Getting started
Refer to the sections below to get started with the integration.
Supported configurations
Thales has tested integration with Microsoft OCSP using the configurations listed in the table below.
Operating system | PTK version | PS3 HSM hardware | PS3 HSM firmware |
---|---|---|---|
Windows Server 2019 | 7.1.0 | PCIe3, PSE3, PSE3+ | 7.01.00 |
Note
This integration is tested with ProtectServer 3 HSMs in FIPS Mode.
Setting up your environment for the integration
Before beginning the integration, set up your environment as described in this section.
To set up your environment for the integration
- Install one of the supported operating systems on the client machine. Refer to Supported configurations for more information.
- Set up, initialize, provision, and prepare a ProtectServer 3 HSM for deployment. Refer to ProtectServer 3 HSM and ProtectToolkit 7 installation and configuration for more information.
- Install the ProtectToolkit-C Runtime and CNG Provider packages on the client machine. Refer to ProtectToolkit 7 software installation and Setup and configuration for more information about installing ProtectToolkit and configuring ProtectToolkit-M, respectively.

  Note
  If you are operating the ProtectServer 3 HSM in FIPS Mode for this integration, ensure that the client system is configured to communicate with the HSM over the Secure Messaging System (SMS). For more information, refer to Using ProtectToolkit-M with the Secure Messaging System enabled.
- Configure the ProtectServer 3 HSM for the integration.
  - Create a slot on the HSM that will be used by MS OCSP. Refer to Adding and removing slots for more information.
  - Verify that the HSM is successfully configured by running hsmstate, and list the slots with ctkmu l:

    ```
    C:\Users\Administrator>hsmstate
    HSM device 0: HSM in NORMAL MODE. RESPONDING. Usage Level=0%

    C:\Users\Administrator>ctkmu l
    ProtectToolkit C Key Management Utility 7.0.0
    Copyright (c) Safenet, Inc. 2009-2021
    Cryptoki Version = 2.20
    Manufacturer = Safenet, Inc.

    Test (Slot 0)
    AdminToken (524128) (Slot 1)

    C:\Users\Administrator>
    ```
- Set up Microsoft's Online Certificate Status Protocol (OCSP). Refer to Setting up Microsoft OCSP for the complete procedure.
- Configure the SafeNet Key Storage Provider (KSP). Refer to Configuring the SafeNet KSP for more information.
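The hsmstate and ctkmu l checks above are usually read by eye. The following PowerShell script is an added example (not Thales's own code) that parses the output of those two commands and reports whether the HSM is in NORMAL MODE and RESPONDING and whether the slot created for MS OCSP is present. The sample output embedded in the script is constructed from the transcript in this guide; the slot label "Test" is assumed to be the slot you created for OCSP, so substitute your own label.

```powershell
# Added example (not Thales's own code): parse hsmstate and ctkmu l output
# to confirm the HSM is healthy and the OCSP slot exists before continuing.

function Get-PtkHsmDevice {
    param([string[]]$HsmStateOutput)
    # hsmstate prints one line per device, for example:
    # "HSM device 0: HSM in NORMAL MODE. RESPONDING. Usage Level=0%"
    $devices = @()
    foreach ($line in $HsmStateOutput) {
        if ($line -match '^HSM device (\d+): HSM in (\S+ MODE)\. (\w+)\.') {
            $devices += [pscustomobject]@{
                Device     = [int]$Matches[1]
                Mode       = $Matches[2]
                Responding = ($Matches[3] -eq 'RESPONDING')
            }
        }
    }
    return $devices
}

function Get-PtkSlot {
    param([string[]]$CtkmuOutput)
    # ctkmu l lists each token as "<label> [(<serial>)] (Slot <n>)".
    # The serial is optional: "Test (Slot 0)" has none in the transcript.
    $slots = @()
    foreach ($line in $CtkmuOutput) {
        if ($line -match '^\s*(.+?)\s*(?:\((\d+)\))?\s*\(Slot (\d+)\)\s*$') {
            $slots += [pscustomobject]@{
                Label  = $Matches[1]
                Serial = $Matches[2]
                Slot   = [int]$Matches[3]
            }
        }
    }
    return $slots
}

function Test-OcspHsmReady {
    param(
        [string[]]$HsmStateOutput,
        [string[]]$CtkmuOutput,
        [string]$SlotLabel     # label of the slot created for MS OCSP
    )
    $ok = $true
    $devices = Get-PtkHsmDevice $HsmStateOutput
    if ($devices.Count -eq 0) {
        Write-Warning 'hsmstate reported no HSM device'
        $ok = $false
    }
    foreach ($d in $devices) {
        if ($d.Mode -ne 'NORMAL MODE' -or -not $d.Responding) {
            Write-Warning ("HSM device {0}: mode={1}, responding={2}" -f $d.Device, $d.Mode, $d.Responding)
            $ok = $false
        }
    }
    $target = Get-PtkSlot $CtkmuOutput | Where-Object { $_.Label -eq $SlotLabel }
    if (-not $target) {
        Write-Warning "no slot labelled '$SlotLabel' was listed by ctkmu l"
        $ok = $false
    }
    return $ok
}

# Constructed sample output, copied from the transcript in this guide.
$sampleHsmState = @('HSM device 0: HSM in NORMAL MODE. RESPONDING. Usage Level=0%')
$sampleCtkmu = @(
    'ProtectToolkit C Key Management Utility 7.0.0',
    'Copyright (c) Safenet, Inc. 2009-2021',
    'Cryptoki Version = 2.20',
    'Manufacturer = Safenet, Inc.',
    'Test (Slot 0)',
    'AdminToken (524128) (Slot 1)'
)
Test-OcspHsmReady -HsmStateOutput $sampleHsmState -CtkmuOutput $sampleCtkmu -SlotLabel 'Test'

# On a client with ProtectToolkit installed, run it against the live tools:
# Test-OcspHsmReady -HsmStateOutput (& hsmstate) -CtkmuOutput (& ctkmu l) -SlotLabel 'Test'
```

The script returns $true only when every device reported by hsmstate is in NORMAL MODE and RESPONDING and the named slot appears in the ctkmu listing, so it can be dropped into a pre-flight check before the OCSP and KSP steps.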
Setting up Microsoft OCSP
Note
All machines in the OCSP setup require Domain Administrator privileges.
Microsoft OCSP must be installed on the target machine using the following setup:
- Windows Server machine that will be used as a domain controller.
- Windows Server machine that will be used as CA and OCSP Server.
- Windows machine, which will become a client to submit enrolment requests to the CA.
The three machines utilized are denoted in the setup as follows:
- OCSPDC: Windows Server Domain Controller machine.
- OCSPSERV: Windows Server CA and OCSP Server machine.
- OCSPCL: Windows Server client machine.
You can install Microsoft OCSP and CA on separate machines. If you are configuring your OCSP on separate machines, the following setup is recommended:
- OCSPCA: Windows Server machine, which will become a domain controller and CA.
- OCSPSERV: Windows Server machine, which will become an OCSP Server.
- OCSPCL: Windows machine, which will become a client to submit enrolment requests to the CA.
Configuring the SafeNet KSP
Note
If you are configuring Microsoft OCSP on multiple systems, the SafeNet KSP must be configured on the Certificate Authority and OCSP server systems.
To configure the SafeNet KSP
- Navigate to the KSP installation directory.
- Run the KSP configuration wizard (KspConfig.exe).
- Double-click Register Or View Security Library.
- Browse to the cryptoki.dll library in the SafeNet ProtectServer 3 HSM Client installation directory and select Register.
  On successful registration, the following message appears:
- Double-click Register HSM Slots on the left side of the pane.
- Register the slot for the Administrator as follows:
  - Open the Register for User drop-down menu and select ADMINISTRATOR.
  - Open the Domain drop-down menu and select your domain.
  - Open the Available Slots drop-down menu and select the relevant service.
  - Enter the Slot Password.
  - Select Register Slot.
    On successful registration, the following message appears:
- Register the same slot for NT AUTHORITY\SYSTEM.
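KspConfig.exe is a GUI wizard, so it helps to confirm the result from the command line on the CA and OCSP server systems. The following PowerShell script is an added example (not Thales's own code) that uses the standard certutil options -csplist and -key -csp: the first to check that the SafeNet KSP is visible to CNG, the second to make the KSP open the registered slot. The provider name "SafeNet Key Storage Provider" is an assumption not stated in this guide (use the name certutil -csplist reports on your system), and the -csplist sample output is constructed, not captured from a real server.

```powershell
# Added example (not Thales's own code): verify the SafeNet KSP after
# running KspConfig.exe. Run it as the account the slot was registered
# for (for example the Administrator), on the CA and OCSP server systems.

$KspName = 'SafeNet Key Storage Provider'   # assumption: adjust to the name certutil reports

function Get-CngProviderName {
    param([string[]]$CspListOutput)
    # certutil -csplist prints one "Provider Name: <name>" line per provider.
    $names = @()
    foreach ($line in $CspListOutput) {
        if ($line -match '^\s*Provider Name:\s*(.+?)\s*$') { $names += $Matches[1] }
    }
    return $names
}

function Test-KspRegistered {
    param([string[]]$CspListOutput, [string]$ProviderName)
    return [bool]((Get-CngProviderName $CspListOutput) -contains $ProviderName)
}

function Test-KspSlotAccess {
    param([string]$ProviderName)
    # Enumerating keys through the KSP makes it open the slot registered in
    # KspConfig.exe for the current user; certutil exits non-zero if the
    # provider cannot open the slot (wrong user, missing registration).
    $null = & certutil -key -csp $ProviderName 2>&1
    return ($LASTEXITCODE -eq 0)
}

# Constructed sample output for an offline run of the parser.
$sampleCspList = @(
    'Provider Name: Microsoft Software Key Storage Provider',
    'Provider Name: SafeNet Key Storage Provider',
    'CertUtil: -csplist command completed successfully.'
)
Test-KspRegistered -CspListOutput $sampleCspList -ProviderName $KspName

# On the CA or OCSP server, against the live system:
# Test-KspRegistered -CspListOutput (& certutil -csplist) -ProviderName $KspName
# Test-KspSlotAccess -ProviderName $KspName
```

Because the slot is registered per user, run Test-KspSlotAccess under the same account you selected in the Register for User drop-down; a pass as Administrator says nothing about the separate NT AUTHORITY\SYSTEM registration the procedure also requires.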