Using Data Security Manager with Venafi

1.0 Introduction

This article describes how to integrate Fortanix Data Security Manager (DSM) with Venafi. The integration describes steps to add Fortanix as an HSM connector within Venafi and then leverage that connector to secure the Venafi Trust Protection (TPP) database with an AES256 key stored within the Fortanix HSM system. It also contains the information that a user requires to:

  • Create a group, app, security object in Fortanix DSM.
  • Install Fortanix DSM on Venafi TPP.
  • Configure Venafi.

2.0 Integration Steps

2.1 Create an App and Security Object in Fortanix DSM

  1. Log in to the Fortanix DSM UI.
  2. Click the Groups tab. On the Groups page, click the create a new group icon to create a new group. 
    Figure_1.png
    Figure 1: Create a Group in DSM
  3. Click the Apps tab. On the Apps page, click the create a new app icon to create a new app.
    Enter the following information:
    • App name: This is the name to identify the EJBCA app.
    • Authentication method: This can be left at the default API Key.
    • Group: This is a logical construct that will contain keys created and owned by the Venafi cluster.
  4. Click Save to complete creating the application. 
    Figure_2.png
    Figure 2: Create New App
  5. Note down the application’s API Key to use later.
    1. Go to the detailed view of an app and click the COPY API KEY as shown below.
      Figure_3.png
      Figure 3: Copy App API Key
  6. Create a security object in the group created above.
    Figure_4.png
    Figure 4: Create Security Object

2.2 Install Fortanix DSM on Venafi TPP

NOTE
The following steps need to be completed on each Venafi TPP node. Any node should be able to communicate with Fortanix DSM and authenticate using the API key generated the previous section.
  1. Log in to Venafi TPP node using the service account assigned to Venafi.
  2. Install the Fortanix DSM Client software:
    1. Download the MSI from the URL
      https://support.fortanix.com/hc/en-us/articles/360018084132-CNG-EKM 
    2. Run the MSI package and accept the default values.
  3. Configure the Fortanix DSM Client:
    1. Navigate to the Fortanix default client directory - C:\Program Files\Fortanix\KMSClient
    2. Execute the following commands to configure the Fortanix DSM client:
      FortanixKmsClientConfig.exe user --api-endpoint [Fortanix DSM URL]
      FortanixKmsClientConfig.exe user  --api-key
    3. An example of the Fortanix DSM URL is: https://amer.smartkey.iod

For more details refer to the Developer’s Guide: Microsoft CNG Key Storage Provider.

2.3 Configure Venafi

  1. Open the Venafi Configuration Console.
    Figure_5.png
    Figure 5: Venafi Configuration Console
  2. Click Connectors under the Venafi Configuration menu to create a Connector.
    Figure_6.png
    Figure 6: Create Connector
  3. Under Connectors, click Create HSM Connector
    Figure_7.png
    Figure 7: Create HSM Connector
  4. Enter the following information:
    1. Name – (user defined)
    2. Cryptoki Dll Path – Enter the PCKS#11 path
      Default - C:\Program Files\Fortanix\KmsClient\FortanixKmsPkcs11.dll
    3. Select Slot as 0 from the drop down menu.
    4. Select User Type as Crypto Officer (User) from the drop down menu.
    5. In the Pin field, enter the Fortanix API Key for Venafi that you copied in Section 2.1.
  5. Click Verify.
    Figure_8.png
    Figure 8: Create New HSM Connector

2.3.1 Create a new AES256 key in Venafi

  1. Click New Key to create a new key.
  2. In the Create New HSM Key window, enter a Name for the key and click Create.
    Figure_9.png
    Figure 9: Create AES256 Key
  3. Click the Create button again to complete the key creation process.
    Figure_10.png
    Figure 10: Key Created
  4. Now, verify that the new HSM configuration is listed under Encryption Connectors.
    Figure_11.png
    Figure 11: HSM Configuration Listed

2.3.2 Re-Encrypt the Venafi TPP Database with Fortanix HSM Key

NOTE
This step may require a significant amount of time based on the size of your database.  The data is being decrypted and re-encrypted to the new key material.
  1. Select “Rotate TPP System Protection Key”.
    Figure_12.png
    Figure 12: Rotate TPP System Protection Key
  2. Enter a New key name and select the HSM Connector. Click Rotate.
    Figure_13.png
    Figure 13: Rotate the Key

 

Comments

Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful