Configuring TLS mutual authentication between FlashArray and CryptoHub

before enabling rdl on the flasharray, the array and the {{ch}} must establish a mutual trust relationship by validating their respective digitally signed certificates notes about certificates certificates used on the flasharray must be pem formatted (base64 encoded) intermediary certificates are not supported for use with kmip using the purity internal management certificate for kmip configuration is not supported perform the following tasks to configure tls mutual authentication 1 | create a flasharray certificate and construct a csr use the flasharray command line interface (cli) to perform the following tasks to create a certificate signing request (csr) a | generate a flasharray certificate use the following purecert create cli command to create a self signed certificate pureuser\@purefa ct0 # purecert create cert 1 self signed common name purefa display the certificate by using the following purecert list command (copy the displayed certificate for use in a later step ) pureuser\@purefa ct0 # purecert list cert 1 certificate b | construct a csr use the following purecert construct command to construct a csr pureuser\@purefa ct0 # purecert construct cert 1 certificate signing request copy the csr that is displayed in the terminal and paste it into a file editor save the file with either the pem or csr extension then, move the file via sftp or other means to the external storage device configured on the {{ch}} c | sign the flasharray csr with a ca created on the {{ch}} refer to the {{ch}} user guide for guidance on creating a certificate authority and issuing a certificate from the flasharray csr 2 | configure certificates in the flasharray cli copy the contents of the flasharray and the ca certificates to your clipboard for use in the following configuration tasks a | define the kmip server and import the kmip server's ca certificate the purekmip create command allows for the creating of a kmip server and provides a way for importing the ca certificate for the kmip server after executing the command, you are prompted to paste in the kmip server's ca certificate be sure to copy the entire certificate including " begin" and " end" lines in the uri field, the ip or hostname of the {{ch}} and the kmip port number must be specified pureuser\@purefa ct0 # purekmip create kmip srvr – uri 10 0 5 127 5696 certificate cert 1 ca certificate please enter ca certificate followed by enter and then ctrl d \ begin certificate miidejccafoccqd5srlgfudwrzanbgkqhkig9w0baqsfadblmrswgqydvqqldbjq \ pasted lines omitted 8mmbeua8iyyihhiqd6nj03k0aesmta== \ end certificate if the command is successful, there will be output showing the name and uri of the kmip server, the name of the flasharray certificate associated with it, and a boolean value of true or false for whether the ca certificate is configured b | import the signed flasharray certificate the purecert setattr command will be used to import the signed flasharray certificate after executing the command, you are prompted to paste in the signed flasharray certificate be sure to copy the entire certificate including " begin" and " end" lines pureuser\@purefa ct0 # purecert setattr certificate cert 1 please enter certificate followed by enter and then ctrl d \ begin certificate miidpdccaisgawibagiiangthwaaaicwdqyjkozihvcnaqelbqawdzenmasga1ue \ pasted lines omitted sqpnmlbdt1c7dn4yp0pk7g== \ end certificate if the command succeeds, the output lists the certificate name, and the status field shows imported c | test connection and authentication from the flasharray to the {{ch}} the following purekmip test command verifies that the configured credentials successfully contact and authenticate to the kmip port on the {{ch}} pureuser\@purefa ct0 # purekmip test kmip srvr if the command succeeds, the output lists the name of the kmip server, and the status field displays ok be sure to run the purekmip test command to test the server array communication path before enabling rdl