Using Fortanix Data Security Manager for InterSystems Cache using KMIP


1.0 Introduction

InterSystems Cache is a high-performance database that powers transaction processing applications around the world. It is used for everything from mapping a billion stars in the Milky Way, to processing a billion equity trades in a day, to managing smart energy grids.

InterSystems Cache powers customers’ most mission-critical applications with the ability to store, use, and analyze transactional and historical data concurrently in whatever forms required. High-speed SQL runs consistently and seamlessly across all data models.

2.0 Why Use Fortanix DSM with InterSystems Cache?

InterSystems Cache supports encryption of data at rest. It supports a keyring service that enables internal server components and plugins to securely store sensitive information for later retrieval.

Cryptographically secure generation and secure management of encryption keys are required for true security of data at rest encrypted by InterSystems Cache. Fortanix Data Security Manager (DSM), with its KMIP support, provides a secure and flexible solution for this.

The InterSystems Cache KMIP keyring plugin authenticates to a KMIP-enabled key management server using a client certificate. Fortanix DSM allows clients and apps to authenticate using an API key, an app ID together with a certificate, or a certificate alone.

3.0 Prerequisites

Ensure the following:

  • Fortanix DSM

  • InterSystems Management Console

  • Access to create a certificate for KMIP Server

4.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

4.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

4.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

Figure 1: Logging in

For more information on how to set up an account in Fortanix DSM, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.

4.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Groups menu item, and then click the + button to create a new group.

    Figure 2: Add groups

  2. On the Adding new group page, do the following:

    1. Title: Enter a name for your group.

    2. Description (optional): Enter a short description of the group.

  3. Click SAVE to create the new group.

The new group is added to the Fortanix DSM successfully.

4.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Apps menu item, and then click the + button to create a new app.

    Figure 3: Add application

  2. On the Adding new app page, do the following:

    1. App name: Enter the name for your application.

    2. ADD DESCRIPTION (optional): Enter a short description of the application.

    3. Authentication method: Select the default API Key as the authentication method from the drop-down menu. For more information on these authentication methods, refer to the User's Guide: Authentication.

    4. Assigning the new app to groups: Select the group created in Section 4.3: Creating a Group from the list.

  3. Click SAVE to add the new application.

The new application is added to the Fortanix DSM successfully.

4.5 Copying the App UUID

Perform the following steps to copy the app UUID from the Fortanix DSM:

  1. In the DSM left navigation panel, click the Apps menu item, and then click the app created in Section 4.4: Creating an Application to go to the detailed view of the app.

  2. From the top of the app’s page, click the copy icon next to the app UUID to copy it. This UUID is used in Section 4.6: Generating the Certificate as the Common Name (CN) of the self-signed certificate and private key.

4.6 Generating the Certificate

Run the following OpenSSL command to create a new self-signed certificate and private key. The certificate is later uploaded to the Fortanix DSM app:

openssl req -newkey rsa:2048 -nodes -keyout sdkms.key -x509 -days 365 -out sdkms.crt

Figure 4: Create a new certificate
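The command above prompts interactively for the subject fields. The following is an added example, not part of the Fortanix or InterSystems documentation, that sets the CN to the app UUID non-interactively (DSM matches the certificate to the app by its Common Name, see Section 4.5) and checks the resulting certificate before upload. The UUID and file names are constructed placeholders; the KMIP port 5696 and the CA file are the ones Section 5.1 configures.

```shell
#!/bin/sh
# Added example, not part of the Fortanix/InterSystems documentation.
# Generates the DSM app client certificate with the app UUID as CN and
# verifies it before upload. APP_UUID below is a constructed placeholder.

# Print the CN of a PEM certificate (empty if the subject has no CN).
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=//p'
}

# Create an unencrypted 2048-bit RSA key and a 365-day self-signed certificate
# whose CN is the app UUID, then confirm the CN matches. Returns 1 on failure.
gen_dsm_client_cert() {
  app_uuid="$1"; key="${2:-sdkms.key}"; crt="${3:-sdkms.crt}"
  openssl req -newkey rsa:2048 -nodes -keyout "$key" -x509 -days 365 \
    -subj "/CN=$app_uuid" -out "$crt" 2>/dev/null || return 1
  # -nodes leaves the private key unencrypted on disk: restrict it to the owner.
  chmod 600 "$key"
  [ "$(cert_cn "$crt")" = "$app_uuid" ]
}

# Exit 0 if the certificate stays valid for at least $2 more days; use this to
# schedule renewal before DSM starts rejecting the expired client certificate.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Live check of the TLS handshake to the DSM KMIP port, with the same client
# certificate/key and CA file that the Section 5.1 SSL/TLS configuration uses.
# $1 = DSM host, $2 = client cert, $3 = client key, $4 = CA certificate file.
check_kmip_tls() {
  printf '' | openssl s_client -connect "$1:5696" -cert "$2" -key "$3" \
    -CAfile "$4" -verify_return_error 2>&1 | grep -q 'Verify return code: 0 (ok)'
}

# Usage: set APP_UUID to the value copied in Section 4.5 before running.
if [ -n "${APP_UUID:-}" ]; then
  gen_dsm_client_cert "$APP_UUID" sdkms.key sdkms.crt \
    && echo "sdkms.crt issued for CN=$(cert_cn sdkms.crt)"
fi
```

`check_kmip_tls` is the command-line equivalent of the Test button in Section 5.1: a non-zero exit means the DSM server certificate did not chain to the CA file or the client certificate was rejected, which is worth confirming before pointing the ^SECURITY KMIP server configuration at the host.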

4.7 Updating the Authentication Method

Perform the following steps to change the authentication method:

  1. Go to the detailed view of the app created in Section 4.4: Creating an Application, click Change authentication method, and select the Certificate option.

  2. Click SAVE.

  3. On the Add certificate dialog box, click UPLOAD NEW CERTIFICATE to upload the certificate file, or paste the content of the certificate generated in the previous section.

  4. Select both check boxes to confirm your understanding of the action.

  5. Click UPDATE to save the changes.

5.0 Enabling Security in InterSystems Cache

5.1 Create a new SSL/TLS Configuration

  1. Log in to the IRIS Management Console.

    Figure 5: IRIS management console

  2. After logging in, the InterSystems Management Console homepage is displayed.

    Figure 6: InterSystems management portal

  3. On the IRIS instance that will connect to the KMIP server, create an SSL/TLS Configuration that will represent the instance to the KMIP server:

    1. Navigate to Home → System Administration → Security → SSL/TLS Configurations.

      Figure 7: SSL/TLS configuration page

    2. Click Create New Configuration to open the New SSL/TLS Configuration page and do the following:

      1. Enabled — Select this check box.

      2. Type — Select Client.

      3. Client Certificate and Key — Upload the client certificate and private key generated in Section 4.6: Generating the Certificate.

      4. CA Certificate — Upload the certificate authority used to sign the DSM server certificate.

    Figure 8: Update the SSL/TLS configuration

  4. Click the Test icon to validate the connection.

    Figure 9: Test server hostname

  5. In the prompt, set the Test server port as 5696 and click OK.

    Figure 10: Update port number

  6. Upon successful connection, click Save.

    Figure 11: Connection success

    Once the SSL/TLS configuration is successfully set up, the final configuration details are displayed in the Management Console as shown below.

    Figure 12: Configuration success

5.2 Create KMIP Server Configuration Using Terminal

Perform the following steps to configure a KMIP server using the terminal:

  1. Start the Terminal and log in with a sufficiently privileged user account.

    Figure 13: Log in to terminal

  2. Navigate to the %SYS namespace and run the ^SECURITY routine:

         zn "%SYS"
    %SYS>do ^SECURITY
    
    14.png

    Figure 14: Run ^SECURITY

  3. In the ^SECURITY menu, select option 14) KMIP server setup.

  4. In the KMIP server setup menu, select option 1) Create KMIP server and provide the following configuration values:

    1. KMIP server to create? — Enter the name of the KMIP server configuration.

    2. Server host DNS name? — Enter the fully qualified DNS name or IP address of the Fortanix DSM server.

    3. TCP port number? — The port number on which the KMIP server accepts connections.

    4. OASIS KMIP protocol version? — The number associated with your KMIP server’s supported version of the protocol. This is part of the information that you have received from the vendor that provides the KMIP server.

    5. SSL/TLS Configuration name? — Enter the name of the SSL/TLS configuration created in the previous step.

    6. Non-blocking I/O? — Enter Yes.

    7. Auto-reconnect? — Enter Yes.

    8. I/O timeout, in seconds? — Enter 10.

    9. Log KMIP messages? — Enter Yes.

    10. Debug SSL/TLS? — Enter Yes.

    11. Confirm creation of KMIP server DSM? — Enter Yes.

    KMIP Server to create? DSM
    Description? DSM
    Server host DNS Name?  <fortanix_dsm_url>
    Port number? 5696 => 5696
    OASIS KMIP protocol version
    0) 1.0
    1) 1.1
    2) 1.2
    3) 1.3
    4) 1.4
    OASIS KMIP protocol version? 2 => 2
    SSL/TLS configuration name? KMIP => DSM
    Non-blocking I/O? Yes => Yes
    Auto-reconnect? No => Yes
    I/O timeout, in seconds? 10 => 10
    Log KMIP messages? No => Yes
    Debug SSL/TLS? No => Yes
    Confirm creation of KMIP server DSM? Yes => Yes
    KMIP server DSM created

    Figure 15: Create KMIP server

  5. Once complete, the terminal confirms with the message KMIP server DSM created.

  6. To view the configuration, select option 4) Detailed list KMIP server in the KMIP server setup menu.

    Figure 16: List the KMIP server

5.3 Create a New Key in KMIP Server

Perform the following steps to activate a database encryption key from a KMIP server:

  1. Start the Terminal for the relevant InterSystems IRIS instance and log in with a sufficiently privileged user account.

  2. At the terminal prompt, switch to the %SYS namespace and run the ^EncryptionKey routine:

         zn "%SYS"
    %SYS>do ^EncryptionKey

    Figure 17: Run encryption key

  3. In the Encryption Key Management menu, select option 5) Manage KMIP server.

  4. When prompted, enter the name of the configured KMIP server, which is DSM.

  5. In the KMIP server management menu, the following options are available:

    1. Option 1: List keys in the KMIP server.

    2. Option 2: Create a new key.

    3. Option 3: Destroy a key

      Figure 18: KMIP server - DSM

  6. Select option 2) Create new key on KMIP server to generate a new encryption key.

    NOTE

    The key is created on the KMIP server but is not activated at this stage.

    Figure 19: Create new key on KMIP server

  7. After the key is created, it will appear in the Fortanix DSM under the Security Objects menu item for the corresponding app.

    Figure 20: Key created in Fortanix DSM

5.4 Activate the Data-Element Encryption Key from a KMIP Server

InterSystems Cache supports up to four activated keys at one time for data-element encryption.

Perform the following steps to activate a key for data-element encryption from a KMIP server:

  1. Start the Terminal for the relevant instance and log in as a user with sufficient privileges.

  2. At the terminal prompt, switch to the %SYS namespace and run the ^EncryptionKey routine:

         zn "%SYS"
    %SYS>do ^EncryptionKey

  3. In ^EncryptionKey, select option 4) Data element encryption for applications.

  4. In the Data element encryption for applications choices, select option 1) Activate data element encryption key.

  5. In the Activate data element encryption key choices, select option 2) Use KMIP server.

  6. At the KMIP server prompt, enter the name of the configuration of the KMIP server from which you wish to activate the key. The routine lists the available keys from the KMIP server and prompts for selection.

  7. At the Select key prompt, specify the desired key.

  8. The routine activates the selected key and displays its Key ID.

    Figure 21: Activate key

  9. For each activated key, the Data Element Encryption page (System Administration → Encryption → Data Element Encryption) adds the key to the table of activated keys and displays its identifier.

  10. You can now log in to the IRIS Management Console and verify the activated key.

    Figure 22: Key added to table of activated keys