Prerequisites
Before integrating the Securosys CloudHSM or an on-premise Primus HSM with CyberArk Privileged Access Manager – Self-Hosted, make sure that all of the requirements listed below are met:
- Existing CyberArk installation
- Primus PKCS#11 Provider v1.8.6 or newer installed on the CyberArk device(s)
- An HSM:
  - Securosys CloudHSM, or
  - Securosys Primus HSM, firmware v2.8.21, v2.10.5 or newer.
Install CyberArk PAM
Obtain and install CyberArk PAM.
Make sure that you have the recovery private key (recprv.key).
The recovery private key is used when a key to a Safe, encrypted with an external key, is forgotten.
Get an HSM
Before you start, you need to have an HSM. This can be an on-premise Primus HSM that you install and configure yourself. Alternatively, Securosys CloudHSM is a managed HSM service, allowing you to get started immediately.
For on-premise HSMs, ensure that:
- The PKCS#11 API is licensed.
- The PKCS#11 API and Session Objects are enabled in the security configuration of your HSM.
Configure the Primus PKCS#11 Provider
Because CyberArk PAM uses the PKCS#11 API to access the HSM, the Primus PKCS#11 API provider needs to be installed and configured on the servers that run CyberArk PAM.
Please follow the PKCS#11 provider installation guide to install and configure the provider.