Using Fortanix Data Security Manager with Cassandra TDE

1.0 Introduction

This article describes how to integrate Fortanix Data Security Manager (DSM) with DataStax Cassandra for Transparent Data Encryption. It contains the information that a user requires for:

  • Facilitating the communication and authentication between Fortanix DSM and Cassandra using KMIP and Certificates.
  • Setting up Fortanix DSM.
  • Creating client certificates.
  • Configuring DataStax node for Apache Cassandra.

2.0 KMIP and Certificate Requirements

The Key Management Interoperability Protocol (KMIP) is used to facilitate communication between the Cassandra cluster and Fortanix DSM. KMIP uses Transport Layer Security (TLS) to provide a secure connection and Fortanix DSM also uses this to Authenticate a KMIP client to successfully create, retrieve, and use the keys stored inside Fortanix DSM.
X.509 certificates are used to facilitate communication and authentication for both the Fortanix DSM and the Cassandra Cluster. Fortanix DSM is deployed with a server certificate that is signed by the internal Certificate Authority (CA). You will need to create a client certificate for the Cassandra cluster using tools such as OpenSSL. The certificate may be signed externally or can be self-signed.

2.1 Prerequisites

  • Fortanix DSM version 4.4 or later installed and operational.
  • Fortanix DSM is accessible by the Cassandra cluster on port 5696 (for default) or a custom KMIP port.
  • Users should have access to OpenSSL or some other tool for generating a client certificate and private key in the Privacy Enhanced Mail (PEM) format.
  • Enable the Java Cryptography Extension (JCE) on DataStax Enterprise.

3.0 Create an App and Configure Fortanix DSM Account

Fortanix DSM supports KMIP clients to authenticate using a certificate through applications (apps). To successfully connect the Cassandra cluster to authenticate with Fortanix DSM, the Cassandra cluster also requires you to extract the Fortanix DSM internal CA certificate.

  1. Log in to the Fortanix DSM UI.
  2. Click the Application icon AppTab.png, and then click Plus.png to create a new application. You will need the app for the Fortanix DSM node in the Cassandra Cluster.
    For instructions on how to add a group or app please refer to the DSM Getting Started Guide.
  3. Enter the following details:
    • App name: This is the name to identify your Cassandra cluster (customizable)
    • Interface: KMIP
    • Authentication method: This will need to be updated later and the default selection of API Key is ok at this stage.
    • Assigning the new app to groups: Keys created by the Cassandra cluster will be owned by this group.
    DataStax-CreateApp.png Figure 1: Create DataStax App
  4. After you have added the application, copy the app UUID from the app table view by clicking the icon for Copy UUID as shown below. You will need this app UUID as it will be used as the Common Name (CN) when generating the client certificate.
    For example:
    • App UUID = ae044928-f670-48d1-a4aa-111baf5640a6
    DataStax-AppUUID.png Figure 2: Copy App UUID

4.0 Configuration on DataStax Node

4.1 Create Certificate with App ID as Common Name

  1. If an app or client needs to authenticate to Fortanix DSM using only the certificate, then the App ID needs to be embedded in the certificate. Create a self-signed certificate and make sure that you have the App ID to embed in the self-signed certificate provided as the value of Common Name (CN):
    CN example: ae044928-f670-48d1-a4aa-111baf5640a6
  2. Change the directory to DSM using the following command:
    mkdir dsm
    DataStax-CreateFolder.png
  3. Generate an RSA key for authenticating with Fortanix DSM using the following command:
    openssl req -newkey rsa:2048 -nodes -keyout client-key.pem -x509 -days 365 -out client-cert.pem
    When prompted for Common Name, enter the app UUID you noted earlier. DataStax-CreateRSAKey.png This will generate the following two files:
    • client-cert.pem
    • client-key.pem
    DataStax-Certificate.png

4.2 Update Certificate in Fortanix DSM

To update the certificate in the authentication method:

  1. First, change the configuration to KMIP from the default, which is, REST API for the Fortanix DSM app created in Section 3.0: Create an App and Configure Fortanix DSM Account.
    1. Click Settings -> CLIENT CONFIGURATION -> KMIP.
    2. Select Allow secrets with unknown operations.
    3. Click SAVE.
    DataStax-KMIP.png Figure 3: Update client configuration
  2. Paste or upload the certificate that was generated in Section 4.1: Create Certificate with App ID as Common Name in the Upload certificate text box in the Fortanix DSM app authentication and save the details.
    1. In the detailed view of the app, under the INFO tab, click the Change authentication method drop down menu and select Certificate as the new authentication method for the app.
    2. Click SAVE. DataStax-ChangeAppAuth.png Figure 4: Update app authentication
    3. In the “Add certificate” form, click Upload New Certificate to upload the new certificate or paste the generated certificate in the Upload certificate text box provided.
    4. Click UPDATE to update the app authentication method to certificate. DataStax-ChangeAppAuthConfirm.png Figure 5: Upload certificate

4.3 Create DSM.P12

  1. Generate a PKCS12 format file from the PEM files created in Section 4.1: Create Certificate with App ID as Common Name.
    openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem -name "my-dsm-app" -out client-dsm.p12
    DataStax-p12.png
  2. Create a Java KeyStore (JKS) keystore.
    keytool -importkeystore -destkeystore kmip_keystore.jks -srcstoretype PKCS12 -srckeystore client-dsm.p12
    DataStax-JKSKeystore.png Where,
    • kmip_keystore.jks is the keystore file name that is created.
    • client-sdkms.p12 is the PKCS12 file generated in Step 1 above.
    NOTE
    Enter a password for the keystore at the prompt and fill out the host information.
  3. The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry-standard format using the following command:
    keytool -importkeystore -srckeystore kmip_keystore.jks -destkeystore kmip_keystore.jks -deststoretype pkcs12
    DataStax-JKStoP12.png
  4. Install the KMIP root certificate into the JKS truststore using the following command:
    keytool -import -alias kmipCA -file kmipCA -keystore kmip_truststore.jks
    Where,
    • KmipCA is the Fortanix DSM certificate chain.
    NOTE
    Enter a password for the truststore at the prompt, fill out the host information, and type yes when prompted for confirmation.
    DataStax-KMIPRootCert.png
  5. Move the keystore and truststore to a directory accessible by DataStax Enterprise (DSE) and change the file to allow the DSE account read or write access.
    For example:
    Move the file kmip_keystore.jks to /etc/dse/dsm/.
    Move the file kmip_truststore.jks to /etc/dse/dsm/.
  6. Delete or secure the files used to create the keystore and truststore.
  7. Add the host details to the kmip_hosts section of the dse.yaml file:
    For example:
    kmip_hosts:                                                    
      fortanix:
        hosts: <fortanix_dsm_url>:5696
        keystore_path: /etc/dse/dsm/kmip_keystore.jks
        keystore_type: jks
        keystore_password: redhat
        truststore_path: /etc/dse/dsm/kmip_truststore.jks
        truststore_type: jks
        truststore_password: redhat
        key_cache_update_millis: 300000
    
    DataStax-DSEYaml.png
    Where,
    • fortanix: The kmip_group_name which is a user-defined group name that identifies the KMIP host in DSE related commands.
    • hosts: A comma separated list of fully qualified domain names (FQDN) of KMIP hosts. DSE tries the hosts in the order listed.
    • keystore_path: The location of the keystore created.
    • keystore_type: The jks keystore format. Must be set to jks.
    • keystore_password: The password of the keystore file created.
    • truststore_path: The location of the truststore file created.
    • truststore_type: The jks Truststore format. Must be set to jks.
    • truststore_password: The password of the truststore file created.
  8. Make the dsm directory owner as cassandra using the following command:
    chown -R cassandra:cassandra dsm
    
    DataStax-DSMdirectory.png
  9. Verify that the DataStax node can connect to the KMIP host by listing encryption keys on the remote KMIP server.
    NOTE
    The dsetool picks up the changes from dse.yaml file without requiring a restart.

4.4 Test the Connection

  1. To test the connection, create a key, for example: Testkey of type AES and size 256-bits on Fortanix DSM, and then run the following command:
    NOTE
    The key must have “Export” permission
    dsetool managekmip list fortanix
    
    DataStax-testConnection.png
  2. Check the DataStax application audit logs in Fortanix DSM. DataStax-auditLogs.png Figure 7: Audit log
  3. Delete or keep the key (Testkey) created in the above step for testing.

5.0 Encrypting Table

5.1 Creating a New Encrypted Table

Following is an example of creating a new encrypted table using a key from a KMIP server.
Example:

CREATE TABLE table1( 
   emp_id int PRIMARY KEY, 
   emp_name text, emp_city text, 
   emp_sal varint, 
   emp_phone varint 
   ) 
WITH COMPRESSION = 
    { 'class': 'Encryptor', 'key_provider': 'KmipKeyProviderFactory', 
    'kmip_host': 'fortanix', 
	'cipher_algorithm': 'AES', 
	'secret_key_strength': 128 };

DataStax-EncryptedTable.png

DataStax-EncryptedTableKMIPKey.pngFigure 8: KMIP key DataStax-EncryptedTableKMIPKey1.png

Where the first column, that is, ID matches with the UUID of the DSM key.

5.2 Encrypt an Existing Table

Following is an example to create an unencrypted table and insert data into the table.
Example:

CREATE TABLE unencrypted( emp_id int PRIMARY KEY, emp_name text, emp_city text, emp_sal varint, emp_phone varint );

INSERT INTO unencrypted(emp_id, emp_name, emp_city, emp_phone, emp_sal) VALUES(1,'Dan', 'Eindhoven', 12345678, 50000);

select * from unencrypted ;

To perform encryption without compression, run the following query:

ALTER TABLE unencrypted
WITH COMPRESSION =
        { 'class': 'Encryptor',
        'key_provider': 'KmipKeyProviderFactory',
        'kmip_host': 'fortanix',
        'cipher_algorithm': 'AES',
        'secret_key_strength': 192};

DataStax-ExcryptExisting.png

DataStax-EncryptedTableKMIPKey2.pngFigure 9: KMIP key

5.3 Encrypted Table Properties

The following example shows how to describe a namespace to find out encrypted table properties.

DESC KEYSPACE tutorialspoint ;

CREATE TABLE tutorialspoint.table1 (
    emp_id int PRIMARY KEY,
    emp_city text,
    emp_name text,
    emp_phone varint,
    emp_sal varint
) WITH additional_write_policy = '99PERCENTILE'
    AND bloom_filter_fp_chance = 0.01
    AND caching = {'keys': 'ALL', 'rows_per_partition': 'NONE'}
    AND comment = ''
    AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'}
    AND compression = {'chunk_length_in_kb': '64', 'cipher_algorithm': 'AES', 'class': 'org.apache.cassandra.io.compress.Encryptor', 'key_provider': 'KmipKeyProviderFactory', 'kmip_host': 'fortanix', 'secret_key_strength': '128'}
    AND crc_check_chance = 1.0
    AND default_time_to_live = 0
    AND gc_grace_seconds = 864000
    AND max_index_interval = 2048
    AND memtable_flush_period_in_ms = 0
    AND min_index_interval = 128
    AND nodesync = {'enabled': 'true', 'incremental': 'true'}
    AND read_repair = 'BLOCKING'
    AND speculative_retry = '99PERCENTILE';

DataStax-namespace.png

To check if the table is encrypted, run the following command:

cqlsh:tutorialspoint> DESCRIBE TABLE tutorialspoint.table1

Comments

Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful