The CyberArk Privileged Account Security solution integrates with Fortanix Self-Defending Key Management Service™ (SDKMS) to enhance the security and availability of encryption keys. This document contains the information needed to deploy the Fortanix SDKMS service with the CyberArk Enterprise Password Vault (EPV®) solution. For further details, download our integration guide from the Resources.
Add an application corresponding to EPV
An application can use SDKMS to generate, store, and use security objects, such as cryptographic keys, certificates, or an arbitrary secret. Examples of applications include web servers, PKI servers, key vaults, etc. An application can interact with SDKMS using the REST APIs or using the PKCS#11, JCE, or CNG providers. EPV integrates with SDKMS using the PKCS#11 interface. To add an application, you may specify:
• Name of the application (required).
• A short description for the application.
• Choose API Key as the form of authentication.
• Select the group created in the previous step for this application.
Download Fortanix KMS Windows Client and configure it
The Fortanix SDKMS client for Windows 64-bit can be downloaded from https://support.fortanix.com/sdkms/resources.html. FortanixKmsClient.msi installs the SDKMS PKCS#11 library.
The PKCS#11 DLL must be told which SDKMS URL to communicate with. Configure it by running the following command:
"C:\Program Files\Fortanix\KmsClient\FortanixKmsClientConfig.exe" machine --api-endpoint https://sdkms.<your-domain.com>
The PKCS#11 DLL is installed at C:\Program Files\Fortanix\KmsClient\FortanixKmsPkcs11.dll. The path to this file needs to be configured in the CyberArk EPV software in the next steps.
CyberArk EPV configuration
The following steps describe the configuration required in CyberArk EPV to use SDKMS.
For network access, add the following line to your Windows hosts file on
<IP Address> sdkms.<your-domain>.com
Add the following line to the file
C:\Program Files (x86)\PrivateArk\Server\dbparm.ini
Restart the Vault using the PrivateArk Server.
Configure path to PKCS#11 DLL
Browse to and open the following file:
C:\Program Files (x86)\PrivateArk\Server\dbparm.ini
At the bottom of the file, add the following lines:
[HSM]
PKCS11ProviderPath="C:\Program Files\Fortanix\KmsClient\FortanixKmsPkcs11.dll"
Save the dbparm.ini file and close it.
Configure PKCS#11 PIN
Run the following command to configure the PIN for SDKMS. The program CAVaultManager is located at C:\Program Files (x86)\PrivateArk\Server.
CAVaultManager SecureSecretFiles /SecretType HSM /Secret <hsmpincode>
The “hsmpincode” corresponds to the API key for the application generated in Section 4.4. CyberArk restricts the length of the “hsmpincode” to 50 characters, so using the API key itself as the parameter for “/Secret” throws an error. The workaround is to create a file “C:\tmp\apikey.txt” with the contents:
api_key = "FEL/ME…j+bt7"
Then use file://C:\tmp\apikey.txt as the “hsmpincode”. Open dbparm.ini to verify that the HSMPinCode parameter was added with the encrypted value of the PIN.
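A post-configuration check for the settings above, as an added example (not CyberArk or Fortanix code): it confirms that dbparm.ini names an existing PKCS#11 DLL, that HSMPinCode was written, and that C:\tmp\apikey.txt, which holds the API key in plaintext, is not accessible to broad groups. The function names are hypothetical, and the group names assume an English-language Windows install.

```powershell
# Added example, not CyberArk or Fortanix code. Paths are the ones used on this page.
$DbParm  = 'C:\Program Files (x86)\PrivateArk\Server\dbparm.ini'
$KeyFile = 'C:\tmp\apikey.txt'

function Get-IniValues {                      # hypothetical helper
    param([string[]]$Lines)
    # Collect key=value pairs from every section; lines without '=' are ignored.
    $values = @{}                             # PowerShell hashtables are case-insensitive
    foreach ($line in $Lines) {
        $t = $line.Trim() -replace '^\[[^\]]*\]\s*', ''   # drop a leading [section] header
        $name, $value = $t -split '=', 2
        if ($null -ne $value) { $values[$name.Trim()] = $value.Trim().Trim('"') }
    }
    return $values
}

function Get-BroadAclEntries {                # hypothetical helper
    param([string]$Path)
    # Any Allow entry for these principals exposes the plaintext API key to ordinary accounts.
    # Assumption: English principal names; localized installs use different names.
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $broad -contains $_.IdentityReference.Value
    }
}

$cfg = Get-IniValues (Get-Content -LiteralPath $DbParm)

$dll = $cfg['PKCS11ProviderPath']
if (-not $dll) {
    Write-Warning 'PKCS11ProviderPath is not set in dbparm.ini'
} elseif (-not (Test-Path -LiteralPath $dll -PathType Leaf)) {
    Write-Warning "PKCS11ProviderPath points to a missing file: $dll"
} else {
    Write-Output "PKCS11ProviderPath OK: $dll"
}

if ($cfg['HSMPinCode']) { Write-Output 'HSMPinCode is present in dbparm.ini' }
else { Write-Warning 'HSMPinCode not found; run CAVaultManager SecureSecretFiles first' }

if (Test-Path -LiteralPath $KeyFile) {
    $exposed = @(Get-BroadAclEntries $KeyFile)
    foreach ($e in $exposed) {
        Write-Warning "$KeyFile grants $($e.FileSystemRights) to $($e.IdentityReference)"
    }
    if ($exposed.Count -eq 0) { Write-Output "$KeyFile has no Allow entries for broad groups" }
} else {
    Write-Warning "$KeyFile does not exist"
}
```

Run it from an elevated PowerShell session on the Vault server after completing the PIN step.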
Generate a new key in SDKMS
The following instructions assume the CyberArk Vault is already hardened.
1. Stop the vault.
2. Generate a new Operator Key in the Fortanix HSM:
• CAVaultManager GenerateKeyOnHSM /ServerKey
• Record the HSM slot number returned by the command (HSM#2 in the example)
3. Verify that the new key has been generated in SDKMS. To do this, log in to the web interface of SDKMS using your user credentials and go to the groups tab. Click on the group created in Section 4.3 to see a detailed view of the objects in the group. Go to the security objects tab for the group and find the new security object created by CyberArk EPV. Click on the security object to see its detailed view. On the bottom right, there should be an audit log entry stating that the key was created by the CyberArk EPV application at a specified time.
4. Make sure the master key is in the CD, then use the ChangeServerKeys command to re-encrypt the vault with the new key:
If the command executes successfully, the vault is now encrypted with the new key that was generated in the HSM. Modify the ServerKey in the DBPARM.INI:
5. Start the Vault service using the PrivateArk Server.