Lists the KMIP operations that an HSM should support for use with the external KMIP
keystore.
IMPORTANT
HPE has validated its KMIP solution on Utimaco ESKM, SafeNet KeySecure, and Vormetric DSM.
KMIP is still in its early stages, so an HSM that advertises support for the operations in
this list does not necessarily work with the HPE KMIP solution; it only has a good chance of
working. Use HSMs that HPE did not validate at your own risk. You do not have to
explicitly perform any operation that is mentioned in this list.
- Activate
  - Description: Activates managed objects.
  - Purpose: Activates the KEK by setting the state to Active, either at the current date (default) or at a later date. Only keys in the Active state can be used. For the data-fabric platform, the CLDB and DARE master keys are encrypted using the KMIP key.
- Create
  - Description: Creates managed objects.
  - Purpose: Creates the CLDB and DARE AES-256 master keys. Keys are initially created in the PreActive state and need to be activated before they can be used.
- Destroy
  - Description: Destroys managed objects.
  - Purpose: Destroys a KMIP key that is no longer used.
- Discover Versions
  - Description: Discovers supported protocol versions.
  - Purpose: Ensures that the KMIP server can support at least one of the KMIP protocol versions that are supported by the data-fabric client. Since this operation does not change the KMIP server state, the data-fabric KMIP client also uses it to ping the server to ensure that it is alive.
- Get
  - Description: Retrieves managed objects.
  - Purpose: Retrieves the key from the HSM when the UUID (unique identifier) or name is specified.
- Locate
  - Description: Locates managed objects based on specified attributes.
  - Purpose: Searches for keys by name instead of UUID.
- Rekey
  - Description: Rekeys the Core or Common KEK.
  - Purpose: Used to rekey the Core or Common KEK, either on a periodic basis or when the keys are compromised.
- Register
  - Description: Imports CLDB and/or DARE key.
  - Purpose: Imports an existing CLDB and/or DARE key into the HSM for backup purposes in upgrade deployments.
- Revoke
  - Description: Revokes specified keys.
  - Purpose: KMIP keys in the Active state cannot be deleted; they need to be revoked and placed in the Deactivated state before they can be destroyed. Used prior to deleting unused keys.
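The key lifecycle stated in the Create, Activate, Revoke and Destroy entries, together with a check of an HSM's advertised operations against this list, as an added example that is not HPE code. The function names, the "Destroyed" state label and the sample operation list are assumptions made for illustration.

```python
# Added example: names follow the list above; "Destroyed" is an assumed label.
REQUIRED_OPS = {
    "Activate", "Create", "Destroy", "Discover Versions", "Get",
    "Locate", "Rekey", "Register", "Revoke",
}

# (operation, state before) -> state after. Only the transitions the list
# spells out are modelled; anything else is rejected by this sketch.
TRANSITIONS = {
    ("Create", None): "PreActive",         # keys start in PreActive
    ("Activate", "PreActive"): "Active",   # must be activated before use
    ("Revoke", "Active"): "Deactivated",   # Active keys cannot be deleted
    ("Destroy", "Deactivated"): "Destroyed",
}

class LifecycleError(ValueError):
    """Raised when an operation is not valid for the key's current state."""

def missing_operations(advertised):
    """Return the required operations an HSM does not advertise, sorted."""
    return sorted(REQUIRED_OPS - set(advertised))

def is_usable(state):
    """Only keys in the Active state can be used."""
    return state == "Active"

def replay(ops):
    """Apply operations to one key in order; return the states visited."""
    state, trace = None, []
    for op in ops:
        nxt = TRANSITIONS.get((op, state))
        if nxt is None:
            where = state or "no key yet"
            raise LifecycleError(f"{op} is not allowed in state: {where}")
        state = nxt
        trace.append(state)
    return trace

if __name__ == "__main__":
    # Constructed sample: operation names an HSM might advertise.
    advertised = ["Create", "Get", "Activate", "Destroy", "Locate", "Discover Versions"]
    print("missing:", missing_operations(advertised))
    print("retire :", replay(["Create", "Activate", "Revoke", "Destroy"]))
    try:
        replay(["Create", "Activate", "Destroy"])  # skips Revoke
    except LifecycleError as err:
        print("refused:", err)
```

A full set of advertised operations only passes the first check; as the note above says, it does not prove that an unvalidated HSM works with the HPE KMIP solution.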