Integration with the Entrust nShield Hardware Security Module (HSM)
Apart from the default encryption method, Password Manager Pro integrates with Entrust nShield HSM, a hardware security module, and provides an option to enable hardware-based data encryption. The integration allows you to use hardware-based data encryption for the privileged digital identities and the personal passwords stored in the Password Manager Pro database. You can secure your data encryption key within the HSM to safeguard it locally in your environment. Through this integration, it is also possible to achieve FIPS 140-2 compliance for the privileged identities in your environment and ensure enhanced data security. Password Manager Pro supports two modes of encryption that encompass the Entrust nShield HSM:
Read further to learn how to configure them in detail.
1. Workflow Diagram
The workflow diagram depicting the encryption and decryption workflow between Password Manager Pro and the Entrust nShield HSM is as follows:

2. Configuring the Entrust nShield HSM
2.1 Steps to Install the Entrust nShield HSM
Follow these steps to install and configure Password Manager Pro with the Entrust nShield HSM.
2.1.1 Prerequisites
The following are needed for the integration:
2.2 Steps to Install the Security World Software
Note: We recommend that you uninstall any existing nShield software before installing the new nShield software.
3. Migrating to the Entrust nShield HSM Encryption
Follow the steps below to initiate the migration from Password Manager Pro encryption to the Entrust nShield HSM encryption:
Important Notes:
3.1 Steps to Configure the Entrust nShield HSM in a High Availability Setup
If you have High Availability (HA) enabled for Password Manager Pro in your environment, you will have to reconfigure the HA setup after transitioning to the Entrust nShield HSM as your primary encryption mode. Follow the steps below to configure the Entrust nShield HSM in an HA setup:
Notes:
3.2 Steps to Rotate the HSM Key
As a security best practice, we recommend periodically rotating encryption keys. The same steps used to rotate the Password Manager Pro encryption key work for the HSM key as well. Click here to learn how to rotate the HSM key in both HA and non-HA setups.

4. Troubleshooting Steps
Below is a list of errors that you may encounter in the SwitchToHSM_log.txt log file if any of the values passed during the integration process are incorrect. The SwitchToHSM_log.txt file is located under the directory path <Password Manager Pro_Installation_Folder>\logs.

4.1 Exceptions
Exception #1: java.lang.NoClassDefFoundError: com/ncipher/provider/km/nCipherKM
Problem: The jar file nCipherKM.jar is not available in the directory path <Password Manager Pro_Installation_Folder>\lib.
Solution: Place the nCipherKM.jar file in the lib folder as mentioned in the step above to rectify the error.

Exception #2: error (st=DecryptFailed) : NFKM_checkpp
Problem: The Softcard passphrase provided during migration was incorrect.
Solution: Repeat the steps in section 3 with the correct Softcard passphrase.

4.2 Error
Problem: The Password Manager Pro service does not start, and the following error is present in the Wrapper.log: Error: Exception while initializing ManageEngine Password Manager Pro Cryptography. java.lang.Exception: Exception occurred while decrypting
Solution: The HSM key is not present in the directory path C:\ProgramData\nCipher\Key Management Data\local as mentioned in step 3.1.
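A small diagnostic script, added here as an example and not part of Password Manager Pro or the nShield software, that scans SwitchToHSM_log.txt and Wrapper.log lines for the three error signatures listed above and reports the documented cause and remedy, and that checks the two filesystem prerequisites the section names (nCipherKM.jar in the lib folder, the nShield key directory). The sample log lines are constructed, and since the key file name inside Key Management Data\local is not given here, only the directory's presence and non-emptiness are checked.

```python
import re
from pathlib import Path

# Failure signatures from the troubleshooting section above: (log file, regex,
# documented cause, documented remedy). Regexes are matched line by line.
SIGNATURES = [
    ("SwitchToHSM_log.txt",
     r"NoClassDefFoundError: com/ncipher/provider/km/nCipherKM",
     "nCipherKM.jar is missing from <Password Manager Pro_Installation_Folder>\\lib",
     "place nCipherKM.jar in the lib folder and rerun the migration"),
    ("SwitchToHSM_log.txt",
     r"\(st=DecryptFailed\).*NFKM_checkpp",
     "the Softcard passphrase supplied during migration was incorrect",
     "repeat the section 3 steps with the correct Softcard passphrase"),
    ("Wrapper.log",
     r"Exception while initializing ManageEngine Password Manager Pro Cryptography",
     "the HSM key is not present under C:\\ProgramData\\nCipher\\Key Management Data\\local",
     "restore the HSM key to that directory as described in step 3.1"),
]

# Constructed sample log lines (not real Password Manager Pro output).
SAMPLE_SWITCH_LOG = [
    "[10:00:01] INFO   Starting migration to Entrust nShield HSM encryption",
    "[10:00:02] SEVERE java.lang.NoClassDefFoundError: com/ncipher/provider/km/nCipherKM",
    "[10:05:10] SEVERE error (st=DecryptFailed) : NFKM_checkpp",
]
SAMPLE_WRAPPER_LOG = [
    "INFO  | jvm 1 | Starting ManageEngine Password Manager Pro",
    "ERROR | jvm 1 | Error: Exception while initializing ManageEngine Password "
    "Manager Pro Cryptography. java.lang.Exception: Exception occurred while decrypting",
]

def diagnose(log_name, lines):
    """Return (cause, remedy) pairs for every documented signature found in lines."""
    return [(cause, remedy) for name, pattern, cause, remedy in SIGNATURES
            if name == log_name and any(re.search(pattern, ln) for ln in lines)]

def preflight(install_dir, key_dir):
    """Check the two filesystem prerequisites named in the troubleshooting section.
    Assumption: the key file name is unspecified, so an absent/empty key_dir is reported."""
    problems = []
    if not (Path(install_dir) / "lib" / "nCipherKM.jar").is_file():
        problems.append("nCipherKM.jar not found in lib")
    kd = Path(key_dir)
    if not kd.is_dir() or not any(kd.iterdir()):
        problems.append("HSM key directory missing or empty")
    return problems
```

Run diagnose() over the real log files' lines (for example, Path(...).read_text().splitlines()) and preflight() with your installation folder and the Key Management Data\local path before opening a support case.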
©2024, ZOHO Corp. All Rights Reserved.