Configure the Futurex PKCS #11 library with CyberArk Vault

before performing the following steps, install the cyberark pas solution for instructions, refer to the cyberark online documentation https //docs cyberark com/product doc/onlinehelp/pas/latest/en/content/pas%20inst/installationoverview\ htm after you install and start the cyberark vault, you can generate a new server key on the {{k3}} the server key opens the vault, similarly to the key of a physical vault use the key to start the vault, and remove it until you need to restart the server when you stop the vault, the information stored in the vault is completely inaccessible without that key configure the vault initially perform the following steps to configure the vault initially to use a {{k}} attached to the network, configure the firewall to allow communication to the {{k}} device in dbparm ini , configure the allownonstandardfwadresses parameter to open the firewall and allow access to the device, as shown in this example allownonstandardfwaddresses=\[hsm ip],yes,1024\ inbound/tcp,1024\ outbound/tcp if you use a cloud {{k}} that is accessible through the internet (rather than a physical {{k}} connected to the local network), do not define allownonstandardfwaddresses in the dbparm ini file configure the pkcs #11 provider dll and specify it in the pkcs11providerpath parameter in dbparm ini , as shown pkcs11providerpath=\<path to pkcs#11 provider dll> save dbparm ini and close it define the pin/passphrase that the vault uses when accessing a {{k}} device from a command line, run the following command, specifying the password of the identity created on the {{k}} for this integration cavaultmanager securesecretfiles /secrettype hsm /secret \<hsmpincode> replace \<hsmpincode> with the password of the identity created on the {{k}} for this integration open dbparm ini and ensure you added the hsmpincode parameter with the encrypted value of the pin/passcode restart the privateark server to apply the new firewall rules shut down the privateark server load the server key into the {{k3}} the following process installs and stores the server key on the {{k3}} after you complete this process, the server key is stored as a non exportable key on the {{k}} , and the vault can use it generate the server key perform the following steps to generate the server key in the {{k}} ensure that the vault server is stopped run the following cavaultmanager command to generate the server key on the {{k}} cavaultmanager exe generatekeyonhsm /serverkey this command generates a new key for the vault server, stores it in the {{k3}} , and returns the key generation keyword for example hsm#5 each time you create a key generation, the keyword allocated is one number higher than the current server key generation specified in dbparm ini to create additional key generations successfully, you must manually delete the first generation of the server key otherwise, an error occurs if the serverkey parameter in the cavaultmanager command specifies a path instead of an hsm keyword, the first key generation is created (such as hsm#1 ) re encrypt the vault data and metadata with the newly generated keys on the {{k}} run the following changeserverkeys command to change the encryption keys used for the vault server changeserverkeys pathtokeys pathtoemergencyfile hsmkeyword for example, the following command re encrypts the vault data and metadata with the encryption keys in k \privateark\keys , and the hsm#1 key becomes the server key changeserverkeys k \privateark\keys k \privateark\keys\vaultemergency pass hsm#1 open dbparm ini and specify in the serverkey parameter the value of the key generation version returned by the preceding cavaultmanager command, as shown in the following output example serverkey=hsm#1 start the vault server and make sure you can log into the vault