> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Configure KMES Series 3

> Procedures to configure KMES Series 3 for TLS and general integration with CyberArk TPF.

This section shows you how to configure TLS communication between the KMES Series 3 and the Futurex PKCS #11 (**FXPKCS11**) module installed on the computer that runs CyberArk TPF. Then, it covers general configurations on the KMES Series 3 to enable CyberArk TPF to use the KMES as a Root of Trust for storage encryption and to protect private keys through the Futurex PKCS #11 (**FXPKCS11**) module.

## Configure TLS communication

Perform the following tasks to configure TLS communication between the KMES Series 3 and the CyberArk TPF instance:

1. Create a certificate authority (CA).
2. Generate a CSR for the System/Host API connection pair.
3. Sign the System/Host API CSR.
4. Export the Root CA and signed System/Host API certificates.
5. Load the exported certificates into the System/Host API connection pair.
6. Issue a client certificate for CyberArk TPF.
7. Export the signed CyberArk TPF certificate.

The following sections describe how to perform these tasks.

### Create a CA

Perform the following steps to create a CA:

<Steps>
  <Step>
    Log in to the KMES Series 3 application interface with the default Admin identities.
  </Step>

  <Step>
    Go to **PKI** > **Certificate** **Authorities** and select **\[ Add CA ]** at the bottom of the page.
  </Step>

  <Step>
    In the **Certificate** **Authority** window, enter a name for the certificate container, leave all other fields set to the default values, and select **\[ OK ]**.
  </Step>

  <Step>
    Right-click the certificate container you just created and select **Add** **Certificate** > **New Certificate**.
  </Step>

  <Step>
    On the **Subject DN** tab, select the **Classic** preset and set a **Common Name** for the certificate, such as `System TLS CA Root`.
  </Step>

  <Step>
    On the **Basic Info** tab, leave all settings at the default values.
  </Step>

  <Step>
    On the **V3 Extensions** tab, select the **Certificate Authority** profile and select **\[ OK ]**.

    <Check>
      The root CA certificate now displays under the Certificate Container you created.
    </Check>
  </Step>
</Steps>

### Generate a CSR

Perform the following steps to generate a CSR for the System/Host API connection pair:

<Steps>
  <Step>
    Go to **Administration** > **Configuration** > **Network Options**.
  </Step>

  <Step>
    In the **Network** **Options** window, go to the **TLS/SSL Settings** tab.
  </Step>

  <Step>
    Under the **System/Host API** connection pair, uncheck the **Use Futurex Certificates** checkbox and select **\[ Edit ]** next to **PKI Keys** in the **User Certificates** section.
  </Step>

  <Step>
    In the **Application Public Keys** window, select **\[ Generate ]**.
  </Step>

  <Step>
    When warned that S*SL will not be functional until new certificates are imported*, select **\[ Yes ]** to continue.
  </Step>

  <Step>
    In the **PKI Parameters** window, leave the fields set to the default values and select **\[ OK ]**.

    <Check>
      The Application Public Keys window now shows that a PKI Key Pair is Loaded.
    </Check>
  </Step>

  <Step>
    Select **\[ Request ]**.
  </Step>

  <Step>
    On the **Subject DN** tab, you can leave the default **Common Name** value set to `System/Host API`.
  </Step>

  <Step>
    On the **V3 Extensions** tab, select the **TLS Server Certificate** profile.
  </Step>

  <Step>
    On the **PKCS #10 Info** tab, select a save location for the CSR and select **\[ OK ]**.
  </Step>

  <Step>
    When notified that *the certificate signing request was successfully written to the location you specified*, select **\[ OK ]**.
  </Step>

  <Step>
    Select **\[ OK ]** again to save the **Application Public Keys** settings.

    <Check>
      In the main Network Options window, the System/Host API connection pair now shows Loaded next to PKI keys.
    </Check>
  </Step>

  <Step>
    Select **\[ OK ]** to save and close the **Network Options** menu.
  </Step>
</Steps>

#### Sign the CSR

Perform the following steps to sign the System/Host API CSR:

<Steps>
  <Step>
    Go to **PKI** > **Certificate** **Authorities**.
  </Step>

  <Step>
    Right-click the **System TLS CA Root** certificate and select **Add** **Certificate** > **From** **Request**.
  </Step>

  <Step>
    In the file browser, select the CSR you generated for the System/Host API connection pair.
  </Step>

  <Step>
    After it loads, don't modify any settings for the certificate. Select **\[ OK ]**.

    <Check>
      The signed System/Host API TLS certificate now shows under the System TLS CA Root certificate on the Certificate Authorities page.
    </Check>
  </Step>
</Steps>

### Export the certificate

Perform the following steps to export the Root CA certificate:

<Steps>
  <Step>
    Go to **PKI** > **Certificate** **Authorities**.
  </Step>

  <Step>
    Right-click the **System TLS CA Root** certificate and select **Export** > **Certificate(s)**.
  </Step>

  <Step>
    In the **Export** **Certificates** window, change the encoding to **PEM** and select **\[ Browse ]**.
  </Step>

  <Step>
    In the file browser, go to the location where you want to save the root CA certificate. Specify a name for the file and select **\[ Open ]**.
  </Step>

  <Step>
    Select **\[ OK ]**.

    <Check>
      A message box states that the PEM file was successfully written to the location you specified.
    </Check>
  </Step>
</Steps>

### Export the TLS certificate

Perform the following steps to export the signed System/Host API TLS certificate:

<Steps>
  <Step>
    Go to **PKI** > **Certificate** **Authorities**.
  </Step>

  <Step>
    Right-click the **System/Host API** certificate and select **Export** > **Certificate(s)**.
  </Step>

  <Step>
    In the **Export** **Certificates** window, change the encoding to **PEM** and select **\[ Browse ]**.
  </Step>

  <Step>
    In the file browser, navigate to the location where you want to save the signed System/Host API TLS certificate. Specify a name for the file and select **\[ Open ]**.
  </Step>

  <Step>
    Select **\[ OK ]**.

    <Check>
      A message box states that the PEM file was successfully written to the location you specified.
    </Check>
  </Step>
</Steps>

### Load the TLS certificate

Perform the following steps to load the exported TLS certificate into the System/Host API connection pair:

<Steps>
  <Step>
    Go to **Administration** > **Configuration** > **Network Options**.
  </Step>

  <Step>
    In the **Network** **Options** window, select the **TLS/SSL Settings** tab.
  </Step>

  <Step>
    Under the **System/Host API** connection pair, select **\[ Edit ]** next to **Certificates** in the **User** **Certificates** section.
  </Step>

  <Step>
    Right-click the **System/Host API SSL CA** X.509 certificate container and select **\[ Import ]**.
  </Step>

  <Step>
    Select **\[ Add ]** at the bottom of the **Import Certificates** window.
  </Step>

  <Step>
    In a file browser, select both the root CA certificate and the signed System/Host API certificate, and select **\[ Open ]**.

    <Check>
      The certificate chain appears in the Verified section.
    </Check>
  </Step>

  <Step>
    Select **\[ OK ]** to save the changes.

    <Check>
      In the Network Options window, the System/Host API connection pair now shows Signed Loaded next to Certificates in the User Certificates section.
    </Check>
  </Step>
</Steps>

### Issue a client certificate

Perform the following steps to issue a client certificate for CyberArk TPF:

<Steps>
  <Step>
    Go to **PKI** > **Certificate** **Authorities**.
  </Step>

  <Step>
    Right-click the **System TLS CA Root** certificate and select **Add Certificate** > **New Certificate**.
  </Step>

  <Step>
    On the **Subject DN** tab, set **Venafi** as the **Common Name** for the certificate.
  </Step>

  <Step>
    Leave all fields on the **Basic Info** tab set to the default values.
  </Step>

  <Step>
    On the **V3 Extensions** tab, select the **TLS Client Certificate** profile and select **\[ OK ]**\*.

    <Check>
      The Venafi certificate now displays under the System TLS CA Root certificate.

      A later section of the guide shows you how to modify the Futurex PKCS #11 configuration file to use the client certificate you create for CyberArk TPF in this section.
    </Check>
  </Step>
</Steps>

#### Export the certificate

Perform the following steps to export the Venafi client certificate as a PKCS #12 file:

<Note>
  To export the Venafi client certificate as a PKCS #12 file, you must go to Administration > Configuration > Options and enable the Allow export of certificates using passwords setting before continuing.
</Note>

<Steps>
  <Step>
    Go to **PKI** > **Certificate Authorities**.
  </Step>

  <Step>
    Right-click the Venafi certificate and select **Export** > **PKCS#12**.
  </Step>

  <Step>
    Set a password for the PKCS #12 file, select **Export Selected Certificate**, and select **\[ Next ]**.
  </Step>

  <Step>
    In the file browser, select a location for the PKCS #12 file and select **\[ Open ]**.

    <Check>
      A message box notifies you that the PKCS #12 export was successful.
    </Check>
  </Step>

  <Step>
    Move both the **Venafi** certificate and the **root CA** certificate exported in the **Export the Root CA certificate** section to the computer that runs the CyberArk TPF instance.

    The next section shows you how to configure and use them for TLS communication with the KMES Series 3.
  </Step>
</Steps>

## Configure general KMES Series 3 settings for KMES to the CyberArk TPF instance

Perform the following tasks to configure the KMES Series 3 for communication with the CyberArk TPF instance:

1. Create a new role and identity with the required permissions.
2. Create a new instance with the Venafi role.
3. Enable Host API commands.

The following sections show you how to complete these tasks.

### Create a new role

Perform the following steps to create a new role with the permissions Venafi requires:

<Steps>
  <Step>
    Go to **Identity** **Management** > **Roles** and select **\[ Add ]** at the bottom of the page.
  </Step>

  <Step>
    On the **Info** tab of the **Role Editor** window, set the **Type** to **Application**, the **Name** to `Venafi`, select the **Hardened** checkbox, and set the **Logins** **Required** to `1`.
  </Step>

  <Step>
    On the **Permissions** tab, enable the following permissions:

    <table>
      <thead>
        <tr>
          <th><em><strong>Permission</strong></em></th>
          <th><em><strong>Subpermission</strong></em></th>
        </tr>
      </thead>

      <tbody>
        <tr>
          <td><strong>Certificate Authority</strong> </td>
          <td>Add, Export</td>
        </tr>

        <tr>
          <td><strong>Cryptographic Operations</strong></td>
          <td>Encrypt, Decrypt, Wrap, Unwrap</td>
        </tr>

        <tr>
          <td><strong>Keys</strong></td>
          <td>Add, Export</td>
        </tr>

        <tr>
          <td><strong>Secure Key Functions</strong></td>
          <td>Import PKI, No Usage Wrap, Remove Security, Strength Bypass</td>
        </tr>
      </tbody>
    </table>
  </Step>

  <Step>
    On the **Advanced** tab, set **Allowed Ports** to **Host API** only.
  </Step>

  <Step>
    Select **\[ OK ]** to finish creating the role.
  </Step>
</Steps>

### Create a new identity

Perform the following steps to create a new identity and assign it the Venafi role:

<Steps>
  <Step>
    Go to **Identity Management** > **Identities**.
  </Step>

  <Step>
    Right-click anywhere in the window and select **Add** > **Client** **Application**.
  </Step>

  <Step>
    On the **Info** tab of the **Identity Editor** window, set the **Storage** type to **HSM** and specify a **Name** for the identity.
  </Step>

  <Step>
    On the **Assigned Roles** tab, select the **Venafi** role.
  </Step>

  <Step>
    On the **Authentication** tab, remove the default **Hardened API Key** mechanism and select **\[ Add ]**.
  </Step>

  <Step>
    In the **Configure Credential** window, the **Hardened Password** mechanism populates by default. Select **\[ Change ]**, configure a password, and select **\[ Save ]**. Select **\[ OK ]** to finish configuring the new credential.
  </Step>

  <Step>
    Select **\[ OK ]** to finish creating the identity.
  </Step>
</Steps>

### Enable the Host API commands required for CyberArk TPF operation

Because the Futurex PKCS #11 library connects to the Host API port on the KMES, you must define which Host API commands to enable for Futurex PKCS #11. To enable the Host API commands required for CyberArk TPF operation, complete the following steps:

<Steps>
  <Step>
    Go to **Administration** > **Configuration** > **Host API Options**.
  </Step>

  <Step>
    Enable the following commands:

    <table>
      <thead>
        <tr>
          <th><em><strong>Command</strong></em></th>
          <th><em><strong>Description  and subcommand (if applicable)</strong></em></th>
        </tr>
      </thead>

      <tbody>
        <tr>
          <td><strong>ATKG</strong></td>
          <td>Manipulate HSM trusted asymmetric key group<ul><li><strong>add</strong>: Add HSM trusted asymmetric key group</li><li><strong>modify</strong>: Modify HSM trusted asymmetric key group</li><li><strong>delete:</strong> Delete HSM trusted asymmetric key group</li><li><strong>get:</strong> Retrieve HSM trusted asymmetric key group</li></ul></td>
        </tr>

        <tr>
          <td><strong>ATTR</strong></td>
          <td>Generic Attribute Operations<ul><li><strong>get</strong>: Retrieve generic attributes </li><li><strong>put</strong>: Set generic attributes</li><li><strong>patch</strong>: Patch generic attributes</li></ul></td>
        </tr>

        <tr>
          <td><strong>ECHO</strong></td>
          <td>Echo text</td>
        </tr>

        <tr>
          <td><strong>RAFA</strong></td>
          <td>Filter Issuance Policy</td>
        </tr>

        <tr>
          <td><strong>RAND</strong></td>
          <td>Generate Random Number</td>
        </tr>

        <tr>
          <td><strong>RKCK</strong></td>
          <td>Create HSM Trusted Key</td>
        </tr>

        <tr>
          <td><strong>RKCP</strong></td>
          <td>Get Command Permissions<ul><li><strong>get</strong>: Retrieve enabled commands</li><li><strong>modify</strong>: Update enabled commands</li></ul></td>
        </tr>

        <tr>
          <td><strong>RKCS</strong></td>
          <td>Create Symmetric HSM Trusted Key Group</td>
        </tr>

        <tr>
          <td><strong>RKDK</strong></td>
          <td>Delete HSM Trusted Key</td>
        </tr>

        <tr>
          <td><strong>RKDP</strong></td>
          <td>Delete Asymmetric HSM Trusted Key</td>
        </tr>

        <tr>
          <td><strong>RKED</strong></td>
          <td>Encrypt or Decrypt Data</td>
        </tr>

        <tr>
          <td><strong>RKEP</strong></td>
          <td>PKI Encrypt Public Key</td>
        </tr>

        <tr>
          <td><strong>RKGP</strong></td>
          <td>Export Asymmetric HSM Trusted Key</td>
        </tr>

        <tr>
          <td><strong>RKLN</strong></td>
          <td>Lookup Objects</td>
        </tr>

        <tr>
          <td><strong>RKLO</strong></td>
          <td>Login User</td>
        </tr>

        <tr>
          <td><strong>RKPK</strong></td>
          <td>Pop Generated Key</td>
        </tr>

        <tr>
          <td><strong>RKRC</strong></td>
          <td>Get HSM Trusted Key</td>
        </tr>

        <tr>
          <td><strong>RKRW</strong></td>
          <td>Get HSM Trusted Key</td>
        </tr>

        <tr>
          <td><strong>TIME</strong></td>
          <td>Set Time</td>
        </tr>
      </tbody>
    </table>
  </Step>

  <Step>
    Select **\[ Save ]** to finish.
  </Step>
</Steps>

##
