Integrate the Entrust nShield HSM with CyberArk PAS EPV

Stop the Vault Server

To stop the Vault Server:

  1. Open the PrivateArk Server application.

  2. Select the red stoplight button.

  3. Select Normal shutdown. Then select OK.

  4. Select Yes.

Configure the CyberArk dbparm.ini file

  1. In the Vault server, edit the file C:\Program Files (x86)\PrivateArk\Server\Conf\dbparm.ini.

    To comment out items in the dbparm.ini file, use an asterisk (*) at the beginning of the line.

  2. If you are using an nShield Connect XC or nShield 5c, add the following AllowNonStandardFWAddresses directives to the end of the [main] section. This tells the Vault server to create firewall rules allowing outbound TCP from the Vault to the HSM for these IP/port combinations.

    AllowNonStandardFWAddresses=[HSM.IP.ADD.RESS],Yes,9004:outbound/tcp
    AllowNonStandardFWAddresses=[HSM.IP.ADD.RESS],Yes,9005:outbound/tcp
  3. Repeat the previous step for each HSM that needs to communicate with the Vault server.

  4. Add the location of the PKCS#11 provider for the Entrust nShield HSM at the end of the file.

    • For 12.50.xx and earlier Entrust nShield Security World clients:

      [HSM]
      PKCS11ProviderPath="C:\Program Files (x86)\nCipher\nfast\toolkits\pkcs11\cknfast-64.dll"
    • For 12.60.xx and later Entrust nShield Security World clients:

      [HSM]
      PKCS11ProviderPath="C:\Program Files\nCipher\nfast\toolkits\pkcs11\cknfast.dll"
  5. Save and close the dbparm.ini file.

Start and stop the Vault Server

Start then stop the Vault server to process the new firewall rules from the AllowNonStandardFWAddresses directives just added to the dbparm.ini file:

  1. Open the PrivateArk Server application.

  2. Select the green stoplight button.

  3. When the server starts, you should see the following output indicating that the new firewall rules were processed:

    Firewall contains external rules.
    Firewall is open for client communication
    Firewall is open for non standard address.
    Firewall is open for non standard address.
    Firewall is open for non standard address.
    Firewall is open for non standard address.
  4. Select the red stoplight button after the server comes up.

  5. Select Normal shutdown. Then select OK.

  6. Select Yes.

  7. Validate that the HSM communication works:

    1. Run the enquiry and nfkminfo commands in a command prompt.

    2. Verify that enquiry reports mode operational for the module and that the World state in the nfkminfo output includes Usable and Initialised (nfkminfo uses the British spelling).

Configure the CyberArk PAS EPV Vault for OCS key protection

If you are using module-protected keys, skip this section and continue with Regenerate the CyberArk PAS EPV Vault key on the HSM.

If you are using OCS-protected keys:

  1. In the Vault server, open a command window as administrator.

  2. Make the required directory current:

    C:\Users\Administrator>cd "C:\Program Files (x86)\PrivateArk\Server"
  3. Run CAVaultManager providing the OCS passphrase:

    C:\Program Files (x86)\PrivateArk\Server>CAVaultManager SecureSecretFiles /SecretType HSM /Secret "<OCS passphrase>"
    ITADB518W MaxConcurrentUsersByClientID activated in dbparm.ini.
    ITADB399I Using encryption algorithms: Advanced Encryption Standard (AES), 256 bit, RSA (2048 bit), SHA2-512 (Protocol Integrity), SHA2-512 (Files Integrity).
    CAVLT146I HSM secret was secured successfully.
    This command does not validate the passphrase against the OCS card; it only encrypts the passphrase and adds it to dbparm.ini. To validate the passphrase against the OCS card and make sure you have it correct, insert the card, run cardpp -m1 --check (module 1), and enter the passphrase when prompted.
  4. Open the C:\Program Files (x86)\PrivateArk\Server\Conf\dbparm.ini file and verify that the line HSMPinCode=<encrypted OCS passphrase> appears towards the end.

    For example:

    ...
    [HSM]
    PKCS11ProviderPath="C:\Program Files\nCipher\nfast\toolkits\pkcs11\cknfast.dll"
    HSMPinCode=A4FEFBD484E3FBB8B14BAC7051F923ACFA73458B22E6DBB082ADFBE46C93626F5E97A11144872DD8BA823321759F41CB
  5. Close the dbparm.ini file.
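The following PowerShell script is an added example; it is not part of the CyberArk or Entrust documentation. Run it on the Vault server after the steps above to check what the two procedures ask you to verify: that dbparm.ini carries a tcp/9004 and a tcp/9005 AllowNonStandardFWAddresses directive for every HSM, that PKCS11ProviderPath points at an existing 64-bit cknfast library (both paths given in this guide are the 64-bit build, so a 32-bit DLL would be a misconfiguration), that HSMPinCode is present in the hex form CAVaultManager writes when -ExpectOcs is given, that each HSM address and port is reachable through the Vault firewall, and that enquiry and nfkminfo report an operational module and a Usable, Initialised world. It assumes the default install paths used in this guide, that NFAST_HOME was set by the nShield client installer (it falls back to the two default nfast\bin locations), and that Test-NetConnection is available (Windows Server 2012 or later). The script name and its parameters are my own, not CyberArk or Entrust tooling.

```powershell
# Added verification script; not part of the CyberArk or Entrust documentation.
# Re-reads dbparm.ini to check the edits made above, then confirms the Vault host
# can reach each HSM and that the nShield client reports a usable Security World.
# Assumptions (not stated in the guide): default PrivateArk install path, NFAST_HOME
# set by the nShield client installer, Test-NetConnection available (Server 2012+).
param(
    [string]   $DbParm     = 'C:\Program Files (x86)\PrivateArk\Server\Conf\dbparm.ini',
    [string[]] $HsmAddress = @(),   # HSM IPs to check; empty = take them from dbparm.ini
    [switch]   $ExpectOcs           # set when OCS protection is used (HSMPinCode must exist)
)

$script:failures = 0
function Pass([string]$msg) { Write-Host "PASS  $msg" -ForegroundColor Green }
function Fail([string]$msg) { Write-Host "FAIL  $msg" -ForegroundColor Red; $script:failures++ }

# 1. Parse dbparm.ini: a leading '*' is a comment, [name] starts a section.
$cfg = @{}; $section = ''
foreach ($raw in Get-Content -LiteralPath $DbParm) {
    $line = $raw.Trim()
    if ($line -eq '' -or $line.StartsWith('*')) { continue }
    if ($line -match '^\[(.+)\]$') {
        $section = $Matches[1]
        if (-not $cfg.ContainsKey($section)) { $cfg[$section] = @() }
        continue
    }
    if ($section) { $cfg[$section] += $line }
}

# 2. Firewall directives: the guide requires tcp/9004 and tcp/9005 outbound per HSM.
$fwEntries = @()
foreach ($r in @($cfg['main'] | Where-Object { $_ -match '^AllowNonStandardFWAddresses=' })) {
    if ($r -match '^AllowNonStandardFWAddresses=\[([^\]]+)\],Yes,(\d+):outbound/tcp$') {
        $fwEntries += [pscustomobject]@{ Ip = $Matches[1]; Port = [int]$Matches[2] }
    } else { Fail "Malformed directive: $r" }
}
if (-not $HsmAddress) { $HsmAddress = @($fwEntries | ForEach-Object Ip | Sort-Object -Unique) }
if (-not $HsmAddress) { Fail 'No AllowNonStandardFWAddresses directives found and no -HsmAddress given' }
foreach ($ip in $HsmAddress) {
    foreach ($port in 9004, 9005) {
        if ($fwEntries | Where-Object { $_.Ip -eq $ip -and $_.Port -eq $port }) { Pass "Firewall directive for $ip tcp/$port" }
        else { Fail "Missing AllowNonStandardFWAddresses directive for $ip tcp/$port" }
    }
}

# 3. PKCS#11 provider: the file must exist and, since both paths in this guide are the
#    64-bit cknfast build, the DLL must be x64 (read from the PE header's Machine field).
$hsm = @($cfg['HSM'])
$pathLine = $hsm | Where-Object { $_ -match '^PKCS11ProviderPath=' } | Select-Object -First 1
if (-not $pathLine) { Fail '[HSM] PKCS11ProviderPath is not set' }
else {
    $dll = ($pathLine -split '=', 2)[1].Trim().Trim('"')
    if (-not (Test-Path -LiteralPath $dll -PathType Leaf)) { Fail "PKCS#11 provider not found: $dll" }
    else {
        $fs = [System.IO.File]::OpenRead($dll)
        try {
            $br = New-Object System.IO.BinaryReader($fs)
            $null = $fs.Seek(0x3C, 'Begin'); $peOffset = $br.ReadInt32()   # e_lfanew
            $null = $fs.Seek($peOffset, 'Begin')
            $sig = $br.ReadUInt32(); $machine = $br.ReadUInt16()           # "PE\0\0", then Machine
        } finally { $fs.Dispose() }
        if     ($sig -ne 0x4550)     { Fail "$dll is not a PE image" }
        elseif ($machine -eq 0x8664) { Pass "PKCS#11 provider is x64: $dll" }
        elseif ($machine -eq 0x014C) { Fail "PKCS#11 provider is 32-bit; point PKCS11ProviderPath at the 64-bit cknfast library" }
        else { Fail ("Unexpected PE machine type 0x{0:X4} for {1}" -f $machine, $dll) }
    }
}

# 4. OCS protection: CAVaultManager SecureSecretFiles writes HSMPinCode as a hex string
#    (the form shown in the guide); anything else means the secret was not secured.
if ($ExpectOcs) {
    if ($hsm | Where-Object { $_ -match '^HSMPinCode=[0-9A-Fa-f]+$' }) { Pass 'HSMPinCode present in encrypted (hex) form' }
    else { Fail 'HSMPinCode missing or not in the hex form written by CAVaultManager; re-run SecureSecretFiles' }
}

# 5. Reachability: after the start/stop cycle the Vault firewall must allow each IP/port.
foreach ($e in $fwEntries) {
    if (Test-NetConnection -ComputerName $e.Ip -Port $e.Port -InformationLevel Quiet -WarningAction SilentlyContinue) {
        Pass "TCP $($e.Ip):$($e.Port) reachable"
    } else { Fail "TCP $($e.Ip):$($e.Port) not reachable (Vault firewall rule not applied, or HSM not listening)" }
}

# 6. nShield client view: every 'mode' line operational, World state Initialised and Usable.
$nfastBin = if ($env:NFAST_HOME) { Join-Path $env:NFAST_HOME 'bin' }
            elseif (Test-Path 'C:\Program Files\nCipher\nfast\bin') { 'C:\Program Files\nCipher\nfast\bin' }
            else { 'C:\Program Files (x86)\nCipher\nfast\bin' }
function Invoke-Nfast([string]$tool) {
    $exe = Join-Path $nfastBin "$tool.exe"
    if (-not (Test-Path -LiteralPath $exe)) { Fail "$exe not found; check NFAST_HOME"; return '' }
    (& $exe 2>&1 | Out-String)
}
$enquiry = Invoke-Nfast 'enquiry'
$modes   = @([regex]::Matches($enquiry, '(?m)^\s*mode\s+(\S+)') | ForEach-Object { $_.Groups[1].Value })
$modules = [regex]::Matches($enquiry, '(?m)^Module #\d+:').Count
if ($modules -lt 1) { Fail 'enquiry reports no modules; check the hardserver and HSM connectivity' }
elseif (@($modes | Where-Object { $_ -ne 'operational' }).Count -eq 0) { Pass "enquiry: $modules module(s), all modes operational" }
else { Fail "enquiry: non-operational mode reported ($($modes -join ', '))" }

$nfkm  = Invoke-Nfast 'nfkminfo'
$state = [regex]::Match($nfkm, '(?m)^\s*state\s+0x[0-9A-Fa-f]+\s+(.*)$')   # first 'state' line is the World
$flags = @(if ($state.Success) { $state.Groups[1].Value.Trim() -split '\s+' })
if (($flags -contains 'Usable') -and ($flags -match '^Initiali[sz]ed$')) { Pass "nfkminfo World state: $($flags -join ' ')" }
else { Fail "nfkminfo World state is not Usable and Initialised: $($flags -join ' ')" }

if ($script:failures -eq 0) { Write-Host 'All HSM integration checks passed' -ForegroundColor Green; exit 0 }
Write-Host "$script:failures check(s) failed" -ForegroundColor Red; exit 1
```

Save it under a name of your choosing (for example Test-HsmIntegration.ps1, a hypothetical name) and run it from an elevated PowerShell prompt on the Vault server, adding -ExpectOcs when OCS protection is in use. It exits 0 only when every check passes, so it can be kept as the acceptance check for later dbparm.ini or client upgrades.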