Fortanix Data Security Manager Using Delinea Secret Server

1.0 Introduction

This article describes how to integrate Fortanix Data Security Manager (DSM) with Delinea Secret Server to protect encryption key using Fortanix DSM.

2.0 Prerequisites

Ensure the following:

  • The Fortanix CNG Client must be installed and configured.
  • The port 443 must be accessible from the SQL target machine to Fortanix DSM.




    Port Number

    Load balancer (Yes/No)


    TCP Outbound 443 No

    HTTPS – Used for calling REST API. Delinea server will access the cluster/SaaS URL on this port.

    Each individual node will also need this port open.

3.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

3.1 Creating Groups

A group is a collection of security objects created by and accessible by users and applications that belong to the group. The user who creates a group automatically gets assigned the role of group administrator. You can add more users to the group in the role of administrators or auditors. You can also add applications to the group to enable the applications to create and use security objects in that group.

To add a group, specify the following:

  • The title of the group (required).
  • A short description for the group (not mandatory).
  • Users in your account as members.
  • Applications in your account to add to the group so that they can use the security objects in the group. Refer to “Section 3.2- Creating Appsto know the steps for creating the app.
  • Add a quorum approval policy (optional). A group administrator may enable a quorum approval policy for a group, which mandates that all security-sensitive operations in that group would require a quorum approval.


Figure 1: Adding New Group

3.2 Creating Apps

An application can use Fortanix DSM to generate, store, and use security objects, such as cryptographic keys, certificates, or an arbitrary secret. Examples of applications include web servers, PKI servers, key vaults, and so on. An application can interact with Fortanix DSM using the REST APIs or the PKCS#11, JCE, or CNG providers.

To add an application, specify the following:

  • Name of the application (required).
  • Type of the application. Select the value as interface.
  • A short description of the application.
  • Select the authentication method as API key.
  • Assign the app to the group as created in the “Section 3.1- Creating Groups.

After the application has been added, you can use the API key to authenticate the CNG client to Fortanix DSM and start making calls to do cryptographic operations.

Figure 2: Adding New App

3.3 Copying API Key

Note down the application’s API key to use later while configuring the Fortanix DSM client.

  1. Go to the detailed view of an app and click the COPY API KEY as shown below.
    Figure 3: Copy App API Key

4.0 Fortanix CNG Provider

The Fortanix CNG Provider must be installed on every target machine. Refer to to download the CNG Provider.

FortanixKmsClient.msi installs the Fortanix CNG Provider, as well as an EKM provider and the PKCS#11 library. Next, to configure the CNG client Fortanix CNG Provider communicates with Fortanix DSM for crypto operations.

4.1 Installing Fortanix CNG Client

Perform the following steps to complete the installation on your machine:

  1. On the Fortanix KMS Client Setup dialog box, click the Next button.
    Figure 4: Fortanix KMS Client Setup
  2. Select the checkbox for I accept the terms in the License Agreement and click the Next Button.
    Figure 5: Fortanix KMS Client Setup
  3. Enter the location for installing the Fortanix KMS Client as C:\Program Files\Fortanix\KMS Client\.
    Figure 6: Fortanix KMS Client Setup
  4. Click the Install button to install the Fortanix KMS client.
    Figure 7: Fortanix KMS Client Setup
  5. After the installation is done, click the Finish button.
    Figure 8: Fortanix KMS Client Setup

4.2 Configuring CNG Client

The Fortanix KMS Server URL and proxy information are configured in the Windows registry for the local machine or the current user.

  1. Run the following command to navigate to FortanixKmsClientConfig.exe file:

    cd C:\Program Files\Fortanix\KmsClient\

    The machine key store uses the local machine configuration, and the user key store uses the current user configuration.
    For example, run the following command to configure the Fortanix KMS Server URL for the local machine:

    FortanixKmsClientConfig.exe machine --api-endpoint {KMS_URL}


    KMS_URL refers to the Fortanix DSM URL. On-premises customers use KMS URL and SaaS customers can use the following URLs based on the region.

    For example,

    FortanixKmsClientConfig.exe machine --api-endpoint https://<fortanix_dsm_url>
  2. Run the following command to configure the Fortanix KMS Server URL for the current user:

    FortanixKmsClientConfig.exe user --api-endpoint {KMS_URL} 

    To configure proxy information, add --proxy or --proxy none to unconfigure proxy.

  3. Run the following command to configure the API key created in Section 3.3
    FortanixKmsClientConfig.exe machine --api-key <key>
  4. Run the following command for user key store:
    FortanixKmsClientConfig.exe user --api-key <key>

5.0 Enable Fortanix HSM

Perform the following steps:

  1. Log in to Delinea Secret Server.
  2. From the left pane menu, select Administration > Actions > Configuration > HSM. The Configuration page appears on the screen with the HSM tab selected by default.
  3. Click the Enable HSM button and click the Next button.
    Figure 9: Enable HSM Configuration
  4. Under the HSM Providers section:
    1. For Persistent Provider, select the Fortanix KMS CNG Provider option from the drop down menu.
      Figure 10: Select Provider
    2. Select the required Key size. For example, 2048.
  5. Click the Next button.
    The HSM provider is tested, and the results are displayed on the screen.
  6. Check the HSM Provider Test Results. For example:
    Figure 11: Test Results
  7. Click the Next button.
    A verification page appears on the screen.
  8. Click the Save button to update the HSM configuration.
    A confirmation page appears on the screen.
  9. Click the Finish button.
    Figure 12: Configured the Provider
    The Fortanix KMS CNG Provider is now enabled, and the Secret Server encryption key is stored in it. The configuration details appear on the Secret Server HSM tab.


Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful