1.0 Introduction
This article describes how to use Fortanix Data Security Manager (DSM) to manage Cohesity Encryption Keys.
2.0 KMIP and Certificate Requirements
The Key Management Interoperability Protocol (KMIP) is used to facilitate communication between the Cohesity cluster and Fortanix DSM. KMIP uses Transport Layer Security (TLS) to provide a secure connection. Fortanix DSM also uses TLS to authenticate a KMIP client so that it can create, retrieve, and use keys stored in Fortanix DSM.
Both Fortanix DSM and the Cohesity cluster use X.509 certificates to authenticate each other over the TLS connection. Fortanix DSM is deployed with a server certificate that is signed by its internal Certificate Authority (CA). You will need to use a tool such as OpenSSL to create a client certificate for the Cohesity cluster; that certificate may be signed by an external CA or be self-signed.
2.1 Prerequisites
- Cohesity DataPlatform version 6.5.1a or later is installed and operational, and the cluster is configured to use encryption. You can only enable encryption at the cluster level when you create the Cohesity cluster.
- Fortanix DSM version 3.21 or later.
- Fortanix DSM is installed and operational, and the Cohesity cluster can connect to it on port 5696 or a custom KMIP port.
- You have access to OpenSSL or some other tool for generating a client certificate and private key in the Privacy Enhanced Mail (PEM) format.
2.2 Considerations
The following are some key points to understand how Fortanix DSM and Cohesity DataPlatform work together:
- After encryption is enabled at the cluster level in the Cohesity Data Platform, it cannot be disabled in the future.
- After you configure a Cohesity cluster to use an external Key Management System (KMS), you cannot change it back to using the internal KMS.
- The Cohesity cluster supports only one (1) external KMS, and the IP address of the KMS cannot be altered once configured.
- After it establishes a TLS connection with Fortanix DSM, a Cohesity cluster never tears down that connection unless services are restarted or stopped. This results in a persistent TLS connection.
3.0 Create an App in Fortanix Data Security Manager
Fortanix DSM lets KMIP clients authenticate with a certificate through an app. For the Cohesity cluster to authenticate with Fortanix DSM, you also need to extract the Fortanix DSM internal CA certificate, so that the cluster can verify the DSM server certificate.
There are two ways to configure Fortanix DSM for Cohesity encryption.
3.1 Method 1: Installation Through Wizard
3.1.1 Create an Instance
To create an app using the Cohesity wizard in Fortanix DSM SaaS:
- Sign up at https://smartkey.io/. This opens DSM SaaS for the AMER region. DSM SaaS supports multiple regions, as listed here.
- Log in to the Fortanix DSM UI.
- Click the Integrations tab in the left panel.
- On the Integrations page, click ADD INSTANCE on the Cohesity wizard.
- Enter the details as shown in the screenshot below:
Figure 4: Add instance
- Add Instance: This is the name to identify the instance created.
- Authentication method: The Cohesity app must be configured to accept connections from the Cohesity cluster that authenticates using the client certificate and private key.
- API key: This method is used to generate an app with API key-based authentication. This API key is required for certificate-based authentication later.
- Client Certificate: This method is used to authenticate the application with Fortanix DSM using a Client Certificate. For more information on creating a client certificate, refer to Section 5.0.
- Click SAVE INSTANCE. Saving the instance creates a new group, an app, and keys within Fortanix DSM.
3.1.2 Authenticate Using a Client Certificate
Perform the following steps to authenticate using a client certificate:
- First, create an instance with the Authentication method set to API Key. Creating the instance creates a new group and app within Fortanix DSM.
- In the Cohesity instance table, under the Credentials column, for the instance created, click COPY API KEY.
- In the "Copy the API key" dialog box, select the USERNAME/PASSWORD tab and copy the Username (app UUID).
- To ensure the client certificate is used to authenticate with Fortanix DSM, the client certificate needs to be uploaded to the app settings. Go to Section 5.0 and follow the instructions to generate a client certificate and private key.
- Now, go to the detailed view of the app that the instance automatically created.
- In the app's detailed view, click Change the authentication method and select Certificate to change the authentication method to Certificate.
- Click SAVE.
- In the Add certificate dialog box, copy or upload the Certificate generated in Step 4 above in the Upload certificate text box and update the authentication method.
Now the app is configured to accept connections from the Cohesity cluster that authenticates using the client certificate and private key.
3.1.3 Cohesity Wizard Instance Detailed View
In the instance detailed view page, the created instances are listed as shown below:
Figure 5: Instance details
In the instance details you will notice the following:
- Credentials: This is the App authentication method used.
- Click CERTIFICATE to download the Client Certificate. This is applicable only if the App authentication method used is a Client Certificate.
- Click COPY API KEY to copy the API key. This is applicable only if the App authentication method used is API Key.
- MANAGE: Click MANAGE to manage the keys created.
- Instance status: To disable the instance created, click the toggle Disabled.
To delete the instance created, click the button. Note that deleting an instance deletes the App, the Group, and all security objects belonging to the instance, and all key material becomes inaccessible.
3.2 Method 2: Manual Installation
3.2.1 Create an App
- Log in to the Fortanix DSM UI.
- Click the Application icon, and then click the icon to create a new application.
- Enter the following details:
- App name: This is the name to identify your Cohesity cluster (customizable)
- Interface: KMIP
- Authentication method: Leave the default, API Key, at this stage; it will be changed to Certificate later.
- Assigning the new app to groups: Keys created by the Cohesity cluster will be owned by this Group.
Figure 1: Create an app
- Click SAVE to complete creating the app.
3.2.2 Authenticate Using a Client Certificate
Perform the following steps to authenticate using a client certificate:
- After the app has been created, go to the detailed view of the app created in Section 3.2.1 and copy the app UUID as it will be used as the Common Name (CN) when generating the client certificate.
Figure 3: App UUID
- To ensure the client certificate is used to authenticate with Fortanix DSM, the client certificate needs to be uploaded to the app settings. Go to Section 5.0 to generate a client certificate.
- In the app's detailed view, click Change the authentication method and select Certificate to change the authentication method to Certificate.
- Click SAVE.
- In the Add certificate dialog box, copy or upload the client certificate generated in Section 5.0 into the Upload certificate text box and update the authentication method.
- Change the authentication method of the Fortanix DSM app to ‘Certificate’ and click SAVE.
- Continue to Section 5.0 for authentication using a client certificate.
- Click UPDATE to update the authentication method.
Now the app is configured to accept connections from the Cohesity cluster that authenticates using the client certificate and private key.
4.0 Extract Fortanix DSM Internal CA Certificate
- Log in to a system with OpenSSL installed.
- Enter the following OpenSSL command to display the certificates of Fortanix DSM. The first certificate is the server certificate and the second is the root certificate:
$ openssl s_client -connect <Fortanix_DSM_Address>:5696 -showcerts
Figure 6: Server and root certificate
- Copy the second certificate in the command output (including the BEGIN CERTIFICATE and END CERTIFICATE lines) and save it into a file on the system from which you will access the Cohesity UI or CLI.
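The step above selects the root certificate by hand from the s_client output. The following shell script, added here and not part of the Fortanix guide, makes that selection mechanical: it pulls the Nth PEM block out of whatever is piped in, so the second block (the Fortanix DSM internal CA) can be saved directly to a file. The function names, the output filename and the sample transcript are assumptions; the sample is a constructed s_client-style transcript whose certificate bodies are placeholder text, not real certificates.

```shell
#!/bin/sh
# Added example (not from the Fortanix guide): extract the Nth PEM certificate
# block from `openssl s_client -showcerts` output. The guide says the second
# block in the chain is the Fortanix DSM internal root CA.

# Print only the Nth "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----"
# block read from stdin. Prints nothing and returns 1 if fewer than N blocks exist,
# so a short chain cannot silently produce an empty CA file.
extract_nth_cert() {
    awk -v want="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == want                     { print }
        /-----END CERTIFICATE-----/   { if (n == want) { found = 1; exit } }
        END                           { if (!found) exit 1 }
    '
}

# Count the PEM certificate blocks on stdin (prints the count).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Live use (not run offline): $1 = DSM address, $2 = KMIP port (default 5696),
# $3 = output file. Address and port are placeholders you supply.
fetch_dsm_ca() {
    openssl s_client -connect "$1:${2:-5696}" -showcerts </dev/null 2>/dev/null \
        | extract_nth_cert 2 > "$3"
}

# Constructed sample resembling the s_client output in Figure 6. The certificate
# bodies are placeholder lines, not real DER data.
SAMPLE_S_CLIENT_OUTPUT='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = dsm.example.internal
   i:CN = Fortanix DSM Internal CA
-----BEGIN CERTIFICATE-----
CONSTRUCTED-SERVER-CERTIFICATE-BODY-LINE-1
CONSTRUCTED-SERVER-CERTIFICATE-BODY-LINE-2
-----END CERTIFICATE-----
 1 s:CN = Fortanix DSM Internal CA
   i:CN = Fortanix DSM Internal CA
-----BEGIN CERTIFICATE-----
CONSTRUCTED-ROOT-CA-CERTIFICATE-BODY-LINE-1
CONSTRUCTED-ROOT-CA-CERTIFICATE-BODY-LINE-2
-----END CERTIFICATE-----
---
Server certificate
subject=CN = dsm.example.internal
issuer=CN = Fortanix DSM Internal CA
---'

# Offline demonstration against the constructed sample:
#   printf '%s\n' "$SAMPLE_S_CLIENT_OUTPUT" | extract_nth_cert 2 > fortanix-dsm-ca.pem
```

Against a real Fortanix DSM the equivalent is fetch_dsm_ca <Fortanix_DSM_Address> 5696 fortanix-dsm-ca.pem; check that count_certs reports two blocks first, because if DSM were fronted by a load balancer presenting a different chain, "the second certificate" may not be the internal CA.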
5.0 Create Client Certificate and Private Key
There are two different types of client certificates:
- Self-Signed Certificates: If your security policy allows it, you may generate and sign your client certificate yourself.
- Externally-Signed Certificates: Generate a Certificate Signing Request and sign using a Certificate Authority (CA).
5.1 Generate a Self-Signed Certificate and Private Key
To generate a self-signed certificate and private key for the Cohesity cluster:
- Log in to a system with OpenSSL installed.
- Use the following genrsa command to generate the private key that will be written to the key filename and key length you specify:
- Enter the following OpenSSL command to create the self-signed certificate as per your security policy:
- Enter the following details:
- Country Name: Your two-letter country code
- State or Province Name: Your full state name
- City: Your full city name
- Organisation: Your full organisation name
- Organisational Unit: Your full department name
- Common Name: The App UUID you have noted down when creating an App in Fortanix DSM
- Others: Optional
- Ensure both the client certificate and private key file are stored securely on your system.
5.2 Generate an Externally Signed Certificate and Private Key
To sign a certificate from a trusted CA, you must first create a private key along with a certificate signing request.
- Log in to a system with OpenSSL installed.
- Use the following genrsa command to generate the private key that will be written to the key filename and key length you specify:
- Enter the following OpenSSL command to generate a CSR file as per your security policy.
- Enter the following details:
- Country Name: Your two-letter country code
- State or Province Name: Your full state name
- City: Your full city name
- Organisation: Your full organisation name
- Organisational Unit: Your full department name
- Common Name: The App UUID you have noted down when creating an App in Fortanix DSM
- Others: Optional
- Ensure both the client certificate and private key file are stored securely on your system.
- Have a trusted CA sign the CSR file and store the signed certificate securely.
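The genrsa and req commands that Sections 5.1 and 5.2 refer to are not reproduced on this page. The script below is an added example, not the Fortanix guide's own commands, covering both procedures: it generates the private key, then either the self-signed certificate (Section 5.1) or the CSR for an external CA (Section 5.2), with the Fortanix DSM app UUID as the Common Name, and reads the CN back so it can be checked before the certificate is uploaded to the app. APP_UUID is a constructed placeholder, and the output directory, filenames, key size, certificate lifetime and the other subject fields are assumptions.

```shell
#!/bin/sh
# Added example, not the Fortanix guide's own commands: create the Cohesity KMIP
# client key and either a self-signed certificate (Section 5.1) or a CSR for an
# external CA (Section 5.2), with the Fortanix DSM app UUID as the Common Name.

APP_UUID="${APP_UUID:-00000000-0000-4000-8000-000000000000}"   # placeholder, not a real app UUID
OUTDIR="${OUTDIR:-./cohesity-kmip-client}"                     # assumed location
KEY_BITS="${KEY_BITS:-2048}"                                   # assumed key length
# Fortanix DSM matches the client on the CN, so the CN must be exactly the app UUID.
# The other subject fields are assumed sample values.
SUBJECT="/C=US/ST=California/L=Mountain View/O=Example Org/OU=Backup/CN=$APP_UUID"

KEY="$OUTDIR/cohesity-client.key"
CRT="$OUTDIR/cohesity-client.crt"
CSR="$OUTDIR/cohesity-client.csr"

# Private key for both procedures. The restrictive umask makes the key file
# owner-readable only (mode 600), which is the "store securely" requirement.
gen_key() {
    mkdir -p "$OUTDIR" && chmod 700 "$OUTDIR"
    ( umask 077 && openssl genrsa -out "$KEY" "$KEY_BITS" 2>/dev/null )
}

# Section 5.1: self-signed certificate, one-year lifetime (assumed).
gen_selfsigned() {
    openssl req -x509 -new -key "$KEY" -sha256 -days 365 -subj "$SUBJECT" -out "$CRT"
}

# Section 5.2: certificate signing request to hand to the external CA.
gen_csr() {
    openssl req -new -key "$KEY" -sha256 -subj "$SUBJECT" -out "$CSR"
}

# Read the CN back from a certificate or CSR; RFC2253 output puts CN first.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Run directly as `sh make-client-cert.sh self-signed` or `sh make-client-cert.sh csr`.
# With no argument the script only defines the functions.
case "${1:-}" in
    self-signed) gen_key && gen_selfsigned && echo "certificate CN: $(cert_cn "$CRT")" ;;
    csr)         gen_key && gen_csr        && echo "CSR CN: $(csr_cn "$CSR")" ;;
    *) ;;
esac
```

Before uploading, compare the printed CN with the app UUID copied from the Fortanix DSM app page; a CN mismatch is the most common reason the certificate is accepted by the UI but the KMIP connection from the cluster is refused.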
6.0 Configure Cohesity Key Management Settings
You may configure Fortanix DSM as an external KMS using the Cohesity DataPlatform UI or from the Cohesity DataPlatform CLI.
6.1 Configure Fortanix Data Security Manager Using Cohesity Dataplatform UI
- Log in to Cohesity DataPlatform UI.
- Navigate to Settings -> Cluster -> Summary.
Figure 7: Summary in Cohesity dataplatform
- Navigate to Key Management System.
Figure 8: Cohesity key management system
- In the Key Management System form, enter the following details:
- Server Type: Select KMIP Compliant for Fortanix DSM
- Server Name: This is the name to identify your Fortanix DSM (customizable).
- Protocol Version: Currently Fortanix DSM supports KMIP2_0 with Cohesity DataPlatform.
- Server IP: Fortanix DSM IP address. (KMS IP cannot be modified once configured).
- Port: The default port for KMIP is 5696.
- Client Certificate: Select the client certificate file which you created above.
- Client Key: Select the private key file which you created above.
- CA Certificate: Select the root CA certificate file of Fortanix DSM extracted above in Section 4.0.
Figure 9: Key management system details
- Click Save.
- The Cohesity cluster immediately attempts to establish a TLS session with Fortanix DSM and initiates the KMIP communication.
6.2 Configure Fortanix Data Security Manager Using Cohesity Dataplatform CLI
You may also configure Fortanix DSM using the Cohesity DataPlatform CLI.
- SSH to the cluster using the following command:
- Enter the Cohesity DataPlatform CLI.
- In the CLI, use the kms create command:
Figure 10: KMS create command
Where ca-certificate is the root CA certificate file of Fortanix DSM extracted above in Section 4.0.
- Once the KMS has been created successfully, the kms list command shows you the current settings and the status:
Figure 11: KMS list command
6.3 Modifying Cohesity Data Platform KMS Settings
If you update the Key Management settings at some point after initially configuring them, the keychain service must be restarted for the new settings to take effect. The restart is done from the CLI with the following steps:
- Enter the Cohesity DataPlatform CLI.
- Issue the following command to restart the service.
Figure 12: Restart the service
6.4 Verification on Fortanix Data Security Manager
After the external KMS has been successfully created on the Cohesity cluster using the DataPlatform UI or the DataPlatform CLI, Fortanix DSM shows logs of the connection and of the keys created.
Figure 13: Key generation and connection logs
6.5 Enable Cohesity Dataplatform Storagedomain Encryption
A Cohesity cluster supports enabling encryption per Storage Domain.
- Log in to Cohesity DataPlatform UI.
- Navigate to Settings -> Cluster -> Summary.
- Navigate to Storage Domains.
Figure 14: Storage domains
- Click Add Storage Domain.
- Ensure Encryption is enabled when creating the new Storage Domain.
Figure 15: Enable encryption
- Verify that Encryption is enabled for the new Storage Domain.
Figure 16: Encryption enabled