The following describes two different ways to run a KMS server for vCenter instead of vCenter's Native Key Provider. I used this for testing purposes. One uses Ubuntu with PyKMIP; the other uses CentOS with a Docker image of PyKMIP. Enjoy
Install Ubuntu 23.10 on a VM with internet access
Instructions
sudo apt install openssh-client
sudo apt install openssh-server
sudo ufw allow ssh
sudo systemctl enable ssh
sudo systemctl start ssh
sudo systemctl status ssh
Log in as a normal user; my user name is “user”.
1. sudo -i
apt-get update
apt-get upgrade
mkdir /usr/local/PyKMIP
mkdir /etc/pykmip
mkdir /var/log/pykmip
chown user: -R /usr/local/PyKMIP
chown user: -R /etc/pykmip
chown user: -R /var/log/pykmip
apt-get install python3-dev libffi-dev libssl-dev libsqlite3-dev
2. Generate the self-signed SSL certificate and fill out the prompts. The certificate created by the command below will be valid for 10 years (3650 days).
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/private/selfsigned.key -out /etc/ssl/certs/selfsigned.crt
Country: AU
State: VICTORIA
Locality: MELBOURNE
Common Name: pykmip-kms-ub.vcf.sddc.lab
chown user: -R /etc/ssl/private
chown user: /etc/ssl/certs/selfsigned.crt
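The same certificate and key as in step 2 can be produced without the interactive prompts. The script below is an added example, not part of the original walkthrough: it passes the subject on the command line, adds a subjectAltName (TLS clients match the SAN rather than the CN), adds both the serverAuth and clientAuth extended key usages (this walkthrough hands the same pair to vCenter as its client identity in step 6), and creates the private key readable by its owner only instead of re-owning all of /etc/ssl/private. It assumes OpenSSL 1.1.1 or newer (for -addext); the FQDN and IP are the walkthrough's own values and must be replaced with yours.

```sh
#!/bin/sh
# Added example, not part of the original walkthrough: non-interactive
# self-signed certificate for the PyKMIP server (step 2 equivalent).
# Assumptions: OpenSSL 1.1.1+ (-addext); FQDN/IP are the walkthrough's values.

# $1 = certificate path, $2 = key path, $3 = FQDN, $4 = IP, $5 = validity in days
make_kms_cert() {
  cert="$1"; key="$2"; fqdn="$3"; ip="$4"; days="${5:-3650}"
  mkdir -p "$(dirname "$cert")" "$(dirname "$key")" || return 1
  # Create the key with owner-only permissions from the start rather than
  # chmod'ing it afterwards, so it is never world-readable.
  old_umask=$(umask)
  umask 077
  openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
    -keyout "$key" -out "$cert" \
    -subj "/C=AU/ST=VICTORIA/L=MELBOURNE/CN=$fqdn" \
    -addext "subjectAltName=DNS:$fqdn,IP:$ip" \
    -addext "extendedKeyUsage=serverAuth,clientAuth" \
    -addext "keyUsage=digitalSignature,keyEncipherment" >/dev/null 2>&1
  rc=$?
  umask "$old_umask"
  [ "$rc" -eq 0 ] || return 1
  # The certificate is public: it is copied into vCenter in step 6.
  chmod 644 "$cert" && chmod 600 "$key"
}

# Return 0 if the text dump of certificate $1 contains string $2
# (e.g. "DNS:kms.example" or "TLS Web Client Authentication").
cert_text_has() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -qF "$2"
}

# Print the octal permission bits of file $1 (GNU stat first, then BSD stat).
file_mode() {
  stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Usage on the KMS VM, as root, with the walkthrough's paths:
#   make_kms_cert /etc/ssl/certs/selfsigned.crt /etc/ssl/private/selfsigned.key \
#     pykmip-kms-ub.vcf.sddc.lab 10.0.0.30 3650
#   chown user: /etc/ssl/private/selfsigned.key   # the account that runs run_server.py
```

After generating, `cert_text_has /etc/ssl/certs/selfsigned.crt "DNS:pykmip-kms-ub.vcf.sddc.lab"` confirms the SAN is present, and `file_mode /etc/ssl/private/selfsigned.key` should print 600.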
exit
cd /usr/local
sudo apt-get install git-all
git clone https://github.com/OpenKMIP/PyKMIP
cd /usr/local/PyKMIP
sudo -i
sudo apt-get install python3-setuptools
cd /usr/local/PyKMIP
python3 /usr/local/PyKMIP/setup.py install (be sure you are in the /usr/local/PyKMIP directory! See cd command above)
exit
3. nano /etc/pykmip/server.conf
Paste the following into the file (replace 10.0.0.30 with your VM’s IP). The certificate paths point at the KMS machine's self-signed certificate; you can replace them with a certificate issued by your organization's trusted certificate authority.
-------------------------------------------------------------------------
[server]
database_path=/etc/pykmip/pykmip.database
hostname=10.0.0.30
port=5696
certificate_path=/etc/ssl/certs/selfsigned.crt
key_path=/etc/ssl/private/selfsigned.key
ca_path=/etc/ssl/certs/selfsigned.crt
auth_suite=TLS1.2
policy_path=/usr/local/PyKMIP/examples/
enable_tls_client_auth=False
tls_cipher_suites= TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
logging_level=DEBUG
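Several values in that file are lab settings rather than production ones: ca_path is the server's own self-signed certificate, enable_tls_client_auth=False switches off PyKMIP's extended-key-usage check on the client certificate, the cipher list includes static-RSA and CBC suites, and logging is at DEBUG. The script below is an added example, not part of the original walkthrough or of PyKMIP: it audits a server.conf for those settings and writes a hardened variant beside the lab one. The hardened paths (kms-server.crt, kms-server.key, org-ca.crt) are placeholders for a certificate issued by your organization's CA and that CA's bundle.

```sh
#!/bin/sh
# Added example, not part of the original walkthrough: audit a PyKMIP
# server.conf for the lab settings used above and show a hardened variant.
# Assumptions: "key=value" lines as in the walkthrough's server.conf; the
# hardened paths (kms-server.crt, kms-server.key, org-ca.crt) are placeholders.

# Write the walkthrough's server.conf (copied from above) to $1.
write_lab_conf() {
  cat >"$1" <<'EOF'
[server]
database_path=/etc/pykmip/pykmip.database
hostname=10.0.0.30
port=5696
certificate_path=/etc/ssl/certs/selfsigned.crt
key_path=/etc/ssl/private/selfsigned.key
ca_path=/etc/ssl/certs/selfsigned.crt
auth_suite=TLS1.2
policy_path=/usr/local/PyKMIP/examples/
enable_tls_client_auth=False
tls_cipher_suites= TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
logging_level=DEBUG
EOF
}

# Write a hardened variant to $1: CA-issued server certificate, a separate
# trust anchor, the clientAuth EKU check enabled, forward-secret GCM suites,
# and INFO-level logging.
write_hardened_conf() {
  cat >"$1" <<'EOF'
[server]
database_path=/etc/pykmip/pykmip.database
hostname=10.0.0.30
port=5696
certificate_path=/etc/ssl/certs/kms-server.crt
key_path=/etc/ssl/private/kms-server.key
ca_path=/etc/ssl/certs/org-ca.crt
auth_suite=TLS1.2
policy_path=/usr/local/PyKMIP/examples/
enable_tls_client_auth=True
tls_cipher_suites= TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
logging_level=INFO
EOF
}

# Print the value of key $2 from config file $1 (first match).
conf_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Print one line per weak setting in $1; return 1 if any were found.
audit_pykmip_conf() {
  conf="$1"; findings=0
  cert=$(conf_get "$conf" certificate_path)
  ca=$(conf_get "$conf" ca_path)
  if [ -n "$ca" ] && [ "$ca" = "$cert" ]; then
    echo "ca_path=$ca: the server's own self-signed certificate is the trust anchor for client certificates; point ca_path at your CA bundle"
    findings=$((findings + 1))
  fi
  if [ "$(conf_get "$conf" enable_tls_client_auth)" = "False" ]; then
    echo "enable_tls_client_auth=False: the clientAuth extended-key-usage check on vCenter's certificate is disabled"
    findings=$((findings + 1))
  fi
  if [ "$(conf_get "$conf" logging_level)" = "DEBUG" ]; then
    echo "logging_level=DEBUG: verbose request/response logging in /var/log/pykmip; use INFO outside the lab"
    findings=$((findings + 1))
  fi
  # Static-RSA key exchange has no forward secrecy; CBC suites are weaker than GCM.
  for suite in $(conf_get "$conf" tls_cipher_suites); do
    case "$suite" in
      TLS_RSA_*|*_CBC_*)
        echo "tls_cipher_suites: $suite (no forward secrecy or CBC mode); prefer TLS_ECDHE_*_GCM_* suites"
        findings=$((findings + 1)) ;;
    esac
  done
  [ "$findings" -eq 0 ]
}
```

On the KMS VM, `audit_pykmip_conf /etc/pykmip/server.conf` lists every flagged line and exits non-zero when there is anything to fix; the walkthrough's file produces six findings, the hardened variant none.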
4. export EDITOR=nano
export VISUAL=nano
crontab -e
Paste the following in on a new line:
@reboot ( sleep 30s; python3 /usr/local/PyKMIP/bin/run_server.py & )
This will make sure that the server starts automatically at boot. Reboot your VM, or type the following to start it as a background process:
sudo -i
reboot -f
or
python3 /usr/local/PyKMIP/bin/run_server.py &
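Before going into the vCenter UI it is worth confirming from another host that the listener actually completes a TLS 1.2 handshake, and noting the server certificate's fingerprint so it can be compared with the certificate vCenter shows when you click Trust. The script below is an added example, not part of the original walkthrough. It assumes openssl is installed on the probing host and presents the walkthrough's selfsigned certificate and key as the client identity, which is what vCenter presents after step 6 ("KMS certificate and private key").

```sh
#!/bin/sh
# Added example, not part of the original walkthrough: probe the PyKMIP
# listener over TLS 1.2 and print the server certificate's fingerprint.
# Assumptions: openssl on the probing host; client cert/key are the
# walkthrough's selfsigned pair (the same identity vCenter uses after step 6).

# $1 = host, $2 = port, $3 = client certificate, $4 = client key,
# $5 = file to receive the server's leaf certificate (PEM), default /dev/null.
# Return 0 when the handshake succeeds and a server certificate was received.
kms_tls_probe() {
  host="${1:-10.0.0.30}"; port="${2:-5696}"; cert="$3"; key="$4"; out="${5:-/dev/null}"
  # </dev/null ends the session right after the handshake; -servername sends
  # SNI matching the certificate's CN/SAN. The server is configured with a
  # ca_path and vCenter presents a certificate to it, so the probe does too.
  openssl s_client -connect "$host:$port" -servername "$host" -tls1_2 \
    -cert "$cert" -key "$key" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM >"$out" 2>/dev/null
}

# Print the SHA-256 fingerprint (colon-separated hex) of PEM certificate $1.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# Usage from a host that can reach the KMS, with the walkthrough's values:
#   kms_tls_probe 10.0.0.30 5696 /etc/ssl/certs/selfsigned.crt \
#     /etc/ssl/private/selfsigned.key /tmp/kms-leaf.pem \
#     && cert_fingerprint /tmp/kms-leaf.pem
```

A failed probe (non-zero exit) before the vCenter step usually means the cron job has not started the server yet, the firewall is blocking 5696, or the client certificate does not chain to ca_path; fix that first rather than debugging from the vCenter side.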
5. Log in to vCenter.
Click your vCenter.
Click the Configure tab.
Under Security, click Key Providers.
Click Add Standard Key Provider.
Give it a name, a KMS name, an address and a port.
Example:
pykmip-kms-ub
pykmip-kms-ub.vcf.sddc.lab
10.0.0.30
5696
Click on “Add Key Provider”.
Click Trust.
Click your provider,
then underneath click your KMS server.
Click “Establish Trust”.
Click “Make KMS trust vCenter”.
Click on “KMS certificate and private key” and then on “Next”.
6. Now we need to fill in the KMS certificate and private key. On the KMS VM, run:
cat /etc/ssl/certs/selfsigned.crt
Paste the output (with the dashes!) under KMS certificate.
cat /etc/ssl/private/selfsigned.key
Paste the output (with the dashes!) under “KMS Private Key”.
Click on “Establish Trust”.
If you want to tighten security, use trusted certificates.
KMS with Docker and PyKMIP on CentOS 8
CentOS 8 with an IP address that has internet access; change the power options so it never blanks out.
Install Docker Engine
sudo yum install -y yum-utils
sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
sudo yum install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
sudo systemctl start docker
sudo docker run hello-world
Install PyKMIP
docker pull lamw/vmwkmip
docker run --rm -it -p 5696:5696 lamw/vmwkmip
Add the Key Provider on vCenter (steps 5 and 6 above).
If the server is rebooted, run the following to start the KMS again:
sudo systemctl start docker
sudo docker pull lamw/vmwkmip
sudo docker run --rm -it -p 5696:5696 lamw/vmwkmip