Secret Management Operations
Secrets are managed objects that can store user-defined data. This data can be:
• blob
• password
• seed
There are two types of objects used to store secrets:
Secret Object: It can have password or seed as the data type. The seed may be used for cryptographic operations in the future, which is why it is a separate type. The password is a convenient way to store simple text strings.
Opaque Object: It is of blob data type. It can be used to store arbitrary data.
Note
CipherTrust Manager's Network Attached Encryption (NAE) protocol only supports Opaque Objects for XML interface 6.1 or higher.
Secrets support many of the same attributes that keys do. They can be made non-deletable, support metadata, etc. They also support most of the same lifecycle states as keys.
The XML Interface enables you to:
Import secret object (see SecretObjectImportRequest)
Export secret object (see SecretObjectExportRequest)
Retrieve information about a secret object (see SecretObjectInfoRequest)
Modify a secret object (see SecretObjectModifyRequest)
Delete a secret object (see SecretObjectDeleteRequest)
SecretObjectImportRequest
Import a secret object.
<SecretObjectImportRequest>
<ID>......</ID>
<ObjectName>......</ObjectName>
<ObjectData>......</ObjectData>
<ObjectDataType>......</ObjectDataType>
<Exportable/>
<Deletable/>
</SecretObjectImportRequest>
Element | Description |
---|---|
ID | Contains the user-specified request ID. |
ObjectName | Name of the secret object. |
ObjectData | Data to be imported as an opaque object. |
ObjectDataType | Data type of the object. NOTE: Currently, only opaque objects are supported. |
Exportable | To make the secret object exportable. |
Deletable | To make the secret object deletable. |
SecretObjectImportResponse
Server response to SecretObjectImportRequest.
<SecretObjectImportResponse>
<ID>......</ID>
<Success>.....</Success>
<Fingerprint>......</Fingerprint>
<ObjectName>......</ObjectName>
</SecretObjectImportResponse>
Element | Description |
---|---|
ID | Contains the user-specified request ID. |
ObjectName | Name of the secret object. |
Fingerprint | Contains the fingerprint of the secret object. |
Example
<SecretObjectImportRequest>
<ID>123</ID>
<ObjectName>MySecret1234</ObjectName>
<ObjectData>ABCDEF</ObjectData>
<ObjectDataType>opaque</ObjectDataType>
<Exportable/>
<Deletable/>
</SecretObjectImportRequest>
<SecretObjectImportResponse>
<ID>123</ID>
<Success>true</Success>
<Fingerprint>970093678B182127</Fingerprint>
<ObjectName>MySecret1234</ObjectName>
</SecretObjectImportResponse>
SecretObjectExportRequest
Export a Secret Object.
<SecretObjectExportRequest>
<ID>......</ID>
<ObjectName>......</ObjectName>
</SecretObjectExportRequest>
Element | Description |
---|---|
ID | Contains the user-specified request ID. |
ObjectName | Name of the secret object. |
SecretObjectExportResponse
Server response to SecretObjectExportRequest.
<SecretObjectExportResponse>
<ID>......</ID>
<Success>true</Success>
<ObjectName>......</ObjectName>
<ObjectData>......</ObjectData>
<ObjectType>......</ObjectType>
<Fingerprint>......</Fingerprint>
</SecretObjectExportResponse>
Element | Description |
---|---|
ID | Contains the user-specified request ID. |
ObjectName | Name of the secret object. |
ObjectData | The data of the opaque object. |
ObjectType | Data type of the object. NOTE: Currently, only Opaque Objects are supported. |
Fingerprint | Contains the fingerprint of the secret object. |
Example
<SecretObjectExportRequest>
<ID>123</ID>
<ObjectName>MySecret1234</ObjectName>
</SecretObjectExportRequest>
<SecretObjectExportResponse>
<ID>123</ID>
<Success>true</Success>
<ObjectName>MySecret1234</ObjectName>
<ObjectData>ABCDEFG</ObjectData>
<ObjectType>Opaque Object</ObjectType>
<Fingerprint>93BE4612C41D23AF</Fingerprint>
<ObjectLength>7</ObjectLength>
</SecretObjectExportResponse>
SecretObjectInfoRequest
Return information about a secret object.
<SecretObjectInfoRequest>
<ID>......</ID>
<ObjectName>......</ObjectName>
</SecretObjectInfoRequest>
Element | Description |
---|---|
ID | Contains the user-specified request ID. |
ObjectName | Name of the secret object. |
SecretObjectInfoResponse
Server response to SecretObjectInfoRequest.
<SecretObjectInfoResponse>
<ID>......</ID>
<Success>......</Success>
<ObjectName>......</ObjectName>
<Fingerprint>......</Fingerprint>
<ObjectType>opaque</ObjectType>
<ObjectCreationDate>......</ObjectCreationDate>
<ObjectUpdatedAt>......</ObjectUpdatedAt>
<Exportable/>
<Deletable/>
</SecretObjectInfoResponse>
Element | Description |
---|---|
ID | Contains the user-specified request ID. |
ObjectName | Name of the secret object. |
Fingerprint | Contains the fingerprint of the secret object. |
ObjectType | Data type of the object. NOTE: Currently, only Opaque Objects are supported. |
ObjectCreationDate | Date and time when the object was created. |
ObjectUpdatedAt | Date and time when the object was most recently updated. |
Example
<SecretObjectInfoRequest>
<ID>123</ID>
<ObjectName>MySecret1234</ObjectName>
</SecretObjectInfoRequest>
<SecretObjectInfoResponse>
<ID>123</ID>
<Success>true</Success>
<ObjectName>MySecret1234</ObjectName>
<Fingerprint>970093678B182127</Fingerprint>
<ObjectType>Opaque Object</ObjectType>
<ObjectCreationDate>2020-02-07 07:07:02.231893 +0000 UTC</ObjectCreationDate>
<ObjectUpdatedAt>2020-02-07 07:07:19.787637 +0000 UTC</ObjectUpdatedAt>
<Exportable/>
<Deletable/>
</SecretObjectInfoResponse>
SecretObjectModifyRequest
Modify a secret object.
<SecretObjectModifyRequest>
<ID>.....</ID>
<ObjectName>.....</ObjectName>
<Owner>.....</Owner>
<Exportable/>
<Deletable/>
<NonExportable/>
<NonDeletable/>
</SecretObjectModifyRequest>
CAUTION!: The above example is for reference only. The following tags must not be specified together in a single request, as doing so causes errors:
• Exportable and NonExportable
• Deletable and NonDeletable
Element | Description |
---|---|
ID | Contains the user-specified request ID. |
ObjectName | Name of the secret object. |
Exportable | To make the secret object exportable. |
NonExportable | To make the secret object non-exportable. |
Deletable | To make the secret object deletable. |
NonDeletable | To make the secret object non-deletable. |
Owner | Specify an owner to modify the Owner for the Secret Object. The specified owner must already exist. |
SecretObjectModifyResponse
Server response to SecretObjectModifyRequest.
<SecretObjectModifyResponse>
<ID>.....</ID>
<Success>.....</Success>
</SecretObjectModifyResponse>
Element | Description |
---|---|
ID | Contains the user-specified request ID. |
Success | Indicates whether the modification succeeded (true on success). |
Example 1
<SecretObjectModifyRequest>
<ID>test1</ID>
<ObjectName>Secret</ObjectName>
<Owner>james</Owner>
<Exportable/>
<Deletable/>
</SecretObjectModifyRequest>
<SecretObjectModifyResponse>
<ID>test1</ID>
<Success>true</Success>
</SecretObjectModifyResponse>
Example 2
<SecretObjectModifyRequest>
<ID>test1</ID>
<ObjectName>Secret</ObjectName>
<NonExportable/>
<NonDeletable/>
</SecretObjectModifyRequest>
<SecretObjectModifyResponse>
<ID>test1</ID>
<Success>true</Success>
</SecretObjectModifyResponse>
SecretObjectDeleteRequest
Delete a secret object.
<SecretObjectDeleteRequest>
<ID>...</ID>
<ObjectName>....</ObjectName>
</SecretObjectDeleteRequest>
Element | Description |
---|---|
ID | Contains the user-specified request ID. |
ObjectName | Name of the secret object. |
SecretObjectDeleteResponse
Server response to SecretObjectDeleteRequest.
<SecretObjectDeleteResponse>
<ID>.....</ID>
<Success>.....</Success>
</SecretObjectDeleteResponse>
Example
<SecretObjectDeleteRequest>
<ID>Id</ID>
<ObjectName>Secret_Object_1</ObjectName>
</SecretObjectDeleteRequest>
<SecretObjectDeleteResponse>
<ID>Id</ID>
<Success>true</Success>
</SecretObjectDeleteResponse>
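The following is an added client-side example, not code from the CipherTrust Manager documentation: it serialises the five request types shown in this chapter (Import, Export, Info, Modify, Delete) with Python's standard ElementTree, refuses to send the opposite Modify flags together, and parses a response while checking that its root element and ID match the request it is supposed to answer. Transport (how the XML reaches the NAE port) is outside this chapter and is not modelled; the sample response is constructed from the export example above.

```python
import xml.etree.ElementTree as ET

# Opposite flag pairs from the Modify caution: never send both in one request.
EXCLUSIVE_FLAGS = (("Exportable", "NonExportable"), ("Deletable", "NonDeletable"))


def modify_flags_valid(flags):
    """True unless a flag and its opposite are both present."""
    return not any(a in flags and b in flags for a, b in EXCLUSIVE_FLAGS)


def build_request(kind, request_id, object_name, fields=(), flags=()):
    """Serialise a SecretObject<kind>Request (Import, Export, Info, Modify, Delete).

    fields: ordered (tag, text) pairs such as ObjectData, ObjectDataType or Owner.
    flags:  empty elements such as Exportable or NonDeletable.
    """
    if not modify_flags_valid(flags):
        raise ValueError("mutually exclusive flags in one request: %r" % (flags,))
    root = ET.Element("SecretObject%sRequest" % kind)
    ET.SubElement(root, "ID").text = request_id
    ET.SubElement(root, "ObjectName").text = object_name
    for tag, text in fields:
        ET.SubElement(root, tag).text = text
    for flag in flags:
        ET.SubElement(root, flag)  # empty element, e.g. <Exportable/>
    return ET.tostring(root, encoding="unicode")


def parse_response(xml_text, kind, request_id):
    """Parse a SecretObject<kind>Response and bind it to the request it answers.

    Returns a dict of child elements with 'Success' converted to a bool; raises
    ValueError when the root element or ID differs, so a reply cannot be taken
    as the answer to a different request.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "SecretObject%sResponse" % kind:
        raise ValueError("unexpected root element %s" % root.tag)
    if root.findtext("ID") != request_id:
        raise ValueError("response ID does not match request ID")
    result = {child.tag: (child.text or "").strip() for child in root}
    result["Success"] = result.get("Success", "").lower() == "true"
    return result


# Constructed sample reply, shaped like the export example in this chapter.
SAMPLE_EXPORT_RESPONSE = (
    "<SecretObjectExportResponse><ID>123</ID><Success>true</Success>"
    "<ObjectName>MySecret1234</ObjectName><ObjectData>ABCDEFG</ObjectData>"
    "<ObjectType>Opaque Object</ObjectType><Fingerprint>93BE4612C41D23AF</Fingerprint>"
    "<ObjectLength>7</ObjectLength></SecretObjectExportResponse>"
)
```

`build_request("Modify", "test1", "Secret", [("Owner", "james")], ("Exportable", "Deletable"))` reproduces Modify Example 1, while passing `("Exportable", "NonExportable")` raises before anything is sent.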