Overview - Key Management Interoperability Protocol

The IBM Security Key Lifecycle Manager server supports Key Management Interoperability Protocol (KMIP) communication with clients for key management operations on cryptographic material. The material includes symmetric and asymmetric keys, certificates, and templates that are used to create and control their use.

The Key Management Interoperability Protocol is part of an Organization for the Advancement of Structured Information Standards (OASIS) standardization project for encryption of stored data and cryptographic key management.

For more information, see Key Management Interoperability Protocol documentation (http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip).

KMIP attributes for keys and certificates

IBM Security Key Lifecycle Manager supports the following tasks:
  • Managing the following KMIP information through the IBM Security Key Lifecycle Manager graphical user interface:
    • Whether KMIP ports and timeout settings are configured.
    • Current KMIP certificate, indicating which certificate is in use for secure server or server/client communication.
    • Whether SSL/KMIP or SSL is specified for secure communication.
  • Updating KMIP attributes for keys and certificates.

    For example, you can use the tklmKeyAttributeUpdate command to update:

    name
    Specifies the name that is used to identify or locate the object. This attribute is a Key Management Interoperability Protocol attribute.
    applicationSpecificInformation
    Specifies application namespace information as a Key Management Interoperability Protocol attribute.
    contactInformation
    Specifies contact information as a Key Management Interoperability Protocol attribute.
    cryptoParams cryptoparameter1, cryptoparameter2, …, cryptoparameterN
    Specifies the cryptographic parameters cryptoparameter1, cryptoparameter2, …, cryptoparameterN that are used for cryptographic operations with the object. This attribute is a Key Management Interoperability Protocol attribute.
    customAttribute
    Specifies a custom attribute in string format as a Key Management Interoperability Protocol attribute. Client-specific attributes must start with the characters "x-" (x hyphen) and server-specific attributes must start with "y-" (y hyphen).
    link
    Specifies the link from one managed cryptographic object to another, closely related target managed cryptographic object. This attribute is a Key Management Interoperability Protocol attribute.
    objectGroup
    Specifies one or more object group names of which this object might be part. This attribute is a Key Management Interoperability Protocol attribute.
    processStartDate
    Specifies the date on which a symmetric key object can be used for process purposes. You cannot change the value after the date occurs. If you specify a date earlier than the current date, the value is set to the current date. This attribute is a Key Management Interoperability Protocol attribute.
    protectStopDate
    Specifies the date on which an object cannot be used for process purposes. You cannot change the value after the date occurs. If you specify a date earlier than the current date, the value is set to the current date. This attribute is a Key Management Interoperability Protocol attribute.
    usageLimits
    Specifies either total bytes (BYTE) or total objects (OBJECT) as a Key Management Interoperability Protocol attribute. You cannot modify this value after the object has been used, for example after a GetUsageAllocation operation on the object.
  • List and delete client-registered KMIP templates.
    Clients use a template to specify the cryptographic attributes of new objects in a standardized or convenient way. The template is a managed object that holds the attributes that a client can set for a cryptographic object in its operations. For example, the client can set application-specific information.
    tklmKMIPTemplateList
    List KMIP templates that IBM Security Key Lifecycle Manager provides. For example, you might list all templates.
    tklmKMIPTemplateDelete
    Delete KMIP templates that clients registered with IBM Security Key Lifecycle Manager.
  • List and delete secret data such as passwords or a seed that is used to generate keys.
    tklmSecretDataDelete
    Delete secret data that KMIP clients sent to IBM Security Key Lifecycle Manager.
    tklmSecretDataList
    List secret data that KMIP clients sent to IBM Security Key Lifecycle Manager.
  • Set default port and timeout properties.
    KMIPListener.ssl.port
    Specifies the port on which the IBM Security Key Lifecycle Manager server listens for requests from libraries. The server communicates over the SSL socket by using Key Management Interoperability Protocol.
    TransportListener.ssl.port
    Specifies the port on which IBM Security Key Lifecycle Manager server listens for requests from tape libraries that communicate by using the SSL protocol.
    TransportListener.ssl.timeout
    Specifies how long the socket waits on a read() before closing. This property is used for the SSL socket.
  • Enable or disable delete requests from KMIP clients.

    An authenticated client can request delete operations that might have a significant impact on the availability of a key, on server performance, and on key security. Specify the enableKMIPDelete attribute with either the tklmDeviceGroupAttributeUpdate or the tklmDeviceGroupCreate command to determine whether IBM Security Key Lifecycle Manager acts on these requests.
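The attribute rules above (custom attribute name prefixes, the clamping and freezing of processStartDate and protectStopDate, and usageLimits becoming read-only once the object has been used) can be checked before an update is sent to the server. The following model is an added example and is not IBM Security Key Lifecycle Manager code; the class and function names, the `usage_allocated` flag standing in for "a GetUsageAllocation call happened", and the `KEY-example-uuid` identifier are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Hypothetical model of the tklmKeyAttributeUpdate rules stated on this page.
# Not IBM Security Key Lifecycle Manager code: names are assumptions.


class AttributeUpdateError(ValueError):
    """Raised when an update would violate one of the documented rules."""


@dataclass
class ManagedObject:
    uuid: str
    attributes: dict = field(default_factory=dict)
    usage_allocated: bool = False  # assumed flag: True once GetUsageAllocation ran


DATE_ATTRIBUTES = ("processStartDate", "protectStopDate")
USAGE_UNITS = ("BYTE", "OBJECT")


def validate_custom_attribute_name(name: str, origin: str) -> None:
    """Client-specific names must start with 'x-', server-specific with 'y-'."""
    prefix = {"client": "x-", "server": "y-"}[origin]
    if not name.startswith(prefix):
        raise AttributeUpdateError(
            f"{origin}-specific custom attribute {name!r} must start with {prefix!r}")


def update_attribute(obj: ManagedObject, attr: str, value, *,
                     origin: str = "client",
                     today: Optional[date] = None) -> ManagedObject:
    """Apply one attribute update, enforcing the page's rules; returns obj."""
    today = today or date.today()

    if attr == "customAttribute":
        # value is "name=text"; only the name is subject to the prefix rule
        name, _, text = value.partition("=")
        validate_custom_attribute_name(name, origin)
        obj.attributes.setdefault("customAttribute", {})[name] = text
        return obj

    if attr in DATE_ATTRIBUTES:
        current = obj.attributes.get(attr)
        # Once the stored date has occurred, the value can no longer change.
        if current is not None and current <= today:
            raise AttributeUpdateError(
                f"{attr} already occurred on {current}; it cannot be changed")
        # A date earlier than the current date is replaced by the current date.
        obj.attributes[attr] = max(value, today)
        return obj

    if attr == "usageLimits":
        unit, _, count = value.partition(" ")
        if unit not in USAGE_UNITS or not count.isdigit():
            raise AttributeUpdateError("usageLimits must be 'BYTE <n>' or 'OBJECT <n>'")
        # Read-only once the object has been used (e.g. after GetUsageAllocation).
        if obj.usage_allocated:
            raise AttributeUpdateError("usageLimits cannot change after the object was used")
        obj.attributes[attr] = (unit, int(count))
        return obj

    # name, contactInformation, link, objectGroup, ...: no extra rule on this page
    obj.attributes[attr] = value
    return obj


def demo() -> dict:
    """Walk the rules with a constructed object and a fixed 'today'."""
    today = date(2024, 1, 10)
    obj = ManagedObject("KEY-example-uuid")  # constructed identifier

    update_attribute(obj, "customAttribute", "x-owner=payroll", today=today)
    try:
        update_attribute(obj, "customAttribute", "owner=payroll", today=today)
        bad_prefix_rejected = False
    except AttributeUpdateError:
        bad_prefix_rejected = True

    # 2023-12-01 is earlier than today, so it is clamped to 2024-01-10 ...
    update_attribute(obj, "processStartDate", date(2023, 12, 1), today=today)
    try:  # ... and, having now occurred, it is frozen against further change
        update_attribute(obj, "processStartDate", date(2024, 3, 1), today=today)
        start_date_frozen = False
    except AttributeUpdateError:
        start_date_frozen = True
    update_attribute(obj, "protectStopDate", date(2025, 6, 30), today=today)

    update_attribute(obj, "usageLimits", "OBJECT 1000", today=today)
    obj.usage_allocated = True
    try:
        update_attribute(obj, "usageLimits", "OBJECT 5000", today=today)
        limits_frozen = False
    except AttributeUpdateError:
        limits_frozen = True

    return {
        "bad_prefix_rejected": bad_prefix_rejected,
        "processStartDate": obj.attributes["processStartDate"].isoformat(),
        "start_date_frozen": start_date_frozen,
        "protectStopDate": obj.attributes["protectStopDate"].isoformat(),
        "usageLimits": obj.attributes["usageLimits"],
        "limits_frozen": limits_frozen,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two behaviours that most often surprise operators: a past processStartDate is silently moved to the current date rather than rejected, and once that date has arrived the attribute is locked, so a wrong value can only be corrected before it takes effect.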

Note: User credentials in a KMIP request are not validated by default and can cause the KMIP request to fail. To resolve this issue, ensure that you set the value of the kmipAuthNeeded property in the SKLMConfig.properties file to true (kmipAuthNeeded=true).

To update the property file, use the Update Config Property REST Service.
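Because an absent or non-`true` kmipAuthNeeded means client credentials are not checked, the KMIP settings in SKLMConfig.properties are worth verifying before the listener goes live. The following checker is an added example and not IBM code: it parses the Java-style properties format, reports a missing or non-`true` kmipAuthNeeded and missing or malformed port and timeout properties from this page, and shows how the fix (kmipAuthNeeded=true) changes the result. The embedded configuration excerpt is constructed for the example and is not a real installation's file; the port and timeout values in it are sample values, not documented defaults.

```python
import re
from typing import Dict, List, Optional

# Added example, not IBM Security Key Lifecycle Manager code. Parses a
# Java-style .properties file and checks the KMIP settings named on this page.

# Constructed SKLMConfig.properties excerpt; kmipAuthNeeded is deliberately absent.
SAMPLE_CONFIG = """\
# constructed excerpt for the example (sample values, not documented defaults)
KMIPListener.ssl.port=5696
TransportListener.ssl.port=441
TransportListener.ssl.timeout=10
"""

_PROPERTY_LINE = re.compile(r"^\s*([^=:\s]+)\s*[=:]?\s*(.*?)\s*$")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal .properties parser: key=value or key:value, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip()[0] in "#!":
            continue
        match = _PROPERTY_LINE.match(line)
        if match:
            props[match.group(1)] = match.group(2)
    return props


def _valid_port(value: Optional[str]) -> bool:
    return value is not None and value.isdigit() and 1 <= int(value) <= 65535


def check_kmip_settings(props: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means all checks passed."""
    findings: List[str] = []

    # Without kmipAuthNeeded=true, user credentials in KMIP requests are not
    # validated and the requests can fail (see the note on this page).
    if props.get("kmipAuthNeeded", "").strip().lower() != "true":
        findings.append("kmipAuthNeeded is not 'true': KMIP user credentials are "
                        "not validated and KMIP requests can fail")

    for key in ("KMIPListener.ssl.port", "TransportListener.ssl.port"):
        if not _valid_port(props.get(key)):
            findings.append(f"{key} is missing or not a valid TCP port")

    timeout = props.get("TransportListener.ssl.timeout")
    if timeout is None or not timeout.isdigit():
        findings.append("TransportListener.ssl.timeout is missing or not a "
                        "non-negative integer")
    return findings


def set_property(text: str, key: str, value: str) -> str:
    """Return text with key=value set: replace an existing line or append one."""
    pattern = re.compile(rf"^\s*{re.escape(key)}\s*[=:].*$", re.MULTILINE)
    if pattern.search(text):
        return pattern.sub(lambda _m: f"{key}={value}", text, count=1)
    separator = "" if text.endswith("\n") else "\n"
    return f"{text}{separator}{key}={value}\n"


if __name__ == "__main__":
    before = check_kmip_settings(parse_properties(SAMPLE_CONFIG))
    fixed = set_property(SAMPLE_CONFIG, "kmipAuthNeeded", "true")
    after = check_kmip_settings(parse_properties(fixed))
    print("before:", before)
    print("after: ", after)
```

The checker reads the file as text; on a real system the change itself should still be made through the Update Config Property REST Service, as the page directs, rather than by editing the file in place, so that the server picks it up consistently.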