Using Fortanix Data Security Manager with IBM Informix

1.0 Introduction

This article describes how to use the Key Management Service (KMS) in Fortanix Data Security Manager (DSM) to manage the encryption keys for IBM Informix storage spaces using the Key Management Interoperability Protocol (KMIP). It also contains the information that a user requires for:

  • Creating a KMIP type keystore

  • Configuration on IBM Informix

  • Migrating key store

IBM Informix® is a fast and flexible database with the ability to seamlessly integrate SQL, NoSQL/JSON, and time series and spatial data. Its versatility and ease of use make Informix a preferred solution for a wide range of environments, from enterprise data warehouses to individual application development. Also, with its small footprint and self-managing capabilities, Informix is well suited for embedded data-management solutions.

2.0 Why Use Fortanix KMS With IBM Informix

IBM Informix supports storage space (dbspaces, blobspaces, and smart blobspaces) encryption.

The data in encrypted storage spaces is unintelligible without the encryption key. Encrypting storage spaces is an effective way to protect sensitive information that is stored on the disk.

3.0 Encrypting Storage Spaces

3.1 Prerequisites for Encrypting Storage Spaces

  • IBM® Global Security Kit (GSKit) installed to enable storage space encryption. GSKit is installed by default when you install the database server.

  • Permission to enable storage space encryption by setting the DISK_ENCRYPTION configuration parameter.

3.2 Enable Storage Space Encryption

Each storage space is encrypted separately with its own encryption key. By default, the encryption cipher is AES with 128-bit keys. You can specify a stronger cipher by including the cipher option in the DISK_ENCRYPTION configuration parameter value.

Any storage space that you create when “storage space encryption” is enabled is automatically encrypted unless you explicitly specify to create it as unencrypted with the onspaces utility. If you initialize a new database server before setting the DISK_ENCRYPTION configuration parameter, the root dbspace and all storage spaces created before setting DISK_ENCRYPTION are not encrypted. However, you can encrypt unencrypted storage spaces, including the root dbspace, by running a restore that encrypts the spaces.

As mentioned above, each storage space is encrypted with its own Space Encryption Key (SEK). The SEKs are generated by the system (oninit) based on a Master Encryption Key (MEK). The MEK is created by the onkstore utility and can be stored locally in the keystore created by the onkstore utility, or remotely in a Remote Key Server (RKS). In both cases, you must use the onkstore utility to create a keystore that will contain a MEK or the credentials necessary to reach the MEK at an RKS.

Figure 1: Storage space encryption

Once you have created and verified your keystore file, you enable storage space encryption by setting the DISK_ENCRYPTION configuration parameter to point to the keystore you created and then restarting the database server. The value of the DISK_ENCRYPTION parameter is a comma-separated list of attributes, one of which points to your keystore file.

3.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

3.1 Signing Up

To get started with the Fortanix Data Security Manager (DSM) cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

3.2 Creating an Account

Access the <Your_DSM_Service_URL> on the web browser and enter your credentials to log in to the Fortanix DSM.

Figure 2: Logging In

3.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

  1. Click the Groups menu item in the DSM left navigation bar and click the + button on the Groups page to add a new group.

    Figure 3: Add Groups

  2. On the Adding new group page, enter the following details:

    • Title: Enter a title for your group.

    • Description (optional): Enter a short description for the group.

  3. Click the SAVE button to create the new group.

The new group has been added to the Fortanix DSM successfully.

3.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

  1. Click the Apps menu item in the DSM left navigation bar and click the + button on the Apps page to add a new app.

    Figure 4: Add Application

  2. On the Adding new app page, enter the following details:

    • App name: Enter the name of your application. For example, Informix 14.10.

    • ADD DESCRIPTION (optional): Enter a short description for the application.

    • Authentication method: Select the default API Key as the method of authentication from the drop-down menu. For more information on these authentication methods, refer to the User's Guide: Authentication documentation.

    • Assigning the new app to groups: Select the group created in Section 3.3: Creating a Group from the list.

  3. Click the SAVE button to add the new application. 

The new application has been added to the Fortanix DSM successfully.

3.5 Copying the App UUID

Perform the following steps to copy the app UUID from the Fortanix DSM:

  1. Click the Apps menu item in the DSM left navigation bar and click the app created in the Section 3.4: Creating an Application to go to the detailed view of the app. 

  2. From the top of the app’s page, copy the app UUID to be used in Section 4.2: Configuration on IBM Informix as the value of Common Name (CN) to generate a self-signed certificate and a private key.

3.6 Creating a Security Object

Perform the following steps to generate a security object (the AES key that Informix will use as the MEK) in the Fortanix DSM:

  1. Click the Security Objects menu item in the DSM left navigation bar and click the + button on the Security Objects page to add a security object.

    Figure 5: Add Security Object

  2. On the Add New Security Object page, enter the following details:

    • Security Object name: Enter the name of your security object. 

    • Group: Select the group as created in Section 3.3: Creating a Group.

    • Select the GENERATE radio button.

    • Choose a type: Select an AES key type.

    • Key Size: Indicates the size of the key in bits. Keep it as 256.

    • Key operations permitted: Select the required operations to define the actions that can be performed with the cryptographic keys, such as encryption, decryption, signing, verifying, and export.

      NOTE

      Ensure you select the Export option while creating the key

  3. Click the GENERATE button to create the new security object.

The new security object is added to the Fortanix DSM successfully.

4.0 Securing Data in IBM Informix

IBM Informix keeps your data secure by preventing unauthorized viewing and altering of data and database objects; the database server also provides a secure-auditing facility.

IBM Informix supports six types of keystore:

  1 - Local Keystore
  2 - AWS EAR Keystore
  3 - AWS BAR Keystore
  4 - KMIP EAR Keystore
  5 - AZURE EAR Keystore
  6 - AZURE BAR Keystore

Fortanix supports KMIP EAR Keystore integration with IBM Informix.

4.1 Create a KMIP Type Keystore

If your remote key server is located in a server or cluster supporting the KMIP standard, you can create a single type of keystore (KMIP). At this moment, the same keystore type can be used by both the Storage Space Encryption and Integrated Backup Encryption features.


Figure 6: Manage the MEK

4.2 Configuration on IBM Informix

Perform the following steps:

  1. Log in to the IBM Informix machine as the Informix user, as shown below.


    Figure 7: Log in to Informix

  2. Create a self-signed certificate. Keep the App UUID copied in Section 3.5: Copying the App UUID handy, because it must be set as the Common Name (CN) of the self-signed certificate.

  3. Create a directory to hold all the certificates to be created for the KMIP keystore. In the following example, the directory is called SDKMS.


    Figure 8: Create a directory

  4. Change directory to SDKMS and run the following command to create a self-signed certificate.

    openssl req -newkey rsa:2048 -nodes -keyout private.key -x509 -days 365 -out certificate.crt

    Figure 9: Create a self-signed certificate


    Figure 10: Certificate generated

  5. Configuring the KMIP keystore requires the following values:

    • KMIP Server: the IP address or hostname where the KMIP server listens for requests, including the port if it differs from the default (5696).

    • KMIP Username: the username to access the KMIP server.

    • KMIP Password: the password for the given username.

    • KMIP Client Certificate File: a file containing the client certificate; the file must also contain the private key matching the certificate.

    • KMIP CA Certificate File: a file containing the root CA used to sign both the KMIP Client Certificate File and the KMIP Server Certificate File.

    • KMIP Key Name: the name of the KMIP key used as the MEK by the Storage Space Encryption feature or as the RMEK by the Integrated Backup Encryption feature.

  6. Create the client certificate file using the following command.

    cat certificate.crt private.key > kmip.crt

    Figure 11: Client certificate

  7. Create the KMIP CA certificate file: export the root certificate of the KMIP server and save it as shown in the following figure.


    Figure 12: KMIP certificate file

  8. Run the following command to create a new KMIP keystore.

    onkstore -create -file Fortanix -cipher aes256

    Where:

    • Fortanix is the keystore file name

    • aes256 is the cipher

  9. You will now be prompted to select the type of keystore from the Keystore list.  


    Figure 13: Select keystore

  10. Select keystore type 4 - KMIP EAR Keystore and enter the details listed in step 5.


    Figure 14: Keystore selected

  11. Once the KMIP keystore has been created, verify it with the onkstore command shown in the following figure.


    Figure 15: Verify the keystore

  12. Navigate to the Activity Logs section of the app in the Fortanix DSM to view the logs.


    Figure 16: Activity log
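The certificate steps above (3, 4 and 6) as one script, added here as an example and not taken from the Fortanix or IBM documentation. It sets the CN to the App UUID non-interactively, builds kmip.crt, and then checks what step 5 requires of that file: a PEM certificate plus the matching private key. The APP_UUID value is a constructed placeholder; replace it with the UUID copied in Section 3.5. It assumes openssl is on the PATH.

```shell
#!/bin/sh
# Added example: build and sanity-check the KMIP client certificate file.
# Assumes openssl is installed. APP_UUID is a constructed placeholder.
set -e

APP_UUID="${APP_UUID:-00000000-1111-2222-3333-444444444444}"   # placeholder

# Steps 3-4: directory plus a self-signed certificate whose CN is the App UUID,
# which is how DSM maps the TLS client certificate to the app. -subj replaces
# the interactive prompts of the command shown in step 4.
make_client_cert() {
    dir="$1"; cn="$2"
    mkdir -p "$dir"
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/private.key" \
        -x509 -days 365 -subj "/CN=$cn" -out "$dir/certificate.crt" 2>/dev/null
    # Step 6: the client certificate file must hold the cert and its private key
    cat "$dir/certificate.crt" "$dir/private.key" > "$dir/kmip.crt"
    chmod 600 "$dir/private.key" "$dir/kmip.crt"   # the bundle carries a private key
}

# Prints the CN of the first certificate in the given PEM file.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Checks what onkstore will need from the client certificate file: a PEM
# certificate, a PEM private key, and a key that actually matches the cert
# (compared via the public key). Returns 0 when usable, 1 otherwise.
check_bundle() {
    f="$1"
    grep -q 'BEGIN CERTIFICATE' "$f" || return 1
    grep -q 'PRIVATE KEY' "$f" || return 1
    cert_pub=$(openssl x509 -in "$f" -noout -pubkey)
    key_pub=$(openssl pkey -in "$f" -pubout 2>/dev/null)
    [ "$cert_pub" = "$key_pub" ]
}

make_client_cert SDKMS "$APP_UUID"
check_bundle SDKMS/kmip.crt && echo "kmip.crt OK, CN=$(cert_cn SDKMS/kmip.crt)"
```

The CN check is worth running before onkstore -create, because a bundle whose CN is not the App UUID is still a valid TLS client certificate and the failure only surfaces when DSM rejects the KMIP connection.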

5.0 Migrating the Keystore

The convert feature is currently used only for EAR types of keystores. It supports downloading the MEK contained in the RKS (i.e., a KMIP server) to the local keystore. The old keystore containing the credentials to the RKS will be renamed and will be replaced with a new one of type “local”.


Figure 17: Convert keystore

Currently, the only supported target is option 1 - Local Keystore (conversion to a local keystore file). The original keystore file is copied to a backup file (my_keystore.p12.bak#) before being overwritten during the conversion.