HTTP interfaces for security features

The security-related endpoints let you can configure audit logging, encryption at rest, and encryption in transit

Audit logging

You can get and set the log level for the audit-* log topics using the regular endpoints for the log levels. See Monitoring.

The audit logging feature can otherwise only be configured using startup options. See Audit logging.

Encryption in transit

Return a summary of the TLS data

Return the TLS data of this server (server key, client-auth CA)

GET /_admin/server/tls

Return a summary of the TLS data. The JSON response will contain a field result with the following components:

  • keyfile: Information about the key file.
  • clientCA: Information about the CA for client certificate verification.

If server name indication (SNI) is used and multiple key files are configured for different server names, then there is an additional attribute SNI, which contains for each configured server name the corresponding information about the key file for that server name.

In all cases the value of the attribute will be a JSON object, which has a subset of the following attributes (whatever is appropriate):

  • sha256: The value is a string with the SHA256 of the whole input file.
  • certificates: The value is a JSON array with the public certificates in the chain in the file.
  • privateKeySha256: In cases where there is a private key (keyfile but not clientCA), this field is present and contains a JSON string with the SHA256 of the private key.

This API requires authentication.

Responses

HTTP 200: This API will return HTTP 200 if everything is ok

Trigger a reload of the TLS data and return a summary

Trigger a reload of the TLS data of this server (server key, client-auth CA) and return the new data as a summary.

POST /_admin/server/tls

This API call triggers a reload of all the TLS data and then returns a summary. The JSON response is exactly as in the corresponding GET request (see there).

This is a protected API and can only be executed with superuser rights.

Responses

HTTP 200: This API will return HTTP 200 if everything is ok

HTTP 403: This API will return HTTP 403 FORBIDDEN if it is not called with superuser rights.

Encryption at rest

Rotate the encryption at rest keystore

Rotate encryption at rest key

POST /_admin/server/encryption

Change the user supplied encryption at rest key by sending a request without payload to this endpoint. The file supplied via --rocksdb.encryption-keyfolder will be reloaded and the internal encryption key will be re-encrypted with the new user key.

This is a protected API and can only be executed with superuser rights. This API is not available on coordinator nodes.

The API returns HTTP 404 in case encryption key rotation is disabled.

Responses

HTTP 200: This API will return HTTP 200 if everything is ok

  • error (boolean): boolean flag to indicate whether an error occurred (false in this case)

  • code (integer): the HTTP status code - 200 in this case

  • result (object): The result object.

    • encryption-keys (array of objects): An array of objects with the SHA-256 hashes of the key secrets. Can be empty.

HTTP 403: This API will return HTTP 403 FORBIDDEN if it is not called with superuser rights.

HTTP 404: This API will return HTTP 404 in case encryption key rotation is disabled.