Administration
CipherTrust Manager Administration
- Authentication
  - Users
  - Authentication Tokens
  - Client Management
  - Authenticating to the REST API
- Key Policies
- Changing Passwords
- Groups
- Quorums
- Scheduler
- Connection Manager
  - Connections
  - Amazon Web Services (AWS)
  - Google Cloud Platform (GCP)
  - Microsoft Azure
  - Salesforce
  - SAP Data Custodian
  - CIFS/SMB
  - Oracle Cloud Infrastructure (OCI)
  - OIDC
- CLI Toolkit
  - CLI Toolkit Installation
  - Batching Commands with Tokens
  - Example CLI User Set Up
  - Support CLI
- Keys
- Key Rotation
- Crypto Operations
CCKM Administration
- Overview
- AWS Resources
  - Managing AWS Accounts
  - Managing AWS Keys
  - Scheduling Operations
  - Managing AWS Reports
  - Managing Policies
  - Managing AWS Templates
  - Migrating to IAM Roles Anywhere Connections
  - Downloading AWS Metadata
- Azure Resources
  - Prerequisites
    - Prerequisites for Azure Cloud
    - Prerequisites for Azure Stack Cloud with Azure AD
    - Prerequisites for Azure Stack Cloud with Azure ADFS
  - Managing Azure Vaults
  - Managing Azure Keys
  - Managing Azure Certificates
  - Managing Azure Secrets
  - Scheduling Operations
  - Managing Azure Reports
  - Viewing Azure Subscriptions
  - Downloading Azure Metadata
- AWS External Key Store Resources
  - Managing External Key Store Resources
- AWS CloudHSM Key Store Resources
  - Managing an AWS CloudHSM Key Store from CCKM
- Google Cloud Resources
  - Google Cloud Projects
  - Google Cloud Key Rings
  - Google Cloud Keys
  - Google Cloud Reports
  - Scheduling Operations
  - Downloading Google Metadata
- Google Cloud External Key Manager Resources
  - Managing Google EKM Endpoints
  - Managing Google EKM Endpoint Policies
- Google Workspace CSE Resources
  - Access Policies
  - High Level Architecture
  - Prerequisites
  - Communication with KACLS
  - Encrypting Data Encryption Keys
  - Decrypting Data Encryption Keys
  - Endpoints
  - Identity Providers
- Microsoft Double Key Encryption (DKE) Resources
  - Managing DKE Endpoints
  - Managing DKE Authorized Tenants
- Salesforce Resources
  - Managing Salesforce Organizations
  - Managing Salesforce Tenant Secrets
  - Scheduling Operations
  - Managing Salesforce Reports
  - Managing Salesforce Cache-Only Key Endpoints
  - Managing Certificates from Salesforce Organizations
- SAP Resources
  - Managing SAP Groups
  - Managing SAP Keys
  - Scheduling Operations
  - Managing SAP Reports
  - Viewing Linked SAP Applications
  - Downloading SAP Metadata
- Oracle Cloud Resources
  - Managing Oracle Vaults
  - Managing Oracle Keys
  - Managing Oracle Tenancies
  - Scheduling Operations
  - Managing Oracle Reports
  - Managing Oracle Compartments
  - Downloading Oracle Metadata
- OCI External Resources
  - Managing Identity Providers
  - Managing External Vaults
  - Managing External Keys
- Key Material Export and Upload
CTE Administration
- Overview
- Concepts
- Data Transformation
- Managing Profiles
- Managing Clients
  - Enabling Live Data Transformation
  - Setting Client Locks
  - Client Settings
  - CTE Linux Authentication and Client Settings
  - Changing Client Password
  - Managing Membership
  - Deleting Clients
  - Kernel Compatibility Matrix
  - Fetching Latest Capabilities from Clients
- Managing LDT Communication Groups
- Managing Client Groups
- Managing Signature Sets
- Managing Policies
  - Creating Policy Elements
  - Viewing Policy Elements
  - Creating Policies
  - Modifying Policies and Rules
- Managing GuardPoints
  - Secure Start GuardPoints
  - Considerations Before Creating GuardPoints
  - Creating GuardPoints
    - Creating Standard GuardPoints
    - Creating LDT GuardPoints
    - Creating Cloud Object Storage GuardPoints
    - Creating IDT GuardPoints
    - Creating Ransomware Protection GuardPoints
  - Enabling Secure Start for GuardPoints
  - Protecting Teradata Appliances
  - Automatic and Manual GuardPoints
  - Viewing GuardPoints
  - Viewing GuardPoint Status
  - Changing SMB Connection
  - Removing GuardPoints
  - Disabling GuardPoints
  - Enabling GuardPoints
  - Enabling and Disabling MFA on GuardPoints
- Multifactor Authentication
- Integrating CTE Logging with Splunk
- Permissions
- Quorum Control
- Ransomware Protection
- Unique to Client Keys
- Operations
- Common Scenarios
- Reports
  - Clients Health Report
  - Clients Keys Report
  - Clients Profiles Report
  - Clients Policies Report
  - Policies Keys Report
  - GuardPoints Report
  - Clients GuardPoint Status Report
- Troubleshooting
- API Examples
  - Creating Keys
  - Creating Policy Elements
  - Creating Policies
  - LDT Use Cases
  - Creating GuardPoints
- API Response Codes

AWS External Key Store Resources

External Key Store (XKS) resources for integration with Amazon Web Services Key Management Service (AWS KMS) allow you to manage keys held in CipherTrust Data Security Platform Service, and allows AWS KMS to use the keys for cryptographic operations on demand.

The external custom key store entity on CipherTrust Cloud Key Manager (CCKM) provides access to AWS KMS to use source key material in CipherTrust Data Security Platform Service, while preserving end user control to manage those source keys outside of AWS KMS.

The external custom key store contains Hold Your Own Key (HYOK) keys, which acts as an intermediary to the source key material stored in CipherTrust Data Security Platform Service. CipherTrust Data Security Platform Service executes the cryptographic operations.

External custom key stores and HYOK keys on CCKM can be created as linked or unlinked to an external key store in AWS KMS. Linked key stores and keys automatically synchronize with objects in AWS KMS, and unlinked key stores do not. Unlinked key stores and HYOK keys require you to either link those objects, which automatically creates corresponding external key stores and KMS keys on AWS KMS, or to manually create corresponding objects in AWS KMS.

Required Resources

An AWS Account.

Network Topology

Network Considerations for Optimal Stability and Performance

There are some important network considerations for deployments of an external key store.

When CipherTrust Data Security Platform Service is the key source, we recommend a network latency of round-trip communication of 35 ms or less between AWS KMS and the CipherTrust Data Security Platform Service.
We recommend preparing only one or two external key stores per deployment.

High Level Integration Process Using CipherTrust Manager as a Key Source

These are the high level steps to allow AWS KMS to begin making cryptographic requests to CipherTrust Data Security Platform Service source keys through external custom key stores within CCKM. Unlinked external custom key stores and HYOK keys require additional steps.

Prepare an External Custom Key Store.

As part of this process, you establish a CipherTrust Data Security Platform Service connection to the AWS account and create an external custom key store on CCKM.
If you created an unlinked key store on CCKM, you must either link the key store or create a corresponding external key store on AWS KMS, as described in AWS Key Management Service Deployment Guide.
Create an AWS External Custom Key Store on CCKM.
If you have created an unlinked HYOK key on CCKM, either link the key or create a KMS key in the AWS external key store, associated with the the HYOK key on CCKM.

AWS and CCKM Terminology

Terms used in AWS documentation, API, or AWS Console can differ from terms used in CCKM documentation, CipherTrust Data Security Platform Service REST API, and CipherTrust Data Security Platform Service web console for the same concepts. The following table provides equivalencies.

AWS term(s)	CCKM term(s)	Notes
External key	CipherTrust Data Security Platform Service source key	Generally refers to the key material which performs cryptographic operations.
`External Key ID`, `XksKeyId`	`XKS ID`, `XksKeyConfiguration:Id`, `HYOK ID`	This is the key identifier which AWS KMS specifies in cryptographic requests. Important Note: This `XKS ID` is associated with the HYOK. It is not the source CipherTrust Data Security Platform Service or Luna HSM key's ID.
External Key Store	External Custom Key Store, Custom Key Store	CCKM documentation refers to the CCKM object as external custom key store and the AWS object as external key store. Product interfaces may use these terms interchangeably.
`Proxy URI endpoint`	`XKS Proxy URI Endpoint`	This value is the CipherTrust Data Security Platform Service domain name, `https://ciphertrust.dpondemand.io`. This is the hostname to which AWS KMS first connects for cryptographic requests.
`Proxy URI Path`	XKS Proxy URI Path	This is the path associated with an external custom key store in CCKM.
XKS proxy configuration file	Credentials file	The downloadable file available in CCKM when you create a new external custom key store or rotate the credentials for an external custom key store. This file contains the external custom key store's Proxy URI path prefix, Access key ID, and Secret access key values.

Suggest A Change

AWS External Key Store Resources

Required Resources

Network Topology

Network Considerations for Optimal Stability and Performance

High Level Integration Process Using CipherTrust Manager as a Key Source

AWS and CCKM Terminology

On this page