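The examples in this section show how to use the Cisco IMC XML API to configure Key Management Interoperability Protocol (KMIP) functions. Each example shows the XML API request followed by the response from Cisco IMC. The cookie attribute in every request is the session cookie of an authenticated API session. The cookies, user names, passwords, key IDs and security keys shown are sample values; substitute your own and handle the real ones as secrets, because they appear in clear text inside the request body.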
This section
includes the following examples:
Enabling or
Disabling Secure Key Management
Request:
<!-- Request: set secureKeyManagement on the kmip-mgmt object addressed by dn.
     The cookie value is a sample session cookie. -->
<configConfMo
    dn="sys/chassis-1/server-1/kmip-mgmt"
    cookie="1486744606/2436e891-3048-1830-8002-be18652a6ca4"
    inHierarchical="false">
  <inConfig>
    <kmipManagement
        dn="sys/chassis-1/server-1/kmip-mgmt"
        secureKeyManagement="enabled">
    </kmipManagement>
  </inConfig>
</configConfMo>
Response:
<!-- Response: Cisco IMC returns the kmipManagement object after the change.
     serverRootCACertificate, clientCertificate and clientPrivateKey each report
     "Available" in this sample; check all three when verifying a KMIP setup. -->
<configConfMo
    dn="sys/chassis-1/server-1/kmip-mgmt"
    cookie="1486744606/2436e891-3048-1830-8002-be18652a6ca4"
    response="yes">
  <outConfig>
    <kmipManagement
        dn="sys/chassis-1/server-1/kmip-mgmt"
        description="Key Management Interoperability Protocol"
        secureKeyManagement="enabled"
        serverRootCACertificate="Available"
        clientCertificate="Available"
        clientPrivateKey="Available"
        adminAction="no-op"
        status="modified"/>
  </outConfig>
</configConfMo>
Note: To disable Secure Key Management, use secureKeyManagement="disabled" in the command.
Configuring KMIP
Server
Request:
<!-- Request: set the address, port and timeout of the KMIP server on the
     kmip-server object. This is the key server Cisco IMC will talk to, so
     confirm the address and port against your key-management inventory. -->
<configConfMo
    dn="sys/chassis-1/server-1/kmip-mgmt/kmip-server"
    cookie="1478249230/3d18c6f9-4076-1076-8002-e8374190b1d8"
    inHierarchical="false">
  <inConfig>
    <kmipServer
        dn="sys/chassis-1/server-1/kmip-mgmt/kmip-server"
        ipAddress="10.10.10.10"
        port="6000"
        timeout="25">
    </kmipServer>
  </inConfig>
</configConfMo>
Response:
<!-- Response: the kmipServer object with the new ipAddress, port and timeout.
     testConnectionStatus is "Unavailable" in this sample, so the response does
     not show that the server is reachable; NOTE(review): presumably no
     connection test had been run yet. -->
<configConfMo
    dn="sys/chassis-1/server-1/kmip-mgmt/kmip-server"
    cookie="1478249230/3d18c6f9-4076-1076-8002-e8374190b1d8"
    response="yes">
  <outConfig>
    <kmipServer
        id="1"
        ipAddress="10.10.10.10"
        port="6000"
        timeout="25"
        testConnectionStatus="Unavailable"
        adminAction="no-op"
        dn="sys/chassis-1/server-1/kmip-mgmt/kmip-server"
        status="modified"/>
  </outConfig>
</configConfMo>
Deleting KMIP
Server
Request:
<!-- Request: remove the KMIP server entry by sending adminAction="delete"
     on the kmip-server object. -->
<configConfMo
    dn="sys/chassis-1/server-1/kmip-mgmt/kmip-server"
    cookie="1478249230/3d18c6f9-4076-1076-8002-e8374190b1d8"
    inHierarchical="false">
  <inConfig>
    <kmipServer
        dn="sys/chassis-1/server-1/kmip-mgmt/kmip-server"
        adminAction="delete">
    </kmipServer>
  </inConfig>
</configConfMo>
Response:
<!-- Response: ipAddress is returned empty; port and timeout read 5696 and 5.
     NOTE(review): these look like default values (5696 is the registered KMIP
     port); confirm against the API reference. -->
<configConfMo
    dn="sys/chassis-1/server-1/kmip-mgmt/kmip-server"
    cookie="1478249230/3d18c6f9-4076-1076-8002-e8374190b1d8"
    response="yes">
  <outConfig>
    <kmipServer
        id="1"
        ipAddress=""
        port="5696"
        timeout="5"
        adminAction="no-op"
        dn="sys/chassis-1/server-1/kmip-mgmt/kmip-server"
        status="modified"/>
  </outConfig>
</configConfMo>
Viewing Secure
Key Management Settings
Request:
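<!-- Request: read the kmipManagement object (classId="kmipManagement").
     Nothing is sent in inConfig; the element is empty and self-closed,
     like the other configResolveClass requests on this page. -->
<configResolveClass
    dn="sys/chassis-1/server-1/kmip-mgmt"
    cookie="1478234140/28bb863a-4073-1073-8002-e8374190b1d8"
    inHierarchical="false"
    classId="kmipManagement"/>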
Response:
<!-- Response: current kmipManagement settings. In this sample
     clientCertificate is "Not Available" while secureKeyManagement is
     "enabled"; NOTE(review): KMIP normally authenticates the client with a
     certificate, so this state is worth flagging in an audit. The cookie
     differs from the request sample, so the two were likely captured in
     different sessions. -->
<configResolveClass
    dn="sys/chassis-1/server-1/kmip-mgmt/"
    cookie="1478235085/94b63d5a-4072-1072-8002-e8374190b1d8"
    response="yes">
  <outConfig>
    <kmipManagement
        dn="sys/chassis-1/server-1/kmip-mgmt"
        description="Key Management Interoperability Protocol"
        secureKeyManagement="enabled"
        serverRootCACertificate="Available"
        clientCertificate="Not Available"
        clientPrivateKey="Available"
        adminAction="no-op"/>
  </outConfig>
</configResolveClass>
Downloading Root
CA Certificate (tftp)
Request:
<!-- Request: have Cisco IMC fetch the KMIP root CA certificate from
     remoteServer over TFTP. TFTP has no authentication, encryption or
     integrity protection, and this certificate is the trust anchor for the
     KMIP server. After the download, export the installed certificate and
     compare its fingerprint with one obtained out of band, or use an
     authenticated protocol such as the scp option shown elsewhere on this
     page. -->
<configConfMo
    dn="sys/chassis-1/server-1/kmip-mgmt/kmip-ca-cert-download"
    cookie="1478184218/cf931a62-4066-1066-8003-e8374190b1d8"
    inHierarchical="false">
  <inConfig>
    <downloadRootCACertificate
        dn="sys/chassis-1/server-1/kmip-mgmt/kmip-ca-cert-download"
        protocol="tftp"
        remoteServer="10.10.10.10"
        remoteFile="/home/ss/cert/RootCA.pem">
    </downloadRootCACertificate>
  </inConfig>
</configConfMo>
Response:
<!-- Response: downloadStatus="COMPLETED" and downloadProgress="100%" report
     that the transfer finished. They say nothing about whether the file is
     the expected certificate. The transfer parameters come back blank. -->
<configConfMo
    dn="sys/chassis-1/server-1/kmip-mgmt/kmip-ca-cert-download"
    cookie="1478184218/cf931a62-4066-1066-8003-e8374190b1d8"
    response="yes">
  <outConfig>
    <downloadRootCACertificate
        dn="sys/chassis-1/server-1/kmip-mgmt/kmip-ca-cert-download"
        protocol="none"
        remoteServer=""
        remoteFile=""
        user=""
        pwd=""
        downloadStatus="COMPLETED"
        downloadProgress="100%"
        status="modified"/>
  </outConfig>
</configConfMo>
Exporting Root
CA Certificate (scp)
Request:
<!-- Request: copy the installed root CA certificate to remoteServer over scp.
     user and pwd are the account on remoteServer and sit in clear text in the
     request body: use a dedicated account limited to the target directory and
     keep request bodies out of logs and shell history. The password shown is
     a sample value. -->
<configConfMo
    dn="sys/chassis-1/server-1/kmip-mgmt/kmip-ca-cert-export"
    cookie="1478189648/3db712b5-4068-1068-8004-e8374190b1d8"
    inHierarchical="false">
  <inConfig>
    <exportRootCACertificate
        dn="sys/chassis-1/server-1/kmip-mgmt/kmip-ca-cert-export"
        protocol="scp"
        remoteServer="10.10.10.10"
        user="jsmith"
        pwd="johnpwd1980"
        remoteFile="/home/jsmith/cert/RootCA.pem">
    </exportRootCACertificate>
  </inConfig>
</configConfMo>
Response:
<!-- Response: exportStatus="COMPLETED" and exportProgress="100%". The user
     and pwd sent in the request are returned as empty strings. -->
<configConfMo
    dn="sys/chassis-1/server-1/kmip-mgmt/kmip-ca-cert-export"
    cookie="1478189648/3db712b5-4068-1068-8004-e8374190b1d8"
    response="yes">
  <outConfig>
    <exportRootCACertificate
        dn="sys/chassis-1/server-1/kmip-mgmt/kmip-ca-cert-export"
        protocol="none"
        remoteServer=""
        remoteFile=""
        user=""
        pwd=""
        exportStatus="COMPLETED"
        exportProgress="100%"
        status="modified"/>
  </outConfig>
</configConfMo>
Deleting Root
CA Certificate
Request:
<!-- Request: remove the installed root CA certificate with
     adminAction="delete-root-ca-certificate" on the kmip-mgmt object. -->
<configConfMo
    dn="sys/chassis-1/server-1/kmip-mgmt"
    cookie="1478237721/12423b5d-4073-1073-8002-e8374190b1d8"
    inHierarchical="false">
  <inConfig>
    <kmipManagement
        dn="sys/chassis-1/server-1/kmip-mgmt"
        adminAction="delete-root-ca-certificate">
    </kmipManagement>
  </inConfig>
</configConfMo>
Response:
<!-- Response: serverRootCACertificate now reads "Not Available". Note that
     secureKeyManagement still reads "enabled" in this sample, so removing
     the certificate does not by itself switch the feature off. -->
<configConfMo
    dn="sys/chassis-1/server-1/kmip-mgmt"
    cookie="1478237721/12423b5d-4073-1073-8002-e8374190b1d8"
    response="yes">
  <outConfig>
    <kmipManagement
        dn="sys/chassis-1/server-1/kmip-mgmt"
        description="Key Management Interoperability Protocol"
        secureKeyManagement="enabled"
        serverRootCACertificate="Not Available"
        clientCertificate="Not Available"
        clientPrivateKey="Not Available"
        adminAction="no-op"
        status="modified"/>
  </outConfig>
</configConfMo>
Testing
Connection with KMIP Server
Request:
<!-- Request: trigger a connection test to the configured KMIP server with
     adminAction="test-connection". -->
<configConfMo
    dn="sys/chassis-1/server-1/kmip-mgmt/kmip-server"
    cookie="1478249230/3d18c6f9-4076-1076-8002-e8374190b1d8"
    inHierarchical="false">
  <inConfig>
    <kmipServer
        dn="sys/chassis-1/server-1/kmip-mgmt/kmip-server"
        adminAction="test-connection">
    </kmipServer>
  </inConfig>
</configConfMo>
Response:
<!-- Response: the kmipServer object. This sample carries no
     testConnectionStatus attribute, so it does not show whether the test
     succeeded. NOTE(review): read the kmipServer object afterwards to see the
     result; confirm against the API reference. -->
<configConfMo
    dn="sys/chassis-1/server-1/kmip-mgmt/kmip-server"
    cookie="1478249230/3d18c6f9-4076-1076-8002-e8374190b1d8"
    response="yes">
  <outConfig>
    <kmipServer
        id="1"
        ipAddress="10.10.10.10"
        port="5696"
        timeout="5"
        adminAction="no-op"
        dn="sys/chassis-1/server-1/kmip-mgmt/kmip-server"
        status="modified"/>
  </outConfig>
</configConfMo>
Downloading a
Client Private Key
Request:
<!-- Request: have Cisco IMC pull the KMIP client private key from remoteServer
     over scp. The PEM file staged at remoteFile holds the private key, so
     restrict its permissions and remove it once the download has completed.
     pwd is sent in clear text in the request body; the value is a sample. -->
<configConfMo
    dn="sys/chassis-1/server-1/kmip-mgmt/kmip-private-key-download"
    cookie="1478184218/cf931a62-4066-1066-8003-e8374190b1d8"
    inHierarchical="false">
  <inConfig>
    <downloadClientPrivateKey
        dn="sys/chassis-1/server-1/kmip-mgmt/kmip-private-key-download"
        protocol="scp"
        remoteServer="10.10.10.10"
        user="jsmith"
        pwd="pwd1234"
        remoteFile="/home/ss/cert/client_private.pem">
    </downloadClientPrivateKey>
  </inConfig>
</configConfMo>
Response:
<!-- Response: downloadStatus="COMPLETED", downloadProgress="100%". The scp
     user and pwd are returned as empty strings. -->
<configConfMo
    dn="sys/chassis-1/server-1/kmip-mgmt/kmip-private-key-download"
    cookie="1478184218/cf931a62-4066-1066-8003-e8374190b1d8"
    response="yes">
  <outConfig>
    <downloadClientPrivateKey
        dn="sys/chassis-1/server-1/kmip-mgmt/kmip-private-key-download"
        protocol="none"
        remoteServer=""
        remoteFile=""
        user=""
        pwd=""
        downloadStatus="COMPLETED"
        downloadProgress="100%"
        status="modified"/>
  </outConfig>
</configConfMo>
Exporting a
Client Private Key
Request:
<!-- Request: write the KMIP client private key to a file on remoteServer over
     scp. Once exported, the key is only as protected as that host and path:
     restrict the file's permissions, track where the copy lives, and delete
     it when it is no longer needed. pwd is sent in clear text in the request
     body; the value is a sample. -->
<configConfMo
    dn="sys/chassis-1/server-1/kmip-mgmt/kmip-private-key-export"
    cookie="1478247863/eb2fa9cd-4075-1075-8002-e8374190b1d8"
    inHierarchical="false">
  <inConfig>
    <exportClientPrivateKey
        dn="sys/chassis-1/server-1/kmip-mgmt/kmip-private-key-export"
        protocol="scp"
        remoteServer="10.10.10.10"
        user="jsmith"
        pwd="Johnpwd1982"
        remoteFile="/home/ss/cert/KMIP/Client-Pvt-Key.pem">
    </exportClientPrivateKey>
  </inConfig>
</configConfMo>
Response:
<!-- Response: exportStatus="COMPLETED", exportProgress="100%". The scp user
     and pwd are returned as empty strings. -->
<configConfMo
    dn="sys/chassis-1/server-1/kmip-mgmt/kmip-private-key-export"
    cookie="1478247863/eb2fa9cd-4075-1075-8002-e8374190b1d8"
    response="yes">
  <outConfig>
    <exportClientPrivateKey
        dn="sys/chassis-1/server-1/kmip-mgmt/kmip-private-key-export"
        protocol="none"
        remoteServer=""
        remoteFile=""
        user=""
        pwd=""
        exportStatus="COMPLETED"
        exportProgress="100%"
        status="modified"/>
  </outConfig>
</configConfMo>
Deleting a
Client Private Key
Request:
<!-- Request: remove the installed client private key with
     adminAction="delete-client-private-key". Copies exported earlier to a
     remote host are not touched by this request and need separate cleanup. -->
<configConfMo
    dn="sys/chassis-1/server-1/kmip-mgmt"
    cookie="1478236687/46db1685-4073-1073-8003-e8374190b1d8"
    inHierarchical="false">
  <inConfig>
    <kmipManagement
        dn="sys/chassis-1/server-1/kmip-mgmt"
        adminAction="delete-client-private-key">
    </kmipManagement>
  </inConfig>
</configConfMo>
Response:
<!-- Response: clientPrivateKey reads "Not Available"; secureKeyManagement
     still reads "enabled" in this sample. -->
<configConfMo
    dn="sys/chassis-1/server-1/kmip-mgmt"
    cookie="1478236687/46db1685-4073-1073-8003-e8374190b1d8"
    response="yes">
  <outConfig>
    <kmipManagement
        dn="sys/chassis-1/server-1/kmip-mgmt"
        description="Key Management Interoperability Protocol"
        secureKeyManagement="enabled"
        serverRootCACertificate="Not Available"
        clientCertificate="Not Available"
        clientPrivateKey="Not Available"
        adminAction="no-op"
        status="modified"/>
  </outConfig>
</configConfMo>
Downloading a
Client Certificate
Request:
<!-- Request: have Cisco IMC pull the KMIP client certificate from remoteServer
     over scp. pwd is sent in clear text in the request body; the value is a
     sample. -->
<configConfMo
    dn="sys/chassis-1/server-1/kmip-mgmt/kmip-client-cert-download"
    cookie="1478184218/cf931a62-4066-1066-8003-e8374190b1d8"
    inHierarchical="false">
  <inConfig>
    <downloadClientCertificate
        dn="sys/chassis-1/server-1/kmip-mgmt/kmip-client-cert-download"
        protocol="scp"
        remoteServer="10.10.10.10"
        user="jsmith"
        pwd="Johnpwd1982"
        remoteFile="/home/ss/cert/Client_cert.pem">
    </downloadClientCertificate>
  </inConfig>
</configConfMo>
<!-- Response to the client certificate download request (the page omits the
     "Response:" label before this listing). downloadStatus="COMPLETED",
     downloadProgress="100%"; user and pwd are returned as empty strings. -->
<configConfMo
    dn="sys/chassis-1/server-1/kmip-mgmt/kmip-client-cert-download"
    cookie="1478184218/cf931a62-4066-1066-8003-e8374190b1d8"
    response="yes">
  <outConfig>
    <downloadClientCertificate
        dn="sys/chassis-1/server-1/kmip-mgmt/kmip-client-cert-download"
        protocol="none"
        remoteServer=""
        remoteFile=""
        user=""
        pwd=""
        downloadStatus="COMPLETED"
        downloadProgress="100%"
        status="modified"/>
  </outConfig>
</configConfMo>
Exporting a
Client Certificate
Request:
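<!-- Request: copy the installed client certificate to remoteServer over scp.
     pwd is sent in clear text in the request body; the value is a sample.
     All attribute values use straight double quotes; a typographic closing
     quote on remoteFile leaves the attribute unterminated. -->
<configConfMo
    dn="sys/chassis-1/server-1/kmip-mgmt/kmip-client-cert-export"
    cookie="1478187971/13b8e805-4068-1068-8003-e8374190b1d8"
    inHierarchical="false">
  <inConfig>
    <exportClientCertificate
        dn="sys/chassis-1/server-1/kmip-mgmt/kmip-client-cert-export"
        protocol="scp"
        remoteServer="10.10.10.10"
        user="jsmith"
        pwd="Johnpwd1982"
        remoteFile="/home/ss/cert/KMIP/ClientCert.pem">
    </exportClientCertificate>
  </inConfig>
</configConfMo>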
Response:
<!-- Response: exportStatus="COMPLETED", exportProgress="100%"; user and pwd
     are returned as empty strings. The cookie differs from the one in the
     request sample, so the two were likely captured in different sessions. -->
<configConfMo
    dn="sys/chassis-1/server-1/kmip-mgmt/kmip-client-cert-export"
    cookie="1478247863/eb2fa9cd-4075-1075-8002-e8374190b1d8"
    response="yes">
  <outConfig>
    <exportClientCertificate
        dn="sys/chassis-1/server-1/kmip-mgmt/kmip-client-cert-export"
        protocol="none"
        remoteServer=""
        remoteFile=""
        user=""
        pwd=""
        exportStatus="COMPLETED"
        exportProgress="100%"
        status="modified"/>
  </outConfig>
</configConfMo>
Deleting a
Client Certificate
Request:
<!-- Request: remove the installed client certificate with
     adminAction="delete-client-certificate". -->
<configConfMo
    dn="sys/chassis-1/server-1/kmip-mgmt"
    cookie="1478237721/12423b5d-4073-1073-8002-e8374190b1d8"
    inHierarchical="false">
  <inConfig>
    <kmipManagement
        dn="sys/chassis-1/server-1/kmip-mgmt"
        adminAction="delete-client-certificate">
    </kmipManagement>
  </inConfig>
</configConfMo>
Response:
<!-- Response: clientCertificate reads "Not Available"; secureKeyManagement
     still reads "enabled" in this sample. -->
<configConfMo
    dn="sys/chassis-1/server-1/kmip-mgmt"
    cookie="1478237721/12423b5d-4073-1073-8002-e8374190b1d8"
    response="yes">
  <outConfig>
    <kmipManagement
        dn="sys/chassis-1/server-1/kmip-mgmt"
        description="Key Management Interoperability Protocol"
        secureKeyManagement="enabled"
        serverRootCACertificate="Not Available"
        clientCertificate="Not Available"
        clientPrivateKey="Not Available"
        adminAction="no-op"
        status="modified"/>
  </outConfig>
</configConfMo>
Deleting KMIP
Server Login Details
Request:
<!-- Request: clear the stored KMIP server login with adminAction="clear" on
     the kmip-login object. -->
<configConfMo
    dn="sys/chassis-1/server-1/kmip-mgmt/kmip-login"
    cookie="1478254180/02b1c8b1-4077-1077-8003-e8374190b1d8"
    inHierarchical="false">
  <inConfig>
    <kmipServerLogin
        dn="sys/chassis-1/server-1/kmip-mgmt/kmip-login"
        adminAction="clear">
    </kmipServerLogin>
  </inConfig>
</configConfMo>
Response:
<!-- Response: accountStatus="disabled" with empty name and pwd, which is the
     state to look for when confirming the login details were removed. -->
<configConfMo
    dn="sys/chassis-1/server-1/kmip-mgmt/kmip-login"
    cookie="1478254180/02b1c8b1-4077-1077-8003-e8374190b1d8"
    response="yes">
  <outConfig>
    <kmipServerLogin
        dn="sys/chassis-1/server-1/kmip-mgmt/kmip-login"
        accountStatus="disabled"
        name=""
        pwd=""
        adminAction="no-op"
        status="modified"/>
  </outConfig>
</configConfMo>
Unlocking
Foreign Configuration on a Self Encrypted Drive
Request:
<!-- Request: send adminAction='unlock-secured-drives' to the ctr-self-encrypt
     object of the storage controller. The sample request carries no key
     attribute. -->
<configConfMo
    dn='sys/chassis-1/server-1/board/storage-SAS-SBMezz1/ctr-self-encrypt'
    cookie='1480557066/0583da3f-4290-1290-8021-127a1e1b0ff4'
    inHierarchical='false'>
  <inConfig>
    <selfEncryptStorageController
        dn='sys/chassis-1/server-1/board/storage-SAS-SBMezz1/ctr-self-encrypt'
        adminAction='unlock-secured-drives'/>
  </inConfig>
</configConfMo>
Response:
<!-- Response: the selfEncryptStorageController object. keyId is returned in
     clear, while securityKey and existingSecurityKey hold the literal texts
     "Security key" and "Existing security key" rather than key values. -->
<configConfMo
    dn="sys/chassis-1/server-1/board/storage-SAS-SBMezz1/ctr-self-encrypt"
    cookie="1480557066/0583da3f-4290-1290-8021-127a1e1b0ff4"
    response="yes">
  <outConfig>
    <selfEncryptStorageController
        dn="sys/chassis-1/server-1/board/storage-SAS-SBMezz1/ctr-self-encrypt"
        keyId="UCSC-MRAID12G_SV53647770_1fd23aac"
        securityKey="Security key"
        existingSecurityKey="Existing security key"
        keyManagement=""
        adminAction="no-op"
        status="modified">
    </selfEncryptStorageController>
  </outConfig>
</configConfMo>
Importing
Foreign Configuration to a Self Encrypted Drive
Request:
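<!-- Request: send adminAction='import-foreign-config' to the storage
     controller object. Attribute values use straight quotes throughout;
     typographic quotes around the inHierarchical value are not valid XML
     attribute delimiters. -->
<configConfMo
    dn='sys/chassis-1/server-1/board/storage-SAS-SBMezz1'
    cookie='1480557066/0583da3f-4290-1290-8021-127a1e1b0ff4'
    inHierarchical='false'>
  <inConfig>
    <storageController
        dn='sys/chassis-1/server-1/board/storage-SAS-SBMezz1'
        adminAction='import-foreign-config'/>
  </inConfig>
</configConfMo>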
Response:
<!-- Response: the storageController object, with selfEncryptEnabled="yes" in
     this sample. The cookie differs from the one in the request sample, so
     the two were likely captured in different sessions. -->
<configConfMo
    dn='sys/chassis-1/server-1/board/storage-SAS-SBMezz1'
    cookie="1480557500/2d74a062-428f-128f-8022-127a1e1b0ff4"
    response="yes">
  <outConfig>
    <storageController
        id="SBMezz1"
        model="Cisco 12G SAS Modular Raid Controller"
        pciSlot="SBMezz1"
        presence="equipped"
        raidSupport="yes"
        serial="SV53647770"
        type="SAS"
        vendor="LSI Logic"
        selfEncryptEnabled="yes"
        adminAction="no-op"
        dn="sys/chassis-1/server-1/board/storage-SAS-SBMezz1">
    </storageController>
  </outConfig>
</configConfMo>
Enabling Self
Encrypted Drive with Key Management as Local and KMIP Disabled
Request:
<!-- Request: enable self-encryption with keyManagement="local". The operator
     supplies keyId and securityKey in the request; here both are the same
     sample string. In practice use a strong, unique securityKey that differs
     from keyId (responses on this page return keyId in clear). Store the key
     where it can be recovered, since the switch-local-to-remote example on
     this page asks for it again as existingSecurityKey. -->
<configConfMo
    dn="sys/chassis-1/server-1/board/storage-SAS-SBMezz1/ctr-self-encrypt"
    cookie="1478342437/3c993fcb-408c-108c-8002-e8374190b1d8"
    inHierarchical="false">
  <inConfig>
    <selfEncryptStorageController
        dn="sys/chassis-1/server-1/board/storage-SAS-SBMezz1/ctr-self-encrypt"
        keyId="test123"
        securityKey="test123"
        adminAction="enable-self-encrypt"
        keyManagement="local">
    </selfEncryptStorageController>
  </inConfig>
</configConfMo>
Response:
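The configuration takes time, so the immediate response has an empty outConfig. It does not show the resulting state; use the follow-up query below to confirm it.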
<!-- Immediate response: outConfig is empty, so no controller state is
     reported here. -->
<configConfMo
    dn="sys/chassis-1/server-1/board/storage-SAS-SBMezz1/ctr-self-encrypt"
    cookie="1478342437/3c993fcb-408c-108c-8002-e8374190b1d8"
    response="yes">
  <outConfig>
  </outConfig>
</configConfMo>
After the
configuration is completed, send the following request:
<!-- Follow-up query: read all objects of class selfEncryptStorageController
     to see the state after the configuration has completed. -->
<configResolveClass
    cookie="1490834627/de1ed316-4be8-1be8-92d4-20be7d8bf200"
    inHierarchical="false"
    classId="selfEncryptStorageController"/>
You see the
following response:
<!-- Response: keyId is returned in clear, while securityKey and
     existingSecurityKey hold literal placeholder texts, not key values.
     keyId here ("testkeyid") differs from the request sample, so the samples
     come from different runs. NOTE(review): keyManagement is returned empty,
     so this response alone does not distinguish local from remote. -->
<configResolveClass
    cookie="1490834627/de1ed316-4be8-1be8-92d4-20be7d8bf200"
    response="yes"
    classId="selfEncryptStorageController">
  <outConfig>
    <selfEncryptStorageController
        dn="sys/chassis-1/server-1/board/storage-SAS-SBMezz1/ctr-self-encrypt"
        keyId="testkeyid"
        securityKey="Security key"
        existingSecurityKey="Existing security key"
        keyManagement=""
        adminAction="no-op">
    </selfEncryptStorageController>
  </outConfig>
</configResolveClass>
Enabling Self
Encrypted Drive with Key Management as Remote and KMIP Enabled
Request:
<!-- Request: enable self-encryption with keyManagement="remote". Unlike the
     local variant, the request carries no keyId or securityKey.
     NOTE(review): presumably the key is obtained from the configured KMIP
     server, so the KMIP server, certificates and private key need to be in
     place first; confirm against the API reference. -->
<configConfMo
    dn="sys/chassis-1/server-1/board/storage-SAS-SBMezz1/ctr-self-encrypt"
    cookie="1478340466/cde62027-408b-108b-8002-e8374190b1d8"
    inHierarchical="false">
  <inConfig>
    <selfEncryptStorageController
        dn="sys/chassis-1/server-1/board/storage-SAS-SBMezz1/ctr-self-encrypt"
        adminAction="enable-self-encrypt"
        keyManagement="remote">
    </selfEncryptStorageController>
  </inConfig>
</configConfMo>
Response:
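The configuration takes time, so the immediate response has an empty outConfig. It does not show the resulting state; use the follow-up query below to confirm it.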
<!-- Immediate response: outConfig is empty, so no controller state is
     reported here. -->
<configConfMo
    dn="sys/chassis-1/server-1/board/storage-SAS-SBMezz1/ctr-self-encrypt"
    cookie="1478340466/cde62027-408b-108b-8002-e8374190b1d8"
    response="yes">
  <outConfig>
  </outConfig>
</configConfMo>
After the
configuration is completed, send the following request:
<!-- Follow-up query: read all objects of class selfEncryptStorageController
     to see the state after the configuration has completed. -->
<configResolveClass
    cookie="1490834627/de1ed316-4be8-1be8-92d4-20be7d8bf200"
    inHierarchical="false"
    classId="selfEncryptStorageController"/>
You see the
following response:
<!-- Response: keyId is returned in clear, while securityKey and
     existingSecurityKey hold literal placeholder texts, not key values.
     NOTE(review): keyManagement is returned empty although the request asked
     for "remote", so this response alone does not confirm the mode. -->
<configResolveClass
    cookie="1490834627/de1ed316-4be8-1be8-92d4-20be7d8bf200"
    response="yes"
    classId="selfEncryptStorageController">
  <outConfig>
    <selfEncryptStorageController
        dn="sys/chassis-1/server-1/board/storage-SAS-SBMezz1/ctr-self-encrypt"
        keyId="testkeyid"
        securityKey="Security key"
        existingSecurityKey="Existing security key"
        keyManagement=""
        adminAction="no-op">
    </selfEncryptStorageController>
  </outConfig>
</configResolveClass>
Switching Key
Management From Local to Remote with Existing Security Key
Request:
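<!-- Request: switch key management from local to remote with
     adminAction="switch-local-to-remote". existingSecurityKey carries the
     current local security key in clear text in the request body; the value
     is a sample. The dn on the inner element matches the dn on configConfMo
     (server-1), so the change applies to the controller the request
     addresses. -->
<configConfMo
    dn="sys/chassis-1/server-1/board/storage-SAS-SBMezz1/ctr-self-encrypt"
    cookie="1478343933/7da81dea-408c-108c-8002-e8374190b1d8"
    inHierarchical="false">
  <inConfig>
    <selfEncryptStorageController
        dn="sys/chassis-1/server-1/board/storage-SAS-SBMezz1/ctr-self-encrypt"
        adminAction="switch-local-to-remote"
        existingSecurityKey="SecurityKey">
    </selfEncryptStorageController>
  </inConfig>
</configConfMo>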
Response:
<!-- Response: the selfEncryptStorageController object with a new keyId.
     securityKey and existingSecurityKey hold literal placeholder texts, not
     key values. NOTE(review): keyManagement is returned empty, so the
     response does not itself confirm that the mode is now remote. -->
<configConfMo
    dn="sys/chassis-1/server-1/board/storage-SAS-SBMezz1/ctr-self-encrypt"
    cookie="1478343933/7da81dea-408c-108c-8002-e8374190b1d8"
    response="yes">
  <outConfig>
    <selfEncryptStorageController
        dn="sys/chassis-1/server-1/board/storage-SAS-SBMezz1/ctr-self-encrypt"
        keyId="UCSC-MRAID12G_SV52731947_1fb07b15"
        securityKey="Security key"
        existingSecurityKey="Existing security key"
        keyManagement=""
        adminAction="no-op"
        status="modified"/>
  </outConfig>
</configConfMo>
Switching Key
Management From Remote to Local with Key ID and Security Key
Request:
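<!-- Request: switch key management from remote to local with
     adminAction="switch-remote-to-local". The operator supplies the new keyId
     and securityKey, which travel in clear text in the request body; the
     values are samples. The dn on the inner element matches the dn on
     configConfMo (server-1), so the change applies to the controller the
     request addresses. -->
<configConfMo
    dn="sys/chassis-1/server-1/board/storage-SAS-SBMezz1/ctr-self-encrypt"
    cookie="1478343933/7da81dea-408c-108c-8002-e8374190b1d8"
    inHierarchical="false">
  <inConfig>
    <selfEncryptStorageController
        dn="sys/chassis-1/server-1/board/storage-SAS-SBMezz1/ctr-self-encrypt"
        keyId="KeyId"
        securityKey="SecurityKey"
        adminAction="switch-remote-to-local">
    </selfEncryptStorageController>
  </inConfig>
</configConfMo>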
Response:
<!-- Response: keyId is returned in clear ("test1234" here, which differs from
     the request sample). securityKey and existingSecurityKey hold literal
     placeholder texts, not key values. -->
<configConfMo
    dn="sys/chassis-1/server-1/board/storage-SAS-SBMezz1/ctr-self-encrypt"
    cookie="1478343933/7da81dea-408c-108c-8002-e8374190b1d8"
    response="yes">
  <outConfig>
    <selfEncryptStorageController
        dn="sys/chassis-1/server-1/board/storage-SAS-SBMezz1/ctr-self-encrypt"
        keyId="test1234"
        securityKey="Security key"
        existingSecurityKey="Existing security key"
        keyManagement=""
        adminAction="no-op"
        status="modified"/>
  </outConfig>
</configConfMo>
Disabling Security
Enabled Drive when Key Management is Local
Request:
<!-- Request: send adminAction="disable-self-encrypt" to the ctr-self-encrypt
     object. The sample request carries no key attribute. NOTE(review): the
     page does not state what happens to data on drives that are already
     secured; confirm against the API reference before using this on
     production storage. -->
<configConfMo
    dn="sys/chassis-1/server-1/board/storage-SAS-SBMezz1/ctr-self-encrypt"
    cookie="1478342437/3c993fcb-408c-108c-8002-e8374190b1d8"
    inHierarchical="false">
  <inConfig>
    <selfEncryptStorageController
        dn="sys/chassis-1/server-1/board/storage-SAS-SBMezz1/ctr-self-encrypt"
        adminAction="disable-self-encrypt">
    </selfEncryptStorageController>
  </inConfig>
</configConfMo>
Response:
<!-- Response: outConfig is empty, so the response does not report the
     controller state. NOTE(review): query the selfEncryptStorageController
     class afterwards to confirm the result, as the enable examples on this
     page do. -->
<configConfMo
    dn="sys/chassis-1/server-1/board/storage-SAS-SBMezz1/ctr-self-encrypt"
    cookie="1478342437/3c993fcb-408c-108c-8002-e8374190b1d8"
    response="yes">
  <outConfig>
  </outConfig>
</configConfMo>