Configure KMES Series 3

This section shows you how to configure TLS communication between the KMES Series 3 and the Futurex PKCS #11 (FXPKCS11) module installed on the computer that runs CyberArk TPF. Then, it covers general configurations on the KMES Series 3 to enable CyberArk TPF to use the KMES as a Root of Trust for storage encryption and to protect private keys through the Futurex PKCS #11 (FXPKCS11) module.

Configure TLS communication

Perform the following tasks to configure TLS communication between the KMES Series 3 and the CyberArk TPF instance:

Create a certificate authority (CA).
Generate a CSR for the System/Host API connection pair.
Sign the System/Host API CSR.
Export the Root CA and signed System/Host API certificates.
Load the exported certificates into the System/Host API connection pair.
Issue a client certificate for CyberArk TPF.
Export the signed CyberArk TPF certificate.

The following sections describe how to perform these tasks.

Create a CA

Perform the following steps to create a CA:

Go to PKI > Certificate Authorities and select [ Add CA ] at the bottom of the page.

In the Certificate Authority window, enter a name for the certificate container, leave all other fields set to the default values, and select [ OK ].

Right-click the certificate container you just created and select Add Certificate > New Certificate.

On the Subject DN tab, select the Classic preset and set a Common Name for the certificate, such as System TLS CA Root.

On the Basic Info tab, leave all settings at the default values.

On the V3 Extensions tab, select the Certificate Authority profile and select [ OK ].

The root CA certificate now displays under the Certificate Container you created.

Generate a CSR

Perform the following steps to generate a CSR for the System/Host API connection pair:

Go to Administration > Configuration > Network Options.

In the Network Options window, go to the TLS/SSL Settings tab.

Under the System/Host API connection pair, uncheck the Use Futurex Certificates checkbox and select [ Edit ] next to PKI Keys in the User Certificates section.

In the Application Public Keys window, select [ Generate ].

When warned that SSL will not be functional until new certificates are imported, select [ Yes ] to continue.

In the PKI Parameters window, leave the fields set to the default values and select [ OK ].

The Application Public Keys window now shows that a PKI Key Pair is Loaded.

Select [ Request ].

On the Subject DN tab, you can leave the default Common Name value set to System/Host API.

On the V3 Extensions tab, select the TLS Server Certificate profile.

On the PKCS #10 Info tab, select a save location for the CSR and select [ OK ].

When notified that the certificate signing request was successfully written to the location you specified, select [ OK ].

Select [ OK ] again to save the Application Public Keys settings.

In the main Network Options window, the System/Host API connection pair now shows Loaded next to PKI keys.

Select [ OK ] to save and close the Network Options menu.

Sign the CSR

Perform the following steps to sign the System/Host API CSR:

Go to PKI > Certificate Authorities.

Right-click the System TLS CA Root certificate and select Add Certificate > From Request.

In the file browser, select the CSR you generated for the System/Host API connection pair.

After it loads, don’t modify any settings for the certificate. Select [ OK ].

The signed System/Host API TLS certificate now shows under the System TLS CA Root certificate on the Certificate Authorities page.

Export the certificate

Perform the following steps to export the Root CA certificate:

Go to PKI > Certificate Authorities.

Right-click the System TLS CA Root certificate and select Export > Certificate(s).

In the Export Certificates window, change the encoding to PEM and select [ Browse ].

In the file browser, go to the location where you want to save the root CA certificate. Specify a name for the file and select [ Open ].

Select [ OK ].

A message box states that the PEM file was successfully written to the location you specified.

Export the TLS certificate

Perform the following steps to export the signed System/Host API TLS certificate:

Go to PKI > Certificate Authorities.

Right-click the System/Host API certificate and select Export > Certificate(s).

In the Export Certificates window, change the encoding to PEM and select [ Browse ].

In the file browser, navigate to the location where you want to save the signed System/Host API TLS certificate. Specify a name for the file and select [ Open ].

Select [ OK ].

A message box states that the PEM file was successfully written to the location you specified.

Load the TLS certificate

Perform the following steps to load the exported TLS certificate into the System/Host API connection pair:

Go to Administration > Configuration > Network Options.

In the Network Options window, select the TLS/SSL Settings tab.

Under the System/Host API connection pair, select [ Edit ] next to Certificates in the User Certificates section.

Right-click the System/Host API SSL CA X.509 certificate container and select [ Import ].

Select [ Add ] at the bottom of the Import Certificates window.

In a file browser, select both the root CA certificate and the signed System/Host API certificate, and select [ Open ].

The certificate chain appears in the Verified section.

Select [ OK ] to save the changes.

In the Network Options window, the System/Host API connection pair now shows Signed Loaded next to Certificates in the User Certificates section.

Issue a client certificate

Perform the following steps to issue a client certificate for CyberArk TPF:

Go to PKI > Certificate Authorities.

Right-click the System TLS CA Root certificate and select Add Certificate > New Certificate.

On the Subject DN tab, set Venafi as the Common Name for the certificate.

Leave all fields on the Basic Info tab set to the default values.

On the V3 Extensions tab, select the TLS Client Certificate profile and select [ OK ]*.

The Venafi certificate now displays under the System TLS CA Root certificate.A later section of the guide shows you how to modify the Futurex PKCS #11 configuration file to use the client certificate you create for CyberArk TPF in this section.

Export the certificate

Perform the following steps to export the Venafi client certificate as a PKCS #12 file:

To export the Venafi client certificate as a PKCS #12 file, you must go to Administration > Configuration > Options and enable the Allow export of certificates using passwords setting before continuing.

Go to PKI > Certificate Authorities.

Right-click the Venafi certificate and select Export > PKCS#12.

Set a password for the PKCS #12 file, select Export Selected Certificate, and select [ Next ].

In the file browser, select a location for the PKCS #12 file and select [ Open ].

A message box notifies you that the PKCS #12 export was successful.

Move both the Venafi certificate and the root CA certificate exported in the Export the Root CA certificate section to the computer that runs the CyberArk TPF instance.The next section shows you how to configure and use them for TLS communication with the KMES Series 3.

Configure general KMES Series 3 settings for KMES to the CyberArk TPF instance

Perform the following tasks to configure the KMES Series 3 for communication with the CyberArk TPF instance:

Create a new role and identity with the required permissions.
Create a new instance with the Venafi role.
Enable Host API commands.

The following sections show you how to complete these tasks.

Create a new role

Perform the following steps to create a new role with the permissions Venafi requires:

Go to Identity Management > Roles and select [ Add ] at the bottom of the page.

On the Info tab of the Role Editor window, set the Type to Application, the Name to Venafi, select the Hardened checkbox, and set the Logins Required to 1.

On the Permissions tab, enable the following permissions:

Permission	Subpermission
Certificate Authority	Add, Export
Cryptographic Operations	Encrypt, Decrypt, Wrap, Unwrap
Keys	Add, Export
Secure Key Functions	Import PKI, No Usage Wrap, Remove Security, Strength Bypass

On the Advanced tab, set Allowed Ports to Host API only.

Select [ OK ] to finish creating the role.

Create a new identity

Perform the following steps to create a new identity and assign it the Venafi role:

Go to Identity Management > Identities.

Right-click anywhere in the window and select Add > Client Application.

On the Info tab of the Identity Editor window, set the Storage type to HSM and specify a Name for the identity.

On the Assigned Roles tab, select the Venafi role.

On the Authentication tab, remove the default Hardened API Key mechanism and select [ Add ].

In the Configure Credential window, the Hardened Password mechanism populates by default. Select [ Change ], configure a password, and select [ Save ]. Select [ OK ] to finish configuring the new credential.

Select [ OK ] to finish creating the identity.

Enable the Host API commands required for CyberArk TPF operation

Because the Futurex PKCS #11 library connects to the Host API port on the KMES, you must define which Host API commands to enable for Futurex PKCS #11. To enable the Host API commands required for CyberArk TPF operation, complete the following steps:

Go to Administration > Configuration > Host API Options.

Enable the following commands:

Command	Description and subcommand (if applicable)
ATKG	Manipulate HSM trusted asymmetric key group add: Add HSM trusted asymmetric key group modify: Modify HSM trusted asymmetric key group delete: Delete HSM trusted asymmetric key group get: Retrieve HSM trusted asymmetric key group
ATTR	Generic Attribute Operations get: Retrieve generic attributes put: Set generic attributes patch: Patch generic attributes
ECHO	Echo text
RAFA	Filter Issuance Policy
RAND	Generate Random Number
RKCK	Create HSM Trusted Key
RKCP	Get Command Permissions get: Retrieve enabled commands modify: Update enabled commands
RKCS	Create Symmetric HSM Trusted Key Group
RKDK	Delete HSM Trusted Key
RKDP	Delete Asymmetric HSM Trusted Key
RKED	Encrypt or Decrypt Data
RKEP	PKI Encrypt Public Key
RKGP	Export Asymmetric HSM Trusted Key
RKLN	Lookup Objects
RKLO	Login User
RKPK	Pop Generated Key
RKRC	Get HSM Trusted Key
RKRW	Get HSM Trusted Key
TIME	Set Time

Select [ Save ] to finish.

Overview

Certificate Authority

Cloud key management

Code signing

Credential management

Certificate management

Data protection

Data storage

Database

Endpoint management

DNS

Generic

IT automation and orchestration

Key management

Privileged access management

Secrets management

Secure printing

SSH

Virtualization

VPN

Configure TLS communication

Create a CA

Generate a CSR

Sign the CSR

Export the certificate

Export the TLS certificate

Load the TLS certificate

Issue a client certificate

Export the certificate

Configure general KMES Series 3 settings for KMES to the CyberArk TPF instance

Create a new role

Create a new identity

Enable the Host API commands required for CyberArk TPF operation

Overview

Certificate Authority

Cloud key management

Code signing

Credential management

Certificate management

Data protection

Data storage

Database

Endpoint management

DNS

Generic

IT automation and orchestration

Key management

Privileged access management

Secrets management

Secure printing

SSH

Virtualization

VPN

Documentation Index

​Configure TLS communication

​Create a CA

​Generate a CSR

​Sign the CSR

​Export the certificate

​Export the TLS certificate

​Load the TLS certificate

​Issue a client certificate

​Export the certificate

​Configure general KMES Series 3 settings for KMES to the CyberArk TPF instance

​Create a new role

​Create a new identity

​Enable the Host API commands required for CyberArk TPF operation

​

Configure TLS communication

Create a CA

Generate a CSR

Sign the CSR

Export the certificate

Export the TLS certificate

Load the TLS certificate

Issue a client certificate

Export the certificate

Configure general KMES Series 3 settings for KMES to the CyberArk TPF instance

Create a new role

Create a new identity

Enable the Host API commands required for CyberArk TPF operation