
NetApp ONTAP Data Management Software

Pre-Integration

This section lists the steps to be performed before integrating Cloud ONTAP with the CipherTrust Manager.

Creating and Signing Certificates Using KSCTL Utility

KSCTL is used to create CAs and CSRs on the CipherTrust Manager. For how to install and configure KSCTL, refer to the CipherTrust Manager documentation.

Creating the CA Certificate

A rootCA is available on the CipherTrust Manager by default. If you want to create a Local CA other than rootCA, use the following command:

ksctl ca locals create --cn "Test CA" --csr-outfile csrfile

To self-sign the CA for a specific duration, use the id returned in the above command:

ksctl ca locals self-sign --id <id of CA> -x <duration>

For Example:

ksctl ca locals self-sign --id 3593c53b-fbeb-4edb-b84d-c85526ae2f83 -x 365

Creating the Client Certificate

To create the client certificate, use the following steps:

  1. Create CSR and its private key.

    ksctl ca csr --cn "ontap" --csr-outfile client.csr --key-outfile client.key
    

    This command generates a CSR along with its private key.

    In this document, the common name CN=ontap is used; the same value is later used as the user name on the CipherTrust Manager.

  2. Sign the CSR with CA.

    ksctl ca locals certs issue --ca-id <id of CA> --csr-infile client.csr -x <duration> -o client
    

    For Example:

    ksctl ca locals certs issue --ca-id c84d66e1-2101-4a46-ad44-3656354b5097 --csr-infile client.csr -x 700 -o client
    

    --ca-id is the id of the CA, which can be obtained from the CA details on the CipherTrust Manager.
    --csr-infile is the name of the CSR file created in the previous step.
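The following script is an added example and not part of the Thales documentation or the KSCTL tool. It runs the KSCTL steps of this section in order and enforces the one coupling the text relies on: the CSR common name must equal the user name that is later created on the CipherTrust Manager. It assumes that ksctl prints the created CA as JSON containing an "id" field and that `certs issue ... -o client` writes the signed certificate next to client.csr; the id and subject parsing helpers are plain shell and do not need ksctl to be installed.

```shell
#!/bin/sh
# Added example (not from the Thales page): run the KSCTL certificate steps of
# this section end to end and check the CSR CN against the intended username.
# Assumptions: ksctl prints the created resource as JSON with an "id" field;
# the CA name, durations and file names are the ones used on the page.

# extract_id JSON: print the value of the first "id" key in a JSON document.
# Splitting on , { } turns every key/value pair into its own line first.
extract_id() {
    printf '%s' "$1" | tr ',{}' '\n\n\n' \
      | sed -n 's/^[[:space:]]*"id"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
      | head -n 1
}

# subject_cn SUBJECT_LINE: print the CN from an "openssl req -subject" line,
# accepting both "subject=CN = ontap" and the older "subject=/CN=ontap" form.
subject_cn() {
    printf '%s\n' "$1" \
      | sed -n 's|.*CN[[:space:]]*=[[:space:]]*\([^,/]*\).*|\1|p' \
      | sed 's/[[:space:]]*$//'
}

# pre_integration USERNAME CA_DAYS CERT_DAYS: create and self-sign the Local
# CA, create the client CSR/key, verify the CSR CN, then issue the certificate.
pre_integration() {
    user=$1; ca_days=${2:-365}; cert_days=${3:-700}

    ca_json=$(ksctl ca locals create --cn "Test CA" --csr-outfile csrfile)
    ca_id=$(extract_id "$ca_json")
    [ -n "$ca_id" ] || { echo "could not read CA id from ksctl output" >&2; return 1; }
    ksctl ca locals self-sign --id "$ca_id" -x "$ca_days"

    ksctl ca csr --cn "$user" --csr-outfile client.csr --key-outfile client.key
    # The CN becomes the CipherTrust Manager username, so refuse to sign a CSR
    # whose CN differs from the user that will be created in the UI.
    cn=$(subject_cn "$(openssl req -in client.csr -noout -subject)")
    [ "$cn" = "$user" ] || { echo "CSR CN '$cn' does not match username '$user'" >&2; return 1; }

    ksctl ca locals certs issue --ca-id "$ca_id" --csr-infile client.csr -x "$cert_days" -o client
    echo "CA id: $ca_id; client certificate issued for CN=$cn"
}

# Only talk to a live CipherTrust Manager when explicitly asked to:
#   sh pre_integration.sh run ontap
if [ "${1:-}" = "run" ]; then
    pre_integration "${2:-ontap}" 365 700
fi
```

Run it as `sh pre_integration.sh run ontap` once ksctl is configured; the CA id it prints is the value to use for --ca-id, and the CN it reports is the username to create under Access Management > Users.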

Creating the Server Certificate

A server certificate is needed only if you are using an external CA instead of a Local CA.

To create a server certificate, first create a CSR and its private key:

ksctl ca csr --cn "server" --csr-outfile server.csr --key-outfile server.key

This command generates a CSR along with its private key.

Sign this CSR using your external CA. The resulting certificate is uploaded to the CipherTrust Manager in a later step.

Configuring the CipherTrust Manager

  1. Create User on CipherTrust Manager.

    1. In the CipherTrust Manager UI, go to Access Management > Users and create a new user.

    2. Click the newly created user, click GROUPS, and select the Key Users and Key Admins groups.

    The username must be the same as the common name (CN) used above when creating the client certificate.

  2. Register KMIP client.

    To register the KMIP client, follow the steps in the Appendix.

  3. Configure KMIP Interface.

    1. Go to Admin Settings > Interfaces.

    2. On the KMIP Interface, click the action button (...) and then click Edit.

      Configure KMIP popup opens.

    3. Check the Auto Registration option if you are using Auto Registration, or uncheck it if you are using Manual Registration.

    4. Select the mode "TLS, verify client cert, username taken from client cert, auth request is optional".

    5. Specify selections for Local CA for Automatic Server Certificate Generation and Local Trusted CAs as desired.

    If you are using an External CA, set Local CA for Automatic Server Certificate Generation to Turn off auto generation from Local CA.

    1. Select the CA according to your preference.

      • If you are using External CA then select the CA under External Trusted CAs

      • If you are using Local CA then select the CA under Local Trusted CAs

    2. This step is required if you are using an external CA.

      Expand the Upload Certificate section:

      • In the Certificate field, paste the contents of the server certificate, the CA certificate, and the server key file, in that order. Do not introduce any spaces, characters, or symbols between the contents of these files.

      • Select certificate Format as PEM.

      • Password field is optional and can be skipped.

      • Click Update.
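Because the upload fails if anything other than the three PEM blocks ends up in the Certificate field, the following added example (not from the Thales page) builds the pasted value from the three files in the required order and rejects inputs that are not a single clean PEM block. It assumes the server key is in PEM form with a PRIVATE KEY, RSA PRIVATE KEY or EC PRIVATE KEY label; the file names are illustrative.

```shell
#!/bin/sh
# Added example (not from the Thales page): assemble and sanity-check the PEM
# text pasted into the Certificate field when an external CA is used.
# Required order: server certificate, CA certificate, server private key.

# normalize_pem FILE: print FILE with trailing whitespace and CR removed and
# blank lines dropped, so only PEM lines reach the bundle.
normalize_pem() {
    awk '{ sub(/[[:space:]]+$/, ""); if (length($0) > 0) print }' "$1"
}

# pem_block_ok FILE LABEL_ERE: succeed only if FILE (after normalization) is
# exactly one PEM block whose BEGIN/END label matches LABEL_ERE and whose body
# consists of base64 lines only.
pem_block_ok() {
    _norm=$(normalize_pem "$1"); _label=$2
    _n=$(printf '%s\n' "$_norm" | grep -cE "^-----BEGIN ($_label)-----$" || true)
    [ "$_n" -eq 1 ] || return 1
    printf '%s\n' "$_norm" | head -n 1 | grep -qE "^-----BEGIN ($_label)-----$" || return 1
    printf '%s\n' "$_norm" | tail -n 1 | grep -qE "^-----END ($_label)-----$" || return 1
    # Any line that is neither a BEGIN/END line nor base64 text is a stray character.
    if printf '%s\n' "$_norm" | grep -vqE '^(-----(BEGIN|END) [A-Z ]+-----|[A-Za-z0-9+/=]{1,76})$'; then
        return 1
    fi
    return 0
}

# make_bundle SERVER_CERT CA_CERT SERVER_KEY: write the three blocks to stdout
# in that order with nothing between them; fail if any input is malformed.
make_bundle() {
    pem_block_ok "$1" 'CERTIFICATE' || { echo "bad server certificate: $1" >&2; return 1; }
    pem_block_ok "$2" 'CERTIFICATE' || { echo "bad CA certificate: $2" >&2; return 1; }
    pem_block_ok "$3" '(RSA |EC )?PRIVATE KEY' || { echo "bad server key: $3" >&2; return 1; }
    normalize_pem "$1"
    normalize_pem "$2"
    normalize_pem "$3"
}

# bundle_order BUNDLE: print the sequence of block labels in BUNDLE, e.g.
# "CERTIFICATE CERTIFICATE PRIVATE KEY", as a final check before pasting.
bundle_order() {
    grep -E '^-----BEGIN ' "$1" | sed -e 's/^-----BEGIN //' -e 's/-----$//' \
      | tr '\n' ' ' | sed 's/ $//'
}

# Usage: sh make_bundle.sh server.pem ca.pem server.key > upload.pem
if [ "$#" -eq 3 ]; then
    make_bundle "$1" "$2" "$3"
fi
```

Paste the contents of upload.pem into the Certificate field as one piece; `bundle_order upload.pem` should print exactly "CERTIFICATE CERTIFICATE PRIVATE KEY" (or the RSA/EC variant of the key label).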