SAP Data Custodian
SAP Data Custodian connections to the CipherTrust Manager can be configured using the following:
Note
- It is recommended to use Technical Users when creating new connections for SAP Data Custodian on the CipherTrust Manager. 
- If you don't use Technical Users when the SAP Data Custodian KMS is integrated with the SAP Cloud Identity Services, the connection to SAP may not work. 
Managing SAP Data Custodian Connections using GUI
- Log on to CipherTrust Manager UI as an administrator. 
- Navigate to Access Management > Connections. 
- Click Add Connection. 
- On the Add Connection screen, select category as Cloud. 
- Set Select Cloud Type to SAP Data Custodian and click Next. 
- Specify connection Name and Description and click Next. 
- Configure the below parameters.
  - Technical Users are essentially API clients. The technical users can have full admin access to an entire service such as Key Management Service.
    - Note: Technical User credentials are activated internally at the back end while creating/updating connections. Therefore, the create/update connection won't accept the already activated technical user credentials.
    - API Endpoint - this is the KMS API endpoint of the SAP Data Custodian. Provide HTTP URL with the API version in it. Only v2 version of the KMS API is supported. To get the SAP API endpoint:
      - Create a technical user (TU).
      - Generate its credentials and download them.
      - The downloaded file "API Endpoints.txt" contains ISM and KMS API endpoints. Use the KMS API endpoint to make the connection.
    - Secret - provide secret (password).
    - API Key - provide API key of the technical user.
    - The Test Credentials will fail until the credentials are activated. The credentials will activate only after creating a connection. Therefore, it is recommended to test the connection after creating it. To do so, click the Test Connection button corresponding to the newly added connection, on the Connections page.
  - Standard users are owned by the IAM service, and represent human users. Standard users need to be assigned to the Key Management Service, with a certain role, and then need to be added to groups to see those groups. The standard users can access both the UI and the API.
    - API Endpoint - this is the KMS API endpoint of the SAP Data Custodian. Provide HTTP URL with the API version in it. Only v2 version of the KMS API is supported. Example - https://kms-api-demo.datacustodian.cloud.sap/kms/v2.
    - Username - provide username to access the SAP data custodian server.
    - Secret - provide secret (password).
    - Tenant - provide tenant.
- Click the Test Credentials button to check whether the connection is configured correctly. If the test is successful, the status is OK, else the status is Fail.
  - You can proceed with adding the SAP connection even if clicking the Test Credentials returns an error message. You can test the connection after adding it. Click the Test Connection button corresponding to the newly added connection, on the Connections page.
- Click Next to move to the Add Products screen of the Add Connection wizard. 
Note
Currently, the only product supported for SAP Data Custodian connection is Cloud Key Manager.
Managing SAP Data Custodian Connections using ksctl
The following operations can be performed:
- Create/Get/Update/Delete an SAP Data Custodian connection 
- List all SAP Data Custodian connections 
- Test an existing SAP Data Custodian connection 
- Test parameters for a SAP Data Custodian connection 
Parameter Details
| Parameter | Mandatory/Optional | Description | 
|---|---|---|
| name | Mandatory | Name of the connection. | 
| description | Optional | Connection description. | 
| products | Optional | List of products. | 
| api-endpoint | Mandatory | KMS API endpoint of the SAP Data Custodian. Provide HTTP URL with the API version in it. Only v2 version of KMS API is supported. For example, https://kms-api-demo.datacustodian.cloud.sap/kms/v2. | 
| tech-user-creds | Optional | Technical User Credentials for SAP Data Custodian connection. | 
| api_key | Mandatory | API key of the technical user. | 
| secret | Mandatory | Secret/Password of the standard/technical user. | 
| user-creds | Optional | Standard User Credentials for SAP Data Custodian connection. | 
| user | Mandatory | Username. | 
| tenant | Mandatory | Tenant of the user. | 
| meta | Optional | Meta information in JSON format. For example, --meta "{\"color\":\"blue\",\"foo\":\"bar\"}". | 
| json-file | Optional | Connection information provided in a JSON file format. Command line parameters will take precedence over values specified in the JSON file. | 
Note
The examples are provided for the Windows platform. To run these examples on Linux, see CLI usage with JSON parameters.
Technical Users are essentially API clients. The technical users can have full admin access to an entire service such as Key Management Service.
Note
Technical User credentials are activated internally at the back end while creating/updating connections. Therefore, the create/update connection won't accept the already activated technical user credentials.
Creating a SAP Data Custodian Connection
To create a SAP Data Custodian connection, run:
Syntax
ksctl connectionmgmt sap-dc create --name <Connection-Name> --products <Products-Names> --api-endpoint <SAPDataCustodian-API-Endpoint> --tech-user-creds <API key,secret>
Here, --api-endpoint is the KMS API endpoint of the SAP Data Custodian. Provide HTTP URL with the API version in it. Only v2 version of the KMS API is supported. To get the SAP API endpoint:
- Create a technical user (TU). 
- Generate its credentials and download them. 
The downloaded file "API Endpoints.txt" contains ISM and KMS API endpoints. Use the KMS API endpoint to make the connection.
Example Request
ksctl connectionmgmt sap-dc create --name "test-tu-conn" --api-endpoint "https://kms-api-aws-demo.datacustodian.cloud.sap/kms/v2" --tech-user-creds "{\"api_key\":\"ey----NhcCJ9\",\"secret\":\"0U6myfwji--ye\"}"
Example Response
{
    "id": "9a6a728b-5beb-465a-8e2e-5e4332039b2d",
    "uri": "kylo:kylo:connectionmgmt:connections:test-tu-conn-9a6a728b-5beb-465a-8e2e-5e4332039b2d",
    "account": "kylo:kylo:admin:accounts:kylo",
    "createdAt": "2024-01-09T06:22:48.058817364Z",
    "updatedAt": "2024-01-09T06:22:48.057206571Z",
    "service": "sap-data-custodian",
    "category": "cloud",
    "last_connection_ok": null,
    "last_connection_at": "0001-01-01T00:00:00Z",
    "name": "test-tu-conn",
    "api_endpoint": "https://kms-api-aws-demo.datacustodian.cloud.sap/kms/v2",
    "technical_user_credentials": {
        "api_key": "ey----NhcCJ9"
    }
}
Getting Details of a SAP Data Custodian Connection
To get details of a SAP Data Custodian connection, run:
Syntax
ksctl connectionmgmt sap-dc get --id <Connection-Name/ID>
Example Request
ksctl connectionmgmt sap-dc get --id 9a6a728b-5beb-465a-8e2e-5e4332039b2d
Example Response
{
        "id": "9a6a728b-5beb-465a-8e2e-5e4332039b2d",
        "uri": "kylo:kylo:connectionmgmt:connections:test-tu-conn-9a6a728b-5beb-465a-8e2e-5e4332039b2d",
        "account": "kylo:kylo:admin:accounts:kylo",
        "createdAt": "2024-01-09T06:22:48.058817364Z",
        "updatedAt": "2024-01-09T06:22:48.057206571Z",
        "service": "sap-data-custodian",
        "category": "cloud",
        "last_connection_ok": null,
        "last_connection_at": "0001-01-01T00:00:00Z",
        "name": "test-tu-conn",
        "api_endpoint": "https://kms-api-aws-demo.datacustodian.cloud.sap/kms/v2",
        "technical_user_credentials": {
            "api_key": "ey----NhcCJ9"
        }
}
Updating a SAP Data Custodian Connection
To update a SAP Data Custodian connection, run:
Syntax
ksctl connectionmgmt sap-dc modify --id <Connection-Name/ID> --products <Products-Names> --api-endpoint <SAPDataCustodian-API-Endpoint> --tech-user-creds <api-key,secret> --meta <Key:Values>
Example Request
ksctl connectionmgmt sap-dc modify --id "9a6a728b-5beb-465a-8e2e-5e4332039b2d" --api-endpoint "https://kms-api-aws-demo.datacustodian.cloud.sap/kms/v2" --tech-user-creds "{\"api_key\":\"eyJjcmVkZW-------cCJ9\",\"secret\":\"oYtZk-----wnWGi\"}"
Example Response
{
    "id": "9a6a728b-5beb-465a-8e2e-5e4332039b2d",
    "uri": "kylo:kylo:connectionmgmt:connections:test-tu-conn-9a6a728b-5beb-465a-8e2e-5e4332039b2d",
    "account": "kylo:kylo:admin:accounts:kylo",
    "createdAt": "2024-01-09T06:22:48.058817Z",
    "updatedAt": "2024-01-09T06:34:30.297756622Z",
    "service": "sap-data-custodian",
    "category": "cloud",
    "last_connection_ok": true,
    "last_connection_at": "2024-01-09T06:29:56.429799Z",
    "name": "test-tu-conn",
    "api_endpoint": "https://kms-api-aws-demo.datacustodian.cloud.sap/kms/v2",
    "technical_user_credentials": {
        "api_key": "eyJjcmVkZW-------cCJ9"
    }
}
Deleting a SAP Data Custodian Connection
To delete a SAP Data Custodian connection, run:
Syntax
ksctl connectionmgmt sap-dc delete --id <Connection-Name/ID>
Example Request
ksctl connectionmgmt sap-dc delete --id 9a6a728b-5beb-465a-8e2e-5e4332039b2d
Example Response
There is no response if the SAP Data Custodian connection is deleted successfully.
Getting List of SAP Data Custodian Connections
To list all the SAP Data Custodian connections, run:
Syntax
ksctl connectionmgmt sap-dc list
Example Request
ksctl connectionmgmt sap-dc list
Example Response
{
  "skip": 0,
  "limit": 10,
  "total": 1,
  "resources": [
    {
      "id": "9a6a728b-5beb-465a-8e2e-5e4332039b2d",
      "uri": "kylo:kylo:connectionmgmt:connections:test-tu-conn-9a6a728b-5beb-465a-8e2e-5e4332039b2d",
      "account": "kylo:kylo:admin:accounts:kylo",
      "createdAt": "2024-01-09T06:22:48.058817Z",
      "updatedAt": "2024-01-09T06:34:30.297756622Z",
      "service": "sap-data-custodian",
      "category": "cloud",
      "last_connection_ok": true,
      "last_connection_at": "2024-01-09T06:29:56.429799Z",
      "name": "test-tu-conn",
      "api_endpoint": "https://kms-api-aws-demo.datacustodian.cloud.sap/kms/v2",
      "technical_user_credentials": {
        "api_key": "eyJjcmVkZW-------cCJ9"
      }
    }
  ]
}
Testing an Existing SAP Data Custodian Connection
To test an existing SAP Data Custodian connection, run:
Syntax
ksctl connectionmgmt sap-dc test --id <Connection-Name/ID>
Example Request
ksctl connectionmgmt sap-dc test --id "9a6a728b-5beb-465a-8e2e-5e4332039b2d"
Example Response
{
    "connection_ok": true
}
Testing Parameters for a SAP Data Custodian Connection
The test parameters API doesn't activate the technical user credentials. It only makes an API call to api_endpoint/auth/request.
To test parameters for a SAP Data Custodian connection, run:
Syntax
ksctl connectionmgmt sap-dc test --api-endpoint <SAPDataCustodian-API-Endpoint> --tech-user-creds <api-key,secret>
Example Request
ksctl connectionmgmt sap-dc test --api-endpoint "https://test-endpoint.com" --tech-user-creds "{\"api_key\":\"eyJjcmVkZW-------cCJ9\",\"secret\":\"oYtZk-----wnWGi\"}"
Example Response
{
    "connection_ok": true
}
Standard users are owned by the IAM service, and represent human users. Standard users need to be assigned to the Key Management Service, with a certain role, and then need to be added to Groups to see those groups. The standard users can access both the UI and the API.
Creating a SAP Data Custodian Connection
To create a SAP Data Custodian connection, run:
Syntax
ksctl connectionmgmt sap-dc create --name <Connection-Name> --products <Products-Names> --api-endpoint <SAPDataCustodian-API-Endpoint> --user-creds <user,secret,tenant-JSON-Format-String>
Example Request
ksctl connectionmgmt sap-dc create --name test-conn --products "cckm" --api-endpoint "https://test-endpoint.com" --user-creds "{\"user\":\"testuser\",\"secret\":\"testsecret\",\"tenant\":\"testtenant\"}"
Example Response
{
    "id": "d2e25ea2-de0f-488a-94f4-d3c925cd5d18",
    "uri": "kylo:kylo:connectionmgmt:connections:test-conn-d2e25ea2-de0f-488a-94f4-d3c925cd5d18",
    "account": "kylo:kylo:admin:accounts:kylo",
    "createdAt": "2021-10-27T07:21:22.77127493Z",
    "updatedAt": "2021-10-27T07:21:22.770209257Z",
    "service": "sap-data-custodian",
    "category": "cloud",
    "last_connection_ok": null,
    "last_connection_at": "0001-01-01T00:00:00Z",
    "name": "test-conn",
    "products": [
        "cckm"
    ],
    "api_endpoint": "https://test-endpoint.com",
    "user_credentials": {
        "tenant": "testtenant",
        "user": "testuser"
    }
}
Getting Details of a SAP Data Custodian Connection
To get details of a SAP Data Custodian connection, run:
Syntax
ksctl connectionmgmt sap-dc get --id <Connection-Name/ID>
Example Request
ksctl connectionmgmt sap-dc get --id d2e25ea2-de0f-488a-94f4-d3c925cd5d18
Example Response
{
    "id": "d2e25ea2-de0f-488a-94f4-d3c925cd5d18",
    "uri": "kylo:kylo:connectionmgmt:connections:test-conn-d2e25ea2-de0f-488a-94f4-d3c925cd5d18",
    "account": "kylo:kylo:admin:accounts:kylo",
    "createdAt": "2021-10-27T07:21:22.771275Z",
    "updatedAt": "2021-10-27T07:21:22.770209Z",
    "service": "sap-data-custodian",
    "category": "cloud",
    "last_connection_ok": null,
    "last_connection_at": "0001-01-01T00:00:00Z",
    "name": "test-conn",
    "products": [
        "cckm"
    ],
    "api_endpoint": "https://test-endpoint.com",
    "user_credentials": {
        "tenant": "testtenant",
        "user": "testuser"
    }
}
Updating a SAP Data Custodian Connection
To update a SAP Data Custodian connection, run:
Syntax
ksctl connectionmgmt sap-dc modify --id <Connection-Name/ID> --products <Products-Names> --api-endpoint <SAPDataCustodian-API-Endpoint> --user-creds <user,secret,tenant-JSON-Format-String> --meta <Key:Values>
Example Request
ksctl connectionmgmt sap-dc modify --id d2e25ea2-de0f-488a-94f4-d3c925cd5d18 --products "cckm" --api-endpoint "https://test2-endpoint.com" --user-creds "{\"user\":\"testuser2\",\"secret\":\"testsecret2\",\"tenant\":\"testtenant2\"}"
Example Response
{
    "id": "d2e25ea2-de0f-488a-94f4-d3c925cd5d18",
    "uri": "kylo:kylo:connectionmgmt:connections:test-conn-d2e25ea2-de0f-488a-94f4-d3c925cd5d18",
    "account": "kylo:kylo:admin:accounts:kylo",
    "createdAt": "2021-10-27T07:21:22.771275Z",
    "updatedAt": "2021-10-27T07:26:11.431339116Z",
    "service": "sap-data-custodian",
    "category": "cloud",
    "last_connection_ok": null,
    "last_connection_at": "0001-01-01T00:00:00Z",
    "name": "test-conn",
    "products": [
        "cckm"
    ],
    "api_endpoint": "https://test2-endpoint.com",
    "user_credentials": {
        "tenant": "testtenant2",
        "user": "testuser2"
    }
}
Deleting a SAP Data Custodian Connection
To delete a SAP Data Custodian connection, run:
Syntax
ksctl connectionmgmt sap-dc delete --id <Connection-Name/ID>
Example Request
ksctl connectionmgmt sap-dc delete --id d2e25ea2-de0f-488a-94f4-d3c925cd5d18
Example Response
There is no response if the SAP Data Custodian connection is deleted successfully.
Getting List of SAP Data Custodian Connections
To list all the SAP Data Custodian connections, run:
Syntax
ksctl connectionmgmt sap-dc list
Example Request
ksctl connectionmgmt sap-dc list
Example Response
{
    "skip": 0,
    "limit": 10,
    "total": 1,
    "resources": [
        {
            "id": "d2e25ea2-de0f-488a-94f4-d3c925cd5d18",
            "uri": "kylo:kylo:connectionmgmt:connections:test-conn-d2e25ea2-de0f-488a-94f4-d3c925cd5d18",
            "account": "kylo:kylo:admin:accounts:kylo",
            "createdAt": "2021-10-27T07:21:22.771275Z",
            "updatedAt": "2021-10-27T07:21:22.770209Z",
            "service": "sap-data-custodian",
            "category": "cloud",
            "last_connection_ok": null,
            "last_connection_at": "0001-01-01T00:00:00Z",
            "name": "test-conn",
            "products": [
                "cckm"
            ],
            "api_endpoint": "https://test-endpoint.com",
            "user_credentials": {
                "tenant": "testtenant",
                "user": "testuser"
            }
        }
    ]
}
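The list responses shown for both credential types can be audited against this page's guidance: a v2 KMS endpoint, Technical Users recommended, and a connection test after creation. The Python script below is an added example, not part of the CipherTrust documentation or tooling; the function names, the https check and the sample data are assumptions of the example.

```python
import json
from urllib.parse import urlparse

NEVER_TESTED = "0001-01-01T00:00:00Z"  # last_connection_at before any test, as shown on this page

def audit_connection(conn):
    """Return a list of findings for one entry of the "resources" array."""
    findings = []
    url = urlparse(conn.get("api_endpoint", ""))
    if url.scheme != "https":
        # Added policy of this example, not a rule stated on the page.
        findings.append("endpoint is not https")
    if not url.path.rstrip("/").endswith("/kms/v2"):
        findings.append("endpoint lacks the /kms/v2 API version")
    if "technical_user_credentials" not in conn:
        findings.append("standard user credentials (technical user recommended)")
    if conn.get("last_connection_at", NEVER_TESTED) == NEVER_TESTED:
        findings.append("never tested since creation")
    elif conn.get("last_connection_ok") is not True:
        findings.append("last connection test failed")
    return findings

def audit_list(list_json):
    """Map connection name -> findings; key '*' reports an incomplete listing."""
    page = json.loads(list_json)
    report = {}
    for conn in page.get("resources", []):
        findings = audit_connection(conn)
        if findings:
            report[conn.get("name", conn.get("id", "?"))] = findings
    if page.get("total", 0) > len(page.get("resources", [])):
        report["*"] = ["list is truncated: total exceeds returned resources"]
    return report

# Constructed sample: field names follow the list responses on this page,
# the values (names, endpoints, counts) are made up for the example.
SAMPLE = json.dumps({"skip": 0, "limit": 10, "total": 3, "resources": [
    {"name": "tu-ok", "last_connection_ok": True,
     "last_connection_at": "2024-01-09T06:29:56.429799Z",
     "api_endpoint": "https://kms-api-demo.datacustodian.cloud.sap/kms/v2",
     "technical_user_credentials": {"api_key": "placeholder"}},
    {"name": "std-untested", "last_connection_ok": None,
     "last_connection_at": "0001-01-01T00:00:00Z",
     "api_endpoint": "https://test-endpoint.com",
     "user_credentials": {"tenant": "testtenant", "user": "testuser"}},
]})

if __name__ == "__main__":
    for name, findings in audit_list(SAMPLE).items():
        print(name, "->", "; ".join(findings))
```

To audit a live system, pass the saved output of ksctl connectionmgmt sap-dc list to audit_list instead of SAMPLE.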
Testing an Existing SAP Data Custodian Connection
To test an existing SAP Data Custodian connection, run:
Syntax
ksctl connectionmgmt sap-dc test --id <Connection-Name/ID>
Example Request
ksctl connectionmgmt sap-dc test --id d2e25ea2-de0f-488a-94f4-d3c925cd5d18
Example Response
{
    "connection_ok": true
}
Testing Parameters for a SAP Data Custodian Connection
To test parameters for a SAP Data Custodian connection, run:
Syntax
ksctl connectionmgmt sap-dc test --api-endpoint <SAPDataCustodian-API-Endpoint> --user-creds <user,secret,tenant-JSON-Format-String>
Example Request
ksctl connectionmgmt sap-dc test --api-endpoint "https://test-endpoint.com" --user-creds "{\"user\":\"testuser\",\"secret\":\"testsecret\",\"tenant\":\"testtenant\"}"
Example Response
{
    "connection_ok": true
}