Configure KMES Series 3

before deploying file encryption capabilities, perform the following tasks on the {{k3}} enable host api commands and enable the feas , fedf , and feef operations configure tls certificates for the system/host api connection pair generate a client tls certificate for the file encryption agent set up pki, tls, or password based application authentication create a role and identity with file encryption permissions establish key groups, key templates, and key rotation policies see the file encryption agent docid\ x38vwf4muewxy9lccg6 3 section enable host api commands to enable file encryption, you must enable three host api commands feas , feef , and fedf through the host api options page go to administration > configuration > host api options to enable the feas (manage client side file encryption session keys), feef (encrypt file), and fedf (decrypt file) commands, select the checkbox next to them we recommend enabling only necessary functions by default, all commands are disabled select \[ save ] to finish configure tls certificates for mutual authentication to occur between the file encryption agent and the system/host api port, you must configure tls certificates for both this establishes an encrypted tunnel for all communication between the file encryption agent and the {{k3}} the {{k3}} supports a certificate hierarchy, in which the top of the hierarchy must contain a self signed root certificate to import a certificate that is not self signed, its parent certificate (the certificate that signed it) must be present the following example generates a root certificate authority (ca) on the {{k}} and uses it to issue both the system/host api tls certificate and the client tls certificate for the file encryption agent you often need to whitelist the system/host api port on any network firewalls configured in your environment the default system/host api port is 2001, but you can modify the system to use a different port perform the following tasks to configure the tls certificates for the connection between the file encryption agent and the system/host api port create an x 509 certificate container and generate a root ca certificate generate a csr for the system/host api connection pair sign the system/host api csr export the system tls ca root certificate export the signed system/host api tls certificate load the exported tls certificates into the system/host api connection pair create a certificate container perform the following steps to create an x 509 certificate container and generate a root ca certificate go to pki > certificate authorities , and select \[ add ca ] at the bottom of the page in the certificate authority window, enter a name for the certificate container, leave all other fields set to the default values, and select \[ ok ] right click the certificate container that you created and select add certificate > new certificate in the subject dn tab, select classic in the preset drop down list and set a common name for the certificate, such as system tls ca root in the basic info tab, change the key size to 4096 leave all other settings set to the default values in the v3 extensions tab, select certificate authority in the profile drop down list and select \[ ok ] generate a csr perform the following steps to generate a csr for the system/host api connection pair go to administration > configuration > network options in the network options window, select the tls/ssl settings tab under the system/host api connection pair, uncheck the use futurex certificates box and select \[ edit ] next to pki keys in the user certificates section in the application public keys window, select \[ generate ] when warned that ssl will not be functional until new certificates are imported , select \[ yes ] to continue in the pki parameters window, leave the default settings and select \[ ok ] the application public keys window shows that a pki key pair is loaded select \[ request ] in the subject dn tab, leave the default common name that is set for the certificate in the basic info tab, leave the default settings in the v3 extensions tab, select tls server certificate in the profile drop down list in the pkcs #10 info tab, select \[ browse ] , select a save location for the csr, specify a name for the file, and select \[ open ] select \[ ok ] to finish generating the csr when prompted that the certificate signing request was successfully written to the file location that was selected , select \[ ok ] select \[ ok ] again to save the application public keys settings the main network options window now shows loaded next to pki keys for the system/host api connection pair select \[ ok ] sign the csr perform the following steps to sign the system/host api csr go to pki > certificate authorities right click the system tls ca root certificate and select add certificate > from request in the file browser, find and select the csr generated for the system/host api connection pair, and select \[ open ] after it loads, you don't need to modify the certificate settings select \[ ok ] the signed system/host api tls certificate now shows under the system tls ca root certificate in the certificate authorities menu export the certificate perform the following steps to export the system tls ca root certificate go to pki > certificate authorities right click the system tls ca root certificate and select export > certificate(s) in the export certificate window, select pem in the encoding drop down list and select \[ browse ] in the file browser, go to the location where you want to save the system tls ca root certificate, specify a name for the file, and select \[ open ] select \[ ok ] when notified that the pem file was successfully written to the location that you specified , select \[ ok ] again to exit the dialog export the signed certificate perform the following steps to export the signed system/host api tls certificate go to pki > certificate authorities right click the system/host api certificate and select export > certificate(s) in the export certificate window, select pem in the encoding drop down list and select \[ browse ] in the file browser, go to the location where you want to save the signed system/host api tls certificate, specify a name for the file, and select \[ open ] select \[ ok ] when notified that the pem file was successfully written to the location that you specified , select \[ ok ] again to exit the window load the exported certificates perform the following steps to load the exported tls certificates into the system/host api connection pair go to administration > configuration > network options in the network options window, go to the tls/ssl settings tab select \[ edit ] next to certificates in the user certificates section right click the system/host api ssl ca x 509 certificate container and select \[ import ] select \[ add ] at the bottom of the import certificates window in the file browser, select both the system tls ca root certificate and the signed system/host api certificate, and select \[ open ] the certificate chain appears in the verified section select \[ ok ] to save the changes in the network options window, the system/host api connection pair now shows signed loaded next to certificates in the user certificates section select \[ ok ] to save and exit the network options window generate a certificate perform the following steps to generate a client tls certificate for the file encryption agent go to pki > certificate authorities right click the system tls ca root certificate and select add certificate > new in the subject dn tab, select classic in the preset drop down list, and set a common name for the certificate, such as fileencryptionagent if you plan to use tls based authentication for the file encryption agent, ensure there are no spaces in the common name the section covering authentication methods explains why in the basic info tab, leave the default settings in the v3 extensions tab, select the tls client certificate profile and select \[ ok ] the fileencryptionagent certificate now displays under the system tls ca root certificate after generating the certificate, you must export it and the private key export the certificate and private key perform the following steps to export the file encryption agent tls certificate and private key as a pkcs #12 file to export the file encryption agent tls certificate and private key as a pkcs #12 file, you must enable an option in the options menu to allow the export of certificates by using passwords go to administration > configuration > options select the allow export of certificates using passwords checkbox, and select \[ save ] go to pki > certificate authorities right click the fileencryptionagent certificate and select export > pkcs #12 in the export pkcs12 window, select the export selected radio button, select aes 192 in the cipher options drop down list, change the file name to file encryption agent p12 , and select \[ next ] enter a password for the pkcs #12 file and select \[ next ] select \[ finish ] in the final menu to open a file browser select the directory where you want to save the pkcs #12 file and select \[ choose ] you must copy the file encryption agent pkcs #12 file and the system tls ca root certificate to the computer running the file encryption agent a later section shows how to configure them in the file encryption agent gui and use them for tls communication with the {{k3}} set up pki, tls, or password based application authentication the file encryption agent on the {{k3}} supports the following authentication methods password based authentication tls based authentication pki based authentication you can configure each of these authentication methods on the {{k}} through an identity provider the {{k}} supports password based authentication by default, but you must configure the tls and pki based authentication methods we recommend using either tls or pki based authentication, in which you generate certificates on the {{k3}} and store them on the server running the file encryption agent this ensures the server is trusted and eliminates relying solely on a username and password to authenticate to configure the tls based and pki based methods, select the appropriate option and follow the instructions tls based authentication tls based authentication works by matching the common name of a tls certificate to a specific {{k}} identity go to identity management > identity providers , right click the window background, and select add > provider > pki in the info tab of the identity provider edito r window, specify a name for the identity provider and de select the enforce dual factor checkbox in the pki options tab, select \[ select ] in the certificate selector window, expand the system tls ca certificate tree, select the fileencryptionagent certificate, and select \[ ok ] select \[ ok ] to finish creating the identity provider right click the identity provider you just created and select add > mechanism > tls in the info tab, specify a name for the authentication mechanism in the pki tab, leave the default settings select \[ ok ] to finish creating the tls authentication mechanism pki based authentication for pki based authentication, you should use separate certificates for tls communication and application authentication go to identity management > identity providers , right click the window background, and select add > provider > pki in the info tab of the identity provider editor , specify a name for the identity provider and de select the enforce dual factor checkbox in the pki options tab, select \[ select ] in the certificate selector window, select a certificate for application authentication and select \[ ok ] select \[ ok ] to finish creating the identity provider right click the identity provider you just created and select add > mechanism > pki in the info tab, specify a name for the authentication mechanism in the pki tab, leave the default settings select \[ ok ] to finish creating the pki authentication mechanism create a role and identity for the file encryption agent perform the following tasks to create a role to designate the permissions required for file encryption and create an identity for the file encryption agent to use when connecting to the {{k3}} create a new role grant the new role use permissions for the identity provider and certificate container create a new identity create a new role perform the following steps to create a new role go to identity management > roles and select \[ add ] in the info tab of the role editor window, leave the role type set to application , specify a name for the role, and change login required to 1 in the permissions tab, select all of the file encryption permissions permission sub permission file encryption add decrypt delete encrypt export list modify prune in the advanced tab, modify allowed ports to only allow host api select \[ ok ] to finish creating the role grant the role use permissions perform the following steps to grant the new role use permissions for the identity provider and certificate container go to identity management > identity providers right click the identity provider created for file encryption agent and select permission set the use permission for the file encryption agent role, and select \[ ok ] to save go to pki > certificate authorities right click the certificate container created for this integration and select permission set the use permission for the file encryption agent role and select \[ ok ] to save create a new identity perform the following steps to create a new identity go to identity management > identities , then right click the window background and select add > client application in the info tab of the identity editor , leave the storage type set to application and specify a name for the identity in the assigned roles tab, select the file encryption agent role you just created don't modify the settings in the device info tab in the authentication tab, select the default api key credential and select \[ remove ] then, select \[ add ] in the configure credential window, select the type drop down option, which lists all available credential types if you configured tls based authentication , select tls certificate , and if you configured pki based authentication , select pki certificate after selecting the credential type, the provider and mechanism fields auto populate select \[ ok ] on the authentication tab, you should see the tls certificate or pki certificate credential that you just added select \[ ok ] to finish creating the identity