nShield Microsoft IIS Windows Server 2008 - Thales e-Security

Page 1: nShield Microsoft IIS Windows Server 2008 - Thales e-Security

Integration Guide: Microsoft Internet Information Services (IIS) 7.5 on Windows Server 2008 R2


Thales nCipher modules

Integration Guide: Microsoft Internet Information Services (IIS) 7.5 2

Version: 1.0

Date: 12 October 2010

Copyright 2010 Thales nCipher Corporation Ltd. All rights reserved.

These installation instructions are intended to provide step-by-step instructions for installing Thales nCipher software with third-party software. These instructions do not cover all situations and are intended as a supplement to the Thales nCipher documentation provided with Thales nCipher products.

Disclaimer: Thales nCipher Corporation Ltd disclaims all liabilities regarding third-party products and only provides warranties and liabilities with its own products as addressed in the Terms and Conditions for Sale. Thales nCipher is a registered trademark of Thales nCipher Corporation Limited. Any other trademarks referenced in this document are the property of the respective trademark owners.


Contents

1. Introduction 4

2. Supported Thales nCipher functionality 5

3. Requirements 5

4. Procedures 5

5. Install the Thales nCipher HSM 6

6. Installing the HSM Support Software and Creating the Security World 6

7. Install IIS 7.5 6

8. Create a certificate request 6

8.1. Preliminary steps 6

8.2. Creating the certificate request 7

9. Install the Certificate 7

9.1. Making the certificate available for use in IIS 8

9.2. Binding the certificate with a secure IIS Web Server 8

10. Key Migration 8

10.1. Certificate Migration from IIS 6.0 to IIS 7.5 8

11. Integrating an HSM with an Existing IIS 7.5 Deployment 11

11.1. Exporting the software-protected certificate 11

11.2. Importing a Microsoft CAPI key into the nCipher Security World Key Storage Provider 12

11.3. Importing a certificate into certificate store 12

12. Addresses 14


1. Introduction

This guide explains how to integrate a Thales nCipher Hardware Security Module (nShield Solo, netHSM or nShield Connect) with Microsoft Internet Information Services (IIS) 7.5. It assumes that you have read the appropriate Quick Start Guide and are familiar with the IIS 7.5 documentation and setup process.

The Thales nCipher module integrates with Microsoft IIS 7.5 to provide full key life-cycle management with FIPS-certified hardware and to reduce the cryptographic load on the host server CPU.

Integration of a Thales nCipher module with IIS 7.5 provides the following benefits:

• Uses hardware validated to the FIPS 140-2 standards.

• Improves server performance by offloading cryptographic processing.

• Enables secure storage of the IIS keys.

• Enables management of the full life cycle of the keys.

• Provides fail-over support where multiple HSMs are available.

The following integrations have been validated:

Operating System                    nCipher Version   IIS Version   nShield Solo Support   netHSM Support   nShield Connect Support
Windows Server 2008 R2 Enterprise   11.40             7.5           Yes                    Yes              Yes
Windows Server 2008 R2 Enterprise   11.30             7.5           Yes                    Yes              Yes

Note Throughout this guide, the term HSM refers to nShield Solo PCI modules, netHSM units and nShield Connect units.


2. Supported Thales nCipher functionality

• Soft Cards

• Key Management

• Strict FIPS Support

• Key Recovery

• Module Only Key

• K of N Card Set

• Load Balancing

• Key Import

• Fail Over

3. Requirements

Before attempting to install the software, we recommend that you consider the following aspects of HSM administration. We also recommend that there be an agreed organizational Certificate Practices Statement and Security Policy/Procedure in place covering administration of the HSM. In particular, these documents should specify the following aspects of HSM administration:

• The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and the policy for managing these cards.

• Whether the application keys are protected by the module or an Operator Card Set (OCS).

• Whether the security world should be compliant with FIPS 140-2 level 3.

• Key attributes such as the key size, persistence, and time-out.

• Whether there is any need for auditing key usage.

For more information, refer to the User Guide for the HSM.

4. Procedures

To integrate a Thales nCipher HSM with IIS 7.5, you will need to perform the following procedures:

1. Install the Thales nCipher HSM

2. Installing the HSM Support Software and Creating the Security World

3. Install IIS 7.5

4. Create a certificate request

5. Install the certificate

The integration guide also covers the following scenarios:

• Key migration

• Integrating an HSM with an existing IIS 7.5 deployment


5. Install the Thales nCipher HSM

Install the HSM using the instructions in the Hardware Installation Guide for the HSM. We recommend that you install the HSM before installing Thales nCipher software.

6. Installing the HSM Support Software and Creating the Security World

To install the HSM support software and create the security world:

1. Install the latest version of the Thales nCipher support software as described in the User Guide for the HSM.

2. Initialize a security world as described in the User Guide for the HSM using the CNG configuration wizard.

Note If you are using an OCS, to adhere to IIS requirements it must be a 1-of-N with no pass phrase, where N is the number of cards in the set.

7. Install IIS 7.5

To install IIS 7.5:

1. Open Server Manager: Start > Administrative Tools > Server Manager > Add Roles > WebServer.

2. Select the Default (or desired) components from within the wizard and proceed with installation.

8. Create a certificate request

Complete the following steps to create a certificate request.

8.1. Preliminary steps

1. To make sure the nCipher Primitive Provider and nCipher Security World Key Storage Provider are listed, run the command cnglist.exe --list-providers.

Note IIS Manager does not support the creation of certificates protected by CNG Keys and these need to be created using the Microsoft command line utilities.

Note Your request.inf file does not have to contain exactly the code given in the following step. These are examples, not definitive models.


2. Generate a certificate request.

To generate a request for an SSL certificate linked to a 2K RSA key, create a file called request.inf with the following information:

[Version]
Signature= "$Windows NT$"

[NewRequest]
Subject = "C=GB,CN=myhostname.com"
HashAlgorithm = SHA256
KeyAlgorithm = RSA
KeyLength = 2048
ProviderName = "nCipher Security World Key Storage Provider"
KeyUsage = 0xf0
MachineKeySet = True

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1

3. Specify the subject details of the Domain Controller which is issuing the certificate.

4. Specify the key algorithm and key length as required (e.g. RSA).

5. Specify the Provider name as “nCipher Security World Key Storage Provider”.

6. Save the above content in the file request.inf.

8.2. Creating the certificate request

To create the certificate request for the Certification Authority, execute the command:

certreq.exe -new request.inf request.req

This creates a certificate request file request.req that can be sent to a Certificate Authority.
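A request.inf that certreq accepts is not necessarily one that produces an HSM-protected key: if ProviderName names a software provider, the private key silently lands in software. The following checker, an added example that is not part of the guide, parses a request.inf and reports deviations from the settings shown above; the accepted values (provider name, 2048-bit minimum, SHA256, the server-authentication EKU OID) are this example's own assumptions, and the weakened variant is constructed for illustration.

```python
import configparser

# Expected settings for an HSM-protected IIS server key, taken from the
# request.inf in section 8.1; these constants are this example's own choice.
REQUIRED_PROVIDER = "nCipher Security World Key Storage Provider"
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
MIN_RSA_BITS = 2048

# Constructed sample: the guide's request.inf, verbatim.
GOOD_INF = """[Version]
Signature= "$Windows NT$"
[NewRequest]
Subject = "C=GB,CN=myhostname.com"
HashAlgorithm = SHA256
KeyAlgorithm = RSA
KeyLength = 2048
ProviderName = "nCipher Security World Key Storage Provider"
KeyUsage = 0xf0
MachineKeySet = True
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
"""

# Constructed variant that certreq would accept but that yields a software key.
WEAK_INF = (GOOD_INF
            .replace(REQUIRED_PROVIDER, "Microsoft Software Key Storage Provider")
            .replace("KeyLength = 2048", "KeyLength = 1024")
            .replace("HashAlgorithm = SHA256", "HashAlgorithm = SHA1"))


def parse_inf(text):
    """Parse certreq .inf text into {section: {key: value}}; surrounding quotes are stripped."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = str   # keep key names as written (ProviderName, not providername)
    cp.read_string(text)
    return {s: {k: v.strip().strip('"') for k, v in cp.items(s)} for s in cp.sections()}


def check_request_inf(text):
    """Return a list of problems; an empty list means the request matches the guide's settings."""
    inf = parse_inf(text)
    req = inf.get("NewRequest", {})
    problems = []
    provider = req.get("ProviderName")
    if provider != REQUIRED_PROVIDER:
        # The provider decides where the private key lives: anything other than the
        # nCipher KSP means the key is generated in software, not in the security world.
        problems.append("ProviderName is %r; key would not be HSM-protected" % provider)
    if req.get("KeyAlgorithm", "").upper() == "RSA" and int(req.get("KeyLength", "0")) < MIN_RSA_BITS:
        problems.append("KeyLength %s is below %d" % (req.get("KeyLength"), MIN_RSA_BITS))
    if req.get("HashAlgorithm", "").upper() != "SHA256":
        problems.append("HashAlgorithm is %r, expected SHA256" % req.get("HashAlgorithm"))
    if req.get("MachineKeySet", "").lower() != "true":
        problems.append("MachineKeySet must be True so IIS (a machine service) can use the key")
    eku = inf.get("EnhancedKeyUsageExtension", {}).get("OID", "")
    if SERVER_AUTH_OID not in [o.strip() for o in eku.split(",")]:
        problems.append("EnhancedKeyUsageExtension lacks server authentication OID " + SERVER_AUTH_OID)
    return problems


if __name__ == "__main__":
    for name, text in (("request.inf", GOOD_INF), ("weak.inf", WEAK_INF)):
        print(name, "->", check_request_inf(text) or "OK")
```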

9. Install the Certificate

After creating the certificate request, you obtain the certificate by using the CA web interface to send the request to the Certificate Authority.


9.1. Making the certificate available for use in IIS

To make the certificate available for use in IIS, execute the command certreq.exe -accept somecert.cer, where somecert.cer is the binary certificate exported from the CA.

9.2. Binding the certificate with a secure IIS Web Server

To bind the certificate with a secure IIS Web Server:

1. Open the IIS Manager from Start > Administrative Tools > Internet Information Services (IIS) Manager.

2. Under Sites on the left hand side of the IIS Manager Window, select the desired Web site.

3. On the right hand side of the IIS Manager, click the Bindings link.

4. In the Site Bindings window, click Add.

5. Select the protocol as https.

6. Select IP address of machine running IIS from the IP Address dropdown list.

7. Select the certificate from the drop-down list.

8. To complete the certificate binding for SSL connection, click OK.

9. Open a browser and type https://machinename:443. If necessary, accept the certificate in the browser to continue with the SSL connection to the IIS 7.5 Web Server.

10. Key Migration

The following section walks through the procedure to migrate a private key and certificate from IIS 6.0 to IIS 7.5.

10.1. Certificate Migration from IIS 6.0 to IIS 7.5

This section describes the procedure to migrate a server certificate from IIS 6.0 (Windows Server 2003 64-bit) to IIS 7.5 (Windows Server 2008 R2).

10.1.1. Exporting a certificate from IIS 6.0 (Windows Server 2003)

Prerequisites:

• The Thales nCipher software and hardware must have been installed on both servers.

• To adhere to IIS requirements, the Operator Card Set must be a 1-of-N with no password.

• IIS 6.0 server certificate is secured with a Thales nCipher HSM.

To export the certificate from IIS 6.0:

1. Open the Microsoft Management Console (Start > Select Run > Type MMC > Click OK).

2. At the initial screen, click on File > Add/Remove Snap-in and select Add.


3. Select Certificates from “Available Standalone Snap-ins” and click Add.

4. In the Certificates snap-in window, select Computer account and click Next.

5. In the Select Computer window, select Local computer, click Finish and click OK.

6. Navigate to Certificates directory (Certificates (Local Computer) > Personal > Certificates).

7. Right-click on the certificate file and select All Tasks > Export.

8. The “Welcome to the Certificate Export Wizard” window appears. Click Next.

9. In the Export Private Key window, select “No, do not export the private key”. Click Next.

10. In the Export File Format window, select Base-64 encoded X.509 (.Cer) and click Next.

11. In the File to Export window, select an absolute path and filename to save the exported certificate.

12. Click Next. The “Completing the Certificate Export Wizard” window appears. Click Finish.

10.1.2. Importing the certificate into IIS 7.5 (Windows Server 2008 R2)

To import the certificate into IIS 7.5, complete the following steps:

1. Back up the C:\Documents and Settings\All Users\Application Data\nCipher\Key Management Data\local directory on the IIS 6.0 server.

2. Back up the exported certificate file.

3. Restore the Key Management Data directory contents to C:\ProgramData\nCipher\Key Management Data\local on the Windows 2008 R2 server.

4. Switch the HSM into pre-initialization mode and clear the module.

5. Confirm the HSM is in the correct state by opening a console and running enquiry.

6. Run the CNG configuration wizard, which will detect the presence of the C:\ProgramData\nCipher\Key Management Data\local directory.

7. Ensure that “Use the existing security world” is selected and click Next.

8. In the Set Module States window, click Next.

9. In the Module Programming Options window, keep the default selection and click Next.

10. Provide the Administrator Card Set when prompted and click Next.

11. Reset the Thales nCipher module to Operational mode, change the external switch to “O”, and clear the module.

12. In the “Set Module States” window, click Next.

13. In the Key Protection Set Up window, select Operator Card Set Protection and Click Next.

14. In the nCipher CNG Providers Options window, keep the default selection and click Next.

15. In the Software Installation window, click Next.

16. Click Finish.

17. Secure the Administrator Card Set and the C:\ProgramData\nCipher\Key Management Data\local backup.

18. Identify the Security World key names of the keys in the container by running the csputils command as follows:


C:\Program Files (x86)\nCipher\nfast\bin>csputils64.exe -d -m
Detailed report for container ID #36841e1e14fd7c2d28b0ff908f1deec1a46ac36b
Filename: key_mscapi_container-36841e1e14fd7c2d28b0ff908f1deec1a46ac36b
Container name: 2c386521-b190-4c73-9ddd-1723882f10fb
Container is a machine container.
CSP DLL name: ncsp.dll
No signature key.
Filename for key exchange key is key_mscapi_c12af7bc92aa47cf4893402d24c58ab3cc605ac5
Key was generated by the CSP
Key hash: c12af7bc92aa47cf4893402d24c58ab3cc605ac5
Key is recoverable.
Key is cardset protected.
Cardset name: IIS6-IIS7
Sharing parameters: 1 of 2 shares required.
Cardset hash: b5175753a96f5c9e1e0fb2dc08300de3a0ece584
Cardset is non-persistent.
1 container and 1 key found.

19. To import an nCipher Security World key into the nCipher Security World Key Storage Provider, run the cngimport utility as shown in the following example:

C:\Program Files (x86)\nCipher\nfast\bin>cngimport.exe -i -M -k c12af7bc92aa47cf4893402d24c58ab3cc605ac5 -a mscapi Exchange_Key_Imported_From_nCipher_CAPI
Found unnamed key
Importing NFKM key.. done

20. Run cnglist64.exe with the --list-keys option to confirm that the key has been successfully imported:

C:\Program Files (x86)\nCipher\nfast\bin>cnglist64.exe --list-keys
Exchange_Key_Imported_From_nCipher_CAPI: RSA machine
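Steps 18 and 19 depend on reading the key hash out of the csputils report and on the container meeting the IIS constraints stated earlier (a machine container, and an Operator Card Set that is 1-of-N). The following script, an added example that is not part of the guide, parses a csputils -d -m report, flags those conditions before any import is attempted, and assembles the cngimport.exe argument list used in step 19; the report text is a constructed sample built from the output shown above, and the field checks are this example's own assumptions about what the migration needs.

```python
import re

# Constructed sample, modelled on the csputils64.exe -d -m report in step 18
# (the container and key hashes are the ones shown in the guide).
CSPUTILS_REPORT = """Detailed report for container ID #36841e1e14fd7c2d28b0ff908f1deec1a46ac36b
Filename: key_mscapi_container-36841e1e14fd7c2d28b0ff908f1deec1a46ac36b
Container name: 2c386521-b190-4c73-9ddd-1723882f10fb
Container is a machine container.
CSP DLL name: ncsp.dll
No signature key.
Filename for key exchange key is key_mscapi_c12af7bc92aa47cf4893402d24c58ab3cc605ac5
Key was generated by the CSP
Key hash: c12af7bc92aa47cf4893402d24c58ab3cc605ac5
Key is recoverable.
Key is cardset protected.
Cardset name: IIS6-IIS7
Sharing parameters: 1 of 2 shares required.
Cardset hash: b5175753a96f5c9e1e0fb2dc08300de3a0ece584
Cardset is non-persistent.
1 container and 1 key found.
"""


def parse_csputils_report(text):
    """One dict per container: key hashes, machine/user scope and OCS quorum (if any)."""
    containers = []
    for block in re.split(r"(?m)^Detailed report for container ID ", text)[1:]:
        info = {
            "container_id": block.split("\n", 1)[0].strip().lstrip("#"),
            "container_name": None,
            "machine": "Container is a machine container." in block,
            "key_hashes": re.findall(r"(?m)^Key hash: ([0-9a-f]{40})", block),
            "cardset": None,   # protecting OCS name; None means module-protected
            "quorum": None,    # (k, n) shares required
        }
        m = re.search(r"(?m)^Container name: (\S+)", block)
        if m:
            info["container_name"] = m.group(1)
        m = re.search(r"(?m)^Cardset name: (.+)$", block)
        if m:
            info["cardset"] = m.group(1).strip()
        m = re.search(r"Sharing parameters: (\d+) of (\d+) shares required", block)
        if m:
            info["quorum"] = (int(m.group(1)), int(m.group(2)))
        containers.append(info)
    return containers


def iis_import_problems(container):
    """Conditions under which the import may succeed but IIS could not use the key."""
    problems = []
    if not container["machine"]:
        problems.append("not a machine container; IIS needs a machine key")
    if len(container["key_hashes"]) != 1:
        problems.append("expected exactly one key, found %d" % len(container["key_hashes"]))
    if container["cardset"] is not None and container["quorum"] and container["quorum"][0] != 1:
        # Sections 6 and 10.1.1: an OCS used with IIS must be 1-of-N with no pass phrase.
        problems.append("OCS %s needs %d of %d cards; IIS requires a 1-of-N card set"
                        % (container["cardset"], *container["quorum"]))
    return problems


def cngimport_args(container, new_name):
    """Argument vector for step 19, or None if the key is not usable for IIS."""
    if iis_import_problems(container):
        return None
    return ["cngimport.exe", "-i", "-M", "-k", container["key_hashes"][0], "-a", "mscapi", new_name]


if __name__ == "__main__":
    for c in parse_csputils_report(CSPUTILS_REPORT):
        print(c["container_name"], iis_import_problems(c) or cngimport_args(c, "Exchange_Key_Imported_From_nCipher_CAPI"))
```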

10.1.3. Importing a certificate into the certificate store

1. Open the Microsoft Management Console (Start >Select Run > Type MMC> Click OK).

2. At the initial screen, click on File > Add/Remove Snap-in and select Add.

3. From Available Standalone Snap-ins, select Certificates and click Add.

4. In the Certificates snap-in window, select Computer account and click Next.

5. In the Select Computer window, select Local computer, click Finish and click OK.

6. Navigate to the Certificates directory (Certificates (Local Computer) > Personal > Certificates).

7. Right-click on the certificate folder and select All Tasks > Import.

8. The “Welcome to the Certificate Import Wizard” window appears. Click Next.

9. Navigate to the location of the certificate from the Origin Server and click Next.

10. In the Certificate Store window, select Place all certificates in the following store and click Next. The Completing the Certificate Import Wizard window appears.

11. Click Next.

12. Click OK.

13. Run the following command from the Windows command prompt:

C:\Program Files (x86)\nCipher\nfast\bin>certutil -f -csp "nCipher Security World Key Storage Provider" -repairstore my "<serial number of certificate>"

14. Open the IIS Manager from Start > Program > Administrative Tools > Internet Information Services (IIS) Manager.

15. Under Sites on the left hand side of the IIS Manager Window, select the desired Web site.

16. On the right hand side of the IIS Manager, click the Bindings link.

17. In the Site Bindings window, click Add.

18. Select the protocol https.

19. Select the certificate from the drop-down list.

20. To complete the certificate binding for SSL connection, click OK.

21. Open a browser and type https://machinename:443. If necessary, accept the certificate in the browser to continue with the SSL connection to the IIS 7.5 Web Server.

11. Integrating an HSM with an Existing IIS 7.5 Deployment

This section describes how to upgrade an existing IIS 7.5 server installation to use a Thales nCipher module to protect the private key. It is assumed that the existing certificate must continue to be used by the server after the Thales nCipher module is installed.

Prerequisites:

• An IIS 7.5 setup with a software-protected certificate and private key.

• Thales nCipher software installed, and a Security World created using the CNG configuration wizard.

11.1. Exporting the software-protected certificate

Complete the following procedure to export the software-protected certificate.

1. Open the Microsoft Management Console (Start >Select Run > Type MMC > Click OK).

2. At the initial screen, click on File > Add/Remove Snap-in and select Add.

3. Select Certificates from “Available Standalone Snap-ins” and click Add.

4. In the Certificates snap-in window, select Computer account and click Next.


5. In the Select Computer window, select Local computer, click Finish and click OK.

6. Navigate to Certificates directory (Certificates (Local Computer) >Personal > Certificates).

7. Right-click on the certificate file and select All Tasks > Export.

8. The “Welcome to the Certificate Export Wizard” window appears. Click Next.

9. In the Export Private Key window, select “No, do not export the private key”. Click Next.

10. In the Export File Format window, select Base-64 encoded X.509 (.Cer) and click Next.

11. In the File to Export window, select an absolute path and filename to save the exported certificate. Click Next. The “Completing the Certificate Export Wizard” window appears.

12. Click Finish.

13. After exporting the certificate, delete it from the certificate store.

11.2. Importing a Microsoft CAPI key into the nCipher Security World Key Storage Provider

To import a Microsoft CAPI key into the nCipher Security World Key Storage Provider:

1. Navigate to the C:\Program Files (x86)\nCipher\nfast\bin folder and run the cngimport.exe command as follows:

C:\Program Files (x86)\nCipher\nfast\bin\cngimport -m -M -k "MS CAPI key name" "Any name for imported key"

Note The Microsoft CAPI key name can be found in the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys folder.

For example:

C:\Program Files (x86)\nCipher\nfast\bin\cngimport -m -M -k "48753e97af44aee2f5fe8b6f9d82e29f_b4c2885b-321a-42b9-9122-81d377654436" "KeyImport"

2. To check the success of the import, list the keys present in the nCipher Security World Key Storage Provider:

C:\Program Files (x86)\nCipher\nfast\bin\cnglist64.exe --list-keys
KeyImport : RSA machine

11.3. Importing a certificate into the certificate store

To import the certificate into the certificate store:

1. Open the Microsoft Management Console (Start >Select Run > Type MMC > Click OK).

2. At the initial screen, click on File > Add/Remove Snap-in and select Add.

3. From the Available Standalone Snap-ins, select Certificates and click Add.


4. In the Certificates snap-in window, select Computer account and click Next.

5. In the Select Computer window, select Local computer, click Finish and click OK.

6. Navigate to the Certificates directory (Certificates (Local Computer) > Personal > Certificates). Right-click on the certificate folder and select All Tasks > Import.

7. The “Welcome to the Certificate Import Wizard” window appears. Click Next.

8. Navigate to the location of the certificate from the Origin Server and click Next.

9. In the Certificate Store window, select Place all certificates in the following store and click Next. The Completing the Certificate Import Wizard window appears.

10. Click Next.

11. Click OK.

12. Run the following command from the Windows command prompt:

C:\Program Files (x86)\nCipher\nfast\bin>certutil -f -csp "nCipher Security World Key Storage Provider" -repairstore my "<serial number of certificate>"

13. Open the IIS Manager from Start > Administrative Tools > Internet Information Services (IIS) Manager.

14. Under Sites on the left hand side of the IIS Manager Window, select the desired Web site.

15. On the right hand side of the IIS Manager, click the Bindings link.

16. In the Site Bindings window, click Add.

17. Select the protocol https.

18. Select the certificate from the drop-down list.

19. To complete the certificate binding for SSL connection, click OK.

20. Open a browser and type https://machinename:443. If necessary, accept the certificate in the browser to continue with the SSL connection to the IIS 7.5 Web Server.


12. Addresses

Americas

2200 North Commerce Parkway Suite 200 Weston Florida 33326 USA

Tel: +1 888 744 4976 or + 1 954 888 6200


Asia Pacific

Units 2205-06 22/F Vicwood Plaza 199 Des Voeux Road Central Hong Kong PRC

Tel: + 852 2815 8633


Australia

103-105 Northbourne Avenue Turner ACT 2601 Australia

Tel: +61 2 6120 5148


Europe, Middle East, Africa

Meadow View House Long Crendon Aylesbury Buckinghamshire HP18 9EQ UK

Tel: + 44 (0)1844 201800


Internet addresses

Web site: www.thalesgroup.com/iss

Support: http://iss.thalesgroup.com/en/Support.aspx

Online documentation: http://iss.thalesgroup.com/Resources.aspx

International sales offices: http://iss.thalesgroup.com/en/Company/Contact%20Us.aspx

