How to connect a compatible product using KMIP protocol

Objective

The purpose of this guide is to show you the usage of the KMIP protocol and the different operations and types supported by the OVHcloud KMS.

Requirements

Instructions

Description

KMIP (Key Management Interoperability Protocol) is a protocol designed to standardise the communications with a KMS.

So any products supporting KMIP (such as VMware vSphere, Veeam, Nutanix, etc.) can natively be interfaced with a KMIP compatible KMS such as the OVHcloud KMS, hosted by OVHcloud or not.

It brings an easy connection, and a reversible configuration.

Connection of a KMIP compatible product with the OVHcloud KMS

The configuration depends on the product to integrate, but does not need any specific configuration on the OVHcloud KMS other than generating an access certificate. Softwares editors usually offer dedicated guides for this purpose.

As an example, the following products were validated with the OVHcloud KMS :

Direct use

It's also possible to use the KMIP API directly.

Authentication on this protocol is done with a client certificate, in the same way as for the REST API. It needs to open a TLS channel with a valid access certificate.

Then it's possible to exchange KMIP messages such as defined in the standard. Depending on the technology stack, we recommend the following libraries:

You can use as well our SDK for Go: https://github.com/ovh/kmip-go

IAM Rights

KMIP operations with IAM users need specific authorisations as described below:

KMIP OperationDescriptionAction
CreateCreate managed objectokms:kmip:create
GetGet managed objectokms:kmip:get
RegisterRegister managed objectokms:kmip:register
ActivateActivate managed objectokms:kmip:activate
RevokeRevoke managed objectokms:kmip:revoke
DestroyDestroy managed objectokms:kmip:destroy
CreateKeyPairCreate key pairokms:kmip:createKeyPair
AddAttributeAdd managed object attributeokms:kmip:addAttribute
GetAttributesGet one or more of managed object attributesokms:kmip:getAttributes
GetAttributeListGet list of the attribute namesokms:kmip:getAttributeList
ModifyAttributeModify managed object attributeokms:kmip:modifyAttribute
DeleteAttributeDelete managed object attributeokms:kmip:deleteAttribute
LocateLocate managed objectokms:kmip:locate
ArchiveArchive managed objectokms:kmip:archive
RecoverRecover managed objectokms:kmip:recover
Re-keyRe-key a Keyokms:kmip:rekey
Re-key Key PairRe-key a Key Pairokms:kmip:rekeyKeyPair
ObtainLeaseObtain lease on managed objectokms:kmip:obtainLease
GetUsageAllocationGet Usage Allocation of managed objectokms:kmip:getUsageAllocation
EncryptEncrypt with managed objectokms:kmip:encrypt
DecryptDecrypt with managed objectokms:kmip:decrypt
SignSign with managed objectokms:kmip:sign
Signature VerifyVerify with managed objectokms:kmip:signatureVerify

KMIP coverage

The OVHcloud KMS covers a part of 1.0 to 1.4 versions of the KMIP standard.

Details of the coverage are available here:

Legend:

  • N/A : Not Applicable
  • ✅ : Fully compatible
  • 🚧 : Partially compatible
  • ❌ : Not implemented
  • 🚫 : Deprecated

Messages

v1.0v1.1v1.2v1.3v1.4
Request Message
Response Message

Operations

Operationv1.0v1.1v1.2v1.3v1.4
Create
Create Key Pair
Register
Re-key
DeriveKey
Certify
Re-certify
Locate
Check
Get
Get Attributes
Get Attribute List
Add Attribute
Modify Attribute
Delete Attribute
Obtain Lease
Get Usage Allocation
Activate
Revoke
Destroy
Archive
Recover
Validate
Query
Cancel
Poll
Notify
Put
DiscoverN/A
Re-key Key PairN/A
EncryptN/AN/A
DecryptN/AN/A
SignN/AN/A
Signature VerifyN/AN/A
MACN/AN/A
MAC VerifyN/AN/A
RNG RetrieveN/AN/A
RNG SeedN/AN/A
HashN/AN/A
Create Split KeyN/AN/A
Join Split KeyN/AN/A
ExportN/AN/AN/AN/A
ImportN/AN/AN/AN/A

Managed Objects

Objectv1.0v1.1v1.2v1.3v1.4
Certificate
Symmetric Key
Public Key
Private Key
Split Key
Template🚫🚫
Secret Data
Opaque Object
PGP KeyN/AN/A

Base Objects

Objectv1.0v1.1v1.2v1.3v1.4
Attribute
Credential
Key Block
Key Value
Key Wrapping Data
Key Wrapping Specification
Transparent Key Structures🚧🚧🚧🚧🚧
Template-Attribute Structures
Extension InformationN/A
DataN/AN/A
Data LengthN/AN/A
Signature DataN/AN/A
MAC DataN/AN/A
NonceN/AN/A
Correlation ValueN/AN/AN/A
Init IndicatorN/AN/AN/A
Final IndicatorN/AN/AN/A
RNG ParameterN/AN/AN/A
Profile InformationN/AN/AN/A
Validation InformationN/AN/AN/A
Capability InformationN/AN/AN/A
Authenticated Encryption Additional DataN/AN/AN/AN/A
Authenticated Encryption TagN/AN/AN/AN/A
Transparent Key Structures
Objectv1.0v1.1v1.2v1.3v1.4
Symmetric Key
DSA Private/Public Key
RSA Private/Public Key
DH Private/Public Key
ECDSA Private/Public Key🚫🚫
ECDH Private/Public Key🚫🚫
ECMQV Private/Public🚫🚫
EC Private/PublicN/AN/AN/A

Attributes

Attributev1.0v1.1v1.2v1.3v1.4
Unique Identifier
Name
Object Type
Cryptographic Algorithm
Cryptographic Length
Cryptographic Parameters
Cryptographic Domain Parameters
Certificate Type
Certificate Identifier🚫🚫🚫🚫
Certificate Subject🚫🚫🚫🚫
Certificate Issuer🚫🚫🚫🚫
Digest
Operation Policy Name🚫🚫
Cryptographic Usage Mask
Lease Time
Usage Limits
State
Initial Date
Activation Date
Process Start Date
Protect Stop Date
Deactivation Date
Destroy Date
Compromise Occurence Date
Compromise Date
Revocation Reason
Archive Date
Object Group
Link
Application Specific Information
Contact Information
Last Change Date
Custom Attribute
Certificate LengthN/A
X.509 Certificate IdentifierN/A
X.509 Certificate SubjectN/A
X.509 Certificate IssuerN/A
Digital Signature AlgorithmN/A
FreshN/A
Alternative NameN/AN/A
Key Value PresentN/AN/A
Key Value LocationN/AN/A
Original Creation DateN/AN/A
Random Number GeneratorN/AN/AN/A
PKCS#12 Friendly NameN/AN/AN/AN/A
DescriptionN/AN/AN/AN/A
CommentN/AN/AN/AN/A
SensitiveN/AN/AN/AN/A
Always SensitiveN/AN/AN/AN/A
ExtractableN/AN/AN/AN/A
Never ExtractableN/AN/AN/AN/A

Go further

The OASIS website.

Join our community of users.

Czy ta strona była pomocna?