pkcs11_kmip - RSA PKCS#11 provider for the KMIP server
The pkcs11_kmip.so object implements the RSA Security Inc. PKCS#11 Cryptographic Token Interface (Cryptoki), v2.20 specification by using the Key Management Interoperability Protocol (KMIP) to communicate with a KMIP server. The following PKCS#11 mechanisms are supported by this provider:
    CKM_AES_KEY_GEN
    CKM_AES_CBC
    CKM_AES_CBC_PAD
The following PKCS#11 interfaces are supported by this provider:
    C_Initialize        C_Finalize          C_GetInfo           C_GetFunctionList
    C_GetSlotList       C_GetSlotInfo       C_GetTokenInfo      C_GetMechanismList
    C_GetMechanismInfo  C_InitToken         C_SetPIN            C_OpenSession
    C_CloseSession      C_CloseAllSessions  C_GetSessionInfo    C_Login
    C_Logout            C_CreateObject      C_CopyObject        C_DestroyObject
    C_GetObjectSize     C_GetAttributeValue C_SetAttributeValue C_FindObjectsInit
    C_FindObjects       C_FindObjectsFinal  C_EncryptInit       C_Encrypt
    C_EncryptUpdate     C_EncryptFinal      C_DecryptInit       C_Decrypt
    C_DecryptUpdate     C_DecryptFinal      C_GenerateKey
The pkcs11_kmip provider supports multiple slots. Each slot accommodates a single KMIP server group; that is, a group of KMIP servers appears to the application as a token plugged into a PKCS#11 slot. Before the pkcs11_kmip provider is initialized, the user must configure a server group with the kmipcfg(1M) command, which places the configuration material (including the TLS credentials used to authenticate to the servers) in the user's KMIP token directory. One or more server groups can be configured for a PKCS#11 client.
The default location of the KMIP token directory is /var/user/$USERNAME/kmip. If the environment variable $KMIPTOKEN_DIR is set, it overrides the default location. Each subdirectory under this kmip directory holds the configuration material a KMIP client needs to connect to a KMIP server in the corresponding server group. Because this material includes the client's TLS credentials, the directory and its contents should be readable only by the owning user.
The pkcs11_kmip provider can only be used on a system which has the pkg:/system/library/security/pkcs11_kmip package installed.
The system administrator needs to perform the following steps to enable the pkcs11_kmip provider:
    # pkg install pkcs11_kmip
    # cryptoadm install provider='/usr/lib/security/$ISA/pkcs11_kmip.so'
A user's KMIP token is initialized using the kmipcfg(1M) command. For example, to create a server group named KMIP_server that connects to kmip-server.example.com on port 5696 with the client credentials in kmip-server.p12:
    # kmipcfg create -o server_list=kmip-server.example.com:5696 \
          -o client_p12=kmip-server.p12 KMIP_server
After a KMIP token has been initialized and configured by the kmipcfg create command, the name of the server group, which is also the token label, can be changed with the pktool(1) inittoken command. For example, for a token in slot 3:
    # pktool inittoken slotid=3 currlabel=KMIP_server newlabel=KMIP_newserver
For an initialized KMIP token, the token PIN, which is the passphrase of the PKCS#12 bundle for the respective server group, can be changed with the pktool(1) setpin command:
    # pktool setpin keystore=pkcs11 token=KMIP_server
The PIN supplied to pktool setpin, or passed to the C_Login() and C_SetPIN() functions, can be any string of 1 to 256 characters with no embedded NUL characters.
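The enablement and configuration steps above, gathered into one re-runnable script with the checks an operator would want after each step. This is an added example, not code from the man page or from the pkcs11_kmip package. It assumes that 'pkg list <name>' exits non-zero when the package is absent, that 'cryptoadm list -m provider=...' prints the provider's mechanism names, and that 'pktool tokens' lists token labels; the host name, port and PKCS#12 file name in the usage comment are placeholders taken from the man page's own example.

```sh
#!/bin/sh
# Added example (not from pkcs11_kmip(5)): enable the provider system-wide,
# then register one KMIP server group as a PKCS#11 token, checking each step.
#
# Usage (step 1 as root, step 2 as the user who owns the token):
#   sh kmip_setup.sh enable
#   sh kmip_setup.sh configure KMIP_server kmip-server.example.com:5696 kmip-server.p12
#
# Assumed (not stated on the man page): 'pkg list <name>' fails when the
# package is absent; 'cryptoadm list -m provider=...' prints mechanism names;
# 'pktool tokens' prints token labels.

# cryptoadm expects the literal '$ISA' token, so keep it single-quoted.
PROVIDER='/usr/lib/security/$ISA/pkcs11_kmip.so'

# The token directory the provider will use for the calling user:
# $KMIPTOKEN_DIR when set, otherwise the default /var/user/<user>/kmip.
kmip_token_dir() {
    user=${1:-${USER:-$(id -un)}}
    if [ -n "${KMIPTOKEN_DIR-}" ]; then
        printf '%s\n' "$KMIPTOKEN_DIR"
    else
        printf '/var/user/%s/kmip\n' "$user"
    fi
}

# PIN rule from the man page: 1 to 256 characters, no embedded NUL. A shell
# argument can never carry a NUL, so the length bounds are the whole check.
check_pin() {
    n=${#1}
    if [ "$n" -ge 1 ] && [ "$n" -le 256 ]; then
        return 0
    fi
    return 1
}

# Step 1 (root): install the package and register the provider with the
# cryptographic framework, skipping each when already done. Finish by
# confirming the framework actually lists the AES mechanisms it advertises.
enable_provider() {
    pkg list pkcs11_kmip >/dev/null 2>&1 || pkg install pkcs11_kmip || return 1
    if ! cryptoadm list | grep -q 'pkcs11_kmip.so'; then
        cryptoadm install provider="$PROVIDER" || return 1
    fi
    cryptoadm list -m provider="$PROVIDER" | grep -q 'CKM_AES_CBC_PAD'
}

# Step 2 (token owner): create the token directory owner-only, since it will
# hold the TLS client credentials, then create the server group. The PKCS#12
# passphrase becomes the token PIN presented to C_Login().
configure_server_group() {
    group=$1 server=$2 p12=$3
    dir=$(kmip_token_dir) || return 1
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    if [ ! -r "$p12" ]; then
        echo "client PKCS#12 bundle not readable: $p12" >&2
        return 1
    fi
    kmipcfg create -o server_list="$server" -o client_p12="$p12" "$group" || return 1
    # The new group should now appear as a PKCS#11 token labelled $group.
    pktool tokens | grep -q "$group"
}

case "${1-}" in
    enable)    enable_provider ;;
    configure) configure_server_group "${2:?server group}" \
                                      "${3:?host:port}" "${4:?client .p12}" ;;
    *)         ;;   # run without a verb: only define the functions
esac
```

Whether kmipcfg resolves a relative client_p12 against the current directory or the token directory is not stated on the page, so the script passes whatever path it is given and only checks that the file is readable first.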
The return values for each of the implemented functions are defined and listed in the RSA PKCS#11 v2.20 specification, which is available at http://www.rsasecurity.com
All unimplemented functions return CKR_FUNCTION_NOT_SUPPORTED when called.
/var/user/$USERNAME/kmip
    User's default KMIP token directory
$KMIPTOKEN_DIR
    Alternate location for the KMIP token directory
See attributes(5) for descriptions of the following attributes:
RSA PKCS#11 v2.20 http://www.rsasecurity.com