Using Fortanix Data Security Manager with Bloombase Storesafe

1.0 Introduction

This article describes how to integrate Bloombase Storesafe with Fortanix Data Security Manager (DSM).

2.0 Configuring Fortanix DSM for Integration with Bloombase Storesafe

  1. In Fortanix DSM, create an app with the interface set to Key Management Interoperability Protocol (KMIP) and the authentication method set to API Key. After the app is created, copy the App ID (UUID). The App ID is needed as the Common Name (CN) for the Bloombase Client KMIP Certificate. After the Bloombase Client Certificate is created, you should change the authentication method to certificate as described in Section 4.0.
    Figure 1: Creating a New App
  2. Copy the UUID.
    Figure 2: Copying the UUID

3.0 Configuring Bloombase Storesafe for Integration with Fortanix DSM

  1. On the Bloombase Storesafe Console, select OASIS KMIP Key Manager from the Bloombase Storesafe main menu.
    Figure 3: OASIS KMIP Key Manager
  2. Click Add.
  3. On the Modify KMIP Key Manager page:
    1. Enter a name to identify this instance of Fortanix DSM as the KMIP server.
    2. For the Model field, select Generic.
    3. Specify the Hostname/IP Address of the Fortanix DSM cluster.
    4. Leave the Port at the default, 5696.
    5. Leave the Timeout and Retry Count at their defaults unless you have a specific setting you want to use.
    6. Leave the Username and Password blank.
    7. Click Submit to save the information.
      Figure 4: Modifying the KMIP Key Manager
  4. Select Create for the client keystore to create a Rivest-Shamir-Adleman (RSA) key pair and a Certificate Signing Request (CSR).
    Figure 5: Creating an RSA Keypair and a CSR Request
  5. Specify the algorithm/key sizes you want for your keypair, the values for the certificate Distinguished Name (DN), and then click Generate to generate the certificate request.
    Figure 6: Generating a Certificate Request
    NOTE
    You must specify the app UUID copied previously in Section 2.0 as the CN of the certificate request.
  6. Click Certificate Request to download the CSR and send it to your CA for certificate issuance.
    Figure 7: Sending a Certificate Request
  7. Upload the CA Public Certificate used to sign the CSR to the Trust Certificate Store.
    Figure 8: Uploading the Trust Certificate
  8. Upload the signed certificate to the Client Keystore.
    Figure 9: Uploading the Signed Certificate
  9. Upload the Fortanix DSM cluster certificate to the Trust Certificate Store.
    Figure 10: Uploading the Fortanix DSM Cluster Certificate
  10. Click Submit to save the configuration.
    Figure 11: Submitting the Certificates
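
A pre-flight check for steps 5 to 8 above, added here as an example (it is not Fortanix or Bloombase code): it confirms that the CSR and the issued certificate carry the app UUID as their CN and that the certificate chains to the CA certificate being uploaded. It assumes the openssl command-line tool; the UUID, the throwaway CA and all files are constructed samples, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not vendor code. UUID, CA and all files below are constructed.

# Print the subject commonName of a CSR ($1=req) or certificate ($1=x509).
subject_cn() {
    openssl "$1" -in "$2" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# Succeed only when the subject CN is exactly the Fortanix DSM app UUID ($3).
cn_is_app_uuid() {
    [ "$(subject_cn "$1" "$2")" = "$3" ]
}

# Succeed only when certificate $2 chains to CA certificate $1, the one that
# goes into the Trust Certificate Store.
issued_by_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build constructed samples in directory $1: a throwaway CA, a CSR whose CN is
# the UUID $2, the certificate issued from it, and a CSR with a wrong CN.
make_samples() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example/CN=$2" \
        -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/client.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/client.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=bloombase-client" \
        -keyout "$1/wrong.key" -out "$1/wrong.csr" 2>/dev/null
}

APP_UUID="00000000-0000-4000-8000-000000000000"   # constructed placeholder
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_samples "$WORK" "$APP_UUID"

cn_is_app_uuid req "$WORK/client.csr" "$APP_UUID" && echo "CSR: CN is the app UUID"
cn_is_app_uuid req "$WORK/wrong.csr" "$APP_UUID" || echo "wrong.csr: CN mismatch, do not submit"
cn_is_app_uuid x509 "$WORK/client.pem" "$APP_UUID" && echo "Certificate: CN is the app UUID"
issued_by_ca "$WORK/ca.pem" "$WORK/client.pem" && echo "Certificate: chains to the CA"
```

To check real files, call the three check functions on the CSR downloaded from the Bloombase console, the certificate returned by your CA, and the CA certificate, with the App ID copied in Section 2.0.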

4.0 Uploading a Certificate and Generating a Key in Fortanix DSM

  1. Go to the detailed view of the app that you created in Section 2.0 and click Change authentication method.
    Figure 12: Changing the Authentication Method
  2. Select Certificate as the authentication method, and then click SAVE.
    Figure 13: Selecting Certificate as the Authentication Method
  3. Upload the Bloombase KMIP Client Certificate you created in Section 3.0 and then click UPDATE.
    Figure 14: Uploading the Bloombase KMIP Client Certificate
  4. Click the Security Objects tab, and then click the add icon to create the symmetric key that will be used by Bloombase Storesafe.
    Figure 15: Adding a Security Object
  5. Specify a name for the symmetric key, select the group you created previously in Section 2.0, and then select GENERATE for the create key workflow.
    Figure 16: Generating a New Key
  6. Select the key type, key size, and the key operations permitted. The recommended algorithm is AES and the recommended key size is 256 bits.
    Figure 17: Selecting Key Type and Size
  7. Click GENERATE to generate the key. The key is generated as shown in the figure below.
    Figure 18: Key is Successfully Generated

5.0 Configuring Fortanix DSM KMIP Entity in Bloombase Storesafe

  1. In the Bloombase Console for the KMIP Key Manager, open the Fortanix DSM KMIP entity.
    Figure 19: Fortanix DSM KMIP Entity
  2. Click Test.
    Figure 20: Testing the Connection
  3. The successful test confirms that Bloombase Storesafe can authenticate and connect to Fortanix DSM.
    Figure 21: Connection is Successful
  4. To select the key created in Fortanix DSM in Bloombase Storesafe Key Wrapper, click Create Key Wrapper.
    Figure 22: Creating a Key Wrapper
  5. Under Modify Key Wrapper, select the Fortanix DSM entity that you configured in Bloombase Storesafe in Section 3.0, select the key you created from the Object drop-down menu, and then click Select Key.
    Figure 23: Selecting the Key
  6. Click Submit to submit the updated configuration.
    Figure 24: Submitting the Updated Configuration
  7. Confirm the key has been properly selected by clicking Find Key Wrapper, and then click Find.
    Figure 25: Finding the Key

You can now use the Fortanix DSM KMIP server as a Key Management System (KMS) for all storage encryption implemented with Bloombase Storesafe. Refer to the Bloombase Storesafe documentation to implement your specific storage encryption use case.
