Using Fortanix Data Security Manager with MongoDB Encryption at Rest - Windows

1.0 Introduction

This article describes how to integrate Fortanix Data Security Manager (DSM) with MongoDB for built-in encryption at rest.

2.0 Fortanix DSM with MongoDB

Data at rest refers to data that is stored on media such as hard drives or solid-state drives (SSDs). Ensuring the security of this data is of paramount importance, especially in today's data-driven world. MongoDB, a popular NoSQL database, provides various mechanisms to protect your data at rest on a Windows platform.

Encryption is the first line of defense for data at rest security. MongoDB offers built-in encryption at rest using WiredTiger encryption. To enable this feature, you will need to set up encryption key management and configure your MongoDB instance to use encryption.

3.0 Product Version Used for Testing

  • Fortanix has tested this integration on MongoDB Enterprise version 7.0.6.
  • Fortanix has tested this integration on DSM version 4.23.

4.0 Prerequisites

Ensure the following:

  • A Fortanix DSM account. For steps to create an account, refer to the Fortanix DSM Getting Started Guide.
  • Install OpenSSL on your Windows Server.

5.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM group, refer to the following sections:

5.1 Creating Groups

Perform the following steps to add a group to the Fortanix DSM:

  1. Navigate to the Groups menu item. Click the add button to create a new group.
  2. On the Adding new group page, enter the following details:
    • Name: The title of the group (required).
    • Description (optional): A short description of the group.
  3. Click the SAVE button.


Figure 1: Adding New Group

5.2 Creating Application (App)

Perform the following steps to add a MongoDB app to the Fortanix DSM:

  1. Navigate to the Apps menu item. Click the add button to create a new app.
  2. On the Adding new app page, enter the following details:
    • Name: Name of the application (required).
    • Interface: Select the value as KMIP.
    • Description: A short description of the application.
    • Authentication method: Select API Key as the authentication method.
    • OAuth: Enable this toggle button to allow users to authorize this app to perform actions on their behalf.
    • Assigning the new app to groups: Select the MongoDB group that you created in the previous section (for example, Mongo) and assign it to this app.
  3. Click the SAVE button.
    Figure 2: Adding New App
  4. Copy the UUID of the app. It is used as the Common Name of the client certificate when the app is switched to certificate authentication in the next section.
    Figure 3: App UUID

6.0 Generate the Certificate with App UUID as Common Name

You can generate either a self-signed certificate or a CA-signed certificate, as long as the CN contains the App UUID. The following steps generate a self-signed certificate:

  1. Run the following command to generate a client certificate using OpenSSL.
    openssl req -newkey rsa:2048 -nodes -keyout mongotest.key -x509 -days 365 -out mongotest.pem
    The system will prompt you to enter the Country Name, State or Province Name, Locality Name, and so on.
    It will also prompt you for the Common Name. Enter the App UUID that you copied in Section 5.2: Creating Application (App) as the value for the CN.
    Figure 4: Generate Certificate
  2. Upload the generated certificate mongotest.pem to the Fortanix DSM app and change the authentication method of the MongoDB app to Certificate:
    1. Navigate to the Apps menu item → Apps table. Click the MongoDB app created in Section 5.2: Creating Application (App).
    2. In the detailed view of the app, click the Change authentication method button and select the Certificate option from the drop-down menu.
      Figure 5: Update App Authentication Method
    3. Click the SAVE button.
    4. In the Add certificate dialog box, perform the following:
      1. Click the UPLOAD CERTIFICATE option to upload the certificate file from your system or paste the content of the certificate in the provided space as created in Step 1 above.
      2. Optionally, update the Expiration Setting for the previous authentication method.
      3. Read and select both the check boxes to confirm your understanding of changing the app authentication method.
      4. Click the UPDATE button to complete updating the app authentication method to the certificate.

7.0 Configuring Encryption in MongoDB Windows

  1. Run the following command to convert the certificate and its private key to PFX format.
    openssl pkcs12 -export -out mongotest.pfx -inkey mongotest.key -in mongotest.pem
    Figure 6: Convert Cert to PFX
  2. Copy the mongotest.pfx file to the Windows Server machine where MongoDB is installed.
  3. Run the following command on the Windows Server to import the mongotest.pfx file into the Windows certificate store.
    certutil.exe -importpfx -f -p <Password for the PFX> .\mongotest.pfx
    Where, mongotest.pfx is the PFX file.
  4. Run the following command to import the Fortanix DSM root CA certificate into the Windows Trusted Root Certification Authorities store:
    certutil.exe -addstore -f Root .\RootCA.pem
  5. After the certificate is imported, open the Windows Certificate Store and go to Personal → Certificates.
    You will find the certificate imported above.
    Figure 9: Certificate Imported
  6. Click the certificate and go to the details. You will find the thumbprint of the certificate as shown below.
    Figure 10: Certificate Thumbprint
  7. Capture the thumbprint and run the following command to start mongod with KMIP-backed encryption at rest.
    mongod --enableEncryption --kmipServerName integrationtest.eastus.cloudapp.azure.com --kmipPort 5696 --kmipClientCertificateSelector thumbprint=aobe20e64bcf04a674676f122h6g876 --dbpath D:\DBA
    Output:
    Figure 11: Certificate Thumbprint
    You can append -vvvvv to the end of the command to run it in debug (verbose logging) mode.
  8. This will create a security object in Fortanix DSM as shown below.
    Figure 12: Security Object Created
  9. Verify the key operations using the Activity Logs.
    Figure 13: Activity Logs for Key Operations

8.0 Mongo Master Key Rotation

  1. Run the following command to rotate the master key within MongoDB.
    mongod --enableEncryption --kmipServerName integrationtest.eastus.cloudapp.azure.com --kmipPort 5696 --kmipClientCertificateSelector thumbprint=28885b9c95b999b342da9ba9f4ac9bcdffa0e52b --dbpath D:\DBA --kmipRotateMasterKey
  2. After the command runs successfully, a new key is created within Fortanix DSM as shown below:
    Figure 14: Key Rotation
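As an added example (not part of the Fortanix article or the MongoDB tooling), the following PowerShell script automates Steps 5 to 7 of Section 7.0 and the rotation command of Section 8.0: it locates the imported client certificate by its CN (the DSM App UUID), checks that it is usable, and assembles the mongod argument list so the thumbprint is never copied by hand. The App UUID, KMIP server name and database path are placeholders you must replace, and mongod.exe is assumed to be on PATH.

```powershell
# Added example, not from the article: select the KMIP client certificate by the DSM App UUID
# and build the mongod command line from Sections 7.0 and 8.0. Placeholders are marked with <...>.

function Get-KmipClientThumbprint {
    param([Parameter(Mandatory)][string]$AppUuid)

    # certutil -importpfx places the certificate in the Personal (My) store; check both scopes.
    $candidates = Get-ChildItem -Path Cert:\LocalMachine\My, Cert:\CurrentUser\My |
        Where-Object { $_.Subject -match "CN=$([regex]::Escape($AppUuid))(,|$)" }
    if (-not $candidates) { throw "No certificate with CN=$AppUuid found in the Personal store." }

    # mongod needs the private key for the KMIP TLS handshake, and DSM rejects an expired
    # certificate, so require both before picking the longest-lived match.
    $usable = $candidates |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $usable) { throw "Certificate for $AppUuid exists but is expired or has no private key." }

    # A Windows certificate thumbprint is 40 hex characters (SHA-1); anything else is a paste error.
    if ($usable.Thumbprint -notmatch '^[0-9A-Fa-f]{40}$') {
        throw "Unexpected thumbprint format: $($usable.Thumbprint)"
    }
    return $usable.Thumbprint.ToLower()
}

function New-MongodKmipArguments {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$KmipServerName,
        [int]$KmipPort = 5696,
        [Parameter(Mandatory)][string]$DbPath,
        [switch]$RotateMasterKey   # Section 8.0: append --kmipRotateMasterKey
    )
    $argList = @(
        '--enableEncryption',
        '--kmipServerName', $KmipServerName,
        '--kmipPort', $KmipPort,
        '--kmipClientCertificateSelector', "thumbprint=$Thumbprint",
        '--dbpath', $DbPath
    )
    if ($RotateMasterKey) { $argList += '--kmipRotateMasterKey' }
    return $argList
}

# Usage with placeholder values (replace before running).
$thumb = Get-KmipClientThumbprint -AppUuid '<DSM App UUID>'
$mongodArgs = New-MongodKmipArguments -Thumbprint $thumb -KmipServerName '<dsm.example.com>' -DbPath 'D:\DBA'
& mongod.exe @mongodArgs
```

Add -RotateMasterKey to the New-MongodKmipArguments call to produce the Section 8.0 command instead of the normal start-up command.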
