1.0 Introduction
InterSystems Cache is a high-performance database that powers transaction processing applications around the world. It is used for everything from mapping a billion stars in the Milky Way, to processing a billion equity trades in a day, to managing smart energy grids.
InterSystems Cache powers customers’ most mission-critical applications with the ability to store, use, and analyze transactional and historical data concurrently in whatever forms required. High-speed SQL runs consistently and seamlessly across all data models.
1.1 Why Use Fortanix Data Security Manager with InterSystems Cache
InterSystems Cache supports encryption of data at rest. It supports a keyring service that enables internal server components and plugins to securely store sensitive information for later retrieval.
Cryptographically secure generation and secure management of encryption keys are required for true security of data at rest encrypted by InterSystems Cache. Fortanix Data Security Manager (DSM), with its KMIP support, provides a secure and flexible solution for this.
The InterSystems Cache KMIP keyring plugin authenticates to a KMIP-enabled key management server using a client certificate. DSM supports client/app authentication using an API key, an app ID plus certificate, or a certificate alone.
2.0 Prerequisites
Ensure the following:
Fortanix DSM
InterSystems Management Console
Access to create a certificate for KMIP Server
3.0 Configure Fortanix DSM
A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:
3.1 Signing Up
To get started with the Fortanix Data Security Manager (DSM) cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.
For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.
3.2 Creating an Account
Access the <Your_DSM_Service_URL> on the web browser and enter your credentials to log in to the Fortanix DSM.

Figure 1: Logging In
3.3 Creating a Group
Perform the following steps to create a group in the Fortanix DSM:
Click the Groups menu item in the DSM left navigation panel and click the + button on the Groups page to add a new group.
Figure 2: Add Groups
On the Adding new group page, enter the following details:
Title: Enter a title for your group.
Description (optional): Enter a short description for the group.
Click the SAVE button to create the new group.
The new group has been added to the Fortanix DSM successfully.
3.4 Creating an Application
Perform the following steps to create an application (app) in the Fortanix DSM:
Click the Apps menu item in the DSM left navigation panel and click the + button on the Apps page to add a new app.
Figure 3: Add Application
On the Adding new app page, enter the following details:
App name: Enter the name of your application.
ADD DESCRIPTION (optional): Enter a short description for the application.
Authentication method: Select the default API Key as the method of authentication from the drop-down menu. For more information on these authentication methods, refer to User's Guide: Authentication documentation.
Assigning the new app to groups: Select the group created in Section 3.3: Creating a Group from the list.
Click the SAVE button to add the new application.
The new application has been added to the Fortanix DSM successfully.
3.5 Copying the App UUID
Perform the following steps to copy the app UUID from the Fortanix DSM:
Click the Apps menu item in the DSM left navigation panel and click the app created in the Section 3.4: Creating an Application to go to the detailed view of the app.
From the top of the app’s page, copy the app UUID to be used in Section 3.6: Generating the Certificate as the value of Common Name (CN) to generate the self-signed certificate and a private key.
3.6 Generating the Certificate
Run the following OpenSSL command to create a new private key and self-signed certificate; you will upload the certificate to the Fortanix DSM app:
openssl req -newkey rsa:2048 -nodes -keyout sdkms.key -x509 -days 365 -out sdkms.crt

Figure 4: Create a new certificate
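As an added example (not part of the Fortanix or InterSystems documentation), the following POSIX shell functions run the same OpenSSL request non-interactively with the Common Name set to the app UUID copied in Section 3.5, then verify the CN and print the fingerprint so the certificate can be checked before it is uploaded in Section 3.7. The file names, function names and the placeholder UUID are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the Fortanix or InterSystems guide.
# Generates the DSM client certificate with CN=<app UUID> and verifies it.

# make_dsm_client_cert KEYFILE CRTFILE APP_UUID [DAYS]
# Same parameters as the guide's command (RSA-2048, self-signed, unencrypted
# key) but -subj supplies the CN instead of the interactive prompt.
make_dsm_client_cert() {
  key="$1"; crt="$2"; uuid="$3"; days="${4:-365}"
  openssl req -newkey rsa:2048 -nodes -keyout "$key" \
    -x509 -days "$days" -subj "/CN=$uuid" -out "$crt" 2>/dev/null
  chmod 600 "$key"   # the private key is the credential; owner-readable only
}

# cert_common_name CRTFILE -> prints the subject CN (RFC2253 form: subject=CN=...)
cert_common_name() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*$/\1/p'
}

# cert_matches_app CRTFILE APP_UUID -> succeeds only if the CN is the app UUID,
# which Section 3.5 requires for certificate authentication to the DSM app.
cert_matches_app() {
  [ "$(cert_common_name "$1")" = "$2" ]
}

# cert_fingerprint CRTFILE -> SHA-256 fingerprint to compare against the
# certificate shown in the DSM app after upload.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Usage: APP_UUID=<uuid copied in Section 3.5> sh make_cert.sh
if [ -n "${APP_UUID:-}" ]; then
  make_dsm_client_cert sdkms.key sdkms.crt "$APP_UUID" 365
  cert_matches_app sdkms.crt "$APP_UUID" && echo "CN ok: $(cert_common_name sdkms.crt)"
  echo "SHA-256 fingerprint: $(cert_fingerprint sdkms.crt)"
fi
```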
3.7 Updating the Authentication Method
Perform the following steps to change the authentication method:
Go to the detailed view of the app created in Section 3.4: Creating an Application, click the Change authentication method button, and select the Certificate option to change the authentication method to Certificate.
Click the SAVE button.
On the Add certificate dialog box, click the UPLOAD NEW CERTIFICATE button to upload the certificate file, or paste the content of the certificate generated in the previous section.
Select both check boxes to confirm that you understand the action.
Click the UPDATE button to save the changes.
4.0 Enabling Security in InterSystems Cache
4.1 Create a new SSL/TLS Configuration
Log in to the Management Console for IRIS.
Figure 5: IRIS Management Console
Once you log in, you will see the InterSystems Management Console homepage.
Figure 6: InterSystems Management Portal
On the Cache instance that will communicate with the KMIP server, create an SSL/TLS configuration that will represent the instance to the KMIP server:
In the portal, go to the SSL/TLS Configurations page (Home → System Administration → Security → SSL/TLS Configurations).
Figure 7: SSL/TLS Configuration page
On the SSL/TLS Configurations page (Figure 9), click the Create New Configuration button, which displays the New SSL/TLS Configuration page.
On the New SSL/TLS Configuration page, set up the SSL/TLS configuration. For the fields listed below, specify or select values as follows:
Enabled — Select this check box.
Type — Select Client.
Specify the client certificate and the private key created in Section 3.6: Generating the Certificate (the same certificate that was uploaded to the DSM portal).
Figure 8: Update the SSL/TLS Configuration
Click the Test icon on the Management portal (Figure 10).
Figure 9: Test server hostname
Set the Port number to 5696 and click OK.
Figure 10: Update port number
The test reports a Success status for the connection; click Save to save the configuration.
Figure 11: Connection Success
Once configured, the SSL/TLS configuration appears in the Management Console as follows:
Figure 12: Configuration success
4.2 Create KMIP Server Configuration Using Terminal
Start the Terminal and log in as a sufficiently privileged user.
Figure 13: Log in to Terminal
At the terminal prompt, go to the %SYS namespace and run ^SECURITY:
zn "%SYS"
%SYS>do ^SECURITY
Figure 14: Run ^Security
In ^SECURITY, select option 14) KMIP server setup. In the KMIP server setup choices, select option 1) Create KMIP server.
At the Create KMIP server prompt, specify values for the following:
KMIP server to create? — The name of the KMIP server configuration.
Description? — A text description.
Server host DNS name? — The fully-qualified DNS name or IP address of the KMIP server.
TCP port number? — The port number on which the KMIP server accepts connections.
OASIS KMIP protocol version? — The number associated with your KMIP server’s supported version of the protocol. This is part of the information that you have received from the vendor that provides the KMIP server.
SSL/TLS Configuration name? — The name of the SSL/TLS configuration that you created in the previous step.
Figure 15: KMIP Server Setup
Select option 1) Create KMIP Server and update the requested information:
KMIP Server to create? DSM
Description? DSM
Server host DNS Name?
TCP Port number? 5696 => 5696
OASIS KMIP protocol version
0) 1.0
1) 1.1
2) 1.2
3) 1.3
4) 1.4
OASIS KMIP protocol version? 2 => 2
SSL/TLS configuration name? KMIP => DSM
Non-blocking I/O? Yes => Yes
Auto-reconnect? No => Yes
I/O timeout, in seconds? 10 => 10
Log KMIP messages? No => Yes
Debug SSL/TLS? No => Yes
Confirm creation of KMIP server DSM? Yes => Yes
KMIP server DSM created
Figure 16: Create KMIP Server
You can list the KMIP server by selecting option 4) Detailed list KMIP server.
Figure 17: List the KMIP Server
4.3 Create a New Key in KMIP Server
To create a new database encryption key on a KMIP server:
For the relevant instance, start the Terminal and log in as a sufficiently privileged user.
At the terminal prompt, go to the %SYS namespace and run ^EncryptionKey:
zn "%SYS"
%SYS>do ^EncryptionKey
Figure 18: Run Encryption key
Select Option 5) Manage KMIP server; you will be prompted for the KMIP server name.
In the following screenshot, the configured KMIP server is DSM. From this menu you can list the keys on the KMIP server (Option 1), create a key (Option 2), or destroy a key (Option 3).
Figure 19: KMIP server - DSM
Select Option 2) Create new key on KMIP server.
Figure 20: Create new key on KMIP server
The key is created but not yet activated, as seen in Figure 21.
Because the key now exists on the KMIP server, it also appears in the Fortanix DSM portal, as shown in the following screenshot.
Figure 21: Key created in Fortanix DSM Portal
4.4 Activate the Data-Element Encryption Key from a KMIP Server
Cache supports up to four activated keys at one time for data-element encryption. To activate a key for data-element encryption from a KMIP server:
For the relevant instance, start the Terminal and log in as a sufficiently privileged user.
At the terminal prompt, go to the %SYS namespace and run ^EncryptionKey:
zn "%SYS"
%SYS>do ^EncryptionKey
In ^EncryptionKey, select option 4) Data element encryption for applications. In the Data element encryption for applications choices, select option 1) Activate data element encryption key.
In the Activate data element encryption key choices, select option 2) Use KMIP server.
At the KMIP server prompt, enter the name of the configuration of the KMIP server from which you wish to activate the key.
The routine then lists the keys on the KMIP server and prompts for the key to activate. Specify a key at the Select key prompt.
The routine then activates the key, displaying its ID.
Figure 22: Activate Key
For each key that Cache activates, the Data Element Encryption page (System Administration → Encryption → Data Element Encryption) adds the key to the table of activated keys and displays the key’s identifier.
You can now log in to the IRIS Management console and see the activated key.
Figure 23: Key added to table of activated keys