Using Fortanix Data Security Manager for Apache Web Server TLS Keys


1.0 Introduction

Apache HTTP Server is a popular open-source web server. Fortanix Data Security Manager (DSM) can be used to protect the TLS private key for your Apache web server: the key is generated or imported into DSM and never leaves it, so it cannot be copied off the host even if the host running Apache is compromised. Note that an attacker who also obtains the app's API key while the host is compromised can still ask DSM to perform operations with the key, so the API key needs the same protection as any other credential.

This article describes how to set up your Apache web server to use a TLS private key stored in Fortanix DSM. To get started quickly, you can use a Fortanix-provided Docker image. Retrieve the image by running docker pull fortanix/sdkms-apache.

2.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and its URL must be reachable from the host that will run the Apache container. To create a Fortanix DSM account and group, refer to the following sections:

2.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

2.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

Figure 1: Logging in

For more information on how to set up an account in Fortanix DSM, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.

2.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Groups menu item, and then click the + button to create a new group.

    Figure 2: Add groups

  2. On the Adding new group page, do the following:

    1. Title: Enter a name for your group.

    2. Description (optional): Enter a short description of the group.

  3. Click SAVE to create the new group.

The new group is added to the Fortanix DSM successfully.

2.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Apps menu item, and then click the + button to create a new app.

    Figure 3: Add application

  2. On the Adding new app page, do the following:

    1. App name: Enter the name for your application.

    2. ADD DESCRIPTION (optional): Enter a short description of the application.

    3. Authentication method: Select the default API Key as the authentication method from the drop-down menu. For more information on these authentication methods, refer to the User's Guide: Authentication.

    4. Assigning the new app to groups: Select the group created in Section 2.3: Creating a Group from the list.

  3. Click SAVE to add the new application.

The new application is added to the Fortanix DSM successfully.

2.5 Copying the API Key

Perform the following steps to copy the API key from the Fortanix DSM:

  1. In the DSM left navigation panel, click the Apps menu item, and then click the app created in Section 2.4: Creating an Application to go to the detailed view of the app.

  2. On the INFO tab, click VIEW API KEY DETAILS.

  3. From the API Key Details dialog box, copy the API Key of the app to be used in Section 4.0: Installing the TLS Key and Certificate.

3.0 Obtaining a TLS Key and Certificate

The Managing Fortanix Data Security Manager Keys With OpenSSL article describes several ways of generating or importing a TLS key and certificate. If you aren’t sure which flow to use and just want to test things out, you can use the section titled “Generating a TLS key and self-signed certificate”.

4.0 Installing the TLS Key and Certificate

Create a file named docker.env to configure the container. In the template below, replace the endpoint, the API key and the certificate label with your own values. The PKCS#11 label is the name of the security object in Fortanix DSM; you can take it from the commands you used to generate or import the certificate, or from the security object's detail view in the web interface.

The API key is sensitive: anyone who holds it can use the TLS private key through DSM. For production deployments, keep the file readable only by the user that starts the container, keep it out of version control and image layers, and rotate the key if it is ever exposed.

FORTANIX_API_ENDPOINT=https://<fortanix_dsm_url>
FORTANIX_API_KEY=<API key from web UI>
FORTANIX_PKCS11_LIBRARY=/usr/lib/x86_64-linux-gnu/pkcs11/fortanix-sdkms-pkcs11.so
FORTANIX_CERTIFICATE_LABEL=<label of certificate>

5.0 Running the Container

Run the container with:

docker run -p 8443:443 --env-file docker.env fortanix/sdkms-apache

Then open https://localhost:8443 in your browser. If you used a self-signed certificate, your browser will display a certificate warning because the certificate is not issued by a CA it trusts; the TLS handshake itself is nevertheless completed with the private key held in Fortanix DSM, which Apache reaches through the PKCS#11 library configured in docker.env.
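The following shell script is an added example and is not part of the Fortanix article or of the fortanix/sdkms-apache image. It automates Sections 4.0 and 5.0 with the checks a practitioner would want around them: it writes docker.env with owner-only permissions, refuses a file that still contains template placeholders, an empty value, a plaintext http:// endpoint or loose permissions, starts the container, and verifies that the certificate the container serves is the one exported from DSM in Section 3.0 (so a self-signed-certificate warning can be told apart from the wrong certificate being served). The function names and the deploy argument are this script's own conventions; the variable names, file name, port mapping and image name are those used in the article, and the openssl and docker invocations are standard.

```shell
#!/bin/sh
# Added example, not part of the Fortanix article or the fortanix/sdkms-apache image.
# Writes docker.env for the container with owner-only permissions, validates it,
# starts the container and verifies that the served certificate is the expected one.
# Function names and the "deploy" argument are this script's own conventions.

# Variables the article's docker.env template expects.
REQUIRED_VARS="FORTANIX_API_ENDPOINT FORTANIX_API_KEY FORTANIX_PKCS11_LIBRARY FORTANIX_CERTIFICATE_LABEL"

# write_env_file FILE ENDPOINT API_KEY PKCS11_LIB CERT_LABEL
# The API key authorises operations with the TLS key, so the file is created
# with mode 0600 (umask 077) and any existing copy is replaced, not appended to.
write_env_file() {
    wef_file=$1
    wef_umask=$(umask)
    umask 077
    rm -f "$wef_file"
    {
        printf 'FORTANIX_API_ENDPOINT=%s\n' "$2"
        printf 'FORTANIX_API_KEY=%s\n' "$3"
        printf 'FORTANIX_PKCS11_LIBRARY=%s\n' "$4"
        printf 'FORTANIX_CERTIFICATE_LABEL=%s\n' "$5"
    } > "$wef_file"
    umask "$wef_umask"
}

# validate_env_file FILE  -> 0 if usable, 1 (with the reason on stderr) otherwise
validate_env_file() {
    vef_file=$1
    if [ ! -f "$vef_file" ]; then
        echo "$vef_file: missing" >&2; return 1
    fi
    # Owner-only permissions: the API key must not be group- or world-readable.
    if [ -z "$(find "$vef_file" -perm 600)" ]; then
        echo "$vef_file: must be mode 0600" >&2; return 1
    fi
    for vef_var in $REQUIRED_VARS; do
        if ! grep -q "^${vef_var}=." "$vef_file"; then
            echo "$vef_file: $vef_var is missing or empty" >&2; return 1
        fi
    done
    # Template placeholders such as <API key from web UI> were not replaced.
    if grep -q '<[^>]*>' "$vef_file"; then
        echo "$vef_file: template placeholder not replaced" >&2; return 1
    fi
    # The API key is sent to DSM with every request; refuse a plaintext endpoint.
    if ! grep -q '^FORTANIX_API_ENDPOINT=https://[^/]' "$vef_file"; then
        echo "$vef_file: FORTANIX_API_ENDPOINT must be an https:// URL" >&2; return 1
    fi
    return 0
}

# cert_fingerprint PEM_FILE -> SHA-256 fingerprint of the certificate in the file
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# verify_served_cert HOST PORT EXPECTED_FINGERPRINT
# Connects to the running container and compares the presented certificate
# with the one exported from DSM.
verify_served_cert() {
    vsc_served=$(openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2)
    [ -n "$vsc_served" ] && [ "$vsc_served" = "$3" ]
}

# Usage: FORTANIX_API_ENDPOINT=... FORTANIX_API_KEY=... FORTANIX_PKCS11_LIBRARY=... \
#        FORTANIX_CERTIFICATE_LABEL=... sh deploy_apache.sh deploy server-cert.pem
if [ "${1:-}" = "deploy" ]; then
    write_env_file docker.env "$FORTANIX_API_ENDPOINT" "$FORTANIX_API_KEY" \
        "$FORTANIX_PKCS11_LIBRARY" "$FORTANIX_CERTIFICATE_LABEL"
    validate_env_file docker.env || exit 1
    cid=$(docker run -d --rm -p 8443:443 --env-file docker.env fortanix/sdkms-apache)
    sleep 5   # give Apache time to start; adjust for your host
    if verify_served_cert localhost 8443 "$(cert_fingerprint "$2")"; then
        echo "container $cid serves the certificate from $2"
    else
        echo "container $cid: served certificate does not match $2" >&2
        exit 1
    fi
fi
```

The deploy branch runs the container detached so the script can check the served certificate afterwards; if you prefer the foreground docker run from Section 5.0, drop -d and run verify_served_cert from another terminal. The server-cert.pem argument is the certificate you generated or imported in Section 3.0.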