Using the NCipher with OpenSSL on Windows
So I installed a Net HSM and a Windows Server 2008 R2 machine. I wanted to achieve two goals:
(1) Using a Net HSM (aka enrolling)
(2) Use the HSM to support OpenSSL/MSCAPI at the same time
Update: I am using Windows 7 Enterprise for the client, using version 11.11 of the nCipher tools on both machines.
Part I: Enrolling a Net HSM
This was rather obvious: use the IP address of the server so that the nFast server connects to that remote server. I will use CLIENT as the name of the client machine and SERVER as the Net HSM installed on the network.
- 1. Enroll the SERVER on the CLIENT (replace IP with the IPv4 address of the SERVER):
nethsmenroll.exe -p -V [IP]
- 2. Enroll the server in RFS syncing (assumes SERVER already has RFS set up)
rfs-sync.exe --setup --no-authenticate [IP]
- 3. Sync the client files.
- 4. Success! You should be able to run nfkminfo.exe and enquiry.exe without errors.
- I usually “restart” nFast Server service after every step that requires changes to the configuration.
- Make the directory containing the config and keys fully controllable by your normal/power user. In Win7 this directory is C:\PROGRAMDATA\nCipher.
- Windows Server 2008 R2 keys and containers are made without the proper permissions, so running icacls *.* /reset on the KMDATA\local directory works wonders.
Part II: Using nCipher with OpenSSL
I used Andrea Campi’s great blog post as a starting point for this, so some of the credit goes to him.
The few differences found are subtle but definitely very important.
- 1. Set up some environment variables
- 2. nCipher provides an OpenSSL config file that is almost ready to use. But it points to the wrong DLL depending on how you installed your software. The file path is
- The section you should verify points to the appropriate DLL is:
- 3. I highly recommend setting up the path variable so that the nCipher-provided version of OpenSSL is used. This version is located in the
- I did this by setting up my own PATH variable
- To verify this, you can run
OpenSSL 0.9.8e 23 Feb 2007
- 4. Now you can verify that the CHIL engine is working
openssl.exe engine -t chil
(chil) CHIL hardware engine support
[ available ]
- 5. Congratulations! You are DONE!
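The checks from Part I step 4 and Part II step 4 can be run in one pass. The PowerShell below is an added example, not part of the original post or the nCipher tooling; the function name Test-Tool is made up for illustration, and it assumes enquiry.exe, nfkminfo.exe and openssl.exe are all reachable through PATH. It also prints which openssl.exe the shell actually resolves, so you can confirm it is the nCipher-provided build and not another copy earlier on PATH.

```powershell
# Added example (not from the original post): post-install check for Part I and Part II.
# Assumption: enquiry.exe, nfkminfo.exe and openssl.exe are reachable through PATH.
# Test-Tool is a hypothetical helper name. Written to run on PowerShell 2.0 (Windows 7).

function Test-Tool {
    param([string]$Name, [string[]]$Arguments = @(), [string]$ExpectPattern = $null)

    # Resolve the binary the same way the shell would, so a stray openssl.exe
    # earlier on PATH shows up in the report instead of being used silently.
    $cmd = Get-Command $Name -CommandType Application -ErrorAction SilentlyContinue |
           Select-Object -First 1
    if (-not $cmd) {
        return New-Object PSObject -Property @{
            Tool = $Name; Path = $null; Ok = $false; Detail = 'not found on PATH' }
    }

    # Capture stdout and stderr together; a tool may report problems on either.
    $output = (& $cmd.Path $Arguments 2>&1 | Out-String)
    $ok = ($LASTEXITCODE -eq 0)
    $detail = "exit code $LASTEXITCODE"

    # For the engine test, match the availability line shown in step 4 rather
    # than relying on the exit code alone.
    if ($ok -and $ExpectPattern) {
        $ok = $output -match $ExpectPattern
        if (-not $ok) { $detail = "output did not match '$ExpectPattern'" }
    }

    New-Object PSObject -Property @{
        Tool = $Name; Path = $cmd.Path; Ok = $ok; Detail = $detail }
}

$results = @(
    Test-Tool 'enquiry.exe'       # Part I, step 4
    Test-Tool 'nfkminfo.exe'      # Part I, step 4
    # Part II, step 4: "[ available ]" matches, "[ unavailable ]" does not.
    Test-Tool 'openssl.exe' @('engine', '-t', 'chil') '\[\s*available\s*\]'
)

$results | Format-Table Tool, Ok, Detail, Path -AutoSize
if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning 'One or more checks failed; see the Detail column.'
}
```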