You can authenticate the KMES Series 3 to Vault by using either userpass or TLS certificate (cert) authentication. The following sections provide instructions for both methods.

Use the userpass authentication

The userpass authentication method allows the KMES Series 3 to authenticate with Vault by using a username and password combination. Perform the following tasks, which are described in this section:
  1. Configure userpass authentication in Vault.
  2. Create a userpass cloud credential on the KMES Series 3.
  3. Test userpass authentication.

Configure userpass authentication in Vault

You can configure userpass authentication by using the Vault UI or the CLI as described in the following sections.

Use the Vault UI

Perform the following steps to use the Vault UI:
1
Go to the Access page in the Vault UI and select [ Enable new method ].
2
Select the Username & Password authentication method and select [ Next ].
3
Leave the path set to the default value, userpass, and select [ Enable Method ].
4
Go to the menu for the userpass auth method just created and select [ Create user ].
5
Specify a username and password for the new user and select [ Save ].
A message displays on the page confirming that the new user was saved successfully.

Use the Vault CLI

Perform the following steps to use the Vault CLI:
1
Run the following command to enable the userpass auth method:
Shell
$ vault auth enable userpass

Success! Enabled userpass auth method at: userpass/
2
Run the following command to configure it with users who are allowed to authenticate:
Shell
$ vault write auth/userpass/users/userpass_authentication_demo \
    password=Futurex123 \
    policies=admins

Success! Data written to: auth/userpass/users/userpass_authentication_demo
This creates a new user, userpass_authentication_demo, with the password Futurex123 and the admins policy attached. Vault ships with only the default and root policies, so write an admins policy (vault policy write admins <policy file>) before relying on it; attaching a policy name that does not exist grants the user no capabilities. Passing the password as a command-line argument also records it in shell history; prefer password=@<file> or password=- to read it from a file or from stdin.
This is the only Vault-side configuration necessary.

Create an authentication credential

Perform the following steps to create a Vault userpass authentication cloud credential on the KMES Series 3:
1
Log in to the KMES Series 3 application interface with the default Admin identities.
2
Go to Identity Management> Cloud Credentials and select [ Add Cloud Credential ].
3
Select the Service drop-down option and select Vault Userpass Authentication.
4
You can specify any value in the Name field, but the Access Name value must match the name of the user that you created under the userpass auth method in Vault (in this case, userpass_authentication_demo).
5
In the Password field, select [ Enter ] and set the same password you set for the user created in Vault. Select [ Save ].
6
Select [ OK ] in the Add Cloud Credential window to save your changes.

Test userpass authentication

Perform the following steps to test userpass authentication:
1
Go to Administration> Configuration> Vault API Options.
2
Select the Enable Vault service checkbox.
3
Set the Vault API URL to https://<IP of your HashiCorp Vault Server>:8210/v1 and select the Vault Userpass Authentication Cloud Credential created in the previous step.
4
Leave the rest of the fields set to their default values. Select [ Test Configuration ].
If the configuration is correct, a message indicates that the authentication and permission tests were successful.
5
Select [ OK ].
6
Select [ Save ] to finish modifying the Vault API Options.
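The Test Configuration button does two things against Vault's HTTP API: it logs in with the cloud credential, and then it confirms that the token it received actually holds permissions. The following Python script, added here as an illustration and not part of the Futurex or HashiCorp documentation, reproduces that exchange so you can check a Vault user from a workstation before touching the KMES. It talks to an in-process mock of the two Vault endpoints involved, POST /v1/auth/userpass/login/<username> and POST /v1/sys/capabilities-self, so it runs offline; the mock, its token value, its policy list and the per-path capabilities it reports are constructed for the example, while the request and response shapes follow Vault's API. Point run_configuration_test at a real Vault base URL (the scheme, host and port, without the /v1 suffix) to run the same check for real. The required dictionary is the set of paths and capabilities your integration needs; the check fails if any are missing, because a login that succeeds with an empty or nonexistent policy looks identical to a working one until the first secret read is denied.

```python
import json
import os
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials for the mock. The fallback password is the one from the
# page; a real check should take it from the environment, not from source code.
MOCK_USER = "userpass_authentication_demo"
MOCK_PASSWORD = os.environ.get("VAULT_DEMO_PASSWORD", "Futurex123")
MOCK_TOKEN = "hvs.constructed-token-value"      # constructed, not a real Vault token
MOCK_POLICIES = ["default", "admins"]
# Capabilities the mock's "admins" policy grants (constructed policy content).
MOCK_CAPABILITIES = {
    "secret/data/kmes/*": ["create", "read", "update", "delete", "list"],
    "sys/policies/acl/*": ["deny"],
}


class MockVaultHandler(BaseHTTPRequestHandler):
    """Stand-in for the two Vault endpoints the configuration test uses."""

    def log_message(self, *args):
        pass  # keep the example quiet

    def _json(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = json.loads(self.rfile.read(length) or b"{}")
        if self.path.startswith("/v1/auth/userpass/login/"):
            user = self.path.rsplit("/", 1)[1]
            if user != MOCK_USER or body.get("password") != MOCK_PASSWORD:
                return self._json(400, {"errors": ["invalid username or password"]})
            return self._json(200, {"auth": {"client_token": MOCK_TOKEN,
                                             "policies": MOCK_POLICIES,
                                             "lease_duration": 2764800,
                                             "renewable": True}})
        if self.path == "/v1/sys/capabilities-self":
            if self.headers.get("X-Vault-Token") != MOCK_TOKEN:
                return self._json(403, {"errors": ["permission denied"]})
            caps = {p: MOCK_CAPABILITIES.get(p, ["deny"]) for p in body.get("paths", [])}
            return self._json(200, {"data": caps})
        self._json(404, {"errors": []})


def _post(base_url, path, body, token=None):
    """POST a JSON body to Vault; return (status, parsed body) without raising on 4xx."""
    req = urllib.request.Request(base_url + path, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    if token:
        req.add_header("X-Vault-Token", token)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def userpass_login(base_url, username, password):
    """Authentication test: return (client_token, policies) or raise PermissionError."""
    status, body = _post(base_url, f"/v1/auth/userpass/login/{username}", {"password": password})
    if status != 200:
        raise PermissionError(f"authentication failed ({status}): {body.get('errors')}")
    auth = body["auth"]
    return auth["client_token"], auth["policies"]


def check_capabilities(base_url, token, paths):
    """Permission test: ask Vault what the new token may do on each path."""
    status, body = _post(base_url, "/v1/sys/capabilities-self", {"paths": paths}, token)
    if status != 200:
        raise PermissionError(f"capability lookup failed ({status}): {body.get('errors')}")
    return body["data"]


def run_configuration_test(base_url, username, password, required):
    """Log in, then verify every capability in `required` ({path: {caps}}) is granted."""
    token, policies = userpass_login(base_url, username, password)
    caps = check_capabilities(base_url, token, list(required))
    missing = {p: sorted(set(need) - set(caps.get(p, []))) for p, need in required.items()}
    missing = {p: m for p, m in missing.items() if m}
    return {"policies": policies, "missing": missing, "ok": not missing}


def start_mock_vault():
    """Serve the constructed mock on an ephemeral localhost port; return (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), MockVaultHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


if __name__ == "__main__":
    server, url = start_mock_vault()
    print(run_configuration_test(url, MOCK_USER, MOCK_PASSWORD,
                                 {"secret/data/kmes/*": {"read", "update"}}))
    server.shutdown()
```

The same login-then-capabilities pattern applies to the cert method in the next section; there the login is POST /v1/auth/cert/login with a JSON body of {"name": "<certificate entry name>"} and the client certificate is presented at the TLS layer rather than in the body, so the userpass_login function would be replaced by a request made through an ssl.SSLContext loaded with the Vault Client key pair.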

Use the TLS certificate authentication

The cert authentication method allows the KMES Series 3 to authenticate with Vault by using TLS client certificates, either signed by a CA or self-signed. Perform the following tasks, which are described in this section:
  1. Configure cert authentication in Vault.
  2. Create a Vault certificate cloud credential on the KMES Series 3.
  3. Test cert authentication.

Configure cert authentication in Vault

You can configure cert authentication by using the Vault UI or the CLI as described in the following sections.

Use the Vault UI

Perform the following steps to use the Vault UI:
1
Go to the Access page in the Vault UI and select [ Enable new method ].
2
Select the TLS Certificates authentication method and select [ Next ].
3
Leave the path set to the default value, cert, and select [ Enable Method ].
4
Go to the menu for the cert auth method you just created and select [ Create certificate ].
5
Specify a name for the certificate, upload a single .pem file that contains the certificate chain configured for the Vault Client connection pair on the KMES Series 3, and select [ Save ].
A message confirms that the new certificate was saved successfully.

Use the Vault CLI

Perform the following steps to use the Vault CLI:
1
Run the following command to enable the cert auth method:
Shell
$ vault auth enable cert

Success! Enabled cert auth method at: cert/
2
Run the following command to configure it with trusted certificates that are allowed to authenticate:
Shell
$ vault write auth/cert/certs/certificate_authentication_demo \
    display_name=certificate_authentication_demo \
    policies=web,prod \
    certificate=@chain.pem \
    ttl=3600

Success! Data written to: auth/cert/certs/certificate_authentication_demo
This command creates a new trusted certificate entry, certificate_authentication_demo, with the same display name and the web and prod policies. The chain.pem file is the PEM-encoded certificate that Vault uses to verify clients: if it is a CA certificate, any client certificate it has signed is accepted for this entry; if it is a leaf certificate, only that exact certificate is. The optional ttl value (a number of seconds, or a duration such as 1h) caps the lifetime of tokens issued to this entry. As with the userpass example, the web and prod policies must already exist in Vault for the token to have any capabilities.

Create a certificate cloud credential

Perform the following steps to create a Vault certificate cloud credential on the KMES Series 3:
1
Go to Identity Management> Cloud Credentials and select [ Add Cloud Credential ].
2
Select the Service drop-down option and select Vault Certificate Authentication.
3
You can specify any value in the Name field, but the Access Name value must match the name of the certificate that you created under the cert auth method in Vault (in this case, certificate_authentication_demo).
4
Leave the TLS Config field set to the default value, Vault Client, which configures the Cloud Credential to use the Vault Client connection pair for authenticating with Vault.
5
Select [ OK ] in the Add Cloud Credential window to save your changes.

Test cert authentication

Perform the following steps to test cert authentication:
1
Go to Administration> Configuration> Vault API Options.
2
Select the Enable Vault Service checkbox.
3
Set the Vault API URL to https://<IP of your HashiCorp Vault Server>:8210/v1 and select the Vault Certificate Authentication Cloud Credential created in the previous step.
4
Leave the remaining fields set to their default values. Select [ Test Configuration ].
5
If the configuration is correct, a message states that the authentication and permission tests were successful. Select [ OK ].
6
Select [ Save ] to finish modifying the Vault API Options.