SAP HYOK keystores
This section describes how to manage the SAP HYOK keystores.
Creating SAP HYOK keystores
Creation of a keystore requires an SAP tenant ID, keystore URL hostname, and SAP certificate. To create an SAP HYOK keystore:
Open the Cloud Key Manager application.
In the left pane, click Services > SAP HYOK. The SAP HYOK page is displayed.
Click the SAP HYOK Keystores tab.
Click Create Keystore. The General Info tab of the Create SAP HYOK Keystore screen is displayed.
General Info
Enter Name.
(Optional) Enter Description.
Click Next. The Configure Keystore tab is displayed.
Configure Keystore
Enter SAP Tenant ID.
Enter Keystore URL Hostname.
(Optional) Enable SAP Enable success audit events.
Note
Enable or disable audit recording of successful operations within an external keystore. The default value is false.
Add a SAP Certificate. You can use the following options to add the SAP Certificate.
File Upload: Select and upload the certificate (in PEM format).
Text: Select and paste the certificate content.
Note
You can create and download the SAP certificate from the SAP Data Custodian portal.
Click Next. The Review and Create tab is displayed.
Review and Create
This screen shows the keystore details that you have provided. These details are divided into GENERAL INFO and CONFIGURE KEYSTORE sections.
Before creating the keystore, review all details. After the keystore is added, certain details can no longer be edited.
Review the keystore details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the GENERAL INFO and CONFIGURE KEYSTORE sections, and update details. Alternatively, click Back and make changes, as appropriate.
Click Create. A success message is displayed on the screen.
Click Close. The newly created keystore is displayed in the list of SAP HYOK keystores.
Viewing SAP HYOK keystores
To view the list of the available SAP HYOK Keystores:
Open the Cloud Key Manager application.
In the left pane, click Services > SAP HYOK. The SAP HYOK page is displayed.
Click the SAP HYOK Keystores tab. The list of added SAP HYOK keystores is displayed. The tab displays the following details:
Column: Description
Name: Name of the SAP HYOK keystore.
Keystore URL Hostname: Hostname for the SAP HYOK keystore URL.
Keystore URL: URL of the keystore.
Status: Status of the keystore. The status can be:
• Active
• Inactive
Block: Indicates whether the keystore is blocked or unblocked.
Tenant: ID of the SAP tenant.
Creation Date: Time when the keystore was created.
Last Updated: Time when the keystore was last updated.
Description: Description of the keystore.
To view the custom columns, click the Customize View icon, select the desired option, and click OK.
Viewing and editing details of an SAP HYOK keystore
To view or edit the details of an SAP HYOK keystore:
Open the Cloud Key Manager application.
In the left pane, click Services > SAP HYOK. The SAP HYOK page is displayed.
Click the SAP HYOK Keystores tab. The list of added SAP HYOK keystores is displayed.
Click the Name link of the desired SAP HYOK keystore.
Alternatively, click the overflow icon corresponding to the desired SAP HYOK keystore, and click View/Edit. The SAP HYOK Keystore page is displayed.
The SAP HYOK Keystore page shows additional details of the selected keystore under the ENDPOINT KEYS, GENERAL INFORMATION, KEYSTORE CONFIGURATION, and ACCESS CONTROL sections. Expand each section to view and edit their details.
ENDPOINT KEYS
Expand the ENDPOINT KEYS section.
The list of endpoints associated with the keystore is displayed. To manage these endpoints, refer to SAP HYOK Endpoints.
GENERAL INFORMATION
Expand the GENERAL INFORMATION section.
(Optional) Update the name of the SAP HYOK keystore in the Name field.
(Optional) Update the description of the SAP HYOK keystore in the Description field.
Click Update.
KEYSTORE CONFIGURATION
Expand the KEYSTORE CONFIGURATION section.
(Optional) Enter a new Keystore URL Hostname to use a different URL hostname.
(Optional) Enable or disable SAP Enable success audit events.
Note
Enable or disable audit recording of successful operations within an external keystore. The default value is false.
(Optional) Update the SAP Certificate. You can use the following options to update the SAP Certificate.
File Upload: Select and upload the certificate (in PEM format).
Text: Select and paste the certificate content.
Note
Create and download this certificate from the SAP Data Custodian Portal under Key Management Service > Configuration > Thales CipherTrust Manager.
Click Update.
ACCESS CONTROL
Refer to Managing User Permissions on SAP HYOK Keystore for details.
Managing User permissions on SAP HYOK keystore
To work with the external resources, users/groups must have the minimum set of permissions that allow them to use the SAP HYOK keystores.
Note
Only users who are members of the CCKM Users group will be granted permissions to perform operations on SAP HYOK keystores.
Users with the following characteristics can perform operations on SAP HYOK keystores:
Users in the CCKM Admins group
Users in the Admin group
Users who are administrators for a domain
Users who are in the CCKM Users group and who have had a CCKM Admin assign permissions through the UI or the /v1/cckm/sap/ekm/keystores/{id}/update-acls endpoint in the REST API.
Adding permissions for a User/Group
To add permissions for a user/group:
Open the Cloud Key Manager application.
In the left pane, click Services > SAP HYOK. The SAP HYOK page is displayed.
Click the SAP HYOK Keystores tab. The list of added SAP HYOK keystores is displayed.
Click the Name link of the desired SAP HYOK keystore.
Alternatively, click the overflow icon corresponding to the desired SAP HYOK keystore, and click View/Edit. The SAP HYOK Keystore page is displayed.
Expand the ACCESS CONTROL section.
Click Assign User/Group. The Assign User/Group dialog box is displayed.
Select the desired user or group from the User/Group drop-down list.
Click Save.
The newly added user/group is displayed under Name in the ACCESS CONTROL section.
CCKM allows the following operations on the SAP HYOK keystores:
View Keys, Add Key, Delete Key.
Refresh Domain.
You can now grant additional permissions to the user/group, as appropriate. Refer to Granting Permission to Perform an Operation for details.
Granting permission to perform an operation
To grant the user or group permission to perform any of the above-mentioned operations:
In the ACCESS CONTROL section, select the check box under the desired operation corresponding to the desired users or groups.
Click Update.
A success message is displayed on the screen.
To revoke permissions from a user/group, refer to Removing a Permission for details.
Removing a permission
To remove a permission assigned to a user or group:
In the ACCESS CONTROL section, clear the check box under the desired operation corresponding to the desired users or groups.
Click Update.
A success message is displayed on the screen.
Removing permission from a User/Group
To remove current permissions assigned to the user/group:
In the ACCESS CONTROL section, under Unassign, click the X button corresponding to the desired user/group.
On the Remove User / Remove Group screen, click Remove.
Note
Removing this user/group will remove all permissions currently assigned to the user/group.
Click Remove to confirm the action. To cancel the action, click Keep It.
A success message is displayed on the screen.
Blocking an SAP HYOK keystore
You can block a keystore to deny all proxy API requests from both the keystore and its endpoints. To block an SAP HYOK keystore:
Open the Cloud Key Manager application.
In the left pane, click Services > SAP HYOK. The SAP HYOK page is displayed.
Click the SAP HYOK Keystores tab. The list of added SAP HYOK keystores is displayed.
Click the overflow icon corresponding to the desired SAP HYOK keystore.
Click Block. The Block Keystore dialog box is displayed.
Click Block to confirm the action.
The keystore is blocked successfully. The state of the keystore changes to Blocked.
Unblocking an SAP HYOK keystore
You can unblock a keystore to accept all proxy API requests from both the keystore and its endpoints. To unblock an SAP HYOK keystore:
Open the Cloud Key Manager application.
In the left pane, click Services > SAP HYOK. The SAP HYOK page is displayed.
Click the SAP HYOK Keystores tab. The list of added SAP HYOK keystores is displayed.
Click the overflow icon corresponding to the desired SAP HYOK keystore.
Click Unblock. The Unblock Keystore dialog box is displayed.
Click Unblock to confirm the action.
The keystore is unblocked successfully. The state of the keystore changes to Unblocked.
Deleting an SAP HYOK keystore
You can delete an archived keystore that has no endpoints from the CCKM. To delete an SAP HYOK keystore:
Open the Cloud Key Manager application.
In the left pane, click Services > SAP HYOK. The SAP HYOK page is displayed.
Click the SAP HYOK Keystores tab. The list of added SAP HYOK keystores is displayed.
Click the overflow icon corresponding to the desired SAP HYOK keystore.
Click Delete. The Delete Keystore dialog box is displayed.
Note
The keystore can only be deleted if it does not contain any SAP HYOK Endpoints.
Select I wish to delete key material.
Click Delete.
You will see a message that the keystore is deleted successfully.
Archiving an SAP HYOK keystore
Archiving transitions a keystore to an intermediate state, a prerequisite for its deletion. When a keystore is archived, its associated endpoints are also archived, and a CCKM license is released.
To archive an SAP HYOK keystore:
Open the Cloud Key Manager application.
In the left pane, click Services > SAP HYOK. The SAP HYOK page is displayed.
Click the SAP HYOK Keystores tab. The list of added SAP HYOK keystores is displayed.
Click the overflow icon corresponding to the desired SAP HYOK keystore.
Click Archive. The Archive Keystore dialog box is displayed.
Select I wish to archive this keystore.
Click Archive.
You will see a message that the keystore is archived successfully. The state of the keystore changes to Archived.
Recovering an SAP HYOK keystore
You can recover an archived keystore.
Note
Recovering an archived SAP keystore consumes a CCKM license unit. This process does not automatically recover its previously associated endpoints; you must recover them individually. Refer to Recovering an SAP HYOK endpoint for details.
To recover an SAP HYOK Keystore:
Open the Cloud Key Manager application.
In the left pane, click Services > SAP HYOK. The SAP HYOK page is displayed.
Click the SAP HYOK Keystores tab. The list of added SAP HYOK keystores is displayed.
Click the overflow icon corresponding to the desired SAP HYOK keystore.
Click Recover. The Recover Keystore dialog box is displayed.
Click Recover.
You will see a message that the keystore is recovered successfully.