
PrivateServer™ HSM

Integration with Microsoft IIS

January 2014


Notice

The information provided in this document is the sole property of Algorithmic Research Ltd. No part of this document may be reproduced, stored or transmitted in any form or any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission from Algorithmic Research Ltd.


Table of Contents

Introduction

Requirements

PrivateServer Installation and Configuration

    PrivateServer Installation

    PrivateServer Configuration

    Signing Engine Configuration

Configuring Microsoft IIS to Work with PrivateServer

    IIS Installation

    Generate Keys and Obtain Server Certificate


Introduction

This step-by-step guide will help you set up the ARX PrivateServer™ HSM as the signing engine for Microsoft Internet Information Services (IIS) running on Windows Server 2008. IIS will use the ARX PrivateServer Hardware Security Module (HSM) to store the website's private key and to perform every cryptographic operation that uses it inside the secure appliance, so that the private key never leaves the HSM.

IIS uses certificates in a public key infrastructure (PKI) during SSL authentication. The certificate and its corresponding private key authenticate the IIS server to clients by means of public key cryptography.

ARX PrivateServer is a highly secure (FIPS 140-2 Level 3 validated), high-capacity, network-attached HSM that provides a secure environment for data encryption and key management. PrivateServer performs sensitive cryptographic operations, stores keys securely, and manages a large number of keys.

Requirements

Two servers are required to set up your system:

1. ARX PrivateServer v4.8 or higher.

2. A Windows Server 2008 machine that will run Microsoft IIS and the PrivateServer client (including the Signing Engine).


PrivateServer Installation and Configuration

The process of installing the PrivateServer HSM and its client is described in full detail in the PrivateServer Installation and Operation Guide. Please refer to that manual for a detailed description of each installation step.

PrivateServer Installation

To set up your PrivateServer, follow the steps below:

1. Install the PrivateServer client on the Windows Server 2008 machine by running the client setup.

2. Make sure that the following features are installed:

   a. Legacy client

   b. PrivateSafe USB driver

   c. Signing Engine

3. Connect the USB smart card reader to the Windows Server 2008 machine.

4. Run the PrivateServer management application from All Programs -> ARX -> PrivateServer Client -> PrivateServer Management.

5. Select Client -> Generate Cards and generate a set of smart cards (Root, Init and Startup). For more information refer to Chapter 4: Preparing Smartcards in the PrivateServer Installation and Operation Guide. It is recommended to create backups of the Init and Startup smart cards, since they are needed to initialize and start the appliance.

6. Select the Client -> Generate Users menu option and generate a smart card for the administrative user first. For more details refer to Chapter 4: Preparing Smartcards in the PrivateServer Installation and Operation Guide.

7. Initialize the PrivateServer with the newly generated set of smart cards (Init and Startup). For more information refer to Chapter 5: Operating the System in the PrivateServer Installation and Operation Guide.

8. Set the PrivateServer IP address. For more information refer to Chapter 6: Configuring the System in the PrivateServer Installation and Operation Guide.

PrivateServer Configuration

Perform the following steps to create the IIS user in the PrivateServer database:

1. Add your PrivateServer IP address to the servers list, from the Client -> Add PrivateServer menu.

3. Select View -> Users to switch to the users view. Select User -> Create to create a user for the IIS server; this user will be the owner of the website's private key.

4. Enter the IIS user data. Usually such a user does not need any special authorizations, so you can leave the whole authorization mask clear. However, since this is a critical user in the system, set the Minimum Access Level to Non-secure LAN, authenticated and encrypted session. This setting requires strong user authentication with key media (software or smart card) and encrypts the session between the IIS machine and the HSM, so a password alone is never enough to use the key.

5. Click OK to create the IIS server user.

6. Select Client -> Generate Users and generate software token key media for the IIS user. For more details refer to Chapter 4: Preparing Smartcards in the PrivateServer Installation and Operation Guide.


Signing Engine Configuration

The signing engine is a client-side component that provides support for the Microsoft CryptoAPI (CAPI) and Cryptography API: Next Generation (CNG) interfaces. Microsoft applications such as IIS call these APIs; the signing engine forwards the cryptographic operations to the PrivateServer HSM, which performs them with the key it holds.

To configure the signing engine on the IIS machine:

1. Open the directory C:\Program Files\ARX\PrivateServer Client\extlogin\Encrypted_Pass and copy the 64-bit DLL to the Windows\System32 directory and the 32-bit DLL to the Windows\SysWOW64 directory. (On 64-bit Windows, System32 holds the 64-bit binaries and SysWOW64 holds the 32-bit ones; the names are not a typo.)

2. To create an encrypted password file, run the genpass.exe utility as administrator from C:\Program Files\ARX\PrivateServer Client\extlogin\Encrypted_Pass\win32 and enter the key media password. Make sure that the file cspass.dat was created in the C:\Program Files\ARX\PrivateServer Client\utils directory. Note that cspass.dat together with the IIS user's software key media is all that is needed to log in to PrivateServer as the IIS user, so restrict the NTFS permissions on both files to the accounts that actually need them (SYSTEM and Administrators) instead of leaving them readable by every local user.

4. Click the New button to add a new slot.

   a. In the Signing Engine group box choose Server Based and choose the IP address of your PrivateServer from the combo box.

   b. In the Authentication Type group box choose File Media and enter the path to the software key media of the IIS user.

   c. In the User and Password Details group box enter the IIS user name.

   d. Check Use Extended Login Module and enter extlogin.dll as the name of the extended login module, so that the password is supplied from the encrypted cspass.dat file rather than stored in the slot configuration.

6. Click the Test button to check your configuration settings.

If the test fails, check your configuration or restart the machine.
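Two things the procedure above does not verify for you are that each DLL really has the bitness its target directory expects, and that cspass.dat and the key media file are not readable by every local account. The following PowerShell script is an added example, not part of the ARX guide or of the PrivateServer client: it reads each DLL's PE header to confirm its architecture before copying, runs genpass.exe, confirms that cspass.dat appeared, and then restricts both files to SYSTEM (the identity under which SChannel performs the server's TLS private-key operations) and Administrators. The name of the 64-bit subfolder (x64) and the key media path are assumptions; only the win32 folder name comes from the guide.

```powershell
# Added example; not code from the ARX guide. Run from an elevated PowerShell prompt
# on the IIS machine after the PrivateServer client has been installed.
$ClientRoot = 'C:\Program Files\ARX\PrivateServer Client'
$ExtLogin   = Join-Path $ClientRoot 'extlogin\Encrypted_Pass'
$KeyMedia   = 'C:\ProgramData\ARX\iis-user.key'   # ASSUMED path of the IIS user's software key media

# Read the Machine field of the PE header so the architecture is checked from the file,
# not inferred from the folder it came from.
function Get-PEMachine([string]$Path) {
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {   # "MZ"
        throw "$Path is not a PE file"
    }
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)                    # e_lfanew
    if ([BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) {   # "PE\0\0"
        throw "$Path has no PE signature"
    }
    $machine = [BitConverter]::ToUInt16($bytes, $peOffset + 4)
    switch ($machine) {
        0x8664  { 'x64' }
        0x014C  { 'x86' }
        default { '0x{0:X4}' -f $machine }
    }
}

$dll64 = Join-Path $ExtLogin 'x64\extlogin.dll'     # ASSUMED subfolder name for the 64-bit build
$dll32 = Join-Path $ExtLogin 'win32\extlogin.dll'
if ((Get-PEMachine $dll64) -ne 'x64') { throw "$dll64 is not a 64-bit DLL" }
if ((Get-PEMachine $dll32) -ne 'x86') { throw "$dll32 is not a 32-bit DLL" }

# On 64-bit Windows, System32 holds 64-bit binaries and SysWOW64 holds 32-bit ones.
Copy-Item $dll64 (Join-Path $env:windir 'System32\extlogin.dll')
Copy-Item $dll32 (Join-Path $env:windir 'SysWOW64\extlogin.dll')

# genpass.exe prompts for the key media password and writes cspass.dat into utils\.
& (Join-Path $ExtLogin 'win32\genpass.exe')
$PassFile = Join-Path $ClientRoot 'utils\cspass.dat'
if (-not (Test-Path $PassFile)) { throw "cspass.dat was not created at $PassFile" }

# Anyone who can read both cspass.dat and the key media can authenticate to the HSM as
# the IIS user. Drop inherited ACEs (e.g. BUILTIN\Users read) and grant only SYSTEM, which
# is what SChannel/HTTP.sys run as, and Administrators, who run PrivateServer Management.
foreach ($f in @($PassFile, $KeyMedia)) {
    if (Test-Path $f) {
        icacls $f /inheritance:r /grant:r 'SYSTEM:(R)' 'BUILTIN\Administrators:(F)' | Out-Null
        icacls $f
    } else {
        Write-Warning "$f not found; adjust `$KeyMedia to the real key media path"
    }
}
```

After tightening the ACLs, run the Test button in PrivateServer Management again; if the client reports that it cannot update the key media, widen the SYSTEM entry from (R) to (M) rather than reintroducing access for ordinary users.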


Configuring Microsoft IIS to Work with PrivateServer

Now you are ready to install Microsoft IIS service and configure it to work with PrivateServer.

IIS Installation

To install Microsoft IIS on Windows Server 2008:

1. Open Server Roles.

2. In Server Roles, check Web Server (IIS).

Follow the instructions of the IIS installation wizard. Additional information can be found on Microsoft MSDN.

Generate Keys and Obtain Server Certificate

In this step you will generate an RSA key pair on the PrivateServer HSM and obtain a corresponding server certificate from your CA. In general, there are several ways to obtain a server certificate. Whichever you use, make sure that the certificate subject is the server name or IP address that clients will use to reach the web server.

The process below uses the web enrollment service of a Microsoft CA.

1. Open Microsoft Internet Explorer and browse to the CA web enrollment page.

2. Select Request a certificate.

3. Select Advanced certificate request.

4. Select Create and submit a request to this CA.

5. In the Advanced Certificate Request form select:

   a. Certificate Template: Web Server.

   b. Name: the IIS server IP address or server name. The certificate subject name must match the name of the IIS server.

   c. CSP: AR Base Cryptographic Provider. Choosing this provider is what makes the key pair be generated inside PrivateServer instead of in a software key container on the IIS machine.

   If the form offers the option Store certificate in the local computer certificate store, select it: IIS reads its server certificate from the local computer store, not from the store of the user who submitted the request.

6. The private key is generated inside the PrivateServer and the corresponding certificate is issued by the CA.

7. Select Install the certificate to save the IIS server certificate inside PrivateServer.

Now the certificate is loaded into the machine certificate store and you can configure IIS to use it to identify the server during SSL negotiation.
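The web enrollment pages are one of the "several ways" mentioned above. The following PowerShell script is an added example, not part of the ARX guide: it requests the same kind of HSM-backed certificate from the command line with certreq (useful on a server without a browser, or when the CA is reached through a file-based workflow), then checks that the installed certificate's private key is held by the AR Base Cryptographic Provider in the local computer store and is not exportable. The server name, the CA configuration string and the WebServer template name are assumptions; whether HardwareDevice is reported as true depends on what the CSP tells Windows, so ProviderName is the authoritative check.

```powershell
# Added example; not code from the ARX guide. Run from an elevated PowerShell prompt
# on the IIS machine, as a user allowed to enroll for the WebServer template.
$ServerName = 'www.example.com'                     # ASSUMED; must be the name clients connect to
$CaConfig   = 'ca.example.com\Example Issuing CA'   # ASSUMED "host\CA name" of the Microsoft CA
$Work       = Join-Path $env:TEMP 'iis-hsm'
New-Item -ItemType Directory -Force -Path $Work | Out-Null

# ProviderName selects the ARX CSP, so the key pair is generated inside PrivateServer.
# MachineKeySet puts the key in the computer's store (where IIS looks); Exportable=FALSE
# is what an HSM-held key should be, and the check below confirms the CSP honoured it.
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$ServerName"
KeyLength = 2048
KeyAlgorithm = RSA
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "AR Base Cryptographic Provider"
RequestType = PKCS10
FriendlyName = "IIS (PrivateServer HSM)"

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path "$Work\request.inf" -Encoding ASCII

certreq -new "$Work\request.inf" "$Work\request.req"                     # key pair generated on the HSM here
certreq -submit -config $CaConfig "$Work\request.req" "$Work\cert.cer"   # CA issues the certificate
certreq -accept "$Work\cert.cer"                                         # installs it into LocalMachine\My

# Verify where the private key lives. For a CAPI CSP such as the AR provider, the
# certificate's PrivateKey is an RSACryptoServiceProvider whose CspKeyContainerInfo
# names the provider and reports the exportable and machine-store flags.
function Test-HsmCertificate([string]$Subject) {
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -eq "CN=$Subject" -and $_.HasPrivateKey } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "no certificate with a private key for CN=$Subject in LocalMachine\My" }
    $info = $cert.PrivateKey.CspKeyContainerInfo
    if (-not $info) { throw "private key of $($cert.Thumbprint) is not held by a CAPI CSP" }
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Provider   = $info.ProviderName
        Hardware   = $info.HardwareDevice      # informational; depends on what the CSP reports
        Exportable = $info.Exportable
        MachineKey = $info.MachineKeyStore
        OnHsm      = ($info.ProviderName -eq 'AR Base Cryptographic Provider') -and
                     (-not $info.Exportable) -and $info.MachineKeyStore
    }
}
Test-HsmCertificate $ServerName | Format-List
```

OnHsm should be True before you proceed to the binding step. As an independent check that does not go through .NET, `certutil -store My` prints a "Provider =" line for every certificate that has a private key; it should name the AR Base Cryptographic Provider for this certificate and nothing like "Microsoft RSA SChannel Cryptographic Provider", which would mean the key was generated in software on the web server.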


Bind the IIS Server with the New Certificate

1. Open IIS Manager and choose the site that will accept SSL connections using the key held in PrivateServer.

2. Click Bindings in the Actions pane.

4. Choose https as the type and choose the SSL certificate created in the previous step. This certificate will serve as the web site certificate and will be used in SSL authentication. Make sure the certificate is in the Personal store of the local computer certificate store; the binding dialog only lists certificates from there.

5. Click OK.
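The Bindings dialog does two things under the hood: it records an https binding for the site in applicationHost.config and it registers the certificate for the port with HTTP.sys. The following PowerShell script is an added example, not part of the ARX guide: it performs both steps from the command line with the appcmd and netsh tools that ship with IIS 7 on Windows Server 2008, and then opens a TLS connection as a client to prove that the site really presents the HSM-backed certificate (the server's signing operation during that handshake runs inside PrivateServer). The site name "Default Web Site", the server name and port 443 are assumptions.

```powershell
# Added example; not code from the ARX guide. Run from an elevated PowerShell prompt
# on the IIS machine after the certificate has been installed into LocalMachine\My.
$ServerName = 'www.example.com'      # ASSUMED; must equal the certificate subject
$SiteName   = 'Default Web Site'     # ASSUMED
$IisAppId   = '{4dc3e181-e14b-4a21-b022-59fc669b0914}'   # application ID IIS uses for its HTTP.sys SSL bindings

# Newest certificate with a private key for the server name, from the computer's Personal store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$ServerName" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "no certificate for CN=$ServerName with a private key in LocalMachine\My" }

# 1. Add the https binding to the site (what the dialog's Add button writes to applicationHost.config).
$appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
& $appcmd set site "$SiteName" "/+bindings.[protocol='https',bindingInformation='*:443:']"

# 2. Attach the certificate to the port in HTTP.sys (what choosing the certificate in the dialog does).
netsh http delete sslcert "ipport=0.0.0.0:443" | Out-Null
netsh http add sslcert "ipport=0.0.0.0:443" "certhash=$($cert.Thumbprint)" "appid=$IisAppId" "certstorename=MY"
netsh http show sslcert "ipport=0.0.0.0:443"

# 3. Client-side check: complete a handshake and compare the presented leaf certificate with
#    the one we bound. Chain validation is skipped on purpose because this asserts which
#    certificate is served, not whether it is trusted; a real client must validate the chain.
function Test-TlsBinding([string]$Hostname, [int]$Port, [string]$ExpectedThumbprint) {
    $tcp = New-Object System.Net.Sockets.TcpClient($Hostname, $Port)
    try {
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($Hostname)   # server-side private-key operation happens inside the HSM
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Protocol  = $ssl.SslProtocol
            Cipher    = $ssl.CipherAlgorithm
            Presented = $leaf.Thumbprint
            Expected  = $ExpectedThumbprint
            Matches   = ($leaf.Thumbprint -eq $ExpectedThumbprint)
        }
    } finally {
        $tcp.Close()
    }
}
Test-TlsBinding -Hostname $ServerName -Port 443 -ExpectedThumbprint $cert.Thumbprint | Format-List
```

If Matches is False, HTTP.sys is serving a different certificate for that IP and port than the one you intended (check `netsh http show sslcert` for an older binding on a specific IP address, which takes precedence over 0.0.0.0). If the handshake fails outright while the certificate is bound, the usual cause is that the signing engine slot cannot log in to PrivateServer as SYSTEM, which the Test button in PrivateServer Management, run as an administrator, does not exercise.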
