
KMIP Server: SafeNet KeySecure Configuration

The following steps describe how to configure SafeNet KeySecure to handle KMIP client requests from Cloudistics storage controllers.

Requirements

  • SafeNet KeySecure is already installed. Refer to the SafeNet KeySecure documentation for information about installation and setup.

Generating the KMIP server certificate

  1. Create a local Certificate Authority: Security, Device CAs & SSL Certificates, Local CAs.
  2. Fill out the following:
    CA Name: Cloudistics Ignite KMIP Server
    Certificate Name: Cloudistics Ignite KMIP Server
    Common Name: Cloudistics Ignite KMIP Server
    Organization Name: Cloudistics
    Organizational Unit Name: Cloudistics
    Locality Name: Reston
    State or Province Name: VA
    Country Name: US
    Email Address:
    Key Size: 2048
    Certificate Authority Type:
    * Self-signed Root CA
    CA Certificate Duration (days): 3650
    Maximum User Certificate Duration (days): 3650

Creating the SSL certificate request

  1. Create the SSL certificate request: Security, Device CAs & SSL Certificates, SSL Certificates.
  2. Fill out the following:
    CA Name: Cloudistics Ignite KMIP Server
    Certificate Name: Cloudistics Ignite KMIP Server
    Common Name: Cloudistics Ignite KMIP Server
    Organization Name: Cloudistics
    Organizational Unit Name: Cloudistics
    Locality Name: Reston
    State or Province Name: VA
    Country Name: US
    Email Address:
    Key Size: 2048

Creating a self-signed certificate

  1. Under Certificate List, click the name of the Certificate Request you just created.
  2. Click the Certificate Request link.
  3. Update the expiration to 3650 days.
  4. Click the Create Self Sign Certificate button. The list should contain the new Server Certificate Cloudistics Ignite KMIP Server-self sign.
  5. Download this certificate. You will need it for the KMIP client to connect and for two-way (mutual) authentication.

Generating client certificates

  1. On each storage controller, follow the steps in the KMIP client configuration topic.

Installing the client CA

  • Install the Client CA: After the client has been configured, download or copy the client CA to your system; you will need it for the next step.
    /usr/share/cloudistics/kmipclient/certs/client_ca.crt
  • Install the CA Certificate: Security, Device CAs & SSL Certificates, Known CAs.
    Certificate Name: ca.crt.<STORAGE CONTROLLER SERIAL NUMBER> (ex: ca.crt.DDVWFB2)
  • Adding certificates to the trusted CA list
    1. Add the certificates to the trusted CA list: Security, Device CAs & SSL Certificates, Trusted CA Lists.
    2. Add a new profile called Cloudistics Ignite.
    3. After it has been created, select it and click the Edit button under Trusted Certificate Authority List.
    4. Add Cloudistics Ignite KMIP Server under Local Certificate Authorities.
    5. Add the Client certificate CA you just created under CA Certificates.
    6. Save, and verify that both certificates appear in the list.

Configuring host access

  1. Configure host access: Security, Users & Groups, Local Authentication.
  2. Click Add to create a new user/host with these credentials:
    • Username: cloudistics-<STORAGE CONTROLLER SERIAL NUMBER> (ex: cloudistics-DDVWFB2)
    • Password: cloudistics
  3. Click Save.
    Note: When authenticating clients, the server compares this Host Name field with the Common Name field in the client certificate and allows access only if they match exactly.
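Because access hinges on the certificate CN matching the user name exactly, a pre-flight check saves a failed handshake later. The script below is an added example, not part of the SafeNet or Cloudistics documentation; the certificate paths and host name it takes are assumptions for illustration.

```shell
#!/bin/sh
# Added pre-flight check (not from the SafeNet/Cloudistics docs): KeySecure
# only admits a KMIP client whose certificate CN exactly equals the local
# user name, which this guide sets to cloudistics-<STORAGE CONTROLLER SERIAL NUMBER>.
# File paths and the host name passed in are assumptions for illustration.

# Expected KeySecure user name for a given storage controller serial number.
expected_username() {
    printf 'cloudistics-%s\n' "$1"
}

# Pull the CN out of an "openssl x509 -noout -subject" line; handles both the
# "CN = x" and the legacy "/CN=x" output styles.
cn_from_subject() {
    printf '%s\n' "$1" | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p' | sed 's/ *$//'
}

# Return 0 when the subject line's CN equals the expected user name.
cn_matches_serial() {
    [ "$(cn_from_subject "$1")" = "$(expected_username "$2")" ]
}

# Check a PEM client certificate file against the controller serial number.
check_client_cert() {
    cert="$1"; serial="$2"
    subject=$(openssl x509 -in "$cert" -noout -subject) || return 1
    if cn_matches_serial "$subject" "$serial"; then
        echo "OK: CN matches $(expected_username "$serial")"
    else
        echo "MISMATCH: CN is '$(cn_from_subject "$subject")', expected $(expected_username "$serial")" >&2
        return 1
    fi
}

# Exercise the mutual-TLS handshake on the KMIP port (5696), trusting the
# downloaded self-signed server certificate and presenting the client cert/key.
# -verify_return_error turns a failed chain verification into a non-zero exit.
check_kmip_tls() {
    host="$1"; server_cert="$2"; cert="$3"; key="$4"
    openssl s_client -connect "$host:5696" -CAfile "$server_cert" \
        -cert "$cert" -key "$key" -verify_return_error </dev/null >/dev/null 2>&1
}

# Example invocation (assumed paths): sh check_cn.sh client.crt DDVWFB2
if [ "$#" -eq 2 ]; then
    check_client_cert "$1" "$2"
fi
```

Run check_kmip_tls against the KeySecure host after the Key Server step to confirm the handshake succeeds with the trust list you built.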

Configuring the KMIP Server

  1. Configure the KMIP server: Device, Key Server.
  2. Click Add under Cryptographic Key Server Settings.
    Protocol: KMIP
    IP: [ALL]
    Port: 5696
    Use SSL: Yes
    Server Certificate: Cloudistics Ignite KMIP Server-selfsign

Managing passwords

  • To manage passwords: Security, Managed Objects, Keys.
    Each Storage Controller has a password ("Secret Data" in KMIP terminology) associated with it. Deleting the key permanently removes that controller's Secret Data from the server.

Revoking host authorization

  1. To revoke host authorization: Security, Users & Groups, Local Authentication.
  2. Select the button next to the user to remove, and click the Delete button. This denies the host access indefinitely.