Pre-Integration Steps
This section lists the steps to be performed before starting with the integration.
Generating CSR on HPE StoreOnce
Perform the following steps to generate CSR on HPE StoreOnce:
Log in to the StoreOnce Management console using the credentials.
Navigate to Settings >> Security >> Key Manager.
Click Generate CSR.
Click Provide External Key Manager Credentials. Add username and password of the CM user, set the DN values, and click OK.
— To generate a certificate signing request, you must provide the External Key Manager credentials.
— Common Name (CN) must be the same as the user name on the CM.
Click Generate. A CSR is generated.
Click Select and Copy to copy the content of the generated CSR and save it.
Creating a User on the CipherTrust Manager
Create a user on the CipherTrust Manager and add it to the Key Admins group. For more information, refer to the CipherTrust Manager documentation.
Registering a KMIP Client
You need to switch the domain before performing this operation.
You can register a KMIP client on the CipherTrust Manager using:
Using Auto-Registration
Create a registration token using the following steps:
Log on to the CipherTrust Manager.
Go to Access Management > Registration Tokens in the sidebar.
Click Create New Registration Token.
Copy the Registration Token once it is created.
Turn ON Auto Registration using the following steps:
Go to Admin Settings > Interfaces.
Click the ellipsis icon corresponding to the KMIP interface.
Click Edit.
Under the Configure KMIP window, select Auto Registration.
Paste the Registration Token.
Select the mode as TLS, verify client cert, user name taken from client cert, auth request is optional.
Click Update.
Using Manual Registration
Log on to the CipherTrust Manager.
Go to Products > KMIP.
Create a Client Profile using the following steps:
Go to Client Profile and click Add Profile.
Add a Profile Name.
Select CN in Username Location in Certificate.
For Domain, the CN will be domain||username.
Click Certificate Details.
Paste the content of the generated client.csr.
Click Save.
Create a Registration Token using the following steps:
Go to Registration Token and click New Registration Token > Begin.
Add a Name Prefix.
Click Select CA.
Select the CA type as Local if you are using a Local CA, or External if you are using an External CA.
Select appropriate CA from the dropdown menu and click Select Profile.
Select the Client Profile from the dropdown which you have created.
Click Create Token.
Copy the Token value and click Done.
If you are using an external CA then you can select the external CA which was created using openssl and uploaded on the CipherTrust Manager.
Go to Registered Clients and click Add Client. Specify the client's name and paste the generated Registration Token.
If you are using an external CA then you need to paste the signed client certificate in the Client Certificate field.
Click Save > Save Certificate to save the Client Certificate.
— This certificate corresponds to the client certificate enrolled on the HPE StoreOnce.
— The generated client csr corresponds to the CSR generated in Generating CSR on HPE StoreOnce.
Creating a Client Certificate
Perform the following steps to use the CSR (created above) on CM to generate the client certificate:
Navigate to CA >> Local CA and select the CA to be used.
Click Upload CSR.
Enter a Display Name.
Paste the content of the CSR and select Certificate Purpose as Client.
Click Issue certificate.
This section applies to KMIP clients registered using Auto Registration.
Configuring the KMIP Interface
Perform the following steps to configure the KMIP interface:
Go to Admin Settings > Interfaces.
On the KMIP Interface, click the ellipsis icon, then click Edit. A Configure KMIP popup is displayed.
Select the Auto Registration check box if you registered your client using Auto Registration. However, if you registered your client manually, clear the check box.
While selecting Auto Registration, ensure that you create a registration token and enter its value in the Registration Token field. Refer to the CipherTrust Manager documentation for details.
Select the mode as required.
Specify selections for Local CA for Automatic Server Certificate Generation as desired.
In case of an External CA, set Local CA for Automatic Server Certificate Generation to Turn off auto-generation from Local CA.
Select the CA according to your preference.
If you are using an External CA, select the CA under External Trusted CAs.
If you are using a Local CA, select the CA under Local Trusted CAs.
Expand the Upload Certificate section (Applicable to External CA):
In the Certificate field, paste the content of the Server Certificate, CA, and the Server Key file in the same order. Do not introduce any space, characters, or symbols between the content of these files.
Set the certificate Format as PEM.
Specify the Password (Optional).
Click Update.
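The following Python check is an added example, not part of the CipherTrust Manager or HPE StoreOnce documentation. It lints the text you are about to paste into the Certificate field against the order and no-extra-content rules above. It inspects PEM labels only, so it cannot tell the server certificate from the CA certificate. The function name, the constructed sample blocks, and the assumption that a single line break between files is acceptable are this example's own.

```python
import base64
import re

# One PEM block: BEGIN line, body, END line with the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def lint_kmip_bundle(text):
    """Return a list of problems in the pasted bundle (empty list = OK)."""
    problems = []
    blocks = list(PEM_BLOCK.finditer(text))
    labels = [m.group(1) for m in blocks]

    # Required order: server certificate, CA certificate, server key.
    if len(labels) != 3:
        problems.append(f"expected 3 PEM blocks, found {len(labels)}")
    elif (labels[:2] != ["CERTIFICATE", "CERTIFICATE"]
          or not labels[2].endswith("PRIVATE KEY")):
        problems.append(f"wrong block order: {labels}")

    # Assumption: exactly one line break between blocks (what joining the
    # files produces) is fine; anything else counts as introduced content.
    pos = 0
    for i, m in enumerate(blocks):
        gap = text[pos:m.start()]
        if gap not in (("",) if i == 0 else ("\n", "\r\n")):
            problems.append(f"bad separator before block {i + 1}: {gap[:20]!r}")
        pos = m.end()
    if text[pos:] not in ("", "\n", "\r\n"):
        problems.append(f"unexpected text after last block: {text[pos:][:20]!r}")

    # Certificate bodies must be clean base64 (keys may carry PEM headers).
    for i, m in enumerate(blocks):
        if m.group(1) == "CERTIFICATE":
            try:
                base64.b64decode("".join(m.group(2).split()), validate=True)
            except ValueError:
                problems.append(f"block {i + 1} is not valid base64")
    return problems


def _fake_pem(label, payload):
    # Constructed placeholder block, not a real certificate or key.
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


SERVER, CA, KEY = (_fake_pem("CERTIFICATE", b"constructed server cert"),
                   _fake_pem("CERTIFICATE", b"constructed CA cert"),
                   _fake_pem("PRIVATE KEY", b"constructed server key"))
```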