Required ENV variables for Virtru Private Keystore (for Google Workspace CSE) configuration

Values to fill out if using CKS (refer to the chart at the end for the values needed for the cse.env)

HMAC_TOKEN_ID=00000000000000000000@tokens.virtru.com
HMAC_TOKEN_SECRET=00000000000000000000
CKS_HMAC_TOKEN_ID=v0000000000000000000@token.virtru.com
CKS_HMAC_TOKEN_SECRET=0000000000000000000000
JWKS_AUTHN_ISSUERS=000000000000000000000
JWKS_AUTHZ_ISSUERS=0000000000000000000000000
JWT_AUD=000000000000000000000
JWT_KACLS_URL=https://csesrv.customer.com
TAKEOUT_CLAIM=cse_takeout
ACM_URL=https://api.virtru.com/acm/api
ACCOUNTS_URL=https://api.virtru.com/accounts/api
CKS_URL=https://cks.customer.com
PORT=9000
USE_SSL=true

Values to fill out if not using CKS

HMAC_TOKEN_ID=00000000000000000000@tokens.virtru.com
HMAC_TOKEN_SECRET=00000000000000000000
#CKS_HMAC_TOKEN_ID=
#CKS_HMAC_TOKEN_SECRET=
JWKS_AUTHN_ISSUERS=000000000000000000000
JWKS_AUTHZ_ISSUERS=0000000000000000000000000
JWT_AUD=000000000000000000000
JWT_KACLS_URL=https://csesrv.customer.com
TAKEOUT_CLAIM=cse_takeout
ACM_URL=https://api.virtru.com/acm/api
ACCOUNTS_URL=https://api.virtru.com/accounts/api
#CKS_URL=
PORT=9000
USE_SSL=true
USE_CKS=false
#SECRET_KEY=0000000000000000
SECRET_KEYS_PATH=/app/cse/secrets.json

Reference for Google IDP values:

https://support.google.com/a/answer/10743588?hl=en&ref_topic=10742486

Virtru Private Keystore (for Google Workspace CSE) Values Chart

Environment Variable	Description	Example
HMAC_TOKEN_ID	The HMAC token credentials used to access Virtru SaaS <Provided by Virtru>	0000000000000000000000000@tokens.virtru.com
HMAC_TOKEN_SECRET		0000000000000000000000000
CKS_HMAC_TOKEN_ID	The HMAC token credentials used to access the CKS “Values found in the customer CKS server and in the send_to_virtru.tar.gz file” (Only if using CKS option)	0000000000000000000000000@tokens.virtru.com
CKS_HMAC_TOKEN_SECRET		0000000000000000000000000
JWKS_AUTHN_ISSUERS	A base-64 encoded map of accepted Authentication issuer ids (from the authentication JWT) to the URL where the issuer publishes its JSON Web Keyset. This is dictated by the customer via their IDP, but in the example provided it is Google OAuth.	Running the command below will give you the base 64 encoded value needed for the cse.env Example for Google IDP: echo '{ "https://accounts.google.com": "https://www.googleapis.com/oauth2/v3/certs" }' \| base64
JWKS_AUTHZ_ISSUERS	A base-64 encoded map of accepted Authorization issuer ids (from the authorization JWT) to the URL where the issuer publishes its JSON Web Keyset. This is dictated by Google.	Running the command below will give you the base 64 encoded value needed for the cse.env echo '{ "gsuitecse-tokenissuer-drive@system.gserviceaccount.com": "https://www.googleapis.com/service_accounts/v1/jwk/gsuitecse-tokenissuer-drive@system.gserviceaccount.com","gsuitecse-tokenissuer-meet@system.gserviceaccount.com": "https://www.googleapis.com/service_accounts/v1/jwk/gsuitecse-tokenissuer-meet@system.gserviceaccount.com","gsuitecse-tokenissuer-calendar@system.gserviceaccount.com": "https://www.googleapis.com/service_accounts/v1/jwk/gsuitecse-tokenissuer-calendar@system.gserviceaccount.com" }' \| base64
JWT_AUD	Base-64 encoded JSON map of JWT audiences for authorization and authentication. These are used to ensure that we don’t accept JWTs written by authn or authz issuers for other services. The authz audience, which is sent by Google, will always be cse-authorization , but the authn audience will be configured through the customer’s IDP. For Google OAuth, the authn audience is the OAuth client ID string.	Running the command below will give you the base 64 encoded value needed for the cse.env Example for Google IDP: echo '{ "authn": "000000000000000000000000000000000.apps.googleusercontent.com", "authz":"cse-authorization" }' \| base64
JWT_KACLS_URL	The URL where the CSE service is hosted which is configured by the customer. This field allows detection of potential man-in-the-middle servers configured by insiders or rogue domain admins.	https://cse.the-customer-domain.com/
TAKEOUT_CLAIM	The JWT claim used to signify if a user has permission to submit a takeout unwrap claim. This will be configured on the authentication token from the customer’s identity provider.	cse_takeout
ACM_URL	The Virtru ACM URL	https://api.virtru.com/acm/api
ACCOUNTS_URL	The Virtru Accounts URL	https://api.virtru.com/accounts/api
CKS_URL	The CKS URL. Should be wherever the customer’s CKS is accessible from.	https://cks.the-customer-domain.com
PORT	The port to run the CSE server on	9000
USE_SSL	Whether the application should use SSL. Set to false to run over HTTP and true to use HTTPS.	true
SECRET_KEY	If NOT using CKS (only available on v3.0.0 and later) (DO NOT LOSE THIS KEY) Generate a secret key and store it locally on your server: `echo "my-key-name:$(openssl rand 32 \| base64)" 2>&1 \| tee cseSecret.txt`	`my-key-name:00000000000000000000000000000000`
HTTPS_PROXY= HTTP_PROXY=	If using an internal web proxy enter proxy IP or FQDN and listening port for these values to have the container connect via proxy.	https://myproxy-server.com:443 http://myproxy-server.com:80
SECRET_KEYS_PATH	Path to secrets.json file where secret key(s) are held in the CSE container. Required key format in secrets.json file: {"active":"secret-key","secrets":[{"name":"secret-key","value":"00000000000000000000000000000000"}]}	/app/cse/secrets.json

Required ENV variables for Virtru Private Keystore (for Google Workspace CSE) configuration

Values to fill out if using CKS (refer to the chart at the end for the values needed for the cse.env)

Values to fill out if not using CKS

Reference for Google IDP values:

Virtru Private Keystore (for Google Workspace CSE) Values Chart

Related articles