Integration with CipherTrust Manager
This section lists the steps to integrate Nutanix with CipherTrust Manager.
Prerequisites
This section provides the prerequisites for integration of Nutanix with CipherTrust Manager.
Ensure that the CipherTrust Manager is installed and configured. For more details, refer to the CipherTrust Manager Documentation.
Nutanix communicates with the CipherTrust Manager using the KMIP interface. Ensure that the KMIP interface is configured on the CipherTrust Manager.
IP address of the CipherTrust Manager and port of the KMIP interface must be accessible from the Nutanix system.
CipherTrust Manager recognizes only registered KMIP clients. Ensure that each node of the Nutanix cluster is registered as a KMIP client on the CipherTrust Manager. Refer to KMIP Client Registration for more details.
Configuration on CipherTrust Manager
To configure the CipherTrust Manager, you need to perform the following steps:
Creating a Domain (Optional)
Perform the following steps to be performed on CipherTrust Manager:
Navigate to Admin Settings > Domains.
Click Add Domain. The Add Domain page appears.
Specify the following information:
Name - Enter the domain name.
Admins - Select the admins (one or more) from the list available in the drop down. For example, admin.
Parent CA - Select parent CA as root CA.
Allow Subdomain User Management - Select this check box if you want to enable the subdomain user management through this domain.
Click Save.
Switch to the newly created domain by clicking the top right on the current Domain Name.
Creating a User
To create a user, perform the following steps:
Log on to the CipherTrust Manager GUI.
Open the Keys & Access Management application.
On the left pane, click Users. The Users page is displayed.
On the Users page, click Create New User.
On the Create a New User screen provide the following details:
Enter Username.
Enter Password.
Click Create. The newly created user is listed on the Users page.
To create a user, perform the following steps:
Log on to the CipherTrust Manager GUI with the User you created within the Sub Domain.
Open the Keys & Access Management application.
On the left pane, click Users. The Users page is displayed.
On the Users page, click Create New User.
On the Create a New User screen provide the following details:
Enter Username.
Enter Password.
Click Create. The newly created user is listed on the Users page.
Assigning User to a Group
Perform the following steps to add user to a group:
Click the ellipsis button (...) corresponding to the user that you created in the previous step.
Click Edit.
Click Group Memberships > Add Group.
In the search bar, type Key Admins and select the check box corresponding to it .
Click Add Group.
Registering a KMIP Client
You can register a KMIP client on the CipherTrust Manager through:
Auto Registration
Manual Registration
Create a Registration Token using the following steps:
Log on to the CipherTrust Manager in root domain.
Go to Access Management > Registration Tokens.
Click Create New Registration Token.
Copy the
Registration Token
once it is created.Turn ON Auto Registration using the following steps:
Go to Admin Settings > Interfaces.
Click the ellipsis button (...) corresponding to the kmip interface.
Click Edit.
Under Configure KMIP window, select Auto Registration.
Paste the
Registration Token
.Select the mode as TLS, verify client cert, user name taken from client cert, auth request is optional.
Click Update.
Log on to the CipherTrust Manager.
Go to Products > KMIP.
Create Client Profile using the following steps:
Go to Client Profile and click Add Profile.
Add a Profile Name.
Select CN in Username Location in Certificate.
Click Certificate Details.
Paste the content of
client.csr
.Click Save.
Create Registration Token using the following steps:
Go to Registration Token and click New Registration Token > Begin.
Add a Name Prefix.
Specify a Token Lifetime value along with the Client Capacity for the token.
Click Select CA.
Select the CA type as Local/External depending on what you are using.
Select the appropriate CA from the dropdown menu and click Select Profile.
Select the Client Profile from the dropdown which you have created in the above step.
Click Create Token.
Copy the value of the Token created and click Done.
If you are using External CA then you can select the external CA which was created using openssl and uploaded on the CipherTrust Manager.
Go to Registered Clients and click Add Client.
Specify client name and paste the Registration Token generated in the above step.
If you are using external CA then you need to paste the signed client certificate in the Client Certificate field.
Click Save to save the client certificate.
You can register a KMIP client on the CipherTrust Manager through:
Auto Registration
Manual Registration
Create a Registration Token in the sub-domain using the following steps:
Log on to the CipherTrust Manager in your specified subdomain.
Go to Access Management > Registration Tokens.
Click Add Registration Token > Begin.
Add a Name Prefix.
Specify a Token Lifetime value along with the Client Capacity for the token.
Copy the value of the Registration Token once it is created.
Turn ON Auto Registration using the following steps:
Log on to the CipherTrust Manager in the root domain.
Go to Admin Settings > Interfaces.
Click the ellipsis button (...) corresponding to the kmip interface.
Click Edit.
Under Configure KMIP window, select Auto Registration.
Paste the
Registration Token
.Select the mode as TLS, verify client cert, user name taken from client cert, auth request is optional.
Click Update.
Log on to the CipherTrust Manager into your domain.
Go to Products > KMIP.
Create Client Profile using the following steps:
Go to Client Profile and click Add Profile.
Add a Profile Name.
Select CN in Username Location in Certificate.
Expand the Certificate Details section.
You can either paste the content of a generated client.csr or you can create one, by filling in the details.
For domain, the format to enter the Common Name field of the cert is always:
domainName||domainUser
Click Save.
Create a Registration Token using the following steps:
Go to Registration Token and click New Registration Token > Begin.
Add a Name Prefix.
Specify a Token Lifetime value along with the Client Capacity for the token.
Click Select CA.
Select the CA type as Local/External depending on what you are using.
Select the appropriate CA from the dropdown menu and click Select Profile.
Select the Client Profile from the dropdown which you have created in the above step.
Click Create Token.
Copy the value of the Token created and click Done.
If you are using External CA then you can select the external CA which was created using openssl and uploaded on the CipherTrust Manager.
Go to Registered Clients and click Add Client.
Specify client name and paste the Registration Token generated in the above step.
If you are using external CA then you need to paste the signed client certificate in the Client Certificate field.
Click Save to save the client certificate.
Configuring the KMIP Interface
The KMIP interface can be configured through:
Go to Admin Settings > Interfaces.
On the KMIP Interface, click the ellipsis button (...) and then click View/Edit.
Select the Auto Registration checkbox if you auto-registered your KMIP client and paste the value of the registration token that you created.
Note
By default, the Auto Registration is disabled.
Select the mode as TLS, verify client cert, user name taken from client cert, auth request is optional.
Specify selections for Local CA for Automatic Server Certificate Generation as desired.
Local CA for Automatic Server Certificate Generation should be set to Turn off auto generation from Local CA in case of External CA.
Select the CA according to your preference:
If you are using External CA then select the CA under External Trusted CAs
If you are using Local CA then select the CA under Local Trusted CAs
If you are using an External CA, expand the Upload Certificate section:
In the Certificate field, paste the contents of Server Certificate, CA, and Server Key file in the same order. Do not introduce any space or character or symbol between the contents of these files.
Select certificate Format as PEM.
Password field is optional and can be skipped.
Click Update.
Switch to Root Domain.
Go to Admin Settings > Interfaces.
On the KMIP Interface, click the ellipsis button (...) and then click View/Edit.
Select the Auto Registration checkbox if you auto-registered your KMIP client and paste the value of the registration token that you created.
Note
By default, the Auto Registration is disabled.
Select the mode as TLS, verify client cert, user name taken from client cert, auth request is optional.
Specify selections for Local CA for Automatic Server Certificate Generation as desired.
Local CA for Automatic Server Certificate Generation should be set to Turn off auto generation from Local CA in case of External CA.
Select the CA according to your preference.
Login to your sub-domain. Go to CA > Local. Click the ellipsis (...) and copy the contents of your CA Certificate.
Logout of your sub-domain and now login to the root domain.
Go to CA > External > Add External CA.
Enter a name for this Domain CA and select the text radio button and paste the certificate contents.
Click Add External CA.
Go to Admin Settings > Interfaces.
Click the Add icon to add the External CA.
Click Update.
Note
If you are using an External CA in the root Domain, you need to add the CA as an External CA in both the root domain as well as the sub-domain and modify the interface accordingly.
Go to Admin Settings > Interfaces.
Click the Add icon to add the External CA.
Click Update.
On the KMIP interface, click the ellipsis (...) > Certificate Options > Upload New Certificate > Ok.
Select the Certificate Chain option and click Build Certificate Chain.
Click on Text and paste the contents of Server Certificate, CA, and Server Key file in the same order. Do not introduce any space, character or symbol between the contents of these files.
Select certificate Format as PEM.
Click on Upload Certificate.
Further, You need to perform the following configuration on CipherTrust Manager specific to Nutanix:
Issue CSR(s) for Each Node
On the Nutanix VCP UI, go to Settings > Data at Rest Encryption.
Click Edit Configuration.
Under Select Key Management Server, select An external KMS and click Save KMS Type.
In the Certificate Signing Request section:
Specify Email, Organization, Organizational Unit, Country Code, City, and State.
Click Save CSR Info.
Click Download CSRs.
Download the desired CSRs. For cluster setups, click Download CSRs for all nodes.
Get the CSR(s) Signed from CipherTrust Manager
In this section, we are using CipherTrust Manager as the CA. However, you can use any other CA as per your convenience.
Log on to the CipherTrust Manager.
Download the CA certificate.
Sign the CSRs and download the certificates for all the nodes.
Create a registration token.
Turn ON Auto Registration.
Go to Admin Settings > Interfaces.
Click the overflow icon next to the kmip interface.
Click Edit top open the Configure KMIP dialog box.
Select Auto Registration.
Paste the Registration Token.
Select OU from the Username Location in Certificate drop-down list.
Click Update.
Create a new user with the same name that was specified in the Organizational Unit field of the CSR created on Nutanix VCP.
Add the newly created user to the Key Users Group.
For more information on these steps, refer to CipherTrust Manager Administrator Guide and KMIP Reference Guide.
Configuring CipherTrust Manager as an External KMS
To configure the CipherTrust Manager as an external KMS:
On the Nutanix VCP UI, go to Settings > Data at Rest Encryption.
Click Edit Configuration.
Scroll down to Key Management Server and perform the following steps:
Click Add New Key Management Server > Add Address.
Enter a name for the Key Management Server.
Enter the IP address and the KMIP port of the CipherTrust Manager.
Repeat the above steps for each CipherTrust Manager in the cluster.
Scroll down to the KMS CA Certificates section and perform the following steps:
Click Add New Certificate Authority.
Click Upload CA Certificate.
Specify a name for the CA.
Click Save.
Scroll down to the Key Management Server section and perform the following steps:
Click Manage Certificates for the desired key management server. The Manage Signed Certificates screen is displayed.
Upload the node certificates. Perform either of the following:
Click Upload Files and upload all the certificates at once.
Click the Upload link for each node separately.
Test whether the certificates are correct. Perform either of the following:
Click Test all nodes to test the certificates for all nodes at once.
Click the Test CS (or Re-Test CS) link for each node separately.
If the status is Verified, the integration is successful.
Now, you can verify the integration. Refer to the Verifying Your Integration section.