Configure the KMES Series 3 - Futurex Documentation

This section starts with general configurations you must make on the KMES Series 3 to allow the Futurex PKCS #11 module to integrate with the KMES and then covers the steps required to configure TLS communication between the KMES and the Futurex PKCS #11 library.

General KMES configurations

Perform the tasks in this section to configure the KMES for this integration.

Create a role and identity

Perform the following steps to create a new role and identity for Futurex PKCS #11 (FXPKCS11) with the required permissions on the KMES:

A later section shows you how to configure the identity name and password inside of the Futurex PKCS #11 configuration file.

Go to Identity Management > Roles, and select [ Add ].

In the Role Editor window, specify a Name for the role and set the number of logins required to 1. Then, go to the Advanced tab and allow authentication to the Host API port only. Leave all other fields set to the default values.

Go to the Permissions tab and select the All profile to enable all permissions.

We usually do not recommend enabling all permissions. However, in the case of the Generic FXPKCS11 integration guide, the application being integrated is unknown, so the required permissions are also unknown.

Select **[ OK ]**to finish creating the role.

Go to Identity Management > Identities, right-click anywhere in the window, and select Add > Client Application.

In the Info tab of the Identity Editor window, select Application for the storage location and specify a Name for the identity, such as crypto1.

In the Assigned Roles tab, select the role you created in the previous section.

Under Authentication, select the API Key mechanism and then [ Remove ]. Then, select [ Add ] and set the type to Password. Set the password for the identity and then select [ OK ] to finish.

A later section shows you how to configure the password in the Futurex PKCS #11 configuration file.

Select [ OK ] to finish creating the identity.

Enable the Host API commands

Because the Futurex PKCS #11 library connects to the Host API port on the KMES, you must define which Host API commands to enable for execution by the FXPKCS11 library. To enable the Host API commands required for PKCS #11, complete the following steps:

Go to Administration > Configuration > Host API Options and select the All preset to enable all commands, then select [ Save ].

We usually do not recommend enabling all commands. However, in the case of the Generic FXPKCS11 integration guide, the application being integrated is unknown, so the required commands are also unknown.

Configure TLS communication

Perform the following tasks to configure TLS communications between the KMES Series 3 and the Futurex PKCS #11 module.

Create a CA

Perform the following steps to create a Certificate Authority (CA):

Select PKI > Certificate Authorities in the left-side menu, and select [ Add CA ] at the bottom of the page.

In the Certificate Authority window, enter a Name for the certificate container, leave all other fields set to the default values, and select [ OK ].

The certificate container you created now displays in the Certificate Authorities menu.

Right-click on the certificate container and select Add Certificate > New Certificate.

In the Subject DN tab, set a Common Name for the certificate, such as System TLS CA Root.

In the Basic Info tab, leave all fields set to the default values.

In the V3 Extensions tab, select the Certificate Authority profile, and select [ OK ].

The root CA certificate now displays under the previously created certificate container.

Generate a CSR

Perform the following steps to generate a CSR for the System/Host API connection pair:

Go to Administration > Configuration > Network Options.

In the Network Options window, go to the TLS/SSL Settings tab.

Under the System/Host APIconnection pair, uncheck Use Futurex certificates, and select [ Edit ] next to PKI Keys in the User Certificates section.

In the Application Public Keys window, select [ Generate ].

When prompted that* SSL will not be functional until new certificates are imported*, select **[ Yes ]**to continue.

In the PKI Parameters window, leave the fields set to the default values and select [ OK ].

You see that a PKI Key Pair is loaded in the Application Public Keys window.

Select** [ Request ]**.

In the Subject DN tab, set a Common Name for the certificate, such as KMES.

In the V3 Extensions tab, select the TLS Server Certificateprofile.

In the PKCS #10 Info tab, select a save location for the CSR, and select [ OK ].

When prompted that the certificate signing request was successfully written to the file location that was selected, select [ OK ].

Select** [ OK ]** again to save the Application Public Keys settings.

The main Network Options window shows Loaded next to PKI Keys for the System/Host API connection pair.

Sign the CSR

Perform the following steps to sign the System/Host API CSR:

Go to PKI > Certificate Authorities.

Right-click on the root CA certificate you created for this integration, and select Add Certificate > From Request.

In the file browser, find and select the CSR generated for the System/Host API connection pair.

After it loads, you don’t need to modify any settings for the certificate. Select [ OK ].

The signed System/Host API certificate now shows under the root CA certificate on the Certificate Authorities page.

Export the certificate

Perform the following steps to export the Root CA certificate:

Go to PKI > Certificate Authorities.

Right-click the System TLS CA Root certificate, and select Export > Certificate(s).

In the Export Certificate window, change the encoding to PEM, and select [ Browse ].

In the file browser, go to the location where you want to save the Root CA certificate. Specify a name for the file, and select [ Open ].

Select** [ OK ]**.

Export the certificate

Perform the following steps to export the signed System/Host API certificate:

Go to PKI > Certificate Authorities.

Right-click the KMES certificate, then select Export > ** Certificate(s)**.

In the Export Certificate window, change the encoding to PEM and select [ Browse ].

In the file browser, go to the location where you want to save the signed System/Host API certificate. Specify a name for the file, and select [ Open ].

Select [ OK ].

A message box shows that the PEM file was successfully written to the location that you specified.

Load the exported certificates

Perform the following steps to load the exported certificates into the System/Host API connection pair:

Go to Administration > Configuration > Network Options.

In the Network Options window, go to the TLS/SSL Settings tab.

Select [ Edit ] next to Certificates in the User Certificates section.

Right-click on the **System/Host API SSL CA **X.509 certificate container, and select [ Import ].

Select [ Add ] at the bottom of the Import Certificates window.

In the file browser, select both the root CA certificate and the signed System/Host APIcertificate, and select [ Open ].

The certificate chain appears in the Verified section of the window.

Select [ OK ] to save the changes.

In the Network Options window, the System/Host API connection pair now shows Signed loaded next to Certificates in the User Certificates section.

Issue a client certificate

A later section shows you how to configure the client certificate created here inside the Futurex PKCS #11 configuration file.

Perform the following steps to issue a client certificate for the Futurex PKCS #11 module:

Go to PKI > Certificate Authorities.

Right-click the System TLS CA Root certificate and select Add Certificate > New Certificate.

In the Subject DN tab, set a Common Name for the certificate.

Leave all fields in the Basic Info tab set to the default values.

In the V3 Extensions tab, select the TLS Client Certificate profile, and select [ OK ].

The PKCS #11 client certificate now displays under the System TLS CA Root certificate.

Export the client certificate

To perform the following steps, you must go to Administration > Configuration > Options and enable the Allow export of certificates using password option.

Perform the following steps to export the client certificate as a PKCS #12 file:

Go to PKI > Certificate Authorities.

Right-click the PKCS #11 client certificate, and select Export > PKCS12.

Set a PKCS #12 password, leave Export Selected Certificate with Parents selected, then select [ Next ].

Select the storage device to use and select [ OK ].

Enter a name for the file, select the location where you want to save it, and select [ Open ].

You must move the FXPKCS11 Client certificate to the computer where you installed the Futurex PKCS #11 module. A later section shows you how to configure it inside the FXPKCS11 configuration file and use it for TLS communication with the KMES Series 3.

​General KMES configurations

​Create a role and identity

​Enable the Host API commands

​Configure TLS communication

​Create a CA

​Generate a CSR

​Sign the CSR

​Export the certificate

​Export the certificate

​Load the exported certificates

​Issue a client certificate

​Export the client certificate

General KMES configurations

Create a role and identity

Enable the Host API commands

Configure TLS communication

Create a CA

Generate a CSR

Sign the CSR

Export the certificate

Export the certificate

Load the exported certificates

Issue a client certificate

Export the client certificate