CCKM supports the SAP Data Custodian cloud.
Before you can manage SAP resources on CCKM:
Click each link to view details.
Get a Service Admin User Account
Get a Service Admin user account from SAP. You will be provided service account credentials (a Data Custodian URL, tenant, and username.) These are required to access the Data Custodian system.
To log on to the SAP cloud as the Service Admin:
Open the URL for your SAP Data Custodian environment.
Enter your tenant name.
Enter your Username and Password.
Next, you need to create a new group.
Create a New Group
Key Management Service groups are used to organize encryption keys and KMS users. Every group is associated with a specific application type, key store provider, key store type, and service tier.
A user with the Key Administrator role in KMS can create new groups.
To create a new group:
Log on to the SAP cloud as the Key Admin user.
Navigate to Home > Dashboard. The Key Management Service Dashboard is displayed.
On the Key Management Service tab, select an application, for example General/IAAS Applications.
Click Create Group. The Group Details screen is displayed.
Specify the group details:
Specify the Group Name.
Add the Group Description.
(Optional) If applicable, provide the Landscape type, System ID, and Tenant. These fields are optional.
Click Step 2. The Key Store Selection screen is displayed.
Specify the key store details:
Select SAP Data Custodian Provided Key Store.
Select a Key Store (for example, AWS, ESK, Azure).
Select the Key Store Region where your key store is located.
Click Review to verify the group details. Click Edit to make any changes.
The group is created and its details are displayed. After you have created the group, you need to add a new user to Data Custodian's Identity Service Management (ISM). New Data Custodian users must be added to ISM before they can be added to the Key Management Service.
Create a User or Application Technical User in ISM
Click the desired tab to view the instructions.
Add a user to Data Custodian's Identity Service Management (ISM). SAP Data Custodian users with an administrator role in ISM can create new users and edit their service roles.
To add a user in ISM:
Log on to the SAP cloud as the Service Admin.
Go to top left Menu > Tenant Management > Users.
Enter the user's First Name and Last Name.
Enter the user's Email Address.
Select optional ISM administrator Roles to assign to the user.
Select an optional Active Time Range for the user.
Active From: Allows you to activate the user at a specific time.
Active To: Allows you to deactivate the user at a specific time.
Click Review. Verify the user details. Click Edit to make changes, if required.
The user is created. Next, you need to add this user to the Key Management Service, as described below.
Add an application technical user to Data Custodian's Identity Service Management (ISM). SAP Data Custodian users with a key administrator (Key Admin) role in ISM can create new technical users and edit their permissions.
To add a technical user in ISM:
Log on to the SAP cloud as the Key Admin.
Go to top left Menu > Home > Dashboard.
Click the desired application.
Click the desired group.
On the Users tab, click Technical Users.
Click Create Technical User.
Enter the Username and Description (optional), and click Step 2.
Select an Active Time Range and click Step 3.
To specify the range:
Active From: Allows you to activate the technical user at a specific time. The technical user remains inactive until the Active From time is specified.
Active To: Allows you to deactivate the technical user at a specific time.
Select the following permissions.
View all audit logs for this technical user's group
Backup and restore keys
Read all keys in group
Export all keys in group
Service Availability Check
Read Dynamic Key References
Click Generate Credential.
Enter Credential Name, select Expiry Date (optional), and click Download.
The credentials (access key, secret key, and API endpoints) are downloaded in a ZIP file named
<credential-name>.zip. These credentials are needed to create a SAP connection on the CipherTrust Manager. It is recommended to use the latest API endpoint URL listed in the extracted
API endpoints.txt file. Refer to Add SAP Connection on CipherTrust Manager for details.
Add the User to Key Management Service
This section is applicable to non-technical SAP users. Skip the section when adding SAP Technical Users.
Add the user created in the previous step to the Key Management Service. Only the Key Management Service users with an Administrator role can add other users to KMS.
To add the user to the Key Administrator service:
Navigate to Tenant Management > Users.
From the All Users section, select the user (created above).
Click Add to Service. You might need to open the menu on the top-right, to see this button.
Select Key Management Service (KMS).
Select the Key Administrator role to assign to the user. The user with the Key Administrator role is referred to as the Key Admin user in this document.
Optionally, assign one or more existing groups to the user. Refer to User Roles in the Key Management Service in SAP documentation for more information.
After assigning the Key Administrator role to the user, add SAP connection on CipherTrust Manager.
Add SAP Connection on CipherTrust Manager
Before you can add a SAP group to the CCKM, a connection to your SAP account must already exist on the CipherTrust Manager. After you have created a SAP group, add a connection to the SAP cloud using your SAP tenant and the Key Admin username and password.
A CipherTrust Manager administrator manages connections to external resources on the Access Management > Connections Management page of the CipherTrust Manager GUI. Refer to Connection Manager for details.
After completing the prerequisites, you can view linked SAP groups and manage keys on the CipherTrust Manager.
Refer to the following sections:
The mandatory API request parameters are written in bold.