Skip to main content
A newer release of this product is available.

Create a key manager

Contributors
PDFs

POST /security/key-managers

Creates a key manager.

Required properties

  • svm.uuid or svm.name - Existing SVM in which to create a key manager.

  • external.client_certificate - Client certificate. Required only when creating an external key manager.

  • external.server_ca_certificates - Server CA certificates. Required only when creating an external key manager.

  • external.servers.server - Key servers. Required only when creating an external key manager.

  • onboard.passphrase - Cluster-wide passphrase. Required only when creating an onboard key manager.

  • security key-manager external enable

  • security key-manager onboard enable

Learn more

Request Body

Name Type Description

_links

_links

external

external

Configures external key management

onboard

onboard

Configures onboard key management. After configuring onboard key management, save the encrypted configuration data in a safe location so that you can use it if you need to perform a manual recovery operation.

scope

string

Set to "svm" for interfaces owned by an SVM. Otherwise, set to "cluster".

svm

svm

SVM, applies only to SVM-scoped objects.

uuid

string
Example request 
{
  "_links": {
    "self": {
      "href": "/api/resourcelink"
    }
  },
  "external": {
    "client_certificate": {
      "_links": {
        "self": {
          "href": "/api/resourcelink"
        }
      },
      "uuid": "1cd8a442-86d1-11e0-ae1c-123478563412"
    },
    "server_ca_certificates": [
      {
        "_links": {
          "self": {
            "href": "/api/resourcelink"
          }
        },
        "uuid": "1cd8a442-86d1-11e0-ae1c-123478563412"
      }
    ],
    "servers": [
      {
        "_links": {
          "self": {
            "href": "/api/resourcelink"
          }
        },
        "server": "keyserver1.com:5698",
        "timeout": 60,
        "username": "username"
      }
    ]
  },
  "onboard": {
    "existing_passphrase": "The cluster password of length 32-256 ASCII characters.",
    "passphrase": "The cluster password of length 32-256 ASCII characters."
  },
  "scope": "string",
  "svm": {
    "_links": {
      "self": {
        "href": "/api/resourcelink"
      }
    },
    "name": "svm1",
    "uuid": "02c9e252-41be-11e9-81d5-00a0986138f7"
  },
  "uuid": "string"
}

Response

Status: 201, Created
Name Type Description

_links

_links

num_records

integer

Number of records

records

array[security_key_manager]
Example response 
{
  "_links": {
    "next": {
      "href": "/api/resourcelink"
    },
    "self": {
      "href": "/api/resourcelink"
    }
  },
  "records": [
    {
      "_links": {
        "self": {
          "href": "/api/resourcelink"
        }
      },
      "external": {
        "client_certificate": {
          "_links": {
            "self": {
              "href": "/api/resourcelink"
            }
          },
          "uuid": "1cd8a442-86d1-11e0-ae1c-123478563412"
        },
        "server_ca_certificates": [
          {
            "_links": {
              "self": {
                "href": "/api/resourcelink"
              }
            },
            "uuid": "1cd8a442-86d1-11e0-ae1c-123478563412"
          }
        ],
        "servers": [
          {
            "_links": {
              "self": {
                "href": "/api/resourcelink"
              }
            },
            "server": "keyserver1.com:5698",
            "timeout": 60,
            "username": "username"
          }
        ]
      },
      "onboard": {
        "existing_passphrase": "The cluster password of length 32-256 ASCII characters.",
        "passphrase": "The cluster password of length 32-256 ASCII characters."
      },
      "scope": "string",
      "svm": {
        "_links": {
          "self": {
            "href": "/api/resourcelink"
          }
        },
        "name": "svm1",
        "uuid": "02c9e252-41be-11e9-81d5-00a0986138f7"
      },
      "uuid": "string"
    }
  ]
}

Error

Status: Default

ONTAP Error Response Codes

Error Code Description

65536822

Multitenant key management is not supported in the current cluster version.

65536823

The SVM has key manager already configured.

65536878

External key management cannot be configured as one or more volume encryption keys of the SVM are stored in cluster key management server.

65536824

Multitenant key management is not supported in MetroCluster configurations.

65536038

A maximum of 4 active key servers are allowed.

65536876

External key management requires client and server CA certificates installed and with one or more key servers provided.

65536920

Onboard key manager passphrase length is incorrect.

65536871

Duplicate key management servers exist.

65536834

Failed to get existing key-server details for the SVM.

65536870

Key management servers already configured.

65536821

Certificate is not installed.

65536852

Failed to query supported KMIP protocol versions.

65536895

External key manager cannnot be configured since this cluster is part of a MetroCluster configuration and the partner site of this MetroCluster configuration has onboard key manager configured.

65536916

Onboard key management is only supported for an admin SVM.

65536906

Onboard key management has already been configured at the partner site. Use the CLI to sync the onboard key management with the same passphrase.

65536907

Onboard key management is already configured. Use the CLI to sync any nodes with onboard key management configuration.

65536508

The platform does not support data at rest encryption.

65536310

Failed to setup onboard key management because the MetroCluster peer is unhealthy.

65536900

Onboard key management cannot be configured because this cluster is part of a MetroCluster configuration and the partner site has the external key manager configured.

65536903

Onboard key management has failed to configure on some nodes in the cluster. Use the CLI to sync the onboard key management configuration on failed nodes.

65536214

Failed to generate cluster key encryption key.

65536216

Failed to add cluster key encryption key.

66060338

Failed to establish secure connection for a key management server due to incorrect server_ca certificates.

66060339

Failed to establish secure connection for a key management server due to incorrect client certificates.

66060340

Failed to establish secure connection for a key management server due to Cryptsoft error.

66060341

Failed to establish secure connection for a key management server due to network configuration issues.
Name Type Description

error

error
Example error 
{
  "error": {
    "arguments": [
      {
        "code": "string",
        "message": "string"
      }
    ],
    "code": "4",
    "message": "entry doesn't exist",
    "target": "uuid"
  }
}

Definitions

See Definitions

href

Name Type Description

href

string

_links

Name Type Description

self

href

client_certificate

Client certificate

Name Type Description

_links

_links

uuid

string

Certificate UUID

server_ca_certificates

Security certificate object reference

Name Type Description

_links

_links

uuid

string

Certificate UUID

key_server_readcreate

Name Type Description

_links

_links

server

string

External key server for key management. If no port is provided, a default port of 5696 is used.

timeout

integer

I/O timeout in seconds for communicating with the key server.

username

string

Username credentials for connecting with the key server.

external

Configures external key management

Name Type Description

client_certificate

client_certificate

Client certificate

server_ca_certificates

array[server_ca_certificates]

The UUIDs of the server CA certificates already installed in the cluster or SVM. The array of certificates are common for all the keyservers per SVM.

servers

array[key_server_readcreate]

The set of external key servers.

onboard

Configures onboard key management. After configuring onboard key management, save the encrypted configuration data in a safe location so that you can use it if you need to perform a manual recovery operation.

Name Type Description

enabled

boolean

Is the onboard key manager enabled?

existing_passphrase

string

The cluster-wide passphrase. This is not audited.

passphrase

string

The cluster-wide passphrase. This is not audited.

svm

SVM, applies only to SVM-scoped objects.

Name Type Description

_links

_links

name

string

The name of the SVM.

uuid

string

The unique identifier of the SVM.

security_key_manager

Name Type Description

_links

_links

external

external

Configures external key management

onboard

onboard

Configures onboard key management. After configuring onboard key management, save the encrypted configuration data in a safe location so that you can use it if you need to perform a manual recovery operation.

scope

string

Set to "svm" for interfaces owned by an SVM. Otherwise, set to "cluster".

svm

svm

SVM, applies only to SVM-scoped objects.

uuid

string

_links

Name Type Description

next

href

self

href

error_arguments

Name Type Description

code

string

Argument code

message

string

Message argument

error

Name Type Description

arguments

array[error_arguments]

Message arguments

code

string

Error code

message

string

Error message

target

string

The target parameter that caused the error.