
Managing Keystore via API

The API allows you to retrieve information about keys within the keystore, add, update, and delete them. If a password is set on the keystore, it must be passed in the request body. Example:

GET _core/keystore
{
"keystore_password": "MyP@ssw0rd"
}

If you need to filter the servers on which the request should be executed, you can use additional filters. The parameter for specifying the filter is nodeid.

The value can be a server name, IP address, attribute, etc. Wildcard support is available (see more details).

Examples:

Add the password uba.sme.pass to all nodes whose names start with smos-m:

POST _core/keystore/uba.sme.pass?nodeid=smos-m*
{
"value" : "UbaPASS"
}

Add the password plugins.security.ssl.transport.external_truststore_password to all nodes with the role data:

POST _core/keystore/plugins.security.ssl.transport.external_truststore_password?nodeid=data:true
{
"value" : "ExternalTruststorePASS"
}

You can add the same key from the console with curl (-u admin prompts for the password; -k skips TLS certificate verification):

curl -XPOST -k -u admin "https://127.0.0.1:9200/_core/keystore/plugins.security.ssl.transport.external_truststore_password?nodeid=data:true" -H "Content-Type: application/json" -d '{"value" : "ExternalTruststorePASS"}'

Add the password jobscheduler.email.pass to all nodes whose routing_mode attribute is hot:

POST _core/keystore/jobscheduler.email.pass?nodeid=routing_mode:hot
{
"value" : "JobSchedulerPASS"
}

Operations

Permissions

To work with keys in the keystore, the corresponding cluster permissions must be granted. The required permission name is listed with each operation.

Retrieving the list of keys

The request returns information about the placement of keys on the servers.

Example:

GET _core/keystore

Permission:

cluster:admin/sm/keystore/list

Example response:

{
  "HIPMpNAmSuC7JUpBm1T33w": [
    "jobscheduler.email.pass",
    "jobscheduler.sme.pass",
    "keystore.seed",
    "uba.sme.pass"
  ],
  "Pd779Sf9RrSYiLrpA4wyxA": ["keystore.seed", "uba.sme.pass"]
}
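
A coverage check over the list response, added here as an example (it is not SAF code): it parses the example response above and reports which nodes lack a required key, which is worth checking because a nodeid filter can leave a key on only part of the cluster. It assumes the top-level fields of the response identify nodes; the function names and the required-key set are hypothetical.

```python
import json

# Sample input: the "Example response" shown on this page.
SAMPLE_RESPONSE = """
{
  "HIPMpNAmSuC7JUpBm1T33w": [
    "jobscheduler.email.pass", "jobscheduler.sme.pass",
    "keystore.seed", "uba.sme.pass"
  ],
  "Pd779Sf9RrSYiLrpA4wyxA": ["keystore.seed", "uba.sme.pass"]
}
"""

def parse_placement(raw):
    """Return {node: set of key names}; reject any other response shape."""
    data = json.loads(raw)
    if not isinstance(data, dict):
        raise ValueError("expected a JSON object keyed by node")
    placement = {}
    for node, keys in data.items():
        if not isinstance(keys, list) or not all(isinstance(k, str) for k in keys):
            raise ValueError(f"node {node}: expected a list of key names")
        placement[node] = set(keys)
    return placement

def missing_keys(placement, required):
    """Map each node to the required keys it lacks; complete nodes are omitted."""
    gaps = {}
    for node, keys in placement.items():
        lacking = sorted(set(required) - keys)
        if lacking:
            gaps[node] = lacking
    return gaps

def partial_keys(placement):
    """Keys present on some nodes but not all: {key: sorted nodes lacking it}."""
    all_keys = set().union(*placement.values()) if placement else set()
    result = {}
    for key in sorted(all_keys):
        lacking = sorted(n for n, ks in placement.items() if key not in ks)
        if lacking:
            result[key] = lacking
    return result

if __name__ == "__main__":
    placement = parse_placement(SAMPLE_RESPONSE)
    # Hypothetical requirement: every node needs the scheduler mail password.
    print(missing_keys(placement, {"keystore.seed", "jobscheduler.email.pass"}))
    print(partial_keys(placement))
```

A key that appears in partial_keys is not necessarily an error, since it may have been added with a nodeid filter on purpose; compare the result with the filters you intended.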

Adding a key

This request allows you to add a new key.

Key Names

Only key names defined within SAF Data Storage or in SAF system modules are available. Adding third-party keys will result in an error.

The key value must be passed in the request body using the value field.

Example:

POST _core/keystore/jobscheduler.email.pass?nodeid=172.16.0.3*
{
"value" : "emailPass"
}

Permission:

cluster:admin/sm/keystore/add

Updating a key

This request allows you to update an existing key. As in the add request, the new key value is passed in the value field of the request body.

Example:

PUT _core/keystore/jobscheduler.sme.pass
{
"value": "SMEpass"
}

Permission:

cluster:admin/sm/keystore/update

Deleting a key

This request allows you to delete an existing key.

Example:

DELETE _core/keystore/uba.sme.pass

Permission:

cluster:admin/sm/keystore/delete