Configuring the Hardware Security Module

The following section describes the required configuration settings when the preferred keystore is a hardware security module (HSM). Multi-node setup is supported when the HSM is a network HSM. In a network HSM, the following 3 actors participate in the Encryption and Key Management process:

  • Client Machines. The Archer components that run on client machines.
  • RFS Server. Acts as a key repository. In some configurations, the client machine may also act as the RFS Server.
  • HSM Devices. Encryption and decryption can be performed only inside the HSM device.

Task 1: Install and test Thales nFast

Archer currently supports only the Thales N-Shield line of HSMs. Before using an HSM, you must install the Thales nFast client software on the Archer server and configure the client to synchronize files with the RFS server.

Important: The Thales N-Shield line of HSMs provides 3 types of key protection schemes. However, Archer only supports key protection using OCS-protected keys.

  1. Install Thales nFast on the Archer server.

    Important: If this step is not completed, the configuration will not work.

  2. After installing Thales nFast, test the OCS settings based on the test instructions provided by Thales.

Task 2: Update IIS App Pool Settings

When you create a key using the Key Management screen in Archer, the system internally creates an X509Certificate2 and stores it in the database. The X509Certificate2 is generated using CertEnrollLib. To enable the web application to create a certificate, you must set Load User Profile to True on the application pool.

  1. On the Windows server running the Archer Platform, open Internet Information Services (IIS) Manager.

  2. In the Connections column, click Application Pools.
  3. On the Application Pools page, right-click the application pool you want to update, and select Advanced Settings.
  4. In the Process Model section, ensure that Load User Profile is set to True.
  5. Click OK.
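The same check can be scripted so that every node in a multi-node deployment can be verified in one pass. The following PowerShell is an added example, not part of the Archer documentation; the pool name is a placeholder, and it relies on the WebAdministration module that ships with the IIS management tools. The attribute it reads and sets, processModel.loadUserProfile, is the configuration value behind the "Load User Profile" entry in Advanced Settings.

```powershell
# Added example (not from the Archer documentation): verify and, if needed,
# enable "Load User Profile" on the IIS application pool that hosts Archer.
# Assumption: the pool name below is a placeholder; substitute your own.
# Requires the WebAdministration module (ships with the IIS management tools).
Import-Module WebAdministration

$poolName = 'ArcherAppPool'   # placeholder, not a name from the documentation
$poolPath = "IIS:\AppPools\$poolName"

if (-not (Test-Path $poolPath)) {
    throw "Application pool '$poolName' was not found on this server."
}

# processModel.loadUserProfile is the configuration attribute behind the
# "Load User Profile" entry in Advanced Settings > Process Model.
$current = (Get-ItemProperty -Path $poolPath -Name processModel.loadUserProfile).Value
Write-Host "Load User Profile for '$poolName' is currently: $current"

if (-not $current) {
    Set-ItemProperty -Path $poolPath -Name processModel.loadUserProfile -Value $true
    # Recycle so the worker processes pick up the new process-model setting.
    Restart-WebAppPool -Name $poolName
    Write-Host "Enabled Load User Profile and recycled '$poolName'."
}

# Report the setting for every pool on this server so misconfigured nodes stand out.
Get-ChildItem IIS:\AppPools | ForEach-Object {
    $value = (Get-ItemProperty -Path "IIS:\AppPools\$($_.Name)" -Name processModel.loadUserProfile).Value
    [pscustomobject]@{ AppPool = $_.Name; LoadUserProfile = $value }
} | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on each Windows server hosting the Archer web application; the final table makes it easy to spot a node where the pool was created without the setting.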

Task 3: Configure a Multi-Node HSM Key Store

  1. Generate the key using Archer.
    1. From the menu, click Admin menu.
    2. Under Encryption, select Field Encryption.
    3. In the Key Management section, click Generate Key.
      Once a key is generated, it appears in the Manage Keys grid.
  2. In a multi-node setup where the Web Application and Windows Services (Job Service and Queuing Service) run on different Windows servers, or in a load-balanced environment where more than 1 web server is available, the key generated using the Key Management screen must be synchronized to all Windows servers hosting Archer components. Synchronize the key by doing 1 of the following:
    • Synchronize the keys outside Archer.

      Note: In Thales nShield Connect HSM, a key generated by a client machine must be synchronized with the RFS machine by running the command rfs-sync.exe --commit, using the rfs-sync.exe utility provided by Thales (the utility is located in the following directory: C:\Program Files (x86)\nCipher\nfast\bin). Once the key is available on the RFS machine, other clients can obtain it by running the following command: rfs-sync.exe --update.

      • Option 1: Set the environment variable %NFAST_KMDATA% to a shared directory accessible to all the clients and the RFS server. In this case the Key Management Data folder is shared between the clients and the RFS server, so running the rfs-sync.exe utility is not required.

      • Option 2: Synchronize the keys between the clients and the RFS server by running rfs-sync.exe periodically, for example from a Windows Task Scheduler job (or by any other means).

    • Synchronize the keys using the Archer Control Panel.

      Note: The following is not a secure option, as it requires Archer to execute a separate process (rfs-sync.exe).

      1. Open the Archer Control Panel.
      2. Go to Installation Settings.
      3. Click the General tab, and go to the Hardware Security Module section.
      4. From the Select Module drop-down, select N-Shield.
      5. In the Module Token field, enter the key you generated in step 1 of this task.
      6. In the Security Pin field, enter the HSM pin for authentication purposes.

        Note: If you change the PIN in the HSM, you need to update it in the Archer Control Panel as well.

      7. Select Enable RFS Synchronization.
      8. On the toolbar, click Save.
        Archer executes the rfs-sync.exe utility while creating and reading keys.

        Note: If your organization is already using an HSM device, you may have an established process similar to the one described in "Synchronize the keys outside Archer". You should also establish a key synchronization process for Archer prior to storing Archer encryption keys in the HSM.
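The "Synchronize the keys outside Archer" route (Option 2 above) leaves the scheduling and error handling to the administrator. The following PowerShell is an added example, not Thales or Archer code: it wraps the rfs-sync.exe utility at the path the documentation gives, fails loudly on a non-zero exit code, and can register a Windows Task Scheduler job that repeats the call. Run it with -Mode commit on the node that generated the key and with -Mode update on every other Archer node. The task name, the default interval and the note about older ScheduledTasks module behaviour are assumptions chosen for illustration.

```powershell
# Added example (not Thales or Archer code) for the "Synchronize the keys
# outside Archer" option: run the Thales rfs-sync.exe utility with exit-code
# checking, and optionally register a Windows Task Scheduler job that repeats
# it. Use -Mode commit on the node that generated the key and -Mode update on
# every other Archer node. The task name and default interval are assumptions
# chosen for illustration; the utility path is the one the documentation gives.
param(
    [ValidateSet('commit', 'update')]
    [string]$Mode = 'update',
    [switch]$RegisterTask,
    [int]$IntervalMinutes = 15
)

$rfsSync = 'C:\Program Files (x86)\nCipher\nfast\bin\rfs-sync.exe'

function Invoke-RfsSync {
    param([ValidateSet('commit', 'update')][string]$Mode)

    if (-not (Test-Path -LiteralPath $rfsSync)) {
        throw "rfs-sync.exe was not found at '$rfsSync'. Is the Thales nFast client installed?"
    }
    # --commit pushes this client's key data to the RFS server;
    # --update pulls key data that other clients have committed.
    $proc = Start-Process -FilePath $rfsSync -ArgumentList "--$Mode" `
                -Wait -PassThru -NoNewWindow
    if ($proc.ExitCode -ne 0) {
        throw "rfs-sync.exe --$Mode exited with code $($proc.ExitCode); check the nFast client logs and RFS connectivity."
    }
    Write-Host "rfs-sync.exe --$Mode completed at $(Get-Date -Format s)"
}

function Register-RfsSyncTask {
    param([string]$Mode, [int]$IntervalMinutes)

    $action  = New-ScheduledTaskAction -Execute $rfsSync -Argument "--$Mode"
    # Repeat every $IntervalMinutes minutes starting now. Assumption: on Windows
    # Server 2012 R2 the trigger also needs -RepetitionDuration ([TimeSpan]::MaxValue)
    # to repeat indefinitely; newer versions repeat indefinitely when it is omitted.
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) `
                   -RepetitionInterval (New-TimeSpan -Minutes $IntervalMinutes)
    # Run as SYSTEM so the job does not depend on an interactive logon. The
    # account must still be able to read and write the nFast kmdata folder.
    Register-ScheduledTask -TaskName "Archer-RfsSync-$Mode" -Action $action `
        -Trigger $trigger -User 'SYSTEM' -RunLevel Highest -Force | Out-Null
    Write-Host "Registered scheduled task 'Archer-RfsSync-$Mode' (every $IntervalMinutes minutes)."
}

# Run once immediately so a failure surfaces now rather than only in Task Scheduler history.
Invoke-RfsSync -Mode $Mode
if ($RegisterTask) {
    Register-RfsSyncTask -Mode $Mode -IntervalMinutes $IntervalMinutes
}
```

Because the script throws on a non-zero exit code, a failed synchronization shows up as a failed task run in Task Scheduler history rather than silently leaving a node without the new key; check that history after generating a key and before relying on the key from every Archer node.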