NShield Microsoft ADRMS Windows Server 2008 R2 Ig
www.thales-esecurity.com
Version:
1.0
Date:
11 June 2012
Thales nShield HSM: ADRMS Integration Guide for Windows Server 2008 and Windows Server 2008 R2
Copyright in this document is the property of Thales e-Security Limited. It is not to be reproduced, modified,
adapted, published, translated in any material form (including storage in any medium by electronic means
whether or not transiently or incidentally) in whole or in part nor disclosed to any third party without the prior
written permission of Thales e-Security Limited neither shall it be used otherwise than for the purpose for which
it is supplied.
CodeSafe, KeySafe, nCipher, nFast, nForce, nShield, payShield, and Ultrasign are registered trademarks of
Thales e-Security Limited.
CipherTools, CryptoStor, CryptoStor Tape, keyAuthority, KeyVault, nCore, netHSM, nFast Ultra, nForce Ultra,
nShield Connect, nToken, SafeBuilder, SEE, and Trust Appliance are trademarks of Thales e-Security Limited.
All other trademarks are the property of the respective trademark holders.
Information in this document is subject to change without notice.
Thales e-Security Limited makes no warranty of any kind with regard to this information, including, but not limited
to, the implied warranties of merchantability and fitness for a particular purpose. Thales e-Security Limited shall
not be liable for errors contained herein or for incidental or consequential damages concerned with the
furnishing, performance or use of this material.
These installation instructions are intended to provide step-by-step instructions for installing Thales software
with third-party software. These instructions do not cover all situations and are intended as a supplement to the
documentation provided with Thales products. Disclaimer: Thales e-Security Limited disclaims all liabilities
regarding third-party products and only provides warranties and liabilities with its own products as addressed
in the Terms and Conditions for Sale.
Contents
Chapter 1: Introduction
    Requirements
Chapter 2: Procedures
    Install the nShield support software and create the security world
    Uninstall AD RMS
Chapter 3: Troubleshooting
Addresses
Chapter 1: Introduction
This guide explains how to integrate Active Directory Rights Management Services (AD RMS)
with Thales nShield Hardware Security Module (HSM). We have thoroughly tested the
instructions in this document. They provide a straightforward integration process. There may be
other untested ways to achieve interoperability. This document may not describe every step of the
software setup process.
This document assumes that you have read your HSM documentation, and that you are familiar
with the documentation and setup process for Active Directory Rights Management Services
(AD RMS). The HSM secures the AD RMS Cluster Key generated and used by the AD RMS.
You can integrate the AD RMS with an HSM by using the nCipher MSCAPI interface. The
benefits of using an nShield HSM with the AD RMS are:
Failover support.
For more information about Active Directory Rights Management Services Overview, see the
online documentation at http://technet.microsoft.com/en-us/library/cc771627.aspx.
The integration between the HSM and the AD RMS has been successfully tested in the following
configurations:

Operating system                   AD RMS version   Security World Software version   nShield Solo support   nShield Connect support   nShield Edge support
Windows Server 2008 32 bit SP1     2.0              11.50                             Yes                    Yes                       Yes
Windows Server 2008 64 bit SP1     2.0              11.50                             Yes                    Yes                       Yes
Windows Server 2008 R2 64 bit SP1  2.0              11.50                             Yes                    Yes                       Yes
For more information about OS support, contact your Microsoft sales representative or Thales
Support. For more information about contacting Thales, see Addresses at the end of this guide.
Additional documentation produced to support your Thales nShield product is in the document
directory of the CD-ROM or DVD-ROM for that product.
Note Throughout this guide, the term HSM refers to nShield Solo modules, netHSM,
and nShield Connect products. (nShield Solo products were formerly known as
nShield.)
Supported nShield functionality in this integration:

Feature             Supported
Key Management      Yes
Key Recovery        Yes
Module-only Key     Yes
Load Balancing      Yes
Key Import          (no entry in the source table)
Fail Over           Yes
Key Generation      Yes
Requirements
Before you begin the integration process, ensure that you familiarize yourself with the
documentation and setup process for the AD RMS and have access to a copy of the User Guide.
You need to know the following information before you run the setup program:
The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and a
policy for managing these cards.
Whether the application keys are protected by the module or an Operator Card Set (OCS).
The number and quorum of Operator Cards in the OCS, and a policy for managing these
cards.
Whether the security world must comply with FIPS 140-2 Level 3.
Key attributes, such as the key size, persistence, and time out.
For more information on administering an nShield module, see the User Guide.
Note K/N functionality is not currently supported, which means you must create a 1/N
OCS.
Chapter 2: Procedures
This chapter covers the following procedures:
2 Install the Security World Software and configure the nShield HSM
3 Uninstall AD RMS

Install the latest version of the nShield support software as described in the User Guide.
Note We recommend that you always uninstall any existing nShield support software
before installing the new nShield support software.
Initialize a security world using the MSCAPI wizard, selecting either module protection or a
1/N OCS without a passphrase as the key protection method. (K/N is not supported, so a
1/N OCS is the only card-set option that lets the AD RMS service load the cluster key.)
Note Do not select the Always use the wizard when creating or importing keys option
when creating the security world.
For more information about setting up the infrastructure, see the online documentation at
http://technet.microsoft.com/en-us/library/cc772140.aspx.
Log on to NCIPHER-DC with the ncipher\Administrator account (or another user account in
the Domain Admins group).
From the Start menu, select Administrative Tools > Active Directory Users and Computers.
In the console tree, expand ncipher.com, right-click Users and select New > User.
Enter the first name and full name adrmsadmin and then click Next.
Enter the password for user, click Next and then click Finish.
From the Start menu, select Administrative Tools > Server Manager.
If the User Account Control dialog box appears, confirm that the action it displays is correct,
and click Continue.
The Add Roles Wizard is displayed. Read the Before You Begin section, and click Next.
On the Select Server Roles page, select the Active Directory Certificate Services check box, and
click Next.
Follow the online instructions to complete the installation.
Open DNS Manager from Programs > Administrative Tools > DNS.
In Fully qualified domain name (FQDN) for the target host field, browse to the RMS-SRV
machine.
Click OK.
From the Start menu, select Administrative Tools > Server Manager.
If the User Account Control dialog box appears, confirm that the action it displays is correct,
and click Continue.
The Add Roles Wizard is displayed. Read the Before You Begin section, and click Next.
On the Select Server Roles page, select the Active Directory Rights Management Services
check box. The Role Services page appears informing you of the AD RMS dependent role
services and features.
On the Feature page, ensure that Web Server (IIS), Windows Process Activation Service
(WPAS), and Message Queuing are listed, and then click Add Required Role Services. Click
Next.
On the Select Role Services page, ensure you have selected the Active Directory Rights
Management Server check box, and click Next.
10 Select the Create a new AD RMS cluster option, and then click Next.
11 Select the Use a different database server option.
12 Click Select, type RMS-DB in the Select Computer dialog box, and then click OK.
13 In Database Instance, click Default, and then click Validate.
14 Click Next.
15 Click Specify, type ncipher\ADRMSSRVC, type the password for the account, click OK, and
then click Next.
16 Ensure that the Use CSP key storage option is selected, and then click Next.
17 On the Specify AD RMS Cluster key page, select nCipher Enhanced Cryptographic service
provider from the menu, and then click Next.
18 Select the web site where AD RMS is to be installed, and then click Next. In an installation
that uses default settings, the only available web site should be Default Web Site.
22 Select the Choose a certificate for SSL encryption later option, and then click Next.
23 Type rmsncp in the Friendly Name field, and then click Next.
24 Ensure that the Register the AD RMS service connection point now option is selected, and then
click Next to register the AD RMS service connection point (SCP) in Active Directory during
installation.
25 Read the Introduction to Web Server (IIS) page, and then click Next.
26 Keep the Web server default check box selections, and then click Next.
27 Click Install to provision AD RMS on the computer. When the process is complete, click
Close.
28 Open the IIS Manager. From the Start menu, select Program Files > Administrative Tools >
Internet Information Service Manager.
29 Click the IIS Server.
30 Double-click the Server Certificates icon.
31 On the right-hand side of the IIS Manager window, click the Create Certificate Request link.
32 Fill out the certificate properties page. In the common name field, enter the same name that
you entered for server licensor certificate (rmsncp), and click Next.
33 On the Cryptographic Service Provider Properties page, select Microsoft RSA SChannel
Cryptographic Provider from the menu, and then click Next.
Note Because of a certificate licensing issue, you cannot use nCipher CSPs for
requesting certificates.
36 On the right-hand side of the IIS Manager window, click the Complete Certificate Request
link.
37 Browse to the signed certificate, enter the Friendly name (this must be the same as the
server licensor certificate name, rmsncp), and click OK.
38 On the left-hand side of the IIS Manager window, under Sites, click Default Web Site.
39 On the right-hand side of the IIS Manager window, click the Bindings link.
40 In Site Bindings, click Add.
41 Select https as the protocol, and select the certificate from the SSL certificate menu.
42 Click OK to complete the certificate binding for SSL connections.
43 Click Restart to restart the IIS server.
44 Log off from the server, and then log on again to update the security token of the logged-on
user account.
The user account that is logged on when the AD RMS server role is installed is automatically
made a member of the AD RMS Enterprise Administrators local group. A user must be a member
of that group to administer AD RMS.
The AD RMS root cluster is now installed and configured.
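The checks below are an added example written for this guide, not a script from Thales or Microsoft. They verify, from the AD RMS server, the properties the procedure above depends on: that an nCipher CSP is registered (so the cluster key really is HSM-held), that the cluster DNS name resolves, that the SSL certificate carries the SLC name and was not generated through an nCipher CSP (the licensing limitation noted in step 33), that port 443 is bound to that certificate, and that the licensing pipeline answers over TLS. Only standard Windows facilities are used (registry, certificate store, netsh, .NET), and the script runs on the PowerShell 2.0 that ships with Windows Server 2008 R2. The cluster URL and SLC name are the ones chosen in the guide; the exact CSP display name is an assumption, as is the /_wmcs/licensing/ path beyond what the guide prints.

```powershell
# Post-install verification for the AD RMS root cluster set up in this chapter.
# Added example, not part of the Thales guide. Run elevated on RMS-SRV as a
# member of the AD RMS Enterprise Administrators group.

$ClusterFqdn = 'rmsncp.ncipher.com'                         # from the guide
$SlcName     = 'rmsncp'                                     # from the guide
$ExpectedCsp = 'nCipher Enhanced Cryptographic Provider'    # assumed display name

# 1. The cluster key is HSM-held only if the nCipher CSP is registered here.
#    Windows enumerates every installed CSP under this registry key.
function Test-NCipherCsp {
    $base  = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider'
    $names = Get-ChildItem $base | ForEach-Object { $_.PSChildName }
    $ncipher = $names | Where-Object { $_ -like 'nCipher*' }
    if (-not $ncipher) {
        Write-Warning 'No nCipher CSP is registered; re-run the Security World Software CSP install.'
        return $false
    }
    $ncipher | ForEach-Object { Write-Host "CSP registered: $_" }
    return [bool]($names -contains $ExpectedCsp)
}

# 2. Clients locate the cluster through the DNS name created on NCIPHER-DC.
function Test-ClusterDns {
    try {
        $entry = [System.Net.Dns]::GetHostEntry($ClusterFqdn)
        Write-Host "$ClusterFqdn resolves to $($entry.AddressList -join ', ')"
        return $true
    } catch {
        Write-Warning "$ClusterFqdn does not resolve: $($_.Exception.Message)"
        return $false
    }
}

function Get-SlcCertificate {
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match "CN=$SlcName(,|$)" } |
        Select-Object -First 1
}

# 3. The SSL certificate must carry the SLC name as CN and, per the note in
#    step 33, its key must live in the Microsoft RSA SChannel CSP, not nCipher.
function Test-SslCertificate {
    $cert = Get-SlcCertificate
    if (-not $cert) { Write-Warning "No certificate with CN=$SlcName in LocalMachine\My."; return $false }
    Write-Host "SSL certificate: $($cert.Subject) thumbprint $($cert.Thumbprint) expires $($cert.NotAfter)"
    $provider = $null
    try { $provider = $cert.PrivateKey.CspKeyContainerInfo.ProviderName } catch { }
    if (-not $provider) { Write-Warning 'Cannot read the private key provider (run elevated).'; return $false }
    Write-Host "Private key provider: $provider"
    if ($provider -like 'nCipher*') {
        Write-Warning 'SSL key is in an nCipher CSP; the guide requires Microsoft RSA SChannel here.'
        return $false
    }
    return $true
}

# 4. netsh reports which certificate hash is bound to each HTTPS listener.
function Test-SslBinding {
    $out  = (netsh http show sslcert) -join "`n"
    if ($out -notmatch ':443') { Write-Warning 'No HTTPS binding on port 443.'; return $false }
    $cert = Get-SlcCertificate
    if ($cert -and $out -notmatch $cert.Thumbprint) {
        Write-Warning 'Port 443 is bound to a different certificate than the SLC-named one.'
        return $false
    }
    return $true
}

# 5. Do what an Office client does: open TLS to the licensing pipeline.
#    Any HTTP status proves the handshake and the published pipeline; a
#    TrustFailure means this host does not trust the issuing CA.
function Test-LicensingPipeline {
    $url = "https://${ClusterFqdn}:443/_wmcs/licensing/"   # path beyond the guide is assumed
    $req = [System.Net.HttpWebRequest]::Create($url)
    $req.UseDefaultCredentials = $true
    $req.Timeout = 10000
    try {
        $resp = $req.GetResponse(); $status = [int]$resp.StatusCode; $resp.Close()
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
        else { Write-Warning "No HTTP response from $url ($($_.Exception.Status)): $($_.Exception.Message)"; return $false }
    }
    Write-Host "$url answered HTTP $status"
    return $true
}

$results = @{
    'nCipher CSP registered'   = Test-NCipherCsp
    'Cluster DNS name'         = Test-ClusterDns
    'SSL certificate'          = Test-SslCertificate
    'HTTPS binding'            = Test-SslBinding
    'Licensing pipeline (TLS)' = Test-LicensingPipeline
}
$results.GetEnumerator() | Sort-Object Name | ForEach-Object {
    '{0,-26} {1}' -f $_.Name, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
if ($results.Values -contains $false) { exit 1 }
```

Run it after the log off/log on in step 44 and again after any certificate renewal: a FAIL on the SSL certificate or binding check is the usual cause of the "Microsoft Office must connect to ..." dialog in the Word test later in this chapter hanging or failing with a trust error.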
From the Start menu, select Program Files > Administrative Tools > Active Directory Rights
Management Services.
If the User Account Control dialog box appears, confirm that the action it displays is correct,
and click Continue.
From the Start menu, select All Programs > Internet Explorer.
Click the Security tab, click Local intranet, and then click Sites.
Click Advanced.
In the Add this website to the zone field, enter https://rmsncp.ncipher.com, and then click Add.
Click Close.
Click OK.
Expand Certificates > Current-User, then expand Third-Party Root Certification Authorities.
Right-click Certificates > All Tasks > Import. The Certificate Import Wizard opens.
10 Click Next.
11 Keep the default selection, and click Next.
12 Click Finish.
13 Repeat the preceding steps for user_mar (ncipher\user_mar) and user_eng
(ncipher\user_eng).
From the Start menu, select All Programs > Microsoft Office > Microsoft Office Word 2007.
user_mar can read this document, but cannot change, print, or copy it.
Click the Microsoft Office Button, then select Prepare > Restrict Permission > Restricted
Access.
In the Read box, type user_mar@ncipher.com, and then click OK to close the Permission
dialog box.
Click the Microsoft Office Button, click Save As, and then save the file as \\RMS-DB\Public\RMS-TST.docx.
From the Start menu, select All Programs > Microsoft Office > Microsoft Office Word 2007.
In the File name box, type \\RMS-DB\Public\RMS-TST.docx, and then click Open. The
following message appears: Permission to this document is currently restricted. Microsoft
Office must connect to https://rmsncp.ncipher.com:443/_wmcs/licensing to verify your
credentials and download your permission.
Click OK. The following message appears: Verifying your credentials for opening content with
restricted permissions.
When the document opens, click the Microsoft Office Button. Notice that the Print option is
not available.
You have successfully installed and demonstrated the functionality of AD RMS, using the simple
scenario of applying restricted permissions to a Microsoft Word 2007 document.
Uninstall AD RMS
Click Roles > Remove Roles. The Remove Roles Wizard opens.
Click Next.
Open a command prompt, navigate to the C:\Program Files\RMS SP2 Administration
Toolkit\ADScpRegister folder, and run:
ADScpRegister.exe unregisterscp
Chapter 3: Troubleshooting
Problem                                   Resolution
Addresses
Americas
2200 North Commerce Parkway, Suite 200, Weston, Florida 33326, USA
Tel: +1 888 744 4976 or + 1 954 888 6200
sales@thalesesec.com
Asia Pacific
Units 4101, 41/F. 248 Queens Road East, Wanchai, Hong Kong, PRC
Tel: + 852 2815 8633
asia.sales@thales-esecurity.com
Internet addresses
Web site: www.thales-esecurity.com
Support: www.thales-esecurity.com/en/Support.aspx
Online documentation: www.thales-esecurity.com/Resources.aspx
International sales offices: www.thales-esecurity.com/en/Company/Contact%20Us.aspx