Create a key manager
POST /security/key-managers
Introduced In: 9.6
Creates a key manager.
Required properties
- svm.uuid or svm.name - Existing SVM in which to create a key manager.
- external.client_certificate - Client certificate. Required only when creating an external key manager.
- external.server_ca_certificates - Server CA certificates. Required only when creating an external key manager.
- external.servers.server - Primary key servers. Required only when creating an external key manager.
- onboard.passphrase - Cluster-wide passphrase. Required only when creating an Onboard Key Manager.
- synchronize - Synchronizes missing onboard keys on any node in the cluster. Required only when creating an Onboard Key Manager at the partner site of a MetroCluster configuration.
Related ONTAP commands
- security key-manager external enable
- security key-manager onboard enable
- security key-manager onboard sync
Parameters
Name | Type | In | Required | Description
---|---|---|---|---
return_records | boolean | query | False | The default is false. If set to true, the records are returned.
Request Body
Name | Type | Description
---|---|---
_links | _links |
external | external | Configures external key management.
is_default_data_at_rest_encryption_disabled | boolean | Indicates whether default data-at-rest encryption is disabled in the cluster. This field is deprecated in ONTAP 9.8 and later; use the "software_data_encryption.disabled_by_default" field of the /api/security endpoint instead.
onboard | onboard | Configures onboard key management. After configuring onboard key management, save the encrypted configuration data in a safe location so that you can use it if you need to perform a manual recovery operation.
policy | string | Security policy associated with the key manager. This value is currently ignored if specified for the onboard key manager.
scope | string | Set to "svm" for interfaces owned by an SVM. Otherwise, set to "cluster".
status | status | Optional status information on the current state of the key manager, indicating whether it is fully set up or requires more action.
svm | svm | SVM, applies only to SVM-scoped objects.
uuid | string |
volume_encryption | volume_encryption | Indicates whether volume encryption is supported in the cluster.
Example request
{
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"external": {
"client_certificate": {
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"name": "string",
"uuid": "1cd8a442-86d1-11e0-ae1c-123478563412"
},
"server_ca_certificates": [
{
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"name": "string",
"uuid": "1cd8a442-86d1-11e0-ae1c-123478563412"
}
],
"servers": [
{
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"connectivity": {
"node_states": [
{
"node": {
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"name": "node1",
"uuid": "1cd8a442-86d1-11e0-ae1c-123478563412"
},
"state": "not_responding"
}
]
},
"secondary_key_servers": "secondary1.com, 10.2.3.4",
"server": "keyserver1.com:5698",
"timeout": 60,
"username": "admin"
}
]
},
"onboard": {
"existing_passphrase": "The cluster password of length 32-256 ASCII characters.",
"key_backup": "'--------------------------BEGIN BACKUP-------------------------- TmV0QXBwIEtleSBCbG9iAAEAAAAEAAAAcAEAAAAAAAAxBFWWAAAAACEAAAAAAAAA QAAAAAAAAABzDyyVAAAAALI5Jsjvy6gUxnT78KoDKXHYb6sSeraM00quOULY6BeV n6dMFxuErCD1lbERaOQZSuaYy1p8oQHtTEfGMLZM4TYiAAAAAAAAACgAAAAAAAAA 3WTh7gAAAAAAAAAAAAAAAAIAAAAAAAgAZJEIWvdeHr5RCAvHGclo+wAAAAAAAAAA IgAAAAAAAAAoAAAAAAAAAEOTcR0AAAAAAAAAAAAAAAACAAAAAAAJAGr3tJA/LRzU QRHwv+1aWvAAAAAAAAAAACQAAAAAAAAAgAAAAAAAAADV1Vd/AAAAAMFM9Q229Bhp mDaTSdqku5DCd8wG+fOZSr4bx4JT5WHvV/r5gJnXDQQAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABOZXRBcHAgS2V5IEJsb2IA AQAAAAMAAAAYAQAAAAAAALgePkcAAAAAIgAAAAAAAAAoAAAAAAAAAEOTcR0AAAAA AAAAAAAAAAACAAAAAAAJAGr3tJA/LRzUQRHwv+1aWvAAAAAAAAAAACIAAAAAAAAA KAAAAAAAAACIlCHZAAAAAAAAAAAAAAAAAgAAAAAAAQCafcabsxRXMM7gxhLRrzxh AAAAAAAAAAAkAAAAAAAAAIAAAAAAAAAA2JjQBQAAAACt4IqXcNpVggahl0axLsN4 yQjnNVKWY7mANB29O42hI7b70DTGCTaVAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAE5ldEFwcCBLZXkgQmxvYgABAAAAAwAAABgBAAAAAAAA 7sbaoQAAAAAiAAAAAAAAACgAAAAAAAAAQ5NxHQAAAAAAAAAAAAAAAAIAAAAAAAkA ave0kD8tHNRBEfC/7Vpa8AAAAAAAAAAAIgAAAAAAAAAoAAAAAAAAALOHfWkAAAAA AAAAAAAAAAACAAAAAAABAMoI9UxrHOGthQm/CB+EHdAAAAAAAAAAACQAAAAAAAAA gAAAAAAAAACnMmUtAAAAAGVk8AtPzENFgsGdsFvnmucmYrlQCsFew0HDSFKaZqK6 W8IEVzBAhPoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ---------------------------END BACKUP---------------------------'",
"passphrase": "The cluster password of length 32-256 ASCII characters."
},
"policy": "string",
"scope": "string",
"status": {
"code": 346758,
"message": "This cluster is part of a MetroCluster configuration. Use the REST API POST method security/key_managers/ with the synchronize option and the same passphrase on the partner cluster before proceeding with any key manager operations. Failure to do so could lead to switchover or switchback failure."
},
"svm": {
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"name": "svm1",
"uuid": "02c9e252-41be-11e9-81d5-00a0986138f7"
},
"uuid": "string",
"volume_encryption": {
"code": 346758,
"message": "No platform support for volume encryption in following nodes - node1, node2."
}
}
Response
Status: 201, Created
Name | Type | Description
---|---|---
_links | _links |
num_records | integer | Number of records
records | array[security_key_manager] |
Example response
{
"_links": {
"next": {
"href": "/api/resourcelink"
},
"self": {
"href": "/api/resourcelink"
}
},
"num_records": 1,
"records": [
{
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"external": {
"client_certificate": {
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"name": "string",
"uuid": "1cd8a442-86d1-11e0-ae1c-123478563412"
},
"server_ca_certificates": [
{
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"name": "string",
"uuid": "1cd8a442-86d1-11e0-ae1c-123478563412"
}
],
"servers": [
{
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"connectivity": {
"node_states": [
{
"node": {
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"name": "node1",
"uuid": "1cd8a442-86d1-11e0-ae1c-123478563412"
},
"state": "not_responding"
}
]
},
"secondary_key_servers": "secondary1.com, 10.2.3.4",
"server": "keyserver1.com:5698",
"timeout": 60,
"username": "admin"
}
]
},
"onboard": {
"existing_passphrase": "The cluster password of length 32-256 ASCII characters.",
"key_backup": "'--------------------------BEGIN BACKUP-------------------------- TmV0QXBwIEtleSBCbG9iAAEAAAAEAAAAcAEAAAAAAAAxBFWWAAAAACEAAAAAAAAA QAAAAAAAAABzDyyVAAAAALI5Jsjvy6gUxnT78KoDKXHYb6sSeraM00quOULY6BeV n6dMFxuErCD1lbERaOQZSuaYy1p8oQHtTEfGMLZM4TYiAAAAAAAAACgAAAAAAAAA 3WTh7gAAAAAAAAAAAAAAAAIAAAAAAAgAZJEIWvdeHr5RCAvHGclo+wAAAAAAAAAA IgAAAAAAAAAoAAAAAAAAAEOTcR0AAAAAAAAAAAAAAAACAAAAAAAJAGr3tJA/LRzU QRHwv+1aWvAAAAAAAAAAACQAAAAAAAAAgAAAAAAAAADV1Vd/AAAAAMFM9Q229Bhp mDaTSdqku5DCd8wG+fOZSr4bx4JT5WHvV/r5gJnXDQQAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABOZXRBcHAgS2V5IEJsb2IA AQAAAAMAAAAYAQAAAAAAALgePkcAAAAAIgAAAAAAAAAoAAAAAAAAAEOTcR0AAAAA AAAAAAAAAAACAAAAAAAJAGr3tJA/LRzUQRHwv+1aWvAAAAAAAAAAACIAAAAAAAAA KAAAAAAAAACIlCHZAAAAAAAAAAAAAAAAAgAAAAAAAQCafcabsxRXMM7gxhLRrzxh AAAAAAAAAAAkAAAAAAAAAIAAAAAAAAAA2JjQBQAAAACt4IqXcNpVggahl0axLsN4 yQjnNVKWY7mANB29O42hI7b70DTGCTaVAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAE5ldEFwcCBLZXkgQmxvYgABAAAAAwAAABgBAAAAAAAA 7sbaoQAAAAAiAAAAAAAAACgAAAAAAAAAQ5NxHQAAAAAAAAAAAAAAAAIAAAAAAAkA ave0kD8tHNRBEfC/7Vpa8AAAAAAAAAAAIgAAAAAAAAAoAAAAAAAAALOHfWkAAAAA AAAAAAAAAAACAAAAAAABAMoI9UxrHOGthQm/CB+EHdAAAAAAAAAAACQAAAAAAAAA gAAAAAAAAACnMmUtAAAAAGVk8AtPzENFgsGdsFvnmucmYrlQCsFew0HDSFKaZqK6 W8IEVzBAhPoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ---------------------------END BACKUP---------------------------'",
"passphrase": "The cluster password of length 32-256 ASCII characters."
},
"policy": "string",
"scope": "string",
"status": {
"code": 346758,
"message": "This cluster is part of a MetroCluster configuration. Use the REST API POST method security/key_managers/ with the synchronize option and the same passphrase on the partner cluster before proceeding with any key manager operations. Failure to do so could lead to switchover or switchback failure."
},
"svm": {
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"name": "svm1",
"uuid": "02c9e252-41be-11e9-81d5-00a0986138f7"
},
"uuid": "string",
"volume_encryption": {
"code": 346758,
"message": "No platform support for volume encryption in following nodes - node1, node2."
}
}
]
}
Headers
Name | Description | Type
---|---|---
Location | Useful for tracking the resource location | string
Error
Status: Default
ONTAP Error Response Codes
Error Code | Description
---|---
262224 | Failed to contact the peer cluster.
262228 | Failed to contact the peer cluster.
65536038 | A maximum of 4 active primary key servers are allowed.
65536214 | Failed to generate cluster key encryption key.
65536216 | Failed to add cluster key encryption key.
65536310 | Failed to setup the Onboard Key Manager because the MetroCluster peer is unhealthy.
65536341 | Failed to setup the Onboard Key Manager because the MetroCluster peer is unhealthy.
65536508 | The platform does not support data at rest encryption.
65536821 | The certificate is not installed.
65536823 | The SVM has key manager already configured.
65536824 | Multitenant key management is not supported in MetroCluster configurations.
65536834 | Failed to get existing key-server details for the SVM.
65536852 | Failed to query supported KMIP protocol versions.
65536870 | Key management servers already configured.
65536871 | Duplicate key management servers exist.
65536876 | External key management requires client and server CA certificates installed and with one or more key servers provided.
65536878 | External key management cannot be configured as one or more volume encryption keys of the SVM are stored in cluster key management server.
65536895 | External key manager cannot be configured because this cluster is part of a MetroCluster configuration and the partner site of this MetroCluster configuration has Onboard Key Manager configured.
65536900 | The Onboard Key Manager cannot be configured because this cluster is part of a MetroCluster configuration and the partner site has the external key manager configured.
65536903 | The Onboard Key Manager has failed to configure on some nodes in the cluster. Use the CLI to sync the Onboard Key Manager configuration on failed nodes.
65536906 | The Onboard Key Manager has already been configured at the partner site. Use the CLI to sync the Onboard Key Manager with the same passphrase.
65536913 | The Onboard Key Manager is already configured. Use the CLI to sync any nodes with the Onboard Key Manager configuration.
65536916 | The Onboard Key Manager is only supported for an admin SVM.
65536920 | The Onboard Key Manager passphrase length is incorrect.
65537240 | The Onboard Key Manager passphrase must be provided when performing a POST/synchronize operation.
65537241 | The Onboard Key Manager existing_passphrase must not be provided when performing a POST/synchronize operation.
65537244 | Unable to sync/create Onboard Key Manager on the local cluster; Onboard Key Manager is already configured on the cluster.
65537245 | Unable to sync/create Onboard Key Manager on the local cluster; Onboard Key Manager is not configured on the partner cluster.
65537246 | Unable to sync/create Onboard Key Manager on local cluster. This cluster is not part of a MetroCluster configuration.
65537247 | Internal error. Unable to sync the Onboard Key Manager on local cluster.
65537248 | Unable to sync the Onboard Key Manager on local cluster.
65538111 | The key manager policy is invalid.
65538120 | The key manager policy is not supported on the admin SVM.
65539216 | The Admin SVM has a key manager already configured.
65539221 | Failed to configure the Onboard Key Manager because the MetroCluster peer cluster is unhealthy. Verify that the peer cluster is online and healthy.
66060338 | Failed to establish secure connection for a key management server due to incorrect server_ca certificates.
66060339 | Failed to establish secure connection for a key management server due to incorrect client certificates.
66060340 | Failed to establish secure connection for a key management server due to Cryptsoft error.
Also see the table of common errors in the Response body overview section of this documentation.
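The required properties and the error conditions above, turned into a small request builder and response check. This is an added example, not NetApp's or the ONTAP API's own code; the function names, the constructed sample response and the client-side validation (which mirrors the documented errors 65536038, 65536871, 65536876 and 65536920 before a request is sent) are this example's own assumptions.

```python
"""Build and check POST /security/key-managers payloads (added example, not ONTAP code)."""
import json

PASSPHRASE_MIN, PASSPHRASE_MAX = 32, 256   # documented onboard passphrase length
MAX_PRIMARY_KEY_SERVERS = 4                # documented limit (error 65536038)
DEFAULT_KMIP_PORT = 5696                   # port ONTAP assumes when "server" has none


def normalize_server(server):
    """Return 'host:port', adding the default port when only a host or IPv4
    address is given. Bracketed IPv6 literals are not handled (assumption)."""
    if server.count(":") == 1 and server.rsplit(":", 1)[1].isdigit():
        return server
    return f"{server}:{DEFAULT_KMIP_PORT}"


def onboard_body(svm, passphrase, synchronize=False):
    """Body for an Onboard Key Manager; svm is {"name": ...} or {"uuid": ...}."""
    if not passphrase.isascii() or not PASSPHRASE_MIN <= len(passphrase) <= PASSPHRASE_MAX:
        raise ValueError("passphrase must be 32-256 ASCII characters")  # error 65536920
    body = {"svm": svm, "onboard": {"passphrase": passphrase}}
    if synchronize:
        # Partner site of a MetroCluster: same passphrase as the first site, and
        # existing_passphrase must be absent (error 65537241), so it is never set here.
        body["onboard"]["synchronize"] = True
    return body


def external_body(svm, client_certificate, server_ca_certificates, servers):
    """Body for an external (KMIP) key manager; certificates are {"uuid": ...} references."""
    if not (client_certificate and server_ca_certificates and servers):
        raise ValueError("client certificate, server CA certificates and a key "
                         "server are all required")                 # error 65536876
    normalized = [normalize_server(s) for s in servers]
    if len(set(normalized)) != len(normalized):
        raise ValueError("duplicate key management servers")        # error 65536871
    if len(normalized) > MAX_PRIMARY_KEY_SERVERS:
        raise ValueError("at most 4 active primary key servers")    # error 65536038
    return {"svm": svm,
            "external": {"client_certificate": client_certificate,
                         "server_ca_certificates": list(server_ca_certificates),
                         "servers": [{"server": s} for s in normalized]}}


def pending_setup(response):
    """(uuid, status.code, status.message) for every record whose status.code is
    not 0; an empty list means the key manager setup is complete."""
    pending = []
    for rec in response.get("records", []):
        status = rec.get("status") or {}
        if status.get("code", 0) != 0:
            pending.append((rec.get("uuid"), status["code"], status.get("message", "")))
    return pending


# Constructed sample: a 201 response shaped like the page's example, carrying the
# MetroCluster status that asks for a synchronize POST at the partner site.
SAMPLE_RESPONSE = json.loads('''{"num_records": 1, "records": [{
  "uuid": "00000000-0000-4000-8000-000000000001",
  "status": {"code": 346758, "message": "This cluster is part of a MetroCluster configuration. Use the REST API POST method security/key_managers/ with the synchronize option and the same passphrase on the partner cluster before proceeding with any key manager operations."}}]}''')

if __name__ == "__main__":
    print(json.dumps(onboard_body({"name": "svm1"}, "x" * 40, synchronize=True), indent=2))
    print(pending_setup(SAMPLE_RESPONSE))
```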
Name | Type | Description
---|---|---
error | returned_error |
Example error
{
"error": {
"arguments": [
{
"code": "string",
"message": "string"
}
],
"code": "4",
"message": "entry doesn't exist",
"target": "uuid"
}
}
Definitions
href
Name | Type | Description
---|---|---
href | string |
_links
Name | Type | Description
---|---|---
self | href |
client_certificate
Client certificate (name and UUID)
Name | Type | Description
---|---|---
_links | _links |
name | string | Certificate name
uuid | string | Certificate UUID
server_ca_certificates
Security certificate object reference
Name | Type | Description
---|---|---
_links | _links |
name | string | Certificate name
uuid | string | Certificate UUID
self_link
Name | Type | Description
---|---|---
self | href |
node
Name | Type | Description
---|---|---
_links | _links |
name | string |
uuid | string |
key_server_state
The connectivity state of the key server for a specific node.
Name | Type | Description
---|---|---
node | node |
state | string | Key server connectivity state
connectivity
This property contains the key server connectivity state of all nodes in the cluster.
This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET or an instance GET unless it is explicitly requested using the fields query parameter or GET for all advanced properties is enabled.
Name | Type | Description
---|---|---
cluster_availability | boolean | Set to true when key server connectivity state is available on all nodes of the cluster.
node_states | array[key_server_state] | An array of key server connectivity states for each node.
key_server_readcreate
Name | Type | Description
---|---|---
_links | self_link |
connectivity | connectivity | This property contains the key server connectivity state of all nodes in the cluster. This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET or an instance GET unless it is explicitly requested using the fields query parameter or GET for all advanced properties is enabled.
secondary_key_servers | string | A comma-delimited string of the secondary key servers associated with the primary key server.
server | string | External key server for key management. If no port is provided, a default port of 5696 is used.
timeout | integer | I/O timeout in seconds for communicating with the key server.
username | string | Username credentials for connecting with the key server.
external
Configures external key management
Name | Type | Description
---|---|---
client_certificate | client_certificate | Client certificate (name and UUID)
server_ca_certificates | array[server_ca_certificates] | The array of certificates that are common for all the key servers per SVM.
servers | array[key_server_readcreate] | The set of external key servers.
onboard
Configures onboard key management. After configuring onboard key management, save the encrypted configuration data in a safe location so that you can use it if you need to perform a manual recovery operation.
Name | Type | Description
---|---|---
enabled | boolean | Is the onboard key manager enabled?
existing_passphrase | string | The cluster-wide passphrase. This is not audited.
key_backup | string | Backup of the onboard key manager's key hierarchy. It is required to save this backup after configuring the onboard key manager to help in the recovery of the cluster in case of catastrophic failures.
passphrase | string | The cluster-wide passphrase. This is not audited.
synchronize | boolean | Synchronizes missing onboard keys on any node in the cluster. If a node is added to a cluster that has onboard key management configured, the synchronize operation needs to be performed in a PATCH operation. In a MetroCluster configuration, if onboard key management is enabled on one site, then the synchronize operation needs to be run as a POST operation on the remote site providing the same passphrase.
status
Optional status information on the current state of the key manager, indicating whether it is fully set up or requires more action.
Name | Type | Description
---|---|---
code | integer | Code corresponding to the status message. Returns 0 if the setup is complete. This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET or an instance GET unless it is explicitly requested using the fields query parameter or GET for all advanced properties is enabled.
message | string | Current state of the key manager indicating any additional steps to perform to finish the setup. This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET or an instance GET unless it is explicitly requested using the fields query parameter or GET for all advanced properties is enabled.
svm
SVM, applies only to SVM-scoped objects.
Name | Type | Description
---|---|---
_links | _links |
name | string | The name of the SVM. This field cannot be specified in a PATCH method.
uuid | string | The unique identifier of the SVM. This field cannot be specified in a PATCH method.
volume_encryption
Indicates whether volume encryption is supported in the cluster.
Name | Type | Description
---|---|---
code | integer | Code corresponding to the status message. Returns 0 if volume encryption is supported in all nodes of the cluster.
message | string | Reason for not supporting volume encryption.
supported | boolean | Set to true when volume encryption support is available on all nodes of the cluster.
security_key_manager
Name | Type | Description
---|---|---
_links | _links |
external | external | Configures external key management.
is_default_data_at_rest_encryption_disabled | boolean | Indicates whether default data-at-rest encryption is disabled in the cluster. This field is deprecated in ONTAP 9.8 and later; use the "software_data_encryption.disabled_by_default" field of the /api/security endpoint instead.
onboard | onboard | Configures onboard key management. After configuring onboard key management, save the encrypted configuration data in a safe location so that you can use it if you need to perform a manual recovery operation.
policy | string | Security policy associated with the key manager. This value is currently ignored if specified for the onboard key manager.
scope | string | Set to "svm" for interfaces owned by an SVM. Otherwise, set to "cluster".
status | status | Optional status information on the current state of the key manager, indicating whether it is fully set up or requires more action.
svm | svm | SVM, applies only to SVM-scoped objects.
uuid | string |
volume_encryption | volume_encryption | Indicates whether volume encryption is supported in the cluster.
_links
Name | Type | Description
---|---|---
next | href |
self | href |
error_arguments
Name | Type | Description
---|---|---
code | string | Argument code
message | string | Message argument
returned_error
Name | Type | Description
---|---|---
arguments | array[error_arguments] | Message arguments
code | string | Error code
message | string | Error message
target | string | The target parameter that caused the error.