POST SSH/Rotate

Starts rotation of the specified keyset. The SSH/Rotate API returns immediately after rotation starts; it does not wait until the key is actually provisioned on the specified device, which can take time depending on the configured Agent schedule. To track rotation progress, call POST SSH/KeysetDetails.

Requirements

  • Token scope: SSH:Manage

Headers

  • Content type: Content-Type:application/json.

  • Token: The bearer access token that you received. For example, Authorization:Bearer 4MyGeneratedBearerTknz==. For more information, see Passing a bearer token in your API calls.

Parameters

Input parameters

Name

Description

AllowSkipOnRotation

The setting to manage keyset rotation of devices based on connectivity to Trust Protection Platform:

false: Halt keyset rotation when one or more devices have a broken connection.

true: Rotate keysets only for devices that currently have a connection to Trust Protection Platform. If a device has a broken connection, skip rotation of its keyset for now. Later, when the device is online, use an agentless SSH scan to automatically rotate the keyset. Requires scheduling an agentless SSH scan. For more information, see Assigning work for agentless discovery and remediation.

KeysetId

The identifier of a set of public and private key pairs. Depending on your environment, the value may be expressed with or without curly braces {}. You can get the KeysetId from POST SSH/KeyUsage or the SSH Keyset Inventory. For example:

[Image: Location of KeysetId in the UI]

Options

(Optional) To halt keyset rotation when one or more devices have a broken connection, omit this parameter.

Otherwise, to retry keyset rotation every 15 minutes when there is an error, use any combination of the following values:

  • 0: Default. Halt rotation for any error.
  • 1: RetryonError. If a device has a broken connection, skip rotation of its keyset for now. Later, when the device is online, you can use an agentless SSH scan to automatically rotate the keyset. Requires scheduling an agentless SSH scan. For more information, see Assigning work for agentless discovery and remediation.
  • 2: ConnectionErrors. Retry for device connection errors.
  • 3: Retry only for ConnectionErrors.
  • 6: AnyErrors. Retry on any other error.
  • 7: Retry for any errors.

Returns

Response description

Name

Description

Success

The SshWebResponse object with the result of the operation. For more information, see SSH SshWebResponse object.

Example: Rotate Keyset

Request

POST https://tpp.venafi.example/vedsdk/SSH/Rotate
Authorization:Bearer 4MyGeneratedBearerTknz==
{
   "Options":0,
   "KeysetId":"310E64EF92231B55A34E02A2779E14236CC7A326"
}

Response

HTTP/1.1 200 OK
{
   "Success":true
}
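An added example, not part of the Venafi documentation, that builds the request shown above in Python: it composes the Options value by bitwise OR of the documented flags (the "any combination" note), strips the optional curly braces from KeysetId, and sends the call with the documented headers. The base URL and token are the page's placeholders; the hex-or-hyphen check on KeysetId is this example's own assumption.

```python
# Added example, not Venafi's own code: build and send a POST SSH/Rotate call.
# Assumed: base URL and token are the page's placeholders; the hex-or-hyphen
# check on KeysetId is this example's own defensive choice.
import json
import urllib.request

# Options flag values as documented for SSH/Rotate; combine them with bitwise OR.
OPTIONS = {
    "Default": 0,           # halt rotation on any error
    "RetryonError": 1,      # skip offline devices; agentless scan finishes later
    "ConnectionErrors": 2,  # retry on device connection errors
    "AnyErrors": 6,         # retry on any other error
}

def options_value(*names):
    """Combine named Options flags into the integer the API expects (e.g. 1|2 = 3)."""
    value = 0
    for name in names:
        value |= OPTIONS[name]
    return value

def normalize_keyset_id(keyset_id):
    """KeysetId may be given with or without curly braces; strip them and reject
    anything that is not hex/hyphens so a malformed value never reaches the API."""
    cleaned = keyset_id.strip().strip("{}").upper()
    if not cleaned or any(c not in "0123456789ABCDEF-" for c in cleaned):
        raise ValueError("KeysetId must be a hexadecimal identifier")
    return cleaned

def build_rotate_request(base_url, token, keyset_id, options=0):
    """Return (url, headers, body) for POST SSH/Rotate, ready to send."""
    headers = {"Content-Type": "application/json",
               "Authorization": "Bearer " + token}
    body = {"Options": options, "KeysetId": normalize_keyset_id(keyset_id)}
    return (base_url.rstrip("/") + "/vedsdk/SSH/Rotate", headers,
            json.dumps(body).encode())

def rotate_keyset(base_url, token, keyset_id, options=0):
    """Send the request. Success:true means rotation *started*; poll
    POST SSH/KeysetDetails to see when the key is provisioned."""
    url, headers, body = build_rotate_request(base_url, token, keyset_id, options)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read()).get("Success", False)

if __name__ == "__main__":
    print(rotate_keyset("https://tpp.venafi.example", "4MyGeneratedBearerTknz==",
                        "{310E64EF92231B55A34E02A2779E14236CC7A326}",
                        options_value("RetryonError", "ConnectionErrors")))
```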