Generate a Vault Server Key on the HSM
CyberArk PAM uses a server key to open and close the Vault. When the Vault is integrated with a Securosys HSM, this server key is stored in the HSM.
This guide explains how to generate the server key directly in the HSM. This has the advantage that the key is generated by a true random number generator and never leaves the HSM. To import an existing key into the HSM instead, see this tutorial (not recommended).
Step-by-step
- Stop the PrivateArk Server.
- Navigate to the Server directory. Within that directory, open a command prompt with administrative privileges.
- (Optional) For more verbose output when generating the new server key on the HSM, set the following variable first:

  ```
  Set CACryptoTrace=1
  ```

- Run the `GenerateKeyOnHSM` command of `CAVaultManager` to generate a new server key:

  ```
  CAVaultManager.exe GenerateKeyOnHSM /ServerKey
  ```

  Make sure that the result confirms that the server key was successfully generated on the HSM. You should see the following output:

  ```
  ITADB399I Using encryption algorithms: Advanced Encryption Standard (AES), 256 bit, RSA (2048 bit), SHA2-512 (Protocol Integrity), SHA2-512 (Files Integrity).
  ITADM114I Successfully connected to Database, Database id 0.
  CAVLT187I Server Key was successfully generated on HSM device (KeyID=HSM#X).
  ```

- Write down the HSM Key Generation Number `HSM#X` returned in the command output, as it is needed in the next steps.
- Mount the recovery private key (`recprv.key`) to the Vault server.
- Open the `DBParm.ini` file located in `C:\Program Files (x86)\PrivateArk\Server\Conf`.
- Set the `RecoveryPrvKey` parameter to the location of the recovery private key and save the file. Example:

  ```
  [MAIN]
  …
  RecoveryPrvKey=D:\recprv.key
  …
  ```
- Navigate to the Server directory. In the directory open a command prompt with administrative privileges.
- Change the existing server key to your newly generated key by running the following command:

  ```
  ChangeServerKeys.exe <keys directory> <full path to VaultEmergency.pass> HSM#X
  ```

  | Parameter | Description |
  |---|---|
  | `<keys directory>` | The directory where the Vault keys are located. |
  | `<full path to VaultEmergency.pass>` | The full path to the Vault emergency password file. |
  | `HSM#X` | Replace the X with the HSM Key Generation Number. |

  Ensure the command output confirms that the server key change was successful, as in the following example of a successfully changed key:

  ```
  CHSRVK054I ChangeServerKeys process was successful. DBParm.ini must be updated to point to new keys for Vault to start.
  CHSRVK042I ChangeServerKeys process ended.
  ```
- Open the `DBParm.ini` file and set the `ServerKey` parameter. Replace `HSM#X` with your HSM Key Generation Number:

  ```
  ServerKey=HSM#X
  ```
- Make sure to save the file before starting the PrivateArk Server.
- Start the PrivateArk Server and confirm that no errors are printed to the console.
- Verify that you can log on to the Vault using CyberArk authentication.
- Unmount the recovery private key and revert the `RecoveryPrvKey` parameter in `DBParm.ini` to its default value (`d:\recprv.key`).
The original server key is no longer in use, and a key safely secured in the HSM is now in operation.
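As an added post-change check that is not part of this guide or of the CyberArk tooling, the following PowerShell script compares the KeyID reported by CAVaultManager with the ServerKey value in DBParm.ini and confirms that the recovery private key file is no longer reachable before the Vault is started. The command output and the DBParm.ini excerpt embedded in it are constructed samples; on a real Vault server they would be read from the captured log and the configuration file.

```powershell
# Added check, not part of the Securosys guide or the CyberArk tools.
# Verifies DBParm.ini against the KeyID that CAVaultManager reported and
# that the recovery private key is unmounted before the Vault is started.

# Constructed sample of the CAVaultManager output; on a real Vault capture it with
#   CAVaultManager.exe GenerateKeyOnHSM /ServerKey > gen.log
$GenerateOutput = @'
ITADM114I Successfully connected to Database, Database id 0.
CAVLT187I Server Key was successfully generated on HSM device (KeyID=HSM#3).
'@

# Constructed DBParm.ini excerpt; on the Vault use
#   $IniText = Get-Content -Raw 'C:\Program Files (x86)\PrivateArk\Server\Conf\DBParm.ini'
$IniText = @'
[MAIN]
ServerKey=HSM#3
RecoveryPrvKey=d:\recprv.key
'@

function Get-HsmKeyId {
    param([string]$Output)
    # Only CAVLT187I proves the key was generated; extract the HSM#X it reports.
    if ($Output -match 'CAVLT187I .*\(KeyID=(HSM#\d+)\)') { return $Matches[1] }
    throw 'CAVLT187I not found: the server key was not generated on the HSM.'
}

function Get-MainSection {
    param([string]$Ini)
    # Minimal INI reader for the [MAIN] section (key=value, first occurrence wins).
    $main = @{}; $inMain = $false
    foreach ($line in $Ini -split "`r?`n") {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inMain = ($Matches[1] -eq 'MAIN'); continue }
        if ($inMain -and $t -match '^([^=;]+)=(.*)$') {
            $k = $Matches[1].Trim()
            if (-not $main.ContainsKey($k)) { $main[$k] = $Matches[2].Trim() }
        }
    }
    return $main
}

$keyId  = Get-HsmKeyId -Output $GenerateOutput
$main   = Get-MainSection -Ini $IniText
$issues = @()
if ($main['ServerKey'] -ne $keyId) {
    $issues += "ServerKey is '$($main['ServerKey'])' but CAVaultManager reported '$keyId'"
}
# The recovery key must be unmounted again: the file it points to must not be reachable.
if ($main['RecoveryPrvKey'] -and (Test-Path -LiteralPath $main['RecoveryPrvKey'])) {
    $issues += "Recovery private key is still mounted at '$($main['RecoveryPrvKey'])'"
}
if ($issues.Count -eq 0) { "OK: DBParm.ini references $keyId and recprv.key is unmounted." }
else { $issues | ForEach-Object { "CHECK FAILED: $_" } }
```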