Managing SAP Keys
This section describes how to manage SAP keys on CCKM. Before proceeding, you must have a SAP Data Custodian group added to the CCKM. Refer to Managing SAP Groups for details.
Key Creation Methods and Sources
Methods to create SAP cloud keys using CCKM are:
- Creating/Uploading New Key Material: Add key material by creating and uploading new source key or creating new native key. The key source can be:
  - CipherTrust (Local): A new key is first created on the CipherTrust Manager. Then, this key material is uploaded to SAP cloud to create a new SAP key. As the key material is uploaded from the CipherTrust Manager, the key origin is CCKM.
  - SAP (Native): A new key is directly created on SAP cloud using a native SAP application. The key origin is NATIVE.
- Cloning Existing Key Material: Clone key material from an existing key to create a new key. The key source can be:
  - CipherTrust (Local): An existing local CipherTrust Manager key is first cloned on the CipherTrust Manager. Then, the cloned key material is uploaded to SAP cloud to create a new SAP key. As the key material is uploaded from the CipherTrust Manager, the key origin is CCKM.
Creating/Uploading New Key Material
To add a SAP cloud key by creating/uploading new key material:
- Open the Cloud Key Manager application.
- In the left pane, click Cloud Keys > SAP.
- Click Add Key. The Select Material Origin screen of the Add SAP Key wizard is displayed.
- Under Select Method, select Create/Upload New Key Material. The Select Source section appears. Depending on your requirements, select from the following:
  - CipherTrust (Local): Refer to Uploading CipherTrust (Local) Key Material for details.
  - SAP (Native): Refer to Creating SAP (Native) Key Material for details.

  Refer to Key Creation Methods and Sources for details on key sources.
Uploading CipherTrust (Local) Key Material
Upload the local key material using the CipherTrust Manager to configure the source key.
Select Material Origin > Select Source
- Select CipherTrust (Local).
- Click Next. The Configure CipherTrust Key screen is displayed.
Configure CipherTrust (Local) Key
- Enter a Key Name. A new key with this name will be created on the CipherTrust Manager and its key material will be uploaded to SAP cloud.
- Select Key Type. The options are:
  - AES: Creates and uploads an AES key.
  - RSA: Creates and uploads an RSA key pair.
  - EC: Creates and uploads an EC key.
- Select the Key Size / Elliptic Curve based on the key type:
  - For an AES key, select the Key Size. The options are 128, 192, and 256.
  - For an RSA key, select the Key Size. The options are 2048, 3072, and 4096.
  - For an EC key, select the Elliptic Curve. The options are SECP224K1 and SECP256K1.
- Click Next. The Configure SAP Key screen is displayed.
Configure SAP Key
- Enter a unique, user-friendly alias as the SAP Key Name. This will be the key name on SAP cloud. This name helps uniquely identify a SAP key. By default, the Key Name you specified on the previous screen is populated.
- Select the desired SAP Group Name from the drop-down list. The drop-down shows the list of SAP groups added to the CCKM.
- (Optional) Provide a basic Description for the key.
- (Optional) Select Allow Key Export. Selecting this check box allows the key to be exported.
- Select the Key Attributes. The options are:
  - Encrypt, Decrypt, Sign
  - Verify, Wrap, Unwrap

  Note: For EC keys, only Sign and Verify are available. For AES keys, Sign and Verify are not available.
- Click Next. The Review and Add screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
- Review the key details displayed on the screen.
  If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.
- Click Add Key.
  The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
  When the status next to the SOURCE KEY and DESTINATION KEY sections becomes Complete and the Key ID links are displayed, the key is created successfully.
- Click Close. The Add SAP Key wizard is closed.

The newly created key is displayed in the list of SAP keys.
Creating SAP (Native) Key Material
Create the key material directly using a native SAP application.
Select Material Origin > Select Source
- Select SAP (Native).
- Click Next. The Configure SAP Key screen is displayed.
Configure SAP Key
- Enter a unique, user-friendly alias as the SAP Key Name. This will be the key name on SAP cloud. This name helps uniquely identify a SAP key.
- Select the desired SAP Group Name from the drop-down list. The drop-down shows the list of SAP groups added to the CCKM.
- (Optional) Provide a basic Description for the key.
- Select Key Type. The options are:
  - AES: Creates and uploads an AES key.
  - RSA: Creates and uploads an RSA key pair.
  - EC: Creates and uploads an EC key.
- Select the Key Size / Elliptic Curve based on the key type:
  - For an AES key, select the Key Size. The options are 128, 192, and 256.
  - For an RSA key, select the Key Size. The options are 2048, 3072, 4096, and 8192.
  - For an EC key, select the Elliptic Curve. The options are:
    - SECP192K1, SECP224K1, and SECP256K1
    - NISTP192, NISTP224, NISTP256, NISTP384, NISTP521
- (Optional) Select Allow Key Export. Selecting this check box allows the key to be exported.
- Select the Key Attributes. The options are:
  - Encrypt, Decrypt, Sign
  - Verify, Wrap, Unwrap

  Note: For EC keys, only Sign and Verify are available. For AES keys, Sign and Verify are not available.
- Click Next. The Review and Add screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN and NATIVE KEY sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
- Review the key details displayed on the screen.
  If details are incorrect or you want to make any changes, click Edit next to the NATIVE KEY section and update details. Alternatively, click Back and make changes, as appropriate.
- Click Add Key.
  The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
  When the status next to the NATIVE KEY section becomes Complete and the Key ID link is displayed, the key is created successfully.
- Click Close. The Add SAP Key wizard is closed.

The newly created key is displayed in the list of SAP keys. The origin of the key is NATIVE.
Cloning Existing Key Material
To add a new SAP cloud key by cloning key material existing on the CipherTrust Manager:
- Open the Cloud Key Manager application.
- In the left pane, click Cloud Keys > SAP.
- Click Add Key. The Select Material Origin screen of the Add SAP Key wizard is displayed.
- Under Select Method, select Clone Existing Key Material. The Select Source section appears. Depending on your requirements, select from the following:
  - CipherTrust (Local): Refer to Cloning CipherTrust (Local) Key Material for details.

  Refer to Key Creation Methods and Sources for details on these key sources.
Cloning CipherTrust (Local) Key Material
Clone and upload the local key material using the CipherTrust Manager to configure the source key.
Select Material Origin > Select Source
- Select CipherTrust (Local).
- Click Next. The Select CipherTrust Key screen is displayed.
Select CipherTrust (Local) Key
- Select Key Type. The options are:
  - AES: Creates and uploads an AES key.
  - RSA: Creates and uploads an RSA key pair.
  - EC: Creates and uploads an EC key.
- Select the Key Size / Elliptic Curve based on the key type:
  - For an AES key, select the Key Size. The options are 128, 192, and 256.
  - For an RSA key, select the Key Size. The options are 2048, 3072, and 4096.
  - For an EC key, select the Elliptic Curve. The options are SECP224K1 and SECP256K1.
- Select the desired key from the Key Name drop-down list. This field shows the available local CipherTrust Manager keys.
- Click Next. The Configure SAP Key screen is displayed.
Configure SAP Key
- Enter a unique, user-friendly alias as the SAP Key Name. This will be the key name on SAP cloud. This name helps uniquely identify a SAP key. By default, the CipherTrust Key Name you specified on the previous screen is populated.
- Select the desired SAP Group Name from the drop-down list. The drop-down shows the list of SAP groups added to the CCKM.
- (Optional) Provide a basic Description for the key.
- (Optional) Select Allow Key Export. Selecting this check box allows the key to be exported.
- Select the Key Attributes. The options are:
  - Encrypt, Decrypt, Sign
  - Verify, Wrap, Unwrap

  Note: For EC keys, only Sign and Verify are available. For AES keys, Sign and Verify are not available.
- Click Next. The Review and Add screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
- Review the key details displayed on the screen.
  If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.
- Click Add Key.
  The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
  When the status next to the SOURCE KEY and DESTINATION KEY sections becomes Complete and the Key ID links are displayed, the key is created successfully.
- Click Close. The Add SAP Key wizard is closed.

The newly created key is displayed in the list of SAP keys.
Viewing SAP Keys
The SAP Keys page shows the list of SAP cloud keys available on the CipherTrust Manager.
To view the SAP keys:
- Open the Cloud Key Manager application.
- In the left pane, click Cloud Keys > SAP. The list of available SAP keys is displayed. The SAP Keys page displays the following details:

Field | Description |
---|---|
Key Name | Unique, user-friendly name of the SAP key. Click the link to view additional details of the key or edit the key. Refer to Viewing or Editing Details of SAP Keys. This name is useful in searching for specific keys. |
Algorithm | Algorithm of the SAP key. AES, RSA, and EC algorithms with different key sizes and elliptic curves are supported. |
Status | State of the SAP key. The status can be: • Available • Not Available • Deleted |
Key State | State of the SAP key. The status can be Enabled or Disabled. |
Created By | User who created the key. |
Version Count | Number of key versions. |
Creation Date | Date and time when the SAP key is created. |
Operations | Operations allowed using the SAP key. |
Group | SAP group where the SAP key resides. |
Version | Version of the key. |
Origin | Source of the key material used for the version. The origin can be: • CCKM: Key material is created on CCKM. • Native: Key material is created on the cloud. • External (Unknown): Source of the key material is unknown. It is different than CCKM and the native cloud. Refer to Key Creation Methods and Sources for details. |
Application | SAP application (for example, SAP S/4HANA Cloud) where the key is used. |
Tenant | SAP tenant in which the key is created. |
Allow Key Export | Whether the key export is allowed. The setting can be: • Enabled: The key export is allowed. • Disabled: The key export is not allowed. |

The Operations, Group, Version, Origin, Application, Tenant, and Allow Key Export columns are hidden by default. To show/hide a column, click the custom view icon, select/clear the desired column, and click OK.
Refreshing SAP Keys
Refreshing is the process of downloading keys created in SAP groups to CCKM. You can refresh keys from all SAP groups at once.
To refresh all keys:
- Open the Cloud Key Manager application.
- In the left pane, click Cloud Keys > SAP. The SAP Keys page is displayed. This page displays the list of SAP keys.
- Click Refresh All. The This may take a while... message is displayed.
  Note: Refresh all keys is a time intensive operation that could take several hours or days to complete. It will continue running in the background.
- Click Refresh All to continue.
  A message Refresh started... is displayed on the screen. To cancel the refresh, click Cancel Refresh.

The refreshed keys are listed on the Cloud Keys > SAP > SAP Keys page.
Viewing Versions of a Key
To view the versions of a key:
- Open the Cloud Key Manager application.
- In the left pane, click Cloud Keys > SAP.
- Click the expand icon to the left of the desired key. The key versions are displayed.
Disabling a SAP Key
If required, you can disable an enabled key. A disabled key cannot operate on data. Disabling a key disables all versions of the key.
To disable a key:
- Open the Cloud Key Manager application.
- In the left pane, click Cloud Keys > SAP.
- Click the overflow icon corresponding to the desired key.
- Click Disable. The Disable Key dialog box is displayed.
- Click Disable to confirm the action.

The state of the key changes to Disabled.
Enabling a SAP Key
If required, you can enable a disabled key. Enabling a key enables all versions of the key.
To enable a key:
- Open the Cloud Key Manager application.
- In the left pane, click Cloud Keys > SAP.
- Click the overflow icon corresponding to the desired key.
- Click Enable. The Enable Key dialog box is displayed.
- Click Enable to confirm the action.

The state of the key changes to Enabled.
Adding a Key Version
CCKM provides two methods to add a new version to a key. Refer to Key Creation Methods and Sources for details on key creation methods and key sources.
To add a new key version:
- Open the Cloud Key Manager application.
- In the left pane, click Cloud Keys > SAP.
- Click the overflow icon corresponding to the desired key.
- Click Add Version. The Add Version dialog box is displayed.
- Select Method. The options are:
  - Create/Upload New Key Material: Refer to Adding Key Version by Creating/Uploading Key Material.
  - Clone Existing Key Material: Refer to Adding Key Version by Cloning Existing Key Material.
Adding Key Version by Creating New Key Material
- Select Create/Upload New Key Material as the method.
- Select Source. The options are:
  - CipherTrust (Local): Select this option and specify Key Name for the new key version.
  - SAP (Native): Select this option to create a new native SAP key.
- Click Add Version.

A new version is added to the key. The Version Count increases by one on the SAP Keys page.
Adding Key Version by Cloning Existing Key Material
- Select Clone Existing Key Material as the method.
- Select Source. The options are:
  - CipherTrust (Local): Select this option and select a key source for the new key version.
- Click Add Version.

A new version is added to the key. The Version Count increases by one on the SAP Keys page.
Deleting a SAP Key
If no longer required, you can delete a key. The delete operation deletes the key from SAP cloud.
Deleting a Non Exportable Key
Deletion of a non exportable key is irrecoverable. Because the key is not exportable, CCKM cannot back up this key, so it cannot be restored after deletion.
To delete a non exportable key:
- Open the Cloud Key Manager application.
- In the left pane, click Cloud Keys > SAP.
- Click the overflow icon corresponding to the desired key.
- Click Delete. The Remove dialog box is displayed.
  Warning: This will delete the key from SAP. This operation is not recoverable. Because the key is not exportable, CCKM is unable to backup this key, so it cannot be restored after deletion. Are you sure you want to delete the key?
- Click Delete. The Delete Key dialog box is displayed. It shows the name of the key being deleted in bold.
  This dialog box acts as a secondary confirmation so that you are aware of the consequences of the delete operation.
- Type the name of the key to be deleted. When the typed key name matches the given key name, the Delete button is enabled.
- Click Delete to confirm the deletion. To cancel the key deletion, click Cancel.

A message stating that delete key is in progress is displayed. After the key is deleted successfully, it is removed from the list of SAP keys.
Deleting an Exportable Key
When deleting an exportable key, you have the option to proceed with the key deletion even if the key backup fails. If you select this option, CCKM will automatically take a fresh backup of the key before deleting it. If the backup process fails, it will proceed with deleting the key anyway. This may mean the key cannot be restored to its current state.
To delete an exportable key:
- Open the Cloud Key Manager application.
- In the left pane, click Cloud Keys > SAP.
- Click the overflow icon corresponding to the desired key.
- Click Delete. The Delete Key dialog box is displayed.
- (Optional) Select Delete even if backup fails.
  Note: If you select this option, CCKM will automatically take a fresh backup of the key before deleting it. If the backup process fails, it will proceed with deleting the key anyway. This may mean the key cannot be restored to its current state.
- Click Delete. The Delete Key dialog box is displayed. It shows the name of the key being deleted in bold.
  This dialog box acts as a secondary confirmation so that you are aware of the consequences of the delete operation.
- Type the name of the key to be deleted. When the typed key name matches the given key name, the Delete button is enabled.
- Click Delete to confirm the deletion. To cancel the key deletion, click Cancel.

A message stating that delete key is in progress is displayed. After the key is deleted successfully, it is removed from the list of SAP keys.
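
The following is an added example, not part of the CCKM documentation or product. It reviews a key inventory before any deletion and flags keys that CCKM cannot back up (Allow Key Export disabled), keys whose origin is External (Unknown), and attribute sets that contradict the Key Attributes note. The CSV layout, sample rows, and finding codes are constructed for illustration; only the column names are taken from the SAP Keys page, and CCKM's actual export format is not shown on this page.

```python
import csv
import io

# Constructed sample inventory. Column names mirror fields on the SAP Keys
# page; the CSV format itself is an assumption, not a CCKM export format.
SAMPLE_INVENTORY = """\
Key Name,Algorithm,Key State,Origin,Allow Key Export,Operations
hana-data-key,AES,Enabled,CCKM,Enabled,Encrypt;Decrypt;Wrap;Unwrap
s4-signing-key,EC,Enabled,Native,Disabled,Sign;Verify
legacy-import,RSA,Disabled,External (Unknown),Disabled,Encrypt;Decrypt
bad-attrs,AES,Enabled,CCKM,Enabled,Encrypt;Sign
"""

SIGNING_OPS = {"Sign", "Verify"}


def audit_keys(csv_text):
    """Return {key name: [finding codes]} for rows that need review."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        algo = row["Algorithm"].strip().upper()
        ops = {o.strip() for o in row["Operations"].split(";") if o.strip()}

        # Non-exportable keys cannot be backed up by CCKM, so deleting
        # them is irrecoverable.
        if row["Allow Key Export"].strip().lower() != "enabled":
            issues.append("NO_BACKUP_DELETE_IRRECOVERABLE")

        # Key material that came from neither CCKM nor the native cloud.
        if row["Origin"].strip().lower().startswith("external"):
            issues.append("UNKNOWN_ORIGIN")

        # Key Attributes note: EC keys support only Sign and Verify;
        # AES keys support neither Sign nor Verify.
        if algo.startswith("EC") and ops - SIGNING_OPS:
            issues.append("ATTRS_NOT_VALID_FOR_EC")
        if algo.startswith("AES") and ops & SIGNING_OPS:
            issues.append("ATTRS_NOT_VALID_FOR_AES")

        if issues:
            findings[row["Key Name"].strip()] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_keys(SAMPLE_INVENTORY).items():
        print(f"{name}: {', '.join(issues)}")
```
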
Viewing or Editing Details of SAP Keys
After a key is created, you can update key name and description, change exportability, and modify key attributes.
In the edit view of a key, you can view all the key details, such as its purpose, protection level, and location.
To view or edit an SAP key:
- Open the Cloud Key Manager application.
- In the left pane, click Cloud Keys > SAP. The list of available SAP keys is displayed.
- Click the overflow icon corresponding to the desired key and click View/Edit. Alternatively, you can click the key name link. The edit view of the key is displayed. The edit view is divided into:
  - GENERAL INFO: View and update key name and its description (refer to Changing Key Details). Also, you can change the exportability of the key (refer to Changing Key Exportability) and key attributes (refer to Changing Key Attributes).
  - KEY SCHEDULE: Add, update, and disable a key rotation schedule. Refer to Adding or Changing Key Rotation Schedule and Disabling Key Rotation Schedule.
  - KEY VERSIONS: View details of key versions. Refer to Viewing Key Version Details.
Changing Key Details
To modify the key details:
- Expand the GENERAL INFO section, if needed.
- Update the SAP Key Name.
- Add or update Description.
- Click Update.

The key details are updated.
Changing Key Exportability
To change key exportability:
- Expand the GENERAL INFO section, if needed.
- Clear or select Allow Key Export.
  - Select the check box to allow the key export.
  - Clear the check box to prevent the key export.
    When Allow Key Export is disabled, the CipherTrust Manager cannot back up the key.
- Click Update.

The key exportability is changed.
Changing Key Attributes
To modify key attributes:
- Expand the GENERAL INFO section.
- Under Key Attributes, select or clear the desired attributes.
- Click Update.

The key attributes are updated.
Adding or Changing Key Rotation Schedule
To add or update a key rotation schedule:
- Expand the KEY SCHEDULE section.
- From the Select Rotation Schedule drop-down list, select the desired schedule.
- Select the Key Origin. The options are:
  - CipherTrust (Local)
  - Native
- Click Update.

The key rotation schedule is added/updated. The selected schedule is now assigned to the key. To view all the keys assigned to a schedule, refer to Viewing Keys Assigned to Schedules.
Disabling Key Rotation Schedule
To disable a key rotation schedule:
- Expand the KEY SCHEDULE section.
- Next to the Key Rotation Schedule drop-down list, click the close icon.

Auto key rotation is disabled.
Viewing Key Version Details
To view the details of key versions, expand the KEY VERSIONS section. The key version details are displayed:
Field | Description |
---|---|
Version | Version number of the key. |
Key State | State of the key version. The state can be enabled or disabled. |
Created By | User who created the key. |
Creation Date | Date and time when the SAP key is created. |
Operations | Operations allowed using the SAP key. |
Source Key | Source key for the version. |
Origin | Source of the key material. The origin of the key can be: • CCKM: Key material is created on CCKM. • Native: Key material is created on the cloud. • External (Unknown): Source of the key material is unknown. It is different than CCKM and the native cloud. |