# Configure TLS certificates
Before KMIP connections can occur, the NetApp ONTAP instance and the {{k3}} must establish a mutual trust relationship by validating their respective digitally signed certificates. The following sections demonstrate how to generate and sign certificates for NetApp ONTAP and the KMIP server connection pair on the {{k3}}. The certificates are registered in both NetApp ONTAP and the KMIP server connection pair on the {{k3}} and are used each time a TCP/IP session secured by TLS is established.

## Generate and sign the NetApp ONTAP certificate

There are two optional methods for generating and signing the NetApp ONTAP and KMIP server certificates:

- Use an external CA.
- Use the {{k3}} as the CA.

It is also possible to use one method for the NetApp ONTAP certificate and the other method for the KMIP server certificate.

### Method 1: Use an external CA

For this method, import the external CA certificates into an empty certificate container on the {{k}}. Then, generate a certificate signing request (CSR), which the external CA uses to issue a TLS client certificate for the NetApp ONTAP instance. Finally, import the certificate into the certificate container on the {{k}} that contains the external CA certificate.

1. Log in to the {{k3}} application interface with the default administrator identities.
2. Go to PKI > Certificate Authorities and select \[ Add CA ] at the bottom of the page.
3. Specify a name for the certificate container, such as "Externally Issued", and select \[ OK ]. The new certificate container displays in the Certificate Authorities window.
4. Right-click the newly created certificate container and select Import > Certificate(s).
5. In the Import Certificates window, select \[ Add ], then find and select the external CA certificate that issues the NetApp ONTAP TLS certificate. The CA certificates populate in the Verified section of the Import Certificates window.
6. Select \[ OK ] to save. The external CA certificates now display in tree form under the certificate container.

Next, create a placeholder TLS client certificate to generate a CSR:

7. Right-click the lowest-level CA certificate in the tree and select Add Certificate > Pending.
8. On the Subject DN tab of the Create X.509 Certificate window, set a common name for the certificate, such as "NetApp ONTAP". Leave all other settings at their default values and select \[ OK ].
9. Right-click the placeholder NetApp ONTAP certificate and select Export > Signing Request.
10. Leave all of the settings on the Subject DN tab of the Create PKCS #10 Request window at their default values.
11. On the V3 Extensions tab, select the TLS Client Certificate profile.
12. On the PKCS #10 Info tab, specify a save location for the CSR and select \[ OK ]. A message states that the certificate signing request was successfully written to the location you specified.
13. Send the CSR file to an external certificate authority. The external CA uses the CSR to issue a TLS client certificate.
14. After the external CA issues the TLS client certificate, copy it to the storage medium configured on the {{k}}.
15. Go to PKI > Certificate Authorities, right-click the placeholder NetApp ONTAP certificate, and select Replace > With Signed Certificate.
16. In the Import Certificates window, select \[ Add ]. Then, find and select the externally signed TLS client certificate in the file browser. The certificate displays under the CA certificates in the Verified section of the Import Certificates window.
17. Select \[ OK ] to save.

The remaining steps in this procedure involve exporting the NetApp ONTAP certificate as a PKCS #12 file:

18. Go to Administration > Configuration > Options and enable Allow Export of Certificates Using Passwords. After enabling this option, select \[ Save ].
19. Go to PKI > Certificate Authorities, right-click the NetApp ONTAP certificate, and select Export > PKCS12.
20. In the Export PKCS12 window, select Export Selected and change the cipher options to AES-256. Note (and optionally modify) the file name, and select \[ Next ].
21. Set a password for the PKCS #12 file and select \[ Next ].
22. Select \[ Finish ] to save the PKCS #12 file to the specified location.

This PKCS #12 file contains the signed NetApp ONTAP client certificate, the associated private key, and the root certificate, all encrypted under the password set for the file.

### Method 2: Use the KMES Series 3 as the CA

Perform the following steps to use the {{k3}} as the CA:

1. Log in to the {{k3}} application interface using the default admin identities.
2. Go to PKI > Certificate Authorities and select \[ Add CA ] at the bottom of the window.
3. Specify a name for the certificate container, such as "KMES Issued", and select \[ OK ]. The new certificate container displays in the Certificate Authorities menu.
4. Right-click the newly created certificate container and select Add Certificate > New Certificate.
5. On the Subject DN tab, set a common name for the certificate, such as "Root".
6. On the Basic Info tab, change the key size to 4096. Leave all other settings at their default values.
7. On the V3 Extensions tab, select the Certificate Authority profile and select \[ OK ]. The root CA certificate now displays under the {{k}} Issued certificate container.
8. Right-click the root CA certificate you created and select Add Certificate > New Certificate.
9. On the Subject DN tab, set a common name for the certificate, such as "NetApp ONTAP".
10. On the V3 Extensions tab, change the profile to TLS Client Certificate and select \[ OK ].

The remaining steps in this procedure involve exporting the NetApp ONTAP certificate as a PKCS #12 file:

11. Go to Administration > Configuration > Options.
12. Enable Allow Export of Certificates Using Passwords.
13. Select \[ Save ].
14. Go to PKI > Certificate Authorities, right-click the NetApp ONTAP certificate, and select Export > PKCS12.
15. In the Export PKCS12 window, select Export Selected and change the cipher options to AES-256. Note (and optionally modify) the file name, and select \[ Next ].
16. Set a password for the PKCS #12 file and select \[ Next ].
17. Select \[ Finish ] to save the PKCS #12 file to the specified location.

This PKCS #12 file contains the signed NetApp ONTAP client certificate, the associated private key, and the root certificate, all encrypted under the password set for the file.

## Create and configure the KMIP server certificate

Perform the following tasks to create and configure a TLS server certificate for the KMIP connection pair on the {{k3}}:

1. Generate a private key and construct a CSR.
2. Sign the KMIP connection pair CSR using an external CA or a CA generated on the {{k}}.
3. Get all certificates in the CA tree.
4. Configure the KMIP connection pair to use the signed certificate and CA chain.

### Generate a private key and CSR

Perform the following steps to generate a private key and construct a CSR:

1. Log in to the {{k3}} application interface with the default admin identities.
2. Go to Administration > Configuration > Network Options and go to the TLS/SSL Settings tab.
3. Select the Connection drop-down option and select the KMIP connection pair.
4. Enable the KMIP connection pair if it is not already enabled.
5. Uncheck the Use System/Host API SSL Parameters checkbox if it is selected.
6. In the User Certificates section, select \[ Edit ] next to PKI Keys.
7. In the Application Public Keys window, select \[ Generate ]. When prompted that SSL will not be functional until new certificates are imported, select \[ Yes ] to continue.
8. In the PKI Parameters window, leave all fields at their default values and select \[ OK ]. The Application Public Keys window now shows that a PKI key pair is loaded.
9. Select \[ Request ].
10. In the Subject DN tab, select Classic from the Preset drop-down list and specify the hostname or IP address of the {{k}} in Common Name.
11. On the V3 Extensions tab, set the profile to TLS Server Certificate.
12. On the PKCS #10 Info tab, specify a save location and name for the CSR file and select \[ OK ].
13. When prompted that the certificate signing request was successfully written to the specified location, select \[ OK ].
14. Select \[ OK ] again in the Application Public Keys window to finish.

### Sign the CSR

Perform the following steps to sign the KMIP connection pair CSR:

1. Go to PKI > Certificate Authorities.
2. Right-click the root CA certificate and select Add Certificate > From Request.
3. In the file browser, select the KMIP connection pair CSR. Certificate information populates in the Create X.509 From CSR window.
4. Leave all settings exactly as they are and select \[ OK ] to save. The signed KMIP connection pair certificate now displays under the root CA certificate in the CA tree.

### Export all certificates

If you signed the KMIP server certificate with an external CA, download each individual CA certificate in the CA tree using a mechanism supported by the external CA.

If you signed the KMIP server certificate using a KMES-hosted CA, perform the following steps to export each CA certificate in the tree:

1. Right-click the certificates in the certificate tree and select Export > Certificate(s).
2. On the Export Certificate window, change the encoding to PEM and specify a save location for the file.

### Configure the KMIP connection pair

Perform the following steps to configure the KMIP connection pair to use the signed certificate and CA chain:

1. Log in to the {{k3}} application interface with the default admin identities.
2. Go to Administration > Configuration > Network Options and go to the TLS/SSL Settings tab.
3. Select the Connection drop-down option and select the KMIP connection pair.
4. In the User Certificates section, select \[ Edit ] next to Certificates.
5. On the Certificate Authority window, right-click the KMIP SSL CA X.509 certificate container and select \[ Import ].
6. On the Import Certificates window, select \[ Add ] at the bottom of the window.
7. In the file browser, select the signed KMIP server certificate and every CA certificate in the CA tree, then select \[ Open ]. The certificates now display in the Verified section of the Import Certificates window.
8. Select \[ OK ] to save. You now see "Signed Loaded" next to Certificates in the User Certificates section of the Network Options window under the KMIP connection pair.
9. Select \[ OK ] to save and finish.

## Create a role and identity

This section covers the following tasks to create a role and identity on the {{k3}} for NetApp ONTAP:

1. Add a PKI identity provider.
2. Create a NetApp ONTAP role.
3. Create a NetApp ONTAP identity.

### Add a PKI identity provider

Perform the following steps to add a PKI identity provider (IdP) configured with the TLS authentication mechanism:

1. Log in to the {{k3}} application interface with the default admin identities.
2. Go to Identity Management > Identity Providers.
3. Right-click anywhere in the window and select Add > Provider > PKI.
4. On the Info tab of the Identity Provider Editor window, specify a name for the identity provider and uncheck Enforce Dual Factor.
5. On the PKI Options tab, select \[ Select ].
6. In the Certificate Selector window, expand the certificate tree you created for mutual authentication, select the root CA certificate for the CA that issued the NetApp ONTAP certificate, and select \[ OK ].
7. Select \[ OK ] to finish creating the PKI IdP.
8. Right-click the identity provider you just created and select Add > Mechanism > TLS.
9. On the Info tab, specify a name for the authentication mechanism.
10. On the PKI tab, leave all fields at their default values.
11. Select \[ OK ] to save.

### Create a role

Perform the following steps to create a role for NetApp ONTAP:

1. Go to Identity Management > Roles and select \[ Add ].
2. On the Info tab of the Role Editor window, set the Type to Application, set any name (the role name does not matter), and set Logins Required to 1.
3. On the Permissions tab, enable all of the following permissions (including their sub-permissions):
   - Certificate Authority
   - Cryptographic Operations
   - Keys
4. On the Advanced tab, set Allowed Ports to KMIP only.
5. Select \[ OK ] to finish creating the role.

### Create an identity

Perform the following steps to create an identity for NetApp ONTAP:

1. Go to Identity Management > Identities.
2. Right-click anywhere in the window and select Add > Client Application.
3. On the Info tab of the Identity Editor window, select Application for the Storage Location and specify "NetApp ONTAP" as the identity name. The identity name must match the common name of the NetApp ONTAP TLS client certificate; if it does not, TLS authentication fails.
4. On the Assigned Roles tab, select the role you created for NetApp ONTAP.
5. On the Authentication tab, remove the default API Key mechanism and select \[ Add ].
6. In the Configure Credential window, select the TLS Certificate drop-down option in Type and select the provider and mechanism you created.
7. Select \[ OK ] to finish configuring the credential.
8. Select \[ OK ] to finish creating the identity.
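Both export methods above end with a PKCS #12 file that ONTAP presents as its client certificate, and the identity step requires that certificate's common name to equal the KMES identity name. The following script is an added example, not part of this guide or the KMES product: it checks an exported bundle offline with the `openssl` CLI (assumed to be installed) before it is imported into ONTAP, and builds its own constructed sample bundle with CN "NetApp ONTAP" so the check can be run without a KMES.

```shell
#!/bin/sh
# Added example: offline sanity check of a PKCS #12 bundle exported from the KMES
# (assumes the openssl CLI; not part of the KMES or NetApp ONTAP documentation).

# check_ontap_bundle <file.p12> <password> <expected-identity-name>
# Returns 0 when every check passes; otherwise prints the failing check and
# returns 2..6 so a caller can tell which one failed.
check_ontap_bundle() {
  p12=$1; pass=$2; want_cn=$3; t=$(mktemp -d) || return 1
  # Split the bundle into leaf certificate, CA certificates and private key.
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys -out "$t/leaf.pem" 2>/dev/null ||
    { echo "cannot open bundle (wrong password?)"; rm -rf "$t"; return 2; }
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -cacerts -nokeys -out "$t/ca.pem" 2>/dev/null
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes -out "$t/key.pem" 2>/dev/null
  # The CN must equal the KMES identity name, otherwise TLS authentication fails.
  cn=$(openssl x509 -in "$t/leaf.pem" -noout -subject -nameopt sep_multiline | sed -n 's/^ *CN *= *//p')
  [ "$cn" = "$want_cn" ] || { echo "CN '$cn' does not match identity '$want_cn'"; rm -rf "$t"; return 3; }
  # The leaf must carry the TLS Client Certificate profile (clientAuth EKU).
  openssl x509 -in "$t/leaf.pem" -noout -ext extendedKeyUsage 2>/dev/null |
    grep -q 'TLS Web Client Authentication' || { echo "leaf lacks clientAuth EKU"; rm -rf "$t"; return 4; }
  # The private key must belong to the leaf: compare the public keys.
  [ "$(openssl x509 -in "$t/leaf.pem" -noout -pubkey)" = "$(openssl pkey -in "$t/key.pem" -pubout)" ] ||
    { echo "private key does not match certificate"; rm -rf "$t"; return 5; }
  # The leaf must chain to the root CA bundled in the same file.
  openssl verify -CAfile "$t/ca.pem" "$t/leaf.pem" >/dev/null 2>&1 ||
    { echo "leaf does not chain to bundled CA"; rm -rf "$t"; return 6; }
  rm -rf "$t"; echo "bundle OK"; return 0
}

# make_sample_bundle <out.p12> <password> <leaf-cn>
# Constructed sample only: a throwaway root CA and a client certificate, packed
# with AES-256 as the export wizard does, so the check above can run offline.
make_sample_bundle() {
  out=$1; pass=$2; cn=$3; d=$(mktemp -d) || return 1
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' 'CN=Root' \
    '[ca]' 'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign' \
    '[leaf]' 'extendedKeyUsage=clientAuth' > "$d/cfg"
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.pem" \
    -config "$d/cfg" -extensions ca -days 30 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" \
    -config "$d/cfg" -subj "/CN=$cn" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -out "$d/leaf.pem" -days 30 -extfile "$d/cfg" -extensions leaf 2>/dev/null
  openssl pkcs12 -export -in "$d/leaf.pem" -inkey "$d/leaf.key" -certfile "$d/root.pem" \
    -keypbe AES-256-CBC -certpbe AES-256-CBC -passout "pass:$pass" -out "$out" 2>/dev/null
  rm -rf "$d"
}
```

Run `check_ontap_bundle` against the file the export wizard wrote, with the password you set in the wizard and the identity name you entered in the Identity Editor; a non-zero exit names the mismatch to fix before importing into ONTAP.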