Dell Unity: How to modify KMIP servers (Or switching to a different vendor)

Summary: How to modify Key Management Interoperability Protocol (KMIP) servers (OR switch to a different vendor).

This article is not tied to any specific product. Not all product versions are identified in this article.

Instructions

There are two certificate types required for KMIP configurations: the Certificate Authority (CA) certificate and the KMIP client certificate. Confirm whether the CA certificate, the KMIP client certificate, or both must be updated.

Prerequisites:

  • The KMIP servers must be accessible and running for KMIP to be enabled or disabled.
  • When uploading a newer version of the KMIP client certificate to Unity, there is always a risk of introducing an issue if the new certificate differs from the previous client certificate in anything other than the expiration FROM and TO dates.
  • For this reason it is recommended to disable KMIP on Unity as a precaution before updating certificates. If the new certificates are not correct, KMIP simply fails to enable.
  • Back up the D@RE keystore from the KMIP client when a disk or Service Process (SP) is replaced, or before making certificate changes.
  • It is recommended to keep a copy of the last KMIP client certificate file that was successfully uploaded and used to enable KMIP, in case it is ever needed.

Scenario 1: Changing only one certificate type at a time, for example an updated certificate with new expiration dates.
Changes can be made from Unisphere Manager. Log in to Unisphere, click the Settings gear icon on the upper right menu bar, select Management options, then select Encryption.

  1. Disable KMIP while the array can still connect to the original KMIP server.
    This ensures no loss of the master key on the KMIP client/server should any issues occur during the transition.
  2. If no changes are required to the CA certificates already imported into Unity, modify only the KMIP servers and import the new KMIP client certificate. If the CA certificate needs changing instead, modify it and import it using Unisphere. If both need an update, do the CA certificate first and enable KMIP again to confirm that it succeeds, then repeat steps 1-3 for the KMIP client certificate.
  3. Enable KMIP.

Scenario 2: Changing the CA certificate or KMIP client certificate to a different vendor. If the new certificate differs significantly from the original, the following is required.

This cleans out the Unity KMIP lockbox, where the configuration and certificates are stored, and sets it up from the beginning with the required certificates.

This requires contacting Dell Support and referencing this KB article: Dell Unity: Receiving a Certificate Error when trying to enable KMIP server

  1. Disable KMIP using Unisphere, as in step 1 above.
  2. Delete the KMIP configuration. This uses the Internal section of the KB article above, which requires a higher-level root shell.
  3. Create the new KMIP configuration. Create a new CA and KMIP client certificate based on the vendor's requirements.
  4. Upload the new CA and KMIP client certificates.
  5. Enable KMIP.

Additional Information

Additional Info for Certificate Changes:

  • It is possible to have multiple CA certificates, and some may be expired. If a new certificate is uploaded and its subject name matches an existing CA certificate, the existing certificate is replaced.
  • It is a BEST PRACTICE to NOT have the CA and KMIP client certificates expire too close to each other, so that there is time to update the CA or the client certificate and confirm that they work.
  • Only one KMIP client certificate may exist. In Unisphere, under the Certificate Management button, the dates update once the modified client certificate upload is successful.
  • If there are issues with the newly uploaded client certificate, Unity may be unable to get the D@RE keystore ignition key from the KMIP server. This can be why KMIP errors occur when a verify or enable is attempted.

KMIP Command-line info:
It is possible to use the Unity command line to upload or check the status of KMIP. 

Uploading KMIP certificates from the command line is not shown here. See the Unity Security Configuration Guide for more information.

The Dell Unity Info Hub (product documents and information) provides most of the public documentation for the Unity products: Dell Unity Info Hub

Search for: Unity Security Configuration Guide

This opens a link to the PDF of the Guide, and it requires a login to view. 

Below are some useful Unity service shell examples:

uemcli /prot/encrypt/kmip show -detail

or

uemcli -u admin -securepassword /prot/encrypt/kmip show -detail

** -securepassword prompts the user to type the admin user password to complete the command.

Sample output:
1:    ID       = kmip_0
      Username = APM00192427999
      Address  = x.x.x.x
      Port     = 5696
      Timeout  = 5
      State    = UP

Command to VERIFY the KMIP connection once it is configured:

uemcli -u<username> -securepassword /prot/encrypt/kmip verify

Enable or Disable KMIP from command line for a current KMIP client server:

Disable:
uemcli -u admin -securepassword /prot/encrypt set -kmipEnabled no

Enable:
uemcli -u admin -securepassword /prot/encrypt set -kmipEnabled yes

KMIP Certificate Show:

uemcli -u admin -securepassword /sys/cert -service Mgmt_KMIP show

or show the detail, which provides the FROM and TO expiration dates:

uemcli -u admin -securepassword /sys/cert -service Mgmt_KMIP show -detail

Example output for a CloudLink KMIP client:

1:    ID                       = mgmt_kmip-kmip1-clientcert-1
      Type                     = Client
      Service                  = Mgmt_KMIP
      Scope                    =
      Certificate ID           = mgmt_kmip-kmip1-clientcert-1
      Trust anchor             = No
      Version                  = 3
      Serial number            = 37:03:BF:52:CE:20:51:2A:47:BD:22:14:65:D9:E8:26:EE:DB:61:18
      Signature algorithm      = SHA256WithRSAEncryption
      Issuer name              = CN=arches-cloudlink,OU=Lab,O=EMC,L=Roundup,ST=MT,C=US
      Valid from               = 2024-04-14 18:09:46
      Valid to                 = 2038-01-19 03:14:07
      Subject name             = serialNumber=8c831e64e8d9957ce75354f5a99f2bef410e07f98e59522059e7b86c137e07dc,CN=APM00192427000,OU=CloudLink,O=EMC,C=CA
      Subject alternative name =
      Public key algorithm     = Unknown
      Key length               = 2048
      Thumbprint algorithm     = SHA1
      Thumbprint               = B0:C7:AF:5E:4E:FF:A8:2C:14:53:7C:6D:F8:AC:04:1A:6A:02:DA:99
      Private key available    = Yes
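The uemcli output above is a plain "Key = Value" listing, so its expiry dates can be checked without retyping them into a calendar. The following script is an added example, not part of the Dell KB article or of uemcli: it parses records in the layout shown above (an "N:" index starting each record, indented "Key = Value" lines), reads the KMIP server State from the /prot/encrypt/kmip output, and reports, for each Mgmt_KMIP certificate, the days left before "Valid to", flagging certificates that are expired or close to expiring and flagging a CA and client certificate whose expiry dates fall too close together (the best practice noted above). The client record is taken from the article; the CA record and the threshold values are constructed for illustration.

```python
"""Check KMIP certificate expiry from uemcli 'show -detail' output.

Added example; not part of the Dell KB article or of uemcli. Assumes the
record layout shown in the article: each record starts with 'N:' and
continues with indented 'Key = Value' lines.
"""
from datetime import datetime

# Constructed sample: the client certificate record from the article (trimmed),
# plus a hypothetical CA certificate record that the article does not show.
SAMPLE_CERT_OUTPUT = """\
1:    ID                       = mgmt_kmip-kmip1-clientcert-1
      Type                     = Client
      Service                  = Mgmt_KMIP
      Issuer name              = CN=arches-cloudlink,OU=Lab,O=EMC,L=Roundup,ST=MT,C=US
      Valid from               = 2024-04-14 18:09:46
      Valid to                 = 2038-01-19 03:14:07
      Subject name             = CN=APM00192427000,OU=CloudLink,O=EMC,C=CA
      Private key available    = Yes

2:    ID                       = mgmt_kmip-kmip1-cacert-1
      Type                     = CA
      Service                  = Mgmt_KMIP
      Trust anchor             = Yes
      Valid from               = 2024-04-14 18:00:00
      Valid to                 = 2038-01-10 00:00:00
      Subject name             = CN=arches-cloudlink,OU=Lab,O=EMC,L=Roundup,ST=MT,C=US
"""

# Constructed sample of 'uemcli /prot/encrypt/kmip show -detail' output.
SAMPLE_KMIP_OUTPUT = """\
1:    ID       = kmip_0
      Username = APM00192427999
      Address  = x.x.x.x
      Port     = 5696
      Timeout  = 5
      State    = UP
"""

DATE_FMT = "%Y-%m-%d %H:%M:%S"  # format of 'Valid from' / 'Valid to'


def parse_uemcli_records(text):
    """Return one dict per 'N:' record, mapping each key to its value."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # A record begins with a numeric index such as '1:'; strip it.
        head, sep, rest = line.partition(":")
        if sep and head.isdigit():
            current = {}
            records.append(current)
            line = rest.strip()
        if current is None or "=" not in line:
            continue
        # Split on the first '=' only: values such as 'CN=...,O=...' contain '='.
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return records


def kmip_server_state(text):
    """Return the State of the first KMIP server record ('UP' in the sample)."""
    records = parse_uemcli_records(text)
    return records[0].get("State") if records else None


def cert_expiry_report(text, today, warn_days=30, min_gap_days=30):
    """Summarise Mgmt_KMIP certificate expiry relative to 'today' (YYYY-MM-DD).

    'expiring' lists certificate types expired or within warn_days;
    'expiries_too_close' is True when the CA and Client 'Valid to' dates lie
    within min_gap_days of each other, leaving little time to fix one before
    the other expires.
    """
    now = datetime.strptime(today, "%Y-%m-%d")
    days_left = {}
    for rec in parse_uemcli_records(text):
        if rec.get("Service") != "Mgmt_KMIP" or "Valid to" not in rec:
            continue
        valid_to = datetime.strptime(rec["Valid to"], DATE_FMT)
        days_left[rec["Type"]] = (valid_to - now).days
    expiring = sorted(t for t, d in days_left.items() if d <= warn_days)
    gap = None
    if "CA" in days_left and "Client" in days_left:
        gap = abs(days_left["CA"] - days_left["Client"])
    return {
        "days_left": days_left,
        "expiring": expiring,
        "expiry_gap_days": gap,
        "expiries_too_close": gap is not None and gap < min_gap_days,
    }


if __name__ == "__main__":
    print("KMIP server state:", kmip_server_state(SAMPLE_KMIP_OUTPUT))
    report = cert_expiry_report(SAMPLE_CERT_OUTPUT, today="2025-12-12")
    for cert_type, days in sorted(report["days_left"].items()):
        print(f"{cert_type:7s} expires in {days} days")
    if report["expiring"]:
        print("Expired or expiring soon:", ", ".join(report["expiring"]))
    if report["expiries_too_close"]:
        print(f"CA and client expiries are only {report['expiry_gap_days']} "
              "days apart; stagger the renewals.")
```

To run it against a live array, capture the output of `uemcli -u admin -securepassword /sys/cert -service Mgmt_KMIP show -detail` (for example with subprocess.run and capture_output=True) and pass that text to cert_expiry_report in place of the constructed sample; the State check against the /prot/encrypt/kmip output is a useful precondition before disabling KMIP, since the prerequisites above require the servers to be reachable.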

References:
Dell Unity: Data at Rest Encryption.
Dell Unity: Data at Rest Encryption - White Paper

Refer to these additional knowledge articles for more information:
Dell Unity: Unable to configure KMIP server when using external Microsoft CA to sign client certificate (User Correctable)

Dell Unity: How to convert an incompatible PKCS#12 client certificate for use with KMIP

Refer to the vendor documentation for configuring KMIP.
Some vendors use client certificates which need an empty username and password. 

Affected Products

Dell EMC Unity, Dell EMC Unity Family, Dell EMC Unity All Flash, Dell EMC Unity Hybrid
Article Properties
Article Number: 000223263
Article Type: How To
Last Modified: 12 December 2025
Version:  2