1.0 Introduction
The CyberArk Privilege Account Security Solution integrates seamlessly with Fortanix Data Security Manager (DSM) to enhance the security and accessibility of encryption keys. This document provides the essential information for deploying the Fortanix DSM service in conjunction with the CyberArk Enterprise Password Vault (EPV®) solution. For more information, refer to the Integration Guide available in the Resources section.
2.0 Prerequisites
Before proceeding, ensure the following:
The DSM account is configured. For more details, refer to Section 3.0: Configure Fortanix DSM.
The CyberArk server is installed and operational.
Administrator access on the CyberArk server.
3.0 Configure Fortanix DSM
A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:
3.1 Signing Up
To get started with the Fortanix Data Security Manager (DSM) cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.
For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.
3.2 Creating an Account
Access the <Your_DSM_Service_URL> on the web browser and enter your credentials to log in to the Fortanix DSM.

Figure 1: Logging In
3.3 Creating a Group
Perform the following steps to create a group in the Fortanix DSM:
Click the Groups menu item in the DSM left navigation bar and click the + button on the Groups page to add a new group.
Figure 2: Add Groups
On the Adding new group page, enter the following details:
Title: Enter a title for your group.
Description (optional): Enter a short description for the group.
Click the SAVE button to create the new group.
The new group has been added to the Fortanix DSM successfully.
3.4 Creating an Application
Perform the following steps to create an application (app) in the Fortanix DSM:
Click the Apps menu item in the DSM left navigation bar and click the + button on the Apps page to add a new app.
Figure 3: Add Application
On the Adding new app page, enter the following details:
App name: Enter the name of your application.
ADD DESCRIPTION (optional): Enter a short description for the application.
Authentication method: Select the default API Key as the method of authentication from the drop-down menu. For more information on these authentication methods, refer to the User's Guide: Authentication documentation.
Assigning the new app to groups: Select the group created in Section 3.3: Creating a Group from the list.
Click the SAVE button to add the new application.
The new application has been added to the Fortanix DSM successfully.
3.5 Copying the API Key
Perform the following steps to copy the API key from the Fortanix DSM:
Click the Apps menu item in the DSM left navigation bar and click the app created in Section 3.4: Creating an Application to go to the detailed view of the app.
On the INFO tab, click the VIEW API KEY DETAILS button.
From the API Key Details dialog box, copy the API Key of the app to be used later.
4.0 Download and Configure Fortanix DSM Windows Client
An application can leverage Fortanix DSM to generate, store, and utilize security objects such as cryptographic keys, certificates, or arbitrary secrets. Such applications include web servers, PKI servers, key vaults, and more. Interactions between an application and Fortanix DSM can occur through REST APIs or various providers like PKCS#11, JCE, or CNG. The EPV and Fortanix DSM integrate using the PKCS#11 interface.
Perform the following steps to download and configure the Fortanix DSM Windows client:
The Fortanix DSM client for Windows 64-bit can be downloaded from link.
Install FortanixKmsClient.msi, which installs the Fortanix DSM PKCS#11 library.
Configure the Fortanix DSM URL for communication with the PKCS#11 DLL. Execute the following commands to store the correct values in the registry. Alternatively, you can store the entries in the user registry instead of HKLM (HKEY_LOCAL_MACHINE). Refer to this link for more information.
Fortanix DSM Endpoint:
To configure the Fortanix KMS Server URL for the local machine, run the following command:
C:\"Program Files"\Fortanix\KmsClient\FortanixKmsClientConfig.exe machine --api-endpoint https://<fortanix_dsm_url>
Where <fortanix_dsm_url> refers to the Fortanix DSM service URL. Customers can use the URL for their region from the list here.
To configure the Fortanix KMS Server URL for the current user, run the following command:
C:\"Program Files"\Fortanix\KmsClient\FortanixKmsClientConfig.exe user --api-endpoint https://<fortanix_dsm_url>
The PKCS#11 DLL is installed at C:\"Program Files"\Fortanix\KmsClient\FortanixKmsPkcs11.dll. Configure the path to this file in the CyberArk EPV software in the subsequent steps.
5.0 Configure CyberArk EPV
This section outlines the essential configuration steps required in CyberArk EPV to utilize Fortanix DSM.
5.1 Network Connectivity
Before implementing CyberArk hardening procedures, install the PKCS#11 drivers as described in Section 4.0: Download and Configure Fortanix DSM Windows Client to facilitate HSM integrations such as Fortanix DSM. The CyberArk hardening process, executed through PowerShell scripts, restricts communication to external systems unless it is explicitly allowed. If server hardening is performed before the steps outlined below, communication with Fortanix DSM may be disrupted, leading to operational issues. It is recommended to apply future CyberArk hardening scripts in a development environment before implementing them in production, as they have the potential to disrupt communication with Fortanix DSM.
Perform the following steps to enable communication with Fortanix DSM:
Add the following entry to your Windows hosts file, located at %SystemRoot%\System32\drivers\etc\hosts, replacing <IP Address> and <fortanix_dsm_url> with the DSM IP address and URL:
<IP Address> <fortanix_dsm_url>
In dbparm.ini, found at C:\Program Files (x86)\PrivateArk\Server\Conf\dbparm.ini, allow connectivity to Fortanix DSM through the Windows Firewall by adding a non-standard address entry with the DSM IP address, as shown in the following example:
AllowNonStandardFWAddresses=[xx.xxx.xxx.xxx],Yes,443:inbound/tcp,443:outbound/tcp
The CyberArk hardening process modifies the TLS Cipher Suite, restricting the accepted ciphers for TLS on the host server. Execute the following step after the CyberArk hardening process to restore a common cipher agreed upon by both the host server and Fortanix DSM during TLS connection establishment.
To restore the TLS Cipher Suite, run the following command in Windows PowerShell as the administrator:
Enable-TlsCipherSuite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
To verify the restoration of the cipher, check the list of ciphers, including the one added with the above command, in the Windows Registry under:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL

Figure 1: Enable Communication with Fortanix DSM
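The following PowerShell script is an added pre-flight check for the four conditions this section configures (hosts entry, dbparm.ini firewall exception, TLS cipher suite, TCP 443 reachability); it is not part of the Fortanix or CyberArk documentation. It assumes the <fortanix_dsm_url> placeholder is replaced, uses the dbparm.ini path given above, and relies on the standard Windows cmdlets Get-TlsCipherSuite and Test-NetConnection.

```powershell
# Added pre-flight check, not part of the Fortanix or CyberArk guide.
# Run in an elevated PowerShell on the Vault host, ideally after hardening.
# $DsmHost is a placeholder to replace; $DbParmPath is the path this guide uses.
param(
    [string]$DsmHost    = "<fortanix_dsm_url>",
    [string]$DbParmPath = "C:\Program Files (x86)\PrivateArk\Server\Conf\dbparm.ini",
    [string]$Cipher     = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
)

$hostsFile = Join-Path $env:SystemRoot "System32\drivers\etc\hosts"
$problems  = @()

# 1. hosts file: an uncommented "<IP Address> <fortanix_dsm_url>" line must exist
$pattern    = '^\s*\S+\s+' + [regex]::Escape($DsmHost) + '(\s|$)'
$hostsEntry = Get-Content $hostsFile | Where-Object { $_ -notmatch '^\s*#' -and $_ -match $pattern }
if (-not $hostsEntry) { $problems += "hosts: no entry for $DsmHost in $hostsFile" }

# 2. dbparm.ini: the DSM address must be allowed through the Windows Firewall
$fwLine = Select-String -Path $DbParmPath -Pattern '^\s*AllowNonStandardFWAddresses=' `
              -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $fwLine) { $problems += "dbparm.ini: AllowNonStandardFWAddresses is not set" }
elseif ($fwLine.Line -notmatch '443:outbound/tcp') { $problems += "dbparm.ini: firewall entry lacks 443:outbound/tcp" }

# 3. TLS: hardening disables cipher suites; the one shared with DSM must still be enabled
if (-not (Get-TlsCipherSuite | Where-Object { $_.Name -eq $Cipher })) {
    $problems += "TLS: $Cipher is disabled; run Enable-TlsCipherSuite $Cipher"
}

# 4. network: TCP 443 to the DSM endpoint (resolved through the hosts entry) must succeed
$tcp = Test-NetConnection -ComputerName $DsmHost -Port 443 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) { $problems += "network: TCP 443 to $DsmHost failed" }

if ($problems.Count -eq 0) { Write-Host "OK: Vault host can reach Fortanix DSM"; exit 0 }
$problems | ForEach-Object { Write-Warning $_ }
exit 1
```

A non-zero exit code makes the script usable as a gate in the change procedure after each hardening run.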
5.2 Configure Path to PKCS#11 DLL
Perform the following steps:
Open C:\"Program Files (x86)"\PrivateArk\Server\conf\dbparm.ini using a text editor and add the following entry to dbparm.ini under the HSM section you created:
[HSM]
PKCS11ProviderPath="C:\Program Files\Fortanix\KmsClient\FortanixKmsPkcs11.dll"
5.3 Configure PKCS#11 PIN
Perform the following steps to configure the PKCS#11 PIN:
Create the file C:\key\api_key.txt and add the API key created in Section 3.5: Copying the API Key for the CyberArk integration app from your Fortanix DSM account as <dsm_app_api_key>:
api_key = "<dsm_app_api_key>"
Run the following command to configure the PIN for Fortanix DSM. The program CAVaultManager is located at c:\"program files (x86)"\privateark\server\:
c:\"program files (x86)"\privateark\server\CAVaultManager.exe SecureSecretFiles /SecretType HSM /Secret file://C:\key\api_key.txt
Open dbparm.ini to verify that the HSMPinCode parameter was added with the encrypted value of the PIN.
Stop the PrivateArk Server if it is running.
NOTE
Fortanix advises deleting the file C:\key\api_key.txt as a security best practice after the CyberArk server is started.
5.4 Generate a New Server Key in Fortanix DSM
Perform the following steps:
Run the following command to generate a new server key:
CAVaultManager.exe GenerateKeyOnHSM /ServerKey
The new key ID is mentioned in the response of the command. For example, KeyID=HSM#1.
C:\Program Files (x86)\PrivateArk\Server>CAVaultManager.exe GenerateKeyOnHSM /ServerKey
ITADB399I Using encryption algorithms: Advanced Encryption Standard (AES), 256 bit, RSA (2048 bit), SHA2-512 (Protocol Integrity), SHA2-512 (Files Integrity).
ITADM114I Successfully connected to Database, Database id 0.
CAVLT187I Server Key was successfully generated on HSM device (KeyID=HSM#1).
Verify that the new key has been generated in Fortanix DSM:
Log in to the web interface of Fortanix DSM using your user credentials.
Navigate to the Groups menu in the left-navigation bar and click on the group created earlier during the application creation.
Click the Security Objects tab for the group and locate the new Security-object created by CyberArk EPV.
Click the security object to view its detailed information. The audit log at the bottom right should indicate that the CyberArk EPV application created the key at a specified time.
Modify the ServerKey parameter in dbparm.ini to ServerKey=HSM#1 and start the vault service using the PrivateArk server.
5.5 Re-encrypt Vault
Perform the following steps:
Run the following command to re-encrypt the vault database with the new key:
ChangeServerKeys.exe [keys directory] [full path to VaultEmergency.pass] HSM#1
Here, keys directory is the directory where the Vault keys are located, for example C:\DemoOperatorKeys. The full path to VaultEmergency.pass is the full path to the Vault emergency password file, for example C:\DemoOperatorKeys\VaultEmergency.pass.
For more details, refer to CyberArk documentation.
Sample Output:
C:\WINDOWS\system32> C:\"Program Files (x86)"\Privateark\server\ChangeServerKeys.exe C:\DemoOperatorKeys C:\DemoOperatorKeys\VaultEmergency.pass HSM#1
30/08/2023 11:51:30 CHSRVK041I ChangeServerKeys process started.
ITADB399I Using encryption algorithms: Advanced Encryption Standard (AES), 256 bit, RSA (2048 bit), SHA2-512 (Protocol Integrity), SHA2-512 (Files Integrity).
ITADM114I Successfully connected to Database, Database id 0.
ITAQS031I Object cache is loaded.
HSM generation 1 was chosen, are you sure you want to change server keys to HSM (y/n)? y
Verify that the current master key is at C:\DemoOperatorKeys\RecPrv.key, and press any key.
Verify new server's master key is at C:\DemoOperatorKeys, and press any key.
30/08/2023 11:51:53 CHSRVK043I Signing entropy file C:\PrivateArk\Safes\entropy.rnd with new keys.
30/08/2023 11:51:54 CHSRVK034I Encrypting server private key.
30/08/2023 11:51:54 CHSRVK058I Encrypting Backup key.
30/08/2023 11:51:54 CHSRVK057I Encrypting Database access passwords.
30/08/2023 11:51:58 CHSRVK020I Keys of Safe System changed successfully.
30/08/2023 11:51:58 CHSRVK040I Changing keys for Safe System.
........
...
30/08/2023 11:53:54 CHSRVK020I Keys of Safe AppProviderCacheSafe changed successfully.
30/08/2023 11:53:54 CHSRVK040I Changing keys for Safe ItamarSafe.
.
30/08/2023 11:53:54 CHSRVK020I Keys of Safe ItamarSafe changed successfully.
30/08/2023 11:53:54 CHSRVK040I Changing keys for Safe PasswordManager_Accounts.
.
30/08/2023 11:53:54 CHSRVK020I Keys of Safe PasswordManager_Accounts changed successfully.
30/08/2023 11:53:54 CHSRVK054I ChangeServerKeys process was successful. DBParm.ini must be updated to point to new keys for Vault to start.
30/08/2023 11:53:54 CHSRVK042I ChangeServerKeys process ended.
Set the parameter ServerKey in the file dbparm.ini to the Key ID received in Section 5.4: Generate a New Server Key in Fortanix DSM. For example, ServerKey=HSM#1.
Start the vault service using the PrivateArk server.
5.6 Key Rotation
To rotate the key, follow the procedure outlined in Section 5.5: Re-encrypt Vault.
Ensure that you use the correct Hardware Security Module (HSM) key handle during the key rotation process.
The new key ID is mentioned in the response of the command. For example, KeyID=HSM#2.
C:\"Program Files (x86)"\PrivateArk\Server\CAVaultManager.exe GenerateKeyOnHSM /ServerKey
ITADB518W MaxConcurrentUsersByClientID activated in dbparm.ini.
ITADB399I Using encryption algorithms: Advanced Encryption Standard (AES), 256 bit, RSA (2048 bit), SHA2-512 (Protocol Integrity), SHA2-512 (Files Integrity).
ITADM114I Successfully connected to Database, Database id 0.
CAVLT187I Server Key was successfully generated on HSM device (KeyID=HSM#2).
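The following PowerShell script is an added consistency check for the steps in Sections 5.3 to 5.6 (PKCS#11 provider path, encrypted HSMPinCode, ServerKey matching the KeyID reported by GenerateKeyOnHSM, and removal of the clear-text API key file); it is not part of the Fortanix or CyberArk documentation. It assumes the CAVaultManager GenerateKeyOnHSM output was saved to a file (the path is a placeholder) and that dbparm.ini is at the default path used in this guide; because the guide does not name the dbparm.ini section that holds HSMPinCode and ServerKey, it searches every section.

```powershell
# Added post-change check, not part of the Fortanix or CyberArk guide.
# $GenerateLog is a placeholder: the saved output of CAVaultManager.exe GenerateKeyOnHSM /ServerKey.
param(
    [string]$DbParmPath  = "C:\Program Files (x86)\PrivateArk\Server\Conf\dbparm.ini",
    [string]$GenerateLog = "C:\key\generate_key_output.txt",
    [string]$ApiKeyFile  = "C:\key\api_key.txt"
)

# Minimal INI reader: @{ section = @{ key = value } }; surrounding quotes are stripped from values
function Read-Ini([string]$Path) {
    $ini = @{}; $section = ""; $ini[$section] = @{}
    foreach ($line in Get-Content $Path) {
        if ($line -match '^\s*([;#].*)?$') { continue }                      # blank or comment
        if ($line -match '^\s*\[(.+?)\]\s*$') { $section = $Matches[1]; $ini[$section] = @{}; continue }
        if ($line -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') { $ini[$section][$Matches[1]] = $Matches[2].Trim('"') }
    }
    return $ini
}

# The guide does not say which section holds HSMPinCode or ServerKey, so look in all of them
function Find-IniValue($Ini, [string]$Key) {
    foreach ($s in $Ini.Keys) { if ($Ini[$s].ContainsKey($Key)) { return $Ini[$s][$Key] } }
}

$ini      = Read-Ini $DbParmPath
$problems = @()

# [HSM] PKCS11ProviderPath must point at the installed Fortanix PKCS#11 DLL
$dll = Find-IniValue $ini 'PKCS11ProviderPath'
if (-not $dll -or -not (Test-Path $dll)) { $problems += "PKCS11ProviderPath missing or DLL not found: $dll" }

# HSMPinCode is written by CAVaultManager SecureSecretFiles (the encrypted API key / PIN)
if (-not (Find-IniValue $ini 'HSMPinCode')) { $problems += "HSMPinCode not set; run CAVaultManager SecureSecretFiles first" }

# ServerKey must name the latest KeyID that GenerateKeyOnHSM reported (HSM#1, then HSM#2 after rotation, ...)
$serverKey = Find-IniValue $ini 'ServerKey'
$keyIds = Select-String -Path $GenerateLog -Pattern 'KeyID=(HSM#\d+)' -AllMatches -ErrorAction SilentlyContinue |
          ForEach-Object { $_.Matches } | ForEach-Object { $_.Groups[1].Value }
$latest = $keyIds | Select-Object -Last 1
if (-not $latest) { $problems += "no KeyID=HSM#n found in $GenerateLog" }
elseif ($serverKey -ne $latest) { $problems += "ServerKey=$serverKey but the last generated key is $latest" }

# The clear-text API key file should be gone once the Vault runs with the encrypted HSMPinCode
if (Test-Path $ApiKeyFile) { $problems += "$ApiKeyFile still exists; delete it as the guide advises" }

if ($problems.Count -eq 0) { Write-Host "OK: dbparm.ini is consistent with the generated HSM key"; exit 0 }
$problems | ForEach-Object { Write-Warning $_ }
exit 1
```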
5.7 Revert to the Local Server Key
Perform the following steps:
Stop the PrivateArk server.
Run the following command to revert to the local server key:
ChangeServerKeys.exe <keys_directory> <vault_emergency_password_full_path>
The <keys_directory> should include the localserver.key in the path. The following is a sample output:
C:\Program Files (x86)\PrivateArk\Server>ChangeServerKeys.exe C:\Users\sysadmin\Downloads\keys\DemoMasterKeys C:\Users\sysadmin\Downloads\keys\DemoOperatorKeys\VaultEmergency.pass
Enter HSM keyset or the Cloud Vendor key management (empty if support not needed):
12/10/2020 13:52:26 CHSRVK041I ChangeServerKeys process started.
ITADB399I Using encryption algorithms: Advanced Encryption Standard (AES), 256 bit, RSA (2048 bit), SHA2-512 (Protocol Integrity), SHA2-512 (Files Integrity).
ITADM114I Successfully connected to Database, Database id 0.
ITAQS031I Object cache is loaded.
Verify that the current master key is at C:\Users\sysadmin\Downloads\keys\DemoMasterKeys\recprv.key, and press any key.
Verify new server's master key is at C:\Users\sysadmin\Downloads\keys\DemoMasterKeys, and press any key.
12/10/2020 13:52:41 CHSRVK043I Signing entropy file C:\PrivateArk\Safes\entropy.rnd with new keys.
12/10/2020 13:52:42 CHSRVK034I Encrypting server private key.
12/10/2020 13:52:42 CHSRVK058I Encrypting Backup key.
12/10/2020 13:52:42 CHSRVK057I Encrypting Database access passwords.
12/10/2020 13:52:45 CHSRVK020I Keys of Safe System changed successfully.
12/10/2020 13:52:45 CHSRVK040I Changing keys for Safe System.
......
12/10/2020 13:52:45 CHSRVK020I Keys of Safe System changed successfully.
12/10/2020 13:52:45 CHSRVK040I Changing keys for Safe Pictures.
12/10/2020 13:52:45 CHSRVK020I Keys of Safe Pictures changed successfully.
12/10/2020 13:52:45 CHSRVK040I Changing keys for Safe VaultInternal.
12/10/2020 13:52:45 CHSRVK020I Keys of Safe VaultInternal changed successfully.
12/10/2020 13:52:45 CHSRVK040I Changing keys for Safe Notification Engine.
......
12/10/2020 13:52:46 CHSRVK020I Keys of Safe Notification Engine changed successfully.
12/10/2020 13:52:46 CHSRVK040I Changing keys for Safe newSafe.
.....
12/10/2020 13:52:46 CHSRVK020I Keys of Safe newSafe changed successfully.
12/10/2020 13:52:46 CHSRVK054I ChangeServerKeys process was successful. DBParm.ini must be updated to point to new keys for Vault to start.
12/10/2020 13:52:46 CHSRVK042I ChangeServerKeys process ended.
6.0 References
You can refer to the following documents for more information:
Configure HSM Key Management in a Distributed Vaults Environment
Administer HSM Key Management Integration in Distributed Vaults