Using Fortanix Data Security Manager With Nutanix

1.0 Introduction

This article describes how to integrate Fortanix-Data-Security-Manager (DSM) with Nutanix for storage encryption.

Nutanix offers support for Fortanix DSM to manage the encryption keys for encrypting sensitive data at rest. Fortanix DSM is a specialized device/service that provides secure key management and cryptographic operations through industry-standard API's.

Nutanix uses Fortanix DSM to generate, store, and provide authorized access to data encryption keys. Nutanix communicates with the Fortanix DSM using the KMIP standard to allow authorized use of these keys.

Using Fortanix DSM with Nutanix provides additional security for your data, ensuring that the data encryption keys can only be used with authorized access.

It also contains the information that a user requires for:

• Facilitating the communication and authentication between Fortanix DSM and Nutanix using KMIP and Certificates.

• Setting up Fortanix DSM.

• Creating a client certificate.

• Configuring Nutanix Key Management settings.

2.0 KMIP and Certificate Requirements

The Key Management Interoperability Protocol (KMIP) is used to facilitate communication between the Nutanix cluster and Fortanix DSM. KMIP uses Transport Layer Security (TLS) to provide a secure connection and Fortanix DSM also uses this to authenticate a KMIP client to successfully create, retrieve, and use the keys stored inside Fortanix DSM.

X.509 certificates are used to facilitate the communication and authentication for both Fortanix DSM and the Nutanix Cluster. Fortanix DSM is deployed with a server certificate that is signed by the internal Certificate Authority (CA). You will need to create a client certificate for the Nutanix cluster using tools such as OpenSSL. The certificate may be signed externally or can be self-signed.

3.0 Prerequisites

Ensure the following:

• Nutanix GA version of LTS 6.5.X and 6.10.X.

• Fortanix DSM version 4.4 or later.

• Fortanix DSM is installed and operational and is accessible by the Nutanix cluster on port 5696 (for default) or a custom KMIP port.

• You have access to OpenSSL or some other tool for generating a client certificate and private key in the Privacy Enhanced Mail (PEM) format.

4.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

4.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

4.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

For more information on how to set up an account in Fortanix DSM, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.

4.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

1. In the DSM left navigation panel, click the Groups menu item, and then click the + button to create a new group.

   

2. On the Adding new group page, do the following:

   1. Title: Enter a name for your group.

   2. Description (optional): Enter a short description of the group.

3. Click SAVE to create the new group.

The new group is added to the Fortanix DSM successfully.

4.4 Creating an Application

NOTE

You must create three applications for each node in the Nutanix Cluster. For example: 3 nodes = 3 applications.

Perform the following steps to create an application (app) in the Fortanix DSM:

1. In the DSM left navigation panel, click the Apps menu item, and then click the + button to create a new app.

   

2. On the Adding new app page, do the following:

   1. App name: Enter the name for your application.

   2. ADD DESCRIPTION (optional): Enter a short description of the application.

   3. Authentication method: Select the default API Key as the authentication method from the drop down menu. For more information on these authentication methods, refer to the User's Guide: Authentication.

   4. Assigning the new app to groups: Select the group created in Section 4.3: Creating a Group from the list.

3. Click SAVE to add the new application.

The new application is added to the Fortanix DSM successfully.

4.5 Copying the App UUID

Perform the following steps to copy the app UUID from the Fortanix DSM:

1. In the DSM left navigation panel, click the Apps menu item, and then click the app created in Section 4.4: Creating an Application to go to the detailed view of the app.

2. From the top of the app’s page, copy the app UUID to be used in Section 5.0: Configure Nutanix Nodes with Fortanix UUIDs as the Common Name (CN) when generating the client certificate.

   For example:

   • Node 1 = 3030a8c0-c520-4f0f-912a-d3bff6a272fd

   • Node 2 = 99d5cafd-95e0-4898-b93d-f46ce9550287

   • Node 3 = c0b83293-ae04-4735-90af-9b4f406f884e

4.6 Updating the Account Settings

Perform the following steps:

1. In the Fortanix DSM left navigation panel, click Settings → CLIENT CONFIGURATION → KMIP.

2. Select the Allow secrets with unknown operations check box.

3. Click SAVE.

5.0 Configure Nutanix Nodes with Fortanix UUIDs

Perform the following steps to generate an RSA key for authenticating to Fortanix DSM for each Nutanix node:

1. Use the SSH protocol to log into the Nutanix cluster.

2. Run the following command to identify all nodes in the cluster:

   svmips

3. Each IP address returned will represent your cluster nodes.

4. Log in to each cluster node and run the following command:

   genesis --use_legacy_csr_generation=False --san_list_for_csr_generation="dns=<APP_UUID>" restart

   Replace the <APP_UUID> with the Fortanix app UUID for each node as copied in Section 4.5: Copying an App UUID. Execute the above command for each node in the cluster, where the <APP_UUID> should match the node.
   Sample output:

   nutanix@NTNX-17SM6B050002-A-CVM:10.16.0.135:~$ genesis --use_legacy_csr_generation=False --san_list_for_csr_generation="dns=5bf6acc7-ebe3-4e6e-a88a-70572b18c96a" restart
   2022-11-01 07:45:23.042344: Stopping genesis (pids [15503, 15561, 15585, 15586, 30032, 30033])
   2022-11-01 07:45:27.540170: Genesis started on pids [2948]

6.0 Configure Encryption Settings

Perform the following steps:

1. Log in to Nutanix Prism.

   

2. Using the drop down menu, select Settings.

3. On the left pane, select Data-at-rest Encryption.

   

4. Select An External KMS.

5. Fill in the Certificate Signing Request information and click Save CSR Info.

6. Click Add New Key Management Server.

   1. Name the key management server.

   2. Provide the address to your Fortanix DSM deployment (On-premises or SaaS).

   3. Click Save.

   4. Click Back.

7. Click Add New Certificate Authority.

   NOTE

   This will be the root CA certificate for the Fortanix DSM environment to which you will be connecting. Download a copy and have it ready for the next section.

   1. Name the Certificate Authority.

   2. Click Upload CA Certificate.

   3. Browse for the CA Certificate.

   4. Click Save.

   5. Click Back.

7.0 Issue Certificate for Each Node

Perform the following steps:

1. From the Data-at-rest Encryption settings, under the Certificate Signing Request section.

   1. Click Download CSRs for all nodes.

      

   2. Save these to any location.

   3. Submit these to your organization's team that handles Certificates or PKI.
      Depending on the size of your organization and processes, you may need to return to the procedure at a later time. After you have obtained your signed certificates, they will need to be added to the Key Management Server configuration and in Fortanix DSM.

8.0 Install Node Certificates in Nutanix Prism

Perform the following steps:

1. In the Data-at-rest Encryption settings, under Key Management Server, click Manage Certificates.

   

2. Click Upload Files.

3. Find and select your certificate files and click Submit.

4. Click Test all nodes. If successful, click Back.

   

9.0 Updating the Authentication Method

Perform the following steps to change the authentication method:

1. Go to the detailed view of the app created in Section 4.4: Creating an Application and click Change authentication method and select the Certificate option to change the authentication method to Certificate.

2. Click SAVE.

3. On the Add certificate dialog box, click UPLOAD NEW CERTIFICATE to upload the certificate file or paste the content of the certificate generated in Section 7.0: Issue Certificate for Each Node.

4. Select both check boxes to confirm your understanding of the action.

5. Click UPDATE to save the changes.

10.0 Enable Encryption

After all the above steps have been completed, you must enable encryption.

Perform the following steps:

1. Log in to Nutanix Prism.

2. Go to Data-at-rest Encryption settings and scroll to the bottom of the page.

3. Click Enable Encryption.

4. At the prompt, type ENCRYPT and click Encrypt.

5. If done properly, you will be presented with a screen that states success and that the system is encrypted.

   

11.0 Verification

There are two places to verify the encryption.

1. In Nutanix Prism:

   • Click the Recent Tasks drop down menu to see the current encryption progress per container.

2. In Fortanix DSM:

   • Observe the contents of your Nutanix group. You should see that the security objects have been created.

     

   • Also observe the activity logs for each of the apps. You should see that the apps are authenticating and retrieving keys.

     

   • Verify the logs from Nutanix CLI, go to cat ~/data/logs/mantle.INFO.

     

   NOTE

   Fortanix suggests being highly available to make sure no interruption in the services. Fortanix calculates the same using the formula N/2 + 1 where N= Number of Nodes. The minimum no of Fortanix deployment has to be three nodes.