Skip to content

Create a new Common KeyStore machine

Creating a new machine is the initial step in enabling TLS Protect Cloud to connect directly to application keystores for certificate management. Once you have created machines, you can move on to provisioning certificates to those machines.

Before you begin

  • SSH Protocol

    • IP Address or hostname
    • Port
    • Credentials. Choose between user credentials or shared credentials.
      • User credentials: The account you use must have admin permission.
      • Shared credentials: Optionally, you can use shared credentials from your credential provider (CyberArk is the only credential provider currently supported by TLS Protect Cloud). To use this option, first set up the connection to CyberArk.

  • Windows remote management

    • IP address or hostname
    • Windows Remote Management (WinRM) port
    • Domain name (Kerberos authentication only)
    • Key distribution center address or hostname (Kerberos authentication only)
    • Service Principal Name (Kerberos authentication only)
    • Credentials: Choose between user credentials or shared credentials.
      • User credentials: The account you use must have admin permission.
      • Shared credentials: Optionally, you can use shared credentials from your credential provider (CyberArk is the only credential provider currently supported by TLS Protect Cloud). To use this option, first set up the connection to CyberArk.

  • Supported Windows versions

    • Windows Server 2019 and 2022
  • Supported Linux versions
    • Ubuntu 18.04 LTS (or later), Red Hat Enterprise Linux 7.9, and Oracle Linux 8 (or later)

From the Protocol drop-down, select either SSH or Windows Remote Management.

  1. From the Authentication Type drop-down, select either password or private key.
  2. Enter the IP Address/Hostname and Port number.

  3. (Optional) From the Credential Type drop-down, select either Enter Credentials or Select Credentials. Only users with the enabled "CyberArk shared credential" capability will see this option.

    Important

    Your view of credentials may be limited due to your role. System Administrators and PKI Administrators should be able to select any credential, but users with the Resource Owner role are limited to only using the credentials associated with their teams.

    Note

    • Enter Credentials - Is used to enter your admin credentials manually.
    • Select Credentials - Is used to select your shared credentials from CyberArk.
    • If you choose Enter Credentials, enter your Common KeyStore admin credentials in the Username and Password fields.
    • If choose Select Credentials. From the Credential drop-down, select your shared credentials.

  4. Enter your Common KeyStore admin credentials in the Username and Password fields.

  5. Click Test Access, and then click Create. Note that Create is only enabled if the Test Access is successful.

From the Authentication Type, select either Basic Authentication or Kerberos Authentication, the follow the steps below.

Basic Authentication

  1. Enter the IP Address/Hostname and the Port.

  2. Enable Use TLS for WinRM to secure the username and password when TLS Protect Cloud communicates with the IIS server.

    Warning

    Disabling this option will send the username and password in plaintext over the network.

  3. (Optional) From the Credential Type drop-down, select either Enter Credentials or Select Credentials. Only users with the enabled "CyberArk shared credential" capability will see this option.

    Important

    Your view of credentials may be limited due to your role. System Administrators and PKI Administrators should be able to select any credential, but users with the Resource Owner role are limited to only using the credentials associated with their teams.

    Note

    • Enter Credentials - Is used to enter your admin credentials manually.
    • Select Credentials - Is used to select your shared credentials from CyberArk.
    • If you choose Enter Credentials, enter your Common KeyStore admin credentials in the Username and Password fields.
    • If choose Select Credentials. From the Credential drop-down, select your shared credentials.

  4. Enter your Common KeyStore admin credentials in the Username and Password fields.

  5. Click Test Access, the click Create. Note that Create is only enabled if the Test Access is successful.

Kerberos Authentication

  1. Enter the IP Address/Hostname and the WinRM Port.

  2. Enable Use TLS for WinRM if you want TLS to be used when TLS Protect Cloud communicates with the IIS server.

    Tip

    Since kerberos already has built-in encryption, this option isn't necessary to secure data sent over the network.

  3. Enter the Domain Name, Key Distribution Center Address/Hostname, and Service Principal Name. You can get these from your Active Directory administrator.

  4. (Optional) From the Credential Type drop-down, select either Enter Credentials or Select Credentials. Only users with the enabled "CyberArk shared credential" capability will see this option.

    Important

    Your view of credentials may be limited due to your role. System Administrators and PKI Administrators should be able to select any credential, but users with the Resource Owner role are limited to only using the credentials associated with their teams.

    Note

    • Enter Credentials - Is used to enter your admin credentials manually.
    • Select Credentials - Is used to select your shared credentials from CyberArk.
    • If you choose Enter Credentials, enter your Common KeyStore admin credentials in the Username and Password fields.
    • If choose Select Credentials. From the Credential drop-down, select your shared credentials.

  5. Enter your Common KeyStore admin credentials in the Username and Password fields.

  6. Click Test Access, then click Create. Note that Create is only enabled if the Test Access is successful.

What's next?

Now that you have one or more machines created, you can provision certificates to those machines.