Pre-Integration
This section lists the steps to be performed before integrating Cloud ONTAP with the CipherTrust Manager.
Creating and Signing Certificates Using KSCTL Utility
Note
KSCTL is used to create CAs and CSRs at the CipherTrust Manager. To learn how to install and configure KSCTL, refer to the CipherTrust Manager Documentation.
Creating the CA Certificate
The rootCA is available by default on the CipherTrust Manager. If you want to create a Local CA other than rootCA, use the following command:
ksctl ca locals create --cn "Test CA" --csr-outfile csrfile
To self-sign the CA for a specific duration, use the id returned by the above command:
ksctl ca locals self-sign --id <id of CA> -x <duration>
For Example:
ksctl ca locals self-sign --id 3593c53b-fbeb-4edb-b84d-c85526ae2f83 -x 365
Creating the Client Certificate
To create the client certificate, use the following steps:
1. Create the CSR and its private key.
ksctl ca csr --cn "ontap" --csr-outfile client.csr --key-outfile client.key
This command generates a CSR along with its private key.
Note
In this document, the common name CN=ontap is used; it is also used later as the user name on the CipherTrust Manager.
2. Sign the CSR with the CA.
ksctl ca locals certs issue --ca-id <id of CA> --csr-infile client.csr -x <duration> -o client
For Example:
ksctl ca locals certs issue --ca-id c84d66e1-2101-4a46-ad44-3656354b5097 --csr-infile client.csr -x 700 -o client
--ca-id is the id of the CA, which can be obtained from the CA details on the CipherTrust Manager.
Note
--csr-infile is the name of the CSR file created in the previous step.
Creating the Server Certificate
Note
The server certificate is needed only if you are using an external CA instead of a Local CA.
To create a server certificate, create a CSR and its private key.
ksctl ca csr --cn "server" --csr-outfile server.csr --key-outfile server.key
This command generates a CSR along with its private key.
You can sign the CSR created above using the external CA. The generated certificate is then uploaded to the CipherTrust Manager.
Configuring the CipherTrust Manager
1. Create a user on the CipherTrust Manager.
In the CipherTrust Manager UI, go to Access Management > Users and create a new user.
Click the newly created user, click GROUPS, and select the Key Users and Key Admins groups.
Note
The username must be the same as the common name used above when creating the client certificate.
2. Register the KMIP client.
To perform KMIP client registration, follow the steps in the Appendix.
3. Configure the KMIP interface.
Go to Admin Settings > Interfaces.
On the KMIP interface, click the action button (...) and then click Edit. The Configure KMIP popup opens.
Check the Auto Registration option if you are using Auto Registration, or uncheck it if you are using Manual Registration.
Select the mode "TLS, verify client cert, username taken from client cert, auth request is optional".
Specify the Local CA for Automatic Server Certificate Generation and the Local Trusted CAs as desired.
Note
Local CA for Automatic Server Certificate Generation should be set to Turn off auto generation from Local CA when using an External CA.
Select the CA according to the type of CA you are using:
If you are using an External CA, select the CA under External Trusted CAs.
If you are using a Local CA, select the CA under Local Trusted CAs.
The following sub-steps are required only if you are using an External CA.
Expand the Upload Certificate section.
In the Certificate field, paste the contents of the Server Certificate, the CA certificate, and the Server Key file, in that order. Do not introduce any space, character, or symbol between the contents of these files.
Select the certificate Format as PEM.
The Password field is optional and can be skipped.
Click Update.
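The Upload Certificate step above requires the server certificate, the CA certificate and the server key to be pasted as a single PEM blob in that order with nothing in between. The following Python script is an added example, not part of the original document or of ksctl: it builds the blob from the three files and flags stray characters or a wrong block order before you paste it (the PEM contents are constructed placeholders, not real certificates or keys).

```python
import re
from typing import List

# Order required by the Upload Certificate field: server certificate, CA
# certificate, then the server private key. "PRIVATE KEY" also covers the
# traditional "RSA PRIVATE KEY" / "EC PRIVATE KEY" headers (see normalisation).
EXPECTED_ORDER = ("CERTIFICATE", "CERTIFICATE", "PRIVATE KEY")

# One PEM block: BEGIN line, base64 lines, matching END line, optional newline.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\n"
    r"(?:[A-Za-z0-9+/=]+\n)+"
    r"-----END (?P=label)-----\n?"
)

# Constructed placeholder PEM content (not real certificates or keys).
SAMPLE_SERVER_CERT = "-----BEGIN CERTIFICATE-----\nMIIBserverCertPlaceholder\n-----END CERTIFICATE-----\n"
SAMPLE_CA_CERT = "-----BEGIN CERTIFICATE-----\nMIIBcaCertPlaceholder\n-----END CERTIFICATE-----\n"
SAMPLE_SERVER_KEY = "-----BEGIN PRIVATE KEY-----\nMIIEserverKeyPlaceholder\n-----END PRIVATE KEY-----\n"


def build_bundle(server_cert: str, ca_cert: str, server_key: str) -> str:
    """Concatenate the three PEM files in the required order, adding a trailing
    newline to any file that lacks one so each BEGIN line starts on its own
    line and nothing else is inserted between the blocks."""
    return "".join(p if p.endswith("\n") else p + "\n"
                   for p in (server_cert, ca_cert, server_key))


def check_bundle(pem_text: str) -> List[str]:
    """Return the problems found in a bundle; an empty list means the blocks are
    in the expected order with no stray text between them. This checks structure
    only: it cannot tell a server certificate from a CA certificate, so the two
    certificate blocks must still be pasted in the right order."""
    problems, labels, pos = [], [], 0
    for m in PEM_BLOCK.finditer(pem_text):
        gap = pem_text[pos:m.start()]
        if gap:  # anything between the END of one block and the next BEGIN
            problems.append(f"stray text before block {len(labels) + 1}: {gap!r}")
        labels.append(m.group("label"))
        pos = m.end()
    if pem_text[pos:].strip():
        problems.append(f"stray text after last block: {pem_text[pos:]!r}")
    normalised = tuple("PRIVATE KEY" if lab.endswith("PRIVATE KEY") else lab
                       for lab in labels)
    if normalised != EXPECTED_ORDER:
        problems.append(f"unexpected block order: {labels}")
    return problems


if __name__ == "__main__":
    bundle = build_bundle(SAMPLE_SERVER_CERT, SAMPLE_CA_CERT, SAMPLE_SERVER_KEY)
    print(check_bundle(bundle) or "bundle OK")
```

Replace the sample constants with the contents of the certificate, CA and key files produced in the earlier steps; whether the first certificate really is the server certificate must still be confirmed by inspecting it.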