> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Configure KMES Series 3

> Step-by-step instructions to configure KMES Series 3 for Oracle TDE, including TLS setup.

This section starts with the general KMES configurations necessary for Oracle Database to store the TDE Master Encryption Key on the KMES. Then, it shows how to configure TLS communication between the KMES Series 3 and the Oracle Database instance.

## Configure general KMES settings for the Oracle Database 19C integration

Perform the following tasks to configure the KMES Series 3 for communication with FXPKCS #11:

1. Create an Oracle Database role with the correct assigned permissions.
2. Create an Oracle Database identity with the correct role.
3. Create the key group for Oracle TDE keys
4. Enable Host API commands.

The following sections show you how to complete these tasks.

### Create a role

Perform the following steps to create a role for Oracle Database with the required permissions:

<Steps>
  <Step>
    Log in to the KMES Series 3 with the default Admin identities.
  </Step>

  <Step>
    Go to **Identity** **Management** > **Roles** and select **\[ Add ]** at the bottom of the page.
  </Step>

  <Step>
    On the **Info** tab, set the **Type** to **Application**, set a **name** for the role, such as `Oracle Database`, and set **Logins** **Required** to `1`.
  </Step>

  <Step>
    Under the **Permissions** tab, enable the following permissions:

    <table>
      <thead>
        <tr>
          <th><em><strong>Permission</strong></em></th>
          <th><em><strong>Subpermission</strong></em></th>
        </tr>
      </thead>

      <tbody>
        <tr>
          <td><strong>Certificate</strong> <strong>Authority</strong></td>
          <td>All subpermissions </td>
        </tr>

        <tr>
          <td><strong>Cryptographic</strong> <strong>Operations</strong></td>
          <td>All subpermissions </td>
        </tr>

        <tr>
          <td><strong>Device</strong> <strong>Groups</strong></td>
          <td>All subpermissions </td>
        </tr>

        <tr>
          <td><strong>Keys</strong></td>
          <td>All subpermissions </td>
        </tr>
      </tbody>
    </table>
  </Step>

  <Step>
    On the **Advanced** tab, set **Allowed** **Ports** to **Host** **API** only.
  </Step>

  <Step>
    Select **\[ OK ]** to finish creating the role.
  </Step>
</Steps>

### Create an identity

Perform the following steps to create a new identity and assign it the Oracle Database role:

<Steps>
  <Step>
    Go to **Identity** **Management** > **Identities**.
  </Step>

  <Step>
    Right-click anywhere in the window and select **Add** > **Client** **Application**.
  </Step>

  <Step>
    On the **Info** tab, set the **Storage** type to **Application** and set a name for the identity.
  </Step>

  <Step>
    On the **Assigned** **Roles** tab, select the Oracle Database role you just created.
  </Step>

  <Step>
    On the **Authentication** tab, remove the default **API Key** mechanism, add the **Password** authentication mechanism, and configure the password.
  </Step>

  <Step>
    Select **\[ OK ]** to finish creating the identity.

    A later section shows you how to configure the name of the identity in the `fxpkcs11.cfg` file to enable the Futurex PKCS #11 library to connect to the KMES Series 3.
  </Step>
</Steps>

### Create the key group

Perform the following steps to create a key group for the Oracle TDE – KMES Series 3 integration. This key group contains the created or renewed Master Keys for Oracle TDE.

<Note>
  You can choose any name for the key group, but remember the name because you need to use it later in the `<KEYGROUP-NAME>` tag in the `fxpkcs11.cfg` file.
</Note>

<Steps>
  <Step>
    Log in to the KMES Series 3 with the default Admin identities.
  </Step>

  <Step>
    Go to **Key** **Management** > **Keys**. In the **Key Groups** section, select **\[ Create ]**.
  </Step>

  <Step>
    In the **Select Key Group Storage** window, set the **Key** **Type** to **Symmetric** and the **Storage** **Location** to **HSM Trusted**. Then, select **\[ OK ]**\*.
  </Step>

  <Step>
    In the **Key Group Editor** window, set the **name** of the key group, set the **Owner** **Group** to the **Oracle Database role**, and ensure that the **Oracle Database role** has **Add** permissions for the key group.
  </Step>

  <Step>
    Select **\[ OK ]** to finish creating the key group.
  </Step>
</Steps>

### Enable the Host API commands

Because the connection to the **FXPKCS11** library uses the Host API port, you must define which commands to enable for execution by the **FXPKCS11** library. To set the enabled commands required for the Oracle TDE operation, complete the following steps:

<Steps>
  <Step>
    Log in to the KMES Series 3 with the default Admin identities.
  </Step>

  <Step>
    Go to **Administration** > **Configuration** >
    **Host API Options** and enable the following commands:

    <table>
      <thead>
        <tr>
          <th><em><strong>Command</strong></em></th>
          <th><em><strong>Description</strong></em></th>
        </tr>
      </thead>

      <tbody>
        <tr>
          <td><strong>ECHO</strong></td>
          <td>Communication Test/Retrieve Version</td>
        </tr>

        <tr>
          <td><strong>RAFA</strong></td>
          <td>Filter Issuance Policy</td>
        </tr>

        <tr>
          <td><strong>RKCK</strong></td>
          <td>Create Key</td>
        </tr>

        <tr>
          <td><strong>RKCP</strong></td>
          <td>Get Command Permissions</td>
        </tr>

        <tr>
          <td><strong>RKCS</strong></td>
          <td>Create Symmetric Key Group</td>
        </tr>

        <tr>
          <td><strong>RKED</strong></td>
          <td>Encrypt or Decrypt Data</td>
        </tr>

        <tr>
          <td><strong>RKLN</strong></td>
          <td>Lookup Objects</td>
        </tr>

        <tr>
          <td><strong>RKLO</strong></td>
          <td>Login User</td>
        </tr>

        <tr>
          <td><strong>RKRC</strong></td>
          <td>Get Key</td>
        </tr>
      </tbody>
    </table>
  </Step>

  <Step>
    Select **\[ Save ]** to finish.
  </Step>
</Steps>

## Configure TLS communication

Perform the following tasks to configure TLS communication between the KMES Series 3 and the Oracle Database instance:

1. Create a Certificate Authority.
2. Generate a CSR for the System/Host API connection pair.
3. Sign the System/Host API CSR.
4. Export the Root CA.
5. Export the signed System/Host API TLS certificate.
6. Load the exported certificates into the System/Host API connection pair.
7. Generate a private key and CSR for the Oracle Database instance by using OpenSSL.
8. Sign the CSR for the Oracle Database instance.
9. Export the signed Oracle TDE certificate.

The following sections describe how to perform these tasks.

### Create a CA

Perform the following steps to create a Certificate Authority (CA):

<Steps>
  <Step>
    Log in to the KMES Series 3 application interface with the default Admin identities.
  </Step>

  <Step>
    Go to **PKI** > **Certificate** **Authorities** and select **\[ Add CA ]** at the bottom of the page.
  </Step>

  <Step>
    In the **Certificate** **Authority** window, enter a name for the certificate container, leave all other fields set to the default values, and select **\[ OK ]**\*.

    <Check>
      The certificate container that you just created appears in the Certificate Authorities menu.
    </Check>
  </Step>

  <Step>
    Right-click the certificate container and select **Add** **Certificate** > **New** **Certificate**.
  </Step>

  <Step>
    On the **Subject** **DN** tab, set a **Common Name** for the certificate, such as `System TLS CA Root`.
  </Step>

  <Step>
    On the **Basic** **Info** tab, leave the fields set to the default values.
  </Step>

  <Step>
    On the **V3** **Extensions** tab, select the **Certificate Authority** profile and select **\[ OK ]**\*.

    <Check>
      The root CA certificate now displays under the previously created certificate container.
    </Check>
  </Step>
</Steps>

### Generate a CSR

Perform the following steps to generate a CSR for the System/Host API connection pair:

<Steps>
  <Step>
    Go to **Administration** > **Configuration** > **Network** **Options**.
  </Step>

  <Step>
    In the **Network** **Options** window, go to the **TLS/SSL Settings** tab.
  </Step>

  <Step>
    Under the **System/Host API** connection pair, uncheck the **Use Futurex certificates** checkbox and select **\[ Edit ]** next to **PKI keys**.
  </Step>

  <Step>
    In the **Application Public Keys** window, select **\[ Generate ]**.
  </Step>

  <Step>
    When prompted that *SSL will not be functional until you import new certificates*, select **\[ Yes ]** to continue.
  </Step>

  <Step>
    In the **PKI Parameters** window, leave the fields set to the default values and select **\[ OK ]**.

    <Check>
      The Application Public Keys window now shows that a PKI key pair is Loaded.
    </Check>
  </Step>

  <Step>
    Select **\[ Request ]**.
  </Step>

  <Step>
    On the **Subject** **DN** tab, you can leave the default System/Host API value set in the **Common Name** field or change it to a different value.
  </Step>

  <Step>
    On the **V3** **Extensions** tab, select the **TLS Server Certificate** profile.
  </Step>

  <Step>
    On the **PKCS #10 Info** tab, select a save location for the CSR and select **\[ OK ]**.
  </Step>

  <Step>
    When notified that *the certificate signing request was successfully written to the selected file location*, select **\[ OK ]**.
  </Step>

  <Step>
    Select **\[ OK ]** to save the **Application Public Keys** settings.

    <Check>
      The main Network Options window now shows Loaded next to PKI keys for the System/Host API connection pair.
    </Check>
  </Step>
</Steps>

### Sign the System/Host API CSR

Perform the following steps to sign the System/Host API CSR:

<Steps>
  <Step>
    Go to **PKI** > **Certificate** **Authorities**.
  </Step>

  <Step>
    Right-click the System TLS CA Root certificate and select **Add** **Certificate** > **From** **Request**.
  </Step>

  <Step>
    In the file browser, select the CSR for the System/Host API connection pair.
  </Step>

  <Step>
    Don't modify any of the settings for the certificate after it loads. Select **\[ OK ]**.

    <Check>
      The signed System/Host API certificate shows under the root CA certificate on the Certificate Authorities page.
    </Check>
  </Step>
</Steps>

### Export the CA certificate

Perform the following steps to export the Root CA certificate:

<Steps>
  <Step>
    Go to **PKI** > **Certificate** **Authorities**.
  </Step>

  <Step>
    Right-click the **System TLS CA Root** certificate and select **Export** > **Certificate(s)**.
  </Step>

  <Step>
    In the **Export** **Certificate** window, change the encoding to **PEM** and select **\[ Browse ]**.
  </Step>

  <Step>
    In the file browser, select the location where you want to save the root CA Certificate. Specify a name for the file and select **\[ Open ]**.
  </Step>

  <Step>
    Select **\[ OK ]**.

    <Check>
      A message box states that the PEM file was successfully written to the location you specified.
    </Check>
  </Step>
</Steps>

### Export the certificate

Perform the following steps to export the signed System/Host API certificate:

<Steps>
  <Step>
    Go to **PKI** > **Certificate** **Authorities**.
  </Step>

  <Step>
    Right-click the **System/Host API** certificate and select **Export** > **Certificate(s)**.
  </Step>

  <Step>
    In the **Export** **Certificate** window, change the encoding to **PEM** and select **\[ Browse ]**.
  </Step>

  <Step>
    In the file browser, select the location where you want to save the signed System/Host API certificate. Specify a name for the file and select **\[ Open ]**.
  </Step>

  <Step>
    Select **\[ OK ]**.

    <Check>
      A message box states that the PEM file was successfully written to the location you specified.
    </Check>
  </Step>
</Steps>

### Load the certificates

Perform the following steps to load the exported certificates into the System/Host API connection pair:

<Steps>
  <Step>
    Go to **Administration** > **Configuration** > **Network** **Options**.
  </Step>

  <Step>
    In the **Network** **Options** window, go to the **TLS/SSL Settings** tab.
  </Step>

  <Step>
    Select **\[ Edit ]** next to **Certificates** in the **User** **Certificates** section.
  </Step>

  <Step>
    Right-click the **System/Host API SSL CA** X.509 certificate container and select **\[ Import ].**
  </Step>

  <Step>
    Select **\[ Add ]** at the bottom of the **Import Certificates** window.
  </Step>

  <Step>
    In the file browser, select both the root CA certificate and the signed System/Host API certificate and select **\[ Open ]**.
  </Step>

  <Step>
    Select **\[ OK ]** to save changes.

    <Check>
      In the Network Options window, the System/Host API connection pair shows Signed loaded next to Certificates in the User Certificates section.
    </Check>
  </Step>

  <Step>
    Select **\[ OK ]** to save and exit the **Network** **Options** window.
  </Step>
</Steps>

### Generate a private key and CSR

Perform the following steps to generate a private key and CSR for the Oracle Database instance by using OpenSSL:

<Note>
  You must run the commands in this section from a terminal application with OpenSSL.
</Note>

<Steps>
  <Step>
    Open a terminal and run the following command to generate a private key for the Oracle Database instance:

    ```shell expandable lines wrap title="Shell" theme={null}
    openssl genrsa -out tls_skey.pem 2048
    ```

    <Check>
      The private key outputs to a file named `tls_skey.pem` in the current working directory.
    </Check>
  </Step>

  <Step>
    Run the following command to generate a CSR for the Oracle Database instance:

    ```shell expandable lines wrap title="Shell" theme={null}
    openssl req -new -key tls_skey.pem -out tls_cert_req.pem -days 365
    ```

    When prompted, enter the certificate information, pressing the **Enter** key at every prompt to set the default value for each field.

    <Check>
      The CSR outputs to a file named `tlscertreq.pem` in the current working directory.
    </Check>
  </Step>

  <Step>
    Move or copy the CSR file (`tls_cert_req.pem`) to the storage medium configured on the KMES.
  </Step>
</Steps>

### Sign the CSR

Perform the following steps to sign the CSR for the Oracle Database instance:

<Steps>
  <Step>
    Go to **PKI** > **Certificate** **Authorities**.
  </Step>

  <Step>
    Right-click the **System TLS CA Root** certificate and select **Add** **Certificate** > **From** **Request**.
  </Step>

  <Step>
    In the file browser, select the Oracle Database CSR.

    <Check>
      Certificate information populates in the Create X.509 From CSR window.
    </Check>
  </Step>

  <Step>
    On the **Subject DN** tab, change the preset drop-down option to **Classic**, and set a common name for the certificate, such as `Oracle TDE`.
  </Step>

  <Step>
    Leave all fields in the **Basic Info** tab set to the default values.
  </Step>

  <Step>
    On the **V3 Extensions** tab, select the **TLS Client Certificate** profile and select **\[ OK ]**.

    <Check>
      The signed Oracle TDE certificate now displays under the System TLS CA Root certificate.
    </Check>
  </Step>
</Steps>

### Export the certificate

Perform the following steps to export the signed Oracle TDE certificate:

<Steps>
  <Step>
    Go to **PKI** > **Certificate** **Authorities**.
  </Step>

  <Step>
    Right-click the Oracle TDE certificate and select **Export** > **Certificate(s)**.
  </Step>

  <Step>
    In the **Export** **Certificate** window, change the encoding to **PEM** and select **\[ Browse ]**.
  </Step>

  <Step>
    In the file browser, go to the location where you want to save the Oracle TDE certificate. Specify a name for the file and select **\[ Open ]**.
  </Step>

  <Step>
    Select **\[ OK ]**.

    <Check>
      A message box states that the PEM file was successfully written to the location you specified.
    </Check>
  </Step>

  <Step>
    Move both the **Oracle TDE** certificate and the **System TLS CA Root** certificate to the computer running the Oracle Database instance.

    The next section shows you how to configure the certificates in the Futurex PKCS #11 configuration file and use them for TLS communication with the KMES Series 3.
  </Step>
</Steps>

##

##
