on 18-Feb-2020 09:54
I need to implement a key management service (KMS) to manage my organization’s TLS keys. The KMS/HSM needs to be cloud-agnostic, secure, scalable, and available to handle crypto operations offloaded from web applications deployed on a variety of platforms across the globe. What’s more, there is a requirement that the organization maintains full control and ownership of the KMS and its operations, so using a SaaS offering is not an option. Here’s the question: what can I use?
Answering the above question isn’t easy. When I hear phrases like “scalable and highly available” and “...across the globe”, I immediately start looking at the public cloud. But I still need to be cloud agnostic and maintain full control, so cloud HSMs and SaaS offerings don’t fit the bill.
To address the above requirements, I turned to one of F5’s partners and deployed the Fortanix Self-Defending Key Management Service (SDKMS). The Fortanix SDKMS system checks all the boxes, including:
In this article, we’ll walk through configuring the BIG-IP to offload TLS crypto operations to a Fortanix SDKMS. The deployment process is quite similar to F5’s integration with Equinix SmartKey, (the SaaS offering of Fortanix SDKMS). The following steps are based upon F5’s guidance for implementing a network HSM.
Okay, let’s take a look at how I did it.
Assuming the prerequisites have been met, (i.e. I have a Fortanix SDKMS stood up), the first thing I need to do is create an application object in SDKMS. The application object can access the certificates, keys, and secrets that will be used by my application, (delivered via the BIG-IP).
A. Login to the Fortanix SDKMS UI. Select the ‘Apps’ icon from the left blade and then the ‘+’ to open a new application form.
B. Provide the name of the application and select ‘API Key’ for the authentication method.
C. Create a group and assign the application to the group. The group represents a collection of security objects, (applications, keys, certificates, etc.) that are available to members of the group.
D. Select ‘Save’ to create the application, (see below left).
With the application created, select ‘COPY API KEY’, (see above right) to capture the API key and store it for later use. The key will be used by the BIG-IP to authenticate calls to SDKMS.
Now that we have SDKMS prepared, I need to turn my attention to the BIG-IP. In this step, I will use my favorite ssh client to log into the BIG-IP as root. From there I will use the following commands to download and install the Fortanix plugin onto the BIG-IP. The plugin, (RPM) is available for download from here.
cd /shared/
mkdir nethsm
cd nethsm
curl -O https://d2bzqwib4mjc49.cloudfront.net/3.11.1281/fortanix-pkcs11-3.11.1281-0.x86_64.rpm
rpm -ivh ./fortanix-pkcs11-3.11.1281-0.x86_64.rpm
A. Add the Fortanix HSM library to the BIG-IP
tmsh create sys crypto fips external-hsm vendor auto pkcs11-lib-path /opt/fortanix/pkcs11/fortanix_pkcs11.so
B. Create /config/fortanix.cfg file
vi /config/fortanix.cfg
Add the following lines, (pasting the API key captured earlier into the api_key value) and save the file:
### sample fortanix config file
# cat /config/fortanix.cfg
api_endpoint="https://fortanix.aserracorp.com"
api_key=""
# specify if endpoint uses self-signed certificate
ca_certs_file = ""
[log]
file = "/var/log/fortanix.log"
C. Configure the netHSM partition
tmsh create sys crypto fips nethsm-partition fortanix password "file:///config/fortanix.cfg"
D. Restart the pkcs11d service
bigstart restart pkcs11d tmm
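Since the API key in /config/fortanix.cfg is the credential the BIG-IP presents to SDKMS, it is worth generating and checking that file carefully rather than pasting the key into an editor. The script below is an added example, not code from the article or from F5 or Fortanix: it writes the config in the layout shown above, restricts it to root, and verifies an https endpoint, a non-empty key and 600 permissions before the partition is created. FORTANIX_API_KEY and FORTANIX_APPLY are environment variables assumed here; the tmsh and bigstart commands are the ones from steps C and D and only run when FORTANIX_APPLY=1.

```shell
#!/bin/sh
# Added example (not from the original article): render /config/fortanix.cfg
# from an API key held in the environment and sanity-check it before the
# netHSM partition is pointed at it. FORTANIX_API_KEY and FORTANIX_APPLY are
# assumed variable names; the file layout and paths follow the article.

# write_fortanix_cfg PATH ENDPOINT API_KEY [CA_CERTS_FILE]
# Writes the config with owner-only permissions, since api_key is a bearer
# credential for the SDKMS application object.
write_fortanix_cfg() {
    path=$1; endpoint=$2; api_key=$3; ca_file=${4:-}
    (
        umask 077
        {
            printf '### fortanix config file\n'
            printf 'api_endpoint="%s"\n' "$endpoint"
            printf 'api_key="%s"\n' "$api_key"
            printf '# specify if endpoint uses self-signed certificate\n'
            printf 'ca_certs_file = "%s"\n' "$ca_file"
            printf '[log]\n'
            printf 'file = "/var/log/fortanix.log"\n'
        } > "$path"
    )
    chmod 600 "$path"
}

# validate_fortanix_cfg PATH
# Returns 0 when the endpoint is https, the key is non-empty and the file is
# mode 600; otherwise prints the first problem found and returns 1.
validate_fortanix_cfg() {
    path=$1
    endpoint=$(sed -n 's/^api_endpoint="\(.*\)"$/\1/p' "$path")
    key=$(sed -n 's/^api_key="\(.*\)"$/\1/p' "$path")
    case "$endpoint" in
        https://*) ;;
        *) echo "api_endpoint must use https (got '$endpoint')"; return 1 ;;
    esac
    if [ -z "$key" ]; then
        echo "api_key is empty: paste the key copied from the SDKMS app"
        return 1
    fi
    mode=$(stat -c %a "$path" 2>/dev/null || stat -f %Lp "$path")
    if [ "$mode" != "600" ]; then
        echo "$path is mode $mode, expected 600"
        return 1
    fi
    return 0
}

# Only touch the live BIG-IP when explicitly asked; the functions above can be
# exercised on any host.
if [ "${FORTANIX_APPLY:-0}" = "1" ]; then
    : "${FORTANIX_API_KEY:?set FORTANIX_API_KEY to the key copied from the SDKMS app}"
    write_fortanix_cfg /config/fortanix.cfg "https://fortanix.aserracorp.com" "$FORTANIX_API_KEY"
    validate_fortanix_cfg /config/fortanix.cfg || exit 1
    tmsh create sys crypto fips nethsm-partition fortanix password "file:///config/fortanix.cfg"
    bigstart restart pkcs11d tmm
fi
```

Run it as root on the BIG-IP with `FORTANIX_API_KEY=... FORTANIX_APPLY=1 sh fortanix-cfg.sh`; the key never appears on the command line of tmsh, and a plain-http endpoint or an empty key stops the script before the partition is created.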
E. Testing Connectivity
I will now use the BIG-IP management GUI to test connectivity between the BIG-IP and SDKMS. After logging into the BIG-IP GUI, navigate to System --> Certificate Management --> HSM Management --> External HSM. Under the 'Partitions' section, check the checkbox next to the partition in the partition list and select 'Test'. Below is example output of a successful connectivity test.
A. Import private key into SDKMS
Now that we have our external HSM, (Fortanix at https://fortanix.aserracorp.com) integrated with our BIG-IP, let’s put it to use. To start with, I will import a private key into SDKMS.
B. Import SSL Certificate and netHSM Key Pointer into BIG-IP
With SDKMS now hosting the private key, I import the corresponding certificate into the BIG-IP. Additionally, I must create a key resource pointing to the Fortanix SDKMS-hosted key.
C. Create SSL Profile and Attach to Virtual Server
The last thing I need to do is create a Client SSL profile and associate it with my virtual server.
Well, that's how I did it. Now with the setup and configuration completed, my application, (https://app.aserracorp.com) is now secured with the BIG-IP offloading the crypto workload to Fortanix SDKMS.