Log in to the Secret Server application with administrator access. In the ADMIN menu, click Configuration, then select the HSM tab. When ready, click the Next button, and the application will look for valid Key Storage Providers.
The tab presents a list of discovered hardware-based (not smart-card) CNG service providers. Select the Utimaco CryptoServer Key Storage Provider option, and choose a key size of 2048 or 4096. Click Next.
If the Utimaco CryptoServer Key Storage Provider option is not available, the most likely problem is a misconfigured CS_CNG_CFG file: it may point at a non-existent log file or at an offline CryptoServer cluster, or the default user login may not exist on the targeted device(s).
If the option is there but the initial tests (performed by the application) do not succeed, check two places for hints as to why. For CryptoServer-specific error results, see the log file cs_cng.log in the Logfile directory (defined in the CS_CNG_CFG file). For Thycotic Secret Server-specific error results, see the SecretServer system log.
Click Next to configure the application to use the storage provider. When it returns correctly, it states "The HSM is now enabled."
After the step above, make a backup of C:\inetpub\wwwroot\SecretServer\encryption.config, as the file will have been re-encrypted using the newly generated HSM-stored key. Use cngtool ListKeys to display the newly created key name (a UUID).
The final step required is to "Recycle the Application Pool", which is done in IIS Manager. If you try to navigate away from the application page before doing so, you may notice a warning at the top that includes "no secrets may be modified", and the page returns without navigating away.
Use the Windows Start menu to open IIS Manager. On the left, in the Connections panel, click the "Application Pools" item. The list of active Application Pools appears in the main pane. Right-click the SecretServer item and select Recycle...
The SecretServer application will now let you move on from the Success screen.
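The backup and recycle steps above can also be scripted from an elevated PowerShell prompt. The following is an added example, not part of the original procedure or of either vendor's tooling; the backup directory D:\SecureBackup\SecretServer is a hypothetical location, and the script assumes cngtool is on the PATH and the IIS WebAdministration module is installed.

```powershell
#requires -RunAsAdministrator
# Added example: back up the re-encrypted encryption.config, record the HSM
# key listing next to it, then recycle the SecretServer application pool.
$ErrorActionPreference = 'Stop'

$Source    = 'C:\inetpub\wwwroot\SecretServer\encryption.config'  # path from the procedure
$BackupDir = 'D:\SecureBackup\SecretServer'                       # hypothetical destination
$PoolName  = 'SecretServer'                                       # pool name from the procedure

if (-not (Test-Path -LiteralPath $Source)) { throw "Not found: $Source" }

# Create the backup directory and limit it to Administrators and SYSTEM
# (well-known SIDs are used so the command works on localized systems).
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
& icacls $BackupDir /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $BackupDir" }

# Copy with a timestamp so earlier backups are never overwritten.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$target = Join-Path $BackupDir "encryption.config.$stamp"
Copy-Item -LiteralPath $Source -Destination $target

# Confirm the copy is byte-identical before relying on it.
$srcHash = (Get-FileHash -LiteralPath $Source -Algorithm SHA256).Hash
$dstHash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
if ($srcHash -ne $dstHash) { throw "Backup hash mismatch for $target" }
"$dstHash  encryption.config.$stamp" | Set-Content -LiteralPath "$target.sha256"

# Save the key listing so the backup can be matched to the key name (a UUID)
# that was created when the HSM was enabled.
$keys = & cngtool ListKeys
if ($LASTEXITCODE -ne 0) { throw 'cngtool ListKeys failed' }
$keys | Set-Content -LiteralPath "$target.keys.txt"

# Recycle the application pool (same effect as right-click > Recycle in IIS Manager).
Import-Module WebAdministration
Restart-WebAppPool -Name $PoolName
$state = (Get-WebAppPoolState -Name $PoolName).Value
if ($state -ne 'Started') { throw "Pool $PoolName is in state '$state' after recycle" }

Write-Output "Backup written to $target (SHA256 $dstHash); pool $PoolName recycled."
```

The script stops at the first failed step, so the application pool is recycled only after the backup has been copied and verified.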