How to Configure and Integrate Luna HSM with CyberArk Vault?
Luna HSM and CyberArk Vault integration is a significant improvement in strengthening the key management system. Luna HSM is a hardware-based cryptographic key storage solution that is a good fit for the CyberArk Privileged Access Management solution.
For this integration, begin by installing the Luna client on the CyberArk Vault server. This client mediates all interaction between the CyberArk Vault and the Luna HSM, and it must be configured (HSM server registration and client/server certificates) before it can establish a trusted communication link with the HSM.
The next step is to update the CyberArk Vault configuration files, namely PARagent.ini and DBParm.ini, to enable the Luna HSM and direct encryption/decryption operations to it. CyberArk reads these parameters to determine that the HSM is used for key storage and management.
Once the configuration is done, generate and store all the required cryptographic keys in the Luna HSM. It is imperative to test the integration so that CyberArk will be capable of executing cryptographic operations with the keys kept within the HSM.
Restart the CyberArk Vault services so that the configuration changes take effect. This integration not only strengthens security by moving key management into hardware but also follows recommended best practices for protecting sensitive data and privileged credentials.
The reader should consult the official documentation from Thales and CyberArk at the time of reading this text for more details and guidance.
Prerequisites
Luna HSM Setup:
Hardware and Network:
Check that the Luna HSM appliance is physically deployed and connected to your network environment: confirm the power supply, verify that the network connection is established, and review any relevant hardware settings.
Initial Configuration:
Day 1 tasks include initializing the Luna HSM, creating the Security Officer (SO) account, creating the HSM partitions, and verifying the network configuration.
Firmware and Software Updates:
Verify that the HSM firmware and software are of the current version and as recommended by Thales.
CyberArk Vault Setup:
Installed and Configured:
The technical implementation, specifically the CyberArk Privileged Access Security (PAS) solution, should be installed and set up. This entails deploying the CyberArk Digital Vault, Privileged Session Manager (PSM), and Central Policy Manager (CPM), amongst other components.
Version Compatibility:
Check that the CyberArk Vault edition you use supports the Luna HSM and its client software.
Software Requirements:
Luna HSM Client:
Obtain the latest Luna HSM client software from the Thales website. Before proceeding, make sure the client version is compatible with both your Luna HSM appliance (and its firmware) and the CyberArk Vault version in use.
Operating System:
The CyberArk Vault server must run an operating system that is supported by both the Luna HSM client software and the CyberArk Vault. Check operating system compatibility in both vendors’ manuals.
User Accounts and Permissions:
Admin Access:
Make sure that you have administrator privileges on the CyberArk Vault server, since installing the client software and editing the configuration files require them.
HSM User Accounts:
Create the necessary HSM user accounts in advance and make sure you hold the roles needed to manage the HSM, e.g., Security Officer and Crypto Officer.
Security and Compliance:
Policies:
Revise established security policies for compliance with the addition of an HSM solution utilizing CyberArk Vault. These cover key management policies, access control policies, as well as audit logging policies.
Compliance:
All integrations should take data protection requirements into account, including industry regulations such as PCI-DSS, HIPAA, and GDPR.
Documentation and Support:
Vendor Documentation:
Collect and read the latest documentation from both Thales (for the Luna HSM) and CyberArk (for the Vault integration). This provides clear guidelines and procedures to follow, as well as advice on doing the integration correctly.
Support Contacts:
Make sure you have the primary support contact details for both Thales and CyberArk readily available in case vendor support is required during the integration.
Steps to Configure and Integrate Luna HSM
Here are the comprehensive guidelines we recommend using when integrating Luna HSM with CyberArk Vault.
Step 1: Install the Luna Client on the CyberArk Vault Server
Download Luna Client:
Since there are many HSM and CyberArk Vault versions, go to the Thales website and download the Luna client software version that matches your Luna HSM and your CyberArk Vault version.
Install Luna Client:
- Copy the downloaded installer to your CyberArk Vault server machine.
- Run the installer and follow the on-screen prompts. This usually requires accepting the software license agreement and choosing the installation directory.
Verify Installation:
To confirm that the Luna client software is installed correctly, check the installation directory and run the client’s basic utilities to ensure they execute properly.
Step 2: Configure the Luna Client
Initialize Connection:
To configure the connection to the HSM, use the Luna client tool `vtl`, for example:
vtl addServer -n <HSM_Server_IP_Address> -c <HSM_server_certificate.pem>
This registers the HSM server with the client; the configuration also covers the client’s and server’s IP addresses and the exchange of client and server certificates.
Test Connection:
Confirm that the Luna client is connected and communicating with the HSM using the client utilities:
vtl verify
Partition Configuration:
Set up the HSM partition that CyberArk will use. This may include creating the partition and creating the cryptographic objects it will hold, such as keys and certificates.
Step 3: Set Up CyberArk to Work with Luna HSM
Modify PARagent.ini Configuration File:
Locate the `PARagent.ini` file on your CyberArk Vault server and add the HSM settings to it. The file is generally located in the CyberArk installation directory, in a subdirectory such as `Conf`.
[General]
HSMEnabled=YES
HSMType=Luna
HSMDevice=/dev/lunadev
Make the changes, then save and close the file.
Modify the DBParm.ini File:
Locate the `DBParm.ini` file, which is typically located in the same `Conf` folder, and add the key management settings.
[KeyManagement]
KeySecureProvider=HSM
HSMModule=Luna
Make the necessary changes, then save and close the file.
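A small pre-restart check that both files carry the HSM settings listed above. This is an added example, not CyberArk or Thales tooling; the section and key names are the ones this article shows, and the two sample files are constructed.

```python
"""Check that PARagent.ini and DBParm.ini contain the Luna HSM settings
described in the article. Added example; key names are taken from the
article, the sample file contents below are constructed."""
import configparser
from typing import List, Tuple

# Expected (section, key, value) triples per file, as listed in the article.
EXPECTED = {
    "PARagent.ini": [("General", "HSMEnabled", "YES"),
                     ("General", "HSMType", "Luna"),
                     ("General", "HSMDevice", "/dev/lunadev")],
    "DBParm.ini": [("KeyManagement", "KeySecureProvider", "HSM"),
                   ("KeyManagement", "HSMModule", "Luna")],
}


def check_hsm_settings(name: str, text: str) -> List[str]:
    """Return findings for one ini file; an empty list means it matches."""
    findings: List[str] = []
    # No interpolation: Vault ini values may legitimately contain '%'.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        return [f"{name}: cannot parse file ({exc.__class__.__name__})"]
    # Section names are compared case-insensitively; option names already are.
    sections = {s.lower(): s for s in cp.sections()}
    for section, key, want in EXPECTED[name]:
        real = sections.get(section.lower())
        if real is None:
            findings.append(f"{name}: missing [{section}] section")
            continue
        got = cp.get(real, key, fallback=None)
        if got is None:
            findings.append(f"{name}: [{section}] lacks {key}")
        elif got.strip().lower() != want.lower():
            findings.append(f"{name}: [{section}] {key}={got.strip()!r}, expected {want!r}")
    return findings


# Constructed samples: one correct file and one still pointing at software keys.
GOOD_PARAGENT = "[General]\nHSMEnabled=YES\nHSMType=Luna\nHSMDevice=/dev/lunadev\n"
BAD_DBPARM = "[KeyManagement]\nKeySecureProvider=Software\n"

if __name__ == "__main__":
    for fname, content in (("PARagent.ini", GOOD_PARAGENT), ("DBParm.ini", BAD_DBPARM)):
        for finding in check_hsm_settings(fname, content) or [f"{fname}: OK"]:
            print(finding)
```

Run it against the real files (read from the `Conf` directory) before restarting the Vault services, so a typo in a key name is caught before the Vault fails to start.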
Step 4: Configure the HSM on CyberArk
Create and Store Keys:
- Using the Luna client or the Luna HSM management tools, create the required cryptographic keys that CyberArk will use.
- Make sure that these keys are securely stored in the HSM partition that has been set up earlier.
Assign Permissions:
Set the appropriate permissions on the keys so that the CyberArk Vault can use them for cryptographic operations.
Step 5: Check the Integration
Perform Cryptographic Operations:
- Have the CyberArk Vault perform a series of cryptographic operations (e.g., encryption and decryption) to demonstrate that it can use the keys stored in the Luna HSM.
- Review the CyberArk Vault logs for any errors related to HSM communication or key access.
Verify Key Usage:
Ensure that the keys employed in cryptographic operations are the ones that are stored on the HSM. This can often be done by checking the HSM’s audit logs.
Step 6: Restart CyberArk Services
Restart Services:
Once the configuration changes are complete, restart the CyberArk Vault services so the new settings take effect. This is typically done through the CyberArk management tools or the command line.
Verify Service Operation:
Verify that all CyberArk Vault services are running after the restart, and check the service logs for any errors or problems.
Conclusion
SignMyCode enhances your security infrastructure by safeguarding data and software.