HTTP interfaces for security features
The security-related endpoints let you can configure audit logging, encryption at rest, and encryption in transit
You can get and set the log level for the
audit-* log topics using the regular
endpoints for the log levels. See
The audit logging feature can otherwise only be configured using startup options. See Audit logging.
Return a summary of the TLS data. The JSON response will contain a field
result with the following components:
keyfile: Information about the key file.
clientCA: Information about the Certificate Authority (CA) for client certificate verification.
If server name indication (SNI) is used and multiple key files are
configured for different server names, then there is an additional
SNI, which contains for each configured server name
the corresponding information about the key file for that server name.
In all cases the value of the attribute will be a JSON object, which has a subset of the following attributes (whatever is appropriate):
sha256: The value is a string with the SHA256 of the whole input file.
certificates: The value is a JSON array with the public certificates in the chain in the file.
privateKeySha256: In cases where there is a private key (
clientCA), this field is present and contains a JSON string with the SHA256 of the private key.
This API requires authentication.
This API call triggers a reload of all the TLS data (server key, client-auth CA) and then returns a summary. The JSON response is exactly as in the corresponding GET request.
This is a protected API and can only be executed with superuser rights.
Change the user-supplied encryption at rest key by sending a request without
payload to this endpoint. The file supplied via
will be reloaded and the internal encryption key will be re-encrypted with the
new user key.
This is a protected API and can only be executed with superuser rights. This API is not available on coordinator nodes.
The API returns HTTP 404 in case encryption key rotation is disabled.