HP BRIO BA200, BRIO BA600, BRIO BA400, KAYAK XM600, KAYAK XU800 User Manual
HP ProtectTools 2000
Smart Card Kit
User’s Guide
Notice
The information contained in this document is subject to change
without notice.
Hewlett-Packard makes no warranty of any kind with regard to this
material, including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose. Hewlett-Packard
shall not be liable for errors contained herein or for incidental or
consequential damages in connection with the furnishing, performance,
or use of this material.
This document contains proprietary information that is protected by
copyright. All rights are reserved. No part of this document may be
photocopied, reproduced, or translated to another language without the
prior written consent of Hewlett-Packard Company.
TM
Adobe
Microsoft
registered trademarks of Microsoft Corporation in the United States and
other countries.
and AcrobatTMare trademarks of Adobe Systems Incorporated.
®
,MS®, MS-DOS®, Windows®and Windows NT®are
Hewlett-Packard France
Commercial Computing Division
38053 Grenoble Cedex 9
France
2000 Hewlett-Packard Company
User’s Guide
This manual is intended for both the PC administrator and the PC user.
It describes how to:
•
Install and deploy HP ProtectTools 2000 software
•
Set up HP ProtectTools 2000 for use
•
Manage security settings
•
Manage smart cards
•
Troubleshoot problems
•
Find out where to get more information and support.
HP Custom Security Services
HP offers security consulting services and customized security
solutions, including the use of this product and other HP security
products. For more information, please contact your HP sales
representative.
Conventions Used in this Manual
This document describes the installation of software on a range of
Microsoft operating systems. Whenever some information applies only
to one or more operating systems, a small tab appears alongside to
indicate the operating system(s) concerned. See the following
example:
Windows NT 4.0
Windows 2000
1 This indicates that step 1 applies only to PCs running Windows NT
4.0 or Windows 2000. You can ignore this step if your PC is running
a different operating system.
When no such symbol is shown alongside a step or section in the
manual, the information concerns all operating systems:
2 This indicates that step 2 applies to any system running one of the
supported operating systems: Windows 95, Windows 98, Windows
NT 4.0 or Windows 2000.
iii
Important Information
Folder Encryption (Windows 95, 98 and NT 4.0 Only)
You are about to install File Encryption software. This software enables
the use of an advanced security feature but it implies at the same time
theriskoflossofaccesstoyourconfidentialfiles.Toreducesucha
risk, HP strongly recommends you prepare in advance a recovery smart
card and/or recovery file that will still give you access to such files in
case you lose your smart card and/or password.
ATTENTION: in case of loss of your smart card and/or password you
may not be able to recover access to those encrypted files.
THE SOFTWARE IS PROVIDED "AS IS" WITHOUT ANY WARRANTIES
OF ANY KIND INCLUDING WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT
OF INTELLECTUAL PROPERTY. IN NO EVENT WILL HP BE LIABLE
FOR ANY DAMAGES WHATSOEVER (INCLUDING, WITHOUT
LIMITATION, THOSE RESULTING FROM LOST PROFITS, LOST DATA
OR BUSINESS INTERRUPTION) ARISING OUT OF THE USE,
INABILITY TO USE, OR THE RESULTS OF USE OF THIS SOFTWARE,
WHETHER BASED ON WARRANTY, CONTRACT, TORT OR ANY
OTHER LEGAL THEORY AND WHETHER OR NOT ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. APPLICABLE LAW MAY NOT
ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR
CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR
EXCLUSION MAY NOT APPLY TO YOU.
iv
Import/Export Regulations
This computer system includes HP ProtectTools 2000. HP ProtectTools
2000 is made of a smart card (and associated reader and software
driver) and HP Encryption Smart Card Security System software with
the following encryption capabilities.
•
40bit symmetrical encryption algorithm, used for data encryption
(confidentiality) (non-US version);
•
128bit symmetrical encryption algorithm, used for data encryption
(confidentiality) (US version);
•
512/56bit RSA private key algorithm, used for digital signature (nonUS version);
•
1024/128bit RSA private key algorithm, used for digital signature
(US version).
Export of this product is not allowed to the following countries:
Afghanistan, Angola, Cuba, Iraq, Iran, Lybia, Macedonia, Montenegro,
Mozambique, North Korea, Pakistan, Serbia, Slovenia, Somalia, Sudan,
Syria. Export of this product to other countries may be subject to
regulations. For instructions on how to export this product, and
according to the country in which you have purchased this equipment,
please contact: in France: SCSSI (Service Central de la Sécurité des
Systèmes d'Information, www.scssi.gouv.fr); in Germany: BAFA
(Bundesausfuhramt, Exportkontrolle, www.bafa.de); in the UnitedKingdom: DTI (Department of Trade and Industry, www.dti.gov.uk), in
the USA: Department of Commerce (Export Administration
Regulations, www.bxa.doc.gov).
v
vi
Contents
1 Introduction to HP ProtectTools 2000
Introduction.............................................. 12
WhatisaSmartCard?........................................ 12
SmartCardKitContents...................................... 12
GemSAFESmartCards....................................... 13
PINNumbers ............................................... 13
BeforeYouBegin.......................................... 15
SystemRequirements(HPDesktopPCs) ........................ 15
SystemRequirements(OmniBookNotebookPCs)................. 15
Software Compatibility for PCs Running Windows NT 4.0 . . . . . . . . . . . 16
Features of HP ProtectTools 2000 . . . . . . . . . . .................... 17
Contents of the HP ProtectTools 2000 CD-ROM ................ 18
2 Installing HP ProtectTools 2000 Software
BeforeInstallingtheSoftware............................... 22
SoftwareInstallationProcedure............................. 23
Preparing a PC Running Windows NT 4.0 (HP Desktop PCs) . . . . . . . . 23
Preparing a PC Running Windows NT 4.0 (HP Notebook PCs) . . . . . . . 24
Installing the Drivers, Software and Reader (HP Desktop PCs). . . . . . . 25
Installing the Drivers, Software and Reader (HP Notebook PCs). . . . . . 27
InstallingOptionalItems...................................... 29
Deploying ProtectTools 2000 Using a Network ................. 31
RemoteInstallationUsingaDeploymentTool..................... 31
Automatic Installation of ProtectTools 2000 . . . . . . . . . ............. 31
Uninstalling HP ProtectTools 2000 ........................... 33
English vii
UninstallingHPNTLock...................................... 33
UninstallingHPSoftPowerDown .............................. 34
3 Setting up HP ProtectTools 2000
PreparingaSmartCardforUse:Overview.................... 36
InitializingaSmartCard ................................... 37
Updating the PC’sBIOS(OmniBooksOnly)................... 38
EnablingBIOSSmartCardSecurity(OmniBooksOnly) ........ 39
SettingUpaBIOSUserPasswordCard.......................... 39
SettingUpFolderEncryptiononYourPC .................... 40
CreatingaRecoveryFile................................... 41
4 Managing Security and Smart Cards
TheHPSmartCardSecurityManager........................ 44
For Windows NT 4.0 and Windows 2000 Users . . . . . . . . . . . . ........ 44
ForWindows95andWindows98Users ......................... 45
Running the HP Smart Card Security Manager . . . . . . . . . . . . ........ 46
AccessingtheOnlineHelp .................................... 46
ManagingSecurity:ConfigurationSettings.................... 47
Smart Card–AllowInitializationOption.......................... 47
BeeponSmartCardRemovalOption ........................... 48
Win NT–LogonPoliciesOptions................................ 49
Win NT–LogonTextConfigurationOptions....................... 54
Win NT–LogonPowerManagementOptions...................... 54
viii English
AccountPolicies............................................. 55
BIOS Password Options (OmniBooks Only) . . . . . . . . . ............. 57
Win95/98Options ........................................... 58
CustomizingSecurityForYourInstalledBaseofPCs............... 59
ManagingSmartCards ..................................... 61
Using Smart Cards under Windows NT and Windows 2000 . . . . . . . . . . 62
InitializingFurtherSmartCards ............................... 63
Changing a Smart Card’sPIN .................................. 63
RestoringaSmartCardfromaRecoveryFile ..................... 64
Restoring a Smart Card Without the Recovery File . . . . . . . . . . . . . . . . . 65
Adding an Account to a Smart Card (Windows NT/Windows 2000). . . . 65
Removing an Account (Windows NT/Windows 2000) . . . . . . . . . . . . . . . 66
Changing an Account Password (Windows NT/Windows 2000) . . . . . . . 66
HPTopTools.............................................. 67
5 Troubleshooting
SmartCardTroubleshootingHelpZone....................... 70
IfYouDisconnecttheSmartCardReader ........................ 70
IfthePCFreezesAfterYouRestartIt ........................... 70
If the Smart Card’sPasswordisNotUpToDate ................... 70
WaitforService ............................................. 71
TroubleshootingTable........................................ 72
HPSmartCardDiagnosticsTool............................. 75
DiagnosticsOnlineHelp....................................... 75
UsingHPSmartCardDiagnostics .............................. 75
Documentation,HelpandSupport........................... 77
English ix
x English
1
Introduction to HP ProtectTools 2000
This chapter introduces the HP ProtectTools 2000 Smart Card Kit and
provides information about system requirements and compatibility. It
also tells you where you can get more information about ProtectTools
2000 and smart cards.
1 Introduction to HP ProtectTools 2000
Introduction
Introduction
The HP ProtectTools 2000 Smart Card Kit can be installed on a range
of HP PCs, OmniBook Notebooks and PC Workstations. It provides
smart card secured access to Microsoft Windows 95, Windows 98,
Windows NT 4.0 and Windows 2000 platforms.
To discover on which PCs you can install Protectools 2000, go to:
www.hp.com/go/support
What is a Smart Card?
Smart cards are small plastic cards the size of a credit card that carry a
microchip containing memory and a microprocessor.
Like personal computers, they have an operating system to manage
input/output, and include security features to resist tampering.
A Personal Identification Number (PIN) is needed to gain access to the
contents of the microchip. This means that you can easily gain access
to a computer protected by a smart card only if you have the- correct
smart card and you know the PIN. See “PIN Numbers” on page 13 for
more information.
.
Smart Card Kit Contents
Your HP Smart Card Security Kit contains:
•
One smart card reader. This is either internal or external depending
on your model of PC:
•
an internal PCMCIA card reader for OmniBook Notebook PCs
•
an external serial card reader for all desktop PC models
•
Two smart cards. One spare card is for backup/recovery purposes.
•
One CD-ROM containing software, drivers and documentation.
12
1 Introduction to HP ProtectTools 2000
Introduction
GemSAFE Smart Cards
If your ProtectTools 2000 Smart Card Kit comes with a pair of
GemSAFE GPK 8K smart cards, you can, as well as enjoying secure
Web access, send and receive secure e-mail. GemSAFE cards support
encryption/decryption and signature functions.
For more information on using GemSAFE smart cards, refer to the
GemSAFE User Guide, available by selecting
GemSAFEUser Guide
Gemplus\gemsafe\Doc
on your PC or by looking in the folder
on the HP ProtectTools 2000 CD-ROM.
NOTE Export regulations and national law dictate maximum session key
lengths. The maximum session key length in the United States and
Canada is 128 bits (for example, with Microsoft Internet Explorer). The
maximum session key length for the international version is 40 bits. If
you are sending a message internationally, you may need to change the
session key length (or encryption algorithm) so that the recipient has
the cryptographic capacity to decrypt your message.
StartPrograms
You currently have the international version preloaded on your VL600
Secure Bundle. If you are using this system in the US or in Canada,
downloading the High Encryption Pack directly from Microsoft at
www.microsoft.com will enable you to use the strong key length version.
PIN Numbers
When using smart cards with ProtectTools 2000, the PIN for logging on
to your PC is 8 characters in length. It can contain any letters or
numbers (a-z, A-Z, 0-9) and is case sensitive (“hellojoe” is not the same
as “HelloJoe”). If you fail to enter this PIN code in five successive
attempts, the card will become unusable. For information on changing
this PIN, refer to “Changing a Smart Card’sPIN” on page 63.
In addition to this, GemSAFE smart cards also use a second PIN for
secure e-mail and Web access. The default PIN code for accessing
these features is 1234. However, you may use from four to eight
characters when you set your own PIN. Subsequently, when you use
the card, you have three attempts to type in the correct PIN number. If
13
1 Introduction to HP ProtectTools 2000
Introduction
you fail to enter the correct PIN in three successive attempts, you will
no longer be able to use the secure e-mail and Web access features.
The card can be reactivated with a special unblock code by going to
StartProgramsGemSAFECard Details.
The default unblock
code is also 1234, and can be changed from within this application.
14
Windows NT 4.0
1 Introduction to HP ProtectTools 2000
Before You Begin
Before You Begin
System Requirements (HP Desktop PCs)
The minimum system requirements are:
•
Onefree9-pinserialport
(If you do not have a free serial port, you can order the
HP Serial/Parallel Interface Card D7503A/T)
•
Windows 95 OSR2, Windows 98, Windows NT 4.0 or Windows 2000.
•
Windows NT 4.0 Service Pack 4 or later is required. Windows NT 4.0
Service Pack 6a is provided on the ProtectTools 2000 CD-ROM
•
Approximately 20 MB of free hard disk space (not including the
space required if you need to install Windows NT 4.0 Service Pack
6a).
Windows NT 4.0
System Requirements (OmniBook Notebook PCs)
The minimum system requirements for OmniBooks are:
•
An OmniBook 900 or 4150 or later with Window s95 OSR2,
Windows 98, Windows NT 4.0 or Windows 2000 (a Smart Card BIOS
is included), or
An OmniBook XE2 with Windows 98 or Windows 2000. BIOS
security features are not supported. Future models may support
other operating systems and BIOS security.
•
A CD-ROM drive installed in your OmniBook or available via a
network (on certain OmniBook models the CD-ROM drive is an
option that must be purchased separately).
•
OnefreePCMCIAslot
•
Windows NT 4.0 Service Pack 4 or later is required. Windows NT 4.0
Service Pack 6a is provided on the ProtectTools 2000 CD-ROM
•
At least 7 megabytes of free hard disk space.
15
1 Introduction to HP ProtectTools 2000
Before You Begin
Windows NT 4.0
Software Compatibility for PCs Running Windows NT 4.0
ProtectTools 2000 replaces Windows NT's standard logon library
(MSGINA.DLL). You may experience compatibility problems with
software that replaces the same library (for example Novell Netware
Client or pcAnywhere 32). In order to have HP ProtectTools 2000 work
properly, do NOT install such software along with HP ProtectTools
2000.
If you install Novell Netware Client after ProtectTools 2000, you will
get a message "Novell has detected a GINA difference on this machine.
Do you want to replace it with Netware GINA.DLL?". If you answer Yes,
neither Netware Client nor HP ProtectTools 2000 will work correctly.
16
1 Introduction to HP ProtectTools 2000
Features of HP ProtectTools 2000
ProtectTools 2000 can provide several types of security for your PC.
The security you have available depends on your HP hardware,
operating system, your security setup options, and your system BIOS.
Features on Desktop PCs
Windows 95 Windows 98 NT4.0 (SP6a or later) Windows 2000
Folder Encryption (page 40) Microsoft EFS
n/a Logon Authorization (page 49)
Lock at Card Removal (page 50)
Lock at Suspend/Resume (page 58) n/a Lock at
Suspend/Resume
Secure Screen Saver (page 58)
1. Microsoft EFS (Encrypted File System) is the file encryption security system available with Windows 2000.
Since file encryption is already part of the operating system, HP ProtectTools does not offer its file encryption
feature for the Windows 2000 environment. Note that you must have a Windows 2000 NTFS partition on your
hard drive to use Microsoft EFS.
Before You Begin
1
Features on OmniBook Notebook PCs
Windows 95 Windows 98 NT4.0 (SP6a or later) Windows 2000
Folder Encryption (page 40)
BIOS Smart Card Security Feature (page 39)
n/a Logon Authorization (page 49)
Lock at Undock (page 58) n/a
Lock at Card Removal (page 50)
Lock at Suspend/Resume (page 58)
Secure Screen Saver (page 58)
1. Except for OmniBook 800, 2000, 3000 and 5x00 PCs.
2. Microsoft EFS (Encrypted File System) is the file encryption security system available with Windows 2000. Since
file encryption is already part of the operating system, HP ProtectTools does not offer its file encryption feature
for the Windows 2000 environment. Note that you must have a Windows 2000 NTFS partition on your hard
drive to use Microsoft EFS.
3. Except for OmniBook XE2.
1
Microsoft EFS
3
2
17
1 Introduction to HP ProtectTools 2000
Contents of the HP ProtectTools 2000 CD-ROM
Contents of the HP ProtectTools 2000 CD-ROM
The CD-ROM provided with your HP ProtectTools 2000 Smart Card Kit
contains:
•
HP smart card reader driver
•
HP Smart Card Security System
This software takes care of the encryption and the secure logon and
logoff features when using the smart card. The software includes the
Smart Card Security Manager, used to configure security and
manage smart cards. Refer to chapter 4 for information about using
the Smart Card Security Manager.
•
HP Smart Card Diagnostics
You can use the diagnostics to ensure that your smart card reader is
working correctly or to help you to troubleshoot problems. Refer to
page 75 for information about using the diagnostics utility.
•
ProtectTools 2000 Documentation
Includes the online help and this manual (in PDF format). The online
help provides information about HP Smart Card Security Manager.
The online help is installed when you install the HP Smart Card
Security System.
Windows 95
Windows 98
Windows NT 4.0
Windows NT 4.0
•
GemSAFE software and documentation.
This software, in conjunction with GemSAFE smart cards, provides
secure e-mail and Web access.
•
Acrobat Reader
Provided so that you can view and print this manual.
•
Microsoft Smart Card Base Components
These components provide operating-system level support for the
ProtectTools 2000 Smart Card components. You must install both
updates 1 and 2.
•
Microsoft Windows NT 4.0 Service Pack 6a
Windows NT 4.0 Service Pack 4 or later is required before installing
any of the ProtectTools 2000 smart card components.
18
Windows NT 4.0
1 Introduction to HP ProtectTools 2000
Contents of the HP ProtectTools 2000 CD-ROM
•
HP NTLock (for Vectra and Kayak only)
This utility allows users to lock their PC during short absences to
prevent unauthorized access.
If you use HP NTLock, you must first uninstall any previous version
then install the appropriate latest version.
Only these versions (and later) will work correctly with the
ProtectTools 2000 software.
NOTE
NOTE
Windows NT 4.0
Windows 95
Windows 98
Windows NT 4.0
HP NTLock is NOT supported on HP Vectra VE or VEi series PCs (with
the exception of the HP Vectra VE5 series 4). For the latest information
on supported utilities for your PC, refer to
then click on
•
HP Soft PowerDown (for Vectra and Kayak only)
Utilities
.
www.hp.com/go/support
This utility automatically powers off your HP PC or HP PC
WorkstationwhenyoushutdownWindowsNT.
•
HP TopTools Agent
HP TopTools is a device management tool for HP PCs and other
devices. This version of the Agent is compatible with HP
ProtectTools 2000 Smart Card technology. For more information
about TopTools, connect to HP’swebsite
www.hp.com/toptools
Note that you can obtain a Windows 2000 version of the HP TopTools
agent (when it becomes available) either on your PC’s hard drive or
from HP’swebsite
Please consult the
www.hp.com/toptools
Readme.txt
file provided in the root directory of the
.
CD-ROM. It contains the most up to date information about the drivers
and software provided. The information contained in this file
supersedes any information given in this manual or other
documentation provided with the accessory.
,
.
19
1 Introduction to HP ProtectTools 2000
Contents of the HP ProtectTools 2000 CD-ROM
20
2
Installing HP ProtectTools 2000 Software
This chapter describes how to install ProtectTools 2000 software
components. This is not necessary for HP Secure Bundle PCs on which
the software is preinstalled. This chapter also has information about
uninstalling ProtectTools 2000.
2 Installing HP ProtectTools 2000 Software
Windows NT 4.0
Windows 2000
Before Installing the Software
Before Installing the Software
Before installing any software or drivers, ensure that:
•
You have at least one uninitialized smart card ready. Two
uninitialized cards are provided with the smart card reader. Once the
installation process is complete, you will be asked to insert a smart
card so that you can initialize it.
•
You have logged on as the PC’s Administrator.
HP strongly recommends that:
•
You prepare a formatted blank floppy disk. You will need one if you
want to create a recovery file of the smart card once the smart card
has been initialized.
NOTE For the most up to date information about ProtectTools 2000 software
and drivers, please consult the
directory of the CD-ROM. The information contained in this file
supersedes any information given in this manual or other
documentation provided with the accessory.
Readme.txt
file provided in the root
22
2 Installing HP ProtectTools 2000 Software
Software Installation Procedure
Software Installation Procedure
Make sure you have carried out the tasks outlined in “Before Installing
the Software” on page 22 before proceeding with the following:
1 Prepare your PC (PCs running Windows NT 4.0 only).
2 Install the drivers, software and smart card reader.
3 Install other items, if required (TopTools hardware resource
monitoring utility and this manual).
Windows NT 4.0
Preparing a PC Running Windows NT 4.0 (HP Desktop PCs)
1 Install Microsoft Windows NT 4.0 Service Pack 6a from the
ProtectTools 2000 CD-ROM (if you do not already have Service Pack
4 or later installed) and restart the PC.
To find Service Pack 6a, go to the
Microsoft\sp6ai386
open the folder for your language. To install, double-click on the
setup program
sp6i386.exe
.
2 IfyouarecurrentlyusingHPNTLockonyourPC(anditisolderthan
version 2.2) or you want to use it:
a Uninstall the version of HP NTLock currently on the PC using the
Add/Remove Programs
Panel
).
utility in
StartSettingsControl
b Restart the PC.
c Install the appropriate version of HP NTLock provided (or any
later version). Two versions are supplied, one for HP Vectra VL
and VLi PCs only (not for Vectra VE and VEi PCs) and the other
(the light version without power management) for HP Kayak PC
Workstations. The Vectra version is in the folder
ntlock\vectra\disk1
ntlock\kayak\disk1.
and the Kayak version in
folder, then
23
2 Installing HP ProtectTools 2000 Software
Software Installation Procedure
3 If you currently use HP Soft PowerDown (and it is older than version
5.08) or you want to use it:
a Uninstall the version of HP Soft PowerDown currently on the PC
using the
Control Panel
Add/Remove Programs
utility in
).
StartSettings
b Restart the PC.
c Install the version of HP Soft PowerDown provided on the CD-
ROM (or a later version that is compatible with HP ProtectTools
2000). The Soft PowerDown software is in the
spd
folder on the
CD-ROM.
4 Restart the PC.
Windows NT 4.0
Preparing a PC Running Windows NT 4.0 (HP Notebook PCs)
1 Install Microsoft Windows NT 4.0 Service Pack 6a from the
ProtectTools 2000 CD-ROM (if you do not already have Service Pack
4 or later installed) and restart your Notebook PC.
To find Service Pack 6a, go to the
Microsoft\sp6ai386
open the folder for your language. To install, double-click on the
setup program
sp6i386.exe
.
2 If Card Executive or APM is installed on your computer, you should
update them with the latest versions using the HP ProtectTools
2000 CD-ROM.
a Uninstall Card Executive or APM using the
Programs
utility in
StartSettingsControl Panel
Add/Remove
b Insert the HP ProtectTools 2000 CD-ROM in the CD-ROM drive.
If your CD-ROM drive is configured to “autorun”,the
ProtectTools 2000 installation screen will appear automatically. If
this screen does not appear, use Windows Explorer to browse the
CD contents and double-click the file
setup.exe
directory to run the installation.
c Install the new versions of Card Executive or APM from the
ProtectTools 2000 installation screen.
folder, then
).
in the root
3 Restart the PC.
24
Loading...