Uploading Salesforce Tenant Secrets
Use the post /v1/cckm/sfdc/keys/upload API to upload a Salesforce tenant secret from the source key. This is only for BYOK type tenant secrets. Cache-only keys have a separate API for upload.
Syntax
curl -k '<IP>/api/v1/cckm/sfdc/keys/upload' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n  "organization_id": "<organization-id>",\n  "type": "<type-of-secret>",\n  "source_key_tier": "<source-key-tier>",\n  "source_key_identifier": "<source-key-identifier>",\n  "certificate_id": "<certificate-id>",\n  "key_derivation_mode": "<key-derivation-mode>"\n}' --compressed
Request Parameters
| Parameter | Type | Description | 
|---|---|---|
| AUTHTOKEN | string | Authorization token. | 
| certificate_id | string | ID of the certificate whose public key will be used to encrypt the tenant secret. Use the get /v1/cckm/sfdc/certificates API to view the available certificates and their IDs. | 
| key_derivation_mode | string | Key derivation mode for the key. The options are: • PBKDF2 • NONE | 
| organization_id | string | ID of the Salesforce organization where the tenant secret will be created. | 
| source_key_identifier | string | ID of the source key that will be uploaded to the Salesforce cloud. | 
| source_key_tier | string | Tier of the source key - local (CipherTrust Manager). The default tier is local. | 
| type | string | Type of the Salesforce tenant secret. The type can be: • Data • EventBus • SearchIndex • DeterministicData • Analytics | 
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/sfdc/keys/upload' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.<payload>.ahdxfM7-WA4u7sotHy6qelc9MkoZytst7oZWsvE7Cr0' -H 'Content-Type: application/json' --data-binary $'{\n  "organization_id": "00DB000000040bIMAQ",\n  "type": "Data",\n  "source_key_tier": "local",\n  "source_key_identifier": "123",\n  "certificate_id": "123",\n  "key_derivation_mode": "PBKDF2"\n}' --compressed
Example Response
{
    "byok response": {
        "id": "a2c9f01e-48fd-4a82-bf40-918e581b3255",
        "uri": "kylo:kylo:cckm:Tenant_Secret:a2c9f01e-48fd-4a82-bf40-918e581b3255",
        "account": "kylo:kylo:admin:accounts:kylo",
        "createdAt": "2021-07-03T20:32:31.526936169Z",
        "updatedAt": "2021-07-03T20:32:31.524915269Z",
        "cloud_name": "sfdc",
        "name": "IsaTS",
        "sfdc_organization_id": "00DB000000040bIMAQ",
        "key_type": "byok",
        "error_msg": "",
        "sfdc_params": {
            "salesforce_id": "02GB0000000HYQOMA4",
            "created_by_id": "005B00000021BO4IAM",
            "last_modified_date": "2021-07-03T20:32:31.000+0000",
            "last_modified_by_id": "005B00000021BO4IAM",
            "system_modstamp": "2021-07-03T20:32:31.000+0000",
            "secret_value_hash": "UNKNOWM=",
            "secret_value": "CgMyMzISEK021JIPS7SkAxiHU9zDyqIaMNASJMB5cRR6oGnhj2+6zZkXMAVAtpsb7IFI6jjrhh1a9CIBgAuUlTzR4AtiIuKEig==",
            "version": 2112,
            "status": "ACTIVE",
            "source": "HSM",
            "type": "Data"
        },
        "tenant_secret_backup": {
            "backup_key_name": "00DB000000040bIMAQ:Data:2112:02GB0000000HYQOMA4",
            "backup_key_tier": "local"
        },
        "key_upload_params": {
            "source_key_tier": "local",
            "source_key_id": "626fdff442284cf1ad4b9030c21bfcddb2004e1cfd2b420da7c33d7f50e78c91",
            "source_key_name": "sfdc_key1"
        }
    }
}
The sample output shows that automatic rotation of the specified Salesforce tenant secret is enabled.
Response Codes
| Response Code | Description | 
|---|---|
| 2xx | Success | 
| 4xx | Client errors | 
| 5xx | Server errors | 
Refer to HTTP status codes for details.
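The following Python client for the upload call is an added example, not code from the product documentation. It checks the arguments against the Request Parameters table, verifies the server certificate against a CA file instead of skipping verification as curl's -k does (the request carries a bearer token), and strips secret fields from the response before it is logged. The function names, the ca_file parameter and the choice of fields to redact are assumptions of this example.

```python
import copy
import json
import ssl
import urllib.request

# Allowed values, taken from the Request Parameters table.
SECRET_TYPES = {"Data", "EventBus", "SearchIndex", "DeterministicData", "Analytics"}
DERIVATION_MODES = {"PBKDF2", "NONE"}
# Assumption of this example: these response fields are kept out of logs.
REDACTED_FIELDS = ("secret_value", "secret_value_hash")

def build_upload_body(organization_id, secret_type, source_key_identifier,
                      certificate_id, key_derivation_mode, source_key_tier="local"):
    """Check the arguments against the parameter table and return the JSON body."""
    if secret_type not in SECRET_TYPES:
        raise ValueError(f"unsupported type: {secret_type!r}")
    if key_derivation_mode not in DERIVATION_MODES:
        raise ValueError(f"unsupported key_derivation_mode: {key_derivation_mode!r}")
    body = {"organization_id": organization_id, "type": secret_type,
            "source_key_tier": source_key_tier, "certificate_id": certificate_id,
            "source_key_identifier": source_key_identifier,
            "key_derivation_mode": key_derivation_mode}
    empty = [name for name, value in body.items() if not value]
    if empty:
        raise ValueError(f"missing values: {empty}")
    return json.dumps(body)

def upload_tenant_secret(host, token, body, ca_file):
    """POST the body; the server certificate is verified against ca_file."""
    context = ssl.create_default_context(cafile=ca_file)
    request = urllib.request.Request(
        f"https://{host}/api/v1/cckm/sfdc/keys/upload", data=body.encode(),
        method="POST", headers={"Authorization": f"Bearer {token}",
                                "Content-Type": "application/json"})
    with urllib.request.urlopen(request, context=context, timeout=30) as reply:
        return json.load(reply)

def log_safe_record(response):
    """Raise if the upload reported an error, else return a copy safe to log."""
    record = copy.deepcopy(response["byok response"])
    if record.get("error_msg"):
        raise RuntimeError(f"upload failed: {record['error_msg']}")
    params = record.get("sfdc_params", {})
    params.update({f: "<redacted>" for f in REDACTED_FIELDS if f in params})
    return record

# Constructed sample, trimmed from the Example Response on this page.
SAMPLE = {"byok response": {"error_msg": "", "key_type": "byok", "sfdc_params": {
    "secret_value": "constructed-value", "version": 2112, "status": "ACTIVE"}}}
```

Pass the result of upload_tenant_secret to log_safe_record before writing it to any log or ticket.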