Introduction
CyberArk Privilege Access Security Enterprise Password Vault (CyberArk PAS EPV) manages privileged credentials and access rights. This integration guide provides the steps to integrate CyberArk PAS EPV with an Entrust nShield Hardware Security Module (HSM). The integration uses the PKCS#11 cryptographic API.
Product configuration
Entrust tested the integration with the following versions:
Product | Version |
---|---|
Vault Server | v14.2.1 |
Central Policy Manager (CPM) | v14.2 |
Password Vault Web Access (PVWA) | v14.2.1 |
Windows Server | 2022 |
Supported nShield hardware and software versions
Entrust has successfully tested nShield HSM integration with CyberArk PAS in the following configurations:
CyberArk PAS | nShield Hardware | nShield (Connect) Image | nShield HSM Firmware | Security World Software |
---|---|---|---|---|
12.1 | Connect XC | 12.60.10 | 12.60.11 | |
12.1 | Connect Plus | 12.60.10 | 12.60.11 | |
12.6 | Connect XC | 12.80.4 | 12.80.4 | |
12.6 | Connect Plus | 12.80.4 | 12.80.4 | |
12.6 | Connect XC | 12.80.5 | 12.80.4 | |
12.6 | Connect Plus | 12.80.5 | 12.80.4 | |
12.6 | nShield Edge ¹ | N/A | 12.71.0 | |
12.6 | nShield 5c | 13.2.2 | 13.2.2 | 13.2.2 |
13.2 | Connect XC | 12.80.5 | 13.4.4 | |
13.2 | nShield Edge | N/A | 13.4.4 | |
13.2 | nShield 5c | 13.3.2 | 13.2.2 | 13.4.4 |
14.2 | nShield 5c | 13.6.1 | 13.6.3 | |

¹ This nShield Edge test case was tested by CyberArk.
Supported nShield functionality
Feature | Support |
---|---|
Key Generation | Yes |
1-of-N Operator Card Set | Yes |
FIPS 140 Level 3 mode support | Yes |
Key Management | Yes |
K-of-N Operator Card Set | Yes |
Common Criteria mode support | N/A |
Key Import | Yes |
Softcards | No |
Load Sharing | Yes |
Key Recovery | N/A |
Module-only keys | Yes |
Failover | Yes |
Requirements
To integrate the Entrust nShield HSM and the CyberArk PAS EPV, you require:
- Two dedicated Windows servers for the installation of CyberArk PAS EPV.
- Access to the CyberArk Market Place at https://cyberark.my.site.com/mplace/s/#software.
- Access to the Entrust TrustedCare Portal at https://trustedcare.Entrust.com/.
Familiarize yourself with:
- The documentation and set-up process for CyberArk PAS EPV.
- The Entrust nShield HSM: Installation Guide and User Guide.
- Your organizational Security Policy or Procedure in place:
  - The number and quorum of administrator cards in the Administrator Card Set (ACS) and the policy for managing these cards.
  - The number and quorum of operator cards in the Operator Card Set (OCS) and the policy for managing these cards.
  - The key protection method: Module or OCS.
  - The level of compliance for the Security World, FIPS 140 Level 3.
  - Key attributes such as key size, time-out, or those needed for auditing key usage.
-