HID C1150 User Manual


15370 Barranca Parkway

Irvine, CA 92618

ADMINISTRATION GUIDE

Product Version C1150

November 2013

HID GLOBAL CONFIDENTIAL AND PROPRIETARY INFORMATION. Use and disclosure of this information is strictly restricted by the terms of a non-disclosure agreement with HID Global Corporation. If you have received this information and are not an intended recipient or are not subject to or do not agree to be bound by the terms of the non-disclosure agreement, please immediately return this document to HID Global Corporation, 15370 Barranca Pkwy, Irvine, CA 92618-3106. © 2013 HID Global Corporation. All rights reserved.

HID Global Crescendo C1150 – Administration Guide

Contents

About this Guide ... 6
    1.1 Purpose ... 6
    1.2 Audience ... 7
    1.3 Scope of Document ... 7
    1.4 Typographic Conventions ... 7
2.0 Introduction ... 8
    2.1 Product Overview ... 8
    2.2 Installation and Upgrades ... 9
    2.3 Supported Deployment Modes ... 9
        2.3.1 Standalone Mode with Mini Driver ... 10
        2.3.2 Standalone Mode with Advanced Middleware ... 10
        2.3.3 Managed Mode with Microsoft Forefront Identity Manager (FIM) ... 11
        2.3.4 Managed Mode with HID Global naviGO ... 11
        2.3.5 Managed Mode with HID Global 4TRESS AAA Server ... 11
        2.3.6 Managed Mode with HID Global ActivID CMS and ActivID CMS Appliance ... 12
    2.4 Choosing Smart Card Middleware ... 12
        2.4.1 Services Available with Both Mini Driver and ActivClient ... 12
        2.4.2 Additional Services Available with ActivClient ... 13
3.0 Installing the Mini Driver ... 15
    3.1 Mini Driver System Requirements ... 15
    3.2 Automatic Download ... 15
    3.3 Manually Download and Install the Mini Driver ... 15
    3.4 Uninstall the Mini Driver ... 19
4.0 Managing a Smart Card with the Mini Driver ... 20
    4.1 Prerequisites ... 20
    4.2 Issuing a Smart Card using Microsoft Certificate Authority ... 21
        4.2.1 Enroll a Smart Card for a User with Internet Explorer ... 21
        4.2.2 Enroll a Smart Card for a User with MMC ... 22
    4.3 Importing Certificates Using Microsoft Windows ... 30
        4.3.1 Download a PKI Certificate with Internet Explorer ... 30
        4.3.2 Download a PKI Certificate with MMC ... 31
    4.4 Changing the PIN Code Using Microsoft Windows ... 40
        4.4.1 Change the PIN Code on Microsoft Windows Vista, Windows 7 or Windows 8 ... 40
        4.4.2 Change the PIN Code on Microsoft Windows XP ... 41
    4.5 Unlocking the PIN Code Using Microsoft Windows ... 44
        4.5.1 Unlock the PIN Code on Microsoft Windows Vista, Windows 7 or Windows 8 ... 44
        4.5.2 Unlock the PIN Code on Microsoft Windows XP ... 47
5.0 Managing a Smart Card using Microsoft Forefront Identity Manager (FIM) ... 50
    5.1 Prerequisites ... 50
    5.2 Initialize a Permanent Card ... 51
    5.3 Change the PIN Code Using FIM ... 53
    5.4 Unlocking the Smart Card Using FIM - Online ... 55
        5.4.1 Unlock the Smart Card as an Administrator ... 55
        5.4.2 Unlock the Smart Card as an End User ... 59
        5.4.3 Using the Unblock Wizard ... 60
    5.5 Unlocking the Smart Card Using FIM - Offline ... 61
        5.5.1 Verify that the Offline Unlock Policy is Enabled ... 61
        5.5.2 Launch Offline Unlock Request ... 64
    5.6 Reset the Smart Card Using FIM ... 71
6.0 Managing a Smart Card with ActivClient ... 73
    6.1 Issue a Smart Card with ActivClient ... 73
    6.2 Change the PIN Code with ActivClient ... 76
    6.3 Unlock the Smart Card Using ActivClient ... 78
    6.4 Reset the Smart Card Using ActivClient ... 80
    6.5 Importing Certificates Using ActivClient ... 83
        6.5.1 Request a Certificate ... 83
        6.5.2 Import the Certificate ... 84
7.0 Managing a Smart Card with naviGO ... 85
    7.1 Prerequisites ... 85
    7.2 Initialize a Smart Card ... 85
8.0 Managing a Smart Card with 4TRESS AAA Server ... 97
    8.1 Issue a Smart Card Using 4TRESS AAA Server ... 98
    8.2 Change the PIN Code ... 102
    8.3 Unlock the Smart Card with 4TRESS AAA Server ... 102
        8.3.1 Unlock the Smart Card with the Administration Console ... 102
        8.3.2 Unlock the Smart Card with the Web Help Desk ... 103
        8.3.3 Unlock the Smart Card with the Web Self Help Desk ... 103
    8.4 Importing Certificates ... 105
9.0 Using the Smart Card ... 106
    9.1 Logging On to Microsoft Windows ... 106
    9.2 Authenticating to Secure Websites ... 106
    9.3 Sending and Reading Secure Emails ... 107
        9.3.1 Send Signed/Encrypted Emails ... 107
        9.3.2 Read Signed/Encrypted Emails ... 107
    9.4 Encrypting and Decrypting Files ... 107
        9.4.1 Encrypt a File or Folder ... 107
        9.4.2 Decrypt a File or Folder ... 108
10.0 Troubleshooting ... 109
    10.1 ActiveX Error During Certificate Requests ... 109
    10.2 Smart Card Enrollment Errors ... 109
        10.2.1 Wrong CSP ... 109
        10.2.2 Key Length Setting ... 109
        10.2.3 Enrollment Rights ... 110
11.0 Security Guidelines ... 111
    11.1 SHA-2 Compliance ... 111
        11.1.1 Card Content Signed with SHA-2 ... 111
        11.1.2 Using SHA-2 for Digital Signature Operations ... 112
    11.2 PIN Policies ... 113
    11.3 Log Handling ... 113
    11.4 Additional Recommendations ... 113


Copyright

© 2013 HID Global Corporation. All rights reserved.

Trademarks

HID GLOBAL, HID, the HID logo, Crescendo, OMNIKEY, ActivID ActivClient, 4TRESS and ActivID CMS are trademarks or registered trademarks of HID Global Corporation, or its licensors, in the U.S. and other countries.

Revision History

Date    Author  Description                                               Document Version
JAN13   SIS     Added managed with 4TRESS AAA Server procedures.          A.1
NOV13   SIS     Updated with default PIN details and HID Unblock tool.    A.2

Contacts

North America
15370 Barranca Parkway
Irvine, CA 92618
USA
Phone: 800 237 7769
Fax: 949 732 2120
support.hidglobal.com


About this Guide

The information contained in this document is provided “AS IS” without any warranty.

HID GLOBAL HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS WITH REGARD TO THE INFORMATION CONTAINED HEREIN, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT.

IN NO EVENT SHALL HID GLOBAL BE LIABLE, WHETHER IN CONTRACT, TORT OR OTHERWISE FOR ANY INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES ARISING FROM USE OF INFORMATION CONTAINED IN THIS DOCUMENT.

Windows is a registered trademark of Microsoft Corporation in the United States and other countries.

1.1 Purpose

This document describes the options for managing and using your HID® Crescendo™ smart card with a variety of software products.

The Crescendo C1150 smart card is versatile and can be deployed in standalone mode (that is, without any central card management system) or in an enterprise-managed environment (that is, with a central card management system).

The Crescendo C1150 smart card can be used in a variety of environments, providing a wide range of strong authentication, digital signature and encryption services, such as secure Windows logon, secure authentication to web sites, secure authentication to remote sessions, email digital signature, and email and file encryption.

This document presents the services available via the Crescendo C1150 Mini Driver, a free middleware from HID Global designed specifically for this card. The Mini Driver is compatible with a number of card management systems (such as Microsoft® Forefront Identity Manager or HID Global naviGO™) and end-user applications (such as Microsoft Windows®, Internet Explorer®, Microsoft Office® or Adobe® Acrobat).

The document also presents additional services available via the HID Global ActivID ActivClient™ middleware, bringing support for additional applications (such as Mozilla® Firefox® or remote access / VPN products).

NOTE: The instructions provided for third-party products are meant as guidance only. HID Global cannot be held liable for any malfunction resulting from configuring these products; refer to the vendor documentation for complete information.


1.2 Audience

This manual is designed for IT administrators who want to use the HID Crescendo C1150 card to obtain strong authentication in their Microsoft environment.

1.3 Scope of Document

This document assumes that the system administrator has already installed and configured the other necessary components (such as Microsoft Windows and a certificate server) and that a Crescendo C1150 card is available.

1.4 Typographic Conventions

Typography                          Description
Arial bold                          Action steps: paths, buttons, options (checkboxes). Field and drop-down list labels. Notes, important notes, and warnings. Emphasis and captions.
Italic black                        File names, document titles, and file extensions.
ARIAL BOLD SMALL CAPS, CUSTOM BLUE  "Callouts" used to flag important tips or technical information.
Arial blue                          Cross-references within the document (no underlines).


2.0 Introduction

2.1 Product Overview

This release of the Mini Driver is designed to support the Crescendo C1150 and is a key component of the HID logical and physical access convergence solution.

Crescendo smart cards include a PKI chip that provides extended cryptographic capabilities, expanding the number of supported services:

Authenticate to Microsoft Windows (online or offline).

Authenticate to secure web sites.

Authenticate to remote networks via a VPN.

Authenticate to remote sessions using Citrix® or Microsoft terminal server technologies.

Sign emails, forms and documents.

Encrypt emails, documents and disks.

The Mini Driver also enables users to personalize their smart cards by:

Defining a PIN code.

Downloading certificates.

If the same smart card is used on a workstation with ActivID ActivClient instead of the Mini Driver, you have access to additional services, such as:

PKI services with a PKCS#11 library (compatibility with Mozilla Firefox, Thunderbird®).

Automated configuration for PKI applications (such as Microsoft Outlook).

One-Time Password services enabling support for a wider range of remote access and VPN services.

User-based card management services (card content viewer, diagnostics tool, notifications, standalone management services, etc.).

 

 

 


2.2 Installation and Upgrades

The Mini Driver is a free component and can be automatically downloaded from Microsoft Windows Update (applicable to Windows 7, Windows Server 2008 R2 and later versions).

NOTE: If a supported middleware is already installed on the machine, the Windows Update download is not triggered.

It is also available for download as a Microsoft Windows installer package (.msi) from the HID web site http://www.hidglobal.com/main/crescendo/

This is useful for:

Older Windows versions where the automatic download is not available.

Workstations not connected to the internet, or with Windows Update disabled.

For further information about the installation process, see chapter 3.0 Installing the Mini Driver on page 15.

In addition, the installer package detects middleware already present on the machine and acts accordingly. For example, if ActivClient is detected, the Mini Driver cannot be installed: two middleware packages cannot serve the same card on one Windows workstation, and ActivClient already provides a superset of the Mini Driver's services.

NOTE: If the Crescendo C1150 card is used with its Mini Driver (installed either from Windows Update or by the MSI package), you can upgrade to ActivClient 6.2 (version 6.2.0.162 or later) to gain access to additional services. When ActivClient is installed, it takes precedence over the Mini Driver.

2.3 Supported Deployment Modes

This section describes several Crescendo C1150 deployment modes, either in standalone mode (that is, without any central card management system) or in an enterprise-managed environment (that is, with a central card management system).

Some of these deployment modes require the Crescendo C1150 Mini Driver, which is free middleware from HID Global. Some deployment modes require additional software products, such as ActivID ActivClient, Microsoft Forefront Identity Manager, and HID Global naviGO. Contact the product vendor for licensing information.

 


2.3.1 Standalone Mode with Mini Driver

This is the simplest (and also the least secure) mode: the Mini Driver is installed and used with the Crescendo C1150 card, without a card management system, to provide the following services:

The card ships with a default PIN code (00000000) that you can change at any time:

On Microsoft Windows Vista and 7, using the native Ctrl+Alt+Del Change Password feature.

On Microsoft Windows XP, using the Microsoft PIN Tool (pintool.exe) included with the Base Smart Card CSP package.

There is no "simple" PIN unlock feature. If you know the ADMIN Key (set by default to 24 zero bytes, 000000000000000000000000000000000000000000000000 in hexadecimal) and have a tool that computes the response to the card's challenge (3DES algorithm), you can unlock the card; the user then completes the unlock through the Microsoft Windows 7 or Windows 8 PIN Unlock user interface. Because the default ADMIN Key is printed in this guide, a card that still uses it can be unlocked by anyone with such a tool; it is recommended that you use card management software to manage these keys.

You can download a certificate onto the card from the Microsoft Certificate Authority (or another CA) by selecting the Microsoft Base Smart Card CSP.

You can use certificates for standard PKI services based on the Mini Driver, such as Windows logon, authentication to web sites (with Internet Explorer) and PKI-compatible VPNs, and email signature and encryption (with Microsoft Outlook).

For further information, see chapter 4.0 Managing a Smart Card with the Mini Driver on page 20.
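The certificate issuance described above (a certificate from a Microsoft CA with the key generated on the card through the Microsoft Base Smart Card CSP) can be scripted with certreq instead of being driven through Internet Explorer or the MMC. The following PowerShell is an added example, not from this guide or from HID Global. The CA configuration string CA01\Corp-Issuing-CA, the template name SmartcardLogon and the 2048-bit key length are placeholders for your own environment; this guide does not state which key lengths the card accepts (see 10.2.2 Key Length Setting), so confirm that before deployment.

```powershell
# Added example (not from the HID guide or HID Global): scripted smart card enrollment
# against a Microsoft CA with the key generated on the card via the Base Smart Card CSP.
#
# Assumptions (placeholders, not stated in the guide):
#   - the issuing CA is reachable as CA01\Corp-Issuing-CA
#   - a template named "SmartcardLogon" is published to this user
#   - the card accepts a 2048-bit RSA key
$caConfig = 'CA01\Corp-Issuing-CA'
$template = 'SmartcardLogon'
$smartCardCsp = 'Microsoft Base Smart Card Crypto Provider'

$work    = Join-Path $env:TEMP 'c1150-enroll'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$infPath = Join-Path $work 'request.inf'
$reqPath = Join-Path $work 'request.req'
$cerPath = Join-Path $work 'request.cer'

# The ProviderName line is the scripted equivalent of "selecting the Microsoft Base
# Smart Card CSP" in the IE/MMC enrollment wizard: it forces key generation on the card.
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$env:USERNAME"
; Generate the key pair on the smart card, not in the software key store
ProviderName = "$smartCardCsp"
ProviderType = 1
; Assumed supported by the card; adjust if enrollment fails on key length
KeyLength = 2048
; AT_KEYEXCHANGE: key usable for both signing and encryption
KeySpec = 1
Exportable = FALSE
MachineKeySet = FALSE
RequestType = PKCS10
SMIME = FALSE

[RequestAttributes]
CertificateTemplate = $template
"@ | Set-Content -Path $infPath -Encoding ASCII

# 1. Generate the key on the card (you are prompted for the card PIN) and build the request.
certreq -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# 2. Submit to the CA; if the template auto-issues, the certificate is written to $cerPath.
certreq -submit -config $caConfig $reqPath $cerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed with exit code $LASTEXITCODE (the request may be pending CA manager approval)" }

# 3. Bind the issued certificate to the private key on the card.
certreq -accept $cerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

# 4. Check: the newest certificate for this subject must reference the smart card CSP.
#    A software provider here means the key was generated off the card.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq "CN=$env:USERNAME" } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1
if (-not $cert) { throw 'No certificate found for the current user after enrollment' }

$storeInfo = certutil -user -store My $cert.Thumbprint | Out-String
if ($storeInfo -notmatch ('Provider\s*=\s*' + [regex]::Escape($smartCardCsp))) {
    throw "Certificate $($cert.Thumbprint) is not bound to '$smartCardCsp'; see Troubleshooting, Wrong CSP"
}
"Enrolled $($cert.Thumbprint) with its private key on the card ($smartCardCsp)"
```

The final check is the one worth keeping in any enrollment script: if certutil reports a software provider rather than the smart card CSP, the key never reached the card and the certificate gives none of the protection the card was deployed for.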

2.3.2 Standalone Mode with Advanced Middleware

Using advanced middleware such as ActivID ActivClient, you have access to additional card management services, and you can use your card with more applications.

You can initialize a Crescendo C1150 card with the ActivClient PIN Initialization Tool, resetting the PIN from the default value and obtaining a static unlock code.

You can change the PIN using the ActivClient PIN Change Tool (on any Windows version).

If the card PIN is locked, you can unlock it with the static unlock code displayed at initialization.

You can reset the card with the ActivClient PIN Initialization Tool.

You can download a certificate onto the card from the Microsoft CA (or other CA) by selecting the ActivClient CSP.

You can use certificates for standard PKI services based on the CSP or PKCS#11 technologies, which provides more options than in the previous mode – such as Windows logon, authentication to web sites (with Internet Explorer or Mozilla Firefox) and PKI-compatible VPNs, email signature and encryption (with Microsoft Outlook or Lotus Notes).

The user can use other ActivClient services for improved usability (card management utility, card activity notification, application auto-configuration, etc.).

 

 

 


For further information, see chapter 6.0 Managing a Smart Card with ActivClient on page 73.

2.3.3 Managed Mode with Microsoft Forefront Identity Manager (FIM)

In this mode, the card is managed with Microsoft Forefront Identity Manager (FIM), and end users can use the card on their workstation with either the Mini Driver or with advanced middleware.

The card is managed by Microsoft FIM 2010 via the Mini Driver.

The card comes with a default PIN (00000000) and a default ADMIN Key (24 zero bytes, 000000000000000000000000000000000000000000000000 in hexadecimal).

The administrator imports these values into FIM.

With FIM, the administrator can load certificates on the card (and update them later), and unlock the card PIN if it is locked.

If the end user has the Crescendo C1150 Mini Driver on his workstation, he can use certificates for standard PKI services based on the Mini Driver.

If the end user has ActivClient on his workstation, he can use certificates for standard PKI services based on the CSP or PKCS#11 technologies. He can also use other ActivClient services for improved usability.

For further information, see chapter 5.0 Managing a Smart Card using Microsoft Forefront Identity Manager (FIM) on page 50.

2.3.4 Managed Mode with HID Global naviGO

In this mode, the card is managed with naviGO; end users use the card on their workstation with the Crescendo Mini Driver.

The card is managed by naviGO via the Mini Driver.

With naviGO, the administrator can load certificates on the card (and update them later), and unlock the card PIN if it is locked.

The default PIN code (00000000) is used during the issuance process.

The default ADMIN Key is 000000000000000000000000000000000000000000000000 in hexadecimal (24 zero bytes).

The end user has the Crescendo C1150 Mini Driver on his workstation; he can use certificates for standard PKI services based on the Mini Driver.

naviGO also provides emergency access authentication in case the card is lost or forgotten.

For further information, see chapter 7.0 Managing a Smart Card with naviGO on page 85.

2.3.5 Managed Mode with HID Global 4TRESS AAA Server

In this mode, the card is managed with 4TRESS AAA Server 6.7 (version 6.7.2.15 or later), and end users can use the card on their workstation with the ActivClient middleware (version 6.2.0.162 or later).

 


4TRESS AAA Server adds one-time password services to Crescendo C1150 cards, enabling support for legacy applications that are not PKI-enabled, such as many remote access and VPN applications.

The card is managed by 4TRESS AAA Server via the ActivClient middleware.

The administrator initializes the Crescendo C1150 cards with 4TRESS AAA Server, adding one-time password (OTP) capabilities to the cards.

Administrators or end users can download a certificate onto the card from the Microsoft CA (or other CA), by selecting the ActivClient CSP.

If the card PIN is locked, you can unlock it with the challenge/response unlock code managed by 4TRESS AAA Server.

The end user has ActivClient on his workstation; he can use certificates for standard PKI services based on the CSP or PKCS#11 technologies.

He can also use the Crescendo C1150 for remote access/VPN services using one-time passwords.

He can also use other ActivClient services for improved usability.

For further information, see section 8.0 Managing a Smart Card with 4TRESS AAA Server on page 97.

2.3.6 Managed Mode with HID Global ActivID CMS and ActivID CMS Appliance

To deploy Crescendo cards with ActivID Card Management System (CMS), use the Crescendo C1100 instead of the Crescendo C1150.

To deploy Crescendo cards with ActivID CMS Appliance, use the Crescendo C800 instead of the Crescendo C1150.

2.4 Choosing Smart Card Middleware

You have a choice of Crescendo C1150 smart card middleware for end user workstations:

You can choose to deploy the Crescendo C1150 Mini Driver, which is available free of charge.

You can choose to deploy the ActivClient software that provides enhanced capabilities. This section presents the similarities and differences between the two options.

2.4.1 Services Available with Both Mini Driver and ActivClient

Both middleware options support the same applications for PKI services:

Windows Logon

Web authentication with Internet Explorer and Google Chrome

VPN authentication with Windows, Cisco, Juniper, etc.

Authentication to Citrix or Terminal Server sessions

Email signature and encryption with Microsoft Outlook and Exchange

 

 

 


Document signature with Microsoft Office and Adobe Acrobat

File encryption with Windows EFS

Disk encryption with Windows BitLocker To Go

Compatibility with more applications based on Microsoft CAPI / CNG

Both middleware options support some basic card management services:

PIN change

PIN unlock (with Mini Driver, not applicable to all deployment modes – requires a card management system or utility to support the challenge / response unlock model)
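The challenge/response unlock model referred to here, and in section 2.3.1, is what a card management system or utility implements on the administrator's side: the card presents a challenge, and the response is derived from it with the 24-byte ADMIN Key using 3DES. The following PowerShell is an added example, not from this guide or from HID Global, of that computation together with the check a practitioner most needs, namely detecting a card that still carries the factory-default all-zero ADMIN Key. It assumes the response is the card's 8-byte challenge encrypted with 3DES in ECB mode under the ADMIN Key, which is the Windows smart card minidriver challenge/response model; the guide itself only says "3DES algorithm", so verify this against the card documentation before relying on it. The challenge and the re-keyed lab key are constructed values, not data from a real card.

```powershell
# Added example (not from the HID guide or HID Global): compute the response to a
# card's PIN-unlock challenge with the 24-byte ADMIN key, and refuse to operate
# with the factory-default key the guide documents (24 zero bytes).
#
# Assumption: response = 3DES-ECB(challenge) under the ADMIN key, as in the
# Windows smart card minidriver challenge/response model. The guide only says
# "3DES algorithm"; confirm against the card documentation.

function ConvertFrom-HexString {
    param([Parameter(Mandatory)][string]$Hex)
    $Hex = $Hex -replace '\s', ''
    if ($Hex.Length % 2 -ne 0) { throw 'Hex string must have an even number of digits' }
    $bytes = New-Object byte[] ($Hex.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($Hex.Substring(2 * $i, 2), 16)
    }
    return ,$bytes
}

function ConvertTo-HexString {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    return (($Bytes | ForEach-Object { $_.ToString('X2') }) -join '')
}

function Test-DefaultAdminKey {
    # Factory default per the guide: 48 hexadecimal zeros, i.e. 24 zero bytes.
    param([Parameter(Mandatory)][byte[]]$Key)
    return ($Key.Length -eq 24) -and (@($Key | Where-Object { $_ -ne 0 }).Count -eq 0)
}

function Get-AdminChallengeResponse {
    param(
        [Parameter(Mandatory)][byte[]]$Challenge,  # 8 bytes returned by the card
        [Parameter(Mandatory)][byte[]]$AdminKey    # 24-byte three-key 3DES key
    )
    if ($Challenge.Length -ne 8)  { throw 'Challenge must be exactly 8 bytes' }
    if ($AdminKey.Length -ne 24)  { throw 'ADMIN key must be exactly 24 bytes (three-key 3DES)' }
    if (Test-DefaultAdminKey $AdminKey) {
        # .NET would reject this key anyway: its three 8-byte parts are identical,
        # so the cipher degenerates to single DES with a publicly known key.
        throw 'Card still uses the factory-default ADMIN key; re-key it with a card management system before production use'
    }
    $tdes = [System.Security.Cryptography.TripleDES]::Create()
    try {
        $tdes.Key     = $AdminKey
        $tdes.Mode    = [System.Security.Cryptography.CipherMode]::ECB
        $tdes.Padding = [System.Security.Cryptography.PaddingMode]::None
        $enc = $tdes.CreateEncryptor()
        try     { return ,($enc.TransformFinalBlock($Challenge, 0, $Challenge.Length)) }
        finally { $enc.Dispose() }
    }
    finally { $tdes.Dispose() }
}

# --- Constructed sample values (no real card involved) ---
$factoryKey = ConvertFrom-HexString ('00' * 24)
if (Test-DefaultAdminKey $factoryKey) {
    'Factory-default ADMIN key detected: anyone with this guide can unlock such a card.'
}

# A hypothetical re-keyed card: 24 distinct bytes, so no two 3DES sub-keys coincide.
$labKey    = ConvertFrom-HexString '0102030405060708 1112131415161718 2122232425262728'
$challenge = ConvertFrom-HexString 'A1B2C3D4E5F60718'   # stands in for the card's challenge
$response  = Get-AdminChallengeResponse -Challenge $challenge -AdminKey $labKey
'Challenge: ' + (ConvertTo-HexString $challenge)
'Response : ' + (ConvertTo-HexString $response)
```

The function deliberately throws on the all-zero key rather than computing a response for it: a card whose ADMIN Key is the published default has no unlock protection at all, and the right action is to re-key it, not to unlock it. The .NET behaviour noted in the comment is a useful side check as well; any 3DES key whose three 8-byte parts are equal is only single DES and should be rejected wherever it is set.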

2.4.2 Additional Services Available with ActivClient

The following services are available only with the ActivClient middleware:

ActivClient is compatible with a wider range of PKI-enabled applications thanks to a PKCS#11 compliant library:

Web authentication with Firefox.

Email signature and encryption with Lotus Notes and Thunderbird.

Compatibility with more applications based on PKCS#11.

ActivClient provides usability enhancements with Microsoft Outlook, enabling users to sign and encrypt emails without the need to learn how to configure and use it.

Outlook is automatically configured on card insertion with the user’s signature and encryption certificates. This guarantees that users are using up-to-date credentials, and no longer use software certificates. This also automatically configures the hash and encryption algorithms for consistency within an organization.

Certificates are automatically published to the Exchange Global Address List (GAL) on card insertion. This guarantees that all email encryption is performed with up-to-date certificates.

Contacts’ certificates are automatically added to the user’s Outlook Contacts upon reception of an email.

Option to automatically decrypt and save encrypted emails. This guarantees that older encrypted emails can still be read even if the encryption key they were sent to is no longer on the card.

ActivClient provides usability enhancements with Firefox and Thunderbird, making it easier to use PKI services with Mozilla products: the ActivClient PKCS#11 library is automatically registered in these applications, so new users get smart card services without additional configuration or training.

 


ActivClient enables using smart cards with credentials other than PKI keys and certificates. ActivClient supports one-time passwords (OTP) on the Crescendo C1150 card, enabling organizations to use smart cards for remote access (authentication to VPNs) even if these systems are not PKI-capable. Organizations that have deployed an OTP strong authentication server (such as 4TRESS AAA Server) and OTP hardware or soft tokens can now deploy smart cards to additional users and run a mixed OTP token / Crescendo smart card deployment. This enables a smooth transition to PKI environments.

ActivClient includes a User Console to view and edit the card content (certificates and other credentials). Unlike the Windows certificate store, which lists every certificate loaded on the PC, the console shows which certificates are actually on the card. The console also enables importing keys and certificates into the card and exporting certificates from the card. Users can also select a "default certificate" when several Windows Logon certificates are present on the card.

ActivClient includes utilities to manage the Crescendo smart cards in standalone mode: initialization, unlock, reset cards. This provides organizations with a simple and efficient model to deploy and manage smart cards in small deployments when a card management system may be considered too complex.

ActivClient includes a smart card indicator icon in the Windows notification area, which helps identify when the card is in use.

ActivClient provides notifications to end users, helping them use and manage their smart card. For example:

Certificate expiration notification, informing users that their certificates need to be updated before they expire; an expired certificate would otherwise prevent the user from logging on.

Unattended card notification, reminding users to take their card when they leave their workstation.

No smart card reader notification, informing users when no reader is detected.

ActivClient has close to 100 policies, enabling organizations to configure the middleware to match their specific security and usability requirements. For example:

Option to unregister certificates on card removal or logoff: this is a security feature for shared workstations.

PIN cache for increased usability: the ActivClient PIN Cache provides a form of single sign-on for the PIN. Users enter the PIN once and use it securely for multiple services (Windows Logon, secure email, secure web, etc.). PIN Cache policies provide the right mix of security and usability; for example, the PIN Cache timeout (15 minutes by default, configurable) or a “per-process” PIN cache (one PIN entry per application).

ActivClient supports additional smart cards in addition to the Crescendo C1150, and is certified by NIST and GSA to support the FIPS 201 PIV standard smart cards.

3.0 Installing the Mini Driver

3.1 Mini Driver System Requirements

One of the following Microsoft operating systems is required:

Windows XP SP3 (32 and 64-bit)

Windows Vista SP1 (32 and 64-bit)

Windows 7 and Windows 7 SP1 (32 and 64-bit)

Windows 8 (32 and 64-bit)

Windows Server 2003 (32 and 64-bit)

Windows Server 2008 and 2008 SP2 (32 and 64-bit)

Windows Server 2008 R2 (64-bit)

Windows Server 2012 (64-bit)

NOTES

Microsoft Windows XP and Server 2003 require a Windows update, available at http://support.microsoft.com/kb/909520, to install the Microsoft Smart Card Base CSP.

The Crescendo C1150 Mini Driver is supported with PC/SC smart card readers.

3.2 Automatic Download

The Crescendo C1150 Mini Driver can be downloaded automatically using the Microsoft Windows Update feature.

When you insert the Crescendo C1150 card into a reader connected to a Microsoft Windows 7 or Windows 8 (32 and 64-bit) workstation, or a Windows Server 2008 R2 or Windows Server 2012 (64-bit) server, the driver is automatically downloaded and installed.

3.3 Manually Download and Install the Mini Driver

If the automatic download is not available, the Mini Driver can also be downloaded as a Windows Installer (MSI) package from HID’s web site: http://www.hidglobal.com/main/crescendo/.

Crescendo C1150 Mini Driver x64 2.0.msi

Crescendo C1150 Mini Driver x86 2.0.msi

1. Launch the Mini Driver setup using the .msi file that corresponds to your operating system.

2. Click Next.

3. Select I accept… and click Next.

4. Click Install.

5. Click Finish.

The Mini Driver is installed in the following directory: [ProgramFiles]\HID Global\Crescendo C1150 Mini Driver

3.4 Uninstall the Mini Driver

You can remove the Crescendo C1150 Mini Driver using the standard Add/Remove Programs (Microsoft Windows XP) or Programs and Features (Microsoft Windows 7 and Windows 8) tools.
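The manual install and removal described in sections 3.3 and 3.4 can also be scripted for unattended deployment. The following PowerShell is an added example and not HID's own tooling: it uses the MSI file names and the install directory the guide states, and assumes the packages were downloaded to the folder given by $MsiFolder. The Authenticode check before msiexec runs is the step an administrator should not skip when rolling out a driver package.

```powershell
# Added example, not from the HID guide: pick the MSI that matches the OS
# architecture (file names as listed in section 3.3), verify its Authenticode
# signature, install it silently, and confirm the directory named in step 5.
# Assumptions: the MSIs were saved to $MsiFolder; msiexec.exe and
# Get-AuthenticodeSignature are available (standard on the listed Windows versions).
param(
    [string]$MsiFolder = "$env:USERPROFILE\Downloads"   # assumption: download location
)

# PROCESSOR_ARCHITEW6432 is set when 32-bit PowerShell runs on a 64-bit OS.
$is64 = ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') -or ($env:PROCESSOR_ARCHITEW6432 -eq 'AMD64')
$msiName = if ($is64) { 'Crescendo C1150 Mini Driver x64 2.0.msi' } else { 'Crescendo C1150 Mini Driver x86 2.0.msi' }
$msiPath = Join-Path $MsiFolder $msiName
if (-not (Test-Path -LiteralPath $msiPath)) { throw "Installer not found: $msiPath" }

# Refuse to run a package whose publisher signature does not verify.
$sig = Get-AuthenticodeSignature -FilePath $msiPath
if ($sig.Status -ne 'Valid') { throw "Signature check failed ($($sig.Status)) for $msiPath" }
Write-Host "Package signed by: $($sig.SignerCertificate.Subject)"

# Silent install with a verbose log. msiexec returns 0 on success, 3010 when a reboot is pending.
$log  = Join-Path $env:TEMP 'C1150MiniDriver.log'
$proc = Start-Process -FilePath msiexec.exe -Wait -PassThru `
    -ArgumentList "/i `"$msiPath`" /qn /norestart /l*v `"$log`""
if (@(0, 3010) -notcontains $proc.ExitCode) { throw "msiexec exited with $($proc.ExitCode); see $log" }

# Step 5 of the guide: the driver is installed under [ProgramFiles]\HID Global\Crescendo C1150 Mini Driver.
# Use the native Program Files folder even when this is a 32-bit PowerShell on a 64-bit OS.
$programFiles = if ($env:ProgramW6432) { $env:ProgramW6432 } else { $env:ProgramFiles }
$installDir   = Join-Path $programFiles 'HID Global\Crescendo C1150 Mini Driver'
if (Test-Path -LiteralPath $installDir) { Write-Host "Mini Driver installed in $installDir" }
else { Write-Warning "Expected install directory not found: $installDir" }

# Section 3.4 without the GUI: find the product's Uninstall entry and remove it with msiexec /x.
function Uninstall-C1150MiniDriver {
    $entry = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' |
        Get-ItemProperty |
        Where-Object { $_.DisplayName -like 'Crescendo C1150 Mini Driver*' } |
        Select-Object -First 1
    if (-not $entry) { Write-Warning 'Crescendo C1150 Mini Driver is not installed.'; return }
    # For MSI-installed products the key name is the ProductCode GUID that msiexec /x expects.
    Start-Process -FilePath msiexec.exe -Wait -ArgumentList "/x $($entry.PSChildName) /qn /norestart"
}
```

Run the script once to install; call Uninstall-C1150MiniDriver afterwards (for example by dot-sourcing the script) to remove the driver the same way Programs and Features would.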
4.0 Managing a Smart Card with the Mini Driver

This section explains how to issue a smart card for other users as well as for yourself.

NOTE

Enrollment for a smart card certificate must be a controlled procedure, in the same manner that employee badges are controlled for purposes of identification and physical access.

The recommended method for enrolling users for smart card-based certificates and keys is through the Smart Card Enrollment Station that is integrated with Certificate Services in Microsoft Windows Server 2008. Therefore, section 4.2 describes how to enroll for a smart card user or smart card logon certificate through the Smart Card Enrollment Station. This process is usually completed by your system administrator.

As a user, request your own certificate through the Microsoft Certificate Services interface on your local workstation. In this case, a domain user cannot enroll for a Smart Card Logon certificate (which provides authentication) or a Smart Card User certificate (which provides authentication plus the capability to secure e-mail) unless a system administrator has granted the user access rights to the certificate template stored in Active Directory. This is described in section 4.3.

4.1 Prerequisites

Microsoft Windows Server 2008 is installed and configured as a Primary Domain Controller.

Active Directory is configured to manage users and computers.

DNS Server is configured with your domain name.

Internet Information Services (IIS) is installed (to be able to request a certificate through the Smart Card Enrollment Station).

Microsoft Windows Certificate Services is installed and configured.

Microsoft CA is configured with an issuance Certificate Template for smart card logon onto the domain. It must include the following certificate templates:

Enrollment Agent - a certificate intended for the entity that should be able to enroll certificates for other entities than itself. For example, when an administrator wants to deploy smart card logon certificates for the employees in an organization, he would require an “Enrollment Agent” certificate.

Smartcard Logon - intended for smart card logon onto the domain.

Smartcard User - an all-round certificate, intended both for smart card logon and, for example, signing and encrypting e-mail messages and web authentication.

Microsoft CA Registration Authority (RA) station is created with:

All the drivers required for your HID Crescendo C1150 card and smart card reader.

An Enrollment Agent Certificate configured with Microsoft Enhanced Cryptographic Provider 1.0 or similar as the CSP.
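The note at the start of this section makes enrollment depend on the access rights granted on the certificate templates in Active Directory, and the Enrollment Agent template in particular decides who may issue cards for others. The following PowerShell is an added example, not part of the HID guide, that reports which principals hold the Enroll right on the three templates listed above. It assumes a domain-joined host with the ActiveDirectory module (RSAT) installed and the default LDAP template names EnrollmentAgent, SmartcardLogon and SmartcardUser.

```powershell
# Added example, not from the HID guide: report who holds the Enroll right on the
# three certificate templates listed in section 4.1, so the enrollment station's
# prerequisites (and the access rights the note in section 4.0 refers to) can be
# checked before cards are issued. Assumptions: run on a domain-joined host with the
# ActiveDirectory module (RSAT) installed, and the templates use their default
# LDAP names EnrollmentAgent, SmartcardLogon and SmartcardUser.
Import-Module ActiveDirectory

# Extended right "Certificate-Enrollment" as it appears in template ACLs.
$EnrollRightGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

$configNc          = (Get-ADRootDSE).configurationNamingContext
$templateContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

function Get-TemplateEnrollers {
    param([Parameter(Mandatory = $true)][string]$TemplateName)

    $acl = Get-Acl -Path "AD:\CN=$TemplateName,$templateContainer"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights
        # An ACE grants Enroll if it carries the Enroll GUID, grants all extended
        # rights (empty ObjectType), or grants GenericAll on the template.
        $hasExtended   = ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
        $matchesEnroll = ($ace.ObjectType -eq $EnrollRightGuid) -or ($ace.ObjectType -eq [guid]::Empty)
        $isGenericAll  = ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -eq `
                         [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
        if (($hasExtended -and $matchesEnroll) -or $isGenericAll) {
            New-Object PSObject -Property @{
                Template  = $TemplateName
                Principal = $ace.IdentityReference.Value
                Rights    = $rights
            }
        }
    }
}

$report = foreach ($t in 'EnrollmentAgent', 'SmartcardLogon', 'SmartcardUser') {
    Get-TemplateEnrollers -TemplateName $t
}
$report | Sort-Object Template, Principal | Format-Table Template, Principal, Rights -AutoSize

# Enrollment Agent is the sensitive template: whoever can enroll it can then request
# logon certificates on behalf of other users, so the list should match the staff who
# operate the enrollment station rather than a broad group.
$broad = $report | Where-Object {
    $_.Template -eq 'EnrollmentAgent' -and $_.Principal -match '(Authenticated Users|Domain Users)$'
}
if ($broad) { Write-Warning 'EnrollmentAgent is enrollable by a broad group; restrict it to enrollment-station operators.' }
```

The report is a review aid for the prerequisite list: the Enrollment Agent row should contain only the accounts that will sign requests at the RA station, and the Smartcard Logon and Smartcard User rows show which users the note in section 4.0 allows to self-enroll.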

4.2 Issuing a Smart Card using Microsoft Certificate Authority

4.2.1 Enroll a Smart Card for a User with Internet Explorer

1. From the enrollment station, connect to the “Smart card Certificate Enrollment Station” web page of the CA.

This smart card enrollment web page can be found at http://<machine-name>/certsrv/ where the <machine-name> is the machine where you have installed the CA.

2. Select Request a certificate.

3. Select advanced certificate request.

4. Select Request a certificate for a smart card on behalf of another user by using the smart card certificate enrollment station.

The Smart Card Certificate Enrollment Station window opens.

NOTE

If you encounter an “ActiveX” error upon connecting to this page, see section 10.1 ActiveX Error During Certificate Requests on page 109.

5. Under Enrollment Options:

6. From the Certificate Template drop-down list, choose Smartcard User.

7. From the Cryptographic Service Provider drop-down list, select Microsoft Base Smart Card Crypto Provider.

8. Ensure the correct Enrollment Agent certificate is selected in the Administrator Signing Certificate box.

9. Select a User to Enroll by clicking Select User.

10. In the Enter the object name to select field, enter the name of the user for whom you are enrolling a certificate.

11. Click Check Names to verify the entry, and then click OK.

12. Verify that the user’s smart card is inserted into the smart card reader.

13. Click Enroll to enroll a smartcard user certificate for the user.

14. Enter the PIN, and then click OK to continue.

After the certificate request has been made, the CA will sign the request and return a certificate. This certificate is automatically placed on the smart card. You might be prompted to confirm the issuance of a certificate.

At the end of the smart card enrollment process, you are informed that the smart card is ready for use.

15. You can verify that the certificate contains the correct personal information about the user by clicking View Certificate. You also have the opportunity to enroll a new user by clicking New User.

4.2.2 Enroll a Smart Card for a User with MMC

1. Open the management console by typing mmc in the Start > Run menu.

2. Add the Certificates snap-in from the File > Add/Remove Snap-in menu.

3. Right-click on the Certificates node.

4. Go to All Tasks, then Advanced Operations, and then click Enroll on behalf of.

5. Click Next.

6. Browse to the Enrollment Agent Certificate that you created on the enrollment station.

7. Select Smartcard User, and expand the Details view.

8. Click Properties.

9. Make sure that Microsoft Base Smart Card Crypto Provider is selected as the CSP, and click OK.

10. Click Browse to select the user for whom you want to enroll the smart card.

11. Enter the user name, and click OK. If necessary, click Check Names to make sure you have selected the correct user.

12. When prompted, insert the smart card into the reader.

13. If you are prompted to enter the PIN, do so and then click OK to continue.

After the certificate request has been made, the CA will sign the request and return a certificate. This certificate is automatically placed on the smart card.

14. Click Finish.

4.3 Importing Certificates Using Microsoft Windows

You can download PKI certificates from the CA onto the smart card using Internet Explorer or Microsoft Management Console (MMC).

4.3.1 Download a PKI Certificate with Internet Explorer

When creating the certificate request, make sure that the Microsoft Base Smart Card Crypto Provider is selected as the CSP.