KMIP Storage Array with Self-Encrypting Drives Profile Version 1.0

Transcription

1 KMIP Storage Array with Self-Encrypting Drives Profile Version 1.0 Committee Specification Draft 02 / Public Review Draft June 2014 Specification URIs This version: csprd02.doc (Authoritative) csprd02.html csprd02.pdf Previous version: csprd01.doc (Authoritative) csprd01.html csprd01.pdf Latest version: (Authoritative) Technical Committee: OASIS Key Management Interoperability Protocol (KMIP) TC Chairs: Subhash Sankuratripati (Subhash.Sankuratripati@netapp.com), NetApp Saikat Saha (saikat.saha@oracle.com), Oracle Editors: Tim Hudson (tjh@cryptsoft.com), Cryptsoft Pty Ltd. Mahadev Karadigudda (mahadev@netapp.com), NetApp Related work: This specification is related to: Key Management Interoperability Protocol Profiles Version 1.0. Edited by Robert Griffin and Subhash Sankuratripati. 01 October OASIS Standard. Key Management Interoperability Protocol Specification Version 1.1. Edited by Robert Haas and Indra Fitzgerald. 24 January OASIS Standard. Standards Track Work Product Copyright OASIS Open All Rights Reserved. Page 1 of 48

2 Key Management Interoperability Protocol Specification Version 1.2. Edited by Kiran Thota and Kelley Burgin. Latest version: Abstract: Describes a profile for Storage Arrays with Self-Encrypting Drives as KMIP clients interacting with KMIP servers Status: This document was last revised or approved by the OASIS Key Management Interoperability Protocol (KMIP) TC on the above date. The level of approval is also listed above. Check the Latest version location noted above for possible later revisions of this document. Technical Committee members should send comments on this specification to the Technical Committee s list. Others should send comments to the Technical Committee by using the Send A Comment button on the Technical Committee s web page at For information on whether any patents have been disclosed that may be essential to implementing this specification, and any offers of patent licensing terms, please refer to the Intellectual Property Rights section of the Technical Committee web page ( Citation format: When referencing this specification the following citation format should be used: [kmip-sa-sed-v1.0] KMIP Storage Array with Self-Encrypting Drives Profile Version 1.0. Edited by Tim Hudson and Mahadev Karadigudda. 19 June OASIS Committee Specification Draft 02 / Public Review Draft Latest version: Standards Track Work Product Copyright OASIS Open All Rights Reserved. Page 2 of 48

3 Notices Copyright OASIS Open All Rights Reserved. All capitalized terms in the following text have the meanings assigned to them in the OASIS Intellectual Property Rights Policy (the "OASIS IPR Policy"). The full Policy may be found at the OASIS website. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published, and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this section are included on all such copies and derivative works. However, this document itself may not be modified in any way, including by removing the copyright notice or references to OASIS, except as needed for the purpose of developing any document or deliverable produced by an OASIS Technical Committee (in which case the rules applicable to copyrights, as set forth in the OASIS IPR Policy, must be followed) or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY OWNERSHIP RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. OASIS requests that any OASIS Party or any other party that believes it has patent claims that would necessarily be infringed by implementations of this OASIS Committee Specification or OASIS Standard, to notify OASIS TC Administrator and provide an indication of its willingness to grant patent licenses to such patent claims in a manner consistent with the IPR Mode of the OASIS Technical Committee that produced this specification. OASIS invites any party to contact the OASIS TC Administrator if it is aware of a claim of ownership of any patent claims that would necessarily be infringed by implementations of this specification by a patent holder that is not willing to provide a license to such patent claims in a manner consistent with the IPR Mode of the OASIS Technical Committee that produced this specification. OASIS may include such claims on its website, but disclaims any obligation to do so. OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on OASIS' procedures with respect to rights in any document or deliverable produced by an OASIS Technical Committee can be found on the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this OASIS Committee Specification or OASIS Standard, can be obtained from the OASIS TC Administrator. OASIS makes no representation that any information or list of intellectual property rights will at any time be complete, or that any claims in such list are, in fact, Essential Claims. The name "OASIS" is a trademark of OASIS, the owner and developer of this specification, and should be used only to refer to the organization and its official outputs. OASIS welcomes reference to, and implementation and use of, specifications, while reserving the right to enforce its marks against misleading uses. Please see for above guidance. Standards Track Work Product Copyright OASIS Open All Rights Reserved. Page 3 of 48

4 Table of Contents 1 Introduction Terminology Normative References Storage Array with Self-Encrypting Drives Profile Authentication Suite Storage Array with Self-Encrypting Drives - Client Storage Array with Self-Encrypting Drives - Server Storage Array with Self-Encrypting Drives Test Cases Mandatory Test Cases KMIP v SASED-M Configuration SASED-M Register the authentication key SASED-M Retrieve Authentication Key Mandatory Test Cases KMIP v SASED-M Configuration SASED-M Register the authentication key SASED-M Retrieve Authentication Key Mandatory Test Cases KMIP v SASED-M Configuration SASED-M Register the authentication key SASED-M Retrieve Authentication Key Conformance Storage Array with Self Encrypting Drive Client KMIP v1.0 Profile Conformance Storage Array with Self Encrypting Drive Client KMIP v1.1 Profile Conformance Storage Array with Self Encrypting Drive Client KMIP v1.2 Profile Conformance Storage Array with Self Encrypting Drive Server KMIP v1.0 Profile Conformance Storage Array with Self Encrypting Drive Server KMIP v1.1 Profile Conformance Storage Array with Self Encrypting Drive Server KMIP v1.2 Profile Conformance Permitted Test Case Variations Variable Items Variable behavior Appendix A. Acknowledgments Appendix B. KMIP Specification Cross Reference Appendix C. Revision History Standards Track Work Product Copyright OASIS Open All Rights Reserved. Page 4 of 48

5 Introduction For normative definition of the elements of KMIP see the KMIP Specification [KMIP-SPEC] and the KMIP Profiles [KMIP-PROF]. This profile defines the necessary KMIP functionality that a Storage Array with Self-Encrypting Drives operating as a KMIP client SHALL use and a KMIP server conforming to this profile SHALL support in order to interoperate in conformance with this profile. 1.1 Terminology The key words MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL in this document are to be interpreted as described in [RFC2119]. Authentication Key A secret used by self-encrypting drives to verify authenticity of the client before allowing the drive to perform sensitive operations Normative References [RFC2119] Bradner, S., Key words for use in RFCs to Indicate Requirement Levels, BCP 14, RFC 2119, March [KMIP-ENCODE] KMIP Additional Message Encodings Version 1.0. URL Candidate OASIS Standard 01. DD MMM YYYY. [KMIP-SPEC] One or more of [KMIP-SPEC-1_0], [KMIP-SPEC-1_1], [KMIP-SPEC-1_2] [KMIP-SPEC-1_0] Key Management Interoperability Protocol Specification Version OASIS Standard, October [KMIP-SPEC-1_1] Key Management Interoperability Protocol Specification Version OASIS Standard. 24 January [KMIP-SPEC-1_2] Key Management Interoperability Protocol Specification Version 1.2. URL Candidate OASIS Standard 01. DD MMM YYYY. [KMIP-PROF] One or more of [KMIP-PROF-1_0], [KMIP-PROF-1_1], [KMIP-PROF-1_2] [KMIP-PROF-1_0] Key Management Interoperability Protocol Profiles Version OASIS Standard. 1 October [KMIP-PROF-1_1] Key Management Interoperability Protocol Profiles Version OASIS Standard January [KMIP-PROF-1_2] Key Management Interoperability Protocol Profiles Version 1.2. URL Candidate OASIS Standard 01. DD MMM YYYY. Standards Track Work Product Copyright OASIS Open All Rights Reserved. Page 5 of 48

6 Storage Array with Self-Encrypting Drives Profile The Storage Array with Self-Encrypting Drives Profile is a storage array containing self-encrypting drives operating as a KMIP client interacting with a KMIP server. 2.1 Authentication Suite Implementations conformant to this profile SHALL support at least one of the Authentication Suites defined within [KMIP-PROF]. The establishment of the trust relationship between the KMIP client and the KMIP server is the same as the defined base profiles for the version of the profile supported. 2.2 Storage Array with Self-Encrypting Drives - Client KMIP clients conformant to this profile under [KMIP-SPEC-1_0]: 1. SHALL conform to the [KMIP-SPEC-1_0] KMIP clients conformant to this profile under [KMIP-SPEC-1_1]: 2. SHALL conform to the Baseline Client Clause (section 5.12) of [KMIP-PROF-1_1] KMIP clients conformant to this profile under [KMIP-SPEC-1_2]: 3. SHALL conform to the Baseline Client (section 5.2) of [KMIP-PROF-1_2] KMIP clients conformant to this profile: 4. SHOULD NOT use a Custom Attribute [KMIP-SPEC] that duplicates information that is already in standard Attributes [KMIP-SPEC] 2.3 Storage Array with Self-Encrypting Drives - Server KMIP servers conformant to this profile under [KMIP-SPEC-1_0]: 1. SHALL conform to the Conformance clauses for a KMIP Server (section 12.1) of [KMIP-SPEC- 1_0] KMIP servers conformant to this profile under [KMIP-SPEC-1_1]: 2. SHALL conform to the Baseline Server Clause (section 5.2) of [KMIP-PROF-1_1] KMIP servers conformant to this profile under [KMIP-SPEC-1_2]: 3. SHALL conform to the Baseline Server (section 5.1) of [KMIP-PROF-1_2] KMIP servers conformant to this profile SHALL: 4. SHALL support the following Objects [KMIP-SPEC] a. Template [KMIP-SPEC] b. Secret Data [KMIP-SPEC] 5. SHALL support the following Attributes [KMIP-SPEC] c. Custom Attribute [KMIP SPEC] 6. SHALL support the following client-to-server operations: d. Register [KMIP-SPEC] 7. SHALL support the following Message Encoding [KMIP-SPEC]:: e. Secret Data Type Enumeration [KMIP-SPEC] value: i. Password f. Object Type Enumeration [KMIP-SPEC] values: i. Secret Data Standards Track Work Product Copyright OASIS Open All Rights Reserved. Page 6 of 48

7 ii. Template g. Name Type Enumeration [KMIP-SPEC] value: i. Uninterpreted Text String 8. SHALL support Custom Attribute [KMIP-SPEC] with the following data types and properties: h. TextString 9. SHALL support a minimum length of 64 characters for Custom Attribute [KMIP-SPEC] and Name [KMIP-SPEC] values where the attribute type is of variable length. 10. SHALL support a minimum of 10 Custom Attribute [KMIP-SPEC] per managed object 11. SHALL support a minimum of 64 characters in Custom Attribute [KMIP-SPEC] names 12. MAY support any clause within [KMIP-SPEC] provided it does not conflict with any other clause within this section MAY support extensions outside the scope of this standard (e.g., vendor extensions, conformance clauses) that do not contradict any KMIP requirements. Standards Track Work Product Copyright OASIS Open All Rights Reserved. Page 7 of 48

8 Storage Array with Self-Encrypting Drives Test Cases The test cases define a number of request-response pairs for KMIP operations. Each test case is provided in the XML format specified in [KMIP-ENCODE] intended to be both human-readable and usable by automated tools. The time sequence (starting from 0) for each request-response pair is noted and line numbers are provided for ease of cross-reference for a given test sequence. Each test case has a unique label (the section name) which includes indication of mandatory (-M-) or optional (-O-) status and the protocol version major and minor numbers as part of the identifier. The test cases may depend on a specific configuration of a KMIP client and server being configured in a manner consistent with the test case assumptions. Where possible the flow of unique identifiers between tests, the date-time values, and other dynamic items are indicated using symbolic identifiers in actual request and response messages these dynamic values will be filled in with valid values. Note: the values for the returned items and the custom attributes are illustrative. Actual values from a real client system may vary as specified in section Mandatory Test Cases KMIP v SASED-M Configuration Determine server configuration details including operations supported (only the mandatory operations are listed in the response example), objects supported (only the mandatory objects types are listed in the response example), and optional server information # TIME 0 <ProtocolVersionMinor type="integer" value="0"/> <Operation type="enumeration" value="query"/> <QueryFunction type="enumeration" value="queryoperations"/> <QueryFunction type="enumeration" value="queryobjects"/> <QueryFunction type="enumeration" value="queryserverinformation"/> <ProtocolVersionMinor type="integer" value="0"/> <TimeStamp type="datetime" value=" t16:53:03+00:00"/> Standards Track Work Product Copyright OASIS Open All Rights Reserved. Page 8 of 48

9 <Operation type="enumeration" value="query"/> <Operation type="enumeration" value="query"/> <Operation type="enumeration" value="locate"/> <Operation type="enumeration" value="destroy"/> <Operation type="enumeration" value="get"/> <Operation type="enumeration" value="register"/> <Operation type="enumeration" value="getattributes"/> <Operation type="enumeration" value="getattributelist"/> <Operation type="enumeration" value="addattribute"/> <ObjectType type="enumeration" value="secretdata"/> <ObjectType type="enumeration" value="template"/> <VendorIdentification type="textstring" value="servervendor.com"/> <ServerInformation> </ServerInformation> SASED-M Register the authentication key A template is created and the secret data for the authentication key is then registered. The server must allow the registration of managed objects for Object Groups either by allowed arbitrary values for Object Groups or by pre-configuration of specific Object Groups prior to the storage array registering the authentication key. The authentication key may be a new authentication key or a replacement authentication key # TIME 0 <ProtocolVersionMinor type="integer" value="0"/> <Operation type="enumeration" value="locate"/> <AttributeName type="textstring" value="name"/> <AttributeValue> <NameValue type="textstring" value="sased-m template1"/> <NameType type="enumeration" value="uninterpretedtextstring"/> </AttributeValue> <AttributeName type="textstring" value="object Type"/> <AttributeValue type="enumeration" value="template"/> Standards Track Work Product Copyright OASIS Open All Rights Reserved. Page 9 of 48

10 <ProtocolVersionMinor type="integer" value="0"/> <TimeStamp type="datetime" value=" t16:53:08+00:00"/> <Operation type="enumeration" value="locate"/> # TIME 1 <ProtocolVersionMinor type="integer" value="0"/> <Operation type="enumeration" value="register"/> <ObjectType type="enumeration" value="template"/> <TemplateAttribute> </TemplateAttribute> <Template> <AttributeName type="textstring" value="object Group"/> <AttributeValue type="textstring" value="sased-m group"/> <AttributeName type="textstring" value="x- CustomAttribute1"/> <AttributeValue type="textstring" value="customvalue1"/> <AttributeName type="textstring" value="x- CustomAttribute2"/> <AttributeValue type="textstring" value="customvalue2"/> <AttributeName type="textstring" value="name"/> <AttributeValue> <NameValue type="textstring" value="sased-m template1"/> <NameType type="enumeration" value="uninterpretedtextstring"/> </AttributeValue> Standards Track Work Product Copyright OASIS Open All Rights Reserved. Page 10 of 48

11 </Template> <ProtocolVersionMinor type="integer" value="0"/> <TimeStamp type="datetime" value=" t16:53:08+00:00"/> <Operation type="enumeration" value="register"/> # TIME 2 <ProtocolVersionMinor type="integer" value="0"/> <Operation type="enumeration" value="register"/> <ObjectType type="enumeration" value="secretdata"/> <TemplateAttribute> <Name> <NameValue type="textstring" value="sased-m template1"/> <NameType type="enumeration" value="uninterpretedtextstring"/> </Name> <AttributeName type="textstring" value="x- CustomAttribute3"/> <AttributeValue type="textstring" value="customvalue3"/> <AttributeName type="textstring" value="x- CustomAttribute4"/> <AttributeValue type="textstring" value="customvalue4"/> <AttributeName type="textstring" value="name"/> <AttributeValue> <NameValue type="textstring" value="sased-m-2-10-name"/> <NameType type="enumeration" value="uninterpretedtextstring"/> Standards Track Work Product Copyright OASIS Open All Rights Reserved. Page 11 of 48

12 </AttributeValue> </TemplateAttribute> <SecretData> <SecretDataType type="enumeration" value="password"/> <KeyBlock> <KeyFormatType type="enumeration" value="opaque"/> <KeyValue> <KeyMaterial type="bytestring" value="2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2 a2a"/> </KeyValue> </KeyBlock> </SecretData> <ProtocolVersionMinor type="integer" value="0"/> <TimeStamp type="datetime" value=" t16:53:08+00:00"/> <Operation type="enumeration" value="register"/> value="$unique_identifier_1"/> SASED-M Retrieve Authentication Key Locate and retrieve the previously registered authentication key and finally destroy both the authentication key and the template # TIME 0 <ProtocolVersionMinor type="integer" value="0"/> <Operation type="enumeration" value="locate"/> <AttributeName type="textstring" value="object Group"/> <AttributeValue type="textstring" value="sased-m group"/> Standards Track Work Product Copyright OASIS Open All Rights Reserved. Page 12 of 48

13 <AttributeName type="textstring" value="object Type"/> <AttributeValue type="enumeration" value="secretdata"/> <ProtocolVersionMinor type="integer" value="0"/> <TimeStamp type="datetime" value=" t16:53:13+00:00"/> <Operation type="enumeration" value="locate"/> # TIME 1 <ProtocolVersionMinor type="integer" value="0"/> <Operation type="enumeration" value="getattributes"/> <AttributeName type="textstring" value="x-customattribute4"/> <ProtocolVersionMinor type="integer" value="0"/> <TimeStamp type="datetime" value=" t16:53:14+00:00"/> <Operation type="enumeration" value="getattributes"/> Standards Track Work Product Copyright OASIS Open All Rights Reserved. Page 13 of 48

14 <AttributeName type="textstring" value="x- CustomAttribute4"/> <AttributeValue type="textstring" value="customvalue4"/> # TIME 2 <ProtocolVersionMinor type="integer" value="0"/> <Operation type="enumeration" value="getattributes"/> <AttributeName type="textstring" value="x-customattribute3"/> <ProtocolVersionMinor type="integer" value="0"/> <TimeStamp type="datetime" value=" t16:53:14+00:00"/> <Operation type="enumeration" value="getattributes"/> <AttributeName type="textstring" value="x- CustomAttribute3"/> <AttributeValue type="textstring" value="customvalue3"/> # TIME 3 <ProtocolVersionMinor type="integer" value="0"/> Standards Track Work Product Copyright OASIS Open All Rights Reserved. Page 14 of 48

15 <Operation type="enumeration" value="get"/> <ProtocolVersionMinor type="integer" value="0"/> <TimeStamp type="datetime" value=" t17:01:41+00:00"/> <Operation type="enumeration" value="get"/> <ObjectType type="enumeration" value="secretdata"/> <SecretData> <SecretDataType type="enumeration" value="password"/> <KeyBlock> <KeyFormatType type="enumeration" value="opaque"/> <KeyValue> <KeyMaterial type="bytestring" value="2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2 a2a"/> </KeyValue> </KeyBlock> </SecretData> # TIME 4 <ProtocolVersionMinor type="integer" value="0"/> <Operation type="enumeration" value="destroy"/> Standards Track Work Product Copyright OASIS Open All Rights Reserved. Page 15 of 48

16 <ProtocolVersionMinor type="integer" value="0"/> <TimeStamp type="datetime" value=" t17:01:41+00:00"/> <Operation type="enumeration" value="destroy"/> # TIME 5 <ProtocolVersionMinor type="integer" value="0"/> <Operation type="enumeration" value="locate"/> <AttributeName type="textstring" value="name"/> <AttributeValue> <NameValue type="textstring" value="sased-m template1"/> <NameType type="enumeration" value="uninterpretedtextstring"/> </AttributeValue> <AttributeName type="textstring" value="object Type"/> <AttributeValue type="enumeration" value="template"/> <ProtocolVersionMinor type="integer" value="0"/> <TimeStamp type="datetime" value=" t16:53:08+00:00"/> <Operation type="enumeration" value="locate"/> Standards Track Work Product Copyright OASIS Open All Rights Reserved. Page 16 of 48

17 value="$unique_identifier_1"/> # TIME 6 <ProtocolVersionMinor type="integer" value="0"/> <Operation type="enumeration" value="destroy"/> value="$unique_identifier_1"/> <ProtocolVersionMinor type="integer" value="0"/> <TimeStamp type="datetime" value=" t17:01:41+00:00"/> <Operation type="enumeration" value="destroy"/> value="$unique_identifier_1"/> Mandatory Test Cases KMIP v SASED-M Configuration Determine server configuration details including operations supported (only the mandatory operations are listed in the response example), objects supported (only the mandatory objects types are listed in the response example), and optional server information # TIME 0 <ProtocolVersionMinor type="integer" value="1"/> Standards Track Work Product Copyright OASIS Open All Rights Reserved. Page 17 of 48

18 <Operation type="enumeration" value="query"/> <QueryFunction type="enumeration" value="queryoperations"/> <QueryFunction type="enumeration" value="queryobjects"/> <QueryFunction type="enumeration" value="queryserverinformation"/> <ProtocolVersionMinor type="integer" value="1"/> <TimeStamp type="datetime" value=" t16:53:03+00:00"/> <Operation type="enumeration" value="query"/> <Operation type="enumeration" value="query"/> <Operation type="enumeration" value="locate"/> <Operation type="enumeration" value="destroy"/> <Operation type="enumeration" value="get"/> <Operation type="enumeration" value="register"/> <Operation type="enumeration" value="getattributes"/> <Operation type="enumeration" value="getattributelist"/> <Operation type="enumeration" value="addattribute"/> <ObjectType type="enumeration" value="secretdata"/> <ObjectType type="enumeration" value="template"/> <VendorIdentification type="textstring" value="servervendor.com"/> <ServerInformation> </ServerInformation> SASED-M Register the authentication key A template is created and the secret data for the authentication key is then registered. The server must allow the registration of managed objects for Object Groups either by allowed arbitrary values for Object Groups or by pre-configuration of specific Object Groups prior to the storage array registering the authentication key. The authentication key may be a new authentication key or a replacement authentication key # TIME 0 <ProtocolVersionMinor type="integer" value="1"/> Standards Track Work Product Copyright OASIS Open All Rights Reserved. Page 18 of 48

19 <Operation type="enumeration" value="locate"/> <AttributeName type="textstring" value="name"/> <AttributeValue> <NameValue type="textstring" value="sased-m template1"/> <NameType type="enumeration" value="uninterpretedtextstring"/> </AttributeValue> <AttributeName type="textstring" value="object Type"/> <AttributeValue type="enumeration" value="template"/> <ProtocolVersionMinor type="integer" value="1"/> <TimeStamp type="datetime" value=" t16:53:08+00:00"/> <Operation type="enumeration" value="locate"/> # TIME 1 <ProtocolVersionMinor type="integer" value="1"/> <Operation type="enumeration" value="register"/> <ObjectType type="enumeration" value="template"/> <TemplateAttribute> </TemplateAttribute> <Template> <AttributeName type="textstring" value="object Group"/> <AttributeValue type="textstring" value="sased-m group"/> Standards Track Work Product Copyright OASIS Open All Rights Reserved. Page 19 of 48

20 <AttributeName type="textstring" value="x- CustomAttribute1"/> <AttributeValue type="textstring" value="customvalue1"/> <AttributeName type="textstring" value="x- CustomAttribute2"/> <AttributeValue type="textstring" value="customvalue2"/> <AttributeName type="textstring" value="name"/> <AttributeValue> <NameValue type="textstring" value="sased-m template1"/> <NameType type="enumeration" value="uninterpretedtextstring"/> </AttributeValue> </Template> <ProtocolVersionMinor type="integer" value="1"/> <TimeStamp type="datetime" value=" t16:53:08+00:00"/> <Operation type="enumeration" value="register"/> # TIME 2 <ProtocolVersionMinor type="integer" value="1"/> <Operation type="enumeration" value="register"/> <ObjectType type="enumeration" value="secretdata"/> <TemplateAttribute> <Name> <NameValue type="textstring" value="sased-m Standards Track Work Product Copyright OASIS Open All Rights Reserved. Page 20 of 48

21 template1"/> <NameType type="enumeration" value="uninterpretedtextstring"/> </Name> <AttributeName type="textstring" value="x- CustomAttribute3"/> <AttributeValue type="textstring" value="customvalue3"/> <AttributeName type="textstring" value="x- CustomAttribute4"/> <AttributeValue type="textstring" value="customvalue4"/> <AttributeName type="textstring" value="name"/> <AttributeValue> <NameValue type="textstring" value="sased-m-2-11-name"/> <NameType type="enumeration" value="uninterpretedtextstring"/> </AttributeValue> </TemplateAttribute> <SecretData> <SecretDataType type="enumeration" value="password"/> <KeyBlock> <KeyFormatType type="enumeration" value="opaque"/> <KeyValue> <KeyMaterial type="bytestring" value="2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2 a2a"/> </KeyValue> </KeyBlock> </SecretData> <ProtocolVersionMinor type="integer" value="1"/> <TimeStamp type="datetime" value=" t16:53:08+00:00"/> <Operation type="enumeration" value="register"/> value="$unique_identifier_1"/> Standards Track Work Product Copyright OASIS Open All Rights Reserved. Page 21 of 48

22 SASED-M Retrieve Authentication Key Locate and retrieve the previously registered authentication key and finally destroy both the authentication key and the template # TIME 0 <ProtocolVersionMinor type="integer" value="1"/> <Operation type="enumeration" value="locate"/> <AttributeName type="textstring" value="object Group"/> <AttributeValue type="textstring" value="sased-m group"/> <AttributeName type="textstring" value="object Type"/> <AttributeValue type="enumeration" value="secretdata"/> <ProtocolVersionMinor type="integer" value="1"/> <TimeStamp type="datetime" value=" t16:53:13+00:00"/> <Operation type="enumeration" value="locate"/> # TIME 1 <ProtocolVersionMinor type="integer" value="1"/> <Operation type="enumeration" value="getattributes"/> Standards Track Work Product Copyright OASIS Open All Rights Reserved. Page 22 of 48

23 <AttributeName type="textstring" value="x-customattribute4"/> <ProtocolVersionMinor type="integer" value="1"/> <TimeStamp type="datetime" value=" t16:53:14+00:00"/> <Operation type="enumeration" value="getattributes"/> <AttributeName type="textstring" value="x- CustomAttribute4"/> <AttributeValue type="textstring" value="customvalue4"/> # TIME 2 <ProtocolVersionMinor type="integer" value="1"/> <Operation type="enumeration" value="getattributes"/> <AttributeName type="textstring" value="x-customattribute3"/> <ProtocolVersionMinor type="integer" value="1"/> <TimeStamp type="datetime" value=" t16:53:14+00:00"/> Standards Track Work Product Copyright OASIS Open All Rights Reserved. Page 23 of 48

24 <Operation type="enumeration" value="getattributes"/> <AttributeName type="textstring" value="x- CustomAttribute3"/> <AttributeValue type="textstring" value="customvalue3"/> # TIME 3 <ProtocolVersionMinor type="integer" value="1"/> <Operation type="enumeration" value="get"/> <ProtocolVersionMinor type="integer" value="1"/> <TimeStamp type="datetime" value=" t17:01:41+00:00"/> <Operation type="enumeration" value="get"/> <ObjectType type="enumeration" value="secretdata"/> <SecretData> <SecretDataType type="enumeration" value="password"/> <KeyBlock> <KeyFormatType type="enumeration" value="opaque"/> <KeyValue> <KeyMaterial type="bytestring" value="2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2 a2a"/> </KeyValue> </KeyBlock> </SecretData> Standards Track Work Product Copyright OASIS Open All Rights Reserved. Page 24 of 48

25 # TIME 4 <ProtocolVersionMinor type="integer" value="1"/> <Operation type="enumeration" value="destroy"/> <ProtocolVersionMinor type="integer" value="1"/> <TimeStamp type="datetime" value=" t17:01:41+00:00"/> <Operation type="enumeration" value="destroy"/> # TIME 5 <ProtocolVersionMinor type="integer" value="1"/> <Operation type="enumeration" value="locate"/> <AttributeName type="textstring" value="name"/> <AttributeValue> <NameValue type="textstring" value="sased-m template1"/> <NameType type="enumeration" value="uninterpretedtextstring"/> </AttributeValue> Standards Track Work Product Copyright OASIS Open All Rights Reserved. Page 25 of 48

26 <AttributeName type="textstring" value="object Type"/> <AttributeValue type="enumeration" value="template"/> <ProtocolVersionMinor type="integer" value="1"/> <TimeStamp type="datetime" value=" t16:53:08+00:00"/> <Operation type="enumeration" value="locate"/> value="$unique_identifier_1"/> # TIME 6 <ProtocolVersionMinor type="integer" value="1"/> <Operation type="enumeration" value="destroy"/> value="$unique_identifier_1"/> <ProtocolVersionMinor type="integer" value="1"/> <TimeStamp type="datetime" value=" t17:01:41+00:00"/> <Operation type="enumeration" value="destroy"/> value="$unique_identifier_1"/> Standards Track Work Product Copyright OASIS Open All Rights Reserved. Page 26 of 48

27 Mandatory Test Cases KMIP v SASED-M Configuration Determine server configuration details including operations supported (only the mandatory operations are listed in the response example), objects supported (only the mandatory objects types are listed in the response example), and optional server information # TIME 0 <ProtocolVersionMinor type="integer" value="2"/> <Operation type="enumeration" value="query"/> <QueryFunction type="enumeration" value="queryoperations"/> <QueryFunction type="enumeration" value="queryobjects"/> <QueryFunction type="enumeration" value="queryserverinformation"/> <ProtocolVersionMinor type="integer" value="2"/> <TimeStamp type="datetime" value=" t16:53:03+00:00"/> <Operation type="enumeration" value="query"/> <Operation type="enumeration" value="query"/> <Operation type="enumeration" value="locate"/> <Operation type="enumeration" value="destroy"/> <Operation type="enumeration" value="get"/> <Operation type="enumeration" value="register"/> <Operation type="enumeration" value="getattributes"/> <Operation type="enumeration" value="getattributelist"/> <Operation type="enumeration" value="addattribute"/> <ObjectType type="enumeration" value="secretdata"/> <ObjectType type="enumeration" value="template"/> <VendorIdentification type="textstring" value="servervendor.com"/> <ServerInformation> </ServerInformation> Standards Track Work Product Copyright OASIS Open All Rights Reserved. Page 27 of 48

28 SASED-M Register the authentication key A template is created and the secret data for the authentication key is then registered. The server must allow the registration of managed objects for Object Groups either by allowed arbitrary values for Object Groups or by pre-configuration of specific Object Groups prior to the storage array registering the authentication key. The authentication key may be a new authentication key or a replacement authentication key # TIME 0 <ProtocolVersionMinor type="integer" value="2"/> <Operation type="enumeration" value="locate"/> <AttributeName type="textstring" value="name"/> <AttributeValue> <NameValue type="textstring" value="sased-m template1"/> <NameType type="enumeration" value="uninterpretedtextstring"/> </AttributeValue> <AttributeName type="textstring" value="object Type"/> <AttributeValue type="enumeration" value="template"/> <ProtocolVersionMinor type="integer" value="2"/> <TimeStamp type="datetime" value=" t16:53:08+00:00"/> <Operation type="enumeration" value="locate"/> # TIME 1 Standards Track Work Product Copyright OASIS Open All Rights Reserved. Page 28 of 48

29 <ProtocolVersionMinor type="integer" value="2"/> <Operation type="enumeration" value="register"/> <ObjectType type="enumeration" value="template"/> <TemplateAttribute> <AttributeName type="textstring" value="name"/> <AttributeValue> <NameValue type="textstring" value="sased-m template1"/> <NameType type="enumeration" value="uninterpretedtextstring"/> </AttributeValue> </TemplateAttribute> <Template> <AttributeName type="textstring" value="object Group"/> <AttributeValue type="textstring" value="sased-m group"/> <AttributeName type="textstring" value="x- CustomAttribute1"/> <AttributeValue type="textstring" value="customvalue1"/> <AttributeName type="textstring" value="x- CustomAttribute2"/> <AttributeValue type="textstring" value="customvalue2"/> </Template> <ProtocolVersionMinor type="integer" value="2"/> <TimeStamp type="datetime" value=" t16:53:08+00:00"/> <Operation type="enumeration" value="register"/> Standards Track Work Product Copyright OASIS Open All Rights Reserved. Page 29 of 48

30 # TIME 2 <ProtocolVersionMinor type="integer" value="2"/> <Operation type="enumeration" value="register"/> <ObjectType type="enumeration" value="secretdata"/> <TemplateAttribute> <Name> <NameValue type="textstring" value="sased-m template1"/> <NameType type="enumeration" value="uninterpretedtextstring"/> </Name> <AttributeName type="textstring" value="x- CustomAttribute3"/> <AttributeValue type="textstring" value="customvalue3"/> <AttributeName type="textstring" value="x- CustomAttribute4"/> <AttributeValue type="textstring" value="customvalue4"/> <AttributeName type="textstring" value="name"/> <AttributeValue> <NameValue type="textstring" value="sased-m-2-12-name"/> <NameType type="enumeration" value="uninterpretedtextstring"/> </AttributeValue> </TemplateAttribute> <SecretData> <SecretDataType type="enumeration" value="password"/> <KeyBlock> <KeyFormatType type="enumeration" value="opaque"/> <KeyValue> <KeyMaterial type="bytestring" value="2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2 a2a"/> </KeyValue> </KeyBlock> </SecretData> Standards Track Work Product Copyright OASIS Open All Rights Reserved. Page 30 of 48

31 <ProtocolVersionMinor type="integer" value="2"/> <TimeStamp type="datetime" value=" t16:53:08+00:00"/> <Operation type="enumeration" value="register"/> value="$unique_identifier_1"/> SASED-M Retrieve Authentication Key Locate and retrieve the previously registered authentication key and finally destroy both the authentication key and the template # TIME 0 <ProtocolVersionMinor type="integer" value="2"/> <Operation type="enumeration" value="locate"/> <AttributeName type="textstring" value="object Group"/> <AttributeValue type="textstring" value="sased-m group"/> <AttributeName type="textstring" value="object Type"/> <AttributeValue type="enumeration" value="secretdata"/> <ProtocolVersionMinor type="integer" value="2"/> <TimeStamp type="datetime" value=" t16:53:13+00:00"/> <Operation type="enumeration" value="locate"/> Standards Track Work Product Copyright OASIS Open All Rights Reserved. Page 31 of 48

32 # TIME 1 <ProtocolVersionMinor type="integer" value="2"/> <Operation type="enumeration" value="getattributes"/> <AttributeName type="textstring" value="x-customattribute4"/> <ProtocolVersionMinor type="integer" value="2"/> <TimeStamp type="datetime" value=" t16:53:14+00:00"/> <Operation type="enumeration" value="getattributes"/> <AttributeName type="textstring" value="x- CustomAttribute4"/> <AttributeValue type="textstring" value="customvalue4"/> # TIME 2 <ProtocolVersionMinor type="integer" value="2"/> Standards Track Work Product Copyright OASIS Open All Rights Reserved. Page 32 of 48

33 <Operation type="enumeration" value="getattributes"/> <AttributeName type="textstring" value="x-customattribute3"/> <ProtocolVersionMinor type="integer" value="2"/> <TimeStamp type="datetime" value=" t16:53:14+00:00"/> <Operation type="enumeration" value="getattributes"/> <AttributeName type="textstring" value="x- CustomAttribute3"/> <AttributeValue type="textstring" value="customvalue3"/> # TIME 3 <ProtocolVersionMinor type="integer" value="2"/> <Operation type="enumeration" value="get"/> <ProtocolVersionMinor type="integer" value="2"/> <TimeStamp type="datetime" value=" t17:01:41+00:00"/> Standards Track Work Product Copyright OASIS Open All Rights Reserved. Page 33 of 48

34 <Operation type="enumeration" value="get"/> <ObjectType type="enumeration" value="secretdata"/> <SecretData> <SecretDataType type="enumeration" value="password"/> <KeyBlock> <KeyFormatType type="enumeration" value="opaque"/> <KeyValue> <KeyMaterial type="bytestring" value="2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2 a2a"/> </KeyValue> </KeyBlock> </SecretData> # TIME 4 <ProtocolVersionMinor type="integer" value="2"/> <Operation type="enumeration" value="destroy"/> <ProtocolVersionMinor type="integer" value="2"/> <TimeStamp type="datetime" value=" t17:01:41+00:00"/> <Operation type="enumeration" value="destroy"/> # TIME 5 Standards Track Work Product Copyright OASIS Open All Rights Reserved. Page 34 of 48

35 <ProtocolVersionMinor type="integer" value="2"/> <Operation type="enumeration" value="locate"/> <AttributeName type="textstring" value="name"/> <AttributeValue> <NameValue type="textstring" value="sased-m template1"/> <NameType type="enumeration" value="uninterpretedtextstring"/> </AttributeValue> <AttributeName type="textstring" value="object Type"/> <AttributeValue type="enumeration" value="template"/> <ProtocolVersionMinor type="integer" value="2"/> <TimeStamp type="datetime" value=" t16:53:08+00:00"/> <Operation type="enumeration" value="locate"/> value="$unique_identifier_1"/> # TIME 6 <ProtocolVersionMinor type="integer" value="2"/> <Operation type="enumeration" value="destroy"/> value="$unique_identifier_1"/> Standards Track Work Product Copyright OASIS Open All Rights Reserved. Page 35 of 48