Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

Getting Started
Administration
Reference
Release Notes

All

All

CCKM Administration

OCI External Resources

Please Note:

Administration
CipherTrust Manager Administration
- Authentication
  - Authentication Settings for NAE, KMIP, and Web Interfaces
  - Users
  - Certificate Based Authentication for Users
  - Authentication Tokens
  - Client Management
  - Authenticating to the REST API
- Attribute-based Access Control Permissions for Resources
  - Backup
  - Certificate Authority
  - Client Management
  - Cluster
  - Keys
  - Connection Managers
  - Proxies & Allowed Proxies
  - DNS Hosts
  - Domains
  - Groups & Groupmaps
  - Interfaces
  - Connections
  - Logs
  - Log Forwarders
  - Quorum
  - Records
  - Users
  - Scheduler
  - Servers
  - SNMP
  - Policies
  - Migrations
  - Licensing
  - HSM
  - Miscellaneous
  - Network
  - ProtectApp
  - Secrets
- Password Policy
- Key Policies
- Changing Passwords
- Domain Management
- Groups
- Group Mapping
- Services
- Root of Trust Hardware Security Module
- Clusters and Nodes
- CipherTrust Manager System Monitoring
  - Records
  - Alarms
  - Syslogs
  - Debug Logs
  - Log Forwarding
  - Prometheus Metrics Endpoint
- Policies
- Banners
- Basic Interface Configuration
- Proxy Configuration
- Quorums
- SNMP
- SMTP
- Backups
- Scheduling Backups
- Disk Encryption After Initial Deployment
- Scheduler
- Connection Manager
  - Connections
  - Amazon Web Services (AWS)
  - Google Cloud Platform (GCP)
  - Secure Copy Protocol (SCP)
  - Microsoft Azure
  - Hadoop Knox
  - Loki
  - Salesforce
  - Luna Network HSM
  - Elasticsearch
  - SAP Data Custodian
  - CIFS/SMB
  - Syslog
  - Oracle Cloud Infrastructure (OCI)
  - DSM Connection
  - OIDC
  - LDAP
  - CM Connection/External CM
    - Managing CM Connections using GUI
    - Configuring CM Connections using ksctl
      - Managing External CM Server Connections using ksctl
      - Managing CM Connections using ksctl
  - Akeyless Gateway
- Browsing LDAP Users and Groups
- System Upgrade/Downgrade
- Configuring DNS Hosts
- CLI Toolkit
  - CLI Toolkit Installation
  - Batching Commands with Tokens
  - Example CLI User Set Up
  - Support CLI
- Keys
- Key Rotation
- Crypto Operations
- MKEK Rotation
- Certificate Authority
- System Info
- System Properties
- Network Diagnostics
- Integrating Logging with Splunk App
- Return Material Authorization (RMA) Guidance
Application Data Protection Administration
- Overview
- Interfaces
- Managing Applications
  - Defining Applications
  - Modifying Applications
  - Deleting Applications
  - Viewing Application Details
  - Viewing Registration Token
  - Cleaning Application
  - DPG Policies
- Managing Character Sets
  - Creating Character Sets
  - Deleting Character Sets
- Managing Protection Policy
  - Viewing protection policy
  - Creating protection policy
  - Modifying protection policy
  - Deleting protection policy
- Managing Access Policy
  - Viewing access policy
  - Creating access policy
  - Modifying access policy
  - Deleting access policy
- Managing User Set
  - Viewing user set
  - Creating user set
  - Deleting user set
- Managing Masking Formats
  - Viewing masking format
  - Creating masking formats
  - Deleting masking format
  - Modifying masking format
- Single Pane of Glass
- Heartbeat Configuration
- FPE/AES/UNICODE Cardinality Block-Size Table
- Auto Renewal of Client Certificates
- Fetch Latest Data from CipherTrust Manager
- Frequently Asked Questions
BDT Administration
- Protection Profiles
- BDT Policies
- BDT Containers
CCKM Administration
- Overview
- AWS Resources
  - Managing AWS Accounts
  - Managing AWS Keys
  - Scheduling Operations
  - Managing AWS Reports
  - Managing Policies
  - Managing AWS Templates
  - Migrating to IAM Roles Anywhere Connections
  - Downloading AWS Metadata
- Azure Resources
  - Prerequisites
    - Prerequisites for Azure Cloud
    - Prerequisites for Azure Stack Cloud with Azure AD
    - Prerequisites for Azure Stack Cloud with Azure ADFS
  - Managing Azure Vaults
  - Managing Azure Keys
  - Managing Azure Certificates
  - Managing Azure Secrets
  - Scheduling Operations
  - Managing Azure Reports
  - Viewing Azure Subscriptions
  - Performance Summary
  - Allowing AD Users to Manage Azure Vaults
  - Configuring Connection to Azure Using Private Link
  - Downloading Azure Metadata
- AWS External Key Store Resources
  - Managing External Key Store Resources
  - AWS XKS Performance Summary
- External CipherTrust Resources
  - Managing External CipherTrust Domains
  - Managing External CipherTrust Keys
- AWS CloudHSM Key Store Resources
  - Managing an AWS CloudHSM Key Store from CCKM
- Luna HSM Resources
  - Managing Luna HSM Partitions
  - Managing Luna HSM Keys
  - Scheduling Operations
- DSM Resources
  - Managing DSM Domains
  - Managing DSM Keys
  - Scheduling Operations
- Google Cloud Resources
  - Google Cloud Projects
  - Google Cloud Key Rings
  - Google Cloud Keys
  - Google Cloud Reports
  - Scheduling Operations
  - Performance Summary
  - Downloading Google Metadata
- Google Cloud External Key Manager Resources
  - Managing Google EKM Endpoints
  - Managing Google EKM Endpoint Policies
  - Google EKM Performance Summary
  - Managing Google EKM Cryptospaces
  - Managing Google EKM Cryptospace Endpoints
- Google Workspace CSE Resources
  - Access Policies
  - Prerequisites
  - High Level Architecture
  - Licensing
  - Communication with KACLS
  - Clustering for Google Workspace
  - Encrypting Data Encryption Keys
  - Decrypting Data Encryption Keys
  - Endpoints
  - Identity Providers
  - Viewing Google Workspace CSE Records
  - Performance Summary
    - Google Calendar
    - Google Drive
    - Google Meet
- Salesforce Resources
  - Managing Salesforce Organizations
  - Managing Salesforce Tenant Secrets
  - Scheduling Operations
  - Managing Salesforce Reports
  - Managing Salesforce Cache-Only Key Endpoints
  - Managing Certificates from Salesforce Organizations
- SAP Resources
  - Managing SAP Groups
  - Managing SAP Keys
  - Scheduling Operations
  - Managing SAP Reports
  - Viewing Linked SAP Applications
  - Performance Summary
- Oracle Cloud Resources
  - Managing Oracle Vaults
  - Managing Oracle Keys
  - Managing Oracle Tenancies
  - Scheduling Operations
  - Managing Oracle Reports
  - Managing Oracle Compartments
- OCI External Resources
  - Managing Identity Providers
  - Managing External Vaults
  - Managing External Keys
- Migrate from CCKM Appliance
- Backup and Restore
- Key Material Export and Upload
CDP Administration
- Interfaces
- Concepts
- Configuring Oracle Databases
- Configuring DB2 Databases
- Configuring SQL Server Databases
- Configuring Teradata Databases
- Tasks
  - View Job History
  - Delete Views and Triggers
  - Create Views and Trigger
  - Delete Old Data
  - Create Domain Index
  - Encrypt a Column
  - Decrypt a Column
  - Configure Migration Server
- SSL Connection Over JDBC
  - SSL Connection Over JDBC for Oracle
  - SSL Connection Over JDBC for DB2
- Troubleshooting
CipherTrust Intelligent Protection
- Overview
- Configuration
- Concepts
- Scans
- Reports
- CTE Policies
- File Operations with CIP
- Backup and Restore
- Troubleshooting
CTE UserSpace Administration
- Overview
- Interfaces
- Concepts
- Data Transformation
- Managing Profiles
- Managing Clients
  - Client Settings
  - Changing Client Password
  - Managing Membership
  - Deleting Clients
  - Collecting Agent Information
- Managing Client Groups
- Managing Signature Sets
- Managing Policies
  - Creating Policy Elements
  - Viewing Policy Elements
  - Creating Policies
  - Modifying Policies and Rules
- Managing GuardPoints
  - Considerations Before Creating GuardPoints
  - Creating GuardPoints
    - Creating Standard GuardPoints
  - Automatic and Manual GuardPoints
  - Viewing GuardPoints
  - Viewing GuardPoint Status
  - Removing GuardPoints
  - Disabling GuardPoints
  - Enabling GuardPoints
- Sharing Resources Across Domains
- Communication with CipherTrust Manager
- Configuring Cluster Node Preference
- Backup and Restore
- Integrating CTE Logging with Splunk
- Permissions
- Quorum Control
- Load Balancer
- Operations
- Certificate Renewal
- Common Scenarios
- Reports
  - Clients Health Report
  - Clients Keys Report
  - Clients Profiles Report
  - Clients Policies Report
  - Policies Keys Report
  - GuardPoints Report
  - Clients GuardPoint Status Report
- Troubleshooting
- API Examples
  - Creating Keys
  - Creating Policy Elements
  - Creating Policies
  - Creating GuardPoints
- API Response Codes
CTE Administration
- Overview
- Interfaces
- Concepts
- Data Transformation
- Managing Profiles
- Managing Clients
  - Enabling Live Data Transformation
  - Setting Client Locks
  - Client Settings
  - CTE Linux Authentication and Client Settings
  - Changing Client Password
  - Managing Membership
  - Deleting Clients
  - Kernel Compatibility Matrix
  - Collecting Agent Information
- Managing LDT Communication Groups
- Managing Client Groups
- Managing Signature Sets
- Managing Policies
  - Creating Policy Elements
  - Viewing Policy Elements
  - Creating Policies
  - Modifying Policies and Rules
- Managing GuardPoints
  - Secure Start GuardPoints
  - Considerations Before Creating GuardPoints
  - Creating GuardPoints
    - Creating Standard GuardPoints
    - Creating LDT GuardPoints
    - Creating Cloud Object Storage GuardPoints
    - Creating IDT GuardPoints
    - Creating Ransomware Protection GuardPoints
  - Enabling Secure Start for GuardPoints
  - Protecting Teradata Appliances
  - Automatic and Manual GuardPoints
  - Viewing GuardPoints
  - Viewing GuardPoint Status
  - Changing SMB Connection
  - Removing GuardPoints
  - Disabling GuardPoints
  - Enabling GuardPoints
  - Enabling and Disabling MFA on GuardPoints
- Managing Kubernetes Storage Groups and Clients
  - Managing Kubernetes Storage Groups
  - Managing Kubernetes Clients
  - Protecting Kubernetes Clients
- Sharing Resources Across Domains
- Multifactor Authentication
- Communication with CipherTrust Manager
- Configuring Cluster Node Preference
- Backup and Restore
- Integrating CTE Logging with Splunk
- Migrating CTE Configuration from Data Security Manager
- Migration Summary
- Permissions
- Quorum Control
- Ransomware Protection
- Unique to Client Keys
- Load Balancer
- Operations
- Certificate Renewal
- Common Scenarios
- Reports
  - Clients Health Report
  - Clients Keys Report
  - Clients Profiles Report
  - Clients Policies Report
  - Policies Keys Report
  - GuardPoints Report
  - Clients GuardPoint Status Report
- Troubleshooting
- API Examples
  - Creating Keys
  - Creating Policy Elements
  - Creating Policies
  - LDT Use Cases
  - Creating GuardPoints
- API Response Codes
DDC Administration
- Solution Architecture
- Interfaces
- Concepts
- User Groups
- Managing Branch Locations
- Managing Information Types
- Managing Classification Profiles
- Managing Data Stores
- Local Data Stores
- Network Storage Data Stores
- Database Data Stores
- Big Data Data Stores
- Cloud Data Stores
- AWS S3
- Office365: Exchange Online
- G-Suite
- Server Data Stores
- Managing Scans
- Managing Reports
- Managing Agents
- Logging
- Operations
- Troubleshooting
- Appendix
- Deployment Security
ProtectFile Administration
- Interfaces
- Client Profiles
- Clients
- Access
- Keys
- Rules
- Client-Rule Associations
- Network Shares
- Clusters
- Operations
- Migration from KeySecure Classic to CipherTrust Manager
- Migrating ProtectFile to CipherTrust Transparent Encryption
Secrets Management Administration
- Configure Secrets Management
- Create and Protect Akeyless Secrets
- Configuring Hashicorp Vault Proxy with CSM

CipherTrust Manager
Administration
CCKM Administration
OCI External Resources

OCI External Resources

Oracle Cloud Infrastructure (OCI) Key Management Service (KMS) with external vault capability allows you to use a third-party on-premises key management system like CipherTrust Manager. This provides greater control over encryption keys that protect your data in the Oracle cloud.

CipherTrust Cloud Key Manager (CCKM) on the CipherTrust Manager uses external keys for performing cryptographic (encrypt/decrypt) operations on demand, while preserving end-user control to manage external keys. The lifecycle of external keys on the CipherTrust Manager is managed by CCKM only. The OCI KMS does not have any control over these keys.

The CipherTrust Manager exposes a network endpoint. This allows the OCI KMS to forward any cryptographic requests to the CipherTrust Manager for processing.

Prerequisites

Before integrating the CipherTrust Manager as an External Key Manager (EKM), make sure the following.

CipherTrust Manager

A CipherTrust Manager is deployed. Refer to Getting Started for details.
The NTP server is added. Refer to Add an NTP Server for details.
The web interface must have a TLS certificate signed by an external or local Certificate Authority (CA). The CA bundle should be provided while creating a private endpoint on OCI.
The Subject Alternative Name (SAN) in the web interface certificate must have specific IP Addresses.
- A good default value for the SAN is the IP address of the CipherTrust Manager.
- If you are using a load balancer, and it is set to do SSL passthrough, include the IP address of the load balancer in the SAN.
Refer to SSL/TLS server certificate (NAE, KMIP, and WEB) for details.

Note

OCI does not provide any option to update the IP address or the CA bundle in private endpoints. If you change the CA of the web interface certificate or the IP address of the CipherTrust Manager or Load Balancer, the network connectivity is disrupted. As a result, OCI faces network connectivity issues and all operations with the CipherTrust Manager stop working. In this case, you need to reconfigure the complete setup on OCI.
It is recommended to use the IAM Domain version of Oracle Identity Cloud Service (IDCS) for managing OCI vaults under EKM and keys (OCI HYOK). To use OCI HYOK with the tenancy that doesn't support the IAM Domain version, please contact Thales Customer Support.

Oracle Cloud Infrastructure (OCI)

A Virtual Cloud Network (VCN) is created in OCI Networking. Refer to the Creating a Virtual Cloud Network for details.
(Optional, recommended) FastConnect (Co-lo) is created in OCI Networking. This is required to have direct connectivity between the OCI VCN and the CipherTrust Manager on premises. Refer to the FastConnect documentation for details.
Policies are created in OCI Identity.
A policy is a document that specifies who can access which OCI resources that your company has, and how. A policy simply allows a group to work in certain ways with specific types of resources in a particular compartment.
Refer to Getting Started with Policies for details.
A private endpoint is created. Refer to Creating a Private Endpoint for details.

After ensuring the prerequisites, perform the steps described in the subsequent sections.

Note

Currently, only commercial OCI regions are supported.

Add OCI Tenancy on CipherTrust Manager

On the CipherTrust Manager, add an OCI tenancy. You can add OCI tenancies manually (without Oracle connection) or using an Oracle connection configured on the CipherTrust Manager. Refer to Adding Oracle Tenancies for details.

After adding the OCI tenancy, register the CipherTrust Manager with OCI Identity Domain as a confidential application.

Register CipherTrust Manager with OCI Identity Domain

Register the CipherTrust Manager (an External Key Manager) as a confidential resource application with Oracle Identity Domain and enable the client credentials grant, if the Identity Domain is protected.

While registering the CipherTrust Manager, add the oci_ekms scope.

Refer to Creating Confidential Resource App for details.

After registration, the CipherTrust Manager application's client credentials are generated if the Identity Domain is protected. Note down the credentials and the Identity Domain URL. These will be required for registering the JWT issuer (identity provider).

Register Identity Provider with CipherTrust Manager

Register an identity provider on the CipherTrust Manager. Specify the JWKS URI or OpenID configuration URL (the Identity Domain URL and the suffix string, /.well-known/openid-configuration) and CipherTrust Manager application’s client credentials (if the OCI Identity Domain is protected). These details are generated during the step Register CipherTrust Manager with OCI Identity Domain.

To register the identity provider with the CipherTrust Manager:

Log on to the CipherTrust Manager GUI.
Add the identity provider. Refer to Creating Identity Providers for details.

CipherTrust Manager verifies the provided JWKS URI and credentials from the OCI Identity Domain and saves the credentials securely on successful verification.

A JWT issuer ID is generated. This ID is required when creating an external vault on the CipherTrust Manager.

Register OCI KMS Application

Register the OCI KMS application as a confidential client application and enable the client credentials grant. Next, bind the CipherTrust Manager, which you registered as a confidential resource application. This binding is required to associate the OCI KMS client to the CCKM authorized resource (CipherTrust Manager).

Refer to the Oracle documentation for details.

On OCI:

Register the OCI KMS Client application as a confidential client application.
Bind the OCI KMS Client application with the CipherTrust Manager application that you registered as a confidential resource application.

After the KMS client application registration and binding, a KMS client ID is generated. This ID is required for creating an external vault on the CipherTrust Manager.

Creating External Vaults

To create an external vault:

On the CipherTrust Manager, create an external vault using the KMS client ID created in Register OCI KMS Client Application and the JWT issuer ID generated in Register Identity Provider with CipherTrust Manager.
During this step, an external vault is created locally on the CipherTrust Manager and an external vault endpoint URI is generated. This URI can be found in the details of the external vault resource.
Refer to Adding External Vaults for details.
On OCI, create a vault under EKM using the external vault endpoint URI generated in the previous step. Refer to the External Key Management Service documentation for details.
Note
If the CipherTrust Manager's web interface is configured on a port other than 443, the port number should be added to the external vault endpoint URI while creating a vault under EKM on OCI.

The vault created under EKM on the OCI KMS is mapped with the external vault created on the CipherTrust Manager.

Creating External Keys

To create an external key:

On the CipherTrust Manager, create a key in the external vault created on the CipherTrust Manager (refer to the previous step). You can select an existing source key or create a new key.
An external key ID is generated. This external key ID can be found in the details of the external key resource.
Refer to Adding External Keys for details.
On OCI, create an external key reference using the external key ID generated in the previous step. Refer to the External Key Management Service documentation for details.

The external key reference created on the OCI KMS is mapped with the external key created on the CipherTrust Manager.

Rotating External Keys

To rotate an external key:

On the CipherTrust Manager, create a new key version in the external vault created on the CipherTrust Manager (refer to the previous step). You can select an existing source key or create a new key.
A version ID is generated. This version ID can be found in the details of the external key resource.
Refer to Adding a Key Version for details.
On OCI, rotate an external key reference using the version ID generated in the previous step. Refer to the External Key Management Service documentation for details.

The external key reference created on the OCI KMS is mapped with the version ID created on the CipherTrust Manager.

What Next?

After completing the prerequisites, you can manage external vaults and keys on the CipherTrust Manager.

Managing Identity Providers
Managing External Vaults
Managing External Keys

On this page

CipherTrust Manager

© Copyright 2019-2024, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
Legal

© Copyright 2019-2024, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com