Go to main content

Managing Encryption and Certificates in Oracle® Solaris 11.4

Exit Print View

Updated: May 2021
 
 

Using KMIP in Oracle Solaris

The new pkcs11_kmip provider in the Cryptographic Framework enables PKCS #11 applications to function as KMIP clients and communicate to KMIP-compliant servers. You use the kmipcfg command to initialize and manage states of the pkcs11_kmip provider.

The pkcs11_kmip provider connects PKCS #11 applications to KMIP-compliant servers. In Oracle Solaris, each KMIP server group is implemented as a PKCS #11 token plugged into a PKCS #11 slot. The kmipcfg command is used to configure the KMIP server groups. The pktool command can be used to review the state of these tokens from the PKCS #11 perspective.

To set up KMIP communications for clients in Oracle Solaris, administrators perform the following steps:

  1. Install the pkcs11_kmip package.

    $ pkg install pkcs11_kmip

    This package loads the software provider into the Cryptographic Framework.

  2. Create and configure a KMIP server group with the kmipcfg command.

    See configuration examples in the pkcs11_kmip(7) man page and Example 35, Using kmipcfg to Manage the pkcs11_kmip Provider.

What pkcs11_kmip Supports

The pkcs11_kmip provider supports a specific set of PKCS #11 interfaces that are useful during KMIP communications, including interfaces such as C_login, C_OpenSession, and C_CreateObject. To review the full list of supported interfaces, see the pkcs11_kmip(7) man page.

In this Oracle Solaris release, the pkcs11_kmip provider supports only symmetric keys with AES algorithms and encryption and decryption operations. The following mechanisms are supported:

  • CKM_AES_KEY_GEN

  • CKM_AES_CBC_PAD

  • CKM_AES_CBC

For further information, see the pkcs11_kmip(7) man page.

Creating and Configuring a KMIP Server Group

The following example shows one option for using the kmipcfg command. For more examples, see the kmipcfg(8) man page.

Example 35  Using kmipcfg to Manage the pkcs11_kmip Provider

    This kmipcfg create command creates a server group, cluster1, with three KMIP-compliant servers. The three servers have the following host names:

  • server1.example.com

  • server2.example.com

  • server3.example.com

# kmipcfg create \
  -o server_list=server1.example.com,server2.example.com,server3.example.com \
  -o client_p12=cluster1_cred.p12 \
  -o failover_limit=3 cluster1

Note the following:

  • Each –o option specifies one property in the server group configuration. See the kmipcfg(8) man page for a full list of configuration properties.

  • Since the port numbers for the servers in this example are not specified, the default port 5696 will be used.

  • In this example, the credentials that authenticate and secure the communication are provided in the cluster1_cred.p12 PKCS #12 bundle. For more information about managing certificates, see the pktool(1) man page.

  • In this example, if one server in the group fails, the connection will fail over to the next server defined in the server_list property. The failover_limit property specifies that up to three failovers will be possible.

  • This example is non-interactive. For an interactive example, see the kmipcfg(8) man page.

After you create at least one server group, use the kmipcfg list command to view configured parameters for the server groups, as in:

# kmipcfg list
Server group: cluster1
State: enabled
Hosts:  server1.example.com:5696
        server2.example.com:5696
        server3.example.com:5696
Connection timeout: 5
Cache object time to live: 300
Encoding: TTLV
Failover limit: 3
Client keystore: /var/user/testuser/kmip/cluster1
Client PKCS#12 bundle: cluster1_cred.p12
Secondary authentication type: none