Creating DKE Endpoints
Use the post /v1/cckm/microsoft/dke/endpoints API to create a DKE endpoint for the Microsoft Double Key Encryption service.
You can create a new key encryption key (KEK) or specify an existing KEK for the getkey and decrypt operations.
Specify the following details.
- Unique name for the endpoint
Note
-
In the Microsoft Azure application, go to the API Permissions section and configure the Directory.Read.All permission. Ensure that the
Typefor this permission is Application.
Syntax
curl -k '<CCKM IP address>/api/v1/cckm/microsoft/dke/endpoints' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "name": "<unique_name_dke_endpoint>",\n "description": "<dke_endpoint_description>",\n "key_uri_hostname": "<base_url_hostname_for_key_uri>",\n "algorithm": "<dke_key_algorithm>",\n "enable_success_audit_event": <true|false>,\n "meta": {\n "color": "blue",\n "size": "big"\n },\n "authorization_params": {\n "valid_issuers": [\n "<a_valid_issuer_for_dke_endpts>/"\n ],\n "authorization_type": "email",\n "email_authz_params": {\n "authorized_email_addresses": [\n "<authorized_email_address>",\n "<authorized_email_address>"\n ]\n }\n }\n}' --compressed
Request Parameters
| Parameter | Type | Description |
|---|---|---|
| AUTHTOKEN | string | Authorization token. |
| auth_tenants | string | List of IDs of authorized tenants for the DKE endpoint. |
| key_uri_hostname | string | Base URL hostname for KeyURI. |
| name | string | Unique name for the endpoint. |
| algorithm | string | DKE key algorithm. The only option currently supported is RSA_DECRYPT_OAEP_2048_SHA256, which is the default value. |
| description | string | Description for the endpoint. |
| enable_success_audit_event | boolean | Flag to denote whether audit recording of successful operations for the DKE endpoint is enabled or disabled. Default value is true. |
| enabled | boolean | Flag to denote whether endpoint is enabled. Default value is true. |
| existing_key_id | string | Identifier to be used to find the latest version of an existing CipherTrust Data Security Platform Service key. This identifier can be the ID of any version or the name of a CipherTrust Data Security Platform Service key. This key is a asymmetric key type. The asymmetric key must have Sign and Verify usage masks. In addition, this key must not be exportable or deletable. A DKE endpoint will be created using the latest version of this key. If the identifier is not supplied, a new CipherTrust Data Security Platform Service key will be created. This identifier is applicable to the migration of a DKE endpoint from one CipherTrust Data Security Platform Service deployment to another. When creating a new DKE endpoint using an existing CipherTrust Data Security Platform Service key in the new deployment, CCKM uses this identifier to associate all of the existing versions of a CipherTrust Data Security Platform Service key to the new endpoint. |
| key_type | string | DKE key type. The only option currently supported is asymmetric. |
| meta | JSON | Additional information associated with this endpoint. |
Note
To change the web interface port within CipherTrust Data Security Platform Service from the default port of 443 to another port, specify the new port number along URL hostname for KeyURI when configuring key_uri_hostname. For example, https://example.com:8443.
DKE Authorization Parameters
| Parameter | Type | Description |
|---|---|---|
| authorization_type | string | Authorization type for DKE key: email and role. |
| email_authz_params | string | Parameters for email-based authorization. Required field, if authorization_type is email. |
| authorized_email_addresses | string | Allowed email addresses. Required field, if authorization_type is email. |
| role_authz_params | string | Parameters for role-based authorization. Required field, if authorization_type is set to role. |
| authorized_roles | string | Allowed roles in active directory. Required field, if authorization_type is set to role. |
| valid_issuers | string | A valid issuer for the DKE endpoint. Currently, only one issuer is supported. For example, https://sts.windows.net/azure tenant ID/. This issuer must match the issuer within the JWT that the CCKM receives. |
Note
The use of wildcards '*' and '?' are supported for email addresses. The following are examples of supported wildcard formats:
-
abc*@gmail.com: supports any email that starts with abc and ends with "@gmail.com".
-
abc@?.com: supports any email that starts with abc, contains "@" followed by at least one character and ends with ".com".
-
abc@?.?*: supports any email that starts with abc, contains "@" followed by at least one character, followed by the dot character (.), and ends with at least one character.
-
?*@gmail.com: supports any email that starts with at least one character and ends with "@gmail.com".
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/microsoft/dke/endpoints' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI1ZTc3Y2Q3NC0wMmVhLTRhNzYtODIzMi1hNDY4YTg1MGQwM2UiLCJzdWIiOiJsb2NhbHw0ODMyZDM4ZS04YzdhLTRiMjYtYTc5Ni1kNjk3NWQyOTg2ZGIiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJjbGllbnRfdHlwZSI6InVucmVnaXN0ZXJlZCIsImRvbWFpbl9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCIsImdyb3VwcyI6WyJhZG1pbiJdLCJzaWQiOiIzMGJiZTYxNS1hNWQzLTQwNzAtYTNjYi01NDA0Y2YzMmE5OTYiLCJ6b25lX2lkIjoiMDAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMDAwMDAwIn0sImp3dGlkIjoiOTE4YzFhZmEtYzY2My00Yzg0LWE3MDAtNzIzZWUwMzMxNzdjIiwiaWF0IjoxNjkyOTIzNzY5LCJleHAiOjE2OTI5MjQwNjl9.Dx43G2HQHnhzcHq6eXrdOfWCCMVW-j-JTMTSXorjEf8' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "name": "my dke endpoint 7",\n "description": "demo dke endpoint 7",\n "key_uri_hostname": "dke.thales.com",\n "algorithm": "RSA_DECRYPT_OAEP_2048_SHA256",\n "enable_success_audit_event": "true",\n "meta": {\n "color": "red",\n "size": "big"\n },\n "authorization_params": {\n "valid_issuers": [\n "https://sts.windows.net/9c99431e-b513-44be-a7d9-e7b500002d4b/"\n ],\n "authorization_type": "email",\n "email_authz_params": {\n "authorized_email_addresses": [\n "richard-roe@example.com",\n "gopa-desai@example.com"\n ]\n }\n }\n}' --compressed
Example Response
{
"id": "8fbd67ea-3925-4361-9326-c73a84ae872c",
"uri": "kylo:kylo:cckm:dke-endpoint:8fbd67ea-3925-4361-9326-c73a84ae872c",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2023-06-23T02:58:31.192776Z",
"updatedAt": "2023-06-23T02:58:31.192776Z",
"name": "TestDKEEndpoint_001",
"description": "demo dke endpoint 1",
"key_uri_hostname": "dke.thales.com",
"key_uri": "https://dke.thales.com/api/v1/cckm/microsoft/dke-data-plane/endpoints/8fbd67ea-3925-4361-9326-c73a84ae872c/keys/ks-e998720b0e8e4ccc9ecf6a6e125ccce16356ba90b31540478a4d23fed4216203",
"kek_name": "ks-e998720b0e8e4ccc9ecf6a6e125ccce16356ba90b31540478a4d23fed4216203",
"kek_id": "e998720b0e8e4ccc9ecf6a6e125ccce16356ba90b31540478a4d23fed4216203",
"kek_uuid": "efc5544d-53bd-42ab-b582-d6985458f37c",
"meta": {
"color": "blue",
"size": "big"
},
"kek_version": "0",
"key_type": "asymmetric",
"algorithm": "RSA_DECRYPT_OAEP_2048_SHA256",
"enable_success_audit_event": true,
"auth_tenants": [
"95180635-b494-4f57-b9ba-a250aeac741f"
],
"auto_rotate": false,
"status": "Enabled"
}
The sample output shows that the DKE endpoint with the name of my dke endpoint 7 and an ID of f222ffdf-80e1-4fd5-8f17-1b60a26dba5d along with other specified parameters is created.
Response Codes
| Response Code | Description |
|---|---|
| 2xx | Success |
| 4xx | Client errors |
| 5xx | Server errors |
Refer to HTTP status codes for details.
