The process for configuring and testing certificates on the client side varies between the different types of applications connecting to the KMES Series 3 with KMIP. However, you can use the following OpenSSL commands to confirm that the KMIP client certificate enables a successful connection to the KMIP port on the KMES Series 3. Perform the following steps to test the connection, based on your use case:
1. If you used the KMES as the CA that signed the KMIP client certificate, you must first extract the client certificate, private key, and root CA certificate from the PKCS #12 file (steps 2 and 3) before connecting. If you used an external CA to sign the client certificate, run the following OpenSSL command to test the connection and authentication to the KMES Series 3:
Shell
openssl s_client -connect 10.0.5.197:5696 -CAfile root.pem -cert signed-client-cert.pem -key sslclient-privatekey.pem

Adjust the IP address of the KMES Series 3 and the file names in the preceding command to your specific situation.
2. If you used the KMES as a CA to sign the KMIP client certificate, run the following OpenSSL command to first extract the contents of the PKCS #12 file:
Shell
openssl pkcs12 -in export_pkcs12.p12 -out pkcs12.pem -nodes
Open the pkcs12.pem file that was output from the previous command. Then, copy the signed client certificate, private key, and root CA certificate to individual files for use in the next command.
3. Run the following OpenSSL command to test the connection to the KMES Series 3:
Shell
openssl s_client -connect 10.0.5.197:5696 -CAfile root.pem -cert signed-client-cert.pem -key sslclient-privatekey.pem
If the SSL handshake is successful, then you have configured the certificates correctly on the KMES Series 3.
If you used the TLS certificate to authenticate, the KMES Series 3 attempts to authenticate the KMIP client immediately after establishing the connection. If the Common Name of the TLS certificate matches the name of a KMES user that has the signing CA of that TLS certificate registered, the authentication is successful, and the KMIP client can perform any of the actions that are enabled for that user on the KMES.
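Steps 2 and 3 can be scripted instead of copying blocks out of pkcs12.pem by hand, with an offline check of the extracted files before the connection test. The following is an added example, not part of the vendor documentation. The function names, the P12_PASS environment variable, and the premise that the PKCS #12 file holds one client certificate and key plus the root CA are assumptions of this example.

```shell
#!/bin/sh
# Added example (not vendor code). Assumes P12_PASS holds the PKCS #12 password
# and that the .p12 contains one client certificate/key plus the root CA.

# split_p12 <file.p12> <outdir>: write the three PEM files used by s_client.
split_p12() {
    p12=$1; out=$2
    # -nodes writes the key unencrypted, so create it readable by owner only.
    ( umask 077
      openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes \
          -out "$out/sslclient-privatekey.pem" ) &&
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -clcerts -nokeys \
        -out "$out/signed-client-cert.pem" &&
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -cacerts -nokeys \
        -out "$out/root.pem"
}

# check_client_files <dir>: offline pre-flight; prints the certificate CN.
# Returns 1 if the chain does not verify, 2 if key and certificate differ.
check_client_files() {
    d=$1
    openssl verify -CAfile "$d/root.pem" "$d/signed-client-cert.pem" \
        >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$d/signed-client-cert.pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$d/sslclient-privatekey.pem" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] || return 2
    # This CN must equal the KMES user name for TLS-certificate authentication.
    openssl x509 -in "$d/signed-client-cert.pem" -noout -subject \
        -nameopt multiline | sed -n 's/^ *commonName *= *//p'
}

# Usage (values from the page):
#   P12_PASS=... ; export P12_PASS
#   split_p12 export_pkcs12.p12 . && check_client_files . &&
#   openssl s_client -connect 10.0.5.197:5696 -CAfile root.pem \
#       -cert signed-client-cert.pem -key sslclient-privatekey.pem
```

A non-zero return from check_client_files points to a wrong root CA file (1) or a private key that does not belong to the certificate (2) before any connection to the KMIP port is attempted.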
The process for authenticating with username and password on the client side is specific to each KMIP client.