Using Fortanix Data Security Manager for InterSystems Cache using KMIP

Introduction

InterSystems Cache is a high-performance database that powers transaction processing applications around the world. It is used for everything from mapping a billion stars in the Milky Way, to processing a billion equity trades in a day, to managing smart energy grids.

InterSystems Cache powers customers’ most mission-critical applications with the ability to store, use, and analyze transactional and historical data concurrently in whatever forms required. High-speed SQL runs consistently and seamlessly across all data models.

Why Use Fortanix Data Security Manager (DSM) with InterSystems Cache

InterSystems Cache supports encryption of data at rest. It supports a keyring service that enables internal server components and plugins to securely store sensitive information for later retrieval.

Cryptographically secure generation and secure management of encryption keys are required for true security of data at rest encrypted by InterSystems Cache. Fortanix DSM with its KMIP support provides a secure and flexible solution for this.

InterSystems Cache KMIP keyring plugin authenticates to a KMIP enabled key management server using a client certificate. SDKMS supports clients/apps to authenticate using API Key, App Id, and certificate or just certificate.

Prerequisites

  • Fortanix DSM
  • InterSystems Management Console
  • Access to create a certificate for KMIP Server

Adding App in Fortanix Data Security Manager

  1. Add an app in the Fortanix DSM in an appropriate group or a new group. For instructions on how to add a group or app please refer to the Fortanix DSM Getting Started Guide.
    1.png
                                                           Figure 1: Create New App
  2.  Once you have added the application, note down its App-ID by copying App UUID from the App table view by clicking the icon for “Copy UUID” as shown below. You will need this App-ID for the certificate.
    2.png
                                                           Figure 2: Copy UUID
  3. If an App / Client needs to authenticate to Fortanix DSM using the only certificate, then the App ID needs to be embedded in the certificate in one of the following ways:
    • Provided as the value of a custom OID in the certificate 1.3.6.1.4.1.49690.1.2.1
    • Standard human-readable UUID encoding: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx provided as the value of CN.

    CN example: a36bb135-8a49-46f8-979b-bc5bbd3e7f7e

    Create a new certificate using the OpenSSL command which you will be using to upload in the Fortanix DSM app.

    OpenSSL Command:

     openssl req -newkey rsa:2048 -nodes -keyout sdkms.key -x509 -days 365 -out sdkms.crt
    3.png
                                                           Figure 3: Create a new certificate
  4. Now go to the Fortanix DSM app and change the Authentication method to Certificate.
    4.png
                                          Figure 4: Change the Authentication method to Certificate
  5. Update the Certificate created above and upload the same in Fortanix DSM as per the following screenshot.
    5.png
                                                   Figure 5: Upload Certificate

Enabling the Security in InterSystems Cache

Create a new SSL/TLS Configuration

  1. Log in to the Management Console for IRIS.
    6.png
                                                   Figure 6: IRIS Management Console
  2. Once you log in you will see the InterSystems Management Console homepage.
    7.png
                                                   Figure 7: InterSystems Management Portal
  3. On the Cache instance that will communicate with the KMIP server, create an SSL/TLS configuration that will represent the instance to the KMIP server:
    1. In the portal, go to the SSL/TLS Configurations page (Home > System Administration > Security > SSL/TLS Configurations).
      8.png
                                                     Figure 8: SSL/TLS Configuration page
  4. On the SSL/TLS Configurations page (Figure 8), click the Create New Configuration button, which displays the New SSL/TLS Configuration page.
  5. On the New SSL/TLS Configuration page, set up the SSL/TLS configuration. For the fields listed below, specify or select values as follows:
    1. Enabled — Select this check box.
    2. Type — Select Client.
    3. Update the client certificate, the private key, which was created, and the certificate which was updated in the SDKMS portal.
    9.png
                                                   Figure 9:  Update the SSL/TLS Configuration
  6. Click the Test icon on the Management portal (Figure 9).
    10.png
                                                 Figure 10:  Test server hostname
  7. Update the Port number as 5696 and click OK.
    11.png
                                                 Figure 11:  Update port number
  8. You will then receive the Success status of the connection and click Save to save it.
    12.png
                                                 Figure 12:  Connection Success
    Once configured, the management console for SSL/TLS configuration will be as follows:
    post_config.png
                                                    Figure 13:  Configuration success

Create KMIP Server Configuration Using Terminal

  1. Start the Terminal and log in as a sufficiently privileged user.
    13.png
                                                 Figure 14: Log in to Terminal
  2. At the terminal prompt, go to the %SYS namespace and run ^SECURITY.
         zn "%SYS"
    %SYS>do ^SECURITY
    14.png
                                                 Figure 15: Run ^Security
  3. In the ^SECURITY, select option 14) KMIP server setup.
  4. In the KMIP server setup choices, select option 1) Create KMIP server.
  5. At the Create KMIP server prompt, specify values for the following:
    1. KMIP server to create? — The name of the KMIP server configuration.
    2. Description? — A text description.
    3. Server host DNS name? — The fully-qualified DNS name or IP address of the KMIP server.
    4. TCP port number? — The port number on which the KMIP server accepts connections.
    5. OASIS KMIP protocol version? — The number associated with your KMIP server’s supported version of the protocol. This is part of the information that you have received from the vendor that provides the KMIP server.
    6. SSL/TLS Configuration name? — The name of the SSL/TLS configuration that you created in the previous step.
    15.png
                                                 Figure 16: KMIP Server Setup
    • Select option 1) Create KMIP Server and update the requested information:
      KMIP Server to create? SDKMS
      Description? SDKMS
      Server host DNS Name? sdkms.fortanix.com
      TCP Port number? 5696 => 5696
      OASIS KMIP protocol version
      0) 1.0
      1) 1.1
      2) 1.2
      3) 1.3
      4) 1.4
      OASIS KMIP protocol version? 2 => 2
      SSL/TLS configuration name? KMIP => SDKMS
      Non-blocking I/O? Yes => Yes
      Auto-reconnect? No => Yes
      I/O timeout, in seconds? 10 => 10
      Log KMIP messages? No => Yes
      Debug SSL/TLS? No => Yes
      Confirm creation of KMIP server SDKMS? Yes => Yes
      KMIP server SDKMS created
      16.png
                                                 Figure 17: Create KMIP Server
      You can list the KMIP server by selecting option 4) Detailed list KMIP server.
      17.png
                                                 Figure 18: List the KMIP Server

Create a New Key in KMIP Server

To activate a database encryption key from a KMIP server:

  1. For the relevant instance, start the Terminal and log in as a sufficiently privileged user.
  2. At the terminal prompt, go to the %SYS namespace and run ^EncryptionKey.
         zn "%SYS"
    %SYS>do ^EncryptionKey
    Run_Encryption_key.png
                                               Figure 19: Run Encryption key
  3. Select Option 5) Manage KMIP server and you will be prompted the KMIP Server name.
    In the following screenshot, the KMIP server we have is SDKMS.
  4. We can list the keys in KMIP Server (Option 1), create a Key (Option 2), and Destroy the key (Option 3).
    18.png
                                               Figure 20: KMIP server - SDKMS
  5. Select Option 2) Create new key on KMIP server.
    19.png
                                              Figure 21: Create new key on KMIP server
    The key is created but not activated as seen in Figure 21.
  6. Since the key is now created in the KMIP Server, we can see the same in Fortanix DSM Portal as shown in the following screenshot.
    20.png
                                   Figure 22: Key created in Fortanix DSM Portal

Activate the Data-Element Encryption Key from a KMIP Server

To activate a database encryption key from a KMIP server:

The cache supports up to four activated keys at one time for data-element encryption. To activate a key for data-element encryption from a KMIP server:

  1. For the relevant instance, start the Terminal and log in as a sufficiently privileged user.
  2. At the terminal prompt, go to the %SYS namespace and run ^EncryptionKey.
         zn "%SYS"
    %SYS>do ^EncryptionKey
  3. In ^EncryptionKey, select option 4) Data element encryption for applications.
  4. In the Data element encryption for applications choices, select option 1) Activate data element encryption key.
  5. In the Activate data element encryption key choices, select option 2) Use KMIP server.
  6. At the KMIP server prompt, enter the name of the configuration of the KMIP server from which you wish to activate the key.
    The routine then lists the keys on the KMIP server and prompts for the key to activate.
  7. Specify a key at the Select key prompt.
  8. The routine then activates the key, displaying its ID.
    21.png
                                                            Figure 23: Activate Key
  9. For each key that the Cache activates, the Data Element Encryption page (System Administration > Encryption > Data Element Encryption) adds the key to the table of activated keys and displays the key’s identifier.
  10. You can now log in to the IRIS Management console and see the activated key.
    22.png
                                              Figure 24: Key added to table of activated keys
Was this article helpful?
0 out of 0 found this helpful