Using Fortanix Data Security Manager for Hewlett Packard Enterprise (HPE) Alletra 9000

1.0 Introduction

The Hewlett Packard Enterprise (HPE) Alletra 9000 is a comprehensive edge-to-core solution crafted to provide a cloud-like experience wherever your data resides. Specifically tailored for mission-critical tasks, the HPE Alletra 9000 ensures exceptionally low latency, robust reliability, and optimal performance density within a 4U enclosure. This solution empowers IT by transitioning from owning and managing data infrastructure to effortlessly accessing and utilizing it on-demand, following a flexible as-a-service model. Utilizing a unique, highly parallel, multi-node, and all-active platform, the HPE Alletra 9000 seamlessly consolidates traditional and next-gen mission-critical applications at scale, promising consistent performance and ultra-low latency, all backed by a 100% availability guarantee.

This article describes the steps for integrating Fortanix Data Security Manager (DSM) with HPE Alletra 9000 through KMIP server configuration.

It includes the details necessary for users to:

  • Add an application in Fortanix DSM.
  • Establish an SSL/TLS configuration in HPE Alletra 9000 using HPE CLI.
  • Set up a KMIP server and generate a key.

1.1 Why Use Fortanix DSM with HPE Alletra 9000

In today's cybersecurity landscape, where threats persist, there is a growing need for heightened security measures in both individual and corporate contexts. Enterprises must take proactive steps to fortify their perimeters, data center infrastructure, and hosted software applications, aligning with industry standards, security best practices, and their own security policies.

To ensure the security of customer data at rest, HPE 3PAR employs FIPS-certified self-encrypted drives (SEDs) and FIPS-certified KeyStore technologies, creating a secure environment within the data center. The protection of data at rest on HPE 3PAR and HPE Primera storage arrays involves two crucial components that play a pivotal role in preventing unauthorized access to secured data on the disks.
Through the collaborative efforts of HPE 3PAR and HPE Primera storage, along with the Fortanix DSM, a secure environment is established, eliminating the risk of unauthorized data access.

This integration document is designed for customers, guiding them in securing their information through HPE 3PAR and HPE Primera storage with Fortanix DSM.

1.2 Prerequisites

To successfully integrate Fortanix DSM with HPE Alletra 9000, ensure the following:

  • Fortanix DSM
  • HPE Alletra 9000
  • Access to create a certificate for KMIP Server

2.0 Product Versions Tested

This integration has been tested on the following versions:

  • Fortanix DSM version 4.23.
  • HPE Alletra 9k release version 9.5.18.20.

3.0 Configuring Fortanix DSM Account

Perform the following steps to facilitate KMIP clients' authentication using app username and password within Fortanix DSM:

  1. Log in to the Fortanix DSM UI.
  2. Click the Application icon from the menu list, and then click the add icon to create a new application.
    For instructions on how to add a group or app, refer to the Fortanix DSM Getting Started Guide.
  3. Enter the following details:
    • App name: This is the name to identify your application.
    • Interface: KMIP
    • Authentication method: Select the default API Key as the authentication method.
    • Assigning the new app to groups: This group will own the keys created.
      Figure 1: Create an App
  4. Click VIEW API KEY DETAILS in Figure 1 above and copy the app Username (app UUID); it is used in Section 4.1: Configuring Encryption as the Common Name (CN) value when generating a Certificate Signing Request (CSR).
    Also copy the app Username (app UUID) and Password; they are used in Section 4.1: Configuring Encryption to configure the Enterprise Key Manager (EKM)/Fortanix.
    Figure 2: Copy App Username (UUID) and Password
  5. Navigate to the Fortanix DSM app, click REGENERATE, and set the app Secret size to 16 bytes.
    Figure 3: Regenerate the Key
    Figure 4: Secret Key Size Change

4.0 Enabling Security in HPE Alletra 9000

4.1 Configuring Encryption

Perform the following steps to prepare the HPE Alletra 9000 array for encryption:

  1. Log in to the HPE Alletra 9000 using SSH with the local 3paradm admin user account.
  2. Generate a Certificate Signing Request (CSR) using SSH or the HPE 3PAR CLI. The resulting certificate is signed later for use with your external Key Management System (KMS). The format of the createcert command is as follows:
    createcert ekm-client -csr -CN <common name> -C US -ST <State> -L <City> -O "<Company Name>" -OU <Dept>
    For example:
    createcert ekm-client -csr -CN 4208e3b2-6a27-448b-bbba-36aafe -C US -ST Texas -L Houston -O HPE -OU ATC
    NOTE
    The CN must match the UUID of the Fortanix app copied in the previous section.
    Figure 5: Certificate
  3. Run the following command to import the CA bundle for the EKM server into HPE Alletra 9000. The root and intermediate certificates must be imported one at a time:
    importcert ekm-server -ca stdin
    Importing the root certificate:
    Figure 6: Root Certificate
    Importing the intermediate certificate:
    Figure 7: Intermediate Certificate
  4. Run the following command to import the CA certificates for the EKM client, again importing the root and intermediate certificates one at a time:
    importcert ekm-client -ca stdin
    Importing the root certificate:
    Figure 8: Root Certificate
    Importing the intermediate certificate:
    Figure 9: Intermediate Certificate
  5. Sign the CSR created in Step 2 with the same Certificate Authority (CA) imported above, and import the signed certificate (the leaf certificate only) into HPE Alletra using the following command:
    importcert ekm-client stdin
    Figure 10: Import Signed Certificate
    Use the CLI command showcert to verify the presence of the ekm-client or ekm-server certificate.
    NOTE
    This command needs to be run from the HPE CLI.
  6. Run the following commands to verify the status of the drives present:
    shownode -drive
    Figure 11: Drive Status
    showpd -s
    Figure 12: Drive Status
  7. Run the following command to verify whether EKM is configured:
    showencryption -d
    Figure 13: EKM Configuration Check
  8. Run the following command to configure the EKM/Fortanix:
    controlencryption setekm -setserver <Server FQDN/IP Address> -port 5696 -ekmuser <Username> -kmipprotocols 1.4 -passwordnoprompt <Password>
    where <Username> and <Password> are the values copied while creating the app in Section 3.0: Configuring Fortanix DSM Account.
    Example:
    controlencryption setekm -setserver 10.10.10.151 -port 5696 -ekmuser 487XXXXXX -kmipprotocols 1.4 -passwordnoprompt r8cXXXXXXXXXX
    Figure 14: Configure EKM
  9. Run the following command to verify that the EKM has been configured:
    showencryption -d
    Figure 15: Verify EKM Configuration
  10. Run the following command to verify that all the certificates are successfully configured within HPE:
    showcert
    Figure 16: Verify Certificate Configuration
  11. Run the following command to enable encryption on the HPE Alletra 9000:
    controlencryption enable -ekm firstinetgrationhpe9k
    Figure 17: Enable Encryption
  12. Run the following command to verify task 12436, which was created for the encryption operation:
    waittask -v 12436
    Figure 18: Verify Encryption Task
    Output:
    Figure 19: Encryption Task Output
  13. Run the following command to verify that the drives have been encrypted:
    showpd -s
    Figure 20: Verify Drives Encryption
  14. You can view and confirm in Fortanix DSM that all the keys have been created:
    Figure 21: Key Successfully Created
    Figure 22: Key Detailed View
  15. Run the following command to restore the backup and verify that the restore was successful:
    controlencryption restore firstintegrationonhpe9k
    Figure 23: Verify Restore of the Backup
  16. Run the following command to verify that task 12438 completed successfully:
    waittask -v 12438
    Figure 24: Review Task 12438
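Steps 8 and 9 turn the array into a KMIP 1.4 client that authenticates to Fortanix DSM on port 5696 with the app UUID and secret from Section 3.0. The following Python is an added example, not code from this article, Fortanix or HPE: it encodes the authenticated KMIP 1.4 Query request such a client sends and decodes it back, which makes visible that the app secret travels inside the KMIP message itself and is protected only by the TLS session whose trust the ekm-server CA import establishes. Tag and type numbers are taken from the KMIP 1.4 specification; the UUID and secret used when running it are constructed values.

```python
# Added example, not Fortanix or HPE code. Tag/type numbers are from the KMIP 1.4 spec.
import struct

REQ_MSG, REQ_HDR, PROTO_VER, VER_MAJOR, VER_MINOR = 0x420078, 0x420077, 0x420069, 0x42006A, 0x42006B
AUTH, CRED, CRED_TYPE, CRED_VALUE, USERNAME, PASSWORD = 0x42000C, 0x420023, 0x420024, 0x420025, 0x420099, 0x4200A1
BATCH_COUNT, BATCH_ITEM, OPERATION, REQ_PAYLOAD, QUERY_FN = 0x42000D, 0x42000F, 0x42005C, 0x420079, 0x420074
STRUCTURE, INTEGER, ENUMERATION, TEXT_STRING = 0x01, 0x02, 0x05, 0x07  # TTLV item types
OP_QUERY, CRED_USER_PASS, QUERY_OPERATIONS = 0x18, 0x01, 0x01  # enumeration values

def ttlv(tag, typ, value):
    """One TTLV item: tag (3 bytes) | type (1) | length (4, big-endian) | value padded to 8 bytes."""
    if typ == STRUCTURE:  # value is the already-encoded child items
        raw = value
    elif typ == TEXT_STRING:
        raw = value.encode("utf-8")
    else:  # INTEGER and ENUMERATION carry a 4-byte big-endian value
        raw = struct.pack(">I", value)
    header = tag.to_bytes(3, "big") + bytes([typ]) + struct.pack(">I", len(raw))
    return header + raw + b"\x00" * (-len(raw) % 8)

def build_query_request(app_uuid, app_secret):
    """Query request whose header authenticates with the DSM app UUID (username) and secret."""
    version = ttlv(PROTO_VER, STRUCTURE, ttlv(VER_MAJOR, INTEGER, 1) + ttlv(VER_MINOR, INTEGER, 4))
    cred_value = ttlv(CRED_VALUE, STRUCTURE,
                      ttlv(USERNAME, TEXT_STRING, app_uuid) + ttlv(PASSWORD, TEXT_STRING, app_secret))
    credential = ttlv(CRED, STRUCTURE, ttlv(CRED_TYPE, ENUMERATION, CRED_USER_PASS) + cred_value)
    header = ttlv(REQ_HDR, STRUCTURE,
                  version + ttlv(AUTH, STRUCTURE, credential) + ttlv(BATCH_COUNT, INTEGER, 1))
    payload = ttlv(REQ_PAYLOAD, STRUCTURE, ttlv(QUERY_FN, ENUMERATION, QUERY_OPERATIONS))
    item = ttlv(BATCH_ITEM, STRUCTURE, ttlv(OPERATION, ENUMERATION, OP_QUERY) + payload)
    return ttlv(REQ_MSG, STRUCTURE, header + item)

def decode(buf):
    """Parse TTLV bytes into [(tag, value), ...]; structures decode recursively."""
    items, pos = [], 0
    while pos < len(buf):
        tag, typ = int.from_bytes(buf[pos:pos + 3], "big"), buf[pos + 3]
        length = struct.unpack(">I", buf[pos + 4:pos + 8])[0]
        raw = buf[pos + 8:pos + 8 + length]
        value = (decode(raw) if typ == STRUCTURE else raw.decode("utf-8")
                 if typ == TEXT_STRING else struct.unpack(">I", raw)[0])
        items.append((tag, value))
        pos += 8 + length + (-length % 8)  # step over the value and its padding
    return items

def credential_from(msg_bytes):
    """What the KMIP server reads back: (major, minor, username, password) from the header."""
    hdr = dict(dict(decode(msg_bytes)[0][1])[REQ_HDR])
    ver, val = dict(hdr[PROTO_VER]), dict(dict(dict(hdr[AUTH])[CRED])[CRED_VALUE])
    return ver[VER_MAJOR], ver[VER_MINOR], val[USERNAME], val[PASSWORD]
```

Because the secret is a plain Text String inside the request, anyone who can terminate or intercept the TLS session to port 5696 reads it directly, so the CA imported with `importcert ekm-server -ca` is what pins the array to the genuine DSM endpoint.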

4.2 Rotating the Key

Perform the following steps to rotate the key in HPE Alletra 9000:

  1. Run the following command to take the backup of the key:
    controlencryption backup firstintegrationbackuphpe9k
    The backup file will be created with the name of firstintegrationbackuphpe9k.
  2. Run the following command to rotate the key:
    controlencryption rekey secondintegrationonhpe9k
    This creates a new task in HPE, and a new rotated key is created in Fortanix DSM.
    Figure 25: Rotate the Key
    Figure 26: New Rotated Key
  3. Run the following command to verify the task:
    showtask -d 12609
    Figure 27: Verify the Task
    NOTE
    Each operation in HPE creates a new task with its own task ID.

5.0 Group Key Encryption Key (KEK)

For additional security, you can also create a group KEK that encrypts the keys of all the apps within the HPE Alletra 9k group in Fortanix DSM. Perform the following steps:

Configure another group in Fortanix DSM to act as the Group Root Key. For the steps to configure the Group KEK, refer to the following guide:
https://support.fortanix.com/hc/en-us/articles/8144952406932-User-s-Guide-Group-Key-Encryption-Key

Figure 28: Create Group KEK

After the group KEK is configured, the group appears as shown below:
Figure 29: Group KEK Created

6.0 Verification Steps

Run the following tests on the HPE Alletra 9000:

  1. Backup and restore:
    Take a backup and restore of the key as shown below:
    Figure 30: Backup and Restore
    Verify the logs from the task ID as shown below:
    waittask -v 12652
    Figure 31: Verify the Logs
  2. Rotate the key on the HPE Alletra 9000 array:
    Figure 32: Rotate the Key
    Verify that the key has been created in Fortanix.
    Figure 33: Verify Key Rotation
  3. Rotate the Group KEK:
    NOTE
    Do not deactivate the original key after rotation.
    After the Group KEK rotation succeeds, verify backup and restore of the key again by repeating Step 1 above.
  4. Verify key rotation:
    Figure 34: Verify Key Rotation
  5. Proceed with the backup and restore operation again:
    Figure 35: Backup and Restore
  6. Verify that the restore operation is successful:
    Figure 36: Restore Successful
