Configure CyberArk

before proceeding with the tasks in this section, you must install the cyberark pas solution for instructions on installing this solution, refer to the cyberark online documentation ( docs cyberark com/product doc/onlinehelp/pas/latest/en/content/pas%20inst/installationoverview\ htm ) after you install the cyberark vault and start it successfully, you can generate a new server key on the {{ch}} the server key is the key used to open the vault, much like the key of a physical vault you need the key to start the vault, and then you can remove the server key until you need to restart the server when you stop the vault, the information stored in the vault is completely inaccessible without that key configure vault initially perform the following steps to configure vault for the first time to use a {{ch}} that is attached to the network, configure the firewall to allow communication to the {{ch}} device in dbparm ini , configure the allownonstandardfwaddresses parameter to open the firewall and allow access to the {{ch}} device, as shown in the following example allownonstandardfwaddresses=\[kms ip],yes,1024\ inbound/tcp,1024\ outbound/tcp if using a {{ch}} instance hosted in virtucrypt that is accessible through the internet (rather than a physical {{ch}} connected to the local network), do not define allownonstandardfwaddresses in the dbparm ini file configure the pkcs #11 provider dll and specify it in the pkcs11providerpath parameter in dbparm ini , as shown in the following example pkcs11providerpath=\<path to pkcs#11 provider dll> save dbparm ini and close it define the pin or passphrase to be used by the vault when accessing the {{ch}} from a command line, run the following command, specifying your own pin or passcode for accessing the server key the pin or passcode cannot begin with a forward slash (/) the hsmpincode you pass into the command below must be the identity password configured inside the \<crypto opr pass> tag in the fxpkcs11 cfg file cavaultmanager securesecretfiles /secrettype hsm /secret \<hsmpincode> open dbparm ini and make sure that you added the hsmpincode parameter with the encrypted value of the pin or passcode restart the privateark server to apply the new firewall rules shut down the privateark server load the server key into the {{ch}} the following process installs and stores the server key in {{ch}} after this process completes, the server key is stored as non exportable key on the {{ch}} and the vault can use it generate the server key on the {{ch}} perform the following steps to generate the server key on the {{ch}} make sure that the vault server is not running run the cavaultmanager command to generate the server key on the {{ch}} cavaultmanager exe generatekeyonhsm /serverkey this command generates a new key for the vault server and stores it in the {{ch}} device, returning the key generation keyword (such as hsm#5 ) each time you create a key generation, the keyword allocated is one number higher than the current server key generation specified in dbparm ini to successfully create additional key generations, you must manually delete the first generation of the server key; otherwise, an error is returned if the serverkey parameter in the cavaultmanager command specifies a path instead of a {{ch}} keyword, the first key generation is created (such as hsm#1 ) re encrypt the vault data and metadata with the newly generated keys in {{ch}} run the changeserverkeys command to change the encryption keys used for the vault server open dbparm ini and, in the serverkey parameter, specify the value of the key generation version generated and specified in the output of the preceding cavaultmanager command, as shown in the following example serverkey=hsm#1 start the vault server and make sure you can log into the vault