Microsoft IIS nShield® HSM Integration Guide
Page 1: Microsoft IIS: nShield® HSM Integration Guide



Version: 2.5

Date: Wednesday, June 30, 2021

Copyright © 2019-2021 nCipher Security Limited. All rights reserved.

Copyright in this document is the property of nCipher Security Limited. It is not to be

reproduced modified, adapted, published, translated in any material form (including

storage in any medium by electronic means whether or not transiently or incidentally) in

whole or in part nor disclosed to any third party without the prior written permission of

nCipher Security Limited neither shall it be used otherwise than for the purpose for

which it is supplied.

Words and logos marked with ® or ™ are trademarks of nCipher Security Limited or its

affiliates in the EU and other countries.

Docker and the Docker logo are trademarks or registered trademarks of Docker, Inc. in

the United States and/or other countries.

Information in this document is subject to change without notice.

nCipher Security Limited makes no warranty of any kind with regard to this information,

including, but not limited to, the implied warranties of merchantability and fitness for a

particular purpose. nCipher Security Limited shall not be liable for errors contained

herein or for incidental or consequential damages concerned with the furnishing,

performance or use of this material.

Where translations have been made in this document English is the canonical language.

nCipher Security Limited

Registered Office: One Station Square

Cambridge, UK CB1 2GA

Registered in England No. 11673268

nCipher is an Entrust company.

Entrust, Datacard, and the Hexagon Logo are trademarks, registered trademarks, and/or

service marks of Entrust Corporation in the U.S. and/or other countries. All other brand

or product names are the property of their respective owners. Because we are

continuously improving our products and services, Entrust Corporation reserves the right

to change specifications without prior notice. Entrust is an equal opportunity employer.

2 of 27 Microsoft IIS nShield® HSM Integration Guide


Contents

1. Introduction ............................................................ 4
1.1. Product configuration ................................................. 4
1.2. Requirements .......................................................... 5
2. Procedures .............................................................. 6
2.1. Install the nShield HSM ............................................... 6
2.2. Install the Security World Software and configure the Security World .. 6
2.3. Install IIS ........................................................... 6
2.4. Install and register the CNG provider ................................ 12
2.5. Create a certificate request ......................................... 21
2.6. Get the signed certificate ........................................... 22
2.7. Install the certificate .............................................. 22
2.8. Integrate an nShield HSM with an existing IIS deployment ............. 24
Contact Us ................................................................ 27


1. Introduction

Microsoft Internet Information Services (IIS) for Windows Server is a Web server
application. nShield Hardware Security Modules (HSMs) integrate with IIS 10.0 to provide
full key life-cycle management with FIPS-certified hardware and to reduce the
cryptographic load on the host server CPU. Integration of the nShield HSM with IIS 10.0
provides the following benefits:

• Uses hardware validated to the FIPS 140-3 standards

• Improves server performance by offloading cryptographic processing

• Enables secure storage of the IIS keys

• Enables management of the full life cycle of the keys

1.1. Product configuration

We have successfully tested the nShield HSM integration with IIS in the following

configuration:

Product            Version
Operating System   Windows 2019 Server
IIS version        10.0

1.1.1. Supported nShield features

We have successfully tested nShield HSM integration with the following features:

Feature           Support
Softcards         No
Module-only key   Yes
OCS cards         Yes

1.1.2. Supported nShield hardware and software versions

We have successfully tested with the following nShield hardware and software versions:


1.1.2.1. Connect XC

Security World Software   Firmware   Image      OCS   Softcard   Module
12.60.11                  12.50.11   12.60.10   ✓                ✓

1.1.2.2. Connect +

Security World Software   Firmware   Image      OCS   Softcard   Module
12.60.11                  12.50.8    12.60.10   ✓                ✓

1.2. Requirements

Before installing the software, we recommend that you familiarize yourself with the IIS

documentation and setup process, and that you have the nShield documentation

available. We also recommend that there is an agreed organizational Certificate Practices

Statement and a Security Policy/Procedure in place covering administration of the HSM.

In particular, these documents should specify the following aspects of HSM

administration:

• The number and quorum of Administrator Cards in the Administrator Card Set

(ACS), and the policy for managing these cards

• Whether the application keys are protected by the HSM module key or an Operator

Card Set (OCS) protection

• Whether the Security World should be compliant with FIPS 140-2 level 3

• Key attributes such as the key algorithm, key length and key usage.

For more information, see the User Guide for the HSM.


2. Procedures

Integration procedures include:

• Installing the nShield HSM.

• Installing the Security World Software, and configuring the Security World.

• Installing IIS.

• Installing and registering the CNG provider.

• Creating a certificate request.

• Getting the signed certificate.

• Installing the certificate.

• Integrating an nShield HSM with an existing IIS deployment.

2.1. Install the nShield HSM

Install the HSM and Security World software using the instructions in the Installation

Guide for the HSM. We recommend that you do this before installing and configuring IIS.

2.2. Install the Security World Software and configure the Security World

1. Install the latest version of the Security World Software as described in the User

Guide for the HSM.

2. Initialize a Security World as described in the User Guide for the HSM.

You can also use the CNG Configuration Wizard to create a Security World. If you are

using an OCS, to adhere to IIS requirements it must be a 1-of-N with no passphrase,

where N is the number of cards in the set.

2.3. Install IIS

To install Microsoft Internet Information Services:

1. Open Server Manager by selecting Start > Server Manager.


2. Select Manage and then select Add Roles and Features.

3. On the Before you begin screen, select Next.


4. On the Select installation type screen, ensure the default selection of Role or Feature Based Installation is selected and select Next.

5. On the Server Selection screen, select a server from the server pool and select Next.


6. On the Select server roles screen, select the Web Server (IIS) role and select Next.

7. When prompted to install Remote Server Administration Tools, select Add Features and select Next.


8. On the Select features screen, keep the default selection and select Next.

9. On the Web Server Role (IIS) screen, select Next.


10. On the Select Role Service screen, select Next.

11. On the confirmation screen, select Install.


12. Once the installation completes, select Close.

2.4. Install and register the CNG provider

1. Open a command window as administrator and type the following to put the HSM in

pre-initialization mode. This operation takes about a minute to complete.


>enquiry -m 1
Module #1:
 enquiry reply flags  none
 enquiry reply level  Six
 serial number        BD10-03E0-D947
 mode                 operational
 ...

>nopclearfail -I -m 1
Module 1, command ClearUnitEx: OK

>enquiry -m 1
Module #1:
 enquiry reply flags  none
 enquiry reply level  Six
 serial number        BD10-03E0-D947
 mode                 pre-initialization
 ...

2. Select the Start button to access all applications. Look for the recently installed

nShield utilities.

3. Double-click the CNG configuration wizard and run it as Administrator.

4. Select Next on the CNG Install welcome screen.


5. Select Next on the Enable HSM Pool Mode screen. Leave the Enable HSM Pool Mode for CNG Providers check box unchecked.

6. At the Security World screen, select:

◦ Use the existing security world if you already have a Security World that you
intend to use for this integration. The corresponding world and
module_xxxx-xxxx-xxxx files must be present in the %NFAST_KMDATA%\local folder.
Be prepared to present the quorum of Administrator cards.

◦ Create a new Security World if you do not currently have a Security World or

would like to create a new Security World.

In this integration, we used an existing Security World. For instructions on how

to create and configure a new Security World, see the Installation Guide and

User Guide for your HSM.

Select Next.


7. The Set Module States pop-up shows the available HSM(s). Select the desired HSM.

The state of the selected HSM should be (pre-)initialisation. Select Next.

8. At the Module Programming Options screen, clear Enable this module as a remote target and select Next. It will take about a minute before the screen changes.

Please be aware that this is not to be confused with the nShield

Remote Administration utility.


9. Insert the first Administrator Card in the HSM, enter the passphrase and select Next. Repeat this step for the other Administrator Cards as required.

Loading or creating the Security World takes about a minute.

10. Return the HSM to Operational mode.

This operation takes about a minute to complete.


>enquiry -m 1
Module #1:
 enquiry reply flags  none
 enquiry reply level  Six
 serial number        BD10-03E0-D947
 mode                 initialization
 ...

>nopclearfail -O -m 1
Module 1, command ClearUnitEx: OK

C:\Windows\system32>enquiry -m 1
Module #1:
 enquiry reply flags  none
 enquiry reply level  Six
 serial number        BD10-03E0-D947
 mode                 operational
 ...

The module state will change to Usable.

Select Next.

11. Select the protection method.

Due to limitations of IIS itself, any OCS protection must be

passphrase-less 1/n quorum, and any softcard protection is not

supported. For this reason, use only OCS or module protection.

◦ Operator Card Set protection

a. Select Operator Card Set in the Key Protection Setup, then select Next.


b. Enter the OCS name, K of N values, select Persistent and Usable remotely,

then select Next.

c. Insert a blank Operator Card in the HSM.

d. In Insert Next Card, enter a name for the OCS card. Leave the Card requires a
pass phrase checkbox unchecked, as OCS protection must be passphrase-less, then
select Next.

◦ Module protection

a. In Key Protection Setup, select Module protection, then select Next.


b. Select Next and Finish.

The nShield CNG providers are installed and the Key Storage Provider (KSP) is registered.


12. Open a command window as administrator and type the following to confirm that

the KSP has been successfully registered. Look for nCipher Security World Key Storage Provider.

> cnglist.exe --list-providers
Microsoft Key Protection Provider
Microsoft Passport Key Storage Provider
Microsoft Platform Crypto Provider
Microsoft Primitive Provider
Microsoft Smart Card Key Storage Provider
Microsoft Software Key Storage Provider
Microsoft SSL Protocol Provider
Windows Client Key Protection Provider
nCipher Primitive Provider
nCipher Security World Key Storage Provider

13. Check that the provider key is present in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Cryptography\Providers\nCipherSecurityWorldKeyStorageProvider
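The following script is an added example and is not part of the nShield guide. It wraps the checks that section 2.4 performs by hand: moving the module between pre-initialization and operational mode with nopclearfail (steps 1 and 10), waiting for enquiry to confirm the change rather than guessing when "about a minute" has passed, and confirming the KSP registration through cnglist.exe and the registry (steps 12 and 13). It assumes Windows PowerShell 5.1 in an elevated session, the nShield bin folder (C:\Program Files (x86)\nCipher\nfast\bin) on PATH, and uses only the utilities the guide shows (enquiry, nopclearfail, cnglist) plus certutil -csplist as an independent cross-check.

```powershell
# Added example, not part of the nShield guide. Assumes Windows PowerShell 5.1,
# an elevated session, and the nShield bin folder on PATH.

$KspName = 'nCipher Security World Key Storage Provider'
# The guide shows ControlSet001; CurrentControlSet is Windows' link to whichever
# control set is active, so it is the safer path to check.
$KspRegistryPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Providers\nCipherSecurityWorldKeyStorageProvider'

function Get-HsmMode {
    param([int]$Module = 1)
    # enquiry prints a "Module #N:" header followed by indented fields, one of
    # which is "mode <state>" (operational, pre-initialization, initialization).
    $inModule = $false
    foreach ($line in (& enquiry.exe -m $Module 2>&1)) {
        if ("$line" -match "^Module #$Module\:") { $inModule = $true; continue }
        if ($inModule -and "$line" -match '^\s*mode\s+(\S+)') { return $Matches[1] }
    }
    throw "Could not read the mode of module $Module from enquiry output"
}

function Wait-HsmMode {
    param(
        [int]$Module = 1,
        [Parameter(Mandatory)][string]$Mode,
        [int]$TimeoutSeconds = 180
    )
    # The guide says each transition takes about a minute; poll instead of guessing.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $current = Get-HsmMode -Module $Module
        if ($current -eq $Mode) { return $current }
        Start-Sleep -Seconds 5
    } while ((Get-Date) -lt $deadline)
    throw "Module $Module is still in mode '$current'; expected '$Mode' after $TimeoutSeconds s"
}

function Set-HsmMode {
    param(
        [int]$Module = 1,
        [Parameter(Mandatory)][ValidateSet('PreInit', 'Operational')][string]$Target
    )
    # nopclearfail -I = pre-initialization (guide step 1), -O = operational (guide step 10).
    $flag     = if ($Target -eq 'PreInit') { '-I' } else { '-O' }
    $expected = if ($Target -eq 'PreInit') { 'pre-initialization' } else { 'operational' }
    & nopclearfail.exe $flag -m $Module | Out-Null
    Wait-HsmMode -Module $Module -Mode $expected
}

function Test-NCipherKsp {
    # 1. Provider enumeration, as in step 12: cnglist prints one provider name per line.
    $providers = & cnglist.exe --list-providers 2>&1 | ForEach-Object { "$_".Trim() }
    # 2. Registry key written when the wizard registers the KSP, as in step 13.
    $regPresent = Test-Path -Path $KspRegistryPath
    # 3. Independent cross-check through Windows' own provider list.
    $certutilSeesKsp = [bool]((& certutil.exe -csplist) -match [regex]::Escape($KspName))
    $result = [pscustomobject]@{
        KspListedByCnglist      = $providers -contains $KspName
        PrimitiveProviderListed = $providers -contains 'nCipher Primitive Provider'
        RegistryKeyPresent      = $regPresent
        KspListedByCertutil     = $certutilSeesKsp
    }
    $all = $result.KspListedByCnglist -and $result.PrimitiveProviderListed -and
           $result.RegistryKeyPresent -and $result.KspListedByCertutil
    $result | Add-Member -NotePropertyName AllChecksPassed -NotePropertyValue $all -PassThru
}

# Usage in the guide's order. Run each line at the corresponding step:
Set-HsmMode -Module 1 -Target PreInit        # step 1, before the CNG Configuration Wizard
# ... run the CNG Configuration Wizard (steps 2 to 9) ...
Set-HsmMode -Module 1 -Target Operational    # step 10
Test-NCipherKsp | Format-List                # steps 12 and 13
```

The module-section scan in Get-HsmMode matters because a full enquiry listing also prints a Server section with its own mode line; selecting the first "mode" line would report the hardserver state rather than the HSM's.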


2.5. Create a certificate request

IIS Manager does not support the creation of certificates protected by CNG Keys and

these need to be created using the Microsoft command line utilities. Commands

executed in this section are run on a PowerShell in Windows.

Due to limitations of IIS itself, no GUI prompts (even via nShield Service

Agent) can be displayed, so any OCS protection must be passphrase-

less 1/n quorum. For this reason, use only OCS or module protection.

Complete the following steps to create a certificate request:

1. To make sure the nCipher Primitive Provider and nCipher Security World Key Storage

Providers are listed, run:

% cnglist.exe --list-providers

Microsoft Key Protection Provider
Microsoft Passport Key Storage Provider
Microsoft Platform Crypto Provider
Microsoft Primitive Provider
Microsoft Smart Card Key Storage Provider
Microsoft Software Key Storage Provider
Microsoft SSL Protocol Provider
Windows Client Key Protection Provider
nCipher Primitive Provider
nCipher Security World Key Storage Provider

If the nCipher Primitive Provider and nCipher Security World Key

Storage Provider are not listed, please follow the steps in the

Install and register the CNG provider section.

2. Set up a template file:

a. Generate a request for an SSL certificate linked to a 2K RSA key by creating a file

called request.inf with the following information:

[Version]
Signature= "$Windows NT$"

[NewRequest]
Subject = "CN=interop.com,C=US,ST=Florida,L=Sunrise,O=InteropCom,OU=WebServer"
HashAlgorithm = SHA256
KeyAlgorithm = RSA
KeyLength = 2048
ProviderName = "nCipher Security World Key Storage Provider"
KeyUsage = 0xf0
MachineKeySet = True

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

Your request.inf file does not have to contain exactly the code given above. This

is an example, not a definitive model.


b. Specify the subject details of the Domain Controller which is issuing the

certificate.

c. Specify the key algorithm and key length as required, for example RSA 2048.

d. Specify the Provider name as nCipher Security World Key Storage Provider.

e. When you have set up the template successfully, save it as request.inf on the C:\

drive.

3. Open a command prompt and go to the local drive, in this case C:\.

4. To create the certificate request for the Certification Authority, execute the

command:

% certreq.exe -new request.inf IISCertRequest.csr
CertReq: Request Created

A certificate request called IISCertRequest.csr is generated and placed on the C:\
drive. This file is sent to a Certificate Authority.

2.6. Get the signed certificate

1. Submit the CSR file to a CA such as VeriSign, Entrust, and so on.

2. The CA authenticates the request and returns a signed certificate or a certificate

chain.

3. Save the reply from the CA in the current working directory.

In this guide the signed certificate file is IISCertRequest.cer.

2.7. Install the certificate

Make the certificate available to be used in IIS and bind the certificate with the https

settings in IIS.

Commands used in this section are run from a Windows PowerShell.

2.7.1. Make the certificate available for use in IIS

To make the certificate available for use in IIS, run the following command:

% certreq -accept IISCertRequest.cer

Where IISCertRequest.cer is the binary certificate exported from the CA. Running this

command makes the CA certificate trusted on the Web Server.


Installed Certificate:
  Serial Number: 67790b108e551446903d999aabeaaf5e003fb66f
  Subject: C=US, CN=Hostname
  NotBefore: 6/22/2021 1:22 PM
  NotAfter: 6/22/2022 1:22 PM
  Thumbprint: cd3135f897ab0b44dfe6f451bcd63076ed4228e8

2.7.2. Bind the certificate with a secure IIS web server

1. Go to Start > Internet Information Services (IIS) Manager.

2. Select the hostname, then double-click Server Certificates and verify the certificate

you accepted in the previous step is listed.

3. Click Default website under Sites on the left-hand side of the IIS Manager screen.

4. Select the Bindings link on the right-hand side of the IIS Manager.

5. On the Site Bindings screen, select Add if the https protocol is not listed, but if it is,

select it.

6. If you have to add it select the protocol as HTTPS and select the certificate from the

list.

If you are editing the settings, select the certificate from the list.

7. Select OK to complete the certificate binding for SSL connection.

8. Select Close on the Site Bindings screen.

9. Restart the IIS server.

10. Open the browser and type https://machinename:443.

11. Accept the certificate on the browser to continue with SSL connection with IIS

server.
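Section 2.7 ends with a visual check in IIS Manager and a browser, which confirms that HTTPS works but not that the private key actually lives in the HSM: a certificate whose key was accidentally generated in the Microsoft Software Key Storage Provider binds and serves TLS just as well. The script below is an added example, not part of the nShield guide. It reads the certificate from LocalMachine\My, asks Windows which CNG provider holds its private key, and checks HTTP.SYS's SSL bindings (netsh http show sslcert) for that thumbprint. It assumes Windows PowerShell 5.1 in an elevated session; the thumbprint in the usage line is the one printed by certreq -accept earlier in the guide.

```powershell
# Added example, not part of the nShield guide. Assumes Windows PowerShell 5.1
# in an elevated session on the IIS host.

$NCipherKsp = 'nCipher Security World Key Storage Provider'

function Get-CertificateKeyProvider {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key in LocalMachine\My" }
    # GetRSAPrivateKey returns RSACng for CNG (KSP) keys and RSACryptoServiceProvider
    # for legacy CAPI keys; each exposes its provider name differently.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) { return $rsa.Key.Provider.Provider }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) { return $rsa.CspKeyContainerInfo.ProviderName }
    throw "Unexpected private key type $($rsa.GetType().FullName)"
}

function Get-HttpSysSslThumbprints {
    # netsh prints one "Certificate Hash : <40 hex chars>" line per SSL binding.
    foreach ($line in (& netsh.exe http show sslcert)) {
        if ("$line" -match 'Certificate Hash\s*:\s*([0-9a-fA-F]{40})') { $Matches[1].ToUpperInvariant() }
    }
}

function Test-IisHsmBinding {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $tp = $Thumbprint.ToUpperInvariant()
    $provider = Get-CertificateKeyProvider -Thumbprint $tp
    $bound = @(Get-HttpSysSslThumbprints) -contains $tp
    [pscustomobject]@{
        Thumbprint      = $tp
        KeyProvider     = $provider
        KeyHeldByHsm    = ($provider -eq $NCipherKsp)   # false means the key is in software
        HttpsBindingSet = $bound                         # false means step 2.7.2 did not take
        Ok              = ($provider -eq $NCipherKsp) -and $bound
    }
}

# Thumbprint from the guide's certreq -accept output; replace with your own.
Test-IisHsmBinding -Thumbprint 'cd3135f897ab0b44dfe6f451bcd63076ed4228e8' | Format-List
```

Opening the key through the nCipher KSP is what exercises the protection method chosen in section 2.4: with module protection it simply succeeds, and with the guide's passphrase-less 1/N OCS the card must be in the HSM, so a failure here reproduces the same condition that would break IIS at start-up.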


2.8. Integrate an nShield HSM with an existing IIS deployment

This section describes how to upgrade an existing IIS server installation to use an nShield
HSM to protect the private key. It is assumed that the existing certificate must continue
to be used by the server after the integration.

Prerequisites to integrate are:

• An IIS setup with a software-protected certificate and private key

• nShield software installed and a Security World created using the CNG
Configuration Wizard, or the front panel of an nShield Connect

2.8.1. Export the software-protected certificate

Complete the following procedure to export the software-protected certificate:

1. Type MMC at the command prompt and select OK.

The Microsoft Management Console opens.

2. On the initial screen, select File > Add/Remove Snap-in and select Add.

3. Select Certificates from Available Standalone Snap-ins and select Add.

4. On the Certificates snap-in screen, select Computer account and select Next.

5. On the Select Computer screen, select Local computer, select Finish then OK.

6. Navigate to the Certificates directory (Certificates (Local Computer) > Personal > Certificates).

7. Right-select the certificate file and select All Tasks > Export.

8. The Welcome to the Certificate Export Wizard screen appears. Select Next.

9. On the Export Private Key screen, select No, do not export the private key and

select Next.

10. On the Export File Format screen, select Base-64 encoded X.509 (.Cer) and select

Next.

11. On the File to Export screen, select an absolute path and filename to save the

exported Certificate.

Select Next.

12. The Completing the Certificate Export Wizard screen appears.

Select Finish.

13. After exporting the certificate, delete the certificate from the certificate store.


2.8.2. Import a Microsoft CAPI key into the nCipher Security World Key Storage Provider

To import a Microsoft CAPI key into the nCipher Security World Key Storage Provider:

1. Navigate to the C:\Program Files (x86)\nCipher\nfast\bin folder and run cngimport.exe:

C:\Program Files (x86)\nCipher\nfast\bin\cngimport -m -M -k "MS CAPI key" "imp_key_name"

The Microsoft CNG key is in the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys folder.

Example:

C:\Program Files (x86)\nCipher\nfast\bin\cngimport -m -M -k "48753e97af4e829f_b2885b-321a-42b9-9122-81d377654436" "Importedkeyname"

2. To check the success of the import, list the keys in the Security World:

C:\Program Files (x86)\nCipher\nfast\bin\cnglist64.exe --list-key
Importedkeyname: RSA machine
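Section 2.8.2 needs the "MS CAPI key" name for cngimport -k, which is the file name of the key container under C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys, but it does not say how to find that name for a given certificate. The script below is an added example, not part of the nShield guide: it reads the container name and serial number from the certificate while it is still in the store, and emits the guide's own three commands (cngimport, cnglist64 --list-key, certutil -repairstoremy) with those values filled in. Run it before step 13 of section 2.8.1 deletes the certificate. It assumes Windows PowerShell 5.1 (whose X509Certificate2.PrivateKey returns a CAPI key object, or $null for CNG keys) in an elevated session, and the nfast\bin path the guide uses. The thumbprint in the usage line is a placeholder.

```powershell
# Added example, not part of the nShield guide. Assumes Windows PowerShell 5.1,
# an elevated session, and the guide's nfast\bin install path.

function Get-CapiKeyContainerInfo {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
    # On Windows PowerShell 5.1, PrivateKey is an RSACryptoServiceProvider for CAPI
    # keys and $null for CNG keys: exactly the distinction this migration hinges on.
    $key = $cert.PrivateKey
    if ($null -eq $key) { throw "Certificate $Thumbprint has no CAPI private key (already CNG, or not accessible)" }
    $info = $key.CspKeyContainerInfo
    [pscustomobject]@{
        SerialNumber        = $cert.SerialNumber
        ProviderName        = $info.ProviderName
        KeyContainerName    = $info.KeyContainerName
        # UniqueKeyContainerName is the file name under ...\Crypto\RSA\MachineKeys,
        # the same form as 48753e97af4e829f_b2885b-... in the guide's example.
        UniqueContainerName = $info.UniqueKeyContainerName
        MachineKeySet       = $info.MachineKeyStore
    }
}

function Get-HsmMigrationCommands {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$ImportedKeyName,
        [string]$NfastBin = 'C:\Program Files (x86)\nCipher\nfast\bin'
    )
    $k = Get-CapiKeyContainerInfo -Thumbprint $Thumbprint
    if (-not $k.MachineKeySet) {
        throw 'Key is in a user key set; IIS needs a machine key (the guide uses MachineKeySet = True)'
    }
    $keyFile = Join-Path 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys' $k.UniqueContainerName
    if (-not (Test-Path -Path $keyFile)) { throw "Key file $keyFile not found" }
    # The three commands are the guide's own (2.8.2 steps 1 and 2, 2.8.3 step 13), filled in.
    @(
        "& `"$NfastBin\cngimport.exe`" -m -M -k `"$($k.UniqueContainerName)`" `"$ImportedKeyName`""
        "& `"$NfastBin\cnglist64.exe`" --list-key"
        "certutil -f -csp `"nCipher Security World Key Storage Provider`" -repairstoremy $($k.SerialNumber)"
    )
}

# Placeholder thumbprint: replace with that of the existing software-protected IIS certificate.
Get-HsmMigrationCommands -Thumbprint '<THUMBPRINT_OF_EXISTING_IIS_CERT>' -ImportedKeyName 'Importedkeyname'
```

The script only prints the commands so that the operator can review the container name and serial before running them; after certutil -repairstoremy has re-associated the certificate with the nCipher KSP, the binding check from section 2.7 can be rerun to confirm that the key now reports the HSM provider.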

2.8.3. Import a certificate into the certificate store

1. Go to the command prompt and type MMC, then select OK to open the Microsoft

Management Console.

2. On the initial screen, select File > Add/Remove Snap-in and select Add.

3. From Available Standalone Snap-ins, select Certificates and select Add.

4. On the Certificates snap-in screen, select Computer account and select Next.

5. On the Select Computer screen, select Local computer, select Finish and select OK.

6. Navigate to the Certificates directory (Certificates (Local Computer) > Personal > Certificates).

7. Right-select the certificate folder and select All Tasks > Import.

8. The Welcome to the Certificate Import Wizard screen appears. Select Next.

9. Navigate to the location of the certificate from the Origin Server and select Next.

10. On the Certificate Store screen, select Place all certificates in the following store.

11. Make sure that the default selection in Certificate Store is Personal, then select Next.

12. The Completing the Certificate Import Wizard screen appears.

Select Next, then select OK.


13. Run the following command from the Windows terminal:

C:\Program Files (x86)\nCipher\nfast\bin>certutil -f -csp "nCipher Security World Key Storage Provider" -repairstoremy <serial number of certificate>

14. Open the IIS Manager from Start > Internet Information Services (IIS) Manager.

15. Under Sites on the left-hand side of the IIS Manager screen, select the required web

site.

16. On the right-hand side of the IIS Manager screen, select Bindings.

17. On the Site Bindings screen, select Add.

18. Select the protocol HTTPS.

19. Select the certificate from the drop-down list.

20. To complete the certificate binding for SSL connection, select OK.

21. Open the browser and type https://machinename:443.

If necessary, accept the certificate in the browser to continue with SSL connection to

the IIS Web Server.


Contact Us

Web site https://www.entrust.com

Support https://nshieldsupport.entrust.com

Email Support [email protected]

Online documentation: Available from the Support site listed

above.

You can also contact our Support teams by telephone, using the following numbers:

Europe, Middle East, and Africa

United Kingdom: +44 1223 622444

One Station Square

Cambridge, UK CB1 2GA

Americas

Toll Free: +1 833 425 1990

Fort Lauderdale: +1 954 953 5229

Sawgrass Commerce Center – A

Suite 130

13800 NW 14 Street

Sunrise, FL 33323 USA

Asia Pacific

Australia: +61 8 9126 9070

World Trade Centre Northbank Wharf

Siddeley St

Melbourne VIC 3005 Australia

Japan: +81 50 3196 4994

Hong Kong: +852 3008 3188

31/F, Hysan Place,

500 Hennessy Road,

Causeway Bay


ABOUT ENTRUST CORPORATION

Entrust keeps the world moving safely by enabling trusted identities, payments, and data protection. Today more than ever, people demand seamless, secure experiences, whether they're crossing borders, making a purchase, accessing e-government services, or logging into corporate networks. Entrust offers an unmatched breadth of digital security and credential issuance solutions at the very heart of all these interactions. With more than 2,500 colleagues, a network of global partners, and customers in over 150 countries, it's no wonder the world's most entrusted organizations trust us.

To get help with Entrust nShield HSMs

[email protected]

nshieldsupport.entrust.com

