HP T5720 - Compaq Thin Client User Manual

Implementing ActivIdentity Smart Cards for Use with
HP Compaq t5720 Thin Clients and HP Blade PCs
Introduction (page 2)
Prerequisites (page 2)
Reference hardware and software (page 3)
Reference Documents (page 4)
Client Software Configuration (page 5)
Installing ActivClient PKI Only (page 5)
Initializing the smart card (page 8)
Server Software Configuration (page 9)
Installing Microsoft Certificate Services (page 9)
Configuring a Certificate Authority (CA) service (page 13)
Manually issue Smart Card User Certificate (page 24)
Smart Card Validation (page 27)
Testing the Smart Card (page 27)
Troubleshoot ActivClient (page 28)
Additional information (page 29)
Using a Smart Card For Windows Network Login (page 29)
Working with ActivClient PKI Only 6.0 Libraries (page 29)
Usage cases (page 31)
Server using RDP (page 32)
Server using the HP SAM client (page 32)
Usage case 4: Accessing secure Web site (page 34)
Directory Server (page 35)
Acronyms (page 40)
Service and Support (page 41)


Summary of Contents for HP T5720 - Compaq Thin Client

  • Page 1: Table Of Contents

    Implementing ActivIdentity Smart Cards for Use with HP Compaq t5720 Thin Clients and HP Blade PCs
  • Page 2: Introduction

    Introduction Smart cards can strengthen user authentication in a corporate network by offering strong, 2-factor authentication to offset weak passwords or cumbersome authentication policies requiring frequent password changes. This paper provides instructions for configuring a smart card with your HP Compaq t5720 Thin Clients and HP blade PCs.
  • Page 3: Reference Hardware And Software

    • Citrix Presentation Server 4 with Hotfix Rollup Pack PSE400W2KR01 for Citrix Presentation Server 4.0 for Windows 2000 Server. • Fat clients: - Client (Windows 2000/XP): MetaFrame Presentation Server Client Packager 8.1, Program Neighborhood Classic component. - Citrix Presentation Server Client Packager - Version 9.200 - Program Neighborhood (Classic), 9.1 on Win32: Program Neighborhood Agent.
  • Page 4: Reference Documents

    • Smart Card Readers • HP standard USB Smart Card Keyboard. Go to http://www.hp.com for driver support available with sp31137.exe (driver 4.30.0.1) or greater. Driver: HPKBCCID.sys, version 4.30.0.1. • USB CAC approved smart card reader (SCM Microsystems SCR331 Reader). Driver: SCR33X2K.sys, version 4.27.00.01.
  • Page 5: Client Software Configuration

    Client Software Configuration Installing ActivClient PKI Only The Setup Deployment chapter of the Resource Kit provided by ActivIdentity discusses how to deploy ActivClient using standard methods. The ActivClient PKI Only 6.0 allows the user (based on privileges) or the Administrator to change and verify the PINs, view card and system information, and register certificates.
  • Page 6 As mentioned above, the first installation step is to modify the thin client’s RAMDisk size from default settings to 64 MB. Make note of the default setting so that it can be restored after installation is complete. To change RAMDisk size, click Start > Control Panel > HP RAMDisk Manager. Next, modify the thin client TEMP and TMP environmental variables to a location that can support the .msi user installation package size.
  • Page 7 Once the environmental variables have been changed, right-click on the EWF icon on the taskbar and select Commit. NOTE: The environmental variables should be changed back to default settings after the installation package has been installed, and then the write filter changes must again be committed. Installation of ActivClient base services and CSP is required on the client for smart card support.
  • Page 8: Initializing The Smart Card

    Initializing the smart card Use the following procedure on blank smart cards or cards which contain a standalone profile that need to be re-initialized. To initialize your PIN using the PIN Initialization Tool: Go to Start > Programs > ActivIdentity > ActivClient and select PIN Initialization Tool. -or- Right-click the ActivClient Agent icon located on the Windows taskbar and select PIN...
  • Page 9: Server Software Configuration

    Server Software Configuration Installing Microsoft Certificate Services Role-based administrative features included in Windows Server 2003 can be used to manage and maintain digital certificates via the Certification Authority (CA). The CA can be used by a user or administrator to provision a smart card.
  • Page 10 Click Certificate Services, and then click Next. Select Enterprise Root CA, and then click Next.
  • Page 11 Click Yes to accept the warning. Type a Common name for this CA, and then click Next.
  • Page 12 Select Next to accept Certificate Database Settings. The installation will configure components, as shown in the following screen.
  • Page 13: Configuring A Certificate Authority (CA) Service

    Click Yes when prompted to temporarily stop IIS. Click Finish to complete the installation. Configuring a Certificate Authority (CA) service Configure a CA service. This white paper uses Microsoft Certificate Services to configure certificates. Refer to “Installing Microsoft Certificate Services” on page 9 on installing certificate services.
  • Page 14 Create a duplicate template by right-clicking on the Smartcard Logon certificate template, and then selecting Duplicate Template. Type a name for the new template in the Template Display name box. For this example we will use the template name of CCI Smartcard User. This template will be referred to for the remainder of this paper.
  • Page 15 Click the Request Handling tab. Select 1024 in the Minimum key size box. Click the CSPs button. Select Requests can use any CSP available on the subject’s computer. Click the Security tab.
  • Page 16 In the Permissions for Authenticated Users area, in the Allow column, select both Read and Enroll. You have completed the creation of the template. Copy the CCI SmartCard User certificate template into the Certificate Templates folder under the certificate server. a.
  • Page 17 d. Select New > Certificate Template to Issue. Select the template, and then click OK to import the template.
  • Page 18: Configuring Microsoft Certificate Authority To Issue Smart Card User Certificate

    Configuring Microsoft Certificate Authority to Issue Smart Card User Certificate ActivClient 6.0 PKI Services support Digital certificate-based logon to Windows 2000, Windows XP Professional, and Windows Server 2003. The Services also support: • The ability to log off user and lock workstation on smart card removal. •...
  • Page 19 Expand the defined CA. Right-click Certificate Templates, and then select New. a. Select Certificate Template to Issue. b. Select Enrollment Agent. c. Select OK to add. Launch Internet Explorer and browse to http://localhost/certsrv.
  • Page 20 Under Select a task, select Request a certificate. Select advanced certificate request.
  • Page 21 Select Create and submit request to this CA. In the Certificate Templates box, select Enrollment Agent.
  • Page 22 Verify Enrollment Agent Settings in the Key Options section as follows: • Create new key is selected • Microsoft Enhanced Cryptographic Provider v1.0 • Click Submit. Accept default settings under Additional Options. If a warning message displays about a potential scripting violation, press Yes to continue with the certificate request.
  • Page 23 Install the Enrollment certificate requested. Select Yes to Potential Scripting Violation. You have successfully generated and installed the required Enrollment Certificate, as shown below.
  • Page 24: Manually Issue Smart Card User Certificate

    Manually issue Smart Card User Certificate Launch Internet Explorer and browse to http://localhost/certsrv. Select Request a certificate. Select advanced certificate request.
  • Page 25 Select Request a certificate for a smart card on behalf of another user by using the smart card certificate enrollment station. Select Smartcard User under Enrollment Options.
  • Page 26 Define the user to enroll by clicking Select User. NOTE: ActivClient Libraries may report a container error message when used for secure logon purposes. It is important that the server's Active Directory User information contain an e-mail address on any smart card provisioned with a smart card user certificate to avoid any ActivClient secure logon error messages.
  • Page 27: Smart Card Validation

    Insert Smart Card into Reader, and then select Enroll. Smart Card Validation Testing the Smart Card To verify that the CCI SmartCard Logon certificate for the user is installed on the smart card: 1. Click the ActivCard icon in the system tray to open the ActivClient user console. 2.
  • Page 28: Troubleshoot ActivClient

    3. Select the username ID to view the installed certificate, which shows: • who it was issued to • who it was issued by • valid dates Troubleshoot ActivClient The Troubleshooting Wizard helps you solve any problems with ActivClient. It analyzes your system, diagnoses the problems, and then displays the results on the Diagnosis And Resolutions page.
  • Page 29: Additional Information

    The following table lists what actions to take next if you do not type your PIN or the Troubleshooting Wizard is displayed: You do not type your PIN. Then: With the certificates stored on your smart card, the Diagnosis and Resolutions report will not: •... Action: None.
  • Page 30 • Manage the smart cards and certificates used with ActivClient PKI Only 6.0 Libraries • Use ActivClient PKI Only 6.0 Libraries to log on/off and lock/unlock your Windows 2000, XP workstation, Windows 2000 and 2003 Servers. • Use a digital certificate to improve e-mail security and browse secure web sites. •...
  • Page 31: Usage Cases

    Usage cases Usage case 1: User authentication from HP blade PC to Active Directory Domain The following steps provide instructions for performing a functional test of the SmartCard Logon certificate (assumes ActivClient PKI Only 6.0 libraries have been distributed to client blade PCs): Ensure the CCI blade is connected to Active Directory Domain “Log Off”...
  • Page 32: Usage Case 2: User Authentication From Client Device To Blade PC Or Active Directory Server Using RDP

    Usage case 2: User authentication from client device to blade PC or Active Directory Server using RDP The following steps provide instructions for performing a functional test of the SmartCard Logon certificate: Log out of the RDP session. Open the Remote Desktop Communications window and initiate a connection to the HP blade PC. Make sure a smart card is installed in the reader.
  • Page 33 The following steps provide instructions for performing a functional test of the CCI SmartCard Logon certificate: Log out of the MS RDP session. Open the HP SAM client window and initiate a connection to the HP blade PC or Active Directory Server.
  • Page 34: Usage Case 4: Accessing Secure Web Site

    Usage case 4: Accessing secure Web site Secure Web access means access to any Web server with SSL v3 and a digital certificate. The following steps provide instructions for accessing a secure Web site using an ActivIdentity smart card through an HP blade PC or Active Directory Server. Installing and configuring a secure Web site is beyond the scope of this white paper;...
  • Page 35: Usage Case 5: User Authentication Using VPN Through Firewall To HP Blade PC Or Active Directory Server

    Usage case 5: User authentication using VPN through firewall to HP blade PC or Active Directory Server Instructions for installing and configuring a VPN tunnel with a firewall are beyond the scope of this white paper; therefore, the white paper assumes the VPN tunnel and firewall are already installed and functional.
  • Page 36 Select Add a shortcut for this connection to my desktop, and then click Finish. Depending upon the configuration of the VPN tunnel, you may have to change the configuration of the VPN connection. To change the configuration of the VPN window: In Control Panel, open Network and Internet Connections >...
  • Page 37 Right-click on the VPN connection icon and select Properties. You can initiate the VPN connection after setting it up, as follows: Start the VPN connection. In Smart card PIN, type the PIN, and then click OK. While establishing the VPN connection, the system displays Verifying username and password and Authenticated.
  • Page 38: Usage Case 6: User Authentication From Client Device Using Citrix Server

    After the connection is established, the network connection icon displays in the system tray. Usage case 6: User authentication from client device using Citrix server A single client can access multiple Citrix servers in the same session, with ActivClient running on each Citrix server.
  • Page 39 3. Select properties for the ICA connection, click the Logon Information tab, select Smart card, and then click OK. 4. Double-click the shortcut to connect to the Citrix server. 5. During logon to the server, the smart card login prompt appears for authorization.
  • Page 40: Acronyms

    Acronyms ACM—Adaptive Credential Manager. CA—Certificate Authority. CAC—Either Common Access Card (for U.S. government) or Corporate Access Card (for enterprise systems). CSP—Cryptographic Service Provider. FIPS—Federal Information Processing Standard. GP—GlobalPlatform. Replaces OpenPlatform (OP). PKI—Public Key Infrastructure. PIV—Personal Identity Verification Card issued by the United States Department of Defense. Displays an expiration date for the card and the card’s certificate.
  • Page 41: Service And Support

    TEL: +61-2-62084888 FAX: +61-2-6281-7460 © 2007 Hewlett-Packard Development Company, L.P. The information in this document is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services.
