Background
This document will guide you through the Virtru Gateway + Google Virtru Private Keystore (for Google Workspace CSE) installation from the Google Marketplace.
Specific steps for this section include:
- Sync your Google Workspace tenant with Virtru
- Gather the required information from your IDP
- Generate SSL Certificates
- Log into Marketplace
- Follow the gateway installation steps from our previous article
- Configure KMS
- Configure DNS
- Google Workspace Configuration
Sync your Google Workspace tenant with Virtru
If you have not already done so, please follow this guide to sync your Google Workspace domain with Virtru. This is a prerequisite for provisioning your Virtru Gateway in GKE.
Gather the required information from your IDP
https://support.google.com/a/answer/10743588?hl=en&ref_topic=10742486
Generate SSL Certificates
As part of the CSE configuration, you will need to include a Base64 encoded SSL Certificate and Base64 encoded Private key for the domain which will be used for CSE. This step should be completed before you start the CSE deployment.
It is required that you use a certificate partner in order to obtain the CA signed SSL certificate and key.
It is important to know what the FQDN will be for the CSE domain. Virtru recommends using https://csesrv.yourdomain.com; this will be the FQDN used in the generation of the certificate and key.
Your SSL Certificate value is the combination of the certificate, intermediate, and root cert(s) that you obtain from your CA, as a Base64 encoded value.
If your CA provides the certs in separate files, combine them into a single chain file and use the following command to Base64 encode the full chain. The Base64 encoded output is the value you will use in the Marketplace configuration.
- Google Client Side Encryption SSL Certificate
- <Base64 encoded SSL Cert Value>
- Command:
cat csesrv.customer.com.crtchain | base64
Your SSL Private Key value is the same key that you used to request your certs, as a Base64 encoded value.
- Google Client Side Encryption SSL Private Key
- <Base64 encoded SSL Key Value>
- Command:
cat csesrv.customer.com.key | base64
Log into Marketplace
Direct link
Or search the Marketplace:
- https://cloud.google.com/marketplace
- Search for "Virtru"
- Click "Configure"
Follow the gateway installation steps from our previous article
Note:
If you are going to use the Marketplace deployment for billing only or for CSE (Client Side Encryption) only, and do not intend to use the Virtru Gateway, you can use the following values in this configuration.
- Gateway Token ID
- GATEWAY_TOKEN_ID
- Gateway Token
- GATEWAY_TOKEN
- Amplitude API Key
- AMPLITUDE_TOKEN
Configure KMS
- Select the check mark to include Google Client Side Encryption Key Management
- Google Client Side Encryption KMS Token ID
- <Provided by Virtru>
- Google Client Side Encryption KMS Token Secret
- <Provided by Virtru>
- Google Client Side Encryption KMS Secret Key
- <Secret key env value>
- Example:
my-key-name:00000000000000000000000000000000
- Command:
echo "my-key-name:$(openssl rand 32 | base64)" | tee cseSecret.txt
- Google Client Side Encryption SSL Certificate
- <Base64 encoded SSL Cert Value>
- Command:
echo -n "VALUE OF CERTS" | base64
- Google Client Side Encryption SSL Private Key
- <Base64 encoded SSL Key Value>
- Command:
echo -n "VALUE OF KEY" | base64
- Authz Issuers
- <Base64 encoded AuthZ Issuers>
- If you’re using CloudShell or another terminal to encode the string, copy the following command, the output will be your base64 encoded value:
echo '{ "gsuitecse-tokenissuer-drive@system.gserviceaccount.com": "https://www.googleapis.com/service_accounts/v1/jwk/gsuitecse-tokenissuer-drive@system.gserviceaccount.com","gsuitecse-tokenissuer-meet@system.gserviceaccount.com": "https://www.googleapis.com/service_accounts/v1/jwk/gsuitecse-tokenissuer-meet@system.gserviceaccount.com","gsuitecse-tokenissuer-calendar@system.gserviceaccount.com": "https://www.googleapis.com/service_accounts/v1/jwk/gsuitecse-tokenissuer-calendar@system.gserviceaccount.com" }' | base64
- Authn Issuers
- <Base64 encoded value of Auth N key + Auth N value>
- If you're using CloudShell or another terminal to encode the string, copy the following command; the output will be your base64 encoded value:
- Command example if using Google IDP:
echo '{ "https://accounts.google.com": "https://www.googleapis.com/oauth2/v3/certs" }' | base64
- Issuer Names
- <Base64 encoded value of JWT Aud values>
- This includes the Authn and Authz values. In this case:
- Authn = OAuth Client ID String (specific to your organization)
- For Google Auth, this is found by navigating to the GCP project where you configured OAuth following the instructions from Google found here. From your GCP project, go to APIs & Services > Credentials, and copy the Client ID on the right side of the table under OAuth 2.0 Client IDs.
- Authz = cse-authorization (constant for all CSE installations)
- If you're using CloudShell or another terminal to encode the string, copy the following command; the output will be your base64 encoded value:
- Command example if using Google IDP:
echo '{ "authn": "000000000000000000000000000000000.apps.googleusercontent.com", "authz":"cse-authorization" }' | base64
- Google Client Side Encryption URL
- <FQDN of the KMS Service (Example: https://csesrv.customer.com)>
- Google Client Side Encryption Domain Name
- <Hostname of the KMS service (Example: csesrv.customer.com)>
- This value must match your SSL cert
- Reporting Service Account
- <Leave default>
- Click "Deploy"
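As an added example that is not from Virtru's article or tooling, the following POSIX shell helper covers the Base64 values needed in the SSL certificate section and the Configure KMS form above: it encodes each value on a single line (GNU base64 wraps at 76 columns by default, which breaks single-line form fields), rejects issuer JSON that is not an object, generates the KMS Secret Key in the name:secret form, and checks that the certificate's CN or SAN matches the Domain Name you will enter. The function names, csesrv.customer.com and the OAuth client ID are assumed placeholders.

```shell
# Added helper (not Virtru's or Google's tooling) for the "Configure KMS" form:
# builds the base64 values on one line and checks them before they are pasted.
# csesrv.customer.com and the OAuth client ID below are placeholders.
set -eu

# GNU base64 wraps at 76 columns by default; a wrapped value pasted into a
# single-line form field is a common cause of a broken CSE deployment.
b64() { base64 | tr -d '\n'; }

# Encode one JSON object (Authn Issuers, Authz Issuers, Issuer Names); refuse
# anything that is not "{ ... }", e.g. a value pasted with a stray quote.
encode_issuers() {
  case "$1" in
    \{*\}) printf '%s' "$1" | b64 ;;
    *) echo "not a JSON object: $1" >&2; return 1 ;;
  esac
}

# Decode a value and confirm it is still the object you encoded.
roundtrip_ok() {
  decoded=$(printf '%s' "$1" | base64 -d) || return 1
  case "$decoded" in \{*\}) return 0 ;; *) return 1 ;; esac
}

# KMS Secret Key in the page's "<name>:<secret>" form with 32 random bytes;
# the page's openssl one-liner, plus a /dev/urandom fallback.
make_cse_secret() {
  if command -v openssl >/dev/null 2>&1; then
    secret=$(openssl rand -base64 32)
  else
    secret=$(head -c 32 /dev/urandom | b64)
  fi
  printf '%s:%s\n' "$1" "$secret"
}

# The Domain Name field must match the certificate: look for the host in the
# leaf certificate's CN or DNS SAN before deploying, not after TLS fails.
cert_matches_host() {
  esc=$(printf '%s' "$2" | sed 's/\./\\./g')
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -qE "(CN ?= ?|DNS:)$esc(,| |/|$)"
}

AUTHN='{ "https://accounts.google.com": "https://www.googleapis.com/oauth2/v3/certs" }'
NAMES='{ "authn": "000000000000000000000000000000000.apps.googleusercontent.com", "authz": "cse-authorization" }'
echo "Authn Issuers: $(encode_issuers "$AUTHN")"
echo "Issuer Names:  $(encode_issuers "$NAMES")"
echo "KMS Secret Key: $(make_cse_secret my-key-name)"
```

Run `cert_matches_host csesrv.customer.com.crtchain csesrv.customer.com` against your chain file before filling in the Domain Name field; a non-zero exit means the certificate was issued for a different name.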
Set Static IP for External Load Balancer
Once your application is running, you will want to make the public IP address of your new External Load Balancer static.
Go to Kubernetes Engine → Services & Ingress to see the list of endpoints. Look for the one with "CSE" in its name and port 443 appended to the IP; that is the IP you will reserve as static and add to your DNS.
- In your Cloud console, navigate to Networking > VPC Network > External IP addresses
- Find the public IP that matches your new ingress service.
- Click Reserve to the right of the address, give the reservation a name that matches your deployment, and click Reserve.
Configure DNS
For all the services to communicate with one another and for CSE to function properly, you will need to modify your DNS to create an A record that points to the public IP of your ingress service.
As outlined in the Marketplace CSE Installation Guide, you will need to add a new A record in your DNS that points to the server hosting the application.
Depending on the environment hosting CSE, you may be able to use the FQDN, but in environments that need the public IP address you will need to make the DNS entry after you have gone through the configuration/deployment process, which generates the public IP address.
As mentioned in earlier sections, make sure you are using the same FQDN (https://csesrv.yourdomain.com) for this value as well.
The A record corresponds to the FQDN you selected for the CSE domain (https://csesrv.yourdomain.com).
Since you already obtained the CA signed SSL certificate and key in the previous step, the FQDN used for CSE is already fully qualified and publicly accessible.
- CSE: Create an A record that points to the server hosting the application. It must be a fully qualified domain name, publicly accessible, with a CA signed SSL certificate.
- Example: csesrv.customer.com
- Optional: only needed if following customer identity management. Create a CNAME record for the .well-known/cse-configuration file. This record must be named cse.customer_domain because this is where Google has configured Docs to look for these files (referenced in the Google documentation Here).
Google Workspace Configuration
Follow the steps from Google for connecting your CSE server to your Google Workspace tenant
https://support.google.com/a/answer/10742487?hl=en&ref_topic=10742486
Reference:
CSE environment variables
https://support.virtru.com/hc/en-us/articles/4409220098199-Reference-CSE-ENV-variables-
Google IDP requirements
https://support.google.com/a/answer/10743588?hl=en&ref_topic=10742486
Reserving a static IP
https://cloud.google.com/compute/docs/ip-addresses/reserve-static-internal-ip-address
Billing IAM permissions referenced by Google
https://cloud.google.com/marketplace/docs/manage-billing?_ga=2.34876642.-233929100.1619574310