Configure KMES Series 3

14min
This section starts with the general KMES configurations necessary to enable the Futurex PKCS #11 module to integrate with the KMES Series 3. Then, it covers the necessary steps to configure TLS communication between the KMES and the Futurex PKCS #11 Library.
Configure general KMES settings for KMES to FXPKCS #11 communication
Perform the following tasks to configure the KMES Series 3 for communication with FXPKCS #11:
Create an FXPKCS #11 role and identity with the correct assigned permissions.
Enable Host API commands.
The following sections show you how to complete these tasks.
Create a role and identity for FXPKCS #11 with the required permissions
Perform the folllowing steps to create new role and identity for Futurex PKCS #11 (FXPKCS11) on the KMES Series 3. A later section shows you how to configure the identity name and password in the Futurex PKCS #11 configuration file.
1
Log in to the KMES Series 3 application interface with the default Admin identities.
2
Go to Identity Management > Roles and select [ Add ] at the bottom of the page. 
3
In the Info tab of the Role Editor window, specify a name for the role and set the number of logins required to 1.
4
On the Permissions tab, select the following permissions:
Permission
Subpermission
﻿
Cryptographic Operations
Sign, Verify, Encrypt, Decrypt, Wrap, Unwrap, Derive
﻿
Keys
Add, Export
﻿
Certificate Authority 
Add, Export, Upload
﻿
5
On the Advanced tab, allow authentication to the Host API port only.
6
Select [ OK ] to finish creating the role.
7
Go to Identity Management > Identities.
8
Right-click anywhere in the window and select Add > Client Application.
9
On the Info tab of the Identity Editor window, select Application for the storage location and specify a name for the identity.
10
On the Assigned Roles tab, select the Nginx role you just created.
11
On the Authentication tab, select Password and then select [ Configure ]. 
12
In the Configure Credential window, select [ Change ]. Enter a password and select [ Save ].
13
Select [ OK ] to finish creating the identity.
Enable the Host API commands required for FXPKCS #11 operation
Because the Futurex PKCS #11 library connects to the Host API port on the KMES, you must define which Host API commands to enable for execution by the FXPKCS11 library. To set the allowed commands, complete the following steps:
1
Log in to the KMES Series 3 application interface with the default Admin identities.
2
Go to Administration > Configuration > Host API Options and enable the following commands:
Command
Description or subcommand (if applicable)
﻿
ECHO
Communication Test or Retrieve Version
﻿
TIME
Set time
﻿
RAFA
Filter Issuance Policy
﻿
RAND
Generate Random Number
﻿
RKCK
Create HSM Trusted Key
﻿
RKCP
Get Command Permissions
﻿
RKCS
Create Symmetric HSM Trusted Key Group
﻿
RKED
Encrypt or Decrypt Data
﻿
RKGP
Export Asymmetric HSM Trusted Key
﻿
RKGS
Generate Signature
﻿
RKHM
HMAC Data
﻿
RKLN
Lookup Objects
﻿
RKLO
Login User
﻿
RKRC
Get HSM Trusted Key
﻿
ATTR
Generic Attribute Operations 
Get: Retrieve generic attributes
﻿
ATKG
Add HSM trusted asymmetric key group
﻿
RKPK
Pop Generated Key
﻿
3
Select [ Save ] to finish.
Configure TLS communication
Perform the following tasks to configure TLS communication between the KMES Series 3 and the Futurex PKCS #11 module:
Create a Certificate Authority.
Generate a CSR for the System/Host API connection pair.
Sign the System/Host API CSR.
Export the Root CA.
Export the signed System/Host API TLS certificate.
Load the exported certificates into the System/Host API connection pair.
Issue a client certificate for the Futurex PKCS #11 module.
Export the client certificate as a PKCS #12 file.
The following sections describe how to perform these tasks.
Create a Certificate Authority (CA)
1
Log in to the KMES Series 3 application interface with the default Admin identities.
2
Go to PKI > Certificate Authorities and select [ Add CA ] at the bottom of the page.
3
In the Certificate Authority window, enter a name for the certificate container, leave all other fields set to the default values, and select [ OK ].
The certificate container you just created now displays in the Certificate Authorities menu.
4
Right-click the certificate container you just created and select Add Certificate > New Certificate.
5
On the Subject DN tab, set a Common Name for the certificate, such as System TLS CA Root.
6
On the Basic Info tab, leave all fields set to the default values.
7
On the V3 Extensions tab, select the Certificate Authority profile and select [ OK ].
The root CA certificate now displays under the previously created certificate container.
Generate a CSR for the System/Host API connection pair
1
Go to Administration > Configuration > Network Options.
2
In the Network Options window, go to the TLS/SSL Settings tab.
3
Under the System/Host API connection pair, uncheck the Use Futurex certificates checkbox and select [ Edit ] next to PKI keys in the User Certificates section.
4
In the Application Public Keys window, select [ Generate ].
5
When warned that SSL will not be functional until new certificates are imported, select [ Yes ] to continue.
6
In the PKI Parameters window, leave all fields set to the default values and select [ OK ].
You should see that a PKI Key Pair is loaded now in the Application Public Keys window.
7
Select [ Request ].
8
On the Subject DN tab, set a Common Name for the certificate, such as KMES.
9
On the V3 Extensions tab, select the TLS Server Certificate profile.
10
On the PKCS #10 Info tab, select a save location for the CSR and select [ OK ].
11
When prompted that the certificate signing request was successfully written to the file location that was selected, select [ OK ].
12
Select [ OK ] again to save the Application Public Keys settings.
The main Network Options window now shows Loaded next to PKI keys for the System/Host API connection pair.
Sign the System/Host API CSR
1
Go to PKI > Certificate Authorities.
2
Right-click the root CA certificate you created and select Add Certificate > From Request.
3
In the file browser, select the CSR that you generated for the System/Host API connection pair.
4
After it loads, don't modify any settings for the certificate. Select [ OK ].
The signed System/Host API certificate now shows under the root CA certificate on the Certificate Authorities page.
Export the Root CA certificate
1
Go to PKI > Certificate Authorities.
2
Right-click the System TLS CA Root certificate and select Export > Certificate(s).
3
In the Export Certificate window, change the encoding to PEM and select [ Browse ].
4
In the file browser, go to the location where you want to save the Root CA certificate. Specify the name of the file and select [ Open ].
5
Select [ OK ].
A message box confirms that the PEM file was successfully written to the location that you specified.
Export the signed System/Host API certificate
1
Go to PKI > Certificate Authorities.
2
Right-click the KMES System/Host API certificate and select Export > Certificate(s).
3
In the Export Certificate window, change the encoding to PEM and select [ Browse ].
4
In the file browser, navigate to the location where you want to save the Root CA certificate. Specify the name of the file and select [ Open ].
5
Select [ OK ].
A message box confirms that the PEM file was successfully written to the location that you specified.
Load the exported certificates into the System/Host API connection pair
1
Go to Administration > Configuration > Network Options.
2
In the Network Options window, go to the TLS/SSL Settings tab.
3
Under the System/Host API connection pair, select [ Edit ] next to Certificates in the User Certificates section.
4
Right-click the System/Host API SSL CA X.509 certificate container and select [ Import ].
5
Select [ Add ] at the bottom of the Import Certificates window.
6
In the file browser, select both the root CA certificate and the signed System/Host API certificate, and select [ Open ]. 
7
Select [ OK ] to save the changes. 
In the Network Options window, the System/Host API connection pair now shows Signed loaded next to Certificates in the User Certificates section.
Issue a client certificate for the Futurex PKCS #11 module
1
Go to PKI > Certificate Authorities.
2
Right-click the System TLS CA Root certificate and select Add Certificate > New Certificate.
3
On the Subject DN tab, set a Common Name for the certificate.
4
Leave all fields in the Basic Info tab set to the default values.
5
On the V3 Extensions tab, select the TLS Client Certificate profile and select [ OK ].
The PKCS #11 client certificate now displays under the System TLS CA Root certificate.
Export the client certificate as a PKCS #12 file
To perform the following steps, you must go to Configuration > Options and enable the Allow export of certificates using passwords option.
1
Go to PKI > Certificate Authorities.
2
Right-click the PKCS #11 client certificate and select Export > PKCS12.
3
Set a PKCS12 password, leave Export Selected Certificate with Parents selected, and select [ Next ].
4
Enter a name for the file, select the location where you want to save it, and select [ Open ] to start the export.
5
Move the FXPKCS11 Client certificate to the computer where you installed the Futurex PKCS #11 module. 
A later section shows you how to configure it in the FXPKCS11 configuration file and use it for TLS communication with the KMES Series 3.
﻿
﻿
﻿
﻿
﻿
Install Futurex PKCS #11 (FXPKCS11)
Edit the Futurex PKCS #11 configuration file
Configure KMES Series 3

Configure general KMES settings for KMES to FXPKCS #11 communication

Create a role and identity for FXPKCS #11 with the required permissions

Enable the Host API commands required for FXPKCS #11 operation

Configure TLS communication

Create a Certificate Authority (CA)

Generate a CSR for the System/Host API connection pair

Sign the System/Host API CSR

Export the Root CA certificate

Export the signed System/Host API certificate

Load the exported certificates into the System/Host API connection pair

Issue a client certificate for the Futurex PKCS #11 module

Export the client certificate as a PKCS #12 file

﻿
