IBM Cloud Docs
Configuring KMIP for key management and distribution in Hyper Protect Crypto Services Standard Plan

Configuring KMIP for key management and distribution in Hyper Protect Crypto Services Standard Plan

Key Management Interoperability Protocol (KMIP) is a communication protocol for the storage and maintenance of key, certificate, and secret objects. The standard is governed by the Organization for the Advancement of Structured Information Standards (OASIS). Hyper Protect Crypto Services provides a dedicated single-tenant KMIP adapter so that VMware vCenter server instances can use Hyper Protect Crypto Services as the Key Management Service (KMS) for VMware vSphere encryption and vSAN encryption.

This tutorial is based on the Standard Plan instance setup only.

The following diagram illustrates the overall workflow of how the KMIP adapter that is provided in the Hyper Protect Crypto Services instance works with a VMWare customer environment.

KMIP workflow with VMWare customer environment
Figure 1. KMIP workflow with VMWare customer environment

The overall workflow includes the following steps:

  1. Create a Hyper Protect Crypto Services Standard Plan instance and your root key.
  2. Configure the VMWare Solution Service KMIP for VMWare with the Hyper Protect Crypto Services service instance. The KMIP for VMware service manages the lifecycle of the KMIP adapter and KMIP client certificates.
  3. Connect your VMware vCenter server to KMIP and enable vSphere encryption or vSAN encryption.

Objectives

This tutorial shows how you can configure KMIP with VMWare solution in IBM Cloud.

Before you begin

To complete this tutorial, you need to meet the following prerequisites:

Task flow

To complete this solution, we'll walk through the following steps:

  1. Grant the service-to-service authorization in IAM.
  2. Configure KMIP for VMWare with Hyper Protect Crypto Services instance.
  3. Configure a trusted connection between the vCenter Server and KMIP adapter.

Let's start with the service authorization process.

Grant the service-to-service authorization in IAM

  1. Click Manage>Access(IAM) on the menu after you log in to IBM Cloud.

  2. Select Authorizations on the left navigation pane.

  3. Click the Create button.

  4. On the Grant a service authorization page, fill in the following information:

    • Under the Source service drop-down list, select VMWare Solutions, and then select the KMIP for VMWare service instance ID.
    • Under the Target service drop-down list, select Hyper Protect Crypto Services services, and then select the Hyper Protect Crypto Services instance ID.
    • In the Platform access pane, select the Viewer option.
    • In the Service Access pane, select the VMWare KMIP Manager option.

  5. Click the Authorize button to complete the service to service authorization.

Configure KMIP for VMWare with Hyper Protect Crypto Services instance

  1. In the IBM Cloud for VMware Solutions UI, click Resources from the left navigation pane.

  2. Scroll down to the KMIP for VMware Instances table, click the instance that you want to configure the Hyper Protect Crypto Services with. The status of the KMIP for VMware instance is Inactive because it is not configured yet.

  3. Select Getting started from the left navigation pane on the next page.

  4. Select the Initialize service instance option and Hyper Protect as the key management type.

    • Select the Hyper Protect Crypto Services instance ID that stores your root key and key encryption key. You can click the Retrieve button to get a list of Hyper Protect Crypto Services instances under your IBM Cloud account.

      Only IDs of Hyper Protect Crypto Services instances that contain at least one root key are to be listed. Make sure to create a root key first.

    • Select the root key to wrap the key encryption key for your data encryption key. You can click the Retrieve button to get a list of root keys stored on the selected Hyper Protect Crypto Services instance.

      Make sure not to delete the root key that you select for key wrapping. Otherwise, the data encryption keys stored for VMWare solutions by the KMIP adapter cannot be accessed.

  5. Click Configure to complete the configuration. Optionally, you can add client certificates if you have an existing VMWare or vCenter environment that you like to reuse.

  6. Click Refresh and ensure that the status of the KMIP for VMware instance is Installed.

  7. Identify the KMIP server endpoints information for the next step. For example, kmip.private.us-south.hs-crypto.cloud.ibm.com:10073.

Configure a trusted connection between the vCenter Server and KMIP adapter

  1. In your vSphere client UI, complete the following steps:

    a. Add the KMS to your vCenter Server by using the KMIP server address and port information from the previous step during the configuration.

    b. Configure the appropriate trust method between the KMS instance and your vCenter Server, and download the generated certificate.

  2. On the KMIP for VMware instance page, add the certificate from the vCenter Server.

  3. Verify the connection status of the KMS for your vCenter server is Connected.

  4. Optional: Create an encrypted virtual machine to check that the encryption key from the KMS is used.

In this tutorial, you learned how to configure VMWare with KMIP in Hyper Protect Crypto Services.

What's next

The following demo video is for you to better understand the process.