Using the key management interoperability protocol (KMIP)

To better facilitate the use of IBM® Key Protect for IBM Cloud® keys to create key management interoperability protocol (KMIP) adapters for use with VMWare, Key Protect now directly offers the ability to create adapters and upload certificates using the Key Protect control plane (UI).

This solution architecture describes the Key Protect Native KMIP support architecture for protecting your VMware® instances. Many storage encryption options are available to protect your VMware workload. Key Protect Native KMIP support works together with VMware native vSphere encryption and vSAN™ encryption. The vSphere and vSAN encryption provides simplified storage encryption management together with the security and flexibility of IBM Cloud® Key Protect customer-managed keys.

This solution is an alternative to the KMIP for VMWare solution offering on IBM Cloud. As a result, this document doesn't cover the existing configuration of these foundation solutions on IBM Cloud. To understand more about the foundation solution architecture, see Overview of VMware Solutions.

This feature works in parallel with the current KMIP for VMWare solution. It is not currently possible to import adapters created using the VMWare solution into Key Protect (or vice versa).

Benefits

While many storage encryption solutions are available for your VMware workload, Key Protect Native KMIP support offers the following benefits:

Integration with VMware vSAN encryption and vSphere encryption, both of which are implemented in the hypervisor layer rather than the storage or virtual machine layer. This approach allows easy management and transparency to your storage solution and application.
Fully managed key management server available in many IBM Cloud multizone regions (MZRs).
Integrating your VMware cluster with IBM Cloud Key Protect provides you with fully customer-managed keys that you can revoke at any time.

Creating an adapter

A maximum of 200 adapters can be created on a single instance. Each adapter can have a maximum of 200 certificates associated with it.

KMIP adapters are created using Key Protect root keys. If you do not have a root key, create one.

To create an adapter:

Navigate to the KMIP Adapters panel using the left navigation. If this is your first adapter, the table should be empty. Note that you must either have the Manager role or the KmipAdapterManager role on the instance in order to create an adapter.
Find the Create Adapter button and click it.
In the open side panel, give the adapter a Name and, optionally, a Description. Note that names must contain at least two and no more than 40 characters. If you choose to give it a description, it must be at least two and no more than 240 characters. After that has been completed, you can choose the root key you want to use to create this adapter and to encrypt the KMIP keys it creates. Choosing a root key is mandatory. Note that your root key must be in an active state for your adapter to function correctly.
Adding a public TLS certificate allows the holder of its corresponding private certificate to communicate with Key Protect via its associated KMIP adapter. Only certificates authorized under a KMIP adapter will be permitted to make KMIP protocol requests against your instance. Note that resources managed via the KMIP protocol cannot be accessed via HTTP API.

While you do not need to add any certificates during the creation of the adapter, if you know which certificates you want to add, you can do so by clicking the Add certificates (optional) tab in the panel. In the resulting screen, click the Upload certificate button, give the certificate a name, and input the contents of the certificate (the material must be in PEM format and contain the BEGIN CERTIFICATE and END CERTIFICATE tags). Note that it can take a few minutes for the certificate to be associated. Also, a certificate can only be associated with a single adapter in a Key Protect region.

Keep the private key of any uploaded certificates secure, as any certificate uploaded to a KMIP adapter will have the ability to make all supported KMIP operations.

Configuring a KMIP client to communicate with an adapter

To communicate with your adapter, you must either setup VMWare (which will take care of your communications to your client, once you have associated the certificate provided by VMWare to it), or have created a KMIP client that can communicate over TCP with mTLS and can send messages using the TTLV message format as described in KMIP specifications.

For VMWare vSphere, follow the steps outlined in Add a Standard Key Provider Using the vSphere Client. When adding a standard key provider, use the Key Protect endpoint specific to your instance's region. For example, for the Key Protect instance in region us-south , use us-south.kms.cloud.ibm.com as the address and 5696 as the port, which is the default for the KMIP server.

As described in step 4 above, the vSphere client needs to upload its client certificate in the adapter in order for it to communicate with the KMIP adapter. Follow the steps outlined in Use the Certificate Option to Establish a Standard Key Provider Trusted Connection guide to download the client certificate. This certificate can be uploaded into the adapter.

Granting access to KMIP

Review roles and permissions to learn how IBM Cloud IAM roles map to Key Protect actions.

The following IAM actions govern resources that will be used to manage access to KMIP resources:

kms.kmip-management.create
kms.kmip-management.list
kms.kmip-management.read
kms.kmip-management.delete

Each action grants the mentioned behavior to all kmip_adapter certificate and kmip_object resources in the instance, without granularity.

Viewing and updating adapter details

The adapter details panel allows you to learn about an adapter (for example, through its description) and also allows you to do actions like adding certificates.

To view the adapter details, click the ⋯ icon. This shows all of the details about the adapter. Here you can see its name, its description, any KMIP symmetric keys associated with the adapter, and certificates that have been uploaded to it. You can also use this panel to upload more certificates, as desired.

KMIP symmetric keys cannot be deleted using the UI. To delete keys, you must use the CLI. Only KMIP symmetric keys that are in a state other than the Active (state 1) can be deleted. An adapter cannot be deleted if it contains keys that are in the Active state.

Each adapter's resources are protected with a CRK. You cannot delete a CRK that is active and associated with an adapter.

Each KMIP symmetric key that is created counts as a single key version and may incur a charge, depending on the number of key versions you have. If you want to delete a KMIP symmetric key, you can only do so using the API, CLI, or SDK. You cannot use the UI. Note that deletions of a KMIP symmetric is permanent.

KMIP supported objects and operations

Refer to Result Reason in the KMIP Version 1.4 documentation for the reasons for expected failures, such as a request against an unsupported operation.

KMIP supported operations

Only these operations are supported.

	Operation	Summary
4.1	Create	Creates a KMIP object
4.11	Get	Retrieve object information, specifically the key material.
4.12	Get Attributes	Retrieve attribute metadata about the object.
4.14	Add Attribute	Add attribute metadata to the object.
4.19	Activate	Sets the object into an "Active" state. The object may not be destroyed while the state is active.
4.20	Revoke	Sets the object into a "Compromised" state, if the revocation reason code given is "Key Compromise" or "CA Compromise". Otherwise sets the object into a "Deactivated" state.
4.21	Destroy	Destroys the key material of the object. This action cannot be reversed
4.26	Discover Versions	Requests supported KMIP protocol versions from the server. Only v1.4 will be returned.
4.9	Locate	Search for objects matching the given criteria or attribute metadata.

Supported objects

	Object
2.2	Symmetric Key

Creating and using KMIP adapters in the API

This will walk through using KMIP adapters of profile native_1.0 using the API, adding and removing KMIP client certificates from the adapter, then viewing and deleting KMIP objects associated with the adapter.

You can create a KMIP adapter by making a POST call to the following endpoint.

https://<region>.kms.cloud.ibm.com/api/v2/kmip_adapters

Operations on KMIP adapter subresources, including KMIP client certificates and KMIP objects will be in the following endpoints:

https://<region>.kms.cloud.ibm.com/api/v2/kmip_adapters/<adapter_name_or_ID>/certificates
https://<region>.kms.cloud.ibm.com/api/v2/kmip_adapters/<adapter_name_or_ID>/kmip_objects

Retrieve authentication credentials to work with keys in the service.
Copy the ID of the root key that you want to use to create your KMIP adapter.

You can find the ID for a key in your Key Protect instance by retrieving a list of your keys, or by accessing the Key Protect dashboard.

Create a KMIP adapter with the following curl command:

$ curl -X POST \
    "https://<region>.kms.cloud.ibm.com/api/v2/kmip_adapters" \
    -H "accept: application/vnd.ibm.kms.kmip_adapter+json" \
    -H "authorization: Bearer <IAM_token>" \
    -H "bluemix-instance: <instance_ID>" \
    -H "content-type: application/vnd.ibm.kms.kmip_adapter+json" \
    -d '{
            "metadata": {
                "collectionType": "application/vnd.ibm.kms.kmip_adapter+json",
                "collectionTotal": 1
            },
            "resources": [
                {
                "name": "<adapter_name>",
                "description": "<adapter_description>",
                "profile": "native_1.0",
                "profile_data": {
                    "crk_id": "<root_keyID_or_alias>"
                }
                }
            ]
        }'

Replace the variables in the example request according to the following table.

Table 1. Describes the variables that are needed to create a KMIP adapter in Key Protect.
Variable	Description
region	Required. The region abbreviation, such as `us-south` or `eu-gb`, that represents the geographic area where your Key Protect instance resides. For more information, see Regional service endpoints.
root_keyID_or_alias	Required. The unique identifier or alias for the root key that you want to use for the adapter.
IAM_token	Required. Your IBM Cloud access token. Include the full contents of the IAM token, including the Bearer value, in the curl request. For more information, see Retrieving an access token.
instance_ID	Required. The unique identifier that is assigned to your Key Protect service instance. For more information, see Retrieving an instance ID.
adapter_name	Optional. A human-readable name of the KMIP adapter unique within the kms instance. If one is not specified, one will be autogenerated of the format `kmip_adapter_<random_string>`. To protect your privacy do not use personal data, such as your name or location, as a name for your KMIP adapter. The name must be alphanumeric and cannot contain spaces or special characters other than - or _. The name cannot be a UUID.
adapter_description	Optional The KMIP adapter's description. The maximum length is 240 characters. To protect your privacy, do not use personal data, such as your name or location, as a description for your KMIP adapter.

Optional: you can list KMIP adapters that exist in an instance with the following curl command:

$ curl -X GET \
    "https://<region>.kms.cloud.ibm.com/api/v2/kmip_adapters" \
    -H "accept: application/vnd.ibm.kms.kmip_adapter+json" \
    -H "authorization: Bearer <IAM_token>" \
    -H "bluemix-instance: <instance_ID>" \
    -H "content-type: application/vnd.ibm.kms.kmip_adapter+json"

You can also get a specific KMIP adapter by using the following curl command:

$ curl -X GET \
    "https://<region>.kms.cloud.ibm.com/api/v2/kmip_adapters/<adapter_name_or_ID>" \
    -H "accept: application/vnd.ibm.kms.kmip_adapter+json" \
    -H "authorization: Bearer <IAM_token>" \
    -H "bluemix-instance: <instance_ID>" \
    -H "content-type: application/vnd.ibm.kms.kmip_adapter+json"

Note that you can use either the adapter's UUID or the adapter's name to get a specific adapter.

You can delete a KMIP adapter with the following curl command:

$ curl -X DELETE \
    "https://<region>.kms.cloud.ibm.com/api/v2/kmip_adapters/<adapter_name_or_ID>" \
    -H "accept: application/vnd.ibm.kms.kmip_adapter+json" \
    -H "authorization: Bearer <IAM_token>" \
    -H "bluemix-instance: <instance_ID>" \
    -H "content-type: application/vnd.ibm.kms.kmip_adapter+json"

You can only delete the KMIP adapter if all the KMIP objects under the adapter are deleted.

Adding a KMIP client certificate to a KMIP adapter

Now that a KMIP adapter has been created, you can add a KMIP client certificate to be associated with the KMIP adapter. Once a certificate has been registered, you can use that certificate to communicate with the KMIP server with mTLS as described by the KMIP specifications. It may take up to five minutes from the certificate being registered to the certificate being usable with the KMIP server. Certificates must be unique within the same region.

Retrieve authentication credentials to work with keys in the service.
Identify the KMIP adapter you want to add your certificate to.

Add the KMIP client certificate with the following curl command:

$ curl -X POST \
    "https://<region>.kms.cloud.ibm.com/api/v2/kmip_adapters/<adapter_id>/certificates" \
    -H "accept: application/vnd.ibm.kms.kmip_client_certificate+json" \
    -H "authorization: Bearer <IAM_token>" \
    -H "bluemix-instance: <instance_ID>" \
    -H "content-type: application/vnd.ibm.kms.kmip_client_certificate+json" \
    -d '{
            "metadata": {
                "collectionType": "application/vnd.ibm.kms.kmip_client_certificate+json",
                "collectionTotal": 1
            },
            "resources": [
                {
                "certificate": "<certificate_pem>",
                "name": "<certificate_name>"
                }
            ]
        }'

Replace the variables in the example request according to the following table.

Table 2. Describes the variables that are needed to create a KMIP client certificate in Key Protect.
Variable	Description
region	Required. The region abbreviation, such as `us-south` or `eu-gb`, that represents the geographic area where your Key Protect instance resides. For more information, see Regional service endpoints.
adapter_id	Required. The unique identifier or name for KMIP adapter you want to register the certificate with.
IAM_token	Required. Your IBM Cloud access token. Include the full contents of the IAM token, including the Bearer value, in the curl request. For more information, see Retrieving an access token.
instance_ID	Required. The unique identifier that is assigned to your Key Protect service instance. For more information, see Retrieving an instance ID.
certificate_pem	Required The contents of the KMIP client certificate. It must be in the x509 PEM format. It should explicitly have the BEGIN CERTIFICATE and END CERTIFICATE tags.
certificate_name	Optional. A human-readable name that uniquely identifies a certificate within the given adapter. If one is not specified, one will be autogenerated of the format `kmip_cert_<random_string>`. To protect your privacy do not use personal data, such as your name or location, as a name for your KMIP adapter. The name must be alphanumeric and cannot contain spaces or special characters other than - or _. The name cannot be a UUID.

Optional: you can list KMIP client certificates associated with an adapter with the following curl command:

$ curl -X GET \
    "https://<region>.kms.cloud.ibm.com/api/v2/kmip_adapters/<adapter_id>/certificates" \
    -H "accept: application/vnd.ibm.kms.kmip_client_certificate+json" \
    -H "authorization: Bearer <IAM_token>" \
    -H "bluemix-instance: <instance_ID>"

You can also get a specific KMIP client certificate by using the following curl command:

$ curl -X POST \
    "https://<region>.kms.cloud.ibm.com/api/v2/kmip_adapters/<adapter_id>/certificates/<certificate_name_or_id>" \
    -H "accept: application/vnd.ibm.kms.kmip_client_certificate+json" \
    -H "authorization: Bearer <IAM_token>" \
    -H "bluemix-instance: <instance_ID>"

Note that you can use either the certificate's UUID or the certificate's name to get a specific adapter.

You can delete a KMIP client certificate with the following curl command:

$ curl -X DELETE \
    "https://<region>.kms.cloud.ibm.com/api/v2/kmip_adapters/<adapter_name_or_ID>" \
    -H "accept: application/vnd.ibm.kms.kmip_adapter+json" \
    -H "authorization: Bearer <IAM_token>" \
    -H "bluemix-instance: <instance_ID>"

You can only delete the KMIP adapter if all the KMIP objects under the adapter are deleted.

Viewing and deleting KMIP objects within an adapter

KMIP objects cannot be created through the REST API, but they can be viewed and deleted.

Retrieve authentication credentials to work with keys in the service.
Identify the KMIP adapter you want to add your certificate to.

You can view KMIP objects within a KMIP adapter with the following curl command:

$ curl -X GET \
    "https://<region>.kms.cloud.ibm.com/api/v2/kmip_adapters/<adapter_id>/kmip_objects" \
    -H "accept: application/vnd.ibm.kms.kmip_object+json" \
    -H "authorization: Bearer <IAM_token>" \
    -H "bluemix-instance: <instance_ID>"

You can view a specific KMIP object within a KMIP adapter with the following curl command:

$ curl -X GET \
    "https://<region>.kms.cloud.ibm.com/api/v2/kmip_adapters/<adapter_id>/kmip_objects/<object_id>" \
    -H "accept: application/vnd.ibm.kms.kmip_object+json" \
    -H "authorization: Bearer <IAM_token>" \
    -H "bluemix-instance: <instance_ID>"

You can delete a specific KMIP object within a KMIP adapter with the following curl command:

$ curl -X DELETE \
    "https://<region>.kms.cloud.ibm.com/api/v2/kmip_adapters/<adapter_id>/kmip_objects/<object_id>" \
    -H "accept: application/vnd.ibm.kms.kmip_object+json" \
    -H "authorization: Bearer <IAM_token>" \
    -H "bluemix-instance: <instance_ID>"

Where the <object_id> is the UUID of the KMIP object. You cannot delete KMIP objects in the Active (state=2) state.