HP ActivCard Smart Card Configuration
Implementation of an ActivCard® smart card solution on HP CCI

Introduction
Prerequisites
Reference hardware and software
Configuration compatibility
Software configuration
  Step 1: Configuring a Certification Authority (CA) service
  Step 2: Group policy setting
  Step 3: HP blade PC middleware configuration
  Step 4: Client smart card driver configuration
Smart card setup
  Initialization of the smart card using Microsoft Remote Desktop Connection
  Initialization of the smart card using HP Session Allocation Manager Client (HPSAM Client)
  Requesting a certificate from the blade PC
Usage cases
  Usage case 1: User authentication from client device to blade PC using RDP
  Usage case 2: User authentication from client device to blade PC using HPSAM client
  Usage case 3: Accessing a secure Web site
  Usage case 4: User authentication using VPN through firewall to blade PC
Additional information
This white paper discusses the implementation of ActivCard® smart cards on HP Consolidated Client Infrastructure (CCI). It is not intended as a comprehensive overview of ActivCard smart card technology.

NOTE: The images and instructions in this white paper use Microsoft Windows XPe; however, HP also tested the procedures using Microsoft Windows XP Professional and Microsoft Windows CE .NET.

NOTE: The images in this white paper were created using ActivClient™. For information about ActivCard Gold™, see the ActivCard Gold user guide.

Introduction
Smart cards can provide additional security to a CCI implementation. This paper describes a smart card reference implementation that you can use in a dynamic or a static CCI environment.

Prerequisites
This white paper assumes that the reader is familiar with CCI and has a working knowledge of Microsoft Group Policy, Microsoft Certificate Services (the Certification Authority, or CA), and setting up smart card readers and middleware.

Reference hardware and software
The following list provides the reference hardware and software used to validate the CCI product with a smart card:
• Load balancer, one of:
  • HP server running F5 Networks BIG-IP version 4.6.4
  • HP server running HP Session Allocation Manager version 1.0
• Primary domain controller
  • HP server running Microsoft Windows Server 2003 Enterprise Edition SP1, configured as the DNS, DHCP, IIS, CA, and secure Web site server
• VPN tunnel
• Altiris Deployment Server
• Network switch
  • HP ProCurve 2626
• Blade enclosure
  • HP e-Class blade enclosure
• Blade PCs
  • HP bc1000 blade PC running Microsoft Windows XP SP2 with the HP SAM blade service installed
  • HP bc1500 blade PC running Microsoft Windows XP SP2 with the HP SAM blade service installed
• Clients
  • HP Compaq t5000 series thin client running Microsoft Windows XPe with the HP SAM client installed
  • HP Compaq t5000 series thin client running Microsoft Windows CE with the HP SAM client installed
  • HP desktop PC running Microsoft Windows XP with the HP SAM client installed
• Smart card readers
  • HP standard USB Smart Card Keyboard. Driver: HPKBCCID.sys, version 4.28.0.1
  • USB CAC-approved smart card reader (SCM Microsystems SCR331). Driver: SCR33X2K.sys, version 4.27.00.01
  • Serial CAC-approved smart card reader (SCM Microsystems SCR131)
  • USB combo fingerprint and smart card reader (SCM Microsystems SPR337). Driver: spr337.sys, version 1.16.00.01
• ActivCard middleware
  • ActivCard ActivClient v5.4
  • ActivCard Gold v2.2

Configuration compatibility
HP has tested the following configurations using ActivCard ActivClient v5.4 and ActivCard Gold v2.2 and confirmed that they work in a CCI environment (X = tested and working).

Client platform              | HP USB Smart Card Keyboard | SCM SCR331 USB reader | SCM SCR131 serial reader | SCM SPR337 USB combo reader
HP thin client with XPe      | X | X | X | X
HP thin client with CE .NET  | tested and working with three of the four readers; the source table does not identify which reader is excluded
HP desktop with XP Pro       | X | X | X | X
Software configuration
Configure the following items to set up a smart card solution on CCI:
1. Certification Authority (CA) service
2. Group policy settings
3. Middleware running on an HP blade PC
4. Smart card client driver

Step 1: Configuring a Certification Authority (CA) service
Configure a CA service. This white paper uses Microsoft Certificate Services to issue the certificates. Detailed instructions for installing a CA service are beyond the scope of this white paper. For more information about installing Certificate Services, see http://www.microsoft.com/technet/security/smallbusiness/prodtech/windowsserver2003/build_ent_root_ca.mspx and http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00363517/c00363517.pdf.

After you install the CA service, perform the following configuration steps:
1. Create an MMC with the following snap-ins:
   • Active Directory Users and Computers
   • Certification Authority
   • Certificate Templates
2. Click Certificate Templates and look for the Smartcard Logon certificate template in the right pane.
3. Create a duplicate template by right-clicking the Smartcard Logon certificate template and selecting Duplicate Template.
4. Type a name for the new template in the Template display name box. This example uses CCI Smartcard Logon.
5. Click the Request Handling tab.
6. Select or type 1024 in the Minimum key size box. A 1024-bit RSA key was the norm when this paper was written; it is below current guidance, so use 2048 if the card and CSP support it.
7. Click the CSPs button.
8. Select Requests can use any CSP available on subject's computer. Allowing any CSP also permits enrollment with a software CSP, which leaves the private key on the blade PC's disk instead of on the card; if every logon key must be generated on a card, select only the ActivCard Gold Cryptographic Service Provider instead.
9. Click the Security tab.
10. In the Permissions for Authenticated Users box, in the Allow column, select Read and Enroll. You have completed creation of the template.
11. Publish the CCI Smartcard Logon certificate template under the CA so that the CA can issue it:
   a) Expand the Certification Authority object in the MMC you created in step 1.
   b) Expand your CA name.
   c) Right-click the Certificate Templates folder under the CA server.
   d) Select New > Certificate Template to Issue.
12. Select the template, and then click OK to import the template.
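The template settings chosen above can be checked afterwards from the directory rather than by reopening the MMC. The following PowerShell script is an added example and is not part of the HP paper: it reads the published template object from the Configuration partition and flags the settings that matter most for a logon template (the subject must be built from Active Directory, the key size, the EKUs) together with the CSP restriction discussed in step 8, then confirms the CA lists the template for issuance. Assumptions: the display name CCI Smartcard Logon from step 4, an account that can read the Configuration partition, and certutil on the path; the attribute names and OIDs are the standard Windows ones.

```powershell
# Added example (not from the HP paper): audit the duplicated template after it is published.
# Assumption: display name "CCI Smartcard Logon" as chosen in step 4.
$displayName = 'CCI Smartcard Logon'

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = $rootDse.configurationNamingContext
$tmplPath = "LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$tmplPath)
$searcher.Filter = "(&(objectClass=pKICertificateTemplate)(displayName=$displayName))"
$result = $searcher.FindOne()
if (-not $result) { throw "Template '$displayName' not found in AD; was it created in steps 3-10?" }
$t = $result.GetDirectoryEntry()

# Well-known values used by the checks below
$SmartCardLogonEku    = '1.3.6.1.4.1.311.20.2.2'
$ClientAuthEku        = '1.3.6.1.5.5.7.3.2'
$EnrolleeSuppliesSubj = 0x1    # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT in msPKI-Certificate-Name-Flag

$minKey   = [int]$t.Properties['msPKI-Minimal-Key-Size'][0]
$nameFlag = [int]$t.Properties['msPKI-Certificate-Name-Flag'][0]
$ekus     = @($t.Properties['pKIExtendedKeyUsage'])
$csps     = @($t.Properties['pKIDefaultCSPs'])

$findings = @()
if ($minKey -lt 2048) {
    $findings += "Minimum key size is $minKey; the paper's 1024 is below current guidance, use 2048 if the card CSP supports it."
}
if (($nameFlag -band $EnrolleeSuppliesSubj) -ne 0) {
    $findings += "'Supply in the request' is set; a logon template must build the subject and UPN from AD, or any enrollee can request a certificate naming another user."
}
if (($ekus -notcontains $SmartCardLogonEku) -or ($ekus -notcontains $ClientAuthEku)) {
    $findings += "EKU list lacks Smart Card Logon and/or Client Authentication: $($ekus -join ', ')"
}
if ($csps.Count -eq 0) {
    $findings += "No CSP restriction (step 8, 'any CSP'); list only the ActivCard CSP if private keys must be generated on the card."
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { "Template '$displayName' passes the checks." }

# Step 12 check: the CA must list the template among those it is willing to issue.
$issued = certutil -CATemplates 2>&1 | Select-String -SimpleMatch $displayName
if ($issued) { "CA issues: $($issued.Line.Trim())" }
else { Write-Warning "CA does not list '$displayName'; repeat step 11 (New > Certificate Template to Issue)." }
```

Run it on the CA or on any domain member with certutil; the ADSI binding uses the caller's credentials, so no extra parameters are needed.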
Step 2: Group policy setting
Apply the following smart card policy settings to the blade PCs through Group Policy. Both settings live under Computer Configuration, so they apply to the computer rather than to individual users:
• Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options: Interactive logon: Require smart card. Enabled or Disabled; the default is Disabled.
• Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options: Interactive logon: Smart card removal behavior. No Action, Lock Workstation, or Force Logoff; the default is No Action. With the default, removing the card leaves the blade session open; Lock Workstation is the usual choice when the thin client is shared.
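The two policies resolve to registry values on the blade PC. The PowerShell below is an added example rather than part of the HP paper: it sets the values on a single blade for testing and reads them back, which also serves as an audit once the GPO has applied (run gpupdate /force on the blade first). It assumes an elevated session on the blade PC; Lock Workstation is used as the example removal behavior.

```powershell
# Added example (not from the HP paper): registry form of the two Step 2 policies.
# Assumption: run elevated on the blade PC being tested.
$policyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Interactive logon: Require smart card        -> scforceoption (REG_DWORD): 1 = Enabled, 0 = Disabled
# Interactive logon: Smart card removal behavior -> ScRemoveOption (REG_SZ):
#   "0" = No Action (default), "1" = Lock Workstation, "2" = Force Logoff
function Set-SmartCardLogonPolicy {
    param(
        [int]$RequireSmartCard,       # 1 or 0
        [string]$RemovalBehavior      # "0", "1" or "2"
    )
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey   -Name scforceoption  -Value $RequireSmartCard -Type DWord
    Set-ItemProperty -Path $winlogonKey -Name ScRemoveOption -Value $RemovalBehavior  -Type String
}

function Get-SmartCardLogonPolicy {
    $force  = (Get-ItemProperty -Path $policyKey   -Name scforceoption  -ErrorAction SilentlyContinue).scforceoption
    $remove = (Get-ItemProperty -Path $winlogonKey -Name ScRemoveOption -ErrorAction SilentlyContinue).ScRemoveOption
    # A missing value means the policy was never set, which is the documented default.
    $removeText = switch ([string]$remove) {
        '1'     { 'Lock Workstation' }
        '2'     { 'Force Logoff' }
        default { 'No Action (default)' }
    }
    [pscustomobject]@{
        RequireSmartCard = if ($force -eq 1) { 'Enabled' } else { 'Disabled (default)' }
        SmartCardRemoval = $removeText
    }
}

# Example values: require the card and lock the blade session when it is pulled.
Set-SmartCardLogonPolicy -RequireSmartCard 1 -RemovalBehavior '1'
Get-SmartCardLogonPolicy
```

In production the GPO should carry the same values; the Get function is what you run on a blade to confirm they arrived.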
Step 3: HP blade PC middleware configuration
The HP blade PC software configuration is as follows:
• For the purposes of this white paper, an HP CCI implementation with the hardware and software components listed in "Reference hardware and software" was used.
• Install one of the following ActivCard middleware packages on the HP blade PCs:
  • ActivCard ActivClient v5.4
  • ActivCard Gold v2.2

Step 4: Client smart card driver configuration
Configure the thin client software (XPe and CE). Detailed instructions for installing drivers on an XPe or CE image are beyond the scope of this white paper. You can find instructions for XPe at http://h200001.www2.hp.com/bc/docs/support/SupportManual/c00264469/c00264469.pdf and instructions for CE at http://h200001.www2.hp.com/bc/docs/support/SupportManual/c00234778/c00234778.pdf.

Install the appropriate driver from the list below for the device that you will use:
• HP standard USB Smart Card Keyboard. Driver: HPKBCCID.sys, version 4.28.0.1
• USB CAC-approved smart card reader (SCM Microsystems SCR331). Driver: SCR33X2K.sys, version 4.27.00.01
  NOTE: For Microsoft Windows CE .NET, you may need to copy the drivers from the folder where they were installed (\Windows) to the \Hard Disk\Program Files folder so that the drivers are written to flash memory.
• Serial CAC-approved smart card reader (SCM Microsystems SCR131)
  NOTE: For Microsoft Windows CE .NET, you may need to copy the drivers from the folder where they were installed (\Windows) to the \Hard Disk\Program Files folder so that the drivers are written to flash memory.
• USB combo fingerprint and smart card reader (SCM Microsystems SPR337). Driver: spr337.sys, version 1.16.00.01

Smart card setup
Initialization of the smart card using Microsoft Remote Desktop Connection
1. Power on the thin client with the smart card reader installed.
2. Open Device Manager to verify that the drivers for the card reader are installed:
   a) Click Start.
   b) Right-click My Computer and select Manage.
   c) In the left pane, select Device Manager.
   d) In the right pane, expand Smart card readers.
   e) Select the installed smart card reader.
   f) Under Device status, verify the message "This device is working properly."
3. To begin the enrollment from the blade PC side, open the Remote Desktop Connection window by clicking Start > All Programs > Accessories > Communications > Remote Desktop Connection.
4. Select the Local Resources tab.
5. In the Local devices area, select Smart cards. This forwards the thin client's reader into the blade PC session.
6. Connect to the blade PC on which you will set up the smart card and log in as a domain-authenticated user.
7. Verify that the ActivCard icon is displayed in the system tray.
8. Insert an unprogrammed ActivCard-compatible smart card into the reader. The ActivCard icon in the system tray changes from red to blue.
9. Select the ActivCard icon in the system tray to open the ActivCard utility.
10. Select Tools > New Card to initialize the smart card.
11. In the New PIN and Verify boxes, type a PIN for the card, and then click OK. The system displays the unlock code for this card in case the PIN is lost. Record the unlock code in a secure place and never store it with the card: anyone holding it can reset the PIN.
12. Close the ActivCard utility.
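The Local Resources > Smart cards checkbox in step 5 is the redirectsmartcards setting of an .rdp file. The PowerShell below is an added example, not from the HP paper: it writes a connection file that always forwards the reader (and nothing else), replaces the Device Manager check in step 2 with a command-line check that the client actually enumerates a reader, and then launches the connection. The host name blade01.example.local is a placeholder, and certutil -scinfo is assumed to be available on the client (it is part of certutil on later Windows versions; an XPe image may not carry it).

```powershell
# Added example (not from the HP paper): scripted equivalent of steps 2-6.
# Assumptions: placeholder blade host name; certutil present on the client.
$blade   = 'blade01.example.local'
$rdpFile = Join-Path $env:USERPROFILE 'Desktop\cci-blade.rdp'

# redirectsmartcards:i:1 is the "Smart cards" checkbox. Drive and clipboard redirection are
# switched off so the thin client exposes nothing beyond the reader to the blade session.
@"
full address:s:$blade
redirectsmartcards:i:1
redirectdrives:i:0
redirectclipboard:i:0
"@ | Set-Content -Path $rdpFile -Encoding ASCII

# RDP redirects the WinSCard resource manager, so a reader that certutil cannot see here
# will not appear on the blade either. -silent suppresses PIN prompts while enumerating.
$scinfo = certutil -silent -scinfo 2>&1 | Out-String
$readers = ($scinfo -split "`r?`n") | Where-Object { $_ -match 'Reader:' }

if (-not $readers) {
    Write-Warning "No smart card reader enumerated on this client (check the Step 4 driver):`n$scinfo"
} else {
    "Readers visible to the client:"
    $readers | ForEach-Object { "  " + $_.Trim() }
    # Connect; the card can be inserted after logon for Tools > New Card (step 10).
    mstsc $rdpFile
}
```

Keep the .rdp file under the user's profile rather than on a shared path; it names the blade and the redirection policy, and a tampered copy could quietly turn drive redirection back on.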
Initialization of the smart card using HP Session Allocation Manager Client (HPSAM Client)
1. Power on the thin client with the smart card reader installed.
2. Open Device Manager to verify that the drivers for the card reader are installed:
   a) Click Start.
   b) Right-click My Computer and select Manage.
   c) In the left pane, select Device Manager.
   d) In the right pane, expand Smart card readers.
   e) Select the installed smart card reader.
   f) Under Device status, verify the message "This device is working properly."
3. To begin the enrollment from the blade PC side, open the HP PC Session Allocation Client window by clicking Start > All Programs > Hewlett-Packard.
4. Click Options.
5. Select the Miscellaneous tab and verify that the Smart Cards box is selected.
6. Connect to the blade PC on which you will set up the smart card, and then log in as a domain-authenticated user.
7. Verify that the ActivCard icon is displayed in the system tray.
8. Insert an unprogrammed ActivCard-compatible smart card into the reader. The ActivCard icon in the system tray changes from red to blue.
9. Select the ActivCard icon in the system tray to open the ActivCard utility.
10. Select Tools > New Card to initialize the smart card.
11. In the New PIN and Verify boxes, type a PIN for the card, and then click OK. The system displays the unlock code for this card in case the PIN is lost.
12. Close the ActivCard utility.
Requesting a certificate from the blade PC
1. Open Internet Explorer and go to the certification server's enrollment Web site. The address of this Web site was determined when the certification server was set up (see "Step 1: Configuring a Certification Authority (CA) service"). If you do not know the Web address, consult your network administrator. In this example, the address used is http://pecert/certsrv. The example uses plain HTTP; in production, serve the enrollment site over HTTPS so that the credentials used to reach it do not cross the network in the clear.
2. Click the Request a Certificate task.
3. On the Request a Certificate page, click advanced certificate request.
4. On the Advanced Certificate Request page, select Create and submit a request to this CA.
5. On the Advanced Certificate Request page:
   a) Select CCI Smartcard Logon as the certificate template.
   b) Select ActivCard Gold Cryptographic Service Provider as the CSP.
   c) Submit the request, which requests a CCI Smartcard Logon certificate for the logged-in user.
6. If a warning message displays about a potential scripting violation, click Yes to continue with the certificate request.
7. After the system generates the public and private keys, the page to install the certificate displays. Select Install this certificate. This command installs the user's certificate onto the smart card.
8. If a warning message displays about a potential scripting violation, click Yes to continue with the certificate request.
9. Upon successful completion, the system displays the Certificate Installed page. You may close Internet Explorer.

To verify that the CCI Smartcard Logon certificate for the user is installed on the smart card:
1. Click the ActivCard icon in the system tray to open the ActivCard Gold utility.
2. In the right pane, select the My Certificates icon. The system displays the username ID.
3. Select the username ID to view the installed certificate, which shows:
   • who it was issued to
   • who it was issued by
   • valid dates
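The same enrollment can be scripted with certreq, which helps when many cards must be enrolled and makes the result checkable. The PowerShell below is an added example, not from the HP paper. Assumptions: the template's internal name is CCISmartcardLogon (the MMC derives it from the display name by removing spaces; confirm with certutil -CATemplates), the CA configuration string pecert\CCI-CA is a placeholder for <host>\<CA name>, and the CSP name is the one selected in step 5b. The verification function at the end shows what the ActivCard utility shows (issued to, issued by, validity) and additionally checks the two things the domain controller will require at logon: the Smart Card Logon EKU and a UPN in the subject alternative name that matches the enrolling user.

```powershell
# Added example (not from the HP paper): certreq-based enrollment onto the card plus verification.
# Assumptions: template internal name, CA config string (placeholder), CSP name from step 5b.
$template = 'CCISmartcardLogon'
$caConfig = 'pecert\CCI-CA'
$cspName  = 'ActivCard Gold Cryptographic Service Provider'
$work     = Join-Path $env:TEMP 'cci-enroll'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# UPN of the user running the script, read from that user's AD object via SID binding.
$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$upn = [string]([ADSI]"LDAP://<SID=$sid>").userPrincipalName

# No Subject line on purpose: the template builds subject and UPN from AD, so the request
# must not supply one. KeyLength follows the paper's 1024; raise to 2048 if the card allows.
@"
[NewRequest]
ProviderName = "$cspName"
KeyLength = 1024
KeySpec = 1
KeyUsage = 0xA0
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = $template
"@ | Set-Content -Path "$work\req.inf" -Encoding ASCII

# -new makes the CSP generate the key pair on the card (it prompts for the PIN from "New Card").
certreq -new "$work\req.inf" "$work\req.req"
if ($LASTEXITCODE -ne 0) { throw 'certreq -new failed; is the card inserted and the CSP installed?' }
certreq -submit -config $caConfig "$work\req.req" "$work\cert.cer"
if ($LASTEXITCODE -ne 0) { throw 'certreq -submit failed; check the CA config string and Enroll permission.' }
certreq -accept "$work\cert.cer"     # writes the issued certificate back to the card via the CSP
if ($LASTEXITCODE -ne 0) { throw 'certreq -accept failed; the certificate was not written to the card.' }

function Test-SmartCardLogonCert {
    param([string]$ExpectedUpn)
    $smartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'
    Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $hasLogonEku = $ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $smartCardLogonOid })
        if (-not $hasLogonEku) { return }
        $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
        [pscustomobject]@{
            IssuedTo   = $cert.Subject
            IssuedBy   = $cert.Issuer
            ValidFrom  = $cert.NotBefore
            ValidUntil = $cert.NotAfter
            UpnMatches = [bool]($sanText -match [regex]::Escape($ExpectedUpn))
            HasKey     = $cert.HasPrivateKey
        }
    }
}

Test-SmartCardLogonCert -ExpectedUpn $upn
```

A row with UpnMatches false means the template is supplying a subject that does not correspond to the account; fix the template (step 4 onwards) rather than the card, because the KDC maps the certificate to the account through that UPN.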
Usage cases
Usage case 1: User authentication from client device to blade PC using RDP
The following steps provide instructions for performing a functional test of the CCI Smartcard Logon certificate:
1. Log out of the RDP session.
2. Open the Remote Desktop Connection window and initiate a connection to the blade PC.
3. Make sure a smart card is inserted in the reader. The system requests the smart card PIN.
4. Type the PIN that you assigned. The user is logged into the blade PC.

Usage case 2: User authentication from client device to blade PC using HPSAM client
The following steps provide instructions for performing a functional test of the CCI Smartcard Logon certificate:
1. Log out of the RDP session.
2. Open the HPSAM client window and initiate a connection to the blade PC.
3. Make sure a smart card is inserted in the reader. The system requests the smart card PIN.
4. Type the PIN that you assigned. The user is logged into the blade PC.

Usage case 3: Accessing a secure Web site
The following steps provide instructions for accessing a secure Web site using an ActivCard through a blade PC. Installing and configuring a secure Web site is beyond the scope of this white paper; therefore, the white paper assumes the secure Web site is already functional and accessible from the blade PC. The white paper also assumes that the certificate installed on the smart card is accepted by this secure Web site.
1. Log in to a blade PC using a smart card, as demonstrated in usage case 1.
2. Use Internet Explorer to connect to a Web page on the same server as the secure Web site, to make sure the system is functioning properly.
3. Confirm that the lower right corner of the Internet Explorer window does not display a lock icon (this non-secure page is the baseline for the comparison in step 6).
4. In Internet Explorer, type the address of the secure Web site.
5. If the system displays security alert messages, read them before clicking OK: an alert about the server certificate's name, validity, or chain points to a server-side problem that should be fixed rather than dismissed. The LED on the card reader indicates when the Web site is accessing the smart card to verify whether the certificate is approved for the site.
6. After the secure Web site displays, a lock icon in the lower right corner of Internet Explorer confirms that you are connected to a secure Web site.

Usage case 4: User authentication using VPN through firewall to blade PC
Instructions for installing and configuring a VPN tunnel with a firewall are beyond the scope of this white paper; therefore, the white paper assumes the VPN tunnel and firewall are already installed and functional. The white paper also assumes that you have a broadband Internet connection and that ActivCard middleware is installed on the client.
1. In the Control Panel on the client computer, open Network and Internet Connections.
2. Select the Create a connection to the network at your workplace task.
3. In the New Connection Wizard, select Virtual Private Network connection.
4. In the Company Name box, type the name for the VPN connection (for example, Work), and then click Next.
5. Select Do not dial the initial connection, and then click Next.
6. In the text box, type the host name or IP address of the VPN tunnel, and then click Next.
7. Select Use my smart card, and then click Next.
8. Select Add a shortcut for this connection to my desktop, and then click Finish.

Depending upon the configuration of the VPN tunnel, you may have to change the configuration of the VPN connection. To change the configuration of the VPN connection:
1. In Control Panel, open Network and Internet Connections > Network Connections.
2. Right-click the VPN connection icon and select Properties.

You can initiate the VPN connection after setting it up, as follows:
1. Start the VPN connection.
2. In Smart card PIN, type the PIN, and then click OK. While establishing the VPN connection, the system displays Verifying username and password and then Authenticated.
After the connection is established, the network connection icon displays in the system tray.

Additional information
For more information about HP Consolidated Client Infrastructure, see http://h71028.www7.hp.com/enterprise/cache/9885-0-0-225-121.html. For more information about ActivCard, see http://www.activcard.com.

© 2006 Hewlett-Packard Development Company, L.P. The information in this document is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Microsoft, MS-DOS, Windows, and Windows NT are trademarks of Microsoft Corporation in the U.S. and other countries. 409531-002, 4/2006
2 This w hite paper disc usses the impl e mentation of A ctivC ard® smart car ds on HP Consoli dated Client Infr astru cture (C CI) . T his white paper is no t intend ed as a compr ehensi ve o vervi ew of A cti vCard smart card tec hnology . NO TE: T he images and instructi ons in this white pa pe r use Mi cr osoft W indow s XP e; ho we ver , HP also tested p r oc edu res using Micr osoft XP Profession al an d Micr osof t Windows CE .N ET . NO TE: The images in this w hite paper w ere c reated using A cti vClientâ¢. F or infor mation about Ac tivCar d Goldâ¢, see the Ac tivC ard Gold us er guide . Intr oduction Smart cards can pr ovi de additional sec urity to a CCI implementation . This paper desc ribes a smart car d r efer ence implementati on that you can u se in a dy namic or a stati c CCI env ironment . Pr er equisites This w hite paper as sumes that the reader is f amiliar w ith CCI and has a w orking kno wledge o f Mic ro soft Gr oup P olic ies, Mi cr osoft Ce r tifi cate Authen tication (CA ) , and setting up smart car d readers and mi ddle- ware. Re f e re n c e h a rd wa re a n d s o f t w a re The f ollo wing lis t pro vide s the ref er ence hard war e and softwar e used to v alidate the CCI pr oduct w ith a smart card: ⢠Load Balancer . ⢠HP Server r unning F5 networks Bi gIP versi on 4.6.4. or ⢠HP Server r unning HP Session A llocation Manager v ersion 1. 0. ⢠Primary Domain Con troller . ⢠HP server r unning Mic ros oft Windo ws Ente rpris e 2003 Serv er SP1. Confi gured as DNS , DHCP , IIS, CA, and s ecur e W eb site server . ⢠VPN T unnel. ⢠Altir is Deploymen t Server . ⢠Networ k S witc h. â¢H P P r o c u r v e 2 6 2 6 .
3 ⢠Blade Enclo sure . ⢠HP e -class blade enc l osur e . ⢠Blade PC s ⢠HP bc1000 blade PC running Mic r osoft W indow s XP SP2 w/HP SA M blade service ins talled. ⢠HP bc1500 blade P C running Mi cr osoft Windo w s XP SP2 w/HPS AM blade servi ce installed. ⢠Clien ts ⢠HP Compaq t5 000 ser ies thin cli ent running Mi cr osoft W indow s XP e w/HPS AM blade ser- vi ce installed . ⢠HP Compaq t5 000 ser ies thin cli ent running Mi cr osoft W indow s CE w/HP SAM blade s er- vi ce installed . ⢠HP desktop PC r unning Mic ro soft Windo ws XP w/HP SAM blade se r v ice installed . ⢠Smart Card R eaders ⢠HP standar d USB Smart Car d K ey board . Dri ver : HPKBCCID .s ys , versi on 4.2 8. 0.1. ⢠USB CA C appr ov ed smart card reader (S CM Mic ros ystems S CR331 R eader). Dri ver : SCR3 3X2K.s ys, v ersi on 4.2 7 . 00.01. ⢠Ser ial CA C appro ved smart card r eader (SCM Mi cr os ystems S CR131 Reader ) . ⢠USB C ombo F ingerpr int & Smar t Car d reader (S CM Mic ros ystems SP R3 3 7) . Dri ver : spr3 3 7 .s ys, v ersi on 1.16. 00.01. ⢠Acti vCard mi ddlew ar e ⢠Acti vCard A cti vClient v5 .4. ⢠Acti vCard Gold v2 .2 . Co nfi gur ation compatib ilit y HP has tes ted the follo wing conf igurati ons using Ac ti vCard A cti vClient v5 .4, Ac tivC ard Gold v2 .2 and confir med that the configur ations wor k in a CCI en vir onment. HP USB Smart Card Keyb oa rd SCM Mi crosystems SCR331 U SB Reader USB Reade r SCM Micr os yste ms SCR131 Serial Reade r Serial Reader SCM Micr os yste ms SPR3 3 7 USB Combo Read er H P T h i n C l i e n t w / X P e XXXX HP Thin C lient w/CE .net X X X H P D e s k t o p w / X P P r o XXXX
4 Sof t war e co nfigu ratio n Conf igur e the follo wing items to set up a smart card so lution on CCI: 1. Certif icate Au thentication (CA ) servi ce 2. Group poli cy settings 3. Middle war e running on a HP blade PC 4. Smart card c lient dr iv er St ep 1: Conf iguring a C ertifi cate Authenti cation (CA ) ser v ice Conf igur e a CA servi ce. T his white pa per uses Mic r os oft Cer t ific ate Se r vices t o c on figu re ce rt ific at es. Detailed instruc tions f or installing a CA servi ce is be y ond the scope of this w hite paper . Fo r more inf orma- tion abou t installing Certifi cate Servi ces, see http://www .microsoft.com/technet/security/smallbusi- ness/prodtech/windo wsserver2003/build_ent_r oot_ca.mspx and http://h20000.www2.hp.com/bc/ docs/suppor t/SupportManual/c0036 3517/c003 63517 .pdf . After y ou install the CA serv ice , perfor m the follo wing conf igur ation step s: 1. Cr eate an MMC with the f ollo wing sna p-ins: ⢠Acti ve Dir ectory Users and Co mputers ⢠Certifi cation Au thority ⢠Certificate T emp lates 2. Cl ick Certifi cate T emplates and look for the Smartcar d Logon certifi cate in the right pane . 3. Cr eate a duplicate template b y right-clic king on the Smartcard L ogon certificate templat e, and then select ing Dupl icate T emplate .
5 4. T y pe a name for the ne w template in the Te m p l a t e d i s p l a y n a m e box . This ex ample use s CCI Smartcard Logon .
6 5. Click the R equest Handling tab . 6. Select or type 1024 in the Minimum k ey size bo x. 7. Click t he CSP s button. 8. Select Reque sts can u se an y C SP a vailable on subject' s compute r . 9. Click the Sec urity tab .
7 10. In the P e rmissions for Auth enticated Us ers bo x, in the Allo w column, selec t Re ad and Enroll . Y ou have completed c reation of the template . 11. Cop y the CCI Smartcard L ogon cer tifi cate template in to the C ertificate T emplates f older under the cer- tifi cate server . a) Expand the Certifi cation A uthority obj ect in the MMC y ou cr eated in step 1. b) Expand y our CA name. c) R ight-clic k on the Certificate T emplates fo lder under the CA server .
8 d) Select Ne w > Certifica te T emp late to I ssue . 12. Select the te mplate , and then clic k OK to import the template.
9 St ep 2: Gr oup polic y setting Apply the f ollow ing smart card gr oup polic y settings to the computer through a user poli cy setting or thr ough a computer policy s etting: ⢠Compu ter Conf igur ation\Windo ws Settings\S ecur ity Settings\Local P olic ies\Sec urity Options - In ter- acti ve L ogon: Requir e smar t card , enable or disable . The def ault is disabled ⢠Compu ter Conf igur ation\Windo ws Settings\S ecur ity Settings\Local P olic ies\Sec urity Options - In ter- acti ve L ogon: Smart card r emov al behav ior , no acti on or lock w orkst ation or fo rce logoff . The de fault is no action .
10 St ep 3: HP blade PC mi ddlew are conf igur ation The f ollo wing pr ov ides HP blade P C softwar e confi gurati on: ⢠F or the purpo ses of this whit e paper , an HP CC I implementation w ith the hard war e and softwar e components listed in âR efer ence hard war e and softwar e â on page 2 was u sed. ⢠Install one of the f ollow ing Acti vCar d middlew are pack ages on the HP Blade PCs: ⢠Acti vCard A ctivC lient v5 .4 ⢠Acti vCard Gold v2 .2 St ep 4: Client smart car d dri ver conf igur ation Conf igur e thin client so ft w are (XP e and CE) . D etailed instruc tions f or installing dr iv ers on an XP e or CE image is be yond the scope o f this white pa per . Y ou can find instr uctions f or XP e at ht tp:// h200001.ww w2.hp .com/bc/docs/suppor t/SupportM anual/c00 2644 6 9/c002 6446 9 .pdf and instruc- tions f or CE http://h200001.w ww2.hp.com/bc/docs/support/SupportM anual/c002 34 77 8/ c002 34 77 8.pdf. >> Install the appr opriate dr iver f r om the list below f or the de vi ce that you w ill use. ⢠HP standar d USB Smart Car d K ey board Dri ver : HPKBCCID .sy s, ve rsion 4.2 8.0.1
11 ⢠USB CA C appr ov ed smart card reader (S CM Mic ros ystems S CR331 R eader) Dri ver : SCR3 3X2K.s ys, v ersi on 4.2 7 . 00.01 NO TE: Fo r Mic ro soft Windo ws CE .NET , y ou may need to cop y the dri vers f rom the f older whe re the y wer e installed ( \Windo ws ) to the \Hard Disk\Progr am Files folder so the dr i vers w ill be wr it ten to fla sh memor y . ⢠Ser ial CA C appr ov ed smar t car d read er (S CM Micr osy stems S CR131 Reader ) NO TE: Fo r Mic ro soft Windo ws CE .NET , y ou may need to cop y the dri vers f rom the f older whe re the y wer e installed ( \Windo ws ) to the \Hard Disk\Progr am Files folder so the dr i vers w ill be wr it ten to fla sh memor y .USB Combo F inger print & Smart Car d Reader (S CM Mic ros ystems SPR3 3 7) Dri ver : spr3 3 7 .s ys, v ersi on 1.16. 00.01 Smart car d setup Initiali z ation of the smart car d using Mi cr oso ft Remot e Desktop Connec tion 1. P o wer on the thin c lient w ith the smart card r eader installed . 2. Open Devi ce Manager to ve rify that the dri vers f or the card r eader are installed: a) Clic k Star t . b) R ight- cli ck on My C o m pu t e r and select Manage . c) In the left pane , select De vice Manager .
12 d) In the ri ght pane, e xpand Smar t card readers . e) Select the ins talled smart card r eader . f) Under De vice status , v eri f y the mess age âThis de vi ce is wo rking pr operly . â 3. T o begin the enrollment f rom the blade P C side, open the R emote Desktop C onnection w indow b y click in g Start > All Pr ograms > Accessories > Communications . 4. Select the L ocal Resour ces tab .
13 5. In the Local Devices ar ea, select Smart cards . 6. Connect to the blade PC on w hich y ou w ill set up the smart card and log in as a domain-authenti- cated user . 7. V erify the Ac tivCar d icon is display ed in the sy stem tr ay . 8. Insert an unprogr ammed Acti vCard-compatible smart ca rd into the r eader . The Ac tivCar d icon in the s ystem tr ay change s fr om red to blue . 9. Select the Acti vCard i con in the sy stem tra y to open the Acti vCard utility . 10. Select To o l s > Ne w Card to initiali z e the smart card. 11. In the Ne w PIN and Ve r i f y box es, type a P IN for the car d, and then cli ck OK . Th e sys te m d i sp l ays the unlock code f or this car d in case the PIN is lost . 12. Close the A cti vCard u tility .
14 Initiali z ation of the smart car d using HP Ses sion A llocation Manager C lient (HP S AM Client) 1. P o wer on the thin c lient w ith the smart card r eader installed . 2. Open Devi ce Manager to ve rify that the dri vers f or the card r eader are installed: a. C li ck Star t . b. Ri g h t - c l i ck o n My C om p u t er and select Manage . c. In the le ft pane, selec t De vice Manager . d. In the r ight pane , expand Smar t card read ers . e . Select the installed smart car d reader . f . Under De vice s tatus, v erify the message âT his dev ice is w orking pr operly . â 3. T o b e g i n t h e e n ro l l m e n t f ro m t h e b l a d e PC s i d e, o p e n t h e H P PC S e s s i o n Al l o c a t i o n Cl ie n t wi n d ow by click in g Start > All Pro grams > He wl ett-P ack ard . 4. Click Opti ons . 5. Select the Miscellaneous t ab and ver ify the Sm art C ards bo x is selected .
15 6. Connect to the blade PC on w hich y ou w ill set up the smart card , and then log in as a domain- authenticated user . 7. V erify the Ac tivCar d icon is display ed in the sy stem tr ay . 8. Insert an unprogr ammed Acti vCard-compatible smart ca rd into the r eader . The Ac tivCar d icon in the s ystem tr ay change s fr om red to blue . 9. Select the Acti vCard i con in the sy stem tra y to open the Acti vCard utility . 10. Select To o l s > Ne w Card to initiali z e the smart card. 11. In the Ne w Pi n and Ve r i f y box es, ty pe a PIN f or the card , and then cli ck OK . The s yst em display s the unlock code f or this car d in case the PIN is lost . 12. Close the A cti vCard u tility .
16 R equesting a certifi cate fr om the blade P C 1. Open Internet Explor er and go to the Certifi cation Server enr ollment W eb site. T h e addr ess of this W eb site was det ermined w hen the Certifi cation Serve r was se t up (see âStep 1: C onfi guring a Certif- icate A uthenticati on (CA) serv ice â on page 4) . If y ou do not kno w the W eb addre ss, consult y our net- w ork administr ator . In this e xample , the addre ss used is http://pecert/cer tsrv . 2. Cl ick th e Req uest a C erti fic ate task. 3. On the Req uest a Certifi cate page , clic k adv ance d cert ificat e re quest . 4. On the Ad vanced Certif icate Req uest page , select Create and submit a request to t his CA . 5. On the Adv ance Certifi cate Reques t page: a) Select CCI Smartcard Logon as the certificate templat e. b) Select Acti vCard Gold Cryptog raphic Serv ice Pro vider as t he CS P . c) Submit the r equest , whi ch r equests a C CI Smar tCar d Logon certifi cate for the selec ted user .
6. If a warning message displays about a potential scripting violation, press Yes to continue with the certificate request.
7. After the system generates the public and private keys, the page to install the certificate displays. Select Install this certificate. This command installs the user's certificate onto the smart card.
8. If a warning message displays about a potential scripting violation, press Yes to continue with the certificate request.
9. Upon successful completion, the system displays the Certificate installed page. You may close Internet Explorer.
To verify that the CCI SmartCard Logon certificate for the user is installed on the smart card:

1. Click the ActivCard icon in the system tray to open the ActivCard Gold utility.
2. In the right pane, select the My Certificates icon. The system displays the username ID.
3. Select the username ID to view the installed certificate, which shows:
   • who it was issued to
   • who it was issued by
   • valid dates
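The same check can be done from a PowerShell prompt on the blade PC once the user is logged on with the card. The script below is an added example, not part of the HP white paper or the ActivCard product: it lists the certificates in the user's personal store that carry the Smart Card Logon enhanced key usage and prints the fields the ActivCard utility shows (issued to, issued by, valid dates) together with the UPN, the template name and the key provider. It assumes an English-locale Windows, where X509Extension.Format() renders the subject alternative name as "Other Name:Principal Name=..." and the template extension as the template name.

```powershell
# Added example (not from the HP white paper): enumerate smart card logon
# certificates in the current user's personal store and report what matters
# for a logon certificate: EKU, UPN, validity window and key provider.
# Assumes English-locale formatting of the SAN and template extensions.
$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # szOID_KP_SMARTCARD_LOGON
$TemplateNameOid   = '1.3.6.1.4.1.311.20.2'     # certificate template name extension
$SanOid            = '2.5.29.17'                # subjectAltName

function Get-SmartCardLogonCertificate {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    Get-ChildItem -Path $StorePath | Where-Object {
        # Keep only certificates whose EKU list contains Smart Card Logon
        $_.EnhancedKeyUsageList.ObjectId -contains $SmartCardLogonEku
    } | ForEach-Object {
        $cert = $_

        # The UPN lives in the SAN as an otherName; pull it from the formatted text
        $upn = $null
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
        if ($san -and ($san.Format($false) -match 'Principal Name=([^,\s]+)')) {
            $upn = $Matches[1]
        }

        # Template name set by the CA (e.g. the page's "CCI Smartcard Logon")
        $template = $cert.Extensions |
            Where-Object { $_.Oid.Value -eq $TemplateNameOid } |
            ForEach-Object { $_.Format($false) }

        # For a CSP-backed key the provider name (e.g. "ActivCard Gold Cryptographic
        # Service Provider") confirms the private key is on the card, not on disk.
        $provider = $null
        try { $provider = $cert.PrivateKey.CspKeyContainerInfo.ProviderName } catch { }

        $now = Get-Date
        [pscustomobject]@{
            IssuedTo   = $cert.Subject
            IssuedBy   = $cert.Issuer
            ValidFrom  = $cert.NotBefore
            ValidTo    = $cert.NotAfter
            IsCurrent  = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
            UPN        = $upn
            Template   = $template
            Provider   = $provider
            Thumbprint = $cert.Thumbprint
        }
    }
}

Get-SmartCardLogonCertificate | Format-List
```

An empty result, a false IsCurrent, a missing UPN or a software provider name each point to a different failure of the enrollment steps above (wrong template, expired certificate, no UPN mapping, or a key generated outside the card).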
Usage cases

Usage case 1: User authentication from client device to blade PC using RDP

The following steps provide instructions for performing a functional test of the CCI SmartCard Logon certificate:

1. Log out of the RDP session.
2. Open the Remote Desktop Connection window and initiate a connection to the blade PC.
3. Make sure a smart card is installed in the reader. The system requests the smart card PIN.
4. Type the PIN that you assigned. The user is logged into the blade PC.

Usage case 2: User authentication from client device to blade PC using HPSAM client

The following steps provide instructions for performing a functional test of the CCI SmartCard Logon certificate:

1. Log out of the RDP session.
2. Open the HPSAM client window and initiate a connection to the blade PC.
3. Make sure a smart card is installed in the reader. The system requests the smart card PIN.
4. Type the PIN that you assigned. The user is logged into the blade PC.

Usage case 3: Accessing secure Web site

The following steps provide instructions for accessing a secure Web site using an ActivCard through a blade PC. Installing and configuring a secure Web site is beyond the scope of this white paper; therefore, the white paper assumes the secure Web site is already functional and accessible from the blade PC. The white paper also assumes that you can use the certificate installed on the smart card to access this secure Web site.

1. Log in to a blade PC using a smart card, as demonstrated in usage case 1.
2. Use Internet Explorer to connect to a Web site to make sure the system is functioning properly. Connect to a Web page on the same server as the secure Web site.
3. Confirm that the lower right corner of the Internet Explorer window does not display a lock icon.
4. In Internet Explorer, type the address of a secure Web site.
5. If the system displays security alert messages, click OK. The LED on the card reader indicates when the Web site is accessing the smart card to verify whether the certificate is approved for the site.
6. After the secure Web site displays, a lock icon in the lower right corner of Internet Explorer confirms that you are connected to a secure Web site.

Usage case 4: User authentication using VPN through firewall to blade PC

Instructions for installing and configuring a VPN tunnel with a firewall are beyond the scope of this white paper; therefore, the white paper assumes the VPN tunnel and firewall are already installed and functional. The white paper also assumes that you have a broadband Internet connection and that ActivCard middleware is installed on the client.

1. In the Control Panel on the client computer, open Network and Internet Connections.
2. Select the Create a connection to the network at your workplace task.
3. In the New Connection Wizard, select Virtual Private Network connection.
4. In the Company Name box, type the name for the VPN connection (for example, Work), and then click Next.
5. Select Do not dial the initial connection, and then click Next.
6. In the text box, type the host name or IP address of the VPN tunnel, and then click Next.
7. Select Use my smart card, and then click Next.
8. Select Add a shortcut for this connection to my desktop, and then click Finish.

Depending upon the configuration of the VPN tunnel, you may have to change the configuration of the VPN connection. To change the configuration of the VPN connection:

1. In Control Panel, open Network and Internet Connections > Network Connections.
2. Right-click on the VPN connection icon and select Properties.

You can initiate the VPN connection after setting it up, as follows:

1. Start the VPN connection.
2. In Smart card PIN, type the PIN, and then click OK. While establishing the VPN connection, the system displays Verifying username and password and Authenticated.
After the connection is established, the network connection icon displays in the system tray.

Additional information

For more information about HP Consolidated Client Infrastructure, see http://h71028.www7.hp.com/enterprise/cache/9885-0-0-225-121.html.
For more information about ActivCard, see http://www.activcard.com.

© 2006 Hewlett-Packard Development Company, L.P. The information in this document is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Microsoft, MS-DOS, Windows, and Windows NT are trademarks of Microsoft Corporation in the U.S. and other countries.
409531-002, 4/2006