Redhat CERTIFICATE SYSTEM ENTERPRISE User Manual

Red Hat Certificate System Enterprise
Security Client Guide
Author(s): Red Hat, Inc.
ISBN: N/A
Publication date:
Red Hat Certificate System Enterprise Security Client Guide
Copyright © 2006 Red Hat, Inc. All rights reserved.
This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, V1.0. A copy of this license is available at http://www.opencontent.org/openpub. Any Red Hat trademarks that are incorporated in the documentation are not subject to the Open Publication License and may only be used or replicated with the express permission of Red Hat, Inc.


1. Introduction ........................................................................................................... 1
1. Features ........................................................................................................ 1
2. Platform Support .................................................................................................... 5
3. Installation ............................................................................................................. 7
1. Installation on Windows .................................................................................. 7
2. Installation on Red Hat Enterprise Linux .........................................................15
3. Installation on Mac OS X ...............................................................................16
4. Using the Enterprise Security Client .......................................................................21
1. Launching Enterprise Security Client ..............................................................21
2. Phone Home ................................................................................................21
3. Windows Cryptographic Service Provider .......................................................24
4. Smart Card Auto Enrollment ..........................................................................25
5. Customizing the Smart Card Enrollment User Interface ...................................30
6. Managing Smart Cards ..................................................................................32
6.1. Formatting the Smart Card ..................................................................33
6.2. Reset Smart Card Password ...............................................................34
6.3. Viewing Certificates ............................................................................34
6.4. Enrolling Smart Cards ........................................................................35
7. Diagnosing Problems ....................................................................................37
5. Using Enterprise Security Client Keys for SSL Client Authentication and S/MIME ......41
1. Using the Certificates on the Token for SSL ....................................................41
2. S/MIME Applications .....................................................................................43
6. Uninstalling Enterprise Security Client ....................................................................45
1. Uninstalling on Windows ................................................................................45
2. Uninstalling on Red Hat Enterprise Linux ........................................................45
3. Uninstalling on Mac OS X ..............................................................................45
A. Enterprise Security Client Configuration .................................................................47
1. Configuration ................................................................................................47
2. Enterprise Security Client Mac TokenD ..........................................................48
2.1. Verifying the TokenD Is Working .........................................................49
3. Enterprise Security Client XUL and Javascript Functionality .............................49
3.1. Quick Javascript UI Guide ...................................................................50
4. Enterprise Security Client File Locations .........................................................50
4.1. Windows ............................................................................................51
4.2. Red Hat Enterprise Linux ....................................................................51
4.3. Mac OS X ..........................................................................................51
Index .......................................................................................................................53
Chapter 1. Introduction
The Red Hat Certificate System creates, manages, renews, and deletes certificates and keys within an organization. There are five subsystems which govern the behavior of the public-key infrastructure (PKI) of the organization:
• The Certificate Authority (CA), which creates, renews, and revokes certificates.
• The Data Recovery Manager (DRM), which archives and recovers keys.
• The Online Certificate Status Manager, which stores lists of revoked certificates for client applications to use to check if a certificate is valid.
• The Token Processing System (TPS), which interacts with smart cards to generate and store keys and certificates for a specific user.
• The Token Key Service (TKS), which generates and stores master keys used by the TPS.
End users can use security tokens, which are also called smart cards, to store user certificates used for applications such as single sign-on access and client authentication. End users are issued the tokens containing certificates and keys required for signing, encryption, and other cryptographic functions. To use the tokens, the TPS must be able to recognize and communicate with them. The tokens have to be enrolled; enrollment is the process of formatting tokens with keys and certificates and adding them to the Certificate System. Enterprise Security Client provides the user interface for end entities to enroll tokens and to communicate with the TPS. Enterprise Security Client is the conduit through which the TPS communicates with each token over a secure HTTP channel (HTTPS).
After a token is enrolled, applications such as Mozilla Firefox and Thunderbird can be configured to recognize the token and use it for security operations, like client authentication and S/MIME mail. Enterprise Security Client provides the following capabilities:
• Supports Visa Open Platform-compliant smart cards like Axalto Cyberflex egate 32k tokens.
• Enrolls security tokens so they are recognized by TPS.
• Maintains the security token, such as re-enrolling a token with TPS.
• Provides information about the current status of the token or tokens being managed.
• Supports server-side key generation so that keys can be archived and recovered on a separate token if a token is lost.

1. Features

• The Phone Home feature defines the token issuer name, TPS server, and TPS end-entities interface URL without requiring any user configuration.
• Enterprise Security Client has diagnostic logging that records common access and events and records potential errors such as interruptions with the connection between the Enterprise Security Client and TPS server.
• The Enterprise Security Client user interface incorporates Mozilla XULRunner technology. XULRunner is a runtime package which hosts standalone applications based on XUL, an XML markup language with a rich feature set for user interfaces. XUL has the following advantages over HTML for applications:
  • XUL provides a wide UI widget set and greater control over the presentation.
  • XUL markup is local to the client machine, so it has a greater privilege level than HTML.
  • XUL also uses Javascript as the scripting language for convenient program logic scripting.
  • XUL Javascript code can make use of the array of Mozilla functionality by using their XPCOM technology.
• The Mac Enterprise Security Client ships with a smart card-specific TokenD component which bridges the gap between Certificate System-supported tokens and the Mac CDSA security layer, allowing current OS X applications like Apple Mail and Safari to take advantage of the capabilities of Certificate System tokens:
  • The Mac Keychain Access utility can be used to view the certificates and keys on Certificate System tokens.
  • The Apple Mail client can be used to view signed and encrypted emails using Certificate System tokens.
  • The Apple Safari browser can use Certificate System tokens to log onto secure SSL web sites.
• This version of Enterprise Security Client provides tray icon functionality on all three platforms, including tool tips for errors and actions such as inserting or removing a smart card.
Figure 1.1. Example Token Tray Icon and Tool Tip
On most operating systems, many programs maintain an icon in the tray or notification area. These icons can be used to control the operation of the program, usually through context menus when the icon is right-clicked. In the default Enterprise Security Client configuration, Enterprise Security Client launches and automatically minimizes to the tray. This tray functionality behaves differently on the different operating systems:
Windows. When right-clicked, the tray icon shows a simple menu with options to Manage Smart Card, which opens the Enterprise Security Client interface, and to Exit Smart Card Manager, which exits the Enterprise Security Client. The exit option in that menu is the only way to exit the Enterprise Security Client on Windows; clicking the X in the top right corner minimizes Enterprise Security Client to the tray. Double-clicking the tray icon brings Enterprise Security Client to the front. There are also notification messages, shown as standard balloon tooltips, on events like inserting or removing a card.
Linux. The tray icon appears only if the notification area in Gnome has been enabled. The tray icon options are identical to the Windows options. Clicking the X in the top left corner closes the current window and minimizes Enterprise Security Client to the tray.
Mac. On Mac, the tray is called the dock. Since Enterprise Security Client is based on Mozilla, right-clicking on the Enterprise Security Client dock icon reveals all the standard Mozilla Firefox menu options, including options to hide, show, and quit the client. The Enterprise Security Client also has a menu item called Manage Smart Cards in the dock menu, which opens the card management UI. The top level application menu has a menu under Go, Manage Smart Card, which also opens the card management window.

Chapter 2. Platform Support
Enterprise Security Client supports the following platforms:
• Red Hat Enterprise Linux 4 AS (Intel x86)
• Red Hat Enterprise Linux 4 ES (Intel x86)
• Microsoft Windows XP
• Apple Mac OS X 10.4.x (Tiger)
Smart Card Support
Enterprise Security Client supports the following smart cards:
• Visa Open Platform-compliant smart cards such as Axalto Cyberflex egate 32k tokens
Chapter 3. Installation
Enterprise Security Client is packaged as a set of RPMs and other files that are part of the complete Certificate System distribution. These are listed in the installation chapter of the Certificate System Administrator's Guide.
The first step for installing Enterprise Security Client is successfully obtaining the needed Enterprise Security Client packages. The Certificate System Administrator's Guide explains how to retrieve these RPMs and other files through the Red Hat Certificate System 7.2 (AS v.4 for x86) or Red Hat Certificate System 7.2 (ES v.4 for x86) Red Hat Network channels. There are two ways to obtain the packages:
• Downloading an ISO image or packages through the Red Hat Network channel
• Using the Red Hat up2date utility
On Linux platforms, the preferred method of obtaining RPMs is using the up2date command-line utility:
    up2date esc
If the up2date process is successful, all of the necessary Enterprise Security Client RPMs are installed and ready for use.
Both the Mac and Windows Enterprise Security Client bundles are available only in the Downloads area of the Red Hat Network. There are two channels for the packages, one for 32-bit and one for 64-bit; Mac and Windows clients are only available in 32-bit.
• The Mac Enterprise Security Client package is ESC.dmg.
• The Windows Enterprise Security Client package is Smart Card Manager Setup.exe.

1. Installation on Windows

To install Enterprise Security Client on Windows, do the following:
1. Obtain the Windows Enterprise Security Client installer Smart Card Manager Setup.exe from the Red Hat Network channel.
2. Double-click the Smart Card Manager Setup.exe file to launch the Enterprise Security Client installation program.
Figure 3.1. Launching the Installation Wizard
3. The wizard displays the list of packages which will be installed.
Figure 3.2. Launching the Installation Wizard
4. The wizard screen asks for the final installation directory for Enterprise Security Client. The default is C:\Program Files\Red Hat\ESC.
Figure 3.3. Installation Directory
5. The wizard screen asks for the start menu directory for Enterprise Security Client. The default is Red Hat.
Figure 3.4. Start Menu Directory
6. Proceed through the Enterprise Security Client installation wizard. Click Install to begin installing the Enterprise Security Client components.
NOTE
The installation process also installs the CoolKey PKCS #11 driver and Egate drivers needed for Certificate System-supported keys and automatically installs the Certificate System PKCS #11 module in any Mozilla browsers it can locate. The installer places the Certificate System Cryptographic Service Provider (CSP) on the user's system to allow users to use their smart cards with Microsoft products such as Outlook and Internet Explorer.
Figure 3.5. Beginning Installation