Microsoft IIS: nShield® HSM Integration Guide
Version: 2.5
Copyright © 2019-2021 nCipher Security Limited. All rights reserved.

Copyright in this document is the property of nCipher Security Limited. It is not to be reproduced, modified, adapted, published, translated in any material form (including storage in any medium by electronic means whether or not transiently or incidentally) in whole or in part nor disclosed to any third party without the prior written permission of nCipher Security Limited, neither shall it be used otherwise than for the purpose for which it is supplied.

Words and logos marked with ® or ™ are trademarks of nCipher Security Limited or its affiliates in the EU and other countries.

Docker and the Docker logo are trademarks or registered trademarks of Docker, Inc. in the United States and/or other countries.

Information in this document is subject to change without notice.

nCipher Security Limited makes no warranty of any kind with regard to this information, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. nCipher Security Limited shall not be liable for errors contained herein or for incidental or consequential damages concerned with the furnishing, performance or use of this material.

Where translations have been made in this document English is the canonical language.

nCipher Security Limited
Cambridge, UK CB1 2GA

Entrust, Datacard, and the Hexagon Logo are trademarks, registered trademarks, and/or service marks of Entrust Corporation in the U.S. and/or other countries. All other brand or product names are the property of their respective owners. Because we are continuously improving our products and services, Entrust Corporation reserves the right to change specifications without prior notice. Entrust is an equal opportunity employer.
2 of 27 Microsoft IIS nShield® HSM Integration Guide
Contents

1. Introduction
1.1. Product configuration
1.1.1. Supported nShield features
1.1.2. Supported nShield hardware and software versions
1.2. Requirements
2. Procedures
2.1. Install the nShield HSM
2.2. Install the Security World Software and configure the Security World
2.3. Install IIS
2.4. Install and register the CNG provider
2.5. Create a certificate request
2.6. Get the signed certificate
2.7. Install the certificate
2.8. Integrate an nShield HSM with an existing IIS deployment
Contact Us
1. Introduction

Microsoft Internet Information Services (IIS) for Windows Server is a Web server application. nShield Hardware Security Modules (HSMs) integrate with IIS 10.0 to provide full key life-cycle management with FIPS-certified hardware and to reduce the cryptographic load on the host server CPU. Integration of the nShield HSM with IIS 10.0 provides the following benefits:

• Improves server performance by offloading cryptographic processing
• Enables secure storage of the IIS keys
• Enables management of the full life cycle of the keys
1.1. Product configuration

We have successfully tested the nShield HSM integration with IIS in the following configuration:

Product   Version
IIS       10.0
1.1.1. Supported nShield features

We have successfully tested nShield HSM integration with the following features:

Feature     Support
Softcards   No
1.1.2. Supported nShield hardware and software versions

We have successfully tested with the following nShield hardware and software versions:

1.1.2.1. Connect XC

Security World Software   Firmware   Image
12.60.11                  12.50.11   12.60.10
12.60.11                  12.50.8    12.60.10
1.2. Requirements

Before installing the software, we recommend that you familiarize yourself with the IIS documentation and setup process, and that you have the nShield documentation available. We also recommend that there is an agreed organizational Certificate Practices Statement and a Security Policy/Procedure in place covering administration of the HSM. In particular, these documents should specify the following aspects of HSM administration:

• The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and the policy for managing these cards
• Whether the application keys are protected by the HSM module key or by an Operator Card Set (OCS)
• Whether the Security World should be compliant with FIPS 140-2 level 3
• Key attributes such as the key algorithm, key length and key usage.

For more information, see the User Guide for the HSM.
2. Procedures

Integration procedures include:

• Installing the nShield HSM.
• Installing the Security World Software, and configuring the Security World.
• Installing IIS.
• Installing and registering the CNG provider.
• Creating a certificate request.
• Getting the signed certificate.
• Installing the certificate.
• Integrating an nShield HSM with an existing IIS deployment.
2.1. Install the nShield HSM

Install the HSM and Security World software using the instructions in the Installation Guide for the HSM. We recommend that you do this before installing and configuring IIS.
2.2. Install the Security World Software and configure the Security World

1. Install the latest version of the Security World Software as described in the User Guide for the HSM.
2. Initialize a Security World as described in the User Guide for the HSM.

You can also use the CNG Configuration Wizard to create a Security World. If you are using an OCS, to adhere to IIS requirements it must be a 1-of-N set with no passphrase, where N is the number of cards in the set: IIS loads the key from a non-interactive service context and cannot answer a card or passphrase prompt, so a single inserted card must be enough to load the key on its own.
2.3. Install IIS

1. Open Server Manager by selecting Start > Server Manager.
2. Select Manage and then select Add Roles and Features.
3. On the Before you begin screen, select Next.
4. On the Select installation type screen, ensure the default selection of Role or Feature Based Installation is selected and select Next.
5. On the Server Selection screen, select a server from the server pool and select Next.
6. On the Select server roles screen, select the Web Server (IIS) role and select Next.
7. When prompted to install Remote Server Administration Tools, select Add Features and select Next.
8. On the Select features screen, keep the default selection and select Next.
9. On the Web Server Role (IIS) screen, select Next.
10. On the Select Role Services screen, select Next.
11. On the confirmation screen, select Install.
12. Once the installation completes, select Close.
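The same result from a PowerShell prompt, as an added example that is not part of the Entrust guide: it installs the Web Server (IIS) role with its management tools and then reads back the installed IIS version, since the guide was tested against IIS 10.0 only. Run as Administrator on Windows Server.

```powershell
# Added example (not from the guide): scripted equivalent of the Server Manager
# steps in 2.3, plus a version check. Run as Administrator.
Import-Module ServerManager

$result = Install-WindowsFeature -Name Web-Server -IncludeManagementTools
if (-not $result.Success) {
    throw "IIS installation failed (exit code $($result.ExitCode))"
}
if ($result.RestartNeeded -ne 'No') {
    Write-Warning "IIS installed, but a restart is needed: $($result.RestartNeeded)"
}

# IIS setup records its version under HKLM\SOFTWARE\Microsoft\InetStp.
$iis = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\InetStp'
"Installed IIS $($iis.MajorVersion).$($iis.MinorVersion)"
if ($iis.MajorVersion -ne 10) {
    Write-Warning 'This guide was tested with IIS 10.0 only'
}
```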
2.4. Install and register the CNG provider

1. Open a command window as administrator and run the following to put the HSM in pre-initialization mode. This operation takes about a minute to complete.

    >enquiry -m 1
    Module #1:
     enquiry reply flags  none
     enquiry reply level  Six
     serial number        BD10-03E0-D947
     mode                 operational
     ...

    >nopclearfail -I -m 1
    Module 1, command ClearUnitEx: OK

    >enquiry -m 1
    Module #1:
     enquiry reply flags  none
     enquiry reply level  Six
     serial number        BD10-03E0-D947
     mode                 pre-initialization
     ...
2. Select the Start button to access all applications. Look for the recently installed nShield utilities.
3. Double-click the CNG configuration wizard and run it as Administrator.
4. Select Next on the CNG Install welcome screen.
5. Select Next on the Enable HSM Pool Mode screen. Leave the Enable HSM Pool Mode for CNG Providers check box unchecked.
6. At the Security World screen, select:

   Use the existing security world if you already have a Security World that you intend to use for IIS. The corresponding world and module_xxxx-xxxx-xxxx files must be present in the %NFAST_KMDATA%\local folder. Be prepared to present the quorum of Administrator Cards.

   Create a new Security World if you do not currently have a Security World or would like to create a new Security World.

   In this integration, we used an existing Security World. For instructions on how to create and configure a new Security World, see the Installation Guide and User Guide for your HSM.

   Select Next.
7. The Set Module States pop-up shows the available HSM(s). Select the desired HSM. The state of the selected HSM should be (pre-)initialisation. Select Next.
8. At the Module Programming Options screen, clear Enable this module as a remote target and select Next. It will take about a minute before the screen changes. This option is not to be confused with the nShield Remote Administration utility.
9. Insert the first Administrator Card in the HSM, enter the passphrase and select Next. Repeat this step for the other Administrator Cards as required. Loading or creating the Security World takes about a minute.
10. Return the HSM to Operational mode. This operation takes about a minute to complete.

    >enquiry -m 1
    Module #1:
     enquiry reply flags  none
     enquiry reply level  Six
     serial number        BD10-03E0-D947
     mode                 initialization
     ...

    >nopclearfail -O -m 1
    Module 1, command ClearUnitEx: OK

    C:\Windows\system32>enquiry -m 1
    Module #1:
     enquiry reply flags  none
     enquiry reply level  Six
     serial number        BD10-03E0-D947
     mode                 operational
     ...

    The module state will change to Usable. Select Next.
11. Select the protection method.

    Due to limitations of IIS itself, any OCS protection must be a passphrase-less 1/N quorum, and softcard protection is not supported. For this reason, use only OCS or module protection.

    Operator Card Set protection

    a. Select Operator Card Set in the Key Protection Setup, then select Next.
    b. Enter the OCS name and the K of N values (K must be 1, so that any single card of the set can load the keys), select Persistent and Usable remotely, then select Next.
    c. Insert a blank Operator Card in the HSM.
    d. In Insert Next Card, enter a name for the card. Leave the Card requires a pass phrase check box unchecked, as OCS protection must be passphrase-less, then select Next.

    Module protection

    a. In Key Protection Setup, select Module protection, then select Next.
    b. Select Next and Finish.

    The nShield CNG providers are installed and the Key Storage Provider is registered.
12. Open a command window as administrator and run the following to confirm that the KSP has been successfully registered. Look for nCipher Security World Key Storage Provider.

    > cnglist.exe --list-providers
    Microsoft Key Protection Provider
    Microsoft Passport Key Storage Provider
    Microsoft Platform Crypto Provider
    Microsoft Primitive Provider
    Microsoft Smart Card Key Storage Provider
    Microsoft Software Key Storage Provider
    Microsoft SSL Protocol Provider
    Windows Client Key Protection Provider
    nCipher Primitive Provider
    nCipher Security World Key Storage Provider

13. Check that the provider is registered in the registry under:

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Cryptography\Providers\nCipherSecurityWorldKeyStorageProvider
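The checks in steps 10, 12 and 13 done in one PowerShell script, as an added example that is not part of the Entrust guide. Besides the module mode, the cnglist output and the registry key, it asks CNG itself to open the nShield KSP, which catches a registration that is present in the registry but whose provider DLL does not load. It assumes the NFAST_HOME environment variable set by the Security World install (the fallback path is the one the guide uses) and that module 1 is the HSM being configured. Run as Administrator.

```powershell
# Added example (not from the guide): verify HSM mode and nShield KSP
# registration after the CNG Configuration Wizard. Run as Administrator.
$nfastBin = if ($env:NFAST_HOME) { Join-Path $env:NFAST_HOME 'bin' }
            else { 'C:\Program Files (x86)\nCipher\nfast\bin' }   # assumed fallback
$ksp      = 'nCipher Security World Key Storage Provider'
$problems = @()

# 1. Module state: anything other than 'operational' means the wizard left the
#    HSM in (pre-)initialization mode and the KSP cannot load keys from it.
$enquiry = & (Join-Path $nfastBin 'enquiry.exe') -m 1 2>&1
$mode = 'unknown'
foreach ($line in $enquiry) {
    if ("$line" -match '^\s*mode\s+(\S+)') { $mode = $Matches[1]; break }
}
if ($mode -ne 'operational') { $problems += "module 1 is in '$mode' mode, not operational" }

# 2. cnglist must list both nCipher providers (step 12).
$providers = & (Join-Path $nfastBin 'cnglist.exe') --list-providers 2>&1
foreach ($name in @('nCipher Primitive Provider', $ksp)) {
    if (-not ("$providers" -match [regex]::Escape($name))) {
        $problems += "cnglist --list-providers does not list '$name'"
    }
}

# 3. Registry registration (step 13). CurrentControlSet is the live control set;
#    the guide shows ControlSet001, which normally points at the same set.
$regKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Providers\nCipherSecurityWorldKeyStorageProvider'
if (-not (Test-Path $regKey)) { $problems += "registry key missing: $regKey" }

# 4. Make CNG open the provider. CngKey.Exists() returns $false for an unknown
#    key name, but throws if the provider itself cannot be loaded.
try {
    $provider = [System.Security.Cryptography.CngProvider]::new($ksp)
    $opts     = [System.Security.Cryptography.CngKeyOpenOptions]::MachineKey
    [void][System.Security.Cryptography.CngKey]::Exists('no-such-key', $provider, $opts)
} catch {
    $problems += "CNG could not open '$ksp': $($_.Exception.Message)"
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'nShield CNG provider check failed'
}
"Module 1 operational; '$ksp' is registered and loadable"
```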
2.5. Create a certificate request

IIS Manager does not support the creation of certificates protected by CNG keys; these must be created with the Microsoft command-line utilities. Commands in this section are run from Windows PowerShell.

Due to limitations of IIS itself, no GUI prompts (even via the nShield Service Agent) can be displayed, so any OCS protection must be a passphrase-less 1/N quorum. For this reason, use only OCS or module protection.

Complete the following steps to create a certificate request:

1. To make sure the nCipher Primitive Provider and nCipher Security World Key Storage Provider are listed, run:

    > cnglist.exe --list-providers
    Microsoft Key Protection Provider
    Microsoft Passport Key Storage Provider
    Microsoft Platform Crypto Provider
    Microsoft Primitive Provider
    Microsoft Smart Card Key Storage Provider
    Microsoft Software Key Storage Provider
    Microsoft SSL Protocol Provider
    Windows Client Key Protection Provider
    nCipher Primitive Provider
    nCipher Security World Key Storage Provider

   If the nCipher Primitive Provider and nCipher Security World Key Storage Provider are not listed, follow the steps in the Install and register the CNG provider section.

2. Set up a template file:

   a. Generate a request for an SSL certificate linked to a 2048-bit RSA key by creating a file called request.inf with the following content:

    [Version]
    Signature = "$Windows NT$"

    [NewRequest]
    Subject = "CN=interop.com,C=US,ST=Florida,L=Sunrise,O=InteropCom,OU=WebServer"
    HashAlgorithm = SHA256
    KeyAlgorithm = RSA
    KeyLength = 2048
    ProviderName = "nCipher Security World Key Storage Provider"
    KeyUsage = 0xf0
    MachineKeySet = True

    [EnhancedKeyUsageExtension]
    OID = 1.3.6.1.5.5.7.3.1

   Your request.inf file does not have to contain exactly the content given above. This is an example, not a definitive model. KeyUsage = 0xf0 sets digitalSignature, nonRepudiation, keyEncipherment and dataEncipherment; MachineKeySet = True places the key in the machine key set rather than the user key set, which is what a service such as IIS needs; the OID 1.3.6.1.5.5.7.3.1 is Server Authentication.

   b. Specify the subject details of the web server: the CN must be the host name (or fully qualified name) that clients use to reach the site, as that is the name the CA will certify.
   c. Specify the key algorithm and key length as required, for example RSA 2048.
   d. Specify the ProviderName as nCipher Security World Key Storage Provider. This is what makes certreq generate the key inside the Security World instead of in the Microsoft Software Key Storage Provider.
   e. When you have set up the template, save it as request.inf on the C:\ drive.

3. Open a command prompt and go to the local drive, in this case C:\.

4. To create the certificate request for the Certification Authority, execute the command:

    > certreq -new request.inf IISCertRequest.csr
    CertReq: Request Created

   A certificate request called IISCertRequest.csr is generated on the C:\ drive. Send this file to a Certification Authority.
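The request procedure scripted, as an added example that is not part of the Entrust guide. It writes the guide's request.inf, runs certreq -new, and then performs the check the procedure above leaves implicit: that the key certreq created is a CNG key held by the nShield KSP and is not marked exportable. Assumptions: C:\iis-cert is an arbitrary working directory, the Subject is the guide's example (replace the CN with the web server's host name), and Exportable = False is added explicitly although it is the certreq default. Run as Administrator.

```powershell
# Added example (not from the guide): create the CSR and verify where the key
# was generated. Run as Administrator.
$work = 'C:\iis-cert'                                   # assumed working directory
$ksp  = 'nCipher Security World Key Storage Provider'
$cn   = 'interop.com'                                   # guide's example CN
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Single-quoted here-string: nothing is interpolated, so "$Windows NT$" survives.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=interop.com,C=US,ST=Florida,L=Sunrise,O=InteropCom,OU=WebServer"
HashAlgorithm = SHA256
KeyAlgorithm = RSA
KeyLength = 2048
ProviderName = "nCipher Security World Key Storage Provider"
KeyUsage = 0xf0
MachineKeySet = True
Exportable = False

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
'@
Set-Content -Path (Join-Path $work 'request.inf') -Value $inf -Encoding ASCII

Push-Location $work
try {
    & certreq.exe -new request.inf IISCertRequest.csr
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
} finally {
    Pop-Location
}

# certreq keeps a placeholder for the pending request in LocalMachine\REQUEST;
# its private-key handle reveals which provider actually generated the key.
$pending = Get-ChildItem Cert:\LocalMachine\REQUEST |
    Where-Object { $_.Subject -match "(^|,\s*)CN=$([regex]::Escape($cn))(,|$)" } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $pending) { throw "no pending request for CN=$cn in LocalMachine\REQUEST" }

$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($pending)
if ($rsa -isnot [System.Security.Cryptography.RSACng]) {
    throw "key is a $($rsa.GetType().Name), not a CNG key"
}
$provider = $rsa.Key.Provider.Provider
if ($provider -ne $ksp) { throw "key was generated by '$provider', not the nShield KSP" }
if ($rsa.Key.ExportPolicy -ne 'None') { Write-Warning "export policy is $($rsa.Key.ExportPolicy)" }
"CSR: $work\IISCertRequest.csr; key '$($rsa.Key.KeyName)' held by $provider"
```

If the provider reported is Microsoft Software Key Storage Provider, the ProviderName line in the INF did not match the registered KSP name exactly and the key is a software key: delete the pending request and start again rather than submitting the CSR.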
2.6. Get the signed certificate

1. Submit the CSR file to a CA such as VeriSign, Entrust, and so on.
2. The CA authenticates the request and returns a signed certificate or a certificate chain.
3. Save the reply from the CA in the current working directory.

In this guide the signed certificate file is IISCertRequest.cer.
2.7. Install the certificate

Make the certificate available for use in IIS and bind it to the https settings in IIS.

Commands used in this section are run from Windows PowerShell.

2.7.1. Make the certificate available for use in IIS

To make the certificate available for use in IIS, run the following command:

    > certreq -accept IISCertRequest.cer

Where IISCertRequest.cer is the certificate returned by the CA. The command installs the issued certificate in the Local Computer Personal store and links it to the pending request, so the certificate is associated with the private key that was generated in the Security World when the request was created. It does not by itself make the issuing CA trusted on the Web Server: check that the CA's root and any intermediate certificates are present in the Trusted Root Certification Authorities and Intermediate Certification Authorities stores, otherwise clients will see a trust warning.

    Installed Certificate:
      Serial Number: 67790b108e551446903d999aabeaaf5e003fb66f
      Subject: C=US, CN=Hostname
      NotBefore: 6/22/2021 1:22 PM
      NotAfter: 6/22/2022 1:22 PM
      Thumbprint: cd3135f897ab0b44dfe6f451bcd63076ed4228e8
2.7.2. Bind the certificate with a secure IIS web server

1. Go to Start > Internet Information Services (IIS) Manager.
2. Select the hostname, then double-click Server Certificates and verify that the certificate you accepted in the previous step is listed.
3. Click Default Web Site under Sites on the left-hand side of the IIS Manager screen.
4. Select the Bindings link on the right-hand side of the IIS Manager.
5. On the Site Bindings screen, select Add if the https protocol is not listed; if it is listed, select it.
6. If you are adding the binding, select the protocol https and select the certificate from the list. If you are editing the existing binding, select the certificate from the list.
7. Select OK to complete the certificate binding for SSL connections.
8. Select Close on the Site Bindings screen.
9. Restart the IIS server.
10. Open a browser and go to https://machinename:443.
11. Accept the certificate in the browser, if prompted, to continue with the SSL connection to the IIS server.
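Sections 2.7.1 and 2.7.2 scripted, as an added example that is not part of the Entrust guide. After certreq -accept it checks that the installed certificate's private key resolves to the nShield KSP, creates the https binding on port 443 of the Default Web Site, and then opens a TLS connection to the server to confirm that the certificate actually presented is the HSM-backed one (the browser step above only shows that some certificate is served). Assumptions: the path of the CA reply, the site name, and that the thumbprint is parsed from certreq's own "Installed Certificate" output. Run as Administrator with the WebAdministration module available.

```powershell
# Added example (not from the guide): accept the CA reply, bind on 443, and
# verify the served certificate. Run as Administrator.
$ksp   = 'nCipher Security World Key Storage Provider'
$reply = 'C:\iis-cert\IISCertRequest.cer'     # assumed path of the CA reply
$site  = 'Default Web Site'                   # assumed site name

$out = & certreq.exe -accept $reply 2>&1
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed: $out" }
if (-not (($out -join "`n") -match 'Thumbprint:\s*([0-9a-fA-F]{40})')) {
    throw 'could not read the thumbprint from certreq output'
}
$thumb = $Matches[1].ToUpperInvariant()

# The installed certificate must resolve to a CNG key in the nShield provider.
$cert = Get-Item "Cert:\LocalMachine\My\$thumb"
$rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -isnot [System.Security.Cryptography.RSACng] -or $rsa.Key.Provider.Provider -ne $ksp) {
    throw "private key for $thumb is not held by the nShield KSP"
}

# Bind: https on 443 for the site, certificate on the 0.0.0.0:443 SSL endpoint.
Import-Module WebAdministration
if (-not (Get-WebBinding -Name $site -Protocol https -Port 443)) {
    New-WebBinding -Name $site -Protocol https -Port 443
}
if (Test-Path 'IIS:\SslBindings\0.0.0.0!443') { Remove-Item 'IIS:\SslBindings\0.0.0.0!443' }
New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null
& iisreset.exe | Out-Null                     # the guide restarts IIS here

# Handshake check: the thumbprint IIS presents must be the HSM-backed one.
# The validation callback returns $true only so the certificate can be read;
# it says nothing about whether real clients will trust the chain.
$tcp = [System.Net.Sockets.TcpClient]::new('localhost', 443)
$ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })
try {
    $ssl.AuthenticateAsClient('localhost')
    $served = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    if ($served.Thumbprint -ne $thumb) { throw "IIS served $($served.Thumbprint), expected $thumb" }
    "$site serves $($served.Subject) over $($ssl.SslProtocol); key held by $ksp"
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}
```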
2.8. Integrate an nShield HSM with an existing IIS deployment

This section describes how to upgrade an existing IIS server installation to use an nShield HSM to protect the private key. It is assumed that the existing certificate must continue to be used by the server after the integration. Prerequisites to integrate are:

• An IIS setup with a software-protected certificate and private key
• nShield Software installed and a Security World created using the CNG Configuration Wizard, or the front panel of an nShield Connect
2.8.1. Export the software-protected certificate

Complete the following procedure to export the software-protected certificate:

1. Type MMC at the command prompt and select OK. The Microsoft Management Console opens.
2. On the initial screen, select File > Add/Remove Snap-in and select Add.
3. Select Certificates from Available Standalone Snap-ins and select Add.
4. On the Certificates snap-in screen, select Computer account and select Next.
5. On the Select Computer screen, select Local computer, select Finish, then OK.
6. Navigate to the Certificates directory (Certificates (Local Computer) > Personal > Certificates).
7. Right-click the certificate and select All Tasks > Export.
8. The Welcome to the Certificate Export Wizard screen appears. Select Next.
9. On the Export Private Key screen, select No, do not export the private key and select Next. Only the certificate is needed: the private key is imported into the HSM directly from its CAPI key container in the next section, and never leaves the server in a PFX file.
10. On the Export File Format screen, select Base-64 encoded X.509 (.CER) and select Next.
11. On the File to Export screen, enter an absolute path and file name for the exported certificate and select Next.
12. Select Finish.
13. After exporting the certificate, delete the certificate from the certificate store.
2.8.2. Import a Microsoft CAPI key into the nCipher Security World Key Storage Provider

To import a Microsoft CAPI key into the nCipher Security World Key Storage Provider:

1. Navigate to the C:\Program Files (x86)\nCipher\nfast\bin folder and run cngimport.exe:

    C:\Program Files (x86)\nCipher\nfast\bin\cngimport -m -M -k "MS CAPI key" "imp_key_name"

   The Microsoft CAPI machine key container files are in the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys folder.

   Example:

    C:\Program Files (x86)\nCipher\nfast\bin\cngimport -m -M -k "48753e97af4e829f_b2885b-321a-42b9-9122-81d377654436" "Importedkeyname"

2. To check that the import succeeded, list the keys in the Security World:

    C:\Program Files (x86)\nCipher\nfast\bin\cnglist64.exe --list-key
    Importedkeyname: RSA machine
2.8.3. Import a certificate into the certificate store

1. Go to the command prompt and type MMC, then select OK to open the Microsoft Management Console.
2. On the initial screen, select File > Add/Remove Snap-in and select Add.
3. From Available Standalone Snap-ins, select Certificates and select Add.
4. On the Certificates snap-in screen, select Computer account and select Next.
5. On the Select Computer screen, select Local computer, select Finish and select OK.
6. Navigate to the Certificates directory (Certificates (Local Computer) > Personal > Certificates).
7. Right-click the Certificates folder and select All Tasks > Import.
8. The Welcome to the Certificate Import Wizard screen appears. Select Next.
9. Navigate to the location of the certificate exported from the origin server and select Next.
10. On the Certificate Store screen, select Place all certificates in the following store.
11. Make sure that the default selection in Certificate Store is Personal, then select Next.
12. The Completing the Certificate Import Wizard screen appears. Select Finish, then select OK.
13. Run the following command from a command prompt, replacing <serial number of certificate> with the serial number of the certificate you just imported:

    C:\Program Files (x86)\nCipher\nfast\bin>certutil -f -csp "nCipher Security World Key Storage Provider" -repairstore my <serial number of certificate>

   This re-links the certificate in the Personal store to its private key, which is now held in the nShield KSP; certutil matches the certificate to the imported key by public key.
14. Open the IIS Manager from Start > Internet Information Services (IIS) Manager.
15. Under Sites on the left-hand side of the IIS Manager screen, select the required web site.
16. On the right-hand side of the IIS Manager screen, select Bindings.
17. On the Site Bindings screen, select Add.
18. Select the protocol https.
19. Select the certificate from the drop-down list.
20. To complete the certificate binding for SSL connections, select OK.
21. Open a browser and go to https://machinename:443. If necessary, accept the certificate in the browser to continue with the SSL connection to the IIS Web Server.
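The migration in 2.8.1 to 2.8.3 as one PowerShell script, added here as an example that is not part of the Entrust guide, with a check after each stage and a final check that the re-linked certificate really resolves to a key in the nShield KSP. Assumptions: Windows PowerShell 5.1 run as Administrator (the CAPI key properties read below are exposed through $cert.PrivateKey there); $thumb is a placeholder for the existing certificate's thumbprint; $hsmKey and $backup are arbitrary names; the cngimport arguments follow the guide's example, which identifies the CAPI key by its file name under MachineKeys (that file name is what .NET reports as UniqueKeyContainerName); NFAST_HOME is set by the Security World install, with the guide's path as fallback.

```powershell
# Added example (not from the guide): migrate a software-protected IIS key into
# the nShield KSP and re-link the certificate. Windows PowerShell 5.1, elevated.
$thumb    = 'REPLACE-WITH-EXISTING-CERT-THUMBPRINT'     # placeholder
$ksp      = 'nCipher Security World Key Storage Provider'
$hsmKey   = 'IISMigratedKey'                           # assumed name for the imported key
$backup   = 'C:\iis-cert\existing.cer'                 # assumed export path
$nfastBin = if ($env:NFAST_HOME) { Join-Path $env:NFAST_HOME 'bin' }
            else { 'C:\Program Files (x86)\nCipher\nfast\bin' }

$cert = Get-Item "Cert:\LocalMachine\My\$thumb"
$csp  = $cert.PrivateKey   # RSACryptoServiceProvider when the key is a CAPI software key
if ($csp -isnot [System.Security.Cryptography.RSACryptoServiceProvider]) {
    throw 'the private key is not a CAPI software key, so there is nothing to migrate'
}
$container = $csp.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile   = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container

# 2.8.1: keep the certificate (public part only; the private key is never exported).
New-Item -ItemType Directory -Path (Split-Path $backup) -Force | Out-Null
[IO.File]::WriteAllBytes($backup,
    $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))

# 2.8.2: import the CAPI key into the Security World and confirm the KSP lists it.
& (Join-Path $nfastBin 'cngimport.exe') -m -M -k $container $hsmKey
if ($LASTEXITCODE -ne 0) { throw "cngimport failed with exit code $LASTEXITCODE" }
$keys = & certutil.exe -key -csp $ksp 2>&1
if (-not ("$keys" -match [regex]::Escape($hsmKey))) { throw "'$hsmKey' is not listed in $ksp" }

# 2.8.3: replace the store entry and re-link it to the HSM-held key.
Remove-Item "Cert:\LocalMachine\My\$thumb"
Import-Certificate -FilePath $backup -CertStoreLocation Cert:\LocalMachine\My | Out-Null
& certutil.exe -f -csp $ksp -repairstore my $thumb
if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed with exit code $LASTEXITCODE" }

# Verify: the certificate must now resolve to a CNG key in the nShield KSP.
$cert = Get-Item "Cert:\LocalMachine\My\$thumb"
$rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -isnot [System.Security.Cryptography.RSACng] -or $rsa.Key.Provider.Provider -ne $ksp) {
    throw "certificate $thumb is not linked to a key in $ksp"
}
"$thumb now uses key '$($rsa.Key.KeyName)' in $ksp; rebind it in IIS and re-test https"

# The software key container is a copy of the private key outside the HSM.
# Report it so it can be removed once the HTTPS binding works with the HSM key.
if (Test-Path $keyFile) { Write-Warning "software key container still on disk: $keyFile" }
```

The final warning is the part of the migration the guide does not mention: deleting the certificate from the store does not by itself prove that the software copy of the key is gone, and until that container is removed the HSM adds no protection against an attacker who can read MachineKeys.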
Contact Us

You can also contact our Support teams by telephone, using the following numbers:

Europe, Middle East, and Africa
United Kingdom: +44 1223 622444

ABOUT ENTRUST CORPORATION

Entrust keeps the world moving safely by enabling trusted identities, payments, and data protection. Today more than ever, people demand seamless, secure experiences, whether they're crossing borders, making a purchase, accessing e-government services, or logging into corporate networks. Entrust offers an unmatched breadth of digital security and credential issuance solutions at the very heart of all these interactions. With more than 2,500 colleagues, a network of global partners, and customers in over 150 countries, it's no wonder the world's most entrusted organizations trust us.

To get help with Entrust nShield HSMs
nshieldsupport.entrust.com