CyberArk's Privileged Account Security solution integrates with Fortanix Self-Defending Key Management Service™ (Self-Defending KMS) to enhance the security and availability of encryption keys. This document contains the information needed to deploy the Fortanix Self-Defending KMS service with the CyberArk Enterprise Password Vault (EPV®) solution. For further details, download our integration guide from the Resources.
Add an application corresponding to EPV
An application can use Self-Defending KMS to generate, store, and use security objects, such as cryptographic keys, certificates, or an arbitrary secret. Examples of applications include web servers, PKI servers, key vaults, etc. An application can interact with Self-Defending KMS using the REST APIs or using the PKCS#11, JCE, or CNG providers. EPV integrates with Self-Defending KMS using the PKCS#11 interface. To add an application, you may specify:
• Name of the application (required).
• A short description of the application.
• Choose API Key as the form of authentication.
• Select the group created in the previous step for this application.
Download Fortanix KMS Windows Client and configure it
The Fortanix Self-Defending KMS client for Windows 64-bit can be downloaded from https://support.fortanix.com/sdkms/resources.html. FortanixKmsClient.msi installs the Self-Defending KMS PKCS#11 library.
The PKCS#11 DLL needs to be configured with the URL of the Self-Defending KMS it should communicate with. This is done by running the following command:
C:\Program Files\Fortanix\KmsClient\FortanixKmsClientConfig.exe machine --api-endpoint https://sdkms.<your-domain>.com
The PKCS#11 DLL is installed at C:\Program Files\Fortanix\KmsClient\FortanixKmsPkcs11.dll. The path to this file needs to be configured in the CyberArk EPV software in the next steps.
CyberArk EPV configuration
The following steps describe the configuration that needs to be done at CyberArk EPV to use Self-Defending KMS.
For network access, add the following line to your Windows hosts file:
<IP Address> sdkms.<your-domain>.com
Add the following line to the file
C:\Program Files (x86)\PrivateArk\Server\dbparm.ini
Restart the Vault using the PrivateArk Server.
Configure path to PKCS#11 DLL
Browse to and open the following file:
C:\Program Files (x86)\PrivateArk\Server\dbparm.ini
At the bottom of the file, add the following lines:
[HSM]
PKCS11ProviderPath="C:\Program Files\Fortanix\KmsClient\FortanixKmsPkcs11.dll"
Save the dbparm.ini file and close it.
Configure PKCS#11 PIN
Run the following command to configure the PIN for Self-Defending KMS. The program CAVaultManager is located at C:\Program Files (x86)\PrivateArk\Server:
CAVaultManager SecureSecretFiles /SecretType HSM /Secret <hsmpincode>
The "hsmpincode" corresponds to the API key of the application generated in Section 4.4. CyberArk restricts the length of the "hsmpincode" to 50 characters, so passing the API key directly as the "/Secret" parameter throws an error. The workaround is to create a file "C:\tmp\apikey.txt" with the contents:
api_key = "FEL/ME…j+bt7"
and pass file://C:\tmp\apikey.txt as the "hsmpincode". Open dbparm.ini to verify that the HSMPinCode parameter was added with the encrypted value of the PIN.
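The following Python script is an added example, not part of the Fortanix guide or of CyberArk's tooling: it applies the 50-character workaround described above (writing the API key to a file and returning the file:// reference to pass as "hsmpincode") and checks that a dbparm.ini fragment carries the [HSM] settings this section adds. The DLL path and the 50-character limit are taken from the guide; the API key and the dbparm.ini content are constructed samples, and the CAVaultManager call itself is not performed.

```python
import configparser
import tempfile
from pathlib import Path

CYBERARK_PIN_MAX = 50  # CyberArk limit on the /Secret value, as stated in the guide
PKCS11_DLL = r"C:\Program Files\Fortanix\KmsClient\FortanixKmsPkcs11.dll"  # install path from the guide


def hsm_pincode_for(api_key: str, key_file: Path) -> str:
    """Return the <hsmpincode> value for CAVaultManager SecureSecretFiles.

    A key within the limit is passed as-is; a longer key is written to key_file as
    api_key = "..." and referenced by file:// URI, the workaround the guide describes.
    """
    if len(api_key) <= CYBERARK_PIN_MAX:
        return api_key
    key_file.parent.mkdir(parents=True, exist_ok=True)
    # The file holds the application credential in clear text; keep it readable
    # only by the account running the Vault service (ACL handling not shown here).
    key_file.write_text(f'api_key = "{api_key}"\n', encoding="utf-8")
    return f"file://{key_file}"


def check_dbparm(ini_text: str) -> dict:
    """Report whether dbparm.ini carries the [HSM] settings the guide adds."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    if not cp.has_section("HSM"):
        return {"provider_path_ok": False, "pin_encrypted": False}
    hsm = cp["HSM"]  # configparser matches option names case-insensitively
    path = hsm.get("PKCS11ProviderPath", "").strip('"')
    return {
        "provider_path_ok": path.lower() == PKCS11_DLL.lower(),
        # CAVaultManager stores HSMPinCode encrypted; only its presence is checked here
        "pin_encrypted": bool(hsm.get("HSMPinCode", "").strip()),
    }


def demo() -> dict:
    """Run the workaround with a constructed 64-character key in a temp directory."""
    fake_key = "X" * 64  # constructed placeholder, not a real API key
    with tempfile.TemporaryDirectory() as tmp:
        key_file = Path(tmp) / "apikey.txt"
        pin = hsm_pincode_for(fake_key, key_file)
        contents = key_file.read_text(encoding="utf-8")
    sample_ini = (  # constructed dbparm.ini fragment; a real HSMPinCode is ciphertext
        f'[MAIN]\nVaultID=1\n\n[HSM]\nPKCS11ProviderPath="{PKCS11_DLL}"\n'
        "HSMPinCode=ENCRYPTED_PLACEHOLDER\n"
    )
    return {"pin": pin, "contents": contents, "dbparm": check_dbparm(sample_ini)}
```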
Generate a new key in Self-Defending KMS
The following instructions assume the CyberArk Vault is already hardened.
1. Stop the vault.
2. Generate a new Operator Key in the Fortanix HSM:
• CAVaultManager GenerateKeyOnHSM /ServerKey
• Record the HSM slot number returned by the command (HSM#2 in the example)
3. Verify that the new key has been generated in Self-Defending KMS. To do this, log in to the web interface of Self-Defending KMS using your user credentials and go to the Groups tab. Click the group created in Section 4.3 to see a detailed view of the objects in the group. Go to the security objects tab for the group and find the new security object created by CyberArk EPV. Click on the security object to see its detailed view. On the bottom right, there should be an audit log entry stating that the key was created by the CyberArk EPV application at a specified time.
4. Make sure the master key is in the CD, then use the ChangeServerKeys command to re-encrypt the vault with the new key:
If successfully executed, the vault is now encrypted with the new key that was generated in the HSM. Modify the ServerKey in the DBPARM.INI:
5. Start the Vault service using the PrivateArk Server