1.0 Introduction
This article describes how to integrate Fortanix Data Security Manager (DSM) with ShardSecure.
2.0 Installing Fortanix DSM PKCS#11 Library
Download and install the Fortanix DSM PKCS#11 library. For complete instructions on the Fortanix DSM PKCS#11 integration, refer to the article PKCS#11 Library.
3.0 Configuring Fortanix DSM
You must configure Fortanix DSM before you configure the ShardSecure cluster. Contact Fortanix Support to obtain an account and login information to access the Fortanix DSM interface. To generate a hardware security module (HSM) protected key and make it available to the ShardSecure Cluster, log in to the Fortanix DSM interface and follow the steps below.
3.1 Create a Key
- In the Fortanix DSM UI, click the Security Objects tab, and then click the button to create a new object.
Figure 1: Creating a Security Object
- Enter a suitable name for the key. Fortanix suggests using cluster.master.key as the key name.
Figure 2: Naming the Key
- Select a group where you want the ShardSecure key to belong, or create a new group.
Figure 3: Selecting a Group
- Select GENERATE to start the key generation workflow.
- Select AES as the key type.
- For Key size, leave it as the default 256 bits.
Figure 4: Selecting Key Configuration
- In the Key operations permitted section, select all the available options except Export.
Figure 5: Selecting Permitted Key Operations
- Click GENERATE to create the key.
Figure 6: Generating the Security Object
3.2 Create an Application Client
- Click the Apps tab, and then click the button to create an app.
Figure 7: Creating an App
- Give a name to the app and select PKCS#11 as the interface.
Figure 8: Naming the App and Selecting the Interface
- Assign the app to the same group that you used while creating the key in Section 3.1.
Figure 9: Assigning the App to a Group
- Click SAVE to save the app.
Figure 10: Saving the App
- Click COPY API KEY, and then in the modal window click COPY API KEY again to copy the API key of the app. This key will be used for the shardsecure.cluster.encryption.hsm.password parameter in the application.properties configuration.
Figure 11: Copying the API Key
3.3 Create a New Configuration File for PKCS#11
- Create a new configuration file for the Fortanix DSM PKCS#11 configuration.
- Place the configuration file in the ShardSecure configuration directory.
- Add the name of this file to the properties as the parameter shardsecure.cluster.encryption.hsm.configfile. For example, shardsecure.cluster.encryption.hsm.configfile=fortanix.cfg.
In this example, the Fortanix PKCS#11 module has been installed at the path /opt/fortanix/pkcs11/fortanix_pkcs11.so.
The slot number is not critical in the Fortanix configuration, and you may leave it as displayed in the example below.
name = FortanixHSM
library = /opt/fortanix/pkcs11/fortanix_pkcs11.so
slot = 0
attributes(generate, *, *) = {
CKA_TOKEN = true
}
attributes(*, CKO_CERTIFICATE, *) = {
CKA_PRIVATE = false
}
attributes(*, CKO_PUBLIC_KEY, *) = {
CKA_PRIVATE = false
}
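The configuration above is in the format read by Java's SunPKCS11 provider. The following added example (not ShardSecure's or Fortanix's own code) loads that provider from the fortanix.cfg file, logs in to the token using the App's API key from Section 3.2 as the PIN, and verifies that cluster.master.key exists, is AES, and cannot be exported through PKCS#11, which is what disabling Export in Section 3.1 is meant to guarantee. The config path /etc/shardsecure/fortanix.cfg and the FORTANIX_API_KEY environment variable are assumptions.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import javax.crypto.SecretKey;

public class FortanixKeyCheck {

    // Loads SunPKCS11 from the config file shown above (the path is an assumption)
    // and opens the token with the Fortanix App's API key as the PIN.
    static KeyStore openToken(String cfgPath, char[] apiKey) throws Exception {
        Provider p = Security.getProvider("SunPKCS11").configure(cfgPath); // Java 9+
        Security.addProvider(p);
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, apiKey); // login: the API key copied in Section 3.2 is the PIN
        return ks;
    }

    // Returns true only if the key exists, is AES, and the token refuses to
    // hand out its raw bytes (the result expected after disabling Export in Section 3.1).
    static boolean isUsableNonExportableAesKey(KeyStore ks, String alias) throws Exception {
        if (!ks.containsAlias(alias)) {
            System.err.println("key not found: " + alias);
            return false;
        }
        SecretKey key = (SecretKey) ks.getKey(alias, null); // SunPKCS11 ignores the password here
        if (!"AES".equals(key.getAlgorithm())) {
            System.err.println("unexpected key type: " + key.getAlgorithm());
            return false;
        }
        // SunPKCS11 returns null when the token will not disclose the key value.
        if (key.getEncoded() != null) {
            System.err.println("key material is exportable; re-check Key operations permitted");
            return false;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        String cfg = args.length > 0 ? args[0] : "/etc/shardsecure/fortanix.cfg"; // assumption
        String apiKey = System.getenv("FORTANIX_API_KEY");                          // assumption
        if (apiKey == null) throw new IllegalStateException("FORTANIX_API_KEY not set");
        KeyStore ks = openToken(cfg, apiKey.toCharArray());
        boolean ok = isUsableNonExportableAesKey(ks, "cluster.master.key");
        System.out.println(ok ? "cluster.master.key ready for ShardSecure" : "check failed");
        System.exit(ok ? 0 : 1);
    }
}
```

Run it on the ShardSecure host once the App and key are in place; a non-zero exit means the configuration file, API key, or key permissions need another look before starting the cluster.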