AWS Custom Key Store APIs
The Custom Key Store APIs for integration with Amazon Web Services Key Management Service (AWS KMS) allow you to manage both locally managed and AWS Cloud HSM key stores.
A custom key store of type AWS_CLOUDHSM has keys backed by a CloudHSM cluster in AWS. A custom key store of type EXTERNAL_KEY_STORE can have keys from a Luna HSM or from CipherTrust Manager.
Use the APIs in this section to perform the following operations:
Operations common to both key store types:
- Create, list, get, update and delete custom key stores.
- Connect and disconnect a custom key store.
- Synchronize AWS custom key stores, get the status of a synchronization job, and cancel a synchronization job.
Operations exclusive to external key stores:
- Block and unblock access.
- Rotate credentials.
- Enable and disable scheduled rotation of credentials for a custom key store.
- List and get credentials.
- Link a local external key store with AWS KMS.
- Enable or disable audit recording.
Operations exclusive to CloudHSM key stores:
- Get the list of unused CloudHSM clusters (those not already associated with a CloudHSM key store).
Operations exclusive to HYOK keys:
- Create an AWS HYOK key in an external key store.
- Create, list, and get virtual keys and their versions.
- Link an unlinked HYOK key.
- List versions of an AWS HYOK key.
- Block and unblock HYOK key access.
Operations exclusive to CloudHSM keys:
- Create a key in a CloudHSM key store.
External Custom Key Store Overview
External Custom Key Stores allow you to manage keys held in CipherTrust Manager or in Luna Network HSMs (Hardware Security Module), and allows AWS KMS to use the keys for cryptographic operations on demand.
The external custom key store entity on CipherTrust Cloud Key Manager (CCKM) provides access to AWS KMS to use source key material stored in HSM partitions or CipherTrust Manager, while preserving end user control to manage those source keys.
Setting up the necessary XKS objects for Luna as the key source requires a specific sequence:
1. Set up a Luna partition and create at least one key as described in Luna HSM APIs. Luna HSM keys that are compatible with external custom key stores must have the following values:
   - The only supported key mechanism for external custom key stores is CKM_AES_KEY_GEN. The displayed algorithm for this is aes.
   - The key size must be 256.
   - The following attributes must be enabled: CKA_ENCRYPT and CKA_DECRYPT.
2. Add the AWS account associated with the external key store integration to CCKM, as described in AWS KMS Management APIs.
3. Create the Health Check Key before creating a key store. The health check is initiated depending on the location of the key store.
   If the key store is on Luna HSM, the Health Check Key must have the following attributes:
   - CKA_EXTRACTABLE = FALSE
   - CKA_SENSITIVE = TRUE
   - CKA_ENCRYPT = TRUE
   - CKA_DECRYPT = TRUE
   - CKA_WRAP = TRUE
   - CKA_UNWRAP = TRUE
   If the key store is on CipherTrust Manager, the Health Check Key must have the following attributes:
   - Key Not Exportable
   - Key Not Deletable
   - Usage Masks - Encrypt, Decrypt, Wrap, Unwrap
4. Create an External Custom Key Store. The key store can be created as unlinked, which is the default, or linked. Creating a linked key store also creates a corresponding external key store on AWS KMS, and the CCKM external custom key store automatically synchronizes with the AWS KMS key store. If the key store is unlinked, retain the returned xks_proxy_uri_path value, which is needed to manually create the corresponding external key store on AWS. After creation, unlinked external custom key stores can later be linked to the corresponding AWS KMS key store.
5. Create a virtual key, which links to a source key. This intermediary virtual key in the API allows versioning and rotation of encryption keys.
Note
In the CipherTrust Manager web console UI, the virtual key object is not displayed; AWS Hold Your Own Key (HYOK) keys can be rotated directly, and are shown with a direct link to the source key on the HSM partition.
6. Create an AWS HYOK (External) key. The AWS HYOK key can be created as unlinked, which is the default, or linked. For unlinked keys, you need the returned XksKeyConfiguration:Id value to create the corresponding KMS key on AWS. On CCKM, the AWS HYOK key is linked to the virtual key, which is in turn linked to the source key.
Note
Do not provide the source_key_id, or the virtual key's id, to AWS KMS.
Once XKS objects are created, and communication between AWS and CCKM is established, AWS KMS can then make requests for the following operations:
GetKeyMetadata
Encrypt
Decrypt
GetHealthStatus
Note
You can exercise the health status independently of KMS for troubleshooting purposes. A sample command is provided below.
AWS KMS communicates these requests through the CCKM external custom key store and the AWS HYOK key, and the Luna HSM or CipherTrust Manager carries out encryption and decryption operations, depending on the key source.
The AWS Cloud KMS documentation describes AWS KMS API methods used for the external key store integration.
Troubleshooting External Custom Key Store
If CipherTrust Manager does not respond successfully to requests from AWS KMS to the external key store, you can use the REST API to determine the component which is failing.
To check if CipherTrust Manager interface services are available:
curl -w "%{time_total}\n" -k 'https://<ciphertrust_FQDN>/api/v1/system/services/status' -H 'accept: application/json' --compressed
The response lists each interface service and its state:
{"status":"started","services":[{"name":"web","status":"started"},{"name":"nae-kmip","status":"started"}]}
If the above command is successful, the CipherTrust Manager interface services are in a started state and the interfaces are able to receive requests. If you receive an error, you might need to restart services or re-configure the CipherTrust Manager interfaces.
To exercise the health status check:
curl --aws-sigv4 "aws:amz:<region>:kms-xks-proxy" --user "<access_key_id>:<secret_access_key_id>" -X POST --data '{"requestMetadata": {"kmsRequestId": "<request_id_string>","kmsOperation": "ConnectCustomKeyStore"}}' -H "Content-Type: application/json" https://<ciphertrust_FQDN>/api/<xks_proxy_uri_path>/health
A successful response returns "healthStatus":"ACTIVE", which indicates that the CCKM external key store is accessible and can execute an encryption with the health check key.
If you receive an error for a linked key store, make sure the VPC or private network elements are working correctly.
If you receive an error for an unlinked key store, you might need to check for network access issues, and check that both the AWS KMS key store and the CCKM key store have matching access key credentials, the health check key, and the region. Many of these mismatches can be fixed by updating or re-creating the AWS KMS external key store.
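The health-check curl command above relies on curl's --aws-sigv4 support, which signs the request with AWS Signature Version 4 for the kms-xks-proxy service in the key store's region, using the key store's access key credentials. The following added example (not part of the CipherTrust documentation or of CCKM) builds the same signed request with only the Python standard library, which is useful on hosts whose curl lacks --aws-sigv4, and makes visible exactly which headers and which body bytes participate in the signature when a credential or region mismatch is suspected. The host name, URI path, region, access keys and request ID in it are constructed placeholders; the service name and the request body shape are the ones shown on this page.

```python
"""Build a SigV4-signed XKS health-check request (standard library only).

Added example: mirrors what `curl --aws-sigv4 "aws:amz:<region>:kms-xks-proxy"`
does for the health endpoint. All hosts, keys and IDs are placeholders.
"""
import datetime as dt
import hashlib
import hmac
import json
import urllib.request
from urllib.parse import urlsplit

SERVICE = "kms-xks-proxy"  # service name in the credential scope, from the curl command above
# Fixed timestamp so the signing output is reproducible (constructed, for self-checks).
FIXED_TIME = dt.datetime(2024, 1, 2, 3, 4, 5, tzinfo=dt.timezone.utc)


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sign_xks_request(url, region, access_key_id, secret_access_key, body, when=None):
    """Return the headers for a SigV4-signed POST of `body` to `url`.

    `when` is injectable so that the signature is deterministic in tests.
    """
    when = when or dt.datetime.now(dt.timezone.utc)
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = when.strftime("%Y%m%d")
    parts = urlsplit(url)
    path = parts.path or "/"
    payload_hash = _sha256_hex(body)

    # Headers covered by the signature; SigV4 canonicalises them in sorted order.
    headers = {
        "content-type": "application/json",
        "host": parts.netloc,
        "x-amz-content-sha256": payload_hash,
        "x-amz-date": amz_date,
    }
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    canonical_request = "\n".join(
        ["POST", path, parts.query, canonical_headers, signed_headers, payload_hash]
    )

    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(canonical_request.encode())]
    )

    # Derive the signing key: kSecret -> kDate -> kRegion -> kService -> kSigning.
    k_date = _hmac(("AWS4" + secret_access_key).encode(), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, SERVICE)
    k_signing = _hmac(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()

    authorization = (
        f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return {**headers, "authorization": authorization}


def health_check_body(kms_request_id: str) -> bytes:
    """Request body the health endpoint expects, as shown in the documentation."""
    return json.dumps(
        {"requestMetadata": {"kmsRequestId": kms_request_id,
                             "kmsOperation": "ConnectCustomKeyStore"}}
    ).encode()


def check_health(url, region, access_key_id, secret_access_key, kms_request_id):
    """Send the signed request and return the parsed JSON (network call; not self-checked)."""
    body = health_check_body(kms_request_id)
    headers = sign_xks_request(url, region, access_key_id, secret_access_key, body)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder values: substitute the xks_proxy_uri_path and credentials of your key store.
    hdrs = sign_xks_request(
        "https://ctm.example.test/api/<xks_proxy_uri_path>/health", "us-east-1",
        "ACCESS_KEY_ID_PLACEHOLDER", "SECRET_ACCESS_KEY_PLACEHOLDER",
        health_check_body("request-id-placeholder"), when=FIXED_TIME)
    print(hdrs["authorization"])
```

A mismatch in any of the three inputs the page names (access key credentials, region, or the URI path that carries the key store's proxy endpoint) changes the canonical request or the credential scope, so the proxy rejects the signature; comparing the printed Credential scope and SignedHeaders against what the CCKM key store expects is a quick way to locate which one is wrong before touching the AWS KMS side.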
Create a Custom Key Store
Use POST /v1/cckm/aws/custom-key-stores to create a custom key store on CCKM. The custom key store can be an external key store or a CloudHSM key store.
For an External Custom Key Store, specify the following details:
- Name
- Region
- AWS account. This must be an AWS account registered on CCKM as a container.
- Luna Network HSM Partition ID.
- Linked state (false by default)
- Blocked (false by default)
- Audit recording (false by default)
- Source Key Tier (hsm-luna by default)
In addition, you can specify whether the key store is created in a blocked state or not.
Note
Enabling audit recording of successful operations for a custom key store of type EXTERNAL_KEY_STORE significantly impacts the performance of the key store. Enable this type of audit recording only for troubleshooting or for presenting a demo.
For a CKS backed by an AWS CloudHSM cluster, specify the following details:
- Name
- Region
- AWS account
- CloudHSM cluster ID
- CloudHSM kmsuser Crypto User (CU) password
- Trust anchor certificate
- The custom_key_store_type as AWS_CLOUDHSM.
Syntax
External key store with a Luna HSM partition as the key source, including the optional audit recording setting:
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores' -X POST -H 'Authorization: Bearer AUTHTOKEN' -H 'accept: application/json' --data-binary $'{\n "name": "<key_store_name>",\n "kms": "<aws-account-number>",\n "region": "<aws-region>",\n "linked_state": <boolean>,\n "local_hosted_params": {\n "partition_id": "<Luna_HSM_partition_ID>",\n "blocked": <boolean>,\n "health_check_key_id": "<key_id>",\n "max_credentials": <number_of_credentials>\n },\n "aws_param": {\n "xks_proxy_connectivity": "<network_connectivity_type>",\n "xks_proxy_uri_endpoint": "<DNS_hostname_for_requests>"\n },\n "enable_success_audit_event": <true|false>\n}' --compressed
External key store with a Luna HSM partition as the key source:
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores' -X POST -H 'Authorization: Bearer AUTHTOKEN' -H 'accept: application/json' --data-binary $'{\n "name": "<key_store_name>",\n "kms": "<aws-account-number>",\n "region": "<aws-region>",\n "linked_state": <boolean>,\n "local_hosted_params": {\n "partition_id": "<Luna_HSM_partition_ID>",\n "blocked": <boolean>,\n "health_check_key_id": "<key_id>",\n "max_credentials": <number_of_credentials>\n },\n "aws_param": {\n "xks_proxy_connectivity": "<network_connectivity_type>",\n "xks_proxy_uri_endpoint": "<DNS_hostname_for_requests>"\n }\n}' --compressed
External key store without a Luna HSM partition (partition_id omitted):
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores' -X POST -H 'Authorization: Bearer AUTHTOKEN' -H 'accept: application/json' --data-binary $'{\n "name": "<key_store_name>",\n "kms": "<aws-account-number>",\n "region": "<aws-region>",\n "linked_state": <boolean>,\n "local_hosted_params": {\n "blocked": <boolean>,\n "health_check_key_id": "<key_id>",\n "max_credentials": <number_of_credentials>\n },\n "aws_param": {\n "xks_proxy_connectivity": "<network_connectivity_type>",\n "xks_proxy_uri_endpoint": "<DNS_hostname_for_requests>"\n }\n}' --compressed
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
name | string | Required. Unique name for the custom key store. |
kms | string | Required. Name or ID of the AWS account container on CCKM in which to create the custom key store. |
region | string | Required. Name of an available AWS region. |
linked_state | boolean | Indicates whether the custom key store is linked with AWS. Applicable to custom key stores of type EXTERNAL_KEY_STORE. Default value is false. When false, creating a CKS in CCKM does not trigger AWS KMS to create a new key store, and the new CKS will not synchronize with any key store on AWS KMS until linked. |
enable_success_audit_event | boolean | Indicates whether audit recording of successful operations within an external key store is enabled or disabled. This field is optional. Default value is false. |
local_hosted_params | JSON | Parameters for locally hosted external custom key store on CCKM. |
aws_param | JSON | Required. Parameters related to AWS interaction with CKS. |
Local Hosted Parameters
The local hosted parameters are applicable to the EXTERNAL_KEY_STORE type. The descriptions indicate which values are required for external custom key stores.
Parameter | Type | Description |
---|---|---|
blocked | boolean | Whether the key store is blocked or not. If not specified, this is set to false. |
mtls_enabled | boolean | Whether the key store is enabled for the verification of a TLS client-side certificate, where the CipherTrust Manager authenticates the AWS KMS client. If not specified, this is set to false. |
health_check_key_id | string | Required. ID of an existing Luna key (if source key tier is luna-hsm) or CipherTrust key (if source key tier is local) to use for the health check. |
max_credentials | string | Required. Maximum number of credentials that can be associated with the custom key store (minimum 2, maximum 20). |
partition_id | string | ID of the Luna HSM partition. Required if the custom key store is of type EXTERNAL_KEY_STORE and the source key tier is luna-hsm. |
source_key_tier | string | Source for cryptographic keys. Default value is luna-hsm. Options are local or luna-hsm. |
Note
If you plan to enable mutual TLS on an AWS external custom key store, and there is a load balancer in front of CCKM, then configure the load balancer so that SSL termination does not take place on it thereby allowing SSL/TLS Passthrough. This configuration is required for CCKM and AWS KMS to successfully exchange certificates.
If enabling the mtls_enabled parameter by setting it to true, ensure that you perform the following prerequisite steps:
1. Create a CA signed certificate for one of the AWS Trusted CAs for the Web interface of your CipherTrust Manager.
2. Download and add the AWS root CA certificate from the same AWS trusted CA to External CA on CipherTrust Manager. For more information, refer to Creating an External CA.
Note
- Add the certificate from Step 1 to the CipherTrust Manager web interface. For more information, refer Using an externally generated server certificate for an interface.
AWS Parameters
Parameter | Type | Description |
---|---|---|
cloud_hsm_cluster_id | string | Required field for custom key store of type AWS_CLOUDHSM . ID of CloudHSM cluster for the custom key store. Enter cluster ID of active CloudHSM cluster that is not already associated with a custom key store. |
custom_key_store_type | string | Specifies the type of custom key store. The default value is EXTERNAL_KEY_STORE . For a custom key store backed by an AWS CloudHSM cluster, key store type is AWS_CLOUDHSM . For a custom key store backed by an HSM or key manager outside of AWS, key store type is EXTERNAL_KEY_STORE . |
key_store_password | string | Required field for custom key store of type AWS_CLOUDHSM . The password of the kmsuser crypto user (CU) account configured in the specified CloudHSM cluster. This parameter does not change the password in CloudHSM cluster. User needs to configure the credentials on CloudHSM cluster separately. |
trust_anchor_certificate | string | Required field for custom key store of type AWS_CLOUDHSM . The content of CA certificate or Self signed certificate file created during CloudHSM Cluster initialization. |
xks_proxy_connectivity | string | Required for custom key store of type EXTERNAL_KEY_STORE. Indicates how AWS KMS communicates with the CipherTrust Manager. Default value is PUBLIC_ENDPOINT. Valid options are VPC_ENDPOINT_SERVICE or PUBLIC_ENDPOINT. |
xks_proxy_uri_endpoint | string | Required for custom key store of type EXTERNAL_KEY_STORE. Specifies the protocol (always HTTPS) and DNS hostname to which KMS will send XKS API requests. The DNS hostname is either that of a load balancer directing to the CipherTrust Manager, or that of the CipherTrust Manager itself. |
xks_proxy_uri_path | string | Required for custom key store of type EXTERNAL_KEY_STORE. Indicates the base path to the CipherTrust Manager APIs for this external key store. |
xks_proxy_vpc_endpoint_service_name | string | Indicates the VPC endpoint service name used by the custom key store. This field is required when the xks_proxy_connectivity is VPC_ENDPOINT_SERVICE . |
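The request, local hosted and AWS parameter tables above spread the "required for type X" rules across three tables, and a body that violates one of them comes back from CCKM as a generic client error. The following added example (not part of the CipherTrust documentation or of CCKM) is a pre-flight validator that applies those rules locally before the POST is sent: the mandatory top-level fields, the CloudHSM trio (cluster ID, kmsuser password, trust anchor), the VPC endpoint service name when connectivity is VPC_ENDPOINT_SERVICE, the 2 to 20 bound on max_credentials, and partition_id when the source key tier is luna-hsm. The bounds, option names and defaults are taken from the tables; the two sample bodies and every ID in them are constructed placeholders.

```python
"""Pre-flight validation for a POST /v1/cckm/aws/custom-key-stores body.

Added example, not CCKM code. Rules come from the parameter tables on this page;
sample bodies are constructed and all IDs are placeholders.
"""

EXTERNAL = "EXTERNAL_KEY_STORE"
CLOUDHSM = "AWS_CLOUDHSM"
CONNECTIVITY = ("PUBLIC_ENDPOINT", "VPC_ENDPOINT_SERVICE")
KEY_TIERS = ("local", "luna-hsm")


def _as_int(value):
    """max_credentials is documented as a string but sent as a number in the example."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def validate_create_cks(body: dict) -> list:
    """Return the list of problems found; an empty list means the body passes."""
    problems = [f"{f} is required" for f in ("name", "kms", "region") if not body.get(f)]

    aws = body.get("aws_param")
    if not isinstance(aws, dict):
        return problems + ["aws_param is required"]

    store_type = aws.get("custom_key_store_type", EXTERNAL)  # documented default
    if store_type == CLOUDHSM:
        # CloudHSM-backed store: cluster ID, kmsuser CU password and trust anchor.
        for f in ("cloud_hsm_cluster_id", "key_store_password", "trust_anchor_certificate"):
            if not aws.get(f):
                problems.append(f"aws_param.{f} is required for {CLOUDHSM}")
        return problems
    if store_type != EXTERNAL:
        return problems + [f"unknown custom_key_store_type {store_type!r}"]

    # External key store: how AWS KMS reaches CipherTrust Manager.
    connectivity = aws.get("xks_proxy_connectivity", "PUBLIC_ENDPOINT")
    if connectivity not in CONNECTIVITY:
        problems.append(f"invalid xks_proxy_connectivity {connectivity!r}")
    elif connectivity == "VPC_ENDPOINT_SERVICE" and not aws.get("xks_proxy_vpc_endpoint_service_name"):
        problems.append("xks_proxy_vpc_endpoint_service_name is required for VPC_ENDPOINT_SERVICE")
    if not str(aws.get("xks_proxy_uri_endpoint", "")).startswith("https://"):
        problems.append("xks_proxy_uri_endpoint must be an https:// URL")

    local = body.get("local_hosted_params")
    if not isinstance(local, dict):
        return problems + [f"local_hosted_params is required for {EXTERNAL}"]
    if not local.get("health_check_key_id"):
        problems.append("local_hosted_params.health_check_key_id is required")
    creds = _as_int(local.get("max_credentials"))
    if creds is None or not 2 <= creds <= 20:
        problems.append("local_hosted_params.max_credentials must be between 2 and 20")
    tier = local.get("source_key_tier", "luna-hsm")  # documented default
    if tier not in KEY_TIERS:
        problems.append(f"invalid source_key_tier {tier!r}")
    elif tier == "luna-hsm" and not local.get("partition_id"):
        problems.append("local_hosted_params.partition_id is required when source_key_tier is luna-hsm")
    return problems


# Constructed sample bodies; names and IDs are placeholders, not real values.
SAMPLE_LUNA_BODY = {
    "name": "cks-luna-example",
    "kms": "aws-account-container-placeholder",
    "region": "ap-south-1",
    "linked_state": False,
    "local_hosted_params": {
        "partition_id": "00000000-0000-0000-0000-000000000001",
        "blocked": False,
        "health_check_key_id": "00000000-0000-0000-0000-000000000002",
        "max_credentials": 10,
    },
    "aws_param": {
        "xks_proxy_connectivity": "PUBLIC_ENDPOINT",
        "xks_proxy_uri_endpoint": "https://xks.example.test",
    },
}

SAMPLE_CLOUDHSM_BODY = {
    "name": "cks-cloudhsm-example",
    "kms": "aws-account-container-placeholder",
    "region": "ap-south-1",
    "aws_param": {
        "custom_key_store_type": CLOUDHSM,
        "cloud_hsm_cluster_id": "cluster-id-placeholder",
        "key_store_password": "kmsuser-password-placeholder",
        "trust_anchor_certificate": "-----BEGIN CERTIFICATE-----placeholder-----END CERTIFICATE-----",
    },
}

if __name__ == "__main__":
    for label, sample in (("luna", SAMPLE_LUNA_BODY), ("cloudhsm", SAMPLE_CLOUDHSM_BODY)):
        print(label, validate_create_cks(sample) or "ok")
```

Run the validator on the body immediately before the curl or HTTP call; because it returns every problem at once rather than the first, a key store definition can be corrected in one pass.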
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores' -X POST -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.eQk0b0pwJ67U5oHHWzPnCaJbJ3fJEBudo1Vb6E9Ag6M' -H 'accept: application/json' --data-binary $'{\n "name": "custom_key_store_name",\n "kms": "aws_account_number",\n "region": "ap-south-1", \n "linked_state": true,\n "local_hosted_params": {\n "partition_id": "f707115b-ca27-4f75-b44a-9b6a68788dd5",\n "blocked": false,\n "health_check_key_id": "511e1344-ad9f-4ee6-9eb5-df94e3c4a17c",\n "max_credentials": 10\n },\n "aws_param": {\n "xks_proxy_connectivity": "PUBLIC_ENDPOINT",\n "xks_proxy_uri_endpoint": "https://xks.example.com"\n }\n}' --compressed
Example Response
{
"application/json": {
"id": "a9e80f5a-9680-413d-8ec0-c901d3cb04b9",
"uri": "kylo:kylo:cckm:aws_cks:a9e80f5a-9680-413d-8ec0-c901d3cb04b9",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-01-10T03:09:21.716283215Z",
"updatedAt": "2022-01-10T03:09:21.714446273Z",
"name": "cks_name",
"kms": "aws",
"region": "ap-south-1",
"type": "LOCAL",
"credential_version": 1,
"kms_id": "7f13c680-d050-4eb8-9ab9-ed6e76b730e9",
"cloud_name": "aws",
"version_count": 0,
"aws_param": {
"custom_key_store_name": "cks_name",
"xks_proxy_uri_endpoint": "https://xks.example.com",
"xks_proxy_connectivity": "PUBLIC_ENDPOINT",
"xks_proxy_uri_path": "/api/v1/cckm/aws/xks-proxy-endpoints/8130b47d-a774-4739-8c71-94e733d6177c/kms/xks/v1",
"custom_key_store_type": "EXTERNAL_KEY_STORE",
"custom_key_store_id": "cks-6479457edc5fd993d",
"connection_state": "DISCONNECTED"
},
"local_hosted_params": {
"blocked": false,
"policy": {
"reserved": true
},
"linked_state": true,
"partition_label": "cckm-1608012946",
"partition_id": "8f6882be-eced-403a-a578-fe8393539b2d",
"source_container_id": "8f6882be-eced-403a-a578-fe8393539b2d",
"source_container_type": "hsm-luna",
"health_check_key_id": "339e786b-c236-495c-925e-87bd8bde82ca",
"health_check_ciphertext": "cf8iW1y5Ks/drIGZMxsgxJ5t27zOn4HAIEB/deQfFETe83RgMGOVCruEqGmXQEOXo338gZD/lRGtG8mYJzQuq+M=",
"max_credentials": 10,
"source_key_tier": "local",
"mtls_enabled": false
},
"access_key_id": "K045XFG9DFXVOCAK5LH904",
"secret_access_key": "08ddafe16d4f80c5b64eeacedde02258fd1cc210bd0cfd6df72d8516da1b4a4f"
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
List Custom Key Stores
Use GET /v1/cckm/aws/custom-key-stores to return the list of custom key stores.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores?<query_parameters>' -H 'AUTHTOKEN' -H 'accept: application/json' --compressed
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
Request Query Parameters
Parameter | Type | Description |
---|---|---|
id | string | Filter the results by internal ID of the AWS custom key store. |
name | string | Filter the results by AWS custom key store name. |
kms | string | Filter the results by KMS name or ID. |
region | string | Filter the results by region. |
cloud_name | string | Filter the results by cloud name. |
type | string | Filter the results by type, LOCAL , REMOTE , or CloudHSM . This is the key store's local hosted parameter value. |
blocked | boolean | Filter the results by blocked or unblocked state. |
linked_state | boolean | Filter the results by status of link between CCKM and AWS KMS. |
xks_proxy_connectivity | string | Filter the results by XKS proxy connectivity type, VPC_ENDPOINT_SERVICE or PUBLIC_ENDPOINT |
connection_state | string | Filter the results by key store connection state. |
source_key_tier | string | Filter the results by source key tier, local or luna-hsm. |
custom_key_store_type | string | Filter the results by type of custom key store, EXTERNAL_KEY_STORE or CLOUD_HSM . |
skip | integer | The index of the first resource to return. Equivalent to 'offset' in SQL. |
limit | integer | The max number of resources to return. Equivalent to 'limit' in SQL. |
sort | string | The fields to sort results by. This should be a comma-delimited list of properties. Multiple properties will result in a multi-column sort. Sort order is ascending by default. To have a descending sort for a field, precede the field name with a minus sign ("-"). For example: name,-createdAt will sort the results first by name , ascending, then by createdAt , descending. |
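The skip, limit and sort parameters above define how the server pages and orders the resources it returns, and the sort syntax in particular (comma-delimited fields, a leading minus for descending, multi-column precedence) is easy to get wrong in a client. The following added example (not part of the CipherTrust documentation or of CCKM) models that behaviour in Python over a constructed list of records shaped like the list response, so that a tool consuming this API can be tested for its handling of paging and ordering without calling CCKM. The record contents are placeholders; only the parameter semantics come from the table.

```python
"""Client-side model of the skip/limit/sort query parameters of the list endpoint.

Added example, not CCKM code. The records below are constructed placeholders
shaped like entries of the list response on this page.
"""


def parse_sort(spec: str) -> list:
    """'name,-createdAt' -> [('name', False), ('createdAt', True)] as (field, descending)."""
    keys = []
    for raw in spec.split(","):
        field = raw.strip()
        if not field:
            continue
        keys.append((field.lstrip("-"), field.startswith("-")))
    return keys


def apply_query(resources, skip=0, limit=10, sort="", **filters):
    """Filter on equal top-level fields, sort per the spec, then page with skip/limit.

    Returns a dict shaped like the API's list response (skip, limit, total, resources).
    """
    rows = [r for r in resources if all(r.get(k) == v for k, v in filters.items())]
    # Python's sort is stable, so applying the keys in reverse order makes the
    # first field in the spec the primary sort and later fields the tie-breakers.
    for field, descending in reversed(parse_sort(sort)):
        rows.sort(key=lambda r: r.get(field, ""), reverse=descending)
    page = rows[skip:skip + limit]
    return {"skip": skip, "limit": limit, "total": len(rows), "resources": page}


def ids(result) -> list:
    """Convenience: the ordered list of resource IDs in a result page."""
    return [r["id"] for r in result["resources"]]


# Constructed sample records (placeholders, not real key stores).
SAMPLE_STORES = [
    {"id": "cks-a", "name": "cks_name", "region": "ap-south-1", "blocked": False,
     "linked_state": False, "createdAt": "2022-01-10T03:05:18Z"},
    {"id": "cks-b", "name": "cks_name", "region": "ap-south-1", "blocked": True,
     "linked_state": True, "createdAt": "2022-01-10T03:09:21Z"},
    {"id": "cks-c", "name": "archive", "region": "us-east-1", "blocked": False,
     "linked_state": True, "createdAt": "2022-02-01T00:00:00Z"},
]

if __name__ == "__main__":
    print(ids(apply_query(SAMPLE_STORES, sort="name,-createdAt")))
    print(ids(apply_query(SAMPLE_STORES, blocked=True)))
```

The blocked and linked_state filters are the ones a reviewer typically combines when auditing which external key stores are currently serving AWS KMS: a store that is linked but blocked still exists on both sides yet refuses cryptographic requests.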
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores?skip=0&limit=10&sort=updatedAt' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.Y9ekMDlzrGczHuDkCi3qxZUTw_1uSzWTDQq-D7ILw2Y' -H 'accept: application/json' --compressed
Example Response
{
"application/json": {
"skip": 0,
"limit": 10,
"total": 2,
"resources": [
{
"id": "033716fc-898d-48a4-b12f-a6f2dd0d718b",
"uri": "kylo:kylo:cckm:aws_cks:033716fc-898d-48a4-b12f-a6f2dd0d718b",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-01-10T03:05:18.788744Z",
"updatedAt": "2022-01-10T03:05:18.786765Z",
"name": "cks_name",
"kms": "aws",
"region": "ap-south-1",
"locally_hosted": true,
"kms_id": "custom_cks_id",
"cloud_name": "aws",
"aws_param": {
"custom_key_store_name": "cks_name2",
"xks_proxy_uri_path": "/api/v1/cckm/aws/xks-proxy-endpoints/8c706a48-0e1a-4756-83dd-e46c54b65fb1/kms/xks/v1"
},
"local_hosted_params": {
"partition_label": "123456_name",
"partition_id": "123456",
"blocked": false,
"policy": {
"reserved": false
},
"source_container_id": "123456",
"source_container_type": "container_type",
"linked_state": false,
"mtls_enabled": false
}
},
{
"id": "a9e80f5a-9680-413d-8ec0-c901d3cb04b9",
"uri": "kylo:kylo:cckm:aws_cks:a9e80f5a-9680-413d-8ec0-c901d3cb04b9",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-01-10T03:09:21.716283Z",
"updatedAt": "2022-01-10T03:09:21.714446Z",
"name": "cks_name",
"kms": "aws",
"region": "ap-south-1",
"locally_hosted": true,
"kms_id": "custom_cks_id",
"cloud_name": "aws",
"aws_param": {
"custom_key_store_name": "cks_name",
"xks_proxy_uri_path": "/api/v1/cckm/aws/xks-proxy-endpoints/7f33443d-4773-41bb-8eec-7e320d511b00/kms/xks/v1"
},
"local_hosted_params": {
"partition_label": "12345_name",
"partition_id": "12345",
"blocked": false,
"policy": {
"reserved": false
},
"source_container_id": "12345",
"source_container_type": "container_type",
"linked_state": false,
"mtls_enabled": false
}
}
]
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
View Details of a Custom Key Store
Use GET /v1/cckm/aws/custom-key-stores/{id} to return the details of the custom key store with the given ID.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/<key_store_id>' -H 'AUTHTOKEN' -H 'accept: application/json' --compressed
Path Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the key store. This must be the UUID. |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/1234567' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.YvM-lsOWhniMIr8RiZG3HXMPnnBmA-DEt-JT47olgrs' -H 'accept: application/json' --compressed
Example Response
{
"application/json": {
"id": "a9e80f5a-9680-413d-8ec0-c901d3cb04b9",
"uri": "kylo:kylo:cckm:aws_cks:a9e80f5a-9680-413d-8ec0-c901d3cb04b9",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-01-10T03:09:21.716283Z",
"updatedAt": "2022-01-10T03:09:21.714446Z",
"name": "cks_name",
"kms": "aws",
"region": "ap-south-1",
"locally_hosted": true,
"kms_id": "custom_cks_id",
"cloud_name": "aws",
"aws_param": {
"custom_key_store_name": "cks_name",
"xks_proxy_uri_path": "/api/v1/cckm/aws/xks-proxy-endpoints/8c706a48-0e1a-4756-83dd-e46c54b65fb1/kms/xks/v1"
},
"local_hosted_params": {
"partition_label": "12345_name",
"partition_id": "12345",
"blocked": false,
"policy": {
"reserved": false
},
"source_container_id": "12345",
"source_container_type": "container_type",
"linked_state": false,
"mtls_enabled": false
}
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Remove a Custom Key Store
Use DELETE /v1/cckm/aws/custom-key-stores/{id} to remove an AWS custom key store from CCKM.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/<key_store_id>' -X DELETE -H 'AUTHTOKEN' --compressed
Path Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the key store. This must be the UUID. |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/1234567/' -X DELETE -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.kabqQJ96FtrkRJGdJK1tkz-pXHGMxYBhUrO5vUl_b4w' -H 'accept: application/json' --compressed
Example Response
{
"status": 204
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Edit a Custom Key Store
Use PATCH /v1/cckm/aws/custom-key-stores/{id} to edit a custom key store on CCKM.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/<key_store_id>' -X PATCH -H 'AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "name": "<new_name>",\n "aws_param": {\n "xks_proxy_uri_endpoint": "<new_xks_proxy_uri_endpoint>",\n "xks_proxy_uri_path": "<new_xks_proxy_uri_path>",\n "access_key_id": "<new_access_key_id>",\n "secret_access_key": "<new_secret_access_key_id>"\n },\n "local_hosted_params": {\n "health_check_key_id": "<new_health_check_key_id>"\n },\n "enable_success_audit_event": <true|false>\n}' --compressed
Path Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the key store. This must be the UUID. |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
name | string | New unique name for the custom key store. |
local_hosted_params | JSON | Parameters for locally hosted external custom key store on CCKM. |
aws_param | JSON | Required. Parameters related to AWS interaction with the CKS. |
enable_success_audit_event | boolean | Indicates whether audit recording of successful operations within an external key store is enabled or disabled. This field is optional. Default value is false. |
Local Hosted Parameters
The local hosted parameters are applicable to the EXTERNAL_KEY_STORE type.
Parameter | Type | Description |
---|---|---|
health_check_key_id | string | ID of existing luna key (if source key tier is 'luna-hsm') or CipherTrust key (if source key tier is local) to use for health-check. |
mtls_enabled | boolean | Whether the key store is enabled for the verification of a TLS client-side certificate where the CipherTrust Manager authenticates the AWS KMS client. If not specified, this is set to false . Note: If enabling this feature, ensure to perform the prerequisite steps. These include the following steps: download an AWS root CA certificate from Amazon's Trust Service site and then add an external CA from the CipherTrust Manager UI > CA menu. For more information, refer to the CipherTrust Manager documentation. |
AWS Parameters
Parameter | Type | Description |
---|---|---|
access_key_id | string | Access key ID for XKS service hosted at xks_proxy_uri_endpoint . Applicable only for custom key store of type EXTERNAL_KEY_STORE . |
cloud_hsm_cluster_id | string | New CloudHSM cluster ID. This field is applicable only for custom key store of type AWS_CLOUDHSM . |
key_store_password | string | New password of kmsuser CU (crypto user) account in the specified CloudHSM cluster. This parameter does not change the password in CloudHSM cluster. Configure the credentials on CloudHSM cluster separately. Applicable only for custom key store of type AWS_CLOUDHSM. |
secret_access_key | string | Secret access key for XKS service hosted at xks_proxy_uri_endpoint. Applicable only for custom key store of type EXTERNAL_KEY_STORE . |
xks_proxy_connectivity | string | Change how AWS KMS communicates with the Ciphertrust Manager. This field is applicable only for custom key store of type EXTERNAL_KEY_STORE . Valid options are VPC_ENDPOINT_SERVICE or PUBLIC_ENDPOINT . |
xks_proxy_uri_endpoint | string | New XKS proxy URI endpoint. This field is applicable only for custom key store of type EXTERNAL_KEY_STORE . |
xks_proxy_uri_path | string | New base path to the CipherTrust Manager APIs for this custom key store. This field is applicable only for custom key stores of type EXTERNAL_KEY_STORE. |
xks_proxy_vpc_endpoint_service_name | string | Indicates the VPC endpoint service name used by the custom key store. This field is required when the xks_proxy_connectivity is VPC_ENDPOINT_SERVICE . |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/1234567' -X PATCH -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.B0dIWaOLvEFexiTHmUGO0VUg4j77EeJgWUF1anc8B6M' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "name": "new_name_1234",\n "aws_param": {\n "xks_proxy_uri_endpoint": "https://xksproxy.mycompany.com",\n "xks_proxy_uri_path": "/api/v1/cckm/aws/xks-proxy-endpoints/736d4b20-fe22-4139-b39f-622404dc725e/kms/xks/v1",\n "access_key_id": "KYBZ5TKM7OUXZIWBAPVD",\n "secret_access_key": "e49f198bb94ce8efea6b987ae1aac6885d98ab3087168f8106d6f8c784db2ff4"\n },\n "local_hosted_params": {\n "health_check_key_id": "a9e80f5a-9680-413d-8ec0-c901d3cb04c0"\n },\n "enable_success_audit_event": true\n}' --compressed
Example Response
{
"application/json": {
"id": "a9e80f5a-9680-413d-8ec0-c901d3cb04b9",
"uri": "kylo:kylo:cckm:aws_cks:a9e80f5a-9680-413d-8ec0-c901d3cb04b9",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-01-10T03:09:21.716283Z",
"updatedAt": "2022-01-10T03:09:21.714446Z",
"name": "new_name_1234",
"kms": "aws",
"region": "ap-south-1",
"type": "LOCAL",
"credential_version": 1,
"kms_id": "7f13c680-d050-4eb8-9ab9-ed6e76b730e9",
"cloud_name": "aws",
"version_count": 0,
"aws_param": {
"xks_proxy_connectivity": "PUBLIC_ENDPOINT",
"connection_state": "DISCONNECTED",
"custom_key_store_type": "EXTERNAL_KEY_STORE",
"custom_key_store_id": "cks-6479457edc5fd993d",
"xks_proxy_uri_endpoint": "https://xksproxy.mycompany.com",
"xks_proxy_uri_path": "/api/v1/cckm/aws/xks-proxy-endpoints/736d4b20-fe22-4139-b39f-622404dc725e/kms/xks/v1"
},
"local_hosted_params": {
"partition_label": "cckm-1608012946",
"partition_id": "80d88390-78bd-40e2-bbac-b1782ed6e456",
"blocked": false,
"health_check_key_id": "a9e80f5a-9680-413d-8ec0-c901d3cb04c0",
"policy": {
"reserved": false
},
"source_container_id": "",
"source_container_type": "",
"source_key_tier": "hsm-luna",
"linked_state": false,
"max_credentials": 10,
"mtls_enabled": false
},
"enable_success_audit_event": false
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Create a KMS key in a CloudHSM Custom Key Store
Use POST /v1/cckm/aws/custom-key-stores/{id}/create-aws-key to create a KMS key in a CloudHSM-backed custom key store.
Syntax
curl -k 'https://<ciphertrust_fqdn>/api/v1/cckm/aws/custom-key-stores/<key_store_id>/create-aws-key' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "aws_param": {\n "Description": "<key_description>",\n "Alias": "<Alias_for_the_key>",\n "Tags": [\n {\n "TagKey": "<key_of_the_tag>",\n "TagValue": "<value_of_the_tag>"\n }\n ]\n },\n "key_admins": [\n "<IAM_user_to_admin_key>"\n ],\n "key_admins_roles": [\n "<IAM_roles_to_admin_key>"\n ],\n "key_users": [\n "<IAM_user_to_use_key>"\n ],\n "key_users_roles": [\n "<IAM_roles_to_use_key>"\n ],\n "external_accounts": [\n "<AWS_accounts_to_use_key>"\n ]\n}' --compressed
Path Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the key store. This must be the UUID. |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
external_accounts | array | AWS accounts that can use this key. External accounts are mutually exclusive to policy and policy template. If no policy parameters are specified, the default policy is used. |
key_admins | array | IAM users who can administer this key using the KMS API. Key admins are mutually exclusive to policy and policy template. If no policy parameters are specified, the default policy is used. |
key_admins_roles | array | IAM roles that can administer this key using the KMS API. Key admins are mutually exclusive to policy and policy template. If no policy parameters are specified, the default policy is used. |
key_users | array | IAM users who can use the KMS key in cryptographic operations. Key users are mutually exclusive to policy and policy template. If no policy parameters are specified, the default policy is used. |
key_users_roles | array | IAM roles that can use the KMS key in cryptographic operations. Key users are mutually exclusive to policy and policy template. If no policy parameters are specified, the default policy is used. |
policytemplate | string | ID of the policy template to apply. Policy template is mutually exclusive to all other policy parameters. If no policy parameters are specified, the default policy is used. |
aws_param | JSON | Required. Parameters related to AWS interaction with the custom key store. |
AWS Parameters
Parameter | Type | Description |
---|---|---|
Alias | string | Alias for the key. Required. |
Description | string | Description of the key. |
Policy | JSON | Key policy to attach to the KMS Key. Policy is mutually exclusive to all other policy parameters. If no policy parameters are specified the default policy is used. |
Tags | Array | Optional tags |
TagKey | string | Key of the tag. A tag is a key-value pair. |
TagValue | string | Value corresponding to the key of the tag. |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/1234567/create-aws-key' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "aws_param": {\n "Description": "Test CloudHSM key ",\n "Alias": "cloudhsmkey13",\n "Tags": [\n {\n "TagKey": "tag3",\n "TagValue": "value3"\n }\n ]\n },\n "key_admins": [\n "john.doe"\n ],\n "key_admins_roles": [\n "aws-service-role/elasticfilesystem.amazonaws.com/AWSServiceRoleForAmazonElasticFileSystem"\n ],\n "key_users": [\n "richard-roe"\n ],\n "key_users_roles": [\n "aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport"\n ]\n}' --compressed
Example Response
{
"application/json": {
"id": "0016ea0c-8f37-44ac-ac8f-3b5396130a19",
"uri": "kylo:kylo-81539629-e4b5-4d77-933f-30174a27dc20:cckm:aws-key:0016ea0c-8f37-44ac-ac8f-3b5396130a19",
"account": "kylo:kylo-81539629-e4b5-4d77-933f-30174a27dc20:admin:accounts:kylo-81539629-e4b5-4d77-933f-30174a27dc20",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2022-08-09T23:05:48.03608398Z",
"updatedAt": "2022-08-09T23:05:48.033508896Z",
"kms_id": "7262dee3-e0dc-4a0c-91c5-40395dd8f92e",
"kms": "aws_acc_atf",
"synced_at": "2022-08-09T23:05:48.027918202Z",
"rotation_status": "",
"cloud_name": "aws",
"key_users": [
"arn:aws:iam::556782317223:user/richard-roe"
],
"key_users_roles": [
"arn:aws:iam::556782317223:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport"
],
"key_admins": [
"arn:aws:iam::556782317223:user/john.doe"
],
"key_admins_roles": [
"arn:aws:iam::556782317223:role/aws-service-role/elasticfilesystem.amazonaws.com/AWSServiceRoleForAmazonElasticFileSystem"
],
"key_type": "symmetric",
"basic_view_enabled": true,
"region": "eu-west-1",
"gone": false,
"blocked": false,
"linked_state": true,
"key_material_origin": "CloudHSM",
"key_source": "CloudHSM",
"custom_key_store_id": "1421d123-5cfc-4291-bc3f-4232362a8ee4",
"custom_key_store_name": "test-eu-cloudhsm-2",
"aws_param": {
"AWSAccountId": "556782317223",
"Arn": "arn:aws:kms:eu-west-1:556782359223:key/0c0389d3-d327-4689-b8f9-0f966f83424c",
"CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
"Description": "Test CloudHSM key ",
"Enabled": true,
"EncryptionAlgorithms": [
"SYMMETRIC_DEFAULT"
],
"KeyID": "0c0389d3-d327-4689-b8f9-0f966f83424c",
"KeyManager": "CUSTOMER",
"KeyState": "Enabled",
"KeyUsage": "ENCRYPT_DECRYPT",
"Origin": "AWS_CLOUDHSM",
"CreationDate": "2022-08-09T23:05:47.448Z",
"Policy": {
"Version": "2012-10-17",
"Id": "key-consolepolicy-3",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::556782359223:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::556782359223:role/aws-service-role/elasticfilesystem.amazonaws.com/AWSServiceRoleForAmazonElasticFileSystem",
"arn:aws:iam::556782359223:user/john.doe"
]
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::556782359223:user/richard-roe",
"arn:aws:iam::556782359223:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport"
]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::556782359223:user/richard-roe",
"arn:aws:iam::556782359223:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport"
]
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
]
},
"Alias": [
"alias/cloudhsmkey13"
],
"Tags": [
{
"TagKey": "tag3",
"TagValue": "value3"
}
],
"KeyRotationEnabled": false,
"CustomKeyStoreId": "cks-ea58c749fdb248c96"
}
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
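The create-aws-key request above accepts several ways to express the key policy (an inline Policy, a policytemplate, or the key_admins / key_users / external_accounts lists) that the parameter tables declare mutually exclusive, and the response returns the key policy AWS actually attached. The following Python is an added example, not part of the CCKM product or this documentation: it checks a request body against those exclusivity rules before sending it, and audits a returned key policy to show which principals can decrypt, rewrite the policy, schedule deletion, or create grants. The sample policy is a shortened copy of the example response; the probe-action list and the capability names are this example's own choices.

```python
import fnmatch
from typing import Dict, List, Set

# Request-body parameter groups the API documents as mutually exclusive.
PRINCIPAL_LISTS = ("key_admins", "key_admins_roles", "key_users",
                   "key_users_roles", "external_accounts")


def policy_mode(body: dict) -> str:
    """Return which policy mechanism a create-aws-key body uses ('inline' for
    aws_param.Policy, 'template' for policytemplate, 'principals' for the
    key_admins/key_users/external_accounts lists, 'default' for none) and
    raise ValueError if more than one is present or Alias is missing."""
    aws_param = body.get("aws_param") or {}
    if not aws_param.get("Alias"):
        raise ValueError("aws_param.Alias is required")
    modes = []
    if aws_param.get("Policy"):
        modes.append("inline")
    if body.get("policytemplate"):
        modes.append("template")
    if any(body.get(k) for k in PRINCIPAL_LISTS):
        modes.append("principals")
    if len(modes) > 1:
        raise ValueError("mutually exclusive policy parameters: " + ", ".join(modes))
    return modes[0] if modes else "default"


# Probe actions (this example's choice): a principal whose Action patterns
# cover one of these holds a capability worth reviewing on the key.
PROBES = {
    "kms:Decrypt": "decrypt",                        # can use the key material
    "kms:PutKeyPolicy": "put_policy",                # can rewrite who has access
    "kms:ScheduleKeyDeletion": "schedule_deletion",  # can destroy the key
    "kms:CreateGrant": "create_grant",               # can delegate use to others
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def summarize_key_policy(policy: dict) -> Dict[str, List[str]]:
    """Map each principal in the Allow statements to the sorted capabilities
    it holds. A statement carrying a Condition is tagged '(conditional)'.
    Deny statements are not evaluated, so the result is an upper bound."""
    caps: Dict[str, Set[str]] = {}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        arns = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        patterns = _as_list(stmt.get("Action", []))
        suffix = " (conditional)" if stmt.get("Condition") else ""
        for arn in arns:
            flags = caps.setdefault(arn, set())
            if any(p in ("*", "kms:*") for p in patterns):
                flags.add("wildcard" + suffix)
            for action, name in PROBES.items():
                if any(fnmatch.fnmatchcase(action, p) for p in patterns):
                    flags.add(name + suffix)
    return {arn: sorted(flags) for arn, flags in caps.items()}


# Constructed sample: the request body from the example above and a shortened
# copy of the key policy returned for it (admin action list trimmed).
SAMPLE_REQUEST = {
    "aws_param": {"Alias": "cloudhsmkey13", "Description": "Test CloudHSM key"},
    "key_admins": ["john.doe"],
    "key_users": ["richard-roe"],
}
ACCOUNT = "arn:aws:iam::556782359223"
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": f"{ACCOUNT}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Effect": "Allow", "Principal": {"AWS": [f"{ACCOUNT}:user/john.doe"]},
         "Action": ["kms:Create*", "kms:Describe*", "kms:Put*", "kms:ScheduleKeyDeletion"],
         "Resource": "*"},
        {"Effect": "Allow", "Principal": {"AWS": [f"{ACCOUNT}:user/richard-roe"]},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
        {"Effect": "Allow", "Principal": {"AWS": [f"{ACCOUNT}:user/richard-roe"]},
         "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"], "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ],
}

if __name__ == "__main__":
    print("policy mode:", policy_mode(SAMPLE_REQUEST))
    for arn, flags in summarize_key_policy(SAMPLE_POLICY).items():
        print(f"{arn}: {', '.join(flags)}")
```

Running the audit on the sample shows two things a reviewer should notice in the default policy CCKM generates: the account root keeps kms:* on the key, and the "Key Administrators" statement's kms:Create* wildcard covers kms:CreateGrant, so administrators can delegate use of the key even though they are not in the key_users list.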
Block Access to External Custom Key Store
Use POST /v1/cckm/aws/custom-key-stores/{id}/block
to disallow AWS KMS from performing encrypt, decrypt, and health requests on an external custom key store.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/<key_store_id>/block' -X POST -H 'Authorization: Bearer AUTHTOKEN' -H 'accept: application/json' --compressed
Path Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the key store. This must be the UUID. |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/1234567/block' -X POST -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI4Yzg4ZDY2Mi1mZDQ5LTQwM2QtOGFmMC0zYjljNGM0ZWNmNDMiLCJzdWIiOiJsb2NhbHxmYTEzYzU2Ny04NWQ4LTRiM2QtYWQ1OS1lNzMyOWZjMjNjOTQiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiN2NlNzAwZmItMDI5OC00Y2M4LWIxMWUtZTJhODg0OGVkNDg3Iiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6ImQwODA5ZjkyLTUwZjMtNGZmYi04YzdhLTNjYmJhMWVjNjBjYiIsImlhdCI6MTY1MDU2Njg2MSwiZXhwIjoxNjUwNTY3MTYxfQ.ktaPfZkjiWILr5mB4saH8yA653l4LXzOFbdfJ-Gfqws' -H 'accept: application/json' --compressed
Example Response
{
"application/json": {
"id": "a9e80f5a-9680-413d-8ec0-c901d3cb04b9",
"uri": "kylo:kylo:cckm:aws_cks:a9e80f5a-9680-413d-8ec0-c901d3cb04b9",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-01-10T03:09:21.716283Z",
"updatedAt": "2022-01-10T03:09:21.714446Z",
"name": "cks_name",
"kms": "aws",
"region": "ap-south-1",
"locally_hosted": true,
"kms_id": "custom_cks_id",
"cloud_name": "aws",
"aws_param": {
"custom_key_store_name": "cks_name"
},
"local_hosted_params": {
"partition_label": "12345_name",
"partition_id": "12345",
"blocked": true,
"policy": {
"reserved": false
},
"source_container_id": "12345",
"source_container_type": "container_type",
"linked_state": false
}
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Unblock Access to External Custom Key Store
Use POST /v1/cckm/aws/custom-key-stores/{id}/unblock
to restore the ability of AWS KMS to perform encrypt, decrypt, and health requests on an external custom key store.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/<key_store_id>/unblock' -X POST -H 'Authorization: Bearer AUTHTOKEN' -H 'accept: application/json' --compressed
Path Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the key store. This must be the UUID. |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/1234567/unblock' -X POST -H 'Authorization: Bearer AUTHTOKEN' -H 'accept: application/json' --compressed
Example Response
{
"application/json": {
"id": "a9e80f5a-9680-413d-8ec0-c901d3cb04b9",
"uri": "kylo:kylo:cckm:aws_cks:a9e80f5a-9680-413d-8ec0-c901d3cb04b9",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-01-10T03:09:21.716283Z",
"updatedAt": "2022-01-10T03:09:21.714446Z",
"name": "cks_name",
"kms": "aws",
"region": "ap-south-1",
"locally_hosted": true,
"kms_id": "custom_cks_id",
"cloud_name": "aws",
"aws_param": {
"custom_key_store_name": "cks_name"
},
"local_hosted_params": {
"partition_label": "12345_name",
"partition_id": "12345",
"blocked": false,
"policy": {
"reserved": false
},
"source_container_id": "12345",
"source_container_type": "container_type",
"linked_state": false
}
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Connect a Custom Key Store
Use POST /v1/cckm/aws/custom-key-stores/{id}/connect
to connect the AWS custom key store using the AWS KMS API.
Syntax
curl -k 'https://<ciphertrust_fqdn>/api/v1/cckm/aws/custom-key-stores/<key_store_id>/connect' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "key_store_password": "<key_store_password>"\n}' --compressed
Path Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the key store. This must be the UUID. |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
key_store_password | string | The password of the kmsuser crypto user (CU) account configured in the specified CloudHSM cluster. This parameter does not change the password in the CloudHSM cluster; the kmsuser credentials must be configured on the cluster separately. Required for a custom key store of type AWS_CLOUDHSM; omit for external key stores. |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/123567/connect' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "key_store_password": "myPassword"\n}' --compressed
Example Response
{
"application/json": {
"id": "7527884a-6f73-4d4b-8078-64e35640629c",
"uri": "kylo:kylo-6d18dd9a-9302-4605-b19e-2d67eb0956eb:cckm:aws_cks:7527884a-6f73-4d4b-8078-64e35640629c",
"account": "kylo:kylo-6d18dd9a-9302-4605-b19e-2d67eb0956eb:admin:accounts:kylo-6d18dd9a-9302-4605-b19e-2d67eb0956eb",
"createdAt": "2022-07-27T21:12:48.903987Z",
"updatedAt": "2022-07-27T21:12:49.75161Z",
"name": "cks_1",
"kms": "aws",
"region": "us-east-1",
"type": "LOCAL",
"credential_version": 1,
"kms_id": "8aa11278-2547-4a63-b0dd-1e1464e6433c",
"cloud_name": "aws",
"version_count": 0,
"aws_param": {
"custom_key_store_name": "cks_1",
"xks_proxy_uri_endpoint": "https://demo-xksproxy.test.com",
"xks_proxy_uri_path": "/api/v1/cckm/aws/xks-proxy-endpoints/7527884a-6f73-4d4b-8078-64e35640629c/kms/xks/v1",
"custom_key_store_type": "EXTERNAL_KEY_STORE",
"custom_key_store_id": "cks-8a87408fb819ddb94",
"xks_proxy_connectivity": "PUBLIC_ENDPOINT",
"connection_state": "CONNECTED"
},
"local_hosted_params": {
"blocked": false,
"policy": {
"reserved": false
},
"source_container_id": "f152b503-5f01-4735-b1ac-49c3a9734fa7",
"source_container_type": "hsm-luna",
"linked_state": true,
"partition_label": "aws_cm_vpc_par1",
"partition_id": "f152b503-5f01-4735-b1ac-49c3a9734fa7",
"health_check_key_id": "615c1278-cfa4-4f85-8b0a-848dae3cafa2",
"health_check_ciphertext": "UYKUHavXloi8gKcRVFEc5SCLkUS8taf8EjqliRb3xSGUIMz4X2kRv9Qd7yog84IaYDF/SJ6EvMFjxGTCmQcCBFU=",
"max_credentials": 5
}
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Disconnect a Custom Key Store
Use POST /v1/cckm/aws/custom-key-stores/{id}/disconnect
to disconnect the AWS custom key store using the AWS KMS API. While disconnected, AWS KMS cannot use the keys in the key store for cryptographic operations.
Syntax
curl -k 'https://<ciphertrust_fqdn>/api/v1/cckm/aws/custom-key-stores/<key_store_id>/disconnect' -X POST -H 'Authorization: Bearer AUTHTOKEN' -H 'accept: application/json' --compressed
Path Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the key store. This must be the UUID. |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/123567/disconnect' -X POST -H 'Authorization: Bearer AUTHTOKEN' -H 'accept: application/json' --compressed
Example Response
{
"application/json": {
"id": "7527884a-6f73-4d4b-8078-64e35640629c",
"uri": "kylo:kylo-6d18dd9a-9302-4605-b19e-2d67eb0956eb:cckm:aws_cks:7527884a-6f73-4d4b-8078-64e35640629c",
"account": "kylo:kylo-6d18dd9a-9302-4605-b19e-2d67eb0956eb:admin:accounts:kylo-6d18dd9a-9302-4605-b19e-2d67eb0956eb",
"createdAt": "2022-07-27T21:12:48.903987Z",
"updatedAt": "2022-07-27T21:12:49.75161Z",
"name": "cks_1",
"kms": "aws",
"region": "us-east-1",
"type": "LOCAL",
"credential_version": 1,
"kms_id": "8aa11278-2547-4a63-b0dd-1e1464e6433c",
"cloud_name": "aws",
"version_count": 0,
"aws_param": {
"custom_key_store_name": "cks_1",
"xks_proxy_uri_endpoint": "https://demo-xksproxy.test.com",
"xks_proxy_uri_path": "/api/v1/cckm/aws/xks-proxy-endpoints/7527884a-6f73-4d4b-8078-64e35640629c/kms/xks/v1",
"custom_key_store_type": "EXTERNAL_KEY_STORE",
"custom_key_store_id": "cks-8a87408fb819ddb94",
"xks_proxy_connectivity": "PUBLIC_ENDPOINT",
"connection_state": "DISCONNECTED"
},
"local_hosted_params": {
"blocked": false,
"policy": {
"reserved": false
},
"source_container_id": "f152b503-5f01-4735-b1ac-49c3a9734fa7",
"source_container_type": "hsm-luna",
"linked_state": true,
"partition_label": "aws_cm_vpc_par1",
"partition_id": "f152b503-5f01-4735-b1ac-49c3a9734fa7",
"health_check_key_id": "615c1278-cfa4-4f85-8b0a-848dae3cafa2",
"health_check_ciphertext": "UYKUHavXloi8gKcRVFEc5SCLkUS8taf8EjqliRb3xSGUIMz4X2kRv9Qd7yog84IaYDF/SJ6EvMFjxGTCmQcCBFU=",
"max_credentials": 5
}
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Link Local External Custom Key Store
Use POST /v1/cckm/aws/custom-key-stores/{id}/link
to link local custom key store with AWS custom key store. Applicable only to external custom key stores.
Syntax
curl -k 'https://<ciphertrust_fqdn>/api/v1/cckm/aws/custom-key-stores/<key_store_id>/link' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "aws_param": {\n "xks_proxy_uri_endpoint": "<xks_proxy_endpoint>",\n "xks_proxy_vpc_endpoint_service_name": "<vpc_endpoint_service_name>"\n }\n}' --compressed
Path Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the key store. This must be the UUID. |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
aws_param | JSON | Parameters related to AWS interaction with the custom key store. |
AWS Parameters
Parameter | Type | Description |
---|---|---|
xks_proxy_uri_endpoint | string | Required. Indicates the URL endpoint used by the custom key store. |
xks_proxy_vpc_endpoint_service_name | string | Indicates the VPC endpoint service name used by the custom key store. This field is required when the xks_proxy_connectivity of custom key store is VPC_ENDPOINT_SERVICE. |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/123456/link' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "aws_param": {\n "xks_proxy_uri_endpoint": "https://xks.example.com",\n "xks_proxy_vpc_endpoint_service_name": "com.amazonaws.vpce.us-east-1.vpce-svc-03d5ed"\n }\n}' --compressed
Example Response
{
"application/json": {
"id": "a9e80f5a-9680-413d-8ec0-c901d3cb04b9",
"uri": "kylo:kylo:cckm:aws_cks:a9e80f5a-9680-413d-8ec0-c901d3cb04b9",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-01-10T03:09:21.716283Z",
"updatedAt": "2022-01-10T03:09:21.714446Z",
"name": "cks_name_1",
"kms": "aws",
"region": "ap-south-1",
"type": "LOCAL",
"credential_version": 1,
"kms_id": "7f13c680-d050-4eb8-9ab9-ed6e76b730e9",
"cloud_name": "aws",
"version_count": 0,
"aws_param": {
"custom_key_store_name": "cks_name_1",
"xks_proxy_uri_endpoint": "https://dev3-xksproxy.thalescpl.io",
"xks_proxy_vpc_endpoint_service_name": "com.amazonaws.vpce.us-east-1.vpce-svc-03d5ed",
"xks_proxy_uri_path": "/api/v1/cckm/aws/xks-proxy-endpoints/35164f70-2308-4a02-b2ee-436c478beaa1/kms/xks/v1",
"custom_key_store_type": "EXTERNAL_KEY_STORE",
"custom_key_store_id": "cks-007ee1e9c09e6690e",
"xks_proxy_connectivity": "VPC_ENDPOINT_SERVICE",
"connection_state": "CONNECTED"
},
"local_hosted_params": {
"partition_label": "cckm-1608012946",
"partition_id": "80d88390-78bd-40e2-bbac-b1782ed6e456",
"health_check_key_id": "511e1344-ad9f-4ee6-9eb5-df94e3c4a17c",
"health_check_ciphertext": "Dp5Dn3azWYBt5AZaIEqEiEdD53GH0XRMzXoYgRlPEX1Ooq+HjcTp8jTA3H67uNYY4WWPSIMGQfH5CaNqMufSZ5Q=",
"blocked": true,
"policy": {
"reserved": false
},
"source_container_id": "80d88390-78bd-40e2-bbac-b1782ed6e456",
"source_container_type": "hsm-luna",
"linked_state": true,
"max_credentials": 10
}
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Check Health Status of External Custom Key Store
Use POST /v1/cckm/aws/custom-key-stores/{id}/health
to validate whether a custom key store that uses a Luna HSM or a CipherTrust Manager as its key source is available, working, and ready to handle requests. On success this API returns HTTP status code 200 (OK) with no message body.
Note
This API does not require authentication.
Note
This API implements rate limiting. Each CipherTrust Manager node can process up to two requests per second per key store. CCKM returns an error if the request rate exceeds this limit.
Syntax
curl -k 'https://<ciphertrust_fqdn>/api/v1/cckm/aws/custom-key-stores/<key_store_id>/health' -X POST -H 'accept: application/json' --compressed
Path Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the key store. This must be the UUID. |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/e58070c2-d359-484d-a42d-93e6cda8a906/health' -X POST -H 'accept: application/json' --compressed
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Synchronize Custom Key Stores
Use POST /v1/cckm/aws/custom-key-stores/synchronization-jobs
to synchronize custom key stores on CCKM with the corresponding key stores on AWS KMS.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/synchronization-jobs' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "kms": [],\n "synchronize_all": false,\n "regions": []\n}' --compressed
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
kms | array | Name or ID of the KMS resource from which the AWS custom key stores are synchronized. synchronize_all is mutually exclusive with kms and regions: specify either synchronize_all, or kms (optionally with regions). |
regions | array | Regions from which the AWS custom key stores are synchronized. If not specified, custom key stores from all regions are synchronized. synchronize_all is mutually exclusive with kms and regions: specify either synchronize_all, or kms (optionally with regions). |
synchronize_all | boolean | Set to true to synchronize all custom key stores from all KMS resources and regions. synchronize_all is mutually exclusive with kms and regions: specify either synchronize_all, or kms (optionally with regions). |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/synchronization-jobs' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "kms": [],\n "synchronize_all": false,\n "regions": []\n}' --compressed
Example Response
{
"application/json": {
"id": "84980655-f1df-40e1-a2ec-736ac77a7889",
"uri": "kylo:kylo:cckm:synchronize:84980655-f1df-40e1-a2ec-736ac77a7889",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-08-06T09:40:04.915495495Z",
"updatedAt": "2020-08-06T09:40:04.918785299Z",
"overall_status": "in progress",
"cloud": "aws",
"kms": [
"de0b5a77-918a-453e-8675-604133a8984e"
],
"abort": false
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
List the Status of all Synchronization Jobs
Use GET /v1/cckm/aws/custom-key-stores/synchronization-jobs
to return the status of synchronization jobs. The results can be filtered using the query parameters.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/synchronization-jobs?<query_parameters>' -H 'Authorization: Bearer AUTHTOKEN' -H 'accept: application/json' --compressed
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
Query Parameters
Parameter | Type | Description |
---|---|---|
id | string | Filter the results by internal ID of synchronization. |
overall_status | string | Filter results by synchronization overall status. Possible values are in_progress , completed , and failed . |
kms | string | Filter the results by KMS. |
skip | integer | The index of the first resource to return. Equivalent to 'offset' in SQL. |
limit | integer | The max number of resources to return. Equivalent to 'limit' in SQL. |
sort | string | The fields to sort results by. This should be a comma-delimited list of properties. Multiple properties will result in a multi-column sort. Sort order is ascending by default. To have a descending sort for a field, precede the field name with a minus sign ("-"). For example: name,-createdAt will sort the results first by name , ascending, then by createdAt , descending. |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/synchronization-jobs?skip=0&limit=10' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJhMjE5ODNhMS0yOGViLTQxM2UtODMzNy1hOWM2ZTgwZjIxZTciLCJzdWIiOiJsb2NhbHxkMjg1MDRmZC00MmExLTQ2YWUtYmY4Yi1hZDgzOGY2ZjZhNGIiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJkb21haW5fbmFtZSI6InJvb3QiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiMjE1N2M4NWItNTMxOC00MjRhLThhNzItMjk2OGFkMGRmMDU5Iiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6ImZlYjU4NGJlLTY4OWEtNGNhMi04ZWJlLTU3NDM3ZGQ4ZjM5NiIsImlhdCI6MTY2MjU4MDc1MiwiZXhwIjoxNjYyNTgxMDUyfQ.JIyXwfLs_sHVZHry1u2KRPo5pF5079q9S7U-5hOTanA' -H 'accept: application/json' --compressed
Example Response
{
"application/json": {
"skip": 0,
"limit": 10,
"total": 2,
"resources": [
{
"id": "84980655-f1df-40e1-a2ec-736ac77a7889",
"uri": "kylo:kylo:cckm:synchronize:84980655-f1df-40e1-a2ec-736ac77a7889",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-08-06T09:40:04.915495Z",
"updatedAt": "2020-08-06T09:40:33.308945Z",
"overall_status": "in progress",
"detailed_status": {
"123456789012/ap-south-1": "region synchronized successfully",
"123456789012/eu-north-1": "region synchronized successfully",
"123456789012/eu-west-2": "region synchronized successfully",
"123456789012/eu-west-3": "region synchronized successfully"
},
"cloud": "aws",
"kms": [
"de0b5a77-918a-453e-8675-604133a8984e"
],
"abort": false
}
]
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
View Details of a Synchronization Job
Use GET /v1/cckm/aws/custom-key-stores/synchronization-jobs/{id}
to return the details of the synchronization job with the given ID.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/synchronization-jobs/<synchronization_job_id>' -H 'Authorization: Bearer AUTHTOKEN' --compressed
Path Parameter
Parameter | Type | Description |
---|---|---|
id | string | ID of the synchronization job. This must be the UUID. |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/synchronization-jobs/12345' -H 'Authorization: Bearer AUTHTOKEN' -H 'accept: application/json' --compressed
Example Response
{
"application/json": {
"id": "84980655-f1df-40e1-a2ec-736ac77a7889",
"uri": "kylo:kylo:cckm:synchronize:84980655-f1df-40e1-a2ec-736ac77a7889",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-08-06T09:40:04.915495Z",
"updatedAt": "2020-08-06T09:43:31.731954Z",
"overall_status": "in progress",
"detailed_status": {
"123456789012/ap-northeast-1": "region synchronized successfully",
"123456789012/ap-northeast-2": "region synchronized successfully",
"123456789012/ap-south-1": "region synchronized successfully",
"123456789012/ap-southeast-1": "region synchronized successfully",
"123456789012/ap-southeast-2": "region synchronized successfully",
"123456789012/ca-central-1": "region synchronized successfully",
"123456789012/eu-west-2": "region synchronized successfully",
"123456789012/eu-west-3": "region synchronized successfully",
"123456789012/sa-east-1": "region synchronized successfully",
"123456789012/us-east-1": "in progress"
},
"cloud": "aws",
"kms": [
"de0b5a77-918a-453e-8675-604133a8984e"
],
"abort": false
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Cancel a Synchronization Job
Use POST /v1/cckm/aws/custom-key-stores/synchronization-jobs/{id}/cancel
to cancel a synchronization job.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/synchronization-jobs/<synchronization_job_id>/cancel' -X POST -H 'Authorization: Bearer AUTHTOKEN' -H 'accept: application/json' --compressed
Path Parameter
Parameter | Type | Description |
---|---|---|
id | string | ID of the synchronization job. This must be the UUID. |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/synchronization-jobs/123456/cancel' -X POST -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJhMjE5ODNhMS0yOGViLTQxM2UtODMzNy1hOWM2ZTgwZjIxZTciLCJzdWIiOiJsb2NhbHxkMjg1MDRmZC00MmExLTQ2YWUtYmY4Yi1hZDgzOGY2ZjZhNGIiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJkb21haW5fbmFtZSI6InJvb3QiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiMjE1N2M4NWItNTMxOC00MjRhLThhNzItMjk2OGFkMGRmMDU5Iiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6ImZlYjU4NGJlLTY4OWEtNGNhMi04ZWJlLTU3NDM3ZGQ4ZjM5NiIsImlhdCI6MTY2MjU4MDc1MiwiZXhwIjoxNjYyNTgxMDUyfQ.JIyXwfLs_sHVZHry1u2KRPo5pF5079q9S7U-5hOTanA' -H 'accept: application/json' --compressed
Example Response
{
"application/json": {
"id": "e8f2e77d-95e8-46f6-891f-37469da3bf57",
"uri": "kylo:kylo:cckm:synchronize:e8f2e77d-95e8-46f6-891f-37469da3bf57",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-08-06T09:46:06.534541Z",
"updatedAt": "2020-08-06T09:46:25.768957301Z",
"overall_status": "in progress",
"detailed_status": {
"123456789012/eu-north-1": "in progress"
},
"cloud": "aws",
"kms": [
"de0b5a77-918a-453e-8675-604133a8984e"
],
"abort": true
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
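The four synchronization-job endpoints above (create, list, view, cancel) form one workflow: start a job, poll its overall_status until it is completed or failed, read the per-"account/region" entries of detailed_status, and cancel a job that does not finish in time (the cancelled job then reports abort set to true). The following Python is an added example, not CCKM's own client code. It assumes an injected call(method, path, json_body) function that returns the documented "application/json" object, so it can sit on top of any HTTP library; the ScriptedApi class is a constructed stand-in that returns responses modelled on the examples above, and the failure message used in the test is invented to show how an unrecognised status is surfaced rather than miscounted.

```python
import time
from typing import Callable, Dict, Iterable, List, Optional, Tuple

TERMINAL_STATES = {"completed", "failed"}
OK_MESSAGE = "region synchronized successfully"
BASE = "/v1/cckm/aws/custom-key-stores/synchronization-jobs"


def summarize_detailed_status(detailed: Dict[str, str]) -> Dict[str, List[str]]:
    """Group the 'account/region' entries of detailed_status by outcome.
    Messages other than the two documented ones are surfaced under 'other'
    with their text, so an unexpected failure is never counted as success."""
    out: Dict[str, List[str]] = {"ok": [], "in_progress": [], "other": []}
    for scope, message in sorted(detailed.items()):
        if message == OK_MESSAGE:
            out["ok"].append(scope)
        elif message == "in progress":
            out["in_progress"].append(scope)
        else:
            out["other"].append(f"{scope}: {message}")
    return out


class SyncJobs:
    """Client for the synchronization-jobs endpoints. `call` is injected:
    call(method, path, json_body) -> the documented 'application/json' object,
    so the class can be driven by any HTTP library or, as below, a fake."""

    def __init__(self, call: Callable[[str, str, Optional[dict]], dict]):
        self.call = call

    def start(self, kms: Iterable[str] = (), regions: Iterable[str] = (),
              synchronize_all: bool = False) -> str:
        """Create a job and return its ID, enforcing the documented exclusivity."""
        kms, regions = list(kms), list(regions)
        if synchronize_all and (kms or regions):
            raise ValueError("synchronize_all is mutually exclusive with kms/regions")
        body = {"kms": kms, "regions": regions, "synchronize_all": synchronize_all}
        return self.call("POST", BASE, body)["id"]

    def status(self, job_id: str) -> dict:
        return self.call("GET", f"{BASE}/{job_id}", None)

    def cancel(self, job_id: str) -> bool:
        """Request cancellation; the job reports abort=true while it winds down."""
        return bool(self.call("POST", f"{BASE}/{job_id}/cancel", None).get("abort"))

    def wait(self, job_id: str, max_polls: int, interval_s: float = 0.0
             ) -> Tuple[str, Dict[str, List[str]]]:
        """Poll until overall_status is terminal. If the budget of polls runs
        out, cancel the job and report 'cancelled' with the last known detail."""
        last: dict = {}
        for attempt in range(max_polls):
            if attempt and interval_s > 0:
                time.sleep(interval_s)
            last = self.status(job_id)
            if last.get("overall_status") in TERMINAL_STATES:
                return last["overall_status"], summarize_detailed_status(last.get("detailed_status", {}))
        self.cancel(job_id)
        return "cancelled", summarize_detailed_status(last.get("detailed_status", {}))


class ScriptedApi:
    """Constructed stand-in for the CCKM HTTP layer: answers POST with a job
    record modelled on the example response, answers GET with the next canned
    status (repeating the last one), and records every call."""

    def __init__(self, statuses: List[dict]):
        self.statuses = list(statuses)
        self.calls: List[Tuple[str, str]] = []
        self.aborted = False

    def __call__(self, method: str, path: str, body: Optional[dict]) -> dict:
        self.calls.append((method, path))
        if path.endswith("/cancel"):
            self.aborted = True
            return {"id": "job-1", "overall_status": "in progress", "abort": True}
        if method == "POST":
            return {"id": "job-1", "overall_status": "in progress", "abort": False}
        return self.statuses.pop(0) if len(self.statuses) > 1 else self.statuses[0]


if __name__ == "__main__":
    api = ScriptedApi([
        {"overall_status": "in progress",
         "detailed_status": {"123456789012/ap-south-1": OK_MESSAGE, "123456789012/us-east-1": "in progress"}},
        {"overall_status": "completed",
         "detailed_status": {"123456789012/ap-south-1": OK_MESSAGE, "123456789012/us-east-1": OK_MESSAGE}},
    ])
    jobs = SyncJobs(api)
    job_id = jobs.start(kms=["de0b5a77-918a-453e-8675-604133a8984e"])
    print(jobs.wait(job_id, max_polls=10))
```

Against a live CipherTrust Manager, pass a call function that adds the Authorization header and unwraps the JSON body, and give wait a non-zero interval_s so the poll loop does not hammer the API.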
Create Credential for an External Custom Key Store
Use POST /v1/cckm/aws/custom-key-stores/{id}/credentials
to create a credential for the external custom key store. You must upload the returned access_key_id and secret_access_key to the corresponding key store in AWS KMS.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/<key_store_id>/credentials' -X POST -H 'Authorization: Bearer AUTHTOKEN' -H 'accept: application/json' --compressed
Path Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the key store. This must be the UUID. |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/1234567/credentials' -X POST -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI4Yzg4ZDY2Mi1mZDQ5LTQwM2QtOGFmMC0zYjljNGM0ZWNmNDMiLCJzdWIiOiJsb2NhbHxmYTEzYzU2Ny04NWQ4LTRiM2QtYWQ1OS1lNzMyOWZjMjNjOTQiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiYTA0ZTMyMWYtNzI3Zi00YTFjLWI1ZGUtMWUzMjIyMjJkY2IyIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjQ3OWFiNzU1LTVjZGYtNGQ0Yy04ZmU2LWY2YTBiMDkzNjEzNCIsImlhdCI6MTY1MDY0MTEyNCwiZXhwIjoxNjUwNjQxNDI0fQ.agZ3vPoi624xVX61BLaZpbBAGRZN4PHEXJYRXR-oETY' -H 'accept: application/json' --compressed
Example Response
{
"application/json": {
"id": "4b7dcd7e-47a9-4234-8905-e1b7eb850fd5",
"uri": "kylo:kylo:cckm:aws_cks_credentials:4b7dcd7e-47a9-4234-8905-e1b7eb850fd5",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2021-12-23T16:25:49.463282986Z",
"updatedAt": "2021-12-23T16:25:49.460296196Z",
"custom_key_store_id": "40d4d382-97ca-4974-86e3-631ccd9ff364",
"version": 1,
"access_key_id": "generated_access_id",
"cloud_name": "aws"
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
List Credentials for an External Custom Key Store
Use GET /v1/cckm/aws/custom-key-stores/{id}/credentials to list the credentials associated with a specified external custom key store.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/<key_store_id>/credentials?<query_parameters>' -H 'Authorization: Bearer AUTHTOKEN' -H 'accept: application/json' --compressed
Path Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the key store. This must be the UUID. |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
Request Query Parameters
Parameter | Type | Description |
---|---|---|
access_key_id | string | filter by the access key id. |
skip | integer | The index of the first resource to return. Equivalent to 'offset' in SQL. |
limit | integer | The max number of resources to return. Equivalent to 'limit' in SQL. |
sort | string | The fields to sort results by. This should be a comma-delimited list of properties. Multiple properties will result in a multi-column sort. Sort order is ascending by default. To have a descending sort for a field, precede the field name with a minus sign ("-"). For example: name,-createdAt will sort the results first by name, ascending, then by createdAt, descending. |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/1234567/credentials?skip=0&limit=10&sort=updatedAt' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.Y9ekMDlzrGczHuDkCi3qxZUTw_1uSzWTDQq-D7ILw2Y' -H 'accept: application/json' --compressed
Example Response
{
"application/json": {
"skip": 0,
"limit": 10,
"total": 1,
"resources": [
{
"id": "4b7dcd7e-47a9-4234-8905-e1b7eb850fd5",
"uri": "kylo:kylo:cckm:aws_cks_credentials:4b7dcd7e-47a9-4234-8905-e1b7eb850fd5",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2021-12-23T16:25:49.463283Z",
"updatedAt": "2021-12-23T16:25:49.460296Z",
"custom_key_store_id": "40d4d382-97ca-4974-86e3-631ccd9ff364",
"access_key_id": "generated_access_id",
"secret_access_key_id": "id_of_generated_secret_key",
"cloud_name": "aws"
}
]
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
View Details of a Credential for an External Custom Key Store
Use GET /v1/cckm/aws/custom-key-stores/{customKeyStoreID}/credentials/{id} to view details of a given credential for a given external custom key store.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/<key_store_id>/credentials/<credential_id>' -H 'Authorization: Bearer AUTHTOKEN' --compressed
Path Parameters
Parameter | Type | Description |
---|---|---|
customKeyStoreID | string | ID of the key store. This must be the UUID. |
id | string | ID of the credential. |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/1234567/credentials/123456' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.IuQUd-4Lhu3BvnccvBJq873yCdwL6Y7YQv8_s8VzdwY' -H 'accept: application/json' --compressed
Example Response
{
"application/json": {
"id": "4b7dcd7e-47a9-4234-8905-e1b7eb850fd5",
"uri": "kylo:kylo:cckm:aws_cks_credentials:4b7dcd7e-47a9-4234-8905-e1b7eb850fd5",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2021-12-23T16:25:49.463283Z",
"updatedAt": "2021-12-23T16:25:49.460296Z",
"custom_key_store_id": "40d4d382-97ca-4974-86e3-631ccd9ff364",
"version": 1,
"access_key_id": "generated_access_id",
"cloud_name": "aws"
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Delete a Credential for an External Custom Key Store
Use DELETE /v1/cckm/aws/custom-key-stores/{customKeyStoreID}/credentials/{id} to delete a given credential for a given external custom key store.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/<key_store_id>/credentials/<credential_id>' -X DELETE -H 'Authorization: Bearer AUTHTOKEN' --compressed
Path Parameters
Parameter | Type | Description |
---|---|---|
customKeyStoreID | string | ID of the key store. This must be the UUID. |
id | string | ID of the credential. |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/1234567/credentials/123456' -X DELETE -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI4Yzg4ZDY2Mi1mZDQ5LTQwM2QtOGFmMC0zYjljNGM0ZWNmNDMiLCJzdWIiOiJsb2NhbHxmYTEzYzU2Ny04NWQ4LTRiM2QtYWQ1OS1lNzMyOWZjMjNjOTQiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiOWI5YjM3YTItNWMxMy00ZmZmLWJlNzQtMThjOTI0NDc1YTFiIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjNlNDNmYWQ5LTdkNjgtNDI1NS1iMzc3LWU4ZGUyYWY2OTc3YyIsImlhdCI6MTY1MTA5MjA4NCwiZXhwIjoxNjUxMDkyMzg0fQ.9KlwSpuGOZ-CThV4qUGAmoM09c-Xf324PNGdmTPxzNo' -H 'accept: application/json' --compressed
Example Response
{
"status": 204
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Rotate Credential for an External Custom Key Store
Use POST /v1/cckm/aws/custom-key-stores/{id}/rotate-credential to rotate the credential for the specified external custom key store. This API is only applicable to a custom key store of type EXTERNAL_KEY_STORE. For a linked key store, the rotated (new) credential is updated in AWS KMS automatically. All credentials (new and old) associated with the key store continue to work until they are deleted.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/<key_store_id>/rotate-credential' -X POST -H 'Authorization: Bearer AUTHTOKEN' -H 'accept: application/json' --compressed
Path Parameter
Parameter | Type | Description |
---|---|---|
id | string | ID of the key store. This must be the UUID. |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
Example Request
curl -k 'https://ciphertrust.my.company.com/api/v1/cckm/aws/custom-key-stores/1234567/rotate-credential' -X POST -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.mjJp45ySM1W1Xy6ZhILdQO5uXQ9UT0Xo9J5yc-9Ej0o' -H 'accept: application/json' --compressed
Example Response
{
"application/json": {
"id": "7527884a-6f73-4d4b-8078-64e35640629c",
"uri": "kylo:kylo-6d18dd9a-9302-4605-b19e-2d67eb0956eb:cckm:aws_cks:7527884a-6f73-4d4b-8078-64e35640629c",
"account": "kylo:kylo-6d18dd9a-9302-4605-b19e-2d67eb0956eb:admin:accounts:kylo-6d18dd9a-9302-4605-b19e-2d67eb0956eb",
"createdAt": "2022-07-27T21:12:48.903987Z",
"updatedAt": "2022-07-27T21:12:49.75161Z",
"name": "cks_1",
"kms": "aws_acc",
"region": "us-east-1",
"type": "LOCAL",
"credential_version": 1,
"kms_id": "8aa11278-2547-4a63-b0dd-1e1464e6433c",
"cloud_name": "aws",
"version_count": 0,
"aws_param": {
"custom_key_store_name": "cks_1",
"xks_proxy_uri_endpoint": "https://demo-xksproxy.test.com",
"xks_proxy_uri_path": "/api/v1/cckm/aws/xks-proxy-endpoints/7527884a-6f73-4d4b-8078-64e35640629c/kms/xks/v1",
"custom_key_store_type": "EXTERNAL_KEY_STORE",
"custom_key_store_id": "cks-8a87408fb819ddb94",
"xks_proxy_connectivity": "PUBLIC_ENDPOINT",
"connection_state": "DISCONNECTED"
},
"local_hosted_params": {
"blocked": false,
"policy": {
"reserved": false
},
"source_container_id": "f152b503-5f01-4735-b1ac-49c3a9734fa7",
"source_container_type": "hsm-luna",
"linked_state": true,
"partition_label": "aws_cm_vpc_par1",
"partition_id": "f152b503-5f01-4735-b1ac-49c3a9734fa7",
"health_check_key_id": "615c1278-cfa4-4f85-8b0a-848dae3cafa2",
"health_check_ciphertext": "UYKUHavXloi8gKcRVFEc5SCLkUS8taf8EjqliRb3xSGUIMz4X2kRv9Qd7yog84IaYDF/SJ6EvMFjxGTCmQcCBFU=",
"max_credentials": 5
},
"access_key_id": "52EKEOV2JFCCNVSYRIV2",
"secret_access_key": "dc00ea89acd936f72409483623bb9f463662ec699d4cb34b01f20ef8ee1218fa",
"credential_count": 2,
"oldest_credentials_id": "8ceeb249-47cb-4f9a-bdaf-bd5de59c3174"
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
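The credential endpoints above (list with skip/limit/sort, delete, and rotate) combine into one maintenance routine. The following is an added example, not code from the CipherTrust documentation or product. It assumes a transport object with a `request(method, path, params)` method returning `(status, body)`; a real one would send the Bearer AUTHTOKEN over HTTPS, and the constructed `FakeCckm` class stands in for the server so the code runs offline. Because every credential stays valid until it is deleted, the routine rotates first, leaves the previous credential alive while AWS KMS takes the new one, and only then retires the oldest credentials, staying under the store's `max_credentials` cap. `apply_sort` implements the documented `sort` semantics (comma-delimited keys, leading `-` for descending) so the fake server pages the same way the real one is described to.

```python
"""Credential hygiene for a CCKM external custom key store.
Added example, not part of the CipherTrust documentation or product. It drives
three endpoints from this page: POST .../rotate-credential, GET .../credentials
(skip/limit/sort) and DELETE .../credentials/{id}. Every credential keeps
working until deleted, so: rotate, leave the previous credential alive while
AWS KMS takes the new one, then retire the oldest. The transport interface
(request(method, path, params) -> (status, body)) and FakeCckm are assumptions.
"""
from dataclasses import dataclass, field

BASE = "/api/v1/cckm/aws/custom-key-stores"


def list_credentials(t, ks_id, page=10):
    """Collect every credential, newest first, walking skip/limit pages."""
    rows, skip = [], 0
    while True:
        status, body = t.request("GET", f"{BASE}/{ks_id}/credentials",
                                 {"skip": skip, "limit": page, "sort": "-createdAt"})
        if status != 200:
            raise RuntimeError(f"list credentials failed: HTTP {status}")
        rows.extend(body["resources"])
        skip += page
        if not body["resources"] or skip >= body["total"]:
            return rows


def rotate_credential(t, ks_id):
    """POST rotate-credential; the returned key store document carries the new pair."""
    status, body = t.request("POST", f"{BASE}/{ks_id}/rotate-credential")
    if status != 200:
        raise RuntimeError(f"rotate failed: HTTP {status}")
    return body


def retire_old_credentials(t, ks_id, keep):
    """Delete all but the `keep` newest credentials; return the deleted ids."""
    deleted = []
    for cred in list_credentials(t, ks_id)[keep:]:
        status, _ = t.request("DELETE", f"{BASE}/{ks_id}/credentials/{cred['id']}")
        if status != 204:
            raise RuntimeError(f"delete {cred['id']} failed: HTTP {status}")
        deleted.append(cred["id"])
    return deleted


def rotate_and_prune(t, ks_id, keep=2, max_credentials=5):
    """Rotate without hitting the store's max_credentials cap, then prune. keep >= 2
    leaves the previous credential valid while AWS KMS is updated (automatic for a
    linked store, manual upload of access_key_id/secret_access_key otherwise)."""
    deleted = []
    if len(list_credentials(t, ks_id)) >= max_credentials:
        deleted += retire_old_credentials(t, ks_id, max_credentials - 1)
    new = rotate_credential(t, ks_id)
    deleted += retire_old_credentials(t, ks_id, keep)
    return {"new_access_key_id": new["access_key_id"],
            "new_secret_access_key": new["secret_access_key"],
            "deleted": deleted,
            "remaining": [c["id"] for c in list_credentials(t, ks_id)]}


def apply_sort(rows, spec):
    """Documented `sort` semantics: comma-separated keys, a leading '-' means
    descending. A stable sort applied last key first yields multi-column order."""
    for key in reversed(spec.split(",")):
        rows = sorted(rows, key=lambda r: r[key.lstrip("-")], reverse=key.startswith("-"))
    return rows


@dataclass
class FakeCckm:
    """Constructed in-memory stand-in for the three endpoints used above."""
    creds: list = field(default_factory=list)
    version: int = 0

    def add_credential(self):
        self.version += 1
        cred = {"id": f"cred-{self.version:04d}", "access_key_id": f"AKID{self.version:04d}",
                "createdAt": f"2023-05-10T18:{self.version:02d}:00Z", "version": self.version}
        self.creds.append(cred)
        return cred

    def request(self, method, path, params=None):
        parts = path.split("/")
        if method == "POST" and parts[-1] == "rotate-credential":
            cred = self.add_credential()
            return 200, {"access_key_id": cred["access_key_id"],
                         "secret_access_key": f"secret-for-{cred['id']}",
                         "credential_count": len(self.creds),
                         "oldest_credentials_id": self.creds[0]["id"]}
        if method == "GET" and parts[-1] == "credentials":
            p = params or {}
            rows = apply_sort(self.creds, p.get("sort", "createdAt"))
            skip, limit = int(p.get("skip", 0)), int(p.get("limit", 10))
            return 200, {"skip": skip, "limit": limit, "total": len(rows),
                         "resources": rows[skip:skip + limit]}
        if method == "DELETE" and parts[-2] == "credentials":
            kept = [c for c in self.creds if c["id"] != parts[-1]]
            found, self.creds = len(kept) < len(self.creds), kept
            return (204, {}) if found else (404, {})
        return 404, {}
```

To run this against a real CipherTrust Manager, replace `FakeCckm` with a transport that sends the requests with the `Authorization: Bearer AUTHTOKEN` header; unlike the `curl -k` examples on this page, it should verify the server certificate, since the response carries a fresh `secret_access_key`. For an unlinked store, the caller must upload the returned pair to AWS KMS before the second pruning step runs.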
Enable Auto Rotation of Credential for an External Custom Key Store
Use POST /v1/cckm/aws/custom-key-stores/{id}/enable-credential-rotation-job to enable auto rotation of the credential for the specified external custom key store using the associated scheduler ID. This API is only applicable to a custom key store of type EXTERNAL_KEY_STORE. The key store must also be in a linked state, which allows the auto-rotated (new) credentials to be updated in AWS KMS. All credentials (new and old) associated with the key store continue to work until they are deleted.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/<key_store_id>/enable-credential-rotation-job' -X POST -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "job_config_id": "ID of scheduler job"\n}' --compressed
Path Parameter
Parameter | Type | Description |
---|---|---|
key_store_id | string | ID of the key store. This must be the UUID. |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
job_config_id | string | ID of the scheduler job that will perform the credentials rotation. |
Example Request
curl -k 'https://aws-xks-test.thalescpl.io/api/v1/cckm/aws/custom-key-stores/b5b7d549-b3d8-40e4-bfaa-58bebab31438/enable-credential-rotation-job' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.xtMLcGf__9cM0d2EAPYaBOcGDIQIvrRuEt-QevwPAbM' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "job_config_id": "ff29eeec-82bf-4e15-81bb-ef7c43099203"\n}' --compressed
Example Response
{
"application/json": {
"id": "b5b7d549-b3d8-40e4-bfaa-58bebab31438",
"uri": "kylo:kylo:cckm:aws_cks:b5b7d549-b3d8-40e4-bfaa-58bebab31438",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2023-05-10T18:49:58.08837Z",
"labels": {
"job_config_id": "ff29eeec-82bf-4e15-81bb-ef7c43099203"
},
"updatedAt": "2023-05-10T18:51:14.346451Z",
"name": "test_keystore_2",
"kms": "AWS_KMS",
"region": "eu-west-3",
"type": "LOCAL",
"credential_version": 1,
"kms_id": "118844e7-2e53-43ed-b53e-567118a324e4",
"cloud_name": "aws",
"version_count": 0,
"aws_param": {
"custom_key_store_name": "test_keystore_2",
"xks_proxy_uri_endpoint": "https://aws-xks-test.thalescpl.io",
"xks_proxy_uri_path": "/api/v1/cckm/aws/xks-proxy-endpoints/b5b7d549-b3d8-40e4-bfaa-58bebab31438/kms/xks/v1",
"custom_key_store_type": "EXTERNAL_KEY_STORE",
"custom_key_store_id": "cks-193035a77a8239d6a",
"xks_proxy_connectivity": "PUBLIC_ENDPOINT",
"connection_state": "DISCONNECTED"
},
"local_hosted_params": {
"blocked": false,
"policy": {
"reserved": true
},
"source_container_type": "local",
"linked_state": true,
"health_check_key_id": "f1da90038f16465aa64345394864776543229c19156b405083724b1945ed3fcb",
"health_check_ciphertext": "fe6ad170985d3486dbb4946e159534433b19327c8f5d1859246ec84dafc366e0c6d6a59b9c4a252ad9c12480532928d259b29897b03ba3bf0331cef6a59e7b634e32bafe0c170e07",
"max_credentials": 20,
"source_key_tier": "local",
"mtls_enabled": false
},
"gone": false,
"enable_success_audit_event": true
}
}
The sample output shows that the custom key store with the ID b5b7d549-b3d8-40e4-bfaa-58bebab31438 has been enabled for auto rotation using the scheduler job with ID ff29eeec-82bf-4e15-81bb-ef7c43099203. Note that the labels and job_config_id parameters are included in the output. These parameters indicate that auto rotation of the credential is enabled.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Disable Auto Rotation of Credential for an External Custom Key Store
Use POST /v1/cckm/aws/custom-key-stores/{id}/disable-credential-rotation-job to disable auto rotation of the credential for the specified external custom key store. This API is only applicable to a custom key store of type EXTERNAL_KEY_STORE. The key store must also be in a linked state.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/<key_store_id>/disable-credential-rotation-job' -X POST -H 'Authorization: Bearer AUTHTOKEN' -H 'accept: application/json' --compressed
Path Parameter
Parameter | Type | Description |
---|---|---|
key_store_id | string | ID of the key store. This must be the UUID. |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
Example Request
curl -k 'https://aws-xks-test.thalescpl.io/api/v1/cckm/aws/custom-key-stores/b5b7d549-b3d8-40e4-bfaa-58bebab31438/disable-credential-rotation-job' -X POST -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.xtMLcGf__9cM0d2EAPYaBOcGDIQIvrRuEt-QevwPAbM' -H 'accept: application/json' --compressed
Example Response
{
"application/json": {
"id": "b5b7d549-b3d8-40e4-bfaa-58bebab31438",
"uri": "kylo:kylo:cckm:aws_cks:b5b7d549-b3d8-40e4-bfaa-58bebab31438",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2023-05-10T18:49:58.08837Z",
"updatedAt": "2023-05-10T18:52:13.207313Z",
"name": "test_keystore_2",
"kms": "AWS_KMS",
"region": "eu-west-3",
"type": "LOCAL",
"credential_version": 1,
"kms_id": "118844e7-2e53-43ed-b53e-567118a324e4",
"cloud_name": "aws",
"version_count": 0,
"aws_param": {
"custom_key_store_name": "test_keystore_2",
"xks_proxy_uri_endpoint": "https://aws-xks-test.thalescpl.io",
"xks_proxy_uri_path": "/api/v1/cckm/aws/xks-proxy-endpoints/b5b7d549-b3d8-40e4-bfaa-58bebab31438/kms/xks/v1",
"custom_key_store_type": "EXTERNAL_KEY_STORE",
"custom_key_store_id": "cks-193035a77a8239d6a",
"xks_proxy_connectivity": "PUBLIC_ENDPOINT",
"connection_state": "DISCONNECTED"
},
"local_hosted_params": {
"blocked": false,
"policy": {
"reserved": true
},
"source_container_type": "local",
"linked_state": true,
"health_check_key_id": "f1da90038f16465aa64345394864776543229c19156b405083724b1945ed3fcb",
"health_check_ciphertext": "fe6ad170985d3486dbb4946e159534433b19327c8f5d1859246ec84dafc366e0c6d6a59b9c4a252ad9c12480532928d259b29897b03ba3bf0331cef6a59e7b634e32bafe0c170e07",
"max_credentials": 20,
"source_key_tier": "local",
"mtls_enabled": false
},
"gone": false,
"enable_success_audit_event": true
}
}
The sample output shows that auto rotation of the credential associated with the custom key store with the ID b5b7d549-b3d8-40e4-bfaa-58bebab31438 has been disabled. Note that the labels and job_config_id parameters are no longer included in the output. These parameters are included in the output of the enable-credential-rotation-job API; their absence from the output indicates that auto rotation of the credential is disabled.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
List Unused AWS CloudHSM Clusters
Use POST /v1/cckm/aws/custom-key-stores/get-unused-cloudhsm-clusters to list CloudHSM clusters in the specified region that are not already associated with a CloudHSM key store.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/get-unused-cloudhsm-clusters' -X POST -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "kms": "<kms_id>",\n "region": "<aws_region>"\n}' --compressed
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
kms | string | Name or ID of KMS resource from which the AWS CloudHSM clusters will be retrieved. |
region | string | AWS region from which the AWS CloudHSM clusters will be retrieved. |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/get-unused-cloudhsm-clusters' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.tFKzjQYare-cQ0FQ7rTMyolVRsDU1SPuvw7AQfI4WR8' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "kms": "eab80374-04c2-468a-b732-ce90596f6db0",\n "region": "us-west-1"\n}' --compressed
Example Response
{
"application/json": {
"total": 2,
"detailed_status": "Unused CloudHSM cluster(s) found",
"resources": [
{
"BackupPolicy": "DEFAULT",
"BackupRetentionPolicy": {
"Type": "DAYS",
"Value": "45"
},
"Certificates": {
"AwsHardwareCertificate": null,
"ClusterCertificate": "-----BEGIN CERTIFICATE-----\nMIIEczCCAlsCCQCkL360L0D8ODANBgkqhkiG9w0BAQsFADBsMQswCQYDVQQGEwJD\nQTELMAkGA1UECAwCUUMxETAPBgNVBAcMCE1vbnRyZWFsMRAwDgYDVQQKDAdHZW1h\nbHRvMQ0wCwYDVQQLDARJRFNTMRwwGgYDVQQDDBNUZXN0Q2xvdWRIU01DbHVzdGVy\nMB4XDTE4MDMwODIyMjMzNloXDTI4MDMwNzIyMjMzNlowgYoxRDAJBgNVBAYTAlVT\nMAkGA1UECAwCQ0EwDQYDVQQKDAZDYXZpdW0wDQYDVQQLDAZOM0ZJUFMwDgYDVQQH\nDAdTYW5Kb3NlMUIwQAYDVQQDDDlIU006ODYxNkE0MkY4Q0M5NEZEQkJGNTY5Q0ZE\nNkM1NUVCOlBBUlROOjgsIGZvciBGSVBTIG1vZGUwggEiMA0GCSqGSIb3DQEBAQUA\nA4IBDwAwggEKAoIBAQC6BOMjF7WK0M2hD6WbkW1qPkizTbF1+iAcZAjBTKn6DaFb\nY5fFl3vl52yRno66vWSMxnjcKxyDGBZ5mm+/cmk4sHgpCYnUKQ5hNy/aQP1ZM8IW\n5lYVqBRuqdhTFkEfYctuxjueiyyRU0rpUNWqEbFQO2h9MOtqI2qkogU9yzWASB6l\nekr/zAwl9qx6EEFW/B/VkN/v3a3CHqdYKu0ANDlNSI8481MQF29WtAmyCy6mUdIa\nRO/S/BcBxnIns+nTpvsd7EGtZ+TUPou+qbxgLQW0JOxg6kkUzS0SE370dtiqt0G3\nhjzpMF6fGo5Lz4Xhu4N6EgA/Q6zd0f9ZKjOIdI/xAgMBAAEwDQYJKoZIhvcNAQEL\nBQADggIBALbJkWPp4w+NjAc9b54I76gEE9Lb8y/oO6mk5yQo2nrvCYFqYcCjjD9G\ncQW7KmK300UuUVTTnfjEh4Txjdp4iy46GFBL5+Kn6p6Q6TMWU6CzCtDdWoNcbK+w\nofjotWtCe83NDfCJb0EBSZ8uvq12c7EczoCcyJVvaamRzmVG3f+h2qLgazudkY9s\nwYFNMzhXaw4z8FJpzEtC4QmmRV4zjZJYmA6Wzz9N0Rr8GhaVGAhM6rV8EvFP0Y8N\nz6W7/hQ8gmek8Ts+u7YMY0HWU6jY6jndnIoXGeBbVnYn04P6eJiSORhmz1ZF5YSC\nwMAUW+w6kkdItgSuHgLRzAPeJoxxlIjkQAOeHLF4WQCc2oaahtnbYZUgt5ADQmlS\nywu3qFCsheZiG5nMPQJu6zrVk1mLArGWXfXJZ7myZjZKKoXl3g/mTz1tqLj/CIl8\nZWYHyBrdLKNI9t3hTHAKtCD5S5LoOFkFHvVw6uZ5wwW5WyBvG5NFJr42Y0egK85L\n97q2avnfH4VuqN1MwhohcfC+E8tsbcE1n74rpoTNoDoOG1kLWWBu2QflIHW+zJMI\nC5uOK6QKckNiMdwsn1olbCABDPCuWXYCFF6qh252QDJGiHf94hKoelOjtujyT1cC\nlNJao5IdI6KtCoMcvHBBeioODUHQKi1MwCq3nCq/FyKh67qPobaA\n-----END CERTIFICATE-----\n",
"ClusterCsr": null,
"HsmCertificate": null,
"ManufacturerHardwareCertificate": null
},
"ClusterId": "cluster-7rq2hgwvl5o",
"CreateTimestamp": "2021-08-04T18:46:37.841Z",
"HsmType": "hsm1.medium",
"Hsms": [],
"PreCoPassword": null,
"SecurityGroup": "sg-01cd078a29065ebc0",
"SourceBackupId": "backup-tecrwims3np",
"State": "ACTIVE",
"StateMessage": null,
"SubnetMapping": {
"us-east-1a": "subnet-8e7983f9",
"us-east-1b": "subnet-8842a6d1",
"us-east-1d": "subnet-6d565145"
},
"TagList": [
{
"Key": "customer-issue",
"Value": "first-republic"
}
],
"VpcId": "vpc-4dc16428"
},
{
"BackupPolicy": "DEFAULT",
"BackupRetentionPolicy": {
"Type": "DAYS",
"Value": "1075"
},
"Certificates": {
"AwsHardwareCertificate": null,
"ClusterCertificate": "-----BEGIN CERTIFICATE-----\nMIIEczCCAlsCCQCkL360L0D8ODANBgkqhkiG9w0BAQsFADBsMQswCQYDVQQGEwJD\nQTELMAkGA1UECAwCUUMxETAPBgNVBAcMCE1vbnRyZWFsMRAwDgYDVQQKDAdHZW1h\nbHRvMQ0wCwYDVQQLDARJRFNTMRwwGgYDVQQDDBNUZXN0Q2xvdWRIU01DbHVzdGVy\nMB4XDTE4MDMwODIyMjMzNloXDTI4MDMwNzIyMjMzNlowgYoxRDAJBgNVBAYTAlVT\nMAkGA1UECAwCQ0EwDQYDVQQKDAZDYXZpdW0wDQYDVQQLDAZOM0ZJUFMwDgYDVQQH\nDAdTYW5Kb3NlMUIwQAYDVQQDDDlIU006ODYxNkE0MkY4Q0M5NEZEQkJGNTY5Q0ZE\nNkM1NUVCOlBBUlROOjgsIGZvciBGSVBTIG1vZGUwggEiMA0GCSqGSIb3DQEBAQUA\nA4IBDwAwggEKAoIBAQC6BOMjF7WK0M2hD6WbkW1qPkizTbF1+iAcZAjBTKn6DaFb\nY5fFl3vl52yRno66vWSMxnjcKxyDGBZ5mm+/cmk4sHgpCYnUKQ5hNy/aQP1ZM8IW\n5lYVqBRuqdhTFkEfYctuxjueiyyRU0rpUNWqEbFQO2h9MOtqI2qkogU9yzWASB6l\nekr/zAwl9qx6EEFW/B/VkN/v3a3CHqdYKu0ANDlNSI8481MQF29WtAmyCy6mUdIa\nRO/S/BcBxnIns+nTpvsd7EGtZ+TUPou+qbxgLQW0JOxg6kkUzS0SE370dtiqt0G3\nhjzpMF6fGo5Lz4Xhu4N6EgA/Q6zd0f9ZKjOIdI/xAgMBAAEwDQYJKoZIhvcNAQEL\nBQADggIBALbJkWPp4w+NjAc9b54I76gEE9Lb8y/oO6mk5yQo2nrvCYFqYcCjjD9G\ncQW7KmK300UuUVTTnfjEh4Txjdp4iy46GFBL5+Kn6p6Q6TMWU6CzCtDdWoNcbK+w\nofjotWtCe83NDfCJb0EBSZ8uvq12c7EczoCcyJVvaamRzmVG3f+h2qLgazudkY9s\nwYFNMzhXaw4z8FJpzEtC4QmmRV4zjZJYmA6Wzz9N0Rr8GhaVGAhM6rV8EvFP0Y8N\nz6W7/hQ8gmek8Ts+u7YMY0HWU6jY6jndnIoXGeBbVnYn04P6eJiSORhmz1ZF5YSC\nwMAUW+w6kkdItgSuHgLRzAPeJoxxlIjkQAOeHLF4WQCc2oaahtnbYZUgt5ADQmlS\nywu3qFCsheZiG5nMPQJu6zrVk1mLArGWXfXJZ7myZjZKKoXl3g/mTz1tqLj/CIl8\nZWYHyBrdLKNI9t3hTHAKtCD5S5LoOFkFHvVw6uZ5wwW5WyBvG5NFJr42Y0egK85L\n97q2avnfH4VuqN1MwhohcfC+E8tsbcE1n74rpoTNoDoOG1kLWWBu2QflIHW+zJMI\nC5uOK6QKckNiMdwsn1olbCABDPCuWXYCFF6qh252QDJGiHf94hKoelOjtujyT1cC\nlNJao5IdI6KtCoMcvHBBeioODUHQKi1MwCq3nCq/FyKh67qPobaA\n-----END CERTIFICATE-----\n",
"ClusterCsr": null,
"HsmCertificate": null,
"ManufacturerHardwareCertificate": null
},
"ClusterId": "cluster-d5v3afg4pk2",
"CreateTimestamp": "2018-03-08T19:39:30.009Z",
"HsmType": "hsm1.medium",
"Hsms": [
{
"AvailabilityZone": "us-east-1b",
"ClusterId": "cluster-d5v3afg4pk2",
"EniId": "eni-9343f242",
"EniIp": "172.30.1.120",
"HsmId": "hsm-fs4hvzzrnjx",
"State": "ACTIVE",
"StateMessage": "HSM created.",
"SubnetId": "subnet-8842a6d1"
}
],
"PreCoPassword": null,
"SecurityGroup": "sg-5a43e82c",
"SourceBackupId": null,
"State": "ACTIVE",
"StateMessage": null,
"SubnetMapping": {
"us-east-1a": "subnet-8e7983f9",
"us-east-1b": "subnet-8842a6d1",
"us-east-1d": "subnet-6d565145"
},
"TagList": [],
"VpcId": "vpc-4dc16428"
}
]
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
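To decide which of the returned clusters can actually back a CloudHSM key store, a caller has to look past `total` into each resource: the first cluster in the response above has an empty `Hsms` list, the second has a single HSM in one Availability Zone. The following is an added example, not code from the CipherTrust documentation or product; it triages the response into a readiness report. The readiness rules (active cluster, at least one active HSM, HSMs in more than one zone, a cluster certificate present) and `SAMPLE_RESPONSE` are constructed for illustration; the sample is trimmed from the two clusters above plus a hypothetical third cluster that passes every check.

```python
"""Readiness triage for get-unused-cloudhsm-clusters output.

Added example, not part of the CipherTrust documentation or product. The
readiness rules and SAMPLE_RESPONSE are constructed for illustration.
"""

# Constructed: trimmed from the two clusters in the example response above,
# plus a third, hypothetical cluster (cluster-example0ready) that passes every check.
SAMPLE_RESPONSE = {
    "total": 3,
    "detailed_status": "Unused CloudHSM cluster(s) found",
    "resources": [
        {"ClusterId": "cluster-7rq2hgwvl5o", "State": "ACTIVE", "HsmType": "hsm1.medium",
         "BackupRetentionPolicy": {"Type": "DAYS", "Value": "45"},
         "Certificates": {"ClusterCertificate": "<cluster certificate PEM>"},
         "Hsms": []},
        {"ClusterId": "cluster-d5v3afg4pk2", "State": "ACTIVE", "HsmType": "hsm1.medium",
         "BackupRetentionPolicy": {"Type": "DAYS", "Value": "1075"},
         "Certificates": {"ClusterCertificate": "<cluster certificate PEM>"},
         "Hsms": [{"HsmId": "hsm-fs4hvzzrnjx", "AvailabilityZone": "us-east-1b",
                   "State": "ACTIVE"}]},
        {"ClusterId": "cluster-example0ready", "State": "ACTIVE", "HsmType": "hsm1.medium",
         "BackupRetentionPolicy": {"Type": "DAYS", "Value": "90"},
         "Certificates": {"ClusterCertificate": "<cluster certificate PEM>"},
         "Hsms": [{"HsmId": "hsm-example00001", "AvailabilityZone": "us-east-1a",
                   "State": "ACTIVE"},
                  {"HsmId": "hsm-example00002", "AvailabilityZone": "us-east-1b",
                   "State": "ACTIVE"}]},
    ],
}


def triage_clusters(response):
    """One row per cluster: active HSM count, AZ spread, backup days, blockers."""
    report = []
    for cluster in response.get("resources", []):
        active = [h for h in cluster.get("Hsms", []) if h.get("State") == "ACTIVE"]
        zones = sorted({h["AvailabilityZone"] for h in active})
        retention = cluster.get("BackupRetentionPolicy") or {}
        backup_days = int(retention["Value"]) if retention.get("Type") == "DAYS" else None
        issues = []
        if cluster.get("State") != "ACTIVE":
            issues.append(f"cluster state is {cluster.get('State')}")
        if not active:
            issues.append("no active HSM: nothing can serve key operations")
        elif len(zones) < 2:
            issues.append("all HSMs in one AZ: no zone redundancy")
        if not (cluster.get("Certificates") or {}).get("ClusterCertificate"):
            issues.append("no cluster certificate to verify the cluster against")
        report.append({"cluster_id": cluster["ClusterId"], "active_hsms": len(active),
                       "zones": zones, "backup_days": backup_days,
                       "issues": issues, "ready": not issues})
    return report


def ready_cluster_ids(response):
    """Cluster ids with no blockers, in the order the API returned them."""
    return [r["cluster_id"] for r in triage_clusters(response) if r["ready"]]
```

Run against the live response body instead of `SAMPLE_RESPONSE`, the report gives the operator a reason for every cluster that is skipped, rather than a bare count of "unused" clusters.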
Create a Virtual Key
Use POST /v1/cckm/virtual/keys to create a virtual key, which links to a key in Luna HSM. The source key in Luna HSM performs the cryptographic operations for AWS KMS requests. The virtual key supports versioning, which cannot be done directly on the source key.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/virtual/keys' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "source_key_id": "<source_key_id>"\n}' --compressed
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
source_key_id | string | The unique id of the source key (Luna HSM key) for the first version of the virtual key. |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/virtual/keys' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.RMOP06eDy0IJ9cayffyKW5851Q8QsuMnMuB5OCflQRc' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "source_key_id": "fe60eab9-bf80-4d9d-b622-309106d65fff"\n}' --compressed
Example Response
{
"application/json": {
"id": "b2b01847-3f4b-43c3-afd3-c6ca381b5a45",
"uri": "kylo:kylo:cckm:virtual-keys:b2b01847-3f4b-43c3-afd3-c6ca381b5a45",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-12-15T06:20:15.699004Z",
"updatedAt": "2020-12-15T06:25:57.338588051Z",
"partition_id": "ed5b1bbd-ce0b-48c1-ab69-a4592e5b2da2",
"partition_label": "cckm-1608012946",
"source_key_id": "fe60eab9-bf80-4d9d-b622-309106d65fff",
"version": 0
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
List Virtual Keys
Use GET /v1/cckm/virtual/keys to return the list of virtual keys.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/virtual/keys?<query_parameters>' -H 'Authorization: Bearer AUTHTOKEN' --compressed
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
Request Query Parameters
Parameter | Type | Description |
---|---|---|
id | string | Filter the results by virtual key ID. |
partition_id | string | Filter the results by the ID of the Luna HSM partition. |
source_key_id | string | Filter the results by the ID of the source key in Luna HSM |
partition_label | string | Filter the results by the label of the Luna HSM partition. |
skip | integer | The index of the first resource to return. Equivalent to 'offset' in SQL. |
limit | integer | The max number of resources to return. Equivalent to 'limit' in SQL. |
sort | string | The fields to sort results by. This should be a comma-delimited list of properties. Multiple properties will result in a multi-column sort. Sort order is ascending by default. To have a descending sort for a field, precede the field name with a minus sign ("-"). For example: name,-createdAt will sort the results first by name, ascending, then by createdAt, descending. |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/virtual/keys?skip=0&limit=10&sort=updatedAt' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI4Yzg4ZDY2Mi1mZDQ5LTQwM2QtOGFmMC0zYjljNGM0ZWNmNDMiLCJzdWIiOiJsb2NhbHxmYTEzYzU2Ny04NWQ4LTRiM2QtYWQ1OS1lNzMyOWZjMjNjOTQiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiOWI5YjM3YTItNWMxMy00ZmZmLWJlNzQtMThjOTI0NDc1YTFiIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjIyZjk5OGE1LTM4ZmItNDBkYi1hZjhkLTYwZjdkYjhiY2QyNiIsImlhdCI6MTY1MTA5MjY3NCwiZXhwIjoxNjUxMDkyOTc0fQ.RMOP06eDy0IJ9cayffyKW5851Q8QsuMnMuB5OCflQRc' -H 'accept: application/json' --compressed
Example Response
{
"application/json": {
"id": "b2b01847-3f4b-43c3-afd3-c6ca381b5a45",
"uri": "kylo:kylo:cckm:virtual-keys:b2b01847-3f4b-43c3-afd3-c6ca381b5a45",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-12-15T06:20:15.699004Z",
"updatedAt": "2020-12-15T06:25:57.338588051Z",
"partition_id": "ed5b1bbd-ce0b-48c1-ab69-a4592e5b2da2",
"partition_label": "cckm-1608012946",
"source_key_id": "fe60eab9-bf80-4d9d-b622-309106d65fff",
"version": 0
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
View Details for a Virtual Key
Use GET /v1/cckm/virtual/keys/{id} to return details of a given virtual key.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/virtual/keys/<virtual_key_id>' -H 'Authorization: Bearer AUTHTOKEN' --compressed
Path Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the virtual key. |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/virtual/keys/123456' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.RMOP06eDy0IJ9cayffyKW5851Q8QsuMnMuB5OCflQRc' -H 'accept: application/json' --compressed
Example Response
{
"application/json": {
"id": "b2b01847-3f4b-43c3-afd3-c6ca381b5a45",
"uri": "kylo:kylo:cckm:virtual-keys:b2b01847-3f4b-43c3-afd3-c6ca381b5a45",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-12-15T06:20:15.699004Z",
"updatedAt": "2020-12-15T06:25:57.338588051Z",
"partition_id": "ed5b1bbd-ce0b-48c1-ab69-a4592e5b2da2",
"partition_label": "cckm-1608012946",
"source_key_id": "fe60eab9-bf80-4d9d-b622-309106d65fff",
"version": 0
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Create an AWS HYOK Key (External Key)
Use POST /v1/cckm/aws/create-hyok-key to create an AWS HYOK (Hold Your Own Key) key, which links a virtual key to an external custom key store. The corresponding key in AWS KMS is referred to as an "external key".
Currently, only creation of HYOK keys for locally hosted key stores is supported, and only in the "unlinked" state, which means the HYOK key is not automatically created in AWS KMS or kept in sync with AWS KMS.
HYOK keys in locally hosted key stores require the following two values:
Source Key ID (virtual key ID).
Custom key store ID.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/create-hyok-key' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "local_hosted_params": {\n "source_key_id": "<source_key_id>",\n "custom_key_store_id": "<external_custom_key_store_id>",\n "blocked": <boolean_Value>\n }\n}' --compressed
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
local_hosted_params | JSON | Local hosted parameters for the AWS HYOK key. |
Local Hosted Parameters
Parameter | Type | Description |
---|---|---|
blocked | boolean | Whether access is blocked. Defaults to false. |
custom_key_store_id | string | External custom key store ID. Required for locally hosted custom key store. |
source_key_id | string | Source Key ID. For Luna HSM key source, this is the ID of the virtual key. Required for locally hosted custom key store. |
policy | JSON | This parameter is not currently read. It will be functional in a future release. |
Policy Parameters
Parameter | Type | Description |
---|---|---|
reserved | boolean | This parameter is not currently read. It will be functional in a future release. |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/create-hyok-key' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.KuRRb6VErQRxIcvexxSOBLgGllJV3zLgZErwXZKjE2w' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "local_hosted_params": {\n "source_key_id": "8658e434-1be1-4da6-9c6b-d4ec4f0e91f9",\n "custom_key_store_id": "677f9689-b2af-4fdb-ad9a-71cac77f6789",\n "blocked": false\n }\n}' --compressed
Example Response
{
"application/json": {
"id": "677f9689-b2af-4fdb-ad9a-71cac77f7fa0",
"uri": "kylo:kylo:cckm:aws-key:677f9689-b2af-4fdb-ad9a-71cac77f7fa0",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-07-24T04:10:56.180805743Z",
"updatedAt": "2020-07-24T04:10:56.177874659Z",
"kms_id": "ebdd67ec-a87b-4ae6-ae71-fd4dd3e3a5ad",
"kms": "kms-name",
"rotation_status": "",
"synced_at": "2020-07-24T04:10:56.125474304Z",
"local_key_id": "0c20bd6137334d0d832e65cb38aec32165d0ace291ba4a7c939afb987ef2e8e0",
"local_key_name": "aes-local-key",
"cloud_name": "aws",
"key_type": "symmetric",
"basic_view_enabled": false,
"region": "ap-southeast-1",
"gone": false,
"key_material_origin": "cckm",
"locally_hosted": true,
"local_hosted_params": {
"blocked": false,
"policy": {
"reserved": false
},
"custom_key_store_id": "677f9689-b2af-4fdb-ad9a-71cac77f6789",
"linked_state": false,
"source_key_id": "8658e434-1be1-4da6-9c6b-d4ec4f0e91f9"
},
"aws_param": {
"XksKeyConfiguration": {
"Id": "677f9689-b2af-4fdb-ad9a-71cac77f7fa0"
}
}
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
List AWS HYOK Key Versions
Use GET /v1/cckm/aws/keys/{id}/versions
to list the versions of the AWS HYOK key.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/keys/<aws_hyok_key_id>/versions?<query_parameters>' -H 'Authorization: Bearer AUTHTOKEN' --compressed
Path Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the AWS HYOK key. |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
Request Query Parameters
Parameter | Type | Description |
---|---|---|
skip | integer | The index of the first resource to return. Equivalent to 'offset' in SQL. |
limit | integer | The maximum number of resources to return. Equivalent to 'limit' in SQL. |
sort | string | The fields to sort results by, as a comma-delimited list of properties. Multiple properties result in a multi-column sort. Sort order is ascending by default; to sort a field in descending order, precede the field name with a minus sign ("-"). For example, name,-createdAt sorts the results first by name, ascending, then by createdAt, descending. |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/keys/123456/versions?skip=0&limit=10&sort=updatedAt' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9....edjyTlN5tAcUPne0b26YJIdg6mZX69bdwFSFplWE8vk' -H 'accept: application/json' --compressed
Example Response
{
"skip": 0,
"limit": 10,
"total": 1,
"resources": [
{
"id": "dfd88e59-b621-45d4-8f19-62d8ea6956e8",
"uri": "kylo:kylo:cckm:subscription:dfd88e59-b621-45d4-8f19-62d8ea6956e8",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-09-15T10:19:09.246956Z",
"updatedAt": "2020-09-15T10:19:09.245242Z",
"source_key_id": "c0d7f123-6058-418c-bcb0-5e68701df111",
"version": 0
},
{
"id": "dfd88e59-b621-45d4-8f19-62d8ea6956e9",
"uri": "kylo:kylo:cckm:subscription:dfd88e59-b621-45d4-8f19-62d8ea6956e9",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-09-15T10:19:09.246956Z",
"updatedAt": "2020-09-15T10:19:09.245242Z",
"source_key_id": "c0d7f123-6058-418c-bcb0-5e68701df222",
"version": 1
}
]
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
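The create-hyok-key request and the versions listing above, worked through as an added example (this is not CCKM's own client code). It builds the create body with the required IDs, then pages through /v1/cckm/aws/keys/{id}/versions using the documented skip, limit and sort query parameters. The HTTP layer is injected as a callable so the code runs offline: Transport, fake_transport and SAMPLE_VERSIONS are constructed for this example, with a third version added to the page's two so that a page size of 2 actually exercises paging.

```python
from typing import Callable, Dict, Iterator, List, Optional, Tuple

# Transport signature assumed for this example: (method, path, query, body) -> parsed JSON.
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], dict]


def build_create_hyok_body(source_key_id: str, custom_key_store_id: str,
                           blocked: bool = False) -> dict:
    """Body for POST /v1/cckm/aws/create-hyok-key on a locally hosted key store.
    Both IDs are documented as required; fail locally instead of spending a
    round trip on a 4xx."""
    if not source_key_id or not custom_key_store_id:
        raise ValueError("source_key_id and custom_key_store_id are required")
    return {"local_hosted_params": {
        "source_key_id": source_key_id,
        "custom_key_store_id": custom_key_store_id,
        "blocked": bool(blocked),  # documented default is false
    }}


def parse_sort(spec: str) -> List[Tuple[str, bool]]:
    """Turn the documented sort string ('name,-createdAt') into
    [(field, descending), ...]; a leading '-' means descending."""
    fields = []
    for raw in spec.split(","):
        raw = raw.strip()
        if raw:
            fields.append((raw.lstrip("-"), raw.startswith("-")))
    return fields


def sort_resources(resources: List[dict], spec: str) -> List[dict]:
    """Reproduce the multi-column sort locally: stable sorts applied from the
    least significant field backwards give the same order as one multi-key sort."""
    ordered = list(resources)
    for field, descending in reversed(parse_sort(spec)):
        ordered.sort(key=lambda r: r.get(field), reverse=descending)
    return ordered


def iter_key_versions(send: Transport, key_id: str, page_size: int = 10,
                      sort: str = "version") -> Iterator[dict]:
    """Page through GET /v1/cckm/aws/keys/{id}/versions with skip/limit until
    'total' is exhausted. An empty page also ends the loop, so a misbehaving
    server cannot spin the client forever."""
    skip = 0
    while True:
        page = send("GET", f"/v1/cckm/aws/keys/{key_id}/versions",
                    {"skip": str(skip), "limit": str(page_size), "sort": sort}, None)
        resources = page.get("resources", [])
        yield from resources
        skip += len(resources)
        if not resources or skip >= page.get("total", 0):
            return


# Constructed sample data modelled on the page's example response (not a real
# CCKM reply); the third entry is invented so that page_size=2 needs two pages.
SAMPLE_VERSIONS = [
    {"id": "dfd88e59-b621-45d4-8f19-62d8ea6956e8",
     "source_key_id": "c0d7f123-6058-418c-bcb0-5e68701df111", "version": 0},
    {"id": "dfd88e59-b621-45d4-8f19-62d8ea6956e9",
     "source_key_id": "c0d7f123-6058-418c-bcb0-5e68701df222", "version": 1},
    {"id": "dfd88e59-b621-45d4-8f19-62d8ea6956ea",
     "source_key_id": "c0d7f123-6058-418c-bcb0-5e68701df333", "version": 2},
]


def fake_transport(method: str, path: str, query: Dict[str, str],
                   body: Optional[dict]) -> dict:
    """Offline stand-in for the HTTPS call: serves SAMPLE_VERSIONS in the
    skip/limit/total envelope the documented response uses."""
    if method != "GET" or not path.endswith("/versions"):
        raise RuntimeError(f"unexpected request {method} {path}")
    skip, limit = int(query["skip"]), int(query["limit"])
    ordered = sort_resources(SAMPLE_VERSIONS, query.get("sort", "version"))
    return {"skip": skip, "limit": limit, "total": len(ordered),
            "resources": ordered[skip:skip + limit]}


def demo() -> Tuple[dict, List[int]]:
    """Build a create body with the page's example IDs and list the sample
    versions newest first, two per page."""
    body = build_create_hyok_body("8658e434-1be1-4da6-9c6b-d4ec4f0e91f9",
                                  "677f9689-b2af-4fdb-ad9a-71cac77f6789")
    versions = list(iter_key_versions(fake_transport, "123456",
                                      page_size=2, sort="-version"))
    return body, [v["version"] for v in versions]


if __name__ == "__main__":
    create_body, version_numbers = demo()
    print(create_body)
    print("versions newest first:", version_numbers)
```

To run it against a real CipherTrust Manager, replace fake_transport with a function that performs the HTTPS request with the bearer token in the Authorization header and returns the decoded JSON; the paging and sort handling stays the same.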
Block AWS HYOK key
Use POST /v1/cckm/aws/keys/{id}/block
to block AWS KMS from performing cryptographic operations with the AWS HYOK key.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/keys/<aws_hyok_key_id>/block' -X POST -H 'Authorization: Bearer AUTHTOKEN' --compressed
Path Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the AWS HYOK key. |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/keys/123456/block' -X POST -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9....RsGQEMy8hGlgGahHl_rnhwtnLy6i_wQfXb-AAOJa30I' -H 'accept: application/json' --compressed
Example Response
{
"application/json": {
"id": "677f9689-b2af-4fdb-ad9a-71cac77f7fa0",
"uri": "kylo:kylo:cckm:aws-key:677f9689-b2af-4fdb-ad9a-71cac77f7fa0",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-07-24T04:10:56.180805743Z",
"updatedAt": "2020-07-24T04:10:56.177874659Z",
"kms_id": "ebdd67ec-a87b-4ae6-ae71-fd4dd3e3a5ad",
"kms": "kms-name",
"rotation_status": "ACTIVE",
"synced_at": "2020-07-24T04:10:56.125474304Z",
"cloud_name": "aws",
"key_type": "symmetric",
"basic_view_enabled": false,
"region": "ap-southeast-1",
"gone": false,
"key_material_origin": "native",
"key_source": "hsm-luna",
"blocked": true,
"linked_state": false,
"custom_key_store_id": "eb4fc6ee-35f7-42c7-9116-37fdecb43941",
"aws_param": {
"AWSAccountId": "123456789012",
"Arn": "arn:aws:kms:ap-southeast-1:123456789012:key/677f9689-b2af-4fdb-ad9a-71cac77f7fa0",
"CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
"Description": "Description",
"Enabled": true,
"EncryptionAlgorithms": [
"SYMMETRIC_DEFAULT"
],
"KeyID": "677f9689-b2af-4fdb-ad9a-71cac77f7fa0",
"KeyManager": "CUSTOMER",
"KeyState": "Enabled",
"KeyUsage": "ENCRYPT_DECRYPT",
"Origin": "AWS_KMS",
"CreationDate": "2020-07-24T04:10:55Z",
"Policy": {
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
},
"Action": "kms:*",
"Resource": "*"
}
]
},
"Alias": [
"alias/Test"
],
"Tags": [
{
"TagKey": "key",
"TagValue": "value"
}
],
"KeyRotationEnabled": false
}
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Unblock AWS HYOK key
Use POST /v1/cckm/aws/keys/{id}/unblock
to allow AWS KMS to perform cryptographic operations with the AWS HYOK key.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/keys/<aws_hyok_key_id>/unblock' -X POST -H 'Authorization: Bearer AUTHTOKEN' --compressed
Path Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the AWS HYOK key. |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/keys/123456/unblock' -X POST -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9....RsGQEMy8hGlgGahHl_rnhwtnLy6i_wQfXb-AAOJa30I' -H 'accept: application/json' --compressed
Example Response
{
"application/json": {
"id": "677f9689-b2af-4fdb-ad9a-71cac77f7fa0",
"uri": "kylo:kylo:cckm:aws-key:677f9689-b2af-4fdb-ad9a-71cac77f7fa0",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-07-24T04:10:56.180805743Z",
"updatedAt": "2020-07-24T04:10:56.177874659Z",
"kms_id": "ebdd67ec-a87b-4ae6-ae71-fd4dd3e3a5ad",
"kms": "kms-name",
"rotation_status": "ACTIVE",
"synced_at": "2020-07-24T04:10:56.125474304Z",
"cloud_name": "aws",
"key_type": "symmetric",
"basic_view_enabled": false,
"region": "ap-southeast-1",
"gone": false,
"key_material_origin": "native",
"local_hosted_params": {
"blocked": false
},
"aws_param": {
"AWSAccountId": "123456789012",
"Arn": "arn:aws:kms:ap-southeast-1:123456789012:key/677f9689-b2af-4fdb-ad9a-71cac77f7fa0",
"CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
"Description": "Description",
"Enabled": false,
"EncryptionAlgorithms": [
"SYMMETRIC_DEFAULT"
],
"KeyID": "677f9689-b2af-4fdb-ad9a-71cac77f7fa0",
"KeyManager": "CUSTOMER",
"KeyState": "Disabled",
"KeyUsage": "ENCRYPT_DECRYPT",
"Origin": "AWS_KMS",
"CreationDate": "2020-07-24T04:10:55Z",
"Policy": {
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
},
"Action": "kms:*",
"Resource": "*"
}
]
},
"Alias": [
"alias/Test"
],
"Tags": [
{
"TagKey": "key",
"TagValue": "value"
}
],
"KeyRotationEnabled": false
}
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Link an Unlinked AWS HYOK key
Use POST /v1/cckm/aws/keys/{id}/link
to link an unlinked AWS HYOK key in a local external custom key store.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/keys/<aws_hyok_key_id>/link' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "aws_param": {\n "Alias": "alias/<key_alias>",\n "Tags": [\n {\n "TagKey": "<tag_key>",\n "TagValue": "<tag_value>"\n }\n ],\n "Policy": { <key_policy> },\n "BypassPolicyLockoutSafetyCheck": false\n },\n "external_accounts": [\n <external_accounts>\n ],\n "key_admins": [\n <key_admins>\n ],\n "key_admins_roles": [\n <key_admins_roles>\n ],\n "key_users": [\n <key_users>\n ],\n "key_users_roles": [\n <key_users_roles>\n ],\n "policytemplate": "<policytemplate>"\n}' --compressed
Path Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the AWS HYOK key. |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
aws_param | JSON | AWS key parameters. |
external_accounts | array | AWS accounts that can use this key. External accounts are mutually exclusive to policy and policy template. If no policy parameters are specified the default policy is used. |
key_admins | array | IAM users who can administer this key using the KMS API. Key admins are mutually exclusive to policy and policy template. If no policy parameters are specified the default policy is used. |
key_admins_roles | array | IAM roles that can administer this key using the KMS API. Key admins are mutually exclusive to policy and policy template. If no policy parameters are specified the default policy is used. |
key_users | array | IAM users who can use the KMS key in cryptographic operations. Key users are mutually exclusive to policy and policy template. If no policy parameters are specified the default policy is used. |
key_users_roles | array | IAM roles that can use the KMS key in cryptographic operations. Key users are mutually exclusive to policy and policy template. If no policy parameters are specified the default policy is used. |
policytemplate | string | ID of the policy template to apply. Policy template is mutually exclusive to all other policy parameters. If no policy parameters are specified the default policy is used. |
AWS Key Parameters
Parameter | Type | Description |
---|---|---|
Alias | string | Alias for the KMS key. |
BypassPolicyLockoutSafetyCheck | boolean | Whether to bypass the key policy lockout safety check. |
Description | string | Description of the KMS key. |
Policy | JSON | Key policy to attach to the KMS key. Policy is mutually exclusive to all other policy parameters. If no policy parameters are specified the default policy is used. |
Tags | array | Optional tags for the KMS key. |
TagKey | string | Key for the tag. |
TagValue | string | Value corresponding to key of the tag. |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/keys/1234567/link' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9....0t1RgwRNA8bW6UOEm1SHY0emNjP0chJ6HGj242HUOMY' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "aws_param": {\n "Alias": "alias/projectKey1",\n "Tags": [\n {\n "TagKey": "key",\n "TagValue": "value"\n }\n ],\n "Policy": {\n "Version": "2012-10-17",\n "Id": "key-default-1",\n "Statement": [\n {\n "Sid": "Enable IAM User Permissions",\n "Effect": "Allow",\n "Principal": {\n "AWS": "arn:aws:iam::123456789012:root"\n },\n "Action": "kms:*",\n "Resource": "*"\n }\n ]\n },\n "BypassPolicyLockoutSafetyCheck": false\n }\n}' --compressed
Example Response
{
"application/json": {
"id": "677f9689-b2af-4fdb-ad9a-71cac77f7fa0",
"uri": "kylo:kylo:cckm:aws-key:677f9689-b2af-4fdb-ad9a-71cac77f7fa0",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-07-24T04:10:56.180805743Z",
"updatedAt": "2020-07-24T04:10:56.177874659Z",
"kms_id": "ebdd67ec-a87b-4ae6-ae71-fd4dd3e3a5ad",
"kms": "kms-name",
"rotation_status": "ACTIVE",
"synced_at": "2020-07-24T04:10:56.125474304Z",
"cloud_name": "aws",
"key_type": "symmetric",
"basic_view_enabled": false,
"region": "ap-southeast-1",
"gone": false,
"key_material_origin": "native",
"key_source": "hsm-luna",
"blocked": true,
"linked_state": true,
"custom_key_store_id": "eb4fc6ee-35f7-42c7-9116-37fdecb43941",
"aws_param": {
"AWSAccountId": "123456789012",
"Arn": "arn:aws:kms:ap-southeast-1:123456789012:key/677f9689-b2af-4fdb-ad9a-71cac77f7fa0",
"CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
"Description": "Description",
"Enabled": true,
"EncryptionAlgorithms": [
"SYMMETRIC_DEFAULT"
],
"KeyID": "677f9689-b2af-4fdb-ad9a-71cac77f7fa0",
"KeyManager": "CUSTOMER",
"KeyState": "Enabled",
"KeyUsage": "ENCRYPT_DECRYPT",
"Origin": "AWS_KMS",
"CreationDate": "2020-07-24T04:10:55Z",
"Policy": {
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
},
"Action": "kms:*",
"Resource": "*"
}
]
},
"Alias": [
"alias/Test"
],
"Tags": [
{
"TagKey": "key",
"TagValue": "value"
}
],
"KeyRotationEnabled": false
}
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
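The link request above, together with the block and unblock responses earlier in this section, as an added example (not CCKM's or AWS's own code). build_link_body assembles the link body and enforces the exclusivity the parameter tables describe: Policy, policytemplate and the IAM-list parameters are three alternative ways of setting the key policy, and with none of them the default policy applies. check_key_policy is a simplified client-side stand-in for the KMS lockout safety check (an assumption about what a sensible pre-flight check looks like, not the logic KMS runs): it insists on a recognised IAM policy Version and, unless the caller explicitly bypasses the check, on at least one Allow statement that keeps policy management possible. key_access_state reads the blocked and linked flags from the documented response shapes. All function names, EXAMPLE_POLICY and the sample ARNs are constructed for this example.

```python
from typing import Dict, Iterable, List, Optional

# The five IAM-based policy parameters of the link endpoint; they may be combined
# with each other but not with Policy or policytemplate (per the parameter tables).
IAM_LIST_PARAMS = ("external_accounts", "key_admins", "key_admins_roles",
                   "key_users", "key_users_roles")
# IAM policy language versions accepted in a key policy.
IAM_POLICY_VERSIONS = ("2012-10-17", "2008-10-17")


def _as_list(value) -> List:
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def check_key_policy(policy: dict, bypass_lockout_check: bool = False) -> None:
    """Simplified pre-flight check (not AWS's real lockout safety check): the
    Version must be an IAM policy language version and, unless bypassed, some
    Allow statement must grant kms:* or kms:PutKeyPolicy to a principal, so the
    policy can still be changed after it is attached."""
    if policy.get("Version") not in IAM_POLICY_VERSIONS:
        raise ValueError(f"Version must be one of {IAM_POLICY_VERSIONS}")
    statements = _as_list(policy.get("Statement"))
    if not statements:
        raise ValueError("policy has no Statement")
    if bypass_lockout_check:
        return
    for stmt in statements:
        actions = {str(a).lower() for a in _as_list(stmt.get("Action"))}
        if (stmt.get("Effect") == "Allow" and stmt.get("Principal")
                and actions & {"kms:*", "kms:putkeypolicy"}):
            return
    raise ValueError("policy would lock out policy management; grant "
                     "kms:PutKeyPolicy or set bypass_lockout_check=True")


def build_link_body(alias: str, tags: Optional[Dict[str, str]] = None,
                    description: Optional[str] = None,
                    policy: Optional[dict] = None,
                    policytemplate: Optional[str] = None,
                    bypass_lockout_check: bool = False,
                    **iam_lists: Iterable[str]) -> dict:
    """Body for POST /v1/cckm/aws/keys/{id}/link. Exactly one of Policy,
    policytemplate or the IAM lists may be given; none means default policy."""
    unknown = set(iam_lists) - set(IAM_LIST_PARAMS)
    if unknown:
        raise ValueError(f"unknown parameters: {sorted(unknown)}")
    iam_present = {k: list(v) for k, v in iam_lists.items() if v}
    chosen = [name for name, used in (("Policy", policy is not None),
                                      ("policytemplate", bool(policytemplate)),
                                      ("IAM lists", bool(iam_present))) if used]
    if len(chosen) > 1:
        raise ValueError("mutually exclusive policy parameters: " + ", ".join(chosen))
    aws_param = {
        "Alias": alias if alias.startswith("alias/") else f"alias/{alias}",
        "BypassPolicyLockoutSafetyCheck": bool(bypass_lockout_check),
    }
    if description:
        aws_param["Description"] = description
    if tags:
        aws_param["Tags"] = [{"TagKey": k, "TagValue": v} for k, v in tags.items()]
    if policy is not None:
        check_key_policy(policy, bypass_lockout_check)
        aws_param["Policy"] = policy
    body: dict = {"aws_param": aws_param}
    if policytemplate:
        body["policytemplate"] = policytemplate
    body.update(iam_present)
    return body


def key_access_state(response: dict) -> Dict[str, Optional[bool]]:
    """Blocked/linked state from a create, block, unblock or link response.
    The documented responses carry the flags either at the top level or inside
    local_hosted_params, so both places are checked."""
    body = response.get("application/json", response)
    local = body.get("local_hosted_params") or {}
    return {"blocked": body.get("blocked", local.get("blocked")),
            "linked": body.get("linked_state", local.get("linked_state"))}


# Constructed key policy mirroring the page's example (account id is a sample).
EXAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [{"Sid": "Enable IAM User Permissions", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                   "Action": "kms:*", "Resource": "*"}],
}

if __name__ == "__main__":
    print(build_link_body("projectKey1", tags={"key": "value"}, policy=EXAMPLE_POLICY))
    print(key_access_state({"application/json": {"blocked": True, "linked_state": True}}))
```

Keeping BypassPolicyLockoutSafetyCheck at false (the default in the request above) and letting check_key_policy reject a policy with no management permission is the conservative choice: a key whose policy nobody can change is still usable by KMS but can no longer be governed from the account side.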