Using Fortanix Data Security Manager with VMware Cloud Director Encryption Management


1.0 Introduction

This article describes how to integrate Fortanix Data Security Manager (DSM) with the VMware Cloud Director Encryption Management solution so that tenant administrators can manage the encryption keys for the virtual machines (VMs) in their own virtual data centers (VDCs).

Traditionally, only provider administrators possessed the capability to configure key providers through VMware vSphere. However, the updated approach allows each tenant to configure their own individual Key Management Server (KMS). Tenant administrators now have the authority to authenticate with and allocate encryption keys from their KMS to their respective VDCs, significantly enhancing control and security within VMware Cloud Director environments.

2.0 Product Versions Tested

The following product versions were tested:

  • Fortanix DSM version 4.27.

  • VMware Cloud Director version 10.5.1.

  • VMware Cloud Director Encryption Management version 1.1.

3.0 Prerequisites

Before proceeding, ensure the following:

4.0 Architecture Diagram

Figure 1: Architecture Diagram

The architecture diagram illustrates the integration of Fortanix Data Security Manager with VMware Cloud Director for managing encryption keys across multiple virtual data center tenants. Fortanix DSM functions as the central key management solution, securely interfacing with vCenter to allow the management of keys across multiple customer tenants.

At the top level, the customer configures their VDC tenant to use Fortanix DSM as a key provider, entering their own credentials to establish the secure connection. This integration allows keys to be created within Fortanix DSM and used to encrypt the customer's VMs.

Beneath Cloud Director, there is a shared vCenter that orchestrates the resources across different customer environments labelled as Alpha and Bravo Customer VDC Tenants. Each tenant can have multiple VMs that are encrypted.

This setup ensures that a customer can encrypt their VMs while retaining full ownership and control of the keys within their isolated Fortanix DSM account. The provider has no access to the customer's keys.

5.0 Infrastructure Setup

This section describes the steps required to set up the foundational infrastructure components, including the creation of the Provider VDC, Organizations, Organization VDC, the Encryption Management Catalog, and the configuration of Solution Add-Ons.

5.1 Creating the Provider VDC

Perform the following steps to create a Provider Virtual Data Center:

  1. Navigate to the Resources (top navigation) → Cloud Resources → Provider VDCs → New.

  2. On the New Provider VDC form, do the following:

    1. In the General page, provide a valid name and description. Enable the State option using the toggle button. Click the NEXT button.

      Figure 2: General Tab

    2. In the Provider page, select the required vCenter. Click the NEXT button.

      Figure 3: Provider Tab

    3. In the Resource Pool page, select the cluster for the resource pool. Select the Highest supported hardware version from the drop down menu. Click the NEXT button.

      Figure 4: Resource Pool Tab

    4. In the Storage page, select all the listed storage policies. Click the NEXT button.

      Figure 5: Storage Tab

    5. In the Network Pool page, select the No network pool radio button. Click the NEXT button.

      Figure 6: Network Pool Tab

    6. In the Ready to Complete page, review all the parameters. Click the FINISH button.

      Figure 7: Summary Tab

      Wait until the status shows as Normal.

      Figure 8: Status Review

5.2 Creating the Organizations

Perform the following steps to create a new Organization:

If you already have an existing Organization and Organization VDC, you can skip to Section 7.0: Configure VMware Encryption Management.

  1. Navigate to Resources (top navigation) → Cloud Resources → Organizations → New.

  2. On the New Organization page, enter the name and full name of the organization. For example, AlphaCustomer.

    Figure 9: New Organization Form

  3. Click the CREATE button.

  4. Similarly, create another Organization. For example, Catalog.

    Figure 10: New Organization Tab

5.3 Creating the Organization VDC

Perform the following steps to create an Organization VDC:

  1. Navigate to Resources (top navigation) → Cloud Resources → Organization VDCs → New.

  2. On the New Organization VDC dialog box, do the following:

    1. In the General page, provide a name and description. Select the Enable the Organization VDC check box. Click the NEXT button.

      Figure 11: General Tab

    2. In the Organization page, select the required organization. Click the NEXT button.

      Figure 12: Organization Tab

    3. In the Provider VDC page, select the required Provider VDC radio button. Click the NEXT button.

      Figure 13: Provider VDC Tab

    4. In the Allocation Model page, select the Allocation pool option. Click the NEXT button.

      Figure 14: Allocation Model Tab

    5. In the Allocation Pool page, set the resource values. For example, CPU allocation as 4, Memory allocation as 30, and so on. Click the NEXT button.

      Figure 15: Allocation Pool Tab

    6. In the Storage Policies page, select all the storage policies. Enable the toggle button for Thin provisioning option. Click the NEXT button.

      Figure 16: Storage Policies Tab

    7. In the Network Pool page, the toggle button for Specify Network Pool can be disabled. Click the NEXT button.

      Figure 17: Network Pool Tab

    8. In the Ready to Complete page, review all the parameters. Click the FINISH button.

      Figure 18: Summary Tab

      Wait until the status shows as Normal.

      Figure 19: Review Status

  3. Similarly, create another Organization VDC. For example, Catalog.

    Figure 20: Summary Tab

    Wait until the status shows as Normal.

    Figure 21: Review Status

5.4 Creating the Catalog for Encryption Management

Perform the following steps to create a catalog under the content hub of an Organization VDC:

  1. Click the icon to open the new window for Tenant Portal.

    Figure 22: Organization VDC Page

  2. Navigate to Content Hub → Catalogs → NEW.

  3. On the Create Catalog dialog box, do the following:

    1. Enter a name of the catalog. For example, Encryption Management.

    2. Enable the toggle button for Pre-provision on specific storage policy.

    3. Set the Any option for both Org VDC and Storage Policy fields.

    4. Click the OK button.

      Figure 23: Create Catalog

      Wait until the status shows as Ready.

      Figure 24: Review Status

  4. Navigate to Networking (top navigation) → New.

  5. On the New Organization VDC Network dialog box, do the following:

    1. In the Scope page, select the Organization Virtual Data Center radio button and select the required VDC. For example, Catalog. Click the NEXT button.

      Figure 25: Scope Tab

    2. In the Network Type page, select the radio button for Direct option. Click the NEXT button.

      Figure 26: Network Type Tab

    3. In the General page, enter a valid name. For example, VM Network. Keep the Shared toggle button disabled. Click the NEXT button.

      Figure 27: General Tab

    4. In the External Network Connection page, select the VM Network radio button. Click the NEXT button.

      Figure 28: External Network Connection Tab

    5. In the Ready to Complete page, review all the parameters. Click the FINISH button.

      Figure 29: Summary Review

5.5 Configuring the Solution Add-on Management

Perform the following steps to configure the Solution Add-On Management:

  1. Return to the Provider portal and navigate to More (top navigation) → Solution Add-on Management → CONFIGURE.

    Figure 30: Configure Button

  2. Read the description of Solution Add-On Landing Zone and click the NEXT button.

    Figure 31: Read the description

  3. On the General Settings page, do the following:

    1. Organization: From the drop down menu, select the Organization that holds the catalog.

    2. Catalog: Select the name of the catalog from the drop down menu. For example, Encryption Management.

    3. Organization VDCs: Select the required Organization VDC from the drop down menu.

    4. Click the NEXT button.

    Figure 32: General Setting Tab

  4. Click the Overflow icon in the first column and select the Configure option.

    Figure 33: Configure Option

  5. On the Configure Catalog dialog box, do the following:

    1. In the Network page, select the Add Network → VM Network options.

    2. In the Compute Policies page, select the Add Compute Policy → System Default options.

    3. In the Storage Policies page, select the Add Storage Policy → any (*) options.

    4. Click the SAVE button to keep the changes.

    5. Click the NEXT button to proceed further.

    6. In the Review and Create page, check the settings and then click the FINISH button.

      Figure 34: Review Summary

    7. Download the VMware Encryption Management ISO file from here.

    8. Click the UPLOAD button.

      Figure 35: Upload Button

    9. Click the Browse Files button and select the required file from your system. For example, VMware-Cloud-Director-Encryption-Management-110.iso.

    10. Select the Create add-on instance after upload is completed check box.

    11. Click the UPLOAD button.

      Figure 36: Upload Add-On

    12. Review the summary and click the FINISH button.

      Figure 37: Review Summary

    13. In the Accept Licenses page, select the I Agree to the license check box.

    14. On the Input Parameters page,

      1. Leave the Add-On Instance Name as the default.

      2. Select the Deployment Configuration from the drop down menu. For example, Medium (4 vCPU, 8GB Memory).

      3. Select the Global Role as Organization Administrator.

        Figure 38: Input Parameter

      4. Click the NEXT and FINISH buttons.

        Figure 39: Next Screen

        Figure 40: Finish Button

    NOTE

    Ensure that the Bring Your Own Encryption (BYOE) instance is in READY state before proceeding further.

  6. Log in to the vSphere Web Client and observe the creation of several VMs under the resource pool for the target VDC.

    Figure 41: List of VMs

6.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

6.1 Signing Up

To get started with the Fortanix Data Security Manager (DSM) cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

6.2 Creating an Account

Access the <Your_DSM_Service_URL> on the web browser and enter your credentials to log in to the Fortanix DSM.

Figure 42: Logging In

6.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

  1. Navigate to the Groups menu item in the DSM left navigation panel and click the + button on the Groups page to add a new group.

    Figure 43: Add Groups

  2. On the Adding new group page, enter the following details:

    • Title: Enter a title for your group. For example, AlphaCustomer.

    • Description (optional): Enter a short description for the group.

  3. Click the SAVE button to create the new group.

The new group has been added to the Fortanix DSM successfully.

6.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

  1. Navigate to the Apps menu item in the DSM left navigation panel and click the + button on the Apps page to add a new app.

    Figure 44: Add Application

  2. On the Adding new app page, enter the following details:

    • App name: Enter the name of your application.

    • Interface (optional): Select the REST API option as interface type from the drop down menu.

    • ADD DESCRIPTION (optional): Enter a short description for the application.

    • Authentication method: Select the default API Key as the method of authentication from the drop down menu. For more information on these authentication methods, refer to User's Guide: Authentication documentation.

    • Assigning the new app to groups: Select the group created in Section 6.3: Creating a Group from the list.

  3. Click the SAVE button to add the new application.

The new application has been added to the Fortanix DSM successfully.

6.5 Copying the App UUID

Perform the following steps to copy the app UUID from the Fortanix DSM:

  1. Click the Apps menu item in the DSM left navigation panel and click the app created in Section 6.4: Creating an Application to go to the detailed view of the app.

  2. From the top of the app's page, copy the app UUID. It is used in Section 6.6: Generating the Certificate as the Common Name (CN) of the self-signed certificate, because Fortanix DSM maps a client certificate to an app by the CN.

6.6 Generating the Certificate

Run the following command to generate a self-signed certificate (cert.pem) and its private key (key.pem), substituting the app UUID copied in Section 6.5 for {App UUID}:

openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365 -subj "/CN={App UUID}"

The private key is written unencrypted (-nodes). Only cert.pem is uploaded to Fortanix DSM; key.pem is pasted into the Tenant Portal in Section 7.3 and into the vCenter Key Provider in Section 7.1, so restrict its file permissions and do not store it in the catalog or a shared location.
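The following script is an added example (not part of the Fortanix or VMware documentation) that wraps the command above with the checks a practitioner would want before pasting the files into the portals: it rejects a CN that is not a UUID, creates key.pem with owner-only permissions, and confirms that the CN in cert.pem is the app UUID, that key.pem actually belongs to cert.pem, and that the certificate is not about to expire. It assumes the openssl CLI is installed; the UUID shown in the usage line at the bottom is a made-up placeholder, not a real DSM app UUID.

```shell
#!/bin/sh
# Added example: generate and verify the Fortanix DSM client certificate.
# Assumes the openssl CLI. The app UUID comes from the DSM app page (Section 6.5).

# DSM looks the app up by the certificate CN, so refuse anything that is not UUID-shaped.
is_uuid() {
  printf '%s' "$1" | grep -Eiq '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

# Generate key.pem and cert.pem in $2 with CN=$1. umask 077 makes key.pem 0600 from creation.
gen_dsm_client_cert() {
  is_uuid "$1" || { echo "not an app UUID: $1" >&2; return 1; }
  mkdir -p "$2"
  ( umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
      -keyout "$2/key.pem" -out "$2/cert.pem" -days 365 -subj "/CN=$1" 2>/dev/null )
}

# Print the CN of a certificate, i.e. the value DSM will match against the app UUID.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/^subject= *CN=//p'
}

# True if the private key and certificate carry the same public key
# (catches a cert.pem/key.pem mix-up when pasting into the Tenant Portal).
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Full pre-upload check: CN == app UUID, key matches cert, and at least 30 days of validity left.
verify_dsm_client_cert() {
  [ "$(cert_cn "$2/cert.pem")" = "$1" ] || { echo "CN does not match app UUID" >&2; return 1; }
  key_matches_cert "$2/cert.pem" "$2/key.pem" || { echo "key.pem does not match cert.pem" >&2; return 1; }
  openssl x509 -in "$2/cert.pem" -noout -checkend 2592000 >/dev/null \
    || { echo "certificate expires within 30 days" >&2; return 1; }
}

# Usage (placeholder UUID, not a real DSM app):
#   gen_dsm_client_cert 7ac3ca2b-7c1e-4a8d-9c1b-2f1c3a4d5e6f ./dsm-alpha \
#     && verify_dsm_client_cert 7ac3ca2b-7c1e-4a8d-9c1b-2f1c3a4d5e6f ./dsm-alpha && echo OK
```

Run verify_dsm_client_cert again whenever the certificate is rotated: DSM stops authenticating the app as soon as the certificate expires, which shows up in vCenter as the key provider going unavailable.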

6.7 Updating the Authentication Method

Perform the following steps to change the authentication method:

  1. Go to the detailed view of the app created in Section 6.4: Creating an Application, click the Change the authentication method button, and select the Certificate option.

  2. Click the SAVE button.

  3. On the Add certificate dialog box, click the UPLOAD NEW CERTIFICATE button to upload the certificate file, or paste the content of the cert.pem certificate generated in Section 6.6: Generating the Certificate. Upload only the certificate; the private key (key.pem) never goes to DSM.

  4. Select both the check boxes to confirm your understanding about the action.

  5. Click the UPDATE button to save the changes.

NOTE

Within the same or different Fortanix DSM account, repeat all the steps mentioned in Section 6.2: Creating an Account through Section 6.7: Updating the Authentication Method to be used as the default Key Provider for vCenter.

7.0 Configure VMware Encryption Management

This section describes the steps required to provision VMware Encryption Management for a VMware Cloud Director (vCD) tenant using the Fortanix DSM.

7.1 Configuring vCenter Key Provider

Perform the following steps to configure the vCenter Key Provider:

  1. Connect directly to the vCenter using the vSphere Web Client.

  2. Configure a Standard Key Provider as described in Using Fortanix Data Security Manager as a KMS to Secure VMware Virtual Environments, using the cert.pem and key.pem obtained in Section 6.6: Generating the Certificate.

    Figure 45: Key Provider Tab

7.2 Configuring VMware Encryption Management in Provider Portal

Perform the following steps to configure the VMware Encryption Management within the Provider Portal:

  1. Navigate to the More → Encryption Management → Get Started.

  2. On the Onboard Key Provider dialog box, do the following:

    1. Name: Enter the name of the key provider to create. For example, AlphaCustomer.

    2. Description: Enter a description for the key provider.

    3. Icon: Browse to an image that you want to display as the icon for the key provider.

    4. Address: Enter the valid Fortanix DSM endpoint. For example, eu.smartkey.io.

    5. Port: Enter the KMIP port as 5696.

    6. Click the NEXT button.

      Figure 46: Onboard Key Provider

    7. In the vCenter Information page, select the target vCenter resource.

    8. Provide the vCenter Credentials and click the Register button.

    9. Review the KMS certificate when presented and trust it. Before trusting, compare its fingerprint with the one obtained out of band from the Fortanix DSM endpoint, so that the trust decision is not made blindly on first use.

      Figure 47: Review Summary

    10. Click the Publish button available adjacent to the name of the Key Provider.

    11. Select the target Tenant Organization and click the PUBLISH button.

      Figure 48: Publish Button

7.3 Configuring Key Provider in Tenant Portal

Ensure that a separate Fortanix DSM group and app, using certificate-based authentication, are created for the specific Organization. For more information, refer to Section 6.0: Configure Fortanix DSM. Using a dedicated app per tenant is what keeps one tenant's keys unreachable from another tenant's credentials.

Perform the following steps to configure the Key Provider in the Tenant Portal:

  1. Log in to the Cloud Director Tenant Portal for the specified Organization.

  2. Navigate to More → Encryption Management. This screen displays the Key Providers published by the provider.

    Figure 49: Configure Button

  3. Click the CONFIGURE button.

  4. On the next screen, select the Client certificate radio button to change the authentication method.

  5. In the Certificate and Private Key boxes, paste the content of cert.pem and key.pem respectively.

  6. Click the REGISTER button.

  7. Click the GENERATE KEY button and select the Organization VDC from the available list. This key will be generated in the associated Fortanix DSM group.

    Figure 50: Encrypt Organization VDC

  8. Click the SUBMIT button.

    Figure 51: Review Summary

7.4 Encrypting the VM

Perform the following steps to encrypt a VM:

  1. Navigate to Applications (top navigation) → Virtual Machines.

  2. Click NEW VM and provision a new VM for encryption.

  3. Click the name of the VM created and EDIT.

  4. On the Edit VM page, do the following:

    1. Select the Storage Policy.

    2. Select VM Encryption Policy from the drop down menu.

    3. Click the Save button.

  5. Navigate to the General tab for the VM and click the Edit button.

  6. Update the Storage Policy to VM Encryption Policy.

  7. Click the Save button to keep the changes.

vCenter retrieves the tenant's key encryption key (KEK) from Fortanix DSM over KMIP; the KEK wraps the per-VM data encryption key that ESXi uses to encrypt the VM's disks and files. The KEK itself does not leave DSM except to the vCenter that is configured with the tenant's client certificate.

7.5 Verifying Encryption Status

Verify that the VM is encrypted using the tenant KMS.

  • VMware Cloud Director Tenant Portal

    Figure 52: VMware Cloud Director Tenant Portal

  • VMware vCenter vSphere Client

    Figure 53: VMware vCenter vSphere Client

  • Fortanix DSM Account

    Figure 54: Fortanix DSM UI

7.6 Auditing and Logging

Create another VM as described in Section 7.4: Encrypting the VM and observe the DSM Account audit log. Each key creation and retrieval by vCenter is recorded against the tenant's app, which gives the tenant an independent record of every time their KEK was used.

Figure 55: Fortanix DSM Audit Logs