Red Hat CERTIFICATE SYSTEM ENTERPRISE - SECURITY GUIDE, Manual

Page 1: ...Red Hat Certificate System Enterprise Security Client Guide Red Hat Author s Red Hat Inc ISBN N A Publication date ...

Page 2: ...Red Hat Certificate System Enterprise Security Client Guide ...

Page 3: ...distributed only subject to the terms and conditions set forth in the Open Publication License V1 0 A copy of this license is available at http www opencontent org openpub1 Any Red Hat trademarks that are incorporated in the documentation are not subject to the Open Publication License and may only be used or replicated with the express permission of Red Hat Inc ...

Page 4: ...Red Hat Certificate System Enterprise Security Client Guide ...

Page 5: ...6 4 Enrolling Smart Cards 35 7 Diagnosing Problems 37 5 Using Enterprise Security Client Keys for SSL Client Authentication and S MIME 41 1 Using the Certificates on the Token for SSL 41 2 S MIME Applications 43 6 Uninstalling Enterprise Security Client 45 1 Uninstalling on Windows 45 2 Uninstalling on Red Hat Enterprise Linux 45 3 Uninstalling on Mac OS X 45 A Enterprise Security Client Configura...

Page 6: ...vi ...

Page 7: ...use the tokens the TPS must be able to recognize and communicate with them The tokens have to be enrolled the process of formatting tokens with keys and certificates and adding them to the Certificate System Enterprise Security Client provides the user interface for end entities to enroll tokens and to communicate with the TPS Enterprise Security Client provides the conduit through which TPS commu...

Page 8: ...rogram logic scripting XUL Javascript code can make use of the array of Mozilla functionality by using their XPCOM technology The Mac Enterprise Security Client ships with a smart card specific TokenD component which bridges the gap between Certificate System supported tokens and the Mac CDSA security layer allowing current OS X applications like Apple Mail and Safari to take advantage of the capa...

Page 9: ...erprise Security Client to the tray Double clicking the tray icon brings Enterprise Security Client to the front There are also notification messages shown as standard balloon tooltips on events like inserting or removing a card Linux The tray icon appears only if the notification area in Gnome has been enabled The tray icon options are identical to the Windows options Clicking the X in the top le...

Page 10: ...4 ...

Page 11: ...prise Linux 4 AS Intel x86 Red Hat Enterprise Linux 4 ES Intel x86 Microsoft Windows XP Apple MAC OS X 10 4 x Tiger Smart Card Support Enterprise Security Client supports the following smart cards Visa Open Platform compliant smart cards such as Axalto Cyberflex egate 32k tokens Chapter 2 5 ...

Page 12: ...6 ...

Page 13: ...Linux platforms the preferred method of obtaining RPMs is using the up2date command line utility up2date esc If the up2date process is successful all of the necessary Enterprise Security Client RPMs are installed and ready for use Both the Mac and Windows Enterprise Security Client bundles are available only in the Downloads area of the Red Hat Network There are two channels for the packages one f...

Page 14: ...Figure 3 1 Launching the Installation Wizard 3 The wizard displays the list of packages which will be installed Chapter 3 Installation 8 ...

Page 15: ...gure 3 2 Launching the Installation Wizard 4 The wizard screen asks for the final installation directory for Enterprise Security Client The default is C Program Files Red Hat ESC Installation on Windows 9 ...

Page 16: ...Figure 3 3 Installation Directory 5 The wizard screen asks for the start menu directory for Enterprise Security Client The default is Red Hat Chapter 3 Installation 10 ...

Page 17: ... the CoolKey PKCS 11 driver and Egate drivers needed for Certificate System supported keys and automatically installs the Certificate System PKCS 11 module in any Mozilla browsers it can locate The installer places the Certificate System Cryptographic Service Provider CSP on the user s system to allow users to use their smart cards with Microsoft products such as Outlook and Internet Explorer Inst...

Page 18: ...Figure 3 5 Beginning Installation Chapter 3 Installation 12 ...

Page 19: ...gure 3 6 Installation Progress 7 Once the installation has completed Enterprise Security Client will prompt for the user to insert a token and can be launched for immediate use Installation on Windows 13 ...

Page 20: ...Figure 3 7 Launching the Smart Card Manager 8 Click the Finish button to complete the installation Chapter 3 Installation 14 ...

Page 21: ... up2date utility was already used to install Enterprise Security Client there is no need for further installation the client has already been installed The following procedure is for installing from a CD ROM image 1 Copy the Enterprise Security Client installation RPMs packaged with Red Hat Certificate System 2 Install the RPMs as root in the following order Installation on Red Hat Enterprise Linu...

Page 22: ...terprise Security Client guides the user through the enrollment process The client can also be launched manually by selecting System Settings then Smart Card Manager from the system menu 3 Installation on Mac OS X To install Enterprise Security Client and its supporting components on Mac OS X do the following 1 Obtain the ESC dmg file on the Red Hat Network channel 2 Double click on ESC dmg exposi...

Page 23: ...Figure 3 9 Mac Installation Program b Select the location to install the CoolKey package Figure 3 10 Installation Location c Click the Upgrade button to begin installation Installation on Mac OS X 17 ...

Page 24: ...Figure 3 11 Launch Installation d Supply the Mac administrator password Figure 3 12 Mac Admin Password Chapter 3 Installation 18 ...

Page 25: ...ton to complete the installation Figure 3 13 Finish Installation When the process is completed the Egate token drivers the PKCS11 module and the TokenD software are installed on the local system Installation on Mac OS X 19 ...

Page 26: ...20 ...

Page 27: ...ne Home that associates information within each smart card with information which points to distinct TPS servers and Enterprise Security Client UI pages Whenever the Enterprise Security Client accesses a new smart card it connects to the TPS server and retrieves the Phone Home information Phone Home quickly retrieves and then caches this information because the information is cached locally the TP...

Page 28: ... should also supply detailed information on how the tokens should be configured when shipped If tokens are blank the company IT department can supply the information when formating small groups of tokens The following information is used by the Phone Home feature for each smart card The TPS server and port For example esc key 40900062ff020000ba87 tps url http tps example com 12443 nk_service The T...

Page 29: ...ww test url com Optional enrolled token url EnrolledTokenBrowserURL gt Services ServiceInfo Example 4 1 TPS Phone Home Configuration File Phone Home is triggered automatically when a security token is inserted into a machine The system immediately attempts to read the Phone Home URL from the token and to contact the TPS server If no Phone Home information is stored on the token the the user is pro...

Page 30: ... the Enterprise Security Client installs a Windows Cryptographic Service Provider CSP that is compatible with the Certificate System supported smart cards Microsoft Windows supports a software library designed to implement the Microsoft Cryptographic Application Programming Interface CAPI CAPI allows Windows based applications such as the Windows version of the Enterprise Security Client to be dev...

Page 31: ...ise Security Client the newly created certificates are automatically inserted into the user s CAPI store When a smart card is formatted the certificates associated with that card are removed from the CAPI store When using applications like Outlook or Internet Explorer the user may be prompted to enter the smart card s password This is required when the smart card is asked to perform protected cryp...

Page 32: ...dicating it has detected an uninitiated smart card Figure 4 2 Smart Card Enrollment with a Card This screen gives the option either to close the dialog or to proceed with enrolling the smart card If the card be removed a message appears that the smart card is no longer detected Chapter 4 Using the Enterprise Security Client 26 ...

Page 33: ...tion to enroll the smart card Click Enroll My Smart Card to continue with the enrollment process 4 Since the Enterprise Security Client now knows where the enrollment UI is located because of Phone Home the enrollment form opens for the user to enter the required information This UI can be customized Smart Card Auto Enrollment 27 ...

Page 34: ...he sample enrollment UI requires the following information for the TPS server to process the smart card enrollment operation LDAP User ID This is the LDAP directory user ID of the user enrolling the smart card this can also be a screen name or employee or customer ID number LDAP Password This is the alpha numeric password corresponding to the user ID entered this can be a simple password or a cust...

Page 35: ...card s password used to protect the card information Re Enter Password This confirms the smart card s password 7 Once the form is filled out click Enroll My Smartcard to submit the information and enroll the card 8 When the enrollment process is complete a message page opens which shows that the card was successfully enrolled and can offer custom instructions on using the newly enrolled smart card...

Page 36: ...which is formatted in standard HTML and Javascript This makes the interface page appearance easy to customize The default HTML file for the enrollment UI is located at var lib rhpki tps cgi bin home Enroll html The UI references resources such as images and Javascript files within its code These resources are located in var lib rhpki tps docroot home Chapter 4 Using the Enterprise Security Client ...

Page 37: ...er id progress id hidden true align center table width 100 class logobar tr td Use customized logo here img alt src home logo jpg td td p class headerText Smartcard Enrollment p td tr table table id BindingTable width 200px align center tr id HeaderRow tr table Insert customized descriptive text here p class bodyText You have plugged in your smartcard After answering a few easy questions you will ...

Page 38: ...ame enrollbtn value Enroll My Smartcard onClick DoEnrollCOOLKey td tr table body html Example 4 2 Customizing the Smart Card Enrollment User Interface 6 Managing Smart Cards The Manage Smart Cards page contains many of the operations that can be applied to one of the keys This page allows users to format the token set and reset the card s password and show the card information Two other operations...

Page 39: ...t of the computer Make sure the card shows up in the Active Smart Cards table 2 Select Format from the Smart Card Functions section in the Manage Smart Cards screen 3 The TPS can be configured to authenticate smart card operations using credentials such as an LDAP user ID and password If the TPS has been configured for user authentication fill in the user credentials in the authentication prompt a...

Page 40: ...ting the password on the card then opens 3 Enter a new smart card password value in the Enter new password field 4 Confirm the new smart card password value in the Re Enter password field Figure 4 7 Changing Password Dialog 5 The TPS can be configured to authenticate smart card operations using credentials such as an LDAP user ID and password If the TPS has been configured for user authentication ...

Page 41: ...ation about the certificates stored on the card is shown including the serial number certificate nickname and validity dates More detailed information about the certificate can be viewed by selecting a certificate from the list and clicking View Figure 4 8 Viewing Certificates 6 4 Enrolling Smart Cards Although most smart cards will be enrolled using the automated enrollment described in Section 4...

Page 42: ...en is lost 1 Place a supported unenrolled smart card into the USB slot of the computer Make sure the card shows up in the Active Smart Cards table at the top 2 Press the Enroll button This button is active only if the inserted card is unenrolled 3 A dialog opens which is used to set the password on the smart card Enter a new key password value in the Enter a password field Confirm the new card pas...

Page 43: ...d as enrolled 7 Diagnosing Problems The Enterprise Security Client includes basic diagnostic tools and a simple interface to log errors and common events such as inserting and removing a smart card or changing the card s password The diagnostic tools can identify and notify users about problems with the Enterprise Security Client smart cards and TPS connections To open the diagnostics page click o...

Page 44: ...s communicating with the PCSC daemon Simple events are detected such as when a card is inserted or removed a user cancels an operation an operation is successfully completed or errors are reported from the TPS The connection between the Enterprise Security Client and TPS is lost The NSS crypto library is initialized Other low level smart card events are detected Chapter 4 Using the Enterprise Secu...

Page 45: ...ng information The Enterprise Security Client version number The version information for the system upon which the client is running The number of cards detected by the Enterprise Security Client For each card detected the following information is shown Diagnosing Problems 39 ...

Page 46: ...detected card has been enrolled with certificate and card information The card s Phone Home URL This is the URL from which all Phone Home information is obtained The card issuer name such as Example Corp The TPS server URL This is retrieved through Phone Home The TPS enrollment form URL This is retrieved through Phone Home Detailed information about each certificate contained on the card Chapter 4...

Page 47: ... Library Application Support CoolKey PKCS11 1 Using the Certificates on the Token for SSL To use the certificate on the token for SSL in an application such as Mozilla Firefox 1 In Mozilla Firefox open the Tools menu choose Options and then click Advanced 2 Add a PKCS 11 driver NOTE Windows and Macs automatically attempt to load the PKCS 11 module to any Mozilla browsers they find a Click Manage S...

Page 48: ...ck Submit d Choose a suitable directory to save the certificate chain and then click OK e Click Edit Preferences and select the Advanced tab f Click the View Certificates button g Click Authorities and import the CA certificate 4 Set the certificate trust relationships a Click Edit Preferences and select the Advanced tab b Click the View Certificates button c Click Edit and set the trust for websi...

Page 49: ... tab and then click Import CA Certificate Chain c Click Download the CA certificate chain in binary form and then click Submit d Choose a suitable directory to save the certificate chain and then click OK e In Thunderbird open the Edit menu and select Account Settings f Select Security on the left and click the Manage Certificates button g Click the Authorities tab and import the CA certificate 5 ...

Page 50: ... In the Encryption of the Security panel click Select to choose the certificate to encrypt and decrypt messages Chapter 5 Using Enterprise Security Client Keys for SSL Client Authentication and S MIME 44 ...

Page 51: ...eft in the installation directory 2 Uninstalling on Red Hat Enterprise Linux 1 Unplug all USB tokens 2 Stop Enterprise Security Client 3 Log in as root and use rpm ev to remove the Enterprise Security Client RPMs in the following order rpm ev ccid 1 0 1 5 i386 rpm rpm ev pcsc lite 1 3 1 7 i386 rpm rpm ev pcsc lite libs 1 3 1 7 i386 rpm rpm ev ifd egate 0 05 15 i386 rpm rmp ev coolkey 1 0 1 4 i386 ...

Page 52: ...NOTE There is no uninstallation program for the Mac Chapter 6 Uninstalling Enterprise Security Client 46 ...

Page 53: ...orted platforms A default configuration file is located in the following directories on each platform Windows C Program Files Red Hat ESC defaults preferences esc prefs js Red Hat Enterprise Linux usr lib esc 1 0 0 esc defaults preferences esc prefs js Mac Desktop ESC app defaults preferences esc prefs js This default configuration Javascript file contains the default Enterprise Security Client co...

Page 54: ...entry below sets how many seconds Enterprise Security Client should wait while TPS is processing a message pref esc tps message timeout 90 The entry can be set allow Enterprise Security Client to write newly created certificates to the local CAPI store after an enrollment operation Also when a format is done those same certs will be removed from the local CAPI store pref esc windows do capi yes Ex...

Page 55: ...he certificates and keys on the token can easily be viewed 3 Enterprise Security Client XUL and Javascript Functionality Enterprise Security Client stores the XUL markup and Javascript functionality in the ESC_INSTALL_PATH chrome content esc directory where ESC_INSTALL_PATH is the Enterprise Security Client installation directory The following are the primary Enterprise Security Client XUL files s...

Page 56: ...rivilegeManager enablePrivilege UniversalXPConnect netkey Components classes redhat com rhCoolKey getService netkey netkey QueryInterface Components interfaces rhICoolKey gNotify new jsNotify netkey rhCoolKeySetNotifyCallback gNotify catch e alert Can t get UniversalXPConnect e Sample function to complete Enrollment of a key function EnrollCoolKey keyType keyID enrollmentType screenname pin screen...

Page 57: ...ences defaults The executable which launches Enterprise Security Client in XULRunner esc exe Privately deployed XULRunner bundle xulrunner 4 2 Red Hat Enterprise Linux On Linux Enterprise Security Client is installed by its binary RPM to the default location usr lib esc 1 0 0 esc Enterprise Security Client XULRunner application configuration file application ini Enterprise Security Client XPCOM co...

Page 58: ...plication ini Enterprise Security Client XPCOM components components Directory for Chrome components and additional application files for Enterprise Security Client XUL and Javascript chrome Enterprise Security Client default preferences defaults The script which launches Enterprise Security Client xulrunner Appendix A Enterprise Security Client Configuration 52 ...

Page 59: ...Index 53 ...

Page 60: ...54 ...