Updating a DKE Endpoint
Use the PATCH /v1/cckm/microsoft/dke/endpoints/{id} API to update the attributes of a Microsoft DKE endpoint.
Syntax
curl -k 'https://<CCKM IP address>/api/v1/cckm/microsoft/dke/endpoints/{id}' -X PATCH -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "name": "<unique_name_dke_endpoint>",\n "description": "dke_endpoint_description",\n "key_uri_hostname": "base_url_hostname_for_key_uri",\n "algorithm": "<dke_key_algorithm>",\n "enable_success_audit_event": <true|false>,\n "meta": {\n "color": "small",\n "size": "red"\n },\n "authorization_params": {\n "valid_issuers": [\n "<valid_issuer_for_dke_endpts>/"\n ],\n "authorization_type": "email",\n "email_authz_params": {\n "authorized_email_addresses": [\n "<authorized_email_address_1>",\n "<authorized_email_address_2>"\n ]\n }\n }\n}' --compressed
Here, {id} is the ID of the DKE endpoint. The -k option makes curl skip TLS certificate verification; omit it when the CCKM presents a certificate that the client trusts.
Request Parameters
| Parameter | Type | Description |
|---|---|---|
| AUTHTOKEN | string | Authorization token. |
| name | string | Unique name for the endpoint. |
| connection | string | ID of the Azure connection. Mandatory for role-based authorization (that is, when role_authz_params is set). Refer to DKE Authorization Parameters. |
| description | string | Description for the endpoint. |
| key_uri_hostname | string | Base URL hostname for the key URI. |
| algorithm | string | DKE key algorithm. The only option currently supported is RSA_DECRYPT_OAEP_2048_SHA256, which is the default value. |
| enable_success_audit_event | boolean | Enable or disable audit recording of successful operations. Default value is true. |
| meta | JSON | Additional information associated with this endpoint. |
| authorization_params | JSON | DKE authorization parameters. Refer to DKE Authorization Parameters for details. |
DKE Authorization Parameters
| Parameter | Type | Description |
|---|---|---|
| authorization_type | string | Authorization type for the DKE key: email or role. |
| email_authz_params | string | Parameters for email-based authorization. Required field, if authorization_type is email. |
| authorized_email_addresses | string | Allowed email addresses. Required field, if authorization_type is email. |
| role_authz_params | string | Parameters for role-based authorization. Required field, if authorization_type is set to role. Also, specify connection. Refer to Request Parameters. |
| authorized_roles | string | Allowed roles in active directory. Required field, if authorization_type is set to role. |
| valid_issuers | string | A valid issuer for the DKE endpoint. For example, https://sts.windows.net/<Azure tenant ID>/. This issuer must match the issuer within the JWT that the CCKM receives. |
Note
The wildcards '*' and '?' are supported in email addresses. The following are examples of supported wildcard formats:
- abc*@gmail.com: supports any email that starts with abc and ends with "@gmail.com".
- abc@?.com: supports any email that starts with abc, contains "@" followed by at least one character, and ends with ".com".
- abc@?.?*: supports any email that starts with abc, contains "@" followed by at least one character, followed by the dot character (.), and ends with at least one character.
- ?*@gmail.com: supports any email that starts with at least one character and ends with "@gmail.com".
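The following Python pre-flight check is an added example, not part of the product or its documentation. It applies the required-field rules from the tables above to an update body and flags authorized_email_addresses patterns whose wildcards cover every mailbox at a domain or any domain. The function names, the breadth rules, and the sample body are assumptions made for illustration.

```python
SUPPORTED_ALGORITHM = "RSA_DECRYPT_OAEP_2048_SHA256"  # only value the page lists
WILDCARDS = set("*?")

def lint_email_pattern(pattern):
    """Flag authorized_email_addresses entries whose wildcards are very broad."""
    local, sep, domain = pattern.rpartition("@")
    if not sep or not local or not domain:
        return [f"{pattern!r}: not in local@domain form"]
    findings = []
    if WILDCARDS & set(domain):    # e.g. abc@?.?* authorizes abc at any domain
        findings.append(f"{pattern!r}: wildcard in domain part")
    if set(local) <= WILDCARDS:    # e.g. ?*@gmail.com authorizes every mailbox
        findings.append(f"{pattern!r}: local part is only wildcards")
    return findings

def check_dke_update(body):
    """Return problems found in a DKE endpoint PATCH body (empty list = none)."""
    problems = []
    if body.get("algorithm", SUPPORTED_ALGORITHM) != SUPPORTED_ALGORITHM:
        problems.append("algorithm: unsupported value")
    authz = body.get("authorization_params")
    if authz is None:  # assumption: an update may leave authorization unchanged
        return problems
    kind = authz.get("authorization_type")
    if kind == "email":
        emails = (authz.get("email_authz_params") or {}).get("authorized_email_addresses") or []
        if not emails:
            problems.append("authorized_email_addresses: required for email authorization")
        for pattern in emails:
            problems.extend(lint_email_pattern(pattern))
    elif kind == "role":
        roles = (authz.get("role_authz_params") or {}).get("authorized_roles") or []
        if not roles:
            problems.append("authorized_roles: required for role authorization")
        if not body.get("connection"):
            problems.append("connection: required for role-based authorization")
    else:
        problems.append(f"authorization_type: expected 'email' or 'role', got {kind!r}")
    return problems

# Constructed sample body (addresses are illustrative, not from a real deployment).
SAMPLE = {
    "authorization_params": {
        "authorization_type": "email",
        "email_authz_params": {"authorized_email_addresses": [
            "maria@example.com", "?*@gmail.com", "abc@?.?*"]},
    },
}
print("\n".join(check_dke_update(SAMPLE)))
```

Running the check before the PATCH request keeps an over-broad pattern from silently widening who can use the DKE key.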
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/microsoft/dke/endpoints/f222ffdf-80e1-4fd5-8f17-1b60a26dba5d' -X PATCH -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI1ZTc3Y2Q3NC0wMmVhLTRhNzYtODIzMi1hNDY4YTg1MGQwM2UiLCJzdWIiOiJsb2NhbHw0ODMyZDM4ZS04YzdhLTRiMjYtYTc5Ni1kNjk3NWQyOTg2ZGIiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJjbGllbnRfdHlwZSI6InVucmVnaXN0ZXJlZCIsImRvbWFpbl9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCIsImdyb3VwcyI6WyJhZG1pbiJdLCJzaWQiOiIzMGJiZTYxNS1hNWQzLTQwNzAtYTNjYi01NDA0Y2YzMmE5OTYiLCJ6b25lX2lkIjoiMDAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMDAwMDAwIn0sImp3dGlkIjoiZDY2OGQ4ZWYtNTFkNS00N2Y0LWIzMTUtNDZjNmU1ZDA0ZDM5IiwiaWF0IjoxNjkyOTI1NjYxLCJleHAiOjE2OTI5MjU5NjF9.7-XtqNCuErnxpGbz5IkT6Il3gF7Xzk8ic0Sgch5CHXs' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "name": "updated_ep_name",\n "description": "updated demo dke endpoint 7",\n "key_uri_hostname": "test.com",\n "algorithm": "RSA_DECRYPT_OAEP_2048_SHA256",\n "meta": {\n "color": "small",\n "size": "blue"\n },\n "authorization_params": {\n "valid_issuers": [\n "https://sts.windows.net/9c99431e-b513-44be-a7d9-e7b500002dbc"\n ],\n "authorization_type": "email",\n "email_authz_params": {\n "authorized_email_addresses": [\n "maria_updated@test.com",\n "mark_updated@test.com"\n ]\n }\n }\n}' --compressed
This example request updates the attributes of the DKE endpoint with the ID f222ffdf-80e1-4fd5-8f17-1b60a26dba5d so that it now uses maria_updated@test.com and mark_updated@test.com as the authorized email addresses and updated demo dke endpoint 7 as the revised description for the endpoint. Also, the valid issuer is now revised to https://sts.windows.net/9c99431e-b513-44be-a7d9-e7b500002dbc/.
Example Response
{
  "id": "f222ffdf-80e1-4fd5-8f17-1b60a26dba5d",
  "uri": "kylo:kylo:cckm:kylo:kylo:cckm:dke-endpoint:f222ffdf-80e1-4fd5-8f17-1b60a26dba5d",
  "account": "kylo:kylo:admin:accounts:kylo",
  "createdAt": "2023-08-25T00:36:13.31051Z",
  "updatedAt": "2023-08-25T01:09:48.069728Z",
  "name": "updated_ep_name",
  "description": "updated demo dke endpoint 7",
  "key_uri_hostname": "test.com",
  "key_uri": "https://test.com/api/v1/cckm/microsoft/dke-data-plane/endpoints/f222ffdf-80e1-4fd5-8f17-1b60a26dba5d/keys/ks-a7b4205513964e498f9f78ccb1a58a1a2518aae0a9a94b6c929a58402a231148",
  "kek_name": "ks-a7b4205513964e498f9f78ccb1a58a1a2518aae0a9a94b6c929a58402a231148",
  "kek_id": "5c5f9911c9394e41b0060494ea34a65b778aaa059fff4d18914f9733777df7b8",
  "kek_uuid": "44034cb3-f94e-4239-b1fe-93dade5f38e6",
  "meta": {
    "color": "small",
    "size": "blue"
  },
  "enabled": false,
  "kek_version": "1",
  "key_type": "asymmetric",
  "algorithm": "RSA_DECRYPT_OAEP_2048_SHA256",
  "enable_success_audit_event": true,
  "authorization_params": {
    "valid_issuers": [
      "https://sts.windows.net/9c99431e-b513-44be-a7d9-e7b500002dbc/"
    ],
    "authorization_type": "email",
    "email_authz_params": {
      "authorized_email_addresses": [
        "maria_updated@test.com",
        "mark_updated@test.com"
      ]
    },
    "role_authz_params": {
      "authorized_roles": [
        "role_1",
        "role_2"
      ]
    }
  },
  "auto_rotate": false,
  "status": "Enabled",
  "connection": "4c36532f-53c9-4a9e-95e5-91b5f52a04c6"
}
This sample output shows that the attributes of the DKE endpoint with the ID f222ffdf-80e1-4fd5-8f17-1b60a26dba5d are updated to now use maria_updated@test.com and mark_updated@test.com as the authorized email addresses and updated demo dke endpoint 7 as the revised description for the endpoint. Also, the valid issuer is now revised to https://sts.windows.net/9c99431e-b513-44be-a7d9-e7b500002dbc/.
Response Codes
| Response Code | Description |
|---|---|
| 2xx | Success |
| 4xx | Client errors |
| 5xx | Server errors |
Refer to HTTP status codes for details.