1.0 Introduction
This article describes how to integrate Fortanix Data Security Manager (DSM) with Scality S3C for Transparent Bucket Encryption using the generic Key Management Interoperability Protocol (KMIP).
It also contains the information that a user requires to:
Set up Fortanix DSM
Grab the Fortanix CA and generate a certificate
Apply the certificate to the Fortanix DSM Application Object
Enable audit logging in Fortanix DSM
Configure S3C
Create an encrypted bucket
2.0 Prerequisites
The key management cloud service needs to be set up using https://sdkms.fortanix.com/ before configuring Scality for bucket encryption. This document assumes that access to the Fortanix DSM UI and licensing has been established.
3.0 Configure Fortanix DSM
A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:
3.1 Signing Up
To get started with the Fortanix Data Security Manager (DSM) cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.
For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.
3.2 Creating an Account
Access the <Your_DSM_Service_URL> on the web browser and enter your credentials to log in to the Fortanix DSM.

Figure 1: Logging In
3.3 Using On-Premises Deployment
3.3.1 Creating a Group
Perform the following steps to create a group in the Fortanix DSM:
Click the Groups menu item in the DSM left navigation bar and click the + button on the Groups page to add a new group.
Figure 2: Add Groups
On the Adding new group page, enter the following details:
Title: Enter a title for your group. For example, Scality S3C.
Description (optional): Enter a short description for the group.
Click the SAVE button to create the new group.
The new group has been added to the Fortanix DSM successfully.
3.3.2 Creating an Application
Perform the following steps to create an application (app) in the Fortanix DSM:
Click the Apps menu item in the DSM left navigation bar and click the + button on the Apps page to add a new app.
Figure 3: Add Application
On the Adding new app page, enter the following details:
App name: Enter the name of your application. For example, Scality S3C Bucket Encryption.
Interface (optional): Keep the default value.
ADD DESCRIPTION (optional): Enter a short description for the application.
Authentication method: Select the default API Key as the method of authentication from the drop-down menu. For more information on these authentication methods, refer to the User's Guide: Authentication documentation.
Assigning the new app to groups: Select the group created in Section 3.3.1: Creating a Group from the list.
Click the SAVE button to add the new application.
The new application has been added to the Fortanix DSM successfully.
3.3.3 Copying the App UUID
Perform the following steps to copy the app UUID from the Fortanix DSM:
Click the Apps menu item in the DSM left navigation bar and click the app created in the Section 3.3.2: Creating an Application to go to the detailed view of the app.
From the top of the app’s page, copy the app UUID to be used in Section 3.3.4: Generating the Certificate as the value of Common Name (CN) to generate a certificate.
3.3.4 Generating a Certificate
On a host with OpenSSL installed, create the private key and certificate that you need to authenticate to the KMIP service of the app you just created.
openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem \
    -out cert.pem -days 365 \
    -subj "/CN=<UUID you copied from the app>"
For example:
openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365 \
    -subj "/CN=c6ad2ad7-4948-4b60-8cd6-f33c00a01428"
You should now have the following:
The Fortanix CA certificate (fortanix_ca.cer; see Section 4.0: Get the Fortanix Certificate Authority (CA))
A private key (key.pem)
A certificate (cert.pem)
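The most common reason DSM rejects a client certificate is that the Common Name does not exactly equal the app UUID. The following script is an added example, not part of the Fortanix or Scality documentation: it wraps the openssl command above and then checks, before anything is uploaded, that the CN equals the UUID, that key.pem really belongs to cert.pem, and that the certificate is not expired. The UUID used in the usage comment is a constructed placeholder; substitute the value copied in Section 3.3.3.

```shell
#!/bin/sh
# Added example (not from the Fortanix/Scality documentation): generate the
# KMIP client certificate with CN = DSM app UUID and verify it before upload.

# make_kmip_client_cert UUID OUTDIR
#   Writes OUTDIR/key.pem and OUTDIR/cert.pem exactly as the openssl command
#   in Section 3.3.4 does. DSM maps the certificate to the app via the CN,
#   so the CN must be the bare UUID and nothing else.
make_kmip_client_cert() {
    uuid=$1; outdir=$2
    mkdir -p "$outdir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$outdir/key.pem" -out "$outdir/cert.pem" -days 365 \
        -subj "/CN=$uuid" >/dev/null 2>&1
}

# verify_kmip_client_cert UUID KEYFILE CERTFILE
#   Returns 0 when the CN equals UUID, the private key matches the
#   certificate's public key, and the certificate is currently valid.
#   Prints the first failing check to stdout and returns 1 otherwise.
verify_kmip_client_cert() {
    uuid=$1; key=$2; cert=$3
    # RFC2253 formatting gives "CN=<value>" with no spaces; strip the
    # "subject=" prefix (some OpenSSL versions print "subject= ").
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    [ "$cn" = "CN=$uuid" ] || { echo "CN mismatch: got '$cn', want 'CN=$uuid'"; return 1; }
    # Derive the public key from both files; they must be byte-identical.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ] || { echo "private key does not match certificate"; return 1; }
    # -checkend 0 fails if the certificate has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || { echo "certificate expired"; return 1; }
    return 0
}

# Stand-alone usage:  sh kmip_client_cert.sh <APP_UUID> [OUTDIR]
# e.g. sh kmip_client_cert.sh 00000000-0000-4000-8000-000000000001 ./kmip   (constructed UUID)
if [ -n "${1:-}" ]; then
    dir=${2:-.}
    make_kmip_client_cert "$1" "$dir" && verify_kmip_client_cert "$1" "$dir/key.pem" "$dir/cert.pem" \
        && echo "OK: $dir/cert.pem is ready to upload to the DSM app"
fi
```

Run it once with the real app UUID; if it reports a CN mismatch, the UUID was pasted with extra characters or an O/0 mix-up, and the certificate must be regenerated rather than uploaded.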
3.3.5 Updating the Authentication Method
Perform the following steps to change the authentication method:
Go to the detailed view of the app created in Section 3.3.2: Creating an Application, click the Change authentication method button, and select the Certificate option to change the authentication method to Certificate.
Click the SAVE button.
On the Add certificate dialog box, click the UPLOAD NEW CERTIFICATE button to upload the certificate file, or paste the content of the certificate generated in Section 3.3.4: Generating a Certificate.
Select both check boxes to confirm that you understand the action.
Click the UPDATE button to save the changes.
3.4 Using SaaS Deployment
Perform the following steps to configure the Scality wizard in Fortanix DSM SaaS:
Sign up at https://smartkey.io/. This opens DSM SaaS for the AMER region. DSM SaaS supports multiple regions.
Log in to the Fortanix DSM UI.
Click the Integrations tab in the left panel.
On the Integrations page, click ADD INSTANCE on the Scality wizard.
Enter the details as shown in the screenshot below:
Add Instance: This is the name to identify the instance created.
Authentication method: Select the desired authentication method. There are two options to choose from:
API key: This method is used to authenticate the application with the API Gateway.
Client Certificate: This method is used to authenticate the application with Fortanix DSM using a Client Certificate. To upload the client certificate, click UPLOAD CERTIFICATE. Alternatively, the client certificate can be pasted in the field provided.
Figure 4: Add instance
For authentication using a client certificate, see Section 3.3.4: Generating a Certificate and Section 3.3.5: Updating the Authentication Method.
Click SAVE INSTANCE. Saving an instance creates a new group, an app, and keys within Fortanix DSM.
3.4.1 Scality Wizard Instance Detailed View
In the instance details, you will notice the following:
Credentials: This is the app authentication method used.
Click CERTIFICATE to download the Client Certificate. This is applicable only if the app authentication method used is a Client Certificate.
Click COPY API KEY to copy the API key. This is applicable only if the app authentication method used is API Key.
MANAGE: Click MANAGE to manage the keys created.
Instance status: To disable the instance created, click the toggle Disabled.
Figure 5: Instance detailed view
To delete the instance created, click the delete button. Note that deleting an instance deletes the app, the group, and all security objects belonging to the instance, and all key material becomes inaccessible.
4.0 Get the Fortanix Certificate Authority (CA)
Open Google Chrome and browse to "https://<fortanix_dsm_url>".
In the address bar, click the padlock icon and then Certificate.
Figure 6: Get Certificate
Select the Certification Path tab and highlight the root, “DST Root CA X3”.
Click View Certificate.
Figure 7: View certificate
Select the Details tab and then click the Copy to File button.
Figure 8: Copy to file
Click Next and then select the radio button for Base-64 encoded X.509 (.CER) before saving it and choosing a filename (Example: fortanix_ca.cer).
Figure 9: Base64 Encoded
5.0 Apply the New Cert to the Fortanix DSM Application Object
Copy and paste the contents of the generated cert.pem file into the Upload certificate text box in the Fortanix DSM app for client certificate authentication and save the details. The application object is now configured to use the asymmetric key/certificate pair you created for authentication.
6.0 Enable Audit Logging in Fortanix DSM
Audit logging lets you confirm that the integration is working (or see why it is not).
In the Fortanix DSM UI:
Click the Apps menu item in the DSM left navigation bar.
In the apps table, click the application you created in Section 3.3.2: Creating an Application.
In the detailed view of the app, in the INFO tab, under the Groups section, click the grid for App permissions to edit the app permissions.
Figure 10: App permissions
In the Set app permissions for objects in the group dialog, select the Allow access to audit log option.
Figure 11: Enable audit logging
Click the SAVE CHANGES button.
7.0 Configure Scality S3C
Refer to the S3 Connector Install Guide for current information on configuring a KMS. Navigate to https://documentation.scality.com/, select your RING version under RING, then scroll down to the S3 documentation.
In summary, the relevant section in your group_vars/all file will look like this:
env_s3:
  kmip:
    port: 5696
    host: <fortanix_dsm_url>
    compoundCreate: false
    bucketAttributeName: x-zenko-bucket
    pipelineDepth: 8
    key: kmip_key.pem
    cert: kmip_cert.pem
    ca:
      - fortanix_CA.cer
All certs go in the kmip directory under your environment (s3/federation/env//kmip). Also note that, at the time of this writing, there is no boilerplate in the group_vars/all file for the above kmip section, nor is there a pre-created kmip directory for the certs, so you must create them.
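Because the kmip directory does not exist by default and the CA file comes from a Windows certificate export, two mistakes are easy to make: forgetting a file, or exporting the CA as DER instead of the Base-64 (PEM) form chosen in Section 4.0. The script below is an added example, not part of the Scality S3 Connector documentation: it creates the kmip directory, stages the three files under the names the config above references, converts a DER-encoded CA to PEM when it sees one, and re-reads everything so that a broken file is caught here rather than as a 50x at bucket creation. The environment directory argument is a placeholder for your real s3/federation/env/<environment> path; the file names are the ones from the group_vars/all snippet.

```shell
#!/bin/sh
# Added example (not from the Scality documentation): stage and check the
# files referenced by env_s3.kmip (key, cert, ca) in the kmip directory.

# as_pem_cert SRC DST
#   Copies SRC to DST as a PEM certificate. A CA saved as "DER encoded binary
#   X.509" is converted; a "Base-64 encoded X.509 (.CER)" export is already
#   PEM and is copied unchanged. Anything else is rejected.
as_pem_cert() {
    src=$1; dst=$2
    if openssl x509 -in "$src" -inform PEM -noout 2>/dev/null; then
        cp "$src" "$dst"
    elif openssl x509 -in "$src" -inform DER -noout 2>/dev/null; then
        openssl x509 -in "$src" -inform DER -out "$dst" -outform PEM
    else
        echo "$src: not an X.509 certificate in PEM or DER form" >&2
        return 1
    fi
}

# stage_kmip_dir ENVDIR KEY CERT CA
#   Creates ENVDIR/kmip and places the files under the names used in the
#   config: kmip_key.pem, kmip_cert.pem, fortanix_CA.cer.
stage_kmip_dir() {
    envdir=$1; key=$2; cert=$3; ca=$4
    kmip="$envdir/kmip"
    mkdir -p "$kmip"
    # The private key must parse before it is copied into place.
    openssl pkey -in "$key" -pubout >/dev/null 2>&1 \
        || { echo "$key: not a readable private key" >&2; return 1; }
    cp "$key" "$kmip/kmip_key.pem"
    chmod 600 "$kmip/kmip_key.pem"
    as_pem_cert "$cert" "$kmip/kmip_cert.pem" || return 1
    as_pem_cert "$ca" "$kmip/fortanix_CA.cer" || return 1
}

# check_kmip_dir ENVDIR
#   Re-reads the staged files. Returns 0 only if all three exist and parse
#   and the client certificate's CN has the shape of a DSM app UUID.
check_kmip_dir() {
    kmip="$1/kmip"
    for f in kmip_key.pem kmip_cert.pem fortanix_CA.cer; do
        [ -f "$kmip/$f" ] || { echo "missing $kmip/$f" >&2; return 1; }
    done
    openssl pkey -in "$kmip/kmip_key.pem" -pubout >/dev/null 2>&1 || return 1
    openssl x509 -in "$kmip/kmip_cert.pem" -noout || return 1
    openssl x509 -in "$kmip/fortanix_CA.cer" -noout || return 1
    cn=$(openssl x509 -in "$kmip/kmip_cert.pem" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    case "$cn" in
        CN=????????-????-????-????-????????????) return 0 ;;
        *) echo "client cert CN is '$cn', expected CN=<DSM app UUID>" >&2; return 1 ;;
    esac
}

# Stand-alone usage:  sh stage_kmip.sh <ENVDIR> key.pem cert.pem fortanix_ca.cer
if [ -n "${4:-}" ]; then
    stage_kmip_dir "$1" "$2" "$3" "$4" && check_kmip_dir "$1" && echo "OK: $1/kmip is complete"
fi
```

After staging, the key, cert and ca values in group_vars/all need only the bare file names shown above; the federation deploys them from the kmip directory of the environment.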
8.0 Create an Encrypted Bucket
Encrypted buckets cannot be created in S3C with the standard Amazon S3 API call alone; the bucket must be created with a special header. A script for doing this is available in any cloudserver (s3) container. Refer to Using Bucket Encryption in the S3 Connector Operation documentation.
If there is an issue (you get a 50x error when trying to create the bucket), errors will show up in the S3 log on the host you are using, for example /var/log/s3/scality-s3-1/logs/s3-0.log. If you did not get an error, congratulations! You have an encrypted bucket.
You will see a new security object in the Fortanix DSM interface, confirming that S3C and DSM are communicating.