SAP HYOK endpoints
This section describes how to manage the SAP HYOK endpoints.
Creating SAP HYOK endpoints
Creating an endpoint requires an SAP HYOK keystore. Before creating an SAP HYOK endpoint, ensure that you have already created an SAP HYOK keystore.
To create an SAP HYOK endpoint:
Open the Cloud Key Manager application.
In the left pane, click Services > SAP HYOK. The Endpoints tab of the SAP HYOK page is displayed.
Click Create Endpoint. The General Info tab of the Create Endpoint screen is displayed.
General Info
Enter Name.
(Optional) Enter Description.
Click Next. The Key Material tab is displayed.
Key Material
Select a Method. The options are Create New Key and Select Existing Key.
Click the desired tab to view the instructions.
Click Create New Key.
Enter the Source Key Name.
Select Key Type. The options are AES or RSA.
Select the Key Size based on the key type:
For the AES key type, the option is 256.
For the RSA key type, the options are 3072 and 4096.
Select the Key Usage based on the key type. You need to select at least one key usage.
For the AES key type, the options are Encrypt and Decrypt.
For the RSA key type, the options are Encrypt, Decrypt, Sign, and Verify.
Click Copy Existing Key.
Select Key Type. The options are AES or RSA.
Select a Domain.
Select the Key Size based on the key type:
For the AES key type, the option is 256.
For the RSA key type, the options are 3072 and 4096.
Select a Source Key from the list.
Click Next. The Select Keystore tab is displayed.
Select Keystore
Select a Keystore from the list.
Click Next. The Add Schedule tab is displayed.
Add Schedule
(Optional) Select a Key Rotation Schedule from the list.
Click Next. The Review and Add tab is displayed.
Review and Add
This screen shows the endpoint details that you have provided. These details are divided into GENERAL INFO, KEY MATERIAL, SELECT KEYSTORE, and ADD SCHEDULE sections.
Before creating the endpoint, review all details. After the endpoint is added, certain features will no longer be editable.
Review the endpoint details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the GENERAL INFO, KEY MATERIAL, SELECT KEYSTORE, and ADD SCHEDULE sections, and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Endpoint. A success message is displayed on the screen.
Click Close. The newly created endpoint is displayed in the list of SAP HYOK endpoints.
Note
If you are planning to use this endpoint to register a master/primary key on SAP Data Custodian, select the key usage as per the SAP application's requirements. Most SAP applications require the master/primary key to have only the Encrypt and Decrypt key usages.
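The options in the Key Material step and the Note above can be checked before anyone clicks through the wizard, which matters because some details are not editable after the endpoint is added. The following is an added example, not CCKM code or an API format: the spec layout, the field names and the "new"/"existing" method values are hypothetical, and the sample specs are constructed.

```python
# Added example. The spec layout (dict keys, "new"/"existing") is hypothetical,
# not a CCKM format; the allowed values are the ones listed on this page.
ALLOWED_SIZES = {"AES": {256}, "RSA": {3072, 4096}}
ALLOWED_USAGES = {"AES": {"Encrypt", "Decrypt"},
                  "RSA": {"Encrypt", "Decrypt", "Sign", "Verify"}}
MASTER_KEY_USAGES = {"Encrypt", "Decrypt"}  # from the Note on SAP Data Custodian


def check_endpoint_spec(spec):
    """Return findings for a planned endpoint; an empty list means no issue."""
    findings = []
    if not spec.get("name", "").strip():
        findings.append("Name is required")
    if not spec.get("keystore"):
        findings.append("select an SAP HYOK keystore (create one first)")
    key_type = spec.get("key_type")
    if key_type not in ALLOWED_SIZES:
        return findings + [f"key type {key_type!r} is not AES or RSA"]
    if spec.get("key_size") not in ALLOWED_SIZES[key_type]:
        sizes = sorted(ALLOWED_SIZES[key_type])
        findings.append(f"{key_type} key size must be one of {sizes}")
    if spec.get("method") == "existing":
        # Existing-key path: a Domain and a Source Key are selected instead.
        for field in ("domain", "source_key"):
            if not spec.get(field):
                findings.append(f"{field} is required for an existing key")
        return findings
    usages = set(spec.get("key_usage", []))
    if not usages:
        findings.append("select at least one key usage")
    extra = usages - ALLOWED_USAGES[key_type]
    if extra:
        findings.append(f"{key_type} does not offer usage {sorted(extra)}")
    if spec.get("sap_master_key") and usages - MASTER_KEY_USAGES:
        findings.append("SAP master/primary key: keep only Encrypt and Decrypt")
    return findings


# Constructed sample specs, for illustration only.
GOOD = {"name": "erp-master", "keystore": "ks-prod", "method": "new",
        "key_type": "AES", "key_size": 256, "key_usage": ["Encrypt", "Decrypt"],
        "sap_master_key": True}
RISKY = dict(GOOD, key_type="RSA", key_size=2048,
             key_usage=["Encrypt", "Decrypt", "Sign"])

if __name__ == "__main__":
    for label, spec in (("GOOD", GOOD), ("RISKY", RISKY)):
        print(label, check_endpoint_spec(spec) or "ok")
```

The RISKY spec is flagged twice: 2048 is not an offered RSA size, and Sign goes beyond the usages the Note recommends for a master/primary key.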
Viewing SAP HYOK endpoints
To view the list of the available SAP HYOK endpoints:
Open the Cloud Key Manager application.
In the left pane, click Services > SAP HYOK. The Endpoints tab of the SAP HYOK page is displayed. The tab displays the following details:
Column | Description
--- | ---
Key Name | Name of the SAP key.
Key ID | ID of the SAP key.
Keystore Name | Name of the SAP keystore.
Blocked | Indicates whether the endpoint is blocked or unblocked.
Algorithm | Algorithm of the SAP key. The algorithm can be AES or RSA.
Size | Size of the SAP key.
Version | Version of the SAP key.
State | State of the key. The state can be Enabled or Disabled.
SAP Tenant ID | ID of the SAP tenant.
Description | Description of the endpoint.
Creation At | Time when the endpoint is created.
Updated At | Time when the endpoint is updated.
To view the custom columns, click the Customize View icon, select the desired option, and click OK.
Viewing and editing details of an SAP HYOK endpoint
To view or edit the details of an SAP HYOK endpoint:
Open the Cloud Key Manager application.
In the left pane, click Services > SAP HYOK. The Endpoints tab of the SAP HYOK page is displayed. The list of added SAP HYOK endpoints is displayed.
Click the Name link of the desired SAP HYOK endpoint.
Alternatively, click the overflow icon corresponding to the desired SAP HYOK endpoint, and click View/Edit. The SAP HYOK Endpoints page is displayed.
The SAP HYOK Endpoints page shows additional details of the selected endpoint under the VERSIONS, GENERAL INFORMATION, and KEY SCHEDULE sections. Expand each section to view and edit their details.
VERSIONS
Expand the VERSIONS section. The list of versions is displayed.
(Optional) You can add a version to the key. Refer to Rotating an SAP HYOK endpoint.
GENERAL INFORMATION
Expand the GENERAL INFORMATION section.
(Optional) Update the name of the SAP HYOK endpoint in the Name field.
(Optional) Update the description of the SAP HYOK endpoint in the Description field.
Click Update.
KEY SCHEDULE
Select a Rotation from the drop-down list.
Click Update.
Rotating an SAP HYOK endpoint
After you rotate the endpoint, the globally unique external key ID remains the same, and a new version of the endpoint is created that points to a new source endpoint.
To rotate an SAP HYOK Endpoint:
Open the Cloud Key Manager application.
In the left pane, click Services > SAP HYOK. The Endpoints tab of the SAP HYOK page is displayed. The list of added SAP HYOK endpoints is displayed.
Click the overflow icon corresponding to the desired SAP HYOK endpoint.
Click Rotate. The Select Material Origin tab of the Add Version screen is displayed.
Select a Key Type to rotate the SAP HYOK endpoint. The options are Create/Upload New Key Material and Clone Existing Key Material.
Click the desired tab to view the instructions.
Select the Create/Upload New Key Material option.
Click Next. The Create Source Key and Add Version tab is displayed.
Enter Source Key Name.
Select the Key Usage based on the key type. You need to select at least one key usage.
For the AES key type, the options are Encrypt and Decrypt.
For the RSA key type, the options are Encrypt, Decrypt, Sign, and Verify.
Click Add Version.
Select the Clone Existing Key Material option.
Click Next. The Select Source Key and Add Version tab is displayed.
Select a Source Key from the list.
Click Add Version.
The version is added successfully.
Disabling an SAP HYOK endpoint
You can disable an endpoint to prevent it from being used for cryptographic operations. To disable an SAP HYOK endpoint:
Open the Cloud Key Manager application.
In the left pane, click Services > SAP HYOK. The Endpoints tab of the SAP HYOK page is displayed. The list of added SAP HYOK endpoints is displayed.
Click the overflow icon corresponding to the desired SAP HYOK endpoint.
Click Disable. The Disable Endpoint dialog box is displayed.
Click Disable to confirm the action.
The endpoint is disabled successfully. The state of the endpoint changes to disabled.
Enabling an SAP HYOK endpoint
You can enable an endpoint to allow it to be used for cryptographic operations. To enable an SAP HYOK endpoint:
Open the Cloud Key Manager application.
In the left pane, click Services > SAP HYOK. The Endpoints tab of the SAP HYOK page is displayed. The list of added SAP HYOK endpoints is displayed.
Click the overflow icon corresponding to the desired SAP HYOK endpoint.
Click Enable. The Enable Endpoint dialog box is displayed.
Click Enable to confirm the action.
The endpoint is enabled successfully. The state of the endpoint changes to enabled.
Blocking an SAP HYOK endpoint
You can block access to a specific endpoint. To block an SAP HYOK endpoint:
Open the Cloud Key Manager application.
In the left pane, click Services > SAP HYOK. The Endpoints tab of the SAP HYOK page is displayed. The list of added SAP HYOK endpoints is displayed.
Click the overflow icon corresponding to the desired SAP HYOK endpoint.
Click Block. The Block Endpoint dialog box is displayed.
Click Block to confirm the action.
The endpoint is blocked successfully.
Unblocking an SAP HYOK endpoint
You can unblock access to a specific endpoint. To unblock an SAP HYOK endpoint:
Open the Cloud Key Manager application.
In the left pane, click Services > SAP HYOK. The Endpoints tab of the SAP HYOK page is displayed. The list of added SAP HYOK endpoints is displayed.
Click the overflow icon corresponding to the desired SAP HYOK endpoint.
Click Unblock. The Unblock Endpoint dialog box is displayed.
Click Unblock to confirm the action.
The endpoint is unblocked successfully.
Archiving an SAP HYOK endpoint
Archiving is an intermediate state for deleting an endpoint. You need to archive an endpoint to make it deletable. To archive an SAP HYOK endpoint:
Open the Cloud Key Manager application.
In the left pane, click Services > SAP HYOK. The Endpoints tab of the SAP HYOK page is displayed. The list of added SAP HYOK endpoints is displayed.
Click the overflow icon corresponding to the desired SAP HYOK endpoint.
Click Archive. The Archive Endpoint dialog box is displayed.
Select I wish to archive this endpoint.
Click Archive.
You will see a message that the endpoint is archived successfully. The state of the endpoint changes to archived.
Recovering an SAP HYOK endpoint
You can recover an archived endpoint. To recover an SAP HYOK Endpoint:
Open the Cloud Key Manager application.
In the left pane, click Services > SAP HYOK. The Endpoints tab of the SAP HYOK page is displayed. The list of added SAP HYOK endpoints is displayed.
Click the overflow icon corresponding to the desired SAP HYOK endpoint.
Click Recover. The Recover Endpoint dialog box is displayed.
Click Recover.
You will see a message that the endpoint is recovered successfully.
Deleting an SAP HYOK endpoint
You can delete the archived endpoint from the CCKM. To delete an SAP HYOK Endpoint:
Open the Cloud Key Manager application.
In the left pane, click Services > SAP HYOK. The Endpoints tab of the SAP HYOK page is displayed. The list of added SAP HYOK endpoints is displayed.
Click the overflow icon corresponding to the desired SAP HYOK endpoint.
Click Delete. The Delete Endpoint dialog box is displayed.
Select I wish to delete this endpoint.
Click Delete.
You will see a message that the endpoint is deleted successfully.