Integration with CipherTrust Manager
This section lists the steps to integrate FileNet with CipherTrust Manager.
Prerequisites
This section provides the prerequisites for integrating FileNet Content Manager with CipherTrust Manager.
Ensure that the CipherTrust Manager is installed and configured. For more details, refer to the CipherTrust Manager documentation.
FileNet Content Manager communicates with the CipherTrust Manager using the KMIP interface. Ensure that the KMIP interface is configured on the CipherTrust Manager. Refer to the CipherTrust Manager Administration Guide for details.
The IP address of the CipherTrust Manager and the port of the KMIP interface must be reachable from the FileNet Content Manager system.
CipherTrust Manager recognizes only registered KMIP clients. Ensure that each node of the FileNet Content Manager cluster is registered as a KMIP client on the CipherTrust Manager. Refer to KMIP Client Registration for more details.
Configuration on CipherTrust Manager
Creating and Signing Certificates Using KSCTL Utility
Note: KSCTL is used to create CAs and CSRs on the CipherTrust Manager. To learn how to install and configure KSCTL, refer to the CipherTrust Manager Documentation.
Creating the CA Certificate
A rootCA is available on the CipherTrust Manager by default. If you want to create a Local CA other than the rootCA, use the following command:
ksctl ca locals create --cn "Test CA" --csr-outfile csrfile
To self-sign the CA for a specific duration, use the id returned by the above command:
ksctl ca locals self-sign --id <id of CA> -x <duration>
For example:
ksctl ca locals self-sign --id 3593c53b-fbeb-4edb-b84d-c85526ae2f83 -x 365
Creating the Client Certificate
To create the client certificate, use the following steps:
Create a CSR and its private key.
ksctl ca csr --cn "FileNet Content Manager" --csr-outfile client.csr --key-outfile client.key
This command generates a CSR along with its private key.
Note: In this document, the common name CN=FileNet Content Manager is used; it is later used as the user name on the CipherTrust Manager.
Sign the CSR with the CA.
ksctl ca locals certs issue --ca-id <id of CA> --csr-infile client.csr -x <duration> -o client
For example:
ksctl ca locals certs issue --ca-id c84d66e1-2101-4a46-ad44-3656354b5097 --csr-infile client.csr -x 700 -o client
--ca-id is the id of the CA, which can be obtained from the CA details on the CipherTrust Manager.
Note: --csr-infile is the CSR file created in the previous step.
Creating the Server Certificate
Note: A server certificate is needed only if you are using an external CA instead of a Local CA.
To create a server certificate, create a CSR and its private key.
ksctl ca csr --cn "server" --csr-outfile server.csr --key-outfile server.key
This command generates a CSR along with its private key.
Sign the CSR created above using the external CA. The resulting certificate is uploaded to the CipherTrust Manager in a later step.
Configuring the CipherTrust Manager
Create a user on the CipherTrust Manager.
In the CipherTrust Manager UI, go to Access Management > Users and create a new user.
Click the newly created user, click GROUPS, and select the Key Users and Key Admins groups.
Note: The username must be the same as the common name used above when creating the client certificate.
Register the KMIP client.
To perform KMIP client registration, follow the steps in the Appendix.
Configure the KMIP Interface.
Go to Admin Settings > Interfaces.
On the KMIP Interface, click the action button (...) and then click Edit.
The Configure KMIP popup opens.
Check the Auto Registration option if you are using Auto Registration, or uncheck it if you are using Manual Registration.
Set the mode to "TLS, verify client cert, username taken from client cert, auth request is optional".
Specify selections for Local CA for Automatic Server Certificate Generation and Local Trusted CAs as desired.
Note: When using an external CA, set Local CA for Automatic Server Certificate Generation to Turn off auto generation from Local CA.
Select the CA according to your preference:
If you are using an external CA, select the CA under External Trusted CAs.
If you are using a Local CA, select the CA under Local Trusted CAs.
The following step is required if you are using an external CA.
Expand the Upload Certificate section:
In the Certificate field, paste the contents of the server certificate, the CA certificate, and the server key file, in that order. Do not introduce any space, character, or symbol between the contents of these files.
Select PEM as the certificate Format.
The Password field is optional and can be skipped.
Click Update.
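Because the upload step rejects anything between the three PEM blocks, it helps to assemble and check the bundle in a shell before pasting it. The following is an added example, not a script from the CipherTrust Manager or FileNet documentation; the file names are assumptions and the PEM bodies are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the CipherTrust Manager or FileNet docs):
# assemble the PEM bundle the Upload Certificate field expects, i.e.
# server certificate, then CA certificate, then server key, with nothing
# between them, and check the result before pasting it into the UI.
# File names are assumptions; PEM bodies are constructed placeholders.

# build_bundle SERVER_CERT CA_CERT SERVER_KEY OUT
# Plain "cat" fuses the END line of a file that lacks a trailing newline
# with the BEGIN line of the next file; awk prints every record with
# exactly one newline, so blocks stay separate without added blank lines.
build_bundle() {
  : > "$4"
  for f in "$1" "$2" "$3"; do
    awk '{ print }' "$f" >> "$4"
  done
}

# check_bundle OUT -> prints "ok" or "bad"
# Requires exactly CERTIFICATE, CERTIFICATE, PRIVATE KEY blocks and
# rejects blank lines or stray text anywhere outside the PEM blocks.
check_bundle() {
  awk '
    /^-----BEGIN / { if (inblk) bad = 1; inblk = 1; hdr[++n] = $0; next }
    /^-----END /   { if (!inblk) bad = 1; inblk = 0; next }
    inblk          { next }     # base64 body line inside a block
    { bad = 1 }                 # anything else: blank line or stray text
    END {
      if (!bad && !inblk && n == 3 &&
          hdr[1] == "-----BEGIN CERTIFICATE-----" &&
          hdr[2] == "-----BEGIN CERTIFICATE-----" &&
          hdr[3] ~ /^-----BEGIN (RSA |EC )?PRIVATE KEY-----$/) print "ok"
      else print "bad"
    }' "$1"
}

# demo: writes constructed inputs, prints "<bundle result> <naive result>"
demo() {
  d=$(mktemp -d)
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'U0VSVkVS' '-----END CERTIFICATE-----' > "$d/server.crt"
  # CA file exported without a trailing newline, a common real-world case
  printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'Q0E=' '-----END CERTIFICATE-----' > "$d/ca.crt"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'S0VZ' '-----END PRIVATE KEY-----' > "$d/server.key"
  build_bundle "$d/server.crt" "$d/ca.crt" "$d/server.key" "$d/bundle.pem"
  cat "$d/server.crt" "$d/ca.crt" "$d/server.key" > "$d/naive.pem"
  echo "$(check_bundle "$d/bundle.pem") $(check_bundle "$d/naive.pem")"
  rm -rf "$d"
}

demo   # prints: ok bad
```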
Configuration on FileNet Content Manager
Connect to the instance using SSH. The FileNet Content Manager shell appears. Perform the following steps on the FileNet Content Manager shell:
Import the external CA root certificate into the truststore on the application server.
Import the PFX certificate file for the FileNet client into the certificate store on the application server.
On the KMIP configuration (Key Management tab):
Select KMIP in the Key Service type dropdown box.
Enter the IP address or hostname in the Primary Host field.
Enter the port of the KMIP interface you use on the CipherTrust Manager in the Primary port field.
If you do not have a secondary server, enter the same values for the secondary IP and port; otherwise FileNet throws an error.
Click the Save button at the top left.
This completes the configuration on FileNet Content Manager.