Hardware Security Module Integration With BeyondInsight and Password Safe Process
Post on 13-Oct-2020

© 2016. BeyondTrust Software, Inc. Hardware Security Module Integration

Table of Contents

Executive Summary
Introduction
  Document Conventions
  Glossary and Acronyms
Configure a Hardware Security Module for use in BeyondTrust Products
  Prerequisites
  Supported Hardware Security Module Devices
  Add a New HSM Credential to BI
  Cancel New Credential Addition
Manage Hardware Security Module Credentials
  Edit existing HSM credentials
  Consequences of Editing Existing HSM credentials
  Delete existing credentials
Hardware Security Module Integration with BeyondTrust Products
  Which HSM Credentials are used?
  What happens to archived HSM Credentials?
Configuration Graphical User Interface Guide
  Ribbon Menu Items
  Context Menu Items
  View Buttons
  Row Status
  Cell Status
About BeyondTrust


Executive Summary

BeyondTrust® produces and maintains a suite of software products that are used to maintain network and device security.

Two of the products produced by BeyondTrust® (BeyondInsight and Password Safe) provide the capability to encrypt, store, and access various types of credentials. BeyondInsight (BI) and PowerBroker Password Safe (PBPS) typically use software encryption algorithms with local key management to encrypt and decrypt credentials.

BI and PBPS now provide the capability to use a Hardware Security Module (HSM) to handle encryption key management and cryptographic processing for stored credentials.

This document provides the procedures to configure and manage HSM devices for cryptographic processing of stored credentials in BI and PBPS.


Introduction

BI and PBPS provide the capability to store and manage various user credentials. BI and PBPS both use software encryption algorithms and key storage as the default method to encrypt credentials.

As of BI version 6.2, BI and PBPS provide the capability to use a Hardware Security Module (HSM) to encrypt and decrypt credentials. An HSM may be used to manage encryption keys and to perform the encryption and decryption operations.

An HSM is a device that manages digital cryptography keys and provides cryptographic processing functionality. Once an HSM has been configured, it takes over the key management, encryption, and decryption functionality for credential storage.

HSMs are configured and managed using the Retina Events Manager (REM) configuration tool (referred to as REMConfig). The REM configuration tool provides users the capability to configure one or more HSMs. The procedures to configure and manage HSM devices are outlined later in this document.

Document Conventions

The following conventions will be used in this document:

Normal Text

Computer printed text

Data you should fill in

Variable data like system names

Glossary and Acronyms

BI: BeyondInsight
HSM: Hardware Security Module
PBPS: PowerBroker Password Safe
REM: Retina Events Manager
REMConfig: REM Configuration Tool


Configure a Hardware Security Module for use in BeyondTrust Products

This section describes the process for configuring a new Hardware Security Module using REM Configuration Manager.

Prerequisites

A Windows Server instance with BI installed and the BI database configured.

A supported HSM must be configured and accessible to the server running BI and PBPS. Note the location of the driver assemblies for the HSM. For example, the Cryptoki drivers for a Thales nShield Connect series HSM are located at %NFAST_HOME%/toolkits/*.dll (where %NFAST_HOME% is a Windows environment variable). The driver location will be required during HSM configuration.

There must be no other credentials configured in the database when the HSM configuration procedure is executed.

Supported Hardware Security Module Devices

BI and PBPS support the following model of HSM:

Thales nShield Connect series

Add a New HSM Credential to BI

1. Log on to the Windows 2012 server that is running BI and is configured to access the HSM.

2. To start REM Manager, click the Windows button, and go to eEye Digital Security.

3. Click the BI Configuration icon.

A User Account Control dialog box might appear at this point. If so, click Yes to continue.


4. Click Configure HSM Credentials.

5. Select Edit -> Add New HSM.

6. Enter HSM details.

7. Click Save.


Cancel New Credential Addition

1. Right-click an HSM device.

2. Select Cancel Credential Addition.

3. Click Save and Close.


Manage Hardware Security Module Credentials

Edit existing HSM credentials

1. Right-click an existing credential.

2. Select Edit Credential.

3. Click the respective cell to modify the values of Slot, Key Name, Description, or PIN. Click the link text in the Driver Path cell to modify the Driver Path.

4. Enter new value.

5. Click Save.

Consequences of Editing Existing HSM credentials

Editing an existing HSM credential may prevent BI and PBPS from successfully decrypting the credentials which were encrypted using the existing HSM credential.

BI and PBPS may fail to decrypt a credential for the following common reasons:

If the HSM device cannot be reached due to an invalid HSM driver

If BI or PBPS cannot authenticate with the HSM device due to an invalid slot or PIN value

If the encryption key name configured in the HSM credential does not match the encryption key name that was used to encrypt a credential

Delete existing credentials

1. Right-click a credential.


2. Click Delete Credential.

3. Click Save and Close.


Hardware Security Module Integration with BeyondTrust Products

Which HSM Credentials are used?

BI and PBPS will only use one set of HSM credentials to encrypt any stored credential at a given time. BI and PBPS will always encrypt new or edited credentials using the latest stored set of HSM credentials.

BI and PBPS provide support for ‘legacy’ HSM credentials. Credentials which were encrypted using an older set of HSM credentials will still be accessible, so long as the HSM credential used to encrypt it has not been manually deleted.

What happens to archived HSM Credentials?

Archived HSM credentials will remain in the BI and PBPS database until they are manually deleted.
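The rules in the two sections above (the latest HSM credential set encrypts; a legacy set keeps decrypting only while it still exists in the database) and the three decryption failure reasons listed under "Consequences of Editing Existing HSM credentials" can be exercised in a small model. The following Python is an added example and is not BeyondTrust code: FakeHsm, CredentialStore and the toy keystream cipher are assumptions standing in for the real PKCS#11 token and the BI/PBPS database, and the driver path, slot, PIN and key names are constructed placeholders.

```python
"""Model of the HSM credential-versioning rules described in this document.

Added example, not BeyondTrust code. FakeHsm stands in for the PKCS#11 token
(driver path, slot and PIN gate access to keys that never leave it) and the
SHA-256 keystream is a toy cipher so the example runs offline.
"""
import hashlib
import os
from dataclasses import dataclass, replace


class HsmError(Exception):
    """Raised for the decryption failures the document lists."""


@dataclass(frozen=True)
class HsmCredential:
    """The fields REMConfig stores per HSM credential: Driver Path, Slot, PIN, Key Name."""
    driver_path: str
    slot: int
    pin: str
    key_name: str
    description: str = ""


class FakeHsm:
    """Stand-in for the token: checks driver, then slot/PIN, then key name."""

    def __init__(self, driver_path: str, slot: int, pin: str, keys: dict):
        self.driver_path, self.slot, self.pin = driver_path, slot, pin
        self._keys = keys  # key name -> secret held 'inside' the HSM

    def open_key(self, cred: HsmCredential) -> bytes:
        if cred.driver_path != self.driver_path:
            raise HsmError("HSM unreachable: invalid driver path")
        if cred.slot != self.slot or cred.pin != self.pin:
            raise HsmError("cannot authenticate to HSM: invalid slot or PIN")
        if cred.key_name not in self._keys:
            raise HsmError(f"key {cred.key_name!r} not found on HSM")
        return self._keys[cred.key_name]


def _toy_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 keystream; symmetric, so it both encrypts and decrypts."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class StoredSecret:
    cred_id: int       # which HSM credential set encrypted this record
    nonce: bytes
    ciphertext: bytes


class CredentialStore:
    """Models the BI/PBPS database: HSM credential sets plus the records they protect."""

    def __init__(self, hsm: FakeHsm):
        self.hsm = hsm
        self.hsm_creds: dict[int, HsmCredential] = {}  # higher id = newer set
        self.secrets: dict[str, StoredSecret] = {}

    def add_hsm_credential(self, cred: HsmCredential) -> int:
        cred_id = max(self.hsm_creds, default=0) + 1
        self.hsm_creds[cred_id] = cred
        return cred_id

    def edit_hsm_credential(self, cred_id: int, **changes) -> None:
        # Edits are in place, so records encrypted under this set now depend on the new values.
        self.hsm_creds[cred_id] = replace(self.hsm_creds[cred_id], **changes)

    def delete_hsm_credential(self, cred_id: int) -> None:
        del self.hsm_creds[cred_id]

    def store(self, name: str, plaintext: bytes) -> int:
        """New or edited records always use the latest stored HSM credential set."""
        if not self.hsm_creds:
            raise HsmError("no HSM credential configured")
        cred_id = max(self.hsm_creds)
        key = self.hsm.open_key(self.hsm_creds[cred_id])
        nonce = os.urandom(16)
        self.secrets[name] = StoredSecret(cred_id, nonce, _toy_cipher(key, nonce, plaintext))
        return cred_id

    def retrieve(self, name: str) -> bytes:
        """Legacy records decrypt with the set that encrypted them, if it still exists."""
        rec = self.secrets[name]
        cred = self.hsm_creds.get(rec.cred_id)
        if cred is None:
            raise HsmError(f"HSM credential {rec.cred_id} was deleted; record is unrecoverable")
        return _toy_cipher(self.hsm.open_key(cred), rec.nonce, rec.ciphertext)


def build_demo() -> tuple:
    """Constructed scenario: two key generations on one token, one record under each."""
    driver = r"%NFAST_HOME%\toolkits\PLACEHOLDER.dll"  # placeholder path, not a real file name
    hsm = FakeHsm(driver, 0, "1234", {"bi-key-2016": b"A" * 32, "bi-key-2017": b"B" * 32})
    store = CredentialStore(hsm)
    gen1 = store.add_hsm_credential(HsmCredential(driver, 0, "1234", "bi-key-2016"))
    store.store("db-admin", b"s3cr3t-old")    # encrypted under generation 1
    gen2 = store.add_hsm_credential(HsmCredential(driver, 0, "1234", "bi-key-2017"))
    store.store("svc-backup", b"s3cr3t-new")  # encrypted under generation 2, the latest set
    return store, gen1, gen2
```

Walking the scenario through build_demo() shows each rule in turn: the record stored after the second credential set was added carries that set's id, the older record still decrypts through the first set, editing the second set's Key Name, PIN or Driver Path to a wrong value makes its record fail with the corresponding error, and deleting the first set makes the older record unrecoverable while new records continue to use the latest set.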

Configuration Graphical User Interface Guide

This section provides specific details about the GUI without necessarily tying them to a specific procedure: for example, what the different colors/highlighting mean, when certain context menu items are available, etc.

Ribbon Menu Items

Edit -> Add New HSM Credential
Adds a new, editable row to the HSM credentials list to facilitate adding a new HSM credential to the database.

Edit -> Undo All changes
This button is currently disabled. The functionality will be implemented in a future release.

Context Menu Items

Context menu items are the menu items shown when a user right-clicks an HSM row.

Edit Credential
Makes an existing HSM credential entry writeable.

Delete Credential
Removes an existing HSM credential from the database.

Cancel Row Addition
Discards the information and row for an HSM credential which is being added.

View Buttons

These are the buttons that are constantly available in the HSM Configuration view.

Close
Closes the HSM configuration window. Note that this discards all unsaved changes to existing HSM credentials, and any unsaved new HSM credentials.

Save
Saves all changes to existing HSM credentials and all new HSM credentials to the database.

Save and Close
Saves all changes to existing HSM credentials and all new HSM credentials to the database, and closes the HSM configuration window.

Test Active Credential
Tests the HSM connection information in the currently selected row.

Row Status

The background color for each row denotes the status of the information contained in the row.

White background – the row represents an existing HSM credential which has not been made editable.

Green background – the row represents an HSM credential that has been flagged for editing, but has not been saved yet.

Cell Status

White background – the cell is part of an existing HSM credential which has not been flagged for editing, or is a cell with no value in a new HSM credential.

Green background – the cell is part of a row that has been flagged for editing, but has not yet been saved. The cell contents have not yet been modified.

Purple background – the cell is part of a row that has been flagged for editing, but has not yet been saved. The cell contents have been modified.


About BeyondTrust

BeyondTrust® is a global security company that believes preventing data breaches requires the right visibility to enable control over internal and external risks.

We give you the visibility to confidently reduce risks and the control to take proactive, informed action against data breach threats. And because threats can come from anywhere, we built a platform that unifies the most effective technologies for addressing both internal and external risk: Privileged Account Management and Vulnerability Management. Our solutions grow with your needs, making sure you maintain control no matter where your organization goes.

BeyondTrust's security solutions are trusted by over 4,000 customers worldwide, including over half of the Fortune 100. To learn more about BeyondTrust, please visit www.beyondtrust.com.