Configuring a KeyControl KMIP Server

Any KMIP client can connect to the KeyControl KMIP server and perform all standard KMIP operations with the following restrictions:

For details about the standard KMIP operations and configuration settings, see the Oasis KMIP Technical Committee page or the KMIP wiki page.

Note: If you are configuring a KMIP server to use with VMware vSphere Encryption, see Configuring a KMIP Server.

Procedure 

  1. Log into the KeyControl webGUI on any node in the cluster using an account with Security Admin privileges.
  2. In the top menu bar, click KMIP.
  3. On the Basic tab, set the State field to Enabled.
  4. Set the following options as appropriate:

    Port
      The server port number. Default: 5696.

    Advanced Clustering
      If set to Enabled, all changes made to the KMIP server on one KeyControl node in the cluster are automatically propagated to all other nodes in the cluster. This results in a restart of the KMIP server on those nodes. This is the default.

      If set to Disabled, changes to the KMIP server options are still sent to the other nodes in the cluster, but the KMIP server on those nodes is not automatically restarted, so they do not use the new configuration until you restart them manually. For details, see Restarting a KMIP Server.

    Auto-Reconnect
      If set to ON, clients automatically try to reconnect to the KMIP server when they encounter certain errors. The default is OFF.

      The errors covered by auto-reconnect are defined in the OASIS KMIP standard.

    Verify
      If set to Yes, the KMIP client's identity is verified before the server handles its request. Leave this option enabled; with it set to No, the server handles requests without verifying who sent them.

    Protocol
      The minimum version of the KMIP protocol that this server will use.

    Nbio
      If set to ON, the KMIP server requires non-blocking I/O. The default is OFF.

    Timeout
      The length of time, in seconds, after which a client request times out.

      If the Infinite check box is checked, client requests never time out. This is the default.

      To change this option, clear the Infinite check box, then click the number of seconds displayed after the check box. Enter a new value and click Save.

    Log Level
      The lowest level of log messages that will be saved in the audit log. The options are:

      • All — Logs all requests to the KMIP server and responses from the KMIP server. This is the default.
      • Create-Get — Logs object creation messages, object fetch requests, and object fetch responses.
      • Off — No log messages are stored in the audit log.
  5. When you are finished, click Apply.
  6. At the prompt, click Proceed to confirm the configuration. If this server was already enabled, KeyControl restarts it and refreshes its object list.
  7. If Advanced Clustering is set to Disabled in a multi-node cluster, you need to restart the KMIP servers on the other nodes in the cluster. For details, see Restarting a KMIP Server.
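The Protocol option above is enforced against the Protocol Version that every KMIP request carries in its Request Header. The following added example (not KeyControl code, and not taken from this page) builds a standard KMIP Query request in the TTLV wire encoding that a client sends to port 5696, parses it back, and applies a minimum-version check of the kind the Protocol option describes. The tag, type, and enumeration values are the ones defined in the OASIS KMIP specification; the function names and the check itself are this example's own.

```python
"""Encode and parse a KMIP Query request in TTLV, then apply a
minimum-protocol-version check like the KMIP server's Protocol option.

Added example, not KeyControl's own code. Tag/type/enumeration constants
come from the OASIS KMIP specification; function names are this example's.
"""
import struct

# KMIP tags (3 bytes each) from the OASIS KMIP specification
TAG_BATCH_COUNT            = 0x42000D
TAG_BATCH_ITEM             = 0x42000F
TAG_OPERATION              = 0x42005C
TAG_PROTOCOL_VERSION       = 0x420069
TAG_PROTOCOL_VERSION_MAJOR = 0x42006A
TAG_PROTOCOL_VERSION_MINOR = 0x42006B
TAG_QUERY_FUNCTION         = 0x420074
TAG_REQUEST_HEADER         = 0x420077
TAG_REQUEST_MESSAGE        = 0x420078
TAG_REQUEST_PAYLOAD        = 0x420079

# TTLV item types
TYPE_STRUCTURE   = 0x01
TYPE_INTEGER     = 0x02
TYPE_ENUMERATION = 0x05

OPERATION_QUERY = 0x18             # Operation enumeration: Query
QUERY_SERVER_INFORMATION = 0x03    # Query Function enumeration


def ttlv(tag, typ, value):
    """Encode one item: 3-byte tag, 1-byte type, 4-byte length, value padded to 8 bytes."""
    if typ == TYPE_STRUCTURE:
        payload = b"".join(value)          # value: list of already-encoded child items
    else:
        payload = struct.pack(">i", value)  # Integer/Enumeration: 4-byte big-endian value
    length = len(payload)
    padded = payload + b"\x00" * ((8 - length % 8) % 8)
    return struct.pack(">I", tag)[1:] + bytes([typ]) + struct.pack(">I", length) + padded


def build_query_request(major, minor):
    """A Query (Server Information) request claiming KMIP protocol version major.minor."""
    return ttlv(TAG_REQUEST_MESSAGE, TYPE_STRUCTURE, [
        ttlv(TAG_REQUEST_HEADER, TYPE_STRUCTURE, [
            ttlv(TAG_PROTOCOL_VERSION, TYPE_STRUCTURE, [
                ttlv(TAG_PROTOCOL_VERSION_MAJOR, TYPE_INTEGER, major),
                ttlv(TAG_PROTOCOL_VERSION_MINOR, TYPE_INTEGER, minor),
            ]),
            ttlv(TAG_BATCH_COUNT, TYPE_INTEGER, 1),
        ]),
        ttlv(TAG_BATCH_ITEM, TYPE_STRUCTURE, [
            ttlv(TAG_OPERATION, TYPE_ENUMERATION, OPERATION_QUERY),
            ttlv(TAG_REQUEST_PAYLOAD, TYPE_STRUCTURE, [
                ttlv(TAG_QUERY_FUNCTION, TYPE_ENUMERATION, QUERY_SERVER_INFORMATION),
            ]),
        ]),
    ])


def parse_ttlv(data):
    """Decode TTLV bytes into (tag, type, value) tuples; structures are decoded recursively."""
    items, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 8:
            raise ValueError("truncated TTLV header")
        tag = int.from_bytes(data[pos:pos + 3], "big")
        typ = data[pos + 3]
        length = struct.unpack(">I", data[pos + 4:pos + 8])[0]
        body = data[pos + 8:pos + 8 + length]
        if len(body) != length:
            raise ValueError("truncated TTLV value")
        if typ == TYPE_STRUCTURE:
            value = parse_ttlv(body)
        elif typ in (TYPE_INTEGER, TYPE_ENUMERATION):
            value = struct.unpack(">i", body)[0]
        else:
            value = body                    # other types kept raw in this example
        items.append((tag, typ, value))
        pos += 8 + length + (8 - length % 8) % 8
    return items


def find(items, tag):
    """Return the value of the first item with the given tag, or raise KeyError."""
    for t, _, v in items:
        if t == tag:
            return v
    raise KeyError(hex(tag))


def request_protocol_version(data):
    """(major, minor) from the Protocol Version structure in the Request Header."""
    header = find(find(parse_ttlv(data), TAG_REQUEST_MESSAGE), TAG_REQUEST_HEADER)
    pv = find(header, TAG_PROTOCOL_VERSION)
    return find(pv, TAG_PROTOCOL_VERSION_MAJOR), find(pv, TAG_PROTOCOL_VERSION_MINOR)


def meets_minimum(data, minimum):
    """Server-side check in the spirit of the Protocol option: is the request's version >= minimum?"""
    return request_protocol_version(data) >= tuple(minimum)


if __name__ == "__main__":
    req = build_query_request(1, 4)               # constructed request, not a captured one
    print(len(req), req.hex())
    print(request_protocol_version(req), meets_minimum(req, (1, 2)))
```

A client that sends a version below the configured minimum gets its request rejected rather than served; the same parser is also what you would point at a captured request when checking which KMIP version a third-party client actually negotiates before raising the Protocol setting.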

What to Do Next 

If desired, set up KMIP user accounts that correspond to the clients that are authorized to use this KMIP server. For details, see Creating KMIP Server User Accounts.