@alistairncoles
Created June 26, 2018 11:13
Set up a PyKMIP service for Swift
#!/usr/bin/env bash
# change as appropriate
USER=swift
GROUP=swift
PYKMIP_DIR=/etc/pykmip
PYKMIP_VENV_DIR=./pykmip_venv
echo "
We need to interactively generate some certificates...
"
sudo mkdir -p ${PYKMIP_DIR}/certs
sudo chown ${USER} ${PYKMIP_DIR}
sudo chgrp ${GROUP} ${PYKMIP_DIR}
sudo openssl genrsa -out ${PYKMIP_DIR}/certs/MyRootCA.key 2048
sudo openssl req -x509 -new -nodes -key ${PYKMIP_DIR}/certs/MyRootCA.key -sha256 -days 1024 -out ${PYKMIP_DIR}/certs/MyRootCA.pem
sudo openssl genrsa -out ${PYKMIP_DIR}/certs/MyClient1.key 2048
sudo openssl req -new -key ${PYKMIP_DIR}/certs/MyClient1.key -out ${PYKMIP_DIR}/certs/MyClient1.csr
sudo openssl x509 -req -in ${PYKMIP_DIR}/certs/MyClient1.csr -CA ${PYKMIP_DIR}/certs/MyRootCA.pem -CAkey ${PYKMIP_DIR}/certs/MyRootCA.key -CAcreateserial -out ${PYKMIP_DIR}/certs/MyClient1.pem -days 1024 -sha256
echo "Writing ${PYKMIP_DIR}/server.conf"
echo "
[server]
hostname=127.0.0.1
port=5696
certificate_path=/etc/pykmip/certs/MyRootCA.pem
key_path=/etc/pykmip/certs/MyRootCA.key
ca_path=/etc/pykmip/certs/MyRootCA.pem
auth_suite=Basic
policy_path=/etc/pykmip/server_policy
enable_tls_client_auth=False
tls_cipher_suites=
    TLS_RSA_WITH_AES_128_CBC_SHA256
    TLS_RSA_WITH_AES_256_CBC_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
logging_level=DEBUG
" > ${PYKMIP_DIR}/server.conf
echo "Writing ${PYKMIP_DIR}/pykmip.conf"
echo "
[client]
host=127.0.0.1
port=5696
certfile=/etc/pykmip/certs/MyClient1.pem
keyfile=/etc/pykmip/certs/MyClient1.key
ca_certs=/etc/pykmip/certs/MyRootCA.pem
cert_reqs=CERT_REQUIRED
ssl_version=PROTOCOL_SSLv23
do_handshake_on_connect=True
suppress_ragged_eofs=True
username=example_username
password=password
" > ${PYKMIP_DIR}/pykmip.conf
echo "Creating a virtualenv in ${PYKMIP_VENV_DIR}"
virtualenv ${PYKMIP_VENV_DIR}
source ${PYKMIP_VENV_DIR}/bin/activate
pip install requests
pip install pykmip
# run the pykmip server in background
# NOTE: this should NEVER be used as a production KMIP service!
mkdir -p ${PYKMIP_DIR}/server_policy
sudo mkdir -p /var/log/pykmip
sudo chown ${USER} /var/log/pykmip
sudo chgrp ${GROUP} /var/log/pykmip
python ${PYKMIP_VENV_DIR}/lib/python2.7/site-packages/kmip/services/server/server.py &
echo "PyKMIP server is running"
sleep 1
# create an AES-256 symmetric key
# expect output similar to:
# 2018-06-20 15:21:37,286 - demo - INFO - Successfully created symmetric key with ID: 1
echo "Creating a key..."
python ${PYKMIP_VENV_DIR}/lib/python2.7/site-packages/kmip/demos/pie/create.py --password whatever -a AES -l 256
echo "Fetching a key..."
# verify the key can be fetched
# expect an output similar to:
# 2018-06-20 15:22:07,499 - demo - INFO - Successfully retrieved secret with ID: 2
# 2018-06-20 15:22:07,499 - demo - INFO - Secret data: 54283fb6767dff6c5d2256a5dfa1494cbe69dc6b41547a70cc3461958218d26b
python ${PYKMIP_VENV_DIR}/lib/python2.7/site-packages/kmip/demos/pie/get.py -i 1
echo "
NB: this assumes the created key has ID 1. If fetching the key failed, it may have been given a different ID;
if so, change key_id in /etc/swift/kmip_keymaster.conf to match. "
echo "
[kmip_keymaster]
key_id = 1
host = 127.0.0.1
port = 5696
certfile = ${PYKMIP_DIR}/certs/MyClient1.pem
keyfile = ${PYKMIP_DIR}/certs/MyClient1.key
ca_certs = ${PYKMIP_DIR}/certs/MyRootCA.pem
username = swift
password = ignored
" > /etc/swift/kmip_keymaster.conf
echo "
You need to edit /etc/swift/proxy-server.conf:
Add 'kmip_keymaster encryption' to the proxy pipeline i.e.:
.... kmip_keymaster encryption proxy-logging proxy-server
Add a kmip_keymaster filter section:
[filter:kmip_keymaster]
use = egg:swift#kmip_keymaster
keymaster_config_path = /etc/swift/kmip_keymaster.conf
"
echo "
Ensure swift is installed with kmip_keymaster extra dependencies e.g. in swift root dir:
sudo pip install -e .[kmip_keymaster]"
echo "
Restart the proxy server and check proxy log for 'Loaded secret id 1' message"
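As an added example that is not part of the gist: a small lint for the server.conf this script writes. It flags the settings that are acceptable only for the throwaway dev service the script builds (the listener presents the root CA cert and key as its own, client certificate auth is off, TLS_RSA_* suites carry no forward secrecy); lint_pykmip_server_conf, conf_get and the kmip-server.pem/.key paths in the hardened sample are assumed names.

```shell
# Added example (not part of the original gist): lint a PyKMIP server.conf for
# dev-only settings. Reads the conf text only: no running server, no openssl.
# conf_get FILE SECTION KEY: print KEY's value from [SECTION] ("k=v" or "k = v").
conf_get() {
    awk -v sect="[$2]" -v key="$3" '
        $0 == sect { on = 1; next };  /^\[/ { on = 0 }
        on && index($0, "=") { k = $0; v = $0
            sub(/=.*/, "", k); sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) { gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit } }' "$1"
}
# lint_pykmip_server_conf FILE: one line per finding; exit status = finding count.
lint_pykmip_server_conf() {
    local f=$1 n=0 cert key ca auth
    cert=$(conf_get "$f" server certificate_path); key=$(conf_get "$f" server key_path)
    ca=$(conf_get "$f" server ca_path); auth=$(conf_get "$f" server enable_tls_client_auth)
    # The listener should get its own leaf cert signed by the CA, not load the CA key.
    if [ "$cert" = "$ca" ] || [ "${key%.key}" = "${ca%.pem}" ]; then
        echo "FAIL certificate_path/key_path reuse the CA material ($ca)"; n=$((n + 1))
    fi
    if [ "$auth" != "True" ]; then
        echo "FAIL enable_tls_client_auth=$auth: clients are not authenticated by certificate"; n=$((n + 1))
    fi
    # Suite names follow "tls_cipher_suites=" one per line; TLS_RSA_* lacks forward secrecy.
    if grep -Eq '^[[:space:]]*TLS_RSA_' "$f"; then
        echo "WARN tls_cipher_suites lists TLS_RSA_* suites (no forward secrecy)"; n=$((n + 1))
    fi
    return "$n"
}
# Constructed samples: the dev conf the gist writes, and a hardened variant
# (kmip-server.pem/.key are assumed names for a leaf cert issued by MyRootCA).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/dev.conf" <<'EOF'
[server]
certificate_path=/etc/pykmip/certs/MyRootCA.pem
key_path=/etc/pykmip/certs/MyRootCA.key
ca_path=/etc/pykmip/certs/MyRootCA.pem
enable_tls_client_auth=False
tls_cipher_suites=
    TLS_RSA_WITH_AES_128_CBC_SHA256
EOF
cat > "$SAMPLE_DIR/hardened.conf" <<'EOF'
[server]
certificate_path = /etc/pykmip/certs/kmip-server.pem
key_path = /etc/pykmip/certs/kmip-server.key
ca_path = /etc/pykmip/certs/MyRootCA.pem
enable_tls_client_auth = True
tls_cipher_suites =
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
EOF
```

Run `lint_pykmip_server_conf /etc/pykmip/server.conf` against the file the script wrote; the dev sample above yields three findings (exit status 3) and the hardened sample none.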