# Configure KMES Series 3

> Configuration steps on KMES to enable CyberArk Vault integration, including roles, key groups, and TLS.

This section starts with the general KMES configuration needed for CyberArk Vault to integrate with the KMES and provide the Server Key. It then covers the steps required to configure TLS communication between the KMES and the Vault instance.

## Create a role and identity

Perform the following steps to create a new role and identity for Vault with the required permissions on the KMES Series 3. You need this identity name later, in the Futurex PKCS #11 configuration file section:

<Steps>
  <Step>
    Log in to the KMES Series 3 application interface with the default Admin identities.
  </Step>

  <Step>
    Go to **Identity Management** > **Roles** and select **\[ Add ]**.
  </Step>

  <Step>
    Specify a name for the role, and set the number of logins required to `1`.
  </Step>

  <Step>
    Go to the **Advanced** tab and set authentication to the **Host API** port only.
  </Step>

  <Step>
    Go to the **Permissions** tab and select the following permissions:

    <table>
      <thead>
        <tr>
          <th><em><strong>Permission</strong></em></th>
          <th><em><strong>Additional modifier</strong></em></th>
        </tr>
      </thead>

      <tbody>
        <tr>
          <td><strong>Cryptographic Operations</strong></td>
          <td>Sign, Verify, Encrypt, Decrypt</td>
        </tr>

        <tr>
          <td><strong>Keys</strong></td>
          <td>Add, Export</td>
        </tr>
      </tbody>
    </table>
  </Step>

  <Step>
    Select **\[ OK ]** to finish creating the role.
  </Step>

  <Step>
    Go to **Identity Management** > **Identities**, right-click anywhere on the window, and select **Add** > **Client Application**.
  </Step>

  <Step>
    On the **Info** tab, select **Application** for the storage location, and specify a name for the identity.
  </Step>

  <Step>
    On the **Assigned Roles** tab, select the role you just created.
  </Step>

  <Step>
    On the **Authentication** tab, configure the password.
  </Step>

  <Step>
    Leave all other fields as the default values and select **\[ OK ]** to finish creating the identity.
  </Step>
</Steps>

## Create a key group

Perform the following steps to create a key group on the KMES Series 3 in which the Vault can store its encryption keys. You need this key group name later, in the Futurex PKCS #11 configuration file section:

<Steps>
  <Step>
    Log in to the KMES Series 3 application interface with the default Admin identities.
  </Step>

  <Step>
    Go to **Key Management** > **Keys**, right-click, and select **Add** > **Key Group**.
  </Step>

  <Step>
    Under **Key Group Storage**, select **Symmetric** and **Trusted**.
  </Step>

  <Step>
    In the **Key Group Editor** window, specify a name for the key group.
  </Step>

  <Step>
    In the **Owner Group** drop-down menu, select the Vault role you created.
  </Step>

  <Step>
    Select **\[ Permissions ]**, give the Vault role you created the **Use** permission, and select **\[ OK ]** to save.
  </Step>

  <Step>
    Select **\[ OK ]** again to finish creating the key group.
  </Step>
</Steps>

## Enable the Host API commands

Because the Futurex PKCS #11 library connects to the Host API port on the KMES, you must define which Host API commands to enable for execution by the **FXPKCS11** library. To enable the commands, complete the following steps:

<Steps>
  <Step>
    Log in to the KMES Series 3 application interface with the default Admin identities.
  </Step>

  <Step>
    Go to **Administration** > **Configuration** > **Host API Options** and enable the following commands:

    <table>
      <thead>
        <tr>
          <th><em><strong>Command</strong></em></th>
          <th><em><strong>Description</strong></em></th>
        </tr>
      </thead>

      <tbody>
        <tr>
          <td><strong>ECHO</strong></td>
          <td>Communication test/Retrieve version</td>
        </tr>

        <tr>
          <td><strong>RAFA</strong></td>
          <td>Filter issuance policy</td>
        </tr>

        <tr>
          <td><strong>RAND</strong></td>
          <td>Generate a random number</td>
        </tr>

        <tr>
          <td><strong>RKCK</strong></td>
          <td>Create an HSM trusted key</td>
        </tr>

        <tr>
          <td><strong>RKCP</strong></td>
          <td>Get command permissions</td>
        </tr>

        <tr>
          <td><strong>RKCS</strong></td>
          <td>Create a symmetric HSM trusted key group</td>
        </tr>

        <tr>
          <td><strong>RKED</strong></td>
          <td>Encrypt or decrypt data</td>
        </tr>

        <tr>
          <td><strong>RKHM</strong></td>
          <td>HMAC Data</td>
        </tr>

        <tr>
          <td><strong>RKLN</strong></td>
          <td>Lookup objects</td>
        </tr>

        <tr>
          <td><strong>RKLO</strong></td>
          <td>Login user</td>
        </tr>

        <tr>
          <td><strong>RKRC</strong></td>
          <td>Get an HSM trusted key</td>
        </tr>
      </tbody>
    </table>
  </Step>

  <Step>
    Select **\[ Save ]**.
  </Step>
</Steps>

## Configure TLS communication

This section covers the necessary tasks to set up TLS communication between the KMES Series 3 and the CyberArk Vault instance.

### Create a CA

Perform the following steps to create a Certificate Authority (CA):

<Steps>
  <Step>
    Log in to the KMES Series 3 application interface with the default Admin identities.
  </Step>

  <Step>
    Go to **PKI** > **Certificate Authorities**, and select **\[ Add CA ]**.
  </Step>

  <Step>
    In the **Certificate Authority** window, enter a name for the certificate container, leave all other fields as the default values, and select **\[ OK ]**.

    <Check>
      The certificate container you created displays in the Certificate Authorities menu.
    </Check>
  </Step>

  <Step>
    Right-click the certificate container and select **Add Certificate** > **New Certificate**.
  </Step>

  <Step>
    On the **Subject DN** tab, set a **Common Name** for the certificate, such as `System TLS CA Root`.
  </Step>

  <Step>
    On the **Basic Info** tab, leave all of the default values set.
  </Step>

  <Step>
    On the **V3 Extensions** tab, select the **Certificate Authority** profile and select **\[ OK ]**.

    <Check>
      The Root CA certificate displays under the certificate container you created.
    </Check>
  </Step>
</Steps>

### Generate a CSR

Perform the following steps to generate a CSR for the System/Host API connection pair:

<Steps>
  <Step>
    Go to **Administration** > **Configuration** > **Network Options**.
  </Step>

  <Step>
    In the **Network Options** window, go to the **TLS/SSL Settings** tab.
  </Step>

  <Step>
    Under the **System/Host API** connection pair, uncheck **Use Futurex Certificates**, and select **\[ Edit ]** next to **PKI Keys** in the **User Certificates** section.
  </Step>

  <Step>
    In the **Application Public Keys** dialog, select **\[ Generate ]**.
  </Step>

  <Step>
    When prompted that *SSL will not be functional until new certificates are imported*, select **\[ Yes ]** to continue.
  </Step>

  <Step>
    In the **PKI Parameters** dialog, leave the default values set and select **\[ OK ]**.

    <Check>
      The PKI Key Pair displays in the Application Public Keys window.
    </Check>
  </Step>

  <Step>
    Select **\[ Request ]**.
  </Step>

  <Step>
    On the **Subject DN** tab, set a **Common Name** for the certificate, such as `KMES`.
  </Step>

  <Step>
    On the **V3 Extensions** tab, select the **TLS Server Certificate** profile.
  </Step>

  <Step>
    On the **PKCS #10 Info** tab, select a save location for the CSR and select **\[ OK ]**.
  </Step>

  <Step>
    When prompted that *the certificate signing request was successfully written to the selected file location*, select **\[ OK ]**.
  </Step>

  <Step>
    Select **\[ OK ]** again to save the **Application Public Keys** settings.

    <Check>
      In the main Network Options dialog, Loaded displays next to PKI Keys for the System/Host API connection pair.
    </Check>
  </Step>
</Steps>

### Sign the CSR

Perform the following steps to sign the System/Host API CSR:

<Steps>
  <Step>
    Go to **PKI** > **Certificate Authorities**.
  </Step>

  <Step>
    Right-click the root CA certificate you created, and select **Add Certificate** > **From Request**.
  </Step>

  <Step>
    In the file browser, find and select the CSR generated for the System/Host API connection pair.
  </Step>

  <Step>
    After the request loads, leave the certificate settings unchanged and select **\[ OK ]**.

    <Check>
      The signed System/Host API certificate displays under the root CA certificate on the Certificate Authorities page.
    </Check>
  </Step>
</Steps>

### Export the certificate

Perform the following steps to export the Root CA certificate:

<Steps>
  <Step>
    Go to **PKI** > **Certificate Authorities**.
  </Step>

  <Step>
    Right-click the **System TLS CA Root** certificate, and select **Export** > **Certificate(s)**.
  </Step>

  <Step>
    In the **Export Certificate** dialog, change the encoding to PEM, and select **\[ Browse ]**.
  </Step>

  <Step>
    In the file browser, go to the location where you want to save the Root CA certificate. Specify a name for the file, and select **\[ Open ]**.
  </Step>

  <Step>
    Select **\[ OK ]**.

    <Check>
      A message box states that the PEM file was successfully written to the location that you specified.
    </Check>
  </Step>
</Steps>

### Export the signed certificate

Perform the following steps to export the signed System/Host API certificate:

<Steps>
  <Step>
    Go to **PKI** > **Certificate Authorities**.
  </Step>

  <Step>
    Right-click the **KMES** certificate, and select **Export** > **Certificate(s)**.
  </Step>

  <Step>
    In the **Export Certificate** dialog, change the encoding to PEM, and select **\[ Browse ]**.
  </Step>

  <Step>
    In the file browser, go to the location where you want to save the signed System/Host API certificate. Specify a name for the file, and select **\[ Open ]**.
  </Step>

  <Step>
    Select **\[ OK ]**.

    <Check>
      A message box states that the PEM file was successfully written to the location that you specified.
    </Check>
  </Step>
</Steps>

### Load the exported certificates

Perform the following steps to load the exported certificates into the System/Host API connection pair:

<Steps>
  <Step>
    Go to **Administration** > **Configuration** > **Network Options**.
  </Step>

  <Step>
    In the **Network Options** window, go to the **TLS/SSL Settings** tab.
  </Step>

  <Step>
    Select **\[ Edit ]** next to **Certificates** in the **User Certificates** section.
  </Step>

  <Step>
    Right-click the **System/Host API SSL CA** X.509 certificate container, and select **\[ Import ]**.
  </Step>

  <Step>
    Select **\[ Add ]** at the bottom of the **Import Certificates** dialog.
  </Step>

  <Step>
    In the file browser, select the root CA certificate and the signed System/Host API certificate, and select **\[ Open ]**.

    <Check>
      The certificate chain appears in the window under Verified.
    </Check>
  </Step>

  <Step>
    Select **\[ OK ]** to save the changes.

    <Check>
      In the Network Options dialog, the System/Host API connection pair shows as Signed Loaded next to Certificates in the User Certificates section.
    </Check>
  </Step>

  <Step>
    Select **\[ OK ]** to save and exit the **Network Options** window.
  </Step>
</Steps>

### Issue a client certificate

Perform the following steps to issue a client certificate for Vault:

<Steps>
  <Step>
    Go to **PKI** > **Certificate Authorities**.
  </Step>

  <Step>
    Right-click the **System TLS CA Root** certificate and select **Add Certificate** > **New Certificate**.
  </Step>

  <Step>
    On the **Subject DN** tab, set a **Common Name** for the certificate, such as `Vault`.
  </Step>

  <Step>
    Leave all settings on the **Basic Info** tab set to the default values.
  </Step>

  <Step>
    On the **V3 Extensions** tab, select the **TLS Client Certificate** profile, and select **\[ OK ]**.

    <Check>
      The Vault certificate now displays under the System TLS CA Root certificate.

      A later section shows you how to configure this client certificate in the Futurex PKCS #11 configuration file.
    </Check>
  </Step>
</Steps>

### Export the Vault certificate

Perform the following steps to export the Vault certificate as a PKCS #12 file:

<Steps>
  <Step>
    Before beginning the export, go to **Configuration > Options** and enable the **Allow export of certificates using passwords** option.
  </Step>

  <Step>
    Go to **PKI** > **Certificate Authorities**.
  </Step>

  <Step>
    Right-click the Vault certificate, and select **Export** > **PKCS12**.
  </Step>

  <Step>
    Select the **Export Selected** option, specify a unique name for the export file, and select **\[ Next ]**.
  </Step>

  <Step>
    Choose and enter a file password, and select **\[ Next ]**.
  </Step>

  <Step>
    Select **\[ Finish ]** to initiate the export.
  </Step>

  <Step>
    Move both the Vault certificate (the PKCS #12 file) and the Root CA certificate you exported previously to the computer running the Vault instance. A later section shows how to configure and use them for TLS communication with the KMES Series 3.
  </Step>
</Steps>
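Before copying the exported files to the Vault host, it is worth confirming offline that the signed System/Host API certificate and the Vault client certificate both chain to the exported root CA and carry the extended key usage their profile implies (TLS Server for `KMES`, TLS Client for `Vault`); a mismatch here shows up later only as an opaque TLS handshake failure. The following is an added example, not Futurex or CyberArk code: it uses Go's standard-library X.509 verifier, and because no real exports are available here, `SampleChain` builds a constructed chain with the same subjects and profiles in place of the exported PEM files (the `VerifyLeaf` and `SampleChain` names are assumptions).

```go
package main

// Added example, not Futurex or CyberArk code: sanity-check the PEM files exported from
// the KMES before moving them to the Vault host. SampleChain is a constructed stand-in.
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// VerifyLeaf is nil only if leafPEM chains to the root CA in rootPEM and is valid for
// eku (ExtKeyUsageServerAuth for the KMES cert, ExtKeyUsageClientAuth for Vault).
func VerifyLeaf(rootPEM, leafPEM []byte, eku x509.ExtKeyUsage) error {
	roots := x509.NewCertPool()
	block, _ := pem.Decode(leafPEM)
	if !roots.AppendCertsFromPEM(rootPEM) || block == nil {
		return errors.New("root CA or leaf PEM did not parse")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err == nil {
		_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{eku}})
	}
	return err
}

// SampleChain builds a constructed chain matching the profiles used in this section:
// Certificate Authority root, TLS Server Certificate "KMES", TLS Client Certificate "Vault".
func SampleChain() (rootPEM, kmesPEM, vaultPEM []byte) {
	tmpl := func(cn string, serial int64, eku ...x509.ExtKeyUsage) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), ExtKeyUsage: eku}
	}
	ca := tmpl("System TLS CA Root", 1)
	ca.IsCA, ca.BasicConstraintsValid, ca.KeyUsage = true, true, x509.KeyUsageCertSign
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	sign := func(t *x509.Certificate, pub ed25519.PublicKey) []byte { // issued under the CA key
		der, _ := x509.CreateCertificate(rand.Reader, t, ca, pub, caKey)
		return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	}
	kmesPub, _, _ := ed25519.GenerateKey(rand.Reader)
	vaultPub, _, _ := ed25519.GenerateKey(rand.Reader)
	return sign(ca, caPub), sign(tmpl("KMES", 2, x509.ExtKeyUsageServerAuth), kmesPub),
		sign(tmpl("Vault", 3, x509.ExtKeyUsageClientAuth), vaultPub)
}
```

To check real exports, read the root CA PEM and the certificate PEM from disk and pass them to `VerifyLeaf` with the usage the certificate is meant for; the Vault certificate must be rejected when checked as a server certificate.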
