Perform the tasks in this section to integrate the CyberArk Trust Protection Foundation (TPF) with a Futurex Vectera Plus HSM for data encryption, key generation, and key storage.
Create a connector and key
Perform the following steps to create an HSM connector and generate an HSM-protected encryption key:
Open the CyberArk Configuration Console application.
Select the Connectors node.
Select [ Create HSM Connector ] in the Actions panel.
Enter the local master admin username and password and select [ OK ].
In the Create new HSM (Cryptoki) Connector window, for Name, enter any name for the HSM connector.
For Cryptoki Dll Path, select [ Browse ] and locate the following path to the Futurex PKCS #11 DLL file:C:\Program Files\Futurex\fxpkcs11\fxpkcs11.dll
Select the slot number configured in your Futurex PKCS #11 configuration file (the default is slot 0). This is where TPP accesses the encryption keys.
For User Type, leave the default option selected, Crypto Officer (User). CyberArk TPF uses the identity configured in the Futurex PKCS #11 file to connect to the Vectera Plus.
For Pin, enter the password for the identity configured in the Futurex PKCS #11 file.
Select [ Verify ].If the connection to the HSM succeeds, a new Permitted Keys section displays.
In the Create New HSM Key window, enter a Name and select the Type for the key. Then, select [ Create ].
If you plan to use CyberArk CodeSign Protect to store private code signing keys in the Vectera Plus select the Allow Key Storage checkbox.
Select [ Create ] to save and close the window.
Enable CyberArk Advanced Key Protect
You need CyberArk Advanced Key Protect to generate HSM private keys. In addition, CyberArk Code Signing Certificate Private Key Storage requires you to enable the feature. To enable CyberArk Advanced Key Protect, perform the following steps.
Open the CyberArk Configuration Console application.
Select [ Enable CyberArk Advanced Key Protect ] in the Actions panel.
Enter the local master admin username and password and select [ OK ].
Review the information in the following dialog, and select [ Enable ] if you want to proceed.
Perform the following steps to restart the IIS, CyberArk TPF Platform, and Logging services:
- Select the Product node.
- Select Website and select [ Restart ] in the Actions panel.
- Select CyberArk TPF Platform and select [ Restart ] in the Actions panel.
- Select Logging and select [ Restart ] in the Actions panel.
Generate an HSM private key
CyberArk Trust Protection Foundation uses the Vectera Plus HSM to generate private keys for SSH keys and certificates.
You must create a Certificate Authority (CA) template object in CyberArk TPF to manage the certificate life cycle and generate an HSM key. See CyberArk TPF documentation for more information.
Log in to the admin console: https://[IP_address_of_CyberArk_TPF]/vedadmin.
Select Policy Tree in the main menu at the top of the page.
In the Policy : Certificate window, go to the Certificate tab.
Under Other Information:
- Select the name of the HSM Connector you created for the Vectera Plus in the Key Generation drop-down menu.
- Select the name of the HSM-Protected Encryption Key you created on the Vectera Plus HSM.
- Select [ Save ] at the bottom of the page.
Generate the certificate
Perform the following steps to generate the certificate:
Select Policy Tree in the main menu at the top of the page.
On the left-hand side of the page, select [ Add ] under the Policy drop-down menu and select Certificates > Certificate.
Under General Information, enter the required information, and for Management Type, select Provisioning or Enrollment.
Under CSR Handling, leave Service Generated CSR selected for CSR Generation and leave Generate Key/CSR on Application set to No.
Under Subject DN, enter the required information.
Under Private Key, select the Key Algorithm to use and the desired Key Strength in bits.
Under Other Information, search for and select the previously configured CA Template.
Select the newly generated certificate from the policy tree.The Certificate Status should be OK.
Select [ Renew Now ].The Certificate Status changes to Queued for renewal.
After about a minute, select [ Refresh ].The certificate details appear in the window.
Optionally, if you selected Provisioning for Management Type, associate the certificate with the intended application object.
CyberArk TPF uses Certificate Authority (CA) template objects to manage the certificate life cycle. You must create one to use code signing. See CyberArk TPF documentation for more information.
To use the Vectera Plus for key storage, you must enable Key Storage on the HSM Connector.
Assign permissions
Perform the following steps to assign permissions to a code signing administrator:
Open the CyberArk Configuration Console application.
Select the System Roles node.
Select [ Add CodeSign Protect Administrator ] in the Actions panel.
Select a user to grant CodeSign Protect Administrator permissions.
Create a code signing flow
Perform the following steps to create a code signing flow:
Open the CyberArk Configuration Console application.
Under the Code Signing node, select Custom Flows.
Select [ Add new Code Signing Flow ] in the Actions panel.
Enter a name for the code signing flow.
Select the newly created code signing flow and add an approver through the Actions panel.
Create an environment template
Perform the following steps to create an environment template for the code signing project:
Open the CyberArk Configuration Console application.
Under the Code Signing node, select Environment Templates.
Select Certificate in the Actions panel under Add Single Template.
Enter a name for the Code Signing Environment Template and select [ Create ].
In the Properties window, within the Settings tab, enter a Description and select a Certificate Container and Signing Flow.
Go to the Certificate Authority tab and select a CA Template, and select [ Add ].
Go to the Keys tab and select which key sizes to allow for RSA and Elliptic Curve keys.
Go to the Key Storage tab and select the Futurex HSM Connector. Then, select [ Add ].
Enter any optional information in the remaining tabs, and select [ OK ].
Create a new code signing project
Perform the following steps to create a new code signing project:
Log in to Aperture: https://[IP_address_of_CyberArk_TPF]/aperture/codesign.
Select Projects in the main menu at the top of the page.
Select [ Create Project ].
Enter a Project Name and Description.
Create an environment
Perform the following steps to create an environment for the project with a new HSM private key and certificate:
Inside the newly created code signing project, go to the Environments tab and select Add Environment >
Certificate & Key.
Enter the Environment Name.
Select the Environment Template that you created for this code signing project.
For Creation Type, select Create New.The Key Storage Location should now list the Futurex HSM Connector.
Enter any other necessary information for the certificate.
Select [ Submit For Approval ] to generate a new certificate and private key after you approve it in the next step.
Approve the project
Perform the following steps to approve the project:
Log in to Aperture: https://[IP_address_of_CyberArk_TPF]/aperture/codesign.
Select Approvals in the main menu at the top of the page.
Under Pending Approvals, select the Project Creation request you just submitted.
Select [ Approve ].You should see a message similar to Approval processed successfully.
Go back to the project, and on the Environments tab, make sure you see that a Certificate & Key were created in Hardware (such as the Vectera Plus).
