### GET /api/v2/kmip_adapters Source: https://cloud.ibm.com/apidocs/key-protect.json Retrieves a list of KMIP Adapters. ```markdown ### Parameters - **Bluemix-Instance** (string, header, required): The IBM Cloud instance ID that identifies your Key Protect service instance. - **Correlation-Id** (string, header, optional): The v4 UUID used to correlate and track transactions. - **limit** (integer, query, optional): The number of KMIP Adapters to retrieve. By default, `GET /kmip_adapters` returns the first 100 KMIP Adapters. To retrieve a different set of KMIP adapters, use `limit` with `offset` to page through your available resources. The maximum value for `limit` is 200. **Usage:** If you have 20 KMIP Adapters, and you want to retrieve only the first 5 adapters, use `../kmip_adapters?limit=5`. - **offset** (integer, query, optional): The number of KMIP adapters to skip. By specifying `offset`, you retrieve a subset of KMIP adapters that starts with the `offset` value. Use `offset` with `limit` to page through your available resources. **Usage:** If you have 20 KMIP Adapters, and you want to retrieve adapters 11 through 15, use `../kmip_adapters?offset=10&limit=5`. - **totalCount** (boolean, query, optional): If set to `true`, returns `totalCount` in the response metadata for use with pagination. The `totalCount` value returned specifies the total number of kmip adapters that match the request, disregarding limit and offset. The default is set to false. **Usage:** To return the `totalCount` value for use with pagination, use `../kmip_adapters?totalCount=true`. - **crk_id** (union, query, optional): The root key ID(`crk_id`) in the `profile_data` to filter on. This field is currently only applicable to profile `"native_1.0"`. It will only return adapters with profile_data that contains this field. Example usage `../kmip_adapters?crk_id=feddecaf-0000-0000-0000-1234567890ab`. ### Responses #### 200 - Returns a list of all KMIP Adapters. **ListKMIPAdaptersWithTotalCount** #### 400 - response **ErrorCollection** #### 401 - response **ErrorCollection** #### 429 - response **ErrorCollection** #### 500 - response **ErrorCollection** ### Example Usage ```bash curl -X GET "https://{region}.kms.cloud.ibm.com/api/v2/kmip_adapters?limit=100&offset=0&totalCount=true&crk_id=value" ``` ``` -------------------------------- ### GET /api/v2/instance/policies Source: https://cloud.ibm.com/apidocs/key-protect.json Retrieves a list of policies that are associated with a specified service instance. You can manage advanced preferences for keys in your service instance by creating instance-level policies. Use `GET /instance/policies` to browse the policies that are associated with the specified instance. Currently, dual authorization policies are supported. ```markdown ### Parameters - **Bluemix-Instance** (string, header, required): The IBM Cloud instance ID that identifies your Key Protect service instance. - **Correlation-Id** (string, header, optional): The v4 UUID used to correlate and track transactions. - **policy** (string (allowedNetwork|dualAuthDelete|allowedIP|keyCreateImportAccess|metrics|rotation), query, optional): The type of policy that is associated with the specified instance. ### Responses #### 200 - The policy resources were successfully retrieved. **GetInstancePoliciesOneOf** - **metadata** (object) (required): The metadata that describes the resource array. - **collectionType** (string (application/vnd.ibm.kms.allowed_ip_metadata+json|application/vnd.ibm.kms.crn+json|application/vnd.ibm.kms.error+json|application/vnd.ibm.kms.event_acknowledge+json|application/vnd.ibm.kms.import_token+json|application/vnd.ibm.kms.key+json|application/vnd.ibm.kms.key_action+json|application/vnd.ibm.kms.alias+json|application/vnd.ibm.kms.key_ring+json|application/vnd.ibm.kms.policy+json|application/vnd.ibm.kms.registration_input+json|application/vnd.ibm.kms.registration+json|application/vnd.ibm.kms.resource_crn+json|application/vnd.ibm.kms.kmip_adapter+json|application/vnd.ibm.kms.kmip_client_certificate+json|application/vnd.ibm.kms.kmip_object+json)) (required): The type of resources in the resource array. ("application/vnd.ibm.kms.allowed_ip_metadata+json"|"application/vnd.ibm.kms.crn+json"|"application/vnd.ibm.kms.error+json"|"application/vnd.ibm.kms.event_acknowledge+json"|"application/vnd.ibm.kms.import_token+json"|"application/vnd.ibm.kms.key+json"|"application/vnd.ibm.kms.key_action+json"|"application/vnd.ibm.kms.alias+json"|"application/vnd.ibm.kms.key_ring+json"|"application/vnd.ibm.kms.policy+json"|"application/vnd.ibm.kms.registration_input+json"|"application/vnd.ibm.kms.registration+json"|"application/vnd.ibm.kms.resource_crn+json"|"application/vnd.ibm.kms.kmip_adapter+json"|"application/vnd.ibm.kms.kmip_client_certificate+json"|"application/vnd.ibm.kms.kmip_object+json") - **collectionTotal** (integer (int64)) (required): The number of elements in the resource array. (example: 1) - **resources** (array (object)) (required): A collection of resources. Array items: - **creationDate** (string (date-time)) (required): The date the policy was created. The date format follows RFC 3339. (example: "2000-03-21T00:00:00Z") - **createdBy** (string) (required): The unique identifier for the resource that created the policy. - **updatedBy** (string): The unique identifier for the resource that updated the policy. - **lastUpdated** (string (date-time)): Updates when the policy is replaced or modified. The date format follows RFC 3339. (example: "2000-03-21T00:00:00Z") #### 400 - The request is missing a required field or contains invalid values. **ErrorCollection** #### 401 - response **ErrorCollection** #### 403 - response **ErrorCollection** #### 404 - response **ErrorCollection** #### 429 - response **ErrorCollection** #### 500 - response **ErrorCollection** ### Example Usage ```bash curl -X GET "https://{region}.kms.cloud.ibm.com/api/v2/instance/policies?policy=allowedNetwork" ``` ``` -------------------------------- ### GET /api/v2/keys Source: https://cloud.ibm.com/apidocs/key-protect.json Retrieves a list of keys that are stored in your Key Protect service instance. **Important:** When a user of Key Protect on Satellite views lists of keys through the [IBM Console](https://cloud.ibm.com/login), or programmatically via this API, keys with ["fine grain" permissions](/docs/key-protect?topic=key-protect-grant-access-keys#grant-access-key-level) won't appear due to the manner in which the service aggregates the collection. While the user can still use the key resource, only by using the CLI or API and passing the specific key ID can a user access the metadata and other details of the key. **Note:** `GET /keys` will not return the key material in the response body. You can retrieve the key material for a standard key with a subsequent `GET /keys/{id}` request. ```markdown ### Parameters - **limit** (integer, query, optional): The number of keys to retrieve. By default, `GET /keys` returns the first 200 keys. To retrieve a different set of keys, use `limit` with `offset` to page through your available resources. The maximum value for `limit` is 5,000. **Usage:** If you have 20 keys in your instance, and you want to retrieve only the first 5 keys, use `../keys?limit=5`. - **offset** (integer, query, optional): The number of keys to skip. By specifying `offset`, you retrieve a subset of keys that starts with the `offset` value. Use `offset` with `limit` to page through your available resources. **Usage:** If you have 100 keys in your instance, and you want to retrieve keys 26 through 50, use `../keys?offset=25&limit=25`. - **state** (array (integer), query, optional): The state of the keys to be retrieved. States must be a list of integers from 0 to 5 delimited by commas with no whitespace or trailing commas. Valid states are based on NIST SP 800-57. States are integers and correspond to the Pre-activation = 0, Active = 1, Suspended = 2, Deactivated = 3, and Destroyed = 5 values. **Usage:** If you want to retrieve active and deleted keys, use `../keys?state=1,5`. - **extractable** (boolean, query, optional): The type of keys to be retrieved. Filters keys based on the `extractable` property. You can use this query parameter to search for keys whose material can leave the service. If set to `true`, standard keys will be retrieved. If set to `false`, root keys will be retrieved. If omitted, both root and standard keys will be retrieved. **Usage:** If you want to retrieve standard keys, use `../keys?extractable=true`. - **search** (string, query, optional): When provided, performs a search, possibly limiting the number of keys returned. *Examples*: - `foobar` - find keys where the name or any of its aliases contain `foobar`, case insentive (i.e. matches `xfoobar`, `Foobar`). - `fadedbee-0000-0000-0000-1234567890ab` (a valid key id) - find keys where the id the key is `fadedbee-0000-0000-0000-1234567890ab`, or the name or any of its aliases contain `fadedbee-0000-0000-0000-1234567890ab`, case insentive. May prepend with options: - `not:` = when specified, inverts matching logic (example: `not:foo` will search for keys that have aliases or names that do not contain `foo`) - `escape:` = everything after this option is take as plaintext (example: `escape:not:` will search for keys that have an alias or name containing the substring `not:`) - `exact:` = only looks for exact matches May prepend with search scopes: - `alias:` = search in key aliases for search query - `name:` = search in key names for search query *Examples*: - `not:exact:foobar`/`exact:not:foobar` - find keys where the name nor any of its aliases are *not* exactly `foobar` (i.e. matches `xfoobar`, `bar`, `foo`) - `exact:escape:not:foobar` - find keys where the name or any of its aliases are exactly `not:foobar` - `not:alias:foobar`/`alias:not:foobar` - find keys where any of its aliases do *not* contain `foobar` - `name:exact:foobar`/`exact:name:foobar` - find keys where the name is exactly `foobar` *Note*: By default, if no scopes are provided, search will be performed in both `name` and `alias` scopes. Search is only possible on a intial searchable space of at most 5000 keys. If the initial seachable space is greater than 5000 keys, the API returns HTTP 400 with the property resouces[0].reasons[0].code equals to 'KEY_SEARCH_TOO_BROAD'. Use the following filters to reduce the initial searchable space: - `state` (query parameter) - `extractable` (query parameter) - `X-Kms-Key-Ring` (HTTP header) If the total intial searchable space exceeds the 5000 keys limit and when providing a fully specified key id or when searching within the `alias` scope, a lookup will be performed and if a key is found, the key will be returned as the only resource and in the response metadata the property `incompleteSearch` will be `true`. When providing a fully specified key id or when searching within the `alias` scope, a key lookup is performed in addition to the search. This means search will try to lookup a single key that is uniquely identified by the key id or provided alias, this key will be included in the response as the first resource, before other matches. Search scopes are disjunctive, behaving in an *OR* manner. When using more than one search scope, a match in at least one of the scopes will result in the key being returned. - **sort** (string (id|state|extractable|imported|creationDate|lastUpdateDate|lastRotateDate|deletionDate|expirationDate), query, optional): When provided, sorts the list of keys returned based on one or more key properties. To sort on a property in descending order, prefix the term with "-". To sort on multiple key properties, use a comma to separate each properties. The first property in the comma-separated list will be evaluated before the next. The key properties that can be sorted at this time are: - `id` - `state` - `extractable` - `imported` - `creationDate` - `lastUpdateDate` - `lastRotateDate` - `deletionDate` - `expirationDate` The list of keys returned is sorted on id by default, if this parameter is not provided. - **filter** (string, query, optional): When provided, returns the list of keys that match the queried properties. Each key property to be filtered on is specified as the property name itself, followed by an “=“ symbol, and then the value to filter on, followed by a space if there are more properties to filter only. Note: Anything between `<` and `>` in the examples or descriptions represent placeholder to specify the value *Basic format*: = = - The value to filter on may contain a value related to the property itself, or an operator followed by a value accepted by the operator - Only one operator and value, or one value is accepted per property at a time *Format with operator/value pair*: =: Up to three of the same property may be specified at a time. The key properties that can be filtered at this time are: - `creationDate` * Date in RFC 3339 format in double-quotes: “2000-03-21T00:00:00Z” - `deletionDate` * Date in RFC 3339 format in double-quotes: “2000-03-21T00:00:00Z” - `expirationDate` * Date in RFC 3339 format in double-quotes: “2000-03-21T00:00:00Z” - `extractable` * Boolean true or false without quotes, case-insensitive - `lastRotateDate` * Date in RFC 3339 format in double-quotes: “2000-03-21T00:00:00Z” - `lastUpdateDate` * Date in RFC 3339 format in double-quotes: “2000-03-21T00:00:00Z” - `state` * A list of comma-separated integers with no space in between: 0,1,2,3,5 Comparison operations (operators) that can be performed on date values are: - `lte:` Less than or equal to - `lt:` Less than - `gte:` Greater than or equal to - `gt:` Greater than A special keyword for date, `none` (case-insensitive), may be used to retreive keys that do not have that property. This is useful for `lastRotateDate`, where only keys that have never been rotated can be retreived. *Examples*: - `lastRotateDate="2022-02-15T00:00:00Z"` Filter keys that were last rotated on February 15, 2022 - `lastRotateDate=gte:"2022-02-15T00:00:00Z"` Filter keys that were last rotated after or on February 15, 2022 - `lastRotateDate=gte:"2022-02-15T00:00:00Z" lastRotateDate=lt:"2022-03-15T00:00:00Z"` Filter keys that were last rotated after or on February 15, 2022 but before (not including) March 15, 2022 - `lastRotateDate="2022-02-15T00:00:00Z" state=0,1,2,3,5 extractable=false` Filter root keys that were last rotated on February 15, 2022, with any state *Note*: When you filter by `state` or `extractable` in this query parameter, you will not be able to use the deprecated `state` or `extractable` independent query parameter. You will get a 400 response code if you specify a value for one of the two properties in both this filter query parameter and the deprecated independent query of the same name (the same applies vice versa). - **X-Kms-Key-Ring** (string, header, optional): The ID of the target key ring. If unspecified, all resources in the instance that the caller has access to will be returned. When the header is specified, only resources within the specified key ring, that the caller has access to, will be returned. The key ring ID of keys that are created without an `X-Kms-Key-Ring` header is: `default`. ### Responses #### 200 - The list of keys was successfully retrieved. **ListKeys** #### 400 - If reason code (resouces[0].reasons[0].code) is present and is equal to 'KEY_SEARCH_TOO_BROAD', the total searchable space is more than 5000 keys. Try using a filter to reduce the seachable space. If reason code (resouces[0].reasons[0].code) is present and is equal to 'KEY_SEARCH_TOO_BROAD', the total searchable space is more than 5000 keys. Try using a filter to reduce the seachable space. #### 401 - response **ErrorCollection** #### 429 - response **ErrorCollection** #### 500 - response **ErrorCollection** ### Example Usage ```bash curl -X GET "https://{region}.kms.cloud.ibm.com/api/v2/keys?limit=200&offset=0&state=0,1,2,3&extractable=true&search=string&sort=id&filter=string" ``` ``` -------------------------------- ### GET /api/v2/key_rings Source: https://cloud.ibm.com/apidocs/key-protect.json List all key rings in the instance. ```markdown ### Responses #### 200 - The list of key rings was successfully retrieved. **ListKeyRingsWithTotalCount** #### 400 - response **ErrorCollection** #### 401 - response **ErrorCollection** #### 429 - response **ErrorCollection** #### 500 - response **ErrorCollection** ### Example Usage ```bash curl -X GET "https://{region}.kms.cloud.ibm.com/api/v2/key_rings" ``` ``` -------------------------------- ### GET /api/v2/kmip_adapters/{adapter_id}/certificates Source: https://cloud.ibm.com/apidocs/key-protect.json List client certificates of a KMIP Adapter. ```markdown ### Parameters - **Bluemix-Instance** (string, header, required): The IBM Cloud instance ID that identifies your Key Protect service instance. - **limit** (integer, query, optional): The number of client certificates to retrieve. By default, `GET /kmip_adapters/{id}/certificates` returns the first 100 certificates. To retrieve a different set of certificates, use `limit` with `offset` to page through your available resources. The maximum value for `limit` is 200. **Usage:** If you have 20 certificates associated with your KMIP adapter, and you want to retrieve only the first 5 certificates, use `../kmip_adapters/{id}/certificates?limit=5`. - **offset** (integer, query, optional): The number of client certificates to skip. By specifying `offset`, you retrieve a subset of certificates that starts with the `offset` value. Use `offset` with `limit` to page through your available resources. **Usage:** If you have 20 certificates associated with your KMIP adapter, and you want to retrieve certificates 11 through 15, use `../kmip_adapters/{id}/certificates?offset=10&limit=5`. - **totalCount** (boolean, query, optional): If set to `true`, returns `totalCount` in the response metadata for use with pagination. The `totalCount` value returned specifies the total number of client certificates that match the request, disregarding limit and offset. The default is set to false. **Usage:** To return the `totalCount` value for use with pagination, use `../kmip_adapters/{id}/certificates?totalCount=true`. - **Correlation-Id** (string, header, optional): The v4 UUID used to correlate and track transactions. ### Responses #### 200 - List of client certificates associated with the KMIP Adapter. **ListKMIPPartialClientCertificatesWithTotalCount** #### 400 - The client certificates could not be retrieved due to invalid request data. **ErrorCollectionWithReason** #### 401 - response **ErrorCollection** #### 404 - The client certificates could not be retrieved because a resource could not be found. **ErrorCollectionWithReason** #### 429 - response **ErrorCollection** #### 500 - response **ErrorCollection** ### Example Usage ```bash curl -X GET "https://{region}.kms.cloud.ibm.com/api/v2/kmip_adapters/{adapter_id}/certificates?limit=100&offset=0&totalCount=true" ``` ``` -------------------------------- ### GET /api/v2/kmip_adapters/{adapter_id}/kmip_objects Source: https://cloud.ibm.com/apidocs/key-protect.json List KMIP objects of a KMIP Adapter. ```markdown ### Parameters - **Bluemix-Instance** (string, header, required): The IBM Cloud instance ID that identifies your Key Protect service instance. - **limit** (integer, query, optional): The number of kmip objects to retrieve. By default, `GET /kmip_adapters/{id}/kmip_objects` returns the first 100 kmip_objects. To retrieve a different set of kmip objects, use `limit` with `offset` to page through your available resources. The maximum value for `limit` is 5000. **Usage:** If you have 20 kmip objects associated with your KMIP adapter, and you want to retrieve only the first 5 kmip objects, use `../kmip_adapters/{id}/kmip_objects?limit=5`. - **offset** (integer, query, optional): The number of kmip objects to skip. By specifying `offset`, you retrieve a subset of kmip objects that starts with the `offset` value. Use `offset` with `limit` to page through your available resources. **Usage:** If you have 20 kmip objects associated with your KMIP adapter, and you want to retrieve kmip objects 11 through 15, use `../kmip_adapters/{id}/kmip_objects?offset=10&limit=5`. - **totalCount** (boolean, query, optional): If set to `true`, returns `totalCount` in the response metadata for use with pagination. The `totalCount` value returned specifies the total number of kmip objects that match the request, disregarding limit and offset. The default is set to false. **Usage:** To return the `totalCount` value for use with pagination, use `../kmip_adapters/{id}/kmip_objects?totalCount=true`. - **state** (array (KMIPObjectPropertyState), query, optional): List of states to filter the KMIP objects on. The `default` is set to `[1,2,3,4]`. States are integers and correspond to Pre-Active = 1, Active = 2, Deactivated = 3, Compromised = 4, Destroyed = 5, Destroyed Compromised = 6. **Usage:** To filter on multiples `state` values, use `../kmip_adapters/{id}/kmip_objects?state=2,3`. - **Correlation-Id** (string, header, optional): The v4 UUID used to correlate and track transactions. ### Responses #### 200 - List of KMIP objects associated with the KMIP Adapter. **ListKMIPObjectsWithTotalCount** #### 400 - The KMIP Objects could not be retrieved due to invalid request data. **ErrorCollectionWithReason** #### 401 - response **ErrorCollection** #### 404 - The KMIP Objects could not be retrieved because a resource could not be found. **ErrorCollectionWithReason** #### 429 - response **ErrorCollection** #### 500 - response **ErrorCollection** ### Example Usage ```bash curl -X GET "https://{region}.kms.cloud.ibm.com/api/v2/kmip_adapters/{adapter_id}/kmip_objects?limit=100&offset=0&totalCount=true&state=1,2,3,4" ``` ``` -------------------------------- ### GET /api/v2/keys/{id}/policies Source: https://cloud.ibm.com/apidocs/key-protect.json Retrieves a list of policies that are associated with a specified key. You can set policies for a key, such as an [automatic rotation policy](/docs/key-protect?topic=key-protect-set-rotation-policy) or a [dual authorization policy](/docs/key-protect?topic=key-protect-set-dual-auth-key-policy) to protect against the accidental deletion of keys. Use `GET /keys/{id}/policies` to browse the policies that exist for a specified key. ```markdown ### Parameters - **policy** (string (dualAuthDelete|rotation), query, optional): The type of policy that is associated with the specified key. ### Responses #### 200 - The policy resources were successfully retrieved. **GetKeyPoliciesOneOf** #### 400 - The request is missing a required field or contains invalid values. **ErrorCollection** #### 401 - response **ErrorCollection** #### 403 - response **ErrorCollection** #### 404 - response **ErrorCollection** #### 429 - response **ErrorCollection** #### 500 - response **ErrorCollection** ### Example Usage ```bash curl -X GET "https://{region}.kms.cloud.ibm.com/api/v2/keys/{id}/policies?policy=dualAuthDelete" ``` ``` -------------------------------- ### GET /api/v2/import_token Source: https://cloud.ibm.com/apidocs/key-protect.json Retrieves the import token that is associated with your service instance. When you call `GET /import_token`, Key Protect returns the public key that you can use to encrypt and import key material to the service, along with details about the key. **Note:** After you reach the `maxAllowedRetrievals` or `expirationDate` for the import token, the import token and its associated public key can no longer be used for key operations. To create a new import token, use `POST /import_token`. ```markdown ### Responses #### 200 - The import token was successfully retrieved. **GetImportToken** - **expiration** (number): The time in seconds from the creation of an import token that determines how long its associated public key remains valid. The minimum value is `300` seconds (5 minutes), and the maximum value is `86400` (24 hours). The default value is `600` (10 minutes). - **maxAllowedRetrievals** (number): The number of times that an import token can be retrieved within its expiration time before it is no longer accessible. - **creationDate** (string (date-time)): The date the import token was created. The date format follows RFC 3339. (example: "2000-03-21T00:00:00Z") - **expirationDate** (string (date-time)): The date the import token expires. The date format follows RFC 3339. (example: "2000-03-21T00:00:00Z") - **remainingRetrievals** (number): The number of retrievals that are available for the import token before it is no longer accessible. - **payload** (string (byte)): The public encryption key that you can use to encrypt key material before you import it into the service. This value is a PEM-encoded public key in PKIX format. Because PEM encoding is a binary format, the value is base64 encoded. - **nonce** (string (byte)): The nonce value that is used to verify a key import request. Encrypt and provide the encrypted nonce value when you use `POST /keys` to securely import a key to the service. #### 401 - response **ErrorCollection** #### 403 - response **ErrorCollection** #### 404 - There are two possible causes for HTTP 404 while trying to retrieve an import token, specifying a reason code (resouces[0].reasons[0].code) as follows: IMPORT_TOKEN_NOT_FOUND_ERR: An import token was not found in the specified service instance. To create an import token, use `POST /import_token`. INSTANCE_NOT_FOUND_ERR: Import token could not be retrieved, instance does not exist. **ErrorCollection** #### 409 - The import token has reached its `maxAllowedRetrievals` or `expirationDate`, and it is no longer available for use. To create a new import token, use `POST /import_token`. In very rare cases, the import token may expire before its expiration time. Ensure that your client application is configured with a retry mechanism for catching and responding to `409` conflict exceptions. **ErrorCollection** #### 429 - response **ErrorCollection** #### 500 - response **ErrorCollection** ### Example Usage ```bash curl -X GET "https://{region}.kms.cloud.ibm.com/api/v2/import_token" ``` ``` -------------------------------- ### POST /api/v2/import_token Source: https://cloud.ibm.com/apidocs/key-protect.json Creates an import token that you can use to encrypt and import root keys into the service. [Learn more](/docs/key-protect?topic=key-protect-importing-keys#using-import-tokens). When you call `POST /import_token`, Key Protect creates an RSA key-pair from its HSMs. The service encrypts and stores the private key in the HSM, and returns the corresponding public key when you call `GET /import_token`. You can create only one import token per service instance. ```markdown ### Request Body **Content-Type:** application/json - **expiration** (number): The time in seconds from the creation of an import token that determines how long its associated public key remains valid. The minimum value is `300` seconds (5 minutes), and the maximum value is `86400` (24 hours). The default value is `600` (10 minutes). - **maxAllowedRetrievals** (number): The number of times that an import token can be retrieved within its expiration time before it is no longer accessible. - **creationDate** (string (date-time)): The date the import token was created. The date format follows RFC 3339. (example: "2000-03-21T00:00:00Z") - **expirationDate** (string (date-time)): The date the import token expires. The date format follows RFC 3339. (example: "2000-03-21T00:00:00Z") - **remainingRetrievals** (number): The number of retrievals that are available for the import token before it is no longer accessible. ### Responses #### 200 - The import token was successfully created. **ImportToken** - **expiration** (number): The time in seconds from the creation of an import token that determines how long its associated public key remains valid. The minimum value is `300` seconds (5 minutes), and the maximum value is `86400` (24 hours). The default value is `600` (10 minutes). - **maxAllowedRetrievals** (number): The number of times that an import token can be retrieved within its expiration time before it is no longer accessible. - **creationDate** (string (date-time)): The date the import token was created. The date format follows RFC 3339. (example: "2000-03-21T00:00:00Z") - **expirationDate** (string (date-time)): The date the import token expires. The date format follows RFC 3339. (example: "2000-03-21T00:00:00Z") - **remainingRetrievals** (number): The number of retrievals that are available for the import token before it is no longer accessible. #### 400 - The import token cannot be created due to a malformed or invalid request. **ErrorCollection** #### 401 - response **ErrorCollection** #### 403 - response **ErrorCollection** #### 429 - response **ErrorCollection** #### 500 - response **ErrorCollection** ### Example Usage ```bash curl -X POST "https://{region}.kms.cloud.ibm.com/api/v2/import_token" \ -H "Content-Type: application/json" \ -d '{ "expiration": "600", "maxAllowedRetrievals": "1", "creationDate": "2000-03-21T00:00:00Z", "expirationDate": "2000-03-21T00:00:00Z", "remainingRetrievals": "1" }' ``` ``` -------------------------------- ### POST /api/v2/kmip_adapters Source: https://cloud.ibm.com/apidocs/key-protect.json Creates a KMIP adapter. ```markdown ### Parameters - **Bluemix-Instance** (string, header, required): The IBM Cloud instance ID that identifies your Key Protect service instance. - **Correlation-Id** (string, header, optional): The v4 UUID used to correlate and track transactions. - **allowExpiringKey** (boolean, query, optional): If set to 'true', allows an active root key containing an expiration date to be associated with the KMIP adapter. ### Request Body **Content-Type:** application/json - **metadata** (object) (required): The metadata that describes the resource array. (example: {"collectionType":"application/vnd.ibm.kms.kmip_adapter+json","collectionTotal":1}) - **collectionType** (string (application/vnd.ibm.kms.allowed_ip_metadata+json|application/vnd.ibm.kms.crn+json|application/vnd.ibm.kms.error+json|application/vnd.ibm.kms.event_acknowledge+json|application/vnd.ibm.kms.import_token+json|application/vnd.ibm.kms.key+json|application/vnd.ibm.kms.key_action+json|application/vnd.ibm.kms.alias+json|application/vnd.ibm.kms.key_ring+json|application/vnd.ibm.kms.policy+json|application/vnd.ibm.kms.registration_input+json|application/vnd.ibm.kms.registration+json|application/vnd.ibm.kms.resource_crn+json|application/vnd.ibm.kms.kmip_adapter+json|application/vnd.ibm.kms.kmip_client_certificate+json|application/vnd.ibm.kms.kmip_object+json)) (required): The type of resources in the resource array. ("application/vnd.ibm.kms.allowed_ip_metadata+json"|"application/vnd.ibm.kms.crn+json"|"application/vnd.ibm.kms.error+json"|"application/vnd.ibm.kms.event_acknowledge+json"|"application/vnd.ibm.kms.import_token+json"|"application/vnd.ibm.kms.key+json"|"application/vnd.ibm.kms.key_action+json"|"application/vnd.ibm.kms.alias+json"|"application/vnd.ibm.kms.key_ring+json"|"application/vnd.ibm.kms.policy+json"|"application/vnd.ibm.kms.registration_input+json"|"application/vnd.ibm.kms.registration+json"|"application/vnd.ibm.kms.resource_crn+json"|"application/vnd.ibm.kms.kmip_adapter+json"|"application/vnd.ibm.kms.kmip_client_certificate+json"|"application/vnd.ibm.kms.kmip_object+json") - **collectionTotal** (integer (int64)) (required): The number of elements in the resource array. (example: 1) - **resources** (array (CreateKMIPAdapterRequestBodyResources)) (required): A collection of resources. Array items: - **name** (string): A human-readable name of the KMIP adapter unique within the kms instance. If one is not specified, one will be autogenerated of the format `kmip_adapter_`. To protect your privacy do not use personal data, such as your name or location, as a name for your KMIP adapter. The name must be alphanumeric and cannot contain spaces or special characters other than `-` or `_`. The name cannot be a UUID. (example: "kmip-adapter-name") - **description** (string): The optional description of the KMIP adapter. The maximum length is 240 characters. To protect your privacy, do not use personal data, such as your name or location, as a description for your KMIP adapter. (example: "kmip adapter description") - **profile** (string (native_1.0)) (required): The profile of KMIP adapter to be created ("native_1.0") - **profile_data** (object): Properties that must be specified to profile_data when it is of native_1.0 KMIP adapter resource. (example: {"crk_id":"feddecaf-0000-0000-0000-1234567890ab"}) - **crk_id** (string) (required): An ID that identifies the Customer Root Key(CRK) to be used. This CRK must exist in the same kms instance as the adapter. (example: "feddecaf-0000-0000-0000-1234567890ab") ### Responses #### 201 - Returns the KMIP Adapter just created. **ListKMIPAdapters** - **metadata** (object): The metadata that describes the resource array. - **collectionType** (string (application/vnd.ibm.kms.allowed_ip_metadata+json|application/vnd.ibm.kms.crn+json|application/vnd.ibm.kms.error+json|application/vnd.ibm.kms.event_acknowledge+json|application/vnd.ibm.kms.import_token+json|application/vnd.ibm.kms.key+json|application/vnd.ibm.kms.key_action+json|application/vnd.ibm.kms.alias+json|application/vnd.ibm.kms.key_ring+json|application/vnd.ibm.kms.policy+json|application/vnd.ibm.kms.registration_input+json|application/vnd.ibm.kms.registration+json|application/vnd.ibm.kms.resource_crn+json|application/vnd.ibm.kms.kmip_adapter+json|application/vnd.ibm.kms.kmip_client_certificate+json|application/vnd.ibm.kms.kmip_object+json)) (required): The type of resources in the resource array. ("application/vnd.ibm.kms.allowed_ip_metadata+json"|"application/vnd.ibm.kms.crn+json"|"application/vnd.ibm.kms.error+json"|"application/vnd.ibm.kms.event_acknowledge+json"|"application/vnd.ibm.kms.import_token+json"|"application/vnd.ibm.kms.key+json"|"application/vnd.ibm.kms.key_action+json"|"application/vnd.ibm.kms.alias+json"|"application/vnd.ibm.kms.key_ring+json"|"application/vnd.ibm.kms.policy+json"|"application/vnd.ibm.kms.registration_input+json"|"application/vnd.ibm.kms.registration+json"|"application/vnd.ibm.kms.resource_crn+json"|"application/vnd.ibm.kms.kmip_adapter+json"|"application/vnd.ibm.kms.kmip_client_certificate+json"|"application/vnd.ibm.kms.kmip_object+json") - **collectionTotal** (integer (int64)) (required): The number of elements in the resource array. (example: 1) - **totalCount** (integer (int64)): The total number of elements that match the request, disregarding limit and offset. (example: 1) - **resources** (array (KMIPAdapter)): A collection of resources. #### 400 - The KMIP Adapter could not be created due to invalid request data. **ErrorCollectionWithReason** #### 401 - response **ErrorCollection** #### 409 - KMIP adapter could not be created due to a constraint. **ErrorCollectionWithReason** #### 429 - response **ErrorCollection** #### 500 - response **ErrorCollection** ### Example Usage ```bash curl -X POST "https://{region}.kms.cloud.ibm.com/api/v2/kmip_adapters?allowExpiringKey=true" \ -H "Content-Type: application/json" \ -d '{ "metadata": "value", "resources": [ "value" ] }' ``` ```