Поделиться через


Updated: Using Thales nShield Connect/Solo on Windows with OpenSSL CHIL Engine

Using the Thales nShield with OpenSSL on Windows

So I installed an nShield Connect HSM and a Windows Server 2012 R2 machine. I wanted to achieve two goals:

(1) Using the a nShield HSM (aka enrollment)

(2) Use the nShield Support Software (v. 11.70 is recommended for Windows Server 2012 R2) to support OpenSSL's chil engine

Part I : Enrolling a Net HSM

This was rather obvious, use the IP address of the server so that the nFast server connects to that remote server. I will use CLIENT as the name of the client machine and SERVER as the nShield Connect HSM connected on the network.

  1. Find out the device's kNeti Hash and Electronic Serial Number (ESN)
        anokneti.exe [Hsm-IP-Addr]
  2. Copy the output of the above command and paste after the [IP] below
        nethsmenroll.exe [Hsm-IP-Addr] [Output from Anonkneti]
  3. Success! You should be able to run nfkminfo.exe and enquiry.exe without errors.

Useful Hints

  • Make the directory containing the config and keys fully controllable by your normal/power user. This is set in the environment variable %NFAST_KMDATA%
  • Windows Server 2012 R2 CAPI keys and containers are *sometimes* made without the proper permissions, so running icacls to reset permissions on the %NFAST_KMDATA% \local directory works wonders.

Part II: Using the OpenSSL CHIL Engine

The few differences found are subtle but definitely very important.      

  1. Setup some environment variables, from the command prompt run the following commands.
        SET LD_LIBRARY_PATH= %NFAST_HOME% \toolkits\hwcrhk
        SET LIBPATH= %NFAST_HOME% \toolkits\hwcrhk
        SET OPENSSL_CONF= %NFAST_HOME% \lib\ssleay\openssl.cnf
  2. nCipher provides an OpenSSL config file that is almost ready to use. But sometimes it points to the wrong DLL depending on how you installed your software. The file path is: %NFAST_HOME%\lib\ssleay\openssl.cnf and you should check under the [chil] section. For my particular setup, the section looks like below, notice in bold the path matches the value stored in %NFAST_HOME% :
        [chil_section]
        SO_PATH=c:\nCipher\nfast\toolkits\hwcrhk\nfhwcrhk.dll
  3. I highly recommend setting up the path variable so that the nCipher-provided version of OpenSSL is used (0.9.8e 23 Feb 2007). This version is located in the %NFAST_HOME%\bin
        SET PATH=C:\nCipher\nfast\bin;%PATH%
  4. Now, the engine should be properly configured. To verify run the following command.
        openssl.exe engine -t chil
  5. Expected output is below.
             (chil) CHIL hardware engine support
        [ available ]
  6. Congratulations! You are DONE!