CCKM supports the SAP Data Custodian cloud.
Before you can manage SAP resources on CCKM:
Click each link to view details.
Get a Service Admin User Account
Get a Service Admin user account from SAP. You will be provided service account credentials (a Data Custodian URL, tenant, and username.) These are required to access the Data Custodian system.
To log on to the SAP cloud as the Service Admin:
Open the URL for your SAP Data Custodian environment.
Enter your tenant name.
Enter your Username and Password.
Next, you need to add a new user to Data Custodian's Identity Service Management (ISM). New Data Custodian users must be added to ISM before they can be added to the Key Management Service.
Create a User in ISM
Add a user to Data Custodian's Identity Service Management (ISM). SAP Data Custodian users with an administrator role in ISM can create new users and edit service roles.
To add a user in ISM:
Log on to the SAP cloud as the Service Admin.
Navigate to Tenant Management > Users.
Enter the user's First Name and Last Name.
Enter the user's Email Address.
Select optional ISM administrator Roles to assign to the user.
Select an optional Active Time Range for the user.
Active From: Allows you to activate the user at a specific time.
Active To: Allows you to deactivate the user at a specific time.
Click Review. Verify the user details. Click Edit to make changes, if required.
The user is created. Next, you need to add this user to the Key Management Service, as described below.
Add the User to Key Management Service
Add the user created in the previous step to the Key Management Service. Only the Key Management Service users with an Administrator role can add other users to KMS.
To add the user to the Key Administrator service:
Navigate to Tenant Management > Users.
From the All Users section, select the user (created above).
Click Add to Service. You might need to open the menu on the top-right, to see this button.
Select Key Management Service (KMS).
Select the Key Administrator role to assign to the user. The user with the Key Administrator role is referred to as the Key Admin user in this document.
Optionally, assign one or more existing groups to the user. Refer to User Roles in the Key Management Service in SAP documentation for more information.
After assigning the Key Administrator role to the user, create a new group.
Create a New Group
Key Management Service groups are used to organize encryption keys and KMS users. Every group is associated with a specific application type, key store provider, key store type, and service tier.
A user with the Key Administrator role in KMS can create new groups.
To create a new group:
Log on to the SAP cloud as the Key Admin user.
Navigate to Home > Dashboard. The Key Management Service Dashboard is displayed.
On the Key Management Service tab, select an application, for example General/IAAS Applications.
Click Create Group. The Group Details screen is displayed.
Specify the group details:
Specify the Group Name.
Add the Group Description.
(Optional) If applicable, provide the Landscape type, System ID, and Tenant. These fields are optional.
Click Step 2. The Key Store Selection screen is displayed.
Specify the key store details:
Select SAP Data Custodian Provided Key Store.
Select a Key Store (for example, AWS, ESK, Azure).
Select the Key Store Region where your key store is located.
Click Review to verify the group details. Click Edit to make any changes.
The group is created and its details are displayed. After you have created the group, you can add an SAP connection on the CipherTrust Manager.
Add SAP Connection on CipherTrust Manager
Before you can add a SAP group to the CCKM, a connection to your SAP account must already exist on the CipherTrust Manager. After you have created a SAP group, add a connection to the SAP cloud using your SAP tenant and the Key Admin username and password.
A CipherTrust Manager administrator manages connections to external resources on the Access Management > Connections Management page of the CipherTrust Manager GUI. Refer to Connection Manager for details.
After completing the prerequisites, you can view linked SAP groups and manage keys on the CipherTrust Manager.
Refer to the following sections: