Developing KMIP Client Applications

This section specifies:

KMIP Conformance

The UKC (Unbound Key Control) server accepts standard KMIP (Key Management Interoperability Protocol) messages over the HTTPS profile with either TTLV or JSON encoding. In particular, it accepts KMIP client requests on TCP/IP port 5696 with the following payload formats:

The OASIS Key Management Interoperability Protocol (KMIP) is a network protocol that defines the content, structure, and semantics of the messages exchanged between a KMIP client and server.

UKC supports KMIP version 1.4, detailed in the following documents:

The KMIP profile defines the minimum set of objects, attributes, and messages that the server should support.

Supported KMIP Objects

The UKC server supports the following KMIP objects:

Supported KMIP Attributes

The UKC server supports the following KMIP attributes:

Attribute                          KMIP Spec   Get   Add   Modify   Delete   Notes
Unique Identifier                  3.1
Name                               3.2                                       1
Object Type                        3.3
Cryptographic Algorithm            3.4
Cryptographic Length               3.5
Cryptographic Parameters           3.6                                       2
State                              3.22
Activation Date                    3.24
Deactivation Date                  3.27
Link                               3.35                                      3
Application Specific Information   3.36
Contact Information                3.37

Notes:

  1. Uninterpreted Text String only.
  2. Scope: XTS cipher mode of AES only.
  3. The following link types: Private Key Link, Certificate Link, Replacement Object Link, Replaced Object Link. Private Key Link and Certificate Link cannot be changed.

Supported KMIP Operations

The UKC server supports the following KMIP client-to-server operations:

The UKC server supports the following additional KMIP features:

  1. ID Placeholder ([KMIP-SPEC] 4)
  2. Message Format ([KMIP-SPEC] 7)
  3. Authentication ([KMIP-SPEC] 8), using a client certificate and credentials
  4. TTLV encoding ([KMIP-SPEC] 9.1)

Note
AES keys may be used with the following Key Format Types (refer to [KMIP-SPEC] 9.1.3.2.3): Raw or TransparentSymmetric. When the request omits the Format Type, Raw is used. Any other format type results in an error.

  5. JSON encoding
  6. Transport Requirements ([KMIP-SPEC] 10)
  7. Error Handling ([KMIP-SPEC] 11) for any supported object, attribute, or operation
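The following is an added example, not code from Unbound or the UKC product, showing what the TTLV encoding (item 4 above) and the AES Key Format Type rule in the Note look like in practice: it builds a KMIP 1.4 Get request carrying a Username and Password credential, applies the "omitted means Raw, anything but Raw or TransparentSymmetric is an error" rule, and parses the result back. Tag and enumeration values are taken from the KMIP 1.4 specification; the unique identifier, user name and the helper function names are constructed for the example.

```python
import struct

# KMIP 1.4 tag values (spec 9.1.3.1) and item types (spec 9.1.1.2) used here.
TAG = {
    "RequestMessage": 0x420078, "RequestHeader": 0x420077,
    "ProtocolVersion": 0x420069, "ProtocolVersionMajor": 0x42006A,
    "ProtocolVersionMinor": 0x42006B, "Authentication": 0x42000C,
    "Credential": 0x420023, "CredentialType": 0x420024,
    "CredentialValue": 0x420025, "Username": 0x420099, "Password": 0x4200A1,
    "BatchCount": 0x42000D, "BatchItem": 0x42000F, "Operation": 0x42005C,
    "RequestPayload": 0x420079, "UniqueIdentifier": 0x420094,
    "KeyFormatType": 0x420042,
}
STRUCTURE, INTEGER, ENUMERATION, TEXT_STRING = 0x01, 0x02, 0x05, 0x07
OP_GET = 0x0A                  # Operation enumeration: Get
CRED_USERNAME_PASSWORD = 0x01  # Credential Type enumeration: Username and Password
AES_KEY_FORMATS = {"Raw": 0x01, "TransparentSymmetricKey": 0x07}


def _item(tag, typ, value):
    # TTLV item: 3-byte tag, 1-byte type, 4-byte big-endian length of the
    # unpadded value, then the value zero-padded to a multiple of 8 bytes.
    pad = (-len(value)) % 8
    return (struct.pack(">I", tag)[1:] + bytes([typ])
            + struct.pack(">I", len(value)) + value + b"\x00" * pad)

def integer(tag, n):
    return _item(TAG[tag], INTEGER, struct.pack(">i", n))

def enumeration(tag, n):
    return _item(TAG[tag], ENUMERATION, struct.pack(">I", n))

def text(tag, s):
    return _item(TAG[tag], TEXT_STRING, s.encode("utf-8"))

def structure(tag, *children):
    # Children are already 8-byte aligned, so a structure needs no padding.
    return _item(TAG[tag], STRUCTURE, b"".join(children))


def resolve_aes_format(key_format_type):
    """Format-type rule from the Note: omitted -> Raw; Raw or
    TransparentSymmetricKey accepted; anything else is an error."""
    if key_format_type is None:
        return "Raw"
    if key_format_type not in AES_KEY_FORMATS:
        raise ValueError("unsupported Key Format Type for AES: %s" % key_format_type)
    return key_format_type


def build_get_request(unique_id, username, password, key_format_type=None):
    """Encode a KMIP 1.4 Get request for an AES key as TTLV bytes."""
    fmt = resolve_aes_format(key_format_type)
    header = structure(
        "RequestHeader",
        structure("ProtocolVersion",
                  integer("ProtocolVersionMajor", 1),
                  integer("ProtocolVersionMinor", 4)),
        structure("Authentication",
                  structure("Credential",
                            enumeration("CredentialType", CRED_USERNAME_PASSWORD),
                            structure("CredentialValue",
                                      text("Username", username),
                                      text("Password", password)))),
        integer("BatchCount", 1))
    batch_item = structure(
        "BatchItem",
        enumeration("Operation", OP_GET),
        structure("RequestPayload",
                  text("UniqueIdentifier", unique_id),
                  enumeration("KeyFormatType", AES_KEY_FORMATS[fmt])))
    return structure("RequestMessage", header, batch_item)


def parse(buf):
    """Decode TTLV bytes into nested (tag, type, value) tuples, for inspecting
    a request before sending it or a response after receiving it."""
    items, i = [], 0
    while i < len(buf):
        tag = int.from_bytes(buf[i:i + 3], "big")
        typ = buf[i + 3]
        length = struct.unpack(">I", buf[i + 4:i + 8])[0]
        raw = buf[i + 8:i + 8 + length]
        if typ == STRUCTURE:
            value = parse(raw)
        elif typ == INTEGER:
            value = struct.unpack(">i", raw)[0]
        elif typ == ENUMERATION:
            value = struct.unpack(">I", raw)[0]
        elif typ == TEXT_STRING:
            value = raw.decode("utf-8")
        else:
            value = raw
        items.append((tag, typ, value))
        i += 8 + length + (-length) % 8
    return items


if __name__ == "__main__":
    # Constructed sample identifier; "USER" with the void password is the UKC default.
    msg = build_get_request("sample-uid-1", "USER", "")
    print(msg.hex())
    print(parse(msg))
```

The bytes produced are what a TTLV client would send to port 5696 inside the HTTPS request body; padding each value to 8 bytes while recording the unpadded length is the detail that most often breaks hand-written encoders.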

Preparation

To use UKC as the KMIP server, perform the following steps on both the UKC server and the KMIP client.

KMIP Server and Client Certificates

  1. By default, the UKC EP server identifies itself on the KMIP/TLS connection using the certificate created during its bootstrap. This certificate is signed by the UKC Root CA certificate using the SHA256withECDSA method.

     Note
     To import your own KMIP server certificate for SSL over port 5696, signed by your CA, use the ekm_obfuscate_pfx script.

  2. The UKC Root SO (Security Officer, the UKC partition administrator role) creates a partition (hereon "kmip-partition") designated to hold KMIP client material. This step creates:

KMIP User Credentials

Once a secure HTTPS connection has been established, the KMIP connection between the client machine and the server is enabled. Depending on the client implementation, its messages may carry user authentication data.

The UKC server evaluates KMIP client credentials based on the presence of the Credential object in the message and, if present, on the Credential.Type value, which must be set to Username and Password. Refer to 2.1.2 Credential in the KMIP Specification V1.4.

Without Credentials

If a KMIP message does not contain the Credential object, or the Credential.Type is NOT "Username and Password", then UKC acts on behalf of the following user:

  • username = "USER"
  • password = ""

By default, each UKC partition has USER with the void password among its allowed users.

Unless you changed USER's password, messages of this type are accepted by the UKC server. If you did change USER's password, you must send messages with explicit Username and Password fields as described in the next topic.

Username-Password Credentials

If a KMIP message contains the Credential object and the Credential.Type is "Username and Password", then UKC checks that the username and its password are enrolled in the kmip-partition.

If you haven't added new users to the kmip-partition, use the following credentials:

  • username = "USER"
  • password = ""

If you added a new user, use its credentials in the Credential.username and Credential.password.
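The following is an added example, not UKC's own code, that models the credential evaluation described in the two topics above for a JSON-encoded request: with no Credential object, or a Credential.Type other than Username and Password, the effective identity is USER with the void password; otherwise the supplied username and password must be enrolled in the kmip-partition. The JSON element layout (tag/type/value objects) follows the KMIP JSON profile, the enumeration name "UsernameAndPassword" is assumed to be that profile's spelling, and the enrolled-user table, the "kmip-app" user and its password are constructed for the example.

```python
import hmac

DEFAULT_USER, DEFAULT_PASSWORD = "USER", ""

# Constructed stand-in for the users enrolled in the kmip-partition: a fresh
# partition has USER with the void password; "kmip-app" is an assumed user
# added later with a sample password. Not UKC's actual user store.
ENROLLED_USERS = {"USER": "", "kmip-app": "example-password"}


def _child(node, tag):
    """First child of a JSON-encoded KMIP structure with the given tag, or None."""
    if node is None:
        return None
    for child in node.get("value", []):
        if isinstance(child, dict) and child.get("tag") == tag:
            return child
    return None


def effective_credentials(request):
    """Return the (username, password) the server acts on behalf of."""
    header = _child(request, "RequestHeader")
    credential = _child(_child(header, "Authentication"), "Credential")
    cred_type = _child(credential, "CredentialType")
    # No Credential, or a type other than Username and Password: fall back to USER.
    if (credential is None or cred_type is None
            or cred_type.get("value") != "UsernameAndPassword"):
        return DEFAULT_USER, DEFAULT_PASSWORD
    value = _child(credential, "CredentialValue")
    username = _child(value, "Username")
    password = _child(value, "Password")
    return (username.get("value", "") if username else "",
            password.get("value", "") if password else "")


def authenticate(request, enrolled=ENROLLED_USERS):
    """True if the effective credentials are enrolled in the kmip-partition."""
    username, password = effective_credentials(request)
    if username not in enrolled:
        return False
    # Constant-time comparison so a mismatch does not leak where it occurred.
    return hmac.compare_digest(enrolled[username].encode(), password.encode())


def json_request(operation="Get", username=None, password=None,
                 cred_type="UsernameAndPassword"):
    """Build a minimal JSON-encoded KMIP 1.4 request (constructed sample)."""
    header = [
        {"tag": "ProtocolVersion", "type": "Structure", "value": [
            {"tag": "ProtocolVersionMajor", "type": "Integer", "value": 1},
            {"tag": "ProtocolVersionMinor", "type": "Integer", "value": 4}]},
        {"tag": "BatchCount", "type": "Integer", "value": 1},
    ]
    if username is not None:
        header.insert(1, {"tag": "Authentication", "type": "Structure", "value": [
            {"tag": "Credential", "type": "Structure", "value": [
                {"tag": "CredentialType", "type": "Enumeration", "value": cred_type},
                {"tag": "CredentialValue", "type": "Structure", "value": [
                    {"tag": "Username", "type": "TextString", "value": username},
                    {"tag": "Password", "type": "TextString", "value": password}]}]}]})
    return {"tag": "RequestMessage", "type": "Structure", "value": [
        {"tag": "RequestHeader", "type": "Structure", "value": header},
        {"tag": "BatchItem", "type": "Structure", "value": [
            {"tag": "Operation", "type": "Enumeration", "value": operation},
            {"tag": "RequestPayload", "type": "Structure", "value": []}]}]}


if __name__ == "__main__":
    print(authenticate(json_request()))                                  # USER, void password
    print(authenticate(json_request(username="kmip-app", password="example-password")))
    print(authenticate(json_request(), enrolled={"USER": "changed"}))    # USER's password changed
```

The last call reproduces the situation described under "Without Credentials": once USER's password is changed, a credential-less message no longer authenticates, and the client must send explicit Username and Password fields.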