Using Fortanix Data Security Manager With Nutanix

1.0 Introduction

This article describes how to integrate Fortanix Data Security Manager (DSM) with Nutanix for storage encryption. It also contains the information that a user requires for:

  • Facilitating the communication and authentication between Fortanix DSM and Nutanix using KMIP and Certificates.
  • Setting up Fortanix DSM.
  • Creating client certificate.
  • Configuring Nutanix Key Management settings.

1.1 Fortanix Data Security Manager with Nutanix

Nutanix offers support for Fortanix DSM to manage the encryption keys for encrypting sensitive data at rest. Fortanix DSM is a specialized device / service that provides secure key management and cryptographic operations through industry standard API's.

Nutanix uses Fortanix DSM to generate, store and provide authorized access to data encryption keys. Nutanix communicates with the Fortanix DSM using the KMIP standard to allow authorized use of these keys.

Using Fortanix DSM with Nutanix provides additional security for your data, ensuring that the data encryption keys can only be used with authorized access.

2.0 KMIP and Certificate Requirements

The Key Management Interoperability Protocol (KMIP) is used to facilitate communication between the Nutanix cluster and Fortanix DSM. KMIP uses Transport Layer Security (TLS) to provide a secure connection and Fortanix DSM also uses this to Authenticate a KMIP client to successfully create, retrieve, and use the keys stored inside Fortanix DSM.

X.509 certificates are used to facilitate the communication and authentication for both Fortanix DSM and the Nutanix Cluster. Fortanix DSM is deployed with a server certificate that is signed by the internal Certificate Authority (CA). You will need to create a client certificate for the Nutanix cluster using tools such as OpenSSL. The certificate may be signed externally or can be self-signed.

2.1 Prerequisites

Ensure the following:

  • Nutanix GA version of LTS 6.5.2.x and in STS 6.6.1+.
  • Fortanix DSM version 4.4 or later.
  • Fortanix DSM is installed and operational and is accessible by the Nutanix cluster on port 5696 (for default) or a custom KMIP port.
  • You have access to OpenSSL or some other tool for generating a client certificate and private key in the Privacy Enhanced Mail (PEM) format.

3.0 Create an App and Configure Fortanix DSM Account

Fortanix DSM supports KMIP clients to authenticate using a certificate through Apps. To successfully connect the Nutanix cluster to authenticate with Fortanix DSM, the Nutanix cluster also requires you to extract the Fortanix DSM internal CA certificate.

Perform the following steps:

  1. Log in to the Fortanix DSM UI.
  2. Click the Application icon Nutanix-CreateAppIcon.png, and then click Nutanix-CreateAppIcon1.png to create new applications. You will need one app for each node in the Nutanix Cluster.

    For example: 3 nodes = 3 apps.

    For instructions on how to add a group or app, refer to the DSM Getting Started Guide.

  3. Enter the following details:
    • App name: This is the name to identify your Nutanix cluster (customizable)
    • Interface: KMIP
    • Authentication method: This will need to be updated later and the default selection of API Key is ok at this stage.
    • Assigning the new app to groups: Keys created by the Nutanix cluster will be owned by this group.
    Nutanix-CreateApp.png Figure 1: Create an App
  4. After you have added the application, copy the App UUID from the app table view by clicking the icon for Copy UUID as shown below. You will need this App UUID as it will be used as the Common Name (CN) when generating the client certificate.
    For example:
    • Node 1 = 3030a8c0-c520-4f0f-912a-d3bff6a272fd
    • Node 2 = 99d5cafd-95e0-4898-b93d-f46ce9550287
    • Node 3 = c0b83293-ae04-4735-90af-9b4f406f884e
    Nutanix-AppUUID.png Figure 2: App UUID
  5. If an app or client needs to authenticate to Fortanix DSM using the only certificate, then the App ID needs to be embedded in the certificate in one of the following ways:
    • Provided as the value of a custom OID in the certificate
      Standard human-readable UUID encoding: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx
    • Provided as the value of CN.
      CN example: 3030a8c0-c520-4f0f-912a-d3bff6a272fd
  6. Update the Account Settings.
    1. Click Settings -> CLIENT CONFIGURATION -> KMIP.
    2. Select Allow secrets with unknown operations.
    3. Click SAVE.

4.0 Configure Nutanix Nodes with Fortanix UUIDs

Each Nutanix Node will need to generate an RSA key for authenticating to Fortanix DSM.

Perform the following steps:

  1. SSH into the Nutanix cluster.
  2. Run the following command to identify all nodes in the cluster:
  3. Each IP address returned will represent your cluster nodes.
  4. Log into each cluster node and run the following command:
    genesis --use_legacy_csr_generation=False --san_list_for_csr_generation="dns=<APP_UUID>" restart
    Replace the <APP_UUID> that you copied for each node in Section 3.0. Execute the above command for each node in the cluster, where the <APP_UUID> should match the node.
    Sample output:
    nutanix@NTNX-17SM6B050002-A-CVM:$ genesis --use_legacy_csr_generation=False --san_list_for_csr_generation="dns=5bf6acc7-ebe3-4e6e-a88a-70572b18c96a" restart
    2022-11-01 07:45:23.042344: Stopping genesis (pids [15503, 15561, 15585, 15586, 30032, 30033])
    2022-11-01 07:45:27.540170: Genesis started on pids [2948]

5.0 Configure Encryption Settings

Perform the following steps:

  1. Log in to Nutanix Prism. Nutanix-PrismHome.png Figure 3: Log in to Nutanix
  2. Using the drop down menu, select Settings.
  3. On the left pane, select Data-at-rest Encryption. Nutanix-DataAtRestEnc.png Figure 4: Data at rest encryption
  4. Select An External KMS.
  5. Fill in the Certificate Signing Request information and click Save CSR Info.
  6. Click Add New Key Management Server.
    1. Name the key management server.
    2. Provide the address to your Fortanix DSM deployment (On-premises or SaaS).
    3. Click Save.
    4. Click Back.
  7. Click Add New Certificate Authority.
    This will be the root CA certificate for the Fortanix DSM environment to which you will be connecting. Download a copy and have it ready for the next section.
    1. Name the Certificate Authority.
    2. Click Upload CA Certificate.
    3. Browse for the CA Certificate.
    4. Click Save.
    5. Click Back.

6.0 Issue Certificate for Each Node

Perform the following steps:

  1. From the Data-at-rest Encryption settings, under the Certificate Signing Request section
    1. Click Download CSRs for all nodes. Nutanix-DownloadCSRs.png Figure 5: Download CSR for all nodes
    2. Save these to any location.
    3. Submit these to your organization's team that handles Certificates or PKI.
      Depending on the size of your organization and processes, you may need to return to the procedure at a later time. After you have obtained your signed certificates, they will need to be added to the Key Management Server configuration and in Fortanix DSM.

7.0 Install Node Certificates in Nutanix Prism

Perform the following steps:

  1. In the Data-at-rest Encryption settings, under Key Management Server, click Manage Certificates. Nutanix-ManageCert.png Figure 6: Manage certificates
  2. Click Upload Files.
  3. Find and select your certificate files and click Submit.
  4. Click Test All Nodes. If successful, click Back. Nutanix-TestingSuccessful.png Figure 7: Testing Successful

8.0 Install Node Certificates in Fortanix DSM

Each app that was created in Section 3 will need to be updated. 

Perform the following steps for each app in Fortanix DSM:

  1. Go to the detailed view of the app and select Change Authentication Method.
  2. Select Certificate and click Save. Nutanix-ChangeAuth.png Figure 8: Change Authentication
  3. Click Upload New Certificate.
  4. Find and select the certificate for the appropriate app based on the node as mentioned in Section 3 and click Update.

9.0 Enable Encryption

After all of the above steps have been completed, you must enable encryption.

Perform the following steps:

  1. Log in to Nutanix Prism.
  2. Go to Data-at-rest Encryption settings and scroll to the bottom of the page.
  3. Click Enable Encryption.
  4. At the prompt type ENCRYPT and click Encrypt.
  5. If done properly, you will be presented with a screen that states success and that the system is encrypted. Nutanix-Encryption.png Figure 9: Encryption Enabled

10.0 Verification

There are two places to verify the encryption.

  1. In Nutanix Prism:
    • Click the Recent Tasks drop down menu to see the current encryption progress per container.
  2. In Fortanix DSM:
    • Observe the contents of your Nutanix group. You should see that the security objects have been created. Nutanix-SOTable.png Figure 10: Security object created
    • Also observe the activity logs for each of the apps. You should see that the apps are authenticating and retrieving keys. Nutanix-SOLogs.png Figure 11: App activity logs
    • Verify the logs from Nutanix CLI, go to cat ~/data/logs/mantle.INFO. Nutanix-CLILogs.png Figure 12: Nutanix logs
    Fortanix suggests being highly available to make sure no interruption in the services. Fortanix calculates the same using the formula N/2 + 1 where N= Number of Nodes. The minimum no of Fortanix deployment has to be three nodes.


Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful