Salesforce Resources
CCKM supports the Salesforce and Salesforce Sandbox clouds. The Salesforce Sandbox is a copy of your production Salesforce environment used primarily for testing, development, or training. In this document, the information about Salesforce is applicable to both Salesforce and Salesforce Sandbox unless stated otherwise.
Your login credentials for Salesforce and Salesforce Sandbox are unique to each cloud. If you are configuring the setup for Salesforce Sandbox, ensure to configure within the Salesforce Sandbox cloud.
Manage the Salesforce organizations and tenant secrets stored in your Salesforce account using CCKM.
Note
The instructions provided in this section are specific to the Salesforce Classic interface. If you are using Salesforce Lightning, you will notice a different interface. So, refer to the corresponding sections of the Salesforce Lightning interface documentation to complete the prerequisites.
• Salesforce's Shield Platform Encryption Service must be enabled.
• To generate Salesforce reports, Event Monitoring (a paid feature) must be enabled in the Salesforce cloud.
• Salesforce provides two profile interfaces: Original Profile Interface and Enhanced Profile User Interface. Steps in this section are based on the Enhanced Profile User Interface. To enable the Enhanced Profile User Interface, refer to
Note
Enable the Enhanced Profile User Interface in the Salesforce documentation.
Prerequisites
Access to Salesforce resources can be configured using profiles and permission sets. Depending on your requirements, use either method. However, permission sets is the recommended method to configure access. After configuring the access, you can add a Salesforce connection on the CipherTrust Manager.
Before you can manage Salesforce resources on CCKM:
Configure Access to Salesforce
Click a tab to view details.
1. Create a New Profile
Create a new profile or use an existing one. Creating a new profile is recommended. This section describes steps to create a new profile.
Log on to your Salesforce cloud account.
At the top right, click Setup.
In the left pane, under Administer, click Manage Users > Profiles. The Profiles page shows the list of existing profiles.
Click New profile. The Clone Profile page is displayed.
From the Existing Profile drop-down list, select Minimum Access - Salesforce.
Enter Profile Name, for example, no_permission_profile.
Click Save.
The profile is created.
Scroll down to the System section.
Click the System Permissions link. The list of permissions assigned to the profile is displayed. These permissions are based on the profile you selected from the Existing Profile drop-down list.
Next to System Permissions, click Edit. The edit view of the profile is displayed.
Clear all the set permissions.
Scroll up the page.
Click Save. The Permission Changes Confirmation dialog box is displayed.
Click Save to confirm the changes.
2. Create a New User
Create a new user or edit an existing one to change the profile. This section describes steps to create a new user.
In the left pane, under Administer, click Manage Users > Users. The All Users page is displayed.
In the middle of the page, click New User. The New User page is displayed.
Specify the user details such as name, last name, alias, email address, username, and nickname.
Select the User License that has the Manage Encryption Keys and View Event Log Files system permissions.
From the Profile drop-down list, select no_permission_profile (the profile created in 1. Create a New Profile).
Click Save.
The user is created.
3. Create a New Permission Set
In the left pane, under Administer, click Manage Users > Permission Sets. The Permission Sets page displays the list of existing permission sets.
Click New. The Create page is displayed.
Enter permission set information such as Label, API Name, and Description.
Under Select the type of users who will use this permission set, make sure that None is selected in the License drop-down list.
Click Save.
The permission set is created.
4. Add Permissions to the Permission Set
Scroll down to the System section.
Click the System Permissions link. The list of System Permissions is displayed.
Next to System Permissions, click Edit. The edit view of the permissions set is displayed.
Make sure the following permissions are selected:
API Enabled: To access any Salesforce.com API.
Manage Encryption Keys: To manage tenant secrets.
Modify Metadata Through Metadata API Functions: To synchronize certificates.
View Event Log Files: To run reports.
View Setup and Configuration: To get list of SFDC organizations and their details.
View Roles and Role Hierarchy: To view roles and role hierarchy.
Scroll up the page.
Click Save. The Permission Changes Confirmation dialog box is displayed.
Click Save to confirm the changes.
5. Assign the User to the Permission Set
At the top of the page, click Manage Assignments. The Assigned Users page of the permission set is displayed.
Click Add Assignments. The All Users page displays the list of existing users.
Select the user created in 2. Create a New User.
Click Assign. The permission set is assigned to the selected user.
Click Done.
The user assigned to the permission set is displayed in the list of assigned users.
6. Create a Connected App
Create a new Connected App or use an existing one. If you are using an existing App, then remove any profiles currently assigned to the Connected App and assign the permission set created in 3. Create a New Permission Set. This section describes steps to create a new Connected App.
In the left pane, under Build, click Create > Apps. The Apps page shows the list of available apps. On this page, you can create a new Connected App.
Navigate to the Connected Apps section. Scroll down the page if needed.
Click New. The New Connected App page is displayed.
Specify the Basic Information, for example, the app’s name, logo, and contact information. The mandatory fields are:
Connected App Name: A unique name for your Connected App. The name can only contain underscores and alphanumeric characters. The name must begin with a letter, not include spaces, not end with an underscore, and not contain two consecutive underscores.
API Name: A name for the connected API. It is populated automatically with the Connected App Name you specified above. Change the API name if you want.
Contact Email: A valid email address.
You can also specify additional (optional) details such as contact phone number, URLs, and description.
Under API (Enable OAuth Settings):
Select Enable OAuth Settings. More fields are displayed.
Specify a Callback URL, for example,
https://localhost
.(Optional but recommended. Applicable to certificate-based authentication.) Select Use digital signatures. This specifies that a digital certificate is used to make API calls to Salesforce. The digital certificate is the public key of an RSA key pair (a public-private key pair) created on the CipherTrust Manager.
Click Choose File to upload the desired digital certificate (public key). This certificate can be downloaded on the CipherTrust Manager when a connection to the Salesforce cloud is added. Refer to Connection Management for details.
Under Selected OAuth Scopes, select the OAuth scopes to apply to the Connected App. OAuth scopes define permissions for the Connected App that are granted as tokens after the app is authorized. The OAuth token name is in parentheses.
To select an OAuth scope:
From the Available OAuth Scopes list, select the desired OAuth scope.
CipherTrust Manager requires the following OAuth scopes:
Access the identity URL service (id, profile, email, address, phone)
Manage user data via APIs (api)
Perform requests at any time (refresh_token, offline_access)
Use the Ctrl key to select multiple scopes.
Click the Add button (between Available OAuth Scopes and Selected OAuth Scopes sections). The selected OAuth scope moves under the Selected OAuth Scopes section.
It is recommended to not select the Full access (full) scope.
Make sure that Require Secret for Web Server Flow is selected. This ensures the app’s client secret is required in exchange for an access token.
Clear Require Secret for Refresh Token Flow.
Click Save. Changes can take up to 10 minutes to take effect.
Click Continue.
When the Connected App is created, the app details are displayed. Note down the Consumer Key, Consumer Secret, and Salesforce username with its password. This information is required when adding a Salesforce connection to the CipherTrust Manager.
To gather this information any time:
Log on to your Salesforce cloud account.
In the left pane, under Build, click Create > Apps. The Apps page shows available apps.
Navigate to the Connected Apps section. Scroll down the page if needed.
Click your Connected App to view its details. The Consumer Key and Consumer Secret are displayed under the API (Enable OAuth Settings) section.
On the Add Connection page of the CipherTrust Manager GUI, the Salesforce Consumer Key and Consumer Secret are called Client ID and Client Secret respectively.
Client ID and Client Secret are required for Client Secret as the Authentication type. For Certificate as the Authentication type, only Username and Client ID are required.
7. Add OAuth Policies on Salesforce
Next, you need to specify who all can access the Connected App. This is done by adding appropriate OAuth policy to the Connected App on the Salesforce cloud.
In the left pane, under Administer, click Manage Apps > Connected Apps. The Connected Apps page shows the available apps.
Under Master Label, click your Connected App. The Connected App Detail page is displayed.
Click Edit Policies. The edit view of the Connected App is displayed.
Under the OAuth Policies section, from the Permitted Users drop-down list, select Admin approved users are pre-authorized.
Changing the OAuth policies can cause access deny issues for users currently using the app.
Click OK to confirm the action.
From the IP Relaxation drop-down list, select an appropriate option. Consult your Salesforce administrator for the appropriate option.
Note
It is recommended to select Enforce IP restrictions for higher security. However, if you face any issues, you might need to select Relax IP restrictions.
Select Refresh token is valid until revoked.
Click Save. You are returned to the Connected App Detail page.
8. Assign the Permission Set to the Connected App
Scroll down to the Permission Sets section.
Click Manage Permission Sets. The Application Permission Set Assignment page is displayed.
Select the permission set created in 3. Create a New Permission Set.
Click Save.
The selected permission set is assigned to the Connected App.
1. Create a New Profile
Log on to your Salesforce cloud account.
At the top right, click Setup.
In the left pane, under Administer, click Manage Users > Profiles. The Profiles page shows the list of existing profiles.
Click New profile. The Clone Profile page is displayed.
From the Existing Profile drop-down list, select Minimum Access - Salesforce.
Enter Profile Name.
Click Save.
The profile is created.
2. Assign Permissions to the Profile
Scroll down to the System section.
Click the System Permissions link. The list of permissions assigned to the profile is displayed. These permissions are based on the profile you selected from the Existing Profile drop-down list.
Next to System Permissions, click Edit. The edit view of the profile is displayed.
Make sure the following permissions are selected:
API Enabled: To access any Salesforce.com API.
Manage Encryption Keys: To manage tenant secrets.
Modify Metadata Through Metadata API Functions: To synchronize certificates.
View Event Log Files: To run reports.
View Setup and Configuration: To get list of SFDC organizations and their details.
View Roles and Role Hierarchy: To view roles and role hierarchy.
Scroll up the page.
Click Save. The Permission Changes Confirmation dialog box is displayed.
Click Save to confirm the changes.
3. Create a New User
Create a new user or edit an existing one to change the profile. This section describes steps to create a new user.
In the left pane, under Administer, click Manage Users > Users. The All Users page is displayed.
In the middle of the page, click New User. The New User page is displayed.
Specify the user details such as name, last name, alias, email address, username, and nickname.
Select the User License that has the Manage Encryption Keys and View Event Log Files system permissions.
From the Profile drop-down list, select the profile created in 1. Create a New Profile.
Click Save.
The user is created.
4. Create a Connected App
In the left pane, under Build, click Create > Apps. The Apps page shows available apps. On this page, you can create a new connected app.
Navigate to the Connected Apps section. Scroll down the page if needed.
Click New. The New Connected App page is displayed.
Specify the Basic Information, for example, the app’s name, logo, and contact information. The mandatory fields are:
Connected App Name: A unique name for your connected app. The name can only contain underscores and alphanumeric characters. The name must begin with a letter, not include spaces, not end with an underscore, and not contain two consecutive underscores.
API Name: A name for the connected API. It is populated automatically with the Connected App Name you specified above. Change the API name if you want.
Contact Email: A valid email address.
You can also specify additional (optional) details such as contact phone number, URLs, and description.
Under API (Enable OAuth Settings):
Select Enable OAuth Settings. More fields are displayed.
Specify the Callback URL, for example,
https://localhost
.(Optional but recommended. Applicable to certificate-based authentication.) Select Use digital signatures. This specifies that a digital certificate is used to make API calls to Salesforce. The digital certificate is the public key of an RSA key pair (a public-private key pair) created on the CipherTrust Manager.
Click Choose File to upload the desired digital certificate (public key). This certificate can be downloaded on the CipherTrust Manager when a connection to the Salesforce cloud is added. Refer to Connection Management for details.
Under Selected OAuth Scopes, select the OAuth scopes to apply to the connected app. OAuth scopes define permissions for the connected app that are granted as tokens after the app is authorized. The OAuth token name is in parentheses.
To select an OAuth scope:
From the Available OAuth Scopes list, select the desired OAuth scope.
CipherTrust Manager requires the following OAuth scopes:
Access the identity URL service (id, profile, email, address, phone)
Manage user data via APIs (api)
Perform requests at any time (refresh_token, offline_access)
Use the Ctrl key to select multiple scopes.
Click the Add button (between Available OAuth Scopes and Selected OAuth Scopes sections). The selected OAuth scope moves under the Selected OAuth Scopes section.
It is recommended to not select the Full access (full) scope.
Make sure that Require Secret for Web Server Flow is selected. This ensures that the app’s client secret is required in exchange for an access token.
Clear Require Secret for Refresh Token Flow.
Click Save. Changes can take up to 10 minutes to take effect.
Click Continue.
When the connected app is created, the app details are displayed. Note down the Consumer Key, Consumer Secret, and Salesforce username with its password. This information is required when adding a Salesforce connection to the CipherTrust Manager.
To gather this information any time:
Log on to your Salesforce cloud account.
In the left pane, under Build, click Create > Apps. The Apps page shows available apps.
Navigate to the Connected Apps section. Scroll down the page if needed.
Click your connected app to view its details. The Consumer Key and Consumer Secret are displayed under the API (Enable OAuth Settings) section.
On the Add Connection page of the CipherTrust Manager GUI, the Salesforce Consumer Key and Consumer Secret are called Client ID and Client Secret respectively.
Client ID and Client Secret are required for Client Secret as the Authentication type. For Certificate as the Authentication type, only Username and Client ID are required.
5. Add OAuth Policies on Salesforce
Next, you need to specify who all can access the Connected App. This is done by adding appropriate OAuth policy to the Connected App on the Salesforce cloud.
In the left pane, under Administer, click Manage Apps > Connected Apps. The Connected Apps page shows available apps.
Under Master Label, click your Connected App.
Click Edit Policies. The edit view of the Connected App is displayed.
Under the OAuth Policies section, from the Permitted Users drop-down list, select Admin approved users are pre-authorized.
Changing the OAuth policies can cause access deny issues for users currently using the app.
Click OK to confirm the action.
From the IP Relaxation drop-down list, select an appropriate option. Consult your Salesforce administrator for the appropriate option.
Note
It is recommended to select Enforce IP restrictions for higher security. However, if you face any issues, you might need to select Relax IP restrictions.
Select Refresh token is valid until revoked.
Click Save. You are returned to the Connected App Detail page.
6. Assign the Profile to the Connected App
Next, you need to select the appropriate profiles to choose which users have access to this application.
Scroll down to the Profiles section.
Click Manage Profiles. The Application Profile Assignment page is displayed.
Select the profile created in 1. Create a New Profile.
Click Save.
The selected profile is assigned to the Connected App.
Configure Advanced Settings on Salesforce
Additionally, configure the following settings on Salesforce (Security > Platform Encryption > Advanced Settings).
Allow BYOK to Opt Out of Key Derivation: Enable or disable the Salesforce key derivation process.
Turn ON to disable the Salesforce key derivation process and use your uploaded key material as the final encryption key. If this option is disabled, the BYOK upload will fail.
Turn OFF to use key derivation.
Allow Cache-Only Keys with BYOK: Allow or deny the use of cache-only keys with BYOK.
Turn ON to use cache-only keys. This lets Salesforce fetch remotely-stored encryption keys from an endpoint that you provide.
Turn OFF for non cache-only keys.
Enable Replay Detection for Cache-Only Keys: Replay detection protects your cache-only keys if a callout is fraudulently intercepted.
Turn ON to insert an auto-generated, unique marker called a request identifier into every callout. Any callout with missing or mismatched request identifiers is aborted by Salesforce.
Turn OFF to disable replay detection.
Add Salesforce Connection on CipherTrust Manager
Before you can add a Salesforce organization to the CCKM, a connection to your Salesforce account must already exist on the CipherTrust Manager. A CipherTrust Manager administrator manages connections to external resources on the Access Management > Connections Management page of the CipherTrust Manager GUI. Refer to Connection Manager for details.
If you need a connection with certificate-based authentication, specify Username and Client ID, select Certificate as the Authentication type, and generate and download the certificate. The downloaded certificate needs to be uploaded to the connected app on the Salesforce cloud. Refer to Upload Public Certificate to Salesforce for details.
After completing the prerequisites, you can view linked Salesforce organizations and manage linked tenant secrets on the CipherTrust Manager.
Refer to the following sections: