Abstract: An application that consumes key management information (e.g., keys and certificates) through a conventional keystore API is configured to recognize a new keystore type. In addition, the services of that API are pointed to a management server component associated with a key management protocol (e.g., KMIP), and a client component of the key management protocol is instantiated as a “semi-remote” keystore in association with the application. Once configured to use the new keystore type, the consuming application uses the keystore API in a conventional manner, but calls to the new keystore type are directed to the KMIP client. The client intercepts these calls and then interacts with the KMIP server on behalf of the consuming application, and without the application being aware of the interaction over the KMIP client-server API. This approach enables the consuming application to take advantage of the full benefits provided by the key management protocol transparently.

Abstract: An application that consumes key management information (e.g., keys and certificates) through a conventional keystore API is configured to recognize a new keystore type. In addition, the services of that API are pointed to a management server component associated with a key management protocol (e.g., KMIP), and a client component of the key management protocol is instantiated as a “semi-remote” keystore in association with the application. Once configured to use the new keystore type, the consuming application uses the keystore API in a conventional manner, but calls to the new keystore type are directed to the KMIP client. The client intercepts these calls and then interacts with the KMIP server on behalf of the consuming application, and without the application being aware of the interaction over the KMIP client-server API. This approach enables the consuming application to take advantage of the full benefits provided by the key management protocol transparently.

Abstract: A key management protocol (such as KMIP) is extended to provide an extended credential type to pass information from clients to the server to enable the server to deduce pre-provisioned cryptographic materials for the individual clients. Preferably, KMIP client code communicates device information to a key management server in a value in the headers of KMIP requests that flow to the server. In this manner, KMIP requests are associated with pre-provisioned cryptographic materials for particular devices or device groups.

Abstract: A key management protocol (such as KMIP) is extended to provide an extended credential type to pass information from clients to the server to enable the server to deduce pre-provisioned cryptographic materials for the individual clients. Preferably, KMIP client code communicates device information to a key management server in a value in the headers of KMIP requests that flow to the server. In this manner, KMIP requests are associated with pre-provisioned cryptographic materials for particular devices or device groups.

Abstract: A key management protocol (such as Key Management Interoperability Protocol (KMIP)) is extended via set of one or more custom attributes to provide a mechanism by which clients pass additional metadata to facilitate enhanced key provisioning operations by a key management server. The protocol comprises objects, operations, and attributes. Objects are the cryptographic material (e.g., symmetric keys, asymmetric keys, digital certificates and so on) upon which operations are performed. Operations are the actions taken with respect to the objects, such as getting an object from a key management server, modifying attributes of an object and the like. Attributes are the properties of the object, such as the kind of object it is, the unique identifier for the object, and the like. According to this disclosure, a first custom server attribute has a value that specifies a keygroup name that can be used by the key management server to locate (e.g.