Problem:
When trying to configure the KMIP secrets engine by following either this article, the tutorial for HVD, or this follow-along video, you are unable to save your configuration and receive the following error:
listen tcp4 0.0.0.0:5696: bind: address already in use
Prerequisites:
- HCP Vault Dedicated Plus tier cluster or access to a Vault Enterprise license
Cause:
This means that you can configure listen_addrs=0.0.0.0:5696 in any namespace, but an attempt to do this in multiple namespaces will result in:
listen tcp4 0.0.0.0:5696: bind: address already in use
This also means that if you leave the listen_addrs line empty in the configuration, it will default to 127.0.0.1:5696, which will also result in the aforementioned error when you try to correct it to 0.0.0.0:5695.
Solutions:
- Check if you have enabled multiple KMIP secrets engines across namespaces and make sure this port is only in use by your KMIP configuration.
- If you only have one KMIP secrets engine but are unable to change your current configuration, you can change the port in your listen_addrs from 5696 to 5697 first, and then correct it to 0.0.0.0:5696.
- In the absence of the ability to configure KMIP across multiple namespaces, you can use a combination of scopes, roles and permitted operations to partition KMIP managed object storage into multiple named buckets.
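The two checks above can be run against an inventory of KMIP mounts before anything is written. The following is an added example, not HashiCorp code: the function names, the inventory format and the sample namespaces are assumptions, and it only reasons about listen_addrs strings without contacting Vault.

```python
import ipaddress
from itertools import combinations

DEFAULT_ADDR = "127.0.0.1:5696"  # default the article gives for an empty listen_addrs


def parse(addr):
    """Split an IPv4 'host:port' string (the article's error is tcp4)."""
    host, _, port = addr.rpartition(":")
    return ipaddress.IPv4Address(host), int(port)


def overlaps(a, b):
    """Same port, and either side is the 0.0.0.0 wildcard or the hosts match."""
    (ip_a, port_a), (ip_b, port_b) = parse(a), parse(b)
    return port_a == port_b and (ip_a.is_unspecified or ip_b.is_unspecified or ip_a == ip_b)


def find_conflicts(mounts):
    """mounts maps 'namespace/mount' -> list of listen_addrs ([] means default)."""
    flat = [(name, addr) for name, addrs in mounts.items()
            for addr in (addrs or [DEFAULT_ADDR])]
    return [(n1, a1, n2, a2) for (n1, a1), (n2, a2) in combinations(flat, 2)
            if n1 != n2 and overlaps(a1, a2)]


def change_steps(current, target, others=()):
    """Values to write, in order, to move one mount from current to target.

    Per the article, a target that overlaps the mount's own live listener
    fails to save, so step through a free port first (5697 in the article).
    """
    current = current or DEFAULT_ADDR
    if current == target or not overlaps(current, target):
        return [target]
    host, port = parse(target)
    temp_port = port + 1
    while any(overlaps(f"{host}:{temp_port}", o) for o in others):
        temp_port += 1  # skip ports already taken by other mounts
    return [f"{host}:{temp_port}", target]


# Constructed inventory for illustration, not taken from a real cluster.
SAMPLE = {
    "admin/kmip": ["0.0.0.0:5696"],
    "admin/team-a/kmip": [],  # empty, so it falls back to the default
    "admin/team-b/kmip": ["0.0.0.0:5697"],
}
```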
Outcome:
You should be able to successfully save the configuration.