IBM Cloud Docs
Syncing keys in keystores with managed keys manually

Syncing keys in keystores with managed keys manually

If the key state in some keystores is different from the managed key state, you receive a Key out of sync warning message. You can sync the key state by using Unified Key Orchestrator with the UI, or programmatically with the Unified Key Orchestrator API.

An Out of sync flag is also displayed in the corresponding keystore card or the key list. There can be multiple reasons why the key is out of sync. For example, there is an issue in relinking the key in the keystore, the key is failed to be destroyed in some of the distributed keystores, or the key is modified in the target keystore outside of Unified Key Orchestrator. Take the following steps to munually sync the state of keys in keystores with the managed key.

Syncing keys with the UI

To sync the key in keystores with managed keys manually, you need to verify the key state first and then sync keys. Complete the following steps to sync a managed key:

Step 1: Verify key state

  1. Log in to the UI.
  2. Go to Menu > Resource list to view a list of your resources.
  3. Select your provisioned instance of Hyper Protect Crypto Services with Unified Key Orchestrator from your IBM Cloud resource list.
  4. Click Managed keys from the navigation to view all the available keys.
  5. Select the key that you want to verify the key state and click the Actions icon Actions icon to open a list of options for the key.
  6. Click Verify sync from the options menu.

Step 2: Sync key state

After you verify the key state, if an Out of sync flag is displayed next to the key state, you can sync the key state by performing the following steps:

  1. Select the key that you want to sync and click the Actions icon Actions icon to open a list of options for the key.
  2. Click Sync key from the options menu. Alternatively, you can sync keys by selecting Show details on the Actions Actions icon menu and clicking Sync key in the key details page.
  3. Confirm the keystores where you want to sync the key and click Sync key.

Syncing with the API

To sync a managed key through the API, follow these steps:

  1. Retrieve your service and authentication credentials to work with keys in the service.

  2. Sync a managed key by making a POST call based on the following example:

    curl --location --request POST 'https://<instance_ID>.uko.<region>.hs-crypto.appdomain.cloud/api/v4/managed_keys/<id>/sync_status_in_keystores' 
    --header 'Authorization: Bearer <IAM_token>' \
    --header 'Accept: application/json' \
    --header 'If-Match: <ETag>'
    

    Replace the variables in the example request according to the following table.

    Table 1. Variables needed to sync a managed key
    Variable Description
    region Required. The prefix that represents the geographic area where your service instance resides. For more information, see Regions and locations.
    port Required. The port number of the API endpoint.
    id Required. The unique identifier for the managed key that you want to sync.
    IAM_token Required. Your IBM Cloud IAM access token that you retrieve in step 1. Include the full contents of the IAM token, including the Bearer value.
    ETag Required. The precondition of the update, which is the value of ETag from the header on a GET request.

    For detailed instructions and code examples about using the API method, check out the Hyper Protect Crypto Services Unified Key Orchestrator API reference doc.

What's next