Open topic with navigation

Configuring KeyControl as a KMIP Client

As a KMIP client, KeyControl can connect to a third-party KMIP server. After the connection has been established, KeyControl saves all new Admin Keys to the KMIP server instead of sending them as parts to the Security Admins in the system. It can then retrieve the required Admin Key from the KMIP server when you need to restore or recover the system. For more details, see Admin Keys.

Before You Begin 

Make sure you have the certificate bundle from your KMIP server.

Procedure 

  1. Log into the KeyControl webGUI on any node in the cluster using an account with Security Admin privileges.
  2. In the top menu bar, click Settings.
  3. In the System Settings section, click KMIP Client Settings.

  4. On the Basic tab, enter the following information:

    Field Description
    Server Name The name of the KMIP server. This name is local to the client and can be used as a reminder of what KMIP server you're using.
    Host Name The hostname or IP address of the KMIP server.
    Port The port for the KMIP server. The default is 5696.
    Auto-Reconnect

    If set to On, the KeyControl KMIP client will automatically attempt to reconnect with the KMIP server if required.

    The default is Off.
    Verify If Yes, the client will be authenticated. We recommend that you do not change this option.
    Protocol

    The KMIP protocol supported by the KMIP server to which you are connecting. The default is Version 1.
    Non-blocking I/O

    If set to Yes, the client requires non-blocking I/O.

    The default is No.
    Timeout The length of time, in seconds, after which the client considers its KMIP server request to have timed out. If this field is set to 0, the request never times out. The default is 0.
  5. When you are finished, click the Advanced tab.

  6. On the Cert sub-tab:

    1. Click Load File in the Cert File field and navigate to your user certification file.
    2. In the Cert Format field, enter the certificate format. This can be pem or p12.
    3. Enter the certificate password, if one was specified when the certificate was created.

  7. If you have a separate user Key file, click the Key sub-tab and do the following.

    1. Click Load File in the Key File field and navigate to your user key file.
    2. In the Key Format field, enter the key file format. This can be pem or p12.
    3. Enter the key file password, if one was specified when the key was created.

  8. Click the CA Trusted Cert sub-tab and do the following:

    1. Click Load File in the CA Trusted Cert File field and navigate to your server certificate file.
    2. In the CA Trusted Cert Format field, enter the CA Trusted certificate file format. This can be pem or p12.
    3. Enter the CA Trusted certificate file password, if one was specified when the certificate was created.

  9. If your KMIP server requires a server certification file, click the Server Cert sub-tab and do the following.

    1. Click Load File in the Server Cert File field and navigate to your user key file.
    2. In the Server Cert Format field, enter the server certificate file format. This can be pem or p12.
    3. Enter the key file password, if one was specified when the server certificate was created.

  10. If your KMIP server requires a server certification file, click the Server Key sub-tab and do the following:

    1. Click Load File in the Server Key File field and navigate to your user key file.
    2. In the Server Key Format field, enter the key file format. This can be pem or p12.
    3. Enter the key file password, if one was specified when the key was created.

  11. Click the Credentials sub-tab and enter the following information:

    1. In the Username field, enter the name the client should use when contacting the KMIP server. This username should match the one for which you generated the certificate files.
    2. In the Password field, enter a password if required by your KMIP server.
    3. In the Ciphers field, optionally enter the specific ciphers you want to use. If you leave this field blank, KeyControl uses the default ciphers defined in the KMIP standard.

  12. When you have finished specifiying everything on the Advanced sub-tabs, click the Configuration tab and enter the following information:

    Field

    Description

    Description

    A user-defined description for this KMIP client.

    Disable Entropy Speed

    If set to Yes, seeding of the KeyControl Random Number Generator from the KMIP server is disabled.

    Disable Hardware Signature

    This option is reserved for future use.

    No Split Key

    This option is reserved for future use.
  13. When you are finished, test the connection by clicking Test Connection. KeyControl should display a message that the connection is OK. If there is an issue, see KMIP Errors and Troubleshooting.
  14. After the connection has been verified, test that KeyControl can store a key on that server by clicking Test Key. KeyControl should display a message that the test was successful. If there is an issue, see KMIP Errors and Troubleshooting.
  15. When both tests are successful, click Apply.
  16. Click Proceed at the prompt to save your settings. KeyControl automatically regenerates the Admin key and stores it on the KMIP server. It then displays a message letting you know whether the operation was successful or presenting an error message if it failed. If there is an issue, see KMIP Errors and Troubleshooting.

Open topic with navigation