NetSign CAC Administrator Guide

NetSign CAC
Administrator Guide
Version 5.5
Limitation of Liability
Litronic, its affiliates, and distribution channels are not responsible for any lost, corrupted, or misdirected
data through the use of this product. Litronic warrants this product to be physically free of defects in
manufacturing and workmanship. No other warranties may be implied nor are enforceable according to
international law and authority.
Litronic reserves the right to change specifications of this program at any time without public notice for
purposes of product improvement.
Disclaimer of Warranty
Litronic makes no representation or warranties, either expressed or implied, by or with respect to anything
in this handbook, and shall not be liable for any implied warranties of merchantability and fitness for a
particular purpose or for any indirect, special, or consequential damages. Some states do not allow the
exclusion of incidental or consequential damages, in which case this exclusion may not apply.
Copyright Notice
© 1998 - 2005 Litronic - All rights reserved. No part of this publication may be reproduced, stored in a
retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying,
recording, or otherwise, without the prior written permission of Litronic. No patent liability is assumed with
respect to the use of information contained herein. Further, this publication and the features described
herein are subject to change without notice.
Trademarks
SSP Solutions, SSP-Litronic, the SSP logo, the SSP-Litronic Logo, NetSign, the NetSign Logo,
SecureStart, JCryptOS, SSP, and Profile Manager are trademarks of Litronic in the United States and
other countries.
FORTEZZA is a registered trademark of the United States Government.
All other trademarks are the property of their respective owners.
p7390-41001-04
Fourth Edition March, 2005
Litronic, a Saflink company
17861 Cartwright Road
Irvine, CA 92614 USA
(949) 851-1085
http://www.litronic.com
Contents
Preface............................................................................................................................ vii
Who should read this guide..................................................................................................................... vii
What is in this guide ................................................................................................................................ vii
Typeface Conventions............................................................................................................................. vii
Service and Support................................................................................................................................viii
Chapter 1 Public Key Cryptography Introduction............................................................. 1
Digital Signatures ...................................................................................................................................... 2
Password Based Encryption .....................................................................................................................3
Password Selection................................................................................................................................ 3
Password Location................................................................................................................................. 3
Password Interception............................................................................................................................ 3
Password Duplication............................................................................................................................. 3
Public Key Infrastructure ...........................................................................................................................4
Public Key Enabled ................................................................................................................................ 4
Obtaining a Public Key...........................................................................................................................5
Secure Sockets Layer ............................................................................................................................... 6
Chapter 2 Pre-Installation Configuration......................................................................... 7
Using the NetSign Configuration Wizard................................................................................................... 8
Installation Settings ................................................................................................................................ 9
Product Features Dialog Box ...............................................................................................................12
Policy Settings Dialog Box ...................................................................................................................13
Citrix Server Dialog Box .......................................................................................................................20
Chapter 3 NetSign Installation and Upgrade ................................................................ 21
Installation Requirements........................................................................................................................22
Hardware Requirements ......................................................................................................................22
Software Requirements........................................................................................................................22
Installation Considerations ......................................................................................................................24
Local Installation......................................................................................................................................25
Silent Installation Without User Interaction..............................................................................................29
Remote Installation Using Active Directory Push ....................................................................................30
Installation Requirements.....................................................................................................................30
Overview of the Steps to Push Install with Active Directory.................................................................31
Step 1: Create an Active Directory Organizational Unit .......................................................................32
Step 2: Add MSI Files as Active Directory Packages...........................................................................33
Remote Installation Using SMS Push .....................................................................................................36
Installation Requirements.....................................................................................................................36
Overview of the Steps to Install NetSign by SMS ................................................................................36
Step 1: Create a New Package............................................................................................................37
Step 2: Set the Package Distribution Points ........................................................................................39
Step 3: Create NetSign Package Programs.........................................................................................40
Step 4: Advertise the NetSign Installation Package.............................................................................44
Chapter 4 NetSign Policy Configuration ....................................................................... 51
Local Policy Configuration.......................................................................................................................51
Remote Policy Configuration...................................................................................................................52
Remote Policy Configuration Requirements ........................................................................................52
Setting Up Remote Policy Configuration..............................................................................................52
NetSign Configuration Options................................................................................................................56
Local and Remote Configuration Policy Mapping ................................................................................56
Recommended Policies...........................................................................................................................58
NetSign Policies ......................................................................................................................................59
Smart Card Events...............................................................................................................................59
Certificate Registration.........................................................................................................................60
Outlook Configuration ..........................................................................................................................61
Auto Update .........................................................................................................................................63
PIN Policy.............................................................................................................................................64
Web Links ............................................................................................................................................65
Chapter 5 SSL and Client Authentication ..................................................................... 67
Generating the Certificate Signing Request ............................................................................................68
Requesting the Certificate .......................................................................................................................70
Installing the Certificate........................................................................................................................70
Enforcing SSL Connections ....................................................................................................................71
To enable secure communications with the Web site .........................................................................71
To enforce SSL connections ...............................................................................................................71
Enabling Client Certificate Authentication ...............................................................................................72
Modifying the Registry to Restrict Trusted Certification Authorities .......................................................73
Useful links ..............................................................................................................................................74
Chapter 6 Using NetSign with Citrix.............................................................................. 75
Desktop View vs. Application View .........................................................................................................75
Citrix Products Supported by NetSign.....................................................................................................75
Initial Preparation ....................................................................................................................................76
Configure Windows Domain Controller for Smart Card Logon ............................................................76
Citrix Server Configuration Tasks ........................................................................................................77
Client Computer Configuration Tasks ..................................................................................................80
How NetSign for Citrix is Different...........................................................................................................81
Card Insertion - Windows 2000............................................................................................................81
Card Removal - Windows 2000 ...........................................................................................................81
Windows 2000 Netscape Profile Creation............................................................................................81
Certificate Registration in Netscape.....................................................................................................81
Certificate Registration - CardStart ......................................................................................................81
Launch Browser ...................................................................................................................................82
CardStart in Desktop View ...................................................................................................................82
Auto Unreg on Log off ..........................................................................................................................82
CardStart Required to Implement Policy Changes ..............................................................................82
Saving Diagnostic Information from System Info Tab (Application View Only)....................................82
Internet Browser Fails to Close when Card is Removed......................................................................82
Chapter 7 Using NetSign with Outlook Web Access .................................................... 83
Configuring Exchange Server 2003 for OWA..........................................................................................84
Configuring OWA on User Computers ....................................................................................................85
User Requirements ..............................................................................................................................85
Deploying the OWA S/MIME Control ...................................................................................................85
Setting Up IE Active X Security to Support the S/MIME Control..........................................................86
OWA Problems with Windows XP Service Pack 2..................................................................................87
Problem................................................................................................................................................87
Symptoms ............................................................................................................................................87
Cause...................................................................................................................................................87
Solution ................................................................................................................................................87
Appendix A Uninstall NetSign ........................................................................................ 89
Uninstallation Considerations..................................................................................................................90
Local Uninstall .........................................................................................................................................91
Silent Uninstall Without User Interaction .................................................................................................92
Push Uninstall with Active Directory........................................................................................................93
Push Uninstall with SMS .........................................................................................................................95
Step 1: Obtain the NetSign Program GUID..........................................................................................96
Step 2: Create an Uninstall Package ...................................................................................................97
Step 3: Set up Uninstallation Package Distribution Points...................................................................99
Step 4: Create Programs for the Uninstallation Package...................................................................100
Step 5: Advertise the Uninstallation Package ....................................................................................102
Appendix B NetSign Installation Changes............................................................... 105
Files Added to the Computer by a NetSign Installation.........................................................................105
Certificate Files Added for a NetSign CAC Installation ......................................................................106
Changes to Registry by a NetSign Installation ......................................................................................108
Card Start...........................................................................................................................................108
CRM ...................................................................................................................................................110
Smart Card Reader Interface .............................................................................................................110
NetSign Functions..............................................................................................................................110
Build Version ......................................................................................................................................110
Target Directory .................................................................................................................................111
E-Mail Application ..............................................................................................................................111
Smart Cards .......................................................................................................................................111
Unload DLL ........................................................................................................................................114
Exchange Client Extensions ..............................................................................................................114
GSC BSI.............................................................................................................................................114
GSC Cryptography PKCS#11 ............................................................................................................114
Installer...............................................................................................................................................115
Target Directory .................................................................................................................................115
Appendix C Certificate Installation ......................................................................... 117
Importing Certificates to Netscape ........................................................................................................117
Index ............................................................................................................................ 119
Preface
NetSign CAC is designed to work with the General Services Administration Common Access Card (CAC).
This release of NetSign supports CAC smart cards issued by the Department of Defense (DoD) as
specified by the DoD Access Card Office. Hereafter, NetSign CAC is simply referred to as NetSign.
Who should read this guide
This manual is intended for administrators responsible for installing, configuring and maintaining user
software at their site.
What is in this guide
This manual describes typical administrative tasks to support NetSign in a production environment. Typical
administrative tasks include the following:
• Installing NetSign on user computers
• Configuring NetSign for both the domain and the user systems
• Specifying policy settings that determine how NetSign operates on user computers
• Configuring NetSign to work with supported third-party products
Typeface Conventions
The following list shows typographic and usage conventions of this manual:
Bold: Bold text represents commands, interface buttons, dialog names, and keywords except when they
appear in screen examples or the contents of files.
Blue text: Blue text indicates a hypertext link to another topic within the manual or a web site.
Italic text: Italic text represents user-specified values.
Monospace: Monospace text indicates the contents of files, text entered on a screen, file names, directory
paths or output shown on the screen.
Monospace italic: Monospace italic text represents user-specified values that are entered as the contents
of files, keyboard input or the output shown on the screen.
Service and Support
Any modifications, repairs or customization to NetSign must be performed by qualified personnel. Report
your NetSign issues to a Litronic customer support engineer at:
Litronic Support Web Site: http://www.litronic.com/support/
Litronic Support E-mail: [email protected]
If you do not have access to the internet, contact a customer support engineer at one of the following
Litronic locations:
West Coast (Irvine, CA)
Phone: (949) 851-1085
Fax: (949) 851-8588
East Coast (Reston, VA)
Phone: (703) 905-9700
Fax: (703) 905-9777
Chapter 1 Public Key Cryptography Introduction
As more and more people use the Internet to conduct business, the issues of preventing fraud, protecting
confidential information, and ensuring information legitimacy become critical. Digital signatures,
password-based encryption, Public Key Security, Secure Sockets Layer (SSL), the leading security
protocol on the Internet, and smart cards are secure and dependable means of addressing these issues.
NetSign provides the most secure and flexible way of using these security methods.
Digital Signatures
Digital signatures provide the same benefit for electronic documents that physical signatures provide for
paper documents. The digital signature verifies that a document is official and identifies the originator of
the document. Digital signatures also guard against document tampering.
A digital signature is only useful if its creation is limited to its proper owner. In order to create a digital
signature, the owner must possess a digital ID, also known as a digital certificate, issued by a trusted
organization. The trusted organization, also known as a Certificate Authority (CA), is given the
responsibility of verifying the identity of the proper owner before a digital ID is issued. As long as the
issuing organization is trusted, the authenticity of the digital signature can also be trusted.
When an e-mail or document is sent, the sender may select the option of digitally signing the
correspondence. The information from the sender’s digital ID, which may include the sender’s name,
company, e-mail address, and the issuing certificate authority, is incorporated into the digital signature.
This digital signature is then attached to the e-mail. The digital signature acts as a sealed envelope around
the e-mail message. For someone to gain unauthorized access to the content of the message, they must
first break the seal, which alters the digital signature, and open the envelope. An altered digital signature
offers evidence of message tampering.
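Added example (not part of the Litronic guide or of NetSign's own code): a small Go program that performs the signing and verification the section describes, using ECDSA over P-256 from Go's standard library. It binds the signer's identity fields into the signed digest, so the identity presented with the signature cannot be changed any more than the message can, and it shows that altering one character of the message, one identity field, or one byte of the signature makes verification fail. The SignerID type, the identity values and the sample message are constructed for this example; a real digital ID is an X.509 certificate, and with NetSign the private key would live on the smart card rather than in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignerID models the identity fields the guide says a digital ID carries
// (name, company, e-mail address, issuing CA). It is a constructed stand-in
// for a certificate, not the X.509 structure NetSign actually uses.
type SignerID struct {
	Name, Company, Email, IssuingCA string
}

// NewSigner generates a fresh P-256 key pair. In a real deployment the private
// key is held on the smart card; here it stays in memory for the demonstration.
func NewSigner() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// digest hashes the identity fields together with the message, so a signature
// covers both: the message cannot be altered and the stated identity cannot be
// swapped without the verification failing.
func digest(id SignerID, message []byte) []byte {
	h := sha256.New()
	for _, field := range []string{id.Name, id.Company, id.Email, id.IssuingCA} {
		h.Write([]byte(field))
		h.Write([]byte{0}) // separator so adjacent fields cannot run together
	}
	h.Write(message)
	return h.Sum(nil)
}

// SignMessage produces a DER-encoded ECDSA signature over the digest.
func SignMessage(priv *ecdsa.PrivateKey, id SignerID, message []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, digest(id, message))
}

// VerifyMessage reports whether sig is a valid signature by pub over the given
// identity and message. Any change to the message, the identity fields or the
// signature bytes makes it return false.
func VerifyMessage(pub *ecdsa.PublicKey, id SignerID, message, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(id, message), sig)
}

func main() {
	priv, err := NewSigner()
	if err != nil {
		panic(err)
	}
	// Constructed sample identity and message.
	id := SignerID{"A. Example", "Example Org", "a.example@example.org", "Example CA"}
	msg := []byte("Approve purchase order 4711")

	sig, err := SignMessage(priv, id, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("original verifies:", VerifyMessage(&priv.PublicKey, id, msg, sig))

	tampered := append([]byte{}, msg...)
	tampered[len(tampered)-1] = '2' // "4711" becomes "4712"
	fmt.Println("tampered message verifies:", VerifyMessage(&priv.PublicKey, id, tampered, sig))

	other := id
	other.Email = "other@example.org"
	fmt.Println("changed identity verifies:", VerifyMessage(&priv.PublicKey, other, msg, sig))
}
```

The verification step is what a mail client performs when it shows a signed message as valid; the public key used for VerifyMessage is the one carried in the sender's certificate, and the trust in that certificate comes from the issuing CA as the section explains.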
Password Based Encryption
Passwords have traditionally been used to limit computer access and protect files and data. Passwords
are the keys by which encryption programs are accessed to scramble data and make it unreadable. The
same password is often used as the key for the encryption program that unscrambles the data. Although
quite functional, password-based security can be made insecure by several contributing factors.
Password Selection
Passwords are often chosen that are personal and easy to remember. These passwords can be easily
guessed or obtained.
Password Location
Passwords are often written down and stored near the computer. These passwords are very easily
obtained.
Password Interception
When encrypted documents are shared using a symmetric key (one key used to both encrypt and decrypt the
data), the password must be given to both sender and receiver so the documents can be read. These
passwords may be intercepted.
Password Duplication
When the same password is used for all documents, allowing access to one document allows access to all
documents. These passwords are often misused.
Public Key Infrastructure
Many programs supporting the Department of Defense (DoD) missions require security services, such as
authentication, confidentiality, non-repudiation, and access control. To help address these security
problems, the DoD developed a Public Key Infrastructure (PKI). The DoD PKI provides products and
services that enhance the security of networked information systems and facilitate digital signatures.
Public Key Enabled
Applications must be enabled to take advantage of the services offered by a PKI. Without enabled
applications, the infrastructure holds little value. It is essential that applications become enabled and use
the infrastructure. However, enabling the applications is a complicated task. Applications must be tested to
ensure they are enabled correctly, interoperable, and leave no security holes.
Litronic integrates the following PKE applications with NetSign:
• SecretAgent
• Kyberpass
• Evincible Ink
SecretAgent
SecretAgent is a multi-purpose file encryption and digital signature utility – the perfect solution for data
encryption and authentication needs. SecretAgent can utilize smart card technology. SecretAgent includes
macros for Microsoft Office applications and integrates into the most popular e-mail clients. Other features
include support of X.509 certificates, automated file security, self-decrypting archives, and key recovery
support.
Kyberpass
Enterprise TrustPlatform and the Kyberpass Corporation K2 Client Software create a secure telnet, FTP,
MS networking, e-mail, and SSL-based VPN environment.
Validation TrustPlatform is a scalable Online Certificate Status Protocol (OCSP) responder that can
support both OCSP and Certificate Revocation List (CRL) Certificate Status Checking for a wide variety of
Certificate Authorities and Directories.
Web Access TrustPlatform includes the Kyberpass K2 Trust Agent Plug-in, which is a plug-in supported by
standard web browsers that can be invoked to digitally sign HTML forms. The signing process is invoked
by an HTTP tag or a downloadable Java applet that stands between web application servers and user web
browsers. The user does not need a separate client, only an SSLv3 web browser.
Evincible Ink
Evincible Ink is a comprehensive signing solution for electronic forms, typically in HTML or Adobe format.
The solution components include a Signing Application, a policy-based workflow, a management console,
and a non-repudiation database. Users access and fill in forms using a standard web browser. The
solution’s signing tool signs the forms, either electronically or digitally. The Evincible Ink server implements
signature validation and certificate verification using OCSP or CRL. The solution’s management console
allows administrators to define signature and workflow policies. The solution’s non-repudiation database is
tamper-evident and provides an audit journal for all signed forms.
Public Key Security
Public Key Security is an excellent addition to password-based systems. Public Key Security is made up of
a public key and a private key. The public key is used to encrypt information and the private key is used to
decrypt information. A Certificate Authority uses the public/private key pair as part of the digital ID or digital
certificate. Once information is encrypted using a public key, only the private key of the unique key pair can
decrypt that information.
To send an encrypted document or e-mail message, the sender must have the recipient’s public key to
encrypt the document. The recipient decrypts the document or e-mail message using the matching private
key.
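Added example (not part of the guide or of NetSign): Go code for the sender/recipient exchange described above. Because RSA can only encrypt a short block directly, it does what S/MIME and similar formats do: the message body is encrypted with a fresh AES-256-GCM key, and that key is encrypted with the recipient's RSA public key using RSA-OAEP. The Envelope type, the "content-key" label and the sample message are assumptions of this example. Opening the envelope with any private key other than the recipient's, or after the ciphertext has been modified, returns an error instead of plaintext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is what the sender hands to the recipient: the symmetric content
// key wrapped under the recipient's public key, plus the nonce and ciphertext
// of the message itself. The layout is constructed for this example; it is a
// simplified version of an S/MIME enveloped message, not NetSign's format.
type Envelope struct {
	WrappedKey []byte // content key encrypted with RSA-OAEP under the recipient's public key
	Nonce      []byte // AES-GCM nonce, unique per message
	Ciphertext []byte // AES-GCM output, authentication tag included
}

// NewRecipientKey generates the recipient's RSA key pair. Only the public half
// is ever shared (via a signed message or a CA directory, as the guide
// explains); the private half stays with the recipient, on the smart card in
// NetSign's case.
func NewRecipientKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal encrypts message for the holder of pub. A fresh 256-bit AES key protects
// the message body; RSA-OAEP protects that key, so the public-key operation is
// performed once regardless of message size.
func Seal(pub *rsa.PublicKey, message []byte) (*Envelope, error) {
	contentKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, contentKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, message, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, contentKey, []byte("content-key"))
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Open reverses Seal. It returns an error, never wrong plaintext, when priv is
// not the key matching the public key the sender used, or when the ciphertext
// was modified in transit (the GCM tag check fails).
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, []byte("content-key"))
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	recipient, err := NewRecipientKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample message.
	env, err := Seal(&recipient.PublicKey, []byte("confidential: Q3 forecast attached"))
	if err != nil {
		panic(err)
	}
	plain, err := Open(recipient, env)
	fmt.Printf("recipient opens: %q (err=%v)\n", plain, err)

	bystander, _ := NewRecipientKey()
	_, err = Open(bystander, env)
	fmt.Println("unrelated private key opens:", err == nil)
}
```

The sender needs nothing secret, only the recipient's public key, which is why the guide stresses obtaining it from a trusted source: a sender who is given the wrong public key will seal the message for whoever holds the matching private key.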
Obtaining a Public Key
There are several ways to obtain a user’s public key:
• Public keys are incorporated into a digital signature
• Public keys are maintained in directory listings
Public keys are incorporated into a digital signature
A person sends a digitally signed e-mail message. This sends their public key to your e-mail program. This
is the easiest way to acquire someone’s public key. By clicking on the sender’s e-mail message, public key
information is added to your address book.
Public keys are maintained in directory listings
Certificate Authorities frequently maintain directories on the Internet that contain the public keys of the
users to whom they have issued digital certificates. In order to access public keys using this method,
knowledge of the issuing Certificate Authority is required.
Secure Sockets Layer
Secure Sockets Layer (SSL) is an open, non-proprietary security protocol developed by Netscape. The
design of SSL uses a public key to encrypt data that will be transmitted over the SSL connection. SSL is
ideal for sending confidential information, such as credit card information, over the Internet.
SSL can also be used to authenticate the server's identity, protect message integrity, and authenticate client TCP/IP connections.
Netscape, Internet Explorer, and many websites support SSL. URLs requiring SSL connections will start
with https:// rather than http://.
Smart Cards
Smart cards resemble magnetic stripe credit cards, but are considered “smart” because they contain a tiny
silicon chip. The chip, which is built right into the card, allows the card to be used for many purposes
beyond that of the magnetic stripe card. Smart cards are virtually impossible to replicate; data stored on
the card is extremely secure and more protected than the information stored on a magnetic stripe card.
Currently, NetSign smart cards can hold two or more digital IDs, making them more convenient than any
other card offered.
NetSign provides an additional level of security over digital signatures and encryption by storing the digital
IDs (including the private key) on a smart card rather than on the computer.
This offers “two-factor authentication”, which means that in order to send a signed e-mail or read an
encrypted document, you must supply:
• Something you have – the smart card itself
• Something you know – the PIN required to access the smart card.
This prevents unauthorized access to your computer, unauthorized sending of digitally signed e-mail, and
unauthorized reading of confidential e-mail.
Chapter 2 Pre-Installation Configuration
The NetSign product CD provides the NetSign Configuration Wizard. Administrators use the wizard to
assign values to configuration options. The specified values determine how NetSign is installed and
configured on the user’s computer. By applying the same configuration values during installation, an
administrator can ensure a consistent NetSign implementation for all users.
Typically, administrators copy an image of the NetSign product CD to disk. Administrators run the NetSign
Configuration Wizard and save their configuration changes. Then, the product image is burned to another
CD containing the custom configuration values, or simply placed in an accessible network location.
The NetSign Configuration Wizard consists of four dialog boxes that include options to assign values that
are saved in the NetSignConfig.ini file:
• Install Settings Window on page 9
• Product Features Window on page 12
• Policy Settings Window on page 13
• Citrix Server Windows on page 20
The NetSign Configuration Wizard steps through each dialog box in sequence and then updates the
NetSignConfig.ini file. A Save As dialog box appears so that you can specify an alternative file name and
directory location. By default, the NetSignConfig.ini file is saved in the admin directory of the
NetSign CD image under its original name. For NetSign’s push or silent installation methods, the file must be
manually moved to the CD image’s temp directory, where it overwrites the original NetSignConfig.ini file.
Refer to the procedure on page 8 for instructions to run the NetSign Configuration Wizard to update the
NetSignConfig.ini file for the local, silent or push installation methods.
Important:
Do not manually edit the NetSignConfig.ini file to change its values. All file settings should be made
through the NetSign Configuration Wizard. Because the silent and push methods take every installation and
policy setting from this file without asking the person installing, keep the CD image or network share that
holds it writable by administrators only.
Using the NetSign Configuration Wizard
The following procedure explains how to run the NetSign Configuration Wizard and update the
NetSignConfig.ini file with your changes before installing NetSign.
1. Copy the NetSign CD image to disk.
2. Using Windows Explorer, change to the admin directory of the NetSign CD image.
You should see the NsConfigWizard.exe file.
3. Double-click on NsConfigWizard.exe to start the wizard.
The Install Settings dialog box appears, as shown on page 9.
4. Assign values to the fields shown in the dialog box.
All fields of the Wizard’s dialog boxes are described in the following sections of this chapter.
5. Click Next to continue to the next dialog box after you finish entering your changes in the current
dialog.
6. Click Finish from the final Citrix Server dialog box to end the wizard.
The values you entered in the dialog boxes are written to the NetSignConfig.ini file.
A Save As dialog box appears to specify an alternative name and directory location for the
NetSignConfig.ini file. If the configuration wizard was run from a CD image on disk and you
accept the default values, the NetSignConfig.ini file is saved in the NetSign_home\admin
directory with its original name.
If the NsConfigWizard.exe file is run from the original NetSign product CD, the
NetSignConfig.ini file is saved in the local computer’s ...\Windows\temp directory.
7. Accept the default values, or assign an alternative file name and directory location.
8. Click Save from the Save As dialog box.
9. If necessary, move the updated NetSignConfig.ini file to the \temp subdirectory of the NetSign
CD image and overwrite the original NetSignConfig.ini file.
Installation Type          Directory to Place Updated NetSignConfig.ini File
Local                      Not required. Choose the custom installation method to set
                           configuration values during the installation procedure.
Silent                     ..\NetSign_home\temp directory of the NetSign CD image
Active Directory Push      ..\NetSign_home\temp directory of the NetSign CD image
SMS Push                   ..\NetSign_home\temp directory of the NetSign CD image
Installation Settings
The NetSign Configuration Wizard dialog box provides options that determine how NetSign will be
installed on user computers. The example below shows the default installation values.
Fields
Description
Target Path
The Target path field specifies the directory location in which NetSign will be installed
on the target computer(s).
Default Value: C:\Program Files\Litronic\NetSign
Note:
The installation path must be valid for all computers that will have NetSign installed by
either the SMS or Active Directory push methods.
Use existing target path when upgrading
If this check box is selected, NetSign is installed into the same directory of an earlier
version during an upgrade to Version 5.5. If unchecked, NetSign is installed into the
directory specified from the Target Path field described above.
Default Value:
Install the NetSign Version 5.5 upgrade into the same directory where an earlier version
of NetSign is currently installed.
Push install
The Push install field specifies that NetSign will be installed by the Active Directory or
SMS push methods. This option must be selected if you will be installing NetSign by
either push method.
Default Value: No push installation
Note:
See the example of the NetSign Configuration Wizard dialog box on page 11 that
shows how all other installation options are set when the Push install option has been
selected.
Check Web Browser Version
If these fields are selected, the NetSign installer verifies if Netscape or Internet Explorer
(IE) web browsers installed on the target computer are within the permissible
minimum/maximum version ranges.
• Internet Explorer: Version 5.5 and above
• Netscape minimum version: Version 4.76
• Netscape maximum version: Version 7.2
The NetSign installer issues a warning message if the version of the installed web
browser is outside of the permissible version range for each browser.
Default Values:
• Internet Explorer checking for a minimum version of 5.5 and above
• No Netscape version checking
Note:
Web browser version checking becomes inactive when the Push install option has
been selected.
Key Strength
If the Check cipher strength field is selected, the installer checks the web browser’s
encryption key length and compares it to the value set from the Minimum field
drop-down list. The installation stops if the web browser does not meet the minimum key
strength. This catches browsers still limited to export-grade 40- or 56-bit ciphers, which
cannot adequately protect the SSL sessions the card’s certificates are used for.
Default Value: 128 bits
Note:
Web browser key strength checking becomes inactive when the Push install option
has been selected.
Install Root Certificates
If these fields are selected, DoD root and intermediate certificates are installed during
the NetSign CAC installation.
Default Values:
• Root certificates are installed for Internet Explorer and Netscape
Note:
The NetSign Configuration Wizard sets a flag when Netscape root certificates have
been selected. The flag indicates to the NetSign installer to run nsreg.exe to register
root certificates to a Netscape Version 4.76 web browser. The NetSign CAC installer
ignores the request to install Netscape certificates when the option to install Netscape
certificates is set to inactive.
You can manually register root certificates to Netscape Version 4.76 after installation by
running nsreg.exe, which is located in the home directory of the NetSign CAC CD
image.
Reader
If the Check for Reader option is selected, the installer verifies if a card reader is
currently attached to the computer where NetSign will be installed. The installer issues
a warning message about the limited capabilities of NetSign if a card reader is not
detected.
Default Value: Check for a card reader during installation
Note:
Card reader checking becomes inactive when the Push install option has been
selected.
Release Notes
If the Display Release Notes check box is selected, a dialog box appears after NetSign has
been installed and asks the person performing the installation whether the Release Notes
should be displayed. That person clicks Yes or No in the dialog box to display the Release
Notes or skip them.
Default Value: Display Release Notes
Note:
The silent and push installation methods ignore the Release Notes value and never
display the Display Release Notes dialog box during an installation.
Example of Install Settings Values for a Push Installation
The following screen shot shows the values that are set from the NetSign Configuration Wizard dialog
box to install NetSign by a push installation method.
The Push install option should be selected and all other options that perform any sort of checking during
the installation are set automatically to inactive. The option to upgrade NetSign Version 5.5 into the
existing directory of an earlier version can be active or inactive depending upon site preferences.
Product Features Dialog Box
The Product Features dialog box includes options to specify which NetSign functions will be installed on
the computer and be accessible to users without administrator privileges. It also includes options to specify
alternative addresses for NetSign’s technical support and product feedback web sites.
Fields
Description
Application
The Application field lists NetSign functions that will be available to the user from the
product window.
Default Values:
Users have access to all functions available from the main NetSign window, as shown in
the following screen shot.
Note:
Consider removing Policies if you do not want users to attempt to modify the configuration
options installed with NetSign. Removing it only hides the policy editor from the product
window; it is not an access control by itself. Changing most policies still requires
administrator authority, with the exception of the card insertion and removal actions when the
Allow user to override insertion/deletion events policy is active.
Web Links
These fields show the default URLs to the Litronic feedback and technical support web
pages. If the Override web link check boxes are selected, alternative URLs can be
specified.
Default Values:
• Technical Support:
http://www.litronic.com/support/
Note:
This URL is invoked by clicking Web Support from the NetSign System Info page.
• Product Feedback:
http://www.litronic.com/products/netsigncac/feature_request.php
Note:
This URL is invoked by clicking Feedback from the initial NetSign page. The figure
above shows the Feedback option from NetSign’s initial page.
Policy Settings Dialog Box
The Policy Settings dialog box includes options to specify how NetSign operates with smart cards,
certificates, Outlook and the user’s PIN.
Note:
This section describes the configuration options that are set when NetSign is installed. Refer to
“Chapter 4 NetSign Policy Configuration” on page 51, which explains how to modify these same configuration
values after NetSign has been installed.
Action to perform when a smart card is inserted
This option specifies the action taken by the computer after a smart card is inserted into the reader. The
choices are:
• Launch Application
This option starts a specified application when a smart card is inserted. The application’s executable file
name is entered in the Application or Web address field. Use the browse (...) button to navigate to the
application’s executable file and select it.
• Launch Browser
This option starts the web browser. If you select this option, you must specify the URL of the target web
site in the Application or Web address field.
• Launch E-mail
This option automatically launches the user’s default e-mail application.
• No action performed
No action is performed after a smart card is inserted.
Default Value: No action performed
Action to Perform when a smart card is removed
This option specifies the action taken by the computer after the user removes a smart card from the
reader. The choices are:
• Close launched application
This option stops the application that was initially started when a smart card was inserted.
• Launch Application
This option starts a specified application when a smart card is removed. Use the browse (...) button to
navigate to the application’s executable file and select it.
• Log off from Windows
This option logs off the current user and the computer displays the initial Windows log on screen.
• Lock Workstation
This option locks the computer when the smart card is removed from the card reader. The computer is
unlocked by inserting the smart card back into the reader and entering the PIN.
Note:
Only computers running Windows 2000 or Windows XP can be locked.
• No action performed
No action is performed after a smart card is removed from the reader.
Default Value: No action performed
Allow user to override insertion/deletion events
This option allows users without administrator privileges to override the policies specified by the
Action to perform when the smart card is inserted and Action to perform when the smart card
is removed fields. Changing any other NetSign policy still requires administrator authority.
Default Value: Non-administrators can override the policies set from the card insertion and removal fields.
Because the insertion and removal actions can start an arbitrary executable, sites that restrict which
programs users may run should consider clearing this option so that only administrators can set them.
Certificate Registration
This field contains policy options that determine how NetSign handles certificates on the user’s smart card.
• Auto-register certificates for IE
When this item is checked, certificates are automatically registered with the Microsoft Certificate store
after the smart card is inserted. This policy must be enabled if you are going to enable Auto-register
certificates with Outlook under Outlook AutoConfigure.
The Microsoft Certificate Store is used to store certificates for CAPI-based applications. This includes
Internet Explorer, Outlook, Outlook Express, Windows 2000 Logon, some VPNs, and other applications.
The setting for the Action to perform when a smart card is inserted field does not affect this setting.
Default Value: Auto-register certificates for IE
Important:
Windows XP and Windows 2003 Server automatically register smart card logon certificates with the
Microsoft certificate store after a card is inserted in the reader. With either operating system certificates
are registered automatically, regardless of the value set for this option.
• Auto UnReg on LogOff
When this option is checked, CAC identity, signing, and encryption certificates are removed from the
Microsoft Certificate Store under the user’s personal section at Windows log off. This policy option is
useful for a computer that is shared by several users.
Default Value: Do not Auto-unregister certificates at log off
• Auto Unreg on Removal
When this option is selected, CAC identity, signing, and encryption certificates are removed from the
Microsoft Certificate Store under the user’s personal section when the card is removed from the reader.
Default Value: Do not Auto-unregister certificates when the smart card is removed from the reader
• Cache certificates
Copies of certificates on the user’s smart card are stored locally on the computer to improve
performance. Otherwise, certificates are read directly from the card inserted in the reader. Typically, you
should cache certificates to improve performance.
Default Value: Do not cache certificates
Exceptions when certificates should not be cached include:
• When used in conjunction with Auto UnReg to remove traces that a card was used on a system.
• A card is registering the wrong certificate due to a problem with the cache.
Outlook AutoConfigure
This field contains a set of options to configure NetSign to work with the Outlook e-mail program. When
this option is selected, certificates registered from the user’s smart card are automatically set for use with
Outlook.
When an AutoConfigure setting is selected, it overrides values set in the user’s Outlook profile each time
certificates are registered with IE. This prevents users from modifying settings that should not be changed.
Additionally, if your domain is configured to push registry settings to end-user computers, you can change
all end users' configurations automatically. AutoConfigure allows you to force each of the following Outlook
settings to ON, OFF, or No Override:
• Sign Email
This option automatically adds the user’s digital signature to outgoing messages.
Default Value: No override
• Clear Text Signing
This option sends e-mail messages with digital signatures in clear text.
Default Value: No override
• Encrypt Email
This option encrypts the contents and attachments of the user’s outgoing messages.
Default Value: No override
• Secure Receipt
This option automatically requests a return receipt for all S/MIME signed outgoing e-mail messages. The
receipt appears in the sender’s Outlook Inbox after the message was delivered and opened. The receipt
confirms that a sent message was received unaltered and also provides information about who opened
the message.
This feature applies only to Outlook XP or Outlook 2003.
Default Value: No override
• Publish to GAL
If the Publish to GAL option is selected, the user's certificates are automatically published to the Outlook
Global Address List (GAL) when registering certificates. This option requires both the Auto-register
certificates with Outlook and Auto-register Certificates for IE options to be selected.
Default Value: Do not publish to the GAL
• Auto Decrypt
If the Auto Decrypt policy has been selected, Outlook automatically decrypts incoming e-mail messages.
Auto Decrypt is not suitable for all users. If users receive encrypted e-mail because the messages must stay
protected wherever they are stored, Auto Decrypt is not appropriate: a message that Outlook decrypts
automatically is no longer protected by the card’s encryption key once it has been stored.
The Auto Decrypt feature only works with Outlook. It does not work with Outlook Express or Netscape.
Default Value: Do not auto decrypt incoming e-mail messages
• Auto Contact
If Auto contact policy has been selected, the contact is automatically added to the user’s address book
after receiving a signed message. This gives users the capability of sending an encrypted e-mail
message to anyone who has previously sent them a signed message.
Auto contact makes working with encrypted e-mail in Outlook easier for most users. Typically, Outlook
users need somebody to send them a signed e-mail message before they can send an encrypted e-mail
to the person who sent the original signed message. Then, they need to add the contact to their address
book in order to get their certificate. This is difficult to understand for most users. Not only does it require
training for the users, but it is also inconvenient. Auto Contact reduces administrative work.
Auto Contact also provides an extra security measure. If an end user receives two different signing
certificates from the same e-mail return address, Auto Contact warns the end user of a possible security
violation and shows both certificates. The user then chooses which one to trust. Take, for example, three
individuals A, B, and C. A and B communicate regularly with signed and encrypted e-mails. C is an attacker
who wants to impersonate A and has managed to obtain a certificate in A’s name from a CA that B trusts.
C sends a signed e-mail to B. Normally B would open C’s e-mail (purporting to come from A), see a valid
signature indicator on the e-mail, and trust it even though it came from C. With Auto Contact enabled,
B would open C’s e-mail and a dialog would warn B of a possible danger. B would examine the certificates,
notice the difference, and either distrust C’s e-mail and notify a security officer or contact A by phone
and ask about the change in certificates.
Note that the comparison only helps once B already holds A’s genuine certificate: the first signed message
from an address is accepted without a comparison, so the warning detects a change of certificate, not a
first contact from an impostor.
Auto Contact only works for Outlook. It does not work with Outlook Express or Netscape.
Default Value: Do not automatically add contacts to the user’s Outlook address book
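The certificate-change check that Auto Contact performs, modelled in Python as an added example (this is not NetSign or Litronic code). It assumes Outlook has already validated the S/MIME signature, that contacts are keyed by sender address, and that two certificates count as the same when their fingerprints match; the certificate bytes are constructed stand-ins, not real X.509 data.

```python
"""Model of the Auto Contact certificate-change warning.

Added example; not part of NetSign. Assumptions: the S/MIME signature has
already been validated by Outlook, contacts are keyed by sender address,
and two certificates are 'the same' when their DER fingerprints match.
The certificate bytes below are constructed stand-ins, not real X.509.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class SignerCert:
    subject: str
    issuer: str
    der: bytes  # constructed placeholder for the DER-encoded certificate

    @property
    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()


class ContactStore:
    """Address book entries added automatically from signed mail."""

    def __init__(self):
        self._certs = {}  # sender address (lower-cased) -> SignerCert

    def on_signed_message(self, sender: str, cert: SignerCert):
        """Process a signed message; returns (verdict, stored_cert, new_cert).

        'added'    first signed mail from this address: trusted on first use
        'known'    same certificate as before: nothing to do
        'conflict' a different certificate claims the same address: warn the
                   user and show both; the stored one is not replaced
        """
        key = sender.lower()
        known = self._certs.get(key)
        if known is None:
            self._certs[key] = cert
            return ("added", None, cert)
        if known.fingerprint == cert.fingerprint:
            return ("known", known, cert)
        return ("conflict", known, cert)

    def trust(self, sender: str, cert: SignerCert) -> None:
        """The user chose which certificate to trust after a conflict."""
        self._certs[sender.lower()] = cert

    def encryption_cert_for(self, recipient: str):
        """Certificate Outlook would use to encrypt to this recipient."""
        return self._certs.get(recipient.lower())


def run_scenario():
    """The A/B/C example from the guide, as seen from B's mailbox."""
    book = ContactStore()
    a_cert = SignerCert("CN=A", "CN=Trusted CA", b"constructed-cert-A-genuine")
    # C obtained a certificate in A's name from a CA that B's mail client
    # trusts, so the signature on C's message verifies as valid.
    c_cert = SignerCert("CN=A", "CN=Trusted CA", b"constructed-cert-A-forged-by-C")

    first = book.on_signed_message("a@example.mil", a_cert)[0]    # 'added'
    repeat = book.on_signed_message("A@example.mil", a_cert)[0]   # 'known'
    verdict, stored, offered = book.on_signed_message("a@example.mil", c_cert)
    # Until B decides, B keeps encrypting to the certificate already on file.
    still_a = book.encryption_cert_for("a@example.mil") is a_cert
    return first, repeat, verdict, stored is a_cert, offered is c_cert, still_a
```

The model makes the limitation explicit: the first certificate seen for an address is trusted without any comparison, so the store has to be seeded with a genuine certificate before the conflict branch can protect anyone.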
Auto Update
If the Auto Update option is selected, NetSign periodically checks a web server for NetSign updates and
installs them on the client computer.
Default Value: The Auto Update feature is inactive
If you select Auto Update and then click Advanced, the Advanced Options dialog box appears to set values
in the fields shown in the following example.
• Auto Update Mode
This field contains a drop-down list to specify how the update will be downloaded and installed on a
client computer running NetSign. The choices from the drop-down list are:
AUTO
Updates are downloaded and installed without user intervention. Users see a
pop-up message that indicates an update is being installed on their computers.
MANUAL
Auto Update runs only when the user requests a NetSign update by selecting the
Update Now option from the Card Start menu.
Default Value: Manual mode
• Auto Update Interval
The length (hours) of the interval in which the client computer polls the server to see if a new NetSign
patch is available. The patch polling request occurs on the hour. For example, a value of 4 sets a polling
request to the server every 4 hours on the hour.
Default Value: 24 hours
• Web Server
The DNS name of the web server hosting the Auto Update Server where NetSign patches are located.
Default Value: None
• Virtual Directory
The directory on the web server where Auto Update patches reside. The Browse button displays the
Open dialog box to navigate to the directory where the NetSign update files are located.
Default Value: None
• Auto Update Certificate
This is the certificate, or the root of the certificate chain, used to sign the patches; the client uses it
to verify the signature on downloaded patches. The Browse button displays the Open dialog box to navigate
to the directory where the certificate file is located. Treat this certificate as the trust anchor of the
update channel: use one under your own control and protect its private key, since whoever can sign with it
can deliver code to every client that polls the server.
Default Value: None
PIN Policy
This field contains a set of options that specify how often the user must enter a PIN when accessing
applications. The field also contains options that determine how often users must change their PIN.
• PIN Cache Mode
The PIN Cache Mode drop-down list provides three PIN cache mode options:
PIN Once
A PIN must be entered once for each use of an application.
PIN Always
A PIN must be entered each time a secure operation (such as signing) is
performed.
PIN Timeout
This option allows you to specify a time out period after which the user’s smart card
will be logged out. Once the card is logged out, users must re-enter their PIN to
continue secure operations.
Default Value: PIN Time out at 15 minutes
If you click the Advanced button, the Advanced PIN Policy dialog box provides options to set more
granular time out periods. Instead of a single PIN time out for the card, you can set individual PIN time
out periods for the ID, signing and encryption certificates. Also, you can set a PIN time out period for a
specific application that requires a card.
Setting a certificate’s cache time out period to 0 requires the user to enter the PIN each time a secure
operation is performed. A time out period of 0 is equivalent to the PIN Always option. Setting the PIN
time out period to a very large value is equivalent to the PIN Once option.
If there is a difference between a specific certificate time out period and an application’s time out period,
the shorter time out period takes precedence. For example, if the signing certificate’s time out period is
15 minutes and Outlook’s period is 30 minutes, NetSign enforces the shorter 15 minute time out period.
• Enable PIN Change AutoRemind
PIN Change AutoRemind prompts users to change their PIN on a periodic basis. If the user does not
change their PIN within the specified period, a message appears and requests the PIN be changed. The
PIN change dialog box will open. The message reappears whenever a card is inserted into the reader
until the user changes the PIN.
If the PIN Change AutoRemind period is set to 0 days, then users are never prompted to change their
PINs. Forcing users to change their PIN when they insert their smart card becomes effective only when
the PIN change period is set to a non-zero value.
Default Value: Do not enable PIN change AutoRemind
If the user has never changed the PIN, and PIN Change AutoRemind is turned on, NetSign will not
immediately request a PIN change. Rather, NetSign will reset the clock for PIN change.
PIN Change AutoRemind does not monitor which card was last used for the PIN change. Even if
multiple cards are used on the same system, only one PIN Change AutoRemind will be displayed for the
configured AutoRemind time period.
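The PIN Cache Mode rules above (a time-out of 0 behaves as PIN Always, a very large one as PIN Once, and the shorter of a certificate's and an application's period wins), modelled in Python as an added example that is not NetSign code. The time unit (minutes), the assumption that a period is measured from the last PIN entry for that certificate, and the assumption that an Advanced PIN Policy period replaces rather than adds to the card-wide period are mine, not the guide's.

```python
"""Model of NetSign's PIN cache policy (added example; not Litronic code).

Assumptions not stated in the guide: time-outs are in minutes, a time-out
is measured from the moment the PIN was last entered for that certificate,
and a per-certificate or per-application period set in the Advanced PIN
Policy dialog replaces the card-wide period rather than adding to it.
"""
from dataclasses import dataclass, field

PIN_ALWAYS = 0.0           # time-out of 0: prompt for every secure operation
PIN_ONCE = float("inf")    # a very large time-out: prompt once, never again


@dataclass
class PinPolicy:
    card_timeout: float = 15.0                          # Default: PIN Time out at 15 minutes
    cert_timeouts: dict = field(default_factory=dict)   # e.g. {"signing": 15}
    app_timeouts: dict = field(default_factory=dict)    # e.g. {"OUTLOOK.EXE": 30}

    def effective_timeout(self, cert: str, app: str) -> float:
        """Shorter of the applicable certificate and application periods."""
        cert_period = self.cert_timeouts.get(cert, self.card_timeout)
        app_period = self.app_timeouts.get(app, cert_period)
        return min(cert_period, app_period)


class PinCache:
    """Decides, per secure operation, whether the user must re-enter the PIN."""

    def __init__(self, policy: PinPolicy):
        self.policy = policy
        self._entered_at = {}  # certificate -> time (minutes) the PIN was last entered

    def needs_pin(self, cert: str, app: str, now: float) -> bool:
        timeout = self.policy.effective_timeout(cert, app)
        last = self._entered_at.get(cert)
        if last is None or timeout == PIN_ALWAYS:
            return True
        return now - last >= timeout  # period elapsed: the card was logged out

    def secure_operation(self, cert: str, app: str, now: float) -> bool:
        """Perform one operation; returns True if the user was prompted for the PIN."""
        prompted = self.needs_pin(cert, app, now)
        if prompted:
            self._entered_at[cert] = now  # user entered the PIN; card logged in again
        return prompted

    def card_removed(self) -> None:
        """Removing the card logs it out, voiding every cached entry (assumption)."""
        self._entered_at.clear()


def guide_example():
    """Signing certificate 15 min, Outlook 30 min: the 15 minute period wins."""
    policy = PinPolicy(cert_timeouts={"signing": 15}, app_timeouts={"OUTLOOK.EXE": 30})
    cache = PinCache(policy)
    prompts = [cache.secure_operation("signing", "OUTLOOK.EXE", t) for t in (0, 10, 14, 15, 20)]
    return policy.effective_timeout("signing", "OUTLOOK.EXE"), prompts
```

Running guide_example() shows the user prompted at minute 0, not at 10 or 14, again at 15 when the shorter period has elapsed, and not at 20. Setting a certificate's period to PIN_ALWAYS makes every operation prompt, and PIN_ONCE makes only the first prompt until the card is removed.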
Citrix Server Dialog Box
The Citrix Server dialog box includes a field to register hosted applications that run on a Citrix server and
are secured with a smart card. The screen shot below shows the default applications secured by a smart
card that are registered to Citrix.
Fields
Description
Register Applications
This field lists the default application executable files that are registered to run in a Citrix
environment.
Default Values:
CrdStart.exe: NetSign card start function
IEXPLORE.EXE: Internet Explorer web browser
netscape.exe: Netscape web browser
NetSign.exe: NetSign smart card middleware
OUTLOOK.EXE: Outlook e-mail application
pinChange.exe: NetSign smart card PIN change dialog
psm.exe: Netscape Personal Security Manager
Applications can be added or removed from the Register Applications field:
Removing an application
1. Click on the application’s executable file listed in the Register Applications field.
2. Click Remove.
The selected application disappears from the list and is no longer registered to Citrix.
Adding an Application
1. Click Add.
The Open dialog box appears to navigate to the directory where the application’s executable file is
located and select it.
2. Navigate to the directory where the application’s executable file is located.
3. Click on the executable file shown in the directory to select it.
4. Click Open.
The file appears in the Citrix Server’s list of registered applications.
Chapter 3 NetSign Installation and Upgrade
This chapter describes the various methods to install and upgrade NetSign. The table below summarizes the
installation methods and provides a reference to the section within the chapter that describes each
installation procedure in detail. The same procedures can be used to upgrade earlier versions of NetSign
to Release 5.5.
Installation Method
Description
Local
Use the local method to install NetSign on a single computer. See “ Local
Installation” on page 25.
Installers have the choice of installing NetSign by a standard method using default
values, or a custom method that presents a series of dialogs to set configuration
and installation values.
Silent
The silent method installs NetSign on a single computer without requiring any user
interaction. The installer program automatically assigns values to all installation
and configuration options. See “ Silent Installation Without User Interaction” on
page 29.
Active Directory push
The Active Directory push method installs NetSign on multiple computers that are
members of an Active Directory Organizational Unit (OU). See “ Remote
Installation Using Active Directory Push” on page 30.
Note:
Installing NetSign by the Active Directory push installation is restricted to
computers running Windows 2000, Windows XP or Windows 2003 Server.
NetSign cannot be installed on earlier versions of Windows by the Active Directory
push method.
Systems Management Server (SMS) push
Use the SMS method to install NetSign on multiple computers running any version of the Windows
operating system. Refer to “ Remote Installation Using SMS Push” on page 36.
Refer to Appendix A on page 89 for instructions to uninstall NetSign by similar methods listed in the table
above.
“Appendix B NetSign Installation Changes” on page 105 lists the changes to a computer after NetSign has
been installed. Refer to the appendix for a listing of all files that are added to the computer and new keys in
the Windows registry by a NetSign Version 5.5 installation or upgrade.
Installation Requirements
This section describes the minimum hardware and software requirements to support NetSign.
Hardware Requirements
• Personal computer
The computer on which NetSign will be installed must meet the following minimum requirements:
• Intel/AMD CPU with processing power equivalent to a Pentium 133 MHz or higher
• 20 MB of free disk space
• 32 MB of RAM minimum (256 MB or higher is recommended)
• CD-ROM drive (only necessary for a local installation using the NetSign product CD)
• 1 unused USB or serial port to attach the smart card reader
• Smart card reader
NetSign is designed to work with PC/SC compliant smart card readers that adhere to the DoD smart
card reader specification. NetSign supports the following listed smart card reader models from their
respective vendors:
• Litronic: Litronic 215, 3015, 3015i, and 260
• SCM: SCR201 PCMCIA, SCR331 USB, SCR331-DI USB/DesFire, and SCR301 USB
• Cherry: ST-1000UA
• UPEK: TouchChip TCRS1C combination smart card and fingerprint reader
• Smart card
NetSign supports smart cards from the following vendors:
• Oberthur GalactIC 2.1-5032 Mask 2.1R
• Axalto Cyberflex Access 32K CAC (M256EPALP1_SI_9C_02 Softmask 7 Version 2)
• Oberthur CosmopolIC V4
• ActivCard V2 Gemplus Gemxpresso 64K
Software Requirements
• Windows operating system
NetSign can run on the following versions of the Windows operating system:
• Microsoft Windows 2000 with Service Pack 4 applied
• Microsoft Windows XP Professional Service Pack 1a and above
• Microsoft Windows Server 2003 Enterprise Edition
• Web browsers
NetSign supports the following web browsers:
• Microsoft Internet Explorer Version 5.5 and above
• Netscape Communications Corporation Netscape Versions 4.76, 7.0 and 7.2
• Smart card reader drivers
NetSign supports software drivers for PC/SC and DoD compliant smart card readers
• E-mail applications
NetSign supports the following e-mail applications:
• Microsoft Outlook 2000 with Service Pack 2
• Microsoft Outlook 2002 (XP)
• Microsoft Outlook 2003
• Microsoft Outlook Express 6 (no auto-configure capability)
• Microsoft Outlook Web Access
Note:
The following specific Outlook Web Access software requirements must be met for NetSign support:
User computers are running on Windows 2000 and above
User computers are running Internet Explorer Version 6 and above (No other browsers are
supported)
Microsoft Exchange Server 2003 to host Outlook Web Access
Installation Considerations
This section describes general information that must be considered as part of your installation planning.
• Entries are added to the Windows registry during a NetSign installation.
You must log on to the computer with Windows administrator privileges to install NetSign by the local or
silent methods. You must have appropriate Active Directory or SMS privileges to install NetSign by
either push method.
• You should have specified your installation and configuration options with the NetSign Configuration
Wizard before attempting the installation procedures described in this chapter.
Refer to “Chapter 2 Pre-Installation Configuration” on page 7, which explains how to use the NetSign
Configuration Wizard. Otherwise, NetSign is installed with the current values specified in the
NetSignConfig.ini file.
• The two push installation methods require the Push install option to have been set to active in the
NetSignConfig.ini file before installing NetSign.
Refer to a description of the Push install option on page 11. The Push flag indicates to the installer to
use the current keys entered in the registry instead of the keys within the NetSignConfig.ini script
file of the local directory where the NetSign CD image has been placed.
• If you are using AutoConfigure, Auto-register or any other auto feature of Outlook, make sure Outlook is
specified as the default e-mail application and is already configured for users.
• Although NetSign can be installed without PC/SC readers/drivers, the readers and drivers should be
installed first to prevent errors that can occur with some versions of Windows during an installation.
By default, the installer issues a warning message if it does not detect a card reader attached to the
computer on which NetSign is being installed. The NetSign Configuration Wizard includes an option that
can be set to prevent the installer from verifying if a reader is attached to the computer.
• If you plan to use a version of Netscape with Personal Security Manager (PSM), you should install
Netscape with PSM before installing NetSign.
There is currently an issue with installing Netscape with PSM after the NetSign middleware is installed.
• The NetSign installer runs the nsreg.exe file to register root certificates to the Netscape Version 4.76
web browser. Running nsreg.exe also adds the security module to Netscape.
If Netscape root certificates were not chosen to be registered during installation, you can manually
register certificates to Netscape Version 4.76 with the nsreg.exe file located in the home directory
where NetSign is installed. Netscape certificates are located in the Certificates directory beneath
the NetSign home directory.
Certificates must be manually registered for Netscape Versions 7.0 and 7.2. Refer to “Appendix C
Certificate Installation” on page 117 for instructions to import certificates for these Netscape releases.
• If you install Netscape after NetSign, you must restart the computer to enable Netscape to work with
NetSign.
You must also register root certificates if Netscape was installed after NetSign.
Local Installation
This procedure explains how to install or upgrade NetSign on a single computer. Refer to the push
installation methods later in this chapter to install or upgrade NetSign simultaneously on multiple
computers.
NetSign can be installed by either a standard or custom method. A standard installation uses the current
values saved in the NetSignConfig.ini file and automatically proceeds through the entire installation
sequence. A custom installation launches the NetSign Configuration Wizard. The installation procedure
includes a sequence of four dialog boxes to assign values to installation and configuration options.
The following table lists the custom installation dialog boxes and a page reference to a section in Chapter
2 where the fields that appear on each configuration dialog box are described.
Custom Installation Dialog | Reference to Dialog Configuration Options
NetSign Configuration Wizard | “Installation Settings” on page 9
Product Features | “Product Features Dialog Box” on page 12
Policy Settings | “Policy Settings Dialog Box” on page 13
Citrix Server | “Citrix Server Dialog Box” on page 20
The installer checks if NetSign is currently installed on the computer before installing Version 5.5. If the
installer detects that NetSign is installed, it removes the earlier version before installing Version 5.5.
1. Log on to the computer with a Windows administrator user account.
A NetSign installation writes additional entries to the Windows registry, which requires administrator
authority.
2. Insert the NetSign installation CD in the computer’s CD drive, or navigate to the directory where the
CD image has been placed.
3. Double-click on the setup.exe file in the home directory of the CD or the CD image.
The installer program presents a splash screen followed immediately by the Welcome dialog box.
4. Click Next.
The License Agreement dialog box appears on the screen.
5. Read the license agreement and click Yes to accept the terms of the agreement.
The Installation Type dialog box appears and presents two NetSign installation options.
6. Choose either Standard or Custom as the type of NetSign installation and click Next.
The next step in the installation procedure varies based upon the type of installation you selected.
Installation Type | Continue at
Standard | Procedure step 13 on page 27
Custom | Procedure step 7 on this page
Custom Installation Procedure Steps
The NetSign Configuration Wizard dialog box appears immediately after selecting Custom as the
type of NetSign installation.
7. Set values for the installation options that appear on the NetSign Configuration Wizard dialog box.
Refer to page 9 for descriptions of the fields that appear on the NetSign Configuration Wizard dialog
box.
8. Click Next to proceed to the next custom installation dialog box.
9. Set values for the options that appear on the Product Features dialog box and click Next.
Refer to page 12 for descriptions of the fields that appear on the Product Features dialog box.
10. Set values for the options that appear on the Policy Settings dialog box and click Next.
Refer to page 13 for descriptions of the fields that appear on the Policy Settings dialog box.
11. Set values for the options that appear on the Citrix Server dialog box.
Refer to page 20 for descriptions of the fields that appear on the Citrix Server dialog box.
12. Click Finish.
The installer begins copying files to the computer immediately after clicking Finish.
End of Custom Installation Procedure Steps
13. Notice the progress bar that indicates the status of the installation.
The text caption immediately above the progress bar indicates the active process occurring during the
installation procedure. If NetSign Version 5.5 is being installed on a computer with an earlier version of
NetSign currently installed, you will see captions that indicate the earlier version of NetSign is being
removed.
When all files have been copied to the computer, a dialog box appears and asks if you want to display
the Release Notes.
Note:
Administrators can set an installation option with the NetSign Configuration Wizard to prevent
the Release Notes dialog box from appearing during the installation procedure.
14. Click Yes or No from the dialog box.
If you click Yes, a NotePad window opens on the screen and displays the NetSign Release Notes.
Close the NotePad window after you have finished reading the Release Notes.
The Wizard Complete window appears after the installation procedure has finished.
15. Click Finish.
The NetSign CardStart icon should appear in the system tray of the computer.
16. Double-click on the CardStart icon to begin using NetSign.
Refer to “ Local Uninstall” on page 91 for instructions to remove NetSign using the Windows Add or
Remove facility.
Silent Installation Without User Interaction
The silent method installs NetSign on a single computer without user interaction. No dialog boxes appear
on the screen during the installation procedure, nor does the installer indicate when the installation
procedure has finished.
The installer program automatically assigns values to all installation and policy options specified from the
NetSignConfig.ini file. You should have moved the updated NetSignConfig.ini file with your
configuration changes to the temp subdirectory of the NetSign CD image. Otherwise, NetSign will be
installed with a default configuration. Refer to “Chapter 2 Pre-Installation Configuration” on page 7 for a
listing of the values specified in the NetSignConfig.ini file.
The installer checks if NetSign is currently installed on the computer before installing Version 5.5. If the
installer detects that NetSign is installed, it silently removes the earlier version during the Version 5.5
installation procedure.
The silent method uses MsiExec.exe, which is the executable program of the Windows Installer to
interpret installation packages. Refer to
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/msiexec.mspx
for a complete listing of all msiexec.exe command parameters.
The silent installation method is invoked from the Windows command line. You must enter three separate
msiexec.exe commands.
1. Log on to the computer with a Windows administrator user account.
A NetSign installation writes additional entries to the Windows registry, which requires administrator
authority.
2. Open a command window.
Start > Run > cmd
3. Enter the commands in the order listed below.
C:\> msiexec /qn /i Z:\ISScript1050.msi
C:\> msiexec /qn /i Z:\NetSignConfig.msi
C:\> msiexec /qn /i Z:\NetSign.msi
Notes:
• In the examples above, Z: is the drive letter of the computer’s local CD drive where the NetSign
product CD has been inserted. Or, specify the path to a mapped network disk where the NetSign
installation package has been placed.
• You must enclose the directory path within quotes (") if the path to the ISScript1050.msi,
NetSign.msi and NetSignConfig.msi files contains a blank space.
C:\> msiexec /qn /i "V:\App Server\NETSIGN\NetSign.msi"
4. Press Enter.
It takes approximately 30-40 seconds to complete the installation. You should see the CardStart
icon in the computer’s system tray that indicates NetSign has been installed.
5. Double-click on the icon to start using NetSign.
Refer to “ Silent Uninstall Without User Interaction” on page 92 for instructions to remove NetSign by the
silent method.
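As an added example that is not part of the Litronic guide, the following batch file runs the three silent commands in the required order from a Windows command window, quotes the source path so that a blank space in a share name is handled, writes a verbose Windows Installer log for each package, and stops at the first package that fails. The path argument, the log directory under %SystemRoot%\Temp and the script name are assumptions; the msiexec switches /qn, /i and /L*v and the exit codes 0 and 3010 are standard Windows Installer behaviour.

```batch
@echo off
setlocal
rem Added example: silent NetSign 5.5 installation with exit-code checks and logging.
rem Not part of the Litronic guide. Assumed inputs: the first argument is the path to
rem the NetSign CD image (local CD drive or mapped share); the log directory is an assumption.
rem Usage:  install-netsign.cmd "V:\App Server\NETSIGN"

if "%~1"=="" (
    echo Usage: %~nx0 ^<path to NetSign CD image^>
    exit /b 2
)
set "SRC=%~1"
set "LOGDIR=%SystemRoot%\Temp\NetSignInstall"
set "REBOOT=0"
if not exist "%LOGDIR%" mkdir "%LOGDIR%"

rem Fail before touching the system if any of the three packages is missing,
rem rather than leaving a partially installed product behind.
for %%F in (ISScript1050.msi NetSignConfig.msi NetSign.msi) do (
    if not exist "%SRC%\%%F" (
        echo Missing package: "%SRC%\%%F"
        exit /b 3
    )
)

rem The packages must be installed in this order: script engine, configuration, product.
call :install ISScript1050.msi
if errorlevel 1 exit /b %ERRORLEVEL%
call :install NetSignConfig.msi
if errorlevel 1 exit /b %ERRORLEVEL%
call :install NetSign.msi
if errorlevel 1 exit /b %ERRORLEVEL%

if "%REBOOT%"=="1" (
    echo NetSign installed; Windows Installer requested a restart to finish.
) else (
    echo NetSign installed.
)
exit /b 0

:install
rem /qn suppresses all UI; /L*v writes a verbose log that can be kept for
rem troubleshooting and audit. Quoting the path handles blank spaces in share names.
msiexec /qn /i "%SRC%\%~1" /L*v "%LOGDIR%\%~n1.log"
set "RC=%ERRORLEVEL%"
if "%RC%"=="0" exit /b 0
rem 3010 = ERROR_SUCCESS_REBOOT_REQUIRED: the package installed, but a restart is pending.
if "%RC%"=="3010" (
    set "REBOOT=1"
    exit /b 0
)
echo %~1 failed with Windows Installer exit code %RC%; see "%LOGDIR%\%~n1.log".
exit /b %RC%
```

Running the packages from a script rather than by hand gives the administrator a per-package log and a single exit code to check, which matters because the silent method gives no on-screen indication that the installation has finished or failed.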
Remote Installation Using Active Directory Push
Windows Active Directory provides a function to push installation packages to client computers. Active
Directory can be used to install or upgrade NetSign on computers running on Windows 2000 and above.
The Active Directory push installation method cannot be used to install or upgrade NetSign on computers
running earlier versions than Windows 2000.
The Active Directory push method uses three MSI packages containing installer scripts, registry entries
and files to install NetSign. The target computers must be restarted to invoke the installation process.
NetSign should be operational after users finish logging on to their computers.
The Active Directory push method can be used to upgrade earlier versions of NetSign to Version 5.5. The
earlier version is removed immediately before Version 5.5 is installed. Based upon a configuration value
set with the NetSign Configuration Wizard, Version 5.5 is installed into the same directory as an earlier
version, or to a separate directory as part of an upgrade.
If Active Directory was used to push install NetSign, Active Directory should be used to remove the
program. Errors can occur if NetSign is removed with the Windows Add/Remove Programs facility. Refer
to “ Push Uninstall with Active Directory” on page 93 for instructions to remove NetSign by the Active
Directory push installation method.
Installation Requirements
The following requirements must be met for an Active Directory push installation of NetSign to client
computers.
• The Domain Administrator must have domain privileges to administer the NetSign installation files
(ISScript1050.msi, NetSignConfig.msi and NetSign.msi) throughout the domain.
• All target computers that will have NetSign installed are running on Windows 2000, Windows XP or
Windows Server 2003.
• The domain controller must be running either Windows 2000 Advanced Server or Windows Server
2003.
• Active Directory is implemented on the domain controller to be used to push the NetSign installation
packages.
• The NetSign Configuration Wizard has been run and the updated NetSignConfig.ini file has been
placed in the \temp subdirectory of the NetSign CD image.
• The NetSign CD image has been placed on a shared directory that is accessible to all computers that
participate in an Active Directory push installation.
• The Push install option must have been saved as a value of the NetSignConfig.ini file.
Refer to page 11 for a description of the Push install option.
Overview of the Steps to Push Install with Active Directory
There are various methods to deploy installation packages with Active Directory. Each site may have
operational policies that dictate how installation packages are deployed to computers. This procedure
consists of the major steps listed below. If this procedure is followed, the steps should be completed in the
listed order.
• Create an Active Directory Organizational Unit on page 32
• Add MSI Files as Active Directory packages on page 33
This procedure performs a complete installation of NetSign on computers that do not have NetSign
installed. This procedure also updates computers to Version 5.5 that are currently running an earlier
version of NetSign.
An Active Directory push installation of NetSign requires the files shown in the following table:
File | Directory Location
ISScript1050.msi | NetSign_CD_home_Directory\
NetSignConfig.msi | NetSign_CD_home_Directory\
NetSign.msi | NetSign_CD_home_Directory\
Step 1: Create an Active Directory Organizational Unit
This step explains how to create an Active Directory Organizational Unit (OU) for a push installation of
NetSign. All target computers that will have NetSign installed will be assigned as members of the OU. If all
of your target computers are already part of the same OU, you can proceed to the next step.
1. Open the Active Directory Users and Computers facility.
Start > Settings > Control Panel > Administrative Tools > Active Directory Users and
Computers
2. Right-click on the name of the domain that the target computers belong to and select New >
Organizational Unit from the menu.
3. Assign a name to the OU and click OK.
4. Click Computers in the left pane to display a list of computers that belong to the domain.
5. Select the computers from the right pane that you want to be targets for the NetSign installation.
6. Right-click and select Move from the menu.
7. Select the OU in which the target computers should belong and click OK.
8. Open the OU folder and verify the computers you selected are within it.
Step 2: Add MSI Files as Active Directory Packages
This step explains the procedure to create an OU policy and add the ISScript1050.msi,
NetSignConfig.msi and NetSign.msi files as Active Directory packages.
Important:
You must select the MSI packages in the order listed below:
a. ISScript1050.msi
b. NetSignConfig.msi
c. NetSign.msi
1. Right-click on the OU containing the target computers and select Properties from the menu.
The properties dialog box for the OU appears on the screen.
2. Click the Group Policy tab.
3. Click New.
4. Assign a name to the policy.
5. Select the policy you created and click Edit.
The Group Policy Object Editor window appears on the screen.
6. Click on the Computer Configuration > Software Settings folder to expand the list beneath it.
You should see Software installation as an indented item beneath Software Settings.
7. Right-click on Software installation and then select New > Package from the menu.
The Open dialog box appears on the screen to navigate to the NetSign installation packages.
8. Select My Network Places from the Open dialog box.
Important:
You must navigate to the location of the NetSign MSI files using the full network path. Otherwise, an
error message appears indicating Active Directory cannot verify the network location.
9. Navigate to the ISScript1050.msi file.
Select the ISScript1050.msi file located in the home directory of the NetSign CD image.
10. Select the file and click Open.
11. Accept all assigned default values from the Deploy Software dialog box and click OK.
12. Repeat steps 7-11 and select the NetSignConfig.msi file.
The NetSignConfig.msi file is located in the home directory of the NetSign CD image.
13. Repeat steps 7-11 and select the NetSign.msi file.
The NetSign.msi file is located in the home directory of the NetSign CD image.
The MSI files should be listed in the right pane of the Group Policy Object Editor dialog box.
NetSign will be installed as Windows restarts on each computer. After Windows has finished booting up,
users should see the CardStart icon in their computer’s system tray that indicates NetSign is running.
If the Active Directory push installation method was used to upgrade an existing version of NetSign to
Version 5.5, the earlier version is removed on the target computers during the reboot operation.
Remote Installation Using SMS Push
Microsoft’s Systems Management Server (SMS) gives administrators the capability to manage client
systems and monitor hardware compatibility, license validity, and packages installed on client computers.
Administrators can use SMS to distribute NetSign installation packages to selected target computers.
SMS provides more functionality and flexibility than Active Directory for installing software. Using SMS,
administrators can distribute software to any number of computers on the network. SMS can push install
NetSign to computers running any version of the Windows operating system.
Installation Requirements
• This procedure assumes SMS Version 2.0 or 2003 has been installed and is operational.
• The person responsible for installing NetSign has the appropriate authority to use SMS.
• SMS distribution points have been formally defined.
• The NetSign Configuration Wizard has been run and the updated NetSignConfig.ini file has been
placed in the \temp subdirectory of the NetSign CD image.
• The Push install option must have been saved as a value of the NetSignConfig.ini file.
Refer to page 11 for a description of the Push install option.
Overview of the Steps to Install NetSign by SMS
This procedure explains how to distribute the NetSign installation package using conventional SMS
methods. There are various methods to push installation packages with SMS based upon each site’s
standards for deploying software to their user community. This procedure consists of the major steps listed
below. If this procedure is followed, the steps should be completed in the listed order.
“Step 1: Create a New Package” on page 37
“Step 2: Set the Package Distribution Points” on page 39
“Step 3: Create NetSign Package Programs” on page 40
“Step 4: Advertise the NetSign Installation Package” on page 44
The NetSign installation package consists of three files:
ISScript1050.msi | Windows Installer file containing the InstallShield script engine
NetSignConfig.msi | Windows Installer file containing installation and configuration options
NetSign.msi | Windows Installer file containing NetSign product files
Set up your SMS package program dependencies to run these files in the order listed above. Also, set the
programs in the NetSign installation package to run only when no user is logged on.
Step 1: Create a New Package
1. Log on to the computer that has the SMS administrator console installed with an account authorized to
use SMS.
2. Select Start > Programs > Systems Management Server > SMS Administrator Console.
The SMS Administrator Console appears on the screen.
3. Right-click the Packages folder and select New > Package.
The Package Properties dialog box appears on the screen.
4. Complete the form, then click the Data Source tab.
5. Select This package contains source files option.
6. Click Set to locate and select the directory in which your data files are stored.
The Set Source Directory dialog box appears on the screen.
7. Select Network path from the Source directory location field.
8. Click Browse and navigate to the directory where the NetSign installation CD has been placed.
9. Click OK to select the NetSign installation package.
The Package Properties dialog box refreshes and displays the directory path to the NetSign
installation CD.
10. Click OK.
The NetSign installation package has been created.
Step 2: Set the Package Distribution Points
This step describes how to set SMS distribution points to deploy the NetSign installation package.
1. Click on the plus sign (+) of the NetSign installation package in the left pane of the SMS dialog box to
expand the options beneath it.
2. Right-click on Distribution Points and select New > Distribution Points from the menu.
The New Distribution Points Wizard dialog box appears on the screen.
3. Click Next.
The Copy Package dialog box opens with a field to select the distribution points for the package.
4. Place a check mark next to names of the distribution points for the NetSign package you created
earlier.
5. Click Finish.
Step 3: Create NetSign Package Programs
This step explains how to prepare the three NetSign installation files for an SMS distribution package. The
procedure describes how to add three files to the NetSign installation package and set the program
dependencies to run them in the order listed below:
a. ISScript1050.msi
b. NetSignConfig.msi
c. NetSign.msi
1. Right-click on the Programs folder and select New > Programs from the menu.
The Program Properties dialog box appears on the screen.
2. Assign a name to the program to identify it as the ISScript1050.msi file.
3. Browse to the directory where the ISScript1050.msi file is located and select it.
4. In the Command line field, enter
msiexec /qn /i ISScript1050.msi
5. Click the Environment tab on the Program Properties dialog box.
6. Set the Program can run option to Only when no user is logged on.
7. Click Apply.
8. Click OK.
You should see the ISScript program listed in the NetSign installation package you created.
9. Right-click on the Programs folder and select New > Programs from the menu.
The Program Properties dialog box appears on the screen.
10. Assign a name to the program to identify it as the NetSignConfig.msi file.
11. Browse to the directory where the NetSignConfig.msi file is located and select it.
12. In the Command line field, enter
msiexec /qn /i NetSignConfig.msi
13. Click the Environment tab on the Program Properties dialog box.
14. Set the environment option that the program should run Only when no user is logged on.
15. Click the Advanced tab.
16. Set the run-time dependency for the NetSignConfig.msi program to run after the
ISScript1050.msi program in your NetSign installation package.
17. Click Apply.
18. Click OK.
19. Repeat steps 9-18 to add NetSign.msi to the package.
a. The msiexec command string should be msiexec /qn /i NetSign.msi.
b. Set the environment option that NetSign.msi should run Only when no user is logged on.
c. Set the run-time dependency for the NetSign.msi program to run after NetSignConfig.msi.
20. Verify the three programs have been added to the NetSign installation package.
Step 4: Advertise the NetSign Installation Package
1. On the SMS Administrator Console, right-click Advertisements.
2. Select All Tasks > Distribute Software from the menu.
The Distribute Software wizard begins to set up the package advertisement process.
3. Read the material on the first wizard screen and then click Next.
The Distribute Software Wizard Package dialog box opens on the screen.
4. Select the Distribute an existing package option.
5. Select the NetSign package from the Packages section of the screen.
6. Click Next.
The Distribution Points Software Wizard window opens.
7. Select the distribution point from which you want to distribute the NetSign package.
In order to distribute the package, the system must bring all the source files from the source directory
to a distribution point on the SMS server. The distribution point must be set up when you set up SMS.
8. Click Next.
The Distribute Software Wizard - Advertise a Program dialog box opens.
9. Click Yes to advertise a program to a collection.
10. Select the name of the program associated with the NetSign.msi file.
11. Click Next.
The Distribute Software Wizard - Advertisement Target dialog box opens on the screen.
12. Click the Advertise the program to an existing collection option.
13. Click Browse to select a collection from the Browse Collection dialog box.
14. Click OK after selecting the collections.
The Browse Collection dialog box closes and returns you to the Advertisement Target dialog box.
15. Click Next.
16. Select the Advertise the program to an existing collection option.
17. Use the Browse button to select the collection to which you want to distribute NetSign and click OK.
18. Click Next.
The Distribute Software Wizard - Advertisement Name dialog box opens on the screen.
19. Specify a name for the NetSign advertisement in the Name field.
20. Enter any comments about the advertisement in the Comments box.
21. Click Next.
The Distribute Software Wizard - Advertise to Subcollections dialog box opens on the screen.
Within a collection there can be subcollections.
22. Click on the appropriate option button to select the advertise option for your specific environment.
23. Click Next.
The Distribute Software Wizard – Advertisement Schedule dialog box opens on the screen.
The dialog box includes fields to set the date and time when this advertisement occurs and when it will
expire.
24. Make the appropriate selection and set up the times and dates you want.
25. Click Next.
The Distribute Software Wizard – Assign Program dialog box opens on the screen.
By assigning the program, it becomes a mandatory component of the installation.
26. Select the Yes. Assign the program. option.
27. Click Next.
The Distribute Software Wizard – Completing the Distribute Software Wizard opens.
28. Click Finish.
The installation will be unnoticed by the user; the Litronic folder will be available from Start >
Programs, and users should see the CardStart icon in their system tray after logging on to their
computers.
Chapter 4 NetSign Policy Configuration
This chapter describes how to make configuration changes to NetSign after it has been installed. There
are two methods to configure NetSign. The local method uses NetSign’s Policies page to make
configuration changes on a single computer. The remote method configures NetSign for a group of
computers that belong to an Active Directory Organizational Unit (OU).
Much of the configuration information in this chapter was discussed previously in Chapter 2 about setting
pre-installation configuration values with the NetSign Configuration Wizard.
Local Policy Configuration
NetSign policies can be configured locally on a single computer from the Policies page. You must have
logged on to the computer with a Windows administrator user account to be able to access all
configuration options that appear on the page. Administrators configure policies for an individual computer
by assigning values to the options and then clicking Accept. The selected values are written to the
computer’s registry and become immediately effective.
The Policies page presents configuration options in five major groups:
• Smart Card Events
• Certificate Registration
• Auto Update
• PIN Policies
• Outlook Configuration
Refer to “ NetSign Policies” on page 59 for a description of the configuration options in each policy group.
Remote Policy Configuration
NetSign provides the capability to remotely configure policies on a group of computers that belong to an
Active Directory OU. Configuration policies are set through an Active Directory administration template
defined in the NetSign.adm file. Remote policies set through NetSign’s template are saved in
Registry.pol files. Separate Registry.pol files are used for HKEY_LOCAL_MACHINE and
HKEY_CURRENT_USER.
Remote Policy Configuration Requirements
The following requirements must be met to remotely configure NetSign:
• The domain administrator must have domain privileges to administer NetSign throughout the domain.
• Active Directory is implemented on the domain controller to be used to configure NetSign.
• The domain controller must be running either Windows 2000 Advanced Server or Windows Server
2003.
• The NetSign CD image has been placed in a network location that is accessible to the domain controller.
• All target computers that have NetSign installed are running on either Windows 2000 or Windows XP.
Setting Up Remote Policy Configuration
This section describes a procedure to add NetSign’s configuration policies contained in the NetSign.adm
file as an Active Directory administrative template. These policies will be applied to the computers that
belong to the OU previously used to install NetSign by the Active Directory push method. The values
assigned to these NetSign policies become effective after the target computers have been restarted.
1. Log on to the computer with a domain administrator user account.
2. Open the Active Directory Users and Computers MMC console.
Start > Settings > Control Panel > Administrative Tools > Active Directory Users and
Computers
3. Select the same Active Directory OU that was used to install NetSign.
Note:
This procedure assumes the original OU that was used to install NetSign will be used for remote
configuration because the target computers have already been identified by their OU membership.
4. Right-click on the OU name shown in the left pane of the Active Directory Users and Computers
window.
5. Select Properties from the menu.
6. Click on the Group Policy tab of the OU’s Properties dialog box.
7. Select the policy of the OU and click Edit.
8. Right-click on the Administrative Templates folder in the left pane of the Group Policy Object Editor
dialog box.
9. Select Add/Remove Templates from the menu.
10. Click Add from the Add/Remove Templates window.
The Policy Templates window should open on the screen.
11. Navigate to the directory where the NetSign.adm file is located.
The NetSign.adm file is located in the admin subdirectory of the NetSign CD image.
12. Select the NetSign.adm file and click Open.
The NetSign policy template appears in the list displayed from the Add/Remove Templates window.
13. Click Close.
A NetSign folder should appear beneath the Administrative Templates folder displayed in the left
pane of the Group Policy Object Editor dialog box.
14. Double-click on the NetSign folder to expand the policy categories within the folder.
The example above shows the NetSign template subfolders. Each subfolder contains a set of related
policies.
15. Click on a subfolder to display the policies within it.
The policies within the folder appear in the right pane of the Group Policy Object Editor window.
16. Double-click on a policy setting.
A dialog box appears to change the state of a NetSign policy.
Each dialog box contains a set of options to specify whether the policy will be used in configuring
NetSign remotely or not.
Not Configured: The policy is not used and no values for it are saved in the registry. This is the
initial value assigned to all NetSign policies through the NetSign.adm file.
Enabled: The policy is actively enforced and its value is saved in the registry.
Disabled: The policy is disabled and is not enforced unless overridden. The value associated
with the policy is saved in the registry.
17. Set the state of the policy based upon whether you want to use the policy to configure NetSign or not.
18. Assign a value to the policy if it will be used to remotely configure NetSign.
19. Repeat steps 15-18 until all NetSign configuration policies have been assigned values.
The NetSign policies become effective on each target computer after it has been restarted.
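To make the three policy states concrete, here is an added example of an Active Directory administrative template in the .adm format that NetSign.adm uses. It is not the contents of NetSign.adm; the registry key paths, value names, the choice of minutes as the timeout unit and the numeric limits are hypothetical placeholders. It shows why Enabled and Disabled both write something to Registry.pol while Not Configured writes nothing, and how CLASS MACHINE corresponds to the HKEY_LOCAL_MACHINE Registry.pol file.

```adm
; Added example of an .adm administrative template (not NetSign.adm itself).
; Key paths, value names and limits are hypothetical placeholders.
CLASS MACHINE

CATEGORY !!NetSign
  CATEGORY !!CardEvents
    ; Hypothetical key: the real NetSign key path is defined in NetSign.adm.
    KEYNAME "Software\Policies\Example\NetSign\CardEvents"

    ; A two-state policy. Enabled writes VALUEON, Disabled writes VALUEOFF,
    ; Not Configured writes nothing, so the value is absent from Registry.pol.
    POLICY !!AllowUserOverride
      EXPLAIN !!AllowUserOverride_Help
      VALUENAME "AllowUserOverride"
      VALUEON NUMERIC 1
      VALUEOFF NUMERIC 0
    END POLICY
  END CATEGORY

  CATEGORY !!PinPolicy
    KEYNAME "Software\Policies\Example\NetSign\PIN"

    ; A policy with a numeric setting: Enabled saves the number entered in the
    ; dialog box; Disabled removes the value; Not Configured leaves it untouched.
    POLICY !!IdCertPinTimeout
      EXPLAIN !!IdCertPinTimeout_Help
      PART !!IdCertPinTimeout_Minutes NUMERIC
        VALUENAME "IdCertificatePinTimeout"
        DEFAULT 15
        MIN 1
        MAX 480
      END PART
    END POLICY
  END CATEGORY
END CATEGORY

[strings]
NetSign="NetSign"
CardEvents="Card Events"
AllowUserOverride="Allow user to override insertion/removal events"
AllowUserOverride_Help="When enabled, the user may change the action NetSign takes on card insertion and removal."
PinPolicy="PIN Policy"
IdCertPinTimeout="ID certificate PIN timeout"
IdCertPinTimeout_Help="Minutes after which NetSign asks for the PIN again when the ID certificate is used."
IdCertPinTimeout_Minutes="Timeout (minutes)"
```

Because a CLASS MACHINE policy lands in the machine Registry.pol, it is applied as the computer starts, which is why the guide says NetSign policies become effective only after the target computers have been restarted.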
NetSign Configuration Options
This section describes each NetSign policy that can be configured locally or remotely.
Local and Remote Configuration Policy Mapping
The following table shows NetSign configuration groups and the unique name for both local and remote
configuration policies. Local policies are identified by their title shown on the Policies page. In the case of
remote configuration, the policy name includes the Active Directory configuration group and setting name
in the form configuration_group-setting_name.
Configuration Policy | Local Configuration Policy | Remote Configuration Policy | Page

Smart Card Events
NetSign response to a card insertion event | Action to perform when a smart card is inserted | Card Events-Card insertion action | 59
NetSign response to a card removal event | Action to perform when a smart card is removed | Card Events-Card removal action | 59
User override of card events | Allow user to override insertion/removal events | Card Events-Allow user to override insertion/removal events | 59

Certificate Registration
Register certificates for use with IE | Auto-register certificates for IE | Automatically register certificates for use with Internet Explorer | 60
Remove certificates when the user logs off | Auto Unreg on Log Off | Automatically remove certificates on Logoff | 60
Remove certificates when a card is removed from reader | Auto Unreg on Remove | Automatically remove certificates on card removal | 60
Cache smart card certificates on the user’s computer | Cache certificates | Cache certificates | 60

Outlook AutoConfiguration
Register certificates for use with Outlook | Auto-register certificates with Outlook | AutoRegister | 61
Publish user certificates to the Outlook GAL | Publish to GAL | Outlook AutoConfigure-Publish certificates to the GAL | 62
Add user’s digital signature to e-mail messages | Sign Email | Outlook AutoConfigure-Add digital signatures to outgoing messages | 61
Send e-mail digital signatures in clear text | Clear Text Signing | Outlook AutoConfigure-Send clear text signed messages | 61
Encryption of the contents of outgoing e-mail messages | Encrypt Email | Outlook AutoConfigure-Encrypt contents and attachments of outgoing messages | 61
Return receipt for outgoing e-mail messages | Secure Receipt | Outlook AutoConfigure-Request secure receipt for all S/MIME signed messages | 61
Automatic decryption of incoming e-mail messages | Auto decrypt | Outlook AutoConfigure-AutoDecrypt | 62
Automatic addition of contact information to the user’s address book after receiving a signed message | Auto Contact | Outlook AutoConfigure-AutoContact | 62
Outlook user profile | Profile | None | 62

Auto Update
NetSign Update | Auto Update | Client Update-AutoUpdate | 63

PIN Policy
PIN caching | PIN cache mode | PIN cache timeout (Note: remote policy configuration does not provide the PIN Always or PIN Once options) | 64
PIN cache time out period when using the ID certificate | Request ID PIN after | ID certificate PIN timeout | 64
PIN cache time out period when using the e-mail certificate | Request signature PIN after | Email signing certificate PIN timeout | 64
PIN cache time out period when using the encryption certificate | Request encryption PIN after | Encryption certificate PIN timeout | 64
PIN cache time out period when using an application | Application Timeout | Application specific timeout | 64
Reminder to user to change PIN at a specific interval | Enable PIN change auto remind | PIN change AutoRemind | 64

Web Links
NetSign feedback web site | None | Feedback web page | 65
NetSign technical support web site | None | Technical Support web page | 65
Recommended Policies
If you expect users to sign all e-mail messages with Outlook, the following policy values are recommended
for NetSign. These policies allow users to sign all their e-mail messages without requiring any client side
configuration.
• Auto-register certificates for IE
Enabling this option places certificates from the smart card into the certificate store so they can be
registered for Outlook.
• Auto-register certificates with Outlook
This will automatically configure Outlook to use the certificates on the user’s smart card.
• Sign e-mail messages as default
This will cause e-mail messages to be signed by default, which reduces the need for user training to
send secured messages with NetSign.
• Send signed messages in Clear Text
A clear-text (clear-signed) message carries the readable message body with the signature attached
separately, so the recipient can view it in the preview pane of Outlook and recipients whose mail client
lacks S/MIME support can still read it. Non-clear-text (opaque-signed) messages cannot be displayed
in the preview pane and are unreadable without S/MIME support.
If e-mail is the primary application used by the smart card, then you may want to set Launch default
e-mail as the value for the Action to perform when a smart card is inserted option. Also, set the Close
launched application as the value for the Action to Perform when smart card is removed option. This
simplifies smart card usage for the end user.
If you expect users to use a smart card to access SSL sites such as an intranet, the following policy
settings are recommended:
• Auto-register certificate for IE
This places certificates from the smart card into the certificate store, which allows Internet Explorer to
use them for SSL sessions.
If the smart card is primarily used to access an intranet site, then you may want to set the Launch default
browser as the value for the Action to perform when a smart card is inserted option. Specify the URL
of the intranet site as the value of the Web or Application option. Also, set Close launched application
as the value for the Action to Perform when smart card is removed option. This makes it easier for the
user to access the web site by simply inserting a smart card. It also eliminates the need for administrators
to distribute the intranet URL to their user communities.
58
NetSign Policies
This section describes NetSign policies that can be configured locally and remotely.
Smart Card Events
These policies determine what action NetSign takes after the user either inserts or removes a smart card
from a card reader.
NetSign Response to a Card Insertion Event
Policy Option
Description
Launch Application
NetSign launches the application specified in the Application or Web address
field when the smart card is inserted into the reader.
Note:
For remote configuration, the complete directory location to the application’s
executable file must be specified in the Launch application field. All target
computers must have the application placed in the same directory location.
Launch Browser
NetSign starts the user’s default web browser when a smart card is inserted. The
browser opens at the web site specified from the Application or Web address
field.
Launch Email
NetSign launches the user’s default e-mail application when a smart card is
inserted into the reader.
No action performed
NetSign does not take an action when a card is inserted. This is the default.
NetSign Response to a Card Removal Event
Policy Option
Description
Close launched application
NetSign closes the application that was initially launched when a smart card was inserted. This action
also applies to e-mail and browser actions that were started when the smart card was inserted into the
reader.
Launch Application
NetSign starts a specified application when the smart card is removed.
Lock Workstation
NetSign locks the computer when the smart card is removed from the card reader.
Log off from Windows
NetSign logs off the user from the computer when the smart card is removed.
No action performed
NetSign does not take an action when the card is removed from the reader. This is the default.
Because the default leaves the logged-on session open after the card is pulled, choose Lock Workstation
or Log off from Windows where card presence is meant to gate the session, for example on shared
workstations.
User Override of Card Events
If this policy is enabled, card insertion and card removal policies can be overridden by end users without
administrator authority. Leave it disabled where the card removal action is relied on as a control, since an
override lets the user turn that action off.
59
Certificate Registration
This group of policy options determines how NetSign handles certificates on the user’s smart card.
Policy Option
Description
Register certificates for use with IE
When this item is checked, certificates are automatically registered with the Microsoft Certificate store
after the smart card is inserted. This policy must be enabled if you are going to enable Auto-register
certificates with Outlook under Outlook AutoConfigure.
The Microsoft Certificate Store is used to store certificates for CAPI-based applications. This includes
Internet Explorer, Outlook, Outlook Express, Windows 2000 Logon, some VPNs, and other applications.
The setting for Action to perform when a smart card is inserted does not affect this setting.
Important:
Windows XP and Windows 2003 Server automatically register certificates with the Microsoft certificate
store after a smart card is inserted in the reader. The value you set for this policy will be ignored and
certificates will be registered if NetSign is installed on a computer running Windows XP or Server 2003.
Remove certificates when the user logs off
When this option is checked, CAC identity, signing, and encryption certificates are removed from the
Microsoft Certificate Store under the personal section for the user when the user logs off from the
computer. All other non-CAC certificates remain in the user’s personal certificate store.
This policy option is useful for a computer that is shared by several users. Note what it does and does
not protect: the private keys never leave the card, so what is removed is the public certificates. The
option keeps one user’s identity from lingering in the store for the next user of the machine; it is not a
key-protection measure.
Remove certificates when a card is removed from the reader
When this option is selected, CAC identity, signing, and encryption certificates are removed from the
Microsoft Certificate Store under the user’s personal section when the card is removed from the reader.
All other non-CAC certificates remain in the user’s personal certificate store.
Cache smart card certificates on the user’s computer
Copies of certificates on the user’s smart card are stored locally on the computer to improve
performance. Otherwise, certificates are read directly from the card inserted in the reader. Typically,
certificates should be cached to improve performance.
60
Outlook Configuration
Outlook AutoConfigure allows you to force certain Outlook security settings on the user’s computer. These
settings can be pre-configured as part of the install script. This allows you to perform an install of NetSign
and have Outlook fully configured for use without having to open Outlook. If Outlook is not currently
installed, the settings become effective after Outlook has been installed.
AutoConfigure allows you to force the following Outlook settings to either ON, OFF or No Override:
• Automatically sign outgoing messages
• Attach digital signature in clear text
• Automatically encrypt outgoing messages
• S/MIME return receipt for outgoing e-mail messages that verifies the message was delivered unaltered
and provides information about who opened the message. This feature only applies to Outlook XP and
Outlook 2003.
When AutoConfigure is active, it overrides the existing Outlook setting each time certificates are registered
with IE. This prevents users from changing settings that should not be changed. Additionally, if your
domain is configured to push registry settings to end user computers, then you can change all end users’
settings automatically.
Auto-register Certificates with Outlook
When the Auto-register policy has been specified, signing and encrypting e-mail messages are
automatically configured for use with Outlook. This occurs immediately after certificates are registered with
the Microsoft certificate store. The administrator does not need to configure Outlook for the user after
certificates have been installed on the computer.
Certificate registration occurs each time a card is inserted into the card reader. This process also helps
reduce NetSign maintenance. When users receive new cards with new certificates on them, they only have
to insert the card and the computer will be automatically configured to use Outlook.
The Outlook auto-register policy has some limitations that make it inappropriate for all users. The
limitations include the following:
• Certificates are configured regardless of whether e-mail addresses match.
The last card inserted will be used to sign/encrypt mail. If the e-mail address in the certificate does not
match the address of the Outlook profile, sending a message will fail with an error message.
• Outlook Express is not supported.
NetSign does not provide automatic configuration for Outlook Express.
• Only one e-mail profile per user account is supported.
If more than one Outlook profile exists for the user account, only the first profile will be updated.
• The expiration date of a certificate is not checked before configuring.
If the user inserts a card with an expired certificate, it will be configured.
61
Outlook Profile
Note:
Changing the default Outlook profile is available only from the Policies page. By default, NetSign permits
users without administrator authority to select the Outlook profile associated with NetSign.
Users can select another Outlook profile to configure with NetSign by clicking on the Profile button from
the Policies page.
Users select the profile they want to AutoConfigure and click OK. Thereafter, NetSign applies its
configuration policies to the selected Outlook profile.
NetSign automatically detects if there are multiple Outlook profiles configured on a computer. When
multiple profiles are detected, a pop-up dialog appears on the user’s screen and requests the Outlook
profile be selected to AutoConfigure with NetSign.
Again, users select the profile from the drop-down list of the Select Profile dialog box and click OK.
Publish to GAL
If this policy is enabled, the user's certificates are automatically published to the Outlook Global Address
List (GAL) when registering certificates. If the Publish to GAL option is selected, both the Auto-register
certificates with Outlook and Auto-register Certificates for IE options must be selected.
Auto Decrypt
If the Auto decrypt policy has been selected, Outlook automatically decrypts incoming e-mail messages.
Auto Decrypt may not be appropriate in all circumstances. If e-mail messages are encrypted to secure
their contents wherever they reside, including in the recipient’s mailbox, Auto Decrypt is not appropriate.
If you use encrypted e-mail only because you do not trust the channel over which the e-mail is
transmitted, Auto Decrypt may be appropriate, since that protection is no longer needed once the
message has arrived.
Auto Decrypt works only with Outlook. It does not support Outlook Express or Netscape.
Auto Contact
If Auto contact policy has been selected, the person who sent a signed e-mail message is automatically
added to the user’s address book after reading the message. This gives users the capability of sending an
encrypted e-mail message to anyone who has previously sent them a signed e-mail message.
Auto Contact works only with Outlook. It does not support Outlook Express or Netscape.
62
Auto Update
The Auto Update policy provides a method to distribute NetSign patches and updates whose integrity rests
on a code signature. The client computer is configured with the location of the server, a polling interval to
check for updates, and the trusted certificate that is used to sign the patches. The client is also configured
whether the user should be asked/notified before a patch is installed. When a patch is available, the client
computer downloads the patch from the server and validates the signature against the configured
certificate. Once downloaded and verified, the patch is installed and the client computer notifies the server
so that a log can be kept of who has received patches.
Two files are distributed for NetSign update patches: an executable containing the patch itself and a file
named cac-ver.php. Before the patch is placed on the Auto Update Server, the patch must be signed using
signcode.exe (from Microsoft). Sign the patch executable with your signing certificate, which is the same
as the certificate configured for Auto Update Certificate on the client. Because every client executes
whatever carries a valid signature from that certificate, protect the signing key accordingly: use a Hardware
Security Module (HSM) or at least a smart card for signing the patches.
After the patch has been signed, place the patch in the Auto Update Server repository, which is in the
same location as cac-ver.php. Clients that are configured for Auto Update will automatically download and
execute the patches from the Auto Update Server if the patch is newer than the version already installed
on their computer. The repository is fetched over plain HTTP, so the signature check, not the transport, is
what protects clients from a tampered or substituted patch.
Auto Update policies on the client computer determine update polling. If the Auto Update policy is checked
on the Policies page, you must verify that the Auto Update Interval, Web Server, and Virtual Directory
fields contain values.
63
If these values are not set, the Auto Update properties dialog will open to allow the user to set these
values. If you do not wish to set these values, the Auto Update option on the Policies page should be
unchecked.
Mode Setting
Description
Auto Update Mode
Drop-down list to specify how the update patch will be downloaded and installed on a client computer
running NetSign. The choices from the drop-down list are:
AUTO: Downloads and executes the patch without user intervention. Users see a pop-up message
indicating that a patch is currently being installed on their computers.
MANUAL: Auto Update runs only when the user requests a NetSign update by selecting the Update Now
option from the Card Start menu.
Auto Update Interval
The length (hours) of the interval at which the client computer polls the server to see if a new patch is
available. By default, the patch polling request occurs on the hour.
Web Server
The DNS name of the web server hosting the Auto Update Server where NetSign patches are located.
Virtual Directory
The directory on the web server where Auto Update patches reside. The cac-ver.php file is placed at the
following location:
http://AutoUpdateWebServerName/AutoUpdateDirectoryOnServer/cac-ver.php
Auto Update Certificate
This is the certificate, or the root of the certificate chain, used to sign the patches. The Browse button
displays the Open dialog box to navigate to the directory where the certificate file (.cer) is located.
Configuring the signing certificate itself is the tighter choice: if a root is configured instead, a patch signed
by any certificate issued under that root will be accepted.
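The following PowerShell script is an added example, not NetSign code, of the checks a client in the Auto Update scheme above has to make before running a patch: fetch cac-ver.php, compare versions, download the patch, verify its Authenticode signature and confirm that the signer is the expected certificate rather than merely any certificate trusted by Windows. The manual does not describe the contents of cac-ver.php; the script assumes two lines, a version and a patch file name. The server name, virtual directory and thumbprint are placeholders.

```powershell
# Added example, not NetSign code. Assumptions (not from the manual): cac-ver.php returns two
# lines, "<version>" and "<patch file name>"; $Server and $VirtualDirectory stand in for the
# Web Server and Virtual Directory policy fields; $SignerThumbprint is the SHA-1 thumbprint of
# the patch-signing certificate (the leaf, pinned deliberately rather than a root).
# Requires PowerShell 3.0 or later for Invoke-WebRequest.

function Get-UpdateManifest {
    param([string]$BaseUrl)
    $body  = (Invoke-WebRequest -Uri "$BaseUrl/cac-ver.php" -UseBasicParsing).Content
    $lines = @($body -split "`r?`n" | Where-Object { $_.Trim() -ne '' })
    if ($lines.Count -lt 2) { throw 'cac-ver.php is malformed (expected version and file name)' }
    # Split-Path -Leaf drops any directory part a tampered manifest might smuggle in,
    # so the patch is always written directly under $env:TEMP.
    [pscustomobject]@{
        Version   = [version]($lines[0].Trim())
        PatchFile = Split-Path -Leaf ($lines[1].Trim())
    }
}

function Test-PatchSignature {
    param([string]$Path, [string]$SignerThumbprint)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # 'Valid' means the Authenticode signature verifies and chains to a trusted root;
    # the thumbprint comparison additionally rejects any other certificate under that root.
    if ($sig.Status -ne 'Valid') { return $false }
    return ($sig.SignerCertificate.Thumbprint -eq $SignerThumbprint)
}

function Invoke-NetSignAutoUpdate {
    param(
        [string]$Server,
        [string]$VirtualDirectory,
        [string]$SignerThumbprint,
        [version]$InstalledVersion
    )
    $base     = "http://$Server/$VirtualDirectory"
    $manifest = Get-UpdateManifest -BaseUrl $base
    if ($manifest.Version -le $InstalledVersion) {
        Write-Host "Installed version $InstalledVersion is current."
        return
    }
    $patchPath = Join-Path $env:TEMP $manifest.PatchFile
    Invoke-WebRequest -Uri "$base/$($manifest.PatchFile)" -OutFile $patchPath -UseBasicParsing
    # The transport is plain HTTP, so this signature check is the only integrity control.
    if (-not (Test-PatchSignature -Path $patchPath -SignerThumbprint $SignerThumbprint)) {
        Remove-Item -Path $patchPath -ErrorAction SilentlyContinue
        throw "Patch $($manifest.PatchFile) failed signature verification; not installed."
    }
    Write-Host "Installing $($manifest.PatchFile) (version $($manifest.Version))..."
    Start-Process -FilePath $patchPath -Wait
}

# Example invocation with assumed values:
Invoke-NetSignAutoUpdate -Server 'updates.example.local' -VirtualDirectory 'NetSignUpdate' `
    -SignerThumbprint 'A1B2C3D4E5F60718293A4B5C6D7E8F9012345678' -InstalledVersion '5.5.0.0'
```

The thumbprint pin is the part that matters: without it, a `Valid` status only says the file was signed by some certificate that chains to a root Windows trusts, which is a much larger set than the one certificate you configured in the Auto Update Certificate field.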
PIN Policy
PIN policy determines how often users must enter their PIN when accessing applications and how often
their PIN must be changed.
PIN Cache Mode
The local PIN Cache Mode field includes a drop-down list to set the cache mode and the length of a time
out period.
The drop-down list provides three PIN cache mode options:
• PIN Once
A PIN has to be entered once for each use of an application.
• PIN Always
A PIN must be entered each time a secure operation (such as signing) is performed.
• PIN Timeout
This option allows you to specify a time out period after which the user’s smart card will be logged out.
Once the card is logged out, users must re-enter their PIN to continue secure operations. The default
time out period is 15 minutes.
64
If you click the Advanced button, the Advanced PIN Policy dialog box provides options to set more
granular time out periods. Instead of a single PIN time out for the card, you can set individual PIN time out
periods for the ID, signing and encryption certificates. Also, you can set a PIN time out period for a specific
application that requires a card.
Setting a certificate’s cache time out period to 0 requires the user to enter the PIN each time a secure
operation is performed. A time out period of 0 is equivalent to the PIN Always cache option.
If there is a difference between a specific certificate time-out period and an application’s time-out period,
the shorter time out period takes precedence. For example, if the signing certificate’s time out period is 15
minutes and Outlook’s period is 30 minutes, the user would have to re-enter the PIN after the signing
certificate’s shorter 15 minute period. While the PIN is cached the card stays logged in and will sign or
decrypt for the user’s session without prompting again, so the timeout bounds how long an unattended
session, or anything running in it, can use the card.
PIN Change AutoRemind
PIN Change AutoRemind prompts users to change their PIN on a periodic basis. If the user does not
change their PIN within the specified period, a message appears and requests the PIN be changed. The
PIN change dialog box will open. The message reappears whenever a card is inserted into the reader until
the user changes the PIN.
If the user has never changed the PIN, and PIN Change AutoRemind is turned on, NetSign will not
immediately request a PIN change. Rather, NetSign will reset the clock for PIN change.
PIN Change AutoRemind does not keep track of which card was last used for the PIN change. Even if
multiple cards are used on the same system, only one PIN Change AutoRemind will be displayed for the
configured AutoRemind time period.
Web Links
If these policies are set, alternative URLs to the Litronic feedback and technical support web pages can be
specified.
Note:
Web link policies cannot be set locally. They must be set remotely, or through the Configuration Wizard.
65
66
Chapter 5 SSL and Client Authentication
Secure Sockets Layer (SSL) is a standard security technology to establish an encrypted communication
link between a web server and a browser. This link protects the confidentiality and integrity of all data sent
between the web server and browser. SSL is an industry standard and is used by millions of web sites in
the protection of their online transactions with their customers. In order to be able to establish an SSL link,
a web server requires an SSL Certificate.
When you choose to activate SSL on your web server you will be prompted to complete a number of
questions about the identity of your web site (e.g. your web site's URL) and your company (e.g. your
company's name and location). Your web server then creates a cryptographic key pair: a Private Key and a
Public Key. Your Private Key is so called for a reason: it must remain private and secure. The Public Key
does not need to be secret and is placed into a Certificate Signing Request (CSR), a data file that also
contains your details. You then submit the CSR during the SSL Certificate application process; the
Certification Authority validates your details and issues an SSL Certificate containing your details and
allowing you to use SSL.
Your web server will match your issued SSL Certificate to your Private Key. Your web server will then be
able to establish an encrypted link between the web site and the user’s web browser.
67
Generating the Certificate Signing Request
You must generate a Certificate Signing Request (CSR) to obtain a certificate. A CSR is not itself a
certificate: it is a request, generated on your server, that carries the server’s public key together with the
identifying information about your server, and is signed with the matching private key so that the
third-party certificate authority (CA) can confirm you hold that key. The CSR is a Base64-encoded text
block (PKCS #10 format); it is not encrypted.
Typically, the generated CSR contains the following information:
• Common domain name
Note:
The common name is the fully qualified name browsers will use to reach the site, made up of your host
computer name and the domain to which it belongs, such as xyz.com. This may be the root server for
your corporate domain, or simply a web site. A certificate whose common name does not match the
name in the URL produces a browser warning.
• Organization
• Organizational unit
• City or locality
• State or province
• Country/region
You generate a CSR through the IIS management console; IIS must be installed on the server.
1. Access the IIS Microsoft Management Console (MMC).
a. Right-click My Computer and click Manage. This opens the Computer Management Console.
b. Expand the Services and Application section.
c. Locate Internet Information Services and expand the IIS console.
2. Select the specific web site on which you want to install a server certificate. Right-click the site and
click Properties.
3. Click the Directory Security tab. In the Secure Communications section, click Server Certificate.
This starts the Web Server Certificate Wizard. Click Next.
4. Select Create a New Certificate and click Next.
5. Select Prepare the request now, but send it later and click Next.
6. In the Name field, enter a name.
The name defaults to the name of the web site for which you are generating the CSR.
Note:
When you generate the CSR, you need to specify the bit length of the key pair. The bit length
determines the strength of the key the CA will certify: the greater the bit length, the harder the key is to
break. When this guide was written most third-party CAs accepted a minimum of 1024 bits; public CAs
now reject RSA keys shorter than 2048 bits, so choose at least 2048.
68
7. In the Organization Information section, enter your organization and organizational unit information.
This information must be accurate because you are presenting these credentials to a third-party CA
and you must comply with their licensing of the certificate.
8. Click Next to access the Your Site's Common Name section.
The Your Site's Common Name section is responsible for binding the certificate to your web site.
9. For SSL certificates, enter the host computer name with the domain name.
For Intranet servers, you may use the NetBIOS name of the computer that is hosting the site.
10. Click Next to access geographical information.
11. Enter your country, state or province, and country or region information.
Completely spell out the name of the state or province and country or region; do not use abbreviations.
12. Click Next.
13. Save the file as a .txt file.
When you send the request to the CA, you must paste the contents of this file into the request. The file
is Base64-encoded text (not encrypted) with a header line and a footer line around the contents. You
must include both the header and footer when you request the certificate. A CSR should resemble the
following:
-----BEGIN NEW CERTIFICATE REQUEST----MIIDATCCAmoCAQAwbDEOMAwGA1UEAxMFcGxhbjgxDDAKBgNVBAsTA1BTUzESMBAGA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-----END NEW CERTIFICATE REQUEST-----
14. Confirm your request details. Click Next to finish, and exit the Web Server Certificate Wizard.
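The wizard steps above can also be carried out from the command line, which makes the request reviewable and repeatable. The script below is an added example, not part of the manual or of IIS, that produces the same kind of CSR with certreq.exe: it writes the .inf that certreq reads, generates a 2048-bit RSA key in the computer's key store (non-exportable, bound to the SChannel provider so IIS can use it), emits the Base64 request and decodes it so the subject and key length can be checked before submission. The host and organisation values are placeholders.

```powershell
# Added example, not from the manual: generate the IIS server CSR with certreq.exe instead of
# the Web Server Certificate Wizard. Host name and organisation values are assumed placeholders.
function New-WebServerCsr {
    param(
        [Parameter(Mandatory)][string]$HostName,            # the Common Name, e.g. www.xyz.com
        [string]$Organization       = 'XYZ Corporation',    # assumed
        [string]$OrganizationalUnit = 'Web Services',       # assumed
        [string]$Locality           = 'Irvine',             # assumed
        [string]$State              = 'California',         # spelled out, as the wizard requires
        [string]$Country            = 'US',
        [int]$KeyLength             = 2048                  # 1024 is no longer accepted by public CAs
    )
    $subject = "CN=$HostName, OU=$OrganizationalUnit, O=$Organization, L=$Locality, S=$State, C=$Country"

    # certreq reads its settings from an .inf file. KeySpec=1 with the SChannel provider gives a
    # key usable for SSL, MachineKeySet=TRUE puts it in the computer's store where IIS looks for
    # it, and Exportable=FALSE keeps the private key from being copied off the server.
    $inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "$subject"
KeyLength = $KeyLength
KeyAlgorithm = RSA
HashAlgorithm = sha256
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
KeySpec = 1
KeyUsage = 0xA0
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@
    $infPath = Join-Path $env:TEMP "$HostName.inf"
    $csrPath = Join-Path $env:TEMP "$HostName.csr"
    Remove-Item -Path $csrPath -ErrorAction SilentlyContinue
    Set-Content -Path $infPath -Value $inf -Encoding ASCII

    & certreq.exe -new $infPath $csrPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq.exe failed with exit code $LASTEXITCODE" }
    return $csrPath
}

$csr = New-WebServerCsr -HostName 'www.xyz.com'
# Decode the request and confirm the subject, key length and Server Authentication EKU
# (1.3.6.1.5.5.7.3.1) before pasting it into the CA's form.
certutil.exe -dump $csr
# The Base64 block between the BEGIN/END lines, header and footer included, is what you submit.
Get-Content -Path $csr
```

Because the private key is created on, and never leaves, the server that ran certreq, the issued certificate must later be installed on that same server; installing it anywhere else fails for lack of the matching key.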
69
Requesting the Certificate
There are different methods of submitting a certificate request. Contact the certificate provider of your
choice to request and receive your certificate and to determine the best certificate level for your needs.
Installing the Certificate
Once the third-party CA has completed your request for a server certificate, you will receive it by e-mail or
from a download site. The certificate must be installed on the web site on which you want to provide
secure communications. The certificate contains only the public key; it is usable on this server only
because the matching private key you generated earlier is already in the server’s key store, so the request
and the installation must be performed on the same server.
1. Copy the text of the certificate (it should look very similar to the request you generated earlier)
and paste it into a .txt document.
Be sure to include the header and footer lines of the certificate.
2. Save the file as Cert.txt.
3. Open the IIS MMC as described in the “Generating the CSR” section.
4. Access the Properties dialog box for the web site on which you are installing the certificate.
5. Click the Directory Security tab and click Server Certificate.
This starts the Web Server Certificate Wizard.
6. Click Next.
7. Select Process the Pending Request and install the certificate and click Next.
8. Browse to the text file that you saved in step 2.
9. Click Next twice.
10. Click Finish.
70
Enforcing SSL Connections
Now that the server certificate is installed, you can enforce SSL secure channel communications with
clients of the web server. First, you need to enable port 443 for secure communications with the Web site.
To enable secure communications with the Web site
1. From the Computer Management console, right-click the web site on which you want to enforce SSL
and click Properties.
2. Click the Web Site tab.
In the Web Site Identification area, verify the SSL Port option contains the value 443.
3. Click Advanced.
The IP address and port of the web site should already be listed in the Multiple identities for this
Web Site option.
4. Under the Multiple SSL Identities for this web site option, click Add if port 443 is not already listed.
5. Select the server's IP address and enter 443 in the SSL Port box.
6. Click OK.
To enforce SSL connections
1. Click the Directory Security tab.
In the Secure Communications section, note that Edit is now available.
2. Click Edit.
3. Select Require Secure Channel (SSL).
Note: If you specify 128-bit encryption, clients who use 40-bit or 56-bit strength browser will not be
able to communicate with your site unless they upgrade their encryption strength.
4. Open your browser and try to connect to your Web server by using the standard http:// protocol.
If SSL is being enforced, the following error message will be displayed:
The page must be viewed over a secure channel
The page you are trying to view requires the use of "https" in the address.
Please try the following: Try again by typing https:// at the beginning of
the address you are attempting to reach. HTTP 403.4 - Forbidden: SSL
required Internet Information Services
Technical Information (for support personnel) Background: This error
indicates that the page you are trying to access is secured with Secure
Sockets Layer (SSL).
You can now connect to your web site only by using the secure https://
protocol.
71
Enabling Client Certificate Authentication
1. Start Internet Information Services Manager.
Start > Programs > Administrative tools > Internet Services Manager
2. Access your web site properties by right-clicking the web site you wish to configure.
3. Click the Directory Security tab.
4. Click Edit within the Secure communications section.
5. Check the Require client certificates option within the Client certificates section.
6. Click OK.
Require client certificates makes IIS demand a certificate that chains to one of the CAs the server trusts
(the next section shows how to restrict that list). It does not by itself tie the certificate to a Windows
account; for that, the certificate must be mapped, either through IIS one-to-one or many-to-one account
mappings or through the Windows Directory Service Mapper, which is why the Citrix procedure in
Chapter 6 enables the mapper.
72
Modifying the Registry to Restrict Trusted Certification
Authorities
If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall
your operating system. Use the Registry Editor carefully.
All trusted CA certificates are handled by the Schannel.dll file, which stores its data in the registry. In the
registry, you see a series of registry keys under the CertificationAuthorities key. There is one key for
each pre-installed CA. Each CA key contains an Enabled entry. This entry is set to 0x1 if the CA is trusted,
or is set to 0x0 if the CA is not trusted. Disabling a CA here both stops the server accepting client
certificates issued by it and removes it from the list of acceptable issuers the server sends to the browser
during the SSL handshake.
Note:
Do not delete these registry entries. If you do, Schannel automatically recreates them.
1. Start Registry Editor (Regedt32.exe).
2. Locate the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\
SCHANNEL\CertificationAuthorities
You should see a list of all of the trusted CAs on the computer.
3. Click the CA that you do not want to trust.
4. Select the Enabled value and set it to 0 (zero).
5. Repeat these steps for every CA that you do not want to trust.
6. Restart the computer.
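Done by hand in Regedt32 this is error-prone, and on a server that should accept only CAC issuers it is easy to miss one. The script below is an added example, not from the manual, that applies the same change as an allow-list: every key under CertificationAuthorities is set to Enabled=0 unless its name is on the list, keys are never deleted (Schannel would recreate them), and the resulting state is reported. It assumes, as the manual describes, that the key names are the CA names shown in Regedt32; the CA names in the allow-list are placeholders.

```powershell
# Added example, not from the manual: restrict Schannel's trusted CA list with an allow-list.
# Assumptions: key names under CertificationAuthorities are the CA display names (as the manual
# describes), and the names passed to Set-TrustedSchannelCAs below are placeholders.
$CaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\CertificationAuthorities'

function Set-TrustedSchannelCAs {
    param([Parameter(Mandatory)][string[]]$AllowedCaNames)
    if (-not (Test-Path -Path $CaKey)) {
        throw "Key $CaKey not found; this mechanism applies to the IIS versions covered in this chapter."
    }
    foreach ($ca in Get-ChildItem -Path $CaKey) {
        $name    = $ca.PSChildName
        $enabled = if ($AllowedCaNames -contains $name) { 1 } else { 0 }
        # Set the DWORD rather than deleting the key: Schannel recreates deleted keys.
        Set-ItemProperty -Path $ca.PSPath -Name 'Enabled' -Value $enabled -Type DWord
    }
}

function Get-TrustedSchannelCAs {
    # Report every CA key with its current Enabled value so the result can be reviewed.
    Get-ChildItem -Path $CaKey | ForEach-Object {
        $value = Get-ItemProperty -Path $_.PSPath -Name 'Enabled' -ErrorAction SilentlyContinue
        [pscustomobject]@{
            CA      = $_.PSChildName
            Enabled = if ($value) { [int]$value.Enabled } else { $null }
        }
    }
}

# Assumed allow-list: only the named CAs remain trusted for client authentication.
Set-TrustedSchannelCAs -AllowedCaNames @('DoD CLASS 3 Root CA', 'DoD Root CA 2')
Get-TrustedSchannelCAs | Sort-Object Enabled, CA | Format-Table -AutoSize
# As in step 6 above, restart the computer afterwards so Schannel reloads the list.
```

Run the reporting function again after the restart; a CA that shows Enabled=1 and is not on your list is one Schannel has recreated, which is the cue to re-run the allow-list rather than delete the key.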
73
Useful links
• Microsoft Knowledge Base Article – 298805
HOW TO: Enable SSL for All Customers Who Interact with Your Web Site in Internet Information
Services
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q298805&sd=tech
• Microsoft IIS Authentication
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vsent7/html/vxconIISAuthentication.asp
• Microsoft Knowledge Base Article – 216485
HOW TO: Limit the Number of Trusted Certification Authorities in IIS
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q216485
74
Chapter 6 Using NetSign with Citrix
NetSign for Citrix works much the same as NetSign for Windows, with the capacity to work with up to 25
concurrent Citrix sessions and with users logged on to multiple concurrent Citrix sessions. NetSign for Citrix
supports cryptographic logon to Citrix through the Citrix Secure Gateway.
This chapter gives an overview of the tasks to prepare NetSign to work with Citrix. It does not discuss
specific Citrix configuration procedures in detail. Refer to Citrix documentation for information about setting
up its servers and clients.
Desktop View vs. Application View
The application view of Citrix is available through the Citrix Desktop or through the Web Client (Web
Interface). Many of NetSign’s functions operate through the CardStart application. In order for them to work,
the CardStart application must be published by registering the application using the NetSign Configuration
Wizard or the scconfig.exe command.
The following NetSign functions operate through the CardStart Application:
• Action to perform when a smart card is inserted
• Action to perform when a smart card is removed
• Certificate registration
• Auto-register certificates for IE
• Auto Unreg on logoff
• Auto Unreg on remove
• Outlook AutoConfigure
• Auto-register Certificates with Outlook
• Publish to GAL
• Auto Update
• PIN Change AutoRemind
Citrix Products Supported by NetSign
NetSign can operate under the Citrix MetaFrame® Access Suite to authenticate users to applications hosted
in a Citrix environment. NetSign Version 5.5 can operate with the following Citrix products:
• Citrix Metaframe XP Presentation Server FR3
• Citrix ICA Client 7.0
• Citrix ICA Client 8.0
75
Initial Preparation
This section describes the initial environment that must be prepared for NetSign to provide smart card
logon support for Citrix. It does not discuss Citrix-specific installation or configuration procedures in detail.
Instead, it gives an overview of the tasks to enable NetSign to work in a Citrix environment.
There are three main procedures to provide NetSign support for Citrix:
• Set up a domain controller for smart card logon
• Set up a Citrix server on a Windows 2000/2003 server with Terminal Services running
• Set up the user’s computer with NetSign, the Citrix client and a card reader
These instructions are provided for a Citrix system with Citrix installed on both the server and the client(s).
Install NetSign on the server. From the Citrix server, prepare the client so NetSign appears as the only
application when the connection to the server is made.
NetSign 5.5 executes on the server. Like other applications, NetSign must be registered to Citrix.
Configure Windows Domain Controller for Smart Card Logon
1. Prepare a server to run on Windows Server 2003 Enterprise Edition as a domain controller.
2. Install an issuance CA.
3. Verify the CA certificate is in the trust root.
4. Verify that the card certificate is valid by using the following command:
certutil -scinfo
5. If the certificate revoke list is not obtainable, import the revoke list by clicking on the crl file that is
exported from the CA and click Install from the certificate window.
6. Import a CA certificate to the certificate store using the command:
certutil -dspublish -f filename NTAuthCA
7. Add users to the Active Directory.
8. Display the contents of the user certificate with the NetSign Card Browser function.
9. Verify the certificate is intended for Smart Card Logon.
Using Card Browser Detail, identify the user login name by looking at the Subject Alternative
Name-> Principal Name field.
10. From Programs->Administrator tools->Active Directory Users and Computers right click on user
and select New.
This brings up the Add user dialog box.
11. Enter the user name and login name in the appropriate fields.
12. Use adsiedit.msc (installed from the support tools) to edit the new Active Directory user.
13. Change userPrincipalName to match the value in the certificate's Principal Name field.
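As an added example (not part of the NetSign guide), the following PowerShell script performs the checks behind steps 3, 5, 9 and 13 for a user certificate exported from the card: it confirms the Smart Card Logon EKU, reads the Principal Name from the Subject Alternative Name, builds the chain with revocation checking, and looks up the matching userPrincipalName in Active Directory. It assumes the ActiveDirectory module (RSAT) is available; $CertPath is a placeholder for the exported certificate file.

```powershell
# Added example; not part of the NetSign guide. Run on the domain controller with the
# ActiveDirectory module available. $CertPath is a placeholder for a user certificate
# exported from the card (DER or Base-64 .cer).
param(
    [Parameter(Mandatory = $true)]
    [string]$CertPath
)

$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'   # Microsoft Smart Card Logon EKU

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# Step 9: the certificate must be intended for Smart Card Logon (EKU present).
# 2.5.29.37 is id-ce-extKeyUsage; .NET exposes it as X509EnhancedKeyUsageExtension.
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$hasSmartCardLogon = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $SmartCardLogonOid })

# Step 9, continued: the login name is the Principal Name in the Subject Alternative Name,
# the same field Card Browser Detail shows.
$upn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::UpnName, $false)

# Steps 3 and 5: build the chain with online revocation checking. An issuing CA that is not
# in the trusted root store, or a CRL that cannot be retrieved, shows up in ChainStatus.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'        # enum properties accept their value names
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$chainValid = $chain.Build($cert)
$chainProblems = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })

# Step 13: exactly one AD account must carry this UPN as its userPrincipalName.
Import-Module ActiveDirectory
$adUsers = @()
if ($upn) {
    $adUsers = @(Get-ADUser -Filter "userPrincipalName -eq '$upn'" -Properties userPrincipalName)
}

[pscustomobject]@{
    Subject           = $cert.Subject
    NotAfter          = $cert.NotAfter
    SmartCardLogonEku = $hasSmartCardLogon
    CertificateUpn    = $upn
    ChainValid        = $chainValid
    ChainProblems     = $chainProblems
    MatchingAdUsers   = @($adUsers | ForEach-Object { $_.SamAccountName })
}

# Smart card logon only works when every check passes.
if ($hasSmartCardLogon -and $upn -and $chainValid -and $adUsers.Count -eq 1) {
    Write-Host "OK: $upn maps to $($adUsers[0].SamAccountName) and the certificate validates."
} else {
    Write-Warning 'One or more smart card logon prerequisites are not met; review the output above.'
}
```

A UPN with no match, or with more than one match, is the case step 13 fixes by editing userPrincipalName with adsiedit.msc.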
76
Citrix Server Configuration Tasks
This section outlines the steps to prepare a Citrix server to support either a standard Citrix web-based
client or the Citrix Desktop client.
Citrix Server Configuration for the Web-based Citrix Client
1. Install Citrix XPe and accept installation defaults.
2. Select a name for the Citrix farm you intend to use for NetSign users.
3. Log on to the management console.
4. Set up Licenses by right-clicking on the Licenses and then selecting Add Licenses from the menu.
5. Publish applications.
a. Right-click Applications.
b. Select the Publish Application option.
c. Assign the applications by name.
6. Select application and command line.
7. Add the Citrix server by completing the remainder of the Wizard dialog.
8. Select the appropriate permissions through the Active Directory for the domain.
9. Go to the web interface http://<servername>/Citrix/MetaFrameXP/WIAdmin/.
10. Select Authentication > Select smart card > Save.
11. Add the Citrix farm.
a. Select Manage Farms.
b. Enter the name of the farm hosting the web interface.
c. Click Add and Save.
12. Select the link to the Citrix Metaframe server.
a. Enter the name of the server hosting the web interface for the farm.
b. Select HTTPS.
c. Click Save.
13. Configure IIS to accept secure communications.
a. Right click IIS server > Properties.
b. Click Edit.
c. Select Directory Security.
d. Check the box to enable the Windows Directory Service Mapper.
e. Click OK.
77
14. Create a certificate request.
a. Right click default web site > Properties > directory security > Server Certificate.
b. Click Next.
c. Create a new certificate.
d. Prepare the request, but do not submit it yet.
e. Click Next and enter the certificate name.
f. Assign a common name to the certificate and click Next.
g. Complete geographical information and click Next.
h. Enter the file name and click Next.
i. Click Finish.
15. Issue a root certificate through a CA and install it.
16. Verify the certificate is listed in the Directory Security tab within the Secure Communications dialog
box.
17. Install a card reader and software drivers on the Citrix server.
18. Install NetSign on the Citrix server.
78
Citrix Server Configuration for the Citrix Desktop Client
This section outlines the steps to prepare a Citrix server to support the Citrix Desktop client.
1. Install Citrix XPe and accept installation defaults.
2. Select a name for the Citrix farm you intend to use for NetSign users.
3. Log on to the Citrix management console.
4. Set up licenses by right-clicking on Licenses and then selecting Add Licenses from the menu.
5. Publish applications by completing the sequence:
a. Right click on Applications.
b. Select Publish Application from the menu.
c. Assign a name to the application.
6. Select application and command line.
7. Add the Citrix server by completing the remainder of the Wizard dialog.
8. Select appropriate permissions through the Active Directory of the domain.
9. Install a card reader and software drivers on the Citrix server.
10. Install NetSign on the Citrix server.
79
Client Computer Configuration Tasks
1. Verify the client computer is running on Windows 2000 or Windows XP Professional.
2. Install a smart card reader and its software driver on the client computer.
3. Install NetSign Version 5.5 on the client computer.
4. If necessary, join the client computer to a domain accessible by the Citrix Server.
5. Install the Citrix client and configure it for a smart card logon.
6. Install an issuance CA root certificate chain on the client computer.
Note:
In order for Netscape to function properly, the DoD root and intermediate certificates must be registered
and the PKCS #11 crypto module must be configured for Netscape. During a Windows installation, this is
performed by the installation procedure. For Citrix, the registration must be performed manually on the
client by running nsreg.exe at least once. The nsreg.exe file is located in the home directory of the
NetSign product CD.
7. Verify the CA certificate chain.
8. Register all applications that interface with the smart card reader.
This can be accomplished by two methods:
• Applications can be added by the NetSign Configuration Wizard. Refer to “Citrix Server Dialog Box”
on page 20 to register hosted applications that run on a Citrix server and are secured with a smart
card. By default, the following applications are registered to Citrix when NetSign is installed:
CrdStart.exe: NetSign card start function
IEXPLORE.EXE: Internet Explorer web browser
netscape.exe: Netscape web browser
NetSign.exe: NetSign smart card middleware
OUTLOOK.EXE: Outlook e-mail application
pinChange.exe: NetSign smart card PIN change dialog
psm.exe: Netscape Personal Security Manager
• The application can be added using the scconfig command.
To use the scconfig command to register applications, enter the following text at the command
line. Substitute the name of the application’s executable file that is to be registered.
C:\scconfig /farm /enable_process:application_command.exe
The majority of applications can be added using the NetSign Configuration Wizard and new
applications can be added later using the scconfig command.
80
How NetSign for Citrix is Different
Since Citrix enterprise access infrastructure software works differently from Windows, some NetSign
components may function differently. Some of these functional differences are described below:
Card Insertion - Windows 2000
When running Windows 2000 with the Citrix enterprise access infrastructure software, the option to launch
the browser when the smart card is inserted into the smart card reader may not function as desired. The
option to launch an application and the option to launch your e-mail program continue to work properly.
Card Removal - Windows 2000
When running Windows 2000 with the Citrix enterprise access infrastructure software, the option to log off
Windows when the smart card is removed from the smart card reader may not function as desired. The
option to close an application and the option to lock workstation continue to work properly.
Windows 2000 Netscape Profile Creation
If a Citrix server is configured with Windows 2000 and the Netscape application is running, it is necessary
to create a Netscape user profile before installing NetSign on the Citrix client. Failure to create the profile
prior to installing NetSign may cause unknown problems with NsReg, modutil, and certutil.
Certificate Registration in Netscape
When running Netscape with Citrix, certificates are not automatically registered for the browser. To register
certificates manually, Nsreg.exe must be executed on the client.
Certificate Registration - CardStart
Although it is strongly suggested that you run applications that use a smart card through a desktop view,
security policy for the Citrix server sometimes requires that an application be published standalone without
an available desktop view. When applications are run standalone, NetSign’s tools for automatic
configuration are not run, so certificate registration and Outlook configuration will not work. In order to use
CSP-based applications (such as Outlook or Internet Explorer) from the Citrix server, certificates from the
smart card must be registered first. If the desktop view is not available to register certificates, you can
publish the CardStart application (CrdStart.exe, located in the system32 directory).
81
Launch Browser
When launching a browser by inserting a card into the reader, a URL must be specified in the Policies. If
no URL is specified, NetSign does not automatically launch a browser session.
CardStart in Desktop View
When a user is finished working on Citrix in the desktop view, it is critical to log off Citrix rather than
disconnecting from Citrix. If a user disconnects from Citrix instead of properly logging off, the CardStart
application will not function when they resume working with the desktop view. Properly logging on and
logging off Citrix will ensure that CardStart continues to function correctly.
If a user inadvertently disconnects from Citrix, an administrator can manually log off the end user by using
the Management Console for the Citrix Server. The Management Console will show the client as
disconnected; the administrator can then log off the user. The next time the user logs in, CardStart will
function properly.
Auto Unreg on Log off
Selecting the Auto Unreg on Log off option from the Certificate registration box of the Policies Tab only
works when CardStart is running. If CardStart is not running, logging off from the Main desktop will not
remove certificates from the Microsoft Certificate Store. This is a function of the Citrix software, since Citrix
does not really log off when the smart card is removed from the reader.
CardStart Required to Implement Policy Changes
When a change is made to the NetSign policies set on the Citrix Server, CardStart must be run in order for
the changes to apply to any stand-alone applications executed on the client. Changes to the policies will
also be applied if CardStart is running in the background on the desktop view.
Saving Diagnostic Information from System Info Tab
(Application View Only)
If you save the diagnostic information detected by the System Info tab, the file will be saved in the desired
location, but NetSign will shut down. Restarting NetSign is required.
Internet Browser Fails to Close when Card is Removed
If the policy settings of the Citrix server are set to launch a URL when a smart card is inserted into the card
reader and close the application when the smart card is removed, the policies are not properly transferred
to the client. When the Citrix client is in the desktop view mode, the client’s Internet browser will launch
when the card is inserted, but the applications will not close when the smart card is removed.
82
Chapter 7 Using NetSign with Outlook Web Access
This chapter discusses how to configure NetSign to work with the Exchange Server 2003 version of
Microsoft Outlook Web Access (OWA) to permit users to digitally sign and encrypt e-mail messages by
using the new OWA Secure/Multipurpose Internet Mail Extension (S/MIME) control. The S/MIME control
works in conjunction with certificates placed on the user’s smart card to enable signing and encryption of
e-mail messages.
This chapter does not discuss how to install Exchange Server 2003 or set up user accounts. These tasks
should be completed before attempting the configuration procedures discussed in this chapter. If
necessary, refer to Microsoft Exchange Server documentation to complete the preliminary tasks before
attempting the procedures described in this chapter. This chapter describes only those specific
requirements to configure Outlook Web Access for use with NetSign.
Support for smart cards in Outlook Web Access with the S/MIME control is provided by the Windows
operating system on which the client is running. Windows 2000 or XP integrate smart cards into their
certificate handling capabilities so that Outlook Web Access does not need to handle or manage these
certificates. Outlook Web Access with the S/MIME control monitors the smart card for any changes and
instructs the operating system when to move additional digital certificates from the smart card into the
Personal certificate store. Windows removes these certificates when the user logs off from Outlook Web
Access.
Smart cards make digital certificates available by copying the certificate into the Personal certificate store
when a smart card is inserted and the digital certificate is unlocked with the user's private key. This places
the digital certificate in the same location as when software-based certificates are used. Applications do
not need to take any special actions to use smart card-based digital certificates, because the Windows
operating system handles all operations specific to smart card-based certificates.
83
Configuring Exchange Server 2003 for OWA
The users' Exchange servers must be configured to support Outlook Web Access with the S/MIME control.
The configuration enables handling and validation of digital certificates. Specifically, the user's Exchange
server must have appropriate root certificates present in the local computer account's Personal certificate
store, and must be able to access and retrieve information that PKIs make available for certificate
validation.
The user's client system handles digital certificates related to the user's private key, and the user's
Exchange server handles digital certificates related to other users' public keys as well as validates digital
certificates related to both public keys.
To access the information that PKIs make available for certificate validation, ensure that when users'
Exchange servers are behind a firewall, these servers can connect through the firewall using the
appropriate protocols (generally, HTTP or LDAP). Consult with the PKI administrator to determine what
configuration is necessary to support certificate validation on the client system and consult with the firewall
administrator to implement the appropriate changes.
Note
When using Windows Server 2003, you can use the Proxycfg.exe utility to configure the built-in HTTP
proxy client instead of installing a proxy client. However, this proxy does not support LDAP. If you need to
access certificate validation information through LDAP, you will need to install firewall clients that support
LDAP. For more information about using and configuring the Windows Server 2003 proxy client, see the
online Help with Proxycfg.exe.
After you install the S/MIME control on the users' client systems and ensure that the client systems and the
Exchange servers are configured to support the handling and validation of digital certificates, you can then
work with the PKI administrator to integrate Outlook Web Access with the S/MIME control with the smart
card.
Setting Exchange Server to Use Only Smart Card Certificates
When choosing a digital certificate to obtain the user's private key, Outlook Web Access with the S/MIME
control looks in the Personal certificate store of the current logged on user. Outlook Web Access with the
S/MIME control searches through the available certificates in the certificate store until it finds a valid digital
certificate for the operation requested. Outlook Web Access with the S/MIME control always uses
hardware-based digital certificates, including smart cards, if both a software-based certificate and a
hardware-based certificate are located. If the SmartCardOnly value has been set on the user's
Exchange server, only digital certificates propagated from smart cards will be examined.
You can configure Outlook Web Access with the S/MIME control to require only smart card-based
certificates, using the SmartCardOnly registry setting on the Exchange Server. By default, this setting is
not enabled. When SmartCardOnly is set to true (1), this key restricts the S/MIME control to use only
smart card-based certificates for signing and decrypting e-mail messages with OWA. Users cannot use
certificates that are not on a smart card.
84
Configuring OWA on User Computers
This section describes how to deploy the S/MIME control to user computers and set ActiveX security
settings through Internet Explorer.
User Requirements
User computers must meet the following requirements to encrypt and sign e-mail messages distributed by
Outlook Web Access. The appropriate certificates placed on the user’s smart card are used by the S/MIME
control to sign and encrypt messages.
• User computers are running on either Microsoft Windows 2000 or Windows XP.
• User computers are running Microsoft Internet Explorer Version 6 or later.
• User computers have an attached card reader.
• User computers have NetSign Version 5.5 installed.
• Users have been issued a smart card with valid certificates to send or receive signed and encrypted
e-mail messages.
• Users have been assigned a user name and password to log on to Outlook Web Access.
• Users know the web address of the server that is hosting Outlook Web Access.
• The latest version of the Outlook Web Access S/MIME control has been installed on user computers.
Deploying the OWA S/MIME Control
To use Outlook Web Access with the S/MIME control, the user’s computer must have the Outlook Web
Access S/MIME control installed. After the S/MIME control is installed on a computer, it is available to all
users, including those who do not have administrator rights.
There are three deployment options to download and then install the S/MIME control on user computers:
• Users download and install the S/MIME control on their computers.
Users must be logged on to their computers with Windows administrator privileges to install the S/MIME
control. Errors occur if the user attempts to install the S/MIME control without administrator privileges.
Refer to “Installing the S/MIME Control on a Computer” on page 86 for the user procedure to install the
S/MIME control on a computer.
• Integrate the S/MIME control into a pre-configured desktop image.
Integrating the S/MIME control into a standardized image is a solution for those organizations that are
already using this strategy for managing desktop configurations.
• Deploy the S/MIME control setup package using SMS or other enterprise software management
systems.
Organizations that do not use a desktop image but want to deploy the S/MIME control to users without
administrator privileges should deploy S/MIME control setup using their organization's enterprise
software management system.
In Exchange Server 2003 SP1, the S/MIME control setup program is a Microsoft Installer (MSI) file
contained in a self-extracting executable file. The MSI file allows customers to deploy the S/MIME
control to the desktop with enterprise software management systems like SMS. The setup package is
named Setupmcl.exe and is located in the following directory when Exchange 2003 SP1 is installed
(where version is the build number for SP1):
drive:\program files\exchsrvr\exchweb\version\cabs\setupmcl.exe
85
Installing the S/MIME Control on a Computer
This procedure explains how users can download and then install the OWA S/MIME control if they have
Windows administrator authority. You must use alternative methods to deploy the S/MIME control if your
organization’s user community does not have Windows administrator privileges on their computers.
1. Log on to the computer with a Windows administrator user account.
2. Open Internet Explorer and enter the URL to Outlook Web Access.
3. Log on to Outlook Web Access.
4. Click Options in the OWA Navigation pane.
If the Navigation Pane is collapsed, click the Go to options button.
5. Scroll down the Options page until you locate the E-Mail Security section of the page.
6. Click Download.
If any security warnings appear, click Yes for the control to download and install. The S/MIME control
is downloaded from the Exchange server to the local computer and then installed.
Note:
Many companies use URLScan on the front-end HTTP servers for Outlook Web Access. URLScan
monitors URLs and allows customers to block specific file types, such as .exe and .vbs files, from
being downloaded to the Outlook Web Access client. If you use URLScan or similar software to protect
the Outlook Web Access client, and you want to make the S/MIME control available from outside your
corporate firewall, you will need to allow executable (.exe) file types to pass through URLScan and the
firewall.
7. Under E-mail Security, click to select the Encrypt contents and attachments for outgoing
messages check box if you want encryption enabled by default when you compose a message.
8. Under E-mail Security, click to select the option that messages should be digitally signed by the
sender.
Setting Up IE ActiveX Security to Support the S/MIME Control
For the S/MIME control to operate properly, the Internet Explorer zone to which the user is connecting for
Outlook Web Access must have the following ActiveX security settings:
• Set the Download signed ActiveX controls value to Prompt or Enable.
• Set the Run ActiveX controls and plug-ins value to Enable (or Administrator approved with the S/MIME
control as an approved control).
• Set the Script ActiveX controls marked as safe for scripting value to Enabled.
By default, these Internet Explorer settings are enabled in the Internet and intranet zones.
86
OWA Problems with Windows XP Service Pack 2
This section describes a specific problem that can occur when using NetSign with an OWA client. This
problem occurs when NetSign and the OWA client are installed on a computer running Microsoft Windows
XP Service Pack 2 (SP2).
The cause of the problem lies with Microsoft Exchange Server 2003 and Windows XP Service Pack 2.
NetSign is not involved. This section is included because the problem routinely occurs when preparing
NetSign for use with OWA.
Problem
When you use Microsoft Exchange Server 2003 to host Microsoft Outlook Web Access, the
Secure/Multipurpose Internet Mail Extension (S/MIME) control does not load after you download and install
it on a client computer running Windows XP with Service Pack 2 applied.
Symptoms
The symptoms of the problem are:
• If you click Options in the left pane, the E-mail Security area of the OWA Options page indicates that
the S/MIME control is not installed. Only the Download button is available. You expect to see the
Encrypt contents and attachments for outgoing messages check box and the Add a digital signature to
outgoing messages check box.
• When you compose a new e-mail message, you experience the following symptoms:
  • If you click Options, the E-mail Security section does not appear. You expect to see the Encrypt
    message contents and attachments and Add a digital signature to this message check boxes.
  • The Encrypt message contents and attachments and Add a digital signature to this message
    buttons do not appear on the toolbar of the page to compose e-mail messages.
  • You cannot drag attachments to a Compose Message form.
Cause
The Exchange Server 2003 OWA client uses a function call to determine whether the S/MIME control is
installed on the client computer. As part of its base security, Windows XP SP2 restricts the components
that are supported by this function call. Therefore, OWA cannot detect that the S/MIME component is
installed.
Solution
Microsoft provides a solution for the problem. Refer to the following Microsoft Knowledge base article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;883543
The article includes a link to download a file. The file should be installed on the Microsoft Exchange Server
2003 that hosts OWA.
87
88
Appendix A Uninstall NetSign
This appendix describes various methods to uninstall Version 5.5 of NetSign. The table below summarizes
the uninstall methods and provides a reference to a section within the appendix that describes the
procedure in detail.
Uninstall Method                       Description

Local                                  Use the local method to uninstall NetSign on a single computer with the
                                       Windows Add/Remove facility. See “Local Uninstall” on page 91.

Silent                                 Use the silent method to uninstall NetSign on a single computer without
                                       requiring user interaction. See “Silent Uninstall Without User Interaction”
                                       on page 92.

Active Directory push                  Use the Active Directory push method to uninstall NetSign on multiple
                                       computers running Windows 2000 or Windows XP. See “Push Uninstall with
                                       Active Directory” on page 93.
                                       Note: You must have previously installed NetSign with the Active Directory
                                       push method to remove it from the same computers.

Systems Management Server (SMS) push   Use the SMS method to uninstall NetSign on multiple computers running any
                                       Windows operating system. See “Push Uninstall with SMS” on page 95.
                                       Note: You must have previously installed NetSign with the SMS push method
                                       to remove it from the same computers.
89
Uninstallation Considerations
This section describes general information that must be considered before removing NetSign from
computers.
• NetSign must be removed with the same user privileges that were originally used for the installation.
If NetSign was installed by a domain administrator, it should be removed by a user logged in as a
domain administrator. Attempting to remove NetSign with the Windows Add/Remove facility will fail if
you are logged in as a general user and NetSign was originally installed under domain administrator
control.
• Uninstalling NetSign removes most files and registry keys from the computer on which it was installed.
Testing has shown the following files and registry keys may remain on a computer after NetSign has
been removed:
Files
• ..\Program Files\Common Files\InstallShield\Driver\1050\Intel 32
This directory contains files left behind by the Install Shield script engine, which is a commercial
software product used to create the NetSign installation package.
_ISRES1033.dll ID
IDriver2.exe
IDriver.exe
IDriverT.exe
iGdiCnv.dll
ISRT.dll
IUserCnv.dll
objpscnv.dll
IScrCnv.dll
• ..\Windows\system32\capicom.dll
This is a shared file used by other applications, which has corresponding registry entries.
Registry Keys
• HKEY_CURRENT_USER\SOFTWARE\GSC\Policies\PIN\Authentication\(Default)
• HKEY_CURRENT_USER\SOFTWARE\SSP Solutions\CAC\CACHE\
• HKEY_CURRENT_USER\SOFTWARE\SSP Solutions\CardStart\(Default)
90
Local Uninstall
This procedure explains how to remove NetSign Version 5.5 from a single computer with the Windows
Add/Remove facility. Refer to the push uninstall methods later in this appendix if you want to remove
NetSign simultaneously from multiple computers.
1. Log on with an administrator user account to the computer from which you want to remove NetSign.
2. Open the Windows Add or Remove Programs facility.
Start > Settings > Control Panel > Add or Remove Programs
3. Select NetSign from the list shown in the dialog box.
4. Click Remove.
5. Click Yes from the pop-up menu that verifies that you want to remove NetSign.
The uninstaller program removes NetSign from the computer. After NetSign has been uninstalled, a
pop-up menu requests that you restart the computer.
6. Click Yes to restart the computer.
The CardStart icon should no longer appear in the computer’s system tray after the computer has
been shut down and restarted.
91
Silent Uninstall Without User Interaction
The silent method removes NetSign from a single computer without requiring user interaction. No dialog
boxes appear on the screen to indicate that NetSign has been removed, nor does the uninstaller program
indicate when the uninstall procedure has finished.
The silent uninstallation method is invoked from the Windows command line. It uses the same msiexec
command syntax that was originally used to install NetSign by the silent method; the /X parameter in the
command string uninstalls a product. You must enter three separate msiexec.exe commands to uninstall
NetSign.
1. Log on with an administrator user account to the computer from which you want to remove NetSign.
2. Place the NetSign product CD into the computer’s CD drive if it was originally used to install NetSign.
Alternatively, you can use the NetSign CD image placed on an accessible network disk.
3. Open a command window on the computer.
Start > Run > cmd
4. Enter the commands below in the order that they are listed.
C:\> msiexec /qn /x Z:\NetSign.msi
C:\> msiexec /qn /x Z:\NetSignConfig.msi
C:\> msiexec /qn /x Z:\ISScript1050.msi
Notes:
• In the examples above, Z: is the drive letter of the computer’s CD drive where the NetSign product
CD has been inserted. Or, specify the network path to the directory where the NetSign CD image
has been placed.
• You must enclose the directory string within quotes (“) if the path to the ISScript1050.msi,
NetSign.msi and NetSignConfig.msi files contains a blank space.
C:\> msiexec /qn /x "V:\App Server\NETSIGN\NetSign.msi"
• Remove the /qn parameter from the command string if you prefer to uninstall NetSign with dialog
prompts.
5. Press Enter.
It takes approximately 30-40 seconds to remove NetSign. The CardStart icon should no longer
appear in the computer’s system tray when the uninstall procedure has finished.
92
Push Uninstall with Active Directory
The procedure to remove NetSign from computers by the Active Directory push method uses similar steps
to the installation procedure. The uninstall procedure removes the three Active Directory packages that
were used to originally install NetSign. This procedure explains the steps to remove the ISScript1050,
NetSignConfig and NetSign packages from the Active Directory OU containing the computers in
which NetSign has been installed.
1. Open Active Directory Users and Groups.
Start > Settings > Control Panel > Administrative Tools > Active Directory Users and Groups
2. Right-click the OU that contains the computers in which NetSign has been installed.
3. Select Properties from the menu.
The domain_name Properties dialog box opens on the screen.
4. Click on the Group Policy tab.
5. Select the policy and click Edit.
6. The Group Policy Object Editor dialog box appears on the screen.
7. Expand Software Settings and right-click on Software Installation.
8. Right click on NetSign.msi and choose All Tasks > Remove.
93
The Remove Software dialog box appears on the screen.
9. Accept the default software removal method to immediately uninstall NetSign and click OK.
10. Repeat steps 8-9 to remove the NetSignConfig.msi package.
11. Repeat steps 8-9 to remove the ISScript1050.msi package.
12. Click OK to accept the changes to the OU’s group policy.
13. Exit from Active Directory.
14. Reboot all computers that have NetSign installed.
NetSign is removed from all computers that belong to the Active Directory OU after they have been
restarted. NetSign’s CardStart icon should no longer appear in the computer’s system tray.
94
Push Uninstall with SMS
By default, Windows Installer creates a registry key for automatically adding and removing applications.
Unless you use the ARPNOREMOVE Windows Installer property, any application installed by Windows
Installer will be registered in Add/Remove Programs in Control Panel. This allows the application to be
automatically removed using the SMS program removal feature.
To use the automatic program removal functionality with SMS, configure the following program settings in
the Program Properties dialog box.
To configure SMS 2.0 to perform a restart:
1. Open the Program Properties dialog box.
2. On the Advanced tab, select the Remove software when it is no longer advertised check box.
3. In the Uninstall registry key edit box, enter the package code.
Note: These instructions require you to know the package code. The package code is stored as a property
in the summary information of a Windows Installer package. You can determine the package code by
using the MSIINFO.exe tool that is included with the Windows Installer SDK to display the properties in the
summary information.
Uninstalling software follows much the same steps as installing the original software on computers. Refer to
Chapter 3 for the complete SMS procedure to install NetSign.
Important:
This procedure summarizes the major steps to remove NetSign from computers on which it was originally
installed using SMS. Local site practices may vary, and SMS administrators should be familiar with the
process of removing software from their user environment.
95
Step 1: Obtain the NetSign Program GUID
This step explains how to obtain the Global Unique Identifier (GUID) for NetSign that must be entered as a
parameter in the programs for the SMS uninstallation package.
1. Log on to a computer that has NetSign installed.
2. Using regedit, navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
3. Copy the GUID number listed for the NetSign installation package.
A GUID is enclosed in braces and consists of a string of hexadecimal digits, for example:
{F1530A8A-A7FA-4750-A0E9-6E777EF17F16}
4. Save the GUID to a file so that you can paste it later in “Step 4: Create Programs for the
Uninstallation Package.”
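The regedit lookup above can also be scripted, which avoids copying the wrong subkey when several Windows Installer products are registered. The following PowerShell script is an added example and not part of the NetSign guide or of the NetSign product; it assumes the product is registered with a DisplayName beginning with "NetSign" (the guide does not state the exact name) and also checks the WOW6432Node path that 64-bit Windows uses for 32-bit products.

```powershell
# Added example (not from the NetSign guide): list the Windows Installer entries
# for NetSign and print the product code GUID that the SMS program needs.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    # 32-bit products on 64-bit Windows register here instead
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-NetSignUninstallEntry {
    # $NamePattern is an assumption; adjust it to the DisplayName shown in Add/Remove Programs
    param([string[]]$Roots = $roots, [string]$NamePattern = 'NetSign*')
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -Path $root | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            if ($p.DisplayName -like $NamePattern) {
                [pscustomobject]@{
                    DisplayName     = $p.DisplayName
                    DisplayVersion  = $p.DisplayVersion
                    # The subkey name is the product code, braces included
                    ProductCode     = $_.PSChildName
                    UninstallString = $p.UninstallString
                }
            }
        }
    }
}

$entries = Get-NetSignUninstallEntry
$entries | Format-Table -AutoSize

# Only subkeys named as a GUID are Windows Installer products that msiexec /x can
# remove; anything else must be removed with its own UninstallString.
foreach ($e in $entries) {
    if ($e.ProductCode -match '^\{[0-9A-Fa-f-]{36}\}$') {
        "msiexec /x $($e.ProductCode)"
    } else {
        "$($e.DisplayName): not an MSI product code, use its UninstallString instead"
    }
}

# Keep the result for Step 4 (file name is an example)
$entries | Export-Csv -Path "$env:TEMP\netsign-guid.csv" -NoTypeInformation
```

Run the script once on a reference computer rather than on every client; the product code is the same for every installation of the same NetSign.msi, so one value serves the whole SMS package.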
96
Step 2: Create an Uninstall Package
1. Log on to the computer that has the SMS administrator console installed with an account authorized to
use SMS.
2. Select Start > Programs > System Management Server > SMS Administrator Console.
The SMS Administrator Console appears on the screen.
3. Right-click the Packages folder and select New > Package.
The Package Properties dialog box appears on the screen.
4. Complete the form, then click the Data Source tab.
5. Select the This package contains source files option.
6. Click Set to locate and select the directory in which your data files are stored.
The Set Source Directory dialog box appears on the screen.
97
7. Select Network path from the Source directory location field.
8. Click Browse and navigate to the directory where the NetSign installation package has been placed.
9. Click OK to select the NetSign installation package.
The Package Properties dialog box refreshes and displays the directory path to the NetSign
installation package.
10. Click OK.
The NetSign uninstallation package has been created.
98
Step 3: Set up Uninstallation Package Distribution Points
1. Click the plus sign (+) next to the NetSign uninstallation package in the left pane of the SMS dialog box to
expand the options beneath it.
2. Right-click Distribution Points and select New > Distribution Points from the menu.
The New Distribution Points Wizard dialog box appears on the screen.
3. Click Next.
The Copy Package dialog box opens with a field to select the distribution points for the package.
4. Place a check mark next to names of the distribution points for the NetSign uninstallation package you
created earlier.
5. Click Finish.
99
Step 4: Create Programs for the Uninstallation Package
This step explains how to prepare the three NetSign installation files for an SMS uninstallation package.
You will add three files to the NetSign installation package and set up the program dependencies to run
them in order:
a. NetSign.msi
b. NetSignConfig.msi
c. ISScript1050.msi
1. Right-click on the Programs folder and select New > Programs from the menu.
The Program Properties dialog box appears on the screen.
2. Assign a name to the program to identify it as the NetSign.msi file.
3. In the Command line field enter:
msiexec /x {F1530A8A-A7FA-4750-A0E9-6E777EF17F16}
where the value enclosed in braces is the GUID that you copied in Step 1.
4. Click the Advanced tab.
100
5. Select the Remove software when it is no longer advertised option and place the GUID in the
Uninstall registry key field.
6. Click OK.
7. Verify the program has been added to the NetSign installation package.
8. Right-click on the Programs folder and select New > Programs from the menu.
9. The Program Properties dialog box appears on the screen.
10. Assign a name to the NetSignConfig.msi file.
11. In the Command line field, enter
cmd.exe /c {F1530A8A-A7FA-4750-A0E9-6E777EF17F16} uninstall
where the value enclosed in braces is the GUID that you copied in Step 1.
12. Click the Advanced tab.
13. Select the Run another program first option and set up the NetSignConfig.msi program to run after the
NetSign.msi program created earlier in this step.
14. Repeat steps 8-13 for the ISScript1050.msi file.
Make sure that ISScript1050.msi is the last program to run in the uninstallation package.
15. Click OK.
You should see the three uninstallation programs listed in the NetSign uninstallation package.
101
Step 5: Advertise the Uninstallation Package
1. Select Advertisements from the SMS console.
2. Locate the original NetSign installation package.
3. Delete the NetSign installation package.
4. Right-click Advertisements and select Distribute Software.
The Distribute Software Wizard appears on your screen.
5. Select the Distribute an existing package option and select the NetSign uninstallation package.
102
6. Click Next.
The Advertise a Program dialog box opens on the screen.
7. Select the program assigned to the NetSign.msi file.
The other programs will run automatically because of their run order linkage to NetSign.msi in the
package.
8. Click Next.
9. Distribute the uninstallation package according to your site’s standards.
All NetSign files and registry keys should be removed from the computers after the uninstallation
package runs to completion.
103
104
Appendix B NetSign Installation Changes
This appendix describes the changes to a computer after NetSign has been installed. It includes separate
sections that list the NetSign files that are added to the computer and changes to the Windows registry.
Files Added to the Computer by a NetSign Installation
Files               Target Directory                                       COM Registration
AdvCryptos.dll      Install_dir\Windows\System32
CACCSP.dll          Install_dir\Windows\System32                           regsvr32 /s caccsp.dll
caccsp.sig          Install_dir\Windows\System32
core32.dll          Install_dir\Windows\System32
crm.dll             Install_dir\Windows\System32
Nsicleaner.exe      Install_dir\Windows\System32
Nsicmdrmdir.exe     Install_dir\Windows\System32
Nsiremove.reg       Install_dir\Windows\System32
Nsiremove.cmd       Install_dir\Windows\System32
SSPBSI.dll          Install_dir\Windows\System32
SSPCertReg.dll      Install_dir\Windows\System32
SSPMapi.dll         Install_dir\Windows\System32
capicom.dll         Install_dir\Windows\System32                           regsvr32 /s capicom.dll
cac.ckm             Install_dir\Program Files\Common Files\Litronic\CKR
LitPCSC.ckr         Install_dir\Program Files\Common Files\Litronic\CKR
CrdStart.exe        Install_dir\Litronic\NetSign
certutil.exe        Install_dir\Litronic\NetSign
dm-cacv1.ini        Install_dir\Litronic\NetSign
dm-cacv2.ini        Install_dir\Litronic\NetSign
dm-twic.ini         Install_dir\Litronic\NetSign
libnspr4.dll        Install_dir\Litronic\NetSign
libplc4.dll         Install_dir\Litronic\NetSign
libplds4.dll        Install_dir\Litronic\NetSign
modutil.exe         Install_dir\Litronic\NetSign
netsign.exe         Install_dir\Litronic\NetSign
NetSign.chm         Install_dir\Litronic\NetSign
NsAbout.dll         Install_dir\Litronic\NetSign                           regsvr32 /s NsAbout.dll
105
NsAuSvc.exe         Install_dir\Litronic\NetSign                           NsAuSvc /service
NsCacBrowser.dll    Install_dir\Litronic\NetSign                           regsvr32 /s NsCacBrowser.dll
NsOlExt.dll         Install_dir\Litronic\NetSign
NsPolicy.dll        Install_dir\Litronic\NetSign                           regsvr32 /s NsPolicy.dll
NsReg.exe           Install_dir\Litronic\NetSign
NsResource.dll      Install_dir\Litronic\NetSign
nss3.dll            Install_dir\Litronic\NetSign
NsSysInfo.dll       Install_dir\Litronic\NetSign                           regsvr32 /s NsSysInfo.dll
pinChange.exe       Install_dir\Litronic\NetSign
ReleaseNotes.txt    Install_dir\Litronic\NetSign
smime3.dll          Install_dir\Litronic\NetSign
softokn3.dll        Install_dir\Litronic\NetSign
tags-cac.ini        Install_dir\Litronic\NetSign
tags-gscis.ini      Install_dir\Litronic\NetSign
tags-twic.ini       Install_dir\Litronic\NetSign
Certificate Files Added for a NetSign CAC Installation
The following table lists the certificate files that are located in the
Install_dir\Litronic\NetSign\Certificates directory when NetSign CAC is installed.
Files                              Target Directory
DOD CLASS 3 CA-3.crt509            Install_dir\Litronic\NetSign\Certificates
DOD CLASS 3 CA-3.reg               Install_dir\Litronic\NetSign\Certificates
DOD CLASS 3 CA-4.crt509            Install_dir\Litronic\NetSign\Certificates
DOD CLASS 3 CA-4.reg               Install_dir\Litronic\NetSign\Certificates
DOD CLASS 3 CA-5.crt509            Install_dir\Litronic\NetSign\Certificates
DOD CLASS 3 CA-5.reg               Install_dir\Litronic\NetSign\Certificates
DOD CLASS 3 CA-6.crt509            Install_dir\Litronic\NetSign\Certificates
DOD CLASS 3 CA-6.reg               Install_dir\Litronic\NetSign\Certificates
DOD CLASS 3 CA-7.crt509            Install_dir\Litronic\NetSign\Certificates
DOD CLASS 3 CA-7.reg               Install_dir\Litronic\NetSign\Certificates
DOD CLASS 3 CA-8.crt509            Install_dir\Litronic\NetSign\Certificates
DOD CLASS 3 CA-8.reg               Install_dir\Litronic\NetSign\Certificates
DOD CLASS 3 CA-9.crt509            Install_dir\Litronic\NetSign\Certificates
DOD CLASS 3 CA-9.reg               Install_dir\Litronic\NetSign\Certificates
DOD CLASS 3 CA-10.crt509           Install_dir\Litronic\NetSign\Certificates
DOD CLASS 3 CA-10.reg              Install_dir\Litronic\NetSign\Certificates
DOD CLASS 3 CAC CA.crt509          Install_dir\Litronic\NetSign\Certificates
106
DOD CLASS 3 CAC CA.reg             Install_dir\Litronic\NetSign\Certificates
DOD CLASS 3 CAC EMAIL CA.crt509    Install_dir\Litronic\NetSign\Certificates
DOD CLASS 3 CAC EMAIL CA.reg       Install_dir\Litronic\NetSign\Certificates
DOD CLASS 3 EMAIL CA-3.crt509      Install_dir\Litronic\NetSign\Certificates
DOD CLASS 3 EMAIL CA-3.reg         Install_dir\Litronic\NetSign\Certificates
DOD CLASS 3 EMAIL CA-4.crt509      Install_dir\Litronic\NetSign\Certificates
DOD CLASS 3 EMAIL CA-4.reg         Install_dir\Litronic\NetSign\Certificates
DOD CLASS 3 EMAIL CA-5.crt509      Install_dir\Litronic\NetSign\Certificates
DOD CLASS 3 EMAIL CA-5.reg         Install_dir\Litronic\NetSign\Certificates
DOD CLASS 3 EMAIL CA-6.crt509      Install_dir\Litronic\NetSign\Certificates
DOD CLASS 3 EMAIL CA-6.reg         Install_dir\Litronic\NetSign\Certificates
DOD CLASS 3 EMAIL CA-7.crt509      Install_dir\Litronic\NetSign\Certificates
DOD CLASS 3 EMAIL CA-7.reg         Install_dir\Litronic\NetSign\Certificates
DOD CLASS 3 EMAIL CA-8.crt509      Install_dir\Litronic\NetSign\Certificates
DOD CLASS 3 EMAIL CA-8.reg         Install_dir\Litronic\NetSign\Certificates
DOD CLASS 3 EMAIL CA-9.crt509      Install_dir\Litronic\NetSign\Certificates
DOD CLASS 3 EMAIL CA-9.reg         Install_dir\Litronic\NetSign\Certificates
DOD CLASS 3 EMAIL CA-10.crt509     Install_dir\Litronic\NetSign\Certificates
DOD CLASS 3 EMAIL CA-10.reg        Install_dir\Litronic\NetSign\Certificates
DOD CLASS 3 Root CA.crt509         Install_dir\Litronic\NetSign\Certificates
DOD CLASS 3 Root CA.reg            Install_dir\Litronic\NetSign\Certificates
107
Changes to Registry by a NetSign Installation
This section lists all changes to the Windows registry after NetSign has been installed. The
NetSignConfig.ini script is run early in the NetSign installation procedure to load the registry values
listed in this section.
Card Start
[HKEY_CURRENT_USER\Software\SSP Solutions\CardStart]
Key Values                  Type        Default Setting
AppPin                      REG_SZ      Off
AppPinTimeout               REG_SZ      0
Auto Update                 REG_DWORD   0x00000000 (0)
AutoRemind                  REG_DWORD   0x00000000 (0)
AutoUpdate Certificate      REG_SZ
AutoUpdate Interval         REG_SZ      24
AutoUpdate Mode             REG_SZ      Manual
AutoUpdate WebServerName    REG_SZ
AutoUpdate WebSubAddr       REG_SZ
Certificate Cache           REG_DWORD   0x00000000 (0)
EncryptPin                  REG_SZ      Off
EncryptPinTimeout           REG_SZ      0
IDPin                       REG_SZ      Off
IDPinTimeout                REG_SZ      0
LOGFILE_AUTOUPDATE          REG_SZ      C:\Program Files\Litronic\NetSign\AutoUpdate.log
Outlook AutoContact         REG_DWORD   0x00000000 (0)
Outlook AutoDecrypt         REG_DWORD   0x00000000 (0)
Outlook AutoReg             REG_DWORD   0x00000001 (1)
Outlook ClearText           REG_DWORD   0x00000002 (2)
Outlook Encrypt             REG_DWORD   0x00000002 (2)
Outlook Publish GAL         REG_DWORD   0x00000000 (0)
Outlook Sign                REG_DWORD   0x00000002 (2)
Outlook Signed Receipt      REG_DWORD   0x00000002 (2)
PinAlways                   REG_DWORD   0x00000000 (0)
PINCHANGE AutoRemind        REG_DWORD   0x00000000 (0)
PinOnce                     REG_DWORD   0x00000000 (0)
PinTimeoutAppName           REG_SZ
ProcessReadMessagesAlso     REG_DWORD   0x00000001 (1)
SCI_EmailProgram            REG_DWORD   0x00000000 (0)
SCI_None                    REG_DWORD   0x00000001 (1)
108
SCI_Program                 REG_SZ
SCI_URL                     REG_SZ
SCI_WebBrowser              REG_DWORD   0x00000000 (0)
SCR_ClosedWindows           REG_DWORD   0x00000000 (0)
SCR_LockWorkstation         REG_DWORD   0x00000000 (0)
SCR_None                    REG_DWORD   0x00000001 (1)
SCR_Program                 REG_SZ
SCR_Windowslogoff           REG_DWORD   0x00000000 (0)
SignPin                     REG_SZ      Off
SignPinTimeout              REG_SZ      0
TargetProfile               REG_SZ      MS Exchange Settings
User OverRide               REG_DWORD   0x00000001 (1)
Web Support Page            REG_SZ      www.litronic.com/support
109
CRM
CKR Path
[HKEY_LOCAL_MACHINE\SOFTWARE\SSP Solutions\CRM]
Key Value      Type        Default Setting
CKR PATH       REG_SZ      C:\Program Files\Common Files\Litronic\Ckr
Smart Card Reader Interface
Litronic PCSC Reader Interface
[HKEY_LOCAL_MACHINE\SOFTWARE\SSP Solutions\CRM\0001]
Key Value      Type        Default Setting
(Default)      REG_SZ      Litronic PCSC Reader Interface
ACTIVE         REG_DWORD   0x00000001 (1)
CKR NAME       REG_SZ      LITPCSC.CKR
PORT NUMBER    REG_DWORD   0x00000000 (0)
PRIORITY       REG_DWORD   0x00000000 (0)
READERGROUP    REG_SZ      All Readers
NetSign Functions
[HKEY_LOCAL_MACHINE\SOFTWARE\SSP Solutions\NetSign\]
Key Value        Type        Default Setting
About            REG_DWORD   0x00000001 (1)
CACBrowser       REG_DWORD   0x00000001 (1)
Edition          REG_DWORD   0x00000002 (2) - NetSign CAC
FeedBack Page    REG_DWORD   0x00000001 (1)
HelpFiles        REG_DWORD   0x00000001 (1)
PIN Change       REG_DWORD   0x00000001 (1)
Policy           REG_DWORD   0x00000001 (1)
SysInfo          REG_DWORD   0x00000001 (1)
Build Version
NetSign Version
[HKEY_LOCAL_MACHINE\SOFTWARE\SSP Solutions\NetSign\Build Version]
Key Value        Type        Default Setting
Build            REG_SZ      5.5.xx, where xx represents the specific build number of the NetSign release.
110
Target Directory
Installation Directory
[HKEY_LOCAL_MACHINE\SOFTWARE\SSP Solutions\NetSign\Target Directory]
Key Value      Type      Default Setting
Directory      REG_SZ    C:\Program Files\Litronic\NetSign
E-Mail Application
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Messaging Subsystem\MSMapiApps]
Key Value      Type      Default Setting
sspmapi.dll    REG_SZ    Microsoft Outlook
Smart Cards
NetSign Supported Smart Cards
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Common Access Card - JForte]
Key Value          Type          Default Setting
ATR                REG_BINARY    3b f8 11 00 ff 40 20 6a 46 6f 72 74 65 00 01
ATRMask            REG_BINARY    ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
CRYPTO PROVIDER    REG_SZ        CAC Cryptographic Service Provider
TOKEN_MODULE       REG_SZ        CAC.CKM
NetSign Supported Smart Cards
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Common Access Card - Oberthur]
Key Value          Type          Default Setting
ATR                REG_BINARY    3b 7d 11 00 00 00 31 80 71 8e 64 86 d6 01 00 81 90 00
ATRMask            REG_BINARY    ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
CRYPTO PROVIDER    REG_SZ        CAC Cryptographic Service Provider
TOKEN_MODULE       REG_SZ        CAC.CKM
111
NetSign Supported Smart Cards
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Common Access Card - Oberthur V4]
Key Value          Type          Default Setting
ATR                REG_BINARY    3b 7f 11 00 00 00 31 c0 53 ca c4 01 64 52 d9 04 00 82 90 00
ATRMask            REG_BINARY    ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
CRYPTO PROVIDER    REG_SZ        CAC Cryptographic Service Provider
TOKEN_MODULE       REG_SZ        CAC.CKM
NetSign Supported Smart Cards
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Common Access Card - Schlumberger]
Key Value          Type          Default Setting
ATR                REG_BINARY    3b 65 00 00 9c 02 02 07 02
ATRMask            REG_BINARY    ff ff ff ff ff ff ff ff ff
CRYPTO PROVIDER    REG_SZ        CAC Cryptographic Service Provider
TOKEN_MODULE       REG_SZ        CAC.CKM
NetSign Supported Smart Cards
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\GSC2.1 Gemplus Card 0]
Key Value          Type          Default Setting
ATR                REG_BINARY    3b 7b 95 00 00 80 65 b0 83 01 04 74 83 00 90 00
ATRMask            REG_BINARY    ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
CRYPTO PROVIDER    REG_SZ        CAC Cryptographic Service Provider
TOKEN_MODULE       REG_SZ        CAC.CKM
NetSign Supported Smart Cards
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\GSC2.1 - Gemplus Card 1]
Key Value          Type          Default Setting
ATR                REG_BINARY    3b 6d 00 00 80 31 80 65 b0 43 06 00 98 83 01 90 00
ATRMask            REG_BINARY    ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
CRYPTO PROVIDER    REG_SZ        CAC Cryptographic Service Provider
TOKEN_MODULE       REG_SZ        CAC.CKM
112
NetSign Supported Smart Cards
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\GSC2.1 - Gemplus Card 2]
Key Value          Type          Default Setting
ATR                REG_BINARY    3b f5 91 00 ff 91 81 71 fe 40 00 42 00 01 77 c1 b1
ATRMask            REG_BINARY    ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
CRYPTO PROVIDER    REG_SZ        CAC Cryptographic Service Provider
TOKEN_MODULE       REG_SZ        CAC.CKM
NetSign Supported Smart Cards
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\GSC2.1 - Gemplus Card 3]
Key Value          Type          Default Setting
ATR                REG_BINARY    3b 6b 00 00 80 65 b0 83 01 03 74 83 00 90 00
ATRMask            REG_BINARY    ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
CRYPTO PROVIDER    REG_SZ        CAC Cryptographic Service Provider
TOKEN_MODULE       REG_SZ        CAC.CKM
NetSign Supported Smart Cards
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Schlumberger Access 64k]
Key Value          Type          Default Setting
ATR                REG_BINARY    3b 75 12 00 00 29 05 01 04 01
ATRMask            REG_BINARY    ff ff ff ff ff ff ff ff ff ff
CRYPTO PROVIDER    REG_SZ        CAC Cryptographic Service Provider
TOKEN_MODULE       REG_SZ        CAC.CKM
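These Calais entries are what tie a physical card to the CAC Cryptographic Service Provider and to the CAC.CKM token module: the Smart Card Resource Manager compares the ATR a reader reports against each registered ATR, applying that entry's ATRMask, and a card that matches no entry gets no CSP at all (the usual cause of "card inserted but NetSign does not recognize it"). The following PowerShell script models that comparison over three of the entries above plus one constructed, partially masked entry that the guide does not contain, to show what a mask byte of 00 does. It is an added example, not part of the guide or of Windows; the comparison rule (mask both the reported and the registered ATR, then require equal length and equal bytes) is stated here as an assumption about the resource manager's behaviour, and all card ATRs fed to it are constructed samples.

```powershell
# Added example (not from the NetSign guide): model the ATR/ATRMask lookup that the
# Smart Card Resource Manager performs against the SmartCards registry entries.

function ConvertFrom-HexString {
    param([string]$Hex)
    [byte[]](($Hex -split '\s+') | Where-Object { $_ } | ForEach-Object { [Convert]::ToByte($_, 16) })
}

# Three entries copied from the tables above, plus one constructed entry whose mask
# ignores its fourth byte (the guide registers only all-ff masks).
$registered = @(
    @{ Name = 'Common Access Card - JForte'
       ATR  = ConvertFrom-HexString '3b f8 11 00 ff 40 20 6a 46 6f 72 74 65 00 01'
       Mask = ConvertFrom-HexString 'ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff' },
    @{ Name = 'Common Access Card - Schlumberger'
       ATR  = ConvertFrom-HexString '3b 65 00 00 9c 02 02 07 02'
       Mask = ConvertFrom-HexString 'ff ff ff ff ff ff ff ff ff' },
    @{ Name = 'Schlumberger Access 64k'
       ATR  = ConvertFrom-HexString '3b 75 12 00 00 29 05 01 04 01'
       Mask = ConvertFrom-HexString 'ff ff ff ff ff ff ff ff ff ff' },
    @{ Name = 'CONSTRUCTED example with a masked byte'
       ATR  = ConvertFrom-HexString '3b 65 00 00 9c 02 02 07 02'
       Mask = ConvertFrom-HexString 'ff ff ff 00 ff ff ff ff ff' }
)

function Test-AtrMatch {
    # Assumed rule: lengths must agree and every masked byte must be equal
    param([byte[]]$CardAtr, [byte[]]$RegAtr, [byte[]]$Mask)
    if ($CardAtr.Length -ne $RegAtr.Length -or $Mask.Length -ne $RegAtr.Length) { return $false }
    for ($i = 0; $i -lt $RegAtr.Length; $i++) {
        if (($CardAtr[$i] -band $Mask[$i]) -ne ($RegAtr[$i] -band $Mask[$i])) { return $false }
    }
    return $true
}

function Find-CardEntry {
    # Returns the names of all entries the card matches; an empty result means
    # no CRYPTO PROVIDER / TOKEN_MODULE would be selected for this card.
    param([byte[]]$CardAtr, [array]$Entries = $registered)
    @(foreach ($e in $Entries) {
        if (Test-AtrMatch -CardAtr $CardAtr -RegAtr $e.ATR -Mask $e.Mask) { $e.Name }
    })
}

# Constructed sample ATRs (not captures from real cards)
Find-CardEntry (ConvertFrom-HexString '3b 65 00 00 9c 02 02 07 02')   # Schlumberger entry and the constructed one
Find-CardEntry (ConvertFrom-HexString '3b 65 00 01 9c 02 02 07 02')   # only the constructed entry: byte 4 is masked out
Find-CardEntry (ConvertFrom-HexString '3b 75 12 00 00 29 05 01 04')   # nothing: one byte shorter than Access 64k

# On a client, the same comparison can be run against the real registry entries:
# Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards' |
#     ForEach-Object { Get-ItemProperty $_.PSPath | Select-Object PSChildName, ATR, ATRMask }
```

When a card is not recognized, read the ATR the reader actually reports (Windows logs it in the Smart Card Resource Manager's events, and most reader tools display it) and run it through the comparison; a single differing byte under an all-ff mask, or a different ATR length after a card firmware revision, is enough for the lookup to fail. Because the registry entry decides which CSP handles the card's keys, these keys are also worth including in the post-installation checks, so that an unexpected entry pointing at a different provider is noticed.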
113
Unload DLL
Internet Explorer Unload DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AlwaysUnloadDLL]
Key Value      Type      Default Setting
(Default)      REG_SZ    1
Exchange Client Extensions
Client Extensions
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange\Client\Extensions]
Key Value      Type      Default Setting
NsOlExt        REG_SZ    4.0;[INSTALLDIR]\NsOlExt.dll;1;00000111111100
GSC BSI
[HKEY_LOCAL_MACHINE\SOFTWARE\GSC\BSI\SSP]
Key Value      Type      Default Setting
Cryptodll      REG_SZ    C:\Windows\System32\SSPBSI.dll
Storagedll     REG_SZ    C:\Windows\System32\SSPBSI.dll
Utilitydll     REG_SZ    C:\Windows\System32\SSPBSI.dll
Vendor         REG_SZ    SSP-Litronic
GSC Cryptography PKCS#11
PKCS#11
[HKEY_LOCAL_MACHINE\SOFTWARE\GSC\Cryptography\PKCS#11\SSP]
Key Value      Type      Default Setting
PKCS#11DLL     REG_SZ    C:\Windows\System32\Core32.dll
Vendor         REG_SZ    SSP-Litronic
114
Installer
The installation values shown in the following table can be modified by the NetSign Configuration Wizard
and saved in the NetSignConfig.ini file. The values shown in the table represent the default NetSign
installation values without any user-specified configuration changes made by the administrator with the
NetSign Configuration Wizard.
NetSign Installation Configuration
[HKEY_LOCAL_MACHINE\SOFTWARE\Litronic\Installer]
Key Value            Type      Default Setting
Application1         REG_SZ    CrdStart.exe
Application2         REG_SZ    IEXPLORER.EXE
Application3         REG_SZ    netscape.exe
Application4         REG_SZ    NetSign.exe
Application5         REG_SZ    OUTLOOK.EXE
Application6         REG_SZ    pinChange.exe
Application7         REG_SZ    psm.exe
CardStartLaunch      REG_SZ    No
Check4Reader         REG_SZ    Yes
CheckConfig          REG_SZ    Yes
CheckVersion         REG_SZ    Yes
CheckVersionNS       REG_SZ    No
Display              REG_SZ    Yes
InstallCert          REG_SZ    Yes
MaxVerNS             REG_SZ    7.2.0.0
MinStrength          REG_SZ    128
MinVerIE             REG_SZ    5.5.0.0
MinVerNS             REG_SZ    4.76.0.0
NS_FLAG_ALL_CERT     REG_SZ    No
NS_REBOOT_STATE      REG_SZ    NOT_REBOOTED
Pushed               REG_SZ    No
Target Directory
NetSign Installation Configuration
[HKEY_LOCAL_MACHINE\SOFTWARE\Litronic\Installer\Target Directory]
Key Value            Type      Default Setting
TargetPath           REG_SZ    c:\Program Files\Litronic\NetSign
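The file and registry tables in this appendix double as a checklist for the statement in the SMS procedure that all NetSign files and registry keys should be gone once the uninstallation package has run. The following PowerShell script is an added example, not part of the guide or of the NetSign product: it tests a representative subset of the Appendix B paths on a client after an uninstall and reports whatever is still present. It assumes the default locations from the registry tables (C:\Windows\System32, C:\Program Files\Litronic\NetSign and C:\Program Files\Common Files\Litronic\CKR), and the service name NsAuSvc is an assumption taken from the NsAuSvc /service registration line.

```powershell
# Added example (not from the NetSign guide): verify that the artifacts listed in
# Appendix B are gone after an SMS or Active Directory push uninstall.
$systemDir  = 'C:\Windows\System32'                          # assumed default
$netsignDir = 'C:\Program Files\Litronic\NetSign'            # default from the registry tables
$ckrDir     = 'C:\Program Files\Common Files\Litronic\CKR'   # default from the registry tables

# Representative subset of the file tables
$expectedFiles = @(
    foreach ($n in 'AdvCryptos.dll','CACCSP.dll','caccsp.sig','core32.dll','crm.dll',
                   'SSPBSI.dll','SSPCertReg.dll','SSPMapi.dll','capicom.dll') { Join-Path $systemDir $n }
    foreach ($n in 'cac.ckm','LitPCSC.ckr') { Join-Path $ckrDir $n }
    foreach ($n in 'CrdStart.exe','netsign.exe','NsAuSvc.exe','NsOlExt.dll','NsPolicy.dll',
                   'NsSysInfo.dll','pinChange.exe','Certificates') { Join-Path $netsignDir $n }
)

# Keys from the "Changes to Registry" tables. HKCU entries are per user: run this in the
# context of each user profile that had NetSign, or load those hives first.
$expectedKeys = @(
    'HKCU:\Software\SSP Solutions\CardStart',
    'HKLM:\SOFTWARE\SSP Solutions\CRM',
    'HKLM:\SOFTWARE\SSP Solutions\NetSign',
    'HKLM:\SOFTWARE\Litronic\Installer',
    'HKLM:\SOFTWARE\GSC\BSI\SSP',
    'HKLM:\SOFTWARE\GSC\Cryptography\PKCS#11\SSP',
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Common Access Card - JForte',
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Common Access Card - Oberthur',
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Schlumberger Access 64k'
)

function Get-NetSignLeftovers {
    param([string[]]$Files = $expectedFiles, [string[]]$Keys = $expectedKeys)
    $left = @()
    foreach ($f in $Files) { if (Test-Path -LiteralPath $f) { $left += "file: $f" } }
    foreach ($k in $Keys)  { if (Test-Path -LiteralPath $k) { $left += "key:  $k" } }
    # The Exchange client extension is a value under a shared key, so test the value itself
    $ext = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Exchange\Client\Extensions' `
                            -Name 'NsOlExt' -ErrorAction SilentlyContinue
    if ($ext) { $left += 'value: HKLM\SOFTWARE\Microsoft\Exchange\Client\Extensions\NsOlExt' }
    # NsAuSvc.exe registers itself as a service (NsAuSvc /service); service name assumed
    if (Get-Service -Name 'NsAuSvc' -ErrorAction SilentlyContinue) { $left += 'service: NsAuSvc' }
    return $left
}

$leftovers = Get-NetSignLeftovers
if ($leftovers.Count -eq 0) { 'NetSign uninstall verified: none of the checked Appendix B artifacts remain' }
else { 'NetSign artifacts still present:'; $leftovers }
```

The check matters beyond tidiness: a leftover Calais entry or CSP DLL keeps the old provider reachable to applications after the product it belonged to is gone, and a leftover Exchange client extension entry still names a DLL path that Outlook will try to load. Run the script as an administrator so the HKLM keys and System32 files are readable, and extend the two lists with the remaining rows of the tables if your site needs a complete sweep.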
115
116
Appendix C Certificate Installation
This appendix describes how to import certificates to Netscape Versions 7.0 or 7.2 after NetSign has been
installed. NetSign does not automatically import certificates to these Netscape releases during an
installation. Administrators must manually import Netscape certificates.
Importing Certificates to Netscape
The Netscape Manage Certificates utility is used to import certificates into Version 7.0 or 7.2.
1. Add DER encoded binary X.509 certificate files to the
Install_dir\Litronic\NetSign\Certificates directory.
2. Open Netscape on your desktop.
3. Select Preferences from the menu bar Edit option.
4. Click Privacy & Security in the left pane of the Preferences dialog box to expand it and display its
entries.
You should see Certificates listed beneath Privacy & Security.
5. Click Certificates.
6. Click Manage Certificates.
The Certificate Manager dialog box appears on the screen.
7. Click the Authorities tab.
117
8. Click Import.
The Select File containing CA certificate(s) to import dialog box appears on the screen.
9. Navigate to the Install_dir\Litronic\NetSign\Certificates directory.
10. Select All Files from the Files of type field drop-down list.
11. Select the certificate that you want to import into Netscape from the list of certificates that appear in the
upper window of the dialog box.
12. Click Open.
The Downloading Certificate dialog box appears on the screen.
13. Select the trust for the certificate and click OK.
The certificate you imported should appear in the list beneath the Authorities tab of the Certificate
Manager dialog box.
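The steps above import one certificate at a time through the browser. The NetSign installation directory also contains certutil.exe next to nss3.dll, softokn3.dll and modutil.exe, so the following PowerShell script imports the whole Certificates directory into a Netscape profile from the command line. It is an added example, not from the guide or from Litronic: it assumes that certutil.exe is the standard NSS certutil (the guide does not say so), that the installation directory is the default C:\Program Files\Litronic\NetSign, and $profileDir is a placeholder for the user's Netscape profile directory (the one holding the browser's certificate database files).

```powershell
# Added example (not from the NetSign guide): import every DER certificate from the
# NetSign Certificates directory into a Netscape profile with NSS certutil.
$netsignDir = 'C:\Program Files\Litronic\NetSign'        # default install location
$certutil   = Join-Path $netsignDir 'certutil.exe'       # assumed to be NSS certutil
$certDir    = Join-Path $netsignDir 'Certificates'
$profileDir = 'C:\PATH\TO\NETSCAPE\PROFILE'              # placeholder, set per user

function Import-CaCertificates {
    param([string]$CertDir = $certDir, [string]$ProfileDir = $profileDir)
    $results = @()
    foreach ($f in Get-ChildItem -Path $CertDir -Filter '*.crt509') {
        $nick = $f.BaseName                              # e.g. "DOD CLASS 3 Root CA"
        # -A add a certificate, -n nickname, -t trust flags, -d database directory, -i DER input.
        # "CT,C,C" marks the certificate as a trusted CA for SSL servers and clients, for
        # e-mail, and for object signing. Trust bits are the policy decision the GUI's
        # "Select the trust" step asks for; give them only to the CA certificates you mean to trust.
        & $certutil -A -n $nick -t 'CT,C,C' -d $ProfileDir -i $f.FullName
        $results += [pscustomobject]@{ Nickname = $nick; ExitCode = $LASTEXITCODE }
    }
    return $results
}

function Get-ProfileCertificates {
    # Lists the nicknames and trust flags now stored in the profile, for verification
    param([string]$ProfileDir = $profileDir)
    & $certutil -L -d $ProfileDir
}

Import-CaCertificates | Format-Table -AutoSize
Get-ProfileCertificates
```

Close Netscape before running the import, since the browser holds its certificate database open, and run the script once per user profile because each profile keeps its own database. The ExitCode column identifies any file certutil rejected, and the listing at the end is the command-line counterpart of checking the Authorities tab in the Certificate Manager.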
118
Index
A
Active Directory push installation
defining Organizational Unit 32
description 30
overview 31
required files 31
requirements 30
specifying packages 33–35
Auto Contact 16, 62
Auto Decrypt 16, 62
Auto Update
description 17, 63
directory on server 17, 64
interval 17, 64
modes 17, 64
web server name 17
Auto-register certificate for IE policy 58
Auto-register certificates with Outlook policy 58, 61
C
capicom.dll file 90
card readers
certificate registration 61
checking for during installation 11
registry entries 110
supported types 22
certificate authority 2, 5
certificates
Auto Unreg on log off policy 15
Auto Unreg on smart card removal policy 15
auto-register for IE 58
auto-register for Outlook 58
cache policy 15, 60
caching for improved performance 60
importing to Netscape 117
installed with NetSign 106–107
publishing to GAL at registration 16
registering root certificates to Netscape with
nsreg.exe 10, 24
registering under Windows XP or Windows 2003
server 14
registering with card insertion 61
registering with Internet Explorer 14
registration policies 60
to update NetSign 63
unregistering on card removal 15
Citrix
Citrix Server dialog box 20
client computer configuration 80
configuration for Desktop client 79
configuration for web-based client 77
configure domain controller for smart card logon
76
registering applications 20
specify applications that must be registered 20
supported products 75
Citrix Server dialog box 20, 80
configuration
action to perform when a card is inserted 13, 59
action to perform when a card is removed 14, 59
allow user to override insertion/deletion events
14, 59
Auto Contact 16, 62
Auto Decrypt 16, 62
Auto UnReg on Logoff 15
Auto Unreg on Removal 15
Auto Update 17, 63
Auto-register certificates for IE 14, 60, 61
cache certificates 15, 60
card reader checking 11
card reader checking during installation 11
from Policies page 51–65
installation directory 9
installation settings 9–11
local policy method 51
NetSign functions available to users 12
Outlook Autoconfigure 15, 61
Outlook profile 62
PIN change AutoRemind 18, 65
PIN policy 18, 64
publish to GAL 16, 62
push installation option 9
recommended policies 58
register applications to Citrix 20
Release Notes display 11
remote policy method 52–55
upgrade directory location 9
values for a push installation 11
web browser key strength checking 10
web browser version checking 10
web links 12, 65
with NetSign Configuration Wizard 7–20
CSR 68
D
Department of Defense vii
119
digital certificate 2
digital signatures 2
Distribute Software wizard 44
E
e-mail
add contact to user’s address book 16, 62
adding public key 5
auto-decrypt messages option 62
auto-decrypt messages option 16
configuring Outlook AutoRegister 61
default signing 58
recommended Outlook policies 58
send in Clear text 58
sending encrypted message 5
sending encrypted messages 5
sending messages in clear text 58
supported applications 23
encryption key strength 10
Evincible Ink 4
F
Feedback web page 12
files
added to computer by NetSign installation
105–106
capicom.dll 90
ISScript1050.msi 31
left behind after NetSign uninstallation 90
NetSign.msi 31
NetSignConfig.msi 31
NSConfigWizard.exe 8
nsreg.exe 10, 24
G
GAL, See Global Address List
Global Address List 16
Global Address List (GAL) 16, 62
Global Unique Identifier 96, 100
GUID, See Global Unique Identifier
H
hardware requirements 22
I
Install Settings dialog box 10–11
Install wizard 25
installation
Active Directory push procedure 30–35
Active Directory push system requirements 30
Auto Update configuration 17
certificates added 106–107
changes to registry 108–115
configuration registry entries 115
considerations 24
files added 105–106
license agreement 25
local procedure 25–28
methods 21
setting directory location 9
setting NetSign functions to install 12
setting option to display Release Notes 11
setting Push install field 9
silent procedure 29
SMS push procedure 36–49
Internet Explorer
checking key strength 10
installing root certificates configuration 10
registering certificates policy 14, 60
registering to run in a Citrix environment 20, 80
setting Active X security 86
supported versions 23
unload DLL registry entry 114
verifying minimum version 10
intranet access
recommended policies 58
K
Kyberpass 4
L
Litronic
Product Feedback URL 12
service and support phone numbers viii
Technical Support URL 12
local policy configuration 51
M
msiexec command 29, 92
N
120
Netscape
checking key strength 10
importing certificates 117
installation considerations with PSM 24
installing root certificates configuration option 10
registering certificates with nsreg.exe 10
registering PSM to run in a Citrix environment 20,
80
restriction with Auto Contact policy 16
supported versions 23
verifying version range 10
NetSign
installation methods 89
installing by SMS push 36–49
installing locally 25–28
installing silently 29, 91, 92
license agreement 25
NetSign Configuration Wizard
Citrix Server dialog box 20
default registry key values 115
description 7
Install Settings dialog box 9–11
Policy Settings dialog box 13–19
Product Features dialog box 12
using 8
using for local installations 8
using for push installations 8
NetSign.msi 31
NSConfigWizard file 8
nsreg.exe file 10, 24
O
Organizational Unit 32
OU, see Organizational Unit
Outlook
Auto Contact 62
Auto Decrypt 62
AutoConfigure 15, 61
auto-register 61
Global Address List (GAL) 16
publishing certificates to GAL 16, 62
recommended configuration settings 58
registering to run in a Citrix environment 20, 80
selecting profile 62
selecting profile to AutoConfigure 62
Outlook Express
restriction with Auto Contact policy 16, 62
restriction with Auto Decrypt policy 16, 62
restriction with Auto-register Certificates with
Outlook policy 61
Outlook Web Access
configuring Exchange Server 2003 84
installing S/MIME control 86
S/MIME deployment options 85
setting Active X security on user computers 86
user requirements 85
P
password based encryption 3
password security 3
PIN 6
cache mode policies 18–19, 64–65
cache mode policy 65
PIN change AutoRemind 18, 65
registering pinChange.exe file to run in a Citrix
environment 20, 80
time out period 18, 65
PKCS#11
registry entries 114
PKE applications 4
PKI, See Public Key Infrastructure
policies
auto-register certificates with Outlook 61
certificate registration 60
intranet access 58
local administration 51
Outlook AutoRegister 61
Outlook configuration 61–64
PIN 64–65
PIN cache mode 64
PIN change AutoRemind 18, 65
recommendations for intranet 58
recommended 58
recommended configuration 58
remote administration with Active Directory
52–55
remote and local configuration mapping 56–57
remote and local mapping 56
remote configuration 52–55
remote configuration requirements 52
smart card events 59
smart card insertion 59
smart card removal 59
web links 65
Policies page 51
Policy Settings dialog box 13–18
private key 5
Product Features dialog box 12
profile 62
public key 5, 6
public key enabled 4
Public Key Infrastructure 4
public key security 5
Publish to GAL policy 16, 62
121
R
recommended policies 58
registry
adding entries requires administrator privileges 24
default values of keys specified by the NetSign Configuration Wizard 115
key to store NetSign installation configuration 7
keys added by NetSign installation 108–115
keys left behind after uninstalling NetSign 90
pushing configuration settings 15
Release Notes
reading after installing NetSign 27
setting option to display after installation 11
S
S/MIME
deployment options 85
installing on user computer 86
SecretAgent 4
Secure Sockets Layer 6
description 67
enabling SSL web server 67
enforcing SSL connections 71
recommended policies 58
silent installation procedure 29
smart cards
description 6
insertion policies 13, 59
registry entries 111–113
removal options 14, 59
supported types 22
SmartCardOnly registry value 84
SMS push install
advertising the package 44
creating a new package 37
Distribute Software wizard 44
installation requirements 36
overview of steps 36
set package distribution points 39
software requirements 22–23
SSL, see Secure Sockets Layer
T
Technical Support
URL to Litronic web site 12
typeface conventions vii
U
uninstallation
Active Directory push method 93
considerations 90
files and registry keys left behind 90
local method 91
methods 89
silent method 92
SMS push method 95
122
W
web browser
key strength checking 10
version checking 10
Windows
Add/Remove facility 90, 91
registry changes by a NetSign installation
108–115
supported versions 22