Managing DKE Authorized Tenants
This section describes how to manage DKE authorized tenants from CCKM.
Creating a DKE Authorized Tenant
To create a DKE authorized tenant from the CCKM GUI:
Log in to the CipherTrust Manager GUI as a member of the CCKM Admins group.
Open the Cloud Key Manager application.
In the left pane, click Services > Microsoft DKE. The Microsoft Double Key Encryption (DKE) page is displayed.
Go to the AUTHORIZED TENANTS section.
Click Create Tenant. The General Info screen of the Add Double Key Encryption (DKE) Authorized Tenant wizard is displayed.
General Info
Enter the Name
Enter the Description.
Click Next. The Issuer Settings screen is displayed.
Issuer Settings
Enter a Valid Issuer. A trusted issuer for the DKE authorized tenant. An example of a valid issuer is
https://sts.windows.net/<azure_tenant_ID>/
.Note
The following requirements apply for the issuer:
Must match the issuer within the JWT that the CCKM receives.
If the issuer's hostname is
https://sts.windows.net/<azure_tenant_ID>/
, you must include the trailing slash/
.
Click Next. The Authorization Parameters screen is displayed.
Authorization Parameters
Select an authorization method to the access settings of DKE keys. The options are Use Email(s) and Use Role(s).
Click the desired tab to view the instructions.
Use Email(s) allows your organization to authorize access to the DKE keys based on email addresses.
Under Add Email(s), enter the email addresses that are authorized to use the DKE key and click Add Email(s). The added emails are displayed in the list of Emails.
Note
The use of wildcards '*' and '?' are supported for email addresses. The following are examples of supported wildcard formats:
abc*@gmail.com: supports any email that starts with abc and ends with "@gmail.com".
abc@?.com: supports any email that starts with abc, contains "@" followed by at least one character and ends with ".com".
abc@?.?*: supports any email that starts with abc, contains "@" followed by at least one character, followed by the dot character (.), and ends with at least one character.
?*@gmail.com: supports any email that starts with at least one character and ends with "@gmail.com".
Use Role(s) allows your organization to authorize access to the DKE keys based on Active Directory groups. The format is
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
wherex
is an alphanumeric character.From the Select Azure Connection drop-down menu, select an Azure connection to use for this DKE authorized tenant, and add the role IDs that are authorized to use the DKE key.
You can select the roles from the list and you can add the roles manually. Click the desired tab to view the instructions.
Click List Roles and select the desired roles from the list.
Scroll down the page, enter the Role ID(s) that are authorized to use the DKE key, and click Add Role ID(s). The added role IDs are displayed in the list of Role IDs.
To find out the role ID in Azure:
Log on to the Microsoft Entra portal.
In the left pane, click Identity > Users > All users.
On the Users page, search for the desired user.
Under Display Name, click the user name link. The details of the selected user are displayed.
Click Assigned roles. The Active assignments tab shows the roles currently assigned to the user.
Note down the role for which you want to find out the role ID.
In the left pane, click Roles & admins > Roles & admins. The Roles and administrators page displays all roles on the right.
Search and select the role you noted down earlier. The "<user role> | Assignments" page is displayed.
Under Manage, click Description. The Summary of the role is displayed.
Copy the value of the Template ID.
Click Next. The Review and Add screen is displayed.
Review and Add
This screen shows the authorized tenant details that you have provided. These details are divided into GENERAL INFO, ISSUER SEITINGS, and AUTHORIZATION PARAMETERS sections.
Before adding the authorized tenant, review all details. After the authorized tenant is added, certain features will no longer be editable.
Review the authorized tenant details displayed on the screen.
If the details are incorrect or you want to make any changes, click Edit next to the GENERAL INFO, ISSUER SEITINGS, and AUTHORIZATION PARAMETERS sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Authorized Tenant.
Click Close.
The newly created authorized tenant is displayed in the list of Microsoft DKE authorized tenants.
Viewing DKE Authorized Tenants
The Microsoft Double Key Encryption (DKE) page shows the list of existing DKE authorized tenants residing within a given ID. Search for the authorized tenants by name or ID.
To view the list of DKE authorized tenants available on CCKM:
Log in to the CipherTrust Manager GUI as a member of the CCKM Admins group.
Open the Cloud Key Manager application.
In the left pane, click Services > Microsoft DKE. The Microsoft Double Key Encryption (DKE) page is displayed.
Go to the AUTHORIZED TENANTS section. The list of DKE authorized tenants added to the CCKM is displayed. The page displays the following details:
Field Description Name Name of the DKE authorized tenant. Tenant ID ID of the authorized tenant. Authorization Method Authorization type for DKE key: Email or Role ID. Creation Date Time when the authorized tenant was created. Last Modified Date and time the authorized tenant was modified. Timestamp in format Day-Month-Year time in 24-hour notation. Description Description of the authorized tenant.
Viewing and Editing Details of a DKE Authorized Tenant
After an authorized tenant is created, you can view and modify the authorized tenant details, such as the name and authorization parameters.
This section describes how to view the details of a DKE authorized tenant and update details relating to GENERAL INFORMATION and AUTHORIZATION PARAMETERS as needed.
To view or edit a DKE authorized tenant:
Log in to the CipherTrust Manager GUI as a member of the CCKM Admins group.
Open the Cloud Key Manager application.
In the left pane, click Services > Microsoft DKE. The Microsoft Double Key Encryption (DKE) page is displayed.
Go to the AUTHORIZED TENANTS section. The list of DKE authorized tenants added to CCKM is displayed.
Click the Name link of the desired DKE authorized tenant.
Alternatively, click the overflow icon () corresponding to the desired DKE authorized tenant, and click View/Edit.
The edit view of the Microsoft Double Key Encryption (DKE) page is displayed.
Under GENERAL INFORMATION
(Optional) Update the Name.
(Optional) Update the Description.
Click Update.
Under AUTHORIZATION PARAMETERS
(Optional) Depending on which authorization method you previously configured:
If using Email authorization
- In Add Email(s), enter additional email addresses and click Add Email(s). Your entries are displayed under Email(s). You can also edit and delete the desired email address by clicking the Edit and Delete icon, respectively.
If using Role authorization
(Optional) In Select Azure Connection, change an Azure connection.
In Add Role ID(s), you can add additional role IDs by clicking Edit Authorized Roles. Your entries are displayed under Role ID(s). You can also edit and delete the desired role ID by clicking the Edit and Delete icon, respectively.
Click Update.
Deleting a DKE Authorized Tenant
To delete a DKE authorized tenant from CCKM:
Log in to the CipherTrust Manager GUI as a member of the CCKM Admins group.
Open the Cloud Key Manager application.
In the left pane, click Services > Microsoft DKE. The Microsoft Double Key Encryption (DKE) page is displayed.
Go to the AUTHORIZED TENANTS section.
Click the overflow icon () corresponding to the desired DKE authorized tenant, and click Delete. The Delete Authorized Tenant message is displayed.
Select I wish to delete this authorized tenant.
Click Delete.
After the authorized tenant is successfully deleted, a message displays indicating "Successfully deleted Authorized Tenant.".