Gemalto IAS smart card with Microsoft CLM

Application Note
Preface
All information herein is either public information or is the property of and owned solely by Gemalto NV.
and/or its subsidiaries who shall have and keep the sole right to file patent applications or any other kind
of intellectual property protection in connection with such information.
Nothing herein shall be construed as implying or granting to you any rights, by license, grant or
otherwise, under any intellectual and/or industrial property rights of or concerning any of Gemalto’s
information.
This document can be used for informational, non-commercial, internal and personal use only provided
that:
• The copyright notice below, the confidentiality and proprietary legend and this full warning
notice appear in all copies.
• This document shall not be posted on any network computer or broadcast in any media and no
modification of any part of this document shall be made.
Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities.
The information contained in this document is provided “AS IS” without any warranty of any kind. Unless
otherwise expressly agreed in writing, Gemalto makes no warranty as to the value or accuracy of
information contained herein.
The document could include technical inaccuracies or typographical errors. Changes are periodically
added to the information herein. Furthermore, Gemalto reserves the right to make any change or
improvement in the specifications data, information, and the like described herein, at any time.
Gemalto hereby disclaims all warranties and conditions with regard to the information contained
herein, including all implied warranties of merchantability, fitness for a particular purpose, title
and non-infringement. In no event shall Gemalto be liable, whether in contract, tort or otherwise,
for any indirect, special or consequential damages or any damages whatsoever including but not
limited to damages resulting from loss of use, data, profits, revenues, or customers, arising out
of or in connection with the use or performance of information contained in this document.
Gemalto does not and shall not warrant that this product will be resistant to all possible attacks
and shall not incur, and disclaims, any liability in this respect. Even if each product is compliant
with current security standards in force on the date of their design, security mechanisms'
resistance necessarily evolves according to the state of the art in security and notably under the
emergence of new attacks. Under no circumstances, shall Gemalto be held liable for any third
party actions and in particular in case of any successful attack against systems or equipment
incorporating Gemalto products. Gemalto disclaims any liability with respect to security for
direct, indirect, incidental or consequential damages that result from any use of its products. It is
further stressed that independent testing and verification by the person using the product is
particularly encouraged, especially in any application in which defective, incorrect or insecure
functioning could result in damage to persons or property, denial of service or loss of privacy.
© Copyright 2008 Gemalto N.V. All rights reserved. Gemalto and the Gemalto logo are trademarks and
service marks of Gemalto N.V. and/or its subsidiaries and are registered in certain countries. All other
trademarks and service marks, whether registered or not in specific countries, are the property of their
respective owners.
GEMALTO, B.P. 100, 13881 GEMENOS CEDEX, FRANCE.
Tel: +33 (0)4.42.36.50.00 Fax: +33 (0)4.42.36.50.90
February 18, 2009
Contents
Preface
  Who Should Read This Book
  Conventions
  Contact Our Hotline
Overview
  Microsoft's CLM
  Gemalto Smartcard
IAS card with CLM
  Introduction
  Use case overview
  Architecture & requirements
  Main Steps of the configuration
Configuration on the Enrollment machine
  CLM Client
  Smartcard reader
  Middleware installation
  Modification in registry
CLM configuration
  Publish a new Certificate Template
  CLM Template Creation
  Profile details
  Enroll Policy
  Retire policy
Enrollment process
Smartcard logon test
Retire an IAS ECC Smart Card
List of Figures
Figure 1 - Architecture for the Use Case
Figure 2 - IAS Profile Template
Figure 3 - Enroll policy
Figure 4 - Retire policy
Figure 5 - Request a Permanent smart card
Figure 6 - Select the profile template
Figure 7 - Processing
Figure 8 - PIN code
Figure 9 - Processing
Figure 10 - IAS smart card
Figure 11 - Welcome to Windows
Figure 12 - Log on to Windows
Figure 13 - Manage user smart cards
Figure 14 - Insert smart card
Figure 15 - Details of smart card
Figure 16 - Retiring smart card
Figure 17 - Smart card retired
Preface
The Gemalto two-factor authentication solution provides strong authentication based on smart
cards for the enterprise, banking, and internet service provider (ISP) markets.
This solution enables organizations to deploy a strong authentication solution for their end users,
whether local or remote. The system can service a broad range of deployments, from small
corporations with fewer than 100 users to ISPs with potentially millions of users.
Who Should Read This Book
This guide is intended for system administrators who want to provide IAS smart cards to end
users through Microsoft's CLM product. Administrators should be familiar with CLM and should
know PKI and smart card concepts.
Conventions
The following highlighting styles are used in this manual:
• Bold – Instructions, commands, file names, folder names, key names, icons, menus,
menu items, field names, buttons, check boxes, tabs, registry keys and values.
• Italic – Variables that you must replace with a value, book titles, news or emphasized
terms.
In this manual, hyperlinks are marked as described below:
• Internal Links – Displayed in quotation marks. When viewing this book online, click an
internal link to jump to a different section of the book.
• External Links – Displayed in blue, underlined text. When viewing this book online, click
an external link to launch your default browser (or email program) to navigate to that Web
address or compose an email.
In this manual, notes and cautions are marked like this:
Notes: Information that further explains a concept or instruction, tips, and tricks.
Caution: Information that alerts you to potentially severe problems that might result in loss of
data or system failure.
Contact Our Hotline
If you do not find the information you need in this manual, or if you have any questions,
contact our hotline [email protected]
Overview
Microsoft’s CLM
CLM provides an identity assurance management system to maximize the trust and flexibility
associated with digital certificates and smart cards by providing enhanced management
facilities for Windows Server 2003. CLM simplifies the administrative processes required to
convey trust, and ensures distribution of certificates and cards in a secure and structured
manner. The result is a highly configurable and robust registration and management solution
that provides simple deployment, improved manageability, and increased flexibility:
Ease of Deployment
Microsoft CLM is the only Microsoft Windows®-based certificate management solution that
provides turnkey deployment and is designed to require no development work to implement in
an organization. CLM simplifies digital certificate and smart card deployment in the enterprise
environment by using services such as Microsoft Active Directory® directory service and
Windows Server 2003 Certificate Services extensively, providing enterprise customers with
an integrated security solution.
CLM is also able to easily grow with an organization and can scale without requiring software
modifications. As a typical Web application, CLM consists of several layers: database,
business components, and presentation (Web). These layers can be placed on physically
separate servers in various combinations, maximizing deployment flexibility and scalability. In
addition, Network Load Balancing, Windows Clustering, and Application Center technologies
can be used to further facilitate scaling.
Manageability
CLM provides Web-based, policy-driven workflow management that helps organizations
manage administrative and end-user experiences. In addition, the technology lowers the
overall cost of Windows-based digital certificate and smart card infrastructures by providing
tools that automate common administrative functions and enable users to self-administer
common tasks.
By simplifying the administrative processes required to convey trust, CLM ensures distribution
in a secure and structured manner. CLM’s enhanced management facilities for Windows
Server 2003 help administer multiple certificates, multiple certificate authorities (CAs), and
certificates for computers and devices. To reduce administrative overhead, CLM provides a
self-service Web portal for subscribers and managers and temporary cards to solve the
problem of employees forgetting cards at home or other locations.
CLM provides a flexible and transparent way to update card content information, including
adding a new certificate template, renewing certificates, and performing applet management
functions. CLM also includes features to personalize and manage Java applets required to
operate Java cards, allowing organizations to personalize smart cards as part of the
enrollment process and simplify the overall deployment process.
Flexibility
Microsoft CLM offers broad flexibility by giving IT administrators the ability to modify the
certificate and smart card management process and adapt CLM to their organizational policy
requirements and unique infrastructures. CLM is a solution that provides simplified management
and end-user experiences through advanced policy and workflow.
CLM is designed based on the principle that every enterprise is unique, and therefore has
unique security and management requirements. Certificate registration varies greatly with
each organization, and CLM was designed to address this challenge by providing a certificate
registration and management framework that can be used in many different ways when
required.
The remainder of this paper will explore CLM's role in a Smart Card and Digital Certificate
infrastructure from a technical perspective, including:
• The architecture that makes the above benefits possible
• The fundamental applications that CLM interacts with
• How authentication roles and permissions can be centrally managed
• CLM's role in the smart card and certificate lifecycle
Gemalto Smartcard
Gemalto offers a complete family of compatible smart cards, smart card readers,
authentication and secure memory tokens, software, and more. These products are based on
our proven smart card expertise and enable component optimization and integration with
existing hardware infrastructures.
The Gemalto strong authentication portfolio supports current industry standards and provides
solutions that operate in both Java and .NET environments.
List of smart card products:
• TOP Java Card: Trusted Open Platform Java Card
• Classic TPC: For PKI applications
• Classic TPC MDE: Microsoft mini-driver and PKCS#11 support
• IAS TPC: Java Card fully compliant with IAS specifications
• .NET Smart Card: Fully integrated with the Microsoft platform
• .NET Bio smart card: Biometric authentication solution for Microsoft Windows
• Hybrid Card Body: Hybrid card body for converged physical and logical access systems
• Instant Badge Issuance: Smart card badge issuance system compatible with Microsoft ILM & CLM
In this document, we are focusing only on the IAS Smart Card.
IAS card with CLM
Introduction
This document is an example that shows how to use a Gemalto IAS ECC Smart Card with Microsoft
CLM.
Caution:
Consequently, this document should not be considered as an instruction manual
on how to configure your system.
Use case overview
The Use Case shows a basic configuration of CLM: the end user will be able to enroll his IAS
Smartcard himself on the enrollment station. The main interest of this use case is to see how
CLM can handle the IAS ECC Smart card and how it is configured.
By default CLM doesn't handle IAS cards. We will see how to get round this limitation.
Notes: Only these provider names are managed by CLM: Microsoft Smart Card Base CSP,
Axalto, GemPlus GemSafe, SafeSign Identity Client, Aladdin eToken and Siemens HiPath.
Architecture & requirements
Figure 1- Architecture for the Use Case
To have a full infrastructure working you need:
• A Microsoft domain controller based on W2K3
• A Certificate Authority on W2K3
• A Microsoft ILM FP1 server on W2K3
Please note that both the CA and the CLM server are installed on the same machine in our
example.
• The client is a computer running Microsoft Windows XP SP2
  o The Microsoft CLM client available on the server is installed
  o The smart card reader driver is installed
  o Middleware for the IAS card is installed (Classic Client V6)
  o IAS ECC Smartcards (IAM Profile)
• User accounts:
  o An ILM manager account (clmadmin)
  o An ILM user account (marc)
Please note that the user has to have administration rights on the Client in order to install
the ILM client, the MS patch and the smart card reader driver.
Main Steps of the configuration
Firstly, all software mentioned above must be installed correctly and running. The installation
step is not documented here. We will show only the configuration.
In order to prepare the use case, the main steps of the configuration are:
• Enrollment machine configuration:
  o CLM client, middleware, smartcard reader installation.
  o Registry modification in order to link the CLM's Profile Template with
the IAS ECC card.
• CLM Configuration:
  o Publish a new certificate template.
  o Create an ILM profile template with the certificate template just
created.
  o Modify Enrollment and Retirement Policies.
• Enrollment phase: User marc enrolls his IAS Smartcard.
• Do a smartcard logon to check the smartcard is working fine.
• Retire phase: CLM administrator retires the smartcard.
1 Configuration on the Enrollment machine
Caution: Administration rights are required.
CLM Client
The CLM client has to be installed on the Enrollment machine.
Smartcard reader
The Smart Card reader driver must also be installed. Please refer to the Smart card reader
manufacturer in order to install the correct driver. Here we use the Gemalto PC-Twin reader.
You can find the drivers on the website www.gemalto.com.
Middleware installation
You have to install Classic Client V6. Log on as an administrator on the machine in order to
have sufficient privileges to install it. Once installed you can verify your IAS card is correctly
managed by the middleware just installed.
1. Launch the toolbox: Start -> All Programs -> Gemalto -> Classic Client -> Classic
Client Toolbox
2. Insert your IAS smartcard into the reader
3. Click on Card Properties and Next.
4. See the characteristics of your card:
Modification in registry
Modify the registry by importing the .reg file described below. The hex(7) values are
REG_MULTI_SZ strings encoded in UTF-16LE: "CSPs" decodes to "Gemalto Classic Card CSP" and the
three "DLLs" values decode to "GCLIB.DLL".
-------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CLM\v1.0\SmartCardClient\Providers\AsciGemPlus1]
"CSPs"=hex(7):47,00,65,00,6d,00,61,00,6c,00,74,00,6f,00,20,00,43,00,6c,00,61,\
00,73,00,73,00,69,00,63,00,20,00,43,00,61,00,72,00,64,00,20,00,43,00,53,00,\
50,00,00,00,00,00
"DLLs"=hex(7):47,00,43,00,4c,00,49,00,42,00,2e,00,44,00,4c,00,4c,00,00,00,00,\
00
"DLLs_WINDOWS"=hex(7):47,00,43,00,4c,00,49,00,42,00,2e,00,44,00,4c,00,4c,00,00,\
00,00,00
"DLLs_WINNT"=hex(7):47,00,43,00,4c,00,49,00,42,00,2e,00,44,00,4c,00,4c,00,00,\
00,00,00
--------------
Caution:
This modification links the provider name "Gemplus Gemsafe" in CLM to the IAS
middleware. So, if you create a profile template on CLM with "Gemplus
Gemsafe" as provider name, the expected smartcard won't be a GemSafe card
but will be an IAS ECC card. Consequently, the name "Gemplus Gemsafe"
cannot be used for GemSafe or Classic Client cards. We cannot add a new provider
name for IAS at this moment.
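To check what the .reg file above really installs before importing it on an enrollment machine (and to build an equivalent value for another CSP/DLL pair), here is an added example, not Gemalto's or Microsoft's code: it parses hex(7) REG_MULTI_SZ values from a .reg file, decodes them, and re-encodes plain strings in the same format. The registry text embedded in it is copied from this note; the function names are the example's own.

```python
"""Decode and re-encode the hex(7) (REG_MULTI_SZ) values of the CLM provider .reg file.
Added example, not Gemalto or Microsoft code."""
import re

# Registry file from this application note, embedded here as sample input.
REG_TEXT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CLM\v1.0\SmartCardClient\Providers\AsciGemPlus1]
"CSPs"=hex(7):47,00,65,00,6d,00,61,00,6c,00,74,00,6f,00,20,00,43,00,6c,00,61,\
  00,73,00,73,00,69,00,63,00,20,00,43,00,61,00,72,00,64,00,20,00,43,00,53,00,\
  50,00,00,00,00,00
"DLLs"=hex(7):47,00,43,00,4c,00,49,00,42,00,2e,00,44,00,4c,00,4c,00,00,00,00,\
  00
"DLLs_WINDOWS"=hex(7):47,00,43,00,4c,00,49,00,42,00,2e,00,44,00,4c,00,4c,00,00,\
  00,00,00
"DLLs_WINNT"=hex(7):47,00,43,00,4c,00,49,00,42,00,2e,00,44,00,4c,00,4c,00,00,\
  00,00,00
'''

PROVIDER_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CLM\v1.0"
                r"\SmartCardClient\Providers\AsciGemPlus1")

# "Name"=hex(<type>):<comma separated bytes>  (after continuation lines are joined)
_VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"=hex\((?P<type>[0-9a-fA-F]+)\):(?P<data>[0-9a-fA-F,]*)$')


def _join_continuations(text):
    """Merge the lines regedit wraps with a trailing backslash."""
    lines, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        lines.append(pending + line)
        pending = ""
    if pending:
        lines.append(pending)
    return lines


def decode_multi_sz(hex_data):
    """hex(7) byte list -> list of strings (UTF-16LE, NUL separated, double NUL at the end)."""
    raw = bytes(int(h, 16) for h in hex_data.split(",") if h)
    text = raw.decode("utf-16-le")
    return [s for s in text.split("\x00") if s]  # REG_MULTI_SZ cannot hold empty entries


def encode_multi_sz(strings, width=76):
    """Inverse of decode_multi_sz: 'hex(7):..' text wrapped the way regedit exports it."""
    raw = ("\x00".join(strings) + "\x00\x00").encode("utf-16-le")
    lines, cur = [], ""
    for byte_hex in (f"{b:02x}" for b in raw):
        candidate = byte_hex if not cur else f"{cur},{byte_hex}"
        if len(candidate) > width:
            lines.append(cur + ",\\")
            candidate = "  " + byte_hex
        cur = candidate
    lines.append(cur)
    return "hex(7):" + "\n".join(lines)


def parse_reg(text):
    """Return {key: {value_name: [strings]}} for every hex(7) value in a .reg file."""
    result, key = {}, None
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            result.setdefault(key, {})
        elif key is not None:
            m = _VALUE_RE.match(line)
            if m and m.group("type") == "7":
                result[key][m.group("name")] = decode_multi_sz(m.group("data"))
    return result


def clm_provider_mapping():
    """CSP name and middleware DLLs that the note's registry change binds to the provider."""
    values = parse_reg(REG_TEXT)[PROVIDER_KEY]
    dlls = {d for name, strs in values.items() if name.startswith("DLLs") for d in strs}
    return {"csp": values["CSPs"], "dlls": sorted(dlls)}


if __name__ == "__main__":
    for name, strings in parse_reg(REG_TEXT)[PROVIDER_KEY].items():
        print(f"{name}: {strings}")
```

Run it before importing the .reg on a new machine; if the decoded CSP or DLL names differ from the middleware actually installed, CLM will be pointed at the wrong provider.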
Before using client authentication with certificate, we have to generate and store a certificate
within the smartcard from the Enrollment machine.
2 CLM configuration
Publish a new Certificate Template
In our case we have decided to publish the "Smartcard User" certificate template on the
Microsoft CA (this certificate can also be used for a smartcard logon):
1. Log on to the CA Server as administrator.
2. On the server, choose Start -> Administrative Tools.
3. Double click Certification Authority.
4. Under Certification Authority/<Name of the CA>.
5. Right click on Certificate templates.
6. New -> Certificate template to issue.
7. Select "MySmartcard User" from the list. In this case, "MySmartcard User" is a
duplicate of the original "Smartcard User".
8. Click OK.
The new template now appears in the list of available templates in the right panel.
CLM Template Creation
Profile details
Now we are going to create a new “Profile template” under CLM.
1. Connect to the CLM Site and log on as administrator of CLM from the Enrollment
machine (http://ca.iam.solutions.gem/clm).
2. Under Administration click on Manage Profile Template.
3. Select the smartcard profile and click on copy a selected profile template.
4. Enter a new name for the profile template. In our example the name is “IAS
Smartcard Profile Template”.
5. Under Certificate template click on Add a new certificate template.
6. Check the box in front of the name of your CA and then all available certificate
templates appear.
7. Then select “MySmartcard User” and click Add.
The next step is not mandatory, but shows how to allow the use of retired smart cards in
order to reuse a retired smart card.
8. Under Smart card configuration click on Change settings.
9. Then check the box Reuse Retired card.
10. For the Provider Name, select "Gemplus Gemsafe".
11. In the Administrative PIN part, the Administrative PIN initial value is 00000000 in ASCII
(this value could be different); enable Admin PIN Rollover (only the admin PIN of an IAS
ECC card with the IAM profile can be diversified).
12. In the User PIN part, choose 'User provided' for the User PIN Policy.
13. Click OK.
Figure 2- IAS Profile Template
Enroll Policy
The enrollment process is the following one in this case:
1. The user asks for a Permanent smart card.
2. The user has to insert his smart card and enter the new PIN Code.
3. The smart card is ready.
For this, we define an Enrollment policy:
1. On the profile template click on the menu: Enroll policy.
2. Under Workflow: General click on Change general settings.
3. Under Workflow: Initiate Enroll Requests add the CLM Subscriber group: CLM
Users group in this case.
4. No data collection.
Figure 3- Enroll policy
Retire policy
In this case, only CLM managers can revoke cards.
1. On the profile template click on the menu: Retire Policy.
2. Under Workflow: Initiate Retire Requests add the CLM Manager group: Clm
admins in this case.
3. Optional: remove the data collection.
Figure 4- Retire policy
The CLM server is now ready for the use case.
3 Enrollment process
On the enrollment machine, open IE and:
1. Connect to the CLM web site.
2. Log on as marc.
3. Click Request a Permanent smart card.
Figure 5-Request a Permanent smart card
4. Select the profile template: IAS Smart Card Profile Template
Figure 6-Select the profile template
During processing several windows like the following appear.
Figure 7-Processing
7. When the Creating certificate request window appears, enter a new PIN code in
New PIN and Confirm PIN.
8. Click OK.
Figure 8- PIN code
The process continues.
Figure 9-Processing
At the end of processing, the Request Complete window appears:
Figure 10- IAS smart card
The smart card is now ready to use.
4 Smartcard logon test
Let's perform some tests in order to verify that the smart card is OK.
1. Restart the client to display the logon window.
Figure 11-Welcome to Windows
2. When Welcome to Windows appears insert the smart card. The display should
change.
Figure 12-Log on to Windows
You'll be asked for the PIN code. Type it and click OK.
The session is opened; the smart card is functional.
5 Retire an IAS ECC Smart Card
When an employee is leaving the company the card has to be retired from the system. This
operation revokes certificates that are stored in the smart card and also re-initializes the
smart card.
1. Insert the smart card to be retired into the reader.
2. Log on to the ILM administration portal and under Manage User Smart Cards click on
View details of the smart card currently in the reader.
Figure 13-Manage user smart cards
3. The following window appears. You don't need to click OK, just wait a few seconds.
Figure 14-Insert smart card
4. The details of the smart card appear. At the bottom of the window click on Retire this
smart card.
Figure 15-Details of smart card
5. The ILM displays information about the smart card and the actions that will be done
during the retirement process, as shown in the figure below.
6. Click Next.
Figure 16-Retiring smart card
Wait for the process to end.
7. When the processing finishes, the ILM displays a Request complete window. Click on
Main Menu.
Figure 17- smart card retired
The smart card is now ready to be reused and reallocated to a new user.