Configure authentication and permissions for Zettaset on the KMES Series 3

this section shows how to create a role and identity on the {{k3}} to enable zettaset to authenticate with the {{k}} and perform any actions zettaset's xcrypt full disk product requires for integration this configuration uses separate authentication mechanisms for pkcs #11 and kmip connections {{futurex}} pkcs #11 authenticates with a password and kmip authentication occurs through a newly created tls identity provider although pkcs #11 and kmip use separate authentication mechanisms, they use the same client certificate to establish a tls connection add a pki ip this process adds a pki identity provider (ip) and configures it with the tls authentication mechanism this action enables zettaset to authenticate to the {{k3}} through the client certificate it uses to establish the tls connection go to identity management > identity providers right click anywhere in the window and select add > provider > pki in the info tab of the identity provider editor window, specify a name for the ip and uncheck enforce dual factor in the pki options tab, press \[ select ] in the certificate selector window, expand the certificate tree you created, select the ca certificate that signed the zettaset and kmip connection pair certificates, and select \[ ok ] select \[ ok ] to finish creating the pki ip right click on the pki ip you just created and select add > mechanism > tls in the info tab, specify a name for the authentication mechanism in the pki tab, leave all fields set to the default values select \[ ok ] to save create a role and identity you must create a new role and identity on the {{k3}} to grant zettaset the permissions and functionality it requires the name of the identity must match the common name of the zettaset tls client certificate create a role perform the following steps to create a role log in to the {{k}} application interface with the default admin identities go to identity management > roles , and select \[ add ] in the info tab of the role editor window, set the type to application , the name to zettaset , and the logins required to 1 in the permissions tab, select the following permissions permission subpermission certificate authority add, export, modify, upload cryptographic operations sign, verify, encrypt, decrypt, wrap, unwrap, derive keys add, export, modify in the advanced tab, set allowed ports to host api and kmip select \[ ok ] to finish creating the role create an identity perform the following steps to create an identity and assign it to the zettaset role, the password authentication mechanism, and the tls authentication mechanism for tls authentication to work, the identity name must match the common name of the zettaset client certificate go to identity management > identities , right click in the window, and select add > client application on the info tab of the identity editor window, select application for the storage location, and specify a name for the identity matching the common name of the zettaset tls client certificate under assigned roles , select the role you created for zettaset under authentication , remove the default api key mechanism select \[ add ] to add a new credential in the configure credential window, select password in the type drop down menu, local application in the provider drop down menu, and password in the mechanism drop down menu select \[ ok ] to finish configuring the credential select \[ add ] again to add and configure another credential in the configure credential window, select tls certificate in the type drop down menu and select the provider and mechanism you created for this integration select \[ ok ] to finish select \[ ok ] to finish creating the identity grant the role permission perform the following steps to grant the zettaset role the use permission on the pki identity provider and certificate container go to identity management > identity providers right click the pki identity provider you created for this integration and select \[ permission ] set the use permission for the zettaset role and select \[ ok ] to save go to pki > certificate authorities right click the certificate container you created for tls authentication and select \[ permission ] set the use permission for the zettaset role and select \[ ok ] to save