Using Fortanix Data Security Manager with Skyhigh Secure Web Gateway (SWG)

Prev Next

1.0 Introduction

This article describes how to integrate Fortanix-Data-Security-Manager (DSM) with Skyhigh Secure Web Gateway (SWG) to deliver Hardware Security Module (HSM) capabilities. The HSM serves the purpose of safeguarding private keys utilized in SSL communication.

After it is installed, the HSM assumes responsibility for private key operations associated with the keys under its protection. To facilitate seamless integration with the hardware module, HSM software is installed on the Web Gateway.

2.0 Prerequisites

Ensure the following:

  • Command Line Interface (CLI) accessibility.

  • Secure Web Gateway v12.2.3 is supported.

3.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

3.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

3.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

Figure 1: Logging in

For more information on how to set up an account in Fortanix DSM, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.

3.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Groups menu item, and then click the + button to create a new group.

    Figure 2: Add groups

  2. On the Adding new group page, do the following:

    1. Title: Enter a name for your group.

    2. Description (optional): Enter a short description of the group.

  3. Click SAVE to create the new group.

The new group is added to the Fortanix DSM successfully.

3.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Apps menu item, and then click the + button to create a new app.

    Figure 3: Add application

  2. On the Adding new app page, do the following:

    1. App name: Enter the name for your application.

    2. ADD DESCRIPTION (optional): Enter a short description of the application.

    3. Authentication method: Select the default API Key as the authentication method from the drop down menu. For more information on these authentication methods, refer to the User's Guide: Authentication.

    4. Assigning the new app to groups: Select the group created in Section 3.3: Creating a Group from the list.

  3. Click SAVE to add the new application.

The new application is added to the Fortanix DSM successfully.

3.5 Copying the API Key

Perform the following steps to copy the API key from the Fortanix DSM:

  1. In the DSM left navigation panel, click the Apps menu item, and then click the app created in Section 3.4: Creating an Application to go to the detailed view of the app.

  2. On the INFO tab, click VIEW API KEY DETAILS.

  3. From the API Key Details dialog box, copy the API Key of the app to use it later.

3.6 Update the Client Configuration Settings

Perform the following steps:

  1. In the DSM left navigation panel, click the Settings menu item, and then click the CLIENT CONFIGURATION tab.

  2. In the COMMON tab, select Logging -> File and update the file log Path to /opt/mwg/log/debug/fortanix/fortanix.log.

    Figure 4: Add path

4.0 Loading the Private Key Identifiers

This section describes the steps to enumerate the available keys in the SWG user interface (UI).

Perform the following steps to enable SWG to utilize keys within Fortanix DSM:

  1. Open the Skyhigh Secure Web Gateway UI.

  2. Navigate to Configuration → Appliances → Hardware Security Module.

    figure 1.png

    Figure 5: Hardware Security Module

  3. Select the Start local HSM server check box.

    figure 2.png

    Figure 6: HSM Server

  4. From the Crypto Module drop down menu, select the Fortanix DSM (from Fortanix) option.

    figure 3.png

    Figure 7: Select Module

  5. Enter the Fortanix DSM API key and click Set to confirm. To know this app API key, refer to Section 3.5: Copying the API Key.

    figure 4.png

    Figure 8: Enter Fortanix DSM API Key

  6. Enter the Fortanix DSM app API Key as a Password and click OK

    figure 6.png

    Figure 9: Enter Password

    To modify the Fortanix DSM app API Key, select Change

    figure 7.png

    Figure 10: Modify Fortanix DSM API Key

  7. In the Keys to be loaded section, click the "+" icon to add the key as a string. 

    figure 8.png

    Figure 11: Add Keys

  8. The format for adding keys is <engine-label>:<pkcs11-URI> .

    • The engine-label should be "pkcs11" to inform SWG that these are PKCS#11 keys.

    • Enter the key as a string using the format: pkcs11:pkcs11:object=<key>. The value of 'Key' is based on the Key Label name created in Fortanix DSM UI.

      figure 9.png

      Figure 12: Add the String

5.0 Creating Certificate Using Fortanix DSM Private Keys

You can create certificates seamlessly in SWG using Fortanix DSM private keys by setting up the app API key and executing OpenSSL commands through CLI access.

Perform the following steps:

  1. Open the SWG console through the CLI.

  2. In the root directory, create a new file named fortanix.cfg to store the API_KEY value as created in Section 3.5: Copying the API Key:

    api_key = "API_KEY"
  3. Run the following command to provide the required permissions:

    chmod 777 fortanix.cfg
  4. Run the following commands to export the file:

    # export FORTANIX_PKCS11_NUM_SLOTS=1
    # echo $FORTANIX_PKCS11_NUM_SLOTS 1
  5. Use the following OpenSSL commands:

    openssl1.1
    OpenSSL> engine -pre MODULE_PATH:/opt/fortanix/pkcs11/fortanix_pkcs11.so -pre VERBOSE pkcs11

    This command generates the following sample output:

    figure 10.png

    Figure 13: Sample Output

  6. Run the following OpenSSL "req" command to generate the certificate:

    OpenSSL> req -engine pkcs11 -keyform engine -new -key "pkcs11:object=<key>;pin-value=file:///root/fortanix.cfg" -x509 -days 3650 -out FILENAME.crt -set_serial 0xdeadbeef

    This command successfully creates the certificate file.

    figure 11.png

    Figure 14: Certificate Generated