This section shows you how to create a role and identity on the KMES Series 3 and assign it the permissions MySQL Server needs to generate the master encryption key used for TDE. When MySQL Server initiates a connection to the KMES through KMIP, authentication occurs through the TLS certificate. By matching a KMES identity name to the Common Name configured for the MySQL Server certificate, MySQL can authenticate and assume the permissions granted to that identity.
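Before deploying, it is worth confirming that the MySQL Server certificate will pass the check this paragraph describes: it must chain to the CA selected in the PKI IdP, and its Common Name must equal the KMES identity name. The following is an added example in Go, not code from the page or from Futurex; it assumes an exact, case-sensitive CN match, and makeCert only constructs throwaway test certificates in place of the real ones.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// checkKMIPClientCert models the TLS mechanism's check: the client certificate must chain to
// the CA selected in the PKI IdP, and its CN must equal the KMES identity name (exact match assumed).
func checkKMIPClientCert(client, ca *x509.Certificate, identityName string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := client.Verify(opts); err != nil {
		return fmt.Errorf("not signed by the IdP CA: %w", err)
	}
	if cn := client.Subject.CommonName; cn != identityName {
		return fmt.Errorf("CN %q does not match identity %q", cn, identityName)
	}
	return nil
}

// makeCert builds a constructed test certificate; a nil parent yields a self-signed CA.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		parent, parentKey = tmpl, priv // self-signed root
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

func main() {
	ca, caKey := makeCert("Example CA", true, nil, nil)
	good, _ := makeCert("MySQL", false, ca, caKey)
	bad, _ := makeCert("mysql-dev", false, ca, caKey)
	// prints: <nil> CN "mysql-dev" does not match identity "MySQL"
	fmt.Println(checkKMIPClientCert(good, ca, "MySQL"), checkKMIPClientCert(bad, ca, "MySQL"))
}
```

To check a real deployment, parse the MySQL Server certificate and the IdP's CA certificate from PEM with encoding/pem and x509.ParseCertificate instead of calling makeCert.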

Add a PKI identity provider

Perform the following steps to add a PKI identity provider (IdP) configured with the TLS authentication mechanism:
1. Log in to the KMES Series 3 application interface with the default Admin identities.
2. Go to Identity Management > Identity Providers.
3. Right-click anywhere in the window and select Add > Provider > PKI.
4. On the Info tab of the Identity Provider Editor window, specify a name for the IdP and uncheck Enforce Dual Factor.
5. On the PKI Options tab, select [ Select ].
6. In the Certificate Selector window, expand the certificate tree you created for mutual authentication, select the CA certificate that signed the MySQL Server and KMIP connection pair certificates, and select [ OK ].
7. Select [ OK ] to finish creating the PKI IdP.
8. Right-click the IdP you just created and select Add > Mechanism > TLS.
9. On the Info tab, specify a name for the authentication mechanism.
10. On the PKI tab, leave all fields set to the default values.
11. Select [ OK ] to save.

Create a role

Perform the following steps to create a role for MySQL Server:
1. Go to Identity Management > Roles and select [ Add ].
2. In the Info tab of the Role Editor window, set the Type to Application, the name to MySQL, and Logins Required to 1.
3. On the Permissions tab, enable the following permissions for the role:

   Permission               | Subpermission
   -------------------------|------------------
   Cryptographic Operations | Encrypt, Decrypt
   Keys                     | Add

4. On the Advanced tab, set Allowed Ports to KMIP only.
5. Select [ OK ] to finish creating the role.

Create an identity

Perform the following steps to create an identity for MySQL Server:
1. Go to Identity Management > Identities.
2. Right-click anywhere in the window and select Add > Client Application.
3. On the Info tab of the Identity Editor window, select Application for the storage location and specify MySQL as the identity name.
4. On the Assigned Roles tab, select the role you created for MySQL Server.
5. On the Authentication tab, remove the default API Key mechanism and select [ Add ].
6. In the Configure Credential window, select the TLS Certificate drop-down option in Type and select the Provider and Mechanism you created. Select [ OK ] to finish configuring the credential.
7. Select [ OK ] to finish creating the identity.