Red Hat SYSTEM 8.0 - MANAGING SMART CARDS WITH THE ENTERPRISE SECURITY CLIENT Informacje Techniczne

Red Hat Certificate System 7.3Managing Smart Cardswith the EnterpriseSecurity Client7.3ISBN: N/APublication date: Updated August 5, 2008

• Give a clear title for the bug. For example, "Incorrect command example for setupscript options" is better than "Bad example".We

Overview of the Enterprise SecurityClientThe Enterprise Security Client is a tool for Red Hat Certificate System which simplifiesmanaging smart cards.

such as the Certificate Authority to generate certificates or the Data Recovery Manager toarchive and recover keys.• The Token Key Service (TKS) gener

• The Enterprise Security Client user interface incorporates Mozilla XULRunner technology.XULRunner is a runtime package which hosts standalone applic

• Windows. When right-clicked, the tray icon shows a simple menu with options to ManageSmart Card, which opens the Enterprise Security Client interfac

Installing the Enterprise SecurityClientThe Enterprise Security Client is packaged as a set of installation executables or RPMs andother files that ar

The preferred method of obtaining RPMs is using the up2date command-line utility, as follows:# up2date escIf the up2date command completes successfull

1. Unplug all USB tokens.2. Stop the Enterprise Security Client.3. Log in as root, and use rpm -ev to remove the Enterprise Security Client RPMs in th

Figure 2.1. Launching the Installation Wizard3. The wizard displays the list of packages that will be installed.Chapter 2. Installing the Enterprise S

Figure 2.2. Launching the Installation Wizard on Windows4. The wizard prompts for the installation directory for the Enterprise Security Client. Thede

This guide is for regular users of Certificate System subsystems. It explains how to managepersonal certificates and keys using the Enterprise Securit

Figure 2.3. Specifying the Installation Directory5. The wizard prompts for the Start Menu directory for the Enterprise Security Client. Thedefault dir

Figure 2.4. Specifying the Start Menu Directory6. Proceed through the Enterprise Security Client installation wizard. Click Install to begininstalling

Figure 2.5. Ready to Start the Installation7. When the installation has completed, the Enterprise Security Client will prompt the user toinsert a toke

Figure 2.6. Launching the Smart Card Manager8. Click Finish to complete the installation.Installing the Client13

Figure 2.7. Completing the Installation4.2. Uninstalling the Client1. Unplug all USB tokens.2. Stop the Enterprise Security Client.3. Open the Control

The Mac Enterprise Security Client packages are available in the Downloads area of RedHat Network. There are two channels for the packages; Mac client

b. Read the Software License Agreement, and click Continue if you accept the terms.c. Select the installation destination.Figure 2.9. Specifying the i

Figure 2.10. Launch Installatione. Enter the administrator password, and click OK to start the installation.Figure 2.11. Entering the Administrator Pa

f. When the installation is complete, click Close.Figure 2.12. Coolkey Software Package installation in progressWhen the process is complete, the e-ga

Using the Enterprise Security ClientThe following sections contain basic instructions on using the Enterprise Security Client fortoken enrollment, for

Red Hat Certificate System 7.3: Managing Smart Cards withthe Enterprise Security ClientCopyright © 2008 Red Hat, Inc.Copyright © 2008 Red Hat. This ma

op.format.tokenKey.issuerinfo.enable=trueop.format.tokenKey.issuerinfo.value=http://server.example.com2.1. About Phone Home ProfilesThe Enterprise Sec

/Applications/ESC.app/Contents/Resources/defaults/preferences.3. Add the global Phone Home parameter line. For example:pref("esc.global.phone.hom

• The preferred method is that the information is burned onto the token at the factory. When thetokens are ordered from the manufacturer, the company

<ServiceInfo><IssuerName>Example Corp</IssuerName><Services><Operation>http://tps.example.com:12443/nk_service ## TPS se

controls the cryptographic keys belonging to the certificates.Certificate System CSP.The Certificate System CSP is designed to provide cryptographic f

1. Ensure that the Enterprise Security Client is running.2. Insert an uninitialized smart card, pre-formatted with the Phone Home information for theT

Figure 3.2. Smart Card Enrollment PageThe above illustration shows the default enrollment UI included with the TPS server. This UIis a standard HTML f

LDAP PasswordThis is the password corresponding to the user ID entered; this can be a simple passwordor a customer number.NOTEThe LDAP user ID and pas

Figure 3.3. Smart Card Enrollment Success Message5. Customizing the Smart Card Enrollment UserInterfaceRed Hat Certificate System (specifically the TP

The following is an extract from the default UI HTML file, and it includes comments on how youmight customize it to suit your requirements.<html>

Red Hat Certificate System 7.3

<td> </td><td><input type="text" id="snametf"value=""></td><td> </td><td>

Figure 3.4. Manage Smart Cards Page6.1. Formatting the Smart CardWhen you format a smart card, it is reset to the uninitialized state. This removes al

status as UNINITIALIZED.6.2. Resetting a Smart Card PasswordIf a user forgets the password for a smart card after the card is enrolled, it is possible

1. Insert a supported smart card into the computer. Ensure that the card is listed in the ActiveSmart Cards table.2. Select the card from the list, an

2. Click Enroll to display the Password dialog.NOTEThis button is active only if the inserted card is unenrolled.3. Enter a new key password in the En

The Smart Card Manager, in conjunction with the latest TPS Server software, now supports aspecial "security officer" mode of operation. This

1. Open the Smart Card Manager installation directory.On Microsoft Windows, this is C:/Program Files/Red Hat/ESC/esc.exe.On Red Hat Enterprise Linux,

./esc -secmode http://test.host.com:7888/cgi-bin/so/enroll.cgiThis opens the security officer enrollment page.2. In the Security Officer Enrollment wi

1. Click Format SO Card. Because the security officer card is already inserted, the followingscreen displays:2. Click Format to begin the operation.Wh

new or temporary cards, formatting cards, and setting the Phone Home URL.• Section 7.3.1, “Opening the User's Smart Card Interface”• Section 7.3.

About This Guide ... vii1. What Is in This Guide ..

This opens the security officer welcome page.NOTEEnsure that there is a valid and enrolled security officer card plugged into thecomputer. A security

1. Click the Enroll New Card link to display the Security Officer Select User page.2. Enter the LDAP name of the user who is to receive a new smart ca

3. Click Format. The result will be a card with the new phone home information stored on thecard.8. Diagnosing ProblemsThe Enterprise Security Client

Figure 3.6. The Smart Card Manager Diagnostics Information ScreenInformation Displayed on the Diagnostics Information Screen.The Diagnostics Informati

For each card detected, the following information is displayed:• The version of the applet running on the smart card.• The alpha-numeric ID of the sma

Using Enterprise Security ClientKeys for SSL Client Authenticationand S/MIMEAfter a token is enrolled, the token can be used for SSL client authentica

3. If the CA is not yet trusted, download and import the CA certificate.a. Open the SSL End Entity page on the CA. For example:https://example.com:944

The certificates can be used for SSL.2. S/MIME ApplicationsTo enable S/MIME on mail applications such as Mozilla Thunderbird:1. In Mozilla Thunderbird

6. In the Encryption of the Security panel, click Select to choose the certificate to encrypt anddecrypt messages.Chapter 4. Using Enterprise Security

Appendix A. Enterprise SecurityClient ConfigurationPreviously, Enterprise Security Client relied on an application-specific configuration file.Enterpr

1. Configuration ...492. Enterprise Security Client Mac T

Platform LocationRed Hat Enterprise Linux ~/.redhat/escMacintosh ~/Library/ApplicationSupport/ESC/ProfilesTable A.2. Location of Enterprise Security C

Example A.1. Example Configuration File2. Enterprise Security Client Mac TokenDThe TokenD software installed on a Macintosh computer provides a link b

Filename Purposeconfig.xul Contains the code for the configuration UI.esc_browser.xul Contains the code for hosting the externalHTML Smart Card Manage

function EnrollCoolKey(keyType, keyID, enrollmentType, screenname,pin,screennamepwd,tokencode){try {netkey.EnrollCoolKey(keyType, keyID, enrollmentTyp

File or Directory Purposeesc.exe The executable which launches EnterpriseSecurity Client in XULRunner.xulrunner\ Privately-deployed XULRunner bundle.T

File or Directory Purposeapplication.ini Enterprise Security Client XULRunnerapplication configuration file.components/ Enterprise Security Client XPC

56

Index57

58

About This GuideThe Enterprise Security Client is a simple user interface which formats and manages smartcards. This guide is intended for everyday us

• Certificate System Administration Guide explains how to install, configure, and use Red HatCertificate System.Additional Certificate System informat

NOTEA note provides additional information that can help illustrate the behavior of thesystem or provide more detail for a specific issue.TIPA tip is