1.0 Introduction
This article describes how to use Fortanix Data Security Manager (DSM) to manage the cryptographic keys of Nexus Certificate Manager version 8.9.
This integration lets you create cryptographic keys directly from the Certificate Manager while the keys themselves are generated and held by Fortanix DSM, so that sensitive information and communications are protected with strong encryption, key administration is simplified, and strict security requirements are met.
This article contains the following information:
Setting up the Fortanix DSM.
Generating cryptographic keys directly within the Nexus Certificate Manager.
Configuring the Nexus Certificate Manager settings.
2.0 Prerequisites
Ensure you have the following:
Nexus Certificate Manager version 8.9 or later is installed and operational.
Fortanix DSM version 3.21 or later is installed on the system.
Access to the Fortanix DSM application. For more information, refer to Section 5.1: Signing Up and Section 5.2: Creating an Account.
3.0 Product Version Tested
This integration has been tested on the following versions:
Nexus Certificate Manager version 8.9
Fortanix DSM version 3.21
4.0 Architecture Workflow
5.0 Configure Fortanix DSM
A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:
5.1 Signing Up
To get started with the Fortanix Data Security Manager (DSM) cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.
For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.
5.2 Creating an Account
Access the <Your_DSM_Service_URL> on the web browser and enter your credentials to log in to the Fortanix DSM.

Figure 1: Logging In
5.3 Creating a Group
Perform the following steps to create a group in the Fortanix DSM:
Click the Groups menu item in the DSM left navigation panel and click the + button on the Groups page to add a new group.
Figure 2: Add Groups
On the Adding new group page, enter the following details:
Title: Enter a title for your group.
Description (optional): Enter a short description for the group.
Click the SAVE button to create the new group.
The new group has been added to the Fortanix DSM successfully.
5.4 Creating an Application
Perform the following steps to create an application (app) in the Fortanix DSM:
Click the Apps menu item in the DSM left navigation panel and click the + button on the Apps page to add a new app.
Figure 3: Add Application
On the Adding new app page, enter the following details:
App name: Enter the name of your application.
ADD DESCRIPTION (optional): Enter a short description for the application.
Authentication method: Select the default API Key as the method of authentication from the drop-down menu. For more information on these authentication methods, refer to the User's Guide: Authentication documentation.
Assigning the new app to groups: Select the group created in Section 5.3: Creating a Group from the list.
Click the SAVE button to add the new application.
The new application has been added to the Fortanix DSM successfully.
5.5 Copying the API Key and App UUID
Perform the following steps to copy the API key from the Fortanix DSM:
Click the Apps menu item in the DSM left navigation panel and click the app created in Section 5.4: Creating an Application to go to the detailed view of the app.
On the INFO tab, click the VIEW API KEY DETAILS button.
From the Credentials Details dialog box,
Click the API KEY tab, copy the API Key of the app to use it later as the PIN for the PKCS#11 interface.
Click the USERNAME/PASSWORD tab, copy the Username (app UUID) and Password of the app to use it later as the API ID.
Click the CLOSE button.
6.0 Install Fortanix Library
This section describes the steps to install the Fortanix library on the Nexus Certificate Manager server to facilitate the communication between the Nexus Certificate Manager and Fortanix DSM.
By installing this library, you can leverage Fortanix's advanced security features for key management within the Nexus Certificate Manager environment.
Perform the following steps:
Run the following command on the Nexus Certificate Manager server to download the Fortanix library:
curl -L https://download.fortanix.com/clients/4.24.2343/fortanix-pkcs11-4.24.2343-amd64.deb -o fortanix-pkcs11-4.24.2343-0.x86_64.deb
Run the following command to install the Fortanix library using the package manager:
sudo dpkg -i fortanix-pkcs11-4.24.2343-0.x86_64.deb
This command installs the fortanix_pkcs11.so file in the /opt/fortanix/pkcs11/ directory. Confirm that this file is present to verify that the library was installed. For more details, refer to the Clients: PKCS#11 Library documentation.
7.0 Configure Nexus Certificate Manager Application
This section describes the steps to create multiple configuration files that specify important parameters required for seamless communication between the Fortanix DSM and Nexus Certificate Manager applications.
By configuring the Nexus Certificate Manager application with the appropriate settings, you can ensure that Nexus Certificate Manager can authenticate and interact with Fortanix DSM securely.
Perform the following steps:
Create a fortanix.conf configuration file in the /opt/cm/server/config directory and add the following content to it:
api_key = <API_KEY>
api_endpoint = "<API_ENDPOINT>"
app_id = <APP_ID>
Where:
<API_KEY> refers to the API key of the Fortanix DSM app, as copied in Section 5.5: Copying the API Key and App UUID.
<APP_ID> refers to the Username (app UUID) of the Fortanix DSM app, as copied in Section 5.5: Copying the API Key and App UUID.
<API_ENDPOINT> refers to the API endpoint of your Fortanix DSM deployment. On-premises customers use their KMS URL; SaaS customers use the URL for the region of their application (for example, https://eu.smartkey.io, as in Section 5.1).
Save the configuration file.
Run the following command to create a cis.conf configuration file in the /opt/cm/server/config directory:
sudo touch /opt/cm/server/config/cis.conf
Run the following command to edit the cis.conf file:
sudo nano /opt/cm/server/config/cis.conf
Add the following parameters for the Fortanix DSM Rivest-Shamir-Adleman (RSA) algorithm to the cis.conf file:
cis.crypto.device.13.name = Fortanix DSM
cis.crypto.device.13.type = PKCS11
cis.crypto.device.13.library = /opt/fortanix/pkcs11/fortanix_pkcs11.so
cis.crypto.device.13.pin = file:///opt/cm/server/config/fortanix.conf
cis.crypto.device.13.algorithm = RSA
cis.crypto.device.13.keysize = 2048 3072 4096 8192
cis.crypto.device.13.hashInCis = false
cis.crypto.device.13.slotid = 0
NOTE
These parameters configure Nexus Certificate Manager to use Fortanix DSM for RSA keys.
Add the following parameters for the Fortanix DSM Elliptic Curve Digital Signature Algorithm (ECDSA) to the cis.conf file:
cis.crypto.device.14.name = Fortanix DSM (ECDSA)
cis.crypto.device.14.type = PKCS11
cis.crypto.device.14.library = /opt/fortanix/pkcs11/fortanix_pkcs11.so
cis.crypto.device.14.pin = file:///opt/cm/server/config/fortanix.conf
cis.crypto.device.14.algorithm = EC
cis.crypto.device.14.parameter = Ed25519, secp256r1
cis.crypto.device.14.hashInCis = false
cis.crypto.device.14.slotid = 0
NOTE
These parameters configure Nexus Certificate Manager to use Fortanix DSM for ECDSA keys.
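As an added check (not part of Nexus Certificate Manager or the Fortanix tooling), the following script parses the cis.conf device block and the fortanix.conf pin file described above and reports the defects that most often keep the PKCS#11 device from loading: missing device keys, a type other than PKCS11, RSA key sizes below 2048, a pin that is an inline value instead of a file reference, and a fortanix.conf that is group/world-readable or still holds placeholders. The sample cis.conf text is the RSA block from this section; the fortanix.conf it writes for itself contains constructed dummy values, and the set of checks is the editor's assumption, not a Nexus validation rule.

```python
import os, re, stat, tempfile
# Constructed sample: the RSA device block from cis.conf above.
SAMPLE_CIS = """\
cis.crypto.device.13.name = Fortanix DSM
cis.crypto.device.13.type = PKCS11
cis.crypto.device.13.library = /opt/fortanix/pkcs11/fortanix_pkcs11.so
cis.crypto.device.13.pin = file:///opt/cm/server/config/fortanix.conf
cis.crypto.device.13.algorithm = RSA
cis.crypto.device.13.keysize = 2048 3072 4096 8192
cis.crypto.device.13.slotid = 0
"""
REQUIRED = ("name", "type", "library", "pin", "algorithm", "slotid")
LINE = re.compile(r"\s*cis\.crypto\.device\.(\d+)\.(\w+)\s*=\s*(.*?)\s*$")

def parse_devices(text):  # group cis.crypto.device.<n>.<key> = value lines by index n
    devices = {}
    for m in filter(None, map(LINE.match, text.splitlines())):
        devices.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return devices

def check_device(dev):
    """Return findings (empty list = OK) for one PKCS#11 device entry."""
    findings = ["missing " + k for k in REQUIRED if k not in dev]
    if dev.get("type") != "PKCS11":
        findings.append("type must be PKCS11")
    sizes = [int(s) for s in dev.get("keysize", "").split() if s.isdigit()]
    if dev.get("algorithm") == "RSA" and (not sizes or min(sizes) < 2048):
        findings.append("RSA keysize missing or below 2048")
    if not dev.get("pin", "").startswith("file://"):
        findings.append("pin should reference a file, not an inline API key")
    return findings

def check_pin_file(path):
    """fortanix.conf holds the DSM API key: must exist, be owner-only, be filled in."""
    if not os.path.isfile(path):
        return ["pin file not found"]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = ["pin file mode %o is readable by group/others" % mode] if mode & 0o077 else []
    with open(path) as f:
        keys = dict(map(str.strip, l.split("=", 1)) for l in f if "=" in l)
    for k in ("api_key", "api_endpoint", "app_id"):
        if not keys.get(k, "").strip('"') or keys[k].startswith("<"):
            findings.append(k + " is not set in fortanix.conf")
    return findings

def make_sample_pin_file(mode=0o600):
    """Write a constructed fortanix.conf (dummy values) to a temp dir with the given mode."""
    path = os.path.join(tempfile.mkdtemp(), "fortanix.conf")
    open(path, "w").write('api_key = DUMMY_API_KEY\napi_endpoint = "https://eu.smartkey.io"\napp_id = DUMMY-APP-UUID\n')
    os.chmod(path, mode)
    return path
```

Because fortanix.conf carries the API key that the PKCS#11 library presents as its PIN, the owner-only permission check is the one to keep even if you adapt the rest.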
8.0 Restart Nexus Certificate Manager
After configuring the Nexus Certificate Manager application with the necessary settings for integrating the Fortanix DSM, it is essential to restart the Nexus Certificate Manager application to apply these changes effectively.
Perform the following steps:
Run the following command to restart the Nexus Certificate Manager application:
service cf restart
After restarting the Nexus Certificate Manager application, monitor the logs in real time to track the restart process and check for any errors or successful restart messages.
Run the following command to tail the logs:
tail -f /opt/cm/server/logs/cf/log-XXXXXX.log
Sample logs:
[2024/01/04:12:33:23.861] trace fine - 1-main Starting: Nexus CF - Certificate Factory
[2024/01/04:12:33:23.869] trace fine - 1-main Starting: figaro 7604ccf8db84d6277baf5bb5f1ef23b949a8ed36
[2024/01/04:12:33:23.870] trace fine - 1-main Home directory: /opt/cm/server
[2024/01/04:12:33:23.870] trace fine - 1-main Build id: CM_8_9_0-710018858ce5231f6784ec041c8e8bf1356555f9-20230706
[2024/01/04:12:33:23.870] trace fine - 1-main -------------------------------------------------------
[2024/01/04:12:33:23.870] trace fine - 1-main Operating System: Linux
[2024/01/04:12:33:23.870] trace fine - 1-main Machine Architecture: amd64
[2024/01/04:12:33:23.870] trace fine - 1-main Operating System Version: 5.15.0-1041-azure
[2024/01/04:12:33:23.870] trace fine - 1-main Java Version: 17.0.9
[2024/01/04:12:33:23.870] trace fine - 1-main Java Vendor: Private Build
[2024/01/04:12:33:23.871] trace fine - 1-main Vendor URL: Unknown
[2024/01/04:12:33:23.871] trace fine - 1-main Java Home: /usr/lib/jvm/java-17-openjdk-amd64
[2024/01/04:12:33:23.871] trace fine - 1-main Java Class Path: .:/opt/cm/server/lib/cm-s3client.jar:/opt/cm/server/lib/cm-common.jar:/opt/cm/server/lib/snmp4j-agent.jar:/opt/cm/server/lib/aws-sdk.jar:/opt/cm/server/lib/metrics-core.jar:/opt/cm/server/lib/mariadb-java-client.jar:/opt/cm/server/lib/cm-sdk.jar:/opt/cm/server/lib/snmp4j.jar:/opt/cm/server/lib/ojdbc11.jar:/opt/cm/server/lib/httpcore.jar:/opt/cm/server/lib/javax.json.jar:/opt/cm/server/lib/jackson-dataformat-cbor.jar:/opt/cm/server/lib/postgresql.jar:/opt/cm/server/lib/slf4j-api.jar:/opt/cm/server/lib/supervisor.jar:/opt/cm/server/lib/activation.jar:/opt/cm/server/lib/jackson-databind.jar:/opt/cm/server/lib/common.jar:/opt/cm/server/lib/jackson-annotations.jar:/opt/cm/server/lib/bcprov-jdk18on.jar:/opt/cm/server/lib/figaro.jar:/opt/cm/server/lib/bcpg-jdk18on.jar:/opt/cm/server/lib/httpclient.jar:/opt/cm/server/lib/commons-codec.jar:/opt/cm/server/lib/sqlite-jdbc.jar:/opt/cm/server/lib/jackson-core.jar:/opt/cm/server/lib/mssql-jdbc.jar:/opt/cm/server/lib/commons-logging.jar:/opt/cm/server/lib/javax.mail.jar
[2024/01/04:12:33:23.871] trace fine - 1-main Java Library Path: /opt/cm/server/bin:/opt/cm/server/bin::/usr/java/packages/lib:/usr/lib/x86_64-linux-gnu/jni:/lib/x86_64-linux-gnu:/usr/lib/x86_64-linux-gnu:/usr/lib/jni:/lib:/usr/lib
[2024/01/04:12:33:23.871] trace fine - 1-main -------------------------------------------------------
[2024/01/04:12:33:24.011] trace fine - 1-main Build version of: /opt/cm/server/lib/cm-s3client.jar:cm-s3client 7604ccf8db84d6277baf5bb5f1ef23b949a8ed36
[2024/01/04:12:33:24.040] trace fine - 1-main Build version of: /opt/cm/server/lib/cm-common.jar:cm-common 7604ccf8db84d6277baf5bb5f1ef23b949a8ed36
[2024/01/04:12:33:24.953] trace fine - 1-main Build version of: /opt/cm/server/lib/cm-sdk.jar:cm-sdk 7604ccf8db84d6277baf5bb5f1ef23b949a8ed36
[2024/01/04:12:33:25.451] trace fine - 1-main Build version of: /opt/cm/server/lib/supervisor.jar:supervisor 7604ccf8db84d6277baf5bb5f1ef23b949a8ed36
[2024/01/04:12:33:25.579] trace fine - 1-main Build version of: /opt/cm/server/lib/common.jar:common 7604ccf8db84d6277baf5bb5f1ef23b949a8ed36
[2024/01/04:12:33:26.325] trace fine - 1-main Build version of: /opt/cm/server/lib/figaro.jar:figaro 7604ccf8db84d6277baf5bb5f1ef23b949a8ed36
[2024/01/04:12:33:27.550] license info - 1-main License CM8-2423 in file /opt/cm/server/license/CM8-2423_Nexus_internal_PS.license validated.
[2024/01/04:12:33:28.799] trace fine - 1-main Successfully connected to DB jdbc:postgresql://localhost:5432/cmdb.
[2024/01/04:12:33:29.275] trace fine - 1-main Starting AdminStore cache
[2024/01/04:12:33:29.315] trace fine - 1-main Starting AdminStoreHandler
[2024/01/04:12:33:29.323] trace fine - 1-main Starting Domain
[2024/01/04:12:33:29.349] audit pass - 1-main Audit started
[2024/01/04:12:33:29.363] audit pass - 1-main CSC: No officer with sign configuration permission was found, skipping configuration signature check.
[2024/01/04:12:33:29.735] trace fine - 1-main Fortanix DSM:: Token: Fortanix Token, manID: Fortanix, model: Fortanix v1, serial: 1, flags: CKF_RNG CKF_LOGIN_REQUIRED CKF_USER_PIN_INITIALIZED CKF_RESTORE_KEY_NOT_NEEDED CKF_TOKEN_INITIALIZED, sessions: -1/0, rwSessions: -1/0, maxPin: 255, minPin: 4, hw: 1.0, fm: 1.0
[2024/01/04:12:33:30.240] trace fine - 1-main Keys on BouncyCastle (DSA) :: [ ]
[2024/01/04:12:33:30.240] trace fine - 1-main Keys on BouncyCastle (RSASSA-PSS) :: [ ]
[2024/01/04:12:33:30.241] trace fine - 1-main Keys on BouncyCastle (Edwards) :: [ ]
[2024/01/04:12:33:31.108] trace fine - 1-main Keys on BouncyCastle (ECDSA) :: [ "kba131247385db4f" "k-5396442519383764271" ]
[2024/01/04:12:33:33.438] trace fine - 1-main Keys on BouncyCastle (RSA) :: [ "k809824193561761066" "k-BootCAkey" "k7943038245459856263" "kce42e9ad88a5a26" "k7d6b8fb0366460f" "kbc96ec7f1881f7a" "k4693fc87ee6d3ab" "k6590422909298449724" "kfc0ce6909ab9bef" "k-126413811472053929" ]
[2024/01/04:12:33:34.843] trace fine - 1-main Keys on Fortanix DSM :: [ "kMDVNR6qwtVOt4P4uyFtYCQYyzWXWR"="VatHA7gv6SU+79xnV2iEWC0O7S1sc4/ESlYYpmqemqM=" ]
Review the logs thoroughly to ensure that the Nexus Certificate Manager application restarts without errors. Look for messages indicating a successful restart, such as "CM instance restarted successfully".
If any errors occur during the restart, troubleshoot and address them to ensure the proper functioning of the Nexus Certificate Manager instance.
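In the sample log above, the entry beginning Fortanix DSM:: Token: shows the PKCS#11 library reporting the DSM token (with CKF_TOKEN_INITIALIZED among its flags), and Keys on Fortanix DSM lists the key labels the token exposes to CM. The following script is an added example, not Nexus or Fortanix code: it parses lines in that log format, pulls out those two facts, and surfaces any entry whose level is not one of the routine levels seen in the sample (fine, info, pass; which other levels the CF log uses is an assumption). The embedded excerpt is four entries copied from the sample.

```python
import re

# Nexus CF log line: [YYYY/MM/DD:HH:MM:SS.mmm] <category> <level> - <thread> <message>
LOG_LINE = re.compile(r"^\[([^\]]+)\]\s+(\w+)\s+(\w+)\s+-\s+(\S+)\s+(.*)$")
# Levels seen in the sample above; anything else is surfaced for review (assumption).
OK_LEVELS = {"fine", "info", "pass"}

# Constructed excerpt: four entries copied from the restart log shown above.
SAMPLE_LOG = """\
[2024/01/04:12:33:29.349] audit pass - 1-main Audit started
[2024/01/04:12:33:29.735] trace fine - 1-main Fortanix DSM:: Token: Fortanix Token, manID: Fortanix, model: Fortanix v1, serial: 1, flags: CKF_RNG CKF_LOGIN_REQUIRED CKF_USER_PIN_INITIALIZED CKF_RESTORE_KEY_NOT_NEEDED CKF_TOKEN_INITIALIZED, sessions: -1/0, rwSessions: -1/0, maxPin: 255, minPin: 4, hw: 1.0, fm: 1.0
[2024/01/04:12:33:30.240] trace fine - 1-main Keys on BouncyCastle (DSA) :: [ ]
[2024/01/04:12:33:34.843] trace fine - 1-main Keys on Fortanix DSM :: [ "kMDVNR6qwtVOt4P4uyFtYCQYyzWXWR"="VatHA7gv6SU+79xnV2iEWC0O7S1sc4/ESlYYpmqemqM=" ]
"""

def summarize_restart(text):
    """Tell a reviewer whether the Fortanix PKCS#11 token came up, which key labels
    DSM exposes to CM, and which lines carry a level that is not routine."""
    report = {"token_initialized": False, "dsm_keys": [], "problems": []}
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # continuation or blank line
        _ts, _category, level, _thread, msg = m.groups()
        if level not in OK_LEVELS:
            report["problems"].append(line)
        if msg.startswith("Fortanix DSM:: Token:") and "CKF_TOKEN_INITIALIZED" in msg:
            report["token_initialized"] = True
        elif msg.startswith("Keys on Fortanix DSM ::"):
            # Entries are "label"=value pairs; keep the labels.
            report["dsm_keys"] = re.findall(r'"([^"]+)"=', msg)
    return report
```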
9.0 Generate Key in Nexus Certificate Manager Administrator Workbench
This section describes the steps to generate cryptographic keys by selecting Fortanix DSM as the device in the Nexus Certificate Manager Administrator Workbench. These keys will enable secure communication between Nexus Certificate Manager and Fortanix DSM.
Perform the following steps:
Log in to the Nexus Certificate Manager Administrator Workbench interface.
Navigate to the section for generating cryptographic keys.
Select the Fortanix DSM option as the Device for key generation.
On the Summary tab, review the summary of key generation parameters and click the OK button.
After the key generation process is complete, verify that the newly generated cryptographic key appears in the key management interface within the Nexus Certificate Manager Administrator Workbench.
10.0 Verify Details
10.1 Review Nexus Certificate Manager Logs
Review the Nexus Certificate Manager logs to check for any errors or messages confirming successful key generation.
[2024/01/04:12:38:12.195] trace fine - PNUMqJxeAGieBKKxfQ+uPWD06cI= Executes KeyRequest:generateKey, client: CMCLIENT/8.5.0, officer: certSerial=0x5a99f18e5b36bd5a5520c93ef2e8b495,cn=CMO1,o=Nexus Technology,c=DE
[2024/01/04:12:38:12.224] oper info - PNUMqJxeAGieBKKxfQ+uPWD06cI= Generate key request. ID: PNUMqJxeAGieBKKxfQ+uPWD06cI= Label: Fortanix Test Key Device: Fortanix DSM Key: k49957285e289cf8 Algorithm: 1.2.840.113549.1.1.1 Parameter: 2048
[2024/01/04:12:38:13.211] trace fine - PNUMqJxeAGieBKKxfQ+uPWD06cI= Public key generated for k49957285e289cf8 : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7fj9Q2y4nCyXVyOJL+nYOvEJM2E1KHMQsi7IDspP5xO2PpRtFVxh1LnYUY1jByWbkRm2XgMePl59HXgCwv/H4PmOApbczgq0X+fx03/YvE4LTid8fZ394ghFRYfmPaKgOxNQ3ECbzDe0zF/l+BYEACqMDCpO733HGdgSeCWENl+7DABrGmC+S+euwzXOm0CH1GvzcAND+Gv6I5Pl/yjj2q0rmeG5NLnu+0mWlySTjSiQTb5rHbk9c0aM3oKLx0dYX/8QxL3o1HAoQrHG3lzIkSYYUsolhkAj4Qs2Fwl5HYxqYd3RhdZ9PC4yVzuMNTEiBIXYVdEB4mRtSx7bahJTYwIDAQAB
[2024/01/04:12:38:13.233] audit pass - PNUMqJxeAGieBKKxfQ+uPWD06cI= Request succeeded: KeyRequest.generateKey
10.2 Verify Fortanix DSM User Interface Details
Navigate to the Fortanix DSM interface to verify all associated details, such as key identifier, algorithm, and key size of the generated cryptographic key.

Figure 5: Security Object Created

Figure 6: Detailed View of the Security Object