Administration
CipherTrust Manager Administration
- Authentication
  - Users
  - Authentication Tokens
  - Client Management
  - Authenticating to the REST API
- Key Policies
- Changing Passwords
- Groups
- Quorums
- Scheduler
- Connection Manager
  - Connections
  - Amazon Web Services (AWS)
  - Google Cloud Platform (GCP)
  - Microsoft Azure
  - Salesforce
  - SAP Data Custodian
  - CIFS/SMB
  - Oracle Cloud Infrastructure (OCI)
  - OIDC
- CLI Toolkit
  - CLI Toolkit Installation
  - Batching Commands with Tokens
  - Example CLI User Set Up
- Keys
- Key Rotation
CCKM Administration
- Overview
- AWS Resources
  - Managing AWS Accounts
  - Managing AWS Keys
  - Scheduling Operations
  - Managing AWS Reports
  - Managing Policies
  - Managing AWS Templates
  - Migrating to IAM Roles Anywhere Connections
  - Downloading AWS Metadata
- Azure Resources
  - Prerequisites
    - Prerequisites for Azure Cloud
    - Prerequisites for Azure Stack Cloud with Azure AD
    - Prerequisites for Azure Stack Cloud with Azure ADFS
  - Managing Azure Vaults
  - Managing Azure Keys
  - Managing Azure Certificates
  - Managing Azure Secrets
  - Scheduling Operations
  - Managing Azure Reports
  - Viewing Azure Subscriptions
  - Downloading Azure Metadata
- AWS External Key Store Resources
  - Managing External Key Store Resources
- AWS CloudHSM Key Store Resources
  - Managing an AWS CloudHSM Key Store from CCKM
- Google Cloud Resources
  - Google Cloud Projects
  - Google Cloud Key Rings
  - Google Cloud Keys
  - Google Cloud Reports
  - Scheduling Operations
  - Downloading Google Metadata
- Google Cloud External Key Manager Resources
  - Managing Google EKM Endpoints
  - Managing Google EKM Endpoint Policies
- Google Workspace CSE Resources
  - Access Policies
  - High Level Architecture
  - Prerequisites
  - Communication with KACLS
  - Encrypting Data Encryption Keys
  - Decrypting Data Encryption Keys
  - Endpoints
  - Identity Providers
- Microsoft Double Key Encryption (DKE) Resources
  - Managing DKE Endpoints
  - Managing DKE Authorized Tenants
- Salesforce Resources
  - Managing Salesforce Organizations
  - Managing Salesforce Tenant Secrets
  - Scheduling Operations
  - Managing Salesforce Reports
  - Managing Salesforce Cache-Only Key Endpoints
  - Managing Certificates from Salesforce Organizations
- SAP Resources
  - Managing SAP Groups
  - Managing SAP Keys
  - Scheduling Operations
  - Managing SAP Reports
  - Viewing Linked SAP Applications
  - Downloading SAP Metadata
- Oracle Cloud Resources
  - Managing Oracle Vaults
  - Managing Oracle Keys
  - Managing Oracle Tenancies
  - Scheduling Operations
  - Managing Oracle Reports
  - Managing Oracle Compartments
  - Downloading Oracle Metadata
- OCI External Resources
  - Managing Identity Providers
  - Managing External Vaults
  - Managing External Keys
- Key Material Export and Upload
CTE UserSpace Administration
- Overview
- Concepts
- Data Transformation
- Managing Profiles
- Managing Clients
  - Client Settings
  - Changing Client Password
  - Managing Membership
  - Deleting Clients
  - Collecting Agent Information
- Managing Client Groups
- Managing Signature Sets
- Managing Policies
  - Creating Policy Elements
  - Viewing Policy Elements
  - Creating Policies
  - Modifying Policies and Rules
- Managing GuardPoints
  - Considerations Before Creating GuardPoints
  - Creating GuardPoints
    - Creating Standard GuardPoints
  - Automatic and Manual GuardPoints
  - Viewing GuardPoints
  - Viewing GuardPoint Status
  - Removing GuardPoints
  - Disabling GuardPoints
  - Enabling GuardPoints
- Multifactor Authentication
- Communication Workflow with CipherTrust Manager Behind a Load Balancer
- Integrating CTE Logging with Splunk
- Permissions
- Quorum Control
- Operations
- Common Scenarios
- Reports
  - Clients Health Report
  - Clients Keys Report
  - Clients Profiles Report
  - Clients Policies Report
  - Policies Keys Report
  - GuardPoints Report
  - Clients GuardPoint Status Report
- Troubleshooting
- API Examples
  - Creating Keys
  - Creating Policy Elements
  - Creating Policies
  - Creating GuardPoints
- API Response Codes
CTE Administration
- Overview
- Concepts
- Data Transformation
- Managing Profiles
- Managing Clients
  - Enabling Live Data Transformation
  - Setting Client Locks
  - Client Settings
  - CTE Linux Authentication and Client Settings
  - Changing Client Password
  - Managing Membership
  - Deleting Clients
  - Kernel Compatibility Matrix
  - Fetching Latest Capabilities from Clients
- Managing LDT Communication Groups
- Managing Client Groups
- Managing Signature Sets
- Managing Policies
  - Creating Policy Elements
  - Viewing Policy Elements
  - Creating Policies
  - Modifying Policies and Rules
- Managing GuardPoints
  - Secure Start GuardPoints
  - Considerations Before Creating GuardPoints
  - Creating GuardPoints
    - Creating Standard GuardPoints
    - Creating LDT GuardPoints
    - Creating Cloud Object Storage GuardPoints
    - Creating IDT GuardPoints
    - Creating Ransomware Protection GuardPoints
  - Enabling Secure Start for GuardPoints
  - Protecting Teradata Appliances
  - Automatic and Manual GuardPoints
  - Viewing GuardPoints
  - Viewing GuardPoint Status
  - Changing SMB Connection
  - Removing GuardPoints
  - Disabling GuardPoints
  - Enabling GuardPoints
  - Enabling and Disabling MFA on GuardPoints
- Managing Kubernetes Storage Groups and Clients
  - Managing Kubernetes Storage Groups
  - Managing Kubernetes Clients
  - Protecting Kubernetes Clients
- Multifactor Authentication
- Integrating CTE Logging with Splunk
- Permissions
- Quorum Control
- Ransomware Protection
- Unique to Client Keys
- Operations
- Common Scenarios
- Reports
  - Clients Health Report
  - Clients Keys Report
  - Clients Profiles Report
  - Clients Policies Report
  - Policies Keys Report
  - GuardPoints Report
  - Clients GuardPoint Status Report
- Troubleshooting
- API Examples
  - Creating Keys
  - Creating Policy Elements
  - Creating Policies
  - LDT Use Cases
  - Creating GuardPoints
- API Response Codes

Authenticating to the REST API

The REST API is hosted at this base URL: https://{addr}/api/v1

The specification is available here.

You can use the REST interface via curl, or from the API Guide embedded in the CipherTrust Data Security Platform Service UI.

To copy and paste the following example commands, set an environment variable to point to your CipherTrust Data Security Platform Service instance:

$ export KSCTL_URL=https://{addr}               # sh/bash
$ set -x KSCTL_URL=https://{addr}               # fish

API token generation for User Credentials

You can generate an API token with a user's username, password, and tenant.

For example, this command uses the user admin's credentials to create an API token for the my_tenant CSDPaaS tenant:

$ curl -k -X POST $KSCTL_URL/api/v1/auth/tokens/ \
     -H "Content-Type: application/json" \
     -d "{\"name\":\"admin\",\"password\":\"admin\", \"auth_domain\":\"my_tenant\"}"

The response:

{
  "jwt":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJkMzEzYzcwZS01NmYyLTQ5MTUtOGJkNy01ZmMyYmUyNzk2YzEiLCJzdWIiOiJsb2NhbHxiM2ZjOGZlNy1hN2ZlLTQ1YzEtOWU1OS0zYmUxNTRkMTZjYmQiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsImN1c3QiOnsiZ3JvdXBzIjpbImFkbWluIl19LCJpYXQiOjE0ODExMjQxMzcsImV4cCI6MTQ4MTEyNDQzN30.Z9GU0YyOImHMdPmbZx66vL0NLQfeLvNGkyGkZpVbfx4",
  "duration":300
}

Copy the value of the jwt property into another environment variable:

(sh)  $ export KSCTL_JWT=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJkMzEzYzcwZS01NmYyLTQ5MTUtOGJkNy01ZmMyYmUyNzk2YzEiLCJzdWIiOiJsb2NhbHxiM2ZjOGZlNy1hN2ZlLTQ1YzEtOWU1OS0zYmUxNTRkMTZjYmQiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsImN1c3QiOnsiZ3JvdXBzIjpbImFkbWluIl19LCJpYXQiOjE0ODExMjQxMzcsImV4cCI6MTQ4MTEyNDQzN30.Z9GU0YyOImHMdPmbZx66vL0NLQfeLvNGkyGkZpVbfx4
(fish)$ set -x KSCTL_JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJkMzEzYzcwZS01NmYyLTQ5MTUtOGJkNy01ZmMyYmUyNzk2YzEiLCJzdWIiOiJsb2NhbHxiM2ZjOGZlNy1hN2ZlLTQ1YzEtOWU1OS0zYmUxNTRkMTZjYmQiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsImN1c3QiOnsiZ3JvdXBzIjpbImFkbWluIl19LCJpYXQiOjE0ODExMjQxMzcsImV4cCI6MTQ4MTEyNDQzN30.Z9GU0YyOImHMdPmbZx66vL0NLQfeLvNGkyGkZpVbfx4

Using the jq tool, we can fetch, extract, and export the token in a single shell command:

(sh)  $ export KSCTL_JWT=$(curl -k -X POST $KSCTL_URL/api/v1/auth/tokens/ \
                                    -H "Content-Type: application/json" \
                                    -d "{\"name\":\"admin\",\"password\":\"admin\"}" | jq -r '.jwt')
(fish)$ set -x KSCTL_JWT (curl -k -X POST $KSCTL_URL/api/v1/auth/tokens/ \
                                   -H "Content-Type: application/json" \
                                   -d "{\"name\":\"admin\",\"password\":\"admin\"}" | jq -r '.jwt')

We can use that API token to make other calls:

$ curl -k "$KSCTL_URL/api/v1/vault/keys2?limit=20" \
     -H "Authorization: Bearer $KSCTL_JWT"

REST API Client Registration and API Token Generation for Client Credentials

You can register a REST API client to improve monitoring and traceability on the client's actions. Registered clients can exchange their client identities and client certificates for an API token for authentication through the REST API.

Registration is especially beneficial for automated clients which act without a person initiating operations.

If you register the REST client, its client identity is recorded in the DPoD audit query records. Theclient_id value is included in the audit query records whenever a registered or public client receives an authentication token.

Registering a REST API client

Create a registration token on CipherTrust Data Security Platform Service using the client profile. You must retain the registration token.

The registration token is a randomly generated character string used to register a client.

With the REST client, make a POST /v1/client-management/clients to register the client.

Provide the registration token and certificate-related parameters. The specification file and API Guide embedded in the CipherTrust Data Security Platform Service GUI has full schema descriptions for this endpoint. The example request demonstrates providing a CSR for CipherTrust Data Security Platform Service to sign.

Example request

curl -k "$KSCTL_URL/api/v1/client-management/clients/" -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n  "name": "REST_CLIENT",\n  "registration_token": "12345",\n  "csr": "-----BEGIN CERTIFICATE REQUEST-----\\nMIHNMHUCAQAwEzERMA8GA1UEAxMIVGVzdCBDU1IwWTATBgcqhkjOPQIBBggqhkjO\\nPQMBBwNCAATndOIgsTp7m4bOuixxuAt2XQ3oZqp8th/woAo51z7RiAAGdm7IfB1w\\n7uWr8o5PWKBatXIgvPp8hvRWHQPHCfcLoAAwCgYIKoZIzj0EAwIDSAAwRQIgVyvz\\nhFGCKV460fNJC0vC48gI268B68Xr6osFoy9Ouw8CIQCWN1LtcyxPIvul3XF1Pj7l\\navEeIqDBcfD6VHhbnpO2Ag==\\n-----END CERTIFICATE REQUEST-----",\n  "subject_dn_field_to_modify": "DNQ",\n  "do_not_modify_subject_dn": false\n}' --compressed

Retain the ID value in the response. This represents the client identity required to obtain a token.

API Token Generation with Client Identity

To issue an API token for a client identity, you must specify grant_type:"client_credential" and client_id:<client_identity> in the data part of the request. The client identity is obtained during client registration.

In addition, the public certificate file path and private key file path are provided in the request to ensure that the client certificate is verified. These values correspond with the client certificate configuration that took place when creating a client profile and registering the client.

For example, this command generates an API token for the client 123456789, provided the presented identity and client certificate match the expected values in the client registration:

$ curl -k -X POST $KSCTL_URL/api/v1/auth/tokens/ -H "Content-Type: application/json" --cacert ".ssh/id_rsa.pub" --key ".ssh/id_rsa" -d "{\"grant_type\":\"client_credential\",\"client_id\":\"123456789\"}"

The response:

{
  "jwt":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJkMzEzYzcwZS01NmYyLTQ5MTUtOGJkNy01ZmMyYmUyNzk2YzEiLCJzdWIiOiJsb2NhbHxiM2ZjOGZlNy1hN2ZlLTQ1YzEtOWU1OS0zYmUxNTRkMTZjYmQiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsImN1c3QiOnsiZ3JvdXBzIjpbImFkbWluIl19LCJpYXQiOjE0ODExMjQxMzcsImV4cCI6MTQ4MTEyNDQzN30.Z9GU0YyOImHMdPmbZx66vL0NLQfeLvNGkyGkZpVbfx4",
  "duration":300
}

Copy the value of the jwt property into another environment variable:

(sh)  $ export KSCTL_JWT=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJkMzEzYzcwZS01NmYyLTQ5MTUtOGJkNy01ZmMyYmUyNzk2YzEiLCJzdWIiOiJsb2NhbHxiM2ZjOGZlNy1hN2ZlLTQ1YzEtOWU1OS0zYmUxNTRkMTZjYmQiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsImN1c3QiOnsiZ3JvdXBzIjpbImFkbWluIl19LCJpYXQiOjE0ODExMjQxMzcsImV4cCI6MTQ4MTEyNDQzN30.Z9GU0YyOImHMdPmbZx66vL0NLQfeLvNGkyGkZpVbfx4
(fish)$ set -x KSCTL_JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJkMzEzYzcwZS01NmYyLTQ5MTUtOGJkNy01ZmMyYmUyNzk2YzEiLCJzdWIiOiJsb2NhbHxiM2ZjOGZlNy1hN2ZlLTQ1YzEtOWU1OS0zYmUxNTRkMTZjYmQiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsImN1c3QiOnsiZ3JvdXBzIjpbImFkbWluIl19LCJpYXQiOjE0ODExMjQxMzcsImV4cCI6MTQ4MTEyNDQzN30.Z9GU0YyOImHMdPmbZx66vL0NLQfeLvNGkyGkZpVbfx4

We can use that API token to make other calls:

$ curl -k "$KSCTL_URL/api/v1/vault/keys2?limit=20" -H "Authorization: Bearer $KSCTL_JWT"

Suggest A Change

Authenticating to the REST API

API token generation for User Credentials

REST API Client Registration and API Token Generation for Client Credentials

Registering a REST API client

API Token Generation with Client Identity

On this page