KMIP Supported Operations

Lists the KMIP operations that HSM should support, to use the external KMIP keystore.

IMPORTANT
HPE has validated its KMIP solution on Utimaco ESKM, SafeNet KeySecure, and Vormetric DSM. KMIP is still in its early stages, so just because a HSM advertises support for the list of operations, it does not necessarily mean that it works with the HPE KMIP solution, but only that it has a good chance of working. Use at your own risk if you use HSMs that HPE did not validate. You do not have to explicitly perform any operation that is mentioned in this list.
Activate
Description: Activates managed objects.
Purpose: Activates the KEK by setting the state to Active either at the current (default) or later date. Only keys in the Active state can be used. For the data-fabric platform, the CLDB and DARE master keys are encrypted using the KMIP key.
Create
Description: Creates managed objects.
Purpose: Creates the CLDB and DARE AES-256 master keys. Keys are initially created in PreActive state and need to be activated before they can be used.
Destroy
Description: Destroys managed objects.
Purpose: Destroys a KMIP key that is no longer used.
Discover Versions
Description: Discovers supported protocol versions.
Purpose: Ensures that the KMIP server can support at least one of the KMIP protocol versions that are supported by the data-fabric client. Since this operation does not change the KMIP server state, the data-fabric KMIP client also uses it to ping the server to ensure that it is alive.
Get
Description: Retrieves managed objects.
Purpose: Retrieves the key from the HSM when the UUID (unique identifier) or name is specified.
Locate
Description: Locates managed objects based on specified attributes.
Purpose: Searches for keys by name instead of UUID.
Rekey
Description: Rekeys the Core or Common KEK.
Purpose: Used to rekey the Core or Common KEK either on a periodic basis or when the keys are compromised.
Register
Description: Imports CLDB and/or DARE key.
Purpose: Imports an existing CLDB and/or DARE key into the HSM for backup purposes for upgrade deployments.
Revoke
Description: Revokes specified keys.
Purpose: KMIP keys in the Active state cannot be deleted; they need to be revoked and placed in the Deactivated state before they can be destroyed. Used prior to deleting unused keys.