CyberArk Conjur nShield HSM Integration Guide

- Industries
- Solutions
  - Our Expertise
  - Strong Identities
  - Secure Payments
  - Protected Data
- Featured Products
  - As a Service Products
- Enterprise ID & Issuance
  - Instant ID as a Service
    Learn More
  - Instant Issuance
- Financial ID & Issuance
  - Digital Card Solution
    Learn More
  - Digital Banking
    1. Digital Account Opening
    2. Digital Card Solution
  - Instant Issuance
  - Central Issuance
- Government ID & Issuance
  - Digital Citizen
    1. Seamless Travel as a Service
    2. ePassport as a Service
  - Instant Issuance
    1. Other citizen IDs and licenses.
    2. System Software
    3. Supplies
    4. Services
  - Central Issuance
    1. Passports, national IDs and driver licenses.
    2. Passport Issuance Systems
    3. National ID and Driver License Systems
    4. Inline Delivery & Insertion
    5. Standalone Delivery & Insertion
    6. System Software
    7. Supplies
    8. Services
  - Identity Verification as a Service
    Our IDVaaS solution allows remote verification of an individual’s claimed identity for immigration, border management, or digital services delivery.
    Learn More
- Cloud Security Posture Management
  - CloudControl 30-Day Free Trial
    Entrust CloudControl offers comprehensive security and automated compliance across virtualization, public cloud, and container platforms while increasing visibility and decreasing risks that can lead to unintended downtime or security exposure.
    Start Free Trial
- Key Management and Encryption
  - KeyControl for VM Encryption
  - KeyControl 30-Day Free Trial
    VMware vSphere and vSAN encryption require an external key manager, and KeyControl is VMware Ready certified and recommended. KeyControl enables enterprises to easily manage all their encryption keys at scale, including how often keys are rotated, and how they are shared securely.
    Start Free Trial
- Hardware Security Modules (HSM)
  - 1. nShield as a Service
  - nShield HSMs
  - Why you need an HSM
    Learn about all the details related to what hardware security modules offer you in security and cost savings...
    Learn More
- Digital Certificates
  - 1. Buy Certificates
    2. Renew Certificates
  - TLS/SSL Certificates
  - Qualified Certificates
    1. QWAC eIDAS Certificates
    2. QWAC PSD2 Certificates
  - Sales and Services
- Identity and Access Management (IAM)
  - Products
    1. Identity as a Service
      Cloud-Based IAM
    2. Identity Enterprise
      On-prem IAM
    3. Identity Essentials
      On-prem MFA solution for Windows users
    4. APIs and SDKs
  - Get Entrust Identity as a Service Free for 60 Days
    Explore the Identity as a Service platform that gives you access to best-in-class MFA, SSO, adaptive risk-based authentication, and a multitude of advanced features that not only keep users secure, but also contribute to an optimal experience.
    Start Free Trial
- Electronic and Digital Signing
  - Digital Signing as a Service
  - Digital Signing Certificates
  - Digital Signing Infrastructure
  - EU Qualified Trust Services
    In addition to our long-standing Adobe Approved Trust List (AATL) membership, we are a European Qualified Trust Service Provider for the issuance of eIDAS qualified certificates for qualified signatures and advanced seals, for PSD2 certificates and for QWACs
    Learn More
- Public Key Infrastructure (PKI)
  - PKI Products
  - Managed Services
  - Cryptographic Center of Excellence
  - Try Post-Quantum PKI as a Service Now
    Get PQ Ready. PKIaaS PQ provides customers with composite and pure quantum Certificate Authority hierarchies.
    Try Now
- Resources
  - Issuance Systems Knowledge Base
    Learn More
  - Digital Security Knowledge Base
    Learn More
  - Cybersecurity Institute
    Get critical insights and education on security concepts from our Trust Matters newsletter, explainer videos, and the Cybersecurity Institute Podcast.
    Learn More
- Partners
  - Partner with Entrust
    Join one or more of our partner programs and we’ll help you increase profitability, expand your brand, and target strategic customers.
    Learn More
  - Partner Directory
    Search for partners based on location, offerings, channel or technology.
    Search for a Partner
  - Programs
  - Partner Logins
- Buy
  - Shop Certificate Services
    Shop for new single certificate purchases.
    Learn More
  - Certificate Services Customer Portal
    Existing Entrust Certificate Services customers can login to issue and manage certificates or buy additional services.
    Learn More
  - Certificate Services Partner Portal
    Existing partners can provision new customers and manage inventory.
    Learn More
  - Instant Financial Card Issuance Supplies
    1. Registered Customer Login
    2. Request Access
- About Entrust
  - Securing a World in Motion Since 1969
    We’ve established secure connections across the planet and even into outer space. We’ve enabled reliable debit and credit card purchases with our card printing and issuance technologies. Protected international travel with our border control solutions. Created secure experiences on the internet with our SSL technologies. And safeguarded networks and devices with our suite of authentication products.
    Explore Our History
  - Cybersecurity Institute
    Get critical insights and education on security concepts from our Trust Matters newsletter, explainer videos, and the Cybersecurity Institute Podcast.
    Learn More
- Search Entrust
  - Search:

Introduction
Procedures

Introduction

CyberArk Conjur offers secrets management for applications and services. There are four different deployment models. The model tested in this integration guide is the Dynamic Access Provider (DAP): https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-DAP/Latest/en/Content/Get%20Started/Enterprise_vs_OpenSource.htm?TocPath=Get%20started%7C_3 .

The base product is provided as a containerized appliance and can be executed in Docker or Kubernetes. The testing in this integration guide uses a basic deployment of nSCOP in Docker.

Container images

Two container images were created for the purpose of this integration: a hardserver container, and a CyberArk Conjur application container. These images are stored in an external registry:

nshield-hwsp

A hardserver container image that controls communication between the HSM(s) and the application containers.
conjur-appliance

An Application Access Manager (AAM) container image from CyberArk that will host the Master DAP Server.

Product configurations

We have successfully tested nShield HSM integration with CyberArk Conjur in the following configurations:

Software	Version
nSCOP	1.1.1
Operating System	CentOS 8
CyberArk Conjur Appliance Image	12.3.0

Supported nShield hardware and software versions

We have successfully tested with the following nShield hardware and software versions:

Connect XC

Security World Software	Firmware	Image	OCS	Softcard	Module
12.71.0	12.50.11	12.60.10	✓	✓	✓

Connect +

Security World Software	Firmware	Image	OCS	Softcard	Module
12.71.0	12.50.8	12.60.10	✓	✓	✓

Supported nShield HSM functionality

Feature	Support
Module-only key	Yes
OCS cards	Yes
Softcards	Yes
nSaaS	Yes
FIPS 140-2 Level 3	Yes

Requirements

Before installing these products, read the associated documentation:

For the nShield HSM: Installation Guide and User Guide .
If nShield Remote Administration is to be used: nShield Remote Administration User Guide .
nShield Container Option Pack User Guide .
AAM DAP Deployment ( https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-DAP/12.3/en/Content/Deployment/DAP/dap-deploy-dap.htm?tocpath=Setup%7CSet%20up%20Conjur%20Enterprise%20(Docker)%7C _ 3)
HSM Master Key Encryption ( https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-DAP/12.3/en/Content/Deployment/DAP/dap-deploy-dap.htm?tocpath=Setup%7CSet%20up%20Conjur%20Enterprise%20(Docker)%7C_3 )

Furthermore, the following design decisions have an impact on how the HSM is installed and configured:

Whether your Security World must comply with FIPS 140-2 Level 3 standards.

If using FIPS Restricted mode, it is advisable to create an OCS for FIPS authorization. For information about limitations on FIPS authorization, see the Installation Guide of the nShield HSM.
Whether to instantiate the Security World as recoverable or not.

More information

For more information about OS support, contact your CyberArk sales representative or Entrust nShield Support, https://nshieldsupport.entrust.com .

Procedures

Prerequisites

Before you can use nSCOP and run the container images, complete the following steps:

Install Docker. For information, see https://docs.docker.com/get-docker/ .
Gain access to the Conjur appliance image. The following command can be used to load the conjur-appliance .tar file into the local Docker repository:
```
% docker load -i conjur-appliance-12.3.0.tar.gz
```
Set up the HSM. See the Installation Guide for your HSM.
Configure the HSM(s) to have the IP address of your container host machine as a client.
Load an existing Security World or create a new one on the HSM.
Copy the Security World and module files to your container host machine at a directory of your choice.
Create or edit the cknfastrc file in /opt/nfast , and add one of the following config settings:

OCS or Softcard protection:

CKNFAST_LOADSHARING=1
CKNFAST_NO_ACCELERATOR_SLOTS=1

Module protection:
```
CKNFAST_FAKE_ACCELERATOR_LOGIN=1
```

Create a pkcs11.yml file with the following content:

library: /opt/nfast/toolkits/pkcs11/libcknfast.so
wrapping_key: <wrapping_key name>
pin: <passphrase of ocs/softcard if needed>

For more information on configuring and managing nShield HSMs, Security Worlds, and Remote File Systems, see the User Guide for your HSM(s).

Create and configure the nshield-hwsp container

The nShield hardserver container has to be configured to enable it to communicate with the CyberArk Conjur Master DAP Server in a later step, see Create and configure the Conjur application container and the Master DAP Server .

To deploy an nSCOP container image for use with CyberArk Conjur:

Set up the nSCOP working directory.

% mkdir -p /opt/nscop

% tar xf nscop-1.1.0.tar –C /opt/nscop

Mount the Security World.

% mkdir SecWorld-12.71.0

% mount -o loop SecWorld_Lin64-12.71.0.iso SecWorld-12.71.0

Set up the hardserver image.
```
% ./make-nshield-hwsp SecWorld-12.71.0
```

Configure nshield-hwsp :

Set up the hardserver configuration file and directory.

% mkdir -p /opt/nscop/config1

% ./make-nshield-hwsp-config --output /opt/nscop/config1 config <hsm ip address>

% cat /opt/nscop/config1/config

Create a new socket so that application containers can use the hardserver.
```
% docker volume create socket1
```

Run the nshield-hwsp container.

% docker run -d -v /opt/nscop/config1:/opt/nfast/kmdata/config:ro -v socket1:/opt/nfast/sockets nshield-hwsp:12.71.0

Check the status of nshield-hwsp using the enquiry command.

% NFAST_SERVER=/var/lib/docker/volumes/socket1/_data/nserver /opt/nfast/bin/enquiry

Create and configure the Conjur application container and the Master DAP Server

Extend the conjur-appliance image with the nfast utilities.

% ./extend-nshield-application --from conjur-appliance:12.3.0 --pkcs11 SecWorld-12.71.0

Tag the generated application image for convenience.

% docker tag <IMAGEID> conjor-appliance-wnfast:12.3.0

Run the conjur-appliance container with the nfast container.

% docker run --name dap-wnfast -d --restart=always --security-opt seccomp=unconfined -p "443:443" -p "5432:5432" -p "1999:1999" -v /opt/nfast/kmdata:/opt/nfast/kmdata:rw -v socket1:/opt/nfast/sockets conjur-appliance-wnfast:12.3.0

Perform the initial configuration of Conjur. The username is admin . For password requirements, see https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-DAP/12.3/en/Content/Deployment/DAP/dap-deploy-dap.htm?tocpath=Setup%7CSet%20up%20Conjur%20Enterprise%20(Docker)%7C_3 .
```
% docker exec dap-wnfast evoke configure master --accept-eula --hostname dap-wnfast.example.com --admin-password Mypassw0rD1! org1
```

Copy the cknfastrc and pkcs11.yml configuration files into the running container.

% docker cp cknfastrc dap-wnfast:/opt/nfast/cknfastrc

% docker cp pkcs11.yml dap-wnfast:/opt/conjur/etc/pkcs11.yml

Generate a new Key Encryption Key (KEK) for Conjur to be stored on the HSM.
```
% docker exec dap-wnfast evoke pkcs11 generate
```
Start the conjur-appliance container, which will act as the Master DAP Server, in interactive mode.
```
% docker exec -i -t dap-wnfast /bin/bash
```

The KEK is now ready for use.

Example commands used with the KEK

% evoke pkcs11 wrap
% evoke keys lock
% evoke keys unlock

For more examples, see the CyberArk Conjur documentation on Server Key Encryption Methods: https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-DAP/Latest/en/Content/Deployment/MasterKeyEncryption/ServerKeyEncryptionMethods.htm

Table of Contents
Introduction
Procedures

RESOURCES

Integration Guide
CyberArk Conjur nShield® HSM Integration Guide
Web Page
nShield® Integration with CyberArk Conjur

Table of Contents