Thycotic Secret Server
This guide outlines step-by-step instructions for seamlessly integrating Thycotic Secret Server with a Luna HSM device or Luna Cloud HSM service. Thycotic Secret Server is a comprehensive cybersecurity solution designed to address the critical need for effective privilege access management (PAM) within organizations. It plays a significant role in enhancing security by managing, controlling, and securing privileged accounts and sensitive information.
The key benefits of this integration are:
- Secure generation, storage, and protection of the identity signing private keys using either FIPS 140-2 or FIPS 140-3 Level 3 validated hardware.
- Full life cycle management of the keys to ensure their integrity and reliability throughout their usage.
- Maintenance of a comprehensive HSM audit trail for transparency and accountability in key operations. Note that this audit trail is not available with the Luna Cloud HSM service.
- Significant performance enhancements by offloading cryptographic operations from application servers.
Prerequisites
The prerequisites for this integration are:
Set up Luna HSM
As the first step to accomplish this integration, you need to set up either On-Premise Luna HSM or Luna Cloud HSM.
Set up On-Premise Luna HSM
Follow these steps to set up your on-premise Luna HSM:
1. Ensure that the HSM is set up, initialized, provisioned, and ready for deployment. Refer to the HSM product documentation for help.
2. Create a partition that will later be used by Thycotic Secret Server.
3. Create and exchange certificates between the Luna Network HSM and the client system. Register the client and assign the partition to create an NTLS connection. Initialize the Crypto Officer and Crypto User roles for the registered partition.
4. Run the following command to verify that the partition has been successfully registered and configured:
You should see the following output:
lunacm.exe (64-bit) v10.2.0-111. Copyright (c) 2020 SafeNet. All rights reserved.
Available HSMs:
Slot Id -> 0
Label -> Thycotic
Serial Number -> 1280780175917
Model -> LunaSA 7.4.0
Firmware Version -> 7.3.0
Configuration -> Luna User Partition With SO (PW) Key Export With Cloning Mode
Slot Description -> Net Token Slot
Current Slot ID> 0
5. If you are using a PED-authenticated HSM, enable partition policies 22 and 23 to allow activation and auto-activation.
Note
Refer to Luna HSM documentation for detailed steps on creating NTLS connection, initializing the partitions, and assigning various user roles.
Set up Luna HSM High-Availability Group
Refer to the Luna HSM documentation for HA steps and details on configuring two or more HSM appliances on host systems. You must enable the HAOnly setting in HA for failover to work, so that if the primary goes down for any reason, all calls are automatically routed to the secondary until the primary recovers and starts up.
Note
This integration is tested in both HA and FIPS mode.
Set up Luna Cloud HSM
Follow these steps to set up your Luna Cloud HSM:
1. Transfer the downloaded .zip file to your client workstation using pscp, scp, or other secure means.
Note
This integration has been certified on the RHEL platform.
2. Extract the .zip file into a directory on your client workstation.
3. Extract or untar the appropriate client package for your operating system. Do not extract to a new subdirectory; place the files in the client install directory.
4. Run the setenv script to create a new configuration file containing the information required by the Luna Cloud HSM service.
Note
To add the configuration to an already installed UC client, use the -addcloudhsm option when running the setenv script.
5. Run the LunaCM utility and verify that the Cloud HSM service is listed.
Note
If your organization requires non-FIPS algorithms for your operations, ensure that the Allow non-FIPS approved algorithms check box is checked. For more information, refer to Supported Mechanisms.
Set up Thycotic Secret Server
Install Thycotic Secret Server on the target machine. Refer to Thycotic Documentation for detailed instructions.
Use Case I: Integrating Luna HSM with Thycotic Secret Server
The integration of Luna HSM with Thycotic Secret Server involves two key steps:
Configure SafeNet Key Storage Provider
To configure SafeNet Key Storage Provider:
1. Navigate to the directory where the SafeNet Key Storage Provider (KSP) is installed. If you are using a Luna Cloud HSM service, you'll find the KSP directory within the service client package.
2. Double-click KspConfig.exe to open the SafeNet KSP configuration wizard.
3. Within the configuration wizard, double-click Register or View Security Library in the left pane.
4. Click Browse and select the cryptographic library file, for example <Luna HSM Client installation directory>\cryptoki.dll.
5. Click Register. If you are using a Luna Cloud HSM service client, the required cryptographic libraries are typically included in the service client package. Upon successful registration, you will receive a confirmation message: Success registering the security library.
6. Double-click Register HSM Slots and provide the slot (partition) password.
7. Click Register Slot to register the slot for the domain service account that has access to the database and runs the IIS application pool(s) dedicated to Secret Server. On successful registration, you will receive a confirmation message: The slot was successfully and securely registered.
8. Register the same slot for NT_AUTHORITY\SYSTEM.
9. If you are using a Luna Cloud HSM service client, copy the SafeNetKSP.dll file from the service client package into the C:\Windows\System32 directory.
10. Restart IIS to apply the configuration changes.
Configure HSM
To configure the HSM for the Thycotic Secret Server integration, follow these steps:
1. Navigate to the Admin menu and select Configuration.
2. Click the HSM tab.
3. Click the Enable HSM option to initiate the HSM configuration process.
4. Click Next to continue with the configuration.
5. Choose SafeNet Key Storage Provider from the Persistent Provider dropdown under the HSM PROVIDERS section.
6. Select the RSA key size from the Key size dropdown.
7. Click Next. Secret Server will perform simulated encryption and decryption operations as part of the setup.
8. Verify that the configuration has been successful by checking the details under the HSM PROVIDERS TEST RESULTS section.
9. Click Next to access the HSM VERIFY CONFIGURATION section.
10. Review the HSM configuration and then click Save to enable the HSM.
11. Click Finished after you see the message The HSM is now enabled. under the HSM SETUP COMPLETE section.
12. Restart IIS to apply the configuration changes. You can now view the HSM configuration details under the HSM tab. The Secret Server encryption key is now stored on the Luna Network HSM partition.
13. Verify the key using the lunacm utility.
This completes the integration of Thycotic Secret Server with Thales Luna HSM. Secrets created in Thycotic Secret Server will now use encryption keys stored within the HSM partition.
Use Case II: Integrating Luna HSM with Thycotic Secret Server Cluster
The integration of Luna HSM with Thycotic Secret Server Cluster involves two key steps:
Configure SafeNet Key Storage Provider
Perform the following steps on every node of the Thycotic Secret Server Cluster:
1. Navigate to the directory where the SafeNet Key Storage Provider (KSP) is installed. If you are using a Luna Cloud HSM service, you'll find the KSP directory within the service client package.
2. Double-click KspConfig.exe to open the SafeNet KSP configuration wizard.
3. Within the configuration wizard, double-click Register or View Security Library in the left pane.
4. Click Browse and select the cryptographic library file, for example <Luna HSM Client installation directory>\cryptoki.dll.
5. Click Register. If you are using a Luna Cloud HSM service client, the required cryptographic libraries are typically included in the service client package. Upon successful registration, you will receive a confirmation message: Success registering the security library.
6. Double-click Register HSM Slots and provide the slot (partition) password.
7. Click Register Slot to register the slot for the domain service account that has access to the database and runs the IIS application pool(s) dedicated to Secret Server. On successful registration, you will receive a confirmation message: The slot was successfully and securely registered.
8. Register the same slot for NT_AUTHORITY\SYSTEM.
9. If you are using a Luna Cloud HSM service client, copy the SafeNetKSP.dll file from the service client package into the C:\Windows\System32 directory.
10. Restart IIS to apply the configuration changes.
Configure HSM
To configure the HSM for the Thycotic Secret Server Cluster integration, follow these steps on one of the cluster nodes:
1. Log in to Secret Server via your web browser, for example at http://localhost:80/SecretServer.
2. From the Admin menu, select Configuration.
3. Select the HSM tab. This will guide you through selecting the HSM's CNG provider.
4. Click Enable HSM to initiate the configuration process.
Note
Ensure that you have backed up the encryption.config file before proceeding with HSM activation.
5. Click Next to proceed.
6. Select SafeNet Key Storage Provider from the Persistent Provider dropdown under the HSM PROVIDERS section.
7. Select the RSA key size from the Key size dropdown.
8. Click Next. Secret Server will simulate encryption and decryption operations.
9. Verify that the configuration has been successful by checking the details in the HSM PROVIDERS TEST RESULTS section.
10. Click Next. Review your HSM configuration under the HSM VERIFY CONFIGURATION section.
11. Click Save to complete the HSM setup. You will receive a message confirming that the HSM has been enabled: The HSM is now enabled.
12. Click Finished and then restart IIS to apply the configuration changes.
13. The HSM configuration is now saved and can be viewed via the HSM tab. The Secret Server encryption key is now stored on the Luna Network HSM partition.
14. Verify the key using the lunacm utility.
15. Copy the encryption.config file from this node to all other nodes.
16. Restart the Application Pool on each node to ensure that the changes take effect.
17. Log in to Secret Server from any node and verify that the HSM is enabled and that the key identifier displayed is correct.
This completes the integration of Thycotic Secret Server Cluster with a Thales Luna Network HSM. Secrets created in Thycotic Secret Server Cluster from any node will now use encryption keys stored within the HSM partition.
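As an added example (not part of the Thales guide or of Thycotic's product), the following PowerShell script carries out the backup, copy-to-all-nodes and application-pool restart described in the note and in steps 15 and 16 above, and verifies each copied encryption.config by SHA-256 hash before the node's pool is restarted. The config path, application pool name and node hostnames are placeholders; it assumes WinRM remoting is enabled and that the caller is an administrator on every node.

```powershell
# Added example, not from the Thales or Thycotic documentation. Run on the node where
# the HSM wizard was completed: copies its encryption.config to every other cluster
# node, verifies each copy by SHA-256 hash, then restarts the Secret Server app pool.
# Assumptions (placeholders, adjust to your environment): path of encryption.config,
# name of the dedicated IIS application pool, node hostnames, and WinRM remoting
# enabled with the caller an administrator on every node.
#Requires -RunAsAdministrator
$ConfigPath = 'C:\inetpub\wwwroot\SecretServer\encryption.config'  # placeholder path
$AppPool    = 'SecretServer'                                        # placeholder pool name
$OtherNodes = @('SS-NODE2', 'SS-NODE3')                             # placeholder hostnames

# 1. Keep a timestamped backup of the local file before anything is distributed.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
Copy-Item -Path $ConfigPath -Destination "$ConfigPath.$stamp.bak"

# 2. Record the hash of the HSM-enabled node's encryption.config as the reference.
$expected = (Get-FileHash -Path $ConfigPath -Algorithm SHA256).Hash

foreach ($node in $OtherNodes) {
    $session = New-PSSession -ComputerName $node

    # 3. Back up the remote node's existing file, then replace it with the reference copy.
    Invoke-Command -Session $session -ScriptBlock {
        param($path, $stamp)
        if (Test-Path $path) { Copy-Item $path "$path.$stamp.bak" }
    } -ArgumentList $ConfigPath, $stamp
    Copy-Item -Path $ConfigPath -Destination $ConfigPath -ToSession $session -Force

    # 4. Verify the copy byte-for-byte before touching IIS on that node.
    $actual = Invoke-Command -Session $session -ScriptBlock {
        param($path) (Get-FileHash -Path $path -Algorithm SHA256).Hash
    } -ArgumentList $ConfigPath
    if ($actual -ne $expected) {
        Remove-PSSession $session
        throw "encryption.config hash mismatch on ${node}: expected $expected, got $actual"
    }

    # 5. Restart the dedicated application pool so the node picks up the HSM key reference.
    Invoke-Command -Session $session -ScriptBlock {
        param($pool)
        Import-Module WebAdministration
        Restart-WebAppPool -Name $pool
    } -ArgumentList $AppPool

    Remove-PSSession $session
    Write-Host "${node}: encryption.config updated and application pool '$AppPool' restarted"
}
```

After the script finishes, complete step 17 by logging in from each node and confirming that the HSM is shown as enabled with the same key identifier.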