Configure KMES Series 3 - Futurex Documentation

This section starts with general configurations you must make on the KMES to enable HashiCorp Vault to integrate the KMES with the Managed Keys functionality. Then, it covers the necessary steps to configure TLS communication between the KMES and the Vault instance.

Configure general KMES settings

Perform the following tasks to configure the KMES Series 3 for communication with SignTool:

Create a Vault role and identity with the correct assigned permissions.
Enable Host API commands.

The following sections show you how to complete these tasks.

Create a role and identity for Vault with the required permissions

Perform the following steps to create a new role and identity for Vault on the KMES Series 3:

A later section shows you how to configure the name of this identity in the Futurex PKCS #11 configuration file.

Go to Identity Management > Roles and select [ Add ].

In the Role Editor window, perform the following steps:

Specify a name for the role.
Set the number of logins required to 1.
Go to the Advanced tab and allow authentication to the Host API port only.
Leave all other fields set to the default values.

Go to the Permissions tab and select the following permissions:

Permission	Subpermission
Certificate Authority	Add, Export, Upload
Cryptographic Operations	Sign, Verify, Encrypt, Decrypt
Keys	Add, Export

Select [ OK ] to finish creating the role.

Go to Identity Management> Identities, right-click anywhere, and select Add> Client Application.

Under Info in the Identity Editor window, select Application for the storage location, and specify a name for the identity.

Under Assigned Roles, select the role you created.

Under Authentication, configure the password.

Leave all other fields set to the default values and select [ OK ] to finish creating the identity.

Enable Host API commands for HashiCorp Vault operation

Because the Futurex PKCS #11 library connects to the Host API port on the KMES, you must define which Host API commands to enable for the FXPKCS11 library to execute. To set the enabled commands, complete the following steps:

Go to Administration> Configuration> Host API Options and enable the following commands:

Command	Description and subcommand permissions
ATKG	Manipulate HSM trusted asymmetric key group add modify delete get
ATTR	Generic Attribute Operations get put patch
ECHO	Communication Test/Retrieve Version
RAFA	Filter Issuance Policy
RKCP	Get Command Permissions get modify
RKGP	Export Asymmetric HSM Trusted Key
RKGS	Generate Signature
RKLN	Lookup Objects
RKLO	Login User
RKPK	Pop Generated Key
TIME	Get/Set Time

Configure TLS communication between the KMES Series 3 and the Vault instance

To configure TLS communication, you need to perform the following tasks:

Create a Certificate Authority.
Generate a CSR for the System/Host API connection pair.
Sign the System/Host API CSR.
Export the Root CA certificate.
Export the signed System/Host API certificate.
Load the exported certificates into the System/Host API connection pair..
Issue a client certificate for Vault.
Export the Vault certificate as a PKCS #12 file.

The following sections show you how to perform these tasks.

Create a CA

Perform the following steps to create a Certificate Authority (CA):

Go to PKI> Certificate Authorities and select [ Add CA ] at the bottom of the page.

In the Certificate Authority window, enter a name for the certificate container, leave all other fields set to the default values, and select [ OK ].

The certificate container you created now displays in the Certificate Authorities menu.

Right-click the certificate Container and select Add Certificate> New Certificate.

On the Subject DN tab, set a Common Name for the certificate, such as System TLS CA Root.

On the Basic Info tab, leave all of the fields set to their default values.

On the V3 Extensions tab, select the Certificate Authority profile, and select [ OK ].

The root CA certificate now displays under the previously created certificate Container.

Generate a CSR

Perform the following steps to generate a CSR for the System/Host API connection pair:

Go to Administration> Configuration> Network Options.

In the Network Options window, go to the TLS/SSL Settings tab.

Under the System/Host API connection pair, uncheck Use Futurex certificates, and select [ Edit ] next to PKI Keys in the User Certificates section.

In the Application Public Keys window, select [ Generate ].

When warned that SSL will not be functional until new certificates are imported, select [ Yes ] to continue.

In the PKI Parameters window, leave the fields set to their default values and select [ OK].

When notified that a PKI Key Pair is loaded in the Application Public Keys window, select [ Request ].

On the Subject DN tab, set a Common Name for the certificate, such as KMES.

On the V3 Extension s tab, select the TLS Server Certificate profile.

On the PKCS #10 Info tab, select a save location for the CSR, and select [ OK ]*.

When notified that the certificate signing request was successfully written to the file location that was selected, select [ OK ].

Select [ OK ] again to save the Application Public Keys settings.

The main Network Options window now shows Loaded next to PKI Keys for the System/Host API connection pair.

Sign the CSR

Perform the following steps to sign the System/Host API CSR:

Go to PKI> Certificate Authorities.

Right-click the root CA certificate you created, and select Add Certificate> From Request.

In the file browser, find and select the CSR that you generated for the System/Host API connection pair.

After it loads, you don’t need to modify any settings for the certificate, so select [ OK ].

The signed System/Host API certificate now shows under the root CA certificate on the Certificate Authorities page.

Export the Root CA certificate

Perform the following steps to export the Root CA certificate:

Go to PKI> Certificate Authorities.

Right-click the System TLS CA Root certificate, and select Export> Certificate(s).

In the Export Certificate window, change the encoding to PEM, and select [ Browse ].

In the file browser, go to the location where you want to save the Root CA certificate. Specify tls_ca.pem as the name for the file, and select [ Open ].

Select [ OK ].

A message box displays that the PEM file was successfully written to the location that you specified.

Export the signed certificate

Perform the following steps to export the signed System/Host API certificate:

Go to PKI> Certificate Authorities.

Right-click the KMES certificate, and select Export> Certificate(s).

In the Export Certificate window, change the encoding to PEM, and select [ Browse ].

In the file browser, go to the location where you want to save the Root CA certificate. Specify tls_kmes.pem as the name for the file, and select [ Open ].

Select [ OK ].

A message box displays that the PEM file was successfully written to the location that you specified.

Load the exported certificates

Perform the following steps to load the exported certificates into the System/Host API connection pair:

Go to Administration> Configuration> Network Options.

In the Network Options window, go to the TLS/SSL Settings tab.

Select [ Edit ] next to Certificates in the User Certificates section.

Right-click the System/Host API SSL CA X.509 certificate container, and select Import.

Select [ Add ] at the bottom of the Import Certificates window.

In the file browser, select both the root CA certificate and the signed System/Host API certificate and select [ Open ].

Select [ OK ] to save the changes.

In the Network Options window, the System/Host API connection pair shows Signed loaded next to Certificates in the User Certificates section.

Issue a client certificate

Perform the following steps to issue a client certificate for Vault:

A later section shows you how to configure this client certificate in the Futurex PKCS #11 configuration file.

Go to PKI> Certificate Authorities.

Right-click the System TLS CA Root certificate and select Add Certificate> New Certificate.

IO the Subject DN tab, set a Common Name for the certificate, such as Vault.

Leave all settings on the Basic Info tab set to their default values.

On the V3 Extensions tab, select the TLS Client Certificate profile and select [ OK ].

The Vault certificate now shows under the System TLS CA Root certificate.

Export the Vault certificate

Perform the following steps to export the Vault certificate as a PKCS #12 file:

To perform the following steps, you must go to Configuration > Options and enable the Allow export of certificates using passwords option.

Go to PKI> Certificate Authorities.

Right-click the Vault certificate, and select Export > PKCS12.

Select the Export Selected option, specify a unique name for the export file, and select [ Next ].

Select [ Finish ] to initiate the export.

Move both the Vault certificate and the Root CA certificate you exported to the computer with the Vault instance.

A later section shows how to configure and use them for TLS communication with the KMES Series 3.

​Configure general KMES settings

​Create a role and identity for Vault with the required permissions

​Enable Host API commands for HashiCorp Vault operation

​Configure TLS communication between the KMES Series 3 and the Vault instance

​Create a CA

​Generate a CSR

​Sign the CSR

​Export the Root CA certificate

​Export the signed certificate

​Load the exported certificates

​Issue a client certificate

​Export the Vault certificate

Configure general KMES settings

Create a role and identity for Vault with the required permissions

Enable Host API commands for HashiCorp Vault operation

Configure TLS communication between the KMES Series 3 and the Vault instance

Create a CA

Generate a CSR

Sign the CSR

Export the Root CA certificate

Export the signed certificate

Load the exported certificates

Issue a client certificate

Export the Vault certificate