1.0 Introduction
This article describes how to integrate Bloombase Storesafe with Fortanix Data Security Manager (DSM).
2.0 Configure Fortanix DSM
A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:
2.1 Signing Up
To get started with the Fortanix Data Security Manager (DSM) cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.
For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.
2.2 Creating an Account
Open <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to the Fortanix DSM.

Figure 1: Logging In
2.3 Creating a Group
Perform the following steps to create a group in the Fortanix DSM:
Click the Groups menu item in the DSM left navigation panel and click the + button on the Groups page to add a new group.
Figure 2: Add Groups
On the Adding new group page, enter the following details:
Title: Enter a title for your group.
Description (optional): Enter a short description for the group.
Click the SAVE button to create the new group.
The new group has been added to the Fortanix DSM successfully.
2.4 Creating an Application
Perform the following steps to create an application (app) in the Fortanix DSM:
Click the Apps menu item in the DSM left navigation panel and click the + button on the Apps page to add a new app.
Figure 3: Add Application
On the Adding new app page, enter the following details:
App name: Enter the name of your application.
Interface (optional): Select the KMIP option as interface type from the drop down menu.
ADD DESCRIPTION (optional): Enter a short description for the application.
Authentication method: Select the default API Key as the method of authentication from the drop down menu. For more information on these authentication methods, refer to User's Guide: Authentication documentation.
Assigning the new app to groups: Select the group created in Section 2.3: Creating a Group from the list.
Click the SAVE button to add the new application.
The new application has been added to the Fortanix DSM successfully.
2.5 Copying the App UUID
Perform the following steps to copy the app UUID from the Fortanix DSM:
Click the Apps menu item in the DSM left navigation panel and click the app created in Section 2.4: Creating an Application to go to the detailed view of the app.
On the INFO tab, click the VIEW API KEY DETAILS button.
From the API Key Details dialog box, copy the Username (app UUID) and Password. The app UUID is used in Section 3.0: Configuring Bloombase Storesafe as the value of the Common Name (CN) when generating the certificate request.
3.0 Configuring Bloombase Storesafe
Perform the following steps:
On the Bloombase Storesafe Console, select OASIS KMIP Key Manager from the Bloombase Storesafe main menu.
Figure 4: OASIS KMIP Key Manager
Click Add.
On the Modify KMIP Key Manager page:
Enter the name that you want to use to identify this instance of Fortanix DSM as the KMIP server.
For the Model field, select Generic.
Specify the Hostname/IP Address of the Fortanix DSM cluster.
Leave the Port as default 5696.
Leave the Timeout and Retry Count info as default unless you have a specific setting you want to use.
Leave the Username and Password as blank.
Click Submit to save the information.
Figure 5: Modifying the KMIP Key Manager
Select Create for the client keystore to create a Rivest-Shamir-Adleman (RSA) key pair and a Certificate Signing Request (CSR).
Figure 6: Creating an RSA Keypair and a CSR Request
Specify the algorithm/key sizes you want for your keypair, the values for the certificate Distinguished Name (DN), and then click Generate to generate the certificate request.
Figure 7: Generating a Certificate Request
NOTE
You must specify the app UUID copied in Section 2.5: Copying the App UUID as the CN of the certificate request.
Click Certificate Request to download the CSR and send it to your CA for certificate issuance.
Figure 8: Sending a Certificate Request
Upload the CA Public Certificate used to sign the CSR to the Trust Certificate Store.
Figure 9: Uploading the Trust Certificate
Upload the signed certificate to the Client Keystore.
Figure 10: Uploading the Signed Certificate
Upload the Fortanix DSM cluster certificate to the Trust Certificate Store.
Figure 11: Uploading the Fortanix DSM Cluster Certificate
Click Submit to save the configuration.
Figure 12: Submitting the Certificates
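A check that can be run on the files before the upload steps above, added here as an example (it is not part of the Bloombase or Fortanix documentation): it confirms that the signed certificate's CN equals the app UUID, that the certificate chains to the CA certificate, and that its public key matches the downloaded CSR. It assumes the CSR and certificates are available as PEM files and that the openssl CLI is installed; the function names, file names, UUID and demo CA are constructed for illustration.

```shell
# Added example, not vendor code. Assumes PEM files and the openssl CLI.
# check_client_cert <cert> <ca> <csr> <app-uuid>
# Prints "ok" and returns 0 only if all checks pass. Failure codes:
#   1 = CN differs from the app UUID, 2 = certificate does not chain to the CA,
#   3 = certificate public key differs from the CSR public key.
check_client_cert() {
  local cert="$1" ca="$2" csr="$3" uuid="$4" cn cert_pk csr_pk
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline |
       awk -F' = ' '/commonName/ {print $2}')
  if [ "$cn" != "$uuid" ]; then
    echo "CN '$cn' does not match app UUID '$uuid'"; return 1
  fi
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "certificate does not chain to the supplied CA"; return 2
  fi
  cert_pk=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  csr_pk=$(openssl req -in "$csr" -noout -pubkey | openssl sha256)
  if [ "$cert_pk" != "$csr_pk" ]; then
    echo "certificate public key does not match the CSR"; return 3
  fi
  echo "ok"
}

# make_demo <dir> <cn>: builds a constructed CA, key pair, CSR and signed
# certificate, standing in for the downloaded CSR and the CA's reply.
make_demo() {
  local d="$1" cn="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Demo CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
  openssl x509 -req -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/client.pem" 2>/dev/null
}

# Demo run on constructed data (the UUID below is not a real app UUID).
demo_dir=$(mktemp -d)
demo_uuid="11111111-2222-3333-4444-555555555555"
make_demo "$demo_dir" "$demo_uuid"
check_client_cert "$demo_dir/client.pem" "$demo_dir/ca.pem" \
  "$demo_dir/client.csr" "$demo_uuid"
```

With real files, call check_client_cert with the signed certificate, the CA certificate, the CSR downloaded from the console, and the app UUID copied in Section 2.5.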
4.0 Updating the Authentication Method
Perform the following steps to change the authentication method:
Go to the detailed view of the app created in Section 2.4: Creating an Application, click the Change authentication method button, and select the Certificate option to change the authentication method to Certificate.
Click the SAVE button.
On the Add certificate dialog box, click the UPLOAD NEW CERTIFICATE button to upload the certificate file or paste the content of the certificate generated in the previous section.
Select both check boxes to confirm your understanding of the action.
Click the UPDATE button to save the changes.
5.0 Creating a Security Object
Perform the following steps to generate an AES key in the Fortanix DSM:
Click the Security Objects menu item in the DSM left navigation panel and click the + button on the Security Objects page to add a security object.
Figure 13: Add Security Object
On the Add New Security Object page, enter the following details:
Security Object name: Enter the name of your security object.
Group: Select the group as created in Section 2.3: Creating a Group.
Select the GENERATE radio button.
Choose a type: Select the AES key type.
Key Size: Indicates the size of the key in bits.
Key operations permitted: Select the required operations to define the actions that can be performed with the cryptographic keys, such as encryption, decryption, signing, and verifying.
Click the GENERATE button to create the new security object.
The new security object is added to the Fortanix DSM successfully.
6.0 Configuring Fortanix DSM KMIP Entity in Bloombase Storesafe
Perform the following steps:
In the Bloombase Console for the KMIP Key Manager, open the Fortanix DSM KMIP entity.
Figure 14: Fortanix DSM KMIP Entity
Click Test.
Figure 15: Testing the Connection
The successful test confirms that Bloombase Storesafe can authenticate and connect to Fortanix DSM.
Figure 16: Connection is Successful
To select the key created in Fortanix DSM in the Bloombase Storesafe Key Wrapper, click Create Key Wrapper.
Figure 17: Creating a Key Wrapper
Under Modify Key Wrapper, select the Fortanix DSM entity that you configured in Bloombase Storesafe in Section 3.0: Configuring Bloombase Storesafe, select the key you created from the Object drop down menu, and click Select Key.
Figure 18: Selecting the Key
Click Submit to submit the updated configuration.
Figure 19: Submitting the Updated Configuration
Confirm the key has been properly selected by clicking Find Key Wrapper, and then click Find.
Figure 20: Finding the Key
You can now use the Fortanix DSM KMIP server as a Key Management System (KMS) for all storage encryption implemented with Bloombase Storesafe. Refer to the Bloombase Storesafe documentation for implementing the specific storage encryption use case you have.