Classic Client 6.3 Administration Guide
All information herein is either public information or is the property of and owned solely by Gemalto NV. and/or its subsidiaries
who shall have and keep the sole right to file patent applications or any other kind of intellectual property protection in
connection with such information.
Nothing herein shall be construed as implying or granting to you any rights, by license, grant or otherwise, under any
intellectual and/or industrial property rights of or concerning any of Gemalto’s information.
This document can be used for informational, non-commercial, internal and personal use only provided that:
• The copyright notice below, the confidentiality and proprietary legend and this full warning notice appear in all copies.
• This document shall not be posted on any network computer or broadcast in any media and no modification of any part of this document shall be made.
Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities.
The information contained in this document is provided “AS IS” without any warranty of any kind. Unless otherwise expressly
agreed in writing, Gemalto makes no warranty as to the value or accuracy of information contained herein.
The document could include technical inaccuracies or typographical errors. Changes are periodically added to the information
herein. Furthermore, Gemalto reserves the right to make any change or improvement in the specifications data, information,
and the like described herein, at any time.
Gemalto hereby disclaims all warranties and conditions with regard to the information contained herein, including all
implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall
Gemalto be liable, whether in contract, tort or otherwise, for any indirect, special or consequential damages or any
damages whatsoever including but not limited to damages resulting from loss of use, data, profits, revenues, or
customers, arising out of or in connection with the use or performance of information contained in this document.
Gemalto does not and shall not warrant that this product will be resistant to all possible attacks and shall not incur,
and disclaims, any liability in this respect. Even if each product is compliant with current security standards in force
on the date of their design, security mechanisms' resistance necessarily evolves according to the state of the art in
security and notably under the emergence of new attacks. Under no circumstances, shall Gemalto be held liable for
any third party actions and in particular in case of any successful attack against systems or equipment
incorporating Gemalto products. Gemalto disclaims any liability with respect to security for direct, indirect,
incidental or consequential damages that result from any use of its products. It is further stressed that independent
testing and verification by the person using the product is particularly encouraged, especially in any application in
which defective, incorrect or insecure functioning could result in damage to persons or property, denial of service or
loss of privacy.
© Copyright 2007–2012 Gemalto N.V. All rights reserved. Gemalto and the Gemalto logo are trademarks and service marks
of Gemalto N.V. and/or its subsidiaries and are registered in certain countries. All other trademarks and service marks,
whether registered or not in specific countries, are the property of their respective owners.
GEMALTO, B.P. 100, 13881 GEMENOS CEDEX, FRANCE.
Tel: +33 (0)4.42.36.50.00 Fax: +33 (0)4.42.36.50.90
Printed in France.
Document Reference: D1273522A
November 22, 2012
www.gemalto.com
Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii
Classic Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii
Who Should Read This Book . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix
Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix
Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x
Typographical Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x
Additional Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x
For Further Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x
If You Find an Error . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x
Chapter 1 Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Computer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Operating Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Peripherals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Installing Classic Client 6.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Removing Previous Versions of Classic Client . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Installing the Classic Client Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Connecting the Smart Card Reader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Installing Gemalto Cryptographic Security Modules . . . . . . . . . . . . . . . . . . . . . . . 6
Uninstalling Classic Client 6.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Checking the Windows Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
End User Package Creation and Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Chapter 2 The Classic Client Toolbox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
About PINs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
About Fingerprints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
The Classic Client Toolbox Graphical User Interface . . . . . . . . . . . . . . . . . . . . . . . . 15
Card Contents Folder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Certificates Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Card Properties Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Card Administration Folder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
PIN Management Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
ECC Management Folder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
PKCS#15 Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Personal Data Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Software Administration Folder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Configuration Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
PIN Policy Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
User Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Diagnostic/Help Folder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Diagnostic Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Chapter 3 The Registration Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Contextual Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Launch Toolbox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Start/Pause . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Stop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
About . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Restarting the Registration Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Registration Tool Management of Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Forced Change PIN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Chapter 4 Administration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Authenticating Yourself . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Logging in to the Toolbox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
How to Log in to the Toolbox Using a User PIN . . . . . . . . . . . . . . . . . . . . . . . . . 40
How to Log in to the Toolbox Using a Fingerprint . . . . . . . . . . . . . . . . . . . . . . . . 41
User Setups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
How to Create a Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
How to Create a PIN Policy File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
How to Select the Modules for a User Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
How to Deploy a User Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
PIN Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
How to Change an Administration PIN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
How to Change a User PIN or IdenTrust PIN . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
How to Check the PIN Ratification Counter . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
How to Unblock a User PIN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
How to Remotely Unblock a Connected Smart Card/Token . . . . . . . . . . . . . . . . 57
How to Use a PIN Pad Reader with Classic Client . . . . . . . . . . . . . . . . . . . . . . . . . . 60
How to Log in with a PIN Using a PIN Pad and the Toolbox . . . . . . . . . . . . . . . . 60
How to Change an Admin PIN with a PIN Pad and the Toolbox . . . . . . . . . . . . . 61
How to Change a User PIN or IdenTrust PIN with a PIN Pad and the Toolbox . 61
How to Unblock a User PIN or IdenTrust PIN with a PIN Pad and the Toolbox . 63
PIN Presentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Forced PIN Change with the PIN Pad Reader . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Managing Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
How to Import a Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
How to Export a Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
How to Set Certificates as Default . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
How to Register Certificates to the IE Store Manually . . . . . . . . . . . . . . . . . . . . 74
How to Display Certificate Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
How to Erase Certificates (PKCS#11 Objects) . . . . . . . . . . . . . . . . . . . . . . . . . . 76
ECC Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Description of ECC Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
How To Display the PKCS#15 Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
How To Export the PKCS#15 Files to an XML File . . . . . . . . . . . . . . . . . . . . . . . 79
How to Read and Update Personal Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
How to Change the Signature PIN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Chapter 5 The Contactless Secure Data Mechanism . . . . . . . . . . . . . . . . . . . . . . . . . 86
Appendix A Security Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Secret Key Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Public Key Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
What is Classic Client? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Appendix B Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Certificate Related Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Browsers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
e-Mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Localization Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Smart Card Reader Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Appendix C Using Classic Client with a Citrix Infrastructure . . . . . . . . . . . . . . . . . . . . 99
System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Estimating the size of a Citrix client-server system . . . . . . . . . . . . . . . . . . . . . . 101
Gemalto Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Terminology
102
Abbreviations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
List of Figures
Figure 1 - Add/Remove Programs Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Figure 2 - Choose Setup Language Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Figure 3 - InstallShield Wizard Welcome Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . 4
Figure 4 - InstallShield Wizard Destination Folder Window . . . . . . . . . . . . . . . . . . . . . 5
Figure 5 - InstallShield Wizard Completed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Figure 6 - The Options Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Figure 7 - Device Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Figure 8 - The Device Manager Dialog and the Load PKCS#11 Device . . . . . . . . . . . 8
Figure 9 - Cryptographic Modules Available . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Figure 10 - Add/Remove Programs Window (Classic Client 6.3) . . . . . . . . . . . . . . . 10
Figure 11 - Programs and Features Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Figure 12 - Close Applications Message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Figure 13 - The Services Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Figure 14 - Properties Window for a Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Figure 15 - Classic Client Toolbox Graphical User Interface . . . . . . . . . . . . . . . . . . . 16
Figure 16 - Certificates Tool Window (Not logged in) . . . . . . . . . . . . . . . . . . . . . . . . 18
Figure 17 - Certificates Tool Window (Logged in) . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Figure 18 - Card Properties Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Figure 19 - Card Properties Window (Not logged in) . . . . . . . . . . . . . . . . . . . . . . . . . 21
Figure 20 - Card Properties Window (Logged in) . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Figure 21 - Card Properties Window (Showing Key Containers and Attributes) . . . . 22
Figure 22 - PIN Management Tool Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Figure 23 - PKCS#15 Initial Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Figure 24 - Personal Data Initial Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Figure 25 - Configuration Tool Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Figure 26 - PIN Policy Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Figure 27 - User Setup First Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Figure 28 - Diagnostic Tool Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Figure 29 - SmartDiag Welcome Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Figure 30 - SmartDiag Passed Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Figure 31 - SmartDiag Advanced Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Figure 32 - SmartDiag Failed Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Figure 33 - SmartDiag Getting Technical Assistance Window . . . . . . . . . . . . . . . . . 33
Figure 34 - Documentation Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Figure 35 - Registration Tool Icon in the System Tray . . . . . . . . . . . . . . . . . . . . . . . 35
Figure 36 - Registration Tool Right-Click Action Options . . . . . . . . . . . . . . . . . . . . . 36
Figure 37 - Classic Client Toolbox Active . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Figure 38 - “About” the Reg Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Figure 39 - Registration Tool: Install Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Figure 40 - The Reg Tool Change PIN Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Figure 41 - Certificates Window (Not Logged in with PIN Code) . . . . . . . . . . . . . . . . 41
Figure 42 - Certificates Window (Not Logged in with Fingerprint) . . . . . . . . . . . . . . . 41
Figure 43 - Fingerprint Verification Prompt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Figure 44 - Configuration Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Figure 45 - PIN Policy Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Figure 46 - User Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Figure 47 - User Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Figure 48 - Custom Key Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Figure 49 - Create Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Figure 50 - User Setup Creation Complete Confirmation . . . . . . . . . . . . . . . . . . . . . 52
Figure 51 - Change PIN Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Figure 52 - Change PIN Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Figure 53 - Card Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Figure 54 - PIN Management Tool: Unblock PIN . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Figure 55 - PIN Management-Remote Unblock PIN . . . . . . . . . . . . . . . . . . . . . . . . . 58
Figure 56 - PIN Management-Remote Unblock PIN (2) . . . . . . . . . . . . . . . . . . . . . . 59
Figure 57 - Logging in Using a PIN Pad . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Figure 58 - Secure PIN Entry Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Figure 59 - Logged in Using a PIN Pad . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Figure 60 - PIN Management with PIN Pad Reader Window . . . . . . . . . . . . . . . . . . 62
Figure 61 - PC Pinpad Secure PIN Entry Window . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Figure 62 - PC Pinpad Secure PIN Change Window . . . . . . . . . . . . . . . . . . . . . . . . 63
Figure 63 - PIN Management with PIN Pad Reader Window . . . . . . . . . . . . . . . . . . 64
Figure 64 - PC Pinpad Secure PIN Entry Window . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Figure 65 - PC Pinpad Secure PIN Unblock Window . . . . . . . . . . . . . . . . . . . . . . . . 64
Figure 66 - Forced PIN Change with PIN Pad Reader Window . . . . . . . . . . . . . . . . 65
Figure 67 - Certificates Tool Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Figure 68 - Choice of Methods to Import a Certificate . . . . . . . . . . . . . . . . . . . . . . . . 67
Figure 69 - Certificates Tool Window: Open Window . . . . . . . . . . . . . . . . . . . . . . . . 68
Figure 70 - Certificates Tool Window: Import Certificate File (1) . . . . . . . . . . . . . . . . 69
Figure 71 - Certificates Tool Window: Import Certificate File (2) . . . . . . . . . . . . . . . . 69
Figure 72 - Certificates Tool Window: Import Certificate - Selecting the Store . . . . . 70
Figure 73 - Certificates Tool Window: Import Certificate List . . . . . . . . . . . . . . . . . . 71
Figure 74 - Certificates Tool Window: Export Button Activated. . . . . . . . . . . . . . . . . 72
Figure 75 - Choice of Methods to Export a Certificate . . . . . . . . . . . . . . . . . . . . . . . . 73
Figure 76 - Security Warning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Figure 77 - Certificates Tool Window (All Objects Selected) . . . . . . . . . . . . . . . . . . . 75
Figure 78 - Certificate Successfully Registered . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Figure 79 - Window Certificate Information Viewer . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Figure 80 - PKCS#15 Initial Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Figure 81 - PKCS#15 Window (Showing PKCS#15 Structure) . . . . . . . . . . . . . . . . . 79
Figure 82 - Personal Data Initial Window (Read) for IAS ECC Card . . . . . . . . . . . . . 80
Figure 83 - Personal Data Initial Window (Read) for IAS Classic Applet V3 Card . . 80
Figure 84 - Personal Data Login Window for IAS Classic Applet V3 Card . . . . . . . . 81
Figure 85 - Personal Data Window (First Page of Data in Read Mode) for IAS Classic Applet V3 Card . . . . . . 81
Figure 86 - Personal Data Window (Second Page of Data) for IAS Classic Applet V3 Card . . . . . . . . . . . . . 82
Figure 87 - Personal Data Initial Window (Update) for IAS Classic Applet V3 Card . . . . . . . . . . . . . . . . . . 82
Figure 88 - Personal Data Login Window for IAS Classic Applet V3 Card . . . . . . . . . . . . . . . . . . . . . . . . . 83
Figure 89 - Personal Data Window (First Page of Data - Update) for IAS Classic Applet V3 Card . . . . . . . . 83
Figure 90 - Personal Data Window (Second Page of Data) for IAS Classic Applet V3 Card . . . . . . . . . . . . . 84
Figure 91 - Personal Data Window (Third Page of Data) for IAS ECC Card Only . . 84
Figure 92 - Change Signature PIN Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Figure 93 - The CSD Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
List of Tables
Table 1 - Diagnostic Tool Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Table 2 - Registration Tool Status Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Table 3 - Toolbox Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Table 4 - Operating Systems and Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Introduction
Welcome to Gemalto Classic Client.
You have made a wise investment by purchasing Classic Client as a safeguard for
secure network services.
This chapter presents an overview of Classic Client, the documentation provided with
it, and additional resources available for working with Classic Client.
This document specifically helps an administrator of Classic Client to install the
software and set up the administrator environment. As the administrator, your
duties will include managing the smart cards/tokens issued to end users, creating user
versions of the software, and deploying installations of the software to end users. All of
the tasks associated with these duties are available in the administrative installation of
Classic Client.
Classic Client
Classic Client is for individual users who want to use a smart card/token to protect
information and transactions made via computers, including stand-alone workstations
and Citrix client-server environments.
Note: A token is in fact a smart card embedded in a device that can be plugged into
the USB port of a PC. In this document, “connecting a device” can mean inserting a
card in a reader or plugging a token in the USB port of a PC.
With Classic Client you can use a digital certificate stored on a smart card/token to:
■ Securely log on and off a computer with Windows 8/7/Vista/XP, or Windows Server 2003/2008/2008 R2.
■ Lock and unlock a computer with Windows 8/7/Vista/XP, or Windows Server 2003/2008/2008 R2.
■ Sign Microsoft Office, or XP macros and Adobe Acrobat documents.
■ Open and verify signed documents.
■ Send and receive secure e-mail using Microsoft or Mozilla e-mail software.
■ Connect securely with a Web server.
Classic Client also includes features for managing certificates and smart card/token
security.
This guide introduces you to Classic Client and provides easy-to-follow instructions.
Read the entire guide for assistance in the installation, configuration, and use of
Classic Client.
Classic Client includes two user profiles: the administrator and the user.
Who Should Read This Book
This guide is intended for Classic Client administrators who are familiar with smart
cards/tokens and smart card reader technology, as well as PC hardware and software,
the Internet and the World Wide Web.
It is assumed that the administrator of Classic Client has:
■ an understanding of the basic operations in Windows.
■ administrative privileges for the computer on which Classic Client will be installed.
■ an understanding that the procedures in this manual refer to the Administrator and User as two separate people, but they may be the same person using a standalone workstation.
This guide gives the administrator simple easy-to-follow instructions for installing,
configuring, and using Classic Client.
Documentation
Classic Client documentation is available as .pdf document files and includes:
■ Classic Client User Guide. This is selected by the administrator to be included in each particular user setup.
■ Classic Client Administration Guide. This is located in the Classic Client installation folder and is also available through the Documentation plug-in in the Classic Client Toolbox GUI.
■ Classic Client Release Notes. A separate file is included with each Classic Client software release version and contains the complete version history.
■ End User License Agreement (EULA). This is displayed during installation. After installation it can be found in install dir\Documentation and, depending on the User Setup, may also be accessed through the Documentation plug-in in the Toolbox.
These files can be printed out or read on screen using the Adobe Acrobat Reader.
To obtain the Adobe Acrobat Reader, you can download it from Adobe’s Web site at:
www.adobe.com.
These files are best viewed with the Acrobat Reader, version 9.0 or later.
Conventions
The following conventions are used in this document:
Typographical Conventions
Classic Client documentation uses the following typographical conventions to assist
the reader of this document.
Convention   Example              Description
Courier      transaction          Code examples.
Bold         Enter myscript.dll   Actual user input or screen output.
>            Select File > Open   Indicates a menu selection. In this example you are instructed to select the “Open” option from the “File” menu.
Note: Example screen shots of the Classic Client software are provided throughout
this document to illustrate the various procedures and descriptions. These screen
shots were produced with Classic Client running on Windows XP or Vista.
Additional Resources
For further information or more detailed use of Classic Client, additional resources and
documentation are available by contacting Gemalto technical support.
For Further Help
Further help is provided in the Gemalto Self Support portal at support.gemalto.com.
You can find information on how to contact your Gemalto representative by clicking
Contact Us at the Gemalto web site, www.gemalto.com.
If You Find an Error
Gemalto makes every effort to prevent errors in its documentation. However, if you
discover any errors or inaccuracies in this document, please inform your Gemalto
representative. Please quote the document reference number found at the bottom of
the legal notice on the inside front cover.
Chapter 1
Installation
This chapter discusses information related to the installation of Classic Client 6.3 and
the information necessary for administrators to create installation and user profiles for
other users.
The installation requirements are outlined below.
This chapter describes:
■ The hardware and software you need to use Classic Client 6.3.
■ How to install Classic Client 6.3 on the administrator's computer.
■ How to check that the necessary Windows Services are running, and how to install them if they are not.
■ How, as the administrator, to generate profiles and installations for other users.
System Requirements
The following sections describe the hardware, operating systems, peripherals and
software you need to use Classic Client 6.3.
These requirements are also necessary for the end user computers on which Classic
Client 6.3 will be installed via the user installation packages created by the
administrator.
For any computer on which Classic Client 6.3 will be installed, the user installing the
software must have administrator rights to that computer.
Note: For information about the operating systems, applications, smart card devices
and smart card readers that are supported by Classic Client, please refer to the
Release Notes.
Computer
The workstation must meet the normal system requirements to run its version of
Windows.
The Classic Client Toolbox is best viewed with a screen resolution of 90 dpi. If your
computer uses a different resolution, this does not affect performance, but the
appearance of the toolbox may not be perfect.
Operating Systems
The Administrator version of Classic Client 6.3 is available only for 32-bit operating
systems. However, from this version, it is possible to create user setups for 32-bit OS
or 64-bit OS. Install the version according to your OS. The “What’s In?” section of the
Release Notes summarizes the OS that Classic Client supports for the two versions.
Gemalto recommends that your machine has a RAM at least equal to that normally
recommended for the OS. If this RAM requirement is met, Classic Client should run
normally.
The .NET Framework version 2.0 or later must be already installed on the computer.
Applications
For a detailed list of applications supported by Classic Client 6.3, please refer to the
Release Notes. Here are some useful links where you can download the latest versions
of some software applications free of charge:
Microsoft Internet Explorer from the Microsoft Internet Explorer download page
Mozilla Firefox and Thunderbird from www.mozilla.org
Adobe Acrobat and Adobe Acrobat Reader from http://www.adobe.com/
Peripherals
Classic Client requires an available USB or PCMCIA port (not mandatory for the
Administrator version and not needed if your PC has a reader embedded).
For a detailed list of the smart cards and smart card readers supported by Classic
Client 6.3, please refer to the Release Notes.
Installing Classic Client 6.3
Removing Previous Versions of Classic Client
Installing Classic Client 6.3 automatically removes earlier 6.X and 5.X versions.
Version 5.0 was known as GemSafe Standard Edition. However, it does not automatically uninstall previous versions older than 5.0. These must be removed manually. Remember that versions older than 5.0 are called "GemSafe Libraries".
For every workstation on which a new version of Classic Client is to be installed, the
administrator must check that all older versions are removed successfully.
If you have other middleware installed on your PC, you may also need to uninstall this,
depending on how it works. For further information consult your Gemalto technical
consultant.
Caution: Before removing the software, make sure you disconnect all devices (smart
cards/tokens).
To remove a previous version of GemSafe Libraries:
1. Open the Control Panel (Start > Settings > Control Panel).
2. Click Add or Remove Programs.
3. Locate GemSafe Libraries as shown in "Figure 1".
Figure 1 - Add/Remove Programs Window
4. Click Remove. A window appears asking if you are sure that you want to remove GemSafe Libraries.
5. Click Yes. A progress bar displays while GemSafe Libraries is removed.
6. At the end of the removal, the progress bar closes, removal is complete and GemSafe Libraries is removed from your computer.
7. If prompted, restart your computer.
Note: The Smart Card reader installations are not removed.
Installing the Classic Client Software
This section describes how to install Classic Client.
Caution: Before installing the software, make sure you disconnect all devices (smart
cards/tokens).
Note: Remember that the installation of Classic Client does not automatically remove versions of Classic Client older than 5.0. These must be manually removed as described in "Removing Previous Versions of Classic Client" on page 2.
To install Classic Client 6.3:
1. Navigate to the location of the installation file (Classic_Client_32_Admin_setup.exe) on your computer and double-click its file icon.
2. (For Windows 8/7/Vista/Server 2008 and Server 2008 R2 only) If User Account Control is activated, the "An unidentified program wants access to your computer" warning appears. Choose Allow.
The InstallShield Wizard displays the Choose Setup Language dialog.
Figure 2 - Choose Setup Language Dialog
3. Select the required language for your installation (English in this example) and click OK to continue.
Note: If the operating system language is available in the Classic Client 6.3 software, the setup.exe file automatically suggests the correct language. If not, English is the default choice.
The Classic Client InstallShield Wizard displays the window indicating that it is preparing to install. Allow the installation to continue until the Welcome window appears.
Figure 3 - InstallShield Wizard Welcome Dialog Box
4. When the Welcome dialog box appears, click Next to continue; the Classic Client InstallShield Wizard displays the License Agreement window.
5. Read the Gemalto License Agreement. If you wish to continue, accept the terms by choosing the "I accept the terms in the license agreement..." button and then click Next.
The Classic Client InstallShield Wizard displays the Destination Folder window.
Figure 4 - InstallShield Wizard Destination Folder Window
6. The destination folder is the location where the plug-ins and other files are installed. Either click Next to accept the proposed default (recommended) or use the Change function to choose another location and click Next.
Caution: For 64-bit operating systems, if you choose a different location, it must not be under c:\Program Files\... You can choose c:\Program Files (x86)\... or another location.
The Ready to Install the Program dialog appears.
7. Click Install to start the installation. An "Installing" window displays showing a progress bar during the installation.
When the Classic Client InstallShield Wizard has completed the installation, the "Completed" dialog appears as shown in the following figure:
Figure 5 - InstallShield Wizard Completed
8. Click Finish to complete the installation. The Classic Client InstallShield Wizard displays the Reboot Dialog.
9. Click Yes to restart the system immediately or No if you want to restart your computer later.
Classic Client is now installed on the computer.
Note: You will not be able to use the Classic Client software until you have restarted
your computer.
Connecting the Smart Card Reader
To use Classic Client 6.3 on your workstation, you must connect a smart card reader to
your computer.
If the card reader is not recognized on your workstation, you may need to install the
latest card reader drivers. You can download these from http://support.gemalto.com.
Installing Gemalto Cryptographic Security Modules
Security Modules are software add-ons that provide a variety of cryptographic services,
such as secure browsing, and support the use of smart cards/tokens.
In Classic Client 6.3, the installation of Security Modules can be done either
automatically or manually, depending on the application with which Classic Client is
being used.
Classic Client must be declared as a security module so that applications can communicate with it. For some applications, Firefox for example, the security module cannot be installed automatically and must be installed manually.
To manually install a security module for Firefox:
1. Open Firefox and from the Tools menu choose Options. The Options dialog opens.
2. Click the Advanced icon, then the Encryption tab to display the settings as shown in "Figure 6".
Figure 6 - The Options Dialog
3. Click Security Devices to display the Device Manager window. This displays the modules currently available as shown in "Figure 7".
Figure 7 - Device Manager
4. Click the Load button to the right in the dialog. This displays the Load PKCS#11 Device window, as shown in "Figure 8".
Figure 8 - The Device Manager Dialog and the Load PKCS#11 Device
5. Enter a Module Name.
6. In Module filename, use the Browse button to select the gclib.dll file as follows:
■ For 32-bit versions of Windows, this is in \install dir\BIN\, where install dir is the directory where you installed Classic Client. By default, install dir is c:\Program Files\Gemalto\Classic Client\
■ For 64-bit versions of Windows, the location of the gclib.dll depends on whether you are using the 32-bit version of Firefox or the 64-bit version.
  – For a 32-bit version of Firefox, the gclib.dll is in \install dir\BIN\. By default, install dir is c:\Program Files (X86)\Gemalto\Classic Client\
  – For a 64-bit version of Firefox, the gclib.dll is in c:\Program Files\Gemalto\Classic Client\BIN\
Caution: Not all tokens are supported for the 64-bit version of Windows. Please refer to the Release Notes to find out which tokens these are.
7. Click OK. The "Confirm" dialog appears asking if you are sure that you want to install the security module.
8. Click OK. A brief progress dialog appears indicating that the module is being loaded. When this is completed an "Alert" indicates that the module has been installed.
9. Click OK to close this Alert.
The Device Manager indicates the presence of the new module as shown in "Figure 9":
Figure 9 - Cryptographic Modules Available
Note: The example shown in “Figure 9” shows the name of the reader (Gemplus USB
Smart Card Reader 0) because no card is inserted in the reader. If a card is inserted at
the time you are loading the module, then the name of the card appears instead of the
reader.
Uninstalling Classic Client 6.3
This example shows the Administrator version. The procedure to remove the User
version is the same except that the program appears as “Classic Client” instead of
“Classic Client Administrator”.
To remove Classic Client 6.3 in Windows XP and Server 2003:
1. Open the Control Panel (Start > Settings > Control Panel).
2. Click Add or Remove Programs.
3. Locate Classic Client as shown in "Figure 10".
Figure 10 - Add/Remove Programs Window (Classic Client 6.3)
4. Click Remove. A message box displays asking "Are you sure you want to remove Classic Client 6.3 from your computer?"
5. Click Yes to confirm the removal of Classic Client 6.3. A progress bar appears during the removal. At the end of the removal, the progress bar closes, removal is complete and Classic Client is removed from your computer.
6. If prompted, restart your computer.
To remove Classic Client 6.3 in Windows 8/7/Vista, Server 2008 and Server 2008 R2:
1. Open the Control Panel (Start > Control Panel).
2. Double-click Programs and Features (if you are using the Control Panel view in Windows Vista/Server 2008 or the Category view in Windows 8/7/Server 2008 R2, then under Programs, click Uninstall a program instead).
3. Select Classic Client 6.3 as shown in "Figure 11" and click Uninstall (the Uninstall button appears when you select Classic Client 6.3).
Figure 11 - Programs and Features Window
4. A message box displays asking "Are you sure you want to uninstall Classic Client 6.3?"
5. Click Yes to confirm the removal of Classic Client 6.3.
6. If User Account Control is activated, the warning "An unidentified program wants access to your computer" appears. Choose Allow.
7. Again, if User Account Control is activated, a message like the one shown in "Figure 12" may appear to tell you to close certain applications, in particular the Registration Tool.
Figure 12 - Close Applications Message
Choose the Automatically close applications option and click OK.
8. A progress bar appears during the removal. At the end of the removal, the progress bar closes, removal is complete and Classic Client is removed from your computer.
9. If prompted, restart your computer.
Checking the Windows Services
To run Classic Client correctly, the following Windows Services must be running on the computer where Classic Client is installed:
■ Server
■ Smart Card
To check if these services are running:
1. Open the Services window (Settings > Control Panel > Administrative Tools).
2. If the services are running, they appear as shown in "Figure 13", with a Status of "Started" and a Startup Type of "Automatic".
Figure 13 - The Services Window
3. If the Startup Type is not "Automatic", set it to "Automatic" as follows:
a) Right-click the service and choose Properties.
Figure 14 - Properties Window for a Service
b) In the Properties window, select Automatic as the Startup Type as shown in "Figure 14".
c) Click OK.
4. If the service does not appear in the Services window ("Figure 13" on page 12), it needs to be installed, in which case contact your system administrator.
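The same check as the steps above, done from PowerShell so it can be run on many workstations before a user setup is deployed; this is an added example, not code from the Classic Client guide or product. The display names "Server" and "Smart Card" are the guide's; the short service names LanmanServer and SCardSvr are the standard Windows names for those services. It assumes Windows PowerShell 3.0 or later, and an elevated prompt when -Repair is used.

```powershell
# Added example, not code from the Classic Client guide or product.
# Reports whether the two services the guide requires are installed, running and set to
# start automatically. With -Repair it applies the fix from step 3 (Startup Type = Automatic)
# and starts the service. Requires Windows PowerShell 3.0+ (Get-CimInstance); -Repair needs
# an elevated prompt.

function Test-ClassicClientServices {
    [CmdletBinding()]
    param([switch]$Repair)

    # Display names are the guide's; the short names are the standard Windows service names.
    $required = @(
        @{ Name = 'LanmanServer'; DisplayName = 'Server' },
        @{ Name = 'SCardSvr';     DisplayName = 'Smart Card' }
    )

    foreach ($svc in $required) {
        $service = Get-Service -Name $svc.Name -ErrorAction SilentlyContinue
        if (-not $service) {
            # Step 4 of the guide: the service is absent, so it must be installed by the system administrator
            [pscustomobject]@{ Service = $svc.DisplayName; Installed = $false; Status = 'Missing'; StartupType = $null; Ok = $false }
            continue
        }

        # Startup Type is read via CIM, because Get-Service did not expose it before PowerShell 6
        $cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($svc.Name)'"
        $startMode = $cim.StartMode      # 'Auto', 'Manual' or 'Disabled'

        if ($Repair -and $startMode -ne 'Auto') {
            Set-Service -Name $svc.Name -StartupType Automatic
            $startMode = 'Auto'
        }
        if ($Repair -and $service.Status -ne 'Running') {
            Start-Service -Name $svc.Name
            $service.Refresh()
        }

        [pscustomobject]@{
            Service     = $svc.DisplayName
            Installed   = $true
            Status      = $service.Status.ToString()   # 'Running' is what the Services window shows as "Started"
            StartupType = $startMode
            Ok          = ($service.Status -eq 'Running' -and $startMode -eq 'Auto')
        }
    }
}

# Report only; add -Repair to correct the Startup Type and start the services
Test-ClassicClientServices | Format-Table -AutoSize
```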
End User Package Creation and Deployment
When Classic Client 6.3 is installed on a computer with administrator privileges, you, as an administrator, can access the administration tools needed to generate installation setups for other users. These setups are usually deployed to the end users over a network.
"Chapter 4 - Administration Tasks" describes how to create installation setup packages and how to set use parameters for end users. See also "How to Deploy a User Setup" on page 53.
2 The Classic Client Toolbox
This chapter discusses the Classic Client Toolbox, the dedicated tool for working with
Classic Client.
The Classic Client Toolbox is made up of a number of tools that enable the user to
perform tasks associated with the use of Classic Client products. Some of the tools are
product specific and will include the product name in the title.
Some of the tools described in this Classic Client Administrator Guide are available to
administrators but not end users. The Classic Client User Guide describes only those
tools that are available for the end user.
About PINs
The User PIN
A PIN (Personal Identification Number) is a private code. It can be a sequence of numeric or alphanumeric characters or a mix of the two and is used as a type of password. Your User PIN must be verified before you can perform security tasks with the card/token, such as logging on to a workstation or creating a digital signature.
The user PIN of a smart card/token may be the original PIN value set at the time of
manufacture or it may be a PIN value assigned by the administrator.
The user PIN should be unique to the user’s card/token and known only to the user. If
the administrator gives the user the rights, it is standard practice, upon reception of a
smart card/token, to change the user PIN value so that only the user knows it. The
administrator can even force the user to change the PIN value upon first use in the
software.
To perform a security operation, the card/token user must demonstrate knowledge of
the PIN. Software that performs a security operation usually displays a window
requesting the user enter the PIN before performing the security operation or there is a
field where the user can enter the PIN, as is shown in the Classic Client Toolbox.
■ When creating a digital signature, successful PIN validation proves that the user is the correct card/token holder and permits the user to sign with the selected key.
■ By using the PIN to log on to a network, the user proves both that the user card/token is valid in the system and that the card/token holder is physically there. If the PIN is truly secret, the person entering the PIN must also be the card/token holder.
Caution: Do not allow the User PIN for your card/token to be blocked. If, for example,
you forget the user PIN and enter a predetermined number of failed validation
attempts (the PIN is entered incorrectly), the card/token becomes blocked and you
cannot perform any further security operations with it. If you know the Admin PIN you
can unblock your card/token as described in “How to Unblock a User PIN” on page 56.
However most organizations’ security policies do not allow this, in which case you
must ask the Classic Client system administrator to unblock the card/token using the
Admin PIN. If your user setup allows it, you may be able to unblock your card/token
remotely. This operation is described in “How to Remotely Unblock a Connected
Smart Card/Token” on page 57. Sometimes card/token technology or software onboard the card/token limits the absolute number of these unblocking operations. For
more information, see your card/token technology documentation.
The Administrator PIN
The administrator PIN is an extremely important part of the security of the smart card/
token. Knowledge of this PIN means that the administrator can change the value of all
the user PINs on the card/token and unblock the card/token if the user PIN is blocked.
It is extremely important for smart card/token administrators to keep the value of the
admin PIN secure and secret. The administrator has to know the admin PIN value for
all smart cards/tokens he or she has deployed. The admin PIN value of a card/token
should never be shared with anyone else, and it is strongly recommended not to give
this value to the card/token user, unless your security policy requires it.
Once an administration PIN has been entered incorrectly the requisite number of times,
it becomes blocked and the card/token can never be used again.
Note: Normally, if the administrator blocks a smart card/token’s admin PIN, the card/
token becomes unusable.
As the administrator you may want to change the Admin PIN value of the cards/tokens
you deploy so that only you, the administrator, knows it.
About Fingerprints
For cards that contain the IAS Classic Applet V3 and the Match On Card (MoC) applet,
fingerprints can be used as an alternative to presenting a PIN. For fingerprint
authentication, you must have a fingerprint scanner connected to the computer.
(Please refer to the Classic Client Release Note to know which fingerprint scanners are
supported.) To authenticate, place a finger on the sensor of the reader. Classic Client
compares the digital fingerprint of the finger with the corresponding fingerprint stored in
the MoC applet.
Caution: As with PINs, the number of attempts to perform a fingerprint authentication
is limited. After a pre-defined number of failed attempts, you can no longer perform
operations that require fingerprint authentication. YOU CANNOT UNBLOCK
FINGERPRINT AUTHENTICATION USING CLASSIC CLIENT.
The Classic Client Toolbox Graphical User Interface
To access the tools in the Classic Client Toolbox:
Navigate through Start > All Programs > Gemalto > Classic Client > Classic Client
Toolbox to open the Toolbox.
Figure 15 - Classic Client Toolbox Graphical User Interface (callouts: About Button, Tool Folders, Exit Button, Tool Icons and Names, Background, Minimize Button)
In the left panel of the GUI, the tools are located in folders with labelled tabs. The
various tools are located within each folder, grouped according to tool use.
Note: The Software Administration folder appears only in the Administrator setup and
not the usual User setup.
Card Contents folder
Certificates: The Certificates tool allows you to view information on the objects on your
card/token. According to PKCS#11, these objects can be certificates, keys and data
objects.
Card Properties: The Card Properties tool allows you to view information associated
with a particular smart card/token.
Card Administration folder
PIN Management: The PIN Management tool allows you to make changes to the PIN
associated with a particular smart card/token.
ECC Management folder
PKCS#15: The PKCS#15 tool allows you to browse the PKCS#15 file structure and
save it as an XML file.
Personal Data: The Personal Data tool allows you to read and update personal data in
IAS ECC / IAS XL cards and IAS Classic Applet V3 cards.
Software Administration folder
Configuration: The Configuration tool allows you as administrator to set the privileges
for the use of a smart card/token and for Classic Client.
PIN Policy: The PIN Policy tool allows you as administrator to set the PIN policy for a
particular end user or group of end users.
User Setup: The User Setup tool allows you as administrator to select the modules that
will be included in the end user’s setup.
Diagnostic/Help folder
Diagnostic Tool: The Diagnostic Tool is used to examine all components of the Classic
Client installation to determine if there are problems using Classic Client.
Documentation: The Documentation folder displays all the documentation available to you, and will vary according to your user setup. It includes the Classic Client Administration Guide, the Classic Client User Guide, the Release Notes and the EULA.
Click the folder tab and view the tools within. Click the tool icon to display tool
parameters in the right panel. Some information is available for viewing without logging
in using the PIN.
Most options are self explanatory in the graphical user interface. Further explanations
follow.
Card Contents Folder
The Card Contents folder contains all the tools associated with viewing and interacting
with the contents of a particular smart card/token. These tools are the Certificates tool
and the Card Properties tool.
Certificates Tool
The Certificates Tool allows you to view information on certificates and key pairs in the
smart card/token.
Note: The Certificates Tool is only available if the Administrator has included it in the
user setup.
Figure 16 - Certificates Tool Window (Not logged in) (callouts: About Button, Exit Button, Tool Folders, Tool Title, Tool Icons and Names, Login Entry Area, Viewing Details Area, Small Background, Minimize Button)
The Certificate Tool displays information about the following certificates and key pairs:
■ Certificate Authority (CA) and User Certificates:
  – Serial number
  – Expiration date
  – Owner
  – Issuing Certificate Authority (if applicable)
  – The keys associated with each certificate
■ Keys:
  – Public keys
  – Private keys (some cards/tokens require that you log in first)
The Certificates Tool allows you to:
■ Manually register all certificates
■ Set a default certificate
■ Erase one or more certificates or key pairs in the smart card/token (if this feature is enabled by the administrator)
Note: The option to Erase or Erase All using the Certificates Tool does not determine the capability of other applications that can also perform these functions.
■ Show details about a certificate or a key
■ Import and export a certificate.
There are some important points to note:
– You can import a certificate without logging in, because certificates are always imported to the card's/token's public area. But if you do not log in, and the certificate has a key pair associated with it, the key pair is not imported.
– You must log in before you can perform any export operations with the Certificates Tool.
– You can never export a certificate's associated key pair.
– If you are not logged in, you may not be able to view private objects on the card/token. This depends on the card/token technology and the on-board software. If you cannot view a private key that you are sure you imported in a previous session, make sure that you are logged in before you conclude that the import process did not work.
Figure 17 - Certificates Tool Window (Logged in)
For the procedures to follow to perform tasks with the Certificates Tool, refer to
“Managing Certificates” on page 65.
Certificate and Key Icons
The Certificate Tool can display the following icons, each representing a PKCS#11 object:
■ Certificate
■ Default Certificate
■ Imported Public Key
■ On-board Public Key
■ Imported Private Key
■ On-board Private Key
Card Properties Tool
The Card Properties tool allows you to view information associated with a particular
smart card/token.
The Card Properties window displays all available card readers or PKCS#11 slots.
Figure 18 - Card Properties Window
To view information on a smart card/token:
1. Choose the smart card reader from the list that holds the card/token you are interested in and then click Next to continue.
Information on the card/token is displayed:
Figure 19 - Card Properties Window (Not logged in)
Classic Client may not be able to display all information on the smart card/token
because not all smart cards/tokens have the same technology and the same on board
software.
In general, you can see information about:
■ Card/Token Type and Firmware
■ Card/Token Label and Card/Token Serial Number
■ Maximum number of incorrect PIN entry attempts (when supported) before blocking occurs
■ Smart Card/Token Memory Space
Some smart cards/tokens do not allow Classic Client to view the number of PIN
attempts remaining before the card/token becomes blocked. See “How to Check The
PIN Ratification Counter” on page 56 for information on how to work around this.
2. If not already logged in, log in as described in "Authenticating Yourself" on page 40.
– The padlock symbol in the GUI unlocks to indicate that the user is successfully logged in with that smart card/token and PIN, as shown in "Figure 20" on page 22.
– With cards/tokens where private information on the card/token is PIN protected, logging in enables this information to become visible, for example, Cryptographic Mechanisms and Key lengths.
– The Advance button becomes available.
Figure 20 - Card Properties Window (Logged in)
3. By clicking the Advance button, all key containers associated with the card/token are displayed, and additional information can be viewed by clicking the plus symbol to expand a key container. This information includes how many keys are available in the container or whether it is free.
Figure 21 - Card Properties Window (Showing Key Containers and Attributes)
Card Administration Folder
The Card Administration folder contains the PIN Management tool.
PIN Management Tool
The PIN Management tool allows you to make changes to the PIN associated with a
particular smart card/token. It also allows you to view the PIN policy that has already
been defined by the administrator for this particular installation.
Caution: PIN policies are established according to an organization’s security policy,
but they are also established in relation to the particular type of smart card/token you
use and the on-board software the card/token features. Please refer to your card/
token documentation to make sure that your PIN policy is consistent with any
limitations imposed by the card/token/applet. In particular, please note the following:
■ Some cards/tokens allow a user PIN to be a minimum of 4 characters, while others insist on it being a minimum of 6 characters.
■ For the Classic Applets V2 and V3 (and IAS Classic Applets V2 and V3), the maximum PIN length is 16 ASCII bytes. The maximum PIN length for global PINs in Classic Applet V3 (and IAS Classic Applet V3) is 12 bytes.
■ For Classic Applet V1, only numeric values are allowed for PINs.
To access the PIN Management Tool:
Click the PIN Management icon in the Card Administration folder. This displays the
tool as shown in “Figure 22” on page 23.
Figure 22 - PIN Management Tool Window
From this window, choose the function you want to perform, Change PIN or Unblock
PIN and click Next.
Note: The list next to the Unblock PIN option appears only if you have been granted
both “unblock” and “remote unblock” rights in your user setup.
For the procedures of how to perform these functions, refer to “PIN Management” on
page 53.
PIN Types
Classic Client recognizes three types of PIN that may be in a smart card/token:
■ User PIN – the standard PIN used by a user to access the card/token
■ Admin PIN – the PIN that is necessary to unblock the card/token (for example after too many consecutive incorrect presentations of the User PIN)
■ IdenTrust PIN – a PIN similar to the User PIN with some particular rules (minimum length of 6 characters). This PIN appears only on certain types of smart card/token.
ECC Management Folder
The ECC Management folder contains the following tools that are used to view and interact with the contents of smart cards:
■ PKCS#15 tool
■ Personal Data tool
For details on the tasks you can perform with these tools, see “ECC Management” on
page 77.
PKCS#15 Tool
The PKCS#15 tool allows you to view the PKCS#15 files on some smart cards. When
you click the PKCS#15 icon, the initial window displays all available card readers or
slots as shown in “Figure 23”.
Figure 23 - PKCS#15 Initial Window
To display the PKCS#15 files, choose the smart card reader from the list that holds the
card and then click Next to continue. For a full description of this function, see “How To
Display the PKCS#15 Files” on page 78.
Personal Data Tool
The Personal Data tool offers a functional view of the personal data only, allowing you
to read and update it. The initial window when you click the Personal Data icon
displays the initial personal data details as shown in “Figure 24”.
Figure 24 - Personal Data Initial Window
From this window, choose the function you want to perform (Read personal data or
Update personal data) and click Next.
Software Administration Folder
Overview
In the Software Administration folder, you can use the Configuration tool and the
PIN Policy tool to create and save configuration files that determine a user’s profile
regarding the individual rights of that user according to his or her organization’s
security policy.
You can then use the User Setup tool to create the end user setup by selecting the
configuration file and PIN Policy file mentioned above, then by entering other
parameters discussed in detail further on in this guide.
You then deploy the end user setup to the end user, where it is installed on the end user's computer.
Read through the following descriptions of the tools available to learn more about the
full range of administrative tools in Classic Client as well as how to set up end user
installation packages. For specific instructions on how to perform all administrative
tasks, refer to “Chapter 4 - Administration Tasks”.
Configuration Tool
The Configuration tool displays various features and parameters for how to use a
smart card/token, for example, how the smart card/token can be unblocked, whether
the user has been given the right to erase certificates from the smart card/token,
whether the user can change the user PIN, and so on.
When you have set all the parameters, you save that configuration in a file. You can
therefore use this tool to save new configurations or modify existing configurations.
Configuration files are used later when setting up user profiles in User Setup.
To access the Configuration Tool:
In the Software Administration folder, click the Configuration icon. This displays the
default configuration as shown in “Figure 25” on page 26.
Figure 25 - Configuration Tool Window
For details on how to complete this window, see “How to Create a Configuration File”
on page 42.
PIN Policy Tool
With the PIN Policy tool the administrator sets the PIN policy for a particular end user.
The parameters to be set for a PIN policy include specifications for minimum and
maximum PIN lengths, characters allowed or not allowed, the use or not of repeated
patterns for PINs, and the use or not of weak PINs.
When you have set all the parameters for a policy, you save them in a PIN policy file.
You can therefore use this tool to save new policies or modify existing policies.
Policy files contain the settings for each type of PIN: User, Admin and IdenTrust.
PIN policies are used later when setting up user profiles in User Setup.
To access the PIN Policy Tool:
In the Software Administration folder, click the PIN Policy icon. This displays the
default PIN policy as shown in “Figure 26”.
Figure 26 - PIN Policy Window
For details on how to complete this window, see “How to Create a PIN Policy File” on
page 45.
User Setup
With the User Setup you determine what will be included in the user setup for a
particular end user. There are three windows in all, and you click Next in a window to
access the next one.
In the first window, you choose the following:
■ The tools that are to be made available for the user
■ The cards/tokens that can be used
■ The Cryptographic modules that will be allowed
■ The language in which the user interface will display.
In the second window, you choose the following:
■ The appearance of the toolbox
■ The configuration file
■ The PIN policy file
In the final window you choose the following:
■ The name and location for your setup
■ Whether the setup is 32-bit or 64-bit.
Note: It is not possible to have a different value for the User's minimum-maximum PIN
length and Admin's minimum-maximum PIN length when users use the PINPad
reader. In this case, only the User's minimum-maximum PIN length can be set.
To access the User Setup:
In the Software Administration folder, click the User Setup icon. This displays the
default user setup as shown in “Figure 27”.
Figure 27 - User Setup First Window
For details on how to complete this and the other User Setup windows, see “How to
Select the Modules for a User Setup” on page 46.
Diagnostic/Help Folder
The Diagnostic/Help folder contains the Diagnostic Tool which is used to
troubleshoot any problems you may encounter when using Classic Client and the
Documentation plug-in which contains all the relevant documentation.
Diagnostic Tool
The Diagnostic Tool is used to examine all components of the Classic Client installation
to determine if there are problems using Classic Client. The Diagnostic Tool is then
able to diagnose where potential problems may be.
Figure 28 - Diagnostic Tool Window
Expand the folders to reveal further items. Click an item in the top pane to display
information about that component in the lower pane.
From the Diagnostic Tool window you can view the status of the program. The
Diagnostic Tool provides the following:
■ System Information
■ PKCS#11 registry values and files
■ Classic Client product information
■ Classic Client registry values
■ Status of the Classic Client installation files (executables, dynamic link libraries)
Note: For 64-bit OS, there are two registry folders “Registry” (for the 32-bit values)
and “Registry 64” (for the 64-bit values).
The following table provides a key to the symbols found in the Diagnostic Tool.
Table 1 - Diagnostic Tool Icons
– PC icon: shows details about the operating system of the Classic Client installation.
– Green magnifying glass icon: the registry item is stored and functioning correctly.
– Red magnifying glass icon: the registry item is absent. In this case, you should remove the current installation of Classic Client and re-install it.
– Blue magnifying glass icon: the registry item is optional.
– File icon with a green tick: the file or DLL is installed and functioning correctly.
– White cross on a red background: the file does not correspond to a known version. In this case, you should reinstall Classic Client.
– File icon with a question mark: the file could not be read or is an unexpected version.
– Blue arrow: more information is available.
To generate a status report of the application click Save report as. From the Save as
window save the .txt file to a suitable location.
Smart Card/Token and Reader Diagnostics
You can also view the smart card/token and smart card reader properties using the
SmartDiag Tool.
The SmartDiag Tool verifies the availability of the following:
■ Operating system services that allow smart card/token support
■ Smart card readers
■ Smart cards/tokens
The tool also reports any software or hardware problems and gives troubleshooting
information. If the displayed information still does not solve the problem, you can
generate a diagnostic report. This report will be required if you ask Technical Support
for help.
Note: SmartDiag tests only the smart card’s/token’s basic functionality. It does not test
the suitability of your smart card/token for use with a specific application.
To use the Gemalto SmartDiag Tool
1 Open the SmartDiag Tool using one of the following ways:
– In the Diagnostic Tool window (see “Figure 28” on page 28) click Smart card and readers diagnostics.
– Navigate through Start > Programs > Gemalto > SmartDiag > SmartDiag.exe.
This opens the Welcome window as shown in “Figure 29”.
Figure 29 - SmartDiag Welcome Window
2 Click Start to begin a diagnostic session. The SmartDiag Tool begins a diagnostic session to examine possible problems with the installation of the smart card reader or the smart card/token used.
There are three possible outcomes:
– Passed
– Failed
– Warning
3 If all components are as they should be, the following dialog appears.
Figure 30 - SmartDiag Passed Window
a) If the result is Warning, it is recommended that you click Advanced View to
obtain all the details.
The Advanced View provides information on the smart card/token sub-system and
the program's management facility.
The Advanced View’s purpose is to give a real-time status and description of smart
card/token related resources. This can be particularly useful to reveal obscure and
low-level problems, or to identify the version of various software and hardware
smart card/token components.
The window shown in “Figure 31” is displayed.
Figure 31 - SmartDiag Advanced Window
From the Gemalto SmartDiag window you can view the status and other
information about:
– Smart card readers and smart cards/tokens
– Services (application compatibility, reader identification)
– System (Resource Manager, driver library, Smart Cards Database).
By expanding the folders and selecting the required node, the information for each
is displayed in the right frame.
A blue question icon indicates that there is no smart card/token inserted in the smart
card reader or there is an error reading the smart card/token.
To generate a status report of the information, from the Report menu choose
Generate. From the Save as window save the .txt file to a chosen location.
Reports saved in this way, as text (.txt) files, may be valuable should you need to
communicate with your Technical Support department.
Note: For more information about using the SmartDiag Tool, navigate to the Help
drop-down list to access the SmartDiag online help.
Click Close to quit the tool.
b) If the outcome of the diagnostic session is Failed, read the accompanying
message carefully. It explains the most probable source of the problem and
how to get your smart card and reader working. In addition, you can generate a
diagnostic report by clicking on Get Assistance. This displays the window
shown in “Figure 33”.
Figure 32 - SmartDiag Failed Window
Figure 33 - SmartDiag Getting Technical Assistance Window
Product Support
If you experience problems getting your smart card/token or reader to work, and the
advice given by SmartDiag does not solve the problem, please contact your Gemalto
representative (refer to “For Further Help” on page x). You may want to generate and
send a diagnostic report that your Gemalto representative will need in order to help
you.
Documentation
The Documentation plug-in contains all the documentation associated with the
product. This is available only if the administrator chose to include it when creating the
user setup.
To open the documentation:
1 Click Documentation to open the Documentation window.
2 Expand the Classic Client folder to display the available documents, as shown in the following figure.
Figure 34 - Documentation Window
3 Double-click the document that you want to open.
3 The Registration Tool
If the Registration Tool is installed, it automatically starts when you start Windows.
Note: When the Registration Tool is installed, each smart card reader connected to
the computer is represented by a card reader icon in the system tray.
When a smart card/token is connected, the Registration Tool automatically reads the
data on the card/token and attempts to register any certificates for CAPI applications
that it finds on the card/token.
When you remove a card/token, the Registration Tool removes the certificates from the
IE store.
In Windows XP and Server 2003, there is an equivalent Microsoft application that
registers certificates. However, unlike the Registration Tool, it does not remove the
certificates from the IE store when you remove your card/token.
In Windows 8/7/Vista, Server 2008 and Server 2008 R2, if the Registration Tool is
present, Classic Client deactivates the equivalent Microsoft tool.
For all the versions of Windows that are supported, the Registration Tool interrogates
Classic Client’s CSP security module in order to recognize a card. If this CSP module
does not recognize it, the Registration Tool then interrogates the Microsoft Base CSP.
This enables Classic Client to recognize more cards.
The tool’s status is reflected by changes that appear in the Registration Tool icon in the system tray:
Table 2 - Registration Tool Status Icons
– Registration Tool icon: no card/token is connected.
– Registration Tool icon with a card inserted in the reader: no certificates are on the card/token.
– Registration Tool icon with a card inserted: there are registered certificate(s).
– Registration Tool icon with a green box over the card end: the tool is in Pause mode.
– Registration Tool icon with a red X over the reader: no card reader is detected.
You can display information about the reader and the card/token in it by hovering the
mouse over the icon in the system tray as shown in “Figure 35”.
Figure 35 - Registration Tool Icon in the System Tray
Contextual Menu
The tool has no interface, as it functions automatically. However, the user can interact
with the tool by right clicking on the icon so that the tool displays a contextual menu
from which to choose actions to take with the tool, as shown in “Figure 36”, and
explained below.
Figure 36 - Registration Tool Right-Click Action Options
Launch Toolbox
Selecting Launch Toolbox will open the Classic Client Toolbox if this has been included
in the user setup and is available. If it is already open, a dialog appears.
Figure 37 - Classic Client Toolbox Active
Start/Pause
Selecting Start/Pause allows the user to manually start and pause the Registration
Tool without having to remove the card/token, which may be useful if other applications
need exclusive access to the card/token. Select this option again to restart the tool.
Stop
Selecting Stop allows the user to manually stop the Registration Tool without having to
remove the card/token. To restart the Registration Tool, use the Start menu as described
in “Restarting the Registration Tool” on page 37.
About
Selecting About displays information about the Registration Tool, as shown in “Figure
38”.
Figure 38 - “About” the Reg Tool
Restarting the Registration Tool
If you stopped the Registration Tool and want to restart it, you need to do this from the
Start Menu, by choosing Start > Programs (or All Programs) > Gemalto > Classic
Client > Reg Tool.
Registration Tool Management of Certificates
If the Registration Tool finds any CA certificates in the card/token, it will ask you for
confirmation that you want to install (or register) them. This is a precaution because by
installing a CA certificate, Windows will automatically trust any certificate issued by that
CA. This confirmation appears as a security warning, as shown in “Figure 39” on
page 37.
Figure 39 - Registration Tool: Install Certificate
Note: The above screen only appears for CA certificates.
Click Yes to install the certificate to the IE Certificate store, or No to not install the
certificate at this time.
If you close the card/token session (remove the card/token), and then reinsert the card/
token, the tool again offers you the choice to install any unregistered certificates it
finds.
Note: If you are working on a Citrix workstation, the Registration Tool is not installed
on your workstation. You can register or install certificates without the Registration
Tool by using the Certificates Tool (if your Citrix administrator has included the tool in
the distributed end user setup).
Forced Change PIN
The Registration Tool may detect that the User PIN in the card/token must be changed.
There are two main reasons for this:
■ The card/token is a brand new card/token whose PIN has not yet been initialized.
■ The card/token has had its User PIN reset by the administrator, for example because it was blocked, and the administrator has set Force User to Change PIN.
In either case, when you connect the card/token a Change PIN dialog appears as
shown in “Figure 40”.
Figure 40 - The Reg Tool Change PIN Screen
Enter the values, and when all the rules on the right show green ticks, click Change
PIN.
For details about forced PIN changes when using a PIN Pad reader, see “Forced PIN
Change with the PIN Pad Reader” on page 65.
4 Administration Tasks
This chapter discusses information related to specific tasks that you will most often be
required to carry out when using the Classic Client software and where to find the
information about them. These tasks are:
■ Authenticating Yourself
– “How to Log in to the Toolbox Using a User PIN” on page 40
– “How to Log in to the Toolbox Using a Fingerprint” on page 41
■ User Setups
– “How to Create a Configuration File” on page 42
– “How to Create a PIN Policy File” on page 45
– “How to Select the Modules for a User Setup” on page 46
– “How to Deploy a User Setup” on page 53
■ PIN Management
– “How to Change an Administration PIN” on page 53
– “How to Change a User PIN or IdenTrust PIN” on page 54
– “How to Check The PIN Ratification Counter” on page 56
– “How to Unblock a User PIN” on page 56
– “How to Remotely Unblock a Connected Smart Card/Token” on page 57
■ Using a PIN Pad Reader with Classic Client
– “How to Log in with a PIN Using a PIN Pad and the Toolbox” on page 60
– “How to Change an Admin PIN with a PIN Pad and the Toolbox” on page 61
– “How to Change a User PIN or IdenTrust PIN with a PIN Pad and the Toolbox” on page 61
– “How to Unblock a User PIN or IdenTrust PIN with a PIN Pad and the Toolbox” on page 63
■ Managing Certificates
– “How to Import a Certificate” on page 66
– “How to Export a Certificate” on page 72
– “How to Set Certificates as Default” on page 74
– “How to Register Certificates to the IE Store Manually” on page 74
– “How to Display Certificate Details” on page 76
– “How to Erase Certificates (PKCS#11 Objects)” on page 76
■ ECC Management
– “How To Display the PKCS#15 Files” on page 78
– “How To Export the PKCS#15 Files to an XML File” on page 79
– “How to Read and Update Personal Data” on page 79
– “How to Change the Signature PIN” on page 85
In addition, the following tasks related to using Windows are described in the
Classic Client User Guide:
– “How to Use Windows Secure Logon”
– “How to Use E-mail Securely”
– “Viewing Secure Web Sites”
Authenticating Yourself
For certain operations, Classic Client will ask you to authenticate yourself, for example
when using SSL authentication to access a secure web site, sign an e-mail or to
perform an operation in the Classic Client toolbox. There are several ways of doing
this:
■ Enter a PIN code using the computer’s keyboard when prompted by the application demanding authentication. An example is given using the Classic Client toolbox in “How to Log in to the Toolbox Using a User PIN”.
■ Enter a PIN code using a PIN Pad reader. As PIN Pad readers are a special type of reader, the PIN Pad tasks have been grouped together in “How to Use a PIN Pad Reader with Classic Client” on page 60. An example of how to log in to the toolbox by entering a PIN code using a PIN Pad reader is given on page 60.
■ Scan a fingerprint on a fingerprint scanner connected to the computer. An example is given using the Classic Client toolbox in “How to Log in to the Toolbox Using a Fingerprint” on page 41.
Logging in to the Toolbox
You only need to log in to the toolbox once in the session to access all the tools within
it. If the User PIN entry or fingerprint verification is correct, the padlock icon changes
from closed to open to indicate a successful login.
Note: If the use of a tool is not possible even after logging in, this tool is not available
to you.
How to Log in to the Toolbox Using a User PIN
This is the more common way of logging in to the toolbox.
To log in to the Toolbox Using a User PIN:
1 Make sure that the smart card/token is connected.
2 In the Classic Client Toolbox, click Certificates in the Card Contents folder, to display the following window:
Figure 41 - Certificates Window (Not Logged in with PIN Code)
3 In PIN Code, enter the User PIN and click Login.
How to Log in to the Toolbox Using a Fingerprint
If you are using cards that contain the IAS Classic Applet V3 and the Match On Card
(MoC) applet, and a fingerprint scanner is connected to the computer, then fingerprint
authentication is used instead of PIN authentication.
To log in to the Toolbox Using a Fingerprint:
1 Make sure that the fingerprint scanner is connected, as well as the smart card reader if the scanner does not have a physical smart card slot.
2 In the Classic Client Toolbox, click Certificates in the Card Contents folder, to display the following window:
Figure 42 - Certificates Window (Not Logged in with Fingerprint)
3 Click Login. A window displays showing two hands and indicating the fingers that can be used for authentication (those that are stored in the card), as shown in the following figure:
Figure 43 - Fingerprint Verification Prompt
4 Choose the finger you want to use for the authentication by clicking the option button next to the corresponding finger.
5 Place the finger on the scanner. If successful, the fingerprint window disappears and you are logged in to the toolbox.
User Setups
Each user setup requires the following:
■ A configuration file
■ A PIN policy file
■ A selection of modules that determine what is available to the end user such as the language in which the toolbox will appear and the cards, tools and cryptographic modules that are to be available to the user.
Each of these can be created by using a specific tool in the Software Administration
folder.
How to Create a Configuration File
The Configuration file determines the user’s rights.
To create a configuration file used for the user setup:
1 Click the Configuration tool icon in the Software Administration folder to display the Configuration tool interface as shown in “Figure 44”.
Figure 44 - Configuration Tool
If you want to use or view a previously defined configuration, for example one that
closely resembles the one you want to create, click Browse in the File Selection
area and navigate to the required file. In this case the check boxes in the window
reflect the values in the file you selected. Configuration files have a .gsl suffix.
2 Check or clear the check boxes in the Configuration as required:
Certificate Features
Note: The configuration you choose applies only to the toolbox’s “Certificates” Plug-in,
and to no other application that accesses the card/token.
a) User can erase objects on the card lets the user erase PKCS#11 objects,
that is certificates and their associated keys and data, on the smart card/token.
It is not recommended that this option be systematically given to the end user.
b) Import / export certificates allowed lets the user manage certificates on the
smart card/token. This makes it easy to manage certificates that are in an IE
certificate store, as well as allowing importing from and exporting to certificate
files.
PIN Management Features
Note: The configuration you choose applies only to the toolbox’s “PIN Management”
Plug-in, and to no other application that accesses the card/token.
c) User can unblock card allows the user to unblock his or her own smart card/
token.
Note: Checking User can unblock card is NOT recommended in a user
setup because it means that the administrator would have to give the
administration PIN to the user thus creating a security risk. This permission
should only be authorized to the user if your security policies specifically
require that the user must be able to unblock his or her own smart card/token
locally without outside intervention.
d) User can remotely unblock connected card allows the user to unblock his or
her smart card/token by a simple telephone call to the help desk. This option
means a user can unblock a smart card/token without explicit knowledge of the
Admin PIN.
Note: For this option you will need an additional software tool in order to
generate encrypted PINs. Gemalto can develop this tool with you. Remote
unblocking is explained in “How to Remotely Unblock a Connected Smart
Card” on page 68.
e) Change User PIN(s) allowed; this specifies that the user can change his or
her PIN at any time. It is independent of the Change PIN popup allowed used
to initialize a PIN (first use and first use after PIN is unblocked). That popup is
the one under Certificate Registration Tool Feature.
f) Change Admin PIN allowed; this specifies that the user can change the
Admin PIN.
Note: Checking Change Admin PIN allowed is NOT recommended in a user
setup. It should only be used for the administrator setup if he needs to change
the Admin PIN of his or a user’s smart card/token.
Certificate Registration Tool Features
Note: The configuration you choose applies only to the Registration Tool, and to no
other application that accesses the card/token.
g) Certificate registration allowed; if checked, the registration tool checks the
card/token automatically for certificates and registers any that it finds in the IE
store.
h) Change PIN popup allowed; if checked, the registration tool checks the User
PIN in the card/token and automatically forces the user to change the User PIN
value if it has not been initialized. It does this by displaying a Change PIN
window.
Note: Initializing a PIN means changing its value the first time it is used or the
first time after it has been unblocked by the administrator.
Classic Client Toolbox Feature
i) Display timeout(ms) lets the administrator determine how long (in
milliseconds) the Splash screen will be displayed. The default configuration is
3000 ms.
3 Click Save as, navigate to the required location for the file, enter the required file
name, and press Save to create a new configuration file.
To modify an existing configuration file:
1 Click the Configuration tool icon in the Software Administration folder to display the Configuration tool interface as shown in “Figure 44” on page 43.
2 Click Browse in the File Selection area and navigate to the file to be modified. The check boxes in the window will reflect the current values in the file.
3 Check or clear the check boxes in the Configuration as required.
4 Click Save.
How to Create a PIN Policy File
As its name implies, the PIN policy file determines the rules that must be respected for
PINs.
Note: Make sure you respect the technical restrictions of the smart cards/tokens that
users have when you define the PIN policy. For example, some smart cards/tokens or
their on-board software have a minimum PIN length of 6 characters, while others have
a minimum length of 4 characters.
Note: The PIN policy applies only to the PKCS#11 and CSP layer of the PC on which
Classic Client is installed. It is ignored if you use the same card on a different PC that
does not have this policy, or if the card is accessed by a different PKCS#11 or CSP
layer on the same PC.
To create a user PIN policy used for the user setup:
1 Click on the PIN Policy tool icon in the Software Administration folder to display the PIN Policy tool interface as shown in “Figure 45”.
Figure 45 - PIN Policy Tool
2 If you want to use an existing policy file on which to base your new file, click Browse in the File Selection area and navigate to the previously created PIN policy file. The window reflects the values in the file you selected. PIN policy files have a .ppc suffix.
3 In PIN select the type of PIN whose policy you want to define.
For each User Setup, there are up to three types of PIN (User, Admin or IdenTrust). The PIN types available depend on the type of card/token used and your organization’s security policy.
4 Check Enable PIN Policy and select items according to the following:
– PIN minimum length: enter the required minimum PIN length value in the field; this must be 4 or greater.
– PIN maximum length: enter the required maximum PIN length value in the field; the maximum length depends on the card/token.
– Numeric only specifies that the user can enter only numbers for the PIN.
– Alphabetic AND numeric specifies that the user MUST include both letters AND numbers for the PIN.
– Upper AND lower cases specifies that the user MUST include both upper case AND lower case letters for the PIN.
– Different from previous one specifies that the user MUST enter a PIN that is different to the previous PIN defined. This only applies to the Change PIN option.
– No repeated pattern specifies that the user MUST enter a PIN that does not contain repeated characters; for example, the PIN cannot be “6666”, “qwqw”, “zzzz”, and so on.
– Check weak PIN forbids the user from using any of the PINs in the weak PIN list.
If you checked the box Check weak PIN, you need to define a list of weak PINs in
the Weak PIN list.
A weak PIN can be any value that you consider to be insecure because it is easy to
guess, for example the name of the organization or “1234” or another sequential list
of numbers or letters.
To add a value to the Weak PIN list, enter it in Weak PIN and click Add. The value
appears in Weak PIN list.
To remove a value from the Weak PIN list, select it and click Remove. The value
disappears from the list.
5 Repeat steps 3 and 4 for each PIN type.
6 Click Save as, navigate to the required location for the file, enter the required file name, and press Save to create the new PIN policy file.
To modify an existing user PIN policy file:
1 Click on the PIN Policy tool icon in the Software Administration folder to display the PIN Policy tool interface as shown in “Figure 45” on page 45.
2 Click Browse in the File Selection area and navigate to the previously created PIN policy file.
3 In PIN select the type of PIN whose policy you want to define.
4 If necessary check Enable PIN Policy and modify the settings. You can of course clear Enable PIN Policy if you want to disable an existing policy.
5 Repeat steps 3 and 4 for each type of PIN you want to modify.
6 Click Save.
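The following is an added example, not Gemalto’s code and not the .ppc file format: it applies the PIN policy rules listed above (minimum and maximum length, Numeric only, Alphabetic AND numeric, Upper AND lower cases, Different from previous one, No repeated pattern, Check weak PIN) to a candidate PIN and reports which rules it fails. The rule names, the reading of “repeated pattern” as any character or group immediately repeated, and case-insensitive matching of the weak PIN list are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class PinPolicy:
    """Policy for one PIN type (User, Admin or IdenTrust), mirroring the tool's check boxes.
    Field names are this example's own, not the .ppc file's keys."""
    enabled: bool = True
    min_length: int = 4          # the tool requires 4 or greater
    max_length: int = 8          # the real maximum depends on the card/token; 8 is a constructed value
    numeric_only: bool = False
    alpha_and_numeric: bool = False
    upper_and_lower: bool = False
    different_from_previous: bool = False
    no_repeated_pattern: bool = False
    check_weak_pin: bool = False
    weak_pins: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        # Reject an inconsistent policy before it is applied to any PIN.
        if self.min_length < 4:
            raise ValueError("PIN minimum length must be 4 or greater")
        if self.max_length < self.min_length:
            raise ValueError("PIN maximum length must not be below the minimum length")
        if self.numeric_only and (self.alpha_and_numeric or self.upper_and_lower):
            raise ValueError("Numeric only cannot be combined with letter-based rules")


# Assumption: a "repeated pattern" is any character or group of characters immediately
# followed by itself, which covers the guide's "6666", "qwqw" and "zzzz" examples.
_REPEATED = re.compile(r"(.+?)\1")


def validate_pin(pin: str, policy: PinPolicy, previous: Optional[str] = None) -> List[str]:
    """Return the names of the rules that `pin` violates; an empty list means the PIN is accepted.
    `previous` is the current PIN value and is only known during a Change PIN operation."""
    if not policy.enabled:
        return []
    failed: List[str] = []
    if len(pin) < policy.min_length:
        failed.append("min_length")
    if len(pin) > policy.max_length:
        failed.append("max_length")
    if policy.numeric_only and not pin.isdigit():
        failed.append("numeric_only")
    has_alpha = any(c.isalpha() for c in pin)
    has_digit = any(c.isdigit() for c in pin)
    if policy.alpha_and_numeric and not (has_alpha and has_digit):
        failed.append("alpha_and_numeric")
    has_upper = any(c.isupper() for c in pin)
    has_lower = any(c.islower() for c in pin)
    if policy.upper_and_lower and not (has_upper and has_lower):
        failed.append("upper_and_lower")
    # "Different from previous one" only applies to Change PIN, i.e. when a previous value exists.
    if policy.different_from_previous and previous is not None and pin == previous:
        failed.append("different_from_previous")
    if policy.no_repeated_pattern and _REPEATED.search(pin):
        failed.append("no_repeated_pattern")
    # Assumption: the weak PIN list (organization name, "1234", ...) is matched case-insensitively.
    if policy.check_weak_pin and pin.lower() in {w.lower() for w in policy.weak_pins}:
        failed.append("check_weak_pin")
    return failed


if __name__ == "__main__":
    # Constructed sample policy for a User PIN, with a constructed weak PIN list.
    user_policy = PinPolicy(min_length=6, max_length=12, alpha_and_numeric=True,
                            upper_and_lower=True, different_from_previous=True,
                            no_repeated_pattern=True, check_weak_pin=True,
                            weak_pins=frozenset({"1234", "Gemalto"}))
    for candidate in ("Ab3xY9", "6666", "qwqw12", "Zq1wE7"):
        print(candidate, "->", validate_pin(candidate, user_policy, previous="Zq1wE7") or "accepted")
```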
How to Select the Modules for a User Setup
(For users of Windows Vista and later, you must run the Toolbox application in
Administrator mode to allow file modification. To do so, navigate to
Start > All Programs > Gemalto > Classic Client > Classic Client Toolbox, right-click
it, and then click “Run as administrator”. When prompted to allow the program to make
changes to your computer, click the Yes button.)
To select the modules and define the User Setup:
1 Click the User Setup tool icon in the Software Administration folder to display the User Setup tool window.
Figure 46 - User Setup
2 If you want to use an existing User Setup on which to base your new one, click Browse in the File Selection area and navigate to the previously created User Setup. The window reflects the values in the file that you select. User Setup files have an .msi suffix.
3 In the Readers area check the options as required:
– SmartDiag; Checking this option provides the end user with the SmartDiag Tool that can be used to view the smart card/token and reader information for use in troubleshooting (see “Smart Card/Token and Reader Diagnostics” on page 29).
Note: Checking this option automatically checks the Drivers option because the SmartDiag tool requires at least one driver.
– Drivers; The Drivers option specifies the reader drivers to be installed for the user setup. For a list of supported readers, please refer to the Release Notes. Check this option to display the list of drivers. Scroll down the list and select the drivers to be installed for the user setup.
Note: Unless you know that your user already has the correct drivers for his or her readers, Gemalto recommends that you install drivers using this feature.
Note: For the readers PC Express Reader, USB Shell Token V2 and PC Twin Reader, choose the driver called “CCID Readers”.
Note: When the Registration Tool is installed, each smart card reader connected to the computer is represented by a card reader icon in the system tray.
4 In the Tokens area check the boxes corresponding to your types of cards/tokens and their installed applets as required. You can choose any combination of tokens, but you must choose at least one. Gemalto strongly recommends that you choose only those cards/tokens that your system is going to use.
Note: For Classic Applets v2 and v3, select the IAS Classic application check box.
For the IAS ECC applet, select the IAS XL application check box.
5 In the Custom Key area, select the check box if you want to set a custom key. (This option is only available when the IAS Classic application check box is selected in the Tokens area.)
6 In the Biometrics area, check the box if you want to include the BioPIN feature. This option is disabled by default and is only enabled when the IAS Classic Application token is selected.
Note: Biometric support requires an additional license that is not covered by the
standard Classic Client license. You can obtain this license at an extra cost from
Gemalto.
7 In the Classic Client Toolbox area, choose the tools that are to be made available to the user. Checking a box makes the corresponding tool appear in the User’s Toolbox.
Table 3 - Toolbox Options
Tool / Folder / Purpose
Certificates / Card Contents / Allows the user to manage certificates on the smart card/token.
Card Properties / Card Contents / Allows the user to view information associated with a particular smart card/token.
PIN Management / Card Administration / Allows the user to make changes to the PIN or unblock a blocked PIN.
Documentation / Diagnostic/Help / Allows the user access to the Classic Client Documentation. The user setup generally includes the Classic Client User Guide.
PKCS#15 / ECC Management / Allows the user to browse the PKCS#15 file structure and save it as an XML file.
Personal Data / ECC Management / Allows the user to read and update identity data in IAS ECC cards.
Diagnostic Tool / Diagnostic/Help / Troubleshoots common issues.
Note: All these tools except the PKCS#15 and Personal Data tools are strongly
recommended in a user setup, as they allow the user to perform basic tasks with
smart cards/tokens, but they are not mandatory.
The PKCS#15 and Personal Data tools are not recommended for a user setup as
they can be used only with IAS ECC sample cards. If you do choose to include
them, be aware that their use is documented only in this Administration Guide,
not in the User Guide.
Selecting any of the first four plugins automatically selects the Diagnostic Tool.
8 In the Tools area check the option as required:
Checking the box Registration Tool includes the Registration Tool in the User
Setup. The Registration Tool performs two functions (according to the
configuration):
– It allows the user to register certificates to the IE store automatically, see
Chapter 4 - “The Registration Tool”. If you select it, the CSP option in the
Crypto Modules section is mandatory and automatic.
– It reminds the user to change his or her PIN if the PIN is not initialized. It does
this by displaying a Change PIN pop up window.
9 In the Crypto Modules area, the PKCS#11 Crypto module is mandatory in a user
setup and selected for you. You can additionally select the following check boxes:
– CSP: The Cryptographic Service Provider (CSP) module allows the use of the
IE Certificate Store and smart card/token logon. If your user uses Mozilla tools
only, including it in a user setup is optional.
If you select the Registration Tool option in the Tools section, including the
CSP module is mandatory and automatic.
– Minidriver R/O: This option sets the Registration Tool to use the Minidriver
(read-only) instead of CSP when propagating the certificates.
10 In the Languages area, choose the interface language of use for the end user.
Languages supported are English, Chinese (simplified and traditional), Czech,
Dutch, French, German, Hungarian, Italian, Japanese, Latvian, Polish, Portuguese,
Spanish, Slovenian, Swedish, and Turkish.
11 Click Next to access the User Setup creation options, as shown in “Figure 47”.
Figure 47 - User Setup
12 If you checked at least one box in the Classic Client Toolbox panel of the
preceding window (refer to step 7 on page 48), the Classic Client ToolBox
Customization option is available. This allows you to customize the appearance of
the Toolbox in the User Setup as follows:
a) Check the box(es) for the aspects that you want to change. Checking a box
activates its corresponding Browse button.
b) Click the Browse button and select the file containing the option, for example
containing the Splash screen.
The four features that you can change are:
– Splash screen. This is the picture of the man in the deck chair that appears
when you start the Toolbox (also shown on the front cover of this document).
– Background. This is the pattern that appears as background to some
windows, as shown in “Figure 15” on page 16.
– Small background. This is the pattern that appears as background on the left
in some windows, as shown in “Figure 16” on page 18.
– Title. This is the image that appears in the top left of the toolbox (the Classic
Client Toolbox logo in “Figure 47”).
Caution: The images used for these four features must be in .bmp format and their
size (in pixels) must be as follows:
■ Splash screen: Width 450 x Height 286
■ Background: Width 558 x Height 368
■ Small background: Width 210 x Height 369
■ Title: Width 150 x Height 49
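As an added check for this step (example code, not part of Classic Client or this guide), the following Python script reads the BMP header of each customization image and compares its pixel size with the four required sizes above. The feature names in the mapping and the sample headers it builds are assumptions and constructed test input.

```python
"""Check the .bmp images for the Toolbox customization step.

Added example, not part of Classic Client or this guide: it reads the BMP
header and checks each image against the pixel size the Caution above
requires for its feature, so a wrong file is rejected before the User
Setup is created. The sample headers are constructed test input.
"""
import struct

# Required (width, height) in pixels per Toolbox feature, as listed above.
# The feature keys are an assumption of this example.
REQUIRED_SIZES = {
    "splash": (450, 286),
    "background": (558, 368),
    "small_background": (210, 369),
    "title": (150, 49),
}


def bmp_dimensions(data: bytes) -> tuple:
    """Return (width, height) for raw BMP bytes, or raise ValueError.

    Reads only the fixed header: the 'BM' signature, the DIB header size
    at offset 14, then width/height at offset 18 (16-bit for the old
    BITMAPCOREHEADER, signed 32-bit for BITMAPINFOHEADER and later). A
    negative height marks a top-down bitmap, so its absolute value is used.
    """
    if len(data) < 26 or data[:2] != b"BM":
        raise ValueError("not a BMP file (missing 'BM' signature)")
    dib_size = struct.unpack_from("<I", data, 14)[0]
    if dib_size < 40:
        width, height = struct.unpack_from("<HH", data, 18)
    else:
        width, height = struct.unpack_from("<ii", data, 18)
    if width <= 0 or height == 0:
        raise ValueError("BMP header has invalid dimensions")
    return width, abs(height)


def check_toolbox_image(feature: str, data: bytes) -> tuple:
    """Validate one image against its feature; returns (ok, message)."""
    required = REQUIRED_SIZES[feature]
    try:
        actual = bmp_dimensions(data)
    except ValueError as exc:
        return False, f"{feature}: {exc}"
    if actual != required:
        return False, (f"{feature}: image is {actual[0]}x{actual[1]}, "
                       f"must be {required[0]}x{required[1]}")
    return True, f"{feature}: OK ({required[0]}x{required[1]})"


def check_all(images: dict) -> list:
    """Check a {feature: bytes} mapping; returns the messages of all failures."""
    problems = []
    for feature, data in images.items():
        ok, message = check_toolbox_image(feature, data)
        if not ok:
            problems.append(message)
    return problems


def make_bmp_header(width: int, height: int) -> bytes:
    """Constructed 54-byte BITMAPFILEHEADER + BITMAPINFOHEADER (no pixel data)."""
    row_bytes = (width * 3 + 3) & ~3            # 24-bit rows padded to 4 bytes
    image_size = row_bytes * abs(height)
    file_header = struct.pack("<2sIHHI", b"BM", 54 + image_size, 0, 0, 54)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                              image_size, 2835, 2835, 0, 0)
    return file_header + info_header


if __name__ == "__main__":
    samples = {
        "splash": make_bmp_header(450, 286),
        "background": make_bmp_header(558, 368),
        "small_background": make_bmp_header(210, -369),   # top-down BMP
        "title": make_bmp_header(150, 50),                # one pixel too tall
    }
    for problem in check_all(samples):
        print(problem)
```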
13 In the File Selection area, use the two Browse buttons and select:
– the configuration file
– the PIN policy file
14 Click Next to access the custom key options, as shown in “Figure 48”.
If no custom key was previously applied to the administrator setup, then the first
option is not available for selection. Otherwise, you can select the first option to use
an existing custom key for the setup.
Figure 48 - Custom Key Options
Note: To apply or reset the custom key in Windows Vista and later, you must run the
Classic Client Toolbox application in the Administrator mode to allow file modification.
To do so:
a) Quit the Classic Client Toolbox application if it is currently running.
b) In Windows Explorer, browse to the installation folder for Classic Client
Toolbox. The default path is “C:\Program Files\Gemalto\Common\Classic
Client Toolbox”.
c) Right-click the icon of the Toolbox application (GSTOOLBOX.EXE), and then
click “Run as administrator”.
d) When prompted to allow the application to make changes to your computer,
click the Yes button.
15 To apply a custom key to the setup, follow these steps:
a) Ensure that the Specify another custom key to use option is selected.
b) In the text box, enter a 16-byte custom key in hexadecimal format.
If the text box is left blank, a generic key is used instead.
c) Click the Apply Key button.
If you want to remove any applied custom key, click the Reset Key button.
16 Click Next. This displays the final User Setup window as shown in “Figure 49”.
Figure 49 - Create Setup
17 In Setup Name, enter a name for the setup. This creates a setup folder of the
name you choose.
18 In Setup Path, choose the path to the location where you want to save the user
setup. You can either leave the location that displays by default or click Change
Path and browse to another location.
19 In Setup Creation, check one of the boxes 32-bit setup or 64-bit setup
depending on your operating system.
Note: You cannot install a 32-bit setup on a 64-bit OS or vice-versa.
The following table lists the types of setup for various OS and applications.
Table 4 - Operating Systems and Applications
Operating System                 Bits
Windows 8                        32 and 64
Windows 7                        32 and 64
Windows Vista SP1 and SP2        32 and 64
Windows XP Home (SP2 and SP3)    32
Windows XP Professional (SP2)    32 and 64
Windows XP Professional (SP3)    32
Windows Server 2003 R2 SP2       32 and 64
Windows Server 2008              32 and 64
Windows Server 2008 R2           64
20 Click Create Setup to create and save the User Setup in the location you specified
in the previous step.
A confirmation message is displayed once the user setup creation has completed.
Figure 50 - User Setup Creation Complete Confirmation
21 Click OK.
To modify an existing User Setup:
1 Click on the User Setup tool icon in the Software Administration folder to
display the User Setup window as shown in “Figure 46” on page 47.
2 Click Browse in the File Selection area and navigate to the User Setup you want
to modify. The window displays the values in the file you selected.
3 Make any modifications you want in the first window (“Figure 46” on page 47), then
click Next.
4 Make any modifications you want in the second window (“Figure 47” on page 49),
then click Next.
5 In the final window (“Figure 49” on page 51), make sure you enter the same Setup
Name and Setup Path as your original file.
6 Click Create Setup to save your changes to the User Setup.
A confirmation message is displayed once the user setup creation has completed.
7 Click OK.
To delete an existing User Setup:
In Windows Explorer, physically delete the .msi file for the setup that you want to
delete.
How to Deploy a User Setup
Deploying User Setup Packages
When the end-user setup is created, it can be either automatically deployed using
parameters for the silent installation, or placed on a network available to the end user.
The installation options for the end user are summarized as follows.
Silent Installation
In the “silent” installation, the user setup is deployed to the user’s computer by the
administrator without any action on the part of the end user.
The administrator can deploy the user setup in the following manner:
In the Command Prompt dialog enter:
msiexec.exe /qn /i Classic_Client_32_User_setup.msi
Note: If your user has a 64-bit OS, remember the .msi file is
Classic_Client_64_User_setup.msi
Network Availability
The end user setup is made available to the user on a local network. In order to install
Classic Client, the user navigates to the folder on the local network in which the user
setup has been stored. The user clicks on the setup executable and the installation
automatically begins.
Including a REG File with the Setup
If you want to customize the registry values for your users, you can include a .reg file
with the Classic Client User Setup. This .reg file is executed when you execute the
User setup.msi file. You just have two points to remember:
■ The .reg file must be called ClassicClient.reg
■ The .reg file must be located in the same directory as the “User setup.msi” file.
PIN Management
PIN policies are established according to an organization’s security policy, but they are
also established in relation to the particular type of smart card/token you use and the
on-board software the card/token features. For example, some cards/tokens allow a
user PIN to be a minimum of 4 characters, and other cards/tokens allow a minimum of
6 characters. Please see your card/token documentation for more information.
How to Change an Administration PIN
Use the PIN Management tool to change the administration PIN for a smart card/token.
This operation must be performed either on a PC with the administrator setup of
Classic Client or a user setup version with the “Change Admin PIN allowed” access
rights (see “How to Create a Configuration File” on page 42). For simplicity, the
following procedure just says “administrator’s PC”.
To change an Admin PIN
1 Connect the smart card/token whose Admin PIN you want to change to the
administrator’s PC.
2 Click on the PIN Management tool icon in the Card Administration folder;
the PIN Management tool interface is displayed in the right hand area of the GUI.
Note: The Classic Client padlock icon is either open or locked to indicate whether
you are logged in or not. You do not have to log in in order to change a PIN.
3 From the PIN Management Tool, choose the Change PIN option (see “Figure 22”
on page 23) and click Next. The window shown in “Figure 51” appears:
Figure 51 - Change PIN Window
4 In the PIN section, select the type Admin (instead of User). The options available
depend on the PINs that exist in the card/token.
PIN Policy in the right pane displays your organization’s policy for Admin PINs.
A tick or cross next to each rule tells you whether your New PIN value respects
that rule.
The PIN Policy is set using the PIN Policy tool in the Software Administration
folder, see “How to Create a PIN Policy File” on page 45.
5 Enter the current PIN value in Current PIN, and the new value in New PIN.
6 If all the rules in PIN Policy display green ticks, re-enter the new value in Confirm
New PIN; otherwise choose a different value for New PIN until PIN Policy displays
only green ticks.
7 Click Change PIN. A pop-up window confirms a successful PIN change.
If the PIN change is unsuccessful, an error message is displayed with details of why
the operation failed.
How to Change a User PIN or IdenTrust PIN
Use the PIN Management tool to change the user PIN.
To perform this operation, your Classic Client setup must have been granted the
“Change User PIN allowed” access rights by your administrator.
To change a User PIN or IdenTrust PIN
1 Connect the smart card/token whose User PIN you want to change.
2 Click on the PIN Management tool icon in the Card Administration folder;
the PIN Management tool interface is displayed in the right hand area of the GUI. If
you don’t see the tool, you don’t have the rights to change the PIN.
Note: The Classic Client padlock icon is either open or locked to indicate whether
you are logged in or not. You do not have to log in in order to change a PIN.
3 From the PIN Management Tool, choose the Change PIN option (see “Figure 22 -
PIN Management Tool Window” on page 23) and click Next. The window shown
in “Figure 52” appears:
Figure 52 - Change PIN Window
4 In the PIN section, select the type User or IdenTrust. The options available
depend on the PINs that exist in the card/token and the rights given to you by the
Administrator in your User Setup.
PIN Policy in the right pane displays your organization’s policy for the type of PIN
chosen. A tick or cross next to each rule tells you whether your New PIN value
respects that rule.
The PIN Policy is set using the PIN Policy tool in the Software Administration
folder, see “How to Create a PIN Policy File” on page 45.
5 Enter the current PIN value in Current PIN, and the new value in New PIN.
6 If all the rules in PIN Policy display green ticks, re-enter the new value in Confirm
New PIN; otherwise choose a different value for New PIN until PIN Policy displays
only green ticks.
7 Click Change PIN. A pop-up window confirms a successful PIN change.
If the PIN change is unsuccessful, an error message is displayed with details of why
the operation failed.
How to Check The PIN Ratification Counter
Smart cards/tokens are protected against brute force PIN attacks by the
ratification counter. The counter decreases by one each time you enter a wrong PIN
code. When you enter the correct PIN, the ratification counter resets to its initial
(highest) value. However, if the ratification counter reaches zero, the PIN becomes
blocked.
Depending on the technology of the card/token and its on-board software features, it
may be possible to display the value of the PIN ratification counter.
To check the PIN ratification counter (for cards/tokens that allow this feature)
1 In the Card Contents folder, click Card Properties, select the reader and click
Next.
Figure 53 - Card Properties
2 The detail of the PIN ratification counter is in the lower left of the right pane. If you
do not see any numerical values for the counter, then the card/token does not
support this feature.
How to Unblock a User PIN
As Administrator you can use the PIN Management tool to unblock user smart cards/
tokens that have been blocked after repeated attempts to enter an incorrect user PIN.
This operation can be done at your “Administrator” PC with the blocked smart card/
token inserted in the attached smart card reader.
If your security policy allows it, a user’s smart card/token can also be unblocked by the
user if the user is in possession of the unblocking code (Admin PIN) and has been
given the rights to unblock the user card/token in the user setup. However, it is not
recommended the user be given the Admin PIN of the user card/token.
If you want your user to have the right to unblock the user card/token, but don’t want
the user to have the Admin PIN, you can provide the user the right to unblock the card/
token remotely. See “How to Remotely Unblock a Connected Smart Card/Token” on
page 57.
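The ratification counter described in “How to Check The PIN Ratification Counter” and the Admin PIN unblock described above, as an added Python model that is not Gemalto code: it shows the counter decrementing on a wrong PIN, resetting on a correct one, blocking at zero, and being reset by an unblock that sets a new User PIN and can force a change at first use. The retry limit of 3, the policy rules and all PIN values are assumptions made for the model, not product defaults.

```python
"""Model of the PIN ratification counter and the Admin PIN unblock.

Added example, not code from Classic Client or Gemalto. It models the
behaviour the guide describes: a wrong PIN decrements the counter, a
correct PIN resets it, the PIN blocks at zero, and an unblock with the
Admin PIN sets a new User PIN, resets the counter and can force a PIN
change at first use. The retry limit (3), the policy rules and the PIN
values are assumptions chosen for the model, not product defaults.
"""
import hmac


def policy_report(new_pin: str, current_pin: str, min_length: int) -> dict:
    """Evaluate a candidate PIN against a small (assumed) policy.

    Returns one True/False per rule, mirroring the ticks and crosses shown
    next to each rule in the PIN Policy pane. min_length is 4 or 6
    depending on the card/token, as the guide notes.
    """
    return {
        f"at least {min_length} characters": len(new_pin) >= min_length,
        "digits only": new_pin.isdigit(),
        "differs from current PIN": new_pin != current_pin,
        "not all the same digit": len(set(new_pin)) > 1,
    }


class CardPin:
    """One PIN (User, Admin or IdenTrust) with its ratification counter."""

    def __init__(self, value: str, max_tries: int, min_length: int,
                 initialized: bool = True):
        self._value = value
        self.max_tries = max_tries
        self.counter = max_tries          # ratification counter, starts full
        self.min_length = min_length
        self.initialized = initialized    # False: still the issued value
        self.must_change = not initialized

    @property
    def blocked(self) -> bool:
        return self.counter == 0

    def verify(self, candidate: str) -> str:
        """Present a PIN. Returns 'ok', 'wrong' or 'blocked'."""
        if self.blocked:
            return "blocked"              # card refuses even the right PIN
        # Constant-time compare; a real card does this on-chip.
        if hmac.compare_digest(candidate.encode(), self._value.encode()):
            self.counter = self.max_tries  # correct PIN resets the counter
            return "ok"
        self.counter -= 1
        return "wrong"

    def change(self, current: str, new: str) -> str:
        """Change PIN: the policy is checked before the current PIN is presented."""
        if not all(policy_report(new, self._value, self.min_length).values()):
            return "policy"
        result = self.verify(current)
        if result != "ok":
            return result
        self._value = new
        self.initialized = True
        self.must_change = False
        return "ok"


class Card:
    """A card/token with a User PIN and the Admin PIN that can unblock it."""

    def __init__(self, user_pin: str, admin_pin: str, user_min_length: int = 4):
        self.user = CardPin(user_pin, max_tries=3, min_length=user_min_length)
        self.admin = CardPin(admin_pin, max_tries=3, min_length=8)

    def unblock_user_pin(self, admin_pin: str, new_user_pin: str,
                         force_change: bool = False) -> str:
        """The Unblock PIN procedure: Admin PIN, New PIN, optional forced change."""
        if not all(policy_report(new_user_pin, self.user._value,
                                 self.user.min_length).values()):
            return "policy"
        result = self.admin.verify(admin_pin)  # a wrong Admin PIN burns its counter
        if result != "ok":
            return result
        self.user._value = new_user_pin
        self.user.counter = self.user.max_tries
        self.user.initialized = True
        self.user.must_change = force_change
        return "ok"


def guesses_before_block(card: Card) -> int:
    """How many wrong User PIN presentations the card tolerates before blocking."""
    tries = 0
    while not card.user.blocked:
        card.user.verify("0000" if card.user._value != "0000" else "1111")
        tries += 1
    return tries
```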
To unblock a PIN
1 Connect the blocked smart card/token to the PC.
2 Click on the PIN Management tool icon in the Card Administration folder;
the PIN Management tool interface is displayed in the right hand area of the GUI
as shown in “Figure 22 - PIN Management Tool Window” on page 23.
3 Check Unblock PIN and, if the list next to it is visible, choose Local.
4 Click Next. The window shown in “Figure 54” appears:
Note: The Unblock PIN option is available even if the card/token is not blocked.
However, it is only available if you were given the right to use it in the user setup.
Figure 54 - PIN Management Tool: Unblock PIN
5 In the PIN section, select the PIN you need to unblock. Depending on your rights
and the connected smart card/token, you can choose from User, Admin and
IdenTrust.
6 Enter the Admin PIN, the New PIN, and the Confirm New PIN in the areas
provided. Modify the New PIN value if the rules in PIN Policy display any red
crosses.
7 If required, check Force user to change PIN. This means that the user must
change his or her PIN the first time he or she tries to access his or her smart
card/token.
Note: Do not use the Force user to change PIN option if your security policy does not
grant the user the right to change his or her PIN.
8 Click Unblock PIN.
A pop up dialog will inform you if the PIN has been successfully unblocked.
How to Remotely Unblock a Connected Smart Card/Token
Normally you unblock a smart card/token using the Admin PIN. If the user knows the
Admin PIN, he or she can do it themselves, but this method is not recommended
because giving the user the Admin PIN weakens the security chain.
However, you can configure a user to allow him or her to unblock the card/token
remotely by checking the box “User can remotely unblock connected card” in the User
Setup (see “Figure 44” on page 43 and in particular d) on page 43). In this case, the
user does not need to know the unblocking code as you provide an encrypted value of
the Admin PIN.
Note: The user does not need the right to change the User PIN, as this is a different
right from the right to unblock the PIN.
Caution: Remote user PIN unblocking requires an additional tool that can be installed
with the Classic Client Toolbox for help desk staff. For more information about this
tool, please contact your Gemalto representative.
Read the procedure below, as it treats the user’s perspective of the situation. Do not
hesitate to contact your Gemalto representative if you want to use this feature of the
software.
To unblock a smart card/token remotely
Note: You can do this only if the administrator has set “User can remotely unblock
connected card” in your user setup.
1 Connect the blocked smart card/token and click on the PIN Management tool icon
in the Card Administration folder.
2 Select Unblock PIN and, if the list next to it is visible, choose Remote. This
displays the window shown in “Figure 55”.
Figure 55 - PIN Management-Remote Unblock PIN
3 Telephone the help desk and tell them the card serial number (CSN) and the
random number. With this information, the help desk will generate an encrypted
unblock PIN and tell you its value.
4 Click Next to display the window shown in “Figure 56”.
Figure 56 - PIN Management-Remote Unblock PIN (2)
5 In Encrypted PIN, enter the value given to you by the help desk. Enter your new
PIN value in New PIN and again in Confirm New PIN.
6 Leave Force user to change PIN unchecked.
7 Make sure that all the rules in PIN Policy show green ticks. If they do not, re-enter
the values until they do.
8 Click Unblock PIN. A pop up dialog confirms if the card/token has been
successfully unblocked.
How to Use a PIN Pad Reader with Classic Client
How to Log in with a PIN Using a PIN Pad and the Toolbox
1 Insert the smart card in the PIN Pad reader.
2 Open the Classic Client Toolbox and in Card Contents, click Certificates to
open the Certificates Tool as shown in “Figure 57”.
Figure 57 - Logging in Using a PIN Pad
3 Click the Login button.
The following dialog box is displayed:
Figure 58 - Secure PIN Entry Dialog Box
The PIN Pad prompts you to enter the User PIN.
4 Enter the PIN in the PIN Pad (remember to press the confirmation button on the
pad, for example, Enter, Valid, OK).
5 The PIN Pad displays an OK message and the Certificate Tool changes to show
that you are logged in:
Figure 59 - Logged in Using a PIN Pad
How to Change an Admin PIN with a PIN Pad and the Toolbox
This operation must be performed either on a PC with the administrator setup of
Classic Client or a user setup version with the “Change Admin PIN allowed” access
rights (see “How to Create a Configuration File” on page 42). For simplicity, the
following procedure just says “administrator’s PC”.
The procedure is identical to that of “How to Change a User PIN or IdenTrust PIN with
a PIN Pad and the Toolbox”, except that in step 4 you select Admin as the PIN type
and you enter the current Admin PIN when prompted instead of the current User PIN.
How to Change a User PIN or IdenTrust PIN with a PIN Pad and the
Toolbox
To perform this operation, your Classic Client setup must have been granted the
“Change User PIN allowed” access rights by your administrator.
To change a User PIN or IdenTrust PIN
1 Insert the smart card/token whose User PIN you want to change into the PIN Pad
reader.
2 Click on the PIN Management tool icon in the Card Administration folder;
the PIN Management tool interface is displayed in the right hand area of the GUI. If
you don’t see the tool, you don’t have the rights to change the PIN.
Note: The Classic Client padlock icon is either open or locked to indicate whether
you are logged in or not. You do not have to be logged in at this point in order to
change a PIN.
3 From the PIN Management Tool, choose the Change PIN option (see “Figure 22 -
PIN Management Tool Window” on page 23) and click Next. The window shown
in “Figure 60” appears:
Figure 60 - PIN Management with PIN Pad Reader Window
4 In the PIN section, select the type User or IdenTrust. The options available
depend on the PINs that exist in the card/token and the rights given to you by the
Administrator in your User Setup.
PIN Policy in the right pane provides a reminder of your organization’s policy for
the type of PIN chosen.
5 Click Change PIN.
Note: If you have already logged in with the PIN that you want to change, the next
step (6) is skipped.
6 The window in “Figure 61” appears and the PIN Pad display asks you to enter the
User PIN.
Figure 61 - PC Pinpad Secure PIN Entry Window
Enter the current User PIN in the PIN Pad, then press the confirmation button.
7 When the window shown in “Figure 62” appears, follow the instructions displayed
on the PIN Pad as follows:
Figure 62 - PC Pinpad Secure PIN Change Window
8 When prompted by the PIN Pad, enter the current User PIN.
9 Enter the new User PIN value.
10 Enter the new User PIN value again. If successful, the window in “Figure 61” on
page 62 reappears to prompt you to log in to the toolbox again.
11 Enter the new User PIN, which is now the current User PIN.
12 When the “PIN changed” message appears, click OK.
How to Unblock a User PIN or IdenTrust PIN with a PIN Pad and the
Toolbox
To perform this operation, your Classic Client setup must have been granted the “User
can unblock card” access rights by your administrator.
To unblock a User PIN or IdenTrust PIN
1 Insert the smart card/token whose User or IdenTrust PIN you want to unblock into
the PIN Pad reader.
2 Click on the PIN Management tool icon in the Card Administration folder;
the PIN Management tool interface is displayed in the right hand area of the GUI. If
you don’t see the tool, you don’t have the rights to update the PIN.
Note: The Classic Client padlock icon is either open or locked to indicate whether
you are logged in or not. You do not have to log in in order to unblock a PIN.
3 From the PIN Management Tool, choose the Unblock PIN option (see “Figure 22 -
PIN Management Tool Window” on page 23) and click Next. The window shown
in “Figure 63” appears:
Figure 63 - PIN Management with PIN Pad Reader Window
4 In the PIN section, select the type User or IdenTrust.
PIN Policy in the right pane provides a reminder of your organization’s policy for
the type of PIN chosen.
5 Click Unblock PIN. The window in “Figure 64” appears and the PIN Pad display
asks you to enter the Admin PIN (sometimes known as the SO PIN).
Figure 64 - PC Pinpad Secure PIN Entry Window
6 Enter the Admin PIN in the PIN Pad, then press the confirmation button.
When the window shown in “Figure 65” appears, follow the instructions displayed
on the PIN Pad as follows:
Figure 65 - PC Pinpad Secure PIN Unblock Window
7 When the PIN Pad prompts you, enter the Admin PIN.
8 Enter the new User PIN value.
9 Enter the new User PIN value again as confirmation. If successful, the window in
“Figure 64” on page 64 reappears to prompt you to log in to the toolbox again.
10 Enter the Admin PIN. This last entry logs you in to the toolbox again.
11 When the “PIN unblocked” message appears, click OK.
PIN Presentation
Caution: The PIN Pad reader is managed by the application that calls Classic Client.
Consequently the PIN Pad’s behavior when interacting with Classic Client will vary
according to the application.
Under some circumstances, the PIN Pad Reader requires the User to present the PIN
several times to gain access to certain tasks. When enrolling a user on the smart
card, for example, 3 presentations of the PIN are required.
Forced PIN Change with the PIN Pad Reader
If the administrator set the option “Force user to change PIN”, or if the User PIN is not
initialized, the Registration Tool displays the following message when you insert the
smart card in a PIN Pad reader.
Figure 66 - Forced PIN Change with PIN Pad Reader Window
Click Change User PIN and follow the instructions in “How to Change a User PIN or
IdenTrust PIN with a PIN Pad and the Toolbox” on page 61. When the final message
displays to tell you the change is successful, click OK.
Managing Certificates
Introduction
This section talks about using smart cards/tokens with certificates.
Cards/Tokens and Certificates
A digital certificate contains information about the user and the user’s public key, and is
used to authenticate the user’s identity during secure transactions. The certificate
identifying the user must be registered with a certificate authority and this information
must be available to both parties. To use smart cards/tokens and certificates together,
the user must generate a key pair on his card/token and then get a digital certificate
corresponding to the public key and store it on the card/token.
Working with Different Cards/Tokens
Many types of cards/tokens are supported by Classic Client. You can check if a card/
token is supported simply by connecting it. For unsupported cards/tokens, the reader
icon displays a warning sign like this:
Note: 1) You cannot change anything on read-only cards/tokens.
Note: 2) Some cards/tokens, such as IdenTrust cards/tokens may have two user
keys, intended for two different purposes.
How to Import a Certificate
You can import certificates to a card/token if the administrator gave you the rights to do
so in your user setup. You can import certificates from the IE certificate store or from a
certificate file.
When importing certificates, note the following important points:
■ You cannot import certificates to a read-only card/token.
■ You can import a certificate without verifying your user PIN (logging in), but if the
certificate has an associated key pair, the key pair is not imported; you must be
logged in to import an associated key pair.
■ Your PIN must be initialized, that is, its value must have been changed from the
original value set when the PIN was issued (or set by the administrator if it has
been unblocked).
It is recommended that you read the section “Introduction” on page 65 before
performing these tasks.
To import a certificate to a smart card/token:
1 In the Classic Client Toolbox, click Certificates in the Card Contents folder.
Make sure that the smart card/token for which you want to import a certificate is
connected.
2 If not already logged in, log in as described in “Authenticating Yourself” on page 40.
Figure 67 - Certificates Tool Window
Note: This example treats the case of a smart card/token featuring two operational
modes: the Standard mode, and the IdenTrust mode.
You can import a certificate without verifying your user PIN, but if the certificate has an
associated key pair, the key pair is not imported unless you can verify your user PIN
when requested.
3 Select the smart card reader.
This activates the Import button.
4 Click Import (you can also right-click on the reader and select Import from
the contextual menu). You are offered a choice of two ways to import the certificate,
as shown in the following figure:
Figure 68 - Choice of Methods to Import a Certificate
5 Choose the option and follow the instructions for your choice:
– If importing from a file, see page 68.
– If importing from the IE certificate store, see page 70.
To Import from a Certificate File
1 Follow the instructions in “To import a certificate to a smart card/token:” on
page 66.
2 When you reach the window shown in “Figure 68”, choose Import from File and
click Open. This opens the standard Windows Open window as shown in “Figure
69”.
Figure 69 - Certificates Tool Window: Open Window
3 Navigate to the certificate file you want.
Compatible files:
– PKCS#12 file: (*.pfx), (*.p12). These types of files can have one or more
certificates and may contain the certificate’s key pair value. These types of files
are usually protected with a password.
– Binary certificate file: (*.der), (*.cer), (*.crt). These types of files have only one
certificate and have no keys.
– PKCS#7 certificate list file: (*.p7b). These types of files can have one or more
certificates and have no keys.
– Base 64 encoded certificate file: (*.b64). These types of files have only one
certificate and have no keys.
4 In the example in “Figure 69”, the choice is among four PKCS#12 objects. These
objects can require that you prove knowledge of a password before you can work
with their certificates, keys or data objects. Select a file and click Open. The
window changes as shown in “Figure 70”.
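An added Python helper (example code, not part of Classic Client) that tells the four compatible file types apart from their content rather than their extension, and reports whether each may carry a key pair and needs a file password; every certificate byte string in it is a constructed stub, and the field names in the result are assumptions.

```python
"""Tell the four importable certificate file types apart by content.

Added example, not part of Classic Client: the Import from File step
accepts PKCS#12, binary DER, PKCS#7 and Base64 files, which differ in
whether they may carry a key pair and whether a file password is needed.
Looking at the ASN.1 structure instead of the extension catches a
renamed or mislabeled file before it reaches the import dialog.
Every byte string below is a constructed stub, not a real certificate.
"""
import base64
import binascii

# DER encoding of OID 1.2.840.113549.1.7.2 (PKCS#7 signedData)
OID_PKCS7_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")

UNKNOWN = {"format": "unknown", "may_have_keys": None,
           "password_protected": None}


def _read_tlv(data: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("truncated DER")
    return tag, data[pos:pos + length], pos + length


def classify_der(der: bytes) -> dict:
    """Identify the type from the first element of the outer SEQUENCE."""
    try:
        tag, body, _ = _read_tlv(der, 0)
        if tag != 0x30:               # every type here starts with a SEQUENCE
            return dict(UNKNOWN)
        inner_tag, inner_val, _ = _read_tlv(body, 0)
    except (IndexError, ValueError):
        return dict(UNKNOWN)
    if inner_tag == 0x02 and inner_val == b"\x03":
        # PFX ::= SEQUENCE { version INTEGER {v3(3)}, ... }
        return {"format": "PKCS#12 file", "may_have_keys": True,
                "password_protected": True}
    if inner_tag == 0x06 and inner_val == OID_PKCS7_SIGNED_DATA:
        # ContentInfo ::= SEQUENCE { contentType OBJECT IDENTIFIER, ... }
        return {"format": "PKCS#7 certificate list", "may_have_keys": False,
                "password_protected": False}
    if inner_tag == 0x30:
        # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { ... }, ... }
        return {"format": "Binary certificate file", "may_have_keys": False,
                "password_protected": False}
    return dict(UNKNOWN)


def classify(data: bytes) -> dict:
    """Classify raw file bytes: DER directly, Base64/PEM text decoded first."""
    if data[:1] == b"\x30":           # an ASN.1 SEQUENCE tag: raw DER
        return classify_der(data)
    lines = [ln for ln in data.strip().splitlines()
             if not ln.startswith(b"-----")]       # drop PEM armor if present
    try:
        der = base64.b64decode(b"".join(b"".join(lines).split()), validate=True)
    except binascii.Error:
        return dict(UNKNOWN)
    info = classify_der(der)
    if info["format"] == "Binary certificate file":
        info["format"] = "Base64 encoded certificate file"
    return info


# Constructed stubs: just enough ASN.1 structure for the checks above.
CERT_DER = bytes.fromhex("30053003020101")   # SEQ { SEQ { INTEGER 1 } }
PKCS12_DER = bytes.fromhex("3003020103")     # SEQ { INTEGER 3 (PFX version) }
PKCS7_DER = bytes.fromhex("300b0609") + OID_PKCS7_SIGNED_DATA
PEM_TEXT = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(CERT_DER)
            + b"\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, blob in [("cert.cer", CERT_DER), ("id.p12", PKCS12_DER),
                       ("chain.p7b", PKCS7_DER), ("cert.b64", PEM_TEXT)]:
        print(name, classify(blob))
```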
Figure 70 - Certificates Tool Window: Import Certificate File (1)
5 Enter the File Password and click Verify.
If the password is correct, in the case of a PKCS#12 object, all the certificates in
the file are displayed in the Certificate(s) to import field as shown in “Figure 71”.
Figure 71 - Certificates Tool Window: Import Certificate File (2)
All the other certificate file types don’t require password verification, so you
immediately see the certificate(s) without the File password field.
Note: 1) A P12 certificate is often associated with public and private keys. If you
import the certificate, Classic Client automatically attempts to import its associated key
pair, and succeeds if you can prove knowledge of the card/token PIN.
Note: 2) The Figure above displays an example of a smart card/token with two
operational modes: the Standard mode, and the IdenTrust mode. Cards/tokens with
only one mode do not display the option IdenTrust for the Card PIN field, as cards/
tokens with one mode only require one user PIN.
6 In Certificate(s) to import, select the certificate you want to import.
7 Do one of the following:
– If the PKCS#11 object(s) (certificates and keys) are to be used for IdenTrust
security operations, check the IdenTrust option and enter your IdenTrust user
PIN in the Card PIN field to permit Classic Client to copy the certificate and, if
present, the key pair to the card’s/token’s public data area.
– If the PKCS#11 object(s) (certificates and keys) are to be used for non-IdenTrust
security operations, do not select IdenTrust and instead simply enter
your user PIN to permit Classic Client to copy the certificate and, if present, the
key pair, with the private key copied to the card’s/token’s private data area and
the public key copied to the card’s/token’s public area.
8 Once you have entered a valid PIN, click Import. A window confirms that the
selected certificate is imported.
To Import from the IE Certificate Store
1. Follow the instructions in “To import a certificate to a smart card/token:” on page 66.
2. When you reach the window shown in “Figure 68”, choose Import from IE store and select a store from the list:
– Personal: Selects a certificate from the IE Store called Personal.
– Intermediate Certification Authorities: Selects a certificate from the IE Store called Intermediate Certification Authorities.
– Trusted Root Certification Authorities: Selects a certificate from the IE Store called Trusted Root Certificates.
For this example, the choice is from the Personal store:
Figure 72 - Certificates Tool Window: Import Certificate - Selecting the Store
3. Click Open. Classic Client displays the certificates you have in this IE store as shown in “Figure 73”.
Figure 73 - Certificates Tool Window: Import Certificate List
4. Click on the certificate you want to import. You can select more than one certificate by holding down the shift key to select a group, or the control key to add certificates to the selection one by one.
Note: 1) A P12 certificate is often associated with a public and private key pair. If you
import a P12 certificate, Classic Client automatically attempts to import its associated
key pair, and succeeds if you can prove knowledge of the card/token PIN.
Note: 2) P12 objects may require that you prove knowledge of a password before you
can work with their certificates, keys or data objects. If you click on an item, you may
be prompted to enter a password. If this occurs, enter the password and click OK.
The example in “Figure 73” on page 71 shows an example of a smart card/token with two operational modes: the Standard mode, and the IdenTrust mode. Cards/tokens with only one mode do not display the option IdenTrust for the Card PIN field, as cards/tokens with one mode only require one user PIN.
5. Do one of the following:
– If the PKCS#11 object(s) (certificates and keys) are to be used for IdenTrust security operations, select IdenTrust and enter your IdenTrust user PIN in the Card PIN field to allow Classic Client to copy the certificate and, if present, the keys, to the card’s/token’s public data area.
– If the PKCS#11 object(s) (certificates and keys) are to be used for non-IdenTrust security operations, do not select IdenTrust and instead simply enter your user PIN to permit Classic Client to copy the certificate and, if present, the keys, with the private key copied to the card’s/token’s private data area and the public key copied to the card’s/token’s public area.
6. Once you have entered a valid PIN in Card PIN, click Import. A window confirms that the selected certificate has been imported.
How to Export a Certificate
You can export certificates from the card/token if the administrator gave you the rights
to do so in your user setup.
Note: If a certificate on the card/token is associated with a cryptographic key pair,
when you export the certificate, you cannot export the key pair as well.
It is recommended that you read the introductory remarks in the section “Managing
Certificates” on page 65.
Export allows you to export certificates from a smart card/token, one certificate at a
time (if you have been given the right to export certificates from a smart card/token).
You can export certificates from the smart card/token to the IE certificate store or to a
certificate file.
Caution: You cannot export any type of cryptographic key from the card/token to a
file or to the IE Certificate Store.
To export a certificate from a smart card/token:
1. In the Classic Client Toolbox, click Certificates in the Card Contents folder. Make sure that the smart card/token from which you want to export a certificate is connected.
2. If not already logged in, login as described in “Authenticating Yourself” on page 40.
3. Select the certificate. This activates the Export button as shown in “Figure 74”.
Figure 74 - Certificates Tool Window: Export Button Activated.
4. Click Export (you can also right-click on the reader and select Export from the contextual menu). You are offered a choice of two ways to export the certificate as shown in the following figure.
Figure 75 - Choice of Methods to Export a Certificate
5. Choose the option and follow the instructions for your choice:
– If exporting to a certificate file, see “To export to a certificate file” on page 73.
– If exporting to the IE certificate store, see “To export to the IE certificate store” on page 73.
To export to a certificate file
1. Select Export to File and click Export. This opens the standard Windows Save As window.
2. Type the file name and select among the following types of certificate files:
– Binary certificate file: (*.der), (*.cer), (*.crt). These types of files can contain only one certificate.
– PKCS#7 certificate list file: (*.p7b). These types of files can contain one or more certificates.
– Base 64 encoded certificate file: (*.b64). These types of files can contain only one certificate.
Note: You cannot export to a P12 certificate file because you cannot export any kind
of cryptographic key from the card/token.
Tip: Classic Client cannot export a certificate chain to a P7 certificate file in one
action. Export the root certificate to a P7 format, then export the rest of the chain into
respective *.der certificate files. You can then add the *.der certificates in order to your
P7 certificate file and recreate the chain.
3. Click Save as. A window confirms that the selected certificate is exported.
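The import and export procedures above deal with several container formats, and only PKCS#12 files prompt for a file password. As an added example (not Classic Client code), the Python below recognises .der/.cer/.crt, .p7b, .b64 and .p12 content from the bytes rather than the file extension, keying on the standard outer DER shapes of an X.509 Certificate, a PKCS#7 ContentInfo and a PKCS#12 PFX; the sample blobs at the bottom are constructed skeletons with the right outer structure only, not real certificates.

```python
"""Recognise certificate container formats (.der/.cer/.crt, .p7b, .b64, .p12)
from file content. Added example, not Classic Client code; the sample blobs
are constructed skeletons, not real certificates."""
import base64
import re

TAG_INTEGER = 0x02
TAG_OID = 0x06
TAG_SEQUENCE = 0x30

# DER contents of OID 1.2.840.113549.1.7.2 (pkcs7-signedData), the ContentInfo
# type that a .p7b certificate list file carries.
OID_PKCS7_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")


def read_tlv(buf, pos=0):
    """Decode one DER tag-length-value element at buf[pos].
    Returns (tag, value, position after the element); ValueError if malformed."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def classify_der(data):
    """Return 'x509', 'pkcs7', 'pkcs12' or 'unknown' for a DER blob, judged by
    the first element inside the outer SEQUENCE."""
    try:
        outer_tag, body, end = read_tlv(data)
        if outer_tag != TAG_SEQUENCE or end != len(data):
            return "unknown"
        first_tag, first_val, _ = read_tlv(body)
    except ValueError:
        return "unknown"
    if first_tag == TAG_SEQUENCE:            # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
        return "x509"
    if first_tag == TAG_OID and first_val == OID_PKCS7_SIGNED_DATA:
        return "pkcs7"                       # ContentInfo ::= SEQUENCE { contentType OID, ... }
    if first_tag == TAG_INTEGER and first_val == b"\x03":
        return "pkcs12"                      # PFX ::= SEQUENCE { version INTEGER (3), authSafe, ... }
    return "unknown"


def decode_b64(text):
    """Strict Base64 decode with line breaks removed; b'' if the text is not Base64."""
    try:
        return base64.b64decode(b"".join(text.split()), validate=True)
    except ValueError:
        return b""


PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def classify_file(data):
    """Return (encoding, kind); encoding is 'der', 'base64', 'pem' or 'unknown'."""
    m = PEM_RE.search(data)
    if m:
        return "pem", classify_der(decode_b64(m.group(2)))
    if data[:1] == b"\x30":                  # binary DER always opens with a SEQUENCE tag
        kind = classify_der(data)
        if kind != "unknown":
            return "der", kind
    kind = classify_der(decode_b64(data))    # bare Base64 text, as in a .b64 file
    return ("base64", kind) if kind != "unknown" else ("unknown", "unknown")


def needs_file_password(kind):
    """Only PKCS#12 containers protect their contents with a file password."""
    return kind == "pkcs12"


def tlv(tag, value):
    """Encode one DER element (used only to build the constructed samples)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


# Constructed skeletons with the right outer shape only (not valid certificates).
SAMPLE_CERT_DER = tlv(TAG_SEQUENCE, tlv(TAG_SEQUENCE, b"\x02\x01\x01") + tlv(TAG_SEQUENCE, b"") + tlv(0x03, b"\x00"))
SAMPLE_P7B_DER = tlv(TAG_SEQUENCE, tlv(TAG_OID, OID_PKCS7_SIGNED_DATA) + tlv(0xA0, tlv(TAG_SEQUENCE, b"\x02\x01\x01")))
SAMPLE_P12_DER = tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, b"\x03") + tlv(TAG_SEQUENCE, tlv(TAG_OID, bytes.fromhex("2a864886f70d010701"))))
SAMPLE_B64_FILE = base64.encodebytes(SAMPLE_CERT_DER)
SAMPLE_PEM_FILE = b"-----BEGIN CERTIFICATE-----\n" + SAMPLE_B64_FILE + b"-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for name, blob in [("cert.der", SAMPLE_CERT_DER), ("list.p7b", SAMPLE_P7B_DER),
                       ("bundle.p12", SAMPLE_P12_DER), ("cert.b64", SAMPLE_B64_FILE),
                       ("cert.pem", SAMPLE_PEM_FILE)]:
        enc, kind = classify_file(blob)
        print(f"{name}: {enc}/{kind}, file password prompt: {needs_file_password(kind)}")
```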
To export to the IE certificate store
1. Select Export to IE store and select a store from the list:
– Personal: Exports the selected certificate to the IE Store called Personal.
– Intermediate Certification Authorities: Exports the selected certificate to the IE Store called Intermediate Certification Authorities.
– Trusted Root Certification Authorities: Exports the selected certificate to the IE Store called Trusted Root Certificates. If you export a certificate to this store, Windows prompts you to be confident as to the source of the certificate. If you are, click Yes to continue.
Figure 76 - Security Warning
2. Click Export. A window confirms that the selected certificate is exported.
How to Set Certificates as Default
You can specify which certificate on your smart card/token you want to use as the
default certificate for logging on to your PC using the card/token.
Note: In versions of Windows older than Vista, the OS can use only the default
certificate.
To set the default certificate:
1. Make sure that the smart card/token for which you want to set a default certificate is connected.
2. If not already logged in, login as described in “Authenticating Yourself” on page 40.
3. Select the certificate you want to become the default certificate.
4. Click Set as default; the selected certificate is set as the default certificate.
How to Register Certificates to the IE Store Manually
The Registration Tool can automatically register your certificate in the IE cert store. To
do this, simply start IE and connect your card/token.
Note: The Registration Tool does not copy certificate information to the IE store; it
creates a link from the IE cert store to the certificate information on the card/token to
ensure security.
The Registration Tool is available only if the administrator has included it in your User Setup package. You can check it is available by the presence of the icon that is displayed in the tool bar.
Note: The Registration Tool is not available in Citrix client-server environments.
For more information about this and other Registration Tool features, see “Chapter 3 - The Registration Tool”.
If the Registration Tool is not available, then Windows XP and Server 2003 will perform
this automatic registration in its place. However Classic Client deactivates this feature
in Windows 8/7/Vista, Server 2008 and Server 2008 R2.
Classic Client’s Certificates Tool enables you to register all your certificates to the IE store manually. This tool is indicated by the certificate tool icon in your Card Contents folder. Its availability depends on whether the administrator included it in your User Setup package.
To register all certificates manually:
1. Make sure that the smart card/token for which you want to register all the certificates is connected.
2. Open the Certificate Tool in the Classic Client Toolbox (Card Contents > Certificates).
3. If not already logged in, login as described in “Authenticating Yourself” on page 40.
4. Select the smart card reader. This selects all the PKCS#11 objects stored on the smart card/token.
The register all certificates function is only available when all objects are selected.
Figure 77 - Certificates Tool Window (All Objects Selected)
5. Click Register All. A confirmation window summarizes how many certificates were registered.
Figure 78 - Certificate Successfully Registered
6. Click OK to complete the Register All operation.
How to Display Certificate Details
You can view details of the certificates on the card/token and see if your card/token has
any data objects on it, although you cannot see details on the data itself. This is useful
to ensure you have the right certificates for a particular action that you want to perform.
Note: The Show Details button is for certificates only.
To see the details of a certificate:
1. Make sure that the smart card/token whose certificate details you want to see is connected.
2. If not already logged in, login as described in “Authenticating Yourself” on page 40. This ensures you can see both public and private details.
3. Select the certificate you want to display information about.
4. Double-click the certificate, or click Show details; the Microsoft Certificate viewer opens.
Figure 79 - Window Certificate Information Viewer
How to Erase Certificates (PKCS#11 Objects)
Certificates are PKCS#11 objects, as are keys and data.
You can erase all the objects on your card/token, or erase an individual object. This is
useful if you have no more space on the card/token for any new objects.
Note: You cannot erase anything from a card/token that is read-only.
The introductory remarks in the section “Managing Certificates” on page 65 provide
some useful background information.
Erasing All Certificates
The Erase All function enables you to erase ALL the PKCS#11 objects on the card/
token (certificates, keys and data). The function’s availability depends on whether it
was included by the Administrator in your User Setup.
Note: In some circumstances the Erase All option does not remove all items from the
memory. The memory space may still be occupied by proprietary objects.
To erase all certificates (PKCS#11 objects):
1. Make sure that the smart card/token on which you want to Erase All is connected.
2. If not already logged in, login as described in “Authenticating Yourself” on page 40.
3. Select the smart card reader. This selects all PKCS#11 objects on the smart card/token, see “Figure 77” on page 75. The Erase All function is only available when the smart card reader is selected.
4. Click Erase All; all objects are erased from the smart card/token.
Erasing an Individual Certificate
The Erase function enables you to erase individual PKCS#11 objects on the card/
token (certificates and keys) one at a time. The function’s availability depends on
whether it was included by the Administrator in your User Setup. This is useful to clear
up space on the card/token and to erase old keys or certificates.
Note: The Erase button deletes a key pair only when the certificate it is associated
with has already been deleted. The key pair associated with a certificate is displayed
after the certificate with which it is associated.
To erase an individual certificate (PKCS#11 object):
1. Make sure that the smart card/token on which you want to Erase the certificate is connected.
2. If not already logged in, login as described in “Authenticating Yourself” on page 40.
3. Select the object to erase and click Erase.
ECC Management
This section describes the tasks that you can perform with the personal data in smart
cards.
Description of ECC Data
The ECC data is stored in a particular file structure known as PKCS#15. This is defined
in ISO 7816-15.
The PKCS#15 tool views the data from a PKCS#15 point of view. It displays all the files
that are present in the PKCS#15 structure in a tree structure. In this way, you can
check to see that all the files are present and are in the correct place.
The Personal Data tool displays the data from a functional point of view. With this tool, it is easy to read and update the personal data. The personal data consists of two main parts:
■ The first part can be read and updated, and is the data of the cardholder such as name, address and so on.
■ The second part is data that can be updated only:
– Certificate and keys that belong to the cardholder. These can be overwritten by importing new PKCS#12 files.
– Signature PIN, a value you can change (only applicable for some smart cards).
Normally, smart cards are read-only because Personal Data is sensitive. However, for
sample cards only, Classic Client can update the data if it knows the key to use for
secure messaging. For this, you need to configure the Registry Key. For a description
of the registry keys used in Classic Client, refer to the Classic Client Integration Guide.
How To Display the PKCS#15 Files
You can view details of the PKCS#15 files on some smart cards. PKCS#15 is based on
ISO 7816-15 and describes a standard file structure for personalization profiles. The
PKCS#15 function in Classic Client displays these particular files only in the card.
Note: The Show Details button is for certificates only.
To display the PKCS#15 file structure:
1. Make sure that the smart card is connected.
2. In Classic Client Toolbox, in the ECC Management folder, click PKCS#15. “Figure 80” shows the window that appears.
Figure 80 - PKCS#15 Initial Window
3. From the list, choose the smart card reader that holds the card and then click Next to continue. The PKCS#15 files appear, as shown in “Figure 81”.
Note: Except for the IAS Applet V3 card, you do not need to log in to the card to
display the PKCS#15 files.
Figure 81 - PKCS#15 Window (Showing PKCS#15 Structure)
The window is like a standard file navigation system. You can expand and collapse
folders as you wish in the left pane. Select the file whose contents you want to view
in the left pane, and its contents are displayed in the right pane.
How To Export the PKCS#15 Files to an XML File
To Export the PKCS#15 Files to an XML File:
1. Follow the instructions in “How To Display the PKCS#15 Files” on page 78.
2. From the final window, shown in “Figure 81”, click Export XML.
3. In the Save As window that opens, choose a name and location for your XML file and click Save.
How to Read and Update Personal Data
Personal data is information about the card holder, such as name, address, nationality,
but also includes the card’s keys and certificates used to perform digital signatures and
for authentication to a web site.
Classic Client provides two separate functions, Read Personal Data and Update Personal Data. Read Personal Data enables you to read data without the risk of accidentally overwriting it.
To read personal data:
1. Make sure that the smart card is connected.
2. In the Classic Client Toolbox, in the ECC Management folder, click Personal Data. The window as shown in the below figure appears.
Figure 82 - Personal Data Initial Window (Read) for IAS ECC Card
Figure 83 - Personal Data Initial Window (Read) for IAS Classic Applet V3 Card
3. From the list, choose the smart card reader that holds the smart card.
4. If it is not already selected, choose the Read Personal Data option and then click Next to continue. The first page of personal data appears as shown in the figure below.
Note: For IAS ECC cards, you do not need to log in to the card to display personal
data. For IAS Classic Applet V3 cards, you need to log in to the card because viewing
and updating the identities data of the card requires secure access.
Figure 84 - Personal Data Login Window for IAS Classic Applet V3 Card
Figure 85 - Personal Data Window (First Page of Data in Read Mode) for IAS Classic Applet V3 Card
5. Click Next to display the next page of data shown in the figure below.
Figure 86 - Personal Data Window (Second Page of Data) for IAS Classic Applet V3 Card
You can return to the first page of data by clicking Previous.
To update personal data:
1. Make sure that the smart card is connected.
2. In Classic Client Toolbox, in the ECC Management folder, click Personal Data. The window as shown in “Figure 82” on page 80 appears.
3. From the list, select the smart card reader that holds the card.
4. Select the Update Personal Data option as shown in the figure below, and then click Next to continue.
Figure 87 - Personal Data Initial Window (Update) for IAS Classic Applet V3 Card
The first page of personal data appears as shown in the figure below.
Note: For IAS ECC cards, you do not need to log in to the card to display personal
data. For IAS Classic Applet V3 cards, you need to log in to the card because viewing
and updating the identities data of the card requires secure access.
Figure 88 - Personal Data Login Window for IAS Classic Applet V3 Card
Figure 89 - Personal Data Window (First Page of Data - Update) for IAS Classic Applet V3 Card
5. Update data by modifying text fields directly or choosing different options. To change the photo of the cardholder, click Load and browse to the file that stores the photo as an image. You can return to the initial window by clicking Previous. Click Next to display the next page of data.
Note: The photo must not exceed 10K bytes and must be in .JPG 2000 format.
Figure 90 - Personal Data Window (Second Page of Data) for IAS Classic Applet V3 Card
6. Again, update data by modifying text fields directly or choosing different options. You can return to the first page of data by clicking Previous.
7. (For IAS ECC card only) When you have finished making your modifications, click Next. The third and final page of data appears as shown in “Figure 91”.
Figure 91 - Personal Data Window (Third Page of Data) for IAS ECC Card Only
8. (For IAS ECC card only) In this final page of data, you can load new PKCS#12 data (certificates and keys) to be used for signatures and authentication. To do so, click Load that is next to the corresponding field, and browse to the file on your computer or network that contains the new PKCS#12 files.
Note: Certificates and keys are contained in the same PKCS#12 file. However Classic
Client also supports PKCS#12 files that contain only a single certificate and its keys.
9. When you have finished, click Update to update the data from this page and the previous pages in the card.
How to Change the Signature PIN
To Change the Signature PIN:
1. Follow the instructions in “To update personal data:” on page 82, until the final page of data (shown in “Figure 91” on page 84).
2. Click Change Signature PIN. The window shown in “Figure 92” appears:
Figure 92 - Change Signature PIN Window
3. Enter the current value of the signature PIN in Old PIN and a new value in New PIN and Confirm PIN.
4. Click OK to close the Change Signature PIN window.
Chapter 5 - The Contactless Secure Data Mechanism
Contactless cards behave in the same way as contact cards. However, some
contactless cards have an additional feature. This feature is available if requested from
Gemalto. The contactless secure data (CSD) mechanism is designed to protect
confidential data about the cardholder from being read by a third party without the
cardholder’s consent or knowledge.
When a reader tries to access the Classic Applet V2 or V3 (or IAS Classic Applet V2 or V3) in the smart card, the applet returns the Classic Client CSD dialog box as shown in “Figure 93” on page 86.
Figure 93 - The CSD Dialog Box
Enter the CSD and click OK. The reader can then access the Classic Applet V2 or V3
(or IAS Classic Applet V2 or V3).
The CSD is specified by the card issuer but is typically information such as the last four
digits of the card serial number as printed on the card.
If you click Cancel, you must remove the smart card from the reader before it can be
reread. Normally the Classic Client CSD dialog box displays once only at the
beginning of each card session, that is, when the card is first read by the reader.
However, under certain circumstances (such as if the card session is broken for some
reason) it is possible that it may be displayed again to reprompt for the CSD.
Note: As an extra security measure against “brute force” attacks (where the reader
may attempt to read the applet many times in a short time), the smart card deliberately
slows down the verification of the CSD code after an incorrect CSD entry. The more
incorrect CSD attempts are made, the slower the response to process the next CSD
attempt.
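The slowdown described in the note can be modelled as a verifier whose wait before processing the next entry grows with every consecutive wrong CSD, so rapid repeated guessing against the applet becomes progressively more expensive while a correct entry resets the counter. The Python below is an added example, not Gemalto's card implementation; the doubling schedule, the 0.5 s base, the 30 s cap, the constant-time comparison and the constructed entry sequence are all assumptions.

```python
"""Model of the CSD check's incremental slowdown after wrong entries.
Added example, not Gemalto code; the delay schedule and cap are assumptions."""
import hmac
import time


class CsdVerifier:
    BASE_DELAY_S = 0.5    # assumed wait after the first wrong entry
    MAX_DELAY_S = 30.0    # assumed ceiling so the card stays usable for the legitimate holder

    def __init__(self, expected_csd, sleep=time.sleep):
        self._expected = expected_csd.encode()
        self._failures = 0
        self._sleep = sleep          # injectable so the schedule can be inspected without waiting

    @property
    def failures(self):
        return self._failures

    def penalty_seconds(self):
        """Wait imposed before the next attempt: doubles per consecutive failure, capped."""
        if self._failures == 0:
            return 0.0
        return min(self.BASE_DELAY_S * 2 ** (self._failures - 1), self.MAX_DELAY_S)

    def verify(self, attempt):
        """Apply the current penalty, then compare in constant time; success resets the counter."""
        self._sleep(self.penalty_seconds())
        ok = hmac.compare_digest(self._expected, attempt.encode())
        self._failures = 0 if ok else self._failures + 1
        return ok


def run_attempts(expected_csd, attempts):
    """Feed a sequence of CSD entries to a fresh verifier without really sleeping.
    Returns [(attempt, accepted, wait_before_seconds), ...] for inspection."""
    waits = []
    verifier = CsdVerifier(expected_csd, sleep=waits.append)
    log = []
    for attempt in attempts:
        ok = verifier.verify(attempt)
        log.append((attempt, ok, waits[-1]))
    return log


if __name__ == "__main__":
    # Constructed session: "1234" stands in for the issuer-defined CSD, such as the
    # last four digits of the serial number printed on the card.
    for attempt, ok, wait in run_attempts("1234", ["0000", "1111", "2222", "3333", "1234", "9999"]):
        print(f"entry {attempt}: waited {wait:4.1f}s -> {'accepted' if ok else 'rejected'}")
```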
Appendix A - Security Basics
This chapter introduces you to the IT security standards integral to Classic Client.
Cryptography
Communicating and conducting business electronically is quickly becoming the most
convenient, effective means of transaction. An essential condition for the continued
growth toward an electronic market is security. The identities of both corporations and
individuals must be authentic. The integrity and privacy of information must be
guaranteed.
Encryption/decryption enables you to send and receive secure e-mail and documents
to protect confidential or private information. You can use the signature function to sign
your messages. By signing messages, you can prove to the recipient that you are who
you claim to be.
The IT industry uses cryptography to render information secret and known only by
authorized entities.
There are two types of cryptography:
■ Secret Key Cryptography.
■ Public Key Cryptography.
Both cryptographic systems use keys to digitally sign or encrypt/decrypt data. A key is a value in electronic format used to perform cryptographic functions on electronic data.
The differences between secret key and public key cryptography include:
■ Key management.
■ Complexity of the key structure.
Key management is central to having a successful crypto system. If keys are not
managed in a secure environment, the overall security of the crypto system is at risk.
Keys must also be convenient to use.
The complexity of a key length is determined by the degree of mathematical properties
applied to the random numbers that comprise the key.
Secret Key Cryptography
Secret key cryptography (also known as symmetric key cryptography) is the traditional crypto system, which remains in widespread use even today. Secret key cryptography uses a single secret key to digitally sign or encrypt/decrypt electronic data. The most widely used secret key crypto systems are DES and RC2.
The sender and receiver must use the same secret key for the session in which secure
information is exchanged. The sender uses the secret key to encrypt the message; the
receiver uses the same secret key to decrypt the message.
The primary advantage of secret key cryptography is the speed at which data can be
encrypted/decrypted.
The primary weakness of secret key cryptography regards key management. Because
sender and receiver must share knowledge of the secret key, there must be a transfer
of the secret key at some point. Introducing a third party (such as a telephone line or
courier) to deliver the secret key to the receiver presents a security risk.
Secret keys are included in the cryptographic functionality of both Microsoft and Mozilla
e-mail and browser products.
Public Key Cryptography
Public key cryptography was introduced in 1976 and is the most advanced, secure
crypto system for digitally signing and encrypting/decrypting electronic data. Public key
cryptography refers to a crypto system that uses key pairs. The most popular and
widely-used public key crypto system uses the RSA key pair.
A key pair is a matched set of keys used to digitally sign or encrypt/decrypt electronic
data. RSA key pairs, like secret keys, are strings of random numbers. However, RSA
keys are not only significantly longer than secret keys, they also possess complex
mathematical properties.
A single user owns an RSA key pair. One key is private, while the other key is public.
The private key remains private and accessible only to the owner of the key pair. The
public key is made available by the owner to public users. The public key is used to
encrypt data. The private key is used to decrypt data.
The strength of using an RSA key pair is that the need for sender and receiver to share knowledge of the single secret key used in secret key crypto systems is eliminated.
Classic Client takes advantage of the speed the secret key offers and the robust
security and convenience of the RSA key pair. When you use Classic Client to send
secure e-mail, the actual message data is encrypted using a secret key. The secret key
is then encrypted using the public key of the intended recipient. Only the recipient's
private key can decrypt the secret key. Only the secret key can decrypt the message
data.
Classic Client offers the most advanced digital security at the greatest speed and
convenience.
What is a digital certificate?
A digital certificate is an electronic document that serves as your digital passport. Your
digital certificate stores your public key and other personal information about you and
the certificate.
The most widely accepted standard for digital certificates is defined by International
Telecommunications Union standard ITU-T X.509. Version three is the most current
version of X.509.
The X.509v3 certificate includes the following data:
■ Version.
■ Serial number.
■ Signature algorithm ID.
■ Issuer name.
■ Expiration Date.
■ User name.
■ User public key information.
■ Issuer unique identifier.
■ User unique identifier.
■ Extensions.
■ Signature on the above fields.
As a convenience to recipients, it is standard practice to attach your digital certificate to
every secure e-mail that you send. The recipient uses your public key, included in your
digital certificate, to encrypt e-mail addressed to you. If you do not attach your digital
certificate to outgoing e-mails, recipients must retrieve your public key from a public
directory if they want to reply to you with an encrypted e-mail.
What is a Certificate Authority?
Certificate Authorities (CAs) are trusted third parties that issue digital certificates. CAs
vouch for the identity of the individual or enterprise to whom they are issuing a
certificate. CAs provide a transfer of trust from CA to the individual or enterprise. When
you trust the CA certificate, you can transfer that trust to all certificates published by
that CA.
When you obtain your digital certificate, you provide the CA with your public key and
any personal information requested by the CA. The CA verifies your personal
information and the integrity of your public key. After the verification process, the CA
signs your public key, stores appropriate personal information and your public key on
the digital certificate, and issues your digital certificate to you.
CAs issue certificates with varying levels of identification requirements. CA policies and
the level of identification of the digital certificate determine the method and
requirements for proving your identity to the CA. The most simple digital certificate only
requires your e-mail address and name. However, some CAs require a driver's license,
notarized certificate request form, or any other personal documentation attesting to
your identity. Some CAs may even go as far as requiring biometric data such as
fingerprints.
The CA public key must be widely available so that users can validate the authenticity
of all certificates published by this CA.
What is a digital signature?
A digital signature is a piece of information created using message data and the owner's private key. Digital signatures provide message authentication, non-repudiation of origin, and data integrity.
Digital signatures are created with a one-way hash function and a private signing function. The one-way hash function produces a message digest, a condensed version of the original message text. The message digest is encrypted using the sender’s private key, turning it into a digital signature.
The digital signature can only be decrypted using the public key of the same sender. The recipient of the data decrypts the digital signature and compares the result with a message digest recalculated from the original message text. If the two are identical, the message was not manipulated and is therefore authentic.
What is S/MIME?
Secure/Multipurpose Internet Mail Extensions (S/MIME) is an open protocol standard that provides encryption and digital signature functionality to Internet e-mail. S/MIME uses public key cryptography standards to define e-mail security services.
S/MIME enables you to encrypt and digitally sign Internet e-mail using Web messaging
applications such as Microsoft Outlook, and Mozilla Thunderbird. S/MIME also enables
you to authenticate incoming messages.
S/MIME provides the following security functions:
■ Sender Authentication to verify the sender's identity. By reading the sender's digital signature, the recipient can see who signed the message and view the certificate for additional details.
■ Message Encryption to ensure that your messages remain private. Mozilla Thunderbird and Microsoft Outlook support domestic and export-level public key and secret key encryption.
■ Data Integrity to guard against unauthorized manipulation of messages. S/MIME uses a secure hashing function to detect message tampering.
■ Inter-operability to work with other S/MIME-compliant software.
What is SSL?
Secure Sockets Layer (SSL), developed by Netscape Communications, is a standard
security protocol that provides security and privacy on the Web. The protocol allows
client/server applications to communicate securely. SSL uses both public and secret
key cryptography.
The SSL protocol is application independent, which enables higher-level protocols
such as Hyper Text Transfer Protocol (HTTP) to be layered on top of it transparently.
Therefore, the client can negotiate encryption and authentication with the server before
data is exchanged by the higher-level application.
The SSL Handshake Protocol process includes two phases:
■ Server Authentication in which the client requests the server's certificate. In response, the server returns its digital certificate and signature to the client. The server certificate provides the server's public key. The signature proves that the server currently has the private key corresponding to the certificate.
■ Client Authentication (optional) in which the server requests the client's certificate. In response, the client sends the digital certificate and signature to the server. If the SSL Server requests it, the client is prompted to enter a PIN to visit a secure Web site.
The SSL process is repeated for every secure session you attempt to establish unless
you specify a permanent session. The SSL process will not proceed if the Web server's
certificate is expired.
Note: In some instances, the SSL Handshake takes place between the Web server
and the browser and does not require the client’s certificate.
SSL provides the following security functions:
■ Data Encryption to ensure data security and privacy. Both public key and secret key encryption are used to achieve maximum security. All traffic between an SSL server and SSL client is encrypted using both public key and secret key algorithms. Encryption thwarts the capture and decryption of TCP/IP sessions.
■ Mutual Authentication to verify the identities of the server and client. Identities are digital certificates. The entity presenting the certificate must digitally sign the data to prove ownership of the certificate. The combination of the certificate and signature authenticates the entity.
■ Data Integrity to ensure that SSL session data is not manipulated en route. SSL uses hash functions to provide the integrity service.
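The certificate check behind the Server Authentication phase described above (chain to a trusted CA, host name, validity period), as an added example in Go that is not part of this guide or of Classic Client: a constructed CA issues a valid and an expired server certificate, and the verifier rejects the expired one, as well as any certificate whose issuing CA it has no entry for, the failure cases listed in the Troubleshooting appendix. The CA and host names are constructed, and the example covers certificate validation only, not the signature and key-exchange messages of the handshake.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issueCert returns a certificate for name, valid from notBefore to notAfter.
// With parent == nil it is self-signed (a CA root); otherwise it is signed by
// parentKey, as a CA does when it issues a server certificate.
func issueCert(name string, notBefore, notAfter time.Time, isCA bool,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // a server leaf: bind it to its host name and to server use
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyServerCert is the client's check in the Server Authentication phase: the
// certificate must chain to a CA the client trusts, name the host being visited
// and be inside its validity period at time now. nil means the handshake may go on.
func verifyServerCert(cert, trustedCA *x509.Certificate, host string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     host,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// isExpired reports whether err is the "certificate expired" failure (SSL will not proceed).
func isExpired(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.Expired
}

// isUnknownCA reports whether no trusted CA issued and signed the certificate.
func isUnknownCA(err error) bool {
	var unk x509.UnknownAuthorityError
	return errors.As(err, &unk)
}

func main() {
	now := time.Date(2013, 6, 1, 12, 0, 0, 0, time.UTC) // constructed clock
	ca, caKey, _ := issueCert("Example Root CA", now.AddDate(-1, 0, 0), now.AddDate(10, 0, 0), true, nil, nil)
	valid, _, _ := issueCert("www.example.test", now.AddDate(0, -1, 0), now.AddDate(1, 0, 0), false, ca, caKey)
	expired, _, _ := issueCert("www.example.test", now.AddDate(-2, 0, 0), now.AddDate(-1, 0, 0), false, ca, caKey)
	fmt.Println("valid certificate, error:", verifyServerCert(valid, ca, "www.example.test", now))
	err := verifyServerCert(expired, ca, "www.example.test", now)
	fmt.Println("expired certificate rejected:", isExpired(err), err)
}
```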
What is Classic Client?
Classic Client is a smart card-based solution designed to secure e-mail
communications and Internet transactions. Classic Client smart cards/tokens support
encryption/decryption and signature functions. Classic Client also supports Windows
8/7/Vista/XP secure libraries and the capability to sign Microsoft Office macros.
Classic Client and a smart card/token provide the following advantages:
■ Your private key is never removed from your smart card/token.
■ The smart card/token is hardware-based security.
■ The PIN code protects key use.
■ Classic Client is portable and convenient.
The encryption/decryption function enables you to send and receive secure e-mail to
protect confidential or private information. You can use the signature function to sign
your messages. By signing messages, you can prove to the recipient that you are who
you claim to be.
Classic Client combines the privacy, integrity, and authentication functionality provided
by cryptographic algorithms with the simplicity, portability, and convenience of smart
cards/tokens. Your private key, digital certificate, and other personal information are
securely stored on your Classic Client smart card/token to prevent fraudulent use of
your electronic identity.
The latest industry standards such as SSL3 (for Web access) and S/MIME (for e-mail)
enable inter-operability of security services between any browser interface and any
Web server. However, the weak point in SSL3 and S/MIME is the management of
your private key and digital certificate. Without Classic Client, your private key and
digital certificate are stored on your hard drive, which makes them susceptible to
unauthorized access and fraudulent use. Without Classic Client, your electronic identity
is at risk.
Classic Client provides double-barreled security! With Classic Client, you get the
hardware-based security inherent in smart cards/tokens and software-based encryption
security, as well as the added advantage of individual PIN codes. Hardware-based
security is a principal security advantage; it is significantly more secure than
software-only solutions. Without the possession of your smart card/token and knowledge
of your PIN code, no one can use your identity.
Classic Client is your electronic passport to the digital world.
What is a Smart Card/Token?
A smart card is the size of a conventional credit card. But unlike the credit card, which
has a magnetic stripe, the smart card has a silicon microprocessor chip to store and
process electronic data and applications. The advantage of the smart card is security.
Gemalto manufactures various types of smart cards. Contact smart cards use a
microprocessor chip to store and process data. They must be inserted into a smart
card reader. Contactless smart cards use a microprocessor chip and antenna to store
and process data.
Smart cards can also be embedded in tokens such as USB devices that you can plug
directly into a PC.
Smart cards/tokens provide the most sophisticated security available on the market.
What is the Classic Client Smart Card/Token?
Your Classic Client smart card/token stores your private key and digital certificate. In
the past, your only option was to store your private key on your local hard drive,
rendering it susceptible to theft and fraudulent use. With Classic Client, your electronic
identity is secure. You must have both the smart card/token and PIN code to use the
smart card/token.
The Classic Client smart card/token is tamper resistant. The structure and operating
system of the smart card/token make it practically impossible to penetrate, probe, or
pilfer smart card/token data.
Perhaps the most convenient aspect of the Classic Client smart card/token is
portability. With Classic Client, you can carry your electronic passport with you at all
times and use it on any Classic Client–equipped computer in the world.
The Classic Client smart card/token has a robust and flexible design. These features
offer greater freedom and enhanced security.
On-board Key Generation
The Classic Client smart card/token offers on-board key generation. With this feature,
every time you enroll a new certificate on your smart card/token, a new key pair is
generated on your smart card/token. In other words, you are not limited to using the
same key pair for every certificate that you enroll.
One significant advantage of on-board key generation is that you can monitor and
control the life span of your RSA key pairs, and that each generated key pair is unique.
Increased Certificate Storage
You can store up to six key pairs and multiple digital certificates on your Classic Client
smart card/token, depending upon the size of your certificates and space available on
your smart card/token. This feature provides the convenience of using up to eight
digital certificates for whatever purposes you want; for example, you can use
certificates with varying degrees of encryption (from 1024–bit to 512–bit RSA key pairs)
to communicate securely with contacts in various parts of the world.
Another reason for obtaining more than one digital certificate is the level of certification
that the Certificate Authority (CA) requires. You may want to obtain and use a digital
certificate from a CA that requires stringent identity certification if you are using the
certificate for sensitive business communications or financial transactions. However, if
you want to encrypt/sign data for personal communications, you may decide that a
certificate from a CA that requires minimal identity certification meets your needs.
The costs of obtaining a digital certificate from a CA are somewhat based on the
degree of identity certification the CA requires.
B Troubleshooting
This appendix lists answers to some questions you may have about Classic Client
Toolbox.
General
I lost/forgot my PIN.
If you lost or forgot your User PIN, you can try to unblock the PIN with the PIN
Management Tool, only if this option has been granted to you upon installation by the
Administrator. If you do not have this privilege, you must contact the Administrator to
unblock your smart card.
My smart card/token appears to have stopped working
If your smart card/token stops working, consider the following reasons:
■ Your smart card’s/token’s PIN may be blocked. You can unblock your smart card/token as described in the section about unblocking a PIN.
■ Your smart card’s/token’s certificate may have expired. You need to get a new certificate. See information about getting a new certificate.
■ Your smart card’s/token’s certificate may not be registered. If you are using Microsoft e-mail software, you may need to register your certificate. See information about registering a certificate.
■ The problem may be a hardware-related failure. Ask your Administrator for help.
Certificate Related Problems
General
How can I check that my certificate is stored on my Classic Client smart card/token?
Use the Certificates tool to see information about your certificate. If you cannot see
information about your certificate, it might not be on your Classic Client smart card/
token. Either your certificate was stored on your hard drive during download or you do
not have a certificate.
If you did not select the correct CSP when you requested your certificate then your
certificate is stored on your hard drive. You must obtain a new certificate and be sure to
specify the correct CSP during the download process. Contact your Certificate
Authority if you purchased a digital certificate. You may be able to avoid fees for
obtaining a new certificate.
The correct CSPs to specify are:
■ Gemalto Classic Card CSP
If your Classic Client smart card/token or browser and e-mail applications do not list
your digital certificate, then there was probably an error during download or enrollment
of your certificate. Contact your Certificate Authority for additional help.
Browsers
I downloaded my certificate using Mozilla and now I can't use it with Internet Explorer and Outlook.
When you download a digital certificate using Mozilla, you must register your certificate
with the Certificates Tool before you can use it with Internet Explorer and Outlook. In
fact, you must do this on every computer on which you want to use this certificate with
Internet Explorer and Outlook.
If the Classic Client Toolbox Registration Tool (certificate registry) is installed, it will
do this for you automatically simply by removing and reinserting your card/token.
The certificate I use with Internet Explorer doesn’t seem to work on any other computer.
If you want to use your certificate on another computer with Internet Explorer, you must
register it first using the Certificates Tool.
I have an expired certificate in Internet Explorer and I can't delete it.
To delete a certificate with Internet Explorer 9 or later:
1 Click Tools > Options to open the Internet Options dialog box.
2 In the Internet Options dialog box, click the Content tab.
3 Click Certificates to open the Certificate Manager dialog box.
4 Select the certificate you want to remove.
5 Click Remove.
Internet Explorer is available free for download from www.microsoft.com.
When I try to connect to a secure Web site that requests client authentication, it takes an exceptionally long time to connect, if it ever connects.
If you experience an extremely slow connection when you are trying to connect to a
secure server, the problem could be related to the Web server, your computer, or your
digital certificate.
The best thing to do is to disconnect and try again. You may have simply had a bad
connection.
You can test connections to other secure Web sites to determine if the problem is
related to a specific Web server.
To rule out problems related to your computer, verify your hardware connections,
communication settings, and security settings.
Finally, view your certificate to make sure it is valid and make sure your Classic Client
smart card/token is properly connected.
When I try to connect to a secure Web site that requests client authentication, I am rejected.
If your certificate is rejected, try again. If your certificate is rejected again it could be for
one of the following reasons:
■ The certificate is not valid. Check the validity of your certificate using the Certificates tool.
■ The Web server does not have an entry for the Certificate Authority that issued and signed the certificate.
■ Your smart card reader is not properly connected or you do not have the appropriate reader driver installed.
■ Your digital signature is temporarily corrupt, as in the case of an intruder trying to spy on your secure connection.
I am not warned prior to entering a secure Web site.
You can tell a Web site is secure when its address starts with the characters https. If
you want, you can set your browser to warn you before entering a secure Web site.
In Internet Explorer 9 or later:
1 Click Tools > Options to open the Internet Options dialog box.
2 In the Internet Options dialog box, click the Security tab.
3 Select a Web content zone to specify its security settings.
4 Click Custom Level.
5 Select Prompt under the actions for which you want to be warned.
In Firefox 14:
1 Click Security to open Firefox’s security window.
2 Click Navigator on the left side of the window.
3 Select the options you want under Show a warning before.
e-Mail
I tried to send a secure e-mail but received a message that something was wrong with the recipient's certificate.
Check the validity of the user certificate. You may also want to contact the user directly
to inquire about the status of their certificate. The user can always send a new signed
message to you so that you can refresh or add the valid certificate.
I tried to send a secure e-mail but received a message that something was wrong with my certificate.
Check the following:
■ Verify that a valid certificate is linked to your e-mail account.
■ Use the Certificates tool to make sure the certificate you are using to send secure e-mail has not expired.
If the previous conditions are met and you still get the message that something is
wrong with your certificate, contact your Certificate issuer for further assistance.
When I try to send secure e-mail, I get the message that there is no certificate associated with my e-mail account.
Before you can send secure e-mail using the digital certificate stored on your Classic
Client smart card/token, you must link your certificate to your e-mail account.
When I try to send secure e-mail, I get a message that says I don't have a certificate for the person I'm trying to e-mail.
You could have one of three problems:
■ You do not have a certificate for this person. If you do not have a certificate for the user, you can add the user certificate by receiving a signed e-mail from the user or by obtaining the user's certificate from a public directory.
■ You do not have a certificate linked to the user's e-mail address. If you already received a signed e-mail from the user but the certificate is not associated with the user's e-mail address, you must open the signed e-mail and add the user's certificate to your Contacts folder (Outlook 2003). If you are using Mozilla Thunderbird, you should not encounter this problem because when you receive a signed message from a user, their digital certificate is automatically linked to their e-mail address.
■ The certificate that you have for this user is not valid. You can view the user certificate to determine if it is valid using your e-mail software.
The recipients of my e-mail cannot decrypt my messages or attached files.
Your contacts may not be able to decrypt the e-mail or attachments that you send to
them because of the session key length specified in your browser. A session key is the
cryptographic secret key that is used to encrypt the actual message text of your e-mail
and attachments. (The RSA key pair is used to decrypt/encrypt the session key).
Until recently, Mozilla and Microsoft browsers and e-mail applications were subject to
cryptographic export regulations. As such, if you were sending e-mail to international
contacts outside of the United States and Canada, you could have been using a
session key that was too long or too strong. The session key length limitation for all
versions of Internet Explorer and Mozilla Firefox is 128-bits. For some countries, the
limit used to be 40-bits for the international versions of both products.
In order to decrypt your e-mails, your recipients should be instructed to install
Microsoft’s High Encryption Package.
Localization Problems
Gemalto Localization System Warning Message
If the following warning message appears on your screen, it is to inform you that the
GSLibs.res file has been modified by someone else. There is no direct impact on the
functionality of the software; however, for details on how to remove this message from
your screen, contact your Gemalto representative (refer to “For Further Help” on
page x).
Smart Card Reader Problems
When I start my computer, I get a message that the appropriate
smart card reader driver is not installed.
Normally all the smart card reader drivers you will need are installed automatically
when you install Classic Client.
If for some reason it appears you are missing a driver, then install it by running the
Smart Diag Tool. Refer to “Diagnostic Tool” on page 28.
Note: If you do not have the Smart Diag Tool, download the corresponding driver from
the Gemalto web site at: http://support.gemalto.com.
The LED on my smart card reader blinks while my smart card is in the reader.
Check if your Classic Client smart card is properly inserted into your reader. The smart
card should be inserted such that the front of the smart card is facing the Gemalto logo
on your smart card reader. You will not be able to see the microprocessor contact (the
gold-plated area on the front of your Classic Client smart card) when your smart card is
in the smart card reader.
Make sure that your smart card is firmly inserted. When the smart card is in the reader,
the LED should remain lit.
Make sure that the smart card is supported and recognized by Classic Client Toolbox
(see Release Notes).
The LED on my smart card reader does not blink nor does it stay on. There is no light.
If your smart card reader is properly installed and your Classic Client smart card is in
the reader, the LED should show a steady green light. The LED should blink when the
smart card is not in the reader.
Verify that your smart card reader is properly installed. Refer to instructions on the
smart card reader box or this guide. The LED will not blink or remain on when your
computer is off.
The rapid removal and re-insertion of a smart card/token causes problems.
If you quickly remove and re-insert a smart card/token the computer may “hang”.
Whenever you remove or re-insert a smart card/token, be careful not to do it too
quickly; wait until the computer finishes processing a task before removing the smart
card/token.
Removing the smart card/token while it is being read or written to may cause the
application to interrupt the smart card/token session. During write operations, removing
the smart card/token may even destroy data stored on the smart card/token.
C Using Classic Client with a Citrix Infrastructure
This appendix provides specific information about using Classic Client with one of the
following Citrix environments:
■ Presentation Server 4.5
■ XenApp 5.0 (the new name for Presentation Server)
System Requirements
This section describes the network and hardware requirements for running Classic
Client with Citrix.
Network
The quality of a network’s performance depends on the following factors:
■ Bandwidth — Citrix products are known for their good network performance. Refer to the following Citrix documents for details on the bandwidth needed:
CTX114842 - Presentation Server Console Communication Bandwidth - Citrix Knowledge Center
CTX114843 - Presentation Server Communication Bandwidth Requirements and Application of IMA Bandwidth Formulas - Citrix Knowledge Center
■ Latency — Gemalto recommends a latency of 20 ms or less for Classic Client to perform well. However, performance should still be acceptable up to around 70 ms. If your network’s latency is more than 70 ms, please consult your network administrator.
■ Jitter — This should be < 5 ms
■ Datagram loss — This should be < 1%
Note: For small to medium systems (up to 20 clients), the number of clients does not
greatly affect the performance of the network.
Diagnostic Tools
The following tools are useful for testing the performance of your network (latency,
jitter, datagram loss):
■ IPerf (http://dast.nlanr.net/Projects/Iperf)
■ D-ITG (Distributed Internet Traffic Generator) (http://www.grid.unina.it/software/ITG/)
Network Problems
If you experience performance problems with your network, use the diagnostic tools
mentioned above and/or try to connect from another location (for example, from the
same VLAN as the Citrix server).
Hardware
RAM
The memory used by Classic Client is about 25 MB per client. This must be combined
with any applications that are accessing the smart card on the same client at the same
time. For example, with Internet Explorer 7, this becomes 70 MB (25+45) for each
client session. Thus:
■ 10 clients using Classic Client with IE7 require (10 x 70) = 700 MB
■ 50 clients using Classic Client with IE7 require (50 x 70) = 3,500 MB
However, the 25 MB of RAM used by Classic Client needs to be combined with each
application that is running at the same time. If for example IE7 and another application
are both running, then the RAM for each client session would be (25+45 for IE)+
(25+X) for the other application.
Where X is the RAM needed for the other application.
Thus if X = 30 MB, each client would need (25+45 for IE) + (25+30 for the other
application) = 70+55 = 125 MB. In that case:
■ 10 clients using Classic Client with IE7 and the other application require (10 x 125) = 1,250 MB
■ 50 clients using Classic Client with IE7 and the other application require (50 x 125) = 6,250 MB
This required memory must be added to Citrix sizing recommendations.
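The per-session memory model above, as an added example in Go that is not code from this guide or from Classic Client: the Classic Client overhead is charged once per smart-card application, not once per session, so IE7 alone costs 25+45 = 70 MB and IE7 plus a 30 MB application costs 125 MB. The 25 MB, 45 MB and 30 MB figures are the guide's own; the memory-budget helper is an assumption added here.

```go
package main

import "fmt"

// classicClientMB is the memory Classic Client adds for each application that
// accesses the smart card in a client session (25 MB per application).
const classicClientMB = 25

// App is an application in a Citrix client session that uses the smart card,
// with its own footprint in MB (the guide gives 45 MB for Internet Explorer 7).
type App struct {
	Name string
	MB   int
}

// SessionMB returns the RAM one client session needs. The Classic Client
// overhead is charged once per smart-card application, not once per session:
// IE7 alone is 25+45 = 70 MB; IE7 plus a 30 MB application is 70+55 = 125 MB.
func SessionMB(apps []App) int {
	total := 0
	for _, a := range apps {
		total += classicClientMB + a.MB
	}
	return total
}

// TotalMB returns the RAM that clients concurrent sessions need. This figure is
// added on top of the Citrix sizing recommendations for the server itself.
func TotalMB(clients int, apps []App) int {
	return clients * SessionMB(apps)
}

// SessionsWithin returns how many client sessions fit in budgetMB of RAM set
// aside for Classic Client sessions (an added helper, not from the guide).
func SessionsWithin(budgetMB int, apps []App) int {
	return budgetMB / SessionMB(apps)
}

func main() {
	ie7 := App{"Internet Explorer 7", 45}
	other := App{"other smart-card application", 30} // the guide's X = 30 MB case
	for _, clients := range []int{10, 50} {
		fmt.Printf("%d clients, IE7 only: %d MB\n", clients, TotalMB(clients, []App{ie7}))
		fmt.Printf("%d clients, IE7 + other: %d MB\n", clients, TotalMB(clients, []App{ie7, other}))
	}
	fmt.Println("sessions (IE7 + other) within 4096 MB:", SessionsWithin(4096, []App{ie7, other}))
}
```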
CPU
Generally CPU usage is not a problem with Classic Client. However, the
C_WaitForSlotEvent mechanism uses a great deal of CPU, and so applications that use
it, such as Mozilla Firefox and Thunderbird, are difficult for Classic Client to manage.
For this reason, Gemalto does not support Firefox and Thunderbird when used with
Classic Client in a Citrix environment.
Hard Disk of Server
Generally the speed of a disk system does not limit scalability unless one of the
following occurs:
■ The server does not have enough memory and starts to rely heavily on the page file. Even the fastest disk array has an access time thousands of times slower than real memory - the only solution for this problem is to add more RAM to the system.
■ The applications used require intense disk access and the disk array is unable to cope with the amount of traffic generated by the large number of users running the application simultaneously.
■ The file system accessed by the application is on a remote file server and the network between the Presentation Server and the file server cannot cope with the volume of traffic generated by the application's file accesses.
Software
You should use the following version of Windows Server:
■ For Citrix Presentation Server 4.5: Windows Server 2003 SP2
■ For Windows Server 2008: Windows Server 2008
Estimating the size of a Citrix client-server system
Typically you will want to estimate the size of an environment for “x” users. Gemalto
recommends that you set up one server with the production environment you plan to
deploy. Load users onto this server until the server reaches 80% - 85% of capacity.
Once you have the number of users for a single server, you can estimate the amount of
hardware required to host your complete environment.
For example if you find that one server supports 100 users at 80-85% capacity, and
you have a system of 300 users, then you will need three servers.
This method will produce the most accurate results for the hardware and software
configuration you intend to run. This is important considering the number of different
servers / CPU / Memory / OS configurations.
The following articles may be of further help:
CTX114845 - Advanced Concepts Guide — Hardware Configurations — Citrix
Knowledge Center
CTX114844 - Effects of Varying the Number of CPUS of a Citrix Presentation
Server — Citrix Knowledge Center
Gemalto Requirements
You must follow the system requirements outlined in this chapter. If you do so, Classic
Client will support a Citrix environment with up to 20 clients. This section provides
guidelines on how to improve the performance of Classic Client in your Citrix
environment.
Caution: Remember not to use the Mozilla applications Firefox and Thunderbird with
Classic Client and Citrix.
Terminology
Abbreviations
CA
Certificate Authority
CAPI
Crypto Application Program Interface
CMS
Card Management System
CSP
Cryptographic Service Provider
ECC
European Citizen Card
EEPROM
Electrically Erasable Programmable Read-only Memory
ID
Identification
IE
Internet Explorer
LED
Light Emitting Diode
PC/SC
Personal Computer/Smart Card
Personal Computer to smart card. Entry point for all applications that use a smart card.
PIN
Personal Identification Number
PKCS
Public Key Cryptography Standard
PKCS#11
Public Key Cryptography Standard #11. For further information about this and other PKCS standards, refer to the RSA Laboratories web site at http://www.rsa.com/rsalabs/
PKI
Public Key Infrastructure
RSA
Rivest, Shamir, Adleman (inventors of public key cryptography standards)
S/MIME
Secure/Multipurpose Internet Mail Extensions
SO
Security Officer. The PIN Pad reader prompts for the SO PIN, which means the Admin PIN.
SSL
Secure Sockets Layer
A protocol (version 3.0) for securing TCP/IP sessions
WinSCard
Microsoft PC/SC library which provides the smart card API (Application Programming Interface)
Glossary
Algorithm
A mathematical formula used to perform computations that
can be used for security purposes.
Certificate
A certificate provides identification for secure transactions. It
consists of a public key and other data, all of which have been
digitally signed by a CA. It is a condition of access to secure e-mail or to secure Web sites.
Certificate Authority
An entity with the authority and methods to certify the identity
of one or more parties in an exchange (an essential function in
public key crypto systems).
Confirmation button
The button on a PIN pad reader that saves the data you have
entered. It is often called Enter, or Valid, or OK. For example
Gemalto’s PC Pinpad readers have a green Enter button.
Cryptography
The science of transforming confidential information to make it
unreadable to unauthorized parties.
Digital Signature
A data string produced using a Public Key Crypto system to
prove the identity of the sender and the integrity of the
message.
Encryption
A cryptographic procedure whereby a legible message is
encrypted and made illegible to all but the holder of the
appropriate cryptographic key.
Key
A value that is used with a cryptographic algorithm to encrypt,
decrypt, or sign data. Secret key crypto systems use only one
secret key. Public key crypto systems use a public key to
encrypt data and a private key to decrypt data.
Key Length
The number of bits forming a key. The longer the key, the
more secure the encryption. Government regulations limit the
length of cryptographic keys.
Key Set
A key set in a smart card contains the following data objects:
■ Private key
■ Public key
■ Certificate
■ Descriptor
Public Key Crypto system
A cryptographic system that uses two different keys (public
and private) for encrypting data. The most well-known public
key algorithm is RSA.
S/MIME
A Standard offline message format for use in secure e-mail
applications.
Splash screen
This is the picture that first appears when you start the Classic
Client toolbox. This picture is currently the one with the man in
the deck-chair that you will also find on the front cover of this
document.
SSL
Secure Sockets Layer: A Security protocol used between
servers and browsers for secure Web sessions.
SSL Handshake
The SSL handshake, which takes place each time you start a
secure Web session, identifies the server. This is
automatically performed by your browser.
Token
In a security context, a token is a hardware object like a smart
card, but it could also be a pluggable software module
designed to interact with a specific hardware module, such as
a smart card. Token-based authentication provides enhanced
security because success depends on a physical identifier (the
smart card) and a personal identification number (PIN).