Using Fortanix Data Security Manager with Microsoft IIS Integration Guide

1.0 Introduction

This article explains how to configure Microsoft Internet Information Services (IIS) to use Fortanix-Data-Security-Manager (DSM) to provide full key life-cycle management to reduce the cryptographic load on the host server CPU.

2.0 Prerequisites

Ensure the following:

• Fortanix KMS client version 4.8 or later (Download)

• Fortanix app API key

• Admin Access to the Microsoft IIS server

3.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

3.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

3.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

For more information on how to set up an account in Fortanix DSM, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.

3.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

1. In the DSM left navigation panel, click the Groups menu item, and then click the + button to create a new group.

   

2. On the Adding new group page, do the following:

   1. Title: Enter a name for your group.

   2. Description (optional): Enter a short description of the group.

3. Click SAVE to create the new group.

The new group is added to the Fortanix DSM successfully.

3.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

1. In the DSM left navigation panel, click the Apps menu item, and then click the + button to create a new app.

   

2. On the Adding new app page, do the following:

   1. App name: Enter the name for your application.

   2. ADD DESCRIPTION (optional): Enter a short description of the application.

   3. Authentication method: Select the default API Key as the authentication method from the drop down menu. For more information on these authentication methods, refer to the User's Guide: Authentication.

   4. Assigning the new app to groups: Select the group created in Section 3.3: Creating a Group from the list.

3. Click SAVE to add the new application.

The new application is added to the Fortanix DSM successfully.

3.5 Copying the App UUID

Perform the following steps to copy the app UUID from the Fortanix DSM:

1. In the DSM left navigation panel, click the Apps menu item, and then click the app created in Section 3.4: Creating an Application to go to the detailed view of the app.

2. From the top of the app’s page, click the copy icon next to the app UUID to copy it to use in Section 4.1: Configuring the KMS Client.

3.6 Copying the API Key

Perform the following steps to copy the API key from the Fortanix DSM:

1. In the DSM left navigation panel, click the Apps menu item, and then click the app created in Section 3.4: Creating an Application to go to the detailed view of the app.

2. On the INFO tab, click VIEW API KEY DETAILS.

3. From the API Key Details dialog box, copy the API Key of the app to use in Section 4.1: Configuring the KMS Client.

4.0 Integration Procedure

4.1 Configuring the KMS Client

For detailed information on how to configure the KMS client, refer to the Clients: Microsoft CNG Key Storage Provider.

4.2 Installing Microsoft IIS

Perform the following steps if the Microsoft IIS server is not already installed on your system:

1. Select Start → Windows Administrative Tools → Server Manager to open the Server Manager Dashboard.

2. In the Server Manager toolbar, select Quick Start → Configure this local server → Add roles and features.

3. In the Add Roles and Features wizard, proceed to the Installation Type tab, then continue through the wizard to install Web Server (IIS).

4. Select the Default (or required) components from within the wizard and complete the Microsoft IIS installation process.

4.3 Creating Certificate Request

You can generate a Microsoft IIS certificate request using an encryption key stored in Fortanix DSM.

1. Create a file named request.inf with the following information:

   NOTE

   Remove the <> brackets while editing.

   [Version]
   Signature= "$Windows NT$"
   [NewRequest]
   Subject = "C=<country_code>,CN=<common_name>,O=<company_name>,OU=<object>,L=<locality_name>,S=<state_name>"
   HashAlgorithm = SHA256
   KeyAlgorithm = RSA
   KeyLength = 2048
   ProviderName = "Fortanix KMS CNG Provider"
   KeyUsage = "CERT_NON_REPUDIATION_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_KEY_ENCIPHERMENT_KEY_USAGE"
   MachineKeySet = True
   KeyContainer = "IIS-testing-key"
   [EnhancedKeyUsageExtension]
   OID = 1.3.6.1.5.5.7.3.1

   Complete configuration example:

   [Version]
   Signature= "$Windows NT$"
   [NewRequest]
   Subject = "C=US,CN=www.IISDemo.com,O=Fortanix,OU=certobject,L=BS,S=CA"
   HashAlgorithm = SHA256
   KeyAlgorithm = RSA
   KeyLength = 2048
   ProviderName = "Fortanix KMS CNG Provider"
   KeyUsage = "CERT_NON_REPUDIATION_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_KEY_ENCIPHERMENT_KEY_USAGE"
   MachineKeySet = True
   KeyContainer = "IIS-testing-key"
   [EnhancedKeyUsageExtension]
   OID = 1.3.6.1.5.5.7.3.1

   NOTE

   For different KeyUsage options, refer to the Microsoft’s KB article.

2. Run the following command to request the certificate:

   certreq.exe -new request.inf IIStesting.csr

   

   This command creates a security object (key) in Fortanix DSM.

   

3. Sign the certificate using the Certificate Authority (CA) of your choice.

   For example:

   • Submit a new request in Active Directory Certificate Services (ADCS).

   • Issue the pending certificate.

4. Obtain the signed certificate. For example: Copy the ADCS signed certificate to a file.

5. Run the following command to accept the certificate:

   certreq -accept IIStesting.crt

   

   Alternatively, double-click the certificate file and select Install to add it to the local personal certificate store.

6. Bind the signed certificate to Microsoft IIS.

   

7. Test the configuration.