
Managing KMIP Users

In this tutorial you will learn how to create and manage KMIP Users.

Background

Part of the Securosys Key Management System is the Securosys KMIP Server. Just like the TSB is a REST-to-JCE proxy, the KMIP Server is a KMIP-to-JCE proxy.

Access to the KMIP Server is controlled via mutual TLS (mTLS). The server therefore needs an allow-list of the client certificates that are permitted to access the KMIP Server (and hence the HSM Partition). The entries of this allow-list are called "KMIP Users".

The KMIP Server stores this state as data objects on the Partition: an "index-like" data object with the label KMIP-USERS, plus one data object per KMIP User (for example, the data object for the user alice has the label KMIP-User-alice).

To manage (view, create, delete) KMIP Users, you need to edit these data objects. The easiest way to do this is via the Key Manager UI.
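The allow-list described above is what the mTLS layer actually enforces: the server demands a client certificate during the handshake and admits only certificates that were registered for a KMIP User. The following Go program is an added example (not Securosys code, and not how the Securosys KMIP Server is implemented) that models this: the allow-list maps certificate fingerprints to user labels such as KMIP-User-alice, the server rejects the handshake of an unregistered client, and the client pins the server certificate the way the exported truststore would. Everything is constructed in memory, so no PKCS#12 or JKS files are involved, and the host name kmip.example is a placeholder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway self-signed ECDSA certificate in memory (constructed for this
// demo; in the real deployment the Key Manager UI issues the client certificate and key).
func selfSigned(cn string, dns []string, eku x509.ExtKeyUsage) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dns,
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// AllowList maps the SHA-256 fingerprint of a DER-encoded client certificate to the KMIP User
// it was registered for (the label of that user's data object, e.g. KMIP-User-alice).
type AllowList map[[32]byte]string

// Lookup resolves the certificate chain a client presented to a registered user label.
func (a AllowList) Lookup(rawCerts [][]byte) (string, error) {
	if len(rawCerts) > 0 {
		if label, ok := a[sha256.Sum256(rawCerts[0])]; ok {
			return label, nil
		}
	}
	return "", fmt.Errorf("client certificate is not a registered KMIP User")
}

// mtlsHandshake runs one mutually authenticated handshake over an in-memory pipe: the server
// demands a client certificate and admits only allow-listed ones, the client pins the server
// certificate. It returns the KMIP User label the server resolved for the client.
func mtlsHandshake(server tls.Certificate, allow AllowList, client tls.Certificate) (string, error) {
	var label string
	srvCfg := &tls.Config{
		Certificates:           []tls.Certificate{server},
		ClientAuth:             tls.RequireAnyClientCert, // no CA chain check: the allow-list decides
		SessionTicketsDisabled: true,                     // keeps post-handshake writes off the pipe
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) (err error) {
			label, err = allow.Lookup(raw) // an error here aborts the handshake with bad_certificate
			return err
		},
	}
	roots := x509.NewCertPool()
	roots.AddCert(server.Leaf)
	cliCfg := &tls.Config{
		Certificates: []tls.Certificate{client},
		RootCAs:      roots,
		ServerName:   "kmip.example", // hypothetical host name; must match the server cert's SAN
	}
	c1, c2 := net.Pipe()
	c1.SetDeadline(time.Now().Add(3 * time.Second)) // a stalled in-memory pipe must not hang the demo
	c2.SetDeadline(time.Now().Add(3 * time.Second))
	go func() { // client side: handshake, then one read to pick up a rejection alert (or EOF)
		cli := tls.Client(c2, cliCfg)
		if cli.Handshake() == nil {
			cli.Read(make([]byte, 1))
		}
		c2.Close()
	}()
	defer c1.Close()
	if err := tls.Server(c1, srvCfg).Handshake(); err != nil {
		return "", err
	}
	return label, nil
}

func main() {
	server := selfSigned("kmip-server", []string{"kmip.example"}, x509.ExtKeyUsageServerAuth)
	alice := selfSigned("alice", nil, x509.ExtKeyUsageClientAuth)
	bob := selfSigned("bob", nil, x509.ExtKeyUsageClientAuth)
	allow := AllowList{sha256.Sum256(alice.Leaf.Raw): "KMIP-User-alice"} // alice is registered, bob is not
	fmt.Println(mtlsHandshake(server, allow, alice)) // KMIP-User-alice <nil>
	fmt.Println(mtlsHandshake(server, allow, bob))   // (empty label) client certificate is not a registered KMIP User
}
```

The point to take from the example is the division of trust: the server does not build a CA chain for the client certificate at all (RequireAnyClientCert), so the allow-list is the only thing standing between an arbitrary certificate holder and the Partition. That is why a KMIP User entry must be removed from the allow-list when a client keystore is retired, and why the client keystore file itself must be handled as a credential.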

Prerequisites

  1. Install the TSB and the Key Manager UI.
  2. Enable KMIP in the User Security Config of the HSM Partition.

Showing KMIP Users

If the Key Manager UI detects that KMIP is enabled in the User Security Config of the HSM Partition, it shows a "KMIP" tab. This tab shows all the registered accounts that can access the KMIP Server for that Partition.

Screenshot of the KMIP User list in the Key Manager UI

Creating New KMIP Users

  1. Click on "Create User" to create a new KMIP User account.

  2. Fill out the requested fields and click "Create User".

  3. Click "Download Exported Key" to download the PKCS#12 bundle file.

Screenshot of the Create User dialog

Download Client and Server Files

  1. Click the Actions button of your user.

  2. Click "Get KMIP Client Keystore". This creates a PKCS12 container file holding the user's certificate and private key. Send this file to your ONTAP admin; it is used to authenticate the client (ONTAP) against the KMIP Server.

  3. Click "Get KMIP Server Truststore". This creates a JKS container holding the user's certificate. Send this file to your KMIP Server admin (e.g. the Kubernetes admin), who creates a kmip-tls-truststore secret holding this file. More information under Set the KMIP Server Credentials.

Screenshot of Download KMIP files

Create the KMIP Server DB's Data-Object

To onboard users to the KMIP Trust index (database), you need to create a data object on the HSM named "init.json". The Key Manager UI helps you create this object.

Warning: You must create this object before you first start the KMIP Server. The server will recognize that the database is empty and needs to be initialized, and it will use the content of the "init.json" data object to initialize trusted KMIP clients.

  1. Click the KMIP Trust button in the KMIP Tab.

  2. Add all KMIP Users who should be allowed to connect to the KMIP Server.

Screenshot of Create KMIP Data Object
