
Import a Vault Server Key to the HSM

CyberArk PAM uses a server key to open and close the Vault. When the Vault is integrated with a Securosys HSM, this server key is stored in the HSM.

This guide explains how to import an existing server key into the HSM.

Warning: Importing an existing key is not recommended. Instead, generate a new server key directly inside the HSM.

Step-by-step

  • Stop the PrivateArk Server.

  • Navigate to the Server directory and open a command prompt there with administrative privileges.

  • (Optional) For more verbose output from the next step, run the following command first:

    Set CACryptoTrace=1
  • Using CAVaultManager, run the LoadServerKeyToHSM command to upload the server key to the HSM:

    CAVaultManager.exe LoadServerKeyToHSM /WrapKey

    The command generates a new key pair. The public key is used to encrypt the server key, and the private key decrypts it on the HSM device. The private key is deleted from the HSM once the server key has been unwrapped.

    The output should confirm that the server key has been successfully uploaded to the HSM. For example:

    CAVLT143I Server Key was successfully uploaded to HSM device
  • Open the DBParm.ini file located in Server\Conf. Set the ServerKey parameter to use the Securosys CloudHSM:

    ServerKey=HSM
  • Make sure to save the file before starting the PrivateArk Server.

  • Start the PrivateArk Server and verify that there are no errors in the console.

  • Verify that you can log on to the Vault using CyberArk authentication.
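The steps above as one elevated PowerShell script, with the checks a practitioner would add: it waits for the service to stop, refuses to touch DBParm.ini unless the CAVLT143I confirmation appears in the CAVaultManager output, and backs up DBParm.ini before editing it. This is an added example, not Securosys or CyberArk code; the Windows service name and the install path are assumptions to adapt to your environment.

```powershell
# Added example, not from the Securosys/CyberArk documentation. Run from an elevated PowerShell.
$ServiceName = 'PrivateArk Server'                          # assumption: actual service name may differ
$ServerDir   = 'C:\Program Files (x86)\PrivateArk\Server'   # assumption: adjust to your install
$DbParm      = Join-Path $ServerDir 'Conf\DBParm.ini'

# 1. Stop the PrivateArk Server and wait until it is really stopped.
Stop-Service -Name $ServiceName -ErrorAction Stop
(Get-Service -Name $ServiceName).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))

# 2. From the Server directory, enable verbose crypto tracing (same as "Set CACryptoTrace=1"
#    in cmd) and upload the server key to the HSM, capturing the command output.
Push-Location $ServerDir
$env:CACryptoTrace = '1'
$output = & .\CAVaultManager.exe LoadServerKeyToHSM /WrapKey 2>&1 | Out-String
Pop-Location
Write-Host $output

# 3. Only switch the Vault to the HSM key if the upload was confirmed (message CAVLT143I).
if ($output -notmatch 'CAVLT143I') {
    throw 'Server key upload to the HSM was not confirmed; DBParm.ini left unchanged.'
}

# 4. Back up DBParm.ini, then set ServerKey=HSM (replace the existing line or append one).
Copy-Item -Path $DbParm -Destination "$DbParm.bak" -Force
$lines = Get-Content -Path $DbParm
if ($lines -match '^\s*ServerKey\s*=') {
    $lines = $lines -replace '^\s*ServerKey\s*=.*$', 'ServerKey=HSM'
} else {
    $lines += 'ServerKey=HSM'
}
Set-Content -Path $DbParm -Value $lines

# 5. Start the PrivateArk Server and wait for it; then check the console for errors
#    and test a CyberArk-authenticated logon to the Vault manually.
Start-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromMinutes(2))
```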

This completes the migration of the existing server key to the Securosys CloudHSM or an on-premises Primus HSM.
