
Configure SafeNet KeySecure

The following steps describe how to configure SafeNet KeySecure to handle KMIP client requests from ThinkAgile CP storage controllers.

Requirements

SafeNet must already be installed. Refer to the SafeNet KeySecure documentation for information about installation and setup.

Generate the KMIP Server Certificate

  1. Create a local Certificate Authority: Security > Device CAs & SSL Certificates > Local CAs.
  2. Fill out the following:

    CA Name: ThinkAgile CP KMIP Server

    Certificate Name: ThinkAgile CP KMIP Server

    Common Name: ThinkAgile CP KMIP Server

    Organization Name: Lenovo

    Organizational Unit Name: ThinkAgile CP

    Locality Name: Reston

    State or Province Name: VA

    Country Name: US

    Email Address:

    Key Size: 2048

    Certificate Authority Type:

    * Self-signed Root CA

    CA Certificate Duration (days): 3650

    Maximum User Certificate Duration (days): 3650

Create the SSL Certificate Request

  1. Create the SSL certificate request: Security > Device CAs & SSL Certificates > SSL Certificates.
  2. Fill out the following:

    CA Name: ThinkAgile CP KMIP Server

    Certificate Name: ThinkAgile CP KMIP Server

    Common Name: ThinkAgile CP KMIP Server

    Organization Name: Lenovo

    Organizational Unit Name: ThinkAgile CP

    Locality Name: Reston

    State or Province Name: VA

    Country Name: US

    Email Address:

    Key Size: 2048

Create a Self-Signed Certificate

  1. Under Certificate List, click the name of the Certificate Request you just created.
  2. Click the Certificate Request link.
  3. Update the expiration to 3650 days.
  4. Click the Create Self Sign Certificate button. The list should contain the new Server Certificate ThinkAgile CP KMIP Server-self sign.
  5. Download this certificate. You will need it for the KMIP client to connect and for two-way (mutual) authentication.

Generate Client Certificates

Follow the KMIP client configuration steps for each storage controller, as described in the topic Configure the KMIP client.

Install the Client CA

After the client has been configured, download or copy the client CA to your system. (You will need it for the next step.)

/usr/share/tacp/kmipclient/certs/client_ca.crt

Install the CA Certificate

Install the CA Certificate: Security > Device CAs & SSL Certificates > Known CAs.

Certificate Name: ca.crt.<STORAGE CONTROLLER SERIAL NUMBER> (ex: ca.crt.DDVWFB2)

Add Certificates to the Trusted CA List

  1. Add the certificates to the trusted CA list: Security > Device CAs & SSL Certificates > Trusted CA Lists.
  2. Add a new profile called ThinkAgile CP.
  3. After it has been created, select it and click the Edit button under the Trusted Certificate Authority List.
  4. Add ThinkAgile CP KMIP Server under Local Certificate Authorities.
  5. Add the Client certificate CA you just created under CA Certificates.
  6. Save and verify that both certificates appear in the list.

Configure Host Access

  1. Configure host access: Security > Users & Groups > Local Authentication.
  2. Click Add to create a new user/host with the following credentials:
    1. Username: tacp-<STORAGE CONTROLLER SERIAL NUMBER> (ex: tacp-DDVWFB2)
    2. Password: ThinkAgileCP
  3. Click Save.
Note

When authenticating clients, the server compares this user name (the Host Name field) with the Common Name field in the client certificate and allows access only if they match exactly.

Configure the KMIP Server

  1. Configure the KMIP server: Device > Key Server.
  2. Click Add under Cryptographic Key Server Settings.
    • Protocol: KMIP
    • IP: [ALL]
    • Port: 5696
    • Use SSL: Yes
    • Server Certificate: ThinkAgile CP KMIP Server-selfsign
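The CN-matching rule in the Note above and the TLS settings of the KMIP server are what a storage controller exercises on its first connection. The following script is an added example, not part of the Lenovo documentation or the ThinkAgile CP software: it opens a mutually authenticated TLS session to port 5696, pinned to the downloaded self-signed server certificate, and compares Common Names exactly the way KeySecure does. The host address and the certificate and key file paths are assumed parameters.

```python
import socket
import ssl
from typing import Dict, Optional

KMIP_PORT = 5696                              # "Port: 5696" in the KMIP server settings
SERVER_CERT_CN = "ThinkAgile CP KMIP Server"  # CN of the self-signed server certificate


def expected_client_cn(serial: str) -> str:
    """KeySecure admits a client only if the certificate CN equals the local user
    name exactly, so a controller with serial DDVWFB2 needs CN=tacp-DDVWFB2."""
    return f"tacp-{serial}"


def common_name(peercert: Dict) -> Optional[str]:
    """Pull commonName out of the dict shape returned by SSLSocket.getpeercert()."""
    for rdn in peercert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def cn_matches(peercert: Dict, expected: str) -> bool:
    """Exact, case-sensitive comparison, mirroring the server-side check."""
    return common_name(peercert) == expected


def kmip_tls_preflight(host: str, server_cert_pem: str, client_cert_pem: str,
                       client_key_pem: str, port: int = KMIP_PORT) -> Dict:
    """Open a mutually authenticated TLS session to the KMIP port and return the
    server certificate as Python parsed it. The handshake raises ssl.SSLError if
    KeySecure rejects the client certificate (for example, its CA is not in the
    trusted CA list) or presents anything other than the pinned server cert.
    Paths are assumed parameters: the downloaded server certificate and the
    controller's client certificate and private key."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False           # the self-signed cert names the server, not the appliance address
    ctx.verify_mode = ssl.CERT_REQUIRED  # the chain must still validate against the pinned server cert
    ctx.load_verify_locations(cafile=server_cert_pem)
    ctx.load_cert_chain(certfile=client_cert_pem, keyfile=client_key_pem)
    with socket.create_connection((host, port), timeout=5.0) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            peer = tls.getpeercert()
    if not cn_matches(peer, SERVER_CERT_CN):
        raise ValueError(f"unexpected server CN {common_name(peer)!r}")
    return peer


# Constructed sample in the shape getpeercert() returns, for offline checks.
SAMPLE_PEERCERT = {"subject": ((("organizationName", "Lenovo"),),
                               (("commonName", "tacp-DDVWFB2"),))}
```

Run `kmip_tls_preflight("<keysecure address>", "server.pem", "client.crt", "client.key")` from a controller to confirm the trust list, user name and server certificate line up before enabling encryption.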

Manage Passwords

To manage passwords, navigate to: Security > Managed Objects > Keys.

Each storage controller has a password ("Secret Data" in KMIP terminology) associated with it. Deleting the key removes it permanently.

Revoke Host Authorization

  1. To revoke host authorization, navigate to: Security > Users & Groups > Local Authentication.
  2. Select the button next to the user to remove and click the Delete button. This denies the host access indefinitely.