--- title: "Fortanix DSM with Imperva Cloud WAF" slug: "fortanix-data-security-manager-with-imperva-cloud-waf" updated: 2026-04-01T08:50:33Z published: 2026-03-19T07:17:55Z --- > ## Documentation Index > Fetch the complete documentation index at: https://support.fortanix.com/llms.txt > Use this file to discover all available pages before exploring further. # Fortanix DSM with Imperva Cloud WAF ## 1.0 Introduction This article describes how to integrate **Fortanix-Data-Security-Manager (DSM)** with **Imperva Cloud Web Application Firewall (WAF)** (formerly Incapsula) services. ## 2.0 Configure Fortanix DSM A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections: ### 2.1 Signing Up To get started with the Fortanix DSM cloud service, you must register an account at . For example, [https://amer.smartkey.io.](https://amer.smartkey.io.) On-premises customers use the KMS URL, and the SaaS customers can use the URLs as listed [*here*](https://support.fortanix.com/hc/en-us/articles/4406135346068-Fortanix-DSM-SaaS-Global-Availability-Map) based on the application region. *For more information on how to set up the Fortanix DSM, refer to the*[*User's Guide: Sign Up for Fortanix Data Security Manager SaaS*](https://support.fortanix.com/docs/users-guide-sign-up-for-fortanix-data-security-manager-saas)*.* ### 2.2 Creating an Account Access in a web browser and enter your credentials to log in to Fortanix DSM. ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DSM_SaaS_Login_page(15).png) **Figure 1: Logging in** *For more information on how to set up an account in Fortanix DSM, refer to the*[*User's Guide: Getting Started with Fortanix Data Security Manager - UI*](https://support.fortanix.com/docs/users-guide-getting-started-with-fortanix-data-security-manager-ui)*.* ### 2.3 Creating a Group Perform the following steps to create a group in the Fortanix DSM: 1. In the DSM left navigation panel, click the **Groups**menu item, and then click **ADD GROUP** to create a new group. ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Add-Group(2).png) **Figure 2: Add groups** 2. On the**Adding new group**page: 1. **Title**: Enter a name for your group. 2. **Description**(optional): Enter a short description of the group. 3. Click **SAVE**to create the new group. The new group is added to the Fortanix DSM successfully. ### 2.4 Creating an Application Perform the following steps to create an application (app) in the Fortanix DSM: 1. In the DSM left navigation panel, click the **Apps**menu item, and then click **ADD APP** to create a new app. ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Add-App(4).png) **Figure 3: Add application** 2. On the **Adding new app**page: 1. **App name**: Enter the name for your application. 2. **ADD DESCRIPTION**(optional): Enter a short description of the application. 3. **Authentication method**: Select the default **API Key**as the authentication method from the drop down menu. *For more information on these authentication methods, refer to the*[*User's Guide: Authentication*](https://support.fortanix.com/docs/users-guide-authentication)*.* 4. **Assigning the new app to groups**: Select the group created in [*Section 2.3: Creating a Group*](/v1/docs/fortanix-data-security-manager-with-imperva-cloud-waf#23-creating-a-group)**[](/v1/docs/using-data-security-manager-with-idcentral-key-management#43-creating-a-group)from the list. 3. Click **SAVE**to add the new application. The new application is added to the Fortanix DSM successfully. ### 2.5 Creating a Security Object Perform the following steps to import an RSA key in the Fortanix DSM: 1. In the DSM left navigation panel, click the **Security Objects**menu item, and then click **ADD SECURITY OBJECT** to create a new security object. ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Add-SO(1).png) **Figure 4: Adding security object** 2. On the **Add new Security Object**page: 1. **Security Object Name**: Enter a name for your security object. 2. **Group**: Select the group as created in [*Section 2.3: Creating a Group*](/v1/docs/fortanix-data-security-manager-with-imperva-cloud-waf#23-creating-a-group). 3. Select **IMPORT**. 4. In the **Choose a type** section, select the **RSA** key type. 5. In the **Place value here or import from file**section, select the value format type as **Hex**, **Base64**, or **Raw**and click **UPLOAD A FILE** to upload the key file. 6. In the **Key operations permitted**section, select the required operations to define the actions that can be performed with the cryptographic keys, such as encryption, decryption, signing, and verifying. For the Cloud WAF integration, Imperva recommends only selecting **Encrypt** and **Decrypt** permissions to limit functions specifically to what is needed by Imperva. > [!NOTE] > NOTE > > Key operations are selected at the time of importing a security object or during the creation of a new security object from Fortanix DSM. The key operations can be removed after the security object has been created but permissions cannot be added after security object creation. 3. Click **IMPORT**to create the new security object. 4. You must modify the **Padding Policy** to include **Raw (Decryption only)**. Click **SAVE**. ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/WAF_Padding_Policy(1).png) **Figure 5: Padding Policy** The new security object is added to the Fortanix DSM successfully. ## 3.0 Details of Fortanix DSM Used in Imperva Provide Imperva with the following from Fortanix DSM. ### 3.1 Identify the Data Security Manager Region(s) At Imperva, Fortanix regions are referred to as hostnames. These hostnames appear at the beginning of the Fortanix API subdomain URL and help determine the correct regional endpoint for API requests. For example, `api.amer.smartkey.io`, `api.eu.smartkey.io`, `api.uk.smartkey.io`, `api.apac.smartkey.io`, `api.au.smartkey.io`. Perform the following steps to copy the Google EKMS URI from the Fortanix DSM: 1. In the DSM left navigation panel, click the **Security Objects**menu item and then click the security object created in[*Section 2.5: Creating a Security Object*](/v1/docs/fortanix-data-security-manager-with-imperva-cloud-waf#25-creating-a-security-object)to go to the detailed view of the security object. 2. Click the **COPY ID** drop down menu and select **COPY GOOGLE EKMS URI** to copy the URI. ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/EKM_URI.png) **Figure 6: Copy URI** ### 3.2 Copying the API Key Perform the following steps to copy the API key from the Fortanix DSM: 1. In the DSM left navigation panel, click the **Apps**menu item, and then click the app created in [*Section 2.4: Creating an Application*](/v1/docs/fortanix-data-security-manager-with-imperva-cloud-waf#24-creating-an-application)**[](/v1/docs/using-data-security-manager-with-idcentral-key-management#44-creating-an-application)to go to the detailed view of the app. 2. On the **INFO**tab, click **VIEW API KEY DETAILS**. 3. From the **API Key Details** dialog box, copy the **API Key**of the app to use it later. ### 3.3 Copying the App UUID Perform the following steps to copy the app UUID from the Fortanix DSM: 1. In the DSM left navigation panel, click the **Apps**menu item, and then click the app created in [*Section 2.4: Creating an Application*](/v1/docs/fortanix-data-security-manager-with-imperva-cloud-waf#24-creating-an-application)**[](/v1/docs/using-data-security-manager-with-idcentral-key-management#44-creating-an-application)to go to the detailed view of the app. 2. From the top of the app’s page, click the copy icon ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1747062862398.png) next to the app **UUID**to copy it to use to generate the certificate. > [!NOTE] > NOTE > > Rotate Key is not supported today for Imperva Cloud WAF integration. ### 3.4 Summary Together with the custom certificate, you will need to provide the following information from Fortanix DSM user interface (UI) as explained above. | **host_name (Region)** | **key_id (Key UUID)** | **api_key** | **Object Name** | | --- | --- | --- | --- | | api.amer.smartkey.io | UUID1 | API1 | mycompany.com web certificate.US | | api.au.smartkey.io | UUID2 | API2 | mycompany.com web certificate.AUS | Use the following APIs to provision your HSM certificate on Imperva: 1. Action: Upload Certificate **URL**: `https://my.impervaservices.com/api/v2/sites/{extSiteId}/hsmCertificate/upload` **HTTP Method**: PUT **Headers**: **api_key**: **api_id**: **Parameters:** **Path Parameter**: `extSiteId`: This is a path parameter representing the external site ID for the Imperva site. **Query Parameters**: `certificate`: This is a query parameter and represents a certificate string, encoded in base64 format. For example, `LS0tLS1CRUdJTiBDRVJUSUZJQ0..`. **Body:**your Fortanix connection details. The schema should look like the following: ```bash {"hsm_data":[       {       "key_id":"123abcde-1234-1234-abcd-123456789abc",       "api_key":"MTAyYThmMz...",                     "host_name":"api.amer.smartkey.io"       }] } ``` **Remarks**: **Response**: If the certificate was uploaded successfully (and replaced the previous HSM custom certificate on the site, you should get the following response: ```plaintext Status Code: 200 Response Message: succeed to save the certificate. ``` The certificate is validated and connection to Fortanix service is done before the certificate is uploaded. - `key_id`: Your security object UUID on Fortanix. - `api_key`: Your API key on Fortanix. - `host_name`: The address of your assets on Fortanix. NOTE - it should start with API. You can find your host address under your security object section, by clicking **COPY URI**. 2. Action: Remove Certificate **URL**: `https://my.impervaservices.com/api/v2/sites/{extSiteId}/hsmCertificate/remove` **HTTP Method**: DELETE **Headers**: **api_key**: **api_id**: **Parameters:** **Path Parameter**: extSiteId- your Imperva Site ID. **Response**: If the certificate was removed successfully, you should get the following response: ```bash Status Code: 200 Response Message: OK. ``` 3. Action: Test Connectivity **URL**: `https://my.impervaservices.com/api/v2/sites/{extSiteId}/hsmCertificate/testConnectivity` **HTTP Method**: GET **Headers**: **api_key**: **api_id**: **Parameters:** **Path Parameter**: extSiteId- your Imperva Site ID. **Response**: If connection with HSM performed successfully, you should get the following response: ```bash Status Code: 200 Response Message: HSM connection established successfully. ``` ## 4.0 References *For more information on Imperva’s documentation, refer to*[*Uploading a Custom Certificate with HSM support*](https://docs.imperva.com/bundle/cloud-application-security/page/hsm-support.htm). Fortanix Data Security Manager (DSM) is the world’s first cloud service secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as other secrets such as passwords, API keys, tokens, or any blob of data. Your business-critical applications and containers can integrate with Fortanix DSM using legacy cryptographic interfaces (PKCS#11, CNG, and JCE) or using the native Fortanix DSM RESTful interface. ## Related - [Sign Up for Fortanix DSM SaaS](/users-guide-sign-up-for-fortanix-data-security-manager-saas.md) - [Key Lifecycle Management](/users-guide-fortanix-data-security-manager-key-lifecycle-management.md) - [Getting Started with Cloud Connection](/fortanix-key-insight-getting-started-with-cloud-connection.md)