VMware vSAN

Establishing Trust with CipherTrust Manager

This section provides the following steps to establish trust between CipherTrust Manager and vCenter over the KMIP protocol:

  1. Add a KMS to vCenter Server
  2. Create a Certificate Signing Request (CSR) from vCenter
  3. Create a Local CA on CipherTrust Manager
  4. Sign the Certificate Request with the Local CA
  5. Create a New User
  6. Update the KMIP Interface
  7. Configure an NTP Server (optional)

After completing these steps, the server will be able to communicate with the client over the KMIP protocol.

As this integration uses the KMIP interface:
• The default mode is Verify Client Cert
• The user name is taken from the client certificate
• Auth request is optional
• The default port is 5696

Add a KMS to vCenter Server

This step is performed in the vCenter UI. Refer to the vCenter documentation for the relevant steps.

Create Certificate Signing Request (CSR) from vCenter

Generate a CSR from vCenter and download it (or copy it as text). Refer to the vCenter documentation for the relevant steps.

Create a Local CA on CipherTrust Manager

You can create a Local CA using the following steps; alternatively, you can use the default local CA.

Use the following command to create a Local CA:

$ ksctl ca locals create --cn "Test CA" --csr-outfile csrfile

This returns a CSR that can be signed by an external CA if desired.

To self-sign the CA with a validity of one year, use the ID returned by the previous command:

$ ksctl ca locals self-sign --id 3593c53b-fbeb-4edb-b84d-c85526ae2f83 -x 365

Sign a Certificate Request with Local CA

  1. Use the following command in ksctl to issue a certificate:

    $ ksctl ca locals certs issue --ca-id 3593c53b-fbeb-4edb-b84d-c85526ae2f83 --csr-infile csrfile -x 700 -o client

    A certificate will be generated. Copy this certificate.

  2. Go to vCenter and paste the certificate into the New Certificate Signing Request window.

  3. Click OK to proceed.

Create a New User

  1. Create a user on CipherTrust Manager whose name is exactly the same as the CN (Common Name) provided when the CSR was created.

  2. Add this user to the Key User group.

    For more information, refer to the CipherTrust Manager Administrator Guide.
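Because the KMIP interface maps the client certificate's CN to a CipherTrust Manager user, the user created here must match the CN in vCenter's CSR exactly. The following stdlib-only Python helper is an added example, not part of the Thales documentation: it walks the CSR's DER structure to extract the subject CN and compares it, case-sensitively, with the intended user name; sample_csr builds a constructed CSR with dummy key and signature bytes for offline testing, and the CN vcenter-kmip-01 is an assumed value.

```python
import base64

CN_OID = bytes.fromhex("550403")  # id-at-commonName, OID 2.5.4.3

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value: bytes):
    """Yield (tag, value) for each TLV directly inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, body, pos = _read_tlv(value, pos)
        yield tag, body

def csr_subject_cn(pem: str) -> str:
    """Walk CertificationRequest -> CertificationRequestInfo -> subject Name and return its CN."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    info = next(_children(_read_tlv(der, 0)[1]))[1]            # CertificationRequestInfo
    subject = list(_children(info))[1][1]                       # [0] is version, [1] is subject
    cns = [value.decode("utf-8")                                # Name = SEQUENCE OF RDN (SET OF ATV)
           for _, rdn in _children(subject) for _, atv in _children(rdn)
           for (_, oid), (_, value) in [tuple(_children(atv))] if oid == CN_OID]
    if len(cns) != 1:
        raise ValueError(f"expected exactly one CN in the CSR subject, found {cns}")
    return cns[0]

def user_matches_csr(pem: str, user_name: str) -> bool:
    """Exact, case-sensitive comparison: the KMIP interface maps the certificate CN to this user."""
    return csr_subject_cn(pem) == user_name

def _tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(body)
    length = bytes([n]) if n < 128 else b"\x81" + bytes([n]) if n < 256 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def sample_csr(cn: str) -> str:
    """Constructed CSR: realistic subject, dummy RSA key and signature bytes (not a real, signed CSR)."""
    rdn = lambda oid, val, tag=0x0C: _tlv(0x31, _tlv(0x30, _tlv(0x06, bytes.fromhex(oid)) + _tlv(tag, val.encode())))
    algid = lambda oid: _tlv(0x30, _tlv(0x06, bytes.fromhex(oid)) + _tlv(0x05, b""))
    subject = _tlv(0x30, rdn("550406", "US", 0x13) + rdn("55040A", "Example") + rdn("550403", cn))
    spki = _tlv(0x30, algid("2A864886F70D010101") + _tlv(0x03, b"\x00" * 65))    # rsaEncryption, dummy key
    info = _tlv(0x30, _tlv(0x02, b"\x00") + subject + spki + _tlv(0xA0, b""))     # version 0, no attributes
    der = _tlv(0x30, info + algid("2A864886F70D01010B") + _tlv(0x03, b"\x00" * 65))  # sha256WithRSA, dummy sig
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{body}\n-----END CERTIFICATE REQUEST-----\n"
```

Run csr_subject_cn on the CSR downloaded from vCenter before creating the user, and use its output verbatim as the user name.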

Update KMIP Interface

Update the KMIP interface to use the newly created local CA. For more information, refer to the CipherTrust Manager Administrator Guide.

Configure an NTP Server (optional step)

Depending on your deployment strategy, you may need to configure an NTP (Network Time Protocol) server. Use either of the following commands to add one:

Command 1:

ksctl ntp servers add --host time.nist.gov

Command 2:

ksctl ntp servers add --host ntp-b.nist.gov --key secret

The trust establishment between vCenter and CipherTrust Manager is now complete, and the server is ready to communicate with the client over the KMIP protocol.

Establishing Trust between CipherTrust Manager and vSphere Trust Authority

VMware introduced vSphere Trust Authority in release 7.0, and CipherTrust Manager supports this feature. To configure vSphere Trust Authority, refer to the VMware documentation.

To connect the Key Provider Service to the KMS, you need to configure the trust setup.

Example:

Set-TrustAuthorityKeyProviderClientCertificate -KeyProvider $kp8 -CertificateFilePath <path/to/certfile.pem> -PrivateKeyFilePath <path/to/privatekey.pem>