1.0 Overview
The following instructions describe how to set up Fortanix Data Security Manager (DSM) as a KMS server in vSphere from the vSphere Web Client. There are two proven ways of establishing trust between vSphere and Fortanix DSM, that is, of authenticating vSphere to Fortanix DSM:
- Using API Keys
- Using Certificates
After setting up, Fortanix DSM can be used for both vSphere VM encryption and VSAN encryption.
2.0 Prerequisites
Create a Fortanix Data Security Manager account.
3.0 Create a Fortanix Data Security Manager App for VMware
There are two ways to configure Fortanix DSM for VMware encryption.
3.1 Method 1: Installation Through Wizard
3.1.1 Create an Instance
To create an app using the VMware wizard in Fortanix DSM SaaS:
- Sign up at https://smartkey.io/. This opens DSM SaaS for the AMER region. DSM SaaS supports multiple regions; the regional URLs are listed in Section 4.2.
- Log in to the Fortanix DSM UI.
- Click the Integrations tab in the left panel.
- On the Integrations page, click ADD INSTANCE on the VMware wizard.
- Enter the details as shown in the screenshot below:
Figure 1: Add instance
- Add Instance: This is the name to identify the instance created.
- Authentication method: Select the desired authentication method. There are two options to choose from:
- API key: This method is used to authenticate the application with the API Gateway.
- Client Certificate: This method is used to authenticate the application with Fortanix DSM using a Client Certificate. Refer to Section 3.1.2.
- Click SAVE INSTANCE.
3.1.2 Authenticate Using a Client Certificate
Perform the following steps to authenticate using a client certificate:
- First, create an instance with the Authentication method set to API Key. Creating an instance also creates a new group and app within Fortanix DSM.
- In the VMware instance table, under the Credentials column, for the instance created, click COPY API KEY.
- In the "Copy the API key" dialog box, select the USERNAME/PASSWORD tab and copy the Username (app UUID).
- Continue to Step 1 in Section 5.0 to generate a client certificate.
- Now, go to the detailed view of the app that the instance automatically created.
- In the app's detailed view, click Change the authentication method and select Certificate to change the authentication method to Certificate.
- Click SAVE.
- In the Add certificate dialog box, copy or upload the vCenter Certificate generated in Step 4 above into the Upload certificate text box and update the authentication method.
3.1.3 VMware Wizard Instance Detailed View
In the instance detailed view page, the instances created are listed as shown below:
Figure 2: Detailed instance
In the instance details you will notice the following:
- Credentials: This is the App authentication method used.
- Click CERTIFICATE to download the Client Certificate. This is applicable only if the App authentication method used is a Client Certificate.
- Click COPY API KEY to copy the API key. This is applicable only if the App authentication method used is API Key.
- MANAGE: Click MANAGE to manage the keys created.
- Instance status: To disable the instance created, click the toggle Disabled.
To delete the instance created, select the instance and click DELETE SELECTED. Note that deleting an instance will delete the App, Group, and all security objects belonging to the instance and all key material will become inaccessible.
3.2 Method 2: Manual Installation
3.2.1 Create an App
- Inside the Fortanix DSM account, go to the Applications tab and create a new Fortanix DSM app.
- In the Adding new app form, for the Interface field choose KMIP and for the Authentication method option select API key.
- API key: This method is used to authenticate the application with the API Gateway. To authenticate the application with Fortanix DSM using a Client Certificate instead, refer to Section 3.2.2.
- Click SAVE to complete creating the app.
Figure 3: Create App
3.2.2 Authenticate Using a Client Certificate
Perform the following steps to authenticate using a client certificate:
- Go to the detailed view of the app created in Section 3.2.1 and click COPY API KEY.
- In the "Copy the API key" dialog box, select the USERNAME/PASSWORD tab and copy the Username (app UUID).
- Continue to Step 1 in Section 5.0 to generate a client certificate.
- In the app's detailed view, click Change the authentication method and select Certificate to change the authentication method to Certificate.
- Click SAVE.
- In the Add certificate dialog box, copy or upload the vCenter Certificate generated in Step 3 above into the Upload certificate text box and update the authentication method.
4.0 Configuring KMS in vCenter Using Password
4.1 Obtain App Credentials
Go back to the “Applications” page and click VIEW CREDENTIALS of the app you just created. Then, click the USERNAME/PASSWORD tab as shown below.
Figure 4: Obtain app credentials
4.2 Configure Fortanix DSM in vCenter
You may configure Fortanix DSM as an external KMS in vCenter using the vSphere Client UI.
- Log in to vCenter using vSphere Client UI.
- Navigate to Configure -> Key Providers.
Figure 5: vSphere Client UI
- In the Key Management ADD STANDARD KEY PROVIDER form, enter the following details:
- Name: Name of KMS - DSM
- Address: Either the IP address or URL of the Fortanix DSM cluster you are using. For example, SaaS customers can use the following URLs based on the region:
- Europe: https://eu.smartkey.io/
- APAC: https://apac.smartkey.io/
- United States of America: https://amer.smartkey.io/
- Port: 5696
- Username: Copy the value from the Fortanix DSM App
- Password: Copy the value from the Fortanix DSM App
Figure 6: Key Management configuration details
Figure 7: Username and Password from Data Security Manager
Figure 8: Key Management configuration details
- Click Add Key Provider.
- Establish trust between Fortanix DSM and vCenter by clicking Establish Trust -> Make vCenter Trust KMS. Click TRUST.
Figure 9: Establish Trust
5.0 Configuring KMS in vCenter using Client Certificate
5.1 Generate Client Certificate and Create a Cluster
- To generate a client certificate, use OpenSSL to create a new key and self-signed certificate whose CN is the app UUID (FORTANIX_APP_UUID, the Username copied from the app's credentials):
$ export FORTANIX_APP_UUID=ce59838b-1d24-49a7-9fb1-011adbc891e6
$ openssl req -newkey rsa:2048 -nodes -keyout private.key -x509 \
    -days 365 -out certificate.crt -subj \
    "/C=US/ST=California/L=Mountain View/O=Fortanix, Inc./OU=SE/CN=$FORTANIX_APP_UUID"
- Copy or upload the vCenter Certificate (certificate.crt) into the Upload certificate text box for the Fortanix DSM app and save the details.
- Create a new Key Management Service, make it DEFAULT, and make sure the fields User name and Password are empty.
Figure 10: Create key management service
5.2 Establishing Trust with Fortanix Data Security Manager
- To import the key+cert to vSphere click Establish Trust > Make KMS trust vCenter > KMS Certificate and Private Key.
Figure 11: Initiate importing cert and private key
- Import the certificate and private key and establish trust.
Figure 12: Importing cert and private key
6.0 Setting up Encrypted VM
- Create a VM and select the default VM Encryption Policy.
Figure 13: Create a VM
- The VM is successfully created.
Figure 14: VM created
- Log in to Fortanix DSM to see the connection's audit logs, which capture all the crypto operations performed by the application, and the key that was created.
Figure 15: Audit logs showing crypto operations
Figure 16: Key created
7.0 Renewing the VM Trust Certificates
If your KMS certificate has expired, the connection status changes and VMware shows the error Not Connected, as shown in the following figure:
Figure 17: Error Screen
- Click the radio button to renew the KMS certificate:
Figure 18: Renew KMS Certificate
- After the KMS certificate is updated, click the Trust button to confirm the updated KMS certificates in the prompted dialog box.
Figure 19: Trust Button
Figure 20: Connection Status
- In case the KMS application certificate has expired, run the following command to create a new certificate and private key using OpenSSL with the same UUID of the app (FORTANIX_APP_UUID, as exported in Section 5.1) as the CN:
$ openssl req -newkey rsa:2048 -nodes -keyout renewsdkms.key -x509 -days 365 \
    -out renewsdkms.crt -subj \
    "/C=US/ST=California/L=Mountain View/O=Fortanix, Inc./OU=SE/CN=$FORTANIX_APP_UUID"
- Upload renewsdkms.crt to the Fortanix DSM application (app) associated with VMware.
- Upload the same renewsdkms.crt and renewsdkms.key certificates in VMware as shown in the following figure:
Figure 21: Upload the Certificates
- After the KMS Certificate and KMS Private Key are uploaded, click the ESTABLISH TRUST button.
- After the trust is established, the connection is updated as shown in the following figure:
Figure 22: Updated Connection Status
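The script below is an added example and is not part of the Fortanix or VMware documentation. It generates the client certificate with CN set to the app UUID as in Section 5.1 and then performs the checks a practitioner wants before uploading to DSM and vCenter: the CN really is the app UUID, the private key belongs to the certificate, and the certificate is not within a chosen number of days of expiry (the condition that triggers the Section 7 renewal). The UUID given on the command line and the kms.* file names are placeholders; it assumes the openssl binary is on the PATH.

```shell
#!/bin/sh
# Added example (not from the Fortanix/VMware guide). Generates the vCenter
# client certificate with CN = Fortanix DSM app UUID (Section 5.1) and checks it
# before upload: CN matches the UUID, key matches cert, not close to expiry
# (the condition that triggers the Section 7 renewal). The UUID passed on the
# command line is a placeholder for the app's Username (app UUID) from DSM.
set -eu

# Generate key + self-signed cert valid 365 days, CN = app UUID.
# $1 = app UUID, $2 = output basename (writes $2.key and $2.crt)
gen_client_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$2.key" -x509 -days 365 \
    -out "$2.crt" -subj "/C=US/O=Fortanix, Inc./OU=SE/CN=$1" 2>/dev/null
}

# Print the CN from the certificate subject ($1 = cert file).
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeed only if $2 (key file) is the private key for $1 (cert file):
# compare hashes of the public key derived from each.
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ "$c" = "$k" ]
}

# Succeed only if $1 (cert file) remains valid for at least $2 more days.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Run all checks: $1 = app UUID, $2 = cert, $3 = key, $4 = minimum days left.
# Prints the first failing check and returns 1, or prints OK and returns 0.
check_client_cert() {
  [ "$(cert_cn "$2")" = "$1" ] ||
    { echo "FAIL: certificate CN is not the app UUID $1"; return 1; }
  key_matches_cert "$2" "$3" ||
    { echo "FAIL: private key does not match certificate"; return 1; }
  cert_valid_for_days "$2" "$4" ||
    { echo "FAIL: certificate expires within $4 days, renew it (Section 7)"; return 1; }
  echo "OK: CN=$1, key matches certificate, valid for more than $4 days"
}

# Usage: sh kms_cert_check.sh <app-uuid>  (writes kms.key and kms.crt in cwd)
if [ $# -ge 1 ]; then
  gen_client_cert "$1" kms && check_client_cert "$1" kms.crt kms.key 30
fi
```

Run check_client_cert again on the files already uploaded whenever the connection status changes to Not Connected; a FAIL on the expiry check means the Section 7 renewal is due rather than a trust or network problem.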