Configure KMES Series 3 - Futurex Documentation

This section starts with general KMES configurations that enable RHCS to integrate with the KMES to store various keys and certificates used in the CA subsystem operation. Then, it covers the steps to configure TLS communication between the KMES Series 3 and the Futurex PKCS #11 (FXPKCS11) library, which RHCS uses to communicate with the KMES.

Configure general KMES settings for the RHCS integration

Perform the following tasks to configure the KMES Series 3 for communication with FXPKCS #11:

Create an RHCS role and identity with the correct assigned permissions.
Enable Host API commands.

The following sections show you how to complete these tasks.

Create a role and identity for RHCS

After you create a new role on the KMES Series 3, you assign it to the identity, and subsequently, the FXPKCS11 library uses the identity to connect to the KMES.

Go to Identity Management > Roles and select [ Add ] at the bottom of the page.

On the Info tab of the Role Editor window, specify a name for the role, select the Hardened checkbox, and set Logins Required to 1.

On the Permissions tab, enable the following permissions:

Permission	Subpermission
Certificate Authority	Add, Upload, Export
Cryptographic Operations	Sign
Keys	Add

On the Advanced tab, set the Allowed Ports field to Host API only.

Select** [ OK ]**to finish creating the role.

Go to Identity Management > Identities, right-click anywhere in the window, and select Add > Client Application.

Change the Storage to HSM and specify a Name for the identity.

On the Assigned Roles tab, select the role that you created previously.

On the Authentication tab, select** [ Add ]** to configure a new credential.

In the Configure Credential window, set the credential Type to Password, Provider to Futurex HSM, and Mechanism to Hardened Password.

Select [ Change ] and set a password for the credential, select [ Save ], and select [ OK ].

The new Password credential now displays under the API Key credential that exists by default.

In the main Identity Editor window, select the API Key credential, select [ Remove ], and select **[ OK ]**to save.

Enable the Host API commands

Because the Futurex PKCS #11 library connects to the Host API port on the KMES Series 3, you must define which Host API commands to enable for the FXPKCS11 library to use for the RHCS operation. To set the enabled commands, complete the following steps:

Go to Administration > Configuration > Host API Options and enable the following commands:

Command	Description or subcommand (if applicable)
ATKG	Manipulate HSM trusted asymmetric key group add: Add HSM trusted asymmetric key group get: Retrieve HSM trusted asymmetric key group
ECHO	Communication Test/Retrieve Version
RKCP	Get command permissions get: Retrieve enabled commands
RKCY	Create Certificate Authority
RKGP	Export Asymmetric HSM Trusted Key
RKGS	Generate Signature
RKIC	Import Certificate
RKLN	Lookup Objects
RKLO	Login User
RKPK	Pop Generated Key
RKRK	Retrieve Certificate

Select** [ Save ]** to finish.

Configure TLS communication

Perform the following tasks to configure TLS communication between the KMES Series 3 and the Futurex PKCS #11 (FXPKCS11) Library:

Create an X.509 certificate container and Root CA certificate.
Generate a CSR for the System/Host API connection pair.
Sign the System/Host API CSR.
Export the Root CA.
Export the signed System/Host API TLS certificate.
Load the exported certificates into the System/Host API connection pair.
Generate a TLS private key and CSR for the FXPKCS11 library.
Sign the CSR for the FXPKCS11 library.
Export the signed **FXPKCS11 **TLS certificate.

The following sections describe how to perform these tasks.

Create a container and certificate

Perform the following steps to create an X.509 certificate container and Root CA certificate:

Go to PKI > Certificate Authorities and select **[ Add CA ]**at the bottom of the page.

In the Certificate Authority window, enter a Name for the certificate container, leave all other fields set to the default values, and select [ OK ].

Right-click the certificate container that you created and select Add Certificate > New Certificate.

On the Subject DN tab, select Classic in the Preset drop-down list and set a Common Name for the certificate, such as System TLS CA Root.

On the Basic Info tab, leave all fields set to the default values.

On the V3 Extensions tab, select Certificate Authority in the Profile drop-down list and select [ OK ].

The System TLS CA Root certificate now displays inside the previously created certificate container.

Generate a CSR

Perform the following steps to generate a CSR for the System/Host API connection pair:

Go to Administration > Configuration > Network Options.

In the Network Options window, go to the TLS/SSL Settings tab.

Under the System/Host API connection pair, uncheck the Use Futurex certificates checkbox and select [ Edit ] next to PKI keys in the User Certificates section.

In the Application Public Keys window, select** [ Generate ]**.

When warned that SSL will not be functional until new certificates are imported, select** [ Yes ]** to continue.

In the PKI Parameters window, leave all fields set to the default values and select [ OK ]*.

The Application Public Keys window now shows that a PKI key pair is Loaded.

Select [ Request ].

On the Subject DN tab, set a Common Name for the certificate, such as KMES.

On the Basic Info tab, leave all fields set to the default values.

On the V3 Extensions tab, select TLS Server Certificatein the Profile drop-down list.

On the PKCS #10 Info tab, select [ Browse ], select a save location for the CSR, specify a name for the file, and select [ Open ].

Select **[ OK ]**to finish generating the CSR.

When prompted that* the certificate signing request was successfully written to the file location that was selected*, select [ OK ].

Select [ OK ] again to save the Application Public Keys settings.

The main Network Options window now shows Loaded next to PKI keys under the System/Host API connection pair.

Select [ OK ].

Sign the CSR

Perform the following steps to sign the CSR:

Go to PKI > Certificate Authorities.

Right-click on the System TLS CA Rootcertificate and select Add Certificate > From Request.

In the file browser, select the CSR that you generated for the System/Host API connection pair and select [ Open ].

After it loads, don’t modify any certificate settings. Select [ OK ].

The signed KMES TLS certificate now shows under the System TLS CA Root certificate in the Certificate Authorities menu

Export the Root certificate

Perform the following steps to export the System TLS CA Root certificate:

Go to PKI > Certificate Authorities.

Right-click the System TLS CA Rootcertificate and select Export > Certificate(s).

In the Export Certificate window, select PEM in the Encoding drop-down list and select [ Browse ].

In the file browser, go to the location where you want to save the System TLS CA Root certificate, specify a name for the file, and select [ Open ].

Select** [ OK ]**.

A message box states that the PEM file was successfully written to the location that you specified.

Select **[ OK ]**again to exit the window.

Export the API TLS certificate

Perform the following steps to export the signed System/Host API TLS certificate:

Go to PKI > Certificate Authorities.

Right-click the KMES certificate and select Export > Certificate(s).

In the Export Certificate window, select PEM in the Encoding drop-down list and select [ Browse ].

In the file browser, go to the location where you want to save the KMES TLS certificate, specify a name for the file, and select [ Open ].

Select [ OK ].

A message box states that the PEM file was successfully written to the location that you specified.

Select **[ OK ]**again to exit the window.

Load the certificates

Perform the following steps to load the exported TLS certificates into the System/Host API connection pair:

Go to Administration > Configuration > Network Options.

In the Network Options window, go to the TLS/SSL Settings tab.

Select** [ Edit ]** next to Certificates in the User Certificates section for the System/Host API connection pair.

Right-click the **System/Host API SSL CA **X.509 certificate container and select [ Import ].

Select [ Add ] at the bottom of the Import Certificates window.

In the file browser, select both the System TLS CA Root certificate and the signed {{k}} certificate, and select [ Open ].

The certificate chain appears in the Verified section.

Select** [ OK ]**to save the changes.

In the Network Options window, the System/Host API connection pair now shows Signed loaded next to Certificates in the User Certificates section.

Generate a TLS private key and CSR

Perform the following steps to generate a TLS private key and CSR for the Futurex PKCS #11 (FXPKCS11) library by using OpenSSL:

You must run the commands in this section from a terminal application with OpenSSL.

Open a terminal and run the following command to generate a TLS private key for the FXPKCS11 library:

Shell

openssl genrsa -out fxpkcs11_tls_privatekey.pem 2048

The command outputs the private key to fxpkcs11tlsprivatekey.pem in the same directory where you ran the command.

Run the following command to generate a CSR for the FXPKCS11 library:

Shell

openssl req -new -key fxpkcs11_tls_privatekey.pem -out fxpkcs11_tls_cert_req.pem -days 365

When prompted to enter certificate information, set the default value for each field by pressing the Enter key at every prompt.

The command outputs the CSR to fxpkcs11tlscert_req.pem in the same directory from where you ran the command.

Move or copy the CSR file, fxpkcs11_tls_cert_req.pem, to the storage medium configured on the KMES.

Sign the CSR

Perform the following steps to sign the CSR for the FXPKCS11 library:

Go to PKI > Certificate Authorities.

Right-click the System TLS CA Rootcertificate and select Add Certificate > From Request.

In the file browser, select the **FXPKCS11 **CSR, tls_cert_req.pem.

Certificate information populates in the Create X.509 From CSR window.

On the Subject DN tab, select Classic in the Preset drop-down list and set a Common Name for the certificate, such as FXPKCS11.

On the Basic Info tab, leave fields set to the default values.

On the V3 Extensions tab, select the TLS Client Certificateprofile and select [ OK ].

The signed FXPKCS11 certificate now displays under the System TLS CA Root certificate.

Export the TLS certificate

Perform the following steps to export the signed **FXPKCS11 **TLS certificate:

Go to PKI > Certificate Authorities.

Right-click the FXPKCS11certificate and select Export > Certificate(s).

In the Export Certificate window, select PEM in the Encoding drop-down list and select [ Browse ].

In the file browser, go to the location where you want to save the **FXPKCS11 **TLS certificate, specify a name for the file, and select [ Open ].

Select [ OK ].

When prompted that the PEM file was successfully written to the location that you specified, select **[ OK ]**again to exit the window.

Copy the signed **FXPKCS11 **TLS certificate and the System TLS CA Root certificate to the computer where you plan to run the RHCS instance.The next section shows you how to configure them in the FXPKCS11 configuration file and use them for TLS communication in the KMES Series 3.

​Configure general KMES settings for the RHCS integration

​Create a role and identity for RHCS

​Enable the Host API commands

​Configure TLS communication

​Create a container and certificate

​Generate a CSR

​Sign the CSR

​Export the Root certificate

​Export the API TLS certificate

​Load the certificates

​Generate a TLS private key and CSR

​Sign the CSR

​Export the TLS certificate

Configure general KMES settings for the RHCS integration

Create a role and identity for RHCS

Enable the Host API commands

Configure TLS communication

Create a container and certificate

Generate a CSR

Sign the CSR

Export the Root certificate

Export the API TLS certificate

Load the certificates

Generate a TLS private key and CSR

Sign the CSR

Export the TLS certificate