REST API reference
Create a key manager
Suggest changes
PDFs
POST /security/key-managers
Creates a key manager.
Required properties
-
svm.uuidorsvm.name- Existing SVM in which to create a key manager. -
external.client_certificate- Client certificate. Required only when creating an external key manager. -
external.server_ca_certificates- Server CA certificates. Required only when creating an external key manager. -
external.servers.server- Key servers. Required only when creating an external key manager. -
onboard.passphrase- Cluster-wide passphrase. Required only when creating an onboard key manager.
Related ONTAP commands
-
security key-manager external enable -
security key-manager onboard enable
Learn more
Request Body
| Name | Type | Description |
|---|---|---|
_links |
||
external |
Configures external key management |
|
onboard |
Configures onboard key management. After configuring onboard key management, save the encrypted configuration data in a safe location so that you can use it if you need to perform a manual recovery operation. |
|
scope |
string |
Set to "svm" for interfaces owned by an SVM. Otherwise, set to "cluster". |
svm |
SVM, applies only to SVM-scoped objects. |
|
uuid |
string |
Example request
{
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"external": {
"client_certificate": {
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"uuid": "1cd8a442-86d1-11e0-ae1c-123478563412"
},
"server_ca_certificates": {
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"uuid": "1cd8a442-86d1-11e0-ae1c-123478563412"
},
"servers": {
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"server": "keyserver1.com:5698",
"timeout": 60,
"username": "username"
}
},
"onboard": {
"existing_passphrase": "The cluster password of length 32-256 ASCII characters.",
"passphrase": "The cluster password of length 32-256 ASCII characters."
},
"scope": "svm",
"svm": {
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"name": "svm1",
"uuid": "02c9e252-41be-11e9-81d5-00a0986138f7"
},
"uuid": "string"
}Response
Status: 201, Created| Name | Type | Description |
|---|---|---|
_links |
||
num_records |
integer |
Number of records |
records |
array[security_key_manager] |
Example response
{
"_links": {
"next": {
"href": "/api/resourcelink"
},
"self": {
"href": "/api/resourcelink"
}
},
"records": {
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"external": {
"client_certificate": {
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"uuid": "1cd8a442-86d1-11e0-ae1c-123478563412"
},
"server_ca_certificates": {
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"uuid": "1cd8a442-86d1-11e0-ae1c-123478563412"
},
"servers": {
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"server": "keyserver1.com:5698",
"timeout": 60,
"username": "username"
}
},
"onboard": {
"existing_passphrase": "The cluster password of length 32-256 ASCII characters.",
"passphrase": "The cluster password of length 32-256 ASCII characters."
},
"scope": "svm",
"svm": {
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"name": "svm1",
"uuid": "02c9e252-41be-11e9-81d5-00a0986138f7"
},
"uuid": "string"
}
}Error
Status: DefaultONTAP Error Response Codes
| Error Code | Description |
|---|---|
65536822 |
Multitenant key management is not supported in the current cluster version. |
65536823 |
The SVM has key manager already configured. |
65536878 |
External key management cannot be configured as one or more volume encryption keys of the SVM are stored in cluster key management server. |
65536824 |
Multitenant key management is not supported in MetroCluster configurations. |
65536038 |
A maximum of 4 active key servers are allowed. |
65536876 |
External key management requires client and server CA certificates installed and with one or more key servers provided. |
65536920 |
Onboard key manager passphrase length is incorrect. |
65536871 |
Duplicate key management servers exist. |
65536834 |
Failed to get existing key-server details for the SVM. |
65536870 |
Key management servers already configured. |
65536821 |
Certificate is not installed. |
65536852 |
Failed to query supported KMIP protocol versions. |
65536895 |
External key manager cannnot be configured since this cluster is part of a MetroCluster configuration and the partner site of this MetroCluster configuration has onboard key manager configured. |
65536916 |
Onboard key management is only supported for an admin SVM. |
65536906 |
Onboard key management has already been configured at the partner site. Use the CLI to sync the onboard key management with the same passphrase. |
65536907 |
Onboard key management is already configured. Use the CLI to sync any nodes with onboard key management configuration. |
65536508 |
The platform does not support data at rest encryption. |
65536310 |
Failed to setup onboard key management because the MetroCluster peer is unhealthy. |
65536900 |
Onboard key management cannot be configured because this cluster is part of a MetroCluster configuration and the partner site has the external key manager configured. |
65536903 |
Onboard key management has failed to configure on some nodes in the cluster. Use the CLI to sync the onboard key management configuration on failed nodes. |
65536214 |
Failed to generate cluster key encryption key. |
65536216 |
Failed to add cluster key encryption key. |
66060338 |
Failed to establish secure connection for a key management server due to incorrect server_ca certificates. |
66060339 |
Failed to establish secure connection for a key management server due to incorrect client certificates. |
66060340 |
Failed to establish secure connection for a key management server due to Cryptsoft error. |
66060341 |
Failed to establish secure connection for a key management server due to network configuration issues. |
| Name | Type | Description |
|---|---|---|
error |
Example error
{
"error": {
"arguments": {
"code": "string",
"message": "string"
},
"code": "4",
"message": "entry doesn't exist",
"target": "uuid"
}
}Definitions
See Definitions
href
| Name | Type | Description |
|---|---|---|
href |
string |
_links
| Name | Type | Description |
|---|---|---|
self |
client_certificate
Client certificate
| Name | Type | Description |
|---|---|---|
_links |
||
uuid |
string |
Certificate UUID |
server_ca_certificates
Security certificate object reference
| Name | Type | Description |
|---|---|---|
_links |
||
uuid |
string |
Certificate UUID |
key_server_readcreate
| Name | Type | Description |
|---|---|---|
_links |
||
server |
string |
External key server for key management. If no port is provided, a default port of 5696 is used. |
timeout |
integer |
I/O timeout in seconds for communicating with the key server. |
username |
string |
Username credentials for connecting with the key server. |
external
Configures external key management
| Name | Type | Description |
|---|---|---|
client_certificate |
Client certificate |
|
server_ca_certificates |
array[server_ca_certificates] |
The UUIDs of the server CA certificates already installed in the cluster or SVM. The array of certificates are common for all the keyservers per SVM. |
servers |
array[key_server_readcreate] |
The set of external key servers. |
onboard
Configures onboard key management. After configuring onboard key management, save the encrypted configuration data in a safe location so that you can use it if you need to perform a manual recovery operation.
| Name | Type | Description |
|---|---|---|
enabled |
boolean |
Is the onboard key manager enabled? |
existing_passphrase |
string |
The cluster-wide passphrase. This is not audited. |
passphrase |
string |
The cluster-wide passphrase. This is not audited. |
svm
SVM, applies only to SVM-scoped objects.
| Name | Type | Description |
|---|---|---|
_links |
||
name |
string |
The name of the SVM. |
uuid |
string |
The unique identifier of the SVM. |
security_key_manager
| Name | Type | Description |
|---|---|---|
_links |
||
external |
Configures external key management |
|
onboard |
Configures onboard key management. After configuring onboard key management, save the encrypted configuration data in a safe location so that you can use it if you need to perform a manual recovery operation. |
|
scope |
string |
Set to "svm" for interfaces owned by an SVM. Otherwise, set to "cluster". |
svm |
SVM, applies only to SVM-scoped objects. |
|
uuid |
string |
_links
| Name | Type | Description |
|---|---|---|
next |
||
self |
error_arguments
| Name | Type | Description |
|---|---|---|
code |
string |
Argument code |
message |
string |
Message argument |
error
| Name | Type | Description |
|---|---|---|
arguments |
array[error_arguments] |
Message arguments |
code |
string |
Error code |
message |
string |
Error message |
target |
string |
The target parameter that caused the error. |