Gemalto IAS smart card with Microsoft CLM
Transcription
Gemalto IAS smart card with Microsoft CLM
Application Note Gemalto IAS Smartcard with Microsoft’s CLM ii Preface All information herein is either public information or is the property of and owned solely by Gemalto NV. and/or its subsidiaries who shall have and keep the sole right to file patent applications or any other kind of intellectual property protection in connection with such information. Nothing herein shall be construed as implying or granting to you any rights, by license, grant or otherwise, under any intellectual and/or industrial property rights of or concerning any of Gemalto’s information. This document can be used for informational, non-commercial, internal and personal use only provided that: • The copyright notice below, the confidentiality and proprietary legend and this full warning notice appear in all copies. • This document shall not be posted on any network computer or broadcast in any media and no modification of any part of this document shall be made. Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities. The information contained in this document is provided “AS IS” without any warranty of any kind. Unless otherwise expressly agreed in writing, Gemalto makes no warranty as to the value or accuracy of information contained herein. The document could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Furthermore, Gemalto reserves the right to make any change or improvement in the specifications data, information, and the like described herein, at any time. Gemalto hereby disclaims all warranties and conditions with regard to the information contained herein, including all implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Gemalto be liable, whether in contract, tort or otherwise, for any indirect, special or consequential damages or any damages whatsoever including but not limited to damages resulting from loss of use, data, profits, revenues, or customers, arising out of or in connection with the use or performance of information contained in this document. Gemalto does not and shall not warrant that this product will be resistant to all possible attacks and shall not incur, and disclaims, any liability in this respect. Even if each product is compliant with current security standards in force on the date of their design, security mechanisms' resistance necessarily evolves according to the state of the art in security and notably under the emergence of new attacks. Under no circumstances, shall Gemalto be held liable for any third party actions and in particular in case of any successful attack against systems or equipment incorporating Gemalto products. Gemalto disclaims any liability with respect to security for direct, indirect, incidental or consequential damages that result from any use of its products. It is further stressed that independent testing and verification by the person using the product is particularly encouraged, especially in any application in which defective, incorrect or insecure functioning could result in damage to persons or property, denial of service or loss of privacy. © Copyright 2008 Gemalto N.V. All rights reserved. Gemalto and the Gemalto logo are trademarks and service marks of Gemalto N.V. and/or its subsidiaries and are registered in certain countries. All other trademarks and service marks, whether registered or not in specific countries, are the property of their respective owners. GEMALTO, B.P. 100, 13881 GEMENOS CEDEX, FRANCE. Tel: +33 (0)4.42.36.50.00 Fax: +33 (0)4.42.36.50.90 February 18, 2009 ii Contents Preface ........................................................................................................................................ 5 Who Should Read This Book ................................................................................................. 5 Conventions ........................................................................................................................... 5 Contact Our Hotline ............................................................................................................... 5 Overview .....................................................................................................................................6 Microsoft’s CLM ..................................................................................................................... 6 Gemalto SmartCard ............................................................................................................... 7 IAS card with CLM ..................................................................................................................... 8 Introduction ............................................................................................................................ 8 Use case overview ................................................................................................................. 8 Architecture & requirements .................................................................................................. 8 Main Step of the configuration ............................................................................................... 9 Configuration on the Enrollment machine ............................................................................ 10 CLM Client ........................................................................................................................... 10 Smartcard reader ................................................................................................................. 10 Middleware installation......................................................................................................... 10 Modification in registry ......................................................................................................... 11 CLM configuration ................................................................................................................... 13 Publish a new Certificate Template ..................................................................................... 13 CLM Template Creation ....................................................................................................... 13 Profile details........................................................................................................................ 13 Enroll Policy ......................................................................................................................... 15 Retire policy ......................................................................................................................... 16 Enrollment process ................................................................................................................. 17 Smartcard logon test ............................................................................................................... 21 Retire a IAS ECC Smart Card .................................................................................................23 List of Figures Figure 1-Commissioning's infrastructure ................................................................................... 8 Figure 2- IAS Profile Template ................................................................................................ 14 Figure 3- Enroll policy .............................................................................................................. 15 Figure 4- Retire policy ............................................................................................................. 16 Figure 2-Request a Permanent smart card ............................................................................. 18 Figure 3-Select the profile template......................................................................................... 18 Figure 4-Processing ................................................................................................................ 19 Figure 5- PIN code .................................................................................................................. 19 Figure 6-Processing ................................................................................................................ 19 Figure 7- IAS smart card ......................................................................................................... 20 Figure 8-Welcome to Windows................................................................................................ 21 Figure 9-Log on to Windows.................................................................................................... 21 Figure 10-Manage user smart cards ....................................................................................... 23 Figure 11-Insert smart card ..................................................................................................... 23 Figure 12-Details of smart card ............................................................................................... 24 Figure 13-Retiring smart card .................................................................................................. 24 Figure 17- smart card retired ................................................................................................... 25 4 Preface The Gemalto two-factor authentication solution provides strong authentication based on smart cards for the enterprise, banking, and internet service provider (ISP) markets. This solution enables organizations to deploy a strong authentication solution for their endusers, whether local or remote. The system can service a broad range of deployments, from small corporations with less than 100 users to ISPs with potentially millions of users. Who Should Read This Book This guide is intended for system administrators wanting to provide to end users IAS smartcard through the Microsoft’s CLM product. Administrators should be familiar with CLM and should know PKI and smartcard concept. Conventions The following conventions are used in this document: In this manual, the following highlighting styles are used: Bold – Instructions, commands, file names, folder names, key names, icons, menus, menu items, field names, buttons, check boxes, tabs, registry keys and values. Italic – Variables that you must replace with a value, book titles, news or emphasized terms. In this manual, hyperlinks are marked as described below Internal Links – Displayed in quotation marks. When viewing this book online, click an internal link to jump to a different section of the book. External Links – Displayed in blue, underlined text. When viewing this book online, click an external link to launch your default browser (or email program) to navigate to that Web address or compose an email. In this manual, notes and cautions are marked like this: Notes: Information that further explains a concept or instruction, tips, and tricks. Caution: Information that alerts you to potentially severe problems that might result in loss of data or system failure. Contact Our Hotline If you do not find the information you need in this manual, or if you have any questions, contact our hotline commissioning.support@gemalto.com 5 Overview Microsoft’s CLM CLM provides an identity assurance management system to maximize the trust and flexibility associated with digital certificates and smart cards by providing enhanced management facilities for Windows Server 2003. CLM simplifies the administrative processes required to convey trust, and ensures distribution of certificates and cards in a secure and structured manner. The result is a highly configurable and robust registration and management solution that provides simple deployment, improved manageability, and increased flexibility: Ease of Deployment Microsoft CLM is the only Microsoft Windows®-based certificate management solution that provides turnkey deployment and is designed to require no development work to implement in an organization. CLM simplifies digital certificate and smart card deployment in the enterprise environment by using services such as Microsoft Active Directory® directory service and Windows Server 2003 Certificate Services extensively, providing enterprise customers with an integrated security solution. CLM is also able to easily grow with an organization and can scale without requiring software modifications. As a typical Web application, CLM consists of several layers: database, business components, and presentation (Web). These layers can be placed on physically separate servers in various combinations, maximizing deployment flexibility and scalability. In addition, Network Load Balancing, Windows Clustering, and Application Center technologies can be used to further facilitate scaling. Manageability CLM provides Web-based, policy-driven workflow management that helps organizations manage administrative and end-user experiences. In addition, the technology lowers the overall cost of Windows-based digital certificate and smart card infrastructures by providing tools that automate common administrative functions and enable users to self-administer common tasks. By simplifying the administrative processes required to convey trust, CLM ensures distribution in a secure and structured manner. CLM’s enhanced management facilities for Windows Server 2003 help administer multiple certificates, multiple certificate authorities (CAs), and certificates for computers and devices. To reduce administrative overhead, CLM provides a self-service Web portal for subscribers and managers and temporary cards to solve the problem of employees forgetting cards at home or other locations. CLM provides a flexible and transparent way to update card content information, including adding a new certificate template, renewing certificates, and performing applet management functions. CLM also includes features to personalize and manage Java applets required to operate Java cards, allowing organizations to personalize smart cards as part of the enrollment process and simplify the overall deployment process. Flexibility Microsoft CLM offers broad flexibility by providing IT administrators with the ability to modify certificate and smart card management process and adapt CLM to their organizational policy requirements and unique infrastructures. CLM solution that provides simplified management and end-user experiences through advanced policy and workflow. 6 CLM is designed based on the principle that every enterprise is unique, and therefore has unique security and management requirements. Certificate registration varies greatly with each organization, and CLM was designed to address this challenge by providing a certificate registration and management framework that can be used in many different ways when required. The remainder of this paper will explore CLM’s role in a Smart Card and Digital Certificate infrastructure from a technical perspective, including: • The architecture that makes the above benefits possible • The fundamental applications that CLM interacts with • How authentication roles and permissions can be centrally managed • CLM’s role in the smart card and certificate lifecycle Gemalto Smartcard Gemalto offers a complete family of compatible smart cards, smart card readers, authentication and secure memory tokens, software, and more. These products are based on our proven smart card expertise and enable component optimization and integration with existing hardware infrastructures. The Gemalto strong authentication portfolio supports current industry standards and provides solutions that operate in both Java and .NET environments. List of smart card product TOP Java Card Trusted Open Platform Java Card Classic TPC For PKI applications Classic TPC MDE Microsoft mini-driver and PKCS#11 support IAS TPC Java Card fully compliant with IAS specifications .NET Smart Card Fully integrated with Microsoft platform .NET Bio smart card Biometric Authentication solution for Microsoft Windows Hybrid Card Body Hybrid card body for converged physical and logical access systems Instant Badge Issuance Smart card badge issuance system compatible with Microsoft ILM & CLM In this document, we are focusing only on IAS Smart Card. 7 IAS card with CLM Introduction This is an example that shows how to use a Gemalto IAS ECC Smart Card with Microsoft CLM. Caution: Consequently, this document should not be considered as an instruction manual on how to configure your system. Use case overview The Use Case shows a basic configuration of CLM: the end user will be able to enroll himself his IAS Smartcard on the enrollment station. The main interest of this use case is to see how CLM can handle the IAS ECC Smart card and how it is configured. By default CLM doesn’t handle IAS Card. We will see how to get round this limitation Notes: Only these “Provider Name” are managed by CLM: Microsoft Smart Card Base CSP, Axalto, GemPlus GemSafe, SafeSign Identity Client, Aladdin eToken and Siemens HiPath. Architecture & requirements Figure 1- Architecture for the Use Case 8 To have a full infrastructure working you need: • A Microsoft domain controller based on W2K3 • A Certificate Authority on W2K3 • A Microsoft ILM FP1 server on W2K3 Please note that both the CA and the CLM server are installed on the same machine in our example. • The client is a computer running Microsoft Windows XP sp2 o The Microsoft CLM client available on the server is installed o The smart card reader driver is installed o Middleware for IAS card is installed (Classic Client V6) o IAS ECC Smartcards (IAM Profile) • User accounts: o An ILM manager account (clmadmin) o An ILM user account (marc) • Please note that the user has to have Administration rights on the Client in order to install ILM client, MS Patch and the smart card reader driver. Main Step of the configuration Firstly, all software mentioned above must be installed correctly and running. The installation step is not documented here. We will show only the configuration. In order to prepare the use case, the main steps of the configuration are: • Enrollment machine configuration: o CLM client, middleware, smartcard reader installation. o Registry modification in order to link the CLM’s Profile Template with the IAS ECC card. • CLM Configuration: o Publish a new certificate template. o Create a ILM profile template with the certificate template just created. o Modify Enrollment and Retirement Policies. • Enrollment phase: User marc enrolls his IAS Smartcard. • Do a smartcard logon to check the smartcard is working fine. • Retire phase: CLM administrator retires the smartcard. 9 1 Configuration on the Enrollment machine Caution: Administration rights are required. CLM Client The CLM client has to be installed on the Enrollment machine. Smartcard reader The Smart Card reader driver must also be installed. Please refer to the Smart card reader manufacturer in order to install the correct driver. Here we use the Gemalto PC-Twin reader. You can find the drivers on the website www.gemalto.com. Middleware installation You have to install Classic Client V6. Log on as an administrator on the machine in order to have sufficient privileges to install it. Once installed you can verify your IAS card is correctly managed by the middleware just installed. 1. Launch the toolbox: Start->All Programs->Gemalto->Classic Client-> Classic Client Toolbox 2. Insert your IAS smartcard into the reader 3. Click on Card Properties and Next. 10 4. See the characteristic of your card: Modification in registry Modify the registry by using the file described below: -------------Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CLM\v1.0\SmartCardClient\Providers\AsciGemPlus1 ] "CSPs"=hex(7):47,00,65,00,6d,00,61,00,6c,00,74,00,6f,00,20,00,43,00,6c,00,61,\ 00,73,00,73,00,69,00,63,00,20,00,43,00,61,00,72,00,64,00,20,00,43,00,53,00,\ 50,00,00,00,00,00 "DLLs"=hex(7):47,00,43,00,4c,00,49,00,42,00,2e,00,44,00,4c,00,4c,00,00,00,00,\ 00 "DLLs_WINDOWS"=hex(7):47,00,43,00,4c,00,49,00,42,00,2e,00,44,00,4c,00,4c,00,00,\ 00,00,00 "DLLs_WINNT"=hex(7):47,00,43,00,4c,00,49,00,42,00,2e,00,44,00,4c,00,4c,00,00,\ 00,00,00 -------------- 11 Caution: This modification links the provider name “Gemplus Gemsafe” in CLM to the IAS middleware. So, if you create a profile template on CLM with “Gemplus Gemsafe” as provider name, the expected smartcard won’t be a Gemsafe card but will be an IAS ECC card. Consequently, The name “Gemplus gemsafe” cannot be use for gemsafe or classic client card. We cannot add a new provider name for IAS at this moment. Before using client authentication with certificate, we have to generate and store a certificate within the smartcard from the Enrollment machine. 12 2 CLM configuration Publish a new Certificate Template In our case we have decided to publish the “SmartCard User” certificate template on the Microsoft CA (this certificate can also be used for a smartcard logon): 1. 2. 3. 4. 5. 6. 7. Logon on the CA Server as administrator. On the server, choose Start -> Administrative Tools. Double click Certification Authority. Under Certification Authority/<Name of the CA>. Right click on Certificate templates. New -> Certificate template to issue. Select on the list “MySmart Card User”. In this case, “MySmartcard User” is a duplication of the original “Smartcard User”. 8. And click OK. The new template now appears in the list of available templates in the right panel. CLM Template Creation Profile details Now we are going to create a new “Profile template” under CLM. 1. Connect to the CLM Site and log on as administrator of CLM from the Enrollment machine (http://ca.iam.solutions.gem/clm). 2. Under Administration click on Manage Profile Template. 3. Select the smartcard profile and click on copy a selected profile template. 4. Enter a new name for the profile template. In our example the name is “IAS Smartcard Profile Template”. 5. Under Certificate template click on Add a new certificate template. 6. Check the box in front of the name of your CA and then all available certificate templates appear. 7. Then select “MySmartcard User” and click Add. The next step is not mandatory, but shows how to allow the use of retired smart cards in order to reuse a retired smart card. 13 8. 9. 10. 11. Under Smart card configuration click on change settings. Then check the box of Reuse Retire card. For the Provider Name, select “Gemplus Gemsafe” In the Administrative PIN part, Administrative PIN initial value is 00000000 (This value could be different) in ascii; Enable the Admin PIN Rollover (Only the admin PIN for IAS ECC card with IAM profile can be diversified) 12. In the User PIN part, choose ‘User provided’ for the User PIN Policy 13. Click on OK Figure 2- IAS Profile Template 14 Enroll Policy The enrollment process is the following one in this case: 1. The user asks for a Permanent smart card. 2. The user has to insert his smart card and enter the new PIN Code. 3. The smart card is ready. For this, we define an Enrollment policy: 1. On the profile template click on the menu: Enroll policy. 2. Under Workflow : General click on Change general settings. 3. Under Workflow: Initiate Enroll Requests add the CLM Subscriber group: CLM Users group in this case. 4. No Data collection. Figure 3- Enroll policy 15 Retire policy In this case, only CLM managers can revoke cards. 1. On the profile template click on the menu : Retire Policy 2. Under: Workflow: Initiate Retire Requests add the CLM Manager group: Clm admins in this case 3. Optional: remove the data collection. Figure 4- Retire policy The CLM server is now ready for the use case. 16 3 Enrollment process On the enrollment machine: Open IE and 1. Connect to the CLM web site. 2. Log on as marc 3. Click Request a Permanent smart card. 17 Figure 5-Request a Permanent smart card 4. Select the profile template: IAS Smart Card Profile Template Figure 6-Select the profile template During processing several windows like the following appear. 18 Figure 7-Processing 7. When the Creating certificate request window appears, enter a new pin code in New PIN and Confirm PIN. 8. Click OK. Figure 8- PIN code The process continues. Figure 9-Processing 19 At the end of processing, the Request Complete window appears: Figure 10- IAS smart card The smart card is now ready to use. 20 4 Smartcard logon test Let’s perform some tests in order to verify that the smart card is OK. 1. Restart the client to display the window logon. Figure 11-Welcome to Windows 2. When Welcome to Windows appears insert the smart card. The display should change. Figure 12-Log on to Windows You’ll be asked for the Pin code. Type it and Click OK 21 The session is opened, the smart card is functional. 22 5 Retire a IAS ECC Smart Card When an employee is leaving the company the card has to be retired from the system. This operation revokes certificates that are stored in the smart card and also re-initializes the smart card. 1. Insert the smart card to be retired in the reader 2. Log on to the ILM administration portal and under Manage User Smart Cards click on View details of the smart card currently in the reader. Figure 13-Manage user smart cards 3. The following windows appears : You don’t need to click on OK just wait a few second Figure 14-Insert smart card 4. The details of the smart card appear. At the bottom of the window click on Retire this smart card 23 Figure 15-Details of smart card 5. The ILM displays information about the smart card and the actions that will be done during the retirement process as show the figure 24. 6. Click Next Figure 16-Retiring smart card Wait for the process to end 24 7. When the processing finishes, the ILM displays a Request complete window. Click on Main Menu. Figure 17- smart card retired The smart card is now ready to be reused and reallocated to a new user. 25