CCKM Administration
This document explains how to:
-
Add AWS KMS accounts, Azure vaults, Google Cloud key rings, Salesforce organizations, SAP Data Custodian groups, and Oracle Cloud Infrastructure (OCI) vaults to CCKM
-
Manage AWS, Azure, Google CMEK, Google Cloud External Key Manager (EKM) keys, Salesforce tenant secrets, SAP, and OCI keys on CCKM
-
Manage AWS custom key stores on CCKM
-
Schedule key rotation for AWS, Azure, Google Cloud, Salesforce, SAP, and OCI keys
-
Schedule key refresh for AWS, Azure, Google Cloud, Salesforce, SAP, and OCI keys
Workflow
This section describes the high level steps to manage keys using CCKM:
-
Add a connection between the CipherTrust Manager and the desired cloud or key source. This is needed to grant CCKM the access to any of the cloud service or key source users with valid user credentials.
-
Test the connection. The connection must be in the ready state.
-
Add the KMS container that contains the keys to be managed. A KMS container can be:
-
An AWS account
-
An Azure vault
-
A Google Cloud key ring
-
A Salesforce organization
-
A SAP group
-
An OCI vault
When adding a KMS container, you need to select the corresponding connection.
-
-
Refresh the KMS container to download its keys to CCKM. Refreshing a KMS container might take significant amount of time depending on the number of keys stored in it.
CCKM provides options to refresh keys of an individual or all KMS containers of a cloud service or key source.
After a KMS container is refreshed successfully, the downloaded keys can be managed on CCKM itself.
-
Manage keys. With CCKM, you can perform supported key operations such as adding, editing, and rotating keys.
CCKM also provides options to schedule key operations and generate reports for the supported clouds. Refer to relevant sections in the CCKM Administration and CCKM API documentation for more details about the steps listed above and other CCKM features.
