Key Export REST Service

Use Key Export REST Service to export secret keys or public/private key pairs. A secret key is a symmetric key. A public/private key pair is an asymmetric key pair with a public key and a private key.

Operation: PUT
URL: https://<host>:<port>/SKLM/rest/v1/keys/export

By default, Guardium® Key Lifecycle Manager server listens to non-secure port 9080 (HTTP) and secure port 9443 (HTTPS) for communication. During IBM® Security Guardium Key Lifecycle Manager installation, you can modify these default ports.

Note: The non-secure port 9080 is not applicable when IBM Security Guardium Key Lifecycle Manager is deployed in a containerized environment.

Request

Request Parameters

Parameter	Description
host	Specify the IP address or host name of the IBM Security Guardium Key Lifecycle Manager server.
port	Specify the port number on which the IBM Security Guardium Key Lifecycle Manager server listens for requests.

Request Headers

Header name	Value
Content-Type	`application/json`
Accept	`application/json`
Authorization	`SKLMAuth userAuthId=<authIdValue>`
Accept-Language	Any valid locale that is supported by IBM Security Guardium Key Lifecycle Manager. For example: `en` or `de`

Request body

JSON object with the following specification:

Property name	Description
alias	Specifies an alias of the key that you export. This parameter is required if a value is not specified for the aliasRange parameter. For a `privatekey` type, a value for alias is required. For a `secretkey` type, you must specify a value for either alias or aliasRange.
aliases	This parameter is required if values are not specified for the alias and aliasRange parameters. Specify comma-separated alias values for the keys that you want to export.
aliasRange	This parameter is required if a value is not specified for the alias parameter. When the value of alias is specified, the value of aliasRange is ignored. To export a secret key, specify a three character prefix followed by a range of numbers in hexadecimal format. You can use the characters `0` through `9` and `a` through `f`. You can specify the range only for secret keys.
fileName	Specify the name of the file in which the exported key is stored. The file is stored in the `SKLM_DATA` directory. You can specify a directory path along with the file name as the value. If you specify the directory path, the file is stored in the path relative to the `SKLM_DATA` directory. For example, if you specify the value as export1/exportedKeys, then the exported key file is stored in the following path: Windows C:\Program Files\IBM\WebSphere\AppServer\products\sklm\data\export1\exportedKeys Linux® /opt/IBM/WebSphere/AppServer/products/sklm/data/export1/exportedKeys
keyAlias	This parameter is required if the exported key is a secret key. Specify the alias of the public key entry in the keystore that is used to encrypt the secret key or keys to the file. Only the holder of the corresponding private key can access the keys.
password	This parameter is required if the value of the type parameter is `privatekey`. Specify a password to protect the PKCS#12 file to which the private key and certificate are exported. You might need to retain the value of the password to import the key.
type	Specifies whether the keys are secret or private. secretkey Specifies a symmetric key. privatekey Specifies an asymmetric key in a key pair with a public key and a private key. If you select this value, a password is required. If you export private keys to a `PKCS#12` file, ensure that the file with the key is wrapped; use a FIPS-approved method before the file leaves the computer.

Response

Response Headers

Header name	Value and description
Status Code	200 OK The request was successful. The response body contains the requested representation. 400® Bad Request The authentication information was not provided in the correct format. 401 Unauthorized The authentication credentials were missing or incorrect. 404 Not Found Error The processing of the request fails. 500 Internal Server Error The processing of the request fails because of an unexpected condition on the server.
Content-Type	`application/json`
Content-Language	Locale for the response message.

Success response body

JSON object with the following specification:

JSON property name	Description
status	Returns the status to indicate whether the key is exported with an appropriate message.

Error Response Body

JSON object with the following specification.

JSON property name	Description
code	Returns the application error code.
message	Returns a message that describes the error.

Examples

Service request to export a private key

PUT https://localhost:<port>/SKLM/rest/v1/keys/export
Content-Type: application/json
Accept: application/json
Authorization: SKLMAuth userAuthId=139aeh34567m
{"alias":"sklmCertificate","fileName":"myprivatekeys","type":
"privatekey",
"password":"mypassword"}

Success response

Status Code : 200 OK
{"code":"0","status":"Succeeded"}

Service request to export a secret key

PUT https://localhost:<port>/SKLM/rest/v1/keys/export
Content-Type: application/json
Accept: application/json
Authorization: SKLMAuth userAuthId=139aeh34567m
{"aliasRange":"def0-3","fileName":"mysecretkeys","type":"secretkey",
"keyAlias":"sklmCertificate"}

Success Response

Status Code : 200 OK
{"status":"Exported Successfully"}

Error response

 Status Code : 400 Bad Request
{"code":"CTGKM0742E","message":"CTGKM0742E Key type not valid: 
key."}

Service request to export multiple secret keys

PUT https://localhost:<port>/SKLM/rest/v1/keys/export
Content-Type: application/json
Accept: application/json
Authorization: SKLMAuth userAuthId=139aeh34567m
{"aliases" : "abc1,abc3","fileName":"mysecretkeys","type":"secretkey",
"keyAlias":"sklmCertificate"}

Success Response

Status Code : 200 OK
{"code":"CTGKM3328I","status":"CTGKM3328I Export of keys successfully finished."}

Error response

 Status Code : 400 Bad Request
{"code":"CTGKM0742E","message":"CTGKM0742E Key type not valid: 
key."}

Service request to export multiple private keys

PUT https://localhost:<port>/SKLM/rest/v1/keys/export
Content-Type: application/json
Accept: application/json
Authorization: SKLMAuth userAuthId=139aeh34567m
{"aliases" : "abc1,abc3","fileName":"myprivatekeys","type":"privatekey","password":"mypassword"}

Success Response

Status Code : 200 OK
{"code":"CTGKM3328I","status":"CTGKM3328I Export of keys successfully finished."}

Error response

 Status Code : 400 Bad Request
{"code":"CTGKM0742E","message":"CTGKM0742E Key type not valid: 
key."}

Date	Change description
25 Aug 2021	Corrected the description of the fileName property.
08 Dec 2020	Initial version.