Overview
The banking sector is increasingly becoming a target for cyberattacks, primarily due to the vast amounts of sensitive financial data it handles. With the rise of digital banking, mobile banking applications and financial technologies, there is an urgent need for robust security mechanisms to protect banking data, such as personally identifiable information (PII), transaction details, and account credentials. One of the key approaches to securing sensitive data in a compliant and scalable way is through effective key management solutions.
Key Management Interoperability Protocol (KMIP) offers a standardized framework for the management of cryptographic keys, which is essential for securing data at rest and in transit. It delivers enhanced data security while minimizing expenditures on various products by removing redundant, incompatible key management protocols. Integrating KMIP with Guardium Key Lifecycle Management (GKLM) systems can help the banking sector to enhance the security and meet compliance, regulatory requirements while ensuring that data remains protected from unauthorized access.
This tutorial will guide you through the process of integrating Guardium Key Lifecycle Management (GKLM) with the Key Management Interoperability Protocol (KMIP) to secure banking data. You'll learn how to implement KMIP for encryption, key creation, key rotation, ensuring secure data storage and transaction protection in digital banking environments.
Prerequisites
To complete this tutorial, you require:
• Administrative access to Guardium Key Life Cycle Manager GUI V4.2.1
• Banking Web Application
• Node.js to run the web application locally
• Python 3.9.20
Usecase
A bank called Easebank wants to secure its banking application, where customers access sensitive account information, make transfers, and check balances. The bank needs to ensure that all the sensitive data handled by the app (e.g., account numbers, passwords, transaction records) is encrypted both at rest and in transit.
The bank integrates a GKLM system with KMIP to securely manage the cryptographic keys used to encrypt data across its infrastructure. The keys used for encrypting customer data are centrally managed, stored securely in compliance with industry standards, and periodically rotated for enhanced security. It uses encrypted channels, whenever the banking application communicates with the backend servers. KMIP ensures that the cryptographic keys used in the communication between banking application and GKLM server are properly managed. When a customer initiates a financial transaction, the sensitive data is encrypted before being sent, and only authorized users (e.g., backend services with the proper decryption keys) can access the data.
In this scenario, the bank leverages the KMIP standard for key management to simplify the secure handling of cryptographic keys, ensuring compliance with regulations such as PCI DSS, and improving overall security across its digital banking ecosystem.
High Level Diagram
Steps
To complete this tutorial, you need to perform the following steps:
- Download and set up the web application
- Create GKLM server certificate and import to the client
- Configure KMIP Client
- KMIP Connection Setup
- Perform Key Related Operations
Step 1. Download and set up the web application
1. Ensure you have installed Node.js and Python 3.9.20.
2. Download the application code as a .ZIP and extract the file.You will find two folders backend and frontend.
3. The backend is implemented using Python and uses the PyKMIP library to handle KMIP communications. Navigate to the back end directory and set up a Python virtual environment by running below commands
cd backend
pip install virtualenv
python3.9.20 -m venv kmip
source kmip/bin/activate
4. Install the required Python libraries from backend:
pip install -r requirements.txt
5. Inside the backend directory, create a folder named certs:
mkdir certs
cd certs
6. To establish secure KMIP communication, generate a private key and self signed certificate:
openssl req -nodes -x509 -days 365 -newkey rsa:4096 -keyout ca _key.pem -out ca_cert.pem
This creates a private key (ca _key.pem) and a self-signed certificate (ca_cert.pem).
7. Generate a certificate signing request (CSR):
openssl req -new -key ca _key.pem -out my_cert_req.pem
This CSR (my_cert_req.pem) is used to request a signed certificate.
8. Create a signed client certificate:
openssl x509 -req -in my_cert_req.pem -days 365 -CA ca_cert.pem -CAkey ca _key.pem -CAcreateserial -out my_signed_client_cert.pem
This generates a signed client certificate (my_signed_client_cert.pem) using the self signed certificate as the signing authority.
9. In the back end directory, create a .env file to store the GKLM configuration:
hostname=Your GKLM hostname
port=Your GKLM port (default: 5696)
username=Your GKLM login username
password=Your GKLM login password
Replace placeholders with your GKLM details.
10. Now proceed for the frontend setup. The frontend application provides the user interface for interacting with the backend.
Navigate to the frontend directory and Install the required Node.js dependencies by running below commands
cd ../frontend
npm install
11. Build and run the front end in production mode:
npm run prod
12. Start the back end server:
cd backend
source kmip/bin/activate
python app.py
13. Start the front end server:
cd frontend
npm start
14. Open the URL in browser that displays in the terminal.Now the application is now ready to demonstrate KMIP communication between IBM GKLM and Banking client application.
Step 2: Create GKLM server certificate and import to the client
1. Log in to your GKLM GUI, go to the configuration page, and click to launch Server Configuration Wizard:
2. Select Create a self-signed certificate.
3. Specify the certificate details as shown:
· Certificate label in keystore: gklmservercert
· Certificate description: GKLM Server Certificate
· Keep the defaults for the remaining fields.
4. Scroll to the bottom of the page and click Create Certificate.
5. Specify the certificate details as shown:
· Certificate name: gklmservercert
· File name: gklmservercert.cer
· Keep the defaults for the remaining fields.
6. Click Export Certificate.
7. Download the server certificate from GKLM GUI and Import into Banking client application.
Step 3. KMIP client configuration
1. To configure the application client in GKLM, go to the GKLM GUI, click the Client tab and then click Create.
2. Specify the client name and in the Usage menu, select Generic. Click Save.
3. In the client certificate section, add a client certificate(my_signed_client_cert.pem) that you created on step 1.
Step 4. KMIP Connection Setup
To connect to the GKLM Server using PyKMIP library in Python, we create a proxy client function provided by the library.
Host – The hosted endpoint GKLM server is running on
Port - Port on which the GKLM server instance is serving the KMIP connection (default – 5690)
Username & password – GKLM server credentials
Cert – Path to client certificate
Key – Path to encryption key certificate of the client certificate
Ca – Path to certificate signing authority certificate
You can get more details on each of the parameter mentioned here and other additional arguments supported by the library on its official documentation page - https://pykmip.readthedocs.io/en/latest/client.html
5. Key Related Operations:
Create Key:
1. You can use the function shown below given by the PyKMIP library to perform a create key operation
2. Now you’ll review the key generation operation from the Banking application using GKLM.
3. On the home page, click the Creat New Key tab to create new encryption keys to encrypt the upcoming transactions.
V Verify the same key has been created from GKLM end.
Delete Key:
1. You can use the function shown below given by the PyKMIP library to perform a delete key operation
2. To delete the key from the application end, click Delete Key on the home page and specify the key UUID. Click the Delete Key button. The key is deleted.
Fetch Key:
1. You can use the function shown below given by the PyKMIP library to perform a fetch key operation
2. To retrieve the key attributes from the application end, go to the home page and click the Fetch Keys tab from admin page. You can now specify the key UUID and click on Fetch Key.
3. Review the key attributes related to the selected key, such as activation date,key algorithm, key length, and object type.
Rekey:
“Rekey” generally refers to the process of changing the current encryption key used for the encryption mechanism so that it can work with a new key.
To use the rekey function from your Banking application, complete the following steps.
1. Check the current set key. The current key used to encrypt the latest transaction.
3. Click on the Rekey tab from admin page to change the current set key.
4. Verify under current set key tab if new key is reflecting.
1. Now make a transaction from home page.
If If you try to decrypt with the old key, transaction details will not be visible since key has been changed with rekey option.
Decrypt with new key to view the transaction details.
Summary:
Integrating KMIP with Guardium Key Lifecycle Management provides a comprehensive, secure, and compliant solution for managing cryptographic keys in the banking sector. By streamlining key management, enhancing interoperability, and ensuring compliance with regulatory standards, this approach supports the bank’s broader objectives of safeguarding sensitive data, reducing risk, and improving operational efficiency.
Next steps
Now that you've completed this tutorial, continue to learn about Guardium Key Life Cycle and KMIP from the following resources:
Demo Video of the asset is embedded below.
Contributing Team
Monali Behera (monali.behera@ibm.com), Yash Sawlani (yash.sawlani@ibm.com), Sudhagar Tiroucamou (stirouca@in.ibm.com)
EESI Labs, India