Fortanix DSM and CyberArk Enterprise Password Vault®

Prerequisites

Add the following to Windows environment variables:

For new deployments, please review the Fortanix Data Security Manager Installation Guide for prerequisites and deployment procedures. Once complete you can review the instructions for getting started: https://support.fortanix.com/hc/en-us/articles/360015809372-Getting-Started-with-DSM

• FORTANIX_API_ENDPOINT=https://<fortanix_dsm_url>
• FORTANIX_PKCS11_LOG_FILE=C:\Program Files\Fortanix\KmsClient\logs\debug_pkcs.txt
• FORTANIX_PKCS11_LOG_LEVEL=debug
• FORTANIX_PKCS11_NUM_SLOTS=1
• CyberArk EPV configuration

Fortanix Data Security Manager Configuration for Cyber

Sign up for Fortanix Data Security Manager

Your Fortanix Data Security Manager installation should now be accessible from the browser at

https://dsm.<your-domain.com>.

Sign up as a user on this site.

Create an account

Use your credentials to login to Fortanix Data Security Manager. Here you can create a new account or accept an invitation to join another account. After entering an account, you can view and manage groups, users, applications, and security objects belonging to the account.

If you have a newly-created account, use the following steps to add your first group and application to Fortanix Data Security Manager .

Add a group

A group is a collection of security objects created by and accessible by users and applications which belong to the group. The user who creates a group automatically gets assigned the role of the group administrator. You can add more users to the group in the role of administrators or auditors. You can also add applications to the group to enable the applications to create and use security objects in that group.

To add a group, you may specify:

• The title of the group (required).
• A short description for the group (required).
• Users in your account as members.
• Applications in your account to add to the group so that they can use the security objects in the group.

Add an application corresponding to EPV

An application can use Fortanix Data Security Manager to generate, store, and use security objects, such as cryptographic keys, certificates, or an arbitrary secret. Examples of applications include web servers, PKI servers, key vaults, etc. An application can interact with Fortanix Data Security Manager using the REST APIs or using the PKCS#11, JCE, or CNG providers.

EPV integrates with Fortanix Data Security Manager using the PKCS#11 interface.

To add an application, you may specify:

• Name of the application (required).
• A short description for the application.
• Choose API Key as the form of authentication.
• Select the group created in the previous step for this application.

Download Fortanix KMS Windows Client and configure it

The Fortanix DSM client for Windows 64-bit can be downloaded from https://support.fortanix.com/hc/en-us/articles/360018312391-PKCS-11.

FortanixKmsClient.msi installs the Fortanix Data Security Manager PKCS#11 library.

The Fortanix DSM URL needs to be configured for the PKCS#11 DLL to communicate with. This is done by running the following command:

C:\Program Files\Fortanix\KmsClient\FortanixKmsClientConfig.exe machine –-api-endpoint https://<fortanix_dsm_url>

The PKCS#11 DLL gets installed in C:\Program Files\Fortanix\KmsClient\FortanixKmsPkcs11.dll. The path to this file needs to be configured in the CyberArk EPV software in the next steps.

CyberArk EPV configuration

The following steps describe the configuration that needs to be done at CyberArk EPV to use Fortanix Data Security Manager.

Network Connectivity

Allow the Fortanix DSM IP by adding a non-standard address entry in the [MAIN] section of dbparm.ini

C:\Program Files (x86)\PrivateArk\Server\conf\dbparm.ini 
AllowNonStandardFWAddresses=[xx.xxx.xxx.xxx],Yes,443:inbound/tcp,443:outbound/tcp

Configure path to PKCS#11 DLL

To configure the path to PKCS#11 DLL, browse and open the following file C:\Program Files (x86)\PrivateArk\Server\conf\dbparm.iniadd an entry to dbparm.ini at the bottom of the file:

[HSM]
PKCS11ProviderPath=”C:\Program Files\Fortanix\KmsClient\FortanixKmsPkcs11.dll”

Restart the PrivateArk Server.

Set the HSM credential:

c:\'program files (x86)'\privateark\server\CAVaultManager.exe SecureSecretFiles /SecretType HSM /Secret file:
//C:\key\api_key.txt
 

Stop the PrivateArk Server.

Configure PKCS#11 PIN

Run the following command to configure the PIN for Fortanix Data Security Manager. The program CAVaultManager is located at :

C:\Program Files (x86)\PrivateArk\Server.
CAVaultManager SecureSecretFiles /SecretType HSM /Secret

The hsmpincode corresponds to the API key for the application generated in Section: Add an application corresponding to EPV. CyberArk restricts the length of the hsmpincode to 50 characters, so using the API Key as the parameter for /Secret throws an error. The workaround for this is to create a file C:\tmp\apikey.txt with the contents:

api_key = “FEL/ME…j+bt7”

Then, use file://C:\tmp\apikey.txt as the hsmpincode. Open dbparm.ini to verify that HSMPinCode parameter was added with the encrypted value of the PIN.

Generate a new key in Fortanix Data Security Manager

The following instructions assume the CyberArk Vault is already hardened.

• Stop the vault.
• Generate a new Operator Key in the Fortanix HSM:

CAVaultManger GenerateKeyOnHSM /ServerKey

• Record the HSM slot number returned by the command (HSM#2 in the example)

• Verify that the new key has been generated in Fortanix DSM. To do this, log in to the web interface of Fortanix DSM using your user credentials and go to the Group tab. Click the group created earlier in Section: Add a group to see a detailed view of objects in the group. Go to the Security Objects tab for the group, and find the new security object created by CyberArk EPV. Click on the security object to see the detailed view of the security object. On the bottom right, an audit log should state that the CyberArk EPV application created the key at a specified time.

Re-encrypt Vault

Re-encrypt the vault database with the new key:

Run the ChangeServerKeys.exe [keys directory] [full path to VaultEmergency.pass] HSM command:

14/08/2020 15:30:07 CHSRVK043I Signing entropy file C:\PrivateArk\Safes\entropy.rnd with new keys.
14/08/2020 15:30:08 CHSRVK034I Encrypting server private key.
14/08/2020 15:30:08 CHSRVK058I Encrypting Backup key.
14/08/2020 15:30:08 CHSRVK057I Encrypting Database access passwords.
14/08/2020 15:30:11 CHSRVK020I Keys of Safe System changed successfully.
14/08/2020 15:30:11 CHSRVK040I Changing keys for Safe System.
......
14/08/2020 15:30:11 CHSRVK020I Keys of Safe System changed successfully.
14/08/2020 15:30:11 CHSRVK040I Changing keys for Safe Pictures.

14/08/2020 15:30:11 CHSRVK020I Keys of Safe Pictures changed successfully.
14/08/2020 15:30:11 CHSRVK040I Changing keys for Safe VaultInternal.

14/08/2020 15:30:11 CHSRVK020I Keys of Safe VaultInternal changed successfully.
14/08/2020 15:30:11 CHSRVK040I Changing keys for Safe Notification Engine.
......
14/08/2020 15:30:11 CHSRVK020I Keys of Safe Notification Engine changed successfully.
14/08/2020 15:30:11 CHSRVK054I ChangeServerKeys process was successful. DBParm.ini must be updated to point to new keys
for Vault to start.
14/08/2020 15:30:11 CHSRVK042I ChangeServerKeys process ended.

C:\Program Files (x86)\PrivateArk\Server>

Modify the ServerKey=HSM#1 in dbparm.ini and start the vault service using the PrivateArk server.

Revert back to local server key:

ChangeServerKeys.exe <keys_directory><vault_emergency_password_full_path>

The <keys_directory>should include the local server.key in the path.

C:\Program Files (x86)\PrivateArk\Server>ChangeServerKeys.exe C:\Users\sysadmin\Downloads\keys\DemoMasterKeys
C:\Users\sysadmin\Downloads\keys\DemoOperatorKeys\VaultEmergency.pass
Enter HSM keyset or the Cloud Vendor key management (empty if support not needed):
12/10/2020 13:52:26 CHSRVK041I ChangeServerKeys process started.
ITADB399I Using encryption algorithms: Advanced Encryption Standard (AES), 256 bit, RSA (2048 bit), SHA2-512 (Protocol
Integrity), SHA2-512 (Files Integrity).
ITADM114I Successfully connected to Database, Database id 0.
ITAQS031I Object cache is loaded.
Verify that the current master key is at C:\Users\sysadmin\Downloads\keys\DemoMasterKeys\recprv.key, and press any key.

Verify new server's master key is at C:\Users\sysadmin\Downloads\keys\DemoMasterKeys, and press any key.

12/10/2020 13:52:41 CHSRVK043I Signing entropy file C:\PrivateArk\Safes\entropy.rnd with new keys.
12/10/2020 13:52:42 CHSRVK034I Encrypting server private key.
12/10/2020 13:52:42 CHSRVK058I Encrypting Backup key.
12/10/2020 13:52:42 CHSRVK057I Encrypting Database access passwords.
12/10/2020 13:52:45 CHSRVK020I Keys of Safe System changed successfully.
12/10/2020 13:52:45 CHSRVK040I Changing keys for Safe System.
......
12/10/2020 13:52:45 CHSRVK020I Keys of Safe System changed successfully.
12/10/2020 13:52:45 CHSRVK040I Changing keys for Safe Pictures.

12/10/2020 13:52:45 CHSRVK020I Keys of Safe Pictures changed successfully.

12/10/2020 13:52:45 CHSRVK040I Changing keys for Safe VaultInternal.
12/10/2020 13:52:45 CHSRVK020I Keys of Safe VaultInternal changed successfully.
12/10/2020 13:52:45 CHSRVK040I Changing keys for Safe Notification Engine.
......
12/10/2020 13:52:46 CHSRVK020I Keys of Safe Notification Engine changed successfully.
12/10/2020 13:52:46 CHSRVK040I Changing keys for Safe newSafe.
.....
12/10/2020 13:52:46 CHSRVK020I Keys of Safe newSafe changed successfully.
12/10/2020 13:52:46 CHSRVK054I ChangeServerKeys process was successful. DBParm.ini must be updated to point to new keys
for Vault to start.
12/10/2020 13:52:46 CHSRVK042I ChangeServerKeys process ended.