HTTP interfaces for security features

The security-related endpoints let you can configure audit logging, encryption at rest, and encryption in transit

Audit logging

You can get and set the log level for the audit-* log topics using the regular endpoints for the log levels. See Logs.

The audit logging feature can otherwise only be configured using startup options. See Audit logging.

Encryption in transit

Get the TLS data

get /_admin/server/tls

Return a summary of the TLS data. The JSON response will contain a field result with the following components:

  • keyfile: Information about the key file.
  • clientCA: Information about the Certificate Authority (CA) for client certificate verification.

If server name indication (SNI) is used and multiple key files are configured for different server names, then there is an additional attribute SNI, which contains for each configured server name the corresponding information about the key file for that server name.

In all cases the value of the attribute will be a JSON object, which has a subset of the following attributes (whatever is appropriate):

  • sha256: The value is a string with the SHA256 of the whole input file.
  • certificates: The value is a JSON array with the public certificates in the chain in the file.
  • privateKeySha256: In cases where there is a private key (keyfile but not clientCA), this field is present and contains a JSON string with the SHA256 of the private key.

This API requires authentication.

Responses
  • This API will return HTTP 200 if everything is ok

Reload the TLS data

post /_admin/server/tls

This API call triggers a reload of all the TLS data (server key, client-auth CA) and then returns a summary. The JSON response is exactly as in the corresponding GET request.

This is a protected API and can only be executed with superuser rights.

Responses
  • This API will return HTTP 200 if everything is ok

  • This API will return HTTP 403 Forbidden if it is not called with superuser rights.

Encryption at rest

Rotate the encryption at rest key

post /_admin/server/encryption

Change the user-supplied encryption at rest key by sending a request without payload to this endpoint. The file supplied via --rocksdb.encryption-keyfolder will be reloaded and the internal encryption key will be re-encrypted with the new user key.

This is a protected API and can only be executed with superuser rights. This API is not available on coordinator nodes.

Responses
  • This API will return HTTP 200 if everything is ok

      Response Body application/json
    • the HTTP status code - 200 in this case

    • boolean flag to indicate whether an error occurred (false in this case)

    • The result object.

      • An array of objects with the SHA-256 hashes of the key secrets. Can be empty.

  • This API will return HTTP 403 FORBIDDEN if it is not called with superuser rights.

  • This API will return HTTP 404 in case encryption key rotation is disabled.