Key Life Cycle Management APIs
This chapter describes the CCKM key life cycle management APIs for Azure. These APIs are used to perform the following tasks:
Creating Azure Keys
Use the post /v1/cckm/azure/keys API to create Azure keys.
Syntax
curl -k '<IP>/api/v1/cckm/azure/keys' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "key_name": "<key_name>",\n "key_vault": "<key_vault>",\n "azure_param": {<azure_params>}\n}' --compressed
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
azure_param | JSON | Azure key parameters. Refer to Azure Parameters for details. |
key_name | string | Name for the Azure key. Key names can only contain alphanumeric characters and dashes. |
key_vault | string | Name or ID of the Azure vault where the key will be created. |
Azure Parameters
Parameter | Type | Description |
---|---|---|
kty | string | Type of key to create. Possible options are: • EC - "Soft" Elliptic Curve key. • EC-HSM - "Hard" Elliptic Curve key (only for premium key vaults). • RSA - "Soft" RSA key. • RSA-HSM - "Hard" RSA key (only for premium key vaults). |
attributes | JSON | Attributes for the key such as exp, enabled, and nbf. Possible options are: • nbf - Activation date for the key in Unix Epoch time format. For example, the corresponding epoch time for September 9, 2022, 5:52:20 AM is 1662702740. • exp - Expiration date for the key in Unix Epoch time format. For example, the corresponding epoch time for September 9, 2022, 5:52:20 AM is 1662702740. • enabled - Specify whether the key is enabled or disabled (true/false). |
crv | string | Elliptic curve name for the key. Possible options are: • P-256 • P-384 • P-521 • SECP256K1 |
key_ops | array of strings | Cryptographic operations performed by the key. Possible options are: • encrypt • decrypt • sign • verify • wrapKey • unwrapKey • import (applicable to RSA-HSM keys). This parameter is mandatory when creating a KEK. |
key_size | integer | Size for the RSA and RSA-HSM keys. Possible options are: • 2048 • 3072 • 4096 |
tags | JSON | An optional parameter to add additional information to the key. The value must be specified as the key-value pair. Refer to the following rules on tag values. |
CCKM allows the following characters in tag values:
Alphanumeric characters
Special characters ! @ # $ ) ( { } > < ? + - / [ ] ^ & + = | ~ ` ; . ' _
CCKM does not allow the following special characters in tag values:
\ , : " %
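The rules in the two tables above can be checked on the client before a request is sent. The following validator is an added example, not part of the CCKM documentation or product code; the function name `validate_create_key` is hypothetical, and the `exp`-later-than-`nbf` warning is an added sanity check rather than a documented CCKM rule.

```python
import re

# Value sets copied from the parameter tables above.
KEY_NAME_RE = re.compile(r"[A-Za-z0-9-]+")
KTY_VALUES = {"EC", "EC-HSM", "RSA", "RSA-HSM"}
EC_CURVES = {"P-256", "P-384", "P-521", "SECP256K1"}
RSA_KEY_SIZES = {2048, 3072, 4096}
KEY_OPS = {"encrypt", "decrypt", "sign", "verify", "wrapKey", "unwrapKey", "import"}
# Only the characters the page explicitly forbids are rejected; characters that
# appear in neither list (a space, for example) are left for the server to judge.
TAG_FORBIDDEN = set('\\,:"%')

# Request body of the page's own Example Request.
PAGE_EXAMPLE = {
    "key_name": "Test-key",
    "key_vault": "bedb82b9-582c-402d-9874-f3368722cf46",
    "azure_param": {
        "kty": "RSA",
        "key_size": 3072,
        "attributes": {"nbf": 1662702740, "exp": 1662702740},
    },
}

# Constructed body that breaks four of the documented rules.
BAD_EXAMPLE = {
    "key_name": "Test_key",            # underscore is not allowed
    "key_vault": "my-vault",
    "azure_param": {
        "kty": "RSA",
        "key_size": 1024,              # not 2048, 3072 or 4096
        "key_ops": ["sign", "import"], # import applies to RSA-HSM keys
        "tags": {"owner": "team:a"},   # colon is a forbidden tag character
    },
}


def _is_epoch(value):
    # bool is a subclass of int in Python, so exclude it explicitly.
    return isinstance(value, int) and not isinstance(value, bool) and value >= 0


def validate_create_key(payload):
    """Return {"errors": [...], "warnings": [...]} for a create-key request body."""
    errors, warnings = [], []

    if not KEY_NAME_RE.fullmatch(str(payload.get("key_name", ""))):
        errors.append("key_name: only alphanumeric characters and dashes are allowed")
    if not payload.get("key_vault"):
        errors.append("key_vault: name or ID of the target vault is missing")

    params = payload.get("azure_param") or {}
    kty = params.get("kty")
    if kty not in KTY_VALUES:
        errors.append(f"kty: {kty!r} is not one of {sorted(KTY_VALUES)}")
    if "key_size" in params and params["key_size"] not in RSA_KEY_SIZES:
        errors.append(f"key_size: {params['key_size']!r} is not 2048, 3072 or 4096")
    if "crv" in params and params["crv"] not in EC_CURVES:
        errors.append(f"crv: {params['crv']!r} is not one of {sorted(EC_CURVES)}")

    ops = params.get("key_ops") or []
    unknown = [op for op in ops if op not in KEY_OPS]
    if unknown:
        errors.append(f"key_ops: unknown operations {unknown}")
    if "import" in ops and kty != "RSA-HSM":
        errors.append("key_ops: import is applicable to RSA-HSM keys only")

    attrs = params.get("attributes") or {}
    for field in ("nbf", "exp"):
        if field in attrs and not _is_epoch(attrs[field]):
            errors.append(f"attributes.{field}: must be a Unix epoch integer")
    if "enabled" in attrs and not isinstance(attrs["enabled"], bool):
        errors.append("attributes.enabled: must be true or false")
    nbf, exp = attrs.get("nbf"), attrs.get("exp")
    if _is_epoch(nbf) and _is_epoch(exp) and exp <= nbf:
        # Added sanity check (assumption): not a rule stated in the tables.
        warnings.append("attributes: exp is not later than nbf, so the key "
                        "expires at or before its activation time")

    for name, value in (params.get("tags") or {}).items():
        bad = sorted(set(str(value)) & TAG_FORBIDDEN)
        if bad:
            errors.append(f"tags[{name!r}]: forbidden characters {bad}")

    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    for label, body in (("page example", PAGE_EXAMPLE), ("constructed bad", BAD_EXAMPLE)):
        print(label, validate_create_key(body))
```

The page's own example request passes every documented rule but triggers the warning, because it sets `nbf` and `exp` to the same epoch value.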
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/azure/keys' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI1MDIzNTY1Yy0xOWI3LTQyY2UtODZmMi1jNWI3MTA1MTJhZjMiLCJzdWIiOiJsb2NhbHwwMWI4M2EwZS1mY2U1LTQ5MjgtODhiNi0zNTNkMmQ3ZTBiNDMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiZGJlNzU2MWYtZDVhOS00ZGEzLWJiZTEtNjlhMTg0Y2U3YzEzIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6Ijg0MjMxNmZhLWFiOTItNGQ2Ni1hMjQ4LTkxM2I2MmNhOTQzNSIsImlhdCI6MTYwMTQ2MDc5NCwiZXhwIjoxNjAxNDYxMDk0fQ.4ZoMwbFAYHRHfQbf_yhQ-f5j75HaNaWViOSunTrt8xw' -H 'Content-Type: application/json' --data-binary $'{\n "key_name": "Test-key",\n "key_vault": "bedb82b9-582c-402d-9874-f3368722cf46",\n "azure_param": {\n "kty": "RSA",\n "key_size":3072,\n "attributes": {\n "nbf": 1662702740,\n "exp": 1662702740\n }\n }\n}' --compressed
Example Response
{
"id": "94a392f3-52e8-4542-90b6-b8554c046492",
"uri": "kylo:kylo:cckm:azure-key:94a392f3-52e8-4542-90b6-b8554c046492",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-09-30T10:13:47.500574756Z",
"updatedAt": "2020-09-30T10:13:47.49855808Z",
"key_vault": "keyvault-softkeys::12e533dd-b5c2-4e58-a264-0cd812dc5a34",
"key_vault_id": "bedb82b9-582c-402d-9874-f3368722cf46",
"region": "northcentralus",
"deleted": false,
"backup_at": "2020-09-30T10:13:47.49001426Z",
"soft_delete_enabled": true,
"key_soft_deleted_in_azure": false,
"status": "ACTIVE",
"syncedAt": "2020-09-30T10:13:46Z",
"created_by": "ef767cf9-61dd-4765-a4df-ebd65493c728",
"modified_by": "ef767cf9-61dd-4765-a4df-ebd65493c728",
"version": "e6d8dd366c024902b00e116af5e99ecc",
"key_size": 3072,
"backup": "a67e5fb314aa47d6b9d33522ae1cc8f511b92313a30b47e58411
68da27f97f32",
"key_name": "Test-key",
"cloud_name": "AzureCloud",
"azure_param": {
"key": {
"kid": "https://keyvault-softkeys.vault.azure.net/keys/Test-key/e6d8dd366c024902b00e116af5e99ecc",
"kty": "RSA",
"key_ops": [
"encrypt",
"decrypt",
"sign",
"verify",
"wrapKey",
"unwrapKey"
],
"n": "pQPKeqvSEMpQ29j3bzG3Vsz-ufp5p-
JNCI1jX4lEhmL41Xmq7CVz6HkUgwPS0PC6qZc6dHXhfkewzNtmB81T5X8XYk3vK0LNckQouDoFJRm3heAyao88ei6zUndmceWGq- OmNjVMiOVViPiB46l3NAhErHVgh8DLb7gWU3yMyu4eAZGNXVYMS0BfKSy6C_ Gz9Pz4vbmJj-7jTxD_xmKuaoKkR4g2bCFDldBE8RJjtBNF_ K8XcNEoZxVuEHYlzTOQ5eXQct8LqXVgfFtwhf2BYC7cVrK0smnN-pAor_ gurBRyEtiJQV08QCwBXh4PGjWviMPt0LTkfzjLB7yIFtrAlpAece9rbfPULNOSqLuGxhFDJGHWw6IB7IIVex_ NVeBfxsbyAHOD0t3UE0VrYijrv6gVz5-VqjC1OGcqtMEEld5- aS2HlMbfpmRhTxWTbg11KKSPIm6RqplSgqMMlzSEriuCA4l6hxGRuuQRfCOqAIUQqe_9Wx433yJKF8cCt",
"e": "AQAB"
},
"attributes": {
"recoveryLevel": "CustomizedRecoverable+Purgeable",
"enabled": true,
"nbf": 1662702740,
"exp": 1662702740,
"created": 1601460826,
"updated": 1601460826
}
},
"azure_created_at": "2020-09-30T10:13:46Z",
"azure_updated_at": "2020-09-30T10:13:46Z",
"tenant": "d27d849e-e487-4b0e-a54c-a71e67687d10",
"azure_expire_at": "2022-09-09T05:52:20Z",
"key_material_origin": "native",
"gone": false
}
The sample output shows that a key (Test-key) is created in the Azure key vault (keyvault-softkeys). A unique ID (94a392f3-52e8-4542-90b6-b8554c046492) for the key is returned. As the key is created in the Azure vault, the key material's origin is native.
To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Fetching List of Azure Keys
Use the get /v1/cckm/azure/keys API to fetch the list of Azure keys. The results can be filtered using the query parameters.
Syntax
curl -k '<IP>/api/v1/cckm/azure/keys?skip=0&limit=10&sort=updatedAt' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI1MDIzNTY1Yy0xOWI3LTQyY2UtODZmMi1jNWI3MTA1MTJhZjMiLCJzdWIiOiJsb2NhbHwwMWI4M2EwZS1mY2U1LTQ5MjgtODhiNi0zNTNkMmQ3ZTBiNDMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiZGJlNzU2MWYtZDVhOS00ZGEzLWJiZTEtNjlhMTg0Y2U3YzEzIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6Ijg0MjMxNmZhLWFiOTItNGQ2Ni1hMjQ4LTkxM2I2MmNhOTQzNSIsImlhdCI6MTYwMTQ2MDc5NCwiZXhwIjoxNjAxNDYxMDk0fQ.4ZoMwbFAYHRHfQbf_yhQ-f5j75HaNaWViOSunTrt8xw' --compressed
Request Parameter
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
Request Query Parameters
Parameter | Type | Description |
---|---|---|
id | string | Internal ID of the Azure key. |
key_vault | string | Name of the Azure key vault. |
key_vault_id | string | ID of the key vault. |
key_name | string | Name of the key. |
cloud_name | string | Name of the cloud. |
region | string | Region name. |
crv | string | EC curve ID. |
status | string | Status of the key. |
backup | string | Backed up keys. |
enabled | boolean | Enabled keys. |
key_size | string | Size of the key. |
job_config_id | string | ID of the scheduler configuration job. |
deleted_in_azure | boolean | Fetches keys based on their availability in Azure. |
algorithm | string | Algorithm type. |
kid | string | Azure key ID. |
gone | boolean | Fetches keys based on their existence in the cloud. |
version | string | Fetches keys based on version. |
rotation_job_enabled | boolean | Fetches keys based on the rotation job status. |
key_material_origin | string | Source of the key material. The origin of the key can be: • cckm: Key material is created on CCKM. • native: Key material is created on the Azure cloud. • unknown: Source of the key material is unknown. It is different than CCKM and the native cloud. |
skip | integer | Number of records to skip. For example, if "skip":5 is specified, the first five records will not be displayed in the output. |
limit | integer | Number of records to display. For example, if "limit":10 is specified, then the next 10 records (after skipping the number of records specified in the skip parameter) will be displayed in the output. |
sort | string | Comma-delimited list of properties to sort the results. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/azure/keys?skip=0&limit=10&sort=updatedAt' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI1MDIzNTY1Yy0xOWI3LTQyY2UtODZmMi1jNWI3MTA1MTJhZjMiLCJzdWIiOiJsb2NhbHwwMWI4M2EwZS1mY2U1LTQ5MjgtODhiNi0zNTNkMmQ3ZTBiNDMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiZGJlNzU2MWYtZDVhOS00ZGEzLWJiZTEtNjlhMTg0Y2U3YzEzIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6Ijg0MjMxNmZhLWFiOTItNGQ2Ni1hMjQ4LTkxM2I2MmNhOTQzNSIsImlhdCI6MTYwMTQ2MDc5NCwiZXhwIjoxNjAxNDYxMDk0fQ.4ZoMwbFAYHRHfQbf_yhQ-f5j75HaNaWViOSunTrt8xw' --compressed
Example Response
{
"skip": 0,
"limit": 10,
"total": 1,
"resources": [
{
"id": "94a392f3-52e8-4542-90b6-b8554c046492",
"uri": "kylo:kylo:cckm:azure-key:94a392f3-52e8-
4542-90b6-b8554c046492",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-09-30T10:13:47.500575Z",
"updatedAt": "2020-09-30T10:13:47.498558Z",
"key_vault": "keyvault-softkeys::12e533dd-b5c2-4e58-a264-
0cd812dc5a34",
"key_vault_id": "bedb82b9-582c-402d-9874-f3368722cf46",
"region": "northcentralus",
"deleted": false,
"backup_at": "2020-09-30T10:13:47.490014Z",
"soft_delete_enabled": true,
"key_soft_deleted_in_azure": false,
"status": "ACTIVE",
"syncedAt": "2020-09-30T10:13:46Z",
"created_by": "ef767cf9-61dd-4765-a4df-ebd65493c728",
"modified_by": "ef767cf9-61dd-4765-a4df-ebd65493c728",
"version": "e6d8dd366c024902b00e116af5e99ecc",
"key_size": 3072,
"backup": "a67e5fb314aa47d6b9d33522ae1cc8f511b9
2313a30b47e5841168da27f97f32",
"key_name": "Test-key",
"cloud_name": "AzureCloud",
"azure_param": {
"key": {
"kid": "https://keyvault-softkeys.
vault.azure.net/keys/Test-key
/e6d8dd366c024902b00e116af5e99ecc",
"kty": "RSA",
"key_ops": [
"encrypt",
"decrypt",
"sign",
"verify",
"wrapKey",
"unwrapKey"
],
"n": "pQPKeqvSEMpQ29j3bzG3Vsz-ufp5p-JNCI1jX4lEhmL41Xmq7CVz6HkUgwPS0PC6qZc6dHXhfkewzNtmB81T5X8XYk3vK0LNckQouDoFJRm3heAyao88ei6zUndmceWGq-OmNjVMiOVViPiB46l3NAhErHVgh8DLb7gWU3yMyu4eAZGNXVYMS0BfKSy6C_Gz9Pz4vbmJj-7jTxD_xmKuaoKkR4g2bCFDldBE8RJjtBNF_K8XcNEoZxVuEHYlzTOQ5eXQct8LqXVgfFtwhf2BYC7cVrK0smnN-pAor_
gurBRyEtiJQV08QCwBXh4PGjWviMPt0LTkfzjLB7yIFtrAlpAece9rbfPULNOSqLuGxhFDJGHWw6IB7IIVex_
NVeBfxsbyAHOD0t3UE0VrYijrv6gVz5-VqjC1OGcqtMEEld5-
aS2HlMbfpmRhTxWTbg11KKSPIm6RqplSgqMMlzSEriuCA4l6hxGRuuQRfCOqAIUQqe_9Wx433yJKF8cCt",
"e": "AQAB"
},
"attributes": {
"recoveryLevel": "CustomizedRecoverable
+Purgeable",
"enabled": true,
"nbf": 1662702740,
"exp": 1662702740,
"created": 1601460826,
"updated": 1601460826
}
},
"azure_created_at": "2020-09-30T10:13:46Z",
"azure_updated_at": "2020-09-30T10:13:46Z",
"tenant": "d27d849e-e487-4b0e-a54c-a71e67687d10",
"azure_expire_at": "2022-09-09T05:52:20Z",
"key_material_origin": "native",
"gone": false
}
]
}
The sample output shows the list of Azure keys.
To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Viewing Details of Azure Keys
Use the get /v1/cckm/azure/keys/{id} API to view the details of an Azure key with a specific id.
Syntax
curl -k '<IP>/api/v1/cckm/azure/keys/{id}' -H 'Authorization: Bearer AUTHTOKEN' --compressed
Here, {id} represents the key ID.
Request Parameter
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/azure/keys/94a392f3-52e8-4542-90b6-b8554c046492' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI1MDIzNTY1Yy0xOWI3LTQyY2UtODZmMi1jNWI3MTA1MTJhZjMiLCJzdWIiOiJsb2NhbHwwMWI4M2EwZS1mY2U1LTQ5MjgtODhiNi0zNTNkMmQ3ZTBiNDMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiZGJlNzU2MWYtZDVhOS00ZGEzLWJiZTEtNjlhMTg0Y2U3YzEzIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6Ijg0MjMxNmZhLWFiOTItNGQ2Ni1hMjQ4LTkxM2I2MmNhOTQzNSIsImlhdCI6MTYwMTQ2MDc5NCwiZXhwIjoxNjAxNDYxMDk0fQ.4ZoMwbFAYHRHfQbf_yhQ-f5j75HaNaWViOSunTrt8xw' --compressed
Example Response
{
"id": "94a392f3-52e8-4542-90b6-b8554c046492",
"uri": "kylo:kylo:cckm:azure-key:94a392f3-52e8-4542-90b6-b8554c046492",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-09-30T10:13:47.500575Z",
"updatedAt": "2020-09-30T10:13:47.498558Z",
"key_vault": "keyvault-softkeys::12e533dd-b5c2-4e58-a264-0cd812dc5a34",
"key_vault_id": "bedb82b9-582c-402d-9874-f3368722cf46",
"region": "northcentralus",
"deleted": false,
"backup_at": "2020-09-30T10:13:47.490014Z",
"soft_delete_enabled": true,
"key_soft_deleted_in_azure": false,
"status": "ACTIVE",
"syncedAt": "2020-09-30T10:13:46Z",
"created_by": "ef767cf9-61dd-4765-a4df-ebd65493c728",
"modified_by": "ef767cf9-61dd-4765-a4df-ebd65493c728",
"version": "e6d8dd366c024902b00e116af5e99ecc",
"key_size": 3072,
"backup": "a67e5fb314aa47d6b9d33522ae1cc8f511b92313a30b47e58411
68da27f97f32",
"key_name": "Test-key",
"cloud_name": "AzureCloud",
"azure_param": {
"key": {
"kid": "https://keyvault-softkeys.vault.azure.net/keys/Test-key/e6d8dd366c024902b00e116af5e99ecc",
"kty": "RSA",
"key_ops": [
"encrypt",
"decrypt",
"sign",
"verify",
"wrapKey",
"unwrapKey"
],
"n": "pQPKeqvSEMpQ29j3bzG3Vsz-ufp5p- JNCI1jX4lEhmL41Xmq7CVz6HkUgwPS0PC6qZc6dHXhfkewzNtmB81T5X8XYk3vK0LNckQouDoFJRm3heAyao88ei6zUndmceWGq- OmNjVMiOVViPiB46l3NAhErHVgh8DLb7gWU3yMyu4eAZGNXVYMS0BfKSy6C_ Gz9Pz4vbmJj-7jTxD_xmKuaoKkR4g2bCFDldBE8RJjtBNF_ K8XcNEoZxVuEHYlzTOQ5eXQct8LqXVgfFtwhf2BYC7cVrK0smnN-pAor_ gurBRyEtiJQV08QCwBXh4PGjWviMPt0LTkfzjLB7yIFtrAlpAece9rbfPULNOSqLuGxhFDJGHWw6IB7IIVex_ NVeBfxsbyAHOD0t3UE0VrYijrv6gVz5-VqjC1OGcqtMEEld5- aS2HlMbfpmRhTxWTbg11KKSPIm6RqplSgqMMlzSEriuCA4l6hxGRuuQRfCOqAIUQqe_9Wx433yJKF8cCt",
"e": "AQAB"
},
"attributes": {
"recoveryLevel": "CustomizedRecoverable+Purgeable",
"enabled": true,
"nbf": 1662702740,
"exp": 1662702740,
"created": 1601460826,
"updated": 1601460826
}
},
"azure_created_at": "2020-09-30T10:13:46Z",
"azure_updated_at": "2020-09-30T10:13:46Z",
"tenant": "d27d849e-e487-4b0e-a54c-a71e67687d10",
"azure_expire_at": "2022-09-09T05:52:20Z",
"key_material_origin": "native",
"gone": false,
"version_count": 1
}
The sample output shows the details corresponding to the key (with ID 94a392f3-52e8-4542-90b6-b8554c046492).
To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Updating Key Parameters
Use the patch /v1/cckm/azure/keys/{id} API to update the parameters of a key. You can modify the key attributes (such as expiration and activation time), key operations, and tags.
Syntax
curl -k '<IP>/api/v1/cckm/azure/keys/{id}' -X PATCH -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "key_ops": ["<key_operations>"]\n}' --compressed
Here, {id} represents the key ID.
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
attributes | JSON | Attributes to be updated such as exp, enabled, and nbf. Possible options are: • nbf - Activation date for the key in Unix Epoch time format. For example, the corresponding epoch time for September 9, 2022, 5:52:20 AM is 1662702740. • exp - Expiration date for the key in Unix Epoch time format. For example, the corresponding epoch time for September 9, 2022, 5:52:20 AM is 1662702740. • enabled - Specify whether the key is enabled or disabled (true/false). |
key_ops | array of strings | Cryptographic operations the key can perform. Possible options are: • encrypt • decrypt • sign • verify • wrapKey • unwrapKey |
tags | JSON | An optional parameter to add additional information to the key. The value must be specified as the key-value pair. Refer to the following rules on tag values. |
CCKM allows the following characters in tag values:
Alphanumeric characters
Special characters ! @ # $ ) ( { } > < ? + - / [ ] ^ & + = | ~ ` ; . ' _
CCKM does not allow the following special characters in tag values:
\ , : " %
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/azure/keys/94a392f3-52e8-4542-90b6-b8554c046492' -X PATCH -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "key_ops": ["encrypt",\n"decrypt",\n"sign"]\n}' --compressed
Example Response
{
"id": "94a392f3-52e8-4542-90b6-b8554c046492",
"uri": "kylo:kylo:cckm:azure-key:94a392f3-52e8-4542-90b6-b8554c046492",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-09-30T10:13:47.500575Z",
"updatedAt": "2020-09-30T10:17:13.803318868Z",
"key_vault": "keyvault-softkeys::12e533dd-b5c2-4e58-a264-0cd812dc5a34",
"key_vault_id": "bedb82b9-582c-402d-9874-f3368722cf46",
"region": "northcentralus",
"deleted": false,
"backup_at": "2020-09-30T10:13:47.490014Z",
"soft_delete_enabled": true,
"key_soft_deleted_in_azure": false,
"status": "ACTIVE",
"syncedAt": "2020-09-30T10:13:46Z",
"created_by": "ef767cf9-61dd-4765-a4df-ebd65493c728",
"modified_by": "ef767cf9-61dd-4765-a4df-ebd65493c728",
"version": "e6d8dd366c024902b00e116af5e99ecc",
"key_size": 3072,
"backup": "971a66b249e34d31b92b1c46ce0586feaefb9a69149144d4826c7db39ab7edb7",
"key_name": "Test-key",
"cloud_name": "AzureCloud",
"azure_param": {
"key": {
"kid": "https://keyvault-softkeys.vault.azure.net/keys/Test
-key/e6d8dd366c024902b00e116af5e99ecc",
"kty": "RSA",
"key_ops": [
"encrypt",
"decrypt",
"sign"
],
"n": "pQPKeqvSEMpQ29j3bzG3Vsz-ufp5p- JNCI1jX4lEhmL41Xmq7CVz6HkUgwPS0PC6qZc6dHXhfkewzNtmB81T5X8XYk3vK0LNckQouDoFJRm3heAyao88ei6zUndmceWGq- OmNjVMiOVViPiB46l3NAhErHVgh8DLb7gWU3yMyu4eAZGNXVYMS0BfKSy6C_ Gz9Pz4vbmJj-7jTxD_xmKuaoKkR4g2bCFDldBE8RJjtBNF_K8XcNEoZxVuEHYlzTOQ5eXQct8LqXVgfFtwhf2BYC7cVrK0smnN-pAor_ gurBRyEtiJQV08QCwBXh4PGjWviMPt0LTkfzjLB7yIFtrAlpAece9rbfPULNOSqLuGxhFDJGHWw6IB7IIVex_ NVeBfxsbyAHOD0t3UE0VrYijrv6gVz5-VqjC1OGcqtMEEld5- aS2HlMbfpmRhTxWTbg11KKSPIm6RqplSgqMMlzSEriuCA4l6hxGRuuQRfCOqAIUQqe_9Wx433yJKF8cCt",
"e": "AQAB"
},
"attributes": {
"recoveryLevel": "CustomizedRecoverable+Purgeable",
"enabled": true,
"nbf": 1662702740,
"exp": 1662702740,
"created": 1601460826,
"updated": 1601461032
}
},
"azure_created_at": "2020-09-30T10:13:46Z",
"azure_updated_at": "2020-09-30T10:13:46Z",
"tenant": "d27d849e-e487-4b0e-a54c-a71e67687d10",
"azure_expire_at": "2022-09-09T05:52:20Z",
"key_material_origin": "native",
"gone": false
}
The sample output shows that the key_ops parameter is modified and the key (Test-key) can perform the following crypto operations:
encrypt
decrypt
sign
To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Deleting Keys from CCKM
Use the post /v1/cckm/azure/keys/{id}/delete-backup API to delete an Azure key and its versions from the CCKM.
Warning
This operation will delete all the versions of a key and they cannot be restored to the vault. Use this option with caution.
Syntax
curl -k '<IP>/api/v1/cckm/azure/keys/{id}/delete-backup' -X POST -H 'Authorization: Bearer AUTHTOKEN' --compressed
Here, {id} represents the key ID.
Request Parameter
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/azure/keys/94a392f3-52e8-4542-90b6-b8554c046492/delete-backup' -X POST -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI1MDIzNTY1Yy0xOWI3LTQyY2UtODZmMi1jNWI3MTA1MTJhZjMiLCJzdWIiOiJsb2NhbHwwMWI4M2EwZS1mY2U1LTQ5MjgtODhiNi0zNTNkMmQ3ZTBiNDMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiZGJlNzU2MWYtZDVhOS00ZGEzLWJiZTEtNjlhMTg0Y2U3YzEzIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjRmMGExN2Y0LWQxOGUtNGE5YS04ZWM2LTU1ZjI2ZjJjNTMzMiIsImlhdCI6MTYwMTQ2MTEwNiwiZXhwIjoxNjAxNDYxNDA2fQ.P_d2ngOq_AlxqXhfG-saEvQRYZCSzQbzR2S6Jzv6Ogs' --compressed
Example Response
{
"status": 204
}
The sample output shows that the key is deleted successfully from the CCKM and "status": 204 is returned in response.
To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Soft-Deleting Azure Keys
Use the post /v1/cckm/azure/keys/{id}/soft-delete API to soft-delete an Azure key from the key vault.
Caution
This operation permanently deletes keys from a vault that does not have soft delete enabled.
Syntax
curl -k '<IP>/api/v1/cckm/azure/keys/{id}/soft-delete' -X POST -H 'Authorization: Bearer AUTHTOKEN' --compressed
Here, {id} represents the key ID.
Request Parameter
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/azure/keys/94a392f3-52e8-4542-90b6-b8554c046492/soft-delete' -X POST -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI1MDIzNTY1Yy0xOWI3LTQyY2UtODZmMi1jNWI3MTA1MTJhZjMiLCJzdWIiOiJsb2NhbHwwMWI4M2EwZS1mY2U1LTQ5MjgtODhiNi0zNTNkMmQ3ZTBiNDMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiZGJlNzU2MWYtZDVhOS00ZGEzLWJiZTEtNjlhMTg0Y2U3YzEzIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjRmMGExN2Y0LWQxOGUtNGE5YS04ZWM2LTU1ZjI2ZjJjNTMzMiIsImlhdCI6MTYwMTQ2MTEwNiwiZXhwIjoxNjAxNDYxNDA2fQ.P_d2ngOq_AlxqXhfG-saEvQRYZCSzQbzR2S6Jzv6Ogs' --compressed
Example Response
{
"id": "94a392f3-52e8-4542-90b6-b8554c046492",
"uri": "kylo:kylo:cckm:azure-key:94a392f3-52e8-4542-90b6-b8554c046492",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-09-30T10:13:47.500575Z",
"updatedAt": "2020-09-30T10:17:13.803319Z",
"key_vault": "keyvault-softkeys::12e533dd-b5c2-4e58-a264-0cd812dc5a34",
"key_vault_id": "bedb82b9-582c-402d-9874-f3368722cf46",
"region": "northcentralus",
"deleted": false,
"backup_at": "2020-09-30T10:13:47.490014Z",
"soft_delete_enabled": true,
"key_soft_deleted_in_azure": true,
"status": "SOFT-DELETED",
"syncedAt": "2020-09-30T10:13:46Z",
"created_by": "ef767cf9-61dd-4765-a4df-ebd65493c728",
"modified_by": "ef767cf9-61dd-4765-a4df-ebd65493c728",
"version": "e6d8dd366c024902b00e116af5e99ecc",
"key_size": 3072,
"backup": "971a66b249e34d31b92b1c46ce0586feaefb9a69149144d4826c7db
39ab7edb7",
"key_name": "Test-key",
"cloud_name": "AzureCloud",
"azure_param": {
"key": {
"kid": "https://keyvault-softkeys.vault.azure.net/keys/
Test-key/e6d8dd366c024902b00e116af5e99ecc",
"kty": "RSA",
"key_ops": [
"encrypt",
"decrypt",
"sign"
],
"n": "pQPKeqvSEMpQ29j3bzG3Vsz-ufp5p-
JNCI1jX4lEhmL41Xmq7CVz6HkUgwPS0PC6qZc6dHXhfkewzNtmB81T5X8XYk3vK0LNckQouDoFJRm3heAyao88ei6zUndmceWGq-
OmNjVMiOVViPiB46l3NAhErHVgh8DLb7gWU3yMyu4eAZGNXVYMS0BfKSy6C_
Gz9Pz4vbmJj-7jTxD_xmKuaoKkR4g2bCFDldBE8RJjtBNF_
K8XcNEoZxVuEHYlzTOQ5eXQct8LqXVgfFtwhf2BYC7cVrK0smnN-pAor_
gurBRyEtiJQV08QCwBXh4PGjWviMPt0LTkfzjLB7yIFtrAlpAece9rbfPULNOSqLuGxhFDJGHWw6IB7IIVex_NVeBfxsbyAHOD0t3UE0VrYijrv6gVz5-VqjC1OGcqtMEEld5-aS2HlMbfpmRhTxWTbg11KKSPIm6RqplSgqMMlzSEriuCA4l6hxGRuuQRfCOqAIUQqe_9Wx433yJKF8cCt",
"e": "AQAB"
},
"attributes": {
"recoveryLevel": "CustomizedRecoverable+Purgeable",
"enabled": true,
"nbf": 1662702740,
"exp": 1662702740,
"created": 1601460826,
"updated": 1601461032
}
},
"azure_created_at": "2020-09-30T10:13:46Z",
"azure_updated_at": "2020-09-30T10:13:46Z",
"tenant": "d27d849e-e487-4b0e-a54c-a71e67687d10",
"azure_expire_at": "2022-09-09T05:52:20Z",
"key_material_origin": "native",
"gone": false,
"version_count": 1
}
The sample output shows that the parameter key_soft_deleted_in_azure is set to true. This indicates that the key (Test-key) is soft-deleted from the vault.
To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Purging Azure Keys
Use the post /v1/cckm/azure/keys/{id}/hard-delete API to permanently delete an Azure key.
Note
This operation can only be performed on soft-deleted keys residing in a key vault that has soft delete enabled.
Syntax
curl -k '<IP>/api/v1/cckm/azure/keys/{id}/hard-delete' -X POST -H 'Authorization: Bearer AUTHTOKEN' --compressed
Here, {id} represents the key ID.
Request Parameter
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/azure/keys/94a392f3-52e8-4542-90b6-b8554c046492/hard-delete' -X POST -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI1MDIzNTY1Yy0xOWI3LTQyY2UtODZmMi1jNWI3MTA1MTJhZjMiLCJzdWIiOiJsb2NhbHwwMWI4M2EwZS1mY2U1LTQ5MjgtODhiNi0zNTNkMmQ3ZTBiNDMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiZGJlNzU2MWYtZDVhOS00ZGEzLWJiZTEtNjlhMTg0Y2U3YzEzIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjRmMGExN2Y0LWQxOGUtNGE5YS04ZWM2LTU1ZjI2ZjJjNTMzMiIsImlhdCI6MTYwMTQ2MTEwNiwiZXhwIjoxNjAxNDYxNDA2fQ.P_d2ngOq_AlxqXhfG-saEvQRYZCSzQbzR2S6Jzv6Ogs' --compressed
Example Response
{
"id": "94a392f3-52e8-4542-90b6-b8554c046492",
"uri": "kylo:kylo:cckm:azure-key:94a392f3-52e8-4542-90b6-b8554c046492",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-09-30T10:13:47.500575Z",
"updatedAt": "2020-09-30T10:20:36.30319Z",
"key_vault": "keyvault-softkeys::12e533dd-b5c2-4e58-a264-0cd812dc5a34",
"key_vault_id": "bedb82b9-582c-402d-9874-f3368722cf46",
"region": "northcentralus",
"deleted": true,
"backup_at": "2020-09-30T10:13:47.490014Z",
"soft_delete_enabled": true,
"key_soft_deleted_in_azure": true,
"status": "DELETED",
"syncedAt": "2020-09-30T10:13:46Z",
"created_by": "ef767cf9-61dd-4765-a4df-ebd65493c728",
"modified_by": "ef767cf9-61dd-4765-a4df-ebd65493c728",
"version": "e6d8dd366c024902b00e116af5e99ecc",
"key_size": 3072,
"backup": "971a66b249e34d31b92b1c46ce0586feaefb9a69149144d4826c7db39ab7edb7",
"key_name": "Test-key",
"cloud_name": "AzureCloud",
"azure_param": {
"key": {
"kid": "https://keyvault-softkeys.vault.azure.net/keys/
Test-key/e6d8dd366c024902b00e116af5e99ecc",
"kty": "RSA",
"key_ops": [
"encrypt",
"decrypt",
"sign"
],
"n": "pQPKeqvSEMpQ29j3bzG3Vsz-ufp5p-
JNCI1jX4lEhmL41Xmq7CVz6HkUgwPS0PC6qZc6dHXhfkewzNtmB81T5X8XYk3vK0LNckQouDoFJRm3heAyao88ei6zUndmceWGq-
OmNjVMiOVViPiB46l3NAhErHVgh8DLb7gWU3yMyu4eAZGNXVYMS0BfKSy6C_
Gz9Pz4vbmJj-7jTxD_xmKuaoKkR4g2bCFDldBE8RJjtBNF_
K8XcNEoZxVuEHYlzTOQ5eXQct8LqXVgfFtwhf2BYC7cVrK0smnN-pAor_
gurBRyEtiJQV08QCwBXh4PGjWviMPt0LTkfzjLB7yIFtrAlpAece9rbfPULNOSqLuGxhFDJGHWw6IB7IIVex_
NVeBfxsbyAHOD0t3UE0VrYijrv6gVz5-VqjC1OGcqtMEEld5-
aS2HlMbfpmRhTxWTbg11KKSPIm6RqplSgqMMlzSEriuCA4l6hxGRuuQRfCOqAIUQqe_9Wx433yJKF8cCt",
"e": "AQAB"
},
"attributes": {
"recoveryLevel": "CustomizedRecoverable+Purgeable",
"enabled": true,
"nbf": 1662702740,
"exp": 1662702740,
"created": 1601460826,
"updated": 1601461032
}
},
"azure_created_at": "2020-09-30T10:13:46Z",
"azure_updated_at": "2020-09-30T10:13:46Z",
"tenant": "d27d849e-e487-4b0e-a54c-a71e67687d10",
"azure_expire_at": "2022-09-09T05:52:20Z",
"key_material_origin": "native",
"gone": false,
"version_count": 1
}
The sample output shows that the parameter status becomes DELETED. This indicates that the key (Test-key) is permanently deleted from the Azure vault.
To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
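The three delete operations above differ in whether they can be undone, and the answer depends on fields that the key-details response already returns. The following pre-flight check is an added example, not CCKM code: `preflight` and `Decision` are hypothetical names, the sample records are constructed subsets of the example responses on this page, and the caller is assumed to have fetched the record with get /v1/cckm/azure/keys/{id} first.

```python
from typing import NamedTuple, Optional

# Endpoint names as documented in the three delete sections above.
ENDPOINTS = {
    "soft-delete": "/v1/cckm/azure/keys/{id}/soft-delete",
    "hard-delete": "/v1/cckm/azure/keys/{id}/hard-delete",
    "delete-backup": "/v1/cckm/azure/keys/{id}/delete-backup",
}

# Constructed subsets of the example responses shown on this page.
ACTIVE_KEY = {
    "id": "94a392f3-52e8-4542-90b6-b8554c046492",
    "status": "ACTIVE",
    "soft_delete_enabled": True,
    "key_soft_deleted_in_azure": False,
}
SOFT_DELETED_KEY = dict(ACTIVE_KEY, status="SOFT-DELETED",
                        key_soft_deleted_in_azure=True)


class Decision(NamedTuple):
    allowed: bool            # may the request be sent?
    irreversible: bool       # would the operation be permanent?
    reason: str
    path: Optional[str] = None  # endpoint to POST to when allowed


def preflight(operation, key, confirm_irreversible=False):
    """Decide whether a delete operation may be sent for this key record."""
    if operation not in ENDPOINTS:
        raise ValueError(f"unknown operation: {operation}")

    soft_vault = key.get("soft_delete_enabled") is True
    soft_deleted = key.get("key_soft_deleted_in_azure") is True

    if operation == "hard-delete":
        # Documented precondition: soft-deleted key in a soft-delete vault.
        if not (soft_vault and soft_deleted):
            return Decision(False, False,
                            "hard-delete applies only to soft-deleted keys "
                            "in a vault with soft delete enabled")
        irreversible = True
        reason = "purge permanently deletes the key from Azure"
    elif operation == "soft-delete":
        # Documented caution: without soft delete on the vault this is permanent.
        irreversible = not soft_vault
        reason = ("vault has no soft delete, so the key is permanently deleted"
                  if irreversible else
                  "vault has soft delete enabled, so the key is soft-deleted only")
    else:  # delete-backup
        irreversible = True
        reason = ("all key versions are removed from CCKM and cannot be "
                  "restored to the vault")

    if irreversible and not confirm_irreversible:
        return Decision(False, True, reason + " (explicit confirmation required)")
    return Decision(True, irreversible, reason,
                    ENDPOINTS[operation].format(id=key["id"]))


if __name__ == "__main__":
    print(preflight("soft-delete", ACTIVE_KEY))
    print(preflight("hard-delete", ACTIVE_KEY))
    print(preflight("hard-delete", SOFT_DELETED_KEY, confirm_irreversible=True))
```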
Uploading Keys to Azure Key Vault
Use the post /v1/cckm/azure/upload-key API to upload a key created on CipherTrust Manager to the Azure key vault.
Syntax
curl -k '<IP>/api/v1/cckm/azure/upload-key' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "key_name": "<key_name>",\n "local_key_identifier": "<local_key_id>",\n "key_vault": "<key_vault>"\n}' --compressed
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
key_name | string | Name of the key on Azure. Key name can only contain alphanumeric characters and dashes. |
key_vault | string | Name or ID of the key vault where the key will be uploaded. |
azure_param | JSON | Azure key parameters. Refer to Azure Parameters below for details. |
local_key_identifier | string | Name or ID of the CipherTrust Manager key to upload. This parameter is mandatory if source_key_tier is local. |
luna_key_identifier | string | Name or ID of the HSM Luna key to upload. This parameter is mandatory if source_key_tier is hsm-luna. |
password | string | PFX password. Specify only if the PFX certificate is provided. |
pfx | string | PFX key. Specify a Base64 encoded key. |
source_key_tier | string | Tier of the source. Possible options are: • local (default) • pfx • hsm-luna • dsm |
dsm_key_identifier | string | ID of the DSM key. This parameter is mandatory if source_key_tier is dsm. |
kek_kid | string | ID of the Azure key encryption key. |
exportable | boolean | Whether the private key can be exported from Azure. Set to true to allow the key export. Also, specify release_policy. Currently, the exportable parameter is valid only when the key source is hsm-luna and the Azure vault is a premium vault or a managed HSM vault. The exportable parameter cannot be modified after key creation. |
release_policy | JSON | Policy rules under which the key can be exported. release_policy is mandatory when exportable is set to true. |
Azure Parameters
Parameter | Type | Description |
---|---|---|
attributes | JSON | Attributes for the key such as exp, enabled, and nbf. Possible options are: • nbf - Activation date for the key in Unix Epoch time format. • exp - Expiration date for the key in Unix Epoch time format. • enabled - Specify whether the key is enabled or disabled (true/false). |
hsm | boolean | Allow key creation in Azure HSM. Set to true to allow, false to deny. |
key_ops | array of strings | Cryptographic operations performed by the key. Possible options are: • encrypt • decrypt • sign • verify • wrapKey • unwrapKey |
tags | JSON | Optional parameter to add additional information to the key. The value must be specified as the key-value pair. Refer to the following rules on tag values. |
CCKM allows the following characters in tag values:
Alphanumeric characters
Special characters ** ! @ # $ ) ( { } > < ? + - / [ ] ^ & + = | ~ ` ; . ' _ **
CCKM does not allow the following special characters in tag values:
** \ , : " % **
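The constraints in the Request Parameters table and the tag-value rules above can be checked before a request body is sent. The following is an added example, not CCKM code; validate_upload_request and the sample bodies are hypothetical names, and only the list of disallowed tag characters is enforced.

```python
import re

# Rules below are the ones stated in the Request Parameters table and the
# tag-value rules on this page; the function and constant names are hypothetical.
KEY_NAME_RE = re.compile(r"[A-Za-z0-9-]+")
# source_key_tier -> identifier the page marks as mandatory for that tier.
TIER_IDENTIFIER = {
    "local": "local_key_identifier",
    "hsm-luna": "luna_key_identifier",
    "dsm": "dsm_key_identifier",
    "pfx": None,  # the page names no mandatory identifier for this tier
}
KEY_OPS = {"encrypt", "decrypt", "sign", "verify", "wrapKey", "unwrapKey"}
FORBIDDEN_TAG_CHARS = set('\\,:"%')


def validate_upload_request(body):
    """Return a list of rule violations; an empty list means the body passes."""
    errors = []
    if not KEY_NAME_RE.fullmatch(str(body.get("key_name", ""))):
        errors.append("key_name: only alphanumeric characters and dashes")
    if not body.get("key_vault"):
        errors.append("key_vault: missing")

    tier = body.get("source_key_tier", "local")  # local is the documented default
    if tier not in TIER_IDENTIFIER:
        errors.append(f"source_key_tier: unknown tier {tier!r}")
    else:
        required = TIER_IDENTIFIER[tier]
        if required and not body.get(required):
            errors.append(f"{required}: mandatory when source_key_tier is {tier}")
    if body.get("password") and not body.get("pfx"):
        errors.append("password: specify only when pfx is provided")

    # The vault type (premium or managed HSM) cannot be checked from the body.
    if body.get("exportable"):
        if not body.get("release_policy"):
            errors.append("release_policy: mandatory when exportable is true")
        if tier != "hsm-luna":
            errors.append("exportable: valid only when the key source is hsm-luna")

    azure = body.get("azure_param", {})
    for op in azure.get("key_ops", []):
        if op not in KEY_OPS:
            errors.append(f"key_ops: unsupported operation {op!r}")
    for name, value in azure.get("tags", {}).items():
        bad = sorted(FORBIDDEN_TAG_CHARS.intersection(str(value)))
        if bad:
            errors.append(f"tags[{name}]: disallowed characters {bad}")
    return errors


# Body of this page's Example Request for upload-key.
EXAMPLE_BODY = {
    "key_name": "Uploadtestkey",
    "local_key_identifier": "rsakey",
    "key_vault": "bedb82b9-582c-402d-9874-f3368722cf46",
}
# Constructed body that breaks four rules at once.
BAD_BODY = {
    "key_name": "upload_test key",
    "key_vault": "bedb82b9-582c-402d-9874-f3368722cf46",
    "source_key_tier": "hsm-luna",
    "exportable": True,
    "azure_param": {"tags": {"owner": "team:payments"}},
}

if __name__ == "__main__":
    for label, body in (("example", EXAMPLE_BODY), ("constructed", BAD_BODY)):
        print(label, validate_upload_request(body) or "ok")
```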
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/azure/upload-key' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI1MDIzNTY1Yy0xOWI3LTQyY2UtODZmMi1jNWI3MTA1MTJhZjMiLCJzdWIiOiJsb2NhbHwwMWI4M2EwZS1mY2U1LTQ5MjgtODhiNi0zNTNkMmQ3ZTBiNDMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiZGJlNzU2MWYtZDVhOS00ZGEzLWJiZTEtNjlhMTg0Y2U3YzEzIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6ImI1ZTYwMjQ5LTI5MTgtNDVlNS04ZTM3LThlMWE3MGEwNjYyYSIsImlhdCI6MTYwMTQ2MTQxNiwiZXhwIjoxNjAxNDYxNzE2fQ.R_iu6Qrh_hwBPylzcqOYYfw37Rgt15JEUFQh149DO2o' -H 'Content-Type: application/json' --data-binary $'{\n "key_name": "Uploadtestkey",\n "local_key_identifier": "rsakey",\n "key_vault": "bedb82b9-582c-402d-9874-f3368722cf46"\n}' --compressed
Example Response
{
"id": "b3779b0a-09ca-4b2d-b9e6-8947bb5d740f",
"uri": "kylo:kylo:cckm:azure-key:b3779b0a-09ca-4b2d-b9e6-8947bb5d740f",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-09-30T10:24:41.448099979Z",
"updatedAt": "2020-09-30T10:24:41.446020965Z",
"key_vault": "keyvault-softkeys::12e533dd-b5c2-4e58-a264-0cd812dc5a34",
"key_vault_id": "bedb82b9-582c-402d-9874-f3368722cf46",
"region": "northcentralus",
"deleted": false,
"backup_at": "2020-09-30T10:24:41.435775419Z",
"soft_delete_enabled": true,
"key_soft_deleted_in_azure": false,
"status": "ACTIVE",
"syncedAt": "2020-09-30T10:24:40Z",
"created_by": "ef767cf9-61dd-4765-a4df-ebd65493c728",
"modified_by": "ef767cf9-61dd-4765-a4df-ebd65493c728",
"version": "628cd445146240c3bbd226e3d7ca5c62",
"key_size": 2048,
"backup": "c95104adb1684af69b86927cb993a03e905f0462e19d42c5be40778ac993ddc2",
"key_name": "Uploadtestkey",
"local_key_id": "c9a282fcae5046509212c0d711efc586d255e78316aa4771b5b126b24df9aae3",
"local_key_name": "rsakey",
"cloud_name": "AzureCloud",
"azure_param": {
"key": {
"kid": "https://keyvaultsoftkeys.vault.azure.net/keys/Uploadtestkey/628cd445146240c3bbd226e3d7ca5c62",
"kty": "RSA",
"key_ops": [
"encrypt",
"decrypt",
"sign",
"verify",
"wrapKey",
"unwrapKey"
],
"n": "nkxK6mYxOvM_ZQfc1AM2vPxslhg5WYGqaP3CtG9K4c6WEoVsPn_Iijc8bRdU02VjlAmIkRqHMms1_xxCSmy2ZMG91PQGwdrX-TeOa6kLv5b-RCsu_IP46SkDSGOgCpD0-DyfUXnPe3zgIfNOulAvFCy-rKbGmzrTuqCkEcznRHHOLiZRP1M4MF5cHBS33aqKaH5KfKndoF5Qk5PhHrqaxJ9SKBa5NL9ZZzm_DC1J4hnu2HcLVq-5cw1xL--uReyKAKsDjYZcxh6C6A9DuDe10qux1LieWJi7xzDJKbmBNWSTqle92kVOvOSy2jfxTdi721FTQucxs_Sh-lZ2eS4rQ",
"e": "AAAAAAABAAE"
},
"attributes": {
"recoveryLevel": "CustomizedRecoverable+Purgeable",
"enabled": true,
"created": 1601461480,
"updated": 1601461480
}
},
"azure_created_at": "2020-09-30T10:24:40Z",
"azure_updated_at": "2020-09-30T10:24:40Z",
"tenant": "d27d849e-e487-4b0e-a54c-a71e67687d10",
"meta": {
"source_key_id": "rsakey"
},
"key_material_origin": "cckm",
"rotated_at": "2020-09-30T10:24:41.435777091Z",
"gone": false
}
The sample output shows that a key (Uploadtestkey) is created on the Azure vault (bedb82b9-582c-402d-9874-f3368722cf46) and that it uses local key material (c9a282fcae5046509212c0d711efc586d255e78316aa4771b5b126b24df9aae3) created on the CipherTrust Manager. Because the key material is created on the Key Manager, the key material's origin is cckm.
To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Downloading Keys Created on Azure Vault to CCKM
Use the post /v1/cckm/azure/synchronization-jobs API to download the keys created on the Azure vault to the CCKM.
Syntax
curl -k '<IP>/api/v1/cckm/azure/synchronization-jobs' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "key_vaults": ["<key_vault>"],\n "synchronize_all": <boolean>\n}' --compressed
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
key_vaults | array of strings | Name or ID of key vaults from which Azure keys will be synchronized. |
synchronize_all | boolean | Set to true to synchronize all keys from all vaults. |
Note
The synchronize_all and key_vaults parameters are mutually exclusive. Specify either of the two.
Note
If an exportable Luna HSM key is created on Azure cloud, and the synchronization operation is performed on CCKM, the exportable flag does not show any value for the key.
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/azure/synchronization-jobs' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI1MDIzNTY1Yy0xOWI3LTQyY2UtODZmMi1jNWI3MTA1MTJhZjMiLCJzdWIiOiJsb2NhbHwwMWI4M2EwZS1mY2U1LTQ5MjgtODhiNi0zNTNkMmQ3ZTBiNDMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiZGJlNzU2MWYtZDVhOS00ZGEzLWJiZTEtNjlhMTg0Y2U3YzEzIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6ImI1ZTYwMjQ5LTI5MTgtNDVlNS04ZTM3LThlMWE3MGEwNjYyYSIsImlhdCI6MTYwMTQ2MTQxNiwiZXhwIjoxNjAxNDYxNzE2fQ.R_iu6Qrh_hwBPylzcqOYYfw37Rgt15JEUFQh149DO2o' -H 'Content-Type: application/json' --data-binary $'{\n "key_vaults": ["bedb82b9-582c-402d-9874-f3368722cf46"],\n "synchronize_all": false\n}' --compressed
Example Response
{
"id": "2321c6fb-acde-4b94-a00b-949c85968af3",
"uri": "kylo:kylo:cckm:synchronize:2321c6fb-acde-4b94-a00b-949c85968af3",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-09-30T10:25:47.057312858Z",
"updatedAt": "2020-09-30T10:25:47.059972903Z",
"overall_status": "in progress",
"cloud": "AzureCloud",
"key_vaults": [
"keyvault-softkeys::12e533dd-b5c2-4e58-a264-0cd812dc5a34"
],
"abort": false
}
The sample output shows that the synchronization-jobs API has started downloading the keys from the vault (bedb82b9-582c-402d-9874-f3368722cf46) to the CCKM. The status of the synchronization process is in progress. A unique ID (2321c6fb-acde-4b94-a00b-949c85968af3) for the synchronization process is returned.
To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Viewing Synchronization Status
Use the get /v1/cckm/azure/synchronization-jobs API to get the synchronization status. The results can be filtered using the query parameters.
Syntax
curl -k '<IP>/api/v1/cckm/azure/synchronization-jobs?skip=0&limit=10' -H 'Authorization: Bearer AUTHTOKEN' --compressed
Request Parameter
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
Request Query Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of synchronization. |
overall_status | string | Overall synchronization status. |
key_vaults | array | Name or ID of key vault. |
skip | integer | Number of records to skip. For example, if "skip":5 is specified, the first five records will not be displayed in the output. |
limit | integer | Number of records to display. For example, if "limit":10 is specified, then the next 10 records (after skipping the number of records specified in the skip parameter) will be displayed in the output. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/azure/synchronization-jobs?skip=0&limit=10' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI1MDIzNTY1Yy0xOWI3LTQyY2UtODZmMi1jNWI3MTA1MTJhZjMiLCJzdWIiOiJsb2NhbHwwMWI4M2EwZS1mY2U1LTQ5MjgtODhiNi0zNTNkMmQ3ZTBiNDMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiZGJlNzU2MWYtZDVhOS00ZGEzLWJiZTEtNjlhMTg0Y2U3YzEzIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6ImI1ZTYwMjQ5LTI5MTgtNDVlNS04ZTM3LThlMWE3MGEwNjYyYSIsImlhdCI6MTYwMTQ2MTQxNiwiZXhwIjoxNjAxNDYxNzE2fQ.R_iu6Qrh_hwBPylzcqOYYfw37Rgt15JEUFQh149DO2o' --compressed
Example Response
{
"skip": 0,
"limit": 10,
"total": 1,
"resources": [
{
"id": "2321c6fb-acde-4b94-a00b-949c85968af3",
"uri": "kylo:kylo:cckm:synchronize:2321c6fb-acde-4b94-a00b-949c85968af3",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-09-30T10:25:47.057313Z",
"updatedAt": "2020-09-30T10:26:40.378092Z",
"overall_status": "in progress",
"detailed_status": {
"northcentralus/keyvault-softkeys::12e533dd-b5c2-4e58-a264-0cd812dc5a34": "in progress"
},
"cloud": "AzureCloud",
"key_vaults": [
"keyvault-softkeys::12e533dd-b5c2-4e58-a264-0cd812dc5a34"
],
"abort": false
}
]
}
The sample output shows the status of the synchronization process.
To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Viewing Details of Synchronization Jobs
Use the get /v1/cckm/azure/synchronization-jobs/{id} API to return the details of a synchronization with a specific ID.
Syntax
curl -k '<IP>/api/v1/cckm/azure/synchronization-jobs/{id}' -H 'Authorization: Bearer AUTHTOKEN' --compressed
Here, {id} represents the synchronization job ID.
Request Parameter
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/azure/synchronization-jobs/2321c6fb-acde-4b94-a00b-949c85968af3' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI1MDIzNTY1Yy0xOWI3LTQyY2UtODZmMi1jNWI3MTA1MTJhZjMiLCJzdWIiOiJsb2NhbHwwMWI4M2EwZS1mY2U1LTQ5MjgtODhiNi0zNTNkMmQ3ZTBiNDMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiZGJlNzU2MWYtZDVhOS00ZGEzLWJiZTEtNjlhMTg0Y2U3YzEzIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjBjMzU3ZGFkLTRiOWUtNDYxNC04OTZmLTk4NjdkOTgzMjA2YSIsImlhdCI6MTYwMTQ2MTY2MywiZXhwIjoxNjAxNDYxOTYzfQ.Yr8elLXclrAysFbeO6deB_yFf1vl9zlbvLHJwZNotEY' --compressed
Example Response
{
"id": "2321c6fb-acde-4b94-a00b-949c85968af3",
"uri": "kylo:kylo:cckm:synchronize:2321c6fb-acde-4b94-a00b-949c85968af3",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-09-30T10:25:47.057313Z",
"updatedAt": "2020-09-30T10:27:25.1795Z",
"completed_at": "2020-09-30T10:27:25.179211Z",
"overall_status": "synchronization completed",
"detailed_status": {
"northcentralus/keyvault-softkeys::12e533dd-b5c2-4e58-a264-0cd812dc5a34": "vault synchronized successfully"
},
"cloud": "AzureCloud",
"key_vaults": [
"keyvault-softkeys::12e533dd-b5c2-4e58-a264-0cd812dc5a34"
],
"abort": false
}
The sample output shows the details corresponding to the specific synchronization job (with ID 2321c6fb-acde-4b94-a00b-949c85968af3).
To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Aborting Synchronization Jobs
Use the post /v1/cckm/azure/synchronization-jobs/{id}/cancel API to cancel a specific synchronization job.
Syntax
curl -k '<IP>/api/v1/cckm/azure/synchronization-jobs/{id}/cancel' -X POST -H 'Authorization: Bearer AUTHTOKEN' --compressed
Here, {id} represents the synchronization job ID.
Request Parameter
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/azure/synchronization-jobs/2321c6fb-acde-4b94-a00b-949c85968af3/cancel' -X POST -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI1MDIzNTY1Yy0xOWI3LTQyY2UtODZmMi1jNWI3MTA1MTJhZjMiLCJzdWIiOiJsb2NhbHwwMWI4M2EwZS1mY2U1LTQ5MjgtODhiNi0zNTNkMmQ3ZTBiNDMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiZGJlNzU2MWYtZDVhOS00ZGEzLWJiZTEtNjlhMTg0Y2U3YzEzIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjBjMzU3ZGFkLTRiOWUtNDYxNC04OTZmLTk4NjdkOTgzMjA2YSIsImlhdCI6MTYwMTQ2MTY2MywiZXhwIjoxNjAxNDYxOTYzfQ.Yr8elLXclrAysFbeO6deB_yFf1vl9zlbvLHJwZNotEY' --compressed
Example Response
{
"id": "2321c6fb-acde-4b94-a00b-949c85968af3",
"uri": "kylo:kylo:cckm:synchronize:2321c6fb-acde-4b94-a00b-949c85968af3",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-09-30T10:25:47.057313Z",
"updatedAt": "2020-09-30T10:26:40.378092Z",
"overall_status": "in progress",
"detailed_status": {
"northcentralus/keyvault-softkeys::12e533dd-b5c2-4e58-a264-0cd812dc5a34": "in progress"
},
"cloud": "AzureCloud",
"key_vaults": [
"keyvault-softkeys::12e533dd-b5c2-4e58-a264-0cd812dc5a34"
],
"abort": true
}
The sample output shows that the abort parameter is set to true, which indicates that the synchronization job (with ID 2321c6fb-acde-4b94-a00b-949c85968af3) is canceled.
To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
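The synchronization-job request rule (synchronize_all and key_vaults are mutually exclusive) and the job states shown in the three sample responses above can be handled as follows. This is an added example, not CCKM code; build_sync_request and summarize_job are hypothetical names, the job records are trimmed copies of this page's sample responses, and any status string not shown on this page is reported as unrecognized.

```python
# Status strings below are the ones shown in this page's sample responses.
IN_PROGRESS = "in progress"
COMPLETED = "synchronization completed"
VAULT_OK = "vault synchronized successfully"


def build_sync_request(key_vaults=None, synchronize_all=False):
    """Build the POST body; key_vaults and synchronize_all are mutually exclusive."""
    vaults = list(key_vaults or [])
    if synchronize_all and vaults:
        raise ValueError("synchronize_all and key_vaults are mutually exclusive")
    if not synchronize_all and not vaults:
        raise ValueError("specify key_vaults or set synchronize_all to true")
    if synchronize_all:
        return {"synchronize_all": True}
    return {"key_vaults": vaults, "synchronize_all": False}


def summarize_job(job):
    """Reduce a synchronization-job record to a state and the vaults not yet done."""
    pending = sorted(
        vault
        for vault, status in job.get("detailed_status", {}).items()
        if status != VAULT_OK
    )
    if job.get("abort"):
        # The cancel response keeps overall_status "in progress"; abort is the signal.
        state = "canceled"
    elif job.get("overall_status") == COMPLETED:
        state = "completed"
    elif job.get("overall_status") == IN_PROGRESS:
        state = "running"
    else:
        state = "unrecognized: " + str(job.get("overall_status"))
    return {"id": job.get("id"), "state": state, "pending_vaults": pending}


# Records trimmed from the sample responses on this page.
JOB_ID = "2321c6fb-acde-4b94-a00b-949c85968af3"
VAULT = "northcentralus/keyvault-softkeys::12e533dd-b5c2-4e58-a264-0cd812dc5a34"
RUNNING_JOB = {
    "id": JOB_ID,
    "overall_status": "in progress",
    "detailed_status": {VAULT: "in progress"},
    "abort": False,
}
COMPLETED_JOB = {
    "id": JOB_ID,
    "overall_status": "synchronization completed",
    "detailed_status": {VAULT: "vault synchronized successfully"},
    "abort": False,
}
CANCELED_JOB = dict(RUNNING_JOB, abort=True)

if __name__ == "__main__":
    print(build_sync_request(key_vaults=["bedb82b9-582c-402d-9874-f3368722cf46"]))
    for job in (RUNNING_JOB, COMPLETED_JOB, CANCELED_JOB):
        print(summarize_job(job))
```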
Enabling Key for Rotation Job
Use the /v1/cckm/azure/keys/{id}/enable-rotation-job API to enable an Azure key for a scheduled rotation job. To use this API, first create a new rotation job configuration; its job_config_id is required to call this API. Refer to Scheduling Key Rotation for details.
Syntax
curl -k '<IP>/api/v1/cckm/azure/keys/{id}/enable-rotation-job' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "job_config_id": "<job_config_id>",\n "auto_rotate_key_source": "<key_material_source>",\n "auto_rotate_key_type": "<key_type>",\n "auto_rotate_key_size": <key_size>,\n "auto_rotate_enable_key": <boolean>\n}' --compressed
Here, {id} represents the key ID.
Request Parameter
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
auto_rotate_key_source | string | Source of the key material. Possible options are: • native • hsm-luna • dsm • ciphertrust |
auto_rotate_partition_id | string | ID of the partition in which the Luna HSM key will be created. |
auto_rotate_key_type | string | Type of the key. Possible options are: • RSA • EC |
job_config_id | string | ID of the scheduler job that will perform key rotation. |
auto_rotate_ec_name | string | Name of the Elliptical curve key. Required only when key_type=EC. Possible options are: • P-256 • P-384 • P-521 • SECP256K1 |
auto_rotate_enable_key | boolean | Flag to enable the newly rotated key. |
auto_rotate_key_size | integer | Size of the new rotated key. Required only when key_type=RSA. Possible options are: • 2048 • 3072 • 4096 |
auto_rotate_domain_id | string | ID of the domain in which the key will be created. |
Example Request
curl -k 'https://54.175.71.61/api/v1/cckm/azure/keys/45b35f7b-b7b7-416c-a29c-4568d354fd2c/enable-rotation-job' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "job_config_id": "c7cd8d4c-6ef5-4de5-b107-2054160abb3a",\n "auto_rotate_key_source": "native",\n "auto_rotate_key_type": "RSA",\n "auto_rotate_key_size": 2048,\n "auto_rotate_enable_key": true\n}' --compressed
Example Response
{
"id": "45b35f7b-b7b7-416c-a29c-4568d354fd2c",
"uri": "kylo:kylo:cckm:azure-key:45b35f7b-b7b7-416c-a29c-4568d354fd2c",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-10-19T06:10:52.784557Z",
"updatedAt": "2020-10-19T07:04:16.520845Z",
"key_vault": "key-vault-softkeys::260ecbe7-777b-4d3c-84ea-887620498863",
"key_vault_id": "da2e6bb6-845c-4a3a-8c10-831065f6e855",
"region": "northcentralus",
"deleted": false,
"backup_at": "2020-10-19T06:10:40.371055Z",
"soft_delete_enabled": true,
"key_soft_deleted_in_azure": false,
"status": "ACTIVE",
"syncedAt": "2020-10-19T05:28:32Z",
"created_by": "ef767cf9-61dd-4765-a4df-ebd65493c728",
"modified_by": "ef767cf9-61dd-4765-a4df-ebd65493c728",
"version": "927bb136b2674414ac65a90660703f4f",
"key_size": 2048,
"backup": "701e44d020d44689b97c26a5de3cd6a5a05a91f8f7bd4b63998e423ef6f1b668",
"key_name": "newTestKey2048",
"cloud_name": "AzureCloud",
"azure_param": {
"key": {
"kid": "https://key-vault-softkeys.vault.azure.net/keys/newTestKey2048/927bb136b2674414ac65a90660703f4f",
"kty": "RSA",
"key_ops": [
"encrypt",
"decrypt",
"sign",
"verify",
"wrapKey",
"unwrapKey"
],
"n": "2kZsxVk8RHI5UIBm0v-LKTm3pm_jbLOqFcUe7dnYoaKXCp2XHfBad0jVu-oM8C5k8Ka_K5cVT9OQrtnfR_RptAL6SvtWzuUXiMgasovvX_Kc5cA54UtnuNO3-bHeijVWfH2VosGlf5PT0tB_nf8CAQplbWG3374YRozjxS5Ds22KSDbtli0CZiGL6v1jtBm24D-Y64PVHOBVejLDM6YesCSO1XkdMAgm7DItO04YmDoxOJcbfxLsmYN_HYvMKbqVAU4P1EeIEFmKAJ-7PbScfnW2mfAY_wTN1pe7GIfHpY1d1JoP96acYrj1k7sLuG5ZzXMEEHG711ayWVfANHJJQw",
"e": "AAAAAAABAAE"
},
"attributes": {
"recoveryLevel": "CustomizedRecoverable+Purgeable",
"enabled": true,
"created": 1603085312,
"updated": 1603085312
}
},
"azure_created_at": "2020-10-19T05:28:32Z",
"azure_updated_at": "2020-10-19T05:28:32Z",
"tenant": "d27d849e-e487-4b0e-a54c-a71e67687d10",
"labels": {
"auto_rotate_enable_key": true,
"auto_rotate_key_size": 2048,
"auto_rotate_key_source": "native",
"auto_rotate_key_type": "RSA",
"job_config_id": "c7cd8d4c-6ef5-4de5-b107-2054160abb3a"
},
"key_material_origin": "unknown",
"gone": false,
"version_count": 2
}
The sample output shows that the key (with ID 45b35f7b-b7b7-416c-a29c-4568d354fd2c) is enabled for the scheduled key rotation.
To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Disabling Key for Rotation Job
Use the /v1/cckm/azure/keys/{id}/disable-rotation-job API to disable the scheduled rotation job for an Azure key.
Syntax
curl -k '<IP>/api/v1/cckm/azure/keys/{id}/disable-rotation-job' -X POST -H 'Authorization: Bearer AUTHTOKEN' --compressed
Here, {id} represents the key ID.
Request Parameter
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
Example Request
curl -k 'https://54.175.71.61/api/v1/cckm/azure/keys/45b35f7b-b7b7-416c-a29c-4568d354fd2c/disable-rotation-job' -X POST -H 'Authorization: Bearer AUTHTOKEN' --compressed
Example Response
{
"id": "45b35f7b-b7b7-416c-a29c-4568d354fd2c",
"uri": "kylo:kylo:cckm:azure-key:45b35f7b-b7b7-416c-a29c-4568d354fd2c",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-10-19T06:10:52.784557Z",
"updatedAt": "2020-10-19T07:04:16.520845Z",
"key_vault": "key-vault-softkeys::260ecbe7-777b-4d3c-84ea-887620498863",
"key_vault_id": "da2e6bb6-845c-4a3a-8c10-831065f6e855",
"region": "northcentralus",
"deleted": false,
"backup_at": "2020-10-19T06:10:40.371055Z",
"soft_delete_enabled": true,
"key_soft_deleted_in_azure": false,
"status": "ACTIVE",
"syncedAt": "2020-10-19T05:28:32Z",
"created_by": "ef767cf9-61dd-4765-a4df-ebd65493c728",
"modified_by": "ef767cf9-61dd-4765-a4df-ebd65493c728",
"version": "927bb136b2674414ac65a90660703f4f",
"key_size": 2048,
"backup": "701e44d020d44689b97c26a5de3cd6a5a05a91f8f7bd4b63998e423ef6f1b668",
"key_name": "newTestKey2048",
"cloud_name": "AzureCloud",
"azure_param": {
"key": {
"kid": "https://key-vault-softkeys.vault.azure.net/keys/newTestKey2048/927bb136b2674414ac65a90660703f4f",
"kty": "RSA",
"key_ops": [
"encrypt",
"decrypt",
"sign",
"verify",
"wrapKey",
"unwrapKey"
],
"n": "2kZsxVk8RHI5UIBm0v-LKTm3pm_jbLOqFcUe7dnYoaKXCp2XHfBad0jVu-oM8C5k8Ka_K5cVT9OQrtnfR_RptAL6SvtWzuUXiMgasovvX_Kc5cA54UtnuNO3-bHeijVWfH2VosGlf5PT0tB_nf8CAQplbWG3374YRozjxS5Ds22KSDbtli0CZiGL6v1jtBm24D-Y64PVHOBVejLDM6YesCSO1XkdMAgm7DItO04YmDoxOJcbfxLsmYN_HYvMKbqVAU4P1EeIEFmKAJ-7PbScfnW2mfAY_wTN1pe7GIfHpY1d1JoP96acYrj1k7sLuG5ZzXMEEHG711ayWVfANHJJQw",
"e": "AAAAAAABAAE"
},
"attributes": {
"recoveryLevel": "CustomizedRecoverable+Purgeable",
"enabled": true,
"created": 1603085312,
"updated": 1603085312
}
},
"azure_created_at": "2020-10-19T05:28:32Z",
"azure_updated_at": "2020-10-19T05:28:32Z",
"tenant": "d27d849e-e487-4b0e-a54c-a71e67687d10",
"key_material_origin": "unknown",
"gone": false,
"version_count": 2
}
To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.