PS-11074 [DOCS] - Update the KMIP information based on library update 8.4

patrickbirch · patrickbirch · commit f59ae7cf77f3 · 2026-04-27T05:36:45.000-05:00
modified:   docs/keyring-components-plugins-overview.md
	modified:   docs/using-kmip.md
diff --git a/docs/keyring-components-plugins-overview.md b/docs/keyring-components-plugins-overview.md
@@ -14,6 +14,6 @@ Percona Server supports the following keyring components:
 
 [Use the keyring vault component](use-keyring-vault-component.md){.md-button}
 
-[Use the Key Management Interoperability Protocol (KMIP)](using-amz-kms.md){.md-button}
+[Use the Key Management Interoperability Protocol (KMIP)](using-kmip.md){.md-button}
 
-[Use the Amazon Key Management Service (AWS KMS)](using-kmip.md){.md-button}
+[Use the Amazon Key Management Service (AWS KMS)](using-amz-kms.md){.md-button}
diff --git a/docs/using-kmip.md b/docs/using-kmip.md
@@ -1,24 +1,28 @@
 # Use the Key Management Interoperability Protocol (KMIP)
 
-Percona Server for MySQL supports the [OASIS Key Management Interoperability Protocol (KMIP) :octicons-link-external-16:](https://docs.oasis-open.org/kmip/kmip-spec/v2.0/os/kmip-spec-v2.0-os.html). This implementation was tested with:
-- [PyKMIP server :octicons-link-external-16:](https://pykmip.readthedocs.io/en/latest/server.html)
-- [HashiCorp Vault Enterprise KMIP Secrets Engine :octicons-link-external-16:](https://developer.hashicorp.com/vault/docs/secrets/kmip)
-- [Thales CipherTrust Manager :octicons-link-external-16:](https://cpl.thalesgroup.com/encryption/ciphertrust-manager)
-- [Fortanix Data Security Manager :octicons-link-external-16:](https://www.fortanix.com/products/data-security-manager)
+Percona Server for MySQL supports the [OASIS Key Management Interoperability Protocol (KMIP) :octicons-link-external-16:](https://docs.oasis-open.org/kmip/kmip-spec/v2.0/os/kmip-spec-v2.0-os.html). Percona has validated the KMIP implementation against the following servers:
 
-KMIP enables communication between key management systems and the database server. The protocol can do the following:
+* [PyKMIP server :octicons-link-external-16:](https://pykmip.readthedocs.io/en/latest/server.html)
 
-* Streamline encryption key management
+* [HashiCorp Vault Enterprise KMIP Secrets Engine :octicons-link-external-16:](https://developer.hashicorp.com/vault/docs/secrets/kmip)
 
-* Eliminate redundant key management processes
+* [Thales CipherTrust Manager :octicons-link-external-16:](https://cpl.thalesgroup.com/encryption/ciphertrust-manager)
+
+* [Fortanix Data Security Manager :octicons-link-external-16:](https://www.fortanix.com/products/data-security-manager)
+
+KMIP enables communication between key management systems and the database server. The protocol provides the following capabilities:
+
+* Streamlined encryption key management
+
+* Elimination of redundant key management processes
 
 ## Component installation
 
 --8<--- "keyring-components-installation.md"
 
 For more information, see [Installing and Uninstalling Components :octicons-link-external-16:](https://dev.mysql.com/doc/refman/{{vers}}/en/component-loading.html).
 
-The following is an example of a global manifest file that does not use local manifests:
+The following example shows a global manifest file that does not use local manifests:
 
 ```json
 {
@@ -27,34 +31,84 @@ The following is an example of a global manifest file that does not use local ma
 }
 ```
 
-The following is an example of a global manifest file that points to a local manifest file:
+The following example shows a global manifest file that references a local manifest file:
 
 ```json
 {
  "read_local_manifest": true
 }
 ```
 
-The following is an example of a local manifest file:
+The following example shows a local manifest file:
 
 ```json
 {
  "components": "file://component_keyring_kmip"
 }
 ```
 
-The configuration settings are either in a global configuration file or a local configuration file. The settings are the same. 
+Both global and local configuration files use the same settings. The following example shows a configuration file:
+
+```json
+{
+ "server_addr": "127.0.0.1",
+ "server_port": "5696",
+ "client_ca": "client_certificate.pem",
+ "client_key": "client_key.pem",
+ "server_ca": "root_certificate.pem",
+ "object_group": "",
+ "kmip_timeout_ms": 5000,
+ "tls_peer_verification": false,
+ "tls_hostname_verification": false
+}
+```
+
+### Configuration options
+
+The configuration file for the KMIP keyring supports the following options:
+
+| Option | Type | Default | Description |
+|---|---|---|---|
+| `server_addr` | string | Required | Hostname or IP address of the KMIP server |
+| `server_port` | string | Required | TCP port of the KMIP server, for example `"5696"` |
+| `client_ca` | string | Required | Path to the client certificate that the client presents to the KMIP server, in PEM (Privacy-Enhanced Mail) format |
+| `client_key` | string | Required | Path to the client private key that matches `client_ca`, in PEM format |
+| `server_ca` | string | Required | Path to the CA (certificate authority) certificate that verifies the KMIP server, in PEM format |
+| `object_group` | string | `""` | KMIP object group for registering and enumerating objects; empty value disables grouping |
+| `kmip_timeout_ms` | integer | `5000` | KMIP connection timeout in milliseconds |
+| `tls_peer_verification` | boolean | `false` | When `true`, verifies the KMIP server TLS (Transport Layer Security) certificate against `server_ca` |
+| `tls_hostname_verification` | boolean | `false` | When `true`, verifies that `server_addr` matches the Subject Alternative Name (SAN) or Common Name (CN) in the KMIP server certificate |
+
+#### TLS verification
+
+Both `tls_peer_verification` and `tls_hostname_verification` default to `false` for backward compatibility. Enable both options in production deployments. The server then rejects KMIP endpoints that present an untrusted or mismatched certificate.
+
+To use peer verification, set `server_ca` to reference the certificate authority that signed the KMIP server certificate. To use hostname verification, set `server_addr` to a value that matches the SAN or CN in the KMIP server certificate.
+
+### Requirements for KMIP object states
+
+The KMIP keyring backend loads only KMIP objects in the `ACTIVE` state. Loaded objects include symmetric keys and secret data. The backend ignores objects in the `PRE_ACTIVE`, `DEACTIVATED`, `COMPROMISED`, or `DESTROYED` state. The backend activates each key or secret automatically when the backend registers the object.
+
+!!! important
+
+    Activate any `PRE_ACTIVE` keys on the KMIP server before you start Percona Server for MySQL. Otherwise, Percona Server for MySQL cannot load those keys.
+
+    Use the KMIP `Activate` operation through the management interface of your KMIP server. Possible interfaces include a web console, a command-line tool, or a KMIP client library. For exact steps, see the documentation of your KMIP server.
+
+### AES key size restriction
+
+The KMIP keyring backend accepts only the standard AES key sizes:
+
+| AES key size | Length in bytes |
+|---|---|
+| 128 bits | 16 |
+| 192 bits | 24 |
+| 256 bits | 32 |
+
+An attempt to generate or store an AES key of any other length fails with a keyring service error. The `keyring_udf` plugin returns this error when a caller requests a non-standard key size.
 
-??? example "Example of a configuration file in JSON format"
+!!! important
 
-     ```json
-     {
-      "server_addr": "127.0.0.1",
-      "server_port": "5696",
-      "client_ca": "client_certificate.pem",
-      "client_key": "client_key.pem",
-      "server_ca": "root_certificate.pem"
-     }
-     ```
+    Review any scripts or tooling that use non-standard AES key sizes before you upgrade.
 
 For more information, see [Keyring Component installation :octicons-link-external-16:](https://dev.mysql.com/doc/refman/{{vers}}/en/keyring-component-installation.html).
diff --git a/snippets/keyring-components-installation.md b/snippets/keyring-components-installation.md
@@ -1,16 +1,27 @@
 
-The component must be installed with a manifest. A keyring component is not loaded with the `--early-plugin-load` option on the server. The server uses a manifest and the component consults its configuration file during initialization. You should only load a keyring component with a manifest file. Do not use the `INSTALL_COMPONENT` statement, which loads the keyring components too late in the startup sequence of the server. For example, `InnoDB` requires the component, but because the components are registered in the `mysql.component` table, this table is loaded after `InnoDB` initialization.
+Install a keyring component through a manifest file. During startup, the server reads the manifest. Each component reads a corresponding configuration file during initialization.
 
-You should create a global manifest file named `mysqld.my` in the installation directory and, optionally, create a local manifest file, also named `mysqld.my` in a data directory.
+Do not load keyring components with either of the following methods:
 
-To install a keyring component, do the following:
+| Method | Why it fails |
+|---|---|
+| `--early-plugin-load` option | Loads plugins only, not components |
+| `INSTALL COMPONENT` statement | Registers components in the `mysql.component` table, which the server loads after `InnoDB` initialization |
 
-1. Write a manifest in a valid JSON format
+Components that `InnoDB` requires at startup must load earlier.
+
+Create a global manifest file named `mysqld.my` in the installation directory. Optionally, create a local manifest file with the same name in a data directory.
+
+To install a keyring component, complete the following steps:
+
+1. Write a manifest in valid JSON format
 
 2. Write a configuration file
 
-A manifest file indicates which component to load. If the manifest file does not exist, the server does not load the component associated with that file. During startup, the server reads the global manifest file from the installation directory. The global manifest file can contain the required information or point to a local manifest file located in the data directory. If you have multiple server instances that use different keyring components use a local manifest file in each data directory to load the correct keyring component for that instance.
+A manifest file declares which component to load. The server skips any component whose manifest file does not exist. During startup, the server reads the global manifest file from the installation directory. The global manifest file either contains the required information or references a local manifest file in the data directory.
+
+Use a local manifest file in each data directory when you run multiple server instances with different keyring components. Each instance then loads the correct keyring component.
 
 !!! warning
 
-    Enable only one keyring plugin or one keyring component at a time for each server instance. Enabling multiple keyring plugins or keyring components or mixing keyring plugins or keyring components is not supported and may result in data loss.
+    Enable only one keyring plugin or keyring component per server instance. Percona Server does not support multiple or mixed keyring implementations. Unsupported configurations can cause data loss.
