How to connect a compatible product using KMIP protocol – Support Guides

Learn about the usage of the KMIP protocol and the different operations and types supported by the OVHcloud KMS.

Requirements

Instructions

Description

KMIP (Key Management Interoperability Protocol) is designed to standardize communications with a KMS.

So, any products supporting KMIP (such as VMware vSphere, Veeam, Nutanix, etc.) can natively be interfaced with a KMIP-compatible KMS, such as the OVHcloud KMS, hosted by OVHcloud or not.

It brings an easy connection and a reversible configuration.

Connection of a KMIP-compatible product with the OVHcloud KMS

The configuration depends on the product's integration but does not need any specific configuration on the OVHcloud KMS other than generating an access certificate. Software editors usually offer dedicated guides for this purpose.

As an example, the following products were validated with the OVHcloud KMS:

Nutanix
VMware
MongoDB
Barbican - for On-Premise usage
NetApp - for On-Premise usage

Direct use

It's also possible to use the KMIP API directly.

Authentication on this protocol is done with a client certificate, in the same way as for the REST API. It needs to open a TLS channel with a valid access certificate.

Then, it's possible to exchange KMIP messages such as defined in the standard. Depending on the technology stack, we recommend the following libraries:

You can also use our SDK for Go.

KMIP coverage

The OVHcloud KMS covers, at least in part, versions 1.0 to 1.4 of the KMIP standard.

Details of the coverage are available here:

Legend:

N/A : Not Applicable

✅ : Fully compatible

🚧 : Partially compatible

❌ : Not implemented

🚫 : Deprecated

Messages

	v1.0	v1.1	v1.2	v1.3	v1.4
Request Message	✅	✅	✅	✅	✅
Response Message	✅	✅	✅	✅	✅

Operations

Operation	v1.0	v1.1	v1.2	v1.3	v1.4
Create	✅	✅	✅	✅	✅
Create Key Pair	✅	✅	✅	✅	✅
Register	✅	✅	✅	✅	✅
Re-key	✅	✅	✅	✅	✅
DeriveKey	❌	❌	❌	❌	❌
Certify	❌	❌	❌	❌	❌
Re-certify	❌	❌	❌	❌	❌
Locate	✅	✅	✅	✅	✅
Check	❌	❌	❌	❌	❌
Get	✅	✅	✅	✅	✅
Get Attributes	✅	✅	✅	✅	✅
Get Attribute List	✅	✅	✅	✅	✅
Add Attribute	✅	✅	✅	✅	✅
Modify Attribute	✅	✅	✅	✅	✅
Delete Attribute	✅	✅	✅	✅	✅
Obtain Lease	✅	✅	✅	✅	✅
Get Usage Allocation	✅	✅	✅	✅	✅
Activate	✅	✅	✅	✅	✅
Revoke	✅	✅	✅	✅	✅
Destroy	✅	✅	✅	✅	✅
Archive	✅	✅	✅	✅	✅
Recover	✅	✅	✅	✅	✅
Validate	❌	❌	❌	❌	❌
Query	✅	✅	✅	✅	✅
Cancel	❌	❌	❌	❌	❌
Poll	❌	❌	❌	❌	❌
Notify	❌	❌	❌	❌	❌
Put	❌	❌	❌	❌	❌
Discover	N/A	✅	✅	✅	✅
Re-key Key Pair	N/A	❌	❌	❌	❌
Encrypt	N/A	N/A	❌	❌	❌
Decrypt	N/A	N/A	❌	❌	❌
Sign	N/A	N/A	❌	❌	❌
Signature Verify	N/A	N/A	❌	❌	❌
MAC	N/A	N/A	❌	❌	❌
MAC Verify	N/A	N/A	❌	❌	❌
RNG Retrieve	N/A	N/A	❌	❌	❌
RNG Seed	N/A	N/A	❌	❌	❌
Hash	N/A	N/A	❌	❌	❌
Create Split Key	N/A	N/A	❌	❌	❌
Join Split Key	N/A	N/A	❌	❌	❌
Export	N/A	N/A	N/A	N/A	❌
Import	N/A	N/A	N/A	N/A	❌

Managed Objects

Object	v1.0	v1.1	v1.2	v1.3	v1.4
Certificate	✅	✅	✅	✅	✅
Symmetric Key	✅	✅	✅	✅	✅
Public Key	✅	✅	✅	✅	✅
Private Key	✅	✅	✅	✅	✅
Split Key	✅	✅	✅	✅	✅
Template	✅	✅	✅	🚫	🚫
Secret Data	✅	✅	✅	✅	✅
Opaque Object	✅	✅	✅	✅	✅
PGP Key	N/A	N/A	✅	✅	✅

Base Objects

Object	v1.0	v1.1	v1.2	v1.3	v1.4
Attribute	✅	✅	✅	✅	✅
Credential	✅	✅	✅	✅	✅
Key Block	✅	✅	✅	✅	✅
Key Value	✅	✅	✅	✅	✅
Key Wrapping Data	✅	✅	✅	✅	✅
Key Wrapping Specification	✅	✅	✅	✅	✅
Transparent Key Structures	🚧	🚧	🚧	🚧	🚧
Template-Attribute Structures	✅	✅	✅	✅	✅
Extension Information	N/A	✅	✅	✅	✅
Data	N/A	N/A	❌	❌	❌
Data Length	N/A	N/A	❌	❌	❌
Signature Data	N/A	N/A	❌	❌	❌
MAC Data	N/A	N/A	❌	❌	❌
Nonce	N/A	N/A	✅	✅	✅
Correlation Value	N/A	N/A	N/A	❌	❌
Init Indicator	N/A	N/A	N/A	❌	❌
Final Indicator	N/A	N/A	N/A	❌	❌
RNG Parameter	N/A	N/A	N/A	✅	✅
Profile Information	N/A	N/A	N/A	✅	✅
Validation Information	N/A	N/A	N/A	✅	✅
Capability Information	N/A	N/A	N/A	✅	✅
Authenticated Encryption Additional Data	N/A	N/A	N/A	N/A	❌
Authenticated Encryption Tag	N/A	N/A	N/A	N/A	❌

Transparent Key Structures

Object	v1.0	v1.1	v1.2	v1.3	v1.4
Symmetric Key	✅	✅	✅	✅	✅
DSA Private/Public Key	❌	❌	❌	❌	❌
RSA Private/Public Key	✅	✅	✅	✅	✅
DH Private/Public Key	❌	❌	❌	❌	❌
ECDSA Private/Public Key	✅	✅	✅	🚫	🚫
ECDH Private/Public Key	❌	❌	❌	🚫	🚫
ECMQV Private/Public	❌	❌	❌	🚫	🚫
EC Private/Public	N/A	N/A	N/A	✅	✅

Attributes

Attribute	v1.0	v1.1	v1.2	v1.3	v1.4
Unique Identifier	✅	✅	✅	✅	✅
Name	✅	✅	✅	✅	✅
Object Type	✅	✅	✅	✅	✅
Cryptographic Algorithm	✅	✅	✅	✅	✅
Cryptographic Length	✅	✅	✅	✅	✅
Cryptographic Parameters	✅	✅	✅	✅	✅
Cryptographic Domain Parameters	✅	✅	✅	✅	✅
Certificate Type	✅	✅	✅	✅	✅
Certificate Identifier	✅	🚫	🚫	🚫	🚫
Certificate Subject	✅	🚫	🚫	🚫	🚫
Certificate Issuer	✅	🚫	🚫	🚫	🚫
Digest	✅	✅	✅	✅	✅
Operation Policy Name	✅	✅	✅	🚫	🚫
Cryptographic Usage Mask	✅	✅	✅	✅	✅
Lease Time	✅	✅	✅	✅	✅
Usage Limits	✅	✅	✅	✅	✅
State	✅	✅	✅	✅	✅
Initial Date	✅	✅	✅	✅	✅
Activation Date	✅	✅	✅	✅	✅
Process Start Date	✅	✅	✅	✅	✅
Protect Stop Date	✅	✅	✅	✅	✅
Deactivation Date	✅	✅	✅	✅	✅
Destroy Date	✅	✅	✅	✅	✅
Compromise Occurence Date	✅	✅	✅	✅	✅
Compromise Date	✅	✅	✅	✅	✅
Revocation Reason	✅	✅	✅	✅	✅
Archive Date	✅	✅	✅	✅	✅
Object Group	✅	✅	✅	✅	✅
Link	✅	✅	✅	✅	✅
Application Specific Information	✅	✅	✅	✅	✅
Contact Information	✅	✅	✅	✅	✅
Last Change Date	✅	✅	✅	✅	✅
Custom Attribute	✅	✅	✅	✅	✅
Certificate Length	N/A	✅	✅	✅	✅
X.509 Certificate Identifier	N/A	✅	✅	✅	✅
X.509 Certificate Subject	N/A	✅	✅	✅	✅
X.509 Certificate Issuer	N/A	✅	✅	✅	✅
Digital Signature Algorithm	N/A	✅	✅	✅	✅
Fresh	N/A	✅	✅	✅	✅
Alternative Name	N/A	N/A	✅	✅	✅
Key Value Present	N/A	N/A	✅	✅	✅
Key Value Location	N/A	N/A	✅	✅	✅
Original Creation Date	N/A	N/A	✅	✅	✅
Random Number Generator	N/A	N/A	N/A	✅	✅
PKCS#12 Friendly Name	N/A	N/A	N/A	N/A	✅
Description	N/A	N/A	N/A	N/A	✅
Comment	N/A	N/A	N/A	N/A	✅
Sensitive	N/A	N/A	N/A	N/A	✅
Always Sensitive	N/A	N/A	N/A	N/A	✅
Extractable	N/A	N/A	N/A	N/A	✅
Never Extractable	N/A	N/A	N/A	N/A	✅

Go further

OASIS website

For more information and tutorials, please see our other Manage & Operate support guides or explore the guides for other OVHcloud products and services.