Configure authentication and permissions for Zettaset on the KMES Series 3

This section shows how to create a role and identity on the KMES Series 3 to enable Zettaset to authenticate with the KMES and perform any actions Zettaset’s XCrypt Full Disk product requires for integration. This configuration uses separate authentication mechanisms for PKCS #11 and KMIP connections. Futurex PKCS #11 authenticates with a password. and KMIP authentication occurs through a newly created TLS identity provider. Although PKCS #11 and KMIP use separate authentication mechanisms, they use the same client certificate to establish a TLS connection.

Add a PKI IP

This process adds a PKI identity provider (IP) and configures it with the TLS authentication mechanism. This action enables Zettaset to authenticate to the KMES Series 3 through the client certificate it uses to establish the TLS connection.

Go to Identity Management > Identity Providers.

Right-click anywhere in the window and select Add > Provider > PKI.

In the Info tab of the Identity Provider Editorwindow, specify a name for the IP and uncheck Enforce Dual Factor.

In the PKI Options tab, press [ Select ].

In the Certificate Selector window, expand the certificate tree you created, select the CA certificate that signed the Zettaset and KMIP connection pair certificates, and select [ OK ].

Select** [ OK ]**to finish creating the PKI IP.

Right-click on the PKI IP you just created and select Add > Mechanism > TLS.

In the Info tab, specify a name for the authentication mechanism.

In the PKI tab, leave all fields set to the default values.

Select **[ OK ]**to save.

Create a role and identity

You must create a new role and identity on the KMES Series 3 to grant Zettaset the permissions and functionality it requires. The name of the identity must match the Common Name of the Zettaset TLS client certificate.

Create a role

Perform the following steps to create a role:

Go to Identity Management > Roles, and select [ Add ].

In the Info tab of the Role Editor window, set the Type to Application, the name to Zettaset, and the Logins Required to 1.

In the Permissions tab, select the following permissions:

Permission	Subpermission
Certificate Authority	Add, Export, Modify, Upload
Cryptographic Operations	Sign, Verify, Encrypt, Decrypt, Wrap, Unwrap, Derive
Keys	Add, Export, Modify

In the Advanced tab, set Allowed Ports to Host API and KMIP.

Select **[ OK ]**to finish creating the role.

Create an identity

Perform the following steps to create an identity and assign it to the Zettaset role, the password authentication mechanism, and the TLS authentication mechanism:

For TLS Authentication to work, the identity name must match the Common Name of the Zettaset client certificate.

Go to Identity Management > Identities, right-click in the window, and select Add > Client Application.

On the Info tab of the Identity Editor window, select Application for the storage location, and specify a name for the identity matching the Common Name of the Zettaset TLS client certificate.

Under Assigned Roles, select the role you created for Zettaset.

Under Authentication, remove the default API Key mechanism.

Select [ Add ] to add a new credential.

In the Configure Credential window, select Password in the Type drop-down menu, Local Application in the Provider drop-down menu, and Password in the Mechanism drop-down menu.Select [ OK ] to finish configuring the credential.

Select** [ Add ]** again to add and configure another credential.

In the Configure Credential window, select TLS Certificate in the Type drop-down menu and select the Provider and Mechanism you created for this integration.Select [ OK ] to finish

Select **[ OK ]**to finish creating the identity.

Grant the role permission

Perform the following steps to grant the Zettaset role the Use permission on the PKI identity provider and certificate container:

Go to Identity Management > Identity Providers.

Right-click the PKI identity provider you created for this integration and select [ Permission ].

Set the Use permission for the Zettaset role and select **[ OK ]**to save.

Go to PKI > Certificate Authorities.

Right-click the certificate container you created for TLS authentication and select [ Permission ].

Set the Use permission for the Zettaset role and select **[ OK ]**to save.

​Add a PKI IP

​Create a role and identity

​Create a role

​Create an identity

​Grant the role permission

Add a PKI IP

Create a role and identity

Create a role

Create an identity

Grant the role permission