KMIP Configuration

By default,

  1. The EP server
    1. identifies itself on the KMIP/TLS connection (KMIP: Key Management Interoperability Protocol; TLS: Transport Layer Security) using the certificate signed by the CORE Root CA. The validation of its certificate requires the KMIP client to apply ECDSA (Elliptic Curve Digital Signature Algorithm) SHA256 signature verification.
    2. expects the KMIP client to use TLS 1.2 ciphers.
  2. The KMIP client
    1. uses the certificate that is created by EP and signed by the CORE Root CA.

If the KMIP client:

then the default KMIP configuration described here must be followed by the corresponding steps in KMIP Configuration.

Default KMIP Service Configuration

Fresh System

Steps:

  1. Select two or three servers based on the Minimal Cluster Requirement.
  2. Install. Follow the Install CORE Server Software instructions on each server.
  3. Bootstrap. Bootstrap the First Triplet.
  4. Activate the triplet. See EKM Service Management.
  5. Create a partition that will serve a KMIP client. See ucl partition create.

Quickstart

In the following example, we create a KMIP server using two server machines (EP and Partner) with one partition (kmip) and one key.

Note
We work from the ground up without assuming previous CORE experience.

This example targets Linux servers. It uses the following entities:

Steps:

  1. On EP and Partner: Install the CORE Server software on the RHEL platform.

     sudo rpm -ivh <CORE Server Software>.rpm

  2. On EP: Bootstrap the software.

     sudo /opt/ekm/bin/ekm_boot_ep.sh --self ep1 -p partner1 -f -w Password1!

     It also creates the Root SO (Security Officer, the UKC partition administrator role) with credentials (so, Password1!).

     On Partner:

     sudo /opt/ekm/bin/ekm_boot_partner.sh --self partner1 -p ep1 -f

  3. On EP and Partner: Start the EKM (Enterprise Key Management, the previous name of the product) service on the EP, Partner, and Aux servers.

     sudo service ekm start

  4. On EP: Make sure that the system is up and running.

     ucl server test

  5. On EP: Continue to the Existing System.

Existing System

Create a partition "kmip5". Add one key.

Steps:

  1. On EP: Create a CORE partition, for example, "kmip5".

     sudo ucl partition create -p kmip5 --so_password Password2! -w Password1!

     The credentials of the new partition's SO (Security Officer, the UKC partition administrator role) are: (so, Password2!).

  2. On EP: Optionally, create an RSA key (rsa1) with the default attributes and show them.

     ucl generate -t rsa --name rsa1 -p kmip5

     ucl show --name rsa1 -p kmip5

Default KMIP Client Configuration

This section addresses the KMIP client authentication that is required by CORE.

KMIP Client Certificate

Note
If you can't use a KMIP client certificate issued by the CORE CA, skip to Custom KMIP Client Certificate.

Steps:

  1. In the selected partition, define the KMIP client's name and create its certificate.
    See Full Client.
  2. Obtain the CORE CA certificate in PEM format (Base64 encoded DER wrapped by "--- BEGIN <type> ---" and "--- END <type> ----"). See ucl root_ca.
  3. Deliver the certificates to the KMIP client admin.
  4. Run the KMIP Query command.

Quickstart

Continuing the previous example:

  • The client's name will be "kmip-client".
  • Its certificate will be stored in the "kmip-client.pfx" file. It will be protected by "KmipPassword1!".
  • The CORE CA certificate will be stored in the "ukc-ca.pem" file.

Steps:

  1. On EP: Create the partition's client (kmip-client) and its certificate (kmip-client.pfx) protected by (KmipPassword1!). Allow this certificate to be used from any IP (--check_ip 0).

     ucl client create -n kmip-client -p kmip5 -m FULL -o ./kmip-client.pfx --pfx_password KmipPassword1! --check_ip 0

  2. On EP: Obtain the CORE CA certificate in PEM format.

     ucl root_ca -o ./ukc-ca.pem

     To obtain the certificate in the P7B format, specify the file type as .p7b.

  3. On the KMIP client: Obtain and install the kmip-client.pfx and ukc-ca.pem (or ukc-ca.p7b) certificates.

  4. On the KMIP client: Run the KMIP Query command.

KMIP Client Credentials

For most KMIP-based applications, authentication using the client certificate is sufficient. In the rare cases where additional credentials are used by the KMIP client application, follow the steps specified in Appendix: Applying KMIP Client Credentials.

Customization of the Default Configuration

If any of the following restrictions are applicable, complement the default configuration steps with the specified additional steps:

Custom KMIP Client Certificate

If a KMIP client must identify itself using a certificate issued by its own CA:

  1. Generate such a certificate (e.g., my-kmip-client.cer) and, as needed, convert it to PEM format.
    The Subject of the certificate must be "CN=<client name>, OU=<partition name>, O=CLIENT". See External Client Cert Details.
  2. On EP:
    1. Install the certificate.
    2. Install the certificate of the CA that issued this certificate (e.g., ext-ca.pem).

Steps:

  1. On the KMIP client: Obtain the client certificate with the following Subject.

     "CN=<client name>, OU=<partition name>, O=CLIENT"

  2. On the KMIP client: Install the certificate and the corresponding private key as specified by the client's vendor.

  3. On EP: Create an external client in the KMIP partition using my-kmip-client.cer.

     sudo ucl client create -m EXTERNAL -n <client-name> -p kmip5 -c my-kmip-client.cer

     The <client-name> must match the CN value in the certificate.

  4. On EP: Obtain the KMIP Ext-CA certificate (ext-ca.pem) and add it to the EP KMIP trust store:

     sudo /opt/ekm/bin/ekm_config_kmip_cert.sh -c <path>/ext-ca.pem -a

     The certificate is stored in /etc/ekm/ssl/external-kmip-cert.ks
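Because the EP only accepts the external client when the certificate's Subject follows the convention above and the CN equals the name given to ucl client create, it is worth checking the certificate before registering it. The following Python script is an added example, not part of the product documentation or the ucl tool: it parses a Subject as printed by openssl x509 -noout -subject (either the default "subject=CN = x, OU = y" form or the -nameopt RFC2253 form) and reports every deviation from "CN=<client name>, OU=<partition name>, O=CLIENT". The sample subject string is constructed; backslash escapes are honoured, multi-valued RDNs are not supported.

```python
"""Added example (not part of the product or the ucl tool): check that an
externally issued KMIP client certificate's Subject follows
"CN=<client name>, OU=<partition name>, O=CLIENT" and matches the client
name that will be passed to `ucl client create -n`."""

# Constructed sample, in the form printed by
#   openssl x509 -in my-kmip-client.cer -noout -subject -nameopt RFC2253
SAMPLE_SUBJECT = "O=CLIENT,OU=kmip5,CN=my-kmip-client"


def parse_dn(dn):
    """Split a DN (RFC 2253 style or OpenSSL's 'subject=CN = x, OU = y' style)
    into {ATTR: value}. Backslash escapes are honoured; duplicate attributes
    and malformed RDNs raise ValueError."""
    dn = dn.strip()
    if dn.lower().startswith("subject="):
        dn = dn[len("subject="):]
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: keep it literally
            current.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    attrs = {}
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn.strip()!r}")
        key, value = rdn.split("=", 1)
        key = key.strip().upper()
        if key in attrs:
            raise ValueError(f"duplicate attribute: {key}")
        attrs[key] = value.strip()
    return attrs


def check_client_subject(subject, client_name, partition):
    """Return a list of problems; an empty list means the Subject is acceptable
    for `ucl client create -m EXTERNAL -n <client_name> -p <partition>`."""
    try:
        attrs = parse_dn(subject)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if set(attrs) != {"CN", "OU", "O"}:
        problems.append(f"Subject must contain exactly CN, OU and O; found {sorted(attrs)}")
    if attrs.get("CN") != client_name:
        problems.append(f"CN {attrs.get('CN')!r} does not match the client name {client_name!r}")
    if attrs.get("OU") != partition:
        problems.append(f"OU {attrs.get('OU')!r} does not match the partition {partition!r}")
    if attrs.get("O") != "CLIENT":
        problems.append(f"O must be 'CLIENT', found {attrs.get('O')!r}")
    return problems


if __name__ == "__main__":
    for line in check_client_subject(SAMPLE_SUBJECT, "my-kmip-client", "kmip5") or ["Subject OK"]:
        print(line)
```

Run it against the real certificate by piping the output of openssl x509 -noout -subject into check_client_subject with the client name and partition you intend to use in step 3; an empty problem list means the CN/OU/O convention and the -n value agree.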

Custom KMIP Server Certificate

If a KMIP client cannot validate the EP certificate signed by the CORE Root CA, it must produce an EP certificate signed by its CA and the matching private key, which will be installed on EP. If CORE contains several EPs, this procedure must be performed for each EP in the cluster.

Steps:

  1. On EP: Perform the steps in Default KMIP Service Configuration.

  2. On the KMIP client: Prepare the certificate that EP will use to identify itself on port 5696 and the matching private key that EP will use in the TLS connection setup.

     The key and the certificate must be stored in a secured PFX file.

     Let's assume that the PFX file is EP-ext-key.pfx and the password is "EPextKey1!".

  3. On EP: Install EP-ext-key.pfx using ekm_obfuscate_pfx.

     sudo /opt/ekm/bin/ekm_obfuscate_pfx.sh --pfx EP-ext-key.pfx -w EPextKey1!

     It creates the external-key.pfx that is used by EP on the KMIP port.

Extended Cipher Suite on EP

By default, the EP server expects its KMIP clients to use the TLS 1.2 cipher suites.

To also support the TLS 1.1 and TLS 1.0 cipher suites on port 5696, set the system property enable.kmip.tls1 to true on all EP servers:

Appendix: Applying KMIP Client Credentials

The CORE server evaluates KMIP client credentials based on the presence of the Credential object (data presented as evidence of the right to use an identity) in the message and the specified Credential.Type. The Credential.Type may be omitted or set to Username and Password. See 2.1.2 Credential in the KMIP Specification V1.4.

Message Without Credentials
If a KMIP message does not contain the Credential object, or the Credential.Type is NOT "Username and Password", then CORE will act on behalf of the default user of the partition. Its password must be unchanged or reset back to the default void password ("").
 
Message With Credentials
If a KMIP message contains the Credential object and the Credential.Type is "Username and Password", then CORE will check that the username and the specified password are registered in the KMIP partition. For example, you may use the credentials of the default user:
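To make the two rules above concrete, here is an added Python example (not the product's own code) that encodes a KMIP Credential of type Username and Password in TTLV, decodes it again, and applies the two rules to a constructed table of partition users. The tag and item-type constants are assumed from the KMIP 1.x tag tables; the name of the partition's default user (DEFAULT_USER) is a placeholder because the page does not give it. The credential-less path only succeeds while the default user's password is still the void password, which is exactly the condition the appendix states; changing that password is therefore what closes the credential-less path.

```python
"""Added example: KMIP Credential (Username and Password) in TTLV encoding and
the CORE credential rules from the appendix. Not the product's own code."""
import hmac
import struct

# Tag/type constants are assumed from the KMIP 1.x tag and item-type tables.
TAG_CREDENTIAL = 0x420023
TAG_CREDENTIAL_TYPE = 0x420024
TAG_CREDENTIAL_VALUE = 0x420025
TAG_USERNAME = 0x420099
TAG_PASSWORD = 0x4200A1
TYPE_STRUCTURE = 0x01
TYPE_ENUMERATION = 0x05
TYPE_TEXT_STRING = 0x07
CRED_TYPE_USERNAME_AND_PASSWORD = 0x00000001

# Placeholder: the page does not name the partition's default user.
DEFAULT_USER = "default-user"


def ttlv(tag, item_type, value):
    """Encode one item: 3-byte tag, 1-byte type, 4-byte length, value padded to 8."""
    padding = b"\x00" * ((-len(value)) % 8)
    return tag.to_bytes(3, "big") + bytes([item_type]) + struct.pack(">I", len(value)) + value + padding


def build_credential(username, password):
    """Credential structure: Credential Type + Credential Value(Username, Password)."""
    cred_type = ttlv(TAG_CREDENTIAL_TYPE, TYPE_ENUMERATION,
                     struct.pack(">I", CRED_TYPE_USERNAME_AND_PASSWORD))
    cred_value = ttlv(TAG_CREDENTIAL_VALUE, TYPE_STRUCTURE,
                      ttlv(TAG_USERNAME, TYPE_TEXT_STRING, username.encode("utf-8"))
                      + ttlv(TAG_PASSWORD, TYPE_TEXT_STRING, password.encode("utf-8")))
    return ttlv(TAG_CREDENTIAL, TYPE_STRUCTURE, cred_type + cred_value)


def parse_ttlv(buf, offset=0):
    """Decode the item at offset -> (tag, type, value, next_offset).
    Structures decode to a list of (tag, type, value) children."""
    if len(buf) - offset < 8:
        raise ValueError("truncated TTLV header")
    tag = int.from_bytes(buf[offset:offset + 3], "big")
    item_type = buf[offset + 3]
    length = struct.unpack(">I", buf[offset + 4:offset + 8])[0]
    raw = buf[offset + 8:offset + 8 + length]
    if len(raw) != length:
        raise ValueError("truncated TTLV value")
    if item_type == TYPE_STRUCTURE:
        children, pos = [], 0
        while pos < len(raw):
            child_tag, child_type, child_value, pos = parse_ttlv(raw, pos)
            children.append((child_tag, child_type, child_value))
        value = children
    elif item_type == TYPE_ENUMERATION:
        value = struct.unpack(">I", raw)[0]
    elif item_type == TYPE_TEXT_STRING:
        value = raw.decode("utf-8")
    else:
        value = raw  # other item types are left as raw bytes in this example
    return tag, item_type, value, offset + 8 + length + ((-length) % 8)


def resolve_identity(credential, partition_users):
    """Apply the appendix rules. `credential` is the decoded Credential children
    (or None when the message has no Credential object); `partition_users` maps
    registered usernames to their passwords. Returns the user CORE acts as."""
    cred_type, fields = None, {}
    if credential is not None:
        for tag, _, value in credential:
            if tag == TAG_CREDENTIAL_TYPE:
                cred_type = value
            elif tag == TAG_CREDENTIAL_VALUE:
                fields = {t: v for t, _, v in value}
    if cred_type != CRED_TYPE_USERNAME_AND_PASSWORD:
        # No Credential, or a type other than Username and Password:
        # act as the default user, which works only while its password is void.
        if partition_users.get(DEFAULT_USER) != "":
            raise PermissionError("default user's password is no longer the void password")
        return DEFAULT_USER
    username = fields.get(TAG_USERNAME)
    password = fields.get(TAG_PASSWORD, "")
    registered = partition_users.get(username)
    if registered is None or not hmac.compare_digest(registered.encode(), password.encode()):
        raise PermissionError("username/password not registered in the partition")
    return username


if __name__ == "__main__":
    users = {DEFAULT_USER: "", "so": "Password2!"}   # constructed partition user table
    wire = build_credential("so", "Password2!")
    print("Credential TTLV:", wire.hex())
    _, _, children, _ = parse_ttlv(wire)
    print("with credential, acts as:", resolve_identity(children, users))
    print("without credential, acts as:", resolve_identity(None, users))
```

The encoder pads every value to an 8-byte boundary, which is why a two-character username still occupies 16 bytes on the wire; the decoder uses the same rule to find the next item. resolve_identity compares passwords with hmac.compare_digest so that a wrong guess does not leak timing information.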