Uploading Salesforce Tenant Secrets

Use the post /v1/cckm/sfdc/keys/upload API to upload a Salesforce tenant secret from the source key. This is only for BYOK type tenant secrets. Cache-only keys have a separate API for upload.

Syntax

curl -k '<IP>/api/v1/cckm/sfdc/keys/upload' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n  "organization_id": "<organization-id>",\n  "type": "<type-of-secret>",\n  "source_key_tier": "<source-key-tier>",\n  "source_key_identifier": "<source-key-identifier>",\n  "certificate_id": "<certificate-id>",\n  "key_derivation_mode": "<key-derivation-mode>"\n}' --compressed

Request Parameters

Parameter Type Description
AUTHTOKEN string Authorization token.
certificate_id string ID of the certificate whose public key will be used to encrypt the tenant secret. Use the get /v1/cckm/sfdc/certificates API to view the available certificates and their IDs.
key_derivation_mode string Key derivation mode for the key. The options are:
• PBKDF2
• NONE
organization_id string ID of the Salesforce organization where the tenant secret will be created.
source_key_identifier string ID of the source key that will be uploaded to the Salesforce cloud.
source_key_tier string Tier of the source key. The options are:
• local
• dsm
• hsm-luna
The default tier is local.
type string Type of the Salesforce tenant secret. The type can be:
• Data
• EventBus
• SearchIndex
• DeterministicData
• Analytics

Example Request

curl -k 'https://127.0.0.1/api/v1/cckm/sfdc/keys/upload' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n  "organization_id": "00DB000000040bIMAQ",\n  "type": "Data",\n  "source_key_tier": "local",\n  "source_key_identifier": "123",\n  "certificate_id": "123",\n  "key_derivation_mode": "PBKDF2"\n}' --compressed

Example Response

{
    "byok response": {
        "id": "a2c9f01e-48fd-4a82-bf40-918e581b3255",
        "uri": "kylo:kylo:cckm:Tenant_Secret:a2c9f01e-48fd-4a82-bf40-918e581b3255",
        "account": "kylo:kylo:admin:accounts:kylo",
        "createdAt": "2021-07-03T20:32:31.526936169Z",
        "updatedAt": "2021-07-03T20:32:31.524915269Z",
        "cloud_name": "sfdc",
        "name": "IsaTS",
        "sfdc_organization_id": "00DB000000040bIMAQ",
        "key_type": "byok",
        "error_msg": "",
        "sfdc_params": {
            "salesforce_id": "02GB0000000HYQOMA4",
            "created_by_id": "005B00000021BO4IAM",
            "last_modified_date": "2021-07-03T20:32:31.000+0000",
            "last_modified_by_id": "005B00000021BO4IAM",
            "system_modstamp": "2021-07-03T20:32:31.000+0000",
            "secret_value_hash": "UNKNOWM=",
            "secret_value": "CgMyMzISEK021JIPS7SkAxiHU9zDyqIaMNASJMB5cRR6oGnhj2+6zZkXMAVAtpsb7IFI6jjrhh1a9CIBgAuUlTzR4AtiIuKEig==",
            "version": 2112,
            "status": "ACTIVE",
            "source": "HSM",
            "type": "Data"
        },
        "tenant_secret_backup": {
            "backup_key_name": "00DB000000040bIMAQ:Data:2112:02GB0000000HYQOMA4",
            "backup_key_tier": "local"
        },
        "key_upload_params": {
            "source_key_tier": "local",
            "source_key_id": "626fdff442284cf1ad4b9030c21bfcddb2004e1cfd2b420da7c33d7f50e78c91",
            "source_key_name": "sfdc_key1"
        }
    }
}

The sample output shows that automatic rotation of the specified Salesforce tenant secret is enabled.

Response Codes

Response Code Description
2xx Success
4xx Client errors
5xx Server errors

Refer to HTTP status codes for details.
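
The following Python client is an added example, not part of the original page or of the product's own code. It validates the request fields against the values in the Request Parameters table before sending, verifies the server certificate instead of using curl -k, and cross-checks the response against the request. The function names, the ca_file parameter, and the choice of fields to compare are assumptions; SAMPLE is constructed from the Example Response above.

```python
import json
import ssl
import urllib.request

# Allowed values, copied from the Request Parameters table.
ALLOWED = {
    "type": {"Data", "EventBus", "SearchIndex", "DeterministicData", "Analytics"},
    "source_key_tier": {"local", "dsm", "hsm-luna"},
    "key_derivation_mode": {"PBKDF2", "NONE"},
}
REQUIRED = ("organization_id", "type", "source_key_identifier", "certificate_id",
            "key_derivation_mode")
# Constructed sample: the page's Example Response, trimmed to the checked fields.
SAMPLE = {"byok response": {"key_type": "byok", "error_msg": "",
    "sfdc_organization_id": "00DB000000040bIMAQ", "sfdc_params": {"type": "Data"},
    "key_upload_params": {"source_key_tier": "local"}}}

def build_upload_body(**params):
    """Reject missing or out-of-range fields locally; apply the documented default tier."""
    body = {"source_key_tier": "local", **params}
    missing = [k for k in REQUIRED if not body.get(k)]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    for field, allowed in ALLOWED.items():
        if body[field] not in allowed:
            raise ValueError(f"{field}={body[field]!r} not in {sorted(allowed)}")
    return body

def check_upload_response(body, response):
    """List mismatches between the request and the returned 'byok response' object."""
    r = response.get("byok response", {})
    sfdc, src = r.get("sfdc_params", {}), r.get("key_upload_params", {})
    checks = {
        "error_msg is empty": not r.get("error_msg"),
        "key_type is byok": r.get("key_type") == "byok",
        "organization matches": r.get("sfdc_organization_id") == body["organization_id"],
        "type matches": sfdc.get("type") == body["type"],
        "source tier matches": src.get("source_key_tier") == body["source_key_tier"],
    }
    return [name for name, ok in checks.items() if not ok]

def upload(base_url, token, body, ca_file):
    """POST with certificate verification against ca_file (assumed path), not curl -k."""
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(
        f"{base_url}/api/v1/cckm/sfdc/keys/upload", data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)
```

urlopen raises urllib.error.HTTPError for 4xx and 5xx responses, so a body returned by upload() is always a 2xx result and can be passed straight to check_upload_response().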