> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Initial setup

> Step-by-step guide to establish mutual trust via certificate validation.

Before you enable RDL on the FlashArray, the array and the KMES Series 3 must establish a mutual trust relationship by validating their respective digitally signed certificates.

The following sections show how to generate and sign certificates for both the FlashArray and the KMIP connection pair on the KMES Series 3. The FlashArray and the KMES register both certificates and use them thereafter each time they establish a TCP/IP session secured by TLS.

<Note>
  Notes about certificates:

  * Certificates used on the FlashArray must be PEM formatted (Base64 encoded).
  * Intermediary certificates are not supported for use with KMIP.
  * Using the Purity internal management certificate for KMIP configuration is not supported.
</Note>

## Create a certificate and CSR

Use the FlashArray Command Line Interface (CLI) to complete the following steps to create a FlashArray certificate and CSR:

### Create a certificate

Perform the following steps to create a FlashArray certificate:

<Steps>
  <Step>
    Run the following `purecert create` CLI command to create a self-signed certificate:

    ```shell expandable lines wrap title="Shell" theme={null}
    pureuser@purefa-ct0:# purecert create cert_1 --self-signed --common-name purefa

    ```
  </Step>

  <Step>
    Display the certificate with the following `purecert list` command.

    ```shell expandable lines wrap title="Shell" theme={null}
    pureuser@purefa-ct0:# purecert list cert_1 --certificate
    ```

    Copy the displayed certificate for use in a later step.
  </Step>
</Steps>

### Create a CSR

Perform the following steps to create a CSR:

<Steps>
  <Step>
    Run the following `purecert construct` command to construct the CSR:

    ```shell expandable lines wrap title="Shell" theme={null}
    pureuser@purefa-ct0:# purecert construct cert_1 --certificate-signing-request
    ```
  </Step>

  <Step>
    Perform the following steps:

    1. Copy the displayed CSR and paste it into a file editor.
    2. Save the file with either the `.pem` or `.csr` extension.
    3. Then, move the file by using SFTP or other means to the external storage device configured on the KMES Series 3.
  </Step>
</Steps>

## Configure KMES Series 3

Log in to the KMES Series 3 application interface with the default Admin identities to complete the following tasks:

1. Create a new CA.
2. Sign the FlashArray CSR.
3. Create and configure the TLS certificate for the KMIP connection pair on the KMES Series 3.
4. Create a role and identity on the KMES Series 3 for FlashArray.

### Create a new CA

Perform the following steps to create a new CA:

<Steps>
  <Step>
    Log in to the KMES Series 3 application interface with the default Admin identities
  </Step>

  <Step>
    Go to **PKI** > **Certificate** **Authorities** and select **\[ Add CA ]** at the bottom of the page.
  </Step>

  <Step>
    In the **Certificate** **Authority** window, enter a name for the certificate container, leave all other fields as the default values, and select **\[ OK ]**.

    <Check>
      The certificate container you created now displays in the Certificate Authorities menu.
    </Check>
  </Step>

  <Step>
    Right-click the certificate container and select **Add** **Certificate** > **New** **Certificate**.
  </Step>

  <Step>
    On the **Subject DN** tab, set a **Common Name** for the certificate, such as `System TLS CA Root`.
  </Step>

  <Step>
    On the **Basic Info** tab, change the key size to **4096**.
  </Step>

  <Step>
    On the **V3 Extensions** tab, select the **Certificate Authority** profile and select **\[ OK ]**.

    <Check>
      The root CA certificate now displays under the previously created certificate container.
    </Check>
  </Step>
</Steps>

### Sign the FlashArray CSR

Perform the following steps to sign the FlashArray CSR:

<Steps>
  <Step>
    Go to **PKI** > **Certificate** **Authorities**.
  </Step>

  <Step>
    Right-click the Root CA certificate and select **Add** **Certificate** > **From** **Request**.
  </Step>

  <Step>
    In the file browser, select the FlashArray CSR.

    <Check>
      Certificate information populates in the Create X.509 From CSR window.
    </Check>
  </Step>

  <Step>
    Leave all settings exactly as they are and select **\[ OK ]** to save.

    <Note>
      The Common Name of the certificate must match the common name you entered in the `purecert create` command.
    </Note>

    <Check>
      The signed FlashArray certificate now displays under the Root CA certificate in the CA tree.
    </Check>
  </Step>
</Steps>

### Create and configure the TLS certificate

Perform the following tasks to create and configure the TLS certificate for the KMIP connection pair on the KMES Series 3:

1. Generate a private key and construct a CSR.
2. Sign the KMIP connection pair CSR.
3. Export all certificates in the CA tree.
4. Configure the KMIP connection pair to use the signed certificate and CA chain.

#### Generate a private key and CSR

Perform the following steps to generate a private key and construct a CSR:

<Steps>
  <Step>
    Log in to the KMES Series 3 application interface with the default Admin identities.
  </Step>

  <Step>
    Go to **Administration** > **Configuration** > **Network** **Options** and go to the **TLS/SSL Settings** tab.
  </Step>

  <Step>
    Select the **Connection** drop-down option and select the **KMIP** connection pair.
  </Step>

  <Step>
    **Enable** the KMIP connection pair if it is not already enabled.
  </Step>

  <Step>
    Uncheck the **Use System/Host API SSL Parameters** checkbox if it is selected.
  </Step>

  <Step>
    In the **User** **Certificates** section, select **\[ Edit ]** next to **PKI** **Keys**.
  </Step>

  <Step>
    In the **Application Public Keys** window, select **\[ Generate ]**.
  </Step>

  <Step>
    When prompted that *SSL will not be functional until new certificates are imported*, select **\[ Yes ]** to continue.
  </Step>

  <Step>
    In the **PKI Parameters** window, leave all fields set to the default values and select **\[ OK ]**.

    <Check>
      The Application Public Keys window now shows that a PKI Key Pair is Loaded.
    </Check>
  </Step>

  <Step>
    Select **\[ Request ]**.
  </Step>

  <Step>
    In the **Subject DN** tab, select **Classic** from the preset drop-down list and specify the hostname or IP address of the KMES in **Common** **Name**.
  </Step>

  <Step>
    On the **V3 Extensions** tab, set the profile to **TLS Server Certificate**.
  </Step>

  <Step>
    On the **PKCS #10 Info** tab, specify a save location and name for the CSR file and select **\[ OK ]**\*.
  </Step>

  <Step>
    When prompted that *the certificate signing request was successfully written to the specified location*, select **\[ OK ]**.
  </Step>

  <Step>
    Select **\[ OK ]** again in the **Application Public Keys** window to finish.
  </Step>
</Steps>

#### Sign the CSR

Perform the following steps to sign the KMIP connection pair CSR:

<Steps>
  <Step>
    Go to **PKI** > **Certificate** **Authorities**.
  </Step>

  <Step>
    Right-click the Root CA certificate and select **Add Certificate** > **From Request**.
  </Step>

  <Step>
    In the file browser, select the KMIP connection pair CSR.

    <Check>
      Certificate information populates in the Create X.509 From CSR window.
    </Check>
  </Step>

  <Step>
    Leave all settings exactly as they are and select **\[ OK ]** to save.

    <Check>
      The signed KMIP connection pair certificate now displays under the Root CA certificate in the CA tree.
    </Check>
  </Step>
</Steps>

#### Export all certificates

Perform the following steps to export each certificate in the CA tree:

<Steps>
  <Step>
    Right-click the certificates in the certificate tree and select **Export** > **Certificate(s)**.
  </Step>

  <Step>
    In the **Export** **Certificate** window, change the encoding to **PEM** and specify a save location for the file.
  </Step>
</Steps>

#### Configure the connection pair

Perform the following steps to configure the KMIP connection pair to use the signed certificate and CA chain:

<Steps>
  <Step>
    Log in to the KMES Series 3 application interface with the default Admin identities.
  </Step>

  <Step>
    Go to **Administration** > **Configuration** > **Network** **Options** and go to the **TLS/SSL Settings** tab.
  </Step>

  <Step>
    Select the **Connection** drop-down option and select the **KMIP** connection pair.
  </Step>

  <Step>
    In the **User** **Certificates** section, select **\[ Edit ]** next to **Certificates**.
  </Step>

  <Step>
    In the **Certificate** **Authority** window, right-click the **KMIP SSL CA** X.509 certificate container and select **\[ Import ]**.
  </Step>

  <Step>
    In the **Import** **Certificates** window, select **\[ Add ]** at the bottom of the window.
  </Step>

  <Step>
    In the file browser, select both the root CA certificate and the signed KMIP connection pair certificate and select **\[ Open ]**.

    <Check>
      The certificates now display in the Verified section of the Import Certificates window.
    </Check>
  </Step>

  <Step>
    Select **\[ OK ]** to save.

    <Check>
      You now see Signed loaded next to Certificates in the User Certificates section of the Network Options window under the KMIP connection pair.
    </Check>
  </Step>

  <Step>
    Select **\[ OK ]** to save and finish.
  </Step>
</Steps>

## **Create a role and identity**

The following sections provide instructions for the following tasks to create a role and identity on the KMES Series 3 for FlashArray:

1. Add a PKI identity provider configured with the TLS authentication mechanism.
2. Create a role for FlashArray.
3. Create an identity for FlashArray.

### Add a PKI IP

Perform the following steps to add a PKI identity provider (IP) configured with the TLS authentication mechanism:

<Steps>
  <Step>
    Log in to the KMES Series 3 application interface with the default Admin identities.
  </Step>

  <Step>
    Go to **Identity** **Management** > **Identity** **Providers**.
  </Step>

  <Step>
    Right-click anywhere in the window and select **Add** > **Provider** > **PKI**.
  </Step>

  <Step>
    On the **Info** tab of the **Identity Provider Editor** window, specify a **name** for the IP and uncheck **Enforce Dual Factor**.
  </Step>

  <Step>
    On the **PKI** **Options** tab, select **\[ Select ]**.
  </Step>

  <Step>
    In the **Certificate** **Selector** window, expand the certificate tree you created for mutual authentication, select the CA certificate that signed the FlashArray and KMIP connection pair certificates, and select **\[ OK ]**.
  </Step>

  <Step>
    Select **\[ OK ]** to finish creating the PKI identity provider.
  </Step>

  <Step>
    Right-click the IP you just created and select **Add** > **Mechanism** > **TLS**.
  </Step>

  <Step>
    On the **Info** tab, specify a name for the authentication mechanism.
  </Step>

  <Step>
    On the **PKI** tab, leave all fields set to the default values.
  </Step>

  <Step>
    Select **\[ OK ]** to save.
  </Step>
</Steps>

### Create a role

Perform the following steps to create a role for FlashArray:

<Steps>
  <Step>
    Go to **Identity** **Management** > **Roles** and select **\[ Add ]**.
  </Step>

  <Step>
    In the **Info** tab of the **Role** **Editor** window, set the **Type** to **Application**, the **name** to FlashArray, and **Logins** **Required** to `1`.
  </Step>

  <Step>
    On the **Permissions** tab, enable all permissions.
  </Step>

  <Step>
    On the **Advanced** tab, set **Allowed** **Ports** to **KMIP** only.
  </Step>

  <Step>
    Select **\[ OK ]** to finish creating the role.
  </Step>
</Steps>

### Create an identity

Perform the following steps to create an identity for FlashArray:

<Steps>
  <Step>
    Go to **Identity** **Management** > **Identities**.
  </Step>

  <Step>
    Right-click anywhere in the window and select **Add** > **Client** **Application**.
  </Step>

  <Step>
    On the **Info** tab of the **Identity** **Editor** window, select **Application** for the storage location and specify FlashArray as the identity name.
  </Step>

  <Step>
    On the **Assigned** **Roles** tab, select the role you created for FlashArray.
  </Step>

  <Step>
    On the **Authentication** tab, remove the default API Key mechanism and select **\[ Add ]**.
  </Step>

  <Step>
    In the **Configure** **Credential** window, select the **TLS** **Certificate** drop-down option in **Type** and select the Provider and Mechanism you created. Select **\[ OK ]** to finish configuring the credential.
  </Step>

  <Step>
    Select **\[ OK ]** to finish creating the identity.
  </Step>
</Steps>
