Unable to configure kmip client

I have a use case where my KMIP client is the Python library pykmip. I have configured KMIP and I am able to connect to it as well; however, no operation succeeds and the client is not able to register/get information from Vault's KMIP secrets engine.
I was wondering if it's a KMIP version issue, and I have been unable to find out which KMIP version Vault runs. I tried all of them and none worked.

Can someone please confirm whether KMIP support is perhaps limited and what I am trying to achieve is not possible?

To conclude, my objective is to use Vault's KMIP secrets engine for storing keys, and the client is pykmip.

Hi sonicaj,

I’ve had some success in talking to Vault KMIP using pykmip. What errors are you seeing? Can you share your pykmip setup and any relevant logs? Also note that there are some debugging env vars that will make Vault KMIP emit a ton of debugging info, which might prove helpful:

```shell
export KMIP_CONNECTION_DEBUGGING=1
export KMIP_REQUEST_DEBUGGING=1
export KMIP_RESPONSE_DEBUGGING=1
export KMIP_DECODING_DEBUGGING=1
export KMIP_INDEX_DEBUGGING=1
```

Much of this information is also available in the audit log, even without those env vars.

Thank you for reaching out. This is the issue I am seeing:

```python
from kmip import enums
from kmip.pie.client import ProxyKmipClient
from kmip.pie.objects import SecretData

# TLS client certificate/key and the CA that issued Vault's KMIP listener certificate
conn = ProxyKmipClient(
    hostname='10.234.64.63',
    port=5696,
    cert='/etc/certificates/kmip_cert_final.crt',
    key='/etc/certificates/kmip_cert_final.key',
    ca='/etc/certificates/CA/KMIPServer.crt',
    config='client',
    kmip_version=enums.KMIPVersion.KMIP_1_2,
)
conn.open()
key = 'somevalue'
# SecretData uses the default name 'Secret Data' when no name is given
secret_data = SecretData(key.encode(), enums.SecretDataType.PASSWORD)
conn.register(secret_data)
```

```text
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.8/site-packages/kmip/pie/client.py", line 39, in wrapper
    return function(self, *args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/kmip/pie/client.py", line 436, in register
    raise exceptions.KmipOperationFailure(status, reason, message)
kmip.pie.exceptions.KmipOperationFailure: OPERATION_FAILED: INVALID_FIELD
```

Can you please let me know where I could grab the Vault logs? I have been testing a trial and am not very familiar with Vault right now, unfortunately.

Also, @ncabatoff, I had to modify pykmip to properly raise the error, as it expected a string as well, which was not being returned. I was wondering whether Vault uses a different KMIP version that I could use; I tried 1.0, 1.1, 1.2, 1.3, 1.4 and 2.0 on the client side, but unfortunately no luck.

The server logs are normally sent to stderr (or stdout? don’t recall), but if you’re running via systemd you’ll want to use journalctl to access them. That’s where the debugging output controlled by those env vars would go.

For the audit logs you have to enable them first, and then you control where they go:

https://www.vaultproject.io/docs/audit/file

The audit logs are probably going to be more readable (if you use jq to prettify them) than the system logs here.

On it right away. By the way, is the KMIP server which Vault runs compatible with pykmip? (It should be, I assume, based on the OASIS standard, but I was wondering whether maybe it's only functional for some clients like Mongo etc.)

I’ve used pykmip with vault, I’ve run at least one of the pykmip integration tests against it successfully. That said, since we only implement a subset of the KMIP standard I’m sure there are plenty of KMIP requests pykmip can issue which would fail against Vault.

I missed your earlier question:

Also @ncabatoff I had to modify pykmip to properly raise the error as it expected a string as well which was not being returned.

Can you give more details?

I was wondering if vault uses a different kmip version and I could use those, I tried 1.0, 1.1, 1.2, 1.3, 1.4 and 2.0 on the client side but unfortunately no luck.

We aim for 1.4 compatibility.

I have this in the logs when I make a Register call:

```text
Tag: RequestMessage
Type: Structure
Length/Padding: 328/0
| Tag: RequestHeader
| Type: Structure
| Length/Padding: 56/0
| | Tag: ProtocolVersion
| | Type: Structure
| | Length/Padding: 32/0
| | | Tag: ProtocolVersionMajor
| | | Type: Integer
| | | Length/Padding: 4/4
| | | Value: 1
| | | Tag: ProtocolVersionMinor
| | | Type: Integer
| | | Length/Padding: 4/4
| | | Value: 4
| | Tag: BatchCount
| | Type: Integer
| | Length/Padding: 4/4
| | Value: 1
| Tag: BatchItem
| Type: Structure
| Length/Padding: 256/0
| | Tag: Operation
| | Type: Enumeration
| | Length/Padding: 4/4
| | Value: 3
| | Tag: RequestPayload
| | Type: Structure
| | Length/Padding: 232/0
| | | Tag: ObjectType
| | | Type: Enumeration
| | | Length/Padding: 4/4
| | | Value: 7
| | | Tag: TemplateAttribute
| | | Type: Structure
| | | Length/Padding: 128/0
| | | | Tag: Attribute
| | | | Type: Structure
| | | | Length/Padding: 48/0
| | | | | Tag: AttributeName
| | | | | Type: TextString
| | | | | Length/Padding: 24/0
| | | | | Value: Cryptographic Usage Mask
| | | | | Tag: AttributeValue
| | | | | Type: Integer
| | | | | Length/Padding: 4/4
| | | | | Value: 0
| | | | Tag: Attribute
| | | | Type: Structure
| | | | Length/Padding: 64/0
| | | | | Tag: AttributeName
| | | | | Type: TextString
| | | | | Length/Padding: 4/4
| | | | | Value: Name
| | | | | Tag: AttributeValue
| | | | | Type: Structure
| | | | | Length/Padding: 40/0
| | | | | | Tag: NameValue
| | | | | | Type: TextString
| | | | | | Length/Padding: 11/5
| | | | | | Value: Secret Data
| | | | | | Tag: NameType
| | | | | | Type: Enumeration
| | | | | | Length/Padding: 4/4
| | | | | | Value: 1
| | | Tag: SecretData
| | | Type: Structure
| | | Length/Padding: 72/0
| | | | Tag: SecretDataType
| | | | Type: Enumeration
| | | | Length/Padding: 4/4
| | | | Value: 1
| | | | Tag: KeyBlock
| | | | Type: Structure
| | | | Length/Padding: 48/0
| | | | | Tag: KeyFormatType
| | | | | Type: Enumeration
| | | | | Length/Padding: 4/4
| | | | | Value: 2
| | | | | Tag: KeyValue
| | | | | Type: Structure
| | | | | Length/Padding: 24/0
| | | | | | Tag: KeyMaterial
| | | | | | Type: ByteString
| | | | | | Length/Padding: 9/7
| | | | | | Value: byte{0x73, 0x6f, 0x6d, 0x65, 0x76, 0x61, 0x6c, 0x75, 0x65}
"
```
```text
2020-06-02T16:04:31.373-0400 [INFO] secrets.kmip.kmip_92497e23.kmipserver: got request: request="&message.RequestMessage{
RawTTLV: nil,
RequestHeader: &message.RequestHeader{
ProtocolVersion: &payload.ProtocolVersion{
ProtocolVersionMajor: &int32(1),
ProtocolVersionMinor: &int32(4),
},
MaximumResponseSize: (*int32)(nil),
ClientCorrelationValue: (*string)(nil),
ServerCorrelationValue: (*string)(nil),
AsynchronousIndicator: (*bool)(nil),
AttestationCapableIndicator: (*bool)(nil),
AttestationTypes: nil,
Authentication: (*message.Authentication)(nil),
BatchErrorContinuationOption: (*enum.BatchErrorContinuationOption)(nil),
BatchOrderOption: (*bool)(nil),
TimeStamp: (*time.Time)(nil),
BatchCount: &int32(1),
},
RequestBatchItems: {
&message.RequestBatchItem{
Operation: &enum.Operation(0x3),
UniqueBatchItemID: nil,
RequestPayload: &payload.RegisterRequestPayload{
ObjectType: &attr.ObjectType(0x7),
TemplateAttribute: &bo.TemplateAttribute{
Name: (*attr.Name)(nil),
Attributes: {
&kmip.Attribute{
Name: &"Cryptographic Usage Mask",
Index: (*int32)(nil),
Value: &data.Integer{},
},
&kmip.Attribute{
Name: &"Name",
Index: (*int32)(nil),
Value: &data.Structure{
Value: {
&data.Object{
Tag: 0x420055,
Data: &data.TextString{Value:"Secret Data"},
},
&data.Object{
Tag: 0x420054,
Data: &data.Enumeration{Value:0x1},
},
},
},
},
},
},
Attributes: &bo.Attributes{
UniqueIdentifier: (*attr.UniqueIdentifier)(nil),
Names: {
&attr.Name{
NameValue: &"Secret Data",
NameType: &enum.NameType(0x1),
},
},
ObjectType: (*attr.ObjectType)(nil),
CryptographicAlgorithm: (*attr.CryptographicAlgorithm)(nil),
CryptographicLength: (*attr.CryptographicLength)(nil),
CryptographicParameters: nil,
CryptographicDomainParameters: (*attr.CryptographicDomainParameters)(nil),
CertificateType: (*attr.CertificateType)(nil),
CertificateLength: (*attr.CertificateLength)(nil),
X509CertificateIdentifier: (*attr.X509CertificateIdentifier)(nil),
X509CertificateSubject: (*attr.X509CertificateSubject)(nil),
X509CertificateIssuer: (*attr.X509CertificateIssuer)(nil),
DigitalSignatureAlgorithms: nil,
Digests: nil,
OperationPolicyName: (*attr.OperationPolicyName)(nil),
CryptographicUsageMask: &attr.CryptographicUsageMask(0),
LeaseTime: (*attr.LeaseTime)(nil),
UsageLimits: (*attr.UsageLimits)(nil),
State: (*attr.State)(nil),
InitialDate: (*attr.InitialDate)(nil),
ActivationDate: (*attr.ActivationDate)(nil),
ProcessStartDate: (*attr.ProcessStartDate)(nil),
ProtectStopDate: (*attr.ProtectStopDate)(nil),
DeactivationDate: (*attr.DeactivationDate)(nil),
DestroyDate: (*attr.DestroyDate)(nil),
CompromiseOccurrenceDate: (*attr.CompromiseOccurrenceDate)(nil),
CompromiseDate: (*attr.CompromiseDate)(nil),
RevocationReason: (*attr.RevocationReason)(nil),
ArchiveDate: (*attr.ArchiveDate)(nil),
ObjectGroups: nil,
Fresh: (*attr.Fresh)(nil),
Links: nil,
ApplicationSpecificInformation: nil,
ContactInformation: (*attr.ContactInformation)(nil),
LastChangeDate: (*attr.LastChangeDate)(nil),
CustomAttributes: nil,
AlternativeNames: nil,
KeyValuePresent: (*attr.KeyValuePresent)(nil),
OriginalCreationDate: (*attr.OriginalCreationDate)(nil),
RandomNumberGenerator: (*attr.RandomNumberGenerator)(nil),
PKCS12FriendlyName: (*attr.PKCS12FriendlyName)(nil),
Description: (*attr.Description)(nil),
Comment: (*attr.Comment)(nil),
Sensitive: (*attr.Sensitive)(nil),
AlwaysSensitive: (*attr.AlwaysSensitive)(nil),
Extractable: (*attr.Extractable)(nil),
NeverExtractable: (*attr.NeverExtractable)(nil),
ActivationDateMinimum: (*attr.ActivationDate)(nil),
OriginalCreationDateMinimum: (*attr.OriginalCreationDate)(nil),
},
SymmetricKey: (*mo.SymmetricKey)(nil),
SecretData: &mo.SecretData{
SecretDataType: &enum.SecretDataType(0x1),
KeyBlock: &bo.KeyBlock{
KeyFormatType: &enum.KeyFormatType(0x2),
KeyCompressionType: (*enum.KeyCompressionType)(nil),
KeyValue: &bo.KeyValue{
keyFormatType: &enum.KeyFormatType(0x2),
KeyMaterial: {0x73, 0x6f, 0x6d, 0x65, 0x76, 0x61, 0x6c, 0x75, 0x65},
TransparentKeyStructure: (*bo.TransparentKeyStructure)(nil),
Attributes: nil,
},
CryptographicAlgorithm: (*attr.CryptographicAlgorithm)(nil),
CryptographicLength: (*attr.CryptographicLength)(nil),
KeyWrappingData: (*bo.KeyWrappingData)(nil),
},
},
},
MessageExtension: (*message.MessageExtension)(nil),
},
},
}"
```

```text
2020-06-02T15:51:53.416-0400 [INFO] secrets.kmip.kmip_92497e23.kmipserver: sending response: response="&message.ResponseMessage{
RawTTLV: nil,
ResponseHeader: &message.ResponseHeader{
ProtocolVersion: &payload.ProtocolVersion{
ProtocolVersionMajor: &int32(1),
ProtocolVersionMinor: &int32(4),
},
TimeStamp: &time.Time{
wall: 0xbfadc95657e11b11,
ext: 2796688803258,
loc: &time.Location{
name: "Local",
zone: {
{name:"LMT", offset:-17762, isDST:false},
{name:"EDT", offset:-14400, isDST:true},
{name:"EST", offset:-18000, isDST:false},
{name:"EWT", offset:-14400, isDST:true},
{name:"EPT", offset:-14400, isDST:true},
},
tx: {
{when:-576460752303423488, index:0x0, isstd:false, isutc:false},
{when:-2717650800, index:0x2, isstd:false, isutc:false},
{when:-1633280400, index:0x1, isstd:false, isutc:false},
{when:-1615140000, index:0x2, isstd:false, isutc:false},
{when:-1601830800, index:0x1, isstd:true, isutc:true},
{when:-1583690400, index:0x2, isstd:false, isutc:false},
{when:-1570381200, index:0x1, isstd:false, isutc:false},
{when:-1551636000, index:0x2, isstd:false, isutc:false},
{when:-1536512400, index:0x1, isstd:false, isutc:false},
{when:-1523210400, index:0x2, isstd:false, isutc:false},
{when:-1504458000, index:0x1, isstd:false, isutc:false},
{when:-1491760800, index:0x2, isstd:false, isutc:false},
{when:-1473008400, index:0x1, isstd:false, isutc:false},
{when:-1459706400, index:0x2, isstd:false, isutc:false},
{when:-1441558800, index:0x1, isstd:false, isutc:false},
{when:-1428256800, index:0x2, isstd:false, isutc:false},
{when:-1410109200, index:0x1, isstd:false, isutc:false},
{when:-1396807200, index:0x2, isstd:false, isutc:false},
{when:-1378659600, index:0x1, isstd:false, isutc:false},
{when:-1365357600, index:0x2, isstd:false, isutc:false},
{when:-1347210000, index:0x1, isstd:false, isutc:false},
{when:-1333908000, index:0x2, isstd:false, isutc:false},
{when:-1315155600, index:0x1, isstd:false, isutc:false},
{when:-1301853600, index:0x2, isstd:false, isutc:false},
{when:-1283706000, index:0x1, isstd:false, isutc:false},
{when:-1270404000, index:0x2, isstd:false, isutc:false},
{when:-1252256400, index:0x1, isstd:false, isutc:false},
{when:-1238954400, index:0x2, isstd:false, isutc:false},
{when:-1220806800, index:0x1, isstd:false, isutc:false},
{when:-1207504800, index:0x2, isstd:false, isutc:false},
{when:-1189357200, index:0x1, isstd:false, isutc:false},
{when:-1176055200, index:0x2, isstd:false, isutc:false},
{when:-1157302800, index:0x1, isstd:false, isutc:false},
{when:-1144605600, index:0x2, isstd:false, isutc:false},
{when:-1125853200, index:0x1, isstd:false, isutc:false},
{when:-1112551200, index:0x2, isstd:false, isutc:false},
{when:-1094403600, index:0x1, isstd:false, isutc:false},
{when:-1081101600, index:0x2, isstd:false, isutc:false},
{when:-1062954000, index:0x1, isstd:false, isutc:false},
{when:-1049652000, index:0x2, isstd:false, isutc:false},
{when:-1031504400, index:0x1, isstd:false, isutc:false},
{when:-1018202400, index:0x2, isstd:false, isutc:false},
{when:-1000054800, index:0x1, isstd:false, isutc:false},
{when:-986752800, index:0x2, isstd:false, isutc:false},
{when:-968000400, index:0x1, isstd:false, isutc:false},
{when:-955303200, index:0x2, isstd:false, isutc:false},
{when:-936550800, index:0x1, isstd:false, isutc:false},
{when:-923248800, index:0x2, isstd:false, isutc:false},
{when:-905101200, index:0x1, isstd:false, isutc:false},
{when:-891799200, index:0x2, isstd:false, isutc:false},
{when:-880218000, index:0x3, isstd:false, isutc:false},
{when:-769395600, index:0x4, isstd:false, isutc:false},
{when:-765396000, index:0x2, isstd:false, isutc:false},
{when:-747248400, index:0x1, isstd:false, isutc:false},
{when:-733946400, index:0x2, isstd:false, isutc:false},
{when:-715798800, index:0x1, isstd:false, isutc:false},
{when:-702496800, index:0x2, isstd:false, isutc:false},
{when:-684349200, index:0x1, isstd:false, isutc:false},
{when:-671047200, index:0x2, isstd:false, isutc:false},
{when:-652899600, index:0x1, isstd:false, isutc:false},
{when:-639597600, index:0x2, isstd:false, isutc:false},
{when:-620845200, index:0x1, isstd:false, isutc:false},
{when:-608148000, index:0x2, isstd:false, isutc:false},
{when:-589395600, index:0x1, isstd:false, isutc:false},
{when:-576093600, index:0x2, isstd:false, isutc:false},
{when:-557946000, index:0x1, isstd:false, isutc:false},
{when:-544644000, index:0x2, isstd:false, isutc:false},
{when:-526496400, index:0x1, isstd:false, isutc:false},
{when:-513194400, index:0x2, isstd:false, isutc:false},
{when:-495046800, index:0x1, isstd:false, isutc:false},
{when:-481744800, index:0x2, isstd:false, isutc:false},
{when:-463597200, index:0x1, isstd:false, isutc:false},
{when:-447271200, index:0x2, isstd:false, isutc:false},
{when:-431542800, index:0x1, isstd:false, isutc:false},
{when:-415821600, index:0x2, isstd:false, isutc:false},
{when:-400093200, index:0x1, isstd:false, isutc:false},
{when:-384372000, index:0x2, isstd:false, isutc:false},
{when:-368643600, index:0x1, isstd:false, isutc:false},
{when:-352922400, index:0x2, isstd:false, isutc:false},
{when:-337194000, index:0x1, isstd:false, isutc:false},
{when:-321472800, index:0x2, isstd:false, isutc:false},
{when:-305744400, index:0x1, isstd:false, isutc:false},
{when:-289418400, index:0x2, isstd:false, isutc:false},
{when:-273690000, index:0x1, isstd:false, isutc:false},
{when:-257968800, index:0x2, isstd:false, isutc:false},
{when:-242240400, index:0x1, isstd:false, isutc:false},
{when:-226519200, index:0x2, isstd:false, isutc:false},
{when:-210790800, index:0x1, isstd:false, isutc:false},
{when:-195069600, index:0x2, isstd:false, isutc:false},
{when:-179341200, index:0x1, isstd:false, isutc:false},
{when:-163620000, index:0x2, isstd:false, isutc:false},
{when:-147891600, index:0x1, isstd:false, isutc:false},
{when:-131565600, index:0x2, isstd:false, isutc:false},
{when:-116442000, index:0x1, isstd:false, isutc:false},
{when:-100116000, index:0x2, isstd:false, isutc:false},
{when:-84387600, index:0x1, isstd:false, isutc:false},
{when:-68666400, index:0x2, isstd:false, isutc:false},
{when:-52938000, index:0x1, isstd:false, isutc:false},
{when:-37216800, index:0x2, isstd:false, isutc:false},
{when:-21488400, index:0x1, isstd:false, isutc:false},
{when:-5767200, index:0x2, isstd:false, isutc:false},
{when:9961200, index:0x1, isstd:false, isutc:false},
{when:25682400, index:0x2, isstd:false, isutc:false},
{when:41410800, index:0x1, isstd:false, isutc:false},
{when:57736800, index:0x2, isstd:false, isutc:false},
{when:73465200, index:0x1, isstd:false, isutc:false},
{when:89186400, index:0x2, isstd:false, isutc:false},
{when:104914800, index:0x1, isstd:false, isutc:false},
{when:120636000, index:0x2, isstd:false, isutc:false},
{when:126687600, index:0x1, isstd:false, isutc:false},
{when:152085600, index:0x2, isstd:false, isutc:false},
{when:162370800, index:0x1, isstd:false, isutc:false},
{when:183535200, index:0x2, isstd:false, isutc:false},
{when:199263600, index:0x1, isstd:false, isutc:false},
{when:215589600, index:0x2, isstd:false, isutc:false},
{when:230713200, index:0x1, isstd:false, isutc:false},
{when:247039200, index:0x2, isstd:false, isutc:false},
{when:262767600, index:0x1, isstd:false, isutc:false},
{when:278488800, index:0x2, isstd:false, isutc:false},
{when:294217200, index:0x1, isstd:false, isutc:false},
{when:309938400, index:0x2, isstd:false, isutc:false},
{when:325666800, index:0x1, isstd:false, isutc:false},
{when:341388000, index:0x2, isstd:false, isutc:false},
{when:357116400, index:0x1, isstd:false, isutc:false},
{when:372837600, index:0x2, isstd:false, isutc:false},
{when:388566000, index:0x1, isstd:false, isutc:false},
{when:404892000, index:0x2, isstd:false, isutc:false},
{when:420015600, index:0x1, isstd:false, isutc:false},
{when:436341600, index:0x2, isstd:false, isutc:false},
{when:452070000, index:0x1, isstd:false, isutc:false},
{when:467791200, index:0x2, isstd:false, isutc:false},
{when:483519600, index:0x1, isstd:false, isutc:false},
{when:499240800, index:0x2, isstd:false, isutc:false},
{when:514969200, index:0x1, isstd:false, isutc:false},
{when:530690400, index:0x2, isstd:false, isutc:false},
{when:544604400, index:0x1, isstd:false, isutc:false},
{when:562140000, index:0x2, isstd:false, isutc:false},
{when:576054000, index:0x1, isstd:false, isutc:false},
{when:594194400, index:0x2, isstd:false, isutc:false},
{when:607503600, index:0x1, isstd:false, isutc:false},
{when:625644000, index:0x2, isstd:false, isutc:false},
{when:638953200, index:0x1, isstd:false, isutc:false},
{when:657093600, index:0x2, isstd:false, isutc:false},
{when:671007600, index:0x1, isstd:false, isutc:false},
{when:688543200, index:0x2, isstd:false, isutc:false},
{when:702457200, index:0x1, isstd:false, isutc:false},
{when:719992800, index:0x2, isstd:false, isutc:false},
{when:733906800, index:0x1, isstd:false, isutc:false},
{when:752047200, index:0x2, isstd:false, isutc:false},
{when:765356400, index:0x1, isstd:false, isutc:false},
{when:783496800, index:0x2, isstd:false, isutc:false},
{when:796806000, index:0x1, isstd:false, isutc:false},
{when:814946400, index:0x2, isstd:false, isutc:false},
{when:828860400, index:0x1, isstd:false, isutc:false},
{when:846396000, index:0x2, isstd:false, isutc:false},
{when:860310000, index:0x1, isstd:false, isutc:false},
{when:877845600, index:0x2, isstd:false, isutc:false},
{when:891759600, index:0x1, isstd:false, isutc:false},
{when:909295200, index:0x2, isstd:false, isutc:false},
{when:923209200, index:0x1, isstd:false, isutc:false},
{when:941349600, index:0x2, isstd:false, isutc:false},
{when:954658800, index:0x1, isstd:false, isutc:false},
{when:972799200, index:0x2, isstd:false, isutc:false},
{when:986108400, index:0x1, isstd:false, isutc:false},
{when:1004248800, index:0x2, isstd:false, isutc:false},
{when:1018162800, index:0x1, isstd:false, isutc:false},
{when:1035698400, index:0x2, isstd:false, isutc:false},
{when:1049612400, index:0x1, isstd:false, isutc:false},
{when:1067148000, index:0x2, isstd:false, isutc:false},
{when:1081062000, index:0x1, isstd:false, isutc:false},
{when:1099202400, index:0x2, isstd:false, isutc:false},
{when:1112511600, index:0x1, isstd:false, isutc:false},
{when:1130652000, index:0x2, isstd:false, isutc:false},
{when:1143961200, index:0x1, isstd:false, isutc:false},
{when:1162101600, index:0x2, isstd:false, isutc:false},
{when:1173596400, index:0x1, isstd:false, isutc:false},
{when:1194156000, index:0x2, isstd:false, isutc:false},
{when:1205046000, index:0x1, isstd:false, isutc:false},
{when:1225605600, index:0x2, isstd:false, isutc:false},
{when:1236495600, index:0x1, isstd:false, isutc:false},
{when:1257055200, index:0x2, isstd:false, isutc:false},
{when:1268550000, index:0x1, isstd:false, isutc:false},
{when:1289109600, index:0x2, isstd:false, isutc:false},
{when:1299999600, index:0x1, isstd:false, isutc:false},
{when:1320559200, index:0x2, isstd:false, isutc:false},
{when:1331449200, index:0x1, isstd:false, isutc:false},
{when:1352008800, index:0x2, isstd:false, isutc:false},
{when:1362898800, index:0x1, isstd:false, isutc:false},
{when:1383458400, index:0x2, isstd:false, isutc:false},
{when:1394348400, index:0x1, isstd:false, isutc:false},
{when:1414908000, index:0x2, isstd:false, isutc:false},
{when:1425798000, index:0x1, isstd:false, isutc:false},
{when:1446357600, index:0x2, isstd:false, isutc:false},
{when:1457852400, index:0x1, isstd:false, isutc:false},
{when:1478412000, index:0x2, isstd:false, isutc:false},
{when:1489302000, index:0x1, isstd:false, isutc:false},
{when:1509861600, index:0x2, isstd:false, isutc:false},
{when:1520751600, index:0x1, isstd:false, isutc:false},
{when:1541311200, index:0x2, isstd:false, isutc:false},
{when:1552201200, index:0x1, isstd:false, isutc:false},
{when:1572760800, index:0x2, isstd:false, isutc:false},
{when:1583650800, index:0x1, isstd:false, isutc:false},
{when:1604210400, index:0x2, isstd:false, isutc:false},
{when:1615705200, index:0x1, isstd:false, isutc:false},
{when:1636264800, index:0x2, isstd:false, isutc:false},
{when:1647154800, index:0x1, isstd:false, isutc:false},
{when:1667714400, index:0x2, isstd:false, isutc:false},
{when:1678604400, index:0x1, isstd:false, isutc:false},
{when:1699164000, index:0x2, isstd:false, isutc:false},
{when:1710054000, index:0x1, isstd:false, isutc:false},
{when:1730613600, index:0x2, isstd:false, isutc:false},
{when:1741503600, index:0x1, isstd:false, isutc:false},
{when:1762063200, index:0x2, isstd:false, isutc:false},
{when:1772953200, index:0x1, isstd:false, isutc:false},
{when:1793512800, index:0x2, isstd:false, isutc:false},
{when:1805007600, index:0x1, isstd:false, isutc:false},
{when:1825567200, index:0x2, isstd:false, isutc:false},
{when:1836457200, index:0x1, isstd:false, isutc:false},
{when:1857016800, index:0x2, isstd:false, isutc:false},
{when:1867906800, index:0x1, isstd:false, isutc:false},
{when:1888466400, index:0x2, isstd:false, isutc:false},
{when:1899356400, index:0x1, isstd:false, isutc:false},
{when:1919916000, index:0x2, isstd:false, isutc:false},
{when:1930806000, index:0x1, isstd:false, isutc:false},
{when:1951365600, index:0x2, isstd:false, isutc:false},
{when:1962860400, index:0x1, isstd:false, isutc:false},
{when:1983420000, index:0x2, isstd:false, isutc:false},
{when:1994310000, index:0x1, isstd:false, isutc:false},
{when:2014869600, index:0x2, isstd:false, isutc:false},
{when:2025759600, index:0x1, isstd:false, isutc:false},
{when:2046319200, index:0x2, isstd:false, isutc:false},
{when:2057209200, index:0x1, isstd:false, isutc:false},
{when:2077768800, index:0x2, isstd:false, isutc:false},
{when:2088658800, index:0x1, isstd:false, isutc:false},
{when:2109218400, index:0x2, isstd:false, isutc:false},
{when:2120108400, index:0x1, isstd:false, isutc:false},
{when:2140668000, index:0x2, isstd:false, isutc:false},
},
cacheStart: 1583650800,
cacheEnd: 1604210400,
cacheZone: &time.zone{(CYCLIC REFERENCE)},
},
},
Nonce: (*bo.Nonce)(nil),
AttestationTypes: nil,
ClientCorrelationValue: (*string)(nil),
ServerCorrelationValue: (*string)(nil),
BatchCount: &int32(1),
},
ResponseBatchItems: {
&message.ResponseBatchItem{
Operation: &enum.Operation(0x3),
UniqueBatchItemID: nil,
ResultStatus: &enum.ResultStatus(0x1),
ResultReason: &enum.ResultReason(0x7),
ResultMessage: &"result reason: ResultReasonInvalidField; additional message: object with "scope_text_names" name of "Secret Data" already exists",
AsynchronousCorrelationValue: nil,
ResponsePayload: nil,
MessageExtension: (*message.MessageExtension)(nil),
},
},
}"
```
```text
2020-06-02T16:04:31.390-0400 [INFO] secrets.kmip.kmip_92497e23.kmipserver: sending object: object="

Tag: ResponseMessage
Type: Structure
Length/Padding: 136/0
| Tag: ResponseHeader
| Type: Structure
| Length/Padding: 72/0
| | Tag: ProtocolVersion
| | Type: Structure
| | Length/Padding: 32/0
| | | Tag: ProtocolVersionMajor
| | | Type: Integer
| | | Length/Padding: 4/4
| | | Value: 1
| | | Tag: ProtocolVersionMinor
| | | Type: Integer
| | | Length/Padding: 4/4
| | | Value: 4
| | Tag: TimeStamp
| | Type: DateTime
| | Length/Padding: 8/0
| | Value: 2020-06-02T16:04:31-04:00
| | Tag: BatchCount
| | Type: Integer
| | Length/Padding: 4/4
| | Value: 1
| Tag: BatchItem
| Type: Structure
| Length/Padding: 48/0
| | Tag: Operation
| | Type: Enumeration
| | Length/Padding: 4/4
| | Value: 3
| | Tag: ResultStatus
| | Type: Enumeration
| | Length/Padding: 4/4
| | Value: 1
| | Tag: ResultReason
| | Type: Enumeration
| | Length/Padding: 4/4
| | Value: 7
```

It certainly is detailed. However, I am not sure what to make of the error; everything seems in place?
(I had to lay it out over multiple messages because of the maximum length limit.)

So with pykmip, Vault probably returned a malformed response, or I am not sure whether the standard supports this and pykmip should expect it not to be present. Anyway, this line fails in pykmip:

```python
message = result.result_message.value
```

As result.result_message is null, it does not have any attribute value.

Here's your error (this would've been clearer in the audit log, I think, btw):

```text
&"result reason: ResultReasonInvalidField; additional message: object with "scope_text_names" name of "Secret Data" already exists",
```

You’re trying to register an object with a name that already exists, and names must be unique within a given scope.

Can you please confirm whether the name refers to this section?

```text
&kmip.Attribute{
Name: &"Name",
Index: (*int32)(nil),
Value: &data.Structure{
Value: {
&data.Object{
Tag: 0x420055,
Data: &data.TextString{Value:"somevalue"},
},
&data.Object{
Tag: 0x420054,
Data: &data.Enumeration{Value:0x1},
},
},
},
```

It was defaulting to Secret Data; I changed it to somevalue right now and am getting this error:

```text
The Register response payload encoding is missing the unique identifier.
```

The Register response in the logs is:

```text
Tag: ResponseMessage
Type: Structure
Length/Padding: 184/0
| Tag: ResponseHeader
| Type: Structure
| Length/Padding: 72/0
| | Tag: ProtocolVersion
| | Type: Structure
| | Length/Padding: 32/0
| | | Tag: ProtocolVersionMajor
| | | Type: Integer
| | | Length/Padding: 4/4
| | | Value: 1
| | | Tag: ProtocolVersionMinor
| | | Type: Integer
| | | Length/Padding: 4/4
| | | Value: 4
| | Tag: TimeStamp
| | Type: DateTime
| | Length/Padding: 8/0
| | Value: 2020-06-02T16:23:13-04:00
| | Tag: BatchCount
| | Type: Integer
| | Length/Padding: 4/4
| | Value: 1
| Tag: BatchItem
| Type: Structure
| Length/Padding: 96/0
| | Tag: Operation
| | Type: Enumeration
| | Length/Padding: 4/4
| | Value: 3
| | Tag: ResultStatus
| | Type: Enumeration
| | Length/Padding: 4/4
| | Value: 0
| | Tag: ResponsePayload
| | Type: Structure
| | Length/Padding: 56/0
| | | Tag: ObjectType
| | | Type: Enumeration
| | | Length/Padding: 4/4
| | | Value: 7
| | | Tag: UniqueIdentifier
| | | Type: TextString
| | | Length/Padding: 32/0
| | | Value: 9DzPQoQv8wntpaPu9XsAFlh3TvydVupz
```

It seems the unique identifier is here; might it be a pykmip bug then?

@ncabatoff, after looking at the pykmip source code, I see that it does not expect the additional tag attribute which is returned. If I tweak it to expect it and find the correct one in the response, it works as desired. However, I am not sure whether the OASIS spec supports it or not; if it does, then it's a pykmip flaw. Thank you for all the help; I'll look around some more tomorrow.

@ncabatoff, looking at the KMIP spec, I don't think the spec expects this in the response, and that's why pykmip does not take it into account:

```text
| | | Tag: ObjectType
| | | Type: Enumeration
| | | Length/Padding: 4/4
| | | Value: 7
```

Here's what I have been looking at: https://docs.oasis-open.org/kmip/spec/v1.4/os/kmip-spec-v1.4-os.html#_Toc490660843. Can you please confirm whether my understanding is accurate; otherwise, can we patch pykmip to make sure it does the right thing?

Looking forward to hearing from you. Thank you
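The TTLV dumps quoted in this thread (the request and response trees, and in particular the successful Register response whose payload carries ObjectType ahead of UniqueIdentifier) can be reproduced and checked offline. What follows is an added example, not code from this thread, from Vault or from pykmip. It encodes the Register response from the log as TTLV bytes, checks that the structure lengths (184/72/96/56) come out as the log shows, decodes the bytes back into the same Tag/Type/Length/Padding layout, and contrasts a positional reader that insists the payload start with UniqueIdentifier (a model of the failure reported above, not pykmip's actual parsing code) with a tag-driven reader that tolerates an extra item. Tag numbers are taken from the KMIP 1.4 tag table (the NameValue/NameType values 0x420055/0x420054 visible in the log agree with it); the timestamp is the log's 2020-06-02T16:23:13-04:00 as POSIX seconds.

```python
"""TTLV round-trip for the Register response quoted in the thread (added example)."""
import struct

# Tag values from the KMIP 1.4 tag table; names as they appear in Vault's debug dump.
TAGS = {
    "ResponseMessage": 0x42007B, "ResponseHeader": 0x42007A,
    "ProtocolVersion": 0x420069, "ProtocolVersionMajor": 0x42006A,
    "ProtocolVersionMinor": 0x42006B, "TimeStamp": 0x420092,
    "BatchCount": 0x42000D, "BatchItem": 0x42000F, "Operation": 0x42005C,
    "ResultStatus": 0x42007F, "ResultReason": 0x42007E, "ResultMessage": 0x42007D,
    "ResponsePayload": 0x42007C, "ObjectType": 0x420057, "UniqueIdentifier": 0x420094,
}
TAG_NAMES = {v: k for k, v in TAGS.items()}
# TTLV item types used in this example
STRUCTURE, INTEGER, ENUMERATION, TEXT_STRING, DATE_TIME = 0x01, 0x02, 0x05, 0x07, 0x09
TYPE_NAMES = {STRUCTURE: "Structure", INTEGER: "Integer", ENUMERATION: "Enumeration",
              TEXT_STRING: "TextString", DATE_TIME: "DateTime"}


def _pad8(n):
    """Padding bytes that bring n up to a multiple of 8 (the Padding column in the log)."""
    return (8 - n % 8) % 8


def encode(tag, typ, value):
    """Encode one item: 3-byte tag, 1-byte type, 4-byte big-endian length, value padded to 8."""
    if typ == STRUCTURE:
        body, length = b"".join(value), None          # children are already 8-aligned
    elif typ in (INTEGER, ENUMERATION):
        body, length = struct.pack(">i", value), 4     # 4 data bytes + 4 padding bytes
    elif typ == DATE_TIME:
        body, length = struct.pack(">q", value), 8     # POSIX seconds, no padding
    elif typ == TEXT_STRING:
        body, length = value.encode("utf-8"), None
    else:
        raise ValueError("type %#x not handled" % typ)
    if length is None:
        length = len(body)
    header = struct.pack(">I", tag)[1:] + bytes([typ]) + struct.pack(">I", length)
    return header + body + b"\x00" * _pad8(len(body))


def decode(buf, offset=0):
    """Decode the item at offset; returns (item, offset of the next item). Structures recurse."""
    tag = int.from_bytes(buf[offset:offset + 3], "big")
    typ = buf[offset + 3]
    (length,) = struct.unpack(">I", buf[offset + 4:offset + 8])
    start = offset + 8
    raw = buf[start:start + length]
    if typ == STRUCTURE:
        value, pos = [], start
        while pos < start + length:
            child, pos = decode(buf, pos)
            value.append(child)
    elif typ in (INTEGER, ENUMERATION):
        (value,) = struct.unpack(">i", raw)
    elif typ == DATE_TIME:
        (value,) = struct.unpack(">q", raw)
    elif typ == TEXT_STRING:
        value = raw.decode("utf-8")
    else:
        value = raw                                     # unknown type: keep the raw bytes
    item = {"tag": tag, "name": TAG_NAMES.get(tag, "0x%06X" % tag), "type": typ,
            "length": length, "value": value}
    return item, start + length + _pad8(length)


def dump(item, depth=0):
    """Render a decoded item the way Vault's KMIP debug log does."""
    p = "| " * depth
    lines = [p + "Tag: " + item["name"], p + "Type: " + TYPE_NAMES.get(item["type"], "?"),
             p + "Length/Padding: %d/%d" % (item["length"], _pad8(item["length"]))]
    if item["type"] == STRUCTURE:
        for child in item["value"]:
            lines += dump(child, depth + 1)
    else:
        lines.append(p + "Value: %s" % item["value"])
    return lines


def find(structure, tag):
    """First child with the given tag, or None; extra or unknown siblings are skipped."""
    for child in structure["value"]:
        if child["tag"] == tag:
            return child
    return None


def build_register_response(unique_id, timestamp):
    """Constructed wire image of the successful Register response shown in the thread."""
    T = TAGS
    payload = encode(T["ResponsePayload"], STRUCTURE, [
        encode(T["ObjectType"], ENUMERATION, 7),        # 7 = SecretData, the extra item at issue
        encode(T["UniqueIdentifier"], TEXT_STRING, unique_id),
    ])
    batch_item = encode(T["BatchItem"], STRUCTURE, [
        encode(T["Operation"], ENUMERATION, 3),         # 3 = Register
        encode(T["ResultStatus"], ENUMERATION, 0),      # 0 = Success
        payload,
    ])
    header = encode(T["ResponseHeader"], STRUCTURE, [
        encode(T["ProtocolVersion"], STRUCTURE, [
            encode(T["ProtocolVersionMajor"], INTEGER, 1),
            encode(T["ProtocolVersionMinor"], INTEGER, 4),
        ]),
        encode(T["TimeStamp"], DATE_TIME, timestamp),
        encode(T["BatchCount"], INTEGER, 1),
    ])
    return encode(T["ResponseMessage"], STRUCTURE, [header, batch_item])


def _payload(msg):
    return find(find(msg, TAGS["BatchItem"]), TAGS["ResponsePayload"])


def unique_identifier_strict(msg):
    """Positional reader: requires UniqueIdentifier first (models the reported failure)."""
    first = _payload(msg)["value"][0]
    if first["tag"] != TAGS["UniqueIdentifier"]:
        raise ValueError("Register response payload encoding is missing the unique identifier")
    return first["value"]


def unique_identifier_tolerant(msg):
    """Tag-driven reader: finds UniqueIdentifier wherever it sits in the payload."""
    uid = find(_payload(msg), TAGS["UniqueIdentifier"])
    if uid is None:
        raise ValueError("Register response payload encoding is missing the unique identifier")
    return uid["value"]


if __name__ == "__main__":
    wire = build_register_response("9DzPQoQv8wntpaPu9XsAFlh3TvydVupz", 1591129393)
    msg, _ = decode(wire)
    print("\n".join(dump(msg)))
    print("tolerant reader:", unique_identifier_tolerant(msg))
```

Running it prints the same tree as the log excerpt above (184-byte message, 56-byte payload) and then the identifier; the strict reader raises the exact "missing the unique identifier" message the thread reports, while the tag-driven reader returns the identifier whether or not ObjectType precedes it. Reading structures by tag rather than by position is the defensive choice for any KMIP client, since servers legitimately differ in which optional items they emit.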

Also, looking at the name attribute which was causing issues before, I looked it up and it seems that it should be okay to repeat it with respect to the OASIS spec: https://docs.oasis-open.org/kmip/spec/v1.4/os/kmip-spec-v1.4-os.html#_Toc490660757. Can you please confirm? We can certainly change our client implementation to factor that in, but I want to be sure that we don't miss a valid case. Thank you.

I think you're confusing "attribute name" with the attribute named "Name". I was talking about the latter, i.e. http://docs.oasis-open.org/kmip/spec/v1.4/os/kmip-spec-v1.4-os.html#_Toc490660785

The spec says that a Register call where you are "Trying to register a new object with the same Name attribute value as an existing object" should return a failure with ResultReason=InvalidField (7). That's what the enumeration you cite is: the result reason.

Thank you for getting back to me. Yes, you are right, I confused the two. However, can you please confirm the response being sent back and the additional ObjectType tag added, which results in pykmip not handling the Register response as desired and failing? I have pointed out a spec link as well which shows what the response can contain.

@ncabatoff, please let me know if you think this is a valid issue; I can maybe open an issue on GitHub if you think that's the best way forward, and paste the link here.

Did you see my previous response about ResultReason?