Setting up the CSP/CNG Provider

A CSP (Cryptographic Service Provider) is a general-purpose cryptography standard, developed by Microsoft. On one side, it defines a cryptographic interface to be used by applications (CryptoAPI). On the other side, it defines an interface to be used by manufacturers to integrate their cryptographic hardware.


CNG (Cryptography API: Next Generation) is the second-generation cryptographic interface developed by Microsoft. It offers updated cryptographic algorithms and is intended as the long-term replacement for CSP.
When installing the CryptoServer Setup, make sure to select the CSP/CNG - Cryptographic Service Provider (Microsoft) interface. A Cryptographic User should also be created and an MBK generated.

The CS_CNG_CFG environment variable contains the path and name of the configuration file.
By default, it is located at C:\ProgramData\Utimaco\CNG\cs_cng.cfg

  1. Open the cs_cng.cfg file with an appropriate text editor

  2. For this installation, set the path to the log file and set the log level to "ERROR"

cs_cng.cfg

# Path to the logfile (name of logfile is attached by the API)

Logpath = C:\ProgramData\Utimaco\CNG\log

# Loglevel (0 = NONE; 1 = ERROR; 2 = WARNING; 3 = INFO; 4 = TRACE)

Logging = 1

To make testing easier, enable the CNG log file by setting Logpath and the Logging level. Set Logging to 1; for testing, you may want to increase it to 4. Logpath must point to a writable directory, not to a file. If you encounter problems, check the log file named cs_cng.log in the directory defined by Logpath. When you are done testing, change Logging to 1 or 2, which limits logging to critical and important messages.

  3. Set the Login. In this case, the name of the Cryptographic User is "UtimacoCryptoUser" with an HMAC password "Utimaco25"

cs_cng.cfg

Login = UtimacoCryptoUser,HMACPwd=Utimaco25

If using Smartcard or KeyFile protection, make the appropriate change in the Login section as shown below:

Login = username,RSASign=filename#password

Login = "SmartCardUser,RSASign=:cs2:auto:USB0@<HSM-IP>"

For additional information, refer to the CryptoServer_csadm_Manual_Systemadministrators.pdf document, found on the product CD in the Documentation directory.

  4. Set the group name and IP address of the HSM

cs_cng.cfg

Group = IISUser

# default device and fallback devices

Device = <HSM_IP>

For more information regarding the commands and command parameters, please check the Utimaco documentation. The device may be a CryptoServer (PCIe or LAN) device. The Device line follows one of these patterns, based on the HSM form factor:

Hardware (LAN) HSM: Device = 288@<HSM IP address>

Hardware (PCIe) HSM: Device = /dev/cs2.0
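
A sanity check for the finished cs_cng.cfg, as an added example that is not Utimaco's own tooling: it parses the file and flags a test log level left in place, a Logpath that names a file, a clear-text password in the Login line, and a Device value that matches neither pattern given above. The sample configuration is constructed, and the function names and case-insensitive key matching are assumptions of this checker.

```python
import re

# Constructed sample that mirrors the settings shown on this page, with the
# log level left at TRACE and the Device placeholder not yet replaced.
SAMPLE_CFG = r"""
# Path to the logfile (name of logfile is attached by the API)
Logpath = C:\ProgramData\Utimaco\CNG\log
Logging = 4
Login = UtimacoCryptoUser,HMACPwd=Utimaco25
Group = IISUser
Device = <HSM_IP>
"""

# Device forms given on this page: <port>@<address> (LAN) or /dev/cs2.N (PCIe).
DEVICE_RE = re.compile(r"^(\d+@[^\s<>@]+|/dev/cs2\.\d+)$")

def parse_cfg(text):
    """Parse 'Key = value' lines, skipping blanks and '#' comments.
    Assumption: keys are matched case-insensitively by this checker."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip().lower()] = value.strip().strip('"')
    return cfg

def audit(text):
    """Return findings for the Logging, Logpath, Login and Device settings."""
    cfg, findings = parse_cfg(text), []
    level = cfg.get("logging", "")
    if level not in ("0", "1", "2", "3", "4"):
        findings.append("Logging: missing or outside 0..4")
    elif level in ("3", "4"):
        findings.append("Logging: level %s is for testing; set 1 or 2 when done" % level)
    logpath = cfg.get("logpath", "")
    if level in ("1", "2", "3", "4") and not logpath:
        findings.append("Logpath: not set although logging is enabled")
    elif logpath.lower().endswith(".log"):
        findings.append("Logpath: must name a directory, not a file")
    login = cfg.get("login", "").lower()
    if "hmacpwd=" in login or ("rsasign=" in login and "#" in login):
        findings.append("Login: password stored in clear text; restrict read access to the file")
    if not DEVICE_RE.match(cfg.get("device", "")):
        findings.append("Device: not of the form <port>@<address> or /dev/cs2.N")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CFG):
        print(finding)
```

Run against the constructed sample, it reports the TRACE log level, the clear-text HMAC password and the unreplaced Device placeholder.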