Key Management Service: Initialize client

Last Updated: Mar 16, 2025

To initiate an API request using the Key Management Service (KMS) instance SDK, you must first initialize a client. This topic describes the steps to do so.

Sample code

import com.aliyun.dkms.gcs.openapi.models.Config;
import com.aliyun.dkms.gcs.sdk.Client;

// Wrapper class so that the sample compiles; the class name is illustrative.
public class KmsClientSample {

    // Client instance assigned by initClient().
    private static Client client;

    public static void initClient() throws Exception {
        // The connection protocol. Set the value to https. The KMS instance service only allows access through the HTTPS protocol.
        Config config = new Config();
        config.setProtocol("https");

        // Client key.
        config.setClientKeyFile("<CLIENT_KEY_FILE>");

        // Client key password.
        config.setPassword("<PASSWORD>");

        // The endpoint of your KMS instance. Set the value in the following format: <KMS_INSTANCE_ID>.cryptoservice.kms.aliyuncs.com.
        config.setEndpoint("<ENDPOINT>");

        // The certificate authority (CA) certificate of the KMS instance. You can specify the path to the CA certificate file or enter the content of the CA certificate.
        config.setCaFilePath("<CA_CERTIFICATE_PATH>");
        // Alternatively, set the content of the CA certificate of the KMS instance.
        // config.setCa("<CA_CERTIFICATE_CONTENT>");

        client = new Client(config);
    }
}

Important

Configuring the instance CA certificate lets the client verify the authenticity of the KMS instance's SSL/TLS certificate, which is important for securing communications in a production environment. We recommend keeping this security measure enabled at all times. If you must disable SSL/TLS certificate verification, such as for offline testing, you can do so by setting the IgnoreSSL field in the RuntimeOptions parameter to true.

Parameter description

Endpoint

The Endpoint refers to a dedicated gateway endpoint, representing the domain address of the KMS instance.

  1. Navigate to the Instances page, click on either the Software Key Management or Hardware Key Management tab, then click the KMS instance you want.

  2. In the Basic Information section, find the endpoint in the Instance VPC Endpoint field.

ClientKeyFile

ClientKeyFile is the path to the file in which the application's identity credentials are stored. When the ClientKey is created, the browser downloads this file automatically, typically with a default filename like clientKey_****.json.

Password

The Password is the security token for the ClientKey. Like the ClientKey, it is downloaded automatically by the browser upon creation, with a default filename such as clientKey_****_Password.txt.

Ca, CaFilePath

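Ca and CaFilePath specify the CA certificate that is associated with the KMS instance: Ca takes the content of the certificate, and CaFilePath takes the path to the certificate file.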

  1. On the Instances page, select either Software Key Management or Hardware Key Management tab, then choose the target instance.

  2. Click the instance ID or Details in the Actions column. On the details page, click download next to the Instance CA Certificate.

    Save the certificate securely. The downloaded file will be named PrivateKmsCA_kst-******.pem by default.
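The following is an added example, not part of the original documentation or the SDK: it checks the four inputs described above before building the client, so that a misconfigured endpoint, an over-exposed credential file or an expired instance CA certificate fails at startup rather than on the first API call. The class name, the method signature, the characters allowed in the instance ID and the assumption that the password file contains only the password are assumptions; the Config setters and the Client constructor are the ones used in the sample code.

```java
import com.aliyun.dkms.gcs.openapi.models.Config;
import com.aliyun.dkms.gcs.sdk.Client;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Set;
import java.util.regex.Pattern;

// Hypothetical helper class; only the Config setters and the Client constructor come from the page.
public class KmsClientPreflight {
    // Endpoint format from the page: <KMS_INSTANCE_ID>.cryptoservice.kms.aliyuncs.com (ID characters assumed).
    private static final Pattern ENDPOINT =
            Pattern.compile("^[A-Za-z0-9-]+\\.cryptoservice\\.kms\\.aliyuncs\\.com$");

    public static Client initClient(String endpoint, Path clientKeyFile,
                                    Path passwordFile, Path caFile) throws Exception {
        if (!ENDPOINT.matcher(endpoint).matches()) {
            throw new IllegalArgumentException("Unexpected KMS instance endpoint: " + endpoint);
        }
        // Refuse credential files that other local users can read (POSIX file systems only).
        for (Path secret : new Path[] {clientKeyFile, passwordFile}) {
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(secret);
            if (perms.contains(PosixFilePermission.GROUP_READ) || perms.contains(PosixFilePermission.OTHERS_READ)) {
                throw new SecurityException(secret + " is readable by group or others; restrict it to the owner");
            }
        }
        // Fail early if the instance CA file holds no certificate, or one that is expired or not yet valid.
        try (InputStream in = Files.newInputStream(caFile)) {
            Collection<? extends Certificate> chain = CertificateFactory.getInstance("X.509").generateCertificates(in);
            if (chain.isEmpty()) throw new IllegalArgumentException("No certificate found in " + caFile);
            for (Certificate c : chain) ((X509Certificate) c).checkValidity();
        }
        Config config = new Config();
        config.setProtocol("https");
        config.setEndpoint(endpoint);
        config.setClientKeyFile(clientKeyFile.toString());
        // Read the password from the downloaded password file instead of hard-coding it in source.
        config.setPassword(new String(Files.readAllBytes(passwordFile), StandardCharsets.UTF_8).trim());
        config.setCaFilePath(caFile.toString());
        return new Client(config);
    }
}
```

On file systems without POSIX permissions (for example, Windows), Files.getPosixFilePermissions throws UnsupportedOperationException, so the permission check would need an ACL-based equivalent there.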
