This assumes you have the HashiCorp Vault Enterprise edition installed, which supports KMIP (the open-source edition of Vault does not support KMIP).
From a terminal, execute the code below after first changing the value of the variable VAULT_LICENSE_PATH
to the location of your downloaded HashiCorp Vault Enterprise licence file:
# Point the server at the Enterprise licence file (tilde expands to the current user's home).
VAULT_LICENSE_PATH=~/license.hclic
export VAULT_LICENSE_PATH
# Start a dev-mode Vault server in the foreground; it stays attached to this terminal.
vault server -dev
Keep this Vault server process running in the current terminal - do not terminate it.
From a NEW, separate terminal, execute the code below after first changing the value of the variable VAULT_ADDR
to the listen address of the Vault server you just started:
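# Clean out previously created files, if any (this includes key material left by an earlier run)
rm -f ca.pem cert.pem key.pem client.pem kmip-policy.hcl credential.json
# This block is meant to be pasted into an interactive shell, so it deliberately does not use
# 'set -e' (that would close the terminal on the first failure); instead, report up front if a
# tool it depends on is missing, so later errors are easier to understand.
for tool in vault jq; do
  command -v "$tool" >/dev/null 2>&1 || printf 'required tool not found: %s\n' "$tool" >&2
done
# Set address of Vault server (the dev server started in the other terminal)
export VAULT_ADDR='http://localhost:8200'
# Create the required KMIP privileges policy file for Vault.
# The here-doc delimiter is quoted so the policy text is written literally, with no shell expansion.
tee kmip-policy.hcl <<'EOF'
path "kmip/*" {
capabilities = [ "create", "read", "update", "delete", "list" ]
}
path "sys/mounts/*" {
capabilities = [ "create", "read", "update", "delete", "list" ]
}
path "sys/mounts" {
capabilities = [ "read", "list" ]
}
EOF
# Configure Vault with this policy
vault policy write admin kmip-policy.hcl
# Configure Vault to support the KMIP protocol.
# NOTE: 0.0.0.0 binds the KMIP listener on every interface of this host; use a specific
# address instead if the host is reachable from networks that should not see the listener.
vault secrets enable kmip
vault write kmip/config listen_addrs=0.0.0.0:5696
# Configure a scope with a role for an 'appadmin' system identity for subsequent use via a client app.
# operation_all=true grants this role every KMIP operation; outside a walkthrough, list only the
# operations the client actually needs.
vault write -f kmip/scope/my-wizzy-service
vault write kmip/scope/my-wizzy-service/role/appadmin operation_all=true
# Capture the TLS Certificate Authority certificate provided by the Vault instance
vault read -field ca_pem kmip/ca > ca.pem
# Generate the TLS key and certificate to be used to authenticate from the client as an 'appadmin' system user.
# credential.json, key.pem and client.pem all contain the private key, so they are created with
# owner-only permissions. umask is changed inside a subshell so the interactive shell's own umask
# is left as it was; cert.pem ends up owner-only too, which is harmless for the same user.
(
  umask 077
  vault write -format=json \
    kmip/scope/my-wizzy-service/role/appadmin/credential/generate \
    format=pem > credential.json
  jq -r .data.certificate < credential.json > cert.pem
  jq -r .data.private_key < credential.json > key.pem
  cat cert.pem key.pem > client.pem
)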