Quickstart
The quickstart section provides a comprehensive guide outlining the steps necessary to integrate CyberArk PAM with Securosys CloudHSM or on-premises Primus HSM.
Installing Primus PKCS#11 Provider
Install the latest version of Primus PKCS#11 provider on the device with the CyberArk Privileged Access Manager Vault Server already installed.
Follow the instructions in Installing Primus PKCS#11 Provider on CyberArk Vault.
Configuring Primus PKCS#11 Provider
Configure the Primus PKCS#11 provider by adapting the configuration file primus.cfg according to your set-up.
If network hardening is already configured on the host device, please see Configuring Primus HSM on CyberArk Primary Vault on how to enable an outgoing connection to the Securosys HSM.
Depending on your platform, the configuration file is located by default under the following path. On CyberArk PAM the primus.cfg file is best stored in:
- Unix: /etc/primus/primus.cfg
- Microsoft Windows: C:\Program Files\Securosys\Primus P11\primus.cfg
Consult Primus PKCS#11 User Guide - Configuration for alternative configuration file locations.
Follow the example in the Installing Primus PKCS#11 Provider on CyberArk Vault section.
Configuring Primus HSM on CyberArk Primary Vault
Follow the instructions provided in Configuring CyberArk Primary Vault with HSM.
- Allow traffic between CyberArk Primary Vault and the HSM in the DBParm.ini file.
- Set the pkcs11-password by running the command: CAVaultManager.exe SecureSecretFiles /SecretType HSM /Secret Password
Generate CyberArk Vault Server Key on HSM
Now you are ready to protect your Vault Server Keys using the HSM infrastructure.
Follow the instructions provided in the Tutorial - Securing the Vault Server Key to:
- Generate Vault Server Key on HSM
- Migrate Existing Vault Server Key to HSM