Connect SAP Analytics Cloud to SAP Data Custodian

SAP Data Custodian Key Management Service connects with SAP Analytics Cloud to deliver simplified cryptographic key provisioning, control, and monitoring services to protect your sensitive data stored in public, private, hybrid, and multicloud environments.

Configure Customer Managed Keys for SAP Data Custodian

Prerequisites

Context

Once your team has completed the SAP Data Custodian onboarding process, you must have a Key Administrator complete the configuration process for your key scenario, create an application technical user (APP TU) in your group, and generate an application technical user credential. This credential will be needed to connect your SAP Data Custodian tenant to your SAP Analytics Cloud account.

Enable Encryption With Customer-Controlled Keys (BYOK)

Prerequisites

  1. Complete the SAP Data Custodian Key Management Service configuration guide for your team’s selected key scenario:

    Customer-Controlled Encryption Key (CCEK) Scenarios

    Bring Your Own Key (BYOK) Scenarios

    Hold Your Own Key (HYOK) Scenarios

  2. Complete the Create an Application Technical User in a Group activity.
  3. Complete the Generate an Application Technical User Credential activity.

Also, make sure that:

  • You have a Security Administrator role with the BYOK administration privilege enabled in SAP Analytics Cloud.
  • You have completed the tasks above before adding a key to SAP Analytics Cloud.
  • The database has been prepared for BYOK by SAP. If needed, open an SAP Product Support incident using LOD-ANA-ADM: https://launchpad.support.sap.com/#/incident/create

Context

Enabling Bring Your Own Key (BYOK) using an SAP Data Custodian Key Management Service-provided key allows you to actively manage the encryption status of your data.

Procedure

  1. Log on to your SAP Analytics Cloud tenant.
  2. Go to System > Administration > External Systems.
  3. In the Bring Your Own Key (BYOK) section, select Set Up Primary Key.
  4. Add the following information:
    1. Enter the SAP Data Custodian Tenant Name.
    2. Enter the Encryption Key ID.
      This is the key you retrieved from the steps in Generate an Encryption Key above.
    3. Enter the Technical User API Endpoint.
      Note

      Only the host part from the API Endpoint file should be filled in the form.

      For example, if the file contains:
      https://kms-api-demo.datacustodian.cloud.sap/kms/api

      The Technical User API Endpoint is: kms-api-demo.datacustodian.cloud.sap

    4. Enter the Technical User Access Key.
      This is the key you retrieved from the steps in Generate an Application Technical User Credential above.
    5. Enter the Technical User Secret Key.
      This is the key you retrieved in the steps to Generate an Application Technical User Credential above.
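
The note in step 3 asks for only the host part of the value in the API Endpoint file. The following is an added example, not SAP code, that derives that host and stops on values that cannot be reduced to a bare host unambiguously. The function name `endpoint_host` and its rejection rules (non-HTTPS scheme, embedded credentials, explicit port) are assumptions made for this example.

```python
from urllib.parse import urlsplit


def endpoint_host(file_text: str) -> str:
    """Return the host-only value for the Technical User API Endpoint field.

    Hypothetical helper: takes the text of the API Endpoint file and rejects
    anything that cannot be reduced to a bare host unambiguously.
    """
    value = file_text.strip()
    if not value or any(ch.isspace() for ch in value):
        raise ValueError("expected exactly one endpoint value")
    # urlsplit() only fills in the host when a scheme is present, so accept a
    # value that has already been trimmed to the host by adding one.
    if "://" not in value:
        value = "https://" + value
    parts = urlsplit(value)
    if parts.scheme != "https":
        raise ValueError("endpoint must use https")
    if parts.username or parts.password:
        raise ValueError("endpoint must not embed credentials")
    if parts.port is not None:
        # The page only says to enter the host part; how a port would be
        # treated is not documented, so stop instead of guessing.
        raise ValueError("endpoint carries a port; check the value manually")
    if not parts.hostname:
        raise ValueError("no host found in endpoint")
    return parts.hostname


if __name__ == "__main__":
    # Example value taken from the note in step 3.
    print(endpoint_host("https://kms-api-demo.datacustodian.cloud.sap/kms/api\n"))
```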

(Optional) Enable Second Access Key

Prerequisites

  • You must have a Security Administrator role with the BYOK administration privilege enabled in SAP Analytics Cloud.
  • You must complete the tasks above before adding a key to SAP Analytics Cloud.
  • You must have a private / public certificate pair.

Context

Enabling a second access key for BYOK provides a recovery mechanism in the event of a critical failure of the SAP Data Custodian Key Management service. The mechanism for recovery requires the private key of the pair to trigger the procedure. Since this key would be provided to SAP in the event of a disaster, you must generate the pair with the appropriate security and access scopes.

Procedure

  1. Log on to your SAP Analytics Cloud tenant.
  2. Go to System > Administration > External Systems.
  3. In the Bring Your Own Key (BYOK) section, select Set Up Secondary Key.
  4. Add the following information:
    1. Enter the public part of the certificate key pair.
    2. Enter the Technical User Access Key.
      This is the key you retrieved from the steps in Generate an Application Technical User Credential above.
    3. Enter the Technical User Secret Key.
      This is the key you retrieved from the steps in Generate an Application Technical User Credential above.

Disable Encryption with Customer-Controlled Keys (BYOK)

Prerequisites

You must have a Security Administrator role with the BYOK administration privilege enabled in SAP Analytics Cloud.

Context

Disabling BYOK removes the integration between the SAP Data Custodian Key Management Service and the encryption of data in SAP Analytics Cloud.

Procedure

  1. Log on to your SAP Analytics Cloud tenant.
  2. Go to System > Administration > External Systems.
  3. In the Bring Your Own Key (BYOK) section, select Disable BYOK.
  4. Confirm Disable in the dialog that appears.