Creating KACLS Endpoints

Use the POST /v1/cckm/GoogleWorkspaceCSE/endpoints API to create or update KACLS endpoints for Google Workspace CSE. The API also creates a key encryption key (KEK) for wrapping and unwrapping data encryption keys (DEKs).

When creating an endpoint, specify the following details:

  • Unique name for the endpoint.

  • Authentication audience (third-party identity provider's client ID) for the endpoint.

  • Hostname of the endpoint URL. This is the fully qualified domain name (FQDN) of the CCKM/CipherTrust Manager appliance.

  • Identity provider (issuer): Select from the available identity providers by passing their issuer IDs in the endpoint creation parameters. If no issuer is specified, all identity providers are added to the endpoint by default.

Syntax

curl -k 'https://<IP>/api/v1/cckm/GoogleWorkspaceCSE/endpoints' \
  -H 'Authorization: Bearer AUTHTOKEN' \
  -H 'Content-Type: application/json' \
  --data-binary $'{\n  "name": "<endpoint-name>",\n  "endpoint_url_hostname": "<endpoint_url_hostname>",\n  "issuer": [\n    "<issuer-id-1>",\n    "<issuer-id-2>"\n  ],\n  "authenticationAud": [\n    "<authentication-aud>"\n  ]\n}' \
  --compressed

The -k option makes curl skip TLS certificate verification. Omit it when the appliance presents a certificate that the client trusts.

Request Parameters

| Parameter | Type | Description |
|---|---|---|
| AUTHTOKEN | string | Authorization token. |
| authenticationAud | array of strings | List of supported audiences for the authentication JWT. This is the ID of the third-party identity provider. For example, for Auth0, it is represented by the Client ID. |
| endpoint_url_hostname | string | Hostname for the endpoint URL. Enter the fully qualified domain name (FQDN) of the CCKM/CipherTrust Manager appliance. |
| name | string | Name for the endpoint. |
| authorizationAud | array of strings | List of supported audiences for the authorization JWT. |
| cors | array of strings | List of Cross-Origin Resource Sharing (CORS) to support. |
| endpoint_url | string | Unique base URL for the endpoint. |
| issuer | array of strings | List of trusted issuer IDs to use with this endpoint. These issuers are managed through the /GoogleWorkspaceCSE/issuers URL. |
| meta | JSON | Additional information about the endpoint. |

Example Request

curl -k 'https://127.0.0.1/api/v1/cckm/GoogleWorkspaceCSE/endpoints' \
  -H 'Authorization: Bearer AUTHTOKEN' \
  -H 'Content-Type: application/json' \
  --data-binary $'{\n  "name": "endpoint_demo",\n  "endpoint_url_hostname": "demo.thalesgwsintegration.net",\n  "issuer": [\n    "39a9e91b-7a95-4fbf-bf79-30930eeb1d2c",\n    "39a9e91b-7a95-4fbf-bf79-30930eeb1d2d"\n  ],\n  "authenticationAud": [\n    "122334a33qr31038dekfhfl"\n  ]\n}' \
  --compressed

Example Response

{
    "issuer": [
        "39a9e91b-7a95-4fbf-bf79-30930eeb1d2c",
        "39a9e91b-7a95-4fbf-bf79-30930eeb1d2d"
        ],
    "id": "c1583936-7d03-4e2d-a0ae-3a1ae2d2e200",
    "uri": "kylo:kylo:cckm:kacls-endpoint:demo",
    "account": "kylo:kylo:admin:accounts:kylo",
    "application": "ncryptify:gemalto:admin:apps:kylo",
    "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
    "createdAt": "2020-10-15T13:30:57.560148051Z",
    "name": "endpoint_demo",
    "endpoint_url_hostname": "demo.thalesgwsintegration.net",
    "updatedAt": "2020-10-15T13:30:57.560148051Z",
    "cors": null,
    "authorizationAud": null,
    "authenticationAud": [
        "122334a33qr31038dekfhfl"
        ],
    "endpoint_url": "https://demo.thalesgwsintegration.net/api/v1/cckm/GoogleWorkspaceCSE/endpoints/c1583936-7d03-4e2d-a0ae-3a1ae2d2e200 ",
    "kekName": "ks-cc84e97b53e5457cbd6b664174a0f1df57570a3aa4044ee887077203940f1221",
    "kekID": "cc84e97b53e5457cbd6b664174a0f1df57570a3aa4044ee887073303940f10c1",
    "meta": null
}

The output shows the endpoint ID "c1583936-7d03-4e2d-a0ae-3a1ae2d2e200". Each endpoint has a unique ID. The endpoint ID is required when viewing, modifying, wrapping, unwrapping, and deleting the endpoint. It is also required when rotating the endpoint's encryption key and when viewing and updating the KACLS perimeters.

A KEK "kekName" with the ID "kekID" is also created. This KEK is used for wrapping and unwrapping DEKs.
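
A pre-flight and post-create check for this call, written in Python as an added example (not Thales code). The helper names are hypothetical, the field names are those in the request and response above, and the FQDN pattern is an assumption about what the appliance accepts.

```python
import re

# FQDN only: dot-separated labels ending in an alphabetic TLD (rejects URLs and bare IPs).
_FQDN = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def build_endpoint_request(name, hostname, issuers, authentication_aud):
    """Hypothetical helper: JSON body for POST /v1/cckm/GoogleWorkspaceCSE/endpoints."""
    if not name:
        raise ValueError("endpoint name is required")
    if not _FQDN.match(hostname):
        raise ValueError("endpoint_url_hostname must be an FQDN, not a URL or IP")
    # Leaving "issuer" out adds every identity provider to the endpoint,
    # so this helper requires an explicit list.
    if not issuers:
        raise ValueError("list the trusted issuer IDs explicitly")
    if not authentication_aud:
        raise ValueError("authenticationAud is required")
    return {"name": name, "endpoint_url_hostname": hostname,
            "issuer": sorted(set(issuers)),
            "authenticationAud": sorted(set(authentication_aud))}


def check_endpoint_response(request, response):
    """Hypothetical helper: confirm the created endpoint matches the request."""
    problems = []
    for field in ("issuer", "authenticationAud"):
        want, got = set(request[field]), set(response.get(field) or [])
        if want != got:
            problems.append(f"{field}: unexpected={sorted(got - want)} missing={sorted(want - got)}")
    if response.get("endpoint_url_hostname") != request["endpoint_url_hostname"]:
        problems.append("endpoint_url_hostname differs from the request")
    ids = {k: response.get(k) for k in ("id", "kekID", "kekName")}
    problems += [f"{k} missing from response" for k, v in ids.items() if not v]
    if problems:
        raise ValueError("; ".join(problems))
    return ids  # keep these: later endpoint calls need the endpoint ID


if __name__ == "__main__":
    # Values from the example request and response on this page (response trimmed).
    req = build_endpoint_request(
        "endpoint_demo", "demo.thalesgwsintegration.net",
        ["39a9e91b-7a95-4fbf-bf79-30930eeb1d2c", "39a9e91b-7a95-4fbf-bf79-30930eeb1d2d"],
        ["122334a33qr31038dekfhfl"])
    resp = dict(req, id="c1583936-7d03-4e2d-a0ae-3a1ae2d2e200",
                kekName="ks-cc84e97b53e5457cbd6b664174a0f1df57570a3aa4044ee887077203940f1221",
                kekID="cc84e97b53e5457cbd6b664174a0f1df57570a3aa4044ee887073303940f10c1")
    print(check_endpoint_response(req, resp))
```
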

Response Codes

| Response Code | Description |
|---|---|
| 2xx | Success |
| 4xx | Client errors |

Refer to HTTP status codes for details.