This section describes the following tasks for integrating CyberArk TPF (Trust Protection Platform) with the KMES Series 3 for data encryption, key generation, and key storage:
  1. Create an HSM connector and generate an HSM Protected encryption key.
  2. Enable CyberArk Advanced Key Protect.
  3. Set up HSM private key generation.
  4. Configure code signing.

Create a connector and key

Perform the following steps to create an HSM connector and generate an HSM Protected encryption key:
  1. Open the CyberArk Configuration Console application.
  2. Select the Connectors node.
  3. Select [ Create HSM Connector ] in the Actions panel.
  4. Enter the local master admin username and password and select [ OK ].
  5. In the Create new HSM (Cryptoki) Connector window, enter any name for the HSM connector in the Name field.
  6. For Cryptoki DLL Path, select [ Browse ] and locate the Futurex PKCS #11 DLL file at the following path:
     C:\Program Files\Futurex\fxpkcs11\fxpkcs11.dll
  7. Select [ Load Slots ].
  8. Select the slot number configured in your Futurex PKCS #11 configuration file (the default is slot 0). This is the slot through which TPP accesses the encryption keys.
  9. For User Type, leave the default option selected, Crypto Officer (User). CyberArk TPF uses the identity configured in the Futurex PKCS #11 file to connect to the KMES Series 3.
  10. For Pin, enter the password for the identity configured in the Futurex PKCS #11 file.
  11. Select [ Verify ].
      If the connection to the KMES Series 3 is successful, a new Permitted Keys section populates in the window.
  12. Select [ New Key ].
  13. In the Create New HSM Key window, enter a key Name and select the Type for the key. Select the Allow Key Storage checkbox if you plan to use CyberArk CodeSign Protect to store private code-signing keys in the KMES Series 3. Select [ Create ].
      If key creation is successful, the key is now viewable in the keys menu on the KMES Series 3. The name of the key displays in the list of Permitted Keys in the Create New HSM Key window.
  14. Select [ Create ] to save and close the window.
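The Load Slots and Verify steps above correspond to the PKCS #11 calls C_GetSlotList, C_Login (as CKU_USER, the Crypto Officer identity) and C_FindObjects. The following script is an added example, not part of the Futurex or CyberArk software: it runs that same sequence outside of TPP, so that a failed Verify can be narrowed down to either the PKCS #11 library and KMES Series 3 side or the TPP side. It assumes the python-pkcs11 package is installed, uses the DLL path from step 6, and reads the PIN from an environment variable named FXPKCS11_PIN (an assumed name for this example, not a Futurex setting).

```python
"""Stand-alone PKCS #11 smoke test for the Futurex KMES Series 3 connector.

Added example (not Futurex or CyberArk code). Requires: pip install python-pkcs11
"""
import os
import sys

# DLL path from the integration guide. The slot id and PIN come from your
# Futurex PKCS #11 configuration file (slot 0 is the default).
DEFAULT_DLL = r"C:\Program Files\Futurex\fxpkcs11\fxpkcs11.dll"
PIN_ENV_VAR = "FXPKCS11_PIN"  # assumed variable name for this example


def pick_slot(slot_ids, configured_slot):
    """Mirror the 'Load Slots' step: return the configured slot id if the
    library offers it, otherwise raise with the slots that are present.

    A missing slot is the most common reason the Verify button fails, so
    reporting the available ids is more useful than a bare CKR error.
    """
    if configured_slot not in slot_ids:
        raise LookupError(
            f"slot {configured_slot} not offered by the library; "
            f"available slots: {sorted(slot_ids)}")
    return configured_slot


def verify_connector(dll_path=DEFAULT_DLL, slot_id=0, pin=None):
    """Mirror the 'Verify' step: open the slot, log in as the Crypto Officer
    (CKU_USER) with the PIN and return (object class, label) pairs for the
    key objects that identity can see, i.e. the keys TPP would list as
    Permitted Keys.
    """
    if not os.path.isfile(dll_path):
        raise FileNotFoundError(f"PKCS #11 library not found: {dll_path}")
    if pin is None:
        pin = os.environ.get(PIN_ENV_VAR)
    if not pin:
        raise ValueError(f"no PIN given; set {PIN_ENV_VAR} or pass pin=")

    # Imported here so pick_slot() stays usable without the package.
    import pkcs11
    from pkcs11 import Attribute, ObjectClass

    lib = pkcs11.lib(dll_path)                      # C_Initialize
    slots = {s.slot_id: s for s in lib.get_slots(token_present=True)}  # C_GetSlotList
    slot = slots[pick_slot(slots.keys(), slot_id)]
    token = slot.get_token()

    labels = []
    # user_pin= performs C_Login(CKU_USER): the 'Crypto Officer (User)' type.
    with token.open(user_pin=pin) as session:
        for cls in (ObjectClass.SECRET_KEY, ObjectClass.PRIVATE_KEY):
            for obj in session.get_objects({Attribute.CLASS: cls}):  # C_FindObjects
                labels.append((cls.name, obj[Attribute.LABEL]))
    return labels


if __name__ == "__main__":
    # Usage: python check_connector.py [slot_id]
    wanted = int(sys.argv[1]) if len(sys.argv) > 1 else 0
    for kind, label in verify_connector(slot_id=wanted):
        print(f"{kind:12s} {label}")
```

If the script logs in and lists keys but the connector dialog still fails, the problem lies in how TPP loads the DLL (for example a 32-bit/64-bit mismatch or the service account not being able to read the Futurex configuration file); if the script itself fails, fix the PKCS #11 configuration or the KMES Series 3 identity before returning to the console.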

Enable CyberArk Advanced Key Protect

CyberArk Advanced Key Protect is required for HSM Private Key Generation. In addition, CyberArk Code Signing Certificate Private Key Storage requires you to enable this feature. To enable CyberArk Advanced Key Protect, perform the following steps:
  1. Open the CyberArk Configuration Console application.
  2. Select [ Enable CyberArk Advanced Key Protect ] in the Actions panel.
  3. Enter the local master admin username and password and select [ OK ].
  4. Review the information in the Enable CyberArk Advanced Key Protect window, and select [ Enable ] to proceed.
  5. Restart the IIS service. Select the Product node, select Website, and then select [ Restart ] in the Actions panel.
  6. Restart the CyberArk TPF Platform service. Select the Product node, select CyberArk TPF Platform, then select [ Restart ] in the Actions panel.
  7. Restart the Logging service. Select the Product node, select Logging, then select [ Restart ] in the Actions panel.

Set up HSM private key generation

CyberArk TPF uses the KMES Series 3 for private key generation for SSH keys and certificates. CyberArk TPF uses Certificate Authority (CA) template objects to manage the certificate lifecycle. Creating one is a prerequisite to HSM Key Generation. See CyberArk TPF documentation for more information. Perform the following tasks to configure HSM private key generation settings:
  1. Configure the CyberArk TPF platform policy.
  2. Generate the certificate.

Configure the policy

Perform the following steps to configure the CyberArk TPF platform policy to enable the KMES Series 3 for HSM key generation:
  1. Log in to the admin console: https://[IP_address_of_CyberArk_TPF]/vedadmin
  2. Select the Policy Tree in the main menu at the top of the page.
  3. In the Policy : Certificate window, go to the Certificate tab.
  4. Under Other Information, select the name of the HSM Connector you created for the KMES Series 3 in the Key Generation drop-down menu.
  5. Under Other Information, select the name of the HSM-Protected Encryption Key you created on the KMES Series 3.
  6. Select [ Save ] at the bottom of the page to finish.

Generate the certificate

Perform the following steps to generate the certificate:
  1. Select Policy Tree in the main menu at the top of the page.
  2. On the left side of the page, select [ Add ] under the Policy drop-down list and select Certificates > Certificate.
  3. Under General Information, enter the required information, and for Management Type, select Provisioning or Enrollment.
  4. Under CSR Handling, leave Service Generated CSR selected for CSR Generation and leave Generate Key/CSR on Application set to No.
  5. Under Subject DN, enter the required information.
  6. Under Private Key, select the Key Algorithm to use and the desired Key Strength in bits.
  7. Under Other Information, search for and select the previously configured CA Template.
  8. Select [ Save ].
  9. Select the newly generated certificate from the policy tree. The Certificate Status should be OK.
  10. Select [ Renew Now ].
      The Certificate Status changes to Queued for renewal.
  11. After about a minute, select [ Refresh ].
      The certificate details display in the window.
  12. If you selected Provisioning for Management Type, associate the certificate with the intended application object.

Configure code signing

CyberArk CodeSign Protect can store private code signing keys in the KMES Series 3. This section describes the basic steps to configure this functionality for the integration. To use CodeSign Protect, you must create a CA template object, which CyberArk TPF uses to manage the certificate lifecycle. See the CyberArk TPF documentation for more details on both.
To use an HSM for key storage, you must first complete the steps in the Set up HSM private key generation section.

Assign permissions

Perform the following steps to assign permissions to a code signing administrator:
  1. Open the CyberArk Configuration Console application.
  2. Select the System Roles node.
  3. Select [ Add CodeSign Protect Administrator ] in the Actions panel.
  4. Select a user and grant that user CodeSign Protect Administrator permissions.

Create a code signing flow

Perform the following steps to create a code signing flow:
  1. Open the CyberArk Configuration Console application.
  2. Under the Code Signing node, select [ Custom Flows ].
  3. Select [ Add new Code Signing Flow ] in the Actions panel.
  4. Enter a name for the Code Signing Flow.
  5. Select the newly created Code Signing Flow and add an approver through the Actions panel.

Create a template

Perform the following steps to create an environment template for the code signing project:
  1. Open the CyberArk Configuration Console application.
  2. Under the Code Signing node, select [ Environment Templates ].
  3. Select [ Certificate ] in the Actions panel under Add Single Template.
  4. Enter a name for the Code Signing Environment Template and select [ Create ].
  5. On the Settings tab of the Properties window, enter a Description and select a Certificate Container and Signing Flow.
  6. Open the Certificate Authority tab, select a CA Template, and select [ Add ].
  7. On the Keys tab, select which key sizes to allow for RSA and Elliptic Curve keys.
  8. On the Key Storage tab, select the Futurex HSM Connector and select [ Add ].
  9. Enter any optional information in the remaining tabs and select [ OK ].

Create a new project

Perform the following steps to create a new code signing project:
  1. Log in to Aperture: https://[IP_address_of_CyberArk_TPF]/aperture/codesign
  2. Select Projects in the main menu at the top of the page.
  3. Select [ Create Project ].
  4. Enter a Project Name and Description.
  5. Select [ Create ].

Create an environment

Perform the following steps to create an environment for the project with a new HSM private key and certificate:
  1. In the newly created code signing project, go to the Environments tab and select Add Environment > Certificate & Key.
  2. Enter the Environment Name.
  3. Select the Environment Template that you created for this code signing project.
  4. For Creation Type, select Create New.
     The Key Storage Location should now list the Futurex HSM Connector.
  5. Enter any other necessary information for the certificate.
  6. Select [ Save ].
  7. Select [ Submit For Approval ] to generate a new certificate and private key after approval.

Approve the project

Perform the following steps to approve the project:
  1. Log in to Aperture: https://[IP_address_of_CyberArk_TPF]/aperture/codesign
  2. Select Approvals in the main menu at the top of the page.
  3. Under Pending Approvals, select the Project Creation request you just submitted.
  4. Select [ Approve ].
  5. Navigate back to the project, and under the Environments tab you should see that a Certificate & Key were created in Hardware (i.e., the KMES Series 3).