Configure KMES Series 3

this section starts with the general {{k}} configurations necessary to enable cyberark vault to integrate with the {{k}} and provide the server key then, it covers the necessary steps to configure tls communication between the {{k}} and the vault instance create a role and identity perform the following steps to create a new role and identity for vault withe the required permissions on the {{k3}} (in the {{futurex}} pkcs #11 configuration file section, you need this identity name for the configuration) log in to the {{k3}} application interface with the default admin identities go to identity managemen t > roles and select \[ add ] specify a name for the role, and set the number of logins required to 1 go to the advanced tab and set authentication to the host api port only go to the permissions tab and select the following permissions permission additional modifier cryptographic operations sign, verify, encrypt, decrypt keys add, export select \[ ok ] to finish creating the role go to identity management > identities , right click anywhere on the window, and select add > client application on the info tab, select application for the storage location, and specify a name for the identity on the assigned roles tab, select the role you just created on the authentication tab, configure the password leave all other fields as the default values and select \[ ok ] to finish creating the identity create a key group perform the following steps to create a key group for cyberark vault keys on the {{k3}} where the vault can store the encryption keys (in the {{futurex}} pkcs #11 configuration file section, you need this key group name for the configuration) log in to the {{k3}} application interface with the default admin identities go to key management > keys, right click, and select add > key group select symmetric and trusted in the key group storage in the key group editor window, specify a name for the key group in the owner group drop down menu, select the vault role you created select \[ permissions ], give the vault role you created the use permission, and select \[ ok ] to save select \[ ok ] again to finish creating the key group enable the host api commands because the {{futurex}} pkcs #11 library connects to the host api port on the {{k}} , you must define which host api commands to enable for execution by the fxpkcs11 library to enable the commands, complete the following steps log in to the {{k3}} application interface with the default admin identities go to administration > configuration > host api options and enable the following commands command description echo communication test/retrieve version rafa filter issuance policy rand generate a random number rkck create an hsm trusted key rkcp get command permissions rkcs create a symmetric hsm trusted key group rked encrypt or decrypt data rkhm hmac data rkln lookup objects rklo login user rkrc get an hsm trusted key select \[ save ] configure tls communication this section covers the necessary tasks to set up tls communication between the {{k3}} and the cyberark vault instance create a ca perform the following steps to create a certificate authority (ca) log in to the {{k3}} application interface with the default admin identities go to pki > certificate authorities , and select \[ add ca ] in the certificate authority window, enter a name for the certificate container, leave all other fields as the default values, and select \[ ok ] the certificate container you created displays in the certificate authorities menu right click the certificate container and select add certificate > new certificate on the subject dn tab, set a common name for the certificate, such as system tls ca root on the basic info tab, leave all of the default values set on the v3 extensions tab, select the certificate authority profile and select \[ ok ] the root ca certificate displays under the certificate container you created generate a csr perform the following steps to generate a csr for the system/host api connection pair go to administration > configuration > network options in the network options window, go to the tls/ssl settings tab under the system/host api connection pair, uncheck use futurex certificates, and select \[ edit ] next to pki keys in the user certificates section in the application public keys dialog, select \[ generate ] when prompted that ssl will not be functional until new certificates are imported , select \[ yes ] to continue in the pki parameters dialog, leave the default values set and select \[ ok ] the pki key pair displays in the application public keys window select \[ request ] on the subject dn tab, set a common name for the certificate, such as kmes on the v3 extensions tab, select the tls server certificate profile on the pkcs #10 info tab, select a save location for the csr and select \[ ok ] when prompted that the certificate signing request was successfully written to the selected file location , select \[ ok ] select \[ ok ] again to save the application public keys settings in the main network options dialog, loaded displays next to pki keys for the system/host api connection pair sign the csr perform the following steps to sign the system/host api csr go to pki > certificate authorities right click the root ca certificate you created, and select add certificate > from request in the file browser, find and select the csr generated for the system/host api connection pair after it loads, you don't need to modify any settings for the certificate, so select \[ ok ] the signed system/host api certificate displays under the root ca certificate on the certificate authorities page export the certificate perform the following steps to export the root ca certificate go to pki > certificate authorities right click the system tls ca root certificate, and select export > certificate(s) in the export certificate dialog, change the encoding to pem, and select \[ browse ] in the file browser, go to the location where you want to save the root ca certificate specify a name for the file, and select \[ open ] select \[ ok ] a message box states that the pem file was successfully written to the location that you specified export the signed certificate perform the following steps to export the signed system/host api certificate go to pki > certificate authorities right click on the kmes certificate, and select export > certificate(s) in the export certificate dialog, change the encoding to pem, and select \[ browse ] in the file browser, go to the location where you want to save the signed system/host api certificate specify a name for the file, and select \[ open ] select \[ ok ] a message box states that the pem file was successfully written to the location that you specified load the exported certificates perform the following steps to load the exported certificates into the system/host api connection pair go to administration > configuration > network options in the network options window, go to the tls/ssl settings tab select \[ edit ] next to certificates in the user certificates section right click the system/host api ssl ca x 509 certificate container, and select \[ import ] in the file browser, select the root ca certificate and the signed system/host api certificate and select \[ open ] the certificate chain appears in the window under verified select \[ ok ] to save the changes in the network options dialog, the system/host api connection pair shows as signed loaded next to certificates in the user certificates section select \[ ok ] to save and exit the network options window issue a client certificate perform the following steps to issue a client certificate for vault go to pki > certificate authorities right click the system tls ca root certificate and select add certificate > new certificate on the subject dn tab, set a common name for the certificate, such as vault leave all settings on the basic info tab set to the default values on the v3 extensions tab, select the tls client certificate profile, and select \[ ok ] the vault certificate now displays under the system tls ca root certificate a later section shows you how to configure this client certificate in the {{futurex}} pkcs #11 configuration file export the vault certificate perform the following steps to export the vault certificate as a pkcs #12 file before beginning the export, go to configuration > options and enable the allow export of certificates using passwords option go to pki > certificate authorities right click the vault certificate, and select export > pkcs12 select the export selected option, specify a unique name for the export file, and select \[ next ] choose and enter a file password, and select \[ next ] select \[ finish ] to initiate the export you must move both the vault certificate and the root ca certificate you exported previously to the computer running the vault instance in a later section, you can configure and use them for tls communication with the {{k3}}