This section shows you how to create, on the KMES, a user with the permissions that vCenter requires to generate keys for the various encryption tasks within vSphere.
The name of the user you create must match the Common Name (CN) of the vCenter TLS certificate exactly. This is what lets vCenter authenticate to the KMES with its certificate.

Add a PKI Identity provider

Perform the following steps to create a new PKI Identity Provider (IdP), assign a TLS authentication mechanism, and add it to an identity as a credential. This enables vSphere to authenticate with the KMES by using its TLS certificate.
1. Go to Identity Management > Identity Providers.
2. Right-click anywhere in the window and select Add > Provider > PKI.
3. On the Info tab of the Identity Provider Editor window, specify a name for the IdP and uncheck Enforce Dual Factor.
4. On the PKI Options tab, select [ Select ]. In the Certificate Selector window, expand the TLS certificate tree you created for this integration and select the CA certificate that signed the vSphere and KMIP connection pair certificates. Then, select [ OK ].
5. Select [ OK ] to finish creating the PKI IdP.
6. Right-click the IdP you just created and select Add > Mechanism > TLS.
7. On the Info tab, specify a name for the authentication mechanism.
8. On the PKI tab, leave all fields set to the default values.
9. Select [ OK ] to save.

Create a role

Perform the following steps to create a role:
1. Log in to the KMES Series 3 application interface with the default Admin identities.
2. Go to Identity Management > Roles and select [ Add ] at the bottom of the page.
3. In the Info tab of the Role Editor window, set the Type to Application, the Name to vCenter, and Logins Required to 1.
4. On the Permissions tab, enable all of the Keys permissions for the role.
5. On the Advanced tab, set Allowed Ports to KMIP only.
6. Select [ OK ] to finish creating the role.

Create an identity

Perform the following steps to create an identity:
1. Go to Identity Management > Identities, right-click anywhere in the window, and select Add > Client Application.
2. On the Info tab of the Identity Editor window, select Application for the storage location and specify a name for the identity.
3. Under Assigned Roles, select the role you created for vCenter.
4. Under Authentication, remove the default API Key mechanism and select [ Add ]. In the Configure Credential window, select TLS Certificate in the Type drop-down menu, and select the Provider and Mechanism you created for this integration. Select [ OK ] to finish configuring the credential.
5. Select [ OK ] to finish creating the identity.
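Before the identity above will authenticate, two things set up on this page have to line up: the identity name must equal the Common Name of the vCenter TLS certificate, and that certificate must chain to the CA you selected on the PKI Options tab. The following script is an added example (not from the Futurex documentation or the KMES product) that checks both with the openssl CLI; the script name, the function names, and the demo CA and certificate it can generate are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Futurex KMES documentation or product. It pre-checks the
# certificate pairing described above: the KMES identity name must equal the Common Name
# (CN) of the vCenter TLS certificate, and that certificate must chain to the CA selected
# on the PKI Options tab. Assumes the openssl CLI; the demo CA and file names are constructed.
set -eu

# Print the subject CN of a PEM certificate. A CN containing an escaped comma is not
# handled here; compare such names by hand.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# check_pairing IDENTITY CERT CA
# 0 when IDENTITY equals the CN exactly (case-sensitive) and CERT verifies against CA;
# 1 on a CN mismatch, 2 when CERT does not chain to CA.
check_pairing() {
    cn=$(cert_cn "$2")
    if [ "$cn" != "$1" ]; then
        echo "CN mismatch: identity '$1' vs certificate CN '$cn'" >&2
        return 1
    fi
    if ! openssl verify -CAfile "$3" "$2" >/dev/null 2>&1; then
        echo "'$2' does not chain to the CA in '$3'" >&2
        return 2
    fi
}

# Build a constructed demo CA and a vCenter client certificate in a temp dir and print
# the directory. For trying the checks only; not real integration material.
make_demo_certs() {
    d=$(mktemp -d)
    printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/req.cnf"
    openssl req -x509 -config "$d/req.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout "$d/ca.key" -out "$d/ca.pem" -subj "/CN=Demo Integration CA" -days 1 2>/dev/null
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
        -keyout "$d/vc.key" -out "$d/vc.csr" -subj "/CN=vCenter" 2>/dev/null
    openssl x509 -req -in "$d/vc.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/vc.pem" -days 1 2>/dev/null
    echo "$d"
}

# Usage: kmes_cert_check.sh IDENTITY vcenter.pem ca.pem    (or --demo for the sample certs)
case "${1:-}" in
    --demo) d=$(make_demo_certs); check_pairing vCenter "$d/vc.pem" "$d/ca.pem"; echo "demo: OK" ;;
    "") ;;
    *) check_pairing "$1" "${2:?cert}" "${3:?ca}"; echo "OK: '$1' matches the CN and chains to the CA" ;;
esac
```

Run it with the identity name you entered on the Info tab, the exported vCenter TLS certificate, and the CA certificate you selected; a non-zero exit pinpoints which of the two requirements is not met.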