Managing Keystore via API
The API allows you to retrieve information about keys within the keystore, add, update, and delete them. If a password is set on the keystore, it must be passed in the request body. Example:
GET _core/keystore
{
"keystore_password": "MyP@ssw0rd"
}
If you need to filter the servers on which the request should be executed, you can use additional filters.
The parameter for specifying the filter is nodeid.
The value can be a server name, IP address, attribute, etc. Wildcard support is available (see more details).
Examples:
Add the password uba.sme.pass to all nodes whose names start with smos-m:
POST _core/keystore/uba.sme.pass?nodeid=smos-m*
{
"value" : "UbaPASS"
}
Add the password plugins.security.ssl.transport.external_truststore_password to all nodes with the role data:
POST _core/keystore/plugins.security.ssl.transport.external_truststore_password?nodeid=data:true
{
"value" : "ExternalTruststorePASS"
}
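You can add the same key from the command line with curl. Note that -k disables TLS certificate verification, and a value passed with -d is visible in the shell history and the process list: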
curl -XPOST -k -u admin "https://127.0.0.1:9200/_core/keystore/plugins.security.ssl.transport.external_truststore_password?nodeid=data:true" -H "Content-Type: application/json" -d '{"value" : "ExternalTruststorePASS"}'
Add the password jobscheduler.email.pass to all nodes matching the attribute filter routing_mode:hot:
POST _core/keystore/jobscheduler.email.pass?nodeid=routing_mode:hot
{
"value" : "JobSchedulerPASS"
}
Operations
To interact with keys within the keystore, you must grant cluster permissions. The permission name is specified in each operation.
Retrieving the list of keys
The request returns information about the placement of keys on the servers.
Example:
GET _core/keystore
Permission:
cluster:admin/sm/keystore/list
Example response:
{
"HIPMpNAmSuC7JUpBm1T33w": [
"jobscheduler.email.pass",
"jobscheduler.sme.pass",
"keystore.seed",
"uba.sme.pass"
],
"Pd779Sf9RrSYiLrpA4wyxA": ["keystore.seed", "uba.sme.pass"]
}
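Because keys can be added per node with the nodeid filter, the list response is the place to check for placement gaps. The following is an added example, not part of the original documentation: it parses a response of the shape shown above and reports, for each key, the nodes that do not hold it. The function name key_placement_gaps is hypothetical, and the response format is assumed to be exactly the node-ID-to-key-list mapping from the example.

```python
import json

# Sample input: the example response from this page, embedded so the check runs offline.
SAMPLE_RESPONSE = """
{
  "HIPMpNAmSuC7JUpBm1T33w": [
    "jobscheduler.email.pass",
    "jobscheduler.sme.pass",
    "keystore.seed",
    "uba.sme.pass"
  ],
  "Pd779Sf9RrSYiLrpA4wyxA": ["keystore.seed", "uba.sme.pass"]
}
"""


def key_placement_gaps(response_text):
    """Return {key_name: sorted node IDs that do NOT hold the key}.

    Keys present on every node are omitted. Only key names are inspected;
    the list response carries no key values.
    """
    placement = json.loads(response_text)
    if not isinstance(placement, dict):
        raise ValueError("expected an object mapping node ID to key names")
    nodes = {}
    for node_id, keys in placement.items():
        if not isinstance(keys, list):
            raise ValueError(f"node {node_id}: expected a list of key names")
        nodes[node_id] = set(keys)
    # Union of every key name seen on any node.
    all_keys = set().union(*nodes.values()) if nodes else set()
    gaps = {}
    for key in sorted(all_keys):
        missing = sorted(n for n, held in nodes.items() if key not in held)
        if missing:
            gaps[key] = missing
    return gaps


if __name__ == "__main__":
    for key, missing in key_placement_gaps(SAMPLE_RESPONSE).items():
        print(f"{key}: missing on {', '.join(missing)}")
```

A gap is not necessarily an error, since a key may have been placed on a subset of nodes on purpose; the report shows where placement differs so it can be compared with the intended nodeid filters.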
Adding a key
This request allows you to add a new key.
Only key names defined within SAF Data Storage or in SAF system modules are available. Adding third-party keys will result in an error.
The key value must be passed in the request body using the value field.
Example:
POST _core/keystore/jobscheduler.email.pass?nodeid=172.16.0.3*
{
"value" : "emailPass"
}
Permission:
cluster:admin/sm/keystore/add
Updating a key
This request allows you to update an existing key.
The new key value, similar to the add request, is passed in the request body within the value field.
Example:
PUT _core/keystore/jobscheduler.sme.pass
{
"value": "SMEpass"
}
Permission:
cluster:admin/sm/keystore/update
Deleting a key
This request allows you to delete an existing key.
Example:
DELETE _core/keystore/uba.sme.pass
Permission:
cluster:admin/sm/keystore/delete