Create Policies, Configurations, Registration Token from the API Playground
1. Acquire an Authorization Token.
a. Open the CipherTrust Manager URL in a browser.
b. Click the API & CLI Documentation link. The API playground is displayed.
c. At the top right, click Authenticate.
d. Enter username and password.
e. Click POST.
On successful token generation, the remaining token expiry time in seconds is displayed. Two new buttons, Clear Credentials and Re Authenticate, are also displayed at the top right.
Note
This acquires an API token and prefills it in the playground examples. The token expires in 300 seconds (5 minutes). When it expires, use this tool again to acquire a new token.
2. Create character sets using the post /v1/data-protection/character-sets API from the playground.
Sample Request
{ "name": "DPGAlphaNum", "range": [ "0030-0039", "0041-005A", "0061-007A" ], "encoding": "UTF-8" }
Sample Response
{ "id": "e3984c47-8096-4d43-8c60-3250148a4f26", "uri": "kylo:kylo:adp-central-configuration:characterSet:dpgalphanum-e3984c47-8096-4d43-8c60-3250148a4f26", "account": "kylo:kylo:admin:accounts:kylo", "createdAt": "2021-10-11T11:05:13.19053792Z", "updatedAt": "2021-10-11T11:05:13.178142065Z", "name": "DPGAlphaNum", "description": "", "alphabet": "", "encoding": "UTF-8", "predefined": false, "range": [ "0030-0039", "0041-005A", "0061-007A" ] }
The sample output shows that the character set named DPGAlphaNum is created. A unique ID (e3984c47-8096-4d43-8c60-3250148a4f26) for the character set is returned.
3. Create protection policies using the post /v1/data-protection/protection-policies API from the playground. When creating a protection policy, ensure that the key (used to perform cryptographic operations) is created on the CipherTrust Manager. For this demo, we are using the dpgKey to perform FPE encryption. This key is marked exportable on the CipherTrust Manager.
Sample Request to add protection policy for employee name
{ "name": "cvv_ProtectionPolicy", "key": "dpgKey", "tweak": "1628462495815733", "tweak_algorithm": "SHA1", "algorithm": "FPE/FF1v2/UNICODE", "character_set_id": "e3984c47-8096-4d43-8c60-3250148a4f26", "allow_single_char_input": false }
Sample Response to add protection policy for employee name
{ "id": "38f9ee28-1ada-4c09-988a-9da452ac2376", "uri": "kylo:kylo:adp-central-configuration:protection policy:Name_ProtectionPolicy-38f9ee28-1ada-4c09-988a-9da452ac2376", "account": "kylo:kylo:admin:accounts:kylo", "createdAt": "2021-10-11T11:13:28.672596835Z", "updatedAt": "2021-10-11T11:13:28.658319539Z", "name": "cvv_ProtectionPolicy", "version": 1, "latest_version": true, "description": "", "key": "dpgKey", "iv": "", "tweak": "1628462495815733", "tweak_algorithm": "SHA1", "character_set_id": "e3984c47-8096-4d43-8c60-3250148a4f26", "algorithm": "FPE/FF1v2/UNICODE", "allow_single_char_input": false }
Sample Request to add protection policy for SSN
{ "name": "ssn_ProtectionPolicy", "key": "dpgKey", "tweak": "9828462495846783", "tweak_algorithm": "SHA1", "algorithm": "FPE/AES/CARD10", "character_set_id": "e3984c47-8096-4d43-8c60-3250148a4f26", "allow_single_char_input": false }
Sample Response to add protection policy for SSN
{ "id": "58f9ee28-1ada-8c09-927a-1da432az6870", "uri": "kylo:kylo:adp-central-configuration:protection policy:SSN_ProtectionPolicy-58f9ee28-1ada-8c09-927a-1da432az6870", "account": "kylo:kylo:admin:accounts:kylo", "createdAt": "2021-10-11T11:13:28.672596835Z", "updatedAt": "2021-10-11T11:13:28.658319539Z", "name": "ssn_ProtectionPolicy", "version": 1, "latest_version": true, "description": "", "key": "dpgKey", "iv": "", "tweak": "9828462495846783", "tweak_algorithm": "SHA1", "character_set_id": "e3984c47-8096-4d43-8c60-3250148a4f26", "algorithm": "FPE/AES/CARD10", "allow_single_char_input": false }
The sample output shows that two protection policies named cvv_ProtectionPolicy and ssn_ProtectionPolicy are created. A unique ID for each protection policy is returned. These policies will govern the crypto operations on DPG.
4. Create DPG policy using the post /v1/data-protection/dpg-policies API from the playground.
Sample Request
{ "name":"CC_Policy", "description":"", "proxy_config":[ { "api_url":"/api/sample/resource", "json_request_post_tokens":[ { "name":"ssn", "operation":"protect", "protection_policy":"ssn_ProtectionPolicy" }, { "name":"creditCard.[*].cvv", "operation":"protect", "protection_policy":"cvv_ProtectionPolicy" } ], "json_response_post_tokens":[ { "name":"ssn", "operation":"reveal", "protection_policy":"ssn_ProtectionPolicy" } ], "json_response_get_tokens":[ { "name":"creditCard.[*].cvv", "operation":"reveal", "protection_policy":"cvv_ProtectionPolicy" } ] } ] }
Sample Response
{ "id": "0759023b-67e4-40a0-b039-3fdbb07431ee", "uri": "kylo:kylo:adp-central-configuration:dpg_policies:dpgpolicy-0759023b-67e4-40a0-b039-3fdbb07431ee", "account": "kylo:kylo:admin:accounts:kylo", "createdAt": "2021-10-11T11:29:01.162744712Z", "updatedAt": "2021-10-11T11:29:01.151752881Z", "name": "CC_Policy", "version": 1, "description": "", "proxy_config": [ { "id": "f0e344d3-e0e9-4c2a-bcdf-76a0504b6add", "uri": "kylo:kylo:adp-central-configuration:dpg_api_urls:f0e344d3-e0e9-4c2a-bcdf-76a0504b6add", "account": "kylo:kylo:admin:accounts:kylo", "createdAt": "2021-10-11T11:29:01.196202803Z", "updatedAt": "2021-10-11T11:29:01.184829115Z", "dpg_policy_id": "0759023b-67e4-40a0-b039-3fdbb07431ee", "api_url": "/api/sample/resource", "destination_url": "", "json_request_post_tokens": [ { "name":"ssn", "operation":"protect", "protection_policy":"ssn_ProtectionPolicy" }, { "name":"creditCard.[*].cvv", "operation":"protect", "protection_policy":"cvv_ProtectionPolicy" } ], "json_response_post_tokens": [ { "name":"ssn", "operation":"reveal", "protection_policy":"ssn_ProtectionPolicy" } ], "json_request_get_tokens": null, "json_response_get_tokens": [ { "name":"creditCard.[*].cvv", "operation":"reveal", "protection_policy":"cvv_ProtectionPolicy" } ] } ] }
The sample output shows that the DPG policy named CC_Policy is created. A unique ID (0759023b-67e4-40a0-b039-3fdbb07431ee) for the DPG policy is returned. The DPG policy uses the protection policies created in step 3 to perform the cryptographic operations.
5. Create client profile using the post /v1/data-protection/client-profiles API from the API playground.
Note
The Common Name (csr_cn) must be the same as the key owner.
Sample Request
{ "name": "CC_profile", "nae_iface_port": 9000, "app_connector_type": "DPG", "policy_id": "0759023b-67e4-40a0-b039-3fdbb07431ee", "lifetime": "30d", "cert_duration": 730, "max_clients": 200, "ca_id": "51941790-40af-4880-a6c0-5b75956196bc", "csr_parameters": { "csr_cn": "admin", "csr_country": "", "csr_state": "", "csr_city": "", "csr_org_name": "", "csr_org_unit": "", "csr_email": "" }, "configurations": { "symmetric_key_cache_enabled": true, "verify_ssl_certificate": false, "syslog_server_ip": "", "syslog_server_port": 514, "syslog_server_protocol": "tcp_ok", "syslog_no_of_retries": 3, "syslog_retry_interval": 1, "syslog_retry_limit": 2, "use_persistent_connections": true, "size_of_connection_pool": 300, "load_balancing_algorithm": "round-robin", "connection_idle_timeout": 600000, "connection_retry_interval": 600000, "cluster_synchronization_delay": 170, "cert_file_location": "", "credentials_encrypted": false, "asymmetric_key_cache_enabled": false, "persistent_cache_enabled": false, "persistent_cache_directory": "", "persistent_cache_expiry_keys": 43200, "persistent_cache_max_size": 100, "log_level": "INFO", "log_file": "", "log_rotation": "Daily", "log_size_limit": "100k", "log_max_backup_index": 10, "log_type": "Console", "maximum_idle_connection": 10000, "maximum_idle_connection_per_host": 10000, "dial_timeout": 10, "dial_keep_alive": 10, "key_non_exportable_policy": true, "symmetric_key_cache_expiry": 43200, "connection_timeout": 60000, "connection_read_timeout": 7000, "heartbeat_interval": 300, "heartbeat_timeout_count": -1, "tls_to_appserver": { "tls_skip_verify": true, "tls_enabled": false } } }
Sample Response
{ "id": "6c5d6156-e991-4ba1-b57b-8bfc480e6109", "uri": "kylo:kylo:adp-central-configuration:clientProfile:dpg-profile-6c5d6156-e991-4ba1-b57b-8bfc480e6109", "account": "kylo:kylo:admin:accounts:kylo", "createdAt": "2021-10-11T11:34:11.356503159Z", "updatedAt": "2021-10-11T11:34:11.356503159Z", "name": "CC_profile", "nae_iface_port": 9000, "owner": "local|e9b1d00b-4ada-419d-a409-a196b058ac53", "reg_token": "YZyiw0yUcuQDtPRJEtdukDjX50kSppc5qqpRq0CrBHujDt9HslA8M20bkgQzBD6g", "app_connector_type": "DPG", "csr_parameters": { "csr_cn": "admin" }, "configurations": { "symmetric_key_cache_enabled": true, "asymmetric_key_cache_enabled": false, "symmetric_key_cache_expiry": 43200, "persistent_cache_enabled": false, "persistent_cache_expiry_keys": 43200, "persistent_cache_max_size": 100, "verify_ssl_certificate": false, "use_persistent_connections": true, "size_of_connection_pool": 300, "load_balancing_algorithm": "round-robin", "connection_timeout": 60000, "connection_read_timeout": 7000, "connection_idle_timeout": 600000, "connection_retry_interval": 600000, "cluster_synchronization_delay": 170, "credentials_encrypted": false, "log_level": "INFO", "log_rotation": "Daily", "log_size_limit": "100k", "log_max_backup_index": 10, "log_type": "Console", "key_non_exportable_policy": true, "maximum_idle_connection": 10000, "maximum_idle_connection_per_host": 10000, "dial_timeout": 10, "dial_keep_alive": 10, "heartbeat_interval": 300, "heartbeat_timeout_count": -1, "tls_to_appserver": { "tls_skip_verify": true, "tls_enabled": false }, "cert_file_location": "", "log_file": "", "syslog_server_ip": "", "syslog_server_port": 514, "syslog_server_protocol": "tcp_ok", "syslog_no_of_retries": 3, "syslog_retry_interval": 1, "syslog_retry_limit": 2, "persistent_cache_directory": "" }, "policy_id": "0759023b-67e4-40a0-b039-3fdbb07431ee", "ca_id": "51941790-40af-4880-a6c0-5b75956196bc" }
The sample output shows that the client profile named CC_profile is created. A unique ID (6c5d6156-e991-4ba1-b57b-8bfc480e6109) for the client profile is returned. When a client profile is created, a reg_token (YZyiw0yUcuQDtPRJEtdukDjX50kSppc5qqpRq0CrBHujDt9HslA8M20bkgQzBD6g) is returned. The client uses this reg_token to register with the CipherTrust Manager.
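The objects created in this procedure reference each other by name or ID (character set, protection policy, DPG policy, client profile), and the sample client profile sets verify_ssl_certificate to false with tls_to_appserver set to tls_enabled false and tls_skip_verify true. The Python lint below is an added example, not part of the original page or of the product: it checks those references and flags the three TLS settings before the requests are posted. The payloads are constructed by trimming the page's samples, the function names are hypothetical, and the reading of the three TLS fields is inferred from their names.

```python
# Constructed inputs, trimmed from the sample requests and responses above.
CHARSET_ID = "e3984c47-8096-4d43-8c60-3250148a4f26"     # returned with the character set
DPG_POLICY_ID = "0759023b-67e4-40a0-b039-3fdbb07431ee"  # returned with the DPG policy
PROTECTION_POLICIES = [{"name": n, "character_set_id": CHARSET_ID}
                       for n in ("cvv_ProtectionPolicy", "ssn_ProtectionPolicy")]
def tok(name, operation, policy):
    return {"name": name, "operation": operation, "protection_policy": policy}

DPG_POLICY = {"name": "CC_Policy", "proxy_config": [{
    "api_url": "/api/sample/resource",
    "json_request_post_tokens": [tok("ssn", "protect", "ssn_ProtectionPolicy"),
                                 tok("creditCard.[*].cvv", "protect", "cvv_ProtectionPolicy")],
    "json_response_post_tokens": [tok("ssn", "reveal", "ssn_ProtectionPolicy")],
    "json_request_get_tokens": None,  # the sample response returns null here
    "json_response_get_tokens": [tok("creditCard.[*].cvv", "reveal", "cvv_ProtectionPolicy")]}]}
CLIENT_PROFILE = {"name": "CC_profile", "policy_id": DPG_POLICY_ID, "configurations": {
    "verify_ssl_certificate": False,
    "tls_to_appserver": {"tls_skip_verify": True, "tls_enabled": False}}}

def lint_references(charset_ids, protection_policies, dpg_policy, dpg_policy_id, profile):
    """Return dangling references along charset -> protection -> DPG policy -> profile."""
    known = {pp["name"] for pp in protection_policies}
    findings = [f"{pp['name']}: unknown character_set_id"
                for pp in protection_policies if pp["character_set_id"] not in charset_ids]
    for proxy in dpg_policy.get("proxy_config", []):
        lists = {k: v or [] for k, v in proxy.items() if k.endswith("_tokens")}
        for key, tokens in lists.items():
            for t in tokens:
                if t["protection_policy"] not in known:
                    findings.append(f"{key} {t['name']}: unknown {t['protection_policy']}")
    if profile["policy_id"] != dpg_policy_id:
        findings.append(f"{profile['name']}: policy_id is not the DPG policy id")
    return findings

def lint_transport(profile):
    """Flag TLS settings that, read by their field names (an assumption), disable checks."""
    cfg = profile["configurations"]
    tls = cfg.get("tls_to_appserver", {})
    bad = {"verify_ssl_certificate": cfg.get("verify_ssl_certificate") is not True,
           "tls_to_appserver.tls_enabled": tls.get("tls_enabled") is not True,
           "tls_to_appserver.tls_skip_verify": tls.get("tls_skip_verify") is not False}
    return [name for name, flagged in bad.items() if flagged]

def hardened(profile):
    """Copy of the profile with the three flagged settings corrected."""
    cfg = {**profile["configurations"], "verify_ssl_certificate": True,
           "tls_to_appserver": {"tls_skip_verify": False, "tls_enabled": True}}
    return {**profile, "configurations": cfg}
```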