Reference
PFMigrate Utility
CCKM API
- Overview
- RESTful APIs
- AWS APIs
  - AWS Custom Key Store APIs
  - AWS KMS Management APIs
  - Key Life Cycle Management APIs
    - Creating AWS Keys on CCKM
    - Fetching List of AWS Keys
    - Viewing Details of AWS Keys
    - Deleting AWS Keys from CCKM
    - Downloading Keys Created on AWS to CCKM
    - Viewing Synchronization Status
    - Aborting Synchronization Jobs
    - Viewing Details of Synchronization Jobs
    - Uploading Keys to AWS KMS
    - Importing Key Material to AWS KMS
    - Deleting Imported Key Material
    - Scheduling Key Deletion
    - Canceling Deletion of Keys
    - Updating Key Policy
    - Updating Key Description
    - Enabling AWS Keys
    - Disabling AWS Keys
    - Adding Tags to AWS Keys
    - Removing Tags from AWS Keys
    - Adding Alias to AWS Keys
    - Deleting Alias from AWS Keys
    - Verifying Alias on AWS KMS
    - Enabling Key for Rotation Job
    - Disabling Key for Rotation Job
    - Enabling Automatic Key Rotation
    - Disabling Automatic Key Rotation
    - Rotating Keys on AWS KMS
    - Replicating Multi-Region AWS Keys
    - Changing the Primary Key of a Multi-Region AWS Key
    - Creating a Bulk Job
    - Viewing the List of Bulk Jobs
    - Viewing Details of a Bulk Job
    - Canceling a Bulk Job
  - Policy Template Management APIs
  - AWS Reports APIs
  - Response Parameters of AWS KMS Management APIs
  - Response Parameters of Key Life Cycle Management APIs
- Azure APIs
  - Subscription APIs
  - Vault Management APIs
  - Key Life Cycle Management APIs
    - Creating Azure Keys
    - Fetching List of Azure Keys
    - Viewing Details of Azure Keys
    - Updating Key Parameters
    - Deleting Keys from CCKM
    - Soft-Deleting Azure Keys
    - Purging Azure Keys
    - Uploading Keys to Azure Key Vault
    - Downloading Keys Created on Azure Vault to CCKM
    - Viewing Synchronization Status
    - Viewing Details of Synchronization Jobs
    - Aborting Synchronization Jobs
    - Enabling Key for Rotation Job
    - Disabling Key for Rotation Job
  - Azure Secrets Management APIs
    - Creating Azure Secrets
    - Fetching List of Azure Secrets
    - Viewing Details of Azure Secrets
    - Updating Attributes of Azure Secrets
    - Deleting Azure Secrets with Backup from CCKM
    - Soft-Deleting Azure Secrets
    - Recovering Soft-Deleted Azure Secrets
    - Purging Azure Secrets
    - Restoring Deleted Azure Secrets
    - Synchronizing Azure Secrets
    - Viewing Synchronization Status
    - Viewing Details of Synchronization Jobs
    - Canceling Synchronization Jobs
  - Azure Certificates Management APIs
    - Creating Azure Certificates
    - Fetching List of Azure Certificates
    - Viewing Details of Azure Certificates
    - Updating Attributes of Azure Certificates
    - Deleting Azure Certificates with Backup from CCKM
    - Soft-Deleting Azure Certificates
    - Recovering Soft-Deleted Azure Certificates
    - Purging Azure Certificates
    - Restoring Deleted Azure Certificates
    - Synchronizing Azure Certificates
    - Viewing Synchronization Status
    - Viewing Details of Synchronization Jobs
    - Canceling Synchronization Jobs
    - Importing Azure Certificates
  - Disaster Management APIs
  - Azure Reports APIs
  - Response Parameters of Azure Vault Management APIs
  - Response Parameters of Key Life Cycle Management APIs
- Luna HSM APIs
  - Luna HSM Partition APIs
  - Luna HSM Key APIs
- DSM APIs
  - DSM Domain APIs
    - Getting DSM Domains
    - Adding DSM Domains
    - Viewing DSM Domains
    - Viewing Details of a DSM Domain
    - Changing Connection of a DSM Domain
    - Deleting a DSM Domain
    - Granting Permissions to Users or Groups
  - DSM Key APIs
    - Creating a DSM Key
    - Viewing DSM Keys
    - Getting Details of a DSM Key
    - Deleting a DSM Key from CCKM
    - Deleting a Key from DSM
    - Refreshing DSM Domains
    - Getting Refresh Status of DSM Domains
    - Getting Details of a Domain Refresh
    - Canceling a Domain Refresh
- Google Cloud APIs
  - Google Cloud Project APIs
    - Fetching a Project from Google Cloud
    - Viewing Google Cloud Projects
    - Adding Google Cloud Projects
    - Viewing Details of a Google Cloud Project
    - Granting Permissions to Users or Groups in a Google Cloud Project
    - Deleting a Google Cloud Project
    - Updating a Google Cloud Project
  - Google Cloud Key Ring APIs
    - Getting Google Cloud Key Rings
    - Adding Google Cloud Key Rings
    - Listing Google Cloud Key Rings
    - Viewing Details of a Google Cloud Key Ring
    - Updating a Google Cloud Key Ring
    - Granting Permissions to Users or Groups
    - Deleting Google Cloud Key Rings
  - Google Cloud Key APIs
    - Creating a Google Cloud Key
    - Viewing Google Cloud Keys
    - Getting Details of a Google Cloud Key
    - Updating a Google Cloud Key
    - Viewing Versions of a Google Cloud Key
    - Adding a Version to a Google Cloud Key
    - Viewing Details of a Google Cloud Key Version
    - Refreshing Details of a Google Cloud Key Version
    - Refreshing Details of Google Cloud Key and All Its Versions
    - Updating All Versions of a Google Cloud Key
    - Viewing Details of an Update All Versions Operation
    - Enabling a Version of a Google Cloud Key
    - Disabling a Version of a Google Cloud Key
    - Scheduling Destruction of a Google Cloud Key Version
    - Canceling Scheduled Destruction of a Google Cloud Key Version
    - Downloading Public Key for an Asymmetric Version
    - Uploading a New Key to Google Cloud
    - Synchronizing Google Cloud Keys
    - Viewing Synchronization Status
    - Viewing Details of a Synchronization Job
    - Canceling a Synchronization Job
    - Enabling Auto Rotation of Google Cloud Keys
    - Disabling Auto Rotation of Google Cloud Keys
    - Viewing the IAM Policy Attached to a Key
    - Attaching an IAM Policy to a Key
    - Viewing the IAM Roles
  - Google Cloud Location API
  - Google Cloud Report APIs
- Google Cloud EKM APIs
- SAP APIs
  - SAP Applications API
  - SAP Groups APIs
    - Fetching List of Groups from SAP
    - Managing Permissions on SAP Users or Groups
    - Adding SAP Groups
    - Viewing SAP Groups Added to CipherTrust Manager
    - Viewing Details of SAP Groups
    - Updating Connection of SAP Groups
    - Deleting a SAP Group
  - SAP Keys APIs
    - Creating SAP Key
    - Fetching SAP Keys
    - Getting Details of a SAP Key
    - Updating SAP Key Attributes
    - Deleting a SAP Key Backup from CCKM
    - Deleting a Key from SAP
    - Deleting a SAP Key
    - Adding SAP Key Version
    - Viewing SAP Key Versions
    - Getting Details of a SAP Key Version
    - Synchronizing SAP Keys
    - Updating a SAP Key Version
    - Viewing Synchronization Status
    - Viewing the Job Status
    - Creating New Jobs
    - Uploading Keys to SAP
    - Viewing Synchronization Process Details
    - Canceling Synchronization
    - Enabling Auto Rotation of SAP Keys
    - Disabling Auto Rotation of SAP Keys
    - Creating a Dynamic Key Reference (DKR)
    - Viewing the List of DKRs
    - Getting Details of a DKR
    - Updating Details of a DKR
    - Deleting a DKR from CCKM
    - Deleting a DKR from SAP
  - SAP Reports APIs
- Salesforce APIs
  - Salesforce Organization APIs
    - Getting Salesforce Organizations
    - Adding Salesforce Organizations
    - Listing Salesforce Organizations
    - Viewing Details of a Salesforce Organization
    - Updating a Salesforce Organization
    - Granting Permissions to Users or Groups
    - Deleting Salesforce Organizations
  - Salesforce Tenant Secret APIs
    - Creating a Salesforce Tenant Secret
    - Viewing Salesforce Tenant Secrets
    - Getting Details of a Salesforce Tenant Secret
    - Destroying a Salesforce Tenant Secret
    - Synchronizing Tenant Secrets
    - Importing a Tenant Secret
    - Viewing Synchronizing Status
    - Viewing Details of a Synchronization Job
    - Canceling a Synchronization Job
    - Uploading Salesforce Tenant Secrets
    - Deleting Backup of a Salesforce Tenant Secret
    - Activate a Cache-Only Key
    - Fetching a Salesforce Cache-Only Key for a Given Identifier
    - Updating a Salesforce Cache-Only Key
    - Uploading a Salesforce Cache-Only Key
  - Salesforce Reports APIs
  - Salesforce Cache Only Key Endpoints APIs
  - Salesforce Cloud Certificates APIs
  - Salesforce Named Credentials APIs
- Oracle Cloud APIs
  - OCI Vaults APIs
    - Fetching List of OCI Vaults from Oracle
    - Adding OCI Vaults
    - Viewing OCI Vaults Added to CipherTrust Manager
    - Viewing Details of OCI Vaults
    - Managing Permissions on OCI Users or Groups
    - Deleting OCI Vaults
    - Updating Connection of OCI Vaults
  - OCI Keys APIs
    - Creating OCI Keys
    - Fetching OCI Keys
    - Getting Details of an OCI Key
    - Updating OCI Key Attributes
    - Deleting an OCI Key
    - Canceling Deletion of an OCI Key
    - Deleting an OCI Key Backup from CCKM
    - Restoring a Deleted OCI Key
    - Scheduling Deletion of an OCI Key
    - Adding OCI Key Version
    - Viewing OCI Key Versions
    - Getting Details of an OCI Key Version
    - Scheduling Deletion of an OCI Key Version
    - Canceling Scheduled Deletion of an OCI Key Version
    - Uploading Keys to OCI
    - Synchronizing OCI Keys
    - Viewing Synchronization Status
    - Viewing Synchronization Process Details
    - Canceling Synchronization
    - Changing the Compartment of an OCI Key
    - Disabling an OCI Key
    - Enabling an OCI Key
    - Refreshing an OCI Key
    - Enabling Auto Rotation of OCI Keys
    - Disabling Auto Rotation of OCI Keys
  - OCI Subscribed Regions API
  - OCI Compartments API
  - OCI Reports APIs
- OCI External APIs
  - Issuers APIs
    - Creating an Issuer
    - Returning a List of Issuers
    - Viewing Details of an Issuer
    - Updating Issuers
    - Deleting Issuers
  - External Vaults APIs
    - Creating an External vault
    - Blocking Access to External Vaults
    - Unblocking Access to External vaults
  - External Keys APIs
    - Creating an External Key
    - Blocking Access to External keys
    - Unblocking Access to External keys
  - OCI Invoked APIs
    - Fetching the Metadata of External Vaults
    - Fetching the Metadata of External Keys
    - Fetching the Metadata of a Version of External Keys
    - Encrypting Data Using External Keys
    - Decrypting Data Using External Keys
    - Generating Random Bytes
- CipherTrust Manager as External Keystore APIs
  - External CipherTrust Manager Domain APIs
    - Getting external CipherTrust Manager Domains
    - Adding External CipherTrust Manager Domains
    - Viewing External CipherTrust Manager Domains
    - Viewing Details of an External CipherTrust Manager Domain
    - Changing Connection of an External CipherTrust Manager Domain
    - Deleting an External CipherTrust Manager Domain
    - Granting Permissions to Users or Groups
  - External CipherTrust Manager Key APIs
    - Creating an External CipherTrust Manager Key
    - Viewing External CipherTrust Manager Keys
    - Getting Details of an External CipherTrust Manager Key
    - Deleting an External CipherTrust Manager Key from CCKM
    - Deleting a Key from External CipherTrust Manager
    - Creating a New Version of External CipherTrust Manager Key
    - Viewing External CipherTrust Manager Key Versions
    - Refreshing External CipherTrust Manager Domains
    - Getting Refresh Status of External CipherTrust Manager Domains
    - Getting Details of a Domain Refresh
    - Canceling a Domain Refresh
- Key Material Export and Upload
- Scheduler APIs
  - Scheduling Synchronization
  - Scheduling Key Rotation
  - Scheduling Key Rotation and Auto Rotation of Credentials
  - Automatic Cloud Key Discovery
  - Response Parameters
- Google Workspace CSE APIs
  - Creating an Issuer
  - Viewing Issuers
  - Viewing Details of an Issuer
  - Deleting an Issuer
  - Creating KACLS Endpoints
  - Viewing KACLS Endpoints
  - Viewing Details of a KACLS Endpoint
  - Updating a KACLS Endpoint
  - Disabling a KACLS Endpoint
  - Enabling a KACLS Endpoint
  - Archiving a KACLS Endpoint
  - Recovering a KACLS Endpoint
  - Deleting a KACLS Endpoint
  - Rotating Endpoint Keys (rotate-key)
  - Viewing KACLS Endpoint Perimeters
  - Updating a KACLS Endpoint Perimeter
  - Encrypting Private Keys (wrapprivatekey)
  - Google Invoked APIs
    - Encrypting Data Encryption Keys (wrap)
    - Decrypting Data Encryption Keys (unwrap)
    - Decrypting and Downloading Document (privilegedunwrap)
    - Viewing the KACLS Endpoint Status
    - Signing Private Keys (privatekeysign)
    - Decrypting Content Encryption Keys (privatekeydecrypt)
    - Decrypting and Downloading Gmail Message (privilegedprivatekeydecrypt)
DDC Architecture Guidelines
DDC GLASS Reference
DDC ELK Reference
KMIP Reference
Server Audit Record Reference
- KMIP Errors
- Key Errors
- Certificate Errors
- SNMP Errors
- SMTP Errors
- LDAP Errors
- Authentication Errors
- NAE Errors
- Clustering Errors
- HSM Errors
- Backup and Restore Errors
- General Errors
NAE-XML Interface Development
- Starting an XML Session
- NAE Client Registration
- User Requests
- User Group Requests
- Key Management Operations
- Importing, Exporting, and Replicating Keys
- Secret Management Operations
- Certificate and CA Requests
- Cryptographic Operations
- Logging
- Error Messages
- Supported Key Algorithms
- Differences Between Key Managers

Granting Permissions to Users or Groups in a Google Cloud Project

Use the post /v1/cckm/google/projects/{id}/update-acls API to grant permissions to users or groups to perform specified EKM ACL operations or actions relating to a CCKM EKM cryptospace within a Google Cloud project. Use the Google project ID to identify the given project.

Note

To use this API, you must have the role of a CCKM administrator or Domain administrator for the Google Cloud project.

By default, no user or user group is assigned in the EKM ACL. Access needs to be explicitly granted to the ACL. A user is required to be a member of the CCKM user group to have granular access in a Google project.

User ID and group are mutually exclusive. Specify either of the two. As a CCKM or Domain administrator of a Google Cloud project, configure the actions that are permitted or denied for a user or a group to perform relating to a CCKM EKM cryptospace within a given Google project. However, if the permissions of a user or group requires modification after the initial configuration, such as a new action is to be permitted or an existing action is to be revoked, (as the CCKM or Domain administrator) set the given action to true or false.

For example, a user or group is initially permitted the actions of cryptospacecreate, cryptospaceupdate, and cryptospacedelete. To update the actions permitted for the user or group to now permit one more action of cryptospaceblock, set "permit":true and "actions": "cryptospaceblock", and run the API. Similarly, to deny permission to the action of cryptospacecreate, set "permit":false, "actions": "cryptospacecreate", and run the API.

Note

If cryptospaceview is not previously granted as a permitted action in the ACL, this API adds it to the ACL when a user is granted one of the following permissions: cryptospacecreate, cryptospaceupdate, cryptospaceblock, cryptospaceunblock, cryptospacedelete, cryptospaceekmenable, and cryptospaceekmdisable. Additionally, this API revokes these permissions (that were previously granted as a permitted action in the ACL), if cryptospaceview is a revoked action.

Note

The granted permissions for a user or group in the given Google Cloud project are cumulative.

Refer to Actions for the supported actions.

Refer to Google Cloud EKM APIs for more information about Google Cloud EKM Cryptospace APIs.

Syntax

curl -k '<IP>/api/v1/cckm/google/projects/{id}/update-acls' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n  "acls": [\n    {\n      "group": "<group_name>",\n      "actions": [\n        "<action1>", "<action2>"\n      ],\n      "permit": <true|false>\n    }\n  ]\n}' --compressed
"project_id": "<id_of_project>"\n    }\n  ]\n}' --compressed

Here, {id} represents the project ID of the Google Cloud project on the CipherTrust Manager.

Request Parameters

Parameter	Type	Description
AUTHTOKEN	string	Authorization token.
acls	array of JSONs	Permissions to be granted to users and groups. Refer to ACLs for details.

ACLs

Parameter	Type	Description
actions	array of strings	List of actions. Refer to Actions for the supported actions and details.
group	string	Name of the user group to be granted permissions. User ID and group are mutually exclusive. Specify either.
permit	boolean	Whether to permit users to perform specific operations. Set `true` to permit, `false` to deny.
user_id	string	ID of the user to be granted permissions. User ID and group are mutually exclusive. Specify either.

Actions

The following table lists the accepted values:

APIs	Actions Required	Description
Create Cryptospace	cryptospacecreate	Permission to create a cryptospace.
Update Cryptospace	cryptospaceupdate	Permission to update the attributes of a cryptospace.
Block Cryptospace	cryptospaceblock	Permission to block operations on EKM endpoints in a cryptospace.
Unblock Cryptospace	cryptospaceunblock	Permission to unblock operations on EKM endpoints in a cryptospace.
Delete Cryptospace	cryptospacedelete	Permission to delete a cryptospace.
Get Cryptospace	cryptospaceview	Permission to view cryptospaces.
Enable Cryptospace EKM endpoints	cryptospaceekmenable	Permission to enable operations on EKM endpoints in a cryptospace.
Disable Cryptospace EKM endpoints	cryptospaceekmdisable	Permission to disable operations on EKM endpoints in a cryptospace.

Example Request

curl -k 'https://127.0.0.1/api/v1/cckm/google/projects/a2ff0283-77ce-4194-968e-0661053cad4f/update-acls' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiIxMzRiZGY4OC1mMTMwLTQ4ZjAtYjRlMC1iYTJlZDI1MzI0Y2MiLCJzdWIiOiJsb2NhbHw0YjZmM2MwYy1iMjI2LTRjNmEtOWE4OS1kMGRmM2M3MDQ3YmIiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJjbGllbnRfaWQiOiI4MzdjODQwZC03NWRkLTRiNGYtYTMxOC03OWNiMTZjYTI0OGQiLCJjbGllbnRfbmFtZSI6ImFwaS1wbGF5Z3JvdW5kIiwiY2xpZW50X3R5cGUiOiJwdWJsaWMiLCJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiMmExYzI2MjMtZmI3ZC00MzQ3LWI5YWYtMGM2MmNmNzZmMjgzIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjUyNmUxOTMzLTc3MzctNDQ2OC1hMGNhLWMxYjgwNzhkNTkxMiIsImlhdCI6MTY3NjQxMzcxMywiZXhwIjoxNjc2NDE0MDEzfQ.GjacKl5F6mSpfetUI3zWOIAQUEIFD1GoLcAJVt7Ru9Q' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n  "acls": []\n}' --compressed

Example Response

{
    "id": "03b24ef3-0078-4dbb-9444-a4242f992d69",
    "uri": "kylo:kylo:cckm:gcp-project:03b24ef3-0078-4dbb-9444-a4242f992d69",
    "account": "kylo:kylo:admin:accounts:kylo",
    "application": "ncryptify:gemalto:admin:apps:kylo",
    "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
    "createdAt": "2021-02-25T07:54:14.945148Z",
    "updatedAt": "2021-02-25T07:54:14.943021Z",
    "create_time": "2018-03-19T17:42:03.596Z",
    "lifecycle_state": "ACTIVE",
    "name": "cckm",
    "parent_id": "1234567891234",
    "parent_type": "folder",
    "project_id": "cckm-project",
    "project_number": "12345678912",
    "connection": "gcp-connection",
    "cloud_name": "gcp",
    "acls": [
        {
            "group": "CCKM Users",
            "actions": [
                "cryptospaceview",
                "cryptospacecreate",
                "cryptospaceekmenable",
                "cryptospaceekmdisable"
            ]
        }
    ]
}

The output shows the permissions for the group CCKM Users for the Google Cloud project with ID 03b24ef3-0078-4dbb-9444-a4242f992d69.

Response Codes

Response Code	Description
2xx	Success
4xx	Client errors
5xx	Server errors

Refer to HTTP status codes for details.

Suggest A Change

Granting Permissions to Users or Groups in a Google Cloud Project

Syntax

Request Parameters

ACLs

Actions

Example Request

Example Response

Response Codes

On this page