Integrating Secret Server with a SafeNet HSM

To integrate Delinea Secret Server with the SafeNet HSM, complete the following steps in each section.

Task 1: Setting up Secret Server

Install Delinea Secret Server on the target machine. See Installation for detailed installation instructions.

Task 2: Configuring the SafeNet KSP

To configure the SafeNet Key Storage Provider (KSP):

  1. Go to the SafeNet HSM Client installation Directory\KSP directory. If using an HSMoD service, the KSP folder is available in the service client package.
  2. Double-click KspConfig.exe. The SafeNet KSP configuration wizard displays.
  3. Double-click Register or View Security Library on the left side of the pane.
  4. Click Browse.
  5. Select a cryptographic library, such as SafeNet HSM Client installation Directory\cryptoki.dll.
  6. Click Register.
  7. If using an HSMoD service, the cryptographic libraries are available in the service client package. On successful registration, a message "Success registering the security library" displays.
  8. Double-click Register HSM Slots on the left side of the pane.
  9. Type the Slot (Partition) password.
  10. Click Register Slot to register the slot for Domain\User. On successful registration, a message "The slot was successfully and securely registered" displays.
      Capitalization matters. The KSP user and Secret Server IIS application pool user should match exactly.
  11. Register the same slot for NT_AUTHORITY\SYSTEM.
  12. If using the HSMoD service, place SafeNetKSP.dll in C:\Windows\System32.
  13. Restart IIS after registering the KSP for the changes to take effect.
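
The following pre-flight check is an added example, not part of the original guide: it confirms that the provider is registered with Windows and that the IIS application pool identity matches the registered slot user, including capitalization. The function name `Test-KspPrerequisite`, the app pool name `SecretServer` and the account `EXAMPLE\svc_ss` are assumptions; substitute your own values.

```powershell
# Added example: run in an elevated session on the Secret Server web server
# after Task 2. Function name and default values are hypothetical.
function Test-KspPrerequisite {
    param(
        [string]$AppPoolName    = 'SecretServer',    # assumption: your IIS app pool name
        [string]$RegisteredUser = 'EXAMPLE\svc_ss',  # placeholder: Domain\User registered in KspConfig.exe
        [string]$ProviderName   = 'SafeNet Key Storage Provider',
        [switch]$HSMoD                               # set when using the HSMoD service
    )
    Import-Module WebAdministration -ErrorAction Stop
    $problems = @()

    # The KSP must be visible to Windows; certutil lists every registered provider.
    $providers = certutil.exe -csplist 2>&1 | Out-String
    if ($providers -notmatch [regex]::Escape($ProviderName)) {
        $problems += "'$ProviderName' is not listed by certutil -csplist."
    }

    # HSMoD only: the guide places SafeNetKSP.dll in C:\Windows\System32.
    if ($HSMoD -and -not (Test-Path "$env:SystemRoot\System32\SafeNetKSP.dll")) {
        $problems += 'SafeNetKSP.dll is missing from System32.'
    }

    # The app pool identity must equal the registered slot user, case included.
    $poolPath = "IIS:\AppPools\$AppPoolName"
    if (-not (Test-Path $poolPath)) {
        $problems += "Application pool '$AppPoolName' was not found."
    } else {
        $model = (Get-ItemProperty $poolPath).processModel
        if ($model.identityType -ne 'SpecificUser') {
            $problems += "Pool runs as $($model.identityType), so it cannot match '$RegisteredUser'."
        } elseif ($model.userName -cne $RegisteredUser) {   # -cne compares case-sensitively
            $kind = if ($model.userName -ieq $RegisteredUser) { 'differs only in capitalization from' }
                    else { 'does not match' }
            $problems += "Pool user '$($model.userName)' $kind '$RegisteredUser'."
        }
    }

    if ($problems.Count -eq 0) { Write-Host 'OK: KSP prerequisites look consistent.' }
    else { $problems | ForEach-Object { Write-Warning $_ } }
    return ($problems.Count -eq 0)
}

Test-KspPrerequisite -AppPoolName 'SecretServer' -RegisteredUser 'EXAMPLE\svc_ss'
```

The function returns `$true` only when every check passes, so it can gate the IIS restart in a deployment script.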

Task 3: Enabling the HSM

  1. Go to the Admin menu and click Configuration.
  2. Select the HSM tab. This starts the HSM wizard, which guides the process of selecting the HSM’s CNG provider.
  3. Click Enable HSM.
  4. The HSM Setup screen displays providing information about HSM integration.
  5. Click Next.
  6. Select SafeNet Key Storage Provider from the Persistent Provider drop-down box under the HSM Providers section.
  7. Select the key size of RSA from the Key size drop-down box.
  8. Click Next. Once SafeNet Key Storage Provider is selected, Secret Server simulates encryption and decryption operations.
  9. Verify the results to ensure it is functioning properly.
  10. The HSM Providers Test Results section shows the result Success.
  11. Click Next.
  12. The HSM Verify Configuration page displays. Review HSM configuration.
  13. Click Save.
  14. The HSM Setup Complete page displays the message "The HSM is now enabled."
  15. Click Finished.

Task 4: Verifying the Integration

  1. Restart IIS for the configuration changes to take effect. The HSM configuration is saved and can now be viewed under the HSM tab.
  2. The Secret Server encryption key is now stored on the SafeNet HSM partition.
  3. Verify the key using the lunacm utility. This completes the integration of Delinea Secret Server with SafeNet Luna HSM or SafeNet Data Protection on Demand Service.