Creating KACLS Endpoints
Use the POST /v1/cckm/GoogleWorkspaceCSE/endpoints API to create or update KACLS endpoints for Google Workspace CSE. The API also creates a KEK for wrapping and unwrapping the DEK.
When creating an endpoint, specify the following details:
- Unique name for the endpoint.
- Authentication audience (the third-party identity provider's client ID) for the endpoint.
- Hostname and port (<hostname>:<port>) of the endpoint URL. This is the fully qualified domain name (FQDN) of the CCKM/CipherTrust Manager. If the port is not specified, 443 is the default port.
Note
The web interface port within CipherTrust Manager can be changed from the default port of 443 to another port. If you plan to change the default port for the CipherTrust Manager web interface, change it before configuring the Google Workspace CSE service on CCKM, and reflect the port change when creating a KACLS endpoint on CCKM. Changing the default port after configuring Google Workspace CSE is not supported. Refer to Support for Changing the Default Port of Web Interface Setting for instructions on changing the port when configuring a Google Workspace CSE endpoint.
- Identity provider (issuer): Select from the list of available identity providers by providing the issuer ID in the endpoint creation parameters. If no issuer is selected, all the identity providers are added to the endpoint by default.
Syntax
```
curl -k '<IP>/api/v1/cckm/GoogleWorkspaceCSE/endpoints' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "name": "<endpoint-name>",\n "endpoint_url_hostname": "<endpoint_url_hostname>",\n "issuer": [\n "<issuer-id-1>",\n "<issuer-id-2>"\n ],\n "authenticationAud": [\n "<authentication-aud>"\n ]\n}' --compressed
```
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
authenticationAud | array of strings | List of supported audiences for the authentication JWT. This is the ID of the third-party identity provider. For example, for Auth0, it is represented by the Client ID. |
endpoint_url_hostname | string | Hostname and port (<hostname>:<port>) of the endpoint URL. Enter the fully qualified domain name (FQDN) of the CCKM/CipherTrust Manager appliance. If the port is not specified, 443 is the default port. NOTE: The web interface port within CipherTrust Manager can be changed from the default port of 443 to another port. If you plan to change the default port for the CipherTrust Manager web interface, change it before configuring the Google Workspace CSE service on CCKM, and reflect the port change when creating a KACLS endpoint on CCKM. Changing the default port after configuring Google Workspace CSE is not supported. Refer to Support for Changing the Default Port of Web Interface Setting for instructions on changing the port when configuring a Google Workspace CSE endpoint. |
name | string | Name for the endpoint. |
authorizationAud | array of strings | List of supported audiences for the authorization JWT. |
cors | array of strings | List of Cross-Origin Resource Sharing (CORS) origins to support. |
endpoint_url | string | Unique base URL for the endpoint. |
issuer | array of strings | List of trusted issuer IDs to use with this endpoint. Issuers are managed through the /GoogleWorkspaceCSE/issuers URL. |
meta | JSON | Additional information about the endpoint. |
allow_privileged_unwrap (optional) | boolean | Whether to enable the privileged-unwrap configuration for this endpoint. Set to true to enable. Default is false. |
allow_rewrap (optional) | boolean | Whether to enable the rewrap configuration for this endpoint. Set to true to enable. Default is false. |
allow_guest_access (optional) | boolean | Whether to enable guest access for this KACLS endpoint. Set to true to enable. Default is false. |
Note
To perform the key migration, the value of the allow_rewrap parameter must be true for the endpoint and the rewrap configuration must be set. Refer to Updating a Rewrap Configuration.
Example Request
```
curl -k 'https://127.0.0.1/api/v1/cckm/GoogleWorkspaceCSE/endpoints' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "name": "endpoint_demo",\n "endpoint_url_hostname": "demo.thalesgwsintegration.net",\n "issuer": [\n "39a9e91b-7a95-4fbf-bf79-30930eeb1d2c",\n "39a9e91b-7a95-4fbf-bf79-30930eeb1d2d"\n ],\n "authenticationAud": [\n "122334a33qr31038dekfhfl"\n ]\n}' --compressed
```
Example Response
```
{
  "issuer": [
    "39a9e91b-7a95-4fbf-bf79-30930eeb1d2c",
    "39a9e91b-7a95-4fbf-bf79-30930eeb1d2d"
  ],
  "id": "c1583936-7d03-4e2d-a0ae-3a1ae2d2e200",
  "uri": "kylo:kylo:cckm:kacls-endpoint:demo",
  "account": "kylo:kylo:admin:accounts:kylo",
  "application": "ncryptify:gemalto:admin:apps:kylo",
  "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
  "createdAt": "2020-10-15T13:30:57.560148051Z",
  "name": "endpoint_demo",
  "endpoint_url_hostname": "demo.thalesgwsintegration.net",
  "updatedAt": "2020-10-15T13:30:57.560148051Z",
  "cors": null,
  "authorizationAud": null,
  "authenticationAud": [
    "122334a33qr31038dekfhfl"
  ],
  "endpoint_url": "https://demo.thalesgwsintegration.net/api/v1/cckm/GoogleWorkspaceCSE/endpoints/c1583936-7d03-4e2d-a0ae-3a1ae2d2e200",
  "kekName": "ks-cc84e97b53e5457cbd6b664174a0f1df57570a3aa4044ee887077203940f1221",
  "kekID": "cc84e97b53e5457cbd6b664174a0f1df57570a3aa4044ee887073303940f10c1",
  "meta": null
}
```
The output shows the endpoint ID "c1583936-7d03-4e2d-a0ae-3a1ae2d2e200". Each endpoint has a unique ID. The endpoint ID is required when viewing, modifying, wrapping, unwrapping, and deleting the endpoint. The ID is also required when rotating the encryption key of the endpoint, and when viewing and updating the KACLS perimeters.
A KEK named "kekName" with the ID "kekID" is also created. The latest version of the KEK is used for wrapping and unwrapping the DEK. The default version is 0, and the version increases on each subsequent key rotation.
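The following Python client is an added example and is not CCKM's or Thales's own code. It assumes only the request and response shapes shown on this page: it validates the <hostname>:<port> value (defaulting to 443, the same default the web interface uses), builds the POST body with the optional allow_* flags omitted unless set, and pulls the endpoint ID, kekName and kekID out of the response so that later rewrap, rotation and perimeter calls have what they need. The host, token and sample response values are constructed placeholders, and `create_endpoint` is the only function that touches the network.

```python
"""Create a Google Workspace CSE KACLS endpoint on CCKM over its REST API.

Added example (not vendor code). Request/response shapes follow the
POST /api/v1/cckm/GoogleWorkspaceCSE/endpoints documentation on this page;
all host names, tokens and IDs below are constructed placeholders.
"""
import json
import ssl
import urllib.request
from typing import Iterable, Optional, Tuple

ENDPOINTS_PATH = "/api/v1/cckm/GoogleWorkspaceCSE/endpoints"
DEFAULT_PORT = 443  # web interface default; must match a changed UI port


def parse_endpoint_hostname(value: str) -> Tuple[str, int]:
    """Split '<hostname>:<port>' into (hostname, port), defaulting to 443.

    Google reaches the KACLS at exactly this host:port, so a port given here
    must equal the CipherTrust Manager web interface port. IPv6 literals are
    not handled by this simple splitter.
    """
    if not value or value.startswith(("http://", "https://")):
        raise ValueError("endpoint_url_hostname is a bare host[:port], not a URL")
    host, sep, port = value.rpartition(":")
    if not sep:
        return value, DEFAULT_PORT
    if not host or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"invalid endpoint_url_hostname: {value!r}")
    return host, int(port)


def build_endpoint_request(name: str, endpoint_url_hostname: str,
                           authentication_aud: Iterable[str],
                           issuer: Optional[Iterable[str]] = None,
                           allow_rewrap: bool = False,
                           allow_privileged_unwrap: bool = False,
                           allow_guest_access: bool = False) -> dict:
    """Build the JSON body for the endpoint creation call."""
    if not name:
        raise ValueError("name is required")
    auds = list(authentication_aud)
    if not auds:
        raise ValueError("authenticationAud needs at least one IdP client ID")
    parse_endpoint_hostname(endpoint_url_hostname)  # fail early on bad host:port
    body = {"name": name,
            "endpoint_url_hostname": endpoint_url_hostname,
            "authenticationAud": auds}
    # Omitting "issuer" makes CCKM attach every configured identity provider;
    # listing issuer IDs explicitly restricts which IdPs this endpoint trusts.
    issuers = list(issuer) if issuer else []
    if issuers:
        body["issuer"] = issuers
    # The allow_* flags default to false server-side; only send true values.
    for key, flag in (("allow_rewrap", allow_rewrap),
                      ("allow_privileged_unwrap", allow_privileged_unwrap),
                      ("allow_guest_access", allow_guest_access)):
        if flag:
            body[key] = True
    return body


def parse_endpoint_response(payload: dict) -> dict:
    """Extract the identifiers that later endpoint/KEK operations require."""
    missing = [k for k in ("id", "kekName", "kekID", "endpoint_url")
               if k not in payload]
    if missing:
        raise ValueError(f"response is missing fields: {missing}")
    return {"endpoint_id": payload["id"],
            "kek_name": payload["kekName"],
            "kek_id": payload["kekID"],
            "endpoint_url": payload["endpoint_url"].strip(),
            "issuers": list(payload.get("issuer") or [])}


def create_endpoint(cckm_host: str, token: str, body: dict,
                    verify_tls: bool = True) -> dict:
    """POST the body to CCKM (network call) and return the parsed response."""
    req = urllib.request.Request(
        f"https://{cckm_host}{ENDPOINTS_PATH}",
        data=json.dumps(body).encode("utf-8"),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST")
    ctx = ssl.create_default_context()
    if not verify_tls:  # equivalent of curl -k; only for lab appliances
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return parse_endpoint_response(json.load(resp))


# Constructed sample response mirroring the documented fields (not real IDs).
SAMPLE_RESPONSE = {
    "issuer": ["00000000-0000-4000-8000-000000000001"],
    "id": "11111111-2222-4333-8444-555555555555",
    "name": "endpoint_demo",
    "endpoint_url_hostname": "cckm.example.net",
    "endpoint_url": "https://cckm.example.net" + ENDPOINTS_PATH
                    + "/11111111-2222-4333-8444-555555555555 ",
    "kekName": "ks-placeholderkekname",
    "kekID": "placeholderkekid",
    "meta": None,
}

if __name__ == "__main__":
    body = build_endpoint_request("endpoint_demo", "cckm.example.net:8443",
                                  ["idp-client-id-placeholder"],
                                  issuer=["00000000-0000-4000-8000-000000000001"],
                                  allow_rewrap=True)
    print(json.dumps(body, indent=2))
    print(parse_endpoint_response(SAMPLE_RESPONSE))
```

Run it as-is to see the body that would be sent and the parsed identifiers; replace the placeholders and call `create_endpoint("cckm.example.net", "AUTHTOKEN", body)` to issue the real request. Keep `verify_tls=True` outside of a lab, and record the returned `endpoint_id` and `kek_id`, since every later operation on the endpoint needs them.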
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
Refer to HTTP status codes for details.