CCKM Licensing Model
CCKM is offered through the Trialware and Term License licensing models. This section describes these models and how to activate them.
Trialware
Provides the fully-functional CCKM solution for 90 days with a pre-installed trial license. After the trial period expires, CCKM configurations on the CipherTrust Manager become read-only.
Term License
Provides the fully-functional CCKM solution for a prepaid charge for a specific period of time, for a specific number of cloud units.
This license comes with a grace period of 90 days. After the license period expires, the grace period starts. During the grace period, CCKM continues working normally. However, after the grace period is over, CCKM configurations on the CipherTrust Manager become read-only.
The CipherTrust Manager GUI starts showing a notification about the remaining license time. The license renewal can be ordered before the license expires.
Note
The number of cloud license enforced entities such as AWS accounts, Azure subscriptions, Salesforce Organizations, and Google Workspace endpoints that can be added to the CipherTrust Manager is limited by the number of licenses purchased. Refer to License Enforcement for CCKM for the list of clouds and related entities where the CCKM cloud licenses are enforced.
For example, if a 1-year license is purchased for 10 cloud units, then only a total of 10 cloud license enforced entities, in any mix of types, can be added to the CipherTrust Manager.
In addition, Google Cloud External Key Manager (EKM) endpoints require Google Cloud Projects, and one Google Cloud Project registered on CipherTrust Manager consumes one CCKM cloud unit.
You can adjust the number of each type of cloud unit as long as the total does not exceed the purchased license limit. As an example, you can add five AWS accounts, three Azure subscriptions, and two Google Workspace endpoints, or 10 AWS accounts.
Note
The CipherTrust Manager acts as a Luna HSM client for root of trust (RoT) and CCKM Embedded (with Luna HSM as a key source). Separate client licenses for Luna HSMs are not required on the CipherTrust Manager. However, you need to apply the usual partition licenses on the Luna HSM side.
Activating CCKM Licenses
Activating a CCKM license requires a license string for the CipherTrust Manager to which the AWS accounts, Azure subscriptions, and Google Workspace endpoints will be added. This string is generated when a license is activated. You can find the details about your EID and available licenses on the License Portal.
Refer to Activating a Connector License for details.
After the CCKM license is activated, its state becomes Active on the Features tab of the Licensing page of the CipherTrust Manager GUI. The license is displayed with the feature name CCKM.
License Enforcement for CCKM
Expected behavior with CCKM licenses is explained in this section.
CipherTrust Manager appliance has activated Connector licenses: When CCKM licenses are activated and uploaded to a CipherTrust Manager, you can add clouds to the license capacity. This number cannot exceed the license count. Here is the list of clouds and related entities where the CCKM cloud licenses are enforced.
Cloud | Enforced On
AWS | AWS Accounts
Azure | Azure Subscriptions
Google | Google Projects
Google Workspace | CSE Endpoints
SFDC | SFDC Organizations
SAP | SAP Applications
Oracle | OCI Tenancies
Note
Cloud license count is enforced on the KMS containers added to the KMS Containers page of the Cloud Key Manager GUI, not on the cloud connections added to the CipherTrust Manager. So, until a KMS container is added, no cloud license unit is consumed even if a cloud connection exists on the CipherTrust Manager.
When one of the entities specified in the table above is added to the KMS Containers page, one CCKM cloud license unit is consumed. If two entities are added, two cloud license units are consumed, and so on.
Google Workspace CSE consumes one CCKM license (cloud unit) per endpoint. Endpoint URLs are assigned at the Google Workspace CSE Domain or Organization Unit (OU).
Google EKM consumes one CCKM license (cloud unit) per project.
In CipherTrust Manager 2.12 and older versions, Oracle BYOK was licensed based on OCI Compartments. From release 2.13 onward, both BYOK and HYOK use cases are licensed based on the OCI Tenancies.
The CipherTrust Manager acts as a Luna HSM client for root of trust (RoT) and CCKM Embedded (with Luna HSM as a key source). Separate client licenses for Luna HSMs are not required on the CipherTrust Manager. However, you need to apply the usual partition licenses on the Luna HSM side.
Reaching license capacity: Additional accounts cannot be added because the license count has been exhausted. In this case (for example, for AWS), users can delete currently configured AWS accounts or buy additional licenses to add more accounts.
License expires: The CipherTrust Manager GUI displays a red banner to inform the administrator of expired licenses. At this time, no new cloud license enforced entities can be added. However, users can still manage currently added accounts for 90 days from license expiry. After 90 days, the CCKM configurations on the CipherTrust Manager become read-only.
Releasing CCKM Licenses
To release a CCKM license of a particular cloud, you need to delete the KMS container entity of that cloud. The license associated with the cloud resource is released automatically after the KMS container is deleted. For cloud KMS container details, refer to the list of clouds and related entities in the License Enforcement for CCKM section.
BYOK
To release the license of AWS, Azure, Google, Oracle, Salesforce, and SAP, you need to delete the KMS container. For cloud KMS container details, refer to the list of clouds and related entities in the License Enforcement for CCKM section.
HYOK
To release the license of the following:
AWS: Delete all the XKS keys in the AWS external key store, then delete the AWS external key store, and then delete the AWS account from the KMS Container page
Google EKM: Delete all the Google EKM endpoints, and then delete the Google Project from the KMS Container page
Google EKM Cryptospace: Delete all the EKM keys from the Google console, make sure all the endpoints are in the destroyed state, then delete the Cryptospace, and then delete the related Google Project from the KMS Container page
Google Workspace CSE: Delete the Google Workspace CSE Endpoints from the Services page
Oracle HYOK: Delete all the HYOK keys in the Oracle External Vault, and then delete the Oracle External Vault and Oracle Tenancy from the KMS Container page