The new pkcs11_kmip provider in the Cryptographic Framework enables PKCS #11 applications to function as KMIP clients and communicate with KMIP-compliant servers. You use the kmipcfg command to initialize and manage the states of the pkcs11_kmip provider.
The pkcs11_kmip provider connects PKCS #11 applications to KMIP-compliant servers. In Oracle Solaris, each KMIP server group is implemented as a PKCS #11 token plugged into a PKCS #11 slot. The kmipcfg command is used to configure the KMIP server groups. The pktool command can be used to review the state of these tokens from the PKCS #11 perspective.
To set up KMIP communications for clients in Oracle Solaris, administrators perform the following steps:

1. Install the pkcs11_kmip package:

   $ pkg install pkcs11_kmip

   This package loads the software provider into the Cryptographic Framework.

2. Create and configure a KMIP server group with the kmipcfg command.

   See configuration examples in the pkcs11_kmip(7) man page and Example 35, Using kmipcfg to Manage the pkcs11_kmip Provider.
The pkcs11_kmip provider supports a specific set of PKCS #11 interfaces that are useful during KMIP communications, including interfaces such as C_Login, C_OpenSession, and C_CreateObject. To review the full list of supported interfaces, see the pkcs11_kmip(7) man page.
In this Oracle Solaris release, the pkcs11_kmip provider supports only symmetric AES keys and only encryption and decryption operations. The following mechanisms are supported:
For further information, see the pkcs11_kmip(7) man page.
The following example shows one option for using the kmipcfg command. For more examples, see the kmipcfg(8) man page.

Example 35 Using kmipcfg to Manage the pkcs11_kmip Provider
This kmipcfg create command creates a server group, cluster1, with three KMIP-compliant servers. The three servers have the following host names:
# kmipcfg create \
    -o server_list=server1.example.com,server2.example.com,server3.example.com \
    -o client_p12=cluster1_cred.p12 \
    -o failover_limit=3 cluster1
Note the following:
Each -o option specifies one property in the server group configuration. See the kmipcfg(8) man page for a full list of configuration properties.
Because the port numbers for the servers in this example are not specified, the default port, 5696, is used for each server.
In this example, the credentials that authenticate and secure the communication are provided in the cluster1_cred.p12 PKCS #12 bundle. For more information about managing certificates, see the pktool(1) man page.
In this example, if one server in the group fails, the connection will fail over to the next server defined in the server_list property. The failover_limit property specifies that up to three failovers will be possible.
This example is non-interactive. For an interactive example, see the kmipcfg(8) man page.
After you create at least one server group, use the kmipcfg list command to view configured parameters for the server groups, as in:
# kmipcfg list
Server group: cluster1
State: enabled
Hosts:
    server1.example.com:5696
    server2.example.com:5696
    server3.example.com:5696
Connection timeout: 5
Cache object time to live: 300
Encoding: TTLV
Failover limit: 3
Client keystore: /var/user/testuser/kmip/cluster1
Client PKCS#12 bundle: cluster1_cred.p12
Secondary authentication type: none
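The following POSIX sh helper is an added example and is not part of the Oracle Solaris documentation or of the kmipcfg tool. It covers both the create command above (expanding a server_list value into host:port pairs, applying the default port 5696 wherever an entry omits one, so an administrator can see exactly which endpoints a group will contact before creating it) and the kmipcfg list output (extracting a property and counting hosts so a post-creation check can confirm the group is enabled and has at least one server). The sample output is constructed from the Example 35 listing; the function names are this example's own, not commands that exist in Solaris.

```shell
#!/bin/sh
# Added helper script (not Oracle's code). It validates a kmipcfg server_list
# value and parses `kmipcfg list` output to verify a server group after creation.

# Default KMIP port used when a server_list entry carries no port (as stated in
# the documentation text above).
DEFAULT_KMIP_PORT=5696

# Expand a comma-separated server_list value into space-separated host:port
# pairs, appending the default port where an entry has none.
expand_server_list() {
    _list=$1
    _out=""
    _oldifs=$IFS
    IFS=,
    for _entry in $_list; do
        case $_entry in
            "")  continue ;;                              # skip empty entries
            *:*) _pair=$_entry ;;                         # explicit host:port
            *)   _pair="$_entry:$DEFAULT_KMIP_PORT" ;;    # apply default port
        esac
        _out="${_out:+$_out }$_pair"
    done
    IFS=$_oldifs
    printf '%s\n' "$_out"
}

# Print the value of one "Label: value" line from kmipcfg list output.
# $1 = captured output text, $2 = label (for example "State" or "Failover limit").
kmip_prop() {
    printf '%s\n' "$1" | sed -n "s/^$2: *//p" | head -n 1
}

# Count the indented host lines that follow "Hosts:" up to the next label.
kmip_host_count() {
    printf '%s\n' "$1" | awk '
        /^Hosts:/ { inhosts = 1; next }
        inhosts && /^[^ ]/ { inhosts = 0 }      # next unindented label ends the block
        inhosts && NF { n++ }
        END { print n + 0 }
    '
}

# Succeed only if the group is enabled and lists at least one server.
kmip_group_check() {
    [ "$(kmip_prop "$1" State)" = "enabled" ] || return 1
    [ "$(kmip_host_count "$1")" -gt 0 ] || return 1
    return 0
}

# Constructed sample: the `kmipcfg list` output shown in Example 35.
SAMPLE_LIST='Server group: cluster1
State: enabled
Hosts:
    server1.example.com:5696
    server2.example.com:5696
    server3.example.com:5696
Connection timeout: 5
Cache object time to live: 300
Encoding: TTLV
Failover limit: 3
Client keystore: /var/user/testuser/kmip/cluster1
Client PKCS#12 bundle: cluster1_cred.p12
Secondary authentication type: none'

# Demonstration on the values used in Example 35.
echo "Endpoints: $(expand_server_list server1.example.com,server2.example.com,server3.example.com)"
echo "State: $(kmip_prop "$SAMPLE_LIST" State)"
echo "Hosts: $(kmip_host_count "$SAMPLE_LIST")"
echo "Failover limit: $(kmip_prop "$SAMPLE_LIST" 'Failover limit')"
if kmip_group_check "$SAMPLE_LIST"; then
    echo "Group cluster1 is enabled with servers configured."
else
    echo "Group cluster1 is not ready." >&2
fi
```

On a Solaris host the sample text would be replaced by `SAMPLE_LIST=$(kmipcfg list)`; the parsing assumes the layout shown in the example (one "Label: value" per line with host entries indented under "Hosts:").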