Using Fortanix Data Security Manager with Scality S3C


1.0 Introduction

This article describes how to integrate Fortanix Data Security Manager (DSM) with Scality S3C for Transparent Bucket Encryption using the generic Key Management Interoperability Protocol (KMIP).

It also contains the information that a user requires to:

  • Set up Fortanix DSM

  • Retrieve the Fortanix CA and generate a certificate

  • Apply the certificate to the Fortanix DSM Application Object

  • Enable audit logging in Fortanix DSM

  • Configure S3C and

  • Create an encrypted bucket

2.0 Prerequisites

The key management cloud service needs to be set up using https://sdkms.fortanix.com/ before configuring Scality for bucket encryption.

This article assumes that access to the Fortanix DSM user interface (UI) and licensing has been established.

3.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

3.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

3.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

Figure 1: Logging in

For more information on how to set up an account in Fortanix DSM, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.

4.0 Using SaaS Deployment

Perform the following steps to configure Scality wizard in Fortanix DSM SaaS:

  1. Sign up at https://smartkey.io/. This opens DSM SaaS for the AMER region. DSM SaaS supports multiple regions, as listed here.

  2. In the DSM left navigation panel, click the Instances menu item, and then select the Storage Encryption check box. Click ADD INSTANCE on the Scality tile.

    Figure 2: Add instance

  3. On the Add Instance page, do the following:

    1. Title: Enter a name for your instance.

    2. Authentication method: Select the API Key radio button.

      1. The API Key option authenticates the application with the API Gateway.

      2. The Client Certificate option authenticates the application with Fortanix DSM using a Client Certificate. For more information, refer to Section 7.0: Generating a Certificate.

    3. Set app secret key size: Select the application (app) key size from the available options in bytes.

  4. Click SAVE INSTANCE.

    Figure 3: Add scality instance

Saving the instance creates a new group, an app, and keys within Fortanix DSM.

4.1 Scality Instance Detailed View

Navigate to the Integrations menu item → Scality wizard → Scality instances table. In the instance detailed view page, the following information is represented:

  • CREDENTIALS: Indicates the method used for app authentication.

    • Click CERTIFICATE to download the Client Certificate. This is applicable only if the app authentication method is Client Certificate.

    • Click VIEW API KEY DETAILS to view the details of API key, such as username and password. This is applicable only if the app authentication method is API Key.

  • MANAGE KEYS: Click MANAGE to oversee the keys created.

  • INSTANCE STATUS: To disable the created instance, toggle the Disabled option.

  • DELETE: To delete the instance, click the overflow menu and select the DELETE option. Note that deleting an instance will result in the removal of the app, group, and all security objects associated with the instance, rendering all key material inaccessible.

    Figure 4: Instance detailed view

5.0 Using On-premises Deployment

5.1 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Groups menu item, and then click the + button to create a new group.

    Figure 5: Add groups

  2. On the Adding new group page, do the following:

    1. Title: Enter a name for your group. For example, Scality S3C.

    2. Description (optional): Enter a short description of the group.

  3. Click SAVE to create the new group.

The new group is added to the Fortanix DSM successfully.

5.2 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Apps menu item, and then click the + button to create a new app.

    Figure 6: Add application

  2. On the Adding new app page, do the following:

    1. App name: Enter the name for your application. For example, Scality S3C Bucket Encryption.

    2. ADD DESCRIPTION (optional): Enter a short description of the application.

    3. Authentication method: Select the default API Key as the authentication method from the drop-down menu. For more information on these authentication methods, refer to the User's Guide: Authentication.

    4. Assigning the new app to groups: Select the group created in Section 5.1: Creating a Group from the list.

  3. Click SAVE to add the new application.

The new application is added to the Fortanix DSM successfully.

6.0 Copying the App UUID

Perform the following steps to copy the app UUID from the Fortanix DSM:

  1. In the DSM left navigation panel, click the Apps menu item, and then click the app created in Section 5.2: Creating an Application to go to the detailed view of the app.

  2. From the top of the app's page, click the copy icon next to the app UUID to copy it. It is used in Section 7.0: Generating a Certificate as the value of the Common Name (CN) when generating the certificate.

7.0 Generating a Certificate

On a host with OpenSSL, create the certificate and key that you need to authenticate to the KMIP service you just created:

openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem \
  -out cert.pem -days 365 \
  -subj "/CN=<UUID you copied from the app>"

For example:

openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem \
  -days 365 -subj "/CN=c6ad2ad7-4948-4b60-8cd6-f33c00a01428"

You should now have the following:

  • The Fortanix CA certificate (fortanix_ca.cer), retrieved as described in Section 9.0.

  • A private key (key.pem).

  • A certificate (cert.pem).

8.0 Updating the Authentication Method

Perform the following steps to change the authentication method:

  1. Go to the detailed view of the app created in Section 5.2: Creating an Application, click Change authentication method, and select the Certificate option.

  2. Click SAVE.

  3. On the Add certificate dialog box, click UPLOAD NEW CERTIFICATE to upload the certificate file, or paste the content of the certificate generated in the previous section.

  4. Select both check boxes to confirm your understanding of the action.

  5. Click UPDATE to save the changes.

9.0 Retrieve Fortanix Certificate Authority (CA)

  1. Go to the URL: https://<fortanix_dsm_url>.

  2. In the URL address bar, click the padlock icon, then select Certificate.

    Figure 7: Get Certificate

  3. Select the certification path and then highlight the root DST Root CA X3.

  4. Click View Certificate.

    Figure 8: View certificate

  5. Select the Details tab and then click Copy to File.


    Figure 9: Copy to file

  6. Click Next and then select the radio button for Base-64 encoded X.509 (.CER) before saving it and choosing a filename (Example: fortanix_ca.cer).


    Figure 10: Base64 Encoded

10.0 Upload Certificate to Fortanix DSM App

Perform the following steps to apply the new client certificate for app authentication:

  1. In the DSM left navigation panel, click the Apps menu item, and then click the app created in Section 5.2: Creating an Application to go to the detailed view of the app.

  2. In the INFO tab, click UPDATE in the App Certificate section.

  3. In the dialog box, click UPLOAD NEW CERTIFICATE to browse and upload the cert.pem file.

  4. Select both check boxes to confirm your understanding of the action.

  5. Click UPDATE.

11.0 Enable Audit Logging in Fortanix DSM

Audit logging verifies that operations such as key creation, retrieval, encryption, decryption, and deletion are executed properly. It also helps in troubleshooting by offering visibility into which actions were attempted and whether they succeeded or failed.

  1. In the DSM left navigation panel, click the Apps menu item, and then click the app created in Section 5.2: Creating an Application to go to the detailed view of the app.

  2. In the INFO tab, under the Groups section click the grid for App permissions to edit the app permissions.

    Figure 11: App permissions

  3. In the Set app permissions for objects in the group dialog box, select the Allow access to audit log option.

    Figure 12: Enable audit logging

  4. Click SAVE CHANGES.

12.0 Configure Scality S3C

This section describes how to integrate Fortanix DSM as a Key Management Server (KMS) with Scality S3 Connector (S3C).

For the latest instructions on configuring a KMS, refer to the Scality documentation.

  • Select your RING version.

  • Navigate to the S3 documentation section.

In your deployment's group_vars/all file, include the following KMIP configuration under env_s3:

env_s3:
  kmip:
    port: 5696
    host: <fortanix_dsm_url>
    compoundCreate: false
    bucketAttributeName: x-zenko-bucket
    pipelineDepth: 8
    key: kmip_key.pem
    cert: kmip_cert.pem
    ca:
      - fortanix_CA.cer

Replace <fortanix_dsm_url> with the actual Fortanix DSM host URL. For example, eu.smartkey.io.

All certificates must be placed in the appropriate kmip directory for your environment:

s3/federation/env/<your_environment>/kmip/

Where,

  • kmip_key.pem refers to the KMIP client private key.

  • kmip_cert.pem refers to the KMIP client certificate.

  • fortanix_CA.cer refers to the Fortanix DSM CA certificate.

At the time of writing, there is:

  • No default boilerplate kmip section in the group_vars/all file.

  • No pre-created kmip directory under the environment path.

You must manually create both:

  • The kmip section in the YAML configuration file.

  • The kmip directory under your environment path to store the certificates.
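Before copying the files into the kmip directory, it is worth checking that the client material from Section 7.0 is actually what DSM expects: the certificate's CN must be the app UUID, the key must belong to the certificate, and the CA file must be the Base-64 (PEM) export from Section 9.0 rather than a DER .cer. The following pre-flight script is an added example written for this article, not Fortanix or Scality tooling; it assumes only the openssl command line used above, and the file names and the check_kmip_client_material function name are this example's own.

```shell
#!/bin/sh
# Pre-flight check of the KMIP client material before it is copied into
# s3/federation/env/<your_environment>/kmip/. Added example; not part of the
# Fortanix or Scality tooling. Requires only the openssl CLI from Section 7.0.
# Usage: check_kmip_client_material KEY.pem CERT.pem APP_UUID [CA.cer]

# Print the Common Name of a PEM certificate (empty when unreadable or absent).
cert_cn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" 2>/dev/null \
    | sed -n 's/^subject=.*CN=\([^,]*\).*$/\1/p'
}

# Succeed only when the private key's public half equals the certificate's
# public key; both commands emit the same SubjectPublicKeyInfo PEM.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Run every check and report each failure on stderr; return 0 only if all pass.
check_kmip_client_material() {
  key=$1 cert=$2 app_uuid=$3 ca=$4 ok=0
  for f in "$key" "$cert" ${ca:+"$ca"}; do
    [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
  done
  # DSM maps the client to the app by CN, so it must be exactly the app UUID.
  cn=$(cert_cn "$cert")
  [ "$cn" = "$app_uuid" ] \
    || { echo "CN '$cn' does not match app UUID '$app_uuid'" >&2; ok=1; }
  key_matches_cert "$key" "$cert" \
    || { echo "$key does not belong to $cert" >&2; ok=1; }
  # -checkend N fails if the cert is expired or expires within N seconds.
  openssl x509 -noout -checkend 2592000 -in "$cert" >/dev/null 2>&1 \
    || { echo "$cert is expired or expires within 30 days" >&2; ok=1; }
  # The CA must be the Base-64 (PEM) .cer from Section 9.0; DER is rejected.
  if [ -n "$ca" ]; then
    openssl x509 -noout -in "$ca" >/dev/null 2>&1 \
      || { echo "$ca is not a PEM (Base-64) X.509 certificate" >&2; ok=1; }
  fi
  return "$ok"
}
```

Run it against the files you intend to rename to kmip_key.pem, kmip_cert.pem and fortanix_CA.cer; a non-zero exit means S3C would fail to authenticate to DSM over port 5696 with that material.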

13.0 Create an Encrypted Bucket

Encrypted buckets with S3C cannot be created using the standard Amazon API call. Instead, a special header must be included during bucket creation. A script for this is available in any CloudServer (S3) container. For more information, refer to the Using Bucket Encryption in the S3 Connector Operation documentation.

If an issue occurs (for example, you receive a 50x error when attempting to create the bucket), the relevant errors will appear in the S3 log on the host you are using, for example /var/log/s3/scality-s3-1/logs/s3-0.log. If you did not get an error, congratulations! You have successfully created an encrypted bucket.

You will see a new security object in the Fortanix DSM UI confirming successful communication.