docs/using-kmip.md (39 additions, 1 deletion)
@@ -53,8 +53,46 @@ The configuration settings are either in a global configuration file or a local
53
53
"server_port": "5696",
54
54
"client_ca": "client_certificate.pem",
55
55
"client_key": "client_key.pem",
56
-
"server_ca": "root_certificate.pem"
56
+
"server_ca": "root_certificate.pem",
57
+
"object_group": "",
58
+
"kmip_timeout_ms": 5000,
59
+
"tls_peer_verification": false,
60
+
"tls_hostname_verification": false
57
61
}
58
62
```
59
63
64
+
### Configuration options
65
+
66
+
The following options are supported in the KMIP keyring configuration file:
67
+
68
+
| Option | Type | Default | Description |
69
+
|---|---|---|---|
70
+
|`server_addr`| string |_(required)_| Hostname or IP address of the KMIP server. |
71
+
|`server_port`| string |_(required)_| TCP port of the KMIP server (for example, `"5696"`). |
72
+
|`client_ca`| string |_(required)_| Path to the client certificate (PEM) presented to the KMIP server. |
73
+
|`client_key`| string |_(required)_| Path to the client private key (PEM) that matches `client_ca`. |
74
+
|`server_ca`| string |_(required)_| Path to the CA certificate (PEM) used to verify the KMIP server. |
75
+
|`object_group`| string |`""`| Optional KMIP object group. When set, the backend registers new objects into this group and limits enumeration to it. An empty value means "no group". |
76
+
|`kmip_timeout_ms`| integer |`5000`| KMIP connection timeout, in milliseconds. |
77
+
|`tls_peer_verification`| boolean |`false`| When `true`, verifies the KMIP server's TLS certificate against `server_ca`. Defaults to `false` for backward compatibility. |
78
+
|`tls_hostname_verification`| boolean |`false`| When `true`, verifies that the hostname in `server_addr` matches the KMIP server certificate (SAN or CN). Defaults to `false` for backward compatibility. |
79
+
80
+
#### TLS verification
81
+
82
+
Both `tls_peer_verification` and `tls_hostname_verification` default to `false` to preserve the behavior of earlier releases. In production deployments, enable both so the server rejects KMIP endpoints presenting an untrusted or mismatched certificate. For peer verification to succeed, `server_ca` must point to the certificate authority that signed the KMIP server certificate. For hostname verification to succeed, the value of `server_addr` must match the Subject Alternative Name (or Common Name) in the KMIP server certificate.
83
+
84
+
### KMIP object state requirements
85
+
86
+
!!! important
87
+
88
+
The KMIP keyring backend loads and uses only KMIP objects (keys and secret data) in the `ACTIVE` state. Objects in `PRE_ACTIVE`, `DEACTIVATED`, `COMPROMISED`, or `DESTROYED` states are ignored.
89
+
90
+
If you are upgrading from an earlier release and some of your keys are still in `PRE_ACTIVE` state, activate them on the KMIP server before starting the server; otherwise Percona Server for MySQL will not be able to see them. New keys and secrets that the backend registers are activated automatically.
91
+
92
+
### AES key size restriction
93
+
94
+
!!! important
95
+
96
+
Only standard AES key sizes are accepted: **128, 192, and 256 bits** (16, 24, or 32 bytes). Attempts to generate or store an AES key of any other length through the keyring interface (for example, via the `keyring_udf` plugin) fail with a keyring service error. Review any scripts or tooling that relied on non-standard AES key sizes before upgrading.
97
+
60
98
For more information, see [Keyring Component installation :octicons-link-external-16:](https://dev.mysql.com/doc/refman/{{vers}}/en/keyring-component-installation.html).
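Review bot: the example configuration in this hunk ships `"tls_peer_verification": false` and `"tls_hostname_verification": false`, so anyone who copies it verbatim gets a KMIP session with no server authentication, which the new "TLS verification" paragraph itself says not to run in production; since the snippet is JSON and cannot carry an inline comment, show `true` for both keys in the example and let the table's "Defaults to `false` for backward compatibility" note explain why the code default differs. Two related gaps in the same hunk: the table marks `server_ca` as _(required)_ while `tls_peer_verification` defaults to `false`, so state whether the file is still loaded and validated when peer verification is off, or mark it required only when `tls_peer_verification` is `true`; and `kmip_timeout_ms` is described only as a "connection timeout", so say whether it also bounds individual KMIP request/response round trips or only the TCP/TLS handshake. The hostname-verification paragraph talks only about matching a hostname against the SAN or CN; since `server_addr` may be an IP address, it should say that an IP-type SAN is needed in that case, and whether `tls_hostname_verification` has any effect when `tls_peer_verification` is `false`.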