Configure CyberArk
Before proceeding with the tasks in this section, you must install the CyberArk PAS solution. For instructions on installing this solution, refer to the CyberArk online documentation here.
After you install the CyberArk Vault and start it successfully, you can generate a new Server key on the .
The Server key is the key used to open the Vault, much like the key of a physical vault. You need the key to start the Vault; after that you can remove the Server key until you next need to restart the Server. When the Vault is stopped, the information stored in it is completely inaccessible without that key, which is why the rest of this procedure moves the key into the HSM as a non-exportable key instead of leaving it as a file on the Vault server.
To use a that is attached to the network, configure the Vault's firewall to allow communication with the device. In DBParm.ini, set the AllowNonStandardFWAddresses parameter to open the firewall and allow access to the device, as shown in the following example. Note that this punches a hole in the hardened Vault server's firewall, so restrict it to the HSM's address and port only:
If you are using a instance hosted in VirtuCrypt that is reached over the internet (rather than a physical connected to the local network), do not define AllowNonStandardFWAddresses in DBParm.ini.
Configure the PKCS #11 provider DLL and specify it in the PKCS11ProviderPath parameter in DBParm.ini, as shown in the following example:
Save DBParm.ini and close it.
Define the PIN or passcode that the Vault uses when accessing the . From a command line, run the following command, specifying your own PIN or passcode for accessing the HSM. The PIN or passcode cannot begin with a forward slash (/):
The hsmpincode you pass to the command must be the identity password configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file; because that file holds the password, restrict its file permissions to the account the Vault runs under.
Open DBParm.ini and make sure that the HSMPinCode parameter was added with the encrypted value of the PIN or passcode. The plaintext PIN must not appear in the file.
Restart the PrivateArk Server to apply the new firewall rules.
Shut down the PrivateArk Server.
The following process generates the Server key in and installs it for the Vault. After this process completes, the Server key is stored as a non-exportable key on the , so it can be used by the Vault but never read out of the device.
Make sure that the Vault Server is not running.
Run the CAVaultManager command to generate the server key on the :
This command generates a new key for the Vault server, stores it in the device, and returns the key generation keyword (for example, HSM#5).
Each new key generation receives a keyword one number higher than the server key generation currently specified in the ServerKey parameter in DBParm.ini. If ServerKey specifies a file path instead of a keyword, the first key generation (HSM#1) is created. To create additional key generations you must manually delete the first generation of the server key from the device first; otherwise the command returns an error.
Re-encrypt the Vault data and metadata with the newly generated keys in .
- Run the ChangeServerKeys command to change the encryption keys used for the Vault server.
Open DBParm.ini and, in the ServerKey parameter, replace the existing value with the key generation keyword reported in the output of the preceding CAVaultManager command, as shown in the following example.
Start the Vault server and make sure that you can log on to the Vault. If the server fails to start, recheck the ServerKey keyword and the HSMPinCode value in DBParm.ini before anything else.
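The following Python helper is an added example and is not CyberArk or Futurex code. It covers the DBParm.ini edits from both halves of the procedure above (the firewall and PIN steps, and the key generation step): it enforces the no-leading-slash PIN rule, builds the AllowNonStandardFWAddresses value only for a network-attached HSM, checks that HSMPinCode is present before touching ServerKey, and verifies that the HSM#n keyword returned by CAVaultManager is the generation expected from the current ServerKey value before writing it. It never contacts a Vault or an HSM. The DBParm.ini fragment, file paths, the [addr],Yes,port:outbound/tcp syntax for the firewall parameter, the HSM address and port, the placeholder HSMPinCode value, and the wording of the CAVaultManager output are all constructed assumptions; only the HSM#n keyword form comes from the page.

```python
"""DBParm.ini helpers for the CyberArk/HSM server-key procedure above.

Added example, not CyberArk or Futurex code. It never talks to a Vault or an
HSM: it validates the inputs the procedure constrains and edits DBParm.ini
text the way the steps ask you to by hand. All sample text is constructed.
"""
import re
from typing import Optional

# Constructed DBParm.ini [MAIN] fragment. Paths are assumptions, and the
# HSMPinCode value stands in for the encrypted value CAVaultManager writes;
# the plain PIN must never appear here.
SAMPLE_DBPARM = """[MAIN]
ServerKey=C:\\PrivateArk\\Keys\\server.key
PKCS11ProviderPath=C:\\Program Files\\Futurex\\fxpkcs11\\fxpkcs11.dll
HSMPinCode=PLACEHOLDER_ENCRYPTED_VALUE
"""

# Constructed stand-in for CAVaultManager GenerateKeyOnHSM output. Only the
# HSM#<n> keyword is relied on; the surrounding wording is not CyberArk's.
SAMPLE_GENERATE_OUTPUT = "Server key generated on the HSM. Key generation: HSM#1\n"

HSM_KEYWORD = re.compile(r"HSM#(\d+)")


def validate_hsm_pin(pin: str) -> str:
    """The PIN passed to CAVaultManager cannot begin with a forward slash."""
    if not pin:
        raise ValueError("HSM PIN must not be empty")
    if pin.startswith("/"):
        raise ValueError("HSM PIN cannot begin with a forward slash (/)")
    return pin


def firewall_value(hsm_address: Optional[str], port: int) -> Optional[str]:
    """Value for AllowNonStandardFWAddresses for a network-attached HSM.
    None for a VirtuCrypt-hosted HSM, which must not get the parameter.
    The [addr],Yes,port:outbound/tcp layout is an assumption; check it
    against the CyberArk DBParm.ini reference before using it."""
    if hsm_address is None:
        return None
    return f"[{hsm_address}],Yes,{port}:outbound/tcp"


def get_parameter(ini_text: str, name: str) -> Optional[str]:
    for line in ini_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == name.lower():
            return value.strip()
    return None


def set_parameter(ini_text: str, name: str, value: str) -> str:
    """Replace name=... in place, or add it directly under [MAIN]."""
    lines = ini_text.splitlines()
    for i, line in enumerate(lines):
        key, sep, _ = line.partition("=")
        if sep and key.strip().lower() == name.lower():
            lines[i] = f"{name}={value}"
            break
    else:
        at = lines.index("[MAIN]") + 1 if "[MAIN]" in lines else len(lines)
        lines.insert(at, f"{name}={value}")
    return "\n".join(lines) + "\n"


def expected_generation(current_server_key: str) -> str:
    """A file path in ServerKey means the first HSM generation (HSM#1);
    HSM#n means the next generation will be HSM#n+1."""
    m = HSM_KEYWORD.fullmatch(current_server_key.strip())
    return "HSM#1" if m is None else f"HSM#{int(m.group(1)) + 1}"


def parse_generated_keyword(output: str) -> str:
    m = HSM_KEYWORD.search(output)
    if m is None:
        raise RuntimeError("no HSM#<n> keyword in CAVaultManager output")
    return m.group(0)


def apply_server_key(ini_text: str, generate_output: str) -> str:
    """Write ServerKey only after the checks the procedure implies:
    HSMPinCode must already be present (SecureSecretFiles was run) and the
    returned generation must be the one expected from the current ServerKey."""
    if get_parameter(ini_text, "HSMPinCode") is None:
        raise RuntimeError("HSMPinCode missing: run CAVaultManager SecureSecretFiles first")
    current = get_parameter(ini_text, "ServerKey") or ""
    keyword = parse_generated_keyword(generate_output)
    if keyword != expected_generation(current):
        raise RuntimeError(f"got {keyword}, expected {expected_generation(current)}")
    return set_parameter(ini_text, "ServerKey", keyword)


def demo() -> str:
    """Walk the constructed sample through the procedure; returns the edited text."""
    validate_hsm_pin("example-pin")  # constructed PIN; must match <CRYPTO-OPR-PASS>
    ini = SAMPLE_DBPARM
    fw = firewall_value("192.0.2.10", 9000)  # assumed HSM address and port
    if fw is not None:
        ini = set_parameter(ini, "AllowNonStandardFWAddresses", fw)
    return apply_server_key(ini, SAMPLE_GENERATE_OUTPUT)


if __name__ == "__main__":
    print(demo())
```

Run it as-is to see the edited fragment. The generation check is the part worth keeping: if ServerKey already reads HSM#1 and the HSM still holds that first generation, CAVaultManager will error rather than return HSM#2, and the helper refuses to write any keyword that does not match what the current ServerKey predicts, so a stale or mistyped value never reaches the file.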