This article describes how to use Key Management Service (KMS) in Fortanix Data Security Manager (DSM) to manage data in IBM Informix storage spaces using Key Management Interoperability Protocol (KMIP). It also contains the information that a user requires for:
- Creating a KMIP type keystore
- Configuration on IBM Informix
- Migrating key store
IBM Informix® is a fast and flexible database with the ability to seamlessly integrate SQL, NoSQL/JSON, and time series and spatial data. Its versatility and ease of use make Informix a preferred solution for a wide range of environments, from enterprise data warehouses to individual application development. Also, with its small footprint and self-managing capabilities, Informix is well suited for embedded data-management solutions.
Why Use Fortanix KMS With IBM Informix
IBM Informix supports storage space (dbspaces, blobspaces, and smart blobspaces) encryption.
The data in encrypted storage spaces is unintelligible without the encryption key. Encrypting storage spaces is an effective way to protect sensitive information that is stored on the disk.
Encrypting Storage Spaces
Prerequisites for Encrypting Storage Spaces
- IBM® Global Security Kit (GSKit) installed to enable storage space encryption. GSKit is installed by default when you install the database server.
- Access to enable storage space encryption by setting the
Enable Storage Space
Each storage space is encrypted separately with its own encryption key. By default, the encryption cipher is AES with 128-bit keys. You can choose a stronger key length by including the cipher option in the DISK_ENCRYPTION configuration parameter value.
Any storage space that you create while storage space encryption is enabled is automatically encrypted unless you explicitly create it as unencrypted with the onspaces utility. If you initialize a new database server before setting the DISK_ENCRYPTION configuration parameter, the root dbspace and all storage spaces created before DISK_ENCRYPTION was set are not encrypted. However, you can encrypt unencrypted storage spaces, including the root dbspace, by running a restore that encrypts the spaces.
As mentioned above, each storage space is encrypted with its own Space Encryption Key (SEK). The SEKs are generated by the system (oninit) based on a Master Encryption Key (MEK). The MEK is created by the onkstore utility and can be stored locally in the keystore created by the onkstore utility, or remotely in a Remote Key Server (RKS). In both cases, you must use the onkstore utility to create a keystore that will contain either the MEK itself or the credentials necessary to reach the MEK at an RKS.
Figure 1: Storage space encryption
Once you have created and verified your keystore file, you enable storage space encryption by setting the DISK_ENCRYPTION configuration parameter to point to the keystore you created and then restarting the database server. The value of the DISK_ENCRYPTION parameter is a comma-separated list of attributes, one of which points to your keystore file.
Securing Data in IBM Informix
IBM Informix keeps your data secure by preventing unauthorized viewing and altering of data or database objects, and it provides a secure-auditing facility in the database server.
IBM Informix supports six types of keystore:
1 - Local Keystore
2 - AWS EAR Keystore
3 - AWS BAR Keystore
4 - KMIP EAR Keystore
5 - AZURE EAR Keystore
6 - AZURE BAR Keystore
Fortanix supports KMIP EAR Keystore integration with IBM Informix.
Create a KMIP Type Keystore
If your remote key server is located in a server/cluster supporting the KMIP standard you can create a single type of keystore (KMIP). At this moment, the same keystore type can be used by both the Storage Space Encryption and Integrated Backup Encryption features.
Figure 2: Manage the MEK
- Create an app in Fortanix DSM.
- The app must be created in an appropriate group or a new group. For instructions on how to create a group or app, refer to the Fortanix DSM Getting Started Guide.
Figure 3: Create an app
- Note down the application's App-ID by copying the App UUID from the detailed view of the app. To copy the App UUID, go to the detailed view of the app and click the "Copy UUID" icon as shown below. You will need this App-ID for the certificate.
- Create a security object/key in Fortanix DSM in the same group as shown below.
Figure 5: Create security object
Configuration on IBM Informix
- Log in to the IBM Informix machine as the Informix user as shown below.
Figure 6: Log in to Informix
- Create a self-signed certificate. Make sure you have the App-ID handy, because it must be set as the Common Name (CN) of the self-signed certificate.
- Create a directory for all certificates to be created for the KMIP keystore. In the following example, a folder called SDKMS is used.
Figure 7: Create a directory
- Change directory to SDKMS and run the following command to create a self-signed certificate.
openssl req -newkey rsa:2048 -nodes -keyout private.key -x509 -days 365 -out certificate.crt
- To configure the KMIP keystore, you need the following:
- KMIP Server: the IP address or hostname where the KMIP server is listening for requests, together with the port if the server listens on a port other than the default (5696).
- KMIP Username: the username to access the KMIP server.
- KMIP Password: the password for the given username.
- KMIP Client Certificate File: a file containing the certificate for the client; the file must also contain the private key matching the certificate.
- KMIP CA Certificate File: a file containing the root CA used to sign both the KMIP Client Certificate File and the KMIP Server Certificate File.
- KMIP Key Name: the name of the KMIP key used as MEK by the Storage Space Encryption feature or as RMEK by the Integrated Backup Encryption feature.
- Create the client certificate file, containing both the certificate and its private key, using the following command.
cat certificate.crt private.key > kmip.crt
- Create the KMIP CA certificate file. Export the root certificate of the KMIP server and save it as shown in the following figure.
Figure 11: KMIP certificate file
- Run the following command to create a new KMIP keystore.
onkstore -create -file Fortanix -cipher aes256
Fortanix is the keystore file name.
- You will now be prompted to select the type of keystore from the keystore list.
Figure 12: Select keystore
- Select the keystore type 4 - KMIP EAR Keystore and update the following details.
Figure 13: Keystore selected
- Once the KMIP keystore has been created, verify the keystore using the following command.
Figure 14: Verify the keystore
- Now view the Fortanix DSM activity log.
Figure 15: Activity log
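The certificate steps above are easy to get subtly wrong (a CN that does not match the App-ID, or a kmip.crt whose key does not belong to the certificate), and onkstore only reports the failure later. The following script is an added example, not part of the Fortanix or IBM guide: it runs the same openssl and cat commands with the App-ID supplied as the CN, then checks the resulting kmip.crt before it is handed to onkstore. It assumes openssl is on PATH; APP_ID and WORKDIR are placeholders to replace with the real App UUID and certificate directory.

```shell
#!/bin/sh
# Added example (not from the Fortanix/IBM guide): build and verify the KMIP
# client certificate file used by the Informix KMIP EAR keystore.
set -eu

APP_ID="${APP_ID:-00000000-0000-0000-0000-000000000000}"   # placeholder App UUID
WORKDIR="${WORKDIR:-./SDKMS}"                              # certificate directory

# Create the key pair and a self-signed certificate whose CN is the App-ID,
# then concatenate certificate and key into the single file onkstore expects.
make_client_cert() {
    mkdir -p "$WORKDIR"
    openssl req -newkey rsa:2048 -nodes -keyout "$WORKDIR/private.key" \
        -x509 -days 365 -subj "/CN=$APP_ID" -out "$WORKDIR/certificate.crt" 2>/dev/null
    cat "$WORKDIR/certificate.crt" "$WORKDIR/private.key" > "$WORKDIR/kmip.crt"
    chmod 600 "$WORKDIR/private.key" "$WORKDIR/kmip.crt"   # file holds a private key
}

# Verify kmip.crt: CN equals the App-ID, both PEM blocks are present, and the
# private key matches the certificate. Prints the reason and returns 1 on failure.
check_client_cert() {
    f="$WORKDIR/kmip.crt"
    cn=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    [ "$cn" = "CN=$APP_ID" ] || { echo "CN mismatch: $cn"; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || { echo "missing certificate block"; return 1; }
    grep -q -- 'BEGIN.*PRIVATE KEY-----' "$f" || { echo "missing private key block"; return 1; }
    # Compare the public key inside the certificate with the one derived from the key.
    cert_pub=$(openssl x509 -in "$f" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$f" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "private key does not match certificate"; return 1; }
    echo "kmip.crt OK for App-ID $APP_ID"
}
```

Run make_client_cert and then check_client_cert from the SDKMS directory before invoking onkstore; a non-zero exit means the file would be rejected or would authenticate as the wrong app.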
Migrating the Keystore
The convert feature is currently used only for EAR types of keystores. It supports downloading the MEK contained in the RKS (i.e., a KMIP server) to the local keystore. The old keystore containing the credentials to the RKS will be renamed and will be replaced with a new one of type “
Figure 16: Convert keystore
Currently, the only option, 1 - Local Keystore (converting to a local keystore file), is supported. The original keystore file is copied to a backup file (my_keystore.p12.bak#) before being overwritten during the conversion.