Skip to main content
A newer release of this product is available.

Migrate SVM keys between security key managers

Contributors

POST /security/key-managers/{source.uuid}/migrate

Introduced In: 9.7

Migrates the keys belonging to an SVM between the cluster's key manager and the SVM's key manager. This operation can run for several minutes.

Required properties

  • source.uuid - UUID of the source key manager.

  • uuid - UUID of the destination key manager. The UUID of onboard and external KMIP key manager can be fetched using [GET /api/security/key-managers]. The UUID of Azure Key Vault key manager can be fetched using [GET /api/security/azure-key-vaults]. The UUID of Google Cloud key manager can be fetched using [GET /api/security/gcp-kms].

  • security key-manager migrate

Parameters

Name Type In Required Description

source.uuid

string

path

True

Migration source key manager UUID

return_timeout

integer

query

False

The number of seconds to allow the call to execute before returning. When doing a POST, PATCH, or DELETE operation on a single record, the default is 0 seconds. This means that if an asynchronous operation is started, the server immediately returns HTTP code 202 (Accepted) along with a link to the job. If a non-zero value is specified for POST, PATCH, or DELETE operations, ONTAP waits that length of time to see if the job completes so it can return something other than 202.

  • Default value: 1

  • Max value: 120

  • Min value: 0

return_records

boolean

query

False

The default is false. If set to true, the records are returned.

  • Default value:

Request Body

Name Type Description

_links

_links

uuid

string

Key manager UUID

Example request
{
  "_links": {
    "self": {
      "href": "/api/resourcelink"
    }
  },
  "uuid": "1cd8a442-86d1-11e0-ae1c-123478563434"
}

Response

Status: 202, Accepted
Name Type Description

job

job_link

Example response
{
  "job": {
    "_links": {
      "self": {
        "href": "/api/resourcelink"
      }
    },
    "uuid": "string"
  }
}

Error

Status: Default

ONTAP Error Response Codes

Error Code Description

65536886

The specified migration option is not supported in this release.

65536959

The source-uuid and UUID must be different values.

65536968

Check that all nodes of the cluster are healthy and retry the operation.

65537117

The migrate operation cannot be started because a UUID cannot be converted to an SVM name.

65537117

Cannot start migration because a key manager referenced by a provided UUID does not exist.

65537551

Top-level internal key protection key (KEK) is unavailable on one or more nodes.

65537552

Embedded KMIP server status is not available.

65537564

Check that the Azure Key Vault Service is healthy and retry the operation.

65537720

Failed to configure the Google Cloud Key Management Service for an SVM because a key manager is already configured.

65537736

Check that the Google Cloud Key Management Service is healthy and retry the operation.

65538107

Key migration to an IBM Key Lore key manager is not supported.

Name Type Description

error

error

Example error
{
  "error": {
    "arguments": [
      {
        "code": "string",
        "message": "string"
      }
    ],
    "code": "4",
    "message": "entry doesn't exist",
    "target": "uuid"
  }
}

Definitions

See Definitions

href

Name Type Description

href

string

Name Type Description

self

href

info

Migration destination key manager UUID

Name Type Description

_links

_links

uuid

string

Key manager UUID

Name Type Description

_links

_links

uuid

string

The UUID of the asynchronous job that is triggered by a POST, PATCH, or DELETE operation.

error_arguments

Name Type Description

code

string

Argument code

message

string

Message argument

error

Name Type Description

arguments

array[error_arguments]

Message arguments

code

string

Error code

message

string

Error message

target

string

The target parameter that caused the error.