Fortanix DSM with SAP


1.0 Introduction

This article describes the integration methods for Fortanix Data Security Manager (DSM) with SAP Data Custodian for key management, key generation, and cryptographic operations. It covers two scenarios:

  • Generating a key in Fortanix DSM and importing it into SAP Data Custodian (Bring Your Own Key, BYOK).

  • Generating a key in Fortanix DSM and keeping it there, so that SAP Data Custodian uses the key from DSM without ever receiving a copy (Hold Your Own Key, HYOK).

1.1 Fortanix DSM with SAP Data Custodian

Using Fortanix BYOK with Data Custodian, enterprises can securely import cryptographic keys from Fortanix DSM into the SAP Data Custodian Key Management Service. This gives Data Custodian customers control over their keys, ensures a key is used only for its authorized purposes, and protects the data on the platform.

While most encryption needs can be met securely with the BYOK approach, some customers have use cases in which key material must never be shared or transmitted outside their security perimeter. Protection for such content must stay strictly within the customer's own environment, with tightly limited access. With the Hold Your Own Key (HYOK) approach, customers generate, manage, and store encryption keys in their own environment, and cryptographic key management is provided through Fortanix DSM. SAP Data Custodian customers can store and protect Key Encryption Keys (KEKs) in the cloud or on-premises with Fortanix DSM.

2.0 BYOK to SAP Data Custodian

Fortanix provides organizations with the ability to generate cryptographic keys in DSM and retain control of those keys while making them available, as required, for use in SAP Data Custodian.


Figure 1: SAP Data Custodian BYOK with Fortanix DSM

Using BYOK with Fortanix DSM, SAP Data Custodian safeguards its customers' public cloud workloads and other SAP applications, such as SAP S/4HANA, with keys generated in Fortanix DSM. The Fortanix DSM Data Custodian Bring Your Own Key (BYOK) Plugin implements this integration and imports your DSM keys into SAP Data Custodian.

To BYOK into SAP Data Custodian:

  1. Create a group in SAP Data Custodian to hold your imported Fortanix DSM key for BYOK. For more details, refer to the SAP - Create a Group for BYOK: Fortanix DSM.

  2. Create an Application Technical User (APP TU) for BYOK to connect your SAP applications to SAP Data Custodian. You must complete this step to generate the APP TU and the credential file needed to connect to your Fortanix DSM key store. For more details, refer to the SAP - Create an Application Technical User: Fortanix DSM.

  3. Create the APP TU credential. For more details, refer to the SAP - Generate an Application Technical User Credential: Fortanix DSM.

  4. Download the plugin from the Fortanix DSM plugin library, which also contains all the implementation details.

  5. The plugin is used to:

    • Import a Fortanix DSM key (AES or RSA) into Data Custodian

    • Rotate a key in Fortanix DSM and import the new key version of an existing key into Data Custodian

NOTE

  • The Fortanix DSM Data Custodian Bring Your Own Key (BYOK) Plugin is only available for Fortanix Data Security Manager (Fortanix DSM) applications running on Version 4.2.1528 or higher.

  • The SAP Data Custodian BYOK plugin also supports importing Fortanix DSM keys (AES and RSA) into Data Custodian groups, and rotating such keys when they have already been imported into AWS key store providers.

3.0 HYOK to SAP Data Custodian

To manage SAP Data Custodian customers’ most sensitive data within their own security perimeter, Fortanix DSM offers the option of HYOK. In this scenario, cryptographic key management is provided through Fortanix DSM.


Figure 2: SAP Data Custodian HYOK with Fortanix DSM

SAP Data Custodian restricts HYOK configuration activities to the Key Administrator user role to maintain system integrity. SAP Data Custodian customers must also ensure that their Fortanix key store is enabled in the same region as the consuming SAP service and their SAP Data Custodian Key Management Service tenant. SAP Data Custodian authenticates to Fortanix DSM with JSON Web Tokens (JWT) and uses the Fortanix DSM REST APIs for key management operations. The master key that wraps and unwraps the data encryption key in SAP Data Custodian resides in Fortanix DSM, so the customer retains control of the key in their own key store.

To HYOK into SAP Data Custodian:

  1. Create a group in SAP Data Custodian to hold your registered Fortanix DSM keys for HYOK. If you are creating a key group for a Fortanix DSM on-premises key store, refer to the SAP - Create a Key Group for HYOK: Fortanix DSM.

  2. Generate a key in your external Fortanix DSM key store that will be used for HYOK scenarios.

    1. Create a Fortanix DSM account.

    2. Enable the Fortanix DSM key store.

    3. Create an RSA key that meets the following requirements:

      • Key Type: RSA

      • Key Size: 3072 or 4096 bits

      • Required Key Operations: Encrypt, Decrypt

      • Optional Key Operations: Sign, Verify, Wrap, Unwrap

      For more details on how to create a Fortanix DSM account and generate a key, refer to the Fortanix DSM Getting Started Guide.

  3. Register keys from your Fortanix DSM key store in SAP Data Custodian for HYOK. Tenants with Connect Service workflows will be required to register a Master Key. For more details, refer to the SAP - Data Custodian HYOK Scenarios.
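The following script is an added example, not code from Fortanix or SAP. It turns the HYOK key requirements above into a check you can run against a DSM security object before registering it in SAP Data Custodian, and shows how the matching key would be created over the DSM REST API. The requirement set (RSA, 3072 or 4096 bits, Encrypt and Decrypt required, Sign/Verify/Wrap/Unwrap optional) comes from this article; the endpoint paths and JSON field names (`/sys/v1/session/auth`, `/crypto/v1/keys`, `obj_type`, `key_size`, `key_ops`, `access_token`) are assumptions based on the public DSM API and should be confirmed against the API reference for your DSM version. The sample key objects are constructed for the example.

```python
"""Pre-flight check of a Fortanix DSM key for SAP Data Custodian HYOK, plus a
helper that creates such a key through the DSM REST API.

Added example; not Fortanix or SAP code. Endpoint paths and field names are
assumptions to be verified against your DSM version's API reference.
"""
import json
import urllib.request

# From the article: ENCRYPT/DECRYPT are required, the rest are optional.
REQUIRED_OPS = {"ENCRYPT", "DECRYPT"}
OPTIONAL_OPS = {"SIGN", "VERIFY", "WRAPKEY", "UNWRAPKEY"}
ALLOWED_SIZES = {3072, 4096}


def build_hyok_key_request(name, group_id, key_size=3072, optional_ops=()):
    """Build the JSON body for POST /crypto/v1/keys (assumed schema) that
    produces an RSA key satisfying the HYOK requirements."""
    if key_size not in ALLOWED_SIZES:
        raise ValueError(f"key_size must be one of {sorted(ALLOWED_SIZES)}")
    extra = set(optional_ops) - OPTIONAL_OPS
    if extra:
        raise ValueError(f"unsupported optional key ops: {sorted(extra)}")
    return {
        "name": name,
        "group_id": group_id,
        "obj_type": "RSA",
        "key_size": key_size,
        "key_ops": sorted(REQUIRED_OPS | set(optional_ops)),
    }


def check_hyok_key(key_obj):
    """Return a list of problems with a DSM security object (the JSON shape
    assumed to come back from GET /crypto/v1/keys/{kid}); an empty list means
    the key can be registered for HYOK."""
    problems = []
    if key_obj.get("obj_type") != "RSA":
        problems.append(f"obj_type is {key_obj.get('obj_type')!r}, expected 'RSA'")
    if key_obj.get("key_size") not in ALLOWED_SIZES:
        problems.append(f"key_size {key_obj.get('key_size')} not in {sorted(ALLOWED_SIZES)}")
    ops = set(key_obj.get("key_ops", []))
    missing = REQUIRED_OPS - ops
    if missing:
        problems.append(f"missing required key_ops: {sorted(missing)}")
    # Policy choice of this example (not stated by the article): any operation
    # beyond the listed optional ones, e.g. EXPORT, widens what the master key
    # can do and is flagged so that it can be reviewed before registration.
    unexpected = ops - REQUIRED_OPS - OPTIONAL_OPS
    if unexpected:
        problems.append(f"key_ops outside the HYOK set: {sorted(unexpected)}")
    if not key_obj.get("enabled", True):
        problems.append("key is disabled")
    return problems


def create_hyok_key(dsm_url, app_api_key, body):
    """Authenticate a DSM app with its API key, then create the key.
    Performs network calls; not exercised offline."""
    req = urllib.request.Request(
        dsm_url + "/sys/v1/session/auth", method="POST",
        headers={"Authorization": "Basic " + app_api_key})
    with urllib.request.urlopen(req) as resp:
        token = json.load(resp)["access_token"]
    req = urllib.request.Request(
        dsm_url + "/crypto/v1/keys", method="POST",
        data=json.dumps(body).encode(),
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample objects standing in for DSM key lookups.
GOOD_KEY = {"kid": "00000000-0000-4000-8000-000000000001",
            "name": "sapdc-hyok-master", "obj_type": "RSA", "key_size": 4096,
            "enabled": True, "key_ops": ["ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY"]}
BAD_KEY = {"kid": "00000000-0000-4000-8000-000000000002",
           "name": "legacy-rsa", "obj_type": "RSA", "key_size": 2048,
           "enabled": True, "key_ops": ["ENCRYPT", "EXPORT"]}

if __name__ == "__main__":
    body = build_hyok_key_request("sapdc-hyok-master", "<dsm-group-id>", 3072,
                                  ["WRAPKEY", "UNWRAPKEY"])
    print(json.dumps(body, indent=2))
    for key in (GOOD_KEY, BAD_KEY):
        print(key["name"], "->", check_hyok_key(key) or "OK for HYOK")
```

Run the check against the real object returned by DSM before registering the key in SAP Data Custodian; a key that fails on size or missing Decrypt will be rejected or silently unusable for unwrapping, and a key carrying extra operations is worth a second look before it becomes the master key for a tenant.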