Microsoft IIS
This guide provides step-by-step instructions for integrating Microsoft IIS (Internet Information Services) with a Luna HSM device or Luna Cloud HSM service, so that the private key behind an IIS website's TLS certificate is generated and kept inside the HSM and used through the SafeNet Key Storage Provider (KSP). Microsoft IIS is the web server built into Windows Server for hosting and managing web applications; it scales well and integrates with other Microsoft technologies, which makes it a common platform for deploying web solutions.
The key benefits of this integration are:
- Secure generation, storage, and protection of the private keys (for IIS, the TLS server keys) using either FIPS 140-2 or FIPS 140-3 Level 3 validated hardware.
- Full life cycle management of the keys to ensure their integrity and reliability throughout their usage.
- Maintenance of a comprehensive HSM audit trail for transparency and accountability in key operations. Note that this audit trail is not available with the Luna Cloud HSM service.
- Significant performance enhancements by offloading cryptographic operations from application servers.
Supported Platforms
This integration has been tested and verified on the following platforms:
HSM Type | Platform Tested |
---|---|
Luna HSM | Windows Server 2016, Windows Server 2012 R2 |
Luna Cloud HSM | Windows Server 2016 |
This integration has been tested using Luna Client in both High Availability (HA) and FIPS-compliant modes.
Prerequisites
The prerequisites for this integration are:
Set up Luna HSM
As the first step to accomplish this integration, you need to set up either On-Premise Luna HSM or Luna Cloud HSM.
Set up On-Premise Luna HSM
Follow these steps to set up your on-premise Luna HSM:
Ensure that the HSM is set up, initialized, provisioned, and ready for deployment. For more information, refer to Luna HSM documentation.
Create a partition that will be later on used by Microsoft IIS.
Create and exchange certificate between the Luna Network HSM and client system. Register client and assign partition to create an NTLS connection.
Initialize Crypto Officer and Crypto User roles for the registered partition.
Run the following command to verify that the partition has been successfully registered and configured:
C:\Program Files\SafeNet\LunaClient>lunacm.exe
Upon successful execution, you should observe an output similar to the example provided below:
lunacm.exe (64-bit) v7.3.0-165. Copyright (c) 2018 SafeNet. All rights reserved.

Available HSMs:

Slot Id ->              1
Label ->                part1
Serial Number ->        1238696044953
Model ->                LunaSA 7.3.0
Firmware Version ->     7.3.0
Configuration ->        Luna User Partition With SO (PW) Key Export With Cloning Mode
Slot Description ->     Net Token Slot
Refer to Luna HSM documentation for detailed steps on creating NTLS connection, initializing the partitions, and assigning various user roles.
To ensure the correct configuration of a PED-based Luna HSM, make sure that ProtectedAuthenticationPathFlagStatus is set to 1 within the Misc section of the Chrystoki.conf file (crystoki.ini on Windows).
Set up Luna HSM in FIPS Mode
To configure Luna HSM in FIPS Mode, it's important to ensure that your RSA key generation methods comply with FIPS 186-3/4 standards. Specifically, FIPS 186-3/4 approves two methods for generating keys: 186-3 with primes and 186-3 with aux primes. This means that RSA PKCS and X9.31 key generation methods are no longer allowed when operating your Luna HSM in a FIPS-compliant mode. When using the Luna HSM in FIPS mode, you should make adjustments to your configuration settings by following these steps:
Open the Luna HSM client configuration file (Chrystoki.conf on Linux, crystoki.ini on Windows).
Locate the [Misc] section within the configuration file.
Add or modify the following setting within the [Misc] section:
RSAKeyGenMechRemap=1
This setting instructs the Luna client to redirect the older key generation mechanisms (PKCS and X9.31) to the approved 186-3 mechanism when the HSM is operating in FIPS mode, so that applications requesting the old mechanisms do not fail with a mechanism-invalid error.
This adjustment applies only to Luna Client 7.x; it is not necessary for the Universal Client.
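The following PowerShell script is an added example for the steps above and is not part of the Thales guide. It edits the [Misc] section of the Windows client configuration idempotently: the key is modified if present, appended if absent, and the section is created if missing, so the script can be re-run safely. It assumes the Windows client stores its settings in crystoki.ini under the Luna client install directory (adjust $ConfigPath if yours differs); the -PedAuthenticated switch also sets the PED path flag described earlier.

```powershell
# Added example, not from the Thales guide: idempotently set the FIPS-mode
# remap (and, for PED-authenticated HSMs, the PED path flag) in the [Misc]
# section of the Luna Client 7.x configuration on Windows.
# Assumption: the Windows client keeps its settings in crystoki.ini under
# the Luna client install directory; adjust $ConfigPath if yours differs.
param(
    [string]$ConfigPath = 'C:\Program Files\SafeNet\LunaClient\crystoki.ini',
    [switch]$PedAuthenticated
)

function Set-IniKey {
    # Returns the file lines with Key=Value present exactly once inside [Section]:
    # modified in place if the key exists, appended if not, section created if missing.
    param([string[]]$Lines, [string]$Section, [string]$Key, [string]$Value)
    $out = New-Object System.Collections.Generic.List[string]
    $inSection = $false; $seenSection = $false; $written = $false
    foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+?)\]\s*$') {
            # Leaving the target section without having seen the key: append it.
            if ($inSection -and -not $written) { $out.Add("$Key=$Value"); $written = $true }
            $inSection = ($Matches[1] -eq $Section)
            if ($inSection) { $seenSection = $true }
            $out.Add($line); continue
        }
        if ($inSection -and $line -match ('^\s*' + [regex]::Escape($Key) + '\s*=')) {
            # Rewrite the first occurrence, drop any duplicate occurrences.
            if (-not $written) { $out.Add("$Key=$Value"); $written = $true }
            continue
        }
        $out.Add($line)
    }
    if (-not $seenSection) { $out.Add(''); $out.Add("[$Section]") }
    if (-not $written) { $out.Add("$Key=$Value") }
    return $out.ToArray()
}

$lines = Get-Content -Path $ConfigPath
$lines = Set-IniKey $lines 'Misc' 'RSAKeyGenMechRemap' '1'
if ($PedAuthenticated) {
    $lines = Set-IniKey $lines 'Misc' 'ProtectedAuthenticationPathFlagStatus' '1'
}
Copy-Item $ConfigPath "$ConfigPath.bak" -Force               # keep a rollback copy
Set-Content -Path $ConfigPath -Value $lines -Encoding ASCII
Get-Content $ConfigPath | Select-String -Context 0,6 '^\[Misc\]'   # show the resulting section
```

Run it from an elevated PowerShell prompt, since the Luna client directory is not writable by standard users. Applications that already have cryptoki.dll loaded only pick up the change after they are restarted.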
Set up Luna Cloud HSM
The following steps are applicable for setting up the Luna Cloud HSM on a Windows environment:
Transfer the downloaded .zip file to your client workstation using pscp, scp, or other secure means.
Extract the .zip file into a directory on your client workstation.
Extract or untar the appropriate client package for your operating system (cvclient-min.zip for Windows). Do not extract to a new subdirectory; place the files in the client install directory.
Run the setenv script to generate a new configuration file with the necessary information for the Luna Cloud HSM service. Right-click setenv.cmd and select Run as Administrator.
To add the configuration to an already installed UC client, use the -addcloudhsm option when running the setenv script.
Run the LunaCM utility and verify that the Cloud HSM service is listed.
If your organization requires non-FIPS algorithms for your operations, ensure that the Allow non-FIPS approved algorithms check box is checked. For more information, refer to Supported Mechanisms.
Install Microsoft IIS
To install Microsoft IIS:
Open Server Manager.
Click Configure this local server, and then select Add roles and features.
Choose Web Server (IIS).
Select the default or desired components within the wizard and complete the installation.
Integrate Microsoft IIS with Luna HSM
To integrate Microsoft IIS with Luna HSM, undertake the following procedures:
Generate and install certificates in Microsoft IIS
Configure SafeNet KSP
To configure SafeNet KSP:
Before starting the integration, become acquainted with Microsoft IIS. Consult the Windows Server Help Files for comprehensive information on using Microsoft IIS.
Install the KSP package.
- For Luna HSM integration, install the KSP package as part of the Luna Client software installation.
- For Luna Cloud HSM integration, locate the KSP package in the KSP folder of the Luna Cloud HSM service client package.
Configure KSP.
- Navigate to <Luna HSM Client installation Directory>\KSP. For Luna Cloud HSM, use the KSP folder in the service client package.
- Double-click KspConfig.exe to launch the SafeNet KSP configuration wizard.
Register or View Security Library.
- Double-click Register or View Security Library on the left side of the pane.
- Click Browse and select the cryptographic library, <Luna HSM Client installation Directory>\cryptoki.dll (or cklog.dll if you want the PKCS#11 calls logged for troubleshooting).
- Click Register. On success the message "Success registering the security library!" is displayed.
Register HSM Slots.
- Double-click Register HSM Slots on the left side of the pane.
- Select the slot (partition) and enter its Crypto Officer password.
- Click Register Slot to register the slot for Domain\User. On success the message "The slot was successfully and securely registered!" appears.
- Register the same slot for NT_AUTHORITY\SYSTEM. This is required because the TLS private key is used by Windows system services, not by the interactive user who ran the wizard.
Both slots are registered, even if only one entry appears for the service in the Registered Slots section of the KSP interface.
Generate and install certificates in Microsoft IIS
Follow these steps to generate and install certificates in Microsoft IIS:
Create a certificate request
To create a certificate request whose private key is generated in the HSM:
The Create Certificate Request wizard in IIS Manager cannot generate keys in a CNG key storage provider such as the SafeNet KSP. Create the request with the certreq.exe command-line utility instead, as described below.
Create a file named request.inf
with the following information:
[Version]
Signature= "$Windows NT$"
[NewRequest]
Subject = "C=IN,CN=IIS.com,O=Safenet,OU=HSM,L=Noida,S=UP"
HashAlgorithm = SHA256
KeyAlgorithm = RSA
KeyLength = 2048
ProviderName = "Safenet Key Storage Provider"
KeyUsage = 0xf0
MachineKeySet = True
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
Set the Subject to the identity of the IIS web server: the CN must match the host name clients will use to reach the site. The values shown above are placeholders.
Specify the key algorithm and key length (RSA 2048, for example) as required. In FIPS mode only FIPS-approved key sizes and generation mechanisms are available.
Set ProviderName to SafeNet Key Storage Provider so that the key pair is generated inside the HSM partition registered with the KSP rather than in the Microsoft software provider.
Save the above content in the file request.inf.
Create the certificate request for the Certification Authority:
certreq.exe -new request.inf request.req
This generates the key pair in the HSM and writes a certificate request file called request.req that can be sent to a Certificate Authority.
Install the certificate
To complete the certificate installation:
Send the Certificate Signing Request (CSR) file, request.req, to a trusted CA, such as a public CA or your organization's internal CA, and receive a signed certificate along with its certificate chain. Save the response in your current working directory.
Make the certificate available for use in Microsoft IIS:
certreq.exe -accept signed.cer
Ensure that signed.cer is the signed certificate returned by the CA. certreq matches it against the pending request created in the previous step and links it to the private key held in the HSM; if no matching pending request exists, the certificate is installed without a usable private key and cannot be bound in IIS.
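The following PowerShell script is an added example covering the request and install steps above; it is not code from the Thales guide. Beyond running certreq, it adds the two checks a practitioner wants before going further: that the SafeNet KSP is actually registered with CNG, and, after the certificate is accepted, that the private key linked to it is held by the SafeNet KSP rather than the Microsoft software provider. It assumes it is run elevated in the directory that will hold request.inf and signed.cer, and the CN iis.example.com is a placeholder host name.

```powershell
# Added example, not part of the Thales guide. Generates the CSR through the
# SafeNet KSP and, once the CA reply is saved as signed.cer, installs it and
# verifies that the linked private key really lives in the HSM.
# Assumptions: elevated prompt, working directory holds request.inf/signed.cer,
# CN=iis.example.com is a placeholder.
$ErrorActionPreference = 'Stop'
$Provider = 'SafeNet Key Storage Provider'

# 1. Is the KSP registered with CNG at all? certutil -csplist enumerates CSPs and KSPs.
if (-not (certutil -csplist | Select-String -SimpleMatch $Provider)) {
    throw "'$Provider' is not registered with CNG; run KspConfig.exe first."
}

# 2. Write the request INF (single-quoted here-string so $Windows NT$ is not expanded).
$inf = @'
[Version]
Signature= "$Windows NT$"
[NewRequest]
Subject = "CN=iis.example.com,O=Example,OU=HSM"
HashAlgorithm = SHA256
KeyAlgorithm = RSA
KeyLength = 2048
ProviderName = "SafeNet Key Storage Provider"
KeyUsage = 0xf0
MachineKeySet = True
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
'@
Set-Content -Path request.inf -Value $inf -Encoding ASCII

# 3. Generate the key pair in the HSM partition and the CSR.
certreq.exe -new request.inf request.req
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
Write-Host 'CSR written to request.req; submit it to the CA and save the reply as signed.cer'

# 4. Once the CA reply is present, accept it into the machine store (where the
#    pending request lives because of MachineKeySet = True).
if (Test-Path signed.cer) {
    certreq.exe -accept -machine signed.cer
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -like 'CN=iis.example.com*' } |
            Sort-Object NotBefore -Descending | Select-Object -First 1
    if (-not $cert -or -not $cert.HasPrivateKey) {
        throw 'certificate installed without a linked private key (no matching pending request?)'
    }

    # 5. Confirm the key handle comes from the SafeNet KSP, not the Microsoft software KSP.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -isnot [System.Security.Cryptography.RSACng]) {
        throw "private key is a legacy CAPI key ($($rsa.GetType().Name)), not a CNG/KSP key"
    }
    $keyProvider = $rsa.Key.Provider.Provider        # RSACng -> CngKey -> CngProvider -> name
    if ($keyProvider -ne $Provider) { throw "private key is held by '$keyProvider', not the HSM" }
    Write-Host "OK: $($cert.Thumbprint) uses key '$($rsa.Key.KeyName)' in '$keyProvider'"
}
```

The provider check in step 5 is the one that matters from a security standpoint: if a previous run or a misconfigured INF generated the key in the Microsoft Software Key Storage Provider, certreq and IIS behave identically, and only the provider name on the key handle reveals that the key never entered the HSM.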
Bind the certificate with a secure IIS web server
To bind the certificate with a secure IIS web server:
Open IIS Manager from Start > Administrative Tools > Internet Information Services (IIS) Manager.
Select the desired website under Sites.
Click Bindings on the right side.
Click Add in the Site Bindings window.
Select the https protocol.
Choose the IP address of the machine running IIS from the drop-down list.
Select the certificate from the drop-down list.
Click OK to complete the certificate binding for an SSL connection.
Open a browser and enter https://<machine_name>:443. If necessary, accept the certificate in the browser to complete the SSL connection with the Microsoft IIS web server. If the handshake fails, confirm that the slot was also registered for NT_AUTHORITY\SYSTEM in the KSP configuration, since the private-key operation is performed by a system service rather than by your user account.
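The following PowerShell script is an added example of the binding procedure above and is not part of the Thales guide. It performs the IIS Manager steps with the WebAdministration module and then verifies the result at two levels: what HTTP.sys has registered for port 443, and which certificate a real TLS handshake against the site returns. It assumes the site name "Default Web Site", an https binding on all IP addresses and port 443, and a certificate found by the placeholder CN iis.example.com.

```powershell
# Added example, not from the Thales guide: bind the HSM-backed certificate to
# an IIS site over HTTPS and check the live endpoint.
# Assumptions: site 'Default Web Site', all addresses on 443, certificate
# selected by its subject CN (placeholder iis.example.com). Run elevated.
$ErrorActionPreference = 'Stop'
Import-Module WebAdministration
$SiteName = 'Default Web Site'
$HostName = 'iis.example.com'
$Port     = 443

# Pick the newest certificate for the host that has a linked private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$HostName*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "no certificate with a private key for CN=$HostName in LocalMachine\My" }

# 1. Add the https binding to the site if it is not there yet (equivalent of Bindings > Add).
$existing = Get-WebBinding -Name $SiteName -Protocol https -Port $Port -ErrorAction SilentlyContinue
if (-not $existing) {
    New-WebBinding -Name $SiteName -Protocol https -Port $Port -IPAddress '*'
}

# 2. Attach the certificate to the 0.0.0.0:443 SSL binding in HTTP.sys, replacing any old one.
$sslPath = "IIS:\SslBindings\0.0.0.0!$Port"
if (Test-Path $sslPath) { Remove-Item $sslPath }
New-Item $sslPath -Value $cert | Out-Null

# 3. Check what HTTP.sys actually registered: the hash must be our thumbprint.
$registered = (netsh http show sslcert ipport=0.0.0.0:$Port) -join "`n"
if ($registered -notmatch [regex]::Escape($cert.Thumbprint)) {
    throw "HTTP.sys is not serving $($cert.Thumbprint) on port $Port"
}

# 4. Do a real handshake and compare the certificate the server presents.
#    The validation callback accepts any chain here because we compare thumbprints ourselves.
$tcp = New-Object System.Net.Sockets.TcpClient('localhost', $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient($HostName)
$served   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$protocol = $ssl.SslProtocol
$ssl.Dispose(); $tcp.Close()
if ($served.Thumbprint -ne $cert.Thumbprint) {
    throw "server presented $($served.Thumbprint), expected $($cert.Thumbprint)"
}
Write-Host "OK: $SiteName serves $($served.Subject) ($($served.Thumbprint)) over $protocol"
```

Step 4 is the check that exercises the HSM: completing the handshake requires a signature with the private key, performed by the system TLS stack through the SafeNet KSP. A failure at this step with a correct binding usually points at the NT_AUTHORITY\SYSTEM slot registration or at an unreachable partition, not at IIS itself.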