1.0 Introduction
This article explains how to configure Microsoft Internet Information Services (IIS) to use Fortanix-Data-Security-Manager (DSM) to provide full key life-cycle management to reduce the cryptographic load on the host server CPU.
1.1 Intended Audience
This guide is intended to be used by technical stakeholders of Fortanix DSM who will be responsible for planning, performing, or maintaining the DSM cluster.
2.0 Prerequisites
Ensure the following:
Fortanix KMS client version 4.8 or later (Download)
Fortanix app API key
Admin Access to Microsoft IIS server
3.0 Configure Fortanix DSM
A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:
3.1 Signing Up
To get started with the Fortanix Data Security Manager (DSM) cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.
For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.
3.2 Creating an Account
Access the <Your_DSM_Service_URL> on the web browser and enter your credentials to log in to the Fortanix DSM.
Figure 1: Logging In
3.3 Creating a Group
Perform the following steps to create a group in the Fortanix DSM:
Click the Groups menu item in the DSM left navigation panel and click the + button on the Groups page to add a new group.
Figure 2: Add Groups
On the Adding new group page, enter the following details:
Title: Enter a title for your group.
Description (optional): Enter a short description for the group.
Click the SAVE button to create the new group.
The new group has been added to the Fortanix DSM successfully.
3.4 Creating an Application
Perform the following steps to create an application (app) in the Fortanix DSM:
Click the Apps menu item in the DSM left navigation panel and click the + button on the Apps page to add a new app.
Figure 3: Add Application
On the Adding new app page, enter the following details:
App name: Enter the name of your application.
Interface (optional): Select the CNG option as interface type from the drop down menu.
ADD DESCRIPTION (optional): Enter a short description for the application.
Authentication method: Select the default API Key as the method of authentication from the drop down menu. For more information on these authentication methods, refer to User's Guide: Authentication documentation.
Assigning the new app to groups: Select the group created in Section 3.3: Creating a Group from the list.
Click the SAVE button to add the new application.
The new application has been added to the Fortanix DSM successfully.
Note the app API Key or app UUID depending on the authentication method you will be using when configuring the CNG client in Section 4.1: Configuring the KMS Client.
4.0 Integration Procedure
4.1 Configuring the KMS Client
For detailed information on how to configure the KMS client, refer to Clients: Microsoft CNG Key Storage Provider.
4.2 Installing Microsoft IIS
Perform the following steps if the Microsoft IIS server is not already installed on your system:
Select Start → Windows Administrative Tools → Server Manager to open the Server Manager Dashboard.
In the Server Manager toolbar, select Quick Start → Configure this local server → Add roles and features.
In the Add Roles and Features wizard, proceed to the Installation Type tab, then continue through the wizard to install Web Server (IIS).
Select the Default (or required) components from within the wizard and complete the Microsoft IIS installation process.
4.3 Creating Certificate Request
You can generate a Microsoft IIS certificate request using an encryption key stored in Fortanix DSM.
Create a file named
request.infwith the following information:NOTE
Remove the <> brackets while editing.
[Version] Signature= "$Windows NT$" [NewRequest] Subject = "C=<country_code>,CN=<common_name>,O=<company_name>,OU=<object>,L=<locality_name>,S=<state_name>" HashAlgorithm = SHA256 KeyAlgorithm = RSA KeyLength = 2048 ProviderName = "Fortanix KMS CNG Provider" KeyUsage = "CERT_NON_REPUDIATION_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_KEY_ENCIPHERMENT_KEY_USAGE" MachineKeySet = True KeyContainer = "IIS-testing-key" [EnhancedKeyUsageExtension] OID = 1.3.6.1.5.5.7.3.1Complete configuration example:
[Version] Signature= "$Windows NT$" [NewRequest] Subject = "C=US,CN=www.IISDemo.com,O=Fortanix,OU=certobject,L=BS,S=CA" HashAlgorithm = SHA256 KeyAlgorithm = RSA KeyLength = 2048 ProviderName = "Fortanix KMS CNG Provider" KeyUsage = "CERT_NON_REPUDIATION_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_KEY_ENCIPHERMENT_KEY_USAGE" MachineKeySet = True KeyContainer = "IIS-testing-key" [EnhancedKeyUsageExtension] OID = 1.3.6.1.5.5.7.3.1NOTE
For different
KeyUsageoptions, refer to Microsoft’s KB article.Run the following command to request the certificate:
certreq.exe -new request.inf IIStesting.csr
This command creates a security object (key) in Fortanix DSM.
Figure 4: Key Created on Fortanix DSM
Sign the certificate using the Certificate Authority of your choice.
For example:
Submit a new request in Active Directory Certificate Services (ADCS).
Issue the pending certificate.
Obtain the signed certificate. For example: Copy ADCS signed certificate to a file.
Run the following command to accept the certificate:
certreq -accept IIStesting.crt
Alternatively, double-click the certificate file and select Install to add it to the local personal certificate store.Bind the signed certificate to Microsoft IIS.
Figure 5: Bind the Certificate
Test the configuration.
Figure 6: Test Configuration