
Configure the KMES Series 3

This section covers the general KMES configurations that enable HashiCorp Vault to integrate with the KMES (providing Master Key Wrapping, Automatic Unsealing, Seal Wrapping, and Entropy Augmentation functionality) and describes the necessary steps to configure TLS communication between the KMES and the Vault instance.

Configure the general KMES Series 3 settings

Perform the following tasks to complete the general KMES Series 3 configuration:

  1. Create a role and identity for Vault.
  2. Create a key group for Vault keys.
  3. Enable Host API commands.

Create a role and identity for Vault with the required permissions

Perform the following steps to create a new role and identity for Vault on the KMES Series 3:

A later section shows you how to configure the name of this user in the Futurex PKCS #11 configuration file.

  1. Log in to the KMES Series 3 application interface with the default Admin identities.
  2. Go to Identity Management > Roles, and select [ Add ].
  3. In the Role Editor window, specify a name for the role and set the number of logins required to 1.
  4. Go to the Advanced tab and allow authentication to the Host API port only. Leave all other fields set to the default values.
  5. Go to the Permissions tab and select the following permissions:

       Permission                 Sub-permission
       Cryptographic Operations   Sign, Verify, Encrypt, Decrypt
       Keys                       Add, Export

  6. Select [ OK ] to finish creating the role.
  7. Go to Identity Management > Identities, right-click anywhere in the window, and select Add > Client Application.
  8. On the Info tab of the Identity Editor window, select Application for the storage location, and specify a name for the identity.
  9. On the Assigned Roles tab, select the role you created.
  10. On the Authentication tab, configure the password for the identity.
  11. Leave all other fields set to the default values, and select [ OK ] to finish creating the identity.

Create a key group for Vault keys

Perform the following steps to create a key group on the KMES Series 3 so Vault has a place to store the encryption keys that it uses for the Seal Wrap functionality:

A later section shows you how to configure the name of the key group in the Futurex PKCS #11 configuration file.

  1. Log in to the KMES Series 3 application interface with the default Admin identities.
  2. Go to the Key Management > Keys menu, then right-click and select Add > Key Group.
  3. Select Symmetric and Trusted in the Key Group Storage.
  4. In the Key Group Editor window, specify a name for the key group.
  5. In the Owner Group drop-down list, select the Vault role you created.
  6. Select [ Permissions ] and give the Vault role you created the Use permission. Select [ OK ] to save.
  7. Select [ OK ] again to finish creating the key group.

Enable the Host API commands required for the HashiCorp Vault operation

Because the Futurex PKCS #11 library connects to the Host API port on the KMES, you must define which Host API commands to enable for the FXPKCS11 library. To set the enabled commands, complete the following steps:

  1. Log in to the KMES Series 3 application interface with the default Admin identities.
  2. Go to Administration > Configuration > Host API Options, then enable the following commands:

       Command   Description
       ECHO      Communication test/retrieve version
       RAFA      Filter issuance policy
       RAND      Generate a random number
       RKCK      Create an HSM trusted key
       RKCP      Get command permissions
       RKCS      Create a symmetric HSM trusted key group
       RKED      Encrypt or decrypt data
       RKHM      HMAC data
       RKLN      Look up objects
       RKLO      Login user
       RKRC      Get an HSM trusted key

  3. Select [ Save ] to finish.

Configure TLS communication

Perform the following tasks to configure TLS communications between the KMES Series 3 and Vault:

  1. Create a CA.
  2. Create a CSR for the connection pair.
  3. Sign the CSR.
  4. Export the Root CA certificate.
  5. Export the signed System/Host API certificate.
  6. Load the exported certificates to the connection pair.
  7. Issue a client certificate for Vault.
  8. Export the Vault certificate as a PKCS #12 file.

Create a Certificate Authority (CA)

  1. Log in to the KMES Series 3 application interface with the default Admin identities.
  2. Go to PKI > Certificate Authorities, and select [ Add CA ] at the bottom of the page.
  3. In the Certificate Authority window, enter a name for the Certificate Container, leave all other fields set to the default values, and select [ OK ].

     The Certificate Container now displays in the Certificate Authorities menu.

  4. Right-click the certificate container and select Add Certificate > New Certificate.
  5. On the Subject DN tab, set a Common Name for the certificate, such as System TLS CA Root.
  6. On the Basic Info tab, leave all fields set to the default values.
  7. On the V3 Extensions tab, select the Certificate Authority profile, then select [ OK ].

     The root CA certificate now displays under the previously created Certificate Container.

Generate a CSR for the System/Host API connection pair

  1. Go to Administration > Configuration > Network Options.
  2. In the Network Options window, go to the TLS/SSL Settings tab.
  3. Under the System/Host API connection pair, uncheck the Use Futurex certificates checkbox, and select [ Edit ] next to PKI Keys in the User Certificates section.
  4. In the Application Public Keys window, select [ Generate ].
  5. When warned that SSL will not be functional until new certificates are imported, select [ Yes ] to continue.
  6. In the PKI Parameters window, leave the fields set to the default values and select [ OK ].

     The PKI Key pair now shows as loaded in the Application Public Keys window.

  7. Select [ Request ].
  8. On the Subject DN tab, set a Common Name for the certificate, such as KMES.
  9. On the V3 Extensions tab, select the TLS Server Certificate profile.
  10. On the PKCS #10 Info tab, select a save location for the CSR, and select [ OK ].
  11. When notified that the certificate signing request was successfully written to the file location that was selected, select [ OK ].
  12. Select [ OK ] again to save the Application Public Keys settings.

     In the main Network Options window, Loaded now displays next to PKI Keys for the System/Host API connection pair.

Sign the System/Host API CSR

  1. Go to PKI > Certificate Authorities.
  2. Right-click the root CA certificate you created, and select Add Certificate > From Request.
  3. In the file browser, find and select the CSR that you generated for the System/Host API connection pair.
  4. After it loads, you don't need to modify any settings for the certificate. Select [ OK ].

     The signed System/Host API certificate now displays under the root CA certificate on the Certificate Authorities page.

Export the Root CA certificate

  1. Go to PKI > Certificate Authorities.
  2. Right-click the System TLS CA Root certificate, and select Export > Certificate(s).
  3. In the Export Certificate window, change the encoding to PEM, and select [ Browse ].
  4. In the file browser, go to the location where you want to save the root CA certificate. Specify tls_ca.pem as the name for the file, and select [ Open ].
  5. Select [ OK ].

     A message box notifies you that the PEM file was successfully written to the location that you specified.

Export the signed System/Host API certificate

  1. Go to PKI > Certificate Authorities.
  2. Right-click the KMES certificate, and select Export > Certificate(s).
  3. In the Export Certificate window, change the encoding to PEM, and select [ Browse ].
  4. In the file browser, navigate to the location where you want to save the signed System/Host API certificate. Specify tls_kmes.pem as the name for the file, and select [ Open ].
  5. Select [ OK ].

     A message box notifies you that the PEM file was successfully written to the location that you specified.

Load the exported certificates into the System/Host API connection pair

  1. Go to Administration > Configuration > Network Options.
  2. In the Network Options window, go to the TLS/SSL Settings tab.
  3. Select [ Edit ] next to Certificates in the User Certificates section.
  4. Right-click the System/Host API SSL CA X.509 certificate container and select [ Import ].
  5. Select [ Add ] at the bottom of the Import Certificates dialog.
  6. In the file browser, select both the root CA certificate and the signed System/Host API certificate and select [ Open ].
  7. Select [ OK ] to save the changes.

     In the Network Options window, the System/Host API connection pair now shows Signed loaded next to Certificates in the User Certificates section.

  8. Select [ OK ] to save and exit the Network Options dialog.

Issue a client certificate for Vault

  1. Go to PKI > Certificate Authorities.
  2. Right-click the System TLS CA Root certificate and select Add Certificate > New Certificate.
  3. On the Subject DN tab, set a Common Name for the certificate, such as Vault.
  4. Leave all fields on the Basic Info tab set to the default values.
  5. On the V3 Extensions tab, select the TLS Client Certificate profile, and select [ OK ].

     The Vault certificate now displays under the System TLS CA Root certificate.

A later section shows you how to configure this client certificate (created for Vault) in the Futurex PKCS #11 configuration file.

Export the Vault certificate as a PKCS #12 file

To perform the following steps, go to Configuration > Options and enable the Allow export of certificates using passwords option.

  1. Go to PKI > Certificate Authorities.
  2. Right-click the Vault certificate, and select Export > PKCS12.
  3. Select the Export Selected option, specify a unique name for the export file, and select [ Next ].
  4. Enter a file password of your choosing and select [ Next ].
  5. Select [ Finish ] to initiate the export.
  6. Move both the Vault certificate and the Root CA certificate exported in a previous section to the computer that runs the Vault instance.

A later section shows how to configure and use them for TLS communication with the KMES Series 3.
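Before the Futurex PKCS #11 configuration is pointed at these files, it is worth confirming on the Vault host that the exports fit together: tls_kmes.pem must chain to tls_ca.pem with a TLS server purpose, and the certificate inside the Vault PKCS #12 export must chain to the same root with a TLS client purpose. The shell functions below are an added check, not part of this guide or of Futurex's tooling; the PKCS #12 file name vault.p12 and its password are assumptions, and the fixture they build with openssl is constructed test data standing in for the KMES export.

```shell
#!/bin/sh
# Added example, not from the guide: check the TLS artifacts exported from the
# KMES (tls_ca.pem, tls_kmes.pem, Vault PKCS #12) before use. Requires openssl(1).
# The PKCS #12 name vault.p12 and its password are assumptions; fixture is test data.

# verify_kmes_chain CA_PEM SERVER_PEM
# Succeeds only if SERVER_PEM chains to CA_PEM and is valid as a TLS server
# certificate (the CSR was signed under the right root with the server profile).
verify_kmes_chain() {
    openssl verify -CAfile "$1" -purpose sslserver "$2" >/dev/null 2>&1
}

# verify_vault_client P12_FILE PASSWORD CA_PEM
# Extracts only the certificate from the PKCS #12 export (the key is not written
# out) and checks that it chains to CA_PEM and carries a TLS client purpose.
verify_vault_client() {
    tmp=$(mktemp) || return 1
    if openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$tmp" 2>/dev/null &&
       openssl verify -CAfile "$3" -purpose sslclient "$tmp" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# make_fixture: constructed stand-in for the KMES export (self-signed root,
# server cert CN=KMES, client cert CN=Vault packed as PKCS #12); prints its dir.
make_fixture() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=System TLS CA Root" \
        -keyout "$d/ca.key" -out "$d/tls_ca.pem" 2>/dev/null
    for pair in kmes:serverAuth vault:clientAuth; do
        cn=${pair%%:*}; eku=${pair#*:}
        printf 'extendedKeyUsage=%s\n' "$eku" >"$d/$cn.ext"
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
            -keyout "$d/$cn.key" -out "$d/$cn.csr" 2>/dev/null
        openssl x509 -req -days 1 -in "$d/$cn.csr" -CA "$d/tls_ca.pem" -CAkey "$d/ca.key" \
            -CAcreateserial -extfile "$d/$cn.ext" -out "$d/tls_$cn.pem" 2>/dev/null
    done
    openssl pkcs12 -export -in "$d/tls_vault.pem" -inkey "$d/vault.key" \
        -out "$d/vault.p12" -passout pass:constructed-password 2>/dev/null
    echo "$d"
}

# Stand-alone demonstration against the constructed fixture.
fx=$(make_fixture)
verify_kmes_chain "$fx/tls_ca.pem" "$fx/tls_kmes.pem" && echo "tls_kmes.pem: OK (server cert under tls_ca.pem)"
verify_vault_client "$fx/vault.p12" constructed-password "$fx/tls_ca.pem" && echo "vault.p12: OK (client cert under tls_ca.pem)"
```

Against the real exports, call the two verify functions with the paths of tls_ca.pem, tls_kmes.pem and the PKCS #12 file you moved to the Vault host; a certificate issued under a different root, under the wrong V3 Extensions profile, or a PKCS #12 opened with the wrong password makes the corresponding check return non-zero.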