SafeNet Key Management

Overview of Integrating HyperFlex and SafeNet

This document describes how to establish certificate-based trust between HyperFlex nodes and a SafeNet KeySecure key management server. Before you configure remote key management (KMIP) for the first time, you must configure a local Certificate Authority (CA) on the SafeNet KeySecure Management Console. That CA signs the server certificate that the KMIP listener presents to the nodes and the certificates that the nodes use to authenticate to the key server.

Generating a Local Certificate Authority

Procedure


Step 1

Log in to the SafeNet KeySecure Management Console with administrator credentials.

Step 2

Click the Security tab.

Step 3

In the navigation pane, click Local CAs.

Step 4

Under the Create Local Certificate Authority section, complete the following fields.

Certificate Authority Name field: Name under which the CA is listed on the KeySecure.

Common Name field: Common name (CN) in the CA certificate's subject.

Organizational Name field: The organization requesting the certificate. Enter up to 32 characters.

Organizational Unit Name field: The organizational unit. Enter up to 64 characters. Note the value you choose: the same OU is used later to map the nodes' client certificates to a KeySecure local user.

Locality Name field: The city or town in which the company requesting the certificate is headquartered. Enter up to 32 characters.

State or Province Name field: The state or province in which the company requesting the certificate is headquartered. Enter up to 32 characters.

Country Name field: The country in which the company resides. Enter the two-letter ISO country code in uppercase.

Email Address field: Email address of the administrator responsible for the CA.

Key Size field: RSA key size for the CA key pair. Use 2048 bits or larger.

Certificate Authority Type field: Select either Self-signed Root CA or Intermediate CA Request.

If you create a Self-signed Root CA you must also specify the CA Certificate Duration (days) and the Maximum User Certificate Duration (days); the latter caps the lifetime of every certificate this CA signs.

Step 5

Click Create.


Creating a Self-Signed Root Certificate Authority

Procedure


Step 1

Log in to the SafeNet KeySecure Management Console with administrator credentials.

Step 2

Click the Security tab.

Step 3

In the navigation pane, click Local CAs.

Step 4

Enter the Certificate Authority Name, Common Name, Organizational Name, Organizational Unit Name, Locality Name, State or Province Name, Country Name, Email Address, and Key Size, as described in Generating a Local Certificate Authority.

Step 5

Select Self-Signed Root CA as the Certificate Authority Type.

Step 6

Click Create.

The new Self-Signed CA appears in the Local Certificate Authority List section with a status of CA Certificate Request Pending.

Step 7

Select the newly created Self-Signed Root CA and click the Properties tab to access the CA Certificate Information.

Step 8

Copy the CA certificate text (the PEM block beginning with -----BEGIN CERTIFICATE-----) to the Public Key field in the HX Connect UI. This is the trust anchor the HyperFlex nodes use to validate the KMIP server's certificate.

Step 9

Add this new local certificate authority to the Trusted CA list.

  1. In the navigation pane, click Trusted CA List.

  2. In the work pane, click Properties.

  3. Click Edit.

  4. From the list of Available CAs, select the newly created Self-Signed Root CA. Click ADD to move it under Trusted CAs.

  5. Click Save.


Creating a Server SSL Certificate

Procedure


Step 1

To create a server SSL certificate, first generate a Certificate Signing Request (CSR) for the KMIP server.

  1. Log in to the SafeNet KeySecure Management Console with administrator credentials.

  2. Click the Security tab.

  3. In the navigation pane, click SSL Certificates.

  4. Under the Create Certificate Request section, complete the following fields.

    Certificate Name field: Name under which the certificate is listed on the KeySecure.

    Common Name field: Common name (CN) of the server certificate. For a TLS server certificate this is normally the host name that the HyperFlex nodes use to reach the KMIP server.

    Organizational Name field: The organization requesting the certificate. Enter up to 32 characters.

    Organizational Unit Name field: The organizational unit. Use the same OU as the local CA; it is matched later against the KeySecure local user. Enter up to 64 characters.

    Locality Name field: The city or town in which the company requesting the certificate is headquartered. Enter up to 32 characters.

    State or Province Name field: The state or province in which the company requesting the certificate is headquartered. Enter up to 32 characters.

    Country Name field: The country in which the company resides. Enter the two-letter ISO country code in uppercase.

    Email Address field: Email address of the administrator responsible for the certificate.

    Key Size field: RSA key size for the server key pair. Use 2048 bits or larger.

  5. Click Create Certificate Request.

Step 2

Under the Certificate List section, select the newly created certificate request and click the Properties tab to view the request.

Step 3

Copy the CSR text (the block beginning with -----BEGIN CERTIFICATE REQUEST-----).

Step 4

Sign the CSR with the local certificate authority.

  1. In the navigation pane, click Local CAs.

  2. Select the Self-Signed Root CA created earlier and click Sign Request.

  3. Paste the CSR text under Certificate Request.

  4. For the Certificate Purpose option, choose Server.

  5. Click Sign Request.

  6. Copy the signed certificate that the KeySecure returns; you install it in the next procedure.


Installing the Signed Server Certificate

Before you begin

Prior to installing the server certificate, you must have a copy of the certificate that the local CA returned when you signed the CSR.

Procedure


Step 1

Log in to the SafeNet KeySecure Management Console with administrator credentials.

Step 2

Click the Security tab.

Step 3

On the navigation pane, click SSL Certificates.

Step 4

Select the certificate entry created from your CSR. Click the Properties tab.

Step 5

Click Install Certificate.

Step 6

Paste the signed server certificate (the text returned by Sign Request) under Certificate Response.

Step 7

Click Save.


Under the Certificate List section on the Security > SSL Certificates > Certificate and CA Configuration page, the server certificate now shows Certificate Status - Active. If it remains in the request state, the pasted response did not match the pending request's key; sign the same CSR again and paste the resulting certificate.

Adding a KMIP Server

Procedure


Step 1

Log in to the SafeNet KeySecure Management Console with administrator credentials.

Step 2

Click the Device tab.

Step 3

In the navigation pane, click Key Server.

Step 4

Under the Cryptographic Key Server Settings section, click Add and complete the following fields.

Protocol field: Choose Key Management Interoperability Protocol (KMIP).

IP field: IP address on which the KeySecure accepts KMIP connections.

Port field: TCP port for the KMIP listener. The IANA-registered port for KMIP is 5696; the HyperFlex KMIP configuration must use the same port.

Use SSL field: Check this box. KMIP must run over TLS (the UI calls it SSL), both to protect keys in transit and because the client-certificate authentication configured in the next procedure depends on it.

Server Certificate field: From the drop-down list, choose the server certificate created and installed for HyperFlex in the previous procedures.

Step 5

Click Save.


Updating KMIP Server Settings

Update the KMIP server settings so that clients authenticate with a client certificate and are mapped to a KeySecure local user by the Organizational Unit (OU) in the certificate subject.

Procedure


Step 1

Log in to the SafeNet KeySecure Management Console with administrator credentials.

Step 2

Click the Device tab.

Step 3

In the navigation pane, click Key Server.

Step 4

Under the Authentication Settings section, click Edit.

Step 5

Set the Trusted CA List Profile as Default from the drop-down list.

Step 6

Set the Username Field in Client Certificate as OU (Organizational Unit) from the drop-down list.

Step 7

Click Save.

Step 8

Create a local user whose username is the common OU present in the local CA and the SSL certificates. With the Username Field setting above, KeySecure reads the OU from the subject of the client certificate presented by a HyperFlex node and authenticates the node as the local user of that name, so the two strings must be identical.

  1. Click the Security tab.

  2. In the navigation pane, click Local Users and Groups.

  3. Under the Local Users section, click Add and complete the following fields.

Username field: The OU value, entered exactly as it appears in the certificates.

Password field: Password for the local user. The nodes authenticate with their certificate rather than with this password, but choose a strong one anyway.

User Administration Permission: Check to grant administration permission for this user.

Change Password Permission: Check to grant change password permission for this user.

You can now sign the CSRs generated by the HyperFlex cluster with this user.
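Because the Username Field in Client Certificate setting makes KeySecure take the OU from the node's certificate subject and look up a local user of that name, the most common failure in this procedure is an OU that does not match the username exactly. The script below is an added example, not part of the Cisco or SafeNet documentation; it assumes the openssl CLI (1.1.1 or later), and the OU value HX-CLUSTER-A, the user names and the host names are placeholders. It builds a constructed client certificate standing in for a node's certificate, extracts its OU the way a pre-flight check would, and compares it with the intended local username. The last function is a live TLS probe of the KMIP listener; it is defined but not run here because it needs a reachable server.

```shell
#!/bin/sh
# Added example (not from the HyperFlex/SafeNet documentation): check that the
# OU in a client certificate matches the KeySecure local username it will map to.
# Assumptions: openssl CLI >= 1.1.1; OU, user and host names are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed stand-in for a HyperFlex node's client certificate. The real one
# is issued from the cluster's CSR; only the subject matters for this check.
make_client_cert() {   # make_client_cert <ou> <output basename>
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/O=Example Corp/OU=$1/CN=hx-node-1" \
        -addext "extendedKeyUsage=clientAuth" \
        -keyout "$2.key" -out "$2.crt" 2>/dev/null
}

# Print every OU attribute of the certificate subject, one per line.
cert_subject_ou() {   # cert_subject_ou <cert.pem>
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline | sed -n 's/^ *OU=//p'
}

# Exit 0 when the certificate carries exactly one OU and it equals the local
# username; 1 on mismatch; 2 when the OU is absent or ambiguous. On a mismatch
# the KMIP session is authenticated as the wrong user or not at all.
ou_matches_user() {   # ou_matches_user <cert.pem> <username>
    ou="$(cert_subject_ou "$1")"
    n="$(printf '%s' "$ou" | grep -c '^' || true)"
    [ "$n" -eq 1 ] || return 2
    [ "$ou" = "$2" ]
}

# Live check against the KMIP listener (defined, not run here): the handshake
# must complete with the node's certificate and the server certificate must
# chain to the CA whose text was pasted into HX Connect. 5696 is the IANA
# port for KMIP; pass the port configured under Cryptographic Key Server Settings.
kmip_tls_probe() {   # kmip_tls_probe <host> <port> <client.crt> <client.key> <ca.crt>
    openssl s_client -connect "$1:$2" -cert "$3" -key "$4" -CAfile "$5" \
        -verify_return_error </dev/null >/dev/null 2>&1
}

make_client_cert "HX-CLUSTER-A" "$WORK/node1"

if ou_matches_user "$WORK/node1.crt" "HX-CLUSTER-A"; then
    echo "node1.crt: OU matches local user HX-CLUSTER-A"
fi
# A near miss is still a miss: the strings are compared exactly.
if ! ou_matches_user "$WORK/node1.crt" "hx-cluster-a"; then
    echo "node1.crt: OU does not match local user hx-cluster-a"
fi
```

Run ou_matches_user against each node's certificate before adding the local user; if any node's OU differs (a second OU attribute, different case, trailing whitespace), fix the certificate rather than creating extra users, since all nodes of the cluster are expected to share the one OU.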