Key management interoperability protocol – Brocade Fabric OS Encryption Administrator’s Guide Supporting Key Management Interoperability Protocol (KMIP) Key-Compliant Environments (Supporting Fabric OS v7.1.0) User Manual


Fabric OS Encryption Administrator’s Guide (KMIP) 29 53-1002747-02

2 Key Management Interoperability Protocol

The Key Management Interoperability Protocol (KMIP) standardizes the communication between
an enterprise key management system and an encryption device. The same key vault servers can
be used, only in a different mode. Currently, KMIP versions 1.0 and 1.1 are supported.

NOTE

Currently, only KMIP with SafeNet KeySecure 6.1 in native KMIP mode is supported.

The KMIP KAC adapter provides configurable HA (high availability) support. HA for the key vault
should be set before you register the key vault. Three settings are supported; however, which
settings are available is determined by the compliant key vault type that is being used:

Transparent: The client assumes the entire HA is implemented on the key vault. Key archival
and retrieval is performed without any additional key hardening checks.

Opaque: The primary and secondary key vaults are both registered on the Brocade Encryption
Switch. The client archives the key to a single (primary) key vault. For disk operations, an
additional key hardening check is done on the secondary key vault before the key is used for
encryption.

None: If no HA is selected, the primary and secondary key vaults are both registered on the
Brocade Encryption Switch. The client archives keys to both key vaults and ensures that the
archival succeeds before the key is used for encryption.
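The three HA settings above, modelled as an added illustration (this is not Brocade or SafeNet code, and no real KMIP client is involved): a constructed in-memory FakeVault stands in for a key vault, and archive_before_use returns whether a key may be used for encryption under each setting. The page does not spell out what the Opaque-mode "key hardening check" does, so the example assumes it means reading the key back from the secondary vault; the replicate_to link is an assumed simulation of the vault cluster's own replication, which is what the Transparent and Opaque settings rely on.

```python
from enum import Enum
from typing import Dict, Optional


class HaMode(Enum):
    TRANSPARENT = "transparent"
    OPAQUE = "opaque"
    NONE = "none"


class FakeVault:
    """Constructed in-memory stand-in for a KMIP key vault (not a real KMIP client).

    replicate_to is an assumed simulation of the vault cluster replicating
    archived keys on its own; fail_archive simulates an unreachable vault.
    """

    def __init__(self, name: str, fail_archive: bool = False,
                 replicate_to: Optional["FakeVault"] = None) -> None:
        self.name = name
        self.fail_archive = fail_archive
        self.replicate_to = replicate_to
        self.store: Dict[str, bytes] = {}

    def archive(self, key_id: str, key: bytes) -> bool:
        """Store a key; return False if this vault is (simulated) unreachable."""
        if self.fail_archive:
            return False
        self.store[key_id] = key
        if self.replicate_to is not None:
            self.replicate_to.store[key_id] = key
        return True

    def retrieve(self, key_id: str) -> Optional[bytes]:
        return self.store.get(key_id)


def archive_before_use(mode: HaMode, primary: FakeVault, secondary: Optional[FakeVault],
                       key_id: str, key: bytes) -> bool:
    """Return True only if the key may be used for encryption under the given HA setting."""
    if mode is HaMode.TRANSPARENT:
        # The client assumes HA is implemented entirely on the vault: one archive,
        # no additional hardening check.
        return primary.archive(key_id, key)
    if mode is HaMode.OPAQUE:
        # Archive to the primary vault only, then run the hardening check against the
        # secondary (the page scopes this check to disk operations). Assumption: the
        # check verifies that the key can be read back from the secondary vault.
        if not primary.archive(key_id, key):
            return False
        return secondary is not None and secondary.retrieve(key_id) == key
    if mode is HaMode.NONE:
        # The client archives to both vaults itself and requires both archivals to
        # succeed before the key is used.
        if secondary is None:
            return False
        ok_primary = primary.archive(key_id, key)
        ok_secondary = secondary.archive(key_id, key)
        return ok_primary and ok_secondary
    raise ValueError(f"unknown HA mode {mode!r}")


if __name__ == "__main__":
    # Constructed scenario: Opaque mode with the cluster replication link broken.
    sec = FakeVault("secondary")
    pri = FakeVault("primary")  # no replicate_to -> secondary never receives the key
    print("Opaque, replication broken, key usable:",
          archive_before_use(HaMode.OPAQUE, pri, sec, "dek-0001", b"\x01" * 32))
```

The scenario worth noticing is Opaque mode with replication between the vaults broken: the archive to the primary succeeds, but the hardening check fails and the key is withheld, which is exactly the case where encrypting with an unreplicated key would leave data unrecoverable after a primary-vault loss.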

Username authentication can be defined after TLS connectivity to a client device is requested.
Three modes are available:

User Name: Only a user name is required to identify the client device.

User Name and Password: Both a user name and a password are required to identify the client
device.

None: No authentication is required.

The TLS certificates used between the Brocade Encryption Switch and the key vault can be either
self-signed or CA-signed.

Steps for connecting to a KMIP appliance (SafeNet KeySecure)

With the introduction of Fabric OS 7.1.0, the Key Management Interoperability Protocol (KMIP)
KeySecure Management Console can be used on the Brocade Encryption Switch. Any
KMIP-compliant server can be registered as a KMIP key vault.

NOTE

Currently, only KMIP with SafeNet KeySecure for key management is supported when configured in
KMIP mode.

After installing the SafeNet KeySecure appliance (also referred to as KeySecure), you must
complete the following steps before the Brocade Encryption Switch can be configured with the
KeySecure. These steps must be performed only once.
