
KB-5983: How to configure SafeNet KeySecure Server and Centrify Privilege Service to store account passwords on-premise

Centrify Privilege Service

18 December 2015 at 07:40 AM

Applies to: All versions of Centrify Privilege Service (CPS)

Question: 

How do I configure SafeNet KeySecure Server with Centrify so that CPS account passwords can be stored in an on-premise SafeNet KeySecure appliance?

Answer: 

(Note: This Knowledge Article assumes that a new local CA will be created in the SafeNet KeySecure appliance and that the client certificate created by the Centrify cloud service will be used for secure communication between KeySecure and the Centrify cloud connector. Skip the related steps below if an existing CA and an existing client certificate will be used.)

On the SafeNet KeySecure Management side:

1) Log in to the SafeNet KeySecure Management Console

2) Create a local Certificate Authority to generate certificates
  • Under the "Security" tab -> click "Local CAs" -> fill in the information needed to create the local certificate authority -> click "Create"

3) Add the newly created Certificate Authority to the "Trusted CA List"
  • Select the "Default" profile and click "Edit" -> move the newly created local Certificate Authority from "Available CAs" to the "Trusted CAs" list on the left -> Save

4) Go to "SSL Certificates" to create the server certificate that SafeNet KeySecure will use to authenticate to Centrify
  • Fill in the information needed for the certificate -> click "Create Certificate Request"

5) Locate the newly created Certificate Request under "Certificate List" (its status should be "Pending"; it is signed in Step 6)
  • Click into the certificate -> copy the certificate request text

6) Go back to "Local CAs" and sign the Certificate Request using the request text copied in Step 5.
  • Select the newly created CA -> select "Sign Request" -> set the Certificate Purpose to "Server" -> paste the request text into the "Certificate Request" box -> click "Sign Request"

7) Install the signed certificate under "SSL Certificates"
  • Copy the signed certificate text -> under "SSL Certificates" select the certificate with status "Request Pending" -> click "Install Certificate" -> paste the signed certificate text into the box -> "Save"

8) Add a Key Server instance under the "Key Server" tab
  • Under the "Devices" tab -> "Key Server" -> click "Add" -> select "KMIP" and enter a new port number -> enable SSL using the certificate just created

9) Download the "Trusted Root CA Certificate" under the "Security" tab
  • Select "Local CAs" -> select the certificate -> click "Download"

On the Centrify Privilege Manager side:

1) Configure SafeNet KeySecure under "Password Storage"
  • Under the "Settings" tab -> "Password Storage" -> click "Configuration Settings for SafeNet KeySecure" to be redirected to Cloud Manager

2) Paste in the IP address or DNS hostname (copy it from the browser URL used to access the SafeNet Management Console) and type in the port number specified for the KMIP Key Server in Step 8 above


3) Upload the CA root certificate downloaded in Step 9 above (NOTE: the original .crt file was renamed to .cer)

4) Download the client certificate issued by Centrify Cloud
  • Click the "Download" button -> open the file in a text editor -> copy the certificate data
5) Go back to the SafeNet Management Console, under "Known CAs"
  • Type in a certificate name and paste the certificate data into the "Certificate" box -> click "Install"


6) Go to "Trusted CA Lists" to trust the newly installed certificate
  • Select the "Default" profile and click "Edit" -> move the newly installed certificate from "Available CAs" to the "Trusted CAs" list on the left -> Save

7) Go back to Cloud Manager and save the settings


8) Click the "Test Connection" button to verify the configuration (if it returns "Server Unavailable", see the Notes below for a possible cause)


9) To enable the KeySecure feature:
  • In Centrify Privilege Manager -> under the "Settings" tab -> "Password Storage" -> enable the "SafeNet KeySecure Appliance" button
  • After enabling, all new account passwords will be stored in the SafeNet KeySecure Appliance. This can be verified by creating a new account in the CPS portal; the stored password will then appear in the SafeNet KeySecure Management Console > Security tab > Keys

  • Click "Migrate Passwords" to migrate all existing passwords to SafeNet KeySecure Appliance


Notes:
  • When troubleshooting, if an error message similar to "Security Settings do not allow global key usage" appears in the SafeNet activity log ("Device" tab -> "Activity"):

  • Make sure that under the "Security" tab -> "High Security", the "Disable Creation and use of Global Keys" option is unchecked.

  • When that option is checked, it prevents client certificate authentication unless the Password Authentication setting is set to "Required". Any application on this SafeNet appliance that uses server/client certificate authentication needs that "Required" setting. This is not a CPS requirement; CPS fails because the SafeNet appliance fails to authenticate the CPS request.
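The certificate steps on the SafeNet side (local CA, server CSR, signing with the "Server" purpose) and the chain check that "Test Connection" implicitly performs, reproduced as an added openssl example that is not part of the original article or of the SafeNet/Centrify products. The lab names, the hostname and the mapping of KeySecure's "Server" purpose to the serverAuth extended key usage are assumptions.

```shell
#!/bin/sh
# Added example (not from the Centrify article): rebuild Steps 2, 4 and 6 of the
# SafeNet side (local CA, server CSR, signing) with openssl in a scratch dir,
# then check a root CA file the way a practitioner would before trusting a
# "Server Unavailable" result from "Test Connection". Assumes openssl is on
# PATH; every name below is a constructed lab value.
set -eu

# Succeeds if FILE is a PEM certificate marked CA:TRUE, which is what the
# "Trusted Root CA Certificate" from Step 9 must be (renaming .crt to .cer in
# Centrify Step 3 does not change the PEM content).
is_root_ca() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Succeeds if CERT was issued by the CA in CAFILE and is usable as a TLS server
# certificate. The KeySecure "Server" certificate purpose from Step 6 is
# assumed here to correspond to the serverAuth extended key usage.
chains_to_ca() {
  openssl verify -purpose sslserver -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build a throwaway PKI in DIR: two unrelated local CAs plus one server
# certificate signed by the first, so both the pass and the fail case can run.
build_lab_pki() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$d/server.ext"
  for ca in ca other-ca; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$ca.key" \
      -subj "/CN=KeySecure Local CA $ca" -out "$d/$ca.csr" 2>/dev/null
    openssl x509 -req -in "$d/$ca.csr" -signkey "$d/$ca.key" -days 1 \
      -extfile "$d/ca.ext" -out "$d/$ca.pem" 2>/dev/null
  done
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/server.key" \
    -subj "/CN=keysecure.lab.example" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -extfile "$d/server.ext" -out "$d/server.pem" 2>/dev/null
}

LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT
build_lab_pki "$LAB"
is_root_ca "$LAB/ca.pem" && echo "ca.pem: CA:TRUE, usable as the trusted root"
chains_to_ca "$LAB/ca.pem" "$LAB/server.pem" && echo "server.pem: chains to ca.pem"
chains_to_ca "$LAB/other-ca.pem" "$LAB/server.pem" || echo "server.pem: not issued by other-ca.pem (expected failure)"
```

Against a real appliance, point `chains_to_ca` at the .cer uploaded in Centrify Step 3 and at the certificate the KMIP port presents (for example captured with `openssl s_client -connect host:port -showcerts`); a failure there explains a "Server Unavailable" result without touching the global-key setting.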
