Initial setup

16 min

before you enable rdl on the flasharray, the array and the {{k3}} must establish a mutual trust relationship by validating their respective digitally signed certificates the following sections show how to generate and sign certificates for both the flasharray and the kmip connection pair on the {{k3}} the flasharray and the {{k}} register both certificates and use them thereafter each time they establish a tcp/ip session secured by tls notes about certificates certificates used on the flasharray must be pem formatted (base64 encoded) intermediary certificates are not supported for use with kmip using the purity internal management certificate for kmip configuration is not supported create a certificate and csr use the flasharray command line interface (cli) to complete the following steps to create a flasharray certificate and csr create a certificate perform the following steps to create a flasharray certificate run the following purecert create cli command to create a self signed certificate pureuser\@purefa ct0 # purecert create cert 1 self signed common name purefa display the certificate with the following purecert list command pureuser\@purefa ct0 # purecert list cert 1 certificate copy the displayed certificate for use in a later step create a csr perform the following steps to create a csr run the following purecert construct command to construct the csr pureuser\@purefa ct0 # purecert construct cert 1 certificate signing request perform the following steps copy the displayed csr and paste it into a file editor save the file with either the pem or csr extension then, move the file by using sftp or other means to the external storage device configured on the {{k3}} configure {{k3}} log in to the {{k3}} application interface with the default admin identities to complete the following tasks create a new ca sign the flasharray csr create and configure the tls certificate for the kmip connection pair on the {{k3}} create a role and identity on the {{k3}} for flasharray create a new ca perform the following steps to create a new ca log in to the {{k3}} application interface with the default admin identities go to pki > certificate authorities and select \[ add ca ] at the bottom of the page in the certificate authority window, enter a name for the certificate container, leave all other fields as the default values, and select \[ ok ] the certificate container you created now displays in the certificate authorities menu right click the certificate container and select add certificate > new certificate on the subject dn tab, set a common name for the certificate, such as system tls ca root on the basic info tab, change the major key to pmk and the key size to 4096 leave all other settings as the default values on the v3 extensions tab, select the certificate authority profile and select \[ ok ] the root ca certificate now displays under the previously created certificate container sign the flasharray csr perform the following steps to sign the flasharray csr go to pki > certificate authorities right click the root ca certificate and select add certificate > from request in the file browser, select the flasharray csr certificate information populates in the create x 509 from csr window leave all settings exactly as they are and select \[ ok ] to save the common name of the certificate must match the common name you entered in the purecert create command the signed flasharray certificate now displays under the root ca certificate in the ca tree create and configure the tls certificate perform the following tasks to create and configure the tls certificate for the kmip connection pair on the {{k3}} generate a private key and construct a csr sign the kmip connection pair csr export all certificates in the ca tree configure the kmip connection pair to use the signed certificate and ca chain generate a private key and csr perform the following steps to generate a private key and construct a csr log in to the {{k3}} application interface with the default admin identities go to administration > configuration > network options and go to the tls/ssl settings tab select the connection drop down option and select the kmip connection pair enable the kmip connection pair if it is not already enabled uncheck the use system/host api ssl parameters checkbox if it is selected in the user certificates section, select \[ edit ] next to pki keys in the application public keys window, select \[ generate ] when prompted that ssl will not be functional until new certificates are imported , select \[ yes ] to continue in the pki parameters window, leave all fields set to the default values and select \[ ok ] the application public keys window now shows that a pki key pair is loaded select \[ request ] in the subject dn tab, select classic from the preset drop down list and specify the hostname or ip address of the {{k}} in common name on the v3 extensions tab, set the profile to tls server certificate on the pkcs #10 info tab, specify a save location and name for the csr file and select \[ ok ] when prompted that the certificate signing request was successfully written to the specified location , select \[ ok ] select \[ ok ] again in the application public keys window to finish sign the csr perform the following steps to sign the kmip connection pair csr go to pki > certificate authorities right click the root ca certificate and select add certificate > from request in the file browser, select the kmip connection pair csr certificate information populates in the create x 509 from csr window leave all settings exactly as they are and select \[ ok ] to save the signed kmip connection pair certificate now displays under the root ca certificate in the ca tree export all certificates perform the following steps to export each certificate in the ca tree right click the certificates in the certificate tree and select export > certificate(s) in the export certificate window, change the encoding to pem and specify a save location for the file configure the connection pair perform the following steps to configure the kmip connection pair to use the signed certificate and ca chain log in to the {{k3}} application interface with the default admin identities go to administration > configuration > network options and go to the tls/ssl settings tab select the connection drop down option and select the kmip connection pair in the user certificates section, select \[ edit ] next to certificates in the certificate authority window, right click the kmip ssl ca x 509 certificate container and select \[ import ] in the import certificates window, select \[ add ] at the bottom of the window in the file browser, select both the root ca certificate and the signed kmip connection pair certificate and select \[ open ] the certificates now display in the verified section of the import certificates window select \[ ok ] to save you now see signed loaded next to certificates in the user certificates section of the network options window under the kmip connection pair select \[ ok ] to save and finish create a role and identity the following sections provide instructions for the following tasks to create a role and identity on the {{k3}} for flasharray add a pki identity provider configured with the tls authentication mechanism create a role for flasharray create an identity for flasharray add a pki ip perform the following steps to add a pki identity provider (ip) configured with the tls authentication mechanism log in to the {{k3}} application interface with the default admin identities go to identity management > identity providers right click anywhere in the window and select add > provider > pki on the info tab of the identity provider editor window, specify a name for the ip and uncheck enforce dual factor on the pki options tab, select \[ select ] in the certificate selector window, expand the certificate tree you created for mutual authentication, select the ca certificate that signed the flasharray and kmip connection pair certificates, and select \[ ok ] select \[ ok ] to finish creating the pki identity provider right click the ip you just created and select add > mechanism > tls on the info tab, specify a name for the authentication mechanism on the pki tab, leave all fields set to the default values select \[ ok ] to save create a role perform the following steps to create a role for flasharray go to identity management > roles and select \[ add ] in the info tab of the role editor window, set the type to application , the name to flasharray, and logins required to 1 on the permissions tab, enable all permissions on the advanced tab, set allowed ports to kmip only select \[ ok ] to finish creating the role create an identity perform the following steps to create an identity for flasharray go to identity management > identities right click anywhere in the window and select add > client application on the info tab of the identity editor window, select application for the storage location and specify flasharray as the identity name on the assigned roles tab, select the role you created for flasharray on the authentication tab, remove the default api key mechanism and select \[ add ] in the configure credential window, select the tls certificate drop down option in type and select the provider and mechanism you created select \[ ok ] to finish configuring the credential select \[ ok ] to finish creating the identity

Data-at-rest encryption and Rapid Data Locking (RDL)

Configure certificates in the FlashArray CLI