Using Fortanix Data Security Manager with NetApp ONTAP

1.0  Introduction

This article describes how to integrate Fortanix Data Security Manager (DSM) with NetApp ONTAP to manage keys.

2.0  Create a KMIP App in Fortanix Data Security Manager

  1. Open a web browser and connect to the URL of your Fortanix DSM cluster. (https://sdkms.fortanix.com)
  2. Select an account, and then create a new group, for example: NETAPP ONTAP
  3. Within the newly created group, create a new app with the interface set to use KMIP.
  4. Copy the App UUID.
     Figure 1: App UUID
  5. Use OpenSSL to generate a self-signed certificate and private key with the common name (CN) set to the Fortanix DSM App UUID.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365 -subj "/CN={Fortanix DSM App UUID}"
  6. Print the output of the cert.pem file.
  7. Change the authentication method of the Fortanix DSM App created to ‘Certificate’ and click SAVE.
  8. In the Add certificate dialog box, copy the output of the cert.pem file into the Upload certificate text box, and click UPDATE.
     Figure 2: Update auth method
  9. You also require the root CA certificate for the Fortanix DSM cluster. You can obtain this using the Google Chrome web browser.
    1. Navigate to “https://{Fortanix DSM URL}” and click the View site information icon.
       Figure 3: View site information
    2. View the ‘Certificate’ under Security settings.
    3. Select the Certificate Path tab. Highlight the root CA option and then click the View Certificate button to view the certificate.
       Figure 4: View certificate
    4. In the Certificate dialog box, select the Details tab, and then click Copy to File and select the Base-64 encoded X.509 (.CER) option. Give the file a name, for example: Fortanix_DSM_CA.cer.
       Figure 5: Export certificate
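As an added example, not code from the original article, the shell helpers below carry out step 5 and verify that the certificate's CN really equals the App UUID before it is uploaded in step 8; fetch_dsm_chain is an OpenSSL alternative to the browser export in step 9. The function names are my own and the App UUID mentioned in the comments is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the original article: generate the KMIP client
# certificate for the DSM app and verify it before uploading it to DSM.
# Any App UUID referred to here is a constructed placeholder.

# Succeed only if $1 has the 8-4-4-4-12 hex shape of a DSM App UUID, so a
# typo in the CN is caught before a certificate is generated with it.
is_app_uuid() {
  printf '%s\n' "$1" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Create key.pem and cert.pem in directory $2 (default: current directory)
# with CN=$1, as in step 5. The umask keeps the private key file at 0600.
make_kmip_client_cert() {
  uuid="$1"; outdir="${2:-.}"
  is_app_uuid "$uuid" || { echo "not a valid App UUID: $uuid" >&2; return 1; }
  ( umask 077
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
      -keyout "$outdir/key.pem" -out "$outdir/cert.pem" \
      -subj "/CN=$uuid" >/dev/null 2>&1 )
}

# Print the CN of certificate $1 (RFC 2253 output looks like "subject=CN=<value>").
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -e 's/^subject= *//' -e 's/^CN=//'
}

# Succeed only if the CN of certificate $1 equals App UUID $2, which is how
# the article ties the client certificate to the DSM app.
check_client_cert() {
  [ "$(cert_cn "$1")" = "$2" ]
}

# Alternative to the browser steps in step 9: dump the chain the DSM endpoint
# $1 presents. Save the last certificate as the server-ca; if the server does
# not send the root itself, export it from the trust store as in step 9.
fetch_dsm_chain() {
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p'
}
```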

3.0  Configuration on NetApp ONTAP - Adding KMS

  1. Print the output of the cert.pem and key.pem files which were generated in the previous section.
  2. Update the certificate and key for the client.
    security certificate install -type client

    Copy and paste the output of the certificate and key from Step 1 when prompted.

    Do you want to continue entering root and/or intermediate certificates: n
  3. Open the Fortanix DSM root CA certificate (Fortanix_DSM_CA.cer) saved previously with a text editor and copy the certificate value.
  4. Update the certificate and key for the server.
    security certificate install -type server-ca

    {Paste the output of the certificate from Step 3 when prompted}

  5. Confirm the name given to the imported client and server-ca certificates using the command.
    security certificate show-user-installed
    Figure 6: Confirm name of imported certificate
  6. Run the following command to enable the external key servers.
    security key-manager external enable -key-servers {Fortanix DSM FQDN}:5696 -client-cert {Client Certificate Name} -server-ca-certs {Server CA Certificate Name}
    
    For example:
    security key-manager external enable -key-servers sdkms.fortanix.com:5696 -client-cert 76ddf566-c4f0-4c62-b711-c944cd4cfbc0 -server-ca-certs DSTRootCAX3
    
  7. Run the following command to verify the status of the external key manager.
    security key-manager external show-status
    Figure 7: Key manager status

4.0  NetApp ONTAP - Volume Encryption

  1. Open an SSH client and connect to the node IP address.
  2. Enter diagnostic privilege mode.
    set diag
    Do you want to continue? Y
  3. Run the following commands to create a test aggregate, a vserver, and an encrypted volume.
    storage aggregate create -aggregate {test aggregate name} -node {NetApp Node Name} -diskcount 5 -encrypt-with-aggr-key false
    
    Do you want to continue? Y
    vserver create -vserver {test vserver name} -aggregate {aggregate name from step 3} -rootvolume-security-style mixed
    
    volume create -vserver {vserver name from step 4} -aggregate {aggregate name from step 3} -encrypt true -size 20Mb -volume {test volume name}
    
  4. Check the state of the vserver using the following command:
    volume show -is-encrypted true -state online
    
    Figure 8: Vserver state
  5. Query the key status by running the following command:
    security key-manager key query
    
    Figure 9: Key status

5.0  Fortanix Data Security Manager - Viewing Keys

  1. Open a web browser and connect to the URL of your Fortanix DSM cluster.
  2. Select the Fortanix DSM Account, Group, and then the Security Objects tab.
     Figure 10: View keys in DSM
  3. Select the Apps tab and then the configured KMIP App to view the activity log.
     Figure 11: View activity logs
