Steps to Configure a KeySecure Server for KMIP
Posted by Jim Susoy on 11 November 2019 10:07 AM
Configuring a SafeNet KeySecure Server for KMIP
1. Navigate to "Security -> Local CAs" and create a local CA to use for the KMIP server.
2. Navigate to "Security -> Trusted CA Lists" and add the CA you just created to the trusted list. This is the list the KMIP server uses to validate client certificates, so a client certificate signed by any other CA will be rejected.
3. Create the server certificate:
 - Navigate to "Security -> SSL Certificates" and create a Certificate Signing Request (CSR). Be sure that the "Common Name" and the "Subject Alternative Name" are set to the hostname that KMIP clients will use to reach the server; clients that verify the hostname will refuse the connection otherwise.
 - Navigate to "Security -> Local CAs" and click the "Sign Request" button to sign the CSR you just created with the local CA from step 1.
4. Go to "Security -> Local Authentication" and create a user. The username MUST be used as the CN of the client certificate, because the KMIP server takes the client's identity from that field (see step 7).
5. Create a Certificate Signing Request (CSR) for your client certificate locally (the CN MUST be identical to the username created in step 4).
You can create a CSR locally using the following OpenSSL commands:
- Create a private key. Do not encrypt it: "openssl genrsa" only prompts for a passphrase when a cipher option such as -aes256 is given, and the KMIP client has to load the key unattended anyway. Give the key size explicitly (2048 bits is the usual minimum; older OpenSSL releases default to 1024):
$ openssl genrsa -out /path/to/www_server_com.key 2048
- Create the Certificate Signing Request from that key:
$ openssl req -new -key /path/to/www_server_com.key -out /path/to/www_server_com.csr
You will now be prompted to enter the information which will be incorporated into your CSR. This information is also known as the Distinguished Name, or DN. Some fields are required, while others are optional and can be left blank.
Hit Enter to move forward through each item:
- The Country Name is mandatory and takes a two-letter country code.
- The State or Province Name field requires a full name – do not use an abbreviation.
- The Locality Name field is for your city or town.
- In the Organization Name field, add your company or organization.
- Organizational Unit Name is an optional field for your department or section.
- The Common Name field MUST be set to the username created in step 4, exactly as it was entered there (the comparison is literal).
- Email address is an optional field for this request. (You can hit Enter to skip forward.)
- The challenge password and optional company name fields are optional and can be skipped as well.
6. Next navigate to "Security -> Local CAs", select your CA and click "Sign Request". Paste the contents of the CSR file (www_server_com.csr, not the private key) into the text box and sign the request. Keep the resulting signed certificate together with the private key from step 5; the KMIP client presents that pair when it connects.
7. Navigate to "Device -> Key Servers" and add/edit a KMIP server. Set the server certificate to the one you created in step 3.
- Set "Client Certificate Authentication" to "Used for SSL session and username".
- Set "Trusted CA Profile" to the correct profile.
- Set "Username field in client certificate" to "CN (Common Name)"
- Check "Allow Key Export" (required if KMIP clients need to retrieve key material; leave it unchecked when clients only use keys on the server).
- Check "Allow Key and Policy Configuration Operations" (required if KMIP clients create keys or change attributes; clients that only read keys do not need it).
- Click "Save"
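The following script is an added example, not part of the KB article and not SafeNet code. It performs the client-side part of steps 5 and 6 non-interactively and then checks the two conditions that most often make the KMIP server reject a client: the certificate CN must equal the local username (step 4) and the certificate must chain to the CA on the Trusted CA list (step 2). The CA it builds only stands in for the KeySecure local CA so that the script runs offline; in production the CSR is pasted into "Security -> Local CAs -> Sign Request" instead. The working directory, DN values, the user name "kmipuser", the host name and the port are placeholders (assumptions).

```shell
#!/bin/sh
# Added example (not from the KB article or SafeNet). Generates the KMIP client
# material non-interactively and checks the two things that most often break
# client-certificate authentication on KeySecure:
#   1. the client certificate CN must be exactly the local user name
#   2. the client certificate must chain to a CA on the server's Trusted CA list
# The CA built here only stands in for the KeySecure local CA so the script runs
# offline. Working directory, DN values, user and host names are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KMIP_HOST="${KMIP_HOST:-keysecure.example.com}"   # placeholder hostname

# Minimal OpenSSL config so the script does not depend on the system openssl.cnf.
# [dn] is empty because every subject is supplied with -subj.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Stand-in for the KeySecure local CA (Security -> Local CAs).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$WORK/openssl.cnf" -extensions ca_ext \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/C=US/O=Example Corp/CN=KMIP Local CA" 2>/dev/null
}

# make_client_csr <username> <basename>: unencrypted 2048-bit RSA key plus a
# CSR whose CN is the KeySecure local user name. -subj replaces the
# interactive DN prompts; ST must be the full state name.
make_client_csr() {
    openssl genrsa -out "$WORK/$2.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$2.key" -out "$WORK/$2.csr" \
        -config "$WORK/openssl.cnf" \
        -subj "/C=US/ST=Maryland/L=Belcamp/O=Example Corp/OU=Security/CN=$1" 2>/dev/null
}

# sign_client_csr <basename>: stand-in for the "Sign Request" button.
sign_client_csr() {
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -out "$WORK/$1.crt" 2>/dev/null
}

# cert_cn <cert>: print the CN exactly as KeySecure reads it when
# "Username field in client certificate" is set to "CN (Common Name)".
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p'
}

# check_client_cert <cert> <expected-username>: prints OK when the CN matches
# the user and the cert chains to the CA, otherwise the reason the KMIP server
# would reject it.
check_client_cert() {
    cn=$(cert_cn "$1")
    if [ "$cn" != "$2" ]; then
        echo "MISMATCH: CN '$cn' != user '$2'"
        return 1
    fi
    if ! openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; then
        echo "UNTRUSTED: does not chain to the trusted CA"
        return 1
    fi
    echo OK
}

# kmip_tls_probe <basename>: TLS handshake against the live server once the
# certificate is installed (not run here). 5696 is the IANA-registered KMIP
# port; use the port configured under Device -> Key Servers if it differs.
# -verify_hostname checks the server certificate's CN/SAN from step 3.
kmip_tls_probe() {
    openssl s_client -connect "$KMIP_HOST:5696" -servername "$KMIP_HOST" \
        -verify_hostname "$KMIP_HOST" -CAfile "$WORK/ca.crt" \
        -cert "$WORK/$1.crt" -key "$WORK/$1.key" </dev/null
}

if [ "${1:-}" = "demo" ]; then
    make_ca
    make_client_csr kmipuser good && sign_client_csr good
    make_client_csr kmip-user bad && sign_client_csr bad    # CN typo: rejected
    check_client_cert "$WORK/good.crt" kmipuser || true
    check_client_cert "$WORK/bad.crt" kmipuser || true
fi
```

Run it as "sh kmip_client_check.sh demo": the first check prints OK, the second prints the MISMATCH line, which is the same failure you see when the CN and the Local Authentication user differ by even one character. Once the real signed certificate from step 6 is in place, "kmip_tls_probe good" against the KeySecure host shows whether the server certificate verifies against the CA and whether the hostname in step 3 matches.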