CyberArk Vault
This guide provides step-by-step instructions for integrating CyberArk Vault with a Luna HSM device or the Luna Cloud HSM service. CyberArk Vault provides the tools that organizations use to manage and secure privileged access to critical systems and resources; keeping the Vault's server key, the key that encrypts all Vault data and metadata, inside an HSM adds hardware protection to that access. Users gain heightened security, enhanced compliance, and streamlined access management, helping to safeguard sensitive data, protect critical assets, and defend against insider and outsider threats.
The key benefits of this integration are:
- Secure generation, storage, and protection of the identity signing private keys using FIPS 140-2 or FIPS 140-3 Level 3 validated hardware.
- Full life cycle management of the keys to ensure their integrity and reliability throughout their usage.
- Maintenance of a comprehensive HSM audit trail for transparency and accountability in key operations. Note that the Luna Cloud HSM service does not expose this secure audit trail.
- Significant performance enhancements by offloading cryptographic operations from application servers.
Supported Platforms
This integration has been tested and verified on the following platforms:
HSM Type | Platform Tested | CyberArk Vault Server | PrivateArk Client |
---|---|---|---|
Luna HSM, Luna Cloud HSM | Windows Server 2016 | 12.1 | 8.0 |
Luna HSM, Luna Cloud HSM | Windows Server 2012R2 | 10.3 | 8.0 |
Prerequisites
The prerequisites for this integration are:
Set up Luna HSM
As the first step to accomplish this integration, you need to set up either On-Premise Luna HSM or Luna Cloud HSM.
Set up On-Premise Luna HSM
Follow these steps to set up your on-premise Luna HSM:
Ensure that the HSM is set up, initialized, provisioned and ready for deployment. Refer to the HSM product documentation for help.
Create a partition that will be later used by CyberArk Vault.
Create and exchange certificates between the Luna Network HSM and the client system. Register the client and assign the partition to it to create an NTLS connection. Initialize the Crypto Officer and Crypto User roles for the registered partition.
Run the lunacm utility (C:\Program Files\SafeNet\LunaClient\lunacm.exe on Windows, /usr/safenet/lunaclient/bin/lunacm on Linux) to verify that the partition has been successfully registered and configured:
lunacm
You should see output similar to the following, with the registered partition listed as a slot:
lunacm.exe (64-bit) v10.2.0-111. Copyright (c) 2020 SafeNet. All rights reserved.
Available HSMs:
Slot Id -> 0
Label -> CyberArk
Serial Number -> 1238696044904
Model -> LunaSA 7.4.0
Firmware Version -> 7.4.0
Configuration -> Luna User Partition With SO (PW) Signing With Cloning Mode
Slot Description -> Net Token Slot
FM HW Status -> Non-FM
If you are using a PED-authenticated HSM, enable partition policies 22 (Allow activation) and 23 (Allow auto-activation) so that the Vault server can open the partition with the partition challenge secret, without a PED interaction at each login.
Refer to Luna HSM documentation for detailed steps on creating NTLS connection, initializing the partitions, and assigning various user roles.
Set up Luna HSM High-Availability Group
Refer to the Luna HSM documentation for the steps to configure an HA group of two or more HSMs on the host system. Enable the HAOnly setting on the client: it hides the individual member slots so that the Vault only ever binds to the HA virtual slot, and it is required for failover to work, so that if the primary member goes down for any reason all calls are routed to the secondary member until the primary recovers and rejoins the group.
This integration is tested in both HA and FIPS mode.
Set up Luna Cloud HSM
Follow these steps to set up your Luna Cloud HSM:
Transfer the downloaded .zip file to your client workstation using pscp, scp, or other secure means
This integration has been certified on the RHEL platform.
Extract the .zip file into a directory on your client workstation.
Extract or untar the appropriate client package for your operating system. Do not extract to a new subdirectory; place the files in the client install directory.
tar -xvf cvclient-min.tar
Run the setenv script to create a new configuration file containing information required by the Luna Cloud HSM service.
source ./setenv
To add the configuration to an already installed Luna Universal Client (UC), run the setenv script with the --addcloudhsm option.
Run the LunaCM utility and verify the Cloud HSM service is listed.
If your organization requires non-FIPS algorithms for your operations, ensure that the Allow non-FIPS approved algorithms check box is checked. For more information, refer to Supported Mechanisms.
Set up CyberArk Vault
CyberArk Vault and PrivateArk Client must be installed on the target machine to carry on with the integration process. For a detailed installation procedure, refer to CyberArk Documentation.
Integrate Luna HSM with CyberArk Vault
The integration of Luna HSM with CyberArk Vault involves the following steps: configure CyberArk Vault, then either generate a new server key in the HSM or migrate the existing server key to the HSM.
Configure CyberArk Vault
To configure the CyberArk Vault:
Allow the Vault's built-in firewall to reach the HSM by opening the dbparam.ini file located at C:\Program Files (x86)\PrivateArk\Server and adding or modifying the AllowNonStandardFWAddresses parameter:
For Luna Network HSM:
AllowNonStandardFWAddresses= [HSM-IP/Hostname],Yes,1792:inbound/tcp,1792:outbound/tcp
For Luna Cloud HSM:
AllowNonStandardFWAddresses= [FQDN of Certificate Authority CRLs and OCSPs],Yes,80:inbound/tcp,80:outbound/tcp
When using the Luna Cloud HSM service, port 80 must be open so that the client can validate the status of the server certificate (CRL and OCSP) with the Certificate Authority. The service endpoint itself is reached over HTTPS (TCP 443), so check the connectivity page below for the complete list of hosts and ports the Vault firewall must allow:
https://www.thalesdocs.com/dpod/resources/client_resources/network_connectivity/index.html
When adding more than one firewall rule in the dbparam.ini file, the rules are chained into a single value and the separator between two rules is also a comma. For instance:
AllowNonStandardFWAddresses= [IP/Hostname],Yes,80:outbound/tcp,80:inbound/tcp,[IP/Hostname],Yes,1792:inbound/tcp,1792:outbound/tcp
Configure the PKCS#11 provider DLL and specify it in the PKCS11ProviderPath
parameter in dbparam.ini file in the [main] section.
PKCS11ProviderPath=[path_to_PKCS#11_provider_library]
For example: PKCS11ProviderPath="C:\Program Files\SafeNet\LunaClient\cryptoki.dll"
Navigate to C:\Program Files (x86)\PrivateArk\Server and run the CAVaultManager command, specifying the partition (Crypto Officer) password that the Vault will use to access the server key. The password is stored in encrypted form, not in clear text:
CAVaultManager.exe SecureSecretFiles /SecretType HSM /Secret [partition_password]
Open dbparam.ini file and verify that the HSMPinCode parameter was added with the encrypted value of the PIN code.
Restart the CyberArk Vault server so that the changes take effect, then shut it down again: the key generation and key migration steps that follow must be run while the Vault server is stopped.
Generate server key in HSM
To generate the Server Key in the HSM:
Ensure that the Vault Server is not running.
Navigate to C:\Program Files (x86)\PrivateArk\Server and run the CAVaultManager command to generate a new server key on the HSM:
CAVaultManager.exe GenerateKeyOnHSM /ServerKey
This command creates a new key for the Vault server and stores it in the HSM. On completion it prints a key generation ID, such as HSM#1; note this ID, as it is needed in the following steps.
Verify that the server key has been generated on the HSM using the CMU utility that ships with the Luna Client:
cmu.exe list
Provide the partition password when prompted.
Confirm that the RecoveryPrvKey parameter within the dbparam.ini file accurately points to the designated private recovery key file (recprv.key).
Run the ChangeServerKeys command to switch the encryption keys used by the Vault server. This re-encrypts both Vault data and metadata with the newly generated key from the HSM, so take a full backup of the Vault before running it. You will be prompted to confirm the change by pressing 'y'.
ChangeServerKeys PathToKeys PathToEmergencyFile HSMKeyGenerationId
For instance: ChangeServerKeys C:\Keys C:\Keys\VaultEmergency.pass HSM#1
Open the dbparam.ini file and set the ServerKey parameter to the key generation ID returned by the HSM. For instance: ServerKey=HSM#1
Start the Vault server and log in.
This completes the integration of CyberArk Vault with Thales Luna HSM or Luna Cloud HSM.
Migrate existing server key to HSM
To migrate the existing server key to HSM:
Complete the steps provided in the Configure CyberArk Vault section.
Make sure that the Vault server is not running.
Run the following command to transfer the server key into the HSM. The command creates a fresh key pair in the HSM: the public key wraps (encrypts) the existing server key, and the private key unwraps it inside the HSM. The wrapping private key is deleted from the HSM once the server key has been unwrapped.
CAVaultManager.exe LoadServerKeyToHSM /WrapKey
Verify that the server key is now present on the HSM using the CMU utility that ships with the Luna Client:
cmu.exe list
Provide the partition password when prompted.
Open the dbparam.ini file and set the ServerKey parameter as follows. Unlike a key generated on the HSM, a migrated key is referenced without a generation ID:
ServerKey=HSM
Start the PrivateArk server and make sure you can log in to the Vault.
This completes the migration of existing server key to Thales Luna HSM or Luna Cloud HSM.
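The dbparam.ini parameters edited in the Configure CyberArk Vault, Generate server key in HSM and Migrate existing server key to HSM sections are easy to get subtly wrong, in particular the comma-chained AllowNonStandardFWAddresses rules and the two forms of ServerKey. The following Python script is an added example, not CyberArk or Thales code: it parses a copy of dbparam.ini offline and reports HSM-related parameters that are missing or malformed, without needing the Vault or the HSM to be reachable. It assumes the parameters may appear in any section of the file; the two embedded dbparam.ini fragments are constructed samples, not real Vault files.

```python
# Offline sanity check for the HSM-related parameters in a CyberArk Vault dbparam.ini.
# Added example (not CyberArk or Thales code); run it against a copy of the file.
import configparser
import re
from typing import Dict, List, Tuple

# One AllowNonStandardFWAddresses rule, as shown on this page:
#   <address>,Yes,<port>:<inbound|outbound>/<tcp|udp>[,<port>:<direction>/<protocol>...]
# Rules are chained with a plain comma, so the value cannot simply be split on
# commas; the parser walks the tokens and starts a new rule at each "<address>,Yes".
_PORT_SPEC = re.compile(r"^(\d{1,5}):(inbound|outbound)/(tcp|udp)$")
# ServerKey=HSM#<n> after GenerateKeyOnHSM, ServerKey=HSM after LoadServerKeyToHSM.
_SERVER_KEY = re.compile(r"^HSM(#\d+)?$")


def parse_fw_rules(value: str) -> List[Tuple[str, List[str]]]:
    """Split a chained AllowNonStandardFWAddresses value into (address, [port specs])."""
    tokens = [t.strip() for t in value.split(",") if t.strip()]
    rules: List[Tuple[str, List[str]]] = []
    i = 0
    while i < len(tokens):
        address = tokens[i]
        if i + 1 >= len(tokens) or tokens[i + 1] != "Yes":
            raise ValueError(f"rule for {address!r} is missing the 'Yes' field")
        i += 2
        specs: List[str] = []
        while i < len(tokens) and _PORT_SPEC.match(tokens[i]):
            port = int(tokens[i].split(":", 1)[0])
            if not 1 <= port <= 65535:
                raise ValueError(f"port {port} out of range in rule for {address!r}")
            specs.append(tokens[i])
            i += 1
        if not specs:
            raise ValueError(f"rule for {address!r} has no <port>:<direction>/<protocol> entry")
        rules.append((address, specs))
    return rules


def _flatten(ini_text: str) -> Dict[str, str]:
    """Map lower-cased parameter names to values across all sections of dbparam.ini.

    Assumption: the HSM parameters may live in any section, so every section is
    scanned. Interpolation is off because encrypted values may contain '%'.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    return {k: v.strip().strip('"') for s in cp.sections() for k, v in cp.items(s)}


def check_hsm_settings(ini_text: str) -> List[str]:
    """Return findings about the HSM parameters; an empty list means they look consistent."""
    cfg = _flatten(ini_text)
    findings: List[str] = []

    provider = cfg.get("pkcs11providerpath", "")
    if not provider:
        findings.append("PKCS11ProviderPath is missing")
    elif not provider.lower().endswith("cryptoki.dll"):
        findings.append(f"PKCS11ProviderPath does not point at the Luna cryptoki.dll: {provider}")

    if not cfg.get("hsmpincode"):
        findings.append("HSMPinCode is missing: run CAVaultManager SecureSecretFiles /SecretType HSM")

    server_key = cfg.get("serverkey", "")
    if not _SERVER_KEY.match(server_key):
        findings.append(f"ServerKey={server_key!r} is neither HSM (migrated key) nor HSM#<id> (generated key)")

    if not cfg.get("recoveryprvkey"):
        findings.append("RecoveryPrvKey is missing; it must point at recprv.key before ChangeServerKeys")

    fw_value = cfg.get("allownonstandardfwaddresses", "")
    if not fw_value:
        findings.append("AllowNonStandardFWAddresses is missing; the Vault firewall will block the HSM client")
        return findings
    try:
        rules = parse_fw_rules(fw_value)
    except ValueError as exc:
        findings.append(f"AllowNonStandardFWAddresses is malformed: {exc}")
        return findings
    ports = {int(spec.split(":", 1)[0]) for _, specs in rules for spec in specs}
    if 1792 not in ports and 80 not in ports:
        findings.append("no rule opens NTLS (1792, Luna Network HSM) or CRL/OCSP (80, Luna Cloud HSM)")
    return findings


# Constructed samples modelled on the parameters this page edits; not real Vault files.
GOOD_DBPARAM = r"""[main]
PKCS11ProviderPath="C:\Program Files\SafeNet\LunaClient\cryptoki.dll"
HSMPinCode=ENCRYPTED_VALUE_PLACEHOLDER
ServerKey=HSM#1
RecoveryPrvKey=C:\Keys\recprv.key
AllowNonStandardFWAddresses=10.10.1.5,Yes,1792:inbound/tcp,1792:outbound/tcp,crl.example.net,Yes,80:inbound/tcp,80:outbound/tcp
"""

BAD_DBPARAM = r"""[main]
PKCS11ProviderPath=C:\Program Files\SafeNet\LunaClient\cryptoki.dll
ServerKey=HSM1
AllowNonStandardFWAddresses=10.10.1.5,1792:inbound/tcp
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_DBPARAM), ("bad", BAD_DBPARAM)):
        print(name, check_hsm_settings(text) or "OK")
```

Point the script at a copy of the real file with `check_hsm_settings(open(path).read())` after each of the CAVaultManager steps; the "bad" sample shows the typical mistakes, a ServerKey without the `#` separator and a firewall rule that dropped the `Yes` field, which the Vault would otherwise only reveal at start-up.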