Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

Nutanix Virtual Computing Platform

Integration with CipherTrust Manager

search

Integration with CipherTrust Manager

This section lists the steps to integrate Nutanix AHV with CipherTrust Manager.

Prerequisites

This section provides the prerequisites for integration of Nutanix AHV with CipherTrust Manager.

  • Ensure that CipherTrust Manager is installed and configured. For more details, refer to the CipherTrust Manager Documentation.

  • IP address of the CipherTrust Manager and port of the KMIP interface must be accessible from the Nutanix cluster.

  • CipherTrust Manager recognizes only registered KMIP clients. Ensure that each node of the Nutanix cluster is registered as a KMIP client on the CipherTrust Manager.

Configuration on CipherTrust Manager

To configure the CipherTrust Manager for the integration, you need to perform the following steps:

  1. Creating a Domain (optional)

  2. Creating a User

  3. Assigning User to a Group

  4. Registering a KMIP Client

  5. Configuring the KMIP Interface

Creating a Domain (Optional)

Perform the following steps on CipherTrust Manager:

Note

This step is optional and needs to be performed only if you want to integrate within a domain.

  1. Navigate to Admin Settings > Domains.

  2. Click Add Domain. The Add Domain page appears.

  3. Specify the following information:

    • Name: Enter the domain name.

    • Admins: Select the admins (one or more) from the list available in the drop down. For example, admin.

    • Parent CA: Select parent CA as root CA.

    • Allow Subdomain User Management: Select this check box if you want to enable user management in the subdomain through this domain.

  4. Click Save.

  5. Click on the current domain name at the top right corner to switch to this newly created domain.

Creating a User

To create a user, perform the following steps:

  1. Log on to the CipherTrust Manager UI.

  2. Navigate to Access Management > Users.

  3. On the Users page, click Create User.

  4. Provide the following details:

    • Username

    • Password

    • Email

  5. Click Add User. The newly created user is now listed on the Users page.

To create a user, perform the following steps:

Note

You can only create users in sub domains if you have enabled Allow Subdomain User Management while creating a domain.

  1. Log on to the CipherTrust Manager UI with the User you created within the Sub Domain.

  2. Navigate to Access Management > Users.

  3. On the Users page, click Create User.

  4. Provide the following details:

    • Username

    • Password

    • Email

  5. Click Add User. The newly created user is now listed on the Users page.

Assigning the User to a Group

Perform the following steps to add user to a group:

  1. Click on the ellipsis corresponding to the user that you created in the previous step.

  2. Click Edit/View > Groups.

  3. In the search bar, type Key Admins or Key Users and select Add, depending on the level of access you want to grant the user.

Registering a KMIP Client

You can register a KMIP client on the CipherTrust Manager through:

  • Auto Registration

  • Manual Registration

  1. Create a Registration Token using the following steps:

    1. Log on to the CipherTrust Manager in the root domain.

    2. Go to Access Management > Registration Tokens.

    3. Click Add New Registration Token > Begin.

    4. Add a Name Prefix and specify a Token Lifetime value along with the Client Capacity for the token.

    5. Click Select CA.

    6. Select the CA type as Local/External depending on your preference.

    7. Select the appropriate CA from the dropdown and click Create Token.

    8. Copy the value of the Registration Token once it is created.

  2. Enable Auto Registration using the following steps:

    1. Go to Admin Settings > Interfaces.

    2. Click on the ellipsis corresponding to the KMIP interface.

    3. Click View/Edit.

    4. Select the Auto Registration checkbox and paste the copied value of the Registration Token.

    5. Select OU for the field Username Location in Certificate.

    6. Select the mode as TLS, verify client cert, user name taken from client cert, auth request is optional.

    7. Scroll down and click Update to save your settings.

  1. Log on to the CipherTrust Manager.

  2. Go to Products > KMIP.

  3. Create a Client Profile using the following steps:

    1. Go to Client Profile and click Add Profile.

    2. Add a Profile Name.

    3. Select OU for the Username Location in Certificate field.

    4. Expand the Certificate Details section.

    5. Paste the contents of the CSRs obtained from Nutanix.

    6. Click Save.

  4. Create Registration Token using the following steps:

    1. Go to Registration Token and click New Registration Token > Begin.

    2. Add a Name Prefix.

    3. Specify a Token Lifetime value along with the Client Capacity for the token.

    4. Click Select CA.

    5. Select the CA type as Local/External depending on what your preference.

    6. Select the appropriate CA from the dropdown menu and click Select Profile.

    7. Select the Client Profile from the dropdown which you have created in the above step.

    8. Click Create Token.

    9. Copy the value of the Token created and click Done.

      Note

      If you are using External CA then you can select the external CA which was created using openssl and uploaded on the CipherTrust Manager. For more details, refer to the CipherTrust Manager Documentation.

  5. Go to Registered Clients and click Add Client.

    • Specify client name and paste the Registration Token generated in the above step.

      Note

      If you are using external CA then you need to paste the signed client certificate in the Client Certificate field.

    • Click Save to save a copy of the client certificate.

    • Repeat this process for each CSR corresponding to a a node on Nutanix AHV.

You can register a KMIP client on the CipherTrust Manager through:

  • Auto Registration

  • Manual Registration

  1. Create a Registration Token in the sub-domain using the following steps:

    1. Log on to the CipherTrust Manager in your specified subdomain.

    2. Go to Access Management > Registration Tokens.

    3. Click Add Registration Token > Begin.

    4. Add a Name Prefix.

    5. Specify a value for the Token Lifetime along with the Client Capacity for the token.

    6. Click Select CA.

    7. Select the CA type as Local/External depending on your requirements.

    8. Copy the value of the Registration Token once it is created.

Note

By default, Auto Registration is disabled.

  1. Enable Auto Registration using the following steps:

    1. Log on to CipherTrust Manager in the root domain.

    2. Go to Admin Settings > Interfaces.

    3. Click the ellipsis corresponding to the KMIP interface.

    4. Click View/Edit.

    5. Select the checkbox corresponding to Auto Registration.

    6. Select OU for the field Username Location in Certificate.

    7. Paste the copied value of the Registration Token.

    8. Select the mode as TLS, verify client cert, user name taken from client cert, auth request is optional.

    9. Scroll down and click Update to save your interface configuration.

  1. Log on to the CipherTrust Manager into your domain.

  2. Go to Products > KMIP.

  3. Create Client Profile using the following steps:

    1. Go to Client Profile and click Add Profile.

    2. Add a Profile Name.

    3. Select OU in Username Location in Certificate.

    4. Expand the Certificate Details section.

    5. Paste the content from the CSRs generated by Nutanix.

    6. Click Save.

  4. Create a Registration Token using the following steps:

    1. Go to Registration Token and click New Registration Token > Begin.

    2. Add a Name Prefix.

    3. Specify a Token Lifetime value along with the Client Capacity for the token.

    4. Click Select CA.

    5. Select the CA type as Local/External depending on your requirements.

    6. Select the appropriate CA from the dropdown menu and click Select Profile.

    7. Select the Client Profile from the dropdown which you have created in the above step.

    8. Click Create Token.

    9. Copy the value of the Token and click Done.

      Note

      If you are using External CA then you can select the external CA which was created using openssl and uploaded on the CipherTrust Manager. For more details, refer to the CipherTrust Manager Documentation.

  5. Go to Registered Clients and click Add Client.

    1. Specify client name and paste the Registration Token generated in the above step.

      Note

      If you are using External CA then you need to paste the signed client certificate in the Client Certificate field.

    2. Click Save to save the client certificate.

Configuring the KMIP Interface

The KMIP interface can be configured through:

  1. Go to Admin Settings > Interfaces.

  2. On the KMIP Interface, click the ellipsis button (...) and then click View/Edit.

  3. Select the Auto Registration checkbox if you auto-registered your KMIP client and paste the value of the registration token that you created.

    Note

    By default, Auto Registration is disabled.

  4. Select the mode as TLS, verify client cert, user name taken from client cert, auth request is optional.

  5. Specify selections for Local CA for Automatic Server Certificate Generation as desired.

    Note

    Local CA for Automatic Server Certificate Generation should be set to Turn off auto generation from Local CA in case of External CA.

  6. Select the CA according to your preference:

    • If you are using External CA then select the CA under External Trusted CAs

    • If you are using Local CA then select the CA under Local Trusted CAs

  7. If you are using an External CA, expand the Upload Certificate section:

    • In the Certificate field, paste the contents of Server Certificate, CA, and Server Key file in the same order. Do not introduce any space or character or symbol between the contents of these files.

    • Select certificate Format as PEM.

    • Password field is optional and can be skipped.

    • Click Update.

  1. Switch to Root Domain.

  2. Go to Admin Settings > Interfaces.

  3. On the KMIP Interface, click the ellipsis and then click View/Edit.

  4. Select the Auto Registration checkbox if you auto-registered your KMIP client and paste the value of the registration token that you created.

    Note

    By default, Auto Registration is disabled.

  5. Select the mode as TLS, verify client cert, user name taken from client cert, auth request is optional.

  6. Specify selections for Local CA for Automatic Server Certificate Generation as desired.

    Note

    Local CA for Automatic Server Certificate Generation should be set to Turn off auto generation from Local CA in case of External CA.

  7. Select the CA according to your preference.

    1. Login to your sub-domain. Go to CA > Local. Click the ellipsis (...) and copy the contents of your CA Certificate.

    2. Logout of your sub-domain and now login to the root domain.

    3. Go to CA > External > Add External CA.

    4. Enter a name for this Domain CA and select the text radio button and paste the certificate contents.

    5. Click Add External CA.

    6. Go to Admin Settings > Interfaces.

    7. Click the Add icon to add the External CA.

    8. Click Update.

    Note

    If you are using an External CA in the root Domain, you need to add the CA as an External CA in both the root domain as well as the sub-domain and modify the interface accordingly.

    1. Go to Admin Settings > Interfaces.

    2. Click the Add icon to add the External CA.

    3. Click Update.

    4. On the KMIP interface, click the ellipsis (...) > Certificate Options > Upload New Certificate > Ok.

    5. Select the Certificate Chain option and click Build Certificate Chain.

    6. Click on Text and paste the contents of Server Certificate, CA, and Server Key file in the same order. Do not introduce any space, character or symbol between the contents of these files.

    7. Select certificate Format as PEM.

    8. Click on Upload Certificate.

Issuing CSR(s) for Each Node of Nutanix AHV

  1. Log on to the Nutanix Prism Element, go to Settings > Data-at-Rest-Encryption.

  2. Click Edit Configuration.

  3. Under Select Key Management Server (KMS), select An external KMS and click Save KMS Type.

  4. In the Certificate Signing Request Information section:

    1. Specify Email, Organization, Organizational Unit, Country Code, City, and State.

    Note

    The value for the OU field should be the same as the user you created on CipherTrust Manager in one of the previous steps.

    1. Click Save CSR Info.

    2. Click Download CSRs.

    3. This will initiate a download of a compressed zip containing all your CSRs. Save this file locally and extract it's contents to a folder.

    Note

    In case of domains, the Organizational Unit field for the CSR must be of the format: domainName||domainUser.

Getting the CSR(s) signed from CipherTrust Manager

Note

In this section, we are using the Local Root CA of CipherTrust Manager to sign the CSRs. However, you can use any other CA as per your convenience.

Note

This step is applicable only for Auto-Registered KMIP clients.

  1. Log on to CipherTrust Manager.

  2. Go to CA > Local.

  3. Click on the ellipsis corresponding to the existing Local CA and click Download to save a copy of the CA certificate.

  4. Click on the Name of this Local CA and click Upload CSR

  5. Paste the contents of one of the CSR files, specify a name for the certificate.

  6. Select the Certificate Purpose as client and click Issue Certificate.

  7. Repeat the signing process for all the remaining CSRs for each of the nodes.

Configuring CipherTrust Manager as an External KMS on Nutanix AHV

To configure the CipherTrust Manager as an external KMS:

  1. On the Nutanix Prism Element UI, go to Settings > Data at Rest Encryption.

  2. Click Edit Configuration.

  3. Scroll down to Key Management Server and perform the following steps:

    1. Click Add New Key Management Server > Add Address.

    2. Enter a name for the Key Management Server.

    3. Enter the IP address and the KMIP port of the CipherTrust Manager.

    4. Repeat the above steps for each node of CipherTrust Manager if you have a clustered setup.

  4. Scroll down to the KMS CA Certificates section and perform the following steps:

    1. Click Add New Certificate Authority.

    2. Click Upload CA Certificate.

    3. Specify a name for the CA.

    4. Click Save.

  5. Scroll down to the Key Management Server section and perform the following steps:

    1. Click Manage Certificates for the desired key management server. The Manage Signed Certificates screen is displayed.

    2. Upload the node certificates. Perform either of the following:

      • Click Upload Files and upload all the certificates at once.

      • Click the Upload link for each node separately.

    3. Test whether the certificates are correct. Perform either of the following:

      • Click Test all nodes to test the certificates for all nodes at once.

      • Click the Test CS (or Re-Test CS) link for each node separately.

      • Confirm that the status has changed to Verified.

Enabling encryption on Nutanix AHV

  • Log on to the Nutanix Prism Element UI.

  • Click on the Settings icon on the toolbar's right side to open the Settings menu.

  • Navigate to Data-at-rest Encryption under Security in the left pane of the Settings.

  • Toggle on the Encryption option.

  • In the confirmation pop-up window, type ENCRYPT and then click Encrypt.

  • This will trigger the encryption of the Nutanix cluster. This step usually takes some time to complete. Once done, the cluster encryption is configured and enabled.

On this page