Using Fortanix Data Security Manager with NetApp ONTAP


1.0 Introduction

This article describes the process of integrating Fortanix Data Security Manager (DSM) with NetApp ONTAP to centrally manage keys for the Volume Encryption feature of ONTAP. By utilizing Fortanix DSM, organizations can achieve centralized management and control of all cryptographic keys, ensuring robust security practices.

The document provides essential information for:

  • Creating a KMIP (Key Management Interoperability Protocol) application on Fortanix DSM.

  • Configuring NetApp ONTAP to use external key management.

  • Implementing Volume Encryption using a Fortanix DSM-based key with NetApp ONTAP.

  • Viewing and managing encryption keys on Fortanix DSM.

2.0 Product Tested Version

The following product versions were tested:

  • Fortanix DSM version 4.27 patch 2 or later.

  • Fortanix DSM version 4.31 or later.

  • NetApp ONTAP version 9.15.1 patch 6 (9.15.1P6).

3.0 Prerequisites

Ensure the following:

  • NetApp ONTAP version 9 is installed on the system.

  • Fortanix DSM cluster is running a tested version.

4.0 Architecture Workflow

Figure 1: Architecture diagram

This architecture diagram illustrates the integration of NetApp ONTAP and Fortanix DSM using the Key Management Interoperability Protocol (KMIP) for secure encryption key management.

NetApp ONTAP encrypts stored data, while Fortanix DSM securely manages encryption keys separately. Instead of storing keys within the storage system, NetApp ONTAP communicates with Fortanix DSM over KMIP to retrieve encryption keys when needed, ensuring access is restricted to authorized users.

KMIP plays a crucial role in this integration by standardizing key management communication between NetApp ONTAP and Fortanix DSM. This protocol ensures seamless and secure key retrieval, rotation, and management without manual intervention.

Fortanix DSM enforces authentication for users, applications, and systems before granting access to encryption keys, preventing unauthorized decryption. Even if NetApp ONTAP storage is compromised, the encrypted data remains secure since the keys are centrally managed within DSM through KMIP, maintaining strong access control and compliance with security standards.

5.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

5.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

5.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

Figure 2: Logging in

For more information on how to set up an account in Fortanix DSM, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.

5.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Groups menu item, and then click the + button to create a new group.

    Figure 3: Add groups

  2. On the Adding new group page, do the following:

    1. Title: Enter a name for your group.

    2. Description (optional): Enter a short description of the group.

  3. Click SAVE to create the new group.

The new group is added to the Fortanix DSM successfully.

5.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Apps menu item, and then click the + button to create a new app.

    Figure 4: Add application

  2. On the Adding new app page, do the following:

    1. App name: Enter the name for your application.

    2. ADD DESCRIPTION (optional): Enter a short description of the application.

    3. Authentication method: Select the default API Key as the authentication method from the drop-down menu. For more information on these authentication methods, refer to the User's Guide: Authentication.

    4. Assigning the new app to groups: Select the group created in Section 5.3: Creating a Group from the list.

  3. Click SAVE to add the new application.

The new application is added to the Fortanix DSM successfully.

5.5 Copying the App UUID

Perform the following steps to copy the app UUID from the Fortanix DSM:

  1. In the DSM left navigation panel, click the Apps menu item, and then click the app created in Section 5.4: Creating an Application to go to the detailed view of the app.

  2. From the top of the app’s page, click the copy icon next to the app UUID to copy it to use in Section 5.6: Generating a Certificate.

5.6 Generating a Certificate

A certificate must be generated to identify the application through which KMIP keys will be generated and retrieved by ONTAP.

Two methods are available for generating this certificate:

5.6.1 Creating a CSR for Certificate Issuance from a Trusted CA (Production Environment)

Perform the following steps to create a Certificate Signing Request (CSR) for certificate issuance from a Trusted Certificate Authority (CA):

  1. Use the following command to create a CSR:

    openssl req -out kmip.req -new -newkey rsa:2048 -nodes -keyout key.pem
  2. Fill out the certificate request fields according to your organization's standards. Ensure that the Common Name (CN) field is set to the Fortanix DSM app UUID copied in Section 5.5: Copying the App UUID.

  3. Submit the kmip.req file to your local Certificate Authority (CA) for issuance.

  4. Download the issued certificate as cert.pem from the CA, ensuring it is stored in PEM format.

  5. Obtain copies of the Root CA and Intermediate CA certificates in PEM format. Save them together in a file named Fortanix_DSM_CA.cer.

    Figure 5: Example command for certificate request

5.6.2 Creating Self-Signed Certificate (Lab Environment)

Run the following command to generate a self-signed certificate:

    openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365 -subj "/CN={Fortanix DSM App UUID}"

Replace the {Fortanix DSM app UUID} with the actual app UUID copied in Section 5.5: Copying the App UUID.
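As an added example (not part of the original guide, and not Fortanix or NetApp tooling), the following POSIX shell script wraps the self-signed command above and pre-checks the result before it is installed in ONTAP: the subject must be exactly CN=<app UUID> (a stray space after CN= would otherwise become part of the CN and DSM could not map the certificate to the app), key.pem must belong to cert.pem, and the certificate must not be expired. It assumes the openssl CLI is installed; the function names and the sample UUID are hypothetical.

```shell
#!/bin/sh
# Added example, not from the Fortanix/NetApp guide. Requires the openssl CLI.

# Generate key.pem and cert.pem in directory $2 with CN set to the DSM app UUID $1.
make_kmip_client_cert() {
  uuid="$1"; dir="$2"
  mkdir -p "$dir" || return 1
  # No space after "CN=": anything after "=" is taken literally as the CN value.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
    -out "$dir/cert.pem" -days 365 -subj "/CN=$uuid" >/dev/null 2>&1
}

# Return 0 only if the certificate subject is exactly CN=<uuid>, the private
# key matches the certificate, and the certificate is currently valid.
check_kmip_client_cert() {
  uuid="$1"; cert="$2"; key="$3"
  # RFC 2253 form prints "subject=CN=<value>" with no extra whitespace.
  subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
            | sed 's/^subject= *//')
  if [ "$subject" != "CN=$uuid" ]; then
    echo "CN mismatch: got '$subject', want 'CN=$uuid'" >&2; return 1
  fi
  # Compare the SubjectPublicKeyInfo carried in the cert with the key's public half.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "key.pem does not match cert.pem" >&2; return 1
  fi
  # -checkend 0 fails if the certificate has already expired.
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || {
    echo "certificate is expired" >&2; return 1; }
  return 0
}

# Usage (constructed sample UUID):
#   make_kmip_client_cert 11111111-2222-3333-4444-555555555555 ./kmip
#   check_kmip_client_cert 11111111-2222-3333-4444-555555555555 ./kmip/cert.pem ./kmip/key.pem
```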

5.7 Updating the Authentication Method

Perform the following steps to change the authentication method:

  1. Go to the detailed view of the app created in Section 5.4: Creating an Application, click Change authentication method, and select the Certificate option.

  2. Click SAVE.

  3. On the Add certificate dialog box, click UPLOAD NEW CERTIFICATE to upload the certificate file or paste the content of the cert.pem certificate generated in Section 5.6: Generating a Certificate.

  4. Select both check boxes to confirm your understanding of the action.

  5. Click UPDATE to save the changes.

6.0 Configuration on NetApp ONTAP

The following section describes the procedures to add a Key Management Server (KMS) and to set up volume encryption to enhance the security of your data storage environment:

6.1 Adding Key Management Server

Perform the following steps to add a Key Management Server (KMS) to NetApp ONTAP:

  1. Run the following command to update the certificate and key for the client:

    security certificate install -type client

    Copy and paste the certificate and key generated in Section 5.6: Generating a Certificate when prompted.

  2. When asked, Do you want to continue entering root and/or intermediate certificates?, type n:

    Do you want to continue entering root and/or intermediate certificates: n
  3. If your Issuing CA for the KMIP certificate is a public CA that is kept current with ca-certificates, then proceed to Step 6.

  4. Open the Fortanix DSM root CA certificate, Fortanix_DSM_CA.cer, saved previously with a text editor and copy the certificate value.

  5. Run the following command to update the certificate and key for the server:

    security certificate install -type server-ca

    Paste the output of the certificate from Step 4 when prompted.

  6. Run the following command to confirm the name of the Imported Client and Server-CA Certificates:

    security certificate show-user-installed

    Figure 6: Confirm name of imported certificate

  7. Run the following command to enable the External Key Servers (EKS):

    security key-manager external enable -key-servers {Fortanix DSM FQDN}:5696 -client-cert {Client Certificate Name} -server-ca-certs {Server CA Certificate Name}

    For example:

    security key-manager external enable -key-servers <fortanix_dsm_url>:5696 -client-cert 76ddf566-c4f0-4c62-b711-c944cd4cfbc0 -server-ca-certs DSTRootCAX3
  8. Run the following command to verify the status of the External Key Manager (EKM):

    security key-manager external show-status

    Figure 7: Key manager status

6.2 Enabling Volume Encryption

Perform the following steps to configure the volume encryption on NetApp ONTAP:

  1. Open an SSH client and connect to the IP address of the node.

  2. Run the following command to switch to the diagnostic privilege mode:

    set diag

    Type Y to continue, when prompted.

    Do you want to continue? Y
  3. Run the following command to create a test aggregate:

    storage aggregate create -aggregate {test aggregate name} -node {NetApp Node Name} -diskcount 5 -encrypt-with-aggr-key false

    Type Y to continue, when prompted.

    Do you want to continue? Y
  4. Run the following command to create a test vserver (storage virtual machine):

    vserver create -vserver {test vserver name} -aggregate {aggregate name from step 3} -rootvolume-security-style mixed
  5. Run the following command to create an encrypted volume:

    volume create -vserver {vserver name from step 4} -aggregate {aggregate name from step 3} -encrypt true -size 20Mb -volume {test volume name}
  6. Run the following command to verify that the encrypted volume in the vserver is online:

    volume show -is-encrypted true -state online

    Figure 8: Vserver state

  7. Run the following command to query the key status:

    security key-manager key query

    Figure 9: Key status

7.0 Verifying Activity Logs

Perform the following steps to view the keys in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Apps menu item, and then click the app created in Section 5.4: Creating an Application to go to the detailed view of the app.

  2. In the INFO tab, view the Activity Logs on the app.

    Figure 10: View activity logs

  3. Go to the Security Objects tab and view the list of the keys.

    Figure 11: View keys in DSM

8.0 Migrate ONTAP Encryption Keys

This section describes the steps to remove Thales CipherTrust Manager (CTM) as a KMIP provider for NetApp ONTAP and migrate the existing ONTAP encryption keys from Thales CTM to Fortanix DSM.

Since NetApp ONTAP only allows a single authentication certificate to be used for all external KMIP key managers, integrating with multiple key management solutions that have different certificate requirements for authentication poses a challenge.

  • Fortanix DSM requires the CN of the certificate to be the DSM app UUID, which is used to identify the app that manages access to the keys.

  • Thales CTM requires the CN to be the user ID of the entity managing keys within CTM.

Perform the following steps to migrate ONTAP keys from CTM to DSM:

  1. Create a new user account in Thales CTM with the user ID matching the UUID of the Fortanix DSM app copied in Section 5.5: Copying the App UUID.

  2. Assign the new user the same permissions and access rights as the original user managing the keys within Thales CTM.

  3. The CN of the NetApp ONTAP authentication certificate is now set to the Fortanix app UUID and is used for authentication across both Fortanix DSM and Thales CTM. By ensuring the user in CTM matches the Fortanix app UUID, the certificate works for both systems.

  4. Migrate all ONTAP keys from Thales CTM to Fortanix DSM.

  5. After successful migration, decommission Thales CTM as a KMIP provider for ONTAP.