1.0 Introduction
This article describes how to integrate Fortanix Data Security Manager (DSM) with DataStax Cassandra for Transparent Data Encryption. It contains the information that a user requires for:
- Facilitating the communication and authentication between Fortanix DSM and Cassandra using KMIP and Certificates.
- Setting up Fortanix DSM.
- Creating client certificates.
- Configuring DataStax node for Apache Cassandra.
2.0 KMIP and Certificate Requirements
The Key Management Interoperability Protocol (KMIP) is used to facilitate communication between the Cassandra cluster and Fortanix DSM. KMIP uses Transport Layer Security (TLS) to provide a secure connection, and Fortanix DSM also uses this TLS session to authenticate a KMIP client so that it can create, retrieve, and use the keys stored inside Fortanix DSM.
X.509 certificates are used to facilitate communication and authentication for both the Fortanix DSM and the Cassandra Cluster. Fortanix DSM is deployed with a server certificate that is signed by the internal Certificate Authority (CA). You will need to create a client certificate for the Cassandra cluster using tools such as OpenSSL. The certificate may be signed externally or can be self-signed.
2.1 Prerequisites
- Fortanix DSM version 4.4 or later installed and operational.
- Fortanix DSM is accessible by the Cassandra cluster on port 5696 (the default) or a custom KMIP port.
- Users should have access to OpenSSL or some other tool for generating a client certificate and private key in the Privacy Enhanced Mail (PEM) format.
- Enable the Java Cryptography Extension (JCE) on DataStax Enterprise.
3.0 Create an App and Configure Fortanix DSM Account
Fortanix DSM allows KMIP clients to authenticate using a certificate through applications (apps). To connect the Cassandra cluster so that it can authenticate with Fortanix DSM, you also need to extract the Fortanix DSM internal CA certificate for the Cassandra cluster.
- Log in to the Fortanix DSM UI.
- Click the Application icon, and then click the create button to create a new application. You will need the app for the Fortanix DSM node in the Cassandra Cluster.
For instructions on how to add a group or app, refer to the DSM Getting Started Guide.
- Enter the following details:
- App name: This is the name to identify your Cassandra cluster (customizable)
- Interface: KMIP
- Authentication method: This will be updated later; the default selection of API Key is fine at this stage.
- Assigning the new app to groups: Keys created by the Cassandra cluster will be owned by this group.
Figure 1: Create DataStax App
- After you have added the application, copy the app UUID from the app table view by clicking the icon for Copy UUID as shown below. You will need this app UUID as it will be used as the Common Name (CN) when generating the client certificate.
For example:
- App UUID = ae044928-f670-48d1-a4aa-111baf5640a6
Figure 2: Copy App UUID
4.0 Configuration on DataStax Node
4.1 Create Certificate with App ID as Common Name
- If an app or client needs to authenticate to Fortanix DSM using only the certificate, then the App ID needs to be embedded in the certificate. Create a self-signed certificate and make sure that the App ID is provided as the value of the Common Name (CN) of that self-signed certificate.
CN example: ae044928-f670-48d1-a4aa-111baf5640a6
- Create the dsm working directory using the following command:
mkdir dsm
- Generate an RSA key and self-signed certificate for authenticating with Fortanix DSM using the following command. When OpenSSL prompts for the Common Name (CN), enter the app UUID copied in Section 3.0:
openssl req -newkey rsa:2048 -nodes -keyout client-key.pem -x509 -days 365 -out client-cert.pem
This will generate the following two files:
client-cert.pem (the self-signed client certificate)
client-key.pem (the private key; keep it readable only by its owner)
4.2 Update Certificate in Fortanix DSM
To update the certificate in the authentication method:
- First, change the configuration of the Fortanix DSM app created in Section 3.0: Create an App and Configure Fortanix DSM Account from the default, REST API, to KMIP.
- Click Settings -> CLIENT CONFIGURATION -> KMIP.
- Select Allow secrets with unknown operations.
- Click SAVE.
Figure 3: Update client configuration
- Paste or upload the certificate that was generated in Section 4.1: Create Certificate with App ID as Common Name in the Upload certificate text box in the Fortanix DSM app authentication and save the details.
- In the detailed view of the app, under the INFO tab, click the Change authentication method drop down menu and select Certificate as the new authentication method for the app.
- Click SAVE.
Figure 4: Update app authentication
- In the “Add certificate” form, click Upload New Certificate to upload the new certificate or paste the generated certificate in the Upload certificate text box provided.
- Click UPDATE to update the app authentication method to certificate.
Figure 5: Upload certificate
4.3 Create DSM.P12
- Generate a PKCS12 format file from the PEM files created in Section 4.1: Create Certificate with App ID as Common Name.
openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem -name "my-dsm-app" -out client-dsm.p12
- Create a Java KeyStore (JKS) keystore.
keytool -importkeystore -destkeystore kmip_keystore.jks -srcstoretype PKCS12 -srckeystore client-dsm.p12
Where,
- kmip_keystore.jks is the name of the keystore file that is created.
- client-dsm.p12 is the PKCS12 file generated in Step 1 above.
- The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12, which is an industry-standard format, using the following command:
keytool -importkeystore -srckeystore kmip_keystore.jks -destkeystore kmip_keystore.jks -deststoretype pkcs12
- Install the KMIP root certificate into the JKS truststore using the following command:
keytool -import -alias kmipCA -file kmipCA -keystore kmip_truststore.jks
Where kmipCA is the file containing the Fortanix DSM certificate chain.
- Move the keystore and truststore to a directory accessible by DataStax Enterprise (DSE) and change the file permissions to allow the DSE account read or write access.
For example:
Move the file kmip_keystore.jks to /etc/dse/dsm/.
Move the file kmip_truststore.jks to /etc/dse/dsm/.
- Delete or secure the files used to create the keystore and truststore.
- Add the host details to the kmip_hosts section of the dse.yaml file.
For example:
kmip_hosts:
  fortanix:
    hosts: <fortanix_dsm_url>:5696
    keystore_path: /etc/dse/dsm/kmip_keystore.jks
    keystore_type: jks
    keystore_password: redhat
    truststore_path: /etc/dse/dsm/kmip_truststore.jks
    truststore_type: jks
    truststore_password: redhat
    key_cache_update_millis: 300000
Where,
- fortanix: The kmip_group_name, a user-defined group name that identifies the KMIP host in DSE-related commands.
- hosts: A comma-separated list of fully qualified domain names (FQDN) of KMIP hosts. DSE tries the hosts in the order listed.
- keystore_path: The location of the keystore created.
- keystore_type: The keystore format. Must be set to jks.
- keystore_password: The password of the keystore file created.
- truststore_path: The location of the truststore file created.
- truststore_type: The truststore format. Must be set to jks.
- truststore_password: The password of the truststore file created.
- Make cassandra the owner of the dsm directory using the following command:
chown -R cassandra:cassandra dsm
- Verify that the DataStax node can connect to the KMIP host by listing encryption keys on the remote KMIP server.
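The following script is an added example and is not code from the Fortanix or DataStax documentation. It automates Sections 4.1 and 4.3: it creates the self-signed client certificate with the app UUID as the CN (using -subj instead of the interactive prompt, so the CN cannot be mistyped), builds the PKCS12 bundle, JKS keystore and truststore that dse.yaml points at, and adds two checks a practitioner would want before handing the files to DSE: that the CN really equals the app UUID, and that the key material is not readable by other accounts. It assumes openssl and keytool (from a JDK) are on PATH; the environment variables APP_UUID, WORKDIR, STORE_PASS and KMIP_CA, the placeholder UUID and the probe_kmip helper are inventions of this example.

```shell
#!/bin/sh
# Added example, not code from the Fortanix or DataStax documentation.
# Scripts Sections 4.1 and 4.3: self-signed client certificate with the DSM
# app UUID as CN, the PKCS12/JKS stores DSE reads, and two sanity checks.
# Assumptions: openssl and keytool are on PATH; APP_UUID, WORKDIR, STORE_PASS
# and KMIP_CA are environment variables invented for this script.
set -eu

APP_UUID="${APP_UUID:-00000000-0000-0000-0000-000000000000}"  # placeholder: paste the real app UUID
WORKDIR="${WORKDIR:-./dsm}"
STORE_PASS="${STORE_PASS:-changeit}"      # placeholder: use a real keystore password

# 4.1: key pair and self-signed certificate with the app UUID as the CN.
# -subj replaces the interactive prompt, so the CN cannot be mistyped.
make_client_cert() {
  uuid="$1"; dir="$2"
  mkdir -p "$dir"
  openssl req -newkey rsa:2048 -nodes -x509 -days 365 -subj "/CN=$uuid" \
    -keyout "$dir/client-key.pem" -out "$dir/client-cert.pem" 2>/dev/null
  chmod 600 "$dir/client-key.pem"
}

# Print the CN of a PEM certificate (RFC 2253 form, "subject=" prefix stripped).
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//; s/^CN=//'
}

# Succeed only when the certificate CN equals the app UUID that DSM will look up.
cn_matches_app() {
  [ "$(cert_cn "$1")" = "$2" ]
}

# Succeed only when a file is unreadable by group and others (mode ?00).
is_private_mode() {
  mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
  case "$mode" in *00) return 0 ;; *) return 1 ;; esac
}

# 4.3: PKCS12 bundle, JKS keystore, and a truststore holding the DSM CA chain.
build_stores() {
  dir="$1"; pass="$2"; ca_chain="$3"
  openssl pkcs12 -export -in "$dir/client-cert.pem" -inkey "$dir/client-key.pem" \
    -name "my-dsm-app" -passout "pass:$pass" -out "$dir/client-dsm.p12"
  keytool -importkeystore -noprompt \
    -srckeystore "$dir/client-dsm.p12" -srcstoretype PKCS12 -srcstorepass "$pass" \
    -destkeystore "$dir/kmip_keystore.jks" -deststorepass "$pass"
  keytool -import -noprompt -alias kmipCA -file "$ca_chain" \
    -keystore "$dir/kmip_truststore.jks" -storepass "$pass"
  chmod 600 "$dir/client-dsm.p12" "$dir/kmip_keystore.jks" "$dir/kmip_truststore.jks"
}

# Optional pre-check of the mutual-TLS handshake to the KMIP port, independent
# of DSE: a clean verify result against the DSM CA confirms the client
# certificate and trust chain before dse.yaml is edited.
probe_kmip() {
  host_port="$1"; dir="$2"; ca_chain="$3"
  openssl s_client -connect "$host_port" -CAfile "$ca_chain" \
    -cert "$dir/client-cert.pem" -key "$dir/client-key.pem" </dev/null 2>&1 \
    | grep -E 'Verify return code|Verification'
}

main() {
  make_client_cert "$APP_UUID" "$WORKDIR"
  cn_matches_app "$WORKDIR/client-cert.pem" "$APP_UUID" || { echo "CN mismatch" >&2; exit 1; }
  echo "client certificate CN: $(cert_cn "$WORKDIR/client-cert.pem")"
  if [ -n "${KMIP_CA:-}" ] && command -v keytool >/dev/null 2>&1; then
    build_stores "$WORKDIR" "$STORE_PASS" "$KMIP_CA"
    echo "stores written to $WORKDIR (mode 600); move them to /etc/dse/dsm/ and chown to cassandra"
  else
    echo "set KMIP_CA=<path to the DSM CA chain> and install keytool to build the keystores" >&2
  fi
}
main
```

Run it as `APP_UUID=<app uuid> KMIP_CA=/path/to/kmipCA sh dsm_client_setup.sh`; without KMIP_CA it stops after the certificate step. The permission check matters because the keystore password in dse.yaml protects nothing if the keystore file itself is world-readable, so the stores and the PEM inputs should end up mode 600 and owned by the cassandra account.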
4.4 Test the Connection
- To test the connection, create a key on Fortanix DSM (for example, Testkey of type AES and size 256 bits), and then run the following command:
dsetool managekmip list fortanix
- Check the DataStax application audit logs in Fortanix DSM.
Figure 7: Audit log
- Delete or keep the key (Testkey) created in the above step for testing.
5.0 Encrypting Table
5.1 Creating a New Encrypted Table
Following is an example of creating a new encrypted table using a key from a KMIP server.
Example:
CREATE TABLE table1(
emp_id int PRIMARY KEY,
emp_name text,
emp_city text,
emp_sal varint,
emp_phone varint
)
WITH COMPRESSION =
{ 'class': 'Encryptor', 'key_provider': 'KmipKeyProviderFactory',
'kmip_host': 'fortanix',
'cipher_algorithm': 'AES',
'secret_key_strength': 128 };
Figure 8: KMIP key
The first column (ID) of the key listing matches the UUID of the key in Fortanix DSM.
5.2 Encrypt an Existing Table
Following is an example to create an unencrypted table and insert data into the table.
Example:
CREATE TABLE unencrypted( emp_id int PRIMARY KEY, emp_name text, emp_city text, emp_sal varint, emp_phone varint );
INSERT INTO unencrypted(emp_id, emp_name, emp_city, emp_phone, emp_sal) VALUES(1, 'Dan', 'Eindhoven', 12345678, 50000);
SELECT * FROM unencrypted;
To perform encryption without compression, run the following query:
ALTER TABLE unencrypted
WITH COMPRESSION =
{ 'class': 'Encryptor',
'key_provider': 'KmipKeyProviderFactory',
'kmip_host': 'fortanix',
'cipher_algorithm': 'AES',
'secret_key_strength': 192};
Figure 9: KMIP key
5.3 Encrypted Table Properties
The following example shows how to describe a keyspace to find out the encrypted table properties.
DESC KEYSPACE tutorialspoint ;
CREATE TABLE tutorialspoint.table1 (
emp_id int PRIMARY KEY,
emp_city text,
emp_name text,
emp_phone varint,
emp_sal varint
) WITH additional_write_policy = '99PERCENTILE'
AND bloom_filter_fp_chance = 0.01
AND caching = {'keys': 'ALL', 'rows_per_partition': 'NONE'}
AND comment = ''
AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'}
AND compression = {'chunk_length_in_kb': '64', 'cipher_algorithm': 'AES', 'class': 'org.apache.cassandra.io.compress.Encryptor', 'key_provider': 'KmipKeyProviderFactory', 'kmip_host': 'fortanix', 'secret_key_strength': '128'}
AND crc_check_chance = 1.0
AND default_time_to_live = 0
AND gc_grace_seconds = 864000
AND max_index_interval = 2048
AND memtable_flush_period_in_ms = 0
AND min_index_interval = 128
AND nodesync = {'enabled': 'true', 'incremental': 'true'}
AND read_repair = 'BLOCKING'
AND speculative_retry = '99PERCENTILE';
To check if the table is encrypted, run the following command:
cqlsh:tutorialspoint> DESCRIBE TABLE tutorialspoint.table1
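Reading DESCRIBE output by eye works for one table; across a keyspace it is easy to miss a table that was never altered and still uses a plain compressor, or one that points at a different kmip_host. The script below is an added example (not part of the Fortanix or DataStax guide) that queries the compression map of every table in a keyspace from system_schema.tables and classifies each as ENCRYPTED, PLAINTEXT or WRONG_HOST. It assumes cqlsh is on PATH and prints its usual text table; the sample output embedded in sample_output is constructed for this example, and the function names are inventions of it.

```shell
#!/bin/sh
# Added example, not part of the Fortanix or DataStax documentation.
# Audits which tables in a keyspace are NOT encrypted with the expected KMIP host.
# Assumptions: cqlsh is on PATH and `cqlsh -e` prints its usual text table;
# the sample output below is constructed for this example.
set -eu

# Query every table's compression map in a keyspace (real run; needs cqlsh).
fetch_compression() {
  ks="$1"
  cqlsh -e "SELECT table_name, compression FROM system_schema.tables WHERE keyspace_name = '$ks';"
}

# Read cqlsh table output on stdin and print one line per table:
#   <table_name> ENCRYPTED | PLAINTEXT | WRONG_HOST
# Only rows after the '----+----' separator that contain '|' are data rows.
classify_tables() {
  expected_host="$1"
  awk -F'|' -v needle="'kmip_host': '$expected_host'" '
    /^-+\+/ { body = 1; next }            # header separator line
    body && NF >= 2 {
      name = $1; gsub(/^[ \t]+|[ \t]+$/, "", name)
      if (name == "") next
      if ($2 !~ /Encryptor/)             status = "PLAINTEXT"
      else if (index($2, needle) == 0)   status = "WRONG_HOST"
      else                               status = "ENCRYPTED"
      print name " " status
    }'
}

# Print every table that is not ENCRYPTED and exit non-zero if there is any.
check_keyspace() {
  ks="$1"; host="$2"
  fetch_compression "$ks" | classify_tables "$host" \
    | awk '$2 != "ENCRYPTED" { print; bad = 1 } END { exit bad }'
}

# Constructed cqlsh output for an offline demonstration of classify_tables.
sample_output() {
  cat <<'EOF'

 table_name  | compression
-------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
      table1 | {'chunk_length_in_kb': '64', 'cipher_algorithm': 'AES', 'class': 'org.apache.cassandra.io.compress.Encryptor', 'key_provider': 'KmipKeyProviderFactory', 'kmip_host': 'fortanix', 'secret_key_strength': '128'}
      table2 | {'chunk_length_in_kb': '64', 'cipher_algorithm': 'AES', 'class': 'org.apache.cassandra.io.compress.Encryptor', 'key_provider': 'KmipKeyProviderFactory', 'kmip_host': 'other', 'secret_key_strength': '128'}
 unencrypted | {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'}

(3 rows)
EOF
}

# Usage: audit_encryption.sh audit <keyspace> <kmip_host>; with no arguments the
# constructed sample is classified instead, so the script runs without a cluster.
case "${1:-}" in
  audit) check_keyspace "$2" "$3" ;;
  *)     sample_output | classify_tables fortanix ;;
esac
```

Against a live node, `sh audit_encryption.sh audit tutorialspoint fortanix` prints nothing and exits 0 when every table in the keyspace is encrypted through the fortanix KMIP group, which makes it usable as a periodic compliance check.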