> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Configure KMES Series 3

> Configuration steps required on KMES Series 3 before deploying file encryption.

Before deploying file encryption capabilities, perform the following tasks on the KMES Series 3:

1. Enable Host API commands and enable the **FEAS**, **FEDF**, and **FEEF** operations.
2. Configure TLS certificates for the System/Host API connection pair.
3. Generate a client TLS certificate for the File Encryption Agent.
4. Set up PKI, TLS, or password-based application authentication.
5. Create a role and identity with file encryption permissions.
6. Establish key groups, key templates, and key rotation policies.  See the [**File Encryption Agent**](./File_Encryption_Agent) section.

## Enable Host API commands

To enable file encryption, you must enable three Host API commands:**FEAS**,**FEEF**, and **FEDF** through the **Host API Options** page.

<Steps>
  <Step>
    Go to **Administration** > **Configuration** > **Host API Options**.
  </Step>

  <Step>
    To enable the **FEAS**(manage client-side file encryption session keys), **FEEF**(encrypt file), and **FEDF**(decrypt file) commands, select the checkbox next to them.

    <Note>
      We recommend enabling only necessary functions. By default, all commands are disabled.
    </Note>
  </Step>

  <Step>
    Select **\[ Save ]** to finish.
  </Step>
</Steps>

## Configure TLS certificates

For mutual authentication to occur between the File Encryption Agent and the System/Host API port, you must configure TLS certificates for both. This establishes an encrypted tunnel for all communication between the File Encryption Agent and the KMES Series 3. The KMES Series 3 supports a certificate hierarchy, in which the top of the hierarchy must contain a self-signed root certificate. To import a certificate that is not self-signed, its parent certificate (the certificate that signed it) must be present.

The following example generates a root certificate authority (CA) on the KMES and uses it to issue both the System/Host API TLS certificate and the client TLS certificate for the File Encryption Agent.

<Note>
  You often need to whitelist the System/Host API port on any network firewalls configured in your environment. The default System/Host API port is 2001, but you can modify the system to use a different port.
</Note>

Perform the following tasks to configure the TLS certificates for the connection between the File Encryption Agent and the System/Host API port:

1. Create an X.509 certificate container and generate a root CA certificate.
2. Generate a CSR for the System/Host API connection pair.
3. Sign the System/Host API CSR.
4. Export the System TLS CA Root certificate.
5. Export the signed System/Host API TLS certificate.
6. Load the exported TLS certificates into the System/Host API connection pair.

### Create a certificate container

Perform the following steps to create an X.509 certificate container and generate a root CA certificate:

<Steps>
  <Step>
    Go to **PKI**> **Certificate Authorities**, and select **\[ Add CA ]** at the bottom of the page.
  </Step>

  <Step>
    In the **Certificate Authority** window, enter a **name** for the certificate container, leave all other fields set to the default values, and select **\[ OK ]**.
  </Step>

  <Step>
    Right-click the certificate container that you created and select **Add Certificate**> **New Certificate**.
  </Step>

  <Step>
    In the **Subject DN** tab, select **Classic** in the **Preset** drop-down list and set a **Common Name** for the certificate, such as **System TLS CA Root**.
  </Step>

  <Step>
    In the **Basic Info** tab, change the key size to **4096**. Leave all other settings set to the default values.
  </Step>

  <Step>
    In the **V3 Extensions** tab, select **Certificate Authority** in the profile drop-down list and select **\[ OK ]**.
  </Step>
</Steps>

### Generate a CSR

Perform the following steps to generate a CSR for the System/Host API connection pair:

<Steps>
  <Step>
    Go to **Administration**> **Configuration**> **Network Options**.
  </Step>

  <Step>
    In the **Network Options** window, select the **TLS/SSL Settings** tab.
  </Step>

  <Step>
    Under the **System/Host API** connection pair, uncheck the **Use Futurex Certificates** box and select **\[ Edit ]** next to **PKI Keys** in the **User Certificates** section.
  </Step>

  <Step>
    In the **Application Public Keys** window, select **\[ Generate ]**.
  </Step>

  <Step>
    When warned that *SSL will not be functional until new certificates are imported*, select **\[ Yes ]** to continue.
  </Step>

  <Step>
    In the **PKI Parameters** window, leave the default settings and select **\[ OK ]**.

    <Check>
      The Application Public Keys window shows that a PKI Key Pair is loaded.
    </Check>
  </Step>

  <Step>
    Select **\[ Request ]**.
  </Step>

  <Step>
    In the **Subject DN** tab, leave the default **Common Name** that is set for the certificate.
  </Step>

  <Step>
    In the **Basic Info** tab, leave the default settings.
  </Step>

  <Step>
    In the **V3 Extensions** tab, select **TLS Server Certificate** in the **Profile** drop-down list.
  </Step>

  <Step>
    In the **PKCS #10 Info** tab, select **\[ Browse ]**, select a save location for the CSR, specify a name for the file, and select **\[ Open ]**.
  </Step>

  <Step>
    Select **\[ OK ]** to finish generating the CSR. When prompted that *the* *certificate signing request was successfully written to the file location that was selected*, select **\[ OK ]**.
  </Step>

  <Step>
    Select **\[ OK ]** again to save the **Application Public Keys** settings.

    <Check>
      The main Network Options window now shows Loaded next to PKI Keys for the System/Host API connection pair.
    </Check>
  </Step>

  <Step>
    Select **\[ OK ]**.
  </Step>
</Steps>

### Sign the CSR

Perform the following steps to sign the System/Host API CSR:

<Steps>
  <Step>
    Go to **PKI**> **Certificate Authorities**.
  </Step>

  <Step>
    Right-click the **System TLS CA Root** certificate and select **Add Certificate**> **From Request**.
  </Step>

  <Step>
    In the file browser, find and select the CSR generated for the System/Host API connection pair, and select **\[ Open ]**.
  </Step>

  <Step>
    After it loads, you don't need to modify the certificate settings. Select **\[ OK ]**.

    <Check>
      The signed System/Host API TLS certificate now shows under the System TLS CA Root certificate in the Certificate Authorities menu.
    </Check>
  </Step>
</Steps>

### Export the certificate

Perform the following steps to export the System TLS CA Root certificate:

<Steps>
  <Step>
    Go to **PKI**> **Certificate Authorities**.
  </Step>

  <Step>
    Right-click the **System TLS CA Root** certificate and select **Export**> **Certificate(s)**.
  </Step>

  <Step>
    In the **Export Certificate** window, select **PEM** in the **Encoding** drop-down list and select **\[ Browse ]**.
  </Step>

  <Step>
    In the file browser, go to the location where you want to save the **System TLS CA Root** certificate, specify a name for the file, and select **\[ Open ]**.
  </Step>

  <Step>
    Select **\[ OK ]**. When notified that *the PEM file was successfully written to the location that you specified*, select **\[ OK ]** again to exit the dialog.
  </Step>
</Steps>

### Export the signed certificate

Perform the following steps to export the signed System/Host API TLS certificate:

<Steps>
  <Step>
    Go to **PKI**> **Certificate Authorities**.
  </Step>

  <Step>
    Right-click the System/Host API certificate and select **Export**> **Certificate(s)**.
  </Step>

  <Step>
    In the **Export Certificate** window, select **PEM** in the **Encoding** drop-down list and select **\[ Browse ]**.
  </Step>

  <Step>
    In the file browser, go to the location where you want to save the signed System/Host API TLS certificate, specify a name for the file, and select **\[ Open ]**.
  </Step>

  <Step>
    Select **\[ OK ]**. When notified that *the PEM file was successfully written to the location that you specified*, select **\[ OK ]** again to exit the window.
  </Step>
</Steps>

### Load the exported certificates

Perform the following steps to load the exported TLS certificates into the System/Host API connection pair:

<Steps>
  <Step>
    Go to **Administration**> **Configuration**> **Network Options**.
  </Step>

  <Step>
    In the **Network Options** window, go to the **TLS/SSL Settings** tab.
  </Step>

  <Step>
    Select **\[ Edit ]** next to **Certificates** in the **User Certificates** section.
  </Step>

  <Step>
    Right-click the **System/Host API SSL CA X.509** certificate container and select **\[ Import ]**.
  </Step>

  <Step>
    Select **\[ Add ]** at the bottom of the **Import Certificates** window.
  </Step>

  <Step>
    In the file browser, select both the System TLS CA Root certificate and the signed System/Host API certificate, and select **\[ Open ]**.

    <Check>
      The certificate chain appears in the Verified section.
    </Check>
  </Step>

  <Step>
    Select **\[ OK ]** to save the changes.

    <Check>
      In the Network Options window, the System/Host API connection pair now shows Signed loaded next to Certificates in the User Certificates section.
    </Check>
  </Step>

  <Step>
    Select **\[ OK ]** to save and exit the **Network Options** window.
  </Step>
</Steps>

## Generate a certificate

Perform the following steps to generate a client TLS certificate for the File Encryption Agent:

<Steps>
  <Step>
    Go to **PKI**> **Certificate Authorities**.
  </Step>

  <Step>
    Right-click the **System TLS CA Root** certificate and select **Add Certificate**> **New**.
  </Step>

  <Step>
    In the **Subject** **DN** tab, select **Classic** in the **Preset** drop-down list, and set a **Common Name** for the certificate, such as **FileEncryptionAgent**.

    <Warning>
      If you plan to use TLS-based authentication for the File Encryption Agent, ensure there are no spaces in the Common Name. The section covering authentication methods explains why.
    </Warning>
  </Step>

  <Step>
    In the **Basic Info** tab, leave the default settings.
  </Step>

  <Step>
    In the **V3 Extensions** tab, select the **TLS Client Certificate** profile and select
    **\[ OK ]**.

    <Check>
      The FileEncryptionAgent certificate now displays under the System TLS CA Root certificate.
    </Check>
  </Step>
</Steps>

After generating the certificate, you must export it and the private key.

### Export the certificate and private key

Perform the following steps to export the File Encryption Agent TLS certificate and private key as a PKCS #12 file:

<Note>
  To export the File Encryption Agent TLS certificate and private key as a PKCS #12 file, you must enable an option in the Options menu to allow the export of certificates by using passwords.
</Note>

<Steps>
  <Step>
    Go to **Administration**> **Configuration**> **Options**.
  </Step>

  <Step>
    Select the **Allow export of certificates using passwords** checkbox, and select **\[ Save ]**.
  </Step>

  <Step>
    Go to **PKI**> **Certificate Authorities**.
  </Step>

  <Step>
    Right-click the FileEncryptionAgent certificate and select **Export**>
    **PKCS #12**.
  </Step>

  <Step>
    In the **Export PKCS12** window, select the **Export Selected** radio button, select **AES-192** in the **Cipher Options** drop-down list, change the **File name** to `file_encryption_agent.p12`, and select **\[ Next ]**.
  </Step>

  <Step>
    Enter a password for the PKCS #12 file and select **\[ Next ]**.
  </Step>

  <Step>
    Select **\[ Finish ]** in the final menu to open a file browser.
  </Step>

  <Step>
    Select the directory where you want to save the PKCS #12 file and select **\[ Choose ]**.

    <Note>
      You must copy the File Encryption Agent PKCS #12 file and the System TLS CA Root certificate to the computer running the File Encryption Agent. A later section shows how to configure them in the File Encryption Agent GUI and use them for TLS communication with the KMES Series 3.
    </Note>
  </Step>
</Steps>

## Set up PKI, TLS, or password-based application authentication

The File Encryption Agent on the KMES Series 3 supports the following authentication methods:

* Password-based authentication
* TLS-based authentication
* PKI-based authentication

You can configure each of these authentication methods on the KMES through an identity provider. The KMES supports password-based authentication by default, but you must configure the TLS and PKI-based authentication methods.

<Note>
  We recommend using either TLS or PKI-based authentication, in which you generate certificates on the KMES Series 3 and store them on the server running the File Encryption Agent. This ensures the server is trusted and eliminates relying solely on a username and password to authenticate.
</Note>

To configure the TLS-based and PKI-based methods, select the appropriate option and follow the instructions:

**TLS-based authentication**:

<Note>
  TLS-based authentication works by matching the Common Name of a TLS certificate to a specific KMES identity.
</Note>

<Steps>
  <Step>
    Go to **Identity Management**> **Identity Providers**, right-click the window background, and select **Add**> **Provider**> **PKI**.
  </Step>

  <Step>
    In the **Info** tab of the **Identity Provider Edito** r window, specify a **Name** for the identity provider and de-select the **Enforce Dual-Factor** checkbox.
  </Step>

  <Step>
    In the **PKI Options** tab, select **\[ Select ]**.
  </Step>

  <Step>
    In the **Certificate Selector** window, expand the **System TLS CA** certificate tree, select the **FileEncryptionAgent** certificate, and select **\[ OK ]**.
  </Step>

  <Step>
    Select **\[ OK ]** to finish creating the identity provider.
  </Step>

  <Step>
    Right-click the identity provider you just created and select **Add**> **Mechanism**> **TLS**.
  </Step>

  <Step>
    In the **Info** tab, specify a **Name** for the authentication mechanism.
  </Step>

  <Step>
    In the **PKI** tab, leave the default settings.
  </Step>

  <Step>
    Select **\[ OK ]** to finish creating the TLS authentication mechanism.
  </Step>
</Steps>

**PKI-based authentication**:

<Note>
  For PKI-based authentication, you should use separate certificates for TLS communication and application authentication.
</Note>

<Steps>
  <Step>
    Go to **Identity Management**> **Identity Providers**, right-click the window background, and select **Add**> **Provider**> **PKI**.
  </Step>

  <Step>
    In the **Info** tab of the **Identity** **Provider Editor**, specify a **Name** for the identity provider and de-select the **Enforce Dual-Factor** checkbox.
  </Step>

  <Step>
    In the **PKI Options** tab, select **\[ Select ]**.
  </Step>

  <Step>
    In the **Certificate Selector** window, select a certificate for application authentication and select **\[ OK ]**\*.
  </Step>

  <Step>
    Select **\[ OK ]** to finish creating the identity provider.
  </Step>

  <Step>
    Right-click the identity provider you just created and select **Add**> **Mechanism**> **PKI**.
  </Step>

  <Step>
    In the **Info** tab, specify a **Name** for the authentication mechanism.
  </Step>

  <Step>
    In the **PKI** tab, leave the default settings.
  </Step>

  <Step>
    Select **\[ OK ]** to finish creating the PKI authentication mechanism.
  </Step>
</Steps>

## Create a role and identity for the File Encryption Agent

Perform the following tasks to create a role to designate the permissions required for file encryption and create an identity for the File Encryption Agent to use when connecting to the KMES Series 3:

1. Create a new role.
2. Grant the new role **Use** permissions for the identity provider and certificate container.
3. Create a new identity.

### Create a new role

Perform the following steps to create a new role:

<Steps>
  <Step>
    Go to **Identity Management**> **Roles** and select **\[ Add ]**.
  </Step>

  <Step>
    In the **Info** tab of the **Role Editor** window, leave the role **Type** set to **Application**, specify a **Name** for the role, and change **Login Required** to **1**.
  </Step>

  <Step>
    In the **Permissions** tab, select **all** of the **File Encryption Permissions**:

    <table>
      <thead>
        <tr>
          <th><em><strong>Permission</strong></em></th>
          <th><em><strong>Sub-permission </strong></em></th>
        </tr>
      </thead>

      <tbody>
        <tr>
          <td><strong>File Encryption</strong></td>
          <td><ul><li>Add</li><li>Decrypt</li><li>Delete</li><li>Encrypt</li><li>Export</li><li>List</li><li>Modify</li><li>Prune</li></ul></td>
        </tr>
      </tbody>
    </table>
  </Step>

  <Step>
    In the **Advanced** tab, modify **Allowed Ports** to only allow **Host API**.
  </Step>

  <Step>
    Select **\[ OK ]** to finish creating the role.
  </Step>
</Steps>

### Grant the role Use permissions

Perform the following steps to grant the new role **Use** permissions for the identity provider and certificate container:

<Steps>
  <Step>
    Go to **Identity Management**> **Identity Providers**.
  </Step>

  <Step>
    Right-click the identity provider created for File Encryption Agent and select **Permission**.
  </Step>

  <Step>
    Set the **Use** permission for the File Encryption Agent role, and select **\[ OK ]** to save.
  </Step>

  <Step>
    Go to **PKI**> **Certificate** **Authorities**.
  </Step>

  <Step>
    Right-click the certificate container created for this integration and select **Permission**.
  </Step>

  <Step>
    Set the **Use** permission for the File Encryption Agent role and select **\[ OK ]** to save.
  </Step>
</Steps>

### Create a new identity

Perform the following steps to create a new identity:

<Steps>
  <Step>
    Go to **Identity Management**> **Identities**, then right-click the window background and select **Add**> **Client Application**.
  </Step>

  <Step>
    In the **Info** tab of the **Identity Editor**, leave the **Storage** type set to **Application** and specify a **Name** for the identity.
  </Step>

  <Step>
    In the **Assigned Roles** tab, select the File Encryption Agent role you just created.
  </Step>

  <Step>
    Don't modify the settings in the **Device Info** tab.
  </Step>

  <Step>
    In the **Authentication** tab, select the default **API Key** credential and select **\[ Remove ]**. Then, select **\[ Add ]**.
  </Step>

  <Step>
    In the **Configure** **Credential** window, select the **Type** drop-down option, which lists all available credential types.

    If you configured **TLS-based authentication**, select **TLS Certificate**, and if you configured **PKI-based authentication**, select **PKI Certificate**.
  </Step>

  <Step>
    After selecting the credential type, the **Provider** and **Mechanism** fields auto-populate. Select **\[ OK ]**.

    <Check>
      On the Authentication tab, you should see the TLS Certificate or PKI Certificate credential that you just added.
    </Check>
  </Step>

  <Step>
    Select **\[ OK ]** to finish creating the identity.
  </Step>
</Steps>
