Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

back

DPoD APIs

Using the APIs

search

Using the APIs

Using the APIs

This guide provides an introduction to using the Thales Data Protection on Demand APIs. It provides guidelines for authenticating and example commands for common DPoD API requests. DPoD provides multiple APIs, refer to the appropriate DPoD API for more information about available endpoints, parameters and requests.

Authorization

All DPoD API requests require an Oauth2 JSON Web Token (JWT) for authorization. DPoD Credentials are used to Generate a JWT. The JWT is required for authenticating requests over the API.

Credentials

Platform or service credentials are a clientId and clientSecret generated through the DPoD user interface. Endpoint availability is limited to the scope of your credentials.

Platform credentials are generated through the DPoD user interface. Platform credentials allow:

Generating Platform Credentials

Generate a set of platform credentials for authenticating to the DPoD API.

Select the Credentials tab and click on Create Platform Credentials. The Generate Platform Credentials window displays.

On the Review Permissions page, verify the entitlements for the credentials you are about to create, and enter a name in the Credentials Name field. Click Next.

On the Summary page, click the Copy to Clipboard icon and paste the Client Secret in a .txt file. Click Close.

Copy and save your Client Secret in a secure location. DPoD does not maintain a record or copy of the Client Secret. Treat your copy of the Client Secret with all the precautions you would normally take to protect a password. You can reset the platform credentials client secret in the Credentials Table.

Resetting/Deleting Platform Credentials

Reset the platform credentials client secret or delete the platform credentials set through the Credentials Table.

Select the Credentials tab and scroll down to the Credentials Table. In the Credentials Table, identify the platform credential you would like to manage and open the drop-down menu in the Actions column. From this menu you can:

  • Reset Secret: Resets the Client Secret and provides the user with a new Client Secret.
  • Delete: Deletes the credentials from DPoD, the credentials are no longer usable.

Copy and save your Client Secret in a secure location. DPoD does not maintain a record or copy of the Client Secret. Treat your copy of the Client Secret with all the precautions you would normally take to protect a password.

Service credentials are generated through the DPoD user interface. Service credentials allow Tenant Administrators, and Application Owners to access and consume services using the DPoD API.

Generating Service Credentials

For more information about the requests and endpoints listed here, please refer to the relevant use case based API documentation.

Generate a set of platform credentials for authenticating to the DPoD API.

Select the Services tab and click on View Services (My Services for application owners). Identify the service that you would like to generate service credentials for and click on the services name in the Name column. Click the Credentials tab in the sub-menu.

Click on Create Service Credentials. The Generate Service Credentials window displays.

On the Review Permissions page, verify the entitlements for the credentials you are about to create, and enter a name in the Credentials Name field. Click Next.

On the Summary page, click the Copy to Clipboard icon and paste the Client Secret in a .txt file. Close the wizard.

Copy and save your Client Secret in a secure location. DPoD does not maintain a record or copy of the Client Secret. Treat your copy of the Client Secret with all the precautions you would normally take to protect a password.

Deleting Service Credentials

Select the Services tab and click on View Services (My Services for application owners). Click the Credentials sub-menu. In the Credentials Table, identify the service credential you would like to remove and click the Trash can icon in the Actions column.

Generate a JWT

To generate a JWT you authenticate to your tenant log in URL Oauth2 endpoint using the Credentials clientId and clientSecret. This endpoint implements an OAuth2 client credentials grant, returning a JWT in the response body. The JWT takes the format "access_token":"<bearer_access_token>". Insert the <bearer_access_token> value into the "Authorization: Bearer <bearer_access_token>" header when making requests to the API endpoint. The JWT expires after 1 hour. If the JWT expires, you need to generate a new JWT to continue executing commands over the API.

To determine your authentication domain, access your DPoD tenant log in screen and copy the URL. Remove /login and append /oauth/token.

Region Authentication Domain
https://<tenant>.na.market.dpondemand.io/ https://<tenant>.uaa.system.snakefly.dpsas.io/oauth/token
https://<tenant>.eu.market.dpondemand.io/ https://<tenant>.uaa.system.pegasus.dpsas.io/oauth/token
URL Endpoint /oauth/token
Method POST
Content-Type application/x-www-form-urlencoded
Body grant_type=client_credentials
client_id=<insert_clientId>
client_secret=<client_secret>

Examples


curl -X POST https://<tenant>.uaa.system.snakefly.dpsas.io/oauth/token \
    -H "Content-Type: application/x-www-form-urlencoded"
    -d "grant_type=client_credentials&client_id=<insert_clientId>&client_secret=<insert_client_secret>"


curl -X POST https://<tenant>.uaa.system.pegasus.dpsas.io/oauth/token \
    -H "Content-Type: application/x-www-form-urlencoded"
    -d "grant_type=client_credentials&client_id=<insert_clientId>&client_secret=<insert_client_secret>"


curl -X POST https://<tenant>.uaa.system.snakefly.dpsas.io/oauth/token -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=client_credentials&client_id=<insert_clientId>&client_secret=<insert_client_secret>"


curl -X POST https://<tenant>.uaa.system.pegasus.dpsas.io/oauth/token -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=client_credentials&client_id=<insert_clientId>&client_secret=<insert_client_secret>"

The contents of the output "access_token":"<bearer_access_token>" is your JWT. Insert the <bearer_access_token> value into the "Authorization: Bearer <bearer_access_token>" header to authenticate requests to the API endpoint.

Example requests

API requests are made to the tenant URL/hostname endpoint. Use the "<bearer_access_token>" value, the output of Generating a JWT, in the "Authorization: Bearer <bearer_access_token>" header to authenticate requests to the API endpoint.

List tile IDs

Query the tile list and return the available tiles for the tenant. The command returns the list of available tiles in the tenant. If there is a service you would like to use that is unavailable from the list of available tiles, contact your tenant administrator and request they enable the tile.

URL Endpoint /v1/tiles
Method GET
Authorization Authorization: Bearer <bearer_access_token>
See Authorization for more information.

Sample


curl -X GET https://<tenant>.<region>.market.dpondemand.io/v1/tiles \
-H "Authorization: Bearer <bearer_access_token>"


curl -X GET https://<tenant>.<region>.market.dpondemand.io/v1/tiles -H "Authorization: Bearer <bearer_access_token>"

Output


{
    "number":0,
    "size":17,
    "totalElements":17,
    "totalPages":1,
    "content":[
        {
            "id":"<tileId>",
            "name":"<:tile_name>",
            "description":"<tile_description>",
            "shortCode":"<tile_shortcode>",
            "enabled": true,
            "serviceBrokerUrl": "serviceBrokerUrl",
            "helpURL": "Link to help and documentation",
            "categoryName": "Service Category",
            "imageUrl":
        }
    ]
}

Create service

Post a service request to deploy a service using the DPoD api. Use the <tileId> output from List Tile IDs, to specify the type of service to be deployed. Alternatively, you can use the serviceType field to identify the tile by its shortcode.

URL Endpoint /v1/service_instances
Method POST
Authorization Authorization: Bearer <bearer_access_token>
See Authorization for more information.
Content_Type application/json
Body You must provide the createParams, a name, the servicePlan, and a tileId or serviceType. tileId takes precedence over serviceType if both are provided.
{
"createParams": {deviceType: "cryptovisor_fips"},
"name": "CyberArk Service",
"servicePlan": "single_hsm",
"tileId":"2d942df2-d189-45ae-a929-ef068b456af9",
"serviceType": "cyberark_digital_vault"
}

Certain service types require additional parameters be provided in the request body. Refer to the DPoD APIs for additional details.

Sample


curl -X POST https://<tenant>.<region>.market.dpondemand.io/v1/service_instances \
-H "Authorization: Bearer <bearer_access_token>" \
-H "Content-Type: application/json" \
-d '{
    "createParams": {deviceType: "cryptovisor_fips"}
    "name": "<provide_name_for_service>",
    "servicePlan": "single_hsm",
    "tileId": "<tileId>"
}'


curl -X POST https://<tenant>.<region>.market.dpondemand.io/v1/service_instances -H "Authorization: Bearer < bearer_access_token>" -H "Content-Type: application/json" -d '{"createParams": {deviceType: "cryptovisor_fips"}, "name": "<provide_name_for_service>", "servicePlan": "single_hsm", "tileId": "<tileId>"}'

List provisioned services

Query the /v1/service_instances endpoint and return the quantity of existing services, the service id, the service name, and the service type.

You can query a specific service for its details. Maintain the same structure of the List provisioned services request, but add the <serviceId> to the URL endpoint: /v1/service_instances/<serviceId>.

URL Endpoint /v1/service_instances
Method GET
Authorization Authorization: Bearer <bearer_access_token>
See Authorization for more information.

Sample


curl -X GET https://<tenant>.<region>.market.dpondemand.io/v1/service_instances \
-H "Authorization: Bearer <bearer_access_token>"


curl -X GET https://<tenant>.<region>.market.dpondemand.io/v1/service_instances -H "Authorization: Bearer <bearer_access_token>"

Generate service client

Generate a set of client bindings to an existing Luna Cloud HSM Service. The command returns a set of credentials which can be used to access the service. The returned AuthTokenClientID and AuthTokenClientSecret can be used by an application owner to access the service.

Generating a Luna Cloud HSM Service Client requires access to the relevant <service_id_string> that you would like to generate the Luna Cloud HSM Service Client for. See List provisioned services for more information about acquiring the <service_id_string>.

URL Endpoint /v1/service_instances/{service_id}/bindings
Method PUT
Authorization Authorization: Bearer <bearer_access_token>
See Authorization for more information.
Content-Type application/json
Body Provide a name for the Luna Cloud HSM Service Client in the request body.
{"name":"<service_client_name>"}

Sample


curl -X PUT  https://<tenant>.<region>.market.dpondemand.io/v1/service_instances/<serviceId>/bindings \
-H "Authorization: Bearer <bearer_access_token>" \
-H "Content-Type: application/json" \
-d '{
"name":"<service_client_name>"
}' \


curl -X PUT  https://<tenant>.<region>.market.dpondemand.io/v1/service_instances/<serviceId>/bindings -H "Authorization: Bearer < bearer_access_token>" -H "Content-Type: application/json" -d '{"name":"<service_client_name>"}'

Delete service

Delete a service from DPoD. Include the <serviceId> in the path when executing operations on a specific service. See List provisioned services for more information about acquiring the <serviceId>.

URL Endpoint /v1/service_instances/{service_id}
Method PUT
Authorization Authorization: Bearer <bearer_access_token>
See Authorization for more information.

Sample


curl -X DELETE https://<tenant>.<region>.market.dpondemand.io/v1/service_instances/<serviceId> \
-H "Authorization: Bearer <bearer_access_token>"


curl -X DELETE https://<tenant>.<region>.market.dpondemand.io/v1/service_instances/<serviceId> -H "Authorization: Bearer <bearer_access_token>"

Generate Audit Log File

Generate an audit log file for Luna Cloud HSM Services. The command returns a jobId which can be used to retrieve the generated audit log file as described in Retrieve Audit Log File.

The limit for an individual audit log query is 1GB. If the query results in an audit log file which exceeds 1GB the request will fail and you will have to refine the query.

URL Endpoint /v1/audit-log-exports
Method POST
Authorization Authorization: Bearer <bearer_access_token>
See Authorization for more information.
Content-Type application/json
Body You must provide a from value and a to value. The timestamp must be RFC3339 compliant, and you can query a period of up to 31 days.
{
"from":"<audit_period_start_time>",
"to":"<audit_period_end_time>"
}
You can filter the results by including any of the following:
{
"source":"<origin>",
"resourceId":"<resourceID>",
"actorId":"<actorID>",
"action":"<action>",
"status":"<status>"
}
See Common Values and Use Case Specific Values for more information about available values to filter by.

Sample


curl -X POST https://<tenant>.<region>.market.dpondemand.io/v1/audit-log-exports \
-H "Authorization: Bearer <bearer_access_token>" \
-H "Content-Type: application/json" \
-d '{
    "from":"2022-03-14T00:00:00Z",
    "to":"2022-03-14T16:00:00Z"
}'


curl -X POST https://<tenant>.<region>.market.dpondemand.io/v1/audit-log-exports -H "Authorization: Bearer <bearer_access_token>" -H "Content-Type: application/json" -d '{"from":"2022-03-14T00:00:00Z",     "to":"2022-03-14T16:00:00Z"}'

Output


{
    "jobId": "<jobId>",
    "startedAt": "<jobStartTime>",
    "endedAt": "<jobEndTime,
    "state": "ACTIVE",
    "location": null
}

Retrieve Audit Log File

Retrieve the audit log file from a Generate Audit Log File request. Include the jobId, returned by the Generate Audit Log File request, in the path when retrieving an audit log file.

The request returns a signed URL that you can access to download the audit log file. The signed URL expires after 24 hours. The audit log file is a .ZIP file that contains a JSON list of audit logs. See Audit Logs for more information about the the audit log values and format.

URL Endpoint /v1/audit-log-exports/<jobId>
Method GET
Authorization Authorization: Bearer <bearer_access_token>
See Authorization for more information.

Sample


curl -X GET https://<tenant>.<region>.market.dpondemand.io/v1/audit-log-exports/<jobId> \
-H "Authorization: Bearer <bearer_access_token>" \


curl -X GET https://<tenant>.<region>.market.dpondemand.io/v1/audit-log-exports/<jobId> -H "Authorization: Bearer <bearer_access_token>" 

Output


{
    "jobId": "<jobId>",
    "startedAt": "<jobStartTime>",
    "endedAt": "<jobEndTime>",
    "state": "SUCCEEDED",
    "location": "<signedUrl>"
}