1.0 Introduction
This article describes the configuration steps required on Fortanix Data Security Manager (DSM) and Sixscape's IDcentral Key Management platform to securely escrow S/MIME encryption key pairs using Sixscape Email Security Suite and the IDcentral Identity Registration platform.
2.0 Prerequisites
This integration requires the following:
Fortanix PKCS#11 client in the Windows server where the IDcentral Key Management is installed. You can download the latest version from here.
Fortanix application API Key to configure IDcentral Key Management Platform. Refer to Section 4.0: Configure Fortanix DSM for more details.
IDcentral Identity Registration Platform (IRP) installed in the enterprise network and configured with the required issuing CA connection and certificate profile to generate the S/MIME certificates.
IDcentral Key Management must be installed and configured with IDcentral IRP.
Sixscape's Email Security Suite Add-In must be installed on end-user devices.
3.0 Architecture Workflow
The following image illustrates the workflow:

Figure 1: DSM with IDcentral workflow
4.0 Configure Fortanix DSM
A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:
4.1 Signing Up
To get started with the Fortanix Data Security Manager (DSM) cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.
For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.
4.2 Creating an Account
Access the <Your_DSM_Service_URL> on the web browser and enter your credentials to log in to the Fortanix DSM.

Figure 2: Logging In
4.3 Creating a Group
Perform the following steps to create a group in the Fortanix DSM:
Click the Groups menu item in the DSM left navigation bar and click the + button on the Groups page to add a new group.
Figure 3: Add Groups
On the Adding new group page, enter the following details:
Title: Enter a title for your group.
Description (optional): Enter a short description for the group.
Click the SAVE button to create the new group.
The new group has been added to the Fortanix DSM successfully.
4.4 Creating an Application
Perform the following steps to create an application (app) in the Fortanix DSM:
Click the Apps menu item in the DSM left navigation bar and click the + button on the Apps page to add a new app.
Figure 4: Add Application
On the Adding new app page, enter the following details:
App name: Enter the name of your application.
Authentication method: Select the default API Key as the method of authentication from the drop-down menu. For more information on these authentication methods, refer to User's Guide: Authentication documentation.
Assigning the new app to groups: Select the group created in Section 4.3: Creating a Group from the list. The app can use every security object in the groups it is assigned to, so keep this group dedicated to the IDcentral integration rather than sharing it with other applications.
Click the SAVE button to add the new application.
The new application has been added to the Fortanix DSM successfully.
4.5 Copying the API Key
Perform the following steps to copy the API key from the Fortanix DSM:
Click the Apps menu item in the DSM left navigation bar and click the app created in Section 4.4: Creating an Application to go to the detailed view of the app.
On the INFO tab, click the VIEW API KEY DETAILS button.
From the API Key Details dialog box, copy the API Key of the app to be used later. Treat this value as a credential: it authenticates as the app with the app's group permissions, so store it in a secrets store rather than in plain text, and regenerate it from the same dialog if it is ever exposed.
5.0 Configure PKCS#11
Perform the following steps to configure PKCS#11 on your system:
Install the Fortanix PKCS#11 client in the Windows server where the IDcentral Key Management is installed.
Configure the Fortanix PKCS#11 client using the steps described in the Clients: PKCS#11 Library documentation.
6.0 Configure IDcentral Key Management
The following sections describe the steps required to integrate IDcentral Key Management with Fortanix DSM.
6.1 Configure Crypto Token
Perform the following steps to add the Fortanix DSM as a PKCS#11 cryptographic token in IDcentral Key Management:
Log in to the IDcentral Key Management Snap-In and navigate to Crypto Tokens to add a new token.
Figure 5: Add New Token
On the Add Token Configuration page, select the Key store type as HSM PKCS#11 Keystore and enter a name for the token configuration.
Click the file upload icon to browse to the Fortanix DSM PKCS#11 DLL file.
After the correct DLL file is selected, the available token slots are listed under the Token drop-down menu. Select the required token slot.
Enter the Token PIN. This value is the Fortanix DSM API Key created in Section 4.5: Copying the API Key.
Click the Save button to save the configuration.
Figure 6: Token Configuration
6.2 Create Encryption Key Manager
This section describes the steps to create and activate an Encryption Key Manager (EKM) after the crypto token is added to IDcentral Key Management. This process involves the creation of an asymmetric key pair and a certificate for the key manager in the Fortanix DSM. The end-user’s S/MIME encryption keys are securely wrapped and escrowed using the Key Manager’s keypair, which is securely protected inside the Fortanix DSM.
Perform the following steps to add a new Key Manager:
Log in to the IDcentral Key Management Snap-In and navigate to Key Managers → Add Key Manager.
Enter a name for the key manager in the Manager Name field.
Enter a subject distinguished name (DN) for the Key Manager in the General Information section.
NOTE
This configuration will be used later in the steps to generate the CSR for the Key Manager.
In the Private Key Specification section, select Encryption as the Intended Purpose of the Key Manager.
From the Key Algorithm drop-down menu, select the appropriate key algorithm. Because the Key Manager's public key is used to wrap the escrowed S/MIME encryption keys, the certificate issued for it must carry the Key Encipherment key usage, which requires an RSA key.
From the Key store type drop-down menu, select HSM PKCS#11 Keystore, and select the newly added Fortanix DSM Keystore in the Keystore field.
Click the Save button and provide the Keystore PIN which is the Fortanix DSM PKCS#11 PIN (API Key) to successfully create the Key Manager.
Figure 7: Add Key Manager
After the Key Manager is added successfully, click the Download CSR button to export the PEM CSR file for the newly created encryption Key Manager.
Figure 8: Download CSR
You should also be able to view the newly generated security object in the Security Objects table in the Fortanix DSM UI. The private key is created through the PKCS#11 library and never leaves the DSM; IDcentral only holds a reference to it.
Figure 9: DSM Security Key Object
6.3 Activate Encryption Key Manager
This section describes the steps to activate the encryption Key Manager by requesting a digital certificate from a CA and importing it into IDcentral Key Management, which associates it with the key pair held in Fortanix DSM. The issuance of the Key Manager certificate by the CA is out of the scope of this article. Refer to the respective CA documentation on how to request a digital certificate for a Key Escrow Manager from the CA.
NOTE
Ensure that the issued certificate has the Key Encipherment key usage enabled and that its public key matches the CSR downloaded in Section 6.2: Create Encryption Key Manager; IDcentral can only reassociate the certificate with the key pair in Fortanix DSM if the public keys match.
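The following PowerShell script is an added example and is not part of the Sixscape or Fortanix documentation. It checks a CA-issued Key Manager certificate before it is uploaded in IDcentral Key Management: that the Key Encipherment usage is present, that the key is RSA, that the certificate is currently valid, and that a trust chain can be built on this server. The certificate path is an assumption, and the chain check relies on the issuing CA already being trusted in the local machine store.

```powershell
# Added example (not Sixscape or Fortanix code): pre-upload checks for the
# encryption Key Manager certificate described in Section 6.3.
param(
    [string]$CertPath = 'C:\Temp\KeyManager.cer'   # assumed location of the issued certificate
)

Add-Type -AssemblyName System.Security

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
$problems = @()

# 1. Key Usage must include Key Encipherment: the Key Manager's public key
#    wraps the escrowed S/MIME encryption keys.
$kuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
    Select-Object -First 1
if (-not $kuExt) {
    $problems += 'no Key Usage extension present'
} elseif (-not $kuExt.KeyUsages.HasFlag([System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment)) {
    $problems += "Key Usage is '$($kuExt.KeyUsages)' and does not include KeyEncipherment"
}

# 2. Key Encipherment is defined for key-transport keys such as RSA (RFC 5280,
#    section 4.2.1.3); an EC key would carry Key Agreement instead.
if ($cert.PublicKey.Oid.FriendlyName -ne 'RSA') {
    $problems += "public key algorithm is '$($cert.PublicKey.Oid.FriendlyName)', not RSA"
}

# 3. The certificate must be inside its validity period now.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    $problems += "certificate is not currently valid ($($cert.NotBefore) to $($cert.NotAfter))"
}

# 4. Build a chain to confirm the issuing CA is trusted on this server.
#    Revocation checking is online; set RevocationMode to NoCheck on an
#    isolated network where the CRL/OCSP endpoints are unreachable.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    $problems += "chain validation failed: $status"
}

"Subject    : $($cert.Subject)"
"Issuer     : $($cert.Issuer)"
"Thumbprint : $($cert.Thumbprint)"

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
'Certificate is suitable for the encryption Key Manager; proceed with Upload Certificate.'
```

Run it on the IDcentral Key Management server as the account that will perform the upload, so the chain check uses the same trust store. A non-zero exit means the certificate should be re-issued with the correct profile before it is associated with the key pair in Fortanix DSM.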
After the certificate has been generated, log in to the IDcentral Key Management, navigate to Key Managers, select the key manager, and then click the View button.
Click the Upload Certificate button and select the certificate file to import the key manager certificate.
Figure 10: Import Key Manager Certificate
A prompt is displayed on the screen for the keystore PIN. Provide the Fortanix DSM PKCS#11 PIN (API Key) to authenticate and reassociate the certificate with the keypair of the key manager.
After the successful import of the certificate, the new encryption key manager will be activated and is ready to receive secure key escrow and key recovery requests from clients.
Figure 11: Encryption Key Manager Activated
NOTE
Ensure that the Key Management Service is restarted from "services.msc" for the changes to take effect. Additionally, ensure that the IDcentral registration service is synchronized with the newly created Key Manager configuration, so that enrollment requests are escrowed against the active Key Manager.
7.0 Certificate Enrolment using Email Security Suite
After the necessary backend configurations have been completed, end-user devices can be provisioned with Sixscape’s Email Security Suite (ESS). ESS is available for all major operating system platforms, enabling enterprise users to seamlessly request S/MIME certificates for secure, digitally signed, and encrypted email communication. ESS automates the complete lifecycle management of S/MIME digital certificates, including certificate requests, renewals, key storage, key escrow, and revocation.
This article focuses on ESS for Microsoft Outlook on the Windows platform. Note that the deployment of ESS to user’s devices is beyond the scope of this article. For technical assistance with deployment, contact your respective system administrator.
After the successful deployment of ESS to the user’s device, the ESS ribbon button is displayed in the Outlook Explorer ribbon, as shown in the following image:

Figure 12: ESS Ribbon
Perform the following steps:
Compose a new email to any recipient and click the Send button.
At this point the ESS Add-in checks whether you already hold a valid S/MIME certificate for digitally signing and encrypting email; if you do not, it prompts you to request a new S/MIME certificate.
Click the Request Certificate button.
Figure 13: Request Digital Certificate
In the next screen, authenticate using your enterprise authentication credentials, such as your Active Directory credentials.
Figure 14: Authentication Details
After the authentication is successful, ESS will automatically generate key pairs and a CSR as specified in the certificate profile, and the CSR will be submitted to IDcentral IRP to request the S/MIME certificate from the configured certifying authority.
After the certificate is received, ESS will reassociate the certificate with the key pair, publish the public certificate to the Global Address Book, securely escrow the encryption key and certificate using the Encryption Key Manager protected by Fortanix DSM, and finally install the certificate in the user certificate store as non-exportable.
After the entire certificate process is completed, click the Done button, and send the first signed email.
Figure 15: Certificate Installed
The escrowed user’s encryption keys can be located under the Key Archives section of IDcentral Key Management Service.
Figure 16: Encryption Keys
NOTE
Repeat these steps on each of the user's other devices and platforms. On those devices ESS does not generate a new key pair; it securely and automatically recovers the existing encryption key and certificate from the Escrow Key Manager protected by Fortanix DSM, so that mail encrypted to the user can be read from every device.
8.0 Manual Recovery by Administrator
Organizational policy or legal and compliance requirements may oblige an enterprise to retain the email communications of former employees for a defined period. Any encrypted data, including encrypted email, must therefore remain recoverable while still being protected from unauthorized access. Loss of the private key would make that data unrecoverable, so a secure escrow mechanism is needed to protect the email encryption keys and certificates; protecting the escrow keys in a hardware security module (HSM) strengthens this further.
Sixscape's IDcentral Key Management, integrated with Fortanix DSM, provides such an escrow mechanism: each user's email encryption private key is wrapped with the Escrow Key Manager's key and certificate, and the Key Manager's private key is held and protected inside Fortanix DSM.
This section outlines the steps for manually recovering the full key history of an end-user if the employee has left the organization.
Log in to IDcentral Key Management Administrator Snap-In and navigate to Key Archives.
Type the relevant email address in the Search Bar to look for the user’s key archive.
Select the user’s record to expand and view the key history.
Figure 18: Key History
Click the Recover icon in the header row to export the complete key history to a single PKCS#12 file.
NOTE
If only a single key pair needs to be exported, select the individual record from the expanded key history and click its corresponding Recover icon.
Enter the Fortanix DSM Keystore PIN (API Key) and click the OK button.
Figure 19: Keystore PIN
After the authentication is successful, the administrator will be prompted to set a passphrase for the exported PKCS#12.
Figure 20: Passphrase
The recovered key history is exported as a PKCS#12 file to the C:\Users\Public\SixEscrow\ClientPKCS12s directory. This file contains the user's private keys protected only by the passphrase chosen in the previous step, and the default location is readable by every local user, so restrict access to the directory to the recovery operators and remove the file once it has been handed over.
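The following PowerShell script is an added example and is not part of the Sixscape or Fortanix documentation. It inspects a PKCS#12 file produced by the manual recovery in Section 8.0 without importing anything into a certificate store, lists which certificates in the bundle actually carry a private key, and then removes the inherited permissive ACL from the export directory. The file name and the list of allowed principals are assumptions; the directory is the one named in the article.

```powershell
# Added example (not Sixscape or Fortanix code): inspect a recovered PKCS#12
# and lock down the export directory from Section 8.0.
param(
    [string]$ExportDir = 'C:\Users\Public\SixEscrow\ClientPKCS12s',
    [string]$PfxFile   = 'alice.example.com.p12',            # assumed file name
    [string[]]$AllowedPrincipals = @('BUILTIN\Administrators') # assumed recovery operators
)

$path = Join-Path $ExportDir $PfxFile
$password = Read-Host -Prompt 'PKCS#12 passphrase' -AsSecureString

# Get-PfxData (PKI module) opens the bundle in memory only.
$pfx = Get-PfxData -FilePath $path -Password $password

"Recovered key history in $path"
foreach ($c in $pfx.EndEntityCertificates) {
    [pscustomobject]@{
        Email      = $c.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::EmailName, $false)
        Thumbprint = $c.Thumbprint
        NotBefore  = $c.NotBefore
        NotAfter   = $c.NotAfter
        HasPrivKey = $c.HasPrivateKey
    }
}

# Every escrowed certificate should come back with its private key;
# anything without one indicates an incomplete recovery.
$missing = @($pfx.EndEntityCertificates | Where-Object { -not $_.HasPrivateKey })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} certificate(s) in the bundle have no private key; recovery is incomplete" -f $missing.Count)
}

# C:\Users\Public is readable by all local users by default. Stop inheriting
# that ACL and grant access only to SYSTEM and the recovery operators.
$acl = Get-Acl -Path $ExportDir
$acl.SetAccessRuleProtection($true, $false)   # disable inheritance, drop inherited rules
foreach ($principal in @('NT AUTHORITY\SYSTEM') + $AllowedPrincipals) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($principal, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $ExportDir -AclObject $acl
"Access to $ExportDir is now limited to: $((@('NT AUTHORITY\SYSTEM') + $AllowedPrincipals) -join ', ')"
```

After the recovered bundle has been delivered to its intended recipient (for example, imported on a legal-hold mailbox), delete it from the export directory with Remove-Item; the escrowed copy remains protected by the Key Manager in Fortanix DSM and can be recovered again if needed.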