Generating a CyberArk Vault server key on a ProtectServer 3 HSM
This section describes how to generate a CyberArk Vault top-level encryption key (the server key) on a ProtectServer 3 HSM. Before beginning the integration, make sure that the Vault has been configured and that the Vault Server has been shut down. For more information about configuring the Vault, refer to step 6 of "To set up your environment for the integration".
To generate a CyberArk Vault server key on the ProtectServer 3 HSM
1. Navigate to C:\Program Files (x86)\PrivateArk\Server and run the following command to generate a new server key on the ProtectServer 3 HSM:

   CAVaultManager.exe GenerateKeyOnHSM /ServerKey

   CyberArk Vault Manager generates a new key for the Vault Server, stores it in the ProtectServer 3 HSM, and returns the key generation id.

2. Verify that the server key was generated on the HSM slot by running the following command:

3. Verify that the RecoveryPrvKey parameter in dbparam.ini points to the correct private recovery key (recprv.key).

4. Run the following command to change the encryption keys that will be used for the Vault Server:

   ChangeServerKeys <path_to_keys> <path_to_emergency_file> <hsm_key_gen_id>

   This command re-encrypts the Vault data and metadata with the new encryption key generated on the HSM.

5. Open dbparam.ini and set the value of the ServerKey parameter to the key generation id of the HSM.

6. Start Vault Server and log on.
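The following PowerShell script is an added pre-flight check for the dbparam.ini settings this procedure touches; it is example code, not CyberArk's or Thales' own tooling. Run it after setting ServerKey and before starting the Vault Server. Assumptions that are not taken from the page: the dbparam.ini location, the Windows service name 'PrivateArk Server', and the sample key generation id 'HSM#1', which stands in for the id that GenerateKeyOnHSM returned in your environment.

```powershell
<#
Added pre-flight check for the dbparam.ini settings changed in this procedure.
Example code, not CyberArk or Thales tooling. Assumptions (not from the page):
the dbparam.ini path, the service name 'PrivateArk Server', and the placeholder
key generation id 'HSM#1' used as the expected ServerKey value.
#>
param(
    [string]$DbParamPath = 'C:\Program Files (x86)\PrivateArk\Server\dbparam.ini',
    [string]$ExpectedServerKey = 'HSM#1',           # placeholder: use the id GenerateKeyOnHSM returned
    [string]$VaultServiceName = 'PrivateArk Server'  # assumed service name
)

function Get-IniValues {
    # Minimal INI reader: returns key=value pairs, ignoring blank lines, comments and section headers
    param([string]$Path)
    $values = @{}
    foreach ($line in Get-Content -LiteralPath $Path) {
        $t = $line.Trim()
        if ($t -eq '' -or $t -match '^[;#\[]') { continue }
        $i = $t.IndexOf('=')
        if ($i -lt 1) { continue }
        $values[$t.Substring(0, $i).Trim()] = $t.Substring($i + 1).Trim()
    }
    return $values
}

function Test-VaultHsmKeyConfig {
    # Returns a list of findings; an empty list means the configuration passed every check
    param([string]$Path, [string]$ExpectedServerKey, [string]$ServiceName)
    $findings = @()

    if (-not (Test-Path -LiteralPath $Path)) {
        return @("dbparam.ini not found at $Path")
    }
    $ini = Get-IniValues -Path $Path
    $serverDir = Split-Path -Parent $Path

    # Step 3 of the procedure: RecoveryPrvKey must point at the private recovery key (recprv.key)
    $recKey = $ini['RecoveryPrvKey']
    if (-not $recKey) {
        $findings += 'RecoveryPrvKey is not set'
    } else {
        $recPath = if ([IO.Path]::IsPathRooted($recKey)) { $recKey } else { Join-Path $serverDir $recKey }
        if ((Split-Path -Leaf $recPath) -ne 'recprv.key') {
            $findings += "RecoveryPrvKey points at '$recKey', expected recprv.key"
        }
        if (-not (Test-Path -LiteralPath $recPath)) {
            $findings += "RecoveryPrvKey file not found: $recPath"
        }
    }

    # Step 5: ServerKey must carry the HSM key generation id, not a path to a file-based key
    $serverKey = $ini['ServerKey']
    if (-not $serverKey) {
        $findings += 'ServerKey is not set'
    } elseif ($serverKey -ne $ExpectedServerKey) {
        $findings += "ServerKey is '$serverKey', expected HSM key generation id '$ExpectedServerKey'"
    }

    # The Vault Server must still be stopped until the key change is complete
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        $findings += "service '$ServiceName' not found (check the assumed service name)"
    } elseif ($svc.Status -ne 'Stopped') {
        $findings += "service '$ServiceName' is $($svc.Status); it must be stopped while the keys are being changed"
    }
    return $findings
}

$result = @(Test-VaultHsmKeyConfig -Path $DbParamPath -ExpectedServerKey $ExpectedServerKey -ServiceName $VaultServiceName)
if ($result.Count -eq 0) {
    Write-Host 'dbparam.ini checks passed: ready to start Vault Server'
    exit 0
}
$result | ForEach-Object { Write-Warning $_ }
exit 1
```

The script exits non-zero when any check fails, so it can sit in a change runbook as a gate before step 6. Pass the real key generation id with -ExpectedServerKey; the INI reader deliberately takes only the first '=' on each line so that values containing '=' (such as Windows paths with embedded options) are preserved.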
This completes the integration of CyberArk Vault with a ProtectServer 3 HSM.