KMIP supports several methods of authenticating to a key management server; which of them are available depends on the KMIP client. The KMES Series 3 supports authenticating with a username and password, or with a TLS client certificate that is validated by a PKI identity provider. Both methods require you to create an identity (a user) on the KMES. The difference is that, for TLS certificate authentication, the name of the KMES identity must match the Common Name (CN) of the client's TLS certificate; if the two differ, the TLS handshake may succeed but the KMES will not map the certificate to an identity.

Create a role and identity for the KMIP client

The following sections cover the password and TLS certificate authentication methods.

Password authentication method

Perform the following tasks to authenticate with a username and password:

Create the role

Perform the following steps to create the role:
1
Go to Identity Management > Roles, and select [ Add ].
2
On the Info tab, set the following:

Setting            Required configuration
Type               Application
Name               KMIP
Login required     1
3
On the Advanced tab, set Allowed Ports to KMIP only.
4
Select [ OK ] to finish creating the role.

Create the identity

Perform the following steps to create the identity:
1
Go to Identity Management > Identities, right-click anywhere in the window, and select Add > Client Application.
2
On the Info tab of the Identity Editor window, select Application for the storage location, and specify KMIP as the identity name.
3
On the Assigned Roles tab, select the role you created.
4
On the Authentication tab, remove the default API Key mechanism and select [ Add ]. In the Configure Credential dialog, select Password in the Type drop-down menu, then select [ Change ]. Set a password and select [ Save ]. Then, select [ OK ] to finish configuring the credential.
5
Select [ OK ] to finish creating the identity.

TLS authentication method

Perform the following tasks to authenticate with a TLS client certificate. The certificate must be issued by a CA that the KMES trusts through a PKI identity provider, and its Common Name must equal the name of the identity created in the last task:

Create the identity provider

Perform the following steps to create the identity provider:
1
Log in to the KMES Series 3 application interface with the default Admin identities.
2
Go to Identity Management > Identity Providers.
3
Right-click anywhere in the window and select Add > Provider > PKI.
4
On the Info tab of the Identity Provider Editor window, specify a name for the Identity Provider (IdP) and uncheck Enforce Dual Factor.
5
On the PKI Options tab, select [ Select ]. In the Certificate Selector window, expand the certificate tree you previously created, select the CA certificate that signed the KMIP Client and KMIP connection pair certificates, and then select [ OK ].
6
Select [ OK ] to finish creating the PKI IdP.
7
Right-click the IdP you just created and select Add > Mechanism > TLS.
8
On the Info tab, specify a name for the authentication mechanism.
9
On the PKI tab, leave all fields set to the default values.
10
Select [ OK ] to save.

Create the role

Perform the following steps to create the role:
1
Go to the Identity Management > Roles menu, and select [ Add ].
2
In the Info tab of the Role Editor window, use the following settings:

Setting            Required configuration
Type               Application
Name               KMIP
Login required     1
3
On the Advanced tab, set Allowed Ports to KMIP only.
4
Select [ OK ] to finish creating the role.

Create the identity

Perform the following steps to create the identity:
1
Go to the Identity Management > Identities menu, right-click anywhere in the window, and select Add > Client Application.
2
On the Info tab of the Identity Editor window, select Application for the storage location and specify KMIP as the identity name.
3
On the Assigned Roles tab, select the role you created.
4
On the Authentication tab, remove the default API Key mechanism and select [ Add ]. In the Configure Credential window, select TLS Certificate in the Type drop-down menu, then select the Provider and Mechanism you created. Select [ OK ] to finish configuring the credential.
5
Select [ OK ] to finish creating the identity.