Setting up the CSP/CNG Provider

The CS_CNG_CFG environment variable contains the path and name of the configuration file. By default, it is located at C:\ProgramData\Utimaco\CNG\cs_cng.cfg.

For advanced configuration, refer to the CryptoServer_Manual_CSP_CNG.pdf found on the product CD in the Documentation directory.

  1. Open the cs_cng.cfg file with an appropriate text editor.

›_ Console

> notepad %CS_CNG_CFG%
  2. For this installation, set the path to the log file and set the log level to "TRACE".


# Path to the logfile (name of logfile is attached by the API)
Logpath = C:\Logs\CNG\

# Loglevel (0 = NONE; 1 = ERROR; 2 = WARNING; 3 = INFO; 4 = TRACE)
Logging = 4

To make testing easier, enable the CNG log file. Set LogPath to the log directory and Logging to 1; for testing, you may want to increase it to 4 (TRACE).

LogPath must point to a writable directory, not to a file.

If you encounter problems, check the log file named cs_cng.log in the directory given by LogPath. When you are done testing, change Logging back to 1 or 2, which limits the log to error and warning messages.

  3. Set the Login. In this case, the name of the Cryptographic User is "Ca1User" and the HMAC password is "Utimaco19".

cs_cng.cfg:

Login = Ca1User,HMACPwd=Utimaco19

If using keyfile or smartcard protection, make the appropriate change in the Login section as shown below:

# Keyfile
Login = username,RSASign=filename#password

# Smartcard
Login = "SmartCardUser,RSASign=:cs2:auto:USB0@<HSM-IP>"

For additional information, refer to the CryptoServer_csadm_Manual_Systemadministrators.pdf document, which can be found on the product CD in the Documentation directory.

  4. Set the IP address of the HSM.

cs_cng.cfg:

[CryptoServer]

# Device specifier (here: CryptoServer is CSLAN with IP address 10.44.223.141)
Device = 10.44.223.141

  5. The complete configuration file used in this document.

cs_cng.cfg:

# Path to the logfile (name of logfile is attached by the API)
Logpath = C:\Logs\CNG\

# Loglevel (0 = NONE; 1 = ERROR; 2 = WARNING; 3 = INFO; 4 = TRACE)
Logging = 4

# Maximum size of the logfile in bytes
Logsize = 8mb

# Keys are stored in an external or internal database
KeysExternal = false

# Path to the external keystore. Directory must be given, not file!
KeyStore = C:\ProgramData\Utimaco\CNG\keys

# Export policy for newly created keys:
# 0 = allow all, 1 = deny plain export (standard), 2 = deny all
ExportPolicy = 1

# Prevents expiring session after inactivity of 15 minutes
KeepAlive = true

# Timeout of the open connection command in ms
ConnectionTimeout = 3000

# Timeout of command execution in ms
CommandTimeout = 60000

# CXI group for all keys. The user has to have access to this group.
Group = CngCa1

# Auto-login for CNG provider. This should be used for automated server
# (re)start.
Login = Ca1User,HMACPwd=Utimaco19

# default device and fallback devices
Device = 10.44.223.141

For more information regarding the commands and command parameters, please check the Utimaco documentation. The device may be a CryptoServer PCIe or LAN device. The Device line follows one of these patterns, depending on the HSM form factor:

# CryptoServer LAN HSM
Device = 288@<HSM IP address>

OR

# CryptoServer PCIe HSM
Device = /dev/cs2.0
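As an added example (not Utimaco's code and not part of the original guide), the following Python script parses a cs_cng.cfg and flags the settings this section says to revisit before production: INFO/TRACE logging, a LogPath that names a file rather than a directory, an ExportPolicy of 0, a clear-text HMAC password in Login, and a Device value that matches none of the documented forms. The sample configuration is constructed from the excerpts above; the file-name heuristic for LogPath is an assumption.

```python
import re

# Constructed sample, modelled on the cs_cng.cfg excerpts in this guide (not a real deployment).
SAMPLE_CFG = """
# Path to the logfile (name of logfile is attached by the API)
Logpath = C:\\Logs\\CNG\\
# Loglevel (0 = NONE; 1 = ERROR; 2 = WARNING; 3 = INFO; 4 = TRACE)
Logging = 4
ExportPolicy = 1
Login = Ca1User,HMACPwd=Utimaco19
[CryptoServer]
Device = 10.44.223.141
"""

# The three Device forms this guide documents: bare IP, port@host, PCIe device node.
DEVICE_PATTERNS = (r"^\d{1,3}(\.\d{1,3}){3}$", r"^\d+@\S+$", r"^/dev/cs2\.\d+$")

def parse_cfg(text):
    """Map lower-cased keys to values; '#' comment lines and [section] headers are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#[":
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip()
    return settings

def review_cfg(text):
    """Return the findings a reviewer would raise before this config goes to production."""
    s = parse_cfg(text)
    findings = []
    level = int(s.get("logging", "0") or 0)
    if level > 2:
        findings.append("Logging=%d: INFO/TRACE logging; the guide says drop to 1 or 2 after testing" % level)
    # Assumed heuristic: a trailing dotted extension suggests a file name, not a directory.
    if re.search(r"\.[A-Za-z0-9]{1,4}$", s.get("logpath", "")):
        findings.append("Logpath looks like a file name; it must be a writable directory")
    if s.get("exportpolicy") == "0":
        findings.append("ExportPolicy=0 allows plain export of every newly created key")
    if "hmacpwd=" in s.get("login", "").lower():
        findings.append("Login keeps the HMAC password in clear text; restrict read access to cs_cng.cfg")
    if not any(re.match(p, s.get("device", "")) for p in DEVICE_PATTERNS):
        findings.append("Device matches none of the documented forms (IP, port@host, /dev/cs2.N)")
    return findings

if __name__ == "__main__":
    for finding in review_cfg(SAMPLE_CFG):
        print("-", finding)
```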

To verify that the provider is configured correctly, the following command can be used.

›_ Console

> cngtool EnumProvider
Microsoft Key Protection Provider
Microsoft Passport Key Storage Provider
Microsoft Platform Crypto Provider
Microsoft Primitive Provider
Microsoft Smart Card Key Storage Provider
Microsoft Software Key Storage Provider
Microsoft SSL Protocol Provider
Windows Client Key Protection Provider
Utimaco CryptoServer Key Storage Provider

To get the provider information, use the following command.

›_ Console

> cngtool ProviderInfo
Provider : Utimaco CryptoServer Key Storage Provider
Device : 10.44.223.141
Group : CNG
Mode : Internal Key Storage
------------------------------------------------------------
Name : Utimaco CryptoServer Key Storage Provider
Name : Utimaco CryptoServer Key Storage Provider
Version : 0x02010000
Impl. -Type : 0x00000011
MaxNameLength : 0x00000104
Device : 10.44.223.141
Group : CNG
Mode : Internal Key Storage