Using Fortanix Data Security Manager for Hewlett Packard Enterprise (HPE) Morpheus Cypher Module


1.0 Introduction

The Fortanix-Data-Security-Manager (DSM) Morpheus Plugin delivers secure, seamless integration between Hewlett Packard Enterprise (HPE) Morpheus and Fortanix DSM for centralized management, retrieval, and lifecycle control of sensitive secrets - including passwords, API keys, certificates, and other credentials. The plugin supports both the Morpheus Cypher module and the Credential Provider interface, enabling secure, dynamic injection of secrets into automation workflows, provisioning tasks, and application deployments.

By leveraging Fortanix DSM as a central source of truth, Morpheus benefits from externalized secret storage and strict governance. Sensitive values are created, stored, and managed entirely within Fortanix DSM, ensuring they never reside within the Morpheus environment. This architecture enhances security posture, reduces operational risk, and simplifies compliance.

Through the DSM Plugin Client, the Morpheus Cypher module interacts with Fortanix DSM to create, retrieve, and manage secrets required for automation and cloud provisioning. Each secret defined in Morpheus is provisioned as a secure object in Fortanix DSM. Likewise, the Credential Provider integration securely retrieves credentials, such as passwords, tokens, and API keys, from Fortanix DSM through authenticated API calls, ensuring these values are tightly controlled and never stored in the Morpheus database.

At runtime, Fortanix DSM enforces fine-grained access controls, provides detailed audit logging for all secret interactions, and delivers centralized visibility and governance across environments. This integration ensures that every secret and credential used by Morpheus is externally managed, securely handled, and aligned with enterprise-grade security and compliance requirements.

2.0 Prerequisites

Ensure the following:

  • Fortanix DSM must be accessible. For more information, refer to Section 5.0: Configure Fortanix DSM.

  • Administrator access to the Morpheus console.

  • Network connectivity between Morpheus and the Fortanix DSM endpoint.

3.0 Product Version Tested

The following product versions were tested:

  • Fortanix DSM version 5.2 or later

  • Java versions 11 and 17

  • Morpheus version 8.0.x or later

4.0 Architecture Workflow

Figure 1: Architecture diagram

This figure presents a high-level view of the Fortanix DSM–HPE Morpheus integration workflow. The integration is enabled through the dsm-hpe-morpheus-plugin-x.x.x-all.jar, which establishes a secure, authenticated communication channel between the Morpheus platform and Fortanix DSM.

As shown, the Morpheus Cypher module and the Credential Provider interface both interact with Fortanix DSM using the DSM Plugin Client. These components request secrets and credentials on demand during automation workflows, provisioning operations, and application deployments.

The Morpheus Cypher module communicates with Fortanix DSM through the DSM Plugin Client to create, retrieve, and manage secrets for automation tasks, provisioning, and cloud integrations. Each secret created in Morpheus is provisioned as a security object in Fortanix DSM.

All secret and credential operations are executed through authenticated API calls to Fortanix DSM, which acts as the authoritative control plane for access enforcement, auditing, and lifecycle management. This design ensures that Morpheus consumes sensitive values dynamically at runtime while Fortanix DSM maintains centralized visibility, policy enforcement, and governance across all environments.

5.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

5.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://amer.smartkey.io. On-premises customers use the KMS URL, and the SaaS customers can use the URLs as listed here based on the application region.

For more information on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS.

5.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

Figure 2: Logging in

For more information on how to set up an account in Fortanix DSM, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.

5.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Groups menu item, and then click ADD GROUP to create a new group.

    Figure 3: Add groups

  2. On the Adding new group page, do the following:

    1. Title: Enter a name for your group.

    2. Description (optional): Enter a short description of the group.

  3. Click SAVE to create the new group.

The new group is added to the Fortanix DSM successfully.

5.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Apps menu item, and then click ADD APP to create a new app.

    Figure 4: Add application

  2. On the Adding new app page, do the following:

    • App name: Enter the name for your application.

    • ADD DESCRIPTION (optional): Enter a short description of the application.

    • Authentication method: Select the default API Key as the authentication method from the drop down menu. For more information on these authentication methods, refer to the User's Guide: Authentication.

    • Assigning the new app to groups: Select the group created in Section 5.3: Creating a Group from the list.

  3. Click SAVE to add the new application. 

The new application is added to the Fortanix DSM successfully.

5.5 Copying the API Key

Perform the following steps to copy the API key from the Fortanix DSM:

  1. In the DSM left navigation panel, click the Apps menu item, and then click the app created in Section 5.4: Creating an Application to go to the detailed view of the app.

  2. On the INFO tab, click VIEW API KEY DETAILS.

  3. From the API Key Details dialog box, copy the API Key of the app to use in Section 6.2: Configuring the Fortanix DSM Plugin.

6.0 Fortanix DSM Plugin

This section describes how to install and configure the Fortanix DSM plugin in Morpheus.

6.1 Installing the Fortanix DSM Plugin Client

Perform the following steps to install the plugin:

  1. Download the plugin source code from the GitHub repository.

  2. Run the following command in the local project directory to generate the bundled JAR:

    ./gradlew shadowJar

  3. After the build completes successfully, the dsm-hpe-morpheus-plugin-x.x.x-all.jar file is generated in the build/libs directory.

  4. In the Morpheus console, navigate to the Administration > Integrations > Plugins tab and click ADD.

    Figure 5: Upload Fortanix DSM Plugin JAR

  5. In the ADD PLUGIN dialog box, upload the dsm-hpe-morpheus-plugin-x.x.x-all.jar file that is generated in Step 3.

    Figure 6: Fortanix DSM Plugin listed in Morpheus

  6. Click SAVE.

  7. After a successful upload, verify that the Fortanix DSM plugin appears in the list.

    Figure 7: Fortanix DSM Plugin is listed

6.2 Configuring the Fortanix DSM Plugin

Perform the following steps to configure the plugin:

  1. Click the Edit icon corresponding to the Fortanix DSM plugin.

  2. In the EDIT PLUGIN dialog box, provide the following mandatory fields:

    1. DSM API URL: Enter the Fortanix DSM endpoint.

    2. DSM API KEY: Enter the API key of the Fortanix DSM app created in Section 5.4: Creating an Application.

    3. Select the CLEAR SECRET ON DELETION check box to ensure that when a Cypher entry is deleted in Morpheus, the corresponding security object in Fortanix DSM is also deleted.

    4. Lease Timeout (optional): The Lease Timeout parameter is applicable only when creating a Cypher object, not during plugin configuration. Refer to Figure 7 for all available plugin configuration options.

    5. Click SAVE to update the configuration.

    Figure 8: Edit plugin configuration

7.0 Using the Cypher Module with Fortanix DSM

This section describes how to use the Cypher module in Morpheus with Fortanix DSM to create, validate, and manage secrets.

7.1 Creating a Cypher Entry

Perform the following steps to create a Cypher entry in Morpheus and store the secret in Fortanix DSM:

  1. In the Morpheus console, navigate to Tools > Cypher and click ADD to create a new Cypher entry.

  2. In the ADD KEY dialog box, provide the following details:

    1. KEY: Use the dsm mount point prefix to indicate that the secret will be managed in Fortanix DSM.

      The expected naming convention is dsm/{name_of_the_security_object_in_DSM}. For example, dsm/db-password.

      NOTE

      The syntax after dsm/ must exactly match the security object name created in Fortanix DSM.

    2. VALUE: Enter the secret in plain text. For example, a password or API key.

      Figure 9: Add key configuration

  3. Click SAVE to confirm.

When you save the Cypher entry, Morpheus automatically creates a SECRET type of security object in Fortanix DSM. The security object is imported into the default Fortanix DSM group associated with the app as configured in Section 6.2: Configuring the Fortanix DSM Plugin. When you delete the key in Morpheus, the associated Fortanix DSM security object will be deleted based on the Fortanix DSM plugin configuration.

NOTE

The Cypher module always uses the Fortanix DSM plugin configuration. Even if additional credential stores are created under Infrastructure > Trust > Integrations, the Cypher module does not use them.

7.2 Validating the Secret

  • In Morpheus,

    • After saving, the secret appears in the Cypher table.

    • Click DECRYPT next to the entry to view the value in base64 format. You can decode the base64 to obtain the raw secret.

    Figure 10: Viewing a DSM-backed Cypher entry and using decrypt

  • In Fortanix DSM,

    1. Log in to your Fortanix DSM account.

    2. Navigate to Groups > Security Objects for the group linked to your Morpheus app as configured in Section 6.2: Configuring the Fortanix DSM Plugin.

    3. Confirm that a new security object of type SECRET exists with the same name added after dsm/ in Step 2 of Section 7.1: Creating a Cypher Entry.

    Figure 11: Secret type security object

NOTE

Updating an existing Cypher secret is not supported in the current release of the plugin. To change any value, delete the old entry and create a new one. Additionally, the Update Secret feature is not implemented for the plugin.

7.3 Deleting a Cypher Entry

Perform the following steps to remove a Cypher entry and (optionally) the corresponding Fortanix DSM security object:

  1. In Morpheus, navigate to Tools > Cypher, locate the entry, and delete it.

  2. The outcome depends on the plugin configuration set in Section 6.2: Configuring the Fortanix DSM Plugin:

    • If the CLEAR SECRET ON DELETION check box is selected, the associated Fortanix DSM security object is also deleted.

      Figure 12: Deleting a Cypher entry in Fortanix DSM

    • If the CLEAR SECRET ON DELETION check box is not selected, the Fortanix DSM security object remains in Fortanix DSM.

8.0 Use the Credential Provider

This section describes how to configure and use the Credential Provider in Morpheus with Fortanix DSM.

8.1 Configuring Fortanix DSM as a Credential Store

Perform the following steps to configure Fortanix DSM as a Credential Store in Morpheus:

  1. In the Morpheus console, navigate to Infrastructure > Trust > Integrations and click ADD.

  2. From the Secret Stores drop down menu, select DSM.

    Figure 13: Adding new DSM integration

  3. In the ADD INTEGRATION dialog box, provide the following details:

    • NAME (mandatory): Enter a title for your integration. For example, Fortanix-DSM.

    • API URL (optional): Enter the Fortanix DSM service URL. For example, https://smartkey.io/ or a regional endpoint.

    • API KEY (optional): Enter the Fortanix DSM app API key as copied in Section 5.5: Copying the API Key.

    NOTE

    If a Fortanix DSM Endpoint or API Key is provided here, it overrides the plugin-level configuration. If left blank, Morpheus uses the plugin settings as defined in Section 6.2: Configuring the Fortanix DSM Plugin.

  4. Click SAVE CHANGES to add the DSM credential store in the Integrations list.

    Figure 14: Adding DSM as credential store

8.2 Adding a Credential

Perform the following steps to add and manage a credential in Fortanix DSM:

  1. In the Morpheus console, navigate to Infrastructure > Trust > Credentials.

  2. Click ADD and select a credential option from the drop down menu. In this example, the Access Key and Secret Key credential type is selected.

    Figure 15: Adding new credentials

  3. In the ADD CREDENTIALS dialog box,

    • CREDENTIAL STORE: Select Fortanix DSM from the drop down menu as created in Section 8.1: Configuring Fortanix DSM as a Credential Store.

    • NAME: Unique identifier for the credential. For example, my-creds-aws.

    • DESCRIPTION (optional): Description of the credential.

    • ENABLED: Select this check box to activate the credential.

    • ACCESS KEY: Enter the access key value.

    • SECRET KEY: Enter the secret key value.

    Figure 16: Configuring DSM-backed credential details

  4. Click ADD CREDENTIALS to update the configuration.

NOTE

  • You can create multiple Fortanix DSM credential stores with different app API keys to maintain granular access control across applications or teams.

  • The Cypher plugin provides a fallback mechanism. If the Credential Provider configuration is missing, the plugin retrieves the configuration details from the Cypher plugin configuration.

Outcome: In Morpheus, the credential appears under Infrastructure > Trust > Credentials. In Fortanix DSM, the credential is created as a SECRET type of security object within the default group linked to the app defined in the credential store (unlike Cypher, which always uses the plugin configuration). The value is stored in Fortanix DSM as a base64-encoded JSON string.
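The validation in Section 7.2 and the outcome above both involve base64 values. The following Python sketch is an added example, not part of the plugin or of Fortanix or Morpheus tooling: it maps a Cypher key to its DSM security object name and checks a base64 value against an expected secret without printing the secret. The sample values and the JSON field names (access_key, secret_key) are constructed assumptions; the plugin's actual JSON layout is not documented on this page.

```python
import base64
import binascii
import hashlib
import hmac
import json

DSM_MOUNT = "dsm/"  # Cypher mount point prefix from Section 7.1

def security_object_name(cypher_key):
    """Return the DSM security object name for a key such as dsm/db-password."""
    if not cypher_key.startswith(DSM_MOUNT) or len(cypher_key) == len(DSM_MOUNT):
        raise ValueError("not a DSM-backed Cypher key: %r" % cypher_key)
    return cypher_key[len(DSM_MOUNT):]

def decode_value(b64_text):
    """Strictly decode the base64 text shown by DECRYPT or stored in DSM."""
    try:
        return base64.b64decode(b64_text.strip(), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("value is not valid base64") from exc

def summarize(b64_text):
    """Describe a decoded value (kind, length, digest, field names) without revealing it."""
    raw = decode_value(b64_text)
    summary = {"kind": "raw", "length": len(raw), "fields": [],
               "sha256": hashlib.sha256(raw).hexdigest()}
    try:
        doc = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return summary  # plain Cypher secret, not a credential document
    if isinstance(doc, dict):
        summary["kind"] = "json"
        summary["fields"] = sorted(doc)  # names only, never the values
    return summary

def matches_expected(b64_text, expected_secret):
    """Constant-time comparison of the decoded value with the secret you entered."""
    return hmac.compare_digest(decode_value(b64_text), expected_secret.encode("utf-8"))

# Constructed sample values; the field names below are assumptions.
CYPHER_SAMPLE = base64.b64encode(b"constructed-db-password").decode("ascii")
CRED_SAMPLE = base64.b64encode(json.dumps(
    {"access_key": "AKIA-CONSTRUCTED", "secret_key": "constructed-secret"}
).encode("utf-8")).decode("ascii")

if __name__ == "__main__":
    print(security_object_name("dsm/db-password"))
    print(summarize(CYPHER_SAMPLE))
    print(summarize(CRED_SAMPLE))
```

Only the digest, length, and field names are printed, so the output can be pasted into a ticket or change record without exposing the secret.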

8.3 Configuration in a Private Network

When Fortanix DSM and HPE Morpheus are deployed within a private network, the Morpheus server must trust the DSM root Certificate Authority (CA) to establish secure communication. To enable this, the DSM server root CA certificate must be added to the Morpheus server.

Perform the following steps to add the DSM server root CA certificate:

  1. Download the root CA certificate from the Fortanix DSM instance.

  2. Copy the certificate to the following directory on the Morpheus server:

    /etc/morpheus/ssl/trusted_certs

  3. Run the following command to reconfigure the Morpheus service to apply the certificate changes:

    morpheus-ctl reconfigure

  4. Run the following command to restart the Morpheus service to complete the configuration:

    morpheus-ctl restart

After completing the configuration, perform the required sanity tests to verify that Morpheus can successfully communicate with Fortanix DSM.