
Creating a Dynamic Key Reference (DKR)


Use the post /v1/cckm/sap/dkr API to generate and store a new Dynamic Key Reference (DKR). While creating the DKR, specify the following details.

  • The ID of the encryption key that the DKR references.

  • The name for the DKR. The name must be a string of minimum length 2, containing alphanumeric characters and/or spaces.

  • Whether to allow repointing the DKR to another encryption key and manual key rotation of the encryption key.

This feature is a technical preview for evaluation in non-production environments. A technical preview introduces new, limited functionality for customer feedback as we work on the feature. Details and functionality are subject to change. This includes API endpoints, UI elements, and CLI commands. We cannot guarantee that data created as part of a technical preview will be retained after the feature is finalized.

Syntax

curl -k '<IP>/api/v1/cckm/sap/dkr' -X POST -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n  "sap_key_id": "<sap-key-id>",\n  "name": "<dkr-name>",\n  "allow_underlying_key_exchange": <true|false>\n}' --compressed

Request Parameters

| Parameter | Type | Description |
|---|---|---|
| AUTHTOKEN | string | Authorization token. |
| name | string | Name for the DKR. The name must be a string of minimum length 2, containing alphanumeric characters and/or spaces. |
| sap_key_id | string | Resource ID of the new SAP encryption key that the DKR references. Here, sap_key_id is the resource ID of the SAP key on the CipherTrust Manager. Note that the resource id is different from sap_key_id on SAP. Run the get /v1/cckm/sap/keys API to view the resource ID (id) of the SAP key on the CipherTrust Manager. |
| allow_underlying_key_exchange | boolean | Whether to allow repointing of the DKR to another encryption key and manual key rotation of the encryption key. Set to true to allow, to false to deny. The default value is true. |

Example Request

curl -k 'https://127.0.0.1/api/v1/cckm/sap/dkr' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n  "sap_key_id": "c5ecebd6-f659-470c-bad7-16d61a589626",\n  "name": "DKR-1",\n  "allow_underlying_key_exchange": true\n}' --compressed

Example Response

{
    "id": "46c6696a-f3a5-4aba-96ed-b9a609d497c8",
    "uri": "kylo:kylo:cckm:sap-dkr:46c6696a-f3a5-4aba-96ed-b9a609d497c8",
    "account": "kylo:kylo:admin:accounts:kylo",
    "createdAt": "2023-02-13T05:09:09.235411Z",
    "updatedAt": "2023-02-13T05:09:09.233699Z",
    "cloud_name": "sap",
    "sap_key_name": "Demo-19-10-2022",
    "cckm_group_id": "6140109f-98ed-46aa-b969-3872a76909c3",
    "sap_dkr_param": {
        "allow_underlying_key_exchange": true,
        "meta": {
            "created": "2023-02-13T05:09:09",
            "creatorId": "171cdee5-947e-4bcd-ae0b-562256624904",
            "creatorName": "creator.name@xyz.com"
        },
        "name": "DKR-1",
        "dynamic_key_reference_id": "dkr--b5f081cf-50be-4384-94c7-65007fd1b20b",
        "sap_key_id": "b1101911-960b-4955-8133-20ca4dc6097e"
    }
}

The automatic rotation of the specified SAP key is disabled.
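
The request and response described above, as an added Python example (not Thales code and not part of the original page): it builds the DKR creation request with allow_underlying_key_exchange always sent explicitly, since the documented default is true, and checks that the response stores what was asked for. The function names, the UUID check on sap_key_id and the choice to default the flag to false are assumptions of this example.

```python
import json
import urllib.request
import uuid

API_PATH = "/api/v1/cckm/sap/dkr"  # endpoint path from the page


def build_dkr_request(base_url, token, sap_key_id, name, allow_exchange=False):
    """Build (but do not send) the POST request that creates a DKR."""
    if len(name) < 2:
        raise ValueError("DKR name must be at least 2 characters long")
    # Assumption: resource IDs are UUIDs, as in the page's example request.
    uuid.UUID(sap_key_id)  # raises ValueError on a malformed ID
    body = {
        "sap_key_id": sap_key_id,
        "name": name,
        # Sent explicitly because the documented default is true.
        "allow_underlying_key_exchange": bool(allow_exchange),
    }
    headers = {
        "Authorization": "Bearer " + token,
        "Content-Type": "application/json",
        "accept": "application/json",
    }
    return urllib.request.Request(
        base_url.rstrip("/") + API_PATH,
        data=json.dumps(body).encode("utf-8"),
        headers=headers,
        method="POST",
    )


def check_dkr_response(request, response):
    """Compare the stored DKR with the request; return a list of problems."""
    wanted = json.loads(request.data)
    stored = response.get("sap_dkr_param", {})
    problems = []
    # sap_key_id is not compared: in the page's example the response
    # carries a different value than the resource ID sent in the request.
    for field in ("name", "allow_underlying_key_exchange"):
        if stored.get(field) != wanted[field]:
            problems.append(f"{field}: asked {wanted[field]!r}, got {stored.get(field)!r}")
    if not stored.get("dynamic_key_reference_id"):
        problems.append("dynamic_key_reference_id missing")
    return problems
```

Send the request with urllib.request.urlopen(request), which verifies the server certificate by default, unlike the curl -k form shown above.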

Response Codes

| Response Code | Description |
|---|---|
| 2xx | Success |
| 4xx | Client errors |
| 5xx | Server errors |

Refer to HTTP status codes for details.