
Integration Guide

Microsoft Internet Information Services

(IIS) 7.0 and nCipher Modules

• Windows Server 2008 (32-bit and 64-bit)

These installation instructions are intended to provide step-by-step instructions for installing nCipher software with third-party software. These instructions do not cover all situations and are intended as a supplement to the nCipher documentation provided with nCipher products.

Disclaimer: nCipher Corporation Ltd disclaims all liabilities regarding third-party products and only provides warranties and liabilities with its own products as addressed in the Terms and Conditions for Sale. nCipher is a registered trademark of nCipher Corporation Limited. Any other trademarks referenced in this document are the property of the respective trademark owners. © Copyright 2008 nCipher Corporation Ltd, Cambridge, United Kingdom.

Document version 1.3

02-May-2008


Table of Contents

1. INTRODUCTION... 2

2. OVERVIEW... 2

3. SUPPORTED NCIPHER FUNCTIONALITY... 2

4. REQUIREMENTS... 2

5. PROCEDURES... 3

6. INSTALLING THE NCIPHER HSM ... 3

7. INSTALLING THE NCIPHER SUPPORT SOFTWARE (NCSS)... 3

7.1. RESULTS OF THIS PROCEDURE... 3

7.2. TO INSTALL NCSS-WIN-USER-11.03 ... 3

8. CREATING THE NCIPHER SECURITY WORLD... 4

8.1. CREATING THE ADMINISTRATOR CARD SET... 4

8.2. CREATING THE OPERATOR CARD SET... 5

8.3. COMPLETING THE SECURITY WORLD SETUP... 5

9. INSTALLING IIS7.0... 5

10. CREATING A CERTIFICATE REQUEST... 5

10.1. REQUIREMENTS... 5

10.2. PRELIMINARY STEPS... 5

10.3. CREATING THE CERTIFICATE REQUEST... 7

11. INSTALLING A CERTIFICATE... 7

11.1. MAKING THE CERTIFICATE AVAILABLE FOR USE IN IIS... 7

11.2. BINDING THE CERTIFICATE WITH A SECURE IIS WEB SERVER... 7

12. FURTHER INFORMATION... 7


Version 1.3, 02-May-2008 Page 2

1. Introduction

This guide explains how to integrate an nCipher Hardware Security Module (nShield or netHSM) with Microsoft Internet Information Services (IIS) 7.0. It assumes that you have read the nShield Quick Start Guide and the netHSM Quick Start Guide and are familiar with the IIS7 documentation and setup process.

Note: All nCipher documentation is available at: http://www.ncipher.com/documentation

2. Overview

The nCipher module integrates with Microsoft IIS 7.0 to provide full key life-cycle management with FIPS-certified hardware and to reduce the cryptographic load on the host server CPU.

There are several benefits to using an nCipher module with IIS 7.0:

1. uses hardware validated to the FIPS 140-2 standards
2. improves server performance by offloading cryptographic processing
3. enables secure storage of the IIS keys
4. enables management of the full life cycle of the keys
5. provides fail-over support where multiple HSMs are available

Integration of the nCipher module with IIS 7.0 has been tested in the following configurations:

Operating System                 nCipher Version   Microsoft IIS Version   nShield Support   netHSM Support
Windows Server 2008 Enterprise   11.03             7.0                     Yes               Yes

3. Supported nCipher functionality

• Softcards
• Key management
• Strict FIPS support*
• Key recovery
• Module-only key
• K of N card set
• Key generation
• Key import
• Fail-over
• Fall back
• Load balancing
• Preload support

* Microsoft IIS7 does not support Strict FIPS with ECDSA.

4. Requirements

Before running the setup program, you need to know:

• whether the application keys are protected by the module or an Operator Card Set (OCS). The card set must not have a pass phrase
• whether the security world is compliant with FIPS 140-2 Level 3

For more information on administering an nCipher module, see the nShield User Guide or the netHSM User Guide, as appropriate.

5. Procedures

To integrate an nCipher Hardware Security Module (HSM) with IIS 7.0, you:

1. install the nCipher HSM
2. install the nCipher Support Software (nCSS-win-user-11.03)
3. create the nCipher security world
4. install IIS 7.0
5. create a certificate request
6. install the certificate

6. Installing the nCipher HSM

Refer to the nCipher Hardware Installation Guide for full instructions.

Note: nCipher recommends installing the hardware before the software.

7. Installing the nCipher Support Software (nCSS)

7.1. Results of this procedure

• installation of the nCipher software
• CNG and CSP wizard shortcuts in Start > Program Files > nCipher
• verification that the software is correctly installed

7.2. To install nCSS-win-user-11.03

1. Log in as the Local Administrator or as a user with local Administrator privileges.

2. Insert the CD into the CD-ROM drive. If autorun is disabled, start the installation by clicking setup.exe in the root directory. The default installation folder is %NFAST_HOME%\bin.

3. Progress to the Select Components screen, where you select nCipher components for installation. The recommended minimum set of components to install is:

• Core Tools
• Crypto API CSP GUI and console Installers
• nCipher CAPI-NG Providers and Tools
• Hardware Support (mandatory)


4. Click Next and complete the remaining stages of the installation wizard. nCipher recommends that before continuing you verify that the software has been installed successfully. To do this, perform the next step.

5. Open a Command Prompt window and run the nCipher command line utility enquiry (the default install folder location is %NFAST_HOME%\bin). The output should show that both the server and module are in operational mode. It will also show the electronic serial number unique to the module.

6. Record this serial number. You will need it if you ever contact nCipher support. If enquiry.exe returns an error, contact nCipher support now.
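The verification in steps 5 and 6 can be scripted so that the check is repeatable (for example after a reboot or a hardware swap). The following PowerShell function is an added example and is not part of this nCipher guide; it runs enquiry.exe, fails unless the server and every module report operational mode, and returns each module's serial number for your records. It assumes that enquiry.exe is in %NFAST_HOME%\bin and that its output uses "Server:" and "Module #n:" section headers followed by indented "mode" and "serial number" fields; the guide itself does not specify the exact layout.

```powershell
# Added example, not part of the nCipher guide: run enquiry.exe and check that
# the hardserver ("Server:" section) and every "Module #n:" section report
# "mode  operational", then return each module's electronic serial number.
# Assumptions: enquiry.exe lives in %NFAST_HOME%\bin and prints section
# headers "Server:" / "Module #1:" with indented "mode" and "serial number"
# fields; the exact layout is not specified by the guide.

function Test-NCipherEnquiry {
    param(
        [string]$EnquiryPath = (Join-Path $env:NFAST_HOME 'bin\enquiry.exe')
    )
    if (-not (Test-Path $EnquiryPath)) {
        throw "enquiry.exe not found at '$EnquiryPath'. Is nCSS installed?"
    }

    $output = & $EnquiryPath 2>&1
    if ($LASTEXITCODE -ne 0) {
        # The guide says to contact nCipher support if enquiry returns an error.
        throw "enquiry.exe exited with code $($LASTEXITCODE):`n$($output -join "`n")"
    }

    # Collect mode and serial number per section.
    $sections = @{}
    $current  = $null
    foreach ($line in $output) {
        if ($line -match '^(Server|Module #\d+):') {
            $current = $Matches[1]
            $sections[$current] = @{ Mode = $null; Serial = $null }
        }
        elseif ($current -and $line -match '^\s*mode\s+(\S+)') {
            $sections[$current].Mode = $Matches[1]
        }
        elseif ($current -and $line -match '^\s*serial number\s+(\S+)') {
            $sections[$current].Serial = $Matches[1]
        }
    }

    if (-not $sections.ContainsKey('Server')) {
        throw 'enquiry output has no Server section; the hardserver may not be running.'
    }
    $modules = @($sections.Keys | Where-Object { $_ -like 'Module #*' })
    if ($modules.Count -eq 0) {
        throw 'enquiry reports no modules; check the hardware installation.'
    }

    # Both the server and each module must be operational before continuing.
    $problems = @()
    foreach ($name in (@('Server') + $modules)) {
        $mode = $sections[$name].Mode
        if ($mode -ne 'operational') {
            $problems += "$name is in mode '$mode', expected 'operational'"
        }
    }
    if ($problems.Count -gt 0) { throw ($problems -join "`n") }

    # One record per module; record the SerialNumber for support calls.
    foreach ($name in $modules) {
        New-Object PSObject -Property @{
            Module       = $name
            SerialNumber = $sections[$name].Serial
        }
    }
}

Test-NCipherEnquiry | Format-Table Module, SerialNumber -AutoSize
```

Run it from an elevated PowerShell prompt after the installer finishes. A thrown error corresponds to the guide's "contact nCipher support now" condition; a table of serial numbers means step 5 passed and gives you the value step 6 asks you to record.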

8. Creating the nCipher security world

The nCipher security world performs key management functions. You can use the CNG configuration wizard to create the security world for straightforward setups with nShields. If you are using a netHSM, or for more advanced security world setups, consult the nShield/netHSM user guides. If you create a security world by another means, run the wizard with the “Use the existing security world” option to register the CNG Providers.

The CNG configuration wizard can:

• create a new security world
• add a module to an existing security world
• create Operator Card Sets, including K of N sets
• install nCipher’s Cryptography API: Next Generation (CNG) Cryptographic Service Providers

8.1. Creating the Administrator card set

1. Log in as Local Administrator or as a user with local Administrator privileges.

2. To start the CNG configuration wizard for x86 and x64, choose Start > Program Files > nCipher > CNG configuration wizard.

3. In the “Welcome to nCipher Support Software Configuration wizard”, click Next.

4. Select Create a new security world.

5. Click Next.

6. Put the module into pre-initialization mode. (For full instructions on changing the module mode, refer to the nShield User Guide for Windows.)

7. Click Next. A prompt appears requesting Administrator Card Set Properties, namely the quorum and whether the security world should be FIPS compliant.

8. Indicate the appropriate policy decisions in the wizard and click Next. The Module Programming Options page prompts you to decide whether the module should be enabled as a remote share target.

9. Click Next. You may need to wait a few seconds for the next wizard page to appear.

10. You are now prompted to insert each of the “n” Administrator cards and decide if a pass phrase is required for each card. Once the wizard has written the ACS, it prompts you to set the module to the operational mode.


11. Set the module to the operational mode.

8.2. Creating the Operator card set

The Key Protection Setup wizard prompts you for the method of key protection: module key or Operator Card Set (OCS), and associated quorum. Other options to consider are card set persistence, time out and remote usage.

Note: if you select OCS protection, the card set must be 1-of-n and must not use a pass phrase if keys to be protected by the OCS will be used with IIS.

1. Select the appropriate settings.

2. Click Next.

8.3. Completing the security world setup

1. In the Software Installation window, click Next.

2. In the next screen, click Finish.

You have now set up the security world and the CNG wizard has registered the nCipher CNG providers (nCipher Primitive Provider and nCipher Security World Key Storage Provider).

9. Installing IIS 7.0

1. Open Server Manager: Start > Administrative Tools > Server Manager > Add Roles > WebServer.

2. Select the Default (or desired) components and finish the wizard to install IIS7.0.

3. Execute the following command to make the web server service depend on the “nFast Server” service:

ncsvcdep.exe -a http

Note: The ncsvcdep.exe utility is in the %NFAST_HOME%\bin directory.
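The dependency matters because HTTP.sys terminates the SSL connections for IIS and needs the hardserver running before it can use an HSM-held key; if the order is wrong after a reboot, HTTPS bindings silently fail. The following PowerShell function is an added example, not part of this guide, that reads the HTTP service's DependOnService value from the registry to confirm that ncsvcdep.exe -a http took effect. It assumes the hardserver is registered under the service name "nFast Server"; adjust the parameter if your installation registers it differently. HTTP is a kernel driver, so Get-Service does not list it, which is why the service key is read directly.

```powershell
# Added example, not part of the nCipher guide: confirm that the HTTP service
# (HTTP.sys, the kernel driver that terminates IIS SSL connections) lists the
# nFast Server service as a dependency, which is what ncsvcdep.exe -a http sets up.
# Assumption: the hardserver's service name is 'nFast Server'; change
# $NFastServiceName if it is registered under another name on your host.

function Test-HttpDependsOnNFast {
    param([string]$NFastServiceName = 'nFast Server')

    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP'
    $props = Get-ItemProperty -Path $key -ErrorAction Stop

    # DependOnService is REG_MULTI_SZ: one service name per entry.
    $deps = @($props.DependOnService)

    $ok = $deps -contains $NFastServiceName
    if ($ok) {
        Write-Host "HTTP depends on '$NFastServiceName' (all dependencies: $($deps -join ', '))"
    }
    else {
        Write-Warning ("HTTP does not depend on '$NFastServiceName'; " +
                       'run ncsvcdep.exe -a http from %NFAST_HOME%\bin and re-check.')
    }
    return $ok
}

Test-HttpDependsOnNFast
```

Because the check reads the service configuration rather than the running state, it is also useful as a post-reboot health check or as part of a build-verification script for a new web server.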

10. Creating a certificate request

10.1. Requirements

• The nCipher hardware must have been installed.
• The nCipher software must have been installed.
• An nCipher security world must have been created.
• If you are using an OCS, to adhere to IIS requirements it must be a 1-of-N with no pass phrase, where N is the number of cards in the set.

10.2. Preliminary steps

1. To make sure the nCipher Primitive Provider and nCipher Security World Key Storage Provider are listed, run the command cnglist.exe --list-providers.

Note: IIS Manager does not support the creation of certificates protected by CNG Keys and these need to be created using the Microsoft command line utilities.

Note: Your request.inf file does not have to contain exactly the code given in the following step. These are examples, not definitive models.

2. Generate a certificate request.

To generate a request for an SSL certificate linked to a 2K RSA key, create a file called request.inf with the following information:

[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "C=GB,CN=myhostname.com"
HashAlgorithm = SHA256
KeyAlgorithm = RSA
KeyLength = 2048
ProviderName = "nCipher Security World Key Storage Provider"
KeyUsage = 0xf0
MachineKeySet = True

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

Note: To generate a request for an SSL certificate linked to an ECDSA P384 key, create a file called request.inf with the following information.

Note: ECDSA is currently not supported by CA in Strict FIPS mode.

[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "C=GB,CN=myhostname.com"
HashAlgorithm = SHA384
KeyAlgorithm = ECDSA_P384
KeyLength = 384
ProviderName = "nCipher Security World Key Storage Provider"
KeyUsage = 0xf0
MachineKeySet = True

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

3. Specify the subject details of the Domain Controller which is issuing the certificate.

4. Specify the key algorithm and key length as required (e.g. RSA).

5. Specify the Provider name as “nCipher Security World Key Storage Provider”.

6. Save the above content in the file request.inf.

10.3. Creating the certificate request

• To create the certificate request for the Certification Authority, execute the command:

certreq.exe -new request.inf request.req

This creates a certificate request file request.req that can be sent to a Certificate Authority.
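Sections 10.2 and 10.3 together are one procedure: write request.inf, run certreq -new, and confirm that the private key was actually generated inside the HSM rather than by a software provider. The following PowerShell function is an added example and is not part of this nCipher guide. It generates the INF for either the RSA 2048 or the ECDSA P384 variant shown above, runs certreq.exe, and then uses certutil.exe to list the key containers held by the nCipher Security World Key Storage Provider and checks that the new container is among them. Two things are assumptions of this example rather than content of the guide: the KeyContainer entry (a valid certreq INF key, named here so the key can be found afterwards) and that certreq.exe and certutil.exe are on the PATH. Exportable is deliberately left at its default of False so the private key never leaves the HSM.

```powershell
# Added example, not part of the nCipher guide: write request.inf for a key
# held in the nCipher Security World Key Storage Provider, run certreq -new,
# and confirm that the new key container is listed by that provider.
# Assumptions: certreq.exe and certutil.exe are on PATH; the KeyContainer
# name is chosen by this example (not by the guide) so the key can be found
# afterwards; Exportable stays at its default (False) so the private key
# never leaves the HSM.

function New-HsmCertRequest {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [ValidateSet('RSA', 'ECDSA_P384')][string]$KeyAlgorithm = 'RSA',
        [string]$Country = 'GB',
        [string]$OutDir  = (Get-Location).Path
    )

    $provider  = 'nCipher Security World Key Storage Provider'
    $container = "IIS-$HostName-$KeyAlgorithm"   # assumed container name
    if ($KeyAlgorithm -eq 'RSA') { $hash = 'SHA256'; $keyLength = 2048 }
    else                         { $hash = 'SHA384'; $keyLength = 384 }

    # Mirrors the guide's request.inf; Signature needs the literal $Windows NT$.
    $inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "C=$Country,CN=$HostName"
HashAlgorithm = $hash
KeyAlgorithm = $KeyAlgorithm
KeyLength = $keyLength
ProviderName = "$provider"
KeyContainer = "$container"
KeyUsage = 0xf0
MachineKeySet = True

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@

    $infPath = Join-Path $OutDir 'request.inf'
    $reqPath = Join-Path $OutDir 'request.req'
    Set-Content -Path $infPath -Value $inf -Encoding ASCII

    $out = & certreq.exe -new $infPath $reqPath 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "certreq -new failed:`n$($out -join "`n")"
    }

    # certutil -csp <provider> -key lists the key containers that KSP holds;
    # the new container must appear there, i.e. the key was generated in the HSM.
    $keys  = & certutil.exe -csp $provider -key 2>&1
    $inHsm = [bool]($keys | Where-Object { $_ -like "*$container*" })
    if (-not $inHsm) {
        throw "Key container '$container' was not found in '$provider'."
    }

    New-Object PSObject -Property @{
        RequestFile  = $reqPath
        KeyContainer = $container
        KeyAlgorithm = $KeyAlgorithm
    }
}

# Usage (run elevated, because MachineKeySet = True creates a machine key):
#   New-HsmCertRequest -HostName myhostname.com                          # RSA 2048
#   New-HsmCertRequest -HostName myhostname.com -KeyAlgorithm ECDSA_P384
```

The certutil check is the part worth keeping even if you write the INF by hand: a request that succeeds but whose key shows up under the Microsoft Software Key Storage Provider instead means the ProviderName line was wrong or the nCipher providers were not registered (see the cnglist.exe check in section 10.2), and the resulting certificate would not be HSM-protected.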

11. Installing a certificate

After creating the certificate request, you obtain the certificate by using the CA web interface or Server Manager to send the request to the Certificate Authority.

11.1. Making the certificate available for use in IIS

• To make the certificate available for use in IIS, execute the command certreq.exe -accept somecert.cer, where somecert.cer is the binary certificate exported from the CA.

11.2. Binding the certificate with a secure IIS web server

To bind the certificate with a secure IIS web server:

1. Open the IIS Manager from Start > Program Files > Administrative Tools > Internet Information Services (IIS) Manager.

2. If necessary, insert an operator card for your certificate.

3. Under Sites on the left hand side of the IIS Manager Window, select the desired Web site.

4. On the right hand side of the IIS Manager, click the Bindings link.

5. In the Site Bindings window, click Add.

6. Select the protocol https.

7. Select the certificate from the drop-down list.

8. To complete the certificate binding for SSL connection, click OK.

9. Open a browser and type https://myhostname. If necessary, accept the certificate in the browser to continue with SSL connection to the IIS7 web server.
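Sections 11.1 and 11.2 leave two things unverified that a practitioner usually wants confirmed: that the certificate now in the machine store is linked to a private key in the nCipher KSP (not a software key that happened to match), and that the certificate HTTP.sys is serving on the HTTPS port is that certificate. The following PowerShell is an added example, not part of this nCipher guide. Install-HsmCertificate wraps the certreq -accept step; Test-HsmCertBinding locates the certificate by CN in LocalMachine\My, asks certutil.exe which provider holds its key (the .NET 3.5 PrivateKey property cannot open CNG keys, hence certutil), and compares the certificate hash that netsh http show sslcert reports for the port with the certificate's thumbprint. It assumes the https binding was added for all addresses on port 443 (ipport 0.0.0.0:443) and that certreq.exe, certutil.exe and netsh.exe are on the PATH.

```powershell
# Added example, not part of the nCipher guide: accept the CA-issued
# certificate, then check that the certificate in LocalMachine\My has its
# private key in the nCipher Security World Key Storage Provider and is the
# one bound to the HTTPS port. Assumptions: binding is on 0.0.0.0:443;
# certreq.exe, certutil.exe and netsh.exe are on PATH.

function Install-HsmCertificate {
    param([Parameter(Mandatory = $true)][string]$CerPath)
    $out = & certreq.exe -accept $CerPath 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed:`n$($out -join "`n")" }
}

function Test-HsmCertBinding {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [string]$IpPort = '0.0.0.0:443'
    )
    $provider = 'nCipher Security World Key Storage Provider'

    # Newest certificate for the host name in the machine store.
    $cnPattern = 'CN=' + [regex]::Escape($HostName) + '(,|$)'
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match $cnPattern } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate for CN=$HostName in LocalMachine\My." }
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $($cert.Thumbprint) has no private key linked; did certreq -accept run on this host?"
    }

    # certutil prints a 'Provider = ...' line for the key behind a store entry.
    $store    = & certutil.exe -store My $cert.Thumbprint 2>&1
    $provLine = $store | Where-Object { $_ -match '^\s*Provider\s*=' } | Select-Object -First 1
    $provPattern = [regex]::Escape($provider)
    $keyInHsm = ($provLine -ne $null) -and ($provLine -match $provPattern)

    # The SSL binding HTTP.sys actually serves: compare its hash with the thumbprint.
    $ssl      = & netsh.exe http show sslcert ipport=$IpPort 2>&1
    $hashLine = $ssl | Where-Object { $_ -match 'Certificate Hash\s*:' } | Select-Object -First 1
    $boundHash = $null
    if ($hashLine) { $boundHash = ([regex]::Match($hashLine, '[0-9A-Fa-f]{40}')).Value }

    New-Object PSObject -Property @{
        Thumbprint  = $cert.Thumbprint
        KeyInHsm    = $keyInHsm
        BoundHash   = $boundHash
        BoundToPort = ($boundHash -ne $null -and
                       $boundHash.ToUpper() -eq $cert.Thumbprint.ToUpper())
    }
}

# Usage (run elevated):
#   Install-HsmCertificate -CerPath C:\certs\somecert.cer
#   Test-HsmCertBinding -HostName myhostname.com | Format-List
```

KeyInHsm = False with HasPrivateKey = True is the case to watch for: the certificate works, but the key is in a software provider and none of the section 2 benefits apply. BoundToPort = False after the IIS Manager steps usually means the binding was added to a different site or address than the one netsh was asked about; netsh http show sslcert with no ipport argument lists every binding.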

12. Further information

This guide forms one part of the information and support provided by nCipher. Additional documentation produced to support your nCipher product can be found in the document directory of the CD-ROM for that product.

All nCipher product documentation is available from the nCipher web site at


12.1. Contact details

nCipher Corporation
Cambridge, UK
Jupiter House
Station Road
Cambridge CB1 2JD
UK
Tel: +44 (0) 1223 723666
Fax: +44 (0) 1223 723601
E-mail: [email protected]

nCipher Inc.
Boston Metro Region, USA
92 Montvale Avenue, Suite 4500
Stoneham MA 02180
USA
Tel: +1 (781) 994 4008
Fax: +1 (781) 994 4001
E-mail: [email protected]

Web site: http://www.ncipher.com/
