HP Smart Card User Manual


Implementation of an ActivCard® smart card solution on HP CCI

Contents

Introduction  2
Prerequisites  2
Reference hardware and software  2
Configuration compatibility  3
Software configuration  4
  Step 1: Configuring a Certificate Authentication (CA) service  4
  Step 2: Group policy setting  9
  Step 3: HP blade PC middleware configuration  10
  Step 4: Client smart card driver configuration  10
Smart card setup  11
  Initialization of the smart card using Microsoft Remote Desktop Connection  11
  Initialization of the smart card using HP Session Allocation Manager Client (HPSAM Client)  14
  Requesting a certificate from the blade PC  16
Usage cases  19
  Usage case 1: User authentication from client device to blade PC using RDP  19
  Usage case 2: User authentication from client device to blade PC using HPSAM client  19
  Usage case 3: Accessing secure Web site  20
  Usage case 4: User authentication using VPN through firewall to blade PC  21
Additional information  24


This white paper discusses the implementation of ActivCard® smart cards on HP Consolidated Client Infrastructure (CCI). This white paper is not intended as a comprehensive overview of ActivCard smart card technology.

NOTE: The images and instructions in this white paper use Microsoft Windows XPe; however, HP also tested procedures using Microsoft XP Professional and Microsoft Windows CE.NET.

NOTE: The images in this white paper were created using ActivClient™. For information about ActivCard Gold™, see the ActivCard Gold user guide.

Introduction

Smart cards can provide additional security to a CCI implementation. This paper describes a smart card reference implementation that you can use in a dynamic or a static CCI environment.

Prerequisites

This white paper assumes that the reader is familiar with CCI and has a working knowledge of Microsoft Group Policies, Microsoft Certificate Authentication (CA), and setting up smart card readers and middleware.

Reference hardware and software

The following list provides the reference hardware and software used to validate the CCI product with a smart card:

Load Balancer
  - HP Server running F5 Networks BigIP version 4.6.4, or
  - HP Server running HP Session Allocation Manager version 1.0.

Primary Domain Controller
  - HP server running Microsoft Windows Enterprise 2003 Server SP1, configured as DNS, DHCP, IIS, CA, and secure Web site server.

VPN Tunnel

Altiris Deployment Server

Network Switch
  - HP ProCurve 2626.


Blade Enclosure
  - HP e-class blade enclosure.

Blade PCs
  - HP bc1000 blade PC running Microsoft Windows XP SP2 with the HPSAM blade service installed.
  - HP bc1500 blade PC running Microsoft Windows XP SP2 with the HPSAM blade service installed.

Clients
  - HP Compaq t5000 series thin client running Microsoft Windows XPe with the HPSAM blade service installed.
  - HP Compaq t5000 series thin client running Microsoft Windows CE with the HPSAM blade service installed.
  - HP desktop PC running Microsoft Windows XP with the HPSAM blade service installed.

Smart Card Readers
  - HP standard USB Smart Card Keyboard. Driver: HPKBCCID.sys, version 4.28.0.1.
  - USB CAC-approved smart card reader (SCM Microsystems SCR331 Reader). Driver: SCR33X2K.sys, version 4.27.00.01.
  - Serial CAC-approved smart card reader (SCM Microsystems SCR131 Reader).
  - USB combo fingerprint and smart card reader (SCM Microsystems SPR337). Driver: spr337.sys, version 1.16.00.01.

ActivCard middleware
  - ActivCard ActivClient v5.4.
  - ActivCard Gold v2.2.

Configuration compatibility

HP has tested the following configurations using ActivCard ActivClient v5.4 and ActivCard Gold v2.2, and confirmed that they work in a CCI environment (X = tested and confirmed working).

Client                     HP USB Smart Card   SCM Microsystems     SCM Microsystems       SCM Microsystems
                           Keyboard            SCR331 USB Reader    SCR131 Serial Reader   SPR337 USB Combo Reader
-------------------------  ------------------  -------------------  ---------------------  -----------------------
HP Thin Client w/XPe       X                   X                    X                      X
HP Thin Client w/CE.net    X                   X                    X
HP Desktop w/XP Pro        X                   X                    X                      X


Software configuration

Configure the following items to set up a smart card solution on CCI:

1. Certificate Authentication (CA) service

2. Group policy settings

3. Middleware running on an HP blade PC

4. Smart card client driver

Step 1: Configuring a Certificate Authentication (CA) service

Configure a CA service. This white paper uses Microsoft Certificate Services to configure certificates. Detailed instructions for installing a CA service are beyond the scope of this white paper. For more information about installing Certificate Services, see http://www.microsoft.com/technet/security/smallbusiness/prodtech/windowsserver2003/build_ent_root_ca.mspx and http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00363517/c00363517.pdf.

After you install the CA service, perform the following configuration steps:

1. Create an MMC with the following snap-ins:

   - Active Directory Users and Computers
   - Certification Authority
   - Certificate Templates

2. Click Certificate Templates and look for the Smartcard Logon certificate in the right pane.

3. Create a duplicate template by right-clicking the Smartcard Logon certificate template, and then selecting Duplicate Template.


4. Type a name for the new template in the Template display name box. This example uses CCI Smartcard Logon.


5. Click the Request Handling tab.

6. Select or type 1024 in the Minimum key size box.

7. Click the CSPs button.

8. Select Requests can use any CSP available on subject's computer.

9. Click the Security tab.


10. In the Permissions for Authenticated Users box, in the Allow column, select Read and Enroll.

You have completed creation of the template.

11. Copy the CCI Smartcard Logon certificate template into the Certificate Templates folder under the certificate server:

   a) Expand the Certification Authority object in the MMC you created in step 1.

   b) Expand your CA name.

   c) Right-click the Certificate Templates folder under the CA server.


d) Select New > Certificate Template to Issue.

12. Select the template, and then click OK to import the template.
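The steps above are performed in the MMC. As an added example (not from the HP white paper or from ActivCard), the following PowerShell script checks the duplicated template in Active Directory against the settings chosen in steps 6, 8 and 10 before publishing it, then performs the equivalent of steps 11 and 12 with certutil. It assumes the template's internal name is CCISmartcardLogon (the display name without spaces, which is what the Duplicate Template dialog proposes), that it runs on a domain-joined machine as a user allowed to manage the CA, and that selecting "any CSP" leaves the template's pKIDefaultCSPs attribute empty; adjust $TemplateName if you chose a different name in step 4.

```powershell
# Added example, not part of the HP white paper. Verifies the duplicated
# smart card logon template and publishes it to the local CA.
$TemplateName      = 'CCISmartcardLogon'                      # assumed internal name (step 4)
$MinKeySize        = 1024                                     # value chosen in step 6
$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'                 # Smart Card Logon EKU OID
$EnrollRightGuid   = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment extended right
$AuthenticatedUsers = 'NT AUTHORITY\Authenticated Users'

# Certificate templates live in the forest's Configuration naming context.
$configNc     = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$templatePath = "LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

if (-not [ADSI]::Exists($templatePath)) {
    throw "Template '$TemplateName' not found in AD; check the name chosen in step 4."
}
$template = [ADSI]$templatePath
$problems = @()

# Step 6: minimum key size must not be smaller than the value set in the template.
$keySize = [int]$template.'msPKI-Minimal-Key-Size'.Value
if ($keySize -lt $MinKeySize) {
    $problems += "Minimum key size is $keySize; expected at least $MinKeySize."
}

# The Smart Card Logon EKU is inherited from the original Smartcard Logon template;
# without it the CA issues certificates that cannot be used for smart card logon.
$ekus = @($template.pKIExtendedKeyUsage)
if ($ekus -notcontains $SmartCardLogonEku) {
    $problems += "Template lacks the Smart Card Logon EKU ($SmartCardLogonEku)."
}

# Step 8: "Requests can use any CSP" is assumed to leave pKIDefaultCSPs empty.
# A populated list would restrict enrollment to the named CSPs.
$csps = @($template.pKIDefaultCSPs)
if ($csps.Count -gt 0) {
    $problems += "Template restricts CSPs to: $($csps -join '; ')"
}

# Step 10: Authenticated Users need the Enroll extended right (Read is implied by
# the default ACL on template objects, so only Enroll is checked here).
$rules = $template.PsBase.ObjectSecurity.GetAccessRules(
    $true, $true, [System.Security.Principal.NTAccount])
$hasEnroll = $rules | Where-Object {
    $_.IdentityReference.Value -eq $AuthenticatedUsers -and
    $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType -eq $EnrollRightGuid -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
}
if (-not $hasEnroll) {
    $problems += "Authenticated Users do not have the Enroll permission on the template."
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Fix the template in the Certificate Templates snap-in before publishing it."
}

# Steps 11 and 12: publish the template on the CA (New > Certificate Template to Issue).
certutil -SetCATemplates "+$TemplateName"
if ($LASTEXITCODE -ne 0) {
    throw "certutil failed to publish '$TemplateName' (exit code $LASTEXITCODE)."
}

# Confirm the CA now lists the template among those it will issue.
$published = certutil -CATemplates | Select-String -SimpleMatch $TemplateName
if (-not $published) {
    throw "'$TemplateName' is not in the CA's issue list after publishing."
}
"Template '$TemplateName' verified and published."
```

Run the script on the CA server (or pass certutil a -config "CAHost\CAName" argument to target a remote CA). The checks are deliberately read-only; any mismatch is reported and corrected in the MMC, so the script never silently changes template settings that the steps above set by hand.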
