Establishing Trust with CipherTrust Manager
This section provides the following steps to establish trust between CipherTrust Manager and vCenter over the KMIP protocol:
- Add a KMS to vCenter Server
- Create Certificate Signing Request (CSR) from vCenter
- Create a Local CA on CipherTrust Manager
- Sign a Certificate Request with Local CA
- Create a New User
- Update KMIP Interface
- Configure an NTP Server (optional step)
- Establishing Trust between CipherTrust Manager and vSphere Trust Authority
After completing the above steps, the server will be able to communicate with the client over the KMIP protocol.
As this integration uses the KMIP interface, note the following:
• Default mode is Verify client cert
• User name is taken from the client cert
• Auth request is optional
• Default port is 5696
Add a KMS to vCenter Server
This step is performed in the vCenter UI. Refer to the vCenter documentation for the relevant steps.
Create Certificate Signing Request (CSR) from vCenter
Generate a CSR from vCenter and download the CSR (or copy it as text). Refer to the vCenter documentation for the relevant steps.
Create a Local CA on CipherTrust Manager
You can create a local CA using the following steps; alternatively, you can use the default local CA.
Use the following command to create a local CA:
$ ksctl ca locals create --cn "Test CA" --csr-outfile csrfile
This returns a CSR that can then be signed by an external CA, if desired.
To self-sign the CA with a validity of one year, use the ID returned by the above call:
$ ksctl ca locals self-sign --id 3593c53b-fbeb-4edb-b84d-c85526ae2f83 -x 365
Sign a Certificate Request with Local CA
Use the following command in ksctl to issue a certificate:
$ ksctl ca locals certs issue --ca-id 3593c53b-fbeb-4edb-b84d-c85526ae2f83 --csr-infile csrfile -x 700 -o client
A certificate will be generated. Copy this certificate.
Go to vCenter and paste the certificate into the New Certificate Signing Request window.
Click OK to proceed.
Create a New User
Create a user on CipherTrust Manager whose name is exactly the same as the CN (Common Name) provided when the CSR was created.
Add this user to the Key User group.
For more information, refer to the CipherTrust Manager Administrator Guide.
Update KMIP Interface
Update the KMIP interface to use the newly created local CA. For more information, refer to the CipherTrust Manager Administrator Guide.
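As an added pre-flight check (not part of this guide and not a ksctl feature), the following shell function uses openssl to confirm, before the certificate is pasted into vCenter, that the issued client certificate chains to the local CA, that its CN is exactly the user name to be created on CipherTrust Manager (KMIP takes the user name from the client certificate), and that it is not about to expire. The file names and the CN value vcenter-kmip-client are assumptions.

```shell
# Added check (not part of the guide or of ksctl): validate the issued client
# certificate against the local CA before configuring it in vCenter.
# File names and the CN used in the example invocation are assumptions.

# Print the CN of a PEM certificate's subject (empty string if none).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Usage: verify_kmip_client_cert CA_PEM CLIENT_PEM EXPECTED_USER [MIN_DAYS]
# Returns 0 only if all three checks pass; the failing check is reported on stderr.
verify_kmip_client_cert() {
    ca="$1"; cert="$2"; user="$3"; min_days="${4:-30}"
    # 1. Chain check: the client cert must verify against the local CA that
    #    is configured on the KMIP interface.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to CA $ca" >&2
        return 1
    fi
    # 2. Identity check: the CN must equal the CipherTrust Manager user name,
    #    because the KMIP interface derives the user from the client cert.
    cn=$(cert_cn "$cert")
    if [ "$cn" != "$user" ]; then
        echo "FAIL: certificate CN '$cn' != expected user '$user'" >&2
        return 1
    fi
    # 3. Lifetime check: -checkend fails if the cert expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "FAIL: $cert expires within $min_days days" >&2
        return 1
    fi
    echo "OK: $cert chains to $ca and identifies user '$user'"
}

# Example invocation (assumed file names and CN):
# verify_kmip_client_cert ca.pem client.pem vcenter-kmip-client
```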
Configure an NTP Server (optional step)
Depending on your deployment, you may need to configure an NTP (Network Time Protocol) server. Use either of the following commands to add an NTP server:
Command 1:
$ ksctl ntp servers add --host time.nist.gov
Command 2 (with a symmetric key):
$ ksctl ntp servers add --host ntp-b.nist.gov --key secret
The trust establishment between vCenter and CipherTrust Manager is now complete, and the server is ready to communicate with the client over the KMIP protocol.
Establishing Trust between CipherTrust Manager and vSphere Trust Authority
VMware added vSphere Trust Authority in the 7.0 release, and CipherTrust Manager supports this feature. To configure vSphere Trust Authority, refer to the VMware documentation.
To connect the Key Provider Service to the KMS, you need to configure the trust setup.
Example:
Set-TrustAuthorityKeyProviderClientCertificate -KeyProvider $kp8 -CertificateFilePath <path/to/certfile.pem> -PrivateKeyFilePath <path/to/privatekey.pem>