Procedures

Prerequisites

Ensure the following prerequisites are implemented:

  1. Install the Entrust nShield HSM using the instructions in the Installation Guide for the HSM.

  2. Install the Entrust nShield Security World Software, and configure the Security World as described in the User Guide for the HSM.

  3. Edit the cknfastrc file located in %NFAST_HOME%\cknfastrc.

    CKNFAST_OVERRIDE_SECURITY_ASSURANCES=explicitness,wrapping_crypt
CKNFAST_FAKE_ACCELERATOR_LOGIN=1
CKNFAST_LOADSHARING=1

  4. Install CyberArk Trust Protection Foundation. For more information, see the Online documentation.

Enable CyberArk Advanced Key Protect

CyberArk Advanced Key Protect is required for Central and Remote HSM Private Key Generation. In addition, CyberArk Code Signing Certificate Private Key Storage requires this feature to be enabled.

To enable CyberArk Advanced Key Protect:

  1. Open the CyberArk Configuration Console.

  2. Select the Connectors node.

  3. Select Enable CyberArk Advanced Key Protect in the Actions panel.

    enablekeyprotector

  4. Review the information and confirm the action by selecting Enable.

  5. Restart the platform services:

    Select the Product node. Under Windows Services do the following:

    1. Select Website and then select Restart in the Actions panel.

    2. Select Trust Protection Foundation Services and then select Restart in the Actions panel.

    3. Select Logging and then select Restart in the Actions panel.

Create an HSM (Cryptoki) connector

You must setup an HSM connector before the nShield HSM functionally can be used within CyberArk Trust Protection Foundation.

To create an HSM (Cryptoki) connector:

  1. Open the CyberArk Configuration Console.

  2. Select the Connectors node.

  3. Select Create HSM Connector in the Actions panel.

  4. Enter your CyberArk TPF user credentials if required.

  5. For Name, enter any name for the HSM connector.

  6. For Cryptoki Dll Path, select Browse and locate the following path to the DLL file:

    C:\Program Files\nCipher\nfast\toolkits\pkcs11\cknfast.dll.

  7. Select Load Slots.

  8. Select a slot to use for the intended key protection type. This is the partition on the HSM where CyberArk Trust Protection Foundation will access the encryption keys.

    Since Softcard and OCS protection methods are not currently support in the integration, select the loadshared accelerator slot.

  9. For User Type, select the required user to access the HSM keys on the designated partition.

  10. For Pin, enter the passphrase of the Card Set being used. Since Module protection is being used, leave the pin blank.

    hsmconnector

  11. Select Verify.

  12. Generate a HSM protected key.

    HSM-protected keys can be generated to encrypt data stored in the Trust Protection Foundation Secret Store.

    • Select New Key.

    • On the Create New HSM Key page, enter a Name and select a Type for the key.

    • Select Create.

    • The key gets shown in the Permitted Keys field.

  13. Select Allow Key Storage checkbox.

  14. Select the Key you just created.

  15. Select Create.

    keyselected

    The HSM Connector gets created and displayed under the Encryption Connectors section under Platform Connectors.

    5cdetail
    Notice the details of the Connector. It should say: Key Generation, Data Encryption & Key Storage. This is important for the rest of the integration.

  16. To list the newly created key and its protection type, open a command prompt and run the following command:

    nfkminfo -l

Keys with module protection:
 key_pkcs11_ua63b67f4b141c2babd1f5f47e7aab4a3f68fbb851 `5cmodulekey'

HSM Central Private Key Generation

CyberArk Trust Protection Foundation uses the Entrust nShield HSM for private key generation for SSH keys and certificates.

Certificate Authority (CA) template objects are used in CyberArk Trust Protection Foundation to manage the certificate lifecycle. Creating one is a prerequisite to HSM Central Key Generation. For more information, see the online documentation.

We already configured the CyberArk platform policy to enable the Entrust nShield HSM for central HSM key generation.

  1. Log in to admin console: https://[IP_address_of_CyberArk_TPF]/Aperture.

  2. In the Application Menu in the top right side of the application, select Certificate Manager.

    applicationmenu

  3. Select Policy Tree under the Certificate Manager Menu.

  4. Select Policy, on the left pane.

  5. On the right pane, select the Certificate tab.

  6. Under Other Information, select your HSM Connector in the Key Generation drop-down menu.

    keygeneration

  7. Select Save.

Generate the certificate:

  1. Select Policy.

  2. Select Add > Certificates > The Certificate Type you Want.

  3. In the General Information tab:

    1. Enter the Certificate Name and another other required information.

    2. For Management Type, select Provisioning or Enrollment.

  4. In the CSR Handling tab:

    1. For CSR Generation, select Service Generated CSR.

    2. For Generate Key/CSR on Application, select No.

  5. In the Subject DN tab, enter the required information.

  6. In the Private Key tab, enter the key information.

    For Post Quantum, we selected ML-DSA44.

    The current version of the Post Quantum HSM firmware does not support wrapping of Post Quantum keys. When a Post Quantum algorithm is used, an error will take place when you try to renew the certificate. The error is listed below. So for now use the system default algorithm RSA-2048 or a non Post Quantum algorithm.
    pqwrapkeyerror

  7. In the Other Information tab, search for the previously configured CA Template.

  8. Select Save.

  9. Select the newly generated certificate from the policy tree.

    The Certificate Status should be OK.

    certificateok

  10. Select Renew Now.

  11. After a minute, Refresh the browser window.

    Select the certificate and the certificate details will appear.

  12. If you selected Provisioning for Management Type, associate the certificate to the intended application object.

  13. Check to see if the certificate was installed on this application server.

Code signing

CyberArk Code Sign Manager can store private code signing keys in the Entrust nShield HSM. This section of the document describes the basic steps used to achieve this functionality for the integration. For more detailed procedures, see the online documentation.

Certificate Authority (CA) template objects are used in CyberArk Trust Protection Foundation to manage the certificate lifecycle. Creating one is a prerequisite to CodeSign. For more information, see the online documentation.

To use an HSM for key storage, you must first enable Key Storage on the HSM Connector:

This should have been done already when the HSM connector was setup. Here are the instructions just in case.

  1. Open the CyberArk Configuration Console.

  2. Select the Connectors node.

  3. Select the HSM Component generated in an earlier step.

  4. Select Properties in the Actions panel under Encryption Driver.

  5. Enter your CyberArk Trust Protection Foundation user credentials if required.

  6. Select Allow Key Storage.

  7. Select Apply.

  8. Select OK.

To choose a code signing Administrator:

  1. Open the CyberArk Configuration Console.

  2. Select the System Roles node.

  3. Select Add CodeSign Manager Administrator in the Actions panel.

  4. Select a user to gain CodeSign Manager Administrator rights.

To create a code signing flow:

  1. Open the CyberArk Configuration Console.

  2. Under the Code Signing node, select Custom Flows.

  3. Select Add new Code Signing Flow in the Actions panel.

  4. Enter a name for the Code Signing Flow and select Create.

  5. Select the newly created Code Signing Flow and add an approver through the Actions panel.

    1. Select Standard in the Actions panel.

    2. Enter the name for the Approver.

    3. When the properties window comes up, Select OK.

To create an environment template for the code signing project:

  1. Open the CyberArk Configuration Console.

  2. Under the Code Signing node, select Environment Templates.

  3. Select Certificate in the Actions panel under Add Single Template.

  4. Enter a name for the Code Signing Environment Template.

  5. In the Properties window that appears, enter the Description, Certificate Container, and Signing Flow within the Settings tab.

    certificatesettings

  6. Open the Certificate Authority tab and search for the previously configured CA Template.

    certificateauthoritysettings

    1. Select Add.

  7. Open the Keys tab and select which key sizes to allow.

    For Post Quantum testing, you can select the ML-DSA types.
    keysettings

  8. Open the Key Storage and open the drop-down menu.

  9. Select the previously created HSM Connector.

  10. Enter any optional information in the remaining tabs.

  11. Select Apply and then OK.

To create a new code signing project:

  1. Log in to Aperture: https://[IP_address_of_CyberArk_TPF]/Aperture.

  2. In the Application Menu in the top right side of the application, select CodeSign Manager.

    applicationmenu

  3. Select Projects under the CodeSign Project Menu.

  4. Select Create Project.

  5. Enter a Project Name and Description.

  6. Select Create.

To create an environment for the project with a new HSM private key and certificate:

  1. Select the Environments tab.

  2. Select Create.

  3. Enter the Environment Name.

  4. For Environment Type, select Certificate & Key.

  5. For Environment Template, select the previously created Environment Template.

    myenvironmentform

  6. Optionally enter a value for Time Constraint and IP Restrictions.

  7. Select Next.

  8. For Key Storage Location, select the HSM Connector.

  9. For Creation Type, select Create new key.

  10. For Certificate Provider, select a CA.

  11. For Key Algorithm, select a key algorithm.

    For Post Quantum, select one of the Post Quantum algorithms that are available.

  12. Enter any other necessary information for the certificate.

  13. Select Create Environment.

  14. Select Submit for Approval to generate a new certificate and private key once it is approved.

To create an environment for the project with an existing HSM private key and certificate:

  1. Select the Environments tab.

  2. Select Create.

  3. Enter the Environment Name.

  4. For Environment Type, select Certificate & Key.

  5. For Environment Template, select the previously created Environment Template.

  6. Optionally enter a value for Time Constraint and IP Restrictions.

  7. Select Next.

  8. Signing Flow should list your code signing flow and Key Storage Location should list your HSM Connector.

  9. For Creation Type, select Use Existing Key in HSM.

  10. Select an existing Private HSM Key and Public HSM Key.

  11. Import an existing certificate or manually enter its details.

  12. Select Create Environment.

  13. Select Submit for Approval to generate a new certificate and private key once it is approved.

To approve the project:

  1. Log in to Aperture: https://[IP_address_of_CyberArk_TPF]/Aperture.

  2. In the Application Menu in the top right side of the application, select CodeSign Manager.

    applicationmenu

  3. Select Approvals under the CodeSign Project Menu.

  4. Select Pending Approvals.

  5. Select the request.

  6. Select Approve/Reject.

  7. Enter a Comment for the approval.

  8. Select Approve.

  9. If you selected the option to generate new keys, the keys are now created on the Entrust nShield HSM. To list it, open a command prompt and run the following command:

    nfkminfo -l

Keys with module protection:
 key_pkcs11_ua0b301946b84b585e6d90fa676e24400a3ccb1d7f 'ML-DSA44 41b427bcf9a241b18d455a3584df5c1f'