Configure KMES Series 3
This section starts with the general KMES configurations necessary to enable CyberArk Vault to integrate with the KMES and provide the Server Key. Then, it covers the necessary steps to configure TLS communication between the KMES and the Vault instance.
Perform the following steps to create a new role and identity for Vault on the KMES Series 3. You will need the identity name later, in the Futurex PKCS #11 configuration file section:
Log in to the KMES Series 3 application interface with the default Admin identities.
Go to Identity Management > Roles and select [ Add ].
Specify a name for the role, and set the number of logins required to 1.
Go to the Advanced tab and set authentication to the Host API port only.
Go to the Permissions tab and select the following permissions:
Permission                  Additional modifier
Cryptographic Operations    Sign, Verify, Encrypt, Decrypt
Keys                        Add, Export
Select [ OK ] to finish creating the role.
Go to Identity Management > Identities, right-click anywhere on the window and select Add > Client Application.
On the Info tab, select Application for the storage location, and specify a name for the identity.
On the Assigned Roles tab, select the role you just created.
On the Authentication tab, configure the password.
Leave all other fields as the default values and select [ OK ] to finish creating the identity.
Perform the following steps to create a key group on the KMES Series 3 in which the Vault can store its encryption keys. You will need the key group name later, in the Futurex PKCS #11 configuration file section:
Log in to the KMES Series 3 application interface with the default Admin identities.
Go to Key Management > Keys, then right-click and select Add > Key Group.
Under Key Group Storage, select Symmetric and Trusted.
In the Key Group Editor window, specify a name for the key group.
In the Owner Group drop-down menu, select the Vault role you created.
Select [ Permissions ], give the Vault role you created the Use permission, and select [ OK ] to save.
Select [ OK ] again to finish creating the key group.
Because the Futurex PKCS #11 library connects to the Host API port on the KMES, you must define which Host API commands to enable for execution by the FXPKCS11 library. To enable the commands, complete the following steps:
Log in to the KMES Series 3 application interface with the default Admin identities.
Go to Administration > Configuration > Host API Options and enable the following commands:
Command    Description
ECHO       Communication test/Retrieve version
RAFA       Filter issuance policy
RAND       Generate random number
RKCK       Create HSM trusted key
RKCP       Get command permissions
RKCS       Create symmetric HSM trusted key group
RKED       Encrypt or decrypt data
RKHM       HMAC data
RKLN       Lookup objects
RKLO       Login user
RKRC       Get HSM trusted key
Select [ Save ].
This section covers the necessary tasks to set up communication between the KMES Series 3 and the CyberArk Vault.
Log in to the KMES Series 3 application interface with the default Admin identities.
Go to PKI > Certificate Authorities, then select [ Add CA ].
In the Certificate Authority window, enter a name for the certificate container, leave all other fields as the default values, and select [ OK ].
The certificate container you created displays in the Certificate Authorities menu.
Right-click the certificate container and select Add Certificate > New Certificate.
On the Subject DN tab, set a Common Name for the certificate, such as System TLS CA Root.
On the Basic Info tab, leave all of the default values set.
On the V3 Extensions tab, select the Certificate Authority profile and click [ OK ].
The Root CA certificate displays under the certificate container you created.
Go to Administration > Configuration > Network Options.
In the Network Options window, go to the TLS/SSL Settings tab.
Under the System/Host API connection pair, uncheck Use Futurex Certificates, and select [ Edit ] next to PKI Keys in the User Certificates section.
In the Application Public Keys dialog, select [ Generate ].
When prompted that SSL will not be functional until new certificates are imported, select [ Yes ] to continue.
In the PKI Parameters dialog, leave the default values set and select [ OK ].
The PKI Key Pair displays in the Application Public Keys window.
Select [ Request ].
On the Subject DN tab, set a Common Name for the certificate, such as KMES.
On the V3 Extensions tab, select the TLS Server Certificate profile.
On the PKCS #10 Info tab, select a save location for the CSR and select [ OK ].
When prompted that the certificate signing request was successfully written to the selected file location, select [ OK ].
Select [ OK ] again to save the Application Public Keys settings.
In the main Network Options dialog, Loaded displays next to PKI Keys for the System/Host API connection pair.
Go to PKI > Certificate Authorities.
Right-click the root CA certificate you created, and select Add Certificate > From Request.
In the file browser, find and select the CSR generated for the System/Host API connection pair.
After the request loads, the certificate settings need no changes; select [ OK ].
The signed System/Host API certificate displays under the root CA certificate on the Certificate Authorities page.
Go to PKI > Certificate Authorities.
Right-click the System TLS CA Root certificate, and select Export > Certificate(s).
In the Export Certificate dialog, change the encoding to PEM, and select [ Browse ].
In the file browser, go to the location where you want to save the Root CA certificate. Specify a name for the file, and select [ Open ].
Select [ OK ].
A message box states that the PEM file was successfully written to the location that you specified.
Go to PKI > Certificate Authorities.
Right-click on the KMES certificate, and select Export > Certificate(s).
In the Export Certificate dialog, change the encoding to PEM, and select [ Browse ].
In the file browser, go to the location where you want to save the signed System/Host API certificate. Specify a name for the file, and select [ Open ].
Select [ OK ].
A message box states that the PEM file was successfully written to the location that you specified.
Go to Administration > Configuration > Network Options.
In the Network Options window, go to the TLS/SSL Settings tab.
Select [ Edit ] next to Certificates in the User Certificates section.
Right-click the System/Host API SSL CA X.509 Certificate Container, and select [ Import ].
In the file browser, find and select both the root CA certificate and the signed System/Host API certificate and select [ Open ].
The certificate chain appears in the window under Verified.
Select [ OK ] to save the changes.
In the Network Options dialog, the System/Host API connection pair shows as Signed Loaded next to Certificates in the User Certificates section.
Select [ OK ] to save and exit the Network Options window.
Go to PKI > Certificate Authorities.
Right-click the System TLS CA Root certificate and select Add Certificate > New Certificate.
On the Subject DN tab, set a Common Name for the certificate, such as Vault.
Leave all settings on the Basic Info tab set to the default values.
On the V3 Extensions tab, select the TLS Client Certificate profile, and select [ OK ].
The Vault certificate now displays under the System TLS CA Root certificate.
A later section shows you how to configure this client certificate in the Futurex PKCS #11 configuration file.
Before beginning the export, go to Configuration > Options and enable the Allow export of certificates using passwords option.
Go to PKI > Certificate Authorities.
Right-click the Vault certificate, and select Export > PKCS12.
Select the Export Selected option, specify a unique name for the export file, and select [ Next ].
Choose and enter a file password, and select [ Next ].
Select [ Finish ] to initiate the export.
Move both the Vault PKCS12 file and the Root CA certificate you exported previously to the computer running the Vault instance. A later section shows how to configure them for TLS communication with the KMES Series 3.