Configure KMES Series 3
This section starts with the general KMES configurations necessary for Oracle Database to store the TDE Master Encryption Key on the KMES. Then, it shows how to configure TLS communication between the KMES Series 3 and the Oracle Database instance.
Perform the following tasks to configure the KMES Series 3 for communication with FXPKCS #11:
- Create an Oracle Database role with the correct assigned permissions.
- Create an Oracle Database identity with the correct role.
- Create the key group for Oracle TDE keys.
- Enable Host API commands.
The following sections show you how to complete these tasks.
Log in to the KMES Series 3 with the default Admin identities.
Go to Identity Management > Roles and select [ Add ] at the bottom of the page.
On the Info tab, set the Type to Application, set a name for the role such as Oracle Database, and set Logins Required to 1.
Under the Permissions tab, enable the following permissions:

| Permission | Subpermission |
| --- | --- |
| Certificate Authority | All subpermissions |
| Cryptographic Operations | All subpermissions |
| Device Groups | All subpermissions |
| Keys | All subpermissions |
On the Advanced tab, set Allowed Ports to Host API only.
Select [ OK ] to finish creating the role.
Go to Identity Management > Identities.
Right-click anywhere in the window and select Add > Client Application.
On the Info tab, set the Storage type to Application and set a name for the identity.
On the Assigned Roles tab, select the Oracle Database role you just created.
On the Authentication tab, remove the default API Key mechanism, add the Password authentication mechanism, and configure the password.
Select [ OK ] to finish creating the identity.
A later section shows you how to configure the name of the identity in the fxpkcs11.cfg file to enable the Futurex PKCS #11 library to connect to the KMES Series 3.
Perform the following steps to create a key group for the Oracle TDE – KMES Series 3 integration. This key group contains the created or renewed Master Keys for Oracle TDE.
You can choose any name for the key group, but remember the name because you need to use it later in the <KEYGROUP-NAME> tag in the fxpkcs11.cfg file.
Log in to the KMES Series 3 with the default Admin identities.
Go to Key Management > Keys. In the Key Groups section, select [ Create ].
In the Select Key Group Storage window, set the Key Type to Symmetric, and the Storage Location to HSM Trusted. Then, select [ OK ].
In the Key Group Editor window, set the name of the key group, set the Owner Group to the Oracle Database role, and ensure that the Oracle Database role has Add permissions for the key group.
Select [ OK ] to finish creating the key group.
Because the connection to the FXPKCS11 library uses the Host API port, you must define which commands to enable for execution by the FXPKCS11 library. To set the enabled commands, complete the following steps:
Log in to the KMES Series 3 with the default Admin identities.
Go to Administration > Configuration > Host API Options and enable the following commands:

| Command | Description |
| --- | --- |
| ECHO | Communication Test/Retrieve Version |
| RAFA | Filter Issuance Policy |
| RKCK | Create Key |
| RKCP | Get Command Permissions |
| RKCS | Create Symmetric Key Group |
| RKED | Encrypt or Decrypt Data |
| RKLN | Lookup Objects |
| RKLO | Login User |
| RKRC | Get Key |
Select [ Save ] to finish.
Perform the following tasks to configure TLS communication between the KMES Series 3 and the Oracle Database instance:
- Create a Certificate Authority.
- Generate a CSR for the System/Host API connection pair.
- Sign the System/Host API CSR.
- Export the Root CA.
- Export the signed System/Host API TLS certificate.
- Load the exported certificates into the System/Host API connection pair.
- Generate a private key and CSR for the Oracle Database instance by using OpenSSL.
- Sign the CSR for the Oracle Database instance.
- Export the signed Oracle TDE certificate.
The following sections describe how to perform these tasks.
Log in to the KMES Series 3 application interface with the default Admin identities.
Go to PKI > Certificate Authorities and select [ Add CA ] at the bottom of the page.
In the Certificate Authority window, enter a name for the certificate container, leave all other fields set to the default values, and select [ OK ].
The certificate container that you just created appears in the Certificate Authorities menu.
Right-click the certificate container and select Add Certificate > New Certificate.
On the Subject DN tab, set a Common Name for the certificate, such as System TLS CA Root.
On the Basic Info tab, leave the fields set to the default values.
On the V3 Extensions tab, select the Certificate Authority profile and select [ OK ].
The root CA certificate now displays under the previously created certificate container.
Go to Administration > Configuration > Network Options.
In the Network Options window, go to the TLS/SSL Settings tab.
Under the System/Host API connection pair, uncheck the Use Futurex certificates checkbox and select [ Edit ] next to PKI keys.
In the Application Public Keys window, select [ Generate ].
When prompted that SSL will not be functional until you import new certificates, select [ Yes ] to continue.
In the PKI Parameters window, leave the fields set to the default values and select [ OK ].
The Application Public Keys window now shows that a PKI key pair is Loaded.
Select [ Request ].
On the Subject DN tab, you can leave the default System/Host API value set in the Common Name field or change it to a different value.
On the V3 Extensions tab, select the TLS Server Certificate profile.
On the PKCS #10 Info tab, select a save location for the CSR and select [ OK ].
When notified that the certificate signing request was successfully written to the selected file location, select [ OK ].
Select [ OK ] to save the Application Public Keys settings.
The main Network Options window now shows Loaded next to PKI keys for the System/Host API connection pair.
Go to PKI > Certificate Authorities.
Right-click the System TLS CA Root certificate and select Add Certificate > From Request.
In the file browser, select the CSR for the System/Host API connection pair.
Don't modify any of the settings for the certificate after it loads. Select [ OK ].
The signed System/Host API certificate shows under the root CA certificate on the Certificate Authorities page.
Go to PKI > Certificate Authorities.
Right-click the System TLS CA Root certificate and select Export > Certificate(s).
In the Export Certificate window, change the encoding to PEM and select [ Browse ].
In the file browser, select the location where you want to save the root CA Certificate. Specify a name for the file and select [ Open ].
Select [ OK ].
A message box states that the PEM file was successfully written to the location you specified.
Go to PKI > Certificate Authorities.
Right-click the System/Host API certificate and select Export > Certificate(s).
In the Export Certificate window, change the encoding to PEM and select [ Browse ].
In the file browser, select the location where you want to save the signed System/Host API certificate. Specify a name for the file and select [ Open ].
Select [ OK ].
A message box states that the PEM file was successfully written to the location you specified.
Go to Administration > Configuration > Network Options.
In the Network Options window, go to the TLS/SSL Settings tab.
Select [ Edit ] next to Certificates in the User Certificates section.
Right-click the System/Host API SSL CA X.509 certificate container and select [ Import ].
Select [ Add ] at the bottom of the Import Certificates window.
In the file browser, select both the root CA certificate and the signed System/Host API certificate and select [ Open ].
Select [ OK ] to save changes.
In the Network Options window, the System/Host API connection pair shows Signed loaded next to Certificates in the User Certificates section.
Select [ OK ] to save and exit the Network Options window.
You must run the commands in this section from a terminal on a host that has OpenSSL installed.
Open a terminal and run the following command to generate a private key for the Oracle Database instance:
The private key outputs to a file named tls_skey.pem in the current working directory.
Run the following command to generate a CSR for the Oracle Database instance:
When prompted, enter the certificate information, pressing the Enter key at every prompt to set the default value for each field.
The CSR outputs to a file named tls_cert_req.pem in the current working directory.
Move or copy the CSR file (`tls_cert_req.pem`) to the storage medium configured on the KMES.
Go to PKI > Certificate Authorities.
Right-click the System TLS CA Root certificate and select Add Certificate > From Request.
In the file browser, select the Oracle Database CSR.
Certificate information populates in the Create X.509 From CSR window.
On the Subject DN tab, change the preset drop-down option to Classic, and set a common name for the certificate, such as Oracle TDE.
Leave all fields in the Basic Info tab set to the default values.
On the V3 Extensions tab, select the TLS Client Certificate profile and select [ OK ].
The signed Oracle TDE certificate now displays under the System TLS CA Root certificate.
Go to PKI > Certificate Authorities.
Right-click the Oracle TDE certificate and select Export > Certificate(s).
In the Export Certificate window, change the encoding to PEM and select [ Browse ].
In the file browser, navigate to the location where you want to save the Oracle TDE certificate. Specify a name for the file and select [ Open ].
Select [ OK ].
A message box states that the PEM file was successfully written to the location you specified.
Move both the Oracle TDE certificate and the System TLS CA Root certificate to the computer running the Oracle Database instance.
The next section shows you how to configure the certificates in the Futurex PKCS #11 configuration file and use them for TLS communication with the KMES Series 3.