Using Fortanix Data Security Manager with CyberArk Enterprise Password Vault

Overview

CyberArk privilege account security solution integrates with Fortanix Data Security Manager (DSM) to enhance the security and availability of encryption keys. The document contains the necessary information to deploy Fortanix DSM service with the CyberArk Enterprise Password Vault (EPV®) solution. For further details, download our integration guide from the Resources.

Prerequisites

Add the following to Windows environment variables:

  • FORTANIX_API_ENDPOINT=https://sdkms.fortanix.com
  • FORTANIX_PKCS11_LOG_FILE=D:\Program Files\Fortanix\KmsClient\logs\debug_pkcs.txt
  • FORTANIX_PKCS11_LOG_LEVEL=debug
  • FORTANIX_PKCS11_NUM_SLOTS=1

Add an application corresponding to EPV

An application can use Fortanix DSM to generate, store, and use security objects, such as cryptographic keys, certificates, or an arbitrary secret. Examples of applications include web servers, PKI servers, key vaults, etc. An application can interact with Fortanix  DSM using the REST APIs or using the PKCS#11, JCE, or CNG providers. EPV integrates with Fortanix DSM using the PKCS#11 interface. To add an application, you may specify:
 • Name of the application (required).
 • A short description of the application.
 • Choose API Key as the form of authentication.
 • Select the group created in the previous step for this application.

Download Fortanix Data Security Manager Windows Client and Configure it

  1. The Fortanix DSM client for Windows 64-bit can be downloaded from https://support.fortanix.com/hc/en-us/articles/360018312391-PKCS-11
  2. FortanixKmsClient.msi installs the Fortanix DSM PKCS#11 library.
  3. The Fortanix DSM URL needs to be configured for the PKCS#11 DLL to communicate with. This is done by running the following command:
    C:\Program Files\Fortanix\KmsClient\FortanixKmsClientConfig.exe machine –-api-endpoint https://sdkms.fortanix.com
  4. The PKCS#11 DLL gets installed in C:\Program Files\Fortanix\KmsClient\FortanixKmsPkcs11.dll. The path to this file needs to be configured in the CyberArk EPV software in the next steps.

CyberArk EPV configuration

The following steps describe the configuration that needs to be done at CyberArk EPV to use Fortanix DSM.

Network Connectivity

  1. For network access, add the following line to your windows host file on:
    %SystemRoot%\System32\drivers\etc\hosts
    <IP Address> sdkms.<your-domain>.com
  2. Allow the Fortanix DSM IP by adding a non-standard address entry in dbparm.ini 
    C:\Program Files (x86)\PrivateArk\Server\dbparm.ini 
    AllowNonStandardFWAddresses=[],Yes,443:inbound/tcp,443:outbound/tcp

Configure path to PKCS#11 DLL

  1. To configure the path to PKCS#11 DLL, browse and open the following file C:\Program Files (x86)\PrivateArk\Server\dbparm.ini add an entry to dbparm.ini at the bottom of the file:
    [HSM]
    PKCS11ProviderPath="C:\Program Files\Fortanix\KmsClient\FortanixKmsPkcs11.dll"
  2. Restart the PrivateArk Server.
  3. Set the HSM credential:
    CAVaultManager SecureSecretFiles /SecretType HSM /Secret file://C:\key\api_key.txt 
  4. Stop the PrivateArk Server.

Generate a New Server key in Fortanix Data Security Manager

  1. Generate a new server key using the following command:
    CAVaultManager.exe GenerateKeyOnHSM /ServerKey

    C:\Program Files (x86)\PrivateArk\Server>CAVaultManager.exe GenerateKeyOnHSM /ServerKey
    ITADB399I Using encryption algorithms: Advanced Encryption Standard (AES), 256 bit, RSA (2048 bit), SHA2-512 (Protocol Integrity), SHA2-512 (Files Integrity).
    ITADM114I Successfully connected to Database, Database id 0.
    CAVLT187I Server Key was successfully generated on HSM device (KeyID=HSM#1).
  2. Verify that the new key has been generated in Fortanix DSM. To do this, log in to the web interface of Fortanix DSM using your user credentials and go to the Group's tab. Click the group created earlier while creating an application to see a detailed view of objects in the group. Go to the Security Objects tab for the group, and find the new security object created by CyberArk EPV. Click on the security object to see the detailed view for the security object. On the bottom right, there should be an audit log stating that the key was created by the CyberArk EPV application at a specified time. 

Re-encrypt Vault

  1. Re-encrypt the vault database with the new key:
    14/08/2020 15:30:07 CHSRVK043I Signing entropy file C:\PrivateArk\Safes\entropy.rnd with new keys.
    14/08/2020 15:30:08 CHSRVK034I Encrypting server private key.
    14/08/2020 15:30:08 CHSRVK058I Encrypting Backup key.
    14/08/2020 15:30:08 CHSRVK057I Encrypting Database access passwords.
    14/08/2020 15:30:11 CHSRVK020I Keys of Safe System changed successfully.
    14/08/2020 15:30:11 CHSRVK040I Changing keys for Safe System.
    ......
    14/08/2020 15:30:11 CHSRVK020I Keys of Safe System changed successfully.
    14/08/2020 15:30:11 CHSRVK040I Changing keys for Safe Pictures.

    14/08/2020 15:30:11 CHSRVK020I Keys of Safe Pictures changed successfully.
    14/08/2020 15:30:11 CHSRVK040I Changing keys for Safe VaultInternal.

    14/08/2020 15:30:11 CHSRVK020I Keys of Safe VaultInternal changed successfully.
    14/08/2020 15:30:11 CHSRVK040I Changing keys for Safe Notification Engine.
    ......
    14/08/2020 15:30:11 CHSRVK020I Keys of Safe Notification Engine changed successfully.
    14/08/2020 15:30:11 CHSRVK054I ChangeServerKeys process was successful. DBParm.ini must be updated to point to new keys for Vault to start.
    14/08/2020 15:30:11 CHSRVK042I ChangeServerKeys process ended.

    C:\Program Files (x86)\PrivateArk\Server>
  2. Modify the ServerKey=HSM#1 in dbparm.ini and start the vault service using the PrivateArk server.
  3. Revert back to local server key:
    ChangeServerKeys.exe <keys_directory> <vault_emergency_password_full_path>
    The <keys_directory> should include the local server.key in the path.
    C:\Program Files (x86)\PrivateArk\Server>ChangeServerKeys.exe C:\Users\sysadmin\Downloads\keys\DemoMasterKeys C:\Users\sysadmin\Downloads\keys\DemoOperatorKeys\VaultEmergency.pass
    Enter HSM keyset or the Cloud Vendor key management (empty if support not needed):
    12/10/2020 13:52:26 CHSRVK041I ChangeServerKeys process started.
    ITADB399I Using encryption algorithms: Advanced Encryption Standard (AES), 256 bit, RSA (2048 bit), SHA2-512 (Protocol Integrity), SHA2-512 (Files Integrity).
    ITADM114I Successfully connected to Database, Database id 0.
    ITAQS031I Object cache is loaded.
    Verify that the current master key is at C:\Users\sysadmin\Downloads\keys\DemoMasterKeys\recprv.key, and press any key.

    Verify new server's master key is at C:\Users\sysadmin\Downloads\keys\DemoMasterKeys, and press any key.

    12/10/2020 13:52:41 CHSRVK043I Signing entropy file C:\PrivateArk\Safes\entropy.rnd with new keys.
    12/10/2020 13:52:42 CHSRVK034I Encrypting server private key.
    12/10/2020 13:52:42 CHSRVK058I Encrypting Backup key.
    12/10/2020 13:52:42 CHSRVK057I Encrypting Database access passwords.
    12/10/2020 13:52:45 CHSRVK020I Keys of Safe System changed successfully.
    12/10/2020 13:52:45 CHSRVK040I Changing keys for Safe System.
    ......
    12/10/2020 13:52:45 CHSRVK020I Keys of Safe System changed successfully.
    12/10/2020 13:52:45 CHSRVK040I Changing keys for Safe Pictures.

    12/10/2020 13:52:45 CHSRVK020I Keys of Safe Pictures changed successfully.
    12/10/2020 13:52:45 CHSRVK040I Changing keys for Safe VaultInternal.

    12/10/2020 13:52:45 CHSRVK020I Keys of Safe VaultInternal changed successfully.
    12/10/2020 13:52:45 CHSRVK040I Changing keys for Safe Notification Engine.
    ......
    12/10/2020 13:52:46 CHSRVK020I Keys of Safe Notification Engine changed successfully.
    12/10/2020 13:52:46 CHSRVK040I Changing keys for Safe newSafe.
    .....
    12/10/2020 13:52:46 CHSRVK020I Keys of Safe newSafe changed successfully.
    12/10/2020 13:52:46 CHSRVK054I ChangeServerKeys process was successful. DBParm.ini must be updated to point to new keys for Vault to start.
    12/10/2020 13:52:46 CHSRVK042I ChangeServerKeys process ended.

 

 

 

Was this article helpful?
0 out of 0 found this helpful