Pre-Integration Steps
This section lists the steps to be performed before starting with the integration.
Creating a User on the CipherTrust Manager
Create a user on the CipherTrust Manager and add it to the Key Admins group. For more information, refer to the CipherTrust Manager documentation.
Registering a KMIP Client
You need to switch the domain before performing this operation.
You can register a KMIP client on the CipherTrust Manager using either of the following methods: auto-registration or manual registration.
Using Auto-Registration
Create a registration token using the following steps:
Log on to the CipherTrust Manager.
Go to Access Management > Registration Tokens in the sidebar.
Click Create New Registration Token.
Copy the Registration Token once it is created.
Turn ON Auto Registration using the following steps:
Go to Admin Settings > Interfaces.
Click the ellipsis icon corresponding to the KMIP interface.
Click Edit.
Under the Configure KMIP window, select Auto Registration.
Paste the Registration Token.
Select the mode as TLS, verify client cert, user name taken from client cert, auth request is optional.
Click Update.
Using Manual Registration
Log on to the CipherTrust Manager.
Go to Products > KMIP.
Create a Client Profile using the following steps:
Go to Client Profile and click Add Profile.
Add a Profile Name.
Select CN in Username Location in Certificate.
For Domain, the CN will be domain||username.
Click Certificate Details.
Paste the content of the generated client.csr.
Click Save.
Create a Registration Token using the following steps:
Go to Registration Token and click New Registration Token > Begin.
Add a Name Prefix.
Click Select CA.
Select the CA type as Local if you are using a Local CA, or External if you are using an External CA.
Select appropriate CA from the dropdown menu and click Select Profile.
From the dropdown, select the Client Profile that you created.
Click Create Token.
Copy the Token value and click Done.
If you are using an external CA, you can select the external CA that was created using openssl and uploaded to the CipherTrust Manager.
Go to Registered Clients and click Add Client. Specify the client's name and paste the generated Registration Token.
If you are using an external CA, paste the signed client certificate in the Client Certificate field.
Click Save > Save Certificate to save the Client Certificate.
Configuring the KMIP Interface
Perform the following steps to configure the KMIP interface:
Go to Admin Settings > Interfaces.
On the KMIP Interface, click the ellipsis icon, then click Edit. A Configure KMIP popup is displayed.
Select the Auto Registration check box if you registered your client using Auto Registration. However, if you registered your client manually, clear the check box.
While selecting Auto Registration, ensure that you create a registration token and enter its value in the Registration Token field. Refer to the CipherTrust Manager documentation for details.
Select the mode as TLS, verify client cert, user name taken from client cert, and auth request is optional.
Specify selections for Local CA for Automatic Server Certificate Generation as desired.
In case of an External CA, set Local CA for Automatic Server Certificate Generation to Turn off auto-generation from Local CA.
Select the CA according to your preference.
If you are using an External CA, select the CA under External Trusted CAs.
If you are using a Local CA, select the CA under Local Trusted CAs.
Expand the Upload Certificate section (Applicable to External CA):
In the Certificate field, paste the content of the Server Certificate, CA, and the Server Key file in the same order. Do not introduce any space, characters, or symbols between the content of these files.
Set the certificate Format as PEM.
Specify the Password (Optional).
Click Update.
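The Upload Certificate step above depends on the paste order (Server Certificate, CA, Server Key) and on nothing else appearing between the files. The following is an added example, not part of the CipherTrust Manager documentation or product: a structural check you can run on the bundle before pasting it. The function names and the placeholder PEM blocks are constructed for illustration; the check does not verify that the key matches the certificate or that the certificate chains to the CA.

```python
import base64
import binascii
import re

# One PEM block: BEGIN line, body, END line with the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}


def build_bundle(server_cert, ca_cert, server_key):
    """Join the PEM files in upload order: server certificate, CA, server key."""
    return "".join(p.strip() + "\n" for p in (server_cert, ca_cert, server_key))


def check_bundle(bundle):
    """Return a list of structural problems; an empty list means none found."""
    problems = []
    blocks = PEM_BLOCK.findall(bundle)  # [(label, body), ...]
    labels = [label for label, _ in blocks]
    if (len(labels) != 3 or labels[:2] != ["CERTIFICATE", "CERTIFICATE"]
            or labels[2] not in KEY_LABELS):
        problems.append("order must be certificate, certificate, key; got %s" % labels)
    # Assumption: line breaks between blocks are fine, anything else is stray.
    if PEM_BLOCK.sub("", bundle).strip("\r\n"):
        problems.append("text or spaces found between PEM blocks")
    for body in (b for label, b in blocks if label == "CERTIFICATE"):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            der = b""
        if not der.startswith(b"\x30"):  # DER certificates begin with SEQUENCE
            problems.append("certificate body is not base64-encoded DER")
    return problems


def sample_pem(label, payload):
    """Constructed placeholder block (not a real certificate or key)."""
    body = base64.b64encode(b"\x30" + payload).decode()
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


if __name__ == "__main__":
    parts = [sample_pem("CERTIFICATE", b"server"), sample_pem("CERTIFICATE", b"ca"),
             sample_pem("PRIVATE KEY", b"key")]
    print(check_bundle(build_bundle(*parts)))
```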
Creating a Client Certificate
Perform the following steps to create a Client Certificate:
Log in to Nimble Storage with your credentials.
Navigate to Administration >> Security >> SSL Certificate.
Create a CSR by selecting the right option from the dropdown.
Generate your CSR by filling in the required fields and clicking Generate. Once the CSR is generated, copy the contents of the .pem file to get it signed by the CA on the CipherTrust Manager.
While using domains, switch to the required domain on CipherTrust Manager and get it signed from the CA of the domain.
Download a copy of this freshly issued certificate along with a copy of the CA that issued it.