Update KMIP documentation to reflect Vault 1.11 changes. (#15868)
Update documentation to reflect new KMIP features in Vault 1.11. Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
This commit is contained in:
parent
5c03fe6a30
commit
d922225fcd
|
@ -12,12 +12,37 @@ description: |-
|
|||
with the Advanced Data Protection Module.
|
||||
|
||||
The KMIP secrets engine allows Vault to act as a [Key Management
|
||||
Interoperability Protocol](https://docs.oasis-open.org/kmip/kmip-spec/v2.0/os/kmip-spec-v2.0-os.html) (KMIP) server provider and handle
|
||||
Interoperability Protocol][kmip-spec] (KMIP) server provider and handle
|
||||
the lifecycle of its KMIP managed objects. KMIP is a standardized protocol that allows
|
||||
services and applications to perform cryptographic operations without having to
|
||||
manage cryptographic material, otherwise known as managed objects, by delegating
|
||||
its storage and lifecycle to a key management server.
|
||||
|
||||
## KMIP Conformance
|
||||
|
||||
Vault implements version 1.4 of the following Key Management Interoperability Protocol Profiles:
|
||||
|
||||
* [Baseline Server][baseline-server]
|
||||
* Supports all profile attributes except for *Alternative Name*, *Key Value Present* and
|
||||
*Key Value Location*.
|
||||
* Supports all profile operations except for *Check*, *Modify Attribute* and *Delete Attribute*.
|
||||
* Operation *Locate* only supports attributes *Activation Date*, *Application
|
||||
Specific Information*, *Cryptographic Algorithm*, *Cryptographic Length*,
|
||||
*Name*, *Object Type*, *Original Creation Date*, and *State*.
|
||||
|
||||
* [Symmetric Key Lifecycle Server][lifecycle-server]
|
||||
* Supports cryptographic algorithm *AES* (*3DES* is not supported).
|
||||
* Only the *Transparent Symmetric Key* key format type is supported.
|
||||
|
||||
* [Basic Cryptographic Server][basic-cryptographic-server]
|
||||
* Supports block cipher modes *CBC*, *CFB*, *CTR*, *ECB*, *GCM*, and *OFB*.
|
||||
* On mulit-part (streaming) operations, block cipher mode *GCM* is not supported.
|
||||
* The supported padding methods are *None* and *PKCS5*.
|
||||
|
||||
[baseline-server]: http://docs.oasis-open.org/kmip/profiles/v1.4/os/kmip-profiles-v1.4-os.html#_Toc491431430
|
||||
[lifecycle-server]: http://docs.oasis-open.org/kmip/profiles/v1.4/os/kmip-profiles-v1.4-os.html#_Toc491431487
|
||||
[basic-cryptographic-server]: http://docs.oasis-open.org/kmip/profiles/v1.4/os/kmip-profiles-v1.4-os.html#_Toc491431527
|
||||
|
||||
## Setup
|
||||
|
||||
The KMIP secrets engine must be configured before it can start accepting KMIP
|
||||
|
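Review bot: "mulit-part" in the Basic Cryptographic Server bullet ("On mulit-part (streaming) operations, block cipher mode *GCM* is not supported.") should read "multi-part". Separately, the rewritten intro switches the spec link to a reference-style `[kmip-spec]` label, but no `[kmip-spec]: ...` definition appears in this hunk alongside the `[baseline-server]`, `[lifecycle-server]` and `[basic-cryptographic-server]` definitions; confirm it is defined elsewhere in the file, otherwise the link renders as literal bracketed text. The new Conformance section is a useful addition; consider also stating the supported AES key lengths next to "Supports cryptographic algorithm *AES*", since operators sizing keys for clients will look for that here.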
@ -66,6 +91,43 @@ allowed operations for it.
|
|||
Success! Data written to: kmip/scope/my-service/role/admin
|
||||
```
|
||||
|
||||
### Supported KMIP Operations
|
||||
|
||||
The KMIP secrets engine currently supports the following set of operations:
|
||||
|
||||
```text
|
||||
operation_activate
|
||||
operation_add_attribute
|
||||
operation_create
|
||||
operation_decrypt
|
||||
operation_destroy
|
||||
operation_discover_versions
|
||||
operation_encrypt
|
||||
operation_get
|
||||
operation_get_attribute_list
|
||||
operation_get_attributes
|
||||
operation_import
|
||||
operation_locate
|
||||
operation_query
|
||||
operation_register
|
||||
operation_rekey
|
||||
operation_revoke
|
||||
```
|
||||
|
||||
Additionally, there are two pseudo-operations that can be used to allow or deny
|
||||
all operation capabilities to a role. These operations are mutually exclusive to
|
||||
all other operations. That is, if it's provided during role creation or update,
|
||||
no other operations can be provided. Similarly, if an existing role contains a
|
||||
pseudo-operation, and it is then updated with a set supported operation, it will
|
||||
be overwritten with the newly set of provided operations.
|
||||
|
||||
Pseudo-operations:
|
||||
|
||||
```text
|
||||
operation_all
|
||||
operation_none
|
||||
```
|
||||
|
||||
### Client Certificate Generation
|
||||
|
||||
Once a scope and role has been created, client certificates can be generated for
|
||||
|
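Review bot: the pseudo-operations paragraph is moved here verbatim and carries over its grammar problems; since the block is being touched anyway, fix "That is, if it's provided during role creation or update" to "That is, if one is provided during role creation or update", and "updated with a set supported operation, it will be overwritten with the newly set of provided operations" to "updated with a set of supported operations, it will be overwritten with the newly provided set of operations". Also, this list now includes `operation_encrypt`, `operation_decrypt` and `operation_import`, which the old list in the section removed below did not have; a short note that `operation_all` grants these new operations as well would help operators who have existing roles configured with `operation_all` understand that those roles gain encrypt/decrypt/import capability on upgrade.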
@ -194,44 +256,6 @@ with their client certificate.
|
|||
serial_number 317328055225536560033788492808123425026102524390
|
||||
```
|
||||
|
||||
### Supported KMIP Operations
|
||||
|
||||
The KMIP protocol supports a wide variety of operations that can be
|
||||
issued by clients to perform certain actions, such as key management,
|
||||
encryption, signing, etc. The KMIP secrets engine currently supports a subset of
|
||||
KMIP operations.
|
||||
|
||||
Supported KMIP operations:
|
||||
|
||||
```text
|
||||
operation_activate
|
||||
operation_add_attribute
|
||||
operation_create
|
||||
operation_destroy
|
||||
operation_discover_versions
|
||||
operation_get
|
||||
operation_get_attribute_list
|
||||
operation_get_attributes
|
||||
operation_locate
|
||||
operation_register
|
||||
operation_rekey
|
||||
operation_revoke
|
||||
```
|
||||
|
||||
Additionally, there are two pseudo-operations that can be used to allow or deny
|
||||
all operation capabilities to a role. These operations are mutually exclusive to
|
||||
all other operations. That is, if it's provided during role creation or update,
|
||||
no other operations can be provided. Similarly, if an existing role contains a
|
||||
pseudo-operation, and it is then updated with a set supported operation, it will
|
||||
be overwritten with the newly set of provided operations.
|
||||
|
||||
Pseudo-operations:
|
||||
|
||||
```text
|
||||
operation_all
|
||||
operation_none
|
||||
```
|
||||
|
||||
## Tutorial
|
||||
|
||||
Refer to the [KMIP Secrets Engine](https://learn.hashicorp.com/vault/secrets-management/kmip-engine)
|
||||
|
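Review bot: removing this duplicate section is the right call, but its intro sentence ("The KMIP secrets engine currently supports a subset of KMIP operations") is the only place the docs said the list is a subset of the protocol; the replacement section above opens with "supports the following set of operations", so consider carrying the "subset" wording into the new section so readers do not assume unlisted KMIP operations are available.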