QUANTUM SCALAR I6000 & SAFENET KEYSECURE QUICK START GUIDE 20
The available fields are:
- Password Authentication - determines whether you require users to provide a username and password to access the key server when using KMIP. There are two options:
  • Optional - (default) no password authentication is required; global sessions are allowed; unauthenticated users can create global keys; all users can access global keys; only authenticated users can create and access non-global keys.
  • Required - password authentication is required; global sessions are not allowed; only non-global keys can be created; authenticated users can access global and non-global keys.
- Client Certificate Authentication - You must enable this feature to comply with the KMIP standard. There are two options:
  • Used for SSL session only - clients must provide a certificate signed by a CA trusted by the KeySecure in order to establish an SSL connection. When you select this option, you must also select a Trusted CA List Profile.
  • Used for SSL session and username - clients must provide a certificate signed by a CA trusted by the KeySecure in order to establish an SSL connection; additionally, a username is derived from the client certificate. That username is the sole means of authentication if password authentication is optional and the client does not provide a username and password. If the client does provide a username, the key server compares the username derived from the certificate against the username in the authentication request. If the usernames match and the password is valid, the user is authenticated. If the usernames are not the same, the connection is closed immediately. When you select this option, you must also select a Trusted CA List Profile, and you must choose the field from which the username is derived.
- Trusted CA List Profile - select a profile to use to verify that client certificates are signed by a CA trusted by the KeySecure. This field is only used if you select Used for SSL session only or Used for SSL session and username above. As delivered, the default Trusted CA List profile contains no CAs. You must either add CAs to the default profile or create a new profile and populate it with at least one trusted CA before the key server can authenticate client certificates.
- Username Field in Client Certificate - specify the field from which to derive the username. This field is only used if you select Used for SSL session and username above. The username can come from the UID (user ID), CN (Common Name), SN (Surname), E (Email address), E_ND (Email without domain), or OU (Organizational Unit) field.
  If you select E_ND, the key server matches against the data to the left of the @ symbol in the email address in the certificate request. For example, if the certificate request contains the email address User1@company.com, then the key server matches against User1.
- Require Client Certificate to Contain Source IP - determines whether the key server expects the client certificate presented by the client application to carry an IP address in the subjectAltName field. The key server obtains the IP address from the subjectAltName and compares it with the source IP address of the client application; if the two IP addresses match, the key server authenticates the user. If the two IP addresses do not match, the key server closes the connection with the client.
The KeySecure is now ready to manage keys and can handle requests that come through the KMIP Interface.
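The authentication rules listed above, modelled as an added example so the interaction between the four settings can be checked against concrete inputs. This is not SafeNet or Quantum code: the client certificate is represented as a constructed dict of subject fields plus a list of subjectAltName IPs rather than a parsed X.509 object, and `DEMO_CREDENTIALS` is a hypothetical stand-in for the key server's user database. The field names (UID, CN, SN, E, E_ND, OU) and the order of checks follow the guide; the `cert_mode` values `"ssl_only"` and `"ssl_and_username"` are labels chosen for this example.

```python
import hmac
from dataclasses import dataclass, field

# Fields the guide lists as valid sources for the certificate-derived username.
USERNAME_FIELDS = ("UID", "CN", "SN", "E", "E_ND", "OU")

# Constructed demo credential store (hypothetical; stands in for the key server's user database).
DEMO_CREDENTIALS = {"User1": "correct-horse-battery"}


@dataclass
class ClientCert:
    """Minimal stand-in for a parsed client certificate (constructed, not real X.509)."""
    subject: dict                                 # subject fields, e.g. {"CN": ..., "E": ...}
    san_ips: list = field(default_factory=list)   # IP addresses from subjectAltName
    trusted: bool = True                          # chains to a CA in the Trusted CA List Profile


@dataclass
class ServerConfig:
    """The settings described on this page."""
    password_required: bool = False   # Password Authentication: Optional (default) or Required
    cert_mode: str = "ssl_only"       # "ssl_only" or "ssl_and_username" (labels chosen here)
    username_field: str = "CN"        # Username Field in Client Certificate
    require_source_ip: bool = False   # Require Client Certificate to Contain Source IP


def username_from_cert(cert: ClientCert, field_name: str):
    """Derive the username from the configured certificate field (None if absent)."""
    if field_name not in USERNAME_FIELDS:
        raise ValueError(f"unsupported username field: {field_name}")
    if field_name == "E_ND":
        # E_ND: the data to the left of the @ symbol in the email address.
        email = cert.subject.get("E")
        return email.split("@", 1)[0] if email and "@" in email else None
    return cert.subject.get(field_name)


def check_password(username, password) -> bool:
    """Constant-time comparison against the constructed demo store."""
    expected = DEMO_CREDENTIALS.get(username)
    if expected is None or password is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


def authenticate(cfg: ServerConfig, cert: ClientCert, source_ip, username=None, password=None):
    """Return (accepted, reason), applying the guide's rules in order."""
    # 1. Both certificate modes require a certificate signed by a trusted CA for the SSL session.
    if not cert.trusted:
        return False, "certificate not signed by a CA in the Trusted CA List Profile"
    # 2. Optional subjectAltName IP versus source IP check; mismatch closes the connection.
    if cfg.require_source_ip and source_ip not in cert.san_ips:
        return False, "subjectAltName IP does not match source IP; connection closed"
    # 3. Certificate-derived username, when enabled.
    if cfg.cert_mode == "ssl_and_username":
        derived = username_from_cert(cert, cfg.username_field)
        if derived is None:
            return False, f"certificate has no {cfg.username_field} value to derive a username from"
        if username is None:
            # Certificate username is the sole means of authentication only when
            # password authentication is Optional.
            if cfg.password_required:
                return False, "password authentication required; certificate username alone not accepted"
            return True, f"authenticated as {derived} via certificate username"
        if username != derived:
            return False, "username in request differs from certificate username; connection closed"
        if check_password(username, password):
            return True, f"authenticated as {username}"
        return False, "invalid password"
    # 4. SSL-only mode: no username is derived; the request's credentials decide.
    if username is None:
        if cfg.password_required:
            return False, "password authentication required; global session not allowed"
        return True, "unauthenticated global session"
    if check_password(username, password):
        return True, f"authenticated as {username}"
    return False, "invalid password"


if __name__ == "__main__":
    # Constructed sample certificate matching the guide's User1@company.com example.
    cert = ClientCert(subject={"CN": "User1", "E": "User1@company.com"}, san_ips=["10.0.0.5"])
    cfg = ServerConfig(cert_mode="ssl_and_username", username_field="E_ND")
    print(authenticate(cfg, cert, "10.0.0.5"))
    print(authenticate(cfg, cert, "10.0.0.5", "User2", "anything"))
```

Running the block with the E_ND field shows the two outcomes the guide describes for that mode: a request with no credentials is accepted as `User1` on the strength of the certificate, while a request whose username does not match the certificate-derived one is refused regardless of password.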