5 KMIP and PKCS #11 Client Applications

Your PKCS #11 applications can now function as clients that use the Key Management Interoperability Protocol (KMIP). These client applications communicate with KMIP-compliant servers to create and use symmetric keys. Oracle Solaris provides client support for KMIP v1.1: OASIS Standard, enabling clients to communicate with KMIP-compliant servers such as the Oracle Key Vault.

Oracle Solaris also provides client support for KMIP versions 1.2, 1.3, and 1.4. Whichever version is negotiated with a server, the functions and operations that the client supports remain those of the 1.1 level.

This chapter covers the following topics:

  • Using KMIP in Oracle Solaris

  • What pkcs11_kmip Supports

  • Creating and Configuring a KMIP Server Group

  • KMIP and the Oracle Key Vault

  • Benefits for Oracle Solaris Clients Using KMIP

Using KMIP in Oracle Solaris

The pkcs11_kmip provider in the Cryptographic Framework enables PKCS #11 applications to function as KMIP clients and communicate with KMIP-compliant servers. You use the kmipcfg command to initialize and manage the state of the pkcs11_kmip provider.

In Oracle Solaris, each group of KMIP servers (a server group) is implemented as a PKCS #11 token plugged into a PKCS #11 slot of the provider, so an application reaches a KMIP server group the same way it reaches any other token. The kmipcfg command is used to configure the KMIP server groups. Because a server group is an ordinary token from the application's point of view, the pktool command (for example, pktool tokens) can be used to review the state of these tokens from the PKCS #11 perspective.

To set up KMIP communications for clients in Oracle Solaris, administrators perform the following steps:

  1. Install the pkcs11_kmip package.

    $ pkg install pkcs11_kmip

    This package loads the software provider into the Cryptographic Framework.

  2. Create and configure a KMIP server group with the kmipcfg command.

    See configuration examples in the pkcs11_kmip(7) man page and Using kmipcfg to Manage the pkcs11_kmip Provider.

What pkcs11_kmip Supports

The pkcs11_kmip provider supports a specific set of PKCS #11 interfaces that are useful during KMIP communications, including interfaces such as C_Login, C_OpenSession, and C_CreateObject. To review the full list of supported interfaces, see the pkcs11_kmip(7) man page.

In this Oracle Solaris release, the pkcs11_kmip provider supports only AES symmetric keys, and only key generation, encryption, and decryption operations on them. The following mechanisms are supported:

  • CKM_AES_KEY_GEN

  • CKM_AES_CBC_PAD

  • CKM_AES_CBC

For further information, see the pkcs11_kmip(7) man page.

Creating and Configuring a KMIP Server Group

The kmipcfg command enables you to initialize and manage the state of the PKCS #11 KMIP provider (pkcs11_kmip) in the Solaris Cryptographic Framework (SCF).

Note:

The kmipcfg command stores the configuration as given. It does not verify that the configuration is valid or guarantee that libkmip can connect to the servers: a mistyped host name, an unreachable port, or an unusable PKCS #12 bundle is detected only when a connection is attempted. After creating a server group, use kmipcfg info to confirm that the client can reach the group and that its credentials are accepted.

Example 5-1 Using kmipcfg to Manage the pkcs11_kmip Provider

The following example shows one way to use the kmipcfg command. For more examples, see the kmipcfg(8) man page.

This kmipcfg create command creates a server group, cluster1, with three KMIP-compliant servers. The three servers have the following host names:

  • server1.example.com

  • server2.example.com

  • server3.example.com

# kmipcfg create \
-o server_list=server1.example.com,server2.example.com,server3.example.com \
-o client_p12=cluster1_cred.p12 \
-o failover_limit=3 cluster1

Note the following:

  • Each -o option specifies one property in the server group configuration. See the kmipcfg(8) man page for a full list of configuration properties.

  • The Oracle Solaris KMIP client supports protocol versions 1.1, 1.2, 1.3, and 1.4. By default (shown as Required version: auto in kmipcfg list output), the KMIP library selects the best version match based on the version the server reports, though you can specify the version you want to use for each server group.

  • Since the port numbers for the servers in this example are not specified, the default port 5696 will be used.

  • In this example, the client certificate and private key that authenticate the client to the servers and secure the TLS connection are provided in the cluster1_cred.p12 PKCS #12 bundle. Because kmipcfg does not validate the configuration, confirm that the bundle opens with the expected password and contains both the certificate and the key before handing its name to kmipcfg. For more information about managing certificates, see the pktool(1) man page.

  • In this example, if one server in the group fails, the connection will fail over to the next server defined in the server_list property. The failover_limit property specifies that up to three failovers will be possible.

  • This example is non-interactive. For an interactive example, see the kmipcfg(8) man page.

After you create at least one server group, use the kmipcfg list command to view configured parameters for the server groups, as in:

# kmipcfg list
Server group: cluster1
State: enabled
Hosts:  server1.example.com:5696
        server2.example.com:5696
        server3.example.com:5696
Required version: auto
Connection timeout: 5
Cache object time to live: 300
Encoding: TTLV
Failover limit: 3
Client keystore: /var/user/testuser/kmip/cluster1
Client PKCS#12 bundle: cluster1_cred.p12
Secondary authentication type: none
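The setup procedure in Using KMIP in Oracle Solaris and Example 5-1 show the commands one at a time. The following POSIX sh library strings them together the way an administrator would script them and adds the checks that kmipcfg itself does not perform. It is an added example, not part of the Oracle Solaris documentation or of the pkcs11_kmip provider. The group name cluster1, the bundle name cluster1_cred.p12, the key label and the temporary file names are illustrative. It also assumes that the PKCS #11 token of a server group carries the group name as its label (so that pktool token=cluster1 and encrypt -T cluster1 select it) and that the openssl, pktool, encrypt, and decrypt commands are available; pkg install and kmipcfg must run with root privileges, and kmipcfg and pktool prompt for the token PIN interactively.

```shell
# Added example: a small POSIX sh library that scripts the pkcs11_kmip setup
# procedure and Example 5-1 end to end, with checks that kmipcfg does not
# perform itself. Not part of Oracle Solaris or the pkcs11_kmip provider.
# Assumptions (illustrative, not from the documentation): the PKCS #11 token
# of a server group is labelled with the group name; openssl, pktool,
# encrypt and decrypt are installed; the commands run as root.

# Build the server_list value from host or host:port arguments.
# kmipcfg stores whatever it is given, so make the default port 5696
# explicit and reject entries that cannot be a host:port pair.
server_list_opt() {
    list=""
    for h in "$@"; do
        case "$h" in
            ""|*,*|*" "*) echo "server_list_opt: bad host entry '$h'" >&2; return 1 ;;
            *:*) port=${h##*:}
                 case "$port" in
                     ""|*[!0-9]*) echo "server_list_opt: bad port in '$h'" >&2; return 1 ;;
                 esac ;;
            *)   h="$h:5696" ;;
        esac
        list="${list:+$list,}$h"
    done
    printf '%s\n' "$list"
}

# The PKCS #12 bundle holds the client certificate and key used for the TLS
# connection to the servers; parse it (interactive password prompt) before
# handing its name to kmipcfg, which never opens it.
check_bundle() {
    [ -r "$1" ] || { echo "check_bundle: cannot read '$1'" >&2; return 1; }
    openssl pkcs12 -in "$1" -info -noout
}

# Example 5-1 with the hosts, bundle and group name supplied by the caller.
create_group() {
    name=$1; p12=$2; shift 2
    servers=$(server_list_opt "$@") || return 1
    kmipcfg create \
        -o server_list="$servers" \
        -o client_p12="$p12" \
        -o failover_limit=3 "$name"
}

# The group must appear in kmipcfg list, and the Cryptographic Framework
# must expose it as a PKCS #11 token (assumed to carry the group name).
verify_group() {
    kmipcfg list | grep -q "^Server group: $1\$" \
        || { echo "verify_group: '$1' is not configured" >&2; return 1; }
    pktool tokens | grep -q "$1" \
        || { echo "verify_group: no PKCS #11 token for '$1'" >&2; return 1; }
}

# Exercise what the provider supports: CKM_AES_KEY_GEN on the KMIP server
# via pktool, then AES-CBC encryption and decryption through the same token
# with encrypt(1) and decrypt(1) selecting the key by label.
key_roundtrip() {
    name=$1; label=$2; tmp=${TMPDIR:-/tmp}/kmip_rt.$$
    pktool genkey keystore=pkcs11 token="$name" keytype=aes keylen=256 label="$label" \
        || return 1
    printf 'kmip round trip\n' > "$tmp.in"
    if encrypt -a aes -K "$label" -T "$name" -i "$tmp.in" -o "$tmp.enc" \
        && decrypt -a aes -K "$label" -T "$name" -i "$tmp.enc" -o "$tmp.out" \
        && cmp -s "$tmp.in" "$tmp.out"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp.in" "$tmp.enc" "$tmp.out"
    return $rc
}

# Whole sequence: install the provider if needed, then check, create,
# verify and exercise the group.
kmip_setup() {
    name=$1; p12=$2; shift 2
    pkg list pkcs11_kmip >/dev/null 2>&1 || pkg install pkcs11_kmip || return 1
    check_bundle "$p12" \
        && create_group "$name" "$p12" "$@" \
        && verify_group "$name" \
        && key_roundtrip "$name" "${name}-aes-1"
}
```

Source the file and run kmip_setup cluster1 cluster1_cred.p12 server1.example.com server2.example.com server3.example.com. server_list_opt makes the default port explicit and rejects entries that kmipcfg would otherwise store unchecked, check_bundle fails early on a bundle that does not open, and key_roundtrip exercises CKM_AES_KEY_GEN on the server followed by AES-CBC encryption and decryption through the token, which is the whole path the provider supports in this release.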

kmipcfg info Command

The kmipcfg info command connects to the specified server group and reports what the server advertises: the KMIP protocol versions it supports, its vendor identification, and the operations and object types it offers. This information might include capabilities that are not supported by the Oracle Solaris client (the KMIP library), which is limited to the 1.1 function set and to AES symmetric keys. Because the command performs a real connection and login, it is also the quickest way to confirm that a newly created server group is reachable and that its credentials are accepted. See the kmipcfg(8) man page.

Example 5-2 Obtaining Information About a KMIP Server

The following example shows how the kmipcfg info command outputs information about the kmip_vbox server group:

# kmipcfg info kmip_vbox
Enter PIN for kmip_vbox: PIN
Server group:
	kmip_vbox
Supported versions:
	1.4, 1.3, 1.2, 1.1, 1.0
Server info:
	Gemalto, Inc.
Operations:
	Create, Create Keypair, Register, Locate, Get, Get Attributes,
	Get Attribute List, Add Attribute, Modify Attribute,
	Delete Attribute, Activate, Revoke, Destroy, Query, Rekey,
	Rekey Keypair, Check, Discover Versions
Object types:
	Symmetric Key, Public Key, Private Key, Secret Data, Opaque

KMIP and the Oracle Key Vault

KMIP version 1.1 enables KMIP clients to communicate with KMIP-compliant servers such as the Oracle Key Vault. To communicate with the Oracle Key Vault, you must first integrate the Oracle Solaris KMIP client with the Oracle Key Vault. In the terminology of the Oracle Key Vault, the Oracle Solaris system must be set up as an Oracle Key Vault endpoint.

For instructions, see About Endpoint Enrollment and Provisioning in Oracle Key Vault Administrator's Guide and Endpoints That Do Not Use the Oracle Key Vault Client Software in Oracle Key Vault Administrator's Guide.

Benefits for Oracle Solaris Clients Using KMIP

In Oracle Solaris, KMIP client support provides the following advantages:

  • KMIP is an industry standard protocol. KMIP support enables clients to communicate with any server that is KMIP-compliant. In Oracle Solaris, you can use your PKCS #11 applications as KMIP clients. By connecting these applications to KMIP-compliant servers, you reduce the costs and complexity of key management.

    Note:

    See What pkcs11_kmip Supports for information about the specific PKCS #11 interfaces and mechanisms that are supported in this release.

  • With KMIP server groups, a request that fails against one server is retried against the next server in the group's server_list, up to the configured failover_limit, so the failure of a single server does not stop the client.

  • With multiple server groups, your KMIP clients can open and run multiple KMIP sessions simultaneously. You can access keys from different KMIP-compliant servers on multiple hosts at the same time.