5 Security Object Commands

Endpoints can make use of the security object commands to operate on the managed objects.

5.1 okv managed-object attribute add Command

The okv managed-object attribute add command adds one or more attributes to a security object.

To find the existing attributes for the security object, run the okv managed-object attribute list command. If you want to create a custom attribute, then use the okv managed-object custom-attribute add command.

Required Authorization

The endpoint must have read-modify permission on the object.

Syntax

okv managed-object attribute add [--activation-date <activation date>] [--contact-info <contact information>] [--deactivation-date <deactivation date>] [--name <name>] [--process-start-date <process start date>] [--protect-stop-date <protect stop date>] --uuid <uuid>

You may use the JSON syntax for this command to specify the attributes with the --uuid parameter specified at the command line. This is useful for cases where you want to apply the same attribute values to multiple objects. You can re-use the same JSON file and specify different UUIDs at the command line.

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "attribute",
    "action" : "add",
    "options" : {
      "uuid" : "#VALUE",
      "attributes" : {
        "name" : {
          "value" : "#VALUE",
          "type" : "#text|uri"
        },
        "contactInfo" : "#VALUE",
        "activationDate" : "#NOW|YYYY-MM-DD HH:mm:ss",
        "deactivationDate" : "#NOW|YYYY-MM-DD HH:mm:ss",
        "protectStopDate" : "#NOW|YYYY-MM-DD HH:mm:ss",
        "processStartDate" : "#NOW|YYYY-MM-DD HH:mm:ss"
      }
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--uuid / uuid

Required

Universally unique ID (UUID) of the security object.

To find the unique identifier for the object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column.

See okv managed-object object locate Command.

--activation-date / activationDate

Optional

Specifies when to activate a security object. It has the following format:
"activationDate" : "now" --starts immediately
"activationDate" : "now+PT10M" --starts 10 minutes from now
"activationDate" : "2021-12-20 10:30:00" --starts at this date and time
"activationDate" : "2021-12-20 10:30:00+PT10M" --starts 10 minutes after this date and time
If you omit this parameter, then the activation date is retrieved from the certificate file that is being uploaded.
If activationDate meets the date criteria, the date is overwritten with the provided date:
    notBefore < deactivationDate <= notAfter
    activationDate < deactivationDate
If activation-date does not meet the criteria, an error message displays.

--contact-info / contactInfo

Optional

The attribute is used for descriptive purposes only.

--deactivation-date / deactivationDate

Optional

Specifies when to deactivate a security object. It has the same format as activation-date. If you omit this parameter, then the deactivation date is retrieved from the certificate file that is being uploaded.
If deactivationDate meets the date criteria, the date is overwritten with the provided date:
 notBefore <= activationDate < notAfter
 activationDate < deactivationDate
If deactivation-date does not meet the criteria, an error message displays.

--name / name

Optional

Specifies the name of a security object. The name attribute consists of the following fields:

  • value
  • type

The default type is text.

  • Complex data format, name attribute at the command line:
            --name '{"value" : "KEY1", "type" : "uri"}' or
            --name '{"value" : "KEY1", "type" : "text"}'
  • Simplified data format, name attribute at the command line, where type defaults to "text":
            --name KEY1

--process-start-date / processStartDate

Optional

Specifies the date and time when a valid security object begins to process cryptographically protected information.

--protect-stop-date / protectStopDate

Optional

Specifies the date and time, after which a valid security object cannot be used for applying cryptographic protection.

/ attributes

Required

A JSON object with the list of attributes. You must use the JSON syntax to add an attribute. You cannot specify attributes at the command line. To find the existing attributes for the managed object, run the okv managed-object attribute list command.

Attributes that you can enter are as follows:

  • name includes the following:
    • value is the name value.
    • type is either text or uri. The default type is text when the name attribute is used at the command line.
  • contactInfo: Contact information for the object, for example, an e-mail address.
  • The following date and time attributes:
    • activationDate: The date and time from which the Managed Object may be used.
    • deactivationDate: The date and time after which the Managed Object should not be used for any purpose, except for decryption.
    • protectStopDate: The date and time after which a valid Managed Object should not be used for applying cryptographic protection, for example, encryption or wrapping.
    • processStartDate: The date and time from which a valid Managed Object may be used to process cryptographically protected information, for example, decryption or unwrapping.

You can use different ways to set the date and time. Examples are as follows:

"activationDate" : "now" --starts immediately
"activationDate" : "now+PT10M" --starts 10 minutes from now
"activationDate" : "2021-12-20 10:30:00" --starts at this date and time
"activationDate" : "2021-12-20 10:30:00+PT10M" --starts 10 minutes after this date and time

To display the time in UTC format, use the Linux date command. For example:

$ date --utc "+%F %T"
2021-03-15 20:31:37

See Key Management Interoperability Protocol Specification Version 1.1 for more details about these attributes.
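The date expressions and the activation/deactivation ordering rule described above, worked through as an added example (not Oracle's code and not part of the okv utility): it resolves the four date forms to absolute UTC timestamps and assembles the attribute add request in the template shown. Assumed: the +PT suffix is an ISO 8601 duration of hours, minutes and seconds, and the processStartDate/protectStopDate ordering check is this example's own addition.

```python
"""Resolve okv date expressions and assemble an 'attribute add' request.

Added example; it is not part of Oracle Key Vault or the okv utility. It fills
the JSON template shown above. Assumed: the "+PT10M" suffix is an ISO 8601
duration limited to hours, minutes and seconds, and "now" is taken in UTC, the
zone the page's `date --utc` example uses.
"""
import json
import re
from datetime import datetime, timedelta, timezone

DATE_FMT = "%Y-%m-%d %H:%M:%S"   # the YYYY-MM-DD HH:mm:ss form from the template
DATE_ATTRS = ("activationDate", "deactivationDate",
              "processStartDate", "protectStopDate")

# "now" or an absolute timestamp, optionally followed by "+PT<h>H<m>M<s>S"
_EXPR = re.compile(
    r"^(?P<base>now|\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
    r"(?:\+PT(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)


def resolve_date(expr, now=None):
    """Turn 'now', 'now+PT10M', '2021-12-20 10:30:00' or
    '2021-12-20 10:30:00+PT10M' into an absolute UTC datetime."""
    m = _EXPR.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported date expression: {expr!r}")
    if m.group("base") == "now":
        base = now or datetime.now(timezone.utc)
    else:
        base = datetime.strptime(m.group("base"), DATE_FMT).replace(tzinfo=timezone.utc)
    offset = timedelta(hours=int(m.group("h") or 0),
                       minutes=int(m.group("m") or 0),
                       seconds=int(m.group("s") or 0))
    return base + offset


def format_date(dt):
    """Render a datetime the way okv expects it in the JSON input file."""
    return dt.strftime(DATE_FMT)


def build_add_request(uuid, name=None, name_type="text", contact_info=None,
                      now=None, **dates):
    """Return the body for 'okv managed-object attribute add --from-json'.

    Date attributes are passed under their template names, for example
    deactivationDate="2024-12-31 09:00:00" or activationDate="now+PT10M".
    """
    attrs = {}
    if name is not None:
        if name_type not in ("text", "uri"):      # the only types the template allows
            raise ValueError("name type must be 'text' or 'uri'")
        attrs["name"] = {"value": name, "type": name_type}
    if contact_info is not None:
        attrs["contactInfo"] = contact_info
    unknown = set(dates) - set(DATE_ATTRS)
    if unknown:
        raise ValueError(f"not a date attribute of this command: {sorted(unknown)}")
    resolved = {key: resolve_date(value, now) for key, value in dates.items()}
    # Ordering rule from the parameter descriptions: activation precedes deactivation.
    if ({"activationDate", "deactivationDate"} <= set(resolved)
            and not resolved["activationDate"] < resolved["deactivationDate"]):
        raise ValueError("activationDate must be earlier than deactivationDate")
    # Assumption of this example (not stated on the page): processing starts
    # before protection stops.
    if ({"processStartDate", "protectStopDate"} <= set(resolved)
            and not resolved["processStartDate"] < resolved["protectStopDate"]):
        raise ValueError("processStartDate must be earlier than protectStopDate")
    if not attrs and not resolved:
        raise ValueError("at least one attribute is required")
    attrs.update({key: format_date(value) for key, value in resolved.items()})
    return {"service": {"category": "managed-object", "resource": "attribute",
                        "action": "add",
                        "options": {"uuid": uuid, "attributes": attrs}}}


if __name__ == "__main__":
    # Values taken from the page's own example. Save the output as
    # add_attribute.json and pass it with --from-json.
    request = build_add_request("2359E04F-DA61-4F7C-BF9F-913D3369A93A",
                                name="PROD-HRDB-MKEY",
                                contact_info="psmith@example.com",
                                deactivationDate="2024-12-31 09:00:00",
                                protectStopDate="2024-09-30 09:00:00")
    print(json.dumps(request, indent=2))
```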

JSON Example

  1. Generate JSON input for the okv managed-object attribute add command.
    okv managed-object attribute add --generate-json-input

    The generated input appears as follows:

    {
      "service" : {
        "category" : "managed-object",
        "resource" : "attribute",
        "action" : "add",
        "options" : {
          "uuid" : "#VALUE",
          "attributes" : {
            "name" : {
              "value" : "#VALUE",
              "type" : "#text|uri"
            },
            "contactInfo" : "#VALUE",
            "activationDate" : "#NOW|YYYY-MM-DD HH:mm:ss",
            "deactivationDate" : "#NOW|YYYY-MM-DD HH:mm:ss",
            "protectStopDate" : "#NOW|YYYY-MM-DD HH:mm:ss",
            "processStartDate" : "#NOW|YYYY-MM-DD HH:mm:ss"
          }
        }
      }
    }
  2. Save the generated input to a file (for example, add_attribute.json) and then edit it to include the attributes for the security object. For example:
    {
      "service" : {
        "category" : "managed-object",
        "resource" : "attribute",
        "action" : "add",
        "options" : {
          "uuid" : "2359E04F-DA61-4F7C-BF9F-913D3369A93A",
          "attributes" : {
            "contactInfo" : "psmith@example.com",
            "deactivationDate" : "2024-12-31 09:00:00",
            "name" : {
              "value" : "PROD-HRDB-MKEY",
              "type" : "text"
            },
            "protectStopDate" : "2024-09-30 09:00:00"
          }
        }
      }
    }
  3. Run the okv managed-object attribute add command using the generated JSON file.
    okv managed-object attribute add --from-json add_attribute.json

    Output similar to the following appears:

    {
      "result" : "Success",
      "value" : {
        "attributes" : {
          "contactInfo" : "Added",
          "deactivationDate" : "Added",
          "name" : "Added",
          "protectStopDate" : "Added"
        }
      }
    }

5.2 okv managed-object attribute delete Command

The okv managed-object attribute delete command deletes one or more attributes associated with a security object.

Required Authorization

The endpoint must have read-modify permission on the object.

Syntax

okv managed-object attribute delete [--activation-date] [--contact-info] [--deactivation-date]
             [--name name] [--process-start-date] [--protect-stop-date] --uuid uuid

You may use the JSON syntax for this command to specify the attributes with the --uuid parameter specified at the command line. This is useful for cases where you want to apply the same attribute values to multiple objects. You can re-use the same JSON file and specify different UUIDs at the command line.

JSON Input File Template

{
  "service": {
    "category": "managed-object",
    "resource": "attribute",
    "action": "delete",
    "options": {
      "uuid": "#VALUE",
      "attributes": {
        "name": {
          "value": "#VALUE"
        },
        "contactInfo": "#VALUE",
        "activationDate": "#VALUE",
        "deactivationDate": "#VALUE",
        "protectStopDate": "#VALUE",
        "processStartDate": "#VALUE"
      }
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--uuid / uuid

Required

Universally unique ID (UUID) of the security object.

To find the unique identifier for the object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column.

--activation-date / activationDate

Optional

Specifies when to activate a security object. It has the following format:
"activationDate" : "now" --starts immediately
"activationDate" : "now+PT10M" --starts 10 minutes from now
"activationDate" : "2021-12-20 10:30:00" --starts at this date and time
"activationDate" : "2021-12-20 10:30:00+PT10M" --starts 10 minutes after this date and time
If you omit this parameter, then the activation date is retrieved from the certificate file that is being uploaded.
If activationDate meets the date criteria, the date is overwritten with the provided date:
    notBefore < deactivationDate <= notAfter
    activationDate < deactivationDate
If activation-date does not meet the criteria, an error message displays.

--contact-info / contactInfo

Optional

The attribute is used for descriptive purposes only.

--deactivation-date / deactivationDate

Optional

Specifies when to deactivate a security object. It has the same format as activation-date. If you omit this parameter, then the deactivation date is retrieved from the certificate file that is being uploaded.
If deactivationDate meets the date criteria, the date is overwritten with the provided date:
 notBefore <= activationDate < notAfter
 activationDate < deactivationDate
If deactivation-date does not meet the criteria, an error message displays.

--name / name

Optional

Specifies the name of a security object. The name attribute consists of the following fields:

  • value
  • type

The default type is text.

  • Complex data format, name attribute at the command line:
            --name '{"value" : "KEY1", "type" : "uri"}' or
            --name '{"value" : "KEY1", "type" : "text"}'
  • Simplified data format, name attribute at the command line, where type defaults to "text":
            --name KEY1

--process-start-date / processStartDate

Optional

Specifies the date and time when a valid security object begins to process cryptographically protected information.

--protect-stop-date / protectStopDate

Optional

Specifies the date and time, after which a valid security object cannot be used for applying cryptographic protection.

/ attributes

Required

A JSON object with the list of attributes. You must use the JSON syntax to specify the attribute. You cannot specify attributes at the command line. To find the existing attributes for the managed object, run the okv managed-object attribute list command.

Attributes that you can delete are as follows:

  • name (You must also specify the value of the name attribute instance that you want to delete.)
  • The following date and time attributes:
    • activationDate
    • deactivationDate
    • protectStopDate
    • processStartDate

    You can use different ways to set the date and time. Examples are as follows:

    "activationDate" : "now" --starts immediately
    "activationDate" : "now+PT10M" --starts 10 minutes from now
    "activationDate" : "2021-12-20 10:30:00" --starts at this date and time
    "activationDate" : "2021-12-20 10:30:00+PT10M" --starts 10 minutes after this date and time

    To display the time in UTC format, use the Linux date command. For example:

    $ date --utc "+%F %T"
    2021-03-15 20:31:37

JSON Example

  1. Generate JSON input for the okv managed-object attribute delete command.
    okv managed-object attribute delete --generate-json-input

    The generated input appears as follows:

    {
      "service": {
        "category": "managed-object",
        "resource": "attribute",
        "action": "delete",
        "options": {
          "uuid": "#VALUE",
          "attributes": {
            "name": {
              "value": "#VALUE"
            },
            "contactInfo": "#VALUE",
            "activationDate": "#VALUE",
            "deactivationDate": "#VALUE",
            "protectStopDate": "#VALUE",
            "processStartDate": "#VALUE"
          }
        }
      }
    }
  2. Save the generated input to a file (for example, del_attribute.json) and then edit it so that you can delete the attributes associated with a security object.
    {
      "service": {
        "category": "managed-object",
        "resource": "attribute",
        "action": "delete",
        "options": {
          "uuid": "2359E04F-DA61-4F7C-BF9F-913D3369A93A",
          "attributes": {
            "name": {
              "value": "PROD-HRDB-MKEY"
            }
          }
        }
      }
    }
  3. Run the okv managed-object attribute delete command using the generated JSON file.
    okv managed-object attribute delete --from-json del_attribute.json

    Output similar to the following appears:

    {
      "result": "Success",
      "value": {
        "attributes": {
          "name": "Deleted"
        }
      }
    }

5.3 okv managed-object attribute get Command

The okv managed-object attribute get command retrieves an attribute or list of attributes of a security object.

Required Authorization

The endpoint must have read permission on the object.

Syntax

okv managed-object attribute get [--activation-date] [--archive-date] [--certificate-length] [--certificate-type]
 [--compromise-date] [--compromise-occurrence-date] [--contact-info] [--crypto-usage-mask] [--cryptographic-algorithm]
 [--cryptographic-length] [--custom-attribute] [--custom-attributes custom attributes] [--deactivation-date] [--destroy-date]
 [--digest] [--digital-signing-algorithm] [--extractable] [--initial-date] [--last-change-date] [--link] [--name] [--never-extractable]
 [--object-group-member] [--object-type] [--process-start-date] [--protect-stop-date] [--state] --uuid <uuid> [--x509-certificate-issuer]
 [--x509-certificate-subject]

You may use the JSON syntax for this command to specify the attributes with the --uuid parameter specified at the command line. This is useful for cases where you want to apply the same attribute values to multiple objects. You can re-use the same JSON file and specify different UUIDs at the command line.

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "attribute",
    "action" : "get",
    "options" : {
      "uuid" : "#VALUE",
      "attributes" : [ "#ATTRIBUTE_NAME", "#ATTRIBUTE_NAME", "#ATTRIBUTE_NAME"],
      "customAttributes" : [ "#ATTRIBUTE_NAME", "#ATTRIBUTE_NAME", "#ATTRIBUTE_NAME" ]
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--activation-date / activationDate

Optional

Specifies when to activate a security object. It has the following format:
"activationDate" : "now" --starts immediately
"activationDate" : "now+PT10M" --starts 10 minutes from now
"activationDate" : "2021-12-20 10:30:00" --starts at this date and time
"activationDate" : "2021-12-20 10:30:00+PT10M" --starts 10 minutes after this date and time
If you omit this parameter, then the activation date is retrieved from the certificate file that is being uploaded.
If activationDate meets the date criteria, the date is overwritten with the provided date:
    notBefore < deactivationDate <= notAfter
    activationDate < deactivationDate
If activation-date does not meet the criteria, an error message displays.

--archive-date / archiveDate

Optional

Specifies the date and time of the security object when placed in archival storage.

--certificate-length / certificateLength

Optional

Specifies the certificate object length in bytes.

--certificate-type / certificateType

Optional

Specifies the certificate type.

--compromise-date / compromiseDate

Optional

Specifies the date and time when the Managed Cryptographic Object entered into the compromised state.

--compromise-occurrence-date / compromiseOccurrenceDate

Optional

Specifies the date and time when the security object was first believed to be compromised. Use this setting only when KEY_COMPROMISE is specified for the --code parameter.

--contact-info / contactInfo

Optional

The attribute is for descriptive purposes only.

--crypto-usage-mask / cryptographicUsageMask

Optional

Specifies the cryptographic usage of the security object.

--cryptographic-algorithm / cryptographicAlgorithm

Optional

Specifies the algorithm used in the security object.

--cryptographic-length / cryptographicLength

Optional

Specifies the length in bits of the cryptographic key material of the security object.

--custom-attribute / customAttribute

Optional

Specifies the endpoint-defined additional attributes that Oracle Key Vault stores but does not interpret.

--deactivation-date / deactivationDate

Optional

Specifies when to deactivate a security object. It has the same format as activation-date. If you omit this parameter, then the deactivation date is retrieved from the certificate file that is being uploaded.
If deactivationDate meets the date criteria, the date is overwritten with the provided date:
 notBefore <= activationDate < notAfter
 activationDate < deactivationDate
If deactivation-date does not meet the criteria, an error message displays.

--destroy-date / destroyDate

Optional

Specifies the date and time when the security object was destroyed.

--digest / digest

Optional

Specifies the digest value of the security object.

--digital-signing-algorithm / digitalSigningAlgorithm

Optional

Specifies the digital signature algorithm associated with a digitally signed object.

--extractable / extractable

Optional

Specifies whether the value of the object can be retrieved, as TRUE or FALSE:
  • FALSE: The server prevents the object value from being retrieved.
  • TRUE: The default value, used when the client does not provide one.

--initial-date / initialDate

Optional

Specifies the date and time when the security object was first created or registered at the server.

--last-change-date / lastChangeDate

Optional

Specifies the date and time of the last change of the specified object.

--link / link

Optional

Specifies the link from one security object to another, closely related target security object.

--name / name

Optional

Specifies the name of the object to locate.

--never-extractable / neverExtractable

Optional

Is TRUE if the Extractable attribute of the object has always been FALSE.

--object-group-member / objectGroupMember

Optional

Specifies the object group member type as DEFAULT or FRESH.

--object-type / objectType

Optional

Specifies the security object type.

--process-start-date / processStartDate

Optional

Specifies the date and time when a valid security object starts processing cryptographically protected information.

--protect-stop-date / protectStopDate

Optional

Specifies the date and time after which a valid security object cannot be used for applying cryptographic protection.

--state / state

Optional

Specifies the different states of an object as PREACTIVE, ACTIVE, DEACTIVATED, COMPROMISED, DESTROYED, and DESTROYED_COMPROMISED.

--uuid / uuid

Required

Universally unique ID (UUID) of the security object.

To find the unique identifier for the object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column.

--x509-certificate-issuer / x509CertificateIssuer

Optional

Specifies the issuer distinguished name in the X.509 certificate.

--x509-certificate-subject / x509CertificateSubject

Optional

Specifies the subject distinguished name in the X.509 certificate.

/ attributes

Required

Array of attribute names. You must use the JSON syntax to specify the attributes. You cannot specify attributes at the command line. You can retrieve the value of multiple attributes by including additional optional ATTRIBUTE_NAME attributes. See the example.

To find the existing attributes for the managed object, run the okv managed-object attribute list command. To retrieve the values of all existing attributes for the managed object, run the okv managed-object attribute get-all command.

See Key Management Interoperability Protocol Specification Version 1.1 for details about these attributes.

/ customAttributes

Optional

Array of custom attributes. You must use the JSON syntax to specify the custom attributes. You cannot specify custom attributes at the command line. To find the existing attributes for the managed object, run the okv managed-object attribute list command.

JSON Example

  1. Generate JSON input for the okv managed-object attribute get command.
    okv managed-object attribute get --generate-json-input

    The generated input appears as follows:

    {
      "service" : {
        "category" : "managed-object",
        "resource" : "attribute",
        "action" : "get",
        "options" : {
          "uuid" : "#VALUE",
          "attributes" : [ "#ATTRIBUTE_NAME", "#ATTRIBUTE_NAME", "#ATTRIBUTE_NAME" ],
          "customAttributes" : [ "#ATTRIBUTE_NAME", "#ATTRIBUTE_NAME", "#ATTRIBUTE_NAME" ]
        }
      }
    }
  2. Save the generated input to a file (for example, get_attribute.json) and then edit it to retrieve the attributes associated with the security object.
    {
      "service" : {
        "category" : "managed-object",
        "resource" : "attribute",
        "action" : "get",
        "options" : {
          "uuid" : "2359E04F-DA61-4F7C-BF9F-913D3369A93A",
          "attributes" : [
            "activationDate",
            "contactInfo",
            "cryptoUsageMask",
            "cryptographicAlgorithm",
            "cryptographicLength",
            "name",
            "objectType",
            "state",
            "extractable",
            "neverExtractable"
          ],
          "customAttributes" : [ "x-ApplicationTag" ]
        }
      }
    }
  3. Run the okv managed-object attribute get command using the generated JSON file.
    okv managed-object attribute get --from-json get_attribute.json

    Output similar to the following appears:

    {
      "result": "Success",
      "value": {
        "attributes": {
          "activationDate": "2020-11-21 01:00:00",
          "contactInfo": "psmith@example.com",
          "cryptoUsageMask": [
            "ENCRYPT",
            "DECRYPT"
          ],
          "cryptographicAlgorithm": "AES",
          "cryptographicLength": "256",
          "extractable" : "false",
          "name": [
            {
              "type": "text",
              "value": "PROD-HRDB-MKEY"
            }
          ],
          "neverExtractable" : "TRUE",
          "objectType": "Symmetric Key",
          "state": "Active"
        },
        "customAttributes": [
          {
            "index": "1",
            "name": "x-ApplicationTag",
            "type": "Text String",
            "value": "HR-Production"
          }
        ]
      }
    }

5.4 okv managed-object attribute get-all Command

The okv managed-object attribute get-all command retrieves all attributes of a security object.

Required Authorization

The endpoint must have read permission on the object.

Syntax

okv managed-object attribute get-all --uuid UUID

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "attribute",
    "action" : "get-all",
    "options" : {
      "uuid" : "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--uuid / uuid

Required

Universally unique ID (UUID) of the security object.

To find the unique identifier for the object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column.

JSON Example

  1. Generate JSON input for the okv managed-object attribute get-all command.
    okv managed-object attribute get-all --generate-json-input

    The generated input appears as follows:

    {
      "service" : {
        "category" : "managed-object",
        "resource" : "attribute",
        "action" : "get-all",
        "options" : {
          "uuid" : "#VALUE"
        }
      }
    }
  2. Save the generated input to a file (for example, get_all_attributes.json) and then edit it to get all the attributes of the security object.
    {
      "service" : {
        "category" : "managed-object",
        "resource" : "attribute",
        "action" : "get-all",
        "options" : {
          "uuid" : "2359E04F-DA61-4F7C-BF9F-913D3369A93A"
        }
      }
    }
  3. Run the okv managed-object attribute get-all command using the generated JSON file.
    okv managed-object attribute get-all --from-json get_all_attributes.json

    Output similar to the following appears:

    {
      "result" : "Success",
      "value" : {
        "attributes" : {
          "activationDate" : "2022-10-28 18:58:34",
          "cryptoUsageMask" : [ "SIGN" ],
          "cryptographicAlgorithm" : "RSA",
          "cryptographicLength" : "2048",
          "digest" : {
            "algorithm" : "SHA-256",
            "digestValue" : "9E6C6718C34FE44E3C91558CB83278CEC0706B8906BF0DED23A6117DC9EE6CD0",
            "keyFormatType" : "RAW"
          },
          "extractable" : "false",
          "fresh" : "Yes",
          "initialDate" : "2022-10-28 18:58:36",
          "lastChangeDate" : "2022-10-28 18:58:38",
          "neverExtractable" : "true",
          "objectType" : "Private Key",
          "processStartDate" : "2022-10-28 18:58:36",
          "state" : "Active",
          "uuid" : "06024832-066A-4F02-BF03-FA5B09E9A6AF"
        }
      }
    }
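An added example (not Oracle's code) that reads the output of okv managed-object attribute get or get-all, as shown in sections 5.3 and 5.4, and lists the attribute combinations a key custodian would want to review: extractable key material, undersized keys, and Active objects whose lifecycle dates have passed. The embedded sample output is constructed from the get-all example above; the minimum key sizes and the comparison against the current time are this example's assumptions.

```python
"""Review the attributes returned by 'okv managed-object attribute get' or 'get-all'.

Added example; it is not Oracle Key Vault code. SAMPLE_GET_ALL is constructed
from the get-all output shown above (digest block omitted). The minimum key
sizes and the comparison of lifecycle dates against the current time are this
example's assumptions, not okv behaviour.
"""
import json
from datetime import datetime, timezone

DATE_FMT = "%Y-%m-%d %H:%M:%S"
MIN_BITS = {"AES": 128, "RSA": 2048}   # assumed policy floor per algorithm

# Constructed sample: the get-all example output from the page.
SAMPLE_GET_ALL = json.loads("""
{
  "result" : "Success",
  "value" : {
    "attributes" : {
      "activationDate" : "2022-10-28 18:58:34",
      "cryptoUsageMask" : [ "SIGN" ],
      "cryptographicAlgorithm" : "RSA",
      "cryptographicLength" : "2048",
      "extractable" : "false",
      "fresh" : "Yes",
      "initialDate" : "2022-10-28 18:58:36",
      "lastChangeDate" : "2022-10-28 18:58:38",
      "neverExtractable" : "true",
      "objectType" : "Private Key",
      "processStartDate" : "2022-10-28 18:58:36",
      "state" : "Active",
      "uuid" : "06024832-066A-4F02-BF03-FA5B09E9A6AF"
    }
  }
}
""")


def parse_okv_date(value):
    """Parse the YYYY-MM-DD HH:mm:ss form okv prints; treated as UTC."""
    return datetime.strptime(value, DATE_FMT).replace(tzinfo=timezone.utc)


def is_true(attrs, key):
    """okv prints booleans as 'false', 'TRUE', 'true'; normalise the case."""
    return str(attrs.get(key, "")).strip().lower() == "true"


def audit_attributes(attrs, now):
    """Return a list of findings for one object's attribute map (empty = nothing to review)."""
    findings = []
    state = str(attrs.get("state", "")).upper()

    if is_true(attrs, "extractable"):
        findings.append("extractable is TRUE: the key material can be retrieved from the vault")
    elif "neverExtractable" in attrs and not is_true(attrs, "neverExtractable"):
        findings.append("neverExtractable is FALSE: the object was extractable at some point")

    alg = attrs.get("cryptographicAlgorithm")
    bits = attrs.get("cryptographicLength")
    if alg in MIN_BITS and bits is not None and int(bits) < MIN_BITS[alg]:
        findings.append(f"{alg} key of {bits} bits is below the assumed {MIN_BITS[alg]}-bit floor")

    if state == "ACTIVE":
        # An Active object is still limited by its KMIP lifecycle dates.
        if "activationDate" in attrs and parse_okv_date(attrs["activationDate"]) > now:
            findings.append("state Active but activationDate is in the future")
        for key, label in (("deactivationDate", "deactivation"),
                           ("protectStopDate", "protect-stop")):
            if key in attrs and parse_okv_date(attrs[key]) <= now:
                findings.append(f"state Active but the {label} date {attrs[key]} has passed")
    elif state in ("COMPROMISED", "DESTROYED_COMPROMISED"):
        findings.append(f"object is in state {state}: review compromiseOccurrenceDate "
                        "and rotate whatever depends on it")

    return findings


def audit_output(output, now=None):
    """Audit the parsed JSON that okv prints for 'attribute get' or 'get-all'."""
    if output.get("result") != "Success":
        raise ValueError(f"okv reported result {output.get('result')!r}")
    return audit_attributes(output["value"]["attributes"],
                            now or datetime.now(timezone.utc))


if __name__ == "__main__":
    for line in audit_output(SAMPLE_GET_ALL) or ["no findings"]:
        print(line)
```

Pipe the real output in with `okv managed-object attribute get-all --from-json get_all_attributes.json | python3 audit.py` after replacing SAMPLE_GET_ALL with json.load(sys.stdin).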

5.5 okv managed-object object fetch Command

The okv managed-object object fetch command fetches a security object and its attributes together.

Required Authorization

The endpoint must have read permission on the object.

Syntax

okv managed-object object fetch [--activation-date activation date] [--archive-date archive date]
       [--certificate-length certificate length] [--certificate-type certificate type]
       [--compromise-date compromise date] [--compromise-occurrence-date compromise occurrence date]
       [--contact-info contact information] [--crypto-usage-mask cryptographic usage mask]
       [--cryptographic-algorithm cryptographic algorithm] [--cryptographic-length cryptographic length]
       [--custom-attribute custom attribute] [--deactivation-date deactivation date]
       [--destroy-date destroy date] [--digest digest] [--digital-signing-algorithm digital signing algorithm]
       [--extractable true|false] [--initial-date initial date] [--last-change-date last change date]
       [--link link] [--max max] [--name name] [--never-extractable true|false]
       [--object-group-member object group member] [--object-type object type]
       [--process-start-date process start date] [--protect-stop-date protect stop date]
       [--single-object true|false] [--state state] [--x509-certificate-issuer X.509 certificate issuer]
       [--x509-certificate-subject X.509 certificate subject]

JSON Input File Template

okv managed-object object fetch --generate-json-input
{
  "service" : {
    "category" : "managed-object",
    "resource" : "object",
    "action" : "fetch",
    "options" : {
      "max" : "#VALUE",
      "objectGroupMember" : "#FRESH|DEFAULT",
      "attributes" : {
        "name" : {
          "value" : "#VALUE"
        },
        "state" : "#PREACTIVE|ACTIVE|DEACTIVATED|COMPROMISED|DESTROYED|DESTROYED_COMPROMISED",
        "objectType" : "#VALUE",
        "fresh" : "#YES|NO",
        "objectGroup" : "#VALUE",
        "contactInfo" : "#VALUE",
        "cryptographicAlgorithm" : "#VALUE",
        "cryptographicLength" : "#VALUE",
        "cryptoUsageMask" : "#VALUE",
        "certificateLength" : "#VALUE",
        "certificateType" : "#VALUE",
        "x509CertificateSubject" : "#VALUE",
        "x509CertificateIssuer" : "#VALUE",
        "digitalSigningAlgorithm" : "#VALUE",
        "digest" : {
          "digestValue" : "#VALUE",
          "algorithm" : "#VALUE",
          "keyFormatType" : "#VALUE"
        },
        "link" : {
          "linkType" : "#VALUE",
          "linkValue" : "#VALUE"
        },
        "activationDate" : "#YYYY-MM-DD HH:mm:ss",
        "deactivationDate" : "#YYYY-MM-DD HH:mm:ss",
        "processStartDate" : "#YYYY-MM-DD HH:mm:ss",
        "protectStopDate" : "#YYYY-MM-DD HH:mm:ss",
        "initialDate" : "#YYYY-MM-DD HH:mm:ss",
        "lastChangeDate" : "#YYYY-MM-DD HH:mm:ss",
        "compromiseDate" : "#YYYY-MM-DD HH:mm:ss",
        "compromiseOccurrenceDate" : "#YYYY-MM-DD HH:mm:ss",
        "destroyDate" : "#YYYY-MM-DD HH:mm:ss",
        "archiveDate" : "#YYYY-MM-DD HH:mm:ss",
        "extractable" : "#TRUE|FALSE",
        "neverExtractable" : "#TRUE|FALSE"
      },
      "customAttributes" : [ {
        "name" : "#VALUE",
        "value" : "#VALUE",
        "type" : "#TEXT|NUMBER"
      } ]
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--max / max

Optional

Maximum number of objects that this command should return.

--object-group-member / objectGroupMember

Optional

Enter one of the following group values:

  • DEFAULT
  • FRESH

--state / state

Optional

Enter one of the following states:

  • PREACTIVE
  • ACTIVE
  • DEACTIVATED
  • COMPROMISED
  • DESTROYED
  • DESTROYED_COMPROMISED

--activation-date / activationDate

Optional

Specifies when to activate a security object. It has the following format:
"activationDate" : "now" --starts immediately
"activationDate" : "now+PT10M" --starts 10 minutes from now
"activationDate" : "2021-12-20 10:30:00" --starts at this date and time
"activationDate" : "2021-12-20 10:30:00+PT10M" --starts 10 minutes after this date and time
If you omit this parameter, then the activation date is retrieved from the certificate file that is being uploaded.
If activationDate meets the date criteria, the date is overwritten with the provided date:
    notBefore < deactivationDate <= notAfter
    activationDate < deactivationDate
If activation-date does not meet the criteria, an error message displays.

--archive-date / archiveDate

Optional

Specifies the date and time of the security object when placed in archival storage.

--certificate-length / certificateLength

Optional

Specifies the certificate object length in bytes.

--certificate-type / certificateType

Optional

Specifies the certificate type.

--compromise-date / compromiseDate

Optional

Specifies the date and time when the Managed Cryptographic Object entered into the compromised state.

--compromise-occurrence-date / compromiseOccurrenceDate

Optional

Specifies the date and time when the security object was first believed to be compromised. Use this setting only when KEY_COMPROMISE is specified for the --code parameter.

--contact-info / contact information

Optional

The attribute is for descriptive purposes only.

--crypto-usage-mask / cryptographic usage mask

Optional

Specifies the cryptographic usage of the security object.

--cryptographic-algorithm/ cryptographic algorithm

Optional

Specifies the algorithm used in the security object.

--cryptographic-length / cryptographic length

Optional

Specifies the length in bits of the cryptographic key material of the security object.

--custom-attribute / custom attribute

Optional

Specifies the endpoint defined additional attributes that Oracle Key Vault cannot interpret.

--deactivation-date / deactivation date

Optional

Specifies when to deactivate a security object. It has the same format as activation-date. If you omit this parameter, then the deactivation date is retrieved from the certificate file that is being uploaded. If deactivationDate meets the following date criteria, then the date is overwritten with the provided date:

    notBefore <= activationDate < notAfter
    activationDate < deactivationDate

If deactivation-date does not meet the criteria, then an error message displays.

--destroy-date / destroyDate

Optional

Specifies the date and time when the security object was destroyed.

--digest / digest

Optional

Specifies the digest value of the security object.

--digital-signing-algorithm / digital signing algorithm

Optional

Specifies the digital signature algorithm associated with a digitally signed object.

--extractable / extractable

Optional

Specifies whether the object value can be retrieved from the server:

  • FALSE: The server prevents the object value from being retrieved.
  • TRUE: The default, used if the client does not provide a value.

--initial-date / initialDate

Optional

Specifies the date and time when the security object was first created or registered at the server.

--last-change-date / last change date

Optional

Specifies the date and time of the last change of the specified object.

--link / link

Optional

Specifies the link from one security object to another, closely related target security object.

--max / max

Optional

Specifies the maximum number of objects that this command should return.

--name / name

Optional

Specifies the name of the object to locate.

--never-extractable / neverExtractable

Optional

Specifies the value as TRUE if the Extractable attribute is always FALSE.

--object-group-member/ object-group-member

Optional

Specifies the object group member type as DEFAULT or FRESH.

--object-type / object-type

Optional

Specifies the security object type.

--process-start-date / processStartDate

Specifies the date and time when a valid security object starts processing cryptographically protected information.

--protect-stop-date / protect-stop-date

Optional

Specifies the date and time after which a valid security object cannot be used for applying cryptographic protection.

--state / state

Optional

Specifies the different states of an object as PREACTIVE, ACTIVE, DEACTIVATED, COMPROMISED, DESTROYED, and DESTROYED_COMPROMISED.

--x509-certificate-issuer / x509-certificate-issuer

Optional

Specifies the issuer distinguished name in the X.509 certificate.

--x509-certificate-subject / x509-certificate-subject

Optional

Specifies the subject distinguished name in the X.509 certificate.

/ attributes

Required

Attribute names and their values of the object to locate. Enclose a value in double quotation marks if it contains spaces, slashes, or colons. You cannot specify attributes at the command line; if you want to use attributes, then you must use the JSON syntax.

Attributes that you can enter are as follows:

  • name includes value.
  • state is the state of the object.
  • objectType is the type of the object.
  • fresh indicates whether the object is fresh or not. Enter either YES or NO.
  • objectGroup is the object group or wallet name.
  • contactInfo is the contact information for the object.
  • cryptographicAlgorithm is the cryptographic algorithm of the object.
  • cryptographicLength is the cryptographic length of the object.
  • cryptoUsageMask is the usage mask of the object.
  • certificateType is the type of the certificate object.
  • x509CertificateSubject is the subject of the X.509 certificate.
  • x509CertificateIssuer is the issuer of the X.509 certificate.
  • digitalSigningAlgorithm is the digital signature algorithm of the object.
  • digest is digest of the object, which includes:
    • digestValue is the value of the digest.
    • algorithm is the hashing algorithm.
    • keyFormatType is the format of the object.
  • link is the link attribute of the object, and it includes:
    • linkType is the type of the link.
    • linkValue is the linked object UUID.
  • The following date and time attributes:
    • activationDate
    • deactivationDate
    • processStartDate
    • protectStopDate
    • initialDate
    • lastChangeDate
    • compromiseDate
    • compromiseOccurrenceDate
    • destroyDate
    • archiveDate
  • extractable can be set as follows:

    • TRUE Allows the object to be extracted from Oracle Key Vault.

    • FALSE Prevents the key material within the object from being extracted from Oracle Key Vault. However, the metadata of the object (including object attributes, state, and so on) can still be retrieved from Oracle Key Vault.

  • neverExtractable tracks whether the extraction of the security object has always been restricted during its existence in the Oracle Key Vault server. Settings are as follows:
    • TRUE means that the security object was never extractable from Oracle Key Vault during the object's existence.
    • FALSE means the security object was extractable from Oracle Key Vault at least once during the object's existence.

You can use different ways to set the date and time. Examples are as follows:

"activationDate" : "2021-12-20 10:30:00" --starts at this date and time

To display the time in UTC format, use the Linux date command. For example:

$ date --utc "+%F %T"
2021-03-15 20:31:37
   

--custom-attribute / customAttributes

Optional

List of custom attributes of the object to locate.

Custom attributes that you can enter are as follows:

  • name is the name of the custom attribute.
  • value is the value of the custom attribute.
  • type is either text or number.

The following command-line forms are supported:

  • Complex data format, custom attribute (multiple instances):
        --custom-attribute '[ { "name": "x-OKV Certificate Expiration Date", "value" : "2017-04-29 18:14:51"}, { "name": "x-local-name", "value" : "HR"} ]'
  • Simplified data format, name attribute (single instance):
        --name KEY1
  • Simplified data format, custom attribute (multiple instances):
        --custom-attribute "x-local-name:HR"
        --custom-attribute '[ "x-local-name:HR", "x-local-id:100" ]'

See Key Management Interoperability Protocol Specification Version 1.1 for details about these attributes.
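The --name and --custom-attribute command-line forms shown above, converted into the attributes and customAttributes structures of the fetch JSON template. This is an added example, not code from the okv CLI; the TEXT/NUMBER inference from the value and the KMIP "x-" prefix check are assumptions.

```python
import json

# Added example; not part of the okv CLI or its documentation. It accepts the
# simplified form ("x-local-name:HR"), the quoted JSON list of "name:value"
# strings, and the full JSON object list, and emits the customAttributes
# entries of the JSON input template. Assumptions: a value made only of digits
# is typed NUMBER, anything else TEXT; client-defined KMIP custom attribute
# names must start with "x-".


def parse_name(arg):
    """--name KEY1  or  --name '{"value" : "KEY1", "type" : "uri"}'."""
    text = arg.strip()
    if text.startswith("{"):
        obj = json.loads(text)
        if "value" not in obj:
            raise ValueError("name object needs a value")
        return {"value": obj["value"], "type": obj.get("type", "text")}
    return {"value": text, "type": "text"}  # simplified form: type defaults to text


def _attribute(name, value, explicit_type=None):
    """Build one customAttributes entry and validate the name prefix."""
    if not name.startswith("x-"):
        raise ValueError(f"custom attribute names must start with 'x-': {name!r}")
    if explicit_type is not None:
        kind = explicit_type.upper()
        if kind not in ("TEXT", "NUMBER"):
            raise ValueError(f"type must be TEXT or NUMBER: {explicit_type!r}")
    else:
        kind = "NUMBER" if value.isdigit() else "TEXT"  # assumption, see above
    return {"name": name, "value": value, "type": kind}


def _split_pair(item):
    """Split the simplified 'x-<name>:<value>' form at the first colon."""
    name, sep, value = item.partition(":")
    if not sep:
        raise ValueError(f"expected x-<name>:<value>, got {item!r}")
    return name.strip(), value.strip()


def parse_custom_attributes(args):
    """Convert every --custom-attribute argument given on the command line."""
    out = []
    for arg in args:
        text = arg.strip()
        if text.startswith("["):
            for item in json.loads(text):
                if isinstance(item, dict):
                    out.append(_attribute(item["name"], str(item["value"]), item.get("type")))
                else:
                    out.append(_attribute(*_split_pair(item)))
        else:
            out.append(_attribute(*_split_pair(text)))
    return out


def build_fetch_input(name_arg, custom_args, max_objects=None):
    """Assemble the options block of the fetch JSON template from CLI forms."""
    options = {"attributes": {"name": parse_name(name_arg)}}
    if max_objects is not None:
        options["max"] = str(max_objects)
    custom = parse_custom_attributes(custom_args)
    if custom:
        options["customAttributes"] = custom
    return {"service": {"category": "managed-object", "resource": "object",
                        "action": "fetch", "options": options}}


if __name__ == "__main__":
    # Constructed sample arguments, taken from the forms shown on the page.
    doc = build_fetch_input("KEY1", ['[ "x-local-name:HR", "x-local-id:100" ]'], max_objects=10)
    print(json.dumps(doc, indent=2))
```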

--name / name

Optional

Specifies the name of a security object. The allowed values are:

  • value
  • type

The default type is text.

The following command-line forms are supported:

  • Complex data format, name attribute:
        --name '{"value" : "KEY1", "type" : "uri"}'
        --name '{"value" : "KEY1", "type" : "text"}'
  • Simplified data format, name attribute, with "text" as the default type:
        --name KEY1

Note:

Use the CLI command syntax to specify the output_format option. By default, the output format is JSON. However, the output_format option with a value as 'text' displays the output in text format. Use of text output format removes the need to parse JSON output. The option is useful when the output of a command serves as input for another command.

JSON Examples

  1. Generate JSON input for the command.
    okv managed-object object fetch --generate-json-input

    The generated input appears as follows:

    {
      "service" : {
        "category" : "managed-object",
        "resource" : "object",
        "action" : "fetch",
        "options" : {
          "max" : "#VALUE",
          "objectGroupMember" : "#FRESH|DEFAULT",
          "attributes" : {
            "name" : {
              "value" : "#VALUE"
            },
            "state" : "#PREACTIVE|ACTIVE|DEACTIVATED|COMPROMISED|DESTROYED|DESTROYED_COMPROMISED",
            "objectType" : "#VALUE",
            "fresh" : "#YES|NO",
            "objectGroup" : "#VALUE",
            "contactInfo" : "#VALUE",
            "cryptographicAlgorithm" : "#VALUE",
            "cryptographicLength" : "#VALUE",
            "cryptoUsageMask" : "#VALUE",
            "certificateLength" : "#VALUE",
            "certificateType" : "#VALUE",
            "x509CertificateSubject" : "#VALUE",
            "x509CertificateIssuer" : "#VALUE",
            "digitalSigningAlgorithm" : "#VALUE",
            "digest" : {
              "digestValue" : "#VALUE",
              "algorithm" : "#VALUE",
              "keyFormatType" : "#VALUE"
            },
            "link" : {
              "linkType" : "#VALUE",
              "linkValue" : "#VALUE"
            },
            "activationDate" : "#YYYY-MM-DD HH:mm:ss",
            "deactivationDate" : "#YYYY-MM-DD HH:mm:ss",
            "processStartDate" : "#YYYY-MM-DD HH:mm:ss",
            "protectStopDate" : "#YYYY-MM-DD HH:mm:ss",
            "initialDate" : "#YYYY-MM-DD HH:mm:ss",
            "lastChangeDate" : "#YYYY-MM-DD HH:mm:ss",
            "compromiseDate" : "#YYYY-MM-DD HH:mm:ss",
            "compromiseOccurrenceDate" : "#YYYY-MM-DD HH:mm:ss",
            "destroyDate" : "#YYYY-MM-DD HH:mm:ss",
            "archiveDate" : "#YYYY-MM-DD HH:mm:ss",
            "extractable" : "#TRUE|FALSE",
            "neverExtractable" : "#TRUE|FALSE"
          },
          "customAttributes" : [ {
            "name" : "#VALUE",
            "value" : "#VALUE",
            "type" : "#TEXT|NUMBER"
          } ]
        }
      }
    }
  2. Save the generated input to a file, for example, fetch_obj.json.
  3. Run the command using the generated JSON file. For example:
    okv managed-object object fetch --from-json fetch_obj.json

    Output similar to the following appears:

    {
      "result" : "Success",
      "value" : [ {
        "attributes" : {
          "activationDate" : "2022-07-01 15:54:38",
          "cryptographicAlgorithm" : "RSA",
          "cryptographicLength" : "2048",
          "cryptoUsageMask" : [ "ENCRYPT" ],
          "deactivationDate" : "2030-10-10 10:10:10",
          "digest" : {
            "digestValue" : "B8ACE70487179C70DF3A6D320CA0D52FF7F4FB2D9E41E9542E7D8C0166B3D93",
            "keyFormatType" : "RAW",
            "algorithm" : "SHA-256"
          },
          "fresh" : "No",
          "initialDate" : "2022-07-01 15:54:38",
          "lastChangeDate" : "2022-07-01 17:57:24",
          "name" : [ {
            "type" : "text",
            "value" : "private_0701"
          } ],
          "objectType" : "Private Key",
          "processStartDate" : "2022-07-01 15:54:38",
          "state" : "Active",
          "uuid" : "95092BD2-B546-4F9A-BF0B-D8ECDC548546"
        },
        "customAttribute" : [ {
          "name" : "x-NAME",
          "index" : "0",
          "type" : "Text String",
          "value" : "test4"
        }, {
          "name" : "x-ID",
          "index" : "0",
          "type" : "Integer",
          "value" : "1"
        } ],
           "object" : "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn\nNhAAAAAwEAAQAAAYEAyYrcnHs6I51lHheg90qTripWIuVKszoluqnBG0+QRLdLKOMIJjajygXKlT\n04DJSrQliR45oki2s/dgyfsTqpvanjTj7W10O5X2poohlGojumNOmb2p52em55yABUcYOb\nK4Qf5sX4vDpc/iUQAAABFkb3BhcmtAZG9wYXJrLW1hYw==\n-----END OPENSSH PRIVATE KEY-----\n"
      } ]
    }

Example Using Output Format Text

okv managed-object object fetch --max max_value --object-group-member object_group_member_type --state state_value --name name_value

5.6 okv managed-object attribute list Command

The okv managed-object attribute list command retrieves the names of attributes associated with a security object.

The okv managed-object attribute list command shows the key customAttributes if the object has one or more custom attributes. To find the custom attributes defined for the object, run the okv managed-object attribute get-all command.

Required Authorization

The endpoint must have read permission on the object.

Syntax

okv managed-object attribute list --uuid UUID

JSON Input File Template

{
  "service": {
    "category": "managed-object",
    "resource": "attribute",
    "action": "list",
    "options": {
      "uuid": "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--uuid / uuid

Required

Universally unique ID (UUID) of the security object.

To find the unique identifier for the object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column.

JSON Example

  1. Generate JSON input for the okv managed-object attribute list command.
    okv managed-object attribute list --generate-json-input

    The generated input appears as follows:

    {
      "service": {
        "category": "managed-object",
        "resource": "attribute",
        "action": "list",
        "options": {
          "uuid": "#VALUE"
        }
      }
    }
  2. Save the generated input to a file (for example, list_attributes.json) and then edit it to retrieve the list of attributes for the security object.
    {
      "service": {
        "category": "managed-object",
        "resource": "attribute",
        "action": "list",
        "options": {
          "uuid": "2359E04F-DA61-4F7C-BF9F-913D3369A93A"
        }
      }
    }
  3. Run the okv managed-object attribute list command using the generated JSON file.
    okv managed-object attribute list --from-json list_attributes.json

    Output similar to the following appears:

    {
      "result": "Success",
      "value": {
         "attributes" : [
             "activationDate",
             "contactInfo",
             "cryptoUsageMask",
             "cryptographicAlgorithm",
             "cryptographicLength",
             "deactivationDate",
             "digest",
             "extractable",
             "fresh",
             "initialDate",
             "lastChangeDate",
             "name",
             "neverExtractable",
             "objectType",
             "processStartDate",
             "protectStopDate",
             "state",
             "uuid"
          ],
         "customAttributes" : [ "x-ApplicationTag" ]
      }
    }
    

5.7 okv managed-object attribute modify Command

The okv managed-object attribute modify command modifies attributes that are associated with a security object.

To find the existing attributes for the managed object, run the okv managed-object attribute list command.

Required Authorization

The endpoint must have read-modify permission on the object.

Syntax

okv managed-object attribute modify [--activation-date activation date] [--contact-info contact information]
    [--deactivation-date deactivation date] [--name name] [--process-start-date process start date] 
    [--protect-stop-date protect stop date] --uuid uuid

You may use the JSON syntax for this command to specify the attributes with the --uuid parameter specified at the command line. This is useful for cases where you want to apply the same attribute values to multiple objects. You can re-use the same JSON file and specify different UUIDs at the command line.

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "attribute",
    "action" : "modify",
    "options" : {
      "uuid" : "#VALUE",
      "attributes" : {
        "name" : {
          "value" : "#VALUE",
          "newValue" : "#VALUE",
          "newType" : "#text|uri"
        },
        "contactInfo" : "#VALUE",
        "activationDate" : "#VALUE",
        "deactivationDate" : "#VALUE",
        "protectStopDate" : "#VALUE",
        "processStartDate" : "#VALUE",
        "extractable" : "#TRUE|FALSE"
      }
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--uuid / uuid

Required

Universally unique ID (UUID) of the security object.

To find the unique identifier for the object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column.

--activation-date / activationDate

Optional

Specifies when to activate a security object. It has the following format:

"activationDate" : "now" --starts immediately
"activationDate" : "now+PT10M" --starts 10 minutes from now
"activationDate" : "2021-12-20 10:30:00" --starts at this date and time
"activationDate" : "2021-12-20 10:30:00+PT10M" --starts 10 minutes after this date and time

If you omit this parameter, then the activation date is retrieved from the certificate file that is being uploaded. If activationDate meets the following date criteria, then the date is overwritten with the provided date:

    notBefore < deactivationDate <= notAfter
    activationDate < deactivationDate

If activation-date does not meet the criteria, then an error message displays.

--contact-info / contactInfo

Optional

The attribute is used for descriptive purposes only.

--deactivation-date / deactivationDate

Optional

Specifies when to deactivate a security object. It has the same format as activation-date. If you omit this parameter, then the deactivation date is retrieved from the certificate file that is being uploaded. If deactivationDate meets the following date criteria, then the date is overwritten with the provided date:

    notBefore <= activationDate < notAfter
    activationDate < deactivationDate

If deactivation-date does not meet the criteria, then an error message displays.

--name / name

Optional

Specifies the name of a security object. The allowed values are:

  • value
  • type

The default type is text.

The following command-line forms are supported:

  • Complex data format, name attribute:
        --name '{"value" : "KEY1", "type" : "uri"}'
        --name '{"value" : "KEY1", "type" : "text"}'
  • Simplified data format, name attribute, with "text" as the default type:
        --name KEY1

--process-start-date / processStartDate

Optional

Specifies the date and time when a valid security object begins to process cryptographically protected information.

--protect-stop-date / protect-stop-date

Optional

Specifies the date and time, after which a valid security object cannot be used for applying cryptographic protection.

/attributes

Required

Attribute names and their values. You must use the JSON syntax to specify the attribute. You cannot specify attributes at the command line. To find the existing attributes for the managed object, run the okv managed-object attribute list command.

Attributes that you can enter are as follows:

  • name includes the following:
    • value is the existing name value.
    • newValue is the new name value.
    • newType is the new name value type. If you want to change the type only, then you must provide a value and newValue. The default value is text.
  • contactInfo
  • The following date and time attributes:
    • activationDate
    • deactivationDate
    • protectStopDate
    • processStartDate
  • extractable can be set as follows:

    • TRUE Allows the object to be extracted from Oracle Key Vault.

    • FALSE Prevents the key material within the object from being extracted from Oracle Key Vault. However, the metadata of the object (including object attributes, state, and so on) can still be retrieved from Oracle Key Vault.

    As a user who has the Key Administrator role, you can modify the extractable attribute setting of an existing symmetric key or private key to either TRUE or FALSE. A user with read-modify access on an existing symmetric key can also modify its extractable attribute setting; however, this is allowed only to apply the stricter setting, that is, to set the value to FALSE to make the object non-extractable. Such users cannot modify the extractable attribute setting to make a symmetric key extractable if it is currently non-extractable. You can apply the extractable attribute setting only to symmetric keys, and not to other types of security objects.
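An added example, not Oracle Key Vault's own code, that models the extractable rule above together with the neverExtractable semantics described under the fetch command: an administrator may set either value, while read-modify access may only tighten the setting. The Actor roles, the constructed UUIDs and the object-type labels are assumptions.

```python
from dataclasses import dataclass

# Added example; not part of the okv CLI or Oracle Key Vault. It enforces the
# documented rule for changing the extractable attribute and keeps the
# neverExtractable flag consistent: it stays TRUE only while the object has
# never been extractable during its existence. Role names and object-type
# labels below are assumptions, not values taken from the CLI.

EXTRACTABLE_TYPES = {"Symmetric Key", "Private Key"}  # assumed type labels


@dataclass
class Actor:
    key_administrator: bool = False  # holds the Key Administrator role
    read_modify: bool = False        # has read-modify permission on the object


@dataclass
class ManagedObject:
    uuid: str
    object_type: str
    extractable: bool
    never_extractable: bool


class ModifyDenied(Exception):
    """Raised when the requested attribute change is not authorized."""


def check_extractable_change(obj, actor, new_value):
    """Return None if the change is allowed, otherwise the reason it is denied."""
    if obj.object_type not in EXTRACTABLE_TYPES:
        return f"extractable does not apply to objects of type {obj.object_type}"
    if actor.key_administrator:
        return None  # may set TRUE or FALSE
    if actor.read_modify:
        if new_value is False:
            return None  # tightening to non-extractable is always permitted
        return "read-modify access may only set extractable to FALSE"
    return "no read-modify permission on the object"


def modify_extractable(obj, actor, new_value):
    """Apply the change after the authorization check and update neverExtractable."""
    reason = check_extractable_change(obj, actor, new_value)
    if reason is not None:
        raise ModifyDenied(f"{obj.uuid}: {reason}")
    obj.extractable = new_value
    if new_value:
        obj.never_extractable = False  # the object was extractable at least once
    return obj


if __name__ == "__main__":
    # Constructed sample object and principals for the demonstration.
    key = ManagedObject("00000000-0000-0000-0000-000000000001", "Symmetric Key", True, False)
    endpoint = Actor(read_modify=True)
    admin = Actor(key_administrator=True)
    print(modify_extractable(key, endpoint, False).extractable)  # False: tightening allowed
    print(check_extractable_change(key, endpoint, True))          # reason: loosening denied
    print(modify_extractable(key, admin, True).extractable)       # True: administrator allowed
```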

You can use different ways to set the date and time. Examples are as follows:

"activationDate" : "now" --starts immediately
"activationDate" : "now+PT10M" --starts 10 minutes from now
"activationDate" : "2021-12-20 10:30:00" --starts at this date and time
"activationDate" : "2021-12-20 10:30:00+PT10M" --starts 10 minutes after this date and time

To display the time in UTC format, use the Linux date command. For example:

$ date --utc "+%F %T"
2021-03-15 20:31:37

See Key Management Interoperability Protocol Specification Version 1.1 for details about these attributes.

JSON Example

  1. Generate JSON input for the okv managed-object attribute modify command.
    okv managed-object attribute modify --generate-json-input

    The generated input appears as follows:

    {
      "service" : {
        "category" : "managed-object",
        "resource" : "attribute",
        "action" : "modify",
        "options" : {
          "uuid" : "#VALUE",
          "attributes" : {
            "name" : {
              "value" : "#VALUE",
              "newValue" : "#VALUE",
              "newType" : "#text|uri"
            },
            "contactInfo" : "#VALUE",
            "activationDate" : "#VALUE",
            "deactivationDate" : "#VALUE",
            "protectStopDate" : "#VALUE",
            "processStartDate" : "#VALUE",
            "extractable" : "#TRUE|FALSE"
          }
        }
      }
    }
  2. Save the generated input to a file (for example, modify_attributes.json) and then edit it to modify the attributes that are associated with the security object.
    {
      "service" : {
        "category" : "managed-object",
        "resource" : "attribute",
        "action" : "modify",
        "options" : {
          "uuid" : "2359E04F-DA61-4F7C-BF9F-913D3369A93A",
          "attributes" : {
            "name" : {
              "value" : "PROD-HRDB-MKEY",
              "newValue" : "PROD-GLOBAL-HRDB-MKEY",
              "newType" : "text"
            },
            "contactInfo" : "jscott@example.com",
            "deactivationDate" : "2024-07-31 09:00:00",
            "protectStopDate" : "2024-04-30 09:00:00",
            "extractable" : "FALSE"
          }
        }
      }
    }
  3. Run the okv managed-object attribute modify command using the generated JSON file.
    okv managed-object attribute modify --from-json modify_attributes.json

    Output similar to the following appears:

    {
      "result": "Success",
      "value": {
        "attributes": {
          "contactInfo": "Modified",
          "deactivationDate": "Modified",
          "name": "Modified",
          "protectStopDate": "Modified",
          "extractable" : "Modified"
        }
      }
    }

5.8 okv managed-object certificate get Command

The okv managed-object certificate get command retrieves a digital certificate.

Required Authorization

The endpoint must have read permission on the certificate object.

Syntax

okv managed-object certificate get --output_format OUTPUT_FORMAT --uuid UUID

JSON Input File Template

{
  "service": {
    "category": "managed-object",
    "resource": "certificate",
    "action": "get",
    "options": {
      "uuid": "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--uuid / uuid

Required

Universally unique ID (UUID) of the certificate.

To find the unique identifier for the object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column.

--output_format

Optional

Specifies the output format of the command. The command completes with exit code 0 when it runs successfully, and with exit code 1 when it fails and generates a relevant error message.

The default value is:

  • text

Note:

Use the CLI command syntax to specify the output_format option. By default, the output format is JSON. However, the output_format option with a value as 'text' displays the output in text format. Use of text output format removes the need to parse JSON output. The option is useful when the output of a command serves as input for another command.

JSON Example

  1. Generate JSON input for the okv managed-object certificate get command.
    okv managed-object certificate get --generate-json-input

    The generated input appears as follows:

    {
      "service": {
        "category": "managed-object",
        "resource": "certificate",
        "action": "get",
        "options": {
          "uuid": "#VALUE"
        }
      }
    }
  2. Save the generated input to a file (for example, get_cert.json) and then edit it to retrieve the specified certificate.
    {
      "service": {
        "category": "managed-object",
        "resource": "certificate",
        "action": "get",
        "options": {
          "uuid": "EEED2C4F-33D7-4F9A-BF02-52DD2225A43A"
        }
      }
    }
  3. Run the okv managed-object certificate get command using the generated JSON file.
    okv managed-object certificate get --from-json get_cert.json

    Output similar to the following appears:

    {
      "result": "Success",
      "value": {
        "object": "-----BEGIN CERTIFICATE-----\nMIIDdzCCAl+gAwIBAgICfVEwDQYJKoZIhvcNAQELBQAwazELMAkGA1UEBhMCdXMx\nEzARB << output truncated >> AYP\n4vwrDwBdNdGtj36GqjuCpz/xCVM9ieSRxJU8\n-----END CERTIFICATE-----"
      }
    }

Example Using Text as Output Format

okv managed-object certificate get --output_format text --uuid EEED2C4F-33D7-4F9A-BF02-52DD2225A43A

Output

Output similar to the following appears:

-----BEGIN CERTIFICATE-----\nMIIDdzCCAl+gAwIBAgICfVEwDQYJKoZIhvcNAQELBQAwazELMAkGA1UEBhMCdXMx\nEzARB << output truncated >> AYP\n4vwrDwBdNdGtj36GqjuCpz/xCVM9ieSRxJU8\n-----END CERTIFICATE-----
  

5.9 okv managed-object certificate register Command

The okv managed-object certificate register command registers a certificate.

Required Authorization

None

Syntax

okv managed-object certificate register --output_format <text|json> --object certificate_file_path --type certificate_type
 --sub-type certificate_sub_type --algorithm cryptographic_algorithm --length key_length --mask cryptographic_usage_mask
 --private-key-uuid private_key_uuid --wallet wallet_name --activation-date activation_date --deactivation-date deactivation_date 

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "certificate",
    "action" : "register",
    "options" : {
      "object" : "#VALUE",
      "algorithm" : "#RSA",
      "length" : "#1024,2048,4096(RSA)",
      "mask" : [ "#SIGN", "#VERIFY", "#ENCRYPT", "#DECRYPT", "#WRAP_KEY", "#UNWRAP_KEY", "#EXPORT", 
                   "#DERIVE_KEY", "#GENERATE_CRYPTOGRAM", "#VALIDATE_CRYPTOGRAM", "#TRANSLATE_ENCRYPT", 
                   "#TRANSLATE_DECRYPT", "#TRANSLATE_WRAP", "#TRANSLATE_UNWRAP" ],
      "type" : "X_509",
      "subType" : "#USER_CERT|TRUSTPOINT",
      "privateKeyUUID" : "#VALUE",
      "wallet" : "#VALUE",
      "attributes" : {
        "name" : {
          "value" : "#VALUE",
          "type" : "#text|uri"
        },
        "contactInfo" : "#VALUE",
        "activationDate" : "#VALUE",
        "deactivationDate" : "#VALUE",
        "processStartDate" : "#VALUE",
        "protectStopDate" : "#VALUE"
      }
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--object / object

Required

File path to the certificate object.

--type / type

Optional

Type of certificate. Enter the following value: X_509.

--sub-type / subType

Optional

Sub-type of the certificate. Choose from the following values:

  • USER_CERT
  • TRUSTPOINT

--algorithm / algorithm

Optional

Cryptographic algorithm of the public key contained in the certificate. If you omit this parameter, then the algorithm is retrieved from the certificate file that is being uploaded. Enter the following value:

  • RSA

--length / length

Optional

Length of the public key contained in the certificate. If you omit this parameter, then the key length is retrieved from the certificate file that is being uploaded. Choose from the following values:

  • 1024
  • 2048
  • 4096

--mask / mask

Optional

Cryptographic usage mask, enclosed in double quotation marks. Choose from the following values:

  • EXPORT
  • VERIFY

The default value is:

  • VERIFY

--private-key-uuid / privateKeyUUID

Optional

Universally unique ID (UUID) of the private key associated with the certificate object.

To find the unique identifier for the key, run the okv manage-access wallet list-objects command or the okv admin endpoint list-objects command.

--wallet / wallet

Optional

Wallet name. To find the names of existing wallets to which you have access, run the okv manage-access wallet list command.

--name / name

Optional

Specifies the name of a security object. The allowed values are:

  • value
  • type

The default type is text.

The following command-line forms are supported:

  • Complex data format, name attribute:
        --name '{"value" : "KEY1", "type" : "uri"}'
        --name '{"value" : "KEY1", "type" : "text"}'
  • Simplified data format, name attribute, with "text" as the default type:
        --name KEY1

--custom-attribute / customAttribute

Optional

Specifies custom defined attributes on the security object.

The following command-line forms are supported:

  • Complex data format, custom attribute (multiple instances):
        --custom-attribute '[ { "name": "x-OKV Certificate Expiration Date", "value" : "2017-04-29 18:14:51"}, { "name": "x-local-name", "value" : "HR"} ]'
  • Simplified data format, name attribute (single instance):
        --name KEY1
  • Simplified data format, custom attribute (multiple instances):
        --custom-attribute "x-local-name:HR"
        --custom-attribute '[ "x-local-name:HR", "x-local-id:100" ]'

--deactivation-date

 
Specifies when to deactivate a security object. It has the same format as activation-date. If you omit this parameter, then the deactivation date is retrieved from the certificate file that is being uploaded.
If deactivationDate meets the date criteria, the date is overwritten with the provided date.
 notBefore <= activationDate < notAfter
 activationDate < deactivationDate
If deactivation-date does not meet the criteria, an error message displays.

--activation-date

 
Specifies when to activate a security object. It has the following format.
"activationDate" : "now" --starts immediately
"activationDate" : "now+PT10M" --starts 10 minutes from now
"activationDate" : "2021-12-20 10:30:00" --starts at this date and time
"activationDate" : "2021-12-20 10:30:00+PT10M" --starts 10 minutes after this date and time
If you omit this parameter, then the activation date is retrieved from the certificate file that is being uploaded.
If activationDate meets the date criteria, the date is overwritten with the provided date.
    notBefore < deactivationDate <= notAfter
    activationDate < deactivationDate
If activation-date does not meet the criteria, an error message displays.
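Worked example of the date handling described for --activation-date and --deactivation-date. This is added code, not part of the Oracle Key Vault documentation or the okv CLI: it parses the four date expression forms listed above and reports which of the stated criteria an activation/deactivation pair violates against a certificate's validity window, so the check can be run before the register command is issued. Function names are assumptions; the validity window in the usage is constructed sample data, not a real certificate.

```python
import re
from datetime import datetime, timedelta, timezone

# Added example; it is not part of the Oracle Key Vault documentation and not
# okv CLI code. It parses the date expressions the page lists ("now",
# "now+PT10M", "2021-12-20 10:30:00", "2021-12-20 10:30:00+PT10M") and
# checks an activation/deactivation pair against a certificate's validity
# window using the criteria the page states. Function names are assumptions;
# the notBefore/notAfter values under __main__ are constructed sample data.

_TS_FMT = "%Y-%m-%d %H:%M:%S"
_DURATION = re.compile(
    r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$")


def parse_duration(text):
    """ISO 8601 duration subset PnDTnHnMnS (for example PT10M) -> timedelta."""
    m = _DURATION.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError("bad duration %r" % text)
    g = {k: int(v or 0) for k, v in m.groupdict().items()}
    return timedelta(days=g["d"], hours=g["h"], minutes=g["m"], seconds=g["s"])


def parse_okv_date(expr, now=None):
    """'now' or 'YYYY-MM-DD HH:mm:ss', optionally followed by '+<duration>'.
    Times are naive UTC, matching the `date --utc "+%F %T"` output on the page."""
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    base, plus, offset = expr.strip().partition("+")
    when = now if base == "now" else datetime.strptime(base, _TS_FMT)
    if plus:
        when += parse_duration(offset)
    return when


def check_dates(not_before, not_after, activation, deactivation):
    """Return the violated criteria (an empty list means the dates are acceptable):
      notBefore <= activationDate < notAfter
      notBefore <  deactivationDate <= notAfter
      activationDate < deactivationDate"""
    problems = []
    if not (not_before <= activation < not_after):
        problems.append("activationDate outside [notBefore, notAfter)")
    if not (not_before < deactivation <= not_after):
        problems.append("deactivationDate outside (notBefore, notAfter]")
    if not (activation < deactivation):
        problems.append("activationDate must precede deactivationDate")
    return problems


if __name__ == "__main__":
    # Constructed validity window, not taken from a real certificate.
    nb = parse_okv_date("2020-12-31 09:00:00")
    na = parse_okv_date("2024-12-31 09:00:00")
    print(check_dates(nb, na, parse_okv_date("2021-12-20 10:30:00+PT10M"), na))
```

Run the check with the notBefore and notAfter values read from the certificate you are about to register; an empty list means the CLI will accept the pair, and each string in the list names the criterion that would otherwise produce the error message.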

--attributes / attributes

Optional

Attribute names and their values. Enclose this value in double quotation marks if the value contains spaces, slashes, or colons. To find the existing attributes for the managed object, run the okv managed-object attribute list command.

You cannot specify attributes at the command line. If you want to use attributes, then you must use the JSON syntax.

Attributes that you can enter are as follows:

  • name includes the following:
    • value is the name value.
    • type is either text or uri. The default value is text.
  • contactInfo
  • The following date and time attributes:
    • activationDate
    • deactivationDate
    • protectStopDate
    • processStartDate

You can use different ways to set the date and time. Examples are as follows:

"activationDate" : "now" --starts immediately
"activationDate" : "now+PT10M" --starts 10 minutes from now
"activationDate" : "2021-12-20 10:30:00" --starts at this date and time
"activationDate" : "2021-12-20 10:30:00+PT10M" --starts 10 minutes after this date and time

To display the time in UTC format, use the Linux date command. For example:

$ date --utc "+%F %T"
2021-03-15 20:31:37

See Key Management Interoperability Protocol Specification Version 1.1 for details about these attributes.

--output_format

Optional

Specifies the output format of the command. The command completes with exit code 0 when the command is executed successfully, and with exit code 1 when the command fails and generates a relevant error message.

The default value is:

  • text

CLI Example

Note:

Use the CLI command syntax to specify the output_format option. By default, the output format is JSON. However, the output_format option with the value text displays the output in text format. Using the text output format removes the need to parse JSON output, which is useful when the output of one command serves as input for another command.

okv managed-object certificate register --type X_509 --private-key-uuid 95092BD2-B546-4F9A-BF0B-D8ECDC548546 --algorithm RSA --mask "ENCRYPT" --object /Users/dopark/test/my.crt --name cert_0701 --activation-date now --deactivation-date "2030-10-10 10:10:10"

JSON Example

  1. Generate JSON input for the okv managed-object certificate register command.
    okv managed-object certificate register --generate-json-input

    The generated input appears as follows:

    {
      "service" : {
        "category" : "managed-object",
        "resource" : "certificate",
        "action" : "register",
        "options" : {
          "object" : "#VALUE",
          "algorithm" : "#RSA",
          "length" : "#1024,2048,4096(RSA)",
           "mask" : [ "#SIGN", "#VERIFY", "#ENCRYPT", "#DECRYPT", "#WRAP_KEY", "#UNWRAP_KEY", "#EXPORT", 
                       "#DERIVE_KEY", "#GENERATE_CRYPTOGRAM", "#VALIDATE_CRYPTOGRAM", "#TRANSLATE_ENCRYPT", 
                       "#TRANSLATE_DECRYPT", "#TRANSLATE_WRAP", "#TRANSLATE_UNWRAP" ],
          "subType" : "#USER_CERT|TRUSTPOINT",
          "privateKeyUUID" : "#VALUE",
          "wallet" : "#VALUE",
          "attributes" : {
            "name" : {
              "value" : "#VALUE",
              "type" : "#text|uri"
            },
            "contactInfo" : "#VALUE",
            "activationDate" : "#VALUE",
            "deactivationDate" : "#VALUE",
            "processStartDate" : "#VALUE",
            "protectStopDate" : "#VALUE"
          }
        }
      }
    }
  2. Save the generated input to a file (for example, reg_cert.json) and then edit it to register the specified certificate.
    {
      "service" : {
        "category" : "managed-object",
        "resource" : "certificate",
        "action" : "register",
        "options" : {
          "object" : "./cert.pem",
          "algorithm" : "RSA",
          "length" : "2048",
          "mask" : [ "VERIFY"],
          "type" : "X_509",
          "subType" : "USER_CERT",
          "privateKeyUUID" : "D497994E-74CD-4F60-BF7C-52F254142705",
          "wallet" : "hr_wallet",
          "attributes" : {
            "name" : {
              "value" : "FINDB-PROD-CERT",
              "type" : "text"
            },
            "contactInfo" : "psmith@example.com",
            "activationDate" : "2020-12-31 09:00:00",
            "deactivationDate" : "2024-12-31 09:00:00",
            "processStartDate" : "2020-12-31 09:00:00",
            "protectStopDate" : "2024-12-31 09:00:00"
          }
        }
      }
    }
  3. Run the okv managed-object certificate register command using the generated JSON file.
    okv managed-object certificate register --from-json reg_cert.json

    Output similar to the following appears:

    {
      "result" : "Success",
      "value" : {
        "uuid" : "EEED2C4F-33D7-4F9A-BF02-52DD2225A43A"
      }
    }

Example Using Text as Output Format

okv managed-object certificate register --output_format text --object certificate_file_path --type certificate_type --sub-type certificate_sub_type --algorithm cryptographic_algorithm --length key_length --mask cryptographic_usage_mask --private-key-uuid private_key_uuid  --wallet wallet_name

Output

Output similar to the following appears:

"EEED2C4F-33D7-4F9A-BF02-52DD2225A43A"
  

5.10 okv managed-object certificate-request get Command

The okv managed-object certificate-request get command retrieves a certificate request.

Required Authorization

The endpoint must have read permission on the certificate request object.

Syntax

okv managed-object certificate-request get --output_format OUTPUT_FORMAT --uuid UUID

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "certificate-request",
    "action" : "get",
    "options" : {
      "uuid" : "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--uuid / uuid

Required

Universally unique ID (UUID) of the certificate request.

To find the unique identifier for the certificate request, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column.

--output_format

Optional

Specifies the output format of the command. The command completes with exit code 0 when the command is executed successfully, and with exit code 1 when the command fails and generates a relevant error message.

The default value is:

  • text

Note:

Use the CLI command syntax to specify the output_format option. By default, the output format is JSON. However, the output_format option with the value text displays the output in text format. Using the text output format removes the need to parse JSON output, which is useful when the output of one command serves as input for another command.

JSON Example

  1. Generate JSON input for the okv managed-object certificate-request get command.
    okv managed-object certificate-request get --generate-json-input

    The generated input appears as follows:

    {
      "service" : {
        "category" : "managed-object",
        "resource" : "certificate-request",
        "action" : "get",
        "options" : {
          "uuid" : "#VALUE"
        }
      }
    }
  2. Save the generated input to a file (for example, get_cert_req.json) and then edit it to specify the UUID of the certificate request.
    {
      "service" : {
        "category" : "managed-object",
        "resource" : "certificate-request",
        "action" : "get",
        "options" : {
          "uuid" : "BC0E9004-82E0-4FFA-BFF2-29A67DDD5C64"
        }
      }
    }
  3. Run the okv managed-object certificate-request get command using the generated JSON file.
    okv managed-object certificate-request get --from-json get_cert_req.json

    Output similar to the following appears:

    {
      "result" : "Success",
      "value" : {
        "object" : "-----BEGIN NEW CERTIFICATE REQUEST-----\nMIIC5TCCAc0CAQAwdDELMAkGA1UEBhMCdXMxEzARBgNVBAgTCkNhbGlmb3JuaWEx << output truncated >> \nDtWoeZfNYHcWPFmHK8aiLCgzeFG62xRdyg==\n-----END NEW CERTIFICATE REQUEST-----"
      }
    }

Example Using Text as Output Format

okv managed-object certificate-request get --output_format text --uuid BC0E9004-82E0-4FFA-BFF2-29A67DDD5C64

Output

Output similar to the following appears:

"-----BEGIN NEW CERTIFICATE REQUEST-----\nMIIC5TCCAc0CAQAwdDELMAkGA1UEBhMCdXMxEzARBgNVBAgTCkNhbGlmb3JuaWEx << output truncated >> \nDtWoeZfNYHcWPFmHK8aiLCgzeFG62xRdyg==\n-----END NEW CERTIFICATE REQUEST-----"
  

5.11 okv managed-object certificate-request register Command

The okv managed-object certificate-request register command registers a certificate request object with Oracle Key Vault.

Required Authorization

None

Syntax

okv managed-object certificate-request register --output_format <text|json> --object certificate_request_file_path --type certificate_request_type --private-key-uuid private_key_uuid --wallet wallet_name

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "certificate-request",
    "action" : "register",
    "options" : {
      "type" : "#CRMF,PKCS10,PEM,PGP",
      "object" : "#VALUE",
      "privateKeyUUID" : "#VALUE",
      "wallet" : "#VALUE",
      "attributes" : {
        "name" : {
          "value" : "#VALUE",
          "type" : "#text|uri"
        },
        "contactInfo" : "#VALUE",
        "activationDate" : "#VALUE",
        "deactivationDate" : "#VALUE",
        "processStartDate" : "#VALUE",
        "protectStopDate" : "#VALUE"
      }
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--object / object

Required

File path to the certificate request object.

--type / type

Optional

Type of certificate request. Choose from the following values:

  • CRMF
  • PKCS10
  • PGP

    The default value is:

  • PEM

--private-key-uuid / privateKeyUUID

Required

Universally unique ID (UUID) of the private key associated with the certificate request to be registered.

To find the unique identifier for the key, run the okv manage-access wallet list-objects command or the okv admin endpoint list-objects command.

--wallet / wallet

Optional

Wallet name. To find the names of existing wallets to which you have access, run the okv manage-access wallet list command.

/attributes

Optional

Attribute names and their values. Enclose this value in double quotation marks if the value contains spaces, slashes, or colons. To find the existing attributes for the managed object, run the okv managed-object attribute list command.

You cannot specify attributes at the command line. If you want to use attributes, then you must use the JSON syntax.

Attributes that you can enter are as follows:

  • name includes the following:
    • value is the name value.
    • type is either text or uri. The default value is text.
  • contactInfo
  • The following date and time attributes:
    • activationDate
    • deactivationDate
    • protectStopDate
    • processStartDate

You can use different ways to set the date and time. Examples are as follows:

"activationDate" : "now" --starts immediately
"activationDate" : "now+PT10M" --starts 10 minutes from now
"activationDate" : "2021-12-20 10:30:00" --starts at this date and time
"activationDate" : "2021-12-20 10:30:00+PT10M" --starts 10 minutes after this date and time

To display the time in UTC format, use the Linux date command. For example:

$ date --utc "+%F %T"
2021-03-15 20:31:37

See Key Management Interoperability Protocol Specification Version 1.1 for details about these attributes.

--name

 

Specifies the name of a security object. The allowed values are:

  • value
  • type

The default value is:

  • text
    - Complex data format, name attribute in command line:
            --name '{"value" : "KEY1", "type" : "uri"}' or
            --name '{"value" : "KEY1", "type" : "text"}'
    - Simplified data format, name attribute in command line, when type is "text" as the default:
            --name KEY1

--custom-attribute / customAttribute

 

Specifies a custom defined attribute on the security object.

    - Complex data format, custom attribute (single instance), in command line:
            --custom-attribute '{ "name": "x-OKV Certificate Expiration Date", "value" : "2017-04-29 18:14:51"}'
    - Complex data format, custom attribute (multi instance), in command line:
            --custom-attribute '[ { "name": "x-OKV Certificate Expiration Date",
               "value" : "2017-04-29 18:14:51"}, { "name": "x-local-name", "value" : "HR"} ]'
    - Simplified data format, name attribute (single instance), in command line:
            --name KEY1
    - Simplified data format, custom attribute (multi instance), in command line:
            --custom-attribute "x-local-name:HR"
            --custom-attribute '[ "x-local-name:HR", "x-local-id:100" ]'

--deactivation-date

 

Specifies when to deactivate a security object. It has the same format as activation-date.

--activation-date

 
Specifies when to activate a security object. It has the following format.
"activationDate" : "now" --starts immediately
"activationDate" : "now+PT10M" --starts 10 minutes from now
"activationDate" : "2021-12-20 10:30:00" --starts at this date and time
"activationDate" : "2021-12-20 10:30:00+PT10M" --starts 10 minutes after this date and time

--output_format

Optional

Specifies the output format of the command. The command completes with exit code 0 when the command is executed successfully, and with exit code 1 when the command fails and generates a relevant error message.

The default value is:

  • text

Note:

Use the CLI command syntax to specify the output_format option. By default, the output format is JSON. However, the output_format option with the value text displays the output in text format. Using the text output format removes the need to parse JSON output, which is useful when the output of one command serves as input for another command.

CLI Example

okv managed-object certificate-request register --name "FINDB-PROD-CERTREQ" --custom-attribute "x-local-name:HR" --activation-date "2020-12-31 09:00:00" --deactivation-date "2024-12-31 09:00:00"

JSON Example

  1. Generate JSON input for the okv managed-object certificate-request register command.
    okv managed-object certificate-request register --generate-json-input

    The generated input appears as follows:

    {
      "service" : {
        "category" : "managed-object",
        "resource" : "certificate-request",
        "action" : "register",
        "options" : {
          "type" : "#CRMF,PKCS10,PEM,PGP",
          "object" : "#VALUE",
          "privateKeyUUID" : "#VALUE",
          "wallet" : "#VALUE",
          "attributes" : {
            "name" : {
              "value" : "#VALUE",
              "type" : "#text|uri"
            },
            "contactInfo" : "#VALUE",
            "activationDate" : "#VALUE",
            "deactivationDate" : "#VALUE",
            "processStartDate" : "#VALUE",
            "protectStopDate" : "#VALUE"
          }
        }
      }
    }
  2. Save the generated input to a file (for example, reg_cert_req.json) and then edit it to specify the appropriate certificate request values.
    {
      "service" : {
        "category" : "managed-object",
        "resource" : "certificate-request",
        "action" : "register",
        "options" : {
          "type" : "PEM",
          "object" : "./cert_req.pem",
          "privateKeyUUID" : "D497994E-74CD-4F60-BF7C-52F254142705",
          "wallet" : "hr_wallet",
          "attributes" : {
            "name" : {
              "value" : "FINDB-PROD-CERTREQ",
              "type" : "text"
            },
            "contactInfo" : "psmith@example.com",
            "activationDate" : "2020-12-31 09:00:00",
            "deactivationDate" : "2024-12-31 09:00:00",
            "processStartDate" : "2020-12-31 09:00:00",
            "protectStopDate" : "2024-12-31 09:00:00"
          }
        }
      }
    }
  3. Run the okv managed-object certificate-request register command using the generated JSON file.
    okv managed-object certificate-request register --from-json reg_cert_req.json

    Output similar to the following appears:

    {
      "result" : "Success",
      "value" : {
        "uuid" : "BC0E9004-82E0-4FFA-BFF2-29A67DDD5C64"
      }
    }

Example Using Text as Output Format

okv managed-object certificate-request register --output_format text --object "./cert_req.pem" --type "PEM" --private-key-uuid "D497994E-74CD-4F60-BF7C-52F254142705" --wallet hr_wallet --activation-date now --name hr_csr --custom-attribute "x-local-name:HR"

Output

Output similar to the following appears:

"BC0E9004-82E0-4FFA-BFF2-29A67DDD5C64"
  

5.12 okv managed-object custom-attribute add Command

The okv managed-object custom-attribute add command adds a custom attribute to a security object.

Required Authorization

The endpoint must have read-modify permission on the object.

Syntax

okv managed-object custom-attribute add --custom-attribute <custom attribute> --uuid <uuid>

You may use the JSON syntax for this command to specify the attributes with the --uuid parameter specified at the command line. This is useful for cases where you want to apply the same attribute values to multiple objects. You can re-use the same JSON file and specify different UUIDs at the command line.

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "custom-attribute",
    "action" : "add",
    "options" : {
      "uuid" : "#VALUE",
      "customAttribute" : {
        "name" : "#VALUE",
        "value" : "#VALUE",
        "type" : "#TEXT|NUMBER"
      }
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--uuid / uuid

Required

Universally unique ID (UUID) of the security object.

To find the unique identifier for the object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column.

--custom-attribute / customAttribute

Required

Custom attribute name. Include the prefix x- in the attribute name. Do not use the prefix of x-OKV with custom attribute names. The custom attributes that start with the x-OKV prefix are reserved for use by Oracle Key Vault only. You must use the JSON syntax to specify the attribute. You cannot specify attributes at the command line. To find the existing attributes for the managed object, run the okv managed-object attribute list command.

You must specify these values for the custom attribute:

  • name is the name of the value that you want to add.
  • value is the value of the attribute.
  • type is either text or number.

See Key Management Interoperability Protocol Specification Version 1.1 for details about JSON attributes.

Note:

Use the CLI command syntax to specify the output_format option. By default, the output format is JSON. However, the output_format option with the value text displays the output in text format. Using the text output format removes the need to parse JSON output, which is useful when the output of one command serves as input for another command.

JSON Example

  1. Generate JSON input for the okv managed-object custom-attribute add command.
    okv managed-object custom-attribute add --generate-json-input

    The generated input appears as follows:

    {
      "service" : {
        "category" : "managed-object",
        "resource" : "custom-attribute",
        "action" : "add",
        "options" : {
          "uuid" : "#VALUE",
          "customAttribute" : {
            "name" : "#VALUE",
            "value" : "#VALUE",
            "type" : "#TEXT|NUMBER"
          }
        }
      }
    }
  2. Save the generated input to a file (for example, add_cust_attr.json) and then edit it to include the custom attribute to the security object.
    {
      "service": {
        "category": "managed-object",
        "resource": "custom-attribute",
        "action": "add",
        "options": {
          "uuid": "3C695846-BB8D-4FD2-BFC4-E646ACB60404",
          "customAttribute": {
            "name": "x-ApplicationTag",
            "value": "HR-Production",
            "type": "TEXT"
          }
        }
      }
    }
  3. Run the okv managed-object custom-attribute add command using the generated JSON file.
    okv managed-object custom-attribute add --from-json add_cust_attr.json

    Output similar to the following appears:

    {
      "result" : "Success"
    }

5.13 okv managed-object custom-attribute delete Command

The okv managed-object custom-attribute delete command deletes a custom attribute of a security object.

Required Authorization

The endpoint must have read-modify permission on the object.

Syntax

okv managed-object custom-attribute delete --custom-attribute <custom attribute> --uuid <uuid>

You may use the JSON syntax for this command to specify the attributes with the --uuid parameter specified at the command line. This is useful for cases where you want to apply the same attribute values to multiple objects. You can re-use the same JSON file and specify different UUIDs at the command line.

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "custom-attribute",
    "action" : "delete",
    "options" : {
      "uuid" : "#VALUE",
      "customAttribute" : {
        "name" : "#VALUE",
        "index" : "#VALUE"
      }
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--uuid / uuid

Required

Universally unique ID (UUID) of the security object.

To find the unique identifier for the object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column.

--custom-attribute / customAttribute

Required

Custom attribute name and its index. Do not use the prefix of x-OKV with custom attribute names. The custom attributes that start with the x-OKV prefix are reserved for use by Oracle Key Vault only. You must use the JSON syntax to specify the attribute. You cannot specify attributes at the command line. To find the existing attributes for a managed object, run the okv managed-object attribute get-all command.

You must specify these values for the attribute:

  • name is the name of the value.
  • index is the index of the value.

Note:

Do not use the prefix of x-OKV with custom attribute names. The custom attributes that start with the x-OKV prefix are reserved for use by Oracle Key Vault only.

See Key Management Interoperability Protocol Specification Version 1.1 for details about these attributes.

JSON Example

  1. Generate JSON input for the okv managed-object custom-attribute delete command.
    okv managed-object custom-attribute delete --generate-json-input

    The generated input appears as follows:

    {
      "service" : {
        "category" : "managed-object",
        "resource" : "custom-attribute",
        "action" : "delete",
        "options" : {
          "uuid" : "#VALUE",
          "customAttribute" : {
            "name" : "#VALUE",
            "index" : "#VALUE"
          }
        }
      }
    }
  2. Save the generated input to a file (for example, del_cust_attr.json) and then edit it so that you can delete the custom attribute.
    {
      "service" : {
        "category" : "managed-object",
        "resource" : "custom-attribute",
        "action" : "delete",
        "options" : {
          "uuid" : "2359E04F-DA61-4F7C-BF9F-913D3369A93A",
          "customAttribute" : {
            "name" : "x-ApplicationTag",
            "index" : "1"
          }
        }
      }
    }
  3. Run the okv managed-object custom-attribute delete command using the generated JSON file.
    okv managed-object custom-attribute delete --from-json del_cust_attr.json

    Output similar to the following appears:

    {
      "result" : "Success"
    }

5.14 okv managed-object custom-attribute modify Command

The okv managed-object custom-attribute modify command modifies a custom attribute of a security object.

Required Authorization

The endpoint must have read-modify permission on the object.

Syntax

okv managed-object custom-attribute modify --custom-attribute <custom attribute> --uuid <uuid>

You may use the JSON syntax for this command to specify the attributes with the --uuid parameter specified at the command line. This is useful for cases where you want to apply the same attribute values to multiple objects. You can re-use the same JSON file and specify different UUIDs at the command line.

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "custom-attribute",
    "action" : "modify",
    "options" : {
      "uuid" : "#VALUE",
      "customAttribute" : {
        "name" : "#VALUE",
        "newValue" : "#VALUE",
        "index" : "#VALUE"
      }
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--uuid / uuid

Required

Universally unique ID (UUID) of the security object.

To find the unique identifier for the object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column.

/ customAttribute

Required

Custom attribute name, value, and index. You must use the JSON syntax to specify the attribute. You cannot specify attributes at the command line. To find the existing attributes for the managed object, run the okv managed-object attribute get-all command.

You cannot specify attributes at the command line. You must use the JSON syntax to modify a custom attribute.

You must specify these values for the attribute:

  • name is the name of the attribute that you want to modify.
  • newValue is the new value for the attribute.
  • index is the index of the attribute that you want to modify.

Note:

Do not use the prefix of x-OKV with custom attribute names. The custom attributes that start with the x-OKV prefix are reserved for use by Oracle Key Vault only.

See Key Management Interoperability Protocol Specification Version 1.1 for details about JSON attributes.

JSON Example

  1. Generate JSON input for the okv managed-object custom-attribute modify command.
    okv managed-object custom-attribute modify --generate-json-input

    The generated input appears as follows:

    {
      "service" : {
        "category" : "managed-object",
        "resource" : "custom-attribute",
        "action" : "modify",
        "options" : {
          "uuid" : "#VALUE",
          "customAttribute" : {
            "name" : "#VALUE",
            "newValue" : "#VALUE",
            "index" : "#VALUE"
          }
        }
      }
    }
  2. Save the generated input to a file (for example, modify_cust_attr.json) and then edit it to modify the custom attribute.
    {
      "service" : {
        "category" : "managed-object",
        "resource" : "custom-attribute",
        "action" : "modify",
        "options" : {
          "uuid" : "2359E04F-DA61-4F7C-BF9F-913D3369A93A",
          "customAttribute" : {
            "name" : "x-ApplicationTag",
            "newValue" : "Global-HR-Production",
            "index" : "1"
          }
        }
      }
    }
  3. Run the okv managed-object custom-attribute modify command using the generated JSON file.
    okv managed-object custom-attribute modify --from-json modify_cust_attr.json

    Output similar to the following appears:

    {
      "result" : "Success"
    }
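The add, delete and modify custom-attribute commands (5.12 to 5.14) share the same JSON envelope and the same naming rules. The following Python helpers are an added example, not part of the Oracle Key Vault documentation or the okv CLI; they build the three JSON input documents and reject a name without the x- prefix, a name with the reserved x-OKV prefix, a type other than TEXT or NUMBER, a non-numeric NUMBER value, and a malformed UUID or index. Function names are assumptions; the UUIDs and attribute names in the usage are the page's own sample values.

```python
import json
import re

# Added example; it is not part of the Oracle Key Vault documentation and not
# okv CLI code. It builds the JSON input files for the custom-attribute add,
# delete and modify commands (5.12 to 5.14) and enforces the rules the page
# states: the name carries the x- prefix, the x-OKV prefix is reserved for
# Oracle Key Vault, the type is TEXT or NUMBER, and delete/modify address one
# instance by index. Function names are assumptions.

_UUID_RE = re.compile(r"^[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}$", re.IGNORECASE)


def check_uuid(uuid):
    if not _UUID_RE.match(uuid):
        raise ValueError("not a UUID: %r" % uuid)
    return uuid.upper()


def check_custom_name(name):
    if not name.startswith("x-"):
        raise ValueError("custom attribute names must start with x-: %r" % name)
    # Compared case-insensitively on the assumption that X-OKV... is just as
    # reserved as x-OKV...; the page states the rule for the x-OKV spelling.
    if name.lower().startswith("x-okv"):
        raise ValueError("the x-OKV prefix is reserved for Oracle Key Vault: %r" % name)
    return name


def _check_index(index):
    # The page's examples pass the index as the string "1"; keep that shape
    # but refuse anything that is not a non-negative integer.
    if not str(index).isdigit():
        raise ValueError("index must be a non-negative integer: %r" % index)
    return str(index)


def _envelope(action, uuid, custom_attribute):
    return {"service": {"category": "managed-object",
                        "resource": "custom-attribute",
                        "action": action,
                        "options": {"uuid": check_uuid(uuid),
                                    "customAttribute": custom_attribute}}}


def custom_attribute_add(uuid, name, value, attr_type="TEXT"):
    attr_type = attr_type.upper()
    if attr_type not in ("TEXT", "NUMBER"):
        raise ValueError("type must be TEXT or NUMBER: %r" % attr_type)
    if attr_type == "NUMBER":
        float(value)  # raises ValueError when the value is not numeric
    return _envelope("add", uuid, {"name": check_custom_name(name),
                                   "value": str(value), "type": attr_type})


def custom_attribute_delete(uuid, name, index):
    return _envelope("delete", uuid, {"name": check_custom_name(name),
                                      "index": _check_index(index)})


def custom_attribute_modify(uuid, name, new_value, index):
    return _envelope("modify", uuid, {"name": check_custom_name(name),
                                      "newValue": str(new_value),
                                      "index": _check_index(index)})


def write_input_file(path, doc):
    """Write the document in the layout the okv --from-json examples use."""
    with open(path, "w") as fh:
        json.dump(doc, fh, indent=2)
    return path


if __name__ == "__main__":
    doc = custom_attribute_add("3C695846-BB8D-4FD2-BFC4-E646ACB60404",
                               "x-ApplicationTag", "HR-Production")
    print(json.dumps(doc, indent=2))
```

Because the uuid is the only field that changes between objects, the same document can be regenerated for each UUID and passed with --from-json, which is the reuse pattern the syntax sections describe.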

5.15 okv managed-object key create Command

The okv managed-object key create command creates a symmetric key. 

Required Authorization

None

Syntax

okv managed-object key create --extractable --output_format <text|json> --algorithm cryptographic_algorithm --length key_length --mask cryptographic_usage_mask --wallet wallet_name --name name_value --custom-attribute custom_attribute_value --activation-date activation_date --deactivation-date deactivation_date

JSON Input File Template

{
  "service": {
    "category": "managed-object",
    "resource": "key",
    "action": "create",
    "options": {
      "algorithm": "#3DES|AES",
      "length": "#112,168(3DES)|128,192,256(AES)",
      "mask" : [ "#SIGN", "#VERIFY", "#ENCRYPT", "#DECRYPT", "#WRAP_KEY", "#UNWRAP_KEY", "#EXPORT",
                 "#DERIVE_KEY", "#GENERATE_CRYPTOGRAM", "#VALIDATE_CRYPTOGRAM", "#TRANSLATE_ENCRYPT",
                 "#TRANSLATE_DECRYPT", "#TRANSLATE_WRAP", "#TRANSLATE_UNWRAP" ],
      "wallet": "#VALUE",
      "attributes": {
         "extractable" : "#TRUE|FALSE"
      }
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--algorithm / algorithm

Optional

Cryptographic algorithm. Choose from the following values:

  • AES
  • 3DES

    The default value is:

  • AES

--length / length

Optional

Key length for the algorithm. Choose from the following values:

  • For AES: 128, 192, 256
  • For 3DES: 112, 168

    The default value is:

  • 256

--mask / mask

Optional

Cryptographic usage mask, enclosed in double quotation marks. Choose from the following values:

  • ENCRYPT
  • DECRYPT
  • DERIVE_KEY
  • EXPORT
  • GENERATE_CRYPTOGRAM
  • TRANSLATE_DECRYPT
  • TRANSLATE_ENCRYPT
  • TRANSLATE_UNWRAP
  • TRANSLATE_WRAP
  • UNWRAP_KEY
  • VALIDATE_CRYPTOGRAM
  • WRAP_KEY

The default values are:

  • ENCRYPT
  • DECRYPT
  • UNWRAP_KEY
  • WRAP_KEY

--wallet / wallet

Optional

Wallet name. To find the names of existing wallets to which you have access, run the okv manage-access wallet list command.

--extractable / attributes

Optional

Sets the extractable attribute.

  • TRUE Allows the object to be extracted from Oracle Key Vault.

  • FALSE Prevents the key material within the object from being extracted from Oracle Key Vault. However, the metadata of the object (including object attributes, state, and so on) can still be retrieved from Oracle Key Vault.

If you do not set the extractable attribute, then this value is inherited from the endpoint's configuration. In the command line, you can only specify the extractable attribute setting that is stricter than the endpoint's effective setting. For example, you cannot set the extractable attribute to TRUE if it is set to FALSE in the endpoint. However, you can always set the extractable attribute value to FALSE in the command line.
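Worked example for the key create parameters above, added here and not taken from the Oracle Key Vault documentation or the okv CLI: it builds the JSON input document for the command and refuses an algorithm/length pair, a mask value or an extractable setting that the rules above do not allow. Function and constant names are assumptions; the endpoint's effective extractable setting is passed in as a parameter because this example has no access to the endpoint configuration.

```python
import json

# Added example; it is not part of the Oracle Key Vault documentation and not
# okv CLI code. It builds the JSON input for "okv managed-object key create"
# and checks the request against the values the page lists: the algorithm and
# length pairs, the cryptographic usage mask values and their defaults, and
# the rule that the extractable attribute may only be made stricter than the
# endpoint's effective setting. Function and constant names are assumptions.

ALLOWED_LENGTHS = {"AES": (128, 192, 256), "3DES": (112, 168)}
ALLOWED_MASK = {"ENCRYPT", "DECRYPT", "DERIVE_KEY", "EXPORT", "GENERATE_CRYPTOGRAM",
                "TRANSLATE_DECRYPT", "TRANSLATE_ENCRYPT", "TRANSLATE_UNWRAP",
                "TRANSLATE_WRAP", "UNWRAP_KEY", "VALIDATE_CRYPTOGRAM", "WRAP_KEY"}
DEFAULT_MASK = ["ENCRYPT", "DECRYPT", "UNWRAP_KEY", "WRAP_KEY"]


def resolve_extractable(endpoint_effective, requested=None):
    """None inherits the endpoint's setting. TRUE is accepted only when the
    endpoint already permits extraction; FALSE is always accepted."""
    if requested is None:
        return endpoint_effective
    if requested and not endpoint_effective:
        raise ValueError("extractable TRUE refused: the endpoint's effective setting is FALSE")
    return requested


def build_key_create(algorithm="AES", length=None, mask=None, wallet=None,
                     extractable=None, endpoint_extractable=False):
    algorithm = algorithm.upper()
    if algorithm not in ALLOWED_LENGTHS:
        raise ValueError("algorithm must be AES or 3DES: %r" % algorithm)
    if length is None:
        # The page's default length is 256, which only exists for AES.
        if algorithm != "AES":
            raise ValueError("length is required for %s" % algorithm)
        length = 256
    if int(length) not in ALLOWED_LENGTHS[algorithm]:
        raise ValueError("length %r is not valid for %s" % (length, algorithm))
    mask = [m.upper() for m in (mask or DEFAULT_MASK)]
    unknown = sorted(set(mask) - ALLOWED_MASK)
    if unknown:
        raise ValueError("unknown mask value(s): %s" % ", ".join(unknown))
    options = {"algorithm": algorithm, "length": str(int(length)), "mask": mask}
    if wallet:
        options["wallet"] = wallet
    if extractable is not None:
        # Emit the attribute only when it was set; omitted means inherited.
        effective = resolve_extractable(endpoint_extractable, extractable)
        options["attributes"] = {"extractable": "TRUE" if effective else "FALSE"}
    return {"service": {"category": "managed-object", "resource": "key",
                        "action": "create", "options": options}}


if __name__ == "__main__":
    doc = build_key_create("AES", 128, ["ENCRYPT"], wallet="hr_wallet",
                           extractable=False, endpoint_extractable=True)
    print(json.dumps(doc, indent=2))
```

Keeping the mask to the operations the key actually needs and leaving extractable at FALSE is the least-privilege choice; the builder makes a request that asks for more than the endpoint allows fail locally rather than at the server.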

--name

 

Specifies the name of a security object. The allowed values are:

  • value
  • type

The default value is:

  • text
    - Complex data format, name attribute in command line:
            --name '{"value" : "KEY1", "type" : "uri"}' or
            --name '{"value" : "KEY1", "type" : "text"}'
    - Simplified data format, name attribute in command line, when type is "text" as the default:
            --name KEY1

--custom-attribute / customAttribute

 

Specifies a custom defined attribute on the security object.

    - Complex data format, custom attribute (single instance), in command line:
            --custom-attribute '{ "name": "x-OKV Certificate Expiration Date", "value" : "2017-04-29 18:14:51"}'
    - Complex data format, custom attribute (multi instance), in command line:
            --custom-attribute '[ { "name": "x-OKV Certificate Expiration Date",
               "value" : "2017-04-29 18:14:51"}, { "name": "x-local-name", "value" : "HR"} ]'
    - Simplified data format, name attribute (single instance), in command line:
            --name KEY1
    - Simplified data format, custom attribute (multi instance), in command line:
            --custom-attribute "x-local-name:HR"
            --custom-attribute '[ "x-local-name:HR", "x-local-id:100" ]'
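The --name and --custom-attribute parameters above (and the identical descriptions under the certificate register and certificate-request register commands) accept either a simplified string form or a JSON form. The following Python helper, added here as an example and not taken from the Oracle Key Vault documentation or the okv CLI, normalises both forms into the name and customAttribute shapes of the JSON input templates; the function names are assumptions. It also repairs word-processor quotation marks, which the shell passes through unchanged but a JSON parser rejects.

```python
import json

# Added example; it is not part of the Oracle Key Vault documentation and not
# okv CLI code. It normalises the two input forms the page shows for --name
# and --custom-attribute into the JSON shapes the input-file templates use.
# Function names are assumptions made for this example.

_SMART_QUOTES = {"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"}


def _plain_quotes(text):
    # Word-processor quotes pasted into a shell break json.loads; map them
    # back to ASCII quotes before parsing.
    for bad, good in _SMART_QUOTES.items():
        text = text.replace(bad, good)
    return text


def parse_name_arg(arg):
    """--name in simplified form ('KEY1') or complex form
    ('{"value" : "KEY1", "type" : "uri"}'); returns {"value", "type"}.
    The type defaults to "text" when it is omitted."""
    arg = _plain_quotes(arg.strip())
    if arg.startswith("{"):
        obj = json.loads(arg)
        value, typ = obj["value"], obj.get("type", "text")
    else:
        value, typ = arg, "text"
    if typ not in ("text", "uri"):
        raise ValueError("name type must be text or uri, got %r" % typ)
    if not value:
        raise ValueError("name value must not be empty")
    return {"value": value, "type": typ}


def _split_simple(item):
    # "x-local-name:HR" -> ("x-local-name", "HR"); split on the first colon
    # only, so a value such as a timestamp keeps its own colons.
    if ":" not in item:
        raise ValueError("expected name:value, got %r" % item)
    name, value = item.split(":", 1)
    return name.strip(), value.strip()


def parse_custom_attribute_arg(arg):
    """--custom-attribute in any of the forms on the page: a single
    'x-name:value', a JSON list of such strings, a single JSON object or a
    JSON list of {"name", "value"} objects. Returns a list of dicts."""
    arg = _plain_quotes(arg.strip())
    if arg.startswith("["):
        items = json.loads(arg)
    elif arg.startswith("{"):
        items = [json.loads(arg)]
    else:
        items = [arg]
    out = []
    for item in items:
        if isinstance(item, dict):
            name, value = item["name"], item["value"]
        else:
            name, value = _split_simple(item)
        if not name.startswith("x-"):
            raise ValueError("custom attribute names carry the x- prefix: %r" % name)
        out.append({"name": name, "value": str(value)})
    return out


if __name__ == "__main__":
    print(parse_name_arg("KEY1"))
    print(parse_custom_attribute_arg('[ "x-local-name:HR", "x-local-id:100" ]'))
```

The single-colon split matters for the custom-attribute timestamp example on the page: "x-expiry:2017-04-29 18:14:51" must keep the colons in its value, so only the first colon separates name from value.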

--deactivation-date

 

Specifies when to deactivate a security object. It has the same format as activation-date.

--activation-date

 

Specifies when to activate a security object. It uses one of the following formats:

"activationDate" : "now" --starts immediately
"activationDate" : "now+PT10M" --starts 10 minutes from now
"activationDate" : "2021-12-20 10:30:00" --starts at this date and time
"activationDate" : "2021-12-20 10:30:00+PT10M" --starts 10 minutes after this date and time

--output_format

Optional

Specifies the output format of the command. The command completes with exit code 0 when it runs successfully, and with exit code 1 when it fails and prints a relevant error message.

Note:

Use the CLI command syntax to specify the output_format option. By default, the output format is JSON. Setting output_format to 'text' displays the output in text format instead, which removes the need to parse JSON output. This is useful when the output of one command serves as input for another command.

Example without using JSON

okv managed-object key create --length 128 --algorithm AES --mask "ENCRYPT" --name dw_0706

JSON Example

  1. Generate JSON input for the okv managed-object key create command.
    okv managed-object key create --generate-json-input

    The generated input appears as follows:

    {
      "service": {
        "category": "managed-object",
        "resource": "key",
        "action": "create",
        "options": {
          "algorithm": "#3DES|AES",
          "length": "#112,168(3DES)|128,192,256(AES)",
          "mask" : [ "#SIGN", "#VERIFY", "#ENCRYPT", "#DECRYPT", "#WRAP_KEY", "#UNWRAP_KEY", "#EXPORT",
                     "#DERIVE_KEY", "#GENERATE_CRYPTOGRAM", "#VALIDATE_CRYPTOGRAM", "#TRANSLATE_ENCRYPT",
                     "#TRANSLATE_DECRYPT", "#TRANSLATE_WRAP", "#TRANSLATE_UNWRAP" ],
          "wallet": "#VALUE",
          "attributes": {
             "extractable" : "#TRUE|FALSE"
          }
        }
      }
    }
  2. Save the generated input to a file (for example, create_key.json) and then edit it to create the key.
    {
      "service": {
        "category": "managed-object",
        "resource": "key",
        "action": "create",
        "options": {
          "algorithm": "AES",
          "length": "256",
          "mask": [
            "ENCRYPT",
            "DECRYPT"
          ],
          "wallet": "hr_wallet",
          "attributes": {
             "extractable" : "FALSE"
          }
        }
      }
    }
  3. Run the okv managed-object key create command using the generated JSON file.
    okv managed-object key create --from-json create_key.json

    Output similar to the following appears:

    {
      "result": "Success",
      "value": {
        "uuid": "2359E04F-DA61-4F7C-BF9F-913D3369A93A"
      }
    }

Example Using Text as Output Format

okv managed-object key create --extractable false --output_format text --algorithm cryptographic_algorithm --length key_length --mask cryptographic_usage_mask --wallet wallet_name

Output

Output similar to the following appears:

"2359E04F-DA61-4F7C-BF9F-913D3369A93A"
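
The create workflow above, assembled end to end as an added example (my code, not Oracle's or part of the okv CLI): it builds the --from-json request from the documented template, rejects requests that violate the documented algorithm/length, mask and extractable rules before they reach the CLI, and parses both the JSON and the text output formats back into a plain UUID. It assumes okv is on PATH for create_key, and the caller supplies the endpoint's effective extractable setting; the function names are my own.

```python
"""Build, pre-validate and submit an `okv managed-object key create` request.

Added example; not part of the Oracle Key Vault documentation or the okv CLI.
It mirrors the JSON template shown above and enforces the documented
constraints client-side: algorithm/length pairs, the mask value list, and the
rule that the CLI may only make the extractable setting stricter than the
endpoint's effective setting. How that effective setting is obtained is out of
scope here; the caller passes it in (assumption).
"""
import json
import re
import subprocess

ALLOWED_LENGTHS = {"AES": {128, 192, 256}, "3DES": {112, 168}}
ALLOWED_MASK = {
    "SIGN", "VERIFY", "ENCRYPT", "DECRYPT", "WRAP_KEY", "UNWRAP_KEY", "EXPORT",
    "DERIVE_KEY", "GENERATE_CRYPTOGRAM", "VALIDATE_CRYPTOGRAM",
    "TRANSLATE_ENCRYPT", "TRANSLATE_DECRYPT", "TRANSLATE_WRAP", "TRANSLATE_UNWRAP",
}
# UUIDs in okv output are upper-case hex, e.g. 2359E04F-DA61-4F7C-BF9F-913D3369A93A
UUID_RE = re.compile(r"^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}$")


def build_key_create_request(wallet, algorithm="AES", length=256,
                             mask=("ENCRYPT", "DECRYPT"), extractable=None,
                             endpoint_extractable=False):
    """Return the JSON document for `okv managed-object key create --from-json`.

    extractable=None omits the attribute so the endpoint's setting is inherited.
    endpoint_extractable is the endpoint's effective setting (caller-supplied).
    """
    algorithm = algorithm.upper()
    if algorithm not in ALLOWED_LENGTHS:
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    if length not in ALLOWED_LENGTHS[algorithm]:
        raise ValueError(f"{algorithm} does not support a {length}-bit key")
    unknown = set(mask) - ALLOWED_MASK
    if unknown:
        raise ValueError(f"unknown mask value(s): {sorted(unknown)}")
    options = {
        "algorithm": algorithm,
        "length": str(length),   # the template carries the length as a string
        "mask": list(mask),
        "wallet": wallet,
        "attributes": {},
    }
    if extractable is not None:
        # Documented rule: TRUE is only allowed when the endpoint already allows
        # extraction; FALSE is always allowed because it is stricter.
        if extractable and not endpoint_extractable:
            raise ValueError("endpoint is non-extractable; cannot set extractable TRUE")
        options["attributes"]["extractable"] = "TRUE" if extractable else "FALSE"
    if not options["attributes"]:
        del options["attributes"]
    return {"service": {"category": "managed-object", "resource": "key",
                        "action": "create", "options": options}}


def parse_create_output(raw, output_format="json"):
    """Extract the new object's UUID from the command output.

    JSON output: {"result": "Success", "value": {"uuid": "..."}}; a failure
    carries "result": "Failure" and a "message". Text output is the UUID
    alone, wrapped in double quotes.
    """
    if output_format == "text":
        uuid = raw.strip().strip('"')
    else:
        doc = json.loads(raw)
        if doc.get("result") != "Success":
            raise RuntimeError(doc.get("message", "okv command failed"))
        uuid = doc["value"]["uuid"]
    if not UUID_RE.match(uuid):
        raise ValueError(f"unexpected UUID in output: {uuid!r}")
    return uuid


def create_key(request, json_path="create_key.json"):
    """Write the request file, run okv (assumed on PATH) and return the UUID."""
    with open(json_path, "w", encoding="utf-8") as fh:
        json.dump(request, fh, indent=2)
    cmd = ["okv", "managed-object", "key", "create", "--from-json", json_path]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    if proc.returncode != 0:   # documented: exit code 1 on failure
        raise RuntimeError(proc.stderr.strip() or proc.stdout.strip())
    return parse_create_output(proc.stdout)
```

Only create_key touches the CLI; the builder and the output parser can be exercised offline against the sample output shown above.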
  

5.16 okv managed-object key get Command

The okv managed-object key get command retrieves a symmetric key.

Required Authorization

The endpoint must have read permission on the key object.

Syntax

okv managed-object key get --output_format <text|json> --uuid UUID

JSON Input File Template

{
  "service": {
    "category": "managed-object",
    "resource": "key",
    "action": "get",
    "options": {
      "uuid": "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--uuid / uuid

Required

Universally unique ID (UUID) of the key.

To find the unique identifier for the object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column.

--contact-info / contactInfo

Optional

The attribute is used for descriptive purposes only.

--deactivation-date / deactivationDate

Optional

Specifies when to deactivate a security object. It has the same format as activation-date. If you omit this parameter, then the deactivation date is retrieved from the certificate file that is being uploaded.

If deactivationDate meets the following date criteria, then the date is overwritten with the provided date:

 notBefore <= activationDate < notAfter
 activationDate < deactivationDate

If deactivation-date does not meet the criteria, then an error message is displayed.

--name / name

Optional

Specifies the name of a security object. The name has the following fields:

  • value is the name value.
  • type is either text or uri. The default type is text.

At the command line, --name accepts either of the following forms:

  • Complex format (JSON), which sets both fields:
            --name '{"value" : "KEY1", "type" : "uri"}'
            --name '{"value" : "KEY1", "type" : "text"}'
  • Simplified format, which sets only the value and uses the default type text:
            --name KEY1

--process-start-date / processStartDate

Optional

Specifies the date and time when a valid security object begins to process cryptographically protected information.

--protect-stop-date / protectStopDate

Optional

Specifies the date and time after which a valid security object cannot be used for applying cryptographic protection.

--activation-date / activationDate

Optional

Specifies when to activate a security object. It uses one of the following formats:

"activationDate" : "now" --starts immediately
"activationDate" : "now+PT10M" --starts 10 minutes from now
"activationDate" : "2021-12-20 10:30:00" --starts at this date and time
"activationDate" : "2021-12-20 10:30:00+PT10M" --starts 10 minutes after this date and time

If you omit this parameter, then the activation date is retrieved from the certificate file that is being uploaded.

If activationDate meets the following date criteria, then the date is overwritten with the provided date:

    notBefore < deactivationDate <= notAfter
    activationDate < deactivationDate

If activation-date does not meet the criteria, then an error message is displayed.

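
The date expressions and the notBefore/notAfter criteria above, implemented as an added example (my code, not Oracle's or part of the okv CLI): parse_okv_date resolves the four documented expression forms to a UTC datetime, and check_lifecycle_dates reports which of the documented criteria a proposed activation/deactivation pair violates. It assumes the server compares these values as UTC, in line with the date --utc advice given on this page; the function names are my own.

```python
"""Parse okv date expressions and check activation/deactivation criteria.

Added example; not part of the Oracle Key Vault documentation or the okv
CLI, and the function names are my own. Accepted expressions are the four
forms documented above: "now", "now+PT10M", "YYYY-MM-DD HH:mm:ss" and
"YYYY-MM-DD HH:mm:ss+PT10M". Assumption: the server treats these values as
UTC, so everything here is resolved to aware UTC datetimes.
"""
import re
from datetime import datetime, timedelta, timezone

# ISO 8601 duration limited to days, hours, minutes and seconds (e.g. PT10M, P1DT2H).
_DURATION = re.compile(
    r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$")


def parse_duration(text):
    """Convert an ISO 8601 duration such as PT10M into a timedelta."""
    m = _DURATION.match(text)
    if not m or not any(m.groupdict().values()):
        raise ValueError(f"bad duration {text!r}")
    parts = {k: int(v) for k, v in m.groupdict().items() if v is not None}
    return timedelta(days=parts.get("d", 0), hours=parts.get("h", 0),
                     minutes=parts.get("m", 0), seconds=parts.get("s", 0))


def parse_okv_date(expr, now=None):
    """Resolve an okv date expression to an aware UTC datetime.

    `now` may be injected for deterministic evaluation; it defaults to the
    current UTC time, which is what "now" means on the command line.
    """
    now = now or datetime.now(timezone.utc)
    base, plus, offset = expr.strip().partition("+")
    if base == "now":
        when = now
    else:
        # Same layout the page shows and that `date --utc "+%F %T"` prints.
        when = datetime.strptime(base, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    if plus:
        when += parse_duration(offset)
    return when


def check_lifecycle_dates(activation, deactivation, not_before=None, not_after=None):
    """Return the documented criteria that a proposed date pair violates.

    Criteria as stated on the page (notBefore/notAfter come from the
    certificate being uploaded and are optional here):
        notBefore <= activationDate  <  notAfter
        notBefore <  deactivationDate <= notAfter
        activationDate < deactivationDate
    An empty list means the dates are consistent.
    """
    problems = []
    if not activation < deactivation:
        problems.append("activationDate must be earlier than deactivationDate")
    if not_before is not None and not_after is not None:
        if not not_before <= activation < not_after:
            problems.append("activationDate must lie within [notBefore, notAfter)")
        if not not_before < deactivation <= not_after:
            problems.append("deactivationDate must lie within (notBefore, notAfter]")
    return problems
```
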
--output_format

Optional

Specifies the output format of the command. The command completes with exit code 0 when it runs successfully, and with exit code 1 when it fails and prints a relevant error message.

Note:

Use the CLI command syntax to specify the output_format option. By default, the output format is JSON. Setting output_format to 'text' displays the output in text format instead, which removes the need to parse JSON output. This is useful when the output of one command serves as input for another command.

JSON Example

  1. Generate JSON input for the okv managed-object key get command.
    okv managed-object key get --generate-json-input

    The generated input appears as follows:

    {
      "service": {
        "category": "managed-object",
        "resource": "key",
        "action": "get",
        "options": {
          "uuid": "#VALUE"
        }
      }
    }
  2. Save the generated input to a file (for example, get_key.json) and then edit it to get the specified key.
    {
      "service": {
        "category": "managed-object",
        "resource": "key",
        "action": "get",
        "options": {
          "uuid": "2359E04F-DA61-4F7C-BF9F-913D3369A93A"
        }
      }
    }
  3. Run the okv managed-object key get command using the generated JSON file.
    okv managed-object key get --from-json get_key.json

    Output similar to the following appears:

    {
      "result": "Success",
      "value": {
        "object": "E7A641D77DDAF074C62E7A2C2355F2B8D9CD49486E6AF7F38A22CBDEC91630D0"
      }
    }

    If the symmetric key is not extractable, then the following message appears:

    {
     "result" : "Failure",
     "message" : "Operation Result Status: Operation Failed, Result Reason: Unavailable"
    }

Example Using Text as Output Format

okv managed-object key get --output_format text --uuid 2359E04F-DA61-4F7C-BF9F-913D3369A93A

Output

Output similar to the following appears:

"E7A641D77DDAF074C62E7A2C2355F2B8D9CD49486E6AF7F38A22CBDEC91630D0"
  

5.17 okv managed-object key register Command

The okv managed-object key register command registers a symmetric key.

Required Authorization

None

Syntax

okv managed-object key register --extractable false --output_format <text|json> --algorithm cryptographic_algorithm
--length key_length --mask cryptographic_usage_mask --object key_file_path --wallet wallet_name --name name_value
--custom-attribute custom_attribute_value --activation-date activation_date --deactivation-date deactivation_date

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "key",
    "action" : "register",
    "options" : {
      "length" : "#112,168(3DES)|128,192,256(AES)",
      "object" : "#VALUE",
      "algorithm" : "#3DES|AES",
      "mask" : [ "#SIGN", "#VERIFY", "#ENCRYPT", "#DECRYPT", "#WRAP_KEY", "#UNWRAP_KEY", "#EXPORT",
                 "#DERIVE_KEY", "#GENERATE_CRYPTOGRAM", "#VALIDATE_CRYPTOGRAM", "#TRANSLATE_ENCRYPT",
                 "#TRANSLATE_DECRYPT", "#TRANSLATE_WRAP", "#TRANSLATE_UNWRAP" ],
      "wallet" : "#VALUE",
      "attributes" : {
        "name" : {
          "value" : "#VALUE",
          "type" : "#text|uri"
        },
        "contactInfo" : "#VALUE",
         "activationDate" : "#YYYY-MM-DD HH:mm:ss",
        "deactivationDate" : "#VALUE",
        "processStartDate" : "#VALUE",
        "protectStopDate" : "#VALUE",
        "extractable" : "#TRUE|FALSE"
      }
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--algorithm / algorithm

Optional

Cryptographic algorithm. Choose from the following values:

  • AES
  • 3DES

    The default value is:

  • AES

--length / length

Optional

Key length for the algorithm. Choose from the following values:

  • For AES: 128, 192, 256
  • For 3DES: 112, 168

    The default value is:

  • 256

--mask / mask

Optional

Cryptographic usage mask, enclosed in double quotation marks. Choose from the following values:

  • ENCRYPT
  • DECRYPT
  • DERIVE_KEY
  • EXPORT
  • GENERATE_CRYPTOGRAM
  • TRANSLATE_DECRYPT
  • TRANSLATE_ENCRYPT
  • TRANSLATE_UNWRAP
  • TRANSLATE_WRAP
  • UNWRAP_KEY
  • VALIDATE_CRYPTOGRAM
  • WRAP_KEY

The default values are:

  • ENCRYPT
  • DECRYPT
  • WRAP_KEY
  • UNWRAP_KEY

--object / object

Required

File path to the symmetric key object.

--wallet / wallet

Optional

Wallet name. To find the names of existing wallets to which you have access, run the okv manage-access wallet list command.

attributes

Optional

Attribute names and their values. Enclose this value in double quotation marks if the value contains spaces, slashes, or colons. To find the existing attributes for the managed object, run the okv managed-object attribute list command.

You cannot specify attributes at the command line. If you want to use attributes, then you must use the JSON syntax.

Attributes that you can enter are as follows:

  • name includes the following:
    • value is the name value.
    • type is either text or uri.
  • contactInfo
  • The following date and time attributes:
    • activationDate
    • deactivationDate
    • protectStopDate
    • processStartDate
  • extractable can be set as follows:

    • TRUE Allows the object to be extracted from Oracle Key Vault.

    • FALSE Prevents the key material within the object from being extracted from Oracle Key Vault. However, the metadata of the object (including object attributes, state, and so on) can still be retrieved from Oracle Key Vault.

    If you do not set the extractable attribute, then this value is inherited from the endpoint's configuration. In the command line, you can only specify the extractable attribute setting that is stricter than the endpoint's effective setting. For example, you cannot set the extractable attribute to TRUE if it is set to FALSE in the endpoint. However, you can always set the extractable attribute value to FALSE in the command line.

You can use different ways to set the date and time. Examples are as follows:

"activationDate" : "now" --starts immediately
"activationDate" : "now+PT10M" --starts 10 minutes from now
"activationDate" : "2021-12-20 10:30:00" --starts at this date and time
"activationDate" : "2021-12-20 10:30:00+PT10M" --starts 10 minutes after this date and time

To display the time in UTC format, use the Linux date command. For example:

$ date --utc "+%F %T"
2021-03-15 20:31:37

See Key Management Interoperability Protocol Specification Version 1.1 for details about these attributes.

--name / name

 

Specifies the name of a security object. The name has the following fields:

  • value is the name value.
  • type is either text or uri. The default type is text.

At the command line, --name accepts either of the following forms:

  • Complex format (JSON), which sets both fields:
            --name '{"value" : "KEY1", "type" : "uri"}'
            --name '{"value" : "KEY1", "type" : "text"}'
  • Simplified format, which sets only the value and uses the default type text:
            --name KEY1

--custom-attribute / customAttribute

 

Specifies one or more custom-defined attributes on the security object. At the command line, --custom-attribute accepts either of the following forms:

  • Complex format (JSON), which sets the name and value of each attribute (one or more instances):
            --custom-attribute '[ { "name": "x-OKV Certificate Expiration Date", "value" : "2017-04-29 18:14:51"}, { "name": "x-local-name", "value" : "HR"} ]'
  • Simplified format, as name:value pairs, for a single instance or several:
            --custom-attribute "x-local-name:HR"
            --custom-attribute '[ "x-local-name:HR", "x-local-id:100" ]'

--deactivation-date

 

Specifies when to deactivate a security object. It has the same format as activation-date.

--activation-date

 

Specifies when to activate a security object. It uses one of the following formats:

"activationDate" : "now" --starts immediately
"activationDate" : "now+PT10M" --starts 10 minutes from now
"activationDate" : "2021-12-20 10:30:00" --starts at this date and time
"activationDate" : "2021-12-20 10:30:00+PT10M" --starts 10 minutes after this date and time

--output_format

Optional

Specifies the output format of the command. The command completes with exit code 0 when it runs successfully, and with exit code 1 when it fails and prints a relevant error message.

The default value is:

  • text

Note:

Use the CLI command syntax to specify the output_format option. By default, the output format is JSON. Setting output_format to 'text' displays the output in text format instead, which removes the need to parse JSON output. This is useful when the output of one command serves as input for another command.

Example without using JSON

        okv managed-object key register --length 128 --object /Users/dopark/test/my.key --algorithm AES --mask "ENCRYPT" --name dw_0701 --activation-date now --deactivation-date "2030-10-10 10:10:10"

        okv managed-object key register --name '{"value" : "dw_key_2"}' --activation-date activation_date --deactivation-date deactivation_date

        okv managed-object key register --name '{"value" : "dw_key_2", "type" : "uri"}' --activation-date activation_date --deactivation-date deactivation_date

        okv managed-object key register --name '{"value" : "dw_key_2", "type" : "text"}' --activation-date activation_date --deactivation-date deactivation_date

        okv managed-object key register --name '{"value" : "dw_key_2", "type" : "uri"}' --custom-attribute '[ { "name": "x-OKV Private Key UID", "value" : "CA8075A4-C13F-4FD0-BF58-FDB984CC879A"}, { "name": "x-NAME2", "value" : "11111"} ]' --activation-date activation_date --deactivation-date deactivation_date

JSON Example

  1. Generate JSON input for the okv managed-object key register command.
    okv managed-object key register --generate-json-input

    The generated input appears as follows:

    {
      "service" : {
        "category" : "managed-object",
        "resource" : "key",
        "action" : "register",
        "options" : {
          "length" : "#112,168(3DES)|128,192,256(AES)",
          "object" : "#VALUE",
          "algorithm" : "#3DES|AES",
          "mask" : [ "#SIGN", "#VERIFY", "#ENCRYPT", "#DECRYPT", "#WRAP_KEY", "#UNWRAP_KEY", "#EXPORT", 
                       "#DERIVE_KEY", "#GENERATE_CRYPTOGRAM", "#VALIDATE_CRYPTOGRAM", "#TRANSLATE_ENCRYPT", 
                       "#TRANSLATE_DECRYPT", "#TRANSLATE_WRAP", "#TRANSLATE_UNWRAP" ],
          "wallet" : "#VALUE",
          "attributes" : {
            "name" : {
              "value" : "#VALUE",
              "type" : "#text|uri"
            },
            "contactInfo" : "#VALUE",
            "activationDate" : "#YYYY-MM-DD HH:mm:ss",
            "deactivationDate" : "#VALUE",
            "processStartDate" : "#VALUE",
            "protectStopDate" : "#VALUE",
            "extractable" : "#TRUE|FALSE"
          }
        }
      }
    }
  2. Save the generated input to a file (for example, reg_key.json) and then edit it to register the key.
    {
      "service": {
        "category": "managed-object",
        "resource": "key",
        "action": "register",
        "options": {
          "length": "256",
          "object": "./object.txt",
          "algorithm": "AES",
          "mask": [
            "ENCRYPT",
            "DECRYPT"
          ],
          "wallet": "hr_wallet",
          "attributes": {
            "name": {
              "value": "FINDB-PROD-MKEY",
              "type": "text"
            },
            "contactInfo" : "pfitch@example.com",
            "activationDate" : "2020-12-31 09:00:00",
            "deactivationDate" : "2024-12-31 09:00:00",
            "processStartDate" : "2020-12-31 09:00:00",
            "protectStopDate" : "2024-12-31 09:00:00",
            "extractable" : "FALSE"
          }
        }
      }
    }
  3. Run the okv managed-object key register command using the generated JSON file.
    okv managed-object key register --from-json reg_key.json

    Output similar to the following appears:

    {
      "result": "Success",
      "value": {
        "uuid": "39BE0215-5D7B-4F38-BF5F-FC87C82AA004"
      }
    }

Example Using Text as Output Format

okv managed-object key register --output_format text --algorithm cryptographic_algorithm --length key_length --mask cryptographic_usage_mask --object key_file_path --wallet wallet_name

Output

Output similar to the following appears:

"39BE0215-5D7B-4F38-BF5F-FC87C82AA004"
  

5.18 okv managed-object object activate Command

The okv managed-object object activate command activates a security object.

See the OASIS Key Management Interoperability Protocol Specification Version 1.1 (OASIS Standard) for the various states that a security object can be in.

Required Authorization

The endpoint must have read-modify permission on the object.

Syntax

okv managed-object object activate --uuid UUID

JSON Input File Template

{
  "service": {
    "category": "managed-object",
    "resource": "object",
    "action": "activate",
    "options": {
      "uuid": "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--uuid / uuid

Required

Universally unique ID (UUID) of the security object.

To find the unique identifier for the object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column.

--output_format

Optional

Specifies the output format of the command. The command completes with exit code 0 when it runs successfully, and with exit code 1 when it fails and prints a relevant error message.

The default value is:

  • text

Note:

Use the CLI command syntax to specify the output_format option. By default, the output format is JSON. Setting output_format to 'text' displays the output in text format instead, which removes the need to parse JSON output. This is useful when the output of one command serves as input for another command.

JSON Example

  1. Generate JSON input for the okv managed-object object activate command.
    okv managed-object object activate --generate-json-input

    The generated input appears as follows:

    {
      "service": {
        "category": "managed-object",
        "resource": "object",
        "action": "activate",
        "options": {
          "uuid": "#VALUE"
        }
      }
    }
  2. Save the generated input to a file (for example, activate_object.json) and then edit it to activate the security object.
    {
      "service": {
        "category": "managed-object",
        "resource": "object",
        "action": "activate",
        "options": {
          "uuid": "2359E04F-DA61-4F7C-BF9F-913D3369A93A"
        }
      }
    }
  3. Run the okv managed-object object activate command using the generated JSON file.
    okv managed-object object activate --from-json activate_object.json

    Output similar to the following appears:

    {
     "result": "Success"
    }

Example Using Output Format Text

okv managed-object object activate --output_format text --uuid UUID

Output

Output similar to the following appears:
  • exit code 0 - Indicates Success
  • exit code 1 - Indicates Failure

5.19 okv managed-object object destroy Command

The okv managed-object object destroy command requests the server to destroy the key data for a security object.

Required Authorization

The endpoint must have read-modify permission on the object.

Syntax

okv managed-object object destroy --uuid UUID 

JSON Input File Template

{
  "service": {
    "category": "managed-object",
    "resource": "object",
    "action": "destroy",
    "options": {
      "uuid": "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--uuid / uuid

Required

Universally unique ID (UUID) of the security object.

To find the unique identifier for the object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column.

--output_format

Optional

Specifies the output format of the command. The command completes with exit code 0 when it runs successfully, and with exit code 1 when it fails and prints a relevant error message.

The default value is:

  • text

Note:

Use the CLI command syntax to specify the output_format option. By default, the output format is JSON. Setting output_format to 'text' displays the output in text format instead, which removes the need to parse JSON output. This is useful when the output of one command serves as input for another command.

JSON Example

  1. Generate JSON input for the okv managed-object object destroy command.
    okv managed-object object destroy --generate-json-input

    The generated input appears as follows:

    {
      "service": {
        "category": "managed-object",
        "resource": "object",
        "action": "destroy",
        "options": {
          "uuid": "#VALUE"
        }
      }
    }
  2. Save the generated input to a file (for example, destroy_obj.json) and then edit it so that you can destroy the security object data.
    {
      "service": {
        "category": "managed-object",
        "resource": "object",
        "action": "destroy",
        "options": {
          "uuid": "B36F3AD1-0AC7-4FEB-BF32-79E6F727ECB2"
        }
      }
    }
  3. Run the okv managed-object object destroy command using the generated JSON file.
    okv managed-object object destroy --from-json destroy_obj.json

    Output similar to the following appears:

    {
     "result": "Success"
    }

Example Using Output Format Text

okv managed-object object destroy --output_format text --uuid UUID 

Output

Output similar to the following appears:
  • exit code 0 - Indicates Success
  • exit code 1 - Indicates Failure

5.20 okv managed-object object locate Command

The okv managed-object object locate command locates a security object.

Required Authorization

The endpoint must have read permission on the objects.

Syntax

okv managed-object object locate --output_format <text|json> --max max_value --object-group-member object_group_member_type --state state_value --name name_value --custom-attribute custom_attributes_value

JSON Input File Template

okv managed-object object locate --generate-json-input

{
  "service" : {
    "category" : "managed-object",
    "resource" : "object",
    "action" : "locate",
    "options" : {
      "max" : "#VALUE",
      "objectGroupMember" : "#FRESH|DEFAULT",
      "attributes" : {
        "name" : {
          "value" : "#VALUE"
        },
        "state" : "#PRE-ACTIVE|ACTIVE|DEACTIVATED|COMPROMISED|DESTROYED|DESTROYED_COMPROMISED",
        "objectType" : "#VALUE",
        "fresh" : "#YES|NO",
        "objectGroup" : "#VALUE",
        "contactInfo" : "#VALUE",
        "cryptographicAlgorithm" : "#VALUE",
        "cryptographicLength" : "#VALUE",
        "cryptoUsageMask" : "#VALUE",
        "certificateLength" : "#VALUE",
        "certificateType" : "#VALUE",
        "x509CertificateSubject" : "#VALUE",
        "x509CertificateIssuer" : "#VALUE",
        "digitalSigningAlgorithm" : "#VALUE",
        "digest" : {
          "digestValue" : "#VALUE",
          "algorithm" : "#VALUE",
          "keyFormatType" : "#VALUE"
        },
        "link" : {
          "linkType" : "#VALUE",
          "linkValue" : "#VALUE"
        },
        "activationDate" : "#YYYY-MM-DD HH:mm:ss",
        "deactivationDate" : "#YYYY-MM-DD HH:mm:ss",
        "processStartDate" : "#YYYY-MM-DD HH:mm:ss",
        "protectStopDate" : "#YYYY-MM-DD HH:mm:ss",
        "initialDate" : "#YYYY-MM-DD HH:mm:ss",
        "lastChangeDate" : "#YYYY-MM-DD HH:mm:ss",
        "compromiseDate" : "#YYYY-MM-DD HH:mm:ss",
        "compromiseOccurrenceDate" : "#YYYY-MM-DD HH:mm:ss",
        "destroyDate" : "#YYYY-MM-DD HH:mm:ss",
        "archiveDate" : "#YYYY-MM-DD HH:mm:ss",
        "extractable" : "#TRUE|FALSE",
        "neverExtractable" : "#TRUE|FALSE"
      },
      "customAttributes" : [ {
        "name" : "#VALUE",
        "value" : "#VALUE",
        "type" : "#TEXT|NUMBER"
      } ]
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--max / max

Optional

Maximum number of objects that this command should return.

--object-group-member / objectGroupMember

Optional

Enter one of the following group values:

  • DEFAULT
  • FRESH

--state / state

Optional

Enter one of the following states:

  • PREACTIVE
  • ACTIVE
  • DEACTIVATED
  • COMPROMISED
  • DESTROYED
  • DESTROYED_COMPROMISED

--name / name

Optional

Name of the object to locate.

attributes

Required

Attribute names and their values of the object to locate. Enclose a value in double quotation marks if it contains spaces, slashes, or colons. You cannot specify attributes at the command line. If you want to use attributes, then you must use the JSON syntax.

Attributes that you can enter are as follows:

  • name includes value.
  • state is the state of the object.
  • objectType is the type of the object.
  • fresh indicates whether the object is fresh or not. Enter either YES or NO.
  • objectGroup is the object group or wallet name.
  • contactInfo is the contact information for the object.
  • cryptographicAlgorithm is the cryptographic algorithm of the object.
  • cryptographicLength is the cryptographic length of the object.
  • cryptoUsageMask is the usage mask of the object.
  • certificateType is the type of the certificate object.
  • x509CertificateSubject is the subject of the X.509 certificate.
  • x509CertificateIssuer is the issuer of the X.509 certificate.
  • digitalSigningAlgorithm is the digital signature algorithm of the object.
  • digest is the digest of the object, which includes:
    • digestValue is the value of the digest.
    • algorithm is the hashing algorithm.
    • keyFormatType is the format of the object.
  • link is the link attribute of the object, and it includes:
    • linkType is the type of the link.
    • linkValue is the linked object UUID.
  • The following date and time attributes:
    • activationDate
    • deactivationDate
    • processStartDate
    • protectStopDate
    • initialDate
    • lastChangeDate
    • compromiseDate
    • compromiseOccurrenceDate
    • destroyDate
    • archiveDate
  • extractable can be set as follows:

    • TRUE Allows the object to be extracted from Oracle Key Vault.

    • FALSE Prevents the key material within the object from being extracted from Oracle Key Vault. However, the metadata of the object (including object attributes, state, and so on) can still be retrieved from Oracle Key Vault.

  • neverExtractable tracks whether the extraction of the security object has always been restricted during its existence in the Oracle Key Vault server. Settings are as follows:
    • TRUE means that the security object was never extractable from Oracle Key Vault during the object's existence.
    • FALSE means that the security object was extractable from Oracle Key Vault at least once during the object's existence.

You can use different ways to set the date and time. For example:

"activationDate" : "2021-12-20 10:30:00" --starts at this date and time

To display the time in UTC format, use the Linux date command. For example:

$ date --utc "+%F %T"
2021-03-15 20:31:37

--activation-date / activationDate

Optional

Specifies when to activate a security object. It uses one of the following formats:

"activationDate" : "now" --starts immediately
"activationDate" : "now+PT10M" --starts 10 minutes from now
"activationDate" : "2021-12-20 10:30:00" --starts at this date and time
"activationDate" : "2021-12-20 10:30:00+PT10M" --starts 10 minutes after this date and time

If you omit this parameter, then the activation date is retrieved from the certificate file that is being uploaded.

If activationDate meets the following date criteria, then the date is overwritten with the provided date:

    notBefore < deactivationDate <= notAfter
    activationDate < deactivationDate

If activation-date does not meet the criteria, then an error message is displayed.

--archive-date / archiveDate

Optional

Specifies the date and time of the security object when placed in archival storage.

--certificate-length / certificateLength

Optional

Specifies the certificate object length in bytes.

--certificate-type / certificateType

Optional

Specifies the certificate type.

--compromise-date / compromiseDate

Optional

Specifies the date and time when the Managed Cryptographic Object entered the compromised state.

--compromise-occurrence-date / compromiseOccurrenceDate

Optional

Specifies the date and time when the security object was first believed to be compromised. Use this setting only when KEY_COMPROMISE is specified for the --code parameter.

--contact-info / contactInfo

Optional

The attribute is for descriptive purposes only.

--crypto-usage-mask / cryptoUsageMask

Optional

Specifies the cryptographic usage of the security object.

--cryptographic-algorithm / cryptographicAlgorithm

Optional

Specifies the algorithm used in the security object.

--cryptographic-length / cryptographicLength

Optional

Specifies the length in bits of the cryptographic key material of the security object.

--custom-attribute / customAttribute

Optional

Specifies the endpoint defined additional attributes that Oracle Key Vault cannot interpret.

--deactivation-date / deactivationDate

Optional

Specifies when to deactivate a security object. It has the same format as activation-date. If you omit this parameter, then the deactivation date is retrieved from the certificate file that is being uploaded.
If deactivationDate meets the date criteria, the date is overwritten with the provided date.
    notBefore <= activationDate < notAfter
    activationDate < deactivationDate
If deactivation-date does not meet the criteria, an error message is displayed.

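As an added illustration (not part of the Oracle documentation or of the okv tool), the following Python check applies the date criteria listed above for activation-date and deactivation-date before a certificate register call is made. Reading notBefore and notAfter out of the certificate is left to the caller; an omitted date is taken from the certificate, which this helper assumes means notBefore for the activation date and notAfter for the deactivation date.

```python
from datetime import datetime

# Date format used in the okv JSON input and on the command line.
OKV_DATE_FMT = "%Y-%m-%d %H:%M:%S"


def parse_okv_date(text):
    """Parse a 'YYYY-MM-DD HH:mm:ss' string into a datetime."""
    return datetime.strptime(text, OKV_DATE_FMT)


def check_certificate_dates(not_before, not_after,
                            activation_date=None, deactivation_date=None):
    """Apply the documented date criteria and return a list of violations.

    not_before / not_after: the validity window of the certificate being
    registered (reading them out of the certificate is left to the caller).
    activation_date / deactivation_date: the values given on the command line;
    None means the parameter is omitted. An omitted date is taken from the
    certificate; this helper assumes that means notBefore for the activation
    date and notAfter for the deactivation date.
    An empty list means the register call will not be rejected on date grounds.
    """
    nb = parse_okv_date(not_before)
    na = parse_okv_date(not_after)
    act = parse_okv_date(activation_date) if activation_date else nb
    deact = parse_okv_date(deactivation_date) if deactivation_date else na

    problems = []
    # Criteria for an explicitly supplied activation date.
    if activation_date and not (nb <= act < na):
        problems.append("activation-date: notBefore <= activationDate < notAfter is not satisfied")
    # Criteria for an explicitly supplied deactivation date.
    if deactivation_date and not (nb < deact <= na):
        problems.append("deactivation-date: notBefore < deactivationDate <= notAfter is not satisfied")
    # Ordering criterion shared by both parameters.
    if not act < deact:
        problems.append("activationDate < deactivationDate is not satisfied")
    return problems


if __name__ == "__main__":
    # Constructed sample: a certificate valid for calendar year 2021.
    for act, deact in [("2021-06-01 00:00:00", "2021-12-01 00:00:00"),
                       ("2020-12-31 23:59:59", None)]:
        print(act, deact, check_certificate_dates("2021-01-01 00:00:00",
                                                  "2022-01-01 00:00:00", act, deact))
```
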
--destroy-date / destroyDate

Optional

Specifies the date and time when the security object was destroyed.

--digest / digest

Optional

Specifies the digest value of the security object.

--digital-signing-algorithm / digitalSigningAlgorithm

Optional

Specifies the digital signature algorithm associated with a digitally signed object.

--extractable / extractable

Optional

Specifies whether the object value can be retrieved: TRUE or FALSE.
  • FALSE: The server prevents the object value from being retrieved.
  • TRUE: The default value if the client does not provide a value.

--initial-date / initialDate

Optional

Specifies the date and time when the security object was first created or registered at the server.

--last-change-date / lastChangeDate

Optional

Specifies the date and time of the last change of the specified object.

--link / link

Optional

Specifies the link from one security object to another, closely related target security object.

--max / max

Optional

Specifies the maximum number of objects that this command should return.

--name / name

Optional

Specifies the name of the object to locate.

--never-extractable / neverExtractable

Optional

TRUE if the Extractable attribute of the object has always been FALSE.

--object-group-member / objectGroupMember

Optional

Specifies the object group member type as DEFAULT or FRESH.

--object-type / objectType

Optional

Specifies the security object type.

--process-start-date / processStartDate

Specifies the date and time when a valid security object can start processing the cryptographically protected information.

--protect-stop-date / protectStopDate

Optional

Specifies the date and time after which a valid security object cannot be used for applying cryptographic protection.

--state / state

Optional

Specifies the state of the object: PRE-ACTIVE, ACTIVE, DEACTIVATED, COMPROMISED, DESTROYED, or DESTROYED_COMPROMISED.

--x509-certificate-issuer / x509CertificateIssuer

Optional

Specifies the issuer distinguished name in the X.509 certificate.

--x509-certificate-subject / x509CertificateSubject

Optional

Specifies the subject distinguished name in the X.509 certificate.

--custom-attribute / customAttribute

Optional

List of custom attributes of the object to locate.

Custom attributes that you can enter are as follows:

  • name is the name of the custom attribute.
  • value is the value of the custom attribute.
  • type is either text or number.

The command line supports a simplified data format for the name attribute (single instance) and for custom attributes (multiple instances):

    --name KEY1
    --custom-attribute "x-local-name:HR"
    --custom-attribute '[ "x-local-name:HR", "x-local-id:100" ]'

See Key Management Interoperability Protocol Specification Version 1.1 for details about these attributes.

--name / name

Optional

Specifies the name of a security object. The name has two fields:

  • value
  • type

The default type is text.

The command line supports a complex data format for the name attribute:

    --name '{"value" : "KEY1", "type" : "uri"}' or
    --name '{"value" : "KEY1", "type" : "text"}'

and a simplified data format, in which the type defaults to text:

    --name KEY1

--output_format

Optional

Specifies the output format of the command. The command completes with exit code 0 when it runs successfully, and with exit code 1 when it fails, in which case it also prints a relevant error message.

The default value is:

  • text

Note:

Use the CLI command syntax to specify the output_format option. By default, the output format is JSON. Specifying the output_format option with the value text displays the output in text format, which removes the need to parse JSON output. This is useful when the output of one command serves as input to another command.

JSON Example

  1. Generate JSON input for the okv managed-object object locate command.
    okv managed-object object locate --generate-json-input

    The generated input appears as follows:

    {
      "service" : {
        "category" : "managed-object",
        "resource" : "object",
        "action" : "locate",
        "options" : {
          "max" : "#VALUE",
          "objectGroupMember" : "#FRESH|DEFAULT",
          "attributes" : {
            "name" : {
              "value" : "#VALUE"
            },
            "state" : "#PRE-ACTIVE|ACTIVE|DEACTIVATED|COMPROMISED|DESTROYED|DESTROYED_COMPROMISED",
            "objectType" : "#VALUE",
            "fresh" : "#YES|NO",
            "objectGroup" : "#VALUE",
            "contactInfo" : "#VALUE",
            "cryptographicAlgorithm" : "#VALUE",
            "cryptographicLength" : "#VALUE",
            "cryptoUsageMask" : "#VALUE",
            "certificateLength" : "#VALUE",
            "certificateType" : "#VALUE",
            "x509CertificateSubject" : "#VALUE",
            "x509CertificateIssuer" : "#VALUE",
            "digitalSigningAlgorithm" : "#VALUE",
            "digest" : {
              "digestValue" : "#VALUE",
              "algorithm" : "#VALUE",
              "keyFormatType" : "#VALUE"
            },
            "link" : {
              "linkType" : "#VALUE",
              "linkValue" : "#VALUE"
            },
            "activationDate" : "#YYYY-MM-DD HH:mm:ss",
            "deactivationDate" : "#YYYY-MM-DD HH:mm:ss",
            "processStartDate" : "#YYYY-MM-DD HH:mm:ss",
            "protectStopDate" : "#YYYY-MM-DD HH:mm:ss",
            "initialDate" : "#YYYY-MM-DD HH:mm:ss",
            "lastChangeDate" : "#YYYY-MM-DD HH:mm:ss",
            "compromiseDate" : "#YYYY-MM-DD HH:mm:ss",
            "compromiseOccurrenceDate" : "#YYYY-MM-DD HH:mm:ss",
            "destroyDate" : "#YYYY-MM-DD HH:mm:ss",
            "archiveDate" : "#YYYY-MM-DD HH:mm:ss",
            "extractable" : "#TRUE|FALSE",
            "neverExtractable" : "#TRUE|FALSE"
          },
          "customAttributes" : [ {
            "name" : "#VALUE",
            "value" : "#VALUE",
            "type" : "#TEXT|NUMBER"
          } ]
        }
      }
    }
  2. Save the generated input to a file (for example, locate_obj.json) and then edit it to locate the security object.
    {
      "service": {
        "category": "managed-object",
        "resource": "object",
        "action": "locate",
        "options": {
          "max": "10",
          "objectGroupMember": "FRESH",
          "attributes": {
            "state": "ACTIVE",
            "name": {
              "value": "key8"
            },
            "fresh": "Yes",
            "activationDate": "2021-04-10 07:16:00",
            "link": {
              "linkType": "Replaced Object Link",
              "linkValue": "6B13B7B3-BE61-4FF6-BFB0-4108231392F8"
            },
            "extractable": "FALSE",
            "neverExtractable": "TRUE"
          },
          "customAttributes": [ {
            "name": "x-test_1",
            "value": "test_1",
            "type": "TEXT"
          }, {
            "name": "x-number",
            "value": "1",
            "type": "NUMBER"
          } ]
        }
      }
    }
  3. Run the okv managed-object object locate command using the generated JSON file.
    okv managed-object object locate --from-json locate_obj.json

    Output similar to the following appears:

    {
      "result" : "Success",
      "value" : {
        "uuids" : [ "6C51CC04-BFA5-4FBD-BFB4-12DCCECAA355" ]
      }
    }

Example Using Output Format Text

okv managed-object object locate --output_format text --max max_value --object-group-member object_group_member_type --state state_value --name name_value --custom-attribute custom_attributes_value

Output

Output similar to the following appears:

"6C51CC04-BFA5-4FBD-BFB4-12DCCECAA355"
  

5.21 okv managed-object object query Command

The okv managed-object object query command identifies supported operations and objects.

Required Authorization

None

Syntax

okv managed-object object query

JSON Input File Template

{
  "service": {
    "category": "managed-object",
    "resource": "object",
    "action": "query"
  }
}

Parameters

None

JSON Example

  1. Generate JSON input for the okv managed-object object query command.
    okv managed-object object query --generate-json-input

    The generated input appears as follows:

    {
      "service": {
        "category": "managed-object",
        "resource": "object",
        "action": "query"
      }
    }
  2. Save the generated input to a file (for example, query_obj.json).
  3. Run the okv managed-object object query command using the generated JSON file.
    okv managed-object object query --from-json query_obj.json

    Output similar to the following appears:

    {
      "result": "Success",
      "value": {
        "objects": [
          "Symmetric Key",
          "Template",
          "Secret Data",
          "Opaque Object",
          "Certificate"
        ],
        "operations": [
          "Create",
          "Register",
          "Re-key",
          "Locate",
          "Check",
          "Get",
          "Get Attributes",
          "Get Attribute List",
          "Add Attribute",
          "Modify Attribute",
          "Delete Attribute",
          "Activate",
          "Revoke",
          "Destroy",
          "Query",
          "Discover Versions"
        ]
      }
    }

5.22 okv managed-object object revoke Command

The okv managed-object object revoke command revokes a security object.

Required Authorization

The endpoint must have read-modify permission on the object.

Syntax

okv managed-object object revoke --code code --reason reason --compromise-occurrence-date date --uuid UUID 

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "object",
    "action" : "revoke",
    "options" : {
      "code" : "#UNSPECIFIED|KEY_COMPROMISE|CA_COMPROMISE|AFFILIATION_CHANGED|SUPERSEDED|CESSATION_OF_OPERATION|PRIVILEGE_WITHDRAWN",
      "reason" : "#VALUE",
      "compromiseOccurrenceDate" : "#YYYY-MM-DD HH:mm:ss",
      "uuid" : "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--code / code

Optional

Enter one of the following values:

  • AFFILIATION_CHANGED
  • CA_COMPROMISE
  • CESSATION_OF_OPERATION
  • PRIVILEGE_WITHDRAWN
  • SUPERSEDED
  • UNSPECIFIED
  • KEY_COMPROMISE

The default value is:

  • KEY_COMPROMISE

--reason / reason

Required

Description of the reason for the revocation.

--compromise-occurrence-date / compromiseOccurrenceDate

Optional

Date the compromise took place. This setting is used only if KEY_COMPROMISE is selected for the --code / code parameter.

--uuid / uuid

Required

Universally unique ID (UUID) of the security object.

To find the unique identifier for the object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column.

--output_format

Optional

Specifies the output format of the command. The command completes with exit code 0 when it runs successfully, and with exit code 1 when it fails, in which case it also prints a relevant error message.

The default value is:

  • text

Note:

Use the CLI command syntax to specify the output_format option. By default, the output format is JSON. Specifying the output_format option with the value text displays the output in text format, which removes the need to parse JSON output. This is useful when the output of one command serves as input to another command.
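An added Python helper, not part of the okv tool, that assembles the revoke JSON input from the parameters above and enforces the documented constraints before the file is handed to --from-json: a valid code (KEY_COMPROMISE by default), the required reason and uuid, and compromiseOccurrenceDate only together with KEY_COMPROMISE. It also reads the result document the command returns. Treating a compromise date with any other code as an error (rather than dropping it) is this example's choice.

```python
import json
from datetime import datetime

# Revocation reason codes listed in the JSON input template for this command.
REVOCATION_CODES = {
    "UNSPECIFIED", "KEY_COMPROMISE", "CA_COMPROMISE", "AFFILIATION_CHANGED",
    "SUPERSEDED", "CESSATION_OF_OPERATION", "PRIVILEGE_WITHDRAWN",
}
OKV_DATE_FMT = "%Y-%m-%d %H:%M:%S"


def build_revoke_request(uuid, reason, code="KEY_COMPROMISE",
                         compromise_occurrence_date=None):
    """Return the JSON document for 'okv managed-object object revoke --from-json'.

    Enforces the documented parameter rules: reason and uuid are required,
    code must be one of the documented values (KEY_COMPROMISE is the default),
    and compromiseOccurrenceDate is only used with KEY_COMPROMISE, so passing it
    with any other code is treated as a caller error rather than silently dropped.
    """
    if not uuid or not reason:
        raise ValueError("both uuid and reason are required")
    if code not in REVOCATION_CODES:
        raise ValueError(f"unknown revocation code: {code!r}")
    options = {"code": code, "reason": reason, "uuid": uuid}
    if compromise_occurrence_date is not None:
        if code != "KEY_COMPROMISE":
            raise ValueError("compromiseOccurrenceDate is only used when code is KEY_COMPROMISE")
        # Reject a malformed date locally instead of learning about it from exit code 1.
        datetime.strptime(compromise_occurrence_date, OKV_DATE_FMT)
        options["compromiseOccurrenceDate"] = compromise_occurrence_date
    return {"service": {"category": "managed-object", "resource": "object",
                        "action": "revoke", "options": options}}


def revoke_succeeded(output_text):
    """Return True when the JSON output of the revoke command reports "Success"."""
    try:
        return json.loads(output_text).get("result") == "Success"
    except (ValueError, AttributeError):
        return False


if __name__ == "__main__":
    # Values taken from the JSON example for this command.
    request = build_revoke_request("E4CA6A16-B3CD-4F98-BF25-4A0EF482B8B8",
                                   "security incidence", "KEY_COMPROMISE",
                                   "2020-11-20 10:34:29")
    with open("revoke_obj.json", "w") as f:
        json.dump(request, f, indent=2)
    # Then run: okv managed-object object revoke --from-json revoke_obj.json
```
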

JSON Example

  1. Generate JSON input for the okv managed-object object revoke command.
    okv managed-object object revoke --generate-json-input

    The generated input appears as follows:

    {
      "service" : {
        "category" : "managed-object",
        "resource" : "object",
        "action" : "revoke",
        "options" : {
          "code" : "#UNSPECIFIED|KEY_COMPROMISE|CA_COMPROMISE|AFFILIATION_CHANGED|SUPERSEDED|CESSATION_OF_OPERATION|PRIVILEGE_WITHDRAWN",
          "reason" : "#VALUE",
          "compromiseOccurrenceDate" : "#YYYY-MM-DD HH:mm:ss",
          "uuid" : "#VALUE"
        }
      }
    }
  2. Save the generated input to a file (for example, revoke_obj.json) and then edit it so that you can revoke the security object privileges.
    {
      "service": {
        "category": "managed-object",
        "resource": "object",
        "action": "revoke",
        "options": {
          "code": "KEY_COMPROMISE",
          "reason": "security incidence",
          "compromiseOccurrenceDate": "2020-11-20 10:34:29",
          "uuid": "E4CA6A16-B3CD-4F98-BF25-4A0EF482B8B8"
        }
      }
    }
  3. Run the okv managed-object object revoke command using the generated JSON file.
    okv managed-object object revoke --from-json revoke_obj.json

    Output similar to the following appears:

    {
     "result": "Success"
    }

Example Using Output Format Text

okv managed-object object revoke --output_format text --code code --reason reason --compromise-occurrence-date date --uuid UUID 

Output

Output similar to the following appears:
  • exit code 0 - Indicates success
  • exit code 1 - Indicates failure

5.23 okv managed-object opaque get Command

The okv managed-object opaque get command retrieves an object that contains opaque data.

Required Authorization

The endpoint must have read permission on the object.

Syntax

okv managed-object opaque get --output_format OUTPUT_FORMAT --uuid UUID

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "opaque",
    "action" : "get",
    "options" : {
      "uuid" : "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--uuid / uuid

Required

Universally unique ID (UUID) of the security object.

To find the unique identifier for the object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column.

--output_format

Optional

Specifies the output format of the command. The command completes with exit code 0 when it runs successfully, and with exit code 1 when it fails, in which case it also prints a relevant error message.

The default value is:

  • text

Note:

Use the CLI command syntax to specify the output_format option. By default, the output format is JSON. Specifying the output_format option with the value text displays the output in text format, which removes the need to parse JSON output. This is useful when the output of one command serves as input to another command.

JSON Example

  1. Generate JSON input for the okv managed-object opaque get command.
    okv managed-object opaque get --generate-json-input

    The generated input appears as follows:

    {
      "service" : {
        "category" : "managed-object",
        "resource" : "opaque",
        "action" : "get",
        "options" : {
          "uuid" : "#VALUE"
        }
      }
    }
  2. Save the generated input to a file (for example, get_opaque_object.json) and then edit it to retrieve the data from the opaque object.
    {
      "service" : {
        "category" : "managed-object",
        "resource" : "opaque",
        "action" : "get",
        "options" : {
          "uuid" : "2359E04F-DA61-4F7C-BF9F-913D3369A93A"
        }
      }
    }
  3. Run the okv managed-object opaque get command using the generated JSON file.
    okv managed-object opaque get --from-json get_opaque_object.json

    Output similar to the following appears:

    {
      "result" : "Success",
      "value" : {
       "object" : "2D2D2D2D2D424547494E2050524956415445204B45592D2D2D2D2D0A4D494945765149424144414E42676B71686B6947397730424151454641415343424B637767675363
        <<<< Output Truncated>>>>
        7067533170633634656D3630686C72336B786C593858665734317A594A450A724546334C652F4A4F4B4968674A754C367352734C67553D0A2D2D2D2D2D454E442050524956415445204B45592D2D2D2D2D0A"
       }
     }

Example Using Output Format Text

okv managed-object opaque get --output_format text --uuid 2359E04F-DA61-4F7C-BF9F-913D3369A93A

Output

Output similar to the following appears:

2D2D2D2D2D424547494E2050524956415445204B45592D2D2D2D2D0A4D494945765149424144414E42676B71686B6947397730424151454641415343424B637767675363
<<<< Output Truncated>>>>
7067533170633634656D3630686C72336B786C593858665734317A594A450A724546334C652F4A4F4B4968674A754C367352734C67553D0A2D2D2D2D2D454E442050524956415445204B45592D2D2D2D2D0A
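The sample output above is a hex string: its first bytes, 2D2D2D2D2D42, decode to -----B, the start of a PEM header. The following Python helper is an added example, not part of the okv tool; it decodes that value from either the text-format output or the JSON document, checks that the result is a complete PEM block, and writes it to a file that only the owner can read. SAMPLE_HEX is a constructed, shortened value in the same encoding.

```python
import binascii
import json
import os

PEM_BEGIN = b"-----BEGIN "
PEM_END = b"-----END "

# Constructed sample in the same encoding as the page's output: a shortened
# PEM block, hex-encoded ("-----BEGIN PRIVATE KEY-----\nMIIE\n-----END PRIVATE KEY-----\n").
SAMPLE_HEX = ("2D2D2D2D2D424547494E2050524956415445204B45592D2D2D2D2D0A"
              "4D4949450A"
              "2D2D2D2D2D454E442050524956415445204B45592D2D2D2D2D0A")


def decode_opaque_object(raw):
    """Return the bytes of the object value returned by opaque get.

    raw may be the text-format output (a quoted hex string), the bare hex string,
    or the full JSON document returned when using --from-json.
    """
    text = raw.strip()
    if text.startswith("{"):
        text = json.loads(text)["value"]["object"]
    text = text.strip().strip('"')
    try:
        return binascii.unhexlify(text)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("object value is not a hex string") from exc


def pem_label(data):
    """Return the PEM label (e.g. 'PRIVATE KEY') if data is a complete PEM block, else None."""
    if not data.startswith(PEM_BEGIN):
        return None
    first_line = data.split(b"\n", 1)[0]
    label = first_line[len(PEM_BEGIN):].rstrip(b"-")
    if PEM_END + label + b"-----" not in data:
        return None
    return label.decode("ascii")


def write_private_file(path, data):
    """Write decoded key material to a new file that is readable by the owner only."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


if __name__ == "__main__":
    decoded = decode_opaque_object(SAMPLE_HEX)
    label = pem_label(decoded)
    if label is None:
        raise SystemExit("decoded object is not a complete PEM block")
    print("decoded a", label, "of", len(decoded), "bytes")
    write_private_file("opaque_object.pem", decoded)
```
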
  

5.24 okv managed-object opaque register Command

The okv managed-object opaque register command registers an opaque security object.

Objects containing opaque data are not necessarily interpreted by the server.

Required Authorization

None

Syntax

okv managed-object opaque register --object object_name --wallet wallet_name --name name_value --custom-attribute custom_attribute_value --activation-date activation_date --deactivation-date deactivation_date

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "opaque",
    "action" : "register",
    "options" : {
      "object" : "#VALUE",
      "wallet" : "#VALUE",
      "attributes" : {
        "name" : {
          "value" : "#VALUE",
          "type" : "#text|uri"
        },
        "contactInfo" : "#VALUE",
        "processStartDate" : "#NOW|YYYY-MM-DD HH:mm:ss",
        "protectStopDate" : "#NOW|YYYY-MM-DD HH:mm:ss"
      },
      "customAttributes" : [ {
        "name" : "#VALUE",
        "value" : "#VALUE",
        "type" : "#TEXT|NUMBER"
      } ]
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--object / object

Required

File path to the object.

--wallet / wallet

Optional

Wallet name. To find the names of existing wallets to which you have access, run the okv manage-access wallet list command.

/attributes

Optional

Attribute names and their values. Enclose this value in double quotation marks if the value contains spaces, slashes, or colons. To find the existing attributes for the managed object, run the okv managed-object attribute list command.

You cannot specify attributes at the command line. If you want to use attributes, then you must use the JSON syntax.

Attributes that you can enter are as follows:

  • name includes the following:
    • value is the name value.
    • type is either text or uri. The default value is text.
  • contactInfo
  • The following date and time attributes:
    • activationDate
    • deactivationDate
    • protectStopDate
    • processStartDate

You can use different ways to set the date and time. Examples are as follows:

"activationDate" : "now" --starts immediately
"activationDate" : "now+PT10M" --starts 10 minutes from now
"activationDate" : "2021-12-20 10:30:00" --starts at this date and time
"activationDate" : "2021-12-20 10:30:00+PT10M" --starts 10 minutes after this date and time

To display the time in UTC format, use the Linux date command. For example:

$ date --utc "+%F %T"
2021-03-15 20:31:37

See Key Management Interoperability Protocol Specification Version 1.1 for details about these attributes.

--name / name

 

Specifies the name of a security object. The name has two fields:

  • value (for example, KEY1)
  • type (text or uri)

The default type is text.

The command line supports a complex data format for the name attribute:

    --name '{"value" : "KEY1", "type" : "uri"}' or
    --name '{"value" : "KEY1", "type" : "text"}'

and a simplified data format, in which the type defaults to text:

    --name KEY1

--custom-attribute / customAttribute

 

Specifies a custom-defined attribute on the security object.

The command line supports a simplified data format for custom attributes (multiple instances):

    --custom-attribute "x-local-name:HR"
    --custom-attribute '[ "x-local-name:HR", "x-local-id:100" ]'

and a complex data format:

    --custom-attribute '[ { "name": "x-OKV Certificate Expiration Date", "value" : "2017-04-29 18:14:51" }, { "name": "x-local-name", "value" : "HR" } ]'

--deactivation-date / deactivationDate

 

Specifies when to deactivate a security object.

--activation-date / activationDate

 

Specifies when to activate a security object. It has the following format:

"activationDate" : "now" --starts immediately
"activationDate" : "now+PT10M" --starts 10 minutes from now
"activationDate" : "2021-12-20 10:30:00" --starts at this date and time
"activationDate" : "2021-12-20 10:30:00+PT10M" --starts 10 minutes after this date and time

--output_format

Optional

Specifies the output format of the command. The command completes with exit code 0 when it runs successfully, and with exit code 1 when it fails, in which case it also prints a relevant error message.

The default value is:

  • text

Note:

Use the CLI command syntax to specify the output_format option. By default, the output format is JSON. Specifying the output_format option with the value text displays the output in text format, which removes the need to parse JSON output. This is useful when the output of one command serves as input to another command.

JSON Example

  1. Generate JSON input for the okv managed-object opaque register command.
    okv managed-object opaque register --generate-json-input

    The generated input appears as follows:

    {
      "service" : {
        "category" : "managed-object",
        "resource" : "opaque",
        "action" : "register",
        "options" : {
          "object" : "#VALUE",
          "wallet" : "#VALUE",
          "attributes" : {
            "name" : {
              "value" : "#VALUE",
              "type" : "#text|uri"
            },
            "contactInfo" : "#VALUE",
            "processStartDate" : "#NOW|YYYY-MM-DD HH:mm:ss",
            "protectStopDate" : "#NOW|YYYY-MM-DD HH:mm:ss"
          },
          "customAttributes" : [ {
            "name" : "#VALUE",
            "value" : "#VALUE",
            "type" : "#TEXT|NUMBER"
          } ]
        }
      }
    }
  2. Save the generated input to a file (for example, reg_opaque.json) and then edit it to register the opaque key.
    {
      "service": {
        "category": "managed-object",
        "resource": "opaque",
        "action": "register",
        "options": {
          "object": "./key.pem",
          "wallet": "hr_wallet",
          "attributes": {
            "name": {
              "value": "Opaque-Key-102",
              "type": "text"
            },
            "contactInfo" : "psmith@example.com",
            "activationDate" : "2020-12-31 09:00:00",
            "deactivationDate" : "2024-12-31 09:00:00",
            "processStartDate" : "2020-12-31 09:00:00",
            "protectStopDate" : "2024-12-31 09:00:00"
          }
        }
      }
    }
  3. Run the okv managed-object opaque register command using the generated JSON file.
    okv managed-object opaque register --from-json reg_opaque.json

    Output similar to the following appears:

    {
     "result" : "Success",
      "value" : {
       "uuid" : "B44A99FD-F892-4F3E-BF7D-487B68159CC3"
      }
    }

Example Using Output Format Text

okv managed-object opaque register --output_format text --object object_name --wallet wallet_name

Output

Output similar to the following appears:

"B44A99FD-F892-4F3E-BF7D-487B68159CC3"
  

5.25 okv managed-object private-key get Command

The okv managed-object private-key get command retrieves a private key.

Required Authorization

The endpoint must have read permission on the private key.

Syntax

okv managed-object private-key get --output_format OUTPUT_FORMAT --uuid UUID

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "private-key",
    "action" : "get",
    "options" : {
      "uuid" : "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--uuid / uuid

Required

Universally unique ID (UUID) of the private key.

To find the unique identifier for the object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column.

--output_format

Optional

Specifies the output format of the command. The command completes with exit code 0 when it runs successfully, and with exit code 1 when it fails, in which case it also prints a relevant error message.

Note:

Use the CLI command syntax to specify the output_format option. By default, the output format is JSON. Specifying the output_format option with the value text displays the output in text format, which removes the need to parse JSON output. This is useful when the output of one command serves as input to another command.

The default value is:

  • text

JSON Example

  1. Generate JSON input for the okv managed-object private-key get command.
    okv managed-object private-key get --generate-json-input

    The generated input appears as follows:

    {
      "service" : {
        "category" : "managed-object",
        "resource" : "private-key",
        "action" : "get",
        "options" : {
          "uuid" : "#VALUE"
        }
      }
    }
  2. Save the generated input to a file (for example, get_private_key.json) and then edit it to specify the UUID of the private key.
    {
      "service" : {
        "category" : "managed-object",
        "resource" : "private-key",
        "action" : "get",
        "options" : {
          "uuid" : "2F9E2A31-D15A-4F5B-BFA0-761892021DBE"
        }
      }
    }
  3. Run the okv managed-object private-key get command using the generated JSON file.
    okv managed-object private-key get --from-json get_private_key.json

    Output similar to the following appears:

    {
      "result" : "Success",
      "value" : {
        "object" : "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAg << output truncated >> /onTXJKf8A1kZwPW/Qa6IpPOGCfOJDtyM9F5X9REaJQr+1\nXw1sBm1Tjh4z/m6rsKK6A4YP\n-----END PRIVATE KEY-----"
      }
    }

Example Using Output Format Text

okv managed-object private-key get --output_format text --uuid 2F9E2A31-D15A-4F5B-BFA0-761892021DBE

Output

Output similar to the following appears:

"-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAg << output truncated >> /onTXJKf8A1kZwPW/Qa6IpPOGCfOJDtyM9F5X9REaJQr+1\nXw1sBm1Tjh4z/m6rsKK6A4YP\n-----END PRIVATE KEY-----"
  

5.26 okv managed-object private-key register Command

The okv managed-object private-key register command registers a private key. You can use this command to also register an SSH private key.

Required Authorization

None

Syntax

okv managed-object private-key register [--activation-date <activation date>] [--algorithm <algorithm>]
[--custom-attribute <custom attribute>] [--deactivation-date <deactivation date>] [--extractable <extractable>]
--length <length> [--mask <mask>] [--name <name>] --object <object> [--ssh-user <ssh-user>] [--wallet <wallet>]

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "private-key",
    "action" : "register",
    "options" : {
      "object" : "#VALUE",
      "algorithm" : "#RSA",
      "length" : "#1024,2048,4096(RSA)",
      "sshUser" : "#VALUE",
      "mask" : [ "#SIGN", "#VERIFY", "#ENCRYPT", "#DECRYPT", "#WRAP_KEY", "#UNWRAP_KEY", "#EXPORT", "#DERIVE_KEY", "#GENERATE_CRYPTOGRAM", 
                 "#VALIDATE_CRYPTOGRAM", "#TRANSLATE_ENCRYPT", "#TRANSLATE_DECRYPT", "#TRANSLATE_WRAP", "#TRANSLATE_UNWRAP" ],
      "wallet" : "#VALUE",
      "attributes" : {
        "name" : {
          "value" : "#VALUE",
          "type" : "#text|uri"
        },
        "contactInfo" : "#VALUE",
        "activationDate" : "#NOW|YYYY-MM-DD HH:mm:ss",
        "deactivationDate" : "#NOW|YYYY-MM-DD HH:mm:ss",
        "processStartDate" : "#NOW|YYYY-MM-DD HH:mm:ss",
        "protectStopDate" : "#NOW|YYYY-MM-DD HH:mm:ss",
        "extractable" : "#TRUE|FALSE"
      },
      "customAttributes" : [ {
        "name" : "#VALUE",
        "value" : "#VALUE",
        "type" : "#TEXT|NUMBER"
      } ]
    }
  }
}
    

Parameters

Parameter/Template Parameter Required? Description

--object / object

Required

File path to the private key object.

--algorithm / algorithm

Optional

Cryptographic algorithm. The default value is RSA.

--length / length

Required

Key length for the algorithm. Choose from the following values:

  • 1024
  • 2048
  • 4096

--mask / mask

Optional

Cryptographic usage mask, enclosed in double quotation marks. Choose from the following values:

  • ENCRYPT
  • DECRYPT
  • DERIVE_KEY
  • EXPORT
  • SIGN
  • TRANSLATE_DECRYPT
  • TRANSLATE_ENCRYPT
  • TRANSLATE_UNWRAP
  • TRANSLATE_WRAP
  • WRAP_KEY
  • UNWRAP_KEY

The default values are:

  • DECRYPT
  • UNWRAP_KEY
  • WRAP_KEY
  • SIGN

--wallet / wallet

Optional

Wallet name. To find the names of existing wallets to which you have access, run the okv manage-access wallet list command.

/attributes

Optional

Attribute names and their values. Enclose this value in double quotation marks if the value contains spaces, slashes, or colons. To find the existing attributes for the managed object, run the okv managed-object attribute list command.

You cannot specify attributes at the command line. If you want to use attributes, then you must use the JSON syntax.

Attributes that you can enter are as follows:

  • name includes the following:
    • value is the name value.
    • type is either text or uri. The default value is text.
  • contactInfo
  • The following date and time attributes:
    • activationDate
    • deactivationDate
    • protectStopDate
    • processStartDate
  • extractable can be set as follows:

    • TRUE Allows the object to be extracted from Oracle Key Vault.

    • FALSE Prevents the key material within the object from being extracted from Oracle Key Vault. However, the metadata of the object (including object attributes, state, and so on) can still be retrieved from Oracle Key Vault.

    If you do not set the extractable attribute, then this value is inherited from the endpoint's configuration. In the command line, you can only specify the extractable attribute setting that is stricter than the endpoint's effective setting. For example, you cannot set the extractable attribute to TRUE if it is set to FALSE in the endpoint. However, you can always set the extractable attribute value to FALSE in the command line.

You can use different ways to set the date and time. Examples are as follows:

"activationDate" : "now" --starts immediately
"activationDate" : "now+PT10M" --starts 10 minutes from now
"activationDate" : "2021-12-20 10:30:00" --starts at this date and time
"activationDate" : "2021-12-20 10:30:00+PT10M" --starts 10 minutes after this date and time

To display the time in UTC format, use the Linux date command. For example:

$ date --utc "+%F %T"
2021-03-15 20:31:37

See Key Management Interoperability Protocol Specification Version 1.1 for details about these attributes.
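The date expressions listed above (the same forms appear under okv managed-object opaque register) are resolved here by an added Python helper that is not part of the okv tool. It turns now, now plus a duration, an absolute timestamp, or an absolute timestamp plus a duration into a fixed UTC timestamp, so the JSON you submit records exactly which lifecycle dates were requested. It assumes absolute dates are UTC (as the date --utc hint above suggests) and accepts the wider ISO 8601 PnDTnHnMnS duration subset, of which PT10M on this page is one case.

```python
import re
from datetime import datetime, timedelta, timezone

OKV_DATE_FMT = "%Y-%m-%d %H:%M:%S"
DATE_ATTRIBUTES = ("activationDate", "deactivationDate",
                   "processStartDate", "protectStopDate")

# ISO 8601 duration subset P[nD][T[nH][nM][nS]]; the page shows PT10M, the
# wider grammar is an assumption of this example.
_DURATION_RE = re.compile(
    r"^P(?:(?P<days>\d+)D)?"
    r"(?:T(?:(?P<hours>\d+)H)?(?:(?P<minutes>\d+)M)?(?:(?P<seconds>\d+)S)?)?$"
)


def parse_duration(text):
    """Convert a duration such as 'PT10M' or 'P1DT2H' into a timedelta."""
    m = _DURATION_RE.match(text)
    if not m or not any(m.groupdict().values()):
        raise ValueError(f"unsupported duration: {text!r}")
    return timedelta(**{k: int(v) for k, v in m.groupdict().items() if v is not None})


def resolve_okv_date(expr, now=None):
    """Resolve one date expression to a timezone-aware UTC datetime.

    Accepted forms, as listed on this page: 'now', 'now+<duration>',
    'YYYY-MM-DD HH:mm:ss', and 'YYYY-MM-DD HH:mm:ss+<duration>'. Absolute
    timestamps are assumed to be UTC. 'now' can be injected for testing.
    """
    now = now or datetime.now(timezone.utc)
    base_text, plus, duration_text = expr.strip().partition("+")
    if base_text.strip().lower() == "now":
        base = now
    else:
        base = datetime.strptime(base_text.strip(), OKV_DATE_FMT).replace(tzinfo=timezone.utc)
    return base + parse_duration(duration_text) if plus else base


def format_okv_date(dt):
    """Render a datetime in the 'YYYY-MM-DD HH:mm:ss' form the JSON input expects (UTC)."""
    return dt.astimezone(timezone.utc).strftime(OKV_DATE_FMT)


def resolve_date_attributes(attributes, now=None):
    """Return a copy of an 'attributes' object with every date expression made absolute.

    Resolving relative expressions before the JSON file is written makes the
    request reproducible and leaves an exact record of the lifecycle dates asked for.
    """
    now = now or datetime.now(timezone.utc)
    resolved = dict(attributes)
    for key in DATE_ATTRIBUTES:
        if key in resolved:
            resolved[key] = format_okv_date(resolve_okv_date(resolved[key], now=now))
    act, deact = resolved.get("activationDate"), resolved.get("deactivationDate")
    # The OKV date format sorts chronologically as text.
    if act and deact and act >= deact:
        raise ValueError("activationDate must be earlier than deactivationDate")
    return resolved


if __name__ == "__main__":
    # Constructed sample attributes object.
    sample = {"activationDate": "now", "deactivationDate": "now+P1D",
              "processStartDate": "2021-12-20 10:30:00+PT10M"}
    print(resolve_date_attributes(sample))
```
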

--name / name

 

Specifies the name of a security object. The name has two fields:

  • value
  • type

The default type is text.

The command line supports a complex data format for the name attribute:

    --name '{"value" : "KEY1", "type" : "uri"}' or
    --name '{"value" : "KEY1", "type" : "text"}'

and a simplified data format, in which the type defaults to text:

    --name KEY1

--custom-attribute / customAttribute

 

Specifies custom defined attribute on security object.

2017-04-29 18:14:51"}'
        --custom-attribute '[ { "name": "x-OKV Certificate Expiration Date",
           "value" : "2017-04-29 18:14:51"}, { "name": "x-local-name", "value" : "HR"} ] '
Support simplified data format, name
      attribute(single instance), in command line --name KEY1
Support simplified data format, custom attribute(multi instance),in commandline
      --custom-attribute "x-local-name:HR" 
      --custom-attribute ' [  “x-local-name:HR”,“x-local-id:100” ]'

--deactivation-date / deactivationDate

Optional

Specifies when to deactivate the security object. It has the same format as --activation-date.

--activation-date / activationDate

Optional

Specifies when to activate the security object. Examples of the format are as follows:

"activationDate" : "now" --starts immediately
"activationDate" : "now+PT10M" --starts 10 minutes from now
"activationDate" : "2021-12-20 10:30:00" --starts at this date and time
"activationDate" : "2021-12-20 10:30:00+PT10M" --starts 10 minutes after this date and time

--output_format

Optional

Specifies the output format of the command: text or json. The command completes with exit code 0 when it succeeds and with exit code 1 when it fails, in which case it also prints a relevant error message.

The default value is:

  • json

Note:

Use the CLI command syntax to specify the output_format option. By default, the output format is JSON. With output_format set to text, the command prints only the result value, which removes the need to parse JSON output. This is useful when the output of one command serves as input to another command.

Example without using JSON

         okv managed-object private-key register --algorithm RSA --length 2048
         --mask "ENCRYPT" --object /Users/dopark/test/id_rsa
         --name private_0701 --activation-date now --deactivation-date "2030-10-10 10:10:10"

JSON Example

  1. Generate JSON input for the okv managed-object private-key register command.
    okv managed-object private-key register --generate-json-input

    The generated input appears as follows:

    {
      "service" : {
        "category" : "managed-object",
        "resource" : "private-key",
        "action" : "register",
        "options" : {
          "object" : "#VALUE",
          "algorithm" : "#RSA",
          "length" : "#1024,2048,4096(RSA)",
          "mask" : [ "#SIGN", "#VERIFY", "#ENCRYPT", "#DECRYPT", "#WRAP_KEY", "#UNWRAP_KEY", "#EXPORT", "#DERIVE_KEY", "#GENERATE_CRYPTOGRAM", 
                     "#VALIDATE_CRYPTOGRAM", "#TRANSLATE_ENCRYPT", "#TRANSLATE_DECRYPT", "#TRANSLATE_WRAP", "#TRANSLATE_UNWRAP" ],
          "wallet" : "#VALUE",
          "attributes" : {
            "name" : {
              "value" : "#VALUE",
              "type" : "#text|uri"
            },
            "contactInfo" : "#VALUE",
            "activationDate" : "#NOW|YYYY-MM-DD HH:mm:ss",
            "deactivationDate" : "#NOW|YYYY-MM-DD HH:mm:ss",
            "processStartDate" : "#NOW|YYYY-MM-DD HH:mm:ss",
            "protectStopDate" : "#NOW|YYYY-MM-DD HH:mm:ss",
            "extractable" : "#TRUE|FALSE"
          },
          "customAttributes" : [ {
            "name" : "#VALUE",
            "value" : "#VALUE",
            "type" : "#TEXT|NUMBER"
          } ]
        }
      }
    }
  2. Save the generated input to a file (for example, reg_private_key.json) and then edit it to specify the appropriate private key settings.
    {
      "service" : {
        "category" : "managed-object",
        "resource" : "private-key",
        "action" : "register",
        "options" : {
          "object" : "./priv_key.pem",
          "algorithm" : "RSA",
          "length" : "2048",
          "mask" : [ "ENCRYPT", "DECRYPT" ],
          "wallet" : "hr_wallet",
          "attributes" : {
            "name" : {
              "value" : "CERT-APPID-103",
              "type" : "text"
            },
            "contactInfo" : "psmith@example.com",
            "activationDate" : "2020-12-31 09:00:00",
            "deactivationDate" : "2024-12-31 09:00:00",
            "processStartDate" : "2020-12-31 09:00:00",
            "protectStopDate" : "2024-12-31 09:00:00"
          }
        }
      }
    }
  3. Run the okv managed-object private-key register command using the generated JSON file.
    okv managed-object private-key register --from-json reg_private_key.json

    Output similar to the following appears:

    {
      "result" : "Success",
       "value" : {
        "uuid" : "2F9E2A31-D15A-4F5B-BFA0-761892021DBE"
      }
    }

Example Using Output Format Text

okv managed-object private-key register --output_format text --object private_key_file_path --algorithm cryptographic_algorithm --length key_length --mask cryptographic_usage_mask --wallet wallet_name

Output

Output similar to the following appears:

"2F9E2A31-D15A-4F5B-BFA0-761892021DBE"
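The following script ties the steps above together. It is an added example and is not part of the Oracle Key Vault documentation or the okv client: it formats UTC timestamps for the date attributes, writes the reg_private_key.json input with extractable pinned to FALSE, refuses to send a file that still carries the "#VALUE"-style placeholders that --generate-json-input emits, extracts the new object's UUID from either output format (the JSON document or the quoted string printed with --output_format text), and chains that UUID into okv managed-object wallet add-member. GNU date (for -d @EPOCH) and an enrolled endpoint with okv on PATH are assumed; the key path, object name, and the hr_wallet and fin_wallet names are illustrative.

```shell
#!/bin/sh
# Added example, not part of the Oracle Key Vault documentation or client.
# Assumptions: GNU date, an enrolled endpoint with okv on PATH; the key path,
# object name and wallet names below are illustrative.

# Epoch seconds -> "YYYY-MM-DD HH:MM:SS" in UTC, the format the date attributes expect.
okv_utc_date() {
    date -u -d "@$1" "+%F %T"
}

# Emit the register request on stdout. extractable is pinned to FALSE so the
# private key material can never be fetched back from the vault (metadata still can).
okv_private_key_register_json() {
    # $1 key file, $2 wallet, $3 object name, $4 activation epoch, $5 deactivation epoch
    cat <<EOF
{
  "service" : {
    "category" : "managed-object",
    "resource" : "private-key",
    "action" : "register",
    "options" : {
      "object" : "$1",
      "algorithm" : "RSA",
      "length" : "2048",
      "mask" : [ "ENCRYPT", "DECRYPT" ],
      "wallet" : "$2",
      "attributes" : {
        "name" : { "value" : "$3", "type" : "text" },
        "activationDate" : "$(okv_utc_date "$4")",
        "deactivationDate" : "$(okv_utc_date "$5")",
        "extractable" : "FALSE"
      }
    }
  }
}
EOF
}

# True if a file produced by --generate-json-input still has unfilled "#VALUE",
# "#RSA", "#NOW|..." placeholders, which okv would otherwise send literally.
okv_json_has_placeholders() {
    grep -q '"#' "$1"
}

# Pull the UUID out of either output shape: the JSON document returned by
# --from-json, or the bare quoted string printed with --output_format text
# (the text form can carry stray whitespace inside the quotes).
okv_uuid_from_output() {
    out=$1
    case $out in
        *'"uuid"'*) out=$(printf '%s' "$out" | sed -n 's/.*"uuid"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p') ;;
    esac
    printf '%s' "$out" | tr -d '"' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Accept only an OKV-style UUID before it is passed on as --uuid.
okv_is_uuid() {
    printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
}

# Register from a JSON file, then add the new object to a second wallet.
okv_register_and_share() {
    json=$1; extra_wallet=$2
    if okv_json_has_placeholders "$json"; then
        echo "refusing to send $json: template placeholders are still present" >&2
        return 1
    fi
    out=$(okv managed-object private-key register --from-json "$json") || return 1
    uuid=$(okv_uuid_from_output "$out")
    okv_is_uuid "$uuid" || { echo "no UUID in register output: $out" >&2; return 1; }
    okv managed-object wallet add-member --uuid "$uuid" --wallet "$extra_wallet"
}

# Demonstration; skipped on a machine without the okv client.
if command -v okv >/dev/null 2>&1; then
    now=$(date +%s)
    okv_private_key_register_json ./priv_key.pem hr_wallet CERT-APPID-103 \
        "$now" "$((now + 4 * 365 * 86400))" > reg_private_key.json
    okv_register_and_share reg_private_key.json fin_wallet
fi
```

The UUID check matters because a failed register returns a JSON document with no uuid field; without the check, the error text would be passed straight into --uuid of the next command. The placeholder check catches the common mistake of running --from-json on a template that was saved but never edited.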
  

5.27 okv managed-object public-key get Command

The okv managed-object public-key get command retrieves a public key.

Required Authorization

The endpoint must have read permission on the public key.

Syntax

okv managed-object public-key get [--output_format text|json] --uuid UUID

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "public-key",
    "action" : "get",
    "options" : {
      "uuid" : "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--uuid / uuid

Required

Universally unique ID (UUID) of the public key.

To find the unique identifier for the object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column.

--output_format

Optional

Specifies the output format of the command: text or json. The command completes with exit code 0 when it succeeds and with exit code 1 when it fails, in which case it also prints a relevant error message.

The default value is:

  • json

Note:

Use the CLI command syntax to specify the output_format option. By default, the output format is JSON. With output_format set to text, the command prints only the result value, which removes the need to parse JSON output. This is useful when the output of one command serves as input to another command.

JSON Example

  1. Generate JSON input for the okv managed-object public-key get command.
    okv managed-object public-key get --generate-json-input

    The generated input appears as follows:

    {
      "service" : {
        "category" : "managed-object",
        "resource" : "public-key",
        "action" : "get",
        "options" : {
          "uuid" : "#VALUE"
        }
      }
    }
  2. Save the generated input to a file (for example, get_public_key.json) and then edit it to specify the UUID of the public key.
    {
      "service" : {
        "category" : "managed-object",
        "resource" : "public-key",
        "action" : "get",
        "options" : {
          "uuid" : "11652909-D019-4F3B-BFB9-791723095005"
        }
      }
    }
  3. Run the okv managed-object public-key get command using the generated JSON file.
    okv managed-object public-key get  --from-json get_public_key.json

    Output similar to the following appears:

    {
      "result" : "Success",
      "value" : {
        "object" : "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtK4YrT6A/4tVnadRg0ZT\nprsdUwXrIdoqf1+ye/yVkN6RmtR7mthn6WIIrbTVX5MuAkLc6yyuMEc+nLDPZzrU\nFXkCAQeVR7sT/hQo74dQHebIfJxgx+uZrlzOgT4Il1qfmjR6y81RjTvAU8ZPdzPb\nuXKHZErZVQdoXUw5uFrTNzOegLbYJFI2dZnf3erB7Ho64DckFRoFP05cc3A0iLrL\ntzE8CcjAlBlXTGJD4kAtTEet/0TkvuHzBHr23zkfj0kWV3PHGYYC3O+/UzXg/nal\n3iTK5yRDkln45AyI/PkfzAFiZ/kX9C66H0WRMxgfaOn/uRNbikFOFK6IPOGcT+0S\n/QIDAQAB\n-----END PUBLIC KEY-----"
      }
    }

Example Using Output Format Text

okv managed-object public-key get --output_format text --uuid 11652909-D019-4F3B-BFB9-791723095005

Output

Output similar to the following appears:

"-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtK4YrT6A/4tVnadRg0ZT\nprsdUwXrIdoqf1+ye/yVkN6RmtR7mthn6WIIrbTVX5MuAkLc6yyuMEc+nLDPZzrU\nFXkCAQeVR7sT/hQo74dQHebIfJxgx+uZrlzOgT4Il1qfmjR6y81RjTvAU8ZPdzPb\nuXKHZErZVQdoXUw5uFrTNzOegLbYJFI2dZnf3erB7Ho64DckFRoFP05cc3A0iLrL\ntzE8CcjAlBlXTGJD4kAtTEet/0TkvuHzBHr23zkfj0kWV3PHGYYC3O+/UzXg/nal\n3iTK5yRDkln45AyI/PkfzAFiZ/kX9C66H0WRMxgfaOn/uRNbikFOFK6IPOGcT+0S\n/QIDAQAB\n-----END PUBLIC KEY-----"
  

5.28 okv managed-object public-key register Command

The okv managed-object public-key register command registers a public key. You can also use this command to register an SSH public key.

Required Authorization

None

Syntax

okv managed-object public-key register [--activation-date <activation date>] [--algorithm <algorithm>] [--custom-attribute <custom attribute>]
       [--deactivation-date <deactivation date>] --length <length> [--mask <mask>] [--name <name>] --object <object> [--private-key-uuid
       <private-key-uuid>] [--ssh-user <ssh-user>] [--wallet <wallet>]

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "public-key",
    "action" : "register",
    "options" : {
      "object" : "#VALUE",
      "algorithm" : "#RSA",
      "length" : "#1024,2048,3072,4096(RSA)",
      "sshUser" : "#VALUE",
      "mask" : [ "#SIGN", "#VERIFY", "#ENCRYPT", "#DECRYPT", "#WRAP_KEY", "#UNWRAP_KEY", "#EXPORT", "#DERIVE_KEY", "#GENERATE_CRYPTOGRAM", "#VALIDATE_CRYPTOGRAM", "#TRANSLATE_ENCRYPT", "#TRANSLATE_DECRYPT", "#TRANSLATE_WRAP", "#TRANSLATE_UNWRAP" ],
      "privateKeyUUID" : "#VALUE",
      "wallet" : "#VALUE",
      "attributes" : {
        "name" : {
          "value" : "#VALUE",
          "type" : "#text|uri"
        },
        "contactInfo" : "#VALUE",
        "activationDate" : "#NOW|YYYY-MM-DD HH:mm:ss",
        "deactivationDate" : "#NOW|YYYY-MM-DD HH:mm:ss",
        "processStartDate" : "#NOW|YYYY-MM-DD HH:mm:ss",
        "protectStopDate" : "#NOW|YYYY-MM-DD HH:mm:ss"
      },
      "customAttributes" : [ {
        "name" : "#VALUE",
        "value" : "#VALUE",
        "type" : "#TEXT|NUMBER"
      } ]
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--object / object

Required

File path to the public key object.

--algorithm / algorithm

Optional

Cryptographic algorithm. The default value is:
  • RSA

--length / length

Required

Key length for the algorithm. Choose from the following values:

  • 1024
  • 2048
  • 3072
  • 4096

--mask / mask

Optional

Cryptographic usage mask, enclosed in double quotation marks. Choose from the following values:

  • ENCRYPT
  • DECRYPT
  • DERIVE_KEY
  • EXPORT
  • TRANSLATE_DECRYPT
  • TRANSLATE_ENCRYPT
  • TRANSLATE_UNWRAP
  • UNWRAP_KEY
  • VERIFY

The default values are:

  • UNWRAP_KEY
  • ENCRYPT
  • VERIFY

--private-key-uuid / privateKeyUUID

Optional

Universally unique ID (UUID) of the private key associated with the public key being registered.

To find the unique identifier for the key, run the okv manage-access wallet list-objects command or the okv admin endpoint list-objects command.

--wallet / wallet

Optional

Wallet name. To find the names of existing wallets to which you have access, run the okv manage-access wallet list command.

(JSON only) / attributes

Optional

Attribute names and their values. Enclose a value in double quotation marks if it contains spaces, slashes, or colons. To find the existing attributes for the managed object, run the okv managed-object attribute list command.

The attributes block as a whole can be specified only in the JSON syntax. At the command line, the individual attributes are set with --name, --activation-date, --deactivation-date, and --custom-attribute; contactInfo, processStartDate, and protectStopDate can be set only through the JSON syntax.

Attributes that you can enter are as follows:

  • name includes the following:
    • value is the name value.
    • type is either text or uri. The default value is text.
  • contactInfo
  • The following date and time attributes:
    • activationDate
    • deactivationDate
    • protectStopDate
    • processStartDate

You can use different ways to set the date and time. Examples are as follows:

"activationDate" : "now" --starts immediately
"activationDate" : "now+PT10M" --starts 10 minutes from now
"activationDate" : "2021-12-20 10:30:00" --starts at this date and time
"activationDate" : "2021-12-20 10:30:00+PT10M" --starts 10 minutes after this date and time

To display the time in UTC format, use the Linux date command. For example:

$ date --utc "+%F %T"
2021-03-15 20:31:37

See Key Management Interoperability Protocol Specification Version 1.1 for details about these attributes.

--name / name

Optional

Specifies the name of the security object. A name has two components: value, the name itself, and type, which is either text or uri. The default type is text. At the command line, use either the complex (JSON) format or the simplified format:

  • Complex format, value and type given explicitly:
            --name '{"value" : "KEY1", "type" : "uri"}'
            --name '{"value" : "KEY1", "type" : "text"}'
  • Simplified format, type defaults to text:
            --name KEY1

--custom-attribute / customAttribute

Optional

Specifies one or more custom-defined attributes on the security object. At the command line, use either the complex (JSON) format or the simplified name:value format:

  • Complex format, single attribute:
            --custom-attribute '{ "name": "x-OKV Certificate Expiration Date", "value" : "2017-04-29 18:14:51"}'
  • Complex format, multiple attributes:
            --custom-attribute '[ { "name": "x-OKV Certificate Expiration Date",
               "value" : "2017-04-29 18:14:51"}, { "name": "x-local-name", "value" : "HR"} ]'
  • Simplified format, single attribute:
            --custom-attribute "x-local-name:HR"
  • Simplified format, multiple attributes:
            --custom-attribute '[ "x-local-name:HR", "x-local-id:100" ]'

--deactivation-date / deactivationDate

Optional

Specifies when to deactivate the security object. It has the same format as --activation-date.

--activation-date / activationDate

Optional

Specifies when to activate the security object. Examples of the format are as follows:

"activationDate" : "now" --starts immediately
"activationDate" : "now+PT10M" --starts 10 minutes from now
"activationDate" : "2021-12-20 10:30:00" --starts at this date and time
"activationDate" : "2021-12-20 10:30:00+PT10M" --starts 10 minutes after this date and time

--ssh-user / sshUser

Optional

SSH user name. It records the actual consumer of the SSH key: a human, an application, or a machine.

--output_format

Optional

Specifies the output format of the command: text or json. The command completes with exit code 0 when it succeeds and with exit code 1 when it fails, in which case it also prints a relevant error message.

The default value is:

  • json

Note:

Use the CLI command syntax to specify the output_format option. By default, the output format is JSON. With output_format set to text, the command prints only the result value, which removes the need to parse JSON output. This is useful when the output of one command serves as input to another command.

JSON Example

  1. Generate JSON input for the okv managed-object public-key register command.
    okv managed-object public-key register --generate-json-input

    The generated input appears as follows:

     {
      "service" : {
        "category" : "managed-object",
        "resource" : "public-key",
        "action" : "register",
        "options" : {
          "object" : "#VALUE",
          "algorithm" : "#RSA",
          "length" : "#1024,2048,3072,4096(RSA)",
          "sshUser" : "#VALUE",
          "mask" : [ "#SIGN", "#VERIFY", "#ENCRYPT", "#DECRYPT", "#WRAP_KEY", "#UNWRAP_KEY", "#EXPORT", "#DERIVE_KEY", "#GENERATE_CRYPTOGRAM", "#VALIDATE_CRYPTOGRAM", "#TRANSLATE_ENCRYPT", "#TRANSLATE_DECRYPT", "#TRANSLATE_WRAP", "#TRANSLATE_UNWRAP" ],
          "privateKeyUUID" : "#VALUE",
          "wallet" : "#VALUE",
          "attributes" : {
            "name" : {
              "value" : "#VALUE",
              "type" : "#text|uri"
            },
            "contactInfo" : "#VALUE",
            "activationDate" : "#NOW|YYYY-MM-DD HH:mm:ss",
            "deactivationDate" : "#NOW|YYYY-MM-DD HH:mm:ss",
            "processStartDate" : "#NOW|YYYY-MM-DD HH:mm:ss",
            "protectStopDate" : "#NOW|YYYY-MM-DD HH:mm:ss"
          },
          "customAttributes" : [ {
            "name" : "#VALUE",
            "value" : "#VALUE",
            "type" : "#TEXT|NUMBER"
          } ]
        }
      }
    }
  2. Save the generated input to a file (for example, reg_public_key.json) and then edit it to specify the appropriate public key settings.
    {
      "service" : {
        "category" : "managed-object",
        "resource" : "public-key",
        "action" : "register",
        "options" : {
          "object" : "./key.pub",
          "algorithm" : "RSA",
          "length" : "2048",
          "mask" : [ "ENCRYPT", "DECRYPT" ],
          "privateKeyUUID" : "2F9E2A31-D15A-4F5B-BFA0-761892021DBE",
          "wallet" : "hr_wallet",
          "attributes" : {
            "name" : {
              "value" : "FINDB-PROD-PUBKEY",
              "type" : "text"
            },
            "contactInfo" : "psmith@example.com",
            "activationDate" : "2020-12-31 09:00:00",
            "deactivationDate" : "2024-12-31 09:00:00",
            "processStartDate" : "2020-12-31 09:00:00",
            "protectStopDate" : "2024-12-31 09:00:00"
          }
        }
      }
    }
  3. Run the okv managed-object public-key register command using the generated JSON file.
    okv managed-object public-key register --from-json reg_public_key.json

    Output similar to the following appears:

    {
      "result" : "Success",
       "value" : {
        "uuid" : "11652909-D019-4F3B-BFB9-791723095005"
       }
     }

Example without using JSON

okv managed-object public-key register --object id_rsa.pub --algorithm RSA --length 2048 --mask "ENCRYPT"
--private-key-uuid 95092BD2-B546-4F9A-BF0B-D8ECDC548546 --name hr_public_key
--activation-date now --deactivation-date "2030-10-10 10:10:10"

Example Using Output Format Text

okv managed-object public-key register --output_format text --object public_key_file_path --algorithm cryptographic_algorithm --length key_length --mask cryptographic_usage_mask --private-key-uuid private_key_uuid --wallet wallet_name

Output

Output similar to the following appears:

"11652909-D019-4F3B-BFB9-791723095005"
  

5.29 okv managed-object secret get Command

The okv managed-object secret get command retrieves the secret data from a security object of type secret.

Required Authorization

The endpoint must have read permission on the secret object.

Syntax

okv managed-object secret get [--output_format text|json] --uuid UUID

JSON Input File Template

{
  "service": {
    "category": "managed-object",
    "resource": "secret",
    "action": "get",
    "options": {
      "uuid": "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--uuid / uuid

Required

Universally unique ID (UUID) of the security object.

To find the unique identifier for the object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column.

--output_format

Optional

Specifies the output format of the command: text or json. The command completes with exit code 0 when it succeeds and with exit code 1 when it fails, in which case it also prints a relevant error message.

The default value is:

  • json

Note:

Use the CLI command syntax to specify the output_format option. By default, the output format is JSON. With output_format set to text, the command prints only the result value, which removes the need to parse JSON output. This is useful when the output of one command serves as input to another command.

JSON Example

  1. Generate JSON input for the okv managed-object secret get command.
    okv managed-object secret get --generate-json-input

    The generated input appears as follows:

    {
      "service": {
        "category": "managed-object",
        "resource": "secret",
        "action": "get",
        "options": {
          "uuid": "#VALUE"
        }
      }
    }
  2. Save the generated input to a file (for example, secret_get.json) and then edit it to locate the secret object.
    {
      "service": {
        "category": "managed-object",
        "resource": "secret",
        "action": "get",
        "options": {
          "uuid": "D69D2F32-2DBB-4FF3-BF52-95487526E6EC"
        }
      }
    }
  3. Run the okv managed-object secret get command using the generated JSON file.
    okv managed-object secret get --from-json secret_get.json

    Output similar to the following appears:

    {
         "result": "Success",
         "value": {
           "object": "ki3j&8slo73y2ls"
          }
       }

Example Using Output Format Text

okv managed-object secret get --output_format text --uuid D69D2F32-2DBB-4FF3-BF52-95487526E6EC

Output

Output similar to the following appears:

"ki3j&8slo73y2ls"
  

5.30 okv managed-object secret register Command

The okv managed-object secret register command registers secret data such as passwords or random seeds.

Required Authorization

None

Syntax

okv managed-object secret register [--output_format text|json] --object object_name [--type PASSWORD|SEED] [--wallet wallet_name] [--mask cryptographic_usage_mask] [--name name_value] [--custom-attribute custom_attribute_value] [--activation-date activation_date] [--deactivation-date deactivation_date]

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "secret",
    "action" : "register",
    "options" : {
      "object" : "#VALUE",
      "type" : "#PASSWORD|SEED",
      "mask" : [ "#SIGN", "#VERIFY", "#ENCRYPT", "#DECRYPT", "#WRAP_KEY", "#UNWRAP_KEY", "#EXPORT", "#DERIVE_KEY", "#GENERATE_CRYPTOGRAM", "#VALIDATE_CRYPTOGRAM", "#TRANSLATE_ENCRYPT", "#TRANSLATE_DECRYPT", "#TRANSLATE_WRAP", "#TRANSLATE_UNWRAP" ],
      "wallet" : "#VALUE",
      "attributes" : {
        "name" : {
          "value" : "#VALUE",
          "type" : "#text|uri"
        },
        "contactInfo" : "#VALUE",
        "activationDate" : "#NOW|YYYY-MM-DD HH:mm:ss",
        "deactivationDate" : "#NOW|YYYY-MM-DD HH:mm:ss",
        "processStartDate" : "#NOW|YYYY-MM-DD HH:mm:ss",
        "protectStopDate" : "#NOW|YYYY-MM-DD HH:mm:ss"
      },
      "customAttributes" : [ {
        "name" : "#VALUE",
        "value" : "#VALUE",
        "type" : "#TEXT|NUMBER"
      } ]
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--object / object

Required

Path of the object file containing secret data.

--type / type

Optional

Enter one of the following values:

  • SEED
  • PASSWORD

The default value is:

  • PASSWORD

--wallet / wallet

Optional

Wallet name. To find the names of existing wallets to which you have access, run the okv manage-access wallet list command.

--mask / mask

Optional

Cryptographic usage mask, enclosed in double quotation marks. The default value is :

DERIVE_KEY

Choose from the following values:

  • EXPORT
  • DERIVE_KEY

(JSON only) / attributes

Optional

Attribute names and their values. Enclose a value in double quotation marks if it contains spaces, slashes, or colons. To find the existing attributes for the managed object, run the okv managed-object attribute list command.

The attributes block as a whole can be specified only in the JSON syntax. At the command line, the individual attributes are set with --name, --activation-date, --deactivation-date, and --custom-attribute; contactInfo, processStartDate, and protectStopDate can be set only through the JSON syntax.

Attributes that you can enter are as follows:

  • name includes the following:
    • value is the name value.
    • type is either text or uri. The default value is text.
  • contactInfo
  • The following date and time attributes:
    • activationDate
    • deactivationDate
    • protectStopDate
    • processStartDate

You can use different ways to set the date and time. Examples are as follows:

"activationDate" : "now" --starts immediately
"activationDate" : "now+PT10M" --starts 10 minutes from now
"activationDate" : "2021-12-20 10:30:00" --starts at this date and time
"activationDate" : "2021-12-20 10:30:00+PT10M" --starts 10 minutes after this date and time

To display the time in UTC format, use the Linux date command. For example:

$ date --utc "+%F %T"
2021-03-15 20:31:37

See Key Management Interoperability Protocol Specification Version 1.1 for details about these attributes.

--name / name

Optional

Specifies the name of the security object. A name has two components: value, the name itself, and type, which is either text or uri. The default type is text. At the command line, use either the complex (JSON) format or the simplified format:

  • Complex format, value and type given explicitly:
            --name '{"value" : "KEY1", "type" : "uri"}'
            --name '{"value" : "KEY1", "type" : "text"}'
  • Simplified format, type defaults to text:
            --name KEY1

--custom-attribute / customAttribute

Optional

Specifies one or more custom-defined attributes on the security object. At the command line, use either the complex (JSON) format or the simplified name:value format:

  • Complex format, single attribute:
            --custom-attribute '{ "name": "x-OKV Certificate Expiration Date", "value" : "2017-04-29 18:14:51"}'
  • Complex format, multiple attributes:
            --custom-attribute '[ { "name": "x-OKV Certificate Expiration Date",
               "value" : "2017-04-29 18:14:51"}, { "name": "x-local-name", "value" : "HR"} ]'
  • Simplified format, single attribute:
            --custom-attribute "x-local-name:HR"
  • Simplified format, multiple attributes:
            --custom-attribute '[ "x-local-name:HR", "x-local-id:100" ]'

--deactivation-date / deactivationDate

Optional

Specifies when to deactivate the security object. It has the same format as --activation-date.

--activation-date / activationDate

Optional

Specifies when to activate the security object. Examples of the format are as follows:

"activationDate" : "now" --starts immediately
"activationDate" : "now+PT10M" --starts 10 minutes from now
"activationDate" : "2021-12-20 10:30:00" --starts at this date and time
"activationDate" : "2021-12-20 10:30:00+PT10M" --starts 10 minutes after this date and time

--output_format

Optional

Specifies the output format of the command: text or json. The command completes with exit code 0 when it succeeds and with exit code 1 when it fails, in which case it also prints a relevant error message.

The default value is:

  • json

Note:

Use the CLI command syntax to specify the output_format option. By default, the output format is JSON. With output_format set to text, the command prints only the result value, which removes the need to parse JSON output. This is useful when the output of one command serves as input to another command.

Example without using JSON

okv managed-object secret register --type PASSWORD --mask "DERIVE_KEY"
--name secret_0701 --object /Users/dopark/test/my.secret --activation-date now
--deactivation-date "2030-10-10 10:10:10"

JSON Example

  1. Generate JSON input for the okv managed-object secret register command.
    okv managed-object secret register --generate-json-input

    The generated input appears as follows:

    {
      "service" : {
        "category" : "managed-object",
        "resource" : "secret",
        "action" : "register",
        "options" : {
          "object" : "#VALUE",
          "type" : "#PASSWORD|SEED",
          "mask" : [ "#SIGN", "#VERIFY", "#ENCRYPT", "#DECRYPT", "#WRAP_KEY", "#UNWRAP_KEY", "#EXPORT", "#DERIVE_KEY", "#GENERATE_CRYPTOGRAM", "#VALIDATE_CRYPTOGRAM", "#TRANSLATE_ENCRYPT", "#TRANSLATE_DECRYPT", "#TRANSLATE_WRAP", "#TRANSLATE_UNWRAP" ],
          "wallet" : "#VALUE",
          "attributes" : {
            "name" : {
              "value" : "#VALUE",
              "type" : "#text|uri"
            },
            "contactInfo" : "#VALUE",
            "activationDate" : "#NOW|YYYY-MM-DD HH:mm:ss",
            "deactivationDate" : "#NOW|YYYY-MM-DD HH:mm:ss",
            "processStartDate" : "#NOW|YYYY-MM-DD HH:mm:ss",
            "protectStopDate" : "#NOW|YYYY-MM-DD HH:mm:ss"
          },
          "customAttributes" : [ {
            "name" : "#VALUE",
            "value" : "#VALUE",
            "type" : "#TEXT|NUMBER"
          } ]
        }
      }
    }
  2. Save the generated input to a file (for example, reg_secret.json) and then edit it to register the secret object.
    {
      "service" : {
        "category" : "managed-object",
        "resource" : "secret",
        "action" : "register",
        "options" : {
          "object" : "./hr_db_connect_password.txt",
          "type" : "PASSWORD",
          "mask" : [ "DERIVE_KEY" ],
          "wallet" : "hr_wallet",
          "attributes" : {
            "name" : {
              "value" : "HR-DB-CONNECT-PASSWORD",
              "type" : "text"
            },
            "contactInfo" : "psmith@example.com",
            "activationDate" : "2020-12-31 09:00:00",
            "deactivationDate" : "2024-12-31 09:00:00",
            "processStartDate" : "2020-12-31 09:00:00",
            "protectStopDate" : "2024-12-31 09:00:00"
          }
        }
      }
    }
  3. Run the okv managed-object secret register command using the generated JSON file.
    okv managed-object secret register --from-json reg_secret.json

    Output similar to the following appears:

    {
         "result": "Success",
         "value": {
          "uuid": "0F54D31A-ABA0-4F15-BF67-1B7513DD8634"
       }
    }

Example Using Output Format Text

okv managed-object secret register --output_format text --object object_name --type PASSWORD|SEED --wallet wallet_name --mask cryptographic_usage_mask

Output

Output similar to the following appears:

"0F54D31A-ABA0-4F15-BF67-1B7513DD8634"
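The file passed to --object is the secret itself, so how it is staged on the endpoint matters as much as the register call. The helper below is an added example and is not part of the Oracle Key Vault documentation or the okv client: it reads the secret from stdin (keeping it out of the process list and shell history), writes it to a fresh file created with mode 0600 under a private umask, verifies the mode before handing the path to okv managed-object secret register, and overwrites and removes the file as soon as the command returns. GNU coreutils (mktemp, stat -c, shred) and okv on PATH are assumed; the okv_register_secret function, the HR_DB_PASSWORD variable, the object name and the wallet name are illustrative.

```shell
#!/bin/sh
# Added example, not part of the Oracle Key Vault documentation or client.
# Assumptions: GNU coreutils (mktemp, stat -c, shred); okv on PATH when
# okv_register_secret is called; names and the HR_DB_PASSWORD variable are illustrative.

# Write stdin to a fresh 0600 temp file and print its path. The umask is
# narrowed while the file is created so there is no window in which it is readable.
okv_secret_tmpfile() {
    old_umask=$(umask)
    umask 077
    f=$(mktemp "${TMPDIR:-/tmp}/okv-secret.XXXXXX") || return 1
    umask "$old_umask"
    cat > "$f"
    chmod 600 "$f"
    printf '%s\n' "$f"
}

# Overwrite then delete the staged file; fall back to rm where shred is absent.
okv_secret_wipe() {
    if command -v shred >/dev/null 2>&1; then shred -u "$1"; else rm -f "$1"; fi
}

# File mode as octal digits, checked before the path is given to okv.
okv_file_mode() {
    stat -c '%a' "$1"
}

# Register a PASSWORD secret read from stdin; the value never appears as a
# command-line argument. Returns the okv exit code after wiping the file.
okv_register_secret() {
    name=$1; wallet=$2; deact=$3
    f=$(okv_secret_tmpfile) || return 1
    [ "$(okv_file_mode "$f")" = "600" ] || { okv_secret_wipe "$f"; return 1; }
    okv managed-object secret register --output_format text --type PASSWORD \
        --mask "DERIVE_KEY" --object "$f" --name "$name" --wallet "$wallet" \
        --activation-date now --deactivation-date "$deact"
    rc=$?
    okv_secret_wipe "$f"
    return $rc
}

# Demonstration; skipped on a machine without the okv client.
if command -v okv >/dev/null 2>&1; then
    printf '%s' "$HR_DB_PASSWORD" |
        okv_register_secret HR-DB-CONNECT-PASSWORD hr_wallet "2030-10-10 10:10:10"
fi
```

printf '%s' is used instead of echo so that no trailing newline becomes part of the registered value: okv managed-object secret get returns whatever the file contained, newline included, and a consumer comparing the retrieved password byte for byte would otherwise fail.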
  

5.31 okv managed-object wallet add-member Command

The okv managed-object wallet add-member command adds a security object to a wallet as its member.

This command authenticates with the endpoint's client certificate.

Required Authorization

The endpoint must have read-modify permission on the object and manage-wallet access (MW) on the wallet.

Syntax

okv managed-object wallet add-member [--output_format text|json] --uuid UUID --wallet wallet_name

JSON Input File Template

{
  "service": {
    "category": "managed-object",
    "resource": "wallet",
    "action": "add-member",
    "options": {
      "uuid": "#VALUE",
      "wallet": "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--uuid / uuid

Required

Universally unique ID (UUID) of the managed object that is being added to the wallet.

To find the unique identifier for the object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column.

--wallet / wallet

Required

Wallet name. To find the names of existing wallets to which you have access, run the okv manage-access wallet list command.

--output_format

Optional

Specifies the output format of the command: text or json. The command completes with exit code 0 when it succeeds and with exit code 1 when it fails, in which case it also prints a relevant error message.

The default value is:

  • json

Note:

Use the CLI command syntax to specify the output_format option. By default, the output format is JSON. With output_format set to text, the command prints only the result value, which removes the need to parse JSON output. This is useful when the output of one command serves as input to another command.

JSON Example

  1. Generate JSON input for the okv managed-object wallet add-member command.
    okv managed-object wallet add-member --generate-json-input

    The generated input appears as follows:

    {
      "service": {
        "category": "managed-object",
        "resource": "wallet",
        "action": "add-member",
        "options": {
          "uuid": "#VALUE",
          "wallet": "#VALUE"
        }
      }
    }
  2. Save the generated input to a file (for example, add_wallet_member.json) and then edit it to add the security object to the wallet.
    {
      "service": {
        "category": "managed-object",
        "resource": "wallet",
        "action": "add-member",
        "options": {
          "uuid": "D69D2F32-2DBB-4FF3-BF52-95487526E6EC",
          "wallet": "hr_wallet"
        }
      }
    }
  3. Run the okv managed-object wallet add-member command using the generated JSON file.
    okv managed-object wallet add-member --from-json add_wallet_member.json

    Output similar to the following appears:

    {
     "result": "Success"
    }

Example Using Output Format Text

okv managed-object wallet add-member --output_format text --uuid UUID --wallet wallet_name 

Output

Output similar to the following appears:
  • exit code 0 - Indicates success
  • exit code 1 - Indicates failure

5.32 okv managed-object wallet delete-member Command

The okv managed-object wallet delete-member command deletes the membership of the managed-object from a wallet.

This command authenticates with the endpoint's client certificate.

Required Authorization

The endpoint must have read-modify permission on the object and manage-wallet access (MW) on the wallet.

Syntax

okv managed-object wallet delete-member [--output_format text|json] --uuid UUID --wallet wallet_name

JSON Input File Template

{
  "service": {
    "category": "managed-object",
    "resource": "wallet",
    "action": "delete-member",
    "options": {
      "uuid": "#VALUE",
      "wallet": "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--uuid / uuid

Required

Universally unique ID (UUID) of the managed object in the wallet.

To find the unique identifier for the object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column.

--wallet / wallet

Required

Wallet name. To find the names of existing wallets to which you have access, run the okv manage-access wallet list command.

--output_format

Optional

Specifies the output format of the command. The command completes with exit code 0 when it runs successfully, and with exit code 1 when it fails, in which case it generates a relevant error message.

The default value is:

  • text

Note:

Use the CLI command syntax to specify the output_format option. By default, the output format is JSON. Setting output_format to 'text' displays the output in text format, which removes the need to parse JSON output. This is useful when the output of one command serves as input for another command.

JSON Example

  1. Generate JSON input for the okv managed-object wallet delete-member command.
    okv managed-object wallet delete-member --generate-json-input

    The generated input appears as follows:

    {
      "service": {
        "category": "managed-object",
        "resource": "wallet",
        "action": "delete-member",
        "options": {
          "uuid": "#VALUE",
          "wallet": "#VALUE"
        }
      }
    }
  2. Save the generated input to a file (for example, delete_wallet_member.json) and then edit it to delete the security object from the wallet.
    {
      "service": {
        "category": "managed-object",
        "resource": "wallet",
        "action": "delete-member",
        "options": {
          "uuid": "D69D2F32-2DBB-4FF3-BF52-95487526E6EC",
          "wallet": "hr_wallet"
        }
      }
    }
  3. Run the okv managed-object wallet delete-member command using the generated JSON file.
    okv managed-object wallet delete-member --from-json delete_wallet_member.json

    Output similar to the following appears:

    {
     "result": "Success"
    }

Example Using Output Format Text

okv managed-object wallet delete-member --output_format text --uuid UUID --wallet wallet_name 

Output

Output similar to the following appears:
  • exit code 0 - Indicates success
  • exit code 1 - Indicates failure

5.33 okv managed-object wallet list Command

The okv managed-object wallet list command lists wallets that have their access granted to the endpoint used to connect to Oracle Key Vault.

This command authenticates with the endpoint's client certificate.

Required Authorization

None, but this command returns only those wallets to which the current endpoint is granted access.

Syntax

okv managed-object wallet list

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "wallet",
    "action" : "list"
  }
}

Parameters

None are required. The optional --output_format parameter is described below.

Parameter/Template Parameter Required? Description

--output_format

Optional

Specifies the output format of the command. The command completes with exit code 0 when it runs successfully, and with exit code 1 when it fails, in which case it generates a relevant error message.

The default value is text.

Note:

Use the CLI command syntax to specify the output_format option. By default, the output format is JSON. Setting output_format to 'text' displays the output in text format, which removes the need to parse JSON output. This is useful when the output of one command serves as input for another command.

JSON Example

  1. Generate JSON input for the okv managed-object wallet list command.
    okv managed-object wallet list --generate-json-input

    The generated input appears as follows:

    {
      "service" : {
        "category" : "managed-object",
        "resource" : "wallet",
        "action" : "list"
      }
    }
  2. Save the generated input to a file (for example, wallet_list.json).
  3. Run the okv managed-object wallet list command using the generated JSON file.
    okv managed-object wallet list --from-json wallet_list.json

    Output similar to the following appears:

    {
      "result": "Success",
      "value": {
        "wallets": [
          "HR_WALLET",
          "SALES_WALLET"
        ]
      }
    }

Example Using Output Format Text

okv managed-object wallet list --output_format text

Output

Output similar to the following appears:

"HR_WALLET","SALES_WALLET"

5.34 okv managed-object key-pair create Command

The okv managed-object key-pair create command creates a pair of public and private keys. You can use this command to also create an SSH key pair.

Required Authorization

Must be an endpoint

Syntax

okv managed-object key-pair create
       [--activation-date <activation date>] [--algorithm <algorithm>] [--deactivation-date <deactivation date>]
       [--length <length>] [--private-key-custom-attribute <private key custom attribute>] [--private-key-extractable <private-key-extractable>]
       [--private-key-mask <private key mask>] [--private-key-name <private-key-name>] [--public-key-custom-attribute <public key custom attribute>]
       [--public-key-mask <public key mask>] [--public-key-name <public-key-name>] [--ssh-user <ssh-user>] [--wallet <wallet>]
       [--output_format text|json]

JSON Input File Template

{
  "service": {
    "category": "managed-object",
    "resource": "key-pair",
    "action": "create",
    "options": {
      "algorithm": "#RSA",
      "length": "#2048|3072|4096",
      "sshUser" : "#VALUE",
      "wallet" : "#VALUE",
      "privateKey" : {
        "mask" : ["#SIGN", "#DECRYPT", "#WRAP_KEY", "#UNWRAP_KEY", "#EXPORT",
                  "#DERIVE_KEY", "#GENERATE_CRYPTOGRAM", "#VALIDATE_CRYPTOGRAM", "#TRANSLATE_ENCRYPT",
                  "#TRANSLATE_DECRYPT", "#TRANSLATE_WRAP", "#TRANSLATE_UNWRAP" ],
        "attributes" : {
          "name" : {
            "value" : "#VALUE",
            "type" : "#text|uri"
          },
          "extractable" : "#TRUE|FALSE"
        },
        "customAttributes" : [ {
          "name" : "#VALUE",
          "value" : "#VALUE",
          "type" : "#TEXT|NUMBER"
        } ]
      },
      "publicKey" : {
        "mask" : ["#VERIFY", "#ENCRYPT", "#WRAP_KEY", "#UNWRAP_KEY", "#EXPORT",
                  "#DERIVE_KEY", "#GENERATE_CRYPTOGRAM", "#VALIDATE_CRYPTOGRAM", "#TRANSLATE_ENCRYPT",
                  "#TRANSLATE_DECRYPT", "#TRANSLATE_WRAP", "#TRANSLATE_UNWRAP" ],
        "attributes" : {
          "name" : {
            "value" : "#VALUE",
            "type" : "#text|uri"
          }
        },
        "customAttributes" : [ {
          "name" : "#VALUE",
          "value" : "#VALUE",
          "type" : "#TEXT|NUMBER"
        } ]
      },
      "attributes" : {
        "contactInfo" : "#VALUE",
        "activationDate" : "#VALUE",
        "deactivationDate" : "#VALUE"
      }
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--algorithm / algorithm

Optional

Cryptographic algorithm. Choose from the following values:

  • RSA

    The default value is:

  • RSA

--length / length

Optional

Key length for the algorithm. Choose from the following values:

  • For RSA: 2048, 3072, 4096

    The default value is:

  • 2048

--private-key-mask / privateKey → mask

Optional

Cryptographic usage mask, enclosed in double quotation marks. Choose from the following values:

  • ENCRYPT
  • DECRYPT
  • DERIVE_KEY
  • EXPORT
  • SIGN
  • TRANSLATE_DECRYPT
  • TRANSLATE_ENCRYPT
  • TRANSLATE_UNWRAP
  • TRANSLATE_WRAP
  • UNWRAP_KEY
  • WRAP_KEY

The default values are:

  • WRAP_KEY
  • DECRYPT
  • UNWRAP_KEY
  • SIGN

--public-key-mask / publicKey → mask

Optional

Cryptographic usage mask, enclosed in double quotation marks. Choose from the following values:

  • ENCRYPT
  • DERIVE_KEY
  • EXPORT
  • TRANSLATE_DECRYPT
  • TRANSLATE_ENCRYPT
  • TRANSLATE_UNWRAP
  • UNWRAP_KEY

The default values are:

  • ENCRYPT
  • UNWRAP_KEY
  • VERIFY

--wallet / wallet

Optional

Wallet name. To find the names of existing wallets to which you have access, run the okv manage-access wallet list command.

--deactivation-date/attributes → deactivationDate

Optional

Specifies when to deactivate a security object. It has the same format as activation-date.

--activation-date/attributes → activationDate

Optional

Specifies when to activate a security object. It has the following format.

"activationDate" : "now" --starts immediately
"activationDate" : "now+PT10M" --starts 10 minutes from now
"activationDate" : "2021-12-20 10:30:00" --starts at this date and time
"activationDate" : "2021-12-20 10:30:00+PT10M" --starts 10 minutes after this date and time

--private-key-name / privateKey → attributes → name

Optional

Specifies the name of the private key. The allowed values are:

  • value
  • type

The default value of the type is:

  • text

Complex data format, name attribute on the command line:

    --private-key-name '{"value" : "PRIVATE_KEY1", "type" : "uri"}'
    or
    --private-key-name '{"value" : "PRIVATE_KEY1", "type" : "text"}'

Simplified data format, name attribute on the command line, when the type defaults to "text":

    --private-key-name PRIVATE_KEY1

--private-key-custom-attribute / privateKey → customAttributes

Optional

Specifies a custom-defined attribute on the private key.

Complex data format, custom attributes on the command line:

    --private-key-custom-attribute '[ { "name": "x-OKV Certificate Expiration Date", "value" : "2017-04-29 18:14:51"}, { "name": "x-local-name", "value" : "HR"} ]'

Simplified data format, custom attribute (single or multiple instances) on the command line:

    --private-key-custom-attribute "x-local-name:HR"
    --private-key-custom-attribute '[ "x-local-name:HR", "x-local-id:100" ]'

--public-key-name / publicKey → attributes → name

Optional

Specifies the name of the public key. The allowed values are:

  • value
  • type

The default value of the type is:

  • text

Complex data format, name attribute on the command line:

    --public-key-name '{"value" : "PUBLIC_KEY1", "type" : "uri"}'
    or
    --public-key-name '{"value" : "PUBLIC_KEY1", "type" : "text"}'

Simplified data format, name attribute on the command line, when the type defaults to "text":

    --public-key-name PUBLIC_KEY1

--public-key-custom-attribute / publicKey → customAttributes

Optional

Specifies a custom-defined attribute on the public key.

Complex data format, custom attributes on the command line:

    --public-key-custom-attribute '[ { "name": "x-OKV Certificate Expiration Date", "value" : "2017-04-29 18:14:51"}, { "name": "x-local-name", "value" : "HR"} ]'

Simplified data format, custom attribute (single or multiple instances) on the command line:

    --public-key-custom-attribute "x-local-name:HR"
    --public-key-custom-attribute '[ "x-local-name:HR", "x-local-id:100" ]'

--output_format

Optional

Specifies the output format of the command. The allowed values are "text" or "json".

When the specified output format is "text", the command completes with an exit code 0 upon successful execution, and returns the universally unique IDs (UUIDs) of the private and public keys. The first line of output is the UUID of the private key and the second line is the UUID for the public key. It completes with an exit code of 1 on failure and generates a relevant error message.

When the specified output format is "json", the command returns a JSON structure indicating the result of the operation. If the operation is successful, the JSON structure includes the universally unique IDs (UUIDs) of the private and public keys, and completes with an exit code of 0. If the operation fails, the JSON structure includes a relevant error message, and completes with an exit code of 1.

--ssh-user /sshUser

Optional

SSH user name. The SSH user is intended to track the actual consumer of the SSH keys, a human, an application, or a machine.

Note:

Use the CLI command syntax to specify the output_format option. By default, the output format is JSON. Setting output_format to 'text' displays the output in text format, which removes the need to parse JSON output. This is useful when the output of one command serves as input for another command.
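The activation-date and deactivation-date parameters above accept "now", "now+PT10M", an absolute "YYYY-MM-DD HH:mm:ss" timestamp, or that timestamp plus an offset. The following Python is an added example, not part of the Oracle Key Vault documentation; it resolves those forms into absolute timestamps so a script can confirm a key's validity window is sane before the JSON input is submitted. It generalises the single PT10M offset shown on the page to a small ISO 8601 duration subset (PnD, PTnH, PTnM, PTnS), which is an assumption.

```python
import re
from datetime import datetime, timedelta
from typing import Optional

# ISO 8601 duration subset: PnD, PTnH, PTnM, PTnS and combinations.
# Assumption: the page only shows "PT10M"; the wider subset is this example's.
_DURATION = re.compile(
    r"^P(?:(?P<days>\d+)D)?"
    r"(?:T(?:(?P<hours>\d+)H)?(?:(?P<minutes>\d+)M)?(?:(?P<seconds>\d+)S)?)?$"
)


def parse_duration(text: str) -> timedelta:
    """Parse a duration such as PT10M or P1DT2H30M into a timedelta."""
    m = _DURATION.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError(f"unsupported duration: {text!r}")
    parts = {k: int(v) for k, v in m.groupdict().items() if v is not None}
    return timedelta(**parts)


def resolve_date(spec: str, now: Optional[datetime] = None) -> datetime:
    """Resolve "now", "now+<duration>", "YYYY-MM-DD HH:mm:ss" or
    "YYYY-MM-DD HH:mm:ss+<duration>" into an absolute datetime.
    `now` can be injected so results are reproducible."""
    now = now or datetime.now()
    base, _, offset = spec.partition("+")
    base = base.strip()
    # The absolute form on the page is YYYY-MM-DD HH:mm:ss
    start = now if base == "now" else datetime.strptime(base, "%Y-%m-%d %H:%M:%S")
    return start + parse_duration(offset) if offset else start


def check_window(activation: str, deactivation: str,
                 now: Optional[datetime] = None) -> bool:
    """True when the deactivation date resolves strictly after the activation date."""
    return resolve_date(deactivation, now) > resolve_date(activation, now)


if __name__ == "__main__":
    for spec in ("now", "now+PT10M", "2021-12-20 10:30:00",
                 "2021-12-20 10:30:00+PT10M"):
        print(f"{spec:32} -> {resolve_date(spec)}")
```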

Example without using JSON

okv managed-object key-pair create --length 4096 --algorithm RSA --private-key-mask "SIGN" --public-key-mask "VERIFY" --private-key-name 2023_PRIVATE_KEY_FOR_SIGNING --public-key-name 2023_PUBLIC_KEY_FOR_VERIFY

JSON Example

  1. Generate JSON input for the okv managed-object key-pair create command.
    okv managed-object key-pair create --generate-json-input

    The generated input appears as follows:

    {
      "service" : {
        "category" : "managed-object",
        "resource" : "key-pair",
        "action" : "create",
        "options" : {
          "algorithm" : "#RSA",
          "length" : "#2048,3072,4096(RSA)",
          "sshUser" : "#VALUE",
          "wallet" : "#VALUE",
          "attributes" : {
            "activationDate" : "#NOW|YYYY-MM-DD HH:mm:ss",
            "deactivationDate" : "#NOW|YYYY-MM-DD HH:mm:ss"
          },
          "privateKey" : {
            "mask" : [ "#SIGN", "#DECRYPT", "#WRAP_KEY", "#UNWRAP_KEY", "#EXPORT", "#DERIVE_KEY", "#GENERATE_CRYPTOGRAM", "#VALIDATE_CRYPTOGRAM", "#TRANSLATE_ENCRYPT", "#TRANSLATE_DECRYPT", "#TRANSLATE_WRAP", "#TRANSLATE_UNWRAP" ],
            "attributes" : {
              "name" : {
                "value" : "#VALUE",
                "type" : "#text|uri"
              },
              "extractable" : "#TRUE|FALSE"
            },
            "customAttributes" : [ {
              "name" : "#VALUE",
              "value" : "#VALUE",
              "type" : "#TEXT|NUMBER"
            } ]
          },
          "publicKey" : {
            "mask" : [ "#VERIFY", "#ENCRYPT", "#WRAP_KEY", "#UNWRAP_KEY", "#EXPORT", "#DERIVE_KEY", "#GENERATE_CRYPTOGRAM", "#VALIDATE_CRYPTOGRAM", "#TRANSLATE_ENCRYPT", "#TRANSLATE_DECRYPT", "#TRANSLATE_WRAP", "#TRANSLATE_UNWRAP" ],
            "attributes" : {
              "name" : {
                "value" : "#VALUE",
                "type" : "#text|uri"
              }
            },
            "customAttributes" : [ {
              "name" : "#VALUE",
              "value" : "#VALUE",
              "type" : "#TEXT|NUMBER"
            } ]
          }
        }
      }
    }
  2. Save the generated input to a file (for example, create_key_pair.json) and then edit it to create the key pair.
    {
      "service": {
        "category": "managed-object",
        "resource": "key-pair",
        "action": "create",
        "options": {
          "algorithm": "RSA",
          "length": "3072",
          "privateKey": {
            "mask": ["SIGN", "DECRYPT"],
            "attributes": {
              "extractable" : "FALSE"
            }
          },
          "publicKey": {
            "mask": ["VERIFY", "ENCRYPT"]
          },
          "wallet": "hr_wallet"
        }
      }
    }
  3. Run the okv managed-object key-pair create command using the generated JSON file.
    okv managed-object key-pair create --from-json create_key_pair.json

    Output similar to the following appears:

    {
      "result": "Success",
      "value": {
        "privateKeyUUID": "2BFDEBD7-5AE5-4F31-BFF7-6E8B2D20A170",
        "publicKeyUUID": "6B87CF6A-A10E-4F10-BF06-D92CB0241E8A"
      }
    }

Example Using Text as Output Format

okv managed-object key-pair create --output_format text --length 4096 --algorithm RSA --private-key-mask "SIGN" --public-key-mask "VERIFY" --private-key-name 2023_PRIVATE_KEY_FOR_SIGNING --public-key-name 2023_PUBLIC_KEY_FOR_VERIFY

Output

Output similar to the following appears:

2BFDEBD7-5AE5-4F31-BFF7-6E8B2D20A170
6B87CF6A-A10E-4F10-BF06-D92CB0241E8A
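The text output format exists so that one command's output can feed the next. The following Python is an added example, not Oracle's code: it builds a least-privilege key-pair create input (non-extractable private key limited to SIGN, public key limited to VERIFY), validates it against the length and usage-mask values listed in the JSON template above, and turns the two-line text output into the wallet add-member inputs that place both keys in a wallet. The two UUID lines are constructed sample output.

```python
import json
import re

# Values taken from this command's JSON template.
ALLOWED_LENGTHS = {"2048", "3072", "4096"}
PRIVATE_MASKS = {"SIGN", "DECRYPT", "WRAP_KEY", "UNWRAP_KEY", "EXPORT",
                 "DERIVE_KEY", "GENERATE_CRYPTOGRAM", "VALIDATE_CRYPTOGRAM",
                 "TRANSLATE_ENCRYPT", "TRANSLATE_DECRYPT", "TRANSLATE_WRAP",
                 "TRANSLATE_UNWRAP"}
PUBLIC_MASKS = (PRIVATE_MASKS - {"SIGN", "DECRYPT"}) | {"VERIFY", "ENCRYPT"}
UUID_RE = re.compile(r"^[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}$")


def key_pair_request(private_name, public_name, length="3072",
                     private_mask=("SIGN",), public_mask=("VERIFY",)):
    """Build the key-pair create input, rejecting values the template does not list."""
    if length not in ALLOWED_LENGTHS:
        raise ValueError(f"unsupported RSA length: {length}")
    bad = (set(private_mask) - PRIVATE_MASKS) | (set(public_mask) - PUBLIC_MASKS)
    if bad:
        raise ValueError(f"unsupported usage mask(s): {sorted(bad)}")
    return {"service": {
        "category": "managed-object", "resource": "key-pair", "action": "create",
        "options": {
            "algorithm": "RSA", "length": length,
            "privateKey": {
                "mask": list(private_mask),
                # extractable FALSE keeps the private key material inside Key Vault
                "attributes": {"name": {"value": private_name, "type": "text"},
                               "extractable": "FALSE"}},
            "publicKey": {
                "mask": list(public_mask),
                "attributes": {"name": {"value": public_name, "type": "text"}}}}}}


def parse_text_output(output):
    """Text format: first line is the private key UUID, second the public key UUID."""
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    if len(lines) != 2 or not all(UUID_RE.match(ln) for ln in lines):
        raise ValueError("expected exactly two UUID lines (private, public)")
    return {"privateKeyUUID": lines[0], "publicKeyUUID": lines[1]}


def add_member_requests(uuids, wallet):
    """One wallet add-member input per key, so both keys end up in the same wallet."""
    return [{"service": {"category": "managed-object", "resource": "wallet",
                         "action": "add-member",
                         "options": {"uuid": u, "wallet": wallet}}}
            for u in (uuids["privateKeyUUID"], uuids["publicKeyUUID"])]


if __name__ == "__main__":
    print(json.dumps(key_pair_request("2023_PRIVATE_KEY_FOR_SIGNING",
                                      "2023_PUBLIC_KEY_FOR_VERIFY"), indent=2))
    # Constructed sample of what "--output_format text" prints on success.
    sample = "2BFDEBD7-5AE5-4F31-BFF7-6E8B2D20A170\n6B87CF6A-A10E-4F10-BF06-D92CB0241E8A\n"
    for req in add_member_requests(parse_text_output(sample), "hr_wallet"):
        print(json.dumps(req))
```

Each printed document can be saved and passed to the matching command with --from-json, exactly as the JSON examples above do by hand.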