p11kmip.conf - Man Page
Configuration file for the p11kmip command.
Description
The p11kmip tool uses the configuration file /etc/opencryptoki/p11kmip.conf to read information about how to connect to a KMIP server and interact with a PKCS #11 token repository.
A custom file path can be set with environment variable P11KMIP_DEFAULT_CONF_FILE. If the environment variable is not set, then the global /etc/opencryptoki/p11kmip.conf config file is read. If this file is unavailable, an error message is displayed.
Syntax
There are two sections in the configuration. Each consists of a section name followed by a set of key-value pairs enclosed in curly braces.
The first section configures the connection to the KMIP server. It contains the following keywords: host, tls_client_cert, tls_client_key, wrap_key_format, wrap_key_algorithm, wrap_key_size, wrap_padding_method, wrap_hashing_algorithm.
Example:
kmip {
    host = "0.0.0.0:5696"
    tls_client_cert = "/tmp/certs/client_certificate_jane_doe.pem"
    tls_client_key = "/tmp/certs/client_key_jane_doe.pem"
    wrap_key_format = "PKCS1"
    wrap_key_algorithm = "RSA"
    wrap_key_size = 2048
    wrap_padding_method = "PKCS1.5"
    wrap_hashing_algorithm = "SHA-1"
}
The host attribute must be specified in the format "hostname[:port]" when using plain TLS, where "hostname" may be an IPv4 address, an IPv6 address, or a symbolic hostname, and "port" may optionally be used to specify a non-standard port number. If "port" is not specified, 5696 is used as the default.
The tls_client_cert attribute must specify the path to a PEM format file containing the client certificate used for TLS authentication to the KMIP server.
The tls_client_key attribute must specify the path to a PEM format file containing the client private key used for TLS authentication to the KMIP server.
The wrap_key_format attribute specifies the format used to transmit the wrapping key, and must be one of "PKCS1", "PKCS8", or "TransparentPublicKey".
The wrap_key_algorithm attribute specifies the algorithm used for key wrapping. Currently only "RSA" is supported.
The wrap_key_size attribute specifies the length of the key used for wrapping. This value must match the length of the actual wrapping and unwrapping keys that are provided when the tool is invoked.
The wrap_padding_method attribute specifies the padding method used during the key wrap. Currently the padding methods "PKCS1.5" and "OAEP" are supported.
The wrap_hashing_algorithm attribute specifies the hashing algorithm used by the padding method. Only the "OAEP" padding method requires a hashing algorithm to be specified. For the "OAEP" padding method, only the "SHA-1" and "SHA-256" hashing algorithms are supported. For all other padding methods this field is ignored, and may be absent.
The second section configures interaction with the PKCS #11 token repository. It contains the following keyword: slot.
Example:
pkcs11 {
    slot = 0
}
The slot attribute must be an integer specifying the slot number to use.
Of these attributes, the host, tls_client_cert, and tls_client_key attributes of the kmip section and the slot attribute of the pkcs11 section may be absent from the file if they are specified by an environment variable or command-line option.
When absent, the remaining attributes take the default values shown in the example above. The configuration file need not be present if all required attributes are specified by other means. Attributes and sections may be specified in any order within the configuration file.
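The following parser and validator is an added example, not part of openCryptoki or the p11kmip tool. It reads the format described above (section name, braces, key = value pairs, quoted strings, bare integers, '#' comments), applies the documented defaults for absent attributes, and checks the constraints this page states: allowed values, the OAEP-only hashing algorithm, wrap_key_size matching the key actually passed at invocation, and which attributes may be left to environment variables or command options. The function names config_path, parse and validate, the constructed sample configuration and the advisory messages about PKCS1.5 and SHA-1 are this example's own, not behaviour documented for the tool.

```python
"""Parser and validator for the p11kmip.conf format (added example, not openCryptoki code)."""
import os
import re

DEFAULT_CONF = "/etc/opencryptoki/p11kmip.conf"

# Attributes that may be absent take the values from the man page's example.
KMIP_DEFAULTS = {
    "wrap_key_format": "PKCS1",
    "wrap_key_algorithm": "RSA",
    "wrap_key_size": 2048,
    "wrap_padding_method": "PKCS1.5",
    "wrap_hashing_algorithm": "SHA-1",
}
ALLOWED = {
    "wrap_key_format": {"PKCS1", "PKCS8", "TransparentPublicKey"},
    "wrap_key_algorithm": {"RSA"},
    "wrap_padding_method": {"PKCS1.5", "OAEP"},
}
ALLOWED_OAEP_HASHES = {"SHA-1", "SHA-256"}
# These may come from the environment or the command line instead of the file.
REQUIRED_KMIP = ("host", "tls_client_cert", "tls_client_key")

_TOKEN = re.compile(
    r'(?P<skip>\s+|#[^\n]*)'                # whitespace, or '#' comment to end of line
    r'|"(?P<str>[^"\n]*)"'                  # quoted string value
    r'|(?P<int>\d+)'                        # bare integer value
    r'|(?P<ident>[A-Za-z_][A-Za-z0-9_]*)'   # section or attribute name
    r'|(?P<punct>[{}=])'
)


def config_path(environ=None):
    """Resolve the file to read: P11KMIP_DEFAULT_CONF_FILE overrides the global path."""
    env = os.environ if environ is None else environ
    return env.get("P11KMIP_DEFAULT_CONF_FILE") or DEFAULT_CONF


def tokenize(text):
    tokens, pos = [], 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unexpected character {text[pos]!r} at offset {pos}")
        pos = m.end()
        if m.group("skip") is not None:
            continue
        if m.group("str") is not None:
            tokens.append(("STR", m.group("str")))
        elif m.group("int") is not None:
            tokens.append(("INT", int(m.group("int"))))
        elif m.group("ident") is not None:
            tokens.append(("IDENT", m.group("ident")))
        else:
            tokens.append(("PUNCT", m.group("punct")))
    return tokens


def parse(text):
    """Parse `section { key = value ... }` blocks into {section: {key: value}}."""
    toks = tokenize(text)
    sections, i = {}, 0
    try:
        while i < len(toks):
            if toks[i][0] != "IDENT" or toks[i + 1] != ("PUNCT", "{"):
                raise ValueError(f"expected 'section {{' near token {i}")
            body = sections.setdefault(toks[i][1], {})
            i += 2
            while toks[i] != ("PUNCT", "}"):
                key, eq, val = toks[i], toks[i + 1], toks[i + 2]
                if key[0] != "IDENT" or eq != ("PUNCT", "=") or val[0] not in ("STR", "INT"):
                    raise ValueError(f"expected 'key = value' near token {i}")
                body[key[1]] = val[1]
                i += 3
            i += 1
    except IndexError:
        raise ValueError("unexpected end of file (unclosed section?)") from None
    return sections


def validate(sections, wrapping_key_bits=None):
    """Apply defaults and check the man page's constraints.

    wrapping_key_bits is the modulus length of the wrapping key that will be
    given on the command line; wrap_key_size must match it.
    Returns (effective_config, problems, advisories).
    """
    kmip = {**KMIP_DEFAULTS, **sections.get("kmip", {})}
    pkcs11 = dict(sections.get("pkcs11", {}))
    problems, advisories = [], []
    for attr in REQUIRED_KMIP:
        if attr not in kmip:
            problems.append(f"kmip.{attr} absent: must be supplied by environment or option")
    for attr, allowed in ALLOWED.items():
        if kmip[attr] not in allowed:
            problems.append(f"kmip.{attr}={kmip[attr]!r} is not one of {sorted(allowed)}")
    # The hashing algorithm only matters (and is only validated) for OAEP.
    if kmip["wrap_padding_method"] == "OAEP" and kmip["wrap_hashing_algorithm"] not in ALLOWED_OAEP_HASHES:
        problems.append(f"kmip.wrap_hashing_algorithm={kmip['wrap_hashing_algorithm']!r} not supported for OAEP")
    if not isinstance(kmip["wrap_key_size"], int):
        problems.append("kmip.wrap_key_size must be an integer")
    elif wrapping_key_bits is not None and kmip["wrap_key_size"] != wrapping_key_bits:
        problems.append(f"kmip.wrap_key_size={kmip['wrap_key_size']} does not match the {wrapping_key_bits}-bit wrapping key")
    if "slot" not in pkcs11:
        problems.append("pkcs11.slot absent: must be supplied by environment or option")
    elif not isinstance(pkcs11["slot"], int):
        problems.append("pkcs11.slot must be an integer")
    # Practitioner advisories (this example's own, not man page requirements).
    if kmip["wrap_padding_method"] == "PKCS1.5":
        advisories.append("PKCS1.5 padding in use; OAEP is the preferred RSA wrap padding")
    elif kmip["wrap_hashing_algorithm"] == "SHA-1":
        advisories.append("OAEP with SHA-1; SHA-256 is the preferred hash")
    return {"kmip": kmip, "pkcs11": pkcs11}, problems, advisories


# Constructed sample modelled on the man page's examples; paths and host are placeholders.
SAMPLE_CONF = """
# connection to the KMIP server
kmip {
    host = "kmip.example.internal:5696"
    tls_client_cert = "/etc/opencryptoki/certs/client.pem"   # PEM client certificate
    tls_client_key = "/etc/opencryptoki/certs/client-key.pem"
    wrap_padding_method = "OAEP"
    wrap_hashing_algorithm = "SHA-256"
}
pkcs11 { slot = 2 }
"""


def check_sample():
    return validate(parse(SAMPLE_CONF), wrapping_key_bits=2048)


if __name__ == "__main__":
    cfg, problems, advisories = check_sample()
    print("effective config:", cfg)
    print("problems:", problems or "none")
    print("advisories:", advisories or "none")
```

Run it against a real file with `validate(parse(open(config_path()).read()), wrapping_key_bits=...)`; the effective configuration shows which values came from the documented defaults rather than the file, which is what an operator usually wants to see before pointing the tool at a production KMIP server.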
Notes
The pound sign ('#') is used to indicate a comment up to and including the end of line.