Creating KACLS Endpoints
Use the POST /v1/cckm/GoogleWorkspaceCSE/endpoints API to create or update KACLS endpoints for Google Workspace CSE. The call also creates a key encryption key (KEK) for the endpoint, which is used to wrap and unwrap the data encryption keys (DEKs) that Google Workspace sends to the KACLS.
When creating an endpoint, specify the following details:

- A unique name for the endpoint.
- The authentication audience for the endpoint: the client ID that the third-party identity provider issues authentication JWTs for.
- The hostname of the endpoint URL. This is the fully qualified domain name (FQDN) of the CCKM/CipherTrust Manager appliance, with no scheme, port or path.
- The identity provider (issuer): select from the configured identity providers by passing their issuer IDs in the `issuer` parameter. If the parameter is omitted, every identity provider configured on the appliance is added to the endpoint, so pass the issuer IDs explicitly to limit which providers' JWTs the endpoint accepts.
Syntax
```bash
curl -k 'https://<IP>/api/v1/cckm/GoogleWorkspaceCSE/endpoints' \
  -H 'Authorization: Bearer AUTHTOKEN' \
  -H 'Content-Type: application/json' \
  --data-binary '{
    "name": "<endpoint-name>",
    "endpoint_url_hostname": "<endpoint_url_hostname>",
    "issuer": [
      "<issuer-id-1>",
      "<issuer-id-2>"
    ],
    "authenticationAud": [
      "<authentication-aud>"
    ]
  }' --compressed
```

The `-k` flag disables TLS certificate verification. Use it only against a lab appliance; in production pass the appliance's CA certificate with `--cacert` instead.
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
authenticationAud | array of strings | List of supported audiences for the authentication JWT. This is the client ID registered with the third-party identity provider; for Auth0, for example, it is the application's Client ID. |
endpoint_url_hostname | string | Hostname for the endpoint URL. Enter the fully qualified domain name (FQDN) of the CCKM/CipherTrust Manager appliance. |
name | string | Name for the endpoint. |
authorizationAud | array of strings | List of supported audiences for the authorization JWT. |
cors | array of strings | List of allowed origins for Cross-Origin Resource Sharing (CORS). |
endpoint_url | string | Unique base URL for the endpoint. |
issuer | array of strings | List of trusted issuer IDs to use with this endpoint. Issuers are managed through the /GoogleWorkspaceCSE/issuers URL. If omitted, all configured issuers are added to the endpoint. |
meta | JSON | Additional information about the endpoint. |
Example Request
```bash
curl -k 'https://127.0.0.1/api/v1/cckm/GoogleWorkspaceCSE/endpoints' \
  -H 'Authorization: Bearer AUTHTOKEN' \
  -H 'Content-Type: application/json' \
  --data-binary '{
    "name": "endpoint_demo",
    "endpoint_url_hostname": "demo.thalesgwsintegration.net",
    "issuer": [
      "39a9e91b-7a95-4fbf-bf79-30930eeb1d2c",
      "39a9e91b-7a95-4fbf-bf79-30930eeb1d2d"
    ],
    "authenticationAud": [
      "122334a33qr31038dekfhfl"
    ]
  }' --compressed
```
Example Response
```json
{
  "issuer": [
    "39a9e91b-7a95-4fbf-bf79-30930eeb1d2c",
    "39a9e91b-7a95-4fbf-bf79-30930eeb1d2d"
  ],
  "id": "c1583936-7d03-4e2d-a0ae-3a1ae2d2e200",
  "uri": "kylo:kylo:cckm:kacls-endpoint:demo",
  "account": "kylo:kylo:admin:accounts:kylo",
  "application": "ncryptify:gemalto:admin:apps:kylo",
  "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
  "createdAt": "2020-10-15T13:30:57.560148051Z",
  "name": "endpoint_demo",
  "endpoint_url_hostname": "demo.thalesgwsintegration.net",
  "updatedAt": "2020-10-15T13:30:57.560148051Z",
  "cors": null,
  "authorizationAud": null,
  "authenticationAud": [
    "122334a33qr31038dekfhfl"
  ],
  "endpoint_url": "https://demo.thalesgwsintegration.net/api/v1/cckm/GoogleWorkspaceCSE/endpoints/c1583936-7d03-4e2d-a0ae-3a1ae2d2e200",
  "kekName": "ks-cc84e97b53e5457cbd6b664174a0f1df57570a3aa4044ee887077203940f1221",
  "kekID": "cc84e97b53e5457cbd6b664174a0f1df57570a3aa4044ee887073303940f10c1",
  "meta": null
}
```
The response returns the endpoint ID, here "c1583936-7d03-4e2d-a0ae-3a1ae2d2e200". Each endpoint has a unique ID. The ID is required when viewing, modifying or deleting the endpoint, when wrapping and unwrapping DEKs through it, when rotating the endpoint's encryption key, and when viewing or updating the KACLS perimeters.

The response also reports the KEK created for the endpoint: "kekName" is its name and "kekID" its ID. The latest version of this KEK is used to wrap and unwrap DEKs. A new KEK starts at version 0, and the version increases on each subsequent key rotation.
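As an added example (not Thales code and not part of the original page), the following Python helper builds the request body described above, refuses the inputs that silently widen trust (an empty issuer list, which makes the appliance add every configured identity provider; an empty audience list; a hostname carrying a scheme or path), and pulls the endpoint ID and KEK details out of the create response for use in later calls. The API path and parameter names come from the page; the validation rules, function names and the embedded sample response are assumptions that mirror the example above.

```python
"""Build, check and parse CCKM GoogleWorkspaceCSE endpoint requests (added example)."""
import json
import re
import ssl
import urllib.request

ENDPOINTS_PATH = "/api/v1/cckm/GoogleWorkspaceCSE/endpoints"

# Assumption: issuer and endpoint IDs are UUIDs (as in the page's example) and
# endpoint_url_hostname must be a bare FQDN with no scheme, port or path.
UUID_RE = re.compile(r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$")
FQDN_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")


def build_endpoint_request(name, endpoint_url_hostname, issuers, authentication_aud,
                           authorization_aud=None, cors=None, meta=None):
    """Return the JSON body for POST /v1/cckm/GoogleWorkspaceCSE/endpoints.

    Fails closed: an omitted issuer list would make the appliance trust every
    configured identity provider, and an empty audience list is never what you want.
    """
    if not name or not name.strip():
        raise ValueError("name is required")
    if not FQDN_RE.match(endpoint_url_hostname):
        raise ValueError("endpoint_url_hostname must be a bare FQDN (no scheme, port or path)")
    if not issuers:
        raise ValueError("pass at least one issuer ID; omitting issuer trusts all configured identity providers")
    bad = [i for i in issuers if not UUID_RE.match(i)]
    if bad:
        raise ValueError("issuer IDs are not UUIDs: %s" % ", ".join(bad))
    if not authentication_aud or not all(a.strip() for a in authentication_aud):
        raise ValueError("authenticationAud needs at least one non-empty client ID")

    body = {
        "name": name.strip(),
        "endpoint_url_hostname": endpoint_url_hostname,
        "issuer": list(issuers),
        "authenticationAud": list(authentication_aud),
    }
    # Optional parameters are sent only when supplied, so the appliance keeps its
    # own defaults (they come back as null in the example response).
    if authorization_aud:
        body["authorizationAud"] = list(authorization_aud)
    if cors:
        body["cors"] = list(cors)
    if meta is not None:
        body["meta"] = meta
    return body


def parse_endpoint_response(text):
    """Extract the endpoint ID, KEK name/ID and endpoint URL needed by later calls."""
    data = json.loads(text)
    missing = [k for k in ("id", "kekName", "kekID", "endpoint_url") if not data.get(k)]
    if missing:
        raise ValueError("response is missing: %s" % ", ".join(missing))
    if not UUID_RE.match(data["id"]):
        raise ValueError("endpoint id is not a UUID: %r" % data["id"])
    # Trim defensively: the sample response on this page carries a trailing space here.
    endpoint_url = data["endpoint_url"].strip()
    if not endpoint_url.startswith("https://"):
        raise ValueError("endpoint_url is not https: %r" % endpoint_url)
    if not endpoint_url.rstrip("/").endswith("/" + data["id"]):
        raise ValueError("endpoint_url does not end in the endpoint id")
    return {"id": data["id"], "kekName": data["kekName"],
            "kekID": data["kekID"], "endpoint_url": endpoint_url}


def create_endpoint(base_url, auth_token, body, ca_bundle=None):
    """POST the body to the appliance and return the parsed result (network; not run offline).

    Unlike the curl -k examples, TLS verification stays on; pass the appliance CA
    through ca_bundle if it is not in the system trust store.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + ENDPOINTS_PATH,
        data=json.dumps(body).encode("utf-8"),
        headers={"Authorization": "Bearer " + auth_token, "Content-Type": "application/json"},
        method="POST",
    )
    ctx = ssl.create_default_context(cafile=ca_bundle)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return parse_endpoint_response(resp.read().decode("utf-8"))


# Constructed sample mirroring the page's example response (not captured from a live appliance).
SAMPLE_RESPONSE = json.dumps({
    "id": "c1583936-7d03-4e2d-a0ae-3a1ae2d2e200",
    "name": "endpoint_demo",
    "endpoint_url_hostname": "demo.thalesgwsintegration.net",
    "issuer": ["39a9e91b-7a95-4fbf-bf79-30930eeb1d2c", "39a9e91b-7a95-4fbf-bf79-30930eeb1d2d"],
    "authenticationAud": ["122334a33qr31038dekfhfl"],
    "endpoint_url": "https://demo.thalesgwsintegration.net/api/v1/cckm/GoogleWorkspaceCSE/endpoints/c1583936-7d03-4e2d-a0ae-3a1ae2d2e200 ",
    "kekName": "ks-cc84e97b53e5457cbd6b664174a0f1df57570a3aa4044ee887077203940f1221",
    "kekID": "cc84e97b53e5457cbd6b664174a0f1df57570a3aa4044ee887073303940f10c1",
})
```

Usage: `create_endpoint("https://<IP>", AUTHTOKEN, build_endpoint_request(...), ca_bundle="ctm-ca.pem")` sends the request with the appliance's CA pinned; store the returned `id` and `kekID`, since every later view, modify, rotate and perimeter call needs the endpoint ID.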
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
Refer to HTTP status codes for details.