CCKM Licensing Model
CCKM is offered through the Trialware and Term License licensing models. This section describes these models and how to activate them.
Trialware
Provides the fully functional CCKM solution for 90 days with a pre-installed trial license. After the trial period expires, CCKM configurations on the CipherTrust Manager become read-only.
Term License
Provides the fully-functional CCKM solution for a prepaid charge for a specific period of time, for a specific number of cloud units.
This license comes with a grace period of 90 days. After the license period expires, the grace period starts. During the grace period, CCKM continues working normally. However, after the grace period is over, CCKM configurations on the CipherTrust Manager become read-only.
The CipherTrust Manager GUI starts showing a notification about the remaining license time. The license renewal can be ordered before the license expires.
Note
The number of cloud license enforced entities such as AWS accounts, Azure subscriptions, Salesforce Organizations, and Google Workspace endpoints that can be added to the CipherTrust Manager is limited by the number of licenses purchased. Refer to License Enforcement for CCKM for the list of clouds and related entities where the CCKM cloud licenses are enforced.
For example, if a 1-year license is purchased for 10 cloud units, then a total of only 10 cloud license enforced entities, of any mix of types, can be added to the CipherTrust Manager.
In addition, Google Cloud External Key Manager (EKM) endpoints require Google Cloud Projects, and one Google Cloud Project registered on CipherTrust Manager consumes one CCKM cloud unit.
You can adjust the mix of cloud units as long as the total does not exceed the purchased license limit. For example, you can add five AWS accounts, three Azure subscriptions, and two Google Workspace endpoints, or you can add 10 AWS accounts.
Note
The CipherTrust Manager acts as a Luna HSM client for root of trust (RoT) and CCKM Embedded (with Luna HSM as a key source). Separate client licenses for Luna HSMs are not required on the CipherTrust Manager. However, you need to apply usual partition licenses on the Luna HSM side.
Activating CCKM Licenses
Activating a CCKM license requires a license string for the CipherTrust Manager to which the AWS accounts, Azure subscriptions, and Google Workspace endpoints will be added. This string is generated when a license is activated. You can find the details about your EID and available licenses on the License Portal.
Refer to Activating a Connector License for details.
After the CCKM license is activated, its state becomes Active on the Features tab of the Licensing page of the CipherTrust Manager GUI. The license is displayed with the feature name CCKM.
License Enforcement for CCKM
Expected behavior with CCKM licenses is explained in this section.
CipherTrust Manager appliance has activated Connector licenses: When CCKM licenses are activated and uploaded to a CipherTrust Manager, you can add clouds to the license capacity. This number cannot exceed the license count. Here is the list of clouds and related entities where the CCKM cloud licenses are enforced.
Cloud               Enforced On
AWS                 AWS Accounts
Azure               Azure Subscriptions
Google              Google Projects
Google Workspace    CSE Endpoints
SFDC                SFDC Organizations
SAP                 SAP Applications
Oracle              OCI Tenancies
Note
Cloud license count is enforced on the KMS containers added to the KMS Containers page of the Cloud Key Manager GUI, not on the cloud connections added to the CipherTrust Manager. So, until a KMS container is added, no cloud license unit is consumed even if a cloud connection exists on the CipherTrust Manager.
When one of the entities specified in the table above is added to the KMS Containers page, one CCKM cloud license unit is consumed. If two entities are added, two cloud license units are consumed, and so on.
Google Workspace CSE consumes one CCKM license (cloud unit) per endpoint. Endpoint URLs are assigned at the Google Workspace CSE Domain or Organization Unit (OU).
Google EKM consumes one CCKM license (cloud unit) per project.
Microsoft DKE consumes one CCKM license (cloud unit) per endpoint. One CCKM DKE endpoint can be used to create one or more labels across one or more Azure tenants.
In CipherTrust Manager 2.12 and older versions, Oracle BYOK was licensed based on OCI Compartments. From release 2.13 onward, both BYOK and HYOK use cases are licensed based on OCI Tenancies.
The CipherTrust Manager acts as a Luna HSM client for root of trust (RoT) and CCKM Embedded (with Luna HSM as a key source). Separate client licenses for Luna HSMs are not required on the CipherTrust Manager. However, you need to apply usual partition licenses on the Luna HSM side.
Reaching license capacity: Additional accounts cannot be added because the license count has been exhausted. In this case (for example, for AWS), users can delete currently configured AWS accounts or buy additional licenses to add more accounts.
License expires: The CipherTrust Manager GUI displays a red banner to inform the administrator of expired licenses. At this time, no new cloud license enforced entities can be added. However, users can still manage currently added accounts for 90 days from license expiry. After 90 days, the CCKM configurations on the CipherTrust Manager become read-only. This means that no new (BYOK or HYOK) resources can be created via CCKM. BYOK keys already uploaded to the cloud continue to be used by the cloud services. For HYOK keys, cryptographic operations continue to work on CCKM.
CCKM License Units Consumption per Domain
A CCKM license unit is marked as consumed for a licensing entity (cloud account) in the domain where the licensing entity is registered first. A licensing entity can be registered in more than one domain. However, the number of CCKM license units consumed remains the same, because only unique licensing entities are counted.
The number of CCKM license units consumed per domain can be retrieved through the API. To learn more about license consumption entities, refer to License Enforcement for CCKM.
Releasing CCKM Licenses
When a licensing entity of a cloud is deleted:
If the licensing entity is registered in only one domain, the CCKM license unit is released.
If the licensing entity is registered in more than one domain and is deleted in one of the domains, the CCKM license unit consumption moves to the next registered licensing entity across any domain.
If the domain is deleted, the CCKM license unit consumed by that domain is released, provided it is not consumed by any other domain.
Example
Consider a licensing entity E1 that is registered first in domain D1 and then in domain D2. CCKM license unit L1 is consumed by licensing entity E1 in domain D1.
Licensing entity deletion: At any point, if E1 in domain D1 is deleted, the CCKM license unit L1 will move from D1 to E1 registered in domain D2.
Domain deletion: At any point, if domain D1 is deleted, the CCKM license unit L1 will be consumed by E1 registered in domain D2.
Note
It is not recommended to delete a domain before deleting the licensing entity.
After domain deletion, it may take up to 15 minutes for the changes to be reflected.
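The consumption and release rules above can be modeled in a few lines for capacity planning. This is an added illustration, not CipherTrust Manager code or its API: the LicenseLedger class and its method names are hypothetical, and "next registered" is assumed to mean the next domain in registration order.

```python
from collections import Counter

class LicenseLedger:
    """Toy model of CCKM cloud-unit accounting as described on this page."""

    def __init__(self, capacity):
        self.capacity = capacity
        # entity -> domains in registration order; the first one holds the unit
        self.registrations = {}

    def units_consumed(self):
        # Only unique licensing entities count, however many domains hold them.
        return len(self.registrations)

    def register(self, entity, domain):
        domains = self.registrations.get(entity)
        if domains is None:
            if self.units_consumed() >= self.capacity:
                raise RuntimeError("license capacity reached")
            domains = self.registrations[entity] = []
        if domain not in domains:
            domains.append(domain)

    def delete_entity(self, entity, domain):
        domains = self.registrations.get(entity, [])
        if domain in domains:
            domains.remove(domain)  # unit moves to the next registered domain
        if entity in self.registrations and not domains:
            del self.registrations[entity]  # last registration gone: unit released

    def delete_domain(self, domain):
        for entity in list(self.registrations):
            self.delete_entity(entity, domain)

    def consumption_per_domain(self):
        return dict(Counter(d[0] for d in self.registrations.values()))


def page_example():
    """E1 registered in D1, then D2; E1 is then deleted from D1."""
    ledger = LicenseLedger(capacity=2)
    ledger.register("E1", "D1")
    ledger.register("E1", "D2")
    before = ledger.consumption_per_domain()
    ledger.delete_entity("E1", "D1")
    after = ledger.consumption_per_domain()
    return before, after, ledger.units_consumed()
```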
BYOK
To release the license for AWS, Azure, Google, Oracle, Salesforce, and SAP, you need to delete the KMS container. For cloud KMS container details, refer to the list of clouds and related entities in the License Enforcement for CCKM section.
HYOK
To release the license for the following:
AWS: Delete all the XKS keys in the AWS external key store, then delete the AWS external key store, and then delete the AWS account from the KMS Container page.
Google EKM: Delete all the Google EKM endpoints, and then delete the Google Project from the KMS Container page.
Google EKM Cryptospace: Delete all the EKM keys from the Google console, make sure all the endpoints are in the destroyed state, then delete the Cryptospace, and then delete the related Google Project from the KMS Container page.
Google Workspace CSE: Delete the Google Workspace CSE Endpoints from the Services page.
Microsoft DKE: Delete the Microsoft DKE Endpoints from the Services page.
Oracle HYOK: Delete all the HYOK keys in the Oracle External Vault, and then delete the Oracle External Vault and Oracle Tenancy from the KMS Container page.