Red Hat CERTIFICATE SYSTEM 8.0 - MANAGING SMART CARDS WITH THE ENTERPRISE SECURITY CLIENT 1-23-2010 Manual

Red Hat Certificate System 8.0: Managing Smart Cards with the Enterprise Security Client
Ella Deon Lackey
Publication date: July 22, 2009, updated on January 23, 2010
Summary of Contents for Red Hat CERTIFICATE SYSTEM 8.0 - MANAGING SMART CARDS WITH THE ENTERPRISE SECURITY CLIENT 1-23-2010

  • Page 1 Red Hat Certificate System 8.0 Managing Smart Cards with the Enterprise Security Client Ella Deon Lackey Publication date: July 22, 2009, updated on January 23, 2010...
  • Page 2 Managing Smart Cards with the Enterprise Security Client Red Hat Certificate System 8.0 Managing Smart Cards with the Enterprise Security Client Author Ella Deon Lackey Copyright © 2009 Red Hat, Inc. The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA").
  • Page 3: Table Of Contents

    About This Guide 1. What Is in This Guide ..................... v 2. Additional Reading ......................v 3. Examples and Formatting ....................vi 3.1. Formatting for Examples and Commands .............. vi 3.2. Tool Locations ..................... vi 3.3. Guide Formatting ....................vi 4.
  • Page 4 Managing Smart Cards with the Enterprise Security Client 4.3. Using Security Officers to Manage Users ..............44 4.3.1. Enrolling a New User ..................44 4.3.2. Performing Other Security Officer Tasks ............47 4.3.3. Formatting an Existing Security Officer Smart Card ..........48 5.
  • Page 5: About This Guide

    Managing Smart Cards with the Enterprise Security Client and the End User's Guide, together, are both for end users of Red Hat Certificate System. For more information on the basic concepts of certificates, public key infrastructure, and Certificate System itself, see the Certificate System Deployment Guide, http://www.redhat.com/docs/manuals/cert-system/8.0/deploy/html/, and the End User's Guide, http://www.redhat.com/docs/manuals/cert-system/8.0/ee/html/...
  • Page 6: Examples And Formatting

    Certificate Status Responder (which checks the revocation status) and the Data Recovery Manager (which recovers the certificate information if a token or a certificate is lost). The latest information about Red Hat Certificate System, including current release notes and other updates, is always available at the Certificate System documentation page, http://www.redhat.com/docs/manuals/cert-system/.
  • Page 7: Giving Feedback

    If there is any error in this Enterprise Security Client Guide or there is any way to improve the documentation, please let us know. Bugs can be filed against the documentation for Red Hat Certificate System through Bugzilla, http://bugzilla.redhat.com/bugzilla. Make the bug report as specific as possible, so we can be more effective in correcting any issues: •...
  • Page 8: Document History

    About This Guide 5. Document History Revision 8.0.6 January 23, 2010 Ella Deon Lackey dlackey@redhat.com Correcting Windows Enterprise Security Client process for proper 64-bit Windows packages, per Errata RHBA-2009:1687. Revision 8.0.5 December 21, 2009 Ella Deon Lackey dlackey@redhat.com Updating platform support to include 64-bit Windows platforms, per Errata RHBA-2009:1687.
  • Page 9: Introduction To The Enterprise Security Client

    Chapter 1. Introduction to the Enterprise Security Client The Enterprise Security Client is a tool for Red Hat Certificate System which simplifies managing smart cards. End users can use security tokens (smart cards) to store user certificates used for applications such as single sign-on access and client authentication. End users are issued the tokens containing certificates and keys required for signing, encryption, and other cryptographic functions.
  • Page 10: Red Hat Certificate System And The Enterprise Security Client

    Chapter 1. Introduction to the Enterprise Security Client These certificates can be stored on a smart card. When a user inserts a smart card, the smart card presents the certificates to the system and identifies the user so the user can be authenticated. One of the two authentication methods for Red Hat Enterprise Linux's single sign-on is smart card authentication.
  • Page 11: The Enterprise Security Client And The Windows Cryptographic Service Provider

    The Enterprise Security Client and the Windows Cryptographic Service Provider A total of four Certificate System subsystems are involved with managing tokens, two for managing the tokens (TKS and TPS) and two for managing the keys and certificates within the public-key infrastructure (CA and DRM).
  • Page 12 Chapter 1. Introduction to the Enterprise Security Client • Send and receive encrypted and signed emails with Microsoft Outlook. • Visit SSL-protected websites with Microsoft Internet Explorer. • Access certain VPN clients using the smart card, which provides secure access to protected networks.
  • Page 13: Installing The Enterprise Security Client

    Chapter 2. Installing the Enterprise Security Client The Enterprise Security Client is packaged as a set of installation executables or RPMs and other files that are part of the complete Red Hat Certificate System distribution. These are listed in the installation chapter of the Certificate System Administrator's Guide.
  • Page 14: Uninstalling On Red Hat Enterprise Linux

    Chapter 2. Installing the Enterprise Security Client # yum install esc If the yum command completes successfully, all of the necessary Enterprise Security Client RPMs will be installed and ready for use. NOTE If the yum utility was used to install the Enterprise Security Client, there is no need for further installation;...
  • Page 15: Installing And Uninstalling On Windows

    Installing and Uninstalling on Windows 2. Stop the Enterprise Security Client. 3. Log in as root, and use rpm -ev to remove the Enterprise Security Client RPMs in the following order: NOTE Update the version numbers of the RPM files to match your version. # rpm -ev coolkey # rpm -ev esc 4.
  • Page 16 Chapter 2. Installing the Enterprise Security Client 4. Next, double-click the SmartCardManagerSetup-1.0.1-X.win32.i386.exe file to launch the Enterprise Security Client installation program. 5. Click Next to begin going through the installer, and then accept the license agreement. 6. The wizard displays the list of packages that will be installed.
  • Page 17 Installing the Client 7. The wizard prompts for the installation directory for the Enterprise Security Client. The default directory is C:\Program Files\Red Hat\ESC.
  • Page 18 Chapter 2. Installing the Enterprise Security Client 8. The wizard prompts for the Start Menu directory for the Enterprise Security Client. The default directory is Red Hat.
  • Page 19 Installing the Client 9. Proceed through the Enterprise Security Client installation wizard. Click Install to begin installing the Enterprise Security Client components. NOTE The installation process also installs the CoolKey PKCS #11 driver needed for Certificate System-supported keys and automatically installs the Certificate System PKCS #11 module in any Mozilla browsers it can locate.
  • Page 20 Chapter 2. Installing the Enterprise Security Client 10. When the installation has completed, the Enterprise Security Client will prompt the user to insert a token, and can then be launched for immediate use.
  • Page 21 Installing the Client 11. Click Finish to complete the installation. The machine has to be restarted after installing the Enterprise Security Client, so, if possible, select the Yes radio button to restart the machine immediately.
  • Page 22: Uninstalling The Client

    Chapter 2. Installing the Enterprise Security Client 12. For 64-bit systems only. Last, double-click the CoolKeySetup-version.win64.x64.exe file to install the required 64-bit CoolKey libraries. 2.4.2. Uninstalling the Client 1. Unplug all USB tokens. 2. Stop the Enterprise Security Client. 3. Open the Control Panel, and click the Add Remove Programs icon. 4.
  • Page 23: Using The Enterprise Security Client

    Chapter 3. Using the Enterprise Security Client The following sections contain basic instructions on using the Enterprise Security Client for token enrollment, formatting, and password reset operations. 3.1. Tray Icons for the Enterprise Security Client Many programs maintain an icon in the tray or notification area which can be used to control the operation of the program, usually through context menus when the icon is right-clicked.
  • Page 24: Opening The Enterprise Security Client On Microsoft Windows

    Chapter 3. Using the Enterprise Security Client This daemon listens silently for smart cards and opens the GUI as soon as a smart card is inserted. To open the Enterprise Security Client GUI manually, click Applications, System Settings, and then Smart Card Manager.
  • Page 25: About Phone Home Profiles

    1. Remove any existing Enterprise Security Client user profile directory. Profile directories are created automatically when a smart card is inserted. • On Red Hat Enterprise Linux, the profile directory is ~/.redhat/esc. • On Windows, the profile directory is C:/Documents and Settings/user_name/Application Data/RedHat/ESC.
  • Page 26: Adding Phone Home Information To A Token Manually

    • If tokens are blank, the company IT department can supply the information when formatting small groups of tokens. The following information is used by the Phone Home feature for each smart card in the ~/.redhat/esc/alphanumeric_string.default/prefs.js file: • The TPS server and port. For example: "esc.key.token_ID.tps.url"...
  • Page 27: Configuring The Tps To Use Phone Home

    Configuring the TPS to Use Phone Home "esc.key.token_ID.tps.enrollment-ui.url" = "http://server.example.com:7888/cgi_bin/esc.cgi?" • The issuing company name or ID. For example: "esc.key.token_ID.issuer.name" = "Example Corp" • The Phone Home URL. For example: "esc.key.token_ID.phone.home.url" = "http://server.example.com:7888/phone_home/phone_home.cgi?" • Optionally, a default browser URL to access when an enrolled smart card is inserted. "esc.key.token_ID.EnrolledTokenBrowserURL"...
  • Page 28: Setting Up Users To Be Enrolled

    Chapter 3. Using the Enterprise Security Client configuration URI is accessed, the TPS server is prompted to return all of the Phone Home information to the Enterprise Security Client. To test the URL of the Smart Card server, enter the address in the TPS Config URI field, and click Test URL.
  • Page 29 Enrolling a Smart Card Automatically 2. Insert an uninitialized smart card, pre-formatted with the Phone Home information for the TPS and the enrollment interface URL for the user's organization. The smart card can be added either by placing a USB form factor smart card into a free USB slot, or by inserting a standard, full-sized smart card into a smart card reader.
  • Page 30 Chapter 3. Using the Enterprise Security Client This illustration shows the default enrollment UI included with the TPS server. This UI is a standard HTML form, which you can customize to suit your own deployment requirements. This could include adding a company logo or adding and changing field text. Section 6.4, “Customizing the Smart Card Enrollment User Interface”...
  • Page 31 Enrolling a Smart Card Automatically NOTE The LDAP user ID and password are related to the Directory Server user. The TPS server is usually associated with a Directory Server, which stores user information and through which the TPS authenticates users. Passwords must conform to the password policy configured in the Directory Server.
  • Page 32: Managing Smart Cards

    Chapter 3. Using the Enterprise Security Client 3.6. Managing Smart Cards You can use the Manage Smart Cards page to perform many of the operations that can be applied to one of the keys. You can use this page to format the token, set and reset the card's password, and to display card information.
  • Page 33: Formatting The Smart Card

    Formatting the Smart Card Figure 3.3. Manage Smart Cards Page 3.6.1. Formatting the Smart Card When you format a smart card, it is reset to the uninitialized state. This removes all previously generated user key pairs and erases the password set on the smart card during enrollment. The TPS server can be configured to load newer versions of the applet and symmetric keys onto the card.
  • Page 34: Resetting A Smart Card Password

    Chapter 3. Using the Enterprise Security Client 5. When the formatting process is complete, the Active Smart Cards table shows the card status as UNINITIALIZED. 3.6.2. Resetting a Smart Card Password If a user forgets the password for a smart card after the card is enrolled, it is possible to reset the password.
  • Page 35 Viewing Certificates 2. Select the card from the list, and click View Certificates. This displays basic information about the certificates stored on the card, including the serial number, certificate nickname, and validity dates. 3. To view more detailed information about a certificate, select the certificate from the list and click View.
  • Page 36: Importing Ca Certificates

    Chapter 3. Using the Enterprise Security Client 3.6.4. Importing CA Certificates The Xulrunner Gecko engine implements stringent controls over which SSL-based URLs can be visited by a client such as a browser or the Enterprise Security Client. If the Enterprise Security Client (through the Xulrunner framework) does not trust a URL, the URL cannot be visited.
  • Page 37 Importing CA Certificates 7. Click the Authorities tab. 8. Click Import. 9. Browse to the CA certificate chain file, and select it.
  • Page 38: Adding Exceptions For Servers

    Chapter 3. Using the Enterprise Security Client 10. When prompted, confirm that you want to trust the CA. 3.6.5. Adding Exceptions for Servers The Xulrunner Gecko engine implements stringent controls over which SSL-based URLs can be visited by a client such as a browser or the Enterprise Security Client. If the Enterprise Security Client (through the Xulrunner framework) does not trust a URL, the URL cannot be visited.
  • Page 39 Adding Exceptions for Servers 3. Click the Servers tab. 4. Click Add Exception.
  • Page 40: Enrolling Smart Cards

    Chapter 3. Using the Enterprise Security Client 5. Enter the URL, including any port numbers, for the site or service which the smart card will be used to access. Then click the Get Certificates button to download the server certificate for the site.
  • Page 41: Re-Enrolling Tokens

    Re-Enrolling Tokens 5. If the TPS has been configured for user authentication, enter the user credentials in the authentication dialog, and click Submit. If the TPS has been configured to archive keys to the DRM, the enrollment process will begin generating and archiving keys.
  • Page 42 Chapter 3. Using the Enterprise Security Client 2. Select the smart card to check from the list. 3. Click the Diagnostics button. 4. This opens the Diagnostic Information window for the selected smart card.
  • Page 43: Errors

    Errors The Enterprise Security Client records two types of diagnostic information. It records errors that are returned by the smart card, and it records events that have occurred through the Enterprise Security Client. It also returns basic information about the smart card configuration. 3.7.1.
  • Page 44 Chapter 3. Using the Enterprise Security Client • The Enterprise Security Client loses the connection to the smart card. This can happen when problems occur communicating with the PCSC daemon. • The connection between the Enterprise Security Client and TPS is lost. Smart cards can report certain error codes to the TPS;...
  • Page 45: Events

    Events 3.7.2. Events • Simple events such as card insertions and removals, successfully completed operations, card operations that result in an error, and similar events. • Errors are reported from the TPS to the Enterprise Security Client. • The NSS crypto library is initialized. •...
  • Page 47: Using Security Officer Mode

    Chapter 4. Using Security Officer Mode The Enterprise Security Client, together with the TPS subsystem, supports a special security officer mode of operation. This mode gives a supervisory individual, a security officer, the ability to oversee the face-to-face enrollment of regular users in a given organization. Security officer mode provides the ability to enroll individuals under the supervision of a security officer, a designated user type who can manage other users' smart cards in face-to-face and very secure operations.
  • Page 48 Chapter 4. Using Security Officer Mode It can be simpler to add and copy user entries in the LDAP database using the Red Hat Directory Server Console. Using the Directory Server Console is described more in the Red Hat Directory Server Administrator's Guide in section 3.1.2, "Creating Directory Entries."...
  • Page 49 Enabling Security Officer Mode 1. First, trust the CA certificate chain. a. Open the CA's end-entities page. https://server.example.com:9443/ca/ee/ca/ b. Click the Retrieval tab, and download the CA certificate chain. c. Open the Enterprise Security Client. d. Click the View Certificates button. e.
  • Page 50: Enrolling A New Security Officer

    Chapter 4. Using Security Officer Mode Edit the esc-prefs.js file again, and this time change the esc.security.url parameter to point to the security officer workstation page. pref("esc.security.url","https://server.example.com:7889/cgi-bin/sow/welcome.cgi"); Restart the Enterprise Security Client again. The UI now points to the security officer workstation to allow security officers to enroll tokens for regular users.
  • Page 51 Enrolling a New Security Officer NOTE If the password is stored using the SSHA hash, then any exclamation point (!) and dollar sign ($) characters in the password must be properly escaped for a user to bind successfully to the Enterprise Security Client on Windows XP and Vista systems. •...
  • Page 52: Using Security Officers To Manage Users

    Chapter 4. Using Security Officer Mode 3. Click Enroll My Smartcard. This produces a smart card which contains the certificates needed by the security officer to access the Enterprise Security Client security officer mode, so that regular users can be enrolled and managed within the system.
  • Page 53 Enrolling a New User 3. Click Continue to display the security officer Station page. The client may prompt for the password for the security officer's card (which is required for SSL client authentication) or to select the security officer's signing certificate from the drop-down menu. 4.
  • Page 54 Chapter 4. Using Security Officer Mode 5. Enter the LDAP name of the user who is to receive a new smart card. 6. Click Continue. If the user exists, the Security Officer Confirm User page opens. 7. Compare the information returned in the Enterprise Security Client UI to the person or credentials that are present.
  • Page 55: Performing Other Security Officer Tasks

    Performing Other Security Officer Tasks 4.3.2. Performing Other Security Officer Tasks All of the other operations that can be performed for regular users by a security officer — issuing temporary tokens, re-enrolling tokens, or setting a Phone Home URL — are performed as described in Chapter 3, Using the Enterprise Security Client, after opening the security officer UI.
  • Page 56: Formatting An Existing Security Officer Smart Card

    Chapter 4. Using Security Officer Mode 5. Continue the operation as described in Chapter 3, Using the Enterprise Security Client. 4.3.3. Formatting an Existing Security Officer Smart Card NOTE An e-gate token cannot be formatted on a Windows machine using the Enterprise Security Client.
  • Page 57 Formatting an Existing Security Officer Smart Card 1. Click Format SO Card. Because the security officer card is already inserted, the following screen displays: 2. Click Format to begin the operation. When the card is successfully formatted, the security officer's card values are reset. Another security officer's card must be used to enter security officer mode and perform any further operations.
  • Page 59: Using Keys On Smart Cards For Web And Mail Clients

    Chapter 5. Using Keys on Smart Cards for Web and Mail Clients After a token is enrolled, the token can be used for SSL client authentication and S/MIME email applications. The PKCS #11 module has different names and is located in different directories depending on the operating system.
  • Page 60 Chapter 5. Using Keys on Smart Cards for Web and Mail Clients 3. If the CA is not yet trusted, download and import the CA certificate. a. Open the SSL End Entity page on the CA. For example: https://server.example.com:9443/ca/ee/ca/ b. Click the Retrieval tab, and then click Import CA Certificate Chain. c.
  • Page 61: Using The Certificates On Tokens For Mail Clients

    Using the Certificates on Tokens for Mail Clients 5.2. Using the Certificates on Tokens for Mail Clients To enable S/MIME on mail applications such as Mozilla Thunderbird: 1. In Mozilla Thunderbird, open the Edit menu, and select Account Settings. 2. Select Security on the left. 3.
  • Page 63: Configuring The Enterprise Security Client

    Chapter 6. Configuring the Enterprise Security Client The Enterprise Security Client is now based on Mozilla XULRunner, allowing the preferences facility built into Mozilla to be used for simple configuration of the Enterprise Security Client. A simple UI, discussed in Chapter 3, Using the Enterprise Security Client, manages the most important configuration settings.
  • Page 64 Chapter 6. Configuring the Enterprise Security Client The Enterprise Security Client uses the Mozilla configuration preferences for each of the supported platforms. A default configuration file is located in the following directories on each platform: • On Windows, this is in C:\Program Files\Red Hat\ESC\defaults\preferences\esc-prefs.js.
  • Page 65 About the Preferences Configuration Files ... restrict access to the Enterprise Security Client. Parameter: esc.global.phone.home.url. Description: Sets the URL to use to contact the TPS server. Normally, the Phone Home information is set on the token already through its applet. Notes and Defaults: ("esc.global.phone.home.url", "http://server.example.com:7888/cgi-bin/home/index.cgi");
  • Page 66 When the Enterprise Security Client is launched, it creates a separate, unique profile directory for each user on the system. These profiles are stored in different locations on each platform: • On Windows, this is in C:\Documents and Settings\$USER\Application Data\RedHat\ESC\Profiles\alphanumeric_string.default\prefs.js.
  • Page 67: About The Xul And Javascript Files In The Enterprise Security Client

    About the XUL and JavaScript Files in the Enterprise Security Client Parameter: esc.key.token_ID.phone.home.url. Description: Gives the URL to use to contact the Phone Home functionality for the TPS. Notes and Defaults: ("esc.key.token_ID.phone.home.url" = "http://server.example.com:7888/phone_home/phone_home.cgi?"); The global Phone Home...
  • Page 68: Enterprise Security Client File Locations

    Chapter 6. Configuring the Enterprise Security Client Filename and Purpose: ESC.js Contains most of the Smart Card Manager JavaScript functionality. TRAY.js Contains the tray icon functionality. AdvancedInfo.js Contains the code for the Diagnostics feature. GenericAuth.js Contains the code for the authentication prompt. This prompt is configurable from the TPS server, which requires dynamic processing by the Smart Card Manager.
  • Page 69: Configuring Ssl Connections With The Tps

    Configuring SSL Connections with the TPS File or Directory and Purpose: components/ XPCOM components. chrome/ Directory for Chrome components and additional application files for Enterprise Security Client XUL and JavaScript. defaults/ Enterprise Security Client default preferences. The script which launches the Enterprise Security Client.
  • Page 70: Using Shared Security Databases

    Chapter 6. Configuring the Enterprise Security Client Blank tokens are unformatted, so they do not have an existing Phone Home URL, and the URL must be set manually. Formatted tokens (and tokens can be formatted by the manufacturer or by your IT department) already have the URL set, and thus do not prompt to set the Phone Home URL.
  • Page 71: Customizing The Smart Card Enrollment User Interface

    Customizing the Smart Card Enrollment User Interface 6.4. Customizing the Smart Card Enrollment User Interface The TPS subsystem uses a generic smart card enrollment page which is opened automatically when an uninitialized smart card is inserted. There are actually three pages, depending on the mode in which the client is running: •...
  • Page 72 Chapter 6. Configuring the Enterprise Security Client <link rel=stylesheet href="/esc/home/style.css" type="text/css"> <table width="100%" class="logobar"> <tr> <td> <img alt="" src="/home/logo.jpg"> </td> <td> <p class="headerText">Smartcard Enrollment</p> </td> </tr> </table> Example 6.3. Changing Page Styles The style.css file is a standard CSS file, so all of the tags and classes can be defined as follows: body { background-color: grey;...
  • Page 73 Customizing the Smart Card Enrollment User Interface <title>Enrollment</title> </head> <script type="text/JavaScript" src="/esc/home/util.js"> </script> <body onload="InitializeBindingTable();" onunload="cleanup()"> <progressmeter id="progress-id" hidden="true" align="center"/> <table width="100%" class="logobar"> <tr> <td> <img alt="" src="/home/logo.jpg"> </td> <td> <p class="headerText">Smartcard Enrollment</p> </td> </tr> </table> <table id="BindingTable" width="200px" align="center"> <tr id="HeaderRow">...
  • Page 74: Disabling Ldap Authentication For Token Operations

    Chapter 6. Configuring the Enterprise Security Client 6.5. Disabling LDAP Authentication for Token Operations By default, each user who requests a token operation is authenticated against an LDAP directory. If the user has an entry, then the operation is allowed; if the user does not have an entry, then the operation is rejected.