Set up authentication between the KMES Series 3 and Vault
You can authenticate the KMES Series 3 with Vault by using userpass or TLS certificates authentication. The following sections provide instructions for both methods.

## Use the userpass authentication

The userpass authentication method allows the KMES Series 3 to authenticate with Vault by using a username and password combination. Perform the following tasks, which are described in this section:

1. Configure userpass authentication in Vault.
2. Create a userpass cloud credential on the KMES Series 3.
3. Test userpass authentication.

### Configure userpass authentication in Vault

You can configure userpass authentication by using the Vault UI or the CLI, as described in the following sections.

#### Use the Vault UI

1. Go to the Access page in the Vault UI and select \[ Enable new method ].
2. Select the Username & Password authentication method and select \[ Next ].
3. Leave the path set to the default value, `userpass`, and select \[ Enable method ].
4. Go to the menu for the userpass auth method just created and select \[ Create user ].
5. Specify a username and password for the new user and select \[ Save ]. A message displays on the page confirming that the new user was saved successfully.

#### Use the Vault CLI

1. Run the following command to enable the userpass auth method:

   ```shell
   $ vault auth enable userpass
   Success! Enabled userpass auth method at: userpass/
   ```

2. Run the following command to configure it with users who are allowed to authenticate:

   ```shell
   $ vault write auth/userpass/users/userpass-authentication-demo \
       password=futurex123 \
       policies=admins
   Success! Data written to: auth/userpass/users/userpass-authentication-demo
   ```

This creates a new user, `userpass-authentication-demo`, with the password, `futurex123`, which is associated with the `admins` policy. This is the only configuration necessary.

### Create a Vault userpass authentication cloud credential on the KMES Series 3

1. Log in to the KMES Series 3 application interface with the default Admin identities.
2. Go to Identity Management > Cloud Credentials and select \[ Add Cloud Credential ].
3. Select the Service drop-down option and select Vault Userpass Authentication.
4. You can specify any value in the Name field, but the Access Name value must match the name of the user that you created under the userpass auth method in Vault.
5. In the Password field, select \[ Enter ] and set the same password you set for the user created in Vault. Select \[ Save ].
6. Select \[ OK ] in the Add Cloud Credential window to save your changes.

### Test userpass authentication

1. Go to Administration > Configuration > Vault API Options.
2. Select the Enable Vault Service checkbox.
3. Set the Vault API URL to `https://<IP of your HashiCorp Vault server>:8210/v1` and select the Vault Userpass Authentication cloud credential created in the previous step.
4. Leave the rest of the fields set to their default values.
5. Select \[ Test Configuration ]. If all of the configuration is correct, a message shows that the authentication and permission tests were successful. Select \[ OK ].
6. Select \[ Save ] to finish modifying the Vault API options.

## Use the TLS certificate authentication

The cert authentication method allows the KMES Series 3 to authenticate with Vault by using SSL/TLS client certificates signed by a CA or self-signed. Perform the following tasks, which are described in this section:

1. Configure cert authentication in Vault.
2. Create a Vault certificate cloud credential on the KMES Series 3.
3. Test cert authentication.

### Configure cert authentication in Vault

You can configure cert authentication by using the Vault UI or the CLI, as described in the following sections.

#### Use the Vault UI

1. Go to the Access page in the Vault UI and select \[ Enable new method ].
2. Select the TLS Certificates authentication method and select \[ Next ].
3. Leave the path set to the default value, `cert`, and select \[ Enable new method ].
4. Go to the menu for the cert auth method you just created and select \[ Create certificate ].
5. Specify a name for the certificate, upload a single PEM file that contains the certificate chain configured for the Vault Client connection pair on the KMES Series 3, and select \[ Save ]. A message confirms that the new certificate auth method was saved successfully.

#### Use the Vault CLI

1. Run the following command to enable the cert auth method:

   ```shell
   $ vault auth enable cert
   Success! Enabled cert auth method at: cert/
   ```

2. Run the following command to configure it with trusted certificates that are allowed to authenticate:

   ```shell
   $ vault write auth/cert/certs/certificate-authentication-demo \
       display_name=certificate-authentication-demo \
       policies=web,prod \
       certificate=@chain.pem \
       ttl=3600
   Success! Data written to: auth/cert/certs/certificate-authentication-demo
   ```

This command creates a new trusted certificate, `certificate-authentication-demo`, with the same display name and the `web` and `prod` policies. The `chain.pem` file provides the certificate (public key) used to verify clients. You can set an optional `ttl` value in seconds to limit the lease duration.

### Create a Vault certificate cloud credential on the KMES Series 3

1. Go to Identity Management > Cloud Credentials and select \[ Add Cloud Credential ].
2. Select the Service drop-down option and select Vault Certificate Authentication.
3. You can specify any value in the Name field, but the Access Name value must match the name of the certificate that you created under the cert auth method in Vault (in this case, `certificate-authentication-demo`).
4. Leave the TLS Config field set to the default value, Vault Client, which configures the cloud credential to use the Vault Client connection pair for authenticating with Vault.
5. Select \[ OK ] in the Add Cloud Credential window to save your changes.

### Test cert authentication

1. Go to Administration > Configuration > Vault API Options.
2. Select the Enable Vault Service checkbox.
3. Set the Vault API URL to `https://<IP of your HashiCorp Vault server>:8210/v1` and select the Vault Certificate Authentication cloud credential created in the previous step.
4. Leave the remaining fields set to their default values.
5. Select \[ Test Configuration ]. If the configuration completes properly, a message states that the authentication and permission tests were successful. Select \[ OK ].
6. Select \[ Save ] to finish modifying the Vault API options.
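The following added example (not Futurex or HashiCorp code) builds the Vault HTTP login requests that correspond to the userpass and cert methods configured above, then audits a login response for the policies and lease duration you intended to grant. The helper names, the placeholder host, and the sample responses are constructed for illustration; the paths assume the default `userpass` and `cert` mounts used on this page.

```python
import json
from urllib.parse import quote

def login_request(base_url, method, name, password=None):
    """Build (url, json_body) for a Vault login call; performs no network I/O."""
    base = base_url.rstrip("/")
    if method == "userpass":
        # The username is part of the path, so it must match the Vault user exactly.
        path = f"/auth/userpass/login/{quote(name, safe='')}"
        return base + path, {"password": password}
    if method == "cert":
        # The client certificate is presented in the TLS handshake; "name" limits
        # matching to one trusted-certificate entry under auth/cert/certs/.
        return base + "/auth/cert/login", {"name": name}
    raise ValueError(f"unsupported auth method: {method}")

def check_login_response(raw, expected_policies, max_ttl=None):
    """Return a list of problems found in a Vault login response (empty = OK)."""
    doc = json.loads(raw)
    if doc.get("errors"):
        return [f"vault error: {e}" for e in doc["errors"]]
    auth = doc.get("auth") or {}
    granted = set(auth.get("policies", [])) - {"default"}
    expected = set(expected_policies)
    problems = []
    if not auth.get("client_token"):
        problems.append("no client_token returned")
    if expected - granted:
        problems.append("missing policies: " + ", ".join(sorted(expected - granted)))
    if granted - expected:
        problems.append("unexpected policies: " + ", ".join(sorted(granted - expected)))
    ttl = auth.get("lease_duration", 0)
    if max_ttl is not None and ttl > max_ttl:
        problems.append(f"lease_duration {ttl}s exceeds {max_ttl}s")
    return problems

# Constructed values: placeholder host and sample responses, not real captures.
BASE = "https://vault.example.internal:8210/v1"
CERT_OK = json.dumps({"auth": {"client_token": "constructed-token",
                               "policies": ["default", "prod", "web"],
                               "lease_duration": 3600}})
USERPASS_DRIFT = json.dumps({"auth": {"client_token": "constructed-token",
                                      "policies": ["default", "admins", "ops"],
                                      "lease_duration": 2764800}})
DENIED = json.dumps({"errors": ["permission denied"]})

if __name__ == "__main__":
    print(login_request(BASE, "cert", "certificate-authentication-demo"))
    for sample, want in ((CERT_OK, ["web", "prod"]), (USERPASS_DRIFT, ["admins"])):
        print(check_login_response(sample, want, max_ttl=3600) or "OK")
```

An empty result means the token carries exactly the expected policies within the TTL bound; any other result lists what to correct on the Vault side before relying on the KMES test.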