Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

Getting Started
Administration
Reference
Release Notes

All

All

CCKM API

Microsoft DKE APIs

Please Note:

Reference
PFMigrate Utility
CCKM API
- Overview
- RESTful APIs
- AWS APIs
  - AWS Custom Key Store APIs
  - AWS KMS Management APIs
  - Key Life Cycle Management APIs
    - Creating AWS Keys on CCKM
    - Fetching List of AWS Keys
    - Viewing Details of AWS Keys
    - Deleting AWS Keys from CCKM
    - Downloading Keys Created on AWS to CCKM
    - Synchronizing AWS Keys
    - Viewing Synchronization Status
    - Aborting Synchronization Jobs
    - Viewing Details of Synchronization Jobs
    - Uploading Keys to AWS KMS
    - Importing Key Material to AWS KMS
    - Deleting Imported Key Material
    - Scheduling Key Deletion
    - Canceling Deletion of Keys
    - Updating Key Policy
    - Updating Key Description
    - Enabling AWS Keys
    - Disabling AWS Keys
    - Adding Tags to AWS Keys
    - Removing Tags from AWS Keys
    - Adding Alias to AWS Keys
    - Deleting Alias from AWS Keys
    - Verifying Alias on AWS KMS
    - Enabling Key for Rotation Job
    - Disabling Key for Rotation Job
    - Enabling Automatic Key Rotation
    - Disabling Automatic Key Rotation
    - Rotating Keys on AWS KMS
    - Replicating Multi-Region AWS Keys
    - Changing the Primary Key of a Multi-Region AWS Key
    - Creating a Bulk Job
    - Viewing the List of Bulk Jobs
    - Viewing Details of a Bulk Job
    - Canceling a Bulk Job
  - Policy Template Management APIs
  - AWS Reports APIs
  - Response Parameters of AWS KMS Management APIs
  - Response Parameters of Key Life Cycle Management APIs
- Azure APIs
  - Subscription APIs
  - Vault Management APIs
  - Key Life Cycle Management APIs
    - Creating Azure Keys
    - Fetching List of Azure Keys
    - Viewing Details of Azure Keys
    - Updating Key Parameters
    - Deleting Keys from CCKM
    - Refreshing an Azure Key
    - Soft-Deleting Azure Keys
    - Purging Azure Keys
    - Uploading Keys to Azure Key Vault
    - Downloading Keys Created on Azure Vault to CCKM
    - Synchronizing Azure Keys
    - Viewing Synchronization Status
    - Viewing Details of Synchronization Jobs
    - Aborting Synchronization Jobs
    - Enabling Key for Rotation Job
    - Disabling Key for Rotation Job
    - Enabling Key for Backup Job
    - Disabling Key for Backup Job
  - Azure Secrets Management APIs
    - Creating Azure Secrets
    - Fetching List of Azure Secrets
    - Viewing Details of Azure Secrets
    - Updating Attributes of Azure Secrets
    - Deleting Azure Secrets with Backup from CCKM
    - Soft-Deleting Azure Secrets
    - Recovering Soft-Deleted Azure Secrets
    - Purging Azure Secrets
    - Restoring Deleted Azure Secrets
    - Synchronizing Azure Secrets
    - Viewing Synchronization Status
    - Viewing Details of Synchronization Jobs
    - Canceling Synchronization Jobs
  - Azure Certificates Management APIs
    - Creating Azure Certificates
    - Fetching List of Azure Certificates
    - Viewing Details of Azure Certificates
    - Updating Attributes of Azure Certificates
    - Deleting Azure Certificates with Backup from CCKM
    - Soft-Deleting Azure Certificates
    - Recovering Soft-Deleted Azure Certificates
    - Purging Azure Certificates
    - Restoring Deleted Azure Certificates
    - Synchronizing Azure Certificates
    - Viewing Synchronization Status
    - Viewing Details of Synchronization Jobs
    - Canceling Synchronization Jobs
    - Importing Azure Certificates
  - Disaster Management APIs
  - Azure Reports APIs
  - Azure Bulk Job Management APIs
    - Creating Azure Bulk Job
    - Fetching List of Azure Bulk Jobs
    - Viewing Details of an Azure Bulk Job
    - Canceling an Azure Bulk Job
  - Response Parameters of Azure Vault Management APIs
  - Response Parameters of Key Life Cycle Management APIs
- Luna HSM APIs
  - Luna HSM Partition APIs
  - Luna HSM Key APIs
- DSM APIs
  - DSM Domain APIs
    - Getting DSM Domains
    - Adding DSM Domains
    - Viewing DSM Domains
    - Viewing Details of a DSM Domain
    - Changing Connection of a DSM Domain
    - Deleting a DSM Domain
    - Granting Permissions to Users or Groups
  - DSM Key APIs
    - Creating a DSM Key
    - Viewing DSM Keys
    - Getting Details of a DSM Key
    - Deleting a DSM Key from CCKM
    - Deleting a Key from DSM
    - Refreshing DSM Domains
    - Getting Refresh Status of DSM Domains
    - Getting Details of a Domain Refresh
    - Canceling a Domain Refresh
- Google Cloud APIs
  - Google Cloud Project APIs
    - Fetching a Project from Google Cloud
    - Viewing Google Cloud Projects
    - Adding Google Cloud Projects
    - Viewing Details of a Google Cloud Project
    - Granting Permissions to Users or Groups in a Google Cloud Project
    - Deleting a Google Cloud Project
    - Updating a Google Cloud Project
  - Google Cloud Key Ring APIs
    - Getting Google Cloud Key Rings
    - Adding Google Cloud Key Rings
    - Listing Google Cloud Key Rings
    - Viewing Details of a Google Cloud Key Ring
    - Updating a Google Cloud Key Ring
    - Granting Permissions to Users or Groups
    - Deleting Google Cloud Key Rings
  - Google Cloud Key APIs
    - Creating a Google Cloud Key
    - Viewing Google Cloud Keys
    - Getting Details of a Google Cloud Key
    - Updating a Google Cloud Key
    - Viewing Versions of a Google Cloud Key
    - Adding a Version to a Google Cloud Key
    - Viewing Details of a Google Cloud Key Version
    - Refreshing Details of a Google Cloud Key Version
    - Refreshing Details of Google Cloud Key and All Its Versions
    - Updating All Versions of a Google Cloud Key
    - Viewing Details of an Update All Versions Operation
    - Enabling a Version of a Google Cloud Key
    - Disabling a Version of a Google Cloud Key
    - Scheduling Destruction of a Google Cloud Key Version
    - Canceling Scheduled Destruction of a Google Cloud Key Version
    - Downloading Public Key for an Asymmetric Version
    - Uploading a New Key to Google Cloud
    - Synchronizing Google Cloud Keys
    - Viewing Synchronization Status
    - Viewing Details of a Synchronization Job
    - Canceling a Synchronization Job
    - Enabling Auto Rotation of Google Cloud Keys
    - Disabling Auto Rotation of Google Cloud Keys
    - Viewing the IAM Policy Attached to a Key
    - Attaching an IAM Policy to a Key
    - Viewing the IAM Roles
  - Google Cloud Location API
  - Google Cloud Report APIs
- Google Cloud EKM APIs
- Microsoft DKE APIs
  - Creating DKE Endpoints
  - Fetching List of DKE Endpoints
  - Viewing Details of a DKE Endpoint
  - Updating a DKE Endpoint
  - Deleting a DKE Endpoint
  - Rotating a DKE Endpoint
  - Enabling DKE Endpoint
  - Disabling DKE Endpoint
  - Enabling Key-Rotation Schedule for DKE Endpoint
  - Disabling Key-Rotation Schedule for DKE Endpoint
  - Archiving a DKE Endpoint
  - Recovering a DKE Endpoint
  - Creating DKE Authorized Tenants
  - Viewing Details of a DKE Authorized Tenant
  - Fetching List of DKE Authorized Tenants
  - Updating a DKE Authorized Tenant
  - Deleting a DKE Authorized Tenant
  - Fetching List of DKE Roles
- SAP APIs
  - SAP Applications API
  - SAP Groups APIs
    - Fetching List of Groups from SAP
    - Managing Permissions on SAP Users or Groups
    - Adding SAP Groups
    - Viewing SAP Groups Added to CipherTrust Manager
    - Viewing Details of SAP Groups
    - Updating Connection of SAP Groups
    - Deleting a SAP Group
  - SAP Keys APIs
    - Creating SAP Key
    - Fetching SAP Keys
    - Getting Details of a SAP Key
    - Updating SAP Key Attributes
    - Deleting a SAP Key Backup from CCKM
    - Deleting a Key from SAP
    - Deleting a SAP Key
    - Adding SAP Key Version
    - Viewing SAP Key Versions
    - Getting Details of a SAP Key Version
    - Synchronizing SAP Keys
    - Updating a SAP Key Version
    - Viewing Synchronization Status
    - Viewing the Job Status
    - Creating New Jobs
    - Uploading Keys to SAP
    - Viewing Synchronization Process Details
    - Canceling Synchronization
    - Enabling Auto Rotation of SAP Keys
    - Disabling Auto Rotation of SAP Keys
    - Creating a Dynamic Key Reference (DKR)
    - Viewing the List of DKRs
    - Getting Details of a DKR
    - Updating Details of a DKR
    - Deleting a DKR from CCKM
    - Deleting a DKR from SAP
  - SAP Reports APIs
- Salesforce APIs
  - Salesforce Organization APIs
    - Getting Salesforce Organizations
    - Adding Salesforce Organizations
    - Listing Salesforce Organizations
    - Viewing Details of a Salesforce Organization
    - Updating a Salesforce Organization
    - Granting Permissions to Users or Groups
    - Deleting Salesforce Organizations
  - Salesforce Tenant Secret APIs
    - Creating a Salesforce Tenant Secret
    - Viewing Salesforce Tenant Secrets
    - Getting Details of a Salesforce Tenant Secret
    - Destroying a Salesforce Tenant Secret
    - Synchronizing Tenant Secrets
    - Importing a Tenant Secret
    - Viewing Synchronizing Status
    - Viewing Details of a Synchronization Job
    - Canceling a Synchronization Job
    - Uploading Salesforce Tenant Secrets
    - Deleting Backup of a Salesforce Tenant Secret
    - Activate a Cache-Only Key
    - Fetching a Salesforce Cache-Only Key for a Given Identifier
    - Updating a Salesforce Cache-Only Key
    - Uploading a Salesforce Cache-Only Key
  - Salesforce Reports APIs
  - Salesforce Cache Only Key Endpoints APIs
  - Salesforce Cloud Certificates APIs
  - Salesforce Named Credentials APIs
- Oracle Cloud APIs
  - OCI Vaults APIs
    - Fetching List of OCI Vaults from Oracle
    - Adding OCI Vaults
    - Viewing OCI Vaults Added to CipherTrust Manager
    - Viewing Details of OCI Vaults
    - Managing Permissions on OCI Users or Groups
    - Deleting OCI Vaults
    - Updating Connection of OCI Vaults
  - OCI Keys APIs
    - Creating OCI Keys
    - Fetching OCI Keys
    - Getting Details of an OCI Key
    - Updating OCI Key Attributes
    - Deleting an OCI Key
    - Canceling Deletion of an OCI Key
    - Deleting an OCI Key Backup from CCKM
    - Restoring a Deleted OCI Key
    - Scheduling Deletion of an OCI Key
    - Adding OCI Key Version
    - Viewing OCI Key Versions
    - Getting Details of an OCI Key Version
    - Scheduling Deletion of an OCI Key Version
    - Canceling Scheduled Deletion of an OCI Key Version
    - Uploading Keys to OCI
    - Synchronizing OCI Keys
    - Viewing Synchronization Status
    - Viewing Synchronization Process Details
    - Canceling Synchronization
    - Changing the Compartment of an OCI Key
    - Disabling an OCI Key
    - Enabling an OCI Key
    - Refreshing an OCI Key
    - Enabling Auto Rotation of OCI Keys
    - Disabling Auto Rotation of OCI Keys
  - OCI Subscribed Regions API
  - OCI Compartments API
  - OCI Reports APIs
- OCI External APIs
  - Issuers APIs
    - Creating an Issuer
    - Returning a List of Issuers
    - Viewing Details of an Issuer
    - Updating Issuers
    - Deleting Issuers
  - External Vaults APIs
    - Creating an External vault
    - Blocking Access to External Vaults
    - Unblocking Access to External vaults
  - External Keys APIs
    - Creating an External Key
    - Blocking Access to External keys
    - Unblocking Access to External keys
  - OCI Invoked APIs
    - Fetching the Metadata of External Vaults
    - Fetching the Metadata of External Keys
    - Fetching the Metadata of a Version of External Keys
    - Encrypting Data Using External Keys
    - Decrypting Data Using External Keys
    - Generating Random Bytes
- CipherTrust Manager as External Keystore APIs
  - External CipherTrust Manager Domain APIs
    - Getting external CipherTrust Manager Domains
    - Adding External CipherTrust Manager Domains
    - Viewing External CipherTrust Manager Domains
    - Viewing Details of an External CipherTrust Manager Domain
    - Changing Connection of an External CipherTrust Manager Domain
    - Deleting an External CipherTrust Manager Domain
    - Granting Permissions to Users or Groups
  - External CipherTrust Manager Key APIs
    - Creating an External CipherTrust Manager Key
    - Viewing External CipherTrust Manager Keys
    - Getting Details of an External CipherTrust Manager Key
    - Deleting an External CipherTrust Manager Key from CCKM
    - Deleting a Key from External CipherTrust Manager
    - Creating a New Version of External CipherTrust Manager Key
    - Viewing External CipherTrust Manager Key Versions
    - Refreshing External CipherTrust Manager Domains
    - Getting Refresh Status of External CipherTrust Manager Domains
    - Getting Details of a Domain Refresh
    - Canceling a Domain Refresh
- Key Material Export and Upload
- Scheduler APIs
  - Scheduling Synchronization
  - Scheduling Key Rotation
  - Scheduling Key Rotation and Auto Rotation of Credentials
  - Automatic Cloud Key Discovery
  - Response Parameters
- Google Workspace CSE APIs
  - Creating an Issuer
  - Viewing Issuers
  - Viewing Details of an Issuer
  - Deleting an Issuer
  - Creating KACLS Endpoints
  - Viewing KACLS Endpoints
  - Viewing Details of a KACLS Endpoint
  - Updating a KACLS Endpoint
  - Disabling a KACLS Endpoint
  - Enabling a KACLS Endpoint
  - Archiving a KACLS Endpoint
  - Recovering a KACLS Endpoint
  - Deleting a KACLS Endpoint
  - Rotating Endpoint Keys (rotate-key)
  - Viewing KACLS Endpoint Perimeters
  - Updating a KACLS Endpoint Perimeter
  - Encrypting Private Keys (wrapprivatekey)
  - Viewing KACLS Endpoint Rewrap Configuration
  - Updating a Rewrap Configuration
  - Viewing KACLS Endpoint Privileged-Unwrap Configuration
  - Updating a KACLS Endpoint Privileged-Unwrap Configuration
  - Google Invoked APIs
    - Encrypting Data Encryption Keys (wrap)
    - Decrypting Data Encryption Keys (unwrap)
    - Decrypting and Downloading Document (privilegedunwrap)
    - Viewing the KACLS Endpoint Status
    - Signing Private Keys (privatekeysign)
    - Decrypting Content Encryption Keys (privatekeydecrypt)
    - Decrypting and Downloading Gmail Message (privilegedprivatekeydecrypt)
    - Listing KACLS Public JWKS
    - Migrating from an Old KACLS to a New KACLS
    - Validating the Resource Key Hash
    - Publishing Public JSON Web Key Set (JWKS) at /Certs
    - Decrypting Data in a Privileged Context
DDC Architecture Guidelines
DDC GLASS Reference
DDC ELK Reference
KMIP Reference
Server Audit Record Reference
- KMIP Errors
- Key Errors
- Certificate Errors
- SNMP Errors
- SMTP Errors
- LDAP Errors
- Authentication Errors
- NAE Errors
- Clustering Errors
- HSM Errors
- Backup and Restore Errors
- General Errors
tcpdump utility
NAE-XML Interface Development
- Starting an XML Session
- NAE Client Registration
- User Requests
- User Group Requests
- Key Management Operations
- Importing, Exporting, and Replicating Keys
- Secret Management Operations
- Certificate and CA Requests
- Cryptographic Operations
- Logging
- Error Messages
- Supported Key Algorithms
- Differences Between Key Managers

CipherTrust Manager
Reference
CCKM API
Microsoft DKE APIs

Microsoft DKE APIs

CCKM provides support for Double Key Encryption (DKE) for Microsoft 365. With DKE, two keys are used to access content (such as files or documents) that is protected with the sensitivity labels that you apply when using any one of the supported Microsoft Office apps. You hold one key in CCKM, which you maintain full control over using the using Microsoft’s Double Key Encryption service. The other is securely stored within Microsoft Azure. To decrypt and gain access to the protected content, both keys are required. Since Microsoft holds only one of the keys, this solution ensures that Microsoft cannot independently access this content. Only your authorized users can access the protected content.

Only your highly confidential data should be protected by DKE, which is typically a small percentage of your organization’s overall data. For more information about DKE, guidance on what type of content to protect, the supported office applications, and other information, refer to Double Key Encryption.

DKE encryption workflow

User adds a DKE label to a document. The Microsoft Office client connects to Azure RMS (Protection Service).
User certificate, API templates, and Azure RMS key are sent to the Microsoft Office client.
Microsoft Office client requests CCKM for the DKE public key associated with the applied label.
CCKM verifies the request. After authorization succeeds, CCKM sends the DKE public key to the Microsoft Office client.
Microsoft Office client encrypts the document content with the content key.
Microsoft Office client encrypts the part of the metadata that controls access to the content with the DKE public key.
Microsoft Office client encrypts the encrypted metadata with the Azure RMS key.

The content is protected with the double-encrypted content key, RMS key and DKE public key. The following illustration shows the DKE encryption workflow:

Diagram of the DKE encryption workflow

DKE decryption workflow

User opens a document which has a DKE label. The Microsoft Office client first sends the double-encrypted metadata to Azure RMS (Protection Service).
Azure RMS (Protection Service) decrypts the double-encrypted metadata using the Azure RMS key and returns the simple-encrypted metadata.
Microsoft Office client sends the simple-encrypted metadata to CCKM and requests CCKM to decrypt it.
CCKM verifies the request and goes through the authorization process. When authorization passes successfully, CCKM decrypts the simple-encrypted metadata and returns the decrypted metadata to the Microsoft Office client.
Microsoft Office client uses the content key to decrypt the document. The user can view the document content.

The following illustration shows the DKE decryption workflow:

The following are the high-level steps to configure DKE within Microsoft and CipherTrust Manager/CCKM:

Complete the prerequisites.
Configure DKE on CCKM.
Register your DKE service from Microsoft Azure portal.
Create your DKE sensitivity labels from Microsoft Compliance portal.

Prerequisites

In preparation for deploying DKE, ensure that the following prerequisites are met:

Ensure CipherTrust Manager/CCKM is installed and running. In addition, ensure to activate and install the CCKM license. Refer to the CipherTrust Manager Deployment Guide and Licensing for details.
Microsoft 365 E5 License: Windows clients must have a Microsoft 365 E5 license. Refer to information about system and licensing requirements for DKE for more information these licensing requirements.
Note
CCKM supports built-in sensitivity labeling with Office apps. CCKM does not support Azure Information Protection unified labeling client, which is to be deprecated in the future.
User Presence in Azure Directory: Users who are to create and share documents or files protected by DKE must be part of the Azure Active Directory (Azure AD) associated with the organization's tenant.
Note
- DKE is not supported on applications running on mobile devices.
- DKE is only tested with Windows clients. DKE is not tested with Mac, iOS, and Android clients.
- To configure the B2B cross-tenant access settings, refer to Configure cross-tenant access settings for B2B collaboration.

Configure DKE on CCKM

To configure DKE on CCKM, do the following:

Install a third-party CA certificate on the web interface.
Note
We recommend obtaining a CA-signed certificate for the web interface from trusted CAs that are part of the Microsoft Trusted Root Program. For more information, refer to Microsoft Trusted Root Program participants.
From CCKM GUI or API, create a DKE endpoint. Refer to Creating Microsoft DKE Endpoints for details on how to create a DKE endpoint from CCKM GUI or Creating Microsoft DKE Endpoints using CCKM API.
Note
- Only Azure AD users are currently supported. The email addresses included in the API call must be associated with a user Azure AD. The email address parameter an optional field applicable only if authorization_type is set to email.
  If you specified one or more email addresses in a DKE endpoint, this field would be validated against JWT received in the decrypt operation.
- A Microsoft Office 365 client user and email (if configured in CipherTrust Manager) must match.
- The Issuer field must be specific to the tenant configured in the Microsoft Azure Portal.
- The web interface port within CipherTrust Manager can be changed from the default port of 443 to another port. If you plan to change the default port for the CipherTrust Manager web interface, ensure to change it BEFORE configuring the Microsoft DKE service on CCKM. Also reflect this port change when creating a DKE endpoint on CCKM as part of the prerequisites for deploying DKE. Changing the default port AFTER configuring Microsoft DKE is not supported.

Register your DKE service

After creating a DKE endpoint, proceed to register your DKE service from the Microsoft Azure portal. Refer to Register your key store for details.

Note

When registering your DKE service, ensure that Application ID URI matches the FQDN of the CipherTrust Manager. In the case where you are using a load balancer in front of the CipherTrust Manager, ensure that Application ID URI matches the FQDN of the load balancer. You can only register one DKE service per one instance of CipherTrust Manager.

Also, ensure that the publisher domain on the Branding and Properties page is set to the domain in which CipherTrust Manager is deployed. For example, if CipherTrust Manager is test.thalescpl.io, then ensure that the publisher domain includes thalescpl.io.

Create your DKE sensitivity labels

After successfully registering your key store, you are ready to create your DKE sensitivity labels from the Microsoft Compliance portal. Refer to Create sensitivity labels using DKE for details.

When creating a sensitivity label, ensure to do the following:

Select Apply or remove Encryption on the protection settings for labeled items page.
Select the Use Double Key Encryption checkbox to enable DKE on the Encryption page. Enter the the value of the key_urireceived in the API response when you created a DKE endpoint using the create DKE endpoint API.

Note

After a label is published by the defining policy, it may take up to 24 hours for a label to be made available (after the label policy is published) for use in a Microsoft 365 Apps, such as Word or PowerPoint.

Note

For labels that are configured to have Offline Access set to Never, the decrypt requests will be sent to the CipherTrust Manager. Otherwise, if labels are configured to have Offline Access set to Always, the decrypt requests will not be sent to the CipherTrust Manager

Refer to the following DKE API sections:

Creating DKE Endpoints
Fetching List of DKE Endpoints
Viewing Details of DKE Endpoints
Updating Attributes of DKE Endpoints
Deleting DKE Endpoints
Rotating DKE Endpoints
Enabling Key-Rotation Schedule for DKE Endpoint
Disabling Key-Rotation Schedule for DKE Endpoint
Enabling DKE Endpoints
Disabling DKE Endpoints
Archiving DKE Endpoints
Recovering DKE Endpoints
Creating DKE Authorized Tenants
Viewing Details of DKE Authorized Tenants
Fetching List of DKE Authorized Tenants
Updating Attributes of DKE Authorized Tenants
Deleting DKE Authorized Tenants
Fetching List of DKE Roles

Note

Users of the CCKM Admins group can manage DKE endpoints, whereas the users of the CCKM Users group can only view the DKE endpoints.

Tip

The mandatory API request parameters are written in bold.

On this page

CipherTrust Manager

© Copyright 2019-2024, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
Legal

© Copyright 2019-2024, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com