Enable a keystore configuration
PATCH /security/key-stores/{uuid}
Introduced In: 9.14
Enables a keystore configuration
Related ONTAP commands
- security key-manager keystore enable
- security key-manager keystore disable
Parameters
Name | Type | In | Required | Description |
---|---|---|---|---|
uuid | string | path | True | Keystore configuration UUID |
return_timeout | integer | query | False | The number of seconds to allow the call to execute before returning. When doing a POST, PATCH, or DELETE operation on a single record, the default is 0 seconds. This means that if an asynchronous operation is started, the server immediately returns HTTP code 202 (Accepted) along with a link to the job. If a non-zero value is specified for POST, PATCH, or DELETE operations, ONTAP waits that length of time to see if the job completes so it can return something other than 202. |
Request Body
Name | Type | Description |
---|---|---|
configuration | configuration | Security keystore object reference. |
enabled | boolean | Indicates whether the configuration is enabled. |
location | string | Indicates whether the keystore is onboard or external. * 'onboard' - Onboard Key Database * 'external' - External Key Database, including KMIP and Cloud Key Management Systems |
state | string | State of the keystore: * 'active' - The key manager is active and serving new and existing keys. * 'mixed' - The key manager has a mixed configuration. New keys can't be created. * 'svm_kek_rekey' - An SVM key encryption key (KEK) rekey is in progress. New keys can't be created. * 'blocked' - The key manager is blocked and cannot serve new and existing keys. * 'switching' - Switching the enabled key manager keystore configuration. Some operations are blocked. * 'initializing' - The key manager is being initialized. All operations are blocked. * 'disabling' - The key manager is being disabled. All operations are blocked. |
svm | svm | SVM, applies only to SVM-scoped objects. |
type | string | Type of keystore that is configured: * 'okm' - Onboard Key Manager * 'kmip' - External Key Manager * 'akv' - Azure Key Vault Key Management Service * 'gcp' - Google Cloud Platform Key Management Service * 'aws' - Amazon Web Service Key Management Service * 'ikp' - IBM Key Protect Key Management Service * 'barbican' - Barbican Key Management Service |
uuid | string | |
Example request
```json
{
  "configuration": {
    "name": "default",
    "uuid": "1cd8a442-86d1-11e0-ae1c-123478563434"
  },
  "location": "string",
  "state": "string",
  "svm": {
    "name": "svm1",
    "uuid": "02c9e252-41be-11e9-81d5-00a0986138f7"
  },
  "type": "string",
  "uuid": "string"
}
```
Response
Status: 202, Accepted
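A small client for this endpoint, added here as an illustration (it is not code from the ONTAP documentation): it sends the PATCH with the required `enabled` field and a non-zero `return_timeout`, and if the cluster still answers 202 it follows the job link in the response body until the job reaches a terminal state; 4xx/5xx responses are returned as the `returned_error` body so the caller can match the code against the table below. The cluster address, the credentials, the `/api` path prefix, the `{"job": {"_links": {"self": {"href": ...}}}}` shape of the 202 body, the `{"error": {...}}` wrapper of error bodies and the job state names are assumptions.

```python
import base64
import json
import time
import urllib.error
import urllib.request
BASE_URL = "https://cluster.example.com"  # assumed cluster address (placeholder)


def build_enable_request(keystore_uuid, return_timeout=30):
    # 'enabled' is required (error 65538909 if absent); return_timeout > 0 makes ONTAP wait for the job.
    url = f"{BASE_URL}/api/security/key-stores/{keystore_uuid}?return_timeout={return_timeout}"
    return url, {"enabled": True}


def job_href(response_body):
    # Job link in a 202 body; assumed shape {"job": {"_links": {"self": {"href": ...}}}}.
    job = response_body.get("job") or {}
    return job.get("_links", {}).get("self", {}).get("href")


def job_is_done(job_body):
    # Assumed terminal ONTAP job states.
    return job_body.get("state") in ("success", "failure")


def error_code(error_body):
    # Numeric code from an error body; assumed wrapper {"error": {"code": ..., "message": ...}}.
    return int(error_body["error"]["code"])


def _call(method, url, auth, body=None):
    token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    req = urllib.request.Request(
        url, method=method, data=json.dumps(body).encode() if body is not None else None,
        headers={"Authorization": f"Basic {token}", "Content-Type": "application/json",
                 "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:  # 4xx/5xx: body is a returned_error object
        return err.code, json.loads(err.read() or b"{}")


def enable_keystore(keystore_uuid, auth, return_timeout=30, poll_seconds=5):
    # PATCH the keystore; on 202 follow the job link until the job reaches a terminal state.
    url, body = build_enable_request(keystore_uuid, return_timeout)
    status, data = _call("PATCH", url, auth, body)
    if status != 202:
        return status, data  # finished within return_timeout, or an ONTAP error (see code table)
    href = job_href(data)
    while True:
        _, job = _call("GET", BASE_URL + href, auth)
        if job_is_done(job):
            return status, job
        time.sleep(poll_seconds)
```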
Error
Status: Default
ONTAP Error Response Codes
Error Code | Description |
---|---|
262155 | This operation requires an effective cluster version of 9.14.0 or later. |
65536203 | Internal error. Failed to generate SVM key. Cluster key database is not initialized. |
65536204 | Internal error. Failed to generate SVM key. Cluster key encryption key is not found. |
65536207 | Internal error. Failed to store SVM key. |
65536212 | Internal error. Failed to delete SVM volume key. |
65536217 | Internal error. Failed to delete key from cryptomod. |
65536602 | Cannot perform enable/switch while nodes are out of quorum. |
65536856 | No external key management server configured for SVM. |
65536882 | Internal error. UUID is missing for the volume. |
65536883 | Internal error. Volume encryption key is missing. |
65536884 | Internal error. Volume encryption key is invalid for the volume. |
65536889 | Internal error. The volume has an invalid encryption blob. |
65536890 | Internal error. Failed to generate VDEK blob. |
65536973 | Internal error. Volume DSID is missing for the volume. |
65536987 | One or more key servers are unavailable. |
65537527 | Internal error. Failed to rewrap SVM key encryption key. |
65537533 | Internal error. Failed to unwrap SVM key encryption key. |
65537605 | Failed to establish connectivity with the cloud key management service. |
65538908 | The specified keystore configuration UUID either does not exist or corresponds to a keystore configuration that is not supported by this operation. |
65538909 | A value for enabled is required. |
65538910 | Disabling an enabled configuration through this method is currently not supported. |
65539200 | The key custodian was not provided with an external key value store. |
65539201 | Failed to encrypt. |
65539205 | This command does not support enabling key manager configurations with the specified keystore type. |
65539206 | The SVM associated with the supplied keystore UUID already has a keystore configuration enabled. This command does not support migrating from configurations of that keystore type. |
65539207 | The specified keystore configuration does not exist. |
65539212 | Cannot switch the enabled keystore configuration when it is not in the 'active' or 'switching' state. |
65539218 | The specified keystore configuration is already enabled. |
65539222 | Switching between configurations of different keystore types is not supported for data SVMs. |
65539416 | Internal error. Failed to parse key value store response. |
65539442 | Internal error. Failed to generate AES blob. |
65539444 | Internal error. Failed to update the VDEK blob. |
65539513 | An effective cluster version of ONTAP 9.16.1 or later is required to enable an inactive key manager on the admin SVM. |
65539514 | This command does not support enabling key manager configurations with the specified keystore type on the admin SVM. |
65539515 | Cannot switch keystore types on the admin SVM. The keystore type for the invalid configuration must be OKM and the enabled configuration must be KMIP, or vice versa. |
65539518 | Internal error. Cannot find the enabled configuration. |
65539520 | Cannot enable the Onboard Key Manager on the admin SVM because an inactive Onboard Key Manager already exists on the admin SVM. |
65539534 | Cannot switch admin SVM Key Manager when system root volumes are present. |
65539535 | Failed to find unwrapped key on any nodes. |
65539536 | Internal error. Failed to find the existing wrapped key blob for the volume. |
65539538 | SVM-KEK not created for the SVM. |
65539539 | SVM-KEK not restored for SVM. |
65539583 | Cannot switch to the Onboard Key Manager when the external key manager has a policy associated with it. |
65539585 | Cannot enable an external key manager on the admin SVM because an inactive external key manager already exists on the admin SVM. |
65539590 | Cannot switch to the Onboard Key Manager if there are more than two NSE-AKs in the cluster. |
65539591 | Cannot switch to the Onboard Key Manager if there are fewer than two NSE-AKs in the cluster. |
65539704 | The key manager cannot be configured because the SVM has NAE volumes. |
65539837 | The key manager configured does not have any volumes to migrate. |
65539838 | Cannot migrate to a cloud key manager when the external key manager has a policy associated with it. |
65539839 | Cannot migrate to a cloud key manager when the key manager is not in a mixed state. |
65539840 | Failed to clean up the keys stored on the external key servers. |
65539842 | Failed to restore the SVM-KEK. |
65539845 | Cannot migrate SVM volumes to the Onboard Key Manager when the key manager is not in the mixed or active state. |
Also see the table of common errors in the Response body overview section of this documentation.
Definitions
href
Name | Type | Description |
---|---|---|
href | string | |
_links
configuration
Security keystore object reference.
Name | Type | Description |
---|---|---|
name | string | Name of the configuration. |
uuid | string | Keystore UUID. |
svm
SVM, applies only to SVM-scoped objects.
Name | Type | Description |
---|---|---|
name | string | The name of the SVM. This field cannot be specified in a PATCH method. |
uuid | string | The unique identifier of the SVM. This field cannot be specified in a PATCH method. |
security_keystore
Name | Type | Description |
---|---|---|
configuration | configuration | Security keystore object reference. |
enabled | boolean | Indicates whether the configuration is enabled. |
location | string | Indicates whether the keystore is onboard or external. * 'onboard' - Onboard Key Database * 'external' - External Key Database, including KMIP and Cloud Key Management Systems |
state | string | State of the keystore: * 'active' - The key manager is active and serving new and existing keys. * 'mixed' - The key manager has a mixed configuration. New keys can't be created. * 'svm_kek_rekey' - An SVM key encryption key (KEK) rekey is in progress. New keys can't be created. * 'blocked' - The key manager is blocked and cannot serve new and existing keys. * 'switching' - Switching the enabled key manager keystore configuration. Some operations are blocked. * 'initializing' - The key manager is being initialized. All operations are blocked. * 'disabling' - The key manager is being disabled. All operations are blocked. |
svm | svm | SVM, applies only to SVM-scoped objects. |
type | string | Type of keystore that is configured: * 'okm' - Onboard Key Manager * 'kmip' - External Key Manager * 'akv' - Azure Key Vault Key Management Service * 'gcp' - Google Cloud Platform Key Management Service * 'aws' - Amazon Web Service Key Management Service * 'ikp' - IBM Key Protect Key Management Service * 'barbican' - Barbican Key Management Service |
uuid | string | |
job_link
Name | Type | Description |
---|---|---|
uuid | string | The UUID of the asynchronous job that is triggered by a POST, PATCH, or DELETE operation. |
error_arguments
Name | Type | Description |
---|---|---|
code | string | Argument code |
message | string | Message argument |
returned_error
Name | Type | Description |
---|---|---|
arguments | array[error_arguments] | Message arguments |
code | string | Error code |
message | string | Error message |
target | string | The target parameter that caused the error. |