Configuring a KeyControl KMIP Server
Any KMIP client can connect to the KeyControl KMIP server and perform all standard KMIP operations, with the following restrictions:
- Object count (for example, keys) is limited to 35,000. Beyond this limit the KMIP server still creates and maintains objects, but the KeyControl webGUI may not display them correctly.
- Users cannot be partitioned, so every KMIP user has access to every KMIP object. Any client certificate bundle you issue therefore grants access to all keys on the server.
Important: KeyControl includes a component for creating a Root Certificate Authority (CA) that can generate digital certificates. When the first KeyControl node is installed, it creates a Public CA that it also stores in the KeyControl object store. For more information, see KeyControl Certificates.
By default, the KMIP server presents a certificate signed by the CA inside KeyControl. You can replace it by installing a custom SSL certificate for the KMIP server. To obtain a custom SSL certificate, you can use a CSR created from KeyControl for the KMIP server (see Creating a Certificate Signing Request for KMIP Server) or you can use your own CSR. If you use your own CSR, you must also upload the private key for that custom certificate, because KeyControl does not hold it.
For details about the standard KMIP operations and configuration settings, see the OASIS KMIP Technical Committee page or the KMIP wiki page.
When a KMIP client connects to the KeyControl KMIP server, the client must use the certificates associated with a KMIP server user account. The KeyControl KMIP server does not support username/password login credentials. For details about downloading a user account certificate bundle, see Creating KMIP Client Certificate Bundles.
Note: If you are configuring a KMIP server to use with VMware vSphere encryption or VSAN encryption, see
Procedure
- Log into the KeyControl webGUI using an account with Security Admin privileges.
- In the top menu bar, click KMIP.
- On the Basic tab, specify the options you want to use.
Options

Host Name: The external IP address of the KeyControl node. This address cannot be changed.

Port: The server port number. The default port is 5696.

State: If set to Enabled, clients can connect to this KMIP server.

Auto-Reconnect: If set to ON, clients automatically try to reconnect to the KMIP server when they encounter certain errors. The default is OFF. The errors covered by auto-reconnect are defined in the OASIS KMIP standard.

Verify: If set to Yes, the KMIP client's identity (its client certificate) is verified before the server handles its request. We recommend that you do not turn this option off.

Protocol: The minimum version of the KMIP protocol this server will use.

Certificate Type: This can be one of the following:
- Default: the KMIP server uses the default certificate signed by the KeyControl internal CA.
- Custom: you must have a custom SSL certificate generated from a KeyControl CSR or from your own CSR, and then provide the following:
  - SSL Certificate: upload the SSL certificate file in Base64-encoded PEM format.
  - CA Certificate: upload the certificate of the CA that signed the custom SSL certificate, in Base64-encoded PEM format.
  - Private Key: optionally upload the private key file in Base64-encoded PEM format. This is required if you used your own CSR rather than the CSR generated on the KMIP page.
  - Password: optionally enter the password for the custom certificate, if one was set.
The KMIP certificate is replicated to all nodes in the cluster.
Important: If you have changed the certificate type from Default to Custom, or if you have changed the CA certificate, you must re-download the KMIP Client Certificate bundles and reconfigure all of your KMIP clients.

Nbio: If set to ON, the KMIP server requires non-blocking I/O. The default is OFF.

Timeout: The length of time, in seconds, after which a client request times out. If the Infinite check box is checked, client requests never time out; this is the default. To change this option, clear the Infinite check box, click the number of seconds displayed after the check box, enter a new value, and click Save.

Log Level: The lowest level of log messages that will be saved in the audit log. The options are:
- All: logs all requests to the KMIP server and responses from the KMIP server.
- Create-Modify: logs object creation, object modify, and object delete requests and responses. This is the default.
- Create-Get: logs object creation messages and object fetch requests and responses.
- Create: logs object creation request and response messages.
- Get: logs object fetch and object locate requests and responses.
- Off: no log messages are stored in the audit log.

Restrict TLS: If set to Enabled, all clients must connect to this KMIP server using TLS 1.2. Enable it unless you must support a client that cannot negotiate TLS 1.2.
- When you are finished, click Apply.
- At the prompt, click Proceed to confirm the configuration. If this server was already enabled, KeyControl restarts it and refreshes its object list.
What to Do Next
Create one or more certificate bundles that clients can use to connect to the KMIP server. For details, see Creating KMIP Client Certificate Bundles.