Configure KMES Series 3

15min

this section shows you how to configure tls communication between the {{k3}} and the fx csp module, where you plan to run microsoft ad rms then, it covers general configurations on the {{k3}} to enable ad rms to integrate with the {{k}} to manage certificate authorities in a scalable manner and have secure storage, encryption, and signing through fx csp configure tls communication perform the following tasks to configure tls communication between the {{k3}} and the fx csp module create a certificate authority generate a csr for the system/host api connection pair sign the system/host api csr export the root ca export the signed system/host api tls certificate load the exported certificates into the system/host api connection pair issue a client certificate for microsoft ad rms export the signed microsoft ad rms certificate as a pkcs #12 file the following sections describe how to perform these tasks create a ca perform the following steps to create a certificate authority (ca) log in to the {{k3}} application interface with the default admin identities go to pki > certificate authorities and select \[ add ca ] at the bottom of the page in the certificate authority window, enter a name for the certificate container , leave all other fields set to the default values, and select \[ ok ] right click the certificate container you just created and select add certificate > new certificate on the subject dn tab, select the classic preset and set a common name for the certificate, such as tls ca root on the basic info tab, leave all fields set to the default values on the v3 extensions tab, select the certificate authority profile and select \[ ok ] the certificate container and the root ca certificate now displays in the certificate authorities window generate a csr perform the following steps to generate a csr for the system/host api connection pair go to administration > configuration > network options in the network options window, go to the tls/ssl settings tab under the system/host api connection pair, uncheck the use futurex certificates checkbox and select \[ edit ] next to pki keys in the user certificates section in the application public keys window, select \[ generate ] when warned that ssl will not be functional until new certificates are imported , select \[ yes ] to continue in the pki parameters window, leave all fields set to the default values and select \[ ok ] you should see that a pki key pair is loaded in the application public keys window select \[ request ] on the subject dn tab, set a common name for the certificate, such as kmes on the v3 extensions tab, select the tls server certificate profile on the pkcs #10 info tab, select a save location for the csr and select \[ ok ] when prompted that the certificate signing request was successfully written to the file location that was selected , select \[ ok ] select \[ ok ] again to save the application public keys settings the main network options window now says loaded next to pki keys for the system/host api connection pair sign the csr perform the following steps to sign the system/host api csr go to pki > certificate authorities right click the system tls ca root certificate you created, and select add certificate > from request in the file browser, find and select the csr generated for the system/host api connection pair after it loads, you don't need to modify the certificate settings select \[ ok ] the signed system/host api tls certificate now shows under the tls root ca certificate on the certificate authorities page export the root ca certificate perform the following steps to export the root ca certificate go to pki > certificate authorities right click the system tls ca root certificate and select export > certificate(s) in the export certificates window, change the encoding to pem and select \[ browse ] in the file browser, go to the location where you want to save the root ca certificate specify a name for the file, and select \[ open ] select \[ ok ] a message box states that the pem file was successfully written to the location that you specified move the root ca certificate to the computer where the microsoft adcs instance is running a later section shows you how to configure and use it for tls communication with the {{k3}} export the signed certificate perform the following steps to export the signed system/host api tls certificate go to pki > certificate authorities right click the {{k}} certificate and select export > certificate(s) in the export certificate window, change the encoding to pem and select \[ browse ] in the file browser, go to the location where you want to save the signed system/host api tls certificate specify a name for the file and select \[ open ] select \[ ok ] a message box states that the pem file was successfully written to the location that you specified load the exported certificates perform the following steps to load the exported tls certificates into the system/host api connection pair go to administration > configuration > network options in the network options window, go to the tls/ssl settings tab under the system/host api connection pair, select \[ edit ] next to certificates in the user certificates section right click the system/host api ssl ca x 509 certificate container and select \[ import ] select \[ add ] at the bottom of the import certificates window in the file browser, select both the root ca certificate and the signed system/host api certificate, and select \[ open ] the certificate chain appears in the verified section select \[ ok ] to save the changes in the network options window, the system/host api connection pair now shows signed loaded next to certificates in the user certificates section select \[ ok ] to save and exit the network options window issue a client certificate perform the following steps to issue a client certificate for microsoft ad rms from the csr generated from the certreq policy file go to pki > certificate authorities right click the system tls ca root certificate and select add certificate > from request in the file browser, select the adcs csr and select \[ open ] on the subject dn and basic info tabs, leave all fields set to the values that auto populate from the csr on the v3 extensions tab, select the tls client certificate profile and select \[ ok ] the ad rms certificate now displays under the system tls ca root certificate export the signed certificate perform the following steps to export the signed microsoft ad rms certificate go to pki > certificate authorities right click the ad rms certificate and select export > certificate(s) in the export certificate window, change the encoding to pem and select \[ browse ] in the file browser, go to the location where you want to save the signed ad rms certificate specify a name for the file and select \[ open ] select \[ ok ] a message box states that the pem file was successfully written to the location that you specified move the signed microsoft ad rms certificate to the computer where the microsoft ad rms instance is running a later section shows you how to configure and use it for tls communication with the {{k3}} configure general {{k}} settings for {{k}} to ad rms communication perform the following tasks to configure the {{k3}} for communication with microsoft ad rms add a pki identity provider create an ad rms role with the required permissions create an ad rms identity with the correct assigned roles enable host api commands the following sections show you how to complete these tasks add a pki identity provider this section shows you how to create a new pki identity provider, assign it a tls authentication mechanism, and add it to an identity as a credential this allows fx csp to authenticate with the {{k}} by using the signed microsoft ad rms certificate that you exported go to identity management > identity providers right click anywhere in the window and select add > provider > pki on the info tab of the identity provider editor window, specify a name for the identity provider and uncheck the enforce dual factor checkbox on the pki options tab, select \[ select ] in the certificate selector window, expand the certificate tree you created, select the ca certificate that signed the adcs and system/host api connection pair certificates, and select \[ ok ] select \[ ok ] to finish creating the pki identity provider right click the identity provider that you created and select add > mechanism > tls on the pki tab, leave all fields set to the default values select \[ ok ] to save create a role perform the following steps to create a role for microsoft ad rms and grant it permission to use the pki identity provider go to identity management > roles and select \[ add ] at the bottom of the page in the info tab of the role editor window, leave the role type set to application , specify a name for the role, such as microsoft ad rms , and change the number of logins required to 1 leave all other fields set to the default values on the permissions tab, select the following permissions permission subpermissions certificate authority add, export, upload cryptographic operations sign keys add on the advanced tab, set allowed ports to host api only leave the other fields set to the default values and select \[ ok ] to finish creating the role go to identity management > identity providers , right click the pki identity provider, and select \[ permission ] in the set object group permissions window, select the show all roles and permissions checkbox, select the drop down menu next to the microsoft ad rms role, and select the use permission select \[ ok ] to save create a new identity perform the following steps to create a new identity and assign it the microsoft ad rms role and pki authentication credentials go to identity management > identities right click anywhere in the window and select add > client application in the info tab of the identity editor window, leave the storage type set to application , and specify a name for the identity leave all other fields set to the default values the name you specify must match the common name you chose for the adcs certificate in the issue a client certificate section of this guide on the assigned roles tab, select the microsoft ad rms role perform the following steps on the authentication tab select \[ add ] to add a new credential in the configure credential window, select tls certificate in the type drop down list select the provider and mechanism that you created for this integration select \[ ok ] to finish creating a credential remove the default api key mechanism, leaving only the tls certificate credential, and select \[ ok ] to save enable the host api commands because fx csp connects to the host api port on the {{k}} , you must define which host api commands to enable fx csp to execute to set the enabled host api commands for the microsoft ad rms operation, complete the following steps go to administration > configuration > host api options and enable the following commands command description and subcommands (if applicable) atkg manage hsm trusted asymmetric key groups attr manage generic attributes clky manipulate the application key enable all subcommands echo communication test/retrieve version rafa filter for issuance policies with use permissions rkcp retrieve command permissions (enabled commands) rkgp export pki key pair rkgs generate signature rkln lookup objects rkpk pop generated key select \[ save ] to finish

Generate a CSR from a certreq policy file

Create an association between the signed AD RMS certificate and the key pair in the Windows Certificate Store