Integrating with KMIP-Based Applications

This section specifies:

Developing with KMIP (Key Management Interoperability Protocol, an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server) is described in the CORE KMIP Guide.

KMIP Conformance

The CORE server accepts standard KMIP messages using the HTTPS profile with either TTLV or JSON encoding. In particular, it accepts KMIP client requests on TCP/IP port 5696 and supports the following payload formats:

The OASIS Key Management Interoperability Protocol (KMIP) is a network protocol. It defines the content, structure, and semantics of the messages transferred between the KMIP client and server.

CORE supports KMIP version V1.4, detailed in the following documents:

A KMIP profile defines the minimum set of objects, attributes, and messages that the server should support.

Supported KMIP Objects

CORE Server supports the following KMIP Objects:

Supported KMIP Attributes

CORE Server supports the following KMIP Attributes:

Attribute                          KMIP Spec   Get   Add   Modify   Delete   Notes
Unique Identifier                  3.1
Name                               3.2                                       1
Object Type                        3.3
Cryptographic Algorithm            3.4
Cryptographic Length               3.5
Cryptographic Parameters           3.6                                       2
State                              3.22
Activation Date                    3.24
Deactivation Date                  3.27
Link                               3.35                                      3
Application Specific Information   3.36
Contact Information                3.37

Notes:

  1. Uninterpreted Text String only.
  2. Scope: XTS cipher mode of AES only.
  3. The following link types: Private Key Link, Certificate Link, Replacement Object Link, Replaced Object Link. The Private Key Link and Certificate Link cannot be changed.

Supported KMIP Operations

CORE Server supports the following KMIP Client-to-Server Operations:

CORE Server supports the following additional KMIP features:

  1. ID Placeholder ([KMIP-SPEC] 4)
  2. Message Format ([KMIP-SPEC] 7)
  3. Authentication ([KMIP-SPEC] 8), using a client certificate and credentials
  4. TTLV encoding ([KMIP-SPEC] 9.1)

     Note
     AES keys may be used with the following Format Types (see [KMIP-SPEC] 9.1.3.2.3): Raw or TransparentSymmetric. When the request omits the Format Type, the chosen format is Raw. Any other Format Type results in an error.

  5. JSON Encoding
  6. Transport Requirements ([KMIP-SPEC] 10)
  7. Error Handling ([KMIP-SPEC] 11) for any supported object, attribute, or operation

Supported KMIP Curves

See Recommended Curve Enumeration.

P-256, P-384, P-521, SECP256K1, CURVE25519, CURVE448

Supported Cryptographic Algorithm

See Cryptographic Algorithm Enumeration.

Supported Block Cipher Mode

See Block Cipher Mode Enumeration.

  • CBC
  • ECB
  • CFB
  • OFB
  • CTR
  • CMAC
  • GCM
  • CCM
  • AESKeyWrapPadding
  • NISTKeyWrap
  • AEAD

Preparation

To use CORE as the KMIP server, perform the following steps on both the CORE server and the KMIP client.

KMIP Server and Client Certificates

  1. By default, the CORE EP server identifies itself on the KMIP/TLS connection using the certificate created during its bootstrap. This certificate is signed by the CORE Root CA certificate using the SHA256withECDSA method.

     Note
     To import your own KMIP server certificate for SSL over port 5696, signed by your CA, use the ekm_obfuscate_pfx script.

  2. The CORE Root SO (Security Officer, the UKC partition administrator role) creates a partition (hereon "kmip-partition") designated to hold KMIP client material. This step creates:

KMIP User Credentials

Once a secure HTTPS connection has been established, the KMIP connection between the client machine and the server is enabled. Depending on the client implementation, its messages may carry user authentication data.

The CORE server evaluates KMIP client credentials based on the presence of the Credential object in the message and, if present, on the Credential.Type value. The latter must be set to Username and Password. See 2.1.2 Credential in KMIP Specification V1.4.

Without Credentials

If a KMIP message does not contain the Credential object, or the Credential.Type is NOT "Username and Password", then CORE acts on behalf of the following user:

  • username = "USER"
  • password = ""

By default, each CORE partition has USER with the void password among its allowed users.

Unless you changed USER's password, messages of this kind are accepted by the CORE server. If you did change USER's password, you must send messages with explicit Username and Password fields, as described in the next topic.

Username-Password Credentials

If a KMIP message contains the Credential object and the Credential.Type is "Username and Password", then CORE checks that the username and its password are enrolled in the kmip-partition.

If you haven't added new users to the kmip-partition, use the following credentials:

  • username = "USER"
  • password = ""

If you added a new user, use its credentials in Credential.username and Credential.password.
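The following added example (not part of this guide or of the CORE product) builds a KMIP 1.4 JSON-profile Get request and then applies the credential rule described above, together with the AES Format Type rule from the Note in the features list. The KMIP enumeration name for the page's "TransparentSymmetric" is assumed to be TransparentSymmetricKey; the key identifier and user names are constructed.

```python
import json

# Identity CORE acts under when no usable Credential is present (rule from the page).
FALLBACK_IDENTITY = ("USER", "")
# Key Format Types the page permits for AES keys; the page's "TransparentSymmetric"
# is assumed to be KMIP's TransparentSymmetricKey. An omitted Format Type means Raw.
AES_KEY_FORMATS = ("Raw", "TransparentSymmetricKey")

def _find(items, tag):
    """Return the first element tagged `tag` inside a KMIP JSON 'value' list, or None."""
    return next((i for i in items if i.get("tag") == tag), None)

def build_get_request(unique_id, key_format_type=None, username=None, password=None):
    """Build a KMIP 1.4 JSON-profile RequestMessage for Get. Raises ValueError for a
    Format Type the page says CORE rejects for AES keys."""
    if key_format_type is None:
        key_format_type = "Raw"                      # page: omitted Format Type means Raw
    if key_format_type not in AES_KEY_FORMATS:
        raise ValueError("unsupported Key Format Type for AES: %s" % key_format_type)
    header = [{"tag": "ProtocolVersion", "value": [
        {"tag": "ProtocolVersionMajor", "type": "Integer", "value": 1},
        {"tag": "ProtocolVersionMinor", "type": "Integer", "value": 4}]}]
    if username is not None:                         # only send a Credential when asked to
        header.append({"tag": "Authentication", "value": [{"tag": "Credential", "value": [
            {"tag": "CredentialType", "type": "Enumeration", "value": "UsernameAndPassword"},
            {"tag": "CredentialValue", "value": [
                {"tag": "Username", "type": "TextString", "value": username},
                {"tag": "Password", "type": "TextString", "value": password or ""}]}]}]})
    header.append({"tag": "BatchCount", "type": "Integer", "value": 1})
    payload = [{"tag": "UniqueIdentifier", "type": "TextString", "value": unique_id},
               {"tag": "KeyFormatType", "type": "Enumeration", "value": key_format_type}]
    return {"tag": "RequestMessage", "value": [
        {"tag": "RequestHeader", "value": header},
        {"tag": "BatchItem", "value": [
            {"tag": "Operation", "type": "Enumeration", "value": "Get"},
            {"tag": "RequestPayload", "value": payload}]}]}

def resolve_identity(request):
    """Apply the page's evaluation rule: use the Credential's username/password only when a
    Credential is present AND its type is UsernameAndPassword; otherwise act as USER / ""."""
    header = _find(request["value"], "RequestHeader")
    auth = _find(header["value"], "Authentication") if header else None
    cred = _find(auth["value"], "Credential") if auth else None
    ctype = _find(cred["value"], "CredentialType") if cred else None
    if ctype is None or ctype["value"] != "UsernameAndPassword":
        return FALLBACK_IDENTITY
    cval = _find(cred["value"], "CredentialValue")
    return (_find(cval["value"], "Username")["value"], _find(cval["value"], "Password")["value"])

if __name__ == "__main__":
    req = build_get_request("kmip-key-1", username="alice", password="s3cret")  # constructed
    print(json.dumps(req, indent=1))
    print(resolve_identity(req))
```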