Configuring KeyControl as a KMIP Client
As a KMIP client, KeyControl can connect to a third-party KMIP server. After the connection has been established, KeyControl saves any new Admin Keys to the KMIP server instead of sending them as parts to the Security Admins in the system. It can then retrieve the required Admin Key from the KMIP server when you need to restore or recover the system. For more details, see Admin Keys.
Before You Begin
Make sure you have the certificate bundle from your KMIP server.
Procedure
- Log into the KeyControl webGUI using an account with Security Admin privileges.
- In the top menu bar, click Settings.
- In the System Settings section, click KMIP Client Settings.
- If you want to change the settings for an existing KMIP client connection, select the client connection you want to change from the External KMIP Server drop-down list. If you want to add a new KMIP client connection, click the blue + (Plus sign).
- On the Basic tab, specify the options you want to use.

  Options

  | Field | Description |
  | --- | --- |
  | Server Name | The name of the KMIP server. This name is local to the client and can be used as a reminder of which KMIP server you are using. |
  | Host Name | The hostname or IP address of the KMIP server. |
  | Port | The port for the KMIP server. The default is 5696. |
  | Auto-Reconnect | If set to On, the KeyControl KMIP client will automatically attempt to reconnect to the KMIP server if required. The default is Off. |
  | Verify | If Yes, the client will be authenticated. We recommend that you do not change this option. |
  | Protocol | The KMIP protocol supported by the KMIP server to which you are connecting. The default is Version 1. |
  | Non-blocking I/O | If set to Yes, the client requires non-blocking I/O. The default is No. |
  | Timeout | The length of time, in seconds, after which the client considers its KMIP server request to have timed out. If this field is set to 0, the request never times out. The default is 0. |

- When you are finished, click the Advanced tab.
- On the Cert sub-tab:
  - Click Load File in the Cert File field and navigate to your user certificate file.
  - In the Cert Format field, enter the certificate format. This can be pem or p12.
  - Enter the certificate password, if one was specified when the certificate was created.
- If you have a separate user Key file, click the Key sub-tab and do the following:
  - Click Load File in the Key File field and navigate to your user key file.
  - In the Key Format field, enter the key file format. This can be pem or p12.

    Note: If you want to use an encrypted private key, it must be in PKCS#8 format. Unencrypted private keys can use either PKCS#1 or PKCS#8.

  - Enter the key file password, if one was specified when the key was created.
- Click the CA Trusted Cert sub-tab and do the following:
  - Click Load File in the CA Trusted Cert File field and navigate to your server certificate file.
  - In the CA Trusted Cert Format field, enter the CA Trusted certificate file format. This can be pem or p12.
  - Enter the CA Trusted certificate file password, if one was specified when the certificate was created.
- If your KMIP server requires a server certificate, click the Server Cert sub-tab and do the following:
  - Click Load File in the Server Cert File field and navigate to your server certificate file.
  - In the Server Cert Format field, enter the server certificate file format. This can be pem or p12.
  - Enter the certificate file password, if one was specified when the server certificate was created.
- If your KMIP server requires a server key file, click the Server Key sub-tab and do the following:
  - Click Load File in the Server Key File field and navigate to your user key file.
  - In the Server Key Format field, enter the key file format. This can be pem or p12.
  - Enter the key file password, if one was specified when the key was created.
- Click the Credentials sub-tab and enter the following information:
  - In the Username field, enter the name the client should use when contacting the KMIP server. This username should match the one for which you generated the certificate files.
  - In the Password field, enter a password if required by your KMIP server.
  - In the Ciphers field, optionally enter the specific ciphers you want to use. If you leave this field blank, KeyControl uses the default ciphers defined in the KMIP standard.
- When you have finished specifying everything on the Advanced sub-tabs, click the Configuration tab and specify the options you want to use.

  Options

  | Field | Description |
  | --- | --- |
  | Description | A user-defined description for this KMIP client. |
  | Disable Entropy Speed | If set to Yes, seeding of the KeyControl Random Number Generator from the KMIP server is disabled. |
  | Disable Hardware Signature | This option is reserved for future use. |
  | FIPS Disabled | If this option is set to Yes, the KMIP server does not check the specified user key for FIPS 140-2 compliance. If this option is set to No, the user key must use a FIPS-compliant cipher or hash; if it does not, the connection will fail with error code 8 (bad key file). The default is No. |
  | No Split Key | This option is reserved for future use. |

- When you are finished, test the connection by clicking Test Connection. KeyControl should display a message that the connection is OK. If there is an issue, see KMIP Errors and Troubleshooting.
- After the connection has been verified, test that KeyControl can store a key on that server by clicking Test Key. KeyControl should display a message that the test was successful. If there is an issue, see KMIP Errors and Troubleshooting.
- When both tests are successful, click Apply.
- Click Proceed at the prompt to save your settings. KeyControl automatically regenerates the Admin key and stores it on the KMIP server. It then displays a message letting you know whether the operation was successful or presenting an error message if it failed. If there is an issue, see KMIP Errors and Troubleshooting.
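Before uploading key material on the Key and Cert sub-tabs, it helps to confirm locally that the files match the rule in the Key sub-tab note (an encrypted private key must be PKCS#8; an unencrypted key may be PKCS#1 or PKCS#8) and that the format you enter (pem or p12) matches the file contents. The following preflight check is an added example, not KeyControl code; the PEM samples in the test are constructed headers, not real keys.

```python
"""Preflight check for KMIP client key and certificate files before upload.

Added example, not part of KeyControl. It classifies a PEM private key by its
label, applies the rule that an encrypted key must be PKCS#8, and guesses
whether a file is PEM or a DER PKCS#12 ("p12") container for the Format field.
"""
import re
import sys

# PEM label -> (key encoding, encrypted-by-label)
PEM_LABELS = {
    "PRIVATE KEY": ("PKCS#8", False),
    "ENCRYPTED PRIVATE KEY": ("PKCS#8", True),
    "RSA PRIVATE KEY": ("PKCS#1", False),   # may carry legacy Proc-Type encryption
    "EC PRIVATE KEY": ("SEC1", False),      # traditional EC form, not PKCS#8
}
LABEL_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")


def detect_format(data: bytes) -> str:
    """Return 'pem' or 'p12'. A DER-encoded PKCS#12 file starts with an ASN.1 SEQUENCE (0x30)."""
    if LABEL_RE.search(data):
        return "pem"
    if data[:1] == b"\x30":
        return "p12"
    raise ValueError("not a PEM block or a DER container")


def check_private_key(data: bytes) -> dict:
    """Classify a PEM private key and report whether it satisfies the PKCS#8 rule."""
    m = LABEL_RE.search(data)
    if not m:
        raise ValueError("no PEM private key block found")
    label = m.group(1).decode()
    if label not in PEM_LABELS:
        raise ValueError(f"unsupported PEM label: {label}")
    fmt, encrypted = PEM_LABELS[label]
    # Legacy OpenSSL encryption is signalled by a Proc-Type header inside a PKCS#1 block.
    if b"Proc-Type: 4,ENCRYPTED" in data:
        encrypted = True
    acceptable = fmt == "PKCS#8" or not encrypted
    reason = "ok" if acceptable else "encrypted key must be PKCS#8 (re-encode with openssl pkcs8)"
    return {"format": fmt, "encrypted": encrypted, "acceptable": acceptable, "reason": reason}


if __name__ == "__main__":
    # Usage: python preflight.py <key-file>
    blob = open(sys.argv[1], "rb").read()
    print(detect_format(blob), check_private_key(blob) if detect_format(blob) == "pem" else "")
```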