Configure KMES Series 3
This section shows you how to configure TLS communication between the and the FXCL CNG module, where you plan to run Microsoft AD CS. Then, it covers general configurations on the to enable Microsoft AD CS to integrate with the to manage certificate authorities in a scalable manner and have secure storage, encryption, and signing through FXCL CNG.
Perform the following tasks to configure TLS communication between the and the FXCL CNG module:
- Create a certificate authority.
- Generate a CSR for the System/Host API connection pair.
- Sign the System/Host API CSR.
- Export the Root CA.
- Export the signed System/Host API TLS certificate.
- Load the exported certificates into the System/Host API connection pair.
- Issue a client certificate for Microsoft AD CS.
- Export the signed Microsoft AD CS certificate as a PKCS #12 file.
The following sections describe how to perform these tasks.
Log in to the KMES Series 3 application interface with the default Admin identities.
Go to PKI > Certificate Authorities and select [ Add CA ] at the bottom of the page.
In the Certificate Authority window, enter a name for the Certificate Container, leave all other fields set to the default values, and select [ OK ].
Right-click the certificate container you just created and select Add Certificate > New Certificate.
On the Subject DN tab, select the Classic preset and set a Common Name for the certificate, such as TLS CA Root.
On the Basic Info tab, leave all fields set to the default values.
On the V3 Extensions tab, select the Certificate Authority profile and select [ OK ].
The Certificate Container and the root CA certificate now display in the Certificate Authorities window.
Go to Administration > Configuration > Network Options.
In the Network Options window, go to the TLS/SSL Settings tab.
Under the System/Host API connection pair, uncheck the Use Futurex Certificates checkbox and select [ Edit ] next to PKI keys in the User Certificates section.
In the Application Public Keys window, select [ Generate ].
When warned that SSL will not be functional until new certificates are imported, select [ Yes ] to continue.
In the PKI Parameters window, leave all fields set to the default values and select [ OK ].
You should see that a PKI Key Pair is loaded in the Application Public Keys window
Select [ Request ].
On the Subject DN tab, set a Common Name for the certificate, such as KMES.
On the V3 Extensions tab, select the TLS Server Certificate profile.
On the PKCS #10 Info tab, select a save location for the CSR and select [ OK ].
When prompted that the certificate signing request was successfully written to the file location that was selected, select [ OK ].
Select [ OK ] again to save the Application Public Keys settings.
The main Network Options window now says Loaded next to PKI keys for the System/Host API connection pair.
Go to PKI > Certificate Authorities.
Right-click the System TLS CA Root certificate you created, then select Add Certificate > From Request.
In the file browser, find and select the CSR that was generated for the System/Host API connection pair.
After it loads, you don't need to modify any settings for the certificate. Select [ OK ].
The signed System/Host API TLS certificate now shows under the TLS root CA certificate on the Certificate Authorities page.
Go to PKI > Certificate Authorities.
Right-click the System TLS CA Root certificate and select Export > Certificate(s).
In the Export Certificates window, change the encoding to PEM and select [ Browse ].
In the file browser, go to the location where you want to save the root CA certificate. Specify a name for the file, and select [ Open ].
Select [ OK ].
A message box says that the PEM file was successfully written to the location that you specified.
Move the Root CA certificate to the computer where the Microsoft ADCS instance is running. A later section shows you how to configure and use it for TLS communication with the KMES Series 3.
Go to PKI > Certificate Authorities.
Right-click the certificate and select Export > Certificate(s).
In the Export Certificate window, change the encoding to PEM and select [ Browse ].
In the file browser, go to the location where you want to save the signed System/Host API TLS certificate. Specify a name for the file and select [ Open ].
Select [ OK ].
A message box states that the PEM file was successfully written to the location that you specified.
Go to Administration > Configuration > Network Options.
In the Network Options window, go to the TLS/SSL Settings tab.
Under the System/Host API connection pair, select [ Edit ] next to Certificates in the User Certificates section.
Right-click the System/Host API SSL CA X.509 Certificate Container and select [ Import ].
Select [ Add ] at the bottom of the Import Certificates window.
In the file browser, select both the root CA certificate and the signed System/Host API certificate, and select [ Open ].
The certificate chain appears in the Verified section.
Select [ OK ] to save the changes.
In the Network Options window, the System/Host API connection pair now shows Signed Loaded next to Certificates in the User Certificates section
Select [ OK ] to save and exit the Network Options window.
7| Issue a client certificate for Microsoft AD CS from the CSR generated from the certreq policy file
Go to PKI > Certificate Authorities.
Right-click the System TLS CA Root certificate and select Add Certificate > From Request.
In the file browser, select the ADCS CSR and select [ Open ].
On the Subject DN and Basic Info tabs, leave all fields set to the values that auto-populate from the CSR.
On the V3 Extensions tab, select the TLS Client Certificate profile and select [ OK ].
The AD CS certificate now displays under the System TLS CA Root certificate.
Go to PKI > Certificate Authorities.
Right-click the AD CS certificate and select Export > Certificate(s).
In the Export Certificate window, change the encoding to PEM and select [ Browse ].
In the file browser, navigate to the location where you want to save the signed AD CS certificate. Specify a name for the file and select [ Open ].
Select [ OK ].
A message box states that the PEM file was successfully written to the location that you specified.
Move the signed Microsoft AD CS certificate to the computer where the Microsoft AD CS instance is running. A later section shows you how to configure and use it for TLS communication with the KMES Series 3.
Perform the following tasks to configure the KMES Series 3 for communication with Microsoft AD CS:
- Add a PKI identity provider.
- Create an AD CS role with the required permissions.
- Create an AD CS identity with the correct assigned roles.
- Enable Host API commands.
The following sections show you how to complete these tasks.
This section shows you how to create a new PKI Identity Provider, assign it a TLS authentication mechanism, and add it to an identity as a credential. This allows FXCL CNG to authenticate with the KMES by using the signed Microsoft AD CS certificate that you exported.
Go to Identity Management > Identity Providers.
Right-click anywhere in the window and select Add > Provider > PKI.
On the Info tab of the Identity Provider Editor window, specify a name for the Identity Provider and uncheck the Enforce Dual Factor checkbox.
On the PKI Options tab, select [ Select ]. In the Certificate Selector window, expand the certificate tree you created, select the CA certificate that signed the ADCS and System/Host API connection pair certificates, and select [ OK ].
Select [ OK ] to finish creating the PKI identity provider.
Right-click the identity provider that you created and select Add > Mechanism > TLS.
On the PKI tab, leave all fields set to the default values.
Select [ OK ] to save.
Go to Identity Management > Roles and select [ Add ] at the bottom of the page.
In the Info tab of the Role Editor window, leave the Role Type set to Application, specify a Name for the role, such as Microsoft AD CS, and change the number of Logins Required to 1. Leave all other fields set to the default values.
On the Permissions tab, select the following permissions:
Permission
Subpermissions
Certificate Authority
Add, Export, Upload
Cryptographic Operations
Sign
Keys
Add
On the Advanced tab, set Allowed Ports to Host API only. Leave the other fields set to the default values and select [ OK ] to finish creating the role.
Go to Identity Management > Identity Providers, right-click the PKI identity provider, and select [ Permission ].
In the Set Object-Group Permissions window, select the Show all roles and permissions checkbox, select the drop-down menu next to the Microsoft AD CS role, and select the Use permission.
Select [ OK ] to save.
Go to Identity Management > Identities.
Right-click anywhere in the window and select Add > Client Application.
In the Info tab of the Identity Editor window, leave the Storage Type set to Application, and specify a Name for the identity. Leave all other fields set to the default values.
The name you specify must match the Common Name you chose for the ADCS certificate in the Issue a client certificate for Microsoft AD CS from the CSR generated from the certreq policy file section.
On the Assigned Roles tab, select the Microsoft AD CS role.
Perform the following steps on the Authentication tab:
- Select [ Add ] to add a new credential.
- In the Configure Credential window, select TLS Certificate in the Type drop-down list.
- Select the Provider and Mechanism that you created for this integration.
- Select [ OK ] to finish creating a credential.
Remove the default API Key mechanism, leaving only the TLS Certificate credential, and select [ OK ] to save.
Because FXCL CNG connects to the Host API port on the KMES, you must define which Host API commands to enable for FXCL CNG to execute. To set the enabled commands, complete the following steps:
Go to Administration > Configuration > Host API Options and enable the following commands:
Command
Description and subcommands (If applicable)
CLKY
Manipulate application key
Enable all subcommands
ECHO
Communication Test/Retrieve Version
RKGP
Export PKI key pair
RKGS
Generate Signature
RKLN
Lookup Objects
RKPK
Pop Generated Key
Select [ Save ] to finish.