Using Fortanix Data Security Manager with NetApp ONTAP

1.0  Introduction

This article describes how to integrate Fortanix Data Security Manager (DSM) with NetApp ONTAP to manage keys.

2.0  Create an App in Fortanix Data Security Manager

There are two ways to create an app in Fortanix DSM:

2.1 Using Fortanix DSM On-Premises Deployments

To create an app using the On-Premises deployment:

  1. Open a web browser and connect to the URL of your Fortanix DSM cluster. (https://<fortanix_dsm_url>/)
  2. Select an account, and then create a new group, for example: NETAPP ONTAP
  3. Within the newly created group, create a new app with the interface set to use KMIP.
  4. Copy the App UUID. NetApp_AppUUID.png Figure 1: App UUID
  5. Change the authentication method of the Fortanix DSM App created to ‘Certificate’ and click SAVE.
  6. Continue to Section 2.3 for authentication using client certificate.
  7. Click UPDATE to update the authentication method.

2.2 Using Fortanix DSM SaaS Deployment

To create an app using the NETAPP wizard in Fortanix DSM SaaS:

    1. Sign up at https://smartkey.io/. This opens DSM SaaS for the AMER region. DSM SaaS supports multiple regions, as listed here.
    2. Log in to the Fortanix DSM UI.
    3. Click the Integrations tab in the left panel.
    4. On the Integrations page, click ADD INSTANCE on the NETAPP wizard.
    5. Enter the details as shown in the screenshot below:
      netapp_add_instance.png Figure 2: Add instance
      1. Add Instance: This is the name to identify the instance created.
      2. Authentication method: Select the desired authentication method. There are two options to choose from:
        1. API key: This method is used to authenticate the application with the API Gateway.
        2. Client Certificate: This method is used to authenticate the application with Fortanix DSM using a Client Certificate. To upload the client certificate, click UPLOAD CERTIFICATE. Alternatively, the client certificate can be pasted in the field provided.
    6. Continue to Section 2.3 for authentication using client certificate.
    7. Click SAVE INSTANCE. With saving an instance a new Group, an App, and Keys are created within Fortanix DSM.

2.2.1 NetApp Wizard Instance Detailed View

In the instance detailed view page, the created instances are listed as shown below:

InstanceDetailed.png Figure 3: Instance detailed view

In the instance details, you will notice the following:

  • Credentials: This is the App authentication method used.
    • Click CERTIFICATE to download the Client Certificate. This is applicable only if the App authentication method used is a Client Certificate.
    • Click COPY API KEY to copy the API key. This is applicable only if the App authentication method used is API Key.
  • MANAGE: Click MANAGE to manage the keys created.
  • Instance status: To disable the instance created, click the toggle Disabled.
    detailed_instance.png
    Figure 4: Instance detailed view
  1. To delete the instance created click the delete_button.png  button. Note that deleting an instance will delete the App, Group, and all security objects belonging to the instance and all key material will become inaccessible.

2.3 Authentication Using Client Certificate

  1. Use OpenSSL to generate a self-signed certificate and private key with the common name (CN) being equal to the Fortanix DSM App UUID.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365 -subj "/CN= {Fortanix DSM App UUID}" 
  2. Print the output of the cert.pem file.
  3. Copy the output of the cert.pem file in the Upload certificate text box in the Fortanix DSM App for authentication and save the details.
  4. You also require the root CA certificate for the Fortanix DSM cluster. You can obtain this using the Google Chrome web browser.
    1. Navigate to “https://{Fortanix DSM URL}” and click the View site information icon. NetApp_ViewSiteInfo.png
      Figure 5: View site information
    2. View the ‘Certificate’ under Security settings.
    3. Select the Certificate Path tab. Highlight the root CA option and then click the View Certificate button to view the certificate. NetApp_ViewCert.png
      Figure 6: View certificate
    4. In the Certificate dialog box, select the Details tab, and then click Copy to File and select the Base-64 encoded X.509 (.CER) option. Give the file a name, for example: Fortanix_DSM_CA.cer. detailed_instance.png
      Figure 7: Export certificate

3.0  Configuration on NetApp ONTAP - Adding KMS

  1. Print the output of the cert.pem and key.pem files which were generated in the previous section.
  2. Update the certificate and key for the client.
    security certificate install -type client

    Copy and paste the output of the certificate and key from Step 1 when prompted.

    Do you want to continue entering root and/or intermediate certificates: n
  3. Open the Fortanix DSM root CA certificate (Fortanix_DSM_CA.cer) saved previously with a text editor and copy the certificate value.
  4. Update the certificate and key for the server.
    security certificate install -type server-ca

    {Paste the output of the certificate from Step 3 when prompted}

  5. Confirm the name given to the imported client and server-ca certificates using the command.
    security certificate show-user-installed
    NetApp_ConfirmName.pngFigure 8: Confirm name of imported certificate
  6. Run the following command to enable the external key servers.
    security key-manager external enable -key-servers {Fortanix DSM FQDN}:5696 -client-cert {Client
    Certificate Name} -server-ca-certs {Server CA Certificate Name}
    
    For example:
    security key-manager external enable -key-servers <fortanix_dsm_url>:5696 -client-cert 76ddf566-
    c4f0-4c62-b711-c944cd4cfbc0 -server-ca-certs DSTRootCAX3
    
  7. Run the following command to verify the status of the external key manager.
    security key-manager external show-status
    NetApp_KMStatus.pngFigure 9: Key manager status

4.0  NetApp ONTAP - Volume Encryption

  1. Open an SSH client and connect to the set node IP address.
  2. set diag.
    Do you want to continue? Y
  3. Run the following command to configure the diag.
    storage aggregate create -aggregate {test aggregate name} -node {NetApp Node Name} -diskcount 5
    -encrypt-with-aggr-key false
    
    Do you want to continue? Y
    vserver create -vserver {test vserver name} -aggregate {aggregate name from step 3} -rootvolumesecurity-
    style mixed
    
    volume create -vserver {vserver name from step 4} -aggregate {aggregate name from step 3} -
    encrypt true -size 20Mb -volume {test volume name}
    
  4. Check the state of the vserver using the following command:
    volume show -is-encrypted true -state online
    
    NetApp_vserverState.pngFigure 10: Vserver state
  5. Query the key status by running the following command:
    security key-manager key query
    
    NetApp_KeyStatus.pngFigure 11:Key status

5.0  Fortanix Data Security Manager - Viewing Keys

  1. Open a web browser and connect to the URL of your Fortanix DSM cluster.
  2. Select the Fortanix DSM Account, Group, and then the Security Objects tab. NetApp_DSMSO.pngFigure 12: View keys in DSM
  3. Select the Apps tab and then the configured KMIP App to view the activity log. NetApp_DSMactivitylogs.pngFigure 13: View activity logs

Comments

Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful