Introduction

CyberArk Privilege Access Security Enterprise Password Vault (CyberArk PAS EPV) manages privileged credentials and access rights. This integration guide provides the steps to integrate CyberArk PAS EPV with an Entrust nShield Hardware Security Module (HSM). The integration uses the PKCS#11 cryptographic API.

Product configuration

Entrust tested the integration with the following versions:

Product                             Version
----------------------------------  --------
Vault Server                        v14.2.1
Central Policy Manager (CPM)        v14.2
Password Vault Web Access (PVWA)    v14.2.1
Windows Server                      2022

Supported nShield hardware and software versions

Entrust has successfully tested nShield HSM integration with CyberArk PAS in the following configurations:

CyberArk PAS  nShield Hardware  nShield (Connect) Image  nShield HSM Firmware             Security World Software
------------  ----------------  -----------------------  -------------------------------  -----------------------
12.1          Connect XC        12.60.10                 12.50.11 (FIPS 140-2 certified)  12.60.11
12.1          Connect Plus      12.60.10                 12.50.8 (FIPS 140-2 certified)   12.60.11
12.6          Connect XC        12.80.4                  12.50.11 (FIPS 140-2 certified)  12.80.4
12.6          Connect Plus      12.80.4                  12.50.8 (FIPS 140-2 certified)   12.80.4
12.6          Connect XC        12.80.5                  12.72.1 (FIPS 140-2 certified)   12.80.4
12.6          Connect Plus      12.80.5                  12.72.0 (FIPS 140-2 certified)   12.80.4
12.6          nShield Edge [1]  N/A                      12.50.8 (FIPS 140-2 certified)   12.71.0
12.6          nShield 5c        13.2.2                   13.2.2                           13.2.2
13.2          Connect XC        12.80.5                  12.72.1 (FIPS 140-2 certified)   13.4.4
13.2          nShield Edge      N/A                      12.72.0 (FIPS 140-2 certified)   13.4.4
13.2          nShield 5c        13.3.2                   13.2.2                           13.4.4
14.2          nShield 5c        13.6.1                   13.2.4 (FIPS 140-3 certified)    13.6.3

[1] This nShield Edge test case was tested by CyberArk.

Supported nShield functionality

Feature                          Support
-------------------------------  -------
Key Generation                   Yes
Key Management                   Yes
Key Import                       Yes
Key Recovery                     N/A
1-of-N Operator Card Set         Yes
K-of-N Operator Card Set         Yes
Softcards                        No
Module-only keys                 Yes
FIPS 140 Level 3 mode support    Yes
Common Criteria mode support     N/A
Load Sharing                     Yes
Failover                         Yes

Requirements

Before integrating the Entrust nShield HSM with CyberArk PAS EPV, familiarize yourself with:

  • The documentation and set-up process for CyberArk PAS EPV.

  • The Entrust nShield HSM Installation Guide and User Guide.

  • The organizational Security Policy or Procedure in place, which determines:

    • The number and quorum of administrator cards in the Administrator Card Set (ACS), and the policy for managing these cards.

    • The number and quorum of operator cards in the Operator Card Set (OCS), and the policy for managing these cards.

    • The key protection method: Module or OCS.

    • The level of compliance required for the Security World (FIPS 140 Level 3).

    • Key attributes such as key size and time-out, and any attributes needed for auditing key usage.