Integrate KeyControl with StoreEver

Obtain the CA certificate

The Entrust KeyControl KMIP server can accept a certificate from your local root CA or a trusted CA, or it can act as a local root CA itself. For the purpose of this integration, the Entrust KeyControl KMIP server acts as the local root CA. Execute the following steps to obtain the local root CA certificate for the Entrust KeyControl KMIP server.

  1. Sign in to the KMIP Vault with the URL and credentials from Create a KMIP Vault in the Entrust KeyControl.

  2. Go to the Vault Management window by selecting SWITCH TO Manage Vaults / SWITCH TO Appliance Management in the top right corner of the window.

  3. Select the ? icon in the top right corner of the window, then select Download CA certificate.

  4. Save the certificate for later use. Example filename: 240614140352_cacert.pem.

Configure the KMIP server

  1. Log into the StoreEver webGUI using an account with Security Admin privileges.

  2. Select the Configuration box.

  3. Expand the Encryption menu in the right toolbar, then select KMIP Wizard.

  4. Select Clear All Wizard Settings to remove any prior configuration.

  5. Select Next twice.

  6. In the Certificate Authority Certificate Entry window, copy-paste the certificate from section Obtain the CA certificate into the Certificate Authority (CA): text box, then select Next.

  7. Select Next twice.

  8. In the KMIP Client Configuration Window, check Enable KMIP Certificate-only authentication, then select Next.

  9. In the Certificate Generation window, select the Generate New Certificate radio button.

  10. When the certificate request has been generated, copy the certificate request to a file, for example, hpe-storeever-3040.csr, then select Next.

  11. Pause configuring the KMIP server. You will continue further down.

Create the client certificate bundle

  1. Sign in to the KMIP Vault with the URL and credentials from section Create a KMIP Vault in the Entrust KeyControl.

  2. Select Security, then Client Certificates.

  3. In the Manage Client Certificate page, select the + icon on the right to create a new certificate. The Create Client Certificate dialog box appears.

  4. In the Create Client Certificate dialog box:

    1. Enter the Certificate Name.

    2. Select the Certificate Expiration.

    3. Upload the certificate request created in section Configure the KMIP server.

    4. Select Create.

    The new certificates are added to the Manage Client Certificate pane.

  5. Select the certificate and select the Download icon to download the certificate.

  6. Unzip the downloaded file. It contains the following:

    • A certname.pem file that includes both the client certificate and private key. In this example, this file is called HPEStoreEver3040.pem.

      The client certificate section of the certname.pem file includes the lines -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- and all text between them.

      The private key section of the certname.pem file includes the lines -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- and all text in between them.

    • A cacert.pem file which is the root certificate for the KMS cluster. It is always named cacert.pem.

For additional information, see Managing KMIP Objects in the KeyControl KMIP Vault webGUI.
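
An added example (not part of the Entrust guide or of either product): a standard-library Python helper that splits a certname.pem bundle into the PEM sections described above and returns only the certificate section with its SHA-256 fingerprint, leaving the private key section out of whatever gets copied. The function names and the sample bundle are constructed for illustration.

```python
import base64
import hashlib
import re

# One PEM block; the END label must repeat the BEGIN label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

def split_pem(text):
    """Return [(label, pem_text, decoded_bytes)] for every PEM block in text."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        body = "".join(m.group(2).split())
        # validate=True rejects anything that is not base64 (stray debris)
        blocks.append((m.group(1), m.group(0) + "\n",
                       base64.b64decode(body, validate=True)))
    return blocks

def has_private_key(bundle_text):
    """True if the text carries key material (PRIVATE KEY, RSA PRIVATE KEY, ...)."""
    return any(label.endswith("PRIVATE KEY") for label, _, _ in split_pem(bundle_text))

def certificate_for_wizard(bundle_text):
    """Return (pem, sha256_hex) of the single CERTIFICATE block in the bundle.

    Only the certificate section is returned; the private key section is not.
    """
    certs = [b for b in split_pem(bundle_text) if b[0] == "CERTIFICATE"]
    if len(certs) != 1:
        raise ValueError(f"expected one CERTIFICATE block, found {len(certs)}")
    _, pem, der = certs[0]
    return pem, hashlib.sha256(der).hexdigest()

def constructed_block(label, payload):
    """Build a PEM-shaped block from placeholder bytes (sample data only)."""
    b64 = base64.b64encode(payload).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n"

# Constructed stand-in for certname.pem: not a real certificate or key.
SAMPLE_BUNDLE = (constructed_block("CERTIFICATE", b"constructed-cert" * 8)
                 + constructed_block("PRIVATE KEY", b"constructed-key" * 8))

if __name__ == "__main__":
    pem, fingerprint = certificate_for_wizard(SAMPLE_BUNDLE)
    print(pem + "SHA-256: " + fingerprint)
    print("bundle contains a private key:", has_private_key(SAMPLE_BUNDLE))
```

To run it on the real bundle, pass the text of the unzipped file (HPEStoreEver3040.pem in this example) to certificate_for_wizard instead of SAMPLE_BUNDLE.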

Import tenant client certificate into the StoreEver Tape Library

This resumes section Configure the KMIP server.

  1. In the Certificate Generation window, select the Keep Current Certificate radio button this time.

  2. In the Signed Library Certificate, paste the certificate created in section Create the client certificate bundle, then select Next.

    File HPEStoreEver3040.pem contains the certificate.

  3. In the KMIP Server Configuration window, enter the IP addresses of the Entrust KeyControl KMIP server nodes. Select Connectivity Check to test connectivity to the nodes; the check should report OK. Then select Next.

  4. In the Setup Summary window, select Finish, then select Exit.

Set the default encryption mode

  1. Log into the StoreEver webGUI using an account with Security Admin privileges.

  2. In the Set Default Encryption for new Partitions section, select KMIP (Licensed) from the pull-down menu.

  3. Select Apply to all existing partitions. Notice the change in Set Encryption Mode per Partitions.

  4. Select Submit.