Hardware Security Module
Integration
With BeyondInsight and Password Safe
Process
© 2016. BeyondTrust Software, Inc. Hardware Security Module Integration
Table of Contents
Executive Summary  4
Introduction  5
  Document Conventions  5
  Glossary and Acronyms  5
Configure a Hardware Security Module for use in BeyondTrust Products  6
  Prerequisites  6
  Supported Hardware Security Module Devices  6
  Add a New HSM Credential to BI  6
  Cancel New Credential Addition  8
Manage Hardware Security Module Credentials  9
  Edit existing HSM credentials  9
  Consequences of Editing Existing HSM credentials  9
  Delete existing credentials  9
Hardware Security Module Integration with BeyondTrust Products  11
  Which HSM Credentials are used?  11
  What happens to archived HSM Credentials?  11
Configuration Graphical User Interface Guide  11
  Ribbon Menu Items  11
  Context Menu Items  11
  View Buttons  12
  Row Status  12
  Cell Status  12
About BeyondTrust  13
Executive Summary
BeyondTrust® produces and maintains a suite of software products that are used to maintain
network and device security.
Two of the products produced by BeyondTrust® (BeyondInsight and Password Safe) provide the
capability to encrypt, store, and access various types of credentials. BeyondInsight (BI) and
PowerBroker Password Safe (PBPS) typically use software encryption algorithms with local key
management to encrypt and decrypt credentials.
BI and PBPS now provide the capability to use a Hardware Security Module (HSM) to handle
encryption key management and cryptographic processing for stored credentials.
This document provides the procedures to configure and manage HSM devices for
cryptographic processing of stored credentials in BI and PBPS.
Introduction
BI and PBPS provide the capability to store and manage various user credentials. BI and PBPS
both use software encryption algorithms and key storage as the default method to encrypt
credentials.
BI and PBPS provide the capability to use a Hardware Security Module (HSM) to encrypt and
decrypt credentials as of BI version 6.2. An HSM may be used to manage encryption keys and
to perform the encryption and decryption operations.
An HSM is a device that manages digital cryptography keys and provides cryptographic
processing functionality. An HSM takes over the key management, encryption, and decryption
functionality for credential storage if an HSM has been configured.
HSMs are configured and managed using the Retina Events Manager (REM) configuration tool
(referred to as REMConfig). The REM configuration tool lets users configure one or more HSMs.
The procedures to configure and manage HSM devices are outlined later in this document.
Document Conventions
The following conventions will be used in this document:
Normal Text
Computer printed text
Data you should fill in
Variable data like system names
Glossary and Acronyms
BeyondInsight: BI
Hardware Security Module: HSM
PowerBroker Password Safe: PBPS
Retina Events Manager: REM
REM Configuration Tool: REMConfig
Configure a Hardware Security Module for use in BeyondTrust
Products
This section describes the process for configuring a new Hardware Security Module using REM
Configuration Manager.
Prerequisites
A Windows Server instance with BI installed and the BI database configured.
A supported HSM must be configured and accessible to the server running BI and PBPS. Note
the location of the driver assemblies for the HSM. For example, the Cryptoki drivers for a
Thales nShield Connect series HSM are located at %NFAST_HOME%/toolkits/*.dll (where
%NFAST_HOME% is a Windows environment variable). The driver location will be required
during HSM configuration.
There must be no other credentials configured in the database when the HSM configuration
procedure is executed.
Supported Hardware Security Module Devices
BI and PBPS support the following model of HSM:
Thales nShield Connect series
Add a New HSM Credential to BI
1. Log on to the Windows 2012 server that is running BI and is configured to access the HSM.
2. To start REM Manager, click the Windows button, and go to eEye Digital Security.
3. Click the BI Configuration icon.
A User Account Control dialog box might appear at this point. If so, click Yes to continue.
4. Click Configure HSM Credentials.
5. Select Edit -> Add New HSM.
6. Enter HSM details.
7. Click Save.
Cancel New Credential Addition
1. Right-click an HSM device.
2. Select Cancel Credential Addition.
3. Click Save and Close.
Manage Hardware Security Module Credentials
Edit existing HSM credentials
1. Right-click an existing credential.
2. Select Edit Credential.
3. Click on the respective cell to modify the values of Slot, Key Name, Description, or PIN. Click
the link text in the Driver Path cell to modify the Driver Path.
4. Enter new value.
5. Click Save.
Consequences of Editing Existing HSM credentials
Editing an existing HSM credential may prevent BI and PBPS from successfully decrypting the
credentials which were encrypted using the existing HSM credential.
BI and PBPS may fail to decrypt a credential for the following common reasons:
If the HSM device cannot be reached due to an invalid HSM driver
If BI or PBPS cannot authenticate with the HSM device due to an invalid slot or PIN value
If the encryption key name configured in the HSM credential does not match the encryption
key name that was used to encrypt a credential
Delete existing credentials
1. Right-click a credential.
2. Click Delete Credential.
3. Click Save and Close.
Hardware Security Module Integration with BeyondTrust Products
Which HSM Credentials are used?
BI and PBPS will only use one set of HSM credentials to encrypt any stored credential at a given
time. BI and PBPS will always encrypt new or edited credentials using the latest stored set of
HSM credentials.
BI and PBPS provide support for ‘legacy’ HSM credentials. Credentials which were encrypted
using an older set of HSM credentials will still be accessible, so long as the HSM credential used
to encrypt it has not been manually deleted.
What happens to archived HSM Credentials?
Archived HSM credentials will remain in the BI and PBPS database until they are manually
deleted.
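The rule above (new or edited credentials are encrypted with the latest set of HSM credentials; older records stay readable under the set that encrypted them until that set is deleted) and the three decryption failure modes listed under "Consequences of Editing Existing HSM credentials" can be modelled in a few dozen lines. The following Python is an added example, not BeyondTrust code: the simulated HSM, its driver file name, slot, PIN and key labels are constructed, and the toy keystream stands in for the real HSM encryption.

```python
import hashlib
from collections import namedtuple

# Constructed model, not BeyondTrust code. A REMConfig HSM credential row carries
# the fields this document lists: Driver Path, Slot, Key Name and PIN.
HsmCredential = namedtuple("HsmCredential", "driver_path slot key_name pin")

class FakeHsm:
    # Stand-in for the Cryptoki-backed device; path, PIN and key labels are made up.
    driver_path = "%NFAST_HOME%/toolkits/cknfast.dll"          # hypothetical file name
    slots = {0: "1234"}                                        # slot -> PIN
    keys = {(0, "bi-master"): b"key-1", (0, "bi-master-2"): b"key-2"}

    def key_for(self, c):
        if c.driver_path != self.driver_path:
            raise RuntimeError("HSM unreachable: invalid driver path")
        if self.slots.get(c.slot) != c.pin:
            raise RuntimeError("HSM login failed: invalid slot or PIN")
        if (c.slot, c.key_name) not in self.keys:
            raise RuntimeError("no key with that name on the HSM")
        return self.keys[(c.slot, c.key_name)]

def _xor(key, data):
    # Toy keystream (SHA-256 of key || counter) for the demo only, not a real cipher.
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

class CredentialStore:
    def __init__(self, hsm):
        self.hsm, self.hsm_creds, self.records = hsm, [], {}

    def add_hsm_credential(self, c): self.hsm_creds.append(c)      # becomes the latest set
    def edit_hsm_credential(self, i, c): self.hsm_creds[i] = c     # edited in place
    def delete_hsm_credential(self, i): self.hsm_creds[i] = None   # manual deletion

    def store(self, name, secret):
        i = len(self.hsm_creds) - 1                       # always the latest set
        key = self.hsm.key_for(self.hsm_creds[i])
        self.records[name] = (i, _xor(key, secret), hashlib.sha256(key + secret).digest())

    def fetch(self, name):
        i, ct, tag = self.records[name]                   # the set recorded at encryption time
        if self.hsm_creds[i] is None:
            raise RuntimeError("HSM credential used for this record was deleted")
        key = self.hsm.key_for(self.hsm_creds[i])
        pt = _xor(key, ct)
        if hashlib.sha256(key + pt).digest() != tag:
            raise RuntimeError("key name mismatch: wrong key for this record")
        return pt
```

Each record remembers which HSM credential set encrypted it, so adding a second set leaves old records readable, whereas editing the first set's key name, PIN or driver path, or deleting it, makes those records fail in exactly the ways the document lists.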
Configuration Graphical User Interface Guide
This section describes the GUI itself, independent of any particular procedure: what the
different colors and highlighting mean, when certain context menu items are available, and so on.
Ribbon Menu Items
Edit -> Add New HSM Credential
Add a new, editable row to the HSM credentials list to facilitate adding a new HSM
credential to the database.
Edit -> Undo All changes
This button is currently disabled. The functionality will be implemented in a future release.
Context Menu Items
Context menu items are shown when a user right-clicks an HSM row.
Edit Credential
Makes an existing HSM credential entry writeable.
Delete Credential
Removes an existing HSM credential from the database.
Cancel Row Addition
Discards the information and row for an HSM credential which is being added.
View Buttons
These are the buttons that are constantly available in the HSM Configuration view.
Close
Closes the HSM configuration window. Note that this will discard all unsaved changes to
existing HSM credentials, and any unsaved new HSM credentials.
Save
Saves all of the changes to existing HSM credentials and all new HSM credentials to the
database.
Save and Close
Saves all of the changes to existing HSM credentials and all new HSM credentials to the
database, and closes the HSM configuration window.
Test Active Credential
Tests the HSM connection information in the currently selected row.
Row Status
The background color for each row denotes the status of the information contained in the row.
White background – the row represents an existing HSM credential which has not been
made editable
Green background – the row represents an HSM Credential that has been flagged for
editing, but has not been saved yet
Cell Status
White background – the cell is part of an existing HSM credential which has not been
flagged for editing, or is a cell with no value in a new HSM credential
Green background – the cell is part of a row that has been flagged for editing, but has not
yet been saved. The cell contents have not yet been modified.
Purple background – the cell is part of a row that has been flagged for editing, but has not
yet been saved. The cell contents have been modified.
About BeyondTrust
BeyondTrust® is a global security company that believes preventing data breaches requires
the right visibility to enable control over internal and external risks.
We give you the visibility to confidently reduce risks and the control to take proactive,
informed action against data breach threats. And because threats can come from
anywhere, we built a platform that unifies the most effective technologies for addressing
both internal and external risk: Privileged Account Management and Vulnerability
Management. Our solutions grow with your needs, making sure you maintain control no
matter where your organization goes.
BeyondTrust's security solutions are trusted by over 4,000 customers worldwide, including
over half of the Fortune 100. To learn more about BeyondTrust, please visit
www.beyondtrust.com.