Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Integrating Skyhigh CASB On-Prem Proxy with a Key Management Server

The Skyhigh CASB on-premises proxy integrates directly with third-party Key Management Servers (KMS). The proxy initiates all connections with the KMS via the Key Management Interoperability Protocol (KMIP). The proxy requests data encrypting keys from the KMS during these connections. Connections are secured with Transport Layer Security (TLS).

proxy_and_kms_logical.png

The location of the KMS (IP and port, or hostname and port) is specified during the installation of the proxy OVF. 

The KMIP protocol requires mutual authentication of the TLS connection. This is done with certificates. Follow these directions to install a certificate into the proxy for KMIP authentication.

There are two options for installing this certificate: via signed Certificate Signing Request (CSR) or Java Key Store (JKS) file upload. 

Option 1: Generate and Install the Certificate

Provide the following information so that Skyhigh CASB can generate a CSR. You will then take the CSR to your SSL certificate authority, and they will issue you a digital certificate.

  1. Login to the Skyhigh CASB Proxy Server admin console. The Status tab displays the status of the proxy server and the options to install a certificate for KMIP support.
  2. Click Generate CSR.
  3. Enter the information in the fields, and click Generate CSR.
    csr_generate.png
  4. Download and copy the CSR.
  5. Sign the CSR with a Certificate Authority. Make sure to get the signed certificate and the root CA certificate.
  6. Click Upload Certificate Files and copy the certificate file contents into their respective fields.

To be successful, the server certificate must validate with the root certificate. Also, the server certificate must match the CSR.

Option 2: Upload the JKS File

Upload the keystore file in JKS format. The keystore should contain the certificates needed to connect to the key server.

  1. Login to the Skyhigh CASB Proxy Server admin console. The Status tab displays the status of the proxy server and the options to install a certificate for KMIP support.
  2. Click Upload Keystore
  3. Browse to select your JKS file, then enter the password.
  4. Click Upload.
    upload_keystore_jks.png

Next Steps

The proxy will ask for keys by name and uses a wildcard in order to request all keys for a given application. The best practice is to use a key naming scheme within your KMS that is easy to associate with the application, such as {company name}.{application}.{key version}.

For example, suppose your company is RKS corporation and your are managing keys for Salesforce in your KMS. The key scheme in this example would be rks.crm.key.0; rks.crm.key.1, etc. The proxy asks for the keys using a wildcard: rks.crm.key.*.

Key naming needs to be different when using a Dyadic Key Management Server. In this case please see the topic Dyadic Enterprise Key Manager

The key management server replies with the keys. Keys are updated periodically as needed. The Skyhigh CASB proxy will compute a hash of each key as a way to remember which key it has seen before and which key may be new. 

Encryption is always done with the most recent key. The proxy will retain up to 16 generations of keys in memory so that it can always decrypt data that may be in the cloud, encrypted with old versions of the key. 

Check the logs of your KMS to make sure that the Skyhigh CASB proxy is successfully requesting and downloading keys.

  • Was this article helpful?