AWS Custom Key Store APIs

The Custom Key Store APIs for integration with Amazon Web Services Key Management Service (AWS KMS) allow you to manage both locally managed and AWS Cloud HSM key stores.

A custom key store of type AWS_CLOUDHSM has keys backed by a CloudHSM cluster in AWS. A custom key store of type EXTERNAL_KEY_STORE can have keys from a Luna HSM or from CipherTrust Manager.

Use the APIs in this section to perform the following operations:

  • Operations common to both key store types:

    • Create, list, get, update and delete custom key stores.

    • Connect to and disconnect from a custom key store.

    • Synchronize AWS custom key stores, get the status of a synchronization job, and cancel a synchronization job.

  • Operations exclusive to external key store:

    • Block and unblock access.

    • Rotate credential.

    • Enable and disable scheduled rotation of credentials for a custom key store.

    • List and get credentials.

    • Link local external key store with AWS KMS.

    • Enable or disable audit recording.

  • Operations exclusive to CloudHSM key store:

    • Get list of unused CloudHSM clusters (that are not already associated with a CloudHSM key store).

  • Operations exclusive to HYOK keys:

    • Create an AWS HYOK key in an external key store.

    • Create, list, and get virtual keys and their versions.

    • Link an unlinked HYOK key.

    • List versions of an AWS HYOK key.

    • Block and unblock HYOK key access.

  • Operations exclusive to CloudHSM keys:

    • Create key in a CloudHSM key store.

External Custom Key Store Overview

External Custom Key Stores allow you to manage keys held in CipherTrust Manager or in Luna Network HSMs (Hardware Security Modules), and allow AWS KMS to use those keys for cryptographic operations on demand.

The external custom key store entity on CipherTrust Cloud Key Manager (CCKM) provides access to AWS KMS to use source key material stored in HSM partitions or CipherTrust Manager, while preserving end user control to manage those source keys.

Setting up necessary XKS objects for Luna as the key source requires a specific sequence:

  1. Set up a Luna partition and create at least one key as described in Luna HSM APIs. Luna HSM keys that are compatible with external custom key stores must have the following values:

    • The only supported key mechanism for external custom key stores is CKM_AES_KEY_GEN. The displayed algorithm for this is aes.

    • The key size must be 256.

    • The following attributes must be enabled: CKA_ENCRYPT and CKA_DECRYPT.

  2. Add the AWS account associated with the external key store integration to CCKM, as described in AWS KMS Management APIs.

  3. The Health Check Key must be created before creating a key store. The health check is initiated against the location of the key store, so the required key attributes depend on that location.

    • If the key store is on Luna HSM, the Health Check Key must have the following attributes:

      • CKA_EXTRACTABLE = FALSE

      • CKA_SENSITIVE = TRUE

      • CKA_ENCRYPT = TRUE

      • CKA_DECRYPT = TRUE

      • CKA_WRAP = TRUE

      • CKA_UNWRAP = TRUE

    • If the key store is on CipherTrust Manager, the Health Check Key must have the following attributes:

      • Key Not Exportable

      • Key Not Deletable

      • Usage Masks - Encrypt, Decrypt, Wrap, Unwrap

  4. Create an External Custom Key Store. The key store can be created as unlinked, which is default, or linked. Creating a linked key store also creates a corresponding external key store on AWS KMS, and the CCKM external custom key store automatically synchronizes with the AWS KMS key store. If the key store is unlinked, retain the returned xks_proxy_uri_path value which is needed to manually create the corresponding external key store on AWS. After creation, unlinked external custom key stores can later be linked to the corresponding AWS KMS key store.

  5. Create a virtual key, which links to a source key. This intermediary virtual key in the API allows versioning and rotation on encryption keys.

    In the CipherTrust Manager web console UI, the virtual key object is not displayed; AWS Hold Your Own Key (HYOK) keys can be rotated directly, and are shown with a direct link to the source key on the HSM partition.

  6. Create an AWS HYOK (External) key. The AWS HYOK key can be created as unlinked, which is the default, or linked. For unlinked keys, you need the returned XksKeyConfiguration:Id value to create the corresponding KMS key on AWS. On CCKM, the AWS HYOK key is linked to the virtual key, which is in turn linked to the source key.

    Do not provide the source_key_id or the virtual key's id to AWS KMS.

Once XKS objects are created, and communication between AWS and CCKM is established, AWS KMS can then make requests for the following operations:

  • GetKeyMetadata

  • Encrypt

  • Decrypt

  • GetHealthStatus

You can exercise the health status independently of KMS for troubleshooting purposes. A sample command is provided below.

AWS KMS communicates these requests through the CCKM external custom key store and the AWS HYOK key, and the Luna HSM or CipherTrust Manager carries out encryption and decryption operations, depending on the key source.

The AWS Cloud KMS documentation describes AWS KMS API methods used for the external key store integration.

Troubleshooting External Custom Key Store

If CipherTrust Manager does not respond successfully to requests from AWS KMS to the external key store, you can use the REST API to determine the component which is failing.

To check if CipherTrust Manager interface services are available:

curl -w "%{time_total}\n" -k 'https://<ciphertrust_FQDN>/api/v1/system/services/status' -H 'accept: application/json' --compressed

A healthy response, printed before the total request time, looks like:

{"status":"started","services":[{"name":"web","status":"started"},{"name":"nae-kmip","status":"started"}]}

If the above command is successful, the CipherTrust Manager interface services are in a started state and the interfaces are able to receive requests. If you receive an error, you might need to restart services or re-configure the CipherTrust Manager interfaces.

To exercise the health status check:

curl --aws-sigv4 "aws:amz:<region>:kms-xks-proxy" --user "<access_key_id>:<secret_access_key_id>" -X POST --data '{"requestMetadata": {"kmsRequestId": "<request_id_string>","kmsOperation": "ConnectCustomKeyStore"}}' -H "Content-Type: application/json" https://<ciphertrust_FQDN>/api/<xks_proxy_uri_path>/health

A successful response returns "healthStatus":"ACTIVE", and indicates that the CCKM external key store is accessible and can execute an encryption with the health check key.

If you receive an error for a linked key store, make sure the VPC or private network elements are working correctly.

If you receive an error for an unlinked key store, you might need to check for network access issues, and check that both the AWS KMS key store and the CCKM key store have matching access key credentials, the health check key, and the region. Many of these mismatches can be fixed by updating or re-creating the AWS KMS external key store.
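The health-status call above authenticates with AWS Signature Version 4 using the key store's access key pair (the access_key_id and secret_access_key returned when the key store is created), which is why mismatched credentials between the AWS KMS key store and the CCKM key store surface as a failed health check. The following Python script is an added example, not CCKM's or AWS's own code: it signs the GetHealthStatus request the way curl --aws-sigv4 does, and pairs it with a proxy-side verifier that recomputes the signature from the stored secret and rejects a tampered body, an unknown access key ID or a wrong secret. The URL, request ID and credentials are constructed sample values; the exact set of headers the real XKS proxy signs and how CCKM validates them are not shown on this page and are assumed here.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Service name KMS uses when signing XKS proxy requests; it is the last field of the
# page's curl --aws-sigv4 "aws:amz:<region>:kms-xks-proxy" argument.
XKS_SERVICE = "kms-xks-proxy"
ALGORITHM = "AWS4-HMAC-SHA256"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def health_check_body(request_id: str) -> bytes:
    """Body of the GetHealthStatus request shown in the troubleshooting section."""
    body = {"requestMetadata": {"kmsRequestId": request_id,
                                "kmsOperation": "ConnectCustomKeyStore"}}
    return json.dumps(body, separators=(",", ":")).encode("utf-8")


def _canonical_request(method: str, path: str, headers: dict, body: bytes):
    # SigV4 canonical form: method, path, (empty) query string, sorted lowercase
    # headers, the signed-header list and the hex SHA-256 of the payload.
    names = sorted(headers)
    canonical_headers = "".join(f"{n}:{headers[n].strip()}\n" for n in names)
    signed_headers = ";".join(names)
    canonical = "\n".join([method, path, "", canonical_headers,
                           signed_headers, _sha256_hex(body)])
    return canonical, signed_headers


def _signature(secret_access_key: str, date_stamp: str, region: str,
               amz_date: str, canonical: str):
    scope = f"{date_stamp}/{region}/{XKS_SERVICE}/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope,
                                _sha256_hex(canonical.encode("utf-8"))])
    # Derive the per-day signing key from the secret access key, then sign.
    k_date = _hmac_sha256(("AWS4" + secret_access_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, XKS_SERVICE)
    k_signing = _hmac_sha256(k_service, "aws4_request")
    return hmac.new(k_signing, string_to_sign.encode("utf-8"),
                    hashlib.sha256).hexdigest(), scope


def sign_request(method: str, url: str, body: bytes, access_key_id: str,
                 secret_access_key: str, region: str, amz_date: str) -> dict:
    """Client side: the headers curl --aws-sigv4 adds for the key store's credentials."""
    parsed = urlparse(url)
    headers = {"host": parsed.netloc, "x-amz-date": amz_date,
               "content-type": "application/json"}
    canonical, signed_headers = _canonical_request(method, parsed.path, headers, body)
    sig, scope = _signature(secret_access_key, amz_date[:8], region, amz_date, canonical)
    headers["authorization"] = (f"{ALGORITHM} Credential={access_key_id}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={sig}")
    return headers


def verify_request(method: str, url: str, body: bytes, headers: dict,
                   credentials: dict) -> bool:
    """Proxy side (assumed behaviour): recompute the signature with the secret stored
    for the presented access key ID. Any mismatch in body, headers, key ID or
    secret fails closed."""
    auth = headers.get("authorization", "")
    if not auth.startswith(ALGORITHM + " "):
        return False
    try:
        fields = dict(part.strip().split("=", 1)
                      for part in auth[len(ALGORITHM) + 1:].split(","))
        access_key_id, date_stamp, region, service, terminal = fields["Credential"].split("/")
        signed_names = fields["SignedHeaders"].split(";")
        subset = {n: headers[n] for n in signed_names}
    except (KeyError, ValueError):
        return False
    if (service != XKS_SERVICE or terminal != "aws4_request"
            or access_key_id not in credentials
            or "host" not in signed_names or "x-amz-date" not in signed_names
            or date_stamp != headers["x-amz-date"][:8]):
        return False
    canonical, _ = _canonical_request(method, urlparse(url).path, subset, body)
    expected, _ = _signature(credentials[access_key_id], date_stamp, region,
                             headers["x-amz-date"], canonical)
    return hmac.compare_digest(expected, fields.get("Signature", ""))


def health_status(response_text: str) -> str:
    """Extract healthStatus from the proxy's JSON reply ("ACTIVE" on success)."""
    return json.loads(response_text).get("healthStatus", "UNKNOWN")


if __name__ == "__main__":
    # Constructed sample values; the real key pair is returned when the key store is created.
    url = "https://ciphertrust.example.com/api/v1/cckm/aws/xks-proxy-endpoints/EXAMPLE-ID/kms/xks/v1/health"
    body = health_check_body("req-0001")
    hdrs = sign_request("POST", url, body, "AKIDEXAMPLE", "secretEXAMPLE", "us-east-1", "20240101T000000Z")
    print(hdrs["authorization"])
    print("verified:", verify_request("POST", url, body, hdrs, {"AKIDEXAMPLE": "secretEXAMPLE"}))
```

The verifier uses hmac.compare_digest so that signature comparison does not leak timing information, and it refuses requests whose credential scope date does not match the x-amz-date header; a production proxy would additionally bound how old that timestamp may be.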

Create a Custom Key Store

Use POST /v1/cckm/aws/custom-key-stores to create a custom key store on CCKM. The custom key store can be an external key store or a cloud HSM key store.

For an External Custom Key Store, specify the following details:

  • Name

  • Region

  • AWS account. This must be an AWS account registered on CCKM as a container.

  • Luna Network HSM Partition ID.

  • Linked state (false by default)

  • Blocked (false by default)

  • Audit recording (false by default)

  • Source Key Tier (hsm-luna by default)

In addition, you can specify whether the key store is created in a blocked state or not.

Enabling audit recording of successful operations for a custom key store of type EXTERNAL_KEY_STORE significantly impacts the performance of the key store. Enable this type of audit recording only for troubleshooting or for presenting a demo.

For a custom key store backed by an AWS CloudHSM cluster, specify the following details:

  • Name

  • Region

  • AWS account

  • CloudHSM cluster ID

  • CloudHSM kmsuser Crypto User (CU) password

  • Trust anchor certificate

  • The custom_key_store_type as AWS_CLOUDHSM.

Syntax

curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores' -X POST -H 'Authorization: Bearer AUTHTOKEN' -H 'accept: application/json' --data-binary $'{\n  "name": "<key_store_name>",\n  "kms": "<aws-account-number>",\n  "region": "<aws-region>",\n  "linked_state": <boolean>,\n  "local_hosted_params": {\n    "partition_id": "<Luna_HSM_partition_ID>",\n    "blocked": <boolean>,\n    "health_check_key_id": "<key_id>",\n    "max_credentials": <number_of_credentials>\n  },\n  "aws_param": {\n    "xks_proxy_connectivity": "<network_connectivity_type>",\n    "xks_proxy_uri_endpoint": "<DNS_hostname_for_requests>"\n  },\n  "enable_success_audit_event": <true|false>\n}' --compressed

When the source key tier is local (keys held in CipherTrust Manager), omit partition_id:

curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores' -X POST -H 'Authorization: Bearer AUTHTOKEN' -H 'accept: application/json' --data-binary $'{\n  "name": "<key_store_name>",\n  "kms": "<aws-account-number>",\n  "region": "<aws-region>",\n  "linked_state": <boolean>,\n  "local_hosted_params": {\n    "blocked": <boolean>,\n    "health_check_key_id": "<key_id>",\n    "max_credentials": <number_of_credentials>\n  },\n  "aws_param": {\n    "xks_proxy_connectivity": "<network_connectivity_type>",\n    "xks_proxy_uri_endpoint": "<DNS_hostname_for_requests>"\n  },\n  "enable_success_audit_event": <true|false>\n}' --compressed

Request Parameters

Parameter | Type | Description
--- | --- | ---
AUTHTOKEN | string | Authorization Token
name | string | Required. Unique name for the custom key store.
kms | string | Required. Name or ID of the AWS account container on CCKM in which to create the custom key store.
region | string | Required. Name of one of the available regions.
linked_state | boolean | Indicates whether the custom key store is linked with AWS. Applicable to custom key stores of type EXTERNAL_KEY_STORE. Default value is false. When false, creating a CKS in CCKM does not trigger AWS KMS to create a new key store, and the new CKS does not synchronize with any key store on AWS KMS until it is linked.
enable_success_audit_event | boolean | Indicates whether audit recording of successful operations within an external key store is enabled or disabled. This field is optional. Default value is false.
local_hosted_params | JSON | Parameters for a locally hosted external custom key store on CCKM.
aws_param | JSON | Required. Parameters related to AWS interaction with the CKS.

Local Hosted Parameters

The local hosted parameters are applicable to EXTERNAL_KEY_STORE type. The descriptions indicate which values are required for external custom key stores.

Parameter | Type | Description
--- | --- | ---
blocked | boolean | Whether the key store is blocked or not. If not specified, this is set to false.
mtls_enabled | boolean | Whether the key store is enabled for the verification of a TLS client-side certificate, where the CipherTrust Manager authenticates the AWS KMS client. If not specified, this is set to false.
health_check_key_id | string | Required. ID of an existing Luna key (if source key tier is luna-hsm) or CipherTrust key (if source key tier is local) to use for the health check.
max_credentials | string | Required. Maximum number of credentials that can be associated with the custom key store (minimum value 2, maximum value 20).
partition_id | string | ID of the Luna HSM partition. Required if the custom key store is of type EXTERNAL_KEY_STORE and the source key tier is luna-hsm.
source_key_tier | string | Source for cryptographic keys. Default value is luna-hsm. Options are local or luna-hsm.

If you plan to enable mutual TLS on an AWS external custom key store and there is a load balancer in front of CCKM, configure the load balancer so that TLS termination does not take place on it, allowing TLS passthrough. This configuration is required for CCKM and AWS KMS to exchange certificates successfully.

Before setting the mtls_enabled parameter to true, perform the following prerequisite steps:
1. Create a CA-signed certificate from one of the AWS Trusted CAs for the Web interface of your CipherTrust Manager.
2. Download the AWS root CA certificate from the same AWS trusted CA and add it as an External CA on CipherTrust Manager. For more information, refer to Creating an External CA.
3. Add the certificate from Step 1 to the CipherTrust Manager web interface. For more information, refer to Using an externally generated server certificate for an interface.

AWS Parameters

Parameter | Type | Description
--- | --- | ---
cloud_hsm_cluster_id | string | Required for custom key stores of type AWS_CLOUDHSM. ID of the CloudHSM cluster for the custom key store. Enter the cluster ID of an active CloudHSM cluster that is not already associated with a custom key store.
custom_key_store_type | string | Specifies the type of custom key store. The default value is EXTERNAL_KEY_STORE. For a custom key store backed by an AWS CloudHSM cluster, the key store type is AWS_CLOUDHSM. For a custom key store backed by an HSM or key manager outside of AWS, the key store type is EXTERNAL_KEY_STORE.
key_store_password | string | Required for custom key stores of type AWS_CLOUDHSM. The password of the kmsuser crypto user (CU) account configured in the specified CloudHSM cluster. This parameter does not change the password in the CloudHSM cluster; configure the credentials on the CloudHSM cluster separately.
trust_anchor_certificate | string | Required for custom key stores of type AWS_CLOUDHSM. The content of the CA certificate or self-signed certificate file created during CloudHSM cluster initialization.
xks_proxy_connectivity | string | Required for custom key stores of type EXTERNAL_KEY_STORE. Indicates how AWS KMS communicates with the CipherTrust Manager. Default value is PUBLIC_ENDPOINT. Valid options are VPC_ENDPOINT_SERVICE or PUBLIC_ENDPOINT.
xks_proxy_uri_endpoint | string | Required for custom key stores of type EXTERNAL_KEY_STORE. Specifies the protocol (always HTTPS) and DNS hostname to which KMS sends XKS API requests. The DNS hostname is either that of a load balancer directing to the CipherTrust Manager, or that of the CipherTrust Manager itself.
xks_proxy_uri_path | string | Required for custom key stores of type EXTERNAL_KEY_STORE. Indicates the base path to the CipherTrust Manager APIs for this external key store.
xks_proxy_vpc_endpoint_service_name | string | Indicates the VPC endpoint service name used by the custom key store. This field is required when xks_proxy_connectivity is VPC_ENDPOINT_SERVICE.
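The three tables above spread conditional requirements across the key store type, the connectivity type and the source key tier. The following Python validator is an added example (not part of CCKM's API or code) that checks a request body against those documented rules before it is sent, so a misconfigured create call fails locally with a readable reason instead of a 4xx from the server. The luna_example_body helper and its values are constructed from the page's example request; the check that xks_proxy_uri_endpoint is an https URL follows from the xks_proxy_uri_endpoint description (protocol always HTTPS).

```python
from urllib.parse import urlparse

# Key store types and option values from the AWS Parameters and Local Hosted Parameters tables.
EXTERNAL_KEY_STORE = "EXTERNAL_KEY_STORE"
AWS_CLOUDHSM = "AWS_CLOUDHSM"
CONNECTIVITY = ("PUBLIC_ENDPOINT", "VPC_ENDPOINT_SERVICE")
SOURCE_KEY_TIERS = ("local", "luna-hsm")


def validate_create_request(body: dict) -> list:
    """Return the documented rules that the request body violates (empty list = OK)."""
    problems = []
    for field in ("name", "kms", "region"):
        if not body.get(field):
            problems.append(f"{field} is required")
    aws = body.get("aws_param")
    if not isinstance(aws, dict):
        return problems + ["aws_param is required"]

    kind = aws.get("custom_key_store_type", EXTERNAL_KEY_STORE)
    if kind == AWS_CLOUDHSM:
        # CloudHSM-backed stores need the cluster, the kmsuser CU password and the trust anchor.
        for field in ("cloud_hsm_cluster_id", "key_store_password", "trust_anchor_certificate"):
            if not aws.get(field):
                problems.append(f"aws_param.{field} is required for {AWS_CLOUDHSM}")
        return problems
    if kind != EXTERNAL_KEY_STORE:
        return problems + [f"unknown custom_key_store_type {kind!r}"]

    # EXTERNAL_KEY_STORE: AWS-side connectivity rules.
    connectivity = aws.get("xks_proxy_connectivity", "PUBLIC_ENDPOINT")
    if connectivity not in CONNECTIVITY:
        problems.append(f"aws_param.xks_proxy_connectivity must be one of {CONNECTIVITY}")
    elif connectivity == "VPC_ENDPOINT_SERVICE" and not aws.get("xks_proxy_vpc_endpoint_service_name"):
        problems.append("aws_param.xks_proxy_vpc_endpoint_service_name is required "
                        "when xks_proxy_connectivity is VPC_ENDPOINT_SERVICE")
    if urlparse(str(aws.get("xks_proxy_uri_endpoint", ""))).scheme != "https":
        problems.append("aws_param.xks_proxy_uri_endpoint must be an https:// URL (KMS always uses HTTPS)")

    # EXTERNAL_KEY_STORE: locally hosted rules.
    local = body.get("local_hosted_params")
    if not isinstance(local, dict):
        return problems + ["local_hosted_params is required for EXTERNAL_KEY_STORE"]
    tier = local.get("source_key_tier", "luna-hsm")
    if tier not in SOURCE_KEY_TIERS:
        problems.append(f"local_hosted_params.source_key_tier must be one of {SOURCE_KEY_TIERS}")
    elif tier == "luna-hsm" and not local.get("partition_id"):
        problems.append("local_hosted_params.partition_id is required when source_key_tier is luna-hsm")
    if not local.get("health_check_key_id"):
        problems.append("local_hosted_params.health_check_key_id is required")
    try:
        max_credentials = int(str(local.get("max_credentials")))
    except ValueError:
        max_credentials = None
    if max_credentials is None or not 2 <= max_credentials <= 20:
        problems.append("local_hosted_params.max_credentials must be a number from 2 to 20")
    return problems


def luna_example_body() -> dict:
    """Constructed request body mirroring the page's Luna-backed example (fresh copy each call)."""
    return {
        "name": "custom_key_store_name",
        "kms": "aws_account_number",
        "region": "ap-south-1",
        "linked_state": False,
        "local_hosted_params": {
            "partition_id": "f707115b-ca27-4f75-b44a-9b6a68788dd5",
            "blocked": False,
            "health_check_key_id": "511e1344-ad9f-4ee6-9eb5-df94e3c4a17c",
            "max_credentials": 10,
        },
        "aws_param": {
            "xks_proxy_connectivity": "PUBLIC_ENDPOINT",
            "xks_proxy_uri_endpoint": "https://xks.example.com",
        },
    }


if __name__ == "__main__":
    body = luna_example_body()
    print("problems with the page's example:", validate_create_request(body))
    body["aws_param"]["xks_proxy_connectivity"] = "VPC_ENDPOINT_SERVICE"
    body["local_hosted_params"]["max_credentials"] = 25
    for problem in validate_create_request(body):
        print("-", problem)
```

Run the body through validate_create_request before handing it to curl or an HTTP client; an empty list means every documented conditional requirement for the chosen key store type is satisfied.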

Example Request

curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores' -X POST -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.<truncated>.eQk0b0pwJ67U5oHHWzPnCaJbJ3fJEBudo1Vb6E9Ag6M' -H 'accept: application/json' --data-binary $'{\n  "name": "custom_key_store_name",\n  "kms": "aws_account_number",\n  "region": "ap-south-1",\n  "linked_state": true,\n  "local_hosted_params": {\n    "partition_id": "f707115b-ca27-4f75-b44a-9b6a68788dd5",\n    "blocked": false,\n    "health_check_key_id": "511e1344-ad9f-4ee6-9eb5-df94e3c4a17c",\n    "max_credentials": 10\n  },\n  "aws_param": {\n    "xks_proxy_connectivity": "PUBLIC_ENDPOINT",\n    "xks_proxy_uri_endpoint": "https://xks.example.com"\n  }\n}' --compressed

Example Response

{
    "application/json": {
        "id": "a9e80f5a-9680-413d-8ec0-c901d3cb04b9",
        "uri": "kylo:kylo:cckm:aws_cks:a9e80f5a-9680-413d-8ec0-c901d3cb04b9",
        "account": "kylo:kylo:admin:accounts:kylo",
        "createdAt": "2022-01-10T03:09:21.716283215Z",
        "updatedAt": "2022-01-10T03:09:21.714446273Z",
        "name": "cks_name",
        "kms": "aws",
        "region": "ap-south-1",
        "type": "LOCAL",
        "credential_version": 1,
        "kms_id": "7f13c680-d050-4eb8-9ab9-ed6e76b730e9",
        "cloud_name": "aws",
        "version_count": 0,
        "aws_param": {
            "custom_key_store_name": "cks_name",
            "xks_proxy_uri_endpoint": "https://xks.example.com",
            "xks_proxy_connectivity": "PUBLIC_ENDPOINT",
            "xks_proxy_uri_path": "/api/v1/cckm/aws/xks-proxy-endpoints/8130b47d-a774-4739-8c71-94e733d6177c/kms/xks/v1",
            "custom_key_store_type": "EXTERNAL_KEY_STORE",
            "custom_key_store_id": "cks-6479457edc5fd993d",
            "connection_state": "DISCONNECTED"
        },
        "local_hosted_params": {
            "blocked": false,
            "policy": {
                "reserved": true
            },
            "linked_state": true,
            "partition_label": "cckm-1608012946",
            "partition_id": "8f6882be-eced-403a-a578-fe8393539b2d",
            "source_container_id": "8f6882be-eced-403a-a578-fe8393539b2d",
            "source_container_type": "hsm-luna",
            "health_check_key_id": "339e786b-c236-495c-925e-87bd8bde82ca",
            "health_check_ciphertext": "cf8iW1y5Ks/drIGZMxsgxJ5t27zOn4HAIEB/deQfFETe83RgMGOVCruEqGmXQEOXo338gZD/lRGtG8mYJzQuq+M=",
            "max_credentials": 10,
            "source_key_tier": "local",
            "mtls_enabled": false
        },
        "access_key_id": "K045XFG9DFXVOCAK5LH904",
        "secret_access_key": "08ddafe16d4f80c5b64eeacedde02258fd1cc210bd0cfd6df72d8516da1b4a4f"
    }
}

Response Codes

Response Code | Description
--- | ---
2xx | Success
4xx | Client errors
5xx | Server errors

Refer to HTTP status codes for details.

List Custom Key Stores

Use GET /v1/cckm/aws/custom-key-stores to return the list of external custom key stores.

Syntax

curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores?<query_parameters>' -H 'Authorization: Bearer AUTHTOKEN' -H 'accept: application/json' --compressed

Request Parameters

Parameter | Type | Description
--- | --- | ---
AUTHTOKEN | string | Authorization Token

Request Query Parameters

Parameter | Type | Description
--- | --- | ---
id | string | Filter the results by internal ID of the AWS custom key store.
name | string | Filter the results by AWS custom key store ID.
kms | string | Filter the results by KMS name or KMS ID.
region | string | Filter the results by region.
cloud_name | string | Filter the results by cloud name.
type | string | Filter the results by type: LOCAL, REMOTE, or CloudHSM. This is the key store's local hosted parameter value.
blocked | boolean | Filter the results by blocked or unblocked state.
linked_state | boolean | Filter the results by status of the link between CCKM and AWS KMS.
xks_proxy_connectivity | string | Filter the results by XKS proxy connectivity type: VPC_ENDPOINT_SERVICE or PUBLIC_ENDPOINT.
connection_state | string | Filter the results by key store connection state.
source_key_tier | string | Filter the results by source key tier: local or luna-hsm.
custom_key_store_type | string | Filter the results by type of custom key store: EXTERNAL_KEY_STORE or CLOUD_HSM.
skip | integer | The index of the first resource to return. Equivalent to 'offset' in SQL.
limit | integer | The maximum number of resources to return. Equivalent to 'limit' in SQL.
sort | string | The fields to sort results by. This should be a comma-delimited list of properties. Multiple properties result in a multi-column sort. Sort order is ascending by default. To sort a field in descending order, precede the field name with a minus sign ("-"). For example, name,-createdAt sorts the results first by name, ascending, then by createdAt, descending.

Example Request

curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores?skip=0&limit=10&sort=updatedAt' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.<truncated>.Y9ekMDlzrGczHuDkCi3qxZUTw_1uSzWTDQq-D7ILw2Y' -H 'accept: application/json' --compressed

Example Response

{
    "application/json": {
        "skip": 0,
        "limit": 10,
        "total": 2,
        "resources": [
            {
                "id": "033716fc-898d-48a4-b12f-a6f2dd0d718b",
                "uri": "kylo:kylo:cckm:aws_cks:033716fc-898d-48a4-b12f-a6f2dd0d718b",
                "account": "kylo:kylo:admin:accounts:kylo",
                "createdAt": "2022-01-10T03:05:18.788744Z",
                "updatedAt": "2022-01-10T03:05:18.786765Z",
                "name": "cks_name",
                "kms": "aws",
                "region": "ap-south-1",
                "locally_hosted": true,
                "kms_id": "custom_cks_id",
                "cloud_name": "aws",
                "aws_param": {
                    "custom_key_store_name": "cks_name2",
                    "xks_proxy_uri_path": "/api/v1/cckm/aws/xks-proxy-endpoints/8c706a48-0e1a-4756-83dd-e46c54b65fb1/kms/xks/v1"
                },
                "local_hosted_params": {
                    "partition_label": "123456_name",
                    "partition_id": "123456",
                    "blocked": false,
                    "policy": {
                        "reserved": false
                    },
                    "source_container_id": "123456",
                    "source_container_type": "container_type",
                    "linked_state": false,
                    "mtls_enabled": false
                }
            },
            {
                "id": "a9e80f5a-9680-413d-8ec0-c901d3cb04b9",
                "uri": "kylo:kylo:cckm:aws_cks:a9e80f5a-9680-413d-8ec0-c901d3cb04b9",
                "account": "kylo:kylo:admin:accounts:kylo",
                "createdAt": "2022-01-10T03:09:21.716283Z",
                "updatedAt": "2022-01-10T03:09:21.714446Z",
                "name": "cks_name",
                "kms": "aws",
                "region": "ap-south-1",
                "locally_hosted": true,
                "kms_id": "custom_cks_id",
                "cloud_name": "aws",
                "aws_param": {
                    "custom_key_store_name": "cks_name",
                    "xks_proxy_uri_path": "/api/v1/cckm/aws/xks-proxy-endpoints/7f33443d-4773-41bb-8eec-7e320d511b00/kms/xks/v1"
                },
                "local_hosted_params": {
                    "partition_label": "12345_name",
                    "partition_id": "12345",
                    "blocked": false,
                    "policy": {
                        "reserved": false
                    },
                    "source_container_id": "12345",
                    "source_container_type": "container_type",
                    "linked_state": false,
                    "mtls_enabled": false
                }
            }
        ]
    }
}

Response Codes

Response Code | Description
--- | ---
2xx | Success
4xx | Client errors
5xx | Server errors

Refer to HTTP status codes for details.

View Details of a Custom Key Store

Use GET /v1/cckm/aws/custom-key-stores/{id} to return the details for a custom key store with the given ID.

Syntax

curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/<key_store_id>' -H 'Authorization: Bearer AUTHTOKEN' -H 'accept: application/json' --compressed

Path Parameters

Parameter | Type | Description
--- | --- | ---
id | string | ID of the key store. This must be the UUID.

Request Parameters

Parameter | Type | Description
--- | --- | ---
AUTHTOKEN | string | Authorization Token

Example Request

curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/1234567' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.<truncated>.YvM-lsOWhniMIr8RiZG3HXMPnnBmA-DEt-JT47olgrs' -H 'accept: application/json' --compressed

Example Response

{
    "application/json": {
        "id": "a9e80f5a-9680-413d-8ec0-c901d3cb04b9",
        "uri": "kylo:kylo:cckm:aws_cks:a9e80f5a-9680-413d-8ec0-c901d3cb04b9",
        "account": "kylo:kylo:admin:accounts:kylo",
        "createdAt": "2022-01-10T03:09:21.716283Z",
        "updatedAt": "2022-01-10T03:09:21.714446Z",
        "name": "cks_name",
        "kms": "aws",
        "region": "ap-south-1",
        "locally_hosted": true,
        "kms_id": "custom_cks_id",
        "cloud_name": "aws",
        "aws_param": {
            "custom_key_store_name": "cks_name",
            "xks_proxy_uri_path": "/api/v1/cckm/aws/xks-proxy-endpoints/8c706a48-0e1a-4756-83dd-e46c54b65fb1/kms/xks/v1"
        },
        "local_hosted_params": {
            "partition_label": "12345_name",
            "partition_id": "12345",
            "blocked": false,
            "policy": {
                "reserved": false
            },
            "source_container_id": "12345",
            "source_container_type": "container_type",
            "linked_state": false,
            "mtls_enabled": false
        }
    }
}

Response Codes

Response Code | Description
--- | ---
2xx | Success
4xx | Client errors
5xx | Server errors

Refer to HTTP status codes for details.

Remove a Custom Key Store

Use DELETE /v1/cckm/aws/custom-key-stores/{id} to remove an AWS external custom key store from the CCKM.

Syntax

curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/<key_store_id>' -X DELETE -H 'Authorization: Bearer AUTHTOKEN' --compressed

Path Parameters

Parameter | Type | Description
--- | --- | ---
id | string | ID of the key store. This must be the UUID.

Request Parameters

Parameter | Type | Description
--- | --- | ---
AUTHTOKEN | string | Authorization Token

Example Request

curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/1234567/' -X DELETE -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI4Yzg4ZDY2Mi1mZDQ5LTQwM2QtOGFmMC0zYjljNGM0ZWNmNDMiLCJzdWIiOiJsb2NhbHxmYTEzYzU2Ny04NWQ4LTRiM2QtYWQ1OS1lNzMyOWZjMjNjOTQiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiN2NlNzAwZmItMDI5OC00Y2M4LWIxMWUtZTJhODg0OGVkNDg3Iiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6ImQzNDgzMTU4LWNlYjAtNGRiMi1hOGFhLTVmYTdkZGE4MzUzOCIsImlhdCI6MTY1MDU2NjI5NywiZXhwIjoxNjUwNTY2NTk3fQ.kabqQJ96FtrkRJGdJK1tkz-pXHGMxYBhUrO5vUl_b4w' -H 'accept: application/json' --compressed

Example Response

{
    "status": 204
}

Response Codes

Response Code | Description
--- | ---
2xx | Success
4xx | Client errors
5xx | Server errors

Refer to HTTP status codes for details.

Edit a Custom Key Store

Use PATCH /v1/cckm/aws/custom-key-stores/{id} to edit a custom key store on CCKM.

Syntax

curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/<key_store_id>' -X PATCH -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n  "name": "<new_name>",\n  "aws_param": {\n    "xks_proxy_uri_endpoint": "<new_xks_proxy_uri_endpoint>",\n    "xks_proxy_uri_path": "<new_xks_proxy_uri_path>",\n    "access_key_id": "<new_access_key_id>",\n    "secret_access_key": "<new_secret_access_key>"\n  },\n  "local_hosted_params": {\n    "health_check_key_id": "<new_health_check_key_id>"\n  },\n  "enable_success_audit_event": <true|false>\n}' --compressed

Path Parameters

Parameter | Type | Description
--- | --- | ---
id | string | ID of the key store. This must be the UUID.

Request Parameters

Parameter | Type | Description
--- | --- | ---
AUTHTOKEN | string | Authorization Token
name | string | New unique name for the custom key store.
local_hosted_params | JSON | Parameters for a locally hosted external custom key store on CCKM.
aws_param | JSON | Required. Parameters related to AWS interaction with the CKS.
enable_success_audit_event | boolean | Indicates whether audit recording of successful operations within an external key store is enabled or disabled. This field is optional. Default value is false.

Local Hosted Parameters

The local hosted parameters are applicable to EXTERNAL_KEY_STORE type.

Parameter | Type | Description
--- | --- | ---
health_check_key_id | string | ID of an existing Luna key (if source key tier is luna-hsm) or CipherTrust key (if source key tier is local) to use for the health check.
mtls_enabled | boolean | Whether the key store is enabled for the verification of a TLS client-side certificate, where the CipherTrust Manager authenticates the AWS KMS client. If not specified, this is set to false. Note: before enabling this feature, perform the prerequisite steps: download an AWS root CA certificate from Amazon's Trust Service site and then add an external CA from the CipherTrust Manager UI > CA menu. For more information, refer to the CipherTrust Manager documentation.

AWS Parameters

Parameter | Type | Description
--- | --- | ---
access_key_id | string | Access key ID for the XKS service hosted at xks_proxy_uri_endpoint. Applicable only to custom key stores of type EXTERNAL_KEY_STORE.
cloud_hsm_cluster_id | string | New CloudHSM cluster ID. Applicable only to custom key stores of type AWS_CLOUDHSM.
key_store_password | string | New password of the kmsuser CU (crypto user) account in the specified CloudHSM cluster. This parameter does not change the password in the CloudHSM cluster; configure the credentials on the CloudHSM cluster separately. Applicable only to custom key stores of type AWS_CLOUDHSM.
secret_access_key | string | Secret access key for the XKS service hosted at xks_proxy_uri_endpoint. Applicable only to custom key stores of type EXTERNAL_KEY_STORE.
xks_proxy_connectivity | string | Changes how AWS KMS communicates with the CipherTrust Manager. Applicable only to custom key stores of type EXTERNAL_KEY_STORE. Valid options are VPC_ENDPOINT_SERVICE or PUBLIC_ENDPOINT.
xks_proxy_uri_endpoint | string | New XKS proxy URI endpoint. Applicable only to custom key stores of type EXTERNAL_KEY_STORE.
xks_proxy_uri_path | string | New base path to the CipherTrust Manager APIs for this custom key store. Applicable only to custom key stores of type EXTERNAL_KEY_STORE.
xks_proxy_vpc_endpoint_service_name | string | Indicates the VPC endpoint service name used by the custom key store. This field is required when xks_proxy_connectivity is VPC_ENDPOINT_SERVICE.

Example Request

curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/1234567' -X PATCH -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.<truncated>.B0dIWaOLvEFexiTHmUGO0VUg4j77EeJgWUF1anc8B6M' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n  "name": "new_name_1234",\n  "aws_param": {\n    "xks_proxy_uri_endpoint": "https://xksproxy.mycompany.com",\n    "xks_proxy_uri_path": "/api/v1/cckm/aws/xks-proxy-endpoints/736d4b20-fe22-4139-b39f-622404dc725e/kms/xks/v1",\n    "access_key_id": "KYBZ5TKM7OUXZIWBAPVD",\n    "secret_access_key": "e49f198bb94ce8efea6b987ae1aac6885d98ab3087168f8106d6f8c784db2ff4"\n  },\n  "local_hosted_params": {\n    "health_check_key_id": "a9e80f5a-9680-413d-8ec0-c901d3cb04c0"\n  },\n  "enable_success_audit_event": true\n}' --compressed

Example Response

{
    "application/json": {
        "id": "a9e80f5a-9680-413d-8ec0-c901d3cb04b9",
        "uri": "kylo:kylo:cckm:aws_cks:a9e80f5a-9680-413d-8ec0-c901d3cb04b9",
        "account": "kylo:kylo:admin:accounts:kylo",
        "createdAt": "2022-01-10T03:09:21.716283Z",
        "updatedAt": "2022-01-10T03:09:21.714446Z",
        "name": "new_name_1234",
        "kms": "aws",
        "region": "ap-south-1",
        "type": "LOCAL",
        "credential_version": 1,
        "kms_id": "7f13c680-d050-4eb8-9ab9-ed6e76b730e9",
        "cloud_name": "aws",
        "version_count": 0,
        "aws_param": {
            "xks_proxy_connectivity": "PUBLIC_ENDPOINT",
            "connection_state": "DISCONNECTED",
            "custom_key_store_type": "EXTERNAL_KEY_STORE",
            "custom_key_store_id": "cks-6479457edc5fd993d",
            "xks_proxy_uri_endpoint": "https://xksproxy.mycompany.com",
            "xks_proxy_uri_path": "/api/v1/cckm/aws/xks-proxy-endpoints/736d4b20-fe22-4139-b39f-622404dc725e/kms/xks/v1"
        },
        "local_hosted_params": {
            "partition_label": "cckm-1608012946",
            "partition_id": "80d88390-78bd-40e2-bbac-b1782ed6e456",
            "blocked": false,
            "health_check_key_id": "a9e80f5a-9680-413d-8ec0-c901d3cb04c0",
            "policy": {
                "reserved": false
            },
            "source_container_id": "",
            "source_container_type": "",
            "source_key_tier": "hsm-luna",
            "linked_state": false,
            "max_credentials": 10,
            "mtls_enabled": false
        },
        "enable_success_audit_event": false
    }
}

Response Codes

Response Code | Description
2xx | Success
4xx | Client errors
5xx | Server errors

Refer to HTTP status codes for details.

Create a KMS key in a CloudHSM Custom Key Store

Use POST /v1/cckm/aws/custom-key-stores/{id}/create-aws-key to create a KMS key in a CloudHSM-backed custom key store.

Syntax

curl -k 'https://<ciphertrust_fqdn>/api/v1/cckm/aws/custom-key-stores/<key_store_id>/create-aws-key' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n  "aws_param": {\n    "Description": "<key_description>",\n    "Alias": "<Alias_for_the_key>",\n    "Tags": [\n      {\n        "TagKey": "<key_of_the_tag>",\n        "TagValue": "<value_of_the_tag>"\n      }\n    ]\n  },\n  "key_admins": [\n    "<IAM_user_to_admin_key>"\n  ],\n  "key_admins_roles": [\n    "<IAM_roles_to_admin_key>"\n  ],\n  "key_users": [\n    "<IAM_user_to_use_key>"\n  ],\n  "key_users_roles": [\n    "<IAM_roles_to_use_key>"\n  ],\n  "external_accounts": [\n    "<AWS_accounts_to_use_key>"\n  ]\n}' --compressed

Path Parameters

Parameter | Type | Description
id | string | ID of the key store. This must be the UUID.

Request Parameters

Parameter | Type | Description
AUTHTOKEN | string | Authorization Token
external_accounts | array | AWS accounts that can use this key. External accounts are mutually exclusive to policy and policy template. If no policy parameters are specified, the default policy is used.
key_admins | array | IAM users who can administer this key using the KMS API. Key admins are mutually exclusive to policy and policy template. If no policy parameters are specified, the default policy is used.
key_admins_roles | array | IAM roles that can administer this key using the KMS API. Key admin roles are mutually exclusive to policy and policy template. If no policy parameters are specified, the default policy is used.
key_users | array | IAM users who can use the KMS key in cryptographic operations. Key users are mutually exclusive to policy and policy template. If no policy parameters are specified, the default policy is used.
key_users_roles | array | IAM roles that can use the KMS key in cryptographic operations. Key user roles are mutually exclusive to policy and policy template. If no policy parameters are specified, the default policy is used.
policytemplate | string | ID of the policy template to apply. Policy template is mutually exclusive to all other policy parameters. If no policy parameters are specified, the default policy is used.
aws_param | JSON | Required. Parameters related to AWS interaction with the custom key store.

AWS Parameters

Parameter | Type | Description
Alias | string | Alias for the key. Required.
Description | string | Description of the key.
Policy | JSON | Key policy to attach to the KMS key. Policy is mutually exclusive to all other policy parameters. If no policy parameters are specified, the default policy is used.
Tags | array | Optional tags. Each tag is a key-value pair with the following fields:
TagKey | string | Key of the tag.
TagValue | string | Value corresponding to the key of the tag.

Example Request

curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/1234567/create-aws-key' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiIwNjcxNGU4OC03NGE1LTQwNmMtYThmYS1lZWE2N2Q1NjBjYWEiLCJzdWIiOiJsb2NhbHwyNDMwNDRhZi1jZGNlLTQ0NmYtODU2Ni1mYmRlYjk2MWVmZTQiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJkb21haW5fbmFtZSI6InJvb3QiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiODgzZTFiYTMtNjcxZi00MDQxLTgwZDAtZDdkMjI0ZTliYmE2Iiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjllZDFkOTg5LWZlY2MtNDAzZC1hNDcxLTRlNzY2ZWEzYzBjNyIsImlhdCI6MTY2MTY0MjA2MCwiZXhwIjoxNjYxNjQyMzYwfQ.B0dIWaOLvEFexiTHmUGO0VUg4j77EeJgWUF1anc8B6M' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n  "aws_param": {\n    "Description": "Test CloudHSM key ",\n    "Alias": "cloudhsmkey13",\n    "Tags": [\n      {\n        "TagKey": "tag3",\n        "TagValue": "value3"\n      }\n    ]\n  },\n  "key_admins": [\n    "john.doe"\n  ],\n  "key_admins_roles": [\n    "aws-service-role/elasticfilesystem.amazonaws.com/AWSServiceRoleForAmazonElasticFileSystem"\n  ],\n  "key_users": [\n    "richard-roe"\n  ],\n  "key_users_roles": [\n    "aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport"\n  ]\n}' --compressed

Example Response

{
    "application/json": {
        "id": "0016ea0c-8f37-44ac-ac8f-3b5396130a19",
        "uri": "kylo:kylo-81539629-e4b5-4d77-933f-30174a27dc20:cckm:aws-key:0016ea0c-8f37-44ac-ac8f-3b5396130a19",
        "account": "kylo:kylo-81539629-e4b5-4d77-933f-30174a27dc20:admin:accounts:kylo-81539629-e4b5-4d77-933f-30174a27dc20",
        "application": "ncryptify:gemalto:admin:apps:kylo",
        "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
        "createdAt": "2022-08-09T23:05:48.03608398Z",
        "updatedAt": "2022-08-09T23:05:48.033508896Z",
        "kms_id": "7262dee3-e0dc-4a0c-91c5-40395dd8f92e",
        "kms": "aws_acc_atf",
        "synced_at": "2022-08-09T23:05:48.027918202Z",
        "rotation_status": "",
        "cloud_name": "aws",
        "key_users": [
            "arn:aws:iam::556782317223:user/richard-roe"
        ],
        "key_users_roles": [
            "arn:aws:iam::556782317223:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport"
        ],
        "key_admins": [
            "arn:aws:iam::556782317223:user/john.doe"
        ],
        "key_admins_roles": [
            "arn:aws:iam::556782317223:role/aws-service-role/elasticfilesystem.amazonaws.com/AWSServiceRoleForAmazonElasticFileSystem"
        ],
        "key_type": "symmetric",
        "basic_view_enabled": true,
        "region": "eu-west-1",
        "gone": false,
        "blocked": false,
        "linked_state": true,
        "key_material_origin": "CloudHSM",
        "key_source": "CloudHSM",
        "custom_key_store_id": "1421d123-5cfc-4291-bc3f-4232362a8ee4",
        "custom_key_store_name": "test-eu-cloudhsm-2",
        "aws_param": {
            "AWSAccountId": "556782317223",
            "Arn": "arn:aws:kms:eu-west-1:556782359223:key/0c0389d3-d327-4689-b8f9-0f966f83424c",
            "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
            "Description": "Test CloudHSM key ",
            "Enabled": true,
            "EncryptionAlgorithms": [
                "SYMMETRIC_DEFAULT"
            ],
            "KeyID": "0c0389d3-d327-4689-b8f9-0f966f83424c",
            "KeyManager": "CUSTOMER",
            "KeyState": "Enabled",
            "KeyUsage": "ENCRYPT_DECRYPT",
            "Origin": "AWS_CLOUDHSM",
            "CreationDate": "2022-08-09T23:05:47.448Z",
            "Policy": {
                "Version": "2012-10-17",
                "Id": "key-consolepolicy-3",
                "Statement": [
                    {
                        "Sid": "Enable IAM User Permissions",
                        "Effect": "Allow",
                        "Principal": {
                            "AWS": "arn:aws:iam::556782359223:root"
                        },
                        "Action": "kms:*",
                        "Resource": "*"
                    },
                    {
                        "Sid": "Allow access for Key Administrators",
                        "Effect": "Allow",
                        "Principal": {
                            "AWS": [
                                "arn:aws:iam::556782359223:role/aws-service-role/elasticfilesystem.amazonaws.com/AWSServiceRoleForAmazonElasticFileSystem",
                                "arn:aws:iam::556782359223:user/john.doe"
                            ]
                        },
                        "Action": [
                            "kms:Create*",
                            "kms:Describe*",
                            "kms:Enable*",
                            "kms:List*",
                            "kms:Put*",
                            "kms:Update*",
                            "kms:Revoke*",
                            "kms:Disable*",
                            "kms:Get*",
                            "kms:Delete*",
                            "kms:TagResource",
                            "kms:UntagResource",
                            "kms:ScheduleKeyDeletion",
                            "kms:CancelKeyDeletion"
                        ],
                        "Resource": "*"
                    },
                    {
                        "Sid": "Allow use of the key",
                        "Effect": "Allow",
                        "Principal": {
                            "AWS": [
                                "arn:aws:iam::556782359223:user/richard-roe",
                                "arn:aws:iam::556782359223:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport"
                            ]
                        },
                        "Action": [
                            "kms:Encrypt",
                            "kms:Decrypt",
                            "kms:ReEncrypt*",
                            "kms:GenerateDataKey*",
                            "kms:DescribeKey"
                        ],
                        "Resource": "*"
                    },
                    {
                        "Sid": "Allow attachment of persistent resources",
                        "Effect": "Allow",
                        "Principal": {
                            "AWS": [
                                "arn:aws:iam::556782359223:user/richard-roe",
                                "arn:aws:iam::556782359223:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport"
                            ]
                        },
                        "Action": [
                            "kms:CreateGrant",
                            "kms:ListGrants",
                            "kms:RevokeGrant"
                        ],
                        "Resource": "*",
                        "Condition": {
                            "Bool": {
                                "kms:GrantIsForAWSResource": "true"
                            }
                        }
                    }
                ]
            },
            "Alias": [
                "alias/cloudhsmkey13"
            ],
            "Tags": [
                {
                    "TagKey": "tag3",
                    "TagValue": "value3"
                }
            ],
            "KeyRotationEnabled": false,
            "CustomKeyStoreId": "cks-ea58c749fdb248c96"
        }
    }
}
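The request parameters above carry several mutual-exclusion rules (Policy, policytemplate and the key_admins/key_users/external_accounts lists), and the response returns the key policy AWS actually attached. The following Python is an added example, not Thales' code or SDK: `build_create_key_request` assembles the request body while enforcing those rules, and `audit_key_policy` compares every Allow statement in the returned policy with the principals CCKM reports for the key, so a key whose policy grants more than was requested is flagged before it goes into service. Function names are hypothetical, and `SAMPLE_KEY` is a constructed record shaped like the example response with a placeholder account ID.

```python
import json

# Added example, not part of CCKM or its SDK: builds a create-aws-key request body that
# respects the mutual-exclusion rules in the parameter tables, then audits the key policy
# that comes back so an over-broad policy is caught before the key goes into service.

PRINCIPAL_LISTS = ("key_admins", "key_admins_roles", "key_users",
                   "key_users_roles", "external_accounts")


def build_create_key_request(alias, description="", tags=None, policy=None,
                             policytemplate=None, **principal_lists):
    """Return the JSON body for POST .../custom-key-stores/{id}/create-aws-key.

    At most one of these may be used: an inline Policy, a policytemplate ID, or the
    key_admins/key_users/external_accounts lists. With none, CCKM applies its default policy.
    """
    if not alias:
        raise ValueError("aws_param.Alias is required")
    unknown = set(principal_lists) - set(PRINCIPAL_LISTS)
    if unknown:
        raise ValueError(f"unknown parameters: {sorted(unknown)}")
    lists = {name: list(vals) for name, vals in principal_lists.items() if vals}
    policy_sources = sum([bool(policy), bool(policytemplate), bool(lists)])
    if policy_sources > 1:
        raise ValueError("Policy, policytemplate and the principal lists are mutually exclusive")

    aws_param = {"Alias": alias}
    if description:
        aws_param["Description"] = description
    if tags:
        aws_param["Tags"] = [{"TagKey": k, "TagValue": v} for k, v in tags.items()]
    if policy:
        aws_param["Policy"] = policy
    body = {"aws_param": aws_param}
    if policytemplate:
        body["policytemplate"] = policytemplate
    body.update(lists)
    return body


def allowed_principals(policy):
    """Map each Allow statement's Sid to the set of AWS principals it names."""
    out = {}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            arns = {"*"}
        else:
            aws = principal.get("AWS", [])
            arns = {aws} if isinstance(aws, str) else set(aws)
        out[stmt.get("Sid", "<no Sid>")] = arns
    return out


def audit_key_policy(key, account_id):
    """Compare the attached policy with the principals CCKM reports for the key.

    Returns a list of findings; an empty list means every Allow statement names only the
    requested admins/users, the owning account root, or the roots of external_accounts.
    """
    expected = set()
    for name in PRINCIPAL_LISTS[:-1]:
        expected.update(key.get(name, []))
    expected.add(f"arn:aws:iam::{account_id}:root")
    expected.update(f"arn:aws:iam::{acct}:root" for acct in key.get("external_accounts", []))

    findings = []
    for sid, arns in allowed_principals(key["aws_param"]["Policy"]).items():
        for arn in sorted(arns):
            if arn == "*":
                findings.append(f"{sid}: wildcard principal")
            elif arn not in expected:
                findings.append(f"{sid}: unexpected principal {arn}")
    return findings


# Constructed sample shaped like the create-aws-key response; the account ID is a placeholder.
SAMPLE_KEY = {
    "key_admins": ["arn:aws:iam::123456789012:user/john.doe"],
    "key_admins_roles": [],
    "key_users": ["arn:aws:iam::123456789012:user/richard-roe"],
    "key_users_roles": [],
    "aws_param": {"Policy": {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "Allow access for Key Administrators", "Effect": "Allow",
             "Principal": {"AWS": ["arn:aws:iam::123456789012:user/john.doe"]},
             "Action": ["kms:Create*", "kms:Describe*"], "Resource": "*"},
            {"Sid": "Allow use of the key", "Effect": "Allow",
             "Principal": {"AWS": ["arn:aws:iam::123456789012:user/richard-roe",
                                   "arn:aws:iam::123456789012:user/not-requested"]},
             "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"},
        ],
    }},
}

if __name__ == "__main__":
    body = build_create_key_request("cloudhsmkey13", description="Test CloudHSM key",
                                    tags={"tag3": "value3"}, key_admins=["john.doe"],
                                    key_users=["richard-roe"])
    print(json.dumps(body, indent=2))
    for finding in audit_key_policy(SAMPLE_KEY, "123456789012"):
        print("FINDING:", finding)
```

Running the audit on a real response is a cheap post-creation check: the page's example shows that key admins receive kms:Create*, kms:Put*, kms:Delete* and ScheduleKeyDeletion, so any principal in that statement beyond the intended administrators deserves a second look.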

Response Codes

Response Code | Description
2xx | Success
4xx | Client errors
5xx | Server errors

Refer to HTTP status codes for details.

Block Access to External Custom Key Store

Use POST /v1/cckm/aws/custom-key-stores/{id}/block to disallow AWS KMS from performing encrypt, decrypt, and health requests on an external custom key store.

Syntax

curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/<key_store_id>/block' -X POST -H 'Authorization: Bearer AUTHTOKEN' -H 'accept: application/json' --compressed

Path Parameters

Parameter | Type | Description
id | string | ID of the key store. This must be the UUID.

Request Parameters

Parameter | Type | Description
AUTHTOKEN | string | Authorization Token

Example Request

curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/1234567/block' -X POST -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI4Yzg4ZDY2Mi1mZDQ5LTQwM2QtOGFmMC0zYjljNGM0ZWNmNDMiLCJzdWIiOiJsb2NhbHxmYTEzYzU2Ny04NWQ4LTRiM2QtYWQ1OS1lNzMyOWZjMjNjOTQiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiN2NlNzAwZmItMDI5OC00Y2M4LWIxMWUtZTJhODg0OGVkNDg3Iiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6ImQwODA5ZjkyLTUwZjMtNGZmYi04YzdhLTNjYmJhMWVjNjBjYiIsImlhdCI6MTY1MDU2Njg2MSwiZXhwIjoxNjUwNTY3MTYxfQ.ktaPfZkjiWILr5mB4saH8yA653l4LXzOFbdfJ-Gfqws' -H 'accept: application/json' --compressed

Example Response

{
    "application/json": {
        "id": "a9e80f5a-9680-413d-8ec0-c901d3cb04b9",
        "uri": "kylo:kylo:cckm:aws_cks:a9e80f5a-9680-413d-8ec0-c901d3cb04b9",
        "account": "kylo:kylo:admin:accounts:kylo",
        "createdAt": "2022-01-10T03:09:21.716283Z",
        "updatedAt": "2022-01-10T03:09:21.714446Z",
        "name": "cks_name",
        "kms": "aws",
        "region": "ap-south-1",
        "locally_hosted": true,
        "kms_id": "custom_cks_id",
        "cloud_name": "aws",
        "aws_param": {
            "custom_key_store_name": "cks_name"
        },
        "local_hosted_params": {
            "partition_label": "12345_name",
            "partition_id": "12345",
            "blocked": true,
            "policy": {
                "reserved": false
            },
            "source_container_id": "12345",
            "source_container_type": "container_type",
            "linked_state": false
        }
    }
}

Response Codes

Response Code | Description
2xx | Success
4xx | Client errors
5xx | Server errors

Refer to HTTP status codes for details.

Unblock Access to External Custom Key Store

Use POST /v1/cckm/aws/custom-key-stores/{id}/unblock to restore the ability of AWS KMS to perform encrypt, decrypt, and health requests on an external custom key store.

Syntax

curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/<key_store_id>/unblock' -X POST -H 'Authorization: Bearer AUTHTOKEN' -H 'accept: application/json' --compressed

Path Parameters

Parameter | Type | Description
id | string | ID of the key store. This must be the UUID.

Request Parameters

Parameter | Type | Description
AUTHTOKEN | string | Authorization Token

Example Request

curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/1234567/unblock' -X POST -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI4Yzg4ZDY2Mi1mZDQ5LTQwM2QtOGFmMC0zYjljNGM0ZWNmNDMiLCJzdWIiOiJsb2NhbHxmYTEzYzU2Ny04NWQ4LTRiM2QtYWQ1OS1lNzMyOWZjMjNjOTQiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiN2NlNzAwZmItMDI5OC00Y2M4LWIxMWUtZTJhODg0OGVkNDg3Iiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6ImQwODA5ZjkyLTUwZjMtNGZmYi04YzdhLTNjYmJhMWVjNjBjYiIsImlhdCI6MTY1MDU2Njg2MSwiZXhwIjoxNjUwNTY3MTYxfQ.ktaPfZkjiWILr5mB4saH8yA653l4LXzOFbdfJ-Gfqws' -H 'accept: application/json' --compressed

Example Response

{
    "application/json": {
        "id": "a9e80f5a-9680-413d-8ec0-c901d3cb04b9",
        "uri": "kylo:kylo:cckm:aws_cks:a9e80f5a-9680-413d-8ec0-c901d3cb04b9",
        "account": "kylo:kylo:admin:accounts:kylo",
        "createdAt": "2022-01-10T03:09:21.716283Z",
        "updatedAt": "2022-01-10T03:09:21.714446Z",
        "name": "cks_name",
        "kms": "aws",
        "region": "ap-south-1",
        "locally_hosted": true,
        "kms_id": "custom_cks_id",
        "cloud_name": "aws",
        "aws_param": {
            "custom_key_store_name": "cks_name"
        },
        "local_hosted_params": {
            "partition_label": "12345_name",
            "partition_id": "12345",
            "blocked": true,
            "policy": {
                "reserved": false
            },
            "source_container_id": "12345",
            "source_container_type": "container_type",
            "linked_state": false
        }
    }
}

Response Codes

Response Code | Description
2xx | Success
4xx | Client errors
5xx | Server errors

Refer to HTTP status codes for details.

Connect a Custom Key Store

Use POST /v1/cckm/aws/custom-key-stores/{id}/connect to connect the AWS custom key store using the AWS KMS API.

Syntax

curl -k 'https://<ciphertrust_fqdn>/api/v1/cckm/aws/custom-key-stores/<key_store_id>/connect' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n  "key_store_password": "<key_store_password>"\n}' --compressed

Path Parameters

Parameter | Type | Description
id | string | ID of the key store. This must be the UUID.

Request Parameters

Parameter | Type | Description
AUTHTOKEN | string | Authorization Token
key_store_password | string | Password of the kmsuser crypto user (CU) account configured in the specified CloudHSM cluster. This parameter does not change the password in the CloudHSM cluster; the credentials must be configured on the CloudHSM cluster separately. Required for custom key stores of type AWS_CLOUDHSM. Omit for external key stores.

Example Request

curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/123567/connect' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n  "key_store_password": "myPassword"\n}' --compressed

Example Response

{
    "application/json": {
        "id": "7527884a-6f73-4d4b-8078-64e35640629c",
        "uri": "kylo:kylo-6d18dd9a-9302-4605-b19e-2d67eb0956eb:cckm:aws_cks:7527884a-6f73-4d4b-8078-64e35640629c",
        "account": "kylo:kylo-6d18dd9a-9302-4605-b19e-2d67eb0956eb:admin:accounts:kylo-6d18dd9a-9302-4605-b19e-2d67eb0956eb",
        "createdAt": "2022-07-27T21:12:48.903987Z",
        "updatedAt": "2022-07-27T21:12:49.75161Z",
        "name": "cks_1",
        "kms": "aws",
        "region": "us-east-1",
        "type": "LOCAL",
        "credential_version": 1,
        "kms_id": "8aa11278-2547-4a63-b0dd-1e1464e6433c",
        "cloud_name": "aws",
        "version_count": 0,
        "aws_param": {
            "custom_key_store_name": "cks_1",
            "xks_proxy_uri_endpoint": "https://demo-xksproxy.test.com",
            "xks_proxy_uri_path": "/api/v1/cckm/aws/xks-proxy-endpoints/7527884a-6f73-4d4b-8078-64e35640629c/kms/xks/v1",
            "custom_key_store_type": "EXTERNAL_KEY_STORE",
            "custom_key_store_id": "cks-8a87408fb819ddb94",
            "xks_proxy_connectivity": "PUBLIC_ENDPOINT",
            "connection_state": "CONNECTED"
        },
        "local_hosted_params": {
            "blocked": false,
            "policy": {
                "reserved": false
            },
            "source_container_id": "f152b503-5f01-4735-b1ac-49c3a9734fa7",
            "source_container_type": "hsm-luna",
            "linked_state": true,
            "partition_label": "aws_cm_vpc_par1",
            "partition_id": "f152b503-5f01-4735-b1ac-49c3a9734fa7",
            "health_check_key_id": "615c1278-cfa4-4f85-8b0a-848dae3cafa2",
            "health_check_ciphertext": "UYKUHavXloi8gKcRVFEc5SCLkUS8taf8EjqliRb3xSGUIMz4X2kRv9Qd7yog84IaYDF/SJ6EvMFjxGTCmQcCBFU=",
            "max_credentials": 5
        }
    }
}

Response Codes

Response Code | Description
2xx | Success
4xx | Client errors
5xx | Server errors

Refer to HTTP status codes for details.

Disconnect a Custom Key Store

Use POST /v1/cckm/aws/custom-key-stores/{id}/disconnect to disconnect the AWS custom key store using the AWS KMS API.

Syntax

curl -k 'https://<ciphertrust_fqdn>/api/v1/cckm/aws/custom-key-stores/<key_store_id>/disconnect' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --compressed

Path Parameters

Parameter | Type | Description
id | string | ID of the key store. This must be the UUID.

Request Parameters

Parameter | Type | Description
AUTHTOKEN | string | Authorization Token

Example Request

curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/123567/disconnect' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --compressed

Example Response

{
    "application/json": {
        "id": "7527884a-6f73-4d4b-8078-64e35640629c",
        "uri": "kylo:kylo-6d18dd9a-9302-4605-b19e-2d67eb0956eb:cckm:aws_cks:7527884a-6f73-4d4b-8078-64e35640629c",
        "account": "kylo:kylo-6d18dd9a-9302-4605-b19e-2d67eb0956eb:admin:accounts:kylo-6d18dd9a-9302-4605-b19e-2d67eb0956eb",
        "createdAt": "2022-07-27T21:12:48.903987Z",
        "updatedAt": "2022-07-27T21:12:49.75161Z",
        "name": "cks_1",
        "kms": "aws",
        "region": "us-east-1",
        "type": "LOCAL",
        "credential_version": 1,
        "kms_id": "8aa11278-2547-4a63-b0dd-1e1464e6433c",
        "cloud_name": "aws",
        "version_count": 0,
        "aws_param": {
            "custom_key_store_name": "cks_1",
            "xks_proxy_uri_endpoint": "https://demo-xksproxy.test.com",
            "xks_proxy_uri_path": "/api/v1/cckm/aws/xks-proxy-endpoints/7527884a-6f73-4d4b-8078-64e35640629c/kms/xks/v1",
            "custom_key_store_type": "EXTERNAL_KEY_STORE",
            "custom_key_store_id": "cks-8a87408fb819ddb94",
            "xks_proxy_connectivity": "PUBLIC_ENDPOINT",
            "connection_state": "DISCONNECTED"
        },
        "local_hosted_params": {
            "blocked": false,
            "policy": {
                "reserved": false
            },
            "source_container_id": "f152b503-5f01-4735-b1ac-49c3a9734fa7",
            "source_container_type": "hsm-luna",
            "linked_state": true,
            "partition_label": "aws_cm_vpc_par1",
            "partition_id": "f152b503-5f01-4735-b1ac-49c3a9734fa7",
            "health_check_key_id": "615c1278-cfa4-4f85-8b0a-848dae3cafa2",
            "health_check_ciphertext": "UYKUHavXloi8gKcRVFEc5SCLkUS8taf8EjqliRb3xSGUIMz4X2kRv9Qd7yog84IaYDF/SJ6EvMFjxGTCmQcCBFU=",
            "max_credentials": 5
        }
    }
}

Response Codes

Response Code | Description
2xx | Success
4xx | Client errors
5xx | Server errors

Refer to HTTP status codes for details.
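The block, unblock, connect and disconnect operations above all follow the same pattern: a POST to the key store's sub-resource, answered with the updated key store record. The Python below is an added example, not Thales' code or SDK, of a small client that drives those four calls and checks the state that comes back, so a request CCKM accepted but did not act on is not mistaken for success. It enforces the key_store_password rule from the Connect section (required for AWS_CLOUDHSM, omitted for EXTERNAL_KEY_STORE), treats block as the kill switch it is, and takes an injectable transport; `demo_send` is a constructed stand-in that answers like the example responses, and the base URL, token and class name are placeholders.

```python
import json
from urllib import request as urllib_request, error as urllib_error

# Added example, not Thales' code: a client for the connect, disconnect, block and unblock
# operations documented above. The transport is injectable so the flow can be exercised
# offline; the default transport uses urllib with TLS verification left on (unlike curl -k).


class CustomKeyStoreClient:
    def __init__(self, base_url, token, send=None):
        self.base_url = base_url.rstrip("/")
        self.token = token
        self.send = send or self._http_send  # send(method, url, body) -> (status, json)

    def _http_send(self, method, url, body):
        data = json.dumps(body).encode() if body is not None else None
        headers = {"Authorization": f"Bearer {self.token}", "accept": "application/json"}
        if data:
            headers["Content-Type"] = "application/json"
        req = urllib_request.Request(url, data=data, method=method, headers=headers)
        try:
            with urllib_request.urlopen(req) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except urllib_error.HTTPError as err:
            return err.code, {}

    def _post(self, store_id, action, body=None):
        url = f"{self.base_url}/api/v1/cckm/aws/custom-key-stores/{store_id}/{action}"
        status, payload = self.send("POST", url, body)
        if status // 100 != 2:
            raise RuntimeError(f"{action} on {store_id} failed with HTTP {status}")
        # The docs render the body under an "application/json" key; accept both shapes.
        return payload.get("application/json", payload)

    def connect(self, store_id, store_type, key_store_password=None):
        """key_store_password is required for AWS_CLOUDHSM and must be omitted for
        EXTERNAL_KEY_STORE; CCKM forwards it to AWS KMS and never changes it in CloudHSM."""
        if store_type == "AWS_CLOUDHSM" and not key_store_password:
            raise ValueError("key_store_password is required for AWS_CLOUDHSM key stores")
        if store_type == "EXTERNAL_KEY_STORE" and key_store_password:
            raise ValueError("key_store_password must be omitted for EXTERNAL_KEY_STORE")
        body = {"key_store_password": key_store_password} if key_store_password else None
        return self._post(store_id, "connect", body)["aws_param"]["connection_state"]

    def disconnect(self, store_id):
        return self._post(store_id, "disconnect")["aws_param"]["connection_state"]

    def set_blocked(self, store_id, blocked):
        """Block (kill switch) or unblock AWS KMS access to an external key store and
        confirm the returned state, so a silently ignored request does not go unnoticed."""
        ks = self._post(store_id, "block" if blocked else "unblock")
        actual = ks["local_hosted_params"]["blocked"]
        if actual != blocked:
            raise RuntimeError(f"{store_id}: requested blocked={blocked} but CCKM reports {actual}")
        return actual


def demo_send(method, url, body):
    """Constructed stand-in for CCKM that answers like the example responses above."""
    action = url.rsplit("/", 1)[1]
    state = {"connect": "CONNECTED", "disconnect": "DISCONNECTED"}.get(action, "CONNECTED")
    return 200, {"aws_param": {"connection_state": state},
                 "local_hosted_params": {"blocked": action == "block"}}


if __name__ == "__main__":
    client = CustomKeyStoreClient("https://ciphertrust.mycompany.com", "AUTHTOKEN", send=demo_send)
    print(client.connect("ks-uuid-placeholder", "EXTERNAL_KEY_STORE"))   # CONNECTED
    print(client.set_blocked("ks-uuid-placeholder", True))                # True
```

Blocking stops AWS KMS from encrypting, decrypting or health-checking against the store, so anything that depends on the key stops with it; the check in `set_blocked` is there because an operator invoking a kill switch needs a positive confirmation, not just a 2xx.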

Link External Custom Key Store with AWS KMS

Use POST /v1/cckm/aws/custom-key-stores/{id}/link to link a local custom key store with its AWS custom key store. Applicable only to external custom key stores.

Syntax

curl -k 'https://<ciphertrust_fqdn>/api/v1/cckm/aws/custom-key-stores/<key_store_id>/link' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n  "aws_param": {\n    "xks_proxy_uri_endpoint": "<xks_proxy_endpoint>",\n    "xks_proxy_vpc_endpoint_service_name": "<vpc_endpoint_service_name>"\n  }\n}' --compressed

Path Parameters

Parameter | Type | Description
id | string | ID of the key store. This must be the UUID.

Request Parameters

Parameter | Type | Description
AUTHTOKEN | string | Authorization Token
aws_param | JSON | Parameters related to AWS interaction with the custom key store.

AWS Parameters

Parameter | Type | Description
xks_proxy_uri_endpoint | string | Required. URL endpoint used by the custom key store.
xks_proxy_vpc_endpoint_service_name | string | VPC endpoint service name used by the custom key store. Required when the custom key store's xks_proxy_connectivity is VPC_ENDPOINT_SERVICE.

Example Request

curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/123456/link' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n  "aws_param": {\n    "xks_proxy_uri_endpoint": "https://xks.example.com",\n    "xks_proxy_vpc_endpoint_service_name": "com.amazonaws.vpce.us-east-1.vpce-svc-03d5ed"\n  }\n}' --compressed

Example Response

{
    "application/json": {
        "id": "a9e80f5a-9680-413d-8ec0-c901d3cb04b9",
        "uri": "kylo:kylo:cckm:aws_cks:a9e80f5a-9680-413d-8ec0-c901d3cb04b9",
        "account": "kylo:kylo:admin:accounts:kylo",
        "createdAt": "2022-01-10T03:09:21.716283Z",
        "updatedAt": "2022-01-10T03:09:21.714446Z",
        "name": "cks_name_1",
        "kms": "aws",
        "region": "ap-south-1",
        "type": "LOCAL",
        "credential_version": 1,
        "kms_id": "7f13c680-d050-4eb8-9ab9-ed6e76b730e9",
        "cloud_name": "aws",
        "version_count": 0,
        "aws_param": {
            "custom_key_store_name": "cks_name_1",
            "xks_proxy_uri_endpoint": "https://dev3-xksproxy.thalescpl.io",
            "xks_proxy_vpc_endpoint_service_name": "com.amazonaws.vpce.us-east-1.vpce-svc-03d5ed",
            "xks_proxy_uri_path": "/api/v1/cckm/aws/xks-proxy-endpoints/35164f70-2308-4a02-b2ee-436c478beaa1/kms/xks/v1",
            "custom_key_store_type": "EXTERNAL_KEY_STORE",
            "custom_key_store_id": "cks-007ee1e9c09e6690e",
            "xks_proxy_connectivity": "VPC_ENDPOINT_SERVICE",
            "connection_state": "CONNECTED"
        },
        "local_hosted_params": {
            "partition_label": "cckm-1608012946",
            "partition_id": "80d88390-78bd-40e2-bbac-b1782ed6e456",
            "health_check_key_id": "511e1344-ad9f-4ee6-9eb5-df94e3c4a17c",
            "health_check_ciphertext": "Dp5Dn3azWYBt5AZaIEqEiEdD53GH0XRMzXoYgRlPEX1Ooq+HjcTp8jTA3H67uNYY4WWPSIMGQfH5CaNqMufSZ5Q=",
            "blocked": true,
            "policy": {
                "reserved": false
            },
            "source_container_id": "80d88390-78bd-40e2-bbac-b1782ed6e456",
            "source_container_type": "hsm-luna",
            "linked_state": true,
            "max_credentials": 10
        }
    }
}

Response Codes

Response Code | Description
2xx | Success
4xx | Client errors
5xx | Server errors

Refer to HTTP status codes for details.

Check Health Status of External Custom Key Store

Use POST /v1/cckm/aws/custom-key-stores/{keystore_id}/health to validate whether a custom key store that uses a Luna HSM or a CipherTrust Manager as its key source is available, working, and ready to handle requests. On successful validation, this API returns HTTP status 200 (OK) and no message body.

This API does not require authentication.

This API is rate limited: each CipherTrust Manager node processes up to two requests per second per key store. CCKM returns an error message if the rate of requests exceeds this limit.

Syntax

curl -k 'https://<ciphertrust_fqdn>/api/v1/cckm/aws/custom-key-stores/<key_store_id>/health' -H 'accept: application/json' --compressed

Path Parameters

Parameter | Type | Description
id | string | ID of the key store. This must be the UUID.

Example Request

curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/e58070c2-d359-484d-a42d-93e6cda8a906/health' -H 'accept: application/json' --compressed
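Because the health endpoint is unauthenticated and rate limited to two requests per second per key store, a monitoring loop that polls several stores from one host can trip the limit and read CCKM's error as an outage. The Python below is an added example, not Thales' code: a probe that keeps a per-key-store sliding window and sleeps before it would exceed the documented limit, and that treats only an HTTP 200 as healthy. `HealthProbe` and `ManualClock` are hypothetical names; the clock and transport are injectable so the throttling can be demonstrated offline with a constructed clock.

```python
import time
from collections import defaultdict, deque
from urllib import request as urllib_request, error as urllib_error

# Added example, not CCKM's code: a health probe for monitoring loops that honours the
# documented limit of two requests per second per key store (per node). It keeps a
# per-key-store sliding window and sleeps instead of tripping CCKM's rate limiter.

HEALTH_RATE_LIMIT = 2      # requests per second per key store, from this section
WINDOW_SECONDS = 1.0


class HealthProbe:
    def __init__(self, base_url, send=None, clock=time.monotonic, sleep=time.sleep):
        self.base_url = base_url.rstrip("/")
        self.send = send or self._http_send   # send(url) -> HTTP status code
        self.clock, self.sleep = clock, sleep
        self._recent = defaultdict(deque)     # store_id -> send times within the window

    @staticmethod
    def _http_send(url):
        # No Authorization header: the health endpoint is unauthenticated. 200 with an
        # empty body means the key store is reachable and ready.
        req = urllib_request.Request(url, headers={"accept": "application/json"})
        try:
            with urllib_request.urlopen(req) as resp:
                return resp.status
        except urllib_error.HTTPError as err:
            return err.code

    def _throttle(self, store_id):
        window = self._recent[store_id]
        now = self.clock()
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()
        if len(window) >= HEALTH_RATE_LIMIT:
            # wait until the oldest request in the window has aged out
            self.sleep(WINDOW_SECONDS - (now - window[0]))
            window.popleft()
        window.append(self.clock())

    def check(self, store_id):
        """Return True when CCKM reports the key store healthy (HTTP 200)."""
        self._throttle(store_id)
        url = f"{self.base_url}/api/v1/cckm/aws/custom-key-stores/{store_id}/health"
        return self.send(url) == 200


class ManualClock:
    """Deterministic clock for the offline demo: sleep() just advances time."""
    def __init__(self):
        self.now, self.slept = 0.0, []

    def time(self):
        return self.now

    def sleep(self, seconds):
        self.slept.append(seconds)
        self.now += seconds


if __name__ == "__main__":
    clock = ManualClock()
    probe = HealthProbe("https://ciphertrust.mycompany.com", send=lambda url: 200,
                        clock=clock.time, sleep=clock.sleep)
    results = [probe.check("ks-uuid-placeholder") for _ in range(5)]
    print(results, "sleeps:", clock.slept)   # five healthy checks, throttled twice
```

The limit is per CipherTrust Manager node, so a probe that fans out across nodes behind a load balancer still needs the per-store budget to be shared, not multiplied; the window here is per store, which is the conservative reading.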

Response Codes

Response Code | Description
2xx | Success
4xx | Client errors
5xx | Server errors

Refer to HTTP status codes for details.

Synchronize Custom Key Stores

Use POST /v1/cckm/aws/custom-key-stores/synchronization-jobs to synchronize custom key stores on CCKM with the corresponding key stores on AWS KMS.

Syntax

curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/synchronization-jobs' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n  "kms": [],\n  "synchronize_all": false,\n  "regions": []\n}' --compressed

Request Parameters

Parameter | Type | Description
AUTHTOKEN | string | Authorization Token
kms | array | Names or IDs of the KMS resources from which AWS custom key stores are synchronized. synchronize_all is mutually exclusive with kms and regions: specify either synchronize_all or kms (optionally with regions).
regions | array | Regions from which AWS custom key stores are synchronized. If not specified, custom key stores from all regions are synchronized. Mutually exclusive with synchronize_all.
synchronize_all | boolean | Set to true to synchronize all custom key stores from all KMS resources and regions. Mutually exclusive with kms and regions.

Example Request

curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/synchronization-jobs' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n  "kms": [],\n  "synchronize_all": false,\n  "regions": []\n}' --compressed

Example Response

{
    "application/json": {
        "id": "84980655-f1df-40e1-a2ec-736ac77a7889",
        "uri": "kylo:kylo:cckm:synchronize:84980655-f1df-40e1-a2ec-736ac77a7889",
        "account": "kylo:kylo:admin:accounts:kylo",
        "application": "ncryptify:gemalto:admin:apps:kylo",
        "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
        "createdAt": "2020-08-06T09:40:04.915495495Z",
        "updatedAt": "2020-08-06T09:40:04.918785299Z",
        "overall_status": "in progress",
        "cloud": "aws",
        "kms": [
            "de0b5a77-918a-453e-8675-604133a8984e"
        ],
        "abort": false
    }
}

Response Codes

Response Code | Description
2xx | Success
4xx | Client errors
5xx | Server errors

Refer to HTTP status codes for details.

List the Status of all Synchronization Jobs

Use GET /v1/cckm/aws/custom-key-stores/synchronization-jobs to list synchronization jobs and their current status. The results can be filtered using the query parameters.

Syntax

curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/synchronization-jobs?<query_parameters>' -H 'Authorization: Bearer AUTHTOKEN' -H 'accept: application/json' --compressed

Request Parameters

Parameter | Type | Description
AUTHTOKEN | string | Authorization Token

Query Parameters

Parameter | Type | Description
id | string | Filter the results by the internal ID of the synchronization job.
overall_status | string | Filter the results by overall synchronization status. Possible values are in_progress, completed, and failed.
kms | string | Filter the results by KMS.
skip | integer | The index of the first resource to return. Equivalent to 'offset' in SQL.
limit | integer | The maximum number of resources to return. Equivalent to 'limit' in SQL.
sort | string | The fields to sort results by, as a comma-delimited list of properties. Multiple properties result in a multi-column sort. Sort order is ascending by default; to sort a field in descending order, precede the field name with a minus sign ("-"). For example, name,-createdAt sorts the results first by name ascending, then by createdAt descending.

Example Request

curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/synchronization-jobs?skip=0&limit=10' -H 'Authorization: Bearer AUTHTOKEN' -H 'accept: application/json' --compressed

Example Response

{
    "application/json": {
        "skip": 0,
        "limit": 10,
        "total": 2,
        "resources": [
            {
                "id": "84980655-f1df-40e1-a2ec-736ac77a7889",
                "uri": "kylo:kylo:cckm:synchronize:84980655-f1df-40e1-a2ec-736ac77a7889",
                "account": "kylo:kylo:admin:accounts:kylo",
                "application": "ncryptify:gemalto:admin:apps:kylo",
                "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
                "createdAt": "2020-08-06T09:40:04.915495Z",
                "updatedAt": "2020-08-06T09:40:33.308945Z",
                "overall_status": "in progress",
                "detailed_status": {
                    "123456789012/ap-south-1": "region synchronized successfully",
                    "123456789012/eu-north-1": "region synchronized successfully",
                    "123456789012/eu-west-2": "region synchronized successfully",
                    "123456789012/eu-west-3": "region synchronized successfully"
                },
                "cloud": "aws",
                "kms": [
                    "de0b5a77-918a-453e-8675-604133a8984e"
                ],
                "abort": false
            }
        ]
    }
}

Response Codes

Response Code | Description
--- | ---
2xx | Success
4xx | Client errors
5xx | Server errors

Refer to HTTP status codes for details.

View Details of a Synchronization Job

Use GET /v1/cckm/aws/custom-key-stores/synchronization-jobs/{id} to return the details of the synchronization job with the given ID.

Syntax

curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/synchronization-jobs/<synchronization_job_id>' -H 'Authorization: Bearer AUTHTOKEN' --compressed

Path Parameter

Parameter | Type | Description
--- | --- | ---
id | string | ID of the synchronization job. This must be the UUID.

Example Request

curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/synchronization-jobs/12345' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.UHefabPmsuh-wW5-cI5GcB3jplpiAn1G6sEXXAVKIlo' -H 'accept: application/json' --compressed

Example Response

{
    "application/json": {
        "id": "84980655-f1df-40e1-a2ec-736ac77a7889",
        "uri": "kylo:kylo:cckm:synchronize:84980655-f1df-40e1-a2ec-736ac77a7889",
        "account": "kylo:kylo:admin:accounts:kylo",
        "application": "ncryptify:gemalto:admin:apps:kylo",
        "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
        "createdAt": "2020-08-06T09:40:04.915495Z",
        "updatedAt": "2020-08-06T09:43:31.731954Z",
        "overall_status": "in progress",
        "detailed_status": {
            "123456789012/ap-northeast-1": "region synchronized successfully",
            "123456789012/ap-northeast-2": "region synchronized successfully",
            "123456789012/ap-south-1": "region synchronized successfully",
            "123456789012/ap-southeast-1": "region synchronized successfully",
            "123456789012/ap-southeast-2": "region synchronized successfully",
            "123456789012/ca-central-1": "region synchronized successfully",
            "123456789012/eu-west-2": "region synchronized successfully",
            "123456789012/eu-west-3": "region synchronized successfully",
            "123456789012/sa-east-1": "region synchronized successfully",
            "123456789012/us-east-1": "in progress"
        },
        "cloud": "aws",
        "kms": [
            "de0b5a77-918a-453e-8675-604133a8984e"
        ],
        "abort": false
    }
}

Response Codes

Response Code | Description
--- | ---
2xx | Success
4xx | Client errors
5xx | Server errors

Refer to HTTP status codes for details.

Cancel a Synchronization Job

Use POST /v1/cckm/aws/custom-key-stores/synchronization-jobs/{id}/cancel to cancel a synchronization job.

Syntax

curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/synchronization-jobs/<synchronization_job_id>/cancel' -X POST -H 'Authorization: Bearer AUTHTOKEN' -H 'accept: application/json' --compressed

Path Parameter

Parameter | Type | Description
--- | --- | ---
id | string | ID of the synchronization job. This must be the UUID.

Example Request

curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/synchronization-jobs/123456/cancel' -X POST -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.JIyXwfLs_sHVZHry1u2KRPo5pF5079q9S7U-5hOTanA' -H 'accept: application/json' --compressed

Example Response

{
    "application/json": {
        "id": "e8f2e77d-95e8-46f6-891f-37469da3bf57",
        "uri": "kylo:kylo:cckm:synchronize:e8f2e77d-95e8-46f6-891f-37469da3bf57",
        "account": "kylo:kylo:admin:accounts:kylo",
        "application": "ncryptify:gemalto:admin:apps:kylo",
        "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
        "createdAt": "2020-08-06T09:46:06.534541Z",
        "updatedAt": "2020-08-06T09:46:25.768957301Z",
        "overall_status": "in progress",
        "detailed_status": {
            "123456789012/eu-north-1": "in progress"
        },
        "cloud": "aws",
        "kms": [
            "de0b5a77-918a-453e-8675-604133a8984e"
        ],
        "abort": true
    }
}

Response Codes

Response Code | Description
--- | ---
2xx | Success
4xx | Client errors
5xx | Server errors

Refer to HTTP status codes for details.
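The list, view and cancel calls above are normally combined into one monitoring loop. The Python below is an added example, not code from the Thales documentation or product: it polls a synchronization job, reduces its per-region detailed_status to a short summary, and cancels the job if it runs past a deadline. Endpoint paths and field names (overall_status, detailed_status, abort) are the ones documented above; the make_requester helper, its arguments, and the abridged sample documents are assumptions of this example.

```python
import json
import ssl
import time
import urllib.request
from typing import Callable, Dict, Optional

SYNC_JOBS = "/api/v1/cckm/aws/custom-key-stores/synchronization-jobs"
# Terminal overall_status values, per the query-parameter table above.
TERMINAL = {"completed", "failed"}
Requester = Callable[..., dict]


def make_requester(base_url: str, token: str, ca_file: Optional[str] = None) -> Requester:
    """Build request(method, path, body=None) -> dict for one CipherTrust node.

    TLS verification stays on (unlike the `curl -k` examples on this page);
    point ca_file at the appliance CA bundle instead of disabling it.
    """
    ctx = ssl.create_default_context(cafile=ca_file)

    def request(method: str, path: str, body: Optional[dict] = None) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url.rstrip("/") + path, data=data, method=method)
        req.add_header("Authorization", "Bearer " + token)
        req.add_header("Accept", "application/json")
        if data is not None:
            req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req, context=ctx) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}

    return request


def unwrap(body: dict) -> dict:
    """The reference shows bodies nested under an "application/json" key; the
    live API returns the object itself. Accept either form."""
    return body.get("application/json", body)


def summarize_job(job: dict) -> Dict[str, object]:
    """Reduce a synchronization-job document to what an operator acts on."""
    doc = unwrap(job)
    detailed = doc.get("detailed_status", {})
    pending = sorted(k for k, v in detailed.items() if v == "in progress")
    # Only the two per-region messages shown on this page are known; anything
    # else is surfaced for review rather than silently counted as done.
    review = sorted(k for k, v in detailed.items()
                    if v not in ("in progress", "region synchronized successfully"))
    return {
        "id": doc.get("id"),
        "overall_status": doc.get("overall_status"),
        "abort_requested": bool(doc.get("abort", False)),
        "regions_done": len(detailed) - len(pending) - len(review),
        "regions_pending": pending,
        "regions_for_review": review,
    }


def wait_for_sync(request: Requester, job_id: str, timeout_s: float, poll_s: float = 5.0,
                  clock: Callable[[], float] = time.monotonic,
                  sleep: Callable[[float], None] = time.sleep) -> Dict[str, object]:
    """Poll GET .../synchronization-jobs/{id}; POST .../cancel once timeout_s elapses.

    clock and sleep are injectable so the loop can be driven without real delays.
    """
    deadline = clock() + timeout_s
    while True:
        summary = summarize_job(request("GET", f"{SYNC_JOBS}/{job_id}"))
        if summary["overall_status"] in TERMINAL:
            summary["cancelled"] = False
            return summary
        if clock() >= deadline:
            summary = summarize_job(request("POST", f"{SYNC_JOBS}/{job_id}/cancel"))
            summary["cancelled"] = True
            return summary
        sleep(poll_s)


# Sample documents, abridged from the example responses on this page.
SAMPLE_JOB_IN_PROGRESS = {"application/json": {
    "id": "84980655-f1df-40e1-a2ec-736ac77a7889",
    "overall_status": "in progress",
    "detailed_status": {
        "123456789012/ap-south-1": "region synchronized successfully",
        "123456789012/eu-west-2": "region synchronized successfully",
        "123456789012/eu-west-3": "region synchronized successfully",
        "123456789012/us-east-1": "in progress",
    },
    "kms": ["de0b5a77-918a-453e-8675-604133a8984e"],
    "abort": False,
}}
SAMPLE_JOB_CANCELLED = {"application/json": {
    "id": "e8f2e77d-95e8-46f6-891f-37469da3bf57",
    "overall_status": "in progress",
    "detailed_status": {"123456789012/eu-north-1": "in progress"},
    "kms": ["de0b5a77-918a-453e-8675-604133a8984e"],
    "abort": True,
}}
```

Against a live node, call `wait_for_sync(make_requester("https://ciphertrust.example", token, "ca.pem"), job_id, timeout_s=600)`; the cancel response still reports `overall_status` "in progress" with `abort` true, so treat the `cancelled` flag, not the status string, as the outcome.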

Create Credential for an External Custom Key Store

Use POST /v1/cckm/aws/custom-key-stores/{id}/credentials to create a credential for the external custom key store. You must upload the returned access_key_id and secret_access_key to the corresponding key store in AWS KMS.

Syntax

curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/<key_store_id>/credentials' -X POST -H 'Authorization: Bearer AUTHTOKEN' -H 'accept: application/json' --compressed

Path Parameters

Parameter | Type | Description
--- | --- | ---
id | string | ID of the key store. This must be the UUID.

Request Parameters

Parameter | Type | Description
--- | --- | ---
AUTHTOKEN | string | Authorization Token

Example Request

curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/1234567/credentials' -X POST -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.agZ3vPoi624xVX61BLaZpbBAGRZN4PHEXJYRXR-oETY' -H 'accept: application/json' --compressed

Example Response

{
    "application/json": {
        "id": "4b7dcd7e-47a9-4234-8905-e1b7eb850fd5",
        "uri": "kylo:kylo:cckm:aws_cks_credentials:4b7dcd7e-47a9-4234-8905-e1b7eb850fd5",
        "account": "kylo:kylo:admin:accounts:kylo",
        "createdAt": "2021-12-23T16:25:49.463282986Z",
        "updatedAt": "2021-12-23T16:25:49.460296196Z",
        "custom_key_store_id": "40d4d382-97ca-4974-86e3-631ccd9ff364",
        "version": 1,
        "access_key_id": "generated_access_id",
        "cloud_name": "aws"
    }
}

Response Codes

Response Code | Description
--- | ---
2xx | Success
4xx | Client errors
5xx | Server errors

Refer to HTTP status codes for details.

List Credentials for an External Custom Key Store

Use GET /v1/cckm/aws/custom-key-stores/{id}/credentials to list the credentials associated with a specified external custom key store.

Syntax

curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/<key_store_id>/credentials?<query_parameters>' -H 'Authorization: Bearer AUTHTOKEN' -H 'accept: application/json' --compressed

Path Parameters

Parameter | Type | Description
--- | --- | ---
id | string | ID of the key store. This must be the UUID.

Request Parameters

Parameter | Type | Description
--- | --- | ---
AUTHTOKEN | string | Authorization Token

Request Query Parameters

Parameter | Type | Description
--- | --- | ---
access_key_id | string | Filter the results by access key ID.
skip | integer | The index of the first resource to return. Equivalent to 'offset' in SQL.
limit | integer | The max number of resources to return. Equivalent to 'limit' in SQL.
sort | string | The fields to sort results by. This should be a comma-delimited list of properties. Multiple properties will result in a multi-column sort. Sort order is ascending by default. To have a descending sort for a field, precede the field name with a minus sign ("-"). For example: name,-createdAt will sort the results first by name, ascending, then by createdAt, descending.

Example Request

curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/1234567/credentials?skip=0&limit=10&sort=updatedAt' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.Y9ekMDlzrGczHuDkCi3qxZUTw_1uSzWTDQq-D7ILw2Y' -H 'accept: application/json' --compressed

Example Response

{
    "application/json": {
        "skip": 0,
        "limit": 10,
        "total": 1,
        "resources": [
            {
                "id": "4b7dcd7e-47a9-4234-8905-e1b7eb850fd5",
                "uri": "kylo:kylo:cckm:aws_cks_credentials:4b7dcd7e-47a9-4234-8905-e1b7eb850fd5",
                "account": "kylo:kylo:admin:accounts:kylo",
                "createdAt": "2021-12-23T16:25:49.463283Z",
                "updatedAt": "2021-12-23T16:25:49.460296Z",
                "custom_key_store_id": "40d4d382-97ca-4974-86e3-631ccd9ff364",
                "access_key_id": "generated_access_id",
                "secret_access_key_id": "id_of_generated_secret_key",
                "cloud_name": "aws"
            }
        ]
    }
}

Response Codes

Response Code | Description
--- | ---
2xx | Success
4xx | Client errors
5xx | Server errors

Refer to HTTP status codes for details.

View Details of a Credential for an External Custom Key Store

Use GET /v1/cckm/aws/custom-key-stores/{customKeyStoreID}/credentials/{id} to view details of a given credential for a given external custom key store.

Syntax

curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/<key_store_id>/credentials/<credential_id>' -H 'Authorization: Bearer AUTHTOKEN' --compressed

Path Parameters

Parameter | Type | Description
--- | --- | ---
customKeyStoreID | string | ID of the key store. This must be the UUID.
id | string | ID of the credential.

Request Parameters

Parameter | Type | Description
--- | --- | ---
AUTHTOKEN | string | Authorization Token

Example Request

curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/1234567/credentials/123456' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI4Yzg4ZDY2Mi1mZDQ5LTQwM2QtOGFmMC0zYjljNGM0ZWNmNDMiLCJzdWIiOiJsb2NhbHxmYTEzYzU2Ny04NWQ4LTRiM2QtYWQ1OS1lNzMyOWZjMjNjOTQiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiOWI5YjM3YTItNWMxMy00ZmZmLWJlNzQtMThjOTI0NDc1YTFiIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6ImI5NWI3OWY1LWVhMDAtNGQxOS05YWQ3LWQyODJiMjhiYTU2OCIsImlhdCI6MTY1MTA5MTYxOCwiZXhwIjoxNjUxMDkxOTE4fQ.IuQUd-4Lhu3BvnccvBJq873yCdwL6Y7YQv8_s8VzdwY' -H 'accept: application/json' --compressed

Example Response

{
    "application/json": {
        "id": "4b7dcd7e-47a9-4234-8905-e1b7eb850fd5",
        "uri": "kylo:kylo:cckm:aws_cks_credentials:4b7dcd7e-47a9-4234-8905-e1b7eb850fd5",
        "account": "kylo:kylo:admin:accounts:kylo",
        "createdAt": "2021-12-23T16:25:49.463283Z",
        "updatedAt": "2021-12-23T16:25:49.460296Z",
        "custom_key_store_id": "40d4d382-97ca-4974-86e3-631ccd9ff364",
        "version": 1,
        "access_key_id": "generated_access_id",
        "cloud_name": "aws"
    }
}

Response Codes

Response Code | Description
--- | ---
2xx | Success
4xx | Client errors
5xx | Server errors

Refer to HTTP status codes for details.

Delete a Credential for an External Custom Key Store

Use DELETE /v1/cckm/aws/custom-key-stores/{customKeyStoreID}/credentials/{id} to delete a given credential for a given external custom key store.

Syntax

curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/<key_store_id>/credentials/<credential_id>' -X DELETE -H 'Authorization: Bearer AUTHTOKEN' --compressed

Path Parameters

Parameter | Type | Description
--- | --- | ---
customKeyStoreID | string | ID of the key store. This must be the UUID.
id | string | ID of the credential.

Request Parameters

Parameter | Type | Description
--- | --- | ---
AUTHTOKEN | string | Authorization Token

Example Request

curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/1234567/credentials/123456' -X DELETE -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.9KlwSpuGOZ-CThV4qUGAmoM09c-Xf324PNGdmTPxzNo' -H 'accept: application/json' --compressed

Example Response

{
    "status": 204
}

Response Codes

Response Code | Description
--- | ---
2xx | Success
4xx | Client errors
5xx | Server errors

Refer to HTTP status codes for details.

Rotate Credential for an External Custom Key Store

Use POST /v1/cckm/aws/custom-key-stores/{id}/rotate-credential to rotate the credential for the specified external custom key store. This API is only applicable for a custom key store of type EXTERNAL_KEY_STORE. For a linked key store, the rotated (new) credential is updated in AWS KMS. All credentials (new and old) associated with the key store continue to work until they are deleted.

Syntax

curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/<key_store_id>/rotate-credential' -X POST -H 'Authorization: Bearer AUTHTOKEN' -H 'accept: application/json' --compressed

Path Parameter

Parameter | Type | Description
--- | --- | ---
id | string | ID of the key store. This must be the UUID.

Request Parameters

Parameter | Type | Description
--- | --- | ---
AUTHTOKEN | string | Authorization Token

Example Request

curl -k 'https://ciphertrust.my.company.com/api/v1/cckm/aws/custom-key-stores/1234567/rotate-credential' -X POST -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.mjJp45ySM1W1Xy6ZhILdQO5uXQ9UT0Xo9J5yc-9Ej0o' -H 'accept: application/json' --compressed

Example Response

{
    "application/json": {
        "id": "7527884a-6f73-4d4b-8078-64e35640629c",
        "uri": "kylo:kylo-6d18dd9a-9302-4605-b19e-2d67eb0956eb:cckm:aws_cks:7527884a-6f73-4d4b-8078-64e35640629c",
        "account": "kylo:kylo-6d18dd9a-9302-4605-b19e-2d67eb0956eb:admin:accounts:kylo-6d18dd9a-9302-4605-b19e-2d67eb0956eb",
        "createdAt": "2022-07-27T21:12:48.903987Z",
        "updatedAt": "2022-07-27T21:12:49.75161Z",
        "name": "cks_1",
        "kms": "aws_acc",
        "region": "us-east-1",
        "type": "LOCAL",
        "credential_version": 1,
        "kms_id": "8aa11278-2547-4a63-b0dd-1e1464e6433c",
        "cloud_name": "aws",
        "version_count": 0,
        "aws_param": {
            "custom_key_store_name": "cks_1",
            "xks_proxy_uri_endpoint": "https://demo-xksproxy.test.com",
            "xks_proxy_uri_path": "/api/v1/cckm/aws/xks-proxy-endpoints/7527884a-6f73-4d4b-8078-64e35640629c/kms/xks/v1",
            "custom_key_store_type": "EXTERNAL_KEY_STORE",
            "custom_key_store_id": "cks-8a87408fb819ddb94",
            "xks_proxy_connectivity": "PUBLIC_ENDPOINT",
            "connection_state": "DISCONNECTED"
        },
        "local_hosted_params": {
            "blocked": false,
            "policy": {
                "reserved": false
            },
            "source_container_id": "f152b503-5f01-4735-b1ac-49c3a9734fa7",
            "source_container_type": "hsm-luna",
            "linked_state": true,
            "partition_label": "aws_cm_vpc_par1",
            "partition_id": "f152b503-5f01-4735-b1ac-49c3a9734fa7",
            "health_check_key_id": "615c1278-cfa4-4f85-8b0a-848dae3cafa2",
            "health_check_ciphertext": "UYKUHavXloi8gKcRVFEc5SCLkUS8taf8EjqliRb3xSGUIMz4X2kRv9Qd7yog84IaYDF/SJ6EvMFjxGTCmQcCBFU=",
            "max_credentials": 5
        },
        "access_key_id": "52EKEOV2JFCCNVSYRIV2",
        "secret_access_key": "dc00ea89acd936f72409483623bb9f463662ec699d4cb34b01f20ef8ee1218fa",
        "credential_count": 2,
        "oldest_credentials_id": "8ceeb249-47cb-4f9a-bdaf-bd5de59c3174"
    }
}

Response Codes

Response Code | Description
--- | ---
2xx | Success
4xx | Client errors
5xx | Server errors

Refer to HTTP status codes for details.
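Because rotation leaves every older credential valid until it is explicitly deleted, the create, list, delete and rotate calls above are normally chained: rotate, then prune everything but the newest few. The Python below is an added example, not Thales or CipherTrust code. It assumes a caller-supplied request(method, path, body=None) callable that performs the authenticated HTTPS call and returns the decoded JSON body (an empty dict for a 204); endpoint paths and response fields (credential_count, oldest_credentials_id, max_credentials, linked_state, access_key_id, secret_access_key, createdAt) come from this page, while SAMPLE_CREDENTIALS is a constructed list.

```python
from typing import Callable, Dict, List

CKS = "/api/v1/cckm/aws/custom-key-stores"
Requester = Callable[..., dict]  # request(method, path, body=None) -> decoded JSON


def unwrap(body: dict) -> dict:
    """The reference shows bodies nested under an "application/json" key; the
    live API returns the object itself. Accept either form."""
    return body.get("application/json", body)


def list_credentials(request: Requester, key_store_id: str, page_size: int = 10) -> List[dict]:
    """Walk GET .../credentials with skip/limit until `total` is exhausted."""
    items: List[dict] = []
    skip = 0
    while True:
        page = unwrap(request(
            "GET", f"{CKS}/{key_store_id}/credentials?skip={skip}&limit={page_size}&sort=createdAt"))
        resources = page.get("resources", [])
        items.extend(resources)
        skip += page_size
        if not resources or skip >= page.get("total", 0):
            break
    return items


def rotate_and_prune(request: Requester, key_store_id: str, keep: int = 2,
                     page_size: int = 10) -> Dict[str, object]:
    """POST rotate-credential, then DELETE the oldest credentials beyond `keep`.

    Rotation alone retires nothing: the page states that old credentials keep
    working until deleted, so the prune step is what actually narrows access.
    """
    rotated = unwrap(request("POST", f"{CKS}/{key_store_id}/rotate-credential"))
    new_key_id = rotated["access_key_id"]
    creds = sorted(list_credentials(request, key_store_id, page_size), key=lambda c: c["createdAt"])
    deleted: List[str] = []
    for cred in creds[:max(0, len(creds) - keep)]:
        if cred.get("access_key_id") == new_key_id:
            continue  # never retire the credential that was just issued
        request("DELETE", f"{CKS}/{key_store_id}/credentials/{cred['id']}")
        deleted.append(cred["id"])
    local = rotated.get("local_hosted_params", {})
    return {
        # The secret is returned once; for an unlinked store the caller must
        # upload it to AWS KMS. Hand it over, do not log it.
        "new_credential": {"access_key_id": new_key_id,
                           "secret_access_key": rotated["secret_access_key"]},
        "linked": local.get("linked_state"),        # True: AWS KMS already updated
        "reported_count": rotated.get("credential_count"),
        "max_credentials": local.get("max_credentials"),
        "deleted": deleted,
        "remaining": len(creds) - len(deleted),
    }


# Rotate response abridged from the example on this page.
SAMPLE_ROTATE_RESPONSE = {"application/json": {
    "id": "7527884a-6f73-4d4b-8078-64e35640629c",
    "name": "cks_1",
    "aws_param": {"custom_key_store_type": "EXTERNAL_KEY_STORE"},
    "local_hosted_params": {"linked_state": True, "max_credentials": 5},
    "access_key_id": "52EKEOV2JFCCNVSYRIV2",
    "secret_access_key": "dc00ea89acd936f72409483623bb9f463662ec699d4cb34b01f20ef8ee1218fa",
    "credential_count": 2,
    "oldest_credentials_id": "8ceeb249-47cb-4f9a-bdaf-bd5de59c3174",
}}
# Constructed credential list; the older entry reuses the oldest_credentials_id above.
SAMPLE_CREDENTIALS = [
    {"id": "8ceeb249-47cb-4f9a-bdaf-bd5de59c3174", "access_key_id": "OLDKEYID0000EXAMPLE",
     "createdAt": "2022-01-10T09:00:00Z"},
    {"id": "0c1d2e3f-0000-4000-8000-000000000001", "access_key_id": "52EKEOV2JFCCNVSYRIV2",
     "createdAt": "2022-07-27T21:12:49Z"},
]
```

Check `linked` before relying on the automatic AWS KMS update: when it is false, the new credential has to be uploaded to the AWS KMS key store by hand before the old ones are pruned.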

Enable Auto Rotation of Credential for an External Custom Key Store

Use POST /v1/cckm/aws/custom-key-stores/{id}/enable-credential-rotation-job to enable auto rotation of the credential for the specified external custom key store using the associated scheduler ID. This API is only applicable for a custom key store of type EXTERNAL_KEY_STORE. The key store must also be in a linked state, which allows the auto-rotated (new) credentials to be updated in AWS KMS. All credentials (new and old) associated with the key store continue to work until they are deleted.

Syntax

curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/<key_store_id>/enable-credential-rotation-job' -X POST -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n  "job_config_id": "ID of scheduler job"\n}' --compressed

Path Parameter

Parameter | Type | Description
--- | --- | ---
key_store_id | string | ID of the key store. This must be the UUID.

Request Parameters

Parameter | Type | Description
--- | --- | ---
AUTHTOKEN | string | Authorization Token
job_config_id | string | ID of the scheduler job that will perform the credentials rotation.

Example Request

curl -k 'https://aws-xks-test.thalescpl.io/api/v1/cckm/aws/custom-key-stores/b5b7d549-b3d8-40e4-bfaa-58bebab31438/enable-credential-rotation-job' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.xtMLcGf__9cM0d2EAPYaBOcGDIQIvrRuEt-QevwPAbM' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n  "job_config_id": "ff29eeec-82bf-4e15-81bb-ef7c43099203"\n}' --compressed

Example Response

{
    "application/json": {
        "id": "b5b7d549-b3d8-40e4-bfaa-58bebab31438",
        "uri": "kylo:kylo:cckm:aws_cks:b5b7d549-b3d8-40e4-bfaa-58bebab31438",
        "account": "kylo:kylo:admin:accounts:kylo",
        "createdAt": "2023-05-10T18:49:58.08837Z",
        "labels": {
            "job_config_id": "ff29eeec-82bf-4e15-81bb-ef7c43099203"
        },
        "updatedAt": "2023-05-10T18:51:14.346451Z",
        "name": "test_keystore_2",
        "kms": "AWS_KMS",
        "region": "eu-west-3",
        "type": "LOCAL",
        "credential_version": 1,
        "kms_id": "118844e7-2e53-43ed-b53e-567118a324e4",
        "cloud_name": "aws",
        "version_count": 0,
        "aws_param": {
            "custom_key_store_name": "test_keystore_2",
            "xks_proxy_uri_endpoint": "https://aws-xks-test.thalescpl.io",
            "xks_proxy_uri_path": "/api/v1/cckm/aws/xks-proxy-endpoints/b5b7d549-b3d8-40e4-bfaa-58bebab31438/kms/xks/v1",
            "custom_key_store_type": "EXTERNAL_KEY_STORE",
            "custom_key_store_id": "cks-193035a77a8239d6a",
            "xks_proxy_connectivity": "PUBLIC_ENDPOINT",
            "connection_state": "DISCONNECTED"
        },
        "local_hosted_params": {
            "blocked": false,
            "policy": {
                "reserved": true
            },
            "source_container_type": "local",
            "linked_state": true,
            "health_check_key_id": "f1da90038f16465aa64345394864776543229c19156b405083724b1945ed3fcb",
            "health_check_ciphertext": "fe6ad170985d3486dbb4946e159534433b19327c8f5d1859246ec84dafc366e0c6d6a59b9c4a252ad9c12480532928d259b29897b03ba3bf0331cef6a59e7b634e32bafe0c170e07",
            "max_credentials": 20,
            "source_key_tier": "local",
            "mtls_enabled": false
        },
        "gone": false,
        "enable_success_audit_event": true
    }
}

The sample output shows that auto rotation has been enabled for the custom key store with ID b5b7d549-b3d8-40e4-bfaa-58bebab31438, using the scheduler job with ID ff29eeec-82bf-4e15-81bb-ef7c43099203. Note that the labels object with its job_config_id parameter is included in the output; its presence indicates that auto rotation of the credential is enabled.

Response Codes

Response Code | Description
--- | ---
2xx | Success
4xx | Client errors
5xx | Server errors

Refer to HTTP status codes for details.

Disable Auto Rotation of Credential for an External Custom Key Store

Use POST /v1/cckm/aws/custom-key-stores/{id}/disable-credential-rotation-job to disable auto rotation of the credential for the specified external custom key store. This API is only applicable for a custom key store of type EXTERNAL_KEY_STORE. The key store must also be in a linked state.

Syntax

curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/<key_store_id>/disable-credential-rotation-job' -X POST -H 'Authorization: Bearer AUTHTOKEN' -H 'accept: application/json' --compressed

Path Parameter

Parameter | Type | Description
--- | --- | ---
key_store_id | string | ID of the key store. This must be the UUID.

Request Parameters

Parameter | Type | Description
--- | --- | ---
AUTHTOKEN | string | Authorization Token

Example Request

curl -k 'https://aws-xks-test.thalescpl.io/api/v1/cckm/aws/custom-key-stores/b5b7d549-b3d8-40e4-bfaa-58bebab31438/disable-credential-rotation-job' -X POST -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI0ZTZkMTc2Zi02YjRhLTQ5MGItYmI1NC02OThiNDAwNWQ1Y2IiLCJzdWIiOiJsb2NhbHw3OTg3ODYwOC05ZmQ5LTQ4NmUtODU5OS1hZDJhNTQ5MDg3ZDgiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJjbGllbnRfdHlwZSI6InVucmVnaXN0ZXJlZCIsImRvbWFpbl9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCIsImdyb3VwcyI6WyJhZG1pbiJdLCJzaWQiOiI1NDliNGE2MC0xMmRhLTQxNjEtOTg4MC03OWFmZTRmYWUxMzMiLCJ6b25lX2lkIjoiMDAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMDAwMDAwIn0sImp3dGlkIjoiMDIzNDVmYjgtNzA0NS00NGJmLTkzYWEtMjY0YWYzOGVmZGJiIiwiaWF0IjoxNjgzNzQ0NjI2LCJleHAiOjE2ODM3NDQ5MjZ9.xtMLcGf__9cM0d2EAPYaBOcGDIQIvrRuEt-QevwPAbM' -H 'accept: application/json' --compressed

Example Response

{
    "application/json": {
        "id": "b5b7d549-b3d8-40e4-bfaa-58bebab31438",
        "uri": "kylo:kylo:cckm:aws_cks:b5b7d549-b3d8-40e4-bfaa-58bebab31438",
        "account": "kylo:kylo:admin:accounts:kylo",
        "createdAt": "2023-05-10T18:49:58.08837Z",
        "updatedAt": "2023-05-10T18:52:13.207313Z",
        "name": "test_keystore_2",
        "kms": "AWS_KMS",
        "region": "eu-west-3",
        "type": "LOCAL",
        "credential_version": 1,
        "kms_id": "118844e7-2e53-43ed-b53e-567118a324e4",
        "cloud_name": "aws",
        "version_count": 0,
        "aws_param": {
            "custom_key_store_name": "test_keystore_2",
            "xks_proxy_uri_endpoint": "https://aws-xks-test.thalescpl.io",
            "xks_proxy_uri_path": "/api/v1/cckm/aws/xks-proxy-endpoints/b5b7d549-b3d8-40e4-bfaa-58bebab31438/kms/xks/v1",
            "custom_key_store_type": "EXTERNAL_KEY_STORE",
            "custom_key_store_id": "cks-193035a77a8239d6a",
            "xks_proxy_connectivity": "PUBLIC_ENDPOINT",
            "connection_state": "DISCONNECTED"
        },
        "local_hosted_params": {
            "blocked": false,
            "policy": {
                "reserved": true
            },
            "source_container_type": "local",
            "linked_state": true,
            "health_check_key_id": "f1da90038f16465aa64345394864776543229c19156b405083724b1945ed3fcb",
            "health_check_ciphertext": "fe6ad170985d3486dbb4946e159534433b19327c8f5d1859246ec84dafc366e0c6d6a59b9c4a252ad9c12480532928d259b29897b03ba3bf0331cef6a59e7b634e32bafe0c170e07",
            "max_credentials": 20,
            "source_key_tier": "local",
            "mtls_enabled": false
        },
        "gone": false,
        "enable_success_audit_event": true
    }
}

The sample output shows that auto rotation of the credential associated with the custom key store with ID b5b7d549-b3d8-40e4-bfaa-58bebab31438 has been disabled. Note that the labels and job_config_id parameters, which appear in the output of the enable-credential-rotation-job API, are no longer included; their absence indicates that auto rotation of the credential is disabled.

Response Codes

Response Code | Description
--- | ---
2xx | Success
4xx | Client errors
5xx | Server errors

Refer to HTTP status codes for details.

List Unused AWS CloudHSM Clusters

Use POST /v1/cckm/aws/custom-key-stores/get-unused-cloudhsm-clusters to list CloudHSM clusters in the specified region that are not already associated with a CloudHSM key store.

Syntax

curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/get-unused-cloudhsm-clusters' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n  "kms": "<kms_id>",\n  "region": "<aws_region>"\n}' --compressed

Request Parameters

Parameter | Type | Description
--- | --- | ---
AUTHTOKEN | string | Authorization Token
kms | string | Name or ID of the KMS resource from which the AWS CloudHSM clusters will be retrieved.
region | string | AWS region from which the AWS CloudHSM clusters will be retrieved.

Example Request

curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/get-unused-cloudhsm-clusters' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.tFKzjQYare-cQ0FQ7rTMyolVRsDU1SPuvw7AQfI4WR8' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n  "kms": "eab80374-04c2-468a-b732-ce90596f6db0",\n  "region": "us-west-1"\n}' --compressed

Example Response

{
    "application/json": {
        "total": 2,
        "detailed_status": "Unused CloudHSM cluster(s) found",
        "resources": [
            {
                "BackupPolicy": "DEFAULT",
                "BackupRetentionPolicy": {
                    "Type": "DAYS",
                    "Value": "45"
                },
                "Certificates": {
                    "AwsHardwareCertificate": null,
                    "ClusterCertificate": "-----BEGIN CERTIFICATE-----\nMIIEczCCAlsCCQCkL360L0D8ODANBgkqhkiG9w0BAQsFADBsMQswCQYDVQQGEwJD\nQTELMAkGA1UECAwCUUMxETAPBgNVBAcMCE1vbnRyZWFsMRAwDgYDVQQKDAdHZW1h\nbHRvMQ0wCwYDVQQLDARJRFNTMRwwGgYDVQQDDBNUZXN0Q2xvdWRIU01DbHVzdGVy\nMB4XDTE4MDMwODIyMjMzNloXDTI4MDMwNzIyMjMzNlowgYoxRDAJBgNVBAYTAlVT\nMAkGA1UECAwCQ0EwDQYDVQQKDAZDYXZpdW0wDQYDVQQLDAZOM0ZJUFMwDgYDVQQH\nDAdTYW5Kb3NlMUIwQAYDVQQDDDlIU006ODYxNkE0MkY4Q0M5NEZEQkJGNTY5Q0ZE\nNkM1NUVCOlBBUlROOjgsIGZvciBGSVBTIG1vZGUwggEiMA0GCSqGSIb3DQEBAQUA\nA4IBDwAwggEKAoIBAQC6BOMjF7WK0M2hD6WbkW1qPkizTbF1+iAcZAjBTKn6DaFb\nY5fFl3vl52yRno66vWSMxnjcKxyDGBZ5mm+/cmk4sHgpCYnUKQ5hNy/aQP1ZM8IW\n5lYVqBRuqdhTFkEfYctuxjueiyyRU0rpUNWqEbFQO2h9MOtqI2qkogU9yzWASB6l\nekr/zAwl9qx6EEFW/B/VkN/v3a3CHqdYKu0ANDlNSI8481MQF29WtAmyCy6mUdIa\nRO/S/BcBxnIns+nTpvsd7EGtZ+TUPou+qbxgLQW0JOxg6kkUzS0SE370dtiqt0G3\nhjzpMF6fGo5Lz4Xhu4N6EgA/Q6zd0f9ZKjOIdI/xAgMBAAEwDQYJKoZIhvcNAQEL\nBQADggIBALbJkWPp4w+NjAc9b54I76gEE9Lb8y/oO6mk5yQo2nrvCYFqYcCjjD9G\ncQW7KmK300UuUVTTnfjEh4Txjdp4iy46GFBL5+Kn6p6Q6TMWU6CzCtDdWoNcbK+w\nofjotWtCe83NDfCJb0EBSZ8uvq12c7EczoCcyJVvaamRzmVG3f+h2qLgazudkY9s\nwYFNMzhXaw4z8FJpzEtC4QmmRV4zjZJYmA6Wzz9N0Rr8GhaVGAhM6rV8EvFP0Y8N\nz6W7/hQ8gmek8Ts+u7YMY0HWU6jY6jndnIoXGeBbVnYn04P6eJiSORhmz1ZF5YSC\nwMAUW+w6kkdItgSuHgLRzAPeJoxxlIjkQAOeHLF4WQCc2oaahtnbYZUgt5ADQmlS\nywu3qFCsheZiG5nMPQJu6zrVk1mLArGWXfXJZ7myZjZKKoXl3g/mTz1tqLj/CIl8\nZWYHyBrdLKNI9t3hTHAKtCD5S5LoOFkFHvVw6uZ5wwW5WyBvG5NFJr42Y0egK85L\n97q2avnfH4VuqN1MwhohcfC+E8tsbcE1n74rpoTNoDoOG1kLWWBu2QflIHW+zJMI\nC5uOK6QKckNiMdwsn1olbCABDPCuWXYCFF6qh252QDJGiHf94hKoelOjtujyT1cC\nlNJao5IdI6KtCoMcvHBBeioODUHQKi1MwCq3nCq/FyKh67qPobaA\n-----END CERTIFICATE-----\n",
                    "ClusterCsr": null,
                    "HsmCertificate": null,
                    "ManufacturerHardwareCertificate": null
                },
                "ClusterId": "cluster-7rq2hgwvl5o",
                "CreateTimestamp": "2021-08-04T18:46:37.841Z",
                "HsmType": "hsm1.medium",
                "Hsms": [],
                "PreCoPassword": null,
                "SecurityGroup": "sg-01cd078a29065ebc0",
                "SourceBackupId": "backup-tecrwims3np",
                "State": "ACTIVE",
                "StateMessage": null,
                "SubnetMapping": {
                    "us-east-1a": "subnet-8e7983f9",
                    "us-east-1b": "subnet-8842a6d1",
                    "us-east-1d": "subnet-6d565145"
                },
                "TagList": [
                    {
                        "Key": "customer-issue",
                        "Value": "first-republic"
                    }
                ],
                "VpcId": "vpc-4dc16428"
            },
            {
                "BackupPolicy": "DEFAULT",
                "BackupRetentionPolicy": {
                    "Type": "DAYS",
                    "Value": "1075"
                },
                "Certificates": {
                    "AwsHardwareCertificate": null,
                    "ClusterCertificate": "-----BEGIN CERTIFICATE-----\nMIIEczCCAlsCCQCkL360L0D8ODANBgkqhkiG9w0BAQsFADBsMQswCQYDVQQGEwJD\nQTELMAkGA1UECAwCUUMxETAPBgNVBAcMCE1vbnRyZWFsMRAwDgYDVQQKDAdHZW1h\nbHRvMQ0wCwYDVQQLDARJRFNTMRwwGgYDVQQDDBNUZXN0Q2xvdWRIU01DbHVzdGVy\nMB4XDTE4MDMwODIyMjMzNloXDTI4MDMwNzIyMjMzNlowgYoxRDAJBgNVBAYTAlVT\nMAkGA1UECAwCQ0EwDQYDVQQKDAZDYXZpdW0wDQYDVQQLDAZOM0ZJUFMwDgYDVQQH\nDAdTYW5Kb3NlMUIwQAYDVQQDDDlIU006ODYxNkE0MkY4Q0M5NEZEQkJGNTY5Q0ZE\nNkM1NUVCOlBBUlROOjgsIGZvciBGSVBTIG1vZGUwggEiMA0GCSqGSIb3DQEBAQUA\nA4IBDwAwggEKAoIBAQC6BOMjF7WK0M2hD6WbkW1qPkizTbF1+iAcZAjBTKn6DaFb\nY5fFl3vl52yRno66vWSMxnjcKxyDGBZ5mm+/cmk4sHgpCYnUKQ5hNy/aQP1ZM8IW\n5lYVqBRuqdhTFkEfYctuxjueiyyRU0rpUNWqEbFQO2h9MOtqI2qkogU9yzWASB6l\nekr/zAwl9qx6EEFW/B/VkN/v3a3CHqdYKu0ANDlNSI8481MQF29WtAmyCy6mUdIa\nRO/S/BcBxnIns+nTpvsd7EGtZ+TUPou+qbxgLQW0JOxg6kkUzS0SE370dtiqt0G3\nhjzpMF6fGo5Lz4Xhu4N6EgA/Q6zd0f9ZKjOIdI/xAgMBAAEwDQYJKoZIhvcNAQEL\nBQADggIBALbJkWPp4w+NjAc9b54I76gEE9Lb8y/oO6mk5yQo2nrvCYFqYcCjjD9G\ncQW7KmK300UuUVTTnfjEh4Txjdp4iy46GFBL5+Kn6p6Q6TMWU6CzCtDdWoNcbK+w\nofjotWtCe83NDfCJb0EBSZ8uvq12c7EczoCcyJVvaamRzmVG3f+h2qLgazudkY9s\nwYFNMzhXaw4z8FJpzEtC4QmmRV4zjZJYmA6Wzz9N0Rr8GhaVGAhM6rV8EvFP0Y8N\nz6W7/hQ8gmek8Ts+u7YMY0HWU6jY6jndnIoXGeBbVnYn04P6eJiSORhmz1ZF5YSC\nwMAUW+w6kkdItgSuHgLRzAPeJoxxlIjkQAOeHLF4WQCc2oaahtnbYZUgt5ADQmlS\nywu3qFCsheZiG5nMPQJu6zrVk1mLArGWXfXJZ7myZjZKKoXl3g/mTz1tqLj/CIl8\nZWYHyBrdLKNI9t3hTHAKtCD5S5LoOFkFHvVw6uZ5wwW5WyBvG5NFJr42Y0egK85L\n97q2avnfH4VuqN1MwhohcfC+E8tsbcE1n74rpoTNoDoOG1kLWWBu2QflIHW+zJMI\nC5uOK6QKckNiMdwsn1olbCABDPCuWXYCFF6qh252QDJGiHf94hKoelOjtujyT1cC\nlNJao5IdI6KtCoMcvHBBeioODUHQKi1MwCq3nCq/FyKh67qPobaA\n-----END CERTIFICATE-----\n",
                    "ClusterCsr": null,
                    "HsmCertificate": null,
                    "ManufacturerHardwareCertificate": null
                },
                "ClusterId": "cluster-d5v3afg4pk2",
                "CreateTimestamp": "2018-03-08T19:39:30.009Z",
                "HsmType": "hsm1.medium",
                "Hsms": [
                    {
                        "AvailabilityZone": "us-east-1b",
                        "ClusterId": "cluster-d5v3afg4pk2",
                        "EniId": "eni-9343f242",
                        "EniIp": "172.30.1.120",
                        "HsmId": "hsm-fs4hvzzrnjx",
                        "State": "ACTIVE",
                        "StateMessage": "HSM created.",
                        "SubnetId": "subnet-8842a6d1"
                    }
                ],
                "PreCoPassword": null,
                "SecurityGroup": "sg-5a43e82c",
                "SourceBackupId": null,
                "State": "ACTIVE",
                "StateMessage": null,
                "SubnetMapping": {
                    "us-east-1a": "subnet-8e7983f9",
                    "us-east-1b": "subnet-8842a6d1",
                    "us-east-1d": "subnet-6d565145"
                },
                "TagList": [],
                "VpcId": "vpc-4dc16428"
            }
        ]
    }
}

Response Codes

Response Code | Description
--- | ---
2xx | Success
4xx | Client errors
5xx | Server errors

Refer to HTTP status codes for details.

Create a Virtual Key

Use POST /v1/cckm/virtual/keys to create a virtual key, which links to a key in Luna HSM. The source key in Luna HSM performs cryptographic operations for AWS KMS requests. The virtual key allows versioning which cannot take place directly with the source key.

Syntax

curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/virtual/keys' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n  "source_key_id": "<source_key_id>"\n}' --compressed

Request Parameters

Parameter | Type | Description
AUTHTOKEN | string | Authorization Token
source_key_id | string | The unique ID of the source key (Luna HSM key) for the first version of the virtual key.

Example Request

curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/virtual/keys' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.RMOP06eDy0IJ9cayffyKW5851Q8QsuMnMuB5OCflQRc' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n  "source_key_id": "fe60eab9-bf80-4d9d-b622-309106d65fff"\n}' --compressed

Example Response

{
    "application/json": {
        "id": "b2b01847-3f4b-43c3-afd3-c6ca381b5a45",
        "uri": "kylo:kylo:cckm:virtual-keys:b2b01847-3f4b-43c3-afd3-c6ca381b5a45",
        "account": "kylo:kylo:admin:accounts:kylo",
        "application": "ncryptify:gemalto:admin:apps:kylo",
        "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
        "createdAt": "2020-12-15T06:20:15.699004Z",
        "updatedAt": "2020-12-15T06:25:57.338588051Z",
        "partition_id": "ed5b1bbd-ce0b-48c1-ab69-a4592e5b2da2",
        "partition_label": "cckm-1608012946",
        "source_key_id": "fe60eab9-bf80-4d9d-b622-309106d65fff",
        "version": 0
    }
}

Response Codes

Response Code | Description
2xx | Success
4xx | Client errors
5xx | Server errors

Refer to HTTP status codes for details.

List Virtual Keys

Use GET /v1/cckm/virtual/keys to return the list of virtual keys.

Syntax

curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/virtual/keys?<query_parameters>' -H 'Authorization: Bearer AUTHTOKEN' --compressed

Request Parameters

Parameter | Type | Description
AUTHTOKEN | string | Authorization Token

Request Query Parameters

Parameter | Type | Description
id | string | Filter the results by virtual key ID.
partition_id | string | Filter the results by the ID of the Luna HSM partition.
source_key_id | string | Filter the results by the ID of the source key in Luna HSM.
partition_label | string | Filter the results by the label of the Luna HSM partition.
skip | integer | The index of the first resource to return. Equivalent to 'offset' in SQL.
limit | integer | The maximum number of resources to return. Equivalent to 'limit' in SQL.
sort | string | The fields to sort results by, as a comma-delimited list of properties. Multiple properties result in a multi-column sort. Sort order is ascending by default; to sort a field in descending order, precede the field name with a minus sign ("-"). For example, name,-createdAt sorts the results first by name, ascending, then by createdAt, descending.

Example Request

curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/virtual/keys?skip=0&limit=10&sort=updatedAt' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.RMOP06eDy0IJ9cayffyKW5851Q8QsuMnMuB5OCflQRc' -H 'accept: application/json' --compressed

Example Response

{
    "application/json": {
        "id": "b2b01847-3f4b-43c3-afd3-c6ca381b5a45",
        "uri": "kylo:kylo:cckm:virtual-keys:b2b01847-3f4b-43c3-afd3-c6ca381b5a45",
        "account": "kylo:kylo:admin:accounts:kylo",
        "application": "ncryptify:gemalto:admin:apps:kylo",
        "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
        "createdAt": "2020-12-15T06:20:15.699004Z",
        "updatedAt": "2020-12-15T06:25:57.338588051Z",
        "partition_id": "ed5b1bbd-ce0b-48c1-ab69-a4592e5b2da2",
        "partition_label": "cckm-1608012946",
        "source_key_id": "fe60eab9-bf80-4d9d-b622-309106d65fff",
        "version": 0
    }
}

Response Codes

Response Code | Description
2xx | Success
4xx | Client errors
5xx | Server errors

Refer to HTTP status codes for details.

View Details for a Virtual Key

Use GET /v1/cckm/virtual/keys/{id} to return details of a given virtual key.

Syntax

curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/virtual/keys/<virtual_key_id>?<query_parameters>' -H 'Authorization: Bearer AUTHTOKEN' --compressed

Path Parameters

Parameter | Type | Description
id | string | ID of the virtual key.

Request Parameters

Parameter | Type | Description
AUTHTOKEN | string | Authorization Token

Request Query Parameters

Parameter | Type | Description
skip | integer | The index of the first resource to return. Equivalent to 'offset' in SQL.
limit | integer | The maximum number of resources to return. Equivalent to 'limit' in SQL.
sort | string | The fields to sort results by, as a comma-delimited list of properties. Multiple properties result in a multi-column sort. Sort order is ascending by default; to sort a field in descending order, precede the field name with a minus sign ("-"). For example, name,-createdAt sorts the results first by name, ascending, then by createdAt, descending.

Example Request

curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/virtual/keys/123456?skip=0&limit=10&sort=updatedAt' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI4Yzg4ZDY2Mi1mZDQ5LTQwM2QtOGFmMC0zYjljNGM0ZWNmNDMiLCJzdWIiOiJsb2NhbHxmYTEzYzU2Ny04NWQ4LTRiM2QtYWQ1OS1lNzMyOWZjMjNjOTQiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiOWI5YjM3YTItNWMxMy00ZmZmLWJlNzQtMThjOTI0NDc1YTFiIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjIyZjk5OGE1LTM4ZmItNDBkYi1hZjhkLTYwZjdkYjhiY2QyNiIsImlhdCI6MTY1MTA5MjY3NCwiZXhwIjoxNjUxMDkyOTc0fQ.RMOP06eDy0IJ9cayffyKW5851Q8QsuMnMuB5OCflQRc' -H 'accept: application/json' --compressed

Example Response

{
    "application/json": {
        "id": "b2b01847-3f4b-43c3-afd3-c6ca381b5a45",
        "uri": "kylo:kylo:cckm:virtual-keys:b2b01847-3f4b-43c3-afd3-c6ca381b5a45",
        "account": "kylo:kylo:admin:accounts:kylo",
        "application": "ncryptify:gemalto:admin:apps:kylo",
        "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
        "createdAt": "2020-12-15T06:20:15.699004Z",
        "updatedAt": "2020-12-15T06:25:57.338588051Z",
        "partition_id": "ed5b1bbd-ce0b-48c1-ab69-a4592e5b2da2",
        "partition_label": "cckm-1608012946",
        "source_key_id": "fe60eab9-bf80-4d9d-b622-309106d65fff",
        "version": 0
    }
}

Response Codes

Response Code | Description
2xx | Success
4xx | Client errors
5xx | Server errors

Refer to HTTP status codes for details.

Create an AWS HYOK Key (External Key)

Use POST /v1/cckm/aws/create-hyok-key to create an AWS HYOK (Hold Your Own Key) key, which links a virtual key to an external custom key store. The corresponding key in AWS KMS is referred to as an "external key".

Currently, only creation of HYOK keys in locally hosted key stores is supported, and only in the "unlinked" state: the HYOK key is not automatically created in AWS KMS and is not kept in sync with AWS KMS.

HYOK keys in locally hosted key stores require the following two values:

  • Source Key ID (virtual key ID).

  • Custom key store ID.

Syntax

curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/create-hyok-key' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n  "local_hosted_params": {\n    "source_key_id": "<source_key_id>",\n    "custom_key_store_id": "<external_custom_key_store_id>",\n    "blocked": <boolean_Value>\n  }\n}' --compressed

Request Parameters

Parameter | Type | Description
AUTHTOKEN | string | Authorization Token
local_hosted_params | JSON | Locally hosted parameters for the AWS HYOK key.

Local Hosted Parameters

Parameter | Type | Description
blocked | boolean | Whether AWS KMS is blocked from using the key for cryptographic operations. Set to false by default.
custom_key_store_id | string | External custom key store ID. Required for a locally hosted custom key store.
source_key_id | string | Source key ID. For a Luna HSM key source, this is the ID of the virtual key. Required for a locally hosted custom key store.
policy | JSON | This parameter is not currently read. It will be functional in a future release.

Policy Parameters

Parameter | Type | Description
reserved | boolean | This parameter is not currently read. It will be functional in a future release.

Example Request

curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/create-hyok-key' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI4Yzg4ZDY2Mi1mZDQ5LTQwM2QtOGFmMC0zYjljNGM0ZWNmNDMiLCJzdWIiOiJsb2NhbHxmYTEzYzU2Ny04NWQ4LTRiM2QtYWQ1OS1lNzMyOWZjMjNjOTQiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiNTg0ODY5OGUtNjA0NC00MWEwLWEyOTUtNjNlNjZmZTk5MDBhIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6Ijk1M2ZhOWEyLTdjNjItNDAwZS04NjZmLTE0YjFjMGZmN2JjNiIsImlhdCI6MTY1MTE3ODg5MywiZXhwIjoxNjUxMTc5MTkzfQ.KuRRb6VErQRxIcvexxSOBLgGllJV3zLgZErwXZKjE2w' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n  "local_hosted_params": {\n    "source_key_id": "8658e434-1be1-4da6-9c6b-d4ec4f0e91f9",\n    "custom_key_store_id": "677f9689-b2af-4fdb-ad9a-71cac77f6789",\n    "blocked": false\n  }\n}' --compressed

Example Response

{
    "application/json": {
        "id": "677f9689-b2af-4fdb-ad9a-71cac77f7fa0",
        "uri": "kylo:kylo:cckm:aws-key:677f9689-b2af-4fdb-ad9a-71cac77f7fa0",
        "account": "kylo:kylo:admin:accounts:kylo",
        "application": "ncryptify:gemalto:admin:apps:kylo",
        "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
        "createdAt": "2020-07-24T04:10:56.180805743Z",
        "updatedAt": "2020-07-24T04:10:56.177874659Z",
        "kms_id": "ebdd67ec-a87b-4ae6-ae71-fd4dd3e3a5ad",
        "kms": "kms-name",
        "rotation_status": "",
        "synced_at": "2020-07-24T04:10:56.125474304Z",
        "local_key_id": "0c20bd6137334d0d832e65cb38aec32165d0ace291ba4a7c939afb987ef2e8e0",
        "local_key_name": "aes-local-key",
        "cloud_name": "aws",
        "key_type": "symmetric",
        "basic_view_enabled": false,
        "region": "ap-southeast-1",
        "gone": false,
        "key_material_origin": "cckm",
        "locally_hosted": true,
        "local_hosted_params": {
            "blocked": false,
            "policy": {
                "reserved": false
            },
            "custom_key_store_id": "677f9689-b2af-4fdb-ad9a-71cac77f6789",
            "linked_state": false,
            "source_key_id": "8658e434-1be1-4da6-9c6b-d4ec4f0e91f9"
        },
        "aws_param": {
            "XksKeyConfiguration": {
                "Id": "677f9689-b2af-4fdb-ad9a-71cac77f7fa0"
            }
        }
    }
}

Response Codes

Response Code | Description
2xx | Success
4xx | Client errors
5xx | Server errors

Refer to HTTP status codes for details.

List AWS HYOK Key Versions

Use GET /v1/cckm/aws/keys/{id}/versions to list the versions of the AWS HYOK key.

Syntax

curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/keys/<aws_hyok_key_id>/versions?<query_parameters>' -H 'Authorization: Bearer AUTHTOKEN' --compressed

Path Parameters

Parameter | Type | Description
id | string | ID of the AWS HYOK key.

Request Parameters

Parameter | Type | Description
AUTHTOKEN | string | Authorization Token

Request Query Parameters

Parameter | Type | Description
skip | integer | The index of the first resource to return. Equivalent to 'offset' in SQL.
limit | integer | The maximum number of resources to return. Equivalent to 'limit' in SQL.
sort | string | The fields to sort results by, as a comma-delimited list of properties. Multiple properties result in a multi-column sort. Sort order is ascending by default; to sort a field in descending order, precede the field name with a minus sign ("-"). For example, name,-createdAt sorts the results first by name, ascending, then by createdAt, descending.

Example Request

curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/keys/123456/versions?skip=0&limit=10&sort=updatedAt' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.edjyTlN5tAcUPne0b26YJIdg6mZX69bdwFSFplWE8vk' -H 'accept: application/json' --compressed

Example Response

{
    "skip": 0,
    "limit": 10,
    "total": 1,
    "resources": [
        {
            "id": "dfd88e59-b621-45d4-8f19-62d8ea6956e8",
            "uri": "kylo:kylo:cckm:subscription:dfd88e59-b621-45d4-8f19-62d8ea6956e8",
            "account": "kylo:kylo:admin:accounts:kylo",
            "application": "ncryptify:gemalto:admin:apps:kylo",
            "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
            "createdAt": "2020-09-15T10:19:09.246956Z",
            "updatedAt": "2020-09-15T10:19:09.245242Z",
            "source_key_id": "c0d7f123-6058-418c-bcb0-5e68701df111",
            "version": 0
        },
        {
            "id": "dfd88e59-b621-45d4-8f19-62d8ea6956e9",
            "uri": "kylo:kylo:cckm:subscription:dfd88e59-b621-45d4-8f19-62d8ea6956e9",
            "account": "kylo:kylo:admin:accounts:kylo",
            "application": "ncryptify:gemalto:admin:apps:kylo",
            "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
            "createdAt": "2020-09-15T10:19:09.246956Z",
            "updatedAt": "2020-09-15T10:19:09.245242Z",
            "source_key_id": "c0d7f123-6058-418c-bcb0-5e68701df222",
            "version": 1
        }
    ]
}

Response Codes

Response Code | Description
2xx | Success
4xx | Client errors
5xx | Server errors

Refer to HTTP status codes for details.
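
The skip, limit and sort query parameters documented for the list endpoints above behave like SQL OFFSET, LIMIT and ORDER BY. The following added example (not CipherTrust's own code) reproduces that semantics client-side: it parses a sort specification such as name,-createdAt, applies the multi-column sort locally, and pages through the versions endpoint until the reported total is reached. The fetch callable and fake_fetch transport are assumptions for this example; the three version records are constructed placeholders in the shape of the versions response shown above.

```python
"""Client-side handling of the skip, limit and sort query parameters.

Added example, not CipherTrust's own code. It assumes a callable that performs
one GET on /v1/cckm/aws/keys/{id}/versions and returns the parsed JSON body in
the {"skip", "limit", "total", "resources"} shape shown above; the fake
transport at the bottom serves constructed sample data so the code runs offline.
"""
from typing import Any, Callable, Dict, List, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

Page = Dict[str, Any]
Fetch = Callable[[str], Page]  # takes "<path>?<query>", returns the parsed JSON body


def parse_sort(spec: str) -> List[Tuple[str, bool]]:
    """Turn 'name,-createdAt' into [('name', False), ('createdAt', True)];
    the bool is True for a descending field (leading minus sign)."""
    fields = []
    for raw in spec.split(","):
        field = raw.strip()
        if not field:
            continue
        if field.startswith("-"):
            fields.append((field[1:], True))
        else:
            fields.append((field, False))
    return fields


def sort_records(records: List[dict], spec: str) -> List[dict]:
    """Reproduce the documented multi-column sort locally. Python's sort is
    stable, so applying the keys from last to first gives the same precedence
    as a multi-column SQL ORDER BY. A missing field is treated as the largest value."""
    ordered = list(records)
    for field, descending in reversed(parse_sort(spec)):
        ordered.sort(key=lambda r: (r.get(field) is None, r.get(field)),
                     reverse=descending)
    return ordered


def list_all_versions(fetch: Fetch, key_id: str, page_size: int = 10,
                      sort: str = "version") -> List[dict]:
    """Walk the versions endpoint page by page until 'total' is reached."""
    collected: List[dict] = []
    skip = 0
    while True:
        query = urlencode({"skip": skip, "limit": page_size, "sort": sort})
        page = fetch(f"/v1/cckm/aws/keys/{key_id}/versions?{query}")
        resources = page.get("resources") or []
        collected.extend(resources)
        skip += len(resources)
        # An empty page also terminates the loop, so a server that over-reports
        # 'total' cannot keep the client polling forever.
        if not resources or skip >= int(page.get("total", 0)):
            break
    return collected


# Constructed sample data: three versions of one HYOK key. The IDs are
# placeholders, not values from a real CipherTrust Manager.
SAMPLE_VERSIONS = [
    {"id": "ver-placeholder-0", "source_key_id": "src-placeholder-a",
     "version": 0, "createdAt": "2020-09-15T10:19:09Z"},
    {"id": "ver-placeholder-1", "source_key_id": "src-placeholder-b",
     "version": 1, "createdAt": "2020-09-16T08:00:00Z"},
    {"id": "ver-placeholder-2", "source_key_id": "src-placeholder-c",
     "version": 2, "createdAt": "2020-09-17T08:00:00Z"},
]


def fake_fetch(path_and_query: str) -> Page:
    """Offline stand-in for the HTTP GET: honours skip, limit and sort."""
    qs = parse_qs(urlsplit(path_and_query).query)
    skip = int(qs.get("skip", ["0"])[0])
    limit = int(qs.get("limit", ["10"])[0])
    sort = qs.get("sort", ["version"])[0]
    ordered = sort_records(SAMPLE_VERSIONS, sort)
    return {"skip": skip, "limit": limit, "total": len(ordered),
            "resources": ordered[skip:skip + limit]}


if __name__ == "__main__":
    for v in list_all_versions(fake_fetch, "key-placeholder", page_size=2, sort="-version"):
        print(v["version"], v["source_key_id"])
```

Against a live CipherTrust Manager, replace fake_fetch with a function that issues the GET with the Authorization: Bearer header and returns the decoded JSON; the paging loop and sort parser stay the same.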

Block AWS HYOK key

Use POST /v1/cckm/aws/keys/{id}/block to block AWS KMS from performing cryptographic operations with the AWS HYOK key.

Syntax

curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/keys/<aws_hyok_key_id>/block' -X POST -H 'Authorization: Bearer AUTHTOKEN' --compressed

Path Parameters

Parameter | Type | Description
id | string | ID of the AWS HYOK key.

Request Parameters

Parameter | Type | Description
AUTHTOKEN | string | Authorization Token

Example Request

curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/keys/123456/block' -X POST -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.RsGQEMy8hGlgGahHl_rnhwtnLy6i_wQfXb-AAOJa30I' -H 'accept: application/json' --compressed

Example Response

{
    "application/json": {
        "id": "677f9689-b2af-4fdb-ad9a-71cac77f7fa0",
        "uri": "kylo:kylo:cckm:aws-key:677f9689-b2af-4fdb-ad9a-71cac77f7fa0",
        "account": "kylo:kylo:admin:accounts:kylo",
        "application": "ncryptify:gemalto:admin:apps:kylo",
        "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
        "createdAt": "2020-07-24T04:10:56.180805743Z",
        "updatedAt": "2020-07-24T04:10:56.177874659Z",
        "kms_id": "ebdd67ec-a87b-4ae6-ae71-fd4dd3e3a5ad",
        "kms": "kms-name",
        "rotation_status": "ACTIVE",
        "synced_at": "2020-07-24T04:10:56.125474304Z",
        "cloud_name": "aws",
        "key_type": "symmetric",
        "basic_view_enabled": false,
        "region": "ap-southeast-1",
        "gone": false,
        "key_material_origin": "native",
        "key_source": "hsm-luna",
        "blocked": true,
        "linked_state": false,
        "custom_key_store_id": "eb4fc6ee-35f7-42c7-9116-37fdecb43941",
        "aws_param": {
            "AWSAccountId": "123456789012",
            "Arn": "arn:aws:kms:ap-southeast-1:123456789012:key/677f9689-b2af-4fdb-ad9a-71cac77f7fa0",
            "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
            "Description": "Description",
            "Enabled": true,
            "EncryptionAlgorithms": [
                "SYMMETRIC_DEFAULT"
            ],
            "KeyID": "677f9689-b2af-4fdb-ad9a-71cac77f7fa0",
            "KeyManager": "CUSTOMER",
            "KeyState": "Enabled",
            "KeyUsage": "ENCRYPT_DECRYPT",
            "Origin": "AWS_KMS",
            "CreationDate": "2020-07-24T04:10:55Z",
            "Policy": {
                "Version": "2012-10-17",
                "Id": "key-default-1",
                "Statement": [
                    {
                        "Sid": "Enable IAM User Permissions",
                        "Effect": "Allow",
                        "Principal": {
                            "AWS": "arn:aws:iam::123456789012:root"
                        },
                        "Action": "kms:*",
                        "Resource": "*"
                    }
                ]
            },
            "Alias": [
                "alias/Test"
            ],
            "Tags": [
                {
                    "TagKey": "key",
                    "TagValue": "value"
                }
            ],
            "KeyRotationEnabled": false
        }
    }
}

Response Codes

Response Code | Description
2xx | Success
4xx | Client errors
5xx | Server errors

Refer to HTTP status codes for details.

Unblock AWS HYOK key

Use POST /v1/cckm/aws/keys/{id}/unblock to allow AWS KMS to perform cryptographic operations with the AWS HYOK key.

Syntax

curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/keys/<aws_hyok_key_id>/unblock' -X POST -H 'Authorization: Bearer AUTHTOKEN' --compressed

Path Parameters

Parameter | Type | Description
id | string | ID of the AWS HYOK key.

Request Parameters

Parameter | Type | Description
AUTHTOKEN | string | Authorization Token

Example Request

curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/keys/123456/unblock' -X POST -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.RsGQEMy8hGlgGahHl_rnhwtnLy6i_wQfXb-AAOJa30I' -H 'accept: application/json' --compressed

Example Response

{
    "application/json": {
        "id": "677f9689-b2af-4fdb-ad9a-71cac77f7fa0",
        "uri": "kylo:kylo:cckm:aws-key:677f9689-b2af-4fdb-ad9a-71cac77f7fa0",
        "account": "kylo:kylo:admin:accounts:kylo",
        "application": "ncryptify:gemalto:admin:apps:kylo",
        "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
        "createdAt": "2020-07-24T04:10:56.180805743Z",
        "updatedAt": "2020-07-24T04:10:56.177874659Z",
        "kms_id": "ebdd67ec-a87b-4ae6-ae71-fd4dd3e3a5ad",
        "kms": "kms-name",
        "rotation_status": "ACTIVE",
        "synced_at": "2020-07-24T04:10:56.125474304Z",
        "cloud_name": "aws",
        "key_type": "symmetric",
        "basic_view_enabled": false,
        "region": "ap-southeast-1",
        "gone": false,
        "key_material_origin": "native",
        "local_hosted_params": {
            "blocked": false
        },
        "aws_param": {
            "AWSAccountId": "123456789012",
            "Arn": "arn:aws:kms:ap-southeast-1:123456789012:key/677f9689-b2af-4fdb-ad9a-71cac77f7fa0",
            "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
            "Description": "Description",
            "Enabled": false,
            "EncryptionAlgorithms": [
                "SYMMETRIC_DEFAULT"
            ],
            "KeyID": "677f9689-b2af-4fdb-ad9a-71cac77f7fa0",
            "KeyManager": "CUSTOMER",
            "KeyState": "Disabled",
            "KeyUsage": "ENCRYPT_DECRYPT",
            "Origin": "AWS_KMS",
            "CreationDate": "2020-07-24T04:10:55Z",
            "Policy": {
                "Version": "2012-10-17",
                "Id": "key-default-1",
                "Statement": [
                    {
                        "Sid": "Enable IAM User Permissions",
                        "Effect": "Allow",
                        "Principal": {
                            "AWS": "arn:aws:iam::123456789012:root"
                        },
                        "Action": "kms:*",
                        "Resource": "*"
                    }
                ]
            },
            "Alias": [
                "alias/Test"
            ],
            "Tags": [
                {
                    "TagKey": "key",
                    "TagValue": "value"
                }
            ],
            "KeyRotationEnabled": false
        }
    }
}

Response Codes

Response Code | Description
2xx | Success
4xx | Client errors
5xx | Server errors

Refer to HTTP status codes for details.
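
The Create, Block and Unblock sections above share one key record shape, but the example responses place the blocked and linked_state flags under local_hosted_params in some cases and at the top level in others. The following added example (not CipherTrust's own code) builds the create-hyok-key request body with the two required values and reads a key record tolerantly, combining the CipherTrust-side block flag with the AWS-side Enabled/KeyState values to answer whether AWS KMS can currently use the key. The sample records are constructed placeholders in the shapes shown above; the function names are this example's own.

```python
"""Build the create-hyok-key request body and read the state of a HYOK key record.

Added example, not CipherTrust's own code. It assumes the request shape of
the Create an AWS HYOK Key section and the response shapes shown in the
Create, Block and Unblock sections above (the 'blocked' and 'linked_state'
flags appear under local_hosted_params in some responses and at the top
level in others). All identifiers in the sample records are placeholders.
"""
import json
from typing import Any, Dict


def build_create_hyok_body(source_key_id: str, custom_key_store_id: str,
                           blocked: bool = False) -> Dict[str, Any]:
    """Body for POST /v1/cckm/aws/create-hyok-key. Both IDs are required for a
    locally hosted key store; 'blocked' defaults to false as documented."""
    for name, value in (("source_key_id", source_key_id),
                        ("custom_key_store_id", custom_key_store_id)):
        if not isinstance(value, str) or not value.strip():
            raise ValueError(f"{name} is required for a locally hosted key store")
    if not isinstance(blocked, bool):
        raise TypeError("blocked must be a JSON boolean")
    return {"local_hosted_params": {
        "source_key_id": source_key_id,
        "custom_key_store_id": custom_key_store_id,
        "blocked": blocked,
    }}


def _key(record: Dict[str, Any]) -> Dict[str, Any]:
    """Responses on this page wrap the key inside an 'application/json' envelope."""
    return record.get("application/json", record)


def _flag(record: Dict[str, Any], name: str) -> bool:
    """Read a boolean that may sit under local_hosted_params or at top level."""
    key = _key(record)
    nested = (key.get("local_hosted_params") or {}).get(name)
    return bool(key.get(name, False) if nested is None else nested)


def is_blocked(record: Dict[str, Any]) -> bool:
    return _flag(record, "blocked")


def is_linked(record: Dict[str, Any]) -> bool:
    return _flag(record, "linked_state")


def kms_can_use(record: Dict[str, Any]) -> bool:
    """AWS KMS can only use the key when nothing on either side forbids it:
    not blocked on the CipherTrust side, linked to AWS KMS, and enabled in
    AWS KMS. Unblocking does not change the AWS Enabled/KeyState values, so
    both sides have to be checked."""
    aws = _key(record).get("aws_param") or {}
    return (not is_blocked(record) and is_linked(record)
            and aws.get("Enabled") is True and aws.get("KeyState") == "Enabled")


# Constructed records mirroring the response shapes above (placeholder IDs).
CREATED = {"application/json": {
    "id": "key-placeholder", "locally_hosted": True,
    "local_hosted_params": {"blocked": False, "linked_state": False,
                            "custom_key_store_id": "cks-placeholder",
                            "source_key_id": "vk-placeholder"},
    "aws_param": {"XksKeyConfiguration": {"Id": "key-placeholder"}}}}
BLOCKED = {"application/json": {
    "id": "key-placeholder", "blocked": True, "linked_state": True,
    "aws_param": {"Enabled": True, "KeyState": "Enabled"}}}
UNBLOCKED_BUT_DISABLED_IN_AWS = {"application/json": {
    "id": "key-placeholder", "linked_state": True,
    "local_hosted_params": {"blocked": False},
    "aws_param": {"Enabled": False, "KeyState": "Disabled"}}}
USABLE = {"application/json": {
    "id": "key-placeholder", "linked_state": True,
    "local_hosted_params": {"blocked": False},
    "aws_param": {"Enabled": True, "KeyState": "Enabled"}}}

if __name__ == "__main__":
    print(json.dumps(build_create_hyok_body("vk-placeholder", "cks-placeholder"), indent=2))
    for label, rec in (("created", CREATED), ("blocked", BLOCKED),
                       ("unblocked/disabled", UNBLOCKED_BUT_DISABLED_IN_AWS),
                       ("usable", USABLE)):
        print(f"{label}: blocked={is_blocked(rec)} linked={is_linked(rec)} usable={kms_can_use(rec)}")
```

The point of kms_can_use is that the block/unblock operations act only on the CipherTrust side; a key that has been unblocked here but is disabled in AWS KMS is still unusable, and a freshly created key is unlinked and therefore unusable until it is linked.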

Link AWS HYOK key

Use POST /v1/cckm/aws/keys/{id}/link to link an unlinked AWS HYOK key in a local external custom key store.

Syntax

curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/keys/<aws_hyok_key_id>/link' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n  "aws_param": {\n    "Alias": "alias/<key_alias>",\n    "Tags": [\n      {\n        "TagKey": "<tag_key>",\n        "TagValue": "<tag_value>"\n      }\n    ],\n    "Policy": { <key_policy> },\n    "BypassPolicyLockoutSafetyCheck": false\n  },\n  "external_accounts": [ <external_accounts> ],\n  "key_admins": [ <key_admins> ],\n  "key_admins_roles": [ <key_admins_roles> ],\n  "key_users": [ <key_users> ],\n  "key_users_roles": [ <key_users_roles> ],\n  "policytemplate": "<policytemplate>"\n}' --compressed

Path Parameters

Parameter | Type | Description
id | string | ID of the AWS HYOK key.

Request Parameters

Parameter | Type | Description
AUTHTOKEN | string | Authorization Token
aws_param | JSON | AWS key parameters.
external_accounts | array | AWS accounts that can use this key. External accounts are mutually exclusive to policy and policy template. If no policy parameters are specified, the default policy is used.
key_admins | array | IAM users who can administer this key using the KMS API. Key admins are mutually exclusive to policy and policy template. If no policy parameters are specified, the default policy is used.
key_admins_roles | array | IAM roles that can administer this key using the KMS API. Key admins are mutually exclusive to policy and policy template. If no policy parameters are specified, the default policy is used.
key_users | array | IAM users who can use the KMS key in cryptographic operations. Key users are mutually exclusive to policy and policy template. If no policy parameters are specified, the default policy is used.
key_users_roles | array | IAM roles that can use the KMS key in cryptographic operations. Key users are mutually exclusive to policy and policy template. If no policy parameters are specified, the default policy is used.
policytemplate | string | ID of the policy template to apply. Policy template is mutually exclusive to all other policy parameters. If no policy parameters are specified, the default policy is used.

AWS Key Parameters

Parameter | Type | Description
Alias | string | Alias for the KMS key.
BypassPolicyLockoutSafetyCheck | boolean | Whether to bypass the key policy lockout safety check.
Description | string | Description of the KMS key.
Policy | JSON | Key policy to attach to the KMS key. Policy is mutually exclusive to all other policy parameters. If no policy parameters are specified, the default policy is used.
Tags | array | Optional tags for the KMS key. Each entry has the two fields below.
Tags[].TagKey | string | Key for the tag.
Tags[].TagValue | string | Value corresponding to the key of the tag.
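
The parameter tables above state that Policy, policytemplate and the grant lists (external_accounts, key_admins, key_admins_roles, key_users, key_users_roles) are mutually exclusive, and that the default key policy applies when none is given. The following added example (not CipherTrust's own code) assembles the link request body and rejects the combinations the documentation rules out, so that a caller cannot accidentally fall through to the default policy by sending conflicting parameters. The account ID, ARNs and template ID below are constructed placeholders; the function names are this example's own.

```python
"""Assemble and validate the body for POST /v1/cckm/aws/keys/{id}/link.

Added example, not CipherTrust's own code. It encodes the rules stated in the
parameter tables above: Policy, policytemplate and the grant lists
(external_accounts, key_admins, key_admins_roles, key_users, key_users_roles)
are mutually exclusive, and when none is given the default policy applies.
The account ID, ARNs and template ID used below are constructed placeholders.
"""
import json
from typing import Any, Dict, List, Optional

GRANT_LISTS = ("external_accounts", "key_admins", "key_admins_roles",
               "key_users", "key_users_roles")


def validate_link_params(policy: Optional[Dict[str, Any]] = None,
                         policytemplate: Optional[str] = None,
                         **grants: List[str]) -> List[str]:
    """Return a list of problems; empty when the combination is allowed."""
    problems = []
    unknown = sorted(set(grants) - set(GRANT_LISTS))
    if unknown:
        problems.append(f"unknown parameters: {unknown}")
    used = []
    if policy is not None:
        used.append("Policy")
    if policytemplate is not None:
        used.append("policytemplate")
    if any(grants.get(name) for name in GRANT_LISTS):
        used.append("grant lists")
    if len(used) > 1:
        problems.append("mutually exclusive policy parameters combined: " + ", ".join(used))
    return problems


def build_link_body(alias: str, *, description: Optional[str] = None,
                    tags: Optional[Dict[str, str]] = None,
                    policy: Optional[Dict[str, Any]] = None,
                    policytemplate: Optional[str] = None,
                    bypass_lockout_check: bool = False,
                    **grants: List[str]) -> Dict[str, Any]:
    """Build the request dict, refusing combinations the API documents as
    mutually exclusive instead of letting the server silently apply the
    default policy."""
    problems = validate_link_params(policy=policy, policytemplate=policytemplate, **grants)
    if not alias.startswith("alias/"):
        problems.append("Alias must carry the alias/ prefix shown in the syntax above")
    if problems:
        raise ValueError("; ".join(problems))
    # BypassPolicyLockoutSafetyCheck stays false unless the caller asks for it:
    # it is the switch that allows a key policy to be attached which the
    # caller can no longer administer.
    aws_param: Dict[str, Any] = {"Alias": alias,
                                 "BypassPolicyLockoutSafetyCheck": bypass_lockout_check}
    if description:
        aws_param["Description"] = description
    if tags:
        aws_param["Tags"] = [{"TagKey": k, "TagValue": v} for k, v in sorted(tags.items())]
    if policy is not None:
        aws_param["Policy"] = policy
    body: Dict[str, Any] = {"aws_param": aws_param}
    if policytemplate is not None:
        body["policytemplate"] = policytemplate
    body.update({name: list(values) for name, values in grants.items() if values})
    return body


def policy_mode(body: Dict[str, Any]) -> str:
    """Which of the four documented outcomes a body selects."""
    if "Policy" in body.get("aws_param", {}):
        return "policy"
    if "policytemplate" in body:
        return "template"
    if any(name in body for name in GRANT_LISTS):
        return "grants"
    return "default"


if __name__ == "__main__":
    # Constructed placeholder values; several grant lists may be combined.
    body = build_link_body("alias/projectKey1", tags={"env": "placeholder"},
                           key_users=["arn:aws:iam::000000000000:user/placeholder-user"],
                           key_admins_roles=["arn:aws:iam::000000000000:role/placeholder-admin"])
    print(policy_mode(body))
    print(json.dumps(body, indent=2))
```

Serialize the returned dict with json.dumps and send it as the request body in place of the $'...' literal in the Syntax above; the grant lists may be combined with each other, but never with Policy or policytemplate.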

Example Request

curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/keys/1234567/link' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.0t1RgwRNA8bW6UOEm1SHY0emNjP0chJ6HGj242HUOMY' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n  "aws_param": {\n    "Alias": "alias/projectKey1",\n    "Tags": [\n      {\n        "TagKey": "key",\n        "TagValue": "value"\n      }\n    ],\n    "Policy": {\n      "Version": "2022-04-17",\n      "Id": "key-default-1",\n      "Statement": [\n        {\n          "Sid": "Enable IAM User Permissions",\n          "Effect": "Allow",\n          "Principal": {\n            "AWS": "arn:aws:iam::123456789012:root"\n          },\n          "Action": "kms:*",\n          "Resource": "*"\n        }\n      ]\n    },\n    "BypassPolicyLockoutSafetyCheck": false\n  }\n}' --compressed

Example Response

{
    "application/json": {
        "id": "677f9689-b2af-4fdb-ad9a-71cac77f7fa0",
        "uri": "kylo:kylo:cckm:aws-key:677f9689-b2af-4fdb-ad9a-71cac77f7fa0",
        "account": "kylo:kylo:admin:accounts:kylo",
        "application": "ncryptify:gemalto:admin:apps:kylo",
        "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
        "createdAt": "2020-07-24T04:10:56.180805743Z",
        "updatedAt": "2020-07-24T04:10:56.177874659Z",
        "kms_id": "ebdd67ec-a87b-4ae6-ae71-fd4dd3e3a5ad",
        "kms": "kms-name",
        "rotation_status": "ACTIVE",
        "synced_at": "2020-07-24T04:10:56.125474304Z",
        "cloud_name": "aws",
        "key_type": "symmetric",
        "basic_view_enabled": false,
        "region": "ap-southeast-1",
        "gone": false,
        "key_material_origin": "native",
        "key_source": "hsm-luna",
        "blocked": true,
        "linked_state": true,
        "custom_key_store_id": "eb4fc6ee-35f7-42c7-9116-37fdecb43941",
        "aws_param": {
            "AWSAccountId": "123456789012",
            "Arn": "arn:aws:kms:ap-southeast-1:123456789012:key/677f9689-b2af-4fdb-ad9a-71cac77f7fa0",
            "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
            "Description": "Description",
            "Enabled": true,
            "EncryptionAlgorithms": [
                "SYMMETRIC_DEFAULT"
            ],
            "KeyID": "677f9689-b2af-4fdb-ad9a-71cac77f7fa0",
            "KeyManager": "CUSTOMER",
            "KeyState": "Enabled",
            "KeyUsage": "ENCRYPT_DECRYPT",
            "Origin": "AWS_KMS",
            "CreationDate": "2020-07-24T04:10:55Z",
            "Policy": {
                "Version": "2012-10-17",
                "Id": "key-default-1",
                "Statement": [
                    {
                        "Sid": "Enable IAM User Permissions",
                        "Effect": "Allow",
                        "Principal": {
                            "AWS": "arn:aws:iam::123456789012:root"
                        },
                        "Action": "kms:*",
                        "Resource": "*"
                    }
                ]
            },
            "Alias": [
                "alias/Test"
            ],
            "Tags": [
                {
                    "TagKey": "key",
                    "TagValue": "value"
                }
            ],
            "KeyRotationEnabled": false
        }
    }
}

Response Codes

Response Code | Description
2xx | Success
4xx | Client errors
5xx | Server errors

Refer to HTTP status codes for details.