Key Export REST Service
Use Key Export REST Service to export secret keys or public/private key pairs. A secret key is a symmetric key. A public/private key pair is an asymmetric key pair with a public key and a private key.
- Operation: PUT
- URL: https://<host>:<port>/SKLM/rest/v1/keys/export
By default, Guardium® Key Lifecycle Manager server listens to non-secure port 9080 (HTTP) and secure port 9443 (HTTPS) for communication. During IBM® Security Guardium Key Lifecycle Manager installation, you can modify these default ports.
Note: The non-secure port 9080 is not applicable when IBM Security Guardium Key Lifecycle Manager is deployed in a containerized environment.
Request
Request Parameters
Parameter | Description |
---|---|
host | Specify the IP address or host name of the IBM Security Guardium Key Lifecycle Manager server. |
port | Specify the port number on which the IBM Security Guardium Key Lifecycle Manager server listens for requests. |
Request Headers
Header name | Value |
---|---|
Content-Type | application/json |
Accept | application/json |
Authorization | SKLMAuth userAuthId=<authIdValue> |
Accept-Language | Any valid locale that is supported by IBM Security Guardium Key Lifecycle Manager. For example: en or de |
Request body
JSON object with the following specification:
Property name | Description |
---|---|
alias | Specifies an alias of the key that you export. This parameter is required if a value is not specified for the aliasRange parameter. For a privatekey type, a value for alias is required. For a secretkey type, you must specify a value for either alias or aliasRange. |
aliases | This parameter is required if values are not specified for the alias and aliasRange parameters. Specify comma-separated alias values for the keys that you want to export. |
aliasRange | This parameter is required if a value is not specified for the alias parameter. When the value of alias is specified, the value of aliasRange is ignored. To export a secret key, specify a three character prefix followed by a range of numbers in hexadecimal format. You can use the characters 0 through 9 and a through f. You can specify the range only for secret keys. |
fileName | Specify the name of the file in which the exported key is stored. The file is stored in the SKLM_DATA directory. You can specify a directory path along with the file name as the value. If you specify the directory path, the file is stored in the path relative to the SKLM_DATA directory. For example, if you specify the value as export1/exportedKeys, then the exported key file is stored in the following path:
|
keyAlias | This parameter is required if the exported key is a secret key. Specify the alias of the public key entry in the keystore that is used to encrypt the secret key or keys to the file. Only the holder of the corresponding private key can access the keys. |
password | This parameter is required if the value of the type parameter is privatekey. Specify a password to protect the PKCS#12 file to which the private key and certificate are exported. You might need to retain the value of the password to import the key. |
type | Specifies whether the keys are secret or private.
|
Response
Response Headers
Header name | Value and description |
---|---|
Status Code |
|
Content-Type | application/json |
Content-Language | Locale for the response message. |
Success response body
JSON object with the following specification:
JSON property name | Description |
---|---|
status | Returns the status to indicate whether the key is exported with an appropriate message. |
Error Response Body
JSON object with the following specification.
JSON property name | Description |
---|---|
code | Returns the application error code. |
message | Returns a message that describes the error. |
Examples
- Service request to export a private key
    PUT https://localhost:<port>/SKLM/rest/v1/keys/export
    Content-Type: application/json
    Accept: application/json
    Authorization: SKLMAuth userAuthId=139aeh34567m
    {"alias":"sklmCertificate","fileName":"myprivatekeys","type":"privatekey","password":"mypassword"}
- Service request to export a secret key
    PUT https://localhost:<port>/SKLM/rest/v1/keys/export
    Content-Type: application/json
    Accept: application/json
    Authorization: SKLMAuth userAuthId=139aeh34567m
    {"aliasRange":"def0-3","fileName":"mysecretkeys","type":"secretkey","keyAlias":"sklmCertificate"}
- Service request to export multiple secret keys
    PUT https://localhost:<port>/SKLM/rest/v1/keys/export
    Content-Type: application/json
    Accept: application/json
    Authorization: SKLMAuth userAuthId=139aeh34567m
    {"aliases":"abc1,abc3","fileName":"mysecretkeys","type":"secretkey","keyAlias":"sklmCertificate"}
- Service request to export multiple private keys
    PUT https://localhost:<port>/SKLM/rest/v1/keys/export
    Content-Type: application/json
    Accept: application/json
    Authorization: SKLMAuth userAuthId=139aeh34567m
    {"aliases":"abc1,abc3","fileName":"myprivatekeys","type":"privatekey","password":"mypassword"}
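The parameter rules from the request-body table, expressed as a client-side check that runs before the PUT is sent. This is an added example, not IBM code: the function names, the aliasRange pattern, the alias-before-aliases precedence and the acceptance of `aliases` for private keys (as the page's last example does) are assumptions, and the request is built but not sent.

```python
import json
import re
import urllib.request

# Assumed reading of "three character prefix followed by a range of numbers in
# hexadecimal format", matching the page's sample value "def0-3".
ALIAS_RANGE = re.compile(r"^.{3}[0-9a-f]+-[0-9a-f]+$")


def build_export_body(key_type, file_name, alias=None, aliases=None,
                      alias_range=None, key_alias=None, password=None):
    """Return the JSON body dict, or raise ValueError if a documented rule is broken."""
    if key_type not in ("privatekey", "secretkey"):  # the two values used on the page
        raise ValueError("type must be privatekey or secretkey")
    body = {"type": key_type, "fileName": file_name}
    if key_type == "privatekey":
        if alias_range:
            raise ValueError("aliasRange is only valid for secret keys")
        if not (alias or aliases):
            raise ValueError("privatekey export needs alias or aliases")
        if not password:
            raise ValueError("privatekey export needs a password for the PKCS#12 file")
        body["password"] = password
    else:
        if not (alias or aliases or alias_range):
            raise ValueError("secretkey export needs alias, aliases or aliasRange")
        if not key_alias:
            raise ValueError("secretkey export needs keyAlias (wrapping public key)")
        body["keyAlias"] = key_alias
    # alias wins over aliasRange (documented); alias over aliases is assumed here.
    if alias:
        body["alias"] = alias
    elif aliases:
        body["aliases"] = ",".join(aliases)
    else:
        if not ALIAS_RANGE.match(alias_range):
            raise ValueError("aliasRange must look like def0-3")
        body["aliasRange"] = alias_range
    return body


def build_export_request(host, port, auth_id, body):
    """Build (not send) the PUT request; the URL is always the HTTPS listener."""
    url = f"https://{host}:{port}/SKLM/rest/v1/keys/export"
    headers = {"Content-Type": "application/json", "Accept": "application/json",
               "Authorization": f"SKLMAuth userAuthId={auth_id}"}
    return urllib.request.Request(url, data=json.dumps(body).encode(),
                                  headers=headers, method="PUT")
```

For a privatekey export the body carries the PKCS#12 password in clear, so keep request bodies out of client and proxy logs.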
Date | Change description |
---|---|
25 Aug 2021 | Corrected the description of the fileName property. |
08 Dec 2020 | Initial version. |