System Operations

Invoke the block-tenant operation

Block a tenant from accessing strongbox. All existing tokens will be blocked and no new tokens may be generated while the tenant is blocked. The action can be invoked by the tenant itself, the parent tenant, and users with the system-admin capability.

Security: accessToken

Request body schema:
  tenant (required): string <name>, pattern ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

Responses:
  200 OK
  400 Bad Request
  401 Unauthorized
  403 Forbidden
  404 Not Found
  503 Service Unavailable (strongbox sealed)

POST /v1/state/strongbox/system/block-tenant

Request sample:
  tenant: acme

Response sample:
  blocked: true

Invoke the create-root-token operation

This operation should only be used in an emergency. Under normal operation, all root operations should be performed by authenticated users with root privileges. The system must be unsealed for this operation to work. The returned root token is for the system tenant.

Request body schema (one of):
  shares: array of strings. A critical number of shares must be provided.
  (The request sample below uses the sealkey alternative.)

Responses:
  200 OK
  400 Bad Request
  401 Unauthorized
  403 Forbidden
  404 Not Found
  503 Service Unavailable (strongbox sealed)

POST /v1/state/strongbox/system/create-root-token

Request sample:
  sealkey: 7SH4tPoasvo0WGLD2C53y1e7CLMAWq3vrGCzhxkJ4UM=

Response sample:
  accessor: 3be91214-176c-4b4d-bae7-4c432f342661
  token: 09715875-ac45-4ad7-bfad-00eea3949094
  creation-time: 2021-02-15T14:24:20.030665Z

Invoke the debug-key operation

Security: accessToken

Request body schema:
  site (required): string <name>, pattern ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$
  host (required): string

Responses:
  200 OK
  400 Bad Request
  401 Unauthorized
  403 Forbidden
  404 Not Found
  503 Service Unavailable (strongbox sealed)

POST /v1/state/strongbox/system/debug-key

Request sample:
  site: udc1
  host: udc1-001

Response sample:
  key: key:3AVyIHV76afZXnawzl8nJdLLvjbGpmY3ZoIkBhCpAyg=

Invoke the reveal-sealkey operation

Responses:
  200 OK
  400 Bad Request
  401 Unauthorized
  403 Forbidden
  404 Not Found
  503 Service Unavailable (strongbox sealed)

POST /v1/state/strongbox/system/reveal-sealkey

Response sample:
  sealkey: KRn2k/dM+ewe+MlBofqgOrWIelLBE1qYGmDCJO+hSf0=
  accessor: 7a3e8f3f-438c-4bb5-8b6c-5c839ebe9f93
  token: 2dc16f1a-fe3c-4dc3-a3cb-ec860511f6c8
  creation-time: 2022-01-12T08:15:34.586068Z
  shares:
    - 1:P3/tFzkKMjNTG8ektEuG4qSAzQesz4jlwYk27a8WyEw=
    - 2:QXOuRYedpzhSAq2ZZRz735ePC/3sIO+w1WLeH6gYh3s=
    - 3:VxW1wUnbbOcf4aN8cK3dB4aHvKiB/D3NDosq1uivBso=
    - 4:9G/jCfSaNpj5lfzQq3VK0PHakAVgFx2nFHd5uFrBqy8=
    - 5:4gn4jTrc/Ue0dvI1vsRsCODSJ1ANy8/az56NcRp2Kp4=

Invoke the rotate-seal operation

Security: accessToken

Responses:
  200 OK
  400 Bad Request
  401 Unauthorized
  403 Forbidden
  404 Not Found
  503 Service Unavailable (strongbox sealed)

POST /v1/state/strongbox/system/rotate-seal

Response sample:
  sealkey: 7SH4tPoasvo0WGLD2C53y1e7CLMAWq3vrGCzhxkJ4UM=
  shares:
    - 1:13OxL/1k10ATlnhzGNe+RvmvzT5a7udzcSQBD96ZXjk=
    - 2:IDlvkypaM5bXK3jARmmHGzlsjCnw6m6R9tX9VMCl5O8=
    - 3:GmsmCC0kVizw5WJwhpBOlpd4SaSqXiQNK5FP3Ac1W5U=
    - 4:tNvfyhhQnDZhUe4g9TprDTfTUdTwFHdiy+PzY4Mybns=
    - 5:jomWUR8u+YxGn/SQNcOigJnHlFmqoD3+FqdB60Si0QE=

Invoke the seal operation

Security: accessToken

Responses:
  204 No Content
  400 Bad Request
  401 Unauthorized
  403 Forbidden
  404 Not Found
  503 Service Unavailable (strongbox sealed)

POST /v1/state/strongbox/system/seal

Invoke the setup-tenant operation

Initializes a newly created tenant with a root token and an admin user.

Security: accessToken

Request body schema:
  name (required): string <name>, pattern ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$ (name of tenant to initialize)
  admin-username (required): string <username>
  admin-password (required): string
  admin-fullname: string

Responses:
  200 OK
  400 Bad Request
  401 Unauthorized
  403 Forbidden
  404 Not Found
  503 Service Unavailable (strongbox sealed)

POST /v1/state/strongbox/system/setup-tenant

Request sample:
  name: acme
  admin-username: admin@acme.com
  admin-password: verysecret
  admin-fullname: Administrator at Acme.com

Response sample:
  token: 09715875-ac45-4ad7-bfad-00eea3949094
  expires-in: 1209600
  expires: 2021-02-16T14:24:20.030665Z
  accessor: 3be91214-176c-4b4d-bae7-4c432f342661
  creation-time: 2021-02-15T14:24:20.030665Z
  renewal-time: 2021-02-15T14:24:20.030665Z

Invoke the unblock-tenant operation

Unblock a previously blocked tenant. Existing tokens will again become valid and new tokens may be generated through the various authentication mechanisms. The action can be invoked by the parent tenant, and by users with the system-admin capability.

Security: accessToken

Request body schema:
  tenant (required): string <name>, pattern ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

Responses:
  200 OK
  400 Bad Request
  401 Unauthorized
  403 Forbidden
  404 Not Found
  503 Service Unavailable (strongbox sealed)

POST /v1/state/strongbox/system/unblock-tenant

Request sample:
  tenant: acme

Response sample:
  blocked: false

Invoke the unseal operation

The system starts in a sealed state in which all secrets are encrypted. To use Strongbox it must be unsealed by some external entity.

Note that at most 3 unseal attempts may be performed per hour.

Request body schema (one of):
  shares: array of strings. The system is unsealed when enough Shamir shares have been provided.
  (The request sample below uses the sealkey alternative.)

Responses:
  204 No Content
  400 Bad Request
  401 Unauthorized
  403 Forbidden
  404 Not Found
  503 Service Unavailable (strongbox sealed)

POST /v1/state/strongbox/system/unseal

Request sample:
  sealkey: 7SH4tPoasvo0WGLD2C53y1e7CLMAWq3vrGCzhxkJ4UM=
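A client-side helper for the unseal call, added here as an example (it is not Strongbox's own code): it checks share strings in the `index:base64` form shown in the response samples, builds a request body with exactly one of `shares` or `sealkey`, and keeps a local count of the 3-per-hour attempt budget so malformed input never burns an attempt. The 32-byte key length, the `index:base64` share format and the default `threshold` of 3 are assumptions inferred from the samples, not values the page states.

```python
import base64
import time
from collections import deque

# Added example, not Strongbox's own code. Share format "index:base64" and the
# 32-byte length are assumed from the response samples; the threshold is a guess.
SHARE_BYTES = 32
MAX_ATTEMPTS, WINDOW_SECONDS = 3, 3600  # server limit: 3 unseal attempts per hour

def parse_share(share: str) -> tuple:
    """Split 'index:base64' into (index, raw bytes), rejecting malformed input."""
    idx_str, sep, payload = share.partition(":")
    if not sep or not idx_str.isdigit() or int(idx_str) < 1:
        raise ValueError(f"share lacks a positive numeric index: {share!r}")
    raw = base64.b64decode(payload, validate=True)  # reject non-alphabet characters
    if len(raw) != SHARE_BYTES:
        raise ValueError(f"share {idx_str} is {len(raw)} bytes, expected {SHARE_BYTES}")
    return int(idx_str), raw

def build_unseal_body(shares=None, sealkey=None, threshold=3) -> dict:
    """Return the JSON body for the unseal call: exactly one of shares / sealkey."""
    if (shares is None) == (sealkey is None):
        raise ValueError("provide either shares or sealkey, not both")
    if sealkey is not None:
        if len(base64.b64decode(sealkey, validate=True)) != SHARE_BYTES:
            raise ValueError("sealkey has an unexpected length")
        return {"sealkey": sealkey}
    indices = [parse_share(s)[0] for s in shares]
    if len(set(indices)) != len(indices):
        raise ValueError("duplicate share indices")
    if len(indices) < threshold:
        raise ValueError(f"{len(indices)} shares given, {threshold} needed")
    return {"shares": list(shares)}

class UnsealAttemptBudget:
    """Client-side mirror of the server's 3-attempts-per-hour unseal limit."""
    def __init__(self, now=time.monotonic):
        self._now, self._attempts = now, deque()

    def try_consume(self) -> bool:
        """True (and the attempt is recorded) if one may be made now, else False."""
        now = self._now()
        while self._attempts and now - self._attempts[0] >= WINDOW_SECONDS:
            self._attempts.popleft()
        if len(self._attempts) >= MAX_ATTEMPTS:
            return False
        self._attempts.append(now)
        return True
```

Call `build_unseal_body` first and only then `try_consume`, so an input error is caught before an attempt is spent; the returned dict is what goes in the POST body.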

Invoke the update-api-ca-site operation

Instruct the site to deploy a new site API CA certificate. This is useful when the site CA certificate has been manually rotated.

Security: accessToken

Request body schema:
  site (required): string <name>, pattern ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

Responses:
  204 No Content
  400 Bad Request
  401 Unauthorized
  403 Forbidden
  404 Not Found
  503 Service Unavailable (strongbox sealed)

POST /v1/state/strongbox/system/update-api-ca-site

Request sample:
  site: udc1

Invoke the update-api-cert-site operation

Security: accessToken

Request body schema:
  site (required): string <name>, pattern ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

Responses:
  204 No Content
  400 Bad Request
  401 Unauthorized
  403 Forbidden
  404 Not Found
  503 Service Unavailable (strongbox sealed)

POST /v1/state/strongbox/system/update-api-cert-site

Request sample:
  site: udc1

Invoke the update-dist-ca-site operation

Instruct the site to deploy a new site CA certificate. This is useful when the site CA certificate has been manually rotated.

Security: accessToken

Request body schema:
  site (required): string <name>, pattern ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

Responses:
  204 No Content
  400 Bad Request
  401 Unauthorized
  403 Forbidden
  404 Not Found
  503 Service Unavailable (strongbox sealed)

POST /v1/state/strongbox/system/update-dist-ca-site

Request sample:
  site: udc1

Invoke the update-dist-cert-site operation

Security: accessToken

Request body schema:
  site (required): string <name>, pattern ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

Responses:
  204 No Content
  400 Bad Request
  401 Unauthorized
  403 Forbidden
  404 Not Found
  503 Service Unavailable (strongbox sealed)

POST /v1/state/strongbox/system/update-dist-cert-site

Request sample:
  site: udc1

Invoke the get-remote-sealkey operation

This action extracts the sealkey for a site. The key can then be passed to the unseal-remote action to unseal a site that cannot be unsealed automatically, for example because of connectivity problems.

Security: accessToken

Path parameters:
  site-name (required): string <name>, pattern ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$ (name of site)

Responses:
  200 OK
  400 Bad Request
  401 Unauthorized
  403 Forbidden
  404 Not Found
  503 Service Unavailable (strongbox sealed)

POST /v1/state/system/sites/{site-name}/get-remote-sealkey

Response sample:
  sealkey: <value elided>

Invoke the quarantine-site operation

Quarantine an entire site from connecting to the system. This automatically rotates all sensitive keys used to encrypt distribution data for every tenant distributed to the site. The site can optionally be instructed to wipe its data. Note that wiping is only possible if the site is connected to the system. Also, once data has been wiped, restoring the site to full operation requires all applications to be re-deployed, since approle secrets are not restored.

Security: accessToken

Path parameters:
  site-name (required): string <name>, pattern ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$ (name of site)

Request body schema:
  wipe: boolean, default false. Instructs the site to remove all encrypted data in addition to entering the sealed state. Note that if the site is later unquarantined, locally issued approle secrets and tokens will have been lost.

Responses:
  204 No Content
  400 Bad Request
  401 Unauthorized
  403 Forbidden
  404 Not Found
  503 Service Unavailable (strongbox sealed)

POST /v1/state/system/sites/{site-name}/quarantine-site

Request sample:
  wipe: true

Invoke the quarantine-site-host operation

Quarantine a particular host at a site. This operation should be used if the host has been compromised. Undoing it requires re-installing the quarantined host.

Security: accessToken

Path parameters:
  site-name (required): string <name>, pattern ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$ (name of site)

Request body schema:
  host (required): string. Cluster host name of the host to block.

Responses:
  204 No Content
  400 Bad Request
  401 Unauthorized
  403 Forbidden
  404 Not Found
  503 Service Unavailable (strongbox sealed)

POST /v1/state/system/sites/{site-name}/quarantine-site-host

Request sample:
  host: udc1-001

Invoke the reallow-site-unwrap operation

If a site was not able to unwrap its site bundle during the initial setup procedure, it will not be able to initialize, because the 'strongbox unwrap' action can only be called once (for security reasons). This action allows the site to attempt one more unwrap. Only do so if you know why the site failed to unwrap and you want to allow it to retry.

Security: accessToken

Path parameters:
  site-name (required): string <name>, pattern ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$ (name of site)

Responses:
  204 No Content
  400 Bad Request
  401 Unauthorized
  403 Forbidden
  404 Not Found
  503 Service Unavailable (strongbox sealed)

POST /v1/state/system/sites/{site-name}/reallow-site-unwrap

Invoke the unquarantine-site operation

Unquarantine a previously quarantined site. This is useful if a site previously suspected of being compromised turns out not to have been compromised. The site will receive a new set of keys for the tenants residing on it. If the site was wiped, all applications that use approles must be restarted.

Security: accessToken

Path parameters:
  site-name (required): string <name>, pattern ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$ (name of site)

Responses:
  204 No Content
  400 Bad Request
  401 Unauthorized
  403 Forbidden
  404 Not Found
  503 Service Unavailable (strongbox sealed)

POST /v1/state/system/sites/{site-name}/unquarantine-site

Invoke the unquarantine-site-host operation

Unquarantine a particular host at a site. This operation should be used once the host has been determined not to be compromised.

Security: accessToken

Path parameters:
  site-name (required): string <name>, pattern ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$ (name of site)

Request body schema:
  host (required): string. Cluster host name of the host to unquarantine.

Responses:
  204 No Content
  400 Bad Request
  401 Unauthorized
  403 Forbidden
  404 Not Found
  503 Service Unavailable (strongbox sealed)

POST /v1/state/system/sites/{site-name}/unquarantine-site-host

Request sample:
  host: udc1-001