Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.futurex.com/llms.txt

Use this file to discover all available pages before exploring further.

This section starts with general configurations you must make on the KMES to enable Versasec vSEC:CMS to integrate with the KMES for storing the master key(s) used when performing administration key operations with the vSEC:CMS, such as registering a credential or PIN unblock operations. Then, it covers the necessary steps to configure TLS communication between the KMES and the vSEC:CMS instance.

Configure general KMES settings for integration with vSEC:CMS

Perform the following tasks to configure the KMES Series 3 for communication with SignTool:
  1. Create a Verasec role and identity with the correct assigned permissions.
  2. Enable Host API commands.
The following sections show you how to complete these tasks.

Create a role and identity

Perform the following steps to create a new role and identity for vSEC on the KMES Series 3 with the required permissions. A later section shows you how to configure them in the Futurex PKCS #11 configuration file.
1
Log in to the KMES Series 3 application interface with the default Admin identities.
2
Go to Identity Management > Roles and select [ Add ] at the bottom of the page.
3
On the Info tab of the Role Editor window, specify a name for the role and set the number of Logins Required to 1.
4
On the Permissions tab, enable the following permissions:
PermissionSubpermission
Cryptographic OperationsSign, Verify, Encrypt, Decrypt
KeysAdd, Export
5
On the Advanced tab, configure Allowed Ports to Host API only
6
Select [ OK ] to finish creating the role.
7
Go to Identity Management > Identities, right-click anywhere in the window, and select Add > Client Application.
8
On the Info tab of the Identity Editor window, select Application for the storage location and specify a name for the identity.
9
On the Assigned Roles tab, select the role you just created.
10
On the Authentication tab, configure the password.
11
Select [ OK ] to finish creating the identity.

Enable the Host API commands

Because the Futurex PKCS #11 library connects to the Host API port on the KMES, you must define which Host API commands to enable for the FXPKCS11 library. To enable the eHost API commands required for vSEC:CMS operation, complete the following steps:
1
Log in to the KMES Series 3 application interface with the default Admin identities.
2
Go to Administration > Configuration > Host API Options and enable the following commands:
CommandDescription or subcommand (if applicable)
ATKGManipulate HSM trusted asymmetric key group
  • add: Add HSM Trusted asymmetric key group
  • modify: Modify HSM trusted asymmetric key group
  • delete: Delete HSM trusted asymmetric key group
  • get: Retrieve HSM trusted asymmetric key group
ECHOCommunication Test/Retrieve Version
RAFAFilter Issuance Policy
RKCPGet Command Permissions
  • get: Retrieve enabled commands
  • modify: Update enabled commands
RKCSCreate Symmetric HSM Trusted Key Group
RKDPDelete Asymmetric HSM Trusted Key
RKEDEncrypt or Decrypt Data
RKLNLookup Objects
RKLOLogin User
RKPKPop Generated Key
RKRCGet HSM Trusted Key
RKRURSA unwrap the symmetric key
TIMESet Time
3
Select [ Save ] to finish.

Configure TLS communication

Perform the following tasks to configure TLS communication between the KMES Series 3 and the vSEC:CMS instance:
  1. Create a Certificate Authority.
  2. Generate a CSR for the System/Host API connection pair.
  3. Sign the System/Host API CSR.
  4. Export the Root CA certificate.
  5. Export the signed System/Host API TLS certificate.
  6. Load the exported certificates into the System/Host API connection pair.
  7. Issue a client certificate for vSEC:CMS.
  8. Export the vSEC:CMS certificate as a PKCS #12 file.
The following sections describe how to perform these tasks.

Create a Certificate Authority

Perform the following steps to create a Certificate Authority (CA):
1
Log in to the KMES Series 3 application interface with the default Admin identities.
2
Go to PKI > Certificate Authorities and select [ Add CA ] at the bottom of the page.
3
In the Certificate Authority window, enter a name for the certificate container, leave all other fields as the default values, and select [ OK ].
The certificate container you created now displays in the Certificate Authorities menu.
4
Right-click the certificate container and select Add Certificate > New Certificate.
5
On the Subject DN tab, set a Common Name for the certificate, such as System TLS CA Root.
6
On the Basic Info tab, leave all of the default values set.
7
On the V3 Extensions tab, select the Certificate Authority profile and select [ OK ].
The root CA certificate now displays under the previously created certificate container.

Generate a CSR

Perform the following steps to generate a CSR for the System/Host API connection pair:
1
Go to Administration > Configuration > Network Options.
2
In the Network Options window, go to the TLS/SSL Settings tab.
3
Under the System/Host API connection pair, uncheck the Use Futurex certificates checkbox and select [ Edit ] next to PKI keys in the User Certificates section.
4
In the Application Public Keys window, select [ Generate ].
5
When warned that SSL will not be functional until new certificates are imported, select [ Yes ] to continue.
6
In the PKI Parameters window, leave the fields set to the default values and select [ OK ].
The Application Public Keys window now shows that a PKI Key Pair is Loaded.
7
Select [ Request ].
8
On the Subject DN tab, set a Common Name for the certificate, such as KMES.
9
On the V3 Extensions tab, select the TLS Server Certificate profile.
10
On the PKCS #10 Info tab, select a save location for the CSR and select [ OK ].
11
When notified that the certificate signing request was successfully written to the file location that was selected, select [ OK ]*.
12
Select [ OK ] again to save the Application Public Keys settings.
The main Network Options window now shows Loaded next to PKI keys for the System/Host API connection pair.

Sign the CSR

Perform the following steps to sign the System/Host API CSR:
1
Go to PKI > Certificate Authorities.
2
Right-click the System TLS Root CA certificate you created and select Add Certificate > From Request.
3
Select the CSR you generated for the System/Host API connection pair in the file browser.
4
After it loads, don’t modify any settings for the certificate. Select [ OK ].
The signed System/Host API certificate now shows under the root CA certificate on the Certificate Authorities page.

Export the Root CA certificate

Perform the following steps to export the Root CA certificate:
1
Go to PKI > Certificate Authorities.
2
Right-click the System TLS CA Root certificate and select Export > Certificate(s).
3
In the Export Certificate window, change the encoding to PEM and select [ Browse ].
4
In the file browser, go to the location where you want to save the Root CA certificate. Specify a name for the file and select [ Open ].
5
Select [ OK ].
A message box states that the PEM file was successfully written to the location that you specified.

Export the Host API certificate

Perform the following steps to export the signed System/Host API certificate:
1
Go to PKI > Certificate Authorities.
2
Right-click the System/Host API TLS certificate and select Export > Certificate(s).
3
In the Export Certificate window, change the encoding to PEM and select [ Browse ].
4
In the file browser, go to the location where you want to save the System/Host API certificate. Specify a name for the file and select [ Open ].
5
Select [ OK ].
A message box states that the PEM file was successfully written to the location that you specified.

Load the exported certificates

Perform the following steps to load the exported certificates into the System/Host API connection pair:
1
Go to Administration > Configuration > Network Options.
2
In the Network Options window, go to the TLS/SSL Settings tab.
3
Under the System/Host API connection pair, select [ Edit ] next to Certificates in the User Certificates section.
4
Right-click the System/Host API SSL CA X.509 certificate container and select [ Import ].
5
Select [ Add ] at the bottom of the Import Certificates window.
6
In the file browser, select both the root CA certificate and the signed System/Host API certificate, and select [ Open ].
7
Select [ OK ] to save the changes.
In the Network Options window, the System/Host API connection pair shows Signed loaded next to Certificates in the User Certificates section.
8
Select [ OK ] to save and exit the Network Options window.

Issue a client certificate

Perform the following steps to issue a client certificate for vSEC:CMS. A later section shows how to configure it in the Futurex PKCS #11 configuration file.
1
Go to PKI > Certificate Authorities.
2
Right-click the System TLS CA Root certificate and select Add Certificate > New Certificate.
3
On the Subject DN tab, set a Common Name for the certificate, such as vSEC.
4
Leave all fields on the Basic Info tab set to the default values.
5
On the V3 Extensions tab, select the TLS Client Certificate profile and select [ OK ].
The vSEC certificate now displays under the System TLS CA Root certificate.

Export the vSEC:CMS certificate

To perform the following steps, you must go to Administration > Configuration > Options and enable the Allow export of certificates using passwords option.
Perform the following steps to export the vSEC:CMS certificate as PKCS #12 file:
1
Go to PKI > Certificate Authorities.
2
Right-click the vSEC certificate and select Export > PKCS12.
3
Select the Export Selected option, specify a unique name for the export file, and select [ Next ].
4
Choose and enter a file password and select [ Next ].
5
Select [ Finish ] to initiate the export.
6
Move both the vSEC certificate and the Root CA certificate that was exported in the Export the Root CA certificate section to the computer that runs the vSEC:CMS instance.A later section shows how to configure and use them for TLS communication with the KMES Series 3.