Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

Getting Started
Administration
Reference
Release Notes

All

All

CCKM Administration

SAP Resources

Please Note:

Administration
CipherTrust Manager Administration
- Password Policy
- Users
- Certificate Based Authentication
- Changing Passwords
- Domain Management
- Groups
- LDAP Group Mapping
- Services
- Hardware Security Module
- Clusters and Nodes
- CipherTrust Manager System Monitoring
  - Records
  - Alarms
  - Syslogs
  - Debug Logs
  - Log Forwarding
  - Prometheus Metrics Endpoint
- Tokens
- Policies
- Banners
- Interfaces
- Proxy Configuration
- Quorums
- SNMP
- SMTP
- Backups
- Scheduling Backups
- Disk Encryption After Initial Deployment
- Scheduler
- Connection Manager
  - Connections
  - Amazon Web Services (AWS)
  - Microsoft Azure
  - Salesforce
  - SAP Data Custodian
  - Oracle Cloud Infrastructure (OCI)
  - Google Cloud Platform (GCP)
  - Hadoop Knox
  - Luna Network HSM
  - Server Message Block (SMB)
  - DSM Connection
  - Secure Copy Protocol (SCP)
- System Upgrade/Downgrade
- Client Management
- Configuring DNS Hosts
- CLI Toolkit
  - CLI Toolkit Installation
  - Batching Commands with Tokens
  - Example CLI User Set Up
  - Support CLI
- Keys
- Key Rotation
- Crypto Operations
- MKEK Rotation
- Certificate Authority
- Data Protection
  - Protection Profiles
  - BDT Policies
  - BDT Containers
- REST API
- Integrating Logging with Splunk App
- Return Material Authorization (RMA) Guidance
Application Data Protection Administration
- Overview
- Interfaces
- Managing Applications
  - Defining Applications
  - Modifying Applications
  - Deleting Applications
  - Viewing Application Details
  - Viewing Registration Token
  - DPG Policies
- Managing Character Sets
  - Creating Character Sets
  - Modifying Character Sets
  - Deleting Character Sets
- Managing Protection Policy
  - Viewing protection policy
  - Creating protection policy
  - Modifying protection policy
  - Deleting protection policy
- Single Pane of Glass
- Heartbeat Configuration
- Frequently Asked Questions
CCKM Administration
- Overview
- Interfaces
- AWS Resources
  - Managing AWS Accounts
  - Managing AWS Keys
  - Scheduling Operations
  - Managing AWS Reports
- Azure Resources
  - Prerequisites
    - Prerequisites for Azure Cloud
    - Prerequisites for Azure Stack Cloud with Azure AD
    - Prerequisites for Azure Stack Cloud with Azure ADFS
  - Managing Azure Vaults
  - Managing Azure Keys
  - Scheduling Operations
  - Managing Azure Reports
  - Viewing Azure Subscriptions
  - Performance Summary
- Luna HSM Resources
  - Managing Luna HSM Partitions
  - Managing Luna HSM Keys
  - Scheduling Operations
- DSM Resources
  - Managing DSM Domains
  - Managing DSM Keys
  - Scheduling Operations
- Google Cloud Resources
  - Google Cloud Projects
  - Google Cloud Key Rings
  - Google Cloud Keys
  - Google Cloud Reports
  - Scheduling Operations
- Google Cloud External Key Manager Resources
  - Managing Google EKM Endpoints
  - Managing Google EKM Endpoint Policies
  - Google EKM Performance Summary
- Google Workspace CSE Resources
  - Access Policies
  - High Level Architecture
  - Licensing
  - Prerequisites
  - Clustering for Google Workspace
  - Encrypting Data Encryption Keys
  - Decrypting Data Encryption Keys
  - Endpoints
  - Identity Providers
  - Records
  - Related APIs
    - Creating an Issuer
    - Viewing Issuers
    - Viewing Details of an Issuer
    - Deleting an Issuer
    - Creating KACLS Endpoints
    - Viewing KACLS Endpoints
    - Viewing Details of a KACLS Endpoint
    - Updating a KACLS Endpoint
    - Disabling a KACLS Endpoint
    - Enabling a KACLS Endpoint
    - Archiving a KACLS Endpoint
    - Recovering a KACLS Endpoint
    - Deleting a KACLS Endpoint
    - Encrypting Data Encryption Keys (wrap)
    - Rotating Endpoint Keys (rotate-key)
    - Decrypting Data Encryption Keys (unwrap)
    - Decrypting and Downloading Document (privileged_unwrap)
    - Viewing KACLS Endpoint Perimeters
    - Updating a KACLS Endpoint Perimeter
    - Viewing the KACLS Endpoint Status
  - Performance Summary
    - Google Calendar
    - Google Drive
    - Google Meet
- Salesforce Resources
  - Managing Salesforce Organizations
  - Managing Salesforce Tenant Secrets
  - Scheduling Operations
  - Managing Salesforce Reports
  - Managing Salesforce Cache-Only Key Endpoints
- SAP Resources
  - Managing SAP Groups
  - Managing SAP Keys
  - Scheduling Operations
  - Managing SAP Reports
  - Viewing Linked SAP Applications
- Oracle Cloud Resources
- Migrate from CCKM Appliance
CDP Administration
- Interfaces
- Concepts
- Configuring Oracle Databases
- Configuring DB2 Databases
- Configuring SQL Server Databases
- Configuring Teradata Databases
- Troubleshooting
CipherTrust Intelligent Protection
- Overview
- Configuration
- Concepts
- Scans
- Reports
- CTE Policies
- File Operations with CIP
- Backup and Restore
- Troubleshooting
CTE UserSpace Administration
- Interfaces
- Client Profiles
- Clients
- Access
- Keys
- Rules
- Client-Rule Associations
- Network Shares
- Clusters
- Making loginuid Immutable
- Operations
CTE Administration
- Overview
- Interfaces
- Concepts
- Data Transformation
- Managing Profiles
- Managing Clients
  - Enabling Live Data Transformation
  - Setting Client Locks
  - Client Settings
  - CTE Linux Authentication and Client Settings
  - Changing Client Password
  - Managing Membership
  - Deleting Clients
  - Kernel Compatibility Matrix
- Managing LDT Communication Groups
- Managing Client Groups
- Managing Signature Sets
- Managing Policies
  - Creating Policy Elements
  - Viewing Policy Elements
  - Creating Policies
  - Modifying Policies and Rules
- Managing GuardPoints
  - Secure Start GuardPoints
  - Considerations Before Creating GuardPoints
  - Creating GuardPoints
    - Creating Standard GuardPoints
    - Creating LDT GuardPoints
    - Creating Cloud Object Storage GuardPoints
    - Creating IDT GuardPoints
    - Creating GuardPoints for Efficient Storage Devices
  - Enabling Secure Start for GuardPoints
  - Protecting Teradata Appliances
  - Automatic and Manual GuardPoints
  - Viewing GuardPoints
  - Viewing GuardPoint Status
  - Changing SMB Connection
  - Removing GuardPoints
  - Disabling GuardPoints
  - Enabling GuardPoints
- Managing Kubernetes Storage Groups and Clients
  - Managing Kubernetes Storage Groups
  - Managing Kubernetes Clients
  - Protecting Kubernetes Clients
- Operations
- Common Scenarios
- Reports
  - Clients Health Report
  - Clients Keys Report
  - Clients Profiles Report
  - Clients Policies Report
  - Policies Keys Report
  - GuardPoints Report
  - Clients GuardPoint Status Report
- Backup and Restore
- Troubleshooting
- Integrating CTE Logging with Splunk
- Migrating CTE Configuration from Data Security Manager
- Migration Summary
- Communication with CipherTrust Manager
- Permissions
- API Examples
  - Creating Keys
  - Creating Policy Elements
  - Creating Policies
  - LDT Use Cases
  - Creating GuardPoints
- API Response Codes
DDC Administration
- Solution Architecture
- Interfaces
- Concepts
- User Groups
- Managing Branch Locations
- Managing Information Types
- Managing Classification Profiles
- Managing Data Stores
- Local Data Stores
- Network Data Stores
- Database Data Stores
- Big Data Data Stores
- Cloud Data Stores
- Server Data Stores
- Managing Scans
- Managing Reports
- Managing Agents
- Logging
- Operations
- Troubleshooting
- Appendix
- Deployment Security
ProtectFile Administration
- Interfaces
- Client Profiles
- Clients
- Access
- Keys
- Rules
- Client-Rule Associations
- Network Shares
- Clusters
- Operations
- Migration from KeySecure Classic to CipherTrust Manager
- Migrating ProtectFile to CipherTrust Transparent Encryption
ProtectV Administration
- Interfaces
- Concepts
- Operations
- Managing Images
- Managing Instances
- Viewing Encryption Keys
- Configuring a Keystore
- Configuring Key Management Settings
- Configuring Global Autoscaling
- Using Proxy with ProtectV Clients

CipherTrust Manager
Administration
CCKM Administration
SAP Resources

SAP Resources

CCKM supports the SAP Data Custodian cloud.

Prerequisites

Before you can manage SAP resources on CCKM:

Get a Service Admin User Account
Create a User in ISM
Add the User to Key Management Service
Create a New Group
Add SAP Connection on CipherTrust Manager

Click each link to view details.

Get a Service Admin User Account

Get a Service Admin user account from SAP. You will be provided service account credentials (a Data Custodian URL, tenant, and username.) These are required to access the Data Custodian system.

To log on to the SAP cloud as the Service Admin:

Open the URL for your SAP Data Custodian environment.
Enter your tenant name.
Click Continue.
Enter your Username and Password.
Click Login.

Next, you need to add a new user to Data Custodian's Identity Service Management (ISM). New Data Custodian users must be added to ISM before they can be added to the Key Management Service.

Create a User in ISM

Add a user to Data Custodian's Identity Service Management (ISM). SAP Data Custodian users with an administrator role in ISM can create new users and edit service roles.

To add a user in ISM:

Log on to the SAP cloud as the Service Admin.
Navigate to Tenant Management > Users.
Click Create.
Enter the user's First Name and Last Name.
Enter the user's Email Address.
Select optional ISM administrator Roles to assign to the user.
Select an optional Active Time Range for the user.
1. Active From: Allows you to activate the user at a specific time.
2. Active To: Allows you to deactivate the user at a specific time.
Click Review. Verify the user details. Click Edit to make changes, if required.
Click Create.

The user is created. Next, you need to add this user to the Key Management Service, as described below.

Add the User to Key Management Service

Add the user created in the previous step to the Key Management Service. Only the Key Management Service users with an Administrator role can add other users to KMS.

To add the user to the Key Administrator service:

Navigate to Tenant Management > Users.
From the All Users section, select the user (created above).
Click Add to Service. You might need to open the menu on the top-right, to see this button.
Select Key Management Service (KMS).
Select the Key Administrator role to assign to the user. The user with the Key Administrator role is referred to as the Key Admin user in this document.
Note
Optionally, assign one or more existing groups to the user. Refer to User Roles in the Key Management Service in SAP documentation for more information.
Click Add.

After assigning the Key Administrator role to the user, create a new group.

Create a New Group

Key Management Service groups are used to organize encryption keys and KMS users. Every group is associated with a specific application type, key store provider, key store type, and service tier.

A user with the Key Administrator role in KMS can create new groups.

To create a new group:

Log on to the SAP cloud as the Key Admin user.
Navigate to Home > Dashboard. The Key Management Service Dashboard is displayed.
On the Key Management Service tab, select an application, for example General/IAAS Applications.
Click Create Group. The Group Details screen is displayed.
Specify the group details:
1. Specify the Group Name.
2. Add the Group Description.
3. (Optional) If applicable, provide the Landscape type, System ID, and Tenant. These fields are optional.
Click Step 2. The Key Store Selection screen is displayed.
Specify the key store details:
1. Select SAP Data Custodian Provided Key Store.
2. Select a Key Store (for example, AWS, ESK, Azure).
3. Select the Key Store Region where your key store is located.
4. Click Review to verify the group details. Click Edit to make any changes.
5. Click Create.

The group is created and its details are displayed. After you have created the group, you can add an SAP connection on the CipherTrust Manager.

Add SAP Connection on CipherTrust Manager

Before you can add a SAP group to the CCKM, a connection to your SAP account must already exist on the CipherTrust Manager. After you have created a SAP group, add a connection to the SAP cloud using your SAP tenant and the Key Admin username and password.

A CipherTrust Manager administrator manages connections to external resources on the Access Management > Connections Management page of the CipherTrust Manager GUI. Refer to Connection Manager for details.

What Next?

After completing the prerequisites, you can view linked SAP groups and manage keys on the CipherTrust Manager.

Refer to the following sections:

Managing SAP Groups
Managing SAP Keys
Scheduling Operations
Managing SAP Reports
Viewing Linked SAP Applications

On this page

CipherTrust Manager

© Copyright 2019-2024, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
Legal

© Copyright 2019-2024, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com