Integration Guide. Entrust Authority Security Manager 8.1 SP1 Microsoft Windows Server 2012 R2 Standard


Integration Guide: Entrust Authority Security Manager 8.1 SP1

Imprint
copyright 2018 Utimaco IS GmbH
Germanusstrasse 4
D-52080 Aachen
Germany
phone +49 (0)241 / 1696-200
fax +49 (0)241 / 1696-199
web http://hsm.utimaco.com
email support-cs@utimaco.com
document version 2.0.0
date September 2018
author John Dingelstad
document no. IG_Entrust
all rights reserved

No part of this documentation may be reproduced in any form (printing, photocopy or according to any other process) without the written approval of Utimaco IS GmbH or be processed, reproduced or distributed using electronic systems. Utimaco IS GmbH reserves the right to modify or amend the documentation at any time without prior notice. Utimaco IS GmbH assumes no liability for typographical errors and damages incurred due to them. All trademarks and registered trademarks are the property of their respective owners.

Contents

1 Introduction 5
2 Overview 6
3 Requirements 7
4 Supported Operating Systems 8
5 Integrating CryptoServer in Entrust Authority Security Manager 9
5.1 Installing the CryptoServer 9
5.2 Configuring PKCS#11 R2 Library 9
5.2.1 Configuring the PKCS#11 R2 Configuration File 10
5.2.2 Initializing PKCS#11 Slot 0 with p11tool2 11
5.3 Copying 32-bit version of PKCS#11 Driver 12
5.4 Installing PostgreSQL 12
5.5 Installing Entrust Authority Security Manager 13
5.6 Configuring and Initializing Entrust Authority Security Manager 13
5.7 Installing Entrust Authority Security Manager Administration 15
5.8 Test the Integration 16
6 Troubleshooting 18
7 Further Information 19
Appendices 21
A Procedures on the Domain Controller 22
A.1 Installing Microsoft Active Directory Domain Services 22
A.2 Configuring Microsoft Active Directory Domain Services 22
A.3 Installing and Configuring Microsoft Active Directory Lightweight Directory Services 23
A.3.1 Installing and configuring AD LDS 23
A.3.2 Add the Security Manager Schema 25
A.3.3 Create and Configure a New CA Entry 25
A.3.4 Assigning permissions for clients to read CA data 27
A.3.5 Adding a Directory Administrator 30
B Procedures on the Security Manager Server 31

1 Introduction

This paper provides an integration guide explaining how to integrate a Utimaco CryptoServer Hardware Security Module (HSM) with Entrust Authority Security Manager 8.1 SP1 on Windows Server 2012 R2 Standard.

Installation and configuration instructions - especially relating to Active Directory Lightweight Directory Services (AD LDS), PostgreSQL, Entrust Authority Security Manager and Entrust Authority Security Manager Administration - are beyond the scope of this document. For more detailed information on these specific topics, please refer to the documentation provided by Entrust Datacard.

In order to allow a quick start when setting up an Entrust Authority Security Manager 8.1 SP1 evaluation environment, the appendix provides reference instructions for setting up an evaluation environment under Windows Server 2012 R2 Standard that is based on Microsoft Active Directory Lightweight Directory Services (AD LDS).

2 Overview

Entrust Authority Security Manager is a public key infrastructure (PKI) designed to manage the digital keys and certificates that make up the digital identities required to transparently automate all security-related processes in an organization. As the organization's Certification Authority (CA) system, Entrust Authority Security Manager software enables the use of digital signature, digital receipt, encryption and permissions management services across a wide variety of applications and solutions.

A hardware security module adds a further level of protection: among other things, it provides secure storage for the CA key pair that Entrust Authority Security Manager uses to certify its users and for the key used to protect the database.

The CryptoServer is a hardware security module developed by Utimaco IS GmbH, i.e. a physically protected, specialized computer unit designed to perform sensitive cryptographic tasks and to securely manage cryptographic keys and data. Within a CryptoServer, security-relevant actions can be executed and security-relevant information can be stored. It can be used as a universal, independent security component for heterogeneous computer systems.

3 Requirements

Ensure that you have a copy of the CryptoServer - Administration Manual [1] and the CryptoServer PKCS#11 R2 Developer Guide [2]. You will also need a copy of the Entrust Authority Security Manager 8.1 SP1 - Installation Guide [8], the Entrust Authority Security Manager 8.1 SP1 - Directory Configuration Guide [9] and the Entrust Authority Security Manager 8.1 SP1 - Operations Guide [10] provided by Entrust.

Additionally, Entrust Authority Security Manager requires a Lightweight Directory Access Protocol (LDAP)-compliant directory to store Certification Authority (CA) certificates, certificate revocation lists (CRLs), and user information. It is recommended that you install and configure your directory upfront. For more details, please refer to the Entrust Authority Security Manager 8.1 SP1 - Directory Configuration Guide [9].

Software and Hardware Requirements

HSM Model:     CryptoServer Se Gen2-Series/CSe-Series LAN
               CryptoServer Se Gen2-Series/CSe-Series PCIe
               CryptoServer Simulator
HSM Firmware:  SecurityServer Version 4.21.0
Software:      Windows Server 2012 R2
               An LDAP compliant directory service
               PostgreSQL 8.3.23
               Entrust Authority Security Manager 8.1 SP1

4 Supported Operating Systems

The integration of the CryptoServer solution and Entrust Authority Security Manager has been tested successfully for the following configuration:

Operating System:                           Windows Server 2012 R2 Standard
SecurityServer Version:                     4.21.0
Entrust Authority Security Manager Version: 8.1 SP1 including patch 192895
PCIe Support:                               Yes
Ethernet Support:                           Yes

5 Integrating CryptoServer in Entrust Authority Security Manager

Complete the following steps on the server where Entrust Authority Security Manager, PostgreSQL and SecurityServer will be installed and verified:

1. Install the CryptoServer
2. Configure PKCS#11 R2 Library:
   - Configure the PKCS#11 R2 Configuration File
   - Initialize PKCS#11 Slot 0 with p11tool2
3. Copy 32-bit version of PKCS#11 Driver
4. Install PostgreSQL
5. Install Entrust Authority Security Manager
6. Configure and Initialize Entrust Authority Security Manager
7. Install Entrust Authority Security Manager Administration
8. Test the Integration

5.1 Installing the CryptoServer

Step-by-step instructions on how to bring the CryptoServer LAN and the PCIe plug-in card into service, and how to install the CryptoServer software on a computer, are given in the CryptoServer LAN - Quick Start Guide [3] and the CryptoServer PCIe - Quick Start Guide [4] on the SecurityServer product CD.

PKCS#11 R2 - Cryptographic Token Interface
When installing the CryptoServer software from the product CD, make sure that you install the PKCS#11 R2 - Cryptographic Token Interface.

5.2 Configuring PKCS#11 R2 Library

This section describes the configuration and initialization of the Utimaco PKCS#11 R2 library.

For further information regarding the installation and configuration of PKCS#11 R2 please consult the CryptoServer - PKCS#11 R2 Developer Guide [2].

5.2.1 Configuring the PKCS#11 R2 Configuration File

During the installation of the CryptoServer software an environment variable named CS_PKCS11_R2_CFG was set to the path and location of the PKCS#11 R2 configuration file. On Windows, it refers by default to C:\ProgramData\Utimaco\PKCS11_R2\cs_pkcs11_R2.cfg. The PKCS#11 library uses this environment variable to locate the configuration file.

ProgramData Folder
The ProgramData folder is hidden by default on Windows. To access the PKCS#11 R2 configuration file, enter the path mentioned above in the address bar of the Windows Explorer.

Open the PKCS#11 R2 configuration file cs_pkcs11_r2.cfg with an editor of your choice in order to adjust it for your CryptoServer hardware:

1. Find the Device parameter in the CryptoServer section and change the value to one of these possible values:
   - IP address of your device (e.g. 192.168.0.42): this device specifier is used for network attached devices. Further details on setting up the IP address of your device can be found in the CryptoServer LAN V4 - Operating Manual [5].
   - PCI:0: this device specifier addresses a locally installed PCI or PCIe device. An installed device driver is necessary to open a connection. Further details on setting up the driver can be found in the CryptoServer PCIe - Se-Series Gen2 - Operating Manual [6].
2. Change the KeepAlive parameter from false to true in order to keep the session with Entrust Authority Security Manager alive and prevent it from expiring after 15 minutes of idle time.
3. Find the SlotCount parameter in the CryptoServer section and change the default value of 10 to the number of slots you intend to use, e.g. change the value to 1 if only one slot will be used.

PKCS#11 Slot Configuration
Please note that as of SecurityServer version 4.21, there is no longer a restriction in place that CA keys can be stored in PKCS#11 slot 0 only.

5.2.2 Initializing PKCS#11 Slot 0 with p11tool2

p11tool2 is the CryptoServer PKCS#11 Administration Tool Release 2, based on the CryptoServer PKCS#11 Library R2. It is a command line utility designed to be called from the command line or from a batch file. p11tool2 offers functions to execute PKCS#11 commands on the CryptoServer and additional commands for backup, restoration and configuration settings. It is located in the directory ProgramFiles\Utimaco\CryptoServer\Administration. The CryptoServer PKCS#11 p11tool2 - Reference Manual [7] gives detailed descriptions of the p11tool2 commands.

Start the Microsoft Windows command line shell and perform the following steps to initialize the PKCS#11 slot where the CA keys for Entrust Authority Security Manager will be generated and stored.

1. Check whether the configuration of PKCS#11 R2 was successful by running the ListSlots command of p11tool2:

Console
# p11tool2 ListSlots

The output should display a list of available PKCS#11 slot numbers:

ListSlots
0: 00000000
1: 00000001
2: 00000002
3: 00000003
4: 00000004
5: 00000005
6: 00000006
7: 00000007
8: 00000008
9: 00000009

2. Initialize PKCS#11 slot 0 for Entrust Authority Security Manager to store the necessary CA keys:

Console
# p11tool2 slot=0 Login=ADMIN,:cs2:auto:USB0 InitToken=123456
# p11tool2 slot=0 LoginSO=123456 InitPin=utimaco123

Here the InitToken parameter determines the PKCS#11 SO PIN and the InitPin parameter determines the PKCS#11 user PIN of slot 0. This user PIN will be used later in this document for the PKCS#11 user authentication.

5.3 Copying 32-bit version of PKCS#11 Driver

Because Entrust Authority Security Manager is a 32-bit application, you have to use the 32-bit version of the PKCS#11 library. Therefore, copy the CryptoServer PKCS#11 library cs_pkcs11_r2.dll (PKCS#11 R2) from ProductCD\Software\Windows\x86-32\Crypto_APIs\PKCS11_R2\lib into the Windows\System32 directory.

5.4 Installing PostgreSQL

Before Entrust Authority Security Manager can be installed, PostgreSQL must be installed as the Security Manager database. The Security Manager database stores information about the Certification Authority, X.509 users, and EAC entities. Entrust provides a PostgreSQL database for the Security Manager database. The instructions on how to install PostgreSQL are given in the Entrust Authority Security Manager 8.1 SP1 - Installation Guide [8], chapter Installing PostgreSQL.

5.5 Installing Entrust Authority Security Manager

The installation of Entrust Authority Security Manager is trivial since no essential configuration steps have to be performed during the process. Please see chapter Installing Security Manager in the Entrust Authority Security Manager 8.1 SP1 - Installation Guide [8].

5.6 Configuring and Initializing Entrust Authority Security Manager

The configuration and initialization of the Security Manager is described in detail in the chapters Configuring Security Manager and Initializing Security Manager of the Entrust Authority Security Manager 8.1 SP1 - Installation Guide [8]. The following CryptoServer-specific configuration steps have to be performed:

1. Start the Security Manager Configuration application and follow the instructions in the Entrust Authority Security Manager 8.1 SP1 - Installation Guide, chapter Configuring Security Manager, up until the Cryptographic Information page appears.
2. Proceed with the CryptoServer configuration by selecting the option Use hardware on the Certification Authority Key Generation tab.

3. Click Next on the following tabs, keeping all the default settings, until the No Hardware Device Found dialog box appears.
4. Now the appropriate PKCS#11 library cs_pkcs11_r2.dll has to be selected. During the PKCS#11 configuration we prepared the 32-bit library in the directory Windows\System32. After the library is selected, you should see the following dialog; select Utimaco CryptoServer as hardware.
5. Confirm the default settings on the next pages until the configuration wizard reports that the configuration of the Security Manager is complete.
6. Select the option Run Security Manager Control Command Shell now and click OK in order to initialize Entrust Authority Security Manager.

7. You are prompted to enter and confirm passwords for all three Master Users and the First Officer. At each prompt, have the specified Master User or First Officer enter and then confirm their password.
8. Finally, you are prompted to enter the password of the CA hardware, which is the PKCS#11 user PIN that we created when the PKCS#11 slot was initialized in chapter 5.2.2.

Note: For more information on configuring a hardware security module for Entrust Authority Security Manager, refer to the Entrust Authority Security Manager 8.1 SP1 - Operations Guide [10], chapter Using hardware security modules.

5.7 Installing Entrust Authority Security Manager Administration

The installation of Entrust Authority Security Manager Administration and the Entrust Authority Security Manager Administration online help is trivial since no essential configuration steps have to be performed during the process. Please see chapter Installing and uninstalling Security Manager Administration and the online help in the Entrust Authority Security Manager Administration 8.1 SP1 - User Guide [11].

5.8 Test the Integration

First we should check whether any objects (CA keys) were created in the configured PKCS#11 slot, using the CryptoServer administration tool p11tool2. For this purpose start the Microsoft Windows command line shell and run the ListObjects command of p11tool2:

Console
# p11tool2 slot=0 LoginUser=utimaco123 ListObjects

You should see an entry for a CA signing key as shown below:

ListObjects
CKO_PRIVATE_KEY: + 1.1
  CKA_KEY_TYPE    = CKK_RSA
  CKA_SENSITIVE   = CK_TRUE
  CKA_EXTRACTABLE = CK_FALSE
  CKA_LABEL       = CA Signing Key
  CKA_ID          = 0x6D634777 684E7579 51694943 70413764  mcgwhnuyqiicpa7d
                      462B496A 316E3135 625A383D           F+Ij1n15bZ8=

Finally, use the Security Manager Control Command Shell for viewing the hardware information. First start the shell and then log in by entering the command login, the username Master1 and the password for this user, which was set by the end of chapter 5.5. The next command lists the configured hardware devices and informs you whether those are used for key storage.

Console
# ca key show-cahw -type all

Hardware Devices
EAC is not enabled. There is no associated cryptographic hardware for EAC.

**** Hardware Information ****
----------------------------------------------------
Name: Utimaco IS GmbH CryptoServer
SN  : UTIMACO CS000000
SLOT: 0
Has current X.509 CA key: Y
Load Status: hardware loaded ok
Uses Password: Y
DB protection HW: N
In use for X.509 CA keys: Y
In use for EAC keys: N
----------------------------------------------------
**** End of Hardware Information ****
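As an added check that is not part of the original guide, the following Python script parses the two outputs of this section (constructed samples of the p11tool2 ListObjects listing and of ca key show-cahw, laid out as shown above) and verifies that the CA signing key is held as a sensitive, non-extractable RSA private key and that Security Manager reports the HSM slot as loaded and in use. The two-space indentation of the attribute lines and the parse_*/check_* function names are assumptions.

```python
import re

# Constructed sample of the "p11tool2 slot=0 ... ListObjects" listing, with the
# values from the page; the two-space indentation of attribute lines is assumed.
SAMPLE_LISTOBJECTS = """\
ListObjects
CKO_PRIVATE_KEY: + 1.1
  CKA_KEY_TYPE    = CKK_RSA
  CKA_SENSITIVE   = CK_TRUE
  CKA_EXTRACTABLE = CK_FALSE
  CKA_LABEL       = CA Signing Key
  CKA_ID          = 0x6D634777 684E7579 51694943 70413764
CKO_PUBLIC_KEY: + 1.2
  CKA_KEY_TYPE    = CKK_RSA
  CKA_LABEL       = CA Signing Key
"""

# Constructed sample of "ca key show-cahw -type all" as printed by the
# Security Manager Control Command Shell (field names taken from the page).
SAMPLE_SHOW_CAHW = """\
**** Hardware Information ****
----------------------------------------------------
Name: Utimaco IS GmbH CryptoServer
SN  : UTIMACO CS000000
SLOT: 0
Has current X.509 CA key: Y
Load Status: hardware loaded ok
Uses Password: Y
DB protection HW: N
In use for X.509 CA keys: Y
In use for EAC keys: N
----------------------------------------------------
**** End of Hardware Information ****
"""

OBJECT_HEADER = re.compile(r"^(CKO_[A-Z_]+):\s*(.*)$")
ATTRIBUTE = re.compile(r"^\s+(CKA_[A-Z_]+)\s*=\s*(.*?)\s*$")


def parse_listobjects(text):
    """Group the listing into objects: class, handle and a dict of CKA_* attributes."""
    objects = []
    for line in text.splitlines():
        header = OBJECT_HEADER.match(line)
        if header:
            objects.append({"class": header.group(1), "handle": header.group(2), "attrs": {}})
            continue
        attr = ATTRIBUTE.match(line)
        if attr and objects:
            objects[-1]["attrs"][attr.group(1)] = attr.group(2)
    return objects


def check_ca_signing_key(objects, label="CA Signing Key"):
    """Return findings for the CA private key; an empty list means it looks right."""
    findings = []
    private = [o for o in objects
               if o["class"] == "CKO_PRIVATE_KEY" and o["attrs"].get("CKA_LABEL") == label]
    if not private:
        return [f"no CKO_PRIVATE_KEY labelled '{label}' found in the slot"]
    if len(private) > 1:
        findings.append(f"{len(private)} private keys carry the label '{label}'")
    attrs = private[0]["attrs"]
    if attrs.get("CKA_KEY_TYPE") != "CKK_RSA":
        findings.append("CA key is not an RSA key")
    if attrs.get("CKA_SENSITIVE") != "CK_TRUE":
        findings.append("CKA_SENSITIVE is not CK_TRUE: key material could be read out in plaintext")
    if attrs.get("CKA_EXTRACTABLE") != "CK_FALSE":
        findings.append("CKA_EXTRACTABLE is not CK_FALSE: key could be wrapped and exported")
    return findings


def parse_show_cahw(text):
    """Turn the 'Field: value' lines of show-cahw into a dict; frame lines are skipped."""
    info = {}
    for line in text.splitlines():
        if line.startswith(("*", "-")) or ":" not in line:
            continue
        key, value = line.split(":", 1)
        info[key.strip()] = value.strip()
    return info


def check_show_cahw(info, expected_slot="0"):
    """Verify that Security Manager really uses the expected HSM slot for the X.509 CA key."""
    expected = {
        "SLOT": expected_slot,
        "Has current X.509 CA key": "Y",
        "In use for X.509 CA keys": "Y",
        "Load Status": "hardware loaded ok",
    }
    return [f"{field} is {info.get(field)!r}, expected {want!r}"
            for field, want in expected.items() if info.get(field) != want]
```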

6 Troubleshooting

Error: During the configuration of Entrust Authority Security Manager, the message "No Hardware Device Found" pops up every time - even if the right library is selected.
Solution: It helps to restart the configuration wizard.

Error: When logging in at Entrust Authority Security Manager Administration, the message "Either the user profile could not be found or is read-only" pops up.
Solution: Windows User Account Control (UAC) is enabled and you need to run Entrust Authority Security Manager Administration as administrator. To do this, right click on the Security Manager Administrator icon and select Run as administrator.

Error: The CryptoServer reports "CKR_USER_NOT_LOGGED_IN - secure messaging session expired" in the log file.
Solution: The session with Entrust Authority Security Manager Administration expired after 15 minutes of inactivity. To prevent the session from expiring, change the KeepAlive parameter to true in the PKCS#11 R2 Configuration File as described in section 5.2.1.

Error: The CryptoServer reports a "Command Timeout" in the log file.
Solution: Increase the CommandTimeout parameter in the PKCS#11 R2 Configuration File, which specifies the maximum time in milliseconds to wait for the answer from the CryptoServer after sending a command. See also section 5.2.1.

Error: Database integrity check failed (Errorcode: -07855)
Solution: This problem occurs when not all visible PKCS#11 slots have been initialized in advance. See section 5.2.2 for details on slot initialization.
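The settings from section 5.2.1 and the failures listed in this section belong together, so here is an added pre-flight check (not part of the original guide) that reads cs_pkcs11_r2.cfg before the Security Manager wizard is run and reports, for each setting, the symptom from the troubleshooting table it would cause. The INI-style "Key = value" layout, the [Global] and [CryptoServer] section names, the CommandTimeout value in the samples and the check_pkcs11_cfg name are assumptions; keys are looked up across all sections for that reason.

```python
import configparser
import re

# Constructed sample of cs_pkcs11_r2.cfg with the defaults named in section
# 5.2.1 (KeepAlive false, SlotCount 10). Section names and the CommandTimeout
# value are assumptions about the real file.
SAMPLE_CFG_BEFORE = """\
[Global]
Logging = 1
KeepAlive = false

[CryptoServer]
Device = 192.168.0.42
CommandTimeout = 60000
SlotCount = 10
"""

# The same file after the edits of section 5.2.1 for a single PCIe device.
SAMPLE_CFG_AFTER = """\
[Global]
Logging = 1
KeepAlive = true

[CryptoServer]
Device = PCI:0
CommandTimeout = 60000
SlotCount = 1
"""

DEVICE_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
DEVICE_PCI = re.compile(r"^PCI:\d+$")


def load_cfg(text):
    """Flatten the file into a lower-cased key -> value dict, ignoring sections."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    flat = {}
    for section in parser.sections():
        for key, value in parser.items(section):
            flat[key.lower()] = value.strip()
    return flat


def check_pkcs11_cfg(text, initialized_slots):
    """Return findings; each names the failure from section 6 the setting would cause."""
    cfg = load_cfg(text)
    findings = []

    # Device must be one of the two specifiers named in section 5.2.1.
    device = cfg.get("device", "")
    if not (DEVICE_IPV4.match(device) or DEVICE_PCI.match(device)):
        findings.append(f"Device={device!r} is neither an IP address nor PCI:<n> (section 5.2.1)")

    # KeepAlive false lets the session expire after 15 minutes idle.
    if cfg.get("keepalive", "false").lower() != "true":
        findings.append("KeepAlive is not true: the session expires after 15 minutes idle and the "
                        "log shows 'CKR_USER_NOT_LOGGED_IN - secure messaging session expired'")

    # Every slot made visible by SlotCount has to be initialized with p11tool2.
    try:
        slot_count = int(cfg.get("slotcount", "10"))
    except ValueError:
        slot_count = 0
    if slot_count < 1:
        findings.append("SlotCount must be a positive integer")
    elif slot_count > initialized_slots:
        findings.append(f"SlotCount={slot_count} but only {initialized_slots} slot(s) initialized: "
                        "uninitialized visible slots cause 'Database integrity check failed "
                        "(Errorcode: -07855)'; initialize them with p11tool2 (section 5.2.2)")

    # CommandTimeout, when present, is a number of milliseconds.
    if "commandtimeout" in cfg:
        try:
            timeout = int(cfg["commandtimeout"])
        except ValueError:
            timeout = 0
        if timeout <= 0:
            findings.append("CommandTimeout must be a positive number of milliseconds")
    return findings
```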

7 Further Information

This document forms a part of the information and support that is provided by Utimaco IS GmbH. Additional documentation can be found on the product CD in the documentation directory. All CryptoServer product documentation is also available at the Utimaco IS GmbH website: http://hsm.utimaco.com

References

[1] CryptoServer - Administration Manual, Utimaco IS GmbH, Document Version 2.7.5, Date 2017-11-20.
[2] CryptoServer - PKCS#11 R2 Developer Guide, Utimaco IS GmbH, Document Version 1.2.5, Date 2017-10-26.
[3] CryptoServer LAN - Quick Start Guide, Utimaco IS GmbH, Version 1.2.4.
[4] CryptoServer PCIe - Quick Start Guide, Utimaco IS GmbH, Version 1.1.2.
[5] CryptoServer LAN V4 - Operating Manual, Utimaco IS GmbH, Document Version 1.3.0, Date 2017-11-06.
[6] CryptoServer PCIe - Se-Series Gen2 - Operating Manual, Utimaco IS GmbH, Document Version 1.1.1, Date 2017-11-13.
[7] CryptoServer PKCS#11 p11tool2 - Reference Manual, Utimaco IS GmbH, Document Version 1.4.1, Date 2017-10-02.
[8] Entrust Authority Security Manager 8.1 SP1 - Installation Guide, Entrust Datacard, Document issue 14.0, Date of issue: October 2016.
[9] Entrust Authority Security Manager 8.1 SP1 - Directory Configuration Guide, Entrust Datacard, Document issue 11.0, Date of issue: September 2017.
[10] Entrust Authority Security Manager 8.1 SP1 - Operations Guide, Entrust Datacard, Document issue 20.0, Date of issue: January 2017.
[11] Entrust Authority Security Manager Administration 8.1 SP1 - User Guide, Entrust Datacard, Document issue 3.0, Date of issue: June 2012.

Appendices

In order to allow a quick start when setting up an Entrust Authority Security Manager 8.1 SP1 evaluation environment on Windows Server 2012 R2 Standard, instructions are provided in the following appendices for:

1. Setting up a Domain Controller.
2. Configuring Security Manager accordingly.

Note that these instructions are provided for reference purposes only and are in no way meant to replace the installation guides provided by Entrust Datacard. It is assumed that Microsoft Windows Server 2012 R2 Standard has been prepared on two different machines. One machine will act as the Domain Controller (on which Active Directory Domain Services (AD DS) will be installed) and the other as the Security Manager.

LDAP (Lightweight Directory Access Protocol) compliant directory service
Security Manager requires an LDAP compliant directory to store Certification Authority (CA) certificates, certificate revocation lists (CRLs), and user information. These appendices describe the use of Entrust Authority Security Manager 8.1 SP1 with AD DS, but you may use any supported directory that is listed on Entrust Datacard TrustedCare (https://trustedcare.entrustdatacard.com) in the Entrust Authority Security Manager documentation.

A Procedures on the Domain Controller

To integrate the CryptoServer with Entrust Authority Security Manager, complete the following steps on the server that will act as the domain controller, before installing, configuring and initializing Security Manager:

1. Install Microsoft Active Directory Domain Services
2. Configure Microsoft Active Directory Domain Services
3. Install and Configure Microsoft Active Directory Lightweight Directory Services

A.1 Installing Microsoft Active Directory Domain Services

Install Microsoft Windows Server Active Directory Domain Services (AD DS) and perform the necessary post-deployment configuration required to promote the server to a domain controller. The installation itself and the domain name system (DNS) setup are beyond the scope of this integration guide. For more detailed information on these specific topics, please refer to the Microsoft Developer Network (MSDN).

Note: The domain name used in the examples is utimaco.com.

A.2 Configuring Microsoft Active Directory Domain Services

A detailed description of how to configure Microsoft Active Directory Domain Services for Entrust Authority Security Manager is provided in the Entrust Authority Security Manager 8.1 SP1 - Directory Configuration Guide [9], chapter Configuring Microsoft Active Directory Domain Services. Use the wizard provided by Entrust, which is part of the Security Manager Utilities download package, to configure the Active Directory schema for your environment. After configuring Active Directory, add the Security Manager domain accounts created by the wizard to the domain administrators group. Instructions are provided in the aforementioned chapter.

A.3 Installing and Configuring Microsoft Active Directory Lightweight Directory Services

A detailed description of how to install and configure Microsoft Active Directory Lightweight Directory Services (AD LDS) for Entrust Authority Security Manager is provided in the Entrust Authority Security Manager 8.1 SP1 - Directory Configuration Guide [9], chapter Configuring Microsoft Active Directory Lightweight Directory Services. This section therefore only highlights the strictly necessary steps. Follow the steps provided in the documentation for:

1. Installing and configuring AD LDS
2. Adding the Security Manager Schema
3. Configuring a CA entry
4. Assigning permissions for clients to read CA data
5. Adding a Directory Administrator

A.3.1 Installing and configuring AD LDS

1. To install AD LDS start the Server Manager, select the role AD LDS and click on the link to create an AD LDS instance.
2. Check unique instance and click Next.
3. Provide a name for the instance and click Next.
4. Since Active Directory Domain Services is installed and also uses LDAP, the default LDAP port 389 is already taken, so keep the suggested ports 50000 and 50001 and click Next.
5. Now check the option to create an application directory partition and provide a distinguished name for the new partition as shown in the figure below:

6. Keep the settings for the location of the AD LDS files and click Next.
7. Keep Network service account for the AD LDS permissions and click Next.
8. Now select the Administrators group that will have the administrative permissions for this AD LDS instance as shown in the figure below, and click Next. Remember that the user AdminSecManager, who installs and configures Entrust Authority Security Manager later, is a member of the group.

9. Check the file MS-User.LDF to import and click Next until the AD LDS instance is installed, then click Finish.

A.3.2 Add the Security Manager Schema

Before a CA entry can be configured for the Security Manager, we need to add a custom LDAP schema, which is provided by Entrust for this purpose.

1. Make sure the logged in user is a member of the following groups: Domain Users, Domain Admins and Schema Admins.
2. Download the file SM_ADLDS_schema.ldf (https://trustedcare.entrustdatacard.com).
3. Adjust the file in the following way: substitute the entry CD=X with the distinguished name of the partition cn=part,dc=utimaco,dc=com, which we specified in chapter A.3.1, then save and close the file.
4. Start the command line shell, navigate to c:\windows\system32 and run the following command to load the schema:

Console
ldifde -i -f SM_ADLDS_schema.ldf -s localhost:50000 -k -c cn=schema,cn=configuration,cn=part,dc=utimaco,dc=com #schemanamingcontext

A.3.3 Create and Configure a New CA Entry

The new CA entry enables the storage of CA information for the Entrust Authority Security Manager Certification Authority.

1. First open the ADSI Editor at Start > Administrative Tools > ADSI Edit.
2. Select Action > Connect to and type in the connection parameters as shown in the figure below:

3. Select the partition directory and create a new object of the class entrustca (Action > New > Object) as shown in the figure below. This object class only appears if the import of the Entrust schema was successful.
4. Name the object ca, click Next and Finish.
5. Now select the new object and click More Actions > Reset password to set a new password for the CA entry. Security Manager later uses this DN and password for a simple bind to the directory (see chapter B), so choose a strong password.

6. To enable the CA entry, click More Actions > Properties, set the attribute msDS-UserAccountDisabled to false and apply the settings.
7. To assign permissions for the CA entry, navigate to c:\windows\system32 in the command line shell and run the following commands. They grant the CA entry full control (GA, generic all) over itself and over the whole partition, inherited by all child objects (/I:T), plus list contents (LC) on the partition:

   Console
   dsacls \\localhost:50000\cn=ca,cn=part,dc=utimaco,dc=com /I:T /G cn=ca,cn=part,dc=utimaco,dc=com:ga
   dsacls \\localhost:50000\cn=part,dc=utimaco,dc=com /I:T /G cn=ca,cn=part,dc=utimaco,dc=com:lc
   dsacls \\localhost:50000\cn=part,dc=utimaco,dc=com /I:T /G cn=ca,cn=part,dc=utimaco,dc=com:ga

A.3.4 Assigning permissions for clients to read CA data

By default, no entities can read information from AD LDS, except the administrator that installed AD LDS. To allow other entities to read information from the CA's partition, assign users or groups to the Readers role of the AD LDS partition.

Grant Anonymous Clients Access to the Partition

In order to log on to Security Manager Administration, the CRL has to be checked successfully. This is one example where anonymous access to the partition is required. Note that the following steps make the contents of the partition (the CA entry and any entries Security Manager creates in it) readable by anyone who can reach port 50000 of the server, so network access to that port should be limited to the intended clients. Complete the following steps:

1. Open the ADSI Editor at Start > Administrative Tools > ADSI Edit.
2. Select Action > Connect to and type the connection parameters as shown in the figure below (this time the well-known Naming Context Configuration is selected):

3. Now expand the configuration options in the following order: CN=Configuration > CN=Services > CN=Windows NT > CN=Directory Service. Click Actions > Properties on the right and change the value of dSHeuristics to 0000002 as shown in the figure below. The seventh character of dSHeuristics controls anonymous LDAP operations: the default 0 only allows anonymous reads of the rootDSE, while 2 permits anonymous operations. This setting applies to the whole AD LDS instance, not only to this partition.
4. Expand the directory partition connection that you created earlier. See step 2 in chapter A.3.3.
5. Select CN=Roles > CN=Readers and click Action > Properties on the right.

6. Select the attribute member, click Edit and add the value <SID=S-1-5-7> as shown in the figure below. You will receive an Invalid Format error, which you can ignore. This well-known security identifier (SID) is ANONYMOUS LOGON, the identity under which Windows treats unauthenticated LDAP clients.
7. Refresh the CN=Roles branch and verify that the SID was added correctly by viewing the member property. There should be ANONYMOUS LOGON in the list now, and it should look like the figure below:

Assigning permissions for clients to read CA data

1. To allow domain users to read AD LDS data, select CN=Roles > CN=Readers in the partition directory, then click More Actions > Properties.
2. Select the attribute member, click Edit, add the Windows group account Domain Users and confirm the settings.

A.3.5 Adding a Directory Administrator

Entrust Authority Security Manager requires a user entry for a Directory Administrator in order to be able to add, modify, and delete directory entries.

1. Now we need to add AdminSecManager as directory administrator. For this purpose create a new user in the directory partition (Action > New > Object and select user) with the value AdminSecManager and click Finish.
2. Assign a password for the administrator entry (More Actions > Reset Password) and enter a new password.
3. To enable the administrator entry, click More Actions > Properties, set the attribute msDS-UserAccountDisabled to false and apply the settings.
4. Now select CN=Roles > CN=Administrators in the partition directory, then click More Actions > Properties.
5. Select the attribute member, click Edit and add the distinguished name of the new entry, cn=AdminSecManager,cn=part,dc=utimaco,dc=com.
6. Additionally, add the Windows domain account AdminSecManager (the account that installs Security Manager, see chapter A.3.1, step 8) as a member and confirm the settings.
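The directory preparation of chapters A.3.2 to A.3.5 can also be scripted instead of clicked through in ADSI Edit. The following PowerShell script is an added example and is not part of the Utimaco guide or of Entrust's own tooling. It assumes the AD LDS instance from chapter A.3.1 on localhost:50000, the RSAT ActiveDirectory module with Active Directory Web Services serving that instance, an elevated session run by a member of the instance's Administrators group, the schema file in the current directory, and the partition and account names used in this guide. It differs from the manual procedure in one point: the LDIF file is not edited, because the ldifde -c option can map the placeholder schema DN (assumed to be CN=Schema,CN=Configuration,DC=X, as step 3 of chapter A.3.2 implies) directly to the instance's schema naming context.

```powershell
# Added example, not from the Utimaco guide or Entrust: scripts chapters A.3.2 to A.3.5.
# Assumptions: AD LDS on localhost:50000 served by ADWS, RSAT ActiveDirectory module,
# elevated session of an instance administrator, SM_ADLDS_schema.ldf in the current
# directory, names as used in this guide.
#Requires -Modules ActiveDirectory
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

$Server    = 'localhost:50000'
$Partition = 'cn=part,dc=utimaco,dc=com'
$CaDn      = "cn=ca,$Partition"
$AdminDn   = "cn=AdminSecManager,$Partition"
$CaPassword    = Read-Host -AsSecureString -Prompt 'Password for the CA entry'
$AdminPassword = Read-Host -AsSecureString -Prompt 'Password for the Directory Administrator'

# A.3.2: import the Entrust schema. The placeholder schema DN in the LDIF (assumed:
# CN=Schema,CN=Configuration,DC=X) is rewritten by ldifde to the real schema naming
# context. "#schemaNamingContext" must be quoted, otherwise PowerShell reads it as a comment.
ldifde -i -f SM_ADLDS_schema.ldf -s $Server -k -c 'CN=Schema,CN=Configuration,DC=X' '#schemaNamingContext'
if ($LASTEXITCODE -ne 0) { throw "ldifde failed with exit code $LASTEXITCODE" }

# A.3.3: CA entry of the Entrust object class, password, enable, permissions.
New-ADObject -Server $Server -Name 'ca' -Type 'entrustca' -Path $Partition
Set-ADAccountPassword -Server $Server -Identity $CaDn -Reset -NewPassword $CaPassword
Set-ADObject -Server $Server -Identity $CaDn -Replace @{ 'msDS-UserAccountDisabled' = $false }
# GA = generic all (full control), LC = list contents, /I:T = this object and all children
dsacls "\\$Server\$CaDn"      /I:T /G "${CaDn}:GA"
dsacls "\\$Server\$Partition" /I:T /G "${CaDn}:LC"
dsacls "\\$Server\$Partition" /I:T /G "${CaDn}:GA"

# A.3.4: permit anonymous LDAP operations instance-wide (7th character of dSHeuristics = 2)
# and add ANONYMOUS LOGON (S-1-5-7) and Domain Users to the partition's Readers role.
# AD LDS accepts the <SID=...> form as member value for Windows principals and creates
# the matching foreignSecurityPrincipal itself.
$ConfigNc = (Get-ADRootDSE -Server $Server).configurationNamingContext
Set-ADObject -Server $Server -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$ConfigNc" `
    -Replace @{ dSHeuristics = '0000002' }
$DomainUsersSid = (Get-ADGroup -Identity 'Domain Users').SID.Value   # looked up in AD DS, not in the instance
Set-ADObject -Server $Server -Identity "CN=Readers,CN=Roles,$Partition" `
    -Add @{ member = @('<SID=S-1-5-7>', "<SID=$DomainUsersSid>") }

# A.3.5: Directory Administrator entry plus the Windows account that installs
# Security Manager, both members of the partition's Administrators role.
New-ADObject -Server $Server -Name 'AdminSecManager' -Type 'user' -Path $Partition
Set-ADAccountPassword -Server $Server -Identity $AdminDn -Reset -NewPassword $AdminPassword
Set-ADObject -Server $Server -Identity $AdminDn -Replace @{ 'msDS-UserAccountDisabled' = $false }
$WinAdminSid = (Get-ADUser -Identity 'AdminSecManager').SID.Value
Set-ADObject -Server $Server -Identity "CN=Administrators,CN=Roles,$Partition" `
    -Add @{ member = @($AdminDn, "<SID=$WinAdminSid>") }

# Read back the role memberships so the result can be compared with the guide's figures.
foreach ($Role in 'Readers', 'Administrators') {
    "--- CN=$Role members ---"
    Get-ADObject -Server $Server -Identity "CN=$Role,CN=Roles,$Partition" -Properties member |
        Select-Object -ExpandProperty member
}
```

The script stops at the first failing step because of $ErrorActionPreference = 'Stop', so a failed schema import (for example, a wrong placeholder DN in the -c option) is not followed by an attempt to create an entrustca object, which would fail anyway because the class would not exist. If the Entrust LDIF file uses a different placeholder than DC=X, adjust the -c argument accordingly.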

B Procedures on the Security Manager Server

During the configuration and initialization of Security Manager, see chapter 5.6, the following directory-specific configuration steps have to be performed for Active Directory Lightweight Directory Services (AD LDS):

1. Start the Security Manager Configuration application and follow the instructions in the Entrust Authority Security Manager 8.1 SP1 - Installation Guide, chapter Configuring Security Manager, until the Directory Node and Port page appears.
2. Select Microsoft AD LDS/ADAM as directory type, enter the DNS node name or IP address of the server hosting AD LDS and the port that AD LDS listens on for requests (50000, as configured during the installation of the AD LDS instance in chapter A.3.1), and click Next.
3. On the next page enter the CA Distinguished Name (cn=ca,cn=part,dc=utimaco,dc=com) and the password for simple authentication, both configured during the configuration of the CA entry in chapter A.3.3. Click Test Bind Information and click Next if the test succeeds. Note that a simple bind on the plain LDAP port 50000 sends the password in clear text, so this connection should stay on the AD LDS host itself or on a protected network segment.

4. Now enter the Directory Administrator DN (cn=AdminSecManager,cn=part,dc=utimaco,dc=com) and the password, which were created during the configuration of the Directory Administrator in chapter A.3.5. Click Test Bind Information and click Next if the test succeeds.
5. Keep the default values for the First Officer and click Next.
6. Make sure that the verification of directory information succeeds and click Next. If the verification does not succeed, check the configuration of the CA entry (chapter A.3.3) and the read permissions assigned in chapter A.3.4.

7. Provide the password of the current user on the next page, check Enable autologin for automatic service startup and click Next.
8. Select EASM_Entrust_PostgreSQL as ODBC Data Source and provide the required passwords for the database, which were set during the database installation.
9. Select No, do not work with Microsoft Windows applications when asked whether you want to make your published Certificate Revocation Lists (CRLs) compatible for use with Microsoft Windows client applications.
10. Keep the settings on the Security Manager Port Configuration page and click Next.
11. Proceed with the CryptoServer configuration as described in detail in chapter 5.6.
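The two Test Bind Information checks of steps 3 and 4 and the anonymous CRL read that Security Manager Administration depends on (chapter A.3.4) can be reproduced outside the wizard, which helps when the verification in step 6 fails. The following PowerShell script is an added example and is not part of the Utimaco guide or of Entrust's software. It uses the .NET LDAP client (System.DirectoryServices.Protocols) and assumes the host, port and DNs of this guide; it also assumes that the CRL is published in the standard certificateRevocationList attribute of the CA entry, which is only reported, not required, by the check.

```powershell
# Added example, not from the Utimaco guide or Entrust: simple binds as the CA entry and
# the Directory Administrator (what "Test Bind Information" does) and an anonymous read
# of the CA entry. Assumes localhost:50000 and the DNs of this guide; the attribute
# certificateRevocationList is an assumption about where the CRL is published.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$LdapHost = 'localhost'
$LdapPort = 50000
$CaDn     = 'cn=ca,cn=part,dc=utimaco,dc=com'
$AdminDn  = 'cn=AdminSecManager,cn=part,dc=utimaco,dc=com'

function New-LdapConnection {
    param([string]$Server, [int]$Port, [switch]$UseSsl)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.SecureSocketLayer = [bool]$UseSsl
    return $conn
}

# Simple bind with DN and password, as the wizard's Test Bind Information button does.
# Without -UseSsl the password crosses the wire unprotected; use -UseSsl with the
# instance's SSL port (50001) once a server certificate is installed for the instance.
function Test-LdapSimpleBind {
    param([string]$Server, [int]$Port, [string]$BindDn, [string]$Password, [switch]$UseSsl)
    $conn = New-LdapConnection -Server $Server -Port $Port -UseSsl:$UseSsl
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    try {
        $conn.Bind((New-Object System.Net.NetworkCredential($BindDn, $Password)))
        return $true
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # Typical causes: wrong password, entry still disabled (msDS-UserAccountDisabled), wrong DN
        Write-Warning "Bind as $BindDn failed: $($_.Exception.Message)"
        return $false
    } finally { $conn.Dispose() }
}

# Anonymous base-scope search of the CA entry. This only succeeds if dSHeuristics allows
# anonymous operations and ANONYMOUS LOGON is a member of the partition's Readers role.
function Get-AnonymousCaEntry {
    param([string]$Server, [int]$Port, [string]$Dn)
    $conn = New-LdapConnection -Server $Server -Port $Port
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
    try {
        $conn.Bind()
        $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
                   $Dn, '(objectClass=*)',
                   [System.DirectoryServices.Protocols.SearchScope]::Base,
                   @('objectClass', 'certificateRevocationList'))
        $resp = $conn.SendRequest($req)
        if ($resp.Entries.Count -eq 0) { return $null }
        $entry  = $resp.Entries[0]
        $hasCrl = $entry.Attributes.Contains('certificateRevocationList')
        $crlLen = 0
        if ($hasCrl) { $crlLen = $entry.Attributes['certificateRevocationList'][0].Length }
        [pscustomobject]@{ Dn = $entry.DistinguishedName; HasCrl = $hasCrl; CrlBytes = $crlLen }
    } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        # noSuchObject or insufficientAccessRights here points at the Readers role / dSHeuristics setup
        Write-Warning "Anonymous read of $Dn failed: $($_.Exception.Message)"
        return $null
    } finally { $conn.Dispose() }
}

$caPw    = Read-Host -Prompt 'CA entry password'
$adminPw = Read-Host -Prompt 'Directory Administrator password'
"CA bind OK:    $(Test-LdapSimpleBind $LdapHost $LdapPort $CaDn $caPw)"
"Admin bind OK: $(Test-LdapSimpleBind $LdapHost $LdapPort $AdminDn $adminPw)"
Get-AnonymousCaEntry $LdapHost $LdapPort $CaDn | Format-List
```

A CA entry that binds but is not readable anonymously, or an anonymous read that returns the entry before Security Manager has been initialized (HasCrl false, because no CRL has been published yet), are the two outcomes worth distinguishing when the wizard's directory verification fails: the first points at chapter A.3.4, the second is expected until the CA has published its first CRL.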



Contact

Utimaco IS GmbH
Germanusstraße 4
D - 52080 Aachen
Germany

phone  +49 241 1696-200
fax    +49 241 1696-199
web    https://hsm.utimaco.com
email  support-cs@utimaco.com