Fortanix Data Security Manager with Cloudflare Integration

  • Updated on Mar 12, 2025
  • Published on Aug 9, 2024
  • 10 minute(s) read

1.0 Introduction

This article describes how to integrate Fortanix-Data-Security-Manager (DSM) with Cloudflare Keyless Security Socket Layer (SSL) to provide higher-level security for keys.

By leveraging Fortanix DSM's capabilities with Cloudflare, you can achieve enhanced key protection and maintain ownership.

Using Cloudflare Keyless SSL alongside Fortanix DSM integrates the operational advantages of a globally distributed content delivery network (CDN) with the security and compliance benefits offered by a dedicated Fortanix DSM hardware security module (HSM).

2.0 Prerequisites

Ensure the following before initiating the integration of Cloudflare with Fortanix DSM:

  • Access to a Fortanix DSM account. For more information, refer to Section 5.1: Signing Up and Section 5.2: Creating an Account.

  • The Cloudflare key server Virtual Machine (VM) has been provisioned. Refer to the key server requirements to understand the supported operating systems and platforms.

  • Access to the target Cloudflare sites:

    • Administrative access is required to configure the integration.

    • Zone with HTTPS/TLS settings: Ensure you have set up a zone in Cloudflare that requires encryption (HTTPS/TLS settings) to configure Fortanix DSM.

  • Network port 2407 is open between the Cloudflare sites and the Cloudflare key server VM.

  • Network port 443 is open between the Cloudflare key server VM and Fortanix DSM.

3.0 Product Version Tested

Fortanix has validated this integration with the following:

  • DSM version 4.24

  • Cloudflare gokeyless version 1.6.13

4.0 Architecture Diagram

Refer to the following architecture diagram for Fortanix DSM integration with Cloudflare using the Cloudflare Tunnel approach:

Cloudflare Integration_Architecture

Figure 1: Architecture Diagram

5.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

5.1 Signing Up

To get started with the Fortanix Data Security Manager (DSM) cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

5.2 Creating an Account

Access <Your_DSM_Service_URL> on the web browser and enter your credentials to log in to the Fortanix DSM.

Figure 2: Logging In

5.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

  1. Click the Groups menu item in the DSM left navigation bar and click + button on the Groups page to add a new group.

    Clouflare Integration_Add a group

    Figure 3: Add Groups

  2. On the Adding new group page, enter the following details:

    • Title: Enter a title for your group.

    • Description (optional)

  3. Click SAVE to create a new group.

The new group has been added to the Fortanix DSM successfully.

5.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

  1. Click the Apps menu item in the DSM left navigation bar and click + button on the Apps page to add a new app.

    Clouflare Integration_Add an App

    Figure 4: Add Application

  2. On the Adding new app page, enter the following details:

    • App name: Enter the name of your application.

    • Interface (optional): Select the REST option as interface type from the drop-down menu.

    • ADD DESCRIPTION (optional):

    • Authentication method: Select the default API Key as the method of authentication from the list. For more information on these authentication methods, refer to User's Guide: Authentication documentation.

    • Assigning the new app to groups: Select the group created in Section 5.3: Creating a Group from the list.

  3. Click SAVE to add the new application.

The new application has been added to the Fortanix DSM successfully.

5.5 Copying the API Key

Perform the following steps to copy the API key from the Fortanix DSM:

  1. Click the Apps menu item in the DSM left navigation bar and click the app created in Section 5.4: Creating an Application to go to the detailed view of the app.

  2. On the INFO tab, click the VIEW API KEY DETAILS button.

  3. From the API Key Details dialog box, copy the API Key of the app to use it later.

    Clouflare Integration_Copy API Key

    Figure 5: Copy API Key

6.0 Initial Setup for Cloudflare Key Server

The following are the initial steps to set up the Cloudflare key server.

For more information, refer to Cloudflare Public DNS Setup.

  1. Run the following command to generate a long and random Cloudflare key server hostname. For example, d63de826d549ebef337bad80. 

    openssl rand -hex 12

  2. Run the following command to create the configuration file needed to create a certificate signing request (CSR): 

    nano cloudflare.conf

    Refer to the example configuration file provided below: 

    [ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt = no
[ req_distinguished_name ]
countryName                = GB
stateOrProvinceName        = England
localityName               = London
organizationName           = Fortanix
commonName                 = d63de826d549ebef337bad80.test-cloudflare-fortanix.us
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1   = d63de826d549ebef337bad80.test-cloudflare-fortanix.us

  3. Run the following command to create a CSR: 

    sudo openssl req -out keyserver.csr -newkey rsa:2048 -nodes -keyout keyserver.key -config cloudflare.conf

    NOTE

    The generated CSR must be signed by a public or private certificate authority (CA).

  4. Run the following commands to create a directory for keyrings and add the Cloudflare GPG key:

    sudo mkdir -p --mode=0755 /usr/share/keyrings
curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null

  5. Run the following command to add the Cloudflare repository to your system:

    echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/gokeyless buster main' | sudo tee /etc/apt/sources.list.d/cloudflare.list

  6. Run the following commands to update the system and install GoKeyless:

    sudo apt-get update
sudo apt-get install gokeyless

  7. Run the following commands to set up your private key for use with GoKeyless:

    1. Set file permissions to 400 (read-only for the owner):

      sudo chmod 400 keyserver.key

    2. Copy the key to the appropriate directory:

      sudo cp keyserver.key /etc/keyless/keys/

    3. Change ownership of the key to the keyless user and group:

      sudo chown keyless:keyless /etc/keyless/keys/keyserver.key

    4. Verify the file ownership and permissions:

      sudo ls -l /etc/keyless/keys/

  8. Run the following commands to download and set up the Fortanix PKCS#11 module:

    1. Download the shared object file:

      wget https://download.fortanix.com/clients//fortanix_pkcs11_.so

    2. Copy the file to the /etc/keyless/ directory:

      sudo cp fortanix_pkcs11_.so /etc/keyless/

    3. Open the configuration file for editing:

      sudo nano /etc/keyless/p11.conf

  9. After the Cloudflare key server VM is set up, refer to the following example configuration file to authenticate with Fortanix DSM:

    api_endpoint = ""
# For example, https://eu.smartkey.io
api_key = "NjVhZDE…TGVDa1"
ca_certs_file = "/etc/keyless/dsmca.pem"
[log]
file = "/etc/keyless/p11.log"
level = "trace"

    NOTE

    If the Fortanix DSM cluster is signed by a private CA, you must obtain the CA certificate. The root CA certificate can be acquired through a web browser.

    After obtaining the certificate, use the following command to copy the certificate to the Fortanix DSM keyless directory:

    sudo mv dsmca.pem /etc/keyless/

  10. Run the following command to install the PKCS#11 tool for testing connectivity:

    sudo apt install opensc -y

  11. Run the following commands to verify connectivity and list objects in Fortanix DSM:

    1. Check token slots:

      sudo pkcs11-tool --module /etc/keyless/fortanix_pkcs11_.so --pin file:///etc/keyless/p11.conf --list-token-slots

    2. Log in and list objects:

      sudo pkcs11-tool --module /etc/keyless/fortanix_pkcs11_.so --pin file:///etc/keyless/p11.conf --login --list-objects

7.0 Import the Cloudflare Private Key to Fortanix DSM

Perform the following steps to import the Cloudflare site private key to Fortanix DSM:

  1. Click the Security Objects menu item in the DSM left navigation bar and click the button on the Security Objects page to add a security object.

    Figure 5: Add Security Object

  2. On the Add New Security Object page, enter the following details:

    • Security Object name: Enter the name of your security object. For example, keyserverkey.

    • Group: Select the group as created in Section 5.3: Creating a Group.

    • Select the IMPORT radio button.

    • Choose a type: Select the RSA key type.

    • Key Size: Indicates the size of the key in bits.

    • Key operations permitted: Select the required operations to define the actions that can be performed with the cryptographic keys, such as encryption, decryption, signing, and verifying.

    • In the Place value here or import from file section, select the value format type as Base64 and click the UPLOAD A FILE button to upload the key file. For example, the value of /etc/keyless/keyserver.key, configured in Step 7 of Section 6.0: Initial Setup for Cloudflare Key Server.

    • Add the required attributes if required using ADD ATTRIBUTES.

    • Enter the key Deactivation Date and key Activation Date.

  3. Click the IMPORT button to create the new security object.

The new security object is added to the Fortanix DSM successfully.

8.0 Configure Networking and Domain Name System (DNS)

When configuring networking and DNS between Cloudflare and Fortanix DSM,

  1. Ensure that Cloudflare has access to the deployed Cloudflare key server on port 2407. Also, ensure that port 443 is open between the Cloudflare key server and Fortanix DSM cluster URL.

  2. Create a DNS A record for the Cloudflare key server fully qualified domain name (FQDN). This DNS A record facilitates the mapping of a domain name to the specific IP address of the Cloudflare key server VM.

    FQDN example: "d63de826d549ebef337bad80.test-cloudflare-fortanix.us"

    If Cloudflare is your DNS provider, refer to the following steps to create a DNS A record:

    • Navigate to the Cloudflare dashboard and log in with your credentials.

    • From the dashboard, select the domain for which you want to add the DNS A record.

    • Click the DNS icon at the top of the dashboard to access the DNS settings for your domain.

    • In the DNS management section, locate the A record section.

    • Enter the following details for your A record:

      • Name: This is the hostname or subdomain for your Cloudflare key server. For example, keyserver.

      • IPv4 address: Enter the public IP address of your Cloudflare key server.  This is the IP address that Cloudflare will resolve when you query the FQDN.

    • After entering the details, click Save or +Add record to create the DNS A record.

    Cloudflare Integration_DNS Connection

    Figure 7: Setup DNS A Record

9.0 Test and Finalize the Cloudflare Configuration

Perform the following steps to test and finalize the Cloudflare configuration:

  1. Log in to the Cloudflare dashboard and select your account and zone.

  2. Navigate to SSL/TLS → Edge Certificates.

  3. Select Upload Keyless SSL Certificate and configure the following details:

    1. Key server label: Any unique identifier for your key server.

    2. Key server hostname: The hostname of your key server that holds the key for this certificate. For example, d63de826d549ebef337bad80.test-cloudflare-fortanix.us

    3. Key server port: 2407

    4. SSL Certificate: The valid X509v3 SSL certificate in PEM form for which you hold the private key. For example, the keyserver.csr configured in Step 3 of Section 6.0: Initial Setup for Cloudflare Key Server.

    5. Bundle method: Set the value as User Defined when using a private CA. For more details, refer to Cloudflare Bundle Methodologies.

  4. Click Upload Keyless SSL Certificate.

    Cloudflare Integration_Configure Cloudflare

    Figure 8: Configure Cloudflare

  5. Modify the uploaded gokeyless.yaml configuration file and provide your environment parameters.

    1. Run the following command to add your Cloudflare account details to the configuration file located at /etc/keyless/gokeyless.yaml: 

      sudo nano /etc/keyless/gokeyless.yaml

      The output is as follows:

      # Set the log level (0 = DEBUG, 5 = FATAL).
loglevel: 1
# Hostname must match the key server hostname that was configured in the Cloudflare dashboard during custom certificate upload.
hostname: <your host name>

# Zone ID can be found on the Cloudflare dashboard 'Overview' tab.
zone_id: <your zone ID>

# Origin CA API Key can be found on the Cloudflare dashboard under the 'My Profile' section.
origin_ca_api_key: <your origin CA API key>

# Configure one or more private key directories.
private_key_stores:
- uri: pkcs11:token=Fortanix%20Token;object=keyserverkey?module-path=/etc/keyless/ fortanix_pkcs11_<your DSM version>.so&pin-value=file:///etc/keyless/p11.conf&max-sessions=1
#- dir: /etc/keyless/keys

# Optionally, customize the location of the certificates used for mutual authentication with Cloudflare keyless clients.
auth_cert: /etc/keyless/server.pem
auth_key: /etc/keyless/server-key.pem
auth_csr: /etc/keyless/server.csr
cloudflare_ca_cert: /etc/keyless/keyless_cacert.pem

# Optionally customize the listen ports.
port: 2407
metrics_port: 2406

# Optionally write the PID to a file (note that sysv-based systems will ignore this value and always use /var/run/gokeyless.pid).
pid_file:

    2. Run the following commands to modify the configuration file details: 

      cd /etc/keyless
sudo chown keyless fortanix_pkcs11_<your DSM version>.so
sudo chown keyless p11.conf
sudo chown keyless p11.log
sudo chown keyless dsmca.pem
sudo chgrp keyless fortanix_pkcs11_<your DSM version>.so
sudo chgrp keyless p11.conf 
sudo chgrp keyless p11.log
sudo chgrp keyless dsmca.pem

    3. Run the command ls -l and verify the following output: 

      total 14976
-rw-rw-r-- 1 keyless keyless     1099 Jan 23 17:32 dsmca.pem
-rw-rw-r-- 1 keyless keyless 15205984 Nov 10 12:58 fortanix_pkcs11_<your DSM version>.so
-rw------- 1 keyless keyless     1395 Jan 23 19:36 gokeyless.yaml
-rw-r--r-- 1 keyless keyless     1452 May 18 2023 keyless_cacert.pem
drwx------ 2 keyless keyless     4096 Jan 23 15:26 keys
-rw-r--r-- 1 keyless keyless      317 Jan 23 19:39 p11.conf
-rw-r--r-- 1 keyless keyless    87474 Jan 23 19:37 p11.log
-rw------- 1 keyless keyless      595 Jan 23 19:34 server.csr
-rw------- 1 keyless keyless      288 Jan 23 19:34 server-key.pem
-rw-r--r-- 1 keyless keyless     1395 Jan 23 19:34 server.pem

    4. Run the following command to restart the gokeyless service: 

      sudo service gokeyless restart

    5. Run the following command to check the status of the gokeyless service: 

      sudo service gokeyless status

  6. From the Fortanix DSM user interface (UI), verify the audit log for signing operations using the stored private key(s).

    Cloudflare Integration_Audit log

    Figure 9: Verify Security Object Activity Logs