KMIP Fundamentals
CADP for Java offers support for KMIP usage profiles as defined by OASIS standards for the Key Management Interoperability Protocol (KMIP). It provides a complete and consistent set of CADP for Java API managed objects and supports attributes across the object lifecycle. The Javadoc covering KMIP is located in CADP_for_JAVA/documentation/javadoc. The KMIP samples are available on GitHub.
CADP for Java provides support for:
KMIP Managed Object
KMIP Operations
KMIP Attribute
KMIP Multi-Operation
KMIP protocol and session fundamentals
KMIP support is implemented through CADP for Java objects and methods.
Each managed object has a name and a session.
The type of session – XML or KMIP – defines the protocol and the port used in communicating with the server. KMIPSession objects communicate via the KMIP protocol to the KMIP server port.
Construction of KMIP sessions requires client certificate authentication to the KMIP Server.
KMIP uses SSL ONLY.
KMIP v1.2 protocol is used for communicating with the server.
KMIP managed objects use some of the same attributes as NAE objects, such as Name and Algorithm, but KMIP managed objects and NAE objects each also use unique attributes that are not shared. For example, KMIP uses application-specific attributes (e.g., Object Type, Cryptographic Usage Mask); NAE uses permissions and other attributes not supported by KMIP.
Working with KMIP requires attention to the unique attributes, capabilities and constraints imposed by the KMIP specification on managed objects.
Key versioning and group key permission are not supported by the Key Manager with the KMIP protocol.
KMIP installation requirements
Key operations using KMIP require an appropriately configured Key Manager server.
CADP for Java provides a subset of KMIP functionality. When used with Key Manager, it is limited to capabilities supported by Key Manager. KMIP interoperability enables you to use other servers as well.
KMIP Key Lifecycle operations and objects do not map 1-to-1 to CADP for Java Key Lifecycle operations and objects manipulated over the XML protocol.
KMIP is delivered as an integral part of CADP for Java. However, KMIP uses a binary protocol and requires its own dedicated port. It does not use proprietary XML for communications between client and server. To use this protocol, set the KMIP_Port parameter in the CADP_for_JAVA.properties file. Starting with version 6.2.0, CADP for Java provides KMIP support for certificate managed objects.
Setting the KMIP_Port parameter creates one connection pool for each IP address and port to the KMIP port on the NAE server, and also causes Key operations to use KMIP binary. All Crypto operations will continue to use the XML port and XML protocol. KMIP does not support crypto operations, so you must use an NAESession (as opposed to a KMIPSession) for cryptographic operations on the server. If you want to use KMIP for Key operations and you also want to perform Crypto operations, you must set up both the KMIP and XML ports in the CADP_for_JAVA.properties file.
Configure KMIP settings
A client certificate and a key store are required for communication between a CADP for Java client and a KMIP server. To authenticate a KMIPSession to a KMIP server, set the following required and optional properties in the CADP_for_JAVA.properties file.
Required Parameters
Protocol=ssl
KMIP_Port - the port on the server that is configured for the KMIP protocol
Client_Cert_Alias
Client_Cert_Passphrase
Key_Store_Location
Key_Store_Password
Optional Parameters
KMIP_Private_Suffix
KMIP_Public_Suffix
For description of these parameters, refer to Configuration Parameters.
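The following is an added example, not code from CADP for Java or its documentation. It reads a CADP_for_JAVA.properties file and reports the KMIP configuration problems described above: a required parameter that is missing, Protocol not set to ssl (KMIP sessions use SSL only), or a KMIP_Port value that is not a TCP port. The two embedded property sets are constructed samples; the port number 5696, the key store path and the passphrases are placeholders, not values from the page.

```python
"""Added sanity check for the KMIP-related entries of CADP_for_JAVA.properties.

Example code, not part of CADP for Java. It parses a Java-style properties
file and checks the parameters the documentation lists as required for a
KMIPSession.
"""
from typing import Dict, List

# Parameters the documentation names as required for a KMIPSession.
REQUIRED = (
    "Protocol",
    "KMIP_Port",
    "Client_Cert_Alias",
    "Client_Cert_Passphrase",
    "Key_Store_Location",
    "Key_Store_Password",
)


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: '#'/'!' comments, '=' or ':' separators.

    Line continuations and escape sequences are not handled; the flat
    key=value layout of CADP_for_JAVA.properties does not need them.
    """
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # The first '=' or ':' on the line separates key from value, so a
        # Windows path such as C:\store.jks in the value is not split.
        cut = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if cut < 0:
            continue
        props[line[:cut].strip()] = line[cut + 1:].strip()
    return props


def check_kmip_config(props: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the KMIP settings look usable."""
    problems: List[str] = []
    for key in REQUIRED:
        if not props.get(key):
            problems.append(f"missing required parameter {key}")
    # KMIP sessions require SSL; any other Protocol value cannot open a KMIPSession.
    protocol = props.get("Protocol")
    if protocol and protocol.lower() != "ssl":
        problems.append("Protocol must be ssl; KMIP sessions use SSL only")
    port = props.get("KMIP_Port")
    if port and not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append(f"KMIP_Port must be a TCP port number, got {port!r}")
    return problems


# Constructed sample: an XML-only client configuration that is NOT usable for KMIP
# (Protocol is not ssl, KMIP_Port is absent, the certificate passphrase is empty).
WEAK_CONFIG = """
Protocol=tcp
Client_Cert_Alias=cadp-client
Client_Cert_Passphrase=
Key_Store_Location=/opt/cadp/client.jks
Key_Store_Password=changeit
"""

# Constructed sample: the same file with the documented KMIP parameters set.
# 5696, the path and the passphrases are placeholders for your own values.
KMIP_CONFIG = """
Protocol=ssl
KMIP_Port=5696
Client_Cert_Alias=cadp-client
Client_Cert_Passphrase=client-cert-passphrase
Key_Store_Location=/opt/cadp/client.jks
Key_Store_Password=changeit
# optional parameters
KMIP_Private_Suffix=_priv
KMIP_Public_Suffix=_pub
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("kmip", KMIP_CONFIG)):
        found = check_kmip_config(parse_properties(text))
        print(f"{name}: {'OK' if not found else found}")
```

Run it against a real file with `check_kmip_config(parse_properties(open("CADP_for_JAVA.properties").read()))`. The check only covers the parameters this page lists; it does not verify that the key store exists or that the alias and passphrase open it, which the KMIPSession itself will report on connection.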
The KMIP-related tasks are mentioned in KMIP Tasks.
In the subsequent articles, you will learn about: