Managing KMIP Objects
KMIP objects include certificates and symmetric or asymmetric keys. They are created by the external KMIP clients as needed, and can then be fetched by those clients. You can use the KeyControl webGUI to view and manipulate all objects created by all KMIP users in the system.
Note: The KeyControl webGUI supports up to 35,000 KMIP objects. Beyond this limit, the KMIP server still creates and maintains the objects, but the KeyControl webGUI may not display them correctly.
If you have linked KeyControl with a HyTrust CloudControl server version 5.1 or later, the Inventory feature in CloudControl provides an identifier that links each VM with its associated KMIP objects. For more information, see Linking KeyControl with CloudControl.
If this KMIP server is being used as a KMS for VMware, the number of KMIP objects may exceed the number of encrypted VMs because:
- The KMIP objects created when a VM is encrypted are not removed when that VM is decrypted or deleted.
- Cloned VMs may share the same key if they have the same UUID.
- A KMIP object is created for each ESXi host when encryption is enabled for that host in vCenter.
- Stale keys for an ESXi host are not removed unless the ESXi host is detached, rebooted, and then reattached.
For more information about using the KMIP server as a KMS for VMware, see
Procedure
- Log into the KeyControl webGUI using an account with Security Admin privileges.
- In the top menu bar, click KMIP.
- Click the Objects tab. The table at the top of the page shows the following information for each object:
- UUID — The Universally Unique Identifier associated with the KMIP object.
- State — The state of the KMIP object.
- Archived — Whether the object has been archived. Archived objects can be recovered if needed.
- Initial Date — When the object was created.
- Last Change Date — When the object was last modified.
- Object Type — The object type.
- Identifier — The identifier from the HyTrust CloudControl inventory, if available.
- Description — A user-defined string describing the object, if available.
- Click any object in the list to view additional attributes for that object. All attributes are defined in the OASIS KMIP standard.
- The Actions menu allows you to perform any of the following actions on the selected object. These actions follow the KMIP standard, and some actions require the object to be in a specific state. For details, see the OASIS KMIP standard.
- Activate — By default, objects are created in PreActive state. Click Activate to enable more transitions for the object. Note: Many KMIP clients change objects to Active state as part of the creation process.
- Archive — Objects will no longer return keys but they remain in the system. You can use the Recover command to return an archived object to active state and retrieve its keys.
- Destroy — This operation permanently removes the object. Destroyed objects cannot be retrieved.
- Recover — Restores an Archived object to the active state so that its keys can be retrieved.
- Revoke — Revocation is permanent. Objects that are revoked cannot be moved back to Active, but the client can still retrieve any key material. Revocation prompts for a revocation reason, which can be any string. Revocation also prompts for a Reason Code, which is one of the following KMIP standard codes. Any unrecognized value will be considered the same as "1 — Unspecified."
  - 1 — Unspecified
  - 2 — Key Compromise
  - 3 — CA Compromise
  - 4 — Affiliation Changed
  - 5 — Superseded
  - 6 — Cessation of Operation
  - 7 — Privilege Withdrawn
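The following is an added example that models the object lifecycle and the Actions menu behaviour described above (Activate, Archive, Recover, Revoke, Destroy, plus the reason-code normalization rule) as a small Python state machine. It is not KeyControl or KMIP server code. The `PreActive` and `Active` state names, the Archived attribute, the table columns, and the seven reason codes come from the page; the `Revoked` and `Destroyed` state names, the `KmipStateError` exception, the `to_row()` helper and the sample key bytes are assumptions made for the example.

```python
"""Toy model of the KMIP object lifecycle described on this page.

Added example, not KeyControl or KMIP code. PreActive/Active, the Archived
flag, the table columns and the revocation reason codes follow the page;
the state names 'Revoked' and 'Destroyed', the exception type and the
sample key material are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Reason codes listed on the page. Anything else normalises to 1 (Unspecified).
REVOCATION_REASONS = {
    1: "Unspecified",
    2: "Key Compromise",
    3: "CA Compromise",
    4: "Affiliation Changed",
    5: "Superseded",
    6: "Cessation of Operation",
    7: "Privilege Withdrawn",
}


def normalize_reason_code(code) -> int:
    """Map any value that is not a recognised code to 1, as the page states."""
    try:
        code = int(code)
    except (TypeError, ValueError):
        return 1
    return code if code in REVOCATION_REASONS else 1


class KmipStateError(Exception):
    """Raised when an action is not permitted in the object's current state."""


@dataclass
class KmipObject:
    uuid: str
    object_type: str
    key_material: bytes              # constructed sample bytes in the test
    state: str = "PreActive"         # objects are created PreActive
    archived: bool = False
    revocation_reason: Optional[str] = None
    revocation_code: Optional[int] = None
    initial_date: datetime = field(default_factory=lambda: datetime.now(timezone.utc))
    last_change_date: datetime = field(default_factory=lambda: datetime.now(timezone.utc))

    def _touch(self) -> None:
        self.last_change_date = datetime.now(timezone.utc)

    def activate(self) -> None:
        """PreActive -> Active. Revoked and Destroyed objects can never return to Active."""
        if self.state != "PreActive":
            raise KmipStateError(f"cannot activate an object in state {self.state}")
        self.state = "Active"
        self._touch()

    def archive(self) -> None:
        """Archived objects stay in the system but no longer return keys."""
        if self.state == "Destroyed":
            raise KmipStateError("destroyed objects cannot be archived")
        self.archived = True
        self._touch()

    def recover(self) -> None:
        """Undo Archive so that keys can be retrieved again."""
        if not self.archived:
            raise KmipStateError("object is not archived")
        self.archived = False
        self._touch()

    def revoke(self, reason: str, code) -> None:
        """Permanent. Key material stays retrievable; the reason code is normalised."""
        if self.state in ("Revoked", "Destroyed"):
            raise KmipStateError(f"cannot revoke an object in state {self.state}")
        self.state = "Revoked"  # assumed name for the post-revocation state
        self.revocation_reason = reason
        self.revocation_code = normalize_reason_code(code)
        self._touch()

    def destroy(self) -> None:
        """Permanent: key material is discarded and can never be retrieved."""
        self.state = "Destroyed"  # assumed state name
        self.key_material = b""
        self.archived = False
        self._touch()

    def get_key(self) -> bytes:
        """What a KMIP client would receive when it asks for the key."""
        if self.state == "Destroyed":
            raise KmipStateError("object was destroyed; no key material exists")
        if self.archived:
            raise KmipStateError("archived objects do not return keys; recover first")
        return self.key_material

    def to_row(self) -> dict:
        """The columns the Objects tab shows for this object."""
        return {
            "UUID": self.uuid,
            "State": self.state,
            "Archived": self.archived,
            "Initial Date": self.initial_date.isoformat(),
            "Last Change Date": self.last_change_date.isoformat(),
            "Object Type": self.object_type,
        }
```

The `get_key()` checks are the part worth reading twice: an archived object hides its key until it is recovered, a revoked object still hands the key out (so revocation alone does not stop a client that already holds a handle), and only Destroy removes the material for good.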