Using Fortanix Data Security Manager with Commvault

Introduction

This article describes how to integrate Fortanix Data Security Manager (DSM) with Commvault.

It also contains the information that a user requires to:

• Create an App in Fortanix DSM.
• Configure Commvault Key Management Server.
• Rotate keys in Commvault Key Management Server.

Prerequisites

• Fortanix DSM
• Commvault
• Access to create a Certificate for the KMIP server

Integration Steps

Create an App in Fortanix DSM

1. Log in to the Fortanix DSM UI.
2. Click the Apps On the Apps page click the create a new app icon to create a new app. Figure 1: Create new app
3. Enter the following information:
   • App name: This is the name to identify the Commvault app.
   • Authentication method: This can be left at the default API Key.
   • Group: This is a logical construct that will contain keys created and owned by the EJBCA cluster.
4. Click Save to complete creating the application.
5. Note down the application’s UUID by clicking the icon for “Copy UUID”. You will need this App-ID for the certificate. Figure 2: Copy app UUID
6. If an App / Client needs to authenticate to Fortanix DSM using only a certificate, then the App ID needs to be embedded in the certificate in one of the following ways:
   1. Provided as the value of a custom OID 3.6.1.4.1.49690.1.2.1 in the certificate. The OID here is just an example.
   2. Standard human-readable UUID encoding: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx provided as the value of CN. CN example: 070e0690-9230-4db3-9212-27a7bcf1c303.
7. Create a new certificate using the OpenSSL command. You will use this certificate to upload to the Fortanix DSM app.

   openssl req -newkey rsa:2048 -nodes -keyout commvault.key -x509 -days 365 -out commvault.crt

   Figure 3: Create a new certificate
8. Now go to the Fortanix DSM app and click change authentication method and update it to Certificate. Figure 4: Authentication using certificate
9. Upload the Certificate created in Step 7 in the "Add certificate" window. Figure 5: Upload certificate
10. The certificate is now updated. Figure 6: Certificate updated

Configuring Commvault Key Management Server

1. Log in to the Commvault Command Center. Figure 7: Log in to Commvault
2. Search for Key Management Server or navigate to Manage > Security > Key Management Servers. Figure 8: Key management server
3. Configure the KMIP Server in Commvault. Figure 9: Configure KMIP server
4. Configure the Key Management Server with KMIP protocol details:
   • Name
   • Key length
   • Server details
   • Port
   • Upload the self-signed Certificate
   • Upload the Certificate key
   • Upload the Fortanix DSM CA Certificate as shown below
   Figure 10: Configure KMIP details
5. Save the configuration.
6. Open the Commvault CommCell console and click System. The System window opens.
7. Click the Encryption On the Software Encryption tab, configure the software encryption settings and select the Key Management Server. Figure 11: Commonvault Commcell console
8. Save the configuration.
9. Go to Storage Policies and create a new policy for testing the encryption. Figure 12: Create new storage policy
10. Go to Commvault Command Center > Storage > Select the Storage Type, that is Disk.
11. In the Configuration tab:
    1. Select the Key management server configured earlier. Figure 13: Disk storage configuration
    2. Enable the toggle for Encrypt. Figure 14: Configure encryption
12. Run the backup jobs for testing. Figure 15: Run backup job
13. Verify the Key in Key Management Server. Figure 16: Verify the key Figure 17: Verify the key

Key Rotation

1. For key rotation, follow the steps below:
   1. Go back to the Storage -> Diskb page.
   2. Click the storage that you were testing.
   3. Next, go to the Configuration tab and change back to Built-in Key management server.
   4. Once saved, change it back to the Fortanix KMS.
2. This will force the Key Rotation in KMS.
3. Verify the logs in Commvault logs. Figure 18: Verify logs