Using Fortanix Data Security Manager with Commvault

1.0 Introduction

This article describes how to integrate Fortanix Data Security Manager (DSM) with Commvault.

It also contains the information that a user requires to:

  • Create an App in Fortanix DSM.

  • Configure Commvault Key Management Server.

  • Rotate keys in Commvault Key Management Server.

2.0 Prerequisites

Ensure that you have the following:

  • Fortanix DSM

  • Commvault

  • Access to create a Certificate for the KMIP server

3.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

3.1 Signing Up

To get started with the Fortanix Data Security Manager (DSM) cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

3.2 Creating an Account

Access the <Your_DSM_Service_URL> on the web browser and enter your credentials to log in to the Fortanix DSM.

Figure 1: Logging In

3.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

  1. Click the Groups menu item in the DSM left navigation bar and click the + button on the Groups page to add a new group.

    Figure 2: Add Groups

  2. On the Adding new group page, enter the following details:

    • Title: Enter a title for your group.

    • Description (optional): Enter a short description for the group.

  3. Click the SAVE button to create the new group.

The new group has been added to the Fortanix DSM successfully.

3.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

  1. Click the Apps menu item in the DSM left navigation bar and click the + button on the Apps page to add a new app.

    Figure 3: Add Application

  2. On the Adding new app page, enter the following details:

    • App name: Enter the name of your application.

    • Interface (optional): Select the KMIP option as the interface type from the drop-down menu.

    • ADD DESCRIPTION (optional): Enter a short description for the application.

    • Authentication method: Select the default API Key as the method of authentication from the drop-down menu. For more information on these authentication methods, refer to the User's Guide: Authentication documentation.

    • Assigning the new app to groups: Select the group created in Section 3.3: Creating a Group from the list.

  3. Click the SAVE button to add the new application. 

The new application has been added to the Fortanix DSM successfully.

3.5 Copying the App UUID

Perform the following steps to copy the app UUID from the Fortanix DSM:

  1. Click the Apps menu item in the DSM left navigation bar and click the app created in Section 3.4: Creating an Application to go to the detailed view of the app.

  2. From the top of the app’s page, copy the app UUID to be used in Section 3.6: Generating the Certificate as the value of Common Name (CN) to generate the self-signed certificate and a private key.  

3.6 Generating the Certificate

Perform the following steps to generate the client certificate:

Create a new certificate using the following OpenSSL command. You will upload this certificate to the Fortanix DSM app. Update the certificate parameters such as country, state, and organization, and ensure that the common name (CN) is set to the Fortanix app UUID.

openssl req -newkey rsa:2048 -nodes -keyout commvault.key -x509 -days 365 -out commvault.crt

Figure 4: Create a new certificate
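
The following added example (not part of the original Fortanix article or either product) runs the same OpenSSL command without prompts and checks the result before upload: the CN equals the app UUID, the private key matches the certificate, and the certificate has not expired. The UUID default, the C/ST/O values, and the function names are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not Fortanix or Commvault code).
# The APP_UUID default and the C/ST/O values are constructed placeholders.
APP_UUID="${APP_UUID:-00000000-0000-4000-8000-000000000000}"
OUT_DIR="${OUT_DIR:-$(mktemp -d)}"

# Generate the key pair and self-signed certificate without prompts,
# with CN set to the DSM app UUID.
gen_client_cert() {  # usage: gen_client_cert <app_uuid> <out_dir>
  local uuid="$1" dir="$2"
  # -nodes writes the private key unencrypted, so create it owner-only.
  ( umask 077
    openssl req -newkey rsa:2048 -nodes -x509 -days 365 \
      -subj "/C=US/ST=Example State/O=Example Org/CN=${uuid}" \
      -keyout "${dir}/commvault.key" -out "${dir}/commvault.crt" 2>/dev/null )
}

# Print the CN from a certificate's subject.
cert_cn() {  # usage: cert_cn <crt>
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Return 0 only if the certificate is usable for the DSM app:
# 1 = CN is not the app UUID, 2 = key/cert mismatch, 3 = expired.
verify_client_cert() {  # usage: verify_client_cert <app_uuid> <crt> <key>
  local uuid="$1" crt="$2" key="$3"
  [ "$(cert_cn "$crt")" = "$uuid" ] ||
    { echo "CN does not match app UUID" >&2; return 1; }
  [ "$(openssl x509 -in "$crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$key" -pubout)" ] ||
    { echo "private key does not match certificate" >&2; return 2; }
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null ||
    { echo "certificate has expired" >&2; return 3; }
}

gen_client_cert "$APP_UUID" "$OUT_DIR" &&
  verify_client_cert "$APP_UUID" "$OUT_DIR/commvault.crt" "$OUT_DIR/commvault.key" &&
  echo "OK: ${OUT_DIR}/commvault.crt is ready to upload"
```

Set APP_UUID to the value copied in Section 3.5 and OUT_DIR to the directory where commvault.key and commvault.crt should be written.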

3.7 Updating the Authentication Method

Perform the following steps to change the authentication method:

  1. Go to the detailed view of the app created in Section 3.4: Creating an Application and click the Change authentication method button and select the Certificate option to change the authentication method to Certificate.

  2. Click the SAVE button.

  3. On the Add certificate dialog box, click the UPLOAD NEW CERTIFICATE button to upload the certificate file or paste the content of the certificate generated in the previous section.

  4. Select both the check boxes to confirm your understanding about the action.

  5. Click the UPDATE button to save the changes.

4.0 Configure Commvault Key Management Server

  1. Log in to the Commvault Command Center.  

    Figure 5: Log in to Commvault

  2. Search for Key Management Server or navigate to Manage → Security → Key Management Servers.  

    Figure 6: Key management server

  3. Configure the KMIP Server in Commvault.  

    Figure 7: Configure KMIP server

  4. Configure the Key Management Server with KMIP protocol details:

    • Name

    • Key length

    • Server: Enter the Fortanix DSM host name. For example, eu.smartkey.io. For more details on the different regions and the host names, refer to the Fortanix DSM SaaS Global Availability Map.

    • Port: 5696

    • Upload the self-signed Certificate

    • Upload the Certificate key

    • Upload the Fortanix DSM CA Certificate as shown below

    Figure 8: Configure KMIP details

  5. Save the configuration.

  6. Open the Commvault CommCell console and click System. The System window opens.

  7. Click Encryption. On the Software Encryption tab, configure the software encryption settings and select the Key Management Server.

    Figure 9: Commvault CommCell console

  8. Save the configuration.

  9. Go to Storage Policies and create a new policy for testing the encryption.  

    Figure 10: Create new storage policy

  10. Go to Commvault Command Center → Storage → Select the Storage Type, that is Disk.

  11. In the Configuration tab:

    1. Select the Key management server configured earlier.  

      Figure 11: Disk storage configuration

    2. Enable the toggle for Encrypt.  

      Figure 12: Configure encryption

  12. Run the backup jobs for testing.  

    Figure 13: Run backup job

  13. Verify the Key in Key Management Server.  

    Figure 14: Verify the key

    Figure 15: Verify the key

5.0 Key Rotation

  1. For key rotation, follow the steps below:

    1. Go back to the Storage → Disk page.

    2. Click the storage that you were testing.

    3. Next, go to the Configuration tab and change back to Built-in Key management server.

    4. Once saved, change it back to the Fortanix KMS.

  2. This will force the Key Rotation in KMS.

  3. Verify the key rotation in the Commvault logs.

    Figure 16: Verify logs