Set up authentication between the KMES Series 3 and Vault
You can authenticate the KMES Series 3 with Vault by using either userpass or TLS certificate authentication. The following sections provide instructions for both methods.
The userpass authentication method allows the KMES Series 3 to authenticate with Vault by using a username and password combination.
Perform the following tasks, which are described in this section:
- Configure userpass authentication in Vault.
- Create a userpass cloud credential on the KMES Series 3.
- Test userpass authentication.
You can configure userpass authentication by using the Vault UI or the CLI as described in the following sections.
Go to the Access page in the Vault UI and select [ Enable new method ].
Select the Username & Password authentication method and select [ Next ].
Leave the path set to the default value, userpass, and select [ Enable Method ].
Go to the menu for the userpass auth method just created and select [ Create user ].
Specify a username and password for the new user and select [ Save ].
A message displays on the page confirming that the new user was saved successfully.
Run the following command to enable the userpass auth method:
Run the following command to configure it with users who are allowed to authenticate:
This creates a new user, userpass_authentication_demo, with the password Futurex123, and attaches the admins policy to it. The admins policy is used here only for the demonstration; in production, attach a policy that grants the KMES access to just the Vault paths it needs.
No further Vault-side configuration is necessary.
Log in to the KMES Series 3 application interface with the default Admin identities.
Go to Identity Management > Cloud Credentials and select [ Add Cloud Credential ].
From the Service drop-down, select Vault Userpass Authentication.
You can specify any value in the Name field, but the Access Name value must match the name of the user that you created under the userpass auth method in Vault.
In the Password field, select [ Enter ] and set the same password you set for the user created in Vault. Select [ Save ].
Select [ OK ] in the Add Cloud Credential window to save your changes.
Go to Administration > Configuration > Vault API Options.
Select the Enable Vault service checkbox.
Set the Vault API URL to https://<IP of your HashiCorp Vault Server>:8210/v1 and select the Vault Userpass Authentication Cloud Credential created in the previous step.
Leave the rest of the fields set to their default values. Select [ Test Configuration ].
If all of the configuration is correct, a message shows that the Authentication and permission tests were successful. Select [ OK ].
Select [ Save ] to finish modifying the Vault API Options.
The cert authentication method allows the KMES Series 3 to authenticate with Vault by using SSL/TLS client certificates signed by a CA or self-signed.
Perform the following tasks, which are described in this section:
- Configure cert authentication in Vault.
- Create a Vault certificate cloud credential on the KMES Series 3.
- Test cert authentication.
You can configure cert authentication by using the Vault UI or the CLI as described in the following sections.
Go to the Access page in the Vault UI and select [ Enable new method ].
Select the TLS Certificates authentication method and select [ Next ].
Leave the path set to the default value, cert, and select [ Enable New Method ].
Go to the menu for the cert auth method you just created and select [ Create certificate ].
Specify a name for the certificate, upload a single .pem file that contains the certificate chain configured for the Vault Client connection pair on the KMES Series 3, and select [ Save ].
A message confirms that the new certificate was saved successfully.
Run the following command to enable the cert auth method:
Run the following command to configure it with trusted certificates that are allowed to authenticate:
This command creates a new trusted certificate entry, certificate_authentication_demo, with the same display name and the web and prod policies (replace these with the policy that grants the KMES the access it needs). The chain.pem file is the CA certificate chain that issued the certificate of the KMES Vault Client connection pair; Vault uses it to verify the client certificate the KMES presents. The optional ttl value, in seconds, limits the lease duration of the tokens Vault issues to clients that authenticate with this certificate.
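As an added example that is not part of this page or of the Futurex or HashiCorp documentation, the following script collects the Vault-side commands that the userpass and cert CLI sections above describe, and adds a command-line check equivalent to the KMES Test Configuration step: it logs in the way the KMES will and prints the policies on the resulting token. It assumes the vault CLI is on PATH with VAULT_ADDR and VAULT_TOKEN set to a token allowed to enable auth methods and write to auth/userpass and auth/cert. The user name, password, policy names, certificate entry name and chain.pem file are the values used on this page; the kmes-client.pem and kmes-client.key file names (standing in for the KMES Vault Client connection pair) and the 3600-second ttl are assumptions.

```bash
#!/bin/sh
# Added example: Vault-side setup for KMES userpass and cert authentication,
# plus a login check that mirrors the KMES "Test Configuration" step.
# Assumptions: vault CLI on PATH, VAULT_ADDR and VAULT_TOKEN exported.
# Set VAULT_CMD=echo to print the commands instead of running them.
# kmes-client.pem / kmes-client.key are assumed file names for the KMES
# Vault Client certificate and key; 3600 is an assumed token ttl.
set -eu

# Enable userpass at its default path and create the user the KMES will use.
# $1 = username (the KMES "Access Name"), $2 = password, $3 = policy list
configure_userpass() {
  "${VAULT_CMD:-vault}" auth enable userpass
  "${VAULT_CMD:-vault}" write "auth/userpass/users/$1" password="$2" policies="$3"
}

# Enable cert at its default path and register a trusted certificate entry.
# $1 = entry name (the KMES "Access Name"), $2 = PEM file with the CA chain
# that issued the KMES client certificate, $3 = policy list, $4 = ttl seconds
configure_cert() {
  "${VAULT_CMD:-vault}" auth enable cert
  "${VAULT_CMD:-vault}" write "auth/cert/certs/$1" display_name="$1" \
    policies="$3" certificate=@"$2" ttl="$4"
}

# Log in with the given method exactly as the KMES will, then print the
# policies attached to the issued token so a missing policy is caught early.
# $1 = method (userpass or cert); remaining args are passed to vault login.
check_login() {
  method="$1"
  shift
  token="$("${VAULT_CMD:-vault}" login -method="$method" -token-only "$@")"
  VAULT_TOKEN="$token" "${VAULT_CMD:-vault}" token lookup -field=policies
}

# Usage: sh setup-vault-auth.sh run
if [ "${1:-}" = "run" ]; then
  configure_userpass userpass_authentication_demo Futurex123 admins
  configure_cert certificate_authentication_demo chain.pem web,prod 3600
  check_login userpass username=userpass_authentication_demo password=Futurex123
  check_login cert -client-cert=kmes-client.pem -client-key=kmes-client.key \
    name=certificate_authentication_demo
fi
```

Two practical notes: vault auth enable fails if the method is already enabled at that path, so on a second run comment out those lines or use a different path; and passing the password on the command line leaves it in shell history and process listings, so for anything beyond a lab, supply it from a file or a prompt.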
Go to Identity Management > Cloud Credentials and select [ Add Cloud Credential ].
From the Service drop-down, select Vault Certificate Authentication.
You can specify any value in the Name field, but the Access Name value must match the name of the certificate that you created under the cert auth method in Vault (in this case, certificate_authentication_demo).
Leave the TLS Config field set to the default value, Vault Client, which configures the Cloud Credential to use the Vault Client connection pair for authenticating with Vault.
Select [ OK ] in the Add Cloud Credential window to save your changes.
Go to Administration > Configuration > Vault API Options.
Select the Enable Vault Service checkbox.
Set the Vault API URL to https://<IP of your HashiCorp Vault Server>:8210/v1 and select the Vault Certificate Authentication Cloud Credential created in the previous step.
Leave the remaining fields set to their default values. Select [ Test Configuration ].
If all of the configuration is correct, a message states that the Authentication and permission tests were successful. Select [ OK ].
Select [ Save ] to finish modifying the Vault API Options.