Configure certificates for TLS authentication between Zettaset and the KMES

Before PKCS #11 and KMIP connections can occur between Zettaset XCrypt Full Disk and the KMES, both parties must establish a mutual trust relationship by validating their respective digitally signed certificates.

Generate a private key pair and certificate for Zettaset

Use one of the following methods to generate and sign the Zettaset TLS client certificate:

- Use an external CA
- Use the KMES as the CA

Method 1: Use an external CA

For this method, import the external CA certificates into an empty certificate container on the KMES. Then, generate a certificate signing request (CSR), which the external CA uses to issue a TLS certificate for the Zettaset instance. Then, import the issued certificate into the certificate container on the KMES that contains the external CA certificate.

1. Go to PKI > Certificate Authorities and select [ Add CA ] at the bottom of the page.
2. Specify a name for the certificate container, such as Externally Issued, then select [ OK ]. The new certificate container displays in the Certificate Authorities menu.
3. Right-click the Externally Issued certificate container and select Import > Certificate(s).
4. In the Import Certificates window, select [ Add ] at the lower left corner of the window, and find and select the external CA certificates that should issue the Zettaset TLS client certificate. The CA certificates populate in the Verified section of the Import Certificates window.
5. Select [ OK ] to save. The external CA certificates now display in tree form under the Externally Issued certificate container.

Next, create a placeholder TLS client certificate from which you can generate a CSR.

1. Right-click the lowest-level CA certificate in the tree and select Add Certificate > Pending.
2. In the Subject DN tab of the Create X.509 Certificate window, set a Common Name for the certificate, such as Zettaset. Leave all other fields set to the default values and select [ OK ]. The Zettaset placeholder certificate now displays under the external CA certificates.
3. Right-click the placeholder Zettaset certificate and select Export > Signing Request.
4. In the Create PKCS #10 Request window, leave all settings in the Subject DN tab set to the default values.
5. In the V3 Extensions tab, select the TLS Client Certificate profile.
6. In the PKCS #10 Info tab, specify a save location for the CSR and select [ OK ]. A message states that the certificate signing request was successfully written to the location you specified.
7. Take the CSR file to an external certificate authority. The external CA uses the CSR to issue a TLS certificate.
8. After the external CA issues the signed certificate, copy the certificate to the storage medium configured on the KMES.
9. In the PKI > Certificate Authorities menu on the KMES, right-click the placeholder Zettaset certificate and select Replace > With Signed Certificate.
10. In the Import Certificates window, select [ Add ] in the lower left corner of the window, and find and select the externally signed TLS certificate. The certificate populates under the CA certificates in the Verified section.
11. Select [ OK ] to save.

The remaining steps in this section involve exporting the Zettaset certificate as a PKCS #12 file. Before proceeding, perform the following steps:

1. Enable a configuration option in the Administration > Configuration > Options menu.
2. Select the Allow export of certificates using passwords checkbox next to the second menu option.
3. Select [ Save ].
4. Right-click the Zettaset certificate and select Export > PKCS12.
5. In the Export PKCS12 window, set a password for the PKCS #12 file, set Export Options to Export Selected Certificate with Parents, and select [ Next ].
6. In the file browser, specify a name for the file, select a save location, and select [ Open ].

The PKCS #12 file contains the signed Zettaset certificate, its associated private key, and the CA certificate(s), all encrypted under the password set for the file. Copy this file to the machine where the Zettaset XCrypt Full Disk is running.

Method 2: Use the KMES as the CA

Perform the following steps to use the KMES as the CA:

1. Go to PKI > Certificate Authorities, and select [ Add CA ] at the bottom of the page.
2. Specify a name for the certificate container, such as KMES Issued, and select [ OK ]. The new certificate container displays in the Certificate Authorities menu.
3. Right-click the newly created KMES Issued certificate container and select Add Certificate > New Certificate.
4. In the Subject DN tab, select the Classic preset and set a Common Name for the certificate, such as Root.
5. In the Basic Info tab, change the key size to 4096. Leave all other settings at their default values.
6. In the V3 Extensions tab, select the Certificate Authority profile and select [ OK ]. The root CA certificate now displays inside the KMES Issued certificate container.
7. Right-click the root CA certificate you just created and select Add Certificate > New Certificate.
8. In the Subject DN tab, set a Common Name for the certificate, such as Zettaset.
9. In the Basic Info tab, leave all values set to the defaults.
10. In the V3 Extensions tab, change the profile to TLS Client Certificate and select [ OK ] to finish generating the certificate.

The remaining steps in this section involve exporting the Zettaset certificate as a PKCS #12 file.

1. To be able to do this, enable a configuration option in the Administration > Configuration > Options menu.
2. Then, select the Allow export of certificates using passwords checkbox next to the second menu option.
3. Then, select [ Save ].
4. Right-click the Zettaset certificate and select Export > PKCS12.
5. In the Export PKCS12 window, set a password for the PKCS #12 file, set Export Options to Export Selected Certificate with Parents, and select [ Next ].
6. In the file browser, specify a name for the file, select a save location, and select [ Open ].

The PKCS #12 file contains the signed Zettaset certificate, its associated private key, and the CA certificates, all encrypted under the password set for the file. Copy it to the machine where the Zettaset XCrypt Full Disk is running.

Configure TLS server certificate

Perform the following tasks to configure a TLS server certificate for the System/Host API connection pair.

Generate a key pair and CSR

Perform the following steps to generate a new private key pair and CSR for the System/Host API connection pair:

1. Go to Administration > Configuration > Network Options > TLS/SSL Settings.
2. Use the Connection drop-down menu and select the System/Host API connection pair.
3. In the User Certificates section, uncheck Use Futurex certificates and select [ Edit ] next to PKI Keys.
4. In the Application Public Keys window, select [ Generate ].
5. In the PKI Parameters window, leave the default settings and select [ OK ]. The Application Public Keys window now shows that the PKI key pair is loaded.
6. Select [ Request ].
7. In the Subject DN tab of the Create PKCS #10 Request window, change the Common Name value to the KMES IP address or hostname.
8. In the V3 Extensions tab, set the profile to TLS Server Certificate.
9. In the PKCS #10 Info tab, specify a save location and name for the CSR file, and select [ OK ]. A message box states that the certificate signing request was successfully written to the specified location.
10. Select [ OK ].
11. Select [ OK ] in the Application Public Keys window and select [ OK ] in the main Network Options window.

Issue a certificate

Perform the following steps to issue a certificate from the System/Host API connection pair CSR:

1. Go to PKI > Certificate Authorities, right-click the root CA certificate that issued the Zettaset TLS certificate, and select Add Certificate > From Request.
2. In the file browser, find and select the System/Host API connection pair CSR. Certificate information populates in the Create X.509 From CSR window.
3. Leave all settings exactly as they are and select [ OK ] to save. The signed System/Host API server certificate now displays under the root CA certificate that issued it.

Export the root CA and certificates

Perform the following steps to export the root CA and System/Host API certificates as PEM files:

1. Right-click the root CA certificate and the signed System/Host API connection pair certificate and select Export > Certificate(s).
2. In the Export Certificate window for each, change the encoding to PEM and specify a save location for the file.

In addition to configuring the root CA certificate for the System/Host API connection pair, you must copy the root CA certificate to the machine where the Zettaset XCrypt Full Disk is running.

Import the certificate

Perform the following steps to import the signed System/Host API connection pair certificate:

1. Go to Administration > Configuration > Network Options > TLS/SSL Settings.
2. In the Connection drop-down menu, select the System/Host API connection pair.
3. Select [ Edit ] next to Certificates in the User Certificates section.
4. In the Certificate Authority window, right-click the System/Host API SSL CA X.509 certificate container and select Import.
5. Select [ Add ] at the bottom of the Import Certificates window.
6. In the file browser, select both the root CA certificate and the signed System/Host API server certificate, then select [ Open ]. The certificates now display in the Verified section of the Import Certificates window.
7. Select [ OK ] to save. It now says Signed loaded next to Certificates in the User Certificates section of the System/Host API connection pair.
8. Select [ OK ] again to save.

Configure TLS server certificate

Perform the following tasks to configure a TLS server certificate for the KMIP server connection pair.

Generate a key pair and CSR

Perform the following steps to generate a new private key pair and CSR for the KMIP connection pair:

1. Go to Administration > Configuration > Network Options > TLS/SSL Settings.
2. Using the Connection drop-down menu, select the KMIP connection pair.
3. Enable the KMIP connection pair if it is not already enabled.
4. Uncheck Use System/Host API SSL Parameters if it is selected.
5. In the User Certificates section, uncheck Use Futurex certificates, and select [ Edit ] next to PKI Keys.
6. In the Application Public Keys window, select [ Generate ] to create a new PKI key pair.
7. In the PKI Parameters window, leave the default settings and select [ OK ]. The Application Public Keys window now shows that the PKI key pair is loaded.
8. Select [ Request ].
9. In the Subject DN tab of the Create PKCS #10 Request window, change the Common Name value to the KMES IP address or hostname.
10. In the V3 Extensions tab, set the profile to TLS Server Certificate.
11. In the PKCS #10 Info tab, specify a save location and name for the CSR file and select [ OK ]. A message states that the certificate signing request was successfully written to the specified location.
12. Select [ OK ].
13. Select [ OK ] in the Application Public Keys window, and select [ OK ] in the main Network Options window.

Issue a certificate

Perform the following steps to issue a certificate for the KMIP connection pair CSR:

1. Go to PKI > Certificate Authorities, right-click the root CA certificate that issued the Zettaset TLS certificate, and select Add Certificate > From Request.
2. In the file browser, find and select the KMIP connection pair CSR. Certificate information populates in the Create X.509 From CSR window.
3. Leave all settings exactly as they are and select [ OK ] to save. The signed KMIP server certificate now displays under the root CA certificate that issued it.

Export the root CA and KMIP certificates

Perform the following steps to export the root CA and KMIP certificates as PEM files:

1. Right-click the root CA certificate and the signed KMIP connection pair certificate and select Export > Certificate(s).
2. In the Export Certificate window for each, change the encoding to PEM, and specify a save location for the file.

Import the signed certificate

Perform the following steps to import the signed KMIP connection pair certificate:

1. Go to Administration > Configuration > Network Options > TLS/SSL Settings.
2. In the Connection drop-down menu, select the KMIP connection pair.
3. Select [ Edit ] next to Certificates in the User Certificates section.
4. In the Certificate Authority window, right-click the KMIP SSL CA X.509 certificate container and select Import.
5. Select [ Add ] at the bottom of the Import Certificates window.
6. In the file browser, select both the root CA certificate and the signed KMIP server certificate and select [ Open ]. The certificates now display in the Verified section of the Import Certificates window.
7. Select [ OK ] to save. You now see Signed loaded next to Certificates in the User Certificates section of the KMIP connection pair.
8. Select [ OK ] to save.
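
The following shell check is an added example, not part of the vendor documentation. Run on the Zettaset machine after the PKCS #12 file and the root CA PEM have been copied there, it confirms that the bundle opens with its password, that the client certificate chains to the root CA and is valid for TLS client authentication, and that the private key matches the certificate. It assumes the OpenSSL command-line tool is installed; the function names `check_p12` and `make_sample`, the `P12_PASS` environment variable and all file names are hypothetical.

```shell
#!/bin/sh
# Added example (not vendor code). The PKCS #12 password is read from the
# environment variable P12_PASS so it never appears on a command line.

# check_p12 P12_FILE ROOT_CA_PEM
# Returns 0 = all checks pass, 1 = bundle unreadable (wrong password or file),
#         2 = chain or client-auth purpose check failed, 3 = key/cert mismatch.
check_p12() {
    p12=$1; root=$2; rc=0
    work=$(mktemp -d) || return 1
    # Split the bundle into leaf certificate, parent CA certificates and key.
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -clcerts -nokeys -out "$work/leaf.pem" 2>/dev/null &&
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -cacerts -nokeys -out "$work/chain.pem" 2>/dev/null &&
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes -out "$work/key.pem" 2>/dev/null || rc=1
    if [ "$rc" -eq 0 ]; then
        # Leaf must chain to the given root and be usable as a TLS client certificate.
        openssl verify -purpose sslclient -CAfile "$root" -untrusted "$work/chain.pem" \
            "$work/leaf.pem" >/dev/null 2>&1 || rc=2
    fi
    if [ "$rc" -eq 0 ]; then
        # Public key derived from the private key must equal the one in the certificate.
        cert_pub=$(openssl x509 -in "$work/leaf.pem" -noout -pubkey 2>/dev/null) || cert_pub=
        key_pub=$(openssl pkey -in "$work/key.pem" -pubout 2>/dev/null) || key_pub=
        if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then rc=3; fi
    fi
    rm -rf "$work"    # removes the temporarily decrypted private key
    return "$rc"
}

# make_sample DIR
# Constructed sample data only: a throwaway root CA, a client certificate and a
# PKCS #12 bundle (DIR/zettaset.p12, DIR/ca.pem) protected with P12_PASS.
make_sample() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > "$d/ca.ext"
    printf 'extendedKeyUsage=clientAuth\n' > "$d/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.csr" -subj "/CN=Root" 2>/dev/null &&
    openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -extfile "$d/ca.ext" -days 2 -out "$d/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" -subj "/CN=Zettaset" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -extfile "$d/leaf.ext" -days 2 -out "$d/leaf.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$d/leaf.key" -in "$d/leaf.pem" -certfile "$d/ca.pem" \
        -passout env:P12_PASS -out "$d/zettaset.p12"
}

# Usage on real files: export P12_PASS, then: check_p12 zettaset.p12 root_ca.pem
```

A return code of 2 against the exported root CA PEM means the bundle was issued under a different CA or without the client-authentication profile, so check it before configuring the client.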