CCKM API
Note
APIs might change from version to version. Refer to the API playground URL of your CipherTrust Manager for updated APIs.
This document explains how to:
- Add AWS KMS accounts, Azure vaults, Luna HSM partitions, DSM domains, Google Cloud key rings, Salesforce organizations, SAP Data Custodian groups, Oracle Cloud Infrastructure (OCI) vaults, OCI External Key Management (EKM) (or external) vaults, and CipherTrust (external) domains to CCKM 
- Manage AWS, Azure, Luna HSM, DSM, Google CMEK, Google Cloud EKM keys, Salesforce tenant secrets, SAP, OCI keys, OCI EKM keys, CipherTrust (external) keys, and Microsoft Double Key Encryption (DKE) endpoints on CCKM 
- Manage AWS custom key stores on CCKM 
- Schedule key rotation for AWS, Azure, Google Cloud, Salesforce, SAP, Microsoft DKE, and OCI keys 
- Schedule key refresh for Luna HSM, DSM, AWS, Azure, Google Cloud, Salesforce, SAP, and OCI keys 
It is assumed, for this document, that you have already configured the CipherTrust Manager appliance. Refer to the CipherTrust Manager Deployment Guide for instructions.
The next step is to activate and install the CCKM license. Refer to Licensing for details.
Workflow
This section describes the high-level steps to manage keys using CCKM:
- Add a connection between the CipherTrust Manager and the desired cloud or key source. This is needed to grant CCKM access to the cloud service or key source using valid user credentials.
- Test the connection. The connection must be in the ready state. 
- Add the KMS container that contains the keys to be managed. A KMS container can be:
  - An AWS account
  - An Azure vault
  - An external CipherTrust Manager domain
  - A Luna HSM partition
  - A DSM domain
  - A Google Cloud key ring
  - A Salesforce organization
  - A SAP group
  - An OCI vault

  When adding a KMS container, you need to select the corresponding connection.
- Refresh the KMS container to download its keys to CCKM. Refreshing a KMS container might take a significant amount of time, depending on the number of keys stored in it.
  - CCKM provides options to refresh the keys of an individual KMS container or of all KMS containers of a cloud service or key source.
  - After a KMS container is refreshed successfully, the downloaded keys can be managed on CCKM itself.
- Manage keys. With CCKM, you can perform supported key operations such as adding, editing, and rotating keys. 
CCKM also provides options to schedule key operations and generate reports for the supported clouds. Refer to the relevant sections in the CCKM Administration and CCKM API documentation for more details about the steps listed above and other CCKM features.