Using Fortanix Data Security Manager for Hewlett Packard Enterprise (HPE) Alletra 9000

1.0 Introduction

This article describes the steps for integrating Fortanix Data Security Manager (DSM) with HPE Alletra 9000 through KMIP server configuration.

The Hewlett Packard Enterprise (HPE) Alletra 9000 is a comprehensive edge-to-core solution crafted to provide a cloud-like experience wherever your data resides. Specifically tailored for mission-critical tasks, the HPE Alletra 9000 ensures exceptionally low latency, robust reliability, and optimal performance density within a 4U enclosure. This solution empowers IT by transitioning from owning and managing data infrastructure to effortlessly accessing and utilizing it on-demand, following a flexible as-a-service model. Utilizing a unique, highly parallel, multi-node, and all-active platform, the HPE Alletra 9000 seamlessly consolidates traditional and next-gen mission-critical applications at scale, promising consistent performance and ultra-low latency, all backed by a 100% availability guarantee.

This article includes the details necessary for users to:

  • Add an application in Fortanix DSM.

  • Establish an SSL/TLS configuration in HPE Alletra 9000 using the HPE CLI.

  • Set up a KMIP server and generate a key.

1.1 Why Use Fortanix DSM with HPE Alletra 9000

In today's cybersecurity landscape, where threats persist, there is a growing need for heightened security measures in both individual and corporate contexts. Enterprises must take proactive steps to fortify their perimeters, data center infrastructure, and hosted software applications, aligning with industry standards, security best practices, and their own security policies.

To ensure the security of customer data at rest, HPE 3PAR employs FIPS-certified self-encrypted drives (SEDs) and FIPS-certified KeyStore technologies, creating a secure environment within the data center. The protection of data at rest on HPE 3PAR and HPE Primera storage arrays involves two crucial components that play a pivotal role in preventing unauthorized access to secured data on the disks. Through the collaborative efforts of HPE 3PAR and HPE Primera storage, along with the Fortanix DSM, a secure environment is established, eliminating the risk of unauthorized data access.

This integration document is designed for customers, guiding them in securing their information through HPE 3PAR and HPE Primera storage with Fortanix DSM.

1.2 Prerequisites

To successfully integrate Fortanix DSM with HPE Alletra 9000, ensure the following:

  • Fortanix DSM

  • HPE Alletra 9000

  • Access to create a certificate for KMIP Server

2.0 Product Versions Tested

This integration has been tested on the following versions:

  • Fortanix DSM version 4.23.

  • HPE Alletra 9000 release version 9.5.18.20.

3.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

3.1 Signing Up

To get started with the Fortanix Data Security Manager (DSM) cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

3.2 Creating an Account

Access the <Your_DSM_Service_URL> on the web browser and enter your credentials to log in to the Fortanix DSM.

Figure 1: Logging In

3.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

  1. Navigate to the Groups menu item in the DSM left navigation panel and click the + button on the Groups page to add a new group.

    Figure 2: Add Groups

  2. On the Adding new group page, enter the following details:

    • Title: Enter a title for your group.

    • Description (optional): Enter a short description for the group.

  3. Click the SAVE button to create the new group.

The new group has been added to the Fortanix DSM successfully.

3.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

  1. Navigate to the Apps menu item in the DSM left navigation panel and click the + button on the Apps page to add a new app.

    Figure 3: Add Application

  2. On the Adding new app page, enter the following details:

    • App name: Enter the name of your application.

    • ADD DESCRIPTION (optional): Enter a short description for the application.

    • Authentication method: Select the default API Key as the method of authentication from the drop-down menu. For more information on these authentication methods, refer to the User's Guide: Authentication documentation.

    • Assigning the new app to groups: Select the group created in Section 3.3: Creating a Group from the list.

  3. Click the SAVE button to add the new application.

The new application has been added to the Fortanix DSM successfully.

3.5 Copying the App UUID

Perform the following steps to copy the app UUID from the Fortanix DSM:

  1. Click the Apps menu item in the DSM left navigation panel and click the app created in Section 3.4: Creating an Application to go to the detailed view of the app.

  2. From the top of the app’s page, copy the app UUID to be used in Section 4.1: Configuring Encryption as the value of Common Name (CN) to generate a Certificate Signing Request (CSR). Also, copy the Username (app UUID) and Password to be used in Section 4.1: Configuring Encryption to configure the Enterprise Key Manager (EKM)/Fortanix.

3.6 Regenerate the Key

Perform the following steps to update the secret size of the key:

  1. Go to the Fortanix DSM app detail view as created in Section 3.4: Creating an Application.

  2. In the API Key section, click the REGENERATE button.


    Figure 4: Regenerate the Key

  3. In the Regenerate API key dialog box, click the Set app secret key size button and update the value to 16 bytes.


    Figure 5: Secret Key Size Change

  4. Select both the check boxes to confirm your understanding of the action and click the UPDATE button.

The API key is now regenerated successfully.

4.0 Enable Security in HPE Alletra 9000

4.1 Configuring Encryption

Perform the following steps to prepare the HPE Alletra 9000 array for encryption:

  1. Log in to the HPE Alletra 9000 using SSH with the local 3paradm admin user account.

  2. Generate a Certificate Signing Request (CSR) using SSH or the HPE 3PAR CLI. This CSR is signed later (Step 5) by the Certificate Authority used with your external Key Management System (KMS). The format of the createcert command is as follows:

    createcert ekm-client -csr -CN <common name> -C US -ST <State> -L <City> -O "<Company Name>" -OU <Dept>

    For example,

    createcert ekm-client -csr -CN 4208e3b2-6a27-448b-bbba-36aafe -C US -ST Texas -L Houston -O HPE -OU ATC

    NOTE

    The CN must match the UUID of the Fortanix app copied in the previous section.


    Figure 6: Certificate

  3. Run the following command to import the CA bundle for the EKM server into HPE. The root and intermediate certificates must be imported one by one.

    importcert ekm-server -ca stdin

    Importing Root Certificate


    Figure 7: Root Certificate

    Importing Intermediate Certificate


    Figure 8: Intermediate Certificate

  4. Run the following command to import the certificate for the EKM client:

    importcert ekm-client -ca stdin

    Importing Root Certificate


    Figure 9: Root Certificate

    Importing Intermediate Certificate


    Figure 10: Intermediate Certificate

  5. Sign the CSR created in Step 2 with the same Certificate Authority (CA) imported above and import the signed certificate (leaf certificate only) into HPE Alletra using the following command:

    importcert ekm-client stdin

    Figure 11: Import Signed Certificate

    Use the CLI command showcert to verify the presence of the ekm-client and ekm-server certificates.

    NOTE

    This command must be run from the HPE CLI.

  6. Run the following command to verify the status of the drives present:

    shownode -drive

    Figure 12: Drive Status

    showpd -s

    Figure 13: Drive Status

  7. Run the following command to verify whether EKM is configured:

    showencryption -d

    Figure 14: EKM Configuration Check

  8. Run the following command to configure the EKM/Fortanix:

    controlencryption setekm -setserver <Server FQDN/IP Address> -port 5696 -ekmuser <Username> -kmipprotocols 1.4 -passwordnoprompt <Password>

    Here, <Username> and <Password> are the values copied earlier while creating the app in Section 3.0: Configure Fortanix DSM.

    Example:

    controlencryption setekm -setserver 10.10.10.151 -port 5696 -ekmuser 487XXXXXX -kmipprotocols 1.4 -passwordnoprompt r8cXXXXXXXXXX

    Figure 15: Configure EKM

  9. Run the following command to verify that the EKM has been configured:

    showencryption -d

    Figure 16: Verify EKM Configuration

  10. Run the following command to verify that all the certificates are successfully configured within HPE:

    showcert

    Figure 17: Verify Certificate Configuration

  11. Run the following command to enable encryption on the HPE Alletra 9000:

    controlencryption enable -ekm firstinetgrationhpe9k

    Figure 18: Enable Encryption

  12. Run the following command to verify the task (ID 12436) created for encryption:

    waittask -v 12436

    Figure 19: Verify Encryption Task


    Figure 20: Encryption Task Output

  13. Run the following command to verify that the drives have been encrypted:

    showpd -s

    Figure 21: Verify Drives Encryption

  14. You can view and confirm that all the keys have been created in Fortanix EKM:


    Figure 22: Key Successfully Created


    Figure 23: Key Detailed View

  15. Run the following command to verify that the restore of the backup was successful:

    controlencryption restore firstintegrationonhpe9k 

    Figure 24: Verify Restore of the Backup

  16. Run the following command to confirm that task 12438 completed successfully:

    waittask -v 12438

    Figure 25: Review Task 12438
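The certificate steps in Section 4.1 (Steps 2 to 5) hinge on two facts: the leaf certificate's CN must equal the Fortanix app UUID, and the CA chain must be imported as separate root and intermediate certificates, with only the leaf imported as the ekm-client certificate. The script below is an added example, not part of this guide or of the HPE or Fortanix tooling: it builds a throwaway root, intermediate and leaf with openssl on an admin workstation and runs the checks worth doing before pasting any PEM into importcert. The app UUID, subject names and keys are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the HPE/Fortanix guide): mirror the Section 4.1 certificate
# material with openssl and run the pre-import checks. All keys, names and the UUID
# are throwaway test values; substitute the UUID from Section 3.5 and your real CA files.
set -eu
WORK=$(mktemp -d)
APP_UUID="00000000-0000-4000-8000-000000000001"   # placeholder app UUID

# Extension profile for CA certificates (root and intermediate).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
# Extension profile for the leaf, used as the TLS client certificate on the KMIP session.
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$WORK/leaf.ext"

# Helper: RSA key plus CSR for the given file prefix and subject.
mkcsr() { openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" 2>/dev/null; }

mkcsr root "/CN=Test Root CA"
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
  -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
mkcsr int "/CN=Test Intermediate CA"
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
  -days 30 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
# The leaf CSR mirrors `createcert ekm-client -csr -CN <app UUID> ...` run on the array.
mkcsr leaf "/C=US/ST=Texas/L=Houston/O=HPE/OU=ATC/CN=$APP_UUID"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial \
  -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

# Check 1: subject CN of a PEM certificate. It must equal the app UUID, otherwise
# Fortanix DSM cannot map the client certificate to the app.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
# Check 2: does LEAF ($1) chain to ROOT ($2) through INTERMEDIATE ($3)? Prints OK or FAIL.
# Trusting only the intermediate is not enough; the root must be imported as well.
chain_status() {
  if openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}
# Check 3: how many certificates a bundle holds; each needs its own `importcert ... -ca stdin`.
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }
cat "$WORK/root.pem" "$WORK/int.pem" > "$WORK/ca-bundle.pem"

echo "leaf CN: $(cert_cn "$WORK/leaf.pem") (expected $APP_UUID)"
echo "chain via root+intermediate: $(chain_status "$WORK/leaf.pem" "$WORK/root.pem" "$WORK/int.pem")"
echo "certificates to import one by one: $(cert_count "$WORK/ca-bundle.pem")"
```

Point cert_cn at the signed leaf returned by your CA and chain_status at the real root and intermediate PEMs; a FAIL there means showcert will list the certificates but the KMIP TLS session will not establish.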

4.2 Rotating the Key

Perform the following steps to rotate the key in HPE Alletra 9000:

  1. Run the following command to take the backup of the key:

    controlencryption backup firstintegrationbackuphpe9k

    The backup file is created with the name firstintegrationbackuphpe9k.

  2. Run the following command to rotate the key:

    controlencryption rekey secondintegrationonhpe9k

    This creates a new task in HPE and a new, rotated key in Fortanix DSM.


    Figure 26: Rotate the Key


    Figure 27: New Rotated Key

  3. Run the following command to verify the task:

    showtask -d 12609

    Figure 28: Verify the Task

    NOTE

    Each operation in HPE creates a new task with its own task ID.

5.0 Group Key Encryption Key (KEK)

For additional security, you can also create a group KEK to encrypt all the apps within the HPE Alletra 9000 group in Fortanix DSM.

To configure another group in Fortanix DSM, which will act as the Group Root Key, refer to the User's Guide: Group Key Encryption Key.


Figure 29: Create Group KEK

After the group KEK is configured, the group will appear as shown below:


Figure 30: Group KEK Created

6.0 Verification Steps

Run the following tests on the HPE Alletra 9000:

  1. Backup and restore:
    Take a backup and restore of the key as shown below:


    Figure 31: Backup and Restore

    Verify the logs from the Task ID as shown below:

    waittask -v 12652

    Figure 32: Verify the Logs

  2. Rotate the HPE Alletra 9000 array:


    Figure 33: Rotate the Key

    Verify that the key has been created in Fortanix DSM.


    Figure 34: Verify Key Rotation

  3. Rotate the Group KEK:

    NOTE

    Do not deactivate the original key after rotation.

    After the Group KEK rotation is successful, verify the backup and restore of the key by performing Step 1 above again.

  4. Verify key rotation:


    Figure 35: Verify Key Rotation

  5. Proceed with the backup and restore operation again:


    Figure 36: Backup and Restore

  6. Verify that the Restore operation is successful:


    Figure 37: Restore Successful