Scheduling Operations
CCKM allows you to periodically refresh or rotate keys in the background. To refresh or rotate keys, you need to create a schedule configuration. A schedule configuration defines when a refresh or rotation job runs. You can use either the basic format or the cron format to specify the time at which the rotation or refresh job will run.
Specify basic format in the following order:
[Repeats, at]
Where,
Repeats: frequency of the scheduler. Possible values are daily, weekly, monthly, and yearly.
at: specific time at which the rotation or refresh operation will be performed. Possible values are the hours from 12:00 to 11:00, AM or PM, in UTC.
Specify cron format in the following order:
"* * * * *"
These five values indicate when the job should be executed. These values are mandatory and must be specified in order of minute, hour, day of month, month, and day of week.
The following table lists the accepted values:
Field | Allowed values | Allowed special characters |
---|---|---|
Minute | 0-59 | * / , - |
Hour | 0-23 | * / , - |
Day of month | 1-31 | * / , - ? |
Month | 1-12 or JAN-DEC | * / , - |
Day of week | 0-6 or SUN-SAT | * / , - ? |
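The two frequency formats above are easy to get subtly wrong (a backwards range, a `?` in the minute field, an hour outside 12-hour range). The following is an added example, not CCKM's own code, that validates a frequency in either format according to the table above and, for the cron format, computes the next time the job would fire in UTC. It goes beyond the page in one respect: it expands every field into the set of values it matches, so the same validator covers steps (`*/15`), ranges (`MON-FRI`) and lists (`JAN,JUL`). The `utc` helper and the test dates are constructed for the example.

```python
# Added example (not CCKM's own code): validate a schedule frequency in the two
# formats described above and compute when a cron-format schedule next fires.
from datetime import datetime, timedelta, timezone

MONTHS = ["JAN", "FEB", "MAR", "APR", "MAY", "JUN", "JUL", "AUG", "SEP", "OCT", "NOV", "DEC"]
DAYS = ["SUN", "MON", "TUE", "WED", "THU", "FRI", "SAT"]

# (name, low, high, symbolic names, '?' allowed), in field order, from the allowed-values table
FIELDS = [
    ("minute", 0, 59, None, False),
    ("hour", 0, 23, None, False),
    ("day of month", 1, 31, None, True),
    ("month", 1, 12, MONTHS, False),
    ("day of week", 0, 6, DAYS, True),
]

def utc(*args):
    """Build a UTC datetime from (year, month, day[, hour, minute]); constructed helper."""
    return datetime(*args, tzinfo=timezone.utc)

def _atom(text, low, high, names):
    """Turn one number or symbolic name (JAN, SUN, ...) into an int, enforcing the field's range."""
    if names and text.upper() in names:
        value = names.index(text.upper()) + low
    else:
        value = int(text)  # ValueError on anything that is not a number
    if not low <= value <= high:
        raise ValueError(f"{text!r} is outside {low}-{high}")
    return value

def parse_field(text, low, high, names=None, allow_question=False):
    """Expand one cron field using * / , - and ? into the set of integers it matches."""
    if text == "?":
        if not allow_question:
            raise ValueError("'?' is only allowed in day of month and day of week")
        return set(range(low, high + 1))
    values = set()
    for part in text.split(","):
        spec, _, step_text = part.partition("/")
        step = int(step_text) if step_text else 1
        if step < 1:
            raise ValueError(f"bad step in {part!r}")
        if spec == "*":
            start, end = low, high
        elif "-" in spec:
            first, last = spec.split("-", 1)
            start, end = _atom(first, low, high, names), _atom(last, low, high, names)
            if start > end:
                raise ValueError(f"range {spec!r} runs backwards")
        else:
            start = _atom(spec, low, high, names)
            end = high if step_text else start  # '5/20' means every 20 units starting at 5
        values.update(range(start, end + 1, step))
    return values

def parse_cron(expr):
    """Validate a five-field cron string; returns one allowed-value set per field."""
    parts = expr.strip().strip('"').split()
    if len(parts) != 5:
        raise ValueError("cron format needs exactly five fields: minute hour day-of-month month day-of-week")
    return [parse_field(p, low, high, names, q) for p, (_, low, high, names, q) in zip(parts, FIELDS)]

def is_valid_cron(expr):
    """UI-style check: True when parse_cron accepts the string."""
    try:
        parse_cron(expr)
        return True
    except ValueError:
        return False

def matches(sets, when):
    """True if the UTC datetime `when` satisfies every field (cron counts Sunday as 0, Python Monday as 0)."""
    minute, hour, dom, month, dow = sets
    return (when.minute in minute and when.hour in hour and when.day in dom
            and when.month in month and (when.weekday() + 1) % 7 in dow)

def next_run(expr, after):
    """First whole minute strictly after `after` (UTC) at which the cron schedule fires; scans one year."""
    sets = parse_cron(expr)
    t = after.replace(second=0, microsecond=0) + timedelta(minutes=1)
    for _ in range(366 * 24 * 60):
        if matches(sets, t):
            return t
        t += timedelta(minutes=1)
    raise ValueError(f"{expr!r} never fires within a year of {after.isoformat()}")

def parse_basic(repeats, at):
    """Validate the basic format [Repeats, at]; returns (repeats, hour, minute) as a 24-hour UTC time."""
    if repeats not in ("daily", "weekly", "monthly", "yearly"):
        raise ValueError("Repeats must be daily, weekly, monthly, or yearly")
    clock, _, meridiem = at.strip().upper().partition(" ")
    hour_text, _, minute_text = clock.partition(":")
    hour, minute = int(hour_text), int(minute_text or 0)
    if meridiem not in ("AM", "PM") or not 1 <= hour <= 12 or not 0 <= minute <= 59:
        raise ValueError("at must be a 12-hour clock time such as '11:00 PM' (UTC)")
    return repeats, hour % 12 + (12 if meridiem == "PM" else 0), minute

if __name__ == "__main__":
    now = utc(2024, 1, 1, 3, 0)  # constructed reference time
    print(next_run("0 2 * * *", now))         # daily at 02:00 UTC
    print(next_run("30 1 * * SUN", now))      # next Sunday at 01:30 UTC
    print(parse_basic("weekly", "11:00 PM"))  # ('weekly', 23, 0)
```

Running `next_run` against a proposed expression before saving a schedule is a cheap way to confirm that a rotation job will fire when the change window expects it, rather than discovering a mis-ordered field after the first run.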
Adding Key Rotation Schedule
A key rotation schedule replaces selected keys with new cryptographic keys at the specified time.
To add key rotation schedule:
Open the Cloud Key Manager application.
In the left pane, click Schedules. The list of available schedules is displayed.
Click Add Schedule. The Add New Schedule wizard is displayed.
Select Schedule Type as Key Rotation.
Click Next.
On the General Info screen, enter or select the following details:
Enter a unique Scheduler Name.
From the Cloud Name drop-down list, select AWS.
Add Description for the scheduler in a maximum of 250 characters.
Select Enable Schedule to enable the schedule.
Click Next.
Set the values on the Schedule Config screen.
You can schedule configuration for:
All Keys: Refer to Configuring Rotation Schedule for All Keys for details.
Only Expiring Keys: Refer to Configuring Rotation Schedule for Expiring Keys for details.
All Keys Based on Creation/Last Rotation Date: Refer to Configuring Rotation Schedule for All Keys Based on Creation or Last Rotation Date for details.
Configuring Rotation Schedule for All Keys
To configure rotation schedule for all keys:
Configure DURATION for the scheduler. Specify the following values:
Schedule Starts
Schedule Ends
If you select the Never check box, the scheduler configuration will never expire, and the Schedule Ends field becomes unavailable.
Configure FREQUENCY of the scheduler. The frequency determines how often the scheduler will rotate keys. Select either the Basic or the Raw (Cron) format to specify the value.
(Optional) Set the expiry of the new key that will be created through rotation. If not specified, the new key material never expires. For example, if you set the expiry time to 6 Hours, the key material of the new key will expire in 6 hours.
(Optional) Enable Rotate Key Material (Imported AES Keys).
Warning
Key material rotation is only available for imported symmetric AES single-region keys (BYOK). Other key types can be rotated by creating a new key and reassigning the alias.
Select Apply Gravestone Alias on Current Key to retain the key alias, with a timestamp, on the archived key after rotation. The format of the Gravestone alias is <current alias>-rotated-<timestamp>. The alias will only be applied to keys with an existing alias.
Click Save.
A message Schedule successfully created is displayed on the screen.
Configuring Rotation Schedule for Expiring Keys
To configure rotation schedule for expiring keys:
In the SELECTION section, select the keys to be rotated based on their expiry time. In the Only rotate keys within _ of material expiration field, select or enter the key expiry time. For example, if the value of Only rotate keys within _ of material expiration field is set to 4 Days, then the rotation schedule is created for all the keys that will expire in 4 days.
Configure DURATION for scheduler. Specify the following values:
Schedule Starts
Schedule Ends
If you select the Never check box, the scheduler configuration will never expire, and the Schedule Ends field becomes unavailable.
(Optional) Set the expiry of the new key that will be created through rotation. If not specified, the new key material never expires. For example, if you set the expiry time to 6 Hours, the key material of the new key will expire in 6 hours.
(Optional) Enable Rotate Key Material (Imported AES Keys).
Warning
Key material rotation is only available for imported symmetric AES single-region keys (BYOK). Other key types can be rotated by creating a new key and reassigning the alias.
Select Apply Gravestone Alias on Current Key to retain the key alias, with a timestamp, on the archived key after rotation. The format of the Gravestone alias is <current alias>-rotated-<timestamp>. The alias will only be applied to keys with an existing alias.
Click Save.
A message Schedule successfully created is displayed on the screen.
Configuring Rotation Schedule for All Keys Based on Creation or Last Rotation Date
To configure rotation schedule for all keys based on their creation or last rotation date:
In the SELECTION section, select the keys to be rotated based on their creation or last rotation date.
In the Only rotate keys after _ of creation/last rotation date field, select or enter the number of days, weeks, months, or years. For example, if the value of Only rotate keys after _ of creation/last rotation date field is set to 4 Days, then all the keys will rotate after 4 days of their creation or last rotation date. The default duration is 7 Days.
Configure DURATION for scheduler. Specify the following values:
Schedule Starts
Schedule Ends
If you select the Never check box, the scheduler configuration will never expire, and the Schedule Ends field becomes unavailable.
(Optional) Set the expiry of the new key that will be created through rotation. If not specified, the new key material never expires. For example, if you set the expiry time to 6 Hours, the key material of the new key will expire in 6 hours.
(Optional) Enable Rotate Key Material (Imported AES Keys).
Warning
Key material rotation is only available for imported symmetric AES single-region keys (BYOK). Other key types can be rotated by creating a new key and reassigning the alias.
Select Apply Gravestone Alias on Current Key to retain the key alias, with a timestamp, on the archived key after rotation. The format of the Gravestone alias is <current alias>-rotated-<timestamp>. The alias will only be applied to keys with an existing alias.
Click Save.
A message Schedule successfully created is displayed on the screen.
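The three selection modes above (all keys, only keys within a window of material expiry, only keys older than a window since creation or last rotation) decide which keys a run touches, and the gravestone option decides what the archived key is called afterwards. The following is an added example, not CCKM's own code, that models those rules over a small constructed key inventory so the effect of a given window can be checked before a schedule is enabled. The Key dataclass, the 30-day month and 365-day year approximations, the timestamp layout inside the gravestone alias, and the choice not to select already-expired keys are all assumptions of this example, not behaviour the page states.

```python
# Added example (not CCKM's own code): a model of which keys the three rotation
# selection modes above would pick, and the gravestone alias the archived key keeps.
# Window arithmetic for Months/Years and the timestamp format are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UNITS = {
    "Hours": timedelta(hours=1), "Days": timedelta(days=1), "Weeks": timedelta(weeks=1),
    "Months": timedelta(days=30), "Years": timedelta(days=365),  # calendar units approximated
}

@dataclass
class Key:
    key_id: str
    alias: Optional[str]                  # None when the key has no alias
    created: datetime
    last_rotated: Optional[datetime]      # None if the key has never been rotated
    material_expires: Optional[datetime]  # None means the key material never expires

def utc(*args):
    """Build a UTC datetime from (year, month, day[, hour, minute]); constructed helper."""
    return datetime(*args, tzinfo=timezone.utc)

def window(amount, unit):
    """Translate a UI value such as (4, 'Days') into a timedelta."""
    return amount * UNITS[unit]

def select_all(keys):
    """All Keys: every key in scope is rotated on each run."""
    return list(keys)

def select_expiring(keys, amount, unit, now):
    """Only Expiring Keys: keys whose material expires within the window from now
    (already-expired keys are not selected here; that choice is an assumption)."""
    deadline = now + window(amount, unit)
    return [k for k in keys if k.material_expires is not None and now <= k.material_expires <= deadline]

def select_by_age(keys, amount, unit, now):
    """All Keys Based on Creation/Last Rotation Date: keys whose last rotation
    (or creation, if never rotated) is at least the window in the past."""
    cutoff = now - window(amount, unit)
    return [k for k in keys if (k.last_rotated or k.created) <= cutoff]

def gravestone_alias(alias, when):
    """<current alias>-rotated-<timestamp>, applied only to keys that have an alias."""
    if alias is None:
        return None
    return f"{alias}-rotated-{when.strftime('%Y%m%dT%H%M%SZ')}"

def plan_rotation(keys, now, new_material_expiry=None):
    """Describe the effect of one run: the archived alias and the new material's expiry
    (None when the material never expires, which is the default)."""
    expires = None if new_material_expiry is None else now + window(*new_material_expiry)
    return [{"key_id": k.key_id, "archived_alias": gravestone_alias(k.alias, now),
             "new_material_expires": expires} for k in keys]

# Constructed inventory for demonstration
SAMPLE_KEYS = [
    Key("k-db", "app/db", utc(2024, 1, 1), None, utc(2024, 6, 3)),
    Key("k-unnamed", None, utc(2024, 5, 30), None, None),
    Key("k-cache", "app/cache", utc(2024, 1, 1), utc(2024, 5, 28), utc(2024, 7, 1)),
]
NOW = utc(2024, 6, 1)

if __name__ == "__main__":
    for k in select_expiring(SAMPLE_KEYS, 4, "Days", NOW):
        print("expiring within 4 days:", k.key_id)
    for k in select_by_age(SAMPLE_KEYS, 7, "Days", NOW):
        print("older than 7 days since creation/rotation:", k.key_id)
    for entry in plan_rotation(select_all(SAMPLE_KEYS), NOW, (6, "Hours")):
        print(entry)
```

Note that the unnamed key never receives a gravestone alias, matching the rule that the alias is only applied to keys that already have one; if your inventory relies on aliases to locate the previous key version, that is the case to watch.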
Adding Key Refresh Schedule
Note
With support for on-demand rotation of both native and imported BYOK keys, the refresh operation now takes longer than in previous releases. This is because detailed rotation information must be synchronized from AWS KMS to CCKM.
To add a key refresh schedule:
Open the Cloud Key Manager application.
In the left pane, click Schedules. The list of available schedules is displayed.
Click Add Schedule. The Add New Schedule wizard is displayed.
Select Schedule Type as Key Refresh.
Click Next.
On the General Info screen, enter or select the following details:
Enter a unique Scheduler Name.
Select AWS from the Cloud Name drop-down list.
Add Description for the scheduler in a maximum of 250 characters.
Select Enable Schedule to enable the schedule.
Click Next.
On the Schedule Config screen, enter or select the following details.
Configure Duration for the scheduler. Specify the following values:
Schedule Starts
Schedule Ends
If you select the Never check box, the scheduler configuration will never expire, and the Schedule Ends field becomes unavailable.
Configure Frequency of the scheduler. The frequency determines how often the refresh job runs. Select either Basic or Raw (Cron) format to specify the value.
Click Next.
On the Add Accounts screen:
Select the account name from the Refresh Keys from Selected Account(s) drop-down list.
Click + button.
Similarly, you can add more accounts.
Select the Refresh All Accounts option if you want to refresh all the existing accounts.
Click Save.
A message Schedule successfully created is displayed on the screen.
Automatic Cloud Key Discovery
A KMS container schedule automatically detects the KMS containers based on the AWS Cloud connection and adds them to the CipherTrust Cloud Key Manager.
Note
When adding a KMS container schedule, select a connection that has access to the management account of your AWS organization. The connection must have permissions to list all organizational units (OUs) and accounts within the organization.
Refer to configurations to discover all AWS accounts for details.
Adding a KMS container (vault or subscription) to CCKM consumes one CCKM license count.
To add a KMS container schedule:
Open the Cloud Key Manager application.
In the left pane, click Schedules. The list of available schedules is displayed.
Click Add Schedule. The Select Schedule Type screen of the Add New Schedule wizard is displayed.
Schedule Type
Select Schedule Type as Add KMS Container.
Click Next. The General Info screen is displayed.
General Info
Enter a unique Schedule Name.
Select AWS from the Cloud Name drop-down list.
(Optional) Add Description for the scheduler in a maximum of 250 characters.
(Optional) Select Enable Schedule to enable the schedule.
Select a job type from Define Job Type. The options are:
Discover Only: Lists all the discovered containers.
Discover and Add: Adds all the discovered containers to the CCKM.
(Optional) Enable Archive Accounts.
Click Next. The Connection screen is displayed.
Select a Connection.
Enter a Role.
(Optional) Enter an AWS Role External ID.
(Optional) Add the Filters.
Select a Name.
You can select only one of the following names: [Root] Arn, [Root] Id, [Root] Name, [Root] Tag, [OrganizationalUnit] Arn, [OrganizationalUnit] Id, [OrganizationalUnit] Name, [OrganizationalUnit] Tag, [Account] Arn, [Account] Email, [Account] Id, [Account] Name, and [Account] Tag.
Enter a Value.
Click + (plus).
Note
A name can have only one value.
You can add multiple filters.
Click Next. The Region & ACLs screen is displayed.
(Optional) In Select Regions section, add regions to the schedule.
Select the desired regions.
Click the right arrow. The selected regions move to the All Selected Regions list.
(Optional) In the ACCESS CONTROL section:
Click Keys, Certificates, Secrets, or Reports tab.
Click the All Keys, BYOK Keys, Native Keys, HYOK Keys, Cloud HSM Keys, Custom Key Store, or Reports tab.
Click Assign User/Group. The Assign User/Group dialog box is displayed.
Select the desired user or group from the User/Group drop-down list.
Click Save. The newly added user/group is displayed under Name in the ACCESS CONTROL section.
Grant the permissions to the user/group, as appropriate.
Granting additional permissions
To grant additional permissions, select the check box under the desired operation corresponding to the desired users or groups. You can grant the following permissions.
All Keys: Cancel Key Delete, Schedule Key Delete, Delete Material, Import Material, Rotate Key, Refresh Key, and Edit Key.
BYOK Keys: View Key and Add Key.
Native Keys: View Key and Add Key.
HYOK Keys: View Key, Add Key, Block/Unblock, Link Key, and Delete Key.
Cloud HSM Keys: View Key, Add Key, and Delete Key.
Custom Key Store: View, Add, Edit, Delete, Block, Unblock, Connect, Disconnect, and Link.
Reports: View Report, Add Report, Download Report, and Delete Report.
To remove a permission, clear the check box under the desired operation.
To remove a user or group:
Under Unassign, click X corresponding to the desired user/group. The Remove Group dialog box is displayed.
Click Remove.
Click Next. The Schedule Config screen is displayed.
Configure DURATION for the scheduler. Specify the schedule start and end time:
Schedule Starts: Specify time when the schedule starts.
Schedule Ends: Unavailable by default, that is, the scheduler never expires.
Never: Selected by default, that is, the scheduler configuration never expires.
To set an end time for the scheduler, clear the Never check box, and specify the Schedule Ends time.
Configure FREQUENCY of the scheduler. The frequency determines how often the discovery job runs. Select either Basic or Raw (Cron) format to specify the value.
Click Save.
A message Schedule successfully created is displayed on the screen. The newly created schedule is displayed in the schedules list.
After the schedule is run successfully, AWS KMS Accounts will be added to the CCKM. You can see them in the Vaults section of the AWS KMS Accounts page in the CCKM.
Adding Credential Rotation Schedule (AWS XKS only)
A credential rotation schedule automatically rotates the selected key store's credentials with new credentials. You can assign a credential rotation schedule to the credentials of a given external custom key store in CCKM. You must first create one or more rotation schedules for the key store's credentials. Thereafter, these schedules are made available in a list under Schedules on the details page of the given custom key store, from which you can assign one to the key store.
To add credential rotation schedule:
Open the Cloud Key Manager application.
In the left pane, click Schedules. The list of available schedules is displayed.
Click Add Schedule. The Add New Schedule wizard is displayed.
Select Schedule Type as Credential Rotation (AWS XKS only).
Click Next.
On the General Info screen, enter or select the following details:
Enter a unique Scheduler Name.
Add Description for the scheduler in a maximum of 250 characters.
Select Enable Schedule to enable the schedule.
Click Next.
On the Schedule Config screen, enter or select the following details.
Configure Duration for the scheduler. Specify the following values:
Schedule Starts
Schedule Ends
If you select the Never check box, the scheduler configuration will never expire, and the Schedule Ends field becomes unavailable.
Configure Frequency of the scheduler. The frequency determines how often the credential rotation job runs. Select either Basic or Raw (Cron) format to specify the value.
Click Save.
Viewing/Editing Schedules
To view/edit a schedule:
Open the Cloud Key Manager application.
In the left pane, click Schedules. The Schedules page displays the following details:
Field | Description |
---|---|
Name | Unique name of the scheduler configuration. |
Schedule Type | Type of the schedule. Possible types are: Key Rotation; Key Refresh; Add KMS Container (GCP, Azure, and AWS only); Credential Rotation (AWS XKS only). |
Cloud Name | Name of the cloud. Note: For the schedule type of Credential Rotation, only the AWS cloud is supported. |
Last Modified | Time when the schedule was last modified. |
Frequency | Frequency of the scheduler configuration. |
Start Date | Creation time of the scheduler configuration. |
End Date | Expiry time of the scheduler configuration. |
Status | Status of the scheduler configuration. Possible values are: Enabled; Disabled. |
Click the overflow icon corresponding to the desired schedule and click View/Edit.
Edit or configure the following fields:
Description.
Status of the scheduler configuration.
Connection settings, refer to Connection for details.
(Applicable to KMS container schedule) Regions and Access Control settings. Refer to Region & ACLs for details.
Scheduler configuration parameters, such as duration and frequency. Refer to Schedule Config for details on key rotation schedule fields.
Click Update to save the changes.
JOB HISTORY
The Schedules page also contains a section named JOB HISTORY. Every time a schedule is run, a Job is created.
This section displays information related to a job such as Run Date, Job ID, and Status.
To view the details of the job, click the Job ID link corresponding to the desired job. The Job details page is displayed. It shows the list of AWS Accounts along with their Health and Status.
The health can be:
Error: Failed to manage the KMS accounts.
Warning: KMS accounts managed partially.
Healthy: Successfully managed all the KMS accounts.
The status can be:
FailedToAccess: The KMS account cannot fetch AWS regions because it does not have access to them.
AlreadyManaged: Regions are already managed by a KMS container within the KMS account.
NewlyManaged: Regions are newly managed by a KMS container within the KMS account.
FailedToManage: Regions couldn't be managed by a KMS container within the KMS account.
NotManaged: None of the regions is managed by a KMS container within the KMS account.
Archived: All regions are archived by a KMS container within the KMS account.
Note
You can view the details of successfully completed jobs that belong to a KMS container schedule.
To download the reports of AWS Accounts, go to the top left of the Job details page, click Download, and select AWS Accounts from the drop-down menu.
Disabling Schedules
To disable a schedule configuration:
Open the Cloud Key Manager application.
In the left pane, click Schedules. The list of available schedules is displayed.
Click the overflow icon corresponding to the desired schedule and click Disable. The Disable Schedule message is displayed.
Click Disable Schedule.
A message Successfully disabled the schedule is displayed on the screen.
Enabling Schedules
To enable a schedule configuration:
Open the Cloud Key Manager application.
In the left pane, click Schedules. The list of available schedules is displayed.
Click the overflow icon corresponding to the desired schedule and click Enable. The Enable Schedule message is displayed.
Click Enable Schedule.
A message Successfully enabled the schedule is displayed on the screen.
Manually Running Schedules
To manually run a schedule:
Open the Cloud Key Manager application.
In the left pane, click Schedules. The list of available schedules is displayed.
Click the overflow icon corresponding to the desired schedule and click Run Now.
The Run Now schedule is started in the background. A message Schedule is running now. It will take a few seconds to finish. is displayed on the screen. After the schedule is run successfully, a message Successfully finished running the schedule is displayed.
Deleting Schedules
To delete a schedule:
Open the Cloud Key Manager application.
In the left pane, click Schedules. The list of available schedules is displayed.
Click the overflow icon corresponding to the desired schedule and click Delete Schedule. The Delete Schedule message is displayed.
Click Delete.
A message Successfully deleted schedule is displayed on the screen.