Administrative operations for KMIP

You can use the Guardium Key Lifecycle Manager server graphical user interface or REST APIs for some KMIP-specific administrative tasks, such as updating the KMIP listener port or modifying the attributes of KMIP objects.

IBM Security Guardium Key Lifecycle Manager supports the following KMIP-specific administrative tasks:
  • Managing the following KMIP information through the IBM Security Guardium Key Lifecycle Manager graphical user interface:
    • Configuration of the KMIP ports and timeout settings.
    • Current KMIP certificate, indicating which certificate is in use for secure server or server/client communication.
    • Secure communication configuration, indicating whether TLS/KMIP or TLS is specified.
  • Updating KMIP attributes for keys and certificates.

    For example, you can use the Key Attribute Update REST Service to update specific parameters.

  • Listing and deleting client-registered KMIP templates.
    Clients use a template to specify the cryptographic attributes of new objects in a standardized or convenient way. The template is a managed object that contains the attributes that a client can set on a cryptographic object in a KMIP operation, for example application-specific information.
    KMIP Template List REST Service
    List KMIP templates that IBM Security Guardium Key Lifecycle Manager provides. For example, you might list all templates. For more information, see KMIP Template List REST Service.
    KMIP Template Delete REST Service
    Delete KMIP templates that clients registered with IBM Security Guardium Key Lifecycle Manager. For more information, see KMIP Template Delete REST Service.
  • Listing and deleting secret data such as passwords or a seed that is used to generate keys.
    KMIP Secret Data Delete REST Service
    Delete secret data that KMIP clients sent to IBM Security Guardium Key Lifecycle Manager. For more information, see KMIP Secret Data Delete REST Service.
    KMIP Secret Data List REST Service
    List secret data that KMIP clients sent to IBM Security Guardium Key Lifecycle Manager. For more information, see KMIP Secret Data List REST Service.
  • Setting default port and timeout properties.
    KMIPListener.ssl.port
    Specifies the port on which the Guardium Key Lifecycle Manager server listens for requests from libraries. The server communicates over this TLS socket by using the Key Management Interoperability Protocol.
    TransportListener.ssl.port
    Specifies the port on which the Guardium Key Lifecycle Manager server listens for requests from tape libraries that communicate by using the TLS protocol.
    TransportListener.ssl.timeout
    Specifies how long the TLS socket waits on a read() before it closes.
  • Enabling or disabling delete requests from KMIP clients.

    An authenticated client can request delete operations that might have a significant impact on the availability of a key, on server performance, and on key security. Specify the enableKMIPDelete attribute with either the Device Group Attribute Update REST Service or the Device Group Create REST Service to determine whether IBM Security Guardium Key Lifecycle Manager acts on these requests.

Note: By default, user credentials in a KMIP request are not validated, which can cause the KMIP request to fail. To resolve this issue, set the kmipAuthNeeded property in the SKLMConfig.properties file to true (kmipAuthNeeded=true).

To update the property file, use the Update Config Property REST Service.
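The following script is an added example for this page, not code that ships with IBM Security Guardium Key Lifecycle Manager. It parses an SKLMConfig.properties file and checks the KMIP settings named above: that kmipAuthNeeded is set to true, that KMIPListener.ssl.port and TransportListener.ssl.port hold valid TCP ports, and that TransportListener.ssl.timeout is a positive integer. The sample properties content is constructed for the example; the port and timeout values in it are assumptions, not documented defaults, and the property names are the only part taken from the page.

```python
"""Audit the KMIP-related settings in an SKLMConfig.properties file (added example)."""
import re
from typing import Dict, List

# Constructed sample in Java .properties syntax. The property names come from the
# page; the values are made up for the example and are not product defaults.
SAMPLE_PROPERTIES = """\
# SKLMConfig.properties (constructed sample)
KMIPListener.ssl.port=5696
TransportListener.ssl.port=441
TransportListener.ssl.timeout=10
! Client credentials in KMIP requests are not validated while this is false
kmipAuthNeeded=false
"""

# key, then '=' or ':' or whitespace as separator, then the value
_LINE_RE = re.compile(r"^\s*([^=:\s]+)\s*[=:\s]\s*(.*?)\s*$")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: '#' and '!' comment lines, '=' ':' or
    whitespace separators, and backslash line continuations. Other escape
    sequences are left untouched, which is enough for the keys checked here."""
    props: Dict[str, str] = {}
    pending: List[str] = []
    for raw in text.splitlines():
        if pending:
            raw = raw.lstrip()          # continuation lines drop leading whitespace
        if raw.endswith("\\") and not raw.endswith("\\\\"):
            pending.append(raw[:-1])    # line continues on the next physical line
            continue
        pending.append(raw)
        line = "".join(pending)
        pending = []
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            continue
        match = _LINE_RE.match(line)
        if match:
            props[match.group(1)] = match.group(2)
        else:
            props[stripped] = ""        # a bare key has an empty value
    return props


def _is_port(value: str) -> bool:
    return value is not None and value.isdigit() and 1 <= int(value) <= 65535


def audit_kmip_settings(props: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the settings on this page look sane."""
    findings: List[str] = []
    # The page's note: KMIP client credentials are only validated when kmipAuthNeeded=true.
    if props.get("kmipAuthNeeded", "").strip().lower() != "true":
        findings.append("kmipAuthNeeded is not 'true': user credentials in KMIP requests are not validated")
    for key in ("KMIPListener.ssl.port", "TransportListener.ssl.port"):
        value = props.get(key)
        if not _is_port(value):
            findings.append(f"{key} is missing or not a valid TCP port: {value!r}")
    timeout = props.get("TransportListener.ssl.timeout")
    if timeout is None or not timeout.isdigit() or int(timeout) <= 0:
        findings.append(f"TransportListener.ssl.timeout is missing or not a positive integer: {timeout!r}")
    return findings


def corrected_properties(props: Dict[str, str]) -> Dict[str, str]:
    """Return a copy with the fix the page prescribes applied (kmipAuthNeeded=true)."""
    fixed = dict(props)
    fixed["kmipAuthNeeded"] = "true"
    return fixed


if __name__ == "__main__":
    current = parse_properties(SAMPLE_PROPERTIES)
    for finding in audit_kmip_settings(current) or ["no findings"]:
        print("weak config:", finding)
    for finding in audit_kmip_settings(corrected_properties(current)) or ["no findings"]:
        print("after fix:  ", finding)
```

Run the script against a copy of the real SKLMConfig.properties by replacing SAMPLE_PROPERTIES with the file contents; the audit reports the weak setting (kmipAuthNeeded=false) and is silent once the value is changed to true, which is the state the page tells you to reach with the Update Config Property REST Service.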