We have implemented Entrust (formally Hytrust) KMS integrated into VMWare. All works well. I am trying to use the API to list out the keys in our configured Vault so I can alert when a key is reaching EOL. Using the API I can login to the KMS and retrieve an authentication token, then using that token establish a connection to our Vault. This gives me an API url for that Vault and this is where I am getting stuck. I am always getting a HTTP/1.1 401 UNAUTHORIZED response to my request for the list of KMIP Objects. My code is as follows:-
$kms = 'https://mykms/';
$username = 'mykmsusername';
$password = 'mykmspassword';
//Now all we need an access token to make further API Calls
$ch = curl_init($kms.'/v5/kc/login/');
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/json'));
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, '{"password": "'.$password.'","username": "'.$username.'"}');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
curl_setopt($ch, CURLOPT_PROXY, '');
$return = curl_exec($ch);
if ($return === false) die("CURL error ".curl_error($ch));
list($header, $body) = explode("\r\n\r\n", $return, 2);
$headers = GetHeaders($header);
curl_close($ch);
$token = json_decode($body);
if ($headers['Content-Type']!='application/json') die("Unexpected return type");
if ($token->result!=='success') die($token->result);
$authtoken = $token->access_token;
//Access the the Vault to retrieve the API URL
$ch = curl_init($kms.'/v5/vault-management/?name=MY_KMIP&type=KMIP');
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Auth-Token: '.$authtoken));
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
curl_setopt($ch, CURLOPT_PROXY, '');
$return = curl_exec($ch);
$return = json_decode($return, true);
echo "<pre>"; print_r($return); echo "</pre>";
$username = 'myvaultusername';
$password = 'myvaultpassword';
//Login to the vault using my vaults credentials
$ckfile = tempnam ("/tmp", "CURLCOOKIE");
$ch = curl_init($kms.'/'.$return['api_url']);
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/json'));
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_POSTFIELDS, '{"password": "'.$password.'","username": "'.$username.'"}');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
curl_setopt($ch, CURLOPT_PROXY, '');
curl_setopt($ch, CURLOPT_COOKIEJAR, $ckfile);
curl_setopt($ch, CURLOPT_COOKIEFILE, $ckfile);
$return = curl_exec($ch);
$return = json_decode($return);
$authtoken = $return->access_token;
echo "<pre>"; print_r($return); echo "</pre>";
//Try to retrieve the list of objects using the authtoken above - this is what is not working. The $authtoken is a long string and appears valid!
$ch = curl_init($kms.'/kmipTenant/1.0/ListKmipObjectByAttribute/');
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Auth-Token: '.$authtoken));
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, '{"max_items": "100","offset": "0"}');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
curl_setopt($ch, CURLOPT_PROXY, '');
curl_setopt($ch, CURLOPT_COOKIEJAR, $ckfile);
curl_setopt($ch, CURLOPT_COOKIEFILE, $ckfile);
$return = curl_exec($ch);
if ($return === false) die("CURL error ".curl_error($ch));
list($header, $body) = explode("\r\n\r\n", $return, 2);
$headers = GetHeaders($header);
curl_close($ch);
$token = json_decode($body);
echo "<pre>"; print_r($token); echo "</pre>";
echo "<pre>"; print_r($headers); echo "</pre>";
unlink($ckfile);
The value of $token is :-
stdClass Object
(
[error] => Access token not found
)
Any help would be lovely.