Using Fortanix Data Security Manager as External KMIP in Rubrik

1.0 Introduction

1.1 Purpose

The purpose of this article is to describe the methods to configure and integrate Fortanix Data Security Manager (DSM) solution with Rubrik Cloud Data Management (CDM). Such information will prove valuable while evaluating, designing, or implementing the technologies described herein.

1.2 Intended Audience

The intended audience of this document includes Rubrik and Fortanix Sales Engineers, Field and Technical Support Engineers, and customer architects and engineers who want to learn and understand how to implement the Fortanix DSM into their Rubrik CDM data management solution.

2.0 Fortanix Data Security Manager

Fortanix DSM is the world's first cloud solution secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as secrets, such as passwords, API keys, tokens, or any blob of data.

3.0 KMIP and Certificate Requirements

The Key Management Interoperability Protocol (KMIP) is used to facilitate communication between the Rubrik cluster and Fortanix DSM. KMIP uses Transport Layer Security (TLS) to provide a secure connection and Fortanix DSM also uses this to authenticate a KMIP client to successfully create, retrieve, and use the keys stored inside Fortanix DSM.

The X.509 certificates are used to facilitate the communication and authentication for both Fortanix DSM and the Rubrik Cluster. Fortanix DSM is deployed with a server certificate that is signed by the internal Certificate Authority (CA).

The username and password from Fortanix DSM can be used for authenticating the Rubrik cluster, or alternatively, a client certificate for the Rubrik cluster can be created using tools such as OpenSSL. The certificate may be signed externally or can be self-signed.

3.1 Prerequisites

  • Rubrik CDM version 5.3.0 or later is installed and operational.
  • The Cluster is configured to use encryption.
    • Encryption can only be enabled at the cluster level during the bootstrap process.
  • Fortanix DSM version 3.23 or later is installed and operational.
    • The Fortanix DSM is contactable by the Rubrik cluster on port 5696 or a custom KMIP port.
  • Access to OpenSSL or another tool for generating a client certificate and private key in the Privacy Enhanced Mail (PEM) format.

3.2 Considerations

The following key points should be understood on the Fortanix DSM and Rubrik CDM integration:

  • Once encryption is enabled at the cluster level in Rubrik CDM, it cannot then be disabled in the future.
  • Rubrik CDM supports only one (1) external KMS at a time.
  • Once a TLS connection with the Fortanix DSM has been established, Rubrik CDM maintains that connection unless services are restarted or stopped. This results in a persistent TLS connection.

4.0 Create an App in Fortanix Data Security Manager

Fortanix DSM supports KMIP clients to authenticate using a certificate using Apps. To successfully connect the Rubrik cluster to authenticate with Fortanix DSM, the Rubrik cluster requires you to extract the Fortanix DSM CA certificate for mutual-TLS communications.

There are two ways to create an app in Fortanix DSM:

4.1 Using Fortanix DSM On-Premises Deployment

  1. Log in to the Fortanix DSM UI.
  2. Click the Apps tab. On the Apps page click the create new app icon Rubrik_2.png to create a new app.
      Rubrik_1.png
    Figure 1: Create new application
  3. Enter the following information:
    1. App name: This is the name to identify the Rubrik CDM cluster (customizable).
    2. Interface: KMIP.
    3. Authentication method: This can be left at the default of API Key or updated to use a client certificate if so desired (configurable).
    4. Group: This is a logical construct that will contain keys created and owned by the Rubrik CDM cluster. 
  4. Click Save to complete creating the application.
      Rubrik_3.png
    Figure 2: Create application  
  5. Note down the application’s App-ID by copying the App UUID from the detailed view of the app. This will be used as the Common Name (CN) when generating the client certificate. To copy the App UUID:
    1. Go to the detailed view of an app and click the icon for “Copy UUID” as shown below. 
    Rubrik_4.png
    Figure 3: Copy app UUID
  6. Change the authentication method of the Fortanix DSM App created to ‘Certificate’ and click SAVE.
  7. Continue to Section 5.0 for authentication using a client certificate.
  8. Click UPDATE to update the authentication method.

4.2 Using Fortanix DSM SaaS Deployment

To create an app using the Rubrik wizard in Fortanix DSM SaaS:

  1. Sign up at https://smartkey.io/.
  2. Log in to the Fortanix DSM UI.
  3. Click the Integrations tab in the left panel.
  4. On the Integrations page, click ADD INSTANCE on the Rubrik wizard.
  5. Enter the details as shown in the screenshot below:Add_instance.png
    Figure 4: Add instance
    1. Add Instance: This is the name to identify the instance created.
    2. Authentication method: Select the desired authentication method. There are two options to choose from:
      1. API key: This method is used to authenticate the application with the API Gateway.
      2. Client Certificate: This method is used to authenticate the application with Fortanix DSM using a Client Certificate. To upload the client certificate, click UPLOAD CERTIFICATE. Alternatively, the client certificate can be pasted in the field provided.
  6. Continue to Section 5.0 for authentication using a client certificate.
  7. Click SAVE INSTANCE. With saving an instance a new Group, an App, and Keys are created within Fortanix DSM.

4.2.1 Rubrik Wizard Instance Detailed View

In the instance detailed view page, the created instances are listed as shown below:delete_instance.png
Figure 5: Instance details

In the instance details you will notice the following:

  • Credentials: This is the App authentication method used.
    • Click CERTIFICATE to download the Client Certificate. This is applicable only if the App authentication method used is a Client Certificate.
    • Click COPY API KEY to copy the API key. This is applicable only if the App authentication method used is API Key.
  • MANAGE: Click MANAGE to manage the keys created.
  • Instance status: To disable the instance created, click the toggle Disabled.
  1. To delete the instance created click the delete_button.png  button. Note that deleting an instance will delete the App, Group, and all security objects belonging to the instance and all key material will become inaccessible.

4.3 Extract Fortanix Data Security Manager CA Certificate - CLI Method

  1. Log into a system that has OpenSSL, or equivalent, installed.
  2. Enter the following OpenSSL comm,brand to display the certificates of Fortanix DSM. The first certificate is the Fortanix DSM certificate and the second is the root CA certificate:
    openssl s_client -connect <sdkms_hostname_or_ip>:5696 -showcerts
    An example output is as follows:
    Rubrik_5.png
                                                               Figure 6: Certificates
  3. Copy the output of the second certificate into a file and save this on a system that will be used to access the Rubrik UI.
    NOTE
    If there are chains required, ensure all intermediate and root CA are copied as well. 

4.4 Extract Fortanix Data Security Manager CA Certificate  - UI Method

The Fortanix DSM CA certificate can also be extracted from your local device/computer.

  • Download the root CA certificate (and if exists the intermediate CA certificate) from the Web Browser that is pointing to the Fortanix DSM.
  • Sample of the root and intermediate CA can be as follows:
    • Root CA: DST Root CA
    • Intermediate CA: R3
       
    Rubrik_6.png
    Figure 7: Root CA and intermediate CA
  • If not already in PEM format (such as DER), convert both the CA certificate information from the saved binary with the following OpenSSL command:
      Rubrik_7.png
    Figure 8: Enroll compute node
  • This must be added to the Rubrik CDM UI to configure the appropriate certificate settings for Fortanix DSM after creating the client certificate.

5.0 Create Client Certificate and Private Key (Optional)

If it is not desirable to use password-based authentication against Fortanix DSM, certificate-based authentication can be configured using client certificates.

There are two different types of client certificates:

  • Self-signed Certificates: These are generated and signed by the end-user.
  • Externally signed Certificates: These require a Certificate Signing Request generating and then must be signed by an external Trusted Certificate Authority (CA).

5.1 Generate Self-Signed Certificate and Private Key

To generate a self-signed certificate and private key for the Rubrik cluster:

  1. Log in to a system with OpenSSL installed.
  2. Use the genrsa command to generate the private key that will be written to the key filename and length specified.
    Rubrik_8.png
    Figure 9: Generate the private key
  3. Enter the following OpenSSL command to create the self-signed certificate as per customer security policy.
      Rubrik_9.png
    Figure 10: Create self-signed certificate
  4. Enter the following information:
    • Country Name: The two-letter country code
    • State or Province Name: The full state name
    • City: The full city name
    • Organisation: Full organisation name
    • Organisational Unit: Full department name
    • Common Name: The App UUID from the Fortanix DSM
    • Others: Optional
       
  5. Ensure both the client certificate and private key are stored securely on the system.
      Rubrik_10.png
    Figure 11:Client cert and private key

5.2 Generate an Externally Signed Certificate and Private Key

To sign a certificate from a trusted CA, you must first create a private key along with a certificate signing request:

  1. Log in to a system with OpenSSL installed.
  2. Use the genrsa command to generate the private key that will be written to the key filename and length specified.

      Rubrik_11.png
    Figure 12:Generate the private key
  3. Enter the following OpenSSL command to generate a CSR file as per customer security policy.
      Rubrik_12.png
    Figure 13: Generate private key
  4. Enter the following information:
    • Country Name: The two-letter country code
    • State or Province Name: The full state name
    • City: The full city name
    • Organisation: Full organisation name
    • Organisational Unit: Full department name
    • Common Name: The App UUID from the Fortanix DSM
    • Others: Optional
       
  5. Ensure both the client certificate and private key are stored securely on the system.
      Rubrik_13.png
    Figure 14: Client cert and private key

5.3 Update the Fortanix Data Security Manager App

To enable certificate-based authentication with the Fortanix DSM, the client certificate must now be uploaded in the app settings.

  1. Copy the desired client certificate file and upload it the Upload certificate text box in Fortanix DSM and save the details.
  2. The Fortanix DSM app is now configured to authenticate the Rubrik cluster using the client certificate and private key.

6.0 Configure Rubrik CDM Key Management Settings

When the previous steps have all been completed, Rubrik CDM can then be configured to use Fortanix DSM as an external key manager.

6.1 Configure Certificates within Rubrik

  1. Log in to the CDM UI and navigate to Settings and Certificate Management.
      Rubrik_16.png
    Figure 15: CDM certificate management
  2. Create a new entry and import the saved CA certificate(s) for the DSM.
      Rubrik_17.png
    Figure 16: Import saved CA certificate 
  3. Enter the following information:
    • Display Name: To identify the certificate in the UI
    • Description: This is optional.
    • Certificate: Paste the Fortanix DSM CA cert gathered earlier in this field.
    • Key Type: None - there is no private key required for this certificate. 
  4. If a client certificate is going to be used to authenticate against the Fortanix DSM, the client certificate also needs to be added here with the following information:
    • Display Name: To identify the certificate in the UI.
    • Description: This is optional.
    • Certificate: Paste the client certificate in this field.
    • Key Type: Key.
    • Key: The private key for the client certificate. 
    Now the required certificates have been added to Rubrik CDM and the Fortanix DSM can be configured as an external key manager.

6.2 Configure Fortanix Data Security Manager as External Key Manager

  1. Log in to the CDM UI and browse to Settings then Manage Encryption.
      Rubrik_18.png
    Figure 17: Manage encryption
  2. Select Configure Client Settings.
      Rubrik_19.png
    Figure 18: Configure client settings
  3. Enter the required settings into the Configure Client Settings form for either client certificate authentication or username/password authentication.
  4. For Client Certificate Authentication:
      Rubrik_20.png
    Figure 19: Enroll compute node
    1. Username: Enter the App UUID from the Fortanix DSM.
    2. TLS Certificate: Select the client certificate created earlier.
       
  5. For Username and Password Authentication:
      Rubrik_21.png
    Figure 20: Client settings
    1. Username: Enter the App UUID from the Fortanix DSM.
    2. TLS Certificate: Enter the App API Key Credentials from the Fortanix DSM.
       
    Rubrik_22.png
    Figure 21: Username/password
  6. Setup the Fortanix DSM as a KMIP Server:
      Rubrik_23.png
    Figure 22: Add KMIP server
    1. Server Address: KMIP IP Address or Hostname.
    2. Port: KMIP Port (5696 is the default).
    3. TLS Certificate: The Fortanix DSM CA certificate.
       
  7. Before using the KMIP server, the current keys must be rotated away from the internal KMS to generate a new key in the Fortanix DSM:
      Rubrik_24.png
    Figure 23: Rotate keys
  8. Ensure the keys have been rotated successfully.
      Rubrik_25.png
    Figure 24: Rotation successful

6.3 Verify Within Fortanix Data Security Manager

Once the external KMS has been successfully registered within CDM, the Fortanix DSM will show activity in the App logs, as follows:

Rubrik_26.png
Figure 25: Activity logs

7.0 Summary

This document should provide the required information needed to configure Rubrik CDM to use Fortanix’s DSM for key management. Further information can be found at https://support.rubrik.com or https://www.fortanix.com.

Comments

Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful