Enabling Key-Rotation Schedule for DKE Endpoint
Use the post /v1/cckm/microsoft/dke/endpoints/{id}/enable-key-rotation-job API to enable a key-rotation schedule for a Microsoft DKE endpoint. Specify the following:
- ID of the DKE endpoint
- ID of the job scheduler associated with the rotation schedule
Create a DKE endpoint and job scheduler before enabling a key-rotation schedule.
As part of enabling a key-rotation schedule for a given DKE endpoint, the auto_rotate parameter in this endpoint is set to true to reflect that key auto-rotation is now enabled. Also, the labels and job_config_id parameters are added to the endpoint to reflect the associated scheduled key rotation.
To create a job scheduler, use the post /v1/scheduler/job-configs API with the operation parameter set to cckm_key_rotation, along with the following request parameters:
- start_date
- run_at
- cloud_name of Microsoft DKE (as part of the cckm_key_rotation_params parameter)
For more information about the post /v1/scheduler/job-configs API, refer to Scheduling Key Rotation and Auto Rotation of Credentials.
Note
If the endpoint is in an archived state, you cannot run the post /v1/cckm/microsoft/dke/endpoints/{id}/enable-key-rotation-job API on it.
Syntax
curl -k 'https://<CCKM IP address>/api/v1/cckm/microsoft/dke/endpoints/<id>/enable-key-rotation-job' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "job_config_id": "<job_config_id>"\n}' --compressed
Here, <id> is the ID of the DKE endpoint.
Request Parameter
| Parameter | Type | Description |
|---|---|---|
| AUTHTOKEN | string | Authorization token. |
| id | string | ID of the DKE endpoint. |
| job_config_id | string | ID of the scheduler job that will perform the rotation of the DKE endpoint. |
Example Request
curl -k 'https://10.171.15.127/api/v1/cckm/microsoft/dke/endpoints/df16d580-2a45-425f-a093-6bb228d895a8/enable-key-rotation-job' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "job_config_id": "0a47cc10-e4ad-4bbc-8ab2-5fdce92841cb"\n}' --compressed
Example Response
{
    "id": "df16d580-2a45-425f-a093-6bb228d895a8",
    "uri": "kylo:kylo:cckm:kylo:kylo:cckm:dke-endpoint:df16d580-2a45-425f-a093-6bb228d895a8",
    "account": "kylo:kylo:admin:accounts:kylo",
    "createdAt": "2023-10-17T22:43:05.62669Z",
    "labels": {
        "job_config_id": "0a47cc10-e4ad-4bbc-8ab2-5fdce92841cb"
    },
    "updatedAt": "2023-10-17T22:55:52.774513Z",
    "name": "dke_endpoint_7",
    "description": "demo dke endpoint 7",
    "key_uri_hostname": "dke.thales.com",
    "key_uri": "https://dke.thales.com/api/v1/cckm/microsoft/dke-data-plane/endpoints/df16d580-2a45-425f-a093-6bb228d895a8/keys/ks-9fff09ff91794c7da39af2b2cbdaaa1db578e351be1d472ca90b20e155d67024",
    "kek_name": "ks-9fff09ff91794c7da39af2b2cbdaaa1db578e351be1d472ca90b20e155d67024",
    "kek_id": "9fff09ff91794c7da39af2b2cbdaaa1db578e351be1d472ca90b20e155d67024",
    "kek_uuid": "bc7ef83d-9671-43e4-8394-c1c8f656a80f",
    "meta": {
        "size": "big",
        "color": "blue"
    },
    "kek_version": "0",
    "key_type": "asymmetric",
    "algorithm": "RSA_DECRYPT_OAEP_2048_SHA256",
    "authorization_params": {
        "valid_issuers": [
            "https://sts.windows.net/9c99431e-b513-44be-a7d9-e7b500002d4b/"
        ],
        "authorization_type": "email",
        "email_authz_params": {
            "authorized_email_addresses": [
                "richard-roe@google.com",
                "john-doe@yahoo.com"
            ]
        },
        "role_authz_params": {}
    },
    "enable_success_audit_event": true,
    "auto_rotate": true,
    "status": "Enabled"
}
The sample output shows that the key-rotation schedule is successfully enabled for the DKE endpoint with the ID df16d580-2a45-425f-a093-6bb228d895a8, using the job_config_id 0a47cc10-e4ad-4bbc-8ab2-5fdce92841cb. Note that the auto_rotate parameter is set to true.
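The following is an added example, not part of the product documentation: it builds the same request in Python with certificate verification instead of curl's -k, and checks that the returned endpoint shows the schedule as enabled (auto_rotate true, labels.job_config_id matching). The function names, the host cckm.example.com and the CA bundle path are assumptions for illustration.

```python
import json
import ssl
import urllib.parse
import urllib.request

API_PATH = "/api/v1/cckm/microsoft/dke/endpoints/{id}/enable-key-rotation-job"

def build_request(host, endpoint_id, job_config_id, token):
    """Build the POST request; nothing is sent until send() is called."""
    # Percent-encode the ID so it cannot alter the request path.
    path = API_PATH.format(id=urllib.parse.quote(endpoint_id, safe=""))
    body = json.dumps({"job_config_id": job_config_id}).encode()
    headers = {
        "Authorization": "Bearer " + token,
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    return urllib.request.Request("https://" + host + path, data=body,
                                  headers=headers, method="POST")

def send(request, ca_file):
    """Send with TLS verification against ca_file (assumed CA bundle path).
    A 4xx or 5xx response raises urllib.error.HTTPError."""
    context = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(request, context=context, timeout=30) as resp:
        return json.load(resp)

def rotation_problems(endpoint, endpoint_id, job_config_id):
    """Return reasons the response does not show the schedule as enabled."""
    problems = []
    if endpoint.get("id") != endpoint_id:
        problems.append("response is for a different endpoint")
    if endpoint.get("auto_rotate") is not True:
        problems.append("auto_rotate is not true")
    if (endpoint.get("labels") or {}).get("job_config_id") != job_config_id:
        problems.append("labels.job_config_id does not match the requested job")
    return problems

# Constructed sample: fields trimmed from the example response on this page.
SAMPLE = {
    "id": "df16d580-2a45-425f-a093-6bb228d895a8",
    "labels": {"job_config_id": "0a47cc10-e4ad-4bbc-8ab2-5fdce92841cb"},
    "auto_rotate": True,
    "status": "Enabled",
}

if __name__ == "__main__":
    job = SAMPLE["labels"]["job_config_id"]
    req = build_request("cckm.example.com", SAMPLE["id"], job, "AUTHTOKEN")
    print(req.get_method(), req.full_url)
    print(rotation_problems(SAMPLE, SAMPLE["id"], job))
```

An empty list from rotation_problems means the response matches what the documentation describes for an enabled schedule.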
Response Codes
| Response Code | Description |
|---|---|
| 2xx | Success |
| 4xx | Client errors |
| 5xx | Server errors |
Refer to HTTP status codes for details.