Configuring a KeyControl KMIP Server
Any KMIP client can connect to the KeyControl KMIP server and perform all standard KMIP operations with the following restrictions:
-
Object count (for example, keys) is limited to 35,000. After this limit, the KMIP server will still create and maintain the objects but the KeyControl webGUI may not display those objects correctly.
- Users cannot be partitioned, so all KMIP users have access to all KMIP objects.
Important: KeyControl includes a component for creating a Root Certificate Authority (CA) that can generate digital certificates. When the first KeyControl node is installed, it creates a Public CA that it also stores in the KeyControl object store. For more information, see KeyControl Certificates.
By default, the KMIP server uses a default certificate signed by the CA inside KeyControl. This can be changed by installing a custom SSL certificate for the KMIP server. To generate a custom SSL certificate, you can use a CSR created from KeyControl for the KMIP server (see Creating a Certificate Signing Request for KMIP Server) or you can use your own CSR. If you use your own CSR, you must upload a private key for that custom certificate.
For details about the standard KMIP operations and configuration settings, see the Oasis KMIP Technical Committee page or the KMIP wiki page.
When a KMIP client connects to the KeyControl KMIP server, the client must use the certificates associated with a KMIP server user account. The KeyControl KMIP server does not support username/password login credentials. For details about downloading a user account certificate bundle, see Creating KMIP Client Certificate Bundles.
Note:
- If you are configuring a KMIP server to use with VMware vSphere encryption or VSAN encryption, see
- If you are using a KMIP server with KEK enabled, please ensure that the KEK cache timeout is enabled. Set the value to anything other than 0.
Procedure
- Log into the KeyControl webGUI using an account with Security Admin privileges.
- In the top menu bar, click KMIP.
-
On the Basic tab, specify the options you want to use.
Options
Option Description State
If set to Enabled, clients can connect to this KMIP server.
Host Name
The external IP address for the KeyControl node. This address cannot be changed.
Port The server port number. The default port is 5696. State
If set to Enabled, clients can connect to this KMIP server.
Auto-Reconnect If set to ON, clients will automatically try to reconnect with the KMIP server if they encounter certain errors. The default is OFF.
The errors covered by auto-reconnect are defined in the OASIS KMIP standard.
Verify If set to Yes, the KMIP client identity is verified before the server handles its request. We recommend that you do not turn this option off. Protocol The minimum version of the KMIP Protocol this server will use.
Certificate Type This can be one of the following:
If set to Default, the KMIP server uses a default certificate.
If set to Custom, you must have a custom SSL certificate generated from KeyControl or from your own CSR, and then provide the following:
- SSL Certificate—Upload the SSL certificate file in Base64-encoded pem format.
- CA Certificate—Upload the certificate for the CA that signed the custom SSL certificate in Base64-encoded pem format.
- Private Key—Optionally upload the private key file in Base64-encoded pem format. This is required if you used your own CSR and not the CSR generated on the KMIP page.
- Password—Optionally enter the password for the custom certificate.
The KMIP certificate is replicated to all nodes in the cluster.
Important: If you have changed the certificate type from Default to Custom, or if you have changed the CA certificate, you must redownload the KMIP Client Certificate bundles and reconfigure all of your KMIP Clients.
Nbio If set to ON, the KMIP server requires non-blocking I/O.
The default is OFF.
Timeout The length of time, in seconds, after which a client request will time out.
If the Infinite check box is checked, client requests never time out. This is the default.
To change this option, clear the Infinite check box, then click on the number of seconds displayed after the check box. Enter a new value and click Save.
Log Level The lowest level of log messages that will be saved in the audit log. The options are:
- All — Logs all requests to the KMIP server and responses from the KMIP server.
- Create-Modify — Logs object creation, object modify requests, and object delete requests and responses. This is the default.
- Create-Get — Logs object creation messages, object fetch requests, and object fetch responses.
- Create — Logs object creation request and response messages.
- Get — Logs object fetch and object locate requests and responses.
- Off — No log messages are stored in the audit log.
Restrict TLS
If set to Enabled, all clients must connect to this KMIP server using TLS 1.2.
KMIP Key Wrapping
Select the type of key wrapping that you want to use. This can be one of the following:
- Disabled — No key wrapping is used.
-
System HSM — Uses the HSM configured to work with KeyControl. This can be either the SafeNet Luna HSM or nShield Connect HSM.
You must configure the HSM before it will display here. See Configuring KeyControl as an HSM Client using nShield Connect or Configuring KeyControl as an SafeNet Luna HSM Client with a Single Cluster Certificate .
- IBM HPCS — Uses the IBM HPCS HSM for key wrapping.
HSM Root Key Label
If you selected System HSM, the identifier to identify the root key on the HSM that is used to wrap and unwrap keys. If the root key label already exists, it will be used. If it does not create, KeyControl creates a new one. At this point, all existing KMIP objects and all new Key creation requests will be encrypted using the key.
HPCS URL
If you selected IBM HPCS, the URL for the IBM HPCS server to be used by the Cloud VM Set.
HPCS Api Key
If you selected IBM HPCS, the API key to be used to connect to the IBM HPCS server.
HPCS Instance ID
If you selected IBM HPCS, the instance ID for your IBM HPCS server.
HPCS Root Key
If you selected IBM HPCS, the Key ID in the IBM HPCS server to be used for generating a KEK.
Note: This value is optional. If you do not include the root key, then KeyControl will create one in HPCS.
KEK Cache Timeout
If you enabled KMIP Key wrapping, this is cache timeout for the KEK. Because connecting frequently to the System HSM or IBM HPCS to fetch the KEK and encrypt the object can affect performance, you can select how long you'd like to keep the KEK cached in KeyControl. When the timeout period ends, the KEK is deleted from the KeyControl cache.
The default value is 30 minutes. Set 0 to disable KEK cache timeout.
- When you are finished, click Apply.
- At the prompt, click Proceed to confirm the configuration. If this server was already enabled, KeyControl restarts it and refreshes its object list.
What to Do Next
- Create one or more certificate bundles that clients can use to connect to the KMIP server. For details, see Creating KMIP Client Certificate Bundles.
- If you have enabled KMIP Key wrapping with the System HSM, you can select Actions > ReKey to do a full rekey of all KMIP objects with a new KEK.
- If you want to switch between different Key Wrapping choices, you must select Disabled and click Apply to revert all the changes that were made. After that you can switch between System HSM and IBM HPCS.
