Microsoft IIS: nShield® HSM Integration Guide


Version: 2.5

Date: Wednesday, June 30, 2021

Copyright © 2019-2021 nCipher Security Limited. All rights reserved.

Copyright in this document is the property of nCipher Security Limited. It is not to be reproduced, modified, adapted, published, or translated in any material form (including storage in any medium by electronic means, whether or not transiently or incidentally), in whole or in part, nor disclosed to any third party without the prior written permission of nCipher Security Limited; neither shall it be used otherwise than for the purpose for which it is supplied.

Words and logos marked with ® or ™ are trademarks of nCipher Security Limited or its affiliates in the EU and other countries.

Docker and the Docker logo are trademarks or registered trademarks of Docker, Inc. in the United States and/or other countries.

Information in this document is subject to change without notice.

nCipher Security Limited makes no warranty of any kind with regard to this information, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. nCipher Security Limited shall not be liable for errors contained herein or for incidental or consequential damages concerned with the furnishing, performance or use of this material.

Where translations have been made in this document, English is the canonical language.

nCipher Security Limited Registered Office: One Station Square Cambridge, UK CB1 2GA Registered in England No. 11673268

nCipher is an Entrust company.

Entrust, Datacard, and the Hexagon Logo are trademarks, registered trademarks, and/or service marks of Entrust Corporation in the U.S. and/or other countries. All other brand or product names are the property of their respective owners. Because we are continuously improving our products and services, Entrust Corporation reserves the right to change specifications without prior notice. Entrust is an equal opportunity employer.


Contents

1. Introduction ... 4
1.1. Product configuration ... 4
1.2. Requirements ... 5

2. Procedures ... 6
2.1. Install the nShield HSM ... 6
2.2. Install the Security World Software and configure the Security World ... 6
2.3. Install IIS ... 6
2.4. Install and register the CNG provider ... 12
2.5. Create a certificate request ... 21
2.6. Get the signed certificate ... 22
2.7. Install the certificate ... 22
2.8. Integrate an nShield HSM with an existing IIS deployment ... 24

Contact Us ... 27


1. Introduction

Microsoft Internet Information Services (IIS) for Windows Server is a Web server application. nShield Hardware Security Modules (HSMs) integrate with IIS 10.0 to provide full key life-cycle management with FIPS-certified hardware and to reduce the cryptographic load on the host server CPU. Integration of the nShield HSM with IIS 10.0 provides the following benefits:

• Uses hardware validated to the FIPS 140-3 standards
• Improves server performance by offloading cryptographic processing
• Enables secure storage of the IIS keys
• Enables management of the full life cycle of the keys

1.1. Product configuration

We have successfully tested the nShield HSM integration with IIS in the following configuration:

Product             Version
Operating System    Windows 2019 Server
IIS version         10.0

1.1.1. Supported nShield features

We have successfully tested nShield HSM integration with the following features:

Feature             Support
Softcards           No
Module-only key     Yes
OCS cards           Yes

1.1.2. Supported nShield hardware and software versions

We have successfully tested with the following nShield hardware and software versions:


1.1.2.1. Connect XC

Security World Software    Firmware    Image       OCS    Softcard    Module
12.60.11                   12.50.11    12.60.10

1.1.2.2. Connect +

Security World Software    Firmware    Image       OCS    Softcard    Module
12.60.11                   12.50.8     12.60.10

1.2. Requirements

Before installing the software, we recommend that you familiarize yourself with the IIS documentation and setup process, and that you have the nShield documentation available. We also recommend that there is an agreed organizational Certificate Practices Statement and a Security Policy/Procedure in place covering administration of the HSM. In particular, these documents should specify the following aspects of HSM administration:

• The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and the policy for managing these cards
• Whether the application keys are protected by the HSM module key or an Operator Card Set (OCS) protection
• Whether the Security World should be compliant with FIPS 140-2 level 3
• Key attributes such as the key algorithm, key length and key usage.

For more information, see the User Guide for the HSM.


2. Procedures

Integration procedures include:

• Installing the nShield HSM.
• Installing the Security World Software, and configuring the Security World.
• Installing IIS.
• Installing and registering the CNG provider.
• Creating a certificate request.
• Getting the signed certificate.
• Installing the certificate.
• Integrating an nShield HSM with an existing IIS deployment.

2.1. Install the nShield HSM

Install the HSM and Security World software using the instructions in the Installation Guide for the HSM. We recommend that you do this before installing and configuring IIS.

2.2. Install the Security World Software and configure the Security World

1. Install the latest version of the Security World Software as described in the User Guide for the HSM.

2. Initialize a Security World as described in the User Guide for the HSM. You can also use the CNG Configuration Wizard to create a Security World. If you are using an OCS, to adhere to IIS requirements it must be a 1-of-N with no passphrase, where N is the number of cards in the set.

2.3. Install IIS

To install Microsoft Internet Information Services:

1. Open Server Manager by selecting Start > Server Manager.


2. Select Manage and then select Add Roles and Features.

3. On the Before you begin screen, select Next.


4. On the Select installation type screen, ensure the default selection of Role or Feature Based Installation is selected and select Next.

5. On the Server Selection screen, select a server from the server pool and select Next.
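The same IIS role installation can be scripted and verified from an elevated PowerShell session instead of clicking through the Server Manager wizard. This is an added example, not part of the integration guide; it assumes Windows Server 2019 with the ServerManager module available, and the `certutil -csplist` call at the end is only a check of which key storage providers are currently registered, which is useful to repeat after the CNG provider step in section 2.4.

```powershell
# Added example (not from the integration guide): install the IIS role from
# PowerShell and verify the result. Run in an elevated session on
# Windows Server 2019.

# Web-Server is the IIS role. -IncludeManagementTools adds IIS Manager,
# which the guide's later certificate-request steps are performed in.
$result = Install-WindowsFeature -Name Web-Server -IncludeManagementTools

if (-not $result.Success) {
    throw "IIS installation failed (exit code: $($result.ExitCode))"
}
if ("$($result.RestartNeeded)" -eq 'Yes') {
    Write-Warning "A restart is required before IIS is fully usable."
}

# Confirm the role is reported as installed, not merely 'Available'.
$feature = Get-WindowsFeature -Name Web-Server
if ($feature.InstallState -ne 'Installed') {
    throw "Web-Server role state is '$($feature.InstallState)', expected 'Installed'"
}

# The World Wide Web Publishing Service must be running for the bindings
# created later in the guide to serve TLS.
$svc = Get-Service -Name W3SVC
if ($svc.Status -ne 'Running') {
    Start-Service -Name W3SVC
    $svc = Get-Service -Name W3SVC
}
Write-Host "W3SVC status: $($svc.Status)"

# List the registered cryptographic providers. At this stage only the
# Microsoft providers should appear; after the CNG provider is registered
# (section 2.4) the nShield provider should be present in this list as well.
certutil -csplist
```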

