About Multi-Tenant KMIP

Beginning with version 5.5.1, you can use KMIP with multiple tenants. This allows security administrators to isolate different tenant environments from one another for security and compliance. To use KMIP in this mode, you create a separate KMIP tenant, each with its own KeyControl KMIP Tenant GUI.

  • Each KMIP tenant has its own KMIP objects, client certificates, access policies, audit logs, Local User Accounts, Active Directory settings, and HSM root key label for KEK wrapping.

  • Each KMIP tenant has access to its own KeyControl KMIP Tenant GUI. KeyControl-managed user accounts and KeyControl Security Administrators do not have access to the KeyControl KMIP Tenant GUI.

  • A KMIP tenant supports Local User Authentication or Managed Authentication. If a KMIP tenant is created with Local User Authentication, the usernames and passwords of all its users are stored in KeyControl and the users are managed in the KeyControl KMIP Tenant GUI. With Managed Authentication, an external authentication service such as Active Directory, OpenLDAP, or OIDC is used instead.

  • KMIP tenants can only be created by KeyControl Security Administrators in the KeyControl KMIP page.

  • KMIP tenants are created with the following:

    • Tenant user authentication type. It can be Local User Authentication or Managed Authentication.
    • Initial KMIP Administrator with access to the KeyControl KMIP Tenant GUI. This can be a Local User, an AD User, or an AD group. The KeyControl Security Administrator gives the initial KMIP Administrator the tenant URL once the KeyControl KMIP Tenant GUI is created.

  • Each KMIP object, for example a symmetric or asymmetric key, is owned by the specific KMIP tenant and cannot be viewed or accessed by any other KMIP tenant.

Note:  

  • Multi-tenant KMIP is only available for fresh KeyControl 5.5 or later installations.

  • If you upgrade from a previous version, only legacy KMIP (without multi-tenancy) is available, whether or not you have ever used KMIP before. KMIP is managed from the KeyControl KMIP page. For more information, see Configuring a KeyControl KMIP Server when Upgrading to Version 5.5.

  • For legacy KMIP, KeyControl-managed user accounts that hold the KeyControl Security Administrators permission can access KMIP.

Why should you prefer Managed Authentication over Local User Authentication? 

Tenants should use Managed Authentication with an external Identity Provider such as Active Directory, OpenLDAP, or OIDC rather than KMIP Tenant Local User Authentication, for two reasons:

  • Security

    With Local User Authentication, the initial tenant administrator's password is stored in KeyControl, so a KeyControl Security Administrator can reset it, log in as that account, and access the tenant's KMIP data. With Managed Authentication the credentials are held by the external Identity Provider, outside KeyControl, so a KeyControl Security Administrator has no such path into the tenant.

  • Convenience

    Using an external Active Directory account is also much more convenient: tenants can grant access to groups and then simply add the individuals who need access to those groups. KeyControl-managed local accounts do not support groups, so access has to be configured for each individual.

License limits

The Multi-Tenant KMIP feature is a licensed entitlement in KeyControl. The license sets the maximum number of tenants that can exist in KeyControl at any one time. Deleting a tenant frees up a slot in the entitlement for a new tenant. See Checking the Maximum Number of KMIP Tenants.