SAP Data Custodian
SAP Data Custodian connections to the CipherTrust Manager can be configured using the following:
Note
It is recommended to use Technical Users when creating new connections for SAP Data Custodian on the CipherTrust Manager.
If you don't use Technical Users when the SAP Data Custodian KMS is integrated with the SAP Cloud Identity Services, the connection to SAP may not work.
Managing SAP Data Custodian Connections using GUI
Standard users are owned by the IAM service, and represent human users. Standard users need to be assigned to the Key Management Service, with a certain role, and then need to be added to Groups to see those groups. The standard users can access both the UI and the API.
API Endpoint - this is the KMS API endpoint of the SAP Data Custodian. Provide the HTTP URL with the API version in it. Only version v2 of the KMS API is supported. Example: https://kms-api-demo.datacustodian.cloud.sap/kms/v2.
Username - provide the username used to access the SAP Data Custodian server.
Secret - provide the secret (password).
Tenant - provide the tenant.
Click the Test Credentials button to check whether the connection is configured correctly. If the test is successful, the status is OK; otherwise, the status is Fail.
You can proceed with adding the SAP connection even if clicking Test Credentials returns an error message. You can test the connection after adding it: on the Connections page, click the Test Connection button corresponding to the newly added connection.
Technical Users are essentially API clients. The technical users can have full admin access to an entire service such as Key Management Service.
Note
Technical User credentials are activated internally at the back end while creating/updating connections. Therefore, the create/update connection operation won't accept technical user credentials that are already activated.
API Endpoint - this is the KMS API endpoint of the SAP Data Custodian. Provide the HTTP URL with the API version in it. Only version v2 of the KMS API is supported. To get the SAP API endpoint:
Create a technical user (TU).
Generate its credentials and download them.
The downloaded file "API Endpoints.txt" contains ISM and KMS API endpoints. Use the KMS API endpoint to make the connection.
Secret - provide the secret (password).
API Key - provide the API key of the technical user.
Test Credentials will fail until the credentials are activated, and the credentials are activated only when a connection is created. Therefore, it is recommended to test the connection after creating it. To do so, on the Connections page, click the Test Connection button corresponding to the newly added connection.
Click Next to move to the Add Products screen of the Add Connection wizard.
Note
Currently, the only product supported for SAP Data Custodian connection is Cloud Key Manager.
Managing SAP Data Custodian Connections using ksctl
The following operations can be performed:
Create/Get/Update/Delete an SAP Data Custodian connection
List all SAP Data Custodian connections
Test an existing SAP Data Custodian connection
Test parameters for a SAP Data Custodian connection
Standard users are owned by the IAM service, and represent human users. Standard users need to be assigned to the Key Management Service, with a certain role, and then need to be added to Groups to see those groups. The standard users can access both the UI and the API.
Creating a SAP Data Custodian Connection
To create a SAP Data Custodian connection, run:
Syntax
ksctl connectionmgmt sap-dc create --name <Connection-Name> --products <Products-Names> --api-endpoint <SAPDataCustodian-API-Endpoint> --user-creds <user,secret,tenant-JSON-Format-String>
Example Request
ksctl connectionmgmt sap-dc create --name test-conn --products "cckm" --api-endpoint "https://test-endpoint.com" --user-creds '{"user":"testuser","secret":"testsecret","tenant":"testtenant"}'
Example Response
{
  "id": "d2e25ea2-de0f-488a-94f4-d3c925cd5d18",
  "uri": "kylo:kylo:connectionmgmt:connections:test-conn-d2e25ea2-de0f-488a-94f4-d3c925cd5d18",
  "account": "kylo:kylo:admin:accounts:kylo",
  "createdAt": "2021-10-27T07:21:22.77127493Z",
  "updatedAt": "2021-10-27T07:21:22.770209257Z",
  "service": "sap-data-custodian",
  "category": "cloud",
  "last_connection_ok": null,
  "last_connection_at": "0001-01-01T00:00:00Z",
  "name": "test-conn",
  "products": [
    "cckm"
  ],
  "api_endpoint": "https://test-endpoint.com",
  "user_credentials": {
    "tenant": "testtenant",
    "user": "testuser"
  }
}
Getting Details of a SAP Data Custodian Connection
To get details of a SAP Data Custodian connection, run:
Syntax
ksctl connectionmgmt sap-dc get --id <Connection-Name/ID>
Example Request
ksctl connectionmgmt sap-dc get --id d2e25ea2-de0f-488a-94f4-d3c925cd5d18
Example Response
{
  "id": "d2e25ea2-de0f-488a-94f4-d3c925cd5d18",
  "uri": "kylo:kylo:connectionmgmt:connections:test-conn-d2e25ea2-de0f-488a-94f4-d3c925cd5d18",
  "account": "kylo:kylo:admin:accounts:kylo",
  "createdAt": "2021-10-27T07:21:22.771275Z",
  "updatedAt": "2021-10-27T07:21:22.770209Z",
  "service": "sap-data-custodian",
  "category": "cloud",
  "last_connection_ok": null,
  "last_connection_at": "0001-01-01T00:00:00Z",
  "name": "test-conn",
  "products": [
    "cckm"
  ],
  "api_endpoint": "https://test-endpoint.com",
  "user_credentials": {
    "tenant": "testtenant",
    "user": "testuser"
  }
}
Updating a SAP Data Custodian Connection
To update a SAP Data Custodian connection, run:
Syntax
ksctl connectionmgmt sap-dc modify --id <Connection-Name/ID> --products <Products-Names> --api-endpoint <SAPDataCustodian-API-Endpoint> --user-creds <user,secret,tenant-JSON-Format-String> --meta <Key:Values>
Example Request
ksctl connectionmgmt sap-dc modify --id d2e25ea2-de0f-488a-94f4-d3c925cd5d18 --products "cckm" --api-endpoint "https://test2-endpoint.com" --user-creds '{"user":"testuser2","secret":"testsecret2","tenant":"testtenant2"}'
Example Response
{
  "id": "d2e25ea2-de0f-488a-94f4-d3c925cd5d18",
  "uri": "kylo:kylo:connectionmgmt:connections:test-conn-d2e25ea2-de0f-488a-94f4-d3c925cd5d18",
  "account": "kylo:kylo:admin:accounts:kylo",
  "createdAt": "2021-10-27T07:21:22.771275Z",
  "updatedAt": "2021-10-27T07:26:11.431339116Z",
  "service": "sap-data-custodian",
  "category": "cloud",
  "last_connection_ok": null,
  "last_connection_at": "0001-01-01T00:00:00Z",
  "name": "test-conn",
  "products": [
    "cckm"
  ],
  "api_endpoint": "https://test2-endpoint.com",
  "user_credentials": {
    "tenant": "testtenant2",
    "user": "testuser2"
  }
}
Deleting a SAP Data Custodian Connection
To delete a SAP Data Custodian connection, run:
Syntax
ksctl connectionmgmt sap-dc delete --id <Connection-Name/ID>
Example Request
ksctl connectionmgmt sap-dc delete --id d2e25ea2-de0f-488a-94f4-d3c925cd5d18
Example Response
There will be no response if the SAP Data Custodian connection is deleted successfully.
Getting List of SAP Data Custodian Connections
To list all the SAP Data Custodian connections, run:
Syntax
ksctl connectionmgmt sap-dc list
Example Request
ksctl connectionmgmt sap-dc list
Example Response
{
  "skip": 0,
  "limit": 10,
  "total": 1,
  "resources": [
    {
      "id": "d2e25ea2-de0f-488a-94f4-d3c925cd5d18",
      "uri": "kylo:kylo:connectionmgmt:connections:test-conn-d2e25ea2-de0f-488a-94f4-d3c925cd5d18",
      "account": "kylo:kylo:admin:accounts:kylo",
      "createdAt": "2021-10-27T07:21:22.771275Z",
      "updatedAt": "2021-10-27T07:21:22.770209Z",
      "service": "sap-data-custodian",
      "category": "cloud",
      "last_connection_ok": null,
      "last_connection_at": "0001-01-01T00:00:00Z",
      "name": "test-conn",
      "products": [
        "cckm"
      ],
      "api_endpoint": "https://test-endpoint.com",
      "user_credentials": {
        "tenant": "testtenant",
        "user": "testuser"
      }
    }
  ]
}
Testing an Existing SAP Data Custodian Connection
To test an existing SAP Data Custodian connection, run:
Syntax
ksctl connectionmgmt sap-dc test --id <Connection-Name/ID>
Example Request
ksctl connectionmgmt sap-dc test --id d2e25ea2-de0f-488a-94f4-d3c925cd5d18
Example Response
{
  "connection_ok": true
}
Testing Parameters for a SAP Data Custodian Connection
To test parameters for a SAP Data Custodian connection, run:
Syntax
ksctl connectionmgmt sap-dc test --api-endpoint <SAPDataCustodian-API-Endpoint> --user-creds <user,secret,tenant-JSON-Format-String>
Example Request
ksctl connectionmgmt sap-dc test --api-endpoint "https://test-endpoint.com" --user-creds '{"user":"testuser","secret":"testsecret","tenant":"testtenant"}'
Example Response
{
  "connection_ok": true
}
Technical Users are essentially API clients. The technical users can have full admin access to an entire service such as Key Management Service.
Note
Technical User credentials are activated internally at the back end while creating/updating connections. Therefore, the create/update connection operation won't accept technical user credentials that are already activated.
Creating a SAP Data Custodian Connection
To create a SAP Data Custodian connection, run:
Syntax
ksctl connectionmgmt sap-dc create --name <Connection-Name> --products <Products-Names> --api-endpoint <SAPDataCustodian-API-Endpoint> --tech-user-creds <API key,secret>
Here, --api-endpoint is the KMS API endpoint of the SAP Data Custodian. Provide the HTTP URL with the API version in it. Only version v2 of the KMS API is supported. To get the SAP API endpoint:
Create a technical user (TU).
Generate its credentials and download them.
The downloaded file "API Endpoints.txt" contains ISM and KMS API endpoints. Use the KMS API endpoint to make the connection.
Example Request
ksctl connectionmgmt sap-dc create --name "test-tu-conn" --api-endpoint "https://kms-api-aws-demo.datacustodian.cloud.sap/kms/v2" --tech-user-creds '{"api_key":"ey----NhcCJ9","secret":"0U6myfwji--ye"}'
Example Response
{
  "id": "9a6a728b-5beb-465a-8e2e-5e4332039b2d",
  "uri": "kylo:kylo:connectionmgmt:connections:test-tu-conn-9a6a728b-5beb-465a-8e2e-5e4332039b2d",
  "account": "kylo:kylo:admin:accounts:kylo",
  "createdAt": "2024-01-09T06:22:48.058817364Z",
  "updatedAt": "2024-01-09T06:22:48.057206571Z",
  "service": "sap-data-custodian",
  "category": "cloud",
  "last_connection_ok": null,
  "last_connection_at": "0001-01-01T00:00:00Z",
  "name": "test-tu-conn",
  "api_endpoint": "https://kms-api-aws-demo.datacustodian.cloud.sap/kms/v2",
  "technical_user_credentials": {
    "api_key": "ey----NhcCJ9"
  }
}
Getting Details of a SAP Data Custodian Connection
To get details of a SAP Data Custodian connection, run:
Syntax
ksctl connectionmgmt sap-dc get --id <Connection-Name/ID>
Example Request
ksctl connectionmgmt sap-dc get --id 9a6a728b-5beb-465a-8e2e-5e4332039b2d
Example Response
{
  "id": "9a6a728b-5beb-465a-8e2e-5e4332039b2d",
  "uri": "kylo:kylo:connectionmgmt:connections:test-tu-conn-9a6a728b-5beb-465a-8e2e-5e4332039b2d",
  "account": "kylo:kylo:admin:accounts:kylo",
  "createdAt": "2024-01-09T06:22:48.058817364Z",
  "updatedAt": "2024-01-09T06:22:48.057206571Z",
  "service": "sap-data-custodian",
  "category": "cloud",
  "last_connection_ok": null,
  "last_connection_at": "0001-01-01T00:00:00Z",
  "name": "test-tu-conn",
  "api_endpoint": "https://kms-api-aws-demo.datacustodian.cloud.sap/kms/v2",
  "technical_user_credentials": {
    "api_key": "ey----NhcCJ9"
  }
}
Updating a SAP Data Custodian Connection
To update a SAP Data Custodian connection, run:
Syntax
ksctl connectionmgmt sap-dc modify --id <Connection-Name/ID> --products <Products-Names> --api-endpoint <SAPDataCustodian-API-Endpoint> --tech-user-creds <api-key,secret> --meta <Key:Values>
Example Request
ksctl connectionmgmt sap-dc modify --id "9a6a728b-5beb-465a-8e2e-5e4332039b2d" --api-endpoint "https://kms-api-aws-demo.datacustodian.cloud.sap/kms/v2" --tech-user-creds '{"api_key":"eyJjcmVkZW-------cCJ9","secret":"oYtZk-----wnWGi"}'
Example Response
{
  "id": "9a6a728b-5beb-465a-8e2e-5e4332039b2d",
  "uri": "kylo:kylo:connectionmgmt:connections:test-tu-conn-9a6a728b-5beb-465a-8e2e-5e4332039b2d",
  "account": "kylo:kylo:admin:accounts:kylo",
  "createdAt": "2024-01-09T06:22:48.058817Z",
  "updatedAt": "2024-01-09T06:34:30.297756622Z",
  "service": "sap-data-custodian",
  "category": "cloud",
  "last_connection_ok": true,
  "last_connection_at": "2024-01-09T06:29:56.429799Z",
  "name": "test-tu-conn",
  "api_endpoint": "https://kms-api-aws-demo.datacustodian.cloud.sap/kms/v2",
  "technical_user_credentials": {
    "api_key": "eyJjcmVkZW-------cCJ9"
  }
}
Deleting a SAP Data Custodian Connection
To delete a SAP Data Custodian connection, run:
Syntax
ksctl connectionmgmt sap-dc delete --id <Connection-Name/ID>
Example Request
ksctl connectionmgmt sap-dc delete --id 9a6a728b-5beb-465a-8e2e-5e4332039b2d
Example Response
There will be no response if the SAP Data Custodian connection is deleted successfully.
Getting List of SAP Data Custodian Connections
To list all the SAP Data Custodian connections, run:
Syntax
ksctl connectionmgmt sap-dc list
Example Request
ksctl connectionmgmt sap-dc list
Example Response
{
  "skip": 0,
  "limit": 10,
  "total": 1,
  "resources": [
    {
      "id": "9a6a728b-5beb-465a-8e2e-5e4332039b2d",
      "uri": "kylo:kylo:connectionmgmt:connections:test-tu-conn-9a6a728b-5beb-465a-8e2e-5e4332039b2d",
      "account": "kylo:kylo:admin:accounts:kylo",
      "createdAt": "2024-01-09T06:22:48.058817Z",
      "updatedAt": "2024-01-09T06:34:30.297756622Z",
      "service": "sap-data-custodian",
      "category": "cloud",
      "last_connection_ok": true,
      "last_connection_at": "2024-01-09T06:29:56.429799Z",
      "name": "test-tu-conn",
      "api_endpoint": "https://kms-api-aws-demo.datacustodian.cloud.sap/kms/v2",
      "technical_user_credentials": {
        "api_key": "eyJjcmVkZW-------cCJ9"
      }
    }
  ]
}
Testing an Existing SAP Data Custodian Connection
To test an existing SAP Data Custodian connection, run:
Syntax
ksctl connectionmgmt sap-dc test --id <Connection-Name/ID>
Example Request
ksctl connectionmgmt sap-dc test --id "9a6a728b-5beb-465a-8e2e-5e4332039b2d"
Example Response
{
  "connection_ok": true
}
Testing Parameters for a SAP Data Custodian Connection
The testing parameters API doesn't activate the technical user credentials. It only makes an API call to api_endpoint/auth/request.
To test parameters for a SAP Data Custodian connection, run:
Syntax
ksctl connectionmgmt sap-dc test --api-endpoint <SAPDataCustodian-API-Endpoint> --tech-user-creds <api-key,secret>
Example Request
ksctl connectionmgmt sap-dc test --api-endpoint "https://test-endpoint.com" --tech-user-creds '{"api_key":"eyJjcmVkZW-------cCJ9","secret":"oYtZk-----wnWGi"}'
Example Response
{
  "connection_ok": true
}
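Added example (not part of the original documentation or of ksctl): a Python check over the JSON returned by ksctl connectionmgmt sap-dc list that flags connections departing from this page's guidance, namely Technical Users recommended, a KMS API v2 endpoint, and a connection test run after creation. The helper names, the https requirement, the pagination check and the sample data are assumptions of this example.

```python
import json
from urllib.parse import urlparse

# Constructed sample, shaped like the list responses shown on this page.
SAMPLE_LIST = json.dumps({
    "skip": 0, "limit": 10, "total": 2,
    "resources": [
        {"name": "test-conn", "last_connection_ok": None,
         "api_endpoint": "https://test-endpoint.com",
         "user_credentials": {"tenant": "testtenant", "user": "testuser"}},
        {"name": "test-tu-conn", "last_connection_ok": True,
         "api_endpoint": "https://kms-api-aws-demo.datacustodian.cloud.sap/kms/v2",
         "technical_user_credentials": {"api_key": "<redacted>"}},
    ],
})

def audit_connection(conn):
    """Return a list of findings for one connection object (hypothetical helper)."""
    findings = []
    url = urlparse(conn.get("api_endpoint", ""))
    if url.scheme != "https":  # assumption: policy chosen for this example
        findings.append("endpoint is not https")
    if not url.path.rstrip("/").endswith("/kms/v2"):  # only v2 is supported
        findings.append("endpoint does not name KMS API v2")
    if "technical_user_credentials" not in conn:  # Technical Users recommended
        findings.append("standard-user credentials in use")
    if conn.get("last_connection_ok") is not True:  # null means never tested
        findings.append("no successful connection test recorded")
    return findings

def audit_list(raw_json):
    """Audit every connection in a list response and note truncated pages."""
    data = json.loads(raw_json)
    resources = data.get("resources", [])
    report = {c.get("name", c.get("id", "?")): audit_connection(c) for c in resources}
    if data.get("total", len(resources)) > data.get("skip", 0) + len(resources):
        report["_incomplete"] = ["response is one page of a longer list"]
    return report

if __name__ == "__main__":
    for name, findings in audit_list(SAMPLE_LIST).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

To audit a live system, pass the saved output of ksctl connectionmgmt sap-dc list to audit_list in place of SAMPLE_LIST.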