SAP HYOK APIs
Caution
This feature is a technical preview for evaluation in non-production environments. A technical preview introduces new, limited functionality for customer feedback as we work on the feature. Details and functionality are subject to change. This includes API endpoints, UI elements, and CLI commands. We cannot guarantee that data created as part of a technical preview will be retained after the feature is finalized.
SAP Data Custodian KMS supports a customer-managed keystore that allows you to create HYOK keys residing in your external key manager. You manage the full lifecycle of HYOK keys within your external key manager. SAP Data Custodian KMS does not have any control over these keys.
Your external key manager performs the cryptographic operations inside its own secure boundary and exposes them over a network endpoint. SAP KMS forwards each request to that endpoint, so the key material never leaves your external key manager.
Create and download the SAP certificate
Log in to your SAP Data Custodian system.
Open the Key Management menu.
Select Configurations.
Select Thales CipherTrust Manager from the Customer Managed Keystore tab.
Click Certificate Authentication.
Click Create Certificate. A new certificate is generated.
Select the new certificate.
Select Actions.
Select Download.
Copy the SAP Certificate ID.
Create a keystore
Create a keystore on the CipherTrust Data Security Platform Service. Refer to Creating SAP HYOK Keystores for details. After the keystore is created successfully, copy the keystore URL.
Create a group for HYOK in SAP
You need to create a group in SAP for HYOK keys that are backed by the CipherTrust Data Security Platform Service. To create a group:
Log in to SAP Data Custodian tenant.
Open the Dashboard.
Select the Key Management Service tab.
Select an application context.
Click Create Group.
Complete the Group Details section.
Complete the Keystore Selection section.
Select Customer Managed Keystore (HYOK).
Select Thales CipherTrust Manager from the Keystore drop-down menu.
Review the Authentication Method section; it is automatically populated with Certificate.
Complete the Configure Authentication Method section.
Enter the CipherTrust Data Security Platform Service keystore URL in the Thales Keystore URL field. You copied this URL above when creating the keystore.
Enter the SAP Certificate ID in the Certificate ID field. You copied it above while creating and downloading the certificate.
Click Review.
Review the group details.
Click Create.
Create an endpoint (key)
Create an endpoint on the CipherTrust Data Security Platform Service. Refer to Creating SAP HYOK Endpoints for details. After the endpoint is created successfully, copy the globally unique identifier of the endpoint.
Register the key for HYOK in SAP
You need to register the key in SAP as a HYOK key backed by the CipherTrust Data Security Platform Service. To register the key:
Log in to SAP Data Custodian tenant.
Open the Dashboard.
Select the Key Management Service tab.
Select an application context.
Select the HYOK group where the endpoint will be registered.
Click the Keys tab.
Click Register New Key.
Complete the Key Details section.
Select the Key ID.
Enter the unique identifier of the endpoint that you created above.
Click Review.
Review key details.
Click Register.
Managing the SAP HYOK APIs
Tip
The mandatory API request parameters are written in bold.