Configure TLS certificates
Before KMIP connections can occur, the TrueNAS instance and must establish a mutual trust relationship by validating their respective digitally signed certificates.
The following sections show how to generate and sign certificates for TrueNAS and the KMIP server connection pair on the . The certificates are registered both in TrueNAS and for the KMIP server connection pair on the and are used each time a TCP/IP session secured by TLS is established.
There are two optional methods for generating and signing the TrueNAS certificate:
- Use an external CA
- Use the KMES Series 3 as the CA
For this method, import the external CA certificates into an empty certificate container on the . Then, generate a Certificate Signing Request (CSR), which the external CA uses to issue a TLS certificate for the TrueNAS instance. Finally, import the certificate into the certificate container on the that contains the external CA certificate.
Log in to the application interface with the default administrator identities.
Go to PKI > Certificate Authorities and select [ Add CA ] at the bottom of the page.
Specify a name for the certificate container, such as Externally Issued, then select [ OK ].
The new certificate container displays in the Certificate Authorities window.
Right-click the newly created certificate container and select Import > Certificate(s).
In the Import Certificates window, select [ Add ], and find and select the external CA certificate that issues the TrueNAS TLS certificate. The CA certificates populate in the Verified section of the Import Certificates window.
Select [ OK ] to save.
The external CA certificates now display in tree form under the certificate container.
Next, create a placeholder code signing certificate from which you can generate a CSR. Right-click the lowest-level CA certificate in the tree and select Add Certificate > Pending.
On the Subject DN tab of the Create X.509 Certificate window, set a Common Name for the certificate, such as TrueNAS.
Leave all other settatings set to the default values and select [ OK ].
Right-click the placeholder TrueNAS certificate and select Export > Signing Request. This will open .
Leave all of the settings on the Subject DN tab of the Create PKCS #10 Request window as the default values.
On the V3 Extensions tab, select the TLS Client Certificate profile.
On the PKCS #10 Info tab, specify a save location for the CSR and select [ OK ].
A message states the certificate signing request was successfully written to the location you specified.
Then, send the CSR file to an external certificate authority. The external CA uses the CSR to issue a TLS certificate.
After the external CA issues the code signing certificate, copy it to the storage medium configured on the .
Go to PKI > Certificate Authorities, right-click the placeholder TrueNAS certificate, and select Replace > With Signed Certificate.
On the Import Certificates window, select [ Add ]. Then, find and select the externally signed TLS certificate in the file browser. The certificate displays under the CA certificates in the Verified section of the Import Certificates window.
Select [ OK ] to save.
The remaining steps in this procedure involve exporting the TrueNAS certificate as a PKCS #12 file. To do this, go to Administration > Configuration > Options and enable Allow export of certificates using passwords. After enabling this option, select [ Save ].
Go to PKI > Certificate Authorities, right-click the Truenas certificate, and select Export > PKCS12.
In the Export PKCS12 window, select Export Selected and change the Cipher Options to AES-256. Note and optionally modify the file name, and select [ Next ].
Set a password for the PKCS #12 file and select [ Next ].
Select [ Finish ] to save the PKCS #12 file to the specified location.
This PKCS #12 file contains the signed TrueNAS certificate, associated private key, and the root certificate, all encrypted under the password that was set for the file.
Log in to the application interface using the default Admin identities.
Go to PKI > Certificate Authorities and select [ Add CA ] at the bottom of the window.
Specify a name for the certificate container, such as Issued and select [ OK ].
The new certificate container displays in the Certificate Authorities menu.
Right-click the newly created certificate container and select Add Certificate > New Certificate.
On the Subject DN tab, set a Common Name for the certificate, such as Root.
On the Basic Info tab, change the key size to 4096. Leave all other settings set to the default values.
On the V3 Extensions tab, select the Certificate Authority profile and select [ OK ].
The Root CA certificate now displays under the -issued certificate container.
Right-click the Root CA certificate you created and select Add Certificate > New Certificate.
On the Subject DN tab, set a Common Name for the certificate, such as TrueNAS.
On the V3 Extensions tab, change the profile to TLS Client Certificate and select [ OK ].
The remaining steps in this proceure involve exporting the TrueNAS certificate as a PKCS #12 file. To do this, go to Administration > Configuration > Options and enable Allow export of certificates using passwords. After enabling this option, select [ Save ].
Go to PKI > Certificate Authorities, right-click on the Truenas certificate, and select Export > PKCS12.
On the Export PKCS12 window, select Export Selected and change the Cipher Options to AES-256. Note and optionally modify the file name and select [ Next ].
Set a password for the PKCS #12 file and select [ Next ].
Select [ Finish ] to save the PKCS #12 file to the specified location.
This PKCS #12 file contains the signed TrueNAS certificate, associated private key, and the root certificate, all encrypted under the password that was set for the file.
Perform the following tasks:
- Generate a private key and construct a CSR.
- Sign the KMIP connection pair CSR.
- Export all certificates in the CA tree.
- Configure the KMIP connection pair to use the signed certificate and CA chain.
Log in to the application interface with the default Admin identities.
Go to Administration > Configuration > Network Options and go to the TLS/SSL Settings tab.
Select the Connection drop-down option and select the KMIP connection pair.
Enable the KMIP connection pair if it is not already enabled.
Uncheck the Use System/Host API SSL Parameters checkbox if it is selected.
In the User Certificates section, select [ Edit ] next to PKI Keys.
In the Application Public Keys window, select [ Generate ].
When prompted that SSL will not be functional until new certificates are imported, select [ Yes ] to continue.
In the PKI Parameters window, leave all fields set to the default values and select [ OK ].
The Application Public Keys window now shows that a PKI Key Pair is Loaded.
Select [ Request ].
In the Subject DN tab, select Classic from the Preset drop-down list and specify the hostname or IP address of the KMES in Common Name.
On the V3 Extensions tab, set the profile to TLS Server Certificate.
On the PKCS #10 Info tab, specify a save location and name for the CSR file and select [ OK ].
When prompted that the certificate signing request was successfully written to the specified location, select [ OK ].
Select [ OK ] again in the Application Public Keys window to finish.
Go to PKI > Certificate Authorities.
Right-click the Root CA certificate and select Add Certificate > From Request.
In the file browser, select the KMIP connection pair CSR.
Certificate information populates in the Create X.509 From CSR window.
Leave all settings exactly as they are and select [ OK ] to save.
The signed KMIP connection pair certificate now displays under the Root CA certificate in the CA tree.
Perform the following steps for each certificate in the certificate tree:
Right-click the certificates in the certificate tree and select Export > Certificate(s).
On the Export Certificate window, change the encoding to PEM and specify a save location for the file.
Log in to the application interface with the default Admin identities.
Go to Administration > Configuration > Network Options and go to the TLS/SSL Settings tab.
Select the Connection drop-down option and select the KMIP connection pair.
In the User Certificates section, select [ Edit ] next to Certificates.
On the Certificate Authority window, right-click the KMIP SSL CA X.509 certificate container and select [ Import ].
On the Import Certificates window, select [ Add ] at the bottom of the window.
In the file browser, select both the root CA certificate and the signed KMIP connection pair certificate, and select [ Open ].
The certificates now display in the Verified section of the Import Certificates window.
Select [ OK ] to save.
You now see Signed loaded next to Certificates in the User Certificates section of the Network Options window under the KMIP connection pair.
Select [ OK ] to save and finish.
This section covers the following tasks:
- Add a PKI IdP.
- Create a TrueNAS role.
- Create a FlashArray identity.
Log in to the application interface with the default Admin identities.
Go to Identity Management > Identity Providers.
Right-click anywhere in the window and select Add > Provider > PKI.
On the Info tab of the Identity Provider Editor window, specify a name for the Identity Provider and uncheck Enforce Dual Factor.
On the PKI Options tab, select [ Select ].
In the Certificate Selector window, expand the certificate tree you created for mutual authentication, select the CA certificate that signed the TrueNAS and KMIP connection pair certificates, and select [ OK ].
Select [ OK ] to finish creating the PKI identity provider.
Right-click the identity provider you just created and select Add > Mechanism > TLS.
On the Info tab, specify a name for the authentication mechanism.
On the PKI tab, leave all fields set to the default values.
Select [ OK ] to save.
Go to Identity Management > Roles and select [ Add ].
On the Info tab of the Role Editor window, set the Type to Application, the name to TrueNAS, and Logins Required to 1.
On the Permissions tab, enable all permissions.
On the Advanced tab, set Allowed Ports to KMIP only.
Select [ OK ] to finish creating the role.
Go to Identity Management > Identities.
Right-click anywhere in the window and select Add > Client Application.
On the Info tab of the Identity Editor window, select Application for the storage location and specify FlashArray as the identity name.
On the Assigned Roles tab, select the role you created for TrueNAS.
On the Authentication tab, remove the default API Key mechanism and select [ Add ].
In the Configure Credential window, select the TLS Certificate drop-down option in Type and select the Provider and Mechanism you created. Select [ OK ] to finish configuring the credential.
Select [ OK ] to finish creating the identity.