Database
Microsoft SQL Server
Configure KMES Series 3
16min
this section shows you how to configure tls communication between the {{k3}} and the microsoft sql server instance then, it covers general configurations on the {{k}} to enable microsoft sql server to integrate with the {{k}} through the fxcl ekm library, for transparent data encryption every step in this section requires you to log in to the {{k3}} application interface with the default admin identities configure tls communication perform the following tasks to configure tls communication between the {{k3}} and the microsoft sql server instance create a certificate authority generate a csr for the system/host api connection pair sign the system/host api csr export the root ca and signed system/host api certificates load the exported certificates into the system/host api connection pair issue a client certificate for microsoft sql server export the signed microsoft sql server certificate the following sections describe how to perform these tasks create a ca perform the following steps to create a certificate authority (ca) go to pki > certificate authorities and select \[ add ca ] at the bottom of the page in the certificate authority window, enter a name for the certificate container, leave all other fields set to the default values, and select \[ ok ] the certificate container that you just created now displays in the certificate authorities menu right click the certificate container and select add certificate > new certificate on the subject dn tab, change the preset drop down option to classic and specify a common name for the certificate, such as system tls ca root on the basic info tab, leave all fields set to the default values on the v3 extensions tab, select the certificate authority profile and select \[ ok ] the root ca certificate now displays under the previously created certificate container generate a csr perform the following steps to generate a csr for the system/host api connection pair go to administration > configuration > network options in the network options window, go to the tls/ssl settings tab under the system/host api connection pair, uncheck the use futurex certificates checkbox and select \[ edit ] next to pki keys in the user certificates section in the application public keys window, select \[ generate ] when warned that ssl will not be functional until new certificates are imported , select \[ yes ] to continue in the pki parameters window, leave the fields set to the default values and select \[ ok ] the application public keys window now shows that an hsm trusted asymmetric key is loaded select \[ request ] on the subject dn tab, set a common name for the certificate, such as kmes on the v3 extensions tab, select the tls server certificate profile on the pkcs #10 info tab, select a save location for the csr and select \[ ok ] when prompted that the certificate signing request was successfully written to the file location that was selected, select \[ ok ] select \[ ok ] again to save the application public keys settings the main network options window now shows loaded next to pki keys for the system/host api connection pair select \[ ok ] to save sign the csr perform the following steps to sign the system/host api csr go to pki > certificate authorities right click the root ca certificate you created and select add certificate > from request in the file browser, select the csr that you generated for the system/host api connection pair after it loads, select \[ ok ] without modifying any settings for the certificate the signed system/host api certificate should now show under the root ca certificate on the certificate authorities page export the root ca and certificates perform the following steps to export the root ca and signed system/host api certificates go to pki > certificate authorities right click the system tls ca root certificate and select export > certificate(s) in the export certificate window, change the encoding to pem and select \[ browse ] in the file browser, go to the location where you want to save the root ca certificate specify a unique name for the file, such as root cert pem , and select \[ open ] select \[ ok ] a message box states that the pem file was successfully written to the location that you specified move the root ca certificate to the computer where the microsoft sql server instance is running a later section shows you how to configure and use it for tls communication with the {{k3}} right click the kmes certificate and select export > certificate(s) in the export certificate window, change the encoding to pem and select \[ browse ] in the file browser, go to the location where you want to save the signed system/host api certificate specify a unique name for the file, such as signed kmes cert pem , and select \[ open ] select \[ ok ] a message box states that the pem file was successfully written to the location that you specified load the certificates perform the following steps to load the exported certificates into the system/host api connection pair go to administration > configuration > network options in the network options window, go to the tls/ssl settings tab select \[ edit ] next to certificates in the user certificates section right click the system/host api ssl ca x 509 certificate container and select \[ import ] select \[ add ] at the bottom of the import certificates window in the file browser, select both the root ca certificate and the signed system/host api certificate and select \[ open ] select \[ ok ] to save the changes in the network options window, the system/host api connection pair shows signed loaded next to certificates in the user certificates section select \[ ok ] to save and exit the network options window issue a client certificate perform the following steps to issue a client certificate for microsoft sql server from the csr generated from the certreq policy file go to pki > certificate authorities right click the system tls ca root certificate and select add certificate > from request in the file browser, select the microsoft sql server csr file and select \[ open ] on the subject dn and basic info tabs, leave all fields set to the values that auto populate from the csr on the v3 extensions tab, select the tls client certificate profile and select \[ ok ] the sqlserver certificate now displays under the system tls ca root certificate export the signed certificate perform the following steps to export the signed microsoft sql server certificate go to pki > certificate authorities right click the sqlserver certificate and select export > certificate(s) in the export certificate window, change the encoding to pem and select \[ browse ] in the file browser, go to the location where you want to save the signed microsoft sql server certificate specify a name for the file and select \[ open ] select \[ ok ] a message box states that the pem file was successfully written to the location that you specified move the signed microsoft sql server certificate to the computer where the sql server instance is running a later section shows you how to configure and use it for tls communication with the {{k3}} configure general kmes settings perform the following tasks to configure the {{k3}} for communication with microsoft sql server create an ad cs role and identity with the required permissions and settings enable host api commands grant the microsoft sql server role the use permission on the ca tree the following sections show you how to complete these tasks create a role and identity the following sections show you how to create a new role and identity for microsoft sql server on the {{k3}} create a new role perform the following steps to create a new role go to identity management > roles and select \[ add ] on the info tab of the role editor window, specify a name for the role and change the number of logins required to 1 leave all other fields set to the default values on the permissions tab, select the following permissions permission subpermission certificate authority add, export cryptographic operations encrypt, decrypt keys add, delete on the advanced tab, set allowed ports to only host api leave the other fields set to the default values select \[ ok ] to finish creating the role create a new identity perform the following steps to create a new identity go to identity management > identities , right click anywhere in the window, and select add > client application on the info tab, specify sqlserver in the name field leave all other fields set to the default values the name you choose for this identity must match the common name that you set for the microsoft sql server client certificate on the assigned roles tab, select the microsoft sql server role on the authentication tab, select \[ add ] in the configure credential window, select password in the type drop down list select \[ change ] , set a password for the credential, and select \[ save ] select \[ ok ] to finish configuring the password credential remove the default api key mechanism, leaving only the password credential, and select \[ ok ] to save enable the host api commands because fxcl ekm connects to the host api port on the {{k}}, you must define which host api commands to enable for execution by fxcl ekm to set the enabled commands required for the microsoft sql server operation, complete the following steps go to administration > configuration > host api options and enable the following commands command description or subcommand (if applicable) rkgp export asymmetric key rkln lookup objects rkdp delete asymmetric key rklo login user rkck create asymmetric key rkre rsa encrypt rkrd rsa decrypt rkpk pop generated key clky retrieve hsm protected key get select \[ save ] grant the permission perform the following steps to grant the microsoft sql server role the use permission on the ca tree go to pki > certificate authorities right click the ca container you created in the create a certificate authority (ca) section and select \[ permission ] grant the microsoft sql server role the use permission, select apply to children recursively , and select \[ ok ] to save