What was the need?
P6R sells a KMIP client SDK and a Transparent Data Encryption (TDE) Connector. The TDE connector uses PKCS#11 with a KMIP token so that an Oracle database can use a KMIP server to manage its keys. In supporting these products we have seen the need for a full featured, scriptable, KMIP command line tool that can be used with any KMIP Server.
There are similar questions that occur during KMIP application development, deployment, and support some of which include: What KMIP protocol version does the server support?; What KMIP features does the server support (e.g., streaming encryption)?; Is the TLS connection to a server working?; Did we create the key we attempted to create, what is its state, what are the attributes associated with it? Logging into the KMIP server’s Web front end won’t answer all of these questions and each server’s UI is different. Most KMIP application developers we talk to want their applications to work with all KMIP servers, and would prefer the tools they use to also work with all KMIP servers rather then one per server vendor.
We have gotten customer requests for such a tool and in response we have built a full featured, scriptable command line tool that was implemented with our own KMIP client SDK. Since we have tested our SDK with just about every KMIP server commercially available our KMIP command line tool should work with every KMIP server. Our KMIP client SDK product page documents all the servers we have test with: SKC Secure KMIP Client
It is important to note that KMIP supports more than just keys. It also supports a collection of objects which include: Certificates, Opaque objects, and Secret data such as passwords. So instead of just talking about keys we will try to use the generic term Managed Object wherever possible.
From our experience we have added the most commonly used and useful KMIP features to our command line tool. Basically each command performs one KMIP operation which includes: creating objects, exporting/importing objects, adding/modifying/deleting/listing attributes associated with objects, deleting objects, activate/revoking a key, re-keying keys, encrypt/decrypt files, obtain server generated random numbers, query server features, and searching for objects based on various filters (e.g., object type, attribute values associated with a Managed object). The search command is an very useful one. For example, we can assign a set of Managed Objects with the same KMIP custom attributes such as
“x-group-name = customerZ”. Then we can do a search (actual a KMIP Locate operation) for all Managed Objects with the associated attribute “x-group-name = customerZ”. The result of that search will be all the objects we stamped with the “x-group-name = customerZ” attribute value.
Another nice feature is that our command line tool can be configured to work with one or more KMIP servers at the same time. Each command requires the user to provide either the IP address or fully qualified domain name of a KMIP server as part of the command (e.g., “p6kmiptool -list -server kmiptest01.p6r.com ….”). Here are some simple examples of using our command line tool.
.......>p6kmiptool -config ----- Server List ----- 1> Server: [192.168.72.1] 2> Server: [kmiptest01.p6r.com] Config found 2 items. ....>p6kmiptool -list -server kmiptest01.p6r.com -type symmetrickey ----- Object List ----- 1> Type: Symmetric Key, Unique Id: [4c5db22f-3747-4d19-9593-7fa1b83816aa] 2> Type: Symmetric Key, Unique Id: [a6efe3ed-08c5-418b-b76a-c15e1652a5ac], Alias: [frank] 3> Type: Symmetric Key, Unique Id: [80116b3e-156e-4079-abd8-34ff337fffad] 4> Type: Symmetric Key, Unique Id: [96a97e73-3e6a-4b95-8c93-65c1bd2966c9], Alias: [henry11] List found 4 managed objects. .....>p6kmiptool -attributes -server kmiptest01.p6r.com -uid a6efe3ed-08c5-418b-b76a-c15e1652a5ac List of attributes associated with object [a6efe3ed-08c5-418b-b76a-c15e1652a5ac]. x-P6R-CMD-LABEL = frank, index 0 x-P6R-CMD-SKCCLIENT = true, index 0 Object Type = Symmetric Key (2), index 0 Cryptographic Algorithm = AES (3), index 0 Cryptographic Length = 256, index 0 Alternative Name = frank, index 0 Cryptographic Usage Mask = Encrypt, Decrypt, index 0 Digest hash algorithm = SHA256 (6), index 0 Digest value: b251c1ad58587d294421696063aad76f655f7c47055f83bc53dcc5a1de3c Fresh = true, index 0 Initial Date = 2016-05-16T03:32:55Z, index 0 Last Change Date = 2016-05-16T03:32:55Z, index 0 Lease Time = 3600, index 0 Original Creation Date = 2016-05-16T03:32:55Z, index 0 State = Pre-Active (1), index 0 List of object attributes succeeded (error: eOk).
The current shipping version of our KMIP command line tool can be used to script access to a KMIP server and it runs on Linux and Windows. P6R’s KMIP command line tool comes standard with our SKC KMIP client SDK and is also available as a standalone product.