Creating an HSM connector

After you have completed the necessary preconfiguration requirements, you can create the HSM connector in the CyberArk Configuration Console. The HSM connector provides the information required to access encryption keys in Trust Protection Foundation. Trust Protection Foundation supports HSM connectors that use the PKCS#11 standard (the Cryptoki API).

To create an HSM connector

  1. On the CyberArk Trust Protection Foundation server, open the CyberArk Configuration Console, and open the Connectors node.
  2. In the Actions panel, click Create HSM Connector.
  3. (Conditional) If requested, enter your CyberArk Trust Protection Foundation administration credentials.
  4. Enter data into the fields, as described below.

    Name
        Name of the HSM connector. Use something descriptive so you can identify it later.

    Cryptoki DLL Path
        Trust Protection Foundation requires access to the 64-bit version of the Cryptoki DLL.

        For SafeNet Luna SA devices, this is the path to the cryptoki.dll file.

        For Entrust nShield Connect HSM devices, this is the path to the cknfast.dll file.

        After selecting the DLL, click Load Slots. Trust Protection Foundation queries the HSM and returns the available slots.

        IMPORTANT  Trust Protection Foundation requires the path to the DLL file to initialize the connection to the HSM device. This path is used by all Trust Protection Foundation servers in the cluster (those connected to the same database), so every server in the cluster must have its DLL file in the same location.

    Slot
        Slot ID of the HSM partition where Trust Protection Foundation should access the encryption keys.

        NOTE  Although slot numbers are listed in the drop-down list, Trust Protection Foundation does not depend on them. It identifies HSM partitions by label first and, if labels are duplicated, falls back to the serial number.

    User Type
        User type required to access the HSM keys on the designated partition (Slot ID).

        The designated User Type must have sufficient permissions to use the keys in the Encryption Driver's Permitted Keys list.

    Pin
        PIN, if one is required to access the HSM.

        If you use Entrust nShield token protection, leave the field empty.

        If you are setting up AWS CloudHSM, the PIN must be in the format <CU_user_name>:<password>.

    Permitted Keys
        A list of keys that the Trust Protection Foundation servers can use to encrypt and decrypt data. The keys listed are the ones that can be used to encrypt data stored in the Trust Protection Foundation Secret Store.

    Allow Key Storage
        Tells Trust Protection Foundation whether this HSM can be used to generate and store new private keys associated with Code Signing certificates.

        NOTE  This feature is available only for CyberArk Code Sign Manager - Self-Hosted and requires Advanced Key Protect.

    New Key (button)
        Click this button to generate a new AES 256-bit symmetric key on the HSM.

  5. Click Verify.
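Two checks worth running before Load Slots and Verify, as an added Python example that is not CyberArk's code and not part of this documentation: the first confirms a Cryptoki DLL is a 64-bit PE image by reading its COFF Machine field, the second resolves a slot the way the note above describes, by token label first and by serial number only when labels collide. The PE bytes and the token list are constructed inline; in practice the token list would come from C_GetSlotList and C_GetTokenInfo.

```python
"""Added pre-flight checks for a PKCS#11 HSM connector (example code, not
CyberArk's): confirm a Cryptoki DLL is x64 and pick a slot by label/serial."""
import struct

IMAGE_FILE_MACHINE_AMD64 = 0x8664  # COFF Machine value for x64 PE images
IMAGE_FILE_MACHINE_I386 = 0x014C   # COFF Machine value for 32-bit x86


def is_64bit_pe(data: bytes) -> bool:
    """True if `data` is a PE image built for x64: follow e_lfanew (offset
    0x3C) to the 'PE\\0\\0' signature and read the COFF Machine field."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if len(data) < e_lfanew + 6 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return machine == IMAGE_FILE_MACHINE_AMD64


def resolve_slot(tokens, label, serial=None):
    """Slot id of the token labelled `label`; `tokens` is a list of
    {"slot", "label", "serial"} dicts (what C_GetSlotList + C_GetTokenInfo
    yield). Duplicate labels are disambiguated by `serial`, else LookupError."""
    by_label = [t for t in tokens if t["label"] == label]
    if not by_label:
        raise LookupError(f"no token labelled {label!r}")
    if len(by_label) == 1:
        return by_label[0]["slot"]
    by_serial = [t for t in by_label if t["serial"] == serial]
    if len(by_serial) != 1:
        raise LookupError(f"label {label!r} is duplicated; serial required")
    return by_serial[0]["slot"]


def _fake_pe(machine: int) -> bytes:
    """Constructed 70-byte minimal PE header (not a real DLL): DOS stub whose
    e_lfanew points at 0x40, then the PE signature and Machine field."""
    return (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
            + b"PE\0\0" + struct.pack("<H", machine))


SAMPLE_X64_DLL = _fake_pe(IMAGE_FILE_MACHINE_AMD64)
SAMPLE_X86_DLL = _fake_pe(IMAGE_FILE_MACHINE_I386)
# Constructed token list: two partitions share a label, the case the note covers.
SAMPLE_TOKENS = [
    {"slot": 0, "label": "tpp-keys", "serial": "1234567890"},
    {"slot": 1, "label": "tpp-keys", "serial": "0987654321"},
    {"slot": 2, "label": "codesign", "serial": "1122334455"},
]
```

For a real deployment, run is_64bit_pe on the DLL at the configured path on every server in the cluster, since the path must be identical on all of them.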

These steps only create the connector between CyberArk Trust Protection Foundation - Self-Hosted and the HSM. When you are ready, enable the connector in Policy Tree: on the Policy root node, click the Certificate tab and, in the Other Information section, select your connector in the Encryption Key field.

WARNING!  Don't change the Encryption Key field in Policy Tree until the HSM configuration has been installed and tested on every server in your cluster.

Once the HSM connector has been added and the connection has been verified, we recommend reviewing the post-installation steps.