Administration
CipherTrust Manager Administration
- Authentication
  - Users
  - Authentication Tokens
  - Client Management
  - Authenticating to the REST API
- Key Policies
- Changing Passwords
- Groups
- Quorums
- Scheduler
- Connection Manager
  - Connections
  - Amazon Web Services (AWS)
  - Google Cloud Platform (GCP)
  - Microsoft Azure
  - Salesforce
  - SAP Data Custodian
  - CIFS/SMB
  - Oracle Cloud Infrastructure (OCI)
  - OIDC
- CLI Toolkit
  - CLI Toolkit Installation
  - Batching Commands with Tokens
  - Example CLI User Set Up
  - Support CLI
- Keys
- Key Rotation
- Crypto Operations
CCKM Administration
- Overview
- AWS Resources
  - Managing AWS Accounts
  - Managing AWS Keys
  - Scheduling Operations
  - Managing AWS Reports
  - Managing Policies
  - Managing AWS Templates
  - Migrating to IAM Roles Anywhere Connections
  - Downloading AWS Metadata
- Azure Resources
  - Prerequisites
    - Prerequisites for Azure Cloud
    - Prerequisites for Azure Stack Cloud with Azure AD
    - Prerequisites for Azure Stack Cloud with Azure ADFS
  - Managing Azure Vaults
  - Managing Azure Keys
  - Managing Azure Certificates
  - Managing Azure Secrets
  - Scheduling Operations
  - Managing Azure Reports
  - Viewing Azure Subscriptions
  - Downloading Azure Metadata
- AWS External Key Store Resources
  - Managing External Key Store Resources
- AWS CloudHSM Key Store Resources
  - Managing an AWS CloudHSM Key Store from CCKM
- Google Cloud Resources
  - Google Cloud Projects
  - Google Cloud Key Rings
  - Google Cloud Keys
  - Google Cloud Reports
  - Scheduling Operations
  - Downloading Google Metadata
- Google Cloud External Key Manager Resources
  - Managing Google EKM Endpoints
  - Managing Google EKM Endpoint Policies
- Google Workspace CSE Resources
  - Access Policies
  - High Level Architecture
  - Prerequisites
  - Communication with KACLS
  - Encrypting Data Encryption Keys
  - Decrypting Data Encryption Keys
  - Endpoints
  - Identity Providers
- Microsoft Double Key Encryption (DKE) Resources
  - Managing DKE Endpoints
  - Managing DKE Authorized Tenants
- Salesforce Resources
  - Managing Salesforce Organizations
  - Managing Salesforce Tenant Secrets
  - Scheduling Operations
  - Managing Salesforce Reports
  - Managing Salesforce Cache-Only Key Endpoints
  - Managing Certificates from Salesforce Organizations
- SAP Resources
  - Managing SAP Groups
  - Managing SAP Keys
  - Scheduling Operations
  - Managing SAP Reports
  - Viewing Linked SAP Applications
  - Downloading SAP Metadata
- Oracle Cloud Resources
  - Managing Oracle Vaults
  - Managing Oracle Keys
  - Managing Oracle Tenancies
  - Scheduling Operations
  - Managing Oracle Reports
  - Managing Oracle Compartments
  - Downloading Oracle Metadata
- OCI External Resources
  - Managing Identity Providers
  - Managing External Vaults
  - Managing External Keys
- Key Material Export and Upload
CTE Administration
- Overview
- Concepts
- Data Transformation
- Managing Profiles
- Managing Clients
  - Enabling Live Data Transformation
  - Setting Client Locks
  - Client Settings
  - CTE Linux Authentication and Client Settings
  - Changing Client Password
  - Managing Membership
  - Deleting Clients
  - Kernel Compatibility Matrix
  - Fetching Latest Capabilities from Clients
- Managing LDT Communication Groups
- Managing Client Groups
- Managing Signature Sets
- Managing Policies
  - Creating Policy Elements
  - Viewing Policy Elements
  - Creating Policies
  - Modifying Policies and Rules
- Managing GuardPoints
  - Secure Start GuardPoints
  - Considerations Before Creating GuardPoints
  - Creating GuardPoints
    - Creating Standard GuardPoints
    - Creating LDT GuardPoints
    - Creating Cloud Object Storage GuardPoints
    - Creating IDT GuardPoints
    - Creating Ransomware Protection GuardPoints
  - Enabling Secure Start for GuardPoints
  - Protecting Teradata Appliances
  - Automatic and Manual GuardPoints
  - Viewing GuardPoints
  - Viewing GuardPoint Status
  - Changing SMB Connection
  - Removing GuardPoints
  - Disabling GuardPoints
  - Enabling GuardPoints
  - Enabling and Disabling MFA on GuardPoints
- Multifactor Authentication
- Integrating CTE Logging with Splunk
- Permissions
- Quorum Control
- Ransomware Protection
- Unique to Client Keys
- Operations
- Common Scenarios
- Reports
  - Clients Health Report
  - Clients Keys Report
  - Clients Profiles Report
  - Clients Policies Report
  - Policies Keys Report
  - GuardPoints Report
  - Clients GuardPoint Status Report
- Troubleshooting
- API Examples
  - Creating Keys
  - Creating Policy Elements
  - Creating Policies
  - LDT Use Cases
  - Creating GuardPoints
- API Response Codes

Prerequisites

Common Prerequisites

Before you can perform client side encryption:

Make sure you have a stable release of Google Chrome or Microsoft Edge installed and running.
Make sure your access to KACLS is not blocked by web filters, for example, Zscaler.
Make sure you have the CCKM Admins rights to perform Google Workspace CSE operations on the CipherTrust Manager.
Make sure that an identity provider system is set up correctly. For this, the identity provider admin uses either of following methods:

Using .well-known File Configuration
1. Host the cse-configuration JSON file on a Web server. A sample JSON file looks like this:
```
{
  "name": "CSE IDP",
  "client_id": "<authenticationAud>",
  "discovery_uri": "<openidConfigurationURL>",
  "audience": "cse-test"
}
```
  Here,
  - <authenticationAud> is the ID of the third-party identity provider. For example, for Auth0, it is represented by the Client ID.
  - <openidConfigurationURL> is the identity provider configuration URL. For example, for Auth0, it can be https://demo.auth0.com/.well-known/openid-configuration.
2. Create a sub-domain on the Google domain portal for the hosted Web server. Navigate to the Google domain > DNS > Customer resource records and add the IP address of the Web server with the name cse.
Using IdP Fallback Settings
1. On the Google Admin Console, set identity provider configuration.
2. Specify the following fields:
  - Name: Name for the identity provider.
  - Client ID: The ID of the third-party identity provider. For example, for Auth0 and STA, it is represented by the Client ID.
  - Discovery URI: The identity provider configuration URL. For example, for Auth0, it can be https://demo.auth0.com/.well-known/openid-configuration, and for STA, it is represented by WELL KNOWN CONFIGURATION URL.
  - Grant type: Set as Implicit.
3. Test and save the settings.
(Applicable when a valid public DNS for the CipherTrust Manager is unavailable.) Create a subdomain for Thales key service (KACLS) on Google domain. Refer to Creating a Subdomain on Google Domain.
Create a URL to access the KACLS. This URL is referred to as KACLS Endpoint URL in this document. Refer to Creating a KACLS Endpoint URL below.
Configure Google Workspace connection to KACLS. Refer to Configure Google Workspace Connection to KACLS for details.

Creating a Subdomain on Google Domain

Note

This section is applicable when a valid public DNS for the CipherTrust Manager is unavailable.

Log on to Google domain as a super admin for the user domain.
Navigate to DNS > Custom resource records.
Create a subdomain for the KACLS. Specify a name for your subdomain and the IP address or hostname of the KACLS.

Creating a KACLS Endpoint URL

A KACLS URL is needed to access the Thales key service. Google Workspace administrators use this URL to configure Google Workspace to communicate with the KACLS. Creating a KACLS URL requires an identity provider and a KACLS endpoint.

To create a KACLS endpoint URL:

Create an identity provider.
- GUI: Refer to Creating Identity Providers.
- API: Refer to Creating Identity Providers.
Create a KACLS endpoint.
- GUI: Refer to Creating KACLS Endpoints.
- API: Refer to Creating KACLS Endpoints.

Note

Before proceeding, make sure that the KACLS endpoint URL is accessible from the internet and KACLS is running.

Configure Google Workspace Connection to KACLS

To configure the Google Workspace connection to KACLS:

Open the Google Admin console, http://admin.google.com.
Log on to the user domain as a super admin.
Navigate to CSE settings: Security > Client Side Encryption.
Click Add external key service.
Specify Name of external key service. This name will appear in error messages if Google Workspace cannot contact the key service.
Enter URL of external key service. This URL was created in Creating a KACLS Endpoint URL.
Click TEST CONNECTION to test that Google Workspace can communicate with the KACLS.

If the connection fails, correct the KACLS endpoint URL, ensure the Internet connectivity, and retry.
Click CONTINUE.
Click SAVE. The Google Workspace connection to KACLS is configured.

Additional Prerequisites for Gmail

Apart from the prerequisites described above, perform these additional steps for Gmail:

Create a test environment and enroll it with Google.
Enable Google Workspace CSE for intended Gmail users (senders and recipients).
1. Open the Google Admin console, http://admin.google.com.
2. Log on to the user domain as a super admin.
3. Navigate to CSE settings: Data > Compliance > Client-Side Encryption.
4. Scroll down to the Apps section and click the Gmail link.
5. Select an organizational unit or group for which you want to enable Gmail CSE.
6. Under User access, select ON.
7. Save the settings.
Prepare your certificates.
1. Generate S/MIME certificates. Adhere to the Google-specified certificate chain rules.
2. Wrap associated private keys using your KACLS endpoint URLs. Refer to Encrypting Private Keys (wrapprivatekey) for details.
3. Upload the wrapped private keys and certificates to Google.
  1. Using Google Workspace Admin Console: Use this method if you want Google to trust your own root CA.
    1. Open the Google Admin console, http://admin.google.com.
    2. Log on to the user domain as a super admin.
    3. Navigate to CSE settings: Apps > Google Workspace > Gmail.
    4. On the right, click User settings.
    5. Click S/MIME and select Enable S/MIME encryption for sending and receiving emails and Allow users to upload their own certificates.
    6. Click ADD to upload the root certificate. This root CA is the chain of intermediate and root certificates.
    7. Save the changes.
  2. Using Gmail API client libraries: Use this method to upload each user's S/MIME certificates and wrapped private keys using the API client libraries provided by Google.

Additional Prerequisites for Key Migration

Browser Requirement

The latest stable version of Google Chrome is installed and running.

Configure External Key Management (EKM) Service

To configure the external key management service.

Create a sub-domain for KACLS in the Google domain. Refer to Creating a subdomain on Google domain for details.
Create a KACLS Endpoint URL, refer to Creating a KACLS Endpoint URL.

Configure Migration on KACLS

Using the API, you need to update the rewrap and privilegedUnwrap configurations on the following.

Old KACL
New KACL

Refer to the Update a Rewrap Configuration and Update a Privileged Unwrap Configuration APIs.

Configure Google Workspace Connection to KACLS

Refer to Configure Google Workspace Connection to KACLS for details.

Note

To enable the key migration feature, you need to add an EKM service with backup enabled.
You can only have one backup EKM service enabled at a time.
Ensure to turn on the "migration" toggle.

Suggest A Change

Prerequisites

Common Prerequisites

Creating a Subdomain on Google Domain

Creating a KACLS Endpoint URL

Configure Google Workspace Connection to KACLS

Additional Prerequisites for Gmail

Additional Prerequisites for Key Migration

Browser Requirement

Configure External Key Management (EKM) Service

Configure Migration on KACLS

Configure Google Workspace Connection to KACLS

On this page