Rework flags and tls config and enable one cert per endpoint

See merge request !108

Rework flags and tls config and enable one cert per endpoint
e414b725 · Neil-Jocelyn Schark · 5adbd896 · e414b725 · e414b725 · e414b725
Commit e414b725 authored 1 year ago by Neil-Jocelyn Schark
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -108,7 +108,6 @@ integration-test-kms:
                  "debug",
                  "--kms_config",
                  "/config/kms/kms_1.yaml",
-                  "--insecure",
              ]
        - name: $IMAGE_PATH/gokms:${CI_COMMIT_REF_SLUG}_integration-test
          alias: kms_2
@@ -118,7 +117,6 @@ integration-test-kms:
                  "debug",
                  "--kms_config",
                  "/config/kms/kms_2.yaml",
-                  "--insecure",
              ]
        - name: $IMAGE_PATH/quantumlayer:${CI_COMMIT_REF_SLUG}_integration-test
          alias: quantumlayer_1

--- a/Makefile
+++ b/Makefile
@@ -44,6 +44,8 @@ lint-fix: install-tools
 unit-test:
 	go test -coverprofile=coverage.out -v ./goKMS/... ./quantumlayer/...

+build: build-gokms build-quantumlayer build-etsi14module build-akms-simulator
+
 build-gokms: pre
 	CGO_ENABLED=0 $(GOBUILD) -o $(BUILD_ARTIFACTS_PATH)/goKMS ./goKMS/main.go

@@ -96,7 +98,7 @@ debug-kms-down:

 integration-test-debug-up: generate-integration-test-certs build-images
 	docker-compose -f integration-tests/docker-compose_integration_test.yml down
-	docker-compose -f integration-tests/docker-compose_integration_test.yml up -d
+	docker-compose -f integration-tests/docker-compose_integration_test.yml up

 integration-test-debug-down:
 	docker-compose -f integration-tests/docker-compose_integration_test.yml down

--- a/README.md
+++ b/README.md
@@ -31,9 +31,28 @@ A goKMS can be configured through a configuration file, as seen below:
 Id: "0ff33c82-7fe1-482b-a0ca-67565806ee4b" # ID of the kms
 Name: kms01 # name of the kms
 InterComAddr: 172.100.20.10:50910 # Address of the endpoint for inter communication
-GRPCAddr: 172.100.20.10:50900 # deprecated
 AkmsURL: "http://172.100.20.22:4444/api/v1/keys/push_ksa_key" # address of the rest endpoint of a connected AKMS (used for sending KSA key to the AKMS).
 AkmsCkmsServerPort: "9696" # Port of connected AKMS
+GnmiTLS: # Settings for TLS for gNMI endpoint. Can be overwritten with cli parameters.
+  TLS: true # Whether TLS is enabled
+  CAFile: "ssl/ca.crt" # Path to ca
+  CertFile: "ssl/kms/kms1-selfsigned.crt" # Path to cert
+  KeyFile: "ssl/kms/kms1-selfsigned.key" # Path to key
+KmsTLS: # Settings for TLS for inter KMS communication
+  TLS: true # Whether TLS is enabled
+  CAFile: "ssl/ca.crt" # Path to ca
+  CertFile: "ssl/kms/kms1-selfsigned.crt" # Path to cert
+  KeyFile: "ssl/kms/kms1-selfsigned.key" # Path to key
+QuantumModuleTLS: # Settings for TLS for quantum module communication
+  TLS: true # Whether TLS is enabled
+  CAFile: "ssl/ca.crt" # Path to ca
+  CertFile: "ssl/kms/kms1-selfsigned.crt" # Path to cert
+  KeyFile: "ssl/kms/kms1-selfsigned.key" # Path to key
+AkmsCkmsTLS: # Settings for TLS for akms ckms interface
+  TLS: true # Whether TLS is enabled
+  CAFile: "ssl/ca.crt" # Path to ca
+  CertFile: "ssl/kms/kms1-selfsigned.crt" # Path to cert
+  KeyFile: "ssl/kms/kms1-selfsigned.key" # Path to key
 Peers: # Peers to other goKMS
    # peer to goKMS02
    - PeerId: "5e41c291-6121-4335-84f6-41e04b8bdaa2" # id of the peer
@@ -51,6 +70,27 @@ Peers: # Peers to other goKMS
          Address: 172.100.20.18
 ```

+You can also provide some configuration via command line arguments. Only settings relevant for running goKMS with remote configuration via gNMI are available here. This includes gNMI TLS settings and log level. Furthermore a path to a configuration file can be provided. Keep in mind that cli arguments will be prioritized, so you can overwrite your gNMI settings in the config file with your cli arguments.
+
+Available are the following flags:
+```bash
+Usage of goKMS:
+  -caFile string
+        location of the gNMI ca file (overwrites settings in config file)
+  -certFile string
+        location of the gNMI cert file (overwrites settings in config file)
+  -gnmiBindAddress string
+        address to bind gNMI to (overwrites settings in config file) (default ":7030")
+  -gnmiTLS
+        If true do use TLS for gNMI, paths to ca, cert and key must be set aswell (overwrites settings in config file)
+  -keyFile string
+        location of the gNMI key file (overwrites settings in config file)
+  -kms_config string
+        path to the config file
+  -log string
+        logrus lof level (debug, info, warn, error, fatal, panic) (default "info")
+```
+
 ### Interfaces

 #### Inter-KMS Communication
@@ -86,7 +126,7 @@ it is possible to manage (GET/SET/subscribe) configuration data of the KMS.
 Currently we use the [temp.yang](goKMS/models/danet/temp.yang) file for this and only a part of
 it is implemented yet.

-## quantumlayer
+## Quantumlayer

 A prototypical implementation of an emulated quantum module.


--- a/config/goKMS/example01.yaml
+++ b/config/goKMS/example01.yaml
@@ -5,11 +5,16 @@ QuantumAddr: 172.100.20.10:50911
 GRPCAddr: 172.100.20.10:50900
 AkmsURL: "http://172.100.20.22:4444/api/v1/keys/push_ksa_key"
 AkmsCkmsServerPort: "9696"
-TLS: true
-ETSI14TLS: true
-CAFile: "ssl/ca.crt"
-CertFile: "ssl/kms/kms1-selfsigned.crt"
-KeyFile: "ssl/kms/kms1-selfsigned.key"
+KmsTLS:
+  TLS: true
+  CAFile: "ssl/ca.crt"
+  CertFile: "ssl/kms/kms1-selfsigned.crt"
+  KeyFile: "ssl/kms/kms1-selfsigned.key"
+QuantumModuleTLS:
+  TLS: true
+  CAFile: "ssl/ca.crt"
+  CertFile: "ssl/kms/kms1-selfsigned.crt"
+  KeyFile: "ssl/kms/kms1-selfsigned.key"
 Peers:
  # peer to kms02
  - PeerId: "5e41c291-6121-4335-84f6-41e04b8bdaa2"

--- a/config/goKMS/example02.yaml
+++ b/config/goKMS/example02.yaml
@@ -3,11 +3,16 @@ Name: kms02
 InterComAddr: 172.100.20.11:50910
 QuantumAddr: 172.100.20.11:50911
 GRPCAddr: 172.100.20.11:50900
-TLS: true
-ETSI14TLS: true
-CAFile: "ssl/ca.crt"
-CertFile: "ssl/kms/kms2-selfsigned.crt"
-KeyFile: "ssl/kms/kms2-selfsigned.key"
+KmsTLS:
+  TLS: true
+  CAFile: "ssl/ca.crt"
+  CertFile: "ssl/kms/kms2-selfsigned.crt"
+  KeyFile: "ssl/kms/kms2-selfsigned.key"
+QuantumModuleTLS:
+  TLS: true
+  CAFile: "ssl/ca.crt"
+  CertFile: "ssl/kms/kms2-selfsigned.crt"
+  KeyFile: "ssl/kms/kms2-selfsigned.key"
 Peers:
  # peer to kms01
  - PeerId: "0ff33c82-7fe1-482b-a0ca-67565806ee4b"

--- a/config/goKMS/example03.yaml
+++ b/config/goKMS/example03.yaml
@@ -3,11 +3,16 @@ Name: kms03
 InterComAddr: 172.100.20.12:50910
 QuantumAddr: 172.100.20.12:50911
 GRPCAddr: 172.100.20.12:50900
-TLS: true
-ETSI14TLS: true
-CAFile: "ssl/ca.crt"
-CertFile: "ssl/kms/kms3-selfsigned.crt"
-KeyFile: "ssl/kms/kms3-selfsigned.key"
+KmsTLS:
+  TLS: true
+  CAFile: "ssl/ca.crt"
+  CertFile: "ssl/kms/kms3-selfsigned.crt"
+  KeyFile: "ssl/kms/kms3-selfsigned.key"
+QuantumModuleTLS:
+  TLS: true
+  CAFile: "ssl/ca.crt"
+  CertFile: "ssl/kms/kms3-selfsigned.crt"
+  KeyFile: "ssl/kms/kms3-selfsigned.key"
 Peers:
  # peer to kms01
  - PeerId: "0ff33c82-7fe1-482b-a0ca-67565806ee4b"

--- a/config/goKMS/example04.yaml
+++ b/config/goKMS/example04.yaml
@@ -5,11 +5,16 @@ QuantumAddr: 172.100.20.13:50911
 GRPCAddr: 172.100.20.13:50900
 AkmsURL: "http://172.100.20.23:4444/api/v1/keys/push_ksa_key"
 AkmsCkmsServerPort: "9696"
-TLS: true
-ETSI14TLS: true
-CAFile: "ssl/ca.crt"
-CertFile: "ssl/kms/kms4-selfsigned.crt"
-KeyFile: "ssl/kms/kms4-selfsigned.key"
+KmsTLS:
+  TLS: true
+  CAFile: "ssl/ca.crt"
+  CertFile: "ssl/kms/kms4-selfsigned.crt"
+  KeyFile: "ssl/kms/kms4-selfsigned.key"
+QuantumModuleTLS:
+  TLS: true
+  CAFile: "ssl/ca.crt"
+  CertFile: "ssl/kms/kms4-selfsigned.crt"
+  KeyFile: "ssl/kms/kms4-selfsigned.key"
 Peers:
  # peer to kms02
  - PeerId: "5e41c291-6121-4335-84f6-41e04b8bdaa2"

--- a/debug_configs/config/kms/kms_1.yaml
+++ b/debug_configs/config/kms/kms_1.yaml
@@ -5,10 +5,11 @@ GRPCAddr: 127.0.0.1:50900
 QuantumAddr: 0.0.0.0:50911
 AkmsURL: "http://127.0.0.1:4444/api/v1/keys/push_ksa_key"
 AkmsCkmsServerPort: "9696"
-TLS: true
-CAFile: "../artifacts/ssl/ca.crt"
-CertFile: "../artifacts/ssl/debug-kms/kms1-selfsigned.crt"
-KeyFile: "../artifacts/ssl/debug-kms/kms1-selfsigned.key"
+KmsTLS:
+  TLS: true
+  CAFile: "../artifacts/ssl/ca.crt"
+  CertFile: "../artifacts/ssl/debug-kms/kms1-selfsigned.crt"
+  KeyFile: "../artifacts/ssl/debug-kms/kms1-selfsigned.key"
 Peers:
    # peer to kms_2
    - PeerId: '5e41c291-6121-4335-84f6-41e04b8bdaa2'

--- a/debug_configs/config/kms/kms_2.yaml
+++ b/debug_configs/config/kms/kms_2.yaml
@@ -5,10 +5,11 @@ GRPCAddr: 0.0.0.0:50900
 QuantumAddr: 0.0.0.0:50911
 AkmsURL: "http://akms-simulator_2:4444/api/v1/keys/push_ksa_key"
 AkmsCkmsServerPort: "9696"
-TLS: true
-CAFile: "ssl/ca.crt"
-CertFile: "ssl/debug-kms/kms2-selfsigned.crt"
-KeyFile: "ssl/debug-kms/kms2-selfsigned.key"
+KmsTLS:
+  TLS: true
+  CAFile: "ssl/ca.crt"
+  CertFile: "ssl/debug-kms/kms2-selfsigned.crt"
+  KeyFile: "ssl/debug-kms/kms2-selfsigned.key"
 Peers:
    # peer to kms_1
    - PeerId: '0ff33c82-7fe1-482b-a0ca-67565806ee4b'

--- a/docker-compose.yml
+++ b/docker-compose.yml
 services:
  kms_1:
    image: gokms
-    command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms01.yaml", "--insecure"]
+    command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms01.yaml", "--insecureGNMI"]
    volumes:
        - ./config/goKMS/example01.yaml:/tmp/kms/config/kms01.yaml
        - ./artifacts/ssl:/ssl
@@ -11,7 +11,7 @@ services:

  kms_2:
    image: gokms
-    command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms02.yaml", "--insecure"]
+    command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms02.yaml", "--insecureGNMI"]
    volumes:
        - ./config/goKMS/example02.yaml:/tmp/kms/config/kms02.yaml
        - ./artifacts/ssl:/ssl
@@ -21,7 +21,7 @@ services:

  kms_3:
    image: gokms
-    command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms03.yaml", "--insecure"]
+    command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms03.yaml", "--insecureGNMI"]
    volumes:
        - ./config/goKMS/example03.yaml:/tmp/kms/config/kms03.yaml
        - ./artifacts/ssl:/ssl
@@ -31,7 +31,7 @@ services:

  kms_4:
    image: gokms
-    command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms04.yaml", "--insecure"]
+    command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms04.yaml", "--insecureGNMI"]
    volumes:
        - ./config/goKMS/example04.yaml:/tmp/kms/config/kms04.yaml
        - ./artifacts/ssl:/ssl

--- a/docker-compose_debug_kms.yml
+++ b/docker-compose_debug_kms.yml
 services:
  #kms_1:
    #image: gokms
-    #command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms_1.yaml", "--insecure"]
+    #command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms_1.yaml"]
    #volumes:
    #    - ./debug_configs/config/kms/kms_1.yaml:/tmp/kms/config/kms_1.yaml
    #ports:
@@ -10,7 +10,7 @@ services:

  kms_2:
    image: gokms
-    command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms_2.yaml", "--insecure"]
+    command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms_2.yaml"]
    volumes:
        - ./debug_configs/config/kms/kms_2.yaml:/tmp/kms/config/kms_2.yaml
        - ./artifacts/ssl:/ssl

--- a/docker-compose_small_random.yml
+++ b/docker-compose_small_random.yml
 services:
  kms_1:
    image: gokms
-    command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms_1.yaml", "--insecure"]
+    command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms_1.yaml"]
    volumes:
        - ./config/goKMS/small_kms_1.yaml:/tmp/kms/config/kms_1.yaml
    ports:
@@ -10,7 +10,7 @@ services:

  kms_2:
    image: gokms
-    command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms_2.yaml", "--insecure"]
+    command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms_2.yaml"]
    volumes:
        - ./config/goKMS/small_kms_2.yaml:/tmp/kms/config/kms_2.yaml
    ports:

--- a/docker-compose_small_replay.yml
+++ b/docker-compose_small_replay.yml
 services:
  kms_1:
    image: gokms
-    command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms_1.yaml", "--insecure"]
+    command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms_1.yaml"]
    volumes:
        - ./config/goKMS/small_kms_1.yaml:/tmp/kms/config/kms_1.yaml
    ports:
@@ -10,7 +10,7 @@ services:

  kms_2:
    image: gokms
-    command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms_2.yaml", "--insecure"]
+    command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms_2.yaml"]
    volumes:
        - ./config/goKMS/small_kms_2.yaml:/tmp/kms/config/kms_2.yaml
    ports:

--- a/goKMS/config/config.go
+++ b/goKMS/config/config.go
@@ -10,6 +10,7 @@ type Config struct {
 	GRPCAddr           string `yaml:"GRPCAddr"`
 	AkmsURL            string `yaml:"AkmsURL"`
 	AkmsCkmsServerPort string `yaml:"AkmsCkmsServerPort"`
+	GnmiBindAddress    string `yaml:"GnmiBindAddress"`
 	Peers              []struct {
 		PeerId           string        `yaml:"PeerId"`
 		PeerInterComAddr string        `yaml:"PeerInterComAddr"`
@@ -17,11 +18,17 @@ type Config struct {
 		Type             string        `yaml:"Type"`
 		QuantumModule    QuantumModule `yaml:"QuantumModule"`
 	} `yaml:"Peers"`
-	TLS       bool   `yaml:"TLS"`
-	ETSI14TLS bool   `yaml:"ETSI14TLS"`
-	CAFile    string `yaml:"CAFile"`
-	CertFile  string `yaml:"CertFile"`
-	KeyFile   string `yaml:"KeyFile"`
+	GnmiTLS          TLSConfig `yaml:"GnmiTLS"`
+	KmsTLS           TLSConfig `yaml:"KmsTLS"`
+	QuantumModuleTLS TLSConfig `yaml:"QuantumModuleTLS"`
+	AkmsCkmsTLS      TLSConfig `yaml:"AkmsCkmsTLS"`
+}
+
+type TLSConfig struct {
+	TLS      bool   `yaml:"TLS"`
+	CAFile   string `yaml:"CAFile"`
+	CertFile string `yaml:"CertFile"`
+	KeyFile  string `yaml:"KeyFile"`
 }

 type QuantumModule struct {

--- a/goKMS/kms/kms.go
+++ b/goKMS/kms/kms.go
@@ -68,7 +68,7 @@ type KMS struct {
 	kmsUUID        uuid.UUID
 	interComAddr   string
 	quantumAddress string
-	tlsData        kmstls.TlsData
+	tlsConfig      config.TLSConfig
 	// TODO create a mapping between ids and address
 	remoteKMSMapping      map[string]*RemoteKMS
 	remoteKMSMappingMutex sync.RWMutex
@@ -118,13 +118,6 @@ func NewKMS(kmsUUID uuid.UUID, logOutput io.Writer, logLevel log.Level, logInJso
 		log.SetReportCaller(false)
 	}

-	tlsData := kmstls.TlsData{
-		TLS:      config.TLS,
-		CaFile:   config.CAFile,
-		CertFile: config.CertFile,
-		KeyFile:  config.KeyFile,
-	}
-
 	ckmsAkmsClient := client.NewCkmsAkmsClient(config.AkmsURL)

 	createdKMS := &KMS{
@@ -132,7 +125,7 @@ func NewKMS(kmsUUID uuid.UUID, logOutput io.Writer, logLevel log.Level, logInJso
 		kmsUUID:             kmsUUID,
 		interComAddr:        config.InterComAddr,
 		quantumAddress:      config.QuantumAddr,
-		tlsData:             tlsData,
+		tlsConfig:           config.KmsTLS,
 		remoteKMSMapping:    make(map[string]*RemoteKMS),
 		quantumModules:      make(map[string]peers.QuantumModule),
 		routingTable:        make(map[uuid.UUID]*Route),
@@ -146,7 +139,7 @@ func NewKMS(kmsUUID uuid.UUID, logOutput io.Writer, logLevel log.Level, logInJso
 	createdKMS.supportedKeyLengths[BitKeyLen256] = true

 	// start the inter communication gRPC server
-	go createdKMS.startGRPC(config.InterComAddr, config.QuantumAddr, tlsData)
+	go createdKMS.startGRPC()

 	// initialize from config
 	err := createdKMS.initializePeers(config)
@@ -173,7 +166,7 @@ func (kms *KMS) initializePeers(config *config.Config) error {
 		case "emulated":
 			qm = peers.NewEmulatedQuantumModule(pqm.Address, config.Id)
 		case "etsi":
-			qm, err = peers.NewETSI014HTTPQuantumModule(pqm.Address, config.Id, pqm.SlaveSAEID, pqm.MasterSAEID, config.CAFile, config.CertFile, config.KeyFile, config.ETSI14TLS, pqm.MasterMode)
+			qm, err = peers.NewETSI014HTTPQuantumModule(pqm.Address, config.Id, pqm.SlaveSAEID, pqm.MasterSAEID, config.QuantumModuleTLS, pqm.MasterMode)
 			if err != nil {
 				log.Fatalf("Failed to create ETSI QKD module: %s", err)
 				return nil
@@ -190,8 +183,8 @@ func (kms *KMS) initializePeers(config *config.Config) error {
 		}

 		var gRPCTransportCreds credentials.TransportCredentials
-		if config.TLS {
-			gRPCTransportCreds, err = kmstls.GenerateGRPCClientTransportCredsWithTLS(config.CAFile, config.CertFile, config.KeyFile)
+		if config.KmsTLS.TLS {
+			gRPCTransportCreds, err = kmstls.GenerateGRPCClientTransportCredsWithTLS(kms.tlsConfig)
 			if err != nil {
 				log.Error(err)
 				return nil
@@ -233,15 +226,15 @@ func (kms *KMS) initializePeers(config *config.Config) error {
 	return nil
 }

-func (kms *KMS) startGRPC(interComAddr string, quantumAddress string, tlsData kmstls.TlsData) {
-	interKMSLis, err := net.Listen("tcp", interComAddr)
+func (kms *KMS) startGRPC() {
+	interKMSLis, err := net.Listen("tcp", kms.interComAddr)
 	if err != nil {
 		log.Fatalf("failed to listen: %v", err)
 	}

 	var gRPCTransportCreds credentials.TransportCredentials
-	if tlsData.TLS {
-		gRPCTransportCreds, err = kmstls.GenerateGRPCServerTransportCredsWithTLS(tlsData.CaFile, tlsData.CertFile, tlsData.KeyFile)
+	if kms.tlsConfig.TLS {
+		gRPCTransportCreds, err = kmstls.GenerateGRPCServerTransportCredsWithTLS(kms.tlsConfig)
 		if err != nil {
 			log.Fatalf("unable to generate TLS creds: %v", err)
 		}
@@ -258,8 +251,8 @@ func (kms *KMS) startGRPC(interComAddr string, quantumAddress string, tlsData km
 		KMS:               kms,
 	})

-	if quantumAddress != "" {
-		quantumLis, err := net.Listen("tcp", quantumAddress)
+	if kms.quantumAddress != "" {
+		quantumLis, err := net.Listen("tcp", kms.quantumAddress)
 		if err != nil {
 			log.Fatalf("failed to listen: %v", err)
 		}
@@ -434,7 +427,7 @@ func (kms *KMS) GetRemoteKMS(remoteKMSId string) (*RemoteKMS, error) {

 	remoteKMS, ok := kms.remoteKMSMapping[remoteKMSId]
 	if !ok {
-		return nil, fmt.Errorf("Address for remoteKMS with id %s not found", remoteKMSId)
+		return nil, fmt.Errorf("address for remoteKMS with id %s not found", remoteKMSId)
 	}
 	return remoteKMS, nil
 }
@@ -497,8 +490,8 @@ func (kms *KMS) GenerateAndSendKSAKey(remoteKMSId string, pathId uuid.UUID, requ
 	// TODO: move this somewhere else!
 	// send to remote
 	var gRPCTransportCreds credentials.TransportCredentials
-	if kms.tlsData.TLS {
-		gRPCTransportCreds, err = kmstls.GenerateGRPCClientTransportCredsWithTLS(kms.tlsData.CaFile, kms.tlsData.CertFile, kms.tlsData.KeyFile)
+	if kms.tlsConfig.TLS {
+		gRPCTransportCreds, err = kmstls.GenerateGRPCClientTransportCredsWithTLS(kms.tlsConfig)
 		if err != nil {
 			log.Fatalf("unable to generate TLS creds: %v", err)
 		}

--- a/goKMS/kms/kmsintercom.go
+++ b/goKMS/kms/kmsintercom.go
@@ -287,8 +287,8 @@ func (s *kmsTalkerServer) KeyForwarding(ctx context.Context, in *pb.KeyForwardin
 		s.KMS.PKStoreMutex.Unlock()

 		var gRPCTransportCreds credentials.TransportCredentials
-		if s.KMS.tlsData.TLS {
-			gRPCTransportCreds, err = kmstls.GenerateGRPCClientTransportCredsWithTLS(s.KMS.tlsData.CaFile, s.KMS.tlsData.CertFile, s.KMS.tlsData.KeyFile)
+		if s.KMS.tlsConfig.TLS {
+			gRPCTransportCreds, err = kmstls.GenerateGRPCClientTransportCredsWithTLS(s.KMS.tlsConfig)
 			if err != nil {
 				log.Fatalf("unable to generate TLS creds: %v", err)
 			}

--- a/goKMS/kms/peers/qmodule.go
+++ b/goKMS/kms/peers/qmodule.go
@@ -11,6 +11,7 @@ import (

 	etsi14 "code.fbi.h-da.de/danet/quant/etsi014/go/rest/etsi/client"
 	pbIC "code.fbi.h-da.de/danet/quant/goKMS/api/gen/proto/go/kmsintercom"
+	"code.fbi.h-da.de/danet/quant/goKMS/config"
 	"code.fbi.h-da.de/danet/quant/goKMS/kms/event"
 	"code.fbi.h-da.de/danet/quant/goKMS/kms/store"
 	kmstls "code.fbi.h-da.de/danet/quant/goKMS/kms/tls"
@@ -18,7 +19,6 @@ import (
 	restclient "code.fbi.h-da.de/danet/quant/goKMS/restclient"
 	"code.fbi.h-da.de/danet/quant/quantumlayer"
 	"github.com/google/uuid"
-	"github.com/sirupsen/logrus"
 	log "github.com/sirupsen/logrus"
 )

@@ -76,7 +76,7 @@ func (eqe *EmulatedQuantumModule) Address() string {

 func (eqe *EmulatedQuantumModule) Sync() error {
 	rawBulkKeyIds := util.KeysOfMap(eqe.RawBulkKeys)
-	logrus.Info("Found the following bulk key ids for usage: ", rawBulkKeyIds)
+	log.Info("Found the following bulk key ids for usage: ", rawBulkKeyIds)

 	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
 	defer cancel()
@@ -92,7 +92,7 @@ func (eqe *EmulatedQuantumModule) Sync() error {
 	bulkKey, ok := eqe.RawBulkKeys[initialPeerSetupResponse.BulkId]
 	if !ok {
 		// TODO: add proper error message
-		return fmt.Errorf("Could not find raw bulk key with id: %d", initialPeerSetupResponse.BulkId)
+		return fmt.Errorf("could not find raw bulk key with id: %d", initialPeerSetupResponse.BulkId)
 	}

 	// TODO: Initially the peer partners should discuss about the key length,
@@ -182,7 +182,7 @@ func (eqe *EmulatedQuantumModule) KeyChopper(bulkKey *quantumlayer.QuantumLayerB

 	if bulkKey.BulkKeyLength != len(*bulkKey.BulkKey) {
 		if (bulkKey.BulkKeyLength) != (len(*bulkKey.BulkKey) * 8) {
-			logrus.Errorf("Length missmatch, even when converting 'bulkKey.BulkKey' to bytes: %d, %d", bulkKey.BulkKeyLength, len(*bulkKey.BulkKey))
+			log.Errorf("Length missmatch, even when converting 'bulkKey.BulkKey' to bytes: %d, %d", bulkKey.BulkKeyLength, len(*bulkKey.BulkKey))
 			return nil, nil, errors.New("bulkKey length mismatch")
 		}
 	}
@@ -203,7 +203,7 @@ func (eqe *EmulatedQuantumModule) KeyChopper(bulkKey *quantumlayer.QuantumLayerB
 		} else {
 			keyId, err = uuid.Parse(keyIds[counter])
 			if err != nil {
-				return nil, nil, fmt.Errorf("The provided ID: %s can not be parsed as UUID.", keyIds[counter])
+				return nil, nil, fmt.Errorf("the provided ID: %s can not be parsed as UUID", keyIds[counter])
 			}
 			counter++
 		}
@@ -228,7 +228,7 @@ type ETSI014HTTPQuantumModule struct {
 	master      bool
 }

-func NewETSI014HTTPQuantumModule(addr, kmsId, slaveSAEID, masterSAEID, caFile, certFile, keyFile string, etsi14TLS, master bool) (*ETSI014HTTPQuantumModule, error) {
+func NewETSI014HTTPQuantumModule(addr, kmsId, slaveSAEID, masterSAEID string, tlsConfig config.TLSConfig, master bool) (*ETSI014HTTPQuantumModule, error) {
 	parsedUrl, err := url.Parse(addr)
 	if err != nil {
 		return nil, err
@@ -245,8 +245,8 @@ func NewETSI014HTTPQuantumModule(addr, kmsId, slaveSAEID, masterSAEID, caFile, c
 		Scheme: parsedUrl.Scheme,
 	}

-	if etsi14TLS {
-		tlsConf, err := kmstls.GenerateTLSConf(caFile, certFile, keyFile)
+	if tlsConfig.TLS {
+		tlsConf, err := kmstls.GenerateTlsLibraryConfig(tlsConfig)
 		if err != nil {
 			return nil, err
 		}

--- a/goKMS/kms/tls/tls.go
+++ b/goKMS/kms/tls/tls.go
@@ -6,19 +6,13 @@ import (
 	"fmt"
 	"os"

+	"code.fbi.h-da.de/danet/quant/goKMS/config"
 	"google.golang.org/grpc/credentials"
 )

-type TlsData struct {
-	TLS      bool
-	CaFile   string
-	CertFile string
-	KeyFile  string
-}
-
-func GenerateGRPCServerTransportCredsWithTLS(caFilePath, certFile, keyFile string) (credentials.TransportCredentials, error) {
+func GenerateGRPCServerTransportCredsWithTLS(tlsData config.TLSConfig) (credentials.TransportCredentials, error) {
 	cp := x509.NewCertPool()
-	b, err := os.ReadFile(caFilePath)
+	b, err := os.ReadFile(tlsData.CAFile)
 	if err != nil {
 		return nil, err
 	}
@@ -27,7 +21,7 @@ func GenerateGRPCServerTransportCredsWithTLS(caFilePath, certFile, keyFile strin
 		return nil, fmt.Errorf("credentials: failed to append certificates")
 	}

-	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+	cert, err := tls.LoadX509KeyPair(tlsData.CertFile, tlsData.KeyFile)
 	if err != nil {
 		return nil, err
 	}
@@ -42,10 +36,10 @@ func GenerateGRPCServerTransportCredsWithTLS(caFilePath, certFile, keyFile strin
 	return credentials.NewTLS(tlsConfig), nil
 }

-func GenerateGRPCClientTransportCredsWithTLS(caFilePath, certFile, keyFile string) (credentials.TransportCredentials, error) {
+func GenerateGRPCClientTransportCredsWithTLS(tlsData config.TLSConfig) (credentials.TransportCredentials, error) {
 	cp := x509.NewCertPool()

-	b, err := os.ReadFile(caFilePath)
+	b, err := os.ReadFile(tlsData.CAFile)
 	if err != nil {
 		return nil, err
 	}
@@ -53,7 +47,7 @@ func GenerateGRPCClientTransportCredsWithTLS(caFilePath, certFile, keyFile strin
 		return nil, fmt.Errorf("credentials: failed to append certificates")
 	}

-	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+	cert, err := tls.LoadX509KeyPair(tlsData.CertFile, tlsData.KeyFile)
 	if err != nil {
 		return nil, err
 	}
@@ -67,8 +61,8 @@ func GenerateGRPCClientTransportCredsWithTLS(caFilePath, certFile, keyFile strin
 	return credentials.NewTLS(tlsConfig), nil
 }

-func GenerateTLSConf(caFile, certFile, keyFile string) (*tls.Config, error) {
-	caCert, err := os.ReadFile(caFile)
+func GenerateTlsLibraryConfig(tlsData config.TLSConfig) (*tls.Config, error) {
+	caCert, err := os.ReadFile(tlsData.CAFile)
 	if err != nil {
 		return nil, err
 	}
@@ -77,7 +71,7 @@ func GenerateTLSConf(caFile, certFile, keyFile string) (*tls.Config, error) {
 		return nil, fmt.Errorf("credentials: failed to append certificates")
 	}

-	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+	cert, err := tls.LoadX509KeyPair(tlsData.CertFile, tlsData.KeyFile)
 	if err != nil {
 		return nil, err
 	}

--- a/goKMS/main.go
+++ b/goKMS/main.go
@@ -51,11 +51,11 @@ import (
 func main() {
 	configPath := flag.String("kms_config", "", "path to the config file")
 	logLevel := flag.String("log", "info", "logrus lof level (debug, info, warn, error, fatal, panic)")
-	bindAddress := flag.String("bindAddress", ":7030", "address to bind to")
-	certFile := flag.String("certFile", "", "location of the cert file")
-	keyFile := flag.String("keyFile", "", "location of the key file")
-	caFile := flag.String("caFile", "", "location of the ca file")
-	insecure := flag.Bool("insecure", true, "If true do not use TLS")
+	gnmiBindAddress := flag.String("gnmiBindAddress", ":7030", "address to bind gNMI to (overwrites settings in config file)")
+	gnmiTLS := flag.Bool("gnmiTLS", false, "If true do use TLS for gNMI, paths to ca, cert and key must be set aswell (overwrites settings in config file)")
+	certFile := flag.String("certFile", "", "location of the gNMI cert file (overwrites settings in config file)")
+	keyFile := flag.String("keyFile", "", "location of the gNMI key file (overwrites settings in config file)")
+	caFile := flag.String("caFile", "", "location of the gNMI ca file (overwrites settings in config file)")

 	flag.Parse()

@@ -69,18 +69,20 @@ func main() {
 	log.Info("setting log level to ", ll)
 	log.SetLevel(ll)

+	// Parse config file
 	kmsConfig := &config.Config{}
-
 	log.Debugf("current config path: %s", *configPath)
 	file, err := os.ReadFile(*configPath)
 	if err != nil {
 		log.Fatal(err)
 	}
-
 	if err := yaml.Unmarshal(file, kmsConfig); err != nil {
 		log.Fatal(err)
 	}

+	// All gNMI settings which are provided via cli arguments should overwrite the settings in the config file.
+	overwriteConfigFieldsWithFlags(kmsConfig, gnmiBindAddress, gnmiTLS, certFile, keyFile, caFile)
+
 	// initialize id for the kms
 	var kmsId uuid.UUID
 	if kmsConfig.Id != "" {
@@ -89,6 +91,7 @@ func main() {
 		kmsId = uuid.New()
 	}

+	outputTlsSettings(kmsConfig)
 	resolveHostnameToIPForQuantumModules(kmsConfig)
 	kmsInfo := generateKMSInfo(kmsId)

@@ -114,8 +117,10 @@ func main() {
 		kmsHandler.NewAssignForwardingHandler(kms),
 	}

+	// The gnmiTarget implementation uses a flag to pass NO tls, so we have to invert our flag for it to work.
+	gnmiInsecure := !kmsConfig.GnmiTLS.TLS
 	gnmitTarget := gnmitarget.NewGnmiTarget(schema, &gnmitargetygot.Gnmitarget{}, gnmitargetygot.ΓModelData, gnmitargetygot.Unmarshal, gnmitargetygot.ΛEnum, handlers...)
-	if err := gnmitTarget.Start(*bindAddress, *certFile, *keyFile, *caFile, *insecure); err != nil {
+	if err := gnmitTarget.Start(*gnmiBindAddress, kmsConfig.GnmiTLS.CertFile, kmsConfig.GnmiTLS.KeyFile, kmsConfig.GnmiTLS.CAFile, gnmiInsecure); err != nil {
 		log.Fatal(err)
 	}
 }
@@ -154,6 +159,60 @@ func resolveHostnameToIPForQuantumModules(config *config.Config) {
 	}
 }

+func outputTlsSettings(config *config.Config) {
+	log.Infof("TLS enabled for gNMIC: %t", config.GnmiTLS.TLS)
+	if config.GnmiTLS.TLS {
+		log.Infof("TLS filepaths for gNMIC; ca: %s, cert: %s, key: %s", config.GnmiTLS.CAFile, config.GnmiTLS.CertFile, config.GnmiTLS.KeyFile)
+	}
+
+	log.Infof("TLS enabled for KMS: %t", config.KmsTLS.TLS)
+	if config.KmsTLS.TLS {
+		log.Infof("TLS filepaths for KMS; ca: %s, cert: %s, key: %s", config.KmsTLS.CAFile, config.KmsTLS.CertFile, config.KmsTLS.KeyFile)
+	}
+
+	log.Infof("TLS enabled for Quantum Module: %t", config.QuantumModuleTLS.TLS)
+	if config.QuantumModuleTLS.TLS {
+		log.Infof("TLS filepaths for Quantum Module; ca: %s, cert: %s, key: %s", config.QuantumModuleTLS.CAFile, config.QuantumModuleTLS.CertFile, config.QuantumModuleTLS.KeyFile)
+	}
+
+	log.Infof("TLS enabled for AKMS-CKMS interface: %t", config.AkmsCkmsTLS.TLS)
+	if config.AkmsCkmsTLS.TLS {
+		log.Infof("TLS filepaths for AKMS-CKMS interface; ca: %s, cert: %s, key: %s", config.AkmsCkmsTLS.CAFile, config.AkmsCkmsTLS.CertFile, config.AkmsCkmsTLS.KeyFile)
+	}
+}
+
+func isFlagPassed(name string) bool {
+	found := false
+	flag.Visit(func(f *flag.Flag) {
+		if f.Name == name {
+			found = true
+		}
+	})
+	return found
+}
+
+func overwriteConfigFieldsWithFlags(config *config.Config, gnmiBindAddress *string, gnmiTLS *bool, certFile *string, keyFile *string, caFile *string) {
+	if isFlagPassed("gnmiTLS") {
+		config.GnmiTLS.TLS = *gnmiTLS
+	}
+
+	if isFlagPassed("gnmiBindAddress") {
+		config.GnmiBindAddress = *gnmiBindAddress
+	}
+
+	if *caFile != "" {
+		config.GnmiTLS.CAFile = *caFile
+	}
+
+	if *certFile != "" {
+		config.GnmiTLS.CertFile = *certFile
+	}
+
+	if *keyFile != "" {
+		config.GnmiTLS.KeyFile = *keyFile
+	}
+}
+
 func generateKMSInfo(id uuid.UUID) *config.KMSInfo {
 	kmsVersionInformation := config.NewKMSVersionInformation("danet-emulated-kms", "0.1.0", "0.1.0")


--- a/integration-tests/config/kms/kms_1.yaml
+++ b/integration-tests/config/kms/kms_1.yaml
@@ -5,10 +5,11 @@ QuantumAddr: 0.0.0.0:50911
 GRPCAddr: 0.0.0.0:50900
 AkmsURL: "http://akms-simulator_1:4444/api/v1/keys/push_ksa_key"
 AkmsCkmsServerPort: "9696"
-TLS: true
-CAFile: "config/ssl/ca.crt"
-CertFile: "config/ssl/kms/kms1-selfsigned.crt"
-KeyFile: "config/ssl/kms/kms1-selfsigned.key"
+KmsTLS:
+  TLS: true
+  CAFile: "config/ssl/ca.crt"
+  CertFile: "config/ssl/kms/kms1-selfsigned.crt"
+  KeyFile: "config/ssl/kms/kms1-selfsigned.key"
 Peers:
    # peer to kms_2
    - PeerId: '5e41c291-6121-4335-84f6-41e04b8bdaa2'