Configuring a KMIP Server

Once you have your KeyControl cluster configured, you need to enable the included KMIP server. This server becomes the vSphere KMS (Key Management Server) when you establish a trusted connection between vSphere and KeyControl.

If you have already enabled the KMIP server in the cluster, make sure the configuration settings match the ones given below.

For details about the Entrust KMIP server implementation and how to manage KMIP server objects, or how to configure KMIP with a Hardware Security Module (HSM), see KMIP Server Configuration or Hardware Security Modules with KeyControl.

Important: Make sure that all KeyControl nodes reside on devices that are not encrypted. KeyControl has its own internal encryption, and it must be available to provide the keys for the encrypted devices before the encrypted devices can be accessed.

  1. Log into the KeyControl Vault Management webGUI.
  2. Select the Settings icon at the top right of the vault page.
  3. On the KMIP Vault Settings page, complete the following:

    Option    Description

    State
      If set to Enabled, clients can connect to this KMIP server.

    Port
      The server port number. The default port is 5696.

    Auto-Reconnect
      If set to On, clients will automatically try to reconnect to the KMIP server if they encounter certain errors. The default is Off.

      The errors covered by auto-reconnect are defined in the OASIS KMIP standard.

    Verify
      If set to Yes, the KMIP client identity is verified before the server handles its request. We recommend that you do not turn this option off.

    Non-blocking I/O
      If set to Yes, the KMIP server requires non-blocking I/O. The default is No.

    Log Level
      The lowest level of log messages that will be saved in the audit log. The options are:

      • All—Logs all requests to the KMIP server and responses from the KMIP server.
      • Create-Modify—Logs object creation, object modify requests, and object delete requests and responses. This is the default.
      • Create-Get—Logs object creation messages, object fetch requests, and object fetch responses.
      • Create—Logs object creation request and response messages.
      • Get—Logs object fetch and object locate requests and responses.
      • Off—No log messages are stored in the audit log.

    TLS
      Choose which version of TLS you want to support. If set to TLS 1.3, all clients must connect to this KMIP server using TLS 1.3. By default, both TLS 1.2 and TLS 1.3 are supported.

    Timeout
      The length of time, in minutes, after which a client request will time out. If No is selected, client requests never time out. This is the default.

      To change this option, select Yes and select the number of minutes before the request times out. This can be from 1 to 60 minutes.

    SSL/TLS Ciphers
      Enter the SSL ciphers that you want the KMIP server to use, as a comma-separated list.

    Certificate Types
      This can be one of the following:

      If set to Default, the KMIP server uses a default certificate.

      If set to Custom, you must have a custom SSL certificate generated from KeyControl or from your own CSR, and then provide the following:

      • SSL Certificate—Upload the SSL certificate file in Base64-encoded PEM format. It should be able to function as a server certificate.
      • CA Certificate—Upload the certificate for the CA that signed the custom SSL certificate in Base64-encoded PEM format.

        If you want to use the CA certificate to verify the KMIP client certificate, select Yes. The default is No.

      • Private Key—Optionally upload the private key file in Base64-encoded PEM format. This is required if you used your own CSR and not the CSR generated on the KMIP page.
      • Password—Optionally enter the password for the custom certificate.

  4. Click Apply and confirm your changes when prompted.
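Before clicking Apply, it is worth checking what the values entered above actually amount to. The following Python script is an added example, not part of the Entrust documentation or product: the settings dictionary and its cipher list are constructed, and it assumes the server's cipher list is evaluated by OpenSSL, so the page's comma-separated list is converted to OpenSSL's colon syntax and expanded with the local OpenSSL to see which TLS 1.2 suites it really selects and which of them lack forward secrecy or AEAD.

```python
import ssl

# KMIP Vault Settings as entered on the page (values constructed for this
# example; the cipher list deliberately mixes strong suites with a weak one).
KMIP_SETTINGS = {
    "port": 5696,
    "verify": True,             # "Verify" option
    "tls": "1.2 and 1.3",       # "TLS" option: "1.2 and 1.3" (default) or "1.3"
    "timeout_minutes": None,    # None = Timeout "No" (default); otherwise 1..60
    "ciphers": "ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384, AES128-SHA",
}

def expand_ciphers(cipher_csv):
    """Convert the page's comma-separated cipher list to OpenSSL's colon syntax
    (an assumption about the server's underlying library) and ask the local
    OpenSSL which TLS 1.2 suites the list resolves to. OpenSSL always reports
    its TLS 1.3 suites as well, so those are filtered out here. Raises
    ssl.SSLError if no entry in the list is a cipher OpenSSL knows."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(":".join(c.strip() for c in cipher_csv.split(",")))
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def audit_settings(settings):
    """Return a list of findings about settings that weaken the KMS endpoint."""
    findings = []
    if not settings["verify"]:
        findings.append("Verify=No: client identity is not checked before requests are served")
    if not 1 <= settings["port"] <= 65535:
        findings.append(f"port {settings['port']} is out of range")
    t = settings["timeout_minutes"]
    if t is None:
        findings.append("Timeout=No: client requests never time out; consider a 1-60 minute limit")
    elif not 1 <= t <= 60:
        findings.append(f"timeout {t} is outside the allowed 1-60 minutes")
    if settings["tls"] == "1.3":
        return findings  # TLS 1.3 has fixed suites; the cipher list only affects TLS 1.2 clients
    for c in expand_ciphers(settings["ciphers"]):
        name = c["name"]
        fs = "DHE" in name                      # ECDHE/DHE key exchange = forward secrecy
        aead = "GCM" in name or "CHACHA20" in name or "CCM" in name
        if c["strength_bits"] < 128 or not fs or not aead:
            findings.append(f"weak TLS 1.2 suite {name}: {c['strength_bits']}-bit, "
                            f"{'' if fs else 'no '}forward secrecy, {'AEAD' if aead else 'non-AEAD'}")
    return findings

if __name__ == "__main__":
    for finding in audit_settings(KMIP_SETTINGS):
        print(finding)
```

With the constructed settings, the script reports the default Timeout=No and, if the local OpenSSL still offers it, AES128-SHA as a suite without forward secrecy or AEAD, while the two ECDHE GCM suites pass.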

What to Do Next

Create the KMS cluster in vSphere as described in Adding a KMS Cluster in vSphere.