KMIP Attribute
CADP for Java supports and tests the KMIP Attribute lifecycle to the same level of support provided by the Key Manager Server.
This article includes two tables and a list of attribute definitions, as follows:
Operations supported by KMIP attributes
KMIP Attribute | Create | Get | Add | Modify | Delete |
---|---|---|---|---|---|
Application Specific Information | ✔ | ✔ | ✔ | ✔ | ✔ |
Contact Information | ✔ | ✔ | X | ✔ | ✔ |
Certificate Issuer | X | ✔ | X | X | X |
Certificate Identifier | X | ✔ | X | X | X |
Certificate Type | X | ✔ | X | X | X |
Certificate Subject | X | ✔ | X | X | X |
Cryptographic Algorithm | ** | ✔ | NA | NA | NA |
Cryptographic Length | ** | ✔ | NA | NA | NA |
Custom KMIP Attributes | ✔ | ✔ | ✔ | ✔ | ✔ |
Digest | ✔ | No server support | No server support | NA | |
Initial Date | ** | ✔ | NA | NA | NA |
Link | ✔ | ✔ | ✔ | ✔ | ✔ |
Name | ** | ✔ | see note below | ✔ | NA |
Object Group | ✔ | ✔ | ✔ | ✔ | ✔ |
Object Type | ** | ✔ | NA | NA | NA |
Unique Identifier | ** | ✔ | NA | NA | NA |
Important notes
** The KMIP attribute is set by the server from values generated on the server, such as the Unique Identifier. Parameters are passed by the NAEParameterSpec and the object initializer.
If the attribute allows multiple indexed values of the attribute, you can add more than one. Where allowed, indexes can be specified to distinguish instances for multi-instance attributes.
Modify is applicable only for non-read-only KMIP attributes.
Delete is only applicable for optional KMIP attributes.
Name is supported on an NAE server for only one name per managed object.
Supported KMIP attributes for managed object types
In the table below, a check mark (✔) underneath a managed object indicates that the named attribute (in the leftmost column) exists for that object. Note that some attributes have constraints or qualified support.
Attribute Name | Certificate | Symmetric Key | Public Key | Private Key | Secret Data | Template |
---|---|---|---|---|---|---|
Application Specific Information | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
Contact Information | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
Cryptographic Algorithm* | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
Cryptographic Domain Parameters | ++ | ++ | | | | |
Cryptographic Length* | ** | ✔ | ✔ | ✔ | ✔ | ✔ |
Cryptographic Parameters | | | | | | |
Certificate Type* | ✔ | | | | | |
Certificate Identifier* | ✔ | | | | | |
Certificate Issuer* | ✔ | | | | | |
Certificate Subject* | ✔ | | | | | |
Cryptographic Usage Mask+ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
Custom Attribute | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
Digest* | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
Last Change Date | | | | | | |
Link | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
Name* | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
Object Group | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
Object Type* | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
Operation Policy Name | | | | | | |
Unique Identifier* | ✔ | | | | | |
Note:
— * - Read only.
— ** - For KMIP 1.0, certificates have the cryptographic length attribute; for KMIP 1.1, they do not.
— ++ - Supported only for HSM management.
KMIP attribute definitions
Application Specific Information: A structure used to store data specific to the application(s) using the managed object. The maximum length of the ASI namespace is 64 characters. The maximum ASI data length is 256 characters.
Contact Information*: User-defined contact information. This information is not used for policy enforcement.
Certificate Issuer: This is from the Issuer field of the certificate. This value is based on the information extracted from a certificate. It is set during Register, Certify, or Re-certify operations.
Certificate Identifier: For X.509 certificates, this identifier contains the Issuer Distinguished Name (i.e., from the Issuer field of the certificate) and the Certificate Serial Number (i.e., from the Serial Number field of the certificate). The Certificate Serial Number is sometimes supplied as the sole identifier data.
Certificate Type: The type of a certificate (e.g., X.509 or PGP). The Type value is set by the server when the certificate is created or registered.
Certificate Subject: The entity the certificate describes, usually the Subject's Distinguished Name (DN). It may also contain the Certificate Subject Alternative Name.
Cryptographic Algorithm: The algorithm used by the object, e.g., DES, AES.
Cryptographic Length: The length, in bits, of the cleartext cryptographic key material, e.g., 1024.
Cryptographic Usage Mask: The Cryptographic Usage Mask defines the cryptographic usage of a key. This is a bit mask that indicates to the client which cryptographic functions MAY be performed using the key, and which ones SHALL NOT be performed.
Custom Attributes: Client- or server-defined attributes intended for vendor-specific purposes. Custom attribute structures are not supported. The following types are supported: Big Integer, Boolean, Byte String, Date-Time, Enumeration, Integer, Interval, Long Integer, Text String.
Digest: Contains the digest value of the key or secret data. The Key Manager only creates a SHA-256 digest. Digest is composed of a hashing algorithm and a Digest value.
Initial Date: The date and time when the managed object was first created or registered by the Key Manager.
Link: A link from one Managed Cryptographic Object to another, closely related Managed Cryptographic Object, for example a public and private key pair.
Name: Used to identify and locate an object. This attribute is assigned by the client and is composed of a Name value and a Name type. Key Manager supports the Name type string.
Object Group*: A group of objects. An object may belong to more than one group of objects.
Object Type: Describes the type of object: Symmetric Key, Template, or Secret Data.
Unique Identifier: Generated by the Key Manager to uniquely identify the managed object.
Note
- Contact Information and Object Group will appear as custom attributes in certain sections of the KeySecure Classic Management Console.
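The constraints described above (the usage mask as a MAY/SHALL NOT bit mask, the ASI length limits, the SHA-256-only Digest, and Modify being inapplicable to read-only attributes) as an added Python model. This is example code written for this article, not the CADP for Java API; the usage mask bit values are the standard KMIP 1.x ones, the attribute names and dictionary layout are assumptions.

```python
import hashlib
# KMIP 1.x Cryptographic Usage Mask bit values (OASIS KMIP specification).
USAGE_BITS = {
    "Sign": 0x01, "Verify": 0x02, "Encrypt": 0x04, "Decrypt": 0x08,
    "Wrap Key": 0x10, "Unwrap Key": 0x20, "Export": 0x40,
    "MAC Generate": 0x80, "MAC Verify": 0x100, "Derive Key": 0x200,
}
# Length limits for Application Specific Information stated in this article.
ASI_NAMESPACE_MAX, ASI_DATA_MAX = 64, 256

# Attributes the support tables mark as server-set (**) or read-only (*).
READ_ONLY = {
    "Cryptographic Algorithm", "Cryptographic Length", "Initial Date",
    "Object Type", "Unique Identifier", "Digest", "Certificate Type",
    "Certificate Identifier", "Certificate Issuer", "Certificate Subject",
}

def decode_usage_mask(mask):
    """Names of the usages a mask permits (the MAY side of the mask)."""
    return [name for name, bit in USAGE_BITS.items() if mask & bit]

def usage_permitted(mask, operation):
    """True only when the operation's bit is set; anything else SHALL NOT run."""
    return bool(mask & USAGE_BITS[operation])

def validate_asi(namespace, data):
    """Reject Application Specific Information that exceeds the documented limits."""
    if len(namespace) > ASI_NAMESPACE_MAX:
        raise ValueError("ASI namespace exceeds %d characters" % ASI_NAMESPACE_MAX)
    if len(data) > ASI_DATA_MAX:
        raise ValueError("ASI data exceeds %d characters" % ASI_DATA_MAX)
    return {"Application Namespace": namespace, "Application Data": data}

def digest_attribute(key_material):
    """Digest attribute as described: a hashing algorithm plus a SHA-256 value."""
    return {"Hashing Algorithm": "SHA-256",
            "Digest Value": hashlib.sha256(key_material).hexdigest()}

def modify_attribute(attributes, name, value):
    """Apply Modify only to attributes that are not read-only (table 1, Modify column)."""
    if name in READ_ONLY:
        raise PermissionError("%s is read-only; Modify is not applicable" % name)
    attributes[name] = value
    return attributes

if __name__ == "__main__":
    # Constructed sample: a key allowed only to Encrypt and Decrypt; Sign is refused.
    mask = USAGE_BITS["Encrypt"] | USAGE_BITS["Decrypt"]
    print(decode_usage_mask(mask), usage_permitted(mask, "Sign"))  # ['Encrypt', 'Decrypt'] False
```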