Using Fortanix Data Security Manager with Microsoft IIS Integration Guide

1.0 Introduction

This article explains how to configure Microsoft Internet Information Services (IIS) to use Fortanix-Data-Security-Manager (DSM) to provide full key life-cycle management to reduce the cryptographic load on the host server CPU.

1.1 Intended Audience

This guide is intended to be used by technical stakeholders of Fortanix DSM who will be responsible for planning, performing, or maintaining the DSM cluster.

2.0 Prerequisites

Ensure the following:

• Fortanix KMS client version 4.8 or later (Download)

• Fortanix app API key

• Admin Access to Microsoft IIS server

3.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

3.1 Signing Up

To get started with the Fortanix Data Security Manager (DSM) cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

3.2 Creating an Account

Access the <Your_DSM_Service_URL> on the web browser and enter your credentials to log in to the Fortanix DSM.

3.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

1. Click the Groups menu item in the DSM left navigation panel and click the + button on the Groups page to add a new group.

   

2. On the Adding new group page, enter the following details:

   • Title: Enter a title for your group.

   • Description (optional): Enter a short description for the group.

3. Click the SAVE button to create the new group.

The new group has been added to the Fortanix DSM successfully.

3.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

1. Click the Apps menu item in the DSM left navigation panel and click the + button on the Apps page to add a new app.

   

2. On the Adding new app page, enter the following details:

   • App name: Enter the name of your application.

   • Interface (optional): Select the CNG option as interface type from the drop down menu.

   • ADD DESCRIPTION (optional): Enter a short description for the application.

   • Authentication method: Select the default API Key as the method of authentication from the drop down menu. For more information on these authentication methods, refer to User's Guide: Authentication documentation.

   • Assigning the new app to groups: Select the group created in Section 3.3: Creating a Group from the list.

3. Click the SAVE button to add the new application. 

The new application has been added to the Fortanix DSM successfully.

Note the app API Key or app UUID depending on the authentication method you will be using when configuring the CNG client in Section 4.1: Configuring the KMS Client.

4.0 Integration Procedure

4.1 Configuring the KMS Client

For detailed information on how to configure the KMS client, refer to Clients: Microsoft CNG Key Storage Provider.

4.2 Installing Microsoft IIS

Perform the following steps if the Microsoft IIS server is not already installed on your system:

1. Select Start → Windows Administrative Tools → Server Manager to open the Server Manager Dashboard.

2. In the Server Manager toolbar, select Quick Start → Configure this local server → Add roles and features.

3. In the Add Roles and Features wizard, proceed to the Installation Type tab, then continue through the wizard to install Web Server (IIS).

4. Select the Default (or required) components from within the wizard and complete the Microsoft IIS installation process.

4.3 Creating Certificate Request

You can generate a Microsoft IIS certificate request using an encryption key stored in Fortanix DSM.

1. Create a file named request.inf with the following information:

   NOTE

   Remove the <> brackets while editing.

   [Version]
   Signature= "$Windows NT$"
   [NewRequest]
   Subject = "C=<country_code>,CN=<common_name>,O=<company_name>,OU=<object>,L=<locality_name>,S=<state_name>"
   HashAlgorithm = SHA256
   KeyAlgorithm = RSA
   KeyLength = 2048
   ProviderName = "Fortanix KMS CNG Provider"
   KeyUsage = "CERT_NON_REPUDIATION_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_KEY_ENCIPHERMENT_KEY_USAGE"
   MachineKeySet = True
   KeyContainer = "IIS-testing-key"
   [EnhancedKeyUsageExtension]
   OID = 1.3.6.1.5.5.7.3.1  

   Complete configuration example:

   [Version]
   Signature= "$Windows NT$"
   [NewRequest]
   Subject = "C=US,CN=www.IISDemo.com,O=Fortanix,OU=certobject,L=BS,S=CA"
   HashAlgorithm = SHA256
   KeyAlgorithm = RSA
   KeyLength = 2048
   ProviderName = "Fortanix KMS CNG Provider"
   KeyUsage = "CERT_NON_REPUDIATION_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_KEY_ENCIPHERMENT_KEY_USAGE"
   MachineKeySet = True
   KeyContainer = "IIS-testing-key"
   [EnhancedKeyUsageExtension]
   OID = 1.3.6.1.5.5.7.3.1

   NOTE

   For different KeyUsage options, refer to Microsoft’s KB article.

2. Run the following command to request the certificate:

   certreq.exe -new request.inf IIStesting.csr

   

   This command creates a security object (key) in Fortanix DSM.

   

3. Sign the certificate using the Certificate Authority of your choice.

   For example:

   • Submit a new request in Active Directory Certificate Services (ADCS).

   • Issue the pending certificate.

4. Obtain the signed certificate. For example: Copy ADCS signed certificate to a file.

5. Run the following command to accept the certificate:

   certreq -accept IIStesting.crt

   Alternatively, double-click the certificate file and select Install to add it to the local personal certificate store.

6. Bind the signed certificate to Microsoft IIS.

   

7. Test the configuration.