Verify API endpoint URL is correct

Test Authentication:

curl https://api.ankasecure.com/api/v1/key-management/keys \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "X-Tenant-ID: YOUR_TENANT_ID"

# Expected: 200 OK with JSON array of keys

---

Key Generation Fails

Symptom: 422 Unprocessable Entity when generating key

Solutions: - Verify algorithm name is correct (case-sensitive: ML-KEM-768, not ml-kem-768) - Check key ID is unique (not already used) - Ensure algorithm is allowed by tenant policy - Verify quota not exceeded

Check Allowed Algorithms:

curl https://api.ankasecure.com/api/v1/key-management/algorithms \
  -H "Authorization: Bearer YOUR_API_KEY"

# Returns list of allowed algorithms for your tenant

---

Next Steps

Tenant configured? Continue with:

• Quickstart Guide - Your first encryption
• SDK Integration - Complete SDK guide with 28 examples
• CLI Commands - Automate with CLI tools
• Migration Guide - Migrate from classical crypto

---

Documentation Version: 3.0.0 Last Updated: 2025-12-26