Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CTE-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Widows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

CCKM API

SAP HYOK APIs

search

Please Note:

printsuggest an edit

SAP HYOK APIs

Caution

This feature is a technical preview for evaluation in non-production environments. A technical preview introduces new, limited functionality for customer feedback as we work on the feature. Details and functionality are subject to change. We cannot guarantee that data created as part of a technical preview will be retained after the feature is finalized.

SAP Data Custodian KMS supports a customer-managed keystore that allows you to create HYOK keys residing in your external key manager. You manage the full lifecycle of HYOK keys within your external key manager. SAP Data Custodian KMS does not have any control over these keys.

Your external key manager handles crypto operations within its secure enclave, using a network endpoint. SAP KMS forwards these requests to your external key manager, where the key material remains protected.

copy link to clipboardPrerequisites

Before integrating CipherTrust Manager as your external key manager:

  1. Ensure that CipherTrust Manager is up and running. Activate and install the CCKM license. Refer to the CipherTrust Manager Deployment Guide and Licensing for details.

  2. Ensure CipherTrust Manager has a valid hostname and a trusted third-party CA certificate installed on its web interface.

  3. Add the SAP Cloud Root CA as both an external CA and an external trusted CA on CipherTrust Manager:

    1. Download the SAP Cloud Root CA.crt file from the Download section of the SAP Trust Center Services page.

    2. Rename the extension of the file from CRT to PEM.

    3. Add the SAP Cloud Root CA.pem file as an external CA on CipherTrust Manager. Refer to Add an external CA.

    4. Add the SAP Cloud Root CA.pem file as an external trusted CA on CipherTrust Manager. Refer to Add an external trusted CA.

copy link to clipboardManaging the SAP HYOK APIs

Tip

The mandatory API request parameters are written in bold.

On this page