Pending Client Certificate List REST Service

Use the Pending Client Certificate List REST Service to list pending certificates that are pushed to the server from a client device for secure communication with IBM® Security Guardium® Key Lifecycle Manager.

Acceptance marks the certificate as trusted and allows the client device to establish secure communication with IBM Security Guardium Key Lifecycle Manager. The certificate is added to the keystore. Rejection removes the certificate from the pending list and prevents its use for secure communication between the device and the server.
Operation
GET
URL
https://<host>:<port>/SKLM/rest/v1/pendingClientCertificates
By default, the Guardium Key Lifecycle Manager server listens on non-secure port 9080 (HTTP) and secure port 9443 (HTTPS) for communication. During IBM Security Guardium Key Lifecycle Manager installation, you can modify these default ports.
Note: The non-secure port 9080 is not applicable when IBM Security Guardium Key Lifecycle Manager is deployed in a containerized environment.

Request

Request Parameters
| Parameter | Description |
|---|---|
| host | Specify the IP address or host name of the IBM Security Guardium Key Lifecycle Manager server. |
| port | Specify the port number on which the IBM Security Guardium Key Lifecycle Manager server listens for requests. |
Request Headers
| Header name | Value |
|---|---|
| Content-Type | application/json |
| Accept | application/json |
| Authorization | SKLMAuth userAuthId=<authIdValue> |
| Accept-Language | Any valid locale that is supported by IBM Security Guardium Key Lifecycle Manager. For example: en or de |

Response

Response Headers
| Header name | Value and description |
|---|---|
| Status Code | 200 OK: The request was successful. The response body contains the requested representation. |
| | 400 Bad Request: The authentication information was not provided in the correct format. |
| | 401 Unauthorized: The authentication credentials were missing or incorrect. |
| | 404 Not Found Error: The processing of the request fails. |
| | 500 Internal Server Error: The processing of the request fails because of an unexpected condition on the server. |
| Content-Type | application/json |
| Content-Language | Locale for the response message. |
Success response body

JSON object with the following specification:

| JSON property name | Description |
|---|---|
| uuid | Returns the universal unique identifier of the certificate. |
| subject name | Returns the certificate subject name. The X.509 certificates contain the subject distinguished name. The property value is from the Subject field of the certificate. |
| issuer name | Returns the distinguished name of the certificate issuer. The property value is from the Issuer field of the certificate. |
| serial number | Returns the certificate serial number. |
| client cert pending date | Returns the certificate pending date for acceptance or rejection. |
| key state | Indicates the certificate status, such as ACTIVE. |
| creation date | Returns the certificate creation date. |
| expiration date | Returns the certificate expiration date at which the certificate expires for use in secure communication. |
| Cryptographic Algorithm | Represents the cryptographic algorithm of the certificate, such as RSA, DSA, DES, 3DES, or AES. |
| Cryptographic Length | Returns the length of the clear-text cryptographic object in bits. |
| X509 output | Returns the standard X509 certificate details. |
Error Response Body

JSON object with the following specification.

| JSON property name | Description |
|---|---|
| code | Returns the application error code. |
| message | Returns a message that describes the error. |

Examples

Service request to list pending client certificates
GET https://localhost:<port>/SKLM/rest/v1/pendingClientCertificates
Content-Type: application/json
Accept: application/json
Authorization: SKLMAuth userAuthId=37ea1939-1374-4db7-84cd-14e399be2d20
Accept-Language: en
Success response
Status Code : 200 OK
[
  {
    "uuid": "CERTIFICATE-a2b3f39e-e2e2-4c3a-8d2a-1a7a70325f98",
    "subject name": "CN=sklm, OU=sales, O=myCompanyName, C=US",
    "issuer name": "CN=sklm, OU=sales, O=myCompanyName, C=US",
    "serial number": "187046468526998",
    "client cert pending date": "null",
    "key state": "ACTIVE",
    "creation date": "2/5/14 2:36:08 PM India Standard Time",
    "expiration date": "10/31/16 2:36:08 PM India Standard Time",
    "Cryptographic Algorithm": "null",
    "Cryptographic Length": "null",
    "X509 output": "[
[
  Version: V3
  Subject: CN=sklm, OU=sales, O=myCompanyName, C=US
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  IBMJCEPlus RSA Public Key:
modulus:
20343792752701333201377325794017522444564006442664306525766597161469787
17332526254247928986503718943545941228409997415431018962702806278524534
66583572866286863688798455159498253836109219126642962373937070041657442
08695618234138808452257672772438474671177397384842843716438786042706893
75975912478122192280406495103069267569084049922680543292121637319172591
79566018401847209738098004334904688848677255967871931296704384455471587
75669733723407193952257210589631928286911089116030508338233863473536922
75555776466241294432324170157283095834048906391686293082742737202863073
2131104857473817762574727003026725415471938291973
public exponent:
65537

  Validity: [From: Wed Feb 05 14:36:08 IST 2014,
               To: Mon Oct 31 14:36:08 IST 2016]
  Issuer: CN=sklm, OU=sales, O=myCompanyName, C=US
  SerialNumber: [187046468526998]

Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 37 28 bb 82 e8 02 14 68  a0 51 13 75 7a 7a 80 e2  7......h.Q.uzz..
0010: 10 0b 9b d5                                        ....
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 66 c8 b7 ca d2 35 5c 11  0d ee cd 77 57 52 47 8a  f....5.....wWRG.
0010: e0 98 bb f8 4e 43 d1 56  dd 29 24 6c 43 d7 ec 9d  ....NC.V...lC...
0020: a6 8a e9 d4 b3 b2 1b 0a  37 be 09 d7 5a 7a 26 8c  ........7...Zz..
0030: f9 6b ac d7 a4 2e a8 c3  d6 45 e6 a4 ae 6c df ad  .k.......E...l..
0040: b5 c5 db c5 b1 f5 44 2d  30 84 60 41 0b a1 77 89  ......D.0..A..w.
0050: 78 ee 59 d0 9a ea 8d 32  95 c6 26 bf 39 6b 46 67  x.Y....2....9kFg
0060: 6b 0c 65 fa 09 a1 49 0a  7b 0e fe af 20 cf d3 fd  k.e...I.........
0070: 3f 4b 55 03 4d 6f 8e ef  ca 0e e6 a0 c1 91 06 f7  .KU.Mo..........
0080: b0 6c ef 49 a4 b3 2e 4a  1f 8d 2c 0f cd f3 1e aa  .l.I...J........
0090: 28 0f 1b 51 09 fb 73 dc  79 ba 0c d6 a6 2c 65 a6  ...Q..s.y.....e.
00a0: f7 51 25 7f 7d 54 5b 19  7a 5c 3e 6c fb e9 7e 45  .Q...T..z..l...E
00b0: be 6a c8 42 22 f2 21 e7  6c c3 be 9a c2 f1 2c 64  .j.B....l......d
00c0: a5 1b bd 79 a7 c7 aa f7  5f e7 7d 76 c0 2c c4 f8  ...y.......v....
00d0: 77 48 2c 7e f7 04 a3 d4  b8 0e 99 56 2a b5 f7 b4  wH.........V....
00e0: 06 f3 b8 b7 7f d4 e3 b5  ff 35 05 fa 64 10 75 79  .........5..d.uy
00f0: 85 f1 97 bb ab ce f1 08  bc b5 d0 73 a5 34 80 5a  ...........s.4.Z

]
  }
]
Error response
Status Code : 400 Bad Request
Content-Language: en
{"code": "CTGKM6002E",
 "message": "CTGKM6002E Bad Request: Invalid user authentication ID or invalid request format."
 }
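Because acceptance adds a pending certificate to the keystore as trusted, it helps to review each entry in the list before deciding. The following is an added example, not part of the IBM documentation: it builds the documented request and flags entries in the response that deserve a closer look. The function names, the host used in testing, and the second sample entry are hypothetical; the code assumes the `en` date format and the string `"null"` for missing values, as in the sample response above.

```python
import json
import urllib.request
from datetime import datetime

def build_request(host, port, auth_id):
    """GET request carrying the headers documented above."""
    url = f"https://{host}:{port}/SKLM/rest/v1/pendingClientCertificates"
    return urllib.request.Request(url, method="GET", headers={
        "Content-Type": "application/json", "Accept": "application/json",
        "Authorization": f"SKLMAuth userAuthId={auth_id}", "Accept-Language": "en"})

def fetch_pending(host, port, auth_id):
    """Call the service; urlopen verifies the server's TLS certificate by default."""
    with urllib.request.urlopen(build_request(host, port, auth_id), timeout=10) as resp:
        return json.load(resp)

def parse_date(value):
    """Parse '2/5/14 2:36:08 PM <zone name>'; assumes the en format, drops the zone."""
    if value in (None, "", "null"):
        return None
    return datetime.strptime(" ".join(value.split()[:3]), "%m/%d/%y %I:%M:%S %p")

def triage(certs, now):
    """Return {uuid: [findings]} for an operator to read before accepting or rejecting."""
    report = {}
    for cert in certs:
        findings = []
        if cert.get("subject name") == cert.get("issuer name"):
            findings.append("subject equals issuer: confirm with the device owner out of band")
        expires = parse_date(cert.get("expiration date"))
        if expires is None:
            findings.append("no expiration date reported")
        elif expires <= now:
            findings.append("expired")
        if cert.get("Cryptographic Algorithm") in (None, "null"):
            findings.append("algorithm not reported: read it from X509 output")
        report[cert.get("uuid", "<no uuid>")] = findings
    return report

# First entry copies fields from the page's sample response; the second is constructed.
SAMPLE = [
    {"uuid": "CERTIFICATE-a2b3f39e-e2e2-4c3a-8d2a-1a7a70325f98",
     "subject name": "CN=sklm, OU=sales, O=myCompanyName, C=US",
     "issuer name": "CN=sklm, OU=sales, O=myCompanyName, C=US",
     "expiration date": "10/31/16 2:36:08 PM India Standard Time",
     "Cryptographic Algorithm": "null"},
    {"uuid": "CERTIFICATE-constructed-example", "subject name": "CN=device01, O=example",
     "issuer name": "CN=Example Issuing CA, O=example", "Cryptographic Algorithm": "RSA",
     "expiration date": "12/31/60 11:59:59 PM Coordinated Universal Time"},
]
```

Run `triage(fetch_pending(host, port, auth_id), datetime.now())` against a live server, or `triage(SAMPLE, datetime.now())` offline.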