Pre-Integration Steps
This section lists the steps to be performed before starting with the integration.
Creating a User on the CipherTrust Manager
Create a user on the CipherTrust Manager and add it to the Key Admins group. For more information, refer to the CipherTrust Manager documentation.
Registering a KMIP Client
You need to switch the domain before performing this operation.
You can register a KMIP client on the CipherTrust Manager using either auto-registration or manual registration, as described below.
Using Auto-Registration
Create a registration token using the following steps:
1. Log on to the CipherTrust Manager.
2. Go to Access Management > Registration Tokens in the sidebar.
3. Click Create New Registration Token.
4. Copy the Registration Token once it is created.
Turn ON Auto Registration using the following steps:
1. Go to Admin Settings > Interfaces.
2. Click the ellipsis icon corresponding to the KMIP interface.
3. Click Edit.
4. Under the Configure KMIP window, select Auto Registration.
5. Paste the Registration Token.
6. Select the mode "TLS, verify client cert, user name taken from client cert, auth request is optional".
7. Click Update.
Using Manual Registration
1. Log on to the CipherTrust Manager.
2. Go to Products > KMIP.
3. Create a Client Profile using the following steps:
   a. Go to Client Profile and click Add Profile.
   b. Add a Profile Name.
   c. Select CN in Username Location in Certificate.
      For a domain user, the CN will be domain||username.
   d. Click Certificate Details.
   e. Paste the content of the generated client.csr.
   f. Click Save.
4. Create a Registration Token using the following steps:
   a. Go to Registration Token and click New Registration Token > Begin.
   b. Add a Name Prefix.
   c. Click Select CA.
   d. Select the CA type as Local if you are using a Local CA, or External if you are using an External CA.
      If you are using an External CA, you can select the external CA that was created using openssl and uploaded to the CipherTrust Manager.
   e. Select the appropriate CA from the dropdown menu and click Select Profile.
   f. Select the Client Profile that you created from the dropdown.
   g. Click Create Token.
   h. Copy the Token value and click Done.
5. Go to Registered Clients and click Add Client. Specify the client's name and paste the generated Registration Token.
   If you are using an External CA, then you need to paste the signed client certificate in the Client Certificate field.
6. Click Save > Save Certificate to save the Client Certificate.
Configuring your KMIP Interface
Perform the following steps to configure the KMIP interface:
1. Go to Admin Settings > Interfaces.
2. On the KMIP Interface, click the ellipsis icon, then click Edit. A Configure KMIP popup is displayed.
3. Select the Auto Registration check box if you registered your client using Auto Registration. If you registered your client manually, clear the check box.
   When selecting Auto Registration, ensure that you have created a registration token and enter its value in the Registration Token field. Refer to the CipherTrust Manager documentation for details.
4. Select the mode "TLS, verify client cert, user name taken from client cert, auth request is optional".
5. Specify the Local CA for Automatic Server Certificate Generation as desired.
   If you are using an External CA, set Local CA for Automatic Server Certificate Generation to "Turn off auto-generation from Local CA".
6. Select the CA according to your preference:
   • If you are using an External CA, select the CA under External Trusted CAs.
   • If you are using a Local CA, select the CA under Local Trusted CAs.
7. Expand the Upload Certificate section:
   a. In the Certificate field, paste the content of the Server Certificate, the CA certificate, and the Server Key file, in that order. Do not introduce any spaces, characters, or symbols between the contents of these files.
   b. Set the certificate Format to PEM.
   c. Specify the Password (optional).
8. Click Update.
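The ordering and "no stray characters" requirement for the Certificate field is easy to get wrong when three files are pasted by hand, and a fused or blank line between blocks is a common reason the interface rejects the upload. The script below is an added example, not part of the Thales or HPE documentation: it concatenates the server certificate, CA certificate and server key in the required order (forcing a newline at the end of each file) and checks that the result contains exactly those three PEM blocks and nothing else. The file names are assumptions, and the PEM bodies written by the demo are constructed placeholders, not real certificates or keys.

```shell
#!/bin/sh
# Added example, not part of the Thales/HPE documentation: assemble the PEM
# bundle that the KMIP interface's Certificate field expects (server
# certificate, then CA certificate, then server key) and check that the
# result contains nothing but those three PEM blocks. File names are
# assumptions; the sample PEM bodies written at the end are constructed and
# are not real certificates or keys.

# Concatenate the three files, forcing a newline at the end of each one.
# A file without a trailing newline is the usual cause of a fused
# "-----END CERTIFICATE----------BEGIN CERTIFICATE-----" line when the
# contents are pasted by hand.
build_kmip_bundle() {   # $1 server cert, $2 CA cert, $3 server key, $4 output
    awk 1 "$1" "$2" "$3" > "$4"
}

# Print the PEM block labels in the order they appear, space separated,
# e.g. "CERTIFICATE CERTIFICATE PRIVATE KEY".
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# Return 0 when the bundle is well formed for the KMIP interface:
#   - exactly the sequence certificate, certificate, private key
#   - every line is a PEM header/footer or a base64 body line, so there are
#     no blank lines, spaces, or stray characters between the blocks
check_kmip_bundle() {
    labels=$(pem_labels "$1")
    case "$labels" in
        "CERTIFICATE CERTIFICATE PRIVATE KEY"|\
        "CERTIFICATE CERTIFICATE RSA PRIVATE KEY"|\
        "CERTIFICATE CERTIFICATE EC PRIVATE KEY") ;;
        *) echo "unexpected block order: '$labels'" >&2; return 1 ;;
    esac
    if grep -nvE '^(-----(BEGIN|END) [A-Z ]+-----|[A-Za-z0-9+/=]+)$' "$1"; then
        echo "non-PEM content found at the line(s) listed above" >&2
        return 1
    fi
    return 0
}

# Write a constructed PEM block (placeholder body, not real key material).
# The file deliberately has no trailing newline, like many hand-saved files.
write_sample_pem() {   # $1 output file, $2 PEM label
    {
        printf '%s\n' "-----BEGIN $2-----"
        printf '%s\n' 'TUlJQ29uc3RydWN0ZWQgc2FtcGxlIGJvZHk='
        printf '%s' "-----END $2-----"
    } > "$1"
}

# Demo on constructed inputs.
demo=$(mktemp -d)
write_sample_pem "$demo/server.crt" CERTIFICATE
write_sample_pem "$demo/ca.crt" CERTIFICATE
write_sample_pem "$demo/server.key" "PRIVATE KEY"
build_kmip_bundle "$demo/server.crt" "$demo/ca.crt" "$demo/server.key" "$demo/bundle.pem"
check_kmip_bundle "$demo/bundle.pem" && echo "bundle OK: $(pem_labels "$demo/bundle.pem")"
```

Run it against your real files and paste the resulting bundle.pem into the Certificate field; if check_kmip_bundle reports an unexpected block order, the files were given in the wrong sequence, and if it lists line numbers, those lines carry something other than PEM content (typically a blank line or a fused header).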
Creating a Client Certificate
Perform the following steps to generate a Client Certificate:
1. Log in to HPE Primera using the CLI.
2. Run the showcert command to check whether any certificates already exist. Remove them using removecert ekm-server and removecert ekm-client.
3. Generate a new CSR by running the following command:
   createcert ekm-client -csr -CN <Common Name> -C <Country> -ST <State> -L <Location> -O <Organisation> -OU <Organisation Unit>
   • Ensure that a user exists on the CipherTrust Manager with the same name as the Common Name of the client CSR.
   • Ensure that this user has the group-level permissions required to perform key operations on the CipherTrust Manager. For more details about groups, refer to the CipherTrust Manager documentation.
4. On the CipherTrust Manager, navigate to CA > Local > Upload CSR. Specify a name for your certificate.
5. Paste the content of the CSR and select the Certificate Purpose as Client.
6. Click Issue Certificate.
7. Download a copy of this certificate by clicking the ellipsis icon next to the certificate name.
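Because the KMIP interface takes the user name from the client certificate, the Common Name in the CSR decides which CipherTrust Manager user (and therefore which key permissions) the Primera array ends up with; the notes above and the "domain||username" rule in the manual-registration client profile both hinge on this. The script below is an added example, not part of the Thales or HPE documentation: it reads the CN out of a CSR with openssl and compares it with the user name the server will expect, in both the plain and the domain form, before the certificate is issued. The user name primera01 and domain prod are assumptions, and the CSRs it generates are throwaway test input rather than CSRs exported from a Primera array.

```shell
#!/bin/sh
# Added example, not part of the Thales/HPE documentation: before issuing the
# client certificate on the CipherTrust Manager, confirm that the Common Name
# in the client CSR is exactly the user name the server will derive from the
# certificate, i.e. the user name itself or "domain||username" for a domain
# user. Requires openssl. The user name "primera01" and domain "prod" used in
# the demo are assumptions; the CSRs generated here are throwaway test input,
# not CSRs from a Primera array.

# Print the CN of a PEM-encoded CSR. sep_multiline gives one RDN per line, so
# a CN containing commas or '|' is read back verbatim.
csr_common_name() {   # $1 CSR file
    openssl req -noout -subject -nameopt sep_multiline -in "$1" |
        sed -n 's/^[[:space:]]*CN=//p'
}

# The user name the CipherTrust Manager derives from the CN: the plain user
# name, or domain||username when the client profile belongs to a domain.
expected_cn() {   # $1 CM user name, $2 domain (optional)
    if [ -n "$2" ]; then
        printf '%s||%s\n' "$2" "$1"
    else
        printf '%s\n' "$1"
    fi
}

# Return 0 when the CSR's CN equals the expected user name; otherwise report
# the mismatch (the certificate would map the client to the wrong user, or to
# no user at all) and return 1.
check_csr_user() {   # $1 CSR file, $2 CM user name, $3 domain (optional)
    cn=$(csr_common_name "$1")
    want=$(expected_cn "$2" "$3")
    if [ "$cn" = "$want" ]; then
        echo "CN '$cn' matches the CipherTrust Manager user"
        return 0
    fi
    echo "CN '$cn' does not match expected user '$want'" >&2
    return 1
}

# Generate a throwaway key and CSR for testing (constructed input).
make_sample_csr() {   # $1 Common Name, $2 output CSR path
    openssl req -new -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2" \
        -subj "/CN=$1/C=US/ST=CA/L=SanJose/O=Example/OU=Storage" 2>/dev/null
}

# Demo: a plain user and a domain user.
demo=$(mktemp -d)
make_sample_csr "primera01" "$demo/client.csr"
check_csr_user "$demo/client.csr" "primera01"
make_sample_csr "prod||primera01" "$demo/domain-client.csr"
check_csr_user "$demo/domain-client.csr" "primera01" "prod"
```

Run check_csr_user against the CSR produced by createcert (and the user name you created in the Key Admins group) before clicking Issue Certificate; a mismatch is cheaper to fix at this point than after the array has been registered and key operations start failing with permission errors.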
Creating the Server Certificate
Perform the following steps to create the Server Certificate:
1. Log on to the CipherTrust Manager.
2. Navigate to the Local CA and click Issue Certificate.
3. Enter the Display Name, followed by the Common Name, which should be the IP address or hostname of the CipherTrust Manager.
4. Select the Algorithm and Size, and click Issue Certificate to save the Private Key and the CSR.
5. Select the Certificate Purpose as Server, specify the validity of the certificate in days, and click Issue Certificate.
6. Navigate to Local CA > Upload CSR.
7. Paste the content of the CSR and select the Certificate Purpose as Server.
8. Download a copy of this certificate by clicking the ellipsis icon next to the certificate name.