Pre-Integration
This section lists the steps to be performed before starting with the integration.
Creating Certificates
You can create and use certificates using either of the following methods:
- Using the ksctl utility: use this method if you want to create and use certificates generated on the CipherTrust Manager with the ksctl utility.
- Using openssl: use this method if you want to create and use certificates generated with openssl.
Creating Certificates using ksctl Utility
Note: ksctl is used to create CAs and CSRs on the CipherTrust Manager. Refer to the CipherTrust Manager documentation for information on installing and configuring ksctl.
Creating the CA Certificate
The rootCA is available on the CipherTrust Manager by default. If you want to create a Local CA other than rootCA, use the following command:
    $ ksctl ca locals create --cn "Test CA" --csr-outfile csrfile
To self-sign the CA for a specific duration, use the id returned by the above command:
    $ ksctl ca locals self-sign --id <id of CA> -x <duration>
Example:
    $ ksctl ca locals self-sign --id 3593c53b-fbeb-4edb-b84d-c85526ae2f83 -x 365
Creating Client Certificate
To create the client certificate:
1. Create the CSR and its private key.
    $ ksctl ca csr --cn "client" --csr-outfile client.csr --key-outfile client.key
   This command generates a CSR with its private key.
   Note: In this document, the common name CN=client is used. It will be used as a user name on the CipherTrust Manager.
2. Sign the CSR with the CA.
    ksctl ca locals certs issue --ca-id <id of CA> --csr-infile client.csr -x <duration> -o client
   Example:
    ksctl ca locals certs issue --ca-id c84d66e1-2101-4a46-ad44-3656354b5097 --csr-infile client.csr -x 700 -o client
   --ca-id is the id of the CA; it can be obtained from the CA details on the CipherTrust Manager.
   Note: --csr-infile is the CSR created in the previous step.
Creating Server Certificate
Note: This section is applicable if you want to generate certificates on the CipherTrust Manager and sign them using an external CA.
To create a server certificate, create the CSR and its private key by running the following command:
    ksctl ca csr --cn "server" --csr-outfile server.csr --key-outfile server.key
This command generates a CSR with its private key.
Sign the CSR created above using the external CA. The resulting certificate is then uploaded to the CipherTrust Manager; refer to Adding User and Configuring Interface for details.
Creating Certificates Using openssl
You can use openssl to create an external CA and CSRs outside the CipherTrust Manager.
Before creating the CA and CSRs, ensure that openssl is configured properly.
To create the external CA, client, and server certificates, you need:
- bash (version 4.4.20 or above)
- openssl (version 1.1.1 or above)
- the openssl.conf file, which is available at /etc/pki/tls on RHEL and /etc/ssl on Ubuntu
Open the openssl.conf file, go to the [ v3_ca ] section, and add:
    basicConstraints = critical, CA:true
Creating the CA Certificate
To create an external CA and upload it to the CipherTrust Manager:
1. Create an RSA key using the following openssl command.
    openssl genrsa -out rootCAKey.pem 2048
   This command generates the rootCAKey.pem file.
2. Create a CA certificate using the generated RSA key.
    openssl req -x509 -sha256 -new -nodes -key rootCAKey.pem -days 3650 -out rootCACert.pem
   This command uses the rootCAKey.pem generated in the previous step to generate the CA certificate, rootCACert.pem.
3. Upload the CA to the CipherTrust Manager:
   a. Log on to the CipherTrust Manager GUI.
   b. Go to CA > External.
   c. On the CA page, click Add External CA.
   d. Paste the contents of the rootCACert.pem file and click Save.
Creating Client Certificate
To create a client certificate:
1. Create a key to be used in the client certificate.
    openssl genrsa -out client.key 2048
   This command generates the RSA key client.key.
2. Create a client CSR using the key generated above.
    openssl req -key client.key -new -sha256 -out client.csr -subj /O=my-org/OU=my-org/OU=client/CN=client
   In this document, the common name CN=client is used. It will be used as a user name on the CipherTrust Manager. This command uses the client.key generated in the previous step to generate the client CSR, client.csr.
3. Sign the CSR using the CA certificate and the CA's RSA key (rootCAKey.pem) generated above.
    openssl x509 -req -days 360 -in client.csr -CA rootCACert.pem -CAkey rootCAKey.pem -CAcreateserial -out client.cert -sha256
Creating Server Certificate
To create a server certificate:
1. Create a server key.
    openssl genrsa -out server.key 2048
2. Create a CSR for the server using the key generated above.
    openssl req -key server.key -new -sha256 -out server.csr -subj /O=my-org/OU=my-org/OU=server/CN=server
3. Create the server certificate by signing the CSR with the CA.
    openssl x509 -req -days 7300 -in server.csr -CA rootCACert.pem -CAkey rootCAKey.pem -CAcreateserial -out server.cert -sha256
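The following script is an added example and is not part of the CipherTrust documentation. It runs the openssl procedure of this section end to end (external CA, client and server keys, CSRs, signed certificates) and then performs the checks worth doing before the client is registered: each certificate verifies against rootCACert.pem, the client certificate's CN equals the user name that will be created on the CipherTrust Manager, and the upload bundle used later in Configuring Interface (server certificate, CA, server key, in that order) holds exactly three PEM blocks. Instead of editing the [ v3_ca ] section of openssl.conf, it supplies basicConstraints through a small extensions file (ca-ext.cnf, an assumption of this example) and self-signs the CA with openssl x509. The file names and the my-org subject values follow this page; the CA subject "my-org Root CA", rootCA.csr, server-upload.pem and the ./demo-pki working directory are constructed for the example.

```shell
#!/bin/sh
# Added example: external CA, client and server certificates built with openssl,
# followed by the checks that matter before registering the client on the
# CipherTrust Manager. Not part of the CipherTrust documentation; file names and
# the my-org subject values follow the page, everything else is constructed.
set -eu

# build_pki DIR: create rootCAKey.pem/rootCACert.pem, client.key/.csr/.cert,
# server.key/.csr/.cert and the upload bundle server-upload.pem inside DIR.
build_pki() {
  dir=$1
  mkdir -p "$dir"
  (
    cd "$dir"
    # CA key and a self-signed CA certificate. The extensions file plays the
    # role of the [ v3_ca ] edit on this page: basicConstraints CA:true is what
    # marks the certificate as a CA.
    openssl genrsa -out rootCAKey.pem 2048 2>/dev/null
    printf 'basicConstraints = critical, CA:true\nkeyUsage = critical, keyCertSign, cRLSign\n' > ca-ext.cnf
    openssl req -new -sha256 -key rootCAKey.pem -subj "/O=my-org/CN=my-org Root CA" -out rootCA.csr
    openssl x509 -req -sha256 -days 3650 -in rootCA.csr -signkey rootCAKey.pem \
      -extfile ca-ext.cnf -out rootCACert.pem 2>/dev/null
    # Client and server: key, CSR (the CN must equal the CipherTrust user name), signed cert.
    for name in client server; do
      openssl genrsa -out "$name.key" 2048 2>/dev/null
      openssl req -key "$name.key" -new -sha256 -out "$name.csr" \
        -subj "/O=my-org/OU=my-org/OU=$name/CN=$name"
    done
    openssl x509 -req -days 360 -in client.csr -CA rootCACert.pem -CAkey rootCAKey.pem \
      -CAcreateserial -out client.cert -sha256 2>/dev/null
    openssl x509 -req -days 7300 -in server.csr -CA rootCACert.pem -CAkey rootCAKey.pem \
      -CAcreateserial -out server.cert -sha256 2>/dev/null
    # Bundle for the Upload Certificate field: server cert, CA, server key,
    # concatenated with nothing in between (cat inserts no separators).
    cat server.cert rootCACert.pem server.key > server-upload.pem
  )
}

# cert_cn FILE: print the CN of the certificate subject (RFC 2253 form lists CN first).
cert_cn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# chain_ok CAFILE CERT: succeed only if CERT chains to CAFILE.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# pem_blocks FILE: number of PEM blocks in FILE; the upload bundle must hold exactly 3.
pem_blocks() {
  grep -c -- '-----BEGIN ' "$1"
}

# cn_matches_user FILE USER: succeed if the certificate CN equals the CipherTrust user name.
cn_matches_user() {
  [ "$(cert_cn "$1")" = "$2" ]
}

# Usage: build everything under ./demo-pki and report the checks.
build_pki ./demo-pki
for f in client server; do
  if chain_ok ./demo-pki/rootCACert.pem "./demo-pki/$f.cert"; then
    echo "$f.cert: chains to rootCACert.pem, CN=$(cert_cn "./demo-pki/$f.cert")"
  else
    echo "$f.cert: does NOT verify against rootCACert.pem" >&2
  fi
done
cn_matches_user ./demo-pki/client.cert client && echo "client CN matches user name 'client'"
echo "server-upload.pem holds $(pem_blocks ./demo-pki/server-upload.pem) PEM blocks (expect 3)"
```

The CN check is the one most often missed: the KMIP interface takes the user name from the client certificate, so a CN that differs from the user created under Access Management > Users leads to a registration that looks correct but authenticates as a user that does not exist.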
Adding User
Note: The username should be the same as the CN (Common Name) specified while creating the client certificate.
1. Log on to the CipherTrust Manager GUI.
2. Go to Access Management > Users and create a new user.
3. Click the newly created user, and then click GROUPS.
4. Select the Key Users and Key Admins groups.
Registering a KMIP Client
You can register a KMIP client on the CipherTrust Manager in two ways: Auto Registration or Manual Registration.
Auto Registration
1. Create a registration token.
   a. Log on to the CipherTrust Manager.
   b. In the left pane, click Access Management > Registration Tokens.
   c. Click Create New Registration Token.
   d. Copy the registration token after it is created.
2. Turn ON Auto Registration.
   a. Go to Admin Settings > Interfaces.
   b. Click the ellipsis button corresponding to the kmip interface.
   c. Click Edit.
   d. Under Configure KMIP, select Auto Registration.
   e. Paste the registration token copied earlier.
   f. Select the mode "TLS, verify client cert, user name taken from client cert, auth request is optional".
   g. Click Update.
Manual Registration
1. Log on to the CipherTrust Manager GUI.
2. Go to Products > KMIP.
3. Create a client profile.
   a. Go to Client Profile and click Add Profile.
   b. Add a Profile Name.
   c. Select CN in Username Location in Certificate.
   d. Click Certificate Details.
   e. Paste the content of client.csr.
   f. Click Save.
4. Create a registration token.
   a. Go to Registration Token and click New Registration Token > Begin.
   b. Add a Name Prefix.
   c. Click Select CA.
   d. Select the CA type as Local if you are using a Local CA, or External if you are using an External CA.
   e. Select the appropriate CA from the drop-down list and click Select Profile.
   f. From the drop-down list, select the client profile created above.
   g. Click Create Token.
   h. Copy the created token and click Done.
   Note: If you are using an external CA, you can select the external CA that was created using openssl and uploaded to the CipherTrust Manager.
5. Go to Registered Clients and click Add Client.
6. Specify the client name and paste the Registration Token generated above.
   Note: If you are using an external CA, you need to paste the signed client certificate in the Client Certificate field.
7. Click Save to save the client certificate.
Configuring Interface
To configure a KMIP Interface:
1. Go to Admin Settings > Interfaces.
2. On the KMIP Interface, click the ellipsis icon, and click Edit. A Configure KMIP dialog box is displayed.
3. Select the Auto Registration check box if you are using Auto Registration, or leave it cleared if you have registered your client manually.
4. Select the mode "TLS, verify client cert, user name taken from client cert, auth request is optional".
5. Specify selections for Local CA for Automatic Server Certificate Generation as desired.
   Note: Local CA for Automatic Server Certificate Generation should be set to "Turn off auto generation from Local CA" when using an external CA.
6. Select the CA according to your preference:
   - If you are using an external CA, select the CA under External Trusted CAs.
   - If you are using a local CA, select the CA under Local Trusted CAs.
7. (Required only if you are using an external CA.) Expand the Upload Certificate section.
   a. In the Certificate field, paste the contents of the Server Certificate, the CA certificate, and the Server Key file, in that order. Do not introduce any space, character, or symbol between the contents of these files.
   b. Select the certificate Format as PEM.
   c. The Password field is optional and can be skipped.
8. Click Update.