Integrate Delinea Secret Server with an Entrust nShield HSM
There are two options for this integration: the CNG cryptography provider, and the PKCS #11 API. Both are covered next.
Configure the Delinea Secret Server using the CNG cryptography provider
- Select Windows Start > Entrust > CNG configuration wizard.
  The nShield CNG Providers Configuration Wizard appears.
- Select Next twice.
- Select Use the existing security world if one was created in deploy-entrust-nshield.adoc#install-security-world-hsm.
- Select Next twice.
- Select the protection method. Either:
  - Select Module Protection, then select Next twice and then select Finish.
  - Select OCS, select the OCS created above, then select Next twice and then select Finish.
- Run certutil -csptest in a command window, redirecting the output to a file:
  certutil -csptest > <filename>
- Search for Provider Name: nCipher in the file created above, and make sure that it shows Pass. For example:
  Provider Name: nCipher Security World Key Storage Provider
    Name: nCipher Security World Key Storage Provider
    HWND Handle:
  Binary:
  0000  00 00 00 00 00 00 00 00                            ........
    Impl Type: 17 (0x11)
      NCRYPT_IMPL_HARDWARE_FLAG -- 1
      NCRYPT_IMPL_HARDWARE_RNG_FLAG -- 10 (16)
    Version: 786512 (0xc0050)
  Pass
  ...
- Log in to Delinea Secret Server via a browser at https://localhost/SecretServer.
- From the menu in the left pane, select Administration > Actions > Configuration > HSM.
  The Configuration page appears, with the HSM tab selected.
- Select Enable HSM and then select Next.
- Under HSM Providers:
  - For Persistent Provider, select nCipher Security World Key Storage Provider.
  - Select the required Key size.
  - Select Next.
    The HSM provider is tested, and the results are displayed.
- Check the HSM Provider Test Results.
- Select Next.
  A verification page appears.
- Select Save to update the HSM configuration.
  A confirmation page appears.
- Select Finish.
The nShield Connect HSM is now enabled, and the Delinea Secret Server encryption key is stored on it. The nShield Connect HSM configuration details appear on the Delinea Secret Server HSM tab.
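For the certutil -csptest step in the procedure above, the following script is an added example (not part of the Entrust or Delinea documentation) that parses a saved certutil transcript and reports, for every provider, whether its self-test ended with the bare Pass line and whether its Impl Type carries NCRYPT_IMPL_HARDWARE_FLAG (bit 0, the flag the nCipher section above shows as 17 = 0x11). The embedded sample is constructed to match the shape of that output: the nCipher section mirrors the guide, while the Microsoft entry and the "Example Unavailable Provider" entry, with its error line, are made up for the example. The function names and the file-path usage are this example's own.

```python
"""Check the output of ``certutil -csptest`` for a passing nCipher CNG provider.

Added example, not part of the Entrust or Delinea documentation.
Usage on a saved transcript:  python cng_check.py <filename>
With no argument it runs against the constructed sample below.
"""
import re
import sys

# Constructed sample in the shape of ``certutil -csptest`` output. The nCipher
# section mirrors the guide; the other two providers and the error line are
# made up for the example.
SAMPLE_OUTPUT = """\
Provider Name: Microsoft Software Key Storage Provider
  Name: Microsoft Software Key Storage Provider
  Impl Type: 2 (0x2)
    NCRYPT_IMPL_SOFTWARE_FLAG -- 2
Pass

Provider Name: nCipher Security World Key Storage Provider
  Name: nCipher Security World Key Storage Provider
  HWND Handle:
Binary:
0000  00 00 00 00 00 00 00 00                            ........
  Impl Type: 17 (0x11)
    NCRYPT_IMPL_HARDWARE_FLAG -- 1
    NCRYPT_IMPL_HARDWARE_RNG_FLAG -- 10 (16)
  Version: 786512 (0xc0050)
Pass

Provider Name: Example Unavailable Provider
  Name: Example Unavailable Provider
  Impl Type: 2 (0x2)
  (constructed: provider reported an error instead of Pass)
"""

NCIPHER_KSP = "nCipher Security World Key Storage Provider"
NCRYPT_IMPL_HARDWARE_FLAG = 0x1  # bit 0 of the CNG implementation type

PROVIDER_HEADER = re.compile(r"^Provider Name: (.+?)\s*$", re.MULTILINE)
IMPL_TYPE = re.compile(r"^\s*Impl Type:\s*(\d+)", re.MULTILINE)


def parse_csptest(text):
    """Map each provider name to its self-test result and implementation type."""
    results = {}
    headers = list(PROVIDER_HEADER.finditer(text))
    for i, header in enumerate(headers):
        # Each provider's section runs until the next "Provider Name:" header.
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[header.end():end]
        impl = IMPL_TYPE.search(body)
        impl_type = int(impl.group(1)) if impl else None
        results[header.group(1)] = {
            # certutil prints a bare "Pass" line when the provider's test succeeds
            "pass": any(line.strip() == "Pass" for line in body.splitlines()),
            "impl_type": impl_type,
            "hardware": impl_type is not None and bool(impl_type & NCRYPT_IMPL_HARDWARE_FLAG),
        }
    return results


def ncipher_ready(results):
    """True only if the nCipher KSP is listed, hardware-backed and passed its test."""
    entry = results.get(NCIPHER_KSP)
    return bool(entry and entry["pass"] and entry["hardware"])


def main(argv):
    if len(argv) > 1:
        # certutil writes in the console code page; tolerate odd bytes rather than abort
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_OUTPUT
    results = parse_csptest(text)
    for name, info in results.items():
        status = "Pass" if info["pass"] else "NOT passed"
        backing = "hardware" if info["hardware"] else "software"
        print(f"{name}: {status} ({backing}, Impl Type {info['impl_type']})")
    ok = ncipher_ready(results)
    print("nCipher KSP ready:", ok)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit status makes the check usable from a deployment script: a non-zero result means the nCipher provider is missing, software-backed, or did not pass, and the per-provider lines say which.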
Configure the Delinea Secret Server using the PKCS #11 API
- Copy the cryptoki library file located at C:\Program Files\nCipher\nfast\toolkits\pkcs11\cknfast.dll to C:\inetpub\wwwroot\SecretServer\pkcs11 so that Delinea Secret Server can see it.
- Insert your OCS card into the proper slot.
- Select here in the pop-up dialog.
- For API Type, select PKCS#11.
  For Library Name, select cknfast.dll.
  For Token Label, enter your OCS name.
  For User Pin, enter your OCS passphrase.
  Keep the default Key Type and Key Size.
  Select Next.
- Check the HSM Configuration Test Results, then select Next.
- Verify the HSM configuration, then select Next.
Verify integration
Verify that the keys generated by the Delinea Secret Server are stored in the nShield HSM. Run the nfkmverify utility:
C:\Users\Administrator>nfkmverify
** [Security world] **
Ciphersuite: DLf3072s256mAEScSP800131Ar1
128-bit security level
1 Administrator Card(s)
(Currently in Module #1 Slot #0: Card #1)
HKNSO 78b1cbd1814e6f711cc64fe84dae2fe3bd32584a
Cardset recovery ENABLED
Passphrase recovery ENABLED
Common Criteria CMTS 419221-5 disabled
Strict FIPS 140-2 level 3 (does not improve security) disabled
SEE application non-volatile storage ENABLED
real time clock setting ENABLED
SEE debugging ENABLED
SEE debugging restricted
Foreign Token Open authorization ENABLED
Generating module ESN <ESN-of-HSM> currently #1 (in same incarnation)
Verification successful, confirm details above. 0 keys verified.
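The following script is an added example, not from the Entrust or Delinea documentation, that turns an nfkmverify transcript like the one above into a structured report: the ciphersuite, security level, administrator card count, HKNSO hash, each world feature with its ENABLED/disabled/restricted state (SEE debugging appears twice, so states are kept as a list), the generating module's ESN, and the summary line's verification result and count of keys verified. The embedded sample is the transcript shown above; the report field names and the keys_present helper are this example's own. The transcript reports 0 keys verified, and the parser returns that count unchanged.

```python
"""Parse an nfkmverify transcript into a structured security world report.

Added example, not part of the Entrust or Delinea documentation.
Usage:  nfkmverify > world.txt && python world_report.py world.txt
With no argument it parses the transcript embedded below.
"""
import re
import sys

# The nfkmverify output from the guide, reproduced as the sample input.
SAMPLE_NFKMVERIFY = """\
** [Security world] **
Ciphersuite: DLf3072s256mAEScSP800131Ar1
128-bit security level
1 Administrator Card(s)
(Currently in Module #1 Slot #0: Card #1)
HKNSO 78b1cbd1814e6f711cc64fe84dae2fe3bd32584a
Cardset recovery ENABLED
Passphrase recovery ENABLED
Common Criteria CMTS 419221-5 disabled
Strict FIPS 140-2 level 3 (does not improve security) disabled
SEE application non-volatile storage ENABLED
real time clock setting ENABLED
SEE debugging ENABLED
SEE debugging restricted
Foreign Token Open authorization ENABLED
Generating module ESN <ESN-of-HSM> currently #1 (in same incarnation)
Verification successful, confirm details above. 0 keys verified.
"""

# A world feature line is "<feature name> <state>" with one of these states.
FEATURE_LINE = re.compile(r"^(.*?)\s+(ENABLED|disabled|restricted)$")
SECURITY_BITS = re.compile(r"^(\d+)-bit security level$")
ADMIN_CARDS = re.compile(r"^(\d+) Administrator Card")
GENERATING_ESN = re.compile(r"^Generating module ESN (\S+)")
KEYS_VERIFIED = re.compile(r"(\d+) keys verified")


def parse_nfkmverify(text):
    """Return the world parameters, feature states and verification summary."""
    report = {
        "ciphersuite": None,
        "security_bits": None,
        "admin_cards": None,
        "hknso": None,            # hash of the security officer's key
        "generating_esn": None,   # serial number of the module that made the world
        "features": {},           # feature name -> list of states, in order seen
        "verification_ok": False,
        "keys_verified": None,
    }
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Ciphersuite:"):
            report["ciphersuite"] = line.split(":", 1)[1].strip()
            continue
        if line.startswith("HKNSO "):
            report["hknso"] = line.split(None, 1)[1]
            continue
        if line.startswith("Verification "):
            report["verification_ok"] = line.startswith("Verification successful")
            count = KEYS_VERIFIED.search(line)
            if count:
                report["keys_verified"] = int(count.group(1))
            continue
        m = SECURITY_BITS.match(line)
        if m:
            report["security_bits"] = int(m.group(1))
            continue
        m = ADMIN_CARDS.match(line)
        if m:
            report["admin_cards"] = int(m.group(1))
            continue
        m = GENERATING_ESN.match(line)
        if m:
            report["generating_esn"] = m.group(1)
            continue
        m = FEATURE_LINE.match(line)
        if m:
            # "SEE debugging" is listed twice (ENABLED, then restricted), so keep a list
            report["features"].setdefault(m.group(1), []).append(m.group(2))
    return report


def keys_present(report):
    """True when verification succeeded and at least one key was verified."""
    return report["verification_ok"] and bool(report["keys_verified"])


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_NFKMVERIFY
    report = parse_nfkmverify(text)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("keys present in world:", keys_present(report))
    return 0 if keys_present(report) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the report is a plain dictionary, the same parse can be compared against a saved baseline of the world (ciphersuite, feature states, generating ESN) on each run, so that a change to the security world description shows up as a diff rather than going unread in the console.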
This completes the integration of Delinea Secret Server with the nShield Connect HSM. Secrets created in Delinea Secret Server will use encryption keys that are stored in the nShield Connect HSM.