Using Fortanix Data Security Manager for Cohesity Encryption Keys

Introduction

This article describes how to use Fortanix Data Security Manager (DSM) to manage Cohesity Encryption Keys.

KMIP and Certificate Requirements

The Key Management Interoperability Protocol (KMIP) is used for communication between the Cohesity cluster and Fortanix DSM. KMIP runs over Transport Layer Security (TLS), which provides the secure connection; Fortanix DSM also uses the TLS client certificate to authenticate the KMIP client before it can create, retrieve, and use the keys stored inside Fortanix DSM.

X.509 certificates provide both the encryption of the channel and the authentication of the two parties, Fortanix DSM and the Cohesity cluster. Fortanix DSM is deployed with a server certificate signed by its internal Certificate Authority (CA). You will need to create a client certificate for the Cohesity cluster using a tool such as OpenSSL; the certificate may be signed externally or self-signed.

Prerequisites

  • Cohesity DataPlatform version 6.5.1a or later is installed and operational, and the cluster is configured to use encryption. You can only enable encryption at the cluster level when you create the Cohesity cluster.
  • Fortanix DSM version 3.21 or later.
  • Fortanix DSM is installed and operational, and is reachable from the Cohesity cluster on port 5696 (the default) or on a custom KMIP port.
  • You have access to OpenSSL or some other tool for generating a client certificate and private key in the Privacy Enhanced Mail (PEM) format.

Considerations

The following are some key points to understand about the Fortanix DSM and Cohesity DataPlatform integration:

  • Once encryption is enabled at the cluster level in Cohesity DataPlatform, it cannot be disabled in the future.
  • Once you configure a Cohesity cluster to use an external Key Management System (KMS), it cannot be returned to using the internal KMS.
  • The Cohesity cluster supports only one (1) external KMS, and the IP address of the KMS cannot be altered once configured.
  • Once it establishes a TLS connection with Fortanix DSM, a Cohesity cluster never tears down that connection unless services are restarted or stopped. This results in a persistent TLS connection.

Setting up Fortanix Data Security Manager

Fortanix DSM allows KMIP clients to authenticate with a certificate, configured through an App. For the Cohesity cluster to connect and authenticate with Fortanix DSM, you also need to extract the Fortanix DSM internal CA certificate and supply it to the Cohesity cluster.

Configure App in Fortanix Data Security Manager

  1. Log in to the Fortanix DSM UI.
  2. Click the Applications icon, and then click the Add icon to create a new application.
  3. Enter the following details:
    • App name: This is the name to identify your Cohesity cluster (customizable)
    • Interface: KMIP
    • Authentication method: The default of API Key is fine at this stage; it is changed to Certificate later, once the client certificate exists.
    • Assigning the new app to groups: Keys created by the Cohesity cluster will be owned by this Group.
    Figure 1: Create an app
    Figure 2: App created
  4. Once the App has been created, note the App UUID; it is used as the Common Name (CN) when generating the client certificate.
    Figure 3: App UUID

Extract Fortanix Data Security Manager Internal CA Certificate

  1. Log in to a system with OpenSSL installed.
  2. Enter the OpenSSL command shown in Figure 4 to display the certificates presented by Fortanix DSM. The first certificate is the server certificate and the second is the root certificate.
  3. Example output:
    Figure 4: Server and root certificate
  4. Copy the second certificate from the command output and save it to a file on the system from which you will access the Cohesity UI or CLI.

Create Client Certificate and Private Key

There are two different types of client certificates:

  • Self-Signed Certificates: If your security policy allows it, you may generate and sign your client certificate yourself.
  • Externally-Signed Certificates: Generate a Certificate Signing Request and sign using a Certificate Authority (CA).

Generate a Self-Signed Certificate and Private Key

To generate a self-signed certificate and private key for the Cohesity cluster:

  1. Log in to a system with OpenSSL installed.
  2. Use the genrsa command to generate the private key; it is written to the key file name and with the key length you specify.
  3. Enter the OpenSSL command shown in Figure 6 to create the self-signed certificate, filling in the fields per your security policy:
    • Country Name: Your two-letter country code
    • State or Province Name: Your full state name
    • City: Your full city name
    • Organisation: Your full organisation name
    • Organisational Unit: Your full department name
    • Common Name: The App UUID you have noted down when creating an App in Fortanix DSM 
    • Others: Optional
  4. Ensure both the client certificate and private key file are stored securely on your system.

Generate an Externally Signed Certificate and Private Key

To have a certificate signed by a trusted CA, you must first create a private key along with a certificate signing request (CSR).

  1. Log in to a system with OpenSSL installed.
  2. Use the genrsa command to generate the private key; it is written to the key file name and with the key length you specify.
  3. Enter the OpenSSL command shown in Figure 10 to generate the CSR file, filling in the fields per your security policy.
  4. Enter the following details:
    • Country Name: Your two-letter country code
    • State or Province Name: Your full state name
    • City: Your full city name
    • Organisation: Your full organisation name
    • Organisational Unit: Your full department name
    • Common Name: The App UUID you have noted down when creating an App in Fortanix DSM
    • Others: Optional
  5. Ensure both the client certificate and private key file are stored securely on your system.
  6. Have a trusted CA sign the CSR file and store the signed certificate securely.
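The OpenSSL steps above (extracting the second, root certificate from the Fortanix DSM chain, and generating the Cohesity client key with either a self-signed certificate or a CSR whose CN is the App UUID) as one added shell example; these are not the article's own command listings. APP_UUID, OUTDIR, the subject fields, the file names and the DSM host/port are placeholders; fetch_dsm_chain needs network access to Fortanix DSM, every other function runs offline.

```shell
#!/bin/sh
# Added example (not the article's own commands). Generates the Cohesity client
# key plus a self-signed certificate or a CSR with the Fortanix DSM App UUID as
# CN, and splits a PEM chain so the second (root) certificate can be saved.
# APP_UUID, OUTDIR, the subject fields and the DSM host/port are placeholders.
APP_UUID="${APP_UUID:-00000000-0000-0000-0000-000000000000}"   # constructed placeholder
OUTDIR="${OUTDIR:-$(mktemp -d)}"
SUBJ="/C=US/ST=California/L=Mountain View/O=Example Org/OU=Backup/CN=$APP_UUID"

# Step 2 of both procedures: RSA private key (2048 bits here; follow your policy).
make_client_key() {
  openssl genrsa -out "$OUTDIR/cohesity-client.key" 2048 2>/dev/null
}

# Self-signed path: certificate valid for 365 days, CN = App UUID.
make_selfsigned_cert() {
  openssl req -new -x509 -days 365 -key "$OUTDIR/cohesity-client.key" \
    -subj "$SUBJ" -out "$OUTDIR/cohesity-client.crt"
}

# Externally signed path: CSR to hand to the trusted CA.
make_csr() {
  openssl req -new -key "$OUTDIR/cohesity-client.key" \
    -subj "$SUBJ" -out "$OUTDIR/cohesity-client.csr"
}

# Print the CN of a certificate (x509) or CSR (req) to compare with the App UUID.
subject_cn() {   # usage: subject_cn x509|req FILE
  openssl "$1" -in "$2" -noout -subject -nameopt RFC2253 | sed 's/.*CN=\([^,]*\).*/\1/'
}

# Succeeds only when the certificate's public key belongs to the private key.
key_matches_cert() {   # usage: key_matches_cert KEYFILE CERTFILE
  [ "$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -modulus)" ]
}

# Print the Nth certificate of a PEM chain read on stdin; the article's root
# certificate is the second one in the s_client output.
nth_cert() {   # usage: nth_cert N < chain.pem
  awk -v n="$1" '/-----BEGIN CERTIFICATE-----/{i++} i==n{print}
                 /-----END CERTIFICATE-----/{if (i==n) exit}'
}

# Needs network access to Fortanix DSM; prints the server chain as PEM.
fetch_dsm_chain() {   # usage: fetch_dsm_chain DSM_HOST [PORT] > chain.pem
  openssl s_client -connect "$1:${2:-5696}" -showcerts </dev/null 2>/dev/null |
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}
```

Run subject_cn against the certificate (or CSR) before uploading it to the App: a CN that differs from the App UUID is the usual reason the Cohesity cluster fails to authenticate.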

Update Fortanix Data Security Manager App

To ensure the client certificate is used to authenticate with Fortanix DSM, the client certificate needs to be uploaded to the App settings.

  1. Log in to the Fortanix DSM UI.
  2. Click the Applications icon, and select the application that you want to update from the Apps table.
  3. In the App detailed view, click the Change authentication method drop-down, and select the Certificate option.
    Figure 5: Change authentication method
  4. Copy or upload the client certificate.
    Figure 6: Upload client certificate
  5. Click Update. Now the App is configured to accept connections from the Cohesity cluster that authenticates using the client certificate and private key.

Configure Cohesity Key Management Settings

You may configure Fortanix DSM as an external KMS using the Cohesity DataPlatform UI or from the Cohesity DataPlatform CLI.

Configure Fortanix Data Security Manager Using Cohesity DataPlatform UI

  1. Log in to Cohesity DataPlatform UI.
  2. Navigate to Settings -> Cluster -> Summary.
    Figure 7: Summary in Cohesity DataPlatform
  3. Navigate to Key Management System.
    Figure 8: Cohesity key management system
  4. In the Key Management System form, enter the following details:
    • Server Type: Select KMIP Compliant for Fortanix DSM
    • Server Name: This is the name to identify your Fortanix DSM (customizable).
    • Protocol Version: Currently Fortanix DSM supports KMIP2_0 with Cohesity DataPlatform.
    • Server IP: Fortanix DSM IP address. (KMS IP cannot be modified once configured).
    • Port: Default port for KMIP is 5696.
    • Client Certificate: Select the client certificate file which you created above.
    • Client Key: Select the private key file which you created above.
    • CA Certificate: Select the root CA certificate file of the Fortanix DSM extracted above.
    Figure 9: Key management system details
  5. Click Save.
  6. The Cohesity cluster immediately attempts to establish a TLS session with Fortanix DSM and initiate the KMIP communication.

Configure Fortanix Data Security Manager Using Cohesity DataPlatform CLI

You may also configure Fortanix DSM using the Cohesity DataPlatform CLI.

  1. SSH to the cluster.
  2. Enter the Cohesity DataPlatform CLI.
  3. In the CLI, use the kms create command:
    Figure 10: KMS create command
  4. Once the KMS has been created successfully, the kms list command shows the current settings and the status:
    Figure 11: KMS list command

Modifying Cohesity Data Platform KMS Settings

If you update the Key Management settings at any point after the initial configuration, the keychain service must be restarted for the new settings to take effect. The restart is performed from the CLI, as follows.

NOTE
For instructions on accessing and general use of the Cohesity CLI, please see the Cohesity CLI section of the Cohesity Virtual Edition Setup Guide.
  1. Enter the Cohesity DataPlatform CLI.
  2. Issue the command shown in Figure 12 to restart the service.
    Figure 12: Restart the service

Verification on Fortanix Data Security Manager

Once the external KMS has been created successfully on the Cohesity cluster, using either the DataPlatform UI or the DataPlatform CLI, the Fortanix DSM logs show the connection from the cluster and the key it created.

Figure 13: Key generation and connection logs

Enable Cohesity DataPlatform Storage Domain Encryption

A Cohesity cluster also supports enabling encryption per Storage Domain.

  1. Log in to Cohesity DataPlatform UI.
  2. Navigate to Settings -> Cluster -> Summary.
  3. Navigate to Storage Domains.
    Figure 14: Storage domains
  4. Click Add Storage Domain.
  5. Ensure Encryption is enabled when creating the new Storage Domain.
    Figure 15: Enable Encryption
  6. Verify that Encryption is enabled for the new Storage Domain.
    Figure 16: Encryption enabled