
Beyond Insight

General Information

This BeyondTrust BeyondInsight integration guide was prepared using the software and firmware versions below:

  • Windows Server 2019/2022
  • BeyondInsight 22.2.2.109/22.3.0.1270/24.1.2.1398
  • HSM DINAMO with FW 5.1.0
  • DINAMO CLIENT in version 4.10.2

Requirements:

  1. Connectivity with the HSM (TCP port 4433).
  2. HSM client software installed on the BeyondInsight server (see Windows topic).
  3. HSM service started.
  4. Credentials of the HSM partition that will be used by BeyondInsight.

Integration with BeyondInsight

The integration between BeyondInsight and HSM is done using the PKCS#11 library.

HSM settings

Integration with the application is carried out using the PKCS#11 library (more information in PKCS#11).

  1. Configure the PKCS#11 parameters with the partition's credentials on the DINAMO Console (DINAMOcon). On the start screen, select Local settings.

    Image: Console home screen

  2. On the next screen, select the HSM option in the left-hand sidebar, enter the credentials of the partition that will be used by BeyondInsight and click Apply.

    Image: HSM tab

Settings in BeyondInsight

  1. Open the BeyondInsight Configuration tool:

    Start > Apps > eEye Digital Security > BeyondInsight Configuration.

  2. Click Configure HSM Credentials in the right-hand sidebar.

    Image: BeyondInsight Configuration

  3. In the Configure HSM Credentials window, select:

    Edit > Add New HSM Credential.

    Image: HSM Credentials

  4. Enter the HSM settings:

    • 32-bit Driver Path: Usually located in: C:\Program Files\Dinamo Networks\HSM Dinamo\sdk\32-bit\tacndp11.dll.

    • 64-bit Driver Path: Usually located in: C:\Program Files\Dinamo Networks\HSM Dinamo\sdk\c\tacndp11.dll.

    • Slot: On the DINAMO HSMs there is only one slot. Select: Dinamo HSM (0).

    • Key Name: Key label. Any name can be used as long as it is unique (e.g. keytest).

    • Description: Information about the key.

    • PIN: Password for the partition configured in the previous step.

  5. Click on Save.

Tests

To test connectivity with the HSM, click on Test Active Credential in the Configure HSM Credentials window. A success message will be displayed if the connection was successful.

Image: HSM Connected

You can follow the BeyondInsight service opening its session on the HSM, and its subsequent use of the symmetric key, with the log monitoring tool of the remote console (hsmcon).

HSM logs
Dinamo - Remote Management Console v. 4.7.33.0 2018 (c) Dinamo Networks

HSM 10.61.53.64 e - Engine 5.0.28.0 (DST) - TCA0000000  - ID master

HSM - Logs - Follow

Press Control+C to exit...


2022/10/17 20:34:35 0000C42C 000B3E0D EDC1CCA3 e-conn: 10.61.53.205|10.61.53.205 10.61.53.64:4433 -
2022/10/17 20:34:35 0000C42D 000B3E10 CDEF55B7 e-conn: 10.61.53.205|10.61.53.205 10.61.53.64:4433 -
2022/10/17 20:34:35 0000C42D 000B3E11 000A3309 session thread down [4]|10.61.53.205 10.61.53.64:4433 -
2022/10/17 20:34:42 0000C42E 000B3E12 000A3309 session thread up [5]
2022/10/17 20:34:42 0000C42E 000B3E13 FAED60C4 10.61.53.205 auth try, c: 39, tls: y, 5|10.61.53.205 10.61.53.64:4433 -
2022/10/17 20:34:42 0000C42E 000B3E14 FAED60C4 beyondtrust auth init, c: 39|10.61.53.205 10.61.53.64:4433 -
2022/10/17 20:34:42 0000C42E 000B3E15 FAED60C4 beyondtrust auth ok, 10.61.53.205, 5|10.61.53.205 10.61.53.64:4433 -
                                               ^^^^^^^^^^^ # (1)!
2022/10/17 20:34:46 0000C42E 000B3E17 FAED60C4 e-conn: 10.61.53.205|10.61.53.205 10.61.53.64:4433 -
2022/10/17 20:35:10 0000C423 000B3E2F 02C2DA21 f-sym: beyondtrust/518bf6106ecefb, 82, 0010, 0160|10.61.53.205 10.61.53.64:4433 beyondtrust
                                                      ^^^^^^^^^^^ ^^^^^^^^^^^^ # (2)!
2022/10/17 20:35:10 0000C423 000B3E30 02C2DA21 f-sym: beyondtrust/518bf6106ecefb, 82, 0010, 0160|10.61.53.205 10.61.53.64:4433 beyondtrust
2022/10/17 20:35:10 0000C423 000B3E31 02C2DA21 f-sym: beyondtrust/518bf6106ecefb, 02, 0010, 0160|10.61.53.205 10.61.53.64:4433 beyondtrust
2022/10/17 20:36:49 0000C423 000B3E4B 02C2DA21 e-conn: 10.61.53.205|10.61.53.205 10.61.53.64:4433 beyondtrust
2022/10/17 20:36:49 0000C423 000B3E4C 000A3309 session thread down [4]|10.61.53.205 10.61.53.64:4433 beyondtrust
  1. Log entry for account authentication
  2. Log entries for use of the key

128-bit AES key generated by BeyondInsight in HSM:

AES key in the console
Dinamo - Remote Management Console v. 4.7.33.125 2018 (c) Dinamo Networks

HSM 10.61.53.64 e - Engine 5.0.28.0 (DST) - TCA0000000  - ID beyondtrust

Keys/Objects - List


Name                                      Type                 T E Label
================================================================================
518bf6106ecefb                            aes128               n n keytest 
^^^^^^^^^^^^^^ # (1)!

Total of objects: 1

Press ENTER key to continue...
  1. AES key generated within the HSM

For more details on integration with HSM, see the BeyondInsight website.

Discovery Credentials

All configuration done with the HSM Dinamocon console is scoped to the current user. To configure the parameters for system accounts, the console must be run in Windows impersonating the account in question. This can be done with tools provided by Microsoft itself, the operating system manufacturer.

The system account dealt with here is:

  • System (or SYSTEM), sid: S-1-5-18

Tools used

  • Tool used for impersonation: psexec64 from the PsTools suite provided by Microsoft (Sysinternals).

System Account

Once the HSM credential has been configured and created in Dinamo, one of the BeyondInsight features that can be used with the HSM is Discovery Credential Management. To do this, Dinamocon must be configured under the system account, as shown below.

Danger

Warning: execution with SYSTEM identity gives virtually unlimited access to the entire environment and can cause real damage if used inappropriately. Be very careful when using this facility.

  1. Launch a cmd terminal under the profile of the Windows system account. Run the command below from a terminal (PowerShell or cmd) elevated with administrative privileges:

    psexec64 -i -u "NT AUTHORITY\System" cmd
    

    The account must be given exactly by this name (in English) even on Portuguese systems, although it may be displayed localized in certain Windows utilities (GUI and CLI).

    Note that the account has no password. If you are being asked for one, it is likely that the name is being entered incorrectly.

    Example:

    Terminal launch with system account permission
    > psexec64 -i -u "NT AUTHORITY\system" cmd
    
    PsExec v2.43 - Execute processes remotely
    Copyright (C) 2001-2023 Mark Russinovich
    Sysinternals - www.sysinternals.com
                   .
                   .
                   .
       cmd launched in another (interactive) terminal ... # (1)!
                   .
                   .
                   .
       ... exit in the cmd terminal.
    
    cmd exited on MYHOST with error code 0.
    > _
    

    1. A new terminal with cmd is launched.

    The new cmd started will run under the profile of the account indicated, i.e. this account will be the current user for any application running from it.

  2. Run the HSM GUI management console from the cmd terminal.

    "\Program Files\Dinamo Networks\HSM Dinamo\dinamocon.exe"
    

    The title bar shows the account under which the console is running (v 4.8.0+).

    Image: Impersonating the SYSTEM account (note the title bar)

  3. After configuring the IP address, name and password of the user of the HSM partition in the console, check that the environment variables are configured in both the user and system accounts, as shown in the list below:

    Environment variables
    DFENCE_PKCS11_AUTO_RECONNECT = 1
    DFENCE_PKCS11_ENCRYPTED = 1
    DFENCE_PKCS11_LARGE_FIND_LIST = 1
    DFENCE_PKCS11_SPECIAL_PWD = 0
    DFENCE_PKCS11_IP = <HSM IP address>
    DFENCE_PKCS11_USER = <HSM user id>
    
  4. After configuration, restart the computer. Once it has restarted, open the BeyondInsight Configuration tool, click Stop Services, then Start Services, and then Apply so that BeyondInsight picks up the adjusted settings.

    Image: Restarting the BeyondInsight service

  5. In the BeyondInsight web console settings, the BeyondInsight credentials under Discovery Management can use the partition configured in the HSM. The discovery credentials are used by BeyondInsight when running scans, as shown in the image below:

    Image: Adding a new credential in settings

    Image: Example of a credential created using the HSM

    The image above shows an account (credential) created in BeyondInsight with the HSM configured.

  6. It is possible to monitor the use of the symmetric key in the HSM in real time through the log monitoring tool of the remote console (hsmcon), especially when a new credential is being created or updated in the BeyondInsight service.

    Image: Key in the HSM used to create or update the BeyondInsight credential

    Logs in HSM
    Dinamo - Remote Management Console v. 4.10.1.0 2018 (c) Dinamo Networks
    
    HSM 200.202.34.21 e - Engine 5.1.0.0-24-g8c90dda (DST) - TCA0000000  - ID master
    
    HSM - Logs - Follow
    
    Press Control+C to exit...
    
    2024/06/13 18:42:45 00049AA8 000187B4 000A3309 session thread up [4]
    2024/06/13 18:42:46 00049AA8 000187B5 B94FCD8C 52.90.118.21 auth try, c: 41, tls: y, 4|52.90.118.21 192.168.1.6:4433 -
    2024/06/13 18:42:46 00049AA8 000187B6 B94FCD8C BI auth init, c: 41|52.90.118.21 192.168.1.6:4433 -
                                                   ^^ # (1)!
    2024/06/13 18:42:46 00049AA8 000187B7 B94FCD8C BI auth ok, 52.90.118.21, 4|52.90.118.21 192.168.1.6:4433 -
    2024/06/13 18:42:46 00049AA8 000187B8 B94FCD8C 52.90.118.21#41 probe|52.90.118.21 192.168.1.6:4433 BI
    2024/06/13 18:42:46 00049AA8 000187B9 B94FCD8C 52.90.118.21#41 probe|52.90.118.21 192.168.1.6:4433 BI
    2024/06/13 18:42:47 00049AA8 000187BA B94FCD8C 52.90.118.21#41 probe|52.90.118.21 192.168.1.6:4433 BI
    2024/06/13 18:42:47 00049AA8 000187BB B94FCD8C f-sym: BI/b3b2d802cf7f8b, 02, 0010, 00E0|52.90.118.21 192.168.1.6:4433 BI
                                                          ^^^^^^^^^^^^^^^ # (2)!
    2024/06/13 18:42:54 00049AA8 000187BC B94FCD8C 52.90.118.21#41 probe|52.90.118.21 192.168.1.6:4433 BI
    2024/06/13 18:42:54 00049AA8 000187BD B94FCD8C 52.90.118.21#41 probe|52.90.118.21 192.168.1.6:4433 BI
    2024/06/13 18:42:55 00049AA8 000187BE B94FCD8C f-sym: BI/b3b2d802cf7f8b, 82, 0010, 00E0|52.90.118.21 192.168.1.6:4433 BI
    2024/06/13 18:42:55 00049AA8 000187BF B94FCD8C 52.90.118.21#41 probe|52.90.118.21 192.168.1.6:4433 BI
    2024/06/13 18:42:55 00049AA8 000187C0 B94FCD8C 52.90.118.21#41 probe|52.90.118.21 192.168.1.6:4433 BI
    2024/06/13 18:42:55 00049AA8 000187C1 B94FCD8C 52.90.118.21#41 probe|52.90.118.21 192.168.1.6:4433 BI
    2024/06/13 18:42:56 00049AA8 000187C2 B94FCD8C f-sym: BI/b3b2d802cf7f8b, 02, 0010, 00E0|52.90.118.21 192.168.1.6:4433 BI
    
    1. HSM authentication
    2. Use of the AES key
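The hsmcon "Logs - Follow" excerpts above (in Tests and in step 6) are what an operator watches to confirm that only the BeyondInsight server authenticates to the partition and uses its key. The Python below is an added example, not part of the Dinamo guide or the DINAMO client: it parses lines in that format and summarises, per HSM user, successful authentications, source IPs and the symmetric key ids seen in f-sym entries, so that use of the partition from an address other than the BeyondInsight server can be flagged. The sample lines are copied from the excerpt above; the allowlist of client addresses is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the hsmcon "Logs - Follow" format (values from the page's excerpt).
SAMPLE_LOG = """\
2022/10/17 20:34:42 0000C42E 000B3E12 000A3309 session thread up [5]
2022/10/17 20:34:42 0000C42E 000B3E15 FAED60C4 beyondtrust auth ok, 10.61.53.205, 5|10.61.53.205 10.61.53.64:4433 -
2022/10/17 20:35:10 0000C423 000B3E2F 02C2DA21 f-sym: beyondtrust/518bf6106ecefb, 82, 0010, 0160|10.61.53.205 10.61.53.64:4433 beyondtrust
2022/10/17 20:35:10 0000C423 000B3E30 02C2DA21 f-sym: beyondtrust/518bf6106ecefb, 82, 0010, 0160|10.61.53.205 10.61.53.64:4433 beyondtrust
2022/10/17 20:35:10 0000C423 000B3E31 02C2DA21 f-sym: beyondtrust/518bf6106ecefb, 02, 0010, 0160|10.61.53.205 10.61.53.64:4433 beyondtrust
"""

# date time <three 8-digit hex ids> message, optionally followed by "|client server:port user"
HEADER = re.compile(r"^(\d{4}/\d{2}/\d{2}) (\d{2}:\d{2}:\d{2}) (?:[0-9A-F]{8} ){3}(.*)$")
AUTH_OK = re.compile(r"^(\S+) auth ok, (\S+), \d+$")
F_SYM = re.compile(r"^f-sym: ([^/]+)/([0-9a-f]+), ")  # f-sym = symmetric key use

def parse_line(line):
    """Return {'date','time','msg','client','server','user'} or None for banner text."""
    left, _, suffix = line.rstrip("\n").partition("|")
    m = HEADER.match(left)
    if not m:
        return None
    rec = {"date": m.group(1), "time": m.group(2), "msg": m.group(3).strip(),
           "client": None, "server": None, "user": None}
    parts = suffix.split()
    if len(parts) == 3:  # user is "-" until the session has authenticated
        rec["client"], rec["server"] = parts[0], parts[1]
        rec["user"] = None if parts[2] == "-" else parts[2]
    return rec

def summarize(text):
    """Per HSM user: successful logins, client IPs seen and f-sym count per key id."""
    users = defaultdict(lambda: {"auth_ok": 0, "clients": set(), "keys": defaultdict(int)})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if m := AUTH_OK.match(rec["msg"]):
            users[m.group(1)]["auth_ok"] += 1
            users[m.group(1)]["clients"].add(m.group(2))
        elif m := F_SYM.match(rec["msg"]):
            users[m.group(1)]["keys"][m.group(2)] += 1
            if rec["client"]:
                users[m.group(1)]["clients"].add(rec["client"])
    return {u: {"auth_ok": d["auth_ok"], "clients": sorted(d["clients"]),
                "keys": dict(d["keys"])} for u, d in users.items()}

def unexpected_sources(summary, allowed_clients):
    """(user, ip) pairs that used the partition from an address outside the allowlist."""
    return [(u, ip) for u, d in summary.items() for ip in d["clients"] if ip not in allowed_clients]
```

Feed it the output of the hsmcon log follow (for example via a pipe) and alert on a non-empty result from unexpected_sources with the BeyondInsight server's address as the only allowed client.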

Note: Without Dinamocon properly configured under the NT AUTHORITY\SYSTEM account, trying to create or update a credential in BeyondInsight fails with the error: The functional account could not be saved, please try again. If the problem persists, contact the administrator.
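Because step 3 requires the DFENCE_PKCS11_* variables to be present in both the user and the system account, and the error above is what a missing or wrong value looks like from BeyondInsight's side, a script that reports exactly which variable is off saves a restart cycle. The Python below is an added example, not part of the Dinamo guide: check_scope compares one scope's values with the list in step 3, and read_scope (Windows only; the registry locations of persistent environment variables are an assumption) feeds it real values when run first from the administrator shell and again from the SYSTEM cmd opened with psexec64.

```python
import ipaddress
try:
    import winreg  # Windows only; check_scope itself runs on any platform
except ImportError:
    winreg = None

# Values listed in step 3 of the guide; IP and USER are site-specific but required.
EXPECTED_FIXED = {
    "DFENCE_PKCS11_AUTO_RECONNECT": "1",
    "DFENCE_PKCS11_ENCRYPTED": "1",
    "DFENCE_PKCS11_LARGE_FIND_LIST": "1",
    "DFENCE_PKCS11_SPECIAL_PWD": "0",
}
REQUIRED_NONEMPTY = ("DFENCE_PKCS11_IP", "DFENCE_PKCS11_USER")
REG_PATHS = {  # assumption: the usual registry locations of persistent environment variables
    "Machine": ("HKEY_LOCAL_MACHINE", r"SYSTEM\CurrentControlSet\Control\Session Manager\Environment"),
    "User": ("HKEY_CURRENT_USER", r"Environment"),
}

def read_scope(scope):
    """Windows only: read the DFENCE_PKCS11_* variables of 'Machine' or 'User' from the
    registry. Run from the admin shell and again from the psexec64 SYSTEM cmd."""
    if winreg is None:
        raise RuntimeError("registry access requires Windows")
    hive_name, path = REG_PATHS[scope]
    found = {}
    with winreg.OpenKey(getattr(winreg, hive_name), path) as key:
        for name in (*EXPECTED_FIXED, *REQUIRED_NONEMPTY):
            try:
                found[name] = str(winreg.QueryValueEx(key, name)[0])
            except FileNotFoundError:
                pass
    return found

def check_scope(values):
    """Return (variable, problem) tuples; an empty list means the scope matches step 3."""
    problems = []
    for name, want in EXPECTED_FIXED.items():
        if values.get(name) != want:
            problems.append((name, f"is {values.get(name)!r}, expected {want!r}"))
    for name in REQUIRED_NONEMPTY:
        if not values.get(name, "").strip():
            problems.append((name, "missing or empty"))
    ip = values.get("DFENCE_PKCS11_IP", "").strip()
    if ip:
        try:
            ipaddress.ip_address(ip)
        except ValueError:  # the guide expects the HSM's IP address here
            problems.append(("DFENCE_PKCS11_IP", f"{ip!r} is not an IP address"))
    return problems
```

On the BeyondInsight server, `check_scope(read_scope("Machine"))` and `check_scope(read_scope("User"))` should both return an empty list in each of the two shells before the services are restarted.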