Configure KMES Series 3

before kmip connections can occur, the mongodb instance and {{k3}} must establish a mutual trust relationship by validating their respective digitally signed certificates the following sections outline how to generate tls certificates for mongodb and the kmip server connection pair on the {{k3}} in addition to securing tls communication, mongodb also uses certificates to authenticate to the {{k}} , and you create a role and identity on the {{k}} to give mongodb the permissions it needs to generate the master key and use it for encryption operations configure tls communication perform the following tasks to configure tls communication between the {{k3}} and the mongodb generate and sign a mongodb certificate configure tls certificates for the kmip server connection pair the following sections describe how to perform these tasks generate and sign the certificate perform one of the following optional methods to generate and sign the mongodb client certificate use an external ca use the {{k3}} as the ca method 1 use an external ca for this method, you must import the external ca certificates into an empty certificate container on the {{k}} then, generate a certificate signing request (csr), which the external ca uses to issue a tls certificate for the mongodb instance finally, import the certificate into the certificate container on the {{k}} that contains the external ca certificate go to pki > certificate authorities and select \[ add ca ] at the bottom of the page specify a name for the certificate container, such as externally issued , and select \[ ok ] the new certificate container displays in the certificate authorities menu right click the certificate container and select import > certificate(s) in the import certificates window, select \[ add ] and select the external ca certificates that issue the mongodb tls certificate the ca certificates display in the verified section of the import certificates window select \[ ok ] to save the external ca certificates now display in tree form under the externally issued certificate container to create a placeholder code signing certificate, from which you can generate a csr, right click the lowest level ca certificate in the tree and select add certificate > pending on the subject dn tab of the create x 509 certificate window, set a common name for the certificate, such as mongodb leave all other fields set to the default values and select \[ ok ] the mongodb placeholder certificate now displays under the external ca certificate(s) right click the placeholder mongodb certificate and select export > signing request on the subject dn tab of the create pkcs #10 request window, leave all fields set to the default values on the v3 extensions tab, select the tls client certificate profile on the pkcs #10 info tab, specify a save location for the csr and select \[ ok ] a message box states that the certificate signing request was successfully written to the location you specified send the csr file to an external certificate authority after the external ca uses the csr to issue a tls certificate, copy the certificate to the storage medium configured on the {{k}} in the pki > certificate authorities menu on the {{k}} , right click the placeholder mongodb certificate and select replace > with signed certificate in the import certificates window, select \[ add ] and select the externally signed tls certificate the certificate displays under the ca certificates in the verified section select \[ ok ] to save to enable exporting the mongodb certificate as a pkcs #12 file, go to administration > configuration > options and select the checkbox next to the menu option allow export of certificates using passwords then select \[ save ] right click the mongodb certificate and select export > pkcs12 in the export pkcs12 window, set a password for the pkcs #12 file and set export options to export selected certificate , then select \[ next ] in the file browser, specify a name for the file, select a save location, and select \[ open ] copy the pkcs #12 file (which contains the signed mongodb certificate and its associated private key, encrypted under the password set for the file) and the external ca certificate chain that signed it to the mongodb server method 2 use the {{k3}} as the ca perform the following steps to use the {{k3}} as the ca go to pki > certificate authorities and select \[ add ca] at the bottom of the page specify a name for the certificate container, such as kmes issued , and select \[ ok ] the new certificate container displays in the certificate authorities menu right click the newly created certificate container and select add certificate > new certificate on the subject dn tab, select the classic preset and set a common name for the certificate, such as root on the basic info tab, leave all fields set to the default values on the v3 extensions tab, select the certificate authority profile and select \[ ok ] the root ca certificate now displays in the kmes issued certificate container right click the root ca certificate you just created and select add certificate > new certificate on the subject dn tab, set a common name for the certificate, such as mongodb on the basic info tab, leave all fields set to the default values on the v3 extensions tab, change the profile to tls client certificate and select \[ ok ] to finish generating the certificate to enable exporting the mongodb certificate as a pkcs #12 file, go to administration > configuration > options and select the checkbox next to the menu option allow export of certificates using passwords then, select \[ save ] right click the mongodb certificate and select export > pkcs12 in the export pkcs12 window, set a password for the pkcs #12 file, set export options to export selected certificate , and select \[ next ] in the file browser, specify a name for the file, select a save location, and select \[ open ] copy the pkcs #12 file (which contains the signed mongodb certificate and its associated private key, encrypted under the password set for the file) and the external ca certificate chain that signed it to the mongodb server configure tls certificates to configure tls certificates for the kmip server connection pair, perform the following tasks, as shown in the following sections generate a new pki key pair and csr issue a certificate from the kmip connection pair csr export the root ca and kmip certificates as pem files import the signed kmip connection pair certificate generate a key pair and csr perform the following steps to generate a new pki key pair and csr for the kmip connection pair go to administration > configuration > network options and go to the tls/ssl settings tab select the connection drop down option and select the kmip connection pair enable the kmip connection pair if it is not already enabled uncheck use system/host api ssl parameters if it is selected in the user certificates section, uncheck use futurex certificates if it is selected and select \[ edit ] next to pki keys in the application public keys window, select \[ generate ] in the pki parameters window, leave all fields set to the defaults and select \[ ok ] the application public keys window now shows that a pki key pair is loaded select \[ request ] on the subject dn tab of the create pkcs #10 request window, change the common name value to the ip address of the kmes on the v3 extensions tab, set the profile to tls server certificate on the pkcs #10 info tab, specify a save location and name for the csr file and select \[ ok ] when prompted that the certificate signing request was successfully written to the specified location, select \[ ok ] select \[ ok ] in the application public keys window, then select \[ ok ] in the main network options window issue a certificate perform the following steps to issue a certificate from the kmip connection pair csr go to pki > certificate authorities right click the root ca certificate that issued the mongodb tls certificate and select add certificate > from request in the file browser, select the kmip connection pair csr certificate information should populate in the create x 509 from csr window leave all settings exactly as they are and select \[ ok ] to save the signed kmip server certificate now displays under the root ca certificate that issued it export the root ca and kmip certificates perform the following steps to export both the root ca certificate and the signed kmip connection pair certificate as pem files right click the certificate and select export > certificate(s) in the export certificate window for each, change the encoding to pem , then specify a save location for the file you must copy the root ca certificate to the machine that is running mongodb import the certificate perform the following steps to import the signed kmip connection pair certificate go to administration > configuration > network options and select the tls/ssl settings tab select the connection drop down option and select the kmip connection pair select \[ edit ] next to certificates in the user certificate section in the certificate authority window, right click the kmip ssl ca x 509 certificate container and select \[ import ] select \[ add ] at the bottom of the import certificates window in the file browser, select both the root ca certificate and the signed kmip server certificate and select \[ open ] the certificates should now display in the verified section of the import certificates window select \[ ok ] to save it now shows signed loaded next to certificates in the user certificates section for the kmip connection pair select \[ ok ] to save configure general {{k}} settings perform the following tasks to configure the {{k3}} for communication with mongodb add a pki identity provider create a mongodb role and identity with the required permissions grant the mongodb role the use permission the following sections show you how to complete these tasks add a pki identity provider perform the following steps to create a new pki identity provider, assign it a tls authentication mechanism, and add it to an identity as a credential this enables mongodb to authenticate with the {{k}} by using its tls certificate go to identity management > identity providers right click anywhere in the window and select add > provider > pki on the info tab of the identity provider editor window, specify a name for the identity provider and uncheck the enforce dual factor checkbox on the pki options tab, select \[ select ] to open the certificate selector window expand the certificate tree you created, select the ca certificate that signed the mongodb and kmip connection pair certificates, and select \[ ok ] select \[ ok ] to finish creating the pki identity provider right click the identity provider you just created and select add > mechanism > tls on the info tab, specify a name for the authentication mechanism on the pki tab, leave all fields set to the default values select \[ ok ] to save create a role and identity perform the following steps to create a new role and identity for mongodb with the required permissions on the {{k3}} , which mongodb uses for authentication during kmip connections the name of this identity must match exactly what you set later as the common name for the signed mongodb certificate the {{k3}} uses the role an didentity to authenticate the mongodb device connecting through kmip create a role perform the following steps to create a role log in to the {{k3}} application interface with the default admin identities go to identity management > roles and select \[ add ] on the info tab of the role editor window, set the type to application , set a name for the role, such as mongodb , and set the logins required to 1 on the permissions tab, enable the following permissions permissions subpermissions cryptographic operations sign, verify, encrypt, decrypt keys add, export on the advanced tab, set the allowed ports to kmip only select \[ ok ] to finish creating the role create an identity perform the following steps to create an identity go to identity management > identities , right click anywhere in the window, and select add > client application on the info tab of the identity editor window, select application for the storage location and specify a name for the identity under assigned roles , select the role you created for mongodb under authentication , remove the default api key mechanism and select \[ add ] to add a new credential in the configure credential window, select tls certificate in the type drop down menu and select the provider and mechanism you created for this integration select \[ ok ] to finish configuring the credential grant the permissions grant the mongodb role use permissions on the pki identity provider and the certificate container go to identity management > identity providers right click the pki identity provider created for this integration and select \[ permission ] set the use permission for the mongodb role and select \[ ok ] to save go to pki > certificate authorities right click the certificate container created for this integration and select \[ permission ] set the use permission for the mongodb role and select \[ ok ] to save