Managing SAP Keys
This section describes how to manage SAP keys on CCKM. Before proceeding, you must have a SAP Data Custodian group added to the CCKM. Refer to Managing SAP Groups for details.
Key Creation Methods and Sources
Methods to create SAP cloud keys using CCKM are:
Creating/Uploading New Key Material: Add key material by creating and uploading a new source key or by creating a new native key. The key source can be:
CipherTrust (External): A new key is first created on the external CipherTrust Manager. Then, this key material is uploaded to SAP cloud to create a new SAP key. As the key material is uploaded from the CipherTrust Manager, the key origin is CipherTrust (External).
CipherTrust (Local): A new key is first created on the CipherTrust Manager. Then, this key material is uploaded to SAP cloud to create a new SAP key. As the key material is uploaded from the CipherTrust Manager, the key origin is CCKM.
SAP (Native): A new key is directly created on SAP cloud using a native SAP application. The key origin is NATIVE.
Vormetric DSM: A new DSM key is first created on the CipherTrust Manager. Then, this key material is uploaded to SAP cloud to create a new SAP key. As the key material is uploaded from the CipherTrust Manager, the key origin is CCKM.
Luna HSM: A new Luna HSM key is first created on the CipherTrust Manager. Then, this key material is uploaded to SAP cloud to create a new SAP key. As the key material is uploaded from the CipherTrust Manager, the key origin is CCKM.
Note
CCKM doesn't support FM-enabled Luna HSM as a key source.
Cloning Existing Key Material: Clone key material from an existing key to create a new key. The key source can be:
CipherTrust (Local): An existing local CipherTrust Manager key is first cloned on the CipherTrust Manager. Then, the cloned key material is uploaded to SAP cloud to create a new SAP key. As the key material is uploaded from the CipherTrust Manager, the key origin is CCKM.
CipherTrust (External): An existing key is first cloned on the external CipherTrust Manager. Then, this key material is uploaded to SAP cloud to create a new SAP key. As the key material is uploaded from the CipherTrust Manager, the key origin is CipherTrust (External).
Vormetric DSM: An existing DSM key is first cloned on the CipherTrust Manager. Then, the key material is uploaded to SAP cloud to create a new SAP key. As the key material is uploaded from the CipherTrust Manager, the key origin is CCKM.
Luna HSM: An existing Luna HSM key is first cloned on the CipherTrust Manager. Then, the key material is uploaded to SAP cloud to create a new SAP key. As the key material is uploaded from the CipherTrust Manager, the key origin is CCKM.
Note
CCKM doesn't support FM-enabled Luna HSM as a key source.
Creating/Uploading New Key Material
To add a SAP cloud key by creating/uploading new key material:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > SAP.
Click Add Key. The Select Material Origin screen of the Add SAP Key wizard is displayed.
Under Select Method, select Create/Upload New Key Material. The Select Source section appears. Depending on your requirements, select from the following:
CipherTrust (External): Refer to Uploading CipherTrust (External) Key Material for details.
CipherTrust (Local): Refer to Uploading CipherTrust (Local) Key Material for details.
SAP (Native): Refer to Creating SAP (Native) Key Material for details.
Luna HSM: Refer to Uploading Luna HSM Key Material for details.
Vormetric DSM: Refer to Uploading Vormetric DSM Key Material for details.
Refer to Key Creation Methods and Sources for details on key sources.
Note
The following key types and sizes/curves are supported for AWS keystore.
Size/Curve (Native and BYOK columns):
AES
  Native: 256
  BYOK: 256, applicable to all the key materials.
RSA
  Native: 2048, 3072, and 4096
  BYOK: 2048, 3072, and 4096. Applicable to all the key materials.
EC
  Native: ECC_NIST_P256 (SECP256R1, PRIME256V1), ECC_NIST_P384 (SECP384R1), ECC_NIST_P521 (SECP521R1), and ECC_SECG_P256K1 (SECP256K1). Applicable to asymmetric keys only.
  BYOK: ECC_NIST_P256 (SECP256R1, PRIME256V1), ECC_NIST_P384 (SECP384R1), ECC_NIST_P521 (SECP521R1), and ECC_SECG_P256K1 (SECP256K1). Applicable to CipherTrust (External) and CipherTrust (Local) key materials.
If a SAP group has an AWS keystore, you cannot export the key.
The following key types and sizes/curves are supported for the ESK keystore.
Size/Curve (Native and BYOK columns):
AES
  Native: 128, 192, and 256
  BYOK: 128, 192, and 256. 192 is not applicable to DSM key material.
RSA
  Native: 2048, 3072, 4096, and 8192
  BYOK: 2048, 3072, and 4096. For Luna HSM, you can also select 8192.
EC
  Native: SECP192K1, SECP224K1, SECP256K1, NISTP192, NISTP224, NISTP256, NISTP384, and NISTP521
  BYOK: ECC_SECG_P224K1 (SECP224K1), ECC_SECG_P256K1 (SECP256K1), ECC_NIST_P224 (SECP224R1), ECC_NIST_P256 (PRIME256V1), ECC_NIST_P384 (SECP384R1), and ECC_NIST_P521 (SECP521R1). Applicable to CipherTrust (External) and CipherTrust (Local) key materials.
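The two keystore tables above, combined with the per-source algorithm options, the Key Attributes notes, and the export and deletion statements found elsewhere on this page, can be applied as a pre-flight check before a request is entered in the wizard. This is an added example, not CCKM code: the KeyRequest fields, the finding codes, and the "AWS"/"ESK" keystore labels are assumptions made for illustration, and the sample request is constructed.

```python
from dataclasses import dataclass

# Algorithms each source offers in the wizard steps on this page.
ALGOS_BY_SOURCE = {
    "CipherTrust (External)": {"AES", "RSA", "EC"},
    "CipherTrust (Local)": {"AES", "RSA", "EC"},
    "SAP (Native)": {"AES", "RSA", "EC"},
    "Vormetric DSM": {"AES", "RSA"},
    "Luna HSM": {"RSA"},
}
# Sizes and curves from the page's AWS and ESK keystore tables.
AWS_EC = {"ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1"}
SUPPORTED = {
    ("AWS", "native"): {"AES": {256}, "RSA": {2048, 3072, 4096}, "EC": AWS_EC},
    ("AWS", "byok"): {"AES": {256}, "RSA": {2048, 3072, 4096}, "EC": AWS_EC},
    ("ESK", "native"): {
        "AES": {128, 192, 256}, "RSA": {2048, 3072, 4096, 8192},
        "EC": {"SECP192K1", "SECP224K1", "SECP256K1", "NISTP192",
               "NISTP224", "NISTP256", "NISTP384", "NISTP521"}},
    ("ESK", "byok"): {
        "AES": {128, 192, 256}, "RSA": {2048, 3072, 4096, 8192},
        "EC": {"ECC_SECG_P224K1", "ECC_SECG_P256K1", "ECC_NIST_P224",
               "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521"}},
}
ALL_OPS = {"Encrypt", "Decrypt", "Sign", "Verify", "Wrap", "Unwrap"}
SIGNING = {"Sign", "Verify"}


@dataclass(frozen=True)
class KeyRequest:
    """Hypothetical record of what will be entered in the Add SAP Key wizard."""
    keystore: str                  # "AWS" or "ESK": keystore of the target SAP group
    source: str                    # one of the keys of ALGOS_BY_SOURCE
    algorithm: str                 # "AES", "RSA" or "EC"
    size: object                   # int for AES/RSA, curve name for EC
    operations: frozenset          # SAP Key Attributes to select
    allow_export: bool = False
    fm_enabled_hsm: bool = False   # only meaningful for source "Luna HSM"


def check(req):
    """Return (code, message) findings; codes starting with WARN do not block."""
    if req.source not in ALGOS_BY_SOURCE:
        return [("SOURCE", f"unknown key source {req.source!r}")]
    mode = "native" if req.source == "SAP (Native)" else "byok"
    table = SUPPORTED.get((req.keystore, mode))
    if table is None:
        return [("KEYSTORE", f"unknown keystore {req.keystore!r}")]
    out = []
    if req.algorithm not in ALGOS_BY_SOURCE[req.source]:
        out.append(("ALGO_SOURCE", f"{req.source} does not offer {req.algorithm}"))
    elif req.size not in table[req.algorithm]:
        out.append(("SIZE", f"{req.algorithm} {req.size} is not listed for the "
                            f"{req.keystore} keystore ({mode})"))
    elif req.keystore == "ESK" and mode == "byok":
        # Per-source exceptions stated in the ESK table's BYOK column.
        if (req.algorithm, req.size, req.source) == ("AES", 192, "Vormetric DSM"):
            out.append(("SIZE", "AES 192 is not applicable to DSM key material"))
        if (req.algorithm, req.size) == ("RSA", 8192) and req.source != "Luna HSM":
            out.append(("SIZE", "RSA 8192 BYOK is listed for Luna HSM only"))
    ops = set(req.operations)
    if ops - ALL_OPS:
        out.append(("OPS", f"unknown key attributes: {sorted(ops - ALL_OPS)}"))
    if req.algorithm == "EC" and ops - SIGNING:
        out.append(("OPS_EC", "for EC keys only Sign and Verify are available"))
    if req.algorithm == "AES" and ops & SIGNING:
        out.append(("OPS_AES", "for AES keys Sign and Verify are not available"))
    if req.keystore == "AWS" and req.allow_export:
        out.append(("EXPORT_AWS", "a key in an AWS keystore cannot be exported"))
    if req.source == "Luna HSM" and req.fm_enabled_hsm:
        out.append(("HSM_FM", "FM-enabled Luna HSM is not supported as a key source"))
    if not req.allow_export:
        out.append(("WARN_NO_BACKUP", "non-exportable key: CCKM cannot back it up, "
                                      "so deleting it is irrecoverable"))
    return out


def codes(req):
    """Finding codes only, in the order check() reports them."""
    return [code for code, _ in check(req)]


if __name__ == "__main__":
    # Constructed sample request, not taken from a real deployment.
    sample = KeyRequest("AWS", "Vormetric DSM", "AES", 192,
                        frozenset({"Encrypt", "Sign"}), allow_export=True)
    for code, message in check(sample):
        print(f"{code}: {message}")
```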
Uploading CipherTrust (External) Key Material
Upload the key material of an external CipherTrust Manager key using the CipherTrust Manager to configure the source key.
Select Material Origin > Select Source
Select CipherTrust (External).
Click Next. The Configure CipherTrust (External) Key screen is displayed.
Configure CipherTrust (External) Key
Select Domain from the drop-down list. The drop-down list shows the external CM domains linked with the configured external CM connection.
(Optional) Enter a Key Name. A new key with this name will be created on the CipherTrust Manager and its key material will be uploaded to SAP cloud.
Select the Algorithm for the key. The options are:
AES: Creates and uploads an AES key.
RSA: Creates and uploads an RSA key pair.
EC: Creates and uploads an EC key.
Select the Key Size / Elliptic Curve based on the key type.
Click Next. The Configure SAP Key screen is displayed.
Configure SAP Key
Enter a unique, user-friendly alias as the SAP Key Name. This will be the key name on SAP cloud. This name helps uniquely identify a SAP key. By default, the Key Name you specified on the previous screen is populated.
Select the desired SAP Group Name from the drop-down list. The drop-down shows the list of SAP groups added to the CCKM.
(Optional) Provide a basic Description for the key.
(Optional) Select Allow Key Export. Selecting this check box allows the key to be exported.
Select the Key Attributes. The options are:
Encrypt, Decrypt, Sign
Verify, Wrap, Unwrap
Note
For EC keys, only Sign and Verify are available. For AES keys, Sign and Verify are not available.
Click Next. The Review and Add screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the SOURCE KEY and DESTINATION KEY sections becomes Complete and the Key ID links are displayed, the key is created successfully.
Click Close. The Add SAP Key wizard is closed.
The newly created key is displayed in the list of SAP keys.
Uploading CipherTrust (Local) Key Material
Upload the local key material using the CipherTrust Manager to configure the source key.
Select Material Origin > Select Source
Select CipherTrust (Local).
Click Next. The Configure CipherTrust Key screen is displayed.
Configure CipherTrust (Local) Key
Enter a Key Name. A new key with this name will be created on the CipherTrust Manager and its key material will be uploaded to SAP cloud.
Select Key Type. The options are:
AES: Creates and uploads an AES key.
RSA: Creates and uploads an RSA key pair.
EC: Creates and uploads an EC key.
Select the Key Size / Elliptic Curve based on the key type.
Click Next. The Configure SAP Key screen is displayed.
Configure SAP Key
Enter a unique, user-friendly alias as the SAP Key Name. This will be the key name on SAP cloud. This name helps uniquely identify a SAP key. By default, the Key Name you specified on the previous screen is populated.
Select the desired SAP Group Name from the drop-down list. The drop-down shows the list of SAP groups added to the CCKM.
(Optional) Provide a basic Description for the key.
(Optional) Select Allow Key Export. Selecting this check box allows the key to be exported.
Select the Key Attributes. The options are:
Encrypt, Decrypt, Sign
Verify, Wrap, Unwrap
Note
For EC keys, only Sign and Verify are available. For AES keys, Sign and Verify are not available.
Click Next. The Review and Add screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the SOURCE KEY and DESTINATION KEY sections becomes Complete and the Key ID links are displayed, the key is created successfully.
Click Close. The Add SAP Key wizard is closed.
The newly created key is displayed in the list of SAP keys.
Creating SAP (Native) Key Material
Create the key material directly using a native SAP application.
Select Material Origin > Select Source
Select SAP (Native).
Click Next. The Configure SAP Key screen is displayed.
Configure SAP Key
Enter a unique, user-friendly alias as the SAP Key Name. This will be the key name on SAP cloud. This name helps uniquely identify a SAP key.
Select the desired SAP Group Name from the drop-down list. The drop-down shows the list of SAP groups added to the CCKM.
(Optional) Provide a basic Description for the key.
Select Key Type. The options are:
AES: Creates and uploads an AES key.
RSA: Creates and uploads an RSA key pair.
EC: Creates and uploads an EC key.
Select the Key Size / Elliptic Curve based on the key type.
Note
The key size 8192 is applicable to a non-FIPS Luna HSM.
(Optional) Select Allow Key Export. Selecting this check box allows the key to be exported.
Select the Key Attributes. The options are:
Encrypt, Decrypt, Sign
Verify, Wrap, Unwrap
Note
For EC keys, only Sign and Verify are available. For AES keys, Sign and Verify are not available.
Click Next. The Review and Add screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN and NATIVE KEY sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the NATIVE KEY section and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the NATIVE KEY section becomes Complete and the Key ID link is displayed, the key is created successfully.
Click Close. The Add SAP Key wizard is closed.
The newly created key is displayed in the list of SAP keys. The origin of the key is NATIVE.
Uploading Vormetric DSM Key Material
Upload the local key material using the Vormetric DSM to configure the source key.
Select Material Origin > Select Source
Select Vormetric DSM.
Click Next. The Configure DSM Key screen is displayed.
Configure DSM Key
Enter a DSM Key Name. A new key with this name will be created on the DSM and its key material will be uploaded to SAP cloud.
(Optional) Provide a Description for the key.
Select a DSM Domain for the key. The drop-down list shows the DSM domains linked with the configured DSM connection.
Select Key Type. The options are:
AES: Creates and uploads an AES key.
RSA: Creates and uploads an RSA key pair.
Select the Key Size based on the key type.
Click Next. The Configure SAP Key screen is displayed.
Configure SAP Key
Enter a unique, user-friendly alias as the SAP Key Name. This will be the key name on SAP cloud. This name helps uniquely identify a SAP key. By default, the DSM Key Name you specified on the previous screen is populated.
Select the desired SAP Group Name from the drop-down list. The drop-down shows the list of SAP groups added to the CCKM.
(Optional) Provide a basic Description for the key.
(Optional) Select Allow Key Export. Selecting this check box allows the key to be exported.
Select the Key Attributes. The options are:
Encrypt, Decrypt, Sign
Verify, Wrap, Unwrap
Note
For AES keys, Sign and Verify are not available.
Click Next. The Review and Add screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the SOURCE KEY and DESTINATION KEY sections becomes Complete and the Key ID links are displayed, the key is created successfully.
Click Close. The Add SAP Key wizard is closed.
The newly created key is displayed in the list of SAP keys.
Uploading Luna HSM Key Material
Upload the local key material using the Luna HSM to configure the source key.
Note
CCKM doesn't support FM-enabled Luna HSM as a key source.
Select Material Origin > Select Source
Select CipherTrust Luna HSM.
Click Next. The Configure HSM Key screen is displayed. The drop-down list shows the HSM partitions linked with the configured Luna HSM connection.
Configure HSM Key
Select the Partition ID of the desired Luna HSM partition.
Enter an HSM Key Name. A new key with this name will be created on the Luna HSM and its key material will be uploaded to SAP cloud.
Select Key Type as RSA. It creates and uploads an RSA key pair.
Select the Key Size. For an RSA key, the options are 2048, 3072, and 4096.
Select the key Mechanism. The supported key mechanisms are:
CKM_RSA_FIPS_186_3_AUX_PRIME_KEY_PAIR_GEN
CKM_RSA_X9_31_KEY_PAIR_GEN
CKM_RSA_FIPS_186_3_PRIME_KEY_PAIR_GEN
CKM_RSA_PKCS_KEY_PAIR_GEN
Select the Key Attributes. The options are:
Modifiable, Extractable, Sensitive (all three are selected for a BYOK Compatible key)
Encrypt, Decrypt, Wrap, Unwrap
Sign, Verify, Derive
Click Next. The Configure SAP Key screen is displayed.
Configure SAP Key
Enter a unique, user-friendly alias as the SAP Key Name. This will be the key name on SAP cloud. This name helps uniquely identify a SAP key. By default, the HSM Key Name you specified on the previous screen is populated.
Select the desired SAP Group Name from the drop-down list. The drop-down shows the list of SAP groups added to the CCKM.
(Optional) Provide a basic Description for the key.
(Optional) Select Allow Key Export. Selecting this check box allows the key to be exported.
Select the Key Attributes. The options are:
Encrypt, Decrypt, Sign
Verify, Wrap, Unwrap
Click Next. The Review and Add screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the SOURCE KEY and DESTINATION KEY sections becomes Complete and the Key ID links are displayed, the key is created successfully.
Click Close. The Add SAP Key wizard is closed.
The newly created key is displayed in the list of SAP keys.
Cloning Existing Key Material
To add a new SAP cloud key by cloning key material existing on the CipherTrust Manager (External), CipherTrust Manager (Local), DSM, or Luna HSM:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > SAP.
Click Add Key. The Select Material Origin screen of the Add SAP Key wizard is displayed.
Under Select Method, select Clone Existing Key Material. The Select Source section appears. Depending on your requirements, select from the following:
CipherTrust (External): Refer to Cloning CipherTrust (External) Key Material for details.
CipherTrust (Local): Refer to Cloning CipherTrust (Local) Key Material for details.
Vormetric DSM: Refer to Cloning Vormetric DSM Key Material for details.
Luna HSM: Refer to Cloning Luna HSM Key Material for details.
Refer to Key Creation Methods and Sources for details on these key sources.
Cloning CipherTrust (External) Key Material
Clone and upload the key material of an external CipherTrust Manager key using the CipherTrust Manager to configure the source key.
Select Material Origin > Select Source
Select CipherTrust (External).
Click Next. The Select CipherTrust (External) Key screen is displayed.
Select CipherTrust (External) Key
Select Domain from the drop-down list. The drop-down list shows the external CM domains linked with the configured external CM connection.
Select the Algorithm for the key. The options are:
AES: Creates and uploads an AES key.
RSA: Creates and uploads an RSA key pair.
EC: Creates and uploads an EC key.
Select the Key Size / Elliptic Curve based on the key type.
Select the desired key from the Key Name drop-down list. This field shows the available local CipherTrust Manager keys.
Click Next. The Configure SAP Key screen is displayed.
Configure SAP Key
Enter a unique, user-friendly alias as the SAP Key Name. This will be the key name on SAP cloud. This name helps uniquely identify a SAP key. By default, the CipherTrust Key Name you specified on the previous screen is populated.
Select the desired SAP Group Name from the drop-down list. The drop-down shows the list of SAP groups added to the CCKM.
(Optional) Provide a basic Description for the key.
(Optional) Select Allow Key Export. Selecting this check box allows the key to be exported.
Select the Key Attributes. The options are:
Encrypt, Decrypt, Sign
Verify, Wrap, Unwrap
Note
For EC keys, only Sign and Verify are available. For AES keys, Sign and Verify are not available.
Click Next. The Review and Add screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the SOURCE KEY and DESTINATION KEY sections becomes Complete and the Key ID links are displayed, the key is created successfully.
Click Close. The Add SAP Key wizard is closed.
The newly created key is displayed in the list of SAP keys.
Cloning CipherTrust (Local) Key Material
Clone and upload the local key material using the CipherTrust Manager to configure the source key.
Select Material Origin > Select Source
Select CipherTrust (Local).
Click Next. The Select CipherTrust Key screen is displayed.
Select CipherTrust (Local) Key
Select Key Type. The options are:
AES: Creates and uploads an AES key.
RSA: Creates and uploads an RSA key pair.
EC: Creates and uploads an EC key.
Select the Key Size / Elliptic Curve based on the key type.
Select the desired key from the Key Name drop-down list. This field shows the available local CipherTrust Manager keys.
Click Next. The Configure SAP Key screen is displayed.
Configure SAP Key
Enter a unique, user-friendly alias as the SAP Key Name. This will be the key name on SAP cloud. This name helps uniquely identify a SAP key. By default, the CipherTrust Key Name you specified on the previous screen is populated.
Select the desired SAP Group Name from the drop-down list. The drop-down shows the list of SAP groups added to the CCKM.
(Optional) Provide a basic Description for the key.
(Optional) Select Allow Key Export. Selecting this check box allows the key to be exported.
Select the Key Attributes. The options are:
Encrypt, Decrypt, Sign
Verify, Wrap, Unwrap
Note
For EC keys, only Sign and Verify are available. For AES keys, Sign and Verify are not available.
Click Next. The Review and Add screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the SOURCE KEY and DESTINATION KEY sections becomes Complete and the Key ID links are displayed, the key is created successfully.
Click Close. The Add SAP Key wizard is closed.
The newly created key is displayed in the list of SAP keys.
Cloning Vormetric DSM Key Material
Clone and upload the local key material using the Vormetric DSM to configure the source key.
Select Material Origin > Select Source
Select Vormetric DSM.
Click Next. The Select DSM Key screen is displayed.
Select DSM Key
Select Key Type. The options are:
AES: Creates and uploads an AES key.
RSA: Creates and uploads an RSA key pair.
Select the Key Size based on the key type.
Select the desired key from the DSM Key Name drop-down list. This field displays the available DSM keys.
Click Next. The Configure SAP Key screen is displayed.
Configure SAP Key
Enter a unique, user-friendly alias as the SAP Key Name. This will be the key name on SAP cloud. This name helps uniquely identify a SAP key. By default, the DSM Key Name you specified on the previous screen is populated.
Select the desired SAP Group Name from the drop-down list. The drop-down shows the list of SAP groups added to the CCKM.
(Optional) Provide a basic Description for the key.
(Optional) Select Allow Key Export. Selecting this check box allows the key to be exported.
Select the Key Attributes. The options are:
Encrypt, Decrypt, Sign
Verify, Wrap, Unwrap
Note
For AES keys, Sign and Verify are not available.
Click Next. The Review and Add screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the SOURCE KEY and DESTINATION KEY sections becomes Complete and the Key ID links are displayed, the key is created successfully.
Click Close. The Add SAP Key wizard is closed.
The newly created key is displayed in the list of SAP keys.
Cloning Luna HSM Key Material
Note
CCKM doesn't support FM-enabled Luna HSM as a key source.
Clone and upload the local key material using the Luna HSM to configure the source key.
Select Material Origin > Select Source
Select Luna HSM.
Click Next. The Select HSM Key screen is displayed.
Select HSM Key
Select Key Type. Select the available option RSA. It creates and uploads an RSA key pair.
Select the Key Size. For an RSA key, the options are 2048, 3072, and 4096.
Select the desired key from the HSM Key Name drop-down list. This field displays the available Luna HSM keys.
Click Next. The Configure SAP Key screen is displayed.
Configure SAP Key
Enter a unique, user-friendly alias as the SAP Key Name. This will be the key name on SAP cloud. This name helps uniquely identify a SAP key. By default, the HSM Key Name you specified on the previous screen is populated.
Select the desired SAP Group Name from the drop-down list. The drop-down shows the list of SAP groups added to the CCKM.
(Optional) Provide a basic Description for the key.
(Optional) Select Allow Key Export. Selecting this check box allows the key to be exported.
Select the Key Attributes. The options are:
Encrypt, Decrypt, Sign
Verify, Wrap, Unwrap
Click Next. The Review and Add screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the SOURCE KEY and DESTINATION KEY sections becomes Complete and the Key ID links are displayed, the key is created successfully.
Click Close. The Add SAP Key wizard is closed.
The newly created key is displayed in the list of SAP keys.
Viewing SAP Keys
The SAP Keys page shows the list of SAP cloud keys available on the CipherTrust Manager.
To view the SAP keys:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > SAP. The list of available SAP keys is displayed. The SAP Keys page displays the following details:
Field: Description
Key Name: Unique, user-friendly name of the SAP key. Click the link to view additional details of the key or edit the key. Refer to Viewing or Editing Details of SAP Keys. This name is useful in searching for specific keys.
Algorithm: Algorithm of the SAP key. AES, RSA, and EC algorithms with different key sizes and elliptic curves are supported.
Status: State of the SAP key. The status can be:
• Available
• Not Available
• Deleted
Key State: State of the SAP key. The status can be Enabled or Disabled.
Created By: Name of the user who created the key.
Note: SAP excludes the creator identifiable fields from the API responses for the technical users. If the connection to the SAP Data Custodian is established by a technical user, this field will be blank.
Version Count: Number of key versions.
Creation Date: Date and time when the SAP key is created.
Operations: Operations allowed using the SAP key.
Group: SAP group where the SAP key resides.
Version: Version of the key.
Origin: Source of the key material used for the version. The origin can be:
• CCKM: Key material is created on CCKM.
• Native: Key material is created on the cloud.
• External (Unknown): Source of the key material is unknown. It is different than CCKM and the native cloud.
Refer to Key Creation Methods and Sources for details.
Application: SAP application (for example, SAP S/4HANA Cloud) where the key is used.
Tenant: SAP tenant in which the key is created.
Allow Key Export: Whether the key export is allowed. The setting can be:
• Enabled: The key export is allowed.
• Disabled: The key export is not allowed.
The Operations, Group, Version, Origin, Application, Tenant, and Allow Key Export columns are hidden by default. To show/hide a column, click the custom view icon, select/clear the desired column, and click OK.
Refreshing SAP Keys
Refreshing is the process of downloading keys created in SAP groups to CCKM. You can refresh keys from all SAP groups at once.
To refresh all keys:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > SAP. The SAP Keys page is displayed. This page displays the list of SAP keys.
Click Refresh All. The This may take a while... message is displayed.
Note
Refresh all keys is a time intensive operation that could take several hours or days to complete. It will continue running in the background.
Click Refresh All to continue.
A message Refresh started... is displayed on the screen. To cancel the refresh, click Cancel Refresh.
The refreshed keys are listed on the Cloud Keys > SAP > SAP Keys page.
Viewing Versions of a Key
To view the versions of a key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > SAP.
Click the expand icon to the left of the desired key. The key versions are displayed.
Disabling a SAP Key
If required, you can disable an enabled key. A disabled key cannot operate on data. Disabling a key disables all versions of the key.
To disable a key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > SAP.
Click the overflow icon corresponding to the desired key.
Click Disable. The Disable Key dialog box is displayed.
Click Disable to confirm the action.
The state of the key changes to Disabled.
Enabling a SAP Key
If required, you can enable a disabled key. Enabling a key enables all versions of the key.
To enable a key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > SAP.
Click the overflow icon corresponding to the desired key.
Click Enable. The Enable Key dialog box is displayed.
Click Enable to confirm the action.
The state of the key changes to Enabled.
Adding a Key Version
CCKM provides two methods to add a new version to a key. Refer to Key Creation Methods and Sources for details on key creation methods and key sources.
To add a new key version:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > SAP.
Click the overflow icon corresponding to the desired key.
Click Add Version. The Add Version dialog box is displayed.
Select Method. The options are:
Create/Upload New Key Material: Refer to Adding Key Version by Creating/Uploading Key Material.
Clone Existing Key Material: Refer to Adding Key Version by Cloning Existing Key Material.
Adding Key Version by Creating New Key Material
Select Create/Upload New Key Material as the method.
Select Source. The options are:
CipherTrust (External): Select this option, select the Domain Name, and specify a Key Name for the new key version.
CipherTrust (Local): Select this option and specify a Key Name for the new key version.
SAP (Native): Select this option to create a new native SAP key.
Vormetric DSM: Select this option, specify a Key Name for the new key version, and select the DSM Domain.
Luna HSM: Select this option, select the Partition ID, select Key Attributes, and specify a Key Name for the new key version.
The key attributes Modifiable, Extractable, and Sensitive are selected for a BYOK Compatible key.
Click Add Version.
A new version is added to the key. The Version Count increases by one on the SAP Keys page.
Adding Key Version by Cloning Existing Key Material
Select Clone Existing Key Material as the method.
Select Source. The options are:
CipherTrust (External): Select this option and select a source key for the new key version.
CipherTrust (Local): Select this option and select a key source for the new key version.
Vormetric DSM: Select this option and select a key source for the new key version.
Luna HSM: Select this option and select a key source for the new key version.
Click Add Version.
A new version is added to the key. The Version Count increases by one on the SAP Keys page.
Deleting a SAP Key
If no longer required, you can delete a key. The delete operation deletes the key from SAP cloud.
Deleting a Non-Exportable Key
Deletion of a non-exportable key is irrecoverable. Because the key is not exportable, CCKM cannot back up this key, so it cannot be restored after deletion.
To delete a non-exportable key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > SAP.
Click the overflow icon corresponding to the desired key.
Click Delete. The Remove dialog box is displayed.
Warning
This will delete the key from SAP. This operation is not recoverable. Because the key is not exportable, CCKM is unable to backup this key, so it cannot be restored after deletion. Are you sure you want to delete the key?
Click Delete. The Delete Key dialog box is displayed. It shows the name of the key being deleted in bold.
This dialog box acts as a secondary confirmation so that you are aware of the consequences of the delete operation.
Type the name of the key to be deleted. When the typed key name matches the given key name, the Delete button is enabled.
Click Delete to confirm the deletion. To cancel the key deletion, click Cancel.
A message stating that delete key is in progress is displayed. After the key is deleted successfully, it is removed from the list of SAP keys.
Deleting an Exportable Key
When deleting an exportable key, you have the option to proceed with the key deletion even if the key backup fails. If you select this option, CCKM will automatically take a fresh backup of the key before deleting it. If the backup process fails, it will proceed with deleting the key anyway. This may mean the key cannot be restored to its current state.
To delete an exportable key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > SAP.
Click the overflow icon corresponding to the desired key.
Click Delete. The Delete Key dialog box is displayed.
(Optional) Select Delete even if backup fails.
Note
If you select this option, CCKM will automatically take a fresh backup of the key before deleting it. If the backup process fails, it will proceed with deleting the key anyway. This may mean the key cannot be restored to its current state.
Click Delete. The Delete Key dialog box is displayed. It shows the name of the key being deleted in bold.
This dialog box acts as a secondary confirmation so that you are aware of the consequences of the delete operation.
Type the name of the key to be deleted. When the typed key name matches the given key name, the Delete button is enabled.
Click Delete to confirm the deletion. To cancel the key deletion, click Cancel.
A message stating that delete key is in progress is displayed. After the key is deleted successfully, it is removed from the list of SAP keys.
Viewing or Editing Details of SAP Keys
After a key is created, you can update the key name and description, change exportability, and modify key attributes.
In the edit view of a key, you can view all the key details, such as its purpose, protection level, and location.
To view or edit an SAP key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > SAP. The list of available SAP keys is displayed.
Click the overflow icon corresponding to the desired key and click View/Edit. Alternatively, you can click the key name link. The edit view of the key is displayed. The edit view is divided into:
GENERAL INFO: View and update key name and its description (refer to Changing Key Details). Also, you can change the exportability of the key (refer to Changing Key Exportability) and key attributes (refer to Changing Key Attributes).
KEY SCHEDULE: Add, update, and disable a key rotation schedule. Refer to Adding or Changing Key Rotation Schedule and Disabling Key Rotation Schedule.
KEY VERSIONS: View details of key versions. Refer to Viewing Key Version Details.
Changing Key Details
To modify the key details:
Expand the GENERAL INFO section, if needed.
Update the SAP Key Name.
Add or update Description.
Click Update.
The key details are updated.
Changing Key Exportability
To change key exportability:
Expand the GENERAL INFO section, if needed.
Clear or select Allow Key Export.
Select the check box to allow the key export.
Clear the check box to prevent the key export.
When Allow Key Export is disabled, the CipherTrust Manager cannot back up the key.
Click Update.
The key exportability is changed.
Changing Key Attributes
To modify key attributes:
Expand the GENERAL INFO section.
Under Key Attributes, select or clear the desired attributes.
Click Update.
The key attributes are updated.
Adding or Changing Key Rotation Schedule
To add or update a key rotation schedule:
Expand the KEY SCHEDULE section.
From the Select Rotation Schedule drop-down list, select the desired schedule.
Select the Key Origin. The options are:
CipherTrust (External)
CipherTrust (Local)
Native
Luna: Also select the Luna HSM Partition.
DSM: Also select the DSM Domain.
Click Update.
The key rotation schedule is added/updated. The selected schedule is now assigned to the key. To view all the keys assigned to a schedule, refer to Viewing Keys Assigned to Schedules.
Disabling Key Rotation Schedule
To disable a key rotation schedule:
Expand the KEY SCHEDULE section.
Next to the Key Rotation Schedule drop-down list, click the close icon.
Auto key rotation is disabled.
Viewing Key Version Details
To view the details of key versions, expand the KEY VERSIONS section. The key version details are displayed:
Field | Description |
---|---|
Version | Version number of the key. |
Key State | State of the key version. The state can be enabled or disabled. |
Created By | User who created the key. |
Creation Date | Date and time when the SAP key is created. |
Operations | Operations allowed using the SAP key. |
Source Key | Source key for the version. |
Origin | Source of the key material. The origin of the key can be: • CCKM: Key material is created on CCKM. • Native: Key material is created on the cloud. • External (Unknown): Source of the key material is unknown. It is different from CCKM and the native cloud. |