CLI Reference - KMIP Server

Akeyless KMIP Server

kmip-set-server-state

Set the server state to enabled/disabled

Please note: mandatory values for this command: -s, --state

Usage
akeyless kmip-set-server-state --state <Enabled / Disabled> \
--gateway-url <API Gateway URL:8000>
Parameters
Parameter | Description
-s, --state | (Mandatory) Make the server enabled or disabled [use 'enabled' or 'disabled']
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, required only for universal_identity authentication

kmip-server-setup

Create a new KMIP environment

Please note: mandatory values for this command: -n, --hostname, -r, --root

Usage
akeyless kmip-server-setup --hostname <KMIP server hostname> \
--certificate-ttl <Server certificate TTL in days (Default = 90)> \
--root <Root path of KMIP Objects> \
--gateway-url <API Gateway URL:8000>
Parameters
Parameter | Description
-n, --hostname | (Mandatory) Hostname of this KMIP server
-t, --certificate-ttl[=90] | Server certificate TTL in days
-r, --root | (Mandatory) Root path of KMIP Objects
-p, --output-file-folder | Folder path to save CA certificate file (for example, '.'). A new file will be created in that folder: ca.cert.
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, required only for universal_identity authentication

kmip-renew-server-certificate

Renew KMIP server certificate

Parameters
Parameter | Description
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, required only for universal_identity authentication

kmip-renew-client-certificate

Renew KMIP client certificate

Parameters
Parameter | Description
-n, --name | KMIP client name (either name or ID is required)
-i, --client-id | KMIP client ID (either name or ID is required)
-p, --output-file-folder | Folder path to save client certificate files (for example, '.'). Two files are created: .key and .cert
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, required only for universal_identity authentication

kmip-list-clients

Show existing KMIP clients

Parameters
Parameter | Description
-u, --gateway-url[=http://localhost:8000] | Gateway URL (Configuration Management port).
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, required only for universal_identity authentication

kmip-describe-server

Show KMIP environment details

Parameters
Parameter | Description
-u, --gateway-url[=http://localhost:8000] | Gateway URL (Configuration Management port).
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, required only for universal_identity authentication

kmip-server-delete

Delete the KMIP server (allowed only if it has no clients or associated items)

Parameters
Parameter | Description
-u, --gateway-url[=http://localhost:8000] | Gateway URL (Configuration Management port).
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, required only for universal_identity authentication

kmip-server-move

Move the root location of the KMIP server and all associated items to a new root location

Please note: mandatory values for this command: -n, --new-root

Usage

akeyless kmip-server-move --new-root <New root for the kmip server> \
--gateway-url <API Gateway URL:8000>
Parameters
Parameter | Description
-u, --gateway-url[=http://localhost:8000] | Gateway URL (Configuration Management port).
-n, --new-root | (Mandatory) New root for the KMIP server
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, required only for universal_identity authentication

kmip-describe-client

Show KMIP client details

Parameters
Parameter | Description
-n, --name | KMIP client name (either name or ID is required)
-i, --client-id | KMIP client ID (either name or ID is required)
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, required only for universal_identity authentication

kmip-delete-client

Delete a KMIP client

Parameters
Parameter | Description
-n, --name | KMIP client name (either name or ID is required)
-i, --client-id | KMIP client ID (either name or ID is required)
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, required only for universal_identity authentication

kmip-create-client

Create a new KMIP client

Please note: mandatory values for this command: -n, --name

Usage
akeyless kmip-create-client --name <Client name> \
--certificate-ttl <Client certificate TTL in days (Default = 90)> \
--gateway-url <API Gateway URL:8000>
Parameters
Parameter | Description
-n, --name | (Mandatory) Client name
-t, --certificate-ttl[=90] | Client certificate TTL in days
-p, --output-file-folder | Folder path to save client certificate files (for example, '.'). Two files are created: .key and .cert
-a, --activate-keys-on-creation | If set to 'true', newly created keys on the client will be set to an 'active' state
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, required only for universal_identity authentication

kmip-client-set-rule

Add a new RBAC rule to a client

Supported capabilities are:
DENY
CREATE
REGISTER
REKEY
LOCATE
GET
GET_ATTRIBUTES
ACTIVATE
REVOKE
DESTROY

Please note: mandatory values for this command: -p, --path, -c, --capability

Usage
akeyless kmip-client-set-rule --path <Access path> \
--capability <Access capability> \
--name <KMIP client name> \
--client-id <KMIP client ID> \
--gateway-url <API Gateway URL:8000>
Parameters
Parameter | Description
-p, --path | (Mandatory) Access path, e.g. /* or /some-key
-c, --capability | (Mandatory) Access capability (see command description for supported values)
-n, --name | KMIP client name (either name or ID is required)
-i, --client-id | KMIP client ID (either name or ID is required)
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, required only for universal_identity authentication
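
Added example (not Akeyless code): a shell wrapper around kmip-create-client and kmip-client-set-rule that creates a client with restrictive file permissions and grants it only an explicit list of capabilities, rejecting any value outside the list above before the first call is made. AKEYLESS_BIN, the function names and the client name are assumptions made for this example; the flags and defaults are those documented on this page.

```shell
# Added example (not Akeyless code). AKEYLESS_BIN is a hypothetical override for
# dry runs: AKEYLESS_BIN=echo prints each call instead of making it.
AKEYLESS_BIN="${AKEYLESS_BIN:-akeyless}"
GATEWAY_URL="${GATEWAY_URL:-http://localhost:8000}"   # default from the tables above
SUPPORTED_CAPS="DENY CREATE REGISTER REKEY LOCATE GET GET_ATTRIBUTES ACTIVATE REVOKE DESTROY"

# Succeeds only if $1 is one of the capabilities listed on this page.
is_supported_cap() {
  for _c in $SUPPORTED_CAPS; do
    [ "$_c" = "$1" ] && return 0
  done
  return 1
}

# kmip_grant <client-name> <path> <capability>...
# Checks every capability before the first call, so a typo cannot leave a
# partially applied rule set, then issues one kmip-client-set-rule per capability.
kmip_grant() {
  if [ "$#" -lt 3 ]; then
    echo "usage: kmip_grant <client-name> <path> <capability>..." >&2
    return 2
  fi
  _name=$1; _path=$2; shift 2
  for _cap in "$@"; do
    is_supported_cap "$_cap" || { echo "unsupported capability: $_cap" >&2; return 1; }
  done
  for _cap in "$@"; do
    "$AKEYLESS_BIN" kmip-client-set-rule --path "$_path" --capability "$_cap" \
      --name "$_name" --gateway-url "$GATEWAY_URL" || return 1
  done
}

# kmip_new_client <client-name> <output-folder> [ttl-days]
# Runs in a subshell with umask 077, so the folder and the .key/.cert files the
# CLI writes into it are created without group or other permissions.
kmip_new_client() (
  umask 077
  mkdir -p "$2" || exit 1
  "$AKEYLESS_BIN" kmip-create-client --name "$1" --certificate-ttl "${3:-90}" \
    --output-file-folder "$2" --gateway-url "$GATEWAY_URL"
)

# Example: a client that may only look up and read one key (names are constructed).
# kmip_new_client backup-agent ./kmip-backup-agent 30 &&
#   kmip_grant backup-agent /some-key LOCATE GET GET_ATTRIBUTES
```

Authentication flags (--profile, --token, --uid-token) are left out here and would be appended to each call as your setup requires.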

kmip-client-delete-rule

Delete an RBAC rule from a client

Please note: mandatory values for this command: -p, --path

Usage
akeyless kmip-client-delete-rule --path <Access path> \
--name <KMIP client name> \
--client-id <KMIP client ID> \
--gateway-url <API Gateway URL:8000>
Parameters
Parameter | Description
-p, --path | (Mandatory) Access path, e.g. /* or /some-key
-n, --name | KMIP client name (either name or ID is required)
-i, --client-id | KMIP client ID (either name or ID is required)
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, required only for universal_identity authentication

Writing commands - generating secrets

By default, Akeyless Vault performs write commands (generating secrets) against the main region of Akeyless Vault, while read commands (fetching secrets) are performed against the region nearest to you, in order to minimize latency.
To change this and work only with the master region, add optimize_dns_disable=true to the settings file.