Thycotic Secret Server
This guide outlines step-by-step instructions for seamlessly integrating Thycotic Secret Server with a Luna HSM device or Luna Cloud HSM service. Thycotic Secret Server is a comprehensive cybersecurity solution designed to address the critical need for effective privilege access management (PAM) within organizations. It plays a significant role in enhancing security by managing, controlling, and securing privileged accounts and sensitive information.
The key benefits of this integration are:
- Secure generation, storage, and protection of the identity signing private keys using either FIPS 140-2 or FIPS 140-3 Level 3 validated hardware.
- Full life cycle management of the keys to ensure their integrity and reliability throughout their usage.
- Maintenance of a comprehensive HSM audit trail for transparency and accountability in key operations. It's important to note that Luna Cloud HSM service does not have access to this secure audit trail.
- Significant performance enhancements by offloading cryptographic operations from application servers.
Prerequisites
The prerequisites for this integration are:
Set up Luna HSM
As the first step to accomplish this integration, you need to set up either On-Premise Luna HSM or Luna Cloud HSM.
Set up On-Premise Luna HSM
Follow these steps to set up your on-premise Luna HSM:
Ensure that the HSM is set up, initialized, provisioned and ready for deployment. Refer to the HSM product documentation for help.
Create a partition that will be later used by Thycotic Secret Server.
Create and exchange certificate between the Luna Network HSM and Client system. Register client and assign partition to create an NTLS connection. Initialize Crypto Officer and Crypto User roles for the registered partition.
Run the following command to verify that the partition has been successfully registered and configured:
/usr/safenet/lunaclient/bin/lunacm
You should see the following output:
lunacm.exe (64-bit) v10.2.0-111. Copyright (c) 2020 SafeNet. All rights reserved.

        Available HSMs:

        Slot Id ->              0
        Label ->                Thycotic
        Serial Number ->        1280780175917
        Model ->                LunaSA 7.4.0
        Firmware Version ->     7.3.0
        Configuration ->        Luna User Partition With SO (PW) Key Export With Cloning Mode
        Slot Description ->     Net Token Slot

        Current Slot ID> 0
If you are using a PED-authenticated HSM, enable partition policies 22 and 23 to allow activation and auto-activation.
Refer to Luna HSM documentation for detailed steps on creating NTLS connection, initializing the partitions, and assigning various user roles.
Set up Luna HSM High-Availability Group
Refer to Luna HSM documentation for HA steps and details on configuring two or more HSM appliances on the host systems. You must enable the HAOnly setting on the HA group for failover to work: if the primary member goes down for any reason, all calls are then routed automatically to the secondary member until the primary recovers and rejoins the group.
This integration is tested in both HA and FIPS mode.
Set up Luna Cloud HSM
Follow these steps to set up your Luna Cloud HSM:
Transfer the downloaded .zip file to your client workstation using pscp, scp, or other secure means.
This integration has been certified on the RHEL platform.
Extract the .zip file into a directory on your client workstation.
Extract or untar the appropriate client package for your operating system. Do not extract to a new subdirectory; place the files in the client install directory.
tar -xvf cvclient-min.tar
Run the setenv script to create a new configuration file containing information required by the Luna Cloud HSM service.
source ./setenv
To add the configuration to an already installed UC client, use the --addcloudhsm option when running the setenv script.
Run the LunaCM utility and verify the Cloud HSM service is listed.
If your organization requires non-FIPS algorithms for your operations, ensure that the Allow non-FIPS approved algorithms check box is checked. For more information, refer to Supported Mechanisms.
Set up Thycotic Secret Server
Install Thycotic Secret Server on the target machine. Refer to Thycotic Documentation for detailed instructions.
Use Case I: Integrating Luna HSM with Thycotic Secret Server
The integration of Luna HSM with Thycotic Secret Server involves two key steps:
Configure SafeNet Key Storage Provider
To configure SafeNet Key Storage Provider:
Navigate to the directory where the SafeNet Key Storage Provider (KSP) is installed. If you are using a Luna Cloud HSM service, you'll find the KSP directory within the service client package.
Double-click KspConfig.exe to open the SafeNet KSP configuration wizard.
Within the configuration wizard, double-click Register or View Security Library in the left pane.
Click Browse and select a cryptographic library file, such as <Luna HSM Client installation Directory>\cryptoki.dll.
Click Register. If you are using a Luna Cloud HSM service client, the required cryptographic libraries are typically included in the service client package. Upon successful registration, you will receive a confirmation message: Success registering the security library.
Double-click Register HSM Slots and provide the slot (partition) password.
Click Register Slot to register the slot for the Domain and Service Account that has access to the database and runs the IIS Application Pool(s) dedicated to Secret Server. On successful registration, you will receive a confirmation message: The slot was successfully and securely registered.
Register the same slot for NT_AUTHORITY\SYSTEM.
If you are using a Luna Cloud HSM service client, copy the SafeNetKSP.dll file from the service client package and paste it into the C:\Windows\System32 directory.
Restart the IIS to apply the configuration changes.
Configure HSM
To configure the HSM for Thycotic Secret Server integration, follow these steps:
Navigate to the Admin menu and select Configuration.
Click the HSM tab.
Click the Enable HSM option to initiate the HSM configuration process.
Click Next to continue with the configuration.
Choose SafeNet Key Storage Provider from the Persistent Provider dropdown under the HSM PROVIDERS section.
Select the RSA key size from the Key size dropdown.
Click Next. Secret Server will perform simulated encryption and decryption operations as part of the setup.
Verify whether the configuration has been successful by checking the details under the HSM PROVIDERS TEST RESULTS section.
Click Next to access the HSM VERIFY CONFIGURATION section.
Review the HSM configuration and then click Save to enable the HSM.
Click Finished after you see the message The HSM is now enabled. under the HSM SETUP COMPLETE section.
Restart the IIS to apply the configuration changes. You can now view the HSM configuration details under the HSM tab. The Secret Server encryption key is now stored on Luna Network HSM partition.
Verify the key using the lunacm utility.
This completes the integration of Thycotic Secret Server with Thales Luna HSM. Secrets created in Thycotic Secret Server will now use encryption keys stored within the HSM partition.
Use Case II: Integrating Luna HSM with Thycotic Secret Server Cluster
The integration of Luna HSM with Thycotic Secret Server Cluster involves two key steps:
Configure SafeNet Key Storage Provider
Perform the following steps across all the nodes of the Thycotic Secret Server Cluster:
Navigate to the directory where the SafeNet Key Storage Provider (KSP) is installed. If you are using a Luna Cloud HSM service, you'll find the KSP directory within the service client package.
Double-click KspConfig.exe to open the SafeNet KSP configuration wizard.
Within the configuration wizard, double-click Register or View Security Library in the left pane.
Click Browse and select a cryptographic library file, such as <Luna HSM Client installation Directory>\cryptoki.dll.
Click Register. If you are using a Luna Cloud HSM service client, the required cryptographic libraries are typically included in the service client package. Upon successful registration, you will receive a confirmation message: Success registering the security library.
Double-click Register HSM Slots and provide the slot (partition) password.
Click Register Slot to register the slot for the Domain and Service Account that has access to the database and runs the IIS Application Pool(s) dedicated to Secret Server. On successful registration, you will receive a confirmation message: The slot was successfully and securely registered.
Register the same slot for NT_AUTHORITY\SYSTEM.
If you are using a Luna Cloud HSM service client, copy the SafeNetKSP.dll file from the service client package and paste it into the C:\Windows\System32 directory.
Restart the IIS to apply the configuration changes.
Configure HSM
To configure the HSM for Thycotic Secret Server Cluster integration, follow these steps on one of the cluster nodes:
Log in to Secret Server via your web browser: http://localhost:80/SecretServer.
From the Admin menu, select Configuration.
Select the HSM tab. This will guide you through selecting the HSM's CNG provider.
Click Enable HSM to initiate the configuration process.
Ensure that you have backed up the encryption.config file before proceeding with HSM activation.
Click Next to proceed.
Select SafeNet Key Storage Provider from the Persistent Provider dropdown under the HSM PROVIDERS section.
Select the RSA key size from the Key size dropdown.
Click Next. Secret Server will simulate encryption and decryption operations.
Verify whether the configuration has been successful by checking the details in the HSM PROVIDERS TEST RESULTS section.
Click Next. Review your HSM configuration under the HSM VERIFY CONFIGURATION section.
Click Save to complete the HSM setup. You will receive a message confirming the successful enabling of HSM: The HSM is now enabled.
Click Finished and then proceed to restart the IIS to apply the configuration changes.
The HSM configuration is now saved and can be viewed via the HSM tab. The Secret Server encryption key is now stored on the Luna Network HSM partition.
Verify the key using the lunacm utility.
Copy the encryption.config file from this node to all other nodes.
Restart the Application Pool on each node to ensure that changes take effect.
Log in to Secret Server from any node and verify that the HSM is enabled and the key identifier displayed is correct.
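The rollout across the remaining cluster nodes (backing up each node's encryption.config, copying the HSM-enabled file, confirming it arrived intact, and recycling the application pool) can be scripted from the node where the wizard was run. The script below is an added example and is not part of the Thales or Thycotic documentation; the node names, the Secret Server install path and the application pool name are assumptions and must be adjusted to your deployment.

```powershell
# Added example (not from the Thales/Thycotic guide): run on the node where the HSM
# wizard was completed. Node names, install path and pool name are assumptions.
$OtherNodes = @('SS-NODE2', 'SS-NODE3')           # assumed remaining cluster nodes
$InstallDir = 'C:\inetpub\wwwroot\SecretServer'   # assumed Secret Server install path
$AppPool    = 'SecretServer'                      # assumed IIS application pool name
$ConfigFile = Join-Path $InstallDir 'encryption.config'

# Keep a dated backup of the HSM-enabled file on this node before distributing it.
$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
Copy-Item -Path $ConfigFile -Destination "$ConfigFile.$stamp.bak"
$expected = (Get-FileHash -Path $ConfigFile -Algorithm SHA256).Hash

foreach ($node in $OtherNodes) {
    $session = New-PSSession -ComputerName $node
    try {
        # Back up the node's current encryption.config, then overwrite it with the HSM-enabled copy.
        Invoke-Command -Session $session -ScriptBlock {
            param($path, $stamp)
            if (Test-Path $path) { Copy-Item -Path $path -Destination "$path.$stamp.bak" }
        } -ArgumentList $ConfigFile, $stamp
        Copy-Item -Path $ConfigFile -Destination $ConfigFile -ToSession $session

        # Verify the copy is byte-identical before recycling, so a partial copy never goes live.
        $remoteHash = Invoke-Command -Session $session -ScriptBlock {
            param($path) (Get-FileHash -Path $path -Algorithm SHA256).Hash
        } -ArgumentList $ConfigFile
        if ($remoteHash -ne $expected) {
            throw "encryption.config hash mismatch on ${node}: expected $expected, got $remoteHash"
        }

        # Recycle the dedicated application pool so the node loads the HSM-backed key.
        Invoke-Command -Session $session -ScriptBlock {
            param($pool)
            Import-Module WebAdministration
            Restart-WebAppPool -Name $pool
        } -ArgumentList $AppPool
        Write-Host "${node}: encryption.config updated (SHA256 $expected); pool '$AppPool' restarted"
    }
    finally {
        Remove-PSSession $session
    }
}
```

After the script finishes, log in to Secret Server on each node and confirm the HSM tab shows the same key identifier as the node where the wizard was run.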
This completes the integration of Thycotic Secret Server Cluster with a Thales Luna Network HSM. Secrets created in Thycotic Secret Server Cluster from any node will now use encryption keys stored within the HSM partition.