P6R's KMIP command line tool is a scriptable KMIP client that can be used during development and production. This tool provides the basic functions required by any application (e.g., listing existing keys and certificates, import, export). Below is a list of all currently provided functions the p6kmiptool can perform:
For the most up to date commands and options type "p6kmiptool" or "p6kmiptool -h" on the command line to get the complete usage description.
P6R's KMIP command line tool can be configured to work with one or more KMIP servers at the same time. This section documents its possible configuration parameters. Note that the location of KMIP logging is configured in the p6kmip.conf file, not here. Here is a sample p6kmiptool.conf file as an example:
Note that there is no limit to the number of KMIP servers that can be defined in the p6kmiptool.conf file. The user specifies which server to use as a command line parameter (e.g., "p6kmiptool -export -server kmip44.example.com").
Other possible token configuration items:
This contains the following KMIP command line tool wide configuration parameters:
The "baseKeyPath" configuration parameter (string value) is where the symmetric key protecting the KMIP command line tool keystore is written after the library generates it. This parameter can be either a full path to the key file or just the name of the key file. If it is just a file name then it is treated as relative to the directory the library runs out of. Essentially, this is the one key that is kept in the clear.
The "locale" configuration parameter (string value) is optional and defaults to "en_us" if not set. This parameter selects the P6R language file used when displaying output to the user. The default P6R language file is p6kmiptool.en_us. For example, for French this parameter would be set to "fr_fr" and the language file p6kmiptool.fr_fr would then be used. The command line tool ships with the p6kmiptool.en_us language file. Customers who want to support other languages have to translate the p6kmiptool.en_us file into the desired language and rename that file with the proper file extension (e.g., ca_fr for French Canadian), where the first 2 characters represent the language and the last 2 characters represent the country. Note that these files are encoded in UTF-8.
The "keystore" configuration parameter (string value) is optional and can be either the full path to a directory where the KMIP command line tool library-wide keystore is to be created, or a database URI of the standard form "postgresql8://..." (see Keystore documentation). When this parameter is not provided, a default location is used. When the full path to a local directory is given, a SQLite database is used. This keystore holds all the keys and certificates used to communicate with KMIP servers and all keys used to protect the other keystores created for software tokens.
Each section named with a Fully Qualified Domain Name defines parameters for a separate KMIP server:
The "KMIPort" configuration parameter (positive numeric value) is optional and defaults to 5696. It is passed to the Secure KMIP Client (SKC) library.
The "KMIPsslOptions" configuration parameter (bit mask) is optional and maps to the SKC setSSLOptions( const P6WCHAR* pCiphers, P6SECURESOCKETFLAGS fSecureFlags ) API call's fSecureFlags parameter (see file p6kmpclient.h). This allows the caller to customize how it makes a TLS connection to a remote KMIP server. The default setting for this parameter is (P6SSF_METHOD_NEGOTIATE | P6SSF_SECURE_CLIENT | P6SSF_SECURE_CLIENT_AUTH | P6SSF_LOG_X509SUBJECTLOOKUPS) (see file p6net.h).
The "KMIPInitFlags" configuration parameter (bit mask) is optional and maps to the SKC initialize( P6KMIPFLAGS flags, p6IKeystore* pCerts, P6KMIP_PREF preferences ) API call's flags parameter (see file p6kmipclient.h). Its default value is P6KMIPFLG_NOFLAGS. Note that this parameter is how the user controls KMIP message logging (e.g., using the P6KMIPFLG_TRACE_MSGS flag value). See the SKC documentation for the possible values of this parameter.
The "KMIPCertPEM" configuration parameter (string value), is the full path to a client side certificate (in PEM format) that was issued by a KMIP server to allow a KMIP client to authenticate itself. This certificate is copied into the command line tool wide keystore for use by SKC to create a TLS connection to a KMIP server.
The "KMIPPrivPEM" configuration parameter (string value), is the full path to the client's private key (in PEM format) that was issued by a KMIP server to allow a KMIP client to authenticate itself. This key is copied into the command line tool wide keystore for use by SKC to create a TLS connection to a KMIP server.
The "KMIPPrivSize" configuration parameter (positive numeric value) is the number of bits of the private key defined by the KMIPPrivPEM configuration parameter.
The "KMIPRootPEM" configuration parameter (string value), is the full path to the KMIP server's root certificate that was provided by a KMIP server to allow the Secure KMIP Client to create a TLS connection to the remote KMIP server.
The "KMIPconnectTimeout", "KMIPsendTimeout", "KMIPreceiveTimeout", "KMIPMaxBufSize", "KMIPInitialBufCount", "KMIPGrowBufsBy", "KMIPPrvKeyEncode", "KMIPPubKeyEncode", "KMIPSymKeyEncode", and "KMIPcompatibility1" configuration parameters (positive numeric values) are all optional and map to the SKC initialize( P6KMIPFLAGS flags, p6IKeystore* pCerts, P6KMIP_PREF preferences ) API call's P6KMIP_PREF parameter (see file p6kmipclient.h and the SKC documentation). The KMIP command line tool library has a reasonable set of default values for each parameter.
The "KMIPAsynch" configuration parameter (positive numeric value) is optional and maps to the SKC initialize API call's P6KMIP_PREF parameter (see file p6kmipclient.h and the SKC documentation). This field enables or disables the SKC client's asynchronous KMIP request option.
The "KMIPUserName" and "KMIPPassword" configuration parameters (string values), are optional and map to KMIP user credentials (see SKC documentation p6kmipclient.h P6KMIP_CREDENTIAL definition).
The "KMIPPassword", "KMIPSerialNum", "KMIPDeviceId", "KMIPNetworkId", "KMIPMachineId", and "KMIPMediaId" configuration parameters (string values), are optional and map to KMIP device credentials (see SKC documentation p6kmipclient.h P6KMIP_CREDENTIAL definition).
The "logDir" configuration parameter (string value) is optional; when it is not provided, a default location is used. Otherwise, the value is the name of a subdirectory created for logging under the KMIP server's own directory. For example, if this value were "TEST", then all KMIP logs for the kmip44.example.com server would be written to the directory "../kmip44.example.com/TEST"; the full path of this directory also takes into account the log directory defined in the p6kmip.conf file.
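As an added example (not P6R's code), here is a small lint script that reads a p6kmiptool.conf and flags server sections whose settings weaken the TLS or credential handling described above. It assumes an INI-style layout with one section per server FQDN and symbolic flag names OR'd together, as in the documented defaults; the sample file is constructed.

```python
"""Lint a p6kmiptool.conf-style file for risky per-server KMIP settings."""
import configparser

# Constructed sample. INI layout is an assumption; parameter names follow the docs.
SAMPLE_CONF = """
[global]
baseKeyPath = p6kmiptool.key
locale = en_us

[kmip44.example.com]
KMIPort = 5696
KMIPsslOptions = (P6SSF_METHOD_NEGOTIATE | P6SSF_SECURE_CLIENT)
KMIPInitFlags = P6KMIPFLG_TRACE_MSGS
KMIPCertPEM = /etc/p6r/client.pem
KMIPPrivPEM = /etc/p6r/client.key
KMIPPassword = example-only
"""

def parse_flags(value: str) -> set[str]:
    """Split '(A | B)' into the set of symbolic flag names it contains."""
    return {tok.strip() for tok in value.strip("() ").split("|") if tok.strip()}

def lint_server(name: str, sec) -> list[str]:
    """Return findings for one server section (a mapping of parameter -> value)."""
    findings = []
    if "KMIPRootPEM" not in sec:
        findings.append(f"{name}: no KMIPRootPEM, so the server certificate cannot be validated")
    if ("KMIPCertPEM" in sec) != ("KMIPPrivPEM" in sec):
        findings.append(f"{name}: KMIPCertPEM and KMIPPrivPEM must be configured together")
    ssl = parse_flags(sec.get("KMIPsslOptions", ""))
    if ssl and "P6SSF_SECURE_CLIENT_AUTH" not in ssl:
        findings.append(f"{name}: KMIPsslOptions overrides the default without P6SSF_SECURE_CLIENT_AUTH")
    if "P6KMIPFLG_TRACE_MSGS" in parse_flags(sec.get("KMIPInitFlags", "")):
        findings.append(f"{name}: KMIP message tracing enabled; traced messages can carry key material")
    if "KMIPPassword" in sec:
        findings.append(f"{name}: KMIPPassword stored in clear text; restrict file permissions")
    return findings

def lint_conf(text: str) -> dict[str, list[str]]:
    """Lint every FQDN section (those containing a dot) and return findings per server."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep parameter names case-sensitive, as documented
    cp.read_string(text)
    return {s: lint_server(s, cp[s]) for s in cp.sections() if "." in s}

if __name__ == "__main__":
    for server, items in lint_conf(SAMPLE_CONF).items():
        print(server, "->", items or ["ok"])
```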