nCipher Modules Integration Guide for Apache HTTP Server

Version: 1.3

Date: 19 August 2011

Copyright 2011 Thales e-Security Limited. All rights reserved.

Copyright in this document is the property of Thales e-Security Limited. It is not to be reproduced, modified, adapted, published, translated in any material form (including storage in any medium by electronic means whether or not transiently or incidentally) in whole or in part nor disclosed to any third party without the prior written permission of Thales e-Security Limited neither shall it be used otherwise than for the purpose for which it is supplied.

CodeSafe, KeySafe, nCipher, nFast, nForce, nShield, payShield, and Ultrasign are registered trademarks of Thales e-Security Limited.

CipherTools, CryptoStor, CryptoStor Tape, keyAuthority, KeyVault, nCore, netHSM, nFast Ultra, nForce Ultra, nShield Connect, nToken, SafeBuilder, SEE, and Trust Appliance are trademarks of Thales e-Security Limited. All other trademarks are the property of the respective trademark holders.

Information in this document is subject to change without notice.

Thales e-Security Limited makes no warranty of any kind with regard to this information, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Thales e-Security Limited shall not be liable for errors contained herein or for incidental or consequential damages concerned with the furnishing, performance or use of this material.

These installation instructions are intended to provide step-by-step instructions for installing Thales software with third-party software. These instructions do not cover all situations and are intended as a supplement to the documentation provided with Thales products. Disclaimer: Thales e-Security Limited disclaims all liabilities regarding third-party products and only provides warranties and liabilities with its own products as addressed in the Terms and Conditions for Sale.

Contents

Chapter 1: Introduction
  Supported nCipher functionality
  Requirements
Chapter 2: Procedures
  Installing the HSM
  Installing the nCipher software and creating the security world
  Installing and building OpenSSL
  Installing the Apache HTTP Server
  Configuring the Apache HTTP Server to use the HSM

Chapter 1: Introduction

Apache, also known as Apache HTTP Server, is an established standard in the online distribution of Web site services, and provided the initial boost for the expansion of the World Wide Web. It is an open-source web server platform, which guarantees the online availability of the majority of the Web sites active today. The server is aimed at serving many of the popular modern web platforms and operating systems, such as Microsoft Windows, UNIX, Linux, and Solaris. This guide describes how to integrate a Thales nCipher product line Hardware Security Module (HSM) with the Apache HTTP Server. Offloading the cryptographic operations to the HSM provides significant performance improvements, and the HSM provides extra security by protecting and managing the server’s high-value SSL private key within its FIPS 140-2 certified hardware.

The benefits of using a Thales HSM with the Apache HTTP Server include:
• Secure storage of the private key.
• FIPS 140-2 level 3 validated hardware.
• Improved server performance by offloading the cryptographic processing.
• Full life cycle management of the keys.
• Failover support.
• Load balancing between HSMs.

You use the Thales nCipher software CHIL (Cryptographic Hardware Interface Library) interface to integrate the HSM and Apache HTTP Server. The integration between the HSM and the server has been tested for the following combinations.

| Operating system | Apache / OpenSSL version | nCipher software version | nShield Solo PCI module support | nShield Solo PCIe module support | nShield Connect support |
|---|---|---|---|---|---|
| Red Hat Enterprise Linux 5.4 64-bit | 2.2.15 / 1.0.0a | | | | |
| Red Hat Enterprise Linux 5.4 32-bit | 2.2.15 / 1.0.0a | 11.40 | Yes | — | Yes |
| Solaris 10 for SPARC | 2.2.15 / 1.0.0a | 11.30 | Yes | Yes | — |

For more information about OS support, contact your Apache HTTP Server sales representative or Thales Support. For more information about contacting Thales, see Addresses at the end of this guide.

Additional documentation produced to support your Thales product can be found in the document directory of the CD-ROM or DVD-ROM for that product.

Note Throughout this guide, the term HSM refers to nShield Solo modules and nShield Connect units. (nShield Solo products were formerly known as nShield.)

Supported nCipher functionality

| Feature | Supported | Feature | Supported | Feature | Supported |
|---|---|---|---|---|---|
| Key Generation | Yes | 1-of-N Operator Card Set | Yes | Strict FIPS Support | Yes |
| Key Management | Yes | K-of-N Operator Card Set | Yes | Load Sharing | Yes |
| Key Import | Yes | Softcards | Yes | Fail Over | Yes |
| Key Recovery | Yes | Module-only Key | Yes | | |

Requirements

Before starting the integration process, familiarize yourself with:
• The documentation for the HSM.
• The documentation and setup process for the Apache HTTP server.

Before using the Thales nCipher software, you need to know:
• The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and the policy for managing these cards.
• Whether the application keys are protected by the module or an Operator Card Set (OCS) with or without a pass phrase.
• The number and quorum of Operator Cards in the OCS, and the policy for managing these cards.
• Whether the security world should be compliant with FIPS 140-2 level 3.

For more information, refer to the Quick Start Guide or Hardware Installation Guide for the HSM.


Chapter 2: Procedures

The integration process involves the following steps:
1 Install the HSM.
2 Install the nCipher software and create the security world.
3 Install and build OpenSSL.
4 Install the Apache HTTP Server.
5 Configure the Apache HTTP Server to use the HSM.

All these procedures are described in the following sections.

Installing the HSM

Install the HSM by following the instructions in the Quick Start Guide or Hardware Installation Guide for the HSM. We recommend that you install the HSM before configuring the nCipher software with your Apache HTTP Server.

Installing the nCipher software and creating the security world

1 On the computer that you want to make the Apache HTTP Server, install the latest version of the nCipher software, with the CHIL components selected, as described in the Quick Start Guide for the HSM.

Note We recommend that you uninstall any existing nCipher software before installing the new nCipher software.

2 Create the security world as described in the Quick Start Guide, creating the ACS and OCS that you require.

Installing and building OpenSSL

To install and build OpenSSL:

1 Log into the computer as a root user with administrative privileges.
2 Create the directory in which OpenSSL is to be built:

mkdir openssl_dir

3 Download the latest openssl-1.0.0a.tar.gz file from: http://www.openssl.org/source.
4 Copy the openssl-1.0.0a.tar.gz file into the openssl_dir directory that you created.
5 Navigate to the openssl_dir directory.
6 Decompress the openssl-1.0.0a.tar.gz file:

gzip -d openssl-1.0.0a.tar.gz

7 Untar the openssl-1.0.0a.tar file:

tar -xvf openssl-1.0.0a.tar

8 Navigate to the openssl_dir/openssl-1.0.0a directory.
9 If you are using Solaris 10 for SPARC, set the following environment variables:

export PATH=$PATH:/usr/ccs/bin
export PATH=$PATH:/usr/local/ssl
export PATH=$PATH:/usr/local/ssl/bin
export PATH=$PATH:/usr/sfw/bin
export PATH=$PATH:/usr/local/bin
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/ssl/lib

If you are using Red Hat Enterprise Linux 5.4, you do not need to set these environment variables.

10 If you are using Solaris 10 for SPARC, ensure that the latest versions of the following utilities are installed: apr, aprutil, gcc, libgcc, libiconv, and libgcrypt.


12 Build OpenSSL:

make

make install

Installing the Apache HTTP Server

To install the Apache HTTP Server:

1 Log in as a root user with administrative privileges.
2 Create the directory in which Apache 2.2 is to be built:

mkdir apache_dir

3 Download the httpd-2.2.15.tar.gz file from: http://httpd.apache.org/download.cgi.
4 Copy the httpd-2.2.15.tar.gz file into the apache_dir directory that you created.
5 Navigate to the apache_dir directory.
6 Decompress the httpd-2.2.15.tar.gz file:

gzip -d httpd-2.2.15.tar.gz

7 Untar the httpd-2.2.15.tar file:

tar -xvf httpd-2.2.15.tar

8 If you are using Red Hat Enterprise Linux 5.4 64-bit, configure the openssl library:

cd /usr/local/ssl
rm -r lib
cp -r lib64 lib

9 Navigate to the apache_dir/httpd-2.2.15 directory.
10 Configure Apache:


11 Build Apache:

make

make install

Configuring the Apache HTTP Server to use the HSM

To configure the Apache HTTP Server to use the HSM:

1 Open the /usr/local/apache2/conf/httpd.conf file in a text editor. Locate the following line:

#Include conf/extra/httpd-ssl.conf

2 Remove the comment mark (#), and then save the file.
3 Create the ssl.key and ssl.crt directories within the /usr/local/apache2/conf/ directory.
4 Generate an embedded key by using the generatekey command-line utility:

/opt/nfast/bin/generatekey embed

Generating a key with this utility stores the following information (where key_name represents the name given to the key being generated):
- The key, in the key_name file.
- The X.509 self-certificate, in the key_name_selfcert file.
- The X.509 (base 64 encoded PKCS #10) certificate request, in the key_name_req file.

5 Copy the key_name file to the /usr/local/apache2/conf/ssl.key directory.
6 Copy the key_name_selfcert file to the /usr/local/apache2/conf/ssl.crt directory.
7 Create a preload directory, with root as user and nfast as group, within the /opt/nfast/kmdata


8 Open the /usr/local/apache2/conf/extra/httpd-ssl.conf file in a text editor, edit the file in the following way, and then save the file:
- Insert the following line anywhere before the SSL Virtual Host Context section:

SSLCryptoDevice chil

- Locate the following line:

SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server-dsa.crt

Rename server-dsa.crt to the generated self-certificate file.
- Locate the following line:

SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server-dsa.key

Rename server-dsa.key to the generated key file.
- Locate the following line:

ServerName www.example.com:443

Edit it to ensure that the name of the server matches the one specified when the key was generated.

9 Set and export the LD_LIBRARY_PATH environment variable:

LD_LIBRARY_PATH=/opt/nfast/toolkits/hwcrhk
export LD_LIBRARY_PATH


10 Start the SSL-enabled HSM-protected Apache HTTP Server by running one of the following commands, depending on the type of key protection you are using:
- Token-protected keys:

/opt/nfast/bin/preload -f /var/run/nfast/apache --cardset-name=<token_name> /usr/local/apache2/bin/httpd -k start

Use the appropriate value for <token_name>.
- Softcard-protected keys:

/opt/nfast/bin/ppmk --preload -f /var/run/nfast/apache <softcard_name> /usr/local/apache2/bin/httpd -k start

Use the appropriate value for <softcard_name>.
- Module-protected keys:

/opt/nfast/bin/preload -M -f /var/run/nfast/apache /usr/local/apache2/bin/httpd -k start
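The httpd-ssl.conf edits of step 8 are the point at which a mistake silently leaves Apache using a software key instead of the HSM key, so it is worth making them mechanically and checking them before starting httpd under preload. The script below is an added example and not part of the Thales guide: it applies the step-8 edits to a constructed miniature of the stock httpd-ssl.conf (containing only the lines the procedure touches) and then checks that every edit is present. The directive names and paths are the guide's; the key name apachekey (giving the files apachekey and apachekey_selfcert), the server name www.example.com and the temporary working directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the Thales guide: apply the step-8 edits to a copy
# of httpd-ssl.conf and verify them. Assumed: the key was generated with the
# name "apachekey" for the server name www.example.com.
set -eu

# Constructed miniature of the stock httpd-ssl.conf; only the lines the
# procedure touches are present.
write_sample_conf() {
    cat > "$1" <<'EOF'
Listen 443
SSLPassPhraseDialog builtin
## SSL Virtual Host Context
<VirtualHost _default_:443>
DocumentRoot "/usr/local/apache2/htdocs"
ServerName www.example.com:443
SSLEngine on
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server-dsa.crt
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server-dsa.key
</VirtualHost>
EOF
}

# configure_ssl_conf CONF KEY_NAME SERVER_NAME
# Inserts "SSLCryptoDevice chil" before the SSL Virtual Host Context section
# (only once, so re-running is safe), points SSLCertificateFile at
# key_name_selfcert and SSLCertificateKeyFile at key_name, and sets ServerName
# to the name the key was generated for.
configure_ssl_conf() {
    conf=$1 key=$2 host=$3
    awk -v key="$key" -v host="$host" '
        /^SSLCryptoDevice /       { done = 1 }
        /^## SSL Virtual Host Context/ && !done { print "SSLCryptoDevice chil"; done = 1 }
        /^ServerName /            { $0 = "ServerName " host ":443" }
        /^SSLCertificateFile /    { sub(/server-dsa\.crt$/, key "_selfcert") }
        /^SSLCertificateKeyFile / { sub(/server-dsa\.key$/, key) }
        { print }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# check_ssl_conf CONF KEY_NAME
# Succeeds only when every step-8 edit is present: the CHIL engine directive
# precedes the virtual host, the certificate and key directives name the
# generated files, and no reference to the sample server-dsa files remains.
check_ssl_conf() {
    conf=$1 key=$2
    grep -q '^SSLCryptoDevice chil$' "$conf" || return 1
    grep -q "^SSLCertificateFile /usr/local/apache2/conf/ssl.crt/${key}_selfcert\$" "$conf" || return 1
    grep -q "^SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/${key}\$" "$conf" || return 1
    if grep -q 'server-dsa' "$conf"; then return 1; fi
    engine_line=$(grep -n '^SSLCryptoDevice' "$conf" | head -n 1 | cut -d: -f1)
    vhost_line=$(grep -n '^<VirtualHost' "$conf" | head -n 1 | cut -d: -f1)
    [ "$engine_line" -lt "$vhost_line" ]
}

# Stand-alone run: edit a throwaway copy, check it and show the result.
demo() {
    work=${TMPDIR:-/tmp}/chil-conf-demo.$$
    mkdir -p "$work"
    write_sample_conf "$work/httpd-ssl.conf"
    configure_ssl_conf "$work/httpd-ssl.conf" apachekey www.example.com
    check_ssl_conf "$work/httpd-ssl.conf" apachekey && echo "httpd-ssl.conf: CHIL configuration verified"
    cat "$work/httpd-ssl.conf"
    rm -rf "$work"
}
demo
```

check_ssl_conf can be pointed at the real /usr/local/apache2/conf/extra/httpd-ssl.conf (with the key name you chose in step 4) as a pre-start check before step 10; a failure means httpd would either refuse to start or serve with a key the HSM does not hold.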


Internet addresses

Americas

2200 North Commerce Parkway, Suite 200, Weston, Florida 33326, USA Tel: +1 888 744 4976 or + 1 954 888 6200


Europe, Middle East, Africa

Meadow View House, Long Crendon, Aylesbury, Buckinghamshire HP18 9EQ, UK Tel: + 44 (0)1844 201800


Asia Pacific

Units 4101, 41/F. 248 Queen’s Road East, Wanchai, Hong Kong, PRC Tel: + 852 2815 8633


Web site: www.thalesgroup.com/iss

Support: http://iss.thalesgroup.com/en/Support.aspx
Online documentation: http://iss.thalesgroup.com/Resources.aspx

International sales offices: http://iss.thalesgroup.com/en/Company/Contact%20Us.aspx
