Overview - Key Management Interoperability Protocol
The IBM Security Key Lifecycle Manager server supports Key Management Interoperability Protocol (KMIP) communication with clients for key management operations on cryptographic material. The material includes symmetric and asymmetric keys, certificates, and templates that are used to create and control their use.
The Key Management Interoperability Protocol is part of an Organization for the Advancement of Structured Information Standards (OASIS) standardization project for encryption of stored data and cryptographic key management.
For more information, see Key Management Interoperability Protocol documentation (http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip).
KMIP attributes for keys and certificates
- Manage the following KMIP information through the IBM Security Key Lifecycle Manager graphical user interface:
- Whether KMIP ports and timeout settings are configured.
- Current KMIP certificate, indicating which certificate is in use for secure server or server/client communication.
- Whether SSL/KMIP or SSL is specified for secure communication.
- You can update KMIP attributes for keys and certificates.
For example, you can use the tklmKeyAttributeUpdate command to update:
- name
- Specifies the name that is used to identify or locate the object. This attribute is a Key Management Interoperability Protocol attribute.
- applicationSpecificInformation
- Specifies application namespace information as a Key Management Interoperability Protocol attribute.
- contactInformation
- Specifies contact information as a Key Management Interoperability Protocol attribute.
- cryptoParams cryptoparameter1, cryptoparameter2, …, cryptoparameterN
- Specifies the cryptographic parameters that are used for cryptographic operations by using the object cryptoparameter1, cryptoparameter2, …, cryptoparameterN. This attribute is a Key Management Interoperability Protocol attribute.
- customAttribute
- Specifies a custom attribute in string format as a Key Management Interoperability Protocol attribute. Client-specific attributes must start with the characters "x-" (x hyphen) and server-specific attributes must start with "y-" (y hyphen).
- link
- Specifies the link from one managed cryptographic object to another, closely related target managed cryptographic object. This attribute is a Key Management Interoperability Protocol attribute.
- objectGroup
- Specifies one or more object group names of which this object might be part. This attribute is a Key Management Interoperability Protocol attribute.
- processStartDate
- Specifies the date on which a symmetric key object can be used for process purposes. You cannot change the value after the date occurs. If you specify a date earlier than the current date, the value is set to the current date. This attribute is a Key Management Interoperability Protocol attribute.
- protectStopDate
- Specifies the date on which an object cannot be used for process purposes. You cannot change the value after the date occurs. If you specify a date earlier than the current date, the value is set to the current date. This attribute is a Key Management Interoperability Protocol attribute.
- usageLimits
- Specifies a usage limit as either total bytes (BYTE) or total objects (OBJECT) as a Key Management Interoperability Protocol attribute. You cannot modify this value once the object has been used, for example, after a GetUsageAllocation operation has been performed on it.
- List and delete client-registered KMIP templates. Clients use a template to specify the cryptographic attributes of new objects in a standardized or convenient way. The template is a managed object that contains attributes in operations that the client can set for a cryptographic object. For example, the client can set application-specific information.
- tklmKMIPTemplateList
- List KMIP templates that IBM Security Key Lifecycle Manager provides. For example, you might list all templates.
- tklmKMIPTemplateDelete
- Delete KMIP templates that clients registered with IBM Security Key Lifecycle Manager.
- List and delete secret data such as passwords or a seed that is used to generate keys.
- tklmSecretDataDelete
- Delete secret data that KMIP clients sent to IBM Security Key Lifecycle Manager.
- tklmSecretDataList
- List secret data that KMIP clients sent to IBM Security Key Lifecycle Manager.
- Set default port and timeout properties
- KMIPListener.ssl.port
- Specifies the port on which the IBM Security Key Lifecycle Manager server listens for requests from libraries. The server communicates over the SSL socket by using Key Management Interoperability Protocol.
- TransportListener.ssl.port
- Specifies the port on which IBM Security Key Lifecycle Manager server listens for requests from tape libraries that communicate by using the SSL protocol.
- TransportListener.ssl.timeout
- Specifies how long the socket waits on a read() before closing. This property is used for the SSL socket.
- Enable or disable delete requests from KMIP clients.
An authenticated client can request delete operations that might have a significant impact on the availability of a key, on server performance, and on key security. Specify the enableKMIPDelete attribute with either the tklmDeviceGroupAttributeUpdate or the tklmDeviceGroupCreate command to determine whether IBM Security Key Lifecycle Manager acts on these requests.
kmipAuthNeeded=true
). To update the property file, use the Update Config Property REST Service.
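As an added example (not IBM code and not the tklmKeyAttributeUpdate command itself), the following Python models the update rules this page states for customAttribute, processStartDate, protectStopDate and usageLimits, so a requested change can be checked against them before it is sent to the server. The managed-object record layout (a dict) and its usageAllocated field are assumptions made for the example.

```python
import copy
from datetime import date

class AttributeUpdateError(ValueError):
    """Raised when an update breaks one of the rules this page states."""

DATE_ATTRS = ("processStartDate", "protectStopDate")
USAGE_UNITS = ("BYTE", "OBJECT")
CUSTOM_PREFIX = {"client": "x-", "server": "y-"}   # required prefixes for customAttribute

def apply_attribute_update(obj: dict, attr: str, value, today: str, origin: str = "client") -> dict:
    """Apply one attribute update to a managed-object record (a constructed dict, not the
    server's real object model) and return it. Dates are ISO-8601 strings so they compare
    chronologically; `today` is passed in explicitly to keep the function deterministic."""
    if attr == "name":
        obj["name"] = str(value)
    elif attr == "customAttribute":
        # Client-specific custom attributes must start with "x-", server-specific with "y-".
        key, _, text = str(value).partition("=")
        prefix = CUSTOM_PREFIX[origin]
        if not key.startswith(prefix):
            raise AttributeUpdateError(f"{origin} custom attribute {key!r} must start with {prefix!r}")
        obj.setdefault("customAttributes", {})[key] = text
    elif attr in DATE_ATTRS:
        try:
            requested = date.fromisoformat(value).isoformat()
        except ValueError as exc:
            raise AttributeUpdateError(f"{attr} must be an ISO date, got {value!r}") from exc
        current = obj.get(attr)
        # The value cannot be changed once the stored date has occurred ...
        if current is not None and current <= today:
            raise AttributeUpdateError(f"{attr}={current} has already occurred and is fixed")
        # ... and a date earlier than the current date is set to the current date.
        obj[attr] = max(requested, today)
    elif attr == "usageLimits":
        unit, total = value
        if unit not in USAGE_UNITS:
            raise AttributeUpdateError(f"usageLimits unit must be BYTE or OBJECT, not {unit!r}")
        # Not modifiable once the object has been used (e.g. after a GetUsageAllocation);
        # usageAllocated is an assumed field standing in for that usage record.
        if obj.get("usageAllocated", 0) > 0:
            raise AttributeUpdateError("usageLimits cannot be modified once the object is used")
        obj["usageLimits"] = {"unit": unit, "total": int(total)}
    else:
        raise AttributeUpdateError(f"attribute {attr!r} is not handled by this example")
    return obj

def is_rejected(obj: dict, attr: str, value, today: str, origin: str = "client") -> bool:
    """True when the update violates a rule; works on a copy so the record is untouched."""
    try:
        apply_attribute_update(copy.deepcopy(obj), attr, value, today, origin)
    except AttributeUpdateError:
        return True
    return False
```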