5 KMIP and PKCS #11 Client Applications
Your PKCS #11 applications can now function as clients that use the Key Management Interoperability Protocol (KMIP). These client applications communicate with KMIP-compliant servers to create and use symmetric keys. Oracle Solaris provides client support for KMIP v1.1: OASIS Standard, enabling clients to communicate with KMIP-compliant servers such as the Oracle Key Vault.
In addition to Version 1.1, Oracle Solaris provides client support for versions 1.2, 1.3, and 1.4. Also see:
- Key Management Interoperability Protocol Specification Version 1.2 (http://docs.oasis-open.org/kmip/spec/v1.2/kmip-spec-v1.2.html)
- Key Management Interoperability Protocol Specification Version 1.3 (http://docs.oasis-open.org/kmip/spec/v1.3/kmip-spec-v1.3.html)
- Key Management Interoperability Protocol Specification Version 1.4 (http://docs.oasis-open.org/kmip/spec/v1.4/kmip-spec-v1.4.html)
Note that the supported functions and operations are at the 1.1 level.
This chapter covers the following topics:
- Using KMIP in Oracle Solaris
- Creating and Configuring a KMIP Server Group
- KMIP and the Oracle Key Vault
- Benefits for Oracle Solaris Clients Using KMIP
Using KMIP in Oracle Solaris
The new pkcs11_kmip provider in the Cryptographic Framework enables PKCS #11 applications to function as KMIP clients and communicate with KMIP-compliant servers. You use the kmipcfg command to initialize and manage the state of the pkcs11_kmip provider.
The pkcs11_kmip provider connects PKCS #11 applications to KMIP-compliant servers. In Oracle Solaris, each KMIP server group is implemented as a PKCS #11 token plugged into a PKCS #11 slot. The kmipcfg command is used to configure the KMIP server groups. The pktool command can be used to review the state of these tokens from the PKCS #11 perspective.
To set up KMIP communications for clients in Oracle Solaris, administrators perform the following steps:
- Install the pkcs11_kmip package:
  $ pkg install pkcs11_kmip
  This package loads the software provider into the Cryptographic Framework.
- Create and configure a KMIP server group with the kmipcfg command. See configuration examples in the pkcs11_kmip(7) man page and Using kmipcfg to Manage the pkcs11_kmip Provider.
What pkcs11_kmip Supports
The pkcs11_kmip provider supports a specific set of PKCS #11 interfaces that are useful during KMIP communications, including interfaces such as C_Login, C_OpenSession, and C_CreateObject. To review the full list of supported interfaces, see the pkcs11_kmip(7) man page.
In this Oracle Solaris release, the pkcs11_kmip provider supports only symmetric keys with AES algorithms and encryption and decryption operations. The following mechanisms are supported:
- CKM_AES_KEY_GEN
- CKM_AES_CBC_PAD
- CKM_AES_CBC
For further information, see the pkcs11_kmip(7) man page.
Creating and Configuring a KMIP Server Group
The kmipcfg command enables you to initialize and manage the state of the PKCS #11 KMIP provider by using the Solaris Cryptographic Framework (SCF).
Note: The kmipcfg command does not verify that the configuration is valid or guarantee that libkmip can connect to the server.
Example 5-1 Using kmipcfg to Manage the pkcs11_kmip Provider
The following example shows one way to use the kmipcfg command. For more examples, see the kmipcfg(8) man page.
This kmipcfg create command creates a server group, cluster1, with three KMIP-compliant servers. The three servers have the following host names:
- server1.example.com
- server2.example.com
- server3.example.com
# kmipcfg create \
    -o server_list=server1.example.com,server2.example.com,server3.example.com \
    -o client_p12=cluster1_cred.p12 \
    -o failover_limit=3 cluster1
Note the following:
- Each -o option specifies one property in the server group configuration. See the kmipcfg(8) man page for a full list of configuration properties.
- KMIP currently supports versions 1.1, 1.2, 1.3, and 1.4. By default, the KMIP library selects the best version match based on the server version, though you can specify the version you want to use for each server group.
- Because the port numbers for the servers in this example are not specified, the default port 5696 is used.
- In this example, the credentials that authenticate and secure the communication are provided in the cluster1_cred.p12 PKCS #12 bundle. For more information about managing certificates, see the pktool(1) man page.
- In this example, if one server in the group fails, the connection fails over to the next server defined in the server_list property. The failover_limit property specifies that up to three failovers are possible.
- This example is non-interactive. For an interactive example, see the kmipcfg(8) man page.
After you create at least one server group, use the kmipcfg list command to view the configured parameters for the server groups, as in:
# kmipcfg list
Server group: cluster1
State: enabled
Hosts: server1.example.com:5696
server2.example.com:5696
server3.example.com:5696
Required version: auto
Connection timeout: 5
Cache object time to live: 300
Encoding: TTLV
Failover limit: 3
Client keystore: /var/user/testuser/kmip/cluster1
Client PKCS#12 bundle: cluster1_cred.p12
Secondary authentication type: none
kmipcfg info Command
The kmipcfg info command enables you to obtain information about the server, such as the protocol versions and available functionality. See the kmipcfg(8) man page.
The kmipcfg info command connects to the specified server group and lists the server's supported KMIP versions and their capabilities. Note that this information might include capabilities that are not supported by the Oracle Solaris client (KMIP library).
Example 5-2 Obtaining Information About a KMIP Server
The following example shows how the kmipcfg info command outputs information about the kmip_vbox server group:
# kmipcfg info kmip_vbox
Enter PIN for kmip_vbox: PIN
Server group: kmip_vbox
Supported versions: 1.4, 1.3, 1.2, 1.1, 1.0
Server info: Gemalto, Inc.
Operations: Create, Create Keypair, Register, Locate, Get, Get Attributes, Get Attribute List, Add Attribute, Modify Attribute, Delete Attribute, Activate, Revoke, Destroy, Query, Rekey, Rekey Keypair, Check, Discover Versions
Object types: Symmetric Key, Public Key, Private Key, Secret Data, Opaque
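As an added illustration (not Solaris, libkmip or kmipcfg code), the following Python model shows the server-group semantics described in the notes to Example 5-1 and in the kmipcfg info output: the default port 5696, how an "auto" version setting resolves against the versions a server advertises, and how failover_limit bounds movement through server_list. The connect function is a constructed stand-in; the real client makes TLS connections using the PKCS #12 credentials.

```python
# Constructed model of kmipcfg server-group semantics (not Solaris or libkmip
# code): default port, version selection and failover as described above.
DEFAULT_PORT = 5696                              # used when server_list omits a port
CLIENT_VERSIONS = ("1.1", "1.2", "1.3", "1.4")   # ascending; versions the client speaks

def parse_server_list(server_list):
    """Split a server_list value into (host, port) pairs, defaulting the port."""
    hosts = []
    for entry in server_list.split(","):
        host, _, port = entry.strip().partition(":")
        hosts.append((host, int(port) if port else DEFAULT_PORT))
    return hosts

def select_version(server_versions, required="auto"):
    """Version used for the session. 'auto' picks the highest version both sides
    support; an explicit version must be supported by both sides, else None."""
    common = [v for v in CLIENT_VERSIONS if v in server_versions]
    if required == "auto":
        return common[-1] if common else None     # CLIENT_VERSIONS is ascending
    return required if required in common else None

def connect_with_failover(hosts, failover_limit, try_connect):
    """Try hosts in server_list order. try_connect(host, port) returns a session
    or raises ConnectionError; each move to the next host is one failover and at
    most failover_limit of them are made. Returns (session_or_None, attempts)."""
    attempts = 0
    for host, port in hosts:
        attempts += 1
        try:
            return try_connect(host, port), attempts
        except ConnectionError:
            if attempts > failover_limit:         # attempts - 1 failovers already used
                break
    return None, attempts

def fake_connect(down):
    """Constructed stand-in for a network connect: hosts in `down` are unreachable."""
    def try_connect(host, port):
        if host in down:
            raise ConnectionError(f"{host}:{port} unreachable")
        return f"session@{host}:{port}"
    return try_connect

if __name__ == "__main__":
    hosts = parse_server_list("server1.example.com,server2.example.com,server3.example.com")
    print(select_version(["1.4", "1.3", "1.2", "1.1", "1.0"]))
    print(connect_with_failover(hosts, 3, fake_connect({"server1.example.com"})))
```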
KMIP and the Oracle Key Vault
KMIP version 1.1 enables KMIP clients to communicate with KMIP-compliant servers such as the Oracle Key Vault. To communicate with the Oracle Key Vault, you must first integrate the Oracle Solaris KMIP client with the Oracle Key Vault. In the terminology of the Oracle Key Vault, the Oracle Solaris system must be set up as an Oracle Key Vault endpoint.
For instructions, see About Endpoint Enrollment and Provisioning in Oracle Key Vault Administrator's Guide and Endpoints That Do Not Use the Oracle Key Vault Client Software in Oracle Key Vault Administrator's Guide.
Benefits for Oracle Solaris Clients Using KMIP
In Oracle Solaris, KMIP client support provides the following advantages:
- KMIP is an industry protocol. KMIP support enables clients to communicate with any server that is KMIP-compliant. In Oracle Solaris, you can use your PKCS #11 applications as KMIP clients. By connecting these applications to KMIP-compliant servers, you reduce the costs and complexity of key management.
  Note: See What pkcs11_kmip Supports for information about the specific PKCS #11 interfaces and mechanisms that are supported in this release.
- With KMIP server groups, you can ensure that a failed connection to a KMIP server is passed on and completed by one of the backup servers in that group.
- With multiple server groups, your KMIP clients can open and run multiple KMIP sessions simultaneously. You can access keys from different KMIP-compliant servers on multiple hosts at the same time.