Integration Guide: Active Directory Certificate Services (AD CS)
Microsoft Windows Server 2008 / R2 x64

Date post: 29-Mar-2019


Imprint

Copyright 2014 Utimaco IS GmbH
Germanusstrasse 4
D-52080 Aachen
Germany

phone: +49 (0)241 / 1696-200
fax: +49 (0)241 / 1696-199
web: http://hsm.utimaco.com
email: [email protected]
version: 1.2.0
date: June 2014
author: System Engineering HSM
document no.: SGCS_IG_Microsoft-W2K8Server-ADCS

All rights reserved. No part of this documentation may be reproduced in any form (printing, photocopy or according to any other process) without the written approval of Utimaco IS GmbH or be processed, reproduced or distributed using electronic systems. Utimaco IS GmbH reserves the right to modify or amend the documentation at any time without prior notice. Utimaco IS GmbH assumes no liability for typographical errors and damages incurred due to them. All trademarks and registered trademarks are the property of their respective owners.

Contents

1 Introduction
2 Overview
3 Requirements
4 Procedures
  4.1 Install SafeGuard® CryptoServer Hardware
  4.2 Install SafeGuard® CryptoServer Software
    4.2.1 Check Firmware Installation
    4.2.2 Install Firmware
  4.3 Configure Utimaco CryptoServer CSP
  4.4 Install Active Directory Certificate Services
5 Backup and Restore CSP Keys
  5.1 Backup Of CSP keys
  5.2 Restore and Distribute CSP Keys
6 4-Eyes Administration Concept
7 Failover
8 Further Information


1 Introduction

The SafeGuard CryptoServer is the hardware security module developed by Utimaco Safeware AG, i.e. a physically protected, specialized computer unit designed to perform sensitive cryptographic tasks and to securely manage cryptographic keys and data. In a SafeGuard CryptoServer security system, security-relevant actions can be executed and security-relevant information can be stored. It can be used as a universal, independent security component for heterogeneous computer systems.

2 Overview

A Certification Authority is a point of trust in your IT environment. The key pair of this certification authority must be protected with the strongest available methods, but must also be accessible to the company's security officer(s) (SO) in the most user-friendly way. A security officer, for example, uses a certification authority to generate digital user certificates and certificates for computer management. If the security officer has physical access to the root certificate's key pair, he is able to set up an identical certification authority. For this purpose the Utimaco SafeGuard CryptoServer protects the key pair from misuse. The key pairs are generated inside an inaccessible memory of the CryptoServer Hardware Security Module (HSM). From the cryptographic service provider (CSP) perspective, key-pair generation is completely transparent.


3 Requirements

Ensure that you have a copy of the CryptoServer Administration Guide [1]. This document also assumes that a Microsoft Windows 2008 (R2) Server has already been installed.

Software and Hardware Requirements

HSM Model      SafeGuard CryptoServer CS-Series/S-Series/Se-Series PCI
               SafeGuard CryptoServer CS-Series/S-Series/Se-Series LAN
               SafeGuard CryptoServer Simulator CS/Se
HSM Firmware   SafeGuard SecurityServer 2.50.2
Software       Microsoft Windows Server 2008
               Microsoft Windows Server 2008 R2 x64
               SafeGuard SecurityServer 2.50.2


4 Procedures

To integrate the SafeGuard CryptoServer with the Microsoft Windows Server 2008 (R2) Certification Authority, complete the following steps:

1. Install SafeGuard CryptoServer hardware
2. Install SafeGuard CryptoServer software
3. Configure Utimaco CryptoServer CSP
4. Install Microsoft Windows Server 2008 (R2) Active Directory Certificate Services

4.1 Install SafeGuard® CryptoServer Hardware

For installation and setup of SafeGuard CryptoServer hardware we refer to the SafeGuard CryptoServer PCI Installation and Operating Manual [4] and the SafeGuard CryptoServer LAN Installation and Operating Manual [3] respectively.

4.2 Install SafeGuard® CryptoServer Software

For the installation of SafeGuard CryptoServer software we refer to the CryptoServer Administration Guide [2]. Select CSP/CNG -- Cryptographic Service Provider (Microsoft) during the installation of SafeGuard CryptoServer software. Please also ensure that the CXI firmware module has been loaded after the installation (chapter 4.2.1). Otherwise load the firmware package SecurityServer-2.50.2.mpkg to the SafeGuard CryptoServer.

4.2.1 Check Firmware Installation

1. Start the CryptoServer Administration Tool (CAT) (Start > All Programs > Utimaco > SafeGuard CryptoServer).
2. Connect to your SafeGuard CryptoServer device.
3. Press the List Firmware button to list all installed firmware modules. The CXI module is installed if it is listed like this:

   68 CXI 2.0.4.0 INIT_OK


4.2.2 Install Firmware

If the CXI module has not been installed on the SafeGuard CryptoServer, follow these steps to load the firmware module.

1. Start the CryptoServer Administration Tool (CAT) (Start > All Programs > Utimaco > SafeGuard CryptoServer).
2. Connect to your SafeGuard CryptoServer device. In case of a SafeGuard CryptoServer Se-Series, log in next as a user with administration privileges (e.g. ADMIN).
3. Open the dialog Setup CryptoServer (Firmware Management > Setup CryptoServer).
   • Enter the license file if necessary or leave it blank.
   • Select the firmware package file SecurityServer-2.50.2.mpkg.
   • Choose either Update or New Installation as installation type. Select Update if you want to update existing firmware modules and keep your key databases unchanged; select New Installation if you want to remove all key databases and firmware modules before uploading the new ones.
   • To start uploading the firmware package, press Setup.
   • You will be prompted to authorize the installation. Select either smartcard authorization or key file token authorization and press the OK button.

The SafeGuard CryptoServer will restart after installation of the SecurityServer firmware package. To check whether your setup was successful, refer to the steps of section 4.2.1.

4.3 Configure Utimaco CryptoServer CSP

The Utimaco CryptoServer CSP (Cryptographic Service Provider) has to be configured before it can be used in the integration with the Microsoft Windows Server 2008 (R2) Certification Authority. The CSP has to be aware of the SafeGuard CryptoServer device(s) to be used, so each CryptoServer device has to be registered in the CSP. Generally there are two types of key storage options available for the CSP:

• The most common way is to store the keys inside the SafeGuard CryptoServer. This is the best protection against physical and logical attacks.
• In a cluster or failover scenario keys are stored externally. Normally the external storage is a media device, e.g. a shared network device (SAN or iSCSI) or a hard drive.

The next steps assume that internal storage of keys is used.

1. Start the Utimaco CryptoServer CSP configuration tool (Start > Control Panel > Utimaco CryptoServer CSP).
2. Add a device to the list by pressing Add Device and enter the device specifier, e.g.
   • IP address (e.g. SafeGuard CryptoServer LAN)
   • PCI:0 (e.g. SafeGuard CryptoServer PCI(e))
   • [email protected] (SafeGuard CryptoServer Simulator)
   Choose a group name for the newly generated keys. Usually the Certificate Authority name is chosen here. Confirm the settings by pressing OK.
3. Now you are prompted for a CryptoServer user logon. Only a user with administrative privileges can log on here. Select for example the default ADMIN user and press the Logon button.


4. The user credentials must be provided here. If you have selected a key-based user, you are prompted for the user key. Enter the source of the private user key and press OK.
5. After successful authentication, the user is logged on. Press the OK button to close the dialog.
6. The newly registered device is shown in the list of known devices.
7. Select the device in the list and set it as default by pressing the Set Default button.


8. As the next step the key storage export policy can be adjusted. Switch to the Key Storage tab and set the key export policy as shown in the next figure. Then click OK to leave the CryptoServer CSP Configuration window.

4.4 Install Active Directory Certificate Services

The Microsoft Active Directory Certificate Services are installed as a role with the Microsoft Server Manager. The account details of the Utimaco CSP of the CryptoServer should be known for the installation. For further configuration and policy settings of the Microsoft Active Directory Certificate Services, we refer to the installation and configuration guides of Microsoft Windows Server 2008 (R2).


1. To install Active Directory Certificate Services, open the Server Manager (Start > Control Panel > Administration Tools > Server Manager).
2. Click Add Roles in the Roles section, select "Active Directory Certificate Services" and click Next. Also click Next in the "Introduction to Active Directory Certificate Services" window.
3. Choose the CA Type and click Next. In this example the "Certification Authority" is chosen.


4. In the "Specify Setup Type" window keep the "Standalone" setting and click Next.
5. In the "Specify CA Type" window select "Root CA" and click Next.
6. In the "Set Up Private Key" window select "Create a new private key" and click Next.
7. Select Utimaco CryptoServer CSP from the CSP list, set the key length and select a hash algorithm. Click Next to proceed.


8. In the "Configure CA Name" window specify the common name for this CA (usually the name of the group which was specified in the device settings of the CryptoServer CSP configuration) and the distinguished name suffix (e.g. OU=PS-HSM, O=Utimaco Safeware, C=DE) and click Next.
9. In the "Set Validity Period" window enter your preferred validity period of the Certification Authority and click Next.


10. To configure the certificate database, define the certificate database and database log locations or keep the defaults and click Next.
11. Confirm the installation configuration and click Install. Wait until the installation is finished.


12. After the installation is finished, the Certification Authority service will start and the installation results will be displayed. Press Close to finish the installation.
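Once the wizard reports success, the point of the whole exercise is that the root CA key lives in the HSM and not in a software key container, so it is worth confirming that before the CA issues its first certificate. The following PowerShell script is an added check and not part of the Utimaco guide: it reads the CA's CSP settings from the CertSvc registry configuration, locates the CA certificate in the machine store and reports the provider, hardware backing and exportability of its key. It assumes the provider registers under the name "Utimaco CryptoServer CSP" as shown in the wizard's CSP list (step 7) and that the CA common name from step 8 is also the name of the active CA instance in the registry; adjust the variables if your names differ.

```powershell
# Added verification example (not part of the Utimaco integration guide).
# Assumptions: the provider is registered as "Utimaco CryptoServer CSP" and the
# CA common name matches the "Active" CA instance name; adjust if they differ.
# Run in an elevated PowerShell session on the CA host after the role install.

$ExpectedProvider = 'Utimaco CryptoServer CSP'

# AD CS keeps per-CA settings under CertSvc\Configuration\<CA name>;
# the "Active" value names the CA instance the service is running.
$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName    = (Get-ItemProperty -Path $configKey).Active
$csp       = Get-ItemProperty -Path "$configKey\$caName\CSP"

Write-Host "CA instance     : $caName"
Write-Host "Provider        : $($csp.Provider)"
Write-Host "Provider type   : $($csp.ProviderType)"
Write-Host "Hash algorithm  : $('0x{0:x}' -f [int]$csp.HashAlgorithm)"

if ($csp.Provider -ne $ExpectedProvider) {
    Write-Warning "CA is configured with '$($csp.Provider)', not '$ExpectedProvider'. A software CSP keeps the root key on disk."
}

# Find the CA certificate (it has a private key and carries the CA name as CN)
# and inspect the key container it points to.
$caCert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "CN=$caName*" } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1

if (-not $caCert) {
    Write-Warning "No certificate with a private key found for CN=$caName in the machine store."
} elseif (-not $caCert.PrivateKey) {
    # .PrivateKey is populated for legacy CSP keys; it is null for CNG keys or
    # when the CSP cannot open the container (e.g. an HSM logon is required).
    Write-Warning 'Private key handle could not be opened; verify with: certutil -store My'
} else {
    # For a CSP key this is an RSACryptoServiceProvider; CspKeyContainerInfo
    # tells us which provider holds the key and whether it may leave the HSM.
    $info = $caCert.PrivateKey.CspKeyContainerInfo
    Write-Host "Key container   : $($info.KeyContainerName)"
    Write-Host "Key provider    : $($info.ProviderName)"
    Write-Host "Hardware device : $($info.HardwareDevice)"
    Write-Host "Exportable      : $($info.Exportable)"

    if ($info.ProviderName -ne $ExpectedProvider) {
        Write-Warning 'The CA certificate key is held by a different provider than the one the CA is configured for.'
    }
    if ($info.Exportable) {
        Write-Warning 'The CA key is marked exportable; review the Key Storage export policy set in section 4.3.'
    }
}

# The service itself should be running once step 12 reports success.
Get-Service -Name CertSvc | Select-Object -Property Name, Status
```

If the CA name contains characters that Windows sanitizes in registry key names, the subject match will miss the certificate; in that case compare against the thumbprints listed by certutil -store My instead. Opening the private key handle may trigger the CSP's own device logon, which is expected behaviour for an HSM-backed key and is exactly what a software key would not do.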

5 Backup and Restore CSP Keys

Backup of key material is always encrypted with an HSM system key -- the Master Box Key (MBK). That key has to be generated and imported to the CryptoServer before any backup of key material -- in this case CSP keys -- can be done. The creation and import of an MBK is explained in the CryptoServer Administration Guide. For this documentation it is assumed that an MBK is present in the CryptoServer. In addition to MBK-based backup, encryption with a password is available. To restore a backup, the same MBK has to be present or the same password has to be used, because it is used for decryption of the backup.

5.1 Backup Of CSP keys

To create a backup of CSP key material, follow these steps:

1. Open the Utimaco CryptoServer CSP Tool (Start > All Programs > Utimaco > SafeGuard CryptoServer).
2. Select the key container which contains your keys. Select the key you intend to back up. Press the Export Key button to proceed.


3. In the following window check "use Master Box Key as encryption key (Backup)" and press OK.
4. Now you are prompted for a user logon. Select a user with administrative privileges, e.g. the user ADMIN, and press the Logon button.
5. The user credentials must be provided here. If you have selected a smart card key-based user, you are prompted for the user key. Enter the source of the private user key and press OK.
6. Browse to the folder to store the key and enter the corresponding name. Press Save to back up the key.


5.2 Restore and Distribute CSP Keys

If you distribute or restore a key, the MBK is used for the encryption. Be sure that the target SafeGuard CryptoServer uses the same MBK as used for encryption of the key to restore.

1. Open the Utimaco CryptoServer CSP Tool from the folder "Start > Utimaco > SafeGuard CryptoServer".
2. Enter the name of the key container you want to create and press Create Container. Or, if you want to restore the key to an already existing key container, select the key container and press Open Container. In this example RootCA is created. The name of the target container must be the same as the name of the original one which contained the key.
3. Press Import Key and select the key file to restore the key from. Press Open.
4. Now you are prompted for a user logon. Select a user with administrative privileges, e.g. the user ADMIN, and press the Logon button.


5. The user credentials must be provided here. If you have selected a key-based user, you are prompted for the user key. Enter the source of the private user key and press OK.
6. Now the key is restored and shown in the key list.


6 4-Eyes Administration Concept

The purpose of the 4-eyes administration concept is to prevent full access to user administration privileges for someone who is in possession of a single smartcard or key file. For this reason a single user logon must not be sufficient to reach the necessary login state for user administration. With SafeGuard CryptoServer it is possible to assign only a part of the necessary group rights or user administration rights to a single user. It is advised to change the default administration key as a first step of the CryptoServer setup. At this point it is also possible to apply the 4-eyes administration concept. For setting up the CSP with the optional 4-eyes authentication we refer to the document SGCS_SE_CSP Setup_4_Eyes. That guide relies on the SafeGuard CryptoServer Se-Series but is also valid for other series. You may also introduce the 4-eyes administration concept after the CSP is already set up with the default administrator. The authentication of a user administrator is required in the following chapters of this document:

1. Configure Utimaco CryptoServer CSP
2. Backup Of CSP keys
3. Restore and Distribute CSP Keys

7 Failover

Failover generally is the capability to automatically switch over to another server, system or network upon the failure or abnormal termination of the previously used server, system or network. In terms of the Utimaco CryptoServer devices this means switching over to another HSM device. All this happens without intervention of a user. This chapter provides information about the necessary configuration of the Utimaco SafeGuard CSP in order to enable the failover functionality. Note that a failover scenario only works when an external key storage is used. External here means storage of a cryptographic key on the local file system. Every external key is protected with encryption before storage; in this case the system key MBK (Master Box Key) is used for this encryption. In addition to local file system storage, a shared network storage like iSCSI or SAN can be used. A typical Microsoft Windows network mapped drive cannot be used due to permission conflicts with the Microsoft Certificate Authority service. To enable the failover feature follow these steps:


1. Start the Utimaco CryptoServer CSP configuration tool (Start > Control Panel > Utimaco CryptoServer CSP).
2. Add at least two devices (HSM1 and HSM2) to the list of managed devices by clicking the Add Device button. Enter the device specifier and group name as described in chapter 4.3 (Configure Utimaco CryptoServer CSP).
3. Every time you add a new CryptoServer device you will be prompted for a CryptoServer user logon. Each time you have to choose a user with administrative privileges.
4. Provide the user credentials here. If you have selected a key-based user, you are prompted for the user key. Enter the source of the private user key and press OK.
5. After successful authentication, the user is logged on. Press the OK button to close the dialog.


6. The newly registered devices are shown in the list of known devices.
7. Select the device in the list which is supposed to be the default one and click the Set Default button. By defining a device as default it becomes the current device for every operation. In case of a failure or abnormal termination of the current CryptoServer device, the next device in the list is chosen for operation.
8. The key storage export policy must be adjusted. As already mentioned, external key storage is necessary to enable the failover feature. Switch to the Key Storage tab and set the key export policy as shown in the next figure.


9. Press OK button to leave the CryptoServer CSP Configuration window and finish configuration.
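Before relying on the device list in production, it is worth checking the two preconditions this chapter places on the external key storage: it must sit on a fixed volume (local disk, SAN or iSCSI) rather than a mapped network drive, and the Certificate Authority service, which runs as Local System, must be able to read and write it while no broad group can read the MBK-encrypted key files. The following PowerShell script is an added pre-flight check and not part of the Utimaco guide; the storage path D:\HSMKeys and the device addresses 192.0.2.10 and 192.0.2.11 are constructed placeholders for the folder you select on the Key Storage tab and the HSM1/HSM2 specifiers entered in step 2.

```powershell
# Added pre-flight example (not part of the Utimaco integration guide).
# Assumptions (constructed, adjust to your environment): the external key
# storage folder is D:\HSMKeys and the two LAN devices registered in step 2
# answer at 192.0.2.10 and 192.0.2.11. Run elevated on the CA host.

$KeyStorePath = 'D:\HSMKeys'
$HsmDevices   = @('192.0.2.10', '192.0.2.11')

$problems = @()

# 1. The storage must be a fixed volume. SAN and iSCSI LUNs appear as fixed
#    disks; a mapped network drive reports DriveType 'Network' and does not
#    work with the CA service, as the chapter notes.
$root  = [System.IO.Path]::GetPathRoot($KeyStorePath)
$drive = New-Object System.IO.DriveInfo($root)
if ($drive.DriveType -ne [System.IO.DriveType]::Fixed) {
    $problems += "Key storage '$KeyStorePath' is on a $($drive.DriveType) drive; use a fixed local, SAN or iSCSI volume."
}

if (-not (Test-Path -Path $KeyStorePath -PathType Container)) {
    $problems += "Key storage folder '$KeyStorePath' does not exist."
} else {
    # 2. CertSvc runs as Local System and needs full access to the folder.
    $fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
    $acl = Get-Acl -Path $KeyStorePath
    $systemRule = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $fullControl) -eq $fullControl)
    }
    if (-not $systemRule) {
        $problems += "SYSTEM does not have Full Control on '$KeyStorePath'."
    }

    # 3. The key files are MBK-encrypted, but they should still not be readable
    #    by every interactive user on the box; flag broad Allow entries.
    $broad = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users)$'
    }
    if ($broad) {
        $names = ($broad | ForEach-Object { $_.IdentityReference.Value }) -join ', '
        $problems += "Broad groups have access to '$KeyStorePath': $names"
    }
}

# 4. Both HSMs must be reachable, otherwise the second entry in the device
#    list gives no failover at all.
foreach ($hsm in $HsmDevices) {
    if (-not (Test-Connection -ComputerName $hsm -Count 1 -Quiet)) {
        $problems += "HSM device $hsm did not answer a ping; check the network path and the device specifier."
    }
}

if ($problems.Count -eq 0) {
    Write-Host 'Failover pre-flight checks passed.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

A ping only proves basic reachability; the CSP configuration tool's own logon in step 3 remains the authoritative test that each device accepts the administrative user. The ACL check is deliberately strict about Full Control for SYSTEM because the CA service, not the logged-on administrator, is the process that will write the exported keys.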


8 Further Information

This document forms a part of the information and support which is provided by Utimaco Safeware. Additional documentation can be found on the product CD in the documentation directory. All SafeGuard CryptoServer product documentation is also available at the Utimaco Safeware website: http://hsm.utimaco.com


References

[1] Utimaco Safeware AG. SafeGuard CryptoServer - Administration Guide for CSADM, 2011. 2009-0003.
[2] Utimaco Safeware AG. SafeGuard CryptoServer - Manual for System Administrators, 2011. M010-0001-de.
[3] Utimaco Safeware AG. SafeGuard CryptoServer LAN - Operating Manual, 2011. M010-0006-en.
[4] Utimaco Safeware AG. SafeGuard CryptoServer PCI - Operating and Installation Manual, 2011. M010-0003-en.


Contact

Utimaco IS GmbH
Germanusstraße 4
D-52080 Aachen
Germany

phone: +49 241 1696-200
fax: +49 241 1696-199
web: http://hsm.utimaco.com
email: [email protected]
