Introduction
This article describes how to integrate Fortanix Data Security Manager (DSM) with Commvault.
It also contains the information that a user requires to:
- Create an App in Fortanix DSM.
- Configure Commvault Key Management Server.
- Rotate keys in Commvault Key Management Server.
Prerequisites
- Fortanix DSM
- Commvault
- Access to create a Certificate for the KMIP server
Integration Steps
Create an App in Fortanix DSM
- Log in to the Fortanix DSM UI.
- Click Apps. On the Apps page, click the create new app icon to create a new app.
Figure 1: Create new app
- Enter the following information:
- App name: This is the name to identify the Commvault app.
- Authentication method: This can be left at the default API Key.
- Group: This is a logical construct that will contain keys created and owned by the EJBCA cluster.
- Click Save to complete creating the application.
- Note down the application’s UUID by clicking the icon for “Copy UUID”. You will need this App-ID for the certificate.
Figure 2: Copy app UUID
- If an App / Client needs to authenticate to Fortanix DSM using only a certificate, then the App ID needs to be embedded in the certificate in one of the following ways:
- Provided as the value of a custom OID 3.6.1.4.1.49690.1.2.1 in the certificate. The OID here is just an example.
- Standard human-readable UUID encoding xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx provided as the value of CN. CN example: 070e0690-9230-4db3-9212-27a7bcf1c303.
- Create a new certificate using the OpenSSL command. You will use this certificate to upload to the Fortanix DSM app.
openssl req -newkey rsa:2048 -nodes -keyout commvault.key -x509 -days 365 -out commvault.crt
Figure 3: Create a new certificate
- Now go to the Fortanix DSM app and click change authentication method and update it to Certificate.
Figure 4: Authentication using certificate
- Upload the Certificate created in Step 7 in the "Add certificate" window.
Figure 5: Upload certificate
- The certificate is now updated.
Figure 6: Certificate updated
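The certificate step above, as an added example that is not part of the original article and is not Fortanix or Commvault code: it passes the App UUID as the CN with -subj instead of the interactive prompt, then checks the CN, the key/certificate pairing and the validity period before the files are uploaded. The function names are hypothetical, and the sample UUID is the CN example from this page.

```shell
#!/bin/sh
# Added example: build the client certificate with the DSM App UUID as its CN,
# then verify the resulting files before uploading them.

# Sample value: the CN example shown on this page. Use your own app's UUID.
APP_UUID="070e0690-9230-4db3-9212-27a7bcf1c303"

# True only for the standard 8-4-4-4-12 hexadecimal UUID layout.
is_uuid() {
  printf '%s\n' "$1" | grep -Eq \
    '^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$'
}

# make_cert <uuid> <dir>: the openssl req call from this page, plus -subj so
# the CN is set explicitly rather than typed at the prompt.
make_cert() {
  is_uuid "$1" || { echo "refusing: '$1' is not a UUID" >&2; return 1; }
  ( umask 077   # -nodes leaves the key unencrypted, so keep it owner-only
    openssl req -newkey rsa:2048 -nodes -keyout "$2/commvault.key" \
      -x509 -days 365 -subj "/CN=$1" -out "$2/commvault.crt" 2>/dev/null )
}

# Print the CN actually stored in a certificate.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= *//p'
}

# True when the private key belongs to the certificate (public keys match).
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)" = \
    "$(openssl pkey -in "$2" -pubout | openssl sha256)" ]
}

# preflight <dir> <uuid>: every check that should pass before the upload.
preflight() {
  [ "$(cert_cn "$1/commvault.crt")" = "$2" ] &&
    key_matches_cert "$1/commvault.crt" "$1/commvault.key" &&
    openssl x509 -in "$1/commvault.crt" -noout -checkend 0 >/dev/null
}

workdir=$(mktemp -d)
make_cert "$APP_UUID" "$workdir" && preflight "$workdir" "$APP_UUID" &&
  echo "OK: CN=$(cert_cn "$workdir/commvault.crt") in $workdir"
```

The same commvault.key is later uploaded to Commvault as the certificate key, so the key/certificate match check catches a mixed-up pair before the KMIP connection fails.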
Configuring Commvault Key Management Server
- Log in to the Commvault Command Center.
Figure 7: Log in to Commvault
- Search for Key Management Server or navigate to Manage > Security > Key Management Servers.
Figure 8: Key management server
- Configure the KMIP Server in Commvault.
Figure 9: Configure KMIP server
- Configure the Key Management Server with KMIP protocol details:
- Name
- Key length
- Server details
- Port
- Upload the self-signed Certificate
- Upload the Certificate key
- Upload the Fortanix DSM CA Certificate as shown below
Figure 10: Configure KMIP details
- Save the configuration.
- Open the Commvault CommCell console and click System. The System window opens.
- Click Encryption. On the Software Encryption tab, configure the software encryption settings and select the Key Management Server.
Figure 11: Commvault CommCell console
- Save the configuration.
- Go to Storage Policies and create a new policy for testing the encryption.
Figure 12: Create new storage policy
- Go to Commvault Command Center > Storage and select the storage type, that is, Disk.
- In the Configuration tab:
- Select the Key management server configured earlier.
Figure 13: Disk storage configuration
- Enable the toggle for Encrypt.
Figure 14: Configure encryption
- Run the backup jobs for testing.
Figure 15: Run backup job
- Verify the Key in Key Management Server.
Figure 16: Verify the key
Figure 17: Verify the key
Key Rotation
- For key rotation, follow the steps below:
- Go back to the Storage -> Disk page.
- Click the storage that you were testing.
- Next, go to the Configuration tab and change back to Built-in Key management server.
- Once saved, change it back to the Fortanix KMS.
- This will force the Key Rotation in KMS.
- Verify the key rotation in the Commvault logs.
Figure 18: Verify logs