Skip to main content
A newer release of this product is available.

Retrieve key managers

Contributors

GET /security/key-managers

Introduced In: 9.6

Retrieves key managers.

Expensive properties

There is an added computational cost to retrieving values for these properties. They are not included by default in GET results and must be explicitly requested using the fields query parameter. See Requesting specific fields to learn more.

  • connectivity.cluster_availability

  • connectivity.node_states.node.name

  • connectivity.node_states.node.uuid

  • connectivity.node_states.state

  • status.message

  • status.code

  • security key-manager show-key-store

  • security key-manager external show

  • security key-manager external show-status

  • security key-manager onboard show-backup

Parameters

Name Type In Required Description

scope

string

query

False

Filter by scope

onboard.enabled

boolean

query

False

Filter by onboard.enabled

onboard.key_backup

string

query

False

Filter by onboard.key_backup

  • Introduced in: 9.7

svm.uuid

string

query

False

Filter by svm.uuid

svm.name

string

query

False

Filter by svm.name

policy

string

query

False

Filter by policy

  • Introduced in: 9.9

external.client_certificate.uuid

string

query

False

Filter by external.client_certificate.uuid

external.client_certificate.name

string

query

False

Filter by external.client_certificate.name

  • Introduced in: 9.8

external.servers.server

string

query

False

Filter by external.servers.server

external.servers.username

string

query

False

Filter by external.servers.username

external.servers.connectivity.node_states.state

string

query

False

Filter by external.servers.connectivity.node_states.state

  • Introduced in: 9.13

external.servers.connectivity.node_states.node.uuid

string

query

False

Filter by external.servers.connectivity.node_states.node.uuid

  • Introduced in: 9.13

external.servers.connectivity.node_states.node.name

string

query

False

Filter by external.servers.connectivity.node_states.node.name

  • Introduced in: 9.13

external.servers.connectivity.cluster_availability

boolean

query

False

Filter by external.servers.connectivity.cluster_availability

  • Introduced in: 9.7

external.servers.secondary_key_servers

string

query

False

Filter by external.servers.secondary_key_servers

  • Introduced in: 9.8

external.servers.timeout

integer

query

False

Filter by external.servers.timeout

  • Max value: 60

  • Min value: 1

external.server_ca_certificates.uuid

string

query

False

Filter by external.server_ca_certificates.uuid

external.server_ca_certificates.name

string

query

False

Filter by external.server_ca_certificates.name

  • Introduced in: 9.8

uuid

string

query

False

Filter by uuid

status.code

integer

query

False

Filter by status.code

  • Introduced in: 9.7

status.message

string

query

False

Filter by status.message

  • Introduced in: 9.7

is_default_data_at_rest_encryption_disabled

boolean

query

False

Filter by is_default_data_at_rest_encryption_disabled

  • Introduced in: 9.7

volume_encryption.message

string

query

False

Filter by volume_encryption.message

  • Introduced in: 9.7

volume_encryption.code

integer

query

False

Filter by volume_encryption.code

  • Introduced in: 9.7

volume_encryption.supported

boolean

query

False

Filter by volume_encryption.supported

  • Introduced in: 9.7

fields

array[string]

query

False

Specify the fields to return.

max_records

integer

query

False

Limit the number of records returned.

return_timeout

integer

query

False

The number of seconds to allow the call to execute before returning. When iterating over a collection, the default is 15 seconds. ONTAP returns earlier if either max records or the end of the collection is reached.

  • Max value: 120

  • Min value: 0

  • Default value: 1

return_records

boolean

query

False

The default is true for GET calls. When set to false, only the number of records is returned.

  • Default value: 1

order_by

array[string]

query

False

Order results by specified fields and optional [asc

Response

Status: 200, Ok
Name Type Description

_links

_links

num_records

integer

Number of records

records

array[security_key_manager]

Example response
{
  "_links": {
    "next": {
      "href": "/api/resourcelink"
    },
    "self": {
      "href": "/api/resourcelink"
    }
  },
  "num_records": 1,
  "records": [
    {
      "_links": {
        "self": {
          "href": "/api/resourcelink"
        }
      },
      "external": {
        "client_certificate": {
          "_links": {
            "self": {
              "href": "/api/resourcelink"
            }
          },
          "name": "cert1",
          "uuid": "1cd8a442-86d1-11e0-ae1c-123478563412"
        },
        "server_ca_certificates": [
          {
            "_links": {
              "self": {
                "href": "/api/resourcelink"
              }
            },
            "name": "cert1",
            "uuid": "1cd8a442-86d1-11e0-ae1c-123478563412"
          }
        ],
        "servers": [
          {
            "_links": {
              "self": {
                "href": "/api/resourcelink"
              }
            },
            "connectivity": {
              "node_states": [
                {
                  "node": {
                    "_links": {
                      "self": {
                        "href": "/api/resourcelink"
                      }
                    },
                    "name": "node1",
                    "uuid": "1cd8a442-86d1-11e0-ae1c-123478563412"
                  },
                  "state": "not_responding"
                }
              ]
            },
            "secondary_key_servers": "secondary1.com, 10.2.3.4",
            "server": "keyserver1.com:5698",
            "timeout": 60,
            "username": "admin"
          }
        ]
      },
      "onboard": {
        "existing_passphrase": "The cluster password of length 32-256 ASCII characters.",
        "key_backup": "'--------------------------BEGIN BACKUP-------------------------- TmV0QXBwIEtleSBCbG9iAAEAAAAEAAAAcAEAAAAAAAAxBFWWAAAAACEAAAAAAAAA QAAAAAAAAABzDyyVAAAAALI5Jsjvy6gUxnT78KoDKXHYb6sSeraM00quOULY6BeV n6dMFxuErCD1lbERaOQZSuaYy1p8oQHtTEfGMLZM4TYiAAAAAAAAACgAAAAAAAAA 3WTh7gAAAAAAAAAAAAAAAAIAAAAAAAgAZJEIWvdeHr5RCAvHGclo+wAAAAAAAAAA IgAAAAAAAAAoAAAAAAAAAEOTcR0AAAAAAAAAAAAAAAACAAAAAAAJAGr3tJA/LRzU QRHwv+1aWvAAAAAAAAAAACQAAAAAAAAAgAAAAAAAAADV1Vd/AAAAAMFM9Q229Bhp mDaTSdqku5DCd8wG+fOZSr4bx4JT5WHvV/r5gJnXDQQAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABOZXRBcHAgS2V5IEJsb2IA AQAAAAMAAAAYAQAAAAAAALgePkcAAAAAIgAAAAAAAAAoAAAAAAAAAEOTcR0AAAAA AAAAAAAAAAACAAAAAAAJAGr3tJA/LRzUQRHwv+1aWvAAAAAAAAAAACIAAAAAAAAA KAAAAAAAAACIlCHZAAAAAAAAAAAAAAAAAgAAAAAAAQCafcabsxRXMM7gxhLRrzxh AAAAAAAAAAAkAAAAAAAAAIAAAAAAAAAA2JjQBQAAAACt4IqXcNpVggahl0axLsN4 yQjnNVKWY7mANB29O42hI7b70DTGCTaVAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAE5ldEFwcCBLZXkgQmxvYgABAAAAAwAAABgBAAAAAAAA 7sbaoQAAAAAiAAAAAAAAACgAAAAAAAAAQ5NxHQAAAAAAAAAAAAAAAAIAAAAAAAkA ave0kD8tHNRBEfC/7Vpa8AAAAAAAAAAAIgAAAAAAAAAoAAAAAAAAALOHfWkAAAAA AAAAAAAAAAACAAAAAAABAMoI9UxrHOGthQm/CB+EHdAAAAAAAAAAACQAAAAAAAAA gAAAAAAAAACnMmUtAAAAAGVk8AtPzENFgsGdsFvnmucmYrlQCsFew0HDSFKaZqK6 W8IEVzBAhPoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ---------------------------END BACKUP---------------------------'",
        "passphrase": "The cluster password of length 32-256 ASCII characters."
      },
      "policy": "string",
      "scope": "string",
      "status": {
        "code": 346758,
        "message": "This cluster is part of a MetroCluster configuration. Use the REST API POST method security/key_managers/ with the synchronize option and the same passphrase on the partner cluster before proceeding with any key manager operations.  Failure to do so could lead to switchover or switchback failure."
      },
      "svm": {
        "_links": {
          "self": {
            "href": "/api/resourcelink"
          }
        },
        "name": "svm1",
        "uuid": "02c9e252-41be-11e9-81d5-00a0986138f7"
      },
      "uuid": "string",
      "volume_encryption": {
        "code": 346758,
        "message": "No platform support for volume encryption in following nodes - node1, node2."
      }
    }
  ]
}

Error

Status: Default, Error
Name Type Description

error

error

Example error
{
  "error": {
    "arguments": [
      {
        "code": "string",
        "message": "string"
      }
    ],
    "code": "4",
    "message": "entry doesn't exist",
    "target": "uuid"
  }
}

Definitions

See Definitions

href

Name Type Description

href

string

Name Type Description

next

href

self

href

Name Type Description

self

href

client_certificate

Client certificate (name and UUID)

Name Type Description

_links

_links

name

string

Certificate name

uuid

string

Certificate UUID

server_ca_certificates

Name Type Description

_links

_links

name

string

Certificate name

uuid

string

Certificate UUID

Name Type Description

self

href

node

Name Type Description

_links

_links

name

string

uuid

string

key_server_state

The connectivity state of the key server for a specific node.

Name Type Description

node

node

state

string

Key server connectivity state

connectivity

This property contains the key server connectivity state of all nodes in the cluster. This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET or an instance GET unless it is explicitly requested using the fields query parameter or GET for all advanced properties is enabled.

Name Type Description

cluster_availability

boolean

Set to true when key server connectivity state is available on all nodes of the cluster.

node_states

array[key_server_state]

An array of key server connectivity states for each node.

key_server_readcreate

Name Type Description

_links

self_link

connectivity

connectivity

This property contains the key server connectivity state of all nodes in the cluster. This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET or an instance GET unless it is explicitly requested using the fields query parameter or GET for all advanced properties is enabled.

secondary_key_servers

string

A comma delimited string of the secondary key servers associated with the primary key server.

server

string

External key server for key management. If no port is provided, a default port of 5696 is used.

timeout

integer

I/O timeout in seconds for communicating with the key server.

username

string

Username credentials for connecting with the key server.

external

Configures external key management

Name Type Description

client_certificate

client_certificate

Client certificate (name and UUID)

server_ca_certificates

array[server_ca_certificates]

The array of certificates that are common for all the keyservers per SVM.

servers

array[key_server_readcreate]

The set of external key servers.

onboard

Configures onboard key management. After configuring onboard key management, save the encrypted configuration data in a safe location so that you can use it if you need to perform a manual recovery operation.

Name Type Description

enabled

boolean

Is the onboard key manager enabled?

existing_passphrase

string

The cluster-wide passphrase. This is not audited.

key_backup

string

Backup of the onboard key manager's key hierarchy. It is required to save this backup after configuring the onboard key manager to help in the recovery of the cluster in case of catastrophic failures.

passphrase

string

The cluster-wide passphrase. This is not audited.

synchronize

boolean

Synchronizes missing onboard keys on any node in the cluster. If a node is added to a cluster that has onboard key management configured, the synchronize operation needs to be performed in a PATCH operation. In a MetroCluster configuration, if onboard key management is enabled on one site, then the synchronize operation needs to be run as a POST operation on the remote site providing the same passphrase.

status

Optional status information on the current state of the key manager indicating if it is fully setup or requires more action.

Name Type Description

code

integer

Code corresponding to the status message. Returns 0 if the setup is complete. This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET or an instance GET unless it is explicitly requested using the fields query parameter or GET for all advanced properties is enabled.

message

string

Current state of the key manager indicating any additional steps to perform to finish the setup. This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET or an instance GET unless it is explicitly requested using the fields query parameter or GET for all advanced properties is enabled.

svm

Name Type Description

_links

_links

name

string

The name of the SVM.

uuid

string

The unique identifier of the SVM.

volume_encryption

Indicates whether volume encryption is supported in the cluster.

Name Type Description

code

integer

Code corresponding to the status message. Returns a 0 if volume encryption is supported in all nodes of the cluster.

message

string

Reason for not supporting volume encryption.

supported

boolean

Set to true when volume encryption support is available on all nodes of the cluster.

security_key_manager

Name Type Description

_links

_links

external

external

Configures external key management

is_default_data_at_rest_encryption_disabled

boolean

Indicates whether default data-at-rest encryption is disabled in the cluster. This field is deprecated in ONTAP 9.8 and later. Use the "software_data_encryption.disabled_by_default" of /api/security endpoint.

  • Default value:

  • Introduced in: 9.7

  • x-ntap-readModify: true

  • x-nullable: true

onboard

onboard

Configures onboard key management. After configuring onboard key management, save the encrypted configuration data in a safe location so that you can use it if you need to perform a manual recovery operation.

policy

string

Security policy associated with the key manager. This value is currently ignored if specified for the onboard key manager.

scope

string

Set to "svm" for interfaces owned by an SVM. Otherwise, set to "cluster".

status

status

Optional status information on the current state of the key manager indicating if it is fully setup or requires more action.

svm

svm

uuid

string

volume_encryption

volume_encryption

Indicates whether volume encryption is supported in the cluster.

error_arguments

Name Type Description

code

string

Argument code

message

string

Message argument

error

Name Type Description

arguments

array[error_arguments]

Message arguments

code

string

Error code

message

string

Error message

target

string

The target parameter that caused the error.