Integration Guide. CyberArk Microsoft Windows




Integration Guide: CyberArk

Imprint

copyright 2014 Utimaco IS GmbH
Germanusstrasse 4
D-52080 Aachen
Germany
phone +49 (0)241 / 1696-200
fax +49 (0)241 / 1696-199
web http://hsm.utimaco.com
email support-cs@utimaco.com
document version 1.0.0
date September 2014
author System Engineering HSM
document no. SGCS_IG_CyberArk

all rights reserved

No part of this documentation may be reproduced in any form (printing, photocopy or according to any other process) without the written approval of Utimaco IS GmbH or be processed, reproduced or distributed using electronic systems. Utimaco IS GmbH reserves the right to modify or amend the documentation at any time without prior notice. Utimaco IS GmbH assumes no liability for typographical errors and damages incurred due to them. All trademarks and registered trademarks are the property of their respective owners.

Contents

1 Introduction
2 Overview
3 Requirements
4 Components
5 HSM Configuration
5.1 HSM Host Software Installation
5.2 HSM Initialization
6 Installation of CyberArk
6.1 Initial Vault Configuration
6.2 Loading the Server Key into the HSM
6.3 Generating the Server Key in the HSM
7 Further Information

1 Introduction

The SafeGuard CryptoServer is a hardware security module developed by Utimaco, i.e. a physically protected, specialized computer unit designed to perform sensitive cryptographic tasks and to securely manage cryptographic keys and data. In a SafeGuard CryptoServer security system, security-relevant actions can be executed and security-relevant information can be stored. It can be used as a universal, independent security component for heterogeneous computer systems.

2 Overview

The Privileged Identity Management (PIM) Suite of CyberArk is a full life-cycle solution for managing privileged accounts inside an enterprise environment. At the heart of this suite lies the Enterprise Password Vault (EPV), which enables organizations to secure, manage and log all activities associated with privileged passwords. To further raise the security of the password management solution, EPV offers a PKCS#11 hardware interface which enables the integration of an HSM in the role of the security anchor of the infrastructure. Introducing a FIPS 140-2 certified HSM into an identity management solution maximizes the security of the complete infrastructure and demonstrates that proper due care measures have been taken to ensure confidentiality, integrity and availability of critical enterprise data.

3 Requirements

Please ensure that you have a copy of the CryptoServer Manual for System Administrators available. The present integration guide also assumes that a Microsoft Server 2008 R2 SP1 EN has already been installed. CyberArk recommends Windows Server 2008 R2 SP1 EN as the most suitable platform for installations. Please contact your CyberArk support representative for the most recent supported service pack requirements.

Software and Hardware Requirements

HSM Model:    SafeGuard CryptoServer CS(e)-Series/Se-Series PCI(e)
              SafeGuard CryptoServer CS(e)-Series/Se-Series LAN
              SafeGuard CryptoServer Simulator
HSM Firmware: SafeGuard SecurityServer 3.20.1
Software:     SafeGuard SecurityServer 3.20.1
              CyberArk recommends the usage of Windows Server 2008 R2 SP1 EN

4 Components

In this section we give a quick overview of the components required for setting up CyberArk EPV and integrating a SafeGuard CryptoServer HSM into your identity management infrastructure. CyberArk EPV consists of a Server and an Administrative Client component, which in the basic installation described in this document both need to be installed, one after the other, on the same server. Furthermore, the PKCS#11R2 interface and the administrative tools of Utimaco also have to be installed on the same machine. Last but not least, a Java run-time environment together with the corresponding Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy files has to be installed on the same machine. Detailed installation and configuration instructions are provided in the following two sections.

5 HSM Configuration

5.1 HSM Host Software Installation

After installing the administrative and PKCS#11R2 components from the SafeGuard SecurityServer 3.20.0 Utimaco Product CD, the following steps must be taken:

- Copy the 32-bit variant of the PKCS#11R2 library (cs_pkcs11_r2.lib) from the SafeGuard SecurityServer 3.20.0 product CD into your SysWOW64 directory.
- Copy the 64-bit variant of the PKCS#11R2 library (cs_pkcs11_r2.lib) from the SafeGuard SecurityServer 3.20.0 product CD into your System32 directory.
- Verify that a system variable named CS_PKCS11_R2_CFG points to your PKCS#11R2 configuration file (cs_pkcs11_r2.cfg). This variable is automatically created if you follow the SafeGuard SecurityServer 3.20.0 installation wizard. If the wizard was not used, the variable has to be created manually.
- In the cs_pkcs11_r2.cfg configuration file make sure that the parameter KeepAlive is set to true; otherwise the PKCS#11 session between the CyberArk Vault and the HSM will be terminated after 15 minutes of idle time, making it necessary to re-authenticate the Vault Server towards the HSM every time it is used.

5.2 HSM Initialization

In order to interface CyberArk EPV to a SafeGuard CryptoServer HSM, you need to initialise a PKCS#11R2 slot with a security officer (SO) and a PKCS#11 cryptographic user (USER) role in advance. The credential used to log on to the PKCS#11 slot will later be used by the CyberArk EPV to authenticate against the HSM and to store/generate the CyberArk Server Master Key. To configure a PKCS#11R2 slot (slot #0 in this case) do the following:

Using Utimaco's PKCS#11R2 command line tool (p11tool2), log on to the HSM as a user with user management rights and initialise the PKCS#11 SO role:

    p11tool2 slot=0 Login=ADMIN,:cs2:cyb:USB0 Label=CyberArkEPV InitToken=123456

After the SO has been initialised, you have to authenticate as the SO to be able to initialise the PKCS#11R2 cryptographic user:

    p11tool2 slot=0 LoginSO=123456 InitPin=654321

This finishes the configuration of the PKCS#11R2 slot #0 on the HSM. The PIN used for the PKCS#11 user will be used during the configuration of CyberArk EPV to access the CyberArk Server key.

6 Installation of CyberArk

An HSM can be integrated into the CyberArk suite in two ways: either by loading an existing CyberArk Server Key into the PKCS#11 slot or, in the more secure setup, by generating it directly inside the secure HSM environment. Both integration paths are described in the following two subsections. The installation of CyberArk EPV is described in detail in the CyberArk suite's installation guide. Assuming that the installation of the CyberArk Digital Vault server has been successful, the next step is to configure the HSM key management in order to store your critical CyberArk keys as non-exportable keys on the HSM.

6.1 Initial Vault Configuration

1. For interfacing a CryptoServer LAN HSM, the firewall has to be configured to allow communication with the HSM. In DBParm.ini, configure the AllowNonStandardFWAddresses parameter to open the firewall and enable access to the HSM:

       AllowNonStandardFWAddresses=[HSM-IP],Yes,288:inbound/tcp,288:outbound/tcp

2. As a next step the PKCS#11 provider DLL has to be specified. This is done by entering the parameter PKCS11ProviderPath into DBParm.ini and pointing it to the 64-bit PKCS#11R2 DLL located in the System32 directory:

       PKCS11ProviderPath=C:\Windows\System32

3. Save and close the DBParm.ini configuration file.

4. Encrypt the PKCS#11R2 slot user PIN used for accessing the PKCS#11 slot on the HSM by running CyberArk's command line tool CAVaultManager with the following arguments:

       CAVaultManager SecureSecretFiles /SecretType HSM /Secret <PKCS#11R2_USER_PIN>

5. Open the DBParm.ini file and verify that the HSMPinCode parameter has been added with the encrypted value of the PIN code.

6. Restart the CyberArk Digital Vault Server in order for the new firewall rules to become effective.

7. Shut down the CyberArk Digital Vault.
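One way to verify, before the Vault is restarted, that the host settings from section 5.1 and the DBParm.ini parameters from section 6.1 are in place (an added PowerShell check, not part of the Utimaco guide or of CyberArk's tools). It assumes the DBParm.ini path and the HSM address are passed as parameters and that the PKCS#11R2 library file is named cs_pkcs11_r2.dll; the sample address is constructed.

```powershell
# Added pre-flight check, not part of the Utimaco guide or of CyberArk's tools. It verifies
# the host settings from section 5.1 and the DBParm.ini parameters from section 6.1.
# Assumed: DBParm.ini path and HSM address are supplied; the library file is named
# cs_pkcs11_r2.dll (the guide lists it as cs_pkcs11_r2.lib; adjust $LibraryName if needed).
param(
    [Parameter(Mandatory = $true)][string]$DbParmPath,
    [string]$HsmIp = '192.0.2.10',              # constructed sample address, replace with yours
    [string]$LibraryName = 'cs_pkcs11_r2.dll'   # assumed file name
)
$results = New-Object System.Collections.Generic.List[object]
function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# 5.1: CS_PKCS11_R2_CFG must point at an existing cs_pkcs11_r2.cfg
$cfg = $env:CS_PKCS11_R2_CFG
$cfgOk = [bool]$cfg -and (Test-Path -LiteralPath $cfg)
Add-Result 'CS_PKCS11_R2_CFG points to a file' $cfgOk "$cfg"
# 5.1: KeepAlive=true, otherwise the Vault's PKCS#11 session is dropped after 15 idle minutes
$keepAlive = $cfgOk -and [bool](Get-Content -LiteralPath $cfg | Where-Object { $_ -match '^\s*KeepAlive\s*=\s*true\s*$' })
Add-Result 'KeepAlive = true in cs_pkcs11_r2.cfg' $keepAlive ''
# 5.1: 64-bit library in System32, 32-bit library in SysWOW64
foreach ($dir in 'System32', 'SysWOW64') {
    $lib = Join-Path (Join-Path $env:SystemRoot $dir) $LibraryName
    Add-Result "PKCS#11R2 library present in $dir" (Test-Path -LiteralPath $lib) $lib
}

# 6.1: read DBParm.ini as Key=Value pairs; comment and section lines are skipped
$parm = @{}
Get-Content -LiteralPath $DbParmPath | ForEach-Object {
    if ($_ -match '^\s*([^;#\[][^=]*?)\s*=\s*(.*?)\s*$') { $parm[$Matches[1]] = $Matches[2] }
}
# Firewall exception must name only the HSM address and only port 288/tcp
$fw = $parm['AllowNonStandardFWAddresses']
$fwOk = $false
if ($fw -and ($fw -split ',').Count -ge 3) {
    $parts = $fw -split ','
    $ports = $parts[2..($parts.Count - 1)] | ForEach-Object { ($_ -split ':')[0] }
    $fwOk = ($parts[0] -eq $HsmIp) -and ($parts[1] -eq 'Yes') -and
            (@($ports | Where-Object { $_ -ne '288' }).Count -eq 0)
}
Add-Result 'AllowNonStandardFWAddresses limited to HSM IP, port 288' $fwOk "$fw"
# PKCS11ProviderPath must be a directory that contains the 64-bit library
$providerDir = $parm['PKCS11ProviderPath']
$providerOk = [bool]$providerDir -and (Test-Path -LiteralPath (Join-Path $providerDir $LibraryName))
Add-Result 'PKCS11ProviderPath contains the library' $providerOk "$providerDir"
# HSMPinCode is written by "CAVaultManager SecureSecretFiles" and must be present
Add-Result 'HSMPinCode present (encrypted PIN)' ([bool]$parm['HSMPinCode']) ''
# ServerKey must be HSM (loaded key, 6.2) or HSM#<n> (generated key, 6.3)
Add-Result 'ServerKey refers to the HSM' ($parm['ServerKey'] -match '^HSM(#\d+)?$') "$($parm['ServerKey'])"

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

Run it as the Vault service account after step 6 and before step 7; a non-zero exit code means at least one check failed and the Vault should not be handed the server key yet.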

6.2 Loading the Server Key into the HSM

When the initial vault configuration is done, we can proceed and store the Vault Server key on the HSM. Once this process is complete, the server key is stored as a non-exportable key in the HSM PKCS#11 slot and can be used by the vault.

1. Verify that the Vault Server is not running.

2. With CyberArk's command line tool CAVaultManager run the following command:

       CAVaultManager LoadServerKeyToHSM

3. Verify that the load operation is confirmed as successful.

4. Open DBParm.ini and change the ServerKey parameter value to:

       ServerKey=HSM

5. Start CyberArk's Digital Vault Server and verify that you can log on to the Vault.

With the procedure described above you have successfully imported the Vault Server's Master Key into the PKCS#11 slot on the HSM and can proceed with the installation of the admin client as described in CyberArk's installation guide.

6.3 Generating the Server Key in the HSM

In the most secure CyberArk Vault setup the Server Master Key is generated directly in the secure environment of the HSM. After the initial vault configuration is done, you can proceed and generate the Vault Server key on the HSM. Once this process is complete, the server key is stored as a non-exportable key in the HSM PKCS#11 slot and can be used by the vault.

1. Make sure that the Vault Server is not running.

2. Run CyberArk's CAVaultManager command line tool with the following parameters:

       CAVaultManager GenerateKeyOnHSM /ServerKey

   The above command will generate a new key for the Vault server, store it in the previously initialized HSM PKCS#11R2 slot, and return the key generation keyword, for example HSM#5. Each time a key generation is done, the keyword allocated is one number higher than the current server key generation specified in DBParm.ini. The HSM can store up to 255 key generations, after which key generation numbering will begin again at one. In order to create additional key generations successfully, users have to manually delete the first generation of the server key, otherwise an error will be returned. If the ServerKey parameter in the CAVaultManager command specifies a path instead of an HSM keyword, the first key generation will be created, i.e. HSM#1.

3. Next, the Vault data and metadata have to be re-encrypted with the newly generated keys on the HSM. Using the command line tool ChangeServerKeys, run the following command:

       ChangeServerKeys <PathToKeys> <PathToEmergencyFile> HSMKeyword

   For example, the following command will re-encrypt the Vault data and metadata with the encryption keys in K:\PrivateArk\Keys, and the HSM#1 key will be used as the server key:

       ChangeServerKeys K:\PrivateArk\Keys K:\PrivateArk\Keys\VaultEmergency.pass HSM#1

4. After that, open DBParm.ini and edit the ServerKey according to the value output by the previous command. For example:

       ServerKey=HSM#1

5. Finally, start the Vault Server and verify that you can log on to the Vault.

With the procedure described above you have successfully generated the Vault Server's Master Key in the PKCS#11 slot on the HSM and can proceed with the installation of the admin client as described in CyberArk's installation guide.

7 Further Information

This document forms a part of the information and support which is provided by Utimaco IS GmbH. Additional documentation can be found on the product CD in the documentation directory. All SafeGuard CryptoServer product documentation is also available at the Utimaco IS GmbH website: http://hsm.utimaco.com

Contact

Utimaco IS GmbH
Germanusstraße 4
D-52080 Aachen
Germany
phone +49 241 1696-200
fax +49 241 1696-199
web http://hsm.utimaco.com
email support-cs@utimaco.com