About Multi-Tenant KMIP

Beginning with version 5.5, you can use KMIP with multiple tenants. This allows security administrators to isolate different tenant environments for security and compliance. To access KMIP, you must create new KMIP tenant portals for each tenant. 

  • Each KMIP tenant has its own KMIP objects, client certificates, access policies, audit logs, Active Directory settings, and HSM root key label for KEK wrapping.

  • Each KMIP tenant has access to their own KMIP tenant portal. KeyControl-managed user accounts and KeyControl Security Administrators do not have access to the KMIP tenant portal.

  • KMIP tenants can only be created by KeyControl Security Administrators in the KeyControl KMIP page. KMIP tenants are created with the following: 

    • Active Directory settings

    • Initial KMIP Administrator with access to the KMIP tenant portal. This can be an AD user or an AD group. The initial KMIP Administrator is given the tenant URL by the KeyControl Security Administrator once the tenant portal is created.

  • Each KMIP object, for example, symmetric or asymmetric keys, is owned by the specific KMIP tenant and can not be viewed or accessed by any other KMIP tenant.

Note:  

  • Multi-tenant KMIP is only available for fresh KeyControl 5.5 installations.

  • If you upgrade from a previous version, only legacy KMIP (without multi-tenancy) is available, whether or not you have ever used KMIP before. KMIP is managed from the KeyControl KMIP page. For more information, see Configuring a KeyControl KMIP Server when Upgrading to Version 5.5 .

  • Multi-tenant KMIP uses Active Directory to authenticate the users who will access the KMIP tenant portal.

  • For legacy KMIP, KeyControl-managed user accounts can access KMIP with the KeyControl Security Administrators permission.

License limits

The Multi-Tenant KMIP feature is a licensed entitlement in KeyControl. The license sets the maximum number of tenants that can exist in KeyControl at a time. If a tenant is deleted, the deletion frees up a slot for a new tenant in the entitlement. See Checking the Maximum Number of KMIP Tenants.