Using KMIP to manage and serve keys, certificates, and other cryptographic objects

The IBM® Security Guardium® Key Lifecycle Manager server supports Key Management Interoperability Protocol (KMIP) communication with clients for key management operations on cryptographic keys and other cryptographic objects.

Before you begin

Ensure that the client is KMIP compliant.

About this task

Key Management Interoperability Protocol (KMIP) is a client/server communication protocol for the storage and maintenance of key, certificate, and secret objects. The standard is governed by the Organization for the Advancement of Structured Information Standards (OASIS).

IBM Security Guardium Key Lifecycle Manager supports a subset of the KMIP operations on cryptographic objects, for example generating cryptographic keys, registering cryptographic objects with the server, retrieving objects from the server, and destroying objects on the server. Cryptographic objects also have associated attributes: named values that the key management system stores and that clients obtain from the server through KMIP operations. Other operations add, modify, or delete certain attributes. For the complete list of supported operations, see KMIP objects and profiles.

Before you can use the KMIP operations, you must register the client in the IBM Security Guardium Key Lifecycle Manager server and associate a certificate with the client; the server uses that certificate to authenticate the client over TLS. If you accept a pending client certificate, it is imported into the database and marked as trusted, and any client that presents it is then accepted, so confirm the certificate's fingerprint with the client owner before you accept it. The certificate can then be used for secure communication between the client device and IBM Security Guardium Key Lifecycle Manager.

Procedure

  1. Set up secure communication between the KMIP client and the IBM Security Guardium Key Lifecycle Manager server.
    1. Create or use an existing TLS or KMIP certificate.
      For detailed instructions, see Creating a server certificate.
    2. Export the TLS or KMIP server certificate to the client so that the client can verify the server.
      For detailed instructions, see Exporting a server certificate.
    3. Import the KMIP client certificate in the IBM Security Guardium Key Lifecycle Manager server or accept a pending client certificate.
      A client is created and registered in the IBM Security Guardium Key Lifecycle Manager server. The alias that is provided while importing or accepting the pending client certificate is associated with the name of the client. For detailed instructions, see Importing a client communication certificate. You can also use the Certificate Import REST Service.
    4. Verify the connection between the KMIP client and the IBM Security Guardium Key Lifecycle Manager server.
  2. Add cryptographic objects.
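
As an added example (not IBM code and not part of this page), the following Python shows what the client side of this procedure does on the wire: it builds the TTLV-encoded request a KMIP client sends for the Get and Destroy operations named above, decodes the server's TTLV reply with every length field checked, and builds the mutual-TLS client context that corresponds to the certificate exchange in steps 1 to 3. The tag, type and Operation enumeration values are the ones defined in the OASIS KMIP 1.x specification; the protocol version 1.2, the host name sklm.example.com, port 5696 (the IANA-registered KMIP port) and the certificate file names are assumptions, and the connection helpers are not exercised offline.

```python
import socket
import ssl
import struct

# TTLV item types and tags used here; values from the OASIS KMIP 1.x specification
STRUCTURE, INTEGER, ENUMERATION, TEXT_STRING = 0x01, 0x02, 0x05, 0x07
TAG = {
    "RequestMessage": 0x420078, "RequestHeader": 0x420077, "ProtocolVersion": 0x420069,
    "ProtocolVersionMajor": 0x42006A, "ProtocolVersionMinor": 0x42006B, "BatchCount": 0x42000D,
    "BatchItem": 0x42000F, "Operation": 0x42005C, "RequestPayload": 0x420079,
    "UniqueIdentifier": 0x420094,
}
TAG_NAME = {v: k for k, v in TAG.items()}
OPERATION = {"Create": 0x01, "Register": 0x03, "Get": 0x0A, "Destroy": 0x14}
OPERATION_NAME = {v: k for k, v in OPERATION.items()}

def ttlv(tag, typ, value):
    """One TTLV item: 3-byte tag, 1-byte type, 4-byte length, value padded to 8 bytes."""
    if typ == STRUCTURE:
        body = b"".join(value)                               # children are encoded items
    elif typ in (INTEGER, ENUMERATION):
        body = struct.pack(">i" if typ == INTEGER else ">I", value)  # 32-bit; length field says 4
    elif typ == TEXT_STRING:
        body = value.encode("utf-8")
    else:
        raise ValueError("type %#x not handled in this example" % typ)
    header = tag.to_bytes(3, "big") + bytes([typ]) + struct.pack(">I", len(body))
    return header + body + b"\x00" * (-len(body) % 8)

def build_request(operation, payload):
    """Wrap one batch item in a Request Message; KMIP 1.2 is an assumed server version."""
    version = ttlv(TAG["ProtocolVersion"], STRUCTURE, [
        ttlv(TAG["ProtocolVersionMajor"], INTEGER, 1), ttlv(TAG["ProtocolVersionMinor"], INTEGER, 2)])
    header = ttlv(TAG["RequestHeader"], STRUCTURE, [version, ttlv(TAG["BatchCount"], INTEGER, 1)])
    item = ttlv(TAG["BatchItem"], STRUCTURE, [
        ttlv(TAG["Operation"], ENUMERATION, OPERATION[operation]),
        ttlv(TAG["RequestPayload"], STRUCTURE, payload)])
    return ttlv(TAG["RequestMessage"], STRUCTURE, [header, item])

def get_request(uid):        # Get: retrieve the object with this Unique Identifier
    return build_request("Get", [ttlv(TAG["UniqueIdentifier"], TEXT_STRING, uid)])

def destroy_request(uid):    # Destroy: delete the object with this Unique Identifier on the server
    return build_request("Destroy", [ttlv(TAG["UniqueIdentifier"], TEXT_STRING, uid)])

def parse(data):
    """Decode TTLV into nested (tag name, value) pairs. Every length is checked
    against the buffer, so a truncated or oversize item raises ValueError."""
    items, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 8:
            raise ValueError("truncated TTLV header at offset %d" % pos)
        tag, typ = int.from_bytes(data[pos:pos + 3], "big"), data[pos + 3]
        length = struct.unpack(">I", data[pos + 4:pos + 8])[0]
        start, padded_end = pos + 8, pos + 8 + (length + 7) // 8 * 8
        if padded_end > len(data) or (typ in (INTEGER, ENUMERATION) and length != 4):
            raise ValueError("bad length %d for item at offset %d" % (length, pos))
        raw = data[start:start + length]
        if typ == STRUCTURE:
            value = parse(raw)
        elif typ in (INTEGER, ENUMERATION):
            value = struct.unpack(">i" if typ == INTEGER else ">I", raw)[0]
        elif typ == TEXT_STRING:
            value = raw.decode("utf-8")
        else:
            value = raw                                      # other types kept as raw bytes
        items.append((TAG_NAME.get(tag, "%#08x" % tag), value))
        pos = padded_end
    return items

def is_well_formed(data):
    try:
        parse(data)
        return True
    except ValueError:                                       # includes UnicodeDecodeError
        return False

def summarize(request):
    """(operation name, Unique Identifier) of a single-item request."""
    (_, message), = parse(request)
    item = dict(dict(message)["BatchItem"])
    return OPERATION_NAME.get(item["Operation"]), dict(item["RequestPayload"]).get("UniqueIdentifier")

def kmip_client_context(server_cert, client_cert, client_key):
    """Mutual TLS as in steps 1 to 3: trust only the exported server certificate and
    present the client certificate the server accepted. File names are assumptions."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)            # CERT_REQUIRED and host-name check by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_verify_locations(cafile=server_cert)
    ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-message")
        buf += chunk
    return buf

def send_request(ctx, host, port, request):
    """Send one request over mutual TLS and read exactly one TTLV response message."""
    with socket.create_connection((host, port)) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(request)
        head = recv_exact(tls, 8)                            # tag, type, length of the response structure
        return parse(head + recv_exact(tls, struct.unpack(">I", head[4:8])[0]))
```

To verify the connection (step 4) against a real server, call `send_request(kmip_client_context("sklm-server.pem", "kmip-client.pem", "kmip-client.key"), "sklm.example.com", 5696, get_request("KEY-0001"))` with your own host and file names. A handshake failure at that point means either the server does not trust the client certificate or the client does not trust the server certificate, which is what steps 2 and 3 establish; an error only after the handshake is a KMIP-level result and is carried in the response structure. Tags that this example does not name, such as those in the response, are shown as hex so that the reply is still readable.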

Results

You can now perform the required KMIP operations on the cryptographic objects. For a list of KMIP operations, see http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip.