Pre-Integration Steps
This section lists the steps to be completed before starting with the integration.
Creating a User on the CipherTrust Manager
Create a User on the CipherTrust Manager and add it to the Key Users group. Refer to the CipherTrust Manager documentation for details.
Registering a KMIP Client
Note
You need to switch the domain before performing this operation.
You can register a KMIP client on the CipherTrust Manager using:
Using Auto-Registration
Create a registration token using the following steps:
Log on to the CipherTrust Manager.
Go to Access Management > Registration Tokens in the sidebar.
Click Create New Registration Token.
Copy the Registration Token once it is created.
Turn ON Auto Registration using the following steps:
Go to Admin Settings > Interfaces.
Click the ellipsis icon corresponding to the KMIP interface.
Click Edit.
Under the Configure KMIP window, select Auto Registration.
Paste the Registration Token.
Select the mode as TLS, verify client cert, user name taken from client cert, auth request is optional.
Click Update.
Using Manual Registration
Log on to the CipherTrust Manager.
Go to Products > KMIP.
Create a Client Profile using the following steps:
Go to Client Profile and click Add Profile.
Add a Profile Name.
Select CN in Username Location in Certificate.
Note
For Domain, the CN will be domain||username.
Click Certificate Details.
Paste the content of the generated client.csr.
Click Save.
Create a Registration Token using the following steps:
Go to Registration Token and click New Registration Token > Begin.
Add a Name Prefix.
Click Select CA.
Select the CA type as Local if you are using a Local CA, or External if you are using an External CA.
Select the appropriate CA from the dropdown menu and click Select Profile.
From the dropdown, select the Client Profile that you created.
Click Create Token.
Copy the Token value and click Done.
Note
If you are using an external CA then you can select the external CA which was created using openssl and uploaded on the CipherTrust Manager.
Go to Registered Clients and click Add Client. Specify the client's name and paste the generated Registration Token.
Note
If you are using an external CA then you need to paste the signed client certificate in the Client Certificate field.
Click Save > Save Certificate to save the Client Certificate.
Creating a Client Certificate
Note
This section is applicable to KMIP clients registered using Auto Registration.
Log on to the CipherTrust Manager.
Navigate to the Local CA and click Issue Certificate.
Enter the Display Name, followed by the Common Name, which should be the name of the User you created on the CipherTrust Manager in the previous step.
Select the Algorithm and Size, and click Issue Certificate to save the Private Key and the CSR.
Select Certificate Purpose as client, specify the validity of the certificate in days, and click Issue Certificate.
Navigate to Local CA > Upload CSR.
Paste the content of the CSR and select the Certificate Purpose as Client.
Download a copy of this certificate by clicking the ellipsis icon next to the certificate name.
Creating a Server Certificate
Log on to the CipherTrust Manager.
Navigate to the Local CA and click Issue Certificate.
Enter the Display Name, followed by the Common Name, which should be the IP/Hostname of the CipherTrust Manager.
Select Algorithm and Size, and click Issue Certificate to save the Private Key and the CSR.
Select Certificate Purpose as server, specify the validity of the certificate in days, and click Issue Certificate.
Navigate to Local CA > Upload CSR.
Paste the content of the CSR and select Certificate Purpose as Server.
Download a copy of this certificate by clicking the ellipsis icon next to the certificate name.
Configuring the KMIP Interface
To configure the KMIP interface:
Go to Admin Settings > Interfaces.
On the KMIP Interface, click the ellipsis icon, then click Edit. A Configure KMIP popup is displayed.
Select the Auto Registration check box if you registered your client using Auto Registration. However, if you registered your client manually, clear the check box.
Note
While selecting Auto Registration, ensure that you create a registration token and enter its value in the Registration Token field. Refer to the CipherTrust Manager documentation for details.
Select the mode as TLS, verify client cert, user name taken from client cert, auth request is optional.
Specify selections for Local CA for Automatic Server Certificate Generation as desired.
Note
In case of an External CA, set Local CA for Automatic Server Certificate Generation to Turn off auto generation from Local CA.
Select the CA according to your preference.
If you are using an External CA, select the CA under External Trusted CAs.
If you are using a Local CA, select the CA under Local Trusted CAs.
(Applicable to External CA) Expand the Upload Certificate section:
In the Certificate field, paste the content of the Server Certificate, CA, and the Server Key file in the same order. Do not introduce any space, characters, or symbols between the content of these files.
Set the certificate Format as PEM.
(Optional) Specify the Password.
Click Update.
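The Upload Certificate step above requires the Server Certificate, CA, and Server Key in that order with nothing between them. The following script is an added example, not part of the CipherTrust Manager documentation or tooling; it assembles such a bundle and checks its structure before you paste it. The file names (server.crt, ca.crt, server.key) and function names are assumptions, and the sample files are constructed placeholders.

```shell
#!/bin/sh
# Added example (not vendor code): build and check the PEM bundle pasted into
# the KMIP interface's Certificate field. File and function names are assumed.

# Print only the PEM blocks of each file, in argument order. Carriage returns
# and text outside BEGIN/END armor are dropped, and every line ends in a
# newline, so blocks cannot fuse when a file lacks a trailing newline.
build_bundle() {   # usage: build_bundle server.crt ca.crt server.key
    for f in "$@"; do
        tr -d '\r' < "$f" | awk '/^-----BEGIN /{p=1} p{print} /^-----END /{p=0}'
    done
}

# Exit 0 only if the file holds certificates followed by exactly one private
# key, with nothing between or around the blocks. Problems go to stdout.
check_bundle() {   # usage: check_bundle bundle.pem
    awk '
        /.-----(BEGIN|END) / { print "line " NR ": fused armor lines"; bad = 1; next }
        /^-----BEGIN [A-Z0-9 ]+-----$/ {
            if (inblk) { print "line " NR ": BEGIN inside a block"; bad = 1 }
            inblk = 1
            if ($0 ~ /PRIVATE KEY-----$/) keys++
            else if ($0 == "-----BEGIN CERTIFICATE-----") {
                if (keys) { print "line " NR ": certificate after the key"; bad = 1 }
                certs++
            } else { print "line " NR ": unexpected block type"; bad = 1 }
            next
        }
        /^-----END [A-Z0-9 ]+-----$/ { inblk = 0; next }
        !inblk { print "line " NR ": content outside a PEM block"; bad = 1 }
        END {
            if (inblk) { print "unterminated block"; bad = 1 }
            if (certs < 2 || keys != 1) { print "expected server cert, CA cert, one key"; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample files (placeholder bodies, not real certificates or keys).
make_samples() {   # usage: make_samples DIR
    printf '%b' '-----BEGIN CERTIFICATE-----\nU0VSVkVS\n-----END CERTIFICATE-----' > "$1/server.crt"
    printf '%b' 'subject=CN = example-ca\r\n-----BEGIN CERTIFICATE-----\r\nQ0E=\r\n-----END CERTIFICATE-----\r\n\r\n' > "$1/ca.crt"
    printf '%b' '-----BEGIN PRIVATE KEY-----\nS0VZ\n-----END PRIVATE KEY-----\n' > "$1/server.key"
}

d=$(mktemp -d) && make_samples "$d"
build_bundle "$d/server.crt" "$d/ca.crt" "$d/server.key" > "$d/bundle.pem"
check_bundle "$d/bundle.pem" && echo "bundle OK"
rm -rf "$d"
```

The bundle contains the server's private key, so create it under a restrictive umask (for example umask 077) and delete it once the content has been pasted.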