# Configure KMES Series 3
This section starts with the general {{k}} configuration that lets Apache integrate with the {{k}} to store the private key used for HTTPS connections. The second half of the section covers the steps to configure TLS communication between the {{k3}} and the Futurex PKCS #11 library that Apache uses to communicate with the {{k}}.

## Create a role and identity

Perform the following steps to create a new role and identity for Apache on the device, and to assign the role to the identity that the {{futurex}} PKCS #11 library uses to connect to the {{k}}.

1. Log in to the {{k}} application interface with the default Admin identities.
2. Go to the Identity Management > Roles menu and select [Add].
3. In the Role Editor window, specify a name for the role, select the Hardened checkbox, and set the number of logins required to 1.
4. On the Permissions tab, select the following permissions:

   | Category | Permissions |
   |---|---|
   | Certificate Authority | Add, Export |
   | Cryptographic Operations | Sign |
   | Keys | Add |

5. On the Advanced tab, set the Allowed Ports field to Host API.
6. Select [OK] to finish creating the role.
7. Go to the Identity Management > Identities menu, then right-click the pane background and select Add > Client Application.
8. Change the storage type to HSM and specify a name for the identity.
9. On the Assigned Roles tab, select the hardened role that you just created.
10. On the Authentication tab, select [Add] to configure a new credential.
11. In the Configure Credential window, set the credential type to Password, enter a password for the credential, and select [OK]. The new password credential now displays alongside the API Key credential that exists by default.
12. Select the API Key credential and select [Remove].
13. In the main Identity Editor dialog, select [OK] to save. The new identity now displays in the list with the other identities that exist on the device.

The role grants only the three permission groups listed and is limited to the Host API port, so the identity the PKCS #11 library authenticates as cannot be used to log in to the application interface or to perform administrative operations. Keep it that way: do not reuse an administrative identity for Apache.

## Enable the Host API commands

Because the Futurex PKCS #11 library connects to the Host API port on the {{k}}, you must determine which Host API commands are eligible for execution by the fxpkcs11 library. To enable the commands required for Apache HTTP Server operation, perform the following steps.

1. Go to Administration > Configuration > Host API Options and enable the following commands:

   | Command | Description and additional modifiers |
   |---|---|
   | ATKG | Manipulate HSM trusted asymmetric key group. Modifiers: Add (add HSM trusted asymmetric key group), Modify (modify HSM trusted asymmetric key group), Delete (delete HSM trusted asymmetric key group), Get (retrieve HSM trusted asymmetric key group) |
   | ECHO | Communication test / retrieve version |
   | RAFA | Filter issuance policy |
   | RAND | Generate random number |
   | RKCK | Create HSM trusted key |
   | RKCP | Get command permissions |
   | RKCS | Create symmetric HSM trusted key group |
   | RKGP | Export asymmetric HSM trusted key |
   | RKGS | Generate signature |
   | RKLN | Lookup objects |
   | RKLO | Login user |
   | RKPK | Pop generated key |
   | TIME | Set time |

2. After enabling the preceding commands, select [Save].

Enable only the commands in this list. Every Host API command you enable is callable by any identity that authenticates on that port, so the list is part of the device's attack surface, not just a compatibility setting.

## Configure TLS communication

To configure TLS communication between the {{k}} and the PKCS #11 library, you need to perform the following tasks:

1. Create a certificate authority.
2. Create a CSR for the System/Host API connection pair.
3. Sign the System/Host API CSR.
4. Export the TLS root CA certificate.
5. Export the signed System/Host API TLS certificate.
6. Load the exported TLS certificates into the System/Host API connection pair.
7. Generate a TLS private key and certificate signing request (CSR) for the Futurex PKCS #11 library by using OpenSSL.
8. Sign the CSR for the fxpkcs11 library.
9. Export the signed fxpkcs11 TLS certificate.

The following sections detail these procedures.

### Create a certificate authority

1. Go to the PKI > Certificate Authorities menu and select [Add CA] at the bottom of the window.
2. In the Certificate Authority dialog, enter a name for the certificate container, leave all other fields set to the default values, and select [OK].
3. Right-click the certificate container that you created and select Add Certificate > New Certificate.
4. On the Subject DN tab, select the Classic preset and set a common name for the certificate, such as System TLS CA Root.
5. On the Basic Info tab, leave all fields set to the default values.
6. On the V3 Extensions tab, select the Certificate Authority profile and select [OK]. The root CA certificate now displays under the previously created certificate container.

### Generate a CSR for the System/Host API connection pair

Perform the following steps to generate a CSR for the System/Host API connection pair.

1. Go to Administration > Configuration > Network Options.
2. In the Network Options dialog, go to the TLS/SSL Settings tab.
3. Under the System/Host API connection pair, uncheck the Use Futurex Certificates checkbox and select [Edit] next to PKI Keys in the User Certificates section.
4. In the Application Public Keys window, select [Generate].
5. When the "SSL will not be functional until new certificates are imported" warning displays, select [Yes] to continue. Take the warning literally: any client already using TLS on the Host API port loses connectivity from this point until the signed certificates are loaded in the "Load the exported certificates" procedure, so schedule this work accordingly.
6. In the PKI Parameters window, leave the default settings and select [OK].
7. When the Application Public Keys dialog shows that a PKI key pair is loaded, select [Request].
8. On the Subject DN tab, set a common name for the certificate, such as KMES.
9. On the V3 Extensions tab, select the TLS Server Certificate profile.
10. On the PKCS #10 Info tab, select a save location for the CSR and select [OK].
11. When the Save Successful message displays, select [OK].
12. Select [OK] again to save the Application Public Keys settings. The main Network Options dialog now shows Loaded next to PKI Keys for the System/Host API connection pair.

### Sign the System/Host API CSR

1. Go to the PKI > Certificate Authorities menu.
2. Right-click the System TLS CA Root certificate created previously and select Add Certificate > From Request.
3. In the file browser, select the CSR generated for the System/Host API connection pair. After it loads, you don't need to modify any certificate settings.
4. Select [OK]. The signed System/Host API TLS certificate should now show under the TLS root CA certificate on the Certificate Authorities page.

### Export the TLS root CA certificate

1. Go to the PKI > Certificate Authorities menu.
2. Right-click the System TLS CA Root certificate and select Export > Certificate(s).
3. In the Export Certificate window, select the PEM encoding and select [Browse].
4. In the file browser, navigate to the location where you want to save the TLS root CA certificate, specify a name for the file, and select [Open].
5. Select [OK]. A message box says that the PEM file was successfully written to the location that you specified.

### Export the signed System/Host API TLS certificate

1. Go to the PKI > Certificate Authorities menu.
2. Right-click the KMES certificate and select Export > Certificate(s).
3. In the Export Certificate dialog, select the PEM encoding and select [Browse].
4. In the file browser, navigate to the location where you want to save the signed System/Host API TLS certificate, specify a name for the file, and select [Open].
5. Select [OK]. A message box says that the PEM file was successfully written to the location that you specified.

### Load the exported certificates

Perform the following steps to load the exported TLS certificates into the System/Host API connection pair.

1. Go to Administration > Configuration > Network Options.
2. In the Network Options dialog, go to the TLS/SSL Settings tab.
3. Select [Edit] next to Certificates in the User Certificates section.
4. Right-click the System/Host API SSL CA X.509 Certificate Container and select [Import].
5. Select [Add] at the bottom of the Import Certificates window.
6. In the file browser, select the TLS root CA certificate and the signed System/Host API TLS certificate, and select [Open]. The certificate chain appears in the Verified section.
7. Select [OK] to save the changes. In the Network Options window, the System/Host API connection pair now shows Signed Loaded next to Certificates in the User Certificates section.
8. Select [OK] to save and exit the Network Options window.

### Generate a private key and CSR for the fxpkcs11 library

Run the following commands from a terminal with OpenSSL to generate a TLS private key and certificate signing request (CSR) for the Futurex PKCS #11 library.

1. Generate a TLS private key for the fxpkcs11 library:

   ```
   $ openssl genrsa -out fxpkcs11_tls_privatekey.pem 2048
   ```

2. Generate a CSR for the fxpkcs11 library:

   ```
   $ openssl req -new -key fxpkcs11_tls_privatekey.pem -out fxpkcs11_tls_cert_req.pem
   ```

   The command prompts you to enter certificate information. Do not pass `-days` here: that option only applies when OpenSSL issues a self-signed certificate (`-x509`), and the validity period of this certificate is set by the {{k}} when it signs the request.

3. The CSR is written to a file named `fxpkcs11_tls_cert_req.pem` in the directory where you ran the command.
4. Move or copy the CSR file to the storage medium configured on the {{k}}.

Only the CSR leaves the Apache host. The private key in `fxpkcs11_tls_privatekey.pem` stays there, and its file permissions should allow reads only by the account under which Apache (and therefore the fxpkcs11 library) runs.

### Sign the fxpkcs11 CSR

1. Go to the PKI > Certificate Authorities menu.
2. Right-click the System TLS CA Root certificate and select Add Certificate > From Request.
3. In the file browser, locate and select the fxpkcs11 CSR. Certificate information populates in the Create X.509 From CSR window.
4. On the Subject DN tab, change the Preset drop-down to Classic and set a common name for the certificate, such as fxpkcs11.
5. On the Basic Info tab, leave all settings set to the default values.
6. On the V3 Extensions tab, select the TLS Client Certificate profile, and then select [OK]. The signed fxpkcs11 certificate now displays in the list under the TLS root certificate.

### Export the signed fxpkcs11 certificate

1. Go to the PKI > Certificate Authorities menu.
2. Right-click the fxpkcs11 certificate and select Export > Certificate(s).
3. In the Export Certificate dialog, select the PEM encoding and select [Browse].
4. In the file browser, go to the location where you want to save the fxpkcs11 TLS certificate, specify a name for the file, and select [Open].
5. Select [OK]. A message box says that the PEM file was successfully written to the location that you specified.

Move both the signed fxpkcs11 TLS certificate and the TLS root CA certificate to the computer that hosts the Apache HTTP Server instance. The next section shows how to configure and use them for TLS communication with the {{k3}}.
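As an added example (not Futurex's code and not part of the original page), the following POSIX shell script carries the OpenSSL steps above through non-interactively and then performs the checks worth running on the two PEM files exported from the {{k}} before the next section hands them to Apache: that the signed fxpkcs11 certificate chains to the exported root CA certificate, that its public key matches the private key generated on the Apache host, and that it carries the TLS client authentication extended key usage. Because the real signing happens in the {{k}} interface, the script builds a throwaway self-signed root (`make_stand_in_ca`) and signs the CSR with it (`sign_csr_as_client_cert`) so the whole flow runs offline. The function names, the `/CN=fxpkcs11` subject, the file names, and the assumption that the TLS Client Certificate profile yields a clientAuth extended key usage are this example's own.

```shell
#!/bin/sh
# Added example, not Futurex documentation code. Generates the fxpkcs11 TLS key
# and CSR non-interactively, then verifies the certificate that comes back from
# the CA before it is handed to Apache. make_stand_in_ca and
# sign_csr_as_client_cert replace the KMES UI signing steps so that the script
# runs offline (an assumption of this example, not the real procedure).
set -eu

# Step 1: what the page has you run on the Apache host. The private key never
# leaves this directory; only the CSR is copied to the KMES storage medium.
gen_fxpkcs11_key_and_csr() {
    dir="$1"
    openssl genrsa -out "$dir/fxpkcs11_tls_privatekey.pem" 2048 2>/dev/null
    chmod 600 "$dir/fxpkcs11_tls_privatekey.pem"   # only the Apache account should read it
    # -subj replaces the interactive prompts; no -days, the signing CA sets validity.
    openssl req -new -key "$dir/fxpkcs11_tls_privatekey.pem" \
        -subj "/CN=fxpkcs11" -out "$dir/fxpkcs11_tls_cert_req.pem"
}

# Stand-in for the "System TLS CA Root" created in the KMES (assumption).
make_stand_in_ca() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=System TLS CA Root" \
        -keyout "$dir/root_key.pem" -out "$dir/tls_root_ca.pem" 2>/dev/null
}

# Stand-in for "Add Certificate > From Request" with the TLS Client Certificate
# profile; assumes that profile yields a clientAuth extended key usage.
sign_csr_as_client_cert() {
    dir="$1"
    printf 'keyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' >"$dir/client.ext"
    openssl x509 -req -in "$dir/fxpkcs11_tls_cert_req.pem" \
        -CA "$dir/tls_root_ca.pem" -CAkey "$dir/root_key.pem" -CAcreateserial \
        -days 365 -extfile "$dir/client.ext" -out "$dir/fxpkcs11_tls_cert.pem" 2>/dev/null
}

# Step 2: checks to run on the two PEM files exported from the KMES. Returns 0
# only if the certificate chains to the exported root, its public key matches
# the private key generated above, and it carries the TLS client EKU.
verify_fxpkcs11_cert() {
    dir="$1"
    openssl verify -CAfile "$dir/tls_root_ca.pem" "$dir/fxpkcs11_tls_cert.pem" >/dev/null 2>&1 || return 1
    key_pub=$(openssl pkey -in "$dir/fxpkcs11_tls_privatekey.pem" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$dir/fxpkcs11_tls_cert.pem" -pubkey -noout)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ] || return 1
    openssl x509 -in "$dir/fxpkcs11_tls_cert.pem" -noout -text \
        | grep -q 'TLS Web Client Authentication' || return 1
    return 0
}

# Runs the whole flow in one scratch directory and reports the outcome.
run_demo() {
    dir="${1:-$(mktemp -d)}"
    gen_fxpkcs11_key_and_csr "$dir"
    make_stand_in_ca "$dir"
    sign_csr_as_client_cert "$dir"
    if verify_fxpkcs11_cert "$dir"; then
        echo "fxpkcs11 certificate passed all checks in $dir"
    else
        echo "fxpkcs11 certificate FAILED checks in $dir" >&2
        return 1
    fi
}
```

Against a real {{k}}, skip `make_stand_in_ca` and `sign_csr_as_client_cert`: run `gen_fxpkcs11_key_and_csr` on the Apache host, have the {{k}} sign the CSR as described above, copy the exported root and fxpkcs11 certificates into the same directory under the names the script uses, and run `verify_fxpkcs11_cert` on that directory. A failure of the chain check usually means the wrong root was exported; a failure of the key check means the certificate was issued from a different CSR than the one generated on this host.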