Configuring a KMIP Server

Once you have your Cryptographic Security Platform Vault cluster configured, you need to enable the included KMIP server. This server becomes the vSphere KMS (Key Management Server) when you establish a trusted connection between vSphere and Cryptographic Security Platform Vault.

If you have already enabled the KMIP server in the cluster, make sure the configuration settings match the ones given below.

For details about the Entrust KMIP server implementation and how to manage KMIP server objects, or how to configure KMIP with a Hardware Security Module (HSM), see KMIP Server Configuration or Hardware Security Modules with Cryptographic Security Platform Vault.

Important: Make sure that all Cryptographic Security Platform Vault nodes reside on devices that are not encrypted. Cryptographic Security Platform Vault has its own internal encryption, and it must be available to provide the keys for the encrypted devices before the encrypted devices can be accessed.

  1. Log into the Cryptographic Security Platform Vault Management webGUI.
  2. Select the Settings icon at the top right of the vault page.
  3. On the KMIP Vault Settings page, complete the following:

    State

      If set to Enabled, clients can connect to this KMIP server.

    Port

      The server port number. The default port is 5696.

    Verify

      If set to Yes, the KMIP client identity is verified before the server handles its request. We recommend that you do not turn this option off.

    Log Level

      The lowest level of log messages that will be saved in the audit log. The options are:

      • All—Logs all requests to the KMIP server and responses from the KMIP server.
      • Create-Modify—Logs object creation, object modify requests, and object delete requests and responses. This is the default.
      • Create-Get—Logs object creation messages, object fetch requests, and object fetch responses.
      • Create—Logs object creation request and response messages.
      • Get—Logs object fetch and object locate requests and responses.
      • Off—No log messages are stored in the audit log.

    TLS

      Choose which version of TLS you want to support. If set to TLS 1.3, all clients must connect to this KMIP server using TLS 1.3. By default, both TLS 1.2 and TLS 1.3 are supported.

    Timeout

      The length of time, in minutes, after which a client request will time out. If No is selected, client requests never time out. This is the default.

      To change this option, select Yes and select the number of minutes before the request times out. This can be from 1 to 60 minutes.

    KMIP Locate Operation: Maximum Items Default

      Choose the maximum number of items to be returned from the KMIP server Locate operation.

      Note: The KMIP client allows you to set an offset items value (the record number the return starts with) and a maximum items value (how many items are returned) when you run the KMIP Locate operation. If you set 1000 as the default value in the Cryptographic Security Platform Vault for KMIP, then the maximum items value will be ignored, and the server will return items starting with the offset number until the limit of 1000 items is reached.

      The maximum number of items can be one of the following:

      • The default value (1000 items).
      • The value set to the maximum items value from the KMIP client.

      For more information on the KMIP Locate command, see https://docs.oasis-open.org/kmip/kmip-spec/v2.0/os/kmip-spec-v2.0-os.html#_Toc6497553.

    SSL/TLS Ciphers

      Enter a comma-separated list of the SSL ciphers that you want the KMIP server to use.

    Certificate Types

      This can be one of the following:

      If set to Default, the KMIP server uses a default certificate.

      If set to Custom, you must have a custom SSL certificate generated from Cryptographic Security Platform Vault or from your own CSR, and then provide the following:

      • SSL Certificate—Upload the SSL certificate file in Base64-encoded PEM format. It must be able to function as a server certificate.
      • CA Certificate—Upload the certificate for the CA that signed the custom SSL certificate in Base64-encoded PEM format.

        If you want to use the CA certificate to verify the KMIP client certificate, select Yes. The default is No.

      • Private Key—Optionally upload the private key file in Base64-encoded PEM format. This is required if you used your own CSR and not the CSR generated on the KMIP page.
      • Password—Optionally enter the password for the custom certificate.

  4. Click Apply and confirm your changes when prompted.
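The following is an added example and not Entrust's or VMware's code. It mirrors the settings from the procedure above in a small Python helper so that an administrator can review a planned configuration for weak values (Verify off, audit logging off, an out-of-range Timeout) and build the client-side TLS context a KMIP client needs to reach the server, then optionally perform a handshake to confirm the negotiated TLS version and cipher before vSphere is pointed at it. The class and function names (KmipVaultSettings, review_settings, build_client_context, probe_server) are mine, as is the assumption that the page's comma-separated cipher field maps onto OpenSSL's colon-separated cipher string.

```python
import ssl
import socket
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Values taken from the KMIP Vault Settings page above.
DEFAULT_KMIP_PORT = 5696
TLS_13_ONLY = "TLS 1.3"
TLS_12_AND_13 = "TLS 1.2 and TLS 1.3"   # the page's default


@dataclass
class KmipVaultSettings:
    """Hypothetical mirror of the KMIP Vault Settings page; field names are mine."""
    state: str = "Enabled"
    port: int = DEFAULT_KMIP_PORT
    verify: str = "Yes"                    # client identity checked before requests are served
    log_level: str = "Create-Modify"       # page default
    tls: str = TLS_12_AND_13
    timeout_minutes: Optional[int] = None  # None means Timeout is set to No (page default)
    locate_max_items: int = 1000           # page default
    certificate_type: str = "Default"


def review_settings(s: KmipVaultSettings) -> List[str]:
    """Return findings for values that weaken the server or will break clients."""
    findings = []
    if s.state != "Enabled":
        findings.append("State is not Enabled: clients cannot connect to this KMIP server")
    if not 1 <= s.port <= 65535:
        findings.append(f"Port {s.port} is not a valid TCP port (default is {DEFAULT_KMIP_PORT})")
    if s.verify != "Yes":
        findings.append("Verify is off: KMIP client identity is not checked before requests are served")
    if s.log_level == "Off":
        findings.append("Log Level is Off: key operations leave no trace in the audit log")
    if s.tls not in (TLS_13_ONLY, TLS_12_AND_13):
        findings.append(f"Unknown TLS setting {s.tls!r}")
    if s.timeout_minutes is not None and not 1 <= s.timeout_minutes <= 60:
        findings.append("Timeout must be between 1 and 60 minutes when set to Yes")
    if s.locate_max_items < 1:
        findings.append("Locate maximum items must be a positive number")
    return findings


def build_client_context(tls_setting: str,
                         cafile: Optional[str] = None,
                         certfile: Optional[str] = None,
                         keyfile: Optional[str] = None,
                         ciphers: Optional[str] = None) -> ssl.SSLContext:
    """Build the TLS context a KMIP client needs to talk to the configured server.

    cafile   - CA certificate that signed the server's (custom) SSL certificate
    certfile - client certificate presented when the server's Verify option is Yes
    ciphers  - the same comma-separated list entered under SSL/TLS Ciphers
    """
    # create_default_context() already requires and verifies the server certificate.
    ctx = ssl.create_default_context(cafile=cafile)
    if tls_setting == TLS_13_ONLY:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    else:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    if ciphers:
        # Assumption: the page's comma-separated field maps onto OpenSSL's ':'-separated string.
        ctx.set_ciphers(":".join(c.strip() for c in ciphers.split(",") if c.strip()))
    return ctx


def probe_server(host: str, port: int, ctx: ssl.SSLContext,
                 timeout: float = 5.0) -> Tuple[str, str]:
    """Handshake with the KMIP port and return (protocol version, cipher name).
    This makes a network connection and is not exercised by the offline checks."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    planned = KmipVaultSettings(verify="No", log_level="Off")
    for finding in review_settings(planned):
        print("finding:", finding)
    # Example call against a vault node (placeholder hostname):
    # print(probe_server("vault.example.invalid", DEFAULT_KMIP_PORT,
    #                    build_client_context(TLS_13_ONLY, cafile="ca.pem",
    #                                         certfile="client.pem", keyfile="client.key")))
```

When the server is set to TLS 1.3 only, a client whose context still caps at TLS 1.2 fails the handshake rather than connecting; running probe_server with the same TLS setting the server uses confirms the negotiated version and cipher match what was entered on the settings page.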

What to Do Next 

Create the KMS cluster in vSphere as described in Adding a KMS Cluster in vSphere.