Key Import REST Service

Edit online

Use the Key Import REST Service to import secret keys or public/private key pairs. A secret key is a symmetric key. A public/private key pair is an asymmetric key pair that contains a public key and a private key. The private key file is in PKCS#12 format.

To import secret keys, the import file might contain multiple keys. Each key contains the required alias value for that key. The import file must be generated by a previous Key Export REST Service.
Operation
POST
URL
https://host:port/GKLM/rest/v1/keys/import

By default, IBM® Guardium® Key Lifecycle Manager server listens to the secure port 9443 (HTTPS) for communication. During IBM Guardium Key Lifecycle Manager installation, you can modify this default port.

Request

Request Parameters
Parameter Description
host Specify the IP address or hostname of the IBM Guardium Key Lifecycle Manager server.
port Specify the port number on which the IBM Guardium Key Lifecycle Manager server listens for requests.
Request Headers
Header name Value
Content-Type application/json
Accept application/json
Authorization SKLMAuth userAuthId=<authIdValue>
Accept-Language Any valid locale that is supported by IBM Guardium Key Lifecycle Manager. For example, en or de.
Request body

JSON object with the following specification:
Property name Description
alias Required parameter in the following scenarios:
  • If the value of the type attribute is secretkey and you want to rename the key with the newAlias parameter during the import process.

    Specify a value for this parameter if you want to import a specific secret key from a keystore file that has multiple secret keys.

  • If the value of the type attribute is privatekey and if the keystore file contains multiple private keys.

This parameter is not required when the keystore file contains only one private key. If you specify a value, it is ignored.

fileName Required. Specify the path and file name of the file from which the keys are imported.
keyAlias This parameter is required if the value of the type attribute is secretkey. Specify the alias of the private key entry in the keystore that decrypts the secret key or keys, from the file. Use the same alias value to import and export a secret key or keys.
newAlias Specify a new value for the key alias.
password This parameter is required if the type parameter is privatekey. This password was previously specified with the Key Export REST Service. If you export private keys to a PKCS#12 file, ensure that the file with the key is wrapped with a FIPS-approved method before the file leaves the computer.
type Specify whether the keys are secret or private.
secretkey
Specifies a symmetric key.

If you select this value, specify a value for the usage attribute for an endpoint family that administers keys.

privatekey
Specifies an asymmetric key in a key pair with a public key and a private key.
If you select this value, specify a value for the usage attribute for an endpoint (device group) that administers keys. You can specify any of the following values:
  • SSLCLIENT
  • SSLSERVER
usage Specify the target application usage such as LTO endpoint (device group). You can specify the following values:
LTO™
Specifies the LTO endpoint (device group).
3592
Specifies the 3592 endpoint (device group).
DS5000
Specifies the DS5000 endpoint (device group).
DS8000®
Specifies the DS8000 endpoint (device group).
BRCD_ENCRYPTOR
Specifies the BRCD_ENCRYPTOR endpoint (device group) that is in the LTO endpoint family.
ONESECURE
Specifies the ONESECURE endpoint (device group) that is in the DS5000 endpoint family.
usage
ETERNUS_DX
Specifies the ETERNUS_DX endpoint that is in the DS5000 endpoint family.
XIV®
Specifies the IBM Spectrum® Accelerate (previously known as XIV) endpoint.
GPFS
Specifies the IBM Spectrum Scale (previously known as GPFS) endpoint.
PEER_TO_PEER
Specifies the PEER_TO_PEER endpoint (device group).
DS8000_TCT
Specifies the DS8000_TCT endpoint (device group) that is in the GPFS endpoint family.
usage
GENERIC
Specifies an endpoint family that uses the Key Management Interoperability Protocol to interact with IBM Guardium Key Lifecycle Manager. The GENERIC endpoint (device group) enables management of KMIP objects

Do not use the REST interface to add a device to the GENERIC endpoint (device group), or to change a GENERIC endpoint (device group) attribute.

SSLCLIENT
Client-side certificate that is used in secure communication by using Transport Layer Security protocol to authenticate the client device.
SSLSERVER
Server-side certificate that is used in secure communication by using Transport Layer Security protocol.
ETERNUS_DX
Specifies the ETERNUS_DX endpoint (device group) that is in the DS5000 endpoint family.
XIV
Specifies the XIV endpoint (device group) that is in the DS5000 endpoint (device group) family.
userendpoint
Specifies a user-defined endpoint that is based on a supported endpoint family.

Response

Response Headers
Header name Value and description
Status Code
200 OK
The request was successful. The response body contains the requested representation.
400® Bad Request
The authentication information was not provided in the correct format.
401 Unauthorized
The authentication credentials were missing or incorrect.
404 Not Found Error
The processing of the request fails.
500 Internal Server Error
The processing of the request fails because of an unexpected condition on the server.
Content-Type application/json
Content-Language Locale for the response message.
Success response body for privatekey type

JSON object with the following specification:
JSON property name Description
code Returns an integer value such as 0 to indicate the key import status.
status Returns the status to indicate that the key import task is succeeded.
Success response body for secretkey type

JSON array that contains JSON objects with the following specification:
JSON property name Description
ImportedKeys JSON array that contains JSON objects with a list of imported keys. If no keys are imported, an empty list is returned.
ExistingKeys JSON array that contains JSON objects with a list of duplicate keys. If there are no duplicate keys, an empty list is returned.
FailedToImportKeys JSON array that contains JSON objects with a list of failed keys. If there are no failed keys, an empty list is returned.
Error Response Body

JSON object with the following specification.
JSON property name Description
code Returns the application error code.
message Returns a message that describes the error.

Examples

Service request to import a symmetric key (secretkey type)
POST https://localhost:port/GKLM/rest/v1/keys/import
Content-Type: application/json
Accept: application/json
Authorization: SKLMAuth userAuthId=139aeh34567m
{"keyAlias":" sklmCertificate", "alias":"xyz000000000000000000","newAlias":"ayz000000000000000000","type":"secretkey","fileName":
"mykey","usage":"LTO"}
Success response
 Status Code : 200 OK
{"ImportedKeys":[{"KeyAlias":"ayz000000000000000000"}],
"ExistingKeys":[],"FailedToImportKeys":[]}
Service request to import a private key (privatekey type)
POST https://localhost:port/GKLM/rest/v1/keys/import
Content-Type: application/json
Accept: application/json
Authorization: SKLMAuth userAuthId=139aeh34567m
{"type":"privatekey","fileName":"mykey","usage":"SSLSERVER","password":"mypassword","newAlias":"mykey"}
Success response
Status Code : 200 OK
{"code":"0","status":"Succeeded"}
Service request to import multiple private keys (privatekey type)
POST https://localhost:port/GKLM/rest/v1/keys/import 
Content-Type: application/json
Accept: application/json
Authorization: SKLMAuth userAuthId=139aeh34567m
{"type":"privatekey","fileName":"mykey","usage":"3592","password":"mypassword","alias":"abc1","newAlias":"mykey"}
Success response
Status Code : 200 OK
{"code":"0","status":"Succeeded"}
Error response for an invalid request
POST https://localhost:port/GKLM/rest/v1/keys/import
Content-Type: application/json
Accept: application/json
Authorization: SKLMAuth userAuthId=139aeh34567m{"type":"privatekey",
"fileName":"privatekeys","usage":"3592","password":"your_sklmadmin_password","newAlias":"mykey"}
Error response
Status Code : 500 Internal Server Error
{"code":"CTGKM3306E","message":"CTGKM3306E 
Multiple aliases found in the file. Please mention the alias to be imported."}