Using Fortanix Data Security Manager for Cohesity Encryption Keys

1.0 Introduction

This article describes how to use Fortanix Data Security Manager (DSM) to manage Cohesity Encryption Keys.

2.0 KMIP and Certificate Requirements

The Key Management Interoperability Protocol (KMIP) is used for communication between the Cohesity cluster and Fortanix DSM. KMIP runs over Transport Layer Security (TLS) to secure the connection, and Fortanix DSM also uses the TLS client certificate to authenticate a KMIP client so that it can create, retrieve, and use the keys stored inside Fortanix DSM.

X.509 certificates provide both the communication channel and the authentication for Fortanix DSM and the Cohesity cluster. Fortanix DSM is deployed with a server certificate that is signed by its internal Certificate Authority (CA). You will need to create a client certificate for the Cohesity cluster using a tool such as OpenSSL. The certificate may be signed externally or can be self-signed.

2.1 Prerequisites

  • Cohesity DataPlatform version 6.5.1a or later is installed and operational, and the cluster is configured to use encryption. You can only enable encryption at the cluster level when you create the Cohesity cluster.
  • Fortanix DSM version 3.21 or later.
  • Fortanix DSM is installed and operational, and is reachable from the Cohesity cluster on the default KMIP port 5696 or on a custom KMIP port.
  • You have access to OpenSSL or some other tool for generating a client certificate and private key in the Privacy Enhanced Mail (PEM) format.

2.2 Considerations

The following are some key points to understand about the Fortanix DSM and Cohesity DataPlatform integration:

  • Once encryption is enabled at the cluster level in Cohesity DataPlatform, it cannot be disabled in the future.
  • Once you configure a Cohesity cluster to use an external Key Management System (KMS), it cannot be returned to using the internal KMS.
  • The Cohesity cluster supports only one (1) external KMS, and the IP address of the KMS cannot be altered once configured.
  • Once it establishes a TLS connection with Fortanix DSM, a Cohesity cluster never tears down that connection unless services are restarted or stopped. This results in a persistent TLS connection.

3.0 Create an App in Fortanix Data Security Manager

Fortanix DSM allows KMIP clients to authenticate with a certificate through Apps. To connect the Cohesity cluster and authenticate it with Fortanix DSM, you also need to extract the Fortanix DSM internal CA certificate for the Cohesity cluster.

There are two ways to create an app in Fortanix DSM:

3.1 Using Fortanix DSM On-Premises Deployments

  1. Log in to the Fortanix DSM UI.
  2. Click the Application icon, and then click the add icon to create a new application.
  3. Enter the following details:
    • App name: This is the name to identify your Cohesity cluster (customizable)
    • Interface: KMIP
    • Authentication method: This will be updated later; the default of API Key is fine at this stage.
    • Assigning the new app to groups: Keys created by the Cohesity cluster will be owned by this Group.
    Figure 1: Create an app
    Figure 2: App created
  4. Once the App has been created, note the App UUID, as it will be used as the Common Name (CN) when generating the client certificate.
    Figure 3: App UUID
  5. Change the authentication method of the Fortanix DSM App created to ‘Certificate’ and click SAVE.
  6. Continue to Section 5.0 for authentication using a client certificate.
  7. Click UPDATE to update the authentication method.

3.2 Using Fortanix DSM SaaS Deployment

To configure the Cohesity wizard in Fortanix DSM SaaS:

  1. Sign up at https://smartkey.io/.
  2. Log in to the Fortanix DSM UI.
  3. Click the Integrations tab in the left panel.
  4. On the Integrations page, click ADD INSTANCE on the Cohesity wizard.
  5. Enter the details as shown in the screenshot below:
    Figure 4: Add instance
    1. Add Instance: This is the name to identify the instance created.
    2. Authentication method: Select the desired authentication method. There are two options to choose from:
      1. API key: This method is used to authenticate the App with the API Gateway using an API key. 
      2. Client Certificate: This method is used to authenticate the App/Client to Fortanix DSM using a Client Certificate. To upload the client certificate, click UPLOAD CERTIFICATE. Alternatively, the client certificate can be pasted in the field provided. For more information on creating a client certificate, refer to Section 5.0.
  6. Continue to Section 5.0 for authentication using a client certificate.
  7. Click SAVE INSTANCE. Saving an instance creates a new group, an app, and keys within Fortanix DSM.

3.2.1 Cohesity Wizard Instance Detailed View

In the instance detailed view page, the created instances are listed as shown below:

Figure 5: Instance details

In the instance details you will notice the following:

  • Credentials: This is the App authentication method used.
    • Click CERTIFICATE to download the Client Certificate. This is applicable only if the App authentication method used is a Client Certificate.
    • Click COPY API KEY to copy the API key. This is applicable only if the App authentication method used is API Key.
  • MANAGE: Click MANAGE to manage the keys created.
  • Instance status: To disable the instance created, click the Disabled toggle.
  • Delete: To delete the instance created, click the delete button. Note that deleting an instance deletes the App, the Group, and all security objects belonging to the instance, and all key material becomes inaccessible.

4.0 Extract Fortanix Data Security Manager Internal CA Certificate

  1. Log in to a system with OpenSSL installed.
  2. Run the OpenSSL command that displays the certificates presented by Fortanix DSM. The first certificate is the server certificate and the second is the root certificate.
  3. An example of the output is shown in Figure 6.
    Figure 6: Server and root certificate
  4. Copy the second certificate from the command output and save it to a file on the system from which you will access the Cohesity UI or CLI.
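The extraction in steps 2 to 4, as an added example that is not part of the Fortanix article: it pulls the chain that Fortanix DSM presents on its KMIP port, keeps only the second PEM block (the internal root CA), and then confirms that the server chain verifies against that file, which is the same trust check the Cohesity cluster must pass. The host name and port are placeholders passed on the command line; port 5696 is the default from Section 2.1.

```shell
#!/bin/sh
# Added example: extract the Fortanix DSM internal CA from the KMIP TLS chain.
# HOST and PORT are placeholders supplied as arguments; nothing here is
# Fortanix- or Cohesity-specific beyond the default KMIP port 5696.

# fetch_chain HOST PORT: prints the full chain as sent by the server
fetch_chain() {
  openssl s_client -showcerts -connect "$1:$2" </dev/null 2>/dev/null
}

# nth_cert N: reads s_client output on stdin and prints only the Nth PEM block
nth_cert() {
  awk -v want="$1" '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    n == want { print }
    /-----END CERTIFICATE-----/ && n == want { exit }
  '
}

# cert_count: number of PEM certificates in the s_client output on stdin
cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----'
}

# verify_chain HOST PORT CAFILE: succeeds only if OpenSSL validates the server
# chain against the extracted CA file
verify_chain() {
  openssl s_client -connect "$1:$2" -CAfile "$3" </dev/null 2>/dev/null |
    grep -q 'Verify return code: 0 (ok)'
}

# The live run happens only when a host is given, so the functions can also be
# sourced and exercised offline on captured s_client output.
if [ "$#" -ge 1 ]; then
  host=$1; port=${2:-5696}
  chain=$(fetch_chain "$host" "$port")
  [ "$(printf '%s\n' "$chain" | cert_count)" -ge 2 ] ||
    { echo "expected a server certificate and a root certificate" >&2; exit 1; }
  printf '%s\n' "$chain" | nth_cert 2 > fortanix-dsm-ca.pem
  openssl x509 -in fortanix-dsm-ca.pem -noout -subject -issuer
  verify_chain "$host" "$port" fortanix-dsm-ca.pem &&
    echo "server chain verifies against fortanix-dsm-ca.pem"
fi
```

Run it as `sh extract_ca.sh <dsm-host> 5696`; a subject equal to the issuer on the saved file confirms you kept the root rather than the server certificate.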

5.0 Create Client Certificate and Private Key

There are two different types of client certificates:

  • Self-Signed Certificates: If your security policy allows it, you may generate and sign your client certificate yourself.
  • Externally-Signed Certificates: Generate a Certificate Signing Request and sign using a Certificate Authority (CA).

5.1 Generate a Self-Signed Certificate and Private Key

To generate a self-signed certificate and private key for the Cohesity cluster:

  1. Log in to a system with OpenSSL installed.
  2. Use the genrsa command to generate the private key, specifying the key filename and key length.
  3. Enter the OpenSSL command that creates the self-signed certificate, as per your security policy.
  4. Enter the following details: 
    • Country Name: Your two-letter country code
    • State or Province Name: Your full state name
    • City: Your full city name
    • Organisation: Your full organisation name
    • Organisational Unit: Your full department name
    • Common Name: The App UUID you have noted down when creating an App in Fortanix DSM 
    • Others: Optional
  5. Ensure both the client certificate and the private key file are stored securely on your system.

5.2 Generate an Externally Signed Certificate and Private Key

To sign a certificate from a trusted CA, you must first create a private key along with a certificate signing request.

  1. Log in to a system with OpenSSL installed.
  2. Use the genrsa command to generate the private key, specifying the key filename and key length.
  3. Enter the OpenSSL command that generates a CSR file, as per your security policy.
  4. Enter the following details:
    • Country Name: Your two-letter country code
    • State or Province Name: Your full state name
    • City: Your full city name
    • Organisation: Your full organisation name
    • Organisational Unit: Your full department name
    • Common Name: The App UUID you have noted down when creating an App in Fortanix DSM
    • Others: Optional
  5. Ensure both the CSR and the private key file are stored securely on your system.
  6. Have a trusted CA sign the CSR file and store the signed certificate securely.
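Sections 5.1 and 5.2 in script form, as an added example that is not part of the Fortanix article: it generates the client private key, produces either a self-signed certificate or a CSR with the App UUID as the Common Name, and then checks the CN and that the key actually belongs to the certificate before the pair is uploaded to Cohesity. The DN fields other than CN, the file names and the UUID argument are placeholders to edit.

```shell
#!/bin/sh
# Added example: Cohesity client key plus self-signed certificate (5.1) or
# CSR (5.2). APP_UUID is the value noted in Section 3.1; C/ST/L/O/OU below
# are placeholder values, not Fortanix or Cohesity requirements.
set -e

# gen_client_key KEYFILE [BITS]: RSA private key in PEM, readable only by the owner
gen_client_key() {
  openssl genrsa -out "$1" "${2:-4096}" 2>/dev/null
  chmod 600 "$1"
}

# subject_dn APP_UUID: the same fields the interactive prompts ask for
subject_dn() {
  printf '/C=US/ST=State/L=City/O=Example Org/OU=Backup/CN=%s' "$1"
}

# self_signed KEYFILE CERTFILE APP_UUID [DAYS]: Section 5.1
self_signed() {
  openssl req -x509 -new -key "$1" -out "$2" -days "${4:-365}" \
    -subj "$(subject_dn "$3")" 2>/dev/null
}

# make_csr KEYFILE CSRFILE APP_UUID: Section 5.2, to be signed by a trusted CA
make_csr() {
  openssl req -new -key "$1" -out "$2" -subj "$(subject_dn "$3")" 2>/dev/null
}

# cert_cn CERTFILE: prints the CN, which must equal the Fortanix DSM App UUID
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# key_matches_cert KEYFILE CERTFILE: catches a mismatched key/certificate pair
# before it is selected in the Cohesity KMS form
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Example run: sh make_client_cert.sh <APP_UUID>
if [ "$#" -ge 1 ]; then
  gen_client_key cohesity-client.key
  self_signed cohesity-client.key cohesity-client.crt "$1"
  [ "$(cert_cn cohesity-client.crt)" = "$1" ] &&
    key_matches_cert cohesity-client.key cohesity-client.crt &&
    echo "cohesity-client.crt: CN=$1, key matches"
fi
```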

5.3 Update Fortanix Data Security Manager App

To ensure the client certificate is used to authenticate with Fortanix DSM, the client certificate needs to be uploaded to the App settings.

  1. Copy the desired client certificate file and upload it to the Upload certificate text box in Fortanix DSM app and save the details.
  2. Now the App is configured to accept connections from the Cohesity cluster that authenticates using the client certificate and private key.

6.0 Configure Cohesity Key Management Settings

You may configure Fortanix DSM as an external KMS using the Cohesity DataPlatform UI or from the Cohesity DataPlatform CLI.

6.1 Configure Fortanix Data Security Manager Using Cohesity DataPlatform UI

  1. Log in to Cohesity DataPlatform UI.
  2. Navigate to Settings -> Cluster -> Summary.
    Figure 7: Summary in Cohesity DataPlatform
  3. Navigate to Key Management System.
    Figure 8: Cohesity key management system
  4. In the Key Management System form, enter the following details:
    • Server Type: Select KMIP Compliant for Fortanix DSM
    • Server Name: This is the name to identify your Fortanix DSM (customizable).
    • Protocol Version: Currently Fortanix DSM supports KMIP2_0 with Cohesity DataPlatform.
    • Server IP: Fortanix DSM IP address. (KMS IP cannot be modified once configured).
    • Port: Default port for KMIP is 5696.
    • Client Certificate: Select the client certificate file which you created above.
    • Client Key: Select the private key file which you created above.
    • CA Certificate: Select the root CA certificate file of the Fortanix DSM extracted above.
    Figure 9: Key management system details
  5. Click Save.
  6. The Cohesity cluster immediately attempts to establish a TLS session with Fortanix DSM and initiate the KMIP communication.

6.2 Configure Fortanix Data Security Manager Using Cohesity DataPlatform CLI

You may also configure Fortanix DSM using the Cohesity DataPlatform CLI.

  1. SSH to the cluster.
  2. Enter the Cohesity DataPlatform CLI.
  3. In the CLI, use the kms create command.
    Figure 10: KMS create command
  4. Once the KMS has been created successfully, the kms list command shows the current settings and the status.
    Figure 11: KMS list command

6.3 Modifying Cohesity DataPlatform KMS Settings

If you update the Key Management settings at some point after initially configuring them, the keychain service must be restarted for the new settings to take effect. This restart is done from the CLI using the following steps:

NOTE
For instructions on accessing and general use of the Cohesity CLI, please see the Cohesity CLI section of the Cohesity Virtual Edition Setup Guide.
  1. Enter the Cohesity DataPlatform CLI.
  2. Issue the command that restarts the keychain service.
    Figure 12: Restart the service

6.4 Verification on Fortanix Data Security Manager

Once the external KMS has been successfully created on the Cohesity cluster using the DataPlatform UI or DataPlatform CLI, Fortanix DSM will show logs of the connection and of the key created.

Figure 13: Key generation and connection logs

6.5 Enable Cohesity DataPlatform Storage Domain Encryption

The Cohesity cluster also supports enabling encryption per Storage Domain.

  1. Log in to Cohesity DataPlatform UI.
  2. Navigate to Settings -> Cluster -> Summary.
  3. Navigate to Storage Domains.
    Figure 14: Storage domains
  4. Click Add Storage Domain.
  5. Ensure Encryption is enabled when creating the new Storage Domain.
    Figure 15: Enable encryption
  6. Verify that Encryption is enabled for the new Storage Domain.
    Figure 16: Encryption enabled
