Introduction

Microsoft Internet Information Services (IIS) for Windows Server is a Web server application. nShield Hardware Security Modules (HSMs) integrate with IIS 10.0 to provide key protection with FIPS-certified hardware. Integration of the nShield HSM with IIS 10.0 provides the following benefits:

  • Uses hardware validated to the FIPS 140 standards.

  • Enables secure storage of the IIS keys.

Product configuration

Entrust has successfully tested the nShield HSM integration with IIS in the following configuration:

| Product          | Version             |
|------------------|---------------------|
| Operating System | Windows 2019 Server |
| IIS version      | 10.0                |

Supported nShield hardware and software versions

Entrust successfully tested with the following nShield hardware and software versions:

nShield

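| Product    | Security World Software | Firmware                       | Netimage | OCS | Softcard | Module |
|------------|-------------------------|--------------------------------|----------|-----|----------|--------|
| nSaaS      | 13.3.2                  | 12.72.1 (FIPS 140-2 certified) | 12.80.5  |     |          |        |
| Connect XC | 13.3.2                  | 12.72.1 (FIPS 140-2 certified) | 12.80.5  |     |          |        |
| nShield 5c | 13.3.2                  | 13.3.2                         | 13.3.2   |     |          |        |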

Requirements

Before installing the software, Entrust recommends that you familiarize yourself with the IIS documentation and set-up process, and that you have the nShield documentation available. Entrust also recommends that there is an agreed organizational Certificate Practices Statement and a Security Policy/Procedure in place covering administration of the HSM. In particular, these documents should specify the following aspects of HSM administration:

  • The number and quorum of Administrator Cards in the Administrator Card Set (ACS) and the policy for managing these cards.

  • Whether the application keys are protected by the HSM module key or by an Operator Card Set (OCS).

  • Whether the Security World should be compliant with FIPS 140 Level 3.

  • Key attributes such as the key algorithm, key length and key usage.

Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.

For more information, see the User Guide for the HSM.