Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.futurex.com/llms.txt

Use this file to discover all available pages before exploring further.

This section starts with the general KMES configurations necessary for Oracle Database to store the TDE Master Encryption Key on the KMES. Then, it shows how to configure TLS communication between the KMES Series 3 and the Oracle Database instance.

Configure general KMES settings for the Oracle Database 19C integration

Perform the following tasks to configure the KMES Series 3 for communication with FXPKCS #11:
  1. Create an Oracle Database role with the correct assigned permissions.
  2. Create an Oracle Database identity with the correct role.
  3. Create the key group for Oracle TDE keys
  4. Enable Host API commands.
The following sections show you how to complete these tasks.

Create a role

Perform the following steps to create a role for Oracle Database with the required permissions:
1
Log in to the KMES Series 3 with the default Admin identities.
2
Go to Identity Management > Roles and select [ Add ] at the bottom of the page.
3
On the Info tab, set the Type to Application, set a name for the role, such as Oracle Database, and set Logins Required to 1.
4
Under the Permissions tab, enable the following permissions:
PermissionSubpermission
Certificate AuthorityAll subpermissions
Cryptographic OperationsAll subpermissions
Device GroupsAll subpermissions
KeysAll subpermissions
5
On the Advanced tab, set Allowed Ports to Host API only.
6
Select [ OK ] to finish creating the role.

Create an identity

Perform the following steps to create a new identity and assign it the Oracle Database role:
1
Go to Identity Management > Identities.
2
Right-click anywhere in the window and select Add > Client Application.
3
On the Info tab, set the Storage type to Application and set a name for the identity.
4
On the Assigned Roles tab, select the Oracle Database role you just created.
5
On the Authentication tab, remove the default API Key mechanism, add the Password authentication mechanism, and configure the password.
6
Select [ OK ] to finish creating the identity.A later section shows you how to configure the name of the identity in the fxpkcs11.cfg file to enable the Futurex PKCS #11 library to connect to the KMES Series 3.

Create the key group

Perform the following steps to create a key group for the Oracle TDE – KMES Series 3 integration. This key group contains the created or renewed Master Keys for Oracle TDE.
You can choose any name for the key group, but remember the name because you need to use it later in the <KEYGROUP-NAME> tag in the fxpkcs11.cfg file.
1
Log in to the KMES Series 3 with the default Admin identities.
2
Go to Key Management > Keys. In the Key Groups section, select [ Create ].
3
In the Select Key Group Storage window, set the Key Type to Symmetric and the Storage Location to HSM Trusted. Then, select [ OK ]*.
4
In the Key Group Editor window, set the name of the key group, set the Owner Group to the Oracle Database role, and ensure that the Oracle Database role has Add permissions for the key group.
5
Select [ OK ] to finish creating the key group.

Enable the Host API commands

Because the connection to the FXPKCS11 library uses the Host API port, you must define which commands to enable for execution by the FXPKCS11 library. To set the enabled commands required for the Oracle TDE operation, complete the following steps:
1
Log in to the KMES Series 3 with the default Admin identities.
2
Go to Administration > Configuration > Host API Options and enable the following commands:
CommandDescription
ECHOCommunication Test/Retrieve Version
RAFAFilter Issuance Policy
RKCKCreate Key
RKCPGet Command Permissions
RKCSCreate Symmetric Key Group
RKEDEncrypt or Decrypt Data
RKLNLookup Objects
RKLOLogin User
RKRCGet Key
3
Select [ Save ] to finish.

Configure TLS communication

Perform the following tasks to configure TLS communication between the KMES Series 3 and the Oracle Database instance:
  1. Create a Certificate Authority.
  2. Generate a CSR for the System/Host API connection pair.
  3. Sign the System/Host API CSR.
  4. Export the Root CA.
  5. Export the signed System/Host API TLS certificate.
  6. Load the exported certificates into the System/Host API connection pair.
  7. Generate a private key and CSR for the Oracle Database instance by using OpenSSL.
  8. Sign the CSR for the Oracle Database instance.
  9. Export the signed Oracle TDE certificate.
The following sections describe how to perform these tasks.

Create a CA

Perform the following steps to create a Certificate Authority (CA):
1
Log in to the KMES Series 3 application interface with the default Admin identities.
2
Go to PKI > Certificate Authorities and select [ Add CA ] at the bottom of the page.
3
In the Certificate Authority window, enter a name for the certificate container, leave all other fields set to the default values, and select [ OK ]*.
The certificate container that you just created appears in the Certificate Authorities menu.
4
Right-click the certificate container and select Add Certificate > New Certificate.
5
On the Subject DN tab, set a Common Name for the certificate, such as System TLS CA Root.
6
On the Basic Info tab, leave the fields set to the default values.
7
On the V3 Extensions tab, select the Certificate Authority profile and select [ OK ]*.
The root CA certificate now displays under the previously created certificate container.

Generate a CSR

Perform the following steps to generate a CSR for the System/Host API connection pair:
1
Go to Administration > Configuration > Network Options.
2
In the Network Options window, go to the TLS/SSL Settings tab.
3
Under the System/Host API connection pair, uncheck the Use Futurex certificates checkbox and select [ Edit ] next to PKI keys.
4
In the Application Public Keys window, select [ Generate ].
5
When prompted that SSL will not be functional until you import new certificates, select [ Yes ] to continue.
6
In the PKI Parameters window, leave the fields set to the default values and select [ OK ].
The Application Public Keys window now shows that a PKI key pair is Loaded.
7
Select [ Request ].
8
On the Subject DN tab, you can leave the default System/Host API value set in the Common Name field or change it to a different value.
9
On the V3 Extensions tab, select the TLS Server Certificate profile.
10
On the PKCS #10 Info tab, select a save location for the CSR and select [ OK ].
11
When notified that the certificate signing request was successfully written to the selected file location, select [ OK ].
12
Select [ OK ] to save the Application Public Keys settings.
The main Network Options window now shows Loaded next to PKI keys for the System/Host API connection pair.

Sign the System/Host API CSR

Perform the following steps to sign the System/Host API CSR:
1
Go to PKI > Certificate Authorities.
2
Right-click the System TLS CA Root certificate and select Add Certificate > From Request.
3
In the file browser, select the CSR for the System/Host API connection pair.
4
Don’t modify any of the settings for the certificate after it loads. Select [ OK ].
The signed System/Host API certificate shows under the root CA certificate on the Certificate Authorities page.

Export the CA certificate

Perform the following steps to export the Root CA certificate:
1
Go to PKI > Certificate Authorities.
2
Right-click the System TLS CA Root certificate and select Export > Certificate(s).
3
In the Export Certificate window, change the encoding to PEM and select [ Browse ].
4
In the file browser, select the location where you want to save the root CA Certificate. Specify a name for the file and select [ Open ].
5
Select [ OK ].
A message box states that the PEM file was successfully written to the location you specified.

Export the certificate

Perform the following steps to export the signed System/Host API certificate:
1
Go to PKI > Certificate Authorities.
2
Right-click the System/Host API certificate and select Export > Certificate(s).
3
In the Export Certificate window, change the encoding to PEM and select [ Browse ].
4
In the file browser, select the location where you want to save the signed System/Host API certificate. Specify a name for the file and select [ Open ].
5
Select [ OK ].
A message box states that the PEM file was successfully written to the location you specified.

Load the certificates

Perform the following steps to load the exported certificates into the System/Host API connection pair:
1
Go to Administration > Configuration > Network Options.
2
In the Network Options window, go to the TLS/SSL Settings tab.
3
Select [ Edit ] next to Certificates in the User Certificates section.
4
Right-click the System/Host API SSL CA X.509 certificate container and select [ Import ].
5
Select [ Add ] at the bottom of the Import Certificates window.
6
In the file browser, select both the root CA certificate and the signed System/Host API certificate and select [ Open ].
7
Select [ OK ] to save changes.
In the Network Options window, the System/Host API connection pair shows Signed loaded next to Certificates in the User Certificates section.
8
Select [ OK ] to save and exit the Network Options window.

Generate a private key and CSR

Perform the following steps to generate a private key and CSR for the Oracle Database instance by using OpenSSL:
You must run the commands in this section from a terminal application with OpenSSL.
1
Open a terminal and run the following command to generate a private key for the Oracle Database instance:
Shell
openssl genrsa -out tls_skey.pem 2048
The private key outputs to a file named tls_skey.pem in the current working directory.
2
Run the following command to generate a CSR for the Oracle Database instance:
Shell
openssl req -new -key tls_skey.pem -out tls_cert_req.pem -days 365
When prompted, enter the certificate information, pressing the Enter key at every prompt to set the default value for each field.
The CSR outputs to a file named tlscertreq.pem in the current working directory.
3
Move or copy the CSR file (tls_cert_req.pem) to the storage medium configured on the KMES.

Sign the CSR

Perform the following steps to sign the CSR for the Oracle Database instance:
1
Go to PKI > Certificate Authorities.
2
Right-click the System TLS CA Root certificate and select Add Certificate > From Request.
3
In the file browser, select the Oracle Database CSR.
Certificate information populates in the Create X.509 From CSR window.
4
On the Subject DN tab, change the preset drop-down option to Classic, and set a common name for the certificate, such as Oracle TDE.
5
Leave all fields in the Basic Info tab set to the default values.
6
On the V3 Extensions tab, select the TLS Client Certificate profile and select [ OK ].
The signed Oracle TDE certificate now displays under the System TLS CA Root certificate.

Export the certificate

Perform the following steps to export the signed Oracle TDE certificate:
1
Go to PKI > Certificate Authorities.
2
Right-click the Oracle TDE certificate and select Export > Certificate(s).
3
In the Export Certificate window, change the encoding to PEM and select [ Browse ].
4
In the file browser, go to the location where you want to save the Oracle TDE certificate. Specify a name for the file and select [ Open ].
5
Select [ OK ].
A message box states that the PEM file was successfully written to the location you specified.
6
Move both the Oracle TDE certificate and the System TLS CA Root certificate to the computer running the Oracle Database instance.The next section shows you how to configure the certificates in the Futurex PKCS #11 configuration file and use them for TLS communication with the KMES Series 3.