Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Guides

Microsoft IIS

search
printsuggest an edit

Microsoft IIS

This guide outlines step-by-step instructions for seamlessly integrating Microsoft IIS (Internet Information Services) with a Luna HSM device or Luna Cloud HSM service. Microsoft IIS is a robust web server software integrated with Windows Server, designed for hosting and managing web applications. Offering scalability, security, and seamless integration with Microsoft technologies, IIS provides administrators and developers with an efficient platform for deploying diverse web solutions.

The key benefits of this integration are:

  • Secure generation, storage, and protection of the identity signing private keys using either FIPS 140-2 or FIPS 140-3 Level 3 validated hardware.

  • Full life cycle management of the keys to ensure their integrity and reliability throughout their usage.

  • Maintenance of a comprehensive HSM audit trail for transparency and accountability in key operations. It's important to note that Luna Cloud HSM service does not have access to this secure audit trail.

  • Significant performance enhancements by offloading cryptographic operations from application servers.


copy link to clipboardSupported Platforms

This integration has been tested and verified on the following platforms:

HSM Type Platform Tested
Luna HSM Windows Server 2016
Windows Server 2012 R2
Luna Cloud HSM Windows Server 2016
note

Note

This integration been tested using Luna Client in both High Availability (HA) and FIPS-compliant modes.


copy link to clipboardPrerequisites

The prerequisites for this integration are:

1Set up Luna HSM

2Install Microsoft IIS

copy link to clipboardSet up Luna HSM

As the first step to accomplish this integration, you need to set up either On-Premise Luna HSM or Luna Cloud HSM.


copy link to clipboardSet up On-Premise Luna HSM

Follow these steps to set up your on-premise Luna HSM:

1Ensure that the HSM is set up, initialized, provisioned, and ready for deployment. For more information, refer to Luna HSM documentation.

2Create a partition that will be later on used by Microsoft IIS.

3Create and exchange certificate between the Luna Network HSM and client system. Register client and assign partition to create an NTLS connection.

4Initialize Crypto Officer and Crypto User roles for the registered partition.

5Run the following command to verify that the partition has been successfully registered and configured: 

C:\Program Files\SafeNet\LunaClient>lunacm.exe

Upon successful execution, you should observe an output similar to the example provided below:

lunacm.exe (64-bit) v7.3.0-165. Copyright (c) 2018 SafeNet. All rights reserved. 
Available HSMs:
Slot Id ->                           1
Label ->                             part1
Serial Number ->                     1238696044953
Model ->                             LunaSA 7.3.0
Firmware Version ->                  7.3.0
Configuration ->                     Luna User Partition With SO (PW) Key Export With Cloning Mode
Slot Description ->                  Net Token Slot
note

Note

Refer to Luna HSM documentation for detailed steps on creating NTLS connection, initializing the partitions, and assigning various user roles.

note

Note

To ensure the correct configuration of a PED-based Luna HSM, make sure that the ProtectedAuthenticationPathFlagStatus is set to 1 within the Misc section of the Chrystoki.conf file.


copy link to clipboardSet up Luna HSM in FIPS Mode

To configure Luna HSM in FIPS Mode, it's important to ensure that your RSA key generation methods comply with FIPS 186-3/4 standards. Specifically, FIPS 186-3/4 approves two methods for generating keys: 186-3 with primes and 186-3 with aux primes. This means that RSA PKCS and X9.31 key generation methods are no longer allowed when operating your Luna HSM in a FIPS-compliant mode. When using the Luna HSM in FIPS mode, you should make adjustments to your configuration settings by following these steps:

1Open the configuration file for your Luna HSM.

2Look for the [Misc] section within the configuration file.

3Add or modify the following setting within the [Misc] section:

RSAKeyGenMechRemap=1

This setting instructs the Luna HSM to redirect older key generation mechanisms to the newly approved mechanism when the HSM is operating in FIPS mode.

note

Note

This adjustment is not necessary for the Universal Client.

note

Note

This configuration change applies exclusively to Luna Client 7.x.


copy link to clipboardSet up Luna Cloud HSM

The following steps are applicable for setting up the Luna Cloud HSM on a Windows environment:

1Transfer the downloaded .zip file to your client workstation using pscp, scp, or other secure means

2Extract the .zip file into a directory on your client workstation.

3Extract or untar the appropriate client package for your operating system. Do not extract to a new subdirectory; place the files in the client install directory.

cvclient-min.zip

4Run the setenv script to generate a new configuration file with the necessary information for the Luna Cloud HSM service. Right-click setenv.cmd and select Run as Administrator.

note

Note

To add the configuration to an already installed UC client, use the –addcloudhsm option when running the setenv script.

5Run the LunaCM utility and verify that the Cloud HSM service is listed.

note

Note

If your organization requires non-FIPS algorithms for your operations, ensure that the Allow non-FIPS approved algorithms check box is checked. For more information, refer to Supported Mechanisms.


copy link to clipboardInstall Microsoft IIS

To install Microsoft IIS:

1Open Server Manager.

2Click Configure this local server, and then select Add roles and features.

3Choose Web Server (IIS).

4Select the default or desired components within the wizard and complete the installation.

copy link to clipboardIntegrate Microsoft IIS with Luna HSM

To integrate Microsoft IIS with Luna HSM, undertake the following procedures:

Configure SafeNet KSP

Generate and install certificates in Microsoft IIS

copy link to clipboardConfigure SafeNet KSP

To configure SafeNet KSP:

note

Note

Prior to starting the integration process, we recommend becoming acquainted with Microsoft IIS. Consult the Windows Server Help Files for comprehensive information on utilizing Microsoft IIS.

1Install KSP Package.


  • For Luna HSM integration, install the KSP package as part of the Luna Client software installation.

  • For Luna Cloud HSM integration, locate the KSP package within the /KSP folder of the Luna Cloud HSM service client package.

2Configure KSP.


  • Navigate to <Luna HSM Client installation Directory>/KSP. For Luna Cloud HSM, use the /KSP folder in the service client package.

  • Double-click KspConfig.exe to launch the SafeNet KSP configuration wizard.

3Register or View Security Library.


  • Double-click on Register or View Security Library on the left side of the pane.

  • Click Browse and select a cryptographic library, such as <Luna HSM Client installation Directory>\cryptoki.dll or <cklog.dll>.

  • Click Register. A success message will be displayed upon successful registration: "Success registering the security library!"

4Register HSM Slots.


  • Double-click Register HSM Slots on the left side of the pane.

  • Enter the Slot (Partition) password.

  • Click Register Slot to register the slot for Domain\User. On success, a message will appear: "The slot was successfully and securely registered!"

5Register the same slot for NT_AUTHORITY\SYSTEM.

note

Note

Both slots are registered, even if only one entry appears for the service in the Registered Slots section of the KSP interface.

copy link to clipboardGenerate and install certificates in Microsoft IIS

Follow these steps to generate and install certificates in Microsoft IIS:

1Create a certificate request

2Install the certificate

3Bind the certificate with a secure IIS web server

copy link to clipboardCreate a certificate request

To create a certificate request linked to an encryption key in Microsoft IIS:

note

Note

IIS Manager does not support the creation of certificates protected by CNG keys. If you are using a CNG key, create it using the Microsoft command line utility.

1Create a file named request.inf with the following information:

[Version]
Signature= "$Windows NT$"
[NewRequest]
Subject = "C=IN,CN=IIS.com,O=Safenet,OU=HSM,L=Noida,S=UP"
HashAlgorithm = SHA256
KeyAlgorithm = RSA
KeyLength = 2048
ProviderName = "Safenet Key Storage Provider"
KeyUsage = 0xf0
MachineKeySet = True
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1

2Specify the subject details of the Domain Controller issuing the certificate.

3Specify the key algorithm and key length (RSA, for example) as required.

4Specify the Provider name as SafeNet Key Storage Provider.

5Save the above content in the file request.inf.

6Create the certificate request for the Certification Authority:

certreq.exe –new request.inf request.req

This generates a certificate request file called request.req that can be sent to a Certificate Authority.

copy link to clipboardInstall the certificate

To complete the certificate installation:

1Send the Certificate Signing Request (CSR) file to a trusted CA, such as VeriSign or Entrust. Request authentication and receive a signed certificate along with the certificate chain. Save the response in your current working directory.

2Make the certificate available for use in Microsoft IIS:

certreq.exe –accept signed.cer

Ensure that signed.cer is the binary signed certificate obtained from the CA.

copy link to clipboardBind the certificate with a secure IIS web server

To bind the certificate with a secure IIS web server:

1Open IIS Manager from Start > Administrative Tools > Internet Information Services (IIS) Manager.

2Select the desired website under Sites.

3Click Bindings on the right side.

4Click Add in the Site Bindings window.

5Select the https protocol.

6Choose the IP address of the machine running IIS from the drop-down list.

7Select the certificate from the drop-down list.

8Click OK to complete the certificate binding for an SSL connection.

9Open a browser and enter https://<machine_name>:443. If necessary, accept the certificate in the browser to complete the SSL connection with the Microsoft IIS web server.

On this page