1.0 Introduction
This article outlines the steps to configure and integrate the Fortanix-Data-Security-Manager (DSM) solution with Rubrik Cloud Data Management (CDM). The guidance provided will be valuable for users evaluating, designing, or implementing these technologies to enhance their data security management and streamline cloud data protection workflows.
1.1 Intended Audience
The intended audience of this document includes Rubrik and Fortanix Sales Engineers, Field and Technical Support Engineers, and customer architects and engineers who want to learn and understand how to implement the Fortanix DSM into their Rubrik CDM data management solution.
2.0 Fortanix Data Security Manager
Fortanix DSM is the world's first cloud solution secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as secrets, such as passwords, API keys, tokens, or any blob of data.
3.0 KMIP and Certificate Requirements
The Key Management Interoperability Protocol (KMIP) is used to facilitate communication between the Rubrik cluster and Fortanix DSM. KMIP uses Transport Layer Security (TLS) to provide a secure connection and Fortanix DSM also uses this to authenticate a KMIP client to successfully create, retrieve, and use the keys stored inside Fortanix DSM.
The X.509 certificates are used to facilitate the communication and authentication for both Fortanix DSM and the Rubrik Cluster. Fortanix DSM is deployed with a server certificate that is signed by the internal Certificate Authority (CA).
The username and password from Fortanix DSM can be used for authenticating the Rubrik cluster, or alternatively, a client certificate for the Rubrik cluster can be created using tools such as OpenSSL. The certificate may be signed externally or can be self-signed.
3.1 Prerequisites
Ensure the following:
Rubrik CDM version 5.3.0 or later is installed and operational.
The Cluster is configured to use encryption.
Encryption can only be enabled at the cluster level during the bootstrap process.
Fortanix DSM version 3.23 or later is installed and operational.
The Fortanix DSM is contactable by the Rubrik cluster on port 5696 or a custom KMIP port.
Access to OpenSSL or another tool for generating a client certificate and private key in the Privacy Enhanced Mail (PEM) format.
3.2 Considerations
The following key points should be understood on the Fortanix DSM and Rubrik CDM integration:
Once encryption is enabled at the cluster level in Rubrik CDM, it cannot then be disabled in the future.
Rubrik CDM supports only one (1) external KMS at a time.
Once a TLS connection with the Fortanix DSM has been established, Rubrik CDM maintains that connection unless services are restarted or stopped. This results in a persistent TLS connection.
4.0 Configure Fortanix DSM
A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:
4.1 Signing Up
To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.
For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.
4.2 Creating an Account
Access the <Your_DSM_Service_URL> on the web browser and enter your credentials to log in to the Fortanix DSM.
Figure 1: Logging In
4.3 Using On-Premises Deployment
4.3.1 Creating a Group
Perform the following steps to create a group in the Fortanix DSM:
Click the Groups menu item in the DSM left navigation panel and click the + button on the Groups page to add a new group.
Figure 2: Add Groups
On the Adding new group page, enter the following details:
Title: Enter a title for your group.
Description (optional): Enter a short description for the group.
Click the SAVE button to create the new group.
The new group has been added to the Fortanix DSM successfully.
4.3.2 Creating an Application
Perform the following steps to create an application (app) in the Fortanix DSM:
Click the Apps menu item in the DSM left navigation panel and click the + button on the Apps page to add a new app.
Figure 3: Add Application
On the Adding new app page, enter the following details:
App name: Enter the name of your application.
Interface (optional): Select the KMIP option as interface type from the drop down menu.
ADD DESCRIPTION (optional): Enter a short description for the application.
Authentication method: Select the default API Key as the method of authentication from the drop down menu. For more information on these authentication methods, refer to User's Guide: Authentication documentation.
Assigning the new app to groups: Select the group created in Section 4.3.1: Creating a Group from the list.
Click the SAVE button to add the new application.
The new application has been added to the Fortanix DSM successfully.
4.3.3 Copying the App UUID
Perform the following steps to copy the app UUID from the Fortanix DSM:
Click the Apps menu item in the DSM left navigation panel and click the app created in the Section 4.3.2: Creating an Application to go to the detailed view of the app.
From the top of the app’s page, copy the app UUID to be used in Section 5.0: Extract Fortanix DSM CA Certificate as the value of Common Name (CN) to generate the Certificate Signing Request (CSR).
4.3.4 Changing the Authentication Method
Perform the following steps to change the application authentication method to Certificate:
In the detailed view of the app, under the INFO tab, click the Change authentication method option from the drop down menu and select Certificate as the new authentication method for the app.
In the Add Certificate form, paste the generated certificate in the Upload Certificate text box. To generate the certificate, refer to the Section 5.0: Extract Fortanix DSM CA Certificate.
Click the UPDATE button to update the app authentication method to the certificate.
4.4 Using SaaS Deployment
4.4.1 Create a Rubrik Instance
Perform the following steps to create an application (app) using the Rubrikwizard in Fortanix DSM SaaS:
Sign up at https://smartkey.io/ to access DSM SaaS for the AMER region. DSM SaaS supports multiple regions, as listed here.
Log in to the Fortanix DSM UI and click the Integrations menu item from the left panel.
On the Integrations page, search the Rubrik wizard and click the ADD INSTANCE button.
On the Add Instance page, enter the following details:
Instance Name: Enter the required name to identify the instance created.
Authentication method: Select either of the following option:
API key: Select this option to authenticate the application with the API Gateway.
Client Certificate: Select this option to authenticate the application with the Client Certificate.
If you select this option, the UPLOAD CERTIFICATE field is enabled on the UI screen. Click the UPLOAD CERTIFCATE option to upload the certificate file from your system or paste the content of the certificate in the provided space.
NOTE
Since you do not have a certificate, you must select the API key option as the authentication method to capture the UUID of the app.
Figure 4: Add Instance
Click the SAVE INSTANCE button. This action will automatically create an instance, a new group and app within the Fortanix DSM.
4.4.2 Rubrik Wizard Instance Detailed View
Navigate to the Integrations menu item → Rubrik wizard → Rubrik instances table. In the instance detailed view page, the following information is represented:
Credentials: Indicates the method used for app authentication.
Click the CERTIFICATE button to download the Client Certificate. This is applicable only if the app authentication method is Client Certificate.
Click the VIEW API KEY DETAILS button to view the details of API key, such as username and password. This is applicable only if the app authentication method is API Key.
Manage Keys: Click the MANAGE button to oversee the keys created.
Instance status: To disable the created instance, toggle the Disabled option.
DELETE: To delete the instance, click the overflow menu (three dots) and select the DELETE option. Note that deleting an instance will result in the removal of the app, group, and all security objects associated with the instance, rendering all key material inaccessible.
Figure 5: Instance details
5.0 Extract Fortanix DSM CA Certificate
5.1 Through CLI Method
Log into a system that has OpenSSL, or equivalent, installed.
Enter the following OpenSSL command to display the certificates of Fortanix DSM:
openssl s_client -connect <dsm_hostname_or_ip>:5696 -showcertsAn example output is as follows:
Figure 6: Certificates
Copy the output of the DSM Root certificate into a file and save it on a system that will be used to access the Rubrik user interface (UI).
Figure 7: DSM Root Certificate Output for EU Region
5.2 Through UI Method
The Fortanix DSM CA certificate can also be extracted from your local device/computer.
Download the root CA certificate (and if exists the intermediate CA certificate) from the Web Browser that is pointing to the Fortanix DSM.
Sample of the root and intermediate CA can be as follows:
Root CA: DST Root CA
Intermediate CA: R3
Figure 8: Root CA and intermediate CA
If not already in PEM format (such as DER), convert both the CA certificate information from the saved binary with the following OpenSSL command:
Figure 9: Enroll compute node
This must be added to the Rubrik CDM UI to configure the appropriate certificate settings for Fortanix DSM after creating the client certificate.
6.0 Create Client Certificate and Private Key (Optional)
If it is not desirable to use password-based authentication against Fortanix DSM, certificate-based authentication can be configured using client certificates.
There are two different types of client certificates:
Self-signed Certificates: These are generated and signed by the end-user.
Externally signed Certificates: These require a Certificate Signing Request generating and then must be signed by an external Trusted Certificate Authority (CA).
6.1 Generate Self-Signed Certificate and Private Key
To generate a self-signed certificate and private key for the Rubrik cluster:
Log in to a system with OpenSSL installed.
Use the
genrsacommand to generate the private key that will be written to the key filename and length specified.
Figure 10: Generate the private key
Enter the following OpenSSL command to create the self-signed certificate as per customer security policy.
Figure 11: Create self-signed certificate
Enter the following information:
Country Name: The two-letter country code
State or Province Name: The full state name
City: The full city name
Organisation: Full organisation name
Organisational Unit: Full department name
Common Name: The app UUID from the Fortanix DSM
Others: Optional
Ensure both the client certificate and private key are stored securely on the system.
Figure 12: Client cert and private key
6.2 Generate an Externally Signed Certificate and Private Key
To sign a certificate from a trusted CA, you must first create a private key along with a certificate signing request:
Log in to a system with OpenSSL installed.
Use the
genrsacommand to generate the private key that will be written to the key filename and length specified.
Figure 13: Generate the private key
Enter the following OpenSSL command to generate a CSR file as per customer security policy.
Figure 14: Generate private key
Enter the following information:
Country Name: The two-letter country code
State or Province Name: The full state name
City: The full city name
Organisation: Full organisation name
Organisational Unit: Full department name
Common Name: The app UUID from the Fortanix DSM
Others: Optional
Ensure both the client certificate and private key are stored securely on the system.
Figure 15: Client cert and private key
7.0 Configure Rubrik CDM Key Management Settings
When the previous steps have all been completed, Rubrik CDM can then be configured to use Fortanix DSM as an external key manager.
7.1 Configure Certificates within Rubrik
Log in to the CDM UI and navigate to Settings and Certificate Management.
Figure 16: CDM certificate management
Create a new entry and import the saved CA certificate(s) for the DSM.
Figure 17: Import saved CA certificate
Enter the following information:
Display Name: To identify the certificate in the UI
Description: This is optional.
Certificate: Paste the Fortanix DSM CA cert gathered earlier in this field.
Key Type: None - there is no private key required for this certificate.
If a client certificate is going to be used to authenticate against the Fortanix DSM, the client certificate also needs to be added here with the following information:
Display Name: To identify the certificate in the UI.
Description: This is optional.
Certificate: Paste the client certificate in this field.
Key Type: Key.
Key: The private key for the client certificate.
Now the required certificates have been added to Rubrik CDM and the Fortanix DSM can be configured as an external key manager.
7.2 Configure Fortanix DSM as External Key Manager
Perform the following steps:
Log in to the CDM UI and browse to Settings then Manage Encryption.
Figure 18: Manage encryption
Select Configure Client Settings.
Figure 19: Configure client settings
Enter the required settings into the Configure Client Settings form for either client certificate authentication or username/password authentication.
For Client Certificate Authentication:
Figure 20: Enroll compute node
Username: Enter the app UUID from the Fortanix DSM.
TLS Certificate: Select the client certificate as created in Section 6.0: Create Client certificate and Private Key.
For Username and Password Authentication:
Figure 21: Client settings
Username: Enter the app UUID from the Fortanix DSM.
Password: Enter the app API key credentials from the Fortanix DSM.
Figure 22: Username/password
Setup the Fortanix DSM as a KMIP Server:
Figure 23: Add KMIP server
Server Address: KMIP IP Address or Hostname.
Port: KMIP Port (5696 is the default).
TLS Certificate: The Fortanix DSM CA certificate.
Before using the KMIP server, the current keys must be rotated away from the internal KMS to generate a new key in the Fortanix DSM:
Figure 24: Rotate keys
Ensure the keys have been rotated successfully.
Figure 25: Rotation successful
7.3 Verify Within Fortanix DSM
Once the external KMS has been successfully registered within CDM, the Fortanix DSM will show activity in the app logs, as follows:
Figure 26: Activity logs
8.0 Summary
This document should provide the required information needed to configure Rubrik CDM to use Fortanix’s DSM for key management. Further information can be found at https://support.rubrik.com or https://www.fortanix.com.