Using Fortanix Data Security Manager with Versasec


1.0 Introduction

This article describes how to integrate Fortanix Data Security Manager (DSM) with Versasec (vSEC) to enhance data security measures and manage digital identities. By integrating these solutions, you can effectively manage identities and access controls while protecting your data from breaches and cyber threats.

The following are the advantages of vSEC:

  • It is a cutting-edge, easily integrated, and cost-effective Credential Management System (CMS) designed to help organizations deploy and manage credentials effectively.

  • It supports Minidriver-enabled credentials, such as Virtual Smart Cards (VSC) and Universal Serial Bus (USB) tokens, as well as Windows Hello for Business (WHfB).

  • It simplifies the entire credential management process by seamlessly integrating with enterprise directories, certificate authorities, physical access control systems, email servers, log servers, biometric fingerprint readers, PIN mailers, and much more.

Using vSEC CMS, you can issue credentials to employees, customize them with authentication details, and manage the entire credential lifecycle, all from this ready-to-use product.

2.0 Why Use Fortanix DSM with Versasec?

The integration of Fortanix DSM with vSEC leverages the strengths of both solutions, offering a unified approach to identity management and data security. This seamless integration enables efficient identity management while ensuring data remains encrypted and secure.

Fortanix DSM can store the master key(s) used during administrative key operations with vSEC CMS, such as registering credentials or unblocking PINs. Fortanix provides the PKCS#11 interface for vSEC. All management functions related to the master key(s) stored in Fortanix DSM should be handled using the Hardware Security Module (HSM) key management tools.

NOTE

  • You must install and configure the HSM PKCS#11 module on the server where you deploy vSEC. Depending on whether vSEC is 32-bit or 64-bit, ensure that the corresponding version of the HSM PKCS#11 module is installed. vSEC will search for the PKCS#11 module in the system path.

  • A fully licensed version of vSEC is required to set up and utilize an HSM.

  • vSEC requires an available slot on any partition within the HSM being used. The master key utilized by vSEC can be of AES or DES3 key type.

3.0 Architecture Diagram

Figure 1: Architecture diagram

Fortanix DSM securely stores and manages the master keys, while vSEC is the central hub for coordinating communication and operations.

The vSEC CMS server acts as the central hub where every request for administration key operations, such as registering a credential or unblocking a PIN, is first handled.

The Fortanix DSM is introduced as the trusted HSM to store the master keys using standardized protocols such as PKCS#11. Whenever the vSEC CMS services require keys for their operations, they connect to Fortanix DSM to securely retrieve these keys, ensuring that only authorized entities can access them.

This collaborative approach between Fortanix DSM and vSEC ensures that security, authentication, and credential management converge seamlessly, providing a guarded environment for the organization’s digital operations.

4.0 Product Versions Tested

The following product versions were tested:

  • Fortanix DSM version 4.31

  • Fortanix Microsoft CNG client supported version 4.32.2474

  • vSEC CMS version 6.11.4.0

5.0 Prerequisites

Ensure the following:

6.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

6.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

6.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

Figure 2: Logging in

For more information on how to set up an account in Fortanix DSM, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.

6.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Groups menu item, and then click the + button to create a new group.

    Figure 3: Add groups

  2. On the Adding new group page, do the following:

    1. Title: Enter a name for your group.

    2. Description (optional): Enter a short description of the group.

  3. Click SAVE to create the new group.

The new group is added to the Fortanix DSM successfully.

6.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Apps menu item, and then click the + button to create a new app.

    Figure 4: Add application

  2. On the Adding new app page, do the following:

    1. App name: Enter the name for your application.

    2. ADD DESCRIPTION (optional): Enter a short description of the application.

    3. Authentication method: Select the default API Key as the authentication method from the drop-down menu. For more information on these authentication methods, refer to the User's Guide: Authentication.

    4. Assigning the new app to groups: Select the group created in Section 6.3: Creating a Group from the list.

  3. Click SAVE to add the new application.

The new application is added to the Fortanix DSM successfully.

6.5 Copying the API Key

Perform the following steps to copy the API key from the Fortanix DSM:

  1. In the DSM left navigation panel, click the Apps menu item, and then click the app created in Section 6.4: Creating an Application to go to the detailed view of the app.

  2. On the INFO tab, click VIEW API KEY DETAILS.

  3. From the API Key Details dialog box, copy the API Key of the app to use it later.

7.0 Configure Fortanix DSM with vSEC

Perform the following steps to configure Fortanix DSM with vSEC:

  1. Download the latest version of Fortanix EKM Library from here.

  2. Use FortanixKmsClientConfig.exe to configure the Fortanix KMS Server URL and proxy settings.

    1. Run the following command to configure for the local machine:

      FortanixKmsClientConfig.exe machine --api-endpoint https://amer.smartkey.io
    2. Run the following command to configure for the current user:

      FortanixKmsClientConfig.exe user --api-endpoint https://amer.smartkey.io
    3. Run the first of the following commands to set the proxy for the current user, and the second to remove it:

      FortanixKmsClientConfig.exe user --proxy http://proxy.com
      FortanixKmsClientConfig.exe user --proxy none
  3. Obtain the API key from Fortanix DSM apps and configure it using FortanixKmsClientConfig.exe:

    1. Run the following command to configure the API key for the machine key store:

      FortanixKmsClientConfig.exe machine --api-key <key>
    2. Run the following command to configure the API key for the user key store:

      FortanixKmsClientConfig.exe user --api-key <key>

7.1 Configure HSM in vSEC CMS

Perform the following steps to configure HSM in the vSEC application:

  1. Open the vSEC application and navigate to Options → Connections.

  2. Click Configure and select the Hardware Security Module (HSM) option.

  3. Click Hardware Security Module (HSM) → Add to set up a template.

  4. Enter a template name and select the required HSM from the drop-down menu.

    The PKCS#11 module and URL will be automatically populated into the PKCS11 DLL name field.

  5. Select the slot for the master key from the drop-down menu and enter the Personal Identification Number (PIN) credential, if required. Click Check connection to test connectivity.

    Figure 5: HSM configuration

    NOTE

    The PIN credential might not be necessary if the HSM does not require it directly through its interface.

  6. Click Save.

    A dialog box appears confirming that connectivity to the HSM works as expected.

    Figure 6: Confirmation dialog box

  7. Click OK to close the configuration.

7.2 Create Operator Service Key Store

After the connection with HSM is configured, you need to create an Operator Service Key Store (OSKS).

Perform the following steps:

  1. From the vSEC application, navigate to Options → Operators and click Add service key store.

  2. Enter a name in the Store name field and click Add.

    Figure 7: Add service key store

    All vSEC master keys will be transferred to the HSM during this process. The following dialog box appears on the screen:

    Figure 8: Confirmation dialog box

  3. Click OK to close the configuration.

7.3 Verify Configuration

You can perform the following steps to check if the configuration is successful:

  1. Check the Operators table to confirm the HSM is listed as the key store as indicated by the * character.

    Figure 9: Operators table

  2. Navigate to Options → Connections → Hardware Security Module (HSM) and select the required HSM connector. Click Edit. Click Check connection to verify successful integration. The following dialog box appears on the screen, indicating that the master key used by vSEC:CMS was found in the slot on the HSM.

    Figure 10: Confirmation dialog box

8.0 Generate Master Key

NOTE

The new credential administration keys will be associated with the newly generated master key. Any existing credential administration keys linked to older master keys of the vSEC will continue to function. However, Fortanix recommends re-registering the credentials issued from older vSEC master keys to update them to the new master key. This update aligns the user's credential administration key with the new master key for improved security.

Perform the following steps to generate a new master key to enhance security:

  1. From the vSEC application, navigate to Options → Master Key and click the Generate new master key option.

  2. From the vSEC:CMS dialog box, select the On server side HSM radio button and select the required Key type from the drop-down menu.

    Figure 11: vSEC:CMS dialog box

    NOTE

    The National Institute of Standards and Technology (NIST) recommends selecting AES due to the withdrawal of DES as a standard. The migration from DES-managed master keys to AES is supported from vSEC:CMS version 6.5.

  3. Click OK. A dialog box appears on the screen confirming the system change. Click Yes to complete the setup.

  4. Navigate to Repository → Master keys to verify the new master key entry. The * character indicates the master key that vSEC:CMS is actively using.

    Figure 12: Master key repository

    The following figure illustrates the key generated in Fortanix DSM:

    Figure 13: Key generated

8.1 Update Credentials Managed by Older Keys

In the Repository section → Smart Cards tab, you will notice that credentials managed by older master keys will display an Update needed message.

Figure 14: Smart card repository

NOTE

After the HSM master key is generated, it cannot be reverted to an older master key. However, you can still manage the credentials previously handled by vSEC:CMS with an older master key not generated by the HSM, but it is advised to update them to use the newly created master key for better management.

Use one of the following methods to update the credentials managed by older master keys to use the newly generated master key:

  • From the vSEC application:

    Navigate to Actions → Smart Card Update, attach the credential that needs an update, and click Execute.

  • From a client host with the vSEC user client installed and configured for updates:

    Navigate to the Update tab to perform the update.

8.2 Master Key Labeling in HSM

Any master key added to the HSM will have a label starting with CMS MK. The value of the label varies depending on whether the master key is generated only on the HSM or created and stored on a full-featured operator card and synced with the HSM.

  • For a master key generated solely on the HSM, the label will be CMS MK 4099 (a hex value) for the first key. Additional keys will increment by one; thus, the second master key would be CMS MK 4100, and so on.

  • For a master key created and stored on a full-featured operator card and synced with the HSM, the label will be CMS MK 00 for the first key. Additional keys will increment by one; hence, the second master key would be CMS MK 01, and so on.
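As an added example (not Fortanix or Versasec code), the following Python script performs the Section 7.3 verification and the Section 8.2 label check programmatically over PKCS#11: it lists the secret keys DSM exposes in the slot, classifies each vSEC master key label as HSM-generated or operator-card-synced, and flags any DES3 key per the NIST note in Section 8.0. The DLL path is the default quoted in Section 8.4; the environment variable name, the slot index and the two-digit rule for operator-card labels are assumptions.

```python
"""Audit the vSEC master keys held in Fortanix DSM over PKCS#11 (label "CMS MK ...", AES or DES3)."""
import os
import re

# Assumptions: the guide's default DLL path; the DSM API key is read from an environment
# variable (constructed name) and passed as the PKCS#11 PIN, as the Fortanix PKCS#11 tool does.
DLL_PATH = r"C:\Program Files\Fortanix\KmsClient\FortanixKmsPkcs11.dll"
API_KEY_ENV = "FORTANIX_API_KEY"
LABEL_RE = re.compile(r"^CMS MK (\d+)$")
FINDINGS = {"AES": None, "DES3": "DES3 master key: NIST withdrew DES, migrate to AES"}


def classify_label(label):
    """("hsm", n) for HSM-generated keys (CMS MK 4099, 4100, ...), ("operator-card", n) for
    keys synced from an operator card (CMS MK 00, 01, ...), None for any other label.
    A two-digit suffix is taken to mean the operator-card series, as the guide describes."""
    m = LABEL_RE.match(label)
    if not m:
        return None
    digits = m.group(1)
    return ("operator-card" if len(digits) == 2 else "hsm", int(digits))


def audit_master_keys(objects):
    """objects: iterable of (label, key_type). Returns (label, origin, key_type, finding)
    per vSEC master key, skipping other objects; finding is None when the key is AES."""
    report = []
    for label, key_type in objects:
        cls = classify_label(label)
        if cls is not None:
            finding = FINDINGS.get(key_type, "unexpected key type " + key_type)
            report.append((label, cls[0], key_type, finding))
    return report


def read_from_dsm(dll_path=DLL_PATH, slot_index=0):
    """Fetch (label, key_type) pairs from DSM with PyKCS11 (pip install PyKCS11)."""
    import PyKCS11  # imported here so the pure checks above run without the module
    lib = PyKCS11.PyKCS11Lib()
    lib.load(dll_path)
    slot = lib.getSlotList(tokenPresent=True)[slot_index]
    session = lib.openSession(slot, PyKCS11.CKF_SERIAL_SESSION)
    session.login(os.environ[API_KEY_ENV])  # the API key acts as the user PIN
    names = {PyKCS11.CKK_AES: "AES", PyKCS11.CKK_DES3: "DES3"}
    pairs = []
    for obj in session.findObjects([(PyKCS11.CKA_CLASS, PyKCS11.CKO_SECRET_KEY)]):
        label, ktype = session.getAttributeValue(obj, [PyKCS11.CKA_LABEL, PyKCS11.CKA_KEY_TYPE])
        label = label if isinstance(label, str) else bytes(label).decode("utf-8", "replace")
        pairs.append((label, names.get(ktype, str(ktype))))
    session.logout()
    session.closeSession()
    return pairs
```

Run `audit_master_keys(read_from_dsm())` on the vSEC server after Section 7.2 has transferred the master keys; an empty report means no object with a CMS MK label was found in the slot.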

8.3 Using the Fortanix PKCS#11 Tool

The Fortanix PKCS#11 tool is included for troubleshooting issues when setting up and using an HSM with vSEC. The Fortanix PKCS#11 tool should be run directly on the server where vSEC is installed.

On the server with vSEC installed, open the command prompt and change to the directory containing the installed Fortanix PKCS#11 tool.

The following are the default installation paths:

  • For 64-bit version: C:\Program Files\Versasec\vSEC_CMS S-Series\tools

  • For 32-bit version: C:\Program Files (x86)\Versasec\vSEC_CMS S-Series\tools

8.4 Setting up and Testing Fortanix HSM Connectivity

Perform the following steps to set up and test connectivity to the Fortanix HSM using the Fortanix PKCS#11 tool:

  1. Launch the tool with the parameter -debug on:

    Figure 15: debug on parameter

  2. Enter the DLL path for the Fortanix PKCS#11 module. By default, the Fortanix PKCS#11 module is installed at the location: C:\Program Files\Fortanix\KmsClient\FortanixKmsPkcs11.dll.

    Select option 9 to enter the DLL path and use the Fortanix PKCS#11 commands to check and test connectivity to the HSM.

    The following prompt appears on the screen for the slot details:

    Figure 16: Slot details

  3. Select slot 1.

    Figure 17: Select Option 1

  4. Select option 14 to log in to Fortanix successfully.

    When prompted for the password, enter the API Key copied in Section 6.5: Copying the API Key.

    Figure 18: Select Option 14

  5. Select option 16 to create a security object in Fortanix HSM. Select the object type, ID, label, and hex key value.

    1. The following is an example of AES key creation.

      Figure 19: AES key

    2. The following is an example of DES key creation.

      Figure 20: DES key

After the keys are created, you can verify them in the vSEC application. Navigate to the Repository section → Master Keys tab.

Figure 21: Master key repository status