About Multi-Tenant KMIP

You can use KMIP with multiple tenants. This allows security administrators to isolate different tenant environments from each other for security and compliance reasons. To give a tenant access to KMIP, you must create a separate KeyControl KMIP Tenant GUI for that tenant.

  • Each KMIP tenant has its own KMIP objects, client certificates, access policies, audit logs, Local User Accounts, Active Directory settings, and HSM root key label used for KEK wrapping.

  • Each KMIP tenant has access to its own KeyControl KMIP Tenant GUI. KeyControl Vault-managed user accounts and KeyControl Vault Security Administrators do not have access to the KeyControl KMIP Tenant GUI.

  • A KMIP tenant supports either Local User Authentication or Managed Authentication. If a KMIP tenant is created with Local User Authentication, the usernames and passwords of all its users are stored in KeyControl Vault and the users are managed in the KeyControl KMIP Tenant GUI. With Managed Authentication, an external authentication service such as Active Directory, OpenLDAP, or OIDC is used instead.

  • KMIP tenants can only be created by KeyControl Vault Security Administrators in the KeyControl Vault KMIP page.

  • KMIP tenants are created with the following:

    • Tenant user authentication type. It can be Local User Authentication or Managed Authentication.
    • Initial KMIP Administrator with access to the KeyControl KMIP Tenant GUI. This can be a Local User, an AD user, or an AD group. Once the KeyControl KMIP Tenant GUI is created, the KeyControl Vault Security Administrator gives the tenant URL to the initial KMIP Administrator.

  • Each KMIP object, for example a symmetric or asymmetric key, is owned by one specific KMIP tenant and cannot be viewed or accessed by any other KMIP tenant.

Note:  

  • Multi-tenant KMIP is only available for fresh KeyControl Vault 5.5 or later installations.

  • If you upgrade from a previous version, only legacy KMIP (without multi-tenancy) is available, regardless of whether you have used KMIP before. Legacy KMIP is managed from the KeyControl Vault KMIP page. For more information, see Configuring a KeyControl Vault KMIP Server when Upgrading to Version 5.5.

  • For legacy KMIP, KeyControl Vault-managed user accounts can access KMIP with the KeyControl Vault Security Administrators permission.

Why should you prefer Managed Authentication over Local User Authentication?

Tenants should use Managed Authentication with an external identity provider such as Active Directory, OpenLDAP, or OIDC rather than KMIP Tenant Local User Authentication for two reasons:

  • Security

    With Local User Authentication, KeyControl Vault Security Administrators can reset the password of the initial tenant administrator account, log in to the tenant as that account, and thereby access the tenant's KMIP data. Tenant isolation then rests on trusting every KeyControl Vault Security Administrator. With Managed Authentication, the tenant's credentials are verified by the external identity provider rather than stored in KeyControl Vault, so a password reset performed in KeyControl Vault cannot grant access to the tenant.

  • Convenience

    Using an external Active Directory account is also more convenient: tenants can grant access to groups and then simply add the individuals who require access to those groups. KeyControl-managed local accounts do not support groups, so access must be configured separately for each individual user.

License limits

The Multi-Tenant KMIP feature is a licensed entitlement in KeyControl Vault. The license sets the maximum number of tenants that can exist in KeyControl Vault at any one time. Deleting a tenant frees its slot in the entitlement for a new tenant. See Checking the Maximum Number of KMIP Tenants.