MySQL

Pre-Integration

This section lists the steps to perform before starting the integration.

  1. Creating Certificates

  2. Adding User

  3. Registering a KMIP Client

  4. Configuring Interface

Creating Certificates

You can create the certificates using either of the following methods:

  • Using ksctl Utility: Use this method if you want to create and use certificates generated on the CipherTrust Manager using the ksctl utility.

  • Using openssl: Use this method if you want to create and use certificates generated using openssl.

Creating Certificates using ksctl Utility

ksctl is used to create the CA and CSRs on the CipherTrust Manager. Refer to the CipherTrust Manager documentation for information on installing and configuring ksctl.

Creating the CA Certificate

The rootCA is available on the CipherTrust Manager by default. If you want to create a Local CA other than rootCA, use the following command:

$ ksctl ca locals create --cn "Test CA" --csr-outfile csrfile

To self-sign the CA for a specific duration, use the ID returned by the command above:

$ ksctl ca locals self-sign --id <id of CA> -x <duration>

Example:

$ ksctl ca locals self-sign --id 3593c53b-fbeb-4edb-b84d-c85526ae2f83 -x 365

Creating Client Certificate

To create the client certificate:

  1. Create CSR and its private key.

    $ ksctl ca csr --cn "client" --csr-outfile client.csr --key-outfile client.key

    This command generates a CSR with its private key.

    In this document, the common name CN=client is used. It is used as the user name on the CipherTrust Manager.

  2. Sign the CSR with CA.

    ksctl ca locals certs issue --ca-id <id of CA> --csr-infile client.csr -x <duration> -o client

    Example:

    ksctl ca locals certs issue --ca-id c84d66e1-2101-4a46-ad44-3656354b5097 --csr-infile client.csr -x 700 -o client

    --ca-id is the ID that can be obtained from the CA details on the CipherTrust Manager.
    --csr-infile is the CSR name created in the previous step.

Creating Server Certificate

This section is applicable if you want to generate certificates on the CipherTrust Manager and sign them using an external CA.

To create a server certificate, you need to create the CSR and its private key. Run the following command:

ksctl ca csr --cn "server" --csr-outfile server.csr --key-outfile server.key

This command generates a CSR with its private key.

Sign the CSR created above using an external CA. The resulting certificate is then uploaded to the CipherTrust Manager. Refer to Adding User and Configuring Interface for details.

Creating Certificates Using openssl

You can use openssl to create an external CA and CSRs outside the CipherTrust Manager.

Before creating the CA and CSRs, ensure that openssl is configured properly.

  • To create the external CA, client, and server certificate, you need:

    • bash (version 4.4.20 or above)

    • openssl (version 1.1.1 or above)

  • openssl.conf file is available at:

    • /etc/pki/tls for RHEL

    • /etc/ssl for Ubuntu

  • Open the openssl.conf file, go to the [ v3_ca ] section, and add basicConstraints = critical, CA:true.

Creating the CA Certificate

To create an external CA and upload it to the CipherTrust Manager:

  1. Create an RSA key using the following openssl command.

    openssl genrsa -out rootCAKey.pem 2048

    This command generates the rootCAKey.pem file.

  2. Create a CA certificate using the generated RSA key.

    openssl req -x509 -sha256 -new -nodes -key rootCAKey.pem -days 3650 -out rootCACert.pem

    The above command uses rootCAKey.pem generated in the previous step to generate the CA Certificate, rootCACert.pem.

  3. Upload the CA to the CipherTrust Manager:

    1. Log on to the CipherTrust Manager GUI.

    2. Go to CA > External.

    3. On the CA page, click Add External CA.

    4. Paste the contents of the rootCACert.pem file and click Save.

Creating Client Certificate

To create a client certificate:

  1. Create a key to be used in the client certificate.

    openssl genrsa -out client.key 2048

    This command generates the RSA key client.key.

  2. Create a client CSR using the key generated above.

    openssl req -key client.key -new -sha256 -out client.csr -subj /O=my-org/OU=my-org/OU=client/CN=client

    In this document, the common name CN=client is used. It is used as the user name on the CipherTrust Manager.

    This command uses the client.key generated in the previous step to generate the client CSR client.csr.

  3. Sign the CSR using the CA certificate and the CA's RSA key generated above.

    openssl x509 -req -days 360 -in client.csr -CA rootCACert.pem -CAkey rootCAKey.pem -CAcreateserial -out client.cert -sha256

Creating Server Certificate

To create a server certificate:

  1. Create a server key.

    openssl genrsa -out server.key 2048

  2. Create a CSR for the server using the key generated above.

    openssl req -key server.key -new -sha256 -out server.csr -subj /O=my-org/OU=my-org/OU=server/CN=server

  3. Create a server certificate.

    openssl x509 -req -days 7300 -in server.csr -CA rootCACert.pem -CAkey rootCAKey.pem -CAcreateserial -out server.cert -sha256
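The openssl procedure above, carried through end to end as an added example that is not part of the Thales documentation: it runs the same genrsa, req and x509 commands for the CA, the client and the server, then checks what should be confirmed before anything is uploaded to the CipherTrust Manager: both leaf certificates verify against the CA, the CA certificate carries basicConstraints CA:TRUE, the client certificate's CN is exactly the user name to create under Adding User, and server.cert and server.key are a matching pair. It assumes openssl 1.1.1 or later on PATH and writes everything to a temporary directory (WORKDIR); the throwaway req.cnf it writes is an assumption of this example and stands in for editing the system openssl.conf.

```shell
#!/bin/sh
# Added example, not from the Thales documentation. Assumes openssl 1.1.1+.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Minimal request config (an assumption of this example). Its [ v3_ca ] section
# carries the "basicConstraints = critical, CA:true" line the page asks for.
write_config() {
  cat > "$WORKDIR/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Runs in a subshell so the cd does not leak. Same commands as the page, plus
# -config so the throwaway config is used instead of the system openssl.conf.
make_pki() (
  cd "$WORKDIR"
  write_config
  # CA key and self-signed CA certificate.
  openssl genrsa -out rootCAKey.pem 2048 2>/dev/null
  openssl req -x509 -sha256 -new -nodes -key rootCAKey.pem -days 3650 \
    -config req.cnf -subj "/O=my-org/CN=my-org Root CA" -out rootCACert.pem
  # Client key, CSR (CN=client becomes the CipherTrust user name) and CA-signed cert.
  openssl genrsa -out client.key 2048 2>/dev/null
  openssl req -key client.key -new -sha256 -config req.cnf -out client.csr \
    -subj /O=my-org/OU=my-org/OU=client/CN=client
  openssl x509 -req -days 360 -in client.csr -CA rootCACert.pem -CAkey rootCAKey.pem \
    -CAcreateserial -out client.cert -sha256 2>/dev/null
  # Server key, CSR and CA-signed cert, same flow.
  openssl genrsa -out server.key 2048 2>/dev/null
  openssl req -key server.key -new -sha256 -config req.cnf -out server.csr \
    -subj /O=my-org/OU=my-org/OU=server/CN=server
  openssl x509 -req -days 7300 -in server.csr -CA rootCACert.pem -CAkey rootCAKey.pem \
    -CAcreateserial -out server.cert -sha256 2>/dev/null
)

# Both leaf certificates must chain to the CA that is uploaded to or selected on the Manager.
verify_chain() {
  openssl verify -CAfile "$WORKDIR/rootCACert.pem" "$WORKDIR/client.cert" "$WORKDIR/server.cert" >/dev/null
}

# Prints the CN of a certificate. For client.cert this is the user name to create under Adding User.
cert_cn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/.*CN=\([^,]*\).*/\1/'
}

# The CA certificate must actually be flagged as a CA, or the Manager cannot build the chain.
ca_has_ca_constraint() {
  openssl x509 -noout -text -in "$WORKDIR/rootCACert.pem" | grep -q 'CA:TRUE'
}

# Certificate and key must be a pair: compare the SHA-256 of the DER public key from each side.
key_matches_cert() {
  cert_pub=$(openssl x509 -noout -pubkey -in "$1" | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ]
}

main() {
  make_pki
  verify_chain
  ca_has_ca_constraint
  key_matches_cert "$WORKDIR/server.cert" "$WORKDIR/server.key"
  echo "PKI written to $WORKDIR; CipherTrust user name must be: $(cert_cn "$WORKDIR/client.cert")"
}
main
```

Run it with `sh pki.sh` (or `WORKDIR=/some/dir sh pki.sh`); a non-zero exit from any check means the material should not be uploaded yet. Every check here is one an engineer would otherwise discover only when the KMIP client fails to authenticate.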
    

Adding User

The user name must be the same as the CN (Common Name) specified when creating the client certificate.

  1. Log on to the CipherTrust Manager GUI.

  2. Go to Access Management > Users and create a new user.

  3. Click the newly created user, and then click GROUPS.

  4. Select the Key Users and Key Admins groups.

Registering a KMIP Client

You can register a KMIP client on the CipherTrust Manager in two ways:

Auto Registration

  1. Create a registration token.

    1. Log on to the CipherTrust Manager.

    2. In the left pane, click Access Management > Registration Tokens.

    3. Click Create New Registration Token.

    Copy the registration token after it is created.

  2. Turn ON Auto Registration.

    1. Go to Admin Settings > Interfaces.

    2. Click the ellipsis button corresponding to the kmip interface.

    3. Click Edit.

    4. Under Configure KMIP, select Auto Registration.

    5. Paste the registration token copied earlier.

    6. Select the mode as TLS, verify client cert, user name taken from client cert, auth request is optional.

    7. Click Update.

Manual Registration

  1. Log on to the CipherTrust Manager GUI.

  2. Go to Products > KMIP.

  3. Create a client profile.

    1. Go to Client Profile and click Add Profile.

    2. Add a Profile Name.

    3. Select CN in Username Location in Certificate.

    4. Click Certificate Details.

    5. Paste the content of client.csr.

    6. Click Save.

  4. Create a registration token.

    1. Go to Registration Token and click New Registration Token > Begin.

    2. Add a Name Prefix.

    3. Click Select CA.

    4. Select the CA type: Local if you are using a Local CA, or External if you are using an External CA.

    5. Select appropriate CA from the drop-down list and click Select Profile.

    6. From the drop-down list, select the client profile created above.

    7. Click Create Token.

    8. Copy the created token and click Done.

    If you are using an external CA, you can select the external CA that was created using openssl and uploaded to the CipherTrust Manager.

  5. Go to Registered Clients and click Add Client.

    • Specify the client name and paste the Registration Token generated above.

      If you are using an external CA, you need to paste the signed client certificate in the Client Certificate field.

    • Click Save to save the client certificate.

Configuring Interface

To configure a KMIP Interface:

  1. Go to Admin Settings > Interfaces.

  2. On the KMIP Interface, click the ellipsis icon, and click Edit. A Configure KMIP dialog box is displayed.

  3. Select the Auto Registration check box if you are using Auto Registration, or leave it cleared if you have registered your client manually.

  4. Select the mode as TLS, verify client cert, user name taken from client cert, auth request is optional.

  5. Specify selections for Local CA for Automatic Server Certificate Generation as desired.

    If you are using an external CA, set Local CA for Automatic Server Certificate Generation to Turn off auto generation from Local CA.

  6. Select the CA according to your preference.

    • If you are using an external CA, select the CA under External Trusted CAs.

    • If you are using a local CA, select the CA under Local Trusted CAs.

  7. (This step is required if you are using an external CA.) Expand the Upload Certificate section.

    • In the Certificate field, paste the contents of the server certificate, the CA certificate, and the server key file, in that order. Do not introduce any space, character, or symbol between the contents of these files.

    • Select certificate Format as PEM.

    • The Password field is optional and can be skipped.

    • Click Update.
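Step 7's Certificate field is unforgiving about what sits between the three files. The following is an added example, not from the documentation, that assembles the paste-in bundle in the documented order (server certificate, CA certificate, server key) and lints the result: every line must be a PEM boundary or base64 text, nothing may appear between blocks, and the block sequence must be certificate, certificate, private key. The PEM files it writes for the demonstration are constructed placeholders with fake base64 bodies, not real keys or certificates; point build_bundle and bundle_order_ok (names chosen for this example) at the real server.cert, rootCACert.pem and server.key to check an actual bundle.

```shell
#!/bin/sh
# Added example, not from the Thales documentation: builds and lints the
# Upload Certificate bundle (server cert, CA cert, server key, nothing in between).
set -eu

# Assemble the paste-in content in the documented order: $1 server cert, $2 CA cert, $3 server key.
build_bundle() { cat "$1" "$2" "$3"; }

# Walks the bundle line by line. Succeeds and prints the sequence of PEM block
# labels (e.g. "CERTIFICATE;CERTIFICATE;RSA PRIVATE KEY") only if every line is
# a BEGIN/END boundary or base64 text and no text exists outside a block.
check_bundle() {
  awk '
    function fail(msg) { printf "line %d: %s\n", NR, msg > "/dev/stderr"; bad = 1; exit 1 }
    /^-----BEGIN .*-----$/ {
      if (inblock) fail("BEGIN inside an open block")
      label = $0; sub(/^-----BEGIN /, "", label); sub(/-----$/, "", label)
      seq = (seq == "" ? label : seq ";" label); inblock = 1; next
    }
    /^-----END .*-----$/ {
      if (!inblock) fail("END without a matching BEGIN")
      l = $0; sub(/^-----END /, "", l); sub(/-----$/, "", l)
      if (l != label) fail("END label does not match BEGIN label")
      inblock = 0; next
    }
    !inblock { fail("text outside a PEM block (blank line, space or stray character)") }
    !/^[A-Za-z0-9+\/=]+$/ { fail("non-base64 line inside a PEM block (trailing space or CR?)") }
    END {
      if (bad) exit 1
      if (inblock) { print "unterminated PEM block" > "/dev/stderr"; exit 1 }
      print seq
    }
  ' "$1"
}

# The documented order: two certificate blocks, then the private key (PKCS#8, RSA or EC form).
bundle_order_ok() {
  seq=$(check_bundle "$1") || return 1
  case "$seq" in
    "CERTIFICATE;CERTIFICATE;PRIVATE KEY"|"CERTIFICATE;CERTIFICATE;RSA PRIVATE KEY"|"CERTIFICATE;CERTIFICATE;EC PRIVATE KEY")
      return 0 ;;
  esac
  echo "unexpected block order: $seq" >&2
  return 1
}

# Constructed placeholder PEM file for the demonstration: fake base64 body, not a real key or certificate.
make_fake_pem() {
  {
    printf '%s\n' "-----BEGIN $1-----"
    printf '%s\n' "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq7vK2c5w0VhPq9Q8zq1u" "Q8zq1u3R0Qf3aM5w=="
    printf '%s\n' "-----END $1-----"
  } > "$2"
}

demo() {
  d=$(mktemp -d)
  make_fake_pem CERTIFICATE "$d/server.cert"
  make_fake_pem CERTIFICATE "$d/rootCACert.pem"
  make_fake_pem "RSA PRIVATE KEY" "$d/server.key"
  build_bundle "$d/server.cert" "$d/rootCACert.pem" "$d/server.key" > "$d/upload.pem"
  bundle_order_ok "$d/upload.pem" && echo "upload.pem: OK ($(check_bundle "$d/upload.pem"))"
  # A blank line slipped in between two files is exactly what the page warns about.
  { cat "$d/server.cert"; echo; cat "$d/rootCACert.pem" "$d/server.key"; } > "$d/broken.pem"
  bundle_order_ok "$d/broken.pem" || echo "broken.pem: rejected"
}
demo
```

The lint cannot tell the server certificate from the CA certificate, since both are CERTIFICATE blocks; the order comes from the arguments to build_bundle, so pass them as the page lists them. A Windows-style CRLF ending is reported as a non-base64 line, which is the right outcome for content that will be pasted into the Upload Certificate field.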