Fortanix Data Security Manager Installation from Azure Marketplace

1.0 Introduction

This article describes the steps required to install Fortanix Data Security Manager (DSM) from Microsoft Azure Marketplace.

2.0 Security Updates

From time to time, security updates will need to be applied by the cloud provider to the platform running your Fortanix DSM virtual machines. Azure will notify you through email of “Action required for your Azure Confidential Computing workload” or similar. Generally, they will inform you of a time frame in which you must reboot each of your VMs. At the end of the time period, VMs that have not yet been rebooted will be forcibly rebooted by the system. To ensure the continued availability of your service and stored data, Fortanix urges you to do a rolling reboot of all the VMs during the reboot opt-in period.

NOTE

To avoid loss of cluster, VMs should be rebooted in a rolling manner, that is, only one VM should be rebooted at a time. The next VM should be rebooted only after the previously rebooted VM is fully functional as part of the Fortanix DSM cluster.

3.0 Maintenance

During any type of VM maintenance, if the VMs are being rebooted or replaced, then only one VM should be rebooted or replaced at a time. The next VM should be rebooted or replaced only after the previously rebooted/replaced VM is fully functional as part of the Fortanix DSM cluster.
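
The rolling reboot required in sections 2.0 and 3.0 can be scripted so that the next VM is never touched until the previous one has recovered. This is an added example, not Fortanix tooling; DSM_HEALTH_CMD, the host names and the retry settings are assumptions that you replace with your own health probe and addresses.

```shell
#!/bin/sh
# Rolling reboot with a health gate: one VM at a time, stop on first failure.
# ASSUMPTIONS (hypothetical, not Fortanix tooling): DSM_HEALTH_CMD is a command
# you supply that exits 0 only when the node is a fully functional cluster
# member; the VMs are reachable over SSH from where this runs.

: "${HEALTH_RETRIES:=60}"    # probes per node before giving up
: "${HEALTH_INTERVAL:=30}"   # seconds between probes

reboot_node() {
    # ssh usually exits non-zero when the reboot drops the connection.
    ssh -o ConnectTimeout=10 "$1" sudo reboot || true
}

node_healthy() {
    # Fail closed: with no probe configured, no node counts as healthy.
    [ -n "${DSM_HEALTH_CMD:-}" ] || { echo "DSM_HEALTH_CMD is not set" >&2; return 1; }
    ssh -o ConnectTimeout=10 "$1" "$DSM_HEALTH_CMD" >/dev/null 2>&1
}

wait_healthy() {
    tries=0
    while [ "$tries" -lt "$HEALTH_RETRIES" ]; do
        # Sleep first so a node that has not gone down yet is not
        # mistaken for one that has already come back.
        sleep "$HEALTH_INTERVAL"
        node_healthy "$1" && return 0
        tries=$((tries + 1))
    done
    return 1
}

rolling_reboot() {
    # Pre-flight: never start a rolling reboot on a degraded cluster.
    for node in "$@"; do
        node_healthy "$node" || { echo "abort: $node unhealthy before start" >&2; return 2; }
    done
    for node in "$@"; do
        echo "rebooting $node"
        reboot_node "$node"
        wait_healthy "$node" || { echo "abort: $node did not recover; remaining VMs left untouched" >&2; return 4; }
    done
    echo "all nodes rebooted"
}

# Usage (constructed host names):
#   DSM_HEALTH_CMD='<your probe>' rolling_reboot vm1 vm2 vm3
```

A non-zero return means the script stopped early; investigate the named VM before rebooting any other.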

4.0 Prerequisites

To install Fortanix DSM, the following requirements have to be met:

  1. A valid account in Microsoft Azure

  2. It is recommended to create a minimum 3-node cluster

NOTE

Ensure your Azure account has the necessary permissions to create the required number of Confidential Computing VMs for SGX (DC4s_v3 or DC8_v2 type) and General Compute VMs for non-SGX (D8ds_v4 type) in the target region. Contact Azure support for an increase in the limit if required.

5.0 List of Required Open Ports

For port requirements, refer to the article fortanix-data-security-manager-port-requirements 

6.0 Fortanix Data Security Manager Deployment from Azure Marketplace

A system administrator should follow the steps described in the following sections to deploy the Fortanix DSM software from Microsoft Azure Marketplace and install it on a Microsoft Azure Virtual Machine (VM). A VM can fail due to various reasons, such as connectivity issues, system failures, and so on. Since we are going to host Fortanix DSM on a VM, we have to ensure that the service is available and running even during these failures. To handle this, we use multiple VMs so that the cluster is highly available for the Fortanix DSM applications running on these VMs and the user does not face any issues in scenarios when a VM downtime occurs (planned or unplanned).

WARNING

After Fortanix DSM is configured and set up, do not shut down all of your VMs. If all VMs are shut down and then powered on later, it may require resetting the Fortanix DSM cluster and reconfiguring if the VMs happen to start with a different physical CPU.

NOTE

Azure confidential computing supports up to three availability zones based on what the chosen Region supports. Deploying VMs across different availability zones enhances fault tolerance and ensures higher availability in the event of a failure in one zone.

6.1 Creating a Virtual Machine from Azure Marketplace

  1. Go to Azure Marketplace and visit the Fortanix DSM page in the following URL: https://azuremarketplace.microsoft.com/en-us/marketplace/apps/fortanix.fortanix-sdkms-sgx  

    Figure 1: Fortanix DSM Listing on Azure Marketplace

  2. Click the GET IT NOW button on the left to enter the Azure portal and create the app in Azure.  

    Figure 2: Enter the Azure Portal

  3. In the Create this app in Azure pop-up window, click Continue to agree to the Microsoft Standard Contract terms of use.  

    Figure 3: Agree to Microsoft Contract Terms

    This will take you to the Fortanix DSM page to complete the process.

  4. In the Fortanix DSM page, click Create.  

    Figure 4: Create a resource group in Azure

  5. In the form under Project details section, for the Region field:

    1. For SGX - Select either East US, West US2, UK South, West Europe, or Southeast Asia region (more regions will be added as Azure adds Confidential Computing support to more regions).

    2. For Non-SGX - Select any region supporting VM sizes: D8ds_v4.

    NOTE

    Fortanix DSM service is currently available in the above regions.

    Figure 5: Select Region

  6. Enter Cluster Name, Cluster Size (the default cluster size is 3), Username, Authentication type, and VM Size.

  7. For SGX, select the required SGX DSM Version and the DSM Plan as sgx-plan.  

    Figure 6: SGX plan

    NOTE

    The user must allocate a minimum of 512GB of disk space while launching the marketplace image on the Fortanix DSM.

  8. For non-SGX, select the required non-SGX DSM Version and the DSM Plan as non-sgx-plan.  

    Figure 7: Non-SGX plan

  9. Click Review + create to create the VM.

  10. A deployment verification will start and will validate the inputs provided.  

    Figure 9: Deployment Started

  11. Click the “Create” button to start the SDKMS deployment.  

    Figure 10: Deployment Progress

    Wait for the deployment process to finish. Based on the size of the cluster it can take around 30 minutes for this process to complete.

  12. Gather information regarding the Load balancer IP and the VM IP for the next steps. After the deployment completes, go to the resource group that was used to create the Fortanix DSM cluster.

    • Go to the “<cluster-name>-lbPublicIP” resource to get the Load Balancer IP.  

      Figure 11: Load balancer IP

    • Go to “<cluster-name>-vm<number>” resource and click the Connect option in the left panel to get the VM IP address.  

      Figure 12: VM IP

6.2 Creating and Configuring a Cluster for Fortanix Data Security Manager

NOTE

  • Add additional admin users to make sure you are not locked out if the public key is lost.

  • Disable public SSH access for each VM after configuration is complete.

  1. Log in to all three VMs and reboot them.

    #Log in
    ssh user@ip
    #Reboot
    sudo reboot
  2. Run the following command to reset the cluster on all three VMs.

    sudo sdkms-cluster reset --delete-data --reset-iptables
  3. Reboot the node to apply the changes.

  4. Copy config.yaml file to the current directory on the master VM sdkms-server-vm1.

    cp /opt/fortanix/sdkms/config/config.yaml.example config.yaml
  5. Modify config.yaml as below on the master VM <cluster-name>-vm1. Set the externalLoadBalancer value to true.

    global:
     externalLoadBalancer: true
    sdkms:
     clusterIp: 
    keepalived:
     nwIface: eth0

    For online DCAP attestation support on Azure DCsv3, edit the config.yaml file on the master VM <cluster-name>-vm1 as below:

    global:
      rebootEnabled: true
      attestation:
        dcap: online
      externalLoadBalancer: true
      allowedSgxTypes:
        - standard
        - scalable
    sdkms:
      clusterIp: 10.197.65.253
      dcapProviderConfig:
        pcs: Azure
        azure:
          api_version: 3
    keepalived:
      nwIface: eno1
    
  6. Run the command below to create the cluster on sdkms-server-vm1.

    sudo sdkms-cluster create --self=<server ip address/subnet mask> --config config.yaml

    Figure 13: Create Cluster on Master VM

    In the above snapshot, 10.0.1.5 is the private IP of sdkms-server-vm1.

  7. If the creation of a cluster is successful, then you will see a command to make/configure the other nodes/servers (other VMs).  

    Figure 14: Join Nodes

  8. Verify if the sdkms-server-vm1 pod is running using the get pods command.  

    Figure 15: Get Pods

    NOTE

    After the cluster is created, wait for ten minutes before proceeding with the following steps.

  9. Run the cluster join commands on sdkms-server-vm2 and vm3. Make sure that the join command on one server runs only after the join on the previous server has completed.

    sdkms-cluster join --peer=10.0.1.5/24 --token=c34608.771dd4c4dace2721
  10. If the joining of the node is successful, then you would see the sdkms-server-vm2 and vm3 in the pod view.  

    Figure 16: VM3 Join Successful

    From the snapshot above, the pods are crashing, and this is due to certificates not being installed.

6.3 Create, Install Certificates and Access the Cluster from Browser

Fortanix DSM requires two SSL certificates for its services: one for the Main API service and another for the Static asset service. We support Certificate Signing Request (CSR) generation for both of these certificates, which can be signed by your preferred CA provider.

  1. Generate a CSR to get an SSL certificate. The CSR contains information (for example: common name, organization, country) which the Certificate Authority (CA) will use to create your certificate. Run the following command to generate the CSR in PEM format on the node where the cluster was created (sdkms-server-vm1). Save the CSR to sdkms.csr.

    sudo get_csrs

    The tool supports 2 ways of generating each CSR:

    1. A simple way (option 1): where the domain name and SANs can be provided. For example: "fortanix.com".

    2. Distinguished (option 2): where the full DN string can be provided. For example: CN=www.fortanix.com O=Fortanix L=Mountain View ST=California

    There is also an option to add Subject Alternative Names. More than one can be added, each one on a new line.

    The script then prompts you to enter the following:

    1. The domain name for the cluster (Main)

    2. The domain name for the UI (Assets)

    3. Cluster name

    4. Sysadmin email address

    5. Sysadmin password

    Figure 17: Generate Certificate

    Two CSRs are generated for Main and Assets as shown in the figure below:

    Figure 18: CSRs Generated

    NOTE

    For the purpose of this demo the “domain name” has been defined as “http://azure-sdkms.com” for both the Main and Assets sections. You could also use a different domain name if required. This would create a certificate request for both the CSRs. You will need to have both CSRs signed by a CA or sign them locally yourself.

  2. If you want to self-sign the CSRs, run the commands below to sign sdkms.csr and generate sdkms.crt.

    # Extract the tarball
    tar zxvf test_ca.tgz
    # Go to the extracted folder
    cd test_ca
    ./setup
    ./sign sdkms.csr sdkms.crt

    The URL to download test_ca.tgz is:
    https://sdkms-release.s3-us-west-1.amazonaws.com/test_ca.tgz
    Then use the signed certificate when running install_certs.

  3. Install the certificate by running the following command and add this certificate for both Main and Assets.

    sudo install_certs

    Figure 19: Install Certs in Main

    Figure 20: Install Certs in Assets

  4. You should now see a message “deployment of sdkms successfully rolled out” for the certificate installation status.  

    Figure 21: Install Certs Successful

  5. With the successful installation of certificates, none of your pods will crash.

    NOTE

    If the domain name “azure-sdkms.com” is registered, there is an additional procedure that you need to follow in Azure. Since this domain is not registered and the certificates are not digitally signed by CA, we will bypass this task.

  6. Modify /etc/hosts on the machine where you would access the browser and map the IP address of the Azure load balancer with the domain name “azure-sdkms.com”.

    • On Linux based machines, you can do this by adding an entry in the file /etc/hosts.

    • On Windows machines, you can do this by adding an entry in the file c:\Windows\System32\Drivers\etc\hosts

    To get the IP Address of the Azure load balancer, see the screenshot below.

    Figure 22: IP Address of the Azure Load Balancer

  7. If you are using a self-signed certificate in your setup, then you will need to install the root CA that was used to sign the Fortanix DSM CSR into your browser's trusted CA store.
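
Before running install_certs in step 3, it is worth confirming that each signed certificate carries the public key of the CSR produced by get_csrs, chains to the CA you used, and covers the domain you entered. This is an added example using standard openssl commands, not part of the Fortanix tooling; the function name, return codes and file arguments are assumptions.

```shell
#!/bin/sh
# Pre-install checks for a signed certificate (added example).
# Run once for the Main certificate and once for the Assets certificate.
#
# check_signed_cert CSR CERT CA_BUNDLE DOMAIN
#   returns 0 when all checks pass, otherwise:
#   10 = unreadable input, 11 = key mismatch, 12 = bad chain, 13 = wrong name
check_signed_cert() {
    csr=$1 crt=$2 ca=$3 domain=$4

    # 1. The certificate must carry the same public key as the CSR. If it
    #    does not, the cluster holds no private key for it.
    csr_key=$(openssl req  -in "$csr" -noout -pubkey) || return 10
    crt_key=$(openssl x509 -in "$crt" -noout -pubkey) || return 10
    if [ "$csr_key" != "$crt_key" ]; then
        echo "public key in $crt does not match $csr" >&2
        return 11
    fi

    # 2. The certificate must chain to the CA you intended to use
    #    (your CA provider's bundle, or the local test CA if self-signing).
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "$crt does not verify against $ca" >&2
        return 12
    fi

    # 3. The certificate must be valid for the domain clients will use.
    #    -checkhost only prints its verdict, so match on the output.
    if ! openssl x509 -in "$crt" -noout -checkhost "$domain" \
            | grep -q "does match certificate"; then
        echo "$crt is not valid for $domain" >&2
        return 13
    fi
    return 0
}

# Usage (ca.crt is a placeholder for your CA certificate file):
#   check_signed_cert sdkms.csr sdkms.crt ca.crt azure-sdkms.com
```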

6.4 Testing the Fortanix Data Security Manager Installation on Azure

  1. In your browser, open the URL https://<load balancer IP> or the DNS name associated with the IP. You will now see the Fortanix DSM login page as shown below.

    Figure 23: Fortanix Login Page

6.5 Configure Data Center Labeling

After all nodes have successfully joined the cluster, you must perform data center labeling. In a multi-site deployment, data center labeling configuration helps achieve better read resiliency by allowing requests to read data from the local data center and supports the Read-Only mode of operation when a global quorum is lost and a local quorum is available. Please refer to the Fortanix DSM Data Center Labeling guide (use the automated script to configure DC labeling).

For more details, refer to Fortanix DSM Read-Only Mode of Operation.