
nCipher Modules

Integration Guide for Axway Validation Authority Server 4.11 (Responder)

Version: 1.0

Date: 30 May 2012

Copyright 2012 Thales e-Security Limited. All rights reserved.


Copyright in this document is the property of Thales e-Security Limited. It is not to be reproduced, modified, adapted, published, translated in any material form (including storage in any medium by electronic means whether or not transiently or incidentally) in whole or in part nor disclosed to any third party without the prior written permission of Thales e-Security Limited neither shall it be used otherwise than for the purpose for which it is supplied.

CodeSafe, KeySafe, nCipher, nFast, nForce, nShield, payShield, and Ultrasign are registered trademarks of Thales e-Security Limited.

CipherTools, CryptoStor, CryptoStor Tape, keyAuthority, KeyVault, nCore, netHSM, nFast Ultra, nForce Ultra, nShield Connect, nToken, SafeBuilder, SEE, and Trust Appliance are trademarks of Thales e-Security Limited. All other trademarks are the property of the respective trademark holders.

Information in this document is subject to change without notice.

Thales e-Security Limited makes no warranty of any kind with regard to this information, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Thales e-Security Limited shall not be liable for errors contained herein or for incidental or consequential damages concerned with the furnishing, performance or use of this material.

These installation instructions are intended to provide step-by-step instructions for installing Thales software with third-party software. These instructions do not cover all situations and are intended as a supplement to the documentation provided with Thales products. Disclaimer: Thales e-Security Limited disclaims all liabilities regarding third-party products and only provides warranties and liabilities with its own products as addressed in the Terms and Conditions for Sale.


Contents

Chapter 1: Introduction
  Supported Thales nCipher functionality
  Requirements
Chapter 2: Procedures
  Installing the HSM
  Installing the nShield support software and creating the security world
  Installing and configuring Axway Validation Authority Server (Responder)
    Installing the Axway Validation Authority Server (Responder)
    Configuring the Axway Validation Authority Server (Responder)
    Applying service pack 1 on Axway Validation Authority Server v4.11
Chapter 3: Troubleshooting


Chapter 1: Introduction

The Axway Validation Authority™ Server (VA Server) product is an online certificate status responder. The VA Server maintains a store of certificate revocation data by obtaining the issuing Certification Authority (CA) Certificate Revocation List (CRL), which is a cumulative list of revoked certificates.

The VA Server product provides integrity and validity for online transactions by validating, in real time, digital certificates issued by any CA.

Thales nCipher Hardware Security Modules (HSMs) generate and securely store the keys that VA Server uses to sign its certificate status responses; VA Server accesses these keys through the nCipher PKCS #11 interface. This guide explains how to integrate a VA Server installation with an HSM. The instructions have been thoroughly tested and provide a straightforward integration process. There may be other untested ways to achieve interoperability.

This guide might not cover every step in the process of setting up all the hardware and software. It assumes that you have read your HSM documentation and that you are familiar with the documentation and setup process for the VA Server. For more information about installing the Server, see the Axway Validation Authority Server documentation supplied on CD-ROM. Before proceeding with the installation of the packages, dependency packages should be configured, initialized and running.

The integration between the HSM and the Axway Validation Authority Server has been successfully tested in the following configuration:

Operating system:                 Red Hat Enterprise Linux 5 (64 bit)
Axway VA Server version:          4.11 SP1
Thales nCipher software version:  11.50
nShield Solo support:             Yes
nShield Connect support:          Yes

For more information about OS support, contact your Axway sales representative or Thales Support. For more information about contacting Thales, see Addresses at the end of this guide.

Supported Thales nCipher functionality

Additional documentation produced to support your Thales nCipher product can be found in the document directory of the CD-ROM or DVD-ROM for that product.

Note: Throughout this guide, the term HSM refers to nShield Solo modules and nShield Connect products. (nShield Solo products were formerly known as nShield.)

You can access the following nCipher functionality when you integrate an nCipher HSM with the Axway Validation Authority Server:

Key Generation         Yes
Key Import             —
Key Recovery           Yes
Key Management         Yes
Soft Cards             Yes
Module-only Key        Yes
K-of-N Card Set        Yes
Strict FIPS Support    Yes
Preload Support        Yes
Load Balancing         Yes
Fail Over              Yes
Fall Back              —

Requirements

Before attempting to install the software, we recommend that you familiarize yourself with the Axway Validation Authority Server documentation and setup process and that you have the nCipher documentation available.

To integrate the HSM and Axway Validation Authority Server, you need the server and client machines set up as follows:

Server
  Platform:  Red Hat Enterprise Linux 5 (x64) or Solaris 10 (SPARC)
  Software:  nShield support software 11.50
             Tumbleweed Validation Authority Server 4.11 (Responder)
             Tumbleweed Validation Authority Server 4.11 SP1 (Responder)

Client
  Platform:  Windows Server 2003 or Windows Server 2008 R2

We also recommend that there be an agreed organizational Certificate Practices Statement and Security Policy/Procedure in place covering administration of the HSM. In particular, these documents should specify the following aspects of HSM administration:

• The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and the policy for managing these cards.

• Whether the application keys are protected by the module or an Operator Card Set (OCS).

• The number and quorum of Operator Cards in the OCS, and the policy for managing these cards.

• Whether the security world should be compliant with FIPS 140-2 level 3. For more information, refer to the User Guide for the HSM.

Chapter 2: Procedures

To set up and configure the Axway Validation Authority Server with an HSM:

1 Install the HSM.
2 Install the nShield Support Software and create a Security World.
3 Install and configure Axway Validation Authority Server (Responder).
4 Apply service pack 1 on Axway Validation Authority Server.

These procedures are described in the following sections.

Installing the HSM

Install the HSM using the instructions in the documentation for the HSM. We recommend that you install the HSM before configuring the nShield support software with your Axway Validation Authority (Responder) installation.

Installing the nShield support software and creating the security world

To install the support software and create the security world:

1 Install the latest version of the support software with the PKCS #11 components selected, as described in the User Guide for the HSM.

Note: We recommend that you always uninstall any existing nShield support software before installing the new nShield support software.

2 Open the file named cknfastrc in the directory where the nShield support software is installed. The default directory is /opt/nfast, so the file is normally /opt/nfast/cknfastrc.

3 For 1-of-N OCS or softcard protection, add the following environment variables to the file:

CKNFAST_NO_UNWRAP=1
CKNFAST_NO_ACCELERATOR_SLOTS=1
CKNFAST_LOADSHARING=1
CKNFAST_OVERRIDE_SECURITY_ASSURANCES=none

The value none for CKNFAST_OVERRIDE_SECURITY_ASSURANCES keeps all of the PKCS #11 library's security assurance checks in force; do not relax it to all on a production responder.

4 For K-of-N OCS protection, create an empty file in the /opt/nfast/kmdata directory and, in addition to the variables above, add the following environment variable. preload records the loaded card set in this file so that the PKCS #11 library can find it:

NFAST_NFKM_TOKENSFILE=/opt/nfast/kmdata/name_of_the_empty_file

5 If module-protected (accelerator) keys are to be used, also add the following environment variable to the file. It makes the library accept the PIN that the VA Server Web interface always prompts for, even though a module-protected key needs none. Module-protected keys are presented through the accelerator slot, so do not set CKNFAST_NO_ACCELERATOR_SLOTS=1 in this case:

CKNFAST_FAKE_ACCELERATOR_LOGIN=1

For more information about the environment variables used in cknfastrc, see the nCipher PKCS #11 library environment variables section in the User Guide for the HSM.
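The following script is an added example and is not part of the Thales guide. It reads a cknfastrc, works out which of the three protection modes (1-of-N OCS or softcard, K-of-N OCS, module protection) the file is set up for, and lists anything that does not match that mode. It assumes the file holds plain NAME=VALUE lines, with # starting a comment and the last assignment winning; the sample contents embedded in it are constructed for illustration, and the tokens-file name /opt/nfast/kmdata/va_tokens is a made-up example. Treating CKNFAST_NO_ACCELERATOR_SLOTS=1 as a problem in module-protection mode is my interpretation, on the grounds that the setting hides the accelerator slot through which module-protected keys are presented. The K-of-N check only confirms that the tokens file exists; it cannot tell whether preload has populated it.

```python
"""Added example (not from the Thales guide): classify a cknfastrc by the
key-protection mode it is set up for and report variables that do not match.

Assumptions (mine): NAME=VALUE lines, '#' starts a comment, last assignment
wins.  SAMPLE_* strings below are constructed for illustration only."""
import os

# Variables the guide sets for every protection mode.
BASE = {
    "CKNFAST_NO_UNWRAP": "1",
    "CKNFAST_LOADSHARING": "1",
    "CKNFAST_OVERRIDE_SECURITY_ASSURANCES": "none",
}


def parse_cknfastrc(text):
    """Return {NAME: VALUE}; comments and blank or malformed lines are skipped."""
    result = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            name, value = line.split("=", 1)
            result[name.strip()] = value.strip()
    return result


def check_cknfastrc(text, file_exists=os.path.isfile):
    """Return (mode, problems).

    mode is 'ocs-1ofN-or-softcard', 'kofn', 'module', or None when the file
    mixes K-of-N and module settings; problems is a list of human-readable
    mismatches (empty when the file matches the guide for that mode)."""
    v = parse_cknfastrc(text)
    problems = [f"{k} must be {want!r}, found {v.get(k)!r}"
                for k, want in BASE.items() if v.get(k) != want]
    tokens = v.get("NFAST_NFKM_TOKENSFILE")
    fake_login = v.get("CKNFAST_FAKE_ACCELERATOR_LOGIN") == "1"
    no_accel = v.get("CKNFAST_NO_ACCELERATOR_SLOTS") == "1"

    if tokens and fake_login:
        problems.append("K-of-N tokens file and accelerator login are both set")
        return None, problems
    if tokens:
        # K-of-N: preload records the loaded card set in this file, so the
        # (initially empty) file must already exist.
        mode = "kofn"
        if not file_exists(tokens):
            problems.append(f"tokens file {tokens} does not exist")
        if not no_accel:
            problems.append("CKNFAST_NO_ACCELERATOR_SLOTS must be '1'")
    elif fake_login:
        # Module protection: the key is reached through the accelerator slot,
        # which CKNFAST_NO_ACCELERATOR_SLOTS=1 would hide (my interpretation).
        mode = "module"
        if no_accel:
            problems.append("CKNFAST_NO_ACCELERATOR_SLOTS=1 hides the accelerator slot")
    else:
        mode = "ocs-1ofN-or-softcard"
        if not no_accel:
            problems.append("CKNFAST_NO_ACCELERATOR_SLOTS must be '1'")
    return mode, problems


# Constructed sample files, one per mode, plus one that weakens the assurances.
SAMPLE_OCS = """# 1-of-N OCS or softcard protection
CKNFAST_NO_UNWRAP=1
CKNFAST_NO_ACCELERATOR_SLOTS=1
CKNFAST_LOADSHARING=1
CKNFAST_OVERRIDE_SECURITY_ASSURANCES=none
"""
SAMPLE_KOFN = SAMPLE_OCS + "NFAST_NFKM_TOKENSFILE=/opt/nfast/kmdata/va_tokens\n"
SAMPLE_MODULE = (SAMPLE_OCS.replace("CKNFAST_NO_ACCELERATOR_SLOTS=1\n", "")
                 + "CKNFAST_FAKE_ACCELERATOR_LOGIN=1\n")
SAMPLE_WEAK = SAMPLE_OCS.replace("=none", "=all")

if __name__ == "__main__":
    for name, sample in [("ocs", SAMPLE_OCS), ("kofn", SAMPLE_KOFN),
                         ("module", SAMPLE_MODULE), ("weak", SAMPLE_WEAK)]:
        print(name, check_cknfastrc(sample, file_exists=lambda p: True))
```

To check the live file, pass the contents of /opt/nfast/cknfastrc to check_cknfastrc and leave file_exists at its default so the K-of-N tokens file is looked up on disk.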

Installing and configuring Axway Validation Authority Server (Responder)

VA consists of:

• A VA Host Server acting as either a Repeater or Responder operating on a Windows, Solaris, or Linux platform.

• A web-based Administration Server that provides centralized management of your validation processing components.

Client applications can query the VA Server utilizing open standard protocols including the Online Certificate Status Protocol (OCSP) or the Server-based Certificate Validation Protocol (SCVP), allowing clients to delegate the entire certificate validation operation, including path construction and intermediate CA validation, to the VA Server.

This section describes how to quickly set up a Responder. Before setting up the Axway Validation Authority Server (Responder), you must obtain a root certificate from a CA and make it available in a directory on the host platform.

Note: In this guide the Responder does not operate in SSL mode. If you operate in SSL mode, you must also generate an SSL key and certificate.

Installing the Axway Validation Authority Server (Responder)

To install the Axway Validation Authority Server (Responder):

1 Unzip the Unix binaries from Axway. You can download the software for your operating system from http://www.axway.com/.

2 Untar the file VCeva.tar.

3 Navigate to the directory VCeva/.

4 Run the script ./install.sh to install the Axway Validation Authority Server (Responder), and accept all the default options during the installation process.

5 Check that the installation was successful and that the Apache Web server on which the Axway Validation Authority Server Web interface runs is operational by running the command:

ps -ef | grep apache

6 Open a Web browser, and check that the Axway Validation Authority Server Web interface is running by entering https://<machinename>:13333.

Configuring the Axway Validation Authority Server (Responder)

To configure the Axway Validation Authority Server (Responder):

1 Log in to the Tumbleweed Validation Authority Server Web interface with the user name admin and the appropriate password. The Web interface is running in SETUP mode.

Note: For K-of-N OCS protection, preload the K-of-N OCS before opening the Tumbleweed Validation Authority Server Web interface:
a Open a new terminal.
b Navigate to /opt/nfast/bin.
c Run ./preload -m1 -c <cardsetname> -f </opt/nfast/kmdata/name_of_the_empty_file>, and present the quorum of Operator Cards when prompted.

2 Enter the license information:
a In the Admin Server Welcome window, click Enter License. The Enter License page appears.
b Paste the license certificate that you received from Axway into the text area.
c Click Submit License. The Axway Validation Authority License page appears, showing the licensed features and capability of your Responder.
d In the features list, ensure that OCSP is enabled.
e Click Next Step. The Add Extensions Install Custom Extensions page appears, showing that the default is set to NO.

3 Click Submit to continue without adding or installing any extensions. The Server Password page appears.

4 Change the server password to match the OCS or softcard pass phrase that you set when creating the OCS or softcard.

Note: To integrate an Axway Validation Authority Server (Responder) installation with an HSM, the Axway Validation Authority Server password must match the OCS or softcard pass phrase, because the server presents this password as the PKCS #11 token PIN. Choose the pass phrase with this in mind: the server password is also the secret that unlocks the OCSP signing key. If you have already created a server password that matches the OCS or softcard pass phrase, enter it in Enter Current Server Password. Otherwise, leave the field blank, and click Next Step.

a Enter the OCS or softcard pass phrase in Enter New Password.
b Enter the same pass phrase again in Confirm New Password.
c Click Submit. A message confirming that the password has been changed appears.
d Click Next Step. The Key Type Selection page appears.

5 Ensure that the default Default OCSP Response Signing and Create an OCSP Signing Key Pair options are selected.

Note: It is mandatory to generate a private/public key pair for signing OCSP responses when operating as a Responder.

6 Click Submit Key Type. The Key Generation/Import Mechanism page appears.

7 Select how key pairs are to be created or imported:
a Select Hardware Key Generation/Import using nCipher.
b Click Submit Key Generation Technique.

8 Select Generate new private key, and then click Submit Key Generation Or Import:
a In User PIN, enter the OCS or softcard pass phrase. (For module-protected keys, where CKNFAST_FAKE_ACCELERATOR_LOGIN=1 is set, any value is accepted.)
b In Friendly Key Name, enter a name of your choice.
c Select the desired value for Key Expiration in days.
d Select Auto Sense for Slot ID.
e Select the desired Key Length.
f Enter all appropriate Certificate Information, and then select Self Signed Certificate.
g Click Submit. The Success page appears, confirming that the request was successful and that you have obtained a self-signed certificate.

Note: When you generate a private key for signing OCSP responses, Axway Validation Authority Server typically receives a base-64 encoded X.509 certificate. The current version of Axway Validation Authority Server does not accept PKCS #7 certificate chains.

Note: If you generate a private key for signing OCSP responses, four files are created in the <VAInstallDir>/entserv/.ckbak directory:
• Two db files of the form <DateTimeStamp_GMT>vack.db
• OCSP_RESP_SIGN_<DateTimeStamp_GMT>.req (PKCS #10 request)
• OCSP_RESP_SIGN_<DateTimeStamp_GMT>.cert (self-signed OCSP Responder certificate)

In the above path, <VAInstallDir> represents the directory where Axway Validation Authority Server is installed. In the above file names, <DateTimeStamp_GMT> represents a time-stamp string indicating when the key was created.

h Click Next Step. The Manage Certificate Store page appears. The default certificate store is CA Certificates, which is the repository for trusted CAs.
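The routine below is an added example, not code from Axway or Thales. It inspects a PEM file such as the OCSP_RESP_SIGN_<DateTimeStamp_GMT>.cert file produced above, or a CA certificate file you intend to import in the next steps, and reports whether it holds base-64 X.509 certificates (which VA Server accepts) or a PKCS #7 block (which it does not), checking along the way that every block decodes to a DER SEQUENCE whose encoded length matches the decoded data, so a truncated paste is caught before upload. It assumes OpenSSL-style PEM labels (CERTIFICATE for X.509, PKCS7 for PKCS #7); the sample blocks it builds wrap a five-byte toy SEQUENCE and are not real certificates.

```python
"""Added example (not from the Axway or Thales documentation): tell base-64
X.509 certificate files apart from PKCS #7 chains before handing them to VA
Server, and validate the outer DER structure of each PEM block.

Assumption (mine): OpenSSL-style PEM labels, i.e. CERTIFICATE for X.509 and
PKCS7 for PKCS #7.  The SAMPLE_* inputs are constructed toy data."""
import base64
import re

_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_sequence_length(der):
    """Total encoded length of the outer DER SEQUENCE (tag 0x30), or None
    when the bytes do not begin with a well-formed SEQUENCE header."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block whose body is valid
    base64 and whose DER outer length equals the decoded size; blocks that
    fail either check are dropped (a truncated certificate is not a cert)."""
    blocks = []
    for m in _PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:                 # binascii.Error is a ValueError
            continue
        if der_sequence_length(der) == len(der):
            blocks.append((label, der))
    return blocks


def classify_for_va(text):
    """'x509' when every valid block is an X.509 CERTIFICATE (one or more, as
    the Import Certificates page lists them all), 'pkcs7' when any block is a
    PKCS #7 bundle, 'other' for other labels, 'none' when nothing parses."""
    labels = [label for label, _ in pem_blocks(text)]
    if not labels:
        return "none"
    if "PKCS7" in labels:
        return "pkcs7"
    if all(label == "CERTIFICATE" for label in labels):
        return "x509"
    return "other"


def _wrap(label, der):
    """Build a PEM block at 64 columns; used only to construct sample input."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Toy DER: SEQUENCE { INTEGER 5 }.  Not a certificate; stands in for one.
_TOY_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_X509 = _wrap("CERTIFICATE", _TOY_DER)
SAMPLE_CHAIN = SAMPLE_X509 + _wrap("CERTIFICATE", _TOY_DER)
SAMPLE_PKCS7 = _wrap("PKCS7", _TOY_DER)
SAMPLE_TRUNCATED = _wrap("CERTIFICATE", _TOY_DER[:-1])

if __name__ == "__main__":
    for name in ("SAMPLE_X509", "SAMPLE_CHAIN", "SAMPLE_PKCS7", "SAMPLE_TRUNCATED"):
        print(name, classify_for_va(globals()[name]))
```

Run classify_for_va on the text of a real .cert file: a result of pkcs7 means the file must be converted to individual X.509 certificates before VA Server will take it, and none means the file was cut short or is not PEM at all.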

9 Click Submit Certificate Import Method. The Import Certificate File page appears.

10 Click Browse, navigate to the location of the certificate file, and then select it.

11 Click Submit Certificate File. The Import Certificates page appears, listing all certificates contained in the file. By default, all certificates are selected for import.

12 Click Next Step. The Configuring CRL Imports page appears.

Note: If you are using LDAP as a CA certificates repository, ensure that the LDAP server is accessible.

13 Select At an HTTP, FTP or FILE location, and then click Add CRL Source.

14 Enter the CRL distribution point of the third-party CA CRL, and click Submit.

15 Click Schedule Import of Checked CRLs to store the list of CRLs to import on a scheduled basis.

16 Click Next Step. The Configure Server URLs page appears.

17 Accept all default selections, and then click Submit. The message Server URLs updated Successfully appears.

Note: The default Axway Validation Authority Server instance is assigned to port 80 (for example, http://<machinename>:80).

18 Click Next Step. The VA Responder Configuration Parameters page appears.

19 Accept all default selections, and then click Submit. The message Server Configuration has been successfully Updated appears.

20 Click Next Step.

21 Enter the OCS or softcard pass phrase to start the server with the HSM in CONFIGURATION mode.

22 Enter the server password, and then click Start Server. The server status changes from OFF to ON. The Responder is now operational.

Note: On Solaris machines, for 1-of-N OCS, softcard, and module-only protection, start the VA server by running the vactl script (/va/inst/va/entserv/vactl start).

Note: On Solaris machines, for K-of-N OCS protection, start the VA server under preload so that the loaded card set is available to the server process:
a Open a new terminal.
b Navigate to /va/inst/va.
c Run /opt/nfast/bin/preload -m1 -c <cardsetname> -f </opt/nfast/kmdata/name_of_the_empty_file> ./vactl start

Applying service pack 1 on Axway Validation Authority Server v4.11

To patch a VA Server:

1 Unzip the patch archive from Axway. You can download the software for your operating system from http://www.axway.com/.

2 Stop the VA server, using either the Admin UI or the vactl script.

3 Stop the VA Admin server using the apachectl control script (va/inst/va/apache/bin/apachectl stop).

4 Copy the extracted files from the patch archive to their associated locations under the VA install directory (/va/inst/va/).

5 Start the VA Admin server using the apachectl control script (va/inst/va/apache/bin/apachectl start).

Chapter 3: Troubleshooting

The following table provides troubleshooting guidelines.

Problem: Cannot start the VA server instance.
Cause: No certificate is present in the Certificate Store.
Resolution: Ensure that there is at least one certificate present in the Certificate Store (OCSP).

Problem: Cannot start the VA server instance.
Cause: The default port for the VA server instance (port 80) is already in use.
Resolution: Assign a port other than port 80 to the server instance.

Problem: Failed to generate the OCSP signing certificate and key pair.
Cause: The PKCS #11 token password was entered incorrectly.
Resolution: Ensure that you enter the correct PKCS #11 token password (the OCS or softcard pass phrase) when generating the OCSP signing certificate and key pair.


Internet addresses

Americas

2200 North Commerce Parkway, Suite 200, Weston, Florida 33326, USA Tel: +1 888 744 4976 or + 1 954 888 6200

[email protected]

Europe, Middle East, Africa

Meadow View House, Long Crendon, Aylesbury, Buckinghamshire HP18 9EQ, UK Tel: + 44 (0)1844 201800

[email protected]

Asia Pacific

Units 4101, 41/F. 248 Queen’s Road East, Wanchai, Hong Kong, PRC Tel: + 852 2815 8633

[email protected]

Web site: www.thales-esecurity.com

Support: www.thales-esecurity.com/en/Support.aspx

Online documentation: www.thales-esecurity.com/Resources.aspx

International sales offices: www.thales-esecurity.com/en/Company/Contact%20Us.aspx
