Using Fortanix Data Security Manager with NetApp ONTAP

1.0 Introduction

This article describes the process of integrating Fortanix Data Security Manager (DSM) with NetApp ONTAP to centrally manage the keys used by the Volume Encryption feature of ONTAP. By using Fortanix DSM, organizations gain centralized management and control of all cryptographic keys, with the keys held separately from the storage system that uses them.

The document provides essential information for:

  • Creating a KMIP (Key Management Interoperability Protocol) application on Fortanix DSM.

  • Configuring NetApp ONTAP to use external key management.

  • Implementing Volume Encryption using a Fortanix DSM-based key with NetApp ONTAP.

  • Viewing and managing encryption keys on Fortanix DSM.

2.0 Product Tested Version

The following product versions were tested:

  • Fortanix DSM version 4.27 patch 2 or later.

  • Fortanix DSM version 4.31 or later.

  • NetApp ONTAP version 9.15.1 patch 6 (9.15.1P6).

3.0 Prerequisites

Ensure the following:

  • NetApp ONTAP version 9 is installed on the system.

  • Fortanix DSM cluster is running a tested version.

4.0 Architecture Workflow

Figure 1: Architecture Diagram

This diagram illustrates the integration of NetApp ONTAP and Fortanix DSM using the Key Management Interoperability Protocol (KMIP) for secure encryption key management.

NetApp ONTAP encrypts data at rest, while Fortanix DSM manages the encryption keys; keeping the keys separate from the data limits the impact of a breach of the storage system. NetApp ONTAP communicates with Fortanix DSM over KMIP to retrieve encryption keys when needed, and DSM restricts that access to authorized applications.

KMIP standardizes the key management communication between NetApp ONTAP and Fortanix DSM, so key retrieval, rotation, and management happen over a single well-defined, TLS-protected protocol without manual key handling.

Fortanix DSM authenticates users, applications, and systems before granting access to encryption keys, preventing unauthorized use. If NetApp ONTAP storage is stolen, the encrypted data remains protected because the keys are stored and managed in DSM, separately from the data encrypted on the NetApp system.

5.0 Sign Up and Log in to Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible.

5.1 Signing Up with the Cloud Provider

To get started with the Fortanix Data Security Manager (DSM) cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

5.2 Log in to the Account

Access the <Your_DSM_Service_URL> on the web browser and enter your credentials to log in to the Fortanix DSM.

Figure 2: Logging In

Figure 3: Logged in screen

6.0 Configure Fortanix DSM

The following sections describe the steps to create a NetApp ONTAP group and application (app) in the Fortanix DSM user interface (UI).

6.1 Creating a Group

As a best practice, create a separate group for each NetApp Network-Attached Storage (NAS) system or cluster in your organization, so that the cryptographic keys belonging to each system are organized and tracked within their own group.

Perform the following steps to create a group in the Fortanix DSM:

  1. Click the Groups menu item in the DSM left navigation bar and click the + button on the Groups page to add a new group.

    Figure 4: Add Groups

  2. On the Adding new group page, enter the following details:

    • Title: Enter a title for your group. For example, NetApp NAS.

    • Description (optional): Enter a short description for the group. The description could include a datacenter location or other useful information to help identify the specific NAS or cluster being configured.

  3. Click the SAVE button to create the new group.

The new group has been added to the Fortanix DSM successfully.

6.2 Creating an Application (App)

The apps are used to provide controlled access to security objects by defining a set of permissions that specify the actions allowed.

Perform the following steps to create an app in the Fortanix DSM:

  1. Click the Apps menu item in the DSM left navigation bar and click the + button on the Apps page to add a new app.

    Figure 5: Add Application

  2. On the Adding new app page, enter the following details:

    • App name: Enter the name of your application, similar to the group name, but clearly indicating that this is an application.

    • ADD DESCRIPTION (optional): Enter a short description for the application.

    • Authentication method: Select the default API Key as the authentication method from the drop-down menu; it is changed to Certificate in Section 6.5 once the certificate has been generated. For more information on these authentication methods, refer to User's Guide: Authentication documentation.

    • Assigning the new app to groups: Select the group created in Section 6.1: Creating a Group from the list.

  3. Click the SAVE button to add the new application. 

The new application has been added to the Fortanix DSM successfully.

6.3 Retrieving App UUID for Certificate

Perform the following steps to copy the app UUID from the Fortanix DSM:

  1. Click the Apps menu item in the DSM left navigation bar and click the app created in the Section 6.2: Creating an Application to go to the detailed view of the app. 

  2. Click the copy icon next to the UUID shown just below the app name.

    Figure 6: Copying App UUID

  3. Save the app UUID for later use in certificate generation.

6.4 Generating a Certificate

A client certificate must be generated to identify, to Fortanix DSM, the app through which ONTAP will generate and retrieve KMIP keys. DSM maps the certificate to the app by its Common Name (CN), which must be the app UUID.

Two methods are available for generating this certificate:

6.4.1 Creating a CSR for Certificate Issuance from a Trusted CA (Production Environment)

Perform the following steps to create a Certificate Signing Request (CSR) for certificate issuance from a Trusted Certificate Authority (CA):

  1. Use the following command to create a CSR:

    openssl req -out kmip.req -new -newkey rsa:2048 -nodes -keyout key.pem
  2. Fill out the certificate request fields according to your organization's standards. Ensure that the Common Name (CN) field is set to the App UUID copied earlier in Section 6.3: Retrieving App UUID for Certificate.

  3. Submit the kmip.req file to your local Certificate Authority (CA) for issuance.

  4. Download the issued certificate as cert.pem from the CA, ensuring it is stored in PEM format.

  5. Also obtain, in PEM format, the Root CA and Intermediate CA certificates of the CA that issued the Fortanix DSM KMIP server certificate (this may be a different CA from the one that issued your client certificate), and save them, concatenated, in the file Fortanix_DSM_CA.cer. ONTAP uses these to verify the DSM endpoint in Section 7.1.

    Figure 7: Example Command for Certificate Request

6.4.2 Creating Self-Signed Certificate (Lab Environment)

Run the following command to generate a self-signed certificate:

openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365 -subj "/CN={Fortanix DSM app UUID}"

Replace {Fortanix DSM app UUID} with the actual app UUID copied in Section 6.3: Retrieving App UUID for Certificate. Do not leave a space between CN= and the UUID: everything after the equals sign becomes part of the Common Name, and Fortanix DSM will then be unable to match the certificate to the app. The resulting key.pem is the private key that ONTAP will present to DSM, so protect it accordingly.
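The following is an added example, not part of the Fortanix or NetApp documentation, that wraps the lab certificate generation above in a small shell script and adds the two checks worth running before the certificate is uploaded to DSM and installed on ONTAP: that the subject CN is exactly the app UUID (DSM matches the certificate to the app by CN), and that cert.pem and key.pem belong together. The file names key.pem and cert.pem follow the commands above; the UUID in the usage note is the placeholder value from the example in Section 7.1 and stands in for your own app UUID.

```bash
#!/usr/bin/env bash
# Added example (not from the Fortanix or NetApp documentation): generate the
# lab (self-signed) KMIP client certificate for the DSM app and verify it
# before uploading it to DSM and installing it on ONTAP.
set -eu

# Generate a self-signed client certificate whose subject CN is exactly the
# DSM app UUID. Arguments: app UUID, output directory.
make_kmip_client_cert() {
    local app_uuid="$1" outdir="$2"
    # DSM maps the certificate to the app by its CN, so a malformed or
    # mistyped UUID produces a certificate DSM cannot associate with any app.
    if ! printf '%s\n' "$app_uuid" \
         | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; then
        echo "not a UUID: $app_uuid" >&2
        return 1
    fi
    mkdir -p "$outdir"
    # No space after "CN=": anything after the equals sign is part of the CN
    # and would stop it matching the UUID.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$outdir/key.pem" -out "$outdir/cert.pem" \
        -subj "/CN=$app_uuid" >/dev/null 2>&1
    # key.pem is the private key ONTAP will present to DSM; keep it private.
    chmod 600 "$outdir/key.pem"
}

# Print the subject CN of a PEM certificate, i.e. what DSM reads as the app
# UUID. Handles both the "CN = x" and the older "/CN=x" subject formats.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *//p'
}

# Succeed only if the certificate and the private key share the same public
# key, i.e. they are the pair to install together on ONTAP in Section 7.1.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}
```

Source the script and run make_kmip_client_cert 76ddf566-c4f0-4c62-b711-c944cd4cfbc0 ./kmip, then cert_cn ./kmip/cert.pem; if the printed CN differs from the UUID shown in DSM, fix the -subj argument before uploading the certificate.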

6.5 Updating the Authentication Method of the App

Perform the following steps to change the authentication method of the app to use the generated certificate from the previous section:

  1. Go to the detailed view of the app created in Section 6.2: Creating an Application (app) and click the Change the authentication method button and select the Certificate option to change the authentication method to Certificate.

  2. Click the SAVE button.

  3. On the Add certificate dialog box, click the UPLOAD NEW CERTIFICATE button to upload the certificate file, or paste the content of the cert.pem certificate generated in Section 6.4: Generating a Certificate.

  4. Select both the check boxes to confirm your understanding about the action.

  5. Click the UPDATE button to save the changes.

7.0 Configuration on NetApp ONTAP

The following section describes the procedures to add a Key Management Server (KMS) and to set up volume encryption to enhance the security of your data storage environment:

7.1 Adding Key Management Server

Perform the following steps to add a Key Management Server (KMS) to NetApp ONTAP:

  1. Run the following command to install the client certificate and private key that ONTAP will present to Fortanix DSM:

    security certificate install -type client

    Paste the contents of cert.pem and then key.pem, generated in Section 6.4: Generating a Certificate, when prompted.

  2. When asked, Do you want to continue entering root and/or intermediate certificates?, type n:

    Do you want to continue entering root and/or intermediate certificates: n
  3. If the certificate of the Fortanix DSM KMIP endpoint was issued by a public CA whose root ONTAP already trusts, proceed to Step 6.

  4. Otherwise, open the Fortanix DSM server CA certificate file, Fortanix_DSM_CA.cer, saved in Section 6.4: Generating a Certificate, in a text editor and copy the certificate contents.

  5. Run the following command to install the CA certificate that ONTAP uses to verify the DSM server:

    security certificate install -type server-ca

    Paste the certificate from Step 4 when prompted.

  6. Run the following command to confirm the name of the Imported Client and Server-CA Certificates:

    security certificate show-user-installed

    Figure 8: Confirm name of imported certificate

  7. Run the following command to enable external key management, pointing ONTAP at the DSM KMIP endpoint on port 5696 with the client certificate and server CA certificate names confirmed in Step 6:

    security key-manager external enable -key-servers {Fortanix DSM FQDN}:5696 -client-cert {Client Certificate Name} -server-ca-certs {Server CA Certificate Name}

    For example:

    security key-manager external enable -key-servers <fortanix_dsm_url>:5696 -client-cert 76ddf566-c4f0-4c62-b711-c944cd4cfbc0 -server-ca-certs DSTRootCAX3
  8. Run the following command to verify the status of the External Key Manager (EKM):

    security key-manager external show-status

    Figure 9: Key manager status
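Before running the enable command in Step 7, it helps to know exactly what is in Fortanix_DSM_CA.cer (how many certificates, and whether any has expired, which would make TLS verification fail) and to confirm that the mutual-TLS path to the DSM KMIP port works with the same certificate, key and trust anchors ONTAP will be given. The following shell functions are an added example, not part of the Fortanix or NetApp documentation; the file names cert.pem, key.pem and Fortanix_DSM_CA.cer and port 5696 follow the steps above, and the DSM host name is a placeholder you must supply. The probe relies on the "Verify return code" line printed by openssl s_client and needs network access to DSM.

```bash
#!/usr/bin/env bash
# Added example (not from the Fortanix or NetApp documentation): inspect the
# server CA bundle and test the mutual-TLS path to the DSM KMIP port before
# running "security key-manager external enable" on ONTAP.
set -eu

# Number of certificates in a PEM bundle. ONTAP installs each one as its own
# server-ca object, so this is how many names show-user-installed will list.
ca_bundle_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# One line per certificate in the bundle: subject and expiry. The bundle is
# split with awk because "openssl x509" only reads the first PEM block in a
# file, so intermediates after the root would otherwise be silently ignored.
ca_bundle_summary() {
    local dir f
    dir=$(mktemp -d)
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/" n ".pem")}' "$1"
    for f in "$dir"/*.pem; do
        openssl x509 -in "$f" -noout -subject -enddate | paste -sd' ' -
    done
    rm -rf "$dir"
}

# Succeed if the certificate is still valid for at least $2 more seconds
# (0 = "not expired right now").
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Mutual-TLS probe of the KMIP listener using the same client certificate,
# key and trust anchors ONTAP will be configured with. Exit 0 only when the
# handshake completes and the server chain verifies against the bundle.
# Needs network access to DSM, so it is not exercised in the offline test.
# Usage: kmip_tls_probe dsm.example.com cert.pem key.pem Fortanix_DSM_CA.cer
kmip_tls_probe() {
    local host="$1" cert="$2" key="$3" ca="$4"
    openssl s_client -connect "$host:5696" -servername "$host" \
        -cert "$cert" -key "$key" -CAfile "$ca" -verify_return_error \
        </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}
```

If kmip_tls_probe fails while ca_bundle_summary shows valid certificates, the usual cause is that Fortanix_DSM_CA.cer holds the CA of your client certificate rather than the CA that issued the DSM server certificate; ONTAP's -server-ca-certs needs the latter.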

7.2 Enabling Volume Encryption

Perform the following steps to configure the volume encryption on NetApp ONTAP:

  1. Open an SSH client and connect to the node management IP address of the ONTAP node.

  2. Run the following command to switch to the diagnostic privilege level:

    set diag

    Type Y to continue, when prompted.

    Do you want to continue? Y
  3. Run the following command to create a test aggregate. Setting -encrypt-with-aggr-key false disables aggregate-level encryption so that the volume created later is protected with its own volume key:

    storage aggregate create -aggregate {test aggregate name} -node {NetApp Node Name} -diskcount 5 -encrypt-with-aggr-key false

    Type Y to continue, when prompted.

    Do you want to continue? Y
  4. Run the following command to create a test storage virtual machine (vserver) on that aggregate:

    vserver create -vserver {test vserver name} -aggregate {aggregate name from step 3} -rootvolume-security-style mixed

  5. Run the following command to create a volume with encryption enabled (-encrypt true); ONTAP obtains the volume key from Fortanix DSM over KMIP:

    volume create -vserver {vserver name from step 4} -aggregate {aggregate name from step 3} -encrypt true -size 20MB -volume {test volume name}
  6. Run the following command to confirm that the encrypted volume is online:

    volume show -is-encrypted true -state online

    Figure 10: Vserver state

  7. Run the following command to query the key status:

    security key-manager key query

    Figure 11: Key status

8.0 Viewing Keys in Fortanix DSM

Perform the following steps to view the keys in Fortanix DSM:

  1. Enter the URL of your Fortanix DSM cluster in a web browser.

  2. Go to the group created in Section 6.1: Creating a Group and click the Security Objects tab.


    Figure 12: View keys in DSM

  3. Click the Apps tab → configured KMIP app to view the activity log.


    Figure 13: View activity logs

9.0 Migrate ONTAP Encryption Keys from Thales CTM to Fortanix DSM

This section describes the steps to remove Thales CipherTrust Manager (CTM) as a KMIP provider for NetApp ONTAP and migrate the existing ONTAP encryption keys from Thales CTM to Fortanix DSM.

Because NetApp ONTAP allows only a single client authentication certificate for all external KMIP key managers, integrating with multiple key management solutions that have different certificate requirements for authentication is a challenge:

  • Fortanix DSM requires the CN of the certificate to be the DSM app UUID, which is used to identify the app that manages access to the keys.

  • Thales CTM requires the CN to be the user ID of the entity managing keys within CTM.

Perform the following steps to migrate ONTAP keys from CTM to DSM:

  1. Create a new user account in Thales CTM with a user ID matching the UUID of the Fortanix DSM app retrieved in Section 6.3: Retrieving App UUID for Certificate.

  2. Assign the new user the same permissions and access rights as the original user managing the keys within Thales CTM.

  3. The CN of the NetApp ONTAP authentication certificate is now the Fortanix app UUID and is used for authentication against both Fortanix DSM and Thales CTM. Because the CTM user ID matches the Fortanix app UUID, the same certificate is accepted by both systems.

  4. Migrate all ONTAP keys from Thales CTM to Fortanix DSM.

  5. After successful migration, decommission Thales CTM as a KMIP provider for ONTAP.