Thales nShield Series
RSA Secured Implementation Guide For 3rd Party PKI Applications
Last Modified: November 16, 2011

Partner Information
  Partner Name: Thales
  Web Site: www.thales-esecurity.com

Product Information
  Product Name: nShield
  Version & Platform: 11.50
  Product Description: The nShield™ range of hardware security modules (HSMs) provides both physical and logical protection for cryptographic keys and sensitive application code. All cryptographic applications benefit from the highly secure, tamper-resistant hardware environment. This enables sensitive material to be effectively managed and safely stored without fear of compromise from internal or external threats, while simultaneously ensuring maximum system availability. The nShield family of HSMs offers a range of performance options and security validation to best fit each organization's requirements.

Solution Summary
nShield Connect enables enterprises to add hardware protection to critical applications such as public key infrastructures (PKIs), databases, and web and application servers. Using standard cryptographic interfaces, nShield Connect integrates readily with Microsoft Certificate Services (PKI), Entrust Authority Security Manager, RSA Certificate Manager, Oracle Database, Microsoft SQL Server, and many other applications.

Product Configuration

Before You Begin
This section provides instructions for configuring the Thales nShield series HSMs (Hardware Security Modules) with RSA Certificate Manager. This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both working knowledge of all products involved and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components.
Configuration Overview
The integration of RSA Certificate Manager with Thales nShield HSMs requires a number of configuration steps. The following procedure is an overview of the steps that are required for the integration:
• Installing the Thales nShield HSM hardware
• Installing the Thales nShield Support software
• Setup the Network Modules (nShield Connect only)
• Creating the Thales Security World
• Installing RSA Certificate Manager software
• Configuring RSA Certificate Manager software

Installing the Thales nShield HSM hardware
To install the Thales nShield HSM, refer to the Thales Quick Start Guide or the Hardware Installation Guide documentation for your HSM.
Note: The installation manual can be found on the Thales Support Software CD that comes with the HSM.

Installing the Thales Support software
To install the Thales Support software, perform the following steps:
1. Launch the Thales nShield Support software installer and click Next.
2. Click Yes to accept the License Agreement.
3. Do not install the software into the default directory. Click the Browse… button and change the Destination folder to c:\nfast.
4. Continue to click the Next button for all remaining prompts.
5. Click the Finish button to complete the install.
6. After the InstallShield wizard has finished, move all the directories under c:\Documents and Settings\All Users\Application Data\nCipher to c:\nfast.
7. Rename the following folders in the c:\nfast directory:
   • Key Management Data to kmdata
   • Feature Certificates to femcerts
   • Log Files to log
8. Next, navigate to the Windows Control Panel > System > Advanced > Environment Variables and change the following environment variables that were created during the install:
   • NFAST_CERDIR = c:\nfast\femcerts
   • NFAST_KMDATA = c:\nfast\kmdata
   • NFAST_LOGDIR = c:\nfast\log

Setup the Network Modules (nShield Connect only)
To set up the Network modules for the nShield Connect, refer to the section Basic Software Setup in the nShield Connect Quick Start Guide.
Note: The nShield Connect Quick Start Guide can be found on the Thales Support Software CD that comes with the HSM.

Creating the Thales Security World
A Security World stores encrypted key material and related data in files in the remote file system on the client. Within a given Security World there are two types of card sets: an Administrator Card Set (ACS) and Operator Card Sets (OCS). The Administrator Card Set is used to control access to Security World recovery functions, and is created during the Security World's initialization. There is only one Administrator Card Set per Security World. Operator Card Sets are used to control access to application keys, such as those created and used by the RSA CA. There may be many Operator Card Sets per Security World, and they may be created at any time after the Security World is initialized. For complete instructions on creating the Security World, refer to the section nCipher Security Worlds in the nShield User Guide.
Important: If nCipher SSL keys are to be used with the CA, it is recommended that the Operator Card Set (OCS) be created as persistent. If multiple card sets are to be used with the RSA CA installation, then the SSL keys' card set must be set as persistent.
Otherwise, when the server keys' card set is removed from the nShield device to allow operation with another card set, the server keys will be unloaded from the nShield device and the RSA CA servers will be unable to communicate.

Installing RSA Certificate Manager software
Before installing RSA Certificate Manager, the Thales nfast Windows services must be running. The RSA Certificate Manager will automatically detect that nCipher is available. On Solaris only, RSA CA must be installed by a member of the nfast group or by the root user to allow operation with Thales hardware. If RSA CA is installed as root, the user specified to run the UI Server must belong to the nfast group.
1. Install the RSA Certificate Manager software per the instructions in the RSA Certificate Manager Installation Guide.
2. When prompted to Configure a Cryptographic Provider, select the Do not search radio button.
3. Proceed with the install and select the Finish button to complete the first phase.
4. After the Finish button is selected, a web browser will automatically launch for the remainder of the setup. Continue with the installation until the User Information screen is displayed.
5. To use nCipher-based SSL keys or nCipher-based System Authority Keys, select the nCipher radio buttons and click Next. If the nCipher options are selected, ensure that the nShield smart card that was used to create the OCS is inserted in the nShield device.
Note: It is not required to select these nCipher options to enable the use of the nCipher for CA and signer keys.
Important: When selecting the Hardware (nCipher) option for the Cryptographic Provider's SSL Keys, the RSA Certificate Manager will not run if the Thales nShield HSM components become unavailable. If this occurs, restart the RSA Certificate Manager services after the Thales HSM becomes available.
6. Proceed with the rest of the installation per the RSA Certificate Manager Installation Guide.

Configuring RSA Certificate Manager software
After successfully installing the RSA Certificate Manager software, you will need to configure the CA to use the Thales nShield HSM. Complete the following steps to configure a new CA with the Thales HSM:
1. From a web browser, connect to the RSA Certificate Manager Administration console.
2. Navigate to CA Operations, then select Create from the sidebar menu to create a new CA.
3. Enter the Nickname for the new CA as well as any of the other optional fields.
4. Select either the nCipher RSA or nCipher DSA signing algorithm and the appropriate key size.
5. Select Next.
6. Select the appropriate OCS Card Set to use for the CA generation. If you do not see your OCS card set listed, make sure you have the correct smart card inserted in the Thales HSM before proceeding.
7. Click Next.
8. Finish by selecting the Create CA button.

To select the Thales nCipher HSM for verification of signatures on certificate requests, perform the following steps:
1. Navigate to the System Configuration options.
2. Select the Verification Crypto Provider link from the left sidebar menu.
3. Select the nCipher cryptographic provider.
4. Finish by clicking the Save Configuration button.
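The Support software steps earlier in this guide (moving the nCipher data directories to c:\nfast, renaming them, and repointing the NFAST_* variables) are the part of the integration most easily left half-done, and a stale variable means the nfast services look for the Security World in the wrong place. The following PowerShell is an added example, not from the Thales or RSA documentation; it applies those steps and then verifies that each variable names a directory that actually exists. It assumes the default Windows profile path shown in step 6 and must be run from an elevated prompt.

```powershell
# Added example (not from the Thales/RSA guide): relocate the nCipher data
# directories to c:\nfast, point the NFAST_* variables at them, then verify.
# Assumes the default "All Users" profile path given in step 6 of the guide.
$src  = 'c:\Documents and Settings\All Users\Application Data\nCipher'
$root = 'c:\nfast'

# Folder renames from step 7, paired with the variable (step 8) that must reference each.
$layout = @(
    @{ Old = 'Key Management Data'; New = 'kmdata';   Var = 'NFAST_KMDATA' },
    @{ Old = 'Feature Certificates'; New = 'femcerts'; Var = 'NFAST_CERDIR' },
    @{ Old = 'Log Files';            New = 'log';      Var = 'NFAST_LOGDIR' }
)

# Step 6: move every directory under the nCipher profile folder into c:\nfast,
# skipping any that already exist at the destination (Move-Item will not merge).
if (Test-Path $src) {
    foreach ($dir in Get-ChildItem -Path $src) {
        if (-not (Test-Path (Join-Path $root $dir.Name))) {
            Move-Item -Path $dir.FullName -Destination $root
        }
    }
}

$ok = $true
foreach ($entry in $layout) {
    $oldPath = Join-Path $root $entry.Old
    $newPath = Join-Path $root $entry.New

    # Step 7: rename only when the long name is still present and the short one is not.
    if ((Test-Path $oldPath) -and -not (Test-Path $newPath)) {
        Rename-Item -Path $oldPath -NewName $entry.New
    }

    # Step 8: set the machine-level variable (what the nfast services read); needs admin rights.
    [Environment]::SetEnvironmentVariable($entry.Var, $newPath, 'Machine')

    # Verify: the stored value must equal the expected path and that path must be a directory.
    $value = [Environment]::GetEnvironmentVariable($entry.Var, 'Machine')
    if ($value -ne $newPath -or -not (Test-Path $value -PathType Container)) {
        Write-Warning ("{0} is '{1}' but expected directory {2} is missing" -f $entry.Var, $value, $newPath)
        $ok = $false
    } else {
        Write-Host ("{0} = {1}" -f $entry.Var, $value)
    }
}

if (-not $ok) { Write-Warning 'Fix the paths above before starting the nfast services.' }
```

Processes started before the change keep their old environment, so restart the nfast services (or reboot) after running this so they pick up the new paths.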
Certification Checklist for 3rd Party Applications
Date Tested: November 16, 2011

Certification Environment
Product                    Version Information   Operating System
RSA Certificate Manager    6.8 (Build 518)       Microsoft Windows 2003 Server R2
nShield Connect 6000       2.38.7                Appliance
nShield Edge               2.33.60               Microsoft Windows 2003 Server R2
nShield Solo               2.38.7                Microsoft Windows 2003 Server R2
Thales nCipher Software    11.50                 Microsoft Windows 2003 Server R2

Test Case                                                               Result
Certificate Authorities (CAs)
  Create Self-Signed CA                                                 /
  Create Sub CA                                                         /
  Create RSA/SHA1 CAs with different key sizes (1024, 2048, 4096)       /
  Create RSA/SHA256 CAs with different key sizes (1024, 2048, 4096)     /
  Create RSA/SHA384 CAs with different key sizes (1024, 2048, 4096)     /
  Create RSA/SHA512 CAs with different key sizes (1024, 2048, 4096)     /
  Create RSA/MD5 CAs with different key sizes (1024, 2048, 4096)        /
  Create DSA/SHA1 CAs with different key sizes (512, 1024, 2048)        /
PIN Prompt Modes
  Enter PIN at startup                                                  /
  Do not enter PIN at startup                                           /
  setpin directive in xudad.conf                                        /
Token Operations
  Verify CA Key Test                                                    /

Legend: J = Pass, O = Fail, N/A = Non-Available Function