Provisioning API
This section describes how to configure the Provisioning API with the SafeNet IDPrime Virtual (IDPV) Server.
The Provisioning API allows an admin to create tokens on behalf of users. The admin accesses the Provisioning API with the API key generated in API Key Management.
Once provisioning is complete, the admin cannot update the token.
The admin can perform the following functions of the Provisioning API:
- Create Token - Creates blank tokens.
  - Use version V1 to create tokens, which can contain only a 2k-size RSA key. These tokens are known as old tokens.
  - Use version V2 to create tokens, which can import a 2k, 3k or 4k-size RSA key. These tokens are known as new tokens.
- Get All Tokens - Gets the list of virtual token ID(s) assigned to the given user.
  - Use version V1 to get a list of old tokens only.
  - Use version V2 to get a list of all the tokens (old and new).
- Import Certificate - Imports a certificate into a token. In this version, an RSA certificate in pfx file format (2048-bit, 3072-bit, and 4096-bit private key) is supported.
- Update Token Label - Sets a new name for the token. The maximum length of a token name is 32 characters.
- Delete Token - Removes the token. Once a token is deleted, it cannot be recovered.
- Reset Pin - Admin can update the token password and the admin password.
- Get All Certificates - Lists all the certificates available in the token.
- Complete Provisioning - Admin can mark provisioning complete for a token.
- Certificate Signing Request - This API generates a key pair and a CSR for the user as given below. Use the generated CSR to obtain a certificate from the Certificate Authority (CA). Currently, the following Key Usage and Extended Key Usage IDs are supported:
  - SupportedKeyUsages
    [ 1, 8, 16, 32, 64, 128, 32768 ]
  - SupportedExtendedKeyUsageOids
    [
      "1.3.6.1.5.5.7.3.1",      // server auth
      "1.3.6.1.5.5.7.3.2",      // client auth
      "1.3.6.1.5.5.7.3.3",      // code signing - easy to test, requires minimum setup
      "1.3.6.1.5.5.7.3.4",      // email protection - easy to test, requires minimum setup
      "1.3.6.1.5.5.7.3.5",      // ipsecEndSystem
      "1.3.6.1.5.5.7.3.6",      // ipsecTunnel
      "1.3.6.1.5.5.7.3.7",      // ipsecUser
      "1.3.6.1.5.5.7.3.8",      // timeStamping
      "1.3.6.1.5.5.7.3.9",      // ocspSigning
      "1.3.6.1.1.1.1.22",       // mac address
      "1.3.6.1.4.1.311.20.2.2"  // microsoft smartcard logon - easy to test, requires minimum setup
    ]
  - SupportedKeySize
    [ 2048 / 3072 / 4096 ]
- Update Certificate - Admin can import the certificate generated by a CA from the CSR produced by the Certificate Signing Request API described above.
- Get Tenant Exchange Public Key - Returns the tenant exchange public key type, modulus and exponent for the given tenant.
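As an added example (not code from the IDPV documentation or SDK), a Python pre-check that validates the inputs of a Certificate Signing Request call against the supported key usages, extended key usage OIDs and key sizes listed above, and reports exactly which part of a request would be rejected. The flag names are an assumption: the listed integers match the X509KeyUsageFlags bit values, which the page itself does not state.

```python
from functools import reduce
from operator import or_

# Values exactly as listed on the page for the Certificate Signing Request API.
SUPPORTED_KEY_USAGES = {1, 8, 16, 32, 64, 128, 32768}
SUPPORTED_MASK = reduce(or_, SUPPORTED_KEY_USAGES)  # OR of every supported bit
SUPPORTED_KEY_SIZES = {2048, 3072, 4096}
SUPPORTED_EKU_OIDS = {
    "1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.3",  # serverAuth, clientAuth, codeSigning
    "1.3.6.1.5.5.7.3.4", "1.3.6.1.5.5.7.3.5", "1.3.6.1.5.5.7.3.6",  # emailProtection, ipsecEndSystem, ipsecTunnel
    "1.3.6.1.5.5.7.3.7", "1.3.6.1.5.5.7.3.8", "1.3.6.1.5.5.7.3.9",  # ipsecUser, timeStamping, ocspSigning
    "1.3.6.1.1.1.1.22", "1.3.6.1.4.1.311.20.2.2",                   # mac address, Microsoft smartcard logon
}
# Assumed flag names (the values match X509KeyUsageFlags). keyCertSign (4) and
# cRLSign (2) are not in the supported set, so CA-style usages are rejected below.
KEY_USAGE_NAMES = {1: "encipherOnly", 8: "keyAgreement", 16: "dataEncipherment",
                   32: "keyEncipherment", 64: "nonRepudiation",
                   128: "digitalSignature", 32768: "decipherOnly"}


def decode_key_usage(mask):
    """Names of the supported bits set in mask, plus any leftover bits as hex."""
    names = [KEY_USAGE_NAMES[b] for b in sorted(KEY_USAGE_NAMES) if mask & b]
    leftover = mask & ~SUPPORTED_MASK
    if leftover:
        names.append(f"unsupported(0x{leftover:x})")
    return names


def validate_csr_request(key_usage, eku_oids, key_size):
    """Return a list of problems; an empty list means the request can be sent."""
    problems = []
    if key_usage <= 0:
        problems.append("key usage must combine at least one supported flag")
    elif key_usage & ~SUPPORTED_MASK:
        problems.append(f"unsupported key usage bits: 0x{key_usage & ~SUPPORTED_MASK:x}")
    bad_oids = sorted(set(eku_oids) - SUPPORTED_EKU_OIDS)
    if bad_oids:
        problems.append("unsupported extended key usage OIDs: " + ", ".join(bad_oids))
    if key_size not in SUPPORTED_KEY_SIZES:
        problems.append(f"unsupported key size {key_size}; use one of {sorted(SUPPORTED_KEY_SIZES)}")
    return problems


if __name__ == "__main__":
    # Constructed requests: a typical smartcard-logon profile, then one asking for keyCertSign with a 1024-bit key
    print(decode_key_usage(128 | 32), validate_csr_request(128 | 32, ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.20.2.2"], 2048))
    print(validate_csr_request(128 | 4, ["1.3.6.1.5.5.7.3.1"], 1024))
```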
Provisioning APIs SDK Reference
For detailed information on Provisioning API parameters, refer to the Provisioning APIs (API and SDK Documentation).
Revoke API Keys From Database
This section describes the process to delete the API keys from the database.
Since the API key is not saved as plain text in the table, it is deleted with the help of tenantId, friendlyName and userID. Because these three values are not guaranteed to be unique, this can result in the deletion of multiple records from the table.
Therefore, as recommended in API Key Management APIs, use a unique keyName (FriendlyName) while creating the API keys.
Deleting API Key from MySQL Server
Perform the following steps to delete the values from the MySQL server:
- Connect to the container using the following command:
  docker exec -it <DBServer> bash
  where: DBServer = Name of the mysqlDB/MariaDB container
- Log in to the server with a user having delete permission using the following command:
  mysql -u <username> -p
- Switch to the DB using the following command:
  use <dbName>;
  where: dbName = Current IDPV database
- Execute the following command:
  delete from APIKey where TenantId = '<tenantID>' and Name = '<friendlyName>' and UserId = '<userID>';
  where:
  • tenantID: Tenant Identifier (GUID format) used for creating the API key,
  • friendlyName: Friendly name or alias assigned to the API key,
  • userID: User ID whose JWT (Auth header) was used to create the API key
Deleting API Key from MariaDB Server
Perform the following steps to delete the values from the MariaDB server:
- Connect to the container using the following command:
  docker exec -it <DBServer> bash
  where: DBServer = Name of the mysqlDB/MariaDB container
- Log in to the server with a user having delete permission using the following command:
  mariadb -u <username> -p
- Switch to the DB using the following command:
  use <dbName>;
  where: dbName = Current IDPV database
- Execute the following command:
  delete from APIKey where TenantId = '<tenantID>' and Name = '<friendlyName>' and UserId = '<userID>';
  where:
  • tenantID: Tenant Identifier (GUID format) used for creating the API key,
  • friendlyName: Friendly name or alias assigned to the API key,
  • userID: User ID whose JWT (Auth header) was used to create the API key
Deleting API Key from MSSQL Server
Perform the following steps to delete the values from the MSSQL server:
- Connect to the container and log in to the server with a user having delete permission using the following command:
  docker exec -it <mssqldb> /opt/mssql-tools/bin/sqlcmd -U <username> -P <password> -S <ipAddress>
  where:
  • mssqldb = Name of the MSSQL container
  • ipAddress = IP Address of the MSSQL container
- Switch to the DB using the following commands:
  USE <databasename>;
  GO
  where: databasename = Current IDPV database
- Execute the following commands:
  DELETE FROM APIKey WHERE TenantId = '<tenantID>' AND Name = '<friendlyName>' AND UserId = '<userID>';
  GO
  where:
  • tenantID = Tenant Identifier (GUID format) used for creating the API key,
  • friendlyName = Friendly name or alias assigned to the API key,
  • userID = User ID whose JWT (Auth header) was used to create the API key
Deleting API Key from PostgreSQL Server
Perform the following steps to delete the values from the PostgreSQL server:
- Connect to the container using the following command:
  docker exec -it <postgressqldb> bash
  where: postgressqldb = Name of the PostgreSQL container
- Log in to the server with a user having delete permission using the following command:
  psql -U <username> -W -h <ipAddress>
  where: ipAddress = IP Address of the PostgreSQL container
- Switch to the DB using the following command:
  \c <databasename>
  where: databasename = Current IDPV database
- Execute the following command (psql has no GO batch separator; the statement runs on the terminating semicolon):
  DELETE FROM APIKey WHERE TenantId = '<tenantID>' AND Name = '<friendlyName>' AND UserId = '<userID>';
  where:
  • tenantID = Tenant Identifier (GUID format) used for creating the API key,
  • friendlyName = Friendly name or alias assigned to the API key,
  • userID = User ID whose JWT (Auth header) was used to create the API key
Deleting API Key from Oracle Server
Perform the following steps to delete the values from the Oracle server:
- Connect to the container using the following command:
  docker exec -it <oracledb> bash -c "source /home/oracle/.bashrc; sqlplus /nolog"
  where: oracledb = Name of the Oracle container
- Log in to the server with a user having delete permission using the following command:
  connect <username>/<password>@<ipaddress>:<port>/<database_name>;
  where: ipaddress = IP Address of the Oracle container
- Execute the following command (SQL*Plus has no GO batch separator; the statement runs on the terminating semicolon):
  DELETE FROM APIKey WHERE TenantId = '<tenantID>' AND Name = '<friendlyName>' AND UserId = '<userID>';
  where:
  • tenantID = Tenant Identifier (GUID format) used for creating the API key,
  • friendlyName = Friendly name or alias assigned to the API key,
  • userID = User ID whose JWT (Auth header) was used to create the API key
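The revocation steps above all rely on the same (TenantId, Name, UserId) triple, and the page warns that a reused friendly name makes that triple match more than one record. As an added example (not code from the IDPV documentation), the following Python script shows the safe pattern behind those steps: count the matching rows first, refuse an ambiguous match unless explicitly allowed, and run the parameterized DELETE inside a transaction. It uses an in-memory SQLite table as a constructed stand-in for the APIKey table, with the column names from the page; the KeyHash column and all sample values are constructed.

```python
import sqlite3

# Constructed stand-in for the IDPV APIKey table. Column names follow the page;
# KeyHash and the sample values are invented for the demonstration.
TENANT = "11111111-2222-3333-4444-555555555555"
OTHER_TENANT = "99999999-8888-7777-6666-555555555555"
SAMPLE_ROWS = [
    (TENANT, "ci-runner", "admin@example.test", "hash-a"),
    (TENANT, "ci-runner", "admin@example.test", "hash-b"),   # reused friendly name
    (TENANT, "backup-job", "admin@example.test", "hash-c"),
    (OTHER_TENANT, "ci-runner", "admin@example.test", "hash-d"),  # same name, other tenant
]


def open_sample_db():
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE APIKey (TenantId TEXT, Name TEXT, UserId TEXT, KeyHash TEXT)")
    conn.executemany("INSERT INTO APIKey VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def revoke_api_key(conn, tenant_id, friendly_name, user_id, allow_multiple=False):
    """Delete the rows matching (TenantId, Name, UserId) and return the number deleted.

    The key material itself is not stored in clear, so the triple is the only
    handle; if it matches more than one row the call refuses unless the caller
    opts in with allow_multiple. Values are bound as parameters, never inlined.
    """
    where = "TenantId = ? AND Name = ? AND UserId = ?"
    params = (tenant_id, friendly_name, user_id)
    (count,) = conn.execute(f"SELECT COUNT(*) FROM APIKey WHERE {where}", params).fetchone()
    if count == 0:
        return 0
    if count > 1 and not allow_multiple:
        raise ValueError(f"{count} API keys share this tenant/name/user triple; refusing to delete")
    with conn:  # commit on success, roll back if the DELETE fails
        cur = conn.execute(f"DELETE FROM APIKey WHERE {where}", params)
    return cur.rowcount


if __name__ == "__main__":
    db = open_sample_db()
    print(revoke_api_key(db, TENANT, "backup-job", "admin@example.test"))  # unique match
    try:
        revoke_api_key(db, TENANT, "ci-runner", "admin@example.test")       # ambiguous match
    except ValueError as err:
        print(err)
```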