Create a Barbican KMS configuration for an SVM
POST /security/barbican-kms
Introduced In: 9.17
Creates a Barbican KMS configuration for the specified SVM.
Required properties
- configuration.name - Name for the new Barbican configuration.
- svm.uuid or svm.name - Existing SVM in which to create a Barbican KMS.
- key_id - Barbican key URL.
- keystone_url - Keystone authentication URL.
- application_cred_id - Keystone authentication application ID with access to the Barbican KMS.
- application_cred_secret - Application credentials secret to authenticate the application credentials ID with Keystone.
Optional properties
- proxy_type - Type of proxy (http/https) if proxy configuration is used.
- proxy_host - Proxy hostname if proxy configuration is used.
- proxy_port - Proxy port number if proxy configuration is used.
- proxy_username - Proxy username if proxy configuration is used.
- proxy_password - Proxy password if proxy configuration is used.
- verify - Verify the identity of the Barbican KMS?
- verify_host - Verify the identity of the Barbican KMS host name?
- timeout - Connection timeout in seconds.
Related ONTAP commands
- security key-manager external barbican create-config
Parameters
Name | Type | In | Required | Description |
---|---|---|---|---|
return_timeout | integer | query | False | The number of seconds to allow the call to execute before returning. When doing a POST, PATCH, or DELETE operation on a single record, the default is 0 seconds. This means that if an asynchronous operation is started, the server immediately returns HTTP code 202 (Accepted) along with a link to the job. If a non-zero value is specified for POST, PATCH, or DELETE operations, ONTAP waits that length of time to see if the job completes so it can return something other than 202. |
return_records | boolean | query | False | The default is false. If set to true, the records are returned. |
Request Body
Name | Type | Description |
---|---|---|
_links | _links | |
application_cred_id | string | Keystone application credentials ID required to access the specified Barbican KMS. |
application_cred_secret | string | Keystone application credentials secret required to access the specified Barbican KMS. It is not audited. |
barbican_reachability | barbican_reachability | Indicates whether the Barbican KMS is reachable from all nodes in the cluster. This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET request or an instance GET request unless it is explicitly requested using the fields query parameter or GET for all advanced properties is enabled. |
configuration | configuration | Security keystore object reference. |
enabled | boolean | Indicates whether the configuration is enabled. |
key_id | string | Key Identifier URL of the Barbican KMS key encryption key. Must be an HTTPS URL. |
keystone_url | string | Keystone URL for the access token. Must be an HTTPS URL. |
proxy_host | string | Proxy host name. |
proxy_password | string | Proxy password. Password is not audited. |
proxy_port | integer | Proxy port number. |
proxy_type | string | Type of proxy. |
proxy_username | string | Proxy username. |
scope | string | Set to "svm" for interfaces owned by an SVM. Otherwise, set to "cluster". |
state | state | Indicates whether or not the SVM key encryption key (KEK) is available cluster wide. This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET or an instance GET unless it is explicitly requested using the fields query parameter or GET for all advanced properties is enabled. |
svm | svm | SVM, applies only to SVM-scoped objects. |
timeout | integer | Connection timeout in seconds. |
uuid | string | A unique identifier of the Barbican KMS. |
verify | boolean | Verify the identity of the Barbican KMS. |
verify_host | boolean | Verify the identity of the Barbican KMS host name. |
Example request
{
  "application_cred_id": "63e3cb77f84f42b7a0395a3efb7636f9",
  "application_cred_secret": "secret",
  "barbican_reachability": {
    "code": "346758",
    "message": "Barbican KMS is not reachable from all nodes - <reason>.",
    "reachable": ""
  },
  "configuration": {
    "name": "default",
    "uuid": "1cd8a442-86d1-11e0-ae1c-123478563434"
  },
  "key_id": "https://172.29.58.184:9311/v1/secrets/5c610a4f-ea97-44b5-8682-f4daeafa9647",
  "keystone_url": "https://keystoneip:5000/v3/auth/tokens",
  "proxy_host": "proxy.eng.com",
  "proxy_password": "proxypassword",
  "proxy_port": 1234,
  "proxy_type": "http",
  "proxy_username": "proxyuser",
  "scope": "string",
  "state": {
    "cluster_state": "",
    "code": "346758",
    "message": "Top-level internal key encryption key is unavailable on the following nodes with the associated reasons: Node: node1. Reason: No volumes created yet for the SVM. Wrapped KEK status will be available after creating encrypted volumes."
  },
  "svm": {
    "name": "svm1",
    "uuid": "02c9e252-41be-11e9-81d5-00a0986138f7"
  },
  "timeout": 60,
  "uuid": "1cd8a442-86d1-11e0-ae1c-123478563434"
}
Response
Status: 202, Accepted
Name | Type | Description |
---|---|---|
job | job_link | |
Example response
{
  "job": {
    "uuid": "string"
  }
}
Headers
Name | Description | Type |
---|---|---|
Location | Useful for tracking the resource location | string |
Response
Status: 201, Created
Error
Status: Default
ONTAP Error Response Codes
Error Code | Description |
---|---|
1115127 | Package MT_EK_MGMT is not licensed in the cluster. |
65539805 | Failed to create a Barbican Key Management Service configuration because the "application-cred-secret" field is invalid or was not provided. |
65539806 | Barbican Key Management Service (KMS) cannot be configured because not all nodes in the cluster are running an effective cluster version of 9.17 or later to support the Barbican KMS feature. |
65539807 | Barbican Key Management Service is not supported for the admin SVM. |
65539808 | Failed to create the specified Barbican Key Management Service configuration because a Barbican Key Management Service configuration with the same name already exists. |
65539809 | Barbican Key Management Service is not supported in MetroCluster configurations. |
65539810 | Failed to create a Barbican Key Management Service configuration because the "key-id" field is invalid or was not provided. The URI scheme must be HTTPS. |
65539811 | Failed to create a Barbican Key Management Service configuration because the "keystone-url" field is invalid or was not provided. The URI scheme must be HTTPS. |
65539835 | Failed to create a Barbican Key Management Service configuration because the "application-cred-id" field cannot be empty. |
Also see the table of common errors in the Response body overview section of this documentation.
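The following is an added example, not ONTAP's own client or SDK code. It assembles a request body for this endpoint from the required and optional properties above, applies the same checks that the error codes 65539805, 65539810, 65539811 and 65539835 describe before anything is sent (so a malformed request never carries the application credential secret over the wire), redacts the two unaudited fields for client-side logging, and maps the documented 202 and 201 responses. The function names, the dict-shaped `svm` argument and the assumption that an error body is the `returned_error` object are this example's own.

```python
from urllib.parse import urlparse

# Optional request-body properties listed for this endpoint.
OPTIONAL = {"proxy_type", "proxy_host", "proxy_port", "proxy_username",
            "proxy_password", "verify", "verify_host", "timeout"}
# Fields the documentation marks as not audited; keep them out of logs too.
SECRET_FIELDS = ("application_cred_secret", "proxy_password")


def build_barbican_kms_body(config_name, svm, key_id, keystone_url,
                            application_cred_id, application_cred_secret,
                            **optional):
    """Validate inputs client-side against the documented failure conditions:
    65539810/65539811 (HTTPS scheme), 65539835 (empty application_cred_id),
    65539805 (missing application_cred_secret)."""
    for name, url in (("key_id", key_id), ("keystone_url", keystone_url)):
        parsed = urlparse(url or "")
        if parsed.scheme != "https" or not parsed.netloc:
            raise ValueError(f"{name} must be an HTTPS URL")
    if not application_cred_id:
        raise ValueError("application_cred_id cannot be empty")
    if not application_cred_secret:
        raise ValueError("application_cred_secret must be provided")
    if set(svm) not in ({"uuid"}, {"name"}):  # svm.uuid or svm.name, not both
        raise ValueError("svm must be {'uuid': ...} or {'name': ...}")
    unknown = set(optional) - OPTIONAL
    if unknown:
        raise ValueError(f"unknown properties: {sorted(unknown)}")
    if optional.get("proxy_type", "http") not in ("http", "https"):
        raise ValueError("proxy_type must be http or https")
    body = {"configuration": {"name": config_name}, "svm": dict(svm),
            "key_id": key_id, "keystone_url": keystone_url,
            "application_cred_id": application_cred_id,
            "application_cred_secret": application_cred_secret}
    body.update(optional)
    return body


def redact(body):
    """Copy of the body that is safe to log: secrets are masked."""
    return {k: ("***" if k in SECRET_FIELDS else v) for k, v in body.items()}


def result_from_response(status, headers, body):
    """202: return the job UUID to poll; 201: return the Location header.
    Any other status is treated as a returned_error object (assumption)."""
    if status == 202:
        return ("job", body["job"]["uuid"])
    if status == 201:
        return ("created", headers.get("Location"))
    raise RuntimeError(f"{status}: {body.get('code')} {body.get('message')}")
```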
Definitions
href
Name | Type | Description |
---|---|---|
href | string | |
_links
barbican_reachability
Indicates whether the Barbican KMS is reachable from all nodes in the cluster. This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET request or an instance GET request unless it is explicitly requested using the fields query parameter or GET for all advanced properties is enabled.
Name | Type | Description |
---|---|---|
code | string | Code corresponding to the error message. Returns 0 if Barbican KMS is reachable from all nodes in the cluster. |
message | string | Set to the appropriate error message when 'reachable' is false. |
reachable | boolean | Set to true if the Barbican KMS is reachable from all nodes of the cluster. |
configuration
Security keystore object reference.
Name | Type | Description |
---|---|---|
name | string | Name of the configuration. |
uuid | string | Keystore UUID. |
state
Indicates whether or not the SVM key encryption key (KEK) is available cluster wide. This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET or an instance GET unless it is explicitly requested using the fields query parameter or GET for all advanced properties is enabled.
Name | Type | Description |
---|---|---|
cluster_state | boolean | Set to true when an SVM-KEK is present on all nodes of the cluster. |
code | string | Code corresponding to the status message. Returns a 0 if the SVM-KEK is available on all nodes in the cluster. |
message | string | Error message returned when there's no SVM-KEK availability on the cluster. |
svm
SVM, applies only to SVM-scoped objects.
Name | Type | Description |
---|---|---|
name | string | The name of the SVM. This field cannot be specified in a PATCH method. |
uuid | string | The unique identifier of the SVM. This field cannot be specified in a PATCH method. |
barbican
Name | Type | Description |
---|---|---|
_links | _links | |
application_cred_id | string | Keystone application credentials ID required to access the specified Barbican KMS. |
application_cred_secret | string | Keystone application credentials secret required to access the specified Barbican KMS. It is not audited. |
barbican_reachability | barbican_reachability | Indicates whether the Barbican KMS is reachable from all nodes in the cluster. This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET request or an instance GET request unless it is explicitly requested using the fields query parameter or GET for all advanced properties is enabled. |
configuration | configuration | Security keystore object reference. |
enabled | boolean | Indicates whether the configuration is enabled. |
key_id | string | Key Identifier URL of the Barbican KMS key encryption key. Must be an HTTPS URL. |
keystone_url | string | Keystone URL for the access token. Must be an HTTPS URL. |
proxy_host | string | Proxy host name. |
proxy_password | string | Proxy password. Password is not audited. |
proxy_port | integer | Proxy port number. |
proxy_type | string | Type of proxy. |
proxy_username | string | Proxy username. |
scope | string | Set to "svm" for interfaces owned by an SVM. Otherwise, set to "cluster". |
state | state | Indicates whether or not the SVM key encryption key (KEK) is available cluster wide. This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET or an instance GET unless it is explicitly requested using the fields query parameter or GET for all advanced properties is enabled. |
svm | svm | SVM, applies only to SVM-scoped objects. |
timeout | integer | Connection timeout in seconds. |
uuid | string | A unique identifier of the Barbican KMS. |
verify | boolean | Verify the identity of the Barbican KMS. |
verify_host | boolean | Verify the identity of the Barbican KMS host name. |
job_link
Name | Type | Description |
---|---|---|
uuid | string | The UUID of the asynchronous job that is triggered by a POST, PATCH, or DELETE operation. |
error_arguments
Name | Type | Description |
---|---|---|
code | string | Argument code |
message | string | Message argument |
returned_error
Name | Type | Description |
---|---|---|
arguments | array[error_arguments] | Message arguments |
code | string | Error code |
message | string | Error message |
target | string | The target parameter that caused the error. |