Configure KMES Series 3

This section starts with the general KMES configuration that Oracle Database needs in order to store the TDE master encryption key on the KMES. It then shows how to configure TLS communication between the KMES Series 3 and the Oracle Database instance.

Configure general KMES settings for the Oracle Database 19c integration

Perform the following tasks to configure the KMES Series 3 for communication with FXPKCS#11:

- Create an Oracle Database role with the correct assigned permissions
- Create an Oracle Database identity with the correct role
- Create the key group for Oracle TDE keys
- Enable Host API commands

The following sections show you how to complete these tasks.

Create a role

Perform the following steps to create a role for Oracle Database with the required permissions:

1. Log in to the KMES Series 3 with the default Admin identities.
2. Go to Identity Management > Roles and select [ Add ] at the bottom of the page.
3. On the Info tab, set the Type to Application, set a name for the role, such as Oracle Database, and set Logins Required to 1.
4. Under the Permissions tab, enable the following permissions:

   Permission                 Subpermission
   Certificate Authority      All subpermissions
   Cryptographic Operations   All subpermissions
   Device Groups              All subpermissions
   Keys                       All subpermissions

5. On the Advanced tab, set Allowed Ports to Host API only.
6. Select [ OK ] to finish creating the role.

Restricting Allowed Ports to Host API means this role can only be used over the port the PKCS #11 library connects to, not to log in to the administrative interface; keep it that way.

Create an identity

Perform the following steps to create a new identity and assign it the Oracle Database role:

1. Go to Identity Management > Identities.
2. Right-click anywhere in the window and select Add > Client Application.
3. On the Info tab, set the Storage Type to Application and set a name for the identity.
4. On the Assigned Roles tab, select the Oracle Database role you just created.
5. On the Authentication tab, remove the default API Key mechanism, add the Password authentication mechanism, and configure the password.
6. Select [ OK ] to finish creating the identity.

This password is the credential the PKCS #11 library presents when it logs in as this identity (the RKLO command enabled below), so choose it and store it as you would any application secret. A later section shows you how to configure the name of the identity in the fxpkcs11.cfg file so that the Futurex PKCS #11 library can connect to the KMES Series 3.

Create the key group

Perform the following steps to create a key group for the Oracle TDE – KMES Series 3 integration. This key group contains the master keys that Oracle TDE creates or renews. You can choose any name for the key group, but remember the name because you need to use it later in the <KEYGROUP-NAME> tag in the fxpkcs11.cfg file.

1. Log in to the KMES Series 3 with the default Admin identities.
2. Go to Key Management > Keys.
3. In the Key Groups section, select [ Create ].
4. In the Select Key Group Storage window, set the Key Type to Symmetric and the Storage Location to HSM Trusted. Then, select [ OK ].
5. In the Key Group Editor window, set the name of the key group, set the Owner Group to the Oracle Database role, and ensure that the Oracle Database role has Add permissions for the key group.
6. Select [ OK ] to finish creating the key group.

Enable the Host API commands

Because the connection from the FXPKCS11 library uses the Host API port, you must define which commands the FXPKCS11 library is allowed to execute. To set the enabled commands required for Oracle TDE operation, complete the following steps:

1. Log in to the KMES Series 3 with the default Admin identities.
2. Go to Administration > Configuration > Host API Options and enable the following commands:

   Command   Description
   ECHO      Communication test / retrieve version
   RAFA      Filter issuance policy
   RKCK      Create key
   RKCP      Get command permissions
   RKCS      Create symmetric key group
   RKED      Encrypt or decrypt data
   RKLN      Lookup objects
   RKLO      Login user
   RKRC      Get key

3. Select [ Save ] to finish.

Treat this list as the allowlist for the library: enable only the commands the integration needs.

Configure TLS communication

Perform the following tasks to configure TLS communication between the KMES Series 3 and the Oracle Database instance:

- Create a certificate authority
- Generate a CSR for the System/Host API connection pair
- Sign the System/Host API CSR
- Export the root CA
- Export the signed System/Host API TLS certificate
- Load the exported certificates into the System/Host API connection pair
- Generate a private key and CSR for the Oracle Database instance by using OpenSSL
- Sign the CSR for the Oracle Database instance
- Export the signed Oracle TDE certificate

The following sections describe how to perform these tasks.

Create a CA

Perform the following steps to create a certificate authority (CA):

1. Log in to the KMES Series 3 application interface with the default Admin identities.
2. Go to PKI > Certificate Authorities and select [ Add CA ] at the bottom of the page.
3. In the Certificate Authority window, enter a name for the certificate container, leave all other fields set to the default values, and select [ OK ].
4. The certificate container that you just created appears in the Certificate Authorities menu. Right-click the certificate container and select Add Certificate > New Certificate.
5. On the Subject DN tab, set a common name for the certificate, such as System TLS CA Root.
6. On the Basic Info tab, leave the fields set to the default values.
7. On the V3 Extensions tab, select the Certificate Authority profile and select [ OK ].

The root CA certificate now displays under the previously created certificate container.

Generate a CSR

Perform the following steps to generate a CSR for the System/Host API connection pair:

1. Go to Administration > Configuration > Network Options.
2. In the Network Options window, go to the TLS/SSL Settings tab.
3. Under the System/Host API connection pair, uncheck the Use Futurex Certificates checkbox and select [ Edit ] next to PKI Keys.
4. In the Application Public Keys window, select [ Generate ].
5. When prompted that SSL will not be functional until you import new certificates, select [ Yes ] to continue.
6. In the PKI Parameters window, leave the fields set to the default values and select [ OK ].
7. The Application Public Keys window now shows that a PKI key pair is loaded. Select [ Request ].
8. On the Subject DN tab, you can leave the default System/Host API value set in the Common Name field or change it to a different value.
9. On the V3 Extensions tab, select the TLS Server Certificate profile.
10. On the PKCS #10 Info tab, select a save location for the CSR and select [ OK ].
11. When notified that the certificate signing request was successfully written to the selected file location, select [ OK ].
12. Select [ OK ] to save the Application Public Keys settings.

The main Network Options window now shows Loaded next to PKI Keys for the System/Host API connection pair.

Sign the System/Host API CSR

Perform the following steps to sign the System/Host API CSR:

1. Go to PKI > Certificate Authorities.
2. Right-click the System TLS CA Root certificate and select Add Certificate > From Request.
3. In the file browser, select the CSR for the System/Host API connection pair.
4. Don't modify any of the settings for the certificate after it loads. Select [ OK ].

The signed System/Host API certificate shows under the root CA certificate on the Certificate Authorities page.

Export the CA certificate

Perform the following steps to export the root CA certificate:

1. Go to PKI > Certificate Authorities.
2. Right-click the System TLS CA Root certificate and select Export > Certificate(s).
3. In the Export Certificate window, change the encoding to PEM and select [ Browse ].
4. In the file browser, select the location where you want to save the root CA certificate. Specify a name for the file and select [ Open ].
5. Select [ OK ]. A message box states that the PEM file was successfully written to the location you specified.

Export the certificate

Perform the following steps to export the signed System/Host API certificate:

1. Go to PKI > Certificate Authorities.
2. Right-click the System/Host API certificate and select Export > Certificate(s).
3. In the Export Certificate window, change the encoding to PEM and select [ Browse ].
4. In the file browser, select the location where you want to save the signed System/Host API certificate. Specify a name for the file and select [ Open ].
5. Select [ OK ]. A message box states that the PEM file was successfully written to the location you specified.

Load the certificates

Perform the following steps to load the exported certificates into the System/Host API connection pair:

1. Go to Administration > Configuration > Network Options.
2. In the Network Options window, go to the TLS/SSL Settings tab.
3. Select [ Edit ] next to Certificates in the User Certificates section.
4. Right-click the System/Host API SSL CA X.509 certificate container and select [ Import ].
5. Select [ Add ] at the bottom of the Import Certificates window.
6. In the file browser, select both the root CA certificate and the signed System/Host API certificate and select [ Open ].
7. Select [ OK ] to save changes. In the Network Options window, the System/Host API connection pair shows Signed Loaded next to Certificates in the User Certificates section.
8. Select [ OK ] to save and exit the Network Options window.

Generate a private key and CSR

Perform the following steps to generate a private key and CSR for the Oracle Database instance by using OpenSSL. You must run the commands in this section from a terminal application with OpenSSL installed.

1. Open a terminal and run the following command to generate a private key for the Oracle Database instance:

       openssl genrsa -out tls_skey.pem 2048

   The private key outputs to a file named tls_skey.pem in the current working directory. This file is the TLS client identity of the database instance: restrict its permissions to the account that runs Oracle (for example, chmod 600 tls_skey.pem) and never copy it to the KMES; only the CSR leaves the host.

2. Run the following command to generate a CSR for the Oracle Database instance:

       openssl req -new -key tls_skey.pem -out tls_cert_req.pem -days 365

   When prompted, enter the certificate information, pressing the Enter key at every prompt to set the default value for each field. The CSR outputs to a file named tls_cert_req.pem in the current working directory. Note that -days has no effect on a CSR (OpenSSL honours it only together with -x509); the validity period of the certificate is set by the KMES when it signs the request.

3. Move or copy the CSR file (tls_cert_req.pem) to the storage medium configured on the KMES.

Sign the CSR

Perform the following steps to sign the CSR for the Oracle Database instance:

1. Go to PKI > Certificate Authorities.
2. Right-click the System TLS CA Root certificate and select Add Certificate > From Request.
3. In the file browser, select the Oracle Database CSR. The certificate information populates in the Create X.509 From CSR window.
4. On the Subject DN tab, change the Preset drop-down option to Classic, and set a common name for the certificate, such as Oracle TDE.
5. Leave all fields in the Basic Info tab set to the default values.
6. On the V3 Extensions tab, select the TLS Client Certificate profile and select [ OK ].

The signed Oracle TDE certificate now displays under the System TLS CA Root certificate.

Export the certificate

Perform the following steps to export the signed Oracle TDE certificate:

1. Go to PKI > Certificate Authorities.
2. Right-click the Oracle TDE certificate and select Export > Certificate(s).
3. In the Export Certificate window, change the encoding to PEM and select [ Browse ].
4. In the file browser, go to the location where you want to save the Oracle TDE certificate. Specify a name for the file and select [ Open ].
5. Select [ OK ]. A message box states that the PEM file was successfully written to the location you specified.
6. Move both the Oracle TDE certificate and the System TLS CA Root certificate to the computer running the Oracle Database instance.

The next section shows you how to configure the certificates in the Futurex PKCS #11 configuration file and use them for TLS communication with the KMES Series 3.
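The OpenSSL key and CSR steps, and the checks worth running on the exported certificates before they go to the database host, as an added example that is not part of the Futurex page. Because the real signing happens in the KMES interface, the script stands in a constructed local CA (System TLS CA Root) for the "Sign the CSR" step so that the whole flow can be exercised offline; the file names tls_skey.pem and tls_cert_req.pem follow the page, while oracle_tde.pem, system_tls_ca_root.pem, the ca.cnf/csr.cnf/client_ext.cnf files and the function names are assumptions made here.

```shell
#!/bin/sh
# Added example, not code from the Futurex page or product.
# Generates the Oracle instance key + CSR, simulates the KMES CA signing
# (TLS Client Certificate profile), then checks chain, EKU and key match.
set -eu

# Step 1-2 of the page: key and CSR for the Oracle Database instance.
# The subject is supplied through a config file instead of interactive
# prompts; -days is omitted because it does nothing for a CSR.
make_key_and_csr() {
    dir="$1"; cn="$2"
    openssl genrsa -out "$dir/tls_skey.pem" 2048 2>/dev/null
    chmod 600 "$dir/tls_skey.pem"          # private key: owner-only
    cat > "$dir/csr.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $cn
EOF
    openssl req -new -key "$dir/tls_skey.pem" -config "$dir/csr.cnf" \
        -out "$dir/tls_cert_req.pem" 2>/dev/null
    # The CSR must parse and its self-signature must verify with the key.
    openssl req -in "$dir/tls_cert_req.pem" -noout -verify >/dev/null 2>&1
}

# Stand-in for the KMES "Create a CA" and "Sign the CSR" steps. The real
# CA private key never leaves the KMES; this throwaway CA exists only so
# the verification below can run offline. The extensions mirror what a
# TLS client profile is expected to produce (clientAuth EKU).
simulate_kmes_ca_sign() {
    dir="$1"
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = System TLS CA Root
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -config "$dir/ca.cnf" -keyout "$dir/ca_key.pem" \
        -out "$dir/system_tls_ca_root.pem" 2>/dev/null
    cat > "$dir/client_ext.cnf" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF
    openssl x509 -req -in "$dir/tls_cert_req.pem" \
        -CA "$dir/system_tls_ca_root.pem" -CAkey "$dir/ca_key.pem" \
        -CAcreateserial -days 365 -extfile "$dir/client_ext.cnf" \
        -out "$dir/oracle_tde.pem" 2>/dev/null
}

# Checks to run on the two PEM files exported from the KMES before they
# are wired into the PKCS #11 configuration. Returns non-zero on failure.
verify_client_cert() {
    dir="$1"
    # 1. Chain: the leaf must validate to the exported root as a TLS client.
    openssl verify -purpose sslclient -CAfile "$dir/system_tls_ca_root.pem" \
        "$dir/oracle_tde.pem" >/dev/null 2>&1 || return 1
    # 2. EKU: a cert signed with a server profile by mistake fails here.
    openssl x509 -in "$dir/oracle_tde.pem" -noout -text \
        | grep -q "TLS Web Client Authentication" || return 1
    # 3. Key match: the cert's public key must equal the one in tls_skey.pem;
    #    a mismatch is the usual cause of a silent TLS handshake failure.
    openssl x509 -in "$dir/oracle_tde.pem" -noout -pubkey > "$dir/cert_pub.pem"
    openssl pkey -in "$dir/tls_skey.pem" -pubout > "$dir/key_pub.pem" 2>/dev/null
    cmp -s "$dir/cert_pub.pem" "$dir/key_pub.pem"
}

main() {
    workdir="${1:-$(mktemp -d)}"
    make_key_and_csr "$workdir" "Oracle TDE"
    simulate_kmes_ca_sign "$workdir"
    if verify_client_cert "$workdir"; then
        echo "ok: $workdir/oracle_tde.pem chains to the root and matches tls_skey.pem"
    else
        echo "FAIL: certificate, key or chain mismatch in $workdir" >&2
        exit 1
    fi
}

main "$@"
```

For the real integration, skip simulate_kmes_ca_sign: run make_key_and_csr, upload tls_cert_req.pem to the KMES, sign it there with the TLS Client Certificate profile, export the Oracle TDE certificate and the root as PEM into the same directory under the names above, and run verify_client_cert on them. A final end-to-end check before touching Oracle is a mutual-TLS handshake against the Host API port with openssl s_client -connect <kmes-host>:<host-api-port> -cert oracle_tde.pem -key tls_skey.pem -CAfile system_tls_ca_root.pem (host and port are placeholders; the page does not state the port).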