Your suggested change has been received. Thank you.

Suggest A Change

Please Note:

Reference
PFMigrate Utility
CCKM API
- AWS APIs
  - AWS Custom Key Store APIs
  - AWS KMS Management APIs
  - Key Life Cycle Management APIs
    - Creating AWS Keys on CCKM
    - Fetching List of AWS Keys
    - Viewing Details of AWS Keys
    - Deleting AWS Keys from CCKM
    - Downloading Keys Created on AWS to CCKM
    - Synchronizing AWS Keys
    - Viewing Synchronization Status
    - Aborting Synchronization Jobs
    - Viewing Details of Synchronization Jobs
    - Uploading Keys to AWS KMS
    - Importing Key Material to AWS KMS
    - Deleting Imported Key Material
    - Scheduling Key Deletion
    - Canceling Deletion of Keys
    - Updating Key Policy
    - Updating Key Description
    - Enabling AWS Keys
    - Disabling AWS Keys
    - Adding Tags to AWS Keys
    - Removing Tags from AWS Keys
    - Adding Alias to AWS Keys
    - Deleting Alias from AWS Keys
    - Verifying Alias on AWS KMS
    - Enabling Key for Rotation Job
    - Disabling Key for Rotation Job
    - Enabling Automatic Key Rotation
    - Disabling Automatic Key Rotation
    - Rotating Keys on AWS KMS
    - Replicating Multi-Region AWS Keys
    - Changing the Primary Key of a Multi-Region AWS Key
    - Creating a Bulk Job
    - Viewing the List of Bulk Jobs
    - Viewing Details of a Bulk Job
    - Canceling a Bulk Job
    - Rotating Key Material
    - Fetching List of Rotations of a Specific Key
    - Viewing the Status of Key Rotation
    - Viewing the List of Rotations of a Specified Key
  - Policy Template Management APIs
  - AWS Reports APIs
  - Response Parameters of AWS KMS Management APIs
  - Response Parameters of Key Life Cycle Management APIs
- Azure APIs
  - Subscription APIs
  - Vault Management APIs
  - Key Life Cycle Management APIs
    - Creating Azure Keys
    - Fetching List of Azure Keys
    - Viewing Details of Azure Keys
    - Updating Key Parameters
    - Deleting Keys from CCKM
    - Refreshing an Azure Key
    - Soft-Deleting Azure Keys
    - Purging Azure Keys
    - Uploading Keys to Azure Key Vault
    - Downloading Keys Created on Azure Vault to CCKM
    - Synchronizing Azure Keys
    - Viewing Synchronization Status
    - Viewing Details of Synchronization Jobs
    - Aborting Synchronization Jobs
    - Enabling Key for Rotation Job
    - Disabling Key for Rotation Job
    - Enabling Key for Backup Job
    - Disabling Key for Backup Job
    - Restoring an Azure Key
    - Creating Azure Cloud Key Backups
    - Fetching List of Azure Cloud Key Backups
    - Viewing Details of Azure Cloud Key Backups
    - Updating the Azure Cloud Key Backups
    - Deleting the Azure Cloud Key Backups
  - Azure Secrets Management APIs
    - Creating Azure Secrets
    - Fetching List of Azure Secrets
    - Viewing Details of Azure Secrets
    - Updating Attributes of Azure Secrets
    - Deleting Azure Secrets with Backup from CCKM
    - Soft-Deleting Azure Secrets
    - Recovering Soft-Deleted Azure Secrets
    - Purging Azure Secrets
    - Restoring Deleted Azure Secrets
    - Synchronizing Azure Secrets
    - Viewing Synchronization Status
    - Viewing Details of Synchronization Jobs
    - Canceling Synchronization Jobs
  - Azure Certificates Management APIs
    - Creating Azure Certificates
    - Fetching List of Azure Certificates
    - Viewing Details of Azure Certificates
    - Updating Attributes of Azure Certificates
    - Deleting Azure Certificates with Backup from CCKM
    - Soft-Deleting Azure Certificates
    - Recovering Soft-Deleted Azure Certificates
    - Purging Azure Certificates
    - Restoring Deleted Azure Certificates
    - Synchronizing Azure Certificates
    - Viewing Synchronization Status
    - Viewing Details of Synchronization Jobs
    - Canceling Synchronization Jobs
    - Importing Azure Certificates
  - Disaster Management APIs
  - Azure Reports APIs
  - Azure Bulk Job Management APIs
    - Creating Azure Bulk Job
    - Fetching List of Azure Bulk Jobs
    - Viewing Details of an Azure Bulk Job
    - Canceling an Azure Bulk Job
  - Response Parameters of Azure Vault Management APIs
  - Response Parameters of Key Life Cycle Management APIs
- Luna HSM APIs
  - Luna HSM Partition APIs
  - Luna HSM Key APIs
- DSM APIs
  - DSM Domain APIs
    - Getting DSM Domains
    - Adding DSM Domains
    - Viewing DSM Domains
    - Viewing Details of a DSM Domain
    - Changing Connection of a DSM Domain
    - Deleting a DSM Domain
    - Granting Permissions to Users or Groups
  - DSM Key APIs
    - Creating a DSM Key
    - Viewing DSM Keys
    - Getting Details of a DSM Key
    - Deleting a DSM Key from CCKM
    - Deleting a Key from DSM
    - Refreshing DSM Domains
    - Getting Refresh Status of DSM Domains
    - Getting Details of a Domain Refresh
    - Canceling a Domain Refresh
- Google Cloud APIs
  - Google Cloud Project APIs
    - Fetching a Project from Google Cloud
    - Viewing Google Cloud Projects
    - Adding Google Cloud Projects
    - Viewing Details of a Google Cloud Project
    - Granting Permissions to Users or Groups in a Google Cloud Project
    - Deleting a Google Cloud Project
    - Updating a Google Cloud Project
  - Google Cloud Key Ring APIs
    - Getting Google Cloud Key Rings
    - Adding Google Cloud Key Rings
    - Listing Google Cloud Key Rings
    - Viewing Details of a Google Cloud Key Ring
    - Updating a Google Cloud Key Ring
    - Granting Permissions to Users or Groups
    - Deleting Google Cloud Key Rings
  - Google Cloud Key APIs
    - Creating a Google Cloud Key
    - Viewing Google Cloud Keys
    - Getting Details of a Google Cloud Key
    - Updating a Google Cloud Key
    - Viewing Versions of a Google Cloud Key
    - Adding a Version to a Google Cloud Key
    - Viewing Details of a Google Cloud Key Version
    - Refreshing Details of a Google Cloud Key Version
    - Refreshing Details of Google Cloud Key and All Its Versions
    - Updating All Versions of a Google Cloud Key
    - Viewing Details of an Update All Versions Operation
    - Enabling a Version of a Google Cloud Key
    - Disabling a Version of a Google Cloud Key
    - Scheduling Destruction of a Google Cloud Key Version
    - Canceling Scheduled Destruction of a Google Cloud Key Version
    - Re-importing a Google Cloud Key Version
    - Downloading Public Key for an Asymmetric Version
    - Uploading a New Key to Google Cloud
    - Synchronizing Google Cloud Keys
    - Viewing Synchronization Status
    - Viewing Details of a Synchronization Job
    - Canceling a Synchronization Job
    - Enabling Auto Rotation of Google Cloud Keys
    - Disabling Auto Rotation of Google Cloud Keys
    - Viewing the IAM Policy Attached to a Key
    - Attaching an IAM Policy to a Key
    - Viewing the IAM Roles
  - Google Cloud Location API
  - Google Cloud Report APIs
- Google Cloud EKM APIs
- Microsoft DKE APIs
  - Creating DKE Endpoints
  - Fetching List of DKE Endpoints
  - Viewing Details of a DKE Endpoint
  - Updating a DKE Endpoint
  - Deleting a DKE Endpoint
  - Rotating a DKE Endpoint
  - Enabling DKE Endpoint
  - Disabling DKE Endpoint
  - Enabling Key-Rotation Schedule for DKE Endpoint
  - Disabling Key-Rotation Schedule for DKE Endpoint
  - Archiving a DKE Endpoint
  - Recovering a DKE Endpoint
  - Creating DKE Authorized Tenants
  - Viewing Details of a DKE Authorized Tenant
  - Fetching List of DKE Authorized Tenants
  - Updating a DKE Authorized Tenant
  - Deleting a DKE Authorized Tenant
  - Fetching List of DKE Roles
- SAP APIs
  - SAP Applications API
  - SAP Groups APIs
    - Fetching List of Groups from SAP
    - Managing Permissions on SAP Users or Groups
    - Adding SAP Groups
    - Viewing SAP Groups Added to CipherTrust Manager
    - Viewing Details of SAP Groups
    - Updating Connection of SAP Groups
    - Deleting a SAP Group
    - Fetching the Group Service Connectability Parameters from SAP
  - SAP Keys APIs
    - Creating SAP Key
    - Fetching SAP Keys
    - Getting Details of a SAP Key
    - Updating SAP Key Attributes
    - Deleting a SAP Key Backup from CCKM
    - Deleting a Key from SAP
    - Deleting a SAP Key
    - Adding SAP Key Version
    - Viewing SAP Key Versions
    - Getting Details of a SAP Key Version
    - Synchronizing SAP Keys
    - Updating a SAP Key Version
    - Viewing Synchronization Status
    - Viewing the Job Status
    - Creating New Jobs
    - Uploading Keys to SAP
    - Viewing Synchronization Process Details
    - Canceling Synchronization
    - Enabling Auto Rotation of SAP Keys
    - Disabling Auto Rotation of SAP Keys
    - Creating a Dynamic Key Reference (DKR)
    - Viewing the List of DKRs
    - Getting Details of a DKR
    - Updating Details of a DKR
    - Deleting a DKR from CCKM
    - Deleting a DKR from SAP
  - SAP Reports APIs
- SAP HYOK APIs
  - Creating SAP Keystore
  - Fetching SAP Keystore
  - Viewing Details of a SAP Keystore
  - Updating SAP Keystore
  - Deleting a SAP Keystore
  - Blocking Access to the SAP External Keystore
  - Unblocking Access to the SAP External Keystore
  - Create External Key in SAP Keystore
  - Fetching SAP External Keys
  - Viewing Details of a SAP External Key in SAP Keystore
  - Updating SAP External key
  - Deleting a SAP External Key
  - Blocking Access to the SAP External Key
  - Unblocking Access to the SAP External Key
  - Enabling the SAP External Key
  - Disabling the SAP External Key
  - Viewing the Version Details for SAP HYOK
  - Fetching SAP External Key Versions
  - Archiving the SAP External Key
  - Recovering the SAP External Key
  - Archiving the SAP Keystore
  - Enabling Rotation of SAP External Key
  - Disabling Rotation of SAP External Key
  - Recovering SAP Keystore
  - Adding a New Key Version to the SAP External Key
  - Granting Permissions to Users or Groups
  - SAP Invoked APIs
    - Fetching the Keystore Metadata
    - Fetching the Key Metadata
    - Encrypting the Data using a Symmetric Key
    - Decrypting the Data using a Symmetric Key
    - Encrypting the Data using an Asymmetric Key
    - Decrypting the Data using an Asymmetric Key
    - Creating a Digital Signature
    - Verifying a Digital Signature
    - Generating the Random Bytes
    - Fetching the Public Key
    - Fetching Metadata of all Versions of a Key
- Salesforce APIs
  - Salesforce Organization APIs
    - Getting Salesforce Organizations
    - Adding Salesforce Organizations
    - Listing Salesforce Organizations
    - Viewing Details of a Salesforce Organization
    - Updating a Salesforce Organization
    - Granting Permissions to Users or Groups
    - Deleting Salesforce Organizations
  - Salesforce Tenant Secret APIs
    - Creating a Salesforce Tenant Secret
    - Viewing Salesforce Tenant Secrets
    - Getting Details of a Salesforce Tenant Secret
    - Destroying a Salesforce Tenant Secret
    - Synchronizing Tenant Secrets
    - Importing a Tenant Secret
    - Viewing Synchronizing Status
    - Viewing Details of a Synchronization Job
    - Canceling a Synchronization Job
    - Uploading Salesforce Tenant Secrets
    - Deleting Backup of a Salesforce Tenant Secret
    - Activate a Cache-Only Key
    - Fetching a Salesforce Cache-Only Key for a Given Identifier
    - Updating a Salesforce Cache-Only Key
    - Uploading a Salesforce Cache-Only Key
  - Salesforce Issuer APIs
    - Creating a Salesforce Issuer
    - Deleting a Salesforce Issuer
    - Viewing Salesforce Issuers
    - Viewing Details of a Salesforce Issuer
    - Updating a Salesforce Issuer
  - Salesforce Reports APIs
  - Salesforce Cache Only Key Endpoints APIs
  - Salesforce Cloud Certificates APIs
  - Salesforce Named Credentials APIs
- Oracle Cloud APIs
  - OCI Vaults APIs
    - Fetching List of OCI Vaults from Oracle
    - Adding OCI Vaults
    - Viewing OCI Vaults Added to CipherTrust Manager
    - Viewing Details of OCI Vaults
    - Managing Permissions on OCI Users or Groups
    - Deleting OCI Vaults
    - Updating Connection of OCI Vaults
  - OCI Keys APIs
    - Creating OCI Keys
    - Fetching OCI Keys
    - Getting Details of an OCI Key
    - Updating OCI Key Attributes
    - Deleting an OCI Key
    - Canceling Deletion of an OCI Key
    - Deleting an OCI Key Backup from CCKM
    - Restoring a Deleted OCI Key
    - Scheduling Deletion of an OCI Key
    - Adding OCI Key Version
    - Viewing OCI Key Versions
    - Getting Details of an OCI Key Version
    - Scheduling Deletion of an OCI Key Version
    - Canceling Scheduled Deletion of an OCI Key Version
    - Uploading Keys to OCI
    - Synchronizing OCI Keys
    - Viewing Synchronization Status
    - Viewing Synchronization Process Details
    - Canceling Synchronization
    - Changing the Compartment of an OCI Key
    - Disabling an OCI Key
    - Enabling an OCI Key
    - Refreshing an OCI Key
    - Enabling Auto Rotation of OCI Keys
    - Disabling Auto Rotation of OCI Keys
  - OCI Subscribed Regions API
  - OCI Compartments API
  - OCI Reports APIs
- OCI External APIs
  - Issuers APIs
    - Creating an Issuer
    - Returning a List of Issuers
    - Viewing Details of an Issuer
    - Updating Issuers
    - Deleting Issuers
  - External Vaults APIs
    - Creating an External vault
    - Blocking Access to External Vaults
    - Unblocking Access to External vaults
  - External Keys APIs
    - Creating an External Key
    - Blocking Access to External keys
    - Unblocking Access to External keys
  - OCI Invoked APIs
    - Fetching the Metadata of External Vaults
    - Fetching the Metadata of External Keys
    - Fetching the Metadata of a Version of External Keys
    - Encrypting Data Using External Keys
    - Decrypting Data Using External Keys
    - Generating Random Bytes
- CipherTrust Manager as External Keystore APIs
  - External CipherTrust Manager Domain APIs
    - Getting external CipherTrust Manager Domains
    - Adding External CipherTrust Manager Domains
    - Viewing External CipherTrust Manager Domains
    - Viewing Details of an External CipherTrust Manager Domain
    - Changing Connection of an External CipherTrust Manager Domain
    - Deleting an External CipherTrust Manager Domain
    - Granting Permissions to Users or Groups
  - External CipherTrust Manager Key APIs
    - Creating an External CipherTrust Manager Key
    - Viewing External CipherTrust Manager Keys
    - Getting Details of an External CipherTrust Manager Key
    - Deleting an External CipherTrust Manager Key from CCKM
    - Deleting a Key from External CipherTrust Manager
    - Creating a New Version of External CipherTrust Manager Key
    - Viewing External CipherTrust Manager Key Versions
    - Refreshing External CipherTrust Manager Domains
    - Getting Refresh Status of External CipherTrust Manager Domains
    - Getting Details of a Domain Refresh
    - Canceling a Domain Refresh
- Key Material Export and Upload
- Scheduler APIs
  - Scheduling Synchronization
  - Scheduling Key Rotation
  - Scheduling Key Rotation and Auto Rotation of Credentials
  - Automatic Cloud Key Discovery
  - CCKM Key Backup
  - Response Parameters
- Google Workspace CSE APIs
  - Creating an Issuer
  - Viewing Issuers
  - Viewing Details of an Issuer
  - Deleting an Issuer
  - Creating KACLS Endpoints
  - Viewing KACLS Endpoints
  - Viewing Details of a KACLS Endpoint
  - Updating a KACLS Endpoint
  - Disabling a KACLS Endpoint
  - Enabling a KACLS Endpoint
  - Archiving a KACLS Endpoint
  - Recovering a KACLS Endpoint
  - Deleting a KACLS Endpoint
  - Rotating Endpoint Keys (rotate-key)
  - Viewing KACLS Endpoint Perimeters
  - Updating a KACLS Endpoint Perimeter
  - Encrypting Private Keys (wrapprivatekey)
  - Viewing KACLS Endpoint Rewrap Configuration
  - Updating a Rewrap Configuration
  - Viewing KACLS Endpoint Privileged-Unwrap Configuration
  - Updating a KACLS Endpoint Privileged-Unwrap Configuration
  - Google Invoked APIs
    - Encrypting Data Encryption Keys (wrap)
    - Decrypting Data Encryption Keys (unwrap)
    - Decrypting and Downloading Document (privilegedunwrap)
    - Viewing the KACLS Endpoint Status
    - Signing Private Keys (privatekeysign)
    - Decrypting Content Encryption Keys (privatekeydecrypt)
    - Decrypting and Downloading Gmail Message (privilegedprivatekeydecrypt)
    - Listing KACLS Public JWKS
    - Migrating from an Old KACLS to a New KACLS
    - Validating the Resource Key Hash
    - Publishing Public JSON Web Key Set (JWKS) at /Certs
    - Delegating Access
    - Decrypting Data in a Privileged Context
    - Encrypting the Bulk Imported Data (privilegedwrap)
- Settings APIs
  - Updating CCKM Settings
  - Fetching CCKM Settings
  - Updating the Azure Key Expiry Notification Settings
  - Fetching the Azure Key Expiry Notification Settings
  - Updating the AWS Key Expiry Notification Settings
  - Fetching the AWS Key Expiry Notification Settings
DDC Architecture Guidelines
DDC GLASS Reference
DDC ELK Reference
KMIP Reference
Server Audit Record Reference
- KMIP Errors
- Key Errors
- Certificate Errors
- SNMP Errors
- SMTP Errors
- LDAP Errors
- Authentication Errors
- NAE Errors
- Clustering Errors
- HSM Errors
- Backup and Restore Errors
- General Errors
tcpdump utility
NAE-XML Interface Development
- Starting an XML Session
- NAE Client Registration
- User Requests
- User Group Requests
- Key Management Operations
- Importing, Exporting, and Replicating Keys
- Secret Management Operations
- Certificate and CA Requests
- Cryptographic Operations
- Logging
- Error Messages
- Supported Key Algorithms
- Differences Between Key Managers

Updating a KACLS Endpoint Privileged-Unwrap Configuration

Use the PATCH /v1/cckm/GoogleWorkspaceCSE/endpoints/{id}/privileged-unwrap-configuration API to update a privileged-unwrap configuration for a KACLS endpoint.

Before using the API, make sure the value of allow_privileged_unwrap parameter is true for the endpoint. Refer to Updating a KACLS Endpoint.

Syntax

curl -k '<IP>/api//v1/cckm/GoogleWorkspaceCSE/endpoints/{id}/privileged-unwrap-configuration' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n  "kacls_base_url": "<kacls_base_url>", "users": "<users>"\n}' --compressed

Request Parameters

Parameter	Type	Description
id	string	ID of the endpoint. To find out the ID of an endpoint, refer to Viewing KACLS Endpoints.
AUTHTOKEN	string	Authorization token.
kacls_base_url (optional)	array of strings	List of KACLS URLs allowed to send privilegedUnwrap from other KACLS that is new-KACLS endpoints.
users (optional)	array of strings	List of email addresses for authenticated users to perform privilegedUnwrap.

Note

You need to configure one of the following:

kacls_base_url: The list of KACLS URLS to enable KACLS key migration.
users: The list of email addresses to decrypt the data in a privileged context (takeout).

Example Request

curl -k 'https://127.0.0.1/api/v1/cckm/GoogleWorkspaceCSE/endpoints/a873fed8-40da-4959-b0b0-376e1af2764b/privileged-unwrap-configuration' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n  "kacls_base_url": "<https://demo.thalescpl.com/api/v1/cckm/GoogleWorkspaceCSE/endpoints/tj03b8bc-b568-4a03-f2r6-8en42c6c6eu9>", "users": "<demo.user@thalescpl.com>"\n}' --compressed

Example Response

{
    "id": "a873fed8-40da-4959-b0b0-376e1af2764b",
    "uri": "kylo:kylo:cckm:kacls-endpoint-migration-configuration:a873fed8-40da-4959-b0b0-376e1af2764b",
    "account": "kylo:kylo:admin:accounts:101128a7-c620-4a64-9d81-08a8f72deb93",
    "createdAt": "2022-11-24T11:36:06.488958+05:30",
    "updatedAt": "2022-11-24T11:36:06.487491+05:30",
    "endpoint_id": "d7f604d6-d3c2-4aeb-bd62-b2e1429c63f4",
    "kacls_base_url": [
        "https://<KS IP1>/cckm/GoogleWorkspaceCSE/39a9e91b-7a95-4fbf-bf79-30930eeb1d23",
        "https://<KS IP2>/cckm/GoogleWorkspaceCSE/39a9e91b-7a95-4fbf-bf79-30930eeb1d2c"
    ]
}

The output shows the updated privileged-unwrap configuration details for the KACLS endpoint.

Response Codes

Response Code	Description
2xx	Success
4xx	Client errors

Refer to HTTP status codes for details.