CyberArk Privilege Access Security Enterprise Password Vault nShield HSM Integration Guide

- Industries
- Solutions
  - Zero Trust
    Entrust offers an unmatched suite of Zero Trust security solutions to help customers protect identities and data, reduce risk, and achieve compliance across their multi-cloud infrastructure.
    Learn More
  - Strong Identities
    1. Identity Verification
      Enable high assurance identities that empower citizens.
    2. ID Issuance
      Issue safe, secure digital and physical IDs in high volumes or instantly.
    3. User Identity
      Elevate trust by protecting identities with a broad range of authenticators.
    4. Machine Identity
      Issue and manage strong machine identities to enable secure IoT and digital transformation.
    5. Digital Signature
      Use secure, verifiable signatures and seals for digital documents.
  - Secure Payments
    1. Financial Issuance
      Issue digital and physical financial identities and credentials instantly or at scale.
    2. Digital Card Solution
      Issue digital payment credentials directly to cardholders from your bank's mobile app.
    3. Secure Transactions
      Ensure authenticated agreements between businesses, customers, and citizens.
  - Trusted Infrastructure
    1. Post-Quantum Cryptography
      Find, assess, and prepare your cryptographic assets for a post-quantum world.
    2. Database Security
      Secure databases with encryption, key management, and strong policy and access control.
    3. Multi-cloud Security
      Keys, data, and workload protection and compliance across hybrid and multi-cloud environments.
- Compliance
  - 1. PSD2
    2. HIPAA
    3. GDPR
    4. Swift
  - 1. CMMC
    2. eIDAS
    3. NITES
- Featured Products
  - As a Service Products
    1. Identity Verification as a Service
      Citizen verification for immigration, border management, or eGov service delivery.
    2. Identity as a Service (IDaaS)
      Cloud-based Identity and Access Management solution.
    3. Digital Signing as a Service
      Cloud-based digital signing solutions.
    4. Instant ID as a Service
      Issue physical and mobile IDs with one secure platform.
  - 1. Digital Card Solution
      Instantly provision digital payment credentials directly to cardholder’s mobile wallet.
    2. PKI as a Service
      A highly secure PKI that’s quick to deploy, scales on-demand, and runs where you do business.
    3. nShield as a Service
      Subscription-based access to dedicated nShield HSMs for cloud-based cryptographic services.
    4. Seamless Travel as a Service
      Remote identity verification, digital travel credentials, and touchless border processes.
  - 1. Instant Financial Issuance
      In-branch and self-service kiosk issuance of debit and credit cards.
    2. Central Financial Issuance
      High volume financial card issuance with delivery and insertion options.
    3. Instant ID Issuance
      Secure issuance of employee badges, student IDs, membership cards and more.
    4. Central ID Issuance
      Passports, national IDs and driver licenses.
    5. nShield HSMs
      Securely generate encryption and signing keys, create digital signatures, encrypting data and more.
  - 1. Cloud Security, Encryption and Key Management
      Powerful encryption, policy, and access control for virtual and public, private, and hybrid cloud environments.
    2. Digital Certificates
      TLS/SSL, digital signing, and qualified certificates plus services and tools for certificate lifecycle management.
    3. Identity and Access Management (IAM)
      One Identity portfolio for all your users — workforce, consumers, and citizens.
    4. Machine Identity Management
      Centralized visibility, control, and management of machine identities.
    5. Post-Quantum
      Learn what steps to take to migrate to quantum-resistant cryptography.
- Enterprise ID & Issuance
  - Instant ID as a Service
    Issue physical and mobile IDs with one secure platform.
    Learn More
  - Instant Issuance
    1. Sigma Direct-to-Card System
    2. Artista Retransfer System
    3. System Software
      Personalization, encoding and activation.
    4. Supplies
    5. Services
- Financial ID & Issuance
  - Digital Card Solution
    Instantly provision digital payment credentials directly to cardholder’s mobile wallet.
    Learn More
  - Digital Banking
    1. Digital Account Opening
    2. Digital Card Solution
  - Instant Issuance
    1. Sigma Direct-to-Card System
    2. Artista Retransfer System
    3. System Software
      Personalization, encoding and activation.
    4. Supplies
    5. Services
  - Central Issuance
    1. Card Issuance Systems
    2. Inline Card Delivery Systems
    3. Inline Envelope Insertion Systems
    4. Standalone Card Affixing/Envelope Insertion Systems
    5. Standalone Envelope Insertion Systems
    6. System Software
      Personalization, encoding, delivery and analytics.
    7. Supplies
    8. Services
- Government ID & Issuance
  - Digital Citizen
    1. eGovernment service delivery
    2. Identity Verification as a Service
    3. Seamless Travel as a Service
    4. ePassport as a Service
  - Central Issuance
    1. Passports, national IDs and driver licenses.
    2. Passport Issuance Systems
    3. National ID and Driver License Systems
    4. Inline Delivery & Insertion
    5. Standalone Delivery & Insertion
    6. System Software
      ID Personalization, encoding and delivery.
    7. Supplies
    8. Services
  - Instant Issuance
    1. Other citizen IDs and licenses.
    2. Sigma Direct-to-Card System
    3. Artista Retransfer System
    4. System Software
      Personalization, encoding, delivery and analytics.
    5. Supplies
    6. Services
  - Identity Verification as a Service
    Our IDVaaS solution allows remote verification of an individual’s claimed identity for immigration, border management, or digital services delivery.
    Learn More
- Cloud Security Posture Management
  - 1. CloudControl Enterprise for AWS
      Secure and ensure compliance for AWS configurations across multiple accounts, regions and availability zones.
    2. CloudControl Enterprise for Containers
      Security compliance and environmental hardening solution for contains and Kubernetes using VMware Tanzu and RedHat OpenShift platforms.
    3. CloudControl Enterprise for Swift
      Meet the compliance requirements for Swift’s Customer Security Program while protecting virtual infrastructure and data.
    4. CloudControl Enterprise for vSphere and NSX
      Comprehensive compliance, multi-factor authentication, secondary approval, RBAC for VMware vSphere NSX-T and VCF.
    5. CloudControl Foundation for vSphere
      Comprehensive compliance for VMware vSphere, NSX-T and SDDC and associated workload and management domains
  - CloudControl 30-Day Free Trial
    Entrust CloudControl offers comprehensive security and automated compliance across virtualization, public cloud, and container platforms while increasing visibility and decreasing risks that can lead to unintended downtime or security exposure.
    Start Free Trial
- Key Management and Encryption
  - 1. Entrust KeyControl
      Manage cryptographic keys and secrets with decentralized vaults and a compliance management dashboard for security policies and regulations.
    2. KeyControl BYOK
      Create and manage encryption keys on premises and in the cloud. Manage your key lifecycle while keeping control of your cryptographic keys.
    3. KeyControl for Database Encryption
      Integrates with your database for secure lifecycle management of your TDE encryption keys.
    4. KeyControl for Backup and Recovery
      Integrates with your backup and recovery solution for secure lifecycle management of your encryption keys.
  - 1. DataControl for Azure
      Data encryption, multi-cloud key management, and workload security for Azure.
    2. DataControl for AWS
      Data encryption, multi-cloud key management, and workload security for AWS.
    3. DataControl for IBM Cloud
      Data encryption, multi-cloud key management, and workload security for IBM Cloud.
  - KeyControl 30-Day Free Trial
    VMware vSphere and vSAN encryption require an external key manager, and KeyControl is VMware Ready certified and recommended. KeyControl enables enterprises to easily manage all their encryption keys at scale, including how often keys are rotated, and how they are shared securely.
    Start Free Trial
- Hardware Security Modules (HSM)
  - nShield as a Service
    1. Subscription-based access to dedicated nShield Cloud HSMs.
  - nShield HSMs
    1. nShield 5c
    2. nShield Connect
      Networked appliances that deliver cryptographic key services to distributed applications.
    3. nShield 5s
    4. nShield Solo
      PCI-Express card-based HSMs.
    5. nShield Edge
      Personal, USB-connected desktop HSMs.
  - Management and Monitoring
    1. nShield Monitor
    2. nShield Remote Administration
  - CodeSafe
    1. SDK for securing sensitive code within a FIPS 140-2 Level 3 certified nShield HSM.
    2. Post-Quantum SDK
  - Software Option Packs
  - Compliance and Certification
    1. FIPS 140-2/140-3
    2. Common Criteria
    3. eIDAS
    4. NIST 800-53
    5. GDPR
    6. PSD2
    7. HIPAA
    8. PCI-DSS
    9. NITES
  - Why you need an HSM
    1. Learn about all the details related to what hardware security modules offer you in security and cost savings...
    2. Learn More
  - Use Cases
- TLS/SSL Certificates
  - BUY NOW
    1. Buy Certificates
    2. Renew Certificates
  - TLS/SSL Certificates
  - Qualified Certificates
  - Sales and Services
- Identity and Access Management (IAM)
  - Products
    1. Identity as a Service
      Cloud-Based IAM
    2. Identity Enterprise
      On-prem IAM
    3. Identity Essentials
      On-prem MFA solution for Windows users
    4. APIs and SDKs
  - Integrations
  - Testimonials
  - Workforce
  - Consumer and Citizen
  - Get Entrust Identity as a Service Free for 60 Days
    Explore the Identity as a Service platform that gives you access to best-in-class MFA, SSO, adaptive risk-based authentication, and a multitude of advanced features that not only keep users secure, but also contribute to an optimal experience.
    Start Free Trial
- Electronic and Digital Signing
  - EU Qualified Trust Services
    In addition to our long-standing Adobe Approved Trust List (AATL) membership, we are a European Qualified Trust Service Provider for the issuance of eIDAS qualified certificates for qualified signatures and advanced seals, for PSD2 certificates and for QWACs
    Learn More
  - Digital Signing as a Service
  - Digital Signing Certificates
  - Digital Signing Infrastructure
- Public Trust Certificates
  - Verified Mark Certificates (VMCs) for BIMI
    Show your official logo on email communications. Download our white paper to learn all you need to know about VMCs and the BIMI standard.
    Learn More
  - Buy and Renew TLS/SSL Certificates
    1. Buy Certificates
    2. Renew Certificates
  - Signing Certificates
  - Qualified Certificates
    1. PSD2 Qualified Electronic Seal Certificates
  - Sales and Services
- Public Key Infrastructure (PKI)
  - PKI as a Service
    1. Use Cases
    2. Post-Quantum PKIaaS
  - PKI Products
  - Managed Services
  - Certificate Lifecycle Management
  - Cryptographic Center of Excellence
    1. PKI Health Check
    2. Cryptographic Health Check
  - Try Post-Quantum PKI as a Service Now
    Get PQ Ready. PKIaaS PQ provides customers with composite and pure quantum Certificate Authority hierarchies.
    Try Now
- Internet of Things (IoT) Security
  - Credentialing and Provisioning
  - Machine Identity Management
  - Global PKI IoT Trends Study
    Find out how organizations are using PKI and if they’re prepared for the possibilities of a more secure, connected world.
    Learn More
- Machine Identity Management
  - Lifecycle Management
  - Credentialing and Provisioning
  - The State of Machine Identity Management
    A recent survey by IDG uncovered the complexities around machine identities and the capabilities that IT leaders are seeking from a management solution.
    Get the White Paper
- Post-Quantum
  - Issuance and Provisioning
    1. PKI as a Service PQ
    2. PQ Standards and Research
  - Cryptographic Center of Excellence
    1. Crypto Health Check
    2. PKI Health Check
  - Are you ready for the threat of post-quantum computing?
    Know where your path to post-quantum readiness begins by taking our assessment.
    Begin Assessment
- Resources
  - Issuance Systems Knowledge Base
    Technotes, product bulletins, user guides, product registration, error codes and more.
    Learn More
  - Digital Security Knowledge Base
    Guides, white papers, installation help, FAQs and certificate services tools.
    Learn More
  - Cybersecurity Institute
    Get critical insights and education on security concepts from our Trust Matters newsletter, explainer videos, and the Cybersecurity Institute Podcast.
    Learn More
- Partners
  - Become an Entrust Partner
    Our partner programs can help you differentiate your business from the competition, increase revenues, and drive customer loyalty. Consider joining one or more of our Entrust partner programs and strategically position your company and brand in front of as many potential customers as possible.
    Learn More
  - Partner Directory
    Search for partners based on location, offerings, channel or technology.
    Search for a Partner
  - Programs
  - Partner Logins
- Buy
  - Shop Certificate Services
    Shop for new single certificate purchases.
    Learn More
  - Certificate Services Customer Portal
    Existing Entrust Certificate Services customers can login to issue and manage certificates or buy additional services.
    Learn More
  - Certificate Services Partner Portal
    Existing partners can provision new customers and manage inventory.
    Learn More
  - Instant Financial Card Issuance Supplies
    1. Registered Customer Login
    2. Request Access
- About Entrust
  - Securing a World in Motion Since 1969
    We’ve established secure connections across the planet and even into outer space. We’ve enabled reliable debit and credit card purchases with our card printing and issuance technologies. Protected international travel with our border control solutions. Created secure experiences on the internet with our SSL technologies. And safeguarded networks and devices with our suite of authentication products.
    Explore Our History
  - Cybersecurity Institute
    Get critical insights and education on security concepts from our Trust Matters newsletter, explainer videos, and the Cybersecurity Institute Podcast.
    Learn More
- Search Entrust
  - Search:

Introduction

CyberArk Privilege Access Security Enterprise Password Vault (CyberArk PAS EPV) manages privileged credentials and access rights. This integration guide provides the steps to integrate CyberArk PAS EPV with an Entrust nshield Hardware Security Modules (HSM). The integration uses the PKCS#11 cryptographic API.

Requirements

The CyberArk PAS EPV installation requires two Windows Server virtual machines (VMs), one for the Vault, and one for the components. You can download the product binaries from https://support.cyberark.com/SFE/files.aspx.

Component	Minimum Requirement
Memory	4 GB
Processor	1 CPU
Processor Cores	2
Hard Disk	60 GB
CD or DVD	Optional
Network Adapter	1 (to communicate with the HSM and between the two CyberArk PAS server VMs)
USB Controller	Optional (if nshield Remote Administration is used)
Display	Standard configuration

Component

Minimum Requirement

Memory

4 GB

Processor

1 CPU

Processor Cores

Hard Disk

60 GB

CD or DVD

Optional

Network Adapter

1 (to communicate with the HSM and between the two CyberArk PAS server VMs)

USB Controller

Optional (if nshield Remote Administration is used)

Display

Standard configuration

System components required for installation:

On the Vault Server	On the Components Server
Windows Server 2016 or Windows Server 2019	Windows Server 2016 or Windows Server 2019
Cannot be part of a domain	Active Directory (optional)¹
Windows Firewall must be active	Windows Firewall must be active (optional)
Static IP	Static IP
Disable IPv6	Disable IPv6
.NET Framework 4.8	.NET Framework 4.8
Microsoft Visual C++ Redistributable for Visual Studio 2015-2019	ASP .NET 4.6
IIS 10

On the Vault Server

On the Components Server

Windows Server 2016 or Windows Server 2019

Cannot be part of a domain

Active Directory (optional)¹

Windows Firewall must be active

Windows Firewall must be active (optional)

Static IP

Disable IPv6

.NET Framework 4.8

Microsoft Visual C++ Redistributable for Visual Studio 2015-2019

ASP .NET 4.6

IIS 10

nshield components required for installation:

On the Vault Server	On the Components Server
nshield Security World software	None

On the Vault Server

On the Components Server

nshield Security World software

None

CyberArk components required for installation:

On the Vault Server	On the Components Server
CyberArk PAS PrivateArk Vault Server v12.6	CyberArk Central Policy Manager (CPM) v12.6
CyberArk PAS PrivateArk Client v12.6	CyberArk Password Vault Web Access (PVWA) v12.6
CyberArk PrivateArk Client (optional)²
CyberArk Privileged Session Manager (optional)³

On the Vault Server

On the Components Server

CyberArk PAS PrivateArk Vault Server v12.6

CyberArk Central Policy Manager (CPM) v12.6

CyberArk PAS PrivateArk Client v12.6

CyberArk Password Vault Web Access (PVWA) v12.6

CyberArk PrivateArk Client (optional)²

CyberArk Privileged Session Manager (optional)³

¹ If you want this to be a domain to serve CyberArk clients.

² If you plan to use this server as a CyberArk client as well. Not required if only hosting the PAS web server.

³ This component requires Microsoft Remote Desktop Services (RDS) Session Host and Windows update KB2999226.

Familiarize yourself with:

The documentation for the nshield Connect HSM.
The documentation and set-up process for CyberArk PAS EPV.

The following preparations need to be made before starting to use nshield products:

For creation of the Security World, determine who within the organization act as custodians of the administrator card set (ACS).
Obtain enough blank smartcards to create the ACS. 6 cards are delivered with the nshield Connect HSM.
Define the Security World parameters. For details of the security implications of the choices, see the nshield Security Manual.

Licensing

Copy the keys folder provided by CyberArk to the C:\ directory of the VM for the CyberArk PAS Vault server. This is the location to which the installer points for the keys and license.xml file.

The keys-master folder should be kept on removable media, for example a CD.

Note

The CyberArk Digital Vault Security Standard states the following about the keys-master folder: The Recovery Private Key (Master CD) should be stored in a physical safe. The recprv.key file in this folder is considered extremely sensitive. It is normally never stored on the server. Rather, it is kept on removable media and stored in a safe until needed for the ChangeServerKeys.exe command in Rewrap the CyberArk PAS Vault key from the software to HSM.

Product configurations

Entrust has successfully tested nshield HSM integration with CyberArk PAS in the following configurations:

CyberArk PAS	nshield Hardware	nshield (Connect) Image	nshield HSM Firmware	Security World Software
12.1	Connect XC	12.60.10	12.50.11 (FIPS Certified)	12.60.11
12.1	Connect Plus	12.60.10	12.50.8 (FIPS Certified)	12.60.11
12.6	Connect XC	12.80.4	12.50.11 (FIPS Certified)	12.80.4
12.6	Connect Plus	12.80.4	12.50.8 (FIPS Certified)	12.80.4
12.6	Connect XC	12.80.5	12.72.1 (FIPS Certified)	12.80.4
12.6	Connect Plus	12.80.5	12.72.0 (FIPS Certified)	12.80.4
12.6	nShield Edge ¹	N/A	12.50.8 (FIPS Certified)	12.71.0
12.6	nShield 5c	13.2.2	13.2.2 (FIPS Pending)	13.2.2

¹ nShield Edge test case tested by CyberArk.

Supported nshield functionality

Feature	Support
Key Generation	Yes
1-of-N Operator Card Set	Yes
FIPS 140-2 Level 3 mode support	Yes
Key Management	Yes
K-of-N Operator Card Set	Yes
Common Criteria mode support	N/A
Key Import	Yes
Softcards	No
Load Sharing	Yes
Key Recovery	N/A
Module-only keys	Yes
Failover	Yes

Feature

Support

Key Generation

Yes

1-of-N Operator Card Set

Yes

FIPS 140-2 Level 3 mode support

Yes

Key Management

Yes

K-of-N Operator Card Set

Yes

Common Criteria mode support

N/A

Key Import

Yes

Softcards

Load Sharing

Yes

Key Recovery

N/A

Module-only keys

Yes

Failover

Yes

Procedures

Configure CyberArk to use the nshield HSM from the Vault VM.

Stop the Vault Server

To stop the Vault Server:

Open the PrivateArk Server application.
Select the red stoplight button.
Select Normal shutdown.
Select OK.
Select Yes.

Install and configure the nshield HSM

This guide does not cover the basic installation and configuration of the nshield HSM or the nshield Security World client software. For instructions, see the Installation Guide for your HSM.

The following lines need to be added to cknfastrc configuration file of the Security World. The file is in the %NFAST_HOME% directory, which is typically C:\Program Files\nCipher\nfast.

Note	If you get a permissions error trying to edit the file, right select cknfastrc > Properties > Security > Edit Users and check Allow for Full Control. After editing the file, you can remove full control. Ensure that the Read and Read & execute options are selected.

If you are using module-protected keys:

CKNFAST_OVERRIDE_SECURITY_ASSURANCES=none
CKNFAST_LOADSHARING=1
CKNFAST_FAKE_ACCELERATOR_LOGIN=1

If you are using OCS-protected keys and K=1:

CKNFAST_OVERRIDE_SECURITY_ASSURANCES=none
CKNFAST_LOADSHARING=1

If you are using OCS-protected keys and K>1:
```
CKNFAST_OVERRIDE_SECURITY_ASSURANCES=none
CKNFAST_LOADSHARING=1
NFAST_NFKM_TOKENSFILE=C:\ProgramData\nCipher\nfast-nfkm-tokensfile
```
In this example, C:\ProgramData\nCipher\nfast-nfkm-tokensfile is the location for creating the preload file. You can change it to another location as required.

Configure the CyberArk dbparm.ini configuration file

To configure the CyberArk dbparm.ini configuration file:

Edit the Vault Server file in C:\Program Files (x86)\PrivateArk\Server\Conf\dbparm.ini.

To comment out items in the dbparm.ini file, use an asterisk (*) at the beginning of the line.
Add the following AllowNonStandardFWAddresses directives to the end of the [main] section. This tells the Vault server to create firewall rules for this IP/port combination.
```
AllowNonStandardFWAddresses=[HSM.IP.ADD.RESS],Yes,9004:outbound/tcp
AllowNonStandardFWAddresses=[HSM.IP.ADD.RESS],Yes,9005:outbound/tcp
```
Repeat the previous step for each HSM that needs to communicate with the Vault server.
Add the location of the PKCS#11 provider for the nshield HSM at the end of the file.
- For 12.50.xx and earlier nshield Security World clients:
  [HSM] PKCS11ProviderPath="C:\Program Files (x86)\nCipher\nfast\toolkits\pkcs11\cknfast-64.dll"
- For 12.60.xx and later nshield Security World clients:
  [HSM] PKCS11ProviderPath="C:\Program Files\nCipher\nfast\toolkits\pkcs11\cknfast.dll"
Save and close the dbparm.ini file.

Start and stop the Vault Server

Start then stop the Vault server to process the new firewall rules from the AllowNonStandardFWAddresses directives just added to the dbparm.ini file:

Open the PrivateArk Server application.
Select the green stoplight button.

When the server starts, you should the following output indicating the new firewall rules were processed:

Firewall contains external rules.
Firewall is open for client communication
Firewall is open for non standard address.
Firewall is open for non standard address.
Firewall is open for non standard address.
Firewall is open for non standard address.

Select the red stoplight button after the server comes up.
Select Normal shutdown.
Select OK.
Select Yes.
Validate that the HSM communication works:
1. Run the enquiry and nfkminfo commands in a command prompt.
2. Verify that the module is operational and the world state is Usable and Initialized.

Configure the CyberArk PAS Vault for OCS key protection

If you are using module-protected keys, skip this section and continue with Regenerate the CyberArk PAS Vault key on the HSM.

If you are using OCS-protected keys:

Open a command prompt as administrator.

Run the following command:

% cd "C:\Program Files (x86)\PrivateArk\Server"

Run CAVautManager providing the OCS passphrase as shown:

% CAVaultManager SecureSecretFiles /SecretType HSM /Secret "<OCS passphrase>"
...
CAVLT146I HSM secret was secured successfully.

Note	This command does not validate the passphrase against the OCS card, it only encrypts the passphrase and adds it to `dbparm.ini`. If you want to validate the passphrase against the OCS card to make sure have it correct, use `cardpp -m1 --check` and enter the passphrase when prompted.

Open the C:\Program Files (x86)\PrivateArk\Server\Conf\dbparm.ini file and verify that the following line appears towards the end:
```
HSMPinCode=<encrypted OCS passphrase>
```
Close the dbparm.ini file.

Regenerate the CyberArk PAS Vault key on the HSM

Note

If you are using a FIPS 140-2 Level 3 Security World, ensure that a recognized OCS card is inserted into an available slot of the HSM to provide FIPS authorization before running the following commands. An ACS cannot be used for FIPS authorization for this application. If you are using module protection for your Vault key in a FIPS 140-2 Level 3 world, you still need to create and use an OCS for FIPS authorization, but not key protection. If loadsharing across multiple HSMs is enabled while using module protection, insert an OCS into slot 0 of each HSM sharing the Security World. The K/N quorum must be 1/N.

Open a command prompt as administrator.
Either:
- Generate a new Vault Server key on the HSM.
- Load an existing Vault Server key to the HSM.
Verify the Vault Server key.

Generate a new Vault Server key on the HSM

To generate a new Vault Server key on the HSM:

Make the required directory current:

% cd "C:\Program Files (x86)\PrivateArk\Server"

If you are generating a new key using module protection, or OCS K-of-N with K=1:

% CAVaultManager GenerateKeyonHSM /ServerKey
...
CAVLT187I Server Key was successfully generated on HSM device (KeyID=HSM#1)

If you are generating a new key using OCS K-of-N with K>1, use preload to launch CAVaultManager. Enter the OCS passphrase when prompted. For example:

% preload -m <module number> -f "<preload FilePath>" --cardset-name=<OCS Cardset-Name> CAVaultManager GenerateKeyonHSM /ServerKey

2021-07-20 07:54:32: [2432]: INFO: Preload running with: -m1 -f <preload FilePath> --cardset-name=<OCS Cardset-Name> CAVaultManager.exe GenerateKeyOnHSM /ServerKey
...
2021-07-20 07:55:17: [2432]: INFO: Loading complete. Executing subprocess CAVaultManager.exe GenerateKeyOnHSM /ServerKey
...
CAVLT187I Server Key was successfully generated on HSM device (KeyID=HSM#1).

Note down the KeyID that is at the end of the command output. It is required for modifying the ServerKey directive in dbparam.ini and later steps.

Load an existing Vault Server key to the HSM

To load an existing Vault Server key to the HSM:

Note

An Entrust nshield HSM configured with a FIPS 140-2 Level 3 Security World does not permit the import of existing keys. For enhanced security, Entrust recommends using keys created and protected by the nshield HSM. The use of an HSM assures customers that keys created by the nshield are protected from issuance.

If you are using module protection or OCS K-of-N with K=1:

% CAVaultManager LoadServerKeyToHSM /WrapKey
...
CAVLT143I Server Key was successfully uploaded to HSM device

If you are loading an existing software key using OCS K-of-N with K>1, use preload to launch CAVaultManager:

% preload -m <module number> -f "<preload FilePath>" --cardset-name=<OCS Cardset-Name> CAVaultManager LoadServerKeyToHSM /WrapKey

Open the C:\Program Files (x86)\PrivateArk\Server\Conf\dbparm.ini file and change the ServerKey line now.
- Change from:
  ServerKey=C:\keys\server.key
- Change to:
  ServerKey=HSM
Check the new key with the following command:
```
% nfkminfo -l
```

Verify the Vault Server key

Verify in the output there is a PKCS#11 key called Cyber-Ark Server Key:

Keys protected by cardsets:
 key_pkcs11_uc... 'Cyber-Ark Server Key'

If you used OCS, the key should be listed under Keys protected by cardsets.
If you used module protection, the key should be listed under Keys with module protection.

Modify dbparm.ini to point to the recovery private key

In the C:\Program Files (x86)\PrivateArk\Server\Conf\dbparm.ini file, modify the RecoveryPrvKey line in the [main] section to point to the master private key so that the PAS key can be rewrapped from the software key to the HSM key.

Change from:
```
RecoveryPrvKey=D:\RecPrv.key
```

Change to:

RecoveryPrvKey=C:\keys-master\RecPrv.key

If you are keeping your Recovery Private Key on removable media as recommended, set the RecoveryPrvKey attribute to the appropriate location rather than using C:\keys-master\RecPrv.key.

Rewrap the CyberArk PAS Vault key from the software to HSM

If you are using OCS protected keys, ensure that a card from the relevant OCS is available to the HSM.

Back up the content of the keys folder (default location: C:\keys) to another location.
Open a command prompt as administrator.

Rewrap the Vault secrets.

If you are keeping your Recovery Private Key on removable media as recommended, use the appropriate path instead of C:\keys-master.

If you loaded an existing key to the HSM using CAVaultManager LoadServerKeyToHSM /WrapKey in Regenerate the CyberArk PAS Vault key on the HSM, change HSM#1 to HSM.

For a module-protected key, or for an OCS with K=1:

% ChangeServerKeys C:\keys-master C:\keys\VaultEmergency.pass HSM#1
...
HSM generation 1 was chosen, are you sure you want to change server keys to HSM (y/n)?
y
Verify that the current master key is at C:\keys-master\RecPrv.key, and press any key. [ENTER]
Verify new server's master key is at C:\keys-master, and press any key.[ENTER]
...
ChangeServerKeys process was successful. DBParm.ini must be updated to point to new keys for Vault to start.

If you are using OCS keys and K-of-N with K>1, you must use the preload command.

% preload -m <module number> -f "<preload FilePath>" --cardset-name=<OCS Cardset-Name> ChangeServerKeys C:\keys-master C:\keys\VaultEmergency.pass HSM#1

Insert the OCS cards and enter the OCS passphrase when prompted.

Verify that the KeyID (HSM#1) matches the output of Regenerate the CyberArk PAS Vault key on the HSM. If not, change it in the command to match it.

The following files in C:\keys change during this process:

backup.key
replicationuser.pass
server.pvk
vaultemergency.pass
vaultuser.pass

Modify dbparm.ini to use the new HSM key

To modify dbparm.ini to use the new HSM key:

Edit the C:\Program Files (x86)\PrivateArk\Server\Conf\dbparm.ini file.
Modify the ServerKey line in the [main] section to point to the new HSM key.

HSM#1 is the KeyID taken from the output of the CAVaultManager GenerateKeyonHSM /ServerKey command executed in Regenerate the CyberArk PAS Vault key on the HSM:
- Change from:
  
  ServerKey=C:\keys\Server.key
- Change to:
  
  ServerKey=HSM#1
Note
If the server key was loaded to the HSM using CAVaultManager LoadServerKeyToHSM /WrapKey in Regenerate the CyberArk PAS Vault key on the HSM, change HSM#1 to HSM.

This step may have already been completed if the ChangeServerKeys command ran successfully.
Save and close the dbparm.ini file.

Start the Vault Server

If you are using OCS-protected keys, ensure that a card from the relevant OCS is available to the HSM.

If you are using OCS key protection with K>1 for K-of-N, you have to use the preload command every time the Vault Server is started. Otherwise, skip this step.
1. Open a command prompt as administrator.
2. Run the following preload command:
  % preload -m <module number> -f "<preload FilePath>" --cardset-name=<OCS Cardset-Name> pause
3. Insert the OCS cards and enter the OCS passphrase when prompted.
Open the PrivateArk Server application.
Start the PrivateArk Server by selecting the green stoplight button.
Ensure the server starts with no errors in the output.
Once the Vault has started, you can end the paused preload session and close the command prompt if one was used.
Verify you can log in to the Vault web access using CyberArk authentication:
1. From the Components server, browse to the Password Vault Web Access URL defined during installation of the PAS Password Vault Web Access Component.
2. Log in using the credentials specified during installation.
Open the Windows Event Viewer on the Vault server to show that a client connection was made to the HSM to access the key:
1. Start Windows Event Viewer and navigate to Windows Logs > Application.
2. The following is an example of the Windows Event Viewer Windows Logs > Application Event Log:
  2021-07-16 09:30:44 t1124: Hardserver [FP]: Notice: CreateClient (v1) pid: 2660, process name: C:\Program Files (x86)\PrivateArk\Server\dbmain.exe

Rotate and migrate CyberArk Vault Server keys

To rotate and migrate CyberArk Server Keys:

Stop the Vault Server:
1. Open the PrivateArk Server application.
2. Select the red stoplight button.
3. Select Normal shutdown.
4. Select OK.
5. Select Yes.
Back up the original HSM keys from the C:\ProgramData\nCipher\Key Management Data\local and the CyberArk C:\keys directories.
Create another HSM key.

If the existing key is HSM#1, the new one should be HSM#2.
- If you are generating a new HSM key using module protection, or OCS K-of-N with K=1:
  
  % CAVaultManager GenerateKeyonHSM /ServerKey ... CAVLT187I Server Key was successfully generated on HSM device (KeyID=HSM#2)
- If you are generating a new HSM key using OCS K-of-N with K>1, use preload to launch CAVaultManager. Insert the OCS cards and enter the passphrase when prompted.
  
  % preload -m <module number> -f "<preload FilePath>" --cardset-name=<OCS Cardset-Name> CAVaultManager GenerateKeyonHSM /ServerKey
Rotate the server keys to the new HSM key:
- For a module-protected key, or for an OCS with K=1, rewrap the Vault secrets with the following:
  % ChangeServerKeys C:\keys-master C:\keys\VaultEmergency.pass HSM#2
- If you are using OCS keys and K-of-N k>1, you have to use the preload command. Insert the OCS cards and enter the passphrase when prompted.
  % preload -m <module number> -f "<preload FilePath>" --cardset-name=<OCS Cardset-Name> ChangeServerKeys C:\keys-master C:\keys\VaultEmergency.pass HSM#2
Update dbparm.ini to point to the new key.
- Change from:
  
  ServerKey=HSM#1
- Change to:
  
  ServerKey=HSM#2
Note
If a key was loaded to the HSM using CAVaultManager LoadServerKeyToHSM /WrapKey, then change HSM to HSM#2, and not HSM#1 to HSM#2.
Save and close the dbparm.ini file.
Confirm that your original HSM key has been backed up.
Remove the original HSM key from C:\ProgramData\nCipher\Key Management Data\local to ensure that the Vault starts with the new key.
If you are using OCS key protection with K>1 for K-of-N:
1. Open a command prompt as administrator.
2. Run the following command:
  % preload -m <module number> -f "<preload FilePath>" --cardset-name=<OCS Cardset-Name> pause
3. Insert the OCS cards and enter the passphrase when prompted.
Start the Vault server by selecting the green stoplight button in the PrivateArk Server application.
Verify the Vault server starts with no errors in the console output.
Once the Vault has started, you can end the paused preload session and close the command prompt if one was used.
Optionally, open Windows Event Viewer. Verify in Windows Logs > Application the following line is present, indicating the new Vault server key was retrieved from the HSM to start the server:
```
Hardserver [FP]: Notice: CreateClient (v1) pid: 3788, process name: C:\Program Files (x86)\PrivateArk\Server\dbmain.exe
```

Table of Contents
Introduction
Procedures
Rotate and migrate CyberArk Vault Server keys

RESOURCES

Integration Guide
CyberArk Privilege Access Security Enterprise Password Vault nShield HSM Integration Guide
Web Page
nShield® Integration with CyberArk EPV

Table of Contents

Introduction

Requirements

Licensing

Product configurations

Supported nshield functionality

Procedures

Stop the Vault Server

Install and configure the nshield HSM

Configure the CyberArk dbparm.ini configuration file

Start and stop the Vault Server

Configure the CyberArk PAS Vault for OCS key protection

Regenerate the CyberArk PAS Vault key on the HSM

Generate a new Vault Server key on the HSM

Load an existing Vault Server key to the HSM

Verify the Vault Server key

Modify dbparm.ini to point to the recovery private key

Rewrap the CyberArk PAS Vault key from the software to HSM

Modify dbparm.ini to use the new HSM key

Start the Vault Server

Rotate and migrate CyberArk Vault Server keys