The KMIP secrets engine allows Vault to act as a Key Management Interoperability Protocol (KMIP) server provider and handle the lifecycle of its KMIP managed objects. KMIP is a standardized protocol that lets services and applications perform cryptographic operations without managing the cryptographic material themselves (the "managed objects"), by delegating their storage and lifecycle to a key management server.
If you are configuring Vault as a KMIP provider and your KMIP client hits the following error:
error from connection handler: error="error processing request message: result reason:
ResultReasonInvalidField; additional message:
(RegisterRequestPayload.ParseFields)
objects of type ObjectTypeOpaqueObject are not supported by operation Register"
This error indicates that Vault's KMIP backend does not support the Opaque Object managed object type. As of this writing (July 2024) the supported types are Symmetric Key, Secret Data, Private Key, and Public Key. To clear the error, the KMIP client must register one of the supported managed object types instead of an Opaque Object.
--------------------------------------------------------------------------------------
After you recreate the object under the same name with a supported type, or try to update the existing object to a different type, you are likely to see this second error:
ResultReasonIllegalOperation; additional message:
Name {0xc00792fe40 NameTypeUninterpretedTextString} already exists",
The problem here is that you are trying to create a new managed object with a name that is already in use. The KMIP specification defines the Name attribute as follows:
The Name attribute is a structure (see Table 57) used to identify and locate an object.
This attribute is assigned by the client, and the Name Value is intended to be
in a form that humans are able to interpret.
The key management system MAY specify rules by which the client creates valid names.
Clients are informed of such rules by a mechanism that is not specified by this
standard. Names SHALL be unique within a given key management domain,
but are NOT REQUIRED to be globally unique.
To reiterate, KMIP requires that the Name attribute be unique "within a given key management domain", which for Vault is a single KMIP mount. Revoking the older object does not free the name, because the revoked object still exists in the mount. To release the name, either Destroy the older object, or modify or delete its Name attribute (the Modify Attribute and Delete Attribute operations).
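The following Python is an added example for this article, not Vault's code or any KMIP library. It does two things: it parses the two connection-handler errors quoted above out of Vault operational log text and maps each to the fix described here, and it models the Name uniqueness rule of one KMIP mount in memory so the Revoke-versus-Destroy difference can be checked without a server. The object type spellings other than ObjectTypeOpaqueObject, the in-memory model, and the sample log lines are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Added example; not Vault's implementation. ObjectTypeOpaqueObject is the spelling Vault
# printed above; the four supported names are assumed to follow the same enum pattern.
SUPPORTED_TYPES = {
    "ObjectTypeSymmetricKey",
    "ObjectTypeSecretData",
    "ObjectTypePrivateKey",
    "ObjectTypePublicKey",
}

# Patterns over the log shape quoted in this article. re.S and whitespace collapsing
# handle the message being wrapped across several log lines.
REASON_RE = re.compile(r"result reason:\s*(?P<reason>\w+);\s*additional message:\s*(?P<msg>.+)", re.S)
UNSUPPORTED_RE = re.compile(r"objects of type (?P<otype>\w+) are not supported by operation (?P<op>\w+)")
NAME_EXISTS_RE = re.compile(r"Name \{\S+ (?P<ntype>\w+)\} already exists")

# Constructed sample lines, shaped like the two errors quoted above (not real log captures).
SAMPLE_UNSUPPORTED = (
    'error from connection handler: error="error processing request message: result reason:\n'
    "ResultReasonInvalidField; additional message:\n(RegisterRequestPayload.ParseFields)\n"
    'objects of type ObjectTypeOpaqueObject are not supported by operation Register"'
)
SAMPLE_NAME_TAKEN = (
    'error from connection handler: error="error processing request message: result reason:\n'
    "ResultReasonIllegalOperation; additional message:\n"
    'Name {0xc00792fe40 NameTypeUninterpretedTextString} already exists",'
)


def classify_kmip_error(log_text: str) -> Dict[str, Optional[str]]:
    """Map a Vault KMIP connection-handler error to its cause and the remediation."""
    m = REASON_RE.search(log_text)
    if not m:
        return {"reason": None, "hint": "no KMIP result reason found"}
    reason = m.group("reason")
    msg = " ".join(m.group("msg").split())  # collapse the wrapped lines
    if reason == "ResultReasonInvalidField":
        u = UNSUPPORTED_RE.search(msg)
        if u:
            return {"reason": reason, "object_type": u.group("otype"), "operation": u.group("op"),
                    "hint": "re-register as one of: " + ", ".join(sorted(SUPPORTED_TYPES))}
    if reason == "ResultReasonIllegalOperation" and NAME_EXISTS_RE.search(msg):
        return {"reason": reason, "hint": "Name already used in this mount: Destroy the older "
                "object or Modify/Delete its Name attribute, then retry (Revoke is not enough)"}
    return {"reason": reason, "hint": msg}


class KmipError(Exception):
    def __init__(self, reason: str, message: str) -> None:
        super().__init__(f"result reason: {reason}; additional message: {message}")
        self.reason = reason


class KmipMountModel:
    """In-memory model of one KMIP mount's Name uniqueness rule (constructed for illustration)."""

    def __init__(self) -> None:
        self._objects: Dict[str, dict] = {}  # uid -> {"name", "type", "state"}
        self._next_uid = 1

    def locate(self, name: str) -> List[str]:
        return [uid for uid, obj in self._objects.items() if obj["name"] == name]

    def register(self, name: str, object_type: str) -> str:
        if object_type not in SUPPORTED_TYPES:
            raise KmipError("ResultReasonInvalidField",
                            f"objects of type {object_type} are not supported by operation Register")
        if self.locate(name):  # the name is reserved by any live object, revoked or not
            raise KmipError("ResultReasonIllegalOperation",
                            "Name {<ptr> NameTypeUninterpretedTextString} already exists")
        uid = str(self._next_uid)
        self._next_uid += 1
        self._objects[uid] = {"name": name, "type": object_type, "state": "Active"}
        return uid

    def revoke(self, uid: str) -> None:
        self._objects[uid]["state"] = "Deactivated"  # state change only; object and Name remain

    def destroy(self, uid: str) -> None:
        del self._objects[uid]  # the object is gone, so its Name is free again

    def delete_name_attribute(self, uid: str) -> None:
        self._objects[uid]["name"] = None  # the Delete Attribute route to freeing a Name


def reregister(mount: KmipMountModel, name: str, new_type: str) -> str:
    """Free a Name held by an older object (via Destroy) and register the replacement."""
    for old_uid in mount.locate(name):
        mount.destroy(old_uid)
    return mount.register(name, new_type)


def attempt(fn, *args) -> Optional[str]:
    """Run a mount operation and return the KMIP result reason it raised, or None on success."""
    try:
        fn(*args)
        return None
    except KmipError as exc:
        return exc.reason


if __name__ == "__main__":
    print(classify_kmip_error(SAMPLE_UNSUPPORTED))
    mount = KmipMountModel()
    uid = mount.register("db-key", "ObjectTypeSecretData")
    mount.revoke(uid)
    print("after revoke:", attempt(mount.register, "db-key", "ObjectTypeSymmetricKey"))
    print("after reregister:", reregister(mount, "db-key", "ObjectTypeSymmetricKey"))
```

The `reregister` helper takes the Destroy route because it is the only one that also removes the old material; if the older object must be kept (for example for audit or decryption of old data), `delete_name_attribute` frees the name while leaving the object in place.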
Note that these errors appear in Vault's operational log only when the KMIP debugging variables are enabled. See the reference articles section to learn more about the KMIP debugging variables.
Thank you.