Using the key management interoperability protocol (KMIP)

IBM® Key Protect for IBM Cloud® provides native support for the key management interoperability protocol (KMIP), allowing you to create KMIP adapters and upload certificates directly through the Key Protect console.

This solution describes the Key Protect native KMIP support architecture for protecting your VMware® instances. Key Protect native KMIP support works with VMware native vSphere encryption and vSAN™ encryption to provide simplified storage encryption management with the security and flexibility of IBM Cloud® Key Protect customer-managed keys.

This solution is an alternative to the KMIP for VMware offering on IBM Cloud. This document does not cover the configuration of these foundation solutions. For more information about the foundation solution architecture, see Overview of VMware Solutions.

This feature works in parallel with the current KMIP for VMware solution. You cannot import adapters created with the VMware solution into Key Protect, or vice versa.

Benefits

Key Protect native KMIP support offers the following benefits:

VMware certification
KMIP support in Key Protect is certified by VMware and can be directly integrated with any service or platform that accepts encryption through a KMIP KMS server. KMIP support is integrated and managed by Key Protect, eliminating the need for third-party KMIP server support.
Hypervisor-level encryption
Integration with VMware vSAN encryption and vSphere encryption provides encryption at the hypervisor layer rather than the storage or virtual machine layer. This approach simplifies management and provides transparency to your storage solution and application.
Fully managed service
Key management server is fully managed and available in many IBM Cloud multizone regions (MZRs).
Customer-managed keys
You maintain full control over your encryption keys and can revoke them at any time.
Cost-effective
KMIP symmetric keys are charged as a single key version, so you only pay for what you use.

Creating an adapter

A maximum of 200 adapters can be created on a single instance. Each adapter can have a maximum of 200 certificates associated with it.

KMIP adapters are created using Key Protect root keys. If you do not have a root key, create one.

Before you begin, ensure that you have the Manager role or the KmipAdapterManager role on the instance.

To create an adapter:

  1. In the navigation menu, click KMIP adapters. If this is your first adapter, the table is empty.

  2. Click Create.

  3. In the side panel, provide the following information:

    • Name - Enter a name for the adapter (2-40 characters).
    • Description (optional) - Enter a description for the adapter (2-240 characters).
    • Root key - Select the root key to use for this adapter. The root key encrypts the KMIP keys that the adapter creates. Your root key must be in an active state for your adapter to function correctly.
  4. Optional: Add a public TLS certificate to allow the holder of the corresponding private certificate to communicate with Key Protect through the KMIP adapter. Only authorized certificates can make KMIP protocol requests against your instance.

    To add a certificate:

    1. Click Add.
    2. Enter a name for the certificate.
    3. Enter the certificate contents in PEM format, including the BEGIN CERTIFICATE and END CERTIFICATE tags.
    4. Click Add certificate.

    Certificate association can take a few minutes. A certificate can only be associated with a single adapter in a Key Protect region.

Resources managed through the KMIP protocol cannot be accessed through the HTTP API.

Keep the private key of any uploaded certificates secure. Any certificate uploaded to a KMIP adapter can make all supported KMIP operations.

Configuring a KMIP client to communicate with an adapter

To communicate with your adapter, you must either set up VMware or create a KMIP client that can communicate over TCP with mTLS and send messages using the TTLV message format as described in the KMIP specifications.

For VMware vSphere, follow the steps in Add a Standard Key Provider Using the vSphere Client. When you add a standard key provider, use the Key Protect endpoint specific to your instance's region. For example, for a Key Protect instance in the us-south region, use us-south.kms.cloud.ibm.com as the address and 5696 as the port.

The vSphere client must upload its client certificate to the adapter to communicate with the KMIP adapter. Follow the steps in Use the Certificate Option to Establish a Standard Key Provider Trusted Connection to download the client certificate, then upload it to the adapter.

Granting access to KMIP

Review roles and permissions to learn how IBM Cloud IAM roles map to Key Protect actions.

The following IAM actions govern resources that will be used to manage access to KMIP resources:

  • kms.kmip-management.create
  • kms.kmip-management.list
  • kms.kmip-management.read
  • kms.kmip-management.delete

Each action grants the mentioned behavior to all kmip_adapter certificate and kmip_object resources in the instance, without granularity.

Viewing and updating adapter details

The adapter details panel displays information about an adapter and allows you to perform actions such as adding certificates.

To view adapter details:

  1. Click the actions menu (⋯) for the adapter.
  2. Select Details.

The details panel displays the adapter's name, description, associated KMIP symmetric keys, and uploaded certificates. You can also upload additional certificates from this panel.

KMIP symmetric keys cannot be deleted using the console. To delete keys, use the CLI. Only KMIP symmetric keys that are not in the Active state (state 1) can be deleted. You cannot delete an adapter if it contains keys in the Active state.

Each adapter's resources are protected with a root key. You cannot delete a root key that is active and associated with an adapter.

Each KMIP symmetric key that is created counts as a single key version and incurs a charge of one key version. Deletion of a KMIP symmetric key is permanent.

KMIP supported objects and operations

Refer to Result Reason in the KMIP Version 1.4 documentation for the reasons for expected failures, such as a request against an unsupported operation.

KMIP supported operations

Only the following operations are supported.

Supported KMIP operations
Section Operation Summary
4.1 Create Creates a KMIP object.
4.9 Locate Searches for objects matching the given criteria or attribute metadata.
4.11 Get Retrieves object information, specifically the key material.
4.12 Get Attributes Retrieves attribute metadata about the object.
4.14 Add Attribute Adds attribute metadata to the object.
4.19 Activate Sets the object to an "Active" state. The object cannot be destroyed while in the active state.
4.20 Revoke Sets the object to a "Compromised" state if the revocation reason code is "Key Compromise" or "CA Compromise". Otherwise, sets the object to a "Deactivated" state.
4.21 Destroy Destroys the key material of the object. This action cannot be reversed.
4.26 Discover Versions Requests supported KMIP protocol versions from the server. Only v1.4 is returned.

Supported objects

Supported KMIP objects
Section Object
2.2 Symmetric Key

Creating and using KMIP adapters in the API

This section describes how to use KMIP adapters of profile native_1.0 with the API, including adding and removing KMIP client certificates and viewing and deleting KMIP objects.

You can create a KMIP adapter by making a POST call to the following endpoint.

https://<region>.kms.cloud.ibm.com/api/v2/kmip_adapters

Operations on KMIP adapter subresources, including KMIP client certificates and KMIP objects will be in the following endpoints:

https://<region>.kms.cloud.ibm.com/api/v2/kmip_adapters/<adapter_name_or_ID>/certificates
https://<region>.kms.cloud.ibm.com/api/v2/kmip_adapters/<adapter_name_or_ID>/kmip_objects
  1. Retrieve authentication credentials to work with keys in the service.

  2. Copy the ID of the root key that you want to use to create your KMIP adapter.

    You can find the ID for a key in your Key Protect instance by retrieving a list of your keys, or by accessing the Key Protect dashboard.

  3. Create a KMIP adapter with the following curl command:

    $ curl -X POST \
        "https://<region>.kms.cloud.ibm.com/api/v2/kmip_adapters" \
        -H "accept: application/vnd.ibm.kms.kmip_adapter+json" \
        -H "authorization: Bearer <IAM_token>" \
        -H "bluemix-instance: <instance_ID>" \
        -H "content-type: application/vnd.ibm.kms.kmip_adapter+json" \
        -d '{
                "metadata": {
                    "collectionType": "application/vnd.ibm.kms.kmip_adapter+json",
                    "collectionTotal": 1
                },
                "resources": [
                    {
                    "name": "<adapter_name>",
                    "description": "<adapter_description>",
                    "profile": "native_1.0",
                    "profile_data": {
                        "crk_id": "<root_keyID_or_alias>"
                    }
                    }
                ]
            }'
    

    Replace the variables in the example request according to the following table.

Describes the variables that are needed to create a KMIP adapter in Key Protect.
Variable Description
region Required. The region abbreviation, such as us-south or eu-gb, that represents the geographic area where your Key Protect instance resides.

For more information, see Regional service endpoints.
root_keyID_or_alias Required. The unique identifier or alias for the root key that you want to use for the adapter.
IAM_token Required. Your IBM Cloud access token. Include the full contents of the IAM token, including the Bearer value, in the curl request.
For more information, see Retrieving an access token.
instance_ID Required. The unique identifier that is assigned to your Key Protect service instance.

For more information, see Retrieving an instance ID.
adapter_name Optional. A human-readable name of the KMIP adapter unique within the kms instance. If one is not specified, one will be autogenerated of the format kmip_adapter_<random_string>. To protect your privacy do not use personal data, such as your name or location, as a name for your KMIP adapter. The name must be alphanumeric and cannot contain spaces or special characters other than - or _. The name cannot be a UUID.
adapter_description Optional The KMIP adapter's description. The maximum length is 240 characters. To protect your privacy, do not use personal data, such as your name or location, as a description for your KMIP adapter.
  1. Optional: you can list KMIP adapters that exist in an instance with the following curl command:

    $ curl -X GET \
        "https://<region>.kms.cloud.ibm.com/api/v2/kmip_adapters" \
        -H "accept: application/vnd.ibm.kms.kmip_adapter+json" \
        -H "authorization: Bearer <IAM_token>" \
        -H "bluemix-instance: <instance_ID>" \
        -H "content-type: application/vnd.ibm.kms.kmip_adapter+json"
    

    You can also get a specific KMIP adapter by using the following curl command:

    $ curl -X GET \
        "https://<region>.kms.cloud.ibm.com/api/v2/kmip_adapters/<adapter_name_or_ID>" \
        -H "accept: application/vnd.ibm.kms.kmip_adapter+json" \
        -H "authorization: Bearer <IAM_token>" \
        -H "bluemix-instance: <instance_ID>" \
        -H "content-type: application/vnd.ibm.kms.kmip_adapter+json"
    

    Note that you can use either the adapter's UUID or the adapter's name to get a specific adapter.

  2. You can delete a KMIP adapter with the following curl command:

    $ curl -X DELETE \
        "https://<region>.kms.cloud.ibm.com/api/v2/kmip_adapters/<adapter_name_or_ID>" \
        -H "accept: application/vnd.ibm.kms.kmip_adapter+json" \
        -H "authorization: Bearer <IAM_token>" \
        -H "bluemix-instance: <instance_ID>" \
        -H "content-type: application/vnd.ibm.kms.kmip_adapter+json"
    

    You can only delete the KMIP adapter if all the KMIP objects under the adapter are deleted.

Adding a KMIP client certificate to a KMIP adapter

After you create a KMIP adapter, you can add a KMIP client certificate to associate with the adapter. After a certificate is registered, you can use it to communicate with the KMIP server with mTLS as described in the KMIP specifications. Certificate registration can take up to five minutes. Certificates must be unique within the same region.

  1. Retrieve authentication credentials to work with keys in the service.

  2. Identify the KMIP adapter you want to add your certificate to.

  3. Add the KMIP client certificate with the following curl command:

    $ curl -X POST \
        "https://<region>.kms.cloud.ibm.com/api/v2/kmip_adapters/<adapter_id>/certificates" \
        -H "accept: application/vnd.ibm.kms.kmip_client_certificate+json" \
        -H "authorization: Bearer <IAM_token>" \
        -H "bluemix-instance: <instance_ID>" \
        -H "content-type: application/vnd.ibm.kms.kmip_client_certificate+json" \
        -d '{
                "metadata": {
                    "collectionType": "application/vnd.ibm.kms.kmip_client_certificate+json",
                    "collectionTotal": 1
                },
                "resources": [
                    {
                    "certificate": "<certificate_pem>",
                    "name": "<certificate_name>"
                    }
                ]
            }'
    

    Replace the variables in the example request according to the following table.

Describes the variables that are needed to create a KMIP client certificate in Key Protect.
Variable Description
region Required. The region abbreviation, such as us-south or eu-gb, that represents the geographic area where your Key Protect instance resides.

For more information, see Regional service endpoints.
adapter_id Required. The unique identifier or name for KMIP adapter you want to register the certificate with.
IAM_token Required. Your IBM Cloud access token. Include the full contents of the IAM token, including the Bearer value, in the curl request.
For more information, see Retrieving an access token.
instance_ID Required. The unique identifier that is assigned to your Key Protect service instance.

For more information, see Retrieving an instance ID.
certificate_pem Required The contents of the KMIP client certificate. It must be in the x509 PEM format. It should explicitly have the BEGIN CERTIFICATE and END CERTIFICATE tags.
certificate_name Optional. A human-readable name that uniquely identifies a certificate within the given adapter. If one is not specified, one will be autogenerated of the format kmip_cert_<random_string>. To protect your privacy do not use personal data, such as your name or location, as a name for your KMIP adapter. The name must be alphanumeric and cannot contain spaces or special characters other than - or _. The name cannot be a UUID.
  1. Optional: you can list KMIP client certificates associated with an adapter with the following curl command:

    $ curl -X GET \
        "https://<region>.kms.cloud.ibm.com/api/v2/kmip_adapters/<adapter_id>/certificates" \
        -H "accept: application/vnd.ibm.kms.kmip_client_certificate+json" \
        -H "authorization: Bearer <IAM_token>" \
        -H "bluemix-instance: <instance_ID>"
    

    You can also get a specific KMIP client certificate by using the following curl command:

    $ curl -X POST \
        "https://<region>.kms.cloud.ibm.com/api/v2/kmip_adapters/<adapter_id>/certificates/<certificate_name_or_id>" \
        -H "accept: application/vnd.ibm.kms.kmip_client_certificate+json" \
        -H "authorization: Bearer <IAM_token>" \
        -H "bluemix-instance: <instance_ID>" 
    

    Note that you can use either the certificate's UUID or the certificate's name to get a specific adapter.

  2. You can delete a KMIP client certificate with the following curl command:

    $ curl -X DELETE \
        "https://<region>.kms.cloud.ibm.com/api/v2/kmip_adapters/<adapter_name_or_ID>" \
        -H "accept: application/vnd.ibm.kms.kmip_adapter+json" \
        -H "authorization: Bearer <IAM_token>" \
        -H "bluemix-instance: <instance_ID>"
    

    You can only delete the KMIP adapter if all the KMIP objects under the adapter are deleted.

Viewing and deleting KMIP objects within an adapter

KMIP objects cannot be created through the REST API, but they can be viewed and deleted.

  1. Retrieve authentication credentials to work with keys in the service.

  2. Identify the KMIP adapter you want to add your certificate to.

  3. You can view KMIP objects within a KMIP adapter with the following curl command:

    $ curl -X GET \
        "https://<region>.kms.cloud.ibm.com/api/v2/kmip_adapters/<adapter_id>/kmip_objects" \
        -H "accept: application/vnd.ibm.kms.kmip_object+json" \
        -H "authorization: Bearer <IAM_token>" \
        -H "bluemix-instance: <instance_ID>"
    
  4. You can view a specific KMIP object within a KMIP adapter with the following curl command:

    $ curl -X GET \
        "https://<region>.kms.cloud.ibm.com/api/v2/kmip_adapters/<adapter_id>/kmip_objects/<object_id>" \
        -H "accept: application/vnd.ibm.kms.kmip_object+json" \
        -H "authorization: Bearer <IAM_token>" \
        -H "bluemix-instance: <instance_ID>"
    
  5. You can delete a specific KMIP object within a KMIP adapter with the following curl command:

    $ curl -X DELETE \
        "https://<region>.kms.cloud.ibm.com/api/v2/kmip_adapters/<adapter_id>/kmip_objects/<object_id>" \
        -H "accept: application/vnd.ibm.kms.kmip_object+json" \
        -H "authorization: Bearer <IAM_token>" \
        -H "bluemix-instance: <instance_ID>"
    

    Where the <object_id> is the UUID of the KMIP object. You cannot delete KMIP objects in the Active (state=2) state.