Integration with the Entrust nShield Hardware Security Module (HSM)

Apart from its default (software-based) encryption method, Password Manager Pro integrates with the Entrust nShield hardware security module (HSM) and provides an option to enable hardware-based data encryption. The integration lets you use the HSM to protect the privileged digital identities and the personal passwords stored in the Password Manager Pro database: the data encryption key is protected by the HSM's Security World and kept locally in your environment, outside the Password Manager Pro database. Through this integration, it is also possible to achieve FIPS 140-2 compliance for the protection of the privileged identities in your environment.

Password Manager Pro supports two key-protection modes with the Entrust nShield HSM:

  1. Module Only Key
  2. Softcards

Read further to learn how to configure them in detail.

  1. Workflow Diagram
  2. Configuring the Entrust nShield HSM
  3. Migrating to the Entrust nShield HSM Encryption
  4. Troubleshooting Steps

1. Workflow Diagram

The workflow diagram depicting the encryption and decryption workflow between Password Manager Pro and the Entrust nShield HSM is as follows:

2. Configuring the Entrust nShield HSM

2.1 Steps to Install the Entrust nShield HSM

Follow these steps to install the nShield Security World software and configure Password Manager Pro to use the Entrust nShield HSM.

2.1.1 Prerequisites

The following are needed for the integration:

  1. A working instance of Password Manager Pro.
  2. An nShield Connect HSM.
  3. Network connectivity between the Password Manager Pro server and the nShield Security World.
    Please note that the Security World software must be installed and configured on the same server where Password Manager Pro is running. The nShield Connect HSM itself can reside on any machine that is reachable from the Password Manager Pro server.

2.2 Steps to Install the Security World Software

Note: We recommend that you uninstall any existing nShield software before installing the new nShield software.

  1. Install and configure the Security World software. For instructions, refer to the Installation Guide and the User Guide for the HSM.
  2. Add the Security World utilities path C:\Program Files\nCipher\nfast\bin to the Windows system path (on Linux the utilities are installed under /opt/nfast/bin by default).
  3. Run the following commands to check connectivity between the machine where Password Manager Pro is running and the nShield Security World.

    anonkneti <Unit IP>

    Output of this command is:

    <Unit ESN> <Unit KNETI hash>

    ESN refers to the Electronic Serial Number of the HSM and KNETI to its network-authentication key. Compare both values with those shown on the unit's front panel before enrolling, so that you enroll the intended HSM rather than a host impersonating it.

    To enroll, run the following command:

    nethsmenroll <Unit IP>
  4. Run the enquiry utility to verify that the HSM is configured properly.
    C:\Users\Administrator>enquiry
    Server

    enquiry reply flags none
    enquiry reply level Six
    serial number ####-####-####
    mode operational
    ...

    Module #1

    enquiry reply flags none
    enquiry reply level Six
    serial number ####-####-####
    mode operational
    ...
  5. Extract and place the world and module files in the path C:\ProgramData\nCipher\Key Management Data\local on Windows, or kmdata/local under the nShield installation directory (/opt/nfast by default) on Linux, to complete the configuration.
    Optionally, run a local benchmark to confirm the module responds, for example: perfcheck -m1 signing:287
  6. As per your organization's security policy, create a Security World if you do not have one already. As a precaution, create an Administrator Card Set (ACS) with a card for each person who holds the access privilege, plus a few spares.
    new-world -i -m <module_number> -Q <K/N>
    Here K/N is the ACS quorum: K of the N cards must be presented to authorize administrative operations on the Security World.
    Note: After an ACS card set has been created, the cards cannot be duplicated, so the spare cards must be created at this point.
  7. Run the nfkminfo utility to confirm the Security World is operational:

    C:\Users\Administrator>nfkminfo
    World
    generation 2
    state 0x37270008 Initialised Usable ...
    ...
    Module #1
    generation 2
    state 0x2 Usable
    ...
    Module #1 Slot #0 IC 0
    generation 1
    phystype SmartCard
    ...
    error OK
    ...
    Module #1 Slot #1 IC 0
    generation 1
    phystype SoftToken
    ...
    error OK
    ...
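
The checks in steps 3 to 7 are what gate the migration, so it is worth automating them before running SwitchToHSM. The following script is an added example (not ManageEngine or Entrust code) for a Linux Password Manager Pro host: it parses enquiry and nfkminfo output of the shape shown above, rejects a negated flag such as !Usable, and confirms that nCipherKM.jar is already in the lib folder that section 3, step 8 requires. The utility path /opt/nfast/bin, the Password Manager Pro home passed as the first argument, and the embedded sample outputs are assumptions, not values from the page.

```shell
#!/usr/bin/env bash
# Pre-migration checks for Password Manager Pro on a Linux host with the nShield Security
# World software installed. Added example, not ManageEngine or Entrust code. Assumptions not
# stated on the page: utilities in /opt/nfast/bin, Password Manager Pro home given as $1.
set -u

# Return 0 when enquiry output has at least one "mode" line (the Server section and each
# Module section print one) and every one of them reads "operational".
enquiry_all_operational() {
  local modes
  modes=$(printf '%s\n' "$1" | awk '$1 == "mode" { print $2 }')
  [ -n "$modes" ] || return 1
  if printf '%s\n' "$modes" | grep -qv '^operational$'; then
    return 1
  fi
  return 0
}

# Print how many "Module #n" sections the output contains (works for enquiry and nfkminfo).
count_modules() {
  printf '%s\n' "$1" | grep -Ec '^Module #[0-9]+:?[[:space:]]*$' || true
}

# Return 0 when the World section of nfkminfo reports both the Initialised and the Usable
# flag. A negated flag ("!Usable") is a separate word and is correctly rejected here.
world_initialised_usable() {
  local state w init=0 usable=0
  state=$(printf '%s\n' "$1" | awk '/^World/ { w = 1 } w && $1 == "state" { print; exit }')
  for w in $state; do
    case "$w" in
      Initialised) init=1 ;;
      Usable) usable=1 ;;
    esac
  done
  if [ "$init" = 1 ] && [ "$usable" = 1 ]; then
    return 0
  fi
  return 1
}

# Return 0 when nCipherKM.jar is already in <PMP home>/lib (section 3, step 8); without it
# SwitchToHSM aborts with the NoClassDefFoundError listed in section 4.1.
jar_present() {
  [ -f "$1/lib/nCipherKM.jar" ]
}

# Live run: query the local hardserver and Security World, then check the jar.
preflight() {
  local pmp_home="$1" rc=0 enq info
  local PATH="/opt/nfast/bin:$PATH"
  enq=$(enquiry) || { echo "enquiry failed: hardserver down or HSM not enrolled" >&2; return 1; }
  enquiry_all_operational "$enq" || { echo "enquiry: server or a module is not operational" >&2; rc=1; }
  echo "enquiry: $(count_modules "$enq") module(s) visible"
  info=$(nfkminfo) || { echo "nfkminfo failed: no Security World loaded" >&2; return 1; }
  world_initialised_usable "$info" || { echo "nfkminfo: World is not Initialised and Usable" >&2; rc=1; }
  jar_present "$pmp_home" || { echo "nCipherKM.jar is missing from $pmp_home/lib" >&2; rc=1; }
  return "$rc"
}

# Constructed sample output in the shape shown on the page (not captured from a real HSM),
# so the parsers above can be exercised without a Security World.
SAMPLE_ENQUIRY='Server
 enquiry reply flags none
 mode operational

Module #1
 enquiry reply flags none
 mode operational'
SAMPLE_ENQUIRY_BAD=$(printf '%s\n' "$SAMPLE_ENQUIRY" | sed '$s/operational/maintenance/')
SAMPLE_NFKMINFO='World
 generation 2
 state 0x37270008 Initialised Usable Recovery

Module #1
 generation 2
 state 0x2 Usable'
SAMPLE_NFKMINFO_BAD=$(printf '%s\n' "$SAMPLE_NFKMINFO" | sed 's/Initialised Usable/Initialised !Usable/')

# Usage (live): ./hsm_preflight.sh /opt/ManageEngine/PMP
if [ "$#" -gt 0 ]; then
  preflight "$1"
fi
```

Run it with the Password Manager Pro home as the only argument; a non-zero exit means one of the conditions that SwitchToHSM depends on is not met, and the message on stderr names which one.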

Important Notes:

  1. The Softcard and the key blob are stored as files under C:\ProgramData\nCipher\Key Management Data\local (kmdata/local on Linux); they are not saved in the Password Manager Pro database.
  2. Based on the encryption mode you have opted for, we highly recommend that you save a copy of the Module Only Key file (or the Softcard and Softcard key files) in a secure location. Without these files, together with the Security World they belong to, the data encrypted under the HSM cannot be recovered.

3. Migrating to the Entrust nShield HSM Encryption

Follow these steps to migrate from Password Manager Pro's built-in encryption to Entrust nShield HSM encryption:

  1. Stop the Password Manager Pro service.
  2. Open a command prompt and navigate to <Password Manager Pro_SERVER_HOME>\bin directory.
  3. Execute the following command:

    For Windows:
    SwitchToHSM.bat

    For Linux:
    sh SwitchToHSM.sh

  4. The command brings up a dialog box:

  5. In the dialog, choose Entrust nShield from the HSM Solution drop-down. Under nShield Features, choose either Module Only Key or Softcards.
  6. If you choose Module Only Key mode, no passphrase is required. If you choose Softcards, enter the Softcard name and its passphrase.
  7. Verify the details and click Migrate.
  8. For the integration to work, the nShield Java provider must be on Password Manager Pro's classpath: copy nCipherKM.jar from your nShield installation folder (typically java\classes under the Security World software directory) into <Password Manager Pro_Installation_Folder>\lib. If SwitchToHSM itself fails with a NoClassDefFoundError for com/ncipher/provider/km/nCipherKM (see section 4.1), copy the jar first and rerun the migration.
  9. Restart the Password Manager Pro service to complete the HSM migration.
  10. To check the method of encryption applied in Password Manager Pro, go to the Admin tab in the Password Manager Pro interface and select Configuration >> Encryption and HSM.

Important Notes:

  1. Once you have configured the Entrust nShield HSM as your primary encryption method, you cannot switch back to Password Manager Pro encryption without completely reconfiguring Password Manager Pro. To return to Password Manager Pro encryption and recover some of the data from your old build, do either of the following:
    1. Export all resources and their passwords from the Password Manager Pro build that is using HSM encryption, to use as a backup. Uninstall the old build and install Password Manager Pro anew without HSM encryption. Reinstalling Password Manager Pro erases your previous data; however, you can import the resources and passwords exported from the previous build to recover some of it.
    2. Uninstall the current version and restore an older backup of Password Manager Pro together with the Password Manager Pro encryption key it was taken with.
  2. It is not possible to switch between the Module Only Key and Softcards modes after the initial configuration.
  3. If the current primary encryption method on your Password Manager Pro server is SafeNet Luna HSM, a direct transition to Entrust nShield HSM is not possible without completely reconfiguring Password Manager Pro.

3.1 Steps to Configure the Entrust nShield HSM in a High Availability Setup

If you have High Availability (HA) enabled for Password Manager Pro in your environment, you will have to reconfigure the HA setup after transitioning to the Entrust nShield HSM as your primary encryption mode.

Follow the below steps to configure the Entrust nShield HSM in a HA setup:

  1. Install and configure the nShield Security World software on both the primary and secondary servers, and set up high availability as per the steps in the following documents, based on the database you use: PostgreSQL / MS SQL.
  2. Then, based on the encryption mode you have chosen, complete the HSM configuration in the HA setup as follows:
    1. If you have chosen Module Only Key mode: copy the key file from C:\ProgramData\nCipher\Key Management Data\local (kmdata/local on Linux) on the primary server and place it in the same path on the secondary server.
    2. If you have chosen Softcards mode: you will find 2 Softcard key files in C:\ProgramData\nCipher\Key Management Data\local (kmdata/local on Linux). Copy both files and place them in the same path on the secondary server.
  3. Start both the primary and the secondary servers.
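
The copy in step 2 above, and the backup copy that the Important Notes in section 2 recommend, are the same operation: move the key files out of kmdata/local and prove that the copies are intact before relying on them. The following script is an added example (not ManageEngine or Entrust code) for Linux hosts; it selects the files for the chosen mode, copies them preserving mode and timestamps, and checks every copy by SHA-256. The path /opt/nfast/kmdata/local and the name patterns key_* and softcard_* (for what the page calls "the key file" and "the 2 Softcard key files") are assumptions, not values from the page.

```shell
#!/usr/bin/env bash
# Copy the Password Manager Pro key material out of kmdata/local (to an offline backup, or into
# the HA secondary's kmdata/local) and verify every copy by SHA-256. Added example, not
# ManageEngine or Entrust code. Assumptions not stated on the page: Linux hosts with the
# Security World key store at /opt/nfast/kmdata/local, and the files the page calls "the key
# file" (Module Only Key) and "the 2 Softcard key files" (Softcards) matching key_* and
# softcard_* respectively.
set -u

# Print, sorted, the key-material files for MODE ("module" or "softcard") found directly in DIR.
# The world and module_* files are deliberately excluded: the secondary gets those from its own
# Security World setup (section 3.1, step 1).
list_key_files() {
  local dir="$1" mode="$2"
  case "$mode" in
    module)   find "$dir" -maxdepth 1 -type f -name 'key_*' | sort ;;
    softcard) find "$dir" -maxdepth 1 -type f \( -name 'key_*' -o -name 'softcard_*' \) | sort ;;
    *)        echo "unknown mode '$mode' (expected module or softcard)" >&2; return 2 ;;
  esac
}

# Print the SHA-256 digest of one file.
digest() {
  sha256sum "$1" | cut -d' ' -f1
}

# Compare every MODE key file in SRC with its namesake in DST; print the number checked and
# return 1 on a missing or differing file. Run this again on the secondary after the transfer.
verify_key_files() {
  local src="$1" dst="$2" mode="$3" files f name n=0
  files=$(list_key_files "$src" "$mode") || return 2
  for f in $files; do
    name=$(basename "$f")
    if [ ! -f "$dst/$name" ]; then
      echo "missing on destination: $name" >&2
      return 1
    fi
    if [ "$(digest "$f")" != "$(digest "$dst/$name")" ]; then
      echo "digest mismatch: $name" >&2
      return 1
    fi
    n=$((n + 1))
  done
  echo "$n"
}

# Copy the MODE key files from SRC to DST, preserving mode and timestamps, then verify them.
# Prints the number of files copied; refuses to report success for an empty match.
replicate_key_files() {
  local src="$1" dst="$2" mode="$3" files f n
  files=$(list_key_files "$src" "$mode") || return 2
  if [ -z "$files" ]; then
    echo "no $mode key files found in $src" >&2
    return 1
  fi
  mkdir -p "$dst"
  for f in $files; do
    cp -p "$f" "$dst/"
  done
  n=$(verify_key_files "$src" "$dst" "$mode") || return 1
  echo "$n"
}

# Usage (live): ./replicate_hsm_keys.sh /opt/nfast/kmdata/local /mnt/hsm-backup/kmdata-local softcard
if [ "$#" -eq 3 ]; then
  replicate_key_files "$1" "$2" "$3"
fi
```

For the secondary, the destination is that server's own kmdata/local and the copied files must remain readable by the account the Security World software runs as; for a backup, point the destination at a directory only administrators can read. A key blob loads only in the Security World it was created in, so a backup of these files is useless without the corresponding world file and ACS cards, which should be backed up under your Security World procedures as well.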

Notes:

  1. Please ensure that both the primary and secondary servers in the HA setup are running Password Manager Pro build 5550 or above.
  2. After switching to Entrust nShield HSM as the encryption mode, also reconfigure the Application Scaling and Failover Service, in the same way as HA.

3.2 Steps to Rotate the HSM Key

As a security best practice, we recommend periodically rotating encryption keys. The same procedure used to rotate the Password Manager Pro encryption key also works for the HSM keys; refer to the key rotation documentation for the steps in both HA and non-HA setups.

4. Troubleshooting Steps

Below is a list of errors you may encounter in the SwitchToHSM_log.txt log file if incorrect values were passed during the integration process. The SwitchToHSM_log.txt file is located under <Password Manager Pro_Installation_Folder>\logs.

4.1 Exceptions

Exception #1: java.lang.NoClassDefFoundError: com/ncipher/provider/km/nCipherKM

Problem: The nCipherKM.jar file is not present in <Password Manager Pro_Installation_Folder>\lib, so the nShield Java provider cannot be loaded.

Solution: Place nCipherKM.jar in the lib folder as described in section 3, step 8, and rerun the migration.

Exception #2: error (st=DecryptFailed) : NFKM_checkpp

Problem: The Softcard passphrase provided during migration was incorrect.

Solution: Please repeat the steps in section 3 with the correct Softcard passphrase.

4.2 Error

Problem: The Password Manager Pro service does not start, and the following error is present in wrapper.log: Error: Exception while initializing ManageEngine Password Manager Pro Cryptography. java.lang.Exception: Exception occurred while decrypting

Solution: The HSM key file is not present in C:\ProgramData\nCipher\Key Management Data\local (kmdata/local on Linux) on this server. Copy it there as described in section 3.1 and restart the service.

 
