Generic
Key Labeling
Configure KMES key labels
10min
Perform the following tasks to configure key labels on the {{k}}.

Create a key group

Perform the following steps to create a key group. If the key group has already been created, skip to the Set permissions section.

1. Go to Key Management > Keys and select [Create] under Key Groups.
2. Select Symmetric or Asymmetric as the key type, and set HSM Trusted for the storage location. Then, select [OK].
3. Enter a name for the key group, and select [OK].

Set permissions

Perform the following steps to set permissions.

1. After you create a new key group or select a pre-existing group, select [Permissions].
2. Give the user group the Use permission, and select [OK].
3. Select [OK] again to save and close the key group editor.

Connect to a Guardian

To use key labels, you must make an authorized connection to the {{guard}} by using one of the following methods:

- Log onto a Guardian by using the RKLG command in the Remote Host API.
- Set up a TLS connection to the Guardian by using certificates where the Common Name is the name of an identity under the role authorized to access the correct keys through key labeling.

Log on with RKLG

You can execute the RKLG command in the Remote Host API whenever you make a new connection to the Guardian. Issue the command with the following tokens:

Token   Definition
DA      User name
CH      Password

The following example shows the command using each token:

[aorklg;datest user1;chsafest;]

For more information on this command, refer to the Remote Host API Technical Reference Guide.

Set up a TLS connection

The Guardian can recognize a secure connection between the host application and the Guardian when you use TLS as an authorized connection. However, for the Guardian to recognize the connection as authorized, the client must connect with a valid certificate where the Common Name is a valid user on the Guardian. This method replaces the password authentication method.

In the following steps:

1. Ensure the connection for the Host Application encryption device group (for HSMs) is set to SSL (under Settings).
2. The host application creates a CSR with the Common Name set to a valid user, to be signed under a certificate authority (CA).
3. If the CA is not on the Guardian accepting the connection, you need to import it on the appropriate Guardian device.
4. Under Administration > Configuration > Network Options > TLS/SSL Settings, choose the TLS setting defined for the connection on which the host application connects. If you are using the default, this is the Balancer setting.
5. Under Certificates, select [Edit].
6. Right-click a Trusted CA with nothing loaded, and select Import.
7. Import the CA from step 3.
8. Go to Identity Management > Identity Providers, right-click the background of the screen, and select Add > Provider > PKI.
9. In the Info tab, specify a name. If you are using a single user, uncheck Enforce Dual Factor.
10. In the PKI Options tab, press [Select], choose the certificate for the CA imported in step 3, and select [OK].
11. Right-click the identity provider and select Add > Mechanism > PKI.
12. Set a name for the mechanism, leave all other values set to the default values, and select [OK].
13. Go to Identity Management > Identities and remove the previously configured password for the identity.
14. Select [Add], set the type to PKI Certificate, and then select [OK].
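The host-side half of steps 2 and 3 above, as an added example that is not part of the Futurex documentation: an OpenSSL script that creates a test CA, generates the host application's key and a CSR whose Common Name is the Guardian identity name, signs it as a TLS client certificate, and checks that the CN and the chain are what the Guardian will be asked to trust. The CA, the identity name "test user1" and the working directory are constructed for the example; in production the CA is the one you import on the Guardian in steps 3 through 7, and the CN must match an identity under the authorized role exactly.

```shell
#!/bin/sh
# Added example (not Futurex code): build a client certificate whose CN is a
# Guardian identity name, signed by the CA that will be imported on the Guardian.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"          # constructed: scratch directory
IDENTITY_CN="${IDENTITY_CN:-test user1}"    # constructed: must equal a Guardian identity name

make_client_cert() {
  # 1. Private test CA. Assumption: in production this is your organization's CA,
  #    and its certificate is what gets imported under Trusted CA on the Guardian.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example Host CA" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null

  # 2. Host application key and CSR. The CN is the only subject field the
  #    Guardian maps to an identity, so it is set to the identity name verbatim.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$IDENTITY_CN" \
    -keyout "$WORKDIR/client.key" -out "$WORKDIR/client.csr" 2>/dev/null

  # 3. Sign the CSR with the CA, marking it as a TLS client certificate.
  printf 'extendedKeyUsage = clientAuth\n' > "$WORKDIR/client.ext"
  openssl x509 -req -in "$WORKDIR/client.csr" \
    -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$WORKDIR/client.ext" \
    -out "$WORKDIR/client.crt" 2>/dev/null
}

cert_cn() {
  # Print only the CN of the issued certificate: the value the Guardian compares
  # against its configured identities when the TLS handshake completes.
  openssl x509 -in "$WORKDIR/client.crt" -noout -subject \
    -nameopt sep_multiline,utf8 | sed -n 's/^ *CN=//p'
}

verify_chain() {
  # Confirm the client certificate chains to the CA that the Guardian will trust.
  openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/client.crt" >/dev/null 2>&1
}

# Stand-alone run: issue the certificate and report what the Guardian will see.
make_client_cert
echo "client certificate CN: $(cert_cn)"
verify_chain && echo "chains to $WORKDIR/ca.crt: OK"
```

After running it, ca.crt is the file to import in step 7, and client.key plus client.crt are what the host application presents on the SSL-configured encryption device group connection. If cert_cn prints anything other than the exact identity name, the Guardian will treat the session as unauthenticated rather than fall back to the password method.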