Creating KMIP Server User Accounts

Each client that you want to connect to the KeyControl KMIP server must have a user certificate, a user key, and a server certificate. To obtain this information, create a user account for the client and download the certificate bundle.

We recommend that you create a separate user account for each client for tracking purposes, but that is not required. Because all KMIP users can see all KMIP objects, you could use the same account for all clients.

Note:

If you are creating a KMIP user account to use with VMware vSphere Encryption, see Creating a User for VMware Encryption.

Log into the KeyControl webGUI on any node in the cluster using an account with Security Admin privileges.
In the top menu bar, click KMIP.
On the Basic tab, make sure that the state is set to Enabled. The server must be enabled before you can add user accounts.
Click the Users tab.
Select Actions > Create User.

In the Create a New User dialog box, specify the options you want to use.

Options

Field	Description
Username	The username associated with this account. If you are going to create multiple KMIP accounts, this name should be descriptive enough that you can tell the KMIP clients apart. The username can contain only alphanumeric characters and it must start with a letter. You cannot include any special characters or spaces. The username cannot be changed after the account is created.
Cert Expiration	The date on which the certificate will expire. If the certificate expires, communication between the KeyControl KMIP server and the client will be disrupted until a new certificate is uploaded to the client.
Password/Confirm Password	An optional password associated with this user account. Whether the account needs a password depends on the way your security is configured and the type of implementation you are using. In most cases, the user certificate/key and server certificate files should be sufficient security. In other cases, such as the KeyControl integration with VMware vSphere Encryption, you cannot specify a user password due to limitations with vSphere.

Field

Description

Username

The username associated with this account. If you are going to create multiple KMIP accounts, this name should be descriptive enough that you can tell the KMIP clients apart.

The username can contain only alphanumeric characters and it must start with a letter. You cannot include any special characters or spaces. The username cannot be changed after the account is created.

Cert Expiration

The date on which the certificate will expire. If the certificate expires, communication between the KeyControl KMIP server and the client will be disrupted until a new certificate is uploaded to the client.

Password/Confirm Password

An optional password associated with this user account.

Whether the account needs a password depends on the way your security is configured and the type of implementation you are using. In most cases, the user certificate/key and server certificate files should be sufficient security.

In other cases, such as the KeyControl integration with VMware vSphere Encryption, you cannot specify a user password due to limitations with vSphere.

Select the user you just created.
Select Actions > Download Certificate. The webGUI downloads <username_datetimestamp>.zip, which contains a user certification/key file called <username>.pem and a server certification file called cacert.pem.
Upload the certificates on the KMIP client. You can now use standard API calls to interact with the KMIP server.

HyTrust DataControl v 4.1