1.0 Introduction
This article describes how to integrate Fortanix Data Security Manager (DSM) with Nutanix for storage encryption.
Nutanix supports Fortanix DSM for managing the encryption keys used to encrypt sensitive data at rest. Fortanix DSM is a specialized device or service that provides secure key management and cryptographic operations through industry-standard APIs.
Nutanix uses Fortanix DSM to generate, store and provide authorized access to data encryption keys. Nutanix communicates with the Fortanix DSM using the KMIP standard to allow authorized use of these keys.
Using Fortanix DSM with Nutanix provides additional security for your data, ensuring that the data encryption keys can only be used with authorized access.
This article also contains the information that a user requires for:
Facilitating the communication and authentication between Fortanix DSM and Nutanix using KMIP and Certificates.
Setting up Fortanix DSM.
Creating client certificate.
Configuring Nutanix Key Management settings.
2.0 KMIP and Certificate Requirements
The Key Management Interoperability Protocol (KMIP) is used to facilitate communication between the Nutanix cluster and Fortanix DSM. KMIP uses Transport Layer Security (TLS) to provide a secure connection, and Fortanix DSM also uses TLS to authenticate a KMIP client before it can create, retrieve, and use the keys stored inside Fortanix DSM.
X.509 certificates are used to facilitate the communication and authentication for both Fortanix DSM and the Nutanix Cluster. Fortanix DSM is deployed with a server certificate that is signed by the internal Certificate Authority (CA). You will need to create a client certificate for the Nutanix cluster using tools such as OpenSSL. The certificate may be signed externally or can be self-signed.
2.1 Prerequisites
Ensure the following:
Nutanix GA version LTS 6.5.2.x or STS 6.6.1+.
Fortanix DSM version 4.4 or later.
Fortanix DSM is installed and operational and is accessible from the Nutanix cluster on port 5696 (the default) or a custom KMIP port.
You have access to OpenSSL or some other tool for generating a client certificate and private key in the Privacy Enhanced Mail (PEM) format.
3.0 Configure Fortanix DSM
A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:
3.1 Signing Up
To get started with the Fortanix Data Security Manager (DSM) cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.
For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.
3.2 Creating an Account
Access the <Your_DSM_Service_URL> on the web browser and enter your credentials to log in to the Fortanix DSM.

Figure 1: Logging In
3.3 Creating a Group
Perform the following steps to create a group in the Fortanix DSM:
Click the Groups menu item in the DSM left navigation bar and click the + button on the Groups page to add a new group.
Figure 2: Add Groups
On the Adding new group page, enter the following details:
Title: Enter a title for your group.
Description (optional): Enter a short description for the group.
Click the SAVE button to create the new group.
The new group has been added to the Fortanix DSM successfully.
3.4 Creating an Application
NOTE
You must create one application for each node in the Nutanix cluster. For example: 3 nodes = 3 applications.
Perform the following steps to create an application (app) in the Fortanix DSM:
Click the Apps menu item in the DSM left navigation bar and click the + button on the Apps page to add a new app.
Figure 3: Add Application
On the Adding new app page, enter the following details:
App name: Enter the name of your application.
ADD DESCRIPTION (optional): Enter a short description for the application.
Authentication method: Select the default API Key as the method of authentication from the drop-down menu. For more information on these authentication methods, refer to the User's Guide: Authentication documentation.
Assigning the new app to groups: Select the group created in Section 3.3: Creating a Group from the list.
Click the SAVE button to add the new application.
The new application has been added to the Fortanix DSM successfully.
3.5 Copying the App UUID
Perform the following steps to copy the app UUID from the Fortanix DSM:
Click the Apps menu item in the DSM left navigation bar and click the app created in the Section 3.4: Creating an Application to go to the detailed view of the app.
From the top of the app’s page, copy the app UUID to be used in Section 4.0: Configure Nutanix Nodes with Fortanix UUIDs as the Common Name (CN) when generating the client certificate.
For example:
Node 1 = 3030a8c0-c520-4f0f-912a-d3bff6a272fd
Node 2 = 99d5cafd-95e0-4898-b93d-f46ce9550287
Node 3 = c0b83293-ae04-4735-90af-9b4f406f884e
3.6 Updating the Account Settings
Perform the following steps:
Click Settings → CLIENT CONFIGURATION → KMIP.
Select the Allow secrets with unknown operations check box.
Click the SAVE button.
4.0 Configure Nutanix Nodes with Fortanix UUIDs
Perform the following steps to generate an RSA key for authenticating to Fortanix DSM for each Nutanix node:
Use the SSH protocol to log into the Nutanix cluster.
Run the following command to identify all nodes in the cluster:
svmips
Each IP address returned will represent your cluster nodes.
Log into each cluster node and run the following command:
genesis --use_legacy_csr_generation=False --san_list_for_csr_generation="dns=<APP_UUID>" restart
Replace <APP_UUID> with the app UUID you copied for that node in Section 3.5: Copying the App UUID. Execute the above command on each node in the cluster, where the UUID should match the node.
Sample output:
nutanix@NTNX-17SM6B050002-A-CVM:10.16.0.135:~$ genesis --use_legacy_csr_generation=False --san_list_for_csr_generation="dns=5bf6acc7-ebe3-4e6e-a88a-70572b18c96a" restart
2022-11-01 07:45:23.042344: Stopping genesis (pids [15503, 15561, 15585, 15586, 30032, 30033])
2022-11-01 07:45:27.540170: Genesis started on pids [2948]
5.0 Configure Encryption Settings
Perform the following steps:
Log in to Nutanix Prism.
Figure 4: Log in to Nutanix
Using the drop-down menu, select Settings.
On the left pane, select Data-at-rest Encryption.
Figure 5: Data at rest encryption
Select An External KMS.
Fill in the Certificate Signing Request information and click Save CSR Info.
Click Add New Key Management Server.
Name the key management server.
Provide the address to your Fortanix DSM deployment (On-premises or SaaS).
Click Save.
Click Back.
Click Add New Certificate Authority.
NOTE
This will be the root CA certificate for the Fortanix DSM environment to which you will be connecting. Download a copy and have it ready for the next section.
Name the Certificate Authority.
Click Upload CA Certificate.
Browse for the CA Certificate.
Click Save.
Click Back.
6.0 Issue Certificate for Each Node
Perform the following steps:
From the Data-at-rest Encryption settings, under the Certificate Signing Request section, click Download CSRs for all nodes.
Figure 6: Download CSR for all nodes
Save these to any location.
Submit these to your organization's team that handles Certificates or PKI.
Depending on the size of your organization and processes, you may need to return to the procedure at a later time. After you have obtained your signed certificates, they will need to be added to the Key Management Server configuration and in Fortanix DSM.
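As an added example (not part of the Fortanix or Nutanix documentation), the following POSIX shell script models the certificate step on a workstation with OpenSSL: a stand-in for the node CSR carrying the Node 1 app UUID from Section 3.5 in its CN and SAN (as the genesis command in Section 4.0 requests), signed by a constructed internal CA in place of your organization's PKI, then checked before it is uploaded in Sections 7.0 and 8.0. The CA, the file names, and the check_cert function are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Fortanix or Nutanix documentation.
# Models Section 6.0 on a workstation: sign a node CSR that carries the
# DSM app UUID (Sections 3.5 and 4.0) with an internal CA, then check the
# signed certificate before uploading it to Prism (7.0) and DSM (8.0).
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }
WORK="$(mktemp -d)"
APP_UUID="3030a8c0-c520-4f0f-912a-d3bff6a272fd"   # Node 1 app UUID (Section 3.5)

# Constructed internal CA standing in for your organization's PKI.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=Example Internal CA" >/dev/null 2>&1
}

# Stand-in for the CSR downloaded from Prism: CN and SAN DNS entry = app UUID,
# as requested by genesis --san_list_for_csr_generation="dns=<APP_UUID>".
make_node_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/node.key" -out "$WORK/node.csr" \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1" >/dev/null 2>&1
}

# Sign the CSR. `openssl x509 -req` does not copy CSR extensions into the
# certificate by default, so the SAN is restated via -extfile; a certificate
# that lost the UUID SAN would not match the DSM app.
sign_csr() {
  printf 'subjectAltName=DNS:%s\n' "$1" > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/node.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/san.ext" \
    -out "$WORK/node.crt" >/dev/null 2>&1
}

# Pre-upload check: succeeds only if node.crt chains to the CA and both the
# subject CN and the SAN DNS entry equal the expected app UUID.
check_cert() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/node.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$WORK/node.crt" -noout -subject | grep -Eq "CN ?= ?$1\$" || return 1
  openssl x509 -in "$WORK/node.crt" -noout -text | grep -q "DNS:$1" || return 1
}

make_ca
make_node_csr "$APP_UUID"
sign_csr "$APP_UUID"
check_cert "$APP_UUID" && echo "node.crt is valid for app $APP_UUID"
```

Run check_cert once per node with that node's UUID; a certificate whose CN or SAN does not match the app UUID is the first thing to rule out when Test all nodes in Section 7.0 fails.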
7.0 Install Node Certificates in Nutanix Prism
Perform the following steps:
In the Data-at-rest Encryption settings, under Key Management Server, click Manage Certificates.
Figure 7: Manage certificates
Click Upload Files.
Find and select your certificate files and click Submit.
Click Test all nodes. If successful, click Back.
Figure 8: Testing Successful
8.0 Updating the Authentication Method
Perform the following steps to change the authentication method:
Go to the detailed view of the app created in Section 3.4: Creating an Application, click the Change authentication method button, and select the Certificate option to change the authentication method to Certificate.
Click the SAVE button.
On the Add certificate dialog box, click the UPLOAD NEW CERTIFICATE button to upload the certificate file, or paste the content of the certificate obtained in the previous sections.
Select both the check boxes to confirm your understanding about the action.
Click the UPDATE button to save the changes.
9.0 Enable Encryption
After all of the above steps have been completed, you must enable encryption.
Perform the following steps:
Log in to Nutanix Prism.
Go to Data-at-rest Encryption settings and scroll to the bottom of the page.
Click Enable Encryption.
At the prompt, type ENCRYPT and click Encrypt.
If done properly, you will be presented with a screen that states success and that the system is encrypted.
Figure 9: Encryption Enabled
10.0 Verification
There are two places to verify the encryption.
In Nutanix Prism:
Click the Recent Tasks drop-down menu to see the current encryption progress per container.
In Fortanix DSM:
Observe the contents of your Nutanix group. You should see that the security objects have been created.
Figure 10: Security object created
Also observe the activity logs for each of the apps. You should see that the apps are authenticating and retrieving keys.
Figure 11: App activity logs
To verify the logs from the Nutanix CLI, run:
cat ~/data/logs/mantle.INFO
Figure 12: Nutanix logs
NOTE
Fortanix recommends deploying DSM in a highly available configuration to avoid interruption of the service. Availability is calculated using the formula N/2 + 1, where N is the number of nodes. A Fortanix DSM deployment must have a minimum of three nodes.