Managing KMIP Users

In this tutorial you will learn how to create and manage KMIP Users.

Background

Part of the Securosys Key Management System is the Securosys KMIP Server. Just like the TSB is a REST-to-JCE proxy, the KMIP Server is a KMIP-to-JCE proxy.

Access to the KMIP Server is controlled via mutual TLS (mTLS). The server therefore needs an allow-list of the client certificates that are permitted to access it (and hence the HSM Partition). The entries in this allow-list are called "KMIP Users".

The KMIP Server stores this state as data objects on the Partition. There is an "index-like" data object with the label KMIP-USERS, as well as one data object for each KMIP User, with a label of the form KMIP-User-alice.

To manage (view, create, delete) KMIP Users, you need to edit these data objects. The easiest way to do this is via the Key Manager UI.

Creating New KMIP Users

To manage the KMIP Server and download the mTLS credential files, log in to the Key Manager and navigate to the KMIP Server add-on > User & Trust > Select the User > Download.

  1. Go to add-ons: KMIP Server > User & Trust

  2. Click: Create User and follow the wizard

  3. In the User List, click Download to get the Client KeyStore (.p12)

  4. In the User List, click Download to get the Server Truststore (.jks)
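
A check worth running on the downloaded Client KeyStore before it is deployed to a KMIP client, as an added example that is not part of the Securosys documentation: it confirms that the .p12 opens with its password, that the private key matches the client certificate, and that the certificate is not about to expire. The file name alice.p12, the password changeit and the self-signed sample keystore are constructed stand-ins for the real download, and openssl is assumed to be installed.

```bash
#!/bin/sh
# Added example: sanity-check a KMIP client keystore (.p12) with openssl.
# File names, password and the sample keystore are constructed placeholders.

# Build a throwaway self-signed keystore standing in for the downloaded file.
make_sample_p12() {  # $1 = output dir, $2 = certificate lifetime in days
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=alice" -days "$2" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
  openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" -name alice \
    -passout pass:changeit -out "$1/alice.p12"
}

# Print subject, SHA-256 fingerprint and expiry of the client certificate,
# so the credential handed to a client can be identified later.
inspect_client_p12() {  # $1 = keystore, $2 = password
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null |
    openssl x509 -noout -subject -fingerprint -sha256 -enddate
}

# Returns 0 = usable, 1 = cannot open (wrong password or corrupt file),
# 2 = private key does not match certificate, 3 = expires within $3 days.
check_client_p12() {  # $1 = keystore, $2 = password, $3 = min days left
  local cert key cert_pub key_pub
  cert=$(openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null) || return 1
  key=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null) || return 1
  # Compare the public key in the certificate with the one derived from the key.
  cert_pub=$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey) || return 1
  key_pub=$(printf '%s\n' "$key" | openssl pkey -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ] || return 2
  printf '%s\n' "$cert" |
    openssl x509 -noout -checkend $(( ${3:-30} * 86400 )) >/dev/null || return 3
}

# Demo on the constructed sample keystore.
tmp=$(mktemp -d)
make_sample_p12 "$tmp" 365
inspect_client_p12 "$tmp/alice.p12" changeit
check_client_p12 "$tmp/alice.p12" changeit 30 && echo "keystore OK"
rm -rf "$tmp"
```

The Server Truststore (.jks) is a Java keystore; `keytool -list -v -keystore <file>` lists the certificates it contains.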