---
title: "Fortanix DSM for InterSystems Cache using KMIP"
slug: "using-fortanix-data-security-manager-for-intersystems-cache-using-kmip"
updated: 2026-04-01T08:18:27Z
published: 2026-03-21T17:11:18Z
---

# Fortanix DSM for InterSystems Cache using KMIP

## 1.0 Introduction

**InterSystems Cache** is a high-performance database that powers transaction processing applications around the world. It is used for everything from mapping a billion stars in the Milky Way, to processing a billion equity trades in a day, to managing smart energy grids.

InterSystems Cache powers customers’ most mission-critical applications with the ability to store, use, and analyze transactional and historical data concurrently in whatever form is required. High-speed SQL runs consistently and seamlessly across all data models.

## 2.0 Why Use Fortanix DSM with InterSystems Cache?

InterSystems Cache supports encryption of data at rest. It supports a keyring service that enables internal server components and plugins to securely store sensitive information for later retrieval.

Cryptographically secure generation and secure management of encryption keys are required for true security of data at rest encrypted by InterSystems Cache. **Fortanix Data Security Manager (DSM)**, with its KMIP support, provides a secure and flexible solution for this.

The InterSystems Cache KMIP keyring plugin authenticates to a KMIP-enabled key management server using a client certificate. DSM allows clients/apps to authenticate using API Key, app ID and certificate, or just certificate.

## 3.0 Prerequisites

Ensure the following are available:

- Fortanix DSM
- InterSystems Management Console
- Access to create a certificate for KMIP Server

## 4.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

### 4.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, [https://amer.smartkey.io](https://amer.smartkey.io). On-premises customers use the KMS URL, and SaaS customers can use the URLs listed [*here*](https://support.fortanix.com/hc/en-us/articles/4406135346068-Fortanix-DSM-SaaS-Global-Availability-Map) based on the application region.

*For more information on how to set up the Fortanix DSM, refer to the* [*User's Guide: Sign Up for Fortanix Data Security Manager SaaS*](https://support.fortanix.com/docs/users-guide-sign-up-for-fortanix-data-security-manager-saas)*.*

### 4.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DSM_SaaS_Login_page(15).png)

**Figure 1: Logging in**

*For more information on how to set up an account in Fortanix DSM, refer to the* [*User's Guide: Getting Started with Fortanix Data Security Manager - UI*](https://support.fortanix.com/docs/users-guide-getting-started-with-fortanix-data-security-manager-ui)*.*

### 4.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

1. In the DSM left navigation panel, click the **Groups** menu item, and then click **ADD GROUP** to create a new group.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DSM_Add_Group(11).png)

**Figure 2: Add groups**
2. On the **Adding new group** page:
  1. **Title**: Enter a name for your group.
  2. **Description** (optional): Enter a short description of the group.
3. Click **SAVE** to create the new group.

The new group is added to the Fortanix DSM successfully.

### 4.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

1. In the DSM left navigation panel, click the **Apps** menu item, and then click **ADD APP** to create a new app.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Add-App(57).png)

**Figure 3: Add application**
2. On the **Adding new app** page:
  1. **App name**: Enter the name for your application.
  2. **ADD DESCRIPTION** (optional): Enter a short description of the application.
  3. **Authentication method**: Select the default **API Key** as the authentication method from the drop-down menu. *For more information on these authentication methods, refer to the* [*User's Guide: Authentication*](https://support.fortanix.com/docs/users-guide-authentication)*.*
  4. **Assigning the new app to groups**: Select the group created in [*Section 4.3: Creating a Group*](/v1/docs/using-fortanix-data-security-manager-for-intersystems-cache-using-kmip#33-creating-a-group) from the list.
3. Click **SAVE** to add the new application.

The new application is added to the Fortanix DSM successfully.

### 4.5 Copying the App UUID

Perform the following steps to copy the app UUID from the Fortanix DSM:

1. In the DSM left navigation panel, click the **Apps** menu item, and then click the app created in [*Section 4.4: Creating an Application*](/v1/docs/using-fortanix-data-security-manager-for-intersystems-cache-using-kmip#34-creating-an-application) to go to the detailed view of the app.
2. From the top of the app’s page, click the copy icon ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1747062862398.png) next to the app **UUID** to copy it. Use it in [*Section 4.6: Generating the Certificate*](/v1/docs/using-fortanix-data-security-manager-for-intersystems-cache-using-kmip#36-generating-a-client-certificate) as the value of Common Name (CN) when generating the self-signed certificate and private key.

### 4.6 Generating the Certificate

Run the following OpenSSL command to create a new certificate, which you will upload to the Fortanix DSM app:

```bash
openssl req -newkey rsa:2048 -nodes -keyout sdkms.key -x509 -days 365 -out sdkms.crt
```

![3.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/360055695852.png)

**Figure 4: Create a new certificate**
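
Section 4.5 uses the app UUID as the certificate's Common Name, while the command above leaves the CN to OpenSSL's interactive prompt. The following added example (not part of the original Fortanix page) sets the CN with `-subj` and checks the CN and the key/certificate pairing before upload; the UUID is a constructed placeholder and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the Fortanix page. Function names are hypothetical.
set -eu

# Constructed placeholder: replace with the app UUID copied in Section 4.5.
APP_UUID="00000000-0000-4000-8000-000000000000"

# gen_client_cert UUID DIR: same key type and lifetime as the page's command,
# with the CN set non-interactively and the key file created owner-only.
gen_client_cert() {
  (
    umask 077
    openssl req -newkey rsa:2048 -nodes -x509 -days 365 \
      -subj "/CN=$1" -keyout "$2/sdkms.key" -out "$2/sdkms.crt"
  )
}

# cert_cn CERT: print the subject Common Name of a PEM certificate.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/^subject= *CN=\([^,]*\).*/\1/p'
}

# key_matches_cert CERT KEY: succeed only if both hold the same public key.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# preflight UUID DIR: checks to run before uploading sdkms.crt to the DSM app.
preflight() {
  [ "$(cert_cn "$2/sdkms.crt")" = "$1" ] ||
    { echo "CN does not match app UUID" >&2; return 1; }
  key_matches_cert "$2/sdkms.crt" "$2/sdkms.key" ||
    { echo "key/cert mismatch" >&2; return 1; }
  echo "ok: CN=$1, key matches certificate"
}

workdir=$(mktemp -d)
gen_client_cert "$APP_UUID" "$workdir"
preflight "$APP_UUID" "$workdir"
```

The same `sdkms.crt` and `sdkms.key` pair is what Section 5.1 uploads as the client certificate and key, so a mismatch caught here avoids a failed TLS test later.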

### 4.7 Updating the Authentication Method

Perform the following steps to change the authentication method:

1. Go to the detailed view of the app created in [*Section 4.4: Creating an Application*](/v1/docs/using-fortanix-data-security-manager-for-intersystems-cache-using-kmip#34-creating-an-application) and then click **Change authentication method** and select **Certificate** to change the authentication method to Certificate.
2. Click **SAVE**.
3. On the **Add certificate** dialog box, click **UPLOAD NEW CERTIFICATE** to upload the certificate file or paste the content of the certificate generated in the previous section.
4. Select both check boxes to confirm your understanding of the action.
5. Click **UPDATE** to save the changes.

## 5.0 Enabling the Security in InterSystems Cache

### 5.1 Create a new SSL/TLS Configuration

1. Log in to the IRIS Management Console.

![6.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/360055834371.png)

**Figure 5: IRIS management console**
2. After logging in, the **InterSystems Management Console** homepage is displayed.

![7.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/360055834451.png)

**Figure 6: InterSystems management portal**
3. On the IRIS instance that will connect to the KMIP server, create an SSL/TLS Configuration that will represent the instance to the KMIP server:
  1. Navigate to **Home** → **System Administration** → **Security** → **SSL/TLS Configurations**.

![8.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/360055696252.png)

**Figure 7: SSL/TLS configuration page**
  2. Click **Create New Configuration** to open the **New SSL/TLS Configuration** page:
    1. **Enabled** — Select this check box.
    2. **Type** — Select **Client**.
    3. **Client Certificate and Key** — Upload the client certificate and private key generated in [*Section 4.6: Generating the Certificate*](/v1/docs/using-fortanix-data-security-manager-for-intersystems-cache-using-kmip#46-generating-the-certificate).
    4. **CA Certificate** — Upload the certificate authority used to sign the DSM server certificate.

![9.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/360055696332.png)

**Figure 8: Update the SSL/TLS configuration**
4. Click the **Test** icon to validate the connection.

![10.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/360055696392.png)

**Figure 9: Test server hostname**
5. In the prompt, set the **Test server port** to **5696** and click **OK**.

![11.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/360055696432.png)

**Figure 10: Update port number**
6. Upon successful connection, click **Save**.

![12.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/360055835011.png)

**Figure 11: Connection success**

Once the SSL/TLS configuration is successfully set up, the final configuration details are displayed in the Management Console as shown below.

![post_config.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/360056259952.png)

**Figure 12: Configuration success**

### 5.2 Create KMIP Server Configuration Using Terminal

Perform the following steps to configure a KMIP server using the terminal:

1. Start the Terminal and log in with a sufficiently privileged user account.

![13.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/360055732192.png)

**Figure 13: Log in to terminal**
2. Navigate to the `%SYS` namespace and run the `^SECURITY` routine:

```bash
zn "%SYS"
%SYS>do ^SECURITY
```

![14.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/360055874151.png)

**Figure 14: Run ^Security**
3. In the `^SECURITY` menu, select option **14) KMIP server setup**.
4. In the **KMIP server setup** menu, select option **1) Create KMIP server** and provide the following configuration values:

```bash
KMIP Server to create? DSM
Description? DSM
Server host DNS Name?  <fortanix_dsm_url>
Port number? 5696 => 5696
OASIS KMIP protocol version
0) 1.0
1) 1.1
2) 1.2
3) 1.3
4) 1.4
OASIS KMIP protocol version? 2 => 2
SSL/TLS configuration name? KMIP => DSM
Non-blocking I/O? Yes => Yes
Auto-reconnect? No => Yes
I/O timeout, in seconds? 10 => 10
Log KMIP messages? No => Yes
Debug SSL/TLS? No => Yes
Confirm creation of KMIP server DSM? Yes => Yes
KMIP server DSM created
```

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image(105).png)

**Figure 15: Create KMIP server**
  1. **KMIP server to create?** — Enter the name of the KMIP server configuration.
  2. **Server host DNS name?** — Enter the fully qualified DNS name or IP address of the Fortanix DSM server.
  3. **TCP port number?** — The port number on which the KMIP server accepts connections.
  4. **OASIS KMIP protocol version?** — The number associated with your KMIP server’s supported version of the protocol. This is part of the information that you have received from the vendor that provides the KMIP server.
  5. **SSL/TLS Configuration name?** — Enter the name of the SSL/TLS configuration created in the previous step.
  6. **Non-blocking I/O?** — Enter `Yes`.
  7. **Auto-reconnect?** — Enter `Yes`.
  8. **I/O timeout, in seconds?** — Enter `10`.
  9. **Log KMIP messages?** — Enter `Yes`.
  10. **Debug SSL/TLS?** — Enter `Yes`.
  11. **Confirm creation of KMIP server DSM?** — Enter `Yes`.
5. Once complete, the terminal confirms with the message `KMIP server DSM created`.
6. To view the configuration, select option **4) Detailed list KMIP server** in the KMIP server setup menu.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image(106).png)

**Figure 16: List the KMIP server**

### 5.3 Create a New Key in KMIP Server

Perform the following steps to create a new database encryption key on a KMIP server:

1. Start the Terminal for the relevant InterSystems IRIS instance and log in with a sufficiently privileged user account.
2. At the terminal prompt, switch to the `%SYS` namespace and run the `^EncryptionKey` routine:

```bash
zn "%SYS"
%SYS>do ^EncryptionKey
```

![Run_Encryption_key.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/360056259992.png)

**Figure 17: Run encryption key**
3. In the **Encryption Key Management** menu, select option **5) Manage KMIP server**.
4. When prompted, enter the name of the configured KMIP server, which is DSM.
5. In the **KMIP server management** menu, the following options are available:
  1. Option 1: List keys in the KMIP server.
  2. Option 2: Create a new key.
  3. Option 3: Destroy a key.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image(107).png)

**Figure 18: KMIP server - DSM**
6. Select option **2) Create new key on KMIP server** to generate a new encryption key.

> [!NOTE]
> The key is created on the KMIP server but is not activated at this stage.

![19.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/360055733692.png)

**Figure 19: Create new key on KMIP server**
7. After the key is created, it will appear in the Fortanix DSM under the **Security Objects** menu item for the corresponding app.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1768925330474.png)

**Figure 20: Key created in Fortanix DSM**

### 5.4 Activate the Data-Element Encryption Key from a KMIP Server

InterSystems Cache supports up to four activated keys at one time for data-element encryption.

Perform the following steps to activate a key for data-element encryption from a KMIP server:

1. Start the Terminal for the relevant instance and log in as a user with sufficient privileges.
2. At the terminal prompt, switch to the `%SYS` namespace and run the `^EncryptionKey` routine:

```bash
zn "%SYS"
%SYS>do ^EncryptionKey
```
3. In `^EncryptionKey`, select option **4) Data element encryption for applications**.
4. In the **Data element encryption for applications** choices, select option **1) Activate data element encryption key**.
5. In the **Activate data element encryption key** choices, select option **2) Use KMIP server**.
6. At the KMIP server prompt, enter the name of the configuration of the KMIP server from which you wish to activate the key. The routine lists the available keys from the KMIP server and prompts for selection.
7. At the **Select key** prompt, specify the desired key.
8. The routine activates the selected key and displays its Key ID.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image(104).png)

**Figure 21: Activate key**
9. For each activated key, the **Data Element Encryption** page (**System Administration** → **Encryption** → **Data Element Encryption**) adds the key to the table of activated keys and displays its identifier.
10. You can now log in to the IRIS Management Console and verify the activated key.

![22.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/360055874791.png)

**Figure 22: Key added to table of activated keys**

Fortanix Data Security Manager (DSM) is the world’s first cloud service secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as other secrets such as passwords, API keys, tokens, or any blob of data. Your business-critical applications and containers can integrate with Fortanix DSM using legacy cryptographic interfaces (PKCS#11, CNG, and JCE) or using the native Fortanix DSM RESTful interface.

