Microsoft Internet Information Services
Configure Microsoft Internet Information Services to use a Luna Cloud HSM Service to provide full key life-cycle management with FIPS-certified hardware and to reduce the cryptographic load on the host server CPU.
We recommend you use the Luna Cloud HSM service for this integration.
We recommend that you familiarize yourself with the Microsoft IIS Documentation for more information on installation procedures.
This integration guide uses the following third party applications:
- Microsoft Internet Information Services (IIS)
This integration is supported on the following operating systems:
- Windows Server 2016
Prerequisites
Before proceeding with the integration complete the following:
Provision Luna Cloud HSM Service
Configure the Luna Cloud HSM service for your application integration. See the section Luna Cloud HSM Service for detailed instructions on deploying and initializing a Luna Cloud HSM service partition and Luna Cloud HSM service client for your application integration.
Please take the following limitations into consideration when integrating your application with a Luna Cloud HSM service partition:
Non-FIPS algorithms: Luna Cloud HSM services operate in a FIPS and non-FIPS mode, which affects which algorithms are available on the partition. If your organization requires non-FIPS algorithms for your operations, ensure you enable the Remove FIPS restrictions check box when configuring your Luna Cloud HSM service. The FIPS mode is enabled by default.
Refer to the Supported Mechanisms in the SDK Reference Guide for more information about available FIPS and non-FIPS algorithms.
Verify Luna Cloud HSM <slot> value: LunaCM commands work on the current slot. If there is only one slot, then it is always the current slot. If you are completing an integration using Luna Cloud HSM services, you need to verify which slot on the Luna Cloud HSM service you send commands to.
If there is more than one slot, then use the slot set command to direct a command to a specified slot. You can use slot list to determine which slot numbers are in use by which Luna Cloud HSM service.
Prepare Environment for Windows Integration
Your system requires access to the SafeNet Key Storage Provider (KSP). Copy the SafeNetKSP.dll file from your downloaded Luna Cloud HSM service client to C:\Windows\System32.
Failure to copy the SafeNetKSP.dll file will result in no access to the SafeNet Key Storage Providers during the integration. For example, if you are configuring Microsoft Active Directory Certificate Services, the SafeNet Key Storage Providers will not be available options when setting up the cryptography for the CA.
Integration
This chapter outlines the steps to install and integrate Microsoft Internet Information Services (IIS) with a Luna Cloud HSM Service on Windows Server 2016. Microsoft IIS uses the SafeNet Luna Key Storage Provider (KSP) for the integration.
We recommend that you familiarize yourself with Microsoft IIS before beginning the integration. Refer to the Windows Server Help Files for more information about using Microsoft IIS.
Configuring the SafeNet Key Storage Provider
Install the KSP for generating the CA certificate keys on the Luna Cloud HSM Service. See To register the SafeNet Key Storage Provider for more information about configuring the SafeNet KSP. The tool KspConfig.exe is included in the Luna Client installation directory or is available in the Luna Cloud HSM Service Client.
Navigate to the KSP installation directory. Run KspConfig.exe.
The KSP client is available in the Luna Cloud HSM Service Client in the /KSP folder.
Double-click Register or View Security Library.
Click Browse. Select the cryptoki.dll file from the Luna Cloud HSM Service Client. Click Register.
On successful registration, a Success! message displays. Click OK.
Double-click Register HSM Slots.
Register the HSM for the Administrator user.
a. Open the Register For User drop-down menu and select Administrator.
b. Open the Domain drop-down menu and select your domain.
c. Open the Available Slots drop-down menu and select the service label.
d. Enter the Slot Password.
e. Click Register Slot.
f. On successful registration, a Success! message displays. Click OK.
Register the HSM for the System user.
a. Open the Register For User drop-down menu and select SYSTEM.
b. Open the Domain drop-down menu and select NT AUTHORITY.
c. Open the Available Slots drop-down menu and select the service label.
d. Enter the Slot Password.
e. Click Register Slot.
f. On successful registration, a Success! message displays. Click OK.
The Luna Cloud HSM Service has been registered for both users, even though only one entry appears for the <slot_label> in the Registered Slots section of the KSP interface.
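Before moving on to the IIS installation it is worth confirming from the command line that the KSP is actually reachable, rather than discovering the gap later when the provider is missing from a drop-down. The following PowerShell check is an added example and is not part of the Thales guide or the Luna client; it assumes the default paths from this guide (SafeNetKSP.dll in C:\Windows\System32) and the provider name "SafeNet Key Storage Provider", and it uses the standard certutil -csplist and certutil -key switches to enumerate providers and key containers.

```powershell
# Added verification script (not part of the Thales guide): confirm the SafeNet KSP
# is present and registered before continuing with the IIS integration.
$ErrorActionPreference = 'Stop'

# 1. The KSP DLL must be in System32, otherwise CNG cannot load the provider at all.
$kspDll = Join-Path $env:SystemRoot 'System32\SafeNetKSP.dll'
if (-not (Test-Path $kspDll)) {
    throw "SafeNetKSP.dll not found at $kspDll; copy it from the Luna Cloud HSM client first."
}

# 2. certutil -csplist enumerates every CSP and KSP registered on this host.
#    The provider name below is the one used throughout this guide.
$providerName = 'SafeNet Key Storage Provider'
$providers = certutil -csplist 2>&1 | Out-String
if ($providers -notmatch [regex]::Escape($providerName)) {
    throw "$providerName is not registered; re-run KspConfig.exe (Register or View Security Library)."
}
Write-Host "OK: $providerName is registered with CNG."

# 3. Optional: enumerate the machine key containers the KSP can see. This forces the
#    KSP to open the registered slot, so it also proves the slot registration and
#    password entered in KspConfig.exe work for the current (Administrator) user.
#    There may be no containers yet on a freshly provisioned partition.
$keys = certutil -csp $providerName -key 2>&1 | Out-String
if ($LASTEXITCODE -ne 0) {
    throw "The KSP could not open the Luna Cloud HSM slot:`n$keys"
}
Write-Host "OK: the KSP opened the Luna Cloud HSM slot. Existing machine key containers:"
Write-Host $keys
```

Run it from an elevated PowerShell prompt as the Administrator account that was registered in KspConfig.exe. Step 3 only exercises the Administrator registration; the SYSTEM registration is exercised later when IIS (running as a service) opens the TLS key, which is why the final binding test in this guide is still needed.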
Installing Microsoft Internet Information Services
You must install Microsoft Internet Information Services (IIS) to integrate the service with a Luna Cloud HSM Service.
Open Server Manager. Click Configure this local server, select Add roles and features, and install Web Server (IIS).
Select the Default (or desired) components from within the wizard and complete the Microsoft IIS installation.
Creating a Certificate Request using Microsoft Internet Information Services
You can generate a Microsoft IIS certificate request using an encryption key stored on a Luna Cloud HSM Service.
IIS Manager does not support the generation of certificates using CNG keys. To use a CNG key you must create the key using the Microsoft command line utility.
Generate a certificate request using a Luna Cloud HSM Service
Create a file called request.inf with the following information:
[Version]
Signature= "$Windows NT$"
[NewRequest]
Subject = "C=<country_code>,CN=<common_name>,O=<company_name>,OU=<object>,L=<locality_name>,S=<state_name>"
HashAlgorithm = SHA256
KeyAlgorithm = RSA
KeyLength = 2048
ProviderName = "SafeNet Key Storage Provider"
KeyUsage = 0xf0
MachineKeySet = True
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
Specify the subject details of the Domain Controller which is issuing the certificate.
Specify the key algorithm and key length as required (e.g. RSA).
Specify the provider name as "SafeNet Key Storage Provider".
Save the above content in the file request.inf.
Parse the request file and create the certificate request for the Certification Authority (CA):
certreq.exe -new request.inf request.req
Validate the request file.
certutil.exe request.req
Submit the request.req to the CA for signing and to create the certificate.
certreq -attrib "CertificateTemplate:webserver" -submit request.req
Save the certificate as IIS-Cert.cer.
Install the certificate
Make the certificate available for use in Microsoft IIS.
certreq -accept IIS-Cert.cer
Bind the certificate to the secure IIS web server
Open the IIS Manager. Click Start, select Administrative Tools and open Internet Information Services (IIS) Manager.
Under Sites on the left hand side of the IIS Manager Window, select the desired web site.
On the right side of the IIS Manager, click Bindings. The Site Bindings dialog displays.
In the Site Bindings window, click Add.
Select the https protocol.
Select the IP address of the machine running IIS from the IP Address drop-down list.
Select the certificate from the drop-down list.
Click OK to complete the certificate binding for SSL connection.
Open a browser and enter https://<machine_name>:443. If necessary, accept the certificate in the browser to complete the SSL connection with the Microsoft IIS web server.
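The request, submission, installation and binding steps above can be scripted end to end, which also makes it easy to add the two checks a practitioner most wants here: that the issued certificate's private key really lives in the SafeNet KSP (and not in a software provider because of a typo in ProviderName), and that IIS is presenting that certificate after the binding is created. The PowerShell below is an added example, not code from the Thales guide or from Microsoft; the host name, organisation details, working directory, site name and CA selection are assumptions, the "webserver" template name is the one used in this guide, and the commands are the documented certreq, certutil and WebAdministration module commands.

```powershell
# Added example (not from the Thales guide): scripted CSR, issuance, install and
# HTTPS binding for IIS with an HSM-resident key. All placeholder values are assumed.
$ErrorActionPreference = 'Stop'
$workDir  = 'C:\Temp\iis-hsm'        # assumed working directory
$hostName = 'www.example.test'       # assumed web server FQDN used as the Subject CN
$siteName = 'Default Web Site'       # assumed IIS site to bind
$template = 'webserver'              # CA template name used in this guide
$provider = 'SafeNet Key Storage Provider'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
Set-Location $workDir

# 1. Write request.inf. ProviderName is what makes certreq create the key in the HSM.
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$hostName,O=Example Org,L=Ottawa,S=Ontario,C=CA"
HashAlgorithm = SHA256
KeyAlgorithm = RSA
KeyLength = 2048
ProviderName = "$provider"
KeyUsage = 0xf0
MachineKeySet = True

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@ | Set-Content -Path request.inf -Encoding ASCII

# 2. Generate the key pair in the Luna Cloud HSM and write the CSR.
certreq -new request.inf request.req
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# 3. Submit to the CA with the web server template and save the issued certificate.
#    certreq prompts for the CA unless you add: -config "CAHost\CAName" (assumed value).
certreq -attrib "CertificateTemplate:$template" -submit request.req IIS-Cert.cer
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed with exit code $LASTEXITCODE" }

# 4. Install the certificate; certreq pairs it with the pending HSM key.
certreq -accept IIS-Cert.cer
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

# 5. Find the installed certificate and verify its private key is held by the SafeNet KSP.
#    certutil -store prints the "Provider = ..." line only when it can locate the key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$hostName*" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "Certificate for $hostName not found in LocalMachine\My" }
$storeInfo = certutil -store My $cert.Thumbprint | Out-String
if ($storeInfo -notmatch "Provider = $([regex]::Escape($provider))") {
    throw "Private key for $($cert.Thumbprint) is not in the SafeNet KSP; check ProviderName in request.inf."
}

# 6. Create the HTTPS binding on 443 and attach the certificate to it.
Import-Module WebAdministration
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*'
}
$sslPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslPath) { Remove-Item $sslPath }
Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)" | New-Item $sslPath | Out-Null

# 7. Open a TLS connection to the local site and confirm the HSM-backed certificate
#    is the one presented. Chain validation is bypassed here on purpose: the check is
#    thumbprint equality, not trust, and an internal CA may not be trusted by this host.
$tcp = New-Object System.Net.Sockets.TcpClient('127.0.0.1', 443)
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
$ssl.AuthenticateAsClient($hostName)
$presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()
if ($presented.Thumbprint -ne $cert.Thumbprint) {
    throw "IIS presented $($presented.Thumbprint), expected $($cert.Thumbprint)"
}
Write-Host "OK: IIS is serving HTTPS on 443 with the HSM-backed certificate $($cert.Thumbprint)"
```

Step 7 is the counterpart of the browser test at the end of this guide and is the first point at which the SYSTEM registration of the slot is exercised, because IIS opens the private key as a service rather than as the Administrator account; a failure in the TLS handshake here, after step 5 succeeded, usually points at the SYSTEM / NT AUTHORITY registration in KspConfig.exe.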