REST API reference
Retrieve key managers
Suggest changes
PDFs
GET /security/key-managers
Introduced In: 9.6
Retrieves key managers.
Expensive properties
There is an added computational cost to retrieving values for these properties. They are not included by default in GET results and must be explicitly requested using the fields query parameter. See Requesting specific fields to learn more.
-
connectivity.cluster_availability -
connectivity.node_states.node.name -
connectivity.node_states.node.uuid -
connectivity.node_states.state -
status.message -
status.code
Related ONTAP commands
-
security key-manager show-key-store -
security key-manager external show -
security key-manager external show-status -
security key-manager onboard show-backup
Parameters
| Name | Type | In | Required | Description |
|---|---|---|---|---|
scope |
string |
query |
False |
Filter by scope |
onboard.enabled |
boolean |
query |
False |
Filter by onboard.enabled |
onboard.key_backup |
string |
query |
False |
Filter by onboard.key_backup
|
svm.uuid |
string |
query |
False |
Filter by svm.uuid |
svm.name |
string |
query |
False |
Filter by svm.name |
policy |
string |
query |
False |
Filter by policy
|
external.client_certificate.uuid |
string |
query |
False |
Filter by external.client_certificate.uuid |
external.client_certificate.name |
string |
query |
False |
Filter by external.client_certificate.name
|
external.servers.server |
string |
query |
False |
Filter by external.servers.server |
external.servers.username |
string |
query |
False |
Filter by external.servers.username |
external.servers.connectivity.node_states.state |
string |
query |
False |
Filter by external.servers.connectivity.node_states.state
|
external.servers.connectivity.node_states.node.uuid |
string |
query |
False |
Filter by external.servers.connectivity.node_states.node.uuid
|
external.servers.connectivity.node_states.node.name |
string |
query |
False |
Filter by external.servers.connectivity.node_states.node.name
|
external.servers.connectivity.cluster_availability |
boolean |
query |
False |
Filter by external.servers.connectivity.cluster_availability
|
external.servers.secondary_key_servers |
string |
query |
False |
Filter by external.servers.secondary_key_servers
|
external.servers.timeout |
integer |
query |
False |
Filter by external.servers.timeout
|
external.server_ca_certificates.uuid |
string |
query |
False |
Filter by external.server_ca_certificates.uuid |
external.server_ca_certificates.name |
string |
query |
False |
Filter by external.server_ca_certificates.name
|
uuid |
string |
query |
False |
Filter by uuid |
status.code |
integer |
query |
False |
Filter by status.code
|
status.message |
string |
query |
False |
Filter by status.message
|
is_default_data_at_rest_encryption_disabled |
boolean |
query |
False |
Filter by is_default_data_at_rest_encryption_disabled
|
volume_encryption.message |
string |
query |
False |
Filter by volume_encryption.message
|
volume_encryption.code |
integer |
query |
False |
Filter by volume_encryption.code
|
volume_encryption.supported |
boolean |
query |
False |
Filter by volume_encryption.supported
|
fields |
array[string] |
query |
False |
Specify the fields to return. |
max_records |
integer |
query |
False |
Limit the number of records returned. |
return_timeout |
integer |
query |
False |
The number of seconds to allow the call to execute before returning. When iterating over a collection, the default is 15 seconds. ONTAP returns earlier if either max records or the end of the collection is reached.
|
return_records |
boolean |
query |
False |
The default is true for GET calls. When set to false, only the number of records is returned.
|
order_by |
array[string] |
query |
False |
Order results by specified fields and optional [asc |
Response
Status: 200, Ok| Name | Type | Description |
|---|---|---|
_links |
||
num_records |
integer |
Number of records |
records |
array[security_key_manager] |
Example response
{
"_links": {
"next": {
"href": "/api/resourcelink"
},
"self": {
"href": "/api/resourcelink"
}
},
"num_records": 1,
"records": {
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"external": {
"client_certificate": {
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"name": "cert1",
"uuid": "1cd8a442-86d1-11e0-ae1c-123478563412"
},
"server_ca_certificates": {
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"name": "cert1",
"uuid": "1cd8a442-86d1-11e0-ae1c-123478563412"
},
"servers": {
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"connectivity": {
"node_states": {
"node": {
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"name": "node1",
"uuid": "1cd8a442-86d1-11e0-ae1c-123478563412"
},
"state": "not_responding"
}
},
"secondary_key_servers": "secondary1.com, 10.2.3.4",
"server": "keyserver1.com:5698",
"timeout": 60,
"username": "admin"
}
},
"onboard": {
"existing_passphrase": "The cluster password of length 32-256 ASCII characters.",
"key_backup": "'--------------------------BEGIN BACKUP-------------------------- TmV0QXBwIEtleSBCbG9iAAEAAAAEAAAAcAEAAAAAAAAxBFWWAAAAACEAAAAAAAAA QAAAAAAAAABzDyyVAAAAALI5Jsjvy6gUxnT78KoDKXHYb6sSeraM00quOULY6BeV n6dMFxuErCD1lbERaOQZSuaYy1p8oQHtTEfGMLZM4TYiAAAAAAAAACgAAAAAAAAA 3WTh7gAAAAAAAAAAAAAAAAIAAAAAAAgAZJEIWvdeHr5RCAvHGclo+wAAAAAAAAAA IgAAAAAAAAAoAAAAAAAAAEOTcR0AAAAAAAAAAAAAAAACAAAAAAAJAGr3tJA/LRzU QRHwv+1aWvAAAAAAAAAAACQAAAAAAAAAgAAAAAAAAADV1Vd/AAAAAMFM9Q229Bhp mDaTSdqku5DCd8wG+fOZSr4bx4JT5WHvV/r5gJnXDQQAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABOZXRBcHAgS2V5IEJsb2IA AQAAAAMAAAAYAQAAAAAAALgePkcAAAAAIgAAAAAAAAAoAAAAAAAAAEOTcR0AAAAA AAAAAAAAAAACAAAAAAAJAGr3tJA/LRzUQRHwv+1aWvAAAAAAAAAAACIAAAAAAAAA KAAAAAAAAACIlCHZAAAAAAAAAAAAAAAAAgAAAAAAAQCafcabsxRXMM7gxhLRrzxh AAAAAAAAAAAkAAAAAAAAAIAAAAAAAAAA2JjQBQAAAACt4IqXcNpVggahl0axLsN4 yQjnNVKWY7mANB29O42hI7b70DTGCTaVAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAE5ldEFwcCBLZXkgQmxvYgABAAAAAwAAABgBAAAAAAAA 7sbaoQAAAAAiAAAAAAAAACgAAAAAAAAAQ5NxHQAAAAAAAAAAAAAAAAIAAAAAAAkA ave0kD8tHNRBEfC/7Vpa8AAAAAAAAAAAIgAAAAAAAAAoAAAAAAAAALOHfWkAAAAA AAAAAAAAAAACAAAAAAABAMoI9UxrHOGthQm/CB+EHdAAAAAAAAAAACQAAAAAAAAA gAAAAAAAAACnMmUtAAAAAGVk8AtPzENFgsGdsFvnmucmYrlQCsFew0HDSFKaZqK6 W8IEVzBAhPoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ---------------------------END BACKUP---------------------------'",
"passphrase": "The cluster password of length 32-256 ASCII characters."
},
"scope": "svm",
"status": {
"code": 346758,
"message": "This cluster is part of a MetroCluster configuration. Use the REST API POST method security/key_managers/ with the synchronize option and the same passphrase on the partner cluster before proceeding with any key manager operations. Failure to do so could lead to switchover or switchback failure."
},
"svm": {
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"name": "svm1",
"uuid": "02c9e252-41be-11e9-81d5-00a0986138f7"
},
"uuid": "string",
"volume_encryption": {
"code": 346758,
"message": "No platform support for volume encryption in following nodes - node1, node2."
}
}
}Error
Status: Default, Error| Name | Type | Description |
|---|---|---|
error |
Example error
{
"error": {
"arguments": {
"code": "string",
"message": "string"
},
"code": "4",
"message": "entry doesn't exist",
"target": "uuid"
}
}Definitions
See Definitions
href
| Name | Type | Description |
|---|---|---|
href |
string |
_links
| Name | Type | Description |
|---|---|---|
next |
||
self |
_links
| Name | Type | Description |
|---|---|---|
self |
client_certificate
Client certificate (name and UUID)
| Name | Type | Description |
|---|---|---|
_links |
||
name |
string |
Certificate name |
uuid |
string |
Certificate UUID |
server_ca_certificates
| Name | Type | Description |
|---|---|---|
_links |
||
name |
string |
Certificate name |
uuid |
string |
Certificate UUID |
self_link
| Name | Type | Description |
|---|---|---|
self |
node
| Name | Type | Description |
|---|---|---|
_links |
||
name |
string |
|
uuid |
string |
key_server_state
The connectivity state of the key server for a specific node.
| Name | Type | Description |
|---|---|---|
node |
||
state |
string |
Key server connectivity state |
connectivity
This property contains the key server connectivity state of all nodes in the cluster.
This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET or an instance GET unless it is explicitly requested using the fields query parameter or GET for all advanced properties is enabled.
| Name | Type | Description |
|---|---|---|
cluster_availability |
boolean |
Set to true when key server connectivity state is available on all nodes of the cluster. |
node_states |
array[key_server_state] |
An array of key server connectivity states for each node. |
key_server_readcreate
| Name | Type | Description |
|---|---|---|
_links |
||
connectivity |
This property contains the key server connectivity state of all nodes in the cluster.
This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET or an instance GET unless it is explicitly requested using the |
|
secondary_key_servers |
string |
A comma delimited string of the secondary key servers associated with the primary key server. |
server |
string |
External key server for key management. If no port is provided, a default port of 5696 is used. |
timeout |
integer |
I/O timeout in seconds for communicating with the key server. |
username |
string |
Username credentials for connecting with the key server. |
external
Configures external key management
| Name | Type | Description |
|---|---|---|
client_certificate |
Client certificate (name and UUID) |
|
server_ca_certificates |
array[server_ca_certificates] |
The array of certificates that are common for all the keyservers per SVM. |
servers |
array[key_server_readcreate] |
The set of external key servers. |
onboard
Configures onboard key management. After configuring onboard key management, save the encrypted configuration data in a safe location so that you can use it if you need to perform a manual recovery operation.
| Name | Type | Description |
|---|---|---|
enabled |
boolean |
Is the onboard key manager enabled? |
existing_passphrase |
string |
The cluster-wide passphrase. This is not audited. |
key_backup |
string |
Backup of the onboard key manager's key hierarchy. It is required to save this backup after configuring the onboard key manager to help in the recovery of the cluster in case of catastrophic failures. |
passphrase |
string |
The cluster-wide passphrase. This is not audited. |
synchronize |
boolean |
Synchronizes missing onboard keys on any node in the cluster. If a node is added to a cluster that has onboard key management configured, the synchronize operation needs to be performed in a PATCH operation. In a MetroCluster configuration, if onboard key management is enabled on one site, then the synchronize operation needs to be run as a POST operation on the remote site providing the same passphrase. |
status
Optional status information on the current state of the key manager indicating if it is fully setup or requires more action.
| Name | Type | Description |
|---|---|---|
code |
integer |
Code corresponding to the status message. Returns 0 if the setup is complete. This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET or an instance GET unless it is explicitly requested using the |
message |
string |
Current state of the key manager indicating any additional steps to perform to finish the setup. This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET or an instance GET unless it is explicitly requested using the |
svm
| Name | Type | Description |
|---|---|---|
_links |
||
name |
string |
The name of the SVM. |
uuid |
string |
The unique identifier of the SVM. |
volume_encryption
Indicates whether volume encryption is supported in the cluster.
| Name | Type | Description |
|---|---|---|
code |
integer |
Code corresponding to the status message. Returns a 0 if volume encryption is supported in all nodes of the cluster. |
message |
string |
Reason for not supporting volume encryption. |
supported |
boolean |
Set to true when volume encryption support is available on all nodes of the cluster. |
security_key_manager
| Name | Type | Description |
|---|---|---|
_links |
||
external |
Configures external key management |
|
is_default_data_at_rest_encryption_disabled |
boolean |
Indicates whether default data-at-rest encryption is disabled in the cluster. This field is deprecated in ONTAP 9.8 and later. Use the "software_data_encryption.disabled_by_default" of /api/security endpoint.
|
onboard |
Configures onboard key management. After configuring onboard key management, save the encrypted configuration data in a safe location so that you can use it if you need to perform a manual recovery operation. |
|
policy |
string |
Security policy associated with the key manager. This value is currently ignored if specified for the onboard key manager. |
scope |
string |
Set to "svm" for interfaces owned by an SVM. Otherwise, set to "cluster". |
status |
Optional status information on the current state of the key manager indicating if it is fully setup or requires more action. |
|
svm |
||
uuid |
string |
|
volume_encryption |
Indicates whether volume encryption is supported in the cluster. |
error_arguments
| Name | Type | Description |
|---|---|---|
code |
string |
Argument code |
message |
string |
Message argument |
error
| Name | Type | Description |
|---|---|---|
arguments |
array[error_arguments] |
Message arguments |
code |
string |
Error code |
message |
string |
Error message |
target |
string |
The target parameter that caused the error. |