
This change adds the server key and cert files from kmip/demos/certs to the MANIFEST.in and setup.py files. These files are being added to resolve missing file issues when using the default config values.

In cases where a user is instantiating a KMIPClient and passing ca_cert=None, an exception will be raised with newer versions of Python (2.7.8+). This exception is based on the missing server.crt file that is specified in the default configuration. Likewise, when instantiating a KMIPServer with keyfile=None or certfile=None, the default values will be used. This will also cause an exception with newer versions of Python.

Although it may be unlikely that an end user would instantiate these classes without providing cert and key files, there are cases (namely testing) where it is acceptable to pass None values for these files. In these cases the files should be present to allow proper execution.

Changes
* adding server.crt and server.key to MANIFEST.in and setup.py
* correcting mismatched default values for KMIPServer certfile and keyfile
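The failure the commit message describes, as an added example that is not part of the commit or of PyKMIP's code: a preflight that resolves a None argument to a default path and reports which TLS files are absent before a client or server is constructed. The default paths, the function names and the temporary install tree are assumptions constructed for illustration.

```python
import os
import ssl
import tempfile

# Hypothetical default paths, relative to the installed kmip package
# directory; the real values come from PyKMIP's default configuration.
DEFAULT_TLS_FILES = {
    "ca_cert": os.path.join("demos", "certs", "server.crt"),
    "certfile": os.path.join("demos", "certs", "server.crt"),
    "keyfile": os.path.join("demos", "certs", "server.key"),
}

def resolve_tls_files(package_dir, **given):
    """Map each TLS argument to a path; None falls back to the default."""
    return {
        name: (given[name] if given.get(name) is not None
               else os.path.join(package_dir, default))
        for name, default in DEFAULT_TLS_FILES.items()
    }

def missing_tls_files(package_dir, **given):
    """Sorted argument names whose resolved file does not exist."""
    resolved = resolve_tls_files(package_dir, **given)
    return sorted(n for n, p in resolved.items() if not os.path.isfile(p))

def ssl_error_for(ca_path):
    """Name of the exception ssl raises loading ca_path, or None."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=ca_path)
    except OSError as exc:  # ssl.SSLError is an OSError subclass
        return type(exc).__name__
    return None

def demo():
    """Constructed install tree that ships server.key but not server.crt."""
    with tempfile.TemporaryDirectory() as pkg:
        certs = os.path.join(pkg, "demos", "certs")
        os.makedirs(certs)
        open(os.path.join(certs, "server.key"), "w").close()
        missing = missing_tls_files(pkg, ca_cert=None, keyfile=None)
        return missing, ssl_error_for(resolve_tls_files(pkg)["ca_cert"])

if __name__ == "__main__":
    print(demo())
```

A private key shipped inside a public package is known to everyone, so bundled defaults like these suit only the testing case the commit message names.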
PyKMIP
PyKMIP is a Python implementation of the Key Management Interoperability Protocol (KMIP) specification, supporting version 1.1 of the KMIP standard. The KMIP standard is governed by the Organization for the Advancement of Structured Information Standards (OASIS) and specifies a client/server-based protocol to perform key, certificate, and secret object management, including storage and maintenance operations.
The PyKMIP library currently provides a KMIP client and server supporting the following operations for the KMIP SymmetricKey managed object:
- Create
- Register
- Get
- Destroy
Note that KMIP specifies profiles that tailor the standard to specific use cases. The KMIP Profile Support section includes several profiles that need to be developed for PyKMIP to fully support symmetric key storage and generation capabilities. A list of operations necessary for these profiles is included.
The PyKMIP software-based KMIP server is intended for use only in testing and demonstration environments. Note that the PyKMIP server is NOT intended to be a substitute for secured, hardware-based KMIP appliances. The PyKMIP client should be used for operational purposes only with a hardware-based KMIP server. The development of the PyKMIP client and server should take place in parallel to facilitate testing of each operation as it is developed.
Platforms
PyKMIP has been tested and runs on Ubuntu 12.04 LTS.
KMIP Profile Support
The KMIP standard includes various profiles that tailor the standard for specific use cases (e.g., symmetric key storage with TLS 1.2). These profiles specify conformance to certain operations and attributes. The operations listed below are needed to support symmetric key profiles, which are also provided below. We would appreciate help in the development of these operations, and have listed them in descending order of our recommended development priority. Since active development of these features is already underway, please check the code base to assess the status of operations prior to development.
KMIP operations to add to PyKMIP:
- Discover Versions
- List
- Locate
- Check
- Revoke
- Get Attributes
- Get Attribute List
- Add Attribute
- Modify Attribute
- Delete Attribute
- Activate
- Query
Note that the Create, Register, Get, and Destroy operations were completed with the initial version of PyKMIP to allow very basic KMIP symmetric key operations.
Server Profiles
Server profiles that support KMIP symmetric key operations:
- Basic Baseline Server KMIP Profile (includes TLS 1.0+)
  - Client-to-Server operations needed for this (see the Baseline Server Clause) include:
    - Locate
    - Check
    - Get
    - Get Attributes
    - Get Attribute
    - List
    - Add Attribute
    - Modify Attribute
    - Delete Attribute
    - Activate
    - Revoke
    - Destroy
    - Query
    - Discover Versions
- Symmetric Key Store and Server TLS 1.2 Authentication KMIP Profile
  - Client-to-Server operations needed for this (see the Symmetric Key Store and Server Conformance Clause) include all operations from the Basic Baseline Server KMIP Profile and also the Register operation.
- Symmetric Key Foundry and Server TLS 1.2 Authentication KMIP profile
  - Client-to-Server operations needed for this (see the Symmetric Key Foundry and Server Conformance Clause) include all operations from the Basic Baseline Server KMIP Profile and also the Create operation.
Client Profiles
Client profiles that support KMIP symmetric key operations:
- Basic Baseline Client KMIP Profile (includes TLS 1.0+)
  - Client-to-Server operations needed for this (see the Baseline Client Clause) include:
    - Locate
    - Check
    - Get
    - Get Attributes
    - Get Attribute
    - List
    - Add Attribute
    - Modify Attribute
    - Delete Attribute
    - Activate
    - Revoke
    - Destroy
    - Query
    - Discover Versions
- Symmetric Key Store Client TLS 1.2 Authentication KMIP Profile
  - Client-to-Server operations needed for this (see the Symmetric Key Store Client Conformance Clause) include all operations from the Basic Baseline Client KMIP Profile and also the Register operation.
- Symmetric Key Foundry Client TLS 1.2 Authentication KMIP Profile
  - Client-to-Server operations needed for this (see the Symmetric Key Foundry Client Conformance Clause) include all operations from the Basic Baseline Client KMIP Profile and also the Create operation.
- Storage Client TLS 1.2 Authentication KMIP Profile
  - Client-to-Server operations needed for this (see the Storage Client Conformance Clauses) include all operations from the Basic Baseline Client KMIP Profile, the Register operation from the Symmetric Key Store Client TLS 1.2 Authentication KMIP Profile, and the Create operation from the Symmetric Key Foundry Client TLS 1.2 Authentication KMIP Profile.
References
The source code for PyKMIP is hosted on GitHub and the library is available for installation from the Python Package Index (PyPI):
For more information on KMIP version 1.1, see the following documentation:
- Key Management Interoperability Protocol Specification Version 1.1
- Key Management Interoperability Protocol Profiles Version 1.1
- Key Management Interoperability Protocol Test Cases Version 1.1
Contributors
Many thanks to the developers who created PyKMIP: