1.0 Introduction
This article describes how to integrate Fortanix-Data-Security-Manager (DSM) with Delinea Secret Server to protect the encryption key using Fortanix DSM.
2.0 Prerequisites
Ensure the following:
The Fortanix CNG Client must be installed and configured.
The port 443 must be accessible from the SQL target machine to Fortanix DSM.
| Protocol | Inbound/Outbound | Port Number | Load balancer (Yes/No) | Purpose |
|---|---|---|---|---|
| TCP | Outbound | 443 | No | HTTPS – Used for calling REST API. Delinea server will access the cluster/SaaS URL on this port. Each individual node will also need this port open. |
3.0 Configure Fortanix DSM
A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:
3.1 Signing Up
To get started with the Fortanix Data Security Manager (DSM) cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.
For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.
3.2 Creating an Account
Access the <Your_DSM_Service_URL> on the web browser and enter your credentials to log in to the Fortanix DSM.
Figure 1: Logging In
3.3 Creating a Group
Perform the following steps to create a group in the Fortanix DSM:
Click the Groups menu item in the DSM left navigation panel and click the + button on the Groups page to add a new group.
Figure 2: Add Groups
On the Adding new group page, enter the following details:
Title: Enter a title for your group.
Description (optional): Enter a short description for the group.
Click the SAVE button to create the new group.
The new group has been added to the Fortanix DSM successfully.
3.4 Creating an Application
Perform the following steps to create an application (app) in the Fortanix DSM:
Click the Apps menu item in the DSM left navigation panel and click the + button on the Apps page to add a new app.
Figure 3: Add Application
On the Adding new app page, enter the following details:
App name: Enter the name of your application.
Interface (optional): Select the required option as interface type from the drop down menu.
ADD DESCRIPTION (optional): Enter a short description for the application.
Authentication method: Select the default API Key as the method of authentication from the drop down menu. For more information on these authentication methods, refer to User's Guide: Authentication documentation.
Assigning the new app to groups: Select the group created in Section 3.3: Creating a Group from the list.
Click the SAVE button to add the new application.
The new application has been added to the Fortanix DSM successfully.
3.5 Copying the API Key
Perform the following steps to copy the API key from the Fortanix DSM:
Click the Apps menu item in the DSM left navigation panel and click the app created in Section 3.4: Creating an Application to go to the detailed view of the app.
On the INFO tab, click the VIEW API KEY DETAILS button.
From the API Key Details dialog box, copy the API Key of the app to be used later in Section 4.2: Configuring CNG Client.
4.0 Fortanix CNG Provider
The Fortanix CNG Provider must be installed on every target machine. Refer to cng-ekm to download the CNG Provider.
FortanixKmsClient.msi installs the Fortanix CNG Provider, as well as an EKM provider and the PKCS#11 library. Next, configure the CNG client. The Fortanix CNG Provider communicates with Fortanix DSM for crypto operations.
4.1 Installing Fortanix CNG Client
Perform the following steps to complete the installation on your machine:
On the Fortanix KMS Client Setup dialog box, click the Next button.
Figure 4: Fortanix KMS Client Setup
Select the checkbox for I accept the terms in the License Agreement and click the Next Button.
Figure 5: Fortanix KMS Client Setup
Enter the location for installing the Fortanix KMS Client as C:\Program Files\Fortanix\KMS Client\.
Figure 6: Fortanix KMS Client Setup
Click the Install button to install the Fortanix KMS client.
Figure 7: Fortanix KMS Client Setup
After the installation is done, click the Finish button.
Figure 8: Fortanix KMS Client Setup
4.2 Configuring CNG Client
The Fortanix KMS Server URL and proxy information are configured in the Windows registry for the local machine or the current user.
Run the following command to navigate to the directory containing the FortanixKmsClientConfig.exe file:
cd "C:\Program Files\Fortanix\KmsClient\"
The machine key store uses the local machine configuration, and the user key store uses the current user configuration.
For example, run the following command to configure the Fortanix KMS Server URL for the local machine:
FortanixKmsClientConfig.exe machine --api-endpoint {KMS_URL}
Where, KMS_URL refers to the Fortanix DSM URL. On-premises customers use KMS URL and SaaS customers can use the URLs based on the region. DSM SaaS supports multiple regions, as listed here.
For example,
FortanixKmsClientConfig.exe machine --api-endpoint https://<fortanix_dsm_url>
Run the following command to configure the Fortanix KMS Server URL for the current user:
FortanixKmsClientConfig.exe user --api-endpoint {KMS_URL}
To configure proxy information, add --proxy http://proxy.com, or add --proxy none to unconfigure the proxy.
Run the following command to configure the API key copied in Section 3.5: Copying the API Key:
FortanixKmsClientConfig.exe machine --api-key <key>
Run the following command for user key store:
FortanixKmsClientConfig.exe user --api-key <key>
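The machine-store steps of this section as one PowerShell function, added here as an example and not taken from the Fortanix documentation. It checks the outbound TCP 443 prerequisite from Section 2.0 before writing any configuration and prompts for the API key instead of taking it as typed input on the command line. The function name, parameter names, and the expectation that FortanixKmsClientConfig.exe returns a non-zero exit code on failure are assumptions of this example.

```powershell
# Added example: applies the Section 4.2 machine-store settings in one pass.
# Run from an elevated PowerShell session on the machine hosting Secret Server.
function Set-FortanixCngMachineConfig {   # hypothetical name
    param(
        [Parameter(Mandatory)] [uri] $DsmUrl,   # e.g. https://<fortanix_dsm_url>
        [string] $Proxy                         # optional, e.g. http://proxy.com
    )

    # The page spells the install directory two ways; use whichever exists.
    $exe = @(
        'C:\Program Files\Fortanix\KmsClient\FortanixKmsClientConfig.exe',
        'C:\Program Files\Fortanix\KMS Client\FortanixKmsClientConfig.exe'
    ) | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    if (-not $exe) { throw 'FortanixKmsClientConfig.exe not found; install the client first.' }

    if ($DsmUrl.Scheme -ne 'https') { throw "DSM URL must be https: $DsmUrl" }

    # Section 2.0 prerequisite: outbound TCP 443 to DSM. Skipped when a proxy
    # is configured, because the proxy makes the outbound connection instead.
    if (-not $Proxy) {
        $probe = Test-NetConnection -ComputerName $DsmUrl.Host -Port $DsmUrl.Port `
                     -WarningAction SilentlyContinue
        if (-not $probe.TcpTestSucceeded) {
            throw "Cannot reach $($DsmUrl.Host) on TCP $($DsmUrl.Port)."
        }
    }

    # Assumption: the tool exits non-zero on failure. The message names only
    # the flag, never its value, so the API key cannot end up in an error log.
    $run = {
        param([string[]] $CliArgs)
        & $exe @CliArgs
        if ($LASTEXITCODE -ne 0) { throw "$($CliArgs[1]) failed with exit code $LASTEXITCODE." }
    }

    $endpointArgs = @('machine', '--api-endpoint', $DsmUrl.OriginalString)
    if ($Proxy) { $endpointArgs += @('--proxy', $Proxy) }
    & $run $endpointArgs

    # Prompt for the key so it is not typed into, and saved in, command history.
    $secure = Read-Host -Prompt 'API key from Section 3.5' -AsSecureString
    $apiKey = [System.Net.NetworkCredential]::new('', $secure).Password
    try     { & $run @('machine', '--api-key', $apiKey) }
    finally { $apiKey = $null }
}

# Usage: Set-FortanixCngMachineConfig -DsmUrl 'https://<fortanix_dsm_url>'
```

The key is still passed to FortanixKmsClientConfig.exe as a command-line argument, so hosts that record process command lines (for example Windows Security event 4688 with command-line auditing enabled) will capture it; restrict access to those logs accordingly.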
5.0 Enable Fortanix HSM
Perform the following steps:
Log in to Delinea Secret Server.
From the left pane menu, select Administration → Actions → Configuration → HSM. The Configuration page appears on the screen with the HSM tab selected by default.
Click the Enable HSM button and click the Next button.
Figure 9: Enable HSM Configuration
Under the HSM Providers section:
For Persistent Provider, select the Fortanix KMS CNG Provider option from the drop down menu.
Figure 10: Select Provider
Select the required Key size. For example, 2048.
Click the Next button.
The HSM provider is tested, and the results are displayed on the screen.
Check the HSM Provider Test Results. For example:
Figure 11: Test Results
Click the Next button.
A verification page appears on the screen.
Click the Save button to update the HSM configuration.
A confirmation page appears on the screen.
Click the Finish button.
Figure 12: Configured the Provider
The Fortanix KMS CNG Provider is now enabled, and the Secret Server encryption key is stored in it. The configuration details appear on the Secret Server HSM tab.