Steps to configure the Futurex PKCS #11 Library with CyberArk Vault
Before proceeding with the steps that follow, the CyberArk PAS solution needs to be installed. For instructions on how to install the CyberArk PAS solution, please refer to CyberArk's online documentation at the following URL: https://docs.cyberark.com/ProductDoc/OnlineHelp/PAS/Latest/en/Content/PAS%20INST/InstallationOverview.htm
After the CyberArk Vault has been installed and has started successfully, you can generate a new Server key on the HSM.
The Server Key is the key used to “open” the Vault, much like the key of a physical Vault. The key is required to start the Vault, after which the Server key can be removed until the Server is restarted. When the Vault is stopped, the information stored in the Vault is completely inaccessible without that key.
To use an HSM attached to the network, configure the firewall to allow communication to the HSM device. In DBParm.ini, configure the AllowNonStandardFWAddresses parameter to open the firewall and allow access to the device, as shown in this example:
If you use a cloud HSM that is accessible through the internet (rather than a physical HSM connected to the local network), do not define AllowNonStandardFWAddresses in the DBParm.ini file.
Configure the PKCS #11 provider DLL and specify it in the PKCS11ProviderPath parameter in DBParm.ini, as shown:
Save DBParm.ini and close it.
Define the PIN/passphrase that the Vault uses when accessing an HSM device. From a command line, run the following command, specifying the password of the identity created on the HSM for this integration:
Replace <hsmpincode> with the password of the identity created on the HSM for this integration.
Open DBParm.ini and make sure that you added the HSMPinCode parameter with the encrypted value of the PIN/passcode.
Restart the PrivateArk server to apply the new firewall rules.
Shut down the PrivateArk server.
The following process installs and stores the Server Key on the HSM. After you complete this process, the Server Key is stored as a non-exportable key on the HSM, and the Vault can use it.
Ensure that the Vault Server is stopped.
Run the following CAVaultManager command to generate the server key on the HSM:
This command generates a new key for the Vault server, stores it in the HSM, and returns the key generation keyword. For example: HSM#5.
Each time you create a key generation, the keyword allocated is one number higher than the current server key generation specified in DBParm.ini. To create additional key generations successfully, you must manually delete the first generation of the server key. Otherwise, an error occurs. If the ServerKey parameter in the CAVaultManager command specifies a path instead of an HSM keyword, the first key generation is created (such as HSM#1).
Re-encrypt the Vault data and metadata with the newly generated keys on the HSM. Run the following ChangeServerKeys command to change the encryption keys used for the Vault server:
For example, the following command re-encrypts the Vault data and metadata with the encryption keys in K:\PrivateArk\Keys, and the HSM#1 key becomes the server key.
Open DBParm.ini and specify in the ServerKey parameter the value of the key generation version returned by the preceding CAVaultManager command, as shown in the following output example:
Start the Vault server and make sure you can log onto the Vault.
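As an added pre-flight check before starting the Vault (example code, not part of this guide or of CyberArk's or Futurex's tooling), the following Python script parses a constructed DBParm.ini fragment and verifies the HSM-related parameters this procedure sets: the PKCS #11 provider path, the encrypted HSMPinCode, a ServerKey that is an HSM key generation keyword rather than a path, and the firewall rule that must be present for a network HSM but absent for a cloud HSM. The DLL path, firewall rule and PIN values are placeholders.

```python
import re

# Constructed DBParm.ini fragment for the sample run; all values are placeholders.
SAMPLE_DBPARM = r"""
[MAIN]
AllowNonStandardFWAddresses=<hsm-firewall-rule-placeholder>
PKCS11ProviderPath=<path-to-futurex-pkcs11-dll-placeholder>
HSMPinCode=<encrypted-pin-placeholder>
ServerKey=HSM#1
"""

def parse_dbparm(text):
    """Parse key=value lines of a DBParm.ini fragment into a dict (section headers and comments ignored)."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "#", "[")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params

def check_hsm_config(params, cloud_hsm=False):
    """Return a list of findings; an empty list means the HSM parameters match the end state of the procedure."""
    findings = []
    if not params.get("PKCS11ProviderPath"):
        findings.append("PKCS11ProviderPath missing: the Vault cannot load the PKCS #11 provider DLL")
    if not params.get("HSMPinCode"):
        findings.append("HSMPinCode missing: the encrypted PIN/passphrase has not been written to DBParm.ini")
    server_key = params.get("ServerKey", "")
    if not re.fullmatch(r"HSM#\d+", server_key):
        # A file path here means the server key is still on disk, not a key generation on the HSM.
        findings.append(f"ServerKey '{server_key}' is not an HSM key generation keyword (expected HSM#<n>)")
    has_fw_rule = "AllowNonStandardFWAddresses" in params
    if cloud_hsm and has_fw_rule:
        findings.append("AllowNonStandardFWAddresses must not be defined when using a cloud HSM")
    if not cloud_hsm and not has_fw_rule:
        findings.append("AllowNonStandardFWAddresses missing: the Vault firewall will block the network HSM")
    return findings

if __name__ == "__main__":
    for finding in check_hsm_config(parse_dbparm(SAMPLE_DBPARM)) or ["DBParm.ini HSM parameters look consistent"]:
        print(finding)
```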