Set up TLS and authentication on the KMES Series 3

This section covers the configuration tasks you must perform on the KMES Series 3 so that Google Cloud EKM can access externally managed keys. For all the tasks in this section, you must log in to the KMES application interface with the default Admin identities.

Configure TLS certificates for the REST API connection pair

1. Go to Administration > Configuration > Network Options.
2. In the Network Options dialog, go to the TLS/SSL Settings tab.
3. Select the REST API connection pair in the drop-down menu.
4. Ensure that the REST API connection pair is enabled, and configure the TLS settings as needed.

Add a JWT identity provider

You must configure a JSON Web Token (JWT) identity provider so that Google can authenticate against the KMES by using the Google-generated JWT.

1. Go to Identity Management > Identity Providers, right-click the background, and select Add > Provider > JSON Web Token.
2. On the Info tab of the Identity Provider Editor window, specify a name for the identity provider and deselect Enforce Dual Factor.
3. On the JWT Options tab, specify https://accounts.google.com as the issuer. Set Leeway and Max Validity according to your requirements.
4. On the JWT Key tab, select JWKS and specify https://www.googleapis.com/oauth2/v3/certs in the JWKS URL field. Leave the TLS PKI field blank and select OK to save.
5. Right-click the identity provider that you created and select Add > Mechanism > Google External Key Manager.
6. On the Info tab, specify a name for the authentication mechanism.
7. On the Audience tab, specify the hostname of your KMES and the REST API port number (8081 by default) in the following format: https://<host name>:<port>
8. Select OK to save. The newly added identity provider and authentication mechanism are displayed.

Create an identity for the Google service account

Perform the following tasks to create an identity for the Google service account and grant it the required permissions.

Create a new role

1. Go to Identity Management > Roles and add a new role.
2. In the Role Editor window, name the role Google Key Management and change the number of logins required to 1. Leave all other fields on the Info tab set to their default values.
3. On the Permissions tab, select the following Cryptographic Operations permissions: Sign, Wrap, Unwrap.
4. Select OK to save.

Create a new identity and assign it to the Google Key Management role

1. Go to Identity Management > Identities. Right-click the background and select Add > Client Application to add a new identity.
2. On the Info tab of the Identity Editor window, specify a name for the identity.
3. On the Assigned Roles tab, select the Google Key Management role.
4. On the Device Info tab, enter the Google service account email address that you noted in the key creation wizard (for example, service-54255661635@gcp-sa-ekms.iam.gserviceaccount.com) into the Email field.
5. On the Authentication tab, select Add to add a new credential.
6. In the Configure Credential window, select Google External Key Manager as the credential type, and then select the provider and mechanism configured in the previous section. Select OK.
7. Remove the default API Key mechanism, leaving only the Google External Key Manager credential, and select OK to save.
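Added example (not from the Futurex or Google documentation): the Go program below models the checks that the JWT identity provider and Google External Key Manager mechanism configured above perform on an incoming Google-generated token, so you can see what each setting contributes. A token is accepted only if its RS256 signature verifies under the key named by its kid in a JWKS document (constructed here in place of https://www.googleapis.com/oauth2/v3/certs), its issuer is https://accounts.google.com, its audience matches the https://<host name>:<port> value from the Audience tab, it lies inside its validity window allowing for the configured Leeway, and its lifetime (exp minus iat) does not exceed Max Validity. The KMES hostname kmes.example.com, the key id kid-1, the token-signing helper and all claim values are assumptions made for this demonstration, not values from the page.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWTPolicy: the values configured on the KMES JWT identity provider and Google EKM mechanism above.
type JWTPolicy struct {
	Issuer, Audience    string
	Leeway, MaxValidity time.Duration
}

// JWK: the subset of RFC 7517/7518 fields needed for an RSA signing key; a JWKS is a list of them.
type JWK struct{ Kty, Kid, Alg, N, E string }
var b64 = base64.RawURLEncoding

// jwksFromPublicKey builds the JWKS an issuer publishes for one key (a constructed stand-in for the Google JWKS URL).
func jwksFromPublicKey(pub *rsa.PublicKey, kid string) []JWK {
	e := big.NewInt(int64(pub.E)).Bytes()
	return []JWK{{Kty: "RSA", Kid: kid, Alg: "RS256", N: b64.EncodeToString(pub.N.Bytes()), E: b64.EncodeToString(e)}}
}

// signRS256 builds a JWT over claims; used only to construct sample tokens in this example.
func signRS256(priv *rsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err
}

// findKey selects the RSA key named by the token's kid from the JWKS and decodes its n and e.
func findKey(jwks []JWK, kid string) (*rsa.PublicKey, bool) {
	for _, k := range jwks {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kid == kid && k.Kty == "RSA" && errN == nil && errE == nil {
			return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, true
		}
	}
	return nil, false
}

// verifyGoogleJWT applies the checks the KMES is configured to enforce: RS256 signature under the JWKS
// key, issuer, audience, time window with leeway, and lifetime (exp - iat) within max validity.
func verifyGoogleJWT(token string, jwks []JWK, p JWTPolicy, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if hb, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("malformed header or unsupported alg") // the untrusted header never picks the algorithm
	}
	pub, ok := findKey(jwks, hdr.Kid)
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ok || err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("unknown kid or signature verification failed")
	}
	var claims map[string]any
	if cb, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(cb, &claims) != nil {
		return nil, errors.New("malformed claims")
	}
	if claims["iss"] != p.Issuer || claims["aud"] != p.Audience {
		return nil, fmt.Errorf("issuer %v / audience %v not accepted", claims["iss"], claims["aud"])
	}
	// JSON numbers decode as float64; a missing iat or exp becomes 0 and fails the window checks below.
	iat, _ := claims["iat"].(float64)
	exp, _ := claims["exp"].(float64)
	issued, expires := time.Unix(int64(iat), 0), time.Unix(int64(exp), 0)
	switch {
	case issued.After(now.Add(p.Leeway)):
		return nil, errors.New("token issued in the future")
	case !now.Before(expires.Add(p.Leeway)):
		return nil, errors.New("token expired")
	case expires.Sub(issued) > p.MaxValidity:
		return nil, errors.New("token lifetime exceeds max validity")
	}
	return claims, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	p := JWTPolicy{Issuer: "https://accounts.google.com", Audience: "https://kmes.example.com:8081", Leeway: 30 * time.Second, MaxValidity: time.Hour}
	now := time.Now()
	tok, _ := signRS256(priv, "kid-1", map[string]any{"iss": p.Issuer, "aud": p.Audience, "iat": now.Unix(), "exp": now.Add(10 * time.Minute).Unix()})
	_, err := verifyGoogleJWT(tok, jwksFromPublicKey(&priv.PublicKey, "kid-1"), p, now)
	fmt.Println("token accepted:", err == nil) // kmes.example.com and kid-1 are constructed values
}
```

Because the Audience value is the KMES's own host and port, a token minted for a different KMES fails the audience check even though it carries a valid Google signature; Leeway absorbs clock skew between Google and the KMES, and Max Validity bounds how long a token would remain usable if it were captured. The KMES also performs its own fetch and caching of the JWKS document, which this example replaces with an in-memory list.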