Configure KMES key labels
Perform the following tasks to configure key labels on the .
If the key group has already been created, skip to the Set permissions section.
Go to Key Management > Keys and select [ Create ] under Key Groups.
Select Symmetric or Asymmetric as the Key type, and set HSM Trusted for the storage location. Then, select [ OK ].
Enter a name for the key group, and select [ OK ].
After you create a new key group, or select a pre-existing group, select [ Permissions ].
Give the user group the Use permission, and select [ OK ].
Select [ OK ] again to save and close the Key Group Editor.
To use key labels, you must make an authorized connection to the , by using one of the following methods:
- Log on to a Guardian by using the RKLG command in the Remote Host API.
- Set up a TLS connection to the Guardian using certificates whose Common Name is the name of an identity under the role that is authorized to access the correct keys through Key Labeling.
You can execute the RKLG command in the Remote Host API whenever you make a new connection to the Guardian. Issue the command with the following tokens:

| Token | Definition |
| --- | --- |
| DA | User Name |
| CH | Password |
Here is an example of the command using each token:
For more information on this command, refer to the Remote Host API technical reference guide.
When you use TLS as the authorized connection, the Guardian treats the connection between the host application and the Guardian as secure. It treats the connection as authorized only if the client presents a valid certificate whose Common Name is a valid user on the Guardian.
In the following steps, this certificate-based method replaces password authentication.
Ensure that the host application's connection in the Encryption Device Group for HSMs is set to SSL (under Settings).
The host application creates a CSR with the Common Name set to a valid user; the CSR is then signed by a Certificate Authority (CA).
If the CA is not already present on the Guardian that accepts the connection, import it on that Guardian device.
Under Administration > Configuration > Network Options > TLS/SSL Settings, choose the TLS setting defined for the connection on which the host application connects. If you are using the default, this is the Balancer setting.
Under Certificates, select [ Edit ].
Right-click a trusted CA entry that has nothing loaded, and select Import.
Import the CA from step 3 of this procedure.
Go to Identity Management > Identity Providers, right-click the background of the screen, and select Add > Provider > PKI.
In the Info tab, specify a name. If you are using a single user, uncheck Enforce Dual-Factor.
In the PKI Options tab, press [ Select ]. Choose the certificate for the CA imported in step 3, and select [ OK ].
Right-click the identity provider and select Add > Mechanism > PKI.
Set a name for the mechanism, and leave all other values set to the default values. Select [ OK ].
Go to Identity Management > Identities and remove the previously configured Password for the identity. Select [ Add ], set the Type to PKI Certificate, and then select [ OK ].
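The CSR and CA steps above, as an added example that is not part of the Futurex documentation or the Guardian's own code: a shell session that builds a lab CA (standing in for the CA imported under TLS/SSL Settings), generates the host application's key pair and a CSR whose Common Name is an identity name, signs it, and then performs the two checks the text describes the Guardian making (the certificate chains to the imported CA and its CN names an identity). The identity name hostapp-identity and the lab CA are constructed for this demo, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example (not Futurex code). Models the TLS authorized-connection rule:
# the client certificate must chain to the CA imported on the Guardian and its
# subject Common Name must equal the name of a Guardian identity.
# "hostapp-identity" and the lab CA below are constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Lab CA playing the role of the CA imported under TLS/SSL Settings > Certificates.
make_lab_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
    -subj "/CN=Lab Guardian CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Host application side: key pair plus a CSR with CN = identity name.
make_host_csr() {   # $1 = name of the Guardian identity to authenticate as
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$WORK/host.key" -out "$WORK/host.csr" 2>/dev/null
}

# CA side: sign the CSR (in production this is the organisation's CA, not a lab key).
sign_host_csr() {
  openssl x509 -req -in "$WORK/host.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -sha256 -out "$WORK/host.pem" 2>/dev/null
}

# Guardian-side check 1 (modelled): the leaf must chain to the imported CA.
chains_to_ca() { openssl verify -CAfile "$WORK/ca.pem" "$WORK/host.pem" >/dev/null 2>&1; }

# Guardian-side check 2 (modelled): extract the subject CN so it can be matched
# against the names under Identity Management > Identities.
cert_cn() {
  openssl x509 -in "$WORK/host.pem" -noout -subject -nameopt sep_multiline,utf8 |
    sed -n 's/^ *CN=//p'
}

demo() {
  make_lab_ca
  make_host_csr "hostapp-identity"
  sign_host_csr
  chains_to_ca || { echo "certificate does not chain to the imported CA" >&2; return 1; }
  echo "authorized as identity: $(cert_cn)"
}

demo
```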