Configure authentication and permissions for Zettaset on the KMES Series 3
This section shows how to create a role and identity on the KMES Series 3 to enable Zettaset to authenticate with the KMES and perform any actions Zettaset's XCrypt Full Disk product requires for integration.
This configuration uses separate authentication mechanisms for PKCS #11 and KMIP connections. PKCS #11 authenticates with a password, and KMIP authentication occurs through a newly created TLS identity provider.
Although PKCS #11 and KMIP use separate authentication mechanisms, they use the same client certificate to establish a TLS connection.
This process adds a PKI identity provider and configures it with the TLS authentication mechanism. This enables Zettaset to authenticate to the KMES Series 3 through the client certificate it uses to establish the TLS connection.
Go to Identity Management > Identity Providers.
Right-click anywhere in the window and select Add > Provider > PKI.
In the Info tab of the Identity Provider Editor window, specify a name for the identity provider and uncheck Enforce Dual Factor.
In the PKI Options tab, press [ Select ].
In the Certificate Selector window, expand the certificate tree you created, select the CA certificate that signed the Zettaset and KMIP connection pair certificates, and select [ OK ].
Select [ OK ] to finish creating the PKI identity provider.
Right-click on the PKI identity provider you just created and select Add > Mechanism > TLS.
In the Info tab, specify a name for the authentication mechanism.
In the PKI tab, leave all fields set to the default values.
Select [ OK ] to save.
You must create a new role and identity on the KMES Series 3 to grant Zettaset the permissions and functionality it requires. The name of the identity must match the Common Name of the Zettaset TLS client certificate.
Log in to the application interface with the default Admin identities.
Go to Identity Management > Roles, and select [ Add ].
In the Info tab of the Role Editor window, set the Type to Application, the name to Zettaset, and the Logins Required to 1.
In the Permissions tab, select the following permissions:
Permission                 Subpermissions
Certificate Authority      Add, Export, Modify, Upload
Cryptographic Operations   Sign, Verify, Encrypt, Decrypt, Wrap, Unwrap, Derive
Keys                       Add, Export, Modify
In the Advanced tab, set Allowed Ports to Host API and KMIP.
Select [ OK ] to finish creating the role.
This section creates an identity and assigns it to the Zettaset role, the password authentication mechanism, and the TLS authentication mechanism.
For TLS Authentication to work, the identity name must match the Common Name of the Zettaset client certificate.
Go to Identity Management > Identities, right-click in the window and select Add > Client Application.
On the Info tab of the Identity Editor window, select Application for the storage location, and specify a name for the identity matching the Common Name of the Zettaset TLS client certificate.
Under Assigned Roles, select the role you created for Zettaset.
Under Authentication, remove the default API Key mechanism.
Select [ Add ] to add a new credential.
In the Configure Credential window, select Password in the Type drop-down menu, Local Application in the Provider drop-down menu, and Password in the Mechanism drop-down menu.
Select [ OK ] to finish configuring the credential.
Select [ Add ] again to add another credential.
In the Configure Credential window, select TLS Certificate in the Type drop-down menu, and select the Provider and Mechanism you created for this integration.
Select [ OK ] to finish configuring the credential.
Select [ OK ] to finish creating the identity.
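Before saving the identity, the two requirements above (the identity name equals the Common Name of the Zettaset client certificate, and that certificate is signed by the CA selected for the PKI identity provider) can be checked offline with OpenSSL. This is an added example, not Futurex or Zettaset code; the CA, the client certificate and the name zettaset-node1 are constructed here for illustration.

```shell
#!/bin/sh
# Pre-flight check for the KMES identity setup: the identity name must
# equal the client certificate's CN, and the certificate must chain to
# the CA chosen in the PKI identity provider. Added example; the PKI
# below is constructed on the fly and is not the integration's own.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Constructed sample PKI: a CA and a client certificate it signs.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
  -subj "/CN=Zettaset Integration CA" -keyout ca.key -out ca.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=zettaset-node1" -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 30 -sha256 -out client.pem 2>/dev/null

# Print the CN from a certificate's subject (RFC 2253 form, no spaces).
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*$/\1/p'
}

# Return 0 when the identity name matches the CN and the client cert
# chains to the selected CA; otherwise print the reason and return 1.
check_identity() {   # usage: check_identity <identity-name> <client-cert> <ca-cert>
  cn=$(cert_cn "$2")
  if [ "$cn" != "$1" ]; then
    echo "identity '$1' does not match certificate CN '$cn'"; return 1
  fi
  if ! openssl verify -CAfile "$3" "$2" >/dev/null 2>&1; then
    echo "certificate $2 is not signed by CA $3"; return 1
  fi
  echo "ok: identity '$1' matches CN and chains to CA"
}

check_identity zettaset-node1 client.pem ca.pem
```

Run it with the real client certificate and the CA exported from the KMES in place of the constructed files; a mismatch reports which of the two requirements fails.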
Go to Identity Management > Identity Providers.
Right-click the PKI identity provider you created for this integration and select [ Permission ].
Set the Use permission for the Zettaset role and select [ OK ] to save.
Go to PKI > Certificate Authorities.
Right-click the certificate container you created for TLS authentication and select [ Permission ].
Set the Use permission for the Zettaset role and select [ OK ] to save.