Your suggested change has been received. Thank you.

Suggest A Change

Please Note:

Reference
PFMigrate Utility
CCKM API
- Overview
- RESTful APIs
- AWS APIs
  - AWS Custom Key Store APIs
  - AWS KMS Management APIs
  - Key Life Cycle Management APIs
    - Creating AWS Keys on CCKM
    - Fetching List of AWS Keys
    - Viewing Details of AWS Keys
    - Deleting AWS Keys from CCKM
    - Downloading Keys Created on AWS to CCKM
    - Synchronizing AWS Keys
    - Viewing Synchronization Status
    - Aborting Synchronization Jobs
    - Viewing Details of Synchronization Jobs
    - Uploading Keys to AWS KMS
    - Importing Key Material to AWS KMS
    - Deleting Imported Key Material
    - Scheduling Key Deletion
    - Canceling Deletion of Keys
    - Updating Key Policy
    - Updating Key Description
    - Enabling AWS Keys
    - Disabling AWS Keys
    - Adding Tags to AWS Keys
    - Removing Tags from AWS Keys
    - Adding Alias to AWS Keys
    - Deleting Alias from AWS Keys
    - Verifying Alias on AWS KMS
    - Enabling Key for Rotation Job
    - Disabling Key for Rotation Job
    - Enabling Automatic Key Rotation
    - Disabling Automatic Key Rotation
    - Rotating Keys on AWS KMS
    - Replicating Multi-Region AWS Keys
    - Changing the Primary Key of a Multi-Region AWS Key
    - Creating a Bulk Job
    - Viewing the List of Bulk Jobs
    - Viewing Details of a Bulk Job
    - Canceling a Bulk Job
  - Policy Template Management APIs
  - AWS Reports APIs
  - Response Parameters of AWS KMS Management APIs
  - Response Parameters of Key Life Cycle Management APIs
- Azure APIs
  - Subscription APIs
  - Vault Management APIs
  - Key Life Cycle Management APIs
    - Creating Azure Keys
    - Fetching List of Azure Keys
    - Viewing Details of Azure Keys
    - Updating Key Parameters
    - Deleting Keys from CCKM
    - Refreshing an Azure Key
    - Soft-Deleting Azure Keys
    - Purging Azure Keys
    - Uploading Keys to Azure Key Vault
    - Downloading Keys Created on Azure Vault to CCKM
    - Synchronizing Azure Keys
    - Viewing Synchronization Status
    - Viewing Details of Synchronization Jobs
    - Aborting Synchronization Jobs
    - Enabling Key for Rotation Job
    - Disabling Key for Rotation Job
    - Enabling Key for Backup Job
    - Disabling Key for Backup Job
    - Restoring an Azure Key
    - Creating Azure Cloud Key Backups
    - Fetching List of Azure Cloud Key Backups
    - Viewing Details of Azure Cloud Key Backups
    - Updating the Azure Cloud Key Backups
    - Deleting the Azure Cloud Key Backups
  - Azure Secrets Management APIs
    - Creating Azure Secrets
    - Fetching List of Azure Secrets
    - Viewing Details of Azure Secrets
    - Updating Attributes of Azure Secrets
    - Deleting Azure Secrets with Backup from CCKM
    - Soft-Deleting Azure Secrets
    - Recovering Soft-Deleted Azure Secrets
    - Purging Azure Secrets
    - Restoring Deleted Azure Secrets
    - Synchronizing Azure Secrets
    - Viewing Synchronization Status
    - Viewing Details of Synchronization Jobs
    - Canceling Synchronization Jobs
  - Azure Certificates Management APIs
    - Creating Azure Certificates
    - Fetching List of Azure Certificates
    - Viewing Details of Azure Certificates
    - Updating Attributes of Azure Certificates
    - Deleting Azure Certificates with Backup from CCKM
    - Soft-Deleting Azure Certificates
    - Recovering Soft-Deleted Azure Certificates
    - Purging Azure Certificates
    - Restoring Deleted Azure Certificates
    - Synchronizing Azure Certificates
    - Viewing Synchronization Status
    - Viewing Details of Synchronization Jobs
    - Canceling Synchronization Jobs
    - Importing Azure Certificates
  - Disaster Management APIs
  - Azure Reports APIs
  - Azure Bulk Job Management APIs
    - Creating Azure Bulk Job
    - Fetching List of Azure Bulk Jobs
    - Viewing Details of an Azure Bulk Job
    - Canceling an Azure Bulk Job
  - Response Parameters of Azure Vault Management APIs
  - Response Parameters of Key Life Cycle Management APIs
- Luna HSM APIs
  - Luna HSM Partition APIs
  - Luna HSM Key APIs
- DSM APIs
  - DSM Domain APIs
    - Getting DSM Domains
    - Adding DSM Domains
    - Viewing DSM Domains
    - Viewing Details of a DSM Domain
    - Changing Connection of a DSM Domain
    - Deleting a DSM Domain
    - Granting Permissions to Users or Groups
  - DSM Key APIs
    - Creating a DSM Key
    - Viewing DSM Keys
    - Getting Details of a DSM Key
    - Deleting a DSM Key from CCKM
    - Deleting a Key from DSM
    - Refreshing DSM Domains
    - Getting Refresh Status of DSM Domains
    - Getting Details of a Domain Refresh
    - Canceling a Domain Refresh
- Google Cloud APIs
  - Google Cloud Project APIs
    - Fetching a Project from Google Cloud
    - Viewing Google Cloud Projects
    - Adding Google Cloud Projects
    - Viewing Details of a Google Cloud Project
    - Granting Permissions to Users or Groups in a Google Cloud Project
    - Deleting a Google Cloud Project
    - Updating a Google Cloud Project
  - Google Cloud Key Ring APIs
    - Getting Google Cloud Key Rings
    - Adding Google Cloud Key Rings
    - Listing Google Cloud Key Rings
    - Viewing Details of a Google Cloud Key Ring
    - Updating a Google Cloud Key Ring
    - Granting Permissions to Users or Groups
    - Deleting Google Cloud Key Rings
  - Google Cloud Key APIs
    - Creating a Google Cloud Key
    - Viewing Google Cloud Keys
    - Getting Details of a Google Cloud Key
    - Updating a Google Cloud Key
    - Viewing Versions of a Google Cloud Key
    - Adding a Version to a Google Cloud Key
    - Viewing Details of a Google Cloud Key Version
    - Refreshing Details of a Google Cloud Key Version
    - Refreshing Details of Google Cloud Key and All Its Versions
    - Updating All Versions of a Google Cloud Key
    - Viewing Details of an Update All Versions Operation
    - Enabling a Version of a Google Cloud Key
    - Disabling a Version of a Google Cloud Key
    - Scheduling Destruction of a Google Cloud Key Version
    - Canceling Scheduled Destruction of a Google Cloud Key Version
    - Re-importing a Google Cloud Key Version
    - Downloading Public Key for an Asymmetric Version
    - Uploading a New Key to Google Cloud
    - Synchronizing Google Cloud Keys
    - Viewing Synchronization Status
    - Viewing Details of a Synchronization Job
    - Canceling a Synchronization Job
    - Enabling Auto Rotation of Google Cloud Keys
    - Disabling Auto Rotation of Google Cloud Keys
    - Viewing the IAM Policy Attached to a Key
    - Attaching an IAM Policy to a Key
    - Viewing the IAM Roles
  - Google Cloud Location API
  - Google Cloud Report APIs
- Google Cloud EKM APIs
- Microsoft DKE APIs
  - Creating DKE Endpoints
  - Fetching List of DKE Endpoints
  - Viewing Details of a DKE Endpoint
  - Updating a DKE Endpoint
  - Deleting a DKE Endpoint
  - Rotating a DKE Endpoint
  - Enabling DKE Endpoint
  - Disabling DKE Endpoint
  - Enabling Key-Rotation Schedule for DKE Endpoint
  - Disabling Key-Rotation Schedule for DKE Endpoint
  - Archiving a DKE Endpoint
  - Recovering a DKE Endpoint
  - Creating DKE Authorized Tenants
  - Viewing Details of a DKE Authorized Tenant
  - Fetching List of DKE Authorized Tenants
  - Updating a DKE Authorized Tenant
  - Deleting a DKE Authorized Tenant
  - Fetching List of DKE Roles
- SAP APIs
  - SAP Applications API
  - SAP Groups APIs
    - Fetching List of Groups from SAP
    - Managing Permissions on SAP Users or Groups
    - Adding SAP Groups
    - Viewing SAP Groups Added to CipherTrust Manager
    - Viewing Details of SAP Groups
    - Updating Connection of SAP Groups
    - Deleting a SAP Group
    - Fetching the Group Service Connectability Parameters from SAP
  - SAP Keys APIs
    - Creating SAP Key
    - Fetching SAP Keys
    - Getting Details of a SAP Key
    - Updating SAP Key Attributes
    - Deleting a SAP Key Backup from CCKM
    - Deleting a Key from SAP
    - Deleting a SAP Key
    - Adding SAP Key Version
    - Viewing SAP Key Versions
    - Getting Details of a SAP Key Version
    - Synchronizing SAP Keys
    - Updating a SAP Key Version
    - Viewing Synchronization Status
    - Viewing the Job Status
    - Creating New Jobs
    - Uploading Keys to SAP
    - Viewing Synchronization Process Details
    - Canceling Synchronization
    - Enabling Auto Rotation of SAP Keys
    - Disabling Auto Rotation of SAP Keys
    - Creating a Dynamic Key Reference (DKR)
    - Viewing the List of DKRs
    - Getting Details of a DKR
    - Updating Details of a DKR
    - Deleting a DKR from CCKM
    - Deleting a DKR from SAP
  - SAP Reports APIs
- Salesforce APIs
  - Salesforce Organization APIs
    - Getting Salesforce Organizations
    - Adding Salesforce Organizations
    - Listing Salesforce Organizations
    - Viewing Details of a Salesforce Organization
    - Updating a Salesforce Organization
    - Granting Permissions to Users or Groups
    - Deleting Salesforce Organizations
  - Salesforce Tenant Secret APIs
    - Creating a Salesforce Tenant Secret
    - Viewing Salesforce Tenant Secrets
    - Getting Details of a Salesforce Tenant Secret
    - Destroying a Salesforce Tenant Secret
    - Synchronizing Tenant Secrets
    - Importing a Tenant Secret
    - Viewing Synchronizing Status
    - Viewing Details of a Synchronization Job
    - Canceling a Synchronization Job
    - Uploading Salesforce Tenant Secrets
    - Deleting Backup of a Salesforce Tenant Secret
    - Activate a Cache-Only Key
    - Fetching a Salesforce Cache-Only Key for a Given Identifier
    - Updating a Salesforce Cache-Only Key
    - Uploading a Salesforce Cache-Only Key
  - Salesforce Issuer APIs
    - Creating a Salesforce Issuer
    - Deleting a Salesforce Issuer
    - Viewing Salesforce Issuers
    - Viewing Details of a Salesforce Issuer
    - Updating a Salesforce Issuer
  - Salesforce Reports APIs
  - Salesforce Cache Only Key Endpoints APIs
  - Salesforce Cloud Certificates APIs
  - Salesforce Named Credentials APIs
- Oracle Cloud APIs
  - OCI Vaults APIs
    - Fetching List of OCI Vaults from Oracle
    - Adding OCI Vaults
    - Viewing OCI Vaults Added to CipherTrust Manager
    - Viewing Details of OCI Vaults
    - Managing Permissions on OCI Users or Groups
    - Deleting OCI Vaults
    - Updating Connection of OCI Vaults
  - OCI Keys APIs
    - Creating OCI Keys
    - Fetching OCI Keys
    - Getting Details of an OCI Key
    - Updating OCI Key Attributes
    - Deleting an OCI Key
    - Canceling Deletion of an OCI Key
    - Deleting an OCI Key Backup from CCKM
    - Restoring a Deleted OCI Key
    - Scheduling Deletion of an OCI Key
    - Adding OCI Key Version
    - Viewing OCI Key Versions
    - Getting Details of an OCI Key Version
    - Scheduling Deletion of an OCI Key Version
    - Canceling Scheduled Deletion of an OCI Key Version
    - Uploading Keys to OCI
    - Synchronizing OCI Keys
    - Viewing Synchronization Status
    - Viewing Synchronization Process Details
    - Canceling Synchronization
    - Changing the Compartment of an OCI Key
    - Disabling an OCI Key
    - Enabling an OCI Key
    - Refreshing an OCI Key
    - Enabling Auto Rotation of OCI Keys
    - Disabling Auto Rotation of OCI Keys
  - OCI Subscribed Regions API
  - OCI Compartments API
  - OCI Reports APIs
- OCI External APIs
  - Issuers APIs
    - Creating an Issuer
    - Returning a List of Issuers
    - Viewing Details of an Issuer
    - Updating Issuers
    - Deleting Issuers
  - External Vaults APIs
    - Creating an External vault
    - Blocking Access to External Vaults
    - Unblocking Access to External vaults
  - External Keys APIs
    - Creating an External Key
    - Blocking Access to External keys
    - Unblocking Access to External keys
  - OCI Invoked APIs
    - Fetching the Metadata of External Vaults
    - Fetching the Metadata of External Keys
    - Fetching the Metadata of a Version of External Keys
    - Encrypting Data Using External Keys
    - Decrypting Data Using External Keys
    - Generating Random Bytes
- CipherTrust Manager as External Keystore APIs
  - External CipherTrust Manager Domain APIs
    - Getting external CipherTrust Manager Domains
    - Adding External CipherTrust Manager Domains
    - Viewing External CipherTrust Manager Domains
    - Viewing Details of an External CipherTrust Manager Domain
    - Changing Connection of an External CipherTrust Manager Domain
    - Deleting an External CipherTrust Manager Domain
    - Granting Permissions to Users or Groups
  - External CipherTrust Manager Key APIs
    - Creating an External CipherTrust Manager Key
    - Viewing External CipherTrust Manager Keys
    - Getting Details of an External CipherTrust Manager Key
    - Deleting an External CipherTrust Manager Key from CCKM
    - Deleting a Key from External CipherTrust Manager
    - Creating a New Version of External CipherTrust Manager Key
    - Viewing External CipherTrust Manager Key Versions
    - Refreshing External CipherTrust Manager Domains
    - Getting Refresh Status of External CipherTrust Manager Domains
    - Getting Details of a Domain Refresh
    - Canceling a Domain Refresh
- Key Material Export and Upload
- Scheduler APIs
  - Scheduling Synchronization
  - Scheduling Key Rotation
  - Scheduling Key Rotation and Auto Rotation of Credentials
  - Automatic Cloud Key Discovery
  - CCKM Key Backup
  - Response Parameters
- Google Workspace CSE APIs
  - Creating an Issuer
  - Viewing Issuers
  - Viewing Details of an Issuer
  - Deleting an Issuer
  - Creating KACLS Endpoints
  - Viewing KACLS Endpoints
  - Viewing Details of a KACLS Endpoint
  - Updating a KACLS Endpoint
  - Disabling a KACLS Endpoint
  - Enabling a KACLS Endpoint
  - Archiving a KACLS Endpoint
  - Recovering a KACLS Endpoint
  - Deleting a KACLS Endpoint
  - Rotating Endpoint Keys (rotate-key)
  - Viewing KACLS Endpoint Perimeters
  - Updating a KACLS Endpoint Perimeter
  - Encrypting Private Keys (wrapprivatekey)
  - Viewing KACLS Endpoint Rewrap Configuration
  - Updating a Rewrap Configuration
  - Viewing KACLS Endpoint Privileged-Unwrap Configuration
  - Updating a KACLS Endpoint Privileged-Unwrap Configuration
  - Google Invoked APIs
    - Encrypting Data Encryption Keys (wrap)
    - Decrypting Data Encryption Keys (unwrap)
    - Decrypting and Downloading Document (privilegedunwrap)
    - Viewing the KACLS Endpoint Status
    - Signing Private Keys (privatekeysign)
    - Decrypting Content Encryption Keys (privatekeydecrypt)
    - Decrypting and Downloading Gmail Message (privilegedprivatekeydecrypt)
    - Listing KACLS Public JWKS
    - Migrating from an Old KACLS to a New KACLS
    - Validating the Resource Key Hash
    - Publishing Public JSON Web Key Set (JWKS) at /Certs
    - Decrypting Data in a Privileged Context
- Settings APIs
  - Updating CCKM Settings
  - Fetching CCKM Settings
  - Updating the Azure Key Expiry Notification Settings
  - Fetching the Azure Key Expiry Notification Settings
  - Updating the AWS Key Expiry Notification Settings
  - Updating the AWS Key Expiry Notification Settings
DDC Architecture Guidelines
DDC GLASS Reference
DDC ELK Reference
KMIP Reference
Server Audit Record Reference
- KMIP Errors
- Key Errors
- Certificate Errors
- SNMP Errors
- SMTP Errors
- LDAP Errors
- Authentication Errors
- NAE Errors
- Clustering Errors
- HSM Errors
- Backup and Restore Errors
- General Errors
tcpdump utility
NAE-XML Interface Development
- Starting an XML Session
- NAE Client Registration
- User Requests
- User Group Requests
- Key Management Operations
- Importing, Exporting, and Replicating Keys
- Secret Management Operations
- Certificate and CA Requests
- Cryptographic Operations
- Logging
- Error Messages
- Supported Key Algorithms
- Differences Between Key Managers

Migrating from an Old KACLS to a New KACLS

Use the POST /v1/cckm/GoogleWorkspaceCSE/endpoints/{id}/rewrap API to migrate from an old KACLS (KACLS1) to a new KACLS (KACLS2). It takes a DEK wrapped with KACLS1’s wrap API and returns a DEK wrapped with KACLS2’s wrap API.

Request Parameters

Parameter	Type	Description
original_kacls_url	string	URL of the current wrapped_key's KACLS.
authorization	string	A JWT issued by the Google service account for this rewrap request.
reason	string	Additional information about the operation.
wrapped_key	string	The base64 binary object returned by the `wrap` call.

Example Request

{   
    original_kacls_url: <Old Endpoint URL>,
    authorization: <Authz-JWT>,
    reason: "",
    wrapped_key: "eyJ3cmFwcGVkX2tleSI6IkozSnZCTEdVOFlWeWlocGpsWXpyd..."
}

Example Response

{
    wrapped_key: "eyJ3cmFwcGVkX2tleSI6IkozSnZCTEdVOFlWeWlocGpsWXpyd...",
    resource_key_hash: "SXOyPekBAUI95zuZSuJzsBlK4nO5SuJK4nNCPem5SuI="
}

Response Codes

Response Code	Description
2xx	Success
4xx	Client errors

Refer to HTTP status codes for details.