Fortanix Data Security Manager Using Delinea Secret Server

1.0 Introduction

This article describes how to integrate Fortanix Data Security Manager (DSM) with Delinea Secret Server so that the Secret Server encryption key is protected by a key held in Fortanix DSM.

2.0 Prerequisites

Ensure the following:

  • The Fortanix CNG Client must be installed and configured.

  • Port 443 must be reachable from the Delinea Secret Server machine to Fortanix DSM.

    Protocol | Inbound/Outbound | Port Number | Load balancer (Yes/No) | Purpose
    TCP      | Outbound         | 443         | No                     | HTTPS, used to call the Fortanix DSM REST API. The Delinea Secret Server accesses the DSM cluster/SaaS URL on this port. Each individual DSM node also needs this port open.

3.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

3.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

3.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

Figure 1: Logging in

For more information on how to set up an account in Fortanix DSM, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.

3.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Groups menu item, and then click the + button to create a new group.

    Figure 2: Add groups

  2. On the Adding new group page, do the following:

    1. Title: Enter a name for your group.

    2. Description (optional): Enter a short description of the group.

  3. Click SAVE to create the new group.

The new group is added to the Fortanix DSM successfully.

3.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Apps menu item, and then click the + button to create a new app.

    Figure 3: Add application

  2. On the Adding new app page, do the following:

    1. App name: Enter the name for your application.

    2. ADD DESCRIPTION (optional): Enter a short description of the application.

    3. Authentication method: Select the default API Key as the authentication method from the drop-down menu. For more information on these authentication methods, refer to the User's Guide: Authentication.

    4. Assigning the new app to groups: Select the group created in Section 3.3: Creating a Group from the list.

  3. Click SAVE to add the new application.

The new application is added to the Fortanix DSM successfully.

3.5 Copying the API Key

Perform the following steps to copy the API key from the Fortanix DSM:

  1. In the DSM left navigation panel, click the Apps menu item, and then click the app created in Section 3.4: Creating an Application to go to the detailed view of the app.

  2. On the INFO tab, click VIEW API KEY DETAILS.

  3. From the API Key Details dialog box, copy the API Key of the app to use in Section 4.2: Configuring CNG Client.

4.0 Fortanix CNG Provider

The Fortanix CNG Provider must be installed on every machine that runs Delinea Secret Server. Refer to the Fortanix CNG/EKM download page to obtain the installer.

FortanixKmsClient.msi installs the Fortanix CNG Provider, as well as an EKM provider and the PKCS#11 library. The Fortanix CNG Provider performs its cryptographic operations by calling Fortanix DSM, so after installation it must be configured with the DSM URL and an API key, as described in Section 4.2: Configuring CNG Client.

4.1 Installing Fortanix CNG Client

Perform the following steps to complete the installation on your machine:

  1. On the Fortanix KMS Client Setup dialog box, click Next.

    Figure 4: Fortanix KMS Client Setup

  2. Select the check box for I accept the terms in the License Agreement and click Next.

    Figure 5: Fortanix KMS Client Setup

  3. Enter the location for installing the Fortanix KMS Client, for example C:\Program Files\Fortanix\KmsClient\ (the path that the commands in Section 4.2: Configuring CNG Client assume).

    Figure 6: Fortanix KMS Client Setup

  4. Click Install to install the Fortanix KMS client.

    Figure 7: Fortanix KMS Client Setup

  5. After the installation is done, click Finish.

    Figure 8: Fortanix KMS Client Setup

4.2 Configuring CNG Client

The Fortanix KMS Server URL and proxy information are configured in the Windows registry for the local machine or the current user.

  1. Open a command prompt and change to the directory that contains FortanixKmsClientConfig.exe:

    cd C:\Program Files\Fortanix\KmsClient\

    The machine key store uses the local machine configuration, and the user key store uses the current user configuration. The machine configuration is written to the local-machine hive of the registry, so run the command prompt as an administrator. Run the following command to configure the Fortanix DSM URL for the local machine:

    FortanixKmsClientConfig.exe machine --api-endpoint {KMS_URL}

    Where,

    KMS_URL is the Fortanix DSM URL. On-premises customers use the URL of their DSM cluster; SaaS customers use the URL for their region, since DSM SaaS is offered in multiple regions (for example, https://eu.smartkey.io).

    For example,

    FortanixKmsClientConfig.exe machine --api-endpoint https://<fortanix_dsm_url>

  2. Run the following command to configure the Fortanix DSM URL for the current user:

    FortanixKmsClientConfig.exe user --api-endpoint {KMS_URL}

    To route the connection through a proxy, add --proxy http://<proxy_url>; to remove a configured proxy, add --proxy none.

  3. Run the following command to configure, for the machine key store, the API key copied in Section 3.5: Copying the API Key:

    FortanixKmsClientConfig.exe machine --api-key <key>

  4. Run the following command to configure the API key for the user key store:

    FortanixKmsClientConfig.exe user --api-key <key>

    The API key authenticates as the app created in Section 3.4: Creating an Application and grants access to every key in that app's group, so handle it as a secret and do not leave it in shell history or scripts. The user configuration applies only to the Windows account that ran the command; Secret Server runs under a service identity rather than an interactive user, so it is the machine configuration that Secret Server will use.
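The following PowerShell script is an added example, not part of the Fortanix or Delinea documentation. It ties the Section 2 prerequisite check and the Section 4.2 machine-store configuration together on the Secret Server machine and then confirms, before Secret Server is pointed at the provider, that the configured API key actually authenticates to DSM. It assumes the CNG client is installed in the directory shown above, and it assumes (check this against the DSM API reference for your version) that the DSM REST API accepts the app API key as an HTTP Basic credential on POST /sys/v1/session/auth, returning a bearer token in access_token, and that POST /sys/v1/session/terminate releases that token.

```powershell
# Added example: prerequisite check, machine-store configuration, and API key
# verification for the Fortanix CNG client on a Delinea Secret Server host.
# Not Fortanix or Delinea code. Assumed: install path below, and the DSM
# session/auth and session/terminate endpoints described in the lead-in.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $DsmUrl,     # e.g. https://eu.smartkey.io
    [Parameter(Mandatory)] [string] $ApiKey,     # API key copied in Section 3.5
    [string] $ProxyUrl = '',                     # e.g. http://<proxy_url>; empty = do not touch proxy setting
    [string] $ClientDir = 'C:\Program Files\Fortanix\KmsClient'   # assumed install path
)

$ErrorActionPreference = 'Stop'
$endpoint = [Uri] $DsmUrl
if ($endpoint.Scheme -ne 'https') { throw "DSM URL must use https: $DsmUrl" }
$base = $DsmUrl.TrimEnd('/')

# 1. Section 2 prerequisite: outbound TCP 443 (or the port in the URL) from
#    this host to the DSM cluster/SaaS endpoint.
$reach = Test-NetConnection -ComputerName $endpoint.Host -Port $endpoint.Port -WarningAction SilentlyContinue
if (-not $reach.TcpTestSucceeded) {
    throw "TCP $($endpoint.Port) to $($endpoint.Host) is blocked; open it before continuing."
}

# 2. Section 4.2, machine store: endpoint (plus proxy if requested), then the API key.
$config = Join-Path $ClientDir 'FortanixKmsClientConfig.exe'
if (-not (Test-Path $config)) { throw "CNG client not found at $config; install it first (Section 4.1)." }

$endpointArgs = @('machine', '--api-endpoint', $DsmUrl)
if ($ProxyUrl) { $endpointArgs += @('--proxy', $ProxyUrl) }
& $config @endpointArgs
if ($LASTEXITCODE -ne 0) { throw "endpoint configuration failed (exit code $LASTEXITCODE)" }

& $config machine --api-key $ApiKey
if ($LASTEXITCODE -ne 0) { throw "API key configuration failed (exit code $LASTEXITCODE)" }

# 3. Prove the key is valid and the app/group assignment works before Secret
#    Server depends on it. Use the same proxy the CNG client will use.
$rest = @{}
if ($ProxyUrl -and $ProxyUrl -ne 'none') { $rest.Proxy = $ProxyUrl }

$session = Invoke-RestMethod -Method Post -Uri "$base/sys/v1/session/auth" `
    -Headers @{ Authorization = "Basic $ApiKey" } @rest
if (-not $session.access_token) {
    throw 'DSM did not return an access token; check the API key and the app/group assignment.'
}
Write-Host "Authenticated to $($endpoint.Host) with the configured API key; token lifetime $($session.expires_in) s"

# Release the session so the verification leaves no live bearer token behind.
Invoke-RestMethod -Method Post -Uri "$base/sys/v1/session/terminate" `
    -Headers @{ Authorization = "Bearer $($session.access_token)" } @rest | Out-Null
```

Run the script from an elevated PowerShell prompt on each Secret Server node, for example `.\Configure-FortanixCng.ps1 -DsmUrl https://<fortanix_dsm_url> -ApiKey <key>`. Because the API key is passed as a parameter, clear the PowerShell history afterwards or supply the value from a secured location rather than typing it interactively; the key grants access to every key in the app's DSM group.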

5.0 Enable Fortanix HSM

Perform the following steps to enable Fortanix HSM:

  1. Log in to the Delinea Secret Server.

  2. From the left pane menu, select Administration → Actions → Configuration → HSM. The Configuration page appears on the screen with the HSM tab selected by default.

  3. Click Enable HSM and then click Next.

    Figure 9: Enable HSM Configuration

  4. Under the HSM Providers section:

    1. For Persistent Provider, select the Fortanix KMS CNG Provider option from the drop-down menu.

      Figure 10: Select Provider

    2. Select the required Key size in bits. For example, 2048.

  5. Click Next.
    The HSM provider is tested, and the results are displayed on the screen.

  6. Check the HSM Provider Test Results. For example:

    Figure 11: Test Results

  7. Click Next.
    A verification page appears on the screen.

  8. Click Save to update the HSM configuration.
    A confirmation page appears on the screen.

  9. Click Finish.

    Figure 12: Configured the Provider

    The Fortanix KMS CNG Provider is now enabled, and the Secret Server encryption key is protected by a key that the provider holds in Fortanix DSM. The configuration details appear on the Secret Server HSM tab. From this point Secret Server can only decrypt its data while it can reach Fortanix DSM and authenticate with the configured API key, so keep the app and group from Section 3 intact, keep the CNG client configuration in place on every Secret Server node, and do not revoke or rotate the API key without first updating the CNG client configuration.