> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Configure KMES Series 3

> Step-by-step instructions for configuring TLS and general KMES settings for SQL Server EKM.

This section shows you how to configure TLS communication between the KMES Series 3 and the Microsoft SQL Server instance. Then, it covers general configurations on the KMES to enable Microsoft SQL Server to integrate with the KMES through the FXCL EKM library, for Transparent Data Encryption.

Every step in this section requires you to log in to the KMES Series 3 application interface with the default Admin identities.

## Configure TLS communication

Perform the following tasks to configure TLS communication between the KMES Series 3 and the Microsoft SQL Server instance:

1. Create a certificate authority.
2. Generate a CSR for the System/Host API connection pair.
3. Sign the System/Host API CSR.
4. Export the Root CA and signed System/Host API certificates.
5. Load the exported certificates into the System/Host API connection pair.
6. Issue a client certificate for Microsoft SQL Server.
7. Export the signed Microsoft SQL Server certificate.

The following sections describe how to perform these tasks.

### Create a CA

Perform the following steps to create a Certificate Authority (CA):

<Steps>
  <Step>
    Go to **PKI** > **Certificate** **Authorities** and select **\[ Add CA ]** at the bottom of the page.
  </Step>

  <Step>
    In the **Certificate** **Authority** window, enter a name for the certificate container, leave all other fields set to the default values, and select **\[ OK ]**\*.

    <Check>
      The certificate container that you just created now displays in the Certificate Authorities menu.
    </Check>
  </Step>

  <Step>
    Right-click the certificate container and select **Add** **Certificate** > **New** **Certificate**.
  </Step>

  <Step>
    On the **Subject** **DN** tab, change the **Preset** drop-down option to **Classic** and specify a **Common** **Name** for the certificate, such as `System TLS CA Root`.
  </Step>

  <Step>
    On the **Basic** **Info** tab, leave all fields set to the default values.
  </Step>

  <Step>
    On the **V3** **Extensions** tab, select the **Certificate** **Authority** profile and select **\[ OK ]**.

    <Check>
      The root CA certificate now displays under the previously created certificate container.
    </Check>
  </Step>
</Steps>

### Generate a CSR

Perform the following steps to generate a CSR for the System/Host API connection pair:

<Steps>
  <Step>
    Go to **Administration** > **Configuration** > **Network** **Options**.
  </Step>

  <Step>
    In the **Network** **Options** window, go to the **TLS/SSL Settings** tab.
  </Step>

  <Step>
    Under the **System/Host API** connection pair, uncheck the **Use Futurex certificates** checkbox and select **\[ Edit ]** next to **PKI** **keys** in the **User** **Certificates** section.
  </Step>

  <Step>
    In the **Application Public Keys** window, select **\[ Generate ]**.
  </Step>

  <Step>
    When warned that *SSL will not be functional until new certificates are imported*, select **\[ Yes ]** to continue.
  </Step>

  <Step>
    In the **PKI** **Parameters** window, leave the fields set to the default values and select **\[ OK ]**\*.

    <Check>
      The Application Public Keys window now shows that an HSM-trusted asymmetric key is loaded.
    </Check>
  </Step>

  <Step>
    Select **\[ Request ]**.
  </Step>

  <Step>
    On the **Subject DN** tab, set a **Common** **Name** for the certificate, such as `KMES`.
  </Step>

  <Step>
    On the **V3 Extensions** tab, select the **TLS Server Certificate** profile.
  </Step>

  <Step>
    On the **PKCS #10 Info** tab, select a save location for the CSR and select **\[ OK ]**.
  </Step>

  <Step>
    When prompted that the certificate signing request was successfully written to the file location that was selected, select **\[ OK ]**.
  </Step>

  <Step>
    Select **\[ OK ]** again to save the **Application** **Public** **Keys** settings.

    <Check>
      The main Network Options window now shows Loaded next to PKI keys for the System/Host API connection pair.
    </Check>
  </Step>

  <Step>
    Select **\[ OK ]** to save.
  </Step>
</Steps>

### Sign the CSR

Perform the following steps to sign the System/Host API CSR:

<Steps>
  <Step>
    Go to **PKI** > **Certificate** **Authorities**.
  </Step>

  <Step>
    Right-click the root CA certificate you created and select **Add** **Certificate** > **From** **Request**.
  </Step>

  <Step>
    In the file browser, select the CSR that you generated for the System/Host API connection pair.
  </Step>

  <Step>
    After it loads, select **\[ OK ]** without modifying any settings for the certificate.

    <Check>
      The signed System/Host API certificate should now show under the root CA certificate on the Certificate Authorities page.
    </Check>
  </Step>
</Steps>

### Export the Root CA and signed System/Host API certificates

Perform the following steps to export the Root CA and signed System/Host API certificates:

<Steps>
  <Step>
    Go to **PKI** > **Certificate** **Authorities**.
  </Step>

  <Step>
    Right-click the **System TLS CA Root** certificate and select **Export** > **Certificate(s)**.
  </Step>

  <Step>
    In the **Export** **Certificate** window, change the encoding to **PEM** and select **\[ Browse ]**.
  </Step>

  <Step>
    In the file browser, go to the location where you want to save the root CA certificate. Specify a unique name for the file, such as `root_cert.pem`, and select **\[ Open ].**
  </Step>

  <Step>
    Select **\[ OK ]**.

    <Check>
      A message box states that the PEM file was successfully written to the location that you specified.
    </Check>
  </Step>

  <Step>
    Move the root CA certificate to the computer where the Microsoft SQL Server instance is running.

    A later section shows you how to configure and use it for TLS communication with the KMES Series 3.
  </Step>

  <Step>
    Right-click the **KMES** certificate and select **Export** > **Certificate(s)**.
  </Step>

  <Step>
    In the **Export** **Certificate** window, change the encoding to **PEM** and select **\[ Browse ]**.
  </Step>

  <Step>
    In the file browser, go to the location where you want to save the signed System/Host API certificate. Specify a unique name for the file, such as `signed_kmes_cert.pem`, and select **\[ Open ]**.
  </Step>

  <Step>
    Select **\[ OK ]**.

    <Check>
      A message box states that the PEM file was successfully written to the location that you specified.
    </Check>
  </Step>
</Steps>

### Load the System/Host API connection pair certificates

Perform the following steps to load the exported certificates into the System/Host API connection pair:

<Steps>
  <Step>
    Go to **Administration** > **Configuration** > **Network** **Options**.
  </Step>

  <Step>
    In the **Network** **Options** window, go to the **TLS/SSL Settings** tab.
  </Step>

  <Step>
    Select **\[ Edit ]** next to **Certificates** in the **User** **Certificates** section.
  </Step>

  <Step>
    Right-click the **System/Host API SSL CA** X.509 certificate container and select **\[ Import ]**.
  </Step>

  <Step>
    Select **\[ Add ]** at the bottom of the **Import** **Certificates** window.
  </Step>

  <Step>
    In the file browser, select both the root CA certificate and the signed System/Host API certificate and select **\[ Open ]**. Select **\[ OK ]** to save the changes.

    <Check>
      In the Network Options window,  the System/Host API connection pair shows Signed loaded next to Certificates in the User Certificates section.
    </Check>
  </Step>

  <Step>
    Select **\[ OK ]** to save and exit the **Network** **Options** window.
  </Step>
</Steps>

### Issue a client certificate

Perform the following steps to issue a client certificate for Microsoft SQL Server:

<Steps>
  <Step>
    Go to **PKI** > **Certificate** **Authorities**.
  </Step>

  <Step>
    Right-click the **System TLS CA Root** certificate and select **Add** **Certificate** > **New Certificate**.
  </Step>

  <Step>
    In the **Subject DN** tab, set a Common Name for the certificate.
  </Step>

  <Step>
    Leave all fields in the **Basic Info** tab set to the default values.
  </Step>

  <Step>
    On the **V3** **Extensions** tab, select the **TLS Client Certificate** profile and select **\[ OK ]**.

    <Check>
      The Microsoft SQL Server client certificate now displays under the System TLS CA Root certificate.
    </Check>
  </Step>
</Steps>

### Export the signed client certificate

<Note>
  To perform the following steps, you must go to Administration > Configuration > Options and enable the Allow export of certificates using passwords option.
</Note>

Perform the following steps to export the signed Microsoft SQL Server client certificate:

<Steps>
  <Step>
    Go to **PKI** > **Certificate** **Authorities**.
  </Step>

  <Step>
    Right-click the Microsoft SQL Server client certificate and select **Export** > **PKCS12**.
  </Step>

  <Step>
    Set a password for the PKCS12 file, select the **Export Selected Certificate** option, and select **\[ Next ]**.
  </Step>

  <Step>
    Enter a name for the file, select a location in the file browser to save to, and select **\[ Open ]**.
  </Step>

  <Step>
    Select **\[ OK ]**.
  </Step>

  <Step>
    Move the signed Microsoft SQL Server client certificate to the computer where the SQL Server instance is running.

    Later we will show you how to define it in the FXCL KMES EKM configuration file for TLS communication with the KMES Series 3.
  </Step>
</Steps>

## Configure general KMES settings

Perform the following tasks to configure the KMES Series 3 for communication with Microsoft SQL Server:

1. Create a Microsoft SQL Server role and identity with the required permissions and settings.
2. Enable Host API commands.
3. Grant the Microsoft SQL Server role the "Use" permission on the CA tree.

The following sections show you how to complete these tasks.

### Create a role and identity

The following sections show you how to create a new role and identity for Microsoft SQL Server on the KMES Series 3:

#### Create a new role

Perform the following steps to create a new role:

<Steps>
  <Step>
    Go to **Identity Management** > **Roles** and select **\[ Add ]**.
  </Step>

  <Step>
    On the **Info** tab of the **Role Editor** window, specify a **Name** for the role and change the number of **logins** **required** to `1`. Leave all other fields set to the default values.
  </Step>

  <Step>
    On the **Permissions** tab, select the following permissions:

    <table>
      <thead>
        <tr>
          <th><em><strong>Permission</strong></em></th>
          <th><em><strong>Subpermission</strong></em></th>
        </tr>
      </thead>

      <tbody>
        <tr>
          <td><strong>Certificate Authority</strong></td>
          <td>Add, Export</td>
        </tr>

        <tr>
          <td><strong>Cryptographic Operations</strong></td>
          <td>Encrypt, Decrypt</td>
        </tr>

        <tr>
          <td><strong>Keys</strong></td>
          <td>Add, Delete</td>
        </tr>
      </tbody>
    </table>
  </Step>

  <Step>
    On the **Advanced** tab, set **Allowed** **Ports** to only **Host API**. Leave the other fields set to the default values.
  </Step>

  <Step>
    Select **\[ OK ]** to finish creating the role.
  </Step>
</Steps>

#### Create a new identity

Perform the following steps to create a new identity:

<Steps>
  <Step>
    Go to **Identity Management** > **Identities**, right-click anywhere in the window, and select **Add** > **Client Application**.
  </Step>

  <Step>
    On the **Info** tab, specify `SqlServer` in the **Name** field. Leave all other fields set to the default values.

    <Note>
      The name you choose for this identity must match the Common Name that you set for the Microsoft SQL Server client certificate.
    </Note>
  </Step>

  <Step>
    On the **Assigned** **Roles** tab, select the **Microsoft SQL Server** role.
  </Step>

  <Step>
    On the **Authentication** tab, select **\[ Add ]**.
  </Step>

  <Step>
    In the **Configure** **Credential** window, select **Password** in the **Type** drop-down list. Select **\[ Change ]**, set a password for the credential, and select **\[ Save ]**.
  </Step>

  <Step>
    Select **\[ OK ]** to finish configuring the password credential.
  </Step>

  <Step>
    Remove the default **API** **Key** mechanism, leaving only the Password credential, and select **\[ OK ]** to save.
  </Step>
</Steps>

### Enable the Host API commands

Because FXCL EKM connects to the Host API port on the KMES Series 3, you must define which Host API commands to enable for execution by FXCL EKM. To set the enabled commands required for the Microsoft SQL Server operation, complete the following steps:

<Steps>
  <Step>
    Go to **Administration** > **Configuration** > **Host API Options** and enable the following commands:

    <table>
      <thead>
        <tr>
          <th><em><strong>Command</strong></em></th>
          <th><em><strong>Description or subcommand (if applicable)</strong></em></th>
        </tr>
      </thead>

      <tbody>
        <tr>
          <td><strong>RKGP</strong></td>
          <td>Export Asymmetric Key</td>
        </tr>

        <tr>
          <td><strong>RKLN</strong></td>
          <td>Lookup Objects</td>
        </tr>

        <tr>
          <td><strong>RKDP</strong></td>
          <td>Delete Asymmetric Key</td>
        </tr>

        <tr>
          <td><strong>RKLO</strong></td>
          <td>Login User</td>
        </tr>

        <tr>
          <td><strong>RKCK</strong></td>
          <td>Create Asymmetric Key</td>
        </tr>

        <tr>
          <td><strong>RKRE</strong></td>
          <td>RSA Encrypt</td>
        </tr>

        <tr>
          <td><strong>RKRD</strong></td>
          <td>RSA Decrypt</td>
        </tr>

        <tr>
          <td><strong>RKPK</strong></td>
          <td>Pop Generated Key</td>
        </tr>

        <tr>
          <td><strong>CLKY</strong></td>
          <td>Retrieve HSM protected key<ul><li><strong>Get</strong></li></ul></td>
        </tr>
      </tbody>
    </table>
  </Step>

  <Step>
    Select **\[ Save ]**.
  </Step>
</Steps>

### Grant the permission

Perform the following steps to grant the Microsoft SQL Server role the Use permission on the CA tree:

<Steps>
  <Step>
    Go to **PKI** > **Certificate** **Authorities**.
  </Step>

  <Step>
    Right-click the CA container you created in the **Create a Certificate Authority (CA)** section and select **\[ Permission ]**.
  </Step>

  <Step>
    Grant the Microsoft SQL Server role the **Use** permission, select **Apply to children recursively**, and select **\[ OK ]**\* to save.
  </Step>
</Steps>

##

##
