Auditing events for Hyper Protect Crypto Services
As a security officer, auditor, or manager, you can use the IBM Cloud® Activity Tracker service to monitor how users and applications interact with IBM Cloud® Hyper Protect Crypto Services.
IBM Cloud Activity Tracker records user-initiated activities that change the state of a service in IBM Cloud. You can use this service to investigate abnormal activity and critical actions and to comply with regulatory audit requirements. In addition, you can be alerted about actions as they happen. The events that are collected comply with the Cloud Auditing Data Federation (CADF) standard.
To enable IBM Cloud Activity Tracker for your Hyper Protect Crypto Services instance, you need to provision an instance of the IBM Cloud Activity Tracker service in the same region where your Hyper Protect Crypto Services instance is located. For more information, see the getting started tutorial for IBM Cloud Activity Tracker.
To see which action requests correlate to the following actions, check out the key management service API reference doc and TKE CLI reference.
Historical information regarding events
| Reference | Current event names |
|---|---|
hs-crypto.governance.configread |
hs-crypto.governance-config.read |
hs-crypto.importtoken.create |
hs-crypto.import-token.create |
hs-crypto.importtoken.read |
hs-crypto.import-token.read |
hs-crypto.importtoken.default |
hs-crypto.import-token.request |
hs-crypto.instance.readallowedipport |
hs-crypto.instance-allowed-ip-port.read |
hs-crypto.instance.readipwhitelistport |
hs-crypto.instance-ip-allowlist-port.read |
hs-crypto.instancepolicies.write |
hs-crypto.instance-policies.write |
hs-crypto.instancepolicies.read |
hs-crypto.instance-policies.read |
hs-crypto.instancepolicies.default |
hs-crypto.instance-policies.request |
hs-crypto.keyrings.create |
hs-crypto.key-rings.create |
hs-crypto.keyrings.delete |
hs-crypto.key-rings.delete |
hs-crypto.keyrings.list |
hs-crypto.key-rings.list |
hs-crypto.keyrings.default |
hs-crypto.key-rings.request |
hs-crypto.secrets.defaultalias |
hs-crypto.secrets-alias.request |
hs-crypto.secrets.createalias |
hs-crypto.secrets-alias.create |
hs-crypto.secrets.deletealias |
hs-crypto.secrets-alias.delete |
hs-crypto.secrets.eventack |
hs-crypto.secrets-event.ack |
hs-crypto.secrets.listkeyversions |
hs-crypto.secrets-key-versions.list |
hs-crypto.secrets.readmetadata |
hs-crypto.secrets-metadata.read |
Supported events
Key events
The following table lists the key actions that generate an event:
| Action | Description |
|---|---|
hs-crypto.secrets.create |
Create a key. |
hs-crypto.secrets-alias.create |
Create a key alias. |
hs-crypto.secrets.default |
Invalid key request event. |
hs-crypto.secrets.delete |
Delete a key. |
hs-crypto.secrets-alias.delete |
Delete a key alias. |
hs-crypto.secrets.disable |
Disable operations for a key. |
hs-crypto.secrets.enable |
Enable operations for a key. |
hs-crypto.secrets-event.ack |
Acknowledge a lifecycle action on a key. |
hs-crypto.secrets.expire |
Expire a key. |
hs-crypto.secrets.head |
Retrieve key total. |
hs-crypto.secrets.list |
List keys. |
hs-crypto.secrets-key-versions.list |
List all the versions of a key. |
hs-crypto.secrets.wrap |
Wrap a key. |
hs-crypto.secrets.patch |
Patch a key. |
hs-crypto.secrets.purge |
Purge a key. |
hs-crypto.secrets.read |
Retrieve all key information. |
hs-crypto.secrets-metadata.read |
Retrieve key metadata (excluding key payload, if applicable). |
hs-crypto.secrets.restore |
Restore a key. |
hs-crypto.secrets.rewrap |
Rewrap a key. |
hs-crypto.secrets.rotate |
Rotate a key. |
hs-crypto.secrets.setkeyfordeletion |
Authorize deletion for a key with Dual Authorization policy. |
hs-crypto.secrets.unsetkeyfordeletion |
Cancel deletion for a key with Dual Authorization policy. |
hs-crypto.secrets.unwrap |
Unwrap a key. |
Key Ring events
The following table lists the key ring actions that generate an event:
| Action | Description |
|---|---|
hs-crypto.key-rings.create |
Create a key ring. |
hs-crypto.key-rings.delete |
Delete a key ring. |
hs-crypto.key-rings.list |
List key rings in an instance. |
hs-crypto.key-rings.request |
Invalid key ring request. |
Policy events
The following table lists the policy actions that generate an event:
| Action | Description |
|---|---|
hs-crypto.policies.read |
List key policies. |
hs-crypto.policies.write |
Set key policies. |
hs-crypto.instance-policies.read |
List instance policies. |
hs-crypto.instance-policies.write |
Set instance policies. |
hs-crypto.policies.default |
Invalid policy request event. |
hs-crypto.instance-policies.request |
Invalid policy request event. |
Import token events
The following table lists the import token actions that generate an event:
| Action | Description |
|---|---|
hs-crypto.import-token.create |
Create an import token. |
hs-crypto.import-token.read |
Retrieve an import token. |
hs-crypto.import-token.request |
Invalid import token request event. |
Registration events
The following table lists the registration actions that generate an event:
| Action | Description |
|---|---|
hs-crypto.registrations.list |
List registrations for any key. |
hs-crypto.registrations.default |
Invalid registration request event. |
Trusted Key Entry events
The following table lists the Trusted Key Entry (TKE) actions that generate an event:
| Action | Description |
|---|---|
hs-crypto.tke-cryptounit-admin.add |
Add a crypto unit administrator to the selected crypto units. |
hs-crypto.tke-cryptounit-admin.remove |
Remove a crypto unit administrator from the selected crypto units. |
hs-crypto.tke-cryptounit-threshold.set |
Set the signature thresholds for the selected crypto units. |
hs-crypto.tke-cryptounit-master-key-register.add |
Load the new master key register. |
hs-crypto.tke-cryptounit-master-key-register.commit |
Commit the new master key register. |
hs-crypto.tke-cryptounit-master-key-register.activate |
Activate the current master key register. |
hs-crypto.tke-cryptounit-new-master-key-register.clear |
Clear the new master key register. |
hs-crypto.tke-cryptounit-current-master-key-register.clear |
Clear the current master key register. |
hs-crypto.tke-cryptounit.reset |
Zeroize and reset the selected crypto units |
Certificate manager events
The following table lists the certificate manager actions that generate an event:
| Action | Description |
|---|---|
hs-crypto.mtlscert-admin-key.create |
Create the administrator signature key for the certificate administrator to connect to the certificate manager server. |
hs-crypto.mtlscert-admin-key.update |
Refresh and update the administrator signature key for the certificate administrator. |
hs-crypto.mtlscert-admin-key.read |
Get the administrator signature key of the certificate administrator. |
hs-crypto.mtlscert-admin-key.delete |
Delete the administrator signature key of the certificate administrator. |
hs-crypto.mtlscert-cert.set |
Create or update certificates by the certificate administrator. |
hs-crypto.mtlscert-cert.list |
List all certificates that are managed by the certificate administrator. |
hs-crypto.mtlscert-cert.read |
Get certificates by the certificate administrator. |
hs-crypto.mtlscert-cert.delete |
Delete certificates by the certificate administrator. |
KMIP for VMware events
When you manage keys for the KMIP for VMware® service, an event is generated.
The following table provides the actions that generate and send events for KMIP for VMware. These actions are performed by an initiator from VMware vCenter Server® and do not include the initiator's IP address. The requests for these actions run from within the IBM Cloud private network.
The initiator ID is derived from the TLS (Transport Layer Security) certificate of the vCenter Server that is used to authenticate the connection to the KMIP server. The initiator ID is in the format CertificateID-<value>,
where the value matches the fingerprint of the corresponding TLS certificate. Using the fingerprint, you can identify the vCenter Server that triggered the action.
| Action | Description |
|---|---|
hs-crypto.kmip-key.create |
A KMIP key is created. |
hs-crypto.kmip-key.read |
A KMIP key is retrieved. |
hs-crypto.kmip-key-attributes.retrieve |
A KMIP key's attributes are retrieved. |
hs-crypto.kmip-key.activate |
A KMIP key is activated. |
hs-crypto.kmip-key.revoke |
A KMIP key is revoked. |
hs-crypto.kmip-key.destroy |
A KMIP key is destroyed. |
EP11 keystore events
The following table lists the Enterprise PKCS #11 (EP11) keystore actions that generate an event:
| Action | Description |
|---|---|
hs-crypto.keystore.createkeystore |
Create an EP11 keystore. |
hs-crypto.keystore.deletekey |
Delete an EP11 key. |
hs-crypto.keystore.deletekeystore |
Delete an EP11 keystore. |
hs-crypto.keystore.listkeysbyattributes |
View EP11 keys. |
hs-crypto.keystore.listkeysbyids |
View EP11 keys. |
hs-crypto.keystore.listkeystoresbyattributes |
View EP11 keystores. |
hs-crypto.keystore.listkeystoresbyids |
View EP11 keystores. |
hs-crypto.keystore.storenewkey |
Store an EP11 key. |
hs-crypto.keystore.updatekey |
Update an EP11 key. |
EP11 crypto events
The following table lists the EP11 crypto actions that generate an event:
| Action | Description |
|---|---|
hs-crypto.ep11.use |
Cryptographic operation |
KMIP management events
The following table lists the KMIP management actions that generate an event:
| Action | Description |
|---|---|
hs-crypto.kmip-management.create |
Create a KMIP adapter or KMIP adapter client certificate. |
hs-crypto.kmip-management.delete |
Delete a KMIP adapter, KMIP adapter client certificate, or KMIP object. |
hs-crypto.kmip-management.list |
List KMIP adapters, KMIP adapter client certificates, or KMIP objects. |
hs-crypto.kmip-management.read |
Get a KMIP adapter, KMIP adapter client certificate, or KMIP object. |
hs-crypto.kmip-management.default |
Invalid KMIP managmenet API request. |
Viewing events
Events that are generated by an instance of Hyper Protect Crypto Services are automatically forwarded to the IBM Cloud Activity Tracker service instance that is available in the same location.
IBM Cloud Activity Tracker can have only one instance per location. To view events, you must access the web UI of the IBM Cloud Activity Tracker service in the same location where your service instance is available. For more information, see Launching the web UI through the IBM Cloud UI.
| Deployment Region | Activity Tracker Region |
|---|---|
au-syd |
au-syd |
br-sao |
br-sao |
ca-tor |
ca-tor |
eu-de |
eu-de |
eu-es |
eu-es |
eu-gb |
eu-gb |
jp-tok |
jp-tok |
us-east |
us-east |
us-south |
us-south |
Analyzing successful events
Most successful requests have unique requestData and responseData associated with each related event. The following sections describe the data of each Hyper Protect Crypto Services service action event.
Fields are not guaranteed to appear unless the request is successful.
Common fields
Some common fields are available for Hyper Protect Crypto Services to use outside of the CADF event model to provide more insight into your data.
| Field | Description |
|---|---|
requestData.requestURI |
The URI of the API request that was made. |
requestData.instanceID |
The unique identifier of your Hyper Protect Crypto Services service instance. |
correlationId |
The unique identifier of the API request that generated the event. Note: This field is not supported in TKE events. |
For more information about the event fields in the Cloud Auditing Data Federation (CADF) event model, see Event Fields.
While initiator.host.address is a field that is part of the Cloud Auditing Data Federation model, the host address field is not shown for requests made through private networks.
Key action events
Because of the sensitivity of the information about an encryption key, the event that is generated does not include detailed information about the key, such as the payload and encrypted nonce.
The responseData.keyState field is an integer and corresponds to the Pre-activation = 0, Active = 1, Suspended = 2, Deactivated = 3, and Destroyed = 5 values. For more information about key states, see Key states and transitions.
Create key
The following fields include extra information:
- The
requestData.keyTypefield includes the type of key that was created. - The
responseData.keyIdfield includes the unique identifier that is associated with the key. - The
responseData.keyVersionIdfield includes the unique identifier of the current key version that is used to wrap input ciphertext on wrap requests. - The
responseData.keyVersionCreationDatefield includes the date that the current version of the key was created. - The
responseData.keyStatefield includes the integer that correlates to the state of the key.
Delete key
The following field includes extra information:
- The
responseData.keyStatefield includes the integer that correlates to the state of the key.
Expire Key
The following field includes extra information:
- The
requestData.keyTypefield includes the type of key that was created. - The
responseData.keyIdfield includes the unique identifier that is associated with the key. - The
requestData.expirationDatefield includes the date that the key expired on. - The
responseData.initialValue.keyStatefield includes the integer that correlates to the previous state of the key. - The
responseData.newValue.keyStatefield includes the integer that correlates to the current state of the key.
Wrap or unwrap key
The following field includes extra information:
- The
responseData.keyVersionIdfield includes the unique identifier of the current key version that is used to wrap input ciphertext on wrap requests.
Rewrap key
The following field includes extra information:
- The
responseData.keyVersionIdfield includes the unique identifier of the current key version that is used to wrap input ciphertext on wrap requests. - The
responseData.rewrappedKeyVersionIdfield includes the unique identifier of the new key version that is used to wrap input ciphertext on wrap requests.
Restore key
The following field includes extra information:
- The
responseData.keyVersionIdfield includes the unique identifier of the current key version that is used to wrap input ciphertext on wrap requests.
Rotate key
Rotate key doesn't have any extra fields apart from the Common Fields section.
Get key total
The following field includes extra information:
- The
responseData.totalResourcesfield includes the total number of keys within the service instance.
List keys
The following field includes extra information:
- The
responseData.totalResourcesfield includes the total number of keys that are returned in the response.
Get key or key metadata
The following fields include extra information:
- The
requestData.keyTypefield includes the type of key that was retrieved. - The
responseData.keyStatefield includes the integer that correlates to the state of the key. - The
responseData.keyVersionIdfield includes the unique identifier of the current key version that is used to wrap input ciphertext on wrap requests. - The
responseData.keyVersionCreationDatefield includes the date that the current version of the key was created.
Patch key
The following fields include extra information:
- The
requestData.initialValue.keyRingIdfield includes the ID of the key ring that the key previously belonged to. - The
requestData.newValue.keyRingIdfield includes the ID of the key ring that the key belongs to.
List key versions
The following field includes extra information:
- The
responseData.totalResourcesfield includes the total number of key versions returned in the response.
Set or unset key for deletion
The following fields include extra information:
- The
responseData.initialValue.authIDfield includes the initiator ID of the person who set the dual authorization policy. - The
responseData.initialValue.authExpirationfield includes the expiration date for the dual authorization policy. - The
responseData.newValue.authIDfield includes the initiator ID of the person who set the dual authorization policy. - The
responseData.newValue.authExpirationfield includes the expiration date for the dual authorization policy.
initialValue is the initiatorID of the person who last set the dual authorization policy and newValue is the new initiatorID of the person who set the dual authorization policy.
Policy events
Allowed network policies
The following fields include extra information:
- The
requestData.initialValue.policyAllowedNetworkEnabledfield includes if your allowed network policy was previously enabled or disabled. - The
requestData.initialValue.policyAllowedNetworkAttributefield includes if your allowed network policy was previously only for public networks or both public and private networks. - The
requestData.newValue.policyAllowedNetworkEnabledfield includes if your allowed network policy is enabled or disabled. - The
requestData.newValue.policyAllowedNetworkAttributefield includes if your allowed network policy is only for public networks or both public and private networks.
Dual auth delete policies
The following fields include extra information:
- The
requestData.initialValue.policyDualAuthDeleteEnabledfield includes if your dual auth delete policy was previously enabled or disabled. - The
requestData.newValue.policyDualAuthDeleteEnabledfield includes if your dual auth delete policy is enabled or disabled.
Key creation and importation access policies
The following fields include extra information:
- The
requestData.initialValue.PolicyKCIAEnabledfield includes if your key creation and importation policy was previously enabled or disabled. - The
requestData.newValue.PolicyKCIAEnabledfield includes if your key creation and importation policy is enabled or disabled. - The
requestData.initialValue.PolicyKCIAAttrCRKfield includes if your key creation and importation policy previously allowed the creation of root keys. - The
requestData.newValue.PolicyKCIAAttrCRKfield includes if your key creation and importation policy allows the creation of root keys. - The
requestData.initialValue.PolicyKCIAAttrCSKfield includes if your key creation and importation policy previously allowed the creation of standard keys. - The
requestData.newValue.PolicyKCIAAttrCSKfield includes if your key creation and importation policy allows the creation of standard keys. - The
requestData.initialValue.PolicyKCIAAttrIRKfield includes if your key creation and importation policy previously allowed imported root keys. - The
requestData.newValue.PolicyKCIAAttrIRKfield includes if your key creation and importation policy allows imported root keys. - The
requestData.initialValue.PolicyKCIAAttrISKfield includes if your key creation and importation policy previously allowed imported standard keys. - The
requestData.newValue.PolicyKCIAAttrISKfield includes if your key creation and importation policy allows imported standard keys. - The
requestData.initialValue.PolicyKCIAAttrETfield includes if your key creation and importation policy previously required keys to be imported through import token. - The
requestData.newValue.PolicyKCIAAttrETfield includes if your key creation and importation policy requires keys to be imported through import token.
Import token events
Create import token
The following fields include extra information:
- The
responseData.expirationDatefield includes the expiration date of the import token. - The
responseData.maxAllowedRetrievalsfield includes the maximum number of times the import token can be retrieved within the expiration time before it is no longer accessible.
Retrieve import token
The following fields include extra information:
- The
responseData.maxAllowedRetrievalsfield includes the maximum number of times the import token can be retrieved within the expiration time before it is no longer accessible. - The
responseData.remainingRetrievalsfield includes the number of times the import token can be retrieved within the expiration time before it is no longer accessible.
Registration events
List registrations
The following field includes extra information:
- The
responseData.totalResourcesfield includes the total number of registrations that are returned in the response.
Trusted Key Entry events
The following table lists the returned values that indicate a successful TKE event.
| Field name | Returned value |
|---|---|
outcome |
success |
reason.reasonCode |
200 |
reason.reasonType |
OK |
The following common fields for TKE events include extra information:
-
The
requestData.locationfield includes the specific location of the crypto unit. The location follows this format:[region].[availability zone].[hardware security module (HSM) module index].[HSM domain index].
For example, if you provision your instance in the
us-eastregion, the value that is returned is similar to[us-east].[AZ2-CSSTAG2].[03].[22]. -
The
target.idfield includes the Cloud Resource Name (CRN) of the crypto unit. -
The
target.namefield also includes the location of the crypto unit. -
The
target.typeURIfield includes the URI of the object that the action is targeting at. For example, if you perform thehs-crypto.tke-cryptounit-master-key-register.addaction, the value that is returned ishs-crypto/tke-cryptounit/master-key-register.
For the following TKE events, some specific fields indicate more information.
Add a crypto unit administrator
- The
requestData.adminIdfield includes the SHA-256 hash of the signature key file that is associated with the administrator to be added. - The
responseData.adminIdsfield lists the SHA-256 hashes of the signature key files associated with all the administrators that are added to the crypto unit.
Remove a crypto unit administrator
- The
requestData.adminIdfield includes the SHA-256 hash of the signature key file that is associated with the administrator to be removed. - The
responseData.adminIdsfield lists the SHA-256 hashes of the signature key files that are associated with all the administrators that are added to the crypto unit.
Set the signature thresholds
- The
requestData.signatureThresholdfield includes the main signature threshold that you set on the crypto unit. - The
requestData.revocationSignatureThresholdfield includes the revocation signature threshold that you set on the crypto unit. - The
responseData.signatureThresholdfield includes the main signature threshold that is successfully set on the crypto unit. - The
responseData.revocationSignatureThresholdfield includes the revocation signature threshold that is successfully set on the crypto unit.
Load the new master key register
- The
requestData.masterKeyIdsfield lists the SHA-256 hashes of all the master key parts files that you select to load to the crypto unit. - The
responseData.verificationPatternfield includes the SHA-256 hash of the master key that is composed of the selected master key parts and is loaded to the new master key register.
Commit the new master key register
- The
requestData.verificationPatternfield includes the SHA-256 hash of the master key that is loaded to the new master key register. - The
responseData.masterKeyIdsfield lists the SHA-256 hashes of all the master key parts files that compose the master key.
Activate the current master key register
- The
requestData.verificationPatternfield includes the SHA-256 hash of the master key that is loaded and committed to the new master key register. - The
responseData.verificationPatternfield includes the SHA-256 hash of the master key that is activated.
Certificate manager events
The following table lists the returned values that indicate a successful certificate manager event.
| Field name | Returned value |
|---|---|
outcome |
success |
reason.reasonCode |
200 |
reason.reasonType |
OK |
The following common fields for certificate manager events include extra information:
- The
target.idfield includes the Cloud Resource Name (CRN) of the event. - The
target.namefield indicates the target name of the event, such as "mtlscert-admin-key" or "mtlscert-cert". - The
target.typeURIfield includes the URI of the object that the action is targeting at. For example, if you perform thehs-crypto.mtlscert-admin-key.createaction, the value that is returned ishs-crypto/mtlscert-admin-key.
The specified fields of the following certificate manager events can indicate more information.
Create the administrator signature key for the certificate administrator
The following fields include extra information:
- The
requestData.accountIdfield includes the current user ID. - The
responseData.actionfield includes the action details of the current user.
Update the administrator signature key for the certificate administrator
The following fields include extra information:
- The
requestData.accountIdfield includes the current user ID. - The
responseData.actionfield includes the action details of the current user.
Remove the administrator signature key of the certificate administrator
The following fields include extra information:
- The
requestData.accountIdfield includes the current user ID. - The
responseData.actionfield includes the action details of the current user.
Get the administrator signature key of the certificate administrator
The following fields include extra information:
- The
requestData.accountIdfield includes the current user ID. - The
responseData.actionfield includes the action details of the current user.
Create or updating certificates by the certificate administrator
The following fields include extra information:
- The
requestData.certificateIdfield indicates the target certificate. - The
responseData.actionfield indicates that the certificate is to be created or updated.
List certificates by the certificate administrator
The following field includes extra information:
- The
responseData.actionfield indicates all certificates that are managed by current administrator are to be listed.
Get certificates by the certificate administrator
The following fields include extra information:
- The
requestData.certificateIdfield indicates the target certificate. - The
responseData.actionfield indicates that the certificate is to be fetched and displayed.
Remove certificates by the certificate administrator
The following fields include extra information:
- The
requestData.certificateIdfield indicates the target mTLS certificate. - The
responseData.actionfield indicates that the certificate is to be deleted.
EP11 keystore events
The following table lists the returned values that indicate a successful EP11 keystore event:
| Field name | Returned value |
|---|---|
| outcome | success |
| reason.reasonCode | 200 |
| reason.reasonType | OK |
The following common fields for EP11 keystore events include extra information:
- The
target.namefield includes the IDs of the keystore or key.
EP11 crypto events
The following table lists the returned values that indicate a successful EP11 crypto event:
| Field name | Returned value |
|---|---|
| outcome | success |
| reason.reasonCode | 200 |
| reason.reasonType | OK |
Analyzing failed events
Unable to delete a key
If the delete key event has a reason.reasonCodeof 409, the key cannot be deleted because it is possibly protecting one or more cloud resources that have a retention policy. Make a GET request to /keys/{id}/registrations to learn which resources this key is associated with. A registration with "preventKeyDeletion": true indicates that the associated resource has a retention policy. To enable deletion, contact an account owner to remove
the retention policy on each resource that is associated with this key.
A delete key event might also receive a reason.reasonCode of 409 due to a dual auth deletion policy on the key. Make a GET request to /api/v2/keys/{id}/policies to see whether a dual authorization policy
is associated with your key. If there is a policy set, contact the other authorized user to delete the key.
Unable to authenticate while making a request
If the event has a reason.reasonCode of 401, you might not have the correct authorization to perform Hyper Protect Crypto Services actions in the specified service instance. Verify with an administrator that you are
assigned the correct platform and service access roles in the applicable service instance. For more information about roles, see Roles and permissions.
Check that you are using a valid token that is associated with an account that is authorized to perform the service action.
Unable to view or list keys in a service instance
You can call GET api/v2/keys to list the keys that are available in your service instance. If responseData.totalResources is 0, query for keys in the deleted state by using the state parameter or adjust
the offset and limit parameters in your request.
Lifecycle action on a key with registrations did not complete
The responseData.reasonForFailure and responseData.resourceCRN fields contain information about why the action wasn't able to be completed.
If the event has a reason.reasonCode of 409, the action cannot be completed due to the adopting service's key state conflicting with the key state that Hyper Protect Crypto Services has.
If the event has a reason.reasonCode of 408, the action cannot be completed because Hyper Protect Crypto Services was not notified that all appropriate actions were taken within 4 hours of the action request.
Unable to perform Trusted Key Entry actions
Failed TKE events have an outcome of failure. The reason.reasonType and reason.reasonForFailure fields contain information about why the action wasn't able to be completed.
If the event has a reason.reasonCode of 400, the action cannot be completed because the operation to the crypto units is not supported or is not valid. Check whether the TKE command that you use is valid by referring
to the TKE CLI reference.
If the event has a reason.reasonCode of 401 or 403, the action cannot be completed because your access token is not valid or does not have the necessary permissions to access this instance. Refresh your access token and check whether you have appropriate permissions to perform the corresponding actions.
If the event has a reason.reasonCode of 500, check out the value of reason.reasonForFailure to identify the reasons of failure and the corresponding actions that you need to take.
Event severity
The severity for all Activity Tracker events with Hyper Protect Crypto Services is based on the type of request that was made, then status code. For example, you might request to create a key with an invalid key and are not authenticated in
the service instance. The unauthentication takes precedence and the event is evaluated as a 401 bad request call with a severity of
critical.
The severity level for all TKE events is critical due to the sensitivity of the actions.
The following table lists the actions that are associated with each severity level:
| Severity | Actions |
|---|---|
Critical |
hs-crypto.secrets.delete
|
Warning |
hs-crypto.secrets.rotate
|
Normal |
hs-crypto.secrets.create
|
The following table lists the status codes that are associated with each severity level:
| Severity | Status code |
|---|---|
| Critical | 400 (For TKE events only), 401, 403, 500, 503, 507 |
| Warning | 400, 409, 424, 502, 504, 505 |