
Thales nShield HSM

ADRMS Integration Guide for Windows Server

2008 and Windows Server 2008 R2


Version: 1.0

Date: 11 June 2012

Copyright 2012 Thales e-Security Limited. All rights reserved.


Copyright in this document is the property of Thales e-Security Limited. It is not to be reproduced, modified, adapted, published, translated in any material form (including storage in any medium by electronic means whether or not transiently or incidentally) in whole or in part nor disclosed to any third party without the prior written permission of Thales e-Security Limited neither shall it be used otherwise than for the purpose for which it is supplied.

CodeSafe, KeySafe, nCipher, nFast, nForce, nShield, payShield, and Ultrasign are registered trademarks of Thales e-Security Limited.

CipherTools, CryptoStor, CryptoStor Tape, keyAuthority, KeyVault, nCore, netHSM, nFast Ultra, nForce Ultra, nShield Connect, nToken, SafeBuilder, SEE, and Trust Appliance are trademarks of Thales e-Security Limited. All other trademarks are the property of the respective trademark holders.

Information in this document is subject to change without notice.

Thales e-Security Limited makes no warranty of any kind with regard to this information, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Thales e-Security Limited shall not be liable for errors contained herein or for incidental or consequential damages concerned with the furnishing, performance or use of this material.

These installation instructions are intended to provide step-by-step instructions for installing Thales software with third-party software. These instructions do not cover all situations and are intended as a supplement to the documentation provided with Thales products. Disclaimer: Thales e-Security Limited disclaims all liabilities regarding third-party products and only provides warranties and liabilities with its own products as addressed in the Terms and Conditions for Sale.


Contents

Chapter 1: Introduction
  Supported Thales nShield functionality
  Requirements

Chapter 2: Procedures
  Install the HSM
  Install the nShield support software and create the security world
  Set up the infrastructure
  Install and configure AD RMS
    Add ADRMSADMIN to the Enterprise Admins group
    Install Active Directory Certificate Services (Standalone root CA)
    Create a new alias (CNAME)
    Install and configure AD RMS as a root cluster
    Open the Active Directory Rights Management Services console
  Verify AD RMS functionality
  Uninstall AD RMS
    Unregister AD RMS Service Connection Point (SCP)

Chapter 3: Troubleshooting


Chapter 1: Introduction

This guide explains how to integrate Active Directory Rights Management Services (AD RMS) with a Thales nShield Hardware Security Module (HSM). We have thoroughly tested the instructions in this document. They provide a straightforward integration process. There may be other untested ways to achieve interoperability. This document may not describe every step of the software setup process.

This document assumes that you have read your HSM documentation, and that you are familiar with the documentation and setup process for Active Directory Rights Management Services (AD RMS). The HSM secures the AD RMS Cluster Key generated and used by the AD RMS. You can integrate the AD RMS with an HSM by using the nCipher MSCAPI interface. The benefits of using an nShield HSM with the AD RMS are:

• Secure storage of the AD RMS Cluster Key.

• FIPS 140-2 level 3 validated hardware.

• Full life cycle management of the keys.

• Failover support.

• Load-balancing between modules.

For more information about Active Directory Rights Management Services Overview, see the online documentation at http://technet.microsoft.com/en-us/library/cc771627.aspx.

The integration between the HSM and the AD RMS has been successfully tested in the following configurations:

Operating system | AD RMS version | Security World Software version | nShield Solo support | nShield Connect support | nShield Edge support
Windows Server 2008 32 bit SP1 | | | | |
Windows Server 2008 64 bit SP1 | 2.0 | 11.50 | Yes | Yes | Yes
Windows Server 2008 R2 64 bit SP1 | 2.0 | 11.50 | Yes | Yes | Yes

For more information about OS support, contact your Microsoft sales representative or Thales Support. For more information about contacting Thales, see Addresses at the end of this guide. Additional documentation produced to support your Thales nShield product is in the document directory of the CD-ROM or DVD-ROM for that product.

Note Throughout this guide, the term HSM refers to nShield Solo modules, netHSM, and nShield Connect products. (nShield Solo products were formerly known as nShield.)

Supported Thales nShield functionality

You can access the following Thales nShield functionality when you integrate an HSM with the AD RMS.

Functionality | Supported
Key Generation | Yes
Key Management | Yes
Key Import | —
Key Recovery | Yes
Load Balancing | Yes
Fail Over | Yes
Module-only Key | Yes
Soft Cards | —
K-of-N Card Set | —
FIPS 140-2 level 3 | Yes

Requirements

Before you begin the integration process, ensure that you familiarize yourself with the documentation and setup process for the AD RMS and have access to a copy of the User Guide. You need to know the following information before you run the setup program:

• The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and a policy for managing these cards.

• Whether the application keys are protected by the module or an Operator Card Set (OCS).

• The number and quorum of Operator Cards in the OCS, and a policy for managing these cards.

• Whether the security world must comply with FIPS 140-2 Level 3.

• Key attributes, such as the key size, persistence, and time out.

For more information on administering an nShield module, see the User Guide.

Note K/N functionality is not currently supported, which means you must create a 1/N OCS.


Chapter 2: Procedures

The installation and configuration is performed in several steps:

1 Install the HSM.

2 Install the Security World Software and configure the nShield HSM.

3 Set up the infrastructure.

4 Install and configure AD RMS.

5 Verify AD RMS functionality.

6 Uninstall AD RMS.

Install the HSM

Install the HSM using the instructions in the Quick Start Guide for the HSM. We recommend that you install the HSM before configuring nShield support software.

Install the nShield support software and create the security world

To install the nShield support Software and create the security world:

1 Install the latest version of the nShield support software as described in the User Guide.

Note We recommend that you always uninstall any existing nShield support software before installing the new nShield support software.

2 Initialize a security world using the MSCAPI wizard, with either module protection or a 1/N OCS without a passphrase as the key protection method.

Note Do not select the Always use the wizard when creating or importing keys option while creating the security world.

Set up the infrastructure

To prepare your AD RMS test environment in the NCIPHER domain, you must complete the following tasks:

1 Configure the domain controller on NCIPHER-DC.

2 Configure the AD RMS database computer on RMS-DB.

3 Configure the AD RMS root cluster computer on RMS-SRV.

4 Configure the AD RMS client computer on RMS-CLNT.

For more information about setting up the infrastructure, see the online documentation at http://technet.microsoft.com/en-us/library/cc772140.aspx.

Install and configure AD RMS

Server Manager handles the installation and configuration of AD RMS. The first server in an AD RMS environment is the root cluster. An AD RMS root cluster is composed of one or more AD RMS servers configured in a load-balancing environment. These step-by-step instructions explain how to install and configure a single-server AD RMS root cluster. Registering the AD RMS service connection point (SCP) requires that the installing user account is a member of the Active Directory Enterprise Admins group.

Add ADRMSADMIN to the Enterprise Admins group

To add ADRMSADMIN to the Enterprise Admins group:

1 Log on to NCIPHER-DC with the ncipher\Administrator account (or another user account in the Domain Admins group).

2 From the Start menu, select Administrative Tools > Active Directory Users and Computers.

3 In the console tree, expand ncipher.com, right-click Users and select New > User.

4 Enter the first name and full name adrmsadmin, and then click Next.

5 Enter the password for the user, click Next, and then click Finish.

6 Right-click adrmsadmin and go to Properties.


9 Click the Members tab, and then click Add.

10 Type adrmsadmin@ncipher.com, and then click OK.
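The console steps above can also be done from an elevated command prompt on NCIPHER-DC, which is useful when the account has to be checked or recreated in several test domains. The script below is an added example and is not part of the Thales guide; it uses the ncipher.com domain and the adrmsadmin account named in the guide, and the function name Test-GroupMembership is ours. It adds the account with net.exe and then confirms the membership with the dsquery/dsget tools that ship with the AD DS role, because the SCP registration in the root-cluster installation fails silently later if the membership did not take effect.

```powershell
# Added example, not part of the Thales guide: command-line equivalent of the
# Active Directory Users and Computers steps above, plus a membership check.
# Domain and account names are the guide's (ncipher.com, adrmsadmin).
$account = 'adrmsadmin'
$group   = 'Enterprise Admins'

# Add the account to the group (net.exe is built in; /domain targets the domain).
net group "$group" $account /add /domain

function Test-GroupMembership {
    param([string]$SamAccountName, [string]$GroupName)
    # dsquery/dsget ship with the AD DS tools on a domain controller.
    # dsget -memberof -expand lists every group DN the user belongs to,
    # including groups reached through nesting.
    $groups = dsquery user -samid $SamAccountName | dsget user -memberof -expand
    return [bool]($groups | Where-Object { $_ -match "CN=$GroupName," })
}

if (Test-GroupMembership -SamAccountName $account -GroupName $group) {
    Write-Output "$account is a member of $group"
} else {
    Write-Warning "$account is NOT a member of $group; SCP registration will fail"
}

# Least privilege: the membership is only needed while the SCP is registered
# (step 24 of the root-cluster installation). To remove it afterwards:
#   net group "Enterprise Admins" adrmsadmin /delete /domain
```

Run it as a Domain Admin on the domain controller. The check is worth repeating on RMS-SRV after the log off and log on in step 44 of the root-cluster procedure, since a token issued before the group change does not carry the new membership.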

Install Active Directory Certificate Services (Standalone root CA)

To install Active Directory Certificate Services:

1 Log on to RMS-SRV as ncipher\ADRMSADMIN.

2 From the Start menu, select Administrative Tools > Server Manager.

3 If the User Account Control dialog box appears, confirm that the action it displays is correct, and click Continue.

4 In the Roles Summary box, click Add Roles.

5 The Add Roles Wizard is displayed. Read the Before You Begin section, and click Next.

6 On the Select Server Roles page, select the Active Directory Certificate Services check box, and click Next.

Follow the online instructions to complete the installation.

Create a new alias (CNAME)

To create a new alias:

1 Log on to NCIPHER-DC as ncipher\Administrator.

2 Open DNS Manager from Programs > Administrative Tools > DNS.

3 Expand Forward Lookup Zones, and right-click ncipher.com.

4 Select New Alias, and enter the alias name as rmsncp.

5 In the Fully qualified domain name (FQDN) for the target host field, browse to the RMS-SRV machine.

6 Click OK.
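The alias can be created with dnscmd instead of DNS Manager, and either way it is worth confirming that the name the AD RMS wizard will validate later (rmsncp.ncipher.com) actually resolves to RMS-SRV before the role is installed. The script below is an added example, not part of the Thales guide; the zone, alias and host names are the guide's, and the function name Test-RmsAlias is ours.

```powershell
# Added example, not part of the Thales guide: create the rmsncp CNAME with
# dnscmd on NCIPHER-DC and confirm it resolves to RMS-SRV.
$zone   = 'ncipher.com'
$alias  = 'rmsncp'
$target = 'RMS-SRV.ncipher.com.'    # trailing dot: the target is fully qualified

# Equivalent of New Alias in DNS Manager (run on NCIPHER-DC as a domain admin).
# Syntax: dnscmd <server> /RecordAdd <zone> <node> <type> <data>
dnscmd NCIPHER-DC /RecordAdd $zone $alias CNAME $target

function Test-RmsAlias {
    param([string]$Fqdn, [string]$ExpectedHost)
    # GetHostEntry follows the CNAME; HostName is the canonical (target) name.
    $entry     = [System.Net.Dns]::GetHostEntry($Fqdn)
    $canonical = $entry.HostName.TrimEnd('.')
    New-Object PSObject -Property @{
        Alias     = $Fqdn
        Canonical = $canonical
        Addresses = ($entry.AddressList | ForEach-Object { $_.IPAddressToString }) -join ', '
        Matches   = ($canonical -ieq $ExpectedHost.TrimEnd('.'))
    }
}

# Run from any domain member; Matches should be True before continuing.
Test-RmsAlias -Fqdn "$alias.$zone" -ExpectedHost $target
```

If a previous lookup of the name is cached on the machine running the check, run ipconfig /flushdns first so the result reflects the record just added. The same name must be typed unchanged into the Fully-Qualified Domain Name box of the AD RMS wizard and must be the name in the server certificate, which is what the note after step 21 of the root-cluster installation is about.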


Install and configure AD RMS as a root cluster

To add the AD RMS Server Role:

1 Log on to RMS-SRV as ncipher\ADRMSADMIN.

2 From the Start menu, select Administrative Tools > Server Manager.

3 If the User Account Control dialog box appears, confirm that the action it displays is correct, and click Continue.

4 In the Roles Summary box, click Add Roles.

5 The Add Roles Wizard is displayed. Read the Before You Begin section, and click Next.

6 On the Select Server Roles page, select the Active Directory Rights Management Services check box. The Role Services page appears informing you of the AD RMS dependent role services and features.

7 On the Feature page, ensure that Web Server (IIS), Windows Process Activation Service (WPAS), and Message Queuing are listed, and then click Add Required Role Services. Click Next.

8 Read the AD RMS introduction page, and then click Next.

9 On the Select Role Services page, ensure you have selected the Active Directory Rights Management Server check box, and click Next.

10 Select the Create a new AD RMS cluster option, and then click Next.

11 Select the Use a different database server option.

12 Click Select, type RMS-DB in the Select Computer dialog box, and then click OK.

13 In Database Instance, click Default, and then click Validate.

14 Click Next.

15 Click Specify, type ncipher\ADRMSSRVC, type the password for the account, click OK, and then click Next.

16 Ensure that the Use CSP key storage option is selected, and then click Next.

17 On the Specify AD RMS Cluster key page, select nCipher Enhanced Cryptographic service provider from the menu, and then click Next.


19 Select the Use an SSL-encrypted connection (https://) option.

20 In the Fully-Qualified Domain Name box, type rmsncp.ncipher.com, and then click Validate. If validation succeeds, the Next button becomes available.

21 Click Next.

Note Ensure Fully Qualified Domain Name and CNAME are the same.

22 Select the Choose a certificate for SSL encryption later option, and then click Next.

23 Type rmsncp in the Friendly Name field, and then click Next.

24 Ensure that the Register the AD RMS service connection point now option is selected, and then click Next to register the AD RMS service connection point (SCP) in Active Directory during installation.

25 Read the Introduction to Web Server (IIS) page, and then click Next.

26 Keep the Web server default check box selections, and then click Next.

27 Click Install to provision AD RMS on the computer. When the process is complete, click Close.

28 Open the IIS Manager. From the Start menu, select Program Files > Administrative Tools > Internet Information Service Manager.

29 Click the IIS Server.

30 Double-click the Server Certificates icon.

31 On the right-hand side of the IIS Manager window, click the Create Certificate Request link.

32 Fill out the certificate properties page. In the common name field, enter the same name that you entered for the server licensor certificate (rmsncp), and click Next.

33 On the Cryptographic Service Provider Properties page, select Microsoft RSA SChannel Cryptographic Provider from the menu, and then click Next.

Note Because of a certificate licensing issue, you cannot use nCipher CSPs for requesting certificates.

34 Enter the certificate request file name, and click Finish.

35 Send the certificate request to Microsoft CA (http://RMS-SRV.ncipher.com/certsrv), and get the certificate.


36 On the right-hand side of the IIS Manager window, click the Complete Certificate Request link.

37 Show the path of the signed certificate, enter the Friendly name (ensure this is the same as the server licensor certificate name), and click OK.

38 On the left-hand side of the IIS Manager window under Sites, click Default website.

39 On the right-hand side of the IIS Manager window, click the Bindings link.

40 In Site Bindings, click Add.

41 Select the protocol as HTTPS, and select the certificate from the menu.

42 Click OK to complete the certificate binding for the SSL connection.

43 Click Restart to restart the IIS server.

44 Log off from the server, and then log on again to update the security token of the logged-on user account.

The user account that is logged on when the AD RMS server role is installed is automatically made a member of the AD RMS Enterprise Administrators local group. A user must be a member of that group to administer AD RMS.

The AD RMS root cluster is now installed and configured.
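Steps 31 to 43 request and bind the server certificate by hand, and nothing in the wizard checks the result from a client's point of view. The script below is an added example and not part of the Thales guide; it connects to the licensing endpoint that the Office client in the verification section will use, reports the DNS name the presented certificate carries next to the FQDN the client connects to (so a difference between the common name typed in step 32 and the name typed in step 20 shows up here), and builds the chain against the logged-on user's stores. The function name Test-RmsTlsEndpoint is ours; the FQDN and port are the guide's.

```powershell
# Added example, not part of the Thales guide: check the HTTPS binding on the
# AD RMS root cluster from a client such as RMS-CLNT.
function Test-RmsTlsEndpoint {
    param([string]$Fqdn = 'rmsncp.ncipher.com', [int]$Port = 443)

    $client = New-Object System.Net.Sockets.TcpClient($Fqdn, $Port)
    # Accept any certificate during the handshake so it can be inspected; trust
    # and name are then checked explicitly below rather than by the default policy.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($Fqdn)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate

        # Chain built against the current user's stores: the same stores the
        # Office client consults, and where the CA root is imported later.
        $chain       = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk     = $chain.Build($cert)
        $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

        # First DNS name in the SAN, or the subject CN when there is no SAN.
        $dnsName = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

        New-Object PSObject -Property @{
            Fqdn         = $Fqdn
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            DnsName      = $dnsName
            NameMatches  = ($dnsName -ieq $Fqdn)
            ChainTrusted = $chainOk
            ChainStatus  = $chainStatus
        }
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
}

$r = Test-RmsTlsEndpoint
$r | Format-List
if (-not ($r.NameMatches -and $r.ChainTrusted)) {
    Write-Warning "Clients will get a certificate error for https://$($r.Fqdn)/_wmcs/licensing"
}
```

Run it as each test user on RMS-CLNT. ChainTrusted is expected to be False until the CA root certificate has been imported for that user, which is exactly the "This Service is temporarily unavailable" case in the Troubleshooting chapter; NameMatches should be True as soon as the binding is in place.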

Open the Active Directory Rights Management Services console

1 From the Start menu, select Program Files > Administrative Tools > Active Directory Rights Management Services.

2 If the User Account Control dialog box appears, confirm that the action it displays is correct, and click Continue.

Verify AD RMS functionality

The AD RMS client is included in the default installation of Windows Vista and Windows Server 2008. Before you can consume rights-protected content, you must add the AD RMS cluster URL to the Local Intranet security zone. Add the AD RMS cluster URL to the Local Intranet security zone for all users who are to consume rights-protected content.

2 From the Start menu, select All Programs > Internet Explorer.

3 Select Tools > Internet Options.

4 Click the Security tab, click Local intranet, and then click Sites.

5 Click Advanced.

6 In the Add this website to the zone field, enter https://rmsncp.ncipher.com, and then click Add.

7 Click Close.

8 Repeat the preceding steps for user_mar (ncipher\user_mar) and user_eng (ncipher\user_eng).

Add Microsoft Root certificate to the trusted store

1 Download the Microsoft CA root certificate.

2 Open the Microsoft Management Console.

3 Select File > Add/Remove Snap-in > Add.

4 Select Certificates > Add > My User Account > Finish.

5 Select Add Standalone Snap-in.

6 Click OK.

7 Expand Certificates > Current User, then expand Third-Party Root Certification Authorities.

8 Right-click Certificates > All Tasks > Import. The Certificate Import Wizard opens.

9 Click Next to display the path of the Microsoft CA root certificate.

10 Click Next.

11 Keep the default selection, and click Next.

12 Click Finish.

13 Repeat the preceding steps for user_mar (ncipher\user_mar) and user_eng
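Both client procedures above (the Local intranet zone entry and the root certificate import) are per-user settings that have to be repeated for user_fin, user_mar and user_eng. The script below is an added example, not part of the Thales guide; it is the scripted equivalent of those two procedures for the currently logged-on user. It writes the ZoneMap registry entry that Internet Explorer reads for the Local intranet zone and adds the CA root certificate to the user's Third-Party Root Certification Authorities store (the store Windows names AuthRoot). The host and domain names are the guide's; the certificate path C:\Temp\ncipher-root.cer is a placeholder, and the function names are ours.

```powershell
# Added example, not part of the Thales guide: per-user client preparation on
# RMS-CLNT. Run once while logged on as each of user_fin, user_mar and user_eng.

function Add-IntranetZoneHost {
    param([string]$Domain = 'ncipher.com', [string]$HostLabel = 'rmsncp')
    # IE keeps per-user zone assignments under ZoneMap\Domains\<domain>\<host>;
    # the value name is the scheme and the data is the zone id (1 = Local intranet).
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$Domain\$HostLabel"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Only https is mapped, matching the https:// URL added through the Sites dialog.
    New-ItemProperty -Path $key -Name 'https' -Value 1 -PropertyType DWord -Force | Out-Null
    return ((Get-ItemProperty -Path $key).https -eq 1)
}

function Import-UserAuthRoot {
    param([string]$CertPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
    # A root certificate is self-signed; refuse anything else so a leaf or an
    # intermediate certificate is not planted in a root store by mistake.
    if ($cert.Subject -ne $cert.Issuer) {
        throw "Not a self-signed root certificate: $($cert.Subject)"
    }
    # 'AuthRoot' is the Third-Party Root Certification Authorities store.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('AuthRoot', 'CurrentUser')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        $store.Add($cert)    # no-op if the certificate is already present
        $found = $store.Certificates.Find(
            [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint,
            $cert.Thumbprint, $false)
        return ($found.Count -eq 1)
    } finally {
        $store.Close()
    }
}

$zoneOk = Add-IntranetZoneHost
$certOk = Import-UserAuthRoot -CertPath 'C:\Temp\ncipher-root.cer'   # placeholder path
"Zone mapping written: $zoneOk; root certificate present in AuthRoot: $certOk"
```

Windows may show the same confirmation prompt the Certificate Import Wizard shows when a root certificate is added to a user store; the thumbprint lookup afterwards is what confirms the import actually happened. Close Internet Explorer before running the zone part so it does not overwrite the ZoneMap entry from its own cached settings.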


Restrict permissions on a Microsoft Word document

To verify the functionality of the AD RMS deployment, you log on as user_fin, and then restrict permissions on a Microsoft Word 2007 document so that user_mar can read the document but cannot change, print, or copy it. You then log on as user_mar, and verify that the proper permission to read the document has been granted, but no permissions to change, print, or copy it have been granted.

1 Log on to RMS-CLNT as user_fin (ncipher\user_fin).

2 From the Start menu, select All Programs > Microsoft Office > Microsoft Office Word 2007.

3 On the blank document page, type: user_mar can read this document, but cannot change, print, or copy it.

4 Click the Microsoft Office Button, then select Prepare > Restrict Permission > Restricted Access.

5 Select the Restrict permission to this document checkbox.

6 In the Read box, type user_mar@ncipher.com, and then click OK to close the Permission dialog box.

7 Click the Microsoft Office Button, click Save As, and then save the file as \\RMS-DB\Public\RMS-TST.docx.

8 Log off as user_fin.

View a rights-protected document

1 Log on to RMS-CLNT as user_mar (ncipher\user_mar).

2 From the Start menu, select All Programs > Microsoft Office > Microsoft Office Word 2007.

3 Click the Microsoft Office Button, and then click Open.

4 In the File name box, type \\RMS-DB\Public\RMS-TST.docx, and then click Open. The following message appears: Permission to this document is currently restricted. Microsoft Office must connect to https://rmsncp.ncipher.com:443/_wmcs/licensing to verify your credentials and download your permission.

5 Click OK. The following message appears: Verifying your credentials for opening content with restricted permissions.


6 When the document opens, click the Microsoft Office Button. Notice that the Print option is not available.

7 Close Microsoft Word.

8 Log off as user_mar.

You have successfully installed and demonstrated the functionality of AD RMS, using the simple scenario of applying restricted permissions to a Microsoft Word 2007 document.

Uninstall AD RMS

1 Open Server Manager.

2 Click Roles > Remove Roles. The Remove Roles Wizard opens.

3 Click Next.

4 Deselect Active Directory Rights Management Services, and click Next.

5 When the wizard prompts you, reboot the machine.

Unregister AD RMS Service Connection Point (SCP)

To unregister AD RMS SCP:

1 Download the RMS SP2 Administration Toolkit from http://www.microsoft.com/downloads/details.aspx?FamilyID=bae62cfc-d5a7-46d2-9063-0f6885c26b98&displaylang=en.

2 Install the RMS SP2 Administration Toolkit.

3 Open a command prompt, and navigate to the C:\Program Files\RMS SP2 Administration Toolkit\ADScpRegister folder.

4 Run the command:


Chapter 3: Troubleshooting

Problem: While installing AD RMS, you see the error:
    Attempt to configure Active Directory Rights Management Server failed.
    Fail to generate enrolee certificate public key.
Resolution: Ensure Microsoft SQL Server 2005 is working properly, or reboot the ADRMS-DB machine.

Problem: While installing AD RMS, you see the error:
    Attempt to configure Active Directory Rights Management Server failed.
    The AD RMS installation could not determine the certificate hierarchy.
Resolution:
• If the AD RMS service connection point (SCP) you need to use is registered in Active Directory but is not valid, revise it to make it valid, or create a new SCP, and install AD RMS again.
• Unregister the AD RMS Service Connection Point (SCP) using the RMS SP2 Administration Toolkit, and install again.

Problem: While installing AD RMS, you see the error:
    Attempt to configure Active Directory Rights Management Server failed.
    Provisioning of AD RMS timed out without any specific error.
Resolution:
• Remove and re-install AD RMS to attempt provisioning again.
• Recreate the security world with the Always use the wizard when creating or importing keys option unselected, and reinstall AD RMS.

Note Ensure the key protection method is neither Softcard nor K-of-N cardset protection, because AD RMS does not support these methods.

Problem: When the recipient tries to open the restricted document, they see the following error on the RMS client machine (Microsoft Vista SP1):
    This Service is temporarily unavailable.
Resolution:
• Microsoft Internet Explorer may be set to Work offline. In Internet Explorer, verify that Work Offline on the File menu is not selected, and try again.
• Import the Microsoft CA root certificate into the Third-Party Root Certification Authorities store of My User Account, and try again.


Internet addresses

Americas

2200 North Commerce Parkway, Suite 200, Weston, Florida 33326, USA Tel: +1 888 744 4976 or + 1 954 888 6200

sales@thalesesec.com

Europe, Middle East, Africa

Meadow View House, Long Crendon, Aylesbury, Buckinghamshire HP18 9EQ, UK Tel: + 44 (0)1844 201800

emea.sales@thales-esecurity.com

Asia Pacific

Units 4101, 41/F. 248 Queen’s Road East, Wanchai, Hong Kong, PRC Tel: + 852 2815 8633

asia.sales@thales-esecurity.com

Web site: www.thales-esecurity.com

Support: www.thales-esecurity.com/en/Support.aspx

Online documentation: www.thales-esecurity.com/Resources.aspx

International sales offices: www.thales-esecurity.com/en/Company/Contact%20Us.aspx
