Introduction

CyberArk Privilege Access Security Enterprise Password Vault (CyberArk PAS EPV) manages privileged credentials and access rights. This integration guide provides the steps to integrate CyberArk PAS EPV with an Entrust nShield Hardware Security Modules (HSM). The integration uses the PKCS#11 cryptographic API.

Product configuration

Entrust tested the integration with the following versions:

Product	Version
Vault Server	v14.2.1
Central Policy Manager (CPM)	v14.2
Password Vault Web Access (PVWA)	v14.2.1
Windows Server	2022

Product

Version

Vault Server

v14.2.1

Central Policy Manager (CPM)

v14.2

Password Vault Web Access (PVWA)

v14.2.1

Windows Server

2022

Supported nShield hardware and software versions

Entrust has successfully tested nShield HSM integration with CyberArk PAS in the following configurations:

CyberArk PAS	nShield Hardware	nShield (Connect) Image	nShield HSM Firmware	Security World Software
12.1	Connect XC	12.60.10	12.50.11 (FIPS 140-2 certified)	12.60.11
12.1	Connect Plus	12.60.10	12.50.8 (FIPS 140-2 certified)	12.60.11
12.6	Connect XC	12.80.4	12.50.11 (FIPS 140-2 certified)	12.80.4
12.6	Connect Plus	12.80.4	12.50.8 (FIPS 140-2 certified)	12.80.4
12.6	Connect XC	12.80.5	12.72.1 (FIPS 140-2 certified)	12.80.4
12.6	Connect Plus	12.80.5	12.72.0 (FIPS 140-2 certified)	12.80.4
12.6	nShield Edge ¹	N/A	12.50.8 (FIPS 140-2 certified)	12.71.0
12.6	nShield 5c	13.2.2	13.2.2	13.2.2
13.2	Connect XC	12.80.5	12.72.1 (FIPS 140-2 certified)	13.4.4
13.2	nShield Edge	N/A	12.72.0 (FIPS 140-2 certified)	13.4.4
13.2	nShield 5c	13.3.2	13.2.2	13.4.4
14.2	nShield 5c	13.6.1	13.2.4 (FIPS 140-3 certified)	13.6.3

¹ This nShield Edge test case tested by CyberArk.

Supported nShield functionality

Feature	Support
Key Generation	Yes
1-of-N Operator Card Set	Yes
FIPS 140 Level 3 mode support	Yes
Key Management	Yes
K-of-N Operator Card Set	Yes
Common Criteria mode support	N/A
Key Import	Yes
Softcards	No
Load Sharing	Yes
Key Recovery	N/A
Module-only keys	Yes
Failover	Yes

Feature

Support

Key Generation

Yes

1-of-N Operator Card Set

Yes

FIPS 140 Level 3 mode support

Yes

Key Management

Yes

K-of-N Operator Card Set

Yes

Common Criteria mode support

N/A

Key Import

Yes

Softcards

Load Sharing

Yes

Key Recovery

N/A

Module-only keys

Yes

Failover

Yes

Requirements

To integrate the Entrust nShield HSM and the CyberArk PAS EPV, you require:

Two dedicated Windows servers for the installation of CyberArk PAS EPV.
Access to the CyberArk Market Place at https://cyberark.my.site.com/mplace/s/#software.
Access to Entrust TrustedCare Portal https://trustedcare.Entrust.com/.

Familiarize yourself with:

The documentation and set-up process for CyberArk PAS EPV.
The Entrust nShield HSM: Installation Guide and User Guide.
Your organizational Security Policy or Procedure in place:
- The number and quorum of administrator cards in the Administrator Card Set (ACS) and the policy for managing these cards.
- The number and quorum of operator cards in the Operator Card Set (OCS) and the policy for managing these cards.
- The keys protection method: Module, or OCS.
- The level of compliance for the Security World, FIPS 140 Level 3.
- Key attributes such as key size, time-out, or needed for auditing key usage.