The Virtru Customer Key Server (CKS) is able to connect to a hardware security module (HSM) utilizing the Key Management Interoperability Protocol (KMIP).
The install wizard has been upgraded to allow for connecting to an HSM via KMIP and is documented in this reference article.
- Validated Platforms
- Network Design
- Install Steps
Virtru has validated CKS functionality with the following platforms. Connecting to another vendor's HSM via KMIP is expected to work but has not been explicitly tested unless noted below:
- TrustWay Data Protect KMS
Standard Implementation with limited access to HSMs.
Standard install steps for the Virtru CKS apply and can be found here. The additional KMIP options presented when running the install script are detailed below.
Download and Execute Installer
If SELinux is in use please reference this article.
wget https://cdn.virtru.com/apps/cks/v1.2.1/cks-install.sh -O cks-install-v1.2.1.sh
To run the installer in offline mode, first follow the prerequisites listed here. Then execute:
bash cks-install-v1.2.1.sh -o true
The installer will create all appropriate directories. The recommended install root directory:
New KMIP Options
The following new KMIP options are available in the install wizard and should be answered appropriately when configuring an HSM to utilize KMIP.
1. Specify to connect to an HSM via KMIP
During the RSA re-wrap part of the installation wizard there is an added option, #5, to allow connecting to an HSM via KMIP.
Choose this option.
2. Place the KMIP certificate files in appropriate directory
Upon choosing option 5 above, the wizard directs you to place the necessary KMIP certificate files in a newly created "kmip" directory.
This "kmip" directory is created when option 5 is chosen and is placed in your root CKS folder. In this example /var/virtru/cks_kmip is the root install directory, so /var/virtru/cks_kmip/kmip is the newly created folder used to store the KMIP certificate .pem files.
Note: Files must be in .pem format. It is also easiest to connect to the CKS host from two terminals so that files can be placed without exiting the install wizard.
After you press any key to continue, the wizard checks the kmip directory for the presence of the .pem files and displays an error if they have not been placed there yet.
3. Specify host name, port, and proxy configuration
The next three questions are asked in succession and can be seen in the following image. The hostname is used in conjunction with the certificates to connect to the HSM.
The port can be left blank to use the default of 5696, or changed.
If a proxy is required, it can be specified in the third prompt.
4. Enter the UUID of the public key
The next prompt asks for the UUID of the public key. After you paste it in and press Enter, the wizard attempts to connect to the HSM and retrieve the public key identified by that UUID.
5. Finalize configuration
The final step of the wizard asks you to confirm all the entered settings. This step is unchanged from a non-KMIP CKS install, but it has been enhanced to show the additional KMIP settings.
Enter yes here to finish the install and exit the wizard.
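The following pre-flight script is an added example and is not part of the Virtru installer; it is meant to be run from the second terminal before pressing a key at step 2, so that the wizard's presence check and the connection attempt at step 4 do not fail on avoidable problems. It assumes the layout described above (a "kmip" folder under the CKS root, e.g. /var/virtru/cks_kmip/kmip) and the default port of 5696. The function names, the exit-code conventions, the permission check on private-key files and the client.pem / client-key.pem / ca.pem file names used by the optional TLS probe are all assumptions of this example, not something the wizard requires.

```shell
#!/bin/sh
# Pre-flight checks for the CKS KMIP wizard (added example, not Virtru's code).
# The wizard only verifies that .pem files are present; these checks go further:
# each file must carry PEM armor (a DER export renamed to .pem is a common mistake),
# and files containing a private key must not be readable by other users.

# kmip_dir_check <cks_root>
# Returns 0 when <cks_root>/kmip exists, holds at least one .pem file, every .pem
# file is PEM-armored, and no private-key file is world-readable; otherwise prints
# the reason to stderr and returns 1.
kmip_dir_check() {
    dir="$1/kmip"
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir (choose option 5 in the wizard first)" >&2
        return 1
    fi
    found=0
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || break          # glob did not match: no .pem files at all
        found=1
        if ! grep -q '^-----BEGIN ' "$f" || ! grep -q '^-----END ' "$f"; then
            echo "not PEM-armored: $f" >&2
            return 1
        fi
        if grep -q 'PRIVATE KEY' "$f"; then
            # 8th character of the mode string is the "other read" bit (-rw-r--r--)
            other_read=$(ls -ld "$f" | cut -c8)
            if [ "$other_read" = "r" ]; then
                echo "private key is world-readable: $f (chmod 600 it)" >&2
                return 1
            fi
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no .pem files in $dir" >&2
        return 1
    fi
    return 0
}

# kmip_port_or_default <port-or-empty>
# Mirrors the wizard's port prompt: an empty answer means the KMIP default 5696.
# Prints the effective port; returns 1 for a non-numeric or out-of-range value.
kmip_port_or_default() {
    p="${1:-5696}"
    case "$p" in
        *[!0-9]*) echo "invalid port: $1" >&2; return 1 ;;
    esac
    if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
        echo "port out of range: $p" >&2
        return 1
    fi
    echo "$p"
}

# kmip_tls_probe <host> <port> <cks_root>
# Optional mutual-TLS handshake against the KMIP endpoint using openssl s_client
# (needs network access and openssl). File names are assumed by this example.
kmip_tls_probe() {
    openssl s_client -connect "$1:$2" -servername "$1" \
        -cert "$3/kmip/client.pem" -key "$3/kmip/client-key.pem" \
        -CAfile "$3/kmip/ca.pem" </dev/null 2>&1 |
        grep -q 'Verify return code: 0 (ok)'
}

# Usage: sh kmip-preflight.sh /var/virtru/cks_kmip [port]
if [ "$#" -ge 1 ]; then
    kmip_dir_check "$1" && kmip_port_or_default "${2:-}" >/dev/null && echo "pre-flight OK"
fi
```

Run it with the CKS root directory as the first argument; a non-zero exit and a message on stderr tell you which file the wizard would reject or which key needs its permissions tightened. The TLS probe is kept separate because it needs the HSM to be reachable, which may not be the case behind the proxy configured in step 3.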