PowerProtect Data Manager 19.9 Security Configuration Guide

Manually install a custom security certificate through the REST API

Alternatively, you can use the REST API to replace the security certificate. You must have the public certificate chain in PEM format and the private key in PKCS#1 (RSA) PEM format.

1. Log in to the PowerProtect Data Manager REST API as a user with the Administrator or Security Administrator role:

   Use curl or a REST API client of your choice.

   POST https://{{server}}:{{port}}/api/v2/login
   Headers:
     Content-Type: application/json
    
   Request Payload:
   {
       "username": "{{username}}",
       "password": "{{password}}"
   }
   

   where:

   • {{server}} is the FQDN or IP address for the PowerProtect Data Manager server.
   • {{port}} is the REST API port, typically 8443.
   • {{username}} and {{password}} are the PowerProtect Data Manager REST API credentials.

   The REST API service returns an access token:

   200 OK
   {
       "access_token": "eyJraWQiOiJkMjc5M",
       "token_type": "Bearer",
       "expires_in": 28800,
       "jti": "dadda4ef-c4ad-4153-9bee-82f5ad69c75a",
       "scope": "aaa",
       "refresh_token": "eyJraWQiOiJkMjc5M"
   }
   

   Record the access_token value.

2. Replace the security certificate:

   Use curl or a REST API client of your choice.

   POST https://{{server}}:{{port}}/api/v2/certificates-replacement
   Headers:
     Content-Type: application/json
     Authorization: Bearer {{access-token}}
   {
       "privateKey": "{{private-key}}",
       "certificateChain": "{{cert-chain}}"
       "password": "{{password}}"
   }

   Replace {{private-key}} with a \n-delimited single-line string that represents the contents of customkey.pem. For example:

   -----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEArG7\n7HmzXgmP+7owxddYeId\nuXzfA7hedyuxRSV7Whb\nQQKvO3fQz3ywb6i56Lq\n-----END RSA PRIVATE KEY-----\n

   Replace {{cert-chain}} with a \n-delimited single-line string that represents the contents of custom.pem. For example:

   -----BEGIN CERTIFICATE-----\nMIIDdzCCAl+gAwIBAgI\nUzERMA8GA1UEChMIU2l\nMDkyMjE4MDEzNFoXDTI\nBAoTC1BQRE0gU2VydmV\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nEHD0fXjANBgkqhkiG9w\nd3cuc2lnbi5jb20gYz1\nZ24gUm9vdCBDQTAeFw0\nBgNVBAYTAlVTMREwDwY\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIDSTCCAjGgAwIBAgI\nd3cuc2lnbi5jb20gYz1\nZ24gUm9vdCBDQTAeFw0\nBgNVBAsTEXd3dy5zaWd\n-----END CERTIFICATE-----\n

   The password is an optional field, used when you supply an encrypted private key.

   The REST API service returns a status code:

   201 Created
   {
       "id": "004c443c-3e55-44da-ac1a-59fe65fec13a",
       "privateKey": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEArG7\n7HmzXgmP+7owxddYeId\nuXzfA7hedyuxRSV7Whb\nQQKvO3fQz3ywb6i56Lq\n-----END RSA PRIVATE KEY-----\n",
       "certificateChain": "-----BEGIN CERTIFICATE-----\nMIIDdzCCAl+gAwIBAgI\nUzERMA8GA1UEChMIU2l\nMDkyMjE4MDEzNFoXDTI\nBAoTC1BQRE0gU2VydmV\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nEHD0fXjANBgkqhkiG9w\nd3cuc2lnbi5jb20gYz1\nZ24gUm9vdCBDQTAeFw0\nBgNVBAYTAlVTMREwDwY\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIDSTCCAjGgAwIBAgI\nd3cuc2lnbi5jb20gYz1\nZ24gUm9vdCBDQTAeFw0\nBgNVBAsTEXd3dy5zaWd\n-----END CERTIFICATE-----\n"
   }

3. For any existing UI sessions, refresh the page to allow the new certificates to take effect.