Thales nCipher modules
Integration Guide: Microsoft Internet Information Services (IIS) 7.5
Version: 1.0
Date: 12 October 2010
Copyright 2010 Thales nCipher Corporation Ltd. All rights reserved.
These installation instructions are intended to provide step-by-step instructions for installing Thales nCipher software with third-party software. These instructions do not cover all situations and are intended as a supplement to the Thales nCipher documentation provided with Thales nCipher products.
Disclaimer: Thales nCipher Corporation Ltd disclaims all liabilities regarding third-party products and only provides warranties and liabilities with its own products as addressed in the Terms and Conditions for Sale. Thales nCipher is a registered trademark of Thales nCipher Corporation Limited. Any other trademarks referenced in this document are the property of the respective trademark owners.
Contents
1. Introduction 4
2. Supported Thales nCipher functionality 5
3. Requirements 5
4. Procedures 5
5. Install the Thales nCipher HSM 6
6. Installing the HSM Support Software and Creating the Security World 6
7. Install IIS 7.5 6
8. Create a certificate request 6
8.1. Preliminary steps 6
8.2. Creating the certificate request 7
9. Install the Certificate 7
9.1. Making the certificate available for use in IIS 8
9.2. Binding the certificate with a secure IIS Web Server 8
10. Key Migration 8
10.1. Certificate Migration from IIS 6.0 to IIS 7.5 8
11. Integrating an HSM with an Existing IIS 7.5 Deployment 11
11.1. Exporting the software-protected certificate 11
11.2. Importing a Microsoft CAPI key into the nCipher Security World Key Storage Provider 12
11.3. Importing a certificate into certificate store 12
12. Addresses 14
1. Introduction
This guide explains how to integrate a Thales nCipher Hardware Security Module (nShield Solo, netHSM
or nShield Connect) with Microsoft Internet Information Services (IIS) 7.5. It assumes that you have
read the appropriate Quick Start Guide and are familiar with the IIS 7.5 documentation and setup
process.
The Thales nCipher module integrates with Microsoft IIS 7.5 to provide full key life-cycle management
with FIPS-certified hardware and to reduce the cryptographic load on the host server CPU.
Integration of a Thales nCipher module with IIS 7.5 provides the following benefits:
• Uses hardware validated to the FIPS 140-2 standard.
• Improves server performance by offloading cryptographic processing.
• Enables secure storage of the IIS keys.
• Enables management of the full life cycle of the keys.
• Provides fail-over support where multiple HSMs are available.
The following integrations have been validated:
Operating System                     nCipher Version   IIS Version   nShield Solo Support   netHSM Support   nShield Connect Support
Windows Server 2008 R2 Enterprise    11.40             7.5           Yes                    Yes              Yes
Windows Server 2008 R2 Enterprise    11.30             7.5           Yes                    Yes              Yes
Note Throughout this guide, the term HSM refers to nShield Solo PCI modules, netHSM units and nShield Connect units.
2. Supported Thales nCipher functionality
• Soft Cards
• Key Management
• Strict FIPS Support
• Key Recovery
• Module Only Key
• K of N Card Set
• Load Balancing
• Key Import
• Fail Over
3. Requirements
Before attempting to install the software, we recommend that you consider the following aspects of
HSM administration. We also recommend that there be an agreed organizational Certificate Practices
Statement and Security Policy/Procedure in place covering administration of the HSM. In particular,
these documents should specify the following aspects of HSM administration:
• The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and the
policy for managing these cards.
• Whether the application keys are protected by the module or an Operator Card Set (OCS).
• Whether the security world should be compliant with FIPS 140-2 level 3.
• Key attributes such as the key size, persistence, and time-out.
• Whether there is any need for auditing key usage.
For more information, refer to the User Guide for the HSM.
4. Procedures
To integrate a Thales nCipher HSM with IIS 7.5, you will need to perform the following procedures:
1. Install the Thales nCipher HSM
2. Installing the HSM Support Software and Creating the Security World
3. Install IIS 7.5
4. Create a certificate request
5. Install the certificate
The integration guide also covers the following scenarios:
• Key migration
• Integrating an HSM with an existing IIS 7.5 deployment
5. Install the Thales nCipher HSM
Install the HSM using the instructions in the Hardware Installation Guide for the HSM. We
recommend that you install the HSM before installing Thales nCipher software.
6. Installing the HSM Support Software and Creating the Security World
To install the HSM support software and create the security world:
1. Install the latest version of the Thales nCipher support software as described in the User Guide for
the HSM.
2. Initialize a security world as described in the User Guide for the HSM using the CNG configuration
wizard.
Note If you are using an OCS, to adhere to IIS requirements it must be a 1-of-N with no pass phrase, where N is the number of cards in the set.
7. Install IIS 7.5
To install IIS 7.5:
1. Open Server Manager: Start > Administrative Tools > Server Manager > Add Roles > WebServer.
2. Select the Default (or desired) components from within the wizard and proceed with installation.
8. Create a certificate request
Complete the following steps to create a certificate request.
8.1. Preliminary steps
1. To make sure the nCipher Primitive Provider and nCipher Security World Key Storage
Provider are listed, run the command cnglist.exe --list-providers.
Note IIS Manager does not support the creation of certificates protected by CNG Keys and these need to be created using the Microsoft command line utilities.
Note Your request.inf file does not have to contain exactly the code given in the following step. These are examples, not definitive models.
2. Generate a certificate request.
To generate a request for an SSL certificate linked to a 2048-bit RSA key, create a file called request.inf
with the following content:
[Version]
Signature= "$Windows NT$"
[NewRequest]
Subject = "C=GB,CN=myhostname.com"
HashAlgorithm = SHA256
KeyAlgorithm = RSA
KeyLength = 2048
ProviderName = "nCipher Security World Key Storage Provider"
KeyUsage = 0xf0
MachineKeySet = True
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
3. Specify the subject details of the Domain Controller that is issuing the certificate.
4. Specify the key algorithm and key length as required (e.g. RSA).
5. Specify the Provider name as “nCipher Security World Key Storage Provider”.
6. Save the above content in the file request.inf.
8.2. Creating the certificate request
To create the certificate request for the Certification Authority, execute the command:
certreq.exe -new request.inf request.req
This creates a certificate request file, request.req, that can be sent to a Certificate Authority.
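The two steps above as one script, added here as an example and not taken from the Thales guide. It checks that the nCipher KSP is registered (cnglist.exe --list-providers, as in section 8.1), writes the request.inf shown above, runs certreq -new, and then confirms the pending request really references the nCipher provider so that a key silently created in the Microsoft software KSP is caught. Assumptions: nfast\bin is on the PATH, the host name and working directory are placeholders, and the pending-request check assumes certutil -v -store REQUEST prints the provider name for the key.

```powershell
# Added example, not code from the Thales guide. Assumes cnglist.exe (nfast\bin) is on
# the PATH; $HostName and $WorkDir are placeholders.
$ProviderName = 'nCipher Security World Key Storage Provider'
$HostName     = 'myhostname.com'   # placeholder: replace with the server's FQDN
$WorkDir      = 'C:\certreq'       # placeholder working directory

# 1. Section 8.1 step 1: the KSP must be registered before a key is requested from it.
$providers = & cnglist.exe --list-providers 2>&1
if (-not ($providers | Select-String -SimpleMatch $ProviderName)) {
    throw "Provider '$ProviderName' is not registered; re-run the CNG configuration wizard."
}

# 2. Section 8.1 step 2: write request.inf. KeyUsage 0xf0 = digitalSignature, nonRepudiation,
#    keyEncipherment, dataEncipherment; the EKU OID is serverAuth.
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "C=GB,CN=$HostName"
HashAlgorithm = SHA256
KeyAlgorithm = RSA
KeyLength = 2048
ProviderName = "$ProviderName"
KeyUsage = 0xf0
MachineKeySet = True

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
"@
$infPath = Join-Path $WorkDir 'request.inf'
$reqPath = Join-Path $WorkDir 'request.req'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# 3. Section 8.2: generate the request. certreq exits non-zero on failure.
& certreq.exe -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed (exit $LASTEXITCODE)" }
if (-not (Test-Path $reqPath)) { throw "Request file $reqPath was not produced" }

# 4. Check that the key behind the pending request was created in the HSM provider.
#    Assumption: certutil -v -store REQUEST lists the provider name for the request's key.
$pending = & certutil.exe -v -store REQUEST 2>&1
if ($pending | Select-String -SimpleMatch $ProviderName) {
    Write-Host "Request $reqPath created; its key is held by '$ProviderName'."
} else {
    Write-Warning "Pending request does not reference '$ProviderName'; inspect 'certutil -v -store REQUEST'."
}
```

The provider check at the end is the one worth keeping in any automation: if the KSP name in request.inf is misspelled, certreq can fall back to a software provider without an error, and the resulting certificate would then be bound to a key that never touched the HSM.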
9. Install the Certificate
After creating the certificate request, you obtain the certificate by using the CA web interface to send
the request to the Certificate Authority.
9.1. Making the certificate available for use in IIS
To make the certificate available for use in IIS, execute the command certreq.exe -accept
somecert.cer, where somecert.cer is the binary certificate exported from the CA.
9.2. Binding the certificate with a secure IIS Web Server
To bind the certificate with a secure IIS Web Server:
1. Open the IIS Manager from Start > Administrative Tools > Internet
Information Services (IIS) Manager.
2. Under Sites on the left hand side of the IIS Manager Window, select the desired Web site.
3. On the right hand side of the IIS Manager, click the Bindings link.
4. In the Site Bindings window, click Add.
5. Select the protocol as https.
6. Select the IP address of the machine running IIS from the IP Address drop-down list.
7. Select the certificate from the drop-down list.
8. To complete the certificate binding for SSL connection, click OK.
9. Open a browser and type https://machinename:443. If necessary, accept the certificate in the
browser to continue with the SSL connection to the IIS 7.5 Web Server.
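Sections 9.1 and 9.2 as one script, added here as an example and not taken from the Thales guide. It accepts the CA-issued certificate, confirms the store entry has a private key that certutil attributes to the nCipher KSP, creates the https binding with the WebAdministration module instead of the Site Bindings dialog, and finishes with the local HTTPS check of step 9. Assumptions: Windows Server 2008 R2 / IIS 7.5 with the WebAdministration module available, placeholder file path and site name, and that certutil -v -store my prints the key's provider name.

```powershell
# Added example, not code from the Thales guide. $CertFile and $SiteName are placeholders.
Import-Module WebAdministration

$CertFile     = 'C:\certreq\somecert.cer'   # placeholder: binary certificate from the CA
$SiteName     = 'Default Web Site'          # placeholder
$ProviderName = 'nCipher Security World Key Storage Provider'

# 1. Section 9.1: certreq -accept pairs the certificate with the pending request whose key
#    lives in the KSP and places both in LocalMachine\My.
& certreq.exe -accept $CertFile
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed (exit $LASTEXITCODE)" }

# 2. Find the store entry by the file's thumbprint. HasPrivateKey is the right test for a
#    CNG key; the older .PrivateKey property only understands CAPI keys.
$fileCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $fileCert.Thumbprint }
if (-not $cert -or -not $cert.HasPrivateKey) {
    throw "Certificate $($fileCert.Thumbprint) is not in LocalMachine\My with a linked private key"
}

# 3. Confirm the key is in the HSM provider, not a software KSP (assumption: certutil -v
#    reports the provider name for the key).
$detail = & certutil.exe -v -store my $cert.Thumbprint 2>&1
if (-not ($detail | Select-String -SimpleMatch $ProviderName)) {
    Write-Warning "Key for $($cert.Thumbprint) is not reported under '$ProviderName'"
}

# 4. Section 9.2 steps 3-8: an https binding on port 443 for all addresses, then the
#    certificate attached through the IIS:\SslBindings drive (what the drop-down does).
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*'
}
$sslPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslPath) { Remove-Item $sslPath }
$cert | New-Item $sslPath | Out-Null

# 5. Section 9.2 step 9 from the server itself. A trust error here means the issuing CA is
#    not in this machine's Trusted Root store; fix the trust rather than disabling validation.
$req = [System.Net.HttpWebRequest]::Create("https://$($env:COMPUTERNAME):443/")
$req.Method = 'HEAD'
try {
    $resp = $req.GetResponse(); $resp.Close()
    Write-Host "HTTPS binding on '$SiteName' answers with certificate $($cert.Thumbprint)"
} catch [System.Net.WebException] {
    Write-Warning "HTTPS check failed: $($_.Exception.Message)"
}
```

Step 5 deliberately does not override ServerCertificateValidationCallback: a handshake that only succeeds with validation disabled tells you the chain or the subject name is wrong, which is exactly what the browser prompt in step 9 is warning about.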
10. Key Migration
The following section walks through the procedure to migrate the private key and certificate from IIS 6.0 to
IIS 7.5.
10.1. Certificate Migration from IIS 6.0 to IIS 7.5
This section describes the procedure to migrate a server certificate from IIS 6.0 (Windows Server 2003
64-bit) to IIS 7.5 (Windows Server 2008 R2).
10.1.1. Exporting a certificate from IIS 6.0 (Windows Server 2003)
Prerequisites:
• The Thales nCipher software and hardware must have been installed on both servers.
• To adhere to IIS requirements, the Operator Card Set must be a 1-of-N with no password.
• The IIS 6.0 server certificate is secured with a Thales nCipher HSM.
To export the certificate from IIS 6.0:
1. Open the Microsoft Management Console (Start > Select Run > Type MMC > Click OK).
2. At the initial screen, click on File > Add/Remove Snap-in and select Add.
3. Select Certificates from “Available Standalone Snap-ins” and click Add.
4. In the Certificates snap-in window, select Computer account and click Next.
5. In the Select Computer window, select Local computer, click Finish and click OK.
6. Navigate to Certificates directory (Certificates (Local Computer) > Personal > Certificates).
7. Right-click on the certificate file and select All Tasks > Export.
8. The “Welcome to the Certificate Export Wizard” window appears. Click Next.
9. In the Export Private Key window, select “No, do not export the private key”. Click Next.
10. In the Export File Format window, select Base-64 encoded X.509 (.Cer) and click Next.
11. In the File to Export window, select an absolute path and filename to save the exported certificate.
12. Click Next. The “Completing the Certificate Export Wizard” window appears. Click Finish.
10.1.2. Import the Certificate into IIS 7.5 (Windows Server 2008 R2)
To import the certificate into IIS 7.5, complete the following steps:
1. Back up the C:\Documents and Settings\All Users\Application Data\nCipher\Key Management
Data\local directory on the IIS 6.0 server.
2. Back up the exported certificate file.
3. Restore the Key Management Data directory contents to C:\ProgramData\nCipher\Key
Management Data\local on the Windows 2008 R2 server.
4. Switch the HSM into pre-initialization mode and clear the module.
5. Confirm the HSM is in the correct state by opening a console and running enquiry.
6. Run the CNG configuration wizard, which will detect the presence of
the C:\ProgramData\nCipher\Key Management Data\local directory.
7. Ensure that “Use the existing security world” is selected and click Next.
8. In the Set Module States window, click Next.
9. In the Module Programming Options window, keep the default selection and click Next.
10. Provide the Administrator Card Set when prompted and click Next.
11. Reset the Thales nCipher module to Operational mode, change the external switch to “O”, and
clear the module.
12. In the “Set Module States” window, click Next.
13. In the Key Protection Set Up window, select Operator Card Set Protection and Click Next.
14. In the nCipher CNG Providers Options window, keep the default selection and click Next.
15. In the Software Installation window, click Next.
16. Click Finish.
17. Secure the Administrator Card Set and C:\ProgramData\nCipher\Key Management
Data\local backup.
18. Identify the Security World key names of the keys in the container by running the csputils
command as follows:
C:\Program Files (x86)\nCipher\nfast\bin>csputils64.exe -d -m
Detailed report for container ID #36841e1e14fd7c2d28b0ff908f1deec1a46ac36b
Filename: key_mscapi_container-36841e1e14fd7c2d28b0ff908f1deec1a46ac36b
Container name: 2c386521-b190-4c73-9ddd-1723882f10fb
Container is a machine container.
CSP DLL name: ncsp.dll
No signature key.
Filename for key exchange key is
key_mscapi_c12af7bc92aa47cf4893402d24c58ab3cc605ac5
Key was generated by the CSP
Key hash: c12af7bc92aa47cf4893402d24c58ab3cc605ac5
Key is recoverable.
Key is cardset protected.
Cardset name: IIS6-IIS7
Sharing parameters: 1 of 2 shares required.
Cardset hash: b5175753a96f5c9e1e0fb2dc08300de3a0ece584
Cardset is non-persistent.
1 container and 1 key found.
19. To import an nCipher Security World key into the nCipher Security World Key Storage Provider, run
the cngimport utility as shown in the following example:
C:\Program Files (x86)\nCipher\nfast\bin>cngimport.exe -i -M -k c12af7bc92aa47cf4893402d24c58ab3cc605ac5 -a mscapi Exchange_Key_Imported_From_nCipher_CAPI
Found unnamed key
Importing NFKM key.. done
20. Run cnglist64.exe with the --list-keys option to confirm that the key has been successfully
imported:
C:\Program Files (x86)\nCipher\nfast\bin>cnglist64.exe --list-keys
Exchange_Key_Imported_From_nCipher_CAPI: RSA machine
10.1.3. Importing a certificate into the certificate store
1. Open the Microsoft Management Console (Start > Select Run > Type MMC > Click OK).
2. At the initial screen, click on File > Add/Remove Snap-in and select Add.
3. From Available Standalone Snap-ins, select Certificates and click Add.
4. In the Certificates snap-in window, select Computer account and click Next.
5. In the Select Computer window, select Local computer, click Finish and click OK.
6. Navigate to the Certificates directory (Certificates (Local Computer) > Personal > Certificates).
7. Right-click on the certificate folder and select All Tasks > Import.
8. The “Welcome to the Certificate Import Wizard” window appears. Click Next.
9. Navigate to the location of the certificate from the Origin Server and click Next.
10. In the Certificate Store window, select Place all certificates in the following store and click
Next. The Completing the Certificate Import Wizard window appears.
11. Click Next.
12. Click OK.
13. Run the following command from the Windows command prompt:
C:\Program Files (x86)\nCipher\nfast\bin>certutil -f -csp "nCipher Security World Key Storage Provider" -repairstore my "<serial number of certificate>"
14. Open the IIS Manager from Start > Program > Administrative Tools > Internet Information
Services (IIS) Manager.
15. Under Sites on the left hand side of the IIS Manager Window, select the desired Web site.
16. On the right hand side of the IIS Manager, click the Bindings link.
17. In the Site Bindings window, click Add.
18. Select the protocol https.
19. Select the certificate from the drop-down list.
20. To complete the certificate binding for SSL connection, click OK.
21. Open a browser and type https://machinename:443. If necessary, accept the certificate in the
browser to continue with the SSL connection to the IIS 7.5 Web Server.
11. Integrating an HSM with an Existing IIS 7.5 Deployment
This section describes how to upgrade an existing IIS 7.5 server installation to use a Thales nCipher
module to protect the private key. It is assumed that the existing certificate must continue to be used by
the server after the Thales nCipher module is installed.
Prerequisites:
• An IIS 7.5 setup with a software-protected certificate and private key.
• Thales nCipher software installed and a Security World created using the CNG
configuration wizard.
11.1. Exporting the software-protected certificate
Complete the following procedure to export the software-protected certificate.
1. Open the Microsoft Management Console (Start > Select Run > Type MMC > Click OK).
2. At the initial screen, click on File > Add/Remove Snap-in and select Add.
3. Select Certificates from “Available Standalone Snap-ins” and click Add.
4. In the Certificates snap-in window, select Computer account and click Next.
5. In the Select Computer window, select Local computer, click Finish and click OK.
6. Navigate to the Certificates directory (Certificates (Local Computer) > Personal > Certificates).
7. Right-click on the certificate file and select All Tasks > Export.
8. The “Welcome to the Certificate Export Wizard” window appears. Click Next.
9. In the Export Private Key window, select “No, do not export the private key”. Click Next.
10. In the Export File Format window, select Base-64 encoded X.509 (.Cer) and click Next.
11. In the File to Export window, select an absolute path and filename to save the exported
certificate. Click Next. The “Completing the Certificate Export Wizard” window appears.
12. Click Finish.
13. After exporting the certificate, delete it from the certificate store.
11.2. Importing a Microsoft CAPI key into the nCipher Security World Key Storage Provider
To import a Microsoft CAPI key into the nCipher Security World Key Storage Provider:
1. Navigate to the C:\Program Files (x86)\nCipher\nfast\bin folder and run the cngimport.exe command as
follows:
C:\Program Files (x86)\nCipher\nfast\bin\cngimport -m -M -k "MS CAPI key name" "Any name for imported key"
Note The Microsoft CAPI key name is the name of the key container file in the
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys folder.
For example:
C:\Program Files (x86)\nCipher\nfast\bin\cngimport -m -M -k "48753e97af44aee2f5fe8b6f9d82e29f_b4c2885b-321a-42b9-9122-81d377654436" "KeyImport"
2. To check that the import succeeded, list the keys present in the nCipher Security World Key Storage
Provider:
C:\Program Files (x86)\nCipher\nfast\bin\cnglist64.exe --list-keys
KeyImport : RSA machine
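The two key-import paths in this guide, the Security World key import by hash of section 10.1.2 (steps 18 to 20) and the CAPI key migration of section 11.2, share the same verification step, so here is one script covering both, added as an example and not the Thales tools' own code. It parses the csputils64 -d -m report into key hashes instead of having them retyped, wraps the two cngimport invocations shown on the page, and checks cnglist64 --list-keys for the new name afterwards. Assumptions: the tools live in the nfast\bin path used on the page, csputils64 prints the report layout shown above, and the imported key names are placeholders. The parser is exercised offline against a sample built from the report on the page, so it runs without the tools installed.

```powershell
# Added example, not the Thales tools' own code. $NfastBin is the path used on the page.
$NfastBin = 'C:\Program Files (x86)\nCipher\nfast\bin'

# Parse "csputils64.exe -d -m" output into one object per CAPI container that holds a key.
function Get-CapiContainerKeys {
    param([string[]]$ReportLines)
    $keys = @()
    $current = $null
    foreach ($line in $ReportLines) {
        switch -Regex (([string]$line).Trim()) {
            '^Container name:\s+(\S+)' {
                $current = New-Object PSObject -Property @{
                    Container = $Matches[1]; KeyHash = $null; CardsetProtected = $false; Cardset = $null }
                $keys += $current
            }
            '^Key hash:\s+([0-9a-f]{40})' { if ($current) { $current.KeyHash = $Matches[1] } }
            '^Key is cardset protected'    { if ($current) { $current.CardsetProtected = $true } }
            '^Cardset name:\s+(.+)$'       { if ($current) { $current.Cardset = $Matches[1].Trim() } }
        }
    }
    return @($keys | Where-Object { $_.KeyHash })
}

# Section 10.1.2 step 19: import a Security World key by hash (-i) as a machine key (-M)
# from the mscapi application (-a), under a new CNG key name.
function Import-SecurityWorldKey {
    param([string]$KeyHash, [string]$NewName)
    & (Join-Path $NfastBin 'cngimport.exe') -i -M -k $KeyHash -a mscapi $NewName
    if ($LASTEXITCODE -ne 0) { throw "cngimport -i failed for $KeyHash (exit $LASTEXITCODE)" }
}

# Section 11.2: migrate a software CAPI key (-m) by its container file name, as found under
# C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys.
function Import-CapiKey {
    param([string]$CapiKeyName, [string]$NewName)
    & (Join-Path $NfastBin 'cngimport.exe') -m -M -k $CapiKeyName $NewName
    if ($LASTEXITCODE -ne 0) { throw "cngimport -m failed for $CapiKeyName (exit $LASTEXITCODE)" }
}

# Check shared by both paths (step 20 and 11.2 step 2): the new name must be listed by
# cnglist64 --list-keys as an RSA machine key.
function Test-KspKeyPresent {
    param([string]$Name)
    $listing = & (Join-Path $NfastBin 'cnglist64.exe') --list-keys 2>&1
    $pattern = '^' + [regex]::Escape($Name) + '\s*:\s*RSA machine'
    return [bool]($listing | Select-String -Pattern $pattern)
}

# Offline check of the parser against a sample constructed from the report on the page.
$sampleText = @'
Detailed report for container ID #36841e1e14fd7c2d28b0ff908f1deec1a46ac36b
Container name: 2c386521-b190-4c73-9ddd-1723882f10fb
Container is a machine container.
Key hash: c12af7bc92aa47cf4893402d24c58ab3cc605ac5
Key is cardset protected.
Cardset name: IIS6-IIS7
1 container and 1 key found.
'@
$parsed = @(Get-CapiContainerKeys ($sampleText -split "`r?`n"))
if ($parsed.Count -ne 1 -or $parsed[0].KeyHash -ne 'c12af7bc92aa47cf4893402d24c58ab3cc605ac5') {
    throw 'Parser did not recover the expected key hash from the sample report'
}

# Live run, only where the nCipher tools are installed: import every key the report lists.
if (Test-Path (Join-Path $NfastBin 'csputils64.exe')) {
    $report = & (Join-Path $NfastBin 'csputils64.exe') -d -m 2>&1
    foreach ($k in Get-CapiContainerKeys $report) {
        $name = 'Imported_' + $k.Container    # placeholder naming scheme
        Write-Host ('Container {0}: key {1}, cardset {2}' -f $k.Container, $k.KeyHash, $k.Cardset)
        Import-SecurityWorldKey -KeyHash $k.KeyHash -NewName $name
        if (-not (Test-KspKeyPresent $name)) { throw "$name is not visible in the nCipher KSP" }
    }
}
```

Import-CapiKey is not called in the live run because the CAPI container name has to be read from the MachineKeys folder by hand, as the note above says; call it as Import-CapiKey -CapiKeyName "<container file name>" -NewName "KeyImport" and follow it with the same Test-KspKeyPresent check. Keeping the cardset name in the parsed object matters for the migration case: a cardset-protected key can only be loaded once the matching Operator Card Set is present on the new server.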
11.3. Importing a certificate into certificate store
To import a certificate into the certificate store:
1. Open the Microsoft Management Console (Start > Select Run > Type MMC > Click OK).
2. At the initial screen, click on File > Add/Remove Snap-in and select Add.
3. From the Available Standalone Snap-ins, select Certificates and click Add.
4. In the Certificates snap-in window, select Computer account and click Next.
5. In the Select Computer window, select Local computer, click Finish and click OK.
6. Navigate to the Certificates directory (Certificates (Local Computer) > Personal > Certificates),
right-click on the certificate folder and select All Tasks > Import.
7. The “Welcome to the Certificate Import Wizard” window appears. Click Next.
8. Navigate to the location of the certificate from the Origin Server and click Next.
9. In the Certificate Store window, select Place all certificates in the following store and click
Next. The Completing the Certificate Import Wizard window appears.
10. Click Next.
11. Click OK.
12. Run the following command from the Windows command prompt:
C:\Program Files (x86)\nCipher\nfast\bin>certutil -f -csp "nCipher Security World Key Storage Provider" -repairstore my "<serial number of certificate>"
13. Open the IIS Manager from Start > Administrative Tools > Internet Information
Services (IIS) Manager.
14. Under Sites on the left hand side of the IIS Manager Window, select the desired Web site.
15. On the right hand side of the IIS Manager, click the Bindings link.
16. In the Site Bindings window, click Add.
17. Select the protocol https.
18. Select the certificate from the drop-down list.
19. To complete the certificate binding for SSL connection, click OK.
20. Open a browser and type https://machinename:443. If necessary, accept the certificate in the
browser to continue with the SSL connection to the IIS 7.5 Web Server.
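The certutil -repairstore step that both section 10.1.3 (step 13) and section 11.3 (step 12) perform, scripted with a check before and after so the effect of the repair is visible; this is an added example, not code from the Thales guide. It imports the exported .cer with certutil -addstore (the scripted equivalent of the MMC wizard), shows that the store entry has no private key, runs the repair against the nCipher KSP, and then confirms the key is linked and attributed to that provider. Assumptions: the .cer path is a placeholder, the key has already been imported into the nCipher KSP with cngimport (sections 10.1.2 or 11.2), and certutil -v -store my prints the provider name for the key. Binding afterwards is as in section 9.2.

```powershell
# Added example, not code from the Thales guide. $CertFile is a placeholder path.
$CertFile     = 'C:\migrate\exported.cer'   # placeholder: Base-64 .cer from the origin server
$ProviderName = 'nCipher Security World Key Storage Provider'
$Store        = 'Cert:\LocalMachine\My'

# 1. Equivalent of the MMC import wizard: the certificate only, no private key travels with it.
& certutil.exe -addstore my $CertFile
if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed (exit $LASTEXITCODE)" }

$fileCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile
function Get-StoreCert { Get-ChildItem $Store | Where-Object { $_.Thumbprint -eq $fileCert.Thumbprint } }

# 2. Before the repair the store entry knows nothing about a key (HasPrivateKey is False).
$before = Get-StoreCert
if (-not $before) { throw "Certificate $($fileCert.Thumbprint) did not land in $Store" }
Write-Host "Before repair: HasPrivateKey = $($before.HasPrivateKey)"

# 3. -repairstore asks the named provider for a key whose public half matches the
#    certificate and records that link in the store entry. As on the page, the serial
#    number selects the certificate.
& certutil.exe -f -csp $ProviderName -repairstore my $before.SerialNumber
if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed (exit $LASTEXITCODE)" }

# 4. After the repair the entry must report a private key, and that key should be
#    attributed to the HSM provider rather than to a software KSP.
$after = Get-StoreCert
if (-not $after.HasPrivateKey) {
    throw 'Private key still not linked: confirm the key is listed by cnglist64 --list-keys'
}
$detail = & certutil.exe -v -store my $after.Thumbprint 2>&1
if ($detail | Select-String -SimpleMatch $ProviderName) {
    Write-Host "Certificate $($after.Thumbprint) now uses a key in '$ProviderName'"
} else {
    Write-Warning "Key linked, but certutil does not attribute it to '$ProviderName'"
}
```

The failure the final branch catches is the one that is easy to miss in section 11: if the original software-protected key was not deleted along with the certificate (section 11.1 step 13), -repairstore can silently find that software key instead of the copy in the HSM, and the site will keep serving TLS with a key that never left the file system.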
12. Addresses
Americas
2200 North Commerce Parkway Suite 200 Weston Florida 33326 USA
Tel: +1 888 744 4976 or + 1 954 888 6200
Asia Pacific
Units 2205-06 22/F Vicwood Plaza 199 Des Voeux Road Central Hong Kong PRC
Tel: + 852 2815 8633
Australia
103-105 Northbourne Avenue Turner ACT 2601 Australia
Tel: +61 2 6120 5148
Europe, Middle East, Africa
Meadow View House Long Crendon Aylesbury Buckinghamshire HP18 9EQ UK
Tel: + 44 (0)1844 201800
Internet addresses
Web site: www.thalesgroup.com/iss
Support: http://iss.thalesgroup.com/en/Support.aspx
Online documentation: http://iss.thalesgroup.com/Resources.aspx
International sales offices: http://iss.thalesgroup.com/en/Company/Contact%20Us.aspx