CASE: Using nCipher and OpenSSL (on Windows)
So I installed a Net HSM and a Windows Server 2008 R2 machine. I wanted to achieve two goals:
(1) Using the Net HSM from a client machine (aka enrolling)
(2) Using the HSM to support OpenSSL and MSCAPI at the same time
Update: I am using Windows 7 Enterprise for the client, using version 11.11 of the nCipher tools on both machines.
Part I : Enrolling a Net HSM
This was rather obvious: point the nFast server at the IP address of the Net HSM so that it connects to that remote device. I will use CLIENT as the name of the client machine and SERVER as the Net HSM installed on the network.
- 1. Enroll the SERVER on the CLIENT (replace IP with the IPv4 address of the SERVER):
nethsmenroll.exe -p -V [IP]
- 2. Set up RFS syncing against the SERVER (assumes SERVER already has RFS set up):
rfs-sync.exe --setup --no-authenticate [IP]
- 3. Sync the security world files down to the client:
rfs-sync.exe -U
- 4. Success! You should now be able to run nfkminfo.exe and enquiry.exe without errors.
Useful Hints
- I usually restart the "nFast Server" service after every step that changes the configuration.
- Make the directory containing the config and keys fully controllable by your normal/power user. In Win7 this directory is C:\PROGRAMDATA\nCipher.
- On Windows Server 2008 R2, keys and containers are created without the proper permissions, so running icacls *.* /reset in the KMDATA\local directory works wonders.
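The enrollment steps above, scripted as a PowerShell run with exit-code checks, as an added example that is not part of the original post. It restarts the hardserver after each configuration change and optionally applies the icacls hint. It assumes the nCipher bin directory is already on PATH, that the Windows service is named 'nFast Server', and that key material lives under %NFAST_KMDATA% (falling back to C:\ProgramData\nCipher\Key Management Data); all three are assumptions, not taken from the post.

```powershell
# Added example, not from the original post: scripted Part I enrollment with
# exit-code checks and a hardserver restart after each configuration change.
# Assumptions: nCipher tools on PATH, service name 'nFast Server', KMDATA under
# %NFAST_KMDATA% or C:\ProgramData\nCipher\Key Management Data.
param(
    [Parameter(Mandatory = $true)][string]$ServerIp,   # IPv4 address of SERVER
    [switch]$ResetKmdataAcls                            # apply the Server 2008 R2 hint
)

function Invoke-Checked {
    # Run a native tool and stop on a non-zero exit code instead of carrying on.
    param([string]$Exe, [string[]]$Arguments = @())
    Write-Host ">> $Exe $($Arguments -join ' ')"
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

function Restart-NfastServer {
    # The hardserver re-reads its configuration on restart (service name assumed).
    Restart-Service -Name 'nFast Server' -ErrorAction Stop
    Start-Sleep -Seconds 5
}

# Step 1: enroll the Net HSM (privileged connection, verify the HSM details)
Invoke-Checked 'nethsmenroll.exe' @('-p', '-V', $ServerIp)
Restart-NfastServer

# Step 2: point RFS syncing at the SERVER's remote file system
Invoke-Checked 'rfs-sync.exe' @('--setup', '--no-authenticate', $ServerIp)

# Step 3: pull the security world files down to this client
Invoke-Checked 'rfs-sync.exe' @('-U')
Restart-NfastServer

# Optional: reset ACLs on local key material (Server 2008 R2 hint from the post)
if ($ResetKmdataAcls) {
    $kmdata = if ($env:NFAST_KMDATA) { $env:NFAST_KMDATA } else { 'C:\ProgramData\nCipher\Key Management Data' }
    Push-Location (Join-Path $kmdata 'local')
    try { Invoke-Checked 'icacls.exe' @('*.*', '/reset') } finally { Pop-Location }
}

# Step 4: both must succeed once the client is enrolled and synced
Invoke-Checked 'enquiry.exe'
Invoke-Checked 'nfkminfo.exe'
Write-Host 'Enrollment complete.'
```

Run it from an elevated PowerShell as `.\enroll.ps1 -ServerIp 10.0.0.5` (address constructed for illustration); add `-ResetKmdataAcls` on Server 2008 R2. Failing fast on the first non-zero exit code matters here because a later step (rfs-sync -U) silently produces an empty security world if the enrollment before it did not actually succeed.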
Part II: Using nCipher with OpenSSL
I used Andrea Campi's great blog post as a starting point for this, so some of the credit goes to him.
The few differences I found are subtle but definitely very important.
- 1. Set up some environment variables:
LD_LIBRARY_PATH=c:\nCipher\nfast\toolkits\hwcrhk
LIBPATH=c:\nCipher\nfast\toolkits\hwcrhk
OPENSSL_CONF=c:\nCipher\nfast\lib\ssleay\openssl.cnf
- 2. nCipher provides an OpenSSL config file that is almost ready to use, but it may point to the wrong DLL depending on how you installed your software. The file path is
%NFAST_HOME%\lib\ssleay\openssl.cnf
- The section you should verify points to the appropriate DLL is:
[chil_section]
SO_PATH=c:\nCipher\nfast\toolkits\hwcrhk\nfhwcrhk.dll
- 3. I highly recommend setting up the PATH variable so that the nCipher-provided version of OpenSSL is used. This version is located in
%NFAST_HOME%\bin
- I did this by prepending it to my own PATH variable:
SET PATH=C:\nCipher\nfast\bin;%PATH%
- To verify this, you can run:
OpenSSL.exe version
OpenSSL 0.9.8e 23 Feb 2007
- 4. Now you can verify that the CHIL engine is working:
openssl.exe engine -t chil
(chil) CHIL hardware engine support
[ available ]
- 5. Congratulations! You are DONE!
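A check script for the whole of Part II, as an added example that is not part of the original post or the nCipher toolkit: it sets the three environment variables for the current session, prepends the nCipher bin directory to PATH, parses openssl.cnf to confirm that the [chil_section] SO_PATH points at a DLL that actually exists (the pitfall from step 2), confirms that the first openssl.exe on PATH is the nCipher copy (the pitfall from step 3), and then runs the engine test from step 4, failing if the output does not contain "[ available ]". It assumes NFAST_HOME is set or the default C:\nCipher\nfast install location; the function name Get-ChilSoPath is my own.

```powershell
# Added example, not from the original post: verify the Part II OpenSSL/CHIL setup.
# Assumes %NFAST_HOME% is set, otherwise the default C:\nCipher\nfast location.
$NfastHome = if ($env:NFAST_HOME) { $env:NFAST_HOME } else { 'C:\nCipher\nfast' }

# Step 1: environment variables, session-scoped (use setx if you want them persisted)
$env:LD_LIBRARY_PATH = Join-Path $NfastHome 'toolkits\hwcrhk'
$env:LIBPATH         = $env:LD_LIBRARY_PATH
$env:OPENSSL_CONF    = Join-Path $NfastHome 'lib\ssleay\openssl.cnf'

# Step 3: make sure nCipher's OpenSSL wins over any other copy already on PATH
$NfastBin = Join-Path $NfastHome 'bin'
$env:PATH = $NfastBin + ';' + $env:PATH

function Get-ChilSoPath {
    # Return the SO_PATH value from the [chil_section] block of openssl.cnf,
    # or $null if the section or the key is missing.
    param([string]$ConfPath = $env:OPENSSL_CONF)
    $inSection = $false
    foreach ($line in Get-Content -LiteralPath $ConfPath) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') {
            $inSection = ($Matches[1].Trim() -eq 'chil_section')
            continue
        }
        if ($inSection -and $t -match '^SO_PATH\s*=\s*(.+?)\s*$') {
            return $Matches[1].Trim('"')
        }
    }
    return $null
}

# Step 2: the DLL named in the config must exist for the engine to load at all
$soPath = Get-ChilSoPath
if (-not $soPath) { throw "No SO_PATH under [chil_section] in $env:OPENSSL_CONF" }
if (-not (Test-Path -LiteralPath $soPath)) { throw "SO_PATH points at a missing DLL: $soPath" }
Write-Host "chil SO_PATH OK: $soPath"

# Step 3 check: which openssl.exe resolves first on PATH?
$openssl = (Get-Command openssl.exe -ErrorAction Stop).Source
if (-not $openssl.StartsWith($NfastBin, 'OrdinalIgnoreCase')) {
    throw "openssl.exe resolves to $openssl, not the nCipher copy in $NfastBin"
}
& $openssl version

# Step 4: engine test; fail on a non-zero exit code or a missing "[ available ]"
$out = & $openssl engine -t chil 2>&1 | Out-String
if ($LASTEXITCODE -ne 0 -or $out -notmatch '\[ available \]') {
    throw "CHIL engine not available:`n$out"
}
Write-Host 'CHIL engine available'
```

The two explicit checks (SO_PATH existence and which openssl.exe is first on PATH) cover the cases where `openssl engine -t chil` reports the engine as unavailable with no further explanation: a stale DLL path left over from a different install directory, or a second OpenSSL build earlier on PATH that was compiled without CHIL support.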