ncipher Modules Integration Guide for Apache HTTP Server www.thalesgroup.com/iss



Version: 1.3
Date: 19 August 2011

Copyright 2011 Thales e-Security Limited. All rights reserved.

Copyright in this document is the property of Thales e-Security Limited. It is not to be reproduced, modified, adapted, published, or translated in any material form (including storage in any medium by electronic means, whether or not transiently or incidentally), in whole or in part, nor disclosed to any third party without the prior written permission of Thales e-Security Limited, neither shall it be used otherwise than for the purpose for which it is supplied.

CodeSafe, KeySafe, nCipher, nFast, nForce, nShield, payShield, and Ultrasign are registered trademarks of Thales e-Security Limited. CipherTools, CryptoStor, CryptoStor Tape, keyAuthority, KeyVault, nCore, netHSM, nFast Ultra, nForce Ultra, nShield Connect, nToken, SafeBuilder, SEE, and Trust Appliance are trademarks of Thales e-Security Limited. All other trademarks are the property of the respective trademark holders.

Information in this document is subject to change without notice. Thales e-Security Limited makes no warranty of any kind with regard to this information, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Thales e-Security Limited shall not be liable for errors contained herein or for incidental or consequential damages concerned with the furnishing, performance or use of this material.

These installation instructions are intended to provide step-by-step instructions for installing Thales software with third-party software. These instructions do not cover all situations and are intended as a supplement to the documentation provided with Thales products.

Disclaimer: Thales e-Security Limited disclaims all liabilities regarding third-party products and only provides warranties and liabilities with its own products as addressed in the Terms and Conditions for Sale.

Contents

Chapter 1: Introduction
    Supported nCipher functionality
    Requirements
Chapter 2: Procedures
    Installing the HSM
    Installing the nCipher software and creating the security world
    Installing and building OpenSSL
    Installing the Apache HTTP Server
    Configuring the Apache HTTP Server to use the HSM
Addresses

Chapter 1: Introduction

Apache, also known as Apache HTTP Server, is an established standard in the online distribution of Web site services, and provided the initial boost for the expansion of the World Wide Web. It is an open-source web server platform that serves the majority of the Web sites active today. The server runs on many popular modern platforms and operating systems, such as Microsoft Windows, UNIX, Linux, and Solaris.

This guide describes how to integrate a Thales nCipher product line Hardware Security Module (HSM) with the Apache HTTP Server. Offloading the cryptographic operations to the HSM provides significant performance improvements, and the HSM provides extra security by protecting and managing the server's high-value SSL private key within its FIPS 140-2 certified hardware.

The benefits of using a Thales HSM with the Apache HTTP Server include:

- Secure storage of the private key.
- FIPS 140-2 level 3 validated hardware.
- Improved server performance by offloading the cryptographic processing.
- Full life cycle management of the keys.
- Failover support.
- Load balancing between HSMs.

You use the Thales nCipher software CHIL (Cryptographic Hardware Interface Library) interface to integrate the HSM and the Apache HTTP Server.

The integration between the HSM and the server has been tested for the following combinations:

Operating system                     | Apache / OpenSSL version | nCipher software version | Module support (nShield Solo PCI, nShield Solo PCIe, nShield Connect)
Red Hat Enterprise Linux 5.4 64-bit  | 2.2.15 / 1.0.0a          | 11.40                    | Yes
Red Hat Enterprise Linux 5.4 32-bit  | 2.2.15 / 1.0.0a          | 11.40                    | Yes, Yes
Solaris 10 for SPARC                 | 2.2.15 / 1.0.0a          | 11.30                    | Yes, Yes

For more information about OS support, contact your Apache HTTP Server sales representative or Thales Support. For more information about contacting Thales, see Addresses at the end of this guide.

Additional documentation produced to support your Thales product can be found in the document directory of the CD-ROM or DVD-ROM for that product.

Note: Throughout this guide, the term HSM refers to nShield Solo modules and nShield Connect units. (nShield Solo products were formerly known as nShield.)

Supported nCipher functionality

- Key Generation: Yes
- Key Management: Yes
- Key Import: Yes
- Key Recovery: Yes
- 1-of-N Operator Card Set: Yes
- K-of-N Operator Card Set: Yes
- Softcards: Yes
- Module-only Key: Yes
- Strict FIPS Support: Yes
- Load Sharing: Yes
- Fail Over: Yes

Requirements

Before starting the integration process, familiarize yourself with:

- The documentation for the HSM.
- The documentation and setup process for the Apache HTTP Server.

Before using the Thales nCipher software, you need to know:

- The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and the policy for managing these cards.
- Whether the application keys are protected by the module or by an Operator Card Set (OCS), with or without a pass phrase.
- The number and quorum of Operator Cards in the OCS, and the policy for managing these cards.
- Whether the security world should be compliant with FIPS 140-2 level 3.

For more information, refer to the Quick Start Guide or Hardware Installation Guide for the HSM.

Chapter 2: Procedures

The integration process involves the following steps:

1. Install the HSM.
2. Install the nCipher software and create the security world.
3. Install and build OpenSSL.
4. Install the Apache HTTP Server.
5. Configure the Apache HTTP Server to use the HSM.

All these procedures are described in the following sections.

Installing the HSM

Install the HSM by following the instructions in the Quick Start Guide or Hardware Installation Guide for the HSM. We recommend that you install the HSM before configuring the nCipher software with your Apache HTTP Server.

Installing the nCipher software and creating the security world

1. On the computer that you want to make the Apache HTTP Server, install the latest version of the nCipher software, with the CHIL components selected, as described in the Quick Start Guide for the HSM.

   Note: We recommend that you uninstall any existing nCipher software before installing the new nCipher software.

2. Create the security world as described in the Quick Start Guide, creating the ACS and OCS that you require.

Installing and building OpenSSL

To install and build OpenSSL:

1. Log into the computer as a root user with administrative privileges.
2. Create the directory in which OpenSSL is to be built:

       mkdir openssl_dir

3. Download the latest openssl-1.0.0a.tar.gz file from http://www.openssl.org/source.
4. Copy the openssl-1.0.0a.tar.gz file into the openssl_dir directory that you created.
5. Navigate to the openssl_dir directory.
6. Decompress the openssl-1.0.0a.tar.gz file:

       gzip -d openssl-1.0.0a.tar.gz

7. Untar the openssl-1.0.0a.tar file:

       tar -xvf openssl-1.0.0a.tar

8. Navigate to the openssl_dir/openssl-1.0.0a directory.
9. If you are using Solaris 10 for SPARC, set the following environment variables:

       export PATH=$PATH:/usr/ccs/bin
       export PATH=$PATH:/usr/local/ssl
       export PATH=$PATH:/usr/local/ssl/bin
       export PATH=$PATH:/usr/sfw/bin
       export PATH=$PATH:/usr/local/bin
       export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/ssl/lib

   If you are using Red Hat Enterprise Linux 5.4, you do not need to set these environment variables.

10. If you are using Solaris 10 for SPARC, ensure that the latest versions of the following utilities are installed: apr, aprutil, gcc, libgcc, libiconv, and libgcrypt.
11. Run the config script:

       ./config -ldl

12. Build OpenSSL:

       make
       make install

Installing the Apache HTTP Server

To install the Apache HTTP Server:

1. Log in as a root user with administrative privileges.
2. Create the directory in which Apache 2.2 is to be built:

       mkdir apache_dir

3. Download the httpd-2.2.15.tar.gz file from http://httpd.apache.org/download.cgi.
4. Copy the httpd-2.2.15.tar.gz file into the apache_dir directory that you created.
5. Navigate to the apache_dir directory.
6. Decompress the httpd-2.2.15.tar.gz file:

       gzip -d httpd-2.2.15.tar.gz

7. Untar the httpd-2.2.15.tar file:

       tar -xvf httpd-2.2.15.tar

8. If you are using Red Hat Enterprise Linux 5.4 64-bit, configure the OpenSSL library so that the 64-bit libraries are found under lib:

       cd /usr/local/ssl
       rm -r lib
       cp -r lib64 lib

9. Navigate to the apache_dir/httpd-2.2.15 directory.
10. Configure Apache with SSL support, pointing it at the OpenSSL build you installed:

       ./configure --enable-ssl --with-ssl=/usr/local/ssl/

11. Build Apache:

       make
       make install

Configuring the Apache HTTP Server to use the HSM

To configure the Apache HTTP Server to use the HSM:

1. Open the /usr/local/apache2/conf/httpd.conf file in a text editor. Locate the following line:

       #Include conf/extra/httpd-ssl.conf

2. Remove the comment mark (#), and then save the file.
3. Create the ssl.key and ssl.crt directories within the /usr/local/apache2/conf/ directory.
4. Generate an embedded key by using the generatekey command-line utility:

       /opt/nfast/bin/generatekey embed

   Generating a key with this utility stores the following information (where key_name represents the name given to the key being generated):

   - The key, in the key_name file.
   - The X.509 self-signed certificate, in the key_name_selfcert file.
   - The X.509 certificate request (base 64 encoded PKCS #10), in the key_name_req file.

5. Copy the key_name file to the /usr/local/apache2/conf/ssl.key directory.
6. Copy the key_name_selfcert file to the /usr/local/apache2/conf/ssl.crt directory.
7. Create a preload directory, with root as user and nfast as group, within the /opt/nfast/kmdata directory.
8. Open the /usr/local/apache2/conf/extra/httpd-ssl.conf file in a text editor, edit the file in the following way, and then save the file:

   - Insert the following line anywhere before the SSL Virtual Host Context section:

         SSLCryptoDevice chil

   - Locate the following line:

         SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server-dsa.crt

     Replace server-dsa.crt with the name of the generated self-signed certificate file (key_name_selfcert).

   - Locate the following line:

         SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server-dsa.key

     Replace server-dsa.key with the name of the generated key file (key_name).

   - Locate the following line:

         ServerName www.example.com:443

     Edit it to ensure that the name of the server matches the one specified when the key was generated.

9. Set and export the LD_LIBRARY_PATH environment variable so that the CHIL library can be found:

       LD_LIBRARY_PATH=/opt/nfast/toolkits/hwcrhk
       export LD_LIBRARY_PATH

10. Start the SSL-enabled, HSM-protected Apache HTTP Server by running one of the following commands, depending on the type of key protection you are using:

    - Token-protected keys (use the appropriate value for <token_name>):

          /opt/nfast/bin/preload -f /var/run/nfast/apache --cardset-name=<token_name> /usr/local/apache2/bin/httpd -k start

    - Softcard-protected keys (use the appropriate value for <softcard_name>):

          /opt/nfast/bin/ppmk --preload -f /var/run/nfast/apache <softcard_name> /usr/local/apache2/bin/httpd -k start

    - Module-protected keys:

          /opt/nfast/bin/preload -M -f /var/run/nfast/apache /usr/local/apache2/bin/httpd -k start
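As an added example (not code from the Thales guide), the following POSIX shell script applies the step 8 edits to a copy of httpd-ssl.conf and then checks that mod_ssl is really pointed at the CHIL engine and the HSM key before the server is started. The paths are the guide's defaults; the key name apachekey and the sample configuration skeleton are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the Thales guide. Paths are the guide's defaults;
# KEY_NAME and the sample httpd-ssl.conf skeleton below are constructed.

APACHE_CONF=/usr/local/apache2/conf
KEY_NAME=apachekey                 # constructed: the name given to generatekey
SERVER_NAME=www.example.com:443    # must match the name given when the key was generated

# Rewrite $1 into $2: point mod_ssl at the HSM key and self-signed certificate,
# set ServerName, and add "SSLCryptoDevice chil" before the SSL virtual host.
configure_ssl_conf() {
    in=$1; out=$2
    sed \
        -e "s#^SSLCertificateFile .*#SSLCertificateFile $APACHE_CONF/ssl.crt/${KEY_NAME}_selfcert#" \
        -e "s#^SSLCertificateKeyFile .*#SSLCertificateKeyFile $APACHE_CONF/ssl.key/${KEY_NAME}#" \
        -e "s#^ServerName .*#ServerName $SERVER_NAME#" \
        "$in" > "$out"
    if ! grep -q '^SSLCryptoDevice chil' "$out"; then
        tmp=$(mktemp)
        sed '/^<VirtualHost/i\
SSLCryptoDevice chil' "$out" > "$tmp" && mv "$tmp" "$out"
    fi
}

# Return 0 only if $1 is ready for CHIL: engine directive present and placed
# before the virtual host, no leftover server-dsa placeholder paths, and the
# key file taken from the ssl.key directory that holds the generatekey output.
check_ssl_conf() {
    f=$1
    grep -q '^SSLCryptoDevice chil' "$f" || return 1
    if grep -q 'server-dsa' "$f"; then return 1; fi
    grep -q '^SSLCertificateKeyFile .*/ssl.key/[^ ]*$' "$f" || return 1
    dev=$(grep -n '^SSLCryptoDevice chil' "$f" | head -n 1 | cut -d: -f1)
    vh=$(grep -n '^<VirtualHost' "$f" | head -n 1 | cut -d: -f1)
    [ -n "$vh" ] && [ "$dev" -lt "$vh" ]
}

# Constructed skeleton of conf/extra/httpd-ssl.conf containing the lines the
# guide tells you to locate (server-dsa placeholders and default ServerName).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
Listen 443
## SSL Virtual Host Context
<VirtualHost _default_:443>
ServerName www.example.com:443
SSLEngine on
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server-dsa.crt
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server-dsa.key
</VirtualHost>
EOF

HSM_CONF=$(mktemp)
configure_ssl_conf "$SAMPLE_CONF" "$HSM_CONF"
check_ssl_conf "$HSM_CONF" && echo "httpd-ssl.conf ready for CHIL" || echo "httpd-ssl.conf not ready"
```

Run check_ssl_conf against the real httpd-ssl.conf before step 10: if it fails, httpd will start with software keys or no SSL key at all rather than the HSM-protected one.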

Addresses

Americas
2200 North Commerce Parkway, Suite 200, Weston, Florida 33326, USA
Tel: +1 888 744 4976 or +1 954 888 6200
sales@thalesesec.com

Europe, Middle East, Africa
Meadow View House, Long Crendon, Aylesbury, Buckinghamshire HP18 9EQ, UK
Tel: +44 (0)1844 201800
emea.sales@thales-esecurity.com

Asia Pacific
Units 4101, 41/F, 248 Queen's Road East, Wanchai, Hong Kong, PRC
Tel: +852 2815 8633
asia.sales@thales-esecurity.com

Internet addresses
Web site: www.thalesgroup.com/iss
Support: http://iss.thalesgroup.com/en/support.aspx
Online documentation: http://iss.thalesgroup.com/resources.aspx
International sales offices: http://iss.thalesgroup.com/en/company/contact%20us.aspx