-
Notifications
You must be signed in to change notification settings - Fork 131
Configuration
By default, the PyKMIP client and server look in /etc/pykmip for their configuration files. This directory will not be created during install, so you will need to create it yourself. However, example client and server configuration files, named pykmip.conf and server.conf respectively, are provided under the examples directory in the PyKMIP repository to help get you started.
The pykmip.conf file contains one or more client configuration sections defining the information the client needs to successfully establish a TLS connection with a KMIP appliance. This configuration section looks like this:
[client]
host=127.0.0.1
port=5696
keyfile=/etc/pykmip/certs/client_private_key.pem
certfile=/etc/pykmip/certs/client_cert.pem
cert_reqs=CERT_REQUIRED
ssl_version=PROTOCOL_SSLv23
ca_certs=/etc/pykmip/certs/server_ca_cert.pem
do_handshake_on_connect=True
suppress_ragged_eofs=True
username=example_username
password=example_password
The "[client]" line at the beginning is the name or label of the configuration block. You can change this label to be whatever you want, which is useful if you have multiple KMIP appliances you need to connect to. For example:
[test]
...
[production]
...
To properly connect with your KMIP appliance, you will need to work with the appliance administrator to get the proper network settings (host and port) and the right certificate files (certfile, keyfile, and ca_certs), otherwise you will not be able to connect. The username and password values may or may not be needed, depending on the appliance's security policy; if they are not needed, just leave them blank:
[client]
...
username=
password=
All of the other settings you can leave as is, unless told otherwise by your networking or appliance administrator. These settings are used to properly set up the client's TLS connection to the appliance. Modifying these improperly may weaken the security of the TLS connection.
The server.conf file contains the server configuration section defining the information the server needs to successfully establish TLS connections with clients. This configuration section looks like this:
[server]
hostname=127.0.0.1
port=5696
certificate_path=/etc/pykmip/certs/server_cert.pem
key_path=/etc/pykmip/certs/server_private_key.pem
ca_path=/etc/pykmip/certs/server_ca_cert.pem
auth_suite=Basic
policy_path=/etc/pykmip/policies
Each of these options is explained further in the project README (see Server/Configuration). Unlike the client configuration file, the server only expects to find one configuration section in the configuration file. It must be named [server] so do not change it when setting up /etc/pykmip.