If you want to store account passwords in SafeNet KeySecure, you must first install the appliance by following the instructions in the KeySecure Installation and Configuration Guide. As part of the initialization process, you will have created an admin account and specified the IP address, subnet mask, default gateway, host name, and port number for connecting to KeySecure. You should take note of the IP address or fully-qualified domain name and port number used for the appliance.
You can use the following SafeNet KeySecure models to provide centralized key management and store passwords for the Privileged Access Service:
- SafeNet KeySecure K460
- SafeNet KeySecure K450
- SafeNet KeySecure K250
- Virtual KeySecure Key Management
Interoperability between the Privileged Access Service and the KeySecure appliance requires the Key Management Interoperability Protocol (KMIP), version 1.1, the KeySecure appliance operating system version 8.1 or 8.2, and ProtectApp version 8.1. Note that these are the basic integration requirements. You should check the release notes for any additional or updated requirements before proceeding.
Note that you must have the SafeNet KeySecure appliance installed and configured in your environment and available on the network before configuring it for storage of Privileged Access Service passwords.
After the initialization process is complete, you must configure KeySecure with at least one server certificate for communication between KeySecure and the Centrify connector. To generate a valid server certificate, you must have a certificate authority (CA) sign the certificate request. You can create a local CA certificate for KeySecure using its management console, then use the local CA certificate to sign the certificate requests. If you don’t create a local certificate authority, you must use an external certificate authority to sign certificate requests.
To prepare for password storage in KeySecure, you need to do the following:
- Create or identify the certificate authority (CA) certificate
- Create or identify a KeySecure server certificate
- Create a key server instance
- Select the client certificate to use for the connector
Consult with your SafeNet KeySecure administrator or security officer to create or identify the KeySecure server certificate and client certificate to use with the connector. You can use any standard PKCS 12-compliant package, such as makecert or openssl, to create the certificates to use with the connector. Alternatively, you can use the Centrify-issued client certificate for the connector. If you use the Centrify-issued client certificate, you must download and import the Centrify CA certificate to enable two-way authentication between the KeySecure appliance and the Centrify connector.
The following figure provides an overview of the certificates required.
For complete information about installing and configuring a SafeNet KeySecure hardware security appliance, see the KeySecure Installation and Configuration Guide.