Integration with Trident Hardware Security Module (HSM)

PAM360 offers robust encryption methods to secure the passwords of the privileged credentials stored in the PAM360 repository. By default, PAM360 employs AES-256-bit encryption to protect these credentials. For heightened security, PAM360 supports integration with the Trident HSM, which handles all the encryption and decryption operations directly within the hardware. This approach not only strengthens data protection but also allows for the encrypted key to be securely stored within the hardware module, providing an additional layer of security against unauthorized access. This document covers the following topics in detail:

  1. Prerequisites
  2. Workflow
  3. Migrating to Trident HSM Encryption Method
  4. Troubleshooting Tips

1. Prerequisites

Before proceeding with the integration, ensure the following prerequisites are met:

  1. A valid instance of Trident HSM is properly installed and set up in your environment. The Trident HSM installation guide details the necessary steps to complete this setup.
  2. The Trident HSM service is accessible from the PAM360 server in your environment.
  3. A dedicated user in Trident HSM, which will be used by PAM360 to connect with the Trident HSM service.
  4. The mpcm-api.jar file provided by i4p Informatics as a part of the Trident SDK.

2. Workflow

Integrating PAM360 with Trident HSM involves several key steps to ensure secure and seamless encryption management, including configuring the Trident HSM, establishing connectivity with PAM360, and updating the encryption mechanism to use Trident HSM for storing the PAM360 encryption key.

3. Migrating to Trident HSM Encryption Method

Follow these steps to migrate to Trident HSM for securely storing the PAM360 encryption key:

  1. Stop the PAM360 service.
  2. Navigate to the <PAM360_Installation_Directory>\lib folder and paste the mpcm-api.jar file provided by i4p Informatics as a part of Trident SDK.
  3. Open the command prompt with administrator privileges and navigate to the <PAM360_Installation_Directory>\bin folder.
  4. Execute the migration script based on your operating system:
    • Windows - SwitchToHSM.bat
    • Linux - sh SwitchToHSM.sh
  5. In the Switch to HSM Encryption window, select Trident as the HSM Solution and enter the following details:
    1. CMAPI URL - Enter the Trident HSM's service URL in the format https://<trident-hostname>:<port number>. It is the endpoint through which PAM360 communicates with the Trident HSM for operations such as encryption key storage, retrieval, and encryption.
    2. Username - Enter the username of the dedicated Trident HSM user account you created specifically for this integration, which PAM360 will use to authenticate its connection. The user role should be Key User and the user type should be mpcm user.
    3. Password - Enter the password of the specified user account in this field.
    4. Key Password - Enter the encryption key password in this field.
  6. After entering the required details, click Migrate to migrate from the default PAM360 cryptography to Trident HSM.
  7. Restart the PAM360 service to complete the migration process.

To verify the encryption method currently in use, navigate to Admin >> Configuration >> Encryption and HSM. This section displays the active encryption method, confirming successful integration and migration to Trident HSM.

Important Notes:

  1. Once Trident HSM is configured as the primary encryption method, switching back to PAM360’s native encryption requires a complete reconfiguration of PAM360. To revert to PAM360 encryption and recover some data from your old build, you can choose one of the following approaches:
    1. Export all resources and passwords from the PAM360 build that uses HSM encryption. Then, uninstall the existing build and perform a fresh installation of PAM360 without HSM encryption. Please note that reinstalling PAM360 will erase all existing data. However, you can import the previously exported resources and passwords to recover some of the data.
    2. Uninstall the current version and restore an older backup of PAM360 created with the PAM360 encryption key.
  2. It is not possible to switch encryption modes after the initial configuration.
  3. If the current encryption method in your PAM360 server is SafeNet Luna HSM or Entrust nShield HSM, direct migration to Trident HSM is not supported and requires complete reconfiguration of PAM360.

4. Troubleshooting Tips

Below are some of the errors you may encounter in the SwitchToHSM_log.txt file if there are discrepancies in the values passed during the integration process. The file is available within the <PAM360_Installation_Directory>\logs folder.

1. java.lang.ClassNotFoundException: mpcm.api.parameters.ApiConfiguration (or) java.lang.NoClassDefFoundError: mpcm/api/parameters/ApiConfiguration

Problem: The mpcm-api.jar file is not available in the directory path <PAM360_Installation_Directory>\lib.

Solution: Place the mpcm-api.jar file in the lib folder within the PAM360 installation directory, as described in Step 2 of the migration process, to resolve this error.

2. Unable to connect to the Trident HSM. Please check the CMAPI URL/Username/Password.

Problem: The Trident HSM service is not reachable, or the credentials provided during migration are invalid.

Solution: Verify that the Trident HSM service is accessible from the PAM360 server in your environment. Also, ensure the CMAPI URL, Username, and Password are correct.
Top