Skip to main content
Before proceeding with the steps in this section, you must install the CyberArk PAS solution. For instructions on how to install the CyberArk PAS solution, refer to the CyberArk online documentation at the following URL: https://docs.cyberark.com/ProductDoc/OnlineHelp/PAS/Latest/en/Content/PAS%20INST/InstallationOverview.htm
After you install and start the CyberArk Vault, you can generate a new server key on the HSM. The Server Key is the key used to provide access to the Vault, much like the actual key of a physical vault. You need the server key to start the Vault, after which you can remove the key until you need to restart the server. When you stop the Vault, the information stored in the Vault is completely inaccessible without the key.

Configure the Vault

Perform the following steps to configure Vault initially:
1
To use an HSM attached to the network, configure the firewall to enable communication to the HSM device. In DBParm.ini, configure the AllowNonStandardFWAddresses parameter to open the firewall and permit access to the device, as shown in the following example:
None
AllowNonStandardFWAddresses=[HSM-IP],Yes,1024:inbound/tcp,1024:outbound/tcp
If you use a cloud HSM accessible through the internet (rather than a physical HSM connected to the local network), do not define AllowNonStandardFWAddresses in the DBParm.ini file.
2
Configure the PKCS #11 provider DLL and specify it in the PKCS11ProviderPath parameter in DBParm.ini, as shown in the following example:
None
PKCS11ProviderPath=<path to PKCS#11 provider dll>
3
Save DBParm.ini and close it.
4
Define the PIN/passphrase that the Vault uses when accessing an HSM. From a command line, run the following command, specifying the password of the identity created on the HSM for this integration:
Replace <hsmpincode> with the password of the identity created on the HSM for this integration.
Shell
CAVaultManager SecureSecretFiles /SecretType HSM /Secret <hsmpincode>
5
Open DBParm.ini and ensure you added the HSMPinCode parameter with the encrypted value of the PIN/passcode.
6
Restart the PrivateArk server to apply the new firewall rules.
7
Shut down the PrivateArk server.

Load the server key

The following process installs and stores the server key on the HSM. After you complete this process, storing the Server Key as a non-exportable key on the HSM, the Vault can use it.

Generate the server key

Perform the following steps to generate the server key in the HSM:
1
Stop the Vault server if it is running.
2
Run the following CAVaultManager command to generate the server key on the HSM:
Shell
CAVaultManager.exe GenerateKeyOnHSM /ServerKey
This command generates a new key for the Vault server, stores it in the HSM, and returns the key generation keyword. For example: HSM#5.Each time you create a key generation, the keyword allocated is one number higher than the current server key generation specified in DBParm.ini. To create additional key generations successfully, you must manually delete the first generation of the server key. Otherwise, an error occurs. If the ServerKey parameter in the CAVaultManager command specifies a path instead of an HSM keyword, the first key generation is created (such as HSM#1).
3
Re-encrypt the Vault data and metadata with the newly generated keys on the HSM. Run the following ChangeServerKeys command to change the encryption keys used for the Vault server:
Shell
ChangeServerKeys PathToKeys PathToEmergencyFile HSMKeyword
For example, the following command re-encrypts the Vault data and metadata with the encryption keys in K:\PrivateArk\Keys, and the HSM#1 key becomes the server key.
None
ChangeServerKeys K:\PrivateArk\Keys K:\PrivateArk\Keys\VaultEmergency.pass HSM#1
4
Open DBParm.ini and specify in the ServerKey parameter the value of the key generation version returned by the preceding CAVaultManager command, as shown in the following output example:
None
ServerKey=HSM#1
5
Start the Vault server and ensure you can log onto the Vault.