Home » Articles

P6R’s KMIP Verification Suite (KVS)

By Mark Joseph - March 13, 2018 @ 11:08 am

This document was updated on 30 June 2020.

P6R is introducing the new product KMIP Verification Suite (KVS). Due to customer interest we have taken our KMIP test harness, which we have used to develop our KMIP Client product (SKC) and have used during several OASIS KMIP Interop events, and are making it available to vendors to test their KMIP server products. KVS implements all defined OASIS KMIP test cases for protocol versions 1.0, 1.1, 1.2, 1.3, 1.4, 2.0, and 2.1. KVS is implemented with P6R’s Secure KMIP Client (SKC) to generate proper KMIP messages in TTLV, JSON, XML, and TTLV over HTTPS. SKC is also used to parse the server’s response while KVS matches the server’s response to what is expected as defined by the OASIS test cases.

KVS supports the following OASIS defined KMIP defined tests:
KMIP Test Cases Version 1.0, (defined in several of the documents below such as http://docs.oasis-open.org/kmip/testcases/v1.2/kmip-testcases-v1.2.html)

KMIP Test Cases Version 1.1, http://docs.oasis-open.org/kmip/testcases/v1.1/kmip-testcases-v1.1.html

KMIP Test Cases Version 1.2, http://docs.oasis-open.org/kmip/testcases/v1.2/kmip-testcases-v1.2.html

KMIP Test Cases Version 1.3, http://docs.oasis-open.org/kmip/testcases/v1.3/kmip-testcases-v1.3.html

KMIP Test Cases Version 1.4, http://docs.oasis-open.org/kmip/testcases/v1.4/cn01/kmip-testcases-v1.4-cn01.html

KMIP Test Cases Version 2.0, http://docs.oasis-open.org/kmip/kmip-testcases/v2.0/cn01/kmip-testcases-v2.0-cn01.html

KMIP Test Cases Version 2.1

KVS has been used to test interoperability with the following KMIP servers:
1. Cryptsoft KMIP C Server SDK
2. Cryptsoft KMIP Java Server SDK
3. Dell KMIP Server
4. Fornetix Key Orchestration Server
5. Micro Focus ESKM Server (formerly HPE)
6. IBM SKLM Server
7. QuintessenceLabs qCrypt Server
8. SafeNet KeySecure Server
9. Thales KeyAuthority KMIP Server
10. Townsend Security Alliance Key Manager
11. Utimaco KeyServer
12. Vormetric Data Security Manager KMIP Server
13. Kryptus kNET HSM
14. Hancom Secure KeyManager
15. Unbound UKC Server
16. keyNexus KMIP Server

P6R is a member of the OASIS KMIP technical committee and one if its employees is a co-editor on several of the KMIP test case documents.

P6R has been in business for 14 years

By Mark Joseph - November 30, 2017 @ 10:44 am

P6R is a privately held, self-funded and self-sustaining software company found in 2004. Providing multi-platform solutions to a broad range of businesses, P6R’s security products and professional services enable businesses to easily solve their key management and encryption integration challenges with OASIS KMIP, PKCS#11 toolkits and custom clients.

P6R partners with our customers in an ongoing relationship to develop successful solutions that deliver the highest levels of quality and customer value. P6R has a wide range of expertise in areas including computer security, networking, mobile technologies, scalability, high-availability, email, and ad serving. We take personal pride in everything that we do and are committed to achieving exceptional business results.

P6R is a Sponsor level member of OASIS (https://www.oasis-open.org/member-roster).

P6R is a member of the OASIS KMIP Technical Committee.

P6R is a member of the OASIS PKCS#11 Technical Committee.

P6R provides KMIP client (https://www.p6r.com/articles/2016/08/08/p6rs-kmip-client-product-suite/) and server (https://www.p6r.com/articles/2017/11/14/p6rs-kmip-server-library-ksl/) products.

P6R also provides a PKCS#11 library that integrates with KMIP and all major HSMs (https://www.p6r.com/articles/2014/11/22/p6rs-pkcs-11-provider/)

P6R has customers in disk storage, health care, financial, and enterprise data management.

P6R is a technology partner with several major security companies:
Safenet (https://safenet.gemalto.com/partners/p6r/), Thales e-Security ASAP member, Microfocus (previously HPE).

P6R is a US company based in California. All development and testing are done in the US.

P6R’s KMIP Server Library (KSL)

By Mark Joseph - November 14, 2017 @ 12:32 pm

This document was updated on 4 Oct. 2021.

P6R is introducing the new product KMIP Server Library (KSL). Due to customer interest we have extended our powerful KMIP client parsing library (i.e., SKC) to be able to parse server side requests. This product includes a server side parser and all the functions needed to send a properly encoded response back to a KMIP client. The idea is that a vendor, who has a key server, can now use KSL to add a KMIP protocol front end. The server vendor will still have to implement all server side mechanisms, but will not have to deal with the complexity of parsing or generating TTLV, XML, and JSON KMIP messages.

KSL is available on Windows and Linux. It supports a C++, C, and Java Native Interface (JNI) language bindings. KSL supports all KMIP operations that are defined for KMIP 1.0, 1.1, 1.2, 1.3, 1.4, 2.0, 2.1 except for: Export. Support for the KMIP 1.4 operation Export will be added in the near future.

P6R’s KMIP Client Product Suite

By Mark Joseph - August 8, 2016 @ 10:09 pm

This document was updated on 30 June 2020.

P6R KMIP software can support a wide range of customer requirements with various programming language and integration support.

Supported Programming Languages

1. C/C++ — Secure KMIP Client (SKC) SDK
2. Java Security Provider
3. Java Native Interface (JNI)p6javakmip is a wrapper around the SKC library
4. python extension modulep6pythonkmip is a wrapper around the SKC library with a similar API as defined by p6javakmip. p6pythonkmip supports both Python 2.X and Python 3.X.

Supported Integrations

1. PKCS#11 KMIP Token
2. Oracle Transparent Data Encryption (TDE) support via P6R’s PKCS#11 KMIP Token
In this integration the Oracle database thinks it is connected to a Hardware Security Module (HSM) but it actually is using a KMIP server.
3. KMIP used in a SSH server
4. KMIP Command Line Tool allows customers to script their access to a KMIP server
5. PKCS#11 KMIP token as the PKCS#11 provider for PrimeKey’s SignServer

Supported Platforms

1. Linux x86 Kernel 2.6+ (32bit/64bit)
2. Windows 7/8+ (32bit/64bit), Windows Server 2008R2+ (32bit/64bit)
3. Unified Extensible Firmware Interface (UEFI) 64bit Tianocore Native PE Format
4. Intel and ARM processors

Supported KMIP Protocol Versions

Complete implementations of: 1.0, 1.1, 1.2, 1.3, 1.4, 2.0, 2.1.

Supported KMIP Servers

P6R has performed inter-operation testing with the following KMIP servers either at an OASIS run event or via private testing arranged between the two companies.

1. Cryptsoft KMIP C Server SDK
2. Cryptsoft KMIP Java Server SDK
3. Dell KMIP Server
4. Fornetix Key Orchestration Server
5. Micro Focus ESKM Server (formerly HPE)
6. IBM SKLM Server
7. QuintessenceLabs qCrypt Server
8. SafeNet KeySecure Server
9. Thales KeyAuthority KMIP Server
10. Townsend Security Alliance Key Manager
11. Utimaco KeyServer
12. Vormetric KMIP Server
13. Kryptus kNET HSM
14. Hancom Secure KeyManager
15. Unbound UKC Server
16. KeyNexus Universal Key Manager
17. StorMagic SvKMS

Note that P6R customers have reported successfully testing our KMIP client with the following additional server: Hytrust KeyControl

Need a Command Line KMIP Client?

By Mark Joseph - June 4, 2016 @ 9:47 am

What was the need?

P6R sells a KMIP client SDK and a Transparent Data Encryption (TDE) Connector. The TDE connector uses PKCS#11 with a KMIP token so that an Oracle database can use a KMIP server to manage its keys. In supporting these products we have seen the need for a full featured, scriptable, KMIP command line tool that can be used with any KMIP Server.

There are similar questions that occur during KMIP application development, deployment, and support some of which include: What KMIP protocol version does the server support?; What KMIP features does the server support (e.g., streaming encryption)?; Is the TLS connection to a server working?; Did we create the key we attempted to create, what is its state, what are the attributes associated with it? Logging into the KMIP server’s Web front end won’t answer all of these questions and each server’s UI is different. Most KMIP application developers we talk to want their applications to work with all KMIP servers, and would prefer the tools they use to also work with all KMIP servers rather then one per server vendor.

We have gotten customer requests for such a tool and in response we have built a full featured, scriptable command line tool that was implemented with our own KMIP client SDK. Since we have tested our SDK with just about every KMIP server commercially available our KMIP command line tool should work with every KMIP server. Our KMIP client SDK product page documents all the servers we have test with: SKC Secure KMIP Client

Our Solution

It is important to note that KMIP supports more than just keys. It also supports a collection of objects which include: Certificates, Opaque objects, and Secret data such as passwords. So instead of just talking about keys we will try to use the generic term Managed Object wherever possible.

From our experience we have added the most commonly used and useful KMIP features to our command line tool. Basically each command performs one KMIP operation which includes: creating objects, exporting/importing objects, adding/modifying/deleting/listing attributes associated with objects, deleting objects, activate/revoking a key, re-keying keys, encrypt/decrypt files, obtain server generated random numbers, query server features, and searching for objects based on various filters (e.g., object type, attribute values associated with a Managed object). The search command is an very useful one. For example, we can assign a set of Managed Objects with the same KMIP custom attributes such as
“x-group-name = customerZ”. Then we can do a search (actual a KMIP Locate operation) for all Managed Objects with the associated attribute “x-group-name = customerZ”. The result of that search will be all the objects we stamped with the “x-group-name = customerZ” attribute value.

Another nice feature is that our command line tool can be configured to work with one or more KMIP servers at the same time. Each command requires the user to provide either the IP address or fully qualified domain name of a KMIP server as part of the command (e.g., “p6kmiptool -list -server kmiptest01.p6r.com ….”). Here are some simple examples of using our command line tool.

.......>p6kmiptool -config

----- Server List  -----
1> Server: []
2> Server: [kmiptest01.p6r.com]

Config found 2 items.

....>p6kmiptool -list -server kmiptest01.p6r.com -type symmetrickey

----- Object List  -----
1> Type: Symmetric Key, Unique Id: [4c5db22f-3747-4d19-9593-7fa1b83816aa]
2> Type: Symmetric Key, Unique Id: [a6efe3ed-08c5-418b-b76a-c15e1652a5ac], Alias: [frank]
3> Type: Symmetric Key, Unique Id: [80116b3e-156e-4079-abd8-34ff337fffad]
4> Type: Symmetric Key, Unique Id: [96a97e73-3e6a-4b95-8c93-65c1bd2966c9], Alias: [henry11]

List found 4 managed objects.

.....>p6kmiptool -attributes -server kmiptest01.p6r.com -uid a6efe3ed-08c5-418b-b76a-c15e1652a5ac

List of attributes associated with object [a6efe3ed-08c5-418b-b76a-c15e1652a5ac].

x-P6R-CMD-LABEL = frank, index 0
x-P6R-CMD-SKCCLIENT = true, index 0
Object Type = Symmetric Key (2), index 0
Cryptographic Algorithm = AES (3), index 0
Cryptographic Length = 256, index 0
Alternative Name = frank, index 0
Cryptographic Usage Mask = Encrypt, Decrypt, index 0

Digest hash algorithm = SHA256 (6), index 0
Digest value: b251c1ad58587d294421696063aad76f655f7c47055f83bc53dcc5a1de3c

Fresh = true, index 0
Initial Date = 2016-05-16T03:32:55Z, index 0
Last Change Date = 2016-05-16T03:32:55Z, index 0
Lease Time = 3600, index 0
Original Creation Date = 2016-05-16T03:32:55Z, index 0
State = Pre-Active (1), index 0

List of object attributes succeeded (error: eOk).

The current shipping version of our KMIP command line tool can be used to script access to a KMIP server and it runs on Linux and Windows. P6R’s KMIP command line tool comes standard with our SKC KMIP client SDK and is also available as a standalone product.

Using KMIP via a Java Security Provider

By Mark Joseph - May 9, 2016 @ 5:23 pm

This document was updated on 12 May 2016.


P6R sells a PKCS 11 Version 2.40 Provider with a KMIP token. The KMIP token translates each PKCS 11 API function into and out of the KMIP protocol. The user of the PKCS 11 KMIP token does not even know they are talking to a KMIP server. Java supports PKCS 11 as a possible security provider via the SunPKCS11 wrapper. Also JCE provider products also directly support PKCS 11 wrappers (e.g., IAIK).

The significant benefit of using KMIP via a Java security provider is that a Java programmer can use KMIP without having to learn anything about KMIP. No company specific KMIP APIs to learn. Its even possible that existing Java programs can be converted (with the occasional tweak) to use KMIP this way. All that is required to make this work is some straightforward configuration.

Testing Environment

We have tested out our PKCS 11 library as a Java security provider both on Centos 6 and Windows using the following:

To build our Java examples we used: 
jdk1.8.0_65, language level 8.0, IntelliJ IDEA 2016.1.1
JVM: Java HotSpot(TM) 64-Bit Server VM by Oracle Corporation

Systems tested on:
[1] Windows 7 Ultimate, 64 bit
C:\....>java -version
java version "1.8.0_91"
Java(TM) SE Runtime Environment (build 1.8.0_91-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.91-b14, mixed mode)
64 bit p6pkcs11.dll library 

[2] Centos6 Linux
[...... ~]$ cat /etc/redhat-release
CentOS release 6.7 (Final)
[....... ~]$ java -version
openjdk version "1.8.0_77"
OpenJDK Runtime Environment (build 1.8.0_77-b03)
OpenJDK 64-Bit Server VM (build 25.77-b03, mixed mode)
64 bit libp6pkcs11.so

Java Examples

Below are just a few code snippets that we have taken out of several of our Java test programs.

Code example 1:

KeyGenerator keyGen = KeyGenerator.getInstance("AES", "SunPKCS11-P6RPKCS11");
Key key = keyGen.generateKey();

// replace an older key
if (ks.containsAlias("symmetric_aes_128_key")) ks.deleteEntry("symmetric_aes_128_key");
ks.setKeyEntry("symmetric_aes_128_key", key, null, null);

Don’t see any KMIP calls here right? The magic is in the specification of the provider:
“SunPKCS11-P6RPKCS11″. The result is that the above code calls the KMIP server to generate the AES key. Then that key can be found later by calls to the keystore.

Code example 2:

// the "12345678" is the keystore's password (i.e., the PKCS#11 token's PIN)
KeyStore ks = KeyStore.getInstance("PKCS11", "SunPKCS11-P6RPKCS11");
ks.load(null, "12345678".toCharArray());
Key secretKey = ks.getKey("symmetric_aes_128_key", null);

The three lines above actually do a KMIP Locate call for a key with a custom KMIP attribute set to “symmetric_aes_128_key”. In Java, “symmetric_aes_128_key” is referred to as the
alias. (Actually the code above first makes PKCS#11 C_FindObjects() calls which our KMIP token maps to KMIP Locate. Still all that is done for the Java programmer and totally hidden from them.)

Code example 3:

private static byte[] encryptData(Key secretKey, byte[] iv, String handling, byte[] clearText) { 
  byte[] cipherText = null;
  try {
      // with a security provider do the encrypt on the remote server
      Cipher encryptCipher = Cipher.getInstance(handling, "SunPKCS11-P6RPKCS11");
      IvParameterSpec IV = new IvParameterSpec(iv);
      encryptCipher.init(Cipher.ENCRYPT_MODE, secretKey, IV);
      cipherText = encryptCipher.doFinal(clearText);
   } catch (Exception e) {
   return cipherText;

Again see any KMIP calls here? The parameter “secretKey” was created in example 1 above. This code example shows that the encryption will be done on the KMIP server. We have also tested streaming encryption (requiring KMIP 1.3), with the call sequence encryptCipher.init(), encryptCipher.update() multiple calls of updates, and then encryptCipher.doFinal(), allowing encryption (and decryption) of large chunks of data. We have also done testing with public/private keys.

Code example 4:

SecureRandom sr = SecureRandom.getInstance("PKCS11", "SunPKCS11-P6RPKCS11");

byte[] randomBytes = new byte[128];

Code example 4 shows how to use the random number generator on the KMIP server. The Java statement “sr.setSeed()” maps to the KMIP operation RNGSeed, and the statement “sr.nextBytes()” maps to the KMIP operation RNGRetrieve. Of course this mapping is done by the P6R PKCS#11 library. The trick in the above example is to make sure that the first parameter in the getInstance() call is “PKCS11″ and not the “SHA1PRNG” that appears in may Java examples of SecureRandom.

KMIP Server Capabilities

Well the above is all fine and good but how do I know what my KMIP server is capable of? Does my KMIP server support encryption, streaming encryption, what protocol version does it support? These are all basic questions and we provide the answer via our KMIP command line tool. Our command line tool, p6kmiptool, runs on Linux and Windows and provides scriptable access to many KMIP operations (e.g., one being KMIP Query).

>p6kmiptool -serverinfo -server {fully qualified host name}

KMIP server information:
server address: {fully qualified host name}:5696
using protocol version: 1.3

supported object: Certificate
supported object: SymmetricKey
supported object: SecretData
supported object: PublicKey
supported object: PrivateKey
supported object: Template
supported object: OpaqueObject
supported object: SplitKey
supported object: PGPKey

supported operation: Query
supported operation: Locate
supported operation: Destroy
supported operation: Get
supported operation: Create
supported operation: Register
supported operation: GetAttributes
supported operation: GetAttributeList
supported operation: AddAttribute
supported operation: ModifyAttribute
supported operation: DeleteAttribute
supported operation: Activate
supported operation: Revoke
supported operation: Poll
supported operation: Cancel
supported operation: Check
supported operation: GetUsageAllocation
supported operation: CreateKeyPair
supported operation: ReKey
supported operation: Archive
supported operation: Recover
supported operation: ObtainLease
supported operation: ReKeyKeyPair
supported operation: Certify
supported operation: ReCertify
supported operation: DiscoverVersions
supported operation: Notify
supported operation: Put
supported operation: RNGRetrieve
supported operation: RNGSeed
supported operation: Encrypt
supported operations: Decrypt
supported operations: Sign
supported operation: SignatureVerify
supported operation: MAC
supported operation: MACVerify
supported operation: Hash
supported operation: CreateSplitKey
supported operation: JoinSplitKey

vendor: {company name} KMIP Server {version}

capability: streaming is supported
capability: asynchronous command processing is supported
capability: attestation is supported
capability: unwrap mode is not processed
capability: destroy action is key material deleted
capability: shredding algorithm is unsupported
capability: RNG mode is unspecified

Given the information above, we can conclude that the above server can handle all the functions of our Java Security provider (e.g., streaming encryption: C_EncryptInit(), C_EncryptUpdate() … multiple calls, and finally C_EncryptFinal().

Our PKCS 11 library also comes with an equally powerful command line tool of its own that lets the user see what is stored on a token (also runs on Linux and Windows).

>p6pkcs11tool -list 0 -p 12345678

----- Object List  (slotId: 0) -----
1> Type: Certificate, Alias: [rsa_private_key] ID: [rsa_private_key],   Token
2> Type: Secret Key , Alias: [symmetric_aes_128_key] ID: [], AES  Token
3> Type: Private Key, Alias: [C6AC22B2-5330-48CE-A950-47CA883C03F6] ID: [rsa_private_key], RSA  Token

The above syntax is p6pkcs11tool {operation} {slotid} -p {User PIN}.

The PKCS 11 command line tool is also feature rich including functions to clean up after applications that do not call C_CloseSession(), create keys, delete keys, import and export keys and certificates, etc.

P6R KMIP Client Integration With Thales keyAuthority

By Mark Joseph - March 26, 2016 @ 10:59 am

P6R KMIP Client Integration with Micro Focus ESKM

By Mark Joseph - @ 10:45 am

Was formerly part of HPE

PKCS#11 Library Integartion with Micro Focus Atalla HSM

By Mark Joseph - March 22, 2016 @ 10:02 am

Was formerly part of HPE

P6R demonstrates KMIP and PKCS#11 Products at RSA 2016

By Mark Joseph - March 4, 2016 @ 9:17 am

P6R participated in the OASIS KMIP and PKCS#11 interoperability demonstration at the 2016 RSA conference.
P6R was showcasing the latest release of its SKC product, which contains a full featured KMIP Client with UEFI support, and PKCS#11.

Here is a picture of the P6R station in the OASIS booth at the 2016 RSA Conference:

As part of this demonstration P6R participated in an OASIS run interoperation test with other vendors in the KMIP Technical Committee. The results of these tests is shown in the chart below (see P6R Inc SKC in graph).

P6R also released and demonstrated its extensible PKCS#11 library at the Conference: