Configure KMES Series 3 - Futurex Documentation

This section covers the necessary KMES Series 3 configurations for this integration.

Configure the Futurex PKCS #11 integration

This section covers general configurations you must make on the KMES Series 3 to enable the Futurex PKCS #11 module to integrate for SSH Key Offloading.

Create a role and identity

Perform the following steps to create a new role and identity for SSH on the KMES Series 3:

A later section configures the identity name and password in the Futurex PKCS #11 configuration file.

Go to Identity Management > Roles, and select [ Add ].

In the Role Editor window, configure the following settings:

Specify a name for the role.
Set the number of logins required to 1.
Go to the Advanced tab.
Allow authentication to the Host API port only.
Leave all other fields set to the default values.

Go to the Permissions tab and select the following permissions:

Permission	Subpermission
Certificate Authority	Export, Upload
Keys	Top-level permission only
Signing Approval	Add

Select **[ OK ]**to finish creating the role.

Go to Identity Management > Identities, right-click anywhere in the window, and select Add > Client Application.

In the Info tab of the Identity Editor window, select Application for the storage location and specify a name for the identity, such as crypto1.

In the Assigned Roles tab, select the role you created in the previous section.

Under Authentication, select the API Key mechanism and then [ Remove ]. Then select [ Add ] and set the type to Password. Set the password for the identity and then select [ OK ] to finish.

A later section configures the password in the Futurex PKCS #11 configuration file.

Select [ OK ] to finish creating the identity.

Enable the Host API commands required for PKCS #11

Because the Futurex PKCS #11 library connects to the Host API port on the KMES, you must define which Host API commands to enable for execution by the FXPKCS11 library. To set the allowed commands, complete the following steps:

Go to Administration > Configuration > Host API Options, select the All preset to enable all commands, and then select [ Save ].

Configure TLS communication

This section covers the steps required to configure TLS communication between the KMES and the Futurex PKCS #11 library.

Create a CA

Perform the following steps to create a certificate authority (CA):

Select PKI > Certificate Authorities in the left menu, and select [ Add CA ] at the bottom of the page.

In the Certificate Authority window, enter a name for the certificate container, leave all other fields as the default values, and then select [ OK ].

The new certificate container now displays in the Certificate Authorities menu.

Right-click the certificate container and select Add Certificate > New Certificate.

In the Subject DN tab, set a Common Name for the certificate, such as System TLS CA Root.

On the Basic Info tab, leave all fields set to the default values.

In the V3 Extensions tab, select the Certificate Authority profile, and select [ OK ].

The root CA certificate now displays under the previously created certificate container.

Generate a CSR

Perform the following steps to generate a CSR for the System/Host API connection pair:

Go to Administration > Configuration > Network Options.

In the Network Options window, go to the TLS/SSL Settings tab.

Under the System/Host APIconnection pair, uncheck Use Futurex certificates, and select [ Edit ] next to PKI Keys in the User Certificates section.

In the Application Public Keys window, select [ Generate ].

When warned that SSL will not be functional until new certificates are imported, select **[ Yes ]**to continue.

In the PKI Parameters window, leave the default values set and select [ OK ].

A message states that a PKI Key Pair is loaded in the Application Public Keys window.

Select** [ Request ]**.

In the Subject DN tab, set a Common Name for the certificate, such as KMES.

In the V3 Extensions tab, select the TLS Server Certificateprofile.

In the PKCS #10 Info tab, select a save location for the CSR, and select [ OK ].

A message states that the certificate signing request was successfully written to the file location selected.

Select [ OK ].

Select** [ OK ]** again to save the Application Public Keys settings.

The main Network Options window shows Loaded next to PKI Keys for the System/Host API connection pair.

Sign the System/Host API CSR

Perform the following steps to sign the System/Host API CSR:

Go to PKI > Certificate Authorities.

Right-click on the root CA certificate you created for this integration, and select Add Certificate > From Request.

Select the CSR generated for the System/Host API connection pair in the file browser.

After it loads, you don’t need to modify any certificate settings. Select [ OK ].

The signed System/Host API certificate now displays under the root CA certificate on the Certificate Authorities page.

Export the Root CA certificate

Perform the following steps to export the Root CA certificate:

Go to PKI > Certificate Authorities.

Right-click the System TLS CA Root certificate, and select Export > Certificate(s).

In the Export Certificate window, change the encoding to PEM, and select [ Browse ].

In the file browser, go to the directory to save the Root CA certificate. Specify a name for the file and select [ Open ].

Select** [ OK ]**.

A message box states that the PEM file was successfully written to your specified location.

Export the signed certificate

Perform the following steps to export the signed System/Host API certificate:

Go to PKI > Certificate Authorities.

Right-click the KMES certificate and select Export > ** Certificate(s)**.

In the Export Certificate window, change the encoding to PEM and select [ Browse ].

In the file browser, go to the directory where you want to save the signed System/Host API certificate. Specify a name for the file and select [ Open ].

Select [ OK ].

A message states that the PEM file was successfully written to your specified location.

Load the exported certificates

Perform the following steps to load the exported certificates into the System/Host API connection pair:

Go to Administration > Configuration > Network Options.

In the Network Options window, go to the TLS/SSL Settings tab.

Select [ Edit ] next to Certificates in the User Certificates section.

Right-click on the **System/Host API SSL CA **X.509 certificate container and select [ Import ].

Select [ Add ] at the bottom of the Import Certificates window.

Select the root CA certificate and the signed System/Host APIcertificate in the file browser and select [ Open ].

The certificate chain displays in the Verified section of the window.

Select [ OK ] to save the changes.

In the Network Options window, the System/Host API connection pair shows Signed loaded next to Certificates in the User Certificates section.

Issue a client certificate

Perform the following steps to issue a client certificate for the Futurex PKCS #11 module:

You configure the client certificate created here in the Futurex PKCS #11 configuration file.

Go to PKI > Certificate Authorities.

Right-click the System TLS CA Root certificate and select Add Certificate > New Certificate.

In the Subject DN tab, set a Common Name for the certificate.

Leave all settings in the Basic Info tab set to the default values.

In the V3 Extensions tab, select the TLS Client Certificate profile and select [ OK ].

The PKCS #11 client certificate will now be listed under the System TLS CA Root certificate.

Export the client certificate

Perform the following steps to export the client certificate as a PKCS #12 file:

To perform the following steps, go to Administration > Configuration > Options and enable the Allow export of certificates using password option.

Go to PKI > Certificate Authorities.

Right-click the PKCS #11 client certificate, and select Export > PKCS12.

Set a PKCS #12 password, leave Export Selected Certificate with Parents selected, and select [ Next ].

Select the storage device to use and select [ OK ].

Enter a name for the file, select the location where you want to save it, and select [ Open ].

You must move the FXPKCS11 Client certificate to the computer where the Futurex PKCS #11 module is installed. A later section configures it in the FXPKCS11 configuration file and uses it for TLS communication with the KMES Series 3.

General KMES configurations for SSH key offloading

This section covers general KMESSSH key offloading configuration.

Create a CA for the SSH key pair

Perform the following steps to create a CA for the SSH key pair:

Go to PKI> Certificate Authorities, then select [ Add CA ] at the bottom of the page.

Set the name of the certificate container, such as SSH Key Offloading, and set the Owner group to the role you created for this integration. Then select [ OK ].

Right-click the certificate container you created and select Add Certificate > New Certificate.

In the Subject DN tab of the Create X.509 Certificate window, select the Classic Preset in the drop-down list and specify SSH as the certificate Common Name.

In the Basic Info tab, you can leave the default values set.

In the V3 Extensions tab, leave the default value of None in the profile drop-down menu.

Select [ OK ] to finish creating the SSH client key pair.

Create an Approval Group

Perform the following steps to create an Approval Group for PKI Signing:

Go to PKI > ** Signing Workflow** and select [ Add Approval Group ] at the bottom of the page.

Specify SSH as the Name of the Approval Group and select [ OK ].

Right-click on the newly created Approval Group and select Permission.

Give the role created for SSH Key Offloading the Use permission, and select [ OK ].

Add an Issuance Policy

Perform the following steps to add an Issuance Policy to the SSH certificate:

Go to PKI > Certificate Authorities.

Right-click the SSH certificate and select Issuance Policy > Add.

In the Basic Info tab, set Approvals to 0 and Allowed Hashes to SHA-512.

In the X.509 tab, set the Default Approval Group to SSH.

In the Object Signing tab, select the Allow Object signing checkbox.

Select [ OK ] to apply the Issuance Policy to the SSH client certificate.

Right-click the SSH certificate and select Change Security Usage.

In the Security Usage drop-down menu, select Anonymous Signing.

Select [ OK ] to apply the change.

Export the public key

Perform the following steps to export the public key for the SSH key pair:

Go to PKI > Certificate Authorities.

Right-click on the SSH certificate and select Export > Public Key(s).

Browse for where you want to save the file and select [ Choose ].

Select [ OK ] in the dialog box that says, Successfully exported certificate public key(s).

​Configure the Futurex PKCS #11 integration

​Create a role and identity

​Enable the Host API commands required for PKCS #11

​Configure TLS communication

​Create a CA

​Generate a CSR

​Sign the System/Host API CSR

​Export the Root CA certificate

​Export the signed certificate

​Load the exported certificates

​Issue a client certificate

​Export the client certificate

​General KMES configurations for SSH key offloading

​Create a CA for the SSH key pair

​Create an Approval Group

​Add an Issuance Policy

​Export the public key

Configure the Futurex PKCS #11 integration

Create a role and identity

Enable the Host API commands required for PKCS #11

Configure TLS communication

Create a CA

Generate a CSR

Sign the System/Host API CSR

Export the Root CA certificate

Export the signed certificate

Load the exported certificates

Issue a client certificate

Export the client certificate

General KMES configurations for SSH key offloading

Create a CA for the SSH key pair

Create an Approval Group

Add an Issuance Policy

Export the public key