Thales nShield HSM

ADRMS Integration Guide for Windows Server

2008 and Windows Server 2008 R2

www.thales-esecurity.com

Version:

1.0

Date:

11 June 2012

Copyright 2012 Thales e-Security Limited. All rights reserved.

Version:

1.0

Date:

11 June 2012

2012

Thales nShield HSM: ADRMS Integration Guide for Windows Server 2008 and Windows Server 2008 R2

Template: nShiMay12

Copyright in this document is the property of Thales e-Security Limited. It is not to be reproduced, modified,
adapted, published, translated in any material form (including storage in any medium by electronic means
whether or not transiently or incidentally) in whole or in part nor disclosed to any third party without the prior
written permission of Thales e-Security Limited neither shall it be used otherwise than for the purpose for which
it is supplied.
CodeSafe, KeySafe, nCipher, nFast, nForce, nShield, payShield, and Ultrasign are registered trademarks of
Thales e-Security Limited.
CipherTools, CryptoStor, CryptoStor Tape, keyAuthority, KeyVault, nCore, netHSM, nFast Ultra, nForce Ultra,
nShield Connect, nToken, SafeBuilder, SEE, and Trust Appliance are trademarks of Thales e-Security Limited.
All other trademarks are the property of the respective trademark holders.
Information in this document is subject to change without notice.
Thales e-Security Limited makes no warranty of any kind with regard to this information, including, but not limited
to, the implied warranties of merchantability and fitness for a particular purpose. Thales e-Security Limited shall
not be liable for errors contained herein or for incidental or consequential damages concerned with the
furnishing, performance or use of this material.
These installation instructions are intended to provide step-by-step instructions for installing Thales software
with third-party software. These instructions do not cover all situations and are intended as a supplement to the
documentation provided with Thales products. Disclaimer: Thales e-Security Limited disclaims all liabilities
regarding third-party products and only provides warranties and liabilities with its own products as addressed
in the Terms and Conditions for Sale.

Contents

Chapter 1:

Chapter 2:

Introduction

Supported Thales nShield functionality

Requirements

Procedures

Install the HSM

Install the nShield support software and create the security world

Set up the infrastructure

Install and configure AD RMS

Add ADRMSADMIN to the Enterprise Admins group

Install Active Directory Certificate Services (Standalone root CA)

Create a new alias (CNAME)

Chapter 3:

Install and configure AD RMS as a root cluster

10

Open the Active Directory Rights Management Services console

12

Verify AD RMS functionality

12

Uninstall AD RMS

15

Unregister AD RMS Service Connection Point (SCP)

15

Troubleshooting

Addresses

Thales nShield HSM: ADRMS Integration Guide for Windows Server 2008 and Windows Server 2008 R2

16
17

Chapter 1: Introduction

This guide explains how to integrate Active Directory Rights Management Services (AD RMS)
with Thales nShield Hardware Security Module (HSM). We have thoroughly tested the
instructions in this document. They provide a straightforward integration process. There may be
other untested ways to achieve interoperability. This document may not describe every step of the
software setup process.
This document assumes that you have read your HSM documentation, and that you are familiar
with the documentation and setup process for Active Directory Rights Management Services
(AD RMS). The HSM secures the AD RMS Cluster Key generated and used by the AD RMS.
You can integrate the AD RMS with an HSM by using the nCipher MSCAPI interface. The
benefits of using an nShield HSM with the AD RMS are:

Secure storage of the AD RMS Cluster Key.

FIPS 140-2 level 3 validated hardware.

Full life cycle management of the keys.

Failover support.

Load-balancing between modules.

For more information about Active Directory Rights Management Services Overview, see the
online documentation at http://technet.microsoft.com/en-us/library/cc771627.aspx.
The integration between the HSM and the AD RMS has been successfully tested in the following
configurations:
Operating
system

AD RMS
version

Security
World
Software
version

nShield Solo
support

nShield
Connect
support

nShield Edge
support

Windows
Server 2008
32 bit SP1

2.0

11.50

Yes

Yes

Yes

Thales nShield HSM: ADRMS Integration Guide for Windows Server 2008 and Windows Server 2008 R2

Supported Thales nShield functionality

Operating
system

AD RMS
version

Security
World
Software
version

nShield Solo
support

nShield
Connect
support

nShield Edge
support

Windows
Server 2008
64 bit SP1

2.0

11.50

Yes

Yes

Yes

Windows
Server 2008
R2 64 bit SP1

2.0

11.50

Yes

Yes

Yes

For more information about OS support, contact your Microsoft sales representative or Thales
Support. For more information about contacting Thales, see Addresses at the end of this guide.
Additional documentation produced to support your Thales nShield product is in the document
directory of the CD-ROM or DVD-ROM for that product.
Note Throughout this guide, the term HSM refers to nShield Solo modules, netHSM,
and nShield Connect products. (nShield Solo products were formerly known as
nShield.)

Supported Thales nShield functionality

You can access the following Thales nShield functionality when you integrate an HSM with the
AD RMS.
Soft Cards

Key Management

Yes

FIPS 140-2 level 3

Yes

Key Recovery

Yes

Module-only Key

Yes

K-of-N Card Set

Load Balancing

Yes

Key Import

Fail Over

Yes

Key Generation

Yes

Requirements
Before you begin the integration process, ensure that you familiarize yourself with the
documentation and setup process for the AD RMS and have access to a copy of the User Guide.
You need to know the following information before you run the setup program:

The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and a
policy for managing these cards.

Whether the application keys are protected by the module or an Operator Card Set (OCS).

The number and quorum of Operator Cards in the OCS, and a policy for managing these
cards.

Whether the security world must comply with FIPS 140-2 Level 3.

Thales nShield HSM: ADRMS Integration Guide for Windows Server 2008 and Windows Server 2008 R2

Requirements

Key attributes, such as the key size, persistence, and time out.

For more information on administering an nShield module, see the User Guide.
Note K/N functionality is not currently supported, which means you must create a 1/N
OCS.

Thales nShield HSM: ADRMS Integration Guide for Windows Server 2008 and Windows Server 2008 R2

Chapter 2: Procedures

The installation and configuration is performed in several steps:

1

Install the HSM.

2 Install the Security World Software and configure the nShield HSM
3

Set up the infrastructure.

Install and configuring AD RMS.

Verify AD RMS functionality.

Uninstall AD RMS.

Install the HSM

Install the HSM using the instructions in the Quick Start Guide for the HSM. We recommend that
you install the HSM before configuring nShield support software.

Install the nShield support software and create the security

world
To install the nShield support Software and create the security world:
1

Install the latest version of the nShield support software as described in the User Guide.
Note We recommend that you always uninstall any existing nShield support software
before installing the new nShield support software.

Initialize a security world using MSCAPI wizard with module protection or 1/N OCS without
passphrase as key protection method.
Note Do not select the option Always use the wizard when creating or importing keys
option while creating security world .

Thales nShield HSM: ADRMS Integration Guide for Windows Server 2008 and Windows Server 2008 R2

Set up the infrastructure

Set up the infrastructure

To prepare your AD RMS test environment in the NCIPHER domain, you must complete the
following tasks:
1

Configure the domain controller on NCIPHER-DC.

Configure the AD RMS database computer on RMS-DB.

Configure the AD RMS root cluster computer on RMS-SRV.

Configure the AD RMS client computer on RMS-CLNT.

For more information about setting up the infrastructure, see the online documentation at
http://technet.microsoft.com/en-us/library/cc772140.aspx.

Install and configure AD RMS

Service Manager handles the installation and configuration of AD RMS. The first server in an
AD RMS environment is the root cluster. An AD RMS root cluster is composed of one or more
AD RMS servers configured in a load-balancing environment. These step-by-step instructions
explain how to install and configure a single-server AD RMS root cluster. Registering the AD
RMS service connection point (SCP) requires that the installing user account is a member of the
Active Directory Enterprise Admins group.

Add ADRMSADMIN to the Enterprise Admins group

To add ADRMSADMIN to the Enterprise Admins group:
1

Log on to NCIPHER-DC with the ncipher\Administrator account (or another user account in
the Domain Admins group).

From the Start menu, select Administrative Tools > Active Directory Users and Computers.

In the console tree, expand ncipher.com, right-click Users and select New > User.

Enter the first name and full name adrmsadmin and then click Next.

Enter the password for user, click Next and then click Finish.

Right-click adrmsadmin and go to Properties.

Enter the email address adrmsadmin@ncipher.com and click OK.

Double-click Enterprise Admins.

Thales nShield HSM: ADRMS Integration Guide for Windows Server 2008 and Windows Server 2008 R2

Install and configure AD RMS

Click the Members tab, and then click Add.

10 Type adrmsadmin@ncipher.com, and then click OK.

Install Active Directory Certificate Services (Standalone root CA)

To install Active Directory Certificate Services:
1

Log on to RMS-SRV as ncipher\ADRMSADMIN.

From the Start menu, select Administrative Tools > Server Manager.

If the User Account Control dialog box appears, confirm that the action it displays is correct,
and click Continue.

In the Roles Summary box, click Add Roles.

The Add Roles Wizard is displayed. Read the Before You Begin section, and click Next.

On the Select Server Roles page, select the Active Directory Certificate Services check box, and
click Next.
Follow the online instructions to complete the installation.

Create a new alias (CNAME)

To create a new alias:
1

Log on to NCIPHER-DC as ncipher\Administrator.

Open DNS Manager from Programs > Administrative Tools > DNS.

Expand Forward Lookup Zones, and right-click ncipher.com.

Select New Alias, and enter the alias name as rmsncp.

In Fully qualified domain name (FQDN) for the target host field, browse to the RMS-SRV
machine.

Click OK.

Thales nShield HSM: ADRMS Integration Guide for Windows Server 2008 and Windows Server 2008 R2

Install and configure AD RMS

Install and configure AD RMS as a root cluster

To add the AD RMS Server Role:
1

Log on to RMS-SRV as ncipher\ADRMSADMIN.

From the Start menu, select Administrative Tools > Server Manager.

If the User Account Control dialog box appears, confirm that the action it displays is correct,
and click Continue.

In the Roles Summary box, click Add Roles.

The Add Roles Wizard is displayed. Read the Before You Begin section, and click Next.

On the Select Server Roles page, select the Active Directory Rights Management Services
check box. The Role Services page appears informing you of the AD RMS dependent role
services and features.

On the Feature page, ensure that Web Server (IIS), Windows Process Activation Service
(WPAS), and Message Queuing are listed, and then click Add Required Role Services. Click
Next.

Read the AD RMS introduction page, and then click Next.

On the Select Role Services page, ensure you have selected the Active Directory Rights
Management Server check box, and click Next.

10 Select the Create a new AD RMS cluster option, and then click Next.
11 Select the Use a different database server option.
12 Click Select, type RMS-DB in the Select Computer dialog box, and then click OK.
13 In Database Instance, click Default, and then click Validate.
14 Click Next.
15 Click Specify, type ncipher\ADRMSSRVC, type the password for the account, click OK, and
then click Next.
16 Ensure that the Use CSP key storage option is selected, and then click Next.
17 On the Specify AD RMS Cluster key page, select nCipher Enhanced Cryptographic service
provider from the menu, and then click Next.
18 Select the web site where AD RMS is to be installed, and then click Next. In an installation
that uses default settings, the only available web site should be Default Web Site.

Thales nShield HSM: ADRMS Integration Guide for Windows Server 2008 and Windows Server 2008 R2

10

Install and configure AD RMS

19 Select the Use an SSL-encrypted connection (https://) option.

20 In the Fully-Qualified Domain Name box, type rmsncp.ncipher.com, and then click Validate.
If validation succeeds, the Next button becomes available.
21 Click Next.
Note Ensure Fully Qualified Domain Name and CNAME are the same.

22 Select the Choose a certificate for SSL encryption later option, and then click Next.
23 Type rmsncp in the Friendly Name field, and then click Next.
24 Ensure that the Register the AD RMS service connection point now option is selected, and then
click Next to register the AD RMS service connection point (SCP) in Active Directory during
installation.
25 Read the Introduction to Web Server (IIS) page, and then click Next.
26 Keep the Web server default check box selections, and then click Next.
27 Click Install to provision AD RMS on the computer. When the process is complete, click
Close.
28 Open the IIS Manager. From the Start menu, select Program Files > Administrative Tools >
Internet Information Service Manager.
29 Click the IIS Server.
30 Double-click the Server Certificates icon.
31 On the right-hand side of the IIS Manager window, click the Create Certificate Request link.
32 Fill out the certificate properties page. In the common name field, enter the same name that
you entered for server licensor certificate (rmsncp), and click Next.
33 On the Cryptographic Service Provider Properties page, select Microsoft RSA SChannel
Cryptographic Provider from the menu, and then click Next.
Note Because of a certificate licensing issue, you cannot use nCipher CSPs for
requesting certificates.

34 Enter the certificate request file name, and click Finish.

35 Send the certificate request to Microsoft CA (http://RMS-SRV.ncipher.com/certsrv), and get
the certificate.

Thales nShield HSM: ADRMS Integration Guide for Windows Server 2008 and Windows Server 2008 R2

11

Install and configure AD RMS

36 On the right-hand side of the IIS Manager window, click the Complete Certificate Request
link.
37 Show the path of the signed certificate, enter the Friendly name (ensure this is the same as the
server licensor certificatename), and click OK.
38 On the left-hand side of the IIS Manager window under Sites, click Default website.
39 On the right-hand side of the IIS Manager window, click the Bindings link.
40 In Site Bindings, click Add.
41 Select the protocol as HTTPS, and select the certificates from the menu.
42 Click OK to complete the certificate binding for SSL connection.
43 Click Restart to restart the IIS server.
44 Log off from the server, and then log on again to update the security token of the logged-on
user account.
The user account that is logged on when the AD RMS server role is installed is automatically
made a member of the AD RMS Enterprise Administrators local group. A user must be a member
of that group to administer AD RMS.
The AD RMS root cluster is now installed and configured.

Open the Active Directory Rights Management Services console

1

From the Start menu, select Program Files > Administrative Tools > Active Directory Rights
Management Services.

If the User Account Control dialog box appears, confirm that the action it displays is correct,
and click Continue.

Verify AD RMS functionality

The AD RMS client is included in the default installation of Windows Vista and Windows Server
2008. Before you can consume rights-protected content, you must add the AD RMS cluster URL
to the Local Intranet security zone. Add the AD RMS cluster URL to the Local Intranet security
zone for all users who are to consume rights-protected content.

Add AD RMS cluster to the Local Intranet security zone

1

Log on to RMS-CLNT as user_fin (ncipher\user_fin).

Thales nShield HSM: ADRMS Integration Guide for Windows Server 2008 and Windows Server 2008 R2

12

Install and configure AD RMS

From the Start menu, select All Programs > Internet Explorer.

Select Tools > Internet Options.

Click the Security tab, click Local intranet, and then click Sites.

Click Advanced.

In the Add this website to the zone field, enter https://rmsncp.ncipher.com, and then click Add.

Click Close.

Repeat the preceding steps for user_mar (ncipher\user_mar) and user_eng

(ncipher\user_eng).

Add Microsoft Root certificate to the trusted store

1

Download Microsoft CA root certificate.

Open Microsoft Management Console.

Select File > Add/Remove Snap-in > Add.

Select Certificates > Add > My User Account > Finish.

Select Add Standalone Snap-in.

Click OK.

Expand Certificates > Current-User, then expand Third-Party Root Certification Authorities.

Right-click Certificates > All Tasks > Import. The Certificate Import Wizard opens.

Click Next to display the path of the Microsoft CA root certificate.

10 Click Next.
11 Keep the default selection, and click Next.
12 Click Finish.
13 Repeat the preceding steps for user_mar (ncipher\user_mar) and user_eng
(ncipher\user_eng).

Thales nShield HSM: ADRMS Integration Guide for Windows Server 2008 and Windows Server 2008 R2

13

Install and configure AD RMS

Restrict permissions on a Microsoft Word document

To verify the functionality of the AD RMS deployment, you log on as user_fin, and then restrict
permissions on a Microsoft Word 2007 document so that user_mar can read the document but
cannot change, print, or copy it. You then log on as user_mar, and verify that the proper
permission to read the document has been granted, but no permissions to change, print, or copy
it have been granted.
1

Log on to RMS-CLNT as user_fin (ncipher\user_fin).

From the Start menu, select All Programs > Microsoft Office > Microsoft Office Word 2007.

On the blank document page, type

user_mar can read this document, but cannot change, print, or copy it.

Click the Microsoft Office Button, then select Prepare > Restrict Permission > Restricted
Access.

Select the Restrict permission to this document checkbox.

In the Read box, type user_mar@ncipher.com, and then click OK to close the Permission
dialog box.

Click the Microsoft Office Button, click Save As, and then save the file as \\RMSDB\Public\RMS-TST.docx.

Log off as user_fin.

View a rights-protected document

1

Log on to RMS-CLNT as user_mar (ncipher\user_mar).

From the Start menu, select All Programs > Microsoft Office > Microsoft Office Word 2007.

Click the Microsoft Office Button, and then click Open.

In the File name box, type \\RMS-DB\Public\RMS-TST.docx, and then click Open. The
following message appears: Permission to this document is currently restricted. Microsoft
Office must connect to https://rmsncp.ncipher.com:443/_wmcs/licensing to verify your
credentials and download your permission.

Click OK. The following message appears: Verifying your credentials for opening content with
restricted permissions.

Thales nShield HSM: ADRMS Integration Guide for Windows Server 2008 and Windows Server 2008 R2

14

Install and configure AD RMS

When the document opens, click the Microsoft Office Button. Notice that the Print option is
not available.

Close Microsoft Word.

Log off as user_mar.

You have successfully installed and demonstrated the functionality of AD RMS, using the simple
scenario of applying restricted permissions to a Microsoft Word 2007 document.

Uninstall AD RMS
1

Open Server Manager.

Click Roles > Remove Roles. The Remove Roles Wizard opens.

Click Next.

Deselect Active Directory Rights Management Services, and click Next.

When the wizard prompts you, reboot the machine.

Unregister AD RMS Service Connection Point (SCP)

To unregister AD RMS SCP:
1

Download the RMS SP2 Administration Toolkit from

http://www.microsoft.com/downloads/details.aspx?FamilyID=bae62cfc-d5a7-46d2-90630f6885c26b98&displaylang=en.

2 Install the RMS SP2 Administration Toolkit.

3

Open a command prompt, and navigate to the C:\Program Files\RMS SP2 Administration
Toolkit\ADScpRegister folder.

Run the command:

ADScpRegister.exe unregisterscp

Thales nShield HSM: ADRMS Integration Guide for Windows Server 2008 and Windows Server 2008 R2

15

Chapter 3: Troubleshooting

Problem

Resolution

While installing AD RMS, you see the error:

Attempt to configure Active Directory Rights Management
Server failed.
Fail to generate enrolee certificate public key.

Ensure Microsoft SQL Server 2005 is

working properly, or reboot the
ADRMS-DB machine.

While installing AD RMS, you see the error:

Attempt to configure Active Directory Rights Management
Server failed.
The AD RMS installation could not determine the
certificate hierarchy.
If the AD RMS service connection point (SCP) you need to
use is registered in Active Directory but is not valid, revise
it to make it valid, or create a new SCP, and install AD
RMS again.

Unregister ADRMS Service

Connection Point (SCP) using RMS
SP2 Administration Toolkit, and
install again.

While installing AD RMS, you see the error:

Attempt to configure Active Directory Rights Management
Server failed.
Provisioning of AD RMS timed out without any specific
error.
Remove and re-install AD RMS to attempt provisioning
again.

Recreate security world by

unselecting the Always use the wizard
when creating or importing keys option,
and reinstall AD RMS.

When the recipient tries to open the restricted document,

they see the error in RMS Client machine (Microsoft
VISTA, SP1):
This Service is temporarily unavailable.
Microsoft Internet Explorer may be set to Work offline.
In Internet Explorer, verify that Work Offline on the File
menu is not selected, and try again.

Import the Microsoft CA root

certificate into the Third-Party Root
Certification Authorities store of My
User Account , and try again.

Note Ensure the key

protection method is
neither Softcard nor Kof-N cardset protection,
because AD RMS does
not support these
methods.

Thales nShield HSM: ADRMS Integration Guide for Windows Server 2008 and Windows Server 2008 R2

16

Addresses

Americas
2200 North Commerce Parkway, Suite 200, Weston, Florida 33326, USA
Tel: +1 888 744 4976 or + 1 954 888 6200
sales@thalesesec.com

Europe, Middle East, Africa

Meadow View House, Long Crendon, Aylesbury, Buckinghamshire HP18 9EQ, UK
Tel: + 44 (0)1844 201800
emea.sales@thales-esecurity.com

Asia Pacific
Units 4101, 41/F. 248 Queens Road East, Wanchai, Hong Kong, PRC
Tel: + 852 2815 8633
asia.sales@thales-esecurity.com

Internet addresses
Web site:
Support:
Online documentation:
International sales offices:

www.thales-esecurity.com
www.thales-esecurity.com/en/Support.aspx
www.thales-esecurity.com/Resources.aspx
www.thales-esecurity.com/en/Company/Contact%20Us.aspx