Encryption at rest protects your data on media. Data on media is “data at rest,” whereas data moving across a communications channel is known as “data in motion.” Increasing security risks and compliance requirements at times mandates the use of encryption at rest to prevent unauthorized access to data on disk.
Encryption at rest can be configured to encrypt data, log files, and configuration files separately. Encryption is only applied to newly-created files once encryption at rest is enabled, and does not apply to existing files without further action by the user. For existing data, a merge or re-index will trigger encryption of data, a configuration change will trigger encryption of configuration files, and log rotation will initiate log encryption.
MarkLogic 9.x supports any KMIP 1.2 compliant KMS system and also natively supports using an AWS KMS. The following technical material enumerates the procedure to set up, configure, and deploy Gemalto’s SafeNet KeySecure KMS appliance with MarkLogic.
The overall architecture looks like the following:
Note: To use encryption at rest with an external key management system (KMS), you must have an Advanced Security license key. For details on purchasing a license key for the Advanced Security features, contact your MarkLogic sales representative.
The following guidelines apply to all MarkLogic versions and should be completed on the SafeNet KeyServer, as per its Administration Guide.
- Ensure that the SafeNet Server is licensed for KMIP
- Setup the SafeNet KeyServer Certificate Authority (CA) and an SSL certificate for the KMIP Server instance.
- This SafeNet KeyServer CA will be used later to sign the Certificate Signing Requests for each of the MarkLogic Server instances.
- Setup the KMIP Server instance assigning the KMIP Port number that the MarkLogic server will use for communication, and assign the KMIP Server Certificate generated in the Step 2 to the KMIP Server instance.
- SafeNet KeySecure KMIP server HA setup:
- Follow the SafeNet Administration manual as to how to setup a cluster for KMIP instances
- A common CA is recommended between the cluster members.
- A separate KMIP server certificate is recommended for each member of the server.
The following steps should be done on each of the MarkLogic server instances that will have databases that will have Advanced Encryption enabled.
- Using OpenSSL or other Key management tools generate a Private Key & Certificate Signing Request. These two steps must be repeated on each of the MarkLogic Server instances that will communicate with the KMIP Server, replacing the “MLServer_hostname” with the actual Fully Qualified Domain Name (FQDN). Note that when creating the CSR, if the SafeNet Keysecure has been setup not to use “Global Keys” then you should ensure that the authentication attribute specified in the SafeNet KeySecure matches the authentication attribute value specified when generating the CSR.
- The following 2 commands will generate the Private Key and create a Certificate Signing Request file “MLServer_hostname.csr”
openssl genrsa -out kmip-key.pem 2048
openssl req -out "MLServer_hostname.csr" -key kmip-key.pem -new -sha256
- This CSR file will be uploaded to the SafeNet KeyServer which will then be signed by the Certificate Authority created in Step 2 of the SafeNet KeyServer setup
- The Signed Certificate file should then be saved and copied to Data Directory of the MarkLogic Server instance as per the instructions in chapter 12 on External Security in the MarkLogic Administrator Guide
- Ensure that the PEM encoded CA file from SafeNet KeyServer is installed into the Data Directory as specified in MarkLogic Administration Guide Section 12.9.2
- To verify that the SSL communication between the MarkLogic Server Instance and the SafeNet KeyServer has been setup correctly run the following command from the Data Directory of the MarkLogic Server instance:
openssl s_client -connect safenet-1.mydomain.com:9010 -CAfile kmip-CA.pem -cert kmip-cert.pem -key kmip-key.pem
Follow the instructions in Chapter 12 on External Security in the MarkLogic Administrator Guide to configure the rest of the External KMS Server settings for MarkLogic.
MarkLogic Server allows you to configure for users to be authenticated using an external authentication protocol. These external agents serve as centralized points of authentication or repositories for user information from which authorization decisions can be made. Here, we walked through a common key management solution, Gemalto’s SafeNet KeySecure KMS, and how to configure it appropriately.