Configuring a new Multi-Tenant KMIP Server
Beginning with KeyControl Vault 5.5, all fresh 5.5 installations contain Multi-Tenant KMIP.
Any KMIP client can connect to the multi-tenant KeyControl Vault KMIP server and perform all standard KMIP operations with the following restrictions:
- The KeyControl Vault KMIP server supports KMIP versions 1.0, 1.1, 1.2, 1.3, 1.4, 2.0, 2.1, and 3.0. The KMIP server protocol version is configured automatically and set between 1.0 and 3.0, as requested by the client.
- Object count (for example, keys) is limited to 1 million KMIP objects per KeyControl Vault cluster. Beyond this limit, the KMIP server will still create and maintain the objects, but the KeyControl webGUI may not display those objects correctly.
- KMIP users and clients can be grouped into tenants, and they will have access only to KMIP objects that are part of the tenant.
Important: KeyControl Vault includes a component for creating a Root Certificate Authority (CA) that can generate digital certificates. When the first KeyControl Vault node is installed, it creates a Public CA that it also stores in the KeyControl Vault object store. For more information, see KeyControl Vault Certificates.
By default, the KMIP server uses a default certificate signed by the CA inside KeyControl Vault. This can be changed by installing a custom SSL certificate for the KMIP server. To generate a custom SSL certificate, you can use a CSR created from KeyControl Vault for the KMIP server (see Creating a Certificate Signing Request for KMIP Server) or you can use your own CSR. If you use your own CSR, you must upload a private key for that custom certificate.
For details about the standard KMIP operations and configuration settings, see the OASIS KMIP Technical Committee page or the KMIP Wikipedia page.
When a KMIP client connects to the KeyControl Vault KMIP server, the client must use the certificates associated with a KMIP server user account. The KeyControl Vault KMIP server does not support username/password login credentials. For details about downloading a user account certificate bundle, see Creating KMIP Client Certificate Bundles.
Note:
- If you are configuring a KMIP server to use with VMware vSphere encryption or VSAN encryption, see the Entrust KeyControl with VMware VSAN and vSphere VM Encryption guide.
- If you are using a KMIP server with KEK enabled, please ensure that the KEK cache timeout is enabled. Set the value to anything other than 0.
Procedure
- Log into the KeyControl webGUI using an account with Security Admin privileges.
- In the top menu bar, click KMIP.
- On the Settings tab, specify the options you want to use.
Options
State
If set to Enabled, clients can connect to this KMIP server.
Host Name
The external IP address for the KeyControl Vault node. This address cannot be changed.
Port
The server port number. The default port is 5696.
Auto-Reconnect
If set to ON, clients will automatically try to reconnect with the KMIP server if they encounter certain errors. The default is OFF.
The errors covered by auto-reconnect are defined in the OASIS KMIP standard.
Verify
If set to Yes, the KMIP client identity is verified before the server handles its request. We recommend that you do not turn this option off.
Certificate Type
This can be one of the following:
If set to Default, the KMIP server uses a default certificate.
If set to Custom, you must have a custom SSL certificate generated from KeyControl Vault or from your own CSR, and then provide the following:
- SSL Certificate—Upload the SSL certificate file in Base64-encoded PEM format. It should be able to function as a server certificate.
- CA Certificate—Upload the certificate for the CA that signed the custom SSL certificate in Base64-encoded PEM format.
- Private Key—Optionally upload the private key file in Base64-encoded PEM format. This is required if you used your own CSR rather than the CSR generated on the KMIP page.
- Password—Optionally enter the password for the custom certificate.
The KMIP certificate is replicated to all nodes in the cluster.
Important: If you have changed the certificate type from Default to Custom, or if you have changed the CA certificate, you must redownload the KMIP Client Certificate bundles and reconfigure all of your KMIP clients. For details on configuring a custom SSL certificate for the KMIP server, see Creating a Certificate Signing Request for KMIP Server.
Nbio
If set to ON, the KMIP server requires non-blocking I/O. The default is OFF.
Timeout
The length of time, in seconds, after which a client request will time out.
If the Infinite check box is checked, client requests never time out. This is the default.
To change this option, clear the Infinite check box, then click the number of seconds displayed after the check box. Enter a new value and click Save.
Log Level
The lowest level of log messages that will be saved in the audit log. The options are:
- All—Logs all requests to the KMIP server and responses from the KMIP server.
- Create-Modify—Logs object creation, object modify requests, and object delete requests and responses. This is the default.
- Create-Get—Logs object creation messages, object fetch requests, and object fetch responses.
- Create—Logs object creation request and response messages.
- Get—Logs object fetch and object locate requests and responses.
- Off—No log messages are stored in the audit log.
Restrict TLS
If set to Enabled, all clients must connect to this KMIP server using TLS 1.2.
SSL/TLS Ciphers
Enter the ciphers that you want the KMIP server to use, as a comma-separated list.
- When you are finished, click Apply.
- At the prompt, click Proceed to confirm the configuration. If this server was already enabled, KeyControl Vault restarts it and refreshes its object list.
What to Do Next
Create a new KMIP tenant and one or more certificate bundles that clients can use to connect to the KMIP server. For details, see Creating a KMIP Tenant and Managing KMIP Tenant Client Certificates.