Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

Getting Started
Administration
Reference
Release Notes

All

All

CDP Administration

Concepts

Please Note:

Administration
CipherTrust Manager Administration
- Password Policy
- Users
- Key Policies
- Certificate Based Authentication
- Changing Passwords
- Domain Management
- Groups
- Group Mapping
- Services
- Root of Trust Hardware Security Module
- Clusters and Nodes
- CipherTrust Manager System Monitoring
  - Records
  - Alarms
  - Syslogs
  - Debug Logs
  - Log Forwarding
  - Prometheus Metrics Endpoint
- Policies
- Tokens
- Banners
- Interfaces
- Proxy Configuration
- Quorums
- SNMP
- SMTP
- Backups
- Scheduling Backups
- Disk Encryption After Initial Deployment
- Scheduler
- Connection Manager
  - Connections
  - Amazon Web Services (AWS)
  - Google Cloud Platform (GCP)
  - Secure Copy Protocol (SCP)
  - Microsoft Azure
  - Hadoop Knox
  - Loki
  - Salesforce
  - Luna Network HSM
  - Elasticsearch
  - SAP Data Custodian
  - CIFS/SMB
  - Syslog
  - Oracle Cloud Infrastructure (OCI)
  - DSM Connection
  - OIDC
  - LDAP
- Browsing LDAP Users and Groups
- System Upgrade/Downgrade
- Client Management
- Configuring DNS Hosts
- CLI Toolkit
  - CLI Toolkit Installation
  - Batching Commands with Tokens
  - Example CLI User Set Up
  - Support CLI
- Keys
- Key Rotation
- Crypto Operations
- MKEK Rotation
- Certificate Authority
- Data Protection
  - Protection Profiles
  - BDT Policies
  - BDT Containers
- REST API
- System Info
- System Properties
- Network Diagnostics
- Integrating Logging with Splunk App
- Return Material Authorization (RMA) Guidance
Application Data Protection Administration
- Overview
- Interfaces
- Managing Applications
  - Defining Applications
  - Modifying Applications
  - Deleting Applications
  - Viewing Application Details
  - Viewing Registration Token
  - DPG Policies
- Managing Character Sets
  - Creating Character Sets
  - Modifying Character Sets
  - Deleting Character Sets
- Managing Protection Policy
  - Viewing protection policy
  - Creating protection policy
  - Modifying protection policy
  - Deleting protection policy
- Managing Access Policy
  - Viewing access policy
  - Creating access policy
  - Modifying access policy
  - Deleting access policy
- Managing User Set
  - Viewing user set
  - Creating user set
  - Deleting user set
- Managing Masking Formats
  - Viewing masking format
  - Creating masking formats
  - Modifying masking format
  - Deleting masking format
- Single Pane of Glass
- Heartbeat Configuration
- Frequently Asked Questions
CCKM Administration
- Overview
- AWS Resources
  - Managing AWS Accounts
  - Managing AWS Keys
  - Scheduling Operations
  - Managing AWS Reports
  - Managing Policies
- Azure Resources
  - Prerequisites
    - Prerequisites for Azure Cloud
    - Prerequisites for Azure Stack Cloud with Azure AD
    - Prerequisites for Azure Stack Cloud with Azure ADFS
  - Managing Azure Vaults
  - Managing Azure Keys
  - Managing Azure Certificates
  - Managing Azure Secrets
  - Scheduling Operations
  - Managing Azure Reports
  - Viewing Azure Subscriptions
  - Performance Summary
  - Allowing AD Users to Manage Azure Vaults
- AWS External Key Store Resources
  - Managing External Key Store Resources
  - AWS XKS Performance Summary
- AWS CloudHSM Key Store Resources
  - Managing an AWS CloudHSM Key Store from CCKM
- Luna HSM Resources
  - Managing Luna HSM Partitions
  - Managing Luna HSM Keys
  - Scheduling Operations
- DSM Resources
  - Managing DSM Domains
  - Managing DSM Keys
  - Scheduling Operations
- Google Cloud Resources
  - Google Cloud Projects
  - Google Cloud Key Rings
  - Google Cloud Keys
  - Google Cloud Reports
  - Scheduling Operations
  - Performance Summary
- Google Cloud External Key Manager Resources
  - Managing Google EKM Endpoints
  - Managing Google EKM Endpoint Policies
  - Google EKM Performance Summary
- Google Workspace CSE Resources
  - Access Policies
  - High Level Architecture
  - Licensing
  - Prerequisites
  - Communication with KACLS
  - Clustering for Google Workspace
  - Encrypting Data Encryption Keys
  - Decrypting Data Encryption Keys
  - Endpoints
  - Identity Providers
  - Viewing Google Workspace CSE Records
  - Performance Summary
    - Google Calendar
    - Google Drive
    - Google Meet
- Salesforce Resources
  - Managing Salesforce Organizations
  - Managing Salesforce Tenant Secrets
  - Scheduling Operations
  - Managing Salesforce Reports
  - Managing Salesforce Cache-Only Key Endpoints
  - Managing Certificates from Salesforce Organizations
- SAP Resources
  - Managing SAP Groups
  - Managing SAP Keys
  - Scheduling Operations
  - Managing SAP Reports
  - Viewing Linked SAP Applications
  - Performance Summary
- Oracle Cloud Resources
  - Managing Oracle Vaults
  - Managing Oracle Keys
  - Scheduling Operations
  - Managing Oracle Reports
  - Managing Oracle Compartments
- Migrate from CCKM Appliance
  - Migrate Cloud Keys Only
  - Migrate DSM Source Keys
- Migrate from CCKM Appliance with CipherTrust Manager as Key Source
- Migration from CCKM Appliance to Child Domain
- Backup and Restore
- Key Material Export and Upload
CDP Administration
- Interfaces
- Concepts
- Configuring Oracle Databases
- Configuring DB2 Databases
- Configuring SQL Server Databases
- Configuring Teradata Databases
- Tasks
  - View Job History
  - Delete Views and Triggers
  - Create Views and Trigger
  - Delete Old Data
  - Create Domain Index
  - Encrypt a Column
  - Decrypt a Column
  - Configure Migration Server
- SSL Connection Over JDBC
  - SSL Connection Over JDBC for Oracle
  - SSL Connection Over JDBC for DB2
- Troubleshooting
CipherTrust Intelligent Protection
- Overview
- Configuration
- Concepts
- Scans
- Reports
- CTE Policies
- File Operations with CIP
- Backup and Restore
- Troubleshooting
CTE UserSpace Administration
- Overview
- Interfaces
- Concepts
- Data Transformation
- Managing Profiles
- Managing Clients
  - Client Settings
  - Changing Client Password
  - Managing Membership
  - Deleting Clients
  - Collecting Agent Information
- Managing Client Groups
- Managing Signature Sets
- Managing Policies
  - Creating Policy Elements
  - Viewing Policy Elements
  - Creating Policies
  - Modifying Policies and Rules
- Managing GuardPoints
  - Considerations Before Creating GuardPoints
  - Creating GuardPoints
    - Creating Standard GuardPoints
  - Automatic and Manual GuardPoints
  - Viewing GuardPoints
  - Viewing GuardPoint Status
  - Removing GuardPoints
  - Disabling GuardPoints
  - Enabling GuardPoints
- Sharing Resources Across Domains
- Communication with CipherTrust Manager
- Configuring Cluster Node Preference
- Backup and Restore
- Integrating CTE Logging with Splunk
- Permissions
- Quorum Control
- Operations
- Common Scenarios
- Reports
  - Clients Health Report
  - Clients Keys Report
  - Clients Profiles Report
  - Clients Policies Report
  - Policies Keys Report
  - GuardPoints Report
  - Clients GuardPoint Status Report
- Troubleshooting
- API Examples
  - Creating Keys
  - Creating Policy Elements
  - Creating Policies
  - Creating GuardPoints
- API Response Codes
CTE Administration
- Overview
- Interfaces
- Concepts
- Data Transformation
- Managing Profiles
- Managing Clients
  - Enabling Live Data Transformation
  - Setting Client Locks
  - Client Settings
  - CTE Linux Authentication and Client Settings
  - Changing Client Password
  - Managing Membership
  - Deleting Clients
  - Kernel Compatibility Matrix
  - Collecting Agent Information
- Managing LDT Communication Groups
- Managing Client Groups
- Managing Signature Sets
- Managing Policies
  - Creating Policy Elements
  - Viewing Policy Elements
  - Creating Policies
  - Modifying Policies and Rules
- Managing GuardPoints
  - Secure Start GuardPoints
  - Considerations Before Creating GuardPoints
  - Creating GuardPoints
    - Creating Standard GuardPoints
    - Creating LDT GuardPoints
    - Creating Cloud Object Storage GuardPoints
    - Creating IDT GuardPoints
    - Creating GuardPoints for Efficient Storage Devices
    - Creating Ransomware Protection GuardPoints
  - Enabling Secure Start for GuardPoints
  - Protecting Teradata Appliances
  - Automatic and Manual GuardPoints
  - Viewing GuardPoints
  - Viewing GuardPoint Status
  - Changing SMB Connection
  - Removing GuardPoints
  - Disabling GuardPoints
  - Enabling GuardPoints
  - Enabling and Disabling MFA on GuardPoints
- Managing Kubernetes Storage Groups and Clients
  - Managing Kubernetes Storage Groups
  - Managing Kubernetes Clients
  - Protecting Kubernetes Clients
- Sharing Resources Across Domains
- Multifactor Authentication
- Communication with CipherTrust Manager
- Configuring Cluster Node Preference
- Backup and Restore
- Integrating CTE Logging with Splunk
- Migrating CTE Configuration from Data Security Manager
- Migration Summary
- Permissions
- Quorum Control
- Ransomware Protection
- Operations
- Common Scenarios
- Reports
  - Clients Health Report
  - Clients Keys Report
  - Clients Profiles Report
  - Clients Policies Report
  - Policies Keys Report
  - GuardPoints Report
  - Clients GuardPoint Status Report
- Troubleshooting
- API Examples
  - Creating Keys
  - Creating Policy Elements
  - Creating Policies
  - LDT Use Cases
  - Creating GuardPoints
- API Response Codes
DDC Administration
- Solution Architecture
- Interfaces
- Concepts
- User Groups
- Managing Branch Locations
- Managing Information Types
- Managing Classification Profiles
- Managing Data Stores
- Local Data Stores
- Network Storage Data Stores
- Database Data Stores
- Big Data Data Stores
- Cloud Data Stores
- Server Data Stores
- Office365: Exchange Online
- Managing Scans
- Managing Reports
- Managing Agents
- Logging
- Operations
- Troubleshooting
- Appendix
- Deployment Security
ProtectFile Administration
- Interfaces
- Client Profiles
- Clients
- Access
- Keys
- Rules
- Client-Rule Associations
- Network Shares
- Clusters
- Operations
- Migration from KeySecure Classic to CipherTrust Manager
- Migrating ProtectFile to CipherTrust Transparent Encryption
Secrets Management Administration
- Configure Secrets Management
- Create and Protect Akeyless Secrets

CipherTrust Manager
Administration
CDP Administration
Concepts

Concepts

Keys

A key is used to perform cryptographic operations on data . The key is created, stored, and managed on the CipherTrust Manager.

Data Migration

Data migration is the process of encrypting data, altering existing tables so that they can store the resulting ciphertext, and creating views and triggers so that the existing applications can seamlessly and automatically encrypt new data and request decrypted data when needed.

Multi Domain

When a domain is created and a user becomes part of domain, a user can access resources (such as keys and alias name) of domain. One user can be part of multiple domains and a user can switch between the domains. By default, root domain is created. A user who is part of a domain can view/access only the database connections created under that particular domain.

Creating a CipherTrust Manager User

To create a CipherTrust Manager user:

Log on to the CipherTrust Manager GUI.
Click to expand Access Management.
Click the Users tab on the left. The Users page is displayed.
On the Users page, click Add User.
On the Add User in Domain <dom1> screen, enter the details and click Add User.

Creating User Defined Group

To create a user defined group in CipherTrust Manager:

Log on to the CipherTrust Manager GUI.
Click to expand Access Management.
Click the Groups tab in the left pane. A page with existing groups is displayed.
Click Create New Group. The Create New Group wizard is displayed. Follow the steps to complete the setup.
a. Add general info
b. Assign members
c. Review

Add general info

In the Name filed, enter a group name.
Click Next to go to the Assign Members screen.

Assign members

From the list of available options, select the members who will be the part of the group.
Click Next to go to the Review screen.

Review

On the Review screen, verify the group details.
To modify any field, click Edit and update details.
Click Add Group.
Click Close to exit the wizard.

Mapping CipherTrust Manager Users to Group

To map a CipherTrust Manager user to a group:

Log on to the CipherTrust Manager GUI.
Click to expand Access Management.
Click the Groups tab in the left pane.
Click the group with which the CipherTrust Manager user is to be mapped.
From the list of available users, select the name of the user to be mapped to the group and click Add.

Mapping Key to Group

A key can be created and mapped to a group. A group can have various permissions such as encrypt and decrypt on a key. For more information, refer to the NAE-XML Interface Development Guide.

Mapping CipherTrust Manager User to Database User

The user mapping can be done using any of the following interfaces:

API Playground
pdbctl Utility
CipherTrust Manager's GUI

Setting Up Role Based Permission

The CipherTrust Manager allows its users to set the group policies (permissions) with keys (using the CDP client in remote mode only). The users associated with the group can perform encryption/decryption as per the permission set for the group. During encryption and decryption, CDP will behave as per the permissions set for the group.

This section explains how to map a database user to the CipherTrust Manager user which is also mapped to access policy set for a group. The group with encryption/decryption permission is mapped to a key.

For example, create two database users dbusr1 and dbsur2 and map them to the CipherTrust Manager user so that dbusr1 has only insert permission and dbusr2 has only select/delete data on the database tables.

Perform the following steps in the given order:

Create two users encUser and decUser. Refer to Creating a CipherTrust Manager User.
Create two groups encryptGroup and decryptGroup. Refer to Creating User Defined Group in CipherTrust Manager.
Map encUser to encryptGroup and decUser to decryptGroup. Refer to Mapping CipherTrust Manager Users to Group.
Create key and assign encrypt permissions to encryptGroup and decrypt permission to decryptGroup. Refer to Mapping Key to Group.
Create the database connection.
Map encUser to dbusr1 and decUser to dbusr2. After the mapping is done, dbusr1 will have only insert permission and dbusr2 will have only select/delete permissions on the database table.

On this page

CipherTrust Manager

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
Legal

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com