Thycotic Secret Server (2024)

This guide outlines step-by-step instructions for integrating Thycotic Secret Server with a Luna HSM device or the Luna Cloud HSM service. Thycotic Secret Server is a privileged access management (PAM) solution: it manages, controls, and secures privileged accounts and the sensitive information associated with them.

The key benefits of this integration are:

  • Secure generation, storage, and protection of the Secret Server encryption key using either FIPS 140-2 or FIPS 140-3 Level 3 validated hardware.

  • Full life cycle management of the keys to ensure their integrity and reliability throughout their usage.

  • Maintenance of a comprehensive HSM audit trail for transparency and accountability in key operations. Note that the Luna Cloud HSM service does not give you access to this audit trail.

  • Significant performance enhancements by offloading cryptographic operations from application servers.

Prerequisites

The prerequisites for this integration are:

Set up Luna HSM

Set up Thycotic Secret Server

Set up Luna HSM

As the first step to accomplish this integration, you need to set up either On-Premise Luna HSM or Luna Cloud HSM.

Set up On-Premise Luna HSM

Follow these steps to set up your on-premise Luna HSM:

Ensure that the HSM is set up, initialized, provisioned and ready for deployment. Refer to the HSM product documentation for help.

Create a partition that will be later used by Thycotic Secret Server.

Create and exchange certificates between the Luna Network HSM and the client system. Register the client and assign the partition to it to create an NTLS connection. Initialize the Crypto Officer and Crypto User roles for the registered partition.

Run the following command to verify that the partition has been successfully registered and configured:

/usr/safenet/lunaclient/bin/lunacm

You should see the following output:

lunacm.exe (64-bit) v10.2.0-111. Copyright (c) 2020 SafeNet. All rights reserved.

Available HSMs:

Slot Id ->              0
Label ->                Thycotic
Serial Number ->        1280780175917
Model ->                LunaSA 7.4.0
Firmware Version ->     7.3.0
Configuration ->        Luna User Partition With SO (PW) Key Export With Cloning Mode
Slot Description ->     Net Token Slot

Current Slot Id: 0

If you are using PED-authenticated HSMs, enable partition policies 22 and 23 to allow activation and auto-activation, so that the partition stays usable by the Secret Server service without a PED present.

Refer to Luna HSM documentation for detailed steps on creating NTLS connection, initializing the partitions, and assigning various user roles.

Set up Luna HSM High-Availability Group

Refer to the Luna HSM documentation for the steps and details of configuring two or more HSMs into an HA group on the host systems. You must enable the HAOnly setting for failover to work: if the primary goes down for any reason, all calls are then routed automatically to the secondary until the primary recovers and starts up.

This integration is tested in both HA and FIPS mode.

Set up Luna Cloud HSM

Follow these steps to set up your Luna Cloud HSM:

Transfer the downloaded .zip file to your client workstation using pscp, scp, or other secure means.

This integration has been certified on the RHEL platform.

Extract the .zip file into a directory on your client workstation.

Extract or untar the appropriate client package for your operating system into the client install directory itself, not into a new subdirectory.

tar -xvf cvclient-min.tar

Run the setenv script to create a new configuration file containing information required by the Luna Cloud HSM service.

source ./setenv

To add the configuration to an already installed UC client, use the -addcloudhsm option when running the setenv script.

Run the LunaCM utility and verify the Cloud HSM service is listed.

If your organization requires non-FIPS algorithms for your operations, ensure that the Allow non-FIPS approved algorithms check box is checked. For more information, refer to Supported Mechanisms.

Set up Thycotic Secret Server

Install Thycotic Secret Server on the target machine. Refer to Thycotic Documentation for detailed instructions.

Use Case I: Integrating Luna HSM with Thycotic Secret Server

The integration of Luna HSM with Thycotic Secret Server involves two key steps:

Configure SafeNet Key Storage Provider

Configure HSM

Configure SafeNet Key Storage Provider

To configure SafeNet Key Storage Provider:

Navigate to the directory where the SafeNet Key Storage Provider (KSP) is installed. If you are using a Luna Cloud HSM service, you'll find the KSP directory within the service client package.

Double-click KspConfig.exe to open the SafeNet KSP configuration wizard.

Within the configuration wizard, double-click Register or View Security Library in the left pane.

Click Browse and select a cryptographic library file, such as <Luna HSM Client installation directory>\cryptoki.dll.

Click Register. If you are using a Luna Cloud HSM service client, the required cryptographic libraries are typically included in the service client package. Upon successful registration, you will receive a confirmation message: Success registering the security library.

Double-click Register HSM Slots and provide the slot (partition) password.

Click Register Slot to register the slot for the Domain and Service Account that has access to the database and runs the IIS Application Pool(s) dedicated to Secret Server. Slot registrations in the KSP are per Windows user, so the account that actually hosts the Secret Server worker process is the one that needs it. On successful registration, you will receive a confirmation message: The slot was successfully and securely registered.

Register the same slot for NT_AUTHORITY\SYSTEM.

If you are using a Luna Cloud HSM service client, copy the SafeNetKSP.dll file from the service client package into the C:\Windows\System32 directory so that CNG can load the provider.

Restart the IIS to apply the configuration changes.
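As an added example (not code from the Thales or Thycotic documentation), the following PowerShell script checks, from an elevated prompt on the Secret Server node, the things the KSP registration above depends on: that cryptoki.dll exists where it was registered, that SafeNetKSP.dll is present in System32, that CNG lists the SafeNet Key Storage Provider, and which account runs the IIS application pool the slot must be registered for. The Luna client path and the application pool name are assumptions; adjust them to your installation.

```powershell
# Added example, not Thales or Delinea/Thycotic code: pre-checks for the SafeNet KSP
# on a Secret Server node before enabling the HSM in the web UI.
# Assumptions: Luna client installed under C:\Program Files\SafeNet\LunaClient and
# the Secret Server application pool is named "SecretServer".

param(
    [string]$LunaClientDir = 'C:\Program Files\SafeNet\LunaClient',   # assumed install path
    [string]$AppPoolName   = 'SecretServer'                             # assumed app pool name
)

$failures = @()

# 1. The PKCS#11 library registered in KspConfig.exe must exist at the registered path.
$cryptoki = Join-Path $LunaClientDir 'cryptoki.dll'
if (-not (Test-Path $cryptoki)) { $failures += "cryptoki.dll not found at $cryptoki" }

# 2. CNG loads the KSP from System32; the Cloud HSM client ships the DLL separately.
$kspDll = Join-Path $env:SystemRoot 'System32\SafeNetKSP.dll'
if (-not (Test-Path $kspDll)) { $failures += 'SafeNetKSP.dll not found in System32' }

# 3. certutil -csplist enumerates the CSPs and KSPs known to Windows.
$cspList = certutil -csplist 2>&1 | Out-String
if ($cspList -notmatch 'SafeNet Key Storage Provider') {
    $failures += 'SafeNet Key Storage Provider is not registered with CNG'
}

# 4. Find the account running the Secret Server app pool. KSP slot registrations are
#    per Windows user, so this account (and NT_AUTHORITY\SYSTEM) needs the slot.
Import-Module WebAdministration -ErrorAction Stop
$pool = Get-ItemProperty "IIS:\AppPools\$AppPoolName" -Name processModel
switch ($pool.identityType) {
    'SpecificUser'            { $identity = $pool.userName }
    'ApplicationPoolIdentity' { $identity = "IIS APPPOOL\$AppPoolName" }
    default                   { $identity = $pool.identityType }
}
Write-Host "Secret Server app pool '$AppPoolName' runs as: $identity"
Write-Host 'Register the HSM slot in KspConfig.exe for this account and for NT_AUTHORITY\SYSTEM.'

# 5. List the keys the KSP exposes to the current user. After the HSM is enabled in
#    Secret Server, its RSA key should appear here when run as the app pool account.
Write-Host "`nKeys visible via the SafeNet KSP for $($env:USERDOMAIN)\$($env:USERNAME):"
certutil -csp 'SafeNet Key Storage Provider' -key 2>&1 | Write-Host

if ($failures) {
    Write-Warning ("Pre-checks failed:`n - " + ($failures -join "`n - "))
    exit 1
}
Write-Host 'KSP pre-checks passed; continue with Admin > Configuration > HSM in Secret Server.'
```

Run the script a second time as the application pool's service account: the key listing from certutil only covers the slots registered for the account executing it, which is exactly the view the Secret Server worker process will have. On the HSM side the same key can be confirmed in lunacm by logging in to the partition as Crypto Officer and listing the partition contents.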

Configure HSM

To configure the HSM for the Thycotic Secret Server integration, follow these steps:

Navigate to the Admin menu and select Configuration.

Click the HSM tab.

Click the Enable HSM option to initiate the HSM configuration process.

Click Next to continue with the configuration.

Choose SafeNet Key Storage Provider from the Persistent Provider dropdown under the HSM PROVIDERS section.

Select the RSA key size from the Key size dropdown.

Click Next. Secret Server will perform simulated encryption and decryption operations as part of the setup.

Verify whether the configuration has been successful by checking the details under the HSM PROVIDERS TEST RESULTS section.

Click Next to access the HSM VERIFY CONFIGURATION section.

Review the HSM configuration and then click Save to enable the HSM.

Click Finished after you see the message "The HSM is now enabled." under the HSM SETUP COMPLETE section.

Restart IIS to apply the configuration changes. You can now view the HSM configuration details under the HSM tab. The Secret Server encryption key is now stored on the Luna HSM partition.

Verify the key using the lunacm utility: log in to the partition as the Crypto Officer and list the partition contents; the RSA key created by Secret Server should be present.

This completes the integration of Thycotic Secret Server with Thales Luna HSM. Secrets created in Thycotic Secret Server will now use encryption keys stored within the HSM partition.

Use Case II: Integrating Luna HSM with Thycotic Secret Server Cluster

The integration of Luna HSM with Thycotic Secret Server Cluster involves two key steps:

Configure SafeNet Key Storage Provider

Configure HSM

Configure SafeNet Key Storage Provider

Perform the following steps across all the nodes of the Thycotic Secret Server Cluster:

Navigate to the directory where the SafeNet Key Storage Provider (KSP) is installed. If you are using a Luna Cloud HSM service, you'll find the KSP directory within the service client package.

Double-click KspConfig.exe to open the SafeNet KSP configuration wizard.

Within the configuration wizard, double-click Register or View Security Library in the left pane.

Click Browse and select a cryptographic library file, such as <Luna HSM Client installation directory>\cryptoki.dll.

Click Register. If you are using a Luna Cloud HSM service client, the required cryptographic libraries are typically included in the service client package. Upon successful registration, you will receive a confirmation message: Success registering the security library.

Double-click Register HSM Slots and provide the slot (partition) password.

Click Register Slot to register the slot for the Domain and Service Account that has access to the database and runs the IIS Application Pool(s) dedicated to Secret Server. On successful registration, you will receive a confirmation message: The slot was successfully and securely registered.

Register the same slot for NT_AUTHORITY\SYSTEM.

If you are using a Luna Cloud HSM service client, copy the SafeNetKSP.dll file from the service client package into the C:\Windows\System32 directory so that CNG can load the provider.

Restart the IIS to apply the configuration changes.

Configure HSM

To configure the HSM for Thycotic Secret Server Cluster integration, follow these steps on one of the cluster nodes:

Log in to Secret Server via your web browser: http://localhost:80/SecretServer.

From the Admin menu, select Configuration.

Select the HSM tab. This will guide you through selecting the HSM's CNG provider.

Click Enable HSM to initiate the configuration process.

Ensure that you have backed up the encryption.config file before proceeding with HSM activation.

Click Next to proceed.

Select SafeNet Key Storage Provider from the Persistent Provider dropdown under the HSM PROVIDERS section.

Select the RSA key size from the Key size dropdown.

Click Next. Secret Server will simulate encryption and decryption operations.

Verify whether the configuration has been successful by checking the details in the HSM PROVIDERS TEST RESULTS section.

Click Next. Review your HSM configuration under the HSM VERIFY CONFIGURATION section.

Click Save to complete the HSM setup. You will receive a message confirming that the HSM has been enabled: "The HSM is now enabled."

Click Finished and then proceed to restart the IIS to apply the configuration changes.

The HSM configuration is now saved and can be viewed via the HSM tab. The Secret Server encryption key is now stored on the Luna HSM partition.

Verify the key using the lunacm utility: log in to the partition as the Crypto Officer and list the partition contents; the RSA key created by Secret Server should be present.

Copy the encryption.config file from this node to all other nodes.

Restart the Application Pool on each node to ensure that changes take effect.

Log in to Secret Server from any node and verify that the HSM is enabled and the key identifier displayed is correct.
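The last three steps (copying encryption.config to the other nodes, restarting each node's application pool, and checking the result) are the part of the cluster procedure most often done by hand. The following PowerShell script, an added example and not Thycotic's or Thales's code, copies the file from the node where the HSM was enabled to the other nodes over PowerShell remoting, backs up each node's previous copy, verifies the copied file by SHA-256 hash, and recycles the Secret Server application pool on each node. The node names, the site root C:\inetpub\wwwroot\SecretServer and the application pool name are assumptions; WinRM must be enabled between the nodes.

```powershell
# Added example, not Thales or Delinea/Thycotic code: propagate encryption.config from the
# node where the HSM was enabled to the remaining cluster nodes and recycle their app pools.
# Assumptions: PowerShell remoting works between nodes, the Secret Server site root is
# C:\inetpub\wwwroot\SecretServer on every node, and the app pool is named "SecretServer".

param(
    [string[]]$OtherNodes = @('ss-node2', 'ss-node3'),          # assumed hostnames
    [string]$SiteRoot     = 'C:\inetpub\wwwroot\SecretServer',  # assumed site root
    [string]$AppPoolName  = 'SecretServer'                       # assumed app pool name
)

$source = Join-Path $SiteRoot 'encryption.config'
if (-not (Test-Path $source)) {
    throw "encryption.config not found at $source; enable the HSM on this node first."
}

# Hash the source once so every copy can be checked end to end.
$expected = (Get-FileHash -Path $source -Algorithm SHA256).Hash
Write-Host "Source encryption.config SHA256: $expected"

foreach ($node in $OtherNodes) {
    $session = New-PSSession -ComputerName $node -ErrorAction Stop
    try {
        # Back up the node's current file before overwriting it.
        Invoke-Command -Session $session -ScriptBlock {
            param($root)
            $target = Join-Path $root 'encryption.config'
            if (Test-Path $target) {
                Copy-Item $target "$target.bak-$(Get-Date -Format yyyyMMddHHmmss)"
            }
        } -ArgumentList $SiteRoot

        # Copy over the remoting session; no SMB share of the web root is needed.
        Copy-Item -Path $source -Destination (Join-Path $SiteRoot 'encryption.config') `
                  -ToSession $session -Force

        # Verify the hash on the remote node, then recycle the app pool so Secret Server
        # re-reads the file. Only recycle when the copy is known good.
        $ok = Invoke-Command -Session $session -ScriptBlock {
            param($root, $pool, $hash)
            $actual = (Get-FileHash -Path (Join-Path $root 'encryption.config') -Algorithm SHA256).Hash
            if ($actual -ne $hash) { return $false }
            Import-Module WebAdministration
            Restart-WebAppPool -Name $pool
            return $true
        } -ArgumentList $SiteRoot, $AppPoolName, $expected

        if ($ok) { Write-Host "${node}: encryption.config verified and app pool '$AppPoolName' restarted" }
        else     { Write-Warning "${node}: hash mismatch after copy; keep this node out of service until fixed" }
    }
    finally {
        Remove-PSSession $session
    }
}
Write-Host 'Log in to Secret Server on each node and confirm Admin > Configuration > HSM shows the same key identifier.'
```

Each target node must already have the SafeNet KSP registered for the application pool account and for NT_AUTHORITY\SYSTEM (the previous section); otherwise the restarted node cannot reach the key on the HSM that the copied encryption.config now depends on, and Secret Server on that node will fail to start cleanly.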

This completes the integration of Thycotic Secret Server Cluster with a Thales Luna Network HSM. Secrets created in Thycotic Secret Server Cluster from any node will now use encryption keys stored within the HSM partition.
