# Configure KMES Series 3
This section covers the steps needed to configure TLS communication between the {{k3}} and the computer where you installed Java Jarsigner and the {{futurex}} PKCS #11 library. It also includes the general {{k}} configuration needed for the {{k}} to provide code signing and verification functionality for Java Archive (JAR) files.

## Configure TLS communication

Perform the following tasks to configure TLS communication between the {{k3}} and the computer where you installed Jarsigner and FXPKCS11:

1. Create a certificate authority (CA).
2. Generate a CSR for the System/Host API connection pair.
3. Sign the System/Host API CSR.
4. Export the root CA and the signed System/Host API TLS certificate.
5. Load the exported TLS certificates into the System/Host API connection pair.
6. Generate a signed client TLS certificate for Jarsigner/FXPKCS11.
7. Allow the export of certificates by using passwords.
8. Export the signed Jarsigner client TLS certificate as a PKCS #12 file.

The following sections describe how to perform these tasks.

### Create a CA

Perform the following steps to create a CA:

1. Log in to the {{k3}} application interface with the default Admin identities.
2. Go to PKI > Certificate Authorities, and select [ Add CA ] at the bottom of the page.
3. Enter a name for the certificate container, leave all other fields set to the default values, and select [ OK ]. The certificate container you created displays in the Certificate Authorities menu.
4. Right-click the certificate container and select Add Certificate > New Certificate.
5. On the Subject DN tab, set a Common Name for the certificate, such as System TLS CA Root.
6. On the Basic Info tab, leave the fields set to the default values.
7. On the V3 Extensions tab, select the Certificate Authority profile, and select [ OK ]. The root CA certificate now displays under the certificate container you created.

### Generate a CSR

Perform the following steps to generate a CSR for the System/Host API connection pair:

1. Go to Administration > Configuration > Network Options.
2. In the Network Options window, go to the TLS/SSL Settings tab.
3. Under the System/Host API connection pair, uncheck Use Futurex Certificates, and select [ Edit ] next to PKI Keys in the User Certificates section.
4. In the Application Public Keys window, select [ Generate ].
5. When warned that SSL will not be functional until new certificates are imported, select [ Yes ] if you want to continue.
6. In the PKI Parameters window, leave the settings set to the default values and select [ OK ]. A message window shows that a PKI key pair is loaded.
7. In the Application Public Keys window, select [ Request ].
8. On the Subject DN tab, set a Common Name for the certificate, such as KMES.
9. On the V3 Extensions tab, select the TLS Server Certificate profile.
10. On the PKCS #10 Info tab, select a save location for the CSR and select [ OK ].
11. When prompted that the certificate signing request was successfully written to the file location that was selected, select [ OK ].
12. Select [ OK ] again to save the Application Public Keys settings. The main Network Options window now shows Loaded next to PKI Keys.

### Sign the CSR

Perform the following steps to sign the System/Host API CSR:

1. Go to PKI > Certificate Authorities.
2. Right-click the root CA certificate you created, and select Add Certificate > New Certificate.
3. In the file browser, find and select the CSR you generated for the System/Host API connection pair. After it loads, you don't need to modify any of the settings for the certificate.
4. Select [ OK ]. The signed System/Host API certificate now shows under the root CA certificate on the Certificate Authorities page.

### Export the root CA and certificate

Perform the following steps to export the root CA and the signed System/Host API TLS certificate:

1. Right-click the root CA certificate and select Export > Certificate(s).
2. Change the encoding to PEM.
3. Select [ Browse ], specify a save location and name for the export file, and select [ Open ].
4. When prompted that the file was successfully written to the location that was selected, select [ OK ].
5. Right-click the signed System/Host API certificate and select Export > Certificate(s).
6. Change the encoding to PEM.
7. Select [ Browse ], specify a save location and name for the export file, and select [ Open ].
8. When prompted that the file was successfully written to the location that was selected, select [ OK ].

### Load the API connection pair

Perform the following steps to load the exported TLS certificates into the System/Host API connection pair:

1. Go to Administration > Configuration > Network Options.
2. In the Network Options window, go to the TLS/SSL Settings tab.
3. Select the System/Host API connection pair and select [ Edit ] next to Certificates in the User Certificates section.
4. Right-click the System/Host API SSL CA X.509 certificate container and select [ Import ].
5. Select [ Add ] at the bottom of the Import Certificates window.
6. In the file browser, find and select both the root CA certificate and the signed System/Host API certificate, and select [ Open ].
7. When the certificate chain appears in the window, select [ OK ] to save your changes. In the Network Options window, the System/Host API connection pair shows Signed Loaded next to Certificates in the User Certificates section.
8. Select [ OK ] to save and exit the Network Options window.

### Generate a signed TLS certificate

Perform the following steps to generate a signed client TLS certificate for Jarsigner/FXPKCS11:

1. Go to PKI > Certificate Authorities.
2. Right-click the root CA certificate and select Add Certificate > New Certificate.
3. On the Subject DN tab, set a Common Name for the certificate, such as Jarsigner.
4. Leave all fields on the Basic Info tab set to the default values.
5. On the V3 Extensions tab, select the TLS Client Certificate profile and select [ OK ]. The signed Jarsigner certificate now displays under the root CA certificate.

### Allow export of certificates

Perform the following steps so you can export the Jarsigner client TLS certificate as a PKCS #12 file:

1. Go to Administration > Configuration > Options.
2. Select the checkbox next to the menu option Allow export of certificates using passwords.
3. Select [ Save ].

### Export the TLS certificate

Perform the following steps to export the signed Jarsigner client TLS certificate as a PKCS #12 file:

1. Go to PKI > Certificate Authorities.
2. Right-click the Jarsigner certificate and select Export > PKCS#12.
3. Select [ Set Password ], enter a PKCS #12 file password, and select [ Save ].
4. In the Export Options section, select Export Selected Certificate and select [ Next ].
5. Specify a name for the PKCS #12 export file and select [ Open ]. A message window states that the PKCS #12 certificate export was successful.

Move this PKCS #12 file to the computer where you installed Jarsigner. A later section shows you how to configure it in the Futurex PKCS #11 configuration file and use it for TLS communication with the {{k3}}.

## Configure general KMES settings

Perform the following tasks to configure the {{k3}} for communication with Jarsigner/FXPKCS11:

1. Enable Host API commands.
2. Create a Jarsigner role with the required permissions.
3. Create a Jarsigner identity with the correct assigned roles.
4. Create a signing approval group and give it the appropriate permissions.
5. Create a Jarsigner code signing certificate.
6. Apply an issuance policy to the Jarsigner code signing certificate.

The following sections show you how to complete these tasks.

### Enable the commands

Perform the following steps to enable the required Host API commands:

1. Go to Administration > Configuration > Host API Options.
2. Enable the following commands:

| Command | Description |
|---|---|
| ECHO | Communication test / retrieve version |
| RAFA | Enumerate issuance policies |
| RAGA | Retrieve issuance policy details |
| RAGO | Retrieve request (hash signing) |
| RAUO | Upload request (hash signing) |
| RKCP | Get command permissions |
| RKLN | Lookup objects |
| RKLO | Login user |
| RKRK | Retrieve generated keys |
| TIME | Set time |

3. Select [ Save ] to finish.

### Create a Jarsigner role

Perform the following steps to create a Jarsigner role with the required permissions:

1. Go to Identity Management > Roles, and select [ Add ] at the bottom of the page.
2. Select Application as the Role Type, specify a name for the role, and set Logins Required to 1.
3. On the Permissions tab, ensure that you select only the following permissions:

| Permission | Additional sub-permissions (if applicable) |
|---|---|
| Certificate Authority | Export, Upload |
| Keys | Top-level permission only |

4. On the Advanced tab, select only Host API for Allowed Ports.
5. Select [ OK ] to save and create the role.

### Create a Jarsigner identity

Perform the following steps to create a Jarsigner identity with the correct assigned roles:

1. Go to Identity Management > Identities, right-click the background, and select Add > Client Application.
2. On the Info tab, select Application for the Storage Type and specify a name for the identity.
3. On the Assigned Roles tab, select the role you created in the previous section.
4. On the Authentication tab, remove the API Key mechanism, add the Password mechanism, and set a password.
5. Select [ OK ] to save and create the identity.

### Create a signing approval group

Perform the following steps to create a signing approval group and give it the appropriate permissions:

1. Go to PKI > Signing Workflow and select [ Add Approval Group ] at the bottom of the page.
2. Set a name for the approval group, such as Jarsigner, and select [ OK ] to save.
3. Right-click the Jarsigner approval group and select [ Permission ].
4. Select the Show All Roles and Permissions checkbox, and grant the Jarsigner role the Use permission.
5. Select [ OK ] to save and finish.

### Create a certificate

This section describes using a CA on the {{k}} to issue a Jarsigner code signing certificate.

1. Go to PKI > Certificate Authorities, and select [ Add CA ] at the bottom of the page.
2. In the Certificate Authority window, enter a name for the certificate container, such as Jarsigner. Set the Owner field to the Jarsigner role and select [ OK ]. The new certificate container now displays in the Certificate Authorities menu.
3. Right-click the Jarsigner certificate container and select Add Certificate > New Certificate.
4. On the Subject DN tab, set a Common Name for the certificate, such as Code Signing.
5. Go to the V3 Extensions tab, select the Code Signing Certificate profile, and select [ OK ]. The code signing certificate now displays under the root CA certificate inside the Jarsigner certificate container.

### Apply an issuance policy

Perform the following steps to apply an issuance policy to the Jarsigner code signing certificate:

1. Go to PKI > Certificate Authorities.
2. Right-click the code signing certificate and select Issuance Policy > Add.
3. On the Basic Info tab, set Approvals to 0 to allow anonymous signing. Select SHA-384 as an allowed hash. You do not need to specify an alias.
4. On the X.509 tab, set the Default Approval Group to Jarsigner.
5. On the Object Signing tab, select the Allow Object Signing checkbox.
6. Select [ OK ] to apply the issuance policy to the Jarsigner code signing certificate.
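Before loading the exported root CA and System/Host API certificate into the connection pair, and before moving the PKCS #12 file to the Jarsigner computer, it is worth confirming that the three files carry what the TLS section above expects. The following script is an added example, not part of the {{futurex}} documentation or product: it uses OpenSSL to check that the root export is a CA certificate, that the System/Host API certificate chains to it with the TLS server usage, and that the PKCS #12 opens with its password and holds a TLS client certificate plus its private key. It assumes that the TLS Server Certificate and TLS Client Certificate profiles set the usual serverAuth and clientAuth extended key usages; the file names, the password "secret", and the throwaway certificates that make_constructed_fixtures builds in place of real KMES exports are all constructed for the example.

```shell
#!/bin/sh
# Added example: sanity-check the three files exported from the KMES in the TLS section.
# Arguments: root CA PEM, System/Host API certificate PEM, Jarsigner PKCS #12, PKCS #12 password.
# Returns 0 when every check passes; a non-zero code identifies the failing check.
check_kmes_tls_exports() {
  root="$1"; server="$2"; p12="$3"; pw="$4"
  # Root export must come from the Certificate Authority profile (CA:TRUE).
  openssl x509 -in "$root" -noout -text 2>/dev/null | grep -q 'CA:TRUE' || return 1
  # System/Host API certificate must chain to that root ...
  openssl verify -CAfile "$root" "$server" >/dev/null 2>&1 || return 2
  # ... and carry the TLS server extended key usage the TLS Server Certificate profile is assumed to set.
  openssl x509 -in "$server" -noout -text 2>/dev/null \
    | grep -q 'TLS Web Server Authentication' || return 3
  # PKCS #12 must open with the password and hold a TLS client certificate ...
  openssl pkcs12 -in "$p12" -passin "pass:$pw" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -text 2>/dev/null | grep -q 'TLS Web Client Authentication' || return 4
  # ... together with its private key, or Jarsigner cannot authenticate with it.
  openssl pkcs12 -in "$p12" -passin "pass:$pw" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY' || return 5
  return 0
}

# Constructed stand-ins for the KMES exports (assumption: real files come from the KMES export
# steps above, not from here). Builds a throwaway root CA, a server certificate, and a client
# certificate packed as PKCS #12 (password "secret") in directory $1.
make_constructed_fixtures() {
  d="$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$d/server.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$d/client.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.csr" \
    -subj "/CN=System TLS CA Root" 2>/dev/null
  openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 2 -extfile "$d/ca.ext" \
    -out "$d/ca.pem" 2>/dev/null
  for n in server client; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" -out "$d/$n.csr" \
      -subj "/CN=$n" 2>/dev/null
    openssl x509 -req -in "$d/$n.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
      -days 2 -extfile "$d/$n.ext" -out "$d/$n.pem" 2>/dev/null
  done
  openssl pkcs12 -export -in "$d/client.pem" -inkey "$d/client.key" -certfile "$d/ca.pem" \
    -out "$d/jarsigner.p12" -passout pass:secret 2>/dev/null
}

# Command-line use against real exports: sh check_exports.sh ROOT.pem HOSTAPI.pem JARSIGNER.p12 PASSWORD
if [ "$#" -eq 4 ]; then
  check_kmes_tls_exports "$@" && echo "exports OK"
fi
```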