KMIP Tape Library Profile Version 1.0
Candidate OASIS Standard 01
13 January 2015
Specification URIs
This version:
http://docs.oasis-open.org/kmip/kmip-tape-lib-profile/v1.0/cos01/kmip-tape-lib-profile-v1.0-cos01.doc (Authoritative)
http://docs.oasis-open.org/kmip/kmip-tape-lib-profile/v1.0/cos01/kmip-tape-lib-profile-v1.0-cos01.html
http://docs.oasis-open.org/kmip/kmip-tape-lib-profile/v1.0/cos01/kmip-tape-lib-profile-v1.0-cos01.pdf
Previous version:
http://docs.oasis-open.org/kmip/kmip-tape-lib-profile/v1.0/csprd01/kmip-tape-lib-profile-v1.0-csprd01.doc (Authoritative)
http://docs.oasis-open.org/kmip/kmip-tape-lib-profile/v1.0/csprd01/kmip-tape-lib-profile-v1.0-csprd01.html
http://docs.oasis-open.org/kmip/kmip-tape-lib-profile/v1.0/csprd01/kmip-tape-lib-profile-v1.0-csprd01.pdf
Latest version:
http://docs.oasis-open.org/kmip/kmip-tape-lib-profile/v1.0/kmip-tape-lib-profile-v1.0.doc (Authoritative)
http://docs.oasis-open.org/kmip/kmip-tape-lib-profile/v1.0/kmip-tape-lib-profile-v1.0.html
http://docs.oasis-open.org/kmip/kmip-tape-lib-profile/v1.0/kmip-tape-lib-profile-v1.0.pdf
Technical Committee:
OASIS Key Management Interoperability Protocol (KMIP) TC (https://www.oasis-open.org/committees/kmip/)
Chairs:
Saikat Saha (saikat.saha@oracle.com), Oracle (http://www.oracle.com)
Tony Cox (tjc@cryptsoft.com), Cryptsoft (http://www.cryptsoft.com/)
Editors:
Tim Hudson (tjh@cryptsoft.com), Cryptsoft (http://www.cryptsoft.com/)
Stan Feather (stan.feather@hp.com), Hewlett-Packard (http://www.hp.com/)
Rod Wideman (rod.wideman@quantum.com), Quantum (http://www.quantum.com/)
Related work:
This specification is related to:
Key Management Interoperability Protocol Profiles Version 1.0. Edited by Robert Griffin and Subhash Sankuratripati. Latest version: http://docs.oasis-open.org/kmip/profiles/v1.0/kmip-profiles-1.0.html.
Key Management Interoperability Protocol Profiles Version 1.1. Edited by Robert Griffin and Subhash Sankuratripati. Latest version: http://docs.oasis-open.org/kmip/profiles/v1.1/kmip-profiles-v1.1.html.
Key Management Interoperability Protocol Profiles Version 1.2. Edited by Tim Hudson and Robert Lockhart. Latest version: http://docs.oasis-open.org/kmip/profiles/v1.2/kmip-profiles-v1.2.html.
Key Management Interoperability Protocol Specification Version 1.1. Edited by Robert Haas and Indra Fitzgerald. Latest version: http://docs.oasis-open.org/kmip/spec/v1.1/kmip-spec-v1.1.html.
Key Management Interoperability Protocol Specification Version 1.2. Edited by Kiran Thota and Kelley Burgin. Latest version: http://docs.oasis-open.org/kmip/spec/v1.2/kmip-spec-v1.2.html.
Key Management Interoperability Protocol Test Cases Version 1.2. Edited by Tim Hudson and Faisal Faruqui. Latest version: http://docs.oasis-open.org/kmip/testcases/v1.2/kmip-testcases-v1.2.html.
Key Management Interoperability Protocol Usage Guide Version 1.2. Edited by Indra Fitzgerald and Judith Furlong. Latest version: http://docs.oasis-open.org/kmip/ug/v1.2/kmip-ug-v1.2.html.
Abstract:
Describes a profile for Tape Libraries as KMIP clients interacting with KMIP servers.
Status:
This document was last revised or approved by the OASIS Key Management Interoperability Protocol (KMIP) TC on the above date. The level of approval is also listed above. Check the "Latest version" location noted above for possible later revisions of this document. Any other numbered Versions and other technical work produced by the Technical Committee (TC) are listed at https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip#technical.
Technical Committee members should send comments on this specification to the Technical Committee's email list. Others should send comments to the Technical Committee by using the "Send A Comment" button (https://www.oasis-open.org/committees/comments/index.php?wg_abbrev=kmip) on the Technical Committee's web page at https://www.oasis-open.org/committees/kmip/.
For information on whether any patents have been disclosed that may be essential to implementing this specification, and any offers of patent licensing terms, please refer to the Intellectual Property Rights section of the Technical Committee web page (https://www.oasis-open.org/committees/kmip/ipr.php).
Citation format:
When referencing this specification the following citation format should be used:
[kmip-tape-lib-v1.0]
KMIP Tape Library Profile Version 1.0. Edited by Tim Hudson, Stan Feather, and Rod Wideman. 13 January 2015. Candidate OASIS Standard 01. http://docs.oasis-open.org/kmip/kmip-tape-lib-profile/v1.0/cos01/kmip-tape-lib-profile-v1.0-cos01.html. Latest version: http://docs.oasis-open.org/kmip/kmip-tape-lib-profile/v1.0/kmip-tape-lib-profile-v1.0.html.
Notices
Copyright OASIS Open 2015. All Rights Reserved.
All capitalized terms in the following text have the meanings assigned to them in the OASIS Intellectual Property Rights Policy (the "OASIS IPR Policy"). The full Policy (https://www.oasis-open.org/policies-guidelines/ipr) may be found at the OASIS website.
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published, and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this section are included on all such copies and derivative works. However, this document itself may not be modified in any way, including by removing the copyright notice or references to OASIS, except as needed for the purpose of developing any document or deliverable produced by an OASIS Technical Committee (in which case the rules applicable to copyrights, as set forth in the OASIS IPR Policy, must be followed) or as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.
This document and the information contained herein is provided on an "AS IS" basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY OWNERSHIP RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
OASIS requests that any OASIS Party or any other party that believes it has patent claims that would necessarily be infringed by implementations of this OASIS Committee Specification or OASIS Standard, to notify OASIS TC Administrator and provide an indication of its willingness to grant patent licenses to such patent claims in a manner consistent with the IPR Mode of the OASIS Technical Committee that produced this specification.
OASIS invites any party to contact the OASIS TC Administrator if it is aware of a claim of ownership of any patent claims that would necessarily be infringed by implementations of this specification by a patent holder that is not willing to provide a license to such patent claims in a manner consistent with the IPR Mode of the OASIS Technical Committee that produced this specification. OASIS may include such claims on its website, but disclaims any obligation to do so.
OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on OASIS' procedures with respect to rights in any document or deliverable produced by an OASIS Technical Committee can be found on the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this OASIS Committee Specification or OASIS Standard, can be obtained from the OASIS TC Administrator. OASIS makes no representation that any information or list of intellectual property rights will at any time be complete, or that any claims in such list are, in fact, Essential Claims.
The name "OASIS" is a trademark of OASIS (https://www.oasis-open.org/), the owner and developer of this specification, and should be used only to refer to the organization and its official outputs. OASIS welcomes reference to, and implementation and use of, specifications, while reserving the right to enforce its marks against misleading uses. Please see https://www.oasis-open.org/policies-guidelines/trademark for above guidance.
Table of Contents
1 Introduction
  1.1 Terminology
  1.2 Normative References
2 Tape Library Profile
  2.1 Authentication Suite
  2.2 Baseline Tape Library - Client
  2.3 Baseline Tape Library - Server
  2.4 Using Application Specific Information for Key Identifiers
  2.5 Using Alternative Name for tape media barcode
3 Tape Library Profile Test Cases
  3.1 Mandatory Test Cases KMIP v1.0
    3.1.1 TL-M-1-10 - Configuration
    3.1.2 TL-M-2-10 - Write with new (created) key
    3.1.3 TL-M-3-10 - Read an encrypted tape
  3.2 Mandatory Test Cases KMIP v1.1
    3.2.1 TL-M-1-11 - Configuration
    3.2.2 TL-M-2-11 - Write with new (created) key
    3.2.3 TL-M-3-11 - Read an encrypted tape
  3.3 Mandatory Test Cases KMIP v1.2
    3.3.1 TL-M-1-12 - Configuration
    3.3.2 TL-M-2-12 - Write with new (created) key
    3.3.3 TL-M-3-12 - Read an encrypted tape
4 Conformance
  4.1 Tape Library Client KMIP v1.0 Conformance
  4.2 Tape Library Client KMIP v1.1 Conformance
  4.3 Tape Library Client KMIP v1.2 Conformance
  4.4 Tape Library Server KMIP v1.0 Conformance
  4.5 Tape Library Server KMIP v1.1 Conformance
  4.6 Tape Library Server KMIP v1.2 Conformance
  4.7 Permitted Test Case Variations
    4.7.1 Variable Items
    4.7.2 Variable behavior
Appendix A. Acknowledgments
Appendix B. KMIP Specification Cross Reference
Appendix C. Revision History
Introduction
For normative definition of the elements of KMIP see the KMIP Specification [KMIP-SPEC] and the KMIP Profiles [KMIP-PROF].
This profile defines the necessary KMIP functionality that a Tape Library operating as a KMIP client SHALL use and a KMIP server conforming to this profile SHALL support in order to interoperate in conformance with this profile.
Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

Key Associated Data (KAD): Part of the tape format. May be segmented into authenticated and unauthenticated fields. KAD usage is detailed in the SCSI SSC-3 standard from the T10 organization available as ANSI INCITS 335-2000.

Hexadecimal Numeric Characters: Case-sensitive, printable, single byte ASCII characters representing the numbers 0 through 9 and uppercase alpha A through F. (US-ASCII characters 30h-39h and 41h-46h). Each byte (single 8-bit numeric value) is represented as two hexadecimal numeric characters with the high-nibble represented by the first (left-most) hexadecimal numeric character and the low-nibble represented by the second (right-most) hexadecimal numeric character.

N(a): The maximum number of bytes in the tape authenticated KAD field.
- For LTO4, N(a) is 12 bytes.
- For LTO5, N(a) is 60 bytes.
- For LTO6, N(a) is 60 bytes.

N(u): The maximum number of bytes in the tape unauthenticated KAD field.
- For LTO4, N(u) is 32 bytes.
- For LTO5, N(u) is 32 bytes.
- For LTO6, N(u) is 32 bytes.

N(k): The maximum number of bytes in the tape format KAD fields, i.e. N(a) + N(u).
- For LTO4, N(k) is 44 bytes.
- For LTO5, N(k) is 92 bytes.
- For LTO6, N(k) is 92 bytes.
Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. http://www.ietf.org/rfc/rfc2119.txt.
[KMIP-ENCODE] KMIP Additional Message Encodings Version 1.0. Edited by Tim Hudson. Latest version: http://docs.oasis-open.org/kmip/kmip-addtl-msg-enc/v1.0/kmip-addtl-msg-enc-v1.0.doc.
[KMIP-SPEC] One or more of [KMIP-SPEC-1_0], [KMIP-SPEC-1_1], [KMIP-SPEC-1_2]
[KMIP-SPEC-1_0] Key Management Interoperability Protocol Specification Version 1.0. http://docs.oasis-open.org/kmip/spec/v1.0/os/kmip-spec-1.0-os.doc OASIS Standard, October 2010.
[KMIP-SPEC-1_1] Key Management Interoperability Protocol Specification Version 1.1. http://docs.oasis-open.org/kmip/spec/v1.1/os/kmip-spec-v1.1-os.doc OASIS Standard. 24 January 2013.
[KMIP-SPEC-1_2] Key Management Interoperability Protocol Specification Version 1.2. Edited by Kiran Thota and Kelley Burgin. Latest version: http://docs.oasis-open.org/kmip/spec/v1.2/kmip-spec-v1.2.doc.
[KMIP-PROF] One or more of [KMIP-PROF-1_0], [KMIP-PROF-1_1], [KMIP-PROF-1_2]
[KMIP-PROF-1_0] Key Management Interoperability Protocol Profiles Version 1.0. http://docs.oasis-open.org/kmip/profiles/v1.0/os/kmip-profiles-1.0-os.doc OASIS Standard. 1 October 2010.
[KMIP-PROF-1_1] Key Management Interoperability Protocol Profiles Version 1.1. http://docs.oasis-open.org/kmip/profiles/v1.1/os/kmip-profiles-v1.1-os.doc OASIS Standard 01. 24 January 2013.
[KMIP-PROF-1_2] Key Management Interoperability Protocol Profiles Version 1.2. Edited by Tim Hudson and Robert Lockhart. Latest version: http://docs.oasis-open.org/kmip/profiles/v1.2/kmip-profiles-v1.2.doc.
Tape Library Profile
The Tape Library Profile specifies the behavior of a tape library operating as a KMIP client interacting with a KMIP server.
Authentication Suite
Implementations conformant to this profile SHALL support at least one of the Authentication Suites defined within [KMIP-PROF].
Baseline Tape Library - Client
KMIP clients conformant to this profile under [KMIP-SPEC-1_0]:
- SHALL conform to the [KMIP-SPEC-1_0]

KMIP clients conformant to this profile under [KMIP-SPEC-1_1]:
- SHALL conform to the Baseline Client Clause (section 5.12) of [KMIP-PROF-1_1]

KMIP clients conformant to this profile under [KMIP-SPEC-1_2]:
- SHALL conform to the Baseline Client (section 5.2) of [KMIP-PROF-1_2]

KMIP clients conformant to this profile:
- SHOULD support Application Specific Information [KMIP-SPEC] with Application Data provided by the client in accordance with section 2.4
- SHOULD NOT use a Custom Attribute [KMIP-SPEC] that duplicates information that is already in standard Attributes [KMIP-SPEC]
- MAY use x-Barcode as a Custom Attribute [KMIP-SPEC] of type Text String to store the barcode
- MAY support any clause within [KMIP-SPEC] provided it does not conflict with any other clause within this section 2.2
- MAY support extensions outside the scope of this standard (e.g., vendor extensions, conformance clauses) that do not conflict with any KMIP requirements

KMIP clients conformant to this profile under [KMIP-SPEC-1_2]:
- SHALL support the following Attributes [KMIP-SPEC]:
  - Alternative Name [KMIP-SPEC-1_2]
- SHALL support the following Message Encoding [KMIP-SPEC-1_2]:
  - Alternative Name Type Enumeration [KMIP-SPEC-1_2] value:
    - Uninterpreted Text String
- SHALL store the media barcode information in an Alternative Name [KMIP-SPEC-1_2] Attribute [KMIP-SPEC-1_2] in accordance with section 2.5
Baseline Tape Library - Server
KMIP servers conformant to this profile under [KMIP-SPEC-1_0]:
- SHALL conform to the [KMIP-SPEC-1_0]

KMIP servers conformant to this profile under [KMIP-SPEC-1_1]:
- SHALL conform to the Baseline Server of [KMIP-PROF-1_1]

KMIP servers conformant to this profile under [KMIP-SPEC-1_2]:
- SHALL conform to the Baseline Server of [KMIP-PROF-1_2]

KMIP servers conformant to this profile:
- SHALL support the following Objects [KMIP-SPEC]:
  - Symmetric Key [KMIP-SPEC]
- SHALL support the following Attributes [KMIP-SPEC]:
  - Name [KMIP-SPEC]
  - Cryptographic Algorithm [KMIP-SPEC]
  - Custom Attribute [KMIP-SPEC]
  - Application Specific Information [KMIP-SPEC]
- SHALL support the following Client-to-Server Operations [KMIP-SPEC]:
  - Create [KMIP-SPEC]
- SHALL support the following Message Contents [KMIP-SPEC]:
  - Batch Order Option [KMIP-SPEC] value:
    - True
  - Batch Count [KMIP-SPEC] value:
    - 1 to 32
- SHALL support the following Message Encoding [KMIP-SPEC]:
  - Cryptographic Algorithm Enumeration [KMIP-SPEC] value:
    - AES
  - Object Type Enumeration [KMIP-SPEC] value:
    - Symmetric Key
  - Key Format Type Enumeration [KMIP-SPEC] value:
    - Raw
  - Cryptographic Length [KMIP-SPEC] value:
    - 256-bit
  - Name Type Enumeration [KMIP-SPEC] value:
    - Uninterpreted Text String
- SHALL support Custom Attribute [KMIP-SPEC] with the following data types and properties:
  - Text String
  - Integer
  - Date Time
- SHALL support a minimum length of 256 characters for Custom Attribute [KMIP-SPEC] and Name [KMIP-SPEC] values where the attribute type is of variable length
- SHALL support a minimum of 30 Custom Attribute [KMIP-SPEC] per managed object
- SHALL support a minimum of 64 characters in Custom Attribute [KMIP-SPEC] names
- MAY support any clause within [KMIP-SPEC] provided it does not conflict with any other clause within this section 2.2
- MAY support extensions outside the scope of this standard (e.g., vendor extensions, conformance clauses) that do not conflict with any KMIP requirements

KMIP servers conformant to this profile under [KMIP-SPEC-1_2]:
- SHALL support the following Attributes [KMIP-SPEC]:
  - Alternative Name [KMIP-SPEC-1_2]
- SHALL support the following Message Encoding [KMIP-SPEC-1_2]:
  - Alternative Name Type Enumeration [KMIP-SPEC-1_2] value:
    - Uninterpreted Text String
Using Application Specific Information for Key Identifiers
This information applies to Tape Libraries that use the Application Specific Information [KMIP-SPEC] attribute to store key identifiers. KMIP clients are not required to use Application Specific Information [KMIP-SPEC]; however, KMIP servers are required to support both KMIP clients that use Application Specific Information [KMIP-SPEC] and KMIP clients that do not use Application Specific Information [KMIP-SPEC].
The Application Specific Information [KMIP-SPEC] MAY be used to store data that is specific to the application (Tape Library) using the object.
The following Application Namespaces SHOULD be used in the Application Namespace field of the Application Specific Information [KMIP-SPEC]:
LIBRARY-LTO, LIBRARY-LTO4, LIBRARY-LTO5, and LIBRARY-LTO6
For backwards compatibility with deployed Tape Library implementations, servers MAY support VENDOR-LIBRARY-LTO as an Application Namespace, where VENDOR is an ASCII string that SHALL NOT be further interpreted and SHALL be handled by the server as if the Application Namespace was set to LIBRARY-LTO.
Application Specific Information [KMIP-SPEC] supports key identifiers being created either on the server or on the client (Tape Library), but not both. This profile specifies key identifiers created by the client.
The Application Specific Information [KMIP-SPEC] method of key identification relies on the ability to uniquely identify a key based only on its Application Data (preferably), or (alternatively) on some combination of Application Data and Custom Attributes [KMIP-SPEC], which the key creator guarantees to be unique within the Application Namespace.
Key identifiers stored in the KMIP server's Application Specific Information [KMIP-SPEC] are in ASCII format. Key identifiers stored in the KMIP client's tape format KAD fields are in numeric format. The specific algorithm for converting between text and numeric formats is specified below.
All information contained in the tape format's KAD fields is converted to an ASCII string consisting of hexadecimal numeric character pairs as follows:
1. The unauthenticated KAD is converted to text;
2. The authenticated KAD is converted to text; and
3. The converted authenticated KAD text is concatenated to the end of the converted unauthenticated KAD text.
If the implementation uses client-created key identifiers, then the client generates a new identifier in ASCII format that SHALL be unique within the chosen namespace. The source material for generating the string is dependent on client policy. The numeric representation of this identifier SHALL be no larger than the N(k) bytes of the KAD for the tape media being used.
For KMIP clients and servers conforming to this profile, Application Specific Information [KMIP-SPEC] SHALL be created by the Tape Library KMIP client based on the tape format's KAD fields as follows:
1. Define an empty output buffer sufficient to contain a string with a maximum length of 2*N(k) bytes.
2. Copy the tape format's unauthenticated KAD (if present) to the output buffer, converting each byte value to exactly two Hexadecimal Numeric Characters. The first byte (i.e., byte 0) of the output buffer is the first byte of unauthenticated KAD.
3. Concatenate the tape format's authenticated KAD to the output buffer, converting each byte value to exactly two Hexadecimal Numeric Characters.
Note: the contents of the unauthenticated KAD and authenticated KAD fields may be less than the maximum permitted lengths; the implementation provides the correct length values to use in the algorithm rather than using fixed maximum length fields.
If Application Specific Information [KMIP-SPEC] is supported, then it SHALL be used by the client for locating the object for the purpose of encrypting and decrypting data on tape. The Application Specific Information [KMIP-SPEC] value SHALL solely be used for this purpose.
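The KAD-to-Application-Data conversion and the VENDOR-LIBRARY-LTO namespace rule described in this section, as an added Python example that is not part of the profile text. The function names, the rejection of an empty KAD, and the sample byte values are assumptions made for illustration; the size limits are the N(u) and N(a) values from the Terminology section.

```python
import re

# Maximum KAD field sizes in bytes, from the profile's Terminology section:
# media generation -> (N(u) unauthenticated, N(a) authenticated).
KAD_LIMITS = {"LTO4": (32, 12), "LTO5": (32, 60), "LTO6": (32, 60)}

# Application Namespaces the profile says SHOULD be used.
STANDARD_NAMESPACES = {"LIBRARY-LTO", "LIBRARY-LTO4", "LIBRARY-LTO5", "LIBRARY-LTO6"}

# Hexadecimal Numeric Characters: 0-9 and uppercase A-F only, always in pairs.
_HEX_PAIRS = re.compile(r"(?:[0-9A-F]{2})+")


def _limits(media):
    try:
        return KAD_LIMITS[media]
    except KeyError:
        raise ValueError(f"unknown media generation: {media!r}") from None


def kad_to_application_data(unauth_kad, auth_kad, media):
    """Client side: build the ASI Application Data string from the KAD fields."""
    n_u, n_a = _limits(media)
    # Use the actual field lengths, never padded maximum-length buffers.
    if len(unauth_kad) > n_u:
        raise ValueError(f"unauthenticated KAD exceeds N(u)={n_u} bytes")
    if len(auth_kad) > n_a:
        raise ValueError(f"authenticated KAD exceeds N(a)={n_a} bytes")
    if not unauth_kad and not auth_kad:
        # Assumption of this example: an empty identifier cannot be unique.
        raise ValueError("KAD is empty")
    # Unauthenticated KAD first (if present), authenticated KAD appended;
    # each byte becomes exactly two uppercase hexadecimal characters.
    return unauth_kad.hex().upper() + auth_kad.hex().upper()


def application_data_to_kad(app_data, unauth_len, media):
    """Reverse conversion. The caller supplies the unauthenticated KAD length,
    because the string does not record where the two fields split."""
    n_u, n_a = _limits(media)
    if not _HEX_PAIRS.fullmatch(app_data):
        raise ValueError("Application Data is not uppercase hexadecimal pairs")
    raw = bytes.fromhex(app_data)
    if not 0 <= unauth_len <= min(n_u, len(raw)):
        raise ValueError("unauthenticated KAD length out of range")
    if len(raw) - unauth_len > n_a:
        raise ValueError(f"authenticated KAD exceeds N(a)={n_a} bytes")
    return raw[:unauth_len], raw[unauth_len:]


def normalize_namespace(namespace):
    """Server side: handle VENDOR-LIBRARY-LTO as if it were LIBRARY-LTO,
    without interpreting the VENDOR prefix."""
    if namespace in STANDARD_NAMESPACES:
        return namespace
    suffix = "-LIBRARY-LTO"
    if (namespace.isascii() and namespace.endswith(suffix)
            and len(namespace) > len(suffix)):
        return "LIBRARY-LTO"
    raise ValueError(f"unsupported Application Namespace: {namespace!r}")


if __name__ == "__main__":
    # Constructed sample KAD values, not taken from a real cartridge.
    unauth = bytes([0x01, 0x02, 0xFF])
    auth = bytes([0xAB, 0x00])
    text = kad_to_application_data(unauth, auth, "LTO4")
    print(normalize_namespace("ACME-LIBRARY-LTO"), text)
    print(application_data_to_kad(text, len(unauth), "LTO4"))
```

The decoder rejects lowercase hexadecimal on purpose: the profile defines Hexadecimal Numeric Characters as case-sensitive, so "ab" and "AB" would otherwise be two different Application Data strings for the same key identifier.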
Using Alternative Name for tape media barcode
The Tape Library client SHALL assign a text (i.e., human-readable) representation of the media barcode to the Alternative Name [KMIP-SPEC-1_2] of the object. This SHALL occur on first use of the object for encryption, which normally is when the library requests the server to create the object.
The relationship between key identifiers in Application Specific Information [KMIP-SPEC] and Alternative Name [KMIP-SPEC-1_2] is as follows:
- The values for both are provided by the client
- The identifier in Alternative Name [KMIP-SPEC-1_2] (i.e., the barcode) SHALL be used by the server administrator for finding keys associated with specific tape media (e.g., a server administrator may want to find the key(s) associated with a missing tape cartridge, where the barcode of that tape cartridge is known).
- The Alternative Name [KMIP-SPEC-1_2] SHALL NOT be used by a client for locating the object to encrypt or decrypt data, since the value (barcode) is not required to be unique and therefore does not ensure retrieval of the correct key.
Tape Library Profile Test Cases
The test cases define a number of request-response pairs for KMIP operations. Each test case is provided in the XML format specified in [KMIP-ENCODE] intended to be both human-readable and usable by automated tools. The time sequence (starting from 0) for each request-response pair is noted and line numbers are provided for ease of cross-reference for a given test sequence.
Each test case has a unique label (the section name) which includes indication of mandatory (-M-) or optional (-O-) status and the protocol version major and minor numbers as part of the identifier.
The test cases may depend on a specific configuration of a KMIP client and server being configured in a manner consistent with the test case assumptions.
Where possible, the flow of unique identifiers between tests, the date-time values, and other dynamic items are indicated using symbolic identifiers; in actual request and response messages these dynamic values will be filled in with valid values.
Note: the values for the returned items and the custom attributes are illustrative. Actual values from a real client system may vary as specified in section 4.7.
Mandatory Test Cases KMIP v1.0
TL-M-1-10 - Configuration
Determine server configuration details including operations supported (only the mandatory operations are listed in the response example), objects supported (only the mandatory object types are listed in the response example), optional server information, and optional list of application name spaces.
TL-M-2-10 - Write with new (created) key
This case may occur when the Write operation starts with the first block on a tape. The implementation may choose which Write operations qualify for creation of a new key. Regardless of the initiating circumstances, the Tape Library requests the server to create a new AES-256 symmetric key with appropriate identifying information which is unique within the Application Namespace.
Additional custom attributes MAY be specified in order to:
- ensure uniqueness of the key identifier when later Locating the key via ASI
- provide human-readable information (such as the tape Barcode value)
- provide information to support client-specific purposes
TL-M-3-10 - Read an encrypted tape
The Tape Library constructs an identifier string based on the method in 2.3, then requests the server to Locate that string via ASI. A Get is then requested based on the key's unique identifier. The Tape Library MAY update attributes associated with the Symmetric Key Managed Object. The following test case shows extensive use of custom attributes. Custom attributes are not required if the Application Name is unique within the Application Namespace. An implementation may also use custom attributes for vendor-unique purposes, or to improve usability.
The test case destroys the key created in the previous test case to clean up after the test. Tape Library implementations may elect to not perform this step.
Mandatory Test Cases KMIP v1.1
TL-M-1-11 - Configuration
Determine server configuration details including operations supported (only the mandatory operations are listed in the response example), objects supported (only the mandatory object types are listed in the response example), optional server information, and an optional list of application namespaces.
TL-M-2-11 - Write with new (created) key
This case may occur when the Write operation starts with the first block on a tape. The implementation may choose which Write operations qualify for creation of a new key. Regardless of the initiating circumstances, the Tape Library requests the server to create a new AES-256 symmetric key with appropriate identifying information which is unique within the Application Namespace.
Additional custom attributes MAY be specified in order to:
- ensure uniqueness of the key identifier when later Locating the key via ASI
- provide human-readable information (such as the tape Barcode value)
- provide information to support client-specific purposes
TL-M-3-11 - Read an encrypted tape
The Tape Library constructs an identifier string based on the method in 2.3, then requests the server to Locate that string via ASI. A Get is then requested based on the key's unique identifier. The Tape Library MAY update attributes associated with the Symmetric Key Managed Object. The following test case shows extensive use of custom attributes. Custom attributes are not required if the Application Name is unique within the Application Namespace. An implementation may also use custom attributes for vendor-unique purposes, or to improve usability.
The test case destroys the key created in the previous test case to clean up after the test. Tape Library implementations may elect to not perform this step.
Mandatory Test Cases KMIP v1.2
TL-M-1-12 - Configuration
Determine server configuration details including operations supported (only the mandatory operations are listed in the response example), objects supported (only the mandatory object types are listed in the response example), optional server information, and an optional list of application namespaces.
TL-M-2-12 - Write with new (created) key
This case may occur when the Write operation starts with the first block on a tape. The implementation may choose which Write operations qualify for creation of a new key. Regardless of the initiating circumstances, the Tape Library requests the server to create a new AES-256 symmetric key with appropriate identifying information which is unique within the Application Namespace.
Additional custom attributes MAY be specified in order to:
- ensure uniqueness of the key identifier when later Locating the key via ASI
- provide human-readable information (such as the tape Barcode value)
- provide information to support client-specific purposes
TL-M-3-12 - Read an encrypted tape
The Tape Library constructs an identifier string based on the method in 2.3, then requests the server to Locate that string via ASI. A Get is then requested based on the key's unique identifier. The Tape Library MAY update attributes associated with the Symmetric Key Managed Object. The following test case shows extensive use of custom attributes. Custom attributes are not required if the Application Name is unique within the Application Namespace. An implementation may also use custom attributes for vendor-unique purposes, or to improve usability.
The test case destroys the key created in the previous test case to clean up after the test. Tape Library implementations may elect to not perform this step.
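The Locate-then-Get read flow of TL-M-3-10, TL-M-3-11 and TL-M-3-12, including the case where the identifier alone is not unique and a custom attribute resolves it, is sketched below as an added example that is not part of the profile. It runs against an in-memory stand-in rather than a KMIP server, and the namespace, identifier string and the `x-Barcode` attribute name are constructed, hypothetical values.

```python
import secrets

ASI = "Application Specific Information"


class KeyLookupError(Exception):
    """Locate did not resolve to exactly one key."""


class ToyKeyServer:
    """In-memory stand-in for a key server (hypothetical, not a KMIP implementation)."""

    def __init__(self):
        self._objects = {}  # unique identifier -> attributes and key material
        self._next_id = 1

    def create(self, attributes):
        uid = str(self._next_id)
        self._next_id += 1
        self._objects[uid] = {
            "attributes": dict(attributes),
            "key": secrets.token_bytes(32),  # 256-bit key material
        }
        return uid

    def locate(self, wanted):
        """Return the unique identifiers of every object matching all wanted attributes."""
        return [
            uid for uid, obj in self._objects.items()
            if all(obj["attributes"].get(name) == value for name, value in wanted.items())
        ]

    def get(self, uid):
        return self._objects[uid]["key"]

    def destroy(self, uid):
        del self._objects[uid]


def create_tape_key(server, namespace, identifier, barcode):
    """Write path: create a key tagged with the ASI pair and a barcode custom attribute."""
    return server.create({ASI: (namespace, identifier), "x-Barcode": barcode})


def read_tape_key(server, namespace, identifier, barcode=None):
    """Read path: Locate via ASI, narrow by custom attribute if needed, then Get."""
    wanted = {ASI: (namespace, identifier)}
    matches = server.locate(wanted)
    if len(matches) > 1 and barcode is not None:
        # The identifier was not unique within the namespace: disambiguate.
        matches = server.locate({**wanted, "x-Barcode": barcode})
    if len(matches) != 1:
        # Zero or several candidates: never guess which key decrypts the tape.
        raise KeyLookupError(f"{len(matches)} keys match {identifier!r}")
    uid = matches[0]
    return uid, server.get(uid)


if __name__ == "__main__":
    server = ToyKeyServer()
    namespace, identifier = "EXAMPLE-NS", "IDENT-0001"  # constructed sample values
    first = create_tape_key(server, namespace, identifier, "TAPE01")
    print("unique lookup:", read_tape_key(server, namespace, identifier)[0] == first)
    second = create_tape_key(server, namespace, identifier, "TAPE02")
    try:
        read_tape_key(server, namespace, identifier)
    except KeyLookupError as err:
        print("ambiguous lookup refused:", err)
    print("barcode resolves it:",
          read_tape_key(server, namespace, identifier, "TAPE02")[0] == second)
    for uid in (first, second):  # optional clean-up, as in the test case
        server.destroy(uid)
```
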
Conformance
Tape Library Client KMIP v1.0 Conformance
KMIP client implementations conformant to this profile:
- SHALL support the Authentication Suite conditions (2.1);
- SHALL support the Baseline Tape Library - Client conditions (2.2);
- SHALL support the Using Application Specific Information for Key Identifiers conditions (2.4);
- SHALL support the Using Alternative Name for tape media barcode conditions (2.5); and
- SHALL support all the Mandatory Test Cases KMIP v1.0 (3.1).
Tape Library Client KMIP v1.1 Conformance
KMIP client implementations conformant to this profile:
- SHALL support the Authentication Suite conditions (2.1);
- SHALL support the Baseline Tape Library - Client conditions (2.2);
- SHALL support the Using Application Specific Information for Key Identifiers conditions (2.4);
- SHALL support the Using Alternative Name for tape media barcode conditions (2.5); and
- SHALL support all the Mandatory Test Cases KMIP v1.1 (3.2).
Tape Library Client KMIP v1.2 Conformance
KMIP client implementations conformant to this profile:
- SHALL support the Authentication Suite conditions (2.1);
- SHALL support the Baseline Tape Library - Client conditions (2.2);
- SHALL support the Using Application Specific Information for Key Identifiers conditions (2.4);
- SHALL support the Using Alternative Name for tape media barcode conditions (2.5); and
- SHALL support all the Mandatory Test Cases KMIP v1.2 (3.3).
Tape Library Server KMIP v1.0 Conformance
KMIP server implementations conformant to this profile:
- SHALL support the Authentication Suite conditions (2.1);
- SHALL support the Baseline Tape Library - Server conditions (2.3);
- SHALL support the Using Application Specific Information for Key Identifiers conditions (2.4);
- SHALL support the Using Alternative Name for tape media barcode conditions (2.5); and
- SHALL support all the Mandatory Test Cases KMIP v1.0 (3.1).
Tape Library Server KMIP v1.1 Conformance
KMIP server implementations conformant to this profile:
- SHALL support the Authentication Suite conditions (2.1);
- SHALL support the Baseline Tape Library - Server conditions (2.3);
- SHALL support the Using Application Specific Information for Key Identifiers conditions (2.4);
- SHALL support the Using Alternative Name for tape media barcode conditions (2.5); and
- SHALL support all the Mandatory Test Cases KMIP v1.1 (3.2).
Tape Library Server KMIP v1.2 Conformance
KMIP server implementations conformant to this profile:
- SHALL support the Authentication Suite conditions (2.1);
- SHALL support the Baseline Tape Library - Server conditions (2.3);
- SHALL support the Using Application Specific Information for Key Identifiers conditions (2.4);
- SHALL support the Using Alternative Name for tape media barcode conditions (2.5); and
- SHALL support all the Mandatory Test Cases KMIP v1.2 (3.3).
Permitted Test Case Variations
Whilst the test cases provided in this Profile define the allowed request and response content, some inherent variations MAY occur and are permitted within a successfully completed test case.
Each test case MAY include allowed variations in the description of the test case in addition to the variations noted in this section.
Other variations not explicitly noted in this Profile SHALL be deemed non-conformant.
Variable Items
An implementation conformant to this Profile MAY vary the following values:
- UniqueIdentifier
- PrivateKeyUniqueIdentifier
- PublicKeyUniqueIdentifier
- UniqueBatchItemIdentifier
- AsynchronousCorrelationValue
- TimeStamp
- KeyValue / KeyMaterial including:
  - key material content returned for managed cryptographic objects which are generated by the server
  - wrapped versions of keys where the wrapping key is dynamic or the wrapping contains variable output for each wrap operation
- For responses containing the output of a cryptographic operation in Data / SignatureData / MACData / IVCounterNonce where:
  - the managed object is generated by the server; or
  - the operation inherently contains variable output
- For the following DateTime attributes where the value is not specified in the request as a fixed DateTime value:
  - ActivationDate
  - ArchiveDate
  - CompromiseDate
  - CompromiseOccurrenceDate
  - DeactivationDate
  - DestroyDate
  - InitialDate
  - LastChangeDate
  - ProtectStartDate
  - ProcessStopDate
  - ValidityDate
  - OriginalCreationDate
- LinkedObjectIdentifier
- DigestValue
  - For those managed cryptographic objects which are dynamically generated
- KeyFormatType
  - The key format type selected by the server when it creates managed objects
- Digest
  - The HashingAlgorithm selected by the server when it calculates the digest for a managed object for which it has access to the key material
  - The Digest Value
- Extensions reported in Query for ExtensionList and ExtensionMap
- Application Namespaces reported in Query
- Object Types reported in Query other than those noted as required in this profile
- Operation Types reported in Query other than those noted as required in this profile (or any referenced profile documents)
- For TextString attribute values containing test identifiers:
  - Additional vendor or application prefixes
- Additional attributes beyond those noted in the response
An implementation conformant to this Profile MAY allow the following response variations:
- Object Group values - May or may not return one or more Object Group values not included in the requests
- y-CustomAttributes - May or may not include additional server-specific associated attributes not included in requests
- Message Extensions - May or may not include additional (non-critical) vendor extensions
- TemplateAttribute - May or may not be included in responses where the Template Attribute response is noted as optional in [KMIP-SPEC]
- AttributeIndex - May or may not include Attribute Index value where the Attribute Index value is 0 for Protocol Versions 1.1 and above.
- ResultMessage - May or may not be included in responses and the value (if included) may vary from the text contained within the test case.
- The list of Protocol Versions returned in a DiscoverVersion response may include additional protocol versions if the request has not specified a list of client supported Protocol Versions.
- VendorIdentification - The value (if included) may vary from the text contained within the test case.
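One way a test harness could apply these rules when comparing a recorded response with the expected one, shown as an added example that is not part of the profile. It covers only a subset of the variable items and response variations (it does not handle the DateTime attributes, KeyFormatType, Query lists or y-CustomAttributes), and the XML sample and its values are constructed.

```python
import xml.etree.ElementTree as ET

# Subset of the "Variable Items": the value may differ but must be present.
VARIABLE_VALUES = {
    "UniqueIdentifier", "PrivateKeyUniqueIdentifier", "PublicKeyUniqueIdentifier",
    "UniqueBatchItemIdentifier", "AsynchronousCorrelationValue", "TimeStamp",
    "KeyMaterial", "LinkedObjectIdentifier", "DigestValue",
}
# Elements a response may or may not include (subset of the response variations).
OPTIONAL_ELEMENTS = {"ResultMessage"}


def significant_children(elem):
    """Child elements that still have to match after dropping permitted optional ones."""
    kept = []
    for child in elem:
        if child.tag in OPTIONAL_ELEMENTS:
            continue
        if child.tag == "AttributeIndex" and child.get("value") == "0":
            # An Attribute Index of 0 may be omitted; this sketch does not
            # check that the protocol version is 1.1 or above.
            continue
        kept.append(child)
    return kept


def differences(expected, actual, path=""):
    """Return the differences that the permitted variations do not cover."""
    here = f"{path}/{expected.tag}"
    if expected.tag != actual.tag:
        return [f"{here}: found <{actual.tag}> instead"]
    exp_kids = significant_children(expected)
    act_kids = significant_children(actual)
    if not exp_kids and not act_kids:  # leaf item: compare type, then value
        if expected.get("type") != actual.get("type"):
            return [f"{here}: type {actual.get('type')} != {expected.get('type')}"]
        if expected.tag in VARIABLE_VALUES:
            return [] if actual.get("value") else [f"{here}: value missing"]
        if expected.get("value") != actual.get("value"):
            return [f"{here}: value {actual.get('value')} != {expected.get('value')}"]
        return []
    if len(exp_kids) != len(act_kids):
        # Anything not explicitly permitted is non-conformant, extra items included.
        return [f"{here}: {len(act_kids)} child items, expected {len(exp_kids)}"]
    found = []
    for exp_child, act_child in zip(exp_kids, act_kids):
        found.extend(differences(exp_child, act_child, here))
    return found


def sample_create_response(timestamp, status, uid, extra=""):
    """Constructed Create response in an XML rendering of a KMIP message (sample data)."""
    return ET.fromstring(f"""<ResponseMessage>
  <ResponseHeader>
    <ProtocolVersion>
      <ProtocolVersionMajor type="Integer" value="1"/>
      <ProtocolVersionMinor type="Integer" value="2"/>
    </ProtocolVersion>
    <TimeStamp type="DateTime" value="{timestamp}"/>
    <BatchCount type="Integer" value="1"/>
  </ResponseHeader>
  <BatchItem>
    <Operation type="Enumeration" value="Create"/>
    <ResultStatus type="Enumeration" value="{status}"/>
    {extra}
    <ResponsePayload>
      <ObjectType type="Enumeration" value="SymmetricKey"/>
      <UniqueIdentifier type="TextString" value="{uid}"/>
    </ResponsePayload>
  </BatchItem>
</ResponseMessage>""")


if __name__ == "__main__":
    expected = sample_create_response("2013-06-26T09:09:17+00:00", "Success", "1")
    varied = sample_create_response(
        "2024-02-03T10:00:00+00:00", "Success", "b7c2",
        '<ResultMessage type="TextString" value="created"/>')
    failed = sample_create_response("2024-02-03T10:00:00+00:00", "OperationFailed", "b7c2")
    print("permitted variations only:", differences(expected, varied))
    print("non-conformant:", differences(expected, failed))
```
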
Variable behavior
An implementation conformant to this Profile SHALL allow variation of the following behavior:
- A test may omit the clean-up requests and responses (containing Revoke and/or Destroy) at the end of the test provided there is a separate mechanism to remove the created objects during testing.
- A test may omit the test identifiers if the client is unable to include them in requests. This includes the following attributes:
  - Name; and
  - x-ID
- A test MAY perform requests with multiple batch items or as multiple requests with a single batch item provided the sequence of operations is equivalent
- A request MAY contain an optional Authentication [KMIP-SPEC] structure within each request
Acknowledgments
The following individuals have participated in the creation of this specification and are gratefully acknowledged:
Participants:
Hal Aldridge, Sypris Electronics
Mike Allen, Symantec
Gordon Arnold, IBM
Todd Arnold, IBM
Richard Austin, Hewlett-Packard
Lars Bagnert, PrimeKey
Elaine Barker, NIST
Peter Bartok, Venafi, Inc.
Tom Benjamin, IBM
Anthony Berglas, Cryptsoft
Mathias Björkqvist, IBM
Kevin Bocket, Venafi
Anne Bolgert, IBM
Alan Brown, Thales e-Security
Tim Bruce, CA Technologies
Chris Burchett, Credant Technologies, Inc.
Kelley Burgin, National Security Agency
Robert Burns, Thales e-Security
Chuck Castleton, Venafi
Kenli Chong, QuintessenceLabs
John Clark, Hewlett-Packard
Tom Clifford, Symantec Corp.
Doron Cohen, SafeNet, Inc
Tony Cox, Cryptsoft
Russell Dietz, SafeNet, Inc
Graydon Dodson, Lexmark International Inc.
Vinod Duggirala, EMC Corporation
Chris Dunn, SafeNet, Inc.
Michael Duren, Sypris Electronics
James Dzierzanowski, American Express CCoE
Faisal Faruqui, Thales e-Security
Stan Feather, Hewlett-Packard
David Finkelstein, Symantec Corp.
James Fitzgerald, SafeNet, Inc.
Indra Fitzgerald, Hewlett-Packard
Judith Furlong, EMC Corporation
Susan Gleeson, Oracle
Robert Griffin, EMC Corporation
Paul Grojean, Individual
Robert Haas, IBM
Thomas Hardjono, M.I.T.
ChengDong He, Huawei Technologies Co., Ltd.
Steve He, Vormetric
Kurt Heberlein, Hewlett-Packard
Larry Hofer, Emulex Corporation
Maryann Hondo, IBM
Walt Hubis, NetApp
Tim Hudson, Cryptsoft
Jonas Iggbom, Venafi, Inc.
Sitaram Inguva, American Express CCoE
Jay Jacobs, Target Corporation
Glen Jaquette, IBM
Mahadev Karadiguddi, NetApp
Greg Kazmierczak, Wave Systems Corp.
Marc Kenig, SafeNet, Inc.
Mark Knight, Thales e-Security
Kathy Kriese, Symantec Corporation
Mark Lambiase, SecureAuth
John Leiseboer, QuintessenceLabs
Hal Lockhart, Oracle Corporation
Robert Lockhart, Thales e-Security
Anne Luk, Cryptsoft
Sairam Manidi, Freescale
Luther Martin, Voltage Security
Neil McEvoy, iFOSSF
Marina Milshtein, Individual
Dale Moberg, Axway Software
Jishnu Mukeri, Hewlett-Packard
Bryan Olson, Hewlett-Packard
John Peck, IBM
Rob Philpott, EMC Corporation
Denis Pochuev, SafeNet, Inc.
Reid Poole, Venafi, Inc.
Ajai Puri, SafeNet, Inc.
Saravanan Ramalingam, Thales e-Security
Peter Reed, SafeNet, Inc.
Bruce Rich, IBM
Christina Richards, American Express CCoE
Warren Robbins, Dell
Peter Robinson, EMC Corporation
Scott Rotondo, Oracle
Saikat Saha, SafeNet, Inc.
Anil Saldhana, Red Hat
Subhash Sankuratripati, NetApp
Boris Schumperli, Cryptomathic
Greg Singh, QuintessenceLabs
David Smith, Venafi, Inc
Brian Spector, Certivox
Terence Spies, Voltage Security
Deborah Steckroth, RouteOne LLC
Michael Stevens, QuintessenceLabs
Marcus Streets, Thales e-Security
Satish Sundar, IBM
Kiran Thota, VMware
Somanchi Trinath, Freescale Semiconductor, Inc.
Nathan Turajski, Thales e-Security
Sean Turner, IECA, Inc.
Paul Turner, Venafi, Inc.
Rod Wideman, Quantum Corporation
Steven Wierenga, Hewlett-Packard
Jin Wong, QuintessenceLabs
Sameer Yami, Thales e-Security
Peter Yee, EMC Corporation
Krishna Yellepeddy, IBM
Catherine Ying, SafeNet, Inc.
Tatu Ylonen, SSH Communications Security (Tectia Corp)
Michael Yoder, Vormetric, Inc.
Magda Zdunkiewicz, Cryptsoft
Peter Zelechoski, Election Systems & Software
KMIP Specification Cross Reference
Reference Term | KMIP 1.0 | KMIP 1.1 | KMIP 1.2
1 Introduction | | |
Non-Normative References | 1.3. | 1.3. | 1.3.
Normative References | 1.2. | 1.2. | 1.2.
Terminology | 1.1. | 1.1. | 1.1.
2 Objects | | |
Attribute | 2.1.1. | 2.1.1. | 2.1.1.
Base Objects | 2.1. | 2.1. | 2.1.
Certificate | 2.2.1. | 2.2.1. | 2.2.1.
Credential | 2.1.2. | 2.1.2. | 2.1.2.
Data | - | - | 2.1.10.
Data Length | - | - | 2.1.11.
Extension Information | - | 2.1.9. | 2.1.9.
Key Block | 2.1.3. | 2.1.3. | 2.1.3.
Key Value | 2.1.4. | 2.1.4. | 2.1.4.
Key Wrapping Data | 2.1.5. | 2.1.5. | 2.1.5.
Key Wrapping Specification | 2.1.6. | 2.1.6. | 2.1.6.
MAC Data | - | - | 2.1.13.
Managed Objects | 2.2. | 2.2. | 2.2.
Nonce | - | - | 2.1.14.
Opaque Object | 2.2.8. | 2.2.8. | 2.2.8.
PGP Key | - | - | 2.2.9.
Private Key | 2.2.4. | 2.2.4. | 2.2.4.
Public Key | 2.2.3. | 2.2.3. | 2.2.3.
Secret Data | 2.2.7. | 2.2.7. | 2.2.7.
Signature Data | - | - | 2.1.12.
Split Key | 2.2.5. | 2.2.5. | 2.2.5.
Symmetric Key | 2.2.2. | 2.2.2. | 2.2.2.
Template | 2.2.6. | 2.2.6. | 2.2.6.
Template-Attribute Structures | 2.1.8. | 2.1.8. | 2.1.8.
Transparent DH Private Key | 2.1.7.6. | 2.1.7.6. | 2.1.7.6.
Transparent DH Public Key | 2.1.7.7. | 2.1.7.7. | 2.1.7.7.
Transparent DSA Private Key | 2.1.7.2. | 2.1.7.2. | 2.1.7.2.
Transparent DSA Public Key | 2.1.7.3. | 2.1.7.3. | 2.1.7.3.
Transparent ECDH Private Key | 2.1.7.10. | 2.1.7.10. | 2.1.7.10.
Transparent ECDH Public Key | 2.1.7.11. | 2.1.7.11. | 2.1.7.11.
Transparent ECDSA Private Key | 2.1.7.8. | 2.1.7.8. | 2.1.7.8.
Transparent ECDSA Public Key | 2.1.7.9. | 2.1.7.9. | 2.1.7.9.
Transparent ECMQV Private Key | 2.1.7.12. | 2.1.7.12. | 2.1.7.12.
Transparent ECMQV Public Key | 2.1.7.13. | 2.1.7.13. | 2.1.7.13.
Transparent Key Structures | 2.1.7. | 2.1.7. | 2.1.7.
Transparent RSA Private Key | 2.1.7.4. | 2.1.7.4. | 2.1.7.4.
Transparent RSA Public Key | 2.1.7.5. | 2.1.7.5. | 2.1.7.5.
Transparent Symmetric Key | 2.1.7.1. | 2.1.7.1. | 2.1.7.1.
3 Attributes | | |
Activation Date | 3.19. | 3.24. | 3.24.
Alternative Name | - | - | 3.40.
Application Specific Information | 3.30. | 3.36. | 3.36.
Archive Date | 3.27. | 3.32. | 3.32.
Attributes | 3 | 3 | 3
Certificate Identifier | 3.9. | 3.13. | 3.13.
Certificate Issuer | 3.11. | 3.15. | 3.15.
Certificate Length | - | 3.9. | 3.9.
Certificate Subject | 3.10. | 3.14. | 3.14.
Certificate Type | 3.8. | 3.8. | 3.8.
Compromise Date | 3.25. | 3.30. | 3.30.
Compromise Occurrence Date | 3.24. | 3.29. | 3.29.
Contact Information | 3.31. | 3.37. | 3.37.
Cryptographic Algorithm | 3.4. | 3.4. | 3.4.
Cryptographic Domain Parameters | 3.7. | 3.7. | 3.7.
Cryptographic Length | 3.5. | 3.5. | 3.5.
Cryptographic Parameters | 3.6. | 3.6. | 3.6.
Custom Attribute | 3.33. | 3.39. | 3.39.
Deactivation Date | 3.22. | 3.27. | 3.27.
Default Operation Policy | 3.13.2. | 3.18.2. | 3.18.2.
Default Operation Policy for Certificates and Public Key Objects | 3.13.2.2. | 3.18.2.2. | 3.18.2.2.
Default Operation Policy for Secret Objects | 3.13.2.1. | 3.18.2.1. | 3.18.2.1.
Default Operation Policy for Template Objects | 3.13.2.3. | 3.18.2.3. | 3.18.2.3.
Destroy Date | 3.23. | 3.28. | 3.28.
Digest | 3.12. | 3.17. | 3.17.
Digital Signature Algorithm | - | 3.16. | 3.16.
Fresh | - | 3.34. | 3.34.
Initial Date | 3.18. | 3.23. | 3.23.
Key Value Location | - | - | 3.42.
Key Value Present | - | - | 3.41.
Last Change Date | 3.32. | 3.38. | 3.38.
Lease Time | 3.15. | 3.20. | 3.20.
Link | 3.29. | 3.35. | 3.35.
Name | 3.2. | 3.2. | 3.2.
Object Group | 3.28. | 3.33. | 3.33.
Object Type | 3.3. | 3.3. | 3.3.
Operation Policy Name | 3.13. | 3.18. | 3.18.
Operations outside of operation policy control | 3.13.1. | 3.18.1. | 3.18.1.
Original Creation Date | - | - | 3.43.
Process Start Date | 3.20. | 3.25. | 3.25.
Protect Stop Date | 3.21. | 3.26. | 3.26.
Revocation Reason | 3.26. | 3.31. | 3.31.
State | 3.17. | 3.22. | 3.22.
Unique Identifier | 3.1. | 3.1. | 3.1.
Usage Limits | 3.16. | 3.21. | 3.21.
X.509 Certificate Identifier | - | 3.10. | 3.10.
X.509 Certificate Issuer | - | 3.12. | 3.12.
X.509 Certificate Subject | - | 3.11. | 3.11.
4 Client-to-Server Operations | | |
Activate | 4.18. | 4.19. | 4.19.
Add Attribute | 4.13. | 4.14. | 4.14.
Archive | 4.21. | 4.22. | 4.22.
Cancel | 4.25. | 4.27. | 4.27.
Certify | 4.6. | 4.7. | 4.7.
Check | 4.9. | 4.10. | 4.10.
Create | 4.1. | 4.1. | 4.1.
Create Key Pair | 4.2. | 4.2. | 4.2.
Create Split Key | - | - | 4.38.
Decrypt | - | - | 4.30.
Delete Attribute | 4.15. | 4.16. | 4.16.
Derive Key | 4.5. | 4.6. | 4.6.
Destroy | 4.20. | 4.21. | 4.21.
Discover Versions | - | 4.26. | 4.26.
Encrypt | - | - | 4.29.
Get | 4.10. | 4.11. | 4.11.
Get Attribute List | 4.12. | 4.13. | 4.13.
Get Attributes | 4.11. | 4.12. | 4.12.
Get Usage Allocation | 4.17. | 4.18. | 4.18.
Hash | - | - | 4.37.
Join Split Key | - | - | 4.39.
Locate | 4.8. | 4.9. | 4.9.
MAC | - | - | 4.33.
MAC Verify | - | - | 4.34.
Modify Attribute | 4.14. | 4.15. | 4.15.
Obtain Lease | 4.16. | 4.17. | 4.17.
Poll | 4.26. | 4.28. | 4.28.
Query | 4.24. | 4.25. | 4.25.
Re-certify | 4.7. | 4.8. | 4.8.
Recover | 4.22. | 4.23. | 4.23.
Register | 4.3. | 4.3. | 4.3.
Re-key | 4.4. | 4.4. | 4.4.
Re-key Key Pair | - | 4.5. | 4.5.
Revoke | 4.19. | 4.20. | 4.20.
RNG Retrieve | - | - | 4.35.
RNG Seed | - | - | 4.36.
Sign | - | - | 4.31.
Signature Verify | - | - | 4.32.
Validate | 4.23. | 4.24. | 4.24.
5 Server-to-Client Operations | | |
Notify | 5.1. | 5.1. | 5.1.
Put | 5.2. | 5.2. | 5.2.
6 Message Contents | | |
Asynchronous Correlation Value | 6.8. | 6.8. | 6.8.
Asynchronous Indicator | 6.7. | 6.7. | 6.7.
Attestation Capable Indicator | - | - | 6.17.
Batch Count | 6.14. | 6.14. | 6.14.
Batch Error Continuation Option | 6.13. | 6.13. | 6.13.
Batch Item | 6.15. | 6.15. | 6.15.
Batch Order Option | 6.12. | 6.12. | 6.12.
Maximum Response Size | 6.3. | 6.3. | 6.3.
Message Extension | 6.16. | 6.16. | 6.16.
Operation | 6.2. | 6.2. | 6.2.
Protocol Version | 6.1. | 6.1. | 6.1.
Result Message | 6.11. | 6.11. | 6.11.
Result Reason | 6.10. | 6.10. | 6.10.
Result Status | 6.9. | 6.9. | 6.9.
Time Stamp | 6.5. | 6.5. | 6.5.
Unique Batch Item ID | 6.4. | 6.4. | 6.4.
7 Message Format | | |
Message Structure | 7.1. | 7.1. | 7.1.
Operations | 7.2. | 7.2. | 7.2.
8 Authentication | | |
Authentication | 8 | 8 | 8
9 Message Encoding | | |
Alternative Name Type Enumeration | - | - | 9.1.3.2.34.
Attestation Type Enumeration | - | - | 9.1.3.2.36.
Batch Error Continuation Option Enumeration | 9.1.3.2.29. | 9.1.3.2.30. | 9.1.3.2.30.
Bit Masks | 9.1.3.3. | 9.1.3.3. | 9.1.3.3.
Block Cipher Mode Enumeration | 9.1.3.2.13. | 9.1.3.2.14. | 9.1.3.2.14.
Cancellation Result Enumeration | 9.1.3.2.24. | 9.1.3.2.25. | 9.1.3.2.25.
Certificate Request Type Enumeration | 9.1.3.2.21. | 9.1.3.2.22. | 9.1.3.2.22.
Certificate Type Enumeration | 9.1.3.2.6. | 9.1.3.2.6. | 9.1.3.2.6.
Credential Type Enumeration | 9.1.3.2.1. | 9.1.3.2.1. | 9.1.3.2.1.
Cryptographic Algorithm Enumeration | 9.1.3.2.12. | 9.1.3.2.13. | 9.1.3.2.13.
Cryptographic Usage Mask | 9.1.3.3.1. | 9.1.3.3.1. | 9.1.3.3.1.
Defined Values | 9.1.3. | 9.1.3. | 9.1.3.
Derivation Method Enumeration | 9.1.3.2.20. | 9.1.3.2.21. | 9.1.3.2.21.
Digital Signature Algorithm Enumeration | - | 9.1.3.2.7. | 9.1.3.2.7.
Encoding Option Enumeration | - | 9.1.3.2.32. | 9.1.3.2.32.
Enumerations | 9.1.3.2. | 9.1.3.2. | 9.1.3.2.
Examples | 9.1.2. | 9.1.2. | 9.1.2.
Hashing Algorithm Enumeration | 9.1.3.2.15. | 9.1.3.2.16. | 9.1.3.2.16.
Item Length | 9.1.1.3. | 9.1.1.3. | 9.1.1.3.
Item Tag | 9.1.1.1. | 9.1.1.1. | 9.1.1.1.
Item Type | 9.1.1.2. | 9.1.1.2. | 9.1.1.2.
Item Value | 9.1.1.4. | 9.1.1.4. | 9.1.1.4.
Key Compression Type Enumeration | 9.1.3.2.2. | 9.1.3.2.2. | 9.1.3.2.2.
Key Format Type Enumeration | 9.1.3.2.3. | 9.1.3.2.3. | 9.1.3.2.3.
Key Role Type Enumeration | 9.1.3.2.16. | 9.1.3.2.17. | 9.1.3.2.17.
Key Value Location Type Enumeration | - | - | 9.1.3.2.35.
Link Type Enumeration | 9.1.3.2.19. | 9.1.3.2.20. | 9.1.3.2.20.
Name Type Enumeration | 9.1.3.2.10. | 9.1.3.2.11. | 9.1.3.2.11.
Object Group Member Enumeration | - | 9.1.3.2.33. | 9.1.3.2.33.
Object Type Enumeration | 9.1.3.2.11. | 9.1.3.2.12. | 9.1.3.2.12.
Opaque Data Type Enumeration | 9.1.3.2.9. | 9.1.3.2.10. | 9.1.3.2.10.
Operation Enumeration | 9.1.3.2.26. | 9.1.3.2.27. | 9.1.3.2.27.
Padding Method Enumeration | 9.1.3.2.14. | 9.1.3.2.15. | 9.1.3.2.15.
Put Function Enumeration | 9.1.3.2.25. | 9.1.3.2.26. | 9.1.3.2.26.
Query Function Enumeration | 9.1.3.2.23. | 9.1.3.2.24. | 9.1.3.2.24.
Recommended Curve Enumeration for ECDSA, ECDH, and ECMQV | 9.1.3.2.5. | 9.1.3.2.5. | 9.1.3.2.5.
Result Reason Enumeration | 9.1.3.2.28. | 9.1.3.2.29. | 9.1.3.2.29.
Result Status Enumeration | 9.1.3.2.27. | 9.1.3.2.28. | 9.1.3.2.28.
Revocation Reason Code Enumeration | 9.1.3.2.18. | 9.1.3.2.19. | 9.1.3.2.19.
Secret Data Type Enumeration | 9.1.3.2.8. | 9.1.3.2.9. | 9.1.3.2.9.
Split Key Method Enumeration | 9.1.3.2.7. | 9.1.3.2.8. | 9.1.3.2.8.
State Enumeration | 9.1.3.2.17. | 9.1.3.2.18. | 9.1.3.2.18.
Storage Status Mask | 9.1.3.3.2. | 9.1.3.3.2. | 9.1.3.3.2.
Tags | 9.1.3.1. | 9.1.3.1. | 9.1.3.1.
TTLV Encoding | 9.1. | 9.1. | 9.1.
TTLV Encoding Fields | 9.1.1. | 9.1.1. | 9.1.1.
Usage Limits Unit Enumeration | 9.1.3.2.30. | 9.1.3.2.31. | 9.1.3.2.31.
Validity Indicator Enumeration | 9.1.3.2.22. | 9.1.3.2.23. | 9.1.3.2.23.
Wrapping Method Enumeration | 9.1.3.2.4. | 9.1.3.2.4. | 9.1.3.2.4.
XML Encoding | 9.2. | - | -
10 Transport | | |
Transport | 10 | 10 | 10
12 KMIP Server and Client Implementation Conformance | | |
Conformance clauses for a KMIP Server | 12.1. | - | -
KMIP Client Implementation Conformance | - | 12.2. | 12.2.
KMIP Server Implementation Conformance | - | 12.1. | 12.1.
Revision History
Revision | Date | Editor | Changes Made
wd01 | 27-Jun-2013 | Tim Hudson / Rod Wideman / Stan Feather | Converted from draft proposal to OASIS template incorporating updates from Stan Feather and inclusion of references to KMIP 1.2 documents. Editorial and formatting cleanup.
wd02 | 6-August-2013 | Tim Hudson | Updated to include Permitted Test Case Variations and updated Test Cases based on July 2013 Interop
wd03 | 8-August-2013 | Stan Feather / Rod Wideman | Editorial changes to section 3
wd04 | 10-August-2013 | Tim Hudson | Updated Permitted Test Case Variations
wd04a | 24-October-2013 | Tim Hudson | Editorial update to include VendorIdentification in the list of allowed variations as per TC motion.
pr01update | 11-June-2014 | Tim Hudson | Updated following Public Review
kmip-tape-lib-profile-v1.0-cos01 13 January 2015
Standards Track Work Product. Copyright © OASIS Open 2015. All Rights Reserved.