Client Registration Examples

Client Registration Examples
InsertFrindell
Alan
Your Name
Insert Your
Denis
Pochuev
Title
Insert Date
4/26/2011
Certificate Entity: Implicit self-registration
 Server implicitly creates Entity record as a side effect of another KMIP
request
 No special TTLV required – KMIP server extracts needed values from
TLS certificate
 Client MAY already have a cert signed by a CA trusted by KMIP server
 Resulting Object:
Entity
UUID: ABCD-1234
Credential
Credential Type: Transport Certificate
Credential Value: Certificate
Certificate Type: X.509
Certificate Value: <cert>
2
Certificate Entity: Explicit self-registration
Register
Object Type=Entity
Template-Attribute
Credential
Credential Type: Transport Certificate
Credential Value: <empty>
x-custom1: custom-value1
x-custom2: custom-value2
Entity: <empty>
 Certificate fields extracted from TLS
3
Certificate Entity: Registration
Register
Object Type=Entity
Template-Attribute
Credential
Credential Type: Transport Certificate
Credential Value:
Certificate: <certificate>
x-custom1: custom-value1
x-custom2: custom-value2
Entity: <empty>
 Assumption: Registering Entity has privilege to register
Entities
4
Certificate Entity:
Authentication and Access Control
Authentication
Credential
Credential Type: Transport Certificate
Credential Value: <empty>
 Server looks up Entity based on TLS certificate
information
• Server policy: may be dynamic mapping or exact match
 For access control, server checks authenticated Entity
UUID against request object Owner attribute
5
Username/Password User: Registration
Register
Object Type=Entity
Template-Attribute
Credential
Credential Type: Username and Password
Credential Value:
Username: “user1”
Password: “password”
x-custom1: custom-value1
x-custom2: custom-value2
Entity: <empty>
6
Username/Password User:
Authentication and Access Control
 Same as v1.0
Authentication
Credential
Credential Type: Username and Password
Credential Value:
Username: “user1”
Password: “password”
 Server looks up Entity based on Credential (username)
 For access control, server checks Entity UUID against
request object Owner attribute
7
Multi-factor Entity: Registration
Register
Object Type=Entity
Template-Attribute
Credential
Credential Type: Transport Certificate
Credential Value:
Certificate: <certificate>
Credential
Credential Type: Username and Password
Credential Value:
Username: “user1”
Password: “password”
x-custom1: custom-value1
x-custom2: custom-value2
Entity: <empty>
8
Multi-factor Entity: Authentication
Authentication
Credential
Credential Type: Transport Certificate
Credential Value: <empty>
Credential
Credential Type: Username and Password
Credential Value:
Username: “user1”
Password: “password”
 Server looks up Entity based on each Credential – all must
resolve to the same Entity
 For access control, server checks Entity UUID against request
object Owner attribute
9
Locate Entity
 Find all Entities with Transport Certificate Credentials:
Locate
Credential
Credential Type: Transport Certificate
 Find an Entity by its transport certificate:
Locate
Credential
Credential Type: Transport Certificate
Credential Value:
Certificate: <certificate>
 Find yourself:
Locate
Entity Identifier = Self
10
Credential Refresh
Modify Attribute
Attribute: “Credential”
Attribute Index: N
Attribute Value:
Credential Type: Transport Certificate
Credential Value:
Certificate: <certificate>
Modify Attribute
Attribute: “Credential”
Attribute Index: N
Attribute Value:
Credential Type: Username and Password
Credential Value:
Username: “user1”
Password: “new-password”
11
Other operations
 Get Entity Info
Locate
Entity Identifier = Self
Get Attributes
Attribute Name: “Credential”
• Note server is not allowed to return Password values
 Destroy Entity
Destroy
UUID: “ABCD-1234”
12