Configure CyberArk Vault to Use Utimaco HSM

  1. To allow communication between the Vault Server and the Utimaco HSM, open the CyberArk Vault configuration file located at C:\Program Files (x86)\PrivateArk\Server\Conf\dbparam.ini and set the AllowNonStandardFWAddresses parameter, which opens the Vault firewall for the HSM address and enables access to the HSM.

dbparam.ini:

AllowNonStandardFWAddresses=[HSM-IP],Yes,288:inbound/tcp,288:outbound/tcp

Replace the HSM IP address and the port with the values for your setup.

  2. Specify the Utimaco PKCS#11 provider DLL in the PKCS11ProviderPath parameter of the DBParm.ini file.

dbparam.ini:

PKCS11ProviderPath=C:\Program Files\Utimaco\SecurityServer\Lib\cs_pkcs11_R3.dll

  3. Save the changes to the dbparam.ini file and close it.

  4. Restart the PrivateArk Server service.

Screenshot: Restart PrivateArk Server service

  5. Store the HSM Slot PIN as an encrypted password to access the Utimaco HSM:

Console:
CAVaultManager.exe SecureSecretFiles /SecretType HSM /Secret 12345678


Screenshot: CAVaultManager SecureSecretFiles command output

  6. Replace 12345678 with the Slot PIN.

  7. Open the DBParm.ini file and verify that the HSMPinCode parameter has been added with the encrypted value of the Slot PIN.

dbparam.ini:

HSMPinCode=2F3C61B954886FAA08EFFCE92137981A8B2E3459A58D8571CB262FCA8E8E8C92EA79E24A12BFA30E4FDFB8E0698D6D63
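A post-configuration check for the three dbparam.ini settings set in the steps above, added here as an example and not CyberArk's or Utimaco's own tooling. The file excerpt, the HSM address and the HSMPinCode value are constructed, and the "looks encrypted" test (a long hex string rather than a short PIN) is an assumption about the form of the value SecureSecretFiles writes.

```python
import re
from typing import Dict, List

# Constructed dbparam.ini excerpt containing the three parameters the guide sets.
SAMPLE_DBPARM = """
[MAIN]
AllowNonStandardFWAddresses=[10.0.0.5],Yes,288:inbound/tcp,288:outbound/tcp
PKCS11ProviderPath=C:\\Program Files\\Utimaco\\SecurityServer\\Lib\\cs_pkcs11_R3.dll
HSMPinCode=0123456789ABCDEF0123456789ABCDEF
"""

# Syntax of the firewall entry: [address],Yes,port:direction/proto,...
FW_RE = re.compile(r"^\[(?P<ip>[0-9.]+)\],Yes,(?P<rules>.+)$")


def parse_dbparm(text: str) -> Dict[str, str]:
    """Return key=value pairs; section headers, comments and blank lines are skipped."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("[", ";", "#")):
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def check_hsm_config(params: Dict[str, str], hsm_ip: str, hsm_port: int = 288) -> List[str]:
    """Return findings for the HSM-related settings; an empty list means they look right."""
    findings: List[str] = []
    m = FW_RE.match(params.get("AllowNonStandardFWAddresses", ""))
    rules = set(m.group("rules").split(",")) if m else set()
    if not m or m.group("ip") != hsm_ip:
        findings.append("AllowNonStandardFWAddresses does not name the HSM address")
    for direction in ("inbound", "outbound"):
        if f"{hsm_port}:{direction}/tcp" not in rules:
            findings.append(f"firewall rule {hsm_port}:{direction}/tcp is missing")
    if not params.get("PKCS11ProviderPath", "").lower().endswith("cs_pkcs11_r3.dll"):
        findings.append("PKCS11ProviderPath does not point to cs_pkcs11_R3.dll")
    pin = params.get("HSMPinCode", "")
    if not pin:
        findings.append("HSMPinCode is missing: run CAVaultManager SecureSecretFiles")
    elif not re.fullmatch(r"[0-9A-Fa-f]{32,}", pin):  # assumed shape of the encrypted value
        findings.append("HSMPinCode is not an encrypted value; a plaintext Slot PIN must not be stored")
    return findings


if __name__ == "__main__":
    for finding in check_hsm_config(parse_dbparm(SAMPLE_DBPARM), "10.0.0.5") or ["OK"]:
        print(finding)
```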