Module netapp_ontap.resources.security_key_manager

Copyright © 2022 NetApp Inc. All rights reserved.

Overview

A key manager is a key management solution (software or dedicated hardware) that enables other ONTAP client modules to securely and persistently store keys for various uses. For example, WAFL uses the key management framework to store and retrieve the volume encryption keys that it uses to encrypt/decrypt data on NVE volumes. A key manager can be configured at both cluster scope and SVM, with one key manager allowed per SVM. The key management framework in ONTAP supports two mutually exclusive modes for persisting keys: external and onboard.

When an SVM is configured with external key management, the keys are stored on up to four key servers that are external to the system.

Once external key management is enabled for an SVM, key servers can be added or removed using the /api/security/key-managers/{uuid}/key-servers endpoint. See [POST /security/key-managers/{uuid}/key-servers] and [DELETE /security/key-managers/{uuid}/key-servers/{server}] for more details.

Setting up external key management dictates that the required certificates for securely communicating with the key server are installed prior to configuring the key manager. To install the required client and server_ca certificates, use the /api/security/certificates/ endpoint.

See [POST /security/certificates], [GET /security/certificates/uuid] and [DELETE /security/certificates/{uuid}] for more details.

When an SVM is configured with the Onboard Key Manager, the keys are stored in ONTAP in wrapped format using a key hierarchy created using the salted hash of the passphrase entered when configuring the Onboard Key Manager. This model fits well for customers who use ONTAP to store their own data.

Examples

Creating an external key manager with 1 key server for a cluster

The example key manager is configured at the cluster-scope with one key server. Note that the UUIDs of the certificates are those that are already installed at the cluster-scope. Note the return_records=true query parameter is used to obtain the newly created key manager configuration

from netapp_ontap import HostConnection
from netapp_ontap.resources import SecurityKeyManager

with HostConnection("<mgmt-ip>", username="admin", password="password", verify=False):
    resource = SecurityKeyManager()
    resource.external = {
        "client_certificate": {"uuid": "5fb1701a-d922-11e8-bfe8-005056bb017d"},
        "server_ca_certificates": [{"uuid": "827d7d31-d6c8-11e8-b5bf-005056bb017d"}],
        "servers": [{"server": "10.225.89.33:5696"}],
    }
    resource.post(hydrate=True)
    print(resource)

SecurityKeyManager(
    {
        "external": {
            "server_ca_certificates": [
                {"uuid": "827d7d31-d6c8-11e8-b5bf-005056bb017d"}
            ],
            "servers": [{"server": "10.225.89.33:5696"}],
            "client_certificate": {"uuid": "5fb1701a-d922-11e8-bfe8-005056bb017d"},
        },
        "uuid": "815e9462-dc57-11e8-9b2c-005056bb017d",
        "_links": {
            "self": {
                "href": "/api/security/key-managers/815e9462-dc57-11e8-9b2c-005056bb017d"
            }
        },
    }
)


Creating an external key manager with 1 primary key server and 2 secondary key servers for a cluster

The example key manager is configured at the cluster-scope with one key server and two secondary key servers. Note that the UUIDs of the certificates are those that are already installed at the cluster-scope. Note the return_records=true query parameter is used to obtain the newly created key manager configuration

from netapp_ontap import HostConnection
from netapp_ontap.resources import SecurityKeyManager

with HostConnection("<mgmt-ip>", username="admin", password="password", verify=False):
    resource = SecurityKeyManager()
    resource.external = {
        "client_certificate": {"uuid": "5fb1701a-d922-11e8-bfe8-005056bb017d"},
        "server_ca_certificates": [{"uuid": "827d7d31-d6c8-11e8-b5bf-005056bb017d"}],
        "servers": [
            {
                "server": "10.225.89.33:5696",
                "secondary_key_servers": ["1.1.1.1", "10.72.204.27:5696"],
            }
        ],
    }
    resource.post(hydrate=True)
    print(resource)

SecurityKeyManager(
    {
        "external": {
            "server_ca_certificates": [
                {"uuid": "827d7d31-d6c8-11e8-b5bf-005056bb017d"}
            ],
            "servers": [
                {
                    "secondary_key_servers": ["1.1.1.1", "10.72.204.27:5096"],
                    "server": "10.225.89.33:5696",
                }
            ],
            "client_certificate": {"uuid": "5fb1701a-d922-11e8-bfe8-005056bb017d"},
        },
        "uuid": "815e9462-dc57-11e8-9b2c-005056bb017d",
        "_links": {
            "self": {
                "href": "/api/security/key-managers/815e9462-dc57-11e8-9b2c-005056bb017d"
            }
        },
    }
)


Creating an external key manager with 1 key server for an SVM

The example key manager is configured at the SVM-scope with one key server. Note that the UUIDs of the certificates are those that are already installed in that SVM. Note the return_records=true query parameter is used to obtain the newly created key manager configuration

from netapp_ontap import HostConnection
from netapp_ontap.resources import SecurityKeyManager

with HostConnection("<mgmt-ip>", username="admin", password="password", verify=False):
    resource = SecurityKeyManager()
    resource.svm = {"uuid": "216e6c26-d6c6-11e8-b5bf-005056bb017d"}
    resource.external = {
        "client_certificate": {"uuid": "91dcaf7c-dbbd-11e8-9b2c-005056bb017d"},
        "server_ca_certificates": [{"uuid": "a4d4b8ba-dbbd-11e8-9b2c-005056bb017d"}],
        "servers": [{"server": "10.225.89.34:5696"}],
    }
    resource.post(hydrate=True)
    print(resource)

SecurityKeyManager(
    {
        "external": {
            "server_ca_certificates": [
                {"uuid": "a4d4b8ba-dbbd-11e8-9b2c-005056bb017d"}
            ],
            "servers": [{"server": "10.225.89.34:5696"}],
            "client_certificate": {"uuid": "91dcaf7c-dbbd-11e8-9b2c-005056bb017d"},
        },
        "svm": {"uuid": "216e6c26-d6c6-11e8-b5bf-005056bb017d"},
        "uuid": "80af63f2-dbbf-11e8-9b2c-005056bb017d",
        "_links": {
            "self": {
                "href": "/api/security/key-managers/80af63f2-dbbf-11e8-9b2c-005056bb017d"
            }
        },
    }
)


Creating an onboard key manager for a cluster

The following example shows how to create an onboard key manager for a cluster with the onboard key manager configured at the cluster-scope.

from netapp_ontap import HostConnection
from netapp_ontap.resources import SecurityKeyManager

with HostConnection("<mgmt-ip>", username="admin", password="password", verify=False):
    resource = SecurityKeyManager()
    resource.onboard = {"passphrase": "passphrase"}
    resource.post(hydrate=True)
    print(resource)


Retrieving the key manager configurations for all clusters and SVMs

The following example shows how to retrieve all configured key managers along with their configurations.

from netapp_ontap import HostConnection
from netapp_ontap.resources import SecurityKeyManager

with HostConnection("<mgmt-ip>", username="admin", password="password", verify=False):
    print(list(SecurityKeyManager.get_collection(fields="*")))

[
    SecurityKeyManager(
        {
            "external": {
                "server_ca_certificates": [
                    {
                        "uuid": "8a17c858-d6c8-11e8-b5bf-005056bb017d",
                        "_links": {
                            "self": {
                                "href": "/api/security/certificates/8a17c858-d6c8-11e8-b5bf-005056bb017d/"
                            }
                        },
                    }
                ],
                "servers": [
                    {
                        "username": "",
                        "server": "10.2.30.4:5696",
                        "timeout": 25,
                        "_links": {
                            "self": {
                                "href": "/api/security/key-managers/2345f09c-d6c9-11e8-b5bf-005056bb017d/key-servers/10.2.30.4:5696/"
                            }
                        },
                    },
                    {
                        "secondary_key_servers": ["1.1.1.1", "10.72.204.27:5096"],
                        "username": "",
                        "server": "vs0.local1:3678",
                        "timeout": 25,
                        "_links": {
                            "self": {
                                "href": "/api/security/key-managers/2345f09c-d6c9-11e8-b5bf-005056bb017d/key-servers/vs0.local1:3678/"
                            }
                        },
                    },
                ],
                "client_certificate": {
                    "uuid": "4cb15482-d6c8-11e8-b5bf-005056bb017d",
                    "_links": {
                        "self": {
                            "href": "/api/security/certificates/4cb15482-d6c8-11e8-b5bf-005056bb017d/"
                        }
                    },
                },
            },
            "scope": "svm",
            "svm": {"uuid": "0f22f8f3-d6c6-11e8-b5bf-005056bb017d", "name": "vs0"},
            "uuid": "2345f09c-d6c9-11e8-b5bf-005056bb017d",
            "_links": {
                "self": {
                    "href": "/api/security/key-managers/2345f09c-d6c9-11e8-b5bf-005056bb017d"
                }
            },
        }
    ),
    SecurityKeyManager(
        {
            "external": {
                "server_ca_certificates": [
                    {
                        "uuid": "827d7d31-d6c8-11e8-b5bf-005056bb017d",
                        "_links": {
                            "self": {
                                "href": "/api/security/certificates/827d7d31-d6c8-11e8-b5bf-005056bb017d/"
                            }
                        },
                    }
                ],
                "servers": [
                    {
                        "username": "",
                        "server": "10.225.89.33:5696",
                        "timeout": 25,
                        "_links": {
                            "self": {
                                "href": "/api/security/key-managers/815e9462-dc57-11e8-9b2c-005056bb017d/key-servers/10.225.89.33:5696/"
                            }
                        },
                    }
                ],
                "client_certificate": {
                    "uuid": "5fb1701a-d922-11e8-bfe8-005056bb017d",
                    "_links": {
                        "self": {
                            "href": "/api/security/certificates/5fb1701a-d922-11e8-bfe8-005056bb017d/"
                        }
                    },
                },
            },
            "scope": "cluster",
            "uuid": "815e9462-dc57-11e8-9b2c-005056bb017d",
            "_links": {
                "self": {
                    "href": "/api/security/key-managers/815e9462-dc57-11e8-9b2c-005056bb017d"
                }
            },
        }
    ),
]


Retrieving the key manager configurations for all clusters and SVMs (showing Onboard Key Manager)

The following example shows how to retrieve all configured key managers along with their configurations.

from netapp_ontap import HostConnection
from netapp_ontap.resources import SecurityKeyManager

with HostConnection("<mgmt-ip>", username="admin", password="password", verify=False):
    print(list(SecurityKeyManager.get_collection(fields="*")))

[
    SecurityKeyManager(
        {
            "onboard": {
                "key_backup": "--------------------------BEGIN BACKUP--------------------------\n <Backup Data> \n---------------------------END BACKUP---------------------------\n",
                "enabled": True,
            },
            "is_default_data_at_rest_encryption_disabled": False,
            "scope": "cluster",
            "volume_encryption": {
                "code": 65536935,
                "message": "The following nodes do not support volume granular encryption: ntap-vsim2.",
                "supported": False,
            },
            "uuid": "8ba52e0f-ae22-11e9-b747-005056bb7636",
        }
    )
]


Retrieving expensive fields such as, status.code and status.message, associated with a key manager.

These values are not retreived by default with the 'fields=*' option. The following example shows how to retrieve the expensive objects associated with a key manager.

from netapp_ontap import HostConnection
from netapp_ontap.resources import SecurityKeyManager

with HostConnection("<mgmt-ip>", username="admin", password="password", verify=False):
    print(list(SecurityKeyManager.get_collection(fields="status.message,status.code")))

[
    SecurityKeyManager(
        {
            "status": {"code": 65537200, "message": "No action needed at this time."},
            "uuid": "ac305d46-aef4-11e9-ad3c-005056bb7636",
            "_links": {
                "self": {
                    "href": "/api/security/key-managers/ac305d46-aef4-11e9-ad3c-005056bb7636"
                }
            },
        }
    )
]


Retrieving a specific key manager configuration

The following example shows how to retrieve a specific key manager configuration.

from netapp_ontap import HostConnection
from netapp_ontap.resources import SecurityKeyManager

with HostConnection("<mgmt-ip>", username="admin", password="password", verify=False):
    resource = SecurityKeyManager(uuid="<uuid>")
    resource.get(fields="*")
    print(resource)

SecurityKeyManager(
    {
        "external": {
            "server_ca_certificates": [
                {
                    "uuid": "8a17c858-d6c8-11e8-b5bf-005056bb017d",
                    "_links": {
                        "self": {
                            "href": "/api/security/certificates/8a17c858-d6c8-11e8-b5bf-005056bb017d/"
                        }
                    },
                }
            ],
            "servers": [
                {
                    "username": "",
                    "server": "10.2.30.4:5696",
                    "timeout": 25,
                    "_links": {
                        "self": {
                            "href": "/api/security/key-managers/2345f09c-d6c9-11e8-b5bf-005056bb017d/key-servers/10.2.30.4:5696/"
                        }
                    },
                },
                {
                    "username": "",
                    "server": "vs0.local1:3678",
                    "timeout": 25,
                    "_links": {
                        "self": {
                            "href": "/api/security/key-managers/2345f09c-d6c9-11e8-b5bf-005056bb017d/key-servers/vs0.local1:3678/"
                        }
                    },
                },
            ],
            "client_certificate": {
                "uuid": "4cb15482-d6c8-11e8-b5bf-005056bb017d",
                "_links": {
                    "self": {
                        "href": "/api/security/certificates/4cb15482-d6c8-11e8-b5bf-005056bb017d/"
                    }
                },
            },
        },
        "scope": "svm",
        "svm": {"uuid": "0f22f8f3-d6c6-11e8-b5bf-005056bb017d", "name": "vs0"},
        "uuid": "2345f09c-d6c9-11e8-b5bf-005056bb017d",
        "_links": {
            "self": {
                "href": "/api/security/key-managers/2345f09c-d6c9-11e8-b5bf-005056bb017d"
            }
        },
    }
)


Updating the configuration of an external key manager

The following example shows how to update the server_ca configuration of an external key manager.

from netapp_ontap import HostConnection
from netapp_ontap.resources import SecurityKeyManager

with HostConnection("<mgmt-ip>", username="admin", password="password", verify=False):
    resource = SecurityKeyManager(uuid="<uuid>")
    resource.external = {
        "server_ca_certificates": [{"uuid": "23b05c58-d790-11e8-b5bf-005056bb017d"}]
    }
    resource.patch()


Updating the passphrase of an Onboard Key Manager

The following example shows how to update the passphrase of a given key manager.

from netapp_ontap import HostConnection
from netapp_ontap.resources import SecurityKeyManager

with HostConnection("<mgmt-ip>", username="admin", password="password", verify=False):
    resource = SecurityKeyManager(uuid="<uuid>")
    resource.onboard = {
        "existing_passphrase": "existing_passphrase",
        "passphrase": "new_passphrase",
    }
    resource.patch()


Synchronizing the passphrase of the Onboard Key Manager on a cluster

The following example shows how to synchronize the passphrase on a cluster where the Onboard Key Manager is already configured.

from netapp_ontap import HostConnection
from netapp_ontap.resources import SecurityKeyManager

with HostConnection("<mgmt-ip>", username="admin", password="password", verify=False):
    resource = SecurityKeyManager(uuid="<uuid>")
    resource.onboard = {
        "existing_passphrase": "existing_passphrase",
        "synchronize": True,
    }
    resource.patch()


Configuring the Onboard Key Manager on a cluster

The following example shows how to configure the Onboard Key Manager on a cluster where the Onboard Key Manager is not configured, but is configured on an MetroCluster partner cluster.

from netapp_ontap import HostConnection
from netapp_ontap.resources import SecurityKeyManager

with HostConnection("<mgmt-ip>", username="admin", password="password", verify=False):
    resource = SecurityKeyManager()
    resource.onboard = {"passphrase": "passphrase", "synchronize": True}
    resource.post(hydrate=True, return_records=False)
    print(resource)


Deleting a configured key manager

The following example shows how to delete a key manager given its UUID.

from netapp_ontap import HostConnection
from netapp_ontap.resources import SecurityKeyManager

with HostConnection("<mgmt-ip>", username="admin", password="password", verify=False):
    resource = SecurityKeyManager(uuid="<uuid>")
    resource.delete()


Adding a key server to an external key manager

The following example shows how to add a key server with two secondary key servers to an external key manager.

from netapp_ontap import HostConnection
from netapp_ontap.resources import KeyServer

with HostConnection("<mgmt-ip>", username="admin", password="password", verify=False):
    resource = KeyServer("<uuid>")
    resource.server = "10.225.89.34:5696"
    resource.secondary_key_servers = ["1.1.1.1", "10.72.204.27:5696"]
    resource.post(hydrate=True)
    print(resource)

KeyServer(
    {
        "secondary_key_servers": ["1.1.1.1", "10.72.204.27:5096"],
        "server": "10.225.89.34:5696",
        "_links": {
            "self": {
                "href": "/api/security/key-managers/43e0c191-dc5c-11e8-9b2c-005056bb017d/key-servers/10.225.89.34%3A5696"
            }
        },
    }
)


Adding 2 key servers to an external key manager

The following example shows how to add 2 key servers to an external key manager. Note that the records property is used to add multiple key servers to the key manager in a single API call.

from netapp_ontap import HostConnection
from netapp_ontap.resources import KeyServer

with HostConnection("<mgmt-ip>", username="admin", password="password", verify=False):
    resource = KeyServer("<uuid>")
    resource.records = [
        {"server": "10.225.89.34:5696"},
        {"server": "10.225.89.33:5696"},
    ]
    resource.post(hydrate=True)
    print(resource)

KeyServer(
    {
        "_links": {
            "self": {
                "href": "/api/security/key-managers/43e0c191-dc5c-11e8-9b2c-005056bb017d/key-servers/"
            }
        }
    }
)


Retrieving all the key servers configured in an external key manager

The following example shows how to retrieve all key servers configured in an external key manager.

from netapp_ontap import HostConnection
from netapp_ontap.resources import KeyServer

with HostConnection("<mgmt-ip>", username="admin", password="password", verify=False):
    print(list(KeyServer.get_collection("<uuid>", fields="*")))

[
    KeyServer(
        {
            "secondary_key_servers": ["1.1.1.1", "10.72.204.27:5096"],
            "username": "",
            "server": "10.225.89.33:5696",
            "timeout": 25,
            "_links": {
                "self": {
                    "href": "/api/security/key-managers/43e0c191-dc5c-11e8-9b2c-005056bb017d/key-servers/10.225.89.33%3A5696"
                }
            },
        }
    ),
    KeyServer(
        {
            "username": "",
            "server": "10.225.89.34:5696",
            "timeout": 25,
            "_links": {
                "self": {
                    "href": "/api/security/key-managers/43e0c191-dc5c-11e8-9b2c-005056bb017d/key-servers/10.225.89.34%3A5696"
                }
            },
        }
    ),
]


Retrieving a specific key server configured in an external key manager

The following example shows how to retrieve a specific key server configured in an external key manager.

from netapp_ontap import HostConnection
from netapp_ontap.resources import KeyServer

with HostConnection("<mgmt-ip>", username="admin", password="password", verify=False):
    resource = KeyServer("<uuid>", server="{server}")
    resource.get(fields="*")
    print(resource)

KeyServer(
    {
        "username": "",
        "server": "10.225.89.34:5696",
        "timeout": 25,
        "_links": {
            "self": {
                "href": "/api/security/key-managers/43e0c191-dc5c-11e8-9b2c-005056bb017d/key-servers/10.225.89.34:5696"
            }
        },
    }
)


Updating a specific key server configuration configured in an external key manager

The following example shows how to update a specific key server configured in an external key manager.

from netapp_ontap import HostConnection
from netapp_ontap.resources import KeyServer

with HostConnection("<mgmt-ip>", username="admin", password="password", verify=False):
    resource = KeyServer("<uuid>", server="{server}")
    resource.timeout = 45
    resource.patch()


The following example shows how to update the set of secondary key servers associated with a key server.

from netapp_ontap import HostConnection
from netapp_ontap.resources import KeyServer

with HostConnection("<mgmt-ip>", username="admin", password="password", verify=False):
    resource = KeyServer("<uuid>", server="{server}")
    resource.secondary_key_servers = ["1.1.1.1", "10.72.204.27:5696"]
    resource.patch()


Deleting a key server from an external key manager

The following example shows how to delete a key server from an external key manager.

from netapp_ontap import HostConnection
from netapp_ontap.resources import KeyServer

with HostConnection("<mgmt-ip>", username="admin", password="password", verify=False):
    resource = KeyServer("<uuid>", server="{server}")
    resource.delete()


Classes

class SecurityKeyManager (*args, **kwargs)

Allows interaction with SecurityKeyManager objects on the host

Initialize the instance of the resource.

Any keyword arguments are set on the instance as properties. For example, if the class was named 'MyResource', then this statement would be true:

MyResource(name='foo').name == 'foo'

Args

*args
Each positional argument represents a parent key as used in the URL of the object. That is, each value will be used to fill in a segment of the URL which refers to some parent object. The order of these arguments must match the order they are specified in the URL, from left to right.
**kwargs
each entry will have its key set as an attribute name on the instance and its value will be the value of that attribute.

Ancestors

Static methods

def count_collection(*args, connection: HostConnection = None, **kwargs) -> int

Fetch a count of all objects of this type from the host.

This calls GET on the object to determine the number of records. It is more efficient than calling get_collection() because it will not construct any objects. Query parameters can be passed in as kwargs to determine a count of objects that match some filtered criteria.

Args

*args
Each entry represents a parent key which is used to build the path to the child object. If the URL definition were /api/foos/{foo.name}/bars, then to get the count of bars for a particular foo, the foo.name value should be passed.
connection
The HostConnection object to use for this API call. If unset, tries to use the connection which is set globally for the library or from the current context.
**kwargs
Any key/value pairs passed will be sent as query parameters to the host. These query parameters can affect the count. A return_records query param will be ignored.

Returns

On success, returns an integer count of the objects of this type. On failure, returns -1.

Raises

NetAppRestError: If the API call returned a status code >= 400, or if there is no connection available to use either passed in or on the library.

def delete_collection(*args, records: Iterable[_ForwardRef('SecurityKeyManager')] = None, body: Union[Resource, dict] = None, poll: bool = True, poll_interval: Union[int, NoneType] = None, poll_timeout: Union[int, NoneType] = None, connection: HostConnection = None, **kwargs) -> NetAppResponse

Deletes a key manager.

  • security key-manager external disable
  • security key-manager onboard disable

Learn more


Delete all objects in a collection which match the given query.

All records on the host which match the query will be deleted.

Args

*args
Each entry represents a parent key which is used to build the path to the child object. If the URL definition were /api/foos/{foo.name}/bars, then to delete the collection of bars for a particular foo, the foo.name value should be passed.
records
Can be provided in place of a query. If so, this list of objects will be deleted from the host.
body
The body of the delete request. This could be a Resource instance or a dictionary object.
poll
If set to True, the call will not return until the asynchronous job on the host has completed. Has no effect if the host did not return a job response.
poll_interval
If the operation returns a job, this specifies how often to query the job for updates.
poll_timeout
If the operation returns a job, this specifies how long to continue monitoring the job's status for completion.
connection
The HostConnection object to use for this API call. If unset, tries to use the connection which is set globally for the library or from the current context.
**kwargs
Any key/value pairs passed will be sent as query parameters to the host. Only resources matching this query will be deleted.

Returns

A NetAppResponse object containing the details of the HTTP response.

Raises

NetAppRestError: If the API call returned a status code >= 400

def find(*args, connection: HostConnection = None, **kwargs) -> Resource

Retrieves key managers.

Expensive properties

There is an added cost to retrieving values for these properties. They are not included by default in GET results and must be explicitly requested using the fields query parameter. See Requesting specific fields to learn more. * status.message * status.code

  • security key-manager show-key-store
  • security key-manager external show
  • security key-manager external show-status
  • security key-manager onboard show-backup

Learn more


Find an instance of an object on the host given a query.

The host will be queried with the provided key/value pairs to find a matching resource. If 0 are found, None will be returned. If more than 1 is found, an error will be raised or returned. If there is exactly 1 matching record, then it will be returned.

Args

*args
Each entry represents a parent key which is used to build the path to the child object. If the URL definition were /api/foos/{foo.name}/bars, then to find a bar for a particular foo, the foo.name value should be passed.
connection
The HostConnection object to use for this API call. If unset, tries to use the connection which is set globally for the library or from the current context.
**kwargs
Any key/value pairs passed will be sent as query parameters to the host.

Returns

A Resource object containing the details of the object or None if no matches were found.

Raises

NetAppRestError: If the API call returned more than 1 matching resource.

def get_collection(*args, connection: HostConnection = None, max_records: int = None, **kwargs) -> Iterable[Resource]

Retrieves key managers.

Expensive properties

There is an added cost to retrieving values for these properties. They are not included by default in GET results and must be explicitly requested using the fields query parameter. See Requesting specific fields to learn more. * status.message * status.code

  • security key-manager show-key-store
  • security key-manager external show
  • security key-manager external show-status
  • security key-manager onboard show-backup

Learn more


Fetch a list of all objects of this type from the host.

This is a lazy fetch, making API calls only as necessary when the result of this call is iterated over. For instance, if max_records is set to 5, then iterating over the collection causes an API call to be sent to the server once for every 5 records. If the client stops iterating before getting to the 6th record, then no additional API calls are made.

Args

*args
Each entry represents a parent key which is used to build the path to the child object. If the URL definition were /api/foos/{foo.name}/bars, then to get the collection of bars for a particular foo, the foo.name value should be passed.
connection
The HostConnection object to use for this API call. If unset, tries to use the connection which is set globally for the library or from the current context.
max_records
The maximum number of records to return per call
**kwargs
Any key/value pairs passed will be sent as query parameters to the host.

Returns

A list of Resource objects

Raises

NetAppRestError: If there is no connection available to use either passed in or on the library. This would be not be raised when get_collection() is called, but rather when the result is iterated.

def patch_collection(body: dict, *args, records: Iterable[_ForwardRef('SecurityKeyManager')] = None, poll: bool = True, poll_interval: Union[int, NoneType] = None, poll_timeout: Union[int, NoneType] = None, connection: HostConnection = None, **kwargs) -> NetAppResponse

Updates a key manager.

Required properties

  • onboard.existing_passphrase - Cluster-wide passphrase. Required only when synchronizing the passphrase of the Onboard Key Manager.
  • synchronize - Synchronizes missing Onboard Key Manager keys on any node in the cluster. Required only when synchronizing the Onboard Key Manager keys in a local cluster.
  • security key-manager external modify
  • security key-manager onboard sync
  • security key-manager onboard update-passphrase

Learn more


Patch all objects in a collection which match the given query.

All records on the host which match the query will be patched with the provided body.

Args

body
A dictionary of name/value pairs to set on all matching members of the collection. The body argument will be ignored if records is provided.
*args
Each entry represents a parent key which is used to build the path to the child object. If the URL definition were /api/foos/{foo.name}/bars, then to patch the collection of bars for a particular foo, the foo.name value should be passed.
records
Can be provided in place of a query. If so, this list of objects will be patched on the host.
poll
If set to True, the call will not return until the asynchronous job on the host has completed. Has no effect if the host did not return a job response.
poll_interval
If the operation returns a job, this specifies how often to query the job for updates.
poll_timeout
If the operation returns a job, this specifies how long to continue monitoring the job's status for completion.
connection
The HostConnection object to use for this API call. If unset, tries to use the connection which is set globally for the library or from the current context.
**kwargs
Any key/value pairs passed will be sent as query parameters to the host. Only resources matching this query will be patched.

Returns

A NetAppResponse object containing the details of the HTTP response.

Raises

NetAppRestError: If the API call returned a status code >= 400

def post_collection(records: Iterable[_ForwardRef('SecurityKeyManager')], *args, hydrate: bool = False, poll: bool = True, poll_interval: Union[int, NoneType] = None, poll_timeout: Union[int, NoneType] = None, connection: HostConnection = None, **kwargs) -> Union[List[SecurityKeyManager], NetAppResponse]

Creates a key manager.

Required properties

  • svm.uuid or svm.name - Existing SVM in which to create a key manager.
  • external.client_certificate - Client certificate. Required only when creating an external key manager.
  • external.server_ca_certificates - Server CA certificates. Required only when creating an external key manager.
  • external.servers.server - Key servers. Required only when creating an external key manager.
  • onboard.passphrase - Cluster-wide passphrase. Required only when creating an Onboard Key Manager.
  • synchronize - Synchronizes missing onboard keys on any node in the cluster. Required only when creating an Onboard Key Manager at the partner site of a MetroCluster configuration.
  • security key-manager external enable
  • security key-manager onboard enable
  • security key-manager onboard sync

Learn more


Send this collection of objects to the host as a creation request.

Args

records
A list of Resource objects to send to the server to be created.
*args
Each entry represents a parent key which is used to build the path to the child object. If the URL definition were /api/foos/{foo.name}/bars, then to create a bar for a particular foo, the foo.name value should be passed.
hydrate
If set to True, after the response is received from the call, a a GET call will be made to refresh all fields of each object. When hydrate is set to True, poll must also be set to True.
poll
If set to True, the call will not return until the asynchronous job on the host has completed. Has no effect if the host did not return a job response.
poll_interval
If the operation returns a job, this specifies how often to query the job for updates.
poll_timeout
If the operation returns a job, this specifies how long to continue monitoring the job's status for completion.
connection
The HostConnection object to use for this API call. If unset, tries to use the connection which is set globally for the library or from the current context.
**kwargs
Any key/value pairs passed will be sent as query parameters to the host. Only resources matching this query will be patched.

Returns

A list of Resource objects matching the provided
type which have been created by the host and returned. This is _not_
 
the same list that was provided, so to continue using the object, you
 

should save this list. If poll is set to False, then a NetAppResponse object is returned instead.

Raises

NetAppRestError: If the API call returned a status code >= 400

Methods

def delete(self, body: Union[Resource, dict] = None, poll: bool = True, poll_interval: Union[int, NoneType] = None, poll_timeout: Union[int, NoneType] = None, **kwargs) -> NetAppResponse

Deletes a key manager.

  • security key-manager external disable
  • security key-manager onboard disable

Learn more


Send a deletion request to the host for this object.

Args

body
The body of the delete request. This could be a Resource instance or a dictionary object.
poll
If set to True, the call will not return until the asynchronous job on the host has completed. Has no effect if the host did not return a job response.
poll_interval
If the operation returns a job, this specifies how often to query the job for updates.
poll_timeout
If the operation returns a job, this specifies how long to continue monitoring the job's status for completion.
**kwargs
Any key/value pairs passed will be sent as query parameters to the host.

Returns

A NetAppResponse object containing the details of the HTTP response.

Raises

NetAppRestError: If the API call returned a status code >= 400

def get(self, **kwargs) -> NetAppResponse

Retrieves key managers.

Expensive properties

There is an added cost to retrieving values for these properties. They are not included by default in GET results and must be explicitly requested using the fields query parameter. See Requesting specific fields to learn more. * status.message * status.code

  • security key-manager show-key-store
  • security key-manager external show
  • security key-manager external show-status
  • security key-manager onboard show-backup

Learn more


Fetch the details of the object from the host.

Requires the keys to be set (if any). After returning, new or changed properties from the host will be set on the instance.

Returns

A NetAppResponse object containing the details of the HTTP response.

Raises

NetAppRestError: If the API call returned a status code >= 400

def migrate(self, body: Union[Resource, dict] = None, poll: bool = True, poll_interval: Union[int, NoneType] = None, poll_timeout: Union[int, NoneType] = None, **kwargs) -> NetAppResponse

Migrates the keys belonging to an SVM between the cluster's key manager and the SVM's key manager. This operation can run for several minutes.

Required properties

  • source.uuid - UUID of the source key manager.
  • uuid - UUID of the destination key manager. The UUID of onboard and external KMIP key manager can be fetched using [GET /api/security/key-managers]. The UUID of Azure Key Vault key manager can be fetched using [GET /api/security/azure-key-vaults]. The UUID of Google Cloud key manager can be fetched using [GET /api/security/gcp-kms].
  • security key-manager migrate

Perform a custom action on this resource which is not a simple CRUD action

Args

path
The action verb for this request. This will be added as a postfix to the instance location of the resource.
body
The body of the action request. This should be a Resource instance. The connection and URL will be determined based on the values from this object.
poll
If set to True, the call will not return until the asynchronous job on the host has completed. Has no effect if the host did not return a job response.
poll_interval
If the operation returns a job, this specifies how often to query the job for updates.
poll_timeout
If the operation returns a job, this specifies how long to continue monitoring the job's status for completion.
**kwargs
Any key/value pairs passed will be sent as query parameters to the host.

Returns

A NetAppResponse object containing the details of the HTTP response.

Raises

NetAppRestError: If the API call returned a status code >= 400

def patch(self, hydrate: bool = False, poll: bool = True, poll_interval: Union[int, NoneType] = None, poll_timeout: Union[int, NoneType] = None, **kwargs) -> NetAppResponse

Updates a key manager.

Required properties

  • onboard.existing_passphrase - Cluster-wide passphrase. Required only when synchronizing the passphrase of the Onboard Key Manager.
  • synchronize - Synchronizes missing Onboard Key Manager keys on any node in the cluster. Required only when synchronizing the Onboard Key Manager keys in a local cluster.
  • security key-manager external modify
  • security key-manager onboard sync
  • security key-manager onboard update-passphrase

Learn more


Send the difference in the object's state to the host as a modification request.

Calculates the difference in the object's state since the last time we interacted with the host and sends this in the request body.

Args

hydrate
If set to True, after the response is received from the call, a a GET call will be made to refresh all fields of the object.
poll
If set to True, the call will not return until the asynchronous job on the host has completed. Has no effect if the host did not return a job response.
poll_interval
If the operation returns a job, this specifies how often to query the job for updates.
poll_timeout
If the operation returns a job, this specifies how long to continue monitoring the job's status for completion.
**kwargs
Any key/value pairs passed will normally be sent as query parameters to the host. If any of these pairs are parameters that are sent as formdata then only parameters of that type will be accepted and all others will be discarded.

Returns

A NetAppResponse object containing the details of the HTTP response.

Raises

NetAppRestError: If the API call returned a status code >= 400

def post(self, hydrate: bool = False, poll: bool = True, poll_interval: Union[int, NoneType] = None, poll_timeout: Union[int, NoneType] = None, **kwargs) -> NetAppResponse

Creates a key manager.

Required properties

  • svm.uuid or svm.name - Existing SVM in which to create a key manager.
  • external.client_certificate - Client certificate. Required only when creating an external key manager.
  • external.server_ca_certificates - Server CA certificates. Required only when creating an external key manager.
  • external.servers.server - Key servers. Required only when creating an external key manager.
  • onboard.passphrase - Cluster-wide passphrase. Required only when creating an Onboard Key Manager.
  • synchronize - Synchronizes missing onboard keys on any node in the cluster. Required only when creating an Onboard Key Manager at the partner site of a MetroCluster configuration.
  • security key-manager external enable
  • security key-manager onboard enable
  • security key-manager onboard sync

Learn more


Send this object to the host as a creation request.

Args

hydrate
If set to True, after the response is received from the call, a a GET call will be made to refresh all fields of the object.
poll
If set to True, the call will not return until the asynchronous job on the host has completed. Has no effect if the host did not return a job response.
poll_interval
If the operation returns a job, this specifies how often to query the job for updates.
poll_timeout
If the operation returns a job, this specifies how long to continue monitoring the job's status for completion.
**kwargs
Any key/value pairs passed will normally be sent as query parameters to the host. If any of these pairs are parameters that are sent as formdata then only parameters of that type will be accepted and all others will be discarded.

Returns

A NetAppResponse object containing the details of the HTTP response.

Raises

NetAppRestError: If the API call returned a status code >= 400

Inherited members

class SecurityKeyManagerSchema (*, only: Union[Sequence[str], Set[str]] = None, exclude: Union[Sequence[str], Set[str]] = (), many: bool = False, context: Dict = None, load_only: Union[Sequence[str], Set[str]] = (), dump_only: Union[Sequence[str], Set[str]] = (), partial: Union[bool, Sequence[str], Set[str]] = False, unknown: str = None)

The fields of the SecurityKeyManager object

Ancestors

  • netapp_ontap.resource.ResourceSchema
  • marshmallow.schema.Schema
  • marshmallow.base.SchemaABC

Class variables

external GET POST PATCH

The external field of the security_key_manager.

is_default_data_at_rest_encryption_disabled GET PATCH

Indicates whether default data-at-rest encryption is disabled in the cluster. This field is deprecated in ONTAP 9.8 and later. Use the "software_data_encryption.disabled_by_default" of /api/security endpoint.

The links field of the security_key_manager.

onboard GET POST PATCH

The onboard field of the security_key_manager.

policy GET POST PATCH

Security policy associated with the key manager. This value is currently ignored if specified for the onboard key manager.

scope GET POST PATCH

The scope field of the security_key_manager.

status GET

The status field of the security_key_manager.

svm GET POST PATCH

The svm field of the security_key_manager.

uuid GET

The uuid field of the security_key_manager.

volume_encryption GET

The volume_encryption field of the security_key_manager.