HP Smart Card User Manual

Implementation of an ActivCard® smart card solution on HP CCI
Introduction
Prerequisites
Reference hardware and software
Configuration compatibility
Software configuration
    Step 1: Configuring a Certificate Authentication (CA) service
    Step 3: HP blade PC middleware configuration
    Step 4: Client smart card driver configuration
Smart card setup
    Initialization of the smart card using Microsoft Remote Desktop Connection
    Initialization of the smart card using HP Session Allocation Manager Client (HPSAM Client)
    Requesting a certificate from the blade PC
Usage cases
    Usage case 1: User authentication from client device to blade PC using RDP
    Usage case 2: User authentication from client device to blade PC using HPSAM client
    Usage case 3: Accessing secure Web site
    Usage case 4: User authentication using VPN through firewall to blade PC
Additional information
This white paper discusses the implementation of ActivCard® smart cards on HP Consolidated Client Infrastructure (CCI). This white paper is not intended as a comprehensive overview of ActivCard smart card technology.
NOTE: The images and instructions in this white paper use Microsoft Windows XPe; however, HP also tested procedures using Microsoft XP Professional and Microsoft Windows CE.NET.
NOTE: The images in this white paper were created using ActivClient™. For information about ActivCard Gold™, see the ActivCard Gold user guide.
Introduction
Smart cards can provide additional security to a CCI implementation. This paper describes a smart card reference implementation that you can use in a dynamic or a static CCI environment.
Prerequisites
This white paper assumes that the reader is familiar with CCI and has a working knowledge of Microsoft Group Policies, Microsoft Certificate Authentication (CA), and setting up smart card readers and middleware.
Reference hardware and software
The following list provides the reference hardware and software used to validate the CCI product with a smart card:
Load Balancer.
    • HP Server running F5 networks BigIP version 4.6.4.
      or
    • HP Server running HP Session Allocation Manager version 1.0.
Primary Domain Controller.
    • HP server running Microsoft Windows Enterprise 2003 Server SP1. Configured as DNS, DHCP, IIS, CA, and secure Web site server.
VPN Tunnel.
Altiris Deployment Server.
Network Switch.
    • HP Procurve 2626.
Blade Enclosure.
    • HP e-class blade enclosure.
Blade PCs
    • HP bc1000 blade PC running Microsoft Windows XP SP2 w/HPSAM blade service installed.
    • HP bc1500 blade PC running Microsoft Windows XP SP2 w/HPSAM blade service installed.
Clients
    • HP Compaq t5000 series thin client running Microsoft Windows XPe w/HPSAM blade service installed.
    • HP Compaq t5000 series thin client running Microsoft Windows CE w/HPSAM blade service installed.
    • HP desktop PC running Microsoft Windows XP w/HPSAM blade service installed.
Smart Card Readers
    • HP standard USB Smart Card Keyboard.
      Driver: HPKBCCID.sys, version 4.28.0.1.
    • USB CAC approved smart card reader (SCM Microsystems SCR331 Reader).
      Driver: SCR33X2K.sys, version 4.27.00.01.
    • Serial CAC approved smart card reader (SCM Microsystems SCR131 Reader).
    • USB Combo Fingerprint & Smart Card reader (SCM Microsystems SPR337).
      Driver: spr337.sys, version 1.16.00.01.
ActivCard middleware
    • ActivCard ActivClient v5.4.
    • ActivCard Gold v2.2.
Configuration compatibility
HP has tested the following configurations using ActivCard ActivClient v5.4 and ActivCard Gold v2.2, and confirmed that the configurations work in a CCI environment.
Readers (table columns): HP USB Smart Card Keyboard, SCM Microsystems SCR331 USB Reader, SCM Microsystems SCR131 Serial Reader, SCM Microsystems SPR337 USB Combo Reader

HP Thin Client w/XPe       X X X X
HP Thin Client w/CE.net    X X X
HP Desktop w/XP Pro        X X X X
Software configuration
Configure the following items to set up a smart card solution on CCI:
1. Certificate Authentication (CA) service
2. Group policy settings
3. Middleware running on an HP blade PC
4. Smart card client driver
Step 1: Configuring a Certificate Authentication (CA) service
Configure a CA service. This white paper uses Microsoft Certificate Services to configure certificates. Detailed instructions for installing a CA service are beyond the scope of this white paper. For more information about installing Certificate Services, see http://www.microsoft.com/technet/security/smallbusiness/prodtech/windowsserver2003/build_ent_root_ca.mspx and http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00363517/c00363517.pdf.
After you install the CA service, perform the following configuration steps:
1. Create an MMC with the following snap-ins:
    • Active Directory Users and Computers
    • Certification Authority
    • Certificate Templates
2. Click Certificate Templates and look for the Smartcard Logon certificate in the right pane.
3. Create a duplicate template by right-clicking on the Smartcard Logon certificate template, and then selecting Duplicate Template.
4. Type a name for the new template in the Template display name box. This example uses CCI Smartcard Logon.
5. Click the Request Handling tab.
6. Select or type 1024 in the Minimum key size box.
7. Click the CSPs button.
8. Select Requests can use any CSP available on subject's computer.
9. Click the Security tab.
10. In the Permissions for Authenticated Users box, in the Allow column, select Read and Enroll.
You have completed creation of the template.
11. Copy the CCI Smartcard Logon certificate template into the Certificate Templates folder under the certificate server.
a) Expand the Certification Authority object in the MMC you created in step 1.
b) Expand your CA name.
c) Right-click on the Certificate Templates folder under the CA server.
d) Select New > Certificate Template to Issue.
12. Select the template, and then click OK to import the template.
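The following PowerShell script is an added example, not part of HP's white paper: it reads the template back from Active Directory and reports the settings configured in steps 4 through 12. It assumes a management host with the ActiveDirectory module (RSAT); the variable names are illustrative.

```powershell
# Added example: read back the template built in steps 3-12 and report its settings.
# Requires the ActiveDirectory module (RSAT) and read access to the configuration partition.
Import-Module ActiveDirectory

$displayName = 'CCI Smartcard Logon'                         # display name from step 4
$enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment extended right
$scLogonEku  = '1.3.6.1.4.1.311.20.2.2'                      # Smart Card Logon EKU OID
$authUsers   = 'S-1-5-11'                                    # well-known SID: Authenticated Users
$adRights    = [System.DirectoryServices.ActiveDirectoryRights]

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

$tpl = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
    -LDAPFilter "(displayName=$displayName)" `
    -Properties 'msPKI-Minimal-Key-Size', pKIExtendedKeyUsage, nTSecurityDescriptor
if (-not $tpl) { throw "Template '$displayName' not found" }

# Steps 9-10: Allow ACEs held by Authenticated Users on the template object.
$aces = $tpl.nTSecurityDescriptor.GetAccessRules(
            $true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq $authUsers -and
                   $_.AccessControlType -eq 'Allow' }
$canRead   = [bool]($aces | Where-Object { $_.ActiveDirectoryRights -band $adRights::ReadProperty })
$canEnroll = [bool]($aces | Where-Object {
    ($_.ActiveDirectoryRights -band $adRights::ExtendedRight) -and
    ($_.ObjectType -eq $enrollRight -or $_.ObjectType -eq [guid]::Empty) })

# Steps 11-12: CAs that list the template in their certificateTemplates attribute.
$cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
    Where-Object { $_.certificateTemplates -contains $tpl.Name }

[pscustomobject]@{
    Template          = $tpl.Name
    MinimumKeySize    = $tpl.'msPKI-Minimal-Key-Size'   # step 6 sets 1024
    SmartCardLogonEku = $tpl.pKIExtendedKeyUsage -contains $scLogonEku
    AuthUsersRead     = $canRead
    AuthUsersEnroll   = $canEnroll
    IssuedByCAs       = ($cas | ForEach-Object { $_.Name }) -join ', '
}
```

An empty IssuedByCAs value means the template exists in the directory but has not yet been added to any CA as described in step 11.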