Syncing keys in keystores with managed keys manually

If the key state in some keystores is different from the managed key state, you receive a Key out of sync warning message. You can sync the key state by using Unified Key Orchestrator with the UI, or programmatically with the Unified Key Orchestrator API.

An Out of sync flag is also displayed in the corresponding keystore card or the key list. There can be multiple reasons why the key is out of sync. For example, there is an issue in relinking the key in the keystore, the key is failed to be destroyed in some of the distributed keystores, or the key is modified in the target keystore outside of Unified Key Orchestrator. Take the following steps to munually sync the state of keys in keystores with the managed key.

Syncing keys with the UI

To sync the key in keystores with managed keys manually, you need to verify the key state first and then sync keys. Complete the following steps to sync a managed key:

Step 1: Verify key state

Log in to the UI.
Go to Menu > Resource list to view a list of your resources.
Select your provisioned instance of Hyper Protect Crypto Services with Unified Key Orchestrator from your IBM Cloud resource list.
Click Managed keys from the navigation to view all the available keys.
Select the key that you want to verify the key state and click the Actions icon to open a list of options for the key.
Click Verify sync from the options menu.

Step 2: Sync key state

After you verify the key state, if an Out of sync flag is displayed next to the key state, you can sync the key state by performing the following steps:

Select the key that you want to sync and click the Actions icon to open a list of options for the key.
Click Sync key from the options menu. Alternatively, you can sync keys by selecting Show details on the Actions menu and clicking Sync key in the key details page.
Confirm the keystores where you want to sync the key and click Sync key.

Syncing with the API

To sync a managed key through the API, follow these steps:

Retrieve your service and authentication credentials to work with keys in the service.

Sync a managed key by making a POST call based on the following example:

curl --location --request POST 'https://<instance_ID>.uko.<region>.hs-crypto.appdomain.cloud/api/v4/managed_keys/<id>/sync_status_in_keystores' 
--header 'Authorization: Bearer <IAM_token>' \
--header 'Accept: application/json' \
--header 'If-Match: <ETag>'

Replace the variables in the example request according to the following table.

Table 1. Variables needed to sync a managed key
Variable	Description
`region`	Required. The prefix that represents the geographic area where your service instance resides. For more information, see Regions and locations.
`port`	Required. The port number of the API endpoint.
`id`	Required. The unique identifier for the managed key that you want to sync.
`IAM_token`	Required. Your IBM Cloud IAM access token that you retrieve in step 1. Include the full contents of the `IAM` token, including the Bearer value.
`ETag`	Required. The precondition of the update, which is the value of ETag from the header on a GET request.

For detailed instructions and code examples about using the API method, check out the Hyper Protect Crypto Services Unified Key Orchestrator API reference doc.

What's next

To find out more about managing your keys, check out Filtering and searching keys or Editing key details.
To find out more about programmatically managing your keys, check out the Hyper Protect Crypto Services Unified Key Orchestrator API reference doc.