16
Thales e-Security Microsoft IIS 8.0 Windows Server 2012 and Windows Server 2012 R2 www.thales-esecurity.com
Thales e-Security
Microsoft IIS 8.0Windows Server 2012 and Windows Server 2012 R2
www. t ha les-esecur it y . com
Version: 1.0
Date: 03 July 2014
Copyright 2014 Thales UK Limited. All rights reserved.
Copyright in this document is the property of Thales UK Limited. It is not to be reproduced, modified,adapted, published, translated in any material form (including storage in any medium by electronicmeans whether or not transiently or incidentally) in whole or in part nor disclosed to any third partywithout the prior written permission of Thales UK Limited neither shall it be used otherwise than for thepurpose for which it is supplied.
Words and logos marked with ® or ™ are trademarks of Thales UK Limited or its affiliates in the EUand other countries.
Information in this document is subject to change without notice.
Thales UK Limited makes no warranty of any kind with regard to this information, including, but notlimited to, the implied warranties of merchantability and fitness for a particular purpose. Thales UKLimited shall not be liable for errors contained herein or for incidental or consequential damagesconcerned with the furnishing, performance or use of this material.
Microsoft IIS 8.0 Windows Server 2012 and Windows Server 2012 R2 2
ContentsChapter 1: Introduction 4
Product configuration 4
Supported Thales functionality 4
Requirements 4
This guide 5
More information 5
Chapter 2: Procedures 6
Installing the Thales nShield HSM 6
Installing the Security World Software and configuring the security world 6
Installing IIS 8.0 6
Creating a certificate request 7
Installing the Certificate 8
Making the certificate available for use in IIS 8
Binding the certificate with a secure IIS web server 8
Migrating a certificate from IIS 7.5 to IIS 8.0 8
Exporting a certificate from IIS 7.5 (Windows Server 2008 R2) 8
Importing the Certificate into IIS 8.0 (Windows Server 2012 /Windows Server 2012 R2) 9
Importing a certificate to the certificate store 10
Integrating a Thales HSM with an existing IIS deployment 11
Exporting the software-protected certificate 11
Importing a Microsoft CAPI key into the nCipher Security World Key Storage Provider 12
Importing a certificate into the certificate store 12
Uninstalling IIS 8.0 12
Chapter 3: Troubleshooting 14
Internet addresses 15
Microsoft IIS 8.0 Windows Server 2012 and Windows Server 2012 R2 3
Chapter 1: Introduction
Chapter 1: IntroductionMicrosoft Internet Information Services (IIS) for Windows Server is a Web server application. Thalesmodule integrates with IIS 8.0 to provide full key life-cycle management with FIPS-certified hardwareand to reduce the cryptographic load on the host server CPU.
Integration of the Thales module with IIS 8.0 provides the following benefits:
l Uses hardware validated to the FIPS 140-2 standardsl Improves server performance by offloading cryptographic processingl Enables secure storage of the IIS keysl Enables management of the full life cycle of the keysl Provides fail-over support where multiple Hardware Security Modules (HSMs) are available
Note: Throughout this guide, the term HSM refers to nShield® Solo™ modules (formerly known asnShield PCI and PCIe), nShield Connect™, and nShield Edge™ products.
Product configurationWe have successfully tested the Thales HSM integration with IIS in the following configuration:
Operatingsystem
IISVersion
Thales Security WorldSoftware version
nShield Solosupport
nShieldConnectsupport
nShieldEdge™support
Windows Server2012 R2
8.0 v11.70 Yes Yes Yes
Windows Server2012 8.0 v11.61 Yes Yes Yes
Supported Thales functionalitySoft cards — Key management Yes FIPS 140-2 level 3 YesKey recovery Yes Module-only key Yes K-of-N card set —Load balancing Yes Key import Yes Fail over Yes
RequirementsBefore installing the software, we recommend that you familiarize yourself with the IIS documentationand setup process, and that you have the Thales nShield documentation available. We alsorecommend that there is an agreed organizational Certificate Practices Statement and a SecurityPolicy/Procedure in place covering administration of the HSM.
In particular, these documents should specify the following aspects of HSM administration:
l The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and thepolicy for managing these cards
Microsoft IIS 8.0 Windows Server 2012 and Windows Server 2012 R2 4
This guide
l Whether the application keys are protected by the module or an Operator Card Set (OCS) protection
l Whether the security world should be compliant with FIPS 140-2 level 3l Key attributes such as the key algorithm, key length and key usage
Note: For more information, refer to the User Guide for the HSM.
This guideThis guide describes how to integrate Thales HSM (nShield Solo, nShield Connect or nShield Edge)with Microsoft Internet Information Services (IIS) 8.0. This guide assumes that you are familiar withyour HSM documentation, and the documentation and setup process for IIS 8.0.
More informationl For more information about installing MS IIS, refer to the Microsoft documentation.l For more information about OS support, contact your Microsoft sales representative or ThalesSupport.
l For more information about contacting Thales, see Addresses at the end of this guide.l Additional documentation produced to support your Thales nShield product is in the documentdirectory of the CD-ROM or DVD-ROM for that product.
Microsoft IIS 8.0 Windows Server 2012 and Windows Server 2012 R2 5
Chapter 2: Procedures
Chapter 2: ProceduresIntegration procedures include:
l Installing the Thales nShield HSMl Installing the Security World Software, and configuring the Security Worldl Installing IIS 8.0l Creating a certificate requestl Installing the certificatel Migrating a certificate from IIS 7.5 to IIS 8.0l Integrating a Thales HSM with an existing IIS 8 deployment
This chapter describes these procedures, and the procedure for uninstalling IIS 8.0.
Installing the Thales nShield HSMInstall the HSM using the instructions in the Quick Start Guide for the HSM. We recommend that youinstall the HSM before configuring the Thales software, and before installing and configuring IIS.
Installing the Security World Software and configuring the securityworld1. Install the latest version of the Security World Software as described in the User Guide for the
HSM.2. Initialize a Security World as described in the User Guide for the HSM.
Note: You can also use the CNG Configuration Wizard to create a Security World for nShield Soloand Edge HSMs.
For nShield Connect, we recommend that you use the front panel user interface to create the SecurityWorld.
If you are using an OCS, to adhere to IIS requirements it must be a 1-of-N with no pass phrase, whereN is the number of cards in the set.
Installing IIS 8.0To install Microsoft Internet Information Services:
1. Open Server Manager by selecting Start > Server Manager.2. Select Manage and then click Add Roles and Features.3. On the Before you begin screen, click Next.4. On the Select installation type screen, ensure the default selection of Role or Feature Based
Installation is selected and click Next.5. On the Server Selection screen, select a server from the server pool and click Next.6. On the Select server roles screen, select the Web Server (IIS) Role and click Next7. When prompted to install Remote Server Administration Tools, click Add Features and click Next.
Microsoft IIS 8.0 Windows Server 2012 and Windows Server 2012 R2 6
Creating a certificate request
8. On the Select features screen, keep the default selection and click Next.9. On the Feature screen, click Next to configure the IIS Role.10. On the Web Server Role (IIS) screen, click Next.11. On the Role Service screen, click Next.12. On the confirmation screen, click Install.13. Click Close.
Creating a certificate requestComplete the following steps to create a certificate request:
1. To make sure the nCipher Primitive Provider and nCipher Security World Key Storage Providersare listed, run the command cnglist.exe --list --providers.IIS Manager does not support the creation of certificates protected by CNG Keys and these needto be created using the Microsoft command line utilities.Your request.inf file does not have to contain exactly the code given in the following step.These are examples, not definitive models.
2. Set up a template file:1. Generate a request for an SSL certificate linked to a 2K RSA key by creating a file called
test.inf with the following information:
[Version]
Signature= "$Windows NT$"
[NewRequest]
Subject = "C=GB, CN=Hostname"
HashAlgorithm = SHA256
KeyAlgorithm = RSA
KeyLength = 2048
ProviderName = "nCipher Security World Key Storage Provider"
KeyUsage = 0xf0
MachineKeySet = True
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
2. Specify the key algorithm and key length as required (e.g. RSA).3. Specify the Provider name as nCipher Security World Key Storage Provider.4. When you have set up the template successfully, save it as test.inf on the C:\ drive.
3. Open a command prompt and go to the local drive, in this case C:\. Type in the commandprompt:
C:\>certreq new test.inf test.req
4. While generating a certificate request the wizard prompts you to create a new key. Click Next.5. Select a way to protect a new key and click Finish. A certificate request called test.req is
generated and placed on the C:\ drive.6. Type the following command into the command prompt: certreq --submit --attrib
"CertificateTemplate:WebServer" test.req. A box appears asking which CA to use.
Microsoft IIS 8.0 Windows Server 2012 and Windows Server 2012 R2 7
Chapter 2: Procedures
7. Click the TESTCA entry and click OK. A file dialog appears asking you to save the certificate to afile.
8. Type test in the File Name textbox and click OK.After a short time a message saying Certificate Successfully Generated appears on thecommand prompt and a certificate file called test.cer appears on the C:\ drive.
Installing the Certificate
Making the certificate available for use in IISTo make the certificate available for use in IIS, run the following command on Web Server:
C:\>certreq --accept test.cer
where test.cer is the binary certificate exported from the CA. Running this command makes theCA certificate trusted on the Web Server.
Binding the certificate with a secure IIS web server1. Go to Start > Internet Information Service Manager.2. Select the hostname, then double-click Server Certificates.3. Click Complete Certificate Request on the right-hand side of the IIS Manager screen.4. Browse to the path of the certificate file of the format .cer and give the friendly name for the
certificate.5. Click OK to complete the certificate request to the IIS Manager.6. Click Default website under Sites on the left-hand side of the IIS Manager screen.7. Click Bindings link on the right-hand side of the IIS Manager.8. On the Site Bindings screen, click Add.9. Select the protocol as HTTPS and select the certificates from the dropdown list.10. Click OK to complete the certificate binding for SSL connection.11. Click Close on the Site Bindings screen.12. Restart the IIS server.13. Open the browser and type https://machinename:443. Accept the certificate on the browser to
continue with SSL connection with IIS server.
Migrating a certificate from IIS 7.5 to IIS 8.0This section describes the procedure to migrate a server certificate from IIS 7.5 (Windows Server2008 R2) to IIS 8.0 (Windows Server 2012 /Windows Server 2012 R2).
Exporting a certificate from IIS 7.5 (Windows Server 2008 R2)Prerequisites for export are:
l The Thales software and hardware must already be installed on both servers.l The Operator Card Set must be a 1-of-N with no passphrase, if an OCS is used, to adhere to IIS
Microsoft IIS 8.0 Windows Server 2012 and Windows Server 2012 R2 8
Importing the Certificate into IIS 8.0 (Windows Server 2012 /Windows Server 2012 R2)
requirements.l IIS 7.5 server certificate is secured with a Thales HSM.
To export the certificate from IIS 7.5:
1. Open the Microsoft Management Console. Go to Run (press Windows key+R) and type MMC, thenClick OK.
2. On the initial screen, click File > Add/Remove Snap-in and click Add.3. Select Certificates from Available Standalone Snap-ins and click Add.4. On the Certificates snap-in screen, select Computer account and click Next.5. On the Select Computer screen, select Local computer, click Finish then OK.6. Navigate to Certificates directory, Certificates (Local Computer) > Personal > Certificates.7. Right-click the appropriate certificate and select All Tasks > Export.8. The Welcome to the Certificate Export Wizard screen appears. Click Next.9. On the Export Private Key screen, select No, do not export the private key. Click Next.10. On the Export File Format screen, select Base-64 encoded X.509 (.Cer) and click Next.11. On the File to Export screen, select an absolute path and filename to save the exported
certificate.12. Click Next. The Completing the Certificate Export Wizard screen appears. Click Finish.
Importing the Certificate into IIS 8.0 (Windows Server 2012 / WindowsServer 2012 R2)To import the certificate to IIS 8.0:
1. Back up the C:\ProgramData\nCipher\Key Management Data\local on the IIS 7.5 server.2. Back up the exported certificate file.3. Restore the Key Management Data directory contents to C:\ProgramData\nCipher\KeyManagement
Data\local on the Windows 2012 or Windows 2012 R2 server.4. Switch the HSM into pre-initialization mode and clear the module.5. Confirm that the HSM is in the correct state by opening a console and running enquiry.6. Run the CNG configuration wizard, which detects the presence of the
C:\ProgramData\nCipher\Key Management Data\local directory.7. Ensure that Use the existing security world is selected and click Next.8. Assuming that your module is not already part of the Security World, on the Set Module States
screen, click Next.9. On the Module Programming Options screen, keep the default selection and click Next.10. Provide the Administrator Card Set when prompted and click Next.11. Switch the HSM into operational mode and clear the module.12. On the Set Module States screen, click Next.13. On the Key Protection set up screen, if you want to use an OCS select Operator Card Set
Protection. Otherwise, choose Module Only Protection and click Next.14. On the nCipher CNG Providers Options screen, keep the default selection and click Next.15. On the Software Installation screen, click Next.16. Click Finish.17. Secure the Administrator Card Set and a C:\ProgramData\nCipher\Key Management Data\local
backup.Note: Execute the following steps only if you have used the CSP Install Wizard to Create
Security World, and run the CSP Installation Wizard to run this utility.
Microsoft IIS 8.0 Windows Server 2012 and Windows Server 2012 R2 9
Chapter 2: Procedures
18. Identify the CSP key from the CSP key containers by running the csputils command:
C:\Program Files (x86)\nCipher\nfast\bin>csputils64.exe -d -m
Sample output is:
Detailed report for container ID
#36841e1e14fd7c2d28b0ff908f1deec1a46ac36b
Filename: key_mscapi_container-
36841e1e14fd7c2d28b0ff908f1deec1a46ac36b
Container name: 2c386521-b190-4c73-9ddd-1723882f10fb
Container is a machine container.
CSP DLL name: ncsp.dll
No signature key.
Filename for key exchange key is
key_mscapi_c12af7bc92aa47cf4893402d24c58ab3cc605ac5
Key was generated by the CSP
Key hash: c12af7bc92aa47cf4893402d24c58ab3cc605ac5
Key is recoverable.
Key is cardset protected.
Cardset name: IIS6-IIS7
Sharing parameters: 1 of 2 shares required.
Cardset hash: b5175753a96f5c9e1e0fb2dc08300de3a0ece584
Cardset is non-persistent.
1 container and 1 key found.
19. Import a Security World key into the nCipher Security World Key Storage Provider. Run thecngimport utility as follows:
C:\Program Files (x86)\nCipher\nfast\bin>cngimport.exe -i -M -k
c12af7bc92aa47cf4893402d24c58ab3cc605ac5 -a mscapi
Exchange_Key_Imported_From_nCipher_CAPI
Found unnamed key
Importing NFKM key... done
20. Run cnglist64.exe --list-keys to confirm that the key has been successfully imported:
C:\Program Files (x86)\nCipher\nfast\bin>cnglist64.exe --list-keys
Exchange_Key_Imported_From_nCipher_CAPI: RSA machine
Importing a certificate to the certificate storeTo import a certificate to the certificate store:
1. Go to command prompt and type MMC, then click OK to open the Microsoft Management Console.2. On the initial screen, click File > Add/Remove Snap-in and click Add.3. From Available Standalone Snap-ins, select Certificates and click Add.4. On the Certificates snap-in screen, select Computer account and click Next.
Microsoft IIS 8.0 Windows Server 2012 and Windows Server 2012 R2 10
Integrating a Thales HSM with an existing IIS deployment
5. On the Select Computer screen, select Local computer, click Finish and click OK.6. Navigate to Certificates directory (Certificates (Local Computer) > Personal > Certificates).7. Right-click the certificate folder and select All Tasks > Import.8. The Welcome to the Certificate Import Wizard screen appears. Click Next.9. Navigate to the location of the certificate from the Origin Server and click Next.10. On the Certificate Store screen, select Place all certificates in the following store and make
sure that the default selection inCertificate Store is Personal and click Next. The Completing theCertificate Import Wizard screen appears. Click Next, then click OK.
11. Run the following command from the Windows terminal:
C:\Program Files (x86)\nCipher\nfast\bin>certutil -f -csp "nCipher Security World Key
Storage Provider" -repairstore my <serial number of certificate>
12. Open the IIS Manager from Start > Internet Information Services (IIS) Manager.13. Under Sites on the left-hand side of the IIS Manager screen, select the required web site.14. On the right-hand side of the IIS Manager screen, click Bindings.15. On the Site Bindings screen, click Add.16. Select the protocol HTTPS.17. Select the certificate from the drop-down list.18. To complete the certificate binding for SSL connection, click OK.19. Open a browser and type https://machinename:443. If necessary, accept the certificate in the
browser to continue with SSL connection to the IIS7.5 Web Server.
Integrating a Thales HSM with an existing IIS deploymentThis section describes how to upgrade an existing IIS server installation to use a Thales module toprotect the private key. It is assumed that the existing certificate must continue to be used by theserver after the Thales module is installed.
Prerequisites to integrate are:
l An IIS 8.0 setup with software-protected certificate and private keyl Thales Software installed and a Security World created using The CNG Configuration Wizard, orthe front panel of an nShield Connect
Exporting the software-protected certificateComplete the following procedure to export the software-protected certificate:
1. Type MMC at the command prompt and click OK. The Microsoft Management Console opens.2. On the initial screen, select File > Add/Remove Snap-in and click Add.3. Select Certificates from Available Standalone Snap-ins and click Add.4. On the Certificates snap-in screen, select Computer account and click Next.5. On the Select Computer screen, select Local computer, click Finish then OK.6. Navigate to Certificates directory (Certificates (Local Computer) > Personal > Certificates).7. Right-click the certificate file and select All Tasks > Export.8. The Welcome to the Certificate Export Wizard screen appears. Click Next.9. On the Export Private Key screen, select No, do not export the private key and click Next.
Microsoft IIS 8.0 Windows Server 2012 and Windows Server 2012 R2 11
Chapter 2: Procedures
10. On the Export File Format screen, select Base-64 encoded X.509 (.Cer) and click Next.11. On the File to Export screen, select an absolute path and filename to save the exported
Certificate. Click Next.The Completing the Certificate Export Wizard screen appears. Click Finish.
12. After exporting the certificate, delete the certificate from the certificate store.
Importing a Microsoft CAPI key into the nCipher Security World KeyStorage ProviderTo import a Microsoft CAPI key into the nCipher Security World Key Storage Provider:
1. Navigate to C:\Program Files (x86)\nCipher\nfast\bin folder and run the cngimport.exe
command:
C:\Program Files (x86)\nCipher\nfast\bin\cngimport -m -M -k "MS CAPI key" "imp_key_
name"
Note: Microsoft CNG key is in the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys folder.
Example:
C:\Program Files (x86)\nCipher\nfast\bin\cngimport -m -M -k "48753e97af4e829f_b2885b-
321a-42b9-9122-81d377654436" "Importedkeyname"
2. To check the success of the import, list the keys in the nCipher Security World Key StorageProvider:
C:\Program Files (x86)\nCipher\nfast\bin\cnglist64.exe --list-key
Importedkeyname: RSA machine
Importing a certificate into the certificate storeTo import certificate into the certificate store follow the steps in Importing a certificate to the certificatestore on page 10.
Uninstalling IIS 8.0To uninstall IIS 8.0:
1. Click Start->Server Manager to open Server Manager.2. Click Manage, then click Remove Roles and features.3. On the Before You Begin screen, click Next.4. In the Remove Roles and features wizard, click Next.5. On the Server selection screen, select a server from the server pool and click Next.6. On Remove Server Roles screen, deselect IIS and click Next.
Microsoft IIS 8.0 Windows Server 2012 and Windows Server 2012 R2 12
Uninstalling IIS 8.0
7. On Remove Features screen, keep the default selection and click Next.8. On the confirmation screen, click Remove, then click Close.
Microsoft IIS 8.0 Windows Server 2012 and Windows Server 2012 R2 13
Chapter 3: Troubleshooting
Chapter 3: TroubleshootingYour integration should work successfully. If it does not, contact Thales Support.
Microsoft IIS 8.0 Windows Server 2012 and Windows Server 2012 R2 14
Internet addressesWeb site: http://www.thales-esecurity.com/Support: http://www.thales-esecurity.com/support-landing-pageOnline documentation: http://www.thales-esecurity.com/knowledge-baseInternational sales offices: http://www.thales-esecurity.com/contact
Addresses and contact information for the main Thales e-Security sales offices are provided at thebottom of the following page.
Microsoft IIS 8.0 Windows Server 2012 and Windows Server 2012 R2 15
About Thales e-Security
Thales e-Security is a leading global provider of data encryption and cyber securitysolutions to the financial services, high technology manufacturing, governmentand technology sectors. With a 40-year track record of protecting corporate andgovernment information, Thales solutions are used by four of the five largestenergy and aerospace companies, 22 NATO countries, and they secure more than80 percent of worldwide payment transactions. Thales e-Security has offices inAustralia, France, Hong Kong, Norway, United Kingdom and United States.For more information, visit www.thales-esecurity.com
www. t ha les-esecur it y . com
Follow us on:
