Let Me Ask You a Question 

I need to implement a key management service (KMS) to manage my organization’s TLS keys. The KMS/HSM needs to be cloud-agnostic, secure, scalable, and available to handle crypto operations offloaded from web applications deployed on a variety of platforms across the globe. What’s more, there is a requirement that the organization maintains full control and ownership of the KMS and it’s operations so using a SaaS offering is not an option. Here’s the question, what can I use? 

Why Fortanix?

Answering the above question isn’t an easy one. When I hear phrases like “scalable and highly available” and “...across the globe”, I immediately start looking at the public cloud. But, I still need to be cloud agnostic and maintain full control so cloud HSMs and SaaS offerings don’t fit the bill.  

To address the above requirements, I turned to one of F5’s partners and deployed the Fortanix Self-Defending Key Management Service (SDKMS). The Fortanix SDKMS system checks all the boxes, including:  

• Cloud Agnostic - I am able to make use of KMS services across all public cloud platforms as well as on-premises.
• Secure/Scalable/Highly-Available - Deploys in the public cloud on hardware that utilizes Intel SGX technology and runs every operation in HSM-grade security.
• Full Control - Deploys in your infrastructure and provides web-based UI for centralized management.

Solution Overview

In this article, we’ll walk through configuring the BIG-IP to offload TLS crypto operations to a Fortanix SDKMS. The deployment process is quite similar to F5’s integration with Equinix SmartKey, (Fortanix SDKMS SaaS offering). The following steps are based upon F5’s guidance for implementing a network HSM.

Okay, let’s take a look at how I did it.

Prerequisites

• F5 BIG-IP LTM 14.1.0 or later - Virtual Edition (VE) utilized for this article. Both hardware and virtual edition platforms support network HSM integration. Additionally, you will need to provide a license covering the network HSM module.
• Fortanix SDKMS Cluster - We’re going to go right to the source, (Fortanix installation guidance). Setting up the SDKMS cluster is relatively straightforward and runs on Azure’s new DC-series instances, (currently in preview). Currently, the DC-series is available for public preview in the US East region only. The cool thing about the DC-series is that it makes use of Intel SGX technology. A better way to put it is it allows Azure infrastructure customers to make use of SGX. Fortanix SDKMS makes use of the underlying SGX technology to provide secure scalable data at rest.

Step 1 - Create SDKMS Application

Assuming the prerequisites have been met, (i.e. I have a Fortanix SDKMS stood up), the first thing I need to do is create an application object in SDKMS. The application object can access certificates, keys, and secrets that will be used by my application, (delivered via the BIG-IP)..

A. Login to the Fortanix SDKMS UI. Select the ‘Apps’ icon from the left blade and then the ‘+’ to open a new application form.

B. Provide the name of the application and select ‘API Key’ for the authentication method. 

C. Create a group and assign the application to the group. The group represents a collection of security objects, (applications, keys, certificates, etc.) that are available to members of the group.  

D. Select ‘Save’ to create the application, (see below left).

With the application created, select ‘COPY API KEY’, (see above right) to capture the api key and store for later use. The key will be used by the BIG-IP to authenticate calls to SDKMS.

Step 2 - Install Fortanix Plugin

Now that we have SDKMS prepared, I need to turn my attention to the BIG-IP. In this step, I will use my favorite ssh client to log into the BIG-IP as root. From there I will use the following commands to download and install the Fortanix plugin onto the BIG-IP. The plugin, (RPM) is available for download from here.

cd /shared/
mkdir nethsm
cd nethsm

curl -O https://d2bzqwib4mjc49.cloudfront.net/3.11.1281/fortanix-pkcs11-3.11.1281-0.x86_64.rpm
rpm -ivh ./fortanix-pkcs11-3.11.1281-0.x86_64.rpm

Step 3 - Configure BIG-IP netHSM Integration

A. Add the Fortanix HSM library to the BIG-IP 

tmsh create sys crypto fips external-hsm vendor auto pkcs11-lib-path /opt/fortanix/pkcs11/fortanix_pkcs11.sofortanix-pkcs11-3.11.1281-0.x86_64.rpm

B. Create /config/fortanix.cfg file

vi /config/fortanix.cfg

Add the following lines and save the file:

### sample fortanix config file
# cat /config/fortanix.cfg
api_endpoint="https://fortanix.aserracorp.com"
api_key=""
# specify if endpoint uses self-signed certificate 
ca_certs_file = ""
[log]
file = "/var/log/fortanix.log"

C. Configure the netHSM partition

tmsh create sys crypto fips nethsm-partition fortanix password "file:///config/fortanix.cfg"

D. Restart the pkcs11d service

bigstart restart pkcs11d tmm

E. Testing Connectivity

I will now use the BIG-IP management GUI to test connectivity between the BIG-IP and SDKMS. After logging into the BIG-IP GUI navigate to System --> Certificate Management --> HSM Management --> External HSM. Under the 'Partitions' section check the checkbox next to the partition in the partition list and select 'Test'. Below is example output of a successful connectivity test.

Step 4 - Import SSL Certificate/key to BIG-IP and SDKMS

A. Import private key into SDKMS

Now that we have our external HSM, (Fortanix), https://fortanix.aserracorp.com integrated with our BIG-IP let’s put it to use. To start with, I will import a private key into SDKMS.

1. Login to the Fortanix SDKMS UI and select the ‘Security Objects’ icon from the left blade and then the ‘+’ to open a new security object form.
2. Provide the name for the key and select ‘Import’. 
3. Select 'RSA' for the object type
4. Select 'Base64' and upload the my key.
5. Associate the key to previously created group.
6. Select ‘Import' to create the security object, (see below).

B. Import SSL Certificate and netHSM Key Pointer into BIG-IP

With the SDKMS now hostng the private key, I now import the corresponding certificate into the BIG-IP. Additionally, I must create a key resource pointing to the Fortanix SDKMS-hosted key.

1. Login to the BIG-IP management GUI and navigate to System --> Certificate Management --> SSL Certificate List --> Import
2. Select 'Certificate' for import type and provide a name.
3. Browse to and upload certificate, select 'Import', (see below left).
4. navigate to System --> Certificate Management --> SSL Certificate List --> Import
5. Select 'Key' for import type and provide a name. The name must match the security object name of the SDKMS-stored key.
6. Select 'From NetHSM' for 'Key Source', select 'Import', (see below right).

C. Create SSL Profile and Attach to Virtual Server

The last thing I need to do is create a Client SSL profile and associate it with my virtual server.

1. Login to the BIG-IP management GUI and navigate to Local Traffic --> Profiles --> SSL --> CLIENT --> +
2. Provide a name and check the 'Custom' checkbox.
3. In the 'Certificate Key Chain' section select 'Add'
4. Select the previously imported certificate and key from the drop-down menus
5. Select 'Finished' to create the profile, (see below left)
6. navigate to Local Traffic --> Virtual Servers and select the appropriate virtual server
7. Under the 'SSLProfile (Client)' section select the previously create SSL profile, (see below right).
8. Select 'Update' to save the modified virtual server.

Well, that's how I did it. Now with the setup and configuration completed, my application, (https://app.aserracorp.com) is now secured with the BIG-IP offloading the crypto workload to Fortanix SDKMS.

Additional Links

• Fortanix Self-Defending Key Management Service
• Setting Up the Network HSM
• BIG-IP Local Traffic Manager
• Azure Confidential Computing