Managing KMIP Objects in the KeyControl KMIP Vault webGUI

KMIP objects include certificates and symmetric or asymmetric keys. External KMIP clients create them as needed and fetch them later. The KeyControl KMIP Vault webGUI lets you view and manipulate every object created by every KMIP user in the system, so restrict access to it accordingly: the actions below can revoke or destroy keys that clients still depend on.

If this KMIP server is being used as a KMS for VMware, the number of KMIP objects may exceed the number of encrypted VMs because:

  • The KMIP objects created when a VM is encrypted are not removed when that VM is decrypted or deleted.
  • Cloned VMs may share the same key if they have the same UUID.
  • A KMIP object is created for each ESXi host when encryption is enabled for that host in vCenter.
  • Stale keys for an ESXi host are not removed unless the ESXi host is detached, rebooted, and then reattached.

For more information about using the KMIP server as a KMS for VMware, see KeyControl Vault with VSAN and VMware vSphere VM Encryption.

Procedure 

  1. Log in to the KeyControl KMIP Vault webGUI.

  2. From the KeyControl KMIP Vault webGUI, click Objects.

  3. The Objects tab shows the following information for each object:

    • UUID—The Universally Unique Identifier of the KMIP object.
    • Initial Date—When the object was created.
    • Last Change Date—When the object was last modified.
    • Object Type—The KMIP object type (for example, symmetric key or certificate).
    • Archived—Whether the object has been archived. Archived objects can be recovered if needed.
    • State—The KMIP state of the object (for example, PreActive, Active, or Destroyed).

    To filter the list on any of these fields, click the text box next to the Filter tab, choose a field under Filter by, and enter the filter value.

  4. Click any object in the list to view additional attributes for that object. All attributes are defined in the OASIS KMIP standard.
  5. The Actions menu in the right corner lets you perform any of the following actions on the selected object. All actions except Rekey KMIP Objects follow the KMIP standard, and some are allowed only when the object is in a specific state (for example, an object must be Active before it can be revoked). For details, see the OASIS KMIP standard.

    • Activate—Objects are created in the PreActive state by default. Click Activate to move the object to Active, which enables the remaining transitions. Note: Many KMIP clients activate objects as part of the creation process, so an object may already be Active when it first appears here.
    • Archive—The object's key material is no longer returned to clients, but the object and its metadata remain in the system and the Archived column shows it as archived. Use Recover to make the key material retrievable again.
    • Destroy—Destroys the object and changes its state to Destroyed. This is irreversible: the key material cannot be retrieved afterwards, although the object's metadata continues to be listed on the Objects page. Under the KMIP state model an Active object cannot be destroyed directly; revoke it first.
    • Recover—Restores an archived object so that its keys can be retrieved again.
    • Revoke—Revocation is permanent. A revoked object moves to Deactivated (or to Compromised when the reason is Key Compromise) and cannot be moved back to Active, but clients can still retrieve its key material, so revocation restricts use of a key without removing it; Destroy the object once it is no longer needed. Revoke prompts for a revocation message, which can be any string, and for a Reason Code, which is one of the following KMIP standard codes. Any unrecognized value is treated as "1—Unspecified."

      1—Unspecified
      2—Key Compromise
      3—CA Compromise
      4—Affiliation Changed
      5—Superseded
      6—Cessation of Operation
      7—Privilege Withdrawn

    • Rekey KMIP Objects—Rekeys all existing KMIP objects under a new KEK. This option is available only when KMIP KEK wrapping is enabled. See KEK with a KMIP Vault.
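To make the state gating in steps 3 to 5 concrete, the following added example (not KeyControl code, and not a KMIP client library) models a KMIP managed object as the Objects tab presents it: the State attribute, the separate Archived flag, and the Activate, Archive, Recover, Revoke and Destroy actions. The transitions follow the OASIS KMIP state model (PreActive, Active, Deactivated, Compromised, Destroyed, Destroyed Compromised) and the reason-code handling treats unrecognized codes as 1 as the Revoke dialog does. The KmipObject class, the LifecycleError exception, the walk_lifecycle driver and the placeholder key bytes are assumptions for illustration only.

```python
from enum import Enum
import uuid

class State(Enum):  # KMIP State attribute values (OASIS KMIP specification)
    PRE_ACTIVE = "PreActive"
    ACTIVE = "Active"
    DEACTIVATED = "Deactivated"
    COMPROMISED = "Compromised"
    DESTROYED = "Destroyed"
    DESTROYED_COMPROMISED = "Destroyed Compromised"

# KMIP Revocation Reason Code enumeration, as listed in the Revoke dialog.
REVOCATION_REASONS = {1: "Unspecified", 2: "Key Compromise", 3: "CA Compromise",
                      4: "Affiliation Changed", 5: "Superseded",
                      6: "Cessation of Operation", 7: "Privilege Withdrawn"}

class LifecycleError(Exception):
    """Action not allowed from the object's current state."""

class KmipObject:
    def __init__(self, material=b"constructed-key-bytes"):
        self.uuid = str(uuid.uuid4())
        self.state = State.PRE_ACTIVE   # objects are created PreActive
        self.archived = False           # Archived is a flag, not a State
        self.revocation = None          # (code, name, message) once revoked
        self._material = material       # placeholder bytes, not a real key

    def activate(self):
        if self.state is not State.PRE_ACTIVE:
            raise LifecycleError(f"Activate not allowed from {self.state.value}")
        self.state = State.ACTIVE

    def archive(self):
        self.archived = True    # Get stops returning the key; metadata stays listed

    def recover(self):
        self.archived = False   # key material is retrievable again

    def revoke(self, code, message=""):
        """Key Compromise moves to Compromised; any other reason to Deactivated."""
        code = code if code in REVOCATION_REASONS else 1  # unknown -> Unspecified
        if code == 2 and self.state is State.DESTROYED:
            self.state = State.DESTROYED_COMPROMISED
        elif code == 2 and self.state in (State.ACTIVE, State.DEACTIVATED):
            self.state = State.COMPROMISED
        elif code != 2 and self.state is State.ACTIVE:
            self.state = State.DEACTIVATED
        else:
            raise LifecycleError(f"Revoke not allowed from {self.state.value}")
        self.revocation = (code, REVOCATION_REASONS[code], message)

    def destroy(self):
        if self.state in (State.PRE_ACTIVE, State.DEACTIVATED):
            self.state = State.DESTROYED
        elif self.state is State.COMPROMISED:
            self.state = State.DESTROYED_COMPROMISED
        else:  # Active objects must be revoked first; destroyed ones stay destroyed
            raise LifecycleError(f"Destroy not allowed from {self.state.value}")
        self._material = None   # key bytes gone; attributes() still lists the object

    def get(self):  # KMIP Get: archived and destroyed objects return no key material
        if self.archived:
            raise LifecycleError("object is archived; Recover it first")
        if self._material is None:
            raise LifecycleError("object is destroyed")
        return self._material

    def attributes(self):  # the columns the Objects tab shows, even after Destroy
        return {"UUID": self.uuid, "State": self.state.value, "Archived": self.archived}

def can_get(obj):
    try:
        return obj.get() is not None
    except LifecycleError:
        return False

def walk_lifecycle():
    """Drive one object through the Actions menu and record what a client sees."""
    obj, seen = KmipObject(), {}
    obj.activate()
    obj.archive()
    seen["get_while_archived"] = can_get(obj)
    obj.recover()
    seen["get_after_recover"] = can_get(obj)
    try:
        obj.destroy()                       # refused: object is still Active
        seen["destroy_while_active"] = True
    except LifecycleError:
        seen["destroy_while_active"] = False
    obj.revoke(99, "host decommissioned")   # unknown code is treated as 1
    seen["revocation"] = obj.revocation
    seen["state_after_revoke"] = obj.state.value
    seen["get_after_revoke"] = can_get(obj) # revoked keys are still retrievable
    obj.destroy()
    seen["state_after_destroy"] = obj.attributes()["State"]
    seen["get_after_destroy"] = can_get(obj)
    return seen
```

Running walk_lifecycle() shows the two points that matter operationally: an Active key cannot be destroyed until it has been revoked, and a revoked key is still returned by Get, so revocation alone does not take a compromised key out of circulation; the Destroy step does.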