Configuring TLS mutual authentication between FlashArray and CryptoHub
Before enabling RDL on the FlashArray, the array and the CryptoHub must establish a mutual trust relationship by validating their respective digitally signed certificates.

Notes about certificates:

- Certificates used on the FlashArray must be PEM formatted (Base64 encoded).
- Intermediary certificates are not supported for use with KMIP.
- Using the Purity internal management certificate for KMIP configuration is not supported.

Perform the following tasks to configure TLS mutual authentication:

1. Create a FlashArray certificate and construct a CSR
2. Configure certificates in the FlashArray CLI

Create a certificate and CSR

Use the FlashArray command line interface (CLI) to perform the following tasks to create a certificate and certificate signing request (CSR):

1. Generate a FlashArray certificate
2. Construct a CSR
3. Sign the FlashArray CSR with a CA created on the CryptoHub

Generate a FlashArray certificate

Perform the following steps to generate a FlashArray certificate:

1. Use the following purecert create CLI command to create a self-signed certificate:

    pureuser@purefa-ct0 # purecert create cert-1 --self-signed --common-name purefa

2. Display the certificate by using the following purecert list command. (Copy the displayed certificate for use in a later step.)

    pureuser@purefa-ct0 # purecert list cert-1 --certificate

Construct a CSR

Perform the following steps to construct a CSR:

1. Use the following purecert construct command to construct a CSR:

    pureuser@purefa-ct0 # purecert construct cert-1 --certificate-signing-request

2. Copy the CSR that is displayed in the terminal and paste it into a file editor. Save the file with either the .pem or .csr extension. Then, move the file via SFTP or other means to the external storage device configured on the CryptoHub.

Sign the CSR

Refer to the CryptoHub user guide for guidance on creating a certificate authority and issuing a certificate from the FlashArray CSR.

Configure certificates in the FlashArray CLI

Copy the contents of the FlashArray and the CA certificates to your clipboard for use in the following configuration tasks:

1. Define the KMIP server and import the KMIP server CA certificate
2. Import the signed FlashArray certificate
3. Test connection and authentication from the FlashArray to the CryptoHub

Import the CA certificate

The purekmip create command enables the creation of a KMIP server and provides a way to import the CA certificate for the KMIP server. After executing the command, you must paste in the KMIP server's CA certificate when prompted. Be sure to copy the entire certificate, including the BEGIN and END lines.

Perform the following step to define the KMIP server and import the KMIP server CA certificate:

1. Run the purekmip create command as shown in the following example. In the URI field, specify the IP or hostname of the CryptoHub and the KMIP port number.

    pureuser@purefa-ct0 # purekmip create kmip-srvr --uri 10.0.5.127:5696 --certificate cert-1 --ca-certificate
    Please enter CA certificate followed by Enter and then Ctrl-D:
    -----BEGIN CERTIFICATE-----
    miidejccafoccqd5srlgfudwrzanbgkqhkig9w0baqsfadblmrswgqydvqqldbjq
    ... pasted lines omitted ...
    8mmbeua8iyyihhiqd6nj03k0aesmta==
    -----END CERTIFICATE-----

If the command succeeds, the output shows the name and URI of the KMIP server, the name of the FlashArray certificate associated with it, and a boolean value of true or false indicating whether the CA certificate is configured.

Import the certificate

The purecert setattr command imports the signed FlashArray certificate. After executing the command, paste in the signed FlashArray certificate when prompted. Be sure to copy the entire certificate, including the BEGIN and END lines.

Perform the following step to import the signed FlashArray certificate:

1. Run the purecert setattr command as shown in the following example.

    pureuser@purefa-ct0 # purecert setattr --certificate cert-1
    Please enter certificate followed by Enter and then Ctrl-D:
    -----BEGIN CERTIFICATE-----
    miidpdccaisgawibagiiangthwaaaicwdqyjkozihvcnaqelbqawdzenmasga1ue
    ... pasted lines omitted ...
    sqpnmlbdt1c7dn4yp0pk7g==
    -----END CERTIFICATE-----

If the command succeeds, the output lists the certificate name, and the status field shows imported.

Test connection

The following purekmip test command verifies that the configured credentials successfully contact and authenticate FlashArray to the KMIP port on the CryptoHub:

    pureuser@purefa-ct0 # purekmip test kmip-srvr

If the command succeeds, the output lists the name of the KMIP server, and the status field displays OK. Be sure to run the purekmip test command to test the server-array communication path before enabling RDL.
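
Both import prompts above require the entire PEM certificate, including the BEGIN and END lines, and the notes rule out intermediary certificates. The following pre-paste check is an added example, not code from the FlashArray or CryptoHub documentation; the function names are hypothetical, and it validates only PEM and DER framing, not the signature or trust chain.

```python
import base64
import binascii
import re
import textwrap

# One PEM block: BEGIN line, base64 body, END line with the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def der_length_ok(der):
    """True if der is a single ASN.1 SEQUENCE whose length covers all of der."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                         # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                         # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_paste(text):
    """Return a list of problems found in text meant for a certificate prompt."""
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return ["no complete PEM block: BEGIN or END line missing"]
    problems = []
    if len(blocks) > 1:
        problems.append("%d PEM blocks: paste one certificate, not a chain" % len(blocks))
    for label, body in blocks:
        if label != "CERTIFICATE":            # e.g. the CSR copied by mistake
            problems.append("block type is '%s', not CERTIFICATE" % label)
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            problems.append("body is not valid base64")
            continue
        if not der_length_ok(der):
            problems.append("DER length mismatch: lines missing from the paste")
    return problems

def constructed_sample():
    """Constructed stand-in: a 260-byte DER SEQUENCE, not a real certificate."""
    body = base64.b64encode(b"\x30\x82\x01\x00" + bytes(256)).decode()
    lines = "\n".join(textwrap.wrap(body, 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % lines

if __name__ == "__main__":
    print(check_paste(constructed_sample()))  # complete paste: no problems
```

An empty list means the text is framed correctly for the prompt; the array's own import status and the purekmip test result remain the actual verification.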