Using nCipher with OpenSSL on Windows

I installed a Net HSM and a Windows Server 2008 R2 machine, and wanted to achieve two goals:

(1) Enroll the Windows client with the Net HSM

(2) Use the HSM from OpenSSL and from MSCAPI at the same time

Update: I am using Windows 7 Enterprise for the client, using version 11.11 of the nCipher tools on both machines.

Part I : Enrolling a Net HSM

This part is straightforward: give the client's nFast Server (the hardserver service) the IP address of the Net HSM, so that it connects to that remote module instead of looking for a local one. Below, CLIENT is the name of the client machine and SERVER is the Net HSM installed on the network.

  • 1. Enroll the SERVER on the CLIENT (replace IP with the IPv4 address of the SERVER):

nethsmenroll.exe -p -V [IP]

  • 2. Register SERVER as the RFS to sync from (this assumes the RFS is already set up on SERVER):

rfs-sync.exe --setup --no-authenticate [IP]

  • 3. Sync the Security World files down to the client:

rfs-sync.exe -U

  • 4. Success! You should now be able to run nfkminfo.exe and enquiry.exe without errors.

Useful Hints

  • I usually restart the "nFast Server" service after every step that changes the configuration; the hardserver reads its configuration at start-up.
  • Make the directory containing the config and keys fully controllable by your normal/power user. On Windows 7 this directory is C:\ProgramData\nCipher.
  • On Windows Server 2008 R2 the keys and containers are created without the proper permissions, so running icacls *.* /reset in the KMDATA\local directory works wonders.
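The whole of Part I, as an added PowerShell example that is not part of the original post: it runs the three enrolment steps on CLIENT, restarts the hardserver after each configuration change as the hints recommend, applies the icacls reset, and refuses to continue if any tool exits non-zero. It assumes (the page does not say) that the Windows service display name is "nFast Server", that NFAST_HOME defaults to C:\nCipher\nfast and that the installer sets NFAST_KMDATA; the IP address is a parameter you supply. Run it from an elevated PowerShell; nethsmenroll -V asks you to confirm the Net HSM's ESN and key hash, so the script is interactive.

```powershell
# Added example (not from the original post): Part I enrolment of CLIENT with a Net HSM.
# Assumptions not stated on the page: service display name "nFast Server",
# NFAST_HOME defaults to C:\nCipher\nfast, NFAST_KMDATA is set by the installer.
param(
    [Parameter(Mandatory = $true)][string] $NetHsmIp,   # IPv4 address of SERVER
    [string] $NfastHome = $(if ($env:NFAST_HOME) { $env:NFAST_HOME } else { 'C:\nCipher\nfast' })
)
$ErrorActionPreference = 'Stop'
$bin = Join-Path $NfastHome 'bin'

# Run one nCipher tool from NFAST_HOME\bin and stop on a non-zero exit code,
# so a failed enrolment does not get papered over by a later "successful" step.
function Invoke-NfastTool([string] $Exe, [string[]] $ArgList) {
    $path = Join-Path $bin $Exe
    if (-not (Test-Path $path)) { throw "$path not found; is NFAST_HOME correct?" }
    & $path @ArgList
    if ($LASTEXITCODE -ne 0) { throw "$Exe $ArgList exited with code $LASTEXITCODE" }
}

# The hardserver only re-reads its configuration when it starts.
function Restart-Hardserver {
    Restart-Service -DisplayName 'nFast Server'
    Start-Sleep -Seconds 3
}

# Step 1: enrol SERVER over a privileged connection; -V makes nethsmenroll show
# the module's ESN and key hash and wait for you to confirm them.
Invoke-NfastTool 'nethsmenroll.exe' @('-p', '-V', $NetHsmIp)
Restart-Hardserver

# Step 2: register SERVER as the RFS to sync from (the RFS must already exist there).
Invoke-NfastTool 'rfs-sync.exe' @('--setup', '--no-authenticate', $NetHsmIp)
Restart-Hardserver

# Step 3: pull the Security World data down to this client.
Invoke-NfastTool 'rfs-sync.exe' @('-U')

# Hint from the post: on Server 2008 R2 the synced key files arrive with bad ACLs.
if ($env:NFAST_KMDATA) {
    $local = Join-Path $env:NFAST_KMDATA 'local'
    if (Test-Path $local) { icacls (Join-Path $local '*.*') /reset }
}

# Step 4: both tools must exit cleanly before the client is usable.
Invoke-NfastTool 'enquiry.exe'  @()   # hardserver can see the module
Invoke-NfastTool 'nfkminfo.exe' @()   # Security World data is present and readable
Write-Host 'Enrolment complete: module visible and Security World synced.'
```

The restart between steps is the part that is easy to forget when typing the commands by hand: if rfs-sync --setup is run before the hardserver has picked up the new module, the later sync can succeed while enquiry.exe still reports no module.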


Part II: Using nCipher with OpenSSL


I used Andrea Campi's great blog post as a starting point for this, so some of the credit goes to him.

The few differences I found are subtle but important.

  • 1. Set up some environment variables (these are the values for a default install under C:\nCipher\nfast):

LD_LIBRARY_PATH=c:\nCipher\nfast\toolkits\hwcrhk
LIBPATH=c:\nCipher\nfast\toolkits\hwcrhk
OPENSSL_CONF=c:\nCipher\nfast\lib\ssleay\openssl.cnf

  • LD_LIBRARY_PATH and LIBPATH are Unix loader variables; the Windows DLL loader does not consult them, so setting them is harmless but does nothing here. The variable that matters on Windows is OPENSSL_CONF, which tells openssl.exe where to find the engine configuration used in step 2.

  • 2. nCipher provides an OpenSSL config file that is almost ready to use, but depending on where you installed the software its engine section may point at a DLL path that does not exist. The file path is

%NFAST_HOME%\lib\ssleay\openssl.cnf

  • The setting to verify is the engine's SO_PATH, which must point at the DLL that actually exists on your machine:

[chil_section]
SO_PATH=c:\nCipher\nfast\toolkits\hwcrhk\nfhwcrhk.dll

  • 3. I highly recommend setting up the PATH variable so that the nCipher-provided build of OpenSSL is the one that runs, rather than any other openssl.exe on the machine. This version is located in

%NFAST_HOME%\bin

  • I did this by prepending it to my own PATH variable:

SET PATH=C:\nCipher\nfast\bin;%PATH%

  • To verify that the nCipher build is the one on PATH, run

openssl.exe version

OpenSSL 0.9.8e 23 Feb 2007

  • 4. Now you can verify that the CHIL engine is working

openssl.exe engine -t chil

(chil) CHIL hardware engine support

[ available ]

  • 5. Congratulations! You are DONE!
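The whole of Part II, as an added PowerShell example that is not part of the original post or of nCipher's tooling: it checks the SO_PATH in the shipped openssl.cnf, rewrites it (after taking a backup) only if the DLL it names is missing, sets OPENSSL_CONF and PATH for the current session, confirms which openssl.exe actually resolves, and then requires `engine -t chil` to report `[ available ]` rather than merely printing something. It assumes NFAST_HOME is C:\nCipher\nfast unless overridden; the `[chil_section]` name and SO_PATH key are the ones shown on the page.

```powershell
# Added example (not from the original post): Part II, making the nCipher OpenSSL
# build and its CHIL engine the ones used in this session, failing loudly on the
# three things that usually go wrong (bad SO_PATH, wrong openssl.exe, engine unavailable).
# Assumption: NFAST_HOME is C:\nCipher\nfast unless NFAST_HOME/-NfastHome says otherwise.
param([string] $NfastHome = $(if ($env:NFAST_HOME) { $env:NFAST_HOME } else { 'C:\nCipher\nfast' }))
$ErrorActionPreference = 'Stop'

$cnf = Join-Path $NfastHome 'lib\ssleay\openssl.cnf'
$dll = Join-Path $NfastHome 'toolkits\hwcrhk\nfhwcrhk.dll'
if (-not (Test-Path $cnf)) { throw "Config not found: $cnf" }
if (-not (Test-Path $dll)) { throw "CHIL engine DLL not found: $dll" }

# Step 2: the shipped openssl.cnf may carry an SO_PATH for a different install
# location. Read it and, only if the DLL it names is missing, point it at ours.
$match = Select-String -Path $cnf -Pattern '^\s*SO_PATH\s*=\s*(\S.*?)\s*$' | Select-Object -First 1
if (-not $match) { throw "No SO_PATH line in $cnf; add one under [chil_section]" }
$soPath = $match.Matches[0].Groups[1].Value
if (-not (Test-Path $soPath)) {
    Write-Warning "SO_PATH '$soPath' does not exist; rewriting it to $dll"
    Copy-Item $cnf "$cnf.bak"
    (Get-Content $cnf) -replace '^(\s*SO_PATH\s*=\s*).*$', ('${1}' + $dll) | Set-Content $cnf
}

# Steps 1 and 3: environment for this session. The Windows loader ignores
# LD_LIBRARY_PATH/LIBPATH; OPENSSL_CONF and PATH order are what matter.
$env:OPENSSL_CONF = $cnf
$env:PATH = (Join-Path $NfastHome 'bin') + ';' + $env:PATH

# Check which openssl.exe actually resolves, not just what "version" prints.
$resolved = (Get-Command openssl.exe).Path
if ($resolved -notlike (Join-Path $NfastHome 'bin\*')) {
    throw "openssl.exe resolved to $resolved, not the nCipher build"
}
Write-Host (& openssl.exe version)

# Step 4: load and test the engine. Only "[ available ]" counts as success; an
# "[ unavailable ]" result usually means SO_PATH is wrong or the hardserver is down.
$engineOut = (& openssl.exe engine -t chil 2>&1) | Out-String
if ($engineOut -notmatch '\[ available \]') { throw "CHIL engine failed to load:`n$engineOut" }
Write-Host $engineOut
```

The resolution check matters because `openssl.exe version` printing 0.9.8e does not by itself prove the nCipher build is being used; comparing the resolved path against %NFAST_HOME%\bin does.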