Introduction
Fortanix Data Security Manager (DSM), the Fortanix HSM solution, provides a mechanism called "plug-ins" for adding your own code to extend the functionality of the HSM.
Plug-ins run inside the sensitive, tamper-resistant environment of DSM, alongside the keys they operate on, and let you implement functionality such as:
- Enforcing your own complex access control policies on Fortanix DSM keys
- Requiring multi-member (quorum) approval before a Fortanix DSM key can be used
- Allowing Fortanix DSM RSA keys to sign only certificates with specific attributes
- Requiring that Fortanix DSM keys be wrapped only with certificates signed by a specific CA
- Implementing secure, more advanced cryptographic operations, including custom audit logs for publishing to external applications
This article describes the plugin development process and how to use the developed functionality.
Please note that the only supported programming language for plug-ins is Lua.
Implementation Method
The procedure in this article was tested with the following DSM version:
Version: 4.14.2166
- Access DSM SaaS
Access DSM SaaS, select the region you wish to use, and log in.
- Create a new plugin
Select Plugins from the left menu and select "+ NEW PLUGIN".
This takes you to a screen where you can choose an existing plugin or create or import a new one. Here, select CREATE/IMPORT A NEW PLUGIN. On the following screen, enter the name of the plugin and select the group to which the plugin will be linked. Choose the group deliberately: a plugin can only be invoked by Apps in the group it belongs to, and the App created later in this procedure must be placed in the same group.
- Implement the code in the plugin
The next screen is where you enter the plugin's code. Enter the following and click CREATE to complete the creation of the plugin. In this example the plugin takes a name as input and returns a greeting containing that name; note that Lua string concatenation is ".." (two dots), and that returning nil together with an error string is how a plugin reports an error to the caller.

function run(input)
  -- Reject anything that is not a table with a string "name" field.
  if type(input) ~= 'table' or type(input.name) ~= 'string' then
    return nil, 'invalid input'
  end
  return {
    greeting = "hello " .. input.name
  }
end

Note down the UUID that is displayed when the plugin creation is complete, as you will need it later.
- Creating the App (application)
An App is the identity that a client application uses to authenticate to Fortanix DSM, using an API key or a client certificate. Create an App in the same group as the plugin, since only members of that group can invoke it. Make a note of the API key displayed after creation, as it is needed in the next step. The API key is a secret credential that grants everything the App is permitted to do, so store and handle it like any other key material.
- Check the operation of the created plugin
Invoke the plugin from a client. The plugin is called with an HTTP POST to /sys/v1/plugins/<plugin UUID>, with the App API key as the HTTP Basic credential and the plugin input as a JSON body. The hostname is that of the region selected in the first step (apac.smartkey.io in this example).
Example) Plugin UUID: AAAAAAAA, App API key: BBBBBB
$ curl https://apac.smartkey.io/sys/v1/plugins/AAAAAAAA -H 'Authorization: Basic BBBBBB' -d '{"name": "SUZUKI"}'
{"greeting": "hello SUZUKI"}
In the above, the first line is the API call issued and the second line is the returned result; the functionality of the created plugin can be used directly via the Web API. Passing the API key on the command line like this is fine for a quick test, but it leaves the key in shell history and process listings, so for anything else read it from a file or environment variable instead.
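The curl call above is a one-off test. As an added example, not from the original article or from Fortanix, the following Python client wraps the same POST /sys/v1/plugins/{uuid} call with the checks a production caller would want: the plugin UUID is validated before it is put in the URL, the API key is taken from an environment variable instead of the command line, HTTP errors from DSM (including an error returned by the plugin itself) are mapped to a distinct exception, and the plugin output is parsed as JSON. The base URL, plugin UUID, API key and the DemoOpener that answers like the article's hello plugin are constructed placeholders so the block runs offline; with a real key and opener left as None it sends the request to DSM.

```python
"""Minimal client for invoking a Fortanix DSM plugin over the REST API.

Added example; the endpoint path and the use of the App API key as the HTTP
Basic credential follow the curl call in the article. Everything marked
"constructed" is a placeholder for the offline demo, not a real identifier.
"""
import io
import json
import os
import urllib.error
import urllib.request
import uuid

DEMO_BASE_URL = "https://apac.smartkey.io"                 # region endpoint used in the article
DEMO_PLUGIN_UUID = "1b4e28ba-2fa1-11d2-883f-0016d3cca427"  # constructed, not a real plugin id
DEMO_API_KEY = "QUFBQUFBQUE6c2VjcmV0"                      # constructed, not a real key
DEMO_INPUT = {"name": "SUZUKI"}


class PluginError(Exception):
    """DSM rejected the call, or the plugin returned an error or non-JSON output."""


def build_request(base_url, plugin_uuid, api_key, payload):
    """Build the POST /sys/v1/plugins/{uuid} request issued by the article's curl line.

    The UUID is parsed first so a typo fails here instead of producing a call
    against a wrong or non-existent object; the payload is sent as JSON with an
    explicit Content-Type.
    """
    plugin_uuid = str(uuid.UUID(plugin_uuid))  # raises ValueError on malformed ids
    if not api_key or any(ch.isspace() for ch in api_key):
        raise ValueError("API key missing or malformed")
    return urllib.request.Request(
        url=f"{base_url.rstrip('/')}/sys/v1/plugins/{plugin_uuid}",
        data=json.dumps(payload).encode("utf-8"),
        method="POST",
        headers={
            "Authorization": f"Basic {api_key}",  # the App API key is used verbatim
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )


def invoke_plugin(base_url, plugin_uuid, payload, api_key=None, opener=None):
    """Invoke the plugin and return its decoded JSON output."""
    # Default to an environment variable so the key does not end up in shell
    # history or process listings, as it does with the curl example.
    api_key = api_key or os.environ.get("FORTANIX_API_KEY")
    if not api_key:
        raise PluginError("no API key: set FORTANIX_API_KEY or pass api_key")
    req = build_request(base_url, plugin_uuid, api_key, payload)
    opener = opener or urllib.request.build_opener()
    try:
        with opener.open(req, timeout=30) as resp:
            raw = resp.read()
    except urllib.error.HTTPError as exc:
        detail = exc.read().decode("utf-8", "replace")
        if exc.code in (401, 403):
            raise PluginError(f"authentication rejected ({exc.code}): {detail}") from exc
        # An error returned by the plugin (nil, 'message') also arrives as an HTTP error.
        raise PluginError(f"plugin call failed ({exc.code}): {detail}") from exc
    try:
        return json.loads(raw.decode("utf-8"))
    except ValueError as exc:
        raise PluginError(f"plugin returned non-JSON output: {raw!r}") from exc


class DemoOpener:
    """Constructed stand-in for the network that answers like the article's hello plugin."""

    def __init__(self, expected_key):
        self.expected_key = expected_key

    def open(self, req, timeout=None):
        if req.get_header("Authorization") != f"Basic {self.expected_key}":
            raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {}, io.BytesIO(b"bad key"))
        body = json.loads(req.data.decode("utf-8"))
        if not isinstance(body.get("name"), str):  # mirrors the plugin's own input check
            raise urllib.error.HTTPError(req.full_url, 400, "Bad Request", {}, io.BytesIO(b"invalid input"))
        return io.BytesIO(json.dumps({"greeting": "hello " + body["name"]}).encode("utf-8"))


def demo():
    """Run the article's test call offline against the stand-in."""
    return invoke_plugin(DEMO_BASE_URL, DEMO_PLUGIN_UUID, DEMO_INPUT,
                         api_key=DEMO_API_KEY, opener=DemoOpener(DEMO_API_KEY))


if __name__ == "__main__":
    print(demo())  # {'greeting': 'hello SUZUKI'}
```

Against a real deployment, call invoke_plugin with the region host you logged in to, the UUID noted when the plugin was created, and FORTANIX_API_KEY set in the environment; the same PluginError path then shows you whether a failure came from authentication (the App is not in the plugin's group, or the key is wrong) or from the plugin's own input check.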
Conclusion
This is how a Fortanix plugin is developed. It is a highly convenient mechanism that lets you add functionality in a few simple steps and use it via the Web API.
There are also plugin libraries that Fortanix has already developed, so please contact us if you are interested in these.
https://support.fortanix.com/hc/en-us/articles/360041950371-User-s-Guide-Plugin-Library
- DUKPT
- X.509 CA
- X.509 TBS CA
- JWS+JWE Encrypt/Decrypt
- AWS BYOK
- Azure BYOK
- SAP Data Custodian BYOK
- Tendermint One Time Signer
Reference
This article was compiled by Macnica based on the following Fortanix article. If there are any discrepancies or questions, please contact us.
https://support.fortanix.com/hc/en-us/articles/360015941372-Plugins-Getting-Started