Creating a KMIP Tenant
The feature license for Multi-Tenant KMIP limits the number of KMIP tenants that can be created in KeyControl Vault. See Checking the Maximum Number of KMIP Tenants.
- Log into the KeyControl webGUI using an account with Security Admin privileges.
- In the top menu bar, click KMIP.
- Select Actions > Create a KMIP Tenant.
- On the About tab, enter the name and an optional description for the KMIP tenant.
  Note: The tenant name cannot be edited after the KMIP tenant is created.
- Click Next.
- In the Authentication tab, select the KMIP Tenant User authentication type.
  Field: Description
  Local User Authentication: Authenticates KMIP tenant users to the KeyControl KMIP Tenant GUI using a password stored in KeyControl Vault.
  Managed Authentication: Uses an external authentication service such as AD, OpenLDAP, or OIDC to authenticate users.
- Click Next.
- On the Admin tab, select the initial user account that will have administrative access to the KeyControl KMIP Tenant GUI.
- Specify your Local User Authentication or Managed Authentication details.
  - Local User Authentication: This creates a new local user exclusive to the KMIP tenant.
    Field: Description
    User Name: The login name for the KMIP tenant-managed user account.
    Full Name: The full name of the user associated with the account.
    Email: If your system is configured to send email alerts, they are sent to this email address.
    Password: Password for the user.
    Confirm Password: Confirm the password of the user.
    Password Expiration: The maximum number of days that a password can be used before it expires. When the password has expired, the user is prompted to change it the next time they log in to the KeyControl KMIP Tenant GUI.
  - Managed Authentication: Select the Directory Service that you want to use for the KMIP tenant. This can be the LDAP server already configured in KeyControl Vault, or you can provide new LDAP server information for this KMIP tenant.
    If you choose Other LDAP, complete the following:
    - Click the blue + (plus sign) in the Directory Service Domain field. Enter the following and then click Save & Close:
      Field: Description
      Domain Name: Enter the LDAP domain controller IP address or hostname.
      Domain Netbios Name: Enter the NetBIOS name or subdomain of the DNS domain.
      Domain Controllers: Enter the domain controller(s) that you want to use. You can specify one or two domain controllers.
    - Optionally, click the Show Advanced Domain settings link to enter a UID attribute.
      Tip: This is the attribute of the user or group object that is queried during a search.
- Choose whether to use a User or Group for the Admin user. This user or group is automatically assigned the Administrator role.
  You can add only one user or one group at this time. Additional administrators can be added after the KMIP tenant is created by editing the admin access policy. The initial Admin account used to create the tenant cannot be disabled; if the initial Admin user needs to be changed, replace it in the access policy with another user.
  Tip: You need the cn and DN attributes of the non-system domain for the user or group. Retrieve the following attributes from the AD or OpenLDAP administrator and make sure that they are set correctly for the KMIP tenant:
  - Active Directory: cn and distinguishedName
  - OpenLDAP: cn and dn
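As an added example (not from the KeyControl documentation), the following Python helper reads a small LDIF export and pulls out the attribute pair the tenant admin needs, cn plus distinguishedName for Active Directory or cn plus dn for OpenLDAP, and optionally checks that the DN's dc= components match the Directory Service Domain configured for the tenant. The LDIF sample, the domain corp.example, and the function names are constructed for illustration.

```python
from typing import Dict, List, Optional, Tuple

# Constructed LDIF export for illustration; not real directory data.
SAMPLE_LDIF = """\
dn: CN=kmip-admins,OU=Groups,DC=corp,DC=example
objectClass: group
cn: kmip-admins
distinguishedName: CN=kmip-admins,OU=Groups,DC=corp,DC=example

dn: cn=alice,ou=people,dc=corp,dc=example
objectClass: inetOrgPerson
cn: alice
"""

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Split a minimal LDIF export (no base64 values or continuation lines)
    into entries mapping lower-cased attribute names to their values."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():          # a blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def admin_principal(entry: Dict[str, List[str]], flavor: str,
                    expected_domain: Optional[str] = None) -> Tuple[str, str]:
    """Return the (cn, DN) pair to enter for the tenant admin user or group.
    flavor is 'ad' (cn + distinguishedName) or 'openldap' (cn + dn).
    expected_domain (assumption: the DN carries dc= components) must equal
    those components joined by '.', so the principal lives in the configured
    Directory Service Domain and not in some other domain."""
    dn_attr = {"ad": "distinguishedname", "openldap": "dn"}[flavor]
    missing = [a for a in ("cn", dn_attr) if a not in entry]
    if missing:
        raise ValueError("entry lacks required attribute(s): " + ", ".join(missing))
    cn, dn = entry["cn"][0], entry[dn_attr][0]
    if expected_domain is not None:
        dcs = [p.split("=", 1)[1] for p in dn.split(",")
               if p.strip().lower().startswith("dc=")]
        if ".".join(dcs).lower() != expected_domain.lower():
            raise ValueError(f"{dn} is not in domain {expected_domain}")
    return cn, dn
```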
- Choose the email address to use for communication.
  Ensure that you have SMTP configured in KeyControl Vault if you choose to proceed with this option. See Setting Email Server Preferences.
- Click Create.