1.0 Introduction
This article describes how to integrate Fortanix Data Security Manager (DSM) with DataStax Cassandra for Transparent Data Encryption (TDE). It contains the information a user requires for:
Facilitating the communication and authentication between Fortanix DSM and Cassandra using KMIP and Certificates.
Setting up Fortanix DSM.
Creating client certificates.
Configuring DataStax node for Apache Cassandra.
2.0 KMIP and Certificate Requirements
The Key Management Interoperability Protocol (KMIP) is used to facilitate communication between the Cassandra cluster and Fortanix DSM. KMIP uses Transport Layer Security (TLS) to provide a secure connection, and Fortanix DSM also uses the TLS client certificate to authenticate a KMIP client before it can create, retrieve, and use the keys stored inside Fortanix DSM.
X.509 certificates are used to facilitate communication and authentication for both the Fortanix DSM and the Cassandra Cluster. Fortanix DSM is deployed with a server certificate that is signed by the internal Certificate Authority (CA). You will need to create a client certificate for the Cassandra cluster using tools such as OpenSSL. The certificate may be signed externally or can be self-signed.
3.0 Prerequisites
Ensure the following:
Fortanix DSM version 4.4 or later installed and operational.
Fortanix DSM is accessible by the Cassandra cluster on port 5696 (the default) or a custom KMIP port.
Users should have access to OpenSSL or some other tool for generating a client certificate and private key in the Privacy Enhanced Mail (PEM) format.
Enable the Java Cryptography Extension (JCE) on DataStax Enterprise.
4.0 Configure Fortanix DSM
Fortanix DSM allows KMIP clients to authenticate with a certificate through applications (apps). For the Cassandra cluster to connect to and authenticate with Fortanix DSM, you must also extract the Fortanix DSM internal CA certificate for the cluster's truststore.
A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:
4.1 Signing Up
To get started with the Fortanix Data Security Manager (DSM) cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.
For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.
4.2 Creating an Account
Access the <Your_DSM_Service_URL> on the web browser and enter your credentials to log in to the Fortanix DSM.

Figure 1: Logging In
4.3 Creating a Group
Perform the following steps to create a group in the Fortanix DSM:
Click the Groups menu item in the DSM left navigation panel and click the + button on the Groups page to add a new group.
Figure 2: Add Groups
On the Adding new group page, enter the following details:
Title: Enter a title for your group.
Description (optional): Enter a short description for the group.
Click the SAVE button to create the new group.
The new group has been added to the Fortanix DSM successfully.
4.4 Creating an Application
Perform the following steps to create an application (app) in the Fortanix DSM:
Click the Apps menu item in the DSM left navigation panel and click the + button on the Apps page to add a new app.
Figure 3: Add Application
On the Adding new app page, enter the following details:
App name: Enter the name of your application.
ADD DESCRIPTION (optional): Enter a short description for the application.
Authentication method: Select the default API Key as the method of authentication from the drop-down menu. For more information on these authentication methods, refer to the User's Guide: Authentication documentation.
Assigning the new app to groups: Select the group created in Section 4.3: Creating a Group from the list. Keys created by the Cassandra cluster will be owned by this group.
Click the SAVE button to add the new application.
The new application has been added to the Fortanix DSM successfully.
4.5 Copying the App UUID
Perform the following steps to copy the app UUID from the Fortanix DSM:
Click the Apps menu item in the DSM left navigation panel and click the app created in the Section 4.4: Creating an Application to go to the detailed view of the app.
From the top of the app’s page, copy the app UUID to be used in Section 4.6: Generating the Certificate as the value of Common Name (CN) to generate a self-signed certificate and a private key.

Figure 4: Copy App UUID
4.6 Generating the Certificate
Perform the following steps to generate a client certificate using the app UUID as the Common Name (CN):
Run the following command to create a working directory named dsm for the certificate files (run the remaining commands from inside it):
mkdir dsm
Run the following command to generate an RSA private key and a self-signed client certificate for authenticating with Fortanix DSM:
openssl req -newkey rsa:2048 -nodes -keyout client-key.pem -x509 -days 365 -out client-cert.pem
When prompted for Common Name, enter the app UUID you noted earlier.
This will generate the following two files:
client-cert.pem
client-key.pem
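The openssl command above prompts for the subject interactively, and a mistyped CN produces a certificate that does not correspond to the app. The following script is an added example, not part of the Fortanix documentation: it performs the same generation non-interactively with the app UUID supplied through an assumed DSM_APP_UUID environment variable, then verifies that the certificate's CN equals the UUID and that the certificate and private key belong together before anything is uploaded in Section 4.8.

```sh
#!/bin/sh
# Added example (not part of the original guide): generate the Fortanix DSM
# client certificate non-interactively with the app UUID as the CN, then
# verify the result before it is uploaded to the app.
# Assumptions: openssl is on PATH; the UUID is passed in DSM_APP_UUID;
# files are written to ./dsm unless DSM_OUT_DIR says otherwise.
set -e

# Generate an RSA-2048 private key and a self-signed X.509 certificate whose
# Common Name is the app UUID. Same as the guide's interactive command, with
# -subj supplying the CN so nothing is typed at a prompt.
gen_client_cert() {
    uuid=$1
    dir=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$uuid" \
        -keyout "$dir/client-key.pem" \
        -out "$dir/client-cert.pem" 2>/dev/null
    # The private key authenticates this node to DSM: owner-readable only.
    chmod 600 "$dir/client-key.pem"
}

# Print the CN of a PEM certificate (subject printed in RFC 2253 form,
# e.g. "subject=CN=<uuid>", with the prefixes stripped).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -e 's/^subject= *//' -e 's/^CN=//'
}

# Return 0 when the certificate's public key matches the private key,
# by comparing SHA-256 digests of the DER-encoded public keys.
keypair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ]
}

main() {
    uuid=$1
    dir=$2
    gen_client_cert "$uuid" "$dir"
    got=$(cert_cn "$dir/client-cert.pem")
    if [ "$got" != "$uuid" ]; then
        echo "CN mismatch: certificate has '$got', expected '$uuid'" >&2
        return 1
    fi
    if ! keypair_matches "$dir/client-cert.pem" "$dir/client-key.pem"; then
        echo "client-cert.pem and client-key.pem do not belong together" >&2
        return 1
    fi
    echo "OK: $dir/client-cert.pem has CN=$uuid and matches $dir/client-key.pem"
}

# Usage: DSM_APP_UUID=<app UUID from Section 4.5> sh make_client_cert.sh
if [ -n "${DSM_APP_UUID:-}" ]; then
    main "$DSM_APP_UUID" "${DSM_OUT_DIR:-dsm}"
fi
```

The CN check is what matters for Section 4.8: the uploaded certificate is matched to the app by that value, so it is worth confirming from the file rather than from memory of what was typed.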
4.7 Updating Client Configuration
Perform the following steps to modify the client configuration in the Fortanix DSM UI:
For the KMIP app created in Section 4.4: Creating an Application, do the following:
Click Settings → CLIENT CONFIGURATION → KMIP.
Select Allow secrets with unknown operations.
Click SAVE.
Figure 5: Update client configuration
4.8 Updating the Authentication Method
Perform the following steps to change the authentication method:
Go to the detailed view of the app created in Section 4.4: Creating an Application, click the Change the authentication method button, and select the Certificate option to change the authentication method to Certificate.
Click the SAVE button.
On the Add certificate dialog box, click the UPLOAD NEW CERTIFICATE button to upload the certificate file or paste the content of the certificate generated in Section 4.6: Generating the Certificate.
Select both check boxes to confirm that you understand the action.
Click the UPDATE button to save the changes.
5.0 Configuration on DataStax Node
5.1 Creating the DSM.P12
Generate a PKCS12 format file from the PEM files created in Section 4.6: Generating the Certificate.
openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem -name "my-dsm-app" -out client-dsm.p12
Create a Java KeyStore (JKS) keystore.
keytool -importkeystore -destkeystore kmip_keystore.jks -srcstoretype PKCS12 -srckeystore client-dsm.p12
Where,
kmip_keystore.jks is the keystore file name that is created.
client-dsm.p12 is the PKCS12 file generated in Step 1 above.
NOTE
Enter a password for the keystore at the prompt and fill out the host information.
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12, which is an industry-standard format, using the following command:
keytool -importkeystore -srckeystore kmip_keystore.jks -destkeystore kmip_keystore.jks -deststoretype pkcs12
Install the Fortanix DSM (KMIP) CA certificate into a JKS truststore using the following command:
keytool -import -alias kmipCA -file kmipCA -keystore kmip_truststore.jks
Where,
kmipCA is the file containing the Fortanix DSM certificate chain.
NOTE
Enter a password for the truststore at the prompt, fill out the host information, and type yes when prompted for confirmation.
Move the keystore and truststore to a directory accessible by DataStax Enterprise (DSE) and change the file permissions to allow the DSE account read or write access.
For example:
Move the file kmip_keystore.jks to /etc/dse/dsm/.
Move the file kmip_truststore.jks to /etc/dse/dsm/.
Delete or secure the files used to create the keystore and truststore.
Add the host details to the kmip_hosts section of the dse.yaml file. For example:
kmip_hosts:
  fortanix:
    hosts: <fortanix_dsm_url>:5696
    keystore_path: /etc/dse/dsm/kmip_keystore.jks
    keystore_type: jks
    keystore_password: redhat
    truststore_path: /etc/dse/dsm/kmip_truststore.jks
    truststore_type: jks
    truststore_password: redhat
    key_cache_update_millis: 300000
Where,
fortanix: The kmip_group_name, a user-defined group name that identifies the KMIP host in DSE-related commands.
hosts: A comma-separated list of fully qualified domain names (FQDN) of KMIP hosts. DSE tries the hosts in the order listed.
keystore_path: The location of the keystore created.
keystore_type: The jks keystore format. Must be set to jks.
keystore_password: The password of the keystore file created.
truststore_path: The location of the truststore file created.
truststore_type: The jks truststore format. Must be set to jks.
truststore_password: The password of the truststore file created.
Make the cassandra user the owner of the dsm directory using the following command:
chown -R cassandra:cassandra dsm
Verify that the DataStax node can connect to the KMIP host by listing encryption keys on the remote KMIP server.
NOTE
dsetool picks up changes to the dse.yaml file without requiring a restart.
5.2 Testing the Connection
To test the connection, create a key in Fortanix DSM (for example, Testkey, of type AES and size 256 bits), and then run the following command:
NOTE
The key must have Export permission.
dsetool managekmip list fortanix
Check the DataStax application audit logs in Fortanix DSM.
Figure 6: Audit log
Delete or keep the key (Testkey) created in the above step for testing.
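When dsetool managekmip list fails, the cause is usually in one of two layers below DSE: store files the cassandra account cannot read (or that other accounts can), or a TLS handshake the DSM KMIP port rejects. The following pre-flight script is an added example, not part of this guide or of the DataStax or Fortanix tooling. It assumes openssl on the node, the /etc/dse/dsm layout from Section 5.1, and PEM copies of the client certificate, key and kmipCA file from Sections 4.6 and 5.1 (the default paths and the DSM_* environment variable names are assumptions). It checks the stores for owner cassandra and mode 600, which is stricter than the read-or-write access the guide asks for, and then performs a TLS handshake with the client certificate and the DSM CA, the same material DSE will present.

```sh
#!/bin/sh
# Added pre-flight check (not from the original guide). Verifies store file
# permissions and performs a TLS handshake against the DSM KMIP port with the
# client certificate, so that a failing "dsetool managekmip list" can be
# attributed to the right layer. Assumptions: openssl on PATH, the
# /etc/dse/dsm layout from Section 5.1, and PEM copies of the client
# certificate, key and DSM CA (paths are assumptions; override via env).
set -e

STORE_DIR=${DSM_STORE_DIR:-/etc/dse/dsm}
CA_FILE=${DSM_CA_FILE:-dsm/kmipCA}
CERT_FILE=${DSM_CERT_FILE:-dsm/client-cert.pem}
KEY_FILE=${DSM_KEY_FILE:-dsm/client-key.pem}

# Return 0 if the file exists, is owned by the given numeric uid, and is not
# readable by group or others. Uses "ls -ln" so it behaves the same on GNU
# and BSD userland (no stat(1) format differences).
store_is_private() {
    f=$1
    uid=$2
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    line=$(ls -ln "$f")
    mode=$(printf '%s\n' "$line" | cut -c5-10)   # group+other permission bits
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    [ "$mode" = "------" ] && [ "$owner" = "$uid" ]
}

# List entry aliases in a JKS/PKCS12 store (needs keytool on PATH); useful to
# confirm the keystore holds a PrivateKeyEntry and the truststore the DSM CA.
store_aliases() {
    keytool -list -keystore "$1" -storepass "$2" 2>/dev/null \
        | grep -E 'PrivateKeyEntry|trustedCertEntry' | cut -d, -f1
}

# TLS handshake with the KMIP port using the client certificate and the DSM CA.
# Exit codes: 0 handshake ok and server chain verified against the CA,
# 1 handshake or verification failed, 2 a required file is unreadable.
kmip_tls_check() {
    host=$1; port=$2; ca=$3; cert=$4; key=$5
    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    done
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
              -CAfile "$ca" -cert "$cert" -key "$key" </dev/null 2>&1) || true
    if printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'; then
        return 0
    fi
    printf '%s\n' "$out" | grep -E 'Verify return code|error|alert' >&2 || true
    return 1
}

main() {
    host=$1; port=$2
    cassandra_uid=$(id -u cassandra)
    for s in kmip_keystore.jks kmip_truststore.jks; do
        if store_is_private "$STORE_DIR/$s" "$cassandra_uid"; then
            echo "ok: $STORE_DIR/$s is owned by cassandra and mode 600"
        else
            echo "WARN: $STORE_DIR/$s should be owned by cassandra with mode 600" >&2
        fi
    done
    rc=0
    kmip_tls_check "$host" "$port" "$CA_FILE" "$CERT_FILE" "$KEY_FILE" || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "ok: TLS handshake with $host:$port succeeded, server chain verified"
    else
        echo "FAIL (rc=$rc): TLS handshake with $host:$port; check kmipCA/truststore and the client certificate" >&2
        return 1
    fi
}

# Usage: DSM_KMIP_HOST=<fortanix_dsm_url> [DSM_KMIP_PORT=5696] sh kmip_preflight.sh
if [ -n "${DSM_KMIP_HOST:-}" ]; then
    main "$DSM_KMIP_HOST" "${DSM_KMIP_PORT:-5696}"
fi
```

A handshake that succeeds here but a dsetool listing that still fails points at dse.yaml (group name, store paths or passwords) rather than at the certificates; a failure here with "Verify return code" other than 0 means the kmipCA file does not chain to the certificate DSM presents.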
6.0 Encrypt the Table
6.1 Creating a New Encrypted Table
The following example creates a new encrypted table using a key from a KMIP server.
CREATE TABLE table1 (
  emp_id int PRIMARY KEY,
  emp_name text,
  emp_city text,
  emp_sal varint,
  emp_phone varint
)
WITH COMPRESSION = {
  'class': 'Encryptor',
  'key_provider': 'KmipKeyProviderFactory',
  'kmip_host': 'fortanix',
  'cipher_algorithm': 'AES',
  'secret_key_strength': 128
};

Figure 7: KMIP key
In Figure 7, the first column (ID) matches the UUID of the key in Fortanix DSM.
6.2 Encrypting an Existing Table
The following example creates an unencrypted table and inserts data into it.
Example:
CREATE TABLE unencrypted (
  emp_id int PRIMARY KEY,
  emp_name text,
  emp_city text,
  emp_sal varint,
  emp_phone varint
);
INSERT INTO unencrypted (emp_id, emp_name, emp_city, emp_phone, emp_sal) VALUES (1, 'Dan', 'Eindhoven', 12345678, 50000);
SELECT * FROM unencrypted;
To encrypt the existing table without compression, run the following query:
ALTER TABLE unencrypted
WITH COMPRESSION =
{ 'class': 'Encryptor',
'key_provider': 'KmipKeyProviderFactory',
'kmip_host': 'fortanix',
'cipher_algorithm': 'AES',
'secret_key_strength': 192};

Figure 8: KMIP key
6.3 Encrypted Table Properties
The following example shows how to describe a keyspace to find out the properties of an encrypted table.
DESC KEYSPACE tutorialspoint;
CREATE TABLE tutorialspoint.table1 (
emp_id int PRIMARY KEY,
emp_city text,
emp_name text,
emp_phone varint,
emp_sal varint
) WITH additional_write_policy = '99PERCENTILE'
AND bloom_filter_fp_chance = 0.01
AND caching = {'keys': 'ALL', 'rows_per_partition': 'NONE'}
AND comment = ''
AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'}
AND compression = {'chunk_length_in_kb': '64', 'cipher_algorithm': 'AES', 'class': 'org.apache.cassandra.io.compress.Encryptor', 'key_provider': 'KmipKeyProviderFactory', 'kmip_host': 'fortanix', 'secret_key_strength': '128'}
AND crc_check_chance = 1.0
AND default_time_to_live = 0
AND gc_grace_seconds = 864000
AND max_index_interval = 2048
AND memtable_flush_period_in_ms = 0
AND min_index_interval = 128
AND nodesync = {'enabled': 'true', 'incremental': 'true'}
AND read_repair = 'BLOCKING'
AND speculative_retry = '99PERCENTILE';
To check whether a specific table is encrypted, run the following command and confirm that its compression map lists the Encryptor class:
cqlsh:tutorialspoint> DESCRIBE TABLE tutorialspoint.table1;
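Reading the encryption state out of a long compression map by eye is error-prone when many tables have to be audited. The script below is an added example, not part of this guide: it takes saved DESCRIBE output, extracts one property at a time from the compression = {...} map, and reports whether the class is Encryptor and which KMIP host, cipher and key strength the table uses. The constructed samples follow the shape of the DESCRIBE output above (one encrypted, one LZ4-compressed only); the file names and the cqlsh -e invocation in the comment are assumptions.

```sh
#!/bin/sh
# Added example (not from the original guide): confirm from cqlsh DESCRIBE
# output that a table uses the KMIP-backed Encryptor. Assumption: the output
# was saved to a file, e.g.
#   cqlsh -e "DESCRIBE TABLE tutorialspoint.table1" > table1.cql
set -e

# Print the value of one property from the compression = {...} map.
# Only the compression line is examined, so 'class' from compaction is ignored.
compression_prop() {
    file=$1; prop=$2
    grep -i "compression *= *{" "$file" \
        | sed -n "s/.*'$prop': *'\([^']*\)'.*/\1/p" | head -n 1
}

# Return 0 if the table's compression class is the (KMIP) Encryptor,
# whether written as the short name or the fully qualified class.
table_is_encrypted() {
    case "$(compression_prop "$1" class)" in
        Encryptor|*.Encryptor) return 0 ;;
        *) return 1 ;;
    esac
}

# One-line report: provider, KMIP host, cipher and key strength, or the
# non-encrypting class when the table is not encrypted.
report() {
    file=$1
    if table_is_encrypted "$file"; then
        printf 'ENCRYPTED provider=%s kmip_host=%s cipher=%s key_bits=%s\n' \
            "$(compression_prop "$file" key_provider)" \
            "$(compression_prop "$file" kmip_host)" \
            "$(compression_prop "$file" cipher_algorithm)" \
            "$(compression_prop "$file" secret_key_strength)"
    else
        printf 'NOT ENCRYPTED class=%s\n' "$(compression_prop "$file" class)"
    fi
}

# Constructed sample inputs in the shape of DESCRIBE TABLE output:
# an Encryptor table and a default LZ4-compressed table.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/enc.cql" <<'EOF'
CREATE TABLE tutorialspoint.table1 (
    emp_id int PRIMARY KEY,
    emp_name text
) WITH compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy'}
    AND compression = {'chunk_length_in_kb': '64', 'cipher_algorithm': 'AES', 'class': 'org.apache.cassandra.io.compress.Encryptor', 'key_provider': 'KmipKeyProviderFactory', 'kmip_host': 'fortanix', 'secret_key_strength': '128'}
    AND crc_check_chance = 1.0;
EOF
    cat > "$tmp/plain.cql" <<'EOF'
CREATE TABLE tutorialspoint.unencrypted (
    emp_id int PRIMARY KEY
) WITH compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'};
EOF
    report "$tmp/enc.cql"
    report "$tmp/plain.cql"
    rm -rf "$tmp"
}

# Usage: sh check_encryption.sh demo        (runs the constructed samples)
#        sh check_encryption.sh table1.cql  (checks saved DESCRIBE output)
case "${1:-}" in
    '') ;;
    demo) demo ;;
    *) report "$1" ;;
esac
```

Running the check over a DESCRIBE KEYSPACE dump, one CREATE TABLE block per file, gives a quick inventory of which tables are protected by a DSM key and which still use plain compression.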