Integration with the Entrust nShield Hardware Security Module (HSM)

Apart from the default encryption method, PAM360 integrates with Entrust nShield HSM, a hardware security module, and provides an option to enable hardware-based data encryption. The integration allows you to utilize hardware-based data encryption for the privileged digital identities and the personal passwords stored in the PAM360 database. You can secure your data encryption key within the HSM to safeguard it locally in your environment. Through this integration, it is also possible to achieve FIPS 140-2 compliance for the privileged identities in your environment and ensure enhanced data security.

PAM360 supports two modes of encryption with the Entrust nShield HSM:

  1. Module Only Key
  2. Softcards

Read further to learn how to configure them in detail.

  1. Workflow Diagram
  2. Configuring the Entrust nShield HSM
  3. Migrating to the Entrust nShield HSM Encryption

1. Workflow Diagram

The workflow diagram depicting the encryption and decryption workflow between PAM360 and the Entrust nShield HSM is as follows:

2. Configuring the Entrust nShield HSM

2.1 Steps to Install the Entrust nShield HSM

Follow these steps to install and configure PAM360 with the Entrust nShield HSM.

2.1.1 Prerequisites

The following are needed for the integration:

  1. A working instance of PAM360.
  2. An nShield Connect HSM.
  3. Good connectivity between the PAM360 instance and nShield's Security World.

    Please note that the Security World software must be installed and configured on the same server where PAM360 is running. The Entrust nShield HSM itself can reside on any machine that is reachable by the PAM360 server.

2.2 Steps to Install the Security World Software

Note: We recommend you uninstall any existing nShield software before installing the new nShield software.

  1. Install and configure the Security World software. For instructions, refer to the Installation Guide and the User Guide for the HSM.
  2. Add the Security World utilities path C:\Program Files\nCipher\nfast\bin to the Windows system path.
  3. Run the following commands to check connectivity between the machine where PAM360 is running and the nShield Security World.

    anonkneti <Unit IP>

    The output of this command is:

    <Unit ESN> <Unit KNETI HASH>

    ESN refers to the Electronic Serial Number.

    To enroll, run the following command:

    nethsmenroll <Unit IP>
  4. Run the enquiry utility to verify that the HSM is configured properly.
    C:\Users\Administrator>enquiry
    Server

    enquiry reply flags none
    enquiry reply level Six
    serial number ####-####-####
    mode operational
    ...

    Module #1

    enquiry reply flags none
    enquiry reply level Six
    serial number ####-####-####
    mode operational
    ...
  5. Extract and place the world and module files in the path C:\ProgramData\nCipher\Key Management Data\local on Windows (kmdata/local on Linux) to complete the configuration.
    You can then run a local benchmark, for example: perfcheck -m1 signing:287
  6. As per your organization's security policy, create a Security World if you don't have one already. As a precaution, create extra ACS cards for each person who has access privileges, plus a few spares.
    new-world -i -m <module_number> -Q <K/N>
    Note: After an ACS card set has been created, the cards cannot be duplicated.
  7. Run the nfkminfo utility to confirm the Security World is operational:

    C:\Users\Administrator>nfkminfo
    World
    generation 2
    state 0x37270008 Initialised Usable ...
    ...
    Module #1
    generation 2
    state 0x2 Usable
    ...
    Module #1 Slot #0 IC 0
    generation 1
    phystype SmartCard
    ...
    error OK
    ...
    Module #1 Slot #1 IC 0
    generation 1
    phystype SoftToken
    ...
    error OK
    ...
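
The checks that steps 4 and 7 ask you to make can be scripted. The following Python is an added example, not part of PAM360 or the nShield software: it parses the text that enquiry and nfkminfo print (constructed samples are embedded; the serial number is a placeholder) and reports whether every module is operational and whether the Security World and its modules are usable.

```python
"""Preflight check of the nShield Security World before running SwitchToHSM.
Added example, not PAM360 or nShield code: it parses the text that `enquiry`
(step 4) and `nfkminfo` (step 7) print, fed here as constructed samples shaped
like the output shown above, and checks what those steps ask you to confirm."""
import re

SAMPLE_ENQUIRY = """Server:
 enquiry reply flags  none
 mode                 operational

Module #1:
 serial number        0000-0000-0000
 mode                 operational
"""
SAMPLE_NFKMINFO = """World
 state       0x37270008 Initialised Usable Recovery

Module #1
 state       0x2 Usable

Module #1 Slot #0 IC 0
 phystype    SmartCard
 state       0x2 Empty
"""
FIELD = re.compile(r"^\s+(mode|state)\s+(.+?)\s*$")  # the fields we judge
MODULE = re.compile(r"^Module #\d+$")                 # a module, not its slots

def parse_sections(text):
    """Map each unindented header (Server, Module #1, World...) to its fields."""
    sections, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():
            current = line.strip().rstrip(":")
            sections[current] = {}
        elif current is not None and (m := FIELD.match(line)):
            sections[current][m.group(1)] = m.group(2)
    return sections

def modules_not_operational(enquiry_text):
    """Sections (Server, Module #n) whose enquiry mode is not 'operational'."""
    return sorted(n for n, f in parse_sections(enquiry_text).items()
                  if f.get("mode") != "operational")

def world_usable(nfkminfo_text):
    """True when the World is Initialised and Usable and every module is Usable."""
    sections = parse_sections(nfkminfo_text)
    flags = set(sections.get("World", {}).get("state", "").split())
    modules = [f for n, f in sections.items() if MODULE.match(n)]
    return ({"Initialised", "Usable"} <= flags and bool(modules)
            and all("Usable" in f.get("state", "").split() for f in modules))
```

Feed the real stdout of enquiry and nfkminfo to the same two functions; an empty list and True mean the Security World is ready for the migration in section 3.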

Important Notes:

  1. The Softcard key is stored as an environmental variable in the path C:\ProgramData\nCipher\Key Management Data\local and it is not saved in the PAM360 database.
  2. Based on the encryption mode you have opted for, we highly recommend that you save a copy of the Module Only Key, or of the Softcard and the Softcard key, in a secure location.

3. Migrating to the Entrust nShield HSM Encryption

Follow the steps below to initiate the migration from PAM360 encryption to the Entrust nShield HSM encryption:

  1. Stop the PAM360 service.
  2. Open a command prompt and navigate to <PAM360_SERVER_HOME>\bin directory.
  3. Execute the following command:

    For Windows:
    SwitchToHSM.bat

    For Linux:
    sh SwitchToHSM.sh

  4. The command will bring up the following dialog box:

  5. Here, choose Entrust nShield from the HSM Solution drop-down. In the nShield Features option, choose either Module only key or Softcards.
  6. If you choose the Module Only Key mode, you do not need to enter a passphrase. If you choose Softcards, enter the Softcard name and its passphrase.
  7. Verify the details and click Migrate.
  8. To ensure that the integration succeeds, copy the nCipherKM.jar file from your nShield installation folder into the <PAM360_Installation_Folder>\lib directory.
  9. Restart the PAM360 service to complete the HSM migration.
  10. To check the method of encryption applied in PAM360, go to the Admin tab in the PAM360 interface and select Configuration >> Encryption and HSM.

Important Notes:

  1. Once you have configured the Entrust nShield HSM as your primary encryption method, you cannot switch back to PAM360 encryption without a complete reconfiguration of PAM360. To switch to PAM360 encryption once again and regain some of the data from your old build, you can do either of the following:
    1. Export all resources and their passwords from the PAM360 build that is using HSM encryption to use as a backup. Uninstall the old build and install PAM360 anew without HSM encryption. Reinstalling PAM360 will erase your previous data. However, you can import the resources and passwords taken from the previous build to recover some of the data.
    2. Uninstall the current version and restore an older backup of PAM360 with the PAM360 encryption key.
  2. It is not possible to switch encryption modes after the initial configuration.
  3. If the current primary encryption method in your PAM360 server is SafeNet Luna HSM, direct transition to the Entrust nShield HSM is not possible without complete reconfiguration of PAM360.

3.1 Steps to Configure the Entrust nShield HSM in a High Availability Setup

If you have High Availability (HA) enabled for PAM360 in your environment, you will have to reconfigure the HA setup after transitioning to the Entrust nShield HSM as your primary encryption mode.

Follow the steps below to configure the Entrust nShield HSM in an HA setup:

  1. Install and configure nShield in the primary and secondary servers and set up high availability as per the steps provided in the following documents, based on the database you use: PostgreSQL / MS SQL.
  2. Now, based on the encryption mode you have chosen, do as follows to complete the HSM configuration in an HA setup:
    1. If you have chosen Module only key mode: Copy the key file from the directory path C:\ProgramData\nCipher\Key Management Data\local in the primary server and place it in the aforementioned path in the secondary server.
    2. If you have chosen Softcards mode: You will find 2 Softcard key files in the directory path C:\ProgramData\nCipher\Key Management Data\local. Copy both the key files and place them in the aforementioned path in the secondary server.
  3. Start both the primary and the secondary servers.

Notes:

  1. Please ensure that both the primary and secondary servers in the HA setup are running PAM360 build 5550 or above.
  2. After switching to the Entrust nShield HSM as the encryption mode, make sure that you also reconfigure the Application Scaling and Failover Service, as you did for HA.

3.2 Steps to Rotate the HSM Key

As a security best practice, we recommend periodically rotating encryption keys. The same steps used to rotate the PAM360 encryption key will work for the HSM keys as well. Click here to learn how to rotate the HSM key in both HA and non-HA setups.

4. Troubleshooting Steps

Below is a list of errors that you may encounter in the SwitchToHSM_log.txt log file if any of the values passed during the integration process are incorrect. The SwitchToHSM_log.txt file is located under the directory path <PAM360_Installation_Folder>\logs.

4.1 Exceptions

Exception #1: java.lang.NoClassDefFoundError: com/ncipher/provider/km/nCipherKM

Problem: The jar file nCipherKM.jar is not available in the directory path: <PAM360_Installation_Folder>\lib.

Solution: Place the nCipherKM.jar file in the lib folder, as described in step 8 of section 3, to rectify the error.

Exception #2: error (st=DecryptFailed) : NFKM_checkpp

Problem: The Softcard passphrase provided during migration was incorrect.

Solution: Please repeat the steps in section 3 with the correct Softcard passphrase.

4.2 Error

Problem: The PAM360 service does not start, and the following error is present in the Wrapper.log: Error: Exception while initializing ManageEngine PAM360 Cryptography. java.lang.Exception: Exception occurred while decrypting

Solution: The HSM key is not present in the directory path C:\ProgramData\nCipher\Key Management Data\local, as mentioned in step 3.1.
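
The three errors above can be matched against a log automatically and, where the documented cause is a missing file, checked on disk. The following Python is an added example, not PAM360 code: the log lines are constructed, the PAM360 and Key Management Data paths are parameters, and the assumption that application key files in the Key Management Data directory are named key_* is not something this page states.

```python
"""Triage of the SwitchToHSM_log.txt / Wrapper.log errors listed in this section.
Added example, not PAM360 code: it scans log lines for the three documented
signatures and, for the two file-based causes, checks the documented condition
on disk. Paths are parameters; the log lines are constructed samples, and the
key_* file naming in the Key Management Data directory is an assumption."""
import re
from pathlib import Path

SIGNATURES = [  # (id, pattern taken from the text above, documented remedy)
    ("missing_jar",
     re.compile(r"NoClassDefFoundError: com/ncipher/provider/km/nCipherKM"),
     "Copy nCipherKM.jar from the nShield installation into <PAM360_Installation_Folder>\\lib."),
    ("bad_passphrase",
     re.compile(r"\(st=DecryptFailed\)\s*:\s*NFKM_checkpp"),
     "Repeat the migration (section 3) with the correct Softcard passphrase."),
    ("missing_key",
     re.compile(r"Exception while initializing ManageEngine PAM360 Cryptography"),
     "Restore the HSM key file(s) to the Key Management Data local directory."),
]
SAMPLE_LOG = """\
[INFO] SwitchToHSM: starting migration
[SEVERE] java.lang.NoClassDefFoundError: com/ncipher/provider/km/nCipherKM
[SEVERE] error (st=DecryptFailed) : NFKM_checkpp
[SEVERE] java.lang.NoClassDefFoundError: com/ncipher/provider/km/nCipherKM
"""

def find_signatures(log_text):
    """Signature ids present in the log, in order of first appearance."""
    found = []
    for line in log_text.splitlines():
        for sid, pattern, _ in SIGNATURES:
            if sid not in found and pattern.search(line):
                found.append(sid)
    return found

def cause_confirmed(sid, pam360_home, kmdata_local):
    """True/False when the documented on-disk cause can be checked, else None."""
    if sid == "missing_jar":
        return not (Path(pam360_home) / "lib" / "nCipherKM.jar").is_file()
    if sid == "missing_key":  # assumed nShield naming: application keys are key_*
        return not any(Path(kmdata_local).glob("key_*"))
    return None

def triage(log_text, pam360_home, kmdata_local):
    """List of (signature id, cause confirmed on disk, documented remedy)."""
    remedies = {sid: remedy for sid, _, remedy in SIGNATURES}
    return [(sid, cause_confirmed(sid, pam360_home, kmdata_local), remedies[sid])
            for sid in find_signatures(log_text)]
```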

 
