Using Fortanix Data Security Manager as External KMIP in Rubrik

Introduction

Purpose

The purpose of this article is to describe the methods to configure and integrate Fortanix Data Security Manager (DSM) solution with Rubrik Cloud Data Management (CDM). Such information will prove valuable while evaluating, designing, or implementing the technologies described herein.

Intended Audience

The intended audience of this document includes Rubrik and Fortanix Sales Engineers, Field and Technical Support Engineers, and customer architects and engineers who want to learn and understand how to implement the Fortanix DSM into their Rubrik CDM data management solution.

Fortanix Data Security Manager

Fortanix DSM is the world's first cloud solution secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as secrets, such as passwords, API keys, tokens, or any blob of data.

KMIP and Certificate Requirements

The Key Management Interoperability Protocol (KMIP) is used for communication between the Rubrik cluster and Fortanix DSM. KMIP runs over Transport Layer Security (TLS); Fortanix DSM uses the TLS session both to protect the connection and, when certificate authentication is configured, to authenticate the KMIP client before it is allowed to create, retrieve, and use the keys stored inside Fortanix DSM.

X.509 certificates are used for both sides of this communication and authentication. Fortanix DSM is deployed with a server certificate signed by the internal Certificate Authority (CA); the Rubrik cluster must trust that CA, which is why its certificate is imported into Rubrik CDM later in this procedure.

The Rubrik cluster can authenticate to Fortanix DSM with the app's UUID and API key (presented as the KMIP username and password), or alternatively with a client certificate generated for the Rubrik cluster using a tool such as OpenSSL. That certificate may be self-signed or signed by an external CA.

Prerequisites

  • Rubrik CDM version 5.3.0 or later is installed and operational.
  • The Cluster is configured to use encryption.
    • Encryption can only be enabled at the cluster level during the bootstrap process.
  • Fortanix DSM version 3.23 or later is installed and operational.
    • The Fortanix DSM is reachable from the Rubrik cluster on port 5696 or on the custom KMIP port configured for it.
  • Access to OpenSSL or another tool for generating a client certificate and private key in the Privacy Enhanced Mail (PEM) format.

Considerations

The following key points should be understood on the Fortanix DSM and Rubrik CDM integration:

  • Once encryption is enabled at the cluster level in Rubrik CDM, it cannot then be disabled in the future.
  • Rubrik CDM supports only one (1) external KMS at a time.
  • Once a TLS connection with the Fortanix DSM has been established, Rubrik CDM keeps that connection open until its services are stopped or restarted; the session is persistent rather than being set up for each KMIP request.

Setting up Fortanix Data Security Manager

Fortanix DSM authenticates KMIP clients through Apps, each of which can be configured for API key or client certificate authentication. For the Rubrik cluster to connect over mutual TLS it must also trust the DSM server certificate, so the Fortanix DSM CA certificate has to be extracted and later imported into Rubrik CDM.

Configure an App in Fortanix Data Security Manager

  1. Log in to the Fortanix DSM UI.
  2. Click the Apps tab. On the Apps page, click the create new app icon to create a new app.
      Figure 1: Create new application
     
  3. Enter the following information:
    1. App name: This is the name to identify the Rubrik CDM cluster (customizable).
    2. Interface: KMIP.
    3. Authentication method: Leave at the default of API Key for username and password authentication, or select Certificate for client certificate authentication. This can be changed later.
    4. Group: This is a logical construct that will contain keys created and owned by the Rubrik CDM cluster.
       
  4. Click Save to complete creating the application.
      Figure 2: Create the application
     
  5. Note down the application's App UUID from the detailed view of the app. This value is used as the Common Name (CN) of the client certificate and as the KMIP username, so that DSM can map the connecting client to this app. To copy the App UUID:
    1. Go to the detailed view of the app and click the "Copy UUID" icon.
      Figure 3: Copy App UUID

Extract Fortanix Data Security Manager CA Certificate - CLI Method

  1. Log in to a system that has OpenSSL, or an equivalent tool, installed.
  2. Enter the following OpenSSL command to display the certificate chain presented by the DSM. The first certificate is the Fortanix DSM server certificate; the certificate(s) after it are the issuing CA(s), ending with the root CA. Redirecting stdin from /dev/null makes s_client exit after the handshake instead of waiting for input:
    openssl s_client -connect <sdkms_hostname_or_ip>:5696 -showcerts </dev/null
     An example output is as follows:
      Figure 4: Certificates
     
  3. Copy the output of the second certificate into a file and save this on a system that will be used to access the Rubrik UI.
     
    NOTE
    If the DSM server certificate was issued through an intermediate CA, copy every intermediate CA certificate as well as the root CA certificate; Rubrik needs the whole chain above the server certificate to validate it.

Extract Fortanix Data Security Manager CA Certificate  - UI Method

The Fortanix DSM CA certificate can also be exported from the web browser on your local computer.

  • In the web browser that is connected to the Fortanix DSM UI, view the site certificate and download the root CA certificate and, if present, the intermediate CA certificate.
  • In the example below the DSM certificate chains to a public CA, so the downloaded certificates are:
    • Root CA: DST Root CA
    • Intermediate CA: R3
    A DSM whose server certificate was issued by the internal CA will show that CA instead.
      Figure 5: Root CA and Intermediate CA
     
  • If the browser exported the certificates in binary DER format rather than PEM, convert each CA certificate to PEM with OpenSSL before importing it; the command is shown in Figure 6.
      Figure 6: Convert certificate information
     
  • These CA certificates are imported into the Rubrik CDM UI, after the client certificate has been created, to configure the certificate settings for Fortanix DSM.
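The shell script below is an added example and is not part of the Rubrik or Fortanix documentation. It covers both extraction methods in one place: capturing the chain the way `openssl s_client -showcerts` prints it, splitting it into one file per certificate, picking out the CA certificate(s) by their Basic Constraints rather than by position (which also handles chains with intermediates), converting a DER export to PEM, and checking that the DSM server certificate actually chains to the extracted CA bundle before it is pasted into CDM. It assumes OpenSSL 1.1.1 or newer in PATH; the host name, port and file names are placeholders, and the chain it works on offline is a locally generated stand-in.

```bash
#!/usr/bin/env bash
# Added example (not Rubrik's or Fortanix's code). Works on a constructed chain
# so it runs offline; fetch_chain is the step you would run against a real DSM.
set -euo pipefail

KMIP_WORK="${KMIP_WORK:-$(mktemp -d)}"

# Real capture step. "-showcerts" prints the leaf first and then its issuers;
# "</dev/null" closes stdin so s_client exits instead of waiting for input.
fetch_chain() {                       # usage: fetch_chain <dsm_host> [port] > chain.txt
  local host="$1" port="${2:-5696}"
  openssl s_client -connect "${host}:${port}" -servername "$host" -showcerts </dev/null 2>/dev/null
}

# Constructed stand-in for the DSM chain: a local root CA (placeholder name) and a
# server certificate it signs, wrapped in the noise s_client prints around them.
make_sample_chain() {
  cat > "$KMIP_WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Internal Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$KMIP_WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$KMIP_WORK/ca.key" -out "$KMIP_WORK/ca.pem" 2>/dev/null
  openssl req -new -config "$KMIP_WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=dsm.example.internal" \
    -keyout "$KMIP_WORK/server.key" -out "$KMIP_WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$KMIP_WORK/server.csr" -CA "$KMIP_WORK/ca.pem" -CAkey "$KMIP_WORK/ca.key" \
    -CAcreateserial -sha256 -days 30 -out "$KMIP_WORK/server.pem" 2>/dev/null
  {
    echo "CONNECTED(00000003)"
    cat "$KMIP_WORK/server.pem" "$KMIP_WORK/ca.pem"
    echo "Verify return code: 0 (ok)"
  } > "$KMIP_WORK/chain.txt"
}

# Write cert-1.pem, cert-2.pem, ... from the raw capture; prints how many it found.
split_chain() {                       # usage: split_chain <chain.txt>
  awk -v dir="$KMIP_WORK" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
    END                           { print n + 0 }
  ' "$1"
}

# Identify CA certificates by their Basic Constraints, not by their position:
# with an intermediate in play, "the second one" is not the root.
is_ca() {                             # usage: is_ca <cert.pem>
  local txt
  txt="$(openssl x509 -in "$1" -noout -text 2>/dev/null)"
  case "$txt" in *"CA:TRUE"*) return 0 ;; *) return 1 ;; esac
}

# Every CA certificate from the chain (root plus any intermediates) goes into
# the bundle that is pasted into CDM's Certificate Management.
build_ca_bundle() {                   # usage: build_ca_bundle <out.pem>
  local f
  : > "$1"
  for f in "$KMIP_WORK"/cert-*.pem; do
    if is_ca "$f"; then cat "$f" >> "$1"; fi
  done
}

# Browser exports are often DER; CDM wants PEM.
der_to_pem() {                        # usage: der_to_pem <in.der> <out.pem>
  openssl x509 -inform DER -in "$1" -outform PEM -out "$2"
}

sha256_fingerprint() {                # usage: sha256_fingerprint <cert.pem>
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Does the server (leaf) certificate chain to the extracted CA bundle?
verify_leaf() {                       # usage: verify_leaf <leaf.pem> <bundle.pem>
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

make_sample_chain                                     # replace with: fetch_chain <dsm_host> > "$KMIP_WORK/chain.txt"
echo "certificates in chain: $(split_chain "$KMIP_WORK/chain.txt")"
build_ca_bundle "$KMIP_WORK/dsm-ca-bundle.pem"
openssl x509 -in "$KMIP_WORK/ca.pem" -outform DER -out "$KMIP_WORK/ca.der"   # simulate a DER export
der_to_pem "$KMIP_WORK/ca.der" "$KMIP_WORK/ca-roundtrip.pem"
if verify_leaf "$KMIP_WORK/cert-1.pem" "$KMIP_WORK/dsm-ca-bundle.pem"; then
  echo "leaf verifies against $KMIP_WORK/dsm-ca-bundle.pem; paste that file into CDM"
else
  echo "leaf does NOT verify: the captured chain is incomplete" >&2; exit 1
fi
```

The fingerprint round trip is the check to do after a DER conversion: if the SHA-256 fingerprint of the converted PEM matches the one shown in the browser, the right certificate was exported and converted intact.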

Create Client Certificate and Private Key

If API key (username and password) authentication against Fortanix DSM is not desired, certificate-based authentication can be configured using a client certificate.

There are two different types of client certificates:

  • Self-signed certificates: generated and signed by the end user with their own key; the certificate itself is uploaded to the DSM app.
  • Externally signed certificates: a Certificate Signing Request (CSR) is generated and submitted to an external trusted Certificate Authority (CA), which returns the signed certificate.

Generate Self-Signed Certificate and Private Key

To generate a self-signed certificate and private key for the Rubrik cluster:

  1. Log in to a system with OpenSSL installed.
  2. Use the genrsa command to generate the RSA private key, specifying the output file name and the key length in bits, as shown in Figure 7.
      Figure 7: Generate the private key
     
  3. Enter the following OpenSSL command to create the self-signed certificate, choosing the validity period and key parameters according to customer security policy (Figure 8).
      Figure 8: Create self-signed certificate
     
  4. Enter the following information:
    • Country Name: The two-letter country code
    • State or Province Name: The full state name
    • City: The full city name
    • Organisation: Full organisation name
    • Organisational Unit: Full department name
    • Common Name: The App UUID from the Fortanix DSM
    • Others: Optional
       
  5. Store both the client certificate and the private key securely on the system. The private key is what identifies the Rubrik cluster to Fortanix DSM; it will be pasted into Rubrik CDM later and should not be copied anywhere else.
      Figure 9: Client cert and private key

Generate an Externally Signed Certificate and Private Key

To have a certificate signed by a trusted CA, you must first create a private key together with a certificate signing request (CSR):

  1. Log in to a system with OpenSSL installed.
  2. Use the genrsa command to generate the RSA private key, specifying the output file name and the key length in bits, as shown in Figure 10.
      Figure 10: Generate the private key
     
  3. Enter the following OpenSSL command to generate the CSR file, again following customer security policy (Figure 11).
      Figure 11: Generate CSR
     
  4. Enter the following information:
    • Country Name: The two-letter country code
    • State or Province Name: The full state name
    • City: The full city name
    • Organisation: Full organisation name
    • Organisational Unit: Full department name
    • Common Name: The App UUID from the Fortanix DSM
    • Others: Optional
       
  5. Submit the CSR to the CA and retrieve the signed client certificate. Store both the client certificate and the private key securely on the system; the private key never leaves the systems under your control except when it is pasted into Rubrik CDM.
      Figure 12: Client cert and private key
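As an added example, not taken from the Rubrik or Fortanix documentation, the script below performs both procedures above non-interactively: it generates the Rubrik cluster's private key, then either a self-signed client certificate or a CSR with the Fortanix App UUID as the Common Name, and runs the checks worth doing before the pair is pasted into CDM (the CN really is the UUID, the key and certificate belong together, the certificate is marked for TLS client authentication). It assumes OpenSSL 1.1.1 or newer; the UUID, subject fields, file names and the `probe_kmip_tls` host are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not Rubrik's or Fortanix's code). Generates the client key and
# certificate/CSR for the Rubrik cluster with CN = Fortanix App UUID.
set -euo pipefail

APP_UUID="${APP_UUID:-3f2b1c9e-4d5a-4e6f-8a7b-9c0d1e2f3a4b}"   # placeholder, not a real app
SUBJECT_PREFIX="/C=US/ST=California/L=Mountain View/O=Example Corp/OU=Backup"   # placeholder DN
KMIP_WORK="${KMIP_WORK:-$(mktemp -d)}"

# DSM maps the connecting client to an app by the CN, so refuse anything that is not a UUID.
valid_app_uuid() {                    # usage: valid_app_uuid <string>
  printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

# Extensions for a TLS client certificate: CA:FALSE so it can never issue anything.
write_client_cnf() {
  cat > "$KMIP_WORK/client.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_client
[dn]
CN = placeholder
[v3_client]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF
}

gen_private_key() {                   # usage: gen_private_key <out.key> [bits]
  openssl genrsa -out "$1" "${2:-3072}" 2>/dev/null
  chmod 600 "$1"                      # this key is the cluster's identity towards DSM
}

# Self-signed path: the certificate itself is uploaded to the DSM app.
gen_self_signed() {                   # usage: gen_self_signed <key> <out.crt> <uuid>
  openssl req -new -x509 -config "$KMIP_WORK/client.cnf" -key "$1" -out "$2" \
    -sha256 -days 365 -subj "${SUBJECT_PREFIX}/CN=$3"
}

# Externally signed path: the CSR goes to the CA; the returned certificate plus
# that CA's certificate are what the DSM app is configured with.
gen_csr() {                           # usage: gen_csr <key> <out.csr> <uuid>
  openssl req -new -config "$KMIP_WORK/client.cnf" -key "$1" -out "$2" \
    -sha256 -subj "${SUBJECT_PREFIX}/CN=$3"
}

cert_cn() {                           # usage: cert_cn <cert.pem>
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/^subject= *CN=\([^,]*\).*/\1/p'
}
csr_cn() {                            # usage: csr_cn <req.csr>
  openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/^subject= *CN=\([^,]*\).*/\1/p'
}

# The certificate and the key pasted into CDM must carry the same public key.
key_matches_cert() {                  # usage: key_matches_cert <key> <cert>
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Optional, needs network: prove the mutual-TLS handshake against the real DSM
# KMIP port. Success shows trust in both directions; KMIP authentication itself
# is only confirmed by the app's activity log in DSM.
probe_kmip_tls() {                    # usage: probe_kmip_tls <dsm_host> <ca_bundle.pem> <key> <cert> [port]
  openssl s_client -connect "$1:${5:-5696}" -servername "$1" -CAfile "$2" \
    -key "$3" -cert "$4" -verify_return_error </dev/null >/dev/null 2>&1
}

valid_app_uuid "$APP_UUID" || { echo "APP_UUID is not a UUID: $APP_UUID" >&2; exit 1; }
write_client_cnf
gen_private_key "$KMIP_WORK/rubrik-client.key"
gen_self_signed "$KMIP_WORK/rubrik-client.key" "$KMIP_WORK/rubrik-client.crt" "$APP_UUID"
gen_csr         "$KMIP_WORK/rubrik-client.key" "$KMIP_WORK/rubrik-client.csr" "$APP_UUID"
echo "certificate CN: $(cert_cn "$KMIP_WORK/rubrik-client.crt")"
echo "CSR CN:         $(csr_cn "$KMIP_WORK/rubrik-client.csr")"
if key_matches_cert "$KMIP_WORK/rubrik-client.key" "$KMIP_WORK/rubrik-client.crt"; then
  echo "key and certificate match; files are in $KMIP_WORK"
else
  echo "key and certificate do not belong together" >&2; exit 1
fi
```

Run it with `APP_UUID=<uuid copied from the DSM app>`; after the DSM app and CDM have been configured, `probe_kmip_tls dsm.example.internal dsm-ca-bundle.pem rubrik-client.key rubrik-client.crt` gives a quick yes/no on the handshake without involving the Rubrik cluster.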

Update the Fortanix Data Security Manager App

To enable certificate-based authentication with the Fortanix DSM, the client certificate must now be uploaded in the app settings.

  1. Log in to the Fortanix DSM UI.
  2. Click the Apps tab, and in the Apps table select the App you want to update.
  3. In the detailed view of the app, select Change Authentication Methods, and then choose Certificate.
      Figure 13: Change authentication method
     
  4. Paste the client certificate. For an externally signed certificate, also paste the certificate of the CA that signed it (DST Root CA in this example).
      Figure 14: Update the certificate
     
  5. Click Update - the Fortanix DSM is now configured to authenticate the Rubrik cluster using the client certificate and private key.

Configure Rubrik CDM Key Management Settings

When the previous steps have all been completed, Rubrik CDM can then be configured to use Fortanix DSM as an external key manager.

Configure Certificates within Rubrik

  1. Log in to the CDM UI and navigate to Settings, then Certificate Management.
      Figure 15: CDM certificate management
     
  2. Create a new entry and import the saved CA certificate(s) for the DSM.
      Figure 16: Import saved CA cert
     
  3. Enter the following information:
    • Display Name: To identify the certificate in the UI
    • Description: This is optional.
    • Certificate: Paste the Fortanix DSM CA cert gathered earlier in this field.
    • Key Type: None - there is no private key required for this certificate.
       
  4. If a client certificate is going to be used to authenticate against the Fortanix DSM, the client certificate also needs to be added here with the following information:
    • Display Name: To identify the certificate in the UI.
    • Description: This is optional.
    • Certificate: Paste the client certificate in this field.
    • Key Type: Key.
    • Key: The private key for the client certificate.
       
    Now the required certificates have been added to Rubrik CDM and the Fortanix DSM can be configured as an external key manager.

Configure Fortanix Data Security Manager as External Key Manager

  1. Log in to the CDM UI and browse to Settings, then Manage Encryption.
      Figure 17: Manage encryption
     
  2. Select Configure Client Settings.
      Figure 18: Configure client settings
     
  3. Enter the required settings into the Configure Client Settings form for either client certificate authentication or username/password authentication.
  4. For Client Certificate Authentication:
      Figure 19: Client settings
    1. Username: Enter the App UUID from the Fortanix DSM.
    2. TLS Certificate: Select the client certificate (with its private key) imported earlier.
       
  5. For Username and Password Authentication:
      Figure 20: Username and password authentication
    1. Username: Enter the App UUID from the Fortanix DSM.
    2. Password: Enter the App's API key from the Fortanix DSM.
      Figure 21: Username/password
     
  6. Set up the Fortanix DSM as a KMIP Server:
      Figure 22: Add KMIP server
    1. Server Address: KMIP IP Address or Hostname of the Fortanix DSM.
    2. Port: KMIP Port (5696 is the default).
    3. TLS Certificate: The Fortanix DSM CA certificate imported earlier.
       
  7. Before the KMIP server is used, rotate the current keys away from the internal KMS so that a new key is generated in, and protected by, the Fortanix DSM:
      Figure 23: Rotate keys
  8. Confirm that the key rotation completed successfully.
      Figure 24: Rotation successful

Verify Within Fortanix Data Security Manager

Once the external KMS has been successfully registered within CDM, the Fortanix DSM will show activity in the App logs, as follows:

Figure 25: Activity logs

Summary

This document should provide the required information needed to configure Rubrik CDM to use Fortanix’s DSM for key management. Further information can be found at https://support.rubrik.com or https://www.fortanix.com.
