---
title: "Fortanix DSM for Hewlett Packard Enterprise (HPE) Alletra 9000"
slug: "using-fortanix-data-security-manager-for-hewlett-packard-enterprise-hpe-alletra-9000"
updated: 2026-04-01T08:42:11Z
published: 2026-03-16T18:44:41Z
---

> ## Documentation Index
> Fetch the complete documentation index at: https://support.fortanix.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Fortanix DSM for Hewlett Packard Enterprise (HPE) Alletra 9000

## 1.0 Introduction

This article describes the steps for integrating **Fortanix-Data-Security-Manager (DSM)**with**HPE Alletra 9000** through KMIP server configuration.

The Hewlett Packard Enterprise (HPE) Alletra 9000 is a comprehensive edge-to-core solution that provides a cloud-like experience wherever your data resides. Specifically tailored for mission-critical tasks, the HPE Alletra 9000 ensures exceptionally low latency, robust reliability, and optimal performance density within a 4U enclosure. This solution empowers IT by transitioning from owning and managing data infrastructure to effortlessly accessing and utilizing it on-demand, following a flexible as-a-service model. Utilizing a unique, highly parallel, multi-node, and all-active platform, the HPE Alletra 9000 seamlessly consolidates traditional and next-gen mission-critical applications at scale, promising consistent performance and ultra-low latency, all backed by a 100% availability guarantee.

## 2.0 Why Use Fortanix DSM with HPE Alletra 9000

In today's cybersecurity landscape, where threats persist, there is a growing need for heightened security measures in both individual and corporate contexts. Enterprises must take proactive steps to fortify their perimeters, data center infrastructure, and hosted software applications, aligning with industry standards, security best practices, and their own security policies.

To ensure the security of customer data at rest, HPE 3PAR employs FIPS-certified self-encrypted drives (SEDs) and FIPS-certified KeyStore technologies, creating a secure environment within the data center. Protecting data at rest on HPE 3PAR and HPE Primera storage arrays involves two crucial components that play a pivotal role in preventing unauthorized access to secured data on the disks. Through the collaborative efforts of HPE 3PAR and HPE Primera storage, along with the Fortanix DSM, a secure environment is established, eliminating the risk of unauthorized data access.

This integration document is designed for customers, guiding them in securing their information through HPE 3PAR and HPE Primera storage with Fortanix DSM.

## 3.0 Prerequisites

Ensure the following:

- Fortanix DSM
- HPE Alletra 9000
- Access to create a certificate for KMIP Server

## 4.0 Product Versions Tested

This integration has been tested on the following versions:

- Fortanix DSM version 4.23.
- HPE Alletra 9000 release version 9.5.18.20.

## 5.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

### 5.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, [https://amer.smartkey.io.](https://amer.smartkey.io.) On-premises customers use the KMS URL, and the SaaS customers can use the URLs as listed [*here*](https://support.fortanix.com/hc/en-us/articles/4406135346068-Fortanix-DSM-SaaS-Global-Availability-Map) based on the application region.

*For more information on how to set up the Fortanix DSM, refer to the*[*User's Guide: Sign Up for Fortanix Data Security Manager SaaS*](https://support.fortanix.com/docs/users-guide-sign-up-for-fortanix-data-security-manager-saas)*.*

### 5.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DSM_SaaS_Login_page(13).png)

**Figure 1: Logging in**

*For more information on how to set up an account in Fortanix DSM, refer to the*[*User's Guide: Getting Started with Fortanix Data Security Manager - UI*](https://support.fortanix.com/docs/users-guide-getting-started-with-fortanix-data-security-manager-ui)*.*

### 5.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

1. In the DSM left navigation panel, click the **Groups**menu item, and then click **ADD GROUP** to create a new group.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Add-Group(17).png)

**Figure 2: Add groups**
2. On the**Adding new group**page:
  1. **Title**: Enter a name for your group.
  2. **Description**(optional): Enter a short description of the group.
3. Click **SAVE**to create the new group.

The new group is added to the Fortanix DSM successfully.

### 5.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

1. In the DSM left navigation panel, click the **Apps**menu item, and then click **ADD APP** to create a new app.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Add-App(16).png)

**Figure 3: Add application**
2. On the **Adding new app**page:
  1. **App name**: Enter the name for your application.
  2. **ADD DESCRIPTION**(optional): Enter a short description of the application.
  3. **Authentication method**: Select the default **API Key**as the authentication method from the drop down menu. *For more information on these authentication methods, refer to the*[*User's Guide: Authentication*](https://support.fortanix.com/docs/users-guide-authentication)*.*
  4. **Assigning the new app to groups**: Select the group created in [*Section 5.3: Creating a Group*](/v1/docs/using-fortanix-data-security-manager-for-hewlett-packard-enterprise-hpe-alletra-9000#53-creating-a-group) [](/v1/docs/using-data-security-manager-with-idcentral-key-management#43-creating-a-group)from the list.
3. Click **SAVE**to add the new application.

The new application is added to the Fortanix DSM successfully.

### 5.5 Copying the App UUID

Perform the following steps to copy the app UUID from the Fortanix DSM:

1. In the DSM left navigation panel, click the **Apps**menu item, and click the app created in [*Section 5.4: Creating an Application*](/v1/docs/using-fortanix-data-security-manager-for-hewlett-packard-enterprise-hpe-alletra-9000#54-creating-an-application) to go to the detailed view of the app.
2. From the top of the app’s page, click the copy icon ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot 2025-05-12 164955.png) next to the app **UUID**to copy it to use in [*Section 6.1: Configuring Encryption*](/v1/docs/using-fortanix-data-security-manager-for-hewlett-packard-enterprise-hpe-alletra-9000#61-configuring-encryption) as the value of Common Name (CN) to generate a Certificate Signing Request (CSR).

Additionally, perform the following steps copy the credentials:

1. On the **INFO**tab, click **VIEW API KEY DETAILS**.
2. Click the **USERNAME/PASSWORD** tab.
3. From the **Credentials Details** dialog box, copy the **Username (app UUID)**and **Password**to use in [*Section 6.1: Configuring Encryption*](/v1/docs/using-fortanix-data-security-manager-for-hewlett-packard-enterprise-hpe-alletra-9000#61-configuring-encryption) to configure the Enterprise Key Manager (EKM)/Fortanix.

### 5.6 Regenerate the Key

Perform the following steps to update the secret size of the key:

1. In the DSM left navigation panel, click the **Apps** menu item, and click the app created in [*Section 5.4: Creating an Application*](/v1/docs/using-fortanix-data-security-manager-for-hewlett-packard-enterprise-hpe-alletra-9000#54-creating-an-application) to go to the detailed view of the app.
2. In the **API Key** section, click **REGENERATE**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/HPE_Alletra_9000_App_Created.png)

**Figure 4: Regenerate the key**
3. In the **Regenerate API key** dialog box, click **Set app secret key size** and update the value to 16 bytes.
4. Select both the check boxes to confirm your understanding about the action and click **UPDATE**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/HPE_Alletra_Regenerate(1).png)

**Figure 5: Secret key size change**

The API key is now successfully regenerated successfully.

## 6.0 Enable Security in HPE Alletra 9000

### 6.1 Configuring Encryption

Perform the following steps to prepare the HPE Alletra 9000 array for encryption:

1. Log in to the HPE Alletra 9000 using SSH with the local 3paradm admin user account.
2. Generate a Certificate Signing Request (CSR) using SSH or the HPE 3PAR CLI. This certificate will be used later to sign with your external Key Management System (KMS). The format of the `createcert` command is as follows:

```bash
createcert ekm-client -csr -CN <common name> -C US -ST <State> -L <City> -O “<Company Name>” -OU <Dept>
```

For example,

```bash
createcert ekm-client -csr -CN 4208e3b2-6a27-448b-bbba-36aafe -C US -ST Texas -L Houston -O HPE -OU ATC
```

> [!NOTE]
> NOTE
> 
> The CN must match the UUID of the Fortanix app as copied in [*Section 5.5: Copying the App UUID*](/v1/docs/using-fortanix-data-security-manager-for-hewlett-packard-enterprise-hpe-alletra-9000#55-copying-the-app-uuid).

![Picture8.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/23446489065236.png)

**Figure 6: Certificate**
3. Run the following command to import the CA-Bundle for the EKM Server in HPE. The root and intermediate certificates must be imported one by one.

```bash
importcert ekm-server -ca stdin
```

**Importing Root Certificate**

![Figure6.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/24336224803604.png)

**Figure 7: Root certificate**

**Importing Intermediate Certificate**

![Figure7.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/24336210911252.png)

**Figure 8: Intermediate certificate**
4. Run the following command to import the certificate for the EKM client:

```bash
importcert ekm-client -ca stdin
```

**Importing Root Certificate**

![Figure8.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/24336210912788.png)

**Figure 9: Root certificate**

**Importing Intermediate Certificate**

![Figure9.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/24336224812180.png)

**Figure 10: Intermediate certificate**
5. Sign the CSR created in *Step 2* with the same Certificate Authority (CA) imported above and import the signed certificate (Only Leaf certificate) in HPE Alletra using the command as shown below:

```bash
importcert ekm-client stdin
```

![Figure11.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/24336210922132.png)

**Figure 11: Import signed certificate**

Use the CLI command `showcert` to verify the presence of `ekm-client` or `ekm-server` certificate.

> [!NOTE]
> NOTE
> 
> This command needs to be run from HPE CLI.
6. Run the following command to verify the status of the drives present:

```bash
shownode -drive
```

![Figure12.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/24336210928148.png)

**Figure 12: Drive status**

```bash
showpd -s
```

![Figure13.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/24336210931860.png)

**Figure 13: Drive status**
7. Run the following command to verify if EKM is configured:

```bash
showencryption -d
```

![Figure14.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/24336210933780.png)

**Figure 14: EKM configuration check**
8. Run the following command to configure the EKM/Fortanix:

```bash
controlencryption setekm -setserver <Server FQDN/IP Address> -port 5696 -ekmuser <Username> -kmipprotocols 1.4 -passwordnoprompt <Password>
```

Where, `&lt;Username&gt;` and `&lt;Password&gt;` are the values as copied in [*Section 5.5: Copying the App UUID*](/v1/docs/using-fortanix-data-security-manager-for-hewlett-packard-enterprise-hpe-alletra-9000#55-copying-the-app-uuid). For example,

```bash
controlencryption setekm -setserver 10.10.10.151 -port 5696 -ekmuser 487XXXXXX -kmipprotocols 1.4 -passwordnoprompt r8cXXXXXXXXXX
```

![Figure15.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/24336224831636.png)

**Figure 15: Configure EKM**
9. Run the following command to verify if the EKM has been configured:

```bash
showencryption -d
```

![Figure16.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/24336224834324.png)

**Figure 16: Verify EKM configuration**

****
10. Run the following command to verify that all the certificates are successfully configured within HPE:

```bash
showcert
```

![Figure17.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/24336224837396.png)

**Figure 17: Verify certificate configuration**
11. Run the following command to enable the encryption on HP:

```bash
controlencryption enable -ekm firstinetgrationhpe9k
```

![Picture15.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/23446458745620.png)

**Figure 18: Enable encryption**
12. Run the following command to verify the task created for encryption `12436`:

```bash
waittask -v 12436
```

![Figure18.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/24336210941588.png)

**Figure 19: Verify encryption task**

Ouput:

![Figure19.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/24336224839956.png)

**Figure 20: Encryption task output**
13. Run the following command to verify if the drives have been encrypted:

```bash
showpd -s
```

![Figure20.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/24336210945172.png)

**Figure 21: Verify drives encryption**
14. You can view and confirm that all the keys have been created in Fortanix EKM:

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/HPE_Alletra_9000_Apps_SO.png)

**Figure 22: Key successful created**

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/HPE_Alletra_SO_Details.png)

**Figure 23: Key detailed view**
15. Run the following command to verify if restore of the backup was successful:

```bash
controlencryption restore firstintegrationonhpe9k
```

![Figure23.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/24336224850068.png)

**Figure 24: Verify restore of the backup**
16. Run the following command to review the task `12438` was successful:

```bash
waittask -v 12438
```

![Figure28.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/24336210961428.png)

**Figure 25: Review task**

### 6.2 Rotating the Key

Perform the following steps to rotate the key in HPE Alletra 9000:

1. Run the following command to take the backup of the key:

```bash
controlencryption backup firstintegrationbackuphpe9k
```

The backup file will be created with the name of `firstintegrationbackuphpe9k`.
2. Run the following command to rotate the key:

```bash
controlencryption rekey secondintegrationonhpe9k
```

This will create a new task in HPE, and a new rotated key is created in Fortanix DSM.

![Figure26.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/24336210963988.png)

**Figure 26: Rotate the key**

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/HPE_Alletra_Rotated_Key(1).png)

**Figure 27: New rotated key**
3. Run the following command to verify the task:

```bash
waittask -v 12609
```

![Figure28.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/24336210961428.png)

**Figure 28: Verify the task**

> [!NOTE]
> NOTE
> 
> Each task in HPE triggers a new task ID.

## 7.0 Group Key Encryption Key (KEK)

For additional security, you can also create a group KEK to encrypt all the apps within the HPE Alletra 9000 group in Fortanix DSM. Perform the following steps:

*To configure another group in Fortanix DSM, which will act as the Group Root Key, refer to the*[*User's Guide: Group Key Encryption Key*](https://support.fortanix.com/docs/users-guide-group-key-encryption-key)*.*

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/HPE_Alletra_Group_KEK.png)

**Figure 29: Create group KEK**

After the group KEK is configured, the group will appear as shown below:

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/HPE_Alletra_Group_KEK_Configured.png)

**Figure 30: Group KEK created**

## 8.0 Verification Steps

Perform the following HPE Alletra 9000 tests:

1. **Backup and restore:** Take a backup and restore of the key as shown below:

![Figure31.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/24336526832404.png)

**Figure 31: Backup and restore**

Verify the logs from the Task ID as shown below:

```bash
waittask -v 12652
```

![Figure32.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/24336495365140.png)

**Figure 32: Verify the logs**
2. **Rotate the HPE Alletra 9000 array:**

![Figure33.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/24336495373076.png)

**Figure 33: Rotate the key**

Verify if the key has been created in Fortanix.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/HPE_Alletra_Verify_Rotation(1).png)

**Figure 34: Verify key rotation**
3. **Rotate the Group KEK:**

> [!NOTE]
> NOTE
> 
> Do not deactivate the original key after rotation. After the Group KEK rotation is successful, verify the backup and restore the key again by performing *Step 1* above again.
4. **Verify key rotation:**

![Figure35.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/24336526850708.png)

**Figure 35: Verify key rotation**
5. **Proceed with Backup and restore operation again:**

![Figure36.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/24336526855444.png)

**Figure 36: Backup and restore**
6. **Verify that the Restore operation is successful:**

![Figure37.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/24336210970772.png)

**Figure 37: Restore successful**

Fortanix Data Security Manager (DSM) is the world’s first cloud service secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as other secrets such as passwords, API keys, tokens, or any blob of data. Your business-critical applications and containers can integrate with Fortanix DSM using legacy cryptographic interfaces (PKCS#11, CNG, and JCE) or using the native Fortanix DSM RESTful interface.