1.0 Introduction
1.1 Purpose
The purpose of this article is to describe the methods to configure and integrate Fortanix Data Security Manager (DSM) solution with Rubrik Cloud Data Management (CDM). Such information will prove valuable while evaluating, designing, or implementing the technologies described herein.
1.2 Intended Audience
The intended audience of this document includes Rubrik and Fortanix Sales Engineers, Field and Technical Support Engineers, and customer architects and engineers who want to learn and understand how to implement the Fortanix DSM into their Rubrik CDM data management solution.
2.0 Fortanix Data Security Manager
Fortanix DSM is the world's first cloud solution secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as secrets, such as passwords, API keys, tokens, or any blob of data.
3.0 KMIP and Certificate Requirements
The Key Management Interoperability Protocol (KMIP) is used to facilitate communication between the Rubrik cluster and Fortanix DSM. KMIP uses Transport Layer Security (TLS) to provide a secure connection and Fortanix DSM also uses this to authenticate a KMIP client to successfully create, retrieve, and use the keys stored inside Fortanix DSM.
The X.509 certificates are used to facilitate the communication and authentication for both Fortanix DSM and the Rubrik Cluster. Fortanix DSM is deployed with a server certificate that is signed by the internal Certificate Authority (CA).
The username and password from Fortanix DSM can be used to authenticate the Rubrik cluster; alternatively, a client certificate for the Rubrik cluster can be created using tools such as OpenSSL. The certificate may be signed externally or can be self-signed.
3.1 Prerequisites
- Rubrik CDM version 5.3.0 or later is installed and operational.
- The Cluster is configured to use encryption.
- Encryption can only be enabled at the cluster level during the bootstrap process.
- Fortanix DSM version 3.23 or later is installed and operational.
- The Fortanix DSM is contactable by the Rubrik cluster on port 5696 or a custom KMIP port.
- Access to OpenSSL or another tool for generating a client certificate and private key in the Privacy Enhanced Mail (PEM) format.
3.2 Considerations
The following key points should be understood on the Fortanix DSM and Rubrik CDM integration:
- Once encryption is enabled at the cluster level in Rubrik CDM, it cannot then be disabled in the future.
- Rubrik CDM supports only one (1) external KMS at a time.
- Once a TLS connection with the Fortanix DSM has been established, Rubrik CDM maintains that connection unless services are restarted or stopped. This results in a persistent TLS connection.
4.0 Create an App in Fortanix Data Security Manager
Fortanix DSM allows KMIP clients to authenticate with a certificate through Apps. To connect the Rubrik cluster and authenticate it to Fortanix DSM, you must first extract the Fortanix DSM CA certificate for mutual-TLS communication.
There are two ways to create an app in Fortanix DSM:
4.1 Using Fortanix DSM On-Premises Deployment
- Log in to the Fortanix DSM UI.
- Click the Apps tab. On the Apps page, click the create new app icon to create a new app.
Figure 1: Create new application
- Enter the following information:
- App name: This is the name to identify the Rubrik CDM cluster (customizable).
- Interface: KMIP.
- Authentication method: This can be left at the default of API Key or updated to use a client certificate if so desired (configurable).
- Group: This is a logical construct that will contain keys created and owned by the Rubrik CDM cluster.
- Click Save to complete creating the application.
Figure 2: Create application
- Note down the application's App-ID by copying the App UUID from the detailed view of the app. This will be used as the Common Name (CN) when generating the client certificate. To copy the App UUID:
- Go to the detailed view of an app and click the icon for "Copy UUID" as shown below.
Figure 3: Copy app UUID
- Change the authentication method of the Fortanix DSM App created to 'Certificate' and click SAVE.
- Continue to Section 5.0 for authentication using a client certificate.
- Click UPDATE to update the authentication method.
4.2 Using Fortanix DSM SaaS Deployment
To create an app using the Rubrik wizard in Fortanix DSM SaaS:
- Sign up at https://smartkey.io/.
- Log in to the Fortanix DSM UI.
- Click the Integrations tab in the left panel.
- On the Integrations page, click ADD INSTANCE on the Rubrik wizard.
- Enter the details as shown in the screenshot below:
Figure 4: Add instance
- Add Instance: This is the name to identify the instance created.
- Authentication method: Select the desired authentication method. There are two options to choose from:
- API key: This method is used to authenticate the application with the API Gateway.
- Client Certificate: This method is used to authenticate the application with Fortanix DSM using a Client Certificate. To upload the client certificate, click UPLOAD CERTIFICATE. Alternatively, the client certificate can be pasted in the field provided.
- Continue to Section 5.0 for authentication using a client certificate.
- Click SAVE INSTANCE. Saving an instance creates a new Group, an App, and Keys within Fortanix DSM.
4.2.1 Rubrik Wizard Instance Detailed View
In the instance detailed view page, the created instances are listed as shown below:
Figure 5: Instance details
In the instance details you will notice the following:
- Credentials: This is the App authentication method used.
- Click CERTIFICATE to download the Client Certificate. This is applicable only if the App authentication method used is a Client Certificate.
- Click COPY API KEY to copy the API key. This is applicable only if the App authentication method used is API Key.
- MANAGE: Click MANAGE to manage the keys created.
- Instance status: To disable the instance created, click the toggle Disabled.
- To delete the instance created, click the delete icon. Note that deleting an instance will delete the App, Group, and all security objects belonging to the instance, and all key material will become inaccessible.
4.3 Extract Fortanix Data Security Manager CA Certificate - CLI Method
- Log into a system that has OpenSSL, or equivalent, installed.
- Enter the following OpenSSL command to display the certificates of Fortanix DSM. The first certificate is the Fortanix DSM server certificate and the second is the root CA certificate:
openssl s_client -connect <dsm_hostname_or_ip>:5696 -showcerts
Figure 6: Certificates
- Copy the output of the second certificate into a file and save it on a system that will be used to access the Rubrik UI.
4.4 Extract Fortanix Data Security Manager CA Certificate - UI Method
The Fortanix DSM CA certificate can also be extracted from your local device/computer.
- Download the root CA certificate (and the intermediate CA certificate, if one exists) from the web browser that is pointing to the Fortanix DSM.
- A sample of the root and intermediate CA can be as follows:
- Root CA: DST Root CA
- Intermediate CA: R3
Figure 7: Root CA and intermediate CA
- If not already in PEM format (for example, DER), convert both CA certificates from the saved binary form with the following OpenSSL command:
Figure 8: Enroll compute node
- This must be added to the Rubrik CDM UI to configure the appropriate certificate settings for Fortanix DSM after creating the client certificate.
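The CLI and UI extraction steps in sections 4.3 and 4.4 as a small set of shell helpers. This is an added example, not part of the Fortanix or Rubrik guide; the host name, file names and the two-line certificate bodies used in testing are constructed placeholders, and the DER-to-PEM conversion is the standard `openssl x509` invocation rather than the command shown in Figure 8.

```shell
#!/bin/sh
# Added example (not from the Fortanix/Rubrik guide): pull the CA certificate
# out of the chain that `openssl s_client -showcerts` prints, and convert a
# DER-encoded CA certificate exported from a browser to PEM.
# All host and file names here are placeholders.
set -e

# Save the full chain presented on the KMIP port (5696 is the DSM default).
# The leaf (DSM server cert) is printed first, the issuing CA second.
save_chain() {  # save_chain <dsm_hostname_or_ip> [port] > chain.txt
    openssl s_client -connect "$1:${2:-5696}" -showcerts </dev/null 2>/dev/null
}

# Count how many certificates a saved chain contains, so a chain that also
# carries an intermediate (three certs) is noticed before the wrong one is
# imported into Rubrik.
count_certs() {  # count_certs <chain_file>
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Print only the N-th PEM certificate block found in a saved chain file.
# In the guide's setup n=2 is the DSM CA certificate.
extract_cert() {  # extract_cert <chain_file> <n>
    awk -v want="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /-----END CERTIFICATE-----/ && n == want { exit }
    ' "$1"
}

# Convert a DER (binary) certificate exported from a browser to PEM,
# which is the format the Rubrik certificate management UI accepts.
der_to_pem() {  # der_to_pem <in.cer> <out.pem>
    openssl x509 -inform DER -in "$1" -outform PEM -out "$2"
}

# Show subject and issuer; for a self-signed root CA the two are identical,
# which is a quick sanity check that the right certificate was saved.
describe_cert() {  # describe_cert <cert.pem>
    openssl x509 -in "$1" -noout -subject -issuer
}
```

Typical flow: `save_chain dsm.example.internal > chain.txt`, confirm `count_certs chain.txt` matches what you expect, then `extract_cert chain.txt 2 > dsm-ca.pem` and `describe_cert dsm-ca.pem` before importing it into Rubrik.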
5.0 Create Client Certificate and Private Key (Optional)
If it is not desirable to use password-based authentication against Fortanix DSM, certificate-based authentication can be configured using client certificates.
There are two different types of client certificates:
- Self-signed Certificates: These are generated and signed by the end-user.
- Externally signed Certificates: These require generating a Certificate Signing Request (CSR), which must then be signed by an external trusted Certificate Authority (CA).
5.1 Generate Self-Signed Certificate and Private Key
To generate a self-signed certificate and private key for the Rubrik cluster:
- Log in to a system with OpenSSL installed.
- Use the genrsa command to generate the private key, which is written to the key filename and length specified.
Figure 9: Generate the private key
- Enter the following OpenSSL command to create the self-signed certificate in line with customer security policy.
Figure 10: Create self-signed certificate
- Enter the following information:
- Country Name: The two-letter country code
- State or Province Name: The full state name
- City: The full city name
- Organisation: Full organisation name
- Organisational Unit: Full department name
- Common Name: The App UUID from the Fortanix DSM
- Others: Optional
- Ensure both the client certificate and private key are stored securely on the system.
Figure 11: Client cert and private key
5.2 Generate an Externally Signed Certificate and Private Key
To sign a certificate from a trusted CA, you must first create a private key along with a certificate signing request:
- Log in to a system with OpenSSL installed.
- Use the genrsa command to generate the private key, which is written to the key filename and length specified.
Figure 12: Generate the private key
- Enter the following OpenSSL command to generate a CSR file in line with customer security policy.
Figure 13: Generate private key
- Enter the following information:
- Country Name: The two-letter country code
- State or Province Name: The full state name
- City: The full city name
- Organisation: Full organisation name
- Organisational Unit: Full department name
- Common Name: The App UUID from the Fortanix DSM
- Others: Optional
- Ensure both the client certificate and private key are stored securely on the system.
Figure 14: Client cert and private key
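The key, self-signed certificate (section 5.1) and CSR (section 5.2) generation steps as shell helpers, with a check that the Common Name really is the App UUID before the certificate is uploaded. This is an added example, not code from the Fortanix or Rubrik guide; the subject fields, file names and the App UUID used in testing are constructed placeholders, and the 2048-bit default key size is an assumption (the guide leaves the length to you).

```shell
#!/bin/sh
# Added example, not from the guide: generate the Rubrik client key plus either
# a self-signed certificate (5.1) or a CSR for an external CA (5.2), with the
# Fortanix App UUID as the Common Name, then verify the CN before uploading.
# Subject fields, file names and the key size default are placeholders.
set -e

# Build the subject string; the CN must be the App UUID, the other fields
# follow the customer's own certificate policy.
subject_for_app() {  # subject_for_app <app_uuid> [C] [ST] [L] [O] [OU]
    printf '/C=%s/ST=%s/L=%s/O=%s/OU=%s/CN=%s' \
        "${2:-US}" "${3:-California}" "${4:-Mountain View}" \
        "${5:-Example Corp}" "${6:-Backup}" "$1"
}

# Private key in PEM; Rubrik imports it together with the client certificate.
gen_key() {  # gen_key <key.pem> [bits]
    openssl genrsa -out "$1" "${2:-2048}" 2>/dev/null
}

# 5.1: self-signed client certificate, valid for the given number of days.
gen_selfsigned() {  # gen_selfsigned <key.pem> <cert.pem> <app_uuid> [days]
    openssl req -new -x509 -key "$1" -out "$2" -days "${4:-365}" \
        -subj "$(subject_for_app "$3")"
}

# 5.2: CSR to hand to the external CA; the signed certificate comes back.
gen_csr() {  # gen_csr <key.pem> <request.csr> <app_uuid>
    openssl req -new -key "$1" -out "$2" -subj "$(subject_for_app "$3")"
}

# Print the CN of a certificate or CSR so it can be compared to the App UUID.
cert_cn() {  # cert_cn <cert.pem|request.csr>
    case "$1" in
        *.csr) openssl req -in "$1" -noout -subject -nameopt RFC2253 ;;
        *)     openssl x509 -in "$1" -noout -subject -nameopt RFC2253 ;;
    esac | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Confirm the key and certificate belong together before importing into Rubrik.
key_matches_cert() {  # key_matches_cert <key.pem> <cert.pem>
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}
```

A mismatch between `cert_cn` output and the App UUID means DSM will reject the client, so check it before the upload in section 5.3.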
5.3 Update the Fortanix Data Security Manager App
To enable certificate-based authentication with the Fortanix DSM, the client certificate must now be uploaded in the app settings.
- Copy the desired client certificate file, upload it to the Upload certificate text box in Fortanix DSM, and save the details.
- The Fortanix DSM app is now configured to authenticate the Rubrik cluster using the client certificate and private key.
6.0 Configure Rubrik CDM Key Management Settings
When the previous steps have all been completed, Rubrik CDM can then be configured to use Fortanix DSM as an external key manager.
6.1 Configure Certificates within Rubrik
- Log in to the CDM UI and navigate to Settings and Certificate Management.
Figure 15: CDM certificate management
- Create a new entry and import the saved CA certificate(s) for the DSM.
Figure 16: Import saved CA certificate
- Enter the following information:
- Display Name: To identify the certificate in the UI
- Description: This is optional.
- Certificate: Paste the Fortanix DSM CA cert gathered earlier in this field.
- Key Type: None - there is no private key required for this certificate.
- If a client certificate is going to be used to authenticate against the Fortanix DSM, the client certificate also needs to be added here with the following information:
- Display Name: To identify the certificate in the UI.
- Description: This is optional.
- Certificate: Paste the client certificate in this field.
- Key Type: Key.
- Key: The private key for the client certificate.
6.2 Configure Fortanix Data Security Manager as External Key Manager
- Log in to the CDM UI and browse to Settings then Manage Encryption.
Figure 17: Manage encryption
- Select Configure Client Settings.
Figure 18: Configure client settings
- Enter the required settings into the Configure Client Settings form for either client certificate authentication or username/password authentication.
- For Client Certificate Authentication:
Figure 19: Enroll compute node
- Username: Enter the App UUID from the Fortanix DSM.
- TLS Certificate: Select the client certificate created earlier.
- For Username and Password Authentication:
Figure 20: Client settings
- Username: Enter the App UUID from the Fortanix DSM.
- TLS Certificate: Enter the App API Key Credentials from the Fortanix DSM.
Figure 21: Username/password
- Set up the Fortanix DSM as a KMIP server:
Figure 22: Add KMIP server
- Server Address: KMIP IP address or hostname.
- Port: KMIP Port (5696 is the default).
- TLS Certificate: The Fortanix DSM CA certificate.
- Before using the KMIP server, the current keys must be rotated away from the internal KMS to generate a new key in the Fortanix DSM:
Figure 23: Rotate keys
- Ensure the keys have been rotated successfully.
Figure 24: Rotation successful
6.3 Verify Within Fortanix Data Security Manager
Once the external KMS has been successfully registered within CDM, the Fortanix DSM will show activity in the App logs, as follows:
Figure 25: Activity logs
7.0 Summary
This document should provide the required information needed to configure Rubrik CDM to use Fortanix’s DSM for key management. Further information can be found at https://support.rubrik.com or https://www.fortanix.com.