1.0 Introduction
This article describes how to integrate Fortanix-Data-Security-Manager (DSM) with Imperva Cloud Web Application Firewall (WAF) (formerly Incapsula) services.
2.0 Configure Fortanix DSM
A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:
2.1 Signing Up
To get started with the Fortanix Data Security Manager (DSM) cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.
For detailed steps on how to sign up for Fortanix DSM SaaS, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS.
2.2 Creating an Account
Access the <Your_DSM_Service_URL> on the web browser and enter your credentials to log in to the Fortanix DSM.
Figure 1: Logging In
2.3 Creating a Group
Perform the following steps to create a group in the Fortanix DSM:
Click the Groups menu item in the DSM left navigation panel and click the + button on the Groups page to add a new group.
Figure 2: Add Groups
On the Adding new group page, enter the following details:
Title: Enter a title for your group.
Description (optional): Enter a short description for the group.
Click the SAVE button to create the new group.
The new group has been added to the Fortanix DSM successfully.
2.4 Creating an Application
Perform the following steps to create an application (app) in the Fortanix DSM:
Click the Apps menu item in the DSM left navigation panel and click the + button on the Apps page to add a new app.
Figure 3: Add Application
On the Adding new app page, enter the following details:
App name: Enter the name of your application.
Interface (optional): Keep the default value.
ADD DESCRIPTION (optional): Enter a short description for the application.
Authentication method: Select the default API Key as the method of authentication from the drop down menu. For more information on these authentication methods, refer to User's Guide: Authentication documentation.
Assigning the new app to groups: Select the group created in Section 2.3: Creating a Group from the list.
Click the SAVE button to add the new application.
The new application has been added to the Fortanix DSM successfully.
2.5 Creating a Security Object
Perform the following steps to generate an RSA key in the Fortanix DSM:
Click the Security Objects menu item in the DSM left navigation panel and click the + button on the Security Objects page to add a security object.
Figure 4: Add Security Object
On the Add New Security Object page, enter the following details:
Security Object name: Enter the name of your security object.
Group: Select the group as created in Section 2.3: Creating a Group.
Select the IMPORT radio button.
Choose a type: Select the RSA key type.
In the Place value here or import from file section, select the value format type as Hex, Base64, or Raw and click the UPLOAD A FILE button to upload the key file.
Key operations permitted: Select the required operations to define the actions that can be performed with the cryptographic keys, such as encryption, decryption, signing, and verifying. For the Cloud WAF integration, Imperva recommends only selecting Encrypt and Decrypt permissions to limit functions specifically to what is needed by Imperva.
NOTE
Key operations are selected at the time of importing a security object or during the creation of a new security object from Fortanix DSM. The key operations can be removed after the security object has been created but permissions cannot be added after security object creation.
Add the required attributes if required using ADD ATTRIBUTES.
Enter the key Deactivation Date and key Activation Date.
Click the IMPORT button to create the new security object.
You must modify the Padding Policy to include Raw (Decryption only). Click the SAVE button.
Figure 5: Padding Policy
The new security object is added to the Fortanix DSM successfully.
3.0 Details of Fortanix DSM Used in Imperva
Provide Imperva with the following from Fortanix DSM.
3.1 Identify the Data Security Manager Region(s)
At Imperva, Fortanix regions are called hostnames.
The hostname is the address that appears in the “COPY URI” link (in the security object detailed view, COPY UUID drop down menu), starting with the subdomain API.
The available hostnames (regions) on Fortanix: api.amer.smartkey.io, api.eu.smartkey.io, api.uk.smartkey.io, api.apac.smartkey.io, api.au.smartkey.io .
Figure 6: Copy URI
3.2 Copying the API Key
Perform the following steps to copy the API key from the Fortanix DSM:
Click the Apps menu item in the DSM left navigation panel and click the app created in Section 2.4: Creating an Application to go to the detailed view of the app.
On the INFO tab, click the VIEW API KEY DETAILS button.
From the API Key Details dialog box, copy the API Key of the app to be used later.
(2).png?sv=2022-11-02&spr=https&st=2025-05-05T10%3A10%3A05Z&se=2025-05-05T10%3A26%3A05Z&sr=c&sp=r&sig=DUeabURbG897Pg1g78ob7IjZjYjzseaNak6LteTB8C0%3D)
Figure 7: Copy API Key
3.3 Copying an App UUID
Perform the following steps to copy the app UUID from the Fortanix DSM:
Click the Apps menu item in the DSM left navigation panel and click the app created in the Section 2.4: Creating an Application to go to the detailed view of the app.
From the top of the app’s page, copy the app UUID to be used to generate the certificate.
Figure 8: Copy UUID
NOTE
Rotate Key is not supported today for Imperva Cloud WAF integration.
3.4 Summary
Together with the custom certificate, you will need to provide the following information from Fortanix DSM user interface (UI) as explained above.
host_name (Region) | key_id (Key UUID) | api_key | Object Name |
|---|---|---|---|
api.amer.smartkey.io | UUID1 | API1 | mycompany.com web certificate.US |
api.au.smartkey.io | UUID2 | API2 | mycompany.com web certificate.AUS |
Use the following APIs to provision your HSM certificate on Imperva:
Action: Upload Certificate
URL: https://my.impervaservices.com/api/v2/sites/{extSiteId}/hsmCertificate/upload
HTTP Method: PUT
Headers:
api_key: <your Imperva API key>api_id: <your Imperva API ID>
Parameters:
Path Parameter:
extSiteId: This is a path parameter representing the external site ID for the Imperva site.Query Parameters:
certificate: This is a query parameter and represents a certificate string, encoded in base64 format. For example:LS0tLS1CRUdJTiBDRVJUSUZJQ0...Body: your Fortanix connection details. The schema should look like the following:
{"hsm_data":[ { "key_id":"123abcde-1234-1234-abcd-123456789abc", "api_key":"MTAyYThmMz...", "host_name":"api.amer.smartkey.io" }] }Remarks:
key_id: Your security object UUID on Fortanix.api_key: Your API key on Fortanix.host_name: The address of your assets on Fortanix. NOTE - it should start with API. You can find your host address under your security object section, by clicking the COPY URI button.
Response:
If the certificate was uploaded successfully (and replaced the previous HSM custom certificate on the site, you should get the following response:
Status Code: 200 Response Message: succeed to save the certificate.The certificate is validated and connection to Fortanix service is done before the certificate is uploaded.
Action: Remove Certificate
URL: https://my.impervaservices.com/api/v2/sites/{extSiteId}/hsmCertificate/remove
HTTP Method: DELETE
Headers:
api_key:<your Imperva API keys>api_id: <your Imperva API ID>
Parameters:
Path Parameter: extSiteId- your Imperva Site ID.
Response:
If the certificate was removed successfully, you should get the following response:
Status Code: 200 Response Message: OK.Action: Test Connectivity
URL: https://my.impervaservices.com/api/v2/sites/{extSiteId}/hsmCertificate/testConnectivity
HTTP Method: GET
Headers:
api_key: <your Imperva API key>api_id: <your Imperva API ID>
Parameters:
Path Parameter: extSiteId- your Imperva Site ID.
Response:
If connection with HSM performed successfully, you should get the following response:
Status Code: 200 Response Message: HSM connection established successfully.
4.0 References
Refer to Imperva’s documentation on Uploading a Custom Certificate with HSM support.