Using Fortanix Data Security Manager with Venafi - HSM

1.0 Introduction

This article describes how to integrate Fortanix Data Security Manager (DSM) with Venafi. The integration describes steps to add Fortanix as an HSM connector within Venafi and then leverage that connector to secure the Venafi Trust Protection (TPP) database with an AES256 key stored within the Fortanix HSM system. It also contains the information that a user requires to:

• Create a group, app, security object in Fortanix DSM.
• Install Fortanix DSM on Venafi TPP.
• Configure Venafi.

2.0 Integration Steps

2.1 Create an App and Security Object in Fortanix DSM

Perform the following steps:

1. Log in to the Fortanix DSM UI.
2. Click the Groups tab. On the Groups page, click the create a new group icon to create a new group. 
   
   Figure 1: Create a Group in DSM
3. Click the Apps tab. On the Apps page, click the create a new app icon to create a new app.
   Enter the following information:
   • App name: This is the name to identify the EJBCA app.
   • Authentication method: This can be left at the default API Key.
   • Group: This is a logical construct that will contain keys created and owned by the Venafi cluster.
4. Click Save to complete creating the application. 
   
   Figure 2: Create New App
5. Note down the application’s API Key to use later.
   1. Go to the detailed view of an app and click the COPY API KEY as shown below.
      
      Figure 3: Copy App API Key
6. Create a security object in the group created above.
   
   Figure 4: Create Security Object

2.2 Install Fortanix DSM on Venafi TPP

Perform the following steps:

1. Log in to Venafi TPP node using the service account assigned to Venafi.
2. Install the Fortanix DSM Client software:
   1. Download the MSI from the URL
      https://support.fortanix.com/hc/en-us/articles/360018084132-CNG-EKM 
   2. Run the MSI package and accept the default values.
3. Configure the Fortanix DSM Client:
   1. Navigate to the Fortanix default client directory - C:\Program Files\Fortanix\KMSClient
   2. Execute the following commands to configure the Fortanix DSM client:

      FortanixKmsClientConfig.exe user --api-endpoint [Fortanix DSM URL]
      FortanixKmsClientConfig.exe user  --api-key

   3. An example of the Fortanix DSM URL is: https://amer.smartkey.iod

For more details refer to the Developer’s Guide: Microsoft CNG Key Storage Provider.

2.3 Configure Venafi

Perform the following steps:

1. Open the Venafi Configuration Console.
   
   Figure 5: Venafi Configuration Console
2. Click Connectors under the Venafi Configuration menu to create a Connector.
   
   Figure 6: Create Connector
3. Under Connectors, click Create HSM Connector. 
   
   Figure 7: Create HSM Connector
4. Enter the following information:
   1. Name – (user defined)
   2. Cryptoki Dll Path – Enter the PCKS#11 path
      Default - C:\Program Files\Fortanix\KmsClient\FortanixKmsPkcs11.dll
   3. Select Slot as 0 from the drop down menu.
   4. Select User Type as Crypto Officer (User) from the drop down menu.
   5. In the Pin field, enter the Fortanix API Key for Venafi that you copied in Section 2.1.
5. Click Verify.
   
   Figure 8: Create New HSM Connector

2.3.1 Create a new AES256 key in Venafi

Perform the following steps:

1. Click New Key to create a new key.
2. In the Create New HSM Key window, enter a Name for the key and click Create.
   
   Figure 9: Create AES256 Key
3. Click the Create button again to complete the key creation process.
   
   Figure 10: Key Created
4. Now, verify that the new HSM configuration is listed under Encryption Connectors.
   
   Figure 11: HSM Configuration Listed

2.3.2 Re-Encrypt the Venafi TPP Database with Fortanix HSM Key

Perform the following steps:

1. Select “Rotate TPP System Protection Key”.
   
   Figure 12: Rotate TPP System Protection Key
2. Enter a New key name and select the HSM Connector. Click Rotate.
   
   Figure 13: Rotate the Key