Configure settings in the KMES Series 3 application interface
Complete the following tasks in the KMES interface:
- Define the Key Access Control List (KACL) URL.
- Enable the Host API commands.
Define the KACL URL
Perform the following steps to define the KACL URL for Google client-side encryption:
In KACL URL, enter the URL for your key service (for example, https://<server ip>:<port>/kmes/v7/key-encrypt/client). Google requires this connection to use TLS with a publicly trusted certificate, so the host in the URL must match the name on that certificate. The connection can pass through NAT or a reverse proxy.
Enable the commands
Perform the following steps to enable the required Host API commands:

Configure settings in the Google Admin console
The Key Access Control List Service (KACLS) is your external key service (such as the KMES Series 3) that uses an API to control access to the encryption keys stored in an external system. The Identity Provider (IdP), discussed in earlier sections of this guide, authenticates users before they can encrypt files or open encrypted files. This integration uses VirtuCrypt as the IdP, but you can use any IdP that supports OpenID Connect (OIDC) on top of OAuth. Complete the following tasks in the Google Admin console for client-side encryption:
- Configure the KACLS.
- Configure the IdP.
Configure the KACLS
Perform the following steps to configure the KACLS:
Sign in to your Google Admin console by using an account with super administrator privileges.
Enter the URL for your key service (such as https://<server ip>:<port>/kmes/v7/key-encrypt/client). Google requires this connection to use TLS with a publicly trusted certificate. The connection can pass through NAT or a reverse proxy.
To confirm that Google Workspace can communicate with the external key service, select [ Test connection ].
Configure the IdP
To connect Google Workspace to your IdP, you can use a .well-known file or the Admin console. After establishing the connection, you must allowlist your IdP in the Admin console.
This section shows how to connect Google Workspace to your IdP by using the Admin console. Google treats this method as a fallback for the .well-known file method, which is the preferred approach. For instructions on connecting Google Workspace to your IdP with a .well-known file, see the Google Workspace documentation: https://support.google.com/a/answer/10743588#config_wellknown&zippy=%2Coption-to-connect-to-your-idp-using-a-well-known-file
Sign in (admin.google.com/) to your Google admin console (support.google.com/a/answer/182076) by using an account with super administrator privileges (support.google.com/a/answer/2405986#super_admin).
In Name, specify a descriptive name to help identify your IdP. This name displays in IdP messages for users.
In Client ID, specify the OpenID Connect (OIDC) client ID that the CSE client application uses to acquire a JSON Web Token (JWT) based on the following scenarios:
- If you’re using a third-party IdP: Generate this ID by using your IdP admin console.
- If you’re using Google identity: Generate this ID by using the Google Cloud Platform (GCP) Admin console. For instructions, go to the following link: Create a client ID for Google identity.
In Discovery URI, specify the OIDC discovery URL, as defined in the OpenID Connect Discovery specification (openid.net/specs/openid-connect-discovery-1_0.html), based on the following scenarios:
- If you’re using a third-party IdP: Your IdP provides you with this URL, which usually ends with /.well-known/openid-configuration.
- If you’re using Google identity: Use https://accounts.google.com/.well-known/openid-configuration.
Configure your discovery URI to allow the following origin URLs for Cross-Origin Resource Sharing (CORS) calls:
- Methods: GET
- Allowed origins:
  https://admin.google.com
  https://client-side-encryption.google.com
  https://krahsc.google.com/callback
  https://krahsc.google.com/oidc/cse/callback
  https://krahsc.google.com/oidc/drive/callback
  https://krahsc.google.com/oidc/gmail/callback
  https://krahsc.google.com/oidc/meet/callback
  https://krahsc.google.com/oidc/calendar/callback
  https://krahsc.google.com/oidc/docs/callback
  https://krahsc.google.com/oidc/sheets/callback
  https://krahsc.google.com/oidc/slides/callback
  https://client-side-encryption.google.com/callback
  https://client-side-encryption.google.com/oidc/cse/callback
  https://client-side-encryption.google.com/oidc/drive/callback
  https://client-side-encryption.google.com/oidc/gmail/callback
  https://client-side-encryption.google.com/oidc/meet/callback
  https://client-side-encryption.google.com/oidc/calendar/callback
  https://client-side-encryption.google.com/oidc/docs/callback
  https://client-side-encryption.google.com/oidc/sheets/callback
  https://client-side-encryption.google.com/oidc/slides/callback
In the Grant type field, select the OAuth flow you want to use for OIDC based on the following scenarios:
- If you’re using a third-party IdP: Use either the Implicit or Authorization code with PKCE grant type.
- If you’re using Google identity: Use only the Implicit grant type.
Select [ Test Connection ].
If Google Workspace can connect to your IdP, a connection success message is displayed.
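The checks a practitioner would run before selecting [ Test Connection ] in either console, as an added example that is not part of this guide and not code from Futurex or Google: it verifies the KACLS URL against the TLS requirement above (HTTPS, no leftover <placeholder> text), verifies that the IdP's OIDC discovery document advertises what the chosen grant type needs (an id_token response type for Implicit; code, a token endpoint and S256 for Authorization code with PKCE), and verifies the CORS headers the discovery URI returns to the Google origins. The discovery document, the CORS responses and the idp.example.com / kms.example.com hostnames are constructed samples, and the function and grant-type names are this example's own.

```python
"""Pre-flight checks for a Google Workspace CSE integration (added example)."""
from urllib.parse import urlparse

# A browser's Origin header is scheme://host[:port] with no path, so the
# callback URLs in the guide's allowed-origins list reduce to these origins.
GOOGLE_CSE_ORIGINS = (
    "https://admin.google.com",
    "https://client-side-encryption.google.com",
    "https://krahsc.google.com",
)

# Metadata an OpenID Connect Discovery 1.0 document must carry.
REQUIRED_FIELDS = (
    "issuer",
    "authorization_endpoint",
    "jwks_uri",
    "response_types_supported",
    "subject_types_supported",
    "id_token_signing_alg_values_supported",
)


def check_kacls_url(url):
    """Problems with a KACLS URL; an empty list means it meets the guide's rules."""
    problems = []
    parts = urlparse(url)
    if parts.scheme != "https":
        problems.append("KACLS URL must be https: Google requires TLS")
    if not parts.netloc:
        problems.append("KACLS URL has no host")
    if "<" in url or ">" in url:
        problems.append("KACLS URL still contains a <placeholder>")
    return problems


def check_discovery(doc, grant_type):
    """Problems with a discovery document for the grant type chosen in the Admin console.

    grant_type is "implicit" or "authorization_code_pkce" (labels used by this example).
    """
    problems = ["missing " + field for field in REQUIRED_FIELDS if field not in doc]
    if not str(doc.get("issuer", "")).startswith("https://"):
        problems.append("issuer must be an https URL")
    response_types = doc.get("response_types_supported", [])
    if grant_type == "implicit":
        # Implicit flow: the ID token comes straight from the authorization endpoint.
        if not any("id_token" in rt.split() for rt in response_types):
            problems.append("implicit grant needs an id_token response type")
    elif grant_type == "authorization_code_pkce":
        if "code" not in response_types:
            problems.append("authorization code grant needs the code response type")
        if "token_endpoint" not in doc:
            problems.append("authorization code grant needs a token_endpoint")
        if "S256" not in doc.get("code_challenge_methods_supported", []):
            problems.append("PKCE needs code_challenge_methods_supported to include S256")
    else:
        problems.append("unknown grant type: " + repr(grant_type))
    return problems


def check_cors(origin, response_headers):
    """Problems with the CORS headers the discovery URI returned for one Google origin."""
    headers = {k.lower(): v for k, v in response_headers.items()}
    problems = []
    allowed = headers.get("access-control-allow-origin")
    if allowed not in (origin, "*"):
        problems.append("%s not allowed (Access-Control-Allow-Origin=%r)" % (origin, allowed))
    methods = [m.strip().upper() for m in headers.get("access-control-allow-methods", "GET").split(",")]
    if "GET" not in methods:
        problems.append("GET not in Access-Control-Allow-Methods")
    return problems


def run_all(kacls_url, discovery, grant_type, cors_by_origin):
    """Run every check; returns {check name: list of problems}."""
    report = {
        "kacls_url": check_kacls_url(kacls_url),
        "discovery": check_discovery(discovery, grant_type),
    }
    for origin in GOOGLE_CSE_ORIGINS:
        report["cors:" + origin] = check_cors(origin, cors_by_origin.get(origin, {}))
    return report


# Constructed sample discovery document for a hypothetical IdP at idp.example.com.
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/oauth2/jwks",
    "response_types_supported": ["code", "id_token", "id_token token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "code_challenge_methods_supported": ["S256"],
}

# Constructed CORS responses: one that allows the Google origin, one that does not.
SAMPLE_CORS_OK = {"Access-Control-Allow-Origin": "https://krahsc.google.com",
                  "Access-Control-Allow-Methods": "GET, OPTIONS", "Vary": "Origin"}
SAMPLE_CORS_WRONG = {"Access-Control-Allow-Origin": "https://intranet.example.com"}

if __name__ == "__main__":
    cors = {o: {"Access-Control-Allow-Origin": o, "Access-Control-Allow-Methods": "GET, OPTIONS"}
            for o in GOOGLE_CSE_ORIGINS}
    report = run_all("https://kms.example.com:8443/kmes/v7/key-encrypt/client",
                     SAMPLE_DISCOVERY, "authorization_code_pkce", cors)
    for name, problems in report.items():
        print(name, "OK" if not problems else "; ".join(problems))
```

In practice, fetch the discovery document with an HTTP GET from the discovery URI and capture the response headers of an OPTIONS or GET request sent with an Origin header set to each of the three Google origins; feed those into run_all instead of the constructed samples. An IdP that echoes only the requesting origin (rather than returning *) will need to be queried once per origin, which is why the CORS check is keyed by origin.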