PrivateServer HSM EKM Provider for Microsoft SQL Server




PrivateServer HSM EKM Provider for Microsoft SQL Server January 2014 Document Version 1.1

Notice The information provided in this document is the sole property of Algorithmic Research Ltd. No part of this document may be reproduced, stored or transmitted in any form or any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission from Algorithmic Research Ltd. Copyright 2014 by Algorithmic Research Ltd. All rights reserved.

Table of Contents

Introduction
Requirements
PrivateServer Installation and Configuration
    PrivateServer Installation
    PrivateServer Configuration
    Signing Engine Configuration
Using Microsoft SQL EKM Provider
    Registering the EKM Provider
    Generating Symmetric and Asymmetric Keys
    Encrypting and Decrypting Data with a Symmetric Key
    Encrypting and Decrypting Data with Asymmetric Key

Introduction

Microsoft SQL Server 2008/2012 provides data encryption capabilities together with Extensible Key Management (EKM), using HSM devices. ARX PrivateServer™ HSM offers an EKM plug-in that provides cryptographic capabilities such as bulk encryption, decryption, and key management functions. With EKM added to PrivateServer's growing list of supported APIs, PrivateServer HSM can now serve as an external cryptographic provider, relieving SQL Server of these operations and significantly enhancing operational security.

Via this feature, any organization that uses Microsoft SQL Server 2008/2012 as its database engine can use PrivateServer HSM to secure sensitive information in its database. A significant advantage of this new feature is that it does not require any further development or integration by the application developer or database administrator.

This step-by-step guide will help you set up PrivateServer as a cryptographic engine for Microsoft SQL Server 2008/2012. It provides code samples and detailed information about the different features of the PrivateServer EKM provider.

The PrivateServer EKM provider supports the following features and algorithms:

Authentication type: Username/Password
Symmetric Algorithms: AES_128, AES_192, AES_256, DES, TRIPLE_DES, TRIPLE_DES_3KEY
Asymmetric Algorithms: RSA_1024, RSA_2048
Key name support: Yes

ARX PrivateServer is a highly secure (FIPS 140-2 Level 3), high-capacity, network-attached HSM that provides a secure environment for data encryption and key management. PrivateServer conducts sensitive cryptographic operations, secure key storage, and management of a large number of keys.

Requirements

Two servers are required to set up your system:

ARX PrivateServer v4.7 or higher
Windows Server 2008 R2 and higher with Microsoft SQL Server 2008/2012 (Enterprise, Developer, or Evaluation)

PrivateServer Installation and Configuration

The process of installing PrivateServer HSM and its client is described in full detail in the PrivateServer Installation and Operation Guide. Please refer to the manual for a detailed description of each of the installation steps.

PrivateServer Installation

To set up your PrivateServer, follow the steps below:

1. Install the PrivateServer client on the Windows 2008 server by running the client setup.
2. Make sure that the following features are installed:
   a. Legacy client
   b. PrivateSafe USB driver
   c. Signing Engine
3. Connect the USB smart card reader to the Windows 2008 server.
4. Run the PrivateServer management application from All Programs -> ARX -> PrivateServer Client -> PrivateServer Management.
5. Select Client -> Generate Cards and generate a set of smart cards (Root, Init and Startup). For more information refer to Chapter 4: Preparing Smartcards in the PrivateServer Installation and Operation Guide. It is recommended to create backups of the Init and Startup smart cards.
6. Select the Client -> Generate Users menu option and generate a smart card for the administrative user first. For more details refer to Chapter 4: Preparing Smartcards in the PrivateServer Installation and Operation Guide.

7. Initialize the PrivateServer with the newly generated set of smart cards (Init and Startup). For more information refer to Chapter 5: Operating the System in the PrivateServer Installation and Operation Guide.
8. Set the PrivateServer IP address. For more information refer to Chapter 6: Configuring the System in the PrivateServer Installation and Operation Guide.

PrivateServer Configuration

Perform the following steps to create the EKM user in the PrivateServer database:

1. Add your PrivateServer IP address to the servers list from the Client -> Add PrivateServer menu.
2. Select Server -> Connect to connect to the PrivateServer with the administrative user.

3. Select View -> Users to switch to the users view. Select User -> Create to create a user for the EKM provider, which will be the user of the sensitive keys.
4. Enter the EKM user data. Usually, such a user does not need any special authorizations, so you can leave all authorization masks clear. However, since this is a critical user in the system, set the Minimum Access Level to Non-secure LAN, authenticated and encrypted session. This setting requires strong user authentication with key media (software or smart card).
5. Click OK to create the EKM user.
6. Select Client -> Generate Users and generate software token key media for the EKM user. For more details refer to Chapter 4: Preparing Smartcards in the PrivateServer Installation and Operation Guide.
7. Test the key media by establishing an authenticated connection with the PrivateServer.

Signing Engine Configuration

The signing engine is a client-side component that provides support for the Microsoft CAPI, CAPI New Generation (CNG) and PKCS#11 APIs. These APIs are used by the EKM provider to access the PrivateServer HSM and perform the required cryptographic operations.

To configure the signing engine on the SQL server:

1. Select the Client -> Settings menu and click the Signing Engine tab.

2. Click the New button to add a new slot.
   a. In the Signing Engine group box choose Server Based and choose the IP of your PrivateServer from the combo box.
   b. In the Authentication Type group box choose File Media and enter the path to the software key media of the EKM user.
   c. In the User and Password Details group box enter the EKM user name.
   d. Check Use Unattended Password and enter a dummy password. During runtime, the password to the software token is supplied by the SQL server from the user credentials.
3. Click the Apply button to save your settings.

4. Click the Test button to check your configuration settings. If the test fails, check your configuration or restart the machine.
5. Press OK.

Using Microsoft SQL EKM Provider

To install and configure the EKM provider on your Microsoft SQL Server, run SQL Management Studio and enter the queries described below.

Registering the EKM Provider

To register the EKM provider, enter the following commands:

Use the sp_configure command to enable the Extensible Key Management feature:

Run a query to register the provider name and set the full path to the EKM provider DLL. In the example below, AR_EKM_Prov is the name of the provider and C:\Program Files\ARX\PrivateServer Client\EKM\win64\arekm.dll is the path to arekm.dll.

Run a query to create login credentials that map the PrivateServer user to the SQL server user. In the example below, AR_EKM_Prov is the name of the EKM provider created in the previous step; AR_EKM_cred is the name of the credential; EKMuser is the name of the PrivateServer user that was defined in the Signing Engine configuration; TestDomain\administrator is the domain name\username of the SQL server user; SECRET is the media password if you use media authentication.

Generating Symmetric and Asymmetric Keys

Run a query to generate a symmetric key inside PrivateServer, to be used by the EKM provider. In the example below, master is the name of the database; SQL_EKM_3DES is the name of the key in the SQL database; AR_EKM_Prov is the name of the EKM provider defined in the previous step; TRIPLE_DES_3KEY is the algorithm of the generated key; 3des_test_key is the name of the key in the PrivateServer database.

Supported symmetric key types are:

AES_128
AES_192
AES_256
DES
TRIPLE_DES
TRIPLE_DES_3KEY

To create an asymmetric key, use the following example:

Supported asymmetric key types are:

RSA_1024
RSA_2048

Encrypting and Decrypting Data with a Symmetric Key

Run the following query to encrypt the credit_card column in the user_credit_cards table with the SQL_EKM_3DES symmetric key.

Run the following query to decrypt the credit_card column in the user_credit_cards table with the SQL_EKM_3DES symmetric key.

Encrypting and Decrypting Data with Asymmetric Key

Run the following query to encrypt the credit_card column in the user_credit_cards table with the SQL_EKM_RSA_1024 asymmetric key.

Run the following query to decrypt the credit_card column in the user_credit_cards table with the SQL_EKM_RSA_1024 asymmetric key.
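
An added example, not taken from the ARX guide: standard SQL Server EKM statements for the registration, key generation and encryption steps described above, using the object names the guide gives. The PrivateServer key name rsa_1024_test_key, the varbinary column credit_card_enc and the varchar(32) plaintext width are assumptions.

```sql
-- Added example; rsa_1024_test_key, credit_card_enc and varchar(32) are assumed.

-- 1. Enable Extensible Key Management (it is an advanced option).
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'EKM provider enabled', 1;
RECONFIGURE;
GO

-- 2. Register the provider DLL under the name AR_EKM_Prov.
CREATE CRYPTOGRAPHIC PROVIDER AR_EKM_Prov
    FROM FILE = 'C:\Program Files\ARX\PrivateServer Client\EKM\win64\arekm.dll';
GO

-- 3. Credential for the PrivateServer user, mapped to the SQL Server login.
--    'SECRET' stands for the key media password.
CREATE CREDENTIAL AR_EKM_cred
    WITH IDENTITY = 'EKMuser', SECRET = 'SECRET'
    FOR CRYPTOGRAPHIC PROVIDER AR_EKM_Prov;
ALTER LOGIN [TestDomain\administrator] ADD CREDENTIAL AR_EKM_cred;
GO

-- 4. Generate the keys inside PrivateServer; SQL Server stores only a reference.
USE master;
CREATE SYMMETRIC KEY SQL_EKM_3DES
    FROM PROVIDER AR_EKM_Prov
    WITH ALGORITHM = TRIPLE_DES_3KEY,
         PROVIDER_KEY_NAME = '3des_test_key',
         CREATION_DISPOSITION = CREATE_NEW;
CREATE ASYMMETRIC KEY SQL_EKM_RSA_1024
    FROM PROVIDER AR_EKM_Prov
    WITH ALGORITHM = RSA_1024,
         PROVIDER_KEY_NAME = 'rsa_1024_test_key',
         CREATION_DISPOSITION = CREATE_NEW;
GO

-- 5. Symmetric key: provider-backed keys are used without OPEN SYMMETRIC KEY.
UPDATE user_credit_cards
   SET credit_card_enc = EncryptByKey(Key_GUID('SQL_EKM_3DES'), credit_card);
SELECT CONVERT(varchar(32), DecryptByKey(credit_card_enc)) AS credit_card
  FROM user_credit_cards;

-- 6. Asymmetric key (overwrites the step 5 ciphertext; run one pair or the other).
UPDATE user_credit_cards
   SET credit_card_enc = EncryptByAsymKey(AsymKey_ID('SQL_EKM_RSA_1024'), credit_card);
SELECT CONVERT(varchar(32),
       DecryptByAsymKey(AsymKey_ID('SQL_EKM_RSA_1024'), credit_card_enc)) AS credit_card
  FROM user_credit_cards;
```

The catalog views sys.cryptographic_providers, sys.symmetric_keys and sys.asymmetric_keys show whether the provider and both keys were registered.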