Using Fortanix Data Security Manager with Skyhigh Secure Web Gateway (SWG)

1.0 Introduction

This article describes how to integrate Fortanix Data Security Manager (DSM) with Skyhigh Secure Web Gateway (SWG) to deliver Hardware Security Module (HSM) capabilities. The HSM serves the purpose of safeguarding private keys utilized in SSL communication.

After it is installed, the HSM assumes responsibility for private key operations associated with the keys under its protection. To facilitate seamless integration with the hardware module, HSM software is installed on the Web Gateway.

2.0 Prerequisites

Ensure the following:

  • Command Line Interface (CLI) access to the Web Gateway.
  • Secure Web Gateway v12.2.3 (the supported version).

3.0 Accessing the Fortanix DSM UI

Access the Fortanix DSM website to administer Fortanix DSM, managing tasks such as API key creation, key operations, and settings and configurations. For detailed steps and procedures, refer to Getting Started with Fortanix Data Security Manager.

Perform the following steps:

  1. Log in to Fortanix DSM UI.
    Figure 1: Landing Screen
  2. Access the Apps menu to create or delete Fortanix DSM Apps. For more information, refer to the Section: Add an Application.
    Figure 2: Apps
  3. Access the Settings menu to modify the setting of the Fortanix DSM account.
    Figure 3: Settings
  4. Navigate to the Client Configuration section.
    Figure 4: Client Configuration

    For logging, enable the option and set the file log path to /opt/mwg/log/debug/fortanix/fortanix.log.
    Figure 5: Add Path

4.0 Loading the Private Key Identifiers

To enable SWG to utilize keys within Fortanix DSM, it is essential to enumerate the available keys in the SWG User Interface (UI).

Perform the following steps:

  1. Open the Skyhigh Secure Web Gateway User Interface (UI).
  2. Navigate to Configuration > Appliances > Hardware Security Module.
    Figure 6: Hardware Security Module
  3. Select the radio button for Start local HSM server.
    Figure 7: HSM Server
  4. From the Crypto Module drop down menu, select the Fortanix DSM (from Fortanix) option.
    Figure 8: Select Module
  5. Enter the Fortanix DSM App API key and click the Set button to confirm. To obtain this App API key, refer to Section 3.0: Accessing the Fortanix DSM UI, Step 2.
    Figure 9: Enter Fortanix DSM API Key
  6. Enter the Fortanix DSM App API Key as the Password and click the OK button.
    Figure 10: Enter Password
    To modify the Fortanix DSM App API Key, click the Change button.
    Figure 11: Modify Fortanix DSM API Key
  7. In the Keys to be loaded section, click the "+" icon to add the key as a string.
    Figure 12: Add Keys
  8. The format for adding keys is <engine-label>:<pkcs11-URI>.
    • The engine-label should be "pkcs11" to inform SWG that these are PKCS#11 keys.
    • Enter the key as a string using the format: pkcs11:pkcs11:object=<Key>. The value of 'Key' is the key label (name) of the key created in the Fortanix DSM UI.
      Figure 13: Add the String

5.0 Creating Certificate Using Fortanix DSM Private Keys

You can create certificates seamlessly in SWG using Fortanix DSM private keys by setting up the App API key and executing OpenSSL commands through CLI access.

Perform the following steps:

  1. Open the SWG backend through the CLI.
  2. In the root directory, create a new file named fortanix.cfg to store the API_KEY value as created in Section 3.0: Accessing the Fortanix DSM UI, Step 2:
    api_key = "API_KEY"
  3. Run the following command to set the file permissions:
    chmod 777 fortanix.cfg
  4. Run the following commands to set the number of PKCS#11 slots in the environment and confirm the value:
    # export FORTANIX_PKCS11_NUM_SLOTS=1
    # echo $FORTANIX_PKCS11_NUM_SLOTS
    1
  5. Start the OpenSSL prompt and load the Fortanix PKCS#11 engine:
    openssl1.1
    OpenSSL> engine -pre MODULE_PATH:/opt/fortanix/pkcs11/fortanix_pkcs11.so -pre VERBOSE pkcs11
    This command loads the engine and prints verbose information about it.
  6. Run the following OpenSSL "req" command to generate the certificate:
    OpenSSL> req -engine pkcs11 -keyform engine -new -key "pkcs11:object=<Key>;pin-value=file:///root/fortanix.cfg" -x509 -days 3650 -out FILENAME.crt -set_serial 0xdeadbeef
    This command successfully creates the certificate file.
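The key-string format of section 4.0 and steps 4 to 6 of section 5.0, as an added shell helper that is not part of the original article or of the Fortanix or Skyhigh products: it builds the SWG "Keys to be loaded" string and the PKCS#11 URI from a key label, rejects labels that would need percent-encoding inside the URI, and runs the engine load and the req command non-interactively by writing them to the openssl1.1 prompt on standard input. The function names, the sample label swg-tls and the assumption that openssl1.1 reads its commands from standard input exactly as it does interactively are mine; the paths, environment variable and flags are the article's.

```sh
#!/bin/sh
# Added helper (not from the article). Paths below are the ones the article uses.
FORTANIX_CFG=/root/fortanix.cfg                        # holds: api_key = "API_KEY"
PKCS11_MODULE=/opt/fortanix/pkcs11/fortanix_pkcs11.so  # Fortanix PKCS#11 engine module

# A key label is accepted only if it needs no percent-encoding inside a PKCS#11 URI;
# a space, ';', '%' or similar would change the meaning of the URI passed to OpenSSL.
valid_label() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# String entered in SWG under "Keys to be loaded": <engine-label>:<pkcs11-URI>
swg_key_string() {
    valid_label "$1" || return 1
    printf 'pkcs11:pkcs11:object=%s\n' "$1"
}

# PKCS#11 URI for openssl req; the PIN (the App API key) is read from the config file.
# Second argument overrides the config path (defaults to the article's /root/fortanix.cfg).
openssl_key_uri() {
    valid_label "$1" || return 1
    printf 'pkcs11:object=%s;pin-value=file://%s\n' "$1" "${2:-$FORTANIX_CFG}"
}

# Steps 4 to 6 of section 5.0 in one run: the engine load and the req command are
# fed to the openssl1.1 prompt on stdin (assumption: the prompt accepts piped input).
issue_cert() {
    label=$1
    out=$2
    uri=$(openssl_key_uri "$label") || { echo "unsupported key label: $label" >&2; return 1; }
    [ -r "$FORTANIX_CFG" ] || { echo "missing or unreadable $FORTANIX_CFG" >&2; return 1; }
    export FORTANIX_PKCS11_NUM_SLOTS=1
    printf '%s\n%s\n' \
        "engine -pre MODULE_PATH:$PKCS11_MODULE -pre VERBOSE pkcs11" \
        "req -engine pkcs11 -keyform engine -new -key \"$uri\" -x509 -days 3650 -out \"$out\" -set_serial 0xdeadbeef" \
        | openssl1.1
}

# Usage (needs the Fortanix PKCS#11 module and openssl1.1 installed on the gateway):
#   issue_cert swg-tls /root/swg-tls.crt
```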
