1.0 Introduction
This article describes how to integrate Bloombase Storesafe with Fortanix Data Security Manager (DSM).
2.0 Configuring Fortanix DSM for Integration with Bloombase Storesafe
- In Fortanix DSM, create an app with the interface set to Key Management Interoperability Protocol (KMIP) and the authentication method set to API Key. After the app is created, copy the App ID (UUID). The App ID is needed as the Common Name (CN) for the Bloombase Client KMIP Certificate. After the Bloombase Client Certificate is created, you should change the authentication method to certificate as described in Section 4.0.
Figure 1: Creating a New App
- Copy the UUID.
Figure 2: Copying the UUID
3.0 Configuring Bloombase Storesafe for Integration with Fortanix DSM
- On the Bloombase Storesafe Console, select OASIS KMIP Key Manager from the Bloombase Storesafe main menu.
Figure 3: OASIS KMIP Key Manager
- Click Add.
- On the Modify KMIP Key Manager page:
  - Enter the name you want to use to identify this instance of Fortanix DSM as the KMIP Server.
  - For the Model field, select Generic.
  - Specify the Hostname/IP Address of the Fortanix DSM cluster.
  - Leave the Port as default 5696.
  - Leave the Timeout and Retry Count info as default unless you have a specific setting you want to use.
  - Leave the Username and Password blank.
  - Click Submit to save the information.
Figure 4: Modifying the KMIP Key Manager
- Select Create for the client keystore to create a Rivest, Shamir, Adleman (RSA) keypair and a Certificate Signing Request (CSR).
Figure 5: Creating an RSA Keypair and a CSR Request
- Specify the algorithm/key sizes you want for your keypair, the values for the certificate Distinguished Name (DN), and then click Generate to generate the certificate request.
Figure 6: Generating a Certificate Request
- Click Certificate Request to download the CSR and send it to your CA for certificate issuance.
Figure 7: Sending a Certificate Request
- Upload the CA Public Certificate used to sign the CSR to the Trust Certificate Store.
Figure 8: Uploading the Trust Certificate
- Upload the signed certificate to the Client Keystore.
Figure 9: Uploading the Signed Certificate
- Upload the Fortanix DSM cluster certificate to the Trust Certificate Store.
Figure 10: Uploading the Fortanix DSM Cluster Certificate
- Click Submit to save the configuration.
Figure 11: Submitting the Certificates
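The App ID must appear as the CN of the client certificate, so it is worth checking the signed certificate before uploading it to Fortanix DSM in Section 4.0. The script below is an added example, not part of the Fortanix or Bloombase documentation; it assumes the openssl CLI is available, and the file names and UUID in the sample call are placeholders.

```shell
#!/bin/sh
# Added example: pre-upload checks for the KMIP client certificate.
# Assumes the openssl CLI is installed; all file names are placeholders.

# Print the subject Common Name of a PEM certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p' | head -n 1
}

# check_client_cert APP_ID CERT_PEM CA_PEM
# Returns 0 only if the CN equals the App ID, the certificate chains to
# the given CA file, and the certificate has not expired.
check_client_cert() {
    # UUIDs are compared case-insensitively.
    app_id=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    cn=$(cert_cn "$2" | tr 'A-F' 'a-f')
    if [ "$cn" != "$app_id" ]; then
        echo "FAIL: CN '$cn' does not match App ID '$app_id'" >&2
        return 1
    fi
    if ! openssl verify -CAfile "$3" "$2" >/dev/null 2>&1; then
        echo "FAIL: certificate does not chain to $3" >&2
        return 1
    fi
    if ! openssl x509 -in "$2" -noout -checkend 0 >/dev/null; then
        echo "FAIL: certificate has expired" >&2
        return 1
    fi
    echo "OK: CN matches App ID, chain verifies, certificate is current"
}

# Sample call (placeholder values):
# check_client_cert 00000000-0000-0000-0000-000000000000 bloombase-client.pem ca.pem
```

A CN mismatch caught here avoids a failed connection test in Section 5.0 that would otherwise have to be traced back through both consoles.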
4.0 Uploading a Certificate and Generating a Key in Fortanix DSM
- Go to the detailed view of the app that you created in Section 2.0 and click Change authentication method.
Figure 12: Changing the Authentication Method
- Select Certificate as the authentication method, and then click SAVE.
Figure 13: Selecting Certificate as the Authentication Method
- Upload the Bloombase KMIP Client Certificate you created in Section 3.0 and then click UPDATE.
Figure 14: Uploading the Bloombase KMIP Client Certificate
- Click the Security Objects tab, and click
to create the symmetric key that will be used by Bloombase Storesafe.
Figure 15: Adding a Security Object
- Specify a name for the symmetric key, select the group you created previously in Section 2.0, and then select GENERATE for the create key workflow.
Figure 16: Generating a New Key
- Select the key type, key size, and the key operations permitted. The recommended algorithm is AES and the recommended key size is 256 bits.
Figure 17: Selecting Key Type and Size
- Click GENERATE to generate the key. The key is generated as shown in the figure below.
Figure 18: Key is Successfully Generated
5.0 Configuring Fortanix DSM KMIP Entity in Bloombase Storesafe
- In the Bloombase Console for the KMIP Key Manager, open the Fortanix DSM KMIP entity.
Figure 19: Fortanix DSM KMIP Entity
- Click Test.
Figure 20: Testing the Connection
- The successful test confirms that Bloombase Storesafe can authenticate and connect to Fortanix DSM.
Figure 21: Connection is Successful
- To select the key created in Fortanix DSM in Bloombase Storesafe Key Wrapper, click Create Key Wrapper.
Figure 22: Creating a Key Wrapper
- Under Modify Key Wrapper, select the Fortanix DSM entity that you configured in Bloombase Storesafe in Section 3.0, select the key you created from the Object drop-down menu, and click Select Key.
Figure 23: Selecting the Key
- Click Submit to submit the updated configuration.
Figure 24: Submitting the Updated Configuration
- Confirm the key has been properly selected by clicking Find Key Wrapper, and then click Find.
Figure 25: Finding the Key
You can now use the Fortanix DSM KMIP server as a Key Management System (KMS) for all storage encryption implemented with Bloombase Storesafe. Refer to the Bloombase Storesafe documentation for details on implementing your specific storage encryption use case.