> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Configure KMES key labels

> Procedural guide to configure key labels on KMES Series 3, including code examples.

Perform the following tasks to configure key labels on the KMES.

## Create a key group

Perform the following steps to create a key group :

<Note>
  If the key group has already been created, skip to the Set permissions section.
</Note>

<Steps>
  <Step>
    Go to **Key** **Management** > **Keys** and select **\[ Create ]** under **Key** **Groups**.
  </Step>

  <Step>
    Select **Symmetric** or **Asymmetric** as the **Key** **type**, and set **HSM** **Trusted** for the storage location. Then, select **\[ OK ]**.
  </Step>

  <Step>
    Enter a **name** for the key group, and select **\[ OK ]**.
  </Step>
</Steps>

## Set permissions

Perform the following steps to set permissions:

<Steps>
  <Step>
    After you create a new key group or select a pre-existing group, select **\[ Permissions ]**.
  </Step>

  <Step>
    Give the user group the **Use** permission, and select **\[ OK ]**.
  </Step>

  <Step>
    Select **\[ OK ]** again to save and close the Key Group Editor.
  </Step>
</Steps>

## Connect to a Guardian

To use key labels, you must make an authorized connection to the Guardian Series 3, by using one of the following methods:

1. Log onto a Guardian by using the **RKLG** command in the Remote Host API.
2. Set up a TLS connection to the Guardian by using certificates where the **Common Name** is the name of an identity under the role authorized to access the correct keys through Key Labeling.

### Log on with RLKG

You can execute the **RKLG** command in the remote host API whenever you make a new connection to the Guardian. Issue the command with the following tokens:

<table>
  <thead>
    <tr>
      <th><em><strong>Token</strong></em></th>
      <th><em><strong>Definition</strong></em></th>
    </tr>
  </thead>

  <tbody>
    <tr>
      <td><strong>DA</strong></td>
      <td>User Name</td>
    </tr>

    <tr>
      <td><strong>CH</strong></td>
      <td>Password</td>
    </tr>
  </tbody>
</table>

The following example shows the command using each token:

```shell expandable lines wrap title="Shell" theme={null}
[AORKLG;DATest_User1;CHsafest;]
```

For more information on this command, refer to the Remote Host API technical reference guide.

### Set up a TLS connection

The Guardian can recognize a secure connection between the host application and the Guardian when you use TLS as an authorized connection. However, for the Guardian to recognize the connection as authorized, the client must connect with a valid certificate where the **Common Name** is a valid user on the Guardian.

<Note>
  This method replaces the password authentication method in the following steps.
</Note>

<Steps>
  <Step>
    Ensure the connection for the host application Encryption Device Group for HSMs is set to **SSL** (under **Settings**).
  </Step>

  <Step>
    The host application creates a CSR with the **Common Name** set to a valid user to be signed under a Certificate Authority (CA).
  </Step>

  <Step>
    If the CA is not on the Guardian accepting the connection, you need to import it on the appropriate Guardian device.
  </Step>

  <Step>
    Under **Administration** > **Configuration** > **Network** **Options** > **TLS/SSL Settings**, choose the **TLS setting** defined for the connection on which the host application connects. If you are using the default, this is the **Balancer** setting.
  </Step>

  <Step>
    Under **Certificates**, select **\[ Edit ]**.
  </Step>

  <Step>
    Right-click a trusted CA with nothing loaded, and select **Import**.
  </Step>

  <Step>
    Import the CA from step 3 of this procedure.
  </Step>

  <Step>
    Go to **Identity** **Management** > **Identity** **Providers**, right-click the background of the screen, and select **Add** > **Provider** > **PKI**.
  </Step>

  <Step>
    In the **Info** tab, specify a **name**. If you are using a single user, uncheck **Enforce Dual-Factor**.
  </Step>

  <Step>
    In the **PKI** **Options** tab, press **\[ Select ]**. Choose the certificate for the CA imported in step 3, and select **\[ OK ]**.
  </Step>

  <Step>
    Right-click the **identity provider** and select **Add** > **Mechanism** > **PKI**.
  </Step>

  <Step>
    Set a **name** for the **mechanism**, and leave all other values set to the default values. Select **\[ OK ]**.
  </Step>

  <Step>
    Go to **Identity** **Management** > **Identities** and **remove** the previously configured **Password** for the identity. Select **\[ Add ]** and then set the **Type** to **PKI** **Certificate**. Then, select **\[ OK ]**.
  </Step>
</Steps>
