Configuring a KeyControl KMIP Server
Any KMIP client can connect to the KeyControl KMIP server and perform all standard KMIP operations with the following restrictions:
- Object count (for example, keys) is limited to 35,000. After this limit, the KMIP server still creates and maintains the objects, but the KeyControl webGUI may not display them correctly.
- Users cannot be partitioned, so all KMIP users have access to all KMIP objects.
For details about the standard KMIP operations and configuration settings, see the OASIS KMIP Technical Committee page or the KMIP wiki page.
When a KMIP client connects to the KeyControl KMIP server, the client must use the certificates associated with a KMIP server user account. The KeyControl KMIP server does not support username/password login credentials. For details about downloading a user account certificate bundle, see Creating KMIP Client Certificate Bundles.
Note: If you are configuring a KMIP server to use with VMware vSphere encryption or VSAN encryption, see
Procedure
- Log into the KeyControl webGUI on any node in the cluster using an account with Security Admin privileges.
- In the top menu bar, click KMIP.
- On the Basic tab, set the State field to Enabled.
- Set the rest of the options you want to use.
Options

| Option | Description |
| --- | --- |
| Port | The server port number. The default port is 5696. |
| Auto-Reconnect | If set to ON, clients will automatically try to reconnect to the KMIP server if they encounter certain errors. The default is OFF. The errors covered by auto-reconnect are defined in the OASIS KMIP standard. |
| Verify | If set to Yes, the KMIP client identity is verified before the server handles its request. We recommend that you do not turn this option off. |
| Protocol | The minimum version of the KMIP protocol this server will use. |
| Nbio | If set to ON, the KMIP server requires non-blocking I/O. The default is OFF. |
| Timeout | The length of time, in seconds, after which a client request will time out. If the Infinite check box is checked, client requests never time out. This is the default. To change this option, clear the Infinite check box, then click the number of seconds displayed after the check box. Enter a new value and click Save. |
| Log Level | The lowest level of log messages that will be saved in the audit log. The options are: All (logs all requests to the KMIP server and responses from the KMIP server); Create-Get (logs object creation messages, object fetch requests, and object fetch responses; this is the default); Off (no log messages are stored in the audit log). |
- When you are finished, click Apply.
- At the prompt, click Proceed to confirm the configuration. If this server was already enabled, KeyControl restarts it and refreshes its object list.
What to Do Next
Create one or more certificate bundles that clients can use to connect to the KMIP server. For details, see Creating KMIP Client Certificate Bundles.