Using Fortanix Data Security Manager as a KMS to Secure VMware Virtual Environments

1.0 Overview

The following instructions describe how to set up Fortanix Data Security Manager (DSM) as a KMS server in vSphere from the vSphere Web Client. There are two supported ways of authenticating vSphere to Fortanix DSM (establishing trust):

  • Using API Keys
  • Using Certificates

Once configured, Fortanix DSM can be used for both vSphere VM encryption and vSAN encryption.

2.0 Prerequisites

Create a Fortanix Data Security Manager account.

3.0 Create a Fortanix Data Security Manager App for VMware

There are two ways to configure Fortanix DSM for VMware encryption.

3.1 Method 1: Installation Through Wizard

3.1.1 Create an Instance

To create an app using the VMware wizard in Fortanix DSM SaaS:

  1. Sign up at https://smartkey.io/. This opens DSM SaaS for the AMER region; DSM SaaS supports multiple regions, and you should use the endpoint for your region.
  2. Log in to the Fortanix DSM UI.
  3. Click the Integrations tab in the left panel.
  4. On the Integrations page, click ADD INSTANCE on the VMware wizard.
  5. Enter the details as shown in the screenshot below:
    vmware_addinstance.png
    Figure 1: Add instance
    1. Add Instance: The name used to identify the instance being created.
    2. Authentication method: Select the desired authentication method. There are two options to choose from:
      • API key: Authenticates the application to the API Gateway with the app's API key.
      • Client Certificate: Authenticates the application to Fortanix DSM with a client certificate. Refer to Section 3.1.2.
  6. Click SAVE INSTANCE

3.1.2 Authenticate Using a Client Certificate

Perform the following steps to authenticate using a client certificate:

    1. First, create an instance with the Authentication method set to API Key. Creating an instance also creates a new group and app within Fortanix DSM.
    2. In the VMware instance table, under the Credentials column, for the instance created, click COPY API KEY.
    3. In the "Copy the API key" dialog box, select the USERNAME/PASSWORD tab and copy the Username (the app UUID).
    4. Continue to Step 1 in Section 5.1 to generate a client certificate whose CN is this app UUID.
    5. Now, go to the detailed view of the app that the instance automatically created.
    6. In the app's detailed view, click Change the authentication method and select Certificate.
    7. Click SAVE.
    8. In the Add certificate dialog box, copy or upload the client certificate generated in Step 4 above into the Upload certificate text box and update the authentication method.

3.1.3 VMware Wizard Instance Detailed View

In the instance detailed view page, the instances created are listed as shown below:

vmware_detailed_instance.png
Figure 2: Detailed instance

In the instance details you will notice the following:

  • Credentials: Shows the app authentication method in use.
    • Click CERTIFICATE to download the client certificate. This is available only if the app authentication method is Client Certificate.
    • Click COPY API KEY to copy the API key. This is available only if the app authentication method is API Key.
  • MANAGE: Click MANAGE to manage the keys created for this instance.
  • Instance status: To disable the instance, click the Disabled toggle.

To delete the instance created, select the instance and click DELETE SELECTED. Note that deleting an instance will delete the App, Group, and all security objects belonging to the instance and all key material will become inaccessible.

3.2 Method 2: Manual Installation

3.2.1 Create an App

  1. Inside the Fortanix DSM account, go to the Applications tab and create a new Fortanix DSM app.
  2. In the Adding new app form, for the Interface field choose KMIP and for the Authentication method option select API key.
    • API key: Authenticates the application to the API Gateway with the app's API key. To authenticate the application to Fortanix DSM with a client certificate instead, refer to Section 3.2.2.
  3. Click SAVE to complete creating the app.
    create_app.png
    Figure 3: Create App

3.2.2 Authenticate Using a Client Certificate

Perform the following steps to authenticate using a client certificate:

  1. Go to the detailed view of the app created in Section 3.2.1 and click COPY API KEY.
  2. In the "Copy the API key" dialog box, select the USERNAME/PASSWORD tab and copy the Username (the app UUID).
  3. Continue to Step 1 in Section 5.1 to generate a client certificate whose CN is this app UUID.
  4. In the app's detailed view, click Change the authentication method and select Certificate.
  5. Click SAVE.
  6. In the Add certificate dialog box, copy or upload the client certificate generated in Step 3 above into the Upload certificate text box and update the authentication method.

4.0 Configuring KMS in vCenter Using Password

4.1 Obtain App Credentials

Go back to the “Applications” page and click VIEW CREDENTIALS of the app you just created. Then, click the USERNAME/PASSWORD tab as shown below.

2.png
Figure 4: Obtain app credentials

4.2 Configure Fortanix DSM in vCenter

You may configure Fortanix DSM as an external KMS in vCenter using the vSphere Client UI.

  1. Log in to vCenter using the vSphere Client UI.
  2. Navigate to Configure -> Key Providers.
    ClientUI.png
    Figure 5: vSphere Client UI
     
  3. In the Key Management ADD STANDARD KEY PROVIDER form, enter the following details:
    • Name: A name for the key provider, for example DSM.
    • Address: The IP address or hostname of the Fortanix DSM cluster you are using. SaaS customers use the URL for their region.
    • Port: 5696 (KMIP over TLS).
    • Username: The Username shown on the USERNAME/PASSWORD tab of the Fortanix DSM app (the app UUID).
    • Password: The Password shown on the same tab of the Fortanix DSM app.
      KMS_Config_Details1.png
      Figure 6: Key Management configuration details


      UserNameSDKMS.png
      Figure 7: Username and Password from Data Security Manager


      KMS_Config_Details2.png
      Figure 8: Key Management configuration details
       
  4. Click Add Key Provider.
  5. Establish trust between Fortanix DSM and vCenter by clicking Establish Trust -> Make vCenter Trust KMS, then click TRUST.
    TrustKMS.png
    Figure 9: Establish Trust

5.0 Configuring KMS in vCenter using Client Certificate

5.1 Generate Client Certificate and Create a Cluster

  1. To generate a client certificate, use OpenSSL to create a new private key and self-signed certificate whose CN is the app UUID copied earlier (the UUID below is an example; substitute your app's UUID):
    $ export FORTANIX_APP_UUID=ce59838b-1d24-49a7-9fb1-011adbc891e6

    $ openssl req -newkey rsa:2048 -nodes -keyout private.key -x509 \
        -days 365 -out certificate.crt -subj \
        "/C=US/ST=California/L=Mountain View/O=Fortanix, Inc./OU=SE/CN=$FORTANIX_APP_UUID"
    Because of -nodes, private.key is written unencrypted; it is the identity vCenter will present to Fortanix DSM, so restrict its permissions and delete local copies once it has been imported into vCenter.
  2. Copy or upload certificate.crt into the Upload certificate text box for the Fortanix DSM app and save the details.
  3. Create a new key provider (Key Management Service), make it DEFAULT, and make sure the User name and Password fields are empty, since authentication is by client certificate.
    Vmware-KMS-4.png
    Figure 10: Create key management service
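As an added example (not Fortanix or VMware code), the following POSIX shell script wraps the OpenSSL step above and adds the checks a practitioner wants before uploading the certificate: it generates the key pair and self-signed certificate with CN set to the app UUID, verifies that the CN really equals the UUID, verifies that the private key pairs with the certificate, records the fingerprint, and, only if DSM_HOST is set, probes the DSM KMIP port with the new client certificate. The UUID, file names and the DSM_HOST variable are assumptions; it needs only openssl on PATH.

```shell
#!/bin/sh
# Added example, not Fortanix or VMware code: generate the KMIP client
# certificate for a Fortanix DSM app and verify it before uploading it.
# Assumptions: openssl is on PATH; the UUID below is a placeholder for the
# app UUID copied from the DSM app's USERNAME/PASSWORD tab.
set -eu

FORTANIX_APP_UUID="${FORTANIX_APP_UUID:-ce59838b-1d24-49a7-9fb1-011adbc891e6}"

# make_client_cert UUID PREFIX DAYS: writes PREFIX.key and PREFIX.crt with CN=UUID.
make_client_cert() {
  umask 077   # the key is the KMIP client identity: owner-readable only
  openssl req -newkey rsa:2048 -nodes -keyout "$2.key" -x509 -days "$3" \
    -out "$2.crt" \
    -subj "/C=US/ST=California/L=Mountain View/O=Fortanix, Inc./OU=SE/CN=$1" \
    >/dev/null 2>&1
}

# cert_cn CERT: prints the subject CN. RFC 2253 output lists CN first and
# escapes the comma in "Fortanix, Inc.", so the first comma ends the CN.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# key_matches_cert KEY CERT: succeeds only if KEY's public half is the one in CERT
# (both commands emit the SubjectPublicKeyInfo as PEM, so the digests compare).
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256)
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null | openssl dgst -sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_fingerprint CERT: SHA-256 fingerprint to record with the change.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# verify_client_cert CERT KEY UUID: the two checks that catch the common
# upload mistakes (wrong CN, or a cert that does not belong to the key).
verify_client_cert() {
  cn=$(cert_cn "$1")
  if [ "$cn" != "$3" ]; then
    echo "CN is '$cn', expected app UUID '$3'; DSM will not map it to the app" >&2
    return 1
  fi
  if ! key_matches_cert "$2" "$1"; then
    echo "$2 does not match $1" >&2
    return 1
  fi
}

# probe_kmip_tls HOST CERT KEY: optional live check that the DSM KMIP endpoint
# on 5696 completes a TLS handshake with this client certificate.
probe_kmip_tls() {
  openssl s_client -connect "$1:5696" -servername "$1" -cert "$2" -key "$3" \
    </dev/null >/dev/null 2>&1
}

out=$(mktemp -d)
make_client_cert "$FORTANIX_APP_UUID" "$out/vcenter-kmip" 365
verify_client_cert "$out/vcenter-kmip.crt" "$out/vcenter-kmip.key" "$FORTANIX_APP_UUID"
echo "ready to upload: CN=$(cert_cn "$out/vcenter-kmip.crt")"
echo "fingerprint: $(cert_fingerprint "$out/vcenter-kmip.crt")"
[ -z "${DSM_HOST:-}" ] || probe_kmip_tls "$DSM_HOST" "$out/vcenter-kmip.crt" "$out/vcenter-kmip.key"
```

The CN check matters because DSM identifies the app by the certificate's CN: a certificate with any other CN will upload without complaint and then fail at connection time. The key/cert pairing check catches the case where a renewed certificate is uploaded to vSphere together with an older key.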

5.2 Establishing Trust with Fortanix Data Security Manager

  1. To import the key and certificate into vSphere, click Establish Trust > Make KMS trust vCenter > KMS Certificate and Private Key.
    Vmware-KMS5.png
    Figure 11: Initiate importing cert and private key
  2. Import the certificate and private key and establish trust.
    Vmware-KMS6.png
    Figure 12: Importing cert and private key

6.0 Setting up Encrypted VM

  1. Create a VM and select the default VM Encryption Policy.
    Vmware-KMS7.png
    Figure 13: Create a VM
  2. The VM is successfully created.
    Vmware-KMS8.png
    Figure 14: VM created
  3. Log in to Fortanix DSM to see the audit logs for the connection, which record the crypto operations performed by the application, and the key that was created.
    Vmware-KMS9.1.png
    Figure 15: Audit logs showing crypto operations
    security_object_created.png
    Figure 16: Key created

7.0 Renewing the VM Trust Certificates

If the KMS certificate has expired, the connection status changes and vSphere shows the key provider as Not Connected, as in the following figure:

error screen.png

Figure 17: Error Screen

  1. Click the renew option to renew the KMS certificate:
    renew KMS certificate.png
    Figure 18: Renew KMS Certificate
  2. After the KMS certificate is updated, click TRUST in the dialog box to confirm the updated KMS certificate.
    trust button.png
    Figure 19: Trust Button
    image (3).png
    Figure 20: Connection Status
  3. If the KMS application (client) certificate has expired, run the following OpenSSL command to create a new certificate and private key with the same app UUID as the CN, so that Fortanix DSM maps the new certificate to the same app:
    $ export FORTANIX_APP_UUID=ce59838b-1d24-49a7-9fb1-011adbc891e6   # the same app UUID used in Section 5.1
    $ openssl req -newkey rsa:2048 -nodes -keyout renewsdkms.key -x509 -days 365 \
        -out renewsdkms.crt -subj \
        "/C=US/ST=California/L=Mountain View/O=Fortanix, Inc./OU=SE/CN=$FORTANIX_APP_UUID"
  4. Upload renewsdkms.crt to the Fortanix DSM app associated with VMware.
  5. Upload the same renewsdkms.crt and renewsdkms.key in vSphere as shown in the following figure:
    image (2).png
    Figure 21: Upload the Certificates
  6. After the KMS Certificate and KMS Private Key are uploaded, click the ESTABLISH TRUST button.
  7. After the trust is established, the connection is updated as shown in the following figure:
    image.png
    Figure 22: Updated Connection Status
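As an added example (not Fortanix or VMware code), the following POSIX shell script turns the renewal procedure above into something you can run from a cron job: it reports whether the KMIP client certificate expires within a threshold, and if so generates a replacement key and certificate whose CN is read from the old certificate, so the app UUID is carried over even when nobody remembers it. The file names, the 30-day threshold and the short-lived certificate it constructs for the demo are assumptions; only openssl is required.

```shell
#!/bin/sh
# Added example, not Fortanix or VMware code: flag a KMIP client certificate
# that is about to expire and renew it with the same CN (the app UUID), which
# is what keeps Fortanix DSM mapping the new certificate to the existing app.
# Assumptions: openssl is on PATH; file names and the 30-day threshold are
# illustrative.
set -eu

# cert_cn CERT: subject CN, i.e. the app UUID the cert was issued for.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# needs_renewal CERT DAYS: succeeds if CERT expires within DAYS days.
# `openssl x509 -checkend` exits non-zero when the cert will have expired by
# then, so the result is inverted; this also sidesteps GNU/BSD date parsing.
needs_renewal() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# renew_client_cert OLD_CERT PREFIX DAYS: new key and self-signed cert with
# the same subject CN as OLD_CERT. Writes PREFIX.key / PREFIX.crt, prints CN.
renew_client_cert() {
  uuid=$(cert_cn "$1")
  [ -n "$uuid" ] || { echo "cannot read CN from $1" >&2; return 1; }
  umask 077   # new private key: owner-readable only
  openssl req -newkey rsa:2048 -nodes -keyout "$2.key" -x509 -days "$3" \
    -out "$2.crt" \
    -subj "/C=US/ST=California/L=Mountain View/O=Fortanix, Inc./OU=SE/CN=$uuid" \
    >/dev/null 2>&1
  echo "$uuid"
}

# Demo on a constructed 7-day cert standing in for the one currently in vCenter.
work=$(mktemp -d)
old_uuid=ce59838b-1d24-49a7-9fb1-011adbc891e6   # placeholder app UUID
openssl req -newkey rsa:2048 -nodes -keyout "$work/old.key" -x509 -days 7 \
  -out "$work/old.crt" -subj "/CN=$old_uuid" >/dev/null 2>&1

if needs_renewal "$work/old.crt" 30; then
  new_uuid=$(renew_client_cert "$work/old.crt" "$work/renewsdkms" 365)
  # Same app UUID: upload renewsdkms.crt to the DSM app, then both files to vSphere.
  [ "$new_uuid" = "$old_uuid" ]
  echo "renewed for app $new_uuid: $(openssl x509 -in "$work/renewsdkms.crt" -noout -enddate)"
else
  echo "client certificate still valid for more than 30 days"
fi
```

Run the check well before the expiry date: once the certificate has lapsed the key provider shows Not Connected and encrypted VMs cannot be powered on until the new certificate is in place on both sides.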

Watch Fortanix Data Security Manager VSAN KMIP demo
