Administration
CipherTrust Manager Administration
- Authentication
  - Users
  - Authentication Tokens
  - Client Management
  - Authenticating to the REST API
- Key Policies
- Changing Passwords
- Groups
- Quorums
- Scheduler
- Connection Manager
  - Connections
  - Amazon Web Services (AWS)
  - Google Cloud Platform (GCP)
  - Microsoft Azure
  - Salesforce
  - SAP Data Custodian
  - CIFS/SMB
  - Oracle Cloud Infrastructure (OCI)
  - OIDC
- CLI Toolkit
  - CLI Toolkit Installation
  - Batching Commands with Tokens
  - Example CLI User Set Up
  - Support CLI
- Keys
- Key Rotation
- Crypto Operations
CCKM Administration
- Overview
- AWS Resources
  - Managing AWS Accounts
  - Managing AWS Keys
  - Scheduling Operations
  - Managing AWS Reports
  - Managing Policies
  - Managing AWS Templates
  - Migrating to IAM Roles Anywhere Connections
  - Downloading AWS Metadata
- Azure Resources
  - Prerequisites
    - Prerequisites for Azure Cloud
    - Prerequisites for Azure Stack Cloud with Azure AD
    - Prerequisites for Azure Stack Cloud with Azure ADFS
  - Managing Azure Vaults
  - Managing Azure Keys
  - Managing Azure Certificates
  - Managing Azure Secrets
  - Scheduling Operations
  - Managing Azure Reports
  - Viewing Azure Subscriptions
  - Downloading Azure Metadata
- AWS External Key Store Resources
  - Managing External Key Store Resources
- AWS CloudHSM Key Store Resources
  - Managing an AWS CloudHSM Key Store from CCKM
- Google Cloud Resources
  - Google Cloud Projects
  - Google Cloud Key Rings
  - Google Cloud Keys
  - Google Cloud Reports
  - Scheduling Operations
  - Downloading Google Metadata
- Google Cloud External Key Manager Resources
  - Managing Google EKM Endpoints
  - Managing Google EKM Endpoint Policies
- Google Workspace CSE Resources
  - Access Policies
  - High Level Architecture
  - Prerequisites
  - Communication with KACLS
  - Encrypting Data Encryption Keys
  - Decrypting Data Encryption Keys
  - Endpoints
  - Identity Providers
- Microsoft Double Key Encryption (DKE) Resources
  - Managing DKE Endpoints
  - Managing DKE Authorized Tenants
- Salesforce Resources
  - Managing Salesforce Organizations
  - Managing Salesforce Tenant Secrets
  - Scheduling Operations
  - Managing Salesforce Reports
  - Managing Salesforce Cache-Only Key Endpoints
  - Managing Certificates from Salesforce Organizations
- SAP Resources
  - Managing SAP Groups
  - Managing SAP Keys
  - Scheduling Operations
  - Managing SAP Reports
  - Viewing Linked SAP Applications
  - Downloading SAP Metadata
- Oracle Cloud Resources
  - Managing Oracle Vaults
  - Managing Oracle Keys
  - Managing Oracle Tenancies
  - Scheduling Operations
  - Managing Oracle Reports
  - Managing Oracle Compartments
  - Downloading Oracle Metadata
- OCI External Resources
  - Managing Identity Providers
  - Managing External Vaults
  - Managing External Keys
- Key Material Export and Upload
CTE Administration
- Overview
- Concepts
- Data Transformation
- Managing Profiles
- Managing Clients
  - Enabling Live Data Transformation
  - Setting Client Locks
  - Client Settings
  - CTE Linux Authentication and Client Settings
  - Changing Client Password
  - Managing Membership
  - Deleting Clients
  - Kernel Compatibility Matrix
  - Fetching Latest Capabilities from Clients
- Managing LDT Communication Groups
- Managing Client Groups
- Managing Signature Sets
- Managing Policies
  - Creating Policy Elements
  - Viewing Policy Elements
  - Creating Policies
  - Modifying Policies and Rules
- Managing GuardPoints
  - Secure Start GuardPoints
  - Considerations Before Creating GuardPoints
  - Creating GuardPoints
    - Creating Standard GuardPoints
    - Creating LDT GuardPoints
    - Creating Cloud Object Storage GuardPoints
    - Creating IDT GuardPoints
    - Creating Ransomware Protection GuardPoints
  - Enabling Secure Start for GuardPoints
  - Protecting Teradata Appliances
  - Automatic and Manual GuardPoints
  - Viewing GuardPoints
  - Viewing GuardPoint Status
  - Changing SMB Connection
  - Removing GuardPoints
  - Disabling GuardPoints
  - Enabling GuardPoints
  - Enabling and Disabling MFA on GuardPoints
- Multifactor Authentication
- Integrating CTE Logging with Splunk
- Permissions
- Quorum Control
- Ransomware Protection
- Unique to Client Keys
- Operations
- Common Scenarios
- Reports
  - Clients Health Report
  - Clients Keys Report
  - Clients Profiles Report
  - Clients Policies Report
  - Policies Keys Report
  - GuardPoints Report
  - Clients GuardPoint Status Report
- Troubleshooting
- API Examples
  - Creating Keys
  - Creating Policy Elements
  - Creating Policies
  - LDT Use Cases
  - Creating GuardPoints
- API Response Codes

AWS Resources

This section describes prerequisites to manage AWS resources on the CCKM.

Prerequisites

Before you can add an AWS account to the CCKM, an AWS connection must already exist on the CipherTrust Data Security Platform Service. A CipherTrust Data Security Platform Service administrator manages connections to external resources on the Access Management > Connections Management page of the CipherTrust Data Security Platform Service GUI. Refer to Connection Manager for details.

Appropriate permissions to manage the AWS KMS must be added on the AWS console.

Permissions to list regions: Add the IAM permission ec2:DescribeRegions to list the AWS regions.
For example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:DescribeRegions",
            "Resource": "*"
        }
    ]
}

Permissions to manage AWS resources: Add the following IAM permissions to manage AWS resources:

kms:ListAliases
kms:ListKeyPolicies
kms:ListKeys
kms:ListResourceTags
kms:DescribeKey
kms:GetKeyPolicy
kms:GetKeyRotationStatus
kms:GetParametersForImport
kms:GetPublicKey
kms:TagResource
kms:UntagResource
kms:CancelKeyDeletion
kms:CreateAlias
kms:CreateKey
kms:DeleteAlias
kms:DeleteImportedKeyMaterial
kms:DisableKey
kms:DisableKeyRotation
kms:DescribeCustomKeyStores
kms:EnableKey
kms:EnableKeyRotation
kms:ImportKeyMaterial
kms:ScheduleKeyDeletion
kms:UpdateAlias
kms:UpdateKeyDescription
kms:PutKeyPolicy
iam:ListGroups
iam:ListRoles
iam:ListUsers
logs:DescribeLogGroups
logs:FilterLogEvents

For example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:DisableKey",
                "kms:ListAliases",
                "kms:ListKeyPolicies",
                "kms:ListKeys",
                "kms:ListResourceTags",
                "kms:DescribeKey",
                "kms:GetKeyPolicy",
                "kms:GetKeyRotationStatus",
                "kms:GetParametersForImport",
                "kms:GetPublicKey",
                "kms:TagResource",
                "kms:UntagResource",
                "kms:CancelKeyDeletion",
                "kms:CreateAlias",
                "kms:CreateKey",
                "kms:DeleteAlias",
                "kms:DeleteImportedKeyMaterial",
                "kms:DescribeCustomKeyStores",
                "kms:DisableKeyRotation",
                "kms:EnableKey",
                "kms:EnableKeyRotation",
                "kms:ImportKeyMaterial",
                "kms:ScheduleKeyDeletion",
                "kms:UpdateAlias",
                "kms:UpdateKeyDescription",
                "kms:PutKeyPolicy",
                "iam:ListGroups",
                "iam:ListRoles",
                "iam:ListUsers",
                "logs:DescribeLogGroups",
                "logs:FilterLogEvents"                            
            ],
            "Resource": "*"
        }
    ]
}

Note

To manage a multi-region key, an additional IAM permission iam:CreateServiceLinkedRole is required.
To manage the External Custom Key Stores or CloudHSM Key Stores, additional IAM permissions required to use AWS resources are:
- cloudhsm:DescribeClusters
- kms:CreateCustomKeyStore
- kms:ConnectCustomKeyStore
- kms:DeleteCustomKeyStore
- kms:DisconnectCustomKeyStore
- kms:UpdateCustomKeyStore
- iam:CreateServiceLinkedRole
Permissions might take some time to be effective on AWS. Until then, a permission error might occur. Wait for some time and retry.

Now, AWS accounts and AWS keys can be managed on the CipherTrust Data Security Platform Service.

Note

To use AWS IAM Roles Anywhere with CCKM, additional configuration is required.

Additional Configuration for AWS IAM Roles Anywhere

The AWS IAM Roles Anywhere service allows non-federated identities outside AWS to assume IAM roles and use their permissions to access resources. The service provides a secure way for the workloads that run outside of AWS such as servers, containers, and applications to use X.509 digital certificates to obtain temporary AWS credential. This eliminates the need to manage long-term credentials for external workloads.

To use IAM Roles Anywhere, external workloads must use X.509 certificates issued by a Certificate Authority (CA). The CA needs to be registered as a trust anchor with the IAM Roles Anywhere service to establish trust between them. Alternatively, AWS Private Certificate Authority (AWS Private CA) can be used to create a CA and then use that to establish trust with IAM Roles Anywhere.

CA and Client Certificate Requirements

Client certificates must satisfy the following requirements for authentication:
- The certificates must be X.509v3
- Basic constraints must include CA: false
- The key usage must include Digital Signature
- The signing algorithm must include SHA256 or a stronger algorithm (MD5 and SHA1 signing algorithms are rejected)
Certificates used as trust anchors must satisfy the following requirements for signature algorithm:
- The certificates must be X.509v3
- Basic constraints MUST include CA: true
- The key usage must include Certificate Sign, and may include CRL Sign
- The signing algorithm must include SHA256 or a stronger algorithm (MD5 and SHA1 signing algorithms are rejected)
- Certificate Revocation Lists (CRLs) are an optional feature of IAM Roles Anywhere

Configuration Steps

To use IAM Roles Anywhere for authentication to AWS from external workloads:

Create a trust anchor. This anchor is essentially a reference to a CA that IAM Roles Anywhere service will use to validate the authentication requests. Both the root and intermediate CAs can be used as trust anchors.
Create an IAM role that trusts the IAM Roles Anywhere service principal.
Create a profile that lists the roles IAM Roles Anywhere assumes. In the profile, you can limit the permissions for a created session with IAM managed policies.

By adding one or more roles to a profile and enabling IAM Roles Anywhere to assume these roles, a non-AWS workload can use the client certificate issued by the trusted CA to make secure requests to AWS and get temporary credentials to access the AWS environment.
Note
- Refer to the AWS IAM Roles Anywhere documentation for detailed instructions.
Add an AWS connection on the CipherTrust Data Security Platform Service with IAM Roles Anywhere enabled. While adding the connection for IAM Roles Anywhere, you need to specify:
- The AWS Resource Names (ARNs) of the trust anchor, IAM role, and profile created in the above steps
- Client's private key and certificate
Refer to Connection Manager for details.

Note

If you are using an access key and secrets-based AWS connection and you want to move to an AWS IAM Roles-based connection, refer to Migrating to IAM Roles Anywhere Connections.

Suggest A Change

AWS Resources

Prerequisites

Additional Configuration for AWS IAM Roles Anywhere

CA and Client Certificate Requirements

Configuration Steps

On this page