
Set up TLS and authentication on the KMES Series 3


This section covers the configuration tasks you must perform on the KMES Series 3 so that Google EKM can access externally managed keys.

For all the tasks in this section, you must log in to the KMES application interface with the default Admin identities.

Configure TLS certificates for the REST API connection pair

1. Go to Administration > Configuration > Network Options.
2. In the Network Options dialog, go to the TLS/SSL Settings tab.
3. Select the REST API connection pair in the drop-down menu.
4. Ensure that the REST API connection pair is Enabled and configure the TLS settings as needed. Google connects to this port over TLS and validates the certificate that the KMES presents, so confirm that the certificate chain and the hostname in the certificate are correct before you point Google at it.

Add JWT identity provider

You must configure a JSON Web Token (JWT) identity provider so that Google can authenticate to the KMES by presenting the Google-generated JWT.

1. Go to Identity Management > Identity Providers, right-click the background, and select Add > Provider > JSON Web Token.
2. Go to the Info tab of the Identity Provider Editor window, specify a name for the identity provider, and de-select Enforce Dual Factor.
3. Go to the JWT Options tab and specify https://accounts.google.com as the issuer. Set leeway and max validity according to your requirements. Leeway only needs to absorb clock skew between Google and the KMES, so keep it to a few tens of seconds at most; every second of leeway extends the time during which an already-expired token is still accepted.
4. Go to the JWT Key tab, select JWKS, and specify https://www.googleapis.com/oauth2/v3/certs in the JWKS URL field. Leave the TLS PKI field blank and select [ OK ] to save.
5. Right-click the identity provider that you created and select Add > Mechanism > Google External Key Manager.
6. Go to the Info tab and specify a name for the authentication mechanism.
7. Go to the Audience tab and specify the hostname of your KMES and the REST API port number (8081 by default) in the following format: https://<host name>:<port>. This value must exactly match the aud claim in the token that Google presents, so the scheme, hostname and port must all agree.
8. Select [ OK ] to save.

The newly added identity provider and authentication mechanism are displayed.



Create an identity for the Google Service Account

Perform the following tasks to create an identity for the Google service account and grant it the required permissions:

Create a new role

1. Navigate to the Identity Management > Roles menu and add a new role.
2. In the Role Editor window, name the role Google Key Management and change the number of logins required to 1. Leave all other fields on the Info tab set to their default values.
3. On the Permissions tab, select the following Cryptographic Operations permissions:
  • Sign
  • Wrap
  • Unwrap
   Do not grant additional permissions: this role bounds what the Google service account can do on the KMES.
4. Select [ OK ] to save.

Create a new identity and assign it to the Google Key Management role

1. Go to the Identity Management > Identities menu. Right-click the background and select Add > Client Application to add a new identity.
2. On the Info tab of the Identity Editor window, specify a name for the identity.
3. On the Assigned Roles tab, select the Google Key Management role.
4. On the Device Info tab, enter the Google service account email address that you noted in the key creation wizard (an address of the form <name>@<project-id>.iam.gserviceaccount.com) into the Email field. This address is how the KMES ties Google's token to this identity, so it must match the service account exactly.
5. On the Authentication tab, select [ Add ] to add a new credential. In the Configure Credential window, select Google External Key Manager as the credential type, and then select the provider and mechanism configured in the previous section. Select [ OK ].
6. Remove the default API Key mechanism, leaving only the Google External Key Manager credential, and select [ OK ] to save. An API Key credential left in place would give this identity a second way to log in that does not require a Google-signed token.
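The identity provider, mechanism and identity configured above amount to a fixed set of checks on every Google-generated token: look up the signing key by kid in the JWKS document, verify an RS256 signature, and require the issuer https://accounts.google.com, the audience https://<host name>:<port>, an expiry within leeway, a validity window no longer than max validity, and the service-account email bound to the identity. The following Go program shows those checks end to end. It is an added example written for this page, not Futurex or Google code and not what the KMES runs internally; the hostname kmes.example.com, the service-account address, the kid k1, and the leeway and max-validity values are assumed placeholders, and the token is signed with a locally generated key that stands in for Google's.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// Settings mirroring the KMES configuration above; hostname and service-account address are assumed placeholders.
const (
	issuer        = "https://accounts.google.com"
	audience      = "https://kmes.example.com:8081" // https://<host name>:<port>
	expectedEmail = "ekm-sa@my-project.iam.gserviceaccount.com"
	leeway        = int64(60)   // tolerated clock skew, seconds
	maxValidity   = int64(3600) // longest exp-iat window accepted, seconds
)

var b64 = base64.RawURLEncoding
var signingKey, _ = rsa.GenerateKey(rand.Reader, 2048) // local key standing in for Google's
type jwk struct{ Kty, Kid, N, E string }               // one RSA entry of a JWKS document
type jwks struct{ Keys []jwk }
type claims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Iat   int64  `json:"iat"`
	Exp   int64  `json:"exp"`
	Email string `json:"email"`
}

// jwksFor publishes a public key the way https://www.googleapis.com/oauth2/v3/certs would.
func jwksFor(kid string, pub *rsa.PublicKey) jwks {
	return jwks{Keys: []jwk{{Kty: "RSA", Kid: kid, N: b64.EncodeToString(pub.N.Bytes()),
		E: b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}}}
}

// signJWT mints a compact RS256 token, standing in for the Google-generated JWT.
func signJWT(kid string, priv *rsa.PrivateKey, c claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:]) // cannot fail with a valid key
	return input + "." + b64.EncodeToString(sig)
}

// verifyJWT applies the checks the KMES is configured with: RS256 signature against the JWKS key
// named by kid (alg is pinned, so a token cannot downgrade the verifier to HS256 or "none"), issuer,
// audience, expiry with leeway, max validity, and the identity's email. now is Unix seconds.
func verifyJWT(token string, keys jwks, now int64) (*claims, error) {
	parts := strings.Split(token, ".")
	hdrRaw, _ := b64.DecodeString(parts[0])
	var hdr struct{ Alg, Kid string }
	if len(parts) != 3 || json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("malformed or non-RS256 token")
	}
	var pub *rsa.PublicKey
	for _, k := range keys.Keys {
		n, err1 := b64.DecodeString(k.N)
		e, err2 := b64.DecodeString(k.E)
		if k.Kid == hdr.Kid && k.Kty == "RSA" && err1 == nil && err2 == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	sig, err := b64.DecodeString(parts[2])
	if pub == nil || err != nil {
		return nil, fmt.Errorf("no usable JWKS key for kid %q", hdr.Kid)
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return nil, fmt.Errorf("signature does not verify")
	}
	body, err := b64.DecodeString(parts[1])
	var c claims
	if err != nil || json.Unmarshal(body, &c) != nil {
		return nil, fmt.Errorf("malformed claims")
	}
	switch {
	case c.Iss != issuer:
		return nil, fmt.Errorf("issuer %q not trusted", c.Iss)
	case c.Aud != audience:
		return nil, fmt.Errorf("audience %q is not this KMES", c.Aud)
	case now > c.Exp+leeway:
		return nil, fmt.Errorf("token expired")
	case c.Exp-c.Iat > maxValidity:
		return nil, fmt.Errorf("validity window exceeds maximum")
	case c.Email != expectedEmail:
		return nil, fmt.Errorf("%q is not the enrolled service account", c.Email)
	}
	return &c, nil
}

func main() {
	good := claims{Iss: issuer, Aud: audience, Iat: 1700000000, Exp: 1700000600, Email: expectedEmail}
	c, err := verifyJWT(signJWT("k1", signingKey, good), jwksFor("k1", &signingKey.PublicKey), 1700000000)
	fmt.Println(c != nil, err)
}
```

The order of the checks matters: the signature is verified before any claim is read, so the issuer, audience and email comparisons only ever run on data that Google actually signed, and a token whose aud names a different port or whose kid is not in the JWKS document is refused without touching the key material behind the REST API.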