This article describes how to integrate Fortanix Data Security Manager (DSM) with Scality S3C for Transparent Bucket Encryption using the generic Key Management Interoperability Protocol (KMIP).
2.0 Fortanix Data Security Manager Setup
The key management cloud service must be set up at https://sdkms.fortanix.com/ before configuring Scality for bucket encryption. This document assumes that access to the Fortanix DSM UI and licensing have already been established.
- Log in to https://sdkms.fortanix.com.
- In the Fortanix DSM UI, create a group:
  - Click the Groups tab in the Fortanix DSM left menu.
  - Click the add new group icon to add a new group.
  - In the Add new group form, enter a name for the group. For example: Scality S3C
- Create an application:
  - Click the Apps tab in the Fortanix DSM left menu.
  - Click the add new application icon to add a new application.
  - In the Adding new app form, enter a name for the application. For example: Scality S3C Bucket Encryption
  - Assign the app to the group you created in Step 2.
  - Click Save.
- Copy the UUID of the newly created application; you will need it in Section 4.0.
3.0 Get the Fortanix Certificate Authority (CA)
- Open Google Chrome and browse to https://sdkms.fortanix.com.
- In the URL address bar, click the padlock icon and then Certificate.
Figure 1: Create new application
- Select the Certification Path tab and highlight the root of the chain, "DST Root CA X3" (the root shown may differ if the site's certificate chain has changed since this was written).
- Select View Certificate.
Figure 2: View certificate
- Select the Details tab and then click the Copy to File button.
Figure 3: Copy to file
- Click Next and then select the radio button for Base-64 encoded X.509 (.CER) before saving it and choosing a filename (Example:
Figure 4: Base64 Encoded
4.0 Generate a certificate
On a host with OpenSSL, create the private key and certificate that S3C will use to authenticate to the Fortanix DSM KMIP service as the application you just created. The certificate's Common Name (CN) must be the application UUID you copied in Section 2.0:

openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem \
  -out cert.pem -days 365 \
  -subj "/CN=<UUID you copied from the app>"

For example:

openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365 -subj "/CN=c6ad2ad7-4948-4b60-8cd6-f33c00a01428"
You should now have the following:
- The Fortanix CA certificate (the Base-64 encoded .CER file you exported in Section 3.0)
- A private key (key.pem)
- A certificate (cert.pem)
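As an added example (not part of the original article), this POSIX shell script wraps the openssl command above and then checks, before you paste cert.pem into DSM in Section 5.0, that the certificate's CN really is the application UUID and that key.pem belongs to cert.pem. The function names and the output directory argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article: generate the client
# certificate for Fortanix DSM certificate-based app authentication
# (CN = application UUID) and verify it before uploading cert.pem.
set -eu

# Return 0 if the value pasted from the DSM UI looks like a UUID.
is_uuid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

# Generate key.pem and cert.pem for the given app UUID in directory $2.
gen_app_cert() {
  uuid="$1"; dir="$2"
  is_uuid "$uuid" || { echo "not a UUID: $uuid" >&2; return 1; }
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
    -out "$dir/cert.pem" -days 365 -subj "/CN=$uuid" 2>/dev/null
}

# Return 0 only if cert.pem's CN equals the UUID and key.pem's public
# key is the one embedded in cert.pem (i.e. the pair really matches).
verify_app_cert() {
  uuid="$1"; dir="$2"
  cn=$(openssl x509 -in "$dir/cert.pem" -noout -subject -nameopt RFC2253 \
       | sed -n 's/.*CN=//p')
  [ "$cn" = "$uuid" ] || { echo "CN mismatch: got '$cn'" >&2; return 1; }
  certpub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey)
  keypub=$(openssl pkey -in "$dir/key.pem" -pubout)
  [ "$certpub" = "$keypub" ] || { echo "key.pem does not match cert.pem" >&2; return 1; }
}

# Usage: gen_app_cert <app-uuid> . && verify_app_cert <app-uuid> .
```

Because the certificate is issued with -days 365, DSM will reject the app's KMIP connections once it expires; regenerate and re-upload it before then.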
5.0 Apply the New Cert to the Fortanix Data Security Manager Application Object
In the Fortanix DSM interface:
- Click the Apps tab.
- Select the application (Scality S3C Bucket Encryption) you created in Section 2.0.
- In the detailed view of the app, in the INFO tab, click the Change authentication method drop down under the API Key
- Select Certificate and click SAVE.
- This opens a dialog for entering the certificate. Copy and paste the contents of the cert.pem file into the provided text area and click UPDATE.
The application object is now configured to authenticate with the key/certificate pair you generated in Section 4.0.
6.0 Enable Audit logging in Fortanix Data Security Manager
Audit logging is required to confirm that the integration is working (or to see why it is not).
In the Fortanix DSM UI:
- Click the Apps tab from the left menu.
- In the Apps table, click the application you created in Section 2.0.
- In the detailed view of the app, in the INFO tab, under the Groups section click the grid for App permissions to edit the app permissions.
Figure 5: App permissions
- In the Set app permissions for objects in the group dialog, select the Allow access to audit log option.
Figure 6: Enable audit logging
7.0 Configure Scality S3C
Refer to the S3 Connector Install Guide for current information on configuring a KMS. Navigate to https://documentation.scality.com/, select your RING version under RING, then scroll down to the S3 documentation.
In summary, the relevant section in your group_vars/all file will look like this:
All certs go in the kmip directory under your environment (<env>/kmip). Also note that, at the time of this writing, there is no boiler-plate in the group_vars/all file for the above "kmip" section, nor is there a pre-created "kmip" directory for the certs, so create both yourself.
8.0 Create an Encrypted Bucket
Encrypted buckets in S3C cannot be created with the standard Amazon S3 API call; they must be created with a special header on bucket creation. There is a script for doing this in any cloudserver (s3) container. Follow the documentation (see Using Bucket Encryption in the S3 Connector Operation doc).
If there is an issue (you get a 50x when trying to create the bucket), errors will show up in the S3 log on the host you are using (for example: /var/log/s3/scality-s3-1/logs/s3-0.log), and the Fortanix audit log you enabled in Section 6.0 shows whether the request reached DSM. If you did not get an error, congratulations! You have an encrypted bucket.
You will see a new security object in the Fortanix interface, confirming that S3C is communicating with DSM.