Before making API calls with the Key Management Service (KMS) instance SDK, initialize a client with your instance credentials and CA certificate. This page covers the Java SDK.
Prerequisites
Before you begin, ensure that you have:
A KMS instance (Software Key Management or Hardware Key Management)
A ClientKey file (clientKey_****.json) and its password file (clientKey_****_Password.txt)
The CA certificate for your KMS instance (PrivateKmsCA_kst-******.pem)
The endpoint for your KMS instance
Get the required credentials
Get the endpoint
The endpoint is the domain address of your KMS instance. Retrieve it from the console:
On the Instances page, click the Software Key Management or Hardware Key Management tab, then click the target instance.
In the Basic Information section, copy the value of Instance VPC Endpoint.
The endpoint follows the format <KMS_INSTANCE_ID>.cryptoservice.kms.aliyuncs.com.

Download the CA certificate
The CA certificate verifies the SSL/TLS identity of your KMS instance.
On the Instances page, click the Software Key Management or Hardware Key Management tab, then click the target instance ID or Details in the Actions column.
On the instance details page, click download next to Instance CA Certificate.
The downloaded file is named PrivateKmsCA_kst-******.pem by default. Store it securely.

Initialize the client
Use the endpoint, ClientKey file, ClientKey password, and CA certificate to configure and create the client.
```java
import com.aliyun.dkms.gcs.openapi.models.Config;
import com.aliyun.dkms.gcs.sdk.Client;

// Wrapper class so the snippet compiles; the class name is illustrative
public class KmsClientInit {
    // Client instance reused by later API calls
    private static Client client;

    public static void initClient() throws Exception {
        Config config = new Config();
        // KMS instance only allows HTTPS connections
        config.setProtocol("https");
        // Path to the ClientKey file (clientKey_****.json)
        config.setClientKeyFile("<CLIENT_KEY_FILE>");
        // Password for the ClientKey (from clientKey_****_Password.txt)
        config.setPassword("<PASSWORD>");
        // Endpoint in the format: <KMS_INSTANCE_ID>.cryptoservice.kms.aliyuncs.com
        config.setEndpoint("<ENDPOINT>");
        // Path to the CA certificate file (PrivateKmsCA_kst-******.pem)
        config.setCaFilePath("<CA_CERTIFICATE_PATH>");
        // Alternatively, provide the CA certificate content directly
        // config.setCa("<CA_CERTIFICATE_CONTENT>");
        client = new Client(config);
    }
}
```
Replace the following placeholders with your actual values:
| Placeholder | Description | Where to find it |
|---|---|---|
| <CLIENT_KEY_FILE> | Path to your ClientKey file | Downloaded by your browser when you created the ClientKey; default filename: clientKey_****.json |
| <PASSWORD> | Password for the ClientKey | Downloaded alongside the ClientKey; default filename: clientKey_****_Password.txt |
| <ENDPOINT> | Domain address of your KMS instance | Instance VPC Endpoint field in the console (see Get the endpoint) |
| <CA_CERTIFICATE_PATH> | Path to the CA certificate file | Downloaded from the instance details page (see Download the CA certificate); default filename: PrivateKmsCA_kst-******.pem |
SSL/TLS certificate verification
Keep CA certificate verification enabled in production. It authenticates the KMS instance's SSL/TLS certificate and prevents man-in-the-middle attacks.
For offline testing only, disable SSL/TLS verification by setting the IgnoreSSL field in the RuntimeOptions parameter to true.
Never disable SSL/TLS certificate verification in a production environment.
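A pre-flight check for the files handed to the client configuration, as an added example that is not part of the KMS SDK or its documentation: using only the JDK (17 or later), it confirms that the CA file holds unexpired CA certificates, that the ClientKey and password files are not readable by other users, and that the password can be read from its file instead of being hard-coded. The class and method names are illustrative, and the code assumes a POSIX file system and a password file that contains only the password.

```java
import java.io.InputStream;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermission;
import java.security.MessageDigest;
import java.security.cert.*;
import java.util.*;

// Added example (JDK 17+, no SDK calls); class and method names are illustrative.
public class KmsClientPreflight {
    // Every certificate in the PEM must be an unexpired CA; returns SHA-256 fingerprints.
    static List<String> checkCa(Path caPem) throws Exception {
        List<String> fingerprints = new ArrayList<>();
        try (InputStream in = Files.newInputStream(caPem)) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                X509Certificate ca = (X509Certificate) c;
                ca.checkValidity(); // throws if expired or not yet valid
                if (ca.getBasicConstraints() < 0)
                    throw new IllegalStateException("not a CA certificate: " + ca.getSubjectX500Principal());
                byte[] digest = MessageDigest.getInstance("SHA-256").digest(ca.getEncoded());
                fingerprints.add(HexFormat.of().formatHex(digest));
            }
        }
        if (fingerprints.isEmpty()) throw new IllegalStateException("no certificate in " + caPem);
        return fingerprints;
    }
    // Reject secret files that group or other users can read (POSIX file systems only).
    static void requireOwnerOnly(Path secret) throws Exception {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(secret);
        if (perms.contains(PosixFilePermission.GROUP_READ) || perms.contains(PosixFilePermission.OTHERS_READ))
            throw new IllegalStateException(secret + " is readable by other users");
    }
    // Assumption: the password file holds only the password, optionally followed by a newline.
    static String readPassword(Path passwordFile) throws Exception {
        requireOwnerOnly(passwordFile);
        String password = Files.readString(passwordFile).strip();
        if (password.isEmpty()) throw new IllegalStateException("empty password file");
        return password;
    }
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: KmsClientPreflight <ca.pem> <clientKey.json> <password.txt>");
            System.exit(2);
        }
        checkCa(Path.of(args[0])).forEach(fp -> System.out.println("CA SHA-256: " + fp));
        requireOwnerOnly(Path.of(args[1]));
        readPassword(Path.of(args[2]));
        System.out.println("ClientKey and password files passed the checks");
    }
}
```

In an application, run these checks before `initClient()` and pass the value returned by `readPassword` to `config.setPassword`.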