Integrate Entrust KeyControl with HPE StoreOnce

Follow these steps to register Entrust KeyControl as a KMS in HPE Alletra 5000.

Follow these steps to install and configure KeyControl.

Create the HPE Alletra certificate request

  1. Log into the Alletra 5030 webGUI using an account with Security Admin privileges.

  2. Select Administration in the toolbar.

  3. Select the Security tab and then SSL Certificates from the left-hand menu.

  4. Select the + icon to add a certificate.

  5. Select Generate a certificate signing request (CSR) from the Select an action drop-down list.

  6. Enter the Name and other required information. You can leave all the other values as the defaults.

  7. Select GENERATE.

  8. Select Copy PEM in the Confirmation dialog.

  9. Using a text editor, create a file with the .csr extension that contains the copied certificate request. If you are using Notepad as your text editor, you might need to rename the file using the Windows CLI to get the correct file type extension.


Create the client certificate bundle

  1. Sign in to the KMIP Vault with the URL and credentials from Create a KMIP Vault in the Entrust KeyControl.

  2. Select Security, then Client Certificates.


  3. In the Manage Client Certificate page, select the + icon on the right to create a new certificate. The Create Client Certificate dialog box appears.

  4. In the Create Client Certificate dialog box:

    1. Check Add Authentication for Certificate.

    2. Enter the User Name on Certificate.

    3. Enter the User Password on Certificate.

    4. Enter the Certificate Expiration.

    5. Upload the certificate request created in Create the HPE Alletra certificate request.

    6. Select Create.


    The new certificates are added to the Manage Client Certificate pane.


  5. Select the certificate and select the Download icon to download the certificate.

  6. Unzip the downloaded file. It contains the following:

    • A certname.pem file that includes both the client certificate and private key. In this example, this file is called HPEAlletra5030User.pem.

      The client certificate section of the certname.pem file includes the lines -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- and all text between them.

      The private key section of the certname.pem file includes the lines -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- and all text in between them.

    • A cacert.pem file which is the root certificate for the KMS cluster. It is always named cacert.pem.


For additional information, see Managing KMIP Tenant Client Certificates.
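
As an added example (not part of the Entrust or HPE documentation), this Python sketch checks that the .csr file and the unzipped bundle have the PEM layout described in step 6 before anything is uploaded or pasted. The function names are hypothetical and the sample blocks are constructed placeholders, not real certificates or keys.

```python
import base64
import re

# PEM block as described in step 6: BEGIN line, base64 body, matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)

def split_pem(text):
    """Return a list of (label, der_bytes) for every PEM block in text."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        # Strip line breaks (LF or CRLF from Notepad) and reject non-base64 text.
        der = base64.b64decode("".join(body.split()), validate=True)
        # Certificates, CSRs and PKCS#8 keys are all DER SEQUENCEs (tag 0x30).
        if not der.startswith(b"\x30"):
            raise ValueError(f"{label}: payload is not a DER SEQUENCE")
        blocks.append((label, der))
    return blocks

def check_layout(text, expected):
    """Raise ValueError unless text holds exactly the expected block labels."""
    found = sorted(label for label, _ in split_pem(text))
    if found != sorted(expected):
        raise ValueError(f"expected {sorted(expected)}, found {found}")
    return found

def fake_block(label, fill):
    """Constructed placeholder block (not a real certificate or key)."""
    body = base64.encodebytes(b"\x30\x82\x01\x00" + bytes([fill]) * 60).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"

# Constructed stand-ins for the .csr file, certname.pem and cacert.pem.
SAMPLE_CSR = fake_block("CERTIFICATE REQUEST", 1)
SAMPLE_BUNDLE = fake_block("CERTIFICATE", 2) + fake_block("PRIVATE KEY", 3)
SAMPLE_CA = fake_block("CERTIFICATE", 4)

if __name__ == "__main__":
    print(check_layout(SAMPLE_CSR, ["CERTIFICATE REQUEST"]))
    print(check_layout(SAMPLE_BUNDLE, ["CERTIFICATE", "PRIVATE KEY"]))
    print(check_layout(SAMPLE_CA, ["CERTIFICATE"]))
```

The check is structural only: it does not verify signatures or that the client certificate chains to cacert.pem.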

Import tenant client certificate into Alletra

To import the tenant client certificate into Alletra:

  1. Log into the Alletra 5030 webGUI using an account with Security Admin privileges.

  2. Select Administration in the toolbar. Then select Security > SSL Certificates.

  3. Select the + icon to add a certificate.

  4. Select Input a CA signed certificate in the Select an action drop-down text box.

  5. Paste the content of the extracted cacert.pem file from Create the client certificate bundle in the Paste the CA Certificate Chain in PEM format text box.

  6. Paste the content of the extracted HPEAlletra5030User.pem file from Create the client certificate bundle in the Paste the Signed Certificate in PEM format text box. Then select Save.


    The custom and custom-ca certificates are added.


Register the Entrust KeyControl KMS

To register the Entrust KeyControl KMS:

  1. Log into the Alletra 5030 webGUI using an account with Security Admin privileges.

  2. Select Administration in the toolbar. Then select Security > Encryption.

  3. Select the External Key Manager radio button. Then select Add Key Manager.

  4. Enter the Name, Description, KeyControl cluster Hostname, and the credentials for certificate authentication from Create the client certificate bundle. Then select Save.

    Notice the DNS entry created in Create DNS record for Entrust KeyControl cluster in the Hostname or IP Address text box.

    The external key manager is added.
