Configure KMES Series 3
This section covers the steps needed to configure TLS communication between the KMES Series 3 and the computer where you installed Java Jarsigner and the Futurex PKCS #11 library. It also includes general KMES configurations for the KMES to provide code signing and verification functionality for Java ARchive (JAR) files.
Perform the following tasks to configure TLS communication between the KMES Series 3 and the computer where you installed Jarsigner and FXPKCS11:
- Create a certificate authority.
- Generate a CSR for the System/Host API connection pair.
- Sign the System/Host API CSR.
- Export the Root CA and signed System/Host API TLS certificate.
- Load the exported TLS certificates into the System/Host API connection pair.
- Generate a signed client TLS certificate for Jarsigner/FXPKCS11.
- Allow export of certificates by using passwords.
- Export the signed Jarsigner client TLS certificate as a PKCS #12 file.
The following sections describe how to perform these tasks.
Log in to the KMES Series 3 application interface with the default Admin identities.
Go to PKI > Certificate Authorities, and select [ Add CA ] at the bottom of the page.
Enter a name for the Certificate Container, leave all other fields set to the default values, and select [ OK ].
The Certificate Container you created displays in the Certificate Authorities menu.
Right-click the Certificate Container and select Add Certificate > New Certificate.
On the Subject DN tab, set a Common Name for the certificate, such as System TLS CA Root.
On the Basic Info tab, leave the settings set to the default values.
On the V3 Extensions tab, select the Certificate Authority profile, and select [ OK ].
The root CA certificate now displays under the previously created Certificate Container.
Go to Administration > Configuration > Network Options.
In the Network Options window, go to the TLS/SSL Settings tab.
Under the System/Host API connection pair, uncheck Use Futurex certificates, and select [ Edit ] next to PKI Keys in the User Certificates section.
In the Application Public Keys window, select [ Generate ].
When warned that SSL will not be functional until new certificates are imported, select [ Yes ] if you want to continue.
In the PKI Parameters window, leave the settings set to default values and select [ OK ].
A message window shows that a PKI Key Pair is loaded in the Application Public Keys window.
Select [ Request ].
On the Subject DN tab, set a Common Name for the certificate, such as KMES.
On the V3 Extensions tab, select the TLS Server Certificate profile.
On the PKCS #10 Info tab, select a save location for the CSR, and select [ OK ].
When prompted that the certificate signing request was successfully written to the file location that was selected, select [ OK ].
Select [ OK ] again to save the Application Public Keys settings.
The main Network Options window now shows Loaded next to PKI Keys.
Go to PKI > Certificate Authorities.
Right-click the root CA certificate you created, and select Add Certificate > New Certificate.
In the file browser, find and select the CSR that you generated for the System/Host API connection pair.
After it loads, you don't need to modify any of the settings for the certificate. Select [ OK ].
The signed System/Host API certificate now shows under the root CA certificate on the Certificate Authorities page.
Right-click the root CA certificate, and select Export > Certificate(s).
Change the encoding to PEM. Select [ Browse ], specify a save location and name for the export file, and select [ Open ].
When prompted that the file was successfully written to the location that was selected, select [ OK ].
Right-click the signed System/Host API certificate and select Export > Certificate(s).
Change the encoding to PEM. Select [ Browse ], specify a save location and name for the export file, and select [ Open ].
When prompted that the file was successfully written to the location that was selected, select [ OK ].
Go to Administration > Configuration > Network Options.
In the Network Options window, go to the TLS/SSL Settings tab.
Select the System/Host API connection pair and select [ Edit ] next to Certificates in the User Certificates section.
Right-click the System/Host API SSL CA X.509 certificate container and select [ Import ].
Select [ Add ] at the bottom of the Import Certificates window.
In the file browser, find and select both the root CA certificate and signed System/Host API certificate, and select [ Open ].
When the Certificate chain appears in the window, select [ OK ] to save your changes.
In the Network Options window, the System/Host API connection pair shows Signed Loaded next to Certificates in the User Certificates section.
Select [ OK ] to save and exit the Network Options window.
Go to PKI > Certificate Authorities.
Right-click the root CA certificate and select Add Certificate > New Certificate.
On the Subject DN tab, set a Common Name for the certificate, such as Jarsigner.
Leave all fields on the Basic Info tab set to the default values.
On the V3 Extensions tab, select the TLS Client Certificate profile, and select [ OK ].
The signed Jarsigner certificate now displays under the root CA certificate.
Perform the following steps so you can export the Jarsigner client TLS certificate as a PKCS #12 file:
Go to Administration > Configuration > Options.
Select the checkbox next to the menu option Allow export of certificates using passwords.
Select [ Save ].
Go to PKI > Certificate Authorities.
Right-click the Jarsigner certificate and select Export > PKCS#12.
Select [ Set Password ], enter a password for the PKCS #12 file and select [ Save ].
In the Export Options section, select Export Selected Certificate and select [ Next ].
Specify a name for the PKCS #12 export file and select [ Open ].
A message window states that the PKCS #12 certificate export was successful.
Move this PKCS #12 file to the computer where you installed Jarsigner.
A later section shows you how to configure it in the Futurex PKCS #11 configuration file and use it for TLS communication with the KMES Series 3.
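Before the exported files are referenced from the PKCS #11 configuration, it is worth confirming on the Jarsigner host that they are what the steps above are meant to produce: a Root CA, a System/Host API certificate signed by it with the TLS Server profile, and a PKCS #12 that opens with the export password and holds a client certificate signed by the same Root CA with the TLS Client profile. The following is an added example, not part of the Futurex guide; it assumes the file names root.pem, hostapi.pem and jarsigner.p12, that openssl is installed, and it builds a constructed stand-in set of certificates so the check can be run offline.

```shell
#!/bin/sh
# Added example, not part of the Futurex guide: sanity-check the exported files
# before moving them to the Jarsigner host. Assumed file names: root.pem (Root CA,
# PEM), hostapi.pem (signed System/Host API certificate, PEM), jarsigner.p12
# (client certificate as PKCS #12) and the password set in the export dialog.
set -u

# Returns 0 only when hostapi.pem chains to the Root CA and carries TLS Web
# Server Authentication, and the PKCS #12 opens with the password and holds a
# certificate that chains to the Root CA with TLS Web Client Authentication.
verify_kmes_exports() {
  root=$1 server=$2 p12=$3 pw=$4
  openssl verify -CAfile "$root" "$server" >/dev/null 2>&1 || return 1
  openssl x509 -in "$server" -noout -text 2>/dev/null | grep -q 'TLS Web Server Authentication' || return 1
  client=$(mktemp)
  if openssl pkcs12 -in "$p12" -clcerts -nokeys -passin "pass:$pw" -out "$client" 2>/dev/null \
     && openssl verify -CAfile "$root" "$client" >/dev/null 2>&1 \
     && openssl x509 -in "$client" -noout -text 2>/dev/null | grep -q 'TLS Web Client Authentication'
  then rc=0; else rc=1; fi
  rm -f "$client"
  return $rc
}

# Constructed stand-in for the KMES exports (same Common Names as the steps
# above) so the check can be exercised offline: a Root CA, a serverAuth leaf and
# a clientAuth leaf packed into a password-protected PKCS #12.
make_sample_exports() {
  d=$1 pw=$2
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' >"$d/server.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' >"$d/client.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=System TLS CA Root' \
    -keyout "$d/ca.key" -out "$d/ca.csr" 2>/dev/null
  openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 30 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  s=1
  for spec in KMES:hostapi:server Jarsigner:jarsigner:client; do
    cn=${spec%%:*}; rest=${spec#*:}; f=${rest%%:*}; ext=${rest#*:}; s=$((s+1))
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
      -keyout "$d/$f.key" -out "$d/$f.csr" 2>/dev/null
    openssl x509 -req -in "$d/$f.csr" -CA "$d/root.pem" -CAkey "$d/ca.key" \
      -set_serial "$s" -days 30 -extfile "$d/$ext.ext" -out "$d/$f.pem" 2>/dev/null
  done
  # Package the client certificate the way the KMES PKCS #12 export does.
  openssl pkcs12 -export -in "$d/jarsigner.pem" -inkey "$d/jarsigner.key" \
    -passout "pass:$pw" -out "$d/jarsigner.p12"
}
```

Run `verify_kmes_exports root.pem hostapi.pem jarsigner.p12 '<export password>'` against the real exports; a non-zero exit means either the chain, the password or one of the V3 Extension profiles chosen above does not match.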
Perform the following tasks to configure the KMES Series 3 for communication with Jarsigner/FXPKCS11:
- Enable Host API commands.
- Create a Jarsigner role with the required permissions.
- Create a Jarsigner identity with the correct assigned roles.
- Create a signing approval group and give it appropriate permissions.
- Create a Jarsigner code signing certificate.
- Apply an issuance policy to the Jarsigner code signing certificate.
- Create a Jarsigner key group.
The following sections show you how to complete these tasks.
Go to Administration > Configuration > Host API Options.
Enable the following commands:
| Command | Description |
| --- | --- |
| ECHO | Communication Test/Retrieve Version |
| RAFA | Enumerate issuance policies |
| RAGA | Retrieve issuance policy details |
| RAGO | Retrieve Request (Hash Signing) |
| RAUO | Upload Request (Hash Signing) |
| RKCP | Get Command Permissions |
| RKLN | Lookup Objects |
| RKLO | Login User |
| RKRK | Retrieve Generated Keys |
| TIME | Set Time |
Select [ Save ] to finish.
Go to Identity Management > Roles, and select [ Add ] at the bottom of the page.
Select Application as the role Type, specify a name for the role, and set the Logins Required to 1.
On the Permissions tab, ensure that you select only the following permissions:
| Permission | Additional subpermissions (if applicable) |
| --- | --- |
| Certificate Authority | Export, Upload |
| Keys | Top-level permission only |
On the Advanced tab, select only Host API for Allowed Ports.
Select [ OK ] to save and create the role.
Go to Identity Management > Identities, right-click the background, and select Add > Client Application.
On the Info tab, select Application for the storage type and specify a name for the identity.
On the Assigned Roles tab, select the role you created in the previous section.
On the Authentication tab, remove the API Key mechanism, add the password mechanism, and set a password.
Select [ OK ] to save and create the identity.
Go to PKI > Signing Workflow, and select [ Add Approval Group ] at the bottom of the page.
Set a name for the Approval Group, such as Jarsigner, and select [ OK ] to save.
Right-click the Jarsigner Approval Group and select [ Permission ].
Select the Show all roles and permissions checkbox, and grant the Jarsigner role the Use permission. Select [ OK ] to save and finish.
This section describes the following methods for issuing a code signing certificate:
- KMES CA
- External CA
Go to PKI > Certificate Authorities, and select [ Add CA ] at the bottom of the page.
In the Certificate Authority window, enter a name for the Certificate Container, such as Jarsigner. Set the owner field to the Jarsigner role, and select [ OK ].
The new certificate container now displays in the Certificate Authorities menu.
Right-click the Jarsigner Certificate Container and select Add Certificate > New Certificate.
On the Subject DN tab, set a Common Name for the certificate, such as Code Signing.
Go to the V3 Extensions tab, select the Code Signing Certificate profile, and select [ OK ].
The code signing certificate now displays under the Root CA certificate inside of the Jarsigner certificate container.
For this method, you must import all the external CA certificates into an empty certificate container on the KMES. Then generate a CSR, which the external CA uses to issue a code signing certificate. Finally, import the code signing certificate into the certificate container on the KMES that contains the external CA certificate.
To complete these tasks, perform the following steps:
Go to PKI > Certificate Authorities, and select [ Add CA ] at the bottom of the page.
In the Certificate Authority window, enter a name for the Certificate Container, such as Jarsigner. Set the owner field to the Jarsigner role, and select [ OK ].
The new certificate container now displays in the Certificate Authorities menu.
Right-click the Jarsigner certificate container and select Import > Certificate(s).
In the Import Certificates window, select [ Add ]. Locate and select the external CA certificates in the chain that will issue the code signing certificate.
The CA certificates display in the Verified section of the Import Certificates window.
Select [ OK ] to save.
The external CA certificates now display in tree form under the Jarsigner Certificate Container.
Create a placeholder code signing certificate, from which you can generate a CSR. Right-click the lowest level CA certificate in the tree and select Add Certificate > Pending.
On the Subject DN tab, set a Common Name for the certificate, such as Code Signing.
On the V3 Extensions tab, select the Code Signing Certificate profile.
Select [ OK ].
The Code Signing placeholder certificate now displays under the external CA certificate(s).
Right-click the placeholder Code Signing certificate and select Export > Signing Request.
In the Create PKCS #10 Request window, leave all of the settings on the Subject DN tab set to the default values.
On the V3 Extensions tab, select the Code Signing Certificate profile.
On the PKCS #10 Info tab, specify a save location for the CSR and select [ OK ].
A message window states that the certificate signing request was successfully written to the location you specified.
Send the CSR file to an external certificate authority. Using the CSR, the external CA issues a code signing certificate.
After the external CA issues the code signing certificate, copy the certificate to the storage medium configured on the KMES.
In the PKI > Certificate Authorities menu on the KMES, right-click the placeholder Code Signing certificate and select Replace > With Signed Certificate.
In the Import Certificates window, select [ Add ], and select the externally signed code signing certificate in the file browser.
The code signing certificate populates under the CA certificate(s) in the Verified section of the Import Certificates window.
Select [ OK ] to save and finish.
Go to PKI > Certificate Authorities.
Right-click the Code Signing certificate and select Issuance Policy > Add.
On the Basic Info tab, set Approvals to 0 to allow anonymous signing. Select any hashes that you want to allow. You do not need to specify an Alias.
On the X.509 tab, set the Default approval group to Jarsigner.
On the Object Signing tab, select the Allow object signing checkbox.
Select [ OK ] to apply the issuance policy to the Jarsigner code signing certificate.
Go to Key Management > Keys. In the Key Groups section, select [ Create ].
Select Symmetric for Key Type.
Select HSM Trusted for Storage Location.
Specify a name for the Key Group, such as Jarsigner.
Select Permissions and give the Jarsigner role Use permissions.
Select [ OK ] to finish creating the Jarsigner key group.