Microsoft Host Guardian Service and Shielded Virtual Machines: nShield HSM Integration Guide
Table of Contents
- Introduction
-
Procedures
- Install and configure the nshield Security World software and nshield HSM
- Install and register the nshield CNG
- Install the Host Guardian Service in a new forest
- Generate certificates
- Initialize the Host Guardian Service
- Configure the Guarded Host
- Configure attestation on the Guardian Server
- Configure attestation on the Guarded Host
- Troubleshooting
- Remote Administration
Introduction
The Entrust nshield HSMs secure keys that encrypt and sign the protected VMs. The keys are stored in an encrypted state on the Host Guardian Server (HGS).
The Guarded Host provides a trusted server and environment in which to create and run the Shielded VMs. The HGS attests the trustworthiness of a particular Guarded Host before releasing the relevant protection key used to unlock (decrypt), the virtual machine.
The HGS only releases the decryption key for the Shielded VM when it is satisfied that the condition of the VM matches a known clean state and that the VM has not been tampered with. This is achieved by providing evidence to attest to the VM’s integrity via a certificate that is also provided by the HGS.
Attestation process for running Shielded VMs on a Hyper-V Guarded Host:
-
The Guarded Host requests a key to allow it to run the Shielded VM.
-
The HGS receives the request but does not trust that the request comes from a legitimate host.
-
The Guarded Host sends its declaration of health information, a known state conferred upon the host by the HGS in the initial set-up of the Hyper-V host.
-
The HGS responds with a certificate of health to the host.
-
The host makes another request, which includes the certificate to the HGS.
-
The HGS returns the encrypted key to the virtualized security area of the Guarded Host, allowing the VM to run.
Product configurations
Entrust has successfully tested nshield HSM integration with Windows Hyper-V feature in the following configurations:
Product | Version |
---|---|
Guardian Server Base OS |
Windows Server 2019 Datacenter |
Guarded Host Base OS |
Windows Server 2019 Datacenter |
Supported nshield features
Entrust has successfully tested nshield HSM integration with the following features:
Feature | Support |
---|---|
Operator Card Set (OCS) |
Yes |
Softcard Protection |
Yes |
Module |
Yes |
Supported nshield hardware and software versions
Entrust has successfully tested with the following nshield hardware and software versions:
Product | Security World Software | Firmware | Image | OCS | Softcard | Module |
---|---|---|---|---|---|---|
Connect XC |
12.80.4 |
FIPS 12.50.11 |
12.80.4 |
✓ |
✓ |
✓ |
Connect + |
12.80.4 |
FIPS 12.50.8 |
12.80.4 |
✓ |
✓ |
✓ |
Requirements
Familiarize yourself with the Microsoft Hyper-V and Guarded Hosts documentation and set-up process.
Before installing these products, read the associated nshield HSM Installation Guide and User Guide .
This guide assumes familiarity with the following:
-
The importance of a correct quorum for the Administrator Card Set (ACS).
-
Whether Operator Card Set (OCS) protection or Softcard protection is required.
-
If OCS protection is to be used, a 1-of-N quorum must be used.
-
Whether your Security World must comply with FIPS 140-2 Level 3 or Common Criteria standards. If using FIPS Restricted mode, it is advisable to create an OCS for FIPS authorization. The OCS can also provide key protection for the Vault master key. For information about limitations on FIPS authorization, see the Installation Guide of the nshield HSM.
-
Whether to instantiate the Security World as recoverable or not.
-
Network environment set-up, via correct firewall configuration with usable ports: 9004 for the HSM and 9005 for remote administration.
More information
For more information contact your sales representative or Entrust nshield Support, https://nshieldsupport.entrust.com .
Procedures
The following steps summarize the integration procedure.
Guardian Server:
Guarded Host:
Important
|
For this guide both the Guardian Server and Guarded Host were implemented on virtual machines. Microsoft recommends installing the Host Guardian Service role on a physical machine for security purposes. |
Note
|
The Host Guardian Service should be installed in a dedicated Active Directory forest. Ensure the Guardian Server and Guarded Host are not joined to a domain. |
Install and configure the nshield Security World software and nshield HSM
-
Install the Security World software on the Guardian Server:
-
Mount the DVD or
.iso
disc image. -
Run
setup.exe
. -
Right-click the icon and select Run as Administrator .
For detailed instructions, see the Installation Guide and the User Guide for the HSM.
-
-
Add the Security World utilities path
C:\Program Files\nCipher\nfast\bin
to the Windows system path. -
Open the firewall port 9004 for the HSM connections.
-
Install the nshield Connect HSM locally, remotely, or remotely via the serial console.
See the following nshield Support articles and the Installation Guide for the HSM:
-
Open a command window and run the following to confirm that the HSM is
operational
:>enquiry Server: enquiry reply flags none enquiry reply level Six serial number 530E-02E0-D947 7724-8509-81E3 09AF-0BE9-53AA 9E10-03E0-D947 mode operational ... Module #1: enquiry reply flags none enquiry reply level Six serial number 530E-02E0-D947 mode operational ...
-
Create your Security World if one does not already exist or copy an existing one. Follow your organization’s security policy for this. The Security World can also be created later, when configuring the CNG provider via its GUI, see Install and register the nshield CNG . Skip the next step if doing so.
-
Confirm that the Security World is
usable
:>nfkminfo World generation 2 state 0x37270008 Initialised Usable ... ... Module #1 generation 2 state 0x2 Usable ...
Install and register the nshield CNG
It is necessary to install and register the nshield Cryptography API: Next Generation (CNG) provider on the Guardian Server. This can be done using either the command line or the CNG Configuration wizard.
Before proceeding, check that no legacy providers are installed.
-
Run the command:
>cnglist.exe --list-providers Microsoft Windows [Version 10.0.14393] (c) 2016 Microsoft Corporation. All rights reserved. C:\Users\Administrator>cd %nfast_home%\bin C:\Program Files (x86)\nCipher\nfast\bin>cnglist.exe --list-providers Microsoft Key Protection Provider Microsoft Passport Key Storage Provider Microsoft Platform Crypto Provider Microsoft Primitive Provider Microsoft Smart Card Key Storage Provider Microsoft Software Key Storage Provider Microsoft SSL Protocol Provider Windows Client Key Protection Provider C:\Program Files (x86)\nCipher\nfast\bin>
-
Select the Start button to access all applications. Look for the recently installed nshield utilities.
-
Double-click the CNG Configuration wizard and run it as Administrator.
The nshield CNG Providers Configuration Wizard starts.
-
On the Welcome panel, select Next .
The Enable HSM Pool Mode panel appears.
-
If you intend to use multiple HSMs in a failover and load-sharing capacity, select Enable HSM Pool Mode for CNG Providers . If you do, you can only use module protected keys.
NoteModule protection does not provide conventional 1 or 2 factor authentication. Instead, the keys are encrypted and stored as an application key token, also referred to as a Binary Large Object (blob), in the kmdata/local
directory of the HGS server. -
Select Next .
The Initial setup panel appears:
-
Select Use the existing security world if you already have a Security World that you intend to use. The corresponding
world
andmodule_xxxx-xxxx-xxxx
files must be present in the%NFAST_KMDATA%\local
directory. Be prepared to present the quorum of Administrator cards. -
Select Create a new Security World if you do not currently have a Security World or would like to create a new Security World.
NoteFor the purposes of this guide, an existing Security World is used. For instructions on how to create and configure a new Security World, see the Installation Guide and User Guide for your HSM. -
-
Select Next .
The Set Module States panel appears.
-
Select the desired HSM among those available.
-
Select Next .
The Key Protection Setup panel appears.
-
Select the required protection method.
For the purposes of this guide, Operator Card Set is used. You can choose Module Protection or Softcard Protection instead.
-
Select Next .
The Token for Key Protection panel appears.
-
Enter the OCS name, K and N values, select Persistent , and select Usable remotely .
-
Select Next .
You must now present the cards.
-
First present the ACS to the HSM.
Then remove the ACS and insert a blank Operator Card in the HSM. On the Insert Next Card screen enter a name for the OCS and corresponding passphrase.
-
Select Next and repeat until all cards in the OCS have been presented.
-
Select Finish .
The nshield CNG providers will now be installed and the Key Storage Provider will be registered.
After this process completes, the Finished Registering the nShield CNG Providers panel appears.
-
Open a command window as Administrator and run the following command to confirm the KSP has been successfully registered:
> cnglist.exe --list-providers Microsoft Key Protection Provider Microsoft Passport Key Storage Provider Microsoft Platform Crypto Provider Microsoft Primitive Provider Microsoft Smart Card Key Storage Provider Microsoft Software Key Storage Provider Microsoft SSL Protocol Provider Windows Client Key Protection Provider nCipher Primitive Provider nCipher Security World Key Storage Provider
Look for the nCipher Security World Key Storage Provider entry.
-
Run the following from PowerShell after the Host Guardian Service has been installed:
> Show-DnsServerKeyStorageProvider Microsoft Software Key Storage Provider nCipher Security World Key Storage Provider Microsoft Passport Key Storage Provider Microsoft Platform Crypto Provider Microsoft Smart Card Key Storage Provider
-
Check that the registry also shows the nCipher Security World Key Storage Provider :
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Cryptography\Providers\nCipherSecurityWorldKeyStorageProvider
For example:
Install the Host Guardian Service in a new forest
This section describes how to install the Host Guardian Service in a new Active Directory forest:
Microsoft has documented the full process in https://technet.microsoft.com/en-us/windows-server-docs/security/guarded-fabric-shielded-vm/guarded-fabric-deploying-hgs-overview .
Add the Host Guardian Server role using the Server Manager GUI
Note
|
You can also add the Host Guardian Server role using PowerShell, see Add the Host Guardian Server role using PowerShell . |
To add the Host Guardian Server using the Server Manager GUI:
-
Open Server Manager and under Manage , select Add Roles and features .
The Add Roles and Features Wizard starts.
-
Select Next until you reach the Select destination server panel.
-
On the Select destination server panel, select the Guardian Server. For example:
-
Select Next .
The Select server roles panel appears.
-
Select Host Guardian Service .
The Add features that are required for Host Guardian Service? dialog appears.
-
In the dialog, select Add Features and select Next .
-
Select Next multiple times until the install for the Select role services panel for Web Server Role (IIS) appears.
-
Select Next to install IIS and then select Install .
After the installation completes, a server restart is required.
After the role has been added, you are prompted to continue with Post-deployment Configuration by promoting the server to a domain controller. This is shown by expanding the notification flag in the Server Manager Dashboard .
Important
|
Do not promote to domain controller at this time. The server will be promoted as part of the HGS installation process below. |
Add the Host Guardian Server role using PowerShell
Note
|
You can also add the Host Guardian Server role using the Server Manager GUI, see Add the Host Guardian Server role using the Server Manager GUI . |
To add the Host Guardian Server role using PowerShell:
-
Start PowerShell in an elevated Admin mode.
-
Run the following command:
Install-WindowsFeature -Name HostGuardianServiceRole -IncludeAllSubFeature -IncludeManagementTools -Restart
ImportantDo not promote to domain controller at this time. The server will be promoted as part of the HGS installation process below.
Install the Host Guardian Service
To install the Host Guardian Service:
-
Launch PowerShell as Administrator.
-
Run the
Install_HGS.ps1
script (below) to install the Host Guardian Service and configure its domain.$hgsDomainName = "hgs.com" $adminPassword = ConvertTo-SecureString -AsPlainText "xxxxxxxxxxx" -Force Install-HgsServer -HgsDomainName $hgsDomainName -SafeModeAdministratorPassword $adminPassword -Restart
The password you specify here will only apply to the Directory Services Repair Mode password for Active Directory. It will not change your admin account’s password.
You may provide any domain name of your choosing for
-HgsDomainName
.The server will reboot after executing the above script.
The Host Guardian Service domain is created.
Generate certificates
The following sections describe how to generate certificates:
Generate certificates using the nshield key storage provider
The HGS requires certificates and associated keys.
Keys are used for “attestation”, one of the two services that run as part of HGS, to affirm the health of the Guarded Hosts and the associated Hyper-V virtual machines.
Other keys called Transport Keys (TKs) are used for “Key Protection Service” (KPS), to unlock and run the Shielded VMs on positively attested Guarded Hosts.
Run
certutil -store my
for the certificates currently available in the machine store.
For example:
>certutil -store my
my "Personal"
CertUtil: -store command completed successfully.
Note
|
It is possible to use conventionally backed Certificates from a Certificate Authority and import these into the HSM Security World, but this is not within the scope of this document. |
The following sections generate these keys and certificates using the nshield KSP.
Generate encryption certificate
To generate an encryption certificate:
-
Launch PowerShell as Administrator.
-
Run the following script:
Generate_HGS_Encryption_SelfSigned_Certificate.ps1
.$cngProviderName = "nCipher Security World Key Storage Provider" $subjectName = "HGS Encryption Certificate" $friendlyName = "HGS_Encryption_SelfCert" # $locationName = "Cert:\CurrentUser\My" $locationName = "Cert:\LocalMachine\My" New-SelfSignedCertificate -Subject $subjectName -FriendlyName $friendlyName -CertStoreLocation $locationName -Provider $cngProviderName -KeyExportPolicy NonExportable
The nCipher Key Storage Provider - Create key wizard appears.
-
In the Create new key panel, select Next .
The Select a method to protect new key panel appears.
-
Select the Operator Card Set protection and select Next .
The Select token to protect key with panel appears.
-
Present the OCS created before and select Next .
The Choose modules you wish to load the keys onto panel appears.
-
Select the required HSM and select Add to move the HSM to the Included modules list. In this example, two HSMs are available.
-
Select Finish .
A passphrase dialog appears.
-
Enter the passphrase for the OCS and select Next .
An OCS status dialog appears.
-
Select Finish after the card reading is completed.
The final command line output will look like the following:
> .\Generate_HGS_Encryption_SelfSigned_Certificate.ps1 PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\My Thumbprint Subject ---------- ------- 751A528A88C788458A7A8347543DA58CCC1212A6 CN=HGS Encryption Certificate
Generate signing certificate
To generate a signing certificate:
-
Launch PowerShell as Administrator.
-
Run the following script:
Generate_HGS_Singning_SelfSigned_Certificate.ps1
.$cngProviderName = "nCipher Security World Key Storage Provider" $subjectName = "HGS Signing Certificate" $friendlyName = "HGS_Signing_SelfCert" # $locationName = "Cert:\CurrentUser\My" $locationName = "Cert:\LocalMachine\My" New-SelfSignedCertificate -Subject $subjectName -FriendlyName $friendlyName -CertStoreLocation $locationName -Provider $cngProviderName -KeyUsageProperty Sign -KeyExportPolicy NonExportable
-
Select the protection method, present the OCS, select the HSM, and enter the passphrase when prompted. This is similar process to the previous section.
The final command line output will look like the following:
> .\Generate_HGS_Singning_SelfSigned_Certificate.ps1 PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\My Thumbprint Subject ---------- ------- E59DFA33163C4DB47E74039249BCCBF3B857C17F CN=HGS Signing Certificate
Confirm certificates and keys
When keys are generated by the HSM:
-
The key’s blobs are stored in the
C:\ProgramData\nCipher\Key Management Data\local
directory. -
On the HGS the certificates are in the
\LocalMachine\My store
directory.
To verify that the certificates are in the correct location using PowerShell:
> Get-ChildItem Cert:\LocalMachine\My -DnsName hgs*
PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\My
Thumbprint Subject
---------- -------
E59DFA33163C4DB47E74039249BCCBF3B857C17F CN=HGS Signing Certificate
751A528A88C788458A7A8347543DA58CCC1212A6 CN=HGS Encryption Certificate
To verify the certificates via the command line, use
certutil
(see below).
Present the OCS, select the HSM, and enter the passphrase when prompted.
For example:
C:\Users\Administrator>certutil -store my
my "Personal"
================ Certificate 0 ================
Serial Number: 31c30a8d8e0246bd47f29d91d5780d7d
Issuer: CN=HGS Signing Certificate
NotBefore: 7/14/2022 9:07 AM
NotAfter: 7/14/2023 9:27 AM
Subject: CN=HGS Signing Certificate
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): e59dfa33163c4db47e74039249bccbf3b857c17f
Key Container = te-418055d2-40a0-47da-8cbf-b1c6ca224cea
Provider = nCipher Security World Key Storage Provider
Private key is NOT exportable
Signature test passed
================ Certificate 1 ================
Serial Number: 2082cc9faf4fa19742745ae548ad1055
Issuer: CN=HGS Encryption Certificate
NotBefore: 7/13/2022 5:26 PM
NotAfter: 7/13/2023 5:46 PM
Subject: CN=HGS Encryption Certificate
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): 751a528a88c788458a7a8347543da58ccc1212a6
Key Container = te-d5734830-3daa-4043-96dc-0e5519fb9199
Provider = nCipher Security World Key Storage Provider
Private key is NOT exportable
ERROR: Could not verify certificate public key against private key
CertUtil: -store command completed successfully.
Make a note of the Cert Hash(sha1) values for the signing certificate and the encryption certificate. You will use these in the next section.
Initialize the Host Guardian Service
To initialize the Host Guardian Service:
-
Launch PowerShell as Administrator.
-
Run the following script:
Initialize_HGS_Server_Trust_Host_Key.ps1
.$hgsServiceName = "HGS" $encryptionCertificateThumbprint = "751A528A88C788458A7A8347543DA58CCC1212A6" $signingCertificateThumbprint = "E59DFA33163C4DB47E74039249BCCBF3B857C17F" Initialize-HgsServer -HgsServiceName $hgsServiceName -EncryptionCertificateThumbprint $encryptionCertificateThumbprint -SigningCertificateThumbprint $signingCertificateThumbprint -TrustHostKey
In this script:
-
For
hgsServiceName
, insert a name of your choosing for the HGS node. This name will be the distributed network name of the cluster and should not be fully qualified. For example, enter HGS if you want the FQDN to be configured as HGS.<domain>.<com> . -
For
encryptionCertificateThumbprint
, insert the encryption certificate hash from Confirm certificates and keys . -
For
signingCertificateThumbprint
, insert the signing certificate hash from Confirm certificates and keys .
> .\Initialize_HGS_Server_Trust_Host_Key.ps1 WARNING: The names of some imported commands from the module 'BitLocker' include unapproved verbs that might make them less discoverable. To find the commands with unapproved verbs, run the Import-Module command again with the Verbose parameter. For a list of approved verbs, type Get-Verb. LogPath: C:\Windows\Logs\HgsServer\220714101502\HOSTGUARDIANSRV WARNING: Ensure that service account 'hgs\HGSSVC_64C43$' has read access to the private key of certificate with thumbprint '751A528A88C788458A7A8347543DA58CCC1212A6', and that that the private key is both present and accessible on all Host Guardian Service servers. WARNING: Ensure that service account 'hgs\HGSSVC_64C43$' has read access to the private key of certificate with thumbprint 'E59DFA33163C4DB47E74039249BCCBF3B857C17F', and that that the private key is both present and accessible on all Host Guardian Service servers.
-
-
Make a note of the name of the service account that is created during this process.
-
Ensure the service account created above has rights to the HSM backed keys:
-
Launch the IIS Manager and select Application Pools and note the Identity under which the KeyProtection app pool is running. For example:
-
Run the Local Machine Certificate Management Console
certlm.msc
. Locate the encryption certificate under thePersonal
folder. -
Right-click and select All tasks > manage Private keys .
-
Present the OCS, select the HSM, and enter the passphrase when prompted.
-
Add the service account above to the list of Groups and Users permitted to manage the private keys.
-
Select Add > Object Types > Service Accounts , then select OK .
-
Under Enter the object names to select , type the account name. The default is HGSSVC .
-
Select Check Names .
-
Give the service account Read access to the private keys for the certificate. To do this, select Advanced , select the user account, then select Edit . For example:
-
Repeat the process for the signing certificate.
-
Configure the Guarded Host
The Guarded Host is the host server for the Hyper-V virtual machines that will become Shielded VMs. The Guarded Host will require attestation from the HGS before its shielded VMs will be allowed to run. For the purpose of this guide, the Guarded Host was implemented on a ESXi 7.1 VM.
-
On the ESXi Hypervisor, edit VM settings.
-
On the Virtual Hardware tab, ensure that Expose hardware assisted virtualization to guess OS is selected. For example:
-
On the VM Options tab, ensure that Virtualization Based Security is enabled.
-
Ensure that the following roles are installed:
-
AD DS
-
DNS
-
AD LDS.
This is required for
netdom.exe
which is used to establish one-way trust from the HGS to the Fabric domain. -
Hyper-V.
This should include the Host Guardian support feature.
-
-
Determine the status of the required roles by selecting Add Roles and Features Server Selection > Server Roles . The installed features are selected. For example:
-
Ensure the hypervisor-protected code integrity (HVCI) is enabled, see https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity .
-
Promote the DNS server as normal if installing it for the first time.
-
Add the Host Guardian Server DNS as a conditional forwarder:
-
Open PowerShell as Administrator
-
Run the following script named
Add_DNS_Server_Conditional_Forward_Zone.ps1
.$hgsDomainName = "hgs.com" $ipAddressHGSServer = "xxx.xxx.xxx.xxx" Add-DnsServerConditionalForwarderZone -Name $hgsDomainName -ReplicationScope "Forest" -MasterServers $ipAddressHGSServer
NoteThis can also be performed from the DNS Manager GUI.
-
-
Set the Guarded Host domain to trust the Guardian Server domain:
-
Open a CLI as Administrator.
-
Run the following command:
>netdom trust guardedhost.com /domain:hgs.com /userd:hgs\Administrator /passwordd:nCipher123! /add The command completed successfully.
-
-
Generate a Guardian Host key automatically or select an existing certificate. Alternatively, you can also use a certificate generated by the nshield HSM as on the Guardian Server.
-
Open PowerShell as Administrator.
-
Run the following command:
> Set-HgsClientHostKey
-
Get the public half of the key to provide the HGS server.
You can also provide a
.cer
file that contains the public half of the key. Note that the HGS is only used to store and validate the public key. No certificate information is stored on the HGS and neither the certificate chain nor the expiration date is validated by the HGS.Open PowerShell as Administrator and run:
> Get-HgsClientHostKey -Path "C:\Users\Administrator\Documents\HostGuardianHst-HostKey.cer" Directory: C:\Users\Administrator\Documents Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 5/18/2021 3:39 PM 830 HostGuardianHst-HostKey.cer
-
Copy the listed certificate file to the Guardian Server using the method of your choice. You will add this certificate to the attestation service.
-
-
Create a new Global security group to identify the Guarded Hosts that will run the shielded VMs.
-
Open the Server Manager and select Tools >Active Directory Users and Computers .
-
Expand the domain.
-
Right-click Users , select New > Group , and enter the group name.
The security group is created. For example:
-
-
Get the Security Identifier (SID) of the security group created above.
-
Open PowerShell as Administrator.
-
Run the following command:
> Get-ADGroup "Guarded Hosts" DistinguishedName : CN=Guarded Hosts,CN=Users,DC=guardedhost,DC=com GroupCategory : Security GroupScope : Global Name : Guarded Hosts ObjectClass : group ObjectGUID : b914cb31-fe5f-4d10-be70-60bbcfa95243 SamAccountName : Guarded Hosts SID : S-1-5-21-2491135030-878028546-2245137482-1104
-
Configure attestation on the Guardian Server
Perform the following on the Guardian Server:
-
Register the global security group created in the Guarded Host with the Guardian Server as an Attestation Host Group:
-
Copy the group name and SID from the previous step.
-
Open PowerShell as Administrator and run the
Register_Security_Group_with_Guardian_Server.ps1
script.$guardedHostName = "Guarded Hosts" $SID = "S-1-5-21-2491135030-878028546-2245137482-1104" Add-HgsAttestationHostGroup -Name $guardedHostName -Identifier $SID
The command line and output look like the following:
> .\Register_Security_Group_with_Guardian_Server.ps1 WARNING: The current attestation operation mode is: "HostKey". Any "AD" mode specific changes made or content returned will not take effect until the attestation operation mode is changed to "AD". S-1-5-21-2491135030-878028546-2245137482-1104:Guarded Hosts
-
-
Confirm that the Guarded Host group was added:
> Get-HgsAttestationHostGroup WARNING: The current attestation operation mode is: "HostKey". Any "AD" mode specific changes made or content returned will not take effect until the attestation operation mode is changed to "AD". Name Identifier ---- ---------- Guarded Hosts S-1-5-21-2491135030-878028546-2245137482-1104
Notice the returned friendly name and SID.
This completes the process of configuring the HGS cluster.
-
Add the Guardian Host certificate copied above to the attestation service. The certificate was copied to
C:\Users\Administrator\Documents
.-
Open PowerShell as Administrator.
-
Run the following command:
> Add-HgsAttestationHostKey -Name HostGuardianHst-HostKey -Path "C:\Users\Administrator\Documents\HostGuardianHst-HostKey.cer" Name PublicKey ---- --------- HostGuardianHst-HostKey System.Security.Cryptography.X509Certificates.PublicKey
-
-
The fabric Administrator needs to provide two URLs from the Guardian Server to the Guarded Host. Obtain these URLs by executing the following command:
> Get-HgsServer Name Value ---- ----- AttestationOperationMode HostKey AttestationUrl {http://hgs.hgs.com/Attestation} KeyProtectionUrl {http://hgs.hgs.com/KeyProtection}
Configure attestation on the Guarded Host
Perform the following on the Guarded Host:
-
Configure the Key Protection and Attestation URLs.
-
Open PowerShell as Administrator and run the following cmdlet.
> Set-HgsClientConfiguration -AttestationServerUrl 'http://hgs.hgs.com/Attestation'-KeyProtectionServerUrl 'http://hgs.hgs.com/KeyProtection' IsHostGuarded : True Mode : HostGuardianService KeyProtectionServerUrl : http://hgs.hgs.com/KeyProtection AttestationServerUrl : http://hgs.hgs.com/Attestation AttestationOperationMode : HostKey AttestationStatus : Passed AttestationSubstatus : NoInformation FallbackKeyProtectionServerUrl : FallbackAttestationServerUrl : IsFallbackInUse : False
-
Copy the attestation server URL and key protection server URL from the previous step.
You should now be able to create shielded VM templates as per Microsoft guidelines using either Virtual Machine Manager (VMM) or Windows Azure Pack.
Troubleshooting
The following table lists error messages that might appear during the procedures described in this guide.
Problem | Cause | Solution |
---|---|---|
|
Module does not have a valid Security World loaded. |
Reload the Security World onto the HSM Refer to the HSM
User Guide
for full details.
Ensure that you have the Administrator Card quorum and passwords.
Place the HSM into Initialisation mode and run the
|
|
Module does not have the correct world file.
The world file is from an unrecognized Security World.
The world file in the
|
Ensure that you are using the correct world file. If you are using multiple Security Worlds in your environment, you must ensure that you use the appropriate Security World file that corresponds to the Security World loaded on the HSM. For help with using multiple Security Worlds, contact Entrust nshield Support, https://nshieldsupport.entrust.com . |
nshield Edge only When using an nshield USB attached Edge HSM, the Edge is not reported as available or is reported as failed. |
This is due to an outdated USB driver used by the nshield Edge. |
Open a command window as an Administrator and navigate to
The driver can be updated from the FTDI website, http://www.ftdichip.com/FTDrivers.htm . |
nshield Edge only
When you run
|
nshield Security World Version 12.xx and newer expects to be able to read the HSM Hardware status (error codes).
The Edge does not support this function and therefore responds with the
|
This has no impact on the HSM nor Security World and can safely be ignored. No remedial action is required. |
Remote Administration
Remote Administration uses smartcards and a Trusted Verification Device. Before any smartcard can be used, it must be registered in the acceptable card white list.
For added security, each smartcard’s unique serial number can be entered. The serial number is the 16-digit number found at the bottom of the card. You can allow any smartcard with the wildcard character (*).
Save the
cardlist
and close the
cardlist
configuration file.
Initially these smartcards will form your Administrator Card Set. For information about ACS, see the User Guide for your HSM.
The cardlist configuration file can be found in:
C:\ProgramData\nCipher\Key Management Data\config\cardlist
.
Note
|
By default,
Program Data
is hidden.
In Windows Explorer, select
View
, then select
Hidden items
.
|
Example cardlist configuration file:
# This is the cardlist file, which contains the serial numbers of any
# Remote Administration Ready Smartcards that a system administrator
# has permitted to be used.
These serial numbers are printed on the
# face of the smartcards
# Examples of valid 16 digit serial numbers:
# XXXXXXXX-XXXXXXXX
# XXXXXXXXXXXXXXXX
# XXXX-XXXX-XXXX-XXXX
# To permit any cards presented to be used:
# *
# The default configuration file has no cards listed, this means
# that all cards will be rejected by default.
*
-
Integration GuideMicrosoft Host Guardian Service and Shielded Virtual Machines
-
ProductsnShield Connect
-
ProductsnShield as a Service