SAP HYOK APIs
Caution
This feature is a technical preview for evaluation in non-production environments. A technical preview introduces new, limited functionality for customer feedback as we work on the feature. Details and functionality are subject to change. We cannot guarantee that data created as part of a technical preview will be retained after the feature is finalized.
SAP Data Custodian KMS supports a customer-managed keystore that allows you to create HYOK keys residing in your external key manager. You manage the full lifecycle of HYOK keys within your external key manager. SAP Data Custodian KMS does not have any control over these keys.
Your external key manager handles crypto operations within its secure enclave, using a network endpoint. SAP KMS forwards these requests to your external key manager, where the key material remains protected.
Prerequisites
Before integrating CipherTrust Manager as your external key manager:
Ensure that CipherTrust Manager is up and running. Activate and install the CCKM license. Refer to the CipherTrust Manager Deployment Guide and Licensing for details.
Ensure CipherTrust Manager has a valid publicly accessible hostname and a trusted third-party CA certificate installed on its web interface.
Add the SAP Cloud Root CA as both an external CA and an external trusted CA on CipherTrust Manager:
Download the SAP Cloud Root CA.crt file from the Download section of the SAP Trust Center Services page.
Rename the extension of the file from CRT to PEM.
Add the SAP Cloud Root CA.pem file as an external CA on CipherTrust Manager. Refer to Add an external CA.
Add the SAP Cloud Root CA.pem file as an external trusted CA on CipherTrust Manager. Refer to Add an external trusted CA.
After ensuring the prerequisites, perform the steps described in the subsequent sections.
Create and download the SAP certificate
Log in to your SAP Data Custodian system.
Open the Key Management menu.
Select Keystore Configuration.
Select Thales CipherTrust Manager from the Customer Managed Keystore tab.
Click Certificate Auth..
Click Create. A new certificate will be generated.
Select the new certificate.
Select Actions.
Select Download.
Copy the SAP Certificate ID.
Create a keystore
Create a keystore on the CipherTrust Manager. Refer to Creating SAP Keystores for details. After the keystore is created successfully, copy the keystore URL.
Create a group for HYOK in SAP
You need to create a group for HYOK in SAP for CipherTrust Manager. To create a group.
Log in to SAP Data Custodian tenant.
Open the Dashboard.
Select the Key Management Service tab.
Select an application context.
Click Create Group.
Complete the Group Details section.
Open the Dashboard again.
Complete the Keystore Selection section.
Select Customer Managed Keystore (HYOK).
Select Thales CipherTrust Manager from the Keystore drop-down menu.
Review Authentication Method section, auto populates to Certificate.
Select the Key Management Service tab again.
Complete the Configure Authentication Method section.
Enter Thales CipherTrust Manager keystore URL in the Keystore URL field. You copied it above while creating a SAP keystore.
Enter the SAP Certificate ID in the Certificate ID field. You copied it above while creating and downloading the certificate.
Click Review.
Review the group details.
Click Create.
Create an endpoint (key)
Create an endpoint on the CipherTrust Manager. Refer to Create External Key in SAP Keystore for details. After the endpoint is created successfully, copy the globally unique identifier of the endpoint.
Register the key for HYOK in SAP
You need to register the key for HYOK in SAP for CipherTrust Manager. To register the key.
Log in to SAP Data Custodian tenant.
Open the Dashboard.
Select the Key Management Service tab.
Select an application context.
Select the HYOK group where the endpoint will be registered.
Click the Keys tab.
Click Register New Key.
Complete the Key Details section.
Select the Key ID.
Enter the unique identifier of the endpoint that you created above.
Click Review.
Review key details.
Click Register.
Managing the SAP HYOK APIs
Tip
The mandatory API request parameters are written in bold.
