Thales KMIP Configuration Guide

Overview

  • Make sure your CipherTrust Manager is licensed to allow KMIP access
  • Create a domain for each tenant organization
  • Register the domain CA with the KMIP service
  • Create a domain user that will manage encryption keys
  • Create a certificate for the user to authenticate with the KMIP service
  • Use the key and certificate for the user to finish configuration of the BYOK service in the VMware Cloud Director Tenant UI

Before getting started, make sure you have CipherTrust running with the correct network configuration and administrator credentials.

UI

See the "BYOK Thales Configuration Guide - UI.pdf" file attached to this page for detailed instructions.

CLI

# Download the ksctl utility and make it available in your path.
sudo install ksctl-linux-amd64 /usr/local/bin/ksctl

Configuration

ksctl reads its settings from a YAML configuration file (by default ~/.ksctl/config.yaml). Replace the URL and the administrator credentials with the values for your appliance:

KSCTL_VERBOSITY: false
KSCTL_RESP: json
KSCTL_URL: https://192.168.111.160:443
KSCTL_USERNAME: admin
KSCTL_PASSWORD: PASSWORD
KSCTL_NOSSLVERIFY: true
KSCTL_TIMEOUT: 30

KSCTL_NOSSLVERIFY: true turns off certificate verification for ksctl's own TLS connection to CipherTrust Manager. It is convenient during initial setup of a lab appliance, but set it to false once the appliance presents a certificate your workstation trusts. The file also stores the administrator password in clear text, so restrict its permissions to your own user.


Licensing

You can skip this step if you have already activated your CipherTrust appliance with an official or trial license.

ksctl licensing trials activate --id "CipherTrust Manager Full Trial" --timeout 120


Create a domain

export CT_DOMAIN_NAME=Group01

# Create the domain; the admin user becomes its administrator
ksctl domains create \
  --allow-user-mgmt \
  --admins=admin \
  --name="$CT_DOMAIN_NAME"

# Add the domain default CA as an external CA in the root domain
get_domain_ca_id() { ksctl domains get --id="$CT_DOMAIN_NAME" | jq -r .default_ca_id; }

get_domain_ca() { ksctl --domain="$CT_DOMAIN_NAME" ca locals get --id="$(get_domain_ca_id)" | jq -r .cert; }

ksctl ca externals upload \
  --cert-ca="$(get_domain_ca)"

# Append the external CA to the KMIP interface list of trusted CAs
get_domain_ca_root_uri() { ksctl ca externals list --cert-ca="$(get_domain_ca)" | jq -r '.resources[0].uri'; }

# Existing trusted external CAs plus the domain CA, de-duplicated so that
# re-running this step does not add the same URI twice
get_kmip_trusted_external_cas() {
  ksctl interfaces get --name=kmip \
    | jq -r --arg uri "$(get_domain_ca_root_uri)" \
      '.trusted_cas.external + [$uri] | unique | join(",")'
}

ksctl interfaces modify \
  --name=kmip \
  --trusted-external-cas="$(get_kmip_trusted_external_cas)"


Create a domain user for KMIP access

export CT_DOMAIN_USERNAME="user01"
export CT_DOMAIN_PASSWORD="P@ssw0rd"   # placeholder; use a strong, unique password

# Create a domain user that may only authenticate with a client certificate
ksctl --domain="$CT_DOMAIN_NAME" users create \
  --name="$CT_DOMAIN_USERNAME" \
  --pword="$CT_DOMAIN_PASSWORD" \
  --is-domain-user=true \
  --allowed-auth-methods=user_certificate

# Add the domain user to the "Key Users" group
get_domain_userid() { ksctl --domain="$CT_DOMAIN_NAME" users list --username="$CT_DOMAIN_USERNAME" | jq -r '.resources[0].user_id'; }

ksctl --domain="$CT_DOMAIN_NAME" groups adduser \
  --name="Key Users" \
  --userid="$(get_domain_userid)"

# Create a KMIP profile for the user; the CN of the client certificate
# has the form "<domain>|<domain>||<username>"
jq -n '{"csr_cn": ($ENV.CT_DOMAIN_NAME + "|" + $ENV.CT_DOMAIN_NAME + "||" + $ENV.CT_DOMAIN_USERNAME)}' > kmip-profile.json

ksctl --domain="$CT_DOMAIN_NAME" kmip createprofile \
  --profilename="$CT_DOMAIN_USERNAME" \
  --kmipprof=kmip-profile.json

# Create a KMIP registration token for the user, tied to the domain CA
# (get_domain_ca_id is defined in the "Create a domain" step)
ksctl --domain="$CT_DOMAIN_NAME" kmip createkmipregtoken \
  --ca_id="$(get_domain_ca_id)" \
  --profilename="$CT_DOMAIN_USERNAME" \
  --name-prefix="KMIP-$CT_DOMAIN_USERNAME-" \
  | tee kmip-regtoken.json

# Register a KMIP client for the user with the token
get_regtoken() { jq -r .token kmip-regtoken.json; }

ksctl --domain="$CT_DOMAIN_NAME" kmip register \
  --name="$CT_DOMAIN_USERNAME" \
  --regtoken="$(get_regtoken)" \
  | tee kmip-client.json

# Get the KMIP client credentials (private key and certificate) to enter in
# the Cloud Director BYOK configuration
jq -r .key kmip-client.json
jq -r .cert kmip-client.json

# Clean up temporary files; kmip-client.json contains the private key
rm kmip-profile.json kmip-regtoken.json kmip-client.json

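Before entering the key and certificate in the Cloud Director Tenant UI, it is worth confirming that they belong together, carry the expected "<domain>|<domain>||<username>" CN, and chain to the domain CA that was registered on the KMIP interface. The checker below is an added example, not part of the Thales guide or of ksctl; it assumes openssl is installed and that the output of `jq -r .key`, `jq -r .cert` and `get_domain_ca` was saved to files (client.key, client.crt and domain-ca.crt are hypothetical names).

```shell
#!/usr/bin/env bash
# Added example, not part of the Thales guide: sanity-check the KMIP client
# material before pasting it into the Cloud Director BYOK form. Assumes openssl
# is on PATH and that the key, cert and domain CA printed above were saved to files.
set -eu

# Print the CN of a PEM certificate; RFC 2253 output leaves "|" unescaped.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# check_kmip_client_material CERT KEY CA_CERT DOMAIN USER
# Succeeds only if the CN equals the csr_cn used for the KMIP profile
# ("<domain>|<domain>||<user>"), the private key belongs to the certificate,
# and the certificate chains to the domain CA trusted by the KMIP interface.
check_kmip_client_material() {
  local cert=$1 key=$2 ca=$3 expected="$4|$4||$5" cn
  cn=$(cert_cn "$cert")
  [ "$cn" = "$expected" ] \
    || { echo "CN mismatch: got '$cn', expected '$expected'" >&2; return 1; }
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
    || { echo "private key does not belong to the certificate" >&2; return 1; }
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "certificate does not chain to the domain CA" >&2; return 1; }
}

# Constructed fixture for trying the checker offline: a throwaway CA and a client
# certificate with the given CN. This is NOT real CipherTrust output.
# Prints the directory that holds ca.crt, ca.key, client.crt and client.key.
make_fixture() {
  local cn=$1 d
  d=$(mktemp -d)
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -subj "/CN=Group01 domain CA" -keyout "$d/ca.key" -out "$d/ca.csr" 2>/dev/null
  openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 1 \
    -extfile "$d/ca.ext" -out "$d/ca.crt" 2>/dev/null
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -subj "/CN=$cn" -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
  openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/client.crt" 2>/dev/null
  echo "$d"
}

# Usage with real material:
#   check_kmip_client_material client.crt client.key domain-ca.crt Group01 user01
```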

Version history: revision 2 of 2, last updated 11-15-2023 06:56 PM