Using Fortanix Data Security Manager with IBM Informix

Introduction

This article describes how to use Key Management Service (KMS) in Fortanix Data Security Manager (DSM) to manage data in IBM Informix storage spaces using Key Management Interoperability Protocol (KMIP). It also contains the information that a user requires for:

  • Creating a KMIP type keystore
  • Configuration on IBM Informix
  • Migrating the keystore

IBM Informix® is a fast and flexible database with the ability to seamlessly integrate SQL, NoSQL/JSON, and time series and spatial data. Its versatility and ease of use make Informix a preferred solution for a wide range of environments, from enterprise data warehouses to individual application development. Also, with its small footprint and self-managing capabilities, Informix is well suited for embedded data-management solutions.

Why Use Fortanix KMS With IBM Informix

IBM Informix supports storage space (dbspaces, blobspaces, and smart blobspaces) encryption.

The data in encrypted storage spaces is unintelligible without the encryption key. Encrypting storage spaces is an effective way to protect sensitive information that is stored on the disk.

Encrypting Storage Spaces

Prerequisites for Encrypting Storage Spaces

  • IBM® Global Security Kit (GSKit) installed to enable storage space encryption. GSKit is installed by default when you install the database server.
  • Access to enable storage space encryption by setting the DISK_ENCRYPTION configuration parameter.

Enable Storage Space

Each storage space is encrypted separately with its own encryption key. By default, the encryption cipher is set to AES with 128-bit keys. You can specify a stronger encryption key by including the cipher option in the DISK_ENCRYPTION configuration parameter value.

Any storage space that you create when “storage space encryption” is enabled is automatically encrypted unless you explicitly specify to create it as unencrypted with the onspaces utility. If you initialize a new database server before setting the DISK_ENCRYPTION configuration parameter, the root dbspace and all storage spaces created before setting DISK_ENCRYPTION are not encrypted. However, you can encrypt unencrypted storage spaces, including the root dbspace, by running a restore that encrypts the spaces.

As mentioned above, each storage space is encrypted with its own Space Encryption Key (SEK). The SEKs are generated by the system (oninit) based on a Master Encryption Key (MEK). The MEK is created by the onkstore utility and can be stored locally in the keystore created by the onkstore utility, or remotely in a Remote Key Server (RKS). In both cases, you must use the onkstore utility to create a keystore that will contain a MEK or the credentials necessary to reach the MEK at an RKS.

Figure 1: Storage space encryption

Once you have created and verified your keystore file, you enable storage space encryption by setting the DISK_ENCRYPTION configuration parameter to point to the keystore you created and then restarting the database server. The value of the DISK_ENCRYPTION parameter is a comma-separated list of attributes, one of which points to your keystore file.

Securing Data in IBM Informix

IBM Informix lets you keep your data secure by preventing unauthorized viewing and altering of data or database objects, and the database server includes a secure-auditing facility.

IBM allows six types of Keystore:

1 - Local Keystore
2 - AWS EAR Keystore
3 - AWS BAR Keystore
4 - KMIP EAR Keystore
5 - AZURE EAR Keystore
6 - AZURE BAR Keystore

Fortanix supports KMIP EAR Keystore integration with IBM Informix.

Create a KMIP Type Keystore

If your remote key server is located in a server/cluster that supports the KMIP standard, you can create a single type of keystore (KMIP). Currently, the same keystore type can be used by both the Storage Space Encryption and Integrated Backup Encryption features.

Figure 2: Manage the MEK

  1. Create an app in Fortanix DSM.
  2. The app must be created in an appropriate group or a new group. For instructions on how to create a group or an app, refer to the Fortanix DSM Getting Started Guide.
    Figure 3: Create an app
  3. Note down the application’s App-ID by copying the App UUID from the detailed view of the app. To copy the App UUID:
    1. Go to the detailed view of the app and click the “Copy UUID” icon as shown below. You will need this App-ID for the certificate.
    Figure 4: Copy app UUID
  4. Create a security object/key in Fortanix DSM in the same group as shown below.
    Figure 5: Create security object
    NOTE
    Make sure you select the Export option while creating the key.

Configuration on IBM Informix

  1. Log in to the IBM Informix machine as the Informix user as shown below.
    Figure 6: Log in to Informix
  2. Create a self-signed certificate. Keep the App-ID handy, because it is needed for the Common Name of the self-signed certificate.
  3. Create a directory for all certificates to be created for the KMIP keystore. The following example uses a folder called SDKMS.
    Figure 7: Create a directory
  4. Change directory to SDKMS and run the following command to create a self-signed certificate.
    openssl req -newkey rsa:2048 -nodes -keyout private.key -x509 -days 365 -out certificate.crt
    Figure 8: Create a self-signed certificate
    Figure 9: Certificate generated
  5. To configure the KMIP keystore, you need the following:
    • KMIP Server: the IP address or hostname where the KMIP server is listening for requests, with the port if the server listens on a port other than the default (5696).
    • KMIP Username: the username to access the KMIP server.
    • KMIP Password: the password for the given username.
    • KMIP Client Certificate File: a file containing the certificate for the client. The file must also contain the private key matching the certificate.
    • KMIP CA Certificate File: a file containing the root CA used to sign both the KMIP Client Certificate File and the KMIP Server Certificate File.
    • KMIP Key Name: the name of the KMIP key used as MEK by the Storage Spaces Encryption feature or as RMEK by the Integrated Backup Encryption feature.
  6. Create the client certificate file using the following command.
    cat certificate.crt private.key > kmip.crt
    Figure 10: Client certificate
  7. Create the KMIP certificate file. Export the root certificate of the KMIP server and save it as shown in the following figure.
    Figure 11: KMIP certificate file
  8. Run the following command to create a new KMIP keystore.
    onkstore -create -file Fortanix -cipher aes256
    Where:
    • Fortanix is the keystore file name
    • aes256 is the cipher
  9. You will now be prompted to select the type of keystore from the Keystore list.
    Figure 12: Select keystore
  10. Select the Keystore as 4-KMIP EAR Keystore and update the following details.
    Figure 13: Keystore selected
  11. Once the KMIP keystore has been created, verify the keystore using the following command.
    Figure 14: Verify the keystore
  12. Now view the Fortanix DSM activity log.
    Figure 15: Activity log
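
The certificate steps above (2 to 6) can be scripted and checked before kmip.crt is handed to onkstore. The following is an added example, not part of the original article or of Fortanix or IBM tooling: it goes beyond the steps by setting the Common Name non-interactively with -subj, creating the files owner-only, and verifying the result. The function names and the script name are hypothetical, and the App UUID is supplied by the caller.

```bash
#!/usr/bin/env bash
# Added example, not from the article: scripted form of steps 2-6 plus a check.

# make_kmip_client_bundle APP_ID DIR
# Creates DIR/private.key and DIR/certificate.crt (CN = APP_ID), then
# concatenates them into DIR/kmip.crt as in step 6.
make_kmip_client_bundle() {
    app_id=$1; dir=$2
    (
        # -nodes leaves the private key unencrypted on disk, so create
        # every file owner-only (0600) instead of relying on defaults.
        umask 077
        mkdir -p "$dir" && cd "$dir" || exit 1
        openssl req -newkey rsa:2048 -nodes -keyout private.key \
            -x509 -days 365 -subj "/CN=$app_id" -out certificate.crt || exit 1
        cat certificate.crt private.key > kmip.crt
    )
}

# verify_kmip_client_bundle FILE APP_ID
# Returns 0 only if FILE holds a certificate whose subject is CN=APP_ID,
# a private key that matches that certificate, and the certificate is
# still within its validity period.
verify_kmip_client_bundle() {
    file=$1; app_id=$2
    subject=$(openssl x509 -in "$file" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//') || return 1
    [ "$subject" = "CN=$app_id" ] ||
        { echo "unexpected subject: $subject" >&2; return 1; }
    cert_pub=$(openssl x509 -in "$file" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$file" -pubout) || return 1
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "private key does not match certificate" >&2; return 1; }
    openssl x509 -in "$file" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired" >&2; return 1; }
}

# Stand-alone use (hypothetical script name): ./kmip_bundle.sh <APP_UUID> <DIR>
if [ "$#" -eq 2 ]; then
    make_kmip_client_bundle "$1" "$2" &&
        verify_kmip_client_bundle "$2/kmip.crt" "$1" && echo "kmip.crt OK"
fi
```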

Migrating the Keystore

The convert feature is currently used only for EAR types of keystores. It supports downloading the MEK contained in the RKS (i.e., a KMIP server) to the local keystore. The old keystore containing the credentials to the RKS will be renamed and will be replaced with a new one of type “local”.

Figure 16: Convert keystore

Currently, only option 1 - Local Keystore (converting to a local keystore file) is supported. The original keystore file is copied to a backup file (my_keystore.p12.bak#) before being overwritten during the conversion.
