Integration with the Entrust nShield Hardware Security Module (HSM)
Apart from the default encryption method, PAM360 integrates with Entrust nShield HSM, a hardware security module, and provides an option to enable hardware-based data encryption. The integration allows you to use hardware-based data encryption for the privileged digital identities and the personal passwords stored in the PAM360 database. You can secure your data encryption key within the HSM to safeguard it locally in your environment. Through this integration, it is also possible to achieve FIPS 140-2 compliance for the privileged identities in your environment and ensure enhanced data security. PAM360 supports two modes of encryption that involve the Entrust nShield HSM:
Read further to learn how to configure them in detail.
1. Workflow Diagram
The following diagram depicts the encryption and decryption workflow between PAM360 and the Entrust nShield HSM:

2. Configuring the Entrust nShield HSM
2.1 Steps to Install the Entrust nShield HSM
Follow these steps to install and configure PAM360 with the Entrust nShield HSM.
2.1.1 Prerequisites
The following are needed for the integration:
2.2 Steps to Install the Security World Software
Note: We recommend that you uninstall any existing nShield software before installing the new nShield software.
3. Migrating to the Entrust nShield HSM Encryption
Follow the steps below to initiate the migration from PAM360 encryption to Entrust nShield HSM encryption:
Important Notes:
3.1 Steps to Configure the Entrust nShield HSM in a High Availability Setup
If you have High Availability (HA) enabled for PAM360 in your environment, you will have to reconfigure the HA setup after transitioning to the Entrust nShield HSM as your primary encryption mode. Follow the steps below to configure the Entrust nShield HSM in an HA setup:
Notes:
3.2 Steps to Rotate the HSM Key
As a security best practice, we recommend periodically rotating encryption keys. The same steps used to rotate the PAM360 encryption key work for the HSM keys as well. Click here to learn how to rotate the HSM key in both HA and non-HA setups.

4. Troubleshooting Steps
Below is a list of errors that you may encounter in the SwitchToHSM_log.txt log file if any of the values passed during the integration process are incorrect. The SwitchToHSM_log.txt file is located under <PAM360_Installation_Folder>\logs.

4.1 Exceptions
Exception #1: java.lang.NoClassDefFoundError: com/ncipher/provider/km/nCipherKM
Problem: The jar file nCipherKM.jar is not available in the directory path <PAM360_Installation_Folder>\lib.
Solution: Place the nCipherKM.jar file in the lib folder as mentioned in the step above to rectify the error.

Exception #2: error (st=DecryptFailed) : NFKM_checkpp
Problem: The Softcard passphrase provided during migration was incorrect.
Solution: Repeat the steps in section 3 with the correct Softcard passphrase.

4.2 Error
Problem: The PAM360 service does not start, and the following error is present in Wrapper.log:
Error: Exception while initializing ManageEngine PAM360 Cryptography. java.lang.Exception: Exception occurred while decrypting
Solution: The HSM key is not present in the directory path C:\ProgramData\nCipher\Key Management Data\local, as mentioned in step 3.1.
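As an added example (not PAM360's or Entrust's own tooling), the script below maps the three log signatures listed in this troubleshooting section to their documented cause and fix, and runs a pre-flight check on the two paths those fixes depend on: nCipherKM.jar under the installation folder's lib directory, and the nShield Key Management Data\local directory. The sample log lines are constructed for the demonstration, and the function and class names are assumptions of this example.

```python
"""Triage helper for the PAM360 / Entrust nShield HSM migration logs.

Hypothetical helper written for this page; it is not part of PAM360.
It (1) scans SwitchToHSM_log.txt / Wrapper.log lines for the error
signatures documented above and reports the documented fix, and
(2) checks the two prerequisites those fixes refer to before a
migration is started.
"""
import os
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Finding:
    source: str      # which log file the signature is documented for
    signature: str   # substring that identifies the error in that log
    problem: str
    solution: str


# Signatures, causes and fixes taken from the troubleshooting section.
KNOWN_ERRORS: List[Finding] = [
    Finding(
        source="SwitchToHSM_log.txt",
        signature="java.lang.NoClassDefFoundError: com/ncipher/provider/km/nCipherKM",
        problem="nCipherKM.jar is not present in <PAM360_Installation_Folder>\\lib",
        solution="Copy nCipherKM.jar into the lib folder and rerun the migration",
    ),
    Finding(
        source="SwitchToHSM_log.txt",
        signature="error (st=DecryptFailed) : NFKM_checkpp",
        problem="The Softcard passphrase given during migration was incorrect",
        solution="Repeat the section 3 steps with the correct Softcard passphrase",
    ),
    Finding(
        source="Wrapper.log",
        signature="Exception while initializing ManageEngine PAM360 Cryptography",
        problem="HSM key missing from C:\\ProgramData\\nCipher\\Key Management Data\\local",
        solution="Restore the HSM key to the Key Management Data\\local directory (step 3.1)",
    ),
]


def triage(lines: Iterable[str]) -> List[Finding]:
    """Return the documented findings whose signature occurs in the given
    log lines, de-duplicated and in first-seen order."""
    seen: List[Finding] = []
    for line in lines:
        for finding in KNOWN_ERRORS:
            if finding.signature in line and finding not in seen:
                seen.append(finding)
    return seen


def preflight(install_dir: str, kmdata_local: str) -> List[str]:
    """Check the two prerequisites the documented fixes depend on.

    install_dir  : the PAM360 installation folder (must contain lib\\nCipherKM.jar)
    kmdata_local : the nShield Key Management Data\\local directory (must hold key material)
    Returns a list of human-readable problems; an empty list means both checks passed.
    """
    problems: List[str] = []
    jar = os.path.join(install_dir, "lib", "nCipherKM.jar")
    if not os.path.isfile(jar):
        problems.append(f"missing {jar}")
    if not os.path.isdir(kmdata_local) or not os.listdir(kmdata_local):
        problems.append(f"no key material found in {kmdata_local}")
    return problems


# Constructed sample lines (not a real log) showing a wrong-passphrase run.
SAMPLE_SWITCH_LOG = [
    "[INFO] Starting migration to Entrust nShield HSM",
    "[INFO] Loading provider com.ncipher.provider.km.nCipherKM",
    "[ERROR] error (st=DecryptFailed) : NFKM_checkpp",
    "[ERROR] error (st=DecryptFailed) : NFKM_checkpp",
]


if __name__ == "__main__":
    for f in triage(SAMPLE_SWITCH_LOG):
        print(f"[{f.source}] {f.problem}\n  fix: {f.solution}")
    # Paths here are placeholders; point them at the real installation.
    for p in preflight(r"C:\ManageEngine\PAM360", r"C:\ProgramData\nCipher\Key Management Data\local"):
        print("pre-flight:", p)
```

Run it against the real SwitchToHSM_log.txt by reading the file's lines into triage(); the repeated NFKM_checkpp line in the sample is collapsed into a single finding so that a noisy log still yields one actionable item per cause.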