Module netapp_ontap.resources.security_key_manager
Copyright © 2019 NetApp Inc. All rights reserved.
Overview
A key manager is a key management solution (software or dedicated hardware) that enables other ONTAP client modules to securely and persistently store keys for various uses. For example, WAFL uses the key management framework to store and retrieve the volume encryption keys that it uses to encrypt/decrypt data on NVE volumes. A key manager can be configured at both cluster scope and SVM, with one key manager allowed per SVM. The key management framework in ONTAP supports two mutually exclusive modes for persisting keys, external and onboard.
When an SVM is configured with external key management, the keys are stored on up to four key servers that are external to the system. Once external key management is enabled for an SVM, key servers can be added or removed using the /api/security/key-managers/{uuid}/key-servers endpoint. See [POST /security/key-managers/{uuid}/key-servers
] and [DELETE /security/key-managers/{uuid}/key-servers/{server}
] for more details.
Setting up external key management dictates that the required certificates for securely communicating with the key server are installed prior to configuring the key manager. To install the required client and server_ca certificates, use the /api/security/certificates/ endpoint.
See [POST /security/certificates
], [GET /security/certificates/uuid
] and [DELETE /security/certificates/{uuid}
] for more details.
When an SVM is configured with onboard key management, the keys are stored in ONTAP in wrapped format using a key hierarchy created using the salted hash of the passphrase entered when configuring onboard key management. This model fits well for customers who use ONTAP to store their own data.
Examples
Creating an external key manager with 1 key server for a cluster
The example key manager is configured at the cluster-scope with one key server. Note that the UUIDs of the certificates are those that are already installed at the cluster-scope. Note the return_records=true query parameter is used to obtain the newly created key manager configuration
# The API:
POST /api/security/key-managers
# The call:
curl -X POST 'https://<mgmt-ip>/api/security/key-managers?return_records=true' -H 'accept: application/hal+json' -d "{ \"external\": { \"client_certificate\": { \"uuid\": \"5fb1701a-d922-11e8-bfe8-005056bb017d\" }, \"server_ca_certificates\": [ { \"uuid\": \"827d7d31-d6c8-11e8-b5bf-005056bb017d\" }],\"servers\": [ { \"server\": \"10.225.89.33:5696\" } ] } }"
# The response:
{
"num_records": 1,
"records": [
{
"uuid": "815e9462-dc57-11e8-9b2c-005056bb017d",
"external": {
"client_certificate": {
"uuid": "5fb1701a-d922-11e8-bfe8-005056bb017d"
},
"server_ca_certificates": [
{
"uuid": "827d7d31-d6c8-11e8-b5bf-005056bb017d"
}
],
"servers": [
{
"server": "10.225.89.33:5696"
}
]
},
"_links": {
"self": {
"href": "/api/security/key-managers/815e9462-dc57-11e8-9b2c-005056bb017d"
}
}
}
]
}
Creating an external key manager with 1 key server for an SVM
The example key manager is configured at the SVM-scope with one key server. Note that the UUIDs of the certificates are those that are already installed in that SVM. Note the return_records=true query parameter is used to obtain the newly created key manager configuration
# The API:
POST /api/security/key-managers
# The call:
curl -X POST 'https://<mgmt-ip>/api/security/key-managers?return_records=true' -H 'accept: application/hal+json' -d "{ \"svm\": { \"uuid\": \"216e6c26-d6c6-11e8-b5bf-005056bb017d\" }, \"external\": { \"client_certificate\": { \"uuid\": \"91dcaf7c-dbbd-11e8-9b2c-005056bb017d\" }, \"server_ca_certificates\": [ { \"uuid\": \"a4d4b8ba-dbbd-11e8-9b2c-005056bb017d\" }],\"servers\": [ { \"server\": \"10.225.89.34:5696\" } ] } }"
# The response:
{
"num_records": 1,
"records": [
{
"uuid": "80af63f2-dbbf-11e8-9b2c-005056bb017d",
"svm": {
"uuid": "216e6c26-d6c6-11e8-b5bf-005056bb017d"
},
"external": {
"client_certificate": {
"uuid": "91dcaf7c-dbbd-11e8-9b2c-005056bb017d"
},
"server_ca_certificates": [
{
"uuid": "a4d4b8ba-dbbd-11e8-9b2c-005056bb017d"
}
],
"servers": [
{
"server": "10.225.89.34:5696"
}
]
},
"_links": {
"self": {
"href": "/api/security/key-managers/80af63f2-dbbf-11e8-9b2c-005056bb017d"
}
}
}
]
}
Creating an onboard key manager for a cluster
The following example shows how to create an onboard key manager for a cluster with the onboard key manager configured at the cluster-scope.
# The API:
POST /api/security/key-managers
# The call:
curl -X POST 'https://<mgmt-ip>/api/security/key-managers' -H 'accept: application/hal+json' -d '{ "onboard": { "passphrase": "passphrase" } }'
Retrieving the key manager configurations for all clusters and SVMs
The following example shows how to retrieve all configured key managers along with their configurations.
# The API:
GET /api/security/key-managers
# The call:
curl -X GET 'https://<mgmt-ip>/api/security/key-managers?fields=*' -H 'accept: application/hal+json'
# The response:
{
"records": [
{
"uuid": "2345f09c-d6c9-11e8-b5bf-005056bb017d",
"scope": "svm",
"svm": {
"uuid": "0f22f8f3-d6c6-11e8-b5bf-005056bb017d",
"name": "vs0"
},
"external": {
"client_certificate": {
"uuid": "4cb15482-d6c8-11e8-b5bf-005056bb017d",
"_links": {
"self": {
"href": "/api/security/certificates/4cb15482-d6c8-11e8-b5bf-005056bb017d/"
}
}
},
"server_ca_certificates": [
{
"uuid": "8a17c858-d6c8-11e8-b5bf-005056bb017d",
"_links": {
"self": {
"href": "/api/security/certificates/8a17c858-d6c8-11e8-b5bf-005056bb017d/"
}
}
}
],
"servers": [
{
"server": "10.2.30.4:5696",
"timeout": 25,
"username": "",
"_links": {
"self": {
"href": "/api/security/key-managers/2345f09c-d6c9-11e8-b5bf-005056bb017d/key-servers/10.2.30.4:5696/"
}
}
},
{
"server": "vs0.local1:3678",
"timeout": 25,
"username": "",
"_links": {
"self": {
"href": "/api/security/key-managers/2345f09c-d6c9-11e8-b5bf-005056bb017d/key-servers/vs0.local1:3678/"
}
}
}
]
},
"_links": {
"self": {
"href": "/api/security/key-managers/2345f09c-d6c9-11e8-b5bf-005056bb017d"
}
}
},
{
"uuid": "815e9462-dc57-11e8-9b2c-005056bb017d",
"scope": "cluster",
"external": {
"client_certificate": {
"uuid": "5fb1701a-d922-11e8-bfe8-005056bb017d",
"_links": {
"self": {
"href": "/api/security/certificates/5fb1701a-d922-11e8-bfe8-005056bb017d/"
}
}
},
"server_ca_certificates": [
{
"uuid": "827d7d31-d6c8-11e8-b5bf-005056bb017d",
"_links": {
"self": {
"href": "/api/security/certificates/827d7d31-d6c8-11e8-b5bf-005056bb017d/"
}
}
}
],
"servers": [
{
"server": "10.225.89.33:5696",
"timeout": 25,
"username": "",
"_links": {
"self": {
"href": "/api/security/key-managers/815e9462-dc57-11e8-9b2c-005056bb017d/key-servers/10.225.89.33:5696/"
}
}
}
]
},
"_links": {
"self": {
"href": "/api/security/key-managers/815e9462-dc57-11e8-9b2c-005056bb017d"
}
}
}
],
"num_records": 2,
"_links": {
"self": {
"href": "/api/security/key-managers?fields=*"
}
}
}
Retrieving a specific key manager configuration
The following example shows how to retrieve a specific key manager configuration.
# The API:
GET /api/security/key-managers/{uuid}
# The call:
curl -X GET 'https://<mgmt-ip>/api/security/key-managers/<uuid>?fields=*' -H 'accept: application/hal+json'
# The response:
{
"uuid": "2345f09c-d6c9-11e8-b5bf-005056bb017d",
"scope": "svm",
"svm": {
"uuid": "0f22f8f3-d6c6-11e8-b5bf-005056bb017d",
"name": "vs0"
},
"external": {
"client_certificate": {
"uuid": "4cb15482-d6c8-11e8-b5bf-005056bb017d",
"_links": {
"self": {
"href": "/api/security/certificates/4cb15482-d6c8-11e8-b5bf-005056bb017d/"
}
}
},
"server_ca_certificates": [
{
"uuid": "8a17c858-d6c8-11e8-b5bf-005056bb017d",
"_links": {
"self": {
"href": "/api/security/certificates/8a17c858-d6c8-11e8-b5bf-005056bb017d/"
}
}
}
],
"servers": [
{
"server": "10.2.30.4:5696",
"timeout": 25,
"username": "",
"_links": {
"self": {
"href": "/api/security/key-managers/2345f09c-d6c9-11e8-b5bf-005056bb017d/key-servers/10.2.30.4:5696/"
}
}
},
{
"server": "vs0.local1:3678",
"timeout": 25,
"username": "",
"_links": {
"self": {
"href": "/api/security/key-managers/2345f09c-d6c9-11e8-b5bf-005056bb017d/key-servers/vs0.local1:3678/"
}
}
}
]
},
"_links": {
"self": {
"href": "/api/security/key-managers/2345f09c-d6c9-11e8-b5bf-005056bb017d"
}
}
}
Updating the configuration of an external key manager
The following example shows how to update the server-ca configuration of an external key manager.
# The API:
PATCH /api/security/key-managers/{uuid}
# The call:
curl -X PATCH 'https://<mgmt-ip>/api/security/key-managers/<uuid>?' -H 'accept: application/hal+json' -d "{ \"external\": { \"server_ca_certificates\": [ { \"uuid\": \"23b05c58-d790-11e8-b5bf-005056bb017d\" }] } }"
Updating the passphrase of an onboard key manager
The following example shows how to update the passphrase of a given key manager.
# The API:
PATCH /api/security/key-managers/{uuid}
# The call:
curl -X PATCH 'https://<mgmt-ip>/api/security/key-managers/<uuid>?' -H 'accept: application/hal+json' -d "{ \"onboard\": { \"existing_passphrase\": \"existing_passphrase\", \"passphrase\": \"new_passphrase\" } }"
Deleting a configured key manager
The following example shows how to delete a key manager given its UUID.
# The API:
DELETE /api/security/key-managers/{uuid}
# The call:
curl -X DELETE 'https://<mgmt-ip>/api/security/key-managers/<uuid>?' -H 'accept: application/hal+json'
Adding a key server to an external key manager
The following example shows how to add a key server to an external key manager.
# The API:
POST /api/security/key-managers/{uuid}/key-servers
# The call:
curl -X POST 'https://<mgmt-ip>/api/security/key-managers/<uuid>/key-servers?return_records=true' -H 'accept: application/hal+json' -d "{ \"server\": \"10.225.89.34:5696\" }"
# The response:
{
"num_records": 1,
"records": [
{
"server": "10.225.89.34:5696",
"_links": {
"self": {
"href": "/api/security/key-managers/43e0c191-dc5c-11e8-9b2c-005056bb017d/key-servers/10.225.89.34%3A5696"
}
}
}
]
}
Adding 2 key servers to an external key manager
The following example shows how to add 2 key servers to an external key manager. Note that the records property is used to add multiple key servers to the key manager in a single API call.
# The API:
POST /api/security/key-managers/{uuid}/key-servers
# The call:
curl -X POST 'https://<mgmt-ip>/api/security/key-managers/<uuid>/key-servers?return_records=true' -H 'accept: application/hal+json' -d "{ \"records\": [ { \"server\": \"10.225.89.34:5696\" }, { \"server\": \"10.225.89.33:5696\" } ] }"
# The response:
{
"num_records": 1,
"records": [
{
"_links": {
"self": {
"href": "/api/security/key-managers/43e0c191-dc5c-11e8-9b2c-005056bb017d/key-servers/"
}
}
}
]
}
Retrieving all the key servers configured in an external key manager
The following example shows how to retrieve all key servers configured in an external key manager.
# The API:
GET /api/security/key-managers/{uuid}/key-servers
# The call:
curl -X GET 'https://<mgmt-ip>/api/security/key-managers/<uuid>/key-servers?fields=*' -H 'accept: application/hal+json'
# The response:
{
"records": [
{
"uuid": "43e0c191-dc5c-11e8-9b2c-005056bb017d",
"server": "10.225.89.33:5696",
"timeout": 25,
"username": "",
"_links": {
"self": {
"href": "/api/security/key-managers/43e0c191-dc5c-11e8-9b2c-005056bb017d/key-servers/10.225.89.33%3A5696"
}
}
},
{
"uuid": "43e0c191-dc5c-11e8-9b2c-005056bb017d",
"server": "10.225.89.34:5696",
"timeout": 25,
"username": "",
"_links": {
"self": {
"href": "/api/security/key-managers/43e0c191-dc5c-11e8-9b2c-005056bb017d/key-servers/10.225.89.34%3A5696"
}
}
}
],
"num_records": 2,
"_links": {
"self": {
"href": "/api/security/key-managers/43e0c191-dc5c-11e8-9b2c-005056bb017d/key-servers?fields=*"
}
}
}
Retrieving a specific key server configured in an external key manager
The following example shows how to retrieve a specific key server configured in an external key manager.
# The API:
GET /api/security/key-managers/{uuid}/key-servers/{server}
# The call:
curl -X GET 'https://<mgmt-ip>/api/security/key-managers/<uuid>/key-servers/{server}?fields=*' -H 'accept: application/hal+json'
# The response:
{
"uuid": "43e0c191-dc5c-11e8-9b2c-005056bb017d",
"server": "10.225.89.34:5696",
"timeout": 25,
"username": "",
"_links": {
"self": {
"href": "/api/security/key-managers/43e0c191-dc5c-11e8-9b2c-005056bb017d/key-servers/10.225.89.34:5696"
}
}
}
Updating a specific key server configuration configured in an external key manager
The following example shows how to update a specific key server configured in an external key manager.
# The API:
PATCH /api/security/key-managers/{uuid}/key-servers/{server}
# The call:
curl -X PATCH 'https://<mgmt-ip>/api/security/key-managers/<uuid>/key-servers/{server}' -H 'accept: application/hal+json' -d "{ \"timeout\": 45 }"
Deleting a key server from an external key manager
The following example shows how to delete a key server from an external key manager.
# The API:
DELETE /api/security/key-managers/{uuid}/key-servers/{server}
# The call:
curl -X DELETE 'https://<mgmt-ip>/api/security/key-managers/<uuid>/key-servers/{server}' -H 'accept: application/hal+json'
Classes
class SecurityKeyManager (*args, **kwargs)
-
Allows interaction with SecurityKeyManager objects on the host
Initialize the instance of the resource.
Any keyword arguments are set on the instance as properties. For example, if the class was named 'MyResource', then this statement would be true:
MyResource(name='foo').name == 'foo'
Args
*args
- Each positional argument represents a parent key as used in the URL of the object. That is, each value will be used to fill in a segment of the URL which refers to some parent object. The order of these arguments must match the order they are specified in the URL, from left to right.
**kwargs
- each entry will have its key set as an attribute name on the instance and its value will be the value of that attribute.
Ancestors
Static methods
def delete_collection(*args, connection: HostConnection = None, **kwargs) -> NetAppResponse
-
Deletes a key manager.
Related ONTAP commands
security key-manager external disable
security key-manager onboard disable
Learn more
Delete all objects in a collection which match the given query.
All records on the host which match the query will be deleted.
Args
*args
- Each entry represents a parent key which is used to build the path to the child object. If the URL definition were /api/foos/{foo.name}/bars, then to delete the collection of bars for a particular foo, the foo.name value should be passed.
connection
- The
HostConnection
object to use for this API call. If unset, tries to use the connection which is set globally for the library or from the current context. **kwargs
- Any key/value pairs passed will be sent as query parameters to the host. Only resources matching this query will be patched.
Returns
A
NetAppResponse
object containing the details of the HTTP response.Raises
NetAppRestError
: If the API call returned a status code >= 400 def find(*args, connection: HostConnection = None, **kwargs) -> Resource
-
Retrieves key managers.
Related ONTAP commands
security key-manager show-keystore
security key-manager external show
Learn more
Find an instance of an object on the host given a query.
The host will be queried with the provided key/value pairs to find a matching resource. If 0 are found or if more than 1 is found, an error will be raised or returned. If there is exactly 1 matching record, then it will be returned.
Args
*args
- Each entry represents a parent key which is used to build the path to the child object. If the URL definition were /api/foos/{foo.name}/bars, then to find a bar for a particular foo, the foo.name value should be passed.
connection
- The
HostConnection
object to use for this API call. If unset, tries to use the connection which is set globally for the library or from the current context. **kwargs
- Any key/value pairs passed will be sent as query parameters to the host.
Returns
A
Resource
object containing the details of the object.Raises
NetAppRestError
: If the API call did not return exactly 1 matching resource. def get_collection(*args, connection: HostConnection = None, max_records: int = None, **kwargs) -> typing.Iterable
-
Retrieves key managers.
Related ONTAP commands
security key-manager show-keystore
security key-manager external show
Learn more
Fetch a list of all objects of this type from the host.
Args
*args
- Each entry represents a parent key which is used to build the path to the child object. If the URL definition were /api/foos/{foo.name}/bars, then to get the collection of bars for a particular foo, the foo.name value should be passed.
connection
- The
HostConnection
object to use for this API call. If unset, tries to use the connection which is set globally for the library or from the current context. max_records
- The maximum number of records to return per call
**kwargs
- Any key/value pairs passed will be sent as query parameters to the host.
Returns
A list of
Resource
objectsRaises
NetAppRestError
: If there is no connection available to use either passed in or on the library. def patch_collection(body: dict, *args, connection: HostConnection = None, **kwargs) -> NetAppResponse
-
Updates a key manager.
Related ONTAP commands
security key-manager external modify
security key-manager onboard update-passphrase
Learn more
Patch all objects in a collection which match the given query.
All records on the host which match the query will be patched with the provided body.
Args
body
- A dictionary of name/value pairs to set on all matching members of the collection.
*args
- Each entry represents a parent key which is used to build the path to the child object. If the URL definition were /api/foos/{foo.name}/bars, then to patch the collection of bars for a particular foo, the foo.name value should be passed.
connection
- The
HostConnection
object to use for this API call. If unset, tries to use the connection which is set globally for the library or from the current context. **kwargs
- Any key/value pairs passed will be sent as query parameters to the host. Only resources matching this query will be patched.
Returns
A
NetAppResponse
object containing the details of the HTTP response.Raises
NetAppRestError
: If the API call returned a status code >= 400
Methods
def delete(self, poll: bool = True, poll_interval: typing.Union = None, poll_timeout: typing.Union = None, **kwargs) -> NetAppResponse
-
Deletes a key manager.
Related ONTAP commands
security key-manager external disable
security key-manager onboard disable
Learn more
Send a deletion request to the host for this object.
Args
poll
- If set to True, the call will not return until the asynchronous job on the host has completed. Has no effect if the host did not return a job response.
poll_interval
- If the operation returns a job, this specifies how often to query the job for updates.
poll_timeout
- If the operation returns a job, this specifies how long to continue monitoring the job's status for completion.
**kwargs
- Any key/value pairs passed will be sent as query parameters to the host.
Returns
A
NetAppResponse
object containing the details of the HTTP response.Raises
NetAppRestError
: If the API call returned a status code >= 400 def get(self, **kwargs) -> NetAppResponse
-
Retrieves key managers.
Related ONTAP commands
security key-manager show-keystore
security key-manager external show
Learn more
Fetch the details of the object from the host.
Requires the keys to be set (if any). After returning, new or changed properties from the host will be set on the instance.
Returns
A
NetAppResponse
object containing the details of the HTTP response.Raises
NetAppRestError
: If the API call returned a status code >= 400 def patch(self, hydrate: bool = False, poll: bool = True, poll_interval: typing.Union = None, poll_timeout: typing.Union = None, **kwargs) -> NetAppResponse
-
Updates a key manager.
Related ONTAP commands
security key-manager external modify
security key-manager onboard update-passphrase
Learn more
Send the difference in the object's state to the host as a modification request.
Calculates the difference in the object's state since the last time we interacted with the host and sends this in the request body.
Args
hydrate
- If set to True, after the response is received from the call, a a GET call will be made to refresh all fields of the object.
poll
- If set to True, the call will not return until the asynchronous job on the host has completed. Has no effect if the host did not return a job response.
poll_interval
- If the operation returns a job, this specifies how often to query the job for updates.
poll_timeout
- If the operation returns a job, this specifies how long to continue monitoring the job's status for completion.
**kwargs
- Any key/value pairs passed will be sent as query parameters to the host.
Returns
A
NetAppResponse
object containing the details of the HTTP response.Raises
NetAppRestError
: If the API call returned a status code >= 400 def post(self, hydrate: bool = False, poll: bool = True, poll_interval: typing.Union = None, poll_timeout: typing.Union = None, **kwargs) -> NetAppResponse
-
Creates a key manager.
Required properties
svm.uuid
orsvm.name
- Existing SVM in which to create a key manager.external.client_certificate
- Client certificate. Required only when creating an external key manager.external.server_ca_certificates
- Server CA certificates. Required only when creating an external key manager.external.servers.server
- Key servers. Required only when creating an external key manager.onboard.passphrase
- Cluster-wide passphrase. Required only when creating an onboard key manager.
Related ONTAP commands
security key-manager external enable
security key-manager onboard enable
Learn more
Send this object to the host as a creation request.
Args
hydrate
- If set to True, after the response is received from the call, a a GET call will be made to refresh all fields of the object.
poll
- If set to True, the call will not return until the asynchronous job on the host has completed. Has no effect if the host did not return a job response.
poll_interval
- If the operation returns a job, this specifies how often to query the job for updates.
poll_timeout
- If the operation returns a job, this specifies how long to continue monitoring the job's status for completion.
**kwargs
- Any key/value pairs passed will be sent as query parameters to the host.
Returns
A
NetAppResponse
object containing the details of the HTTP response.Raises
NetAppRestError
: If the API call returned a status code >= 400
Inherited members
class SecurityKeyManagerSchema (only=None, exclude=(), many=False, context=None, load_only=(), dump_only=(), partial=False, unknown=None)
-
The fields of the SecurityKeyManager object
Ancestors
- netapp_ontap.resource.ResourceSchema
- marshmallow.schema.Schema
- marshmallow.schema.BaseSchema
- marshmallow.base.SchemaABC
Class variables
var external
-
The external field of the security_key_manager.
var links
-
The links field of the security_key_manager.
var onboard
-
The onboard field of the security_key_manager.
var opts
var scope
-
The scope field of the security_key_manager.
var svm
-
The svm field of the security_key_manager.
var uuid
-
The uuid field of the security_key_manager.