Using Fortanix Data Security Manager for Hewlett Packard Enterprise (HPE) Alletra 9000

1.0 Introduction

The Hewlett Packard Enterprise (HPE) Alletra 9000 is a comprehensive edge-to-core solution crafted to provide a cloud-like experience wherever your data resides. Specifically tailored for mission-critical tasks, the HPE Alletra 9000 ensures exceptionally low latency, robust reliability, and optimal performance density within a 4U enclosure. This solution empowers IT by transitioning from owning and managing data infrastructure to effortlessly accessing and utilizing it on-demand, following a flexible as-a-service model. Utilizing a unique, highly parallel, multi-node, and all-active platform, the HPE Alletra 9000 seamlessly consolidates traditional and next-gen mission-critical applications at scale, promising consistent performance and ultra-low latency, all backed by a 100% availability guarantee.

This article describes the steps for integrating Fortanix Data Security Manager (DSM) with HPE Alletra 9000 through KMIP server configuration.

It includes the details necessary for users to:

  • Add an application in Fortanix DSM.
  • Establish an SSL/TLS configuration in HPE Alletra 9000 using HPE CLI.
  • Set up a KMIP server and generate a key.

1.1 Why Use Fortanix DSM with HPE Alletra 9000

In today's cybersecurity landscape, where threats persist, there is a growing need for heightened security measures in both individual and corporate contexts. Enterprises must take proactive steps to fortify their perimeters, data center infrastructure, and hosted software applications, aligning with industry standards, security best practices, and their own security policies.

To ensure the security of customer data at rest, HPE 3PAR employs FIPS-certified self-encrypted drives (SEDs) and FIPS-certified KeyStore technologies, creating a secure environment within the data center. The protection of data at rest on HPE 3PAR and HPE Primera storage arrays involves two crucial components that play a pivotal role in preventing unauthorized access to secured data on the disks.
Through the collaborative efforts of HPE 3PAR and HPE Primera storage, along with the Fortanix DSM, a secure environment is established, eliminating the risk of unauthorized data access.

This integration document is designed for customers, guiding them in securing their information through HPE 3PAR and HPE Primera storage with Fortanix DSM.

1.2 Prerequisites

To successfully integrate Fortanix DSM with HPE Alletra 9000, ensure that you have the following:

  • Fortanix DSM
  • HPE Alletra 9000
  • Access to create a certificate for KMIP Server

2.0 Product Versions Tested

This integration has been tested on the following versions:

  • Fortanix DSM version 4.23.
  • HPE Alletra 9k release version

3.0 Configuring Fortanix DSM Account

Perform the following steps to facilitate KMIP clients' authentication using app username and password within Fortanix DSM:

  1. Log in to the Fortanix DSM UI.
  2. Click the Applications icon in the menu list, and then click the button to create a new application.
    For instructions on how to add a group or app, refer to the Fortanix DSM Getting Started Guide.
  3. Enter the following details:
    • App name: This is the name to identify your application.
    • Interface: KMIP
    • Authentication method: Select the default API Key as the authentication method.
    • Assigning the new app to groups: This group will own the keys created.
      Figure 1: Create an App
  4. Click VIEW API KEY DETAILS in Figure 1 above and copy the app Username (app UUID) to be used in Section 4.1: Configuring Encryption as the value of Common Name (CN) to generate a Certificate Signing Request (CSR).
    Also, copy the app Username (app UUID) and Password to be used in Section 4.1: Configuring Encryption to configure the Enterprise Key Manager (EKM)/Fortanix.
    Figure 2: Copy App Username (UUID) and Password
  5. Navigate to the Fortanix DSM app, click REGENERATE, and set the app Secret size to 16 bytes.
    Figure 3: Regenerate the Key
    Figure 4: Secret Key Size Change

4.0 Enabling the Security in HPE Alletra 9000

4.1 Configuring Encryption

Perform the following steps to prepare the HPE Alletra 9000 array for encryption:

  1. Log in to the HPE Alletra 9000 using SSH with the local 3paradm admin user account.
  2. Generate a Certificate Signing Request (CSR) using SSH or the HPE 3PAR CLI. This CSR will be signed later with your external Key Management System (KMS). The format of the createcert command is as follows:
    createcert ekm-client -csr -CN <common name> -C US -ST <State> -L <City> -O "<Company Name>" -OU <Dept>
    For example,
    createcert ekm-client -csr -CN 4208e3b2-6a27-448b-bbba-36aafe -C US -ST Texas -L Houston -O HPE -OU ATC
    The CN must match the UUID of the Fortanix app copied in the previous section.
    Figure 5: Certificate
  3. Run the following command to import the CA-Bundle for the EKM Server in HPE. The root and intermediate certificates must be imported one by one.
    importcert ekm-server -ca stdin
    Importing Root Certificate
    Figure 6: Root Certificate
    Importing Intermediate Certificate
    Figure 7: Intermediate Certificate
  4. Run the following command to import the certificate for the EKM client:
    importcert ekm-client -ca stdin
    Importing Root Certificate
    Figure 8: Root Certificate
    Importing Intermediate Certificate
    Figure 9: Intermediate Certificate
  5. Sign the CSR created in Step 2 with the same Certificate Authority (CA) imported above, and import the signed certificate (leaf certificate only) into HPE Alletra using the following command:
    importcert ekm-client stdin
    Figure 10: Import Signed Certificate
    Use the CLI command showcert to verify the presence of the ekm-client or ekm-server certificate.
    This command needs to be run from the HPE CLI.
  6. Run the following commands to verify the status of the drives present:
    shownode -drive
    Figure 11: Drive Status
    showpd -s
    Figure 12: Drive Status
  7. Run the following command to verify if EKM is configured:
    showencryption -d
    Figure 13: EKM Configuration Check
  8. Run the following command to configure the EKM/Fortanix:
    controlencryption setekm -setserver <Server FQDN/IP Address> -port 5696 -ekmuser <Username> -kmipprotocols 1.4 -passwordnoprompt <Password>
    Where <Username> and <Password> are the values copied previously while creating the app in Section 3.0: Configuring Fortanix DSM Account. For example:
    controlencryption setekm -setserver -port 5696 -ekmuser 487XXXXXX -kmipprotocols 1.4 -passwordnoprompt r8cXXXXXXXXXX
    Figure 14: Configure EKM
  9. Run the following command to verify if the EKM has been configured:
    showencryption -d
    Figure 15: Verify EKM Configuration 
  10. Run the following command to verify that all the certificates are successfully configured within HPE:
    Figure 16: Verify Certificate Configuration
  11. Run the following command to enable encryption on the HPE array:
    controlencryption enable -ekm firstinetgrationhpe9k
    Figure 17: Enable Encryption
  12. Run the following command to verify the task created for encryption (task ID 12436 here):
    waittask -v 12436
    Figure 18: Verify Encryption Task
    Output:
    Figure 19: Encryption Task Output
  13. Run the following command to verify if the drives have been encrypted:
    showpd -s
    Figure 20: Verify Drives Encryption
  14. View and confirm that all the keys have been created in Fortanix EKM:
    Figure 21: Key Successfully Created
    Figure 22: Key Detailed View
  15. Run the following command to verify if the restore of the backup was successful:
    controlencryption restore firstintegrationonhpe9k
    Figure 23: Verify Restore of the Backup
  16. Run the following command to confirm that task 12438 was successful:
    waittask -v 12438
    Figure 24: Review Task 12438
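
Steps 3 and 4 above require the root and intermediate certificates to be imported one by one. The following is an added example, not part of the original article or of any HPE or Fortanix tooling: it splits a PEM CA bundle into separate certificates, lists self-issued (issuer equals subject) roots first, and rejects a bundle that contains anything other than certificates, such as a private key. Signatures are not verified, and the sample bundle is constructed from unsigned placeholder certificates.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw issuer and subject Name encodings of an X.509 certificate."""
    _, pos, _ = tlv(der, 0)      # Certificate SEQUENCE
    _, pos, _ = tlv(der, pos)    # tbsCertificate SEQUENCE
    fields = []                  # serial, sigAlg, issuer, validity, subject
    while len(fields) < 5:
        tag, _, end = tlv(der, pos)
        if tag != 0xA0:          # skip the optional [0] version field
            fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def split_ca_bundle(text):
    """Split a PEM bundle into (role, pem) pairs, self-issued roots first."""
    roots, others = [], []
    for label, body in PEM_RE.findall(text):
        if label != "CERTIFICATE":  # e.g. a private key pasted into the bundle
            raise ValueError(f"unexpected {label} block in CA bundle")
        issuer, subject = issuer_and_subject(base64.b64decode("".join(body.split()), validate=True))
        pem = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
        (roots if issuer == subject else others).append(pem)
    return [("root", p) for p in roots] + [("intermediate", p) for p in others]

# Constructed sample input: unsigned placeholder certificates, not real CAs.
def enc(tag, *parts):
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def fake_cert(issuer_cn, subject_cn):
    name = lambda cn: enc(0x30, enc(0x31, enc(0x30, b"\x06\x03\x55\x04\x03", enc(0x0C, cn))))
    tbs = enc(0x30, enc(0xA0, b"\x02\x01\x02"), b"\x02\x01\x01", enc(0x30),
              name(issuer_cn), enc(0x30), name(subject_cn))
    b64 = base64.b64encode(enc(0x30, tbs)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

SAMPLE_BUNDLE = fake_cert(b"Example Root", b"Example Issuing CA") + fake_cert(b"Example Root", b"Example Root")
```

Each PEM string returned by split_ca_bundle can then be pasted on its own into one importcert ... -ca stdin session, root first.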

4.2 Rotating the Key

Perform the following steps to rotate the key in HPE Alletra 9000:

  1. Run the following command to take the backup of the key:
    controlencryption backup firstintegrationbackuphpe9k
    The backup file will be created with the name of firstintegrationbackuphpe9k.
  2. Run the following command to rotate the key:
    controlencryption rekey secondintegrationonhpe9k
    This will create a new task in HPE, and a new rotated key is created in Fortanix DSM.
    Figure 25: Rotate the Key
    Figure 26: New Rotated Key
  3. Run the following command to verify the task:
    showtask -d 12609
    Figure 27: Verify the Task
    Each task in HPE triggers a new task ID.

5.0 Group Key Encryption Key (KEK)

For additional security, you can also create a group KEK to encrypt all the apps within the HPE Alletra 9k group in Fortanix DSM. Perform the following steps:

Configure another group in Fortanix DSM, which will act as the Group Root Key. Refer to the following guide for the steps to configure the Group KEK.

Figure 28: Create Group KEK

After the group KEK is configured, the group will appear as shown below:
Figure 29: Group KEK Created

6.0 Verification Steps

Run the following HPE Alletra 9000 tests:

  1. Backup and restore:
    Take a backup of the key and restore it, as shown below:
    Figure 30: Backup and Restore
    Verify the logs from the Task ID as shown below:
    waittask -v 12652
    Figure 31: Verify the Logs
  2. Rotate the key on the HPE Alletra 9000 array:
    Figure 32: Rotate the Key
    Verify if the key has been created in Fortanix.
    Figure 33: Verify Key Rotation
  3. Rotate the Group KEK:
    Do not deactivate the original key after rotation.
    After the Group KEK rotation is successful, verify the backup and restore of the key again by repeating Step 1 above.
  4. Verify key rotation:
    Figure 34: Verify Key Rotation
  5. Proceed with Backup and restore operation again:
    Figure 35: Backup and Restore
  6. Verify that the Restore operation is successful:
    Figure 36: Restore Successful

