Endpoints
This section describes how to create, edit, disable/enable, archive, recover, and delete endpoints. Creation of an endpoint requires identity providers. At least one identity provider must be added to an endpoint. Identity providers can be created in advance or when creating the endpoints. This section assumes that you have already created identity providers, as described in Creating Identity Providers.
Note
Do not edit the KEK through the general CipherTrust Manager key management functions. Do not modify the KEK through the Keys menu in the GUI, ksctl keys
commands in the CLI, or the /v1/vault/keys2
endpoint in the REST API. This can result in the KEK becoming unavailable to the Google Workspace CSE service unexpectedly.
Creating KACLS Endpoints
To create an endpoint:
Open the Cloud Key Manager Application.
In the left pane, click Services > Google Workspace CSE. The Google Workspace Client Side Encryption page is displayed.
Click Create Endpoint. The Create Endpoint screen is displayed.
Specify a unique Name for the endpoint. This is a mandatory field.
Specify the Authentication Audience. This is a mandatory field.
Authentication Audience is the ID of the third-party identity provider. For example, for Auth0, it is represented by the
Client ID
.Specify the Endpoint URL Hostname. This is a mandatory field. Enter the fully qualified domain name (FQDN) of the CCKM/CipherTrust Manager appliance. Specify the hostname and port (
<hostname>:<port>
). If the port is not specified,443
is the default port.Note
The web interface port within CipherTrust Manager can be changed from the default port of
443
to another port. If you plan to change the default port for the CipherTrust Manager web interface, ensure to change it before configuring the Google Workspace CSE service on CCKM. Also, reflect this port change when creating a KACLS endpoint on CCKM. Changing the default port after configuring Google Workspace CSE is not supported. Refer to Support for Changing the Default Port of Web Interface Setting for instructions on changing the port when configuring a Google Workspace CSE endpoint.Select an Identity Provider. The options are:
All: This is the default option. All the available identity providers will be trusted by the endpoint.
Selected: Select this option to select/remove the desired identity providers.
Optionally, you can add a new identity provider by clicking Create Identity Provider. Refer to Creating Identity Providers for details.
Click Save.
The newly created endpoint appears in the endpoints list, with an Active status. Similarly, add as many endpoints as required.
Every endpoint has an associated endpoint URL. This URL is needed to access the Thales key service. Google Workspace administrators use this URL to configure Google Workspace to communicate with the KACLS.
Viewing Endpoints
The Google Workspace Client Side Encryption page shows the available endpoints. The ENDPOINTS section shows Name, Endpoint URL (or KACLS URL), Status, Key Name, Key ID, and Key Version.
To view details of an endpoint:
Open the Cloud Key Manager Application.
In the left pane, click Services > Google Workspace CSE. The ENDPOINTS section shows the following details:
Column | Description |
---|---|
Name | Name of the endpoint. |
Endpoint URL | (KACLS URL) URL of the endpoint. This URL is needed to access the Thales key service. Google Workspace administrators use this URL to configure Google Workspace to communicate with the KACLS. |
Status | Status of the endpoint. The status can be: • Active: The endpoint is enabled. An endpoint is active when it is created, and can be disabled, archived, or deleted. • Disabled: The endpoint is disabled and cannot be used for encryption and decryption of data. A disabled endpoint can be enabled, archived, or deleted. • Archived: The endpoint is archived. An archived endpoint can be recovered later, if required. |
Key Name | Name of the linked encryption key. |
Key ID | ID of the linked encryption key. The ID changes on endpoint key rotation. |
Key Version | Version of the encryption key. The key version changes on endpoint key rotation. |
To view the perimeters of an endpoint, click the expand icon to the left of the desired endpoint.
Viewing or Editing Endpoints
After an endpoint is created, you can view and modify the linked authentication audience, hostname for the endpoint URL, and identity provider.
To view and edit an endpoint details:
Open the Cloud Key Manager Application.
In the left pane, click Services > Google Workspace CSE.
Under ENDPOINTS, click the overflow icon corresponding to the endpoint you want to edit.
Note
The web interface port within CipherTrust Manager can be changed from the default port of
443
to another port. If you plan to change the default port for the CipherTrust Manager web interface, ensure to change it before configuring the Google Workspace CSE service on CCKM. Also, reflect this port change when creating a KACLS endpoint on CCKM. Changing the default port after configuring Google Workspace CSE is not supported. Refer to Support for Changing the Default Port of Web Interface Setting for instructions on changing the port when configuring a Google Workspace CSE endpoint.Click View/Edit. The edit view of the endpoint is shown.
Modify the Authentication Audience, Endpoint URL Hostname, and/or Identity Provider, as appropriate. The name cannot be changed.
Click Save.
The endpoint details are updated.
Rotating Endpoint Keys
Key rotation is process of changing an endpoint's existing key used to encrypt or decrypt the DEK.
To rotate encryption key for an endpoint:
Open the Cloud Key Manager Application.
In the left pane, click Services > Google Workspace CSE.
Under ENDPOINTS, click the overflow icon corresponding to the desired endpoint.
Click Rotate Keys. A message appears prompting to confirm the action.
Click Rotate Key.
The endpoint key is rotated successfully.
Disabling Endpoints
When an endpoint is not needed for certain period of time, it can be disabled from the CipherTrust Manager.
Note
Before disabling the endpoint, ensure that it is not in use. If an in-use endpoint is disabled, Google Workspace cannot encrypt or decrypt content using the endpoint URL. Also, disabling an endpoint does not delete the associated encryption key.
To disable an endpoint:
Open the Cloud Key Manager Application.
In the left pane, click Services > Google Workspace CSE.
Under ENDPOINTS, click the overflow icon corresponding to the endpoint you want to disable.
Click Disable.
The endpoint status becomes Disabled.
Enabling Endpoints
When a disabled endpoint is needed again, enable it from the CipherTrust Manager.
To enable an endpoint:
Open the Cloud Key Manager Application.
In the left pane, click Services > Google Workspace CSE.
Under ENDPOINTS, click the overflow icon corresponding to the endpoint you want to enable.
Click Enable.
The endpoint status becomes Active.
Archiving Endpoints
Whenever needed, you can archive an endpoint from the CipherTrust Manager. An archived endpoint can be recovered later, if needed.
To archive an endpoint:
Open the Cloud Key Manager Application.
In the left pane, click Services > Google Workspace CSE.
Under ENDPOINTS, click the overflow icon corresponding to the endpoint you want to archive.
Click Archive.
The endpoint status becomes Archived.
Recovering Archived Endpoints
An archived endpoint can be recovered from the CipherTrust Manager. A recovered endpoint can be used again to encrypt and decrypt data.
To recover an archived endpoint:
Open the Cloud Key Manager Application.
In the left pane, click Services > Google Workspace CSE.
Under ENDPOINTS, click the overflow icon corresponding to the archived endpoint you want to recover.
Click Recover.
The endpoint status becomes Active.
Deleting Endpoints
When an endpoint is no longer needed, delete it from the CipherTrust Manager.
Note
Before deleting the endpoint, ensure that it is not in use. If an in-use endpoint is deleted, Google Workspace cannot encrypt or decrypt content using the endpoint URL. Also, deleting an endpoint does not delete the associated encryption key.
To delete an endpoint:
Open the Cloud Key Manager Application.
In the left pane, click Services > Google Workspace CSE.
Under ENDPOINTS, click the overflow icon corresponding to the endpoint you want to delete.
Click Delete.
A warning message appears stating that the endpoint will be deleted permanently. Do you want to delete this endpoint?
Select I wish to delete this endpoint.
Click Delete.
The endpoint is removed from the endpoints list.