{"id":10104,"library":"pykmip","title":"PyKMIP - Key Management Interoperability Protocol","description":"PyKMIP (Python Key Management Interoperability Protocol) is a client library for interacting with KMIP servers, enabling operations such as creating, retrieving, deleting, and managing cryptographic keys and objects. The current version is 0.10.0, and it follows a somewhat irregular but active release cadence, typically with bug fixes and minor features between major functional updates.","status":"active","version":"0.10.0","language":"en","source_language":"en","source_url":"https://github.com/OpenKMIP/PyKMIP","tags":["kmip","key-management","cryptography","tls","security"],"install":[{"cmd":"pip install pykmip","lang":"bash","label":"Install PyKMIP"}],"dependencies":[{"reason":"Core dependency for cryptographic operations and TLS functionality.","package":"cryptography"},{"reason":"Used for parsing YAML configuration files, optional if not using config files.","package":"pyyaml","optional":true}],"imports":[{"note":"The PyKMIP library uses the 'kmip.pie' (Python Implementation Examples) namespace for its primary client and objects. The concrete client class in `kmip.pie.client` is `ProxyKmipClient`; there is no importable `pykmip` package.","wrong":"from pykmip.client import KmipClient","symbol":"ProxyKmipClient","correct":"from kmip.pie.client import ProxyKmipClient"},{"note":"The KMIP enumerations (object types, algorithms, usage masks, result statuses) live in `kmip.core.enums`; the top-level package also exposes them as `from kmip import enums`. They are not under `pykmip`.","wrong":"from pykmip import enums","symbol":"enums","correct":"from kmip.core import enums"},{"note":"The PyKMIP library uses the 'kmip.pie' (Python Implementation Examples) namespace for its primary client and objects.","wrong":"from pykmip import objects","symbol":"objects","correct":"from kmip.pie import objects"}],"quickstart":{"code":"import os\nfrom kmip.core import enums\nfrom kmip.pie.client import ProxyKmipClient\nfrom kmip.pie.exceptions import KmipOperationFailure\n\n# Configure KMIP server details from environment variables for security\nKMIP_HOST = os.environ.get(\"KMIP_HOST\", \"localhost\")\nKMIP_PORT = int(os.environ.get(\"KMIP_PORT\", \"5696\"))\nCLIENT_CERT_PATH = os.environ.get(\"CLIENT_CERT_PATH\", \"./client.pem\")\nCLIENT_KEY_PATH = os.environ.get(\"CLIENT_KEY_PATH\", \"./client.key\")\nCA_CERT_PATH = os.environ.get(\"CA_CERT_PATH\", \"./ca.pem\")\n\ntry:\n    # Initialize the KMIP client with TLS configuration. The context manager\n    # opens the connection on entry and closes it on exit, so do not call\n    # client.open() again inside the block.\n    with ProxyKmipClient(\n        hostname=KMIP_HOST,\n        port=KMIP_PORT,\n        cert=CLIENT_CERT_PATH,\n        key=CLIENT_KEY_PATH,\n        ca=CA_CERT_PATH,\n        ssl_version=\"PROTOCOL_TLSv1_2\"  # Explicit TLSv1.2; \"PROTOCOL_TLS\" lets ssl negotiate\n    ) as client:\n        print(f\"Successfully connected to KMIP server at {KMIP_HOST}:{KMIP_PORT}\")\n\n        # Example 1: Create a new symmetric key. ProxyKmipClient.create() returns\n        # the new object's unique identifier and raises KmipOperationFailure\n        # when the server reports any result status other than SUCCESS.\n        print(\"\\nCreating a 256-bit AES symmetric key...\")\n        key_uuid = client.create(\n            enums.CryptographicAlgorithm.AES,\n            256,\n            cryptographic_usage_mask=[\n                enums.CryptographicUsageMask.ENCRYPT,\n                enums.CryptographicUsageMask.DECRYPT\n            ]\n        )\n        print(f\"Key created successfully. UUID: {key_uuid}\")\n\n        # Example 2: Destroy the created key (returns None on success, raises on failure)\n        print(f\"\\nDestroying key with UUID: {key_uuid}...\")\n        client.destroy(key_uuid)\n        print(f\"Key {key_uuid} destroyed successfully.\")\n\nexcept KmipOperationFailure as e:\n    # The exception carries the server's result status, reason and message\n    print(f\"KMIP operation failed: {e}\")\nexcept ConnectionRefusedError:\n    print(f\"Error: Connection refused. Is the KMIP server running on {KMIP_HOST}:{KMIP_PORT}?\")\nexcept FileNotFoundError as e:\n    print(f\"Error: Certificate or key file not found: {e}. Check paths: {CLIENT_CERT_PATH}, {CLIENT_KEY_PATH}, {CA_CERT_PATH}\")\nexcept Exception as e:\n    print(f\"An unexpected error occurred: {e}\")\nfinally:\n    # The 'with' statement handles client closing automatically\n    print(\"\\nKMIP client operations completed.\")","lang":"python","description":"This quickstart demonstrates how to connect to a KMIP server using `ProxyKmipClient`, create a new symmetric key, and then destroy it. It reads connection details and certificate paths from environment variables rather than hard-coding them, and includes basic error handling for failed KMIP operations and for common connection and file issues. Ensure you have client and CA certificates (e.g., `client.pem`, `client.key`, `ca.pem`) configured for TLS."},"warnings":[{"fix":"Avoid accessing private (`_`) methods of `ProxyKmipClient`. Rely on the public API for configuration and operations. Use the `ProxyKmipClient` constructor arguments (`cert`, `key`, `ca`, `ssl_version`) for TLS setup.","message":"Major internal refactoring of the `ProxyKmipClient` and TLS context management in v0.8.0. Direct access to internal methods like `_build_tls_context` will break.","severity":"breaking","affected_versions":">=0.8.0"},{"fix":"Always import from `kmip.pie.client`, `kmip.core.enums`, `kmip.pie.objects`, etc., instead of `pykmip.client` or `pykmip`.","message":"PyKMIP's package structure uses the `kmip.pie` namespace for its core components (client, objects) and `kmip.core` for enumerations, not `pykmip` directly. This is a common source of `ModuleNotFoundError`.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Verify that `cert`, `key`, and `ca` paths are correct and accessible. Ensure certificates are in PEM format. Check that the server's certificate matches the hostname you are connecting to. Consult server logs for more detailed TLS errors.","message":"TLS configuration is critical and often misconfigured. Incorrect certificate paths, formats, or hostname mismatches can lead to `SSLError` or `ConnectionRefusedError`.","severity":"gotcha","affected_versions":"All versions"},{"fix":"For broader compatibility, consider omitting `ssl_version` or passing the protocol name as a string, e.g. `ssl_version=\"PROTOCOL_TLS\"` (PyKMIP looks the name up on Python's `ssl` module), to let the underlying `ssl` library negotiate the highest secure protocol version supported by both client and server. Only specify `\"PROTOCOL_TLSv1_2\"` if strict enforcement for older servers is required.","message":"Explicitly setting `ssl_version` (e.g., `\"PROTOCOL_TLSv1_2\"`) can limit compatibility. While common in PyKMIP examples, Python's `ssl` module generally recommends `PROTOCOL_TLS` for negotiation.","severity":"gotcha","affected_versions":"All versions"}],"env_vars":null,"last_verified":"2026-04-17T00:00:00.000Z","next_check":"2026-07-16T00:00:00.000Z","problems":[{"fix":"Change your import statements from `from pykmip...` to `from kmip.pie...` or `from kmip.core...`. For example, `from kmip.pie.client import ProxyKmipClient` and `from kmip.core import enums`.","cause":"Incorrect import path; the core components of PyKMIP are under the `kmip.pie` and `kmip.core` namespaces.","error":"ModuleNotFoundError: No module named 'pykmip.pie'"},{"fix":"Ensure the `ca` parameter points to the correct CA certificate chain file that signed the server's certificate. Verify `cert` and `key` parameters for the client are valid. Check certificate expiry dates and confirm the server's hostname matches its certificate's common name (CN) or Subject Alternative Name (SAN).","cause":"The client failed to verify the server's TLS certificate, or the client's own certificate/key is invalid/missing. Common reasons include a missing CA certificate (`ca` parameter), an incorrect certificate chain, expired certificates, or a hostname mismatch.","error":"ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:1129)"},{"fix":"Verify the KMIP server process is active. Check the server's configuration for the listening IP address and port. Use `ping`, `telnet`, or `nc` to test network connectivity to the KMIP host and port (e.g., `telnet localhost 5696`). Disable firewalls temporarily for testing, if applicable.","cause":"The KMIP server is not running, is not listening on the specified host/port, or a firewall is blocking the connection.","error":"ConnectionRefusedError: [Errno 111] Connection refused"},{"fix":"With the low-level `KMIPProxy` client, always check `result.result_status.value == enums.ResultStatus.SUCCESS` before accessing attributes of the result object, and handle non-success statuses gracefully, typically by logging `result.result_reason` and `result.result_message`. With the high-level `ProxyKmipClient`, operations return the value directly (e.g. `create()` returns the UUID string) and raise `KmipOperationFailure` on failure, so wrap calls in `try`/`except` instead of inspecting a result object.","cause":"A KMIP operation (e.g., `create`, `get`) failed, but the code attempted to access attributes like `uuid` or `managed_object` on a result that was `None` or on a failed result without first checking the `result_status`.","error":"AttributeError: 'NoneType' object has no attribute 'uuid'"}]}