Secret Management Operations
Secrets are managed objects that can store user-defined data. This data can be one of:
- blob
- password
- seed
There are two types of objects used to store secrets:
- Secret Object: its data type is password or seed. The seed type is kept separate because it may be used for cryptographic operations in the future; the password type is a convenient way to store simple text strings.
- Opaque Object: its data type is blob. It can be used to store arbitrary data.
Note: CipherTrust Manager's Network Attached Encryption (NAE) protocol only supports Opaque Objects, for XML interface version 6.1 or higher.
Secrets support many of the same attributes that keys do: they can be made non-deletable, they carry metadata, and they support most of the same lifecycle states as keys.
The XML Interface enables you to:
- Import a secret object (see SecretObjectImportRequest)
- Export a secret object (see SecretObjectExportRequest)
- Retrieve information about a secret object (see SecretObjectInfoRequest)
- Modify a secret object (see SecretObjectModifyRequest)
- Delete a secret object (see SecretObjectDeleteRequest)
SecretObjectImportRequest
Import a secret object.
```xml
<SecretObjectImportRequest>
<ID>......</ID>
<ObjectName>......</ObjectName>
<ObjectData>......</ObjectData>
<ObjectDataType>......</ObjectDataType>
<ObjectUUID>.......</ObjectUUID> <!-- optional -->
<ObjectMUID>........</ObjectMUID> <!-- optional -->
<ExternalObjectID>.......</ExternalObjectID> <!-- optional -->
<Exportable/>
<Deletable/>
</SecretObjectImportRequest>
```
Element | Description |
---|---|
ID | Contains the user-specified request ID. |
ObjectName | Name of the secret object. |
ObjectData | Data to be imported as an opaque object. |
ObjectDataType | Data type of the object. NOTE: Currently, only opaque objects are supported. |
ObjectUUID | Used to set a UUID. It is an optional element. If not provided, a randomly generated value is used. |
ObjectMUID | Used to set a MUID. It is an optional element. |
ExternalObjectID | Used to set an ObjectID. It is an optional element. |
SecretObjectImportResponse
Server response to SecretObjectImportRequest.
```xml
<SecretObjectImportResponse>
<ID>......</ID>
<Success>.....</Success>
<Fingerprint>......</Fingerprint>
<ObjectName>......</ObjectName>
</SecretObjectImportResponse>
```
Element | Description |
---|---|
ID | Contains the user-specified request ID. |
ObjectName | Name of the secret object. |
Fingerprint | Contains the fingerprint of the secret object. |
Example
```xml
<SecretObjectImportRequest>
<ID>1</ID>
<ObjectName>Sample_Secret1</ObjectName>
<ObjectData>ABCDEF</ObjectData>
<ObjectDataType>opaque</ObjectDataType>
<ObjectUUID>jaiufhsfiuv</ObjectUUID>
<ObjectMUID>jaiufhsfiuvehyufjbkdhkv</ObjectMUID>
<ExternalObjectID>98765</ExternalObjectID>
<Exportable/>
<Deletable/>
</SecretObjectImportRequest>
```

```xml
<SecretObjectImportResponse>
<ID>1</ID>
<Success>true</Success>
<Fingerprint>970093678B182127</Fingerprint>
<ObjectName>Sample_Secret1</ObjectName>
</SecretObjectImportResponse>
```
SecretObjectExportRequest
Export a secret object.
```xml
<SecretObjectExportRequest>
<ID>......</ID>
<ObjectName>......</ObjectName>
</SecretObjectExportRequest>
```
Element | Description |
---|---|
ID | Contains the user-specified request ID. |
ObjectName | Name of the secret object. |
SecretObjectExportResponse
Server response to SecretObjectExportRequest.
```xml
<SecretObjectExportResponse>
<ID>......</ID>
<Success>true</Success>
<ObjectName>......</ObjectName>
<ObjectData>......</ObjectData>
<ObjectType>......</ObjectType>
<Fingerprint>......</Fingerprint>
</SecretObjectExportResponse>
```
Element | Description |
---|---|
ID | Contains the user-specified request ID. |
ObjectName | Name of the secret object. |
ObjectData | The data of the opaque object. |
ObjectType | Data type of the object. NOTE: Currently, only Opaque Objects are supported. |
Fingerprint | Contains the fingerprint of the secret object. |
Example
```xml
<SecretObjectExportRequest>
<ID>123</ID>
<ObjectName>MySecret1234</ObjectName>
</SecretObjectExportRequest>
```

```xml
<SecretObjectExportResponse>
<ID>123</ID>
<Success>true</Success>
<ObjectName>MySecret1234</ObjectName>
<ObjectData>ABCDEFG</ObjectData>
<ObjectType>Opaque Object</ObjectType>
<Fingerprint>93BE4612C41D23AF</Fingerprint>
<ObjectLength>7</ObjectLength>
</SecretObjectExportResponse>
```
SecretObjectInfoRequest
Return information about a secret object.
```xml
<SecretObjectInfoRequest>
<ID>......</ID>
<ObjectName>......</ObjectName>
<IDType>......</IDType> <!-- optional; supported for 6.4 or higher -->
<GetObjectIDs/> <!-- optional -->
</SecretObjectInfoRequest>
```
Element | Description |
---|---|
ID | Contains the user-specified request ID. |
ObjectName | Name of the secret object. |
IDType | Specifies how the identifier given in ObjectName is interpreted. Possible values: Name (default), UUID, MUID, ObjectId. |
GetObjectIDs | Displays all the identifiers of the object such as UUID, MUID, and ObjectID. This element is optional. |
SecretObjectInfoResponse
Server response to SecretObjectInfoRequest.
```xml
<SecretObjectInfoResponse>
<ID>......</ID>
<Success>......</Success>
<ObjectName>......</ObjectName>
<Fingerprint>......</Fingerprint>
<ObjectType>opaque</ObjectType>
<ObjectCreationDate>......</ObjectCreationDate>
<ObjectUpdatedAt>......</ObjectUpdatedAt>
<Exportable/>
<Deletable/>
<ObjectUUID>.......</ObjectUUID>
<ObjectMUID>........</ObjectMUID>
<ExternalObjectID>.......</ExternalObjectID>
</SecretObjectInfoResponse>
```
Element | Description |
---|---|
ID | Contains the user-specified request ID. |
ObjectName | Name of the secret object. |
Fingerprint | Contains the fingerprint of the secret object. |
ObjectType | Data type of the object. NOTE: Currently, only Opaque Objects are supported. |
ObjectCreationDate | Date and time when the object was created. |
ObjectUpdatedAt | Date and time when the object was most recently updated. |
ObjectUUID | Shows the UUID of the secret object. |
ObjectMUID | Shows the MUID of the secret object. |
ExternalObjectID | Shows the ExternalObjectID of the secret object. |
Example
```xml
<SecretObjectInfoRequest>
<ID>2</ID>
<ObjectName>Sample_Secret1</ObjectName>
<GetObjectIDs/>
</SecretObjectInfoRequest>
```

```xml
<SecretObjectInfoResponse>
<ID>2</ID>
<Success>true</Success>
<ObjectName>Sample_Secret1</ObjectName>
<Fingerprint>970093678B182127</Fingerprint>
<ObjectType>Opaque Object</ObjectType>
<ObjectCreationDate>2021-01-20 06:12:34.29376 +0000 UTC</ObjectCreationDate>
<ObjectUpdatedAt>2021-01-20 06:12:34.29376 +0000 UTC</ObjectUpdatedAt>
<Exportable/>
<Deletable/>
<IsOwner/>
<ObjectUUID>jaiufhsfiuv</ObjectUUID>
<ObjectMUID>jaiufhsfiuvehyufjbkdhkv</ObjectMUID>
<ExternalObjectID>98765</ExternalObjectID>
</SecretObjectInfoResponse>
```
Example: Requesting information about an object using its UUID
```xml
<SecretObjectInfoRequest>
<ID>02</ID>
<ObjectName>1ba3bbe9-152c-4584-bbae-6cc4afeb590e</ObjectName>
<IDType>UUID</IDType>
</SecretObjectInfoRequest>
```

```xml
<SecretObjectInfoResponse>
<ID>02</ID>
<Success>true</Success>
<ObjectName>Sample_Secret1</ObjectName>
<Fingerprint>970093678B182127</Fingerprint>
<ObjectType>Opaque Object</ObjectType>
<ObjectCreationDate>2021-02-10 07:29:26.588881 +0000 UTC</ObjectCreationDate>
<ObjectUpdatedAt>2021-02-10 07:29:26.588881 +0000 UTC</ObjectUpdatedAt>
<Exportable/>
<Deletable/>
<IsOwner/>
</SecretObjectInfoResponse>
```
SecretObjectModifyRequest
Modify a secret object.
```xml
<SecretObjectModifyRequest>
<ID>.....</ID>
<ObjectName>.....</ObjectName>
<Owner>.....</Owner>
<ObjectMUID>.....</ObjectMUID> <!-- optional -->
<ExternalObjectID>.....</ExternalObjectID> <!-- optional -->
<Exportable/>
<Deletable/>
<NonExportable/>
<NonDeletable/>
</SecretObjectModifyRequest>
```
Caution: The request above lists every element for reference only. The following tags must not be specified together in a single request, as doing so causes an error: `<Deletable/>` and `<NonDeletable/>`; `<Exportable/>` and `<NonExportable/>`.
Element | Description |
---|---|
ID | Contains the user-specified request ID. |
ObjectName | Name of the secret object. |
ObjectMUID | Used to set a MUID, if one is not already set. |
ExternalObjectID | Used to set an ObjectID, if one is not already set. The value is specified in the Long type format. |
Exportable | Used to make the secret object exportable. |
NonExportable | Used to make the secret object non-exportable. |
Deletable | Used to make the secret object deletable. |
NonDeletable | Used to make the secret object non-deletable. |
Owner | Used to modify the Owner for the Secret Object. The specified owner must already exist. |
SecretObjectModifyResponse
Server response to SecretObjectModifyRequest.
```xml
<SecretObjectModifyResponse>
<ID>.....</ID>
<Success>.....</Success>
</SecretObjectModifyResponse>
```
Element | Description |
---|---|
ID | Contains the user-specified request ID. |
ObjectName | Name of the secret object. |
Exportable | To make the secret object exportable. |
NonExportable | To make the secret object non-exportable. |
Deletable | To make the secret object deletable. |
NonDeletable | To make the secret object non-deletable. |
Owner | Specify an owner to modify the Owner for the Secret Object. The specified owner must already exist. |
Example 1
```xml
<SecretObjectModifyRequest>
<ID>3</ID>
<ObjectName>Sample_Secret2</ObjectName>
<ObjectMUID>zxcvbnmlkjhgfetryuicvbnmtryui</ObjectMUID>
<ExternalObjectID>1256789</ExternalObjectID>
</SecretObjectModifyRequest>
```

```xml
<SecretObjectModifyResponse>
<ID>3</ID>
<Success>true</Success>
</SecretObjectModifyResponse>
```
Example 2
```xml
<SecretObjectModifyRequest>
<ID>test1</ID>
<ObjectName>Secret</ObjectName>
<NonExportable/>
<NonDeletable/>
</SecretObjectModifyRequest>
```

```xml
<SecretObjectModifyResponse>
<ID>test1</ID>
<Success>true</Success>
</SecretObjectModifyResponse>
```
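The following is an added example and is not part of the CipherTrust documentation or product code: a small Python client-side helper covering the SecretObjectImportRequest above and the SecretObjectModifyRequest with its Caution. It builds both messages with ElementTree so that ObjectName and ObjectData are XML-escaped rather than concatenated into a template, refuses the Deletable/NonDeletable and Exportable/NonExportable combinations before anything is sent, and checks that a response echoes the request ID before trusting its Success flag. Function names are hypothetical, transport to the NAE server is out of scope, and the sample response used below is constructed from the page's own import example.

```python
import xml.etree.ElementTree as ET

# Flag pairs that the SecretObjectModifyRequest Caution says must not appear together.
EXCLUSIVE_FLAGS = (("Exportable", "NonExportable"), ("Deletable", "NonDeletable"))


def _optional(root, tag, value):
    """Emit <tag>value</tag> only when a value was supplied (the optional elements)."""
    if value is not None:
        ET.SubElement(root, tag).text = str(value)


def build_import_request(req_id, name, data, uuid=None, muid=None,
                         external_id=None, exportable=True, deletable=True):
    """SecretObjectImportRequest for an opaque object; ElementTree escapes <, > and &."""
    root = ET.Element("SecretObjectImportRequest")
    ET.SubElement(root, "ID").text = str(req_id)
    ET.SubElement(root, "ObjectName").text = name
    ET.SubElement(root, "ObjectData").text = data
    ET.SubElement(root, "ObjectDataType").text = "opaque"  # only type the page supports
    for tag, value in (("ObjectUUID", uuid), ("ObjectMUID", muid), ("ExternalObjectID", external_id)):
        _optional(root, tag, value)
    for tag, wanted in (("Exportable", exportable), ("Deletable", deletable)):
        if wanted:
            ET.SubElement(root, tag)  # empty element, serialised as <Exportable />
    return ET.tostring(root, encoding="unicode")


def build_modify_request(req_id, name, flags=(), owner=None, muid=None, external_id=None):
    """SecretObjectModifyRequest; rejects Deletable+NonDeletable and Exportable+NonExportable
    locally instead of letting the server return an error."""
    for a, b in EXCLUSIVE_FLAGS:
        if a in flags and b in flags:
            raise ValueError(f"<{a}/> and <{b}/> cannot be combined in one request")
    root = ET.Element("SecretObjectModifyRequest")
    ET.SubElement(root, "ID").text = str(req_id)
    ET.SubElement(root, "ObjectName").text = name
    _optional(root, "Owner", owner)
    _optional(root, "ObjectMUID", muid)
    _optional(root, "ExternalObjectID", None if external_id is None else int(external_id))  # Long
    for flag in flags:
        ET.SubElement(root, flag)
    return ET.tostring(root, encoding="unicode")


def parse_response(xml_text, expected_id):
    """Return (success, fields) after checking that the echoed ID matches our request."""
    root = ET.fromstring(xml_text)
    if root.findtext("ID") != str(expected_id):
        raise ValueError("response ID does not match the request ID")
    success = (root.findtext("Success") or "").strip().lower() == "true"
    return success, {child.tag: (child.text or "").strip() for child in root}
```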
SecretObjectDeleteRequest
Delete a secret object.
```xml
<SecretObjectDeleteRequest>
<ID>...</ID>
<ObjectName>....</ObjectName>
</SecretObjectDeleteRequest>
```
Element | Description |
---|---|
ID | Contains the user-specified request ID. |
ObjectName | Name of the secret object. |
SecretObjectDeleteResponse
Server response to SecretObjectDeleteRequest.
```xml
<SecretObjectDeleteResponse>
<ID>.....</ID>
<Success>.....</Success>
</SecretObjectDeleteResponse>
```
Example
```xml
<SecretObjectDeleteRequest>
<ID>Id</ID>
<ObjectName>Secret_Object_1</ObjectName>
</SecretObjectDeleteRequest>
```

```xml
<SecretObjectDeleteResponse>
<ID>Id</ID>
<Success>true</Success>
</SecretObjectDeleteResponse>
```