Steps to configure SafeNet KeySecure Server and Centrify Privilege Service to store account passwords on-premise
Applies to: All versions of Centrify Privilege Service (CPS)
How to configure SafeNet KeySecure Server with Centrify so that CPS account passwords can be stored in an on-premise SafeNet KeySecure appliance?
(Note: This Knowledge Article assumes that a new local CA will be created in the SafeNet KeySecure appliance and that the client certificate created by the Centrify cloud service will be used for the secure communication between KeySecure and the Centrify cloud connector. Please skip the related steps below if an existing CA and an existing client certificate will be used.)
On the SafeNet KeySecure Management side:
1) Login to the SafeNet KeySecure Management Console
2) Create a local Certificate Authority to generate certificates
Under the "Security" tab -> Click the "Local CAs" option -> Fill in the necessary information to create the local certificate authority -> Click "Create"
3) Now add the newly created Certificate Authority to the "Trusted CA List"
Select the "Default" profile and click "Edit" -> Move the newly created local Certificate Authority from the Available CAs to the Trusted CAs list on the left -> Save
4) Go to "SSL Certificates" to create the server certificate that the SafeNet KeySecure will use to authenticate to Centrify
Fill in the necessary information to create the certificate -> Click "Create Certificate Request"
5) Locate the newly created Certificate Request under Certificate List (status should be "Pending" - will be signed in Step 6)
Click into the certificate -> copy the certificate information
6) Go back to "Local CAs" to sign the Certificate Request with the request information obtained in Step 5 above.
Select the newly created CA -> Select "Sign Request" -> Select the Certificate Purpose as "Server" -> Paste the certificate information into the "Certificate Request" box -> Click "Sign Request"
7) Install the signed certificate under "SSL Certificates"
Copy the signed certificate information from Step 6 -> Under "SSL Certificates" -> Select the "Request Pending" certificate -> Click "Install Certificate" -> Paste the signed certificate information into the box -> "Save"
8) Add a Key Server instance under the "Key Server" tab
Under the "Devices" tab -> "Key Server" -> Click "Add" -> Select "KMIP" and enter a new port number -> Enable SSL with the certificate just created
9) Download the "Trusted Root CA Certificate" under "Security" tab
Select "Local CAs" -> Select the Certificate -> Click "Download"
On the Centrify Privilege Manager side:
1) Configure the SafeNet KeySecure under "Password Storage"
Under the "Settings" tab -> "Password Storage" -> Click "Configuration Settings for SafeNet KeySecure" to be redirected to Cloud Manager
2) Paste in the IP address or DNS hostname (copy it from the URL in the browser when accessing the SafeNet Management Console) and type in the port number specified in Step 8 above
3) Upload the CA root certificate downloaded in Step 9 above (NOTE: the original .crt file was renamed to .cer)
4) Download the client certificate issued by Centrify Cloud
Click "Download" Button -> Open the file with text editor -> Copy the certificate data
5) Go back to the SafeNet configuration, under "Known CAs"
Type in a certificate name and paste the certificate data into the "Certificate" box -> Click "Install"
6) Go to "Trusted CA Lists" to trust the newly installed certificate
Select "Default" profile and then click "Edit" -> Add the recently installed certificate under the Available CAs to the Trusted CAs List on the left -> Save
7) Go back to Cloud Manager and save the settings
8) Click the "Test Connection" button to verify the configuration (if it returns "Server Unavailable", see the troubleshooting notes below to check whether they apply)
9) To enable the KeySecure feature:
Go to Centrify Privilege Manager -> Under the "Settings" tab -> "Password Storage" -> Enable the "SafeNet KeySecure Appliance" button
After enabling, all new account passwords will be stored in the SafeNet KeySecure Appliance. This can be verified by creating a new account in the CPS portal; the password will then show in SafeNet KeySecure Management Console > Security tab > Keys.
Click "Migrate Passwords" to migrate all existing passwords to the SafeNet KeySecure Appliance.
When troubleshooting, if an error message similar to "Security Settings do not allow global key usage" appears in the SafeNet activity log ("Device" tab -> "Activity"), as shown below:
Make sure that under the "Security" tab -> "High Security", the "Disable Creation and use of Global Keys" option is unchecked.
When that option is checked, the appliance blocks client certificate authentication unless the password authentication setting is set to "Required". Any application on this SafeNet appliance that uses server/client certificate authentication needs the "Required" setting. This is not a CPS requirement; CPS fails because the SafeNet appliance failed to authenticate the CPS request.
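The "Test Connection" button in Step 8 reports only success or "Server Unavailable". As an added example (not part of this Knowledge Article or of any Centrify or SafeNet tooling), the following shell functions reproduce the TLS half of that check from an administrator's workstation with openssl: fetch the certificate the KMIP listener (Step 8 of the SafeNet side) presents, confirm it chains to the root CA file downloaded in Step 9, and confirm that the renamed .cer file is still a PEM certificate before uploading it. The hostname, port and file names are placeholders; the functions assume openssl is on the PATH.

```shell
#!/bin/sh
# Added example, not from the Centrify article. Hostname, port and file
# names are placeholders; adjust to the values entered in Steps 8 and 9.

# Fetch the certificate presented by the KMIP listener and save it as PEM.
# </dev/null closes the session right after the TLS handshake.
fetch_kmip_server_cert() {
    host="$1"; port="$2"; out="$3"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$out"
}

# Verify that a server certificate chains to the downloaded root CA.
# Returns 0 when the chain validates (what the cloud connector needs),
# non-zero when the KMIP listener is using a certificate signed elsewhere.
verify_server_cert_against_ca() {
    ca_file="$1"; server_cert="$2"
    openssl verify -CAfile "$ca_file" "$server_cert" >/dev/null 2>&1
}

# Check that the file to be uploaded really is a PEM certificate.
# Renaming .crt to .cer changes only the extension, not the encoding,
# so this catches a DER or key file handed over by mistake.
is_pem_certificate() {
    grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null \
        && openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# Print the subject of a certificate, to confirm the right CA was downloaded.
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Usage (placeholders):
#   fetch_kmip_server_cert keysecure.example.internal 5696 kmip-server.pem
#   verify_server_cert_against_ca keysecure-root.cer kmip-server.pem && echo "chain OK"
#   is_pem_certificate keysecure-root.cer && cert_subject keysecure-root.cer
```

If the chain check fails while "Test Connection" also fails, the problem is on the server certificate side (Steps 4 to 8 of the SafeNet procedure) rather than the global-keys setting described in the troubleshooting note; if the chain validates but the connection still fails, the client certificate trust (Steps 4 to 6 on the Centrify side) or the global-keys setting is the next thing to check.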