Getting started
Refer to the sections below to get started with the integration.
Supported configurations
Thales has tested integration with CyberArk Vault 12.1 using the configurations shown in the table below.
Operating system | PTK version | PS3 HSM hardware | PS3 HSM firmware
---|---|---|---
Windows Server 2019 | 7.2.1 | PSE3 | 7.02.01
Setting up your environment for the integration
Before beginning the integration, you must set up your environment as described in the following steps.
To set up your environment for the integration:
- Install one of the supported operating systems on the client machine. Refer to Supported configurations for more information.
- Set up, initialize, provision, and prepare a ProtectServer 3 HSM for deployment. Refer to ProtectServer 3 HSM and ProtectToolkit 7 installation and configuration for more information.
- Install the ProtectToolkit-C Runtime on the client machine. Refer to ProtectToolkit 7 software installation for more information.
- Configure the ProtectServer 3 HSM for the integration.
  - Create a slot on the HSM that will be used by the CyberArk Vault. Refer to Adding and removing slots for more information.
  - Verify that the HSM is successfully configured and the new slot is visible by running hsmstate and ctkmu l.

    ```
    [root@localhost ~]# hsmstate
    HSM device 0: HSM in NORMAL MODE. RESPONDING. Usage Level=0%
    [root@localhost ~]# ctkmu l
    ProtectToolkit C Key Management Utility 7.2.1
    Copyright (c) Safenet, Inc. 2009-2023
    Cryptoki Version = 2.20
    Manufacturer = Safenet, Inc.
    Test (Slot 0)
    AdminToken (524128) (Slot 1)
    [root@localhost ~]#
    ```
- Download and install the CyberArk Vault and PrivateArk Client on the target machine. For more information, refer to the CyberArk Documentation.
- Configure the CyberArk Vault.
  - Configure the firewall to allow communication to the ProtectServer 3 HSM by editing or adding the AllowNonStandardFWAddresses parameter in dbparm.ini, which is located at C:\Program Files (x86)\PrivateArk\Server\Conf.

    AllowNonStandardFWAddresses=[HSM IP/Hostname],Yes,12396:inbound/tcp,12396:outbound/tcp

    Note: When editing firewall rules in dbparm.ini, the separator between two rules is a comma. For example:

    AllowNonStandardFWAddresses=[IP/Hostname],Yes,80:outbound/tcp,80:inbound/tcp,[IP/Hostname],Yes,12396:inbound/tcp,12396:outbound/tcp
  - Specify the PKCS#11 provider DLL in the PKCS11ProviderPath parameter in the [main] section of dbparm.ini.

    PKCS11ProviderPath="C:\Program Files\Safenet\ProtectToolkit 7\Runtime\lib\cryptoki.dll"
  - Specify the HSM slot index in the HSMSlotIndex parameter in the [main] section of dbparm.ini.

    HSMSlotIndex=<HSM_slot_index>

    Valid values: 0-63
  - Navigate to C:\Program Files (x86)\PrivateArk\Server and run the following command to specify the slot password that will be used to access the server key:

    CAVaultManager.exe SecureSecretFiles /SecretType HSM /Secret <slot_password>
  - Verify that the HSMPinCode parameter was added to dbparm.ini with the encrypted value of the PIN code.
  - Restart the CyberArk Server to apply the changes.
- Shut down the CyberArk Server.
- Begin the integration by Generating a CyberArk Vault server key on a ProtectServer 3 HSM or Migrating an existing CyberArk Vault server key to a ProtectServer 3 HSM.
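As an added example (not Thales or CyberArk code), the following Python check parses the [main] section of dbparm.ini and confirms that the settings from the steps above are present and well formed: PKCS11ProviderPath points at cryptoki.dll, HSMSlotIndex lies within 0-63, HSMPinCode has been written by CAVaultManager, and the AllowNonStandardFWAddresses entry for the HSM host carries both 12396 TCP rules. The sample INI text and the host name hsm.example.internal are constructed, and the PIN value is a placeholder.

```python
import re

# Constructed sample of the [main] section after the steps above (PIN is a placeholder)
SAMPLE_DBPARM = r"""[main]
PKCS11ProviderPath="C:\Program Files\Safenet\ProtectToolkit 7\Runtime\lib\cryptoki.dll"
HSMSlotIndex=0
HSMPinCode=PLACEHOLDER_ENCRYPTED_VALUE
AllowNonStandardFWAddresses= [hsm.example.internal],Yes,12396:inbound/tcp,12396:outbound/tcp
"""

def parse_main(ini_text):
    """Return {key: value} for the [main] section (first value of a key wins)."""
    params, in_main = {}, False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_main = line[1:-1].strip().lower() == "main"
            continue
        if in_main and "=" in line:
            key, value = line.split("=", 1)
            params.setdefault(key.strip(), value.strip())
    return params

def check_dbparm(ini_text, hsm_host):
    """Return a list of problems; an empty list means the HSM settings look right."""
    p = parse_main(ini_text)
    problems = []
    # PKCS11ProviderPath must point at the PTK cryptoki.dll (surrounding quotes allowed)
    if not p.get("PKCS11ProviderPath", "").strip('"').lower().endswith("cryptoki.dll"):
        problems.append("PKCS11ProviderPath missing or not cryptoki.dll")
    # HSMSlotIndex must be an integer in 0-63
    slot = p.get("HSMSlotIndex", "")
    if not (slot.isdigit() and int(slot) <= 63):
        problems.append("HSMSlotIndex missing or outside 0-63")
    # HSMPinCode is written (encrypted) by CAVaultManager SecureSecretFiles
    if "HSMPinCode" not in p:
        problems.append("HSMPinCode missing: run CAVaultManager SecureSecretFiles")
    # Firewall rules are comma-separated: [host],Yes,port:direction/proto,...
    needed = {"12396:inbound/tcp", "12396:outbound/tcp"}
    found = set()
    rule_re = r"\[([^\]]+)\],Yes((?:,\d+:(?:inbound|outbound)/tcp)+)"
    for m in re.finditer(rule_re, p.get("AllowNonStandardFWAddresses", "")):
        if m.group(1) == hsm_host:
            found |= set(m.group(2).strip(",").split(","))
    if not needed <= found:
        problems.append(f"no rule for [{hsm_host}] with {sorted(needed - found)}")
    return problems
```

Run it against the real file with `check_dbparm(open(path).read(), "<HSM IP/Hostname>")` after the Vault steps and before restarting the server, so a missing rule or out-of-range slot index is caught before the key is generated or migrated.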