Generating the Vault’s Server Key on the Utimaco HSM

In the most secure CyberArk Vault setup, the Server key is generated inside the HSM and never leaves it. After the initial Vault configuration is complete, you can generate the Vault Server key on the HSM. Once this process is complete, the Server key is stored as a non-exportable key in the HSM PKCS#11 slot and the Vault uses it from there. Take a backup of the Vault server before you start: the procedure below changes the key that protects the Vault data, and a failed key change is recovered from that backup.

  1. Stop the PrivateArk Server service.


Stop the PrivateArk Server Service

  2. Open cmd as administrator.

  3. Run the following CAVaultManager command to generate a new Server key on the HSM. Make sure that the output confirms that the Server key was generated successfully:

›_ Console
CAVaultManager.exe GenerateKeyOnHSM /ServerKey



Generate server key on Utimaco HSM

The above command generates a new key for the Vault server, stores it in the previously initialized HSM PKCS#11 slot, and returns the keyID.

  4. Note down the HSM key ID returned in the CAVLT187I log message (KeyID=HSM#X). You need this number in the ChangeServerKeys and DBParm.ini steps below.

  5. Verify that the key was generated on the HSM with the p11tool2 command (it prompts for the user PIN). Confirm that the new key object is listed in the slot and, where the listing shows attributes, that it is marked non-extractable.

›_ Console
p11tool2 slot=0 LoginUser=ask ListObjects



Key List

  6. Mount the recovery private key (recprv.key) on the Vault server so that the key change can read it. The key stays mounted only for the duration of this procedure.

  7. Open the DBParm.ini file located at C:\Program Files (x86)\PrivateArk\Server\Conf\DBParm.ini.

  8. Set the RecoveryPrvKey parameter to the path of the recovery private key and save the file.

DBParm.ini

RecoveryPrvKey=<path_to_recovery_private_key>\recprv.key

  9. Navigate to the C:\Program Files (x86)\PrivateArk\Server folder, then open cmd as administrator.

  10. Change the existing Server key to the newly generated one on the Utimaco HSM. The third argument is the key ID noted in step 4:

›_ Console
ChangeServerKeys.exe <path_to_keys directory> <path_to_VaultEmergency.pass> HSM#<keyID_no.>
For example:
ChangeServerKeys.exe C:\Users\Partner\Document\DemoMasterKeys C:\DemoOperatorKeys\VaultEmergency.pass HSM#1

ChangeServerkey to HSM output

  11. Make sure that the output confirms that the Change Server Keys process completed successfully. Do not continue to the next step on a partial or failed run.

  12. Open DBParm.ini and set the ServerKey parameter to ServerKey=HSM#X, where X is the HSM key ID noted in step 4.

DBParm.ini

ServerKey=HSM#1

  13. Save the file.

  14. Start the PrivateArk Server service and make sure that it starts without errors.

  15. Verify that you can log on to the Vault using CyberArk authentication.


Logon to Vault using CyberArk authentication

  16. Unmount the recovery private key from the Vault server and revert the RecoveryPrvKey parameter in DBParm.ini to its default value (d:\recprv.key). The recovery private key must not remain reachable from the Vault server once the key change is done; return it to its offline storage.
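The whole procedure above, driven from an elevated PowerShell session on the Vault server, as an added example that is not a CyberArk or Utimaco script. It assumes the service name PrivateArk Server, that the recovery key and VaultEmergency.pass are on a mounted drive D:, that the keys directory passed to ChangeServerKeys is the one the page's example uses, and that the CAVLT187I message contains the text KeyID=HSM#<number>; the Set-DbParmValue and Invoke-Checked helpers are the example's own. The recovery key reference is reverted in a finally block so it is never left in DBParm.ini, even when the key change fails.

```powershell
# Added example (not CyberArk's or Utimaco's own code). Paths, the service name
# and the CAVLT187I message layout are assumptions; adjust them to your Vault.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$ServiceName   = 'PrivateArk Server'                               # assumed service name
$ServerDir     = 'C:\Program Files (x86)\PrivateArk\Server'
$DbParm        = Join-Path $ServerDir 'Conf\DBParm.ini'
$KeysDir       = 'D:\MasterKeys'                                    # assumed keys directory
$RecPrvKey     = 'D:\recprv.key'                                    # assumed mount point of recprv.key
$EmergencyPass = 'D:\VaultEmergency.pass'                           # assumed location
$DefaultRecPrv = 'd:\recprv.key'                                    # default value from the page

function Set-DbParmValue {
    # Replace Key=Value in DBParm.ini (or append it), keeping a copy of the previous file.
    param([string]$Path, [string]$Key, [string]$Value)
    Copy-Item -Path $Path -Destination "$Path.bak" -Force
    $pattern = '^\s*' + [regex]::Escape($Key) + '\s*='
    $lines   = @(Get-Content -Path $Path)
    if ($lines -match $pattern) {
        $lines = $lines | ForEach-Object { if ($_ -match $pattern) { "$Key=$Value" } else { $_ } }
    } else {
        $lines += "$Key=$Value"
    }
    # ASCII avoids writing a BOM that the Vault's INI parser may not expect.
    Set-Content -Path $Path -Value $lines -Encoding ASCII
}

function Invoke-Checked {
    # Run a native executable, return its stdout, and fail fast on a non-zero exit code.
    param([string]$Exe, [string[]]$ArgumentList)
    $out = & $Exe @ArgumentList | Out-String
    if ($LASTEXITCODE -ne 0) { throw "$Exe exited with code $LASTEXITCODE`n$out" }
    return $out
}

# Step 1: stop the Vault before touching any key material.
Stop-Service -Name $ServiceName
Push-Location $ServerDir
try {
    # Steps 3-4: generate the Server key inside the HSM and capture the key ID.
    $genOut = Invoke-Checked -Exe '.\CAVaultManager.exe' -ArgumentList @('GenerateKeyOnHSM', '/ServerKey')
    if ($genOut -match 'CAVLT187I.*KeyID=HSM#(\d+)') {        # assumed message layout
        $KeyId = $Matches[1]
    } else {
        throw "Server key was not generated on the HSM:`n$genOut"
    }
    Write-Host "Generated HSM key HSM#$KeyId"

    # Step 5: list the slot so the operator can confirm the new, non-extractable object.
    & p11tool2 slot=0 LoginUser=ask ListObjects

    # Steps 6-8: point the Vault at the recovery private key for the key change only.
    Set-DbParmValue -Path $DbParm -Key 'RecoveryPrvKey' -Value $RecPrvKey
    try {
        # Steps 10-11: switch the Vault to the HSM-resident key; Invoke-Checked aborts on failure.
        $chgOut = Invoke-Checked -Exe '.\ChangeServerKeys.exe' -ArgumentList @($KeysDir, $EmergencyPass, "HSM#$KeyId")
        Write-Host $chgOut

        # Steps 12-14: tell the Vault to load the key from the HSM and bring it back up.
        Set-DbParmValue -Path $DbParm -Key 'ServerKey' -Value "HSM#$KeyId"
        Start-Service -Name $ServiceName
        Write-Host "Service status: $((Get-Service -Name $ServiceName).Status)"
        # Step 15 (manual): log on with the PrivateArk client using CyberArk authentication.
    }
    finally {
        # Step 16: never leave the recovery key referenced from DBParm.ini.
        Set-DbParmValue -Path $DbParm -Key 'RecoveryPrvKey' -Value $DefaultRecPrv
    }
}
finally {
    Pop-Location
}
```

Run it from the Vault server itself; it prompts for the HSM user PIN at the p11tool2 step and leaves a DBParm.ini.bak beside the edited file. After it finishes, unmount the media holding recprv.key, since the script can only revert the configuration reference, not remove the key from the machine.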