Update the Barbican KMS configuration
PATCH /security/barbican-kms/{uuid}
Introduced In: 9.17
Updates the Barbican KMS configuration.
Optional properties
- application_cred_id - New credentials used to verify the application's identity to the Barbican KMS. You must provide both application_cred_id and application_cred_secret to update the credentials.
- application_cred_secret - New credentials secret used to verify the application's identity to the Barbican KMS. You must provide both application_cred_id and application_cred_secret to update the credentials.
- proxy_type - Type of proxy (http/https) if proxy configuration is used.
- proxy_host - Proxy hostname if proxy configuration is used.
- proxy_port - Proxy port number if proxy configuration is used.
- proxy_username - Proxy username if proxy configuration is used.
- proxy_password - Proxy password if proxy configuration is used.
- verify - Verify the identity of the Barbican KMS?
- verify_host - Verify the identity of the Barbican KMS host name?
- timeout - Connection timeout in seconds.
Related ONTAP commands
- security key-manager external barbican update-credentials
- security key-manager external barbican update-config
Parameters
Name | Type | In | Required | Description |
---|---|---|---|---|
uuid | string | path | True | Barbican KMS UUID |
return_timeout | integer | query | False | The number of seconds to allow the call to execute before returning. When doing a POST, PATCH, or DELETE operation on a single record, the default is 0 seconds. This means that if an asynchronous operation is started, the server immediately returns HTTP code 202 (Accepted) along with a link to the job. If a non-zero value is specified for POST, PATCH, or DELETE operations, ONTAP waits that length of time to see if the job completes so it can return something other than 202. |
Request Body
Name | Type | Description |
---|---|---|
_links | | |
application_cred_id | string | Keystone application credentials ID required to access the specified Barbican KMS. |
application_cred_secret | string | Keystone application credentials secret required to access the specified Barbican KMS. It is not audited. |
barbican_reachability | | Indicates whether the Barbican KMS is reachable from all nodes in the cluster. This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET request or an instance GET request unless it is explicitly requested using the field's query parameter or GET for all advanced properties is enabled. |
enabled | boolean | Indicates whether the configuration is enabled. |
proxy_host | string | Proxy host name. |
proxy_password | string | Proxy password. Password is not audited. |
proxy_port | integer | Proxy port number. |
proxy_type | string | Type of proxy. |
proxy_username | string | Proxy username. |
scope | string | Set to "svm" for interfaces owned by an SVM. Otherwise, set to "cluster". |
state | | Indicates whether or not the SVM key encryption key (KEK) is available cluster wide. This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET or an instance GET unless it is explicitly requested using the fields query parameter or GET for all advanced properties is enabled. |
timeout | integer | Connection timeout in seconds. |
uuid | string | A unique identifier of the Barbican KMS. |
verify | boolean | Verify the identity of the Barbican KMS. |
verify_host | boolean | Verify the identity of the Barbican KMS host name. |
Example request
```json
{
  "application_cred_id": "63e3cb77f84f42b7a0395a3efb7636f9",
  "application_cred_secret": "secret",
  "barbican_reachability": {
    "code": "346758",
    "message": "Barbican KMS is not reachable from all nodes - <reason>.",
    "reachable": ""
  },
  "proxy_host": "proxy.eng.com",
  "proxy_password": "proxypassword",
  "proxy_port": 1234,
  "proxy_type": "http",
  "proxy_username": "proxyuser",
  "scope": "string",
  "state": {
    "cluster_state": "",
    "code": "346758",
    "message": "Top-level internal key encryption key is unavailable on the following nodes with the associated reasons: Node: node1. Reason: No volumes created yet for the SVM. Wrapped KEK status will be available after creating encrypted volumes."
  },
  "timeout": 60,
  "uuid": "1cd8a442-86d1-11e0-ae1c-123478563434"
}
```
Response
Status: 202, Accepted
Error
Status: Default
ONTAP Error Response Codes
Error Code | Description |
---|---|
65539223 | Failed to check the health of the Barbican Key Management Service. |
65539814 | Failed to update the Barbican Key Management Service configuration because the "application-cred-secret" field is invalid or was not provided. |
65539815 | Failed to update the Barbican Key Management Service configuration because the "application-cred-id" field is invalid or was not provided. |
65539832 | Specified Barbican Key Management Service configuration does not exist. |
65539841 | Both "application_cred_id" and "application_cred_secret" are required. |
Also see the table of common errors in the Response body overview section of this documentation.
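The following is an added example, not NetApp code: a client-side pre-flight check for this PATCH call that enforces the paired-credential rule, keeps the two unaudited secret fields out of the caller's own logs, and maps the documented error codes. The function names, the opt-in flag for disabling verification, and the `{"job": ...}` / `{"error": ...}` response envelopes are assumptions of this example.

```python
# Added example: client-side checks for PATCH /security/barbican-kms/{uuid}.
# Function names and the assumed response envelopes are not from the page.

# Codes copied from the "ONTAP Error Response Codes" table on this page.
ONTAP_ERRORS = {
    "65539223": "health check of the Barbican KMS failed",
    "65539814": "application-cred-secret invalid or not provided",
    "65539815": "application-cred-id invalid or not provided",
    "65539832": "Barbican KMS configuration does not exist",
    "65539841": "application_cred_id and application_cred_secret are both required",
}
# Writable fields: the page's "Optional properties" list.
WRITABLE = {"application_cred_id", "application_cred_secret", "proxy_type",
            "proxy_host", "proxy_port", "proxy_username", "proxy_password",
            "verify", "verify_host", "timeout"}
SECRET_FIELDS = {"application_cred_secret", "proxy_password"}  # "not audited"


def build_patch_body(changes, allow_unverified=False):
    """Validate a PATCH body before it is sent; returns a copy of it."""
    unknown = set(changes) - WRITABLE
    if unknown:  # fields outside that list, e.g. state or barbican_reachability
        raise ValueError(f"not an optional PATCH property: {sorted(unknown)}")
    creds = {"application_cred_id", "application_cred_secret"} & set(changes)
    if len(creds) == 1:  # the server would reject this with 65539841
        raise ValueError(ONTAP_ERRORS["65539841"])
    if "proxy_type" in changes and changes["proxy_type"] not in ("http", "https"):
        raise ValueError("proxy_type must be http or https")
    # Local policy of this example, not an API restriction.
    weakened = [k for k in ("verify", "verify_host") if changes.get(k) is False]
    if weakened and not allow_unverified:
        raise ValueError(f"refusing to disable {weakened} without explicit opt-in")
    return dict(changes)


def redact(body):
    """Copy of the body that is safe to log: secret values are masked."""
    return {k: ("<redacted>" if k in SECRET_FIELDS else v) for k, v in body.items()}


def interpret(status, payload):
    """Return (outcome, detail) for a response to the PATCH call."""
    if status == 202:  # assumed envelope: {"job": {"uuid": "..."}}
        return "accepted", payload.get("job", {}).get("uuid")
    err = payload.get("error", {})  # assumed envelope: {"error": {...}}
    return "error", ONTAP_ERRORS.get(str(err.get("code")), err.get("message"))
```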
Definitions
href
Name | Type | Description |
---|---|---|
href | string | |
_links
barbican_reachability
Indicates whether the Barbican KMS is reachable from all nodes in the cluster. This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET request or an instance GET request unless it is explicitly requested using the field's query parameter or GET for all advanced properties is enabled.
Name | Type | Description |
---|---|---|
code | string | Code corresponding to the error message. Returns 0 if Barbican KMS is reachable from all nodes in the cluster. |
message | string | Set to the appropriate error message when 'reachable' is false. |
reachable | boolean | Set to true if the Barbican KMS is reachable from all nodes of the cluster. |
configuration
Security keystore object reference.
Name | Type | Description |
---|---|---|
name | string | Name of the configuration. |
uuid | string | Keystore UUID. |
state
Indicates whether or not the SVM key encryption key (KEK) is available cluster wide.
This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET or an instance GET unless it is explicitly requested using the fields query parameter or GET for all advanced properties is enabled.
Name | Type | Description |
---|---|---|
cluster_state | boolean | Set to true when an SVM-KEK is present on all nodes of the cluster. |
code | string | Code corresponding to the status message. Returns a 0 if the SVM-KEK is available on all nodes in the cluster. |
message | string | Error message returned when there's no SVM-KEK availability on the cluster. |
svm
SVM, applies only to SVM-scoped objects.
Name | Type | Description |
---|---|---|
name | string | The name of the SVM. This field cannot be specified in a PATCH method. |
uuid | string | The unique identifier of the SVM. This field cannot be specified in a PATCH method. |
barbican
Name | Type | Description |
---|---|---|
_links | | |
application_cred_id | string | Keystone application credentials ID required to access the specified Barbican KMS. |
application_cred_secret | string | Keystone application credentials secret required to access the specified Barbican KMS. It is not audited. |
barbican_reachability | | Indicates whether the Barbican KMS is reachable from all nodes in the cluster. This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET request or an instance GET request unless it is explicitly requested using the field's query parameter or GET for all advanced properties is enabled. |
enabled | boolean | Indicates whether the configuration is enabled. |
proxy_host | string | Proxy host name. |
proxy_password | string | Proxy password. Password is not audited. |
proxy_port | integer | Proxy port number. |
proxy_type | string | Type of proxy. |
proxy_username | string | Proxy username. |
scope | string | Set to "svm" for interfaces owned by an SVM. Otherwise, set to "cluster". |
state | | Indicates whether or not the SVM key encryption key (KEK) is available cluster wide. This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET or an instance GET unless it is explicitly requested using the fields query parameter or GET for all advanced properties is enabled. |
timeout | integer | Connection timeout in seconds. |
uuid | string | A unique identifier of the Barbican KMS. |
verify | boolean | Verify the identity of the Barbican KMS. |
verify_host | boolean | Verify the identity of the Barbican KMS host name. |
job_link
Name | Type | Description |
---|---|---|
uuid | string | The UUID of the asynchronous job that is triggered by a POST, PATCH, or DELETE operation. |
error_arguments
Name | Type | Description |
---|---|---|
code | string | Argument code |
message | string | Message argument |
returned_error
Name | Type | Description |
---|---|---|
arguments | array[error_arguments] | Message arguments |
code | string | Error code |
message | string | Error message |
target | string | The target parameter that caused the error. |