Integration Guide: Microsoft Internet Information Server (IIS) 7.0 / 7.5
Microsoft Windows Server 2008 / R2 x64


Imprint

copyright 2014 Utimaco IS GmbH
Germanusstrasse 4
D-52080 Aachen
Germany

phone +49 (0)241 / 1696-200
fax +49 (0)241 / 1696-199
web http://hsm.utimaco.com
email [email protected]
version 1.2.0
date June 2014
author System Engineering HSM
document no. SGCS_IG_MicrosoftIIS7

all rights reserved. No part of this documentation may be reproduced in any form (printing, photocopy or according to any other process) without the written approval of Utimaco IS GmbH, or be processed, reproduced or distributed using electronic systems. Utimaco IS GmbH reserves the right to modify or amend the documentation at any time without prior notice. Utimaco IS GmbH assumes no liability for typographical errors and damages incurred due to them. All trademarks and registered trademarks are the property of their respective owners.


Contents

1 Introduction
2 Overview
3 Requirements
4 Procedures
4.1 Install SafeGuard® CryptoServer Hardware
4.2 Install SafeGuard® CryptoServer Software
4.2.1 Check Firmware Installation
4.2.2 Install Firmware
4.3 Configure Utimaco CSP
4.4 Install Internet Information Services 8.0
4.5 Create Certificate Request
4.6 Obtain the Certificate
4.7 Install the Certificate
5 Further Information


1 Introduction

The SafeGuard® CryptoServer is the hardware security module developed by Utimaco Safeware AG, i.e. a physically protected, specialized computer unit designed to perform sensitive cryptographic tasks and to securely manage cryptographic keys and data. In a SafeGuard® CryptoServer security system, security-relevant actions can be executed and security-relevant information can be stored. It can be used as a universal, independent security component for heterogeneous computer systems.

2 Overview

This document describes how to integrate the SafeGuard® CryptoServer solution into Microsoft Internet Information Services (IIS) with SSL (Secure Sockets Layer) encryption. Generally, Internet Information Services can be used without a Hardware Security Module (HSM). But with the integration of a SafeGuard® CryptoServer (either SafeGuard CryptoServer PCI or SafeGuard CryptoServer LAN) your private keys are stored far more securely: the SSL private key is generated and kept inside the HSM and, with the export policy of section 4.3, never needs to leave it. Furthermore, the HSM performs the private-key operations of the SSL handshake (the symmetric encryption of the session data itself stays on the host). This relieves the CPU of the computationally expensive public-key operations.


3 Requirements

Ensure that you have a copy of the SafeGuard CryptoServer - Administration Guide for csadm [1]. This document also assumes that Microsoft Windows Server 2012 has already been installed.

Software and Hardware Requirements

HSM Model:    SafeGuard CryptoServer CS-Series/S-Series/Se-Series PCI
              SafeGuard CryptoServer CS-Series/S-Series/Se-Series LAN
              SafeGuard CryptoServer Simulator CS/Se
HSM Firmware: SafeGuard SecurityServer 3.10.3
Software:     Microsoft Windows Server 2012
              SafeGuard SecurityServer 3.10.3


4 Procedures

To integrate the SafeGuard CryptoServer with Internet Information Services 8.0, complete the following steps:

• Install SafeGuard CryptoServer hardware

• Install SafeGuard CryptoServer software

• Configure Utimaco CryptoServer CSP

• Install Internet Information Services (IIS) 8.0

• Create a certificate request

• Obtain the certificate

• Install the certificate

4.1 Install SafeGuard® CryptoServer Hardware

For installation and setup of the SafeGuard CryptoServer hardware we refer to the PCI(e) Installation and Operating Manual [5][6] and the LAN Operating Manual [3][4] respectively.

4.2 Install SafeGuard® CryptoServer Software

For the installation of the SafeGuard CryptoServer software we refer to the CryptoServer Administration Guide [2]. Make sure that Utimaco CryptoServer CSP is selected during the installation of the SafeGuard CryptoServer software. The Utimaco CryptoServer CSP uses the CXI interface of the SafeGuard CryptoServer. Therefore check whether the CXI firmware module has already been loaded. Otherwise load the firmware package SecurityServer-3.10.1.mpkg onto the SafeGuard CryptoServer.

4.2.1 Check Firmware Installation

1. Start the CryptoServer Administration Tool (CAT)

START > ALL PROGRAMS > UTIMACO > SAFEGUARD CRYPTOSERVER

2. Connect to your SafeGuard® CryptoServer device


3. Press the LIST FIRMWARE button to list all installed firmware modules. If the CXI module is installed, it is listed like this:

68 CXI 2.1.2.2 INIT_OK

4.2.2 Install Firmware

If the CXI module has not been installed on the SafeGuard CryptoServer, follow these steps to load the firmware onto it.

1. Start CAT

START > ALL PROGRAMS > UTIMACO > SAFEGUARD CRYPTOSERVER

2. Connect to your SafeGuard CryptoServer device

3. Login as user with administrator privileges (e.g. ADMIN)

4. Open the dialog Setup CryptoServer

FIRMWARE MANAGEMENT > SETUP CRYPTOSERVER

5. Enter license file if necessary or leave it blank

6. Select firmware package file SecurityServer-3.10.1.mpkg

7. Choose either UPDATE or NEW INSTALLATION as the installation type. Select UPDATE if you only want to upload firmware modules and keep your databases untouched, or select NEW INSTALLATION if you want to remove all databases and firmware modules before the upload.

8. To start uploading the firmware package press SETUP.

9. You will be prompted to authorize the installation. Select either smartcard authorization or key

file token authorization and press OK button.

The SafeGuard CryptoServer restarts after the SafeGuard SecurityServer firmware package has been installed. To check that the setup was successful, repeat the steps of section 4.2.1.

4.3 Configure Utimaco CSP

The Utimaco CryptoServer CSP (Cryptographic Service Provider) has to be configured before it can be used in the integration with the Internet Information Services. The CSP has to be aware of the SafeGuard CryptoServer device(s). Note that the provider IIS actually uses is the CNG key storage provider of the same package, named Utimaco CryptoServer Key Storage Provider in the certificate request of section 4.5; its log file cs2cng.log is configured through this same applet. There are two ways the CSP can manage the storage of keys:

• The most common way is to store the keys inside the SafeGuard CryptoServer. This is the best

protection against physical and logical attacks.

• In a cluster or failover scenario keys are stored externally. Normally the external storage is a shared media device, e.g. a network storage device (SAN or iSCSI).

The next steps assume that an internal storage of keys is used.

1. Start the Utimaco CryptoServer CSP configuration by opening the applet

(START > ALL APPS > CSP CONFIGURATION).

2. Add a device to the list by pressing ADD DEVICE.

3. Enter the device specifier, e.g. an IP address, PCI:0 or 3001@localhost. Choose a group for newly generated or imported keys; usually the workstation name of the computer is chosen here. Optionally adjust the command timeout. Confirm the settings by pressing OK.

4. You are prompted for a user logon. Because a machine user will be created, a user with user-management permissions must authorize this action. The administrator ADMIN can be chosen here. Select ADMIN and press the LOGON button.

5. The credentials of the user ADMIN have to be provided. Enter the source of the private user key: use the >> button to select a key file, or enter the device specifier of the PIN pad (e.g. :cs2:cyb:USB), and press OK.


6. A lock icon indicates that the user has been logged on successfully. Press OK to proceed.

7. The SafeGuard CryptoServer device has now been added to the current device list.

8. Select the previously added device from the list and press SET DEFAULT. This makes the device the default device of this CSP configuration, indicated by a blue diamond in front of the device's address. In a cluster or failover scenario several other devices may be defined and shown here.

9. Open the KEY STORAGE tab to define the key export policy. The key used for SSL session establishment is generated inside the SafeGuard CryptoServer at a later stage (see section 4.5). To make sure that the private key never leaves the SafeGuard CryptoServer, not even in encrypted form, check DENY KEY EXPORT (EVEN ENCRYPTED) in addition to DENY PLAIN KEY EXPORT. If DENY KEY EXPORT (EVEN ENCRYPTED) is not checked, the private key can be exported to a file in encrypted form, which can be useful for a backup. Decide this deliberately before generating the key: the stricter setting also rules out that encrypted file backup.

10. Press OK to terminate the CryptoServer CSP configuration dialog.


4.4 Install Internet Information Services 8.0

To install Microsoft Internet Information Services (IIS) 8.0 you have to add the role Web Server (IIS) to your current server installation. Follow these steps for the setup:

1. Open the Server Manager

(START -> SERVER MANAGER).

2. Select the node MANAGE from the panel above.

3. Press ADD ROLES AND FEATURES to add another role to your server.

4. Press NEXT to proceed to the selection of the server or virtual hard disk on which the new role will be installed.

5. Select the server.

6. Check the role WEB SERVER (IIS) and press NEXT.

7. Follow the instruction of the wizard to accomplish the setup.

4.5 Create Certificate Request

It is necessary to create a specific certificate for use with SSL within the Internet Information Services. This certificate is bound to the external (https) port of your website to enable an SSL connection from a web browser (e.g. Internet Explorer). To get a certificate issued by a certification authority you have to create a certificate signing request (CSR). Normally an official certificate authority (e.g. VeriSign, Thawte) will create and sign a certificate based on your certificate request. If you don't need an officially signed certificate, you can also use an in-house certificate authority (e.g. a Microsoft Windows Server 2012 CA).

To create a certificate request you first need to create a template file. You then issue the certificate request based on this template file using Microsoft's utility certreq.exe, which is included in Microsoft Windows Server 2012. Create a file called request.inf which, amongst others, includes the following information:

• Subject details of the domain for which the SSL certificate shall be issued. The subject details must include a 2-letter country code "C" and a common name "CN", which may be a domain name or an IP address.

• Key algorithm and key length as required (e.g. RSA, 2048-bit key).

• Name of the Cryptographic Service Provider. For use with SafeGuard CryptoServer this needs to be Utimaco CryptoServer Key Storage Provider.

The other settings must be defined as shown in the following sample:

[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "C=DE,CN=www.mydomain.com"
HashAlgorithm = SHA256
KeyAlgorithm = RSA
KeyLength = 2048
; the provider decides where the key pair is generated: this one generates it inside the HSM
ProviderName = "Utimaco CryptoServer Key Storage Provider"
; 0xf0 = digitalSignature | nonRepudiation | keyEncipherment | dataEncipherment
KeyUsage = 0xf0
; machine context, so the IIS worker process (not a user profile) can use the key
MachineKeySet = True

[EnhancedKeyUsageExtension]
; id-kp-serverAuth
OID = 1.3.6.1.5.5.7.3.1

It is important that the ProviderName is given exactly as Utimaco CryptoServer Key Storage Provider. This is what links IIS with the SafeGuard CryptoServer: the key pair is generated by that provider, i.e. inside the HSM, instead of by a Microsoft software provider on the host.

• Save the content of the file request.inf to a directory. Make sure the quotation marks in the file are plain ASCII double quotes and not typographic quotes copied from this document.

• Open a command prompt.

• Change to the directory where you saved your request.inf file.

• Execute the following command. For debugging purposes you can follow the changes in the log file cs2cng.log; its location and the log level can be configured with the Utimaco CSP Configuration applet.

certreq.exe -new request.inf request.req

This command creates a certificate request file request.req that can either be sent to an official certificate authority or be signed by your in-house certificate authority. The second option is introduced in the next section.
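The following PowerShell script is an added example and is not part of the Utimaco guide. It writes the request.inf template from this section, runs certreq.exe -new, and then checks what the guide leaves to the reader: that the provider named in the template is actually registered on the host before the request is generated, that the resulting CSR carries the subject and the 2048-bit RSA key that were asked for, and which key containers the HSM provider now holds. The working directory and the subject are placeholders; the provider name is the one this section prescribes.

```powershell
# Added example (not from the Utimaco guide). Creates the certificate request of
# section 4.5 from PowerShell and verifies that the key was generated through the
# HSM key storage provider rather than a Microsoft software provider.
# Assumptions: CSP/KSP installed and configured (sections 4.2/4.3); subject and
# working directory are placeholders; the provider name is the one the guide requires.
$Subject      = "C=DE,CN=www.mydomain.com"                   # placeholder subject
$ProviderName = "Utimaco CryptoServer Key Storage Provider"   # must match exactly
$WorkDir      = Join-Path $env:ProgramData "iis-hsm-csr"      # placeholder directory
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$InfPath = Join-Path $WorkDir "request.inf"
$ReqPath = Join-Path $WorkDir "request.req"

# 1. The template from the guide, written with plain ASCII quotes.
#    KeyUsage 0xf0 = digitalSignature | nonRepudiation | keyEncipherment | dataEncipherment,
#    the EKU OID is id-kp-serverAuth, MachineKeySet puts the key in the machine context.
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "$Subject"
HashAlgorithm = SHA256
KeyAlgorithm = RSA
KeyLength = 2048
ProviderName = "$ProviderName"
KeyUsage = 0xf0
MachineKeySet = True

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@ | Set-Content -Path $InfPath -Encoding Ascii

# 2. Stop early if the provider is not registered: a typo in ProviderName or a
#    missing CSP installation would otherwise surface only as an opaque certreq error.
$cspList = & certutil.exe -csplist 2>&1 | Out-String
if ($cspList -notmatch [regex]::Escape($ProviderName)) {
    throw "Provider '$ProviderName' is not registered; re-check the CSP installation (section 4.2)."
}

# 3. Generate the key pair inside the CryptoServer and write the PKCS#10 request.
& certreq.exe -new $InfPath $ReqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed (exit code $LASTEXITCODE); see cs2cng.log" }

# 4. Inspect the request: subject and key size must be what the template asked for.
$dump = & certutil.exe -dump $ReqPath | Out-String
if ($dump -notmatch 'Public Key Length:\s*2048 bits') { throw "CSR does not carry a 2048-bit key" }
if ($dump -notmatch [regex]::Escape("CN=www.mydomain.com")) { throw "CSR subject does not match the template" }

# 5. List the key containers the HSM provider holds; the new machine key should be among them.
& certutil.exe -csp $ProviderName -key
Write-Host "Request written to $ReqPath; submit it to your CA (section 4.6)."
```

The check in step 2 is the one that matters operationally: if the provider name is wrong, certreq does not fall back to the HSM, and a key generated under a Microsoft software provider would be indistinguishable from an HSM key when looking at the CSR alone, since a PKCS#10 request carries no information about where the private key lives.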

4.6 Obtain the Certificate

After creating the certificate request, you obtain the certificate either from an external certificate authority or from your own. To use Active Directory Certificate Services as your own certificate authority for this purpose, complete the following steps:

1. Open the Server Manager

(START -> SERVER MANAGER).

2. Select the node MANAGE from the panel above.

3. Click ADD ROLES AND FEATURES, select ACTIVE DIRECTORY CERTIFICATE SERVICES in the SERVER ROLES section and later CERTIFICATION AUTHORITY WEB ENROLLMENT in the ROLE SERVICES section.

4. Complete the installation of the service and point your browser to http://localhost/certsrv/.

5. In the Select a task section, follow the link REQUEST A CERTIFICATE.

6. Click ADVANCED CERTIFICATE REQUEST.

7. Click SUBMIT A CERTIFICATE REQUEST BY USING A BASE-64-ENCODED CMC...

8. Paste the content of the certificate request (request.req) created in section 4.5 and click the SUBMIT button.

9. Click HOME in the upper right corner.

10. Open CERTIFICATION AUTHORITY

(START -> ADMINISTRATIVE TOOLS -> CERTIFICATION AUTHORITY).

11. Expand your certification authority and open the Pending Requests folder.

12. Right-click the latest request and click ALL TASKS -> ISSUE in the context menu.

13. Switch back to the browser window and click VIEW THE STATUS OF A PENDING CERTIFICATE REQUEST.


14. Now click on the saved request and download the certificate.
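The same submission can be scripted instead of going through the certsrv web pages. The following PowerShell script is an added example, not part of the Utimaco guide: it submits request.req to an AD CS certification authority with certreq.exe, handles the pending state that steps 11 to 13 above walk through in the console (the CA holds the request until an administrator issues it), issues and retrieves the certificate, and checks its subject before it is handed to section 4.7. The CA configuration string "CAHOST\Contoso-Issuing-CA" and the file paths are placeholders.

```powershell
# Added example (not from the Utimaco guide). Command-line equivalent of the
# certsrv steps in section 4.6: submit request.req to an AD CS CA, issue it if the
# CA holds it as pending, and retrieve the signed certificate.
# Assumptions: CA config string and paths are placeholders; issuing a pending
# request needs CA administrator / certificate manager rights on that CA.
$CAConfig = "CAHOST\Contoso-Issuing-CA"                    # placeholder "<CA host>\<CA name>"
$ReqPath  = "C:\ProgramData\iis-hsm-csr\request.req"      # placeholder (output of section 4.5)
$CerPath  = "C:\ProgramData\iis-hsm-csr\certificate.cer"  # placeholder (input for section 4.7)

# An enterprise CA requires a template name; a standalone CA (the pending-request
# flow of the guide) does not. Uncomment and adjust for an enterprise CA.
# $TemplateAttrib = @('-attrib', 'CertificateTemplate:WebServer')
$TemplateAttrib = @()

$out = & certreq.exe -submit -config $CAConfig @TemplateAttrib $ReqPath $CerPath 2>&1 | Out-String
Write-Host $out

# certreq prints the request id the CA assigned, e.g. "RequestId: 12".
if ($out -notmatch 'RequestId:\s*(\d+)') { throw "could not parse the RequestId from certreq output" }
$RequestId = [int]$Matches[1]

if ($out -match 'pending') {
    # Equivalent of Pending Requests -> All Tasks -> Issue in the CA console (step 12).
    & certutil.exe -config $CAConfig -resubmit $RequestId
    if ($LASTEXITCODE -ne 0) { throw "issuing request $RequestId failed (exit code $LASTEXITCODE)" }
    # Equivalent of "View the status of a pending certificate request" and download (steps 13/14).
    & certreq.exe -retrieve -config $CAConfig $RequestId $CerPath
    if ($LASTEXITCODE -ne 0) { throw "retrieving request $RequestId failed (exit code $LASTEXITCODE)" }
}

# Confirm the issued certificate is for the subject we requested before installing it.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
if ($cert.Subject -notmatch 'CN=www\.mydomain\.com') { throw "issued certificate has unexpected subject $($cert.Subject)" }
Write-Host "Issued: $($cert.Subject) by $($cert.Issuer), thumbprint $($cert.Thumbprint), valid until $($cert.NotAfter)"
```

Without -config, certreq prompts interactively for a CA, so the config string is what makes the script usable unattended. The final subject check is cheap insurance against picking up the wrong .cer file in section 4.7.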

4.7 Install the Certificate

After obtaining the certificate, you make it available to Internet Information Services. You have to install the certificate and bind it to the website served by the Internet Information Services:

1. Open a command prompt.

2. Execute the command

certreq.exe -accept {your certificate.cer}

where {your certificate.cer} is the certificate generated by the certificate authority. You

can observe the changes in the log file cs2cng.log. The location and the log level can be

configured using Utimaco CSP Configuration applet.

3. Open the Internet Information Services (IIS)Manager

(START -> INTERNET INFORMATION SERVICES MANAGER).

4. Click on the SITES node to show all available websites.

5. Select your website (e.g. DEFAULT WEB SITE).

6. Press BINDINGS... in the ACTIONS section at the right side of the window. This opens the dialog

Site Bindings.

7. Press the ADD... button to add a new secure binding (HTTPS).

8. Select HTTPS as type of the new binding.

9. Enter the IP address or domain name that you have defined as COMMON NAME (CN) in your

certificate request.

10. Choose your certificate in the SSL certificate box and press OK.

11. Press OK to close the bindings dialog.

12. Restart the website by pressing RESTART in the MANAGE WEBSITE section at the right side of the window.


After the certificate has been installed with a secure binding, you can check the installation by opening a web browser on any connected client and entering the address https://{ip address} or https://{domain name}. The connection is now encrypted with SSL, and the browser indicates this with the padlock/certificate icon next to the address bar. Open the certificate details in the browser and confirm that the certificate presented is the one issued in section 4.6, not an older one that may still be bound to the site.
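The following PowerShell script is an added example and is not part of the Utimaco guide. It carries out the installation steps of section 4.7 and the check above from the command line, and adds the one verification the GUI steps do not give you: that the private key behind the installed certificate is held by the CryptoServer key storage provider and not by a Microsoft software provider. The site name "Default Web Site", the host name www.mydomain.com, port 443 and the certificate path are placeholders; the script assumes the WebAdministration PowerShell module that ships with IIS 7.0 and later.

```powershell
# Added example (not from the Utimaco guide). Installs the issued certificate
# (section 4.7), verifies its private key is held by the CryptoServer provider,
# binds it to the IIS site, restarts the site and checks the TLS handshake.
# Assumptions: WebAdministration module available; site name, host name, port
# and certificate path are placeholders.
Import-Module WebAdministration
$CerPath  = "C:\ProgramData\iis-hsm-csr\certificate.cer"   # placeholder
$SiteName = "Default Web Site"                              # placeholder
$HostName = "www.mydomain.com"                              # the CN from section 4.5
$Port     = 443
$Provider = "Utimaco CryptoServer Key Storage Provider"

# 1. certreq -accept matches the certificate to the HSM key and stores it in LocalMachine\My.
& certreq.exe -accept $CerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed (exit code $LASTEXITCODE); see cs2cng.log" }

# 2. Look the certificate up by the thumbprint of the .cer file, not by subject, so an
#    older software-key certificate with the same CN cannot be picked up by mistake.
$expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
$cert = Get-Item "Cert:\LocalMachine\My\$($expected.Thumbprint)"
if (-not $cert.HasPrivateKey) { throw "certificate installed but no private key is associated with it" }

# 3. certutil -store reports which provider holds the key; it must be the HSM provider.
$storeDump = & certutil.exe -store My $cert.Thumbprint | Out-String
if ($storeDump -notmatch "Provider\s*=\s*$([regex]::Escape($Provider))") {
    throw "private key is not held by '$Provider' (check ProviderName in request.inf)"
}

# 4. Create the HTTPS binding once, attach the certificate to it and restart the site.
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port $Port
if (-not $binding) {
    New-WebBinding -Name $SiteName -Protocol https -Port $Port -IPAddress "*"
    $binding = Get-WebBinding -Name $SiteName -Protocol https -Port $Port
}
$binding.AddSslCertificate($cert.Thumbprint, "My")
Stop-Website -Name $SiteName
Start-Website -Name $SiteName

# 5. Handshake test. The validation callback accepts any chain on purpose: the served
#    certificate is compared against the expected thumbprint explicitly below, which is
#    stricter than chain validation for this check.
$tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
$cb  = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
try {
    $ssl.AuthenticateAsClient($HostName)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    if ($served.Thumbprint -ne $cert.Thumbprint) {
        throw "server presented $($served.Thumbprint), expected $($cert.Thumbprint)"
    }
    Write-Host ("TLS OK: {0}, {1}/{2}-bit, served {3}" -f $ssl.SslProtocol, $ssl.CipherAlgorithm, $ssl.CipherStrength, $served.Subject)
} finally {
    $ssl.Dispose()
    $tcp.Close()
}
```

If step 3 throws, the certificate was issued for a key generated outside the HSM; fixing it means going back to section 4.5 with the correct ProviderName, not re-binding in IIS. A successful handshake in step 5 also proves end to end that the HSM answered the private-key operation for the server's key exchange or signature.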


5 Further Information

This document forms a part of the information and support provided by Utimaco Safeware. Additional documentation can be found on the product CD in the documentation directory. All SafeGuard CryptoServer product documentation is also available at the Utimaco Safeware website: http://hsm.utimaco.com


References

[1] Utimaco Safeware AG. SafeGuard CryptoServer - Administration Guide for csadm, 2011. 2009-0003.

[2] Utimaco Safeware AG. SafeGuard CryptoServer - Handbuch für Systemverwalter (Manual for System Administrators), 2011. M010-0001-de.

[3] Utimaco Safeware AG. SafeGuard CryptoServer LAN - Operating Manual, 2011. M010-0005-en.

[4] Utimaco Safeware AG. SafeGuard CryptoServer LAN - Operating Manual, 2011. M010-0006-en.

[5] Utimaco Safeware AG. SafeGuard CryptoServer PCI - Operating and Installation Manual, 2011. M010-0003-en.

[6] Utimaco Safeware AG. SafeGuard CryptoServer PCIe - Operating and Installation Manual, 2011. M010-0004-en.


Contact

Utimaco IS GmbH
Germanusstraße 4
D-52080 Aachen
Germany

phone +49 241 1696-200
fax +49 241 1696-199
web http://hsm.utimaco.com
email [email protected]