1.0 Introduction
This article describes how to integrate Fortanix Data Security Manager (DSM) with the HPE Primera A630 to manage encryption keys and certificates securely.
HPE Primera A630 is an enterprise storage solution with built-in encryption capabilities to protect data at rest. Fortanix DSM facilitates the secure generation, storage, and usage of cryptographic keys and certificates required for HPE Primera encryption. This integration ensures centralized management and enhanced security for data stored on HPE Primera.
1.1 Why Use Fortanix DSM with HPE Primera A630?
In today's cybersecurity landscape, where threats persist, there is a growing need for heightened security measures in both individual and corporate contexts. Enterprises must take proactive steps to fortify their perimeters, data center infrastructure, and hosted software applications, aligning with industry standards, security best practices, and their own security policies.
To ensure the security of customer data at rest, HPE 3PAR employs FIPS-certified self-encrypted drives (SEDs) and FIPS-certified KeyStore technologies, creating a secure environment within the data center. The protection of data at rest on HPE 3PAR and HPE Primera storage arrays involves two crucial components that play a pivotal role in preventing unauthorized access to secured data on the disks. The collaborative efforts of HPE 3PAR and HPE Primera storage, in conjunction with the Fortanix DSM, establish a secure environment, thereby eliminating the risk of unauthorized data access.
This integration article guides customers in securing their information through HPE 3PAR and HPE Primera storage with Fortanix DSM.
2.0 Prerequisites
Ensure the following:
HPE Primera is set up and running.
You have administrator access to Fortanix DSM and HPE Primera.
The Fortanix DSM is accessible. For more information, refer to Section 4.1: Signing Up and Section 4.2: Creating an Account.
3.0 Product Tested Version
This integration has been tested on the following versions:
Fortanix DSM version 4.27.
HPE Primera A630 model.
HPE Primera model release version 4.5.24.7.
4.0 Configure Fortanix DSM
A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:
4.1 Signing Up
To get started with the Fortanix Data Security Manager (DSM) cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.
For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.
4.2 Creating an Account
Access the <Your_DSM_Service_URL> on the web browser and enter your credentials to log in to the Fortanix DSM.

Figure 1: Logging In
4.3 Creating a Group
Perform the following steps to create a group in the Fortanix DSM:
Navigate to the Groups menu item in the DSM left navigation panel and click the + button on the Groups page to add a new group.
Figure 2: Add Groups
On the Adding new group page, enter the following details:
Title: Enter a title for your group.
Description (optional): Enter a short description for the group.
Click the SAVE button to create the new group.
The new group has been added to the Fortanix DSM successfully.
4.4 Creating an Application
Perform the following steps to create an application (app) in the Fortanix DSM:
Navigate to the Apps menu item in the DSM left navigation panel and click the + button on the Apps page to add a new app.
Figure 3: Add Application
On the Adding new app page, enter the following details:
App name: Enter the name of your application.
ADD DESCRIPTION (optional): Enter a short description for the application.
Authentication method: Select the default API Key as the method of authentication from the drop-down menu. For more information on these authentication methods, refer to the User's Guide: Authentication documentation.
Assigning the new app to groups: Select the group created in Section 4.3: Creating a Group from the list.
Click the SAVE button to add the new application.
The new application has been added to the Fortanix DSM successfully.
4.5 Copying the App UUID
Perform the following steps to copy the app UUID from the Fortanix DSM:
Click the Apps menu item in the DSM left navigation panel and click the app created in Section 4.4: Creating an Application to go to the detailed view of the app.
From the top of the app’s page, copy the Username (app UUID) and Password values to be used later in Section 5.3: Generating CSR Request and Section 5.7: Setting Up the EKM Server.
5.0 Setting Up the Integration
This section describes the detailed configuration steps necessary to set up and verify the encryption process using Fortanix DSM with HPE Primera.
5.1 Validating Existing Encryption Status
Perform the following steps to check the various aspects of the drive encryption status:
Run the following command to view the current encryption status for HPE Primera:
controlencryption status -d
Run the following command to view the current HPE Primera version:
showversion -b
Run the following command to view the Solid State Drive (SSD) information:
shownode -drive
Run the following command to validate the drive state:
showpd -s
NOTE
Ensure that the encryption status is set to Capable and the FIPS Mode is in the Disabled state using the HPE Primera user interface (UI).
You can verify the encryption status by navigating through the following paths:
Encryption Status: Navigate to the Settings → System → Encryption.
Figure 4: Encryption Status
FIPS mode: Navigate to the Settings → System → FIPS Mode.
Figure 5: FIPS Status
5.2 Checking Existing Available Certificates
Run the following command to check the existing certificates available on the HPE Primera system:
showcert
5.3 Generating CSR Request
Run the following command to generate a Certificate Signing Request (CSR) with the Fortanix DSM app ID as the Common Name (CN) for the External Key Manager (EKM)-client service:
createcert ekm-client -csr -CN <DSM_App_ID> -C <Country> -ST <State> -L <Location> -O <Org> -OU <Org Unit>
NOTE
Replace the value for <DSM_App_ID> with the actual Fortanix DSM app ID as copied in Section 4.5: Copying the App UUID.
5.4 Importing Root CA for EKM Server
Perform the following steps to import the root Certificate Authority (CA) for the EKM server before importing the signed certificate chain:
Run the following command to import the root CA certificate:
importcert ekm-server -ca stdin
Paste the CA bundle for ekm-server.
When prompted for “Do you want to import these certificate(s) for ekm-server service?”, enter yes to confirm the action.
Run the following command to check if the ekm-server root CA certificate is available:
showcert
5.5 Importing Signed Certificate Chain for EKM Client
Perform the following steps to import the signed certificate chain for the EKM client:
Run the following command to import the signed certificate:
importcert ekm-client stdin
Paste the certificate for ekm-server.
When prompted for “Do you want to import these certificate(s) for ekm-client service?”, enter yes to confirm the action.
5.6 Validating New Certificates Import
Run the following command to validate if the new certificates are successfully imported:
showcert
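A pre-import check for the signed certificate from Sections 5.3 to 5.5, added here as an example (it is not taken from Fortanix or HPE documentation): run on an admin workstation with openssl, it confirms that the issued certificate still carries the DSM app UUID as its CN and chains to the CA that signed the CSR. The function name, the file arguments, and the choice of checks are assumptions.

```shell
#!/bin/sh
# Added example: checks to run before pasting the signed certificate into
# "importcert ekm-client stdin". Function and file names are hypothetical.

# check_ekm_client_cert CERT_PEM CA_PEM APP_UUID
# Returns 0 when every check passes, otherwise a distinct non-zero code.
check_ekm_client_cert() {
    cert=$1 ca=$2 app_uuid=$3

    # 1. The value copied from DSM must look like a UUID (guards against
    #    pasting the app name or the API key by mistake).
    printf '%s\n' "$app_uuid" | grep -Eq \
        '^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$' \
        || { echo "app UUID is malformed" >&2; return 2; }

    # 2. The issued certificate must keep the CN requested in the CSR.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= //p')
    [ "$cn" = "$app_uuid" ] \
        || { echo "CN '$cn' does not match the app UUID" >&2; return 3; }

    # 3. The certificate must chain to the CA that signed the CSR.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "chain does not verify against $ca" >&2; return 4; }

    # 4. The certificate must not already be expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
        || { echo "certificate is expired" >&2; return 5; }

    echo "OK: CN=$cn verifies against $ca"
}
```

Call it as `check_ekm_client_cert signed.pem ca.pem <DSM_App_ID>` and proceed with the import only when it returns 0.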
5.7 Setting Up the EKM Server
Perform the following steps to set up the EKM server using the HPE Primera UI and validate the connectivity:
Open the HPE Primera UI.
Navigate to the EKM server configuration section through Settings → System → Encryption.
On the Set Up EKM Server page, enter the following details:
Server Address: Enter the URL or IP address of the Encryption Key Management (EKM) server, that is, Fortanix DSM.
Port Number: Enter the port number used for connecting to the EKM server.
Username: Enter the name used to authenticate with the EKM server.
Key Management Interoperability Protocol: Select the required KMIP version that matches your EKM server’s setup to ensure compatibility and proper communication.
Username: Enter the username used for authenticating with the EKM server. This is the app UUID as copied in Section 4.5: Copying the App UUID.
Password: Enter the password associated with the provided username for authentication. This is the password as copied in Section 4.5: Copying the App UUID.
Select the I have read and understand the implications check box.
Figure 6: Set EKM Server
Click the Save button.
Next, click the Check button to validate the connectivity between the HPE Primera system and EKM server.
Figure 7: Check EKM Server
Navigate to the Encryption Settings and do the following to enable encryption (EKM) for the drives:
Select the Encryption type as External Key Management (EKM).
Enter the valid password.
Select the I have read and understand the implications check box.
Figure 8: Enable Encryption
Click the Configure button.
5.8 Checking Logs to Confirm Encryption Status
Perform the following steps to check the logs and confirm the encryption status of the drives using both the HPE Primera user interface (UI) and the CLI:
Navigate to the Tasks tab to confirm if the encryption is enabled.
Figure 9: Tasks
Run the following command to check if the encryption is enabled from HPE Primera UI:
showencryption -d
Run the following command to view the status of physical drives:
showpd -s
Run the following command to view the drive information:
shownode -drive
5.9 Checking Audit Logs from Fortanix DSM UI
Perform the following steps to check the audit logs in the Fortanix DSM UI for the app used for EKM as created in Section 4.4: Creating an Application and verify the creation of a new security object:
Log in to the Fortanix DSM UI.
Navigate to the Apps menu item and go to the detailed view of the app created in Section 4.4: Creating an Application.
Under the INFO tab, in the Activity Logs section, verify the logs for the app.
Figure 10: INFO Tab
Go to the SECURITY OBJECTS tab and verify that a key is created by default after the encryption is enabled in Section 5.8: Checking Logs to Confirm Encryption Status.
Figure 11: Security Object Details
5.10 Verifying Encryption Status
Perform the following steps to verify the encryption status from the HPE Primera UI:
Open the HPE Primera UI.
Navigate to the Encryption Settings section through Settings → System → Encryption.
Check the encryption status of the drives.
Figure 12: Encryption Status
Enable the FIPS mode once EKM is configured.
Figure 13: FIPS Mode
On the Edit FIPS Mode page, enable the FIPS mode and click the Save button.
Figure 14: Enable FIPS Mode
Wait for a few minutes until the mode is changed.
Figure 15: Loading the Change
Next, check and confirm the status of the mode.
Figure 16: Review the Status
6.0 Backup, Restoration, and Rekey Testing
This section details the procedures for backing up, restoring, and performing rekey testing on the HPE Primera system integrated with Fortanix DSM.
6.1 Backup
Open the HPE Primera UI.
Locate the Backup settings to configure a backup operation.
Figure 17: Backup Option
Enter the required password to initiate the backup process. This will create a .dar file, which is used for restoration purposes.
Figure 18: Backup Encryption Form
After the backup is completed, the recovery.dar file will be automatically downloaded to your system.
Figure 19: .dar File
6.2 Restoration
Open the HPE Primera UI.
Locate the Restore settings to configure a restoration operation.
Figure 20: Restore Option
Select the previously created recovery.dar file.
Figure 21: Restore Encryption Form
Enter the correct password associated with the backup file to restore the data to HPE Primera.
Figure 22: Review Summary
Check the logs to verify that the restoration process was completed successfully.
Figure 23: Restore Logs
Go to the Fortanix DSM UI.
Go to the detailed view of the app created in Section 4.4: Creating an Application.
Navigate to the SECURITY OBJECTS tab and click the key available in the table.
Figure 24: Logs Status
6.3 Rekey Testing
Open the HPE Primera UI.
Locate the Rekey settings to configure a rekey operation.
Figure 25: Rekey Option
Enter the correct password associated with the backup file to restore the data to HPE Primera.
Figure 26: Rekey Encryption
After completing the rekey operation, a new recovery.dar file will be generated.
Figure 27: recovery.dar File
Check the logs to ensure that the rekey operation was successful, and no errors were encountered.
Figure 28: Review Summary
Log in to the Fortanix DSM UI.
Go to the detailed view of the app created in Section 4.4: Creating an Application.
Navigate to the SECURITY OBJECTS tab.
Figure 29: Security Objects Tab
Review the audit logs to validate the creation of the new key and ensure all rekey activities are properly recorded.
Figure 30: INFO Tab
Ensure that the task details for the rekey operation are accurately reflected and completed as expected.
Figure 31: Logs