------
PyKMIP
------

PyKMIP is a Python implementation of the Key Management Interoperability
Protocol (KMIP). KMIP is a client/server communication protocol for the
storage and maintenance of key, certificate, and secret objects. The standard
is governed by the `Organization for the Advancement of Structured Information
Standards`_ (OASIS). PyKMIP supports a subset of features in version 1.1 of
the KMIP specification.

For a high-level overview of KMIP, check out the `KMIP Wikipedia page`_. For
comprehensive documentation from OASIS and information about the KMIP
community, visit the `KMIP Technical Committee home page`_.

.. _Usage:

Usage
=====

Client
------

There are two implementations of the KMIP client. The first,
``kmip.services.kmip_client.KMIPProxy``, is the original client and provides
support for the following operations:

* ``Create``
* ``CreateKeyPair``
* ``Register``
* ``Locate``
* ``Get``
* ``Activate``
* ``Revoke``
* ``Destroy``
* ``Query``
* ``DiscoverVersions``

The second client, ``kmip.pie.client.ProxyKmipClient``, wraps the original
``KMIPProxy`` and provides a simpler interface. It supports the following
operations:

* ``Create``
* ``CreateKeyPair``
* ``Register``
* ``Get``
* ``Destroy``

For examples of how to create and use the different clients, see the scripts
in ``kmip/demos``.

Configuration
*************

A KMIP client can be configured in different ways to connect to a KMIP server.
The first method is the default approach, which uses the settings found in
``kmip/kmipconfig.ini``. Users can specify which connection configuration
settings to use on client instantiation, allowing applications to support
multiple key storage backends simultaneously, one client per backend.

An example client configuration settings block is shown below::

    [client]
    host=127.0.0.1
    port=5696
    keyfile=/path/to/key/file
    certfile=/path/to/cert/file
    cert_reqs=CERT_REQUIRED
    ssl_version=PROTOCOL_SSLv23
    ca_certs=/path/to/ca/cert/file
    do_handshake_on_connect=True
    suppress_ragged_eofs=True
    username=user
    password=password

The second configuration approach allows developers to specify the
configuration settings when creating the client at run time. The following
example demonstrates how to create the ``ProxyKmipClient``, directly
specifying the different configuration values::

    from kmip.pie.client import ProxyKmipClient

    client = ProxyKmipClient(
        hostname='127.0.0.1',
        port=5696,
        cert='/path/to/cert/file',
        key='/path/to/key/file',
        ca='/path/to/ca/cert/file',
        ssl_version='PROTOCOL_SSLv23',
        username='user',
        password='password',
        config='client')

A KMIP client will load the configuration settings found in the ``client``
settings block by default. Settings specified at runtime, as in the above
example, will take precedence over the default values found in the
configuration file.

Many of these settings correspond to the arguments of ``ssl.wrap_socket``,
which is used to establish secure connections to KMIP backends; the values of
``cert_reqs`` and ``ssl_version`` are the names of constants from Python's
``ssl`` module. ``cert_reqs=CERT_REQUIRED`` together with ``ca_certs`` is what
makes the client verify the server's certificate, so do not relax either
setting outside of testing. ``PROTOCOL_SSLv23`` selects the highest protocol
version both sides support and does not by itself exclude SSLv3 on the Python
versions listed under Platforms; where your Python provides a TLS-only
constant such as ``PROTOCOL_TLSv1_2``, use it instead. Note also that
``password`` is stored in clear text in the configuration file, so restrict
the file's permissions. For more information, check out the
`Python SSL library documentation`_.

Server
------

In addition to the KMIP clients, PyKMIP provides a basic software
implementation of a KMIP server, ``kmip.services.kmip_server.KMIPServer``.
However, the server is intended for use only in testing and demonstration
environments. The server is **not** intended to be a substitute for a secure,
hardware-based key management appliance. The PyKMIP client should be used for
operational purposes **only** with a hardware-based KMIP server.

The KMIP server provides basic support for the following operations:

* ``Create``
* ``Register``
* ``Locate``
* ``Get``
* ``Destroy``

Configuration
*************

The KMIP software server also pulls its settings from ``kmip/kmipconfig.ini``.
An example server configuration settings block is shown below::

    [server]
    host=127.0.0.1
    port=5696
    keyfile=/path/to/key/file
    certfile=/path/to/cert/file
    cert_reqs=CERT_NONE
    ssl_version=PROTOCOL_SSLv23
    ca_certs=/path/to/ca/cert/file
    do_handshake_on_connect=True
    suppress_ragged_eofs=True

With ``cert_reqs=CERT_NONE`` the server neither requests nor verifies a client
certificate, so any host that can reach the port can send it requests; this is
acceptable only because the server is limited to testing and demonstration.

When used together, a KMIP client and KMIP server will use the certificate
files found in ``kmip/demos/certs``. These certificates and their private keys
are shipped in the public repository, so they must be replaced with your own
certificates for any standalone deployment.

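As an added example (not PyKMIP's own configuration code), the following
standard-library script loads a ``[client]`` or ``[server]`` block from
``kmipconfig.ini`` text, applies run-time overrides with the precedence the
client Configuration section describes, and flags the settings that weaken the
TLS connection, so the ``CERT_NONE`` server block and the ``CERT_REQUIRED``
client block above can be compared. The sample ini text is constructed from
the two blocks on this page; the function names are the example's own.

```python
"""Load a kmipconfig.ini section and audit its TLS settings.

Added example for this page; it is not PyKMIP's own configuration code and
uses only the standard library, so it runs without a KMIP server.
"""
import configparser
import ssl

# Constructed sample: the [client] and [server] blocks shown on this page.
SAMPLE_INI = """
[client]
host=127.0.0.1
port=5696
keyfile=/path/to/key/file
certfile=/path/to/cert/file
cert_reqs=CERT_REQUIRED
ssl_version=PROTOCOL_SSLv23
ca_certs=/path/to/ca/cert/file
do_handshake_on_connect=True
suppress_ragged_eofs=True
username=user
password=password

[server]
host=127.0.0.1
port=5696
keyfile=/path/to/key/file
certfile=/path/to/cert/file
cert_reqs=CERT_NONE
ssl_version=PROTOCOL_SSLv23
ca_certs=/path/to/ca/cert/file
do_handshake_on_connect=True
suppress_ragged_eofs=True
"""

# Constant names that pin a single TLS version instead of negotiating one.
TLS_ONLY = {"PROTOCOL_TLSv1", "PROTOCOL_TLSv1_1", "PROTOCOL_TLSv1_2"}


def load_settings(ini_text, section="client", **overrides):
    """Return the settings of `section`; run-time overrides take precedence.

    An override of None counts as "not given" and leaves the file value in
    place, matching the precedence rule described on this page.
    """
    parser = configparser.ConfigParser()
    parser.read_string(ini_text)
    if not parser.has_section(section):
        raise KeyError("no [%s] section in configuration" % section)
    settings = dict(parser.items(section))
    for key, value in overrides.items():
        if value is not None:
            settings[key] = str(value)
    return settings


def audit_tls_settings(settings):
    """Return (setting, finding) pairs for values that weaken the connection.

    cert_reqs and ssl_version are looked up as constants of Python's ssl
    module, the same names ssl.wrap_socket takes.
    """
    findings = []

    cert_reqs = settings.get("cert_reqs", "CERT_NONE")
    if cert_reqs != "CERT_REQUIRED":
        findings.append(("cert_reqs", "%s: the peer's certificate is not verified; "
                         "use CERT_REQUIRED" % cert_reqs))
    elif not settings.get("ca_certs"):
        findings.append(("ca_certs", "unset: CERT_REQUIRED needs a CA bundle to verify against"))

    version = settings.get("ssl_version", "")
    if version in ("PROTOCOL_SSLv2", "PROTOCOL_SSLv3"):
        findings.append(("ssl_version", "%s: SSLv2/SSLv3 are broken; use a TLS constant" % version))
    elif not hasattr(ssl, version):
        findings.append(("ssl_version", "%s: not a constant in this Python's ssl module" % version))
    elif version not in TLS_ONLY:
        findings.append(("ssl_version", "%s: negotiates whatever version the peer offers; "
                         "pin a TLS-only constant such as PROTOCOL_TLSv1_2" % version))

    if not (settings.get("certfile") and settings.get("keyfile")):
        findings.append(("certfile", "certfile/keyfile unset: no certificate to present to the peer"))

    if settings.get("password"):
        findings.append(("password", "stored in clear text; restrict the file's permissions"))

    return findings
```

``audit_tls_settings(load_settings(SAMPLE_INI, "server"))`` reports the
``cert_reqs`` and ``ssl_version`` findings; passing
``ssl_version="PROTOCOL_TLSv1_2"`` as an override to ``load_settings`` clears
the client block's ``ssl_version`` finding, leaving only the clear-text
password.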
Profiles
========

The KMIP standard includes various profiles that tailor the standard for
specific use cases (e.g., symmetric key storage with TLS 1.2). These profiles
specify conformance to certain operations and attributes.

The PyKMIP ``KMIPProxy`` client provides full support for the following
profile(s):

* Basic Discover Versions Client KMIP Profile

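The ``DiscoverVersions`` operation listed for ``KMIPProxy`` in the Client
section, and the Basic Discover Versions profile above, come down to a single
request/response pair. As an added example (not PyKMIP's own code), this
standard-library script encodes that exchange in KMIP's TTLV (Tag, Type,
Length, Value) wire format: the request the client sends, and a constructed
reply in which the server lists the versions it supports. Tag, type and
enumeration values are taken from the KMIP 1.1 specification; the function
names, the sample version list and the time stamp are the example's own. The
decoder checks every length field against the remaining buffer, which is the
check a client needs before trusting a reply from a server it does not
control.

```python
"""Encode and decode the KMIP 1.1 DiscoverVersions exchange in TTLV form.

Added example for this page, not PyKMIP's own encoder: a minimal codec for
KMIP's TTLV (Tag, Type, Length, Value) wire format, the request a client
sends under the Basic Discover Versions profile, a constructed server reply,
and a decoder that validates every length field before trusting it.
"""

# Tag and enumeration values from the KMIP 1.1 specification.
TAG_BATCH_COUNT, TAG_BATCH_ITEM, TAG_OPERATION = 0x42000D, 0x42000F, 0x42005C
TAG_PROTOCOL_VERSION, TAG_VERSION_MAJOR, TAG_VERSION_MINOR = 0x420069, 0x42006A, 0x42006B
TAG_REQUEST_HEADER, TAG_REQUEST_MESSAGE, TAG_REQUEST_PAYLOAD = 0x420077, 0x420078, 0x420079
TAG_RESPONSE_HEADER, TAG_RESPONSE_MESSAGE, TAG_RESPONSE_PAYLOAD = 0x42007A, 0x42007B, 0x42007C
TAG_RESULT_STATUS, TAG_TIME_STAMP = 0x42007F, 0x420092
TYPE_STRUCTURE, TYPE_INTEGER, TYPE_ENUMERATION, TYPE_DATE_TIME = 0x01, 0x02, 0x05, 0x09
OP_DISCOVER_VERSIONS, RESULT_SUCCESS = 0x1E, 0x00


def ttlv(tag, typ, value):
    """Frame one item: 3-byte tag, 1-byte type, 4-byte length, value padded to 8."""
    padded = value + b"\x00" * (-len(value) % 8)
    return tag.to_bytes(3, "big") + bytes([typ]) + len(value).to_bytes(4, "big") + padded


def integer(tag, n):
    return ttlv(tag, TYPE_INTEGER, n.to_bytes(4, "big"))


def enumeration(tag, n):
    return ttlv(tag, TYPE_ENUMERATION, n.to_bytes(4, "big"))


def structure(tag, *items):
    return ttlv(tag, TYPE_STRUCTURE, b"".join(items))


def protocol_version(major, minor):
    return structure(TAG_PROTOCOL_VERSION, integer(TAG_VERSION_MAJOR, major),
                     integer(TAG_VERSION_MINOR, minor))


def discover_versions_request():
    """The client's request: protocol version 1.1, one batch item, empty payload."""
    return structure(
        TAG_REQUEST_MESSAGE,
        structure(TAG_REQUEST_HEADER, protocol_version(1, 1), integer(TAG_BATCH_COUNT, 1)),
        structure(TAG_BATCH_ITEM, enumeration(TAG_OPERATION, OP_DISCOVER_VERSIONS),
                  structure(TAG_REQUEST_PAYLOAD)))


def discover_versions_response(versions, time_stamp):
    """A constructed server reply listing the (major, minor) versions it supports."""
    return structure(
        TAG_RESPONSE_MESSAGE,
        structure(TAG_RESPONSE_HEADER, protocol_version(1, 1),
                  ttlv(TAG_TIME_STAMP, TYPE_DATE_TIME, time_stamp.to_bytes(8, "big")),
                  integer(TAG_BATCH_COUNT, 1)),
        structure(TAG_BATCH_ITEM, enumeration(TAG_OPERATION, OP_DISCOVER_VERSIONS),
                  enumeration(TAG_RESULT_STATUS, RESULT_SUCCESS),
                  structure(TAG_RESPONSE_PAYLOAD,
                            *[protocol_version(ma, mi) for ma, mi in versions])))


def decode(data):
    """Parse TTLV bytes into (tag, type, value) tuples; structures nest as lists.

    Each length is checked against the remaining buffer before it is used, so
    a truncated or hostile message raises ValueError instead of reading past
    the end, and the 8-byte header keeps the loop advancing on empty items.
    """
    items, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 8:
            raise ValueError("truncated TTLV header at offset %d" % offset)
        tag = int.from_bytes(data[offset:offset + 3], "big")
        typ = data[offset + 3]
        length = int.from_bytes(data[offset + 4:offset + 8], "big")
        padded = length + (-length % 8)
        if padded > len(data) - offset - 8:
            raise ValueError("TTLV length %d at offset %d exceeds buffer" % (length, offset))
        value = data[offset + 8:offset + 8 + length]
        if typ == TYPE_STRUCTURE:
            value = decode(value)
        elif typ in (TYPE_INTEGER, TYPE_ENUMERATION, TYPE_DATE_TIME):
            if length != (8 if typ == TYPE_DATE_TIME else 4):
                raise ValueError("bad length %d for type 0x%02X" % (length, typ))
            value = int.from_bytes(value, "big")
        items.append((tag, typ, value))
        offset += 8 + padded
    return items


def child(items, tag):
    """First value with the given tag inside a decoded structure."""
    for item_tag, _typ, value in items:
        if item_tag == tag:
            return value
    raise ValueError("missing tag 0x%06X" % tag)


def supported_versions(response_bytes):
    """Versions advertised by a DiscoverVersions reply, as (major, minor) pairs."""
    item = child(child(decode(response_bytes), TAG_RESPONSE_MESSAGE), TAG_BATCH_ITEM)
    if child(item, TAG_RESULT_STATUS) != RESULT_SUCCESS:
        raise ValueError("DiscoverVersions did not succeed")
    return [(child(v, TAG_VERSION_MAJOR), child(v, TAG_VERSION_MINOR))
            for tag, _typ, v in child(item, TAG_RESPONSE_PAYLOAD) if tag == TAG_PROTOCOL_VERSION]
```

``discover_versions_request()`` produces the 104-byte request whose outer
Request Message carries a length field of 96 (``0x60``), and
``supported_versions(discover_versions_response([(1, 1), (1, 0)], 1433181600))``
returns ``[(1, 1), (1, 0)]``; feeding ``decode`` a truncated copy of either
message raises ``ValueError`` rather than reading past the buffer.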
Development
===========

Roadmap
-------

The development plan for PyKMIP follows the requirements of the following
KMIP profiles. The foundation for symmetric and asymmetric key operation
support is already built into the library.

Client profiles:

* Basic Baseline Client KMIP Profile
* Basic Symmetric Key Store Client KMIP Profile
* Basic Symmetric Key Foundry Client KMIP Profile
* Basic Asymmetric Key Store Client KMIP Profile
* Basic Asymmetric Key Foundry Client KMIP Profile

Server profiles:

* Basic Discover Versions Server KMIP Profile
* Basic Baseline Server KMIP Profile
* Basic Symmetric Key Store and Server KMIP Profile
* Basic Symmetric Key Foundry and Server KMIP Profile
* Basic Asymmetric Key Store and Server KMIP Profile
* Basic Asymmetric Key Foundry and Server KMIP Profile

Testing
-------

The PyKMIP test suite is composed of two parts: a unit test suite and an
integration test suite that runs various tests against instantiations of the
software KMIP server and real KMIP appliances. The tests are managed by a
combination of the ``tox``, ``pytest``, and ``flake8`` libraries.

There are several ways to run the tests. Use one of the following commands in
the PyKMIP root directory.

To run all of the unit tests::

    $ tox

To run the Python syntax and format compliance tests::

    $ tox -e pep8

To run the unit test suite against Python 2.7::

    $ tox -e py27

The integration tests require a configuration flag whose value corresponds to
the name of a client configuration section in the ``kmipconfig.ini``
configuration file. See the Usage_ section for more information.

To run the integration test suite with a specific configuration setup::

    $ tox -e integration -- --config <section-name>

For more information and a list of supported ``tox`` environments, see
``tox.ini`` in the PyKMIP root directory.

Platforms
=========

PyKMIP has been tested and runs on the following platform(s):

* Ubuntu 12.04 LTS

PyKMIP supports Python 2.6, 2.7, 3.3, and 3.4.

References
==========

The source code for PyKMIP is hosted on GitHub and the library is available
for installation from the Python Package Index (PyPI):

* `PyKMIP on GitHub <https://github.com/OpenKMIP/PyKMIP>`_
* `PyKMIP on PyPI <https://pypi.python.org/pypi/PyKMIP>`_

For more information on KMIP version 1.1, see the following documentation:

* `Key Management Interoperability Protocol Specification Version 1.1`_
* `Key Management Interoperability Protocol Profiles Version 1.1`_
* `Key Management Interoperability Protocol Test Cases Version 1.1`_

.. _Organization for the Advancement of Structured Information Standards: https://www.oasis-open.org/
.. _Key Management Interoperability Protocol Specification Version 1.1: http://docs.oasis-open.org/kmip/spec/v1.1/os/kmip-spec-v1.1-os.html
.. _Key Management Interoperability Protocol Profiles Version 1.1: http://docs.oasis-open.org/kmip/profiles/v1.1/os/kmip-profiles-v1.1-os.html
.. _Key Management Interoperability Protocol Test Cases Version 1.1: http://docs.oasis-open.org/kmip/testcases/v1.1/cn01/kmip-testcases-v1.1-cn01.html
.. _Python SSL library documentation: https://docs.python.org/dev/library/ssl.html#socket-creation
.. _KMIP Wikipedia page: https://en.wikipedia.org/wiki/Key_Management_Interoperability_Protocol
.. _KMIP Technical Committee home page: https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip