PrivateServer HSM Integration with Microsoft IIS




PrivateServer HSM Integration with Microsoft IIS
January 2014, Document Version 1.1

Notice The information provided in this document is the sole property of Algorithmic Research Ltd. No part of this document may be reproduced, stored or transmitted in any form or any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission from Algorithmic Research Ltd. Copyright 2014 by Algorithmic Research Ltd. All rights reserved.

Table of Contents

Introduction
  Requirements
PrivateServer Installation and Configuration
  PrivateServer Installation
  PrivateServer Configuration
  Signing Engine Configuration
Configuring Microsoft IIS to Work with PrivateServer
  IIS Installation
  Generate Keys and Obtain Server Certificate
  Bind the IIS Server with the New Certificate

Introduction

This step-by-step guide will help you set up the ARX PrivateServer(TM) HSM as the signing engine for Microsoft Internet Information Server (IIS) running on the Windows 2008 operating system. IIS will use the ARX PrivateServer Hardware Security Module (HSM) to store the sensitive website private key and to perform all cryptographic operations on that key within the secure appliance, so the key never leaves the HSM.

IIS uses certificates in a public key infrastructure (PKI) during SSL authentication. The certificate and its corresponding private key authenticate the IIS server to clients through public key cryptography.

ARX PrivateServer is a highly secure (FIPS 140-2 Level 3), high-capacity, network-attached HSM that provides a secure environment for data encryption and key management. PrivateServer performs sensitive cryptographic operations, secure key storage, and management of a large number of keys.

Requirements

Two servers are required to set up your system:
- ARX PrivateServer v4.8 or higher
- Windows Server 2008 R2 or higher with Internet Information Services (IIS)

PrivateServer Installation and Configuration

The process of installing the PrivateServer HSM and its client is described in full detail in the PrivateServer Installation and Operation Guide. Refer to that manual for a detailed description of each installation step.

PrivateServer Installation

To set up your PrivateServer, follow the steps below:

1. Install the PrivateServer client on the Windows 2008 server by running the client setup.
2. Make sure that the following features are installed:
   a. Legacy client
   b. PrivateSafe USB driver
   c. Signing Engine
3. Connect the USB smart card reader to the Windows 2008 server.
4. Run the PrivateServer management application from All Programs -> ARX -> PrivateServer Client -> PrivateServer Management.
5. Select Client -> Generate Cards and generate a set of smart cards (Root, Init and Startup). For more information, refer to Chapter 4: Preparing Smartcards in the PrivateServer Installation and Operation Guide. It is recommended to create backups of the Init and Startup smart cards.
6. Select the Client -> Generate Users menu option and generate a smart card for the administrative user first. For more details, refer to Chapter 4: Preparing Smartcards in the PrivateServer Installation and Operation Guide.
7. Initialize the PrivateServer with the newly generated set of smart cards (Init and Startup). For more information, refer to Chapter 5: Operating the System in the PrivateServer Installation and Operation Guide.
8. Set the PrivateServer IP address. For more information, refer to Chapter 6: Configuring the System in the PrivateServer Installation and Operation Guide.

PrivateServer Configuration

Perform the following steps to create the IIS user in the PrivateServer database:

1. Add your PrivateServer IP address to the servers list from the Client -> Add PrivateServer menu.
2. Select Server -> Connect to connect to the PrivateServer as the administrative user.
3. Select View -> Users to switch to the users view. Select User -> Create to create a user for the IIS server; this user will be the owner of the website's sensitive key.
4. Enter the IIS user data. Usually such a user does not need any special authorizations, so you can leave the entire authorization mask clear. However, since this is a critical user in the system, set the Minimum Access Level to "Non-secure LAN, authenticated and encrypted session". This setting requires strong user authentication with key media (software or smart card) before the key can be used.
5. Click OK to create the IIS server user.
6. Select Client -> Generate Users and generate software token key media for the IIS user. For more details, refer to Chapter 4: Preparing Smartcards in the PrivateServer Installation and Operation Guide.
7. Test the key media by establishing an authenticated connection with the PrivateServer.

Signing Engine Configuration

The signing engine is a client-side component that provides support for the Microsoft CAPI and CAPI Next Generation (CNG) APIs. These APIs are used by Microsoft applications to access the PrivateServer HSM and perform the required cryptographic operations.

To configure the signing engine on the IIS machine:

1. Open the directory C:\Program Files\ARX\PrivateServer Client\extlogin\Encrypted_Pass and copy the 64-bit DLL to the Windows\System32 directory and the 32-bit DLL to the Windows\SysWOW64 directory.
2. To create an encrypted password file, run the genpass.exe utility as administrator from C:\Program Files\ARX\PrivateServer Client\extlogin\Encrypted_Pass\win32 and enter the media password. Make sure that the file cspass.dat was created in the C:\Program Files\ARX\PrivateServer Client\utils directory.
3. Select the Client -> Settings menu and click the Signing Engine tab.
4. Click the New button to add a new slot.
   a. In the Signing Engine group box, choose Server Based and choose the IP of your PrivateServer from the combo box.
   b. In the Authentication Type group box, choose File Media and enter the path to the software key media of the IIS user.
   c. In the User and Password Details group box, enter the IIS user name.
   d. Check Use Extended Login Module and enter extlogin.dll as the name of the extended login module.
5. Click the Apply button to save your settings.
6. Click the Test button to check your configuration settings. If the test fails, check your configuration or restart the machine.
7. Press OK.
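Steps 1 and 2 above are easy to get subtly wrong: a 32-bit DLL dropped into System32 (or vice versa) fails only when the signing engine's Test button is pressed, and a missing cspass.dat means genpass.exe was not run as administrator. The following PowerShell script is an added example, not part of the ARX guide, that checks the staging by reading each copied DLL's PE header (Machine field 0x014C = i386, 0x8664 = AMD64) and confirming the encrypted password file exists. It assumes the extended login module is named extlogin.dll (the name entered in step 4d) and that the client was installed under the path the guide uses; the ACL review of cspass.dat is an added check, since that file holds the encrypted media password.

```powershell
# Added example (not from the ARX guide): verify the signing-engine staging from
# steps 1 and 2 before pressing the Signing Engine "Test" button.
# Assumptions: DLL name extlogin.dll (step 4d); client root path as in the guide.

$ClientRoot = 'C:\Program Files\ARX\PrivateServer Client'
$Win32Dir   = Join-Path $ClientRoot 'extlogin\Encrypted_Pass\win32'   # where genpass.exe lives (step 2)
$DllName    = 'extlogin.dll'

function Get-PeMachine {
    # Reads IMAGE_FILE_HEADER.Machine so we can tell a 32-bit DLL (0x014C, i386)
    # from a 64-bit DLL (0x8664, AMD64) without loading it.
    param([string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "$Path is not a PE file (missing MZ header)"
    }
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)          # e_lfanew
    if ([BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) {   # "PE\0\0"
        throw "$Path has no PE signature"
    }
    return [BitConverter]::ToUInt16($bytes, $peOffset + 4)
}

function Test-SigningEngineStaging {
    $results = @()

    # Step 1 check: 64-bit DLL must be in System32, 32-bit DLL in SysWOW64.
    $checks = @(
        @{ Path = Join-Path $env:windir "System32\$DllName"; Expect = 0x8664; Label = '64-bit DLL in System32' },
        @{ Path = Join-Path $env:windir "SysWOW64\$DllName"; Expect = 0x014C; Label = '32-bit DLL in SysWOW64' }
    )
    foreach ($c in $checks) {
        if (-not (Test-Path $c.Path)) {
            $results += "FAIL: $($c.Label): $($c.Path) missing"
            continue
        }
        $machine = Get-PeMachine $c.Path
        if ($machine -eq $c.Expect) {
            $results += "OK:   $($c.Label)"
        } else {
            $results += ('FAIL: {0}: Machine=0x{1:X4}, wrong bitness for this directory' -f $c.Label, $machine)
        }
    }

    # Step 2 check: genpass.exe must have produced cspass.dat under utils.
    $passFile = Join-Path $ClientRoot 'utils\cspass.dat'
    if (Test-Path $passFile) {
        $acl = Get-Acl $passFile
        $results += "OK:   cspass.dat present (owner: $($acl.Owner))"
        # The file holds the encrypted media password; flag any identity other
        # than SYSTEM/Administrators that has an ACE on it so it can be reviewed.
        $others = $acl.Access |
            Where-Object { $_.IdentityReference -notmatch 'SYSTEM|Administrators' } |
            ForEach-Object { $_.IdentityReference.Value }
        if ($others) {
            $results += "WARN: cspass.dat ACL also grants: $($others -join ', ') (review)"
        }
    } else {
        $results += "FAIL: cspass.dat not found in $ClientRoot\utils; re-run genpass.exe as administrator from $Win32Dir"
    }
    return $results
}

Test-SigningEngineStaging | ForEach-Object { Write-Output $_ }
```

Run it from an elevated PowerShell prompt on the IIS machine after step 2; any FAIL line should be fixed before configuring the slot in steps 3 to 7.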

Configuring Microsoft IIS to Work with PrivateServer

Now you are ready to install the Microsoft IIS service and configure it to work with PrivateServer.

IIS Installation

To install Microsoft IIS on Windows Server 2008:

1. Open Server Roles.
2. In Server Roles, check Web Server (IIS). Follow the instructions of the IIS installation wizard. Additional information can be found on Microsoft MSDN.

Generate Keys and Obtain Server Certificate

In this step you will generate an RSA private/public key pair on the PrivateServer HSM and obtain a corresponding server certificate from your CA. In general, there are several ways to obtain a server certificate. When you generate a certificate for the IIS server, you must make sure that the subject is the server name or IP address of the web server. The process below uses the Web enrollment service of the CA.

1. Open Microsoft Internet Explorer and go to the Microsoft CA web enrollment page.
2. Select Request a certificate.
3. Select Advanced certificate request.
4. Select Create and submit a request to this CA.
5. In the Advanced Certificate Request form, select:
   a. Certificate Template: Web Server.
   b. Name: enter the IIS server IP or server name. The certificate subject name must match the IIS server name.
   c. CSP: AR Base Cryptographic Provider.
6. The private key will be generated inside the PrivateServer and a corresponding certificate will be issued by the CA.
7. Select Install the certificate to save the IIS server certificate inside PrivateServer.

Now the certificate is loaded into the machine certificate store and you should be able to configure IIS to use it to identify the server during SSL negotiation.

Bind the IIS Server with the New Certificate

1. Open IIS Manager and choose the site that will support the SSL connection using the PrivateServer.
2. Click Bindings in the Actions tab.
3. In the Site Bindings window, click Add.
4. Choose https as the type and choose the SSL certificate created in the previous step. This certificate will serve as the web site certificate and will be used in the SSL authentication. Make sure this certificate is in the Personal store of the local computer certificate store.
5. Click OK.
6. Open a browser and connect to the web site with the https prefix.
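The two sections above (generating the key on the HSM, then binding the certificate) leave one thing the IIS Manager dialog does not show you: whether the certificate you are about to bind really has its private key in the PrivateServer rather than in a software key container. The following PowerShell script is an added example, not part of the ARX guide, that selects the certificate in the local computer's Personal store whose key is held by the AR Base Cryptographic Provider (the CSP chosen in step 5c), checks that its subject CN matches the host name as step 5b requires, and then creates the https binding that steps 1 to 5 of the binding procedure perform by hand. It assumes the WebAdministration module (Windows Server 2008 R2 and later), that the AR CSP is a legacy CAPI provider so the key surfaces as RSACryptoServiceProvider, and that the site name and port are placeholders you replace.

```powershell
# Added example (not from the ARX guide): find the HSM-backed server certificate,
# verify its subject, and bind it to the site's https binding.
# Assumptions: $SiteName and $Port are placeholders; the AR CSP is a CAPI provider;
# run from an elevated prompt on the IIS machine after step 7 of the enrollment.

Import-Module WebAdministration

$SiteName     = 'Default Web Site'                  # placeholder: your IIS site
$Port         = 443                                 # placeholder: your https port
$ProviderName = 'AR Base Cryptographic Provider'    # CSP selected in step 5c

function Get-KeyProviderName {
    # Returns the name of the CSP holding the certificate's private key, or $null
    # if the key is inaccessible or not a CAPI (RSACryptoServiceProvider) key.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return $null }
    try {
        $key = $Cert.PrivateKey
        if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            return $key.CspKeyContainerInfo.ProviderName
        }
    } catch {
        # Key container not accessible from this context; treat as unknown provider.
    }
    return $null
}

function Find-HsmServerCertificate {
    # Picks the certificate whose key is in the PrivateServer and whose subject CN
    # matches the name clients will connect to (guide step 5b).
    param([string]$ExpectedSubjectName)
    $candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        (Get-KeyProviderName $_) -eq $ProviderName
    }
    foreach ($cert in $candidates) {
        $cn = ($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN=', ''
        if ($cn -ieq $ExpectedSubjectName) { return $cert }
    }
    return $null
}

function Set-SiteHttpsBinding {
    # Equivalent of IIS Manager: Bindings -> Add -> type https -> pick certificate.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $existing = Get-WebBinding -Name $SiteName -Protocol https -Port $Port
    if (-not $existing) {
        New-WebBinding -Name $SiteName -Protocol https -Port $Port -IPAddress '*'
    }
    # Attach the certificate to the IP:port listener (replaces any previous one).
    $bindingPath = "IIS:\SslBindings\0.0.0.0!$Port"
    if (Test-Path $bindingPath) { Remove-Item $bindingPath }
    Get-Item "Cert:\LocalMachine\My\$($Cert.Thumbprint)" | New-Item $bindingPath | Out-Null
}

# Adjust $expected if the certificate was issued to an IP address or FQDN instead.
$expected = [System.Net.Dns]::GetHostName()
$cert = Find-HsmServerCertificate -ExpectedSubjectName $expected
if (-not $cert) {
    throw "No certificate with CN=$expected whose private key is held by '$ProviderName' was found in LocalMachine\My"
}
Set-SiteHttpsBinding -Cert $cert
Write-Output ("Bound {0} (thumbprint {1}, key provider '{2}') to {3}:{4}" -f `
    $cert.Subject, $cert.Thumbprint, (Get-KeyProviderName $cert), $SiteName, $Port)
```

If the script throws, the usual causes are a certificate that was enrolled with the default Microsoft software CSP instead of the AR provider (the key is then on disk, not in the HSM) or a subject CN that does not match the host name; both should be corrected by re-enrolling rather than by binding the wrong certificate. After a successful run, step 6 of the binding procedure (an https connection from a browser) confirms the handshake completes with the HSM performing the private-key operation.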