Fortanix Key Insight - Getting Started With On-Premises Connection


1.0 Introduction

This article helps you get started with the Fortanix Key Insight on-premises connection.

It also describes how to:

  • Sign up and log in to Fortanix Key Insight.

  • Configure the on-premises connection to scan keys and resources from both databases and the Fortanix DSM on-premises environment.

  • Manage the on-premises connections on Fortanix Key Insight.

  • Manage cryptographic policies for on-premises connections.

2.0 Terminology References

Refer to Fortanix Key Insight for On-Premises Concepts for the on-premises terminology.

3.0 Fortanix Key Insight - Log in and Create Account

Fortanix Key Insight is a solution on the Fortanix Armor platform, so you need to create an account on the platform if you do not already have one.

3.1 Sign Up and Log In to Fortanix Platform - New Users

If you are accessing Fortanix Key Insight for the first time, you need to sign up for Fortanix Armor to access Key Insight. For subsequent access, you can log in to Fortanix Armor directly.

For more information on how to sign up or log in and create an account for Key Insight, refer to Fortanix Armor – Getting Started.

3.2 Log In to Fortanix Armor Platform - Existing Users

You can directly log in to the Fortanix Armor platform to access Key Insight if you have already signed up and have an account.

For more information on how to log in and create an account on Fortanix Armor, refer to Fortanix Armor – Getting Started.

4.0 Fortanix Key Insight - Configure On-Premises Connections

After you access the Fortanix Key Insight solution through Fortanix Armor, you must configure the on-premises connection to scan your keys and resources.

For detailed information on the prerequisites, installation, and configuration of the on-premises connection, refer to Fortanix Key Insight - On-Premises Configuration for Scanning.

5.0 Fortanix Key Insight - Onboard an On-Premises Connection

After you create a Fortanix Armor account, you will be redirected to the Fortanix Armor Available Solutions page.

Figure 1: Access available solutions

Perform the following steps to onboard an on-premises connection:

  1. Click GO TO KEY INSIGHT.

  2. On the Let's Connect to Your Cloud, On-Premises or External Key Source Provider page, select the On-Premises Connections option.

  3. Click NEXT.

    Figure 2: Access On-Premises Connections

  4. On the Add On-Premises Scanner page,

    1. Enter the Scanner name.

    2. You must install the on-premises scanner package to manage your on-premises keys and resources. For more information, refer to Fortanix Key Insight - On-Premises Configuration for Scanning.

    3. Select the I have downloaded and installed the Scanner package check box to confirm the scanner installation.

    4. Click NEXT.

      Figure 3: Configure an on-premises connection

  5. The Fortanix Key Insight System Defined Policy is selected by default on the Key Insight Policy page. This policy is designed to facilitate the scanning of keys and services based on predefined key sizes and permitted operations, ensuring compliance with standard security configurations. If necessary, you can later select and apply any user-defined cryptographic policy created in the Policy Center, allowing you to meet specific requirements or use cases.

    For more information, refer to Section 7.0: Fortanix Key Insight - Manage Policy Center.

    Figure 4: Select Key Insight policy

  6. Click NEXT.

  7. On the Select External Key Source page, you can select to integrate Fortanix Key Insight with an external key source, such as Fortanix DSM (SaaS or On-Premises), to correlate keys and improve key management.

    You can select any of the following options:

    1. Yes, connect now: Selecting this option allows you to add the external key source for your on-premises connection to correlate keys using the ADD EXTERNAL KEY SOURCE feature. For more information, refer to Fortanix Key Insight - Getting Started With External Key Source Connection.

      After adding, you must select the new external key source to complete the onboarding.

      Figure 5: Add external key source

    2. No, I’ll connect later: Selecting this option allows you to onboard the on-premises connection without adding an external key source. You can add it later if needed.

      Figure 6: Proceed without an external key source

  8. Click ADD SCANNER & GENERATE API KEY to add the scanner and generate its API key. You will authenticate with Fortanix Key Insight using this API key.

  9. On the API Key Details dialog box, click COPY API KEY to copy the API key value. This value is used to authenticate the on-premises scanner to Fortanix Key Insight.

  10. The new on-premises connection will be added to the ON-PREMISES tab on the Connections page.

    The CONNECTION STATUS column displays one of the following statuses:

    1. Connected: The scanner package has been successfully added, and all keys and resources have been scanned without issues.

    2. Pending: The scanner package has been added, but resources are still pending. For on-premises connections in this state:

      • You must use the generated API key to connect with Fortanix Key Insight.

      • To begin scanning, you need to add the resources after establishing the connection.

    3. Disconnected: The scanner package is connected, but the session has been terminated. For on-premises connections that are disconnected, you will need to restart the scanner to re-establish the connection.

    NOTE

    The scanner polls the Fortanix Key Insight platform every 15 seconds to check for any new commands or scan results. The frequent polling ensures that the scanner is always up to date with the latest commands and can act on them promptly.

  11. You can navigate to the Fortanix Key Insight Overview page to access all the on-premises scanned keys and resources. For more information on the on-premises Overview page and its features, refer to Fortanix Key Insight - On-Premises User Interface Components.

    Figure 7: Access the on-premises connection overview

    NOTE

    • If your Fortanix Armor account is deactivated and you are accessing the Fortanix Key Insight On-Premises connection, you will not be able to view data under the Overview, Assessments, Keys, Resources, or PQC Central pages. You will only have access to view and delete items within the Connections, Policy Center, and Authentication pages.

    • After creating the on-premises connection, a group with the same name will be created on the Fortanix IAM Groups page. For more information, refer to Fortanix Armor Identity and Access Management-IAM.

    • If you added an external key source, such as Fortanix DSM (SaaS or On-Premises), during on-premises connection onboarding, the Overview page will display the following after the successful scan:

      • The total key counts in all sections will be updated to include correlated keys from the external key source.

      • The “Fortanix” key source field will display the correlated keys count.

6.0 Fortanix Key Insight - Manage On-Premises Connections

The Connections page allows you to manage the cloud, on-premises, and external key source connections added to Fortanix Key Insight.

NOTE

For on-premises connections, the left navigation panel shows Resources instead of Services.

The ON-PREMISES tab on the Connections page shows all the on-premises connections configured for the selected Fortanix Key Insight account.

Figure 8: Manage an on-premises connection

You can perform the following on the On-Premises Connections page:

  • You can copy the connection ID if required.

  • You can view the CONNECTION STATUS of the scanner. The values can be Connected, Pending, or Disconnected.

  • You can check the PERIODICAL POLL time. If you encounter any warnings, you must address them by following the appropriate troubleshooting steps. By default, the periodic poll interval is set to 15 seconds.

    NOTE

    The "polling interval" for an on-premises connection is the frequency at which Fortanix Key Insight checks for updates or status changes from connected resources. This interval ensures the connection remains active and retrieves any new data.

  • You can use the Search field to search for a specific on-premises connection by entering its Name.

  • You can add a new on-premises connection using ADD ON-PREMISES SCANNER. For more information on how to add a new on-premises connection, refer to Section 5.0: Fortanix Key Insight - Onboard an On-Premises Connection.

    NOTE

    When adding or editing an on-premises connection,

    • You can select any policies you have configured in the Policy Center instead of the default policy on the Key Insight Policy page. If you change the policy while adding or editing the connection, you must rescan the connection to apply the new policy.

    • You cannot map more than one Fortanix DSM (SaaS or On-Premises) connection to a single on-premises connection.

    • You cannot map the external key source to any on-premises connection unless it is properly configured and mapped to Fortanix DSM (SaaS or On-Premises).

  • You can click on each connection to navigate to its corresponding Overview page.

For each on-premises connection, you can perform the following:

  • View connection details

  • Edit connection

  • Delete connection

  • Rescan connection

NOTE

Only users with the Account Administrator and Group Administrator roles can perform add, edit, delete, and rescan operations for the on-premises scanner.

6.1 View the On-Premises Connection Details

Click the required on-premises connection on the ON-PREMISES tab to view its details.

Figure 9: View on-premises connection details

  • Click DOWNLOAD PACKAGE to download the package again if you changed your machine, or if your current package has errors or was not installed correctly.

  • Click Edit to edit the details of the connection. For more information, refer to Section 6.2: Edit the On-Premises Connection.

  • Click Delete to remove the on-premises connection. For more information, refer to Section 6.3: Delete the On-Premises Connection.

  • Scanner Details

    This section provides details about the scanner's connection status, hostname, number of resources, last scan, periodic polling interval, and the date and time it was created.

  • Access Type

    This section offers details about the API key, including the following:

    • Click SHOW API KEY to view the API key details. On the API Key Details dialog box, click COPY API KEY to copy the API key, if required.

    • Click REGENERATE API KEY to modify the current API key details if the existing API key is no longer suitable for the on-premises connection.

      On the Regenerate API Key dialog box, you can:

      • Set the API key expiration: Select the appropriate option to revoke the previous access immediately or after a specified duration.

      • Review and acknowledge the check boxes.

      • After updating the details, click UPDATE to apply the configured information.

      Figure 10: Regenerate an API key

    NOTE

    Only users with the Account Administrator and Group Administrator roles can view, copy, and regenerate an API key for the on-premises scanner.

  • Resources

    This section displays the resources associated with the current on-premises connection. For more information on resources, refer to Fortanix Key Insight - On-Premises User Interface Components. If no resources are listed, you can add them through the on-premises scanner configuration file configured in your environment.
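
The two Regenerate API Key expiration choices described under Access Type (revoke the previous access immediately, or after a specified duration) can be modeled as follows. This is an added example, not Fortanix code or the product's API: `ScannerKeyStore`, `regenerate`, `authenticate` and `simulate_polls` are hypothetical names, the timeline is constructed, and only the 15-second poll interval comes from this page. It shows at which polls a scanner that still holds the old key starts being rejected.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ScannerKeyStore:
    """Toy server-side view of one connection's API key (assumed model)."""
    current: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    previous: Optional[str] = None
    previous_expires_at: float = 0.0  # old key is rejected from this time on

    def regenerate(self, now: float, grace_seconds: float = 0.0) -> str:
        """Issue a new key; grace_seconds=0 models 'revoke immediately'."""
        if grace_seconds > 0:
            self.previous = self.current
            self.previous_expires_at = now + grace_seconds
        else:
            self.previous, self.previous_expires_at = None, 0.0
        self.current = secrets.token_urlsafe(32)
        return self.current

    def authenticate(self, presented: str, now: float) -> bool:
        """Accept the current key, or the previous one inside its grace window."""
        ok = hmac.compare_digest(presented.encode(), self.current.encode())
        if self.previous is not None and now < self.previous_expires_at:
            ok |= hmac.compare_digest(presented.encode(), self.previous.encode())
        return ok


def simulate_polls(store: ScannerKeyStore, key: str, start: int, end: int,
                   interval: int = 15) -> List[int]:
    """Poll times (seconds) at which a scanner presenting `key` is rejected."""
    return [t for t in range(start, end + 1, interval)
            if not store.authenticate(key, t)]


def demo():
    # Constructed timeline: regenerate at t=0 with a 60-second grace window.
    graceful = ScannerKeyStore()
    old = graceful.current
    new = graceful.regenerate(now=0, grace_seconds=60)
    stale = simulate_polls(graceful, old, 0, 90)   # scanner never updated
    fresh = simulate_polls(graceful, new, 0, 90)   # scanner updated at once

    # Same scanner, but the previous access is revoked immediately.
    strict = ScannerKeyStore()
    old2 = strict.current
    strict.regenerate(now=0)
    cut_off = simulate_polls(strict, old2, 0, 30)
    return stale, fresh, cut_off
```

With immediate revocation, the scanner's next poll fails unless the new key is already in place, so a delayed expiration gives time to update the scanner before the old key stops working.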

6.2 Edit the On-Premises Connection

Use this feature to update the name of the on-premises connection.

Perform the following steps to edit the on-premises connection:

  1. Click on the required on-premises connection.

  2. Select Edit.

  3. On the Edit On-Premises Scanner page, update the required details in each step, if required.

    NOTE

    When you change the policy on the Key Insight Policy page while updating the on-premises connection, you must rescan the connection to apply the new policy.

  4. Click SAVE to update the details.

6.3 Delete the On-Premises Connection

Use this feature to remove an on-premises connection and its associated information.

Perform the following steps to delete the on-premises connection:

  1. Click on the required on-premises connection.

  2. Select Delete.

  3. Read all the details and enter the scanner name in the text box.

  4. Click CONFIRM.

    WARNING

    Deleting the on-premises connection cannot be undone.

After deletion, the on-premises connection will no longer appear in the list on the ON-PREMISES Connections page.

6.4 Rescan the On-Premises Connection

Use this feature to retrieve the latest resources available for the on-premises scanner.

Perform the following steps to rescan an on-premises connection:

  1. Click on the required on-premises connection.

  2. Select Rescan.

  3. Click START SCANNING to restart the scan. If the scan is successful, it will update the LAST SCAN column with the latest scan date and time.

NOTE

The RESCAN option is available only when the on-premises connection status is 'Connected'.

7.0 Fortanix Key Insight - Manage Policy Center

Refer to the Manage Policy Center for information on managing policies for on-premises connections.