Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

Administration
Release Notes
CSEG Administration
BYOK Integration
WebServices Guide
BYOK REST APIs

All

All

Advanced Topics - Centrally Managed APIs

Concepts

Please Note:

Administration
Quick Start
Alternative Deployment Method
Tasks
- Centrally Managed APIs Tasks
  - Protect Data
  - Reveal Data
  - Reprotect Data
  - Renew client certificate
- Traditional APIs Tasks
  - Generate random IV
  - Encrypt Data
  - Decrypt Data
  - Encrypt String and Write to File
  - Encrypt/Decrypt Email (Masking Domain)
  - Encrypt/Decrypt File
  - MAC Operations
    - Bulk Operations in HMAC
    - Generate MAC
    - Verify MAC
  - Sign and Sign Verify
    - Generate Digital Signature with RSA Private Key using message/text
    - Verify Digital Signature with RSA Public Key using message/text
    - Generating Digital Signature with RSA Private Key using pre-calculated hash
    - Verify Digital Signature with RSA Public Key using Pre-calculated Hash
  - Key Operations
    - Create global key
    - Create key with random name
    - Create key owned by the NAE user
    - Create EC key owned by NAE user
    - Create Symmetric Key Using HKDF Algorithm
    - Create Key and Assign Permissions
    - Create Key and Assign Custom Attributes
    - Modify Group Permissions for an Existing Key
    - Get Group Permissions on an Existing Key
    - Generate Global RSA Public-Private Key Pair
    - Generate Global EC Public-Private Key Pair
    - Generate KMIP Public-Private Key Pair
    - Export Global Key
    - Export Non-Global Key
    - Import Global Key
    - Delete Global Key
    - Get Size of Global Key
    - Return List of Global Keys on NAE Server
    - Return List of Available Keys on NAE Server
    - Access Non-Global Key
    - Wrap Key
    - Get Key Names
    - Create Versioned Key
    - Create New Version of Key
    - Alter State of a Key Version
    - Encryption, Decryption, and MAC Operations Using Versioned Key
    - Encrypt and Decrypt using All Key Versions
    - Export Versioned Key
  - User and Group Management Tasks
    - Create User
    - Delete User
    - Create User with Custom Attributes
    - Update Custom Attribute User
    - Retrieve Custom Attribute
    - Delete Custom Attribute
    - Change User Password
    - Change Key Owner
    - List Group Membership of a Specific User
    - List All Users in All Groups
    - List All Users in Single Group
    - Create Group
    - Delete Group
    - Add Users to Group
    - List All Users in Specific Group
    - Get All Information About Group
  - Certificate Management Tasks
    - Import Certificate to Key Manager
    - Export Certificate and Private Key From Key Manager
    - Export Certificate From Key Manager
    - Export CA Certificate From Key Manager
    - Delete Certificate From Key Manager
  - Session Management Tasks
    - Create Global Session
    - Create Global Session Using SSL with Client Certificates
    - Create Authenticated Session using NAE Credentials
    - Create an Authenticated Session using Domain User
    - Create session with Obfuscated Credentials
    - Create Authenticated Session using SSL with Client Certificates
    - Create Authenticated Session using SessionLevelConfig
    - Create Authenticated Session with Access to Persistent Key Cache
  - Add Multiple Key Managers
  - Refresh Cached Keys
  - KMIP Tasks
    - KMIP Session
    - Wrap Key
    - Verify Key
    - KMIP Encrypt and Decrypt
    - KMIP Encrypt and Decrypt Sample
  - Obfuscate Credentials
  - Logging Related Tasks
    - Time-based Log Rotation
    - Size-based Log Rotation
    - Time and Size -based Log Rotation
    - Include GMT Timestamp Offset
    - Log_MaxBackupIndex
    - Reloading Log Configuration
    - Targeted Logging
    - Configuring Multiple Logging Outputs
    - Implement External Logger Object
  - Obfuscate SSL Client Private Key Passphrase
  - Chain Operations
    - Create Chained Operations
    - Return Intermediate Result in a Chain of Operations
  - SSL Configuration
    - Configure SSL on CipherTrust Manager for NAE Interface
    - Configure SSL on CipherTrust Manager for KMIP Interface
  - Tokenization Related Tasks
    - Initialize and close Token Service Vaultless instance
    - Create token for the plaintext
    - Return plaintext for token
    - Tokenize and detokenize Unicode blocks
    - Tokenize and detokenize large data set
    - Tokenize/Detokenize Date
    - Java API Sample
    - REST APIs
  - Configure CADP for Java to use Remote Keystore
  - Run Multiple Web Applications on Application Server
Advanced Topics
- Advanced Topics - Centrally Managed APIs
  - Concepts
  - Protection Policy
  - CADP for Java Logging
  - Client Status
  - Integrate client status notification in your application
- Advanced Topics - Traditional APIs
  - Configuration Parameters
    - Network Configuration Parameters
    - Connection Configuration Parameters
    - Local Encryption Parameters
    - SSL Configuration Parameters
    - Logging Parameters
    - Miscellaneous Parameters
  - Connect to Server
  - Connection Pooling
  - Load Balancing
  - Multi-Tier Load Balancing
  - Format Preserving Encryption
    - FPE/AES
    - FPE/FF1
    - FPE/FF1v2
    - FPE/FF3
    - FPE/FF3-1
    - FPE Formats
    - FPE/AES/Unicode Cardinality Block-Size Table
  - CADP for Java Utilities
    - CryptoDataUtility
    - GetJCEDetails Utility
  - Supported Algorithms
    - Encryption and Decryption with Symmetric Keys
    - Encryption and Decryption with Asymmetric Keys
    - Message Authentication Codes
    - Digital Signatures
    - Supported Cryptographic Algorithms
  - KMIP Fundamentals
    - KMIP Managed Objects
    - KMIP Attribute
    - KMIP Managed Operations
    - KMIP Multiple Operation Batching
    - KMIP Support for NAECertificates
    - Certify and Recertify
    - KMIP States and Dates
  - Key Caching
    - Symmetric/Asymmetric Key Caching
    - Persistent Key Caching
  - Logging
  - Tokenization Concepts
    - AlgoSpec
    - TokenSpec
    - Bulk Migration Parameters
  - Advisory Notes and Best Practices
Troubleshooting

CADP for Java
Administration
Advanced Topics
Advanced Topics - Centrally Managed APIs
Concepts

Concepts

Application

An application, defined on the CipherTrust Manager, contains the necessary configurations that are required by the CADP for Java to protect or reveal data. After the application is defined, a registration token is generated. This token is required for the client to get registered with the application. Refer to Managing Applications for details.

Access Policy

Access policies contain set of rules that govern how the decrypted data will be revealed based on the user. Each access policy has a default reveal format for any user that is not part of any user set. Access policy can act differently for different users sets. Refer to Managing Access Policy for details.

User Set

A user set is a collection of users that you want to grant or deny access to reveal data. User sets are configured in access policies. Policies can be applied to user sets, not to individual users. Refer to Managing User Set for details.

Dynamic Masking

Creates masking format for the reveal operation. Dynamic masking format determines how the output of the reveal operation is displayed to the application users. While creating this format, you can choose to show or hide characters and the masking character that will be used mask the data. By default, X is masking character. Refer to Managing Masking Formats for details.

Heartbeat

Heartbeat is a lightweight mechanism that allows CADP for Java to poll the CipherTrust Manager for any change in policies and/or configurations. Refer to Heartbeat Configuration for details. The heartbeat parameters determine the health of your CADP for Java client. Refer to Client status for details.

The time on both the client and server machines must be synchronized. To ensure this, configure NTP (Network Time Protocol) by following these instructions. If the client is still unable to fetch latest policy after time synchronization, configure the heartbeat interval value greater than the delay between the client and server.

Key Caching

The key caching allows CADP for Java to securely cache a copy of the in-use key that it received from the CipherTrust Manager, and store it for a limited time to perform cryptographic operations locally. Keys cached are stored in secured process memory only; they are not stored on disk. Only keys that are marked exportable can be cached.

Key States

A key state determines which operations can be performed using that key. Refer to Key States for details. Based on the key states, the CADP for Java will throw exceptions for the following key states.

Compromised Key State: Cannot Protect with Compromised Key Version
Deactivated Key State: Cannot perform operation with Deactivated Key Version

On this page

CADP for Java

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
Legal

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com