Introduction
This article will describe how you can configure vSEC:CMS to support the lifecycle management of Thales (Safenet) eToken 5100 and 5110 credentials. The article will cover the following:
- Set up a template that will allow you to create and issue a Windows logon certificate to an eToken credential from the vSEC:CMS console application;
- Issue a Windows logon certificate to the credential;
- Log onto a Windows client using the issued credential.
The PKI used here will be a Microsoft Certificate Authority (CA). If another CA is to be used please refer to the Administration guide for details on configuring a connection to such a CA.
At minimum, you must already have completed the configuration steps described in the article Setup Evaluation Version of vSEC:CMS. The instructions in this document are applicable regardless of whether you are running the evaluation version or a production version.
SAC, including its PKCS#11 library, must be installed on any host from which you will manage an eToken.
The eToken minidriver must be installed on any host from which you will manage these tokens. It is recommended to use version 9.0.54 (or later) of the eToken minidriver. To check the version number, go to C:\Windows\System32, right-click the file eTokenMD.dll, and look under Properties – Details.
It is required that you are running version 5.7.1 or later of the vSEC:CMS.
Configure Smart Card Access
Typically the smart card access is already set to the correct type but for completeness we will cover this in the article.
From Options - Smart Card Access attach an eToken credential that you will manage with the vSEC:CMS. vSEC:CMS will filter the card type and present the entry in the table.
If the Login admin for key generation above is set to YES then it will be necessary to delete the entry and add a new one. Follow the instructions in the article Add Credential Configuration for details on adding a new template for this.
Click the Edit button and for Smart Card Access make sure that Use native access if possible is selected and click Save to save and close.
If the table is empty when you attach the credential to filter for the card type then you should follow the instructions in the article Add Credential Configuration for details on how to add the correct template for the card type that you use.
Configure PIN Tries Counter Value
From version 6.3 it is possible to configure and set a specific value for the PIN tries counter that can then be set on the eToken credential during issuance. To do this you will need to set a registry key value on the server where vSEC:CMS is installed.
The registry setting is global, which means that once it is set the PIN tries counter value will be set on every eToken credential issued and managed by vSEC:CMS.
You need to set a DWORD named cardinit.pintries.etoken in the location below for the 32-bit version of vSEC:CMS:
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Versatile Security\vSEC_CMS_T\Service]
And in this location for the 64-bit version:
[HKEY_LOCAL_MACHINE\SOFTWARE\Versatile Security\vSEC_CMS_T\Service]
Set the DWORD to the value you want for the PIN tries counter.
Once set you can verify that the value has been set by navigating to Options - Smart Cards and attach an eToken credential to filter for the card type.
Select the entry and you should see a setting like the highlighted one below.
If the value above is not set then you will need to delete the template and add it back in. Again filter for the card type from Options - Smart Cards and delete the record. Then click Add - Add - Get - Ok to add the template back in. Close the vSEC:CMS Admin console, re-open it and navigate to Options - Smart Cards to validate that the entry now exists.
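The registry change described in this section can be scripted. The following PowerShell is an added example, not part of the vendor's documentation, that writes the DWORD and reads it back; the parameter names CmsBitness and PinTries are assumptions, and it must be run elevated on the vSEC:CMS server.

```powershell
# Added example (not vendor code): set the global eToken PIN tries counter
# for vSEC:CMS 6.3 or later and verify the result.
param(
    # Hypothetical parameter: which vSEC:CMS build is installed on this server.
    [Parameter(Mandatory)][ValidateSet('32', '64')][string]$CmsBitness,
    # Hypothetical parameter: the PIN tries counter to apply to every issued eToken.
    [Parameter(Mandatory)][int]$PinTries
)
$ErrorActionPreference = 'Stop'

# Key locations exactly as given in this article, in PowerShell drive notation.
$serviceKey = @{
    '32' = 'HKLM:\SOFTWARE\WOW6432Node\Versatile Security\vSEC_CMS_T\Service'
    '64' = 'HKLM:\SOFTWARE\Versatile Security\vSEC_CMS_T\Service'
}[$CmsBitness]
$name = 'cardinit.pintries.etoken'

if ($PinTries -lt 1) { throw 'The PIN tries counter must be a positive integer.' }
if (-not (Test-Path -LiteralPath $serviceKey)) {
    throw "Key not found: $serviceKey. Check the vSEC:CMS bitness and installation."
}

# Record the previous value (null if absent) so the change can be audited or reverted.
$before = (Get-Item -LiteralPath $serviceKey).GetValue($name)

# -Force overwrites an existing value; DWord is the type the article requires.
New-ItemProperty -LiteralPath $serviceKey -Name $name -PropertyType DWord `
    -Value $PinTries -Force | Out-Null

# Read back and confirm both the data and the registry value type.
$key   = Get-Item -LiteralPath $serviceKey
$after = $key.GetValue($name)
$kind  = $key.GetValueKind($name)
if ($after -ne $PinTries -or $kind -ne 'DWord') {
    throw "Read-back mismatch: got $after of type $kind."
}

[pscustomobject]@{
    Key = $serviceKey; Name = $name; Previous = $before; Current = $after; Kind = $kind
}
```

Because the setting is global, keep the emitted Previous/Current record with your change log; the check in Options - Smart Cards described above is still needed to confirm that the template picked the value up.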
Configure PIN Policy Template
From Templates – PIN Policies click the Add button.
Enter a template name and from the Card type drop-down list select Safenet cards (Safenet eToken Card). Enable the Smart card managed PIN policies checkbox and leave all other settings as is for this example configuration. Click Save to save and close.
Credential Configuration
1. From Templates – Card Templates click the Add button.
Click the Edit link beside General. Enter a template name, attach an eToken credential that is to be managed by this template, click the Detect button, wait for vSEC:CMS to detect that it is an eToken credential, and click Ok.
Leave all other settings as default and click Ok to close and save.
2. Click the Edit link beside Issue Card. In the User ID Options section enable Assign user ID and select the AD connection in the drop-down list.
In the Primary Card PIN Options section enable Apply PIN Policy and from the drop-down list select the template created earlier.
In the Enroll Certificate Options section enable the Enroll certificate(s) checkbox and click the Add button. Select the Windows logon certificate template created earlier and click Ok. Leave all other settings as is and scroll down to the bottom of the dialog and click Ok to save and close.
3. From version 6.0 it is possible to customize the name of the eToken if required. In the General Card Properties section click the Token Name button. Turn on Enable encoding and in the Token name to encode field enter a name, or use a variable to encode the name you wish to be encoded. For example, if you want to encode the user's Windows sAMAccountName as the eToken name and you have a variable that maps to the AD attribute, you can copy the variable from the drop-down box and paste it into the Token name to encode field.
4. Click Ok to save and close the template.
Issue Credential
From the Lifecycle page attach a blank eToken credential to your host.
Click the Issued oval, select the template from the Select card template drop-down list and click Execute.
You will be prompted to enter your Operator passcode before the issuance will begin. Then you will be prompted to select the user from AD that the credential will be issued to. Select the user and at the end of the process you will get a short summary dialog of what operations were performed.
The credential will now show as Issued. The credential PIN by default will be blocked. You will need to set a PIN before you can use the credential. Click the Active oval followed by the Execute button. You will be prompted to authenticate again and then set a PIN that meets the policy supported on the credential. Once you complete this then the credential can be used to log onto your domain environment.
Miscellaneous
Some versions of Thales eToken (please check with your provider to determine if you have such tokens) can be configured in FIPS or non-FIPS mode. If you wish to switch between these modes then it is possible to configure vSEC:CMS to set these modes during token registration.
This feature is available from version 6.6.2 upwards.
To configure this you need to set a DWORD registry value named cardinit.etoken.fipsmode in this location [HKLM\Software\Versatile Security\vSEC_CMS_T\Service] on the server where vSEC:CMS is installed.
Here are the values that you can set:
- HEX:0x00000000; DEC:0 - Preserve the current token FIPS mode
- HEX:0x00010000; DEC:1 - Initialized (FIPS ON)
- HEX:0x00020000; DEC:2 - Compatible (FIPS OFF)
Once you set the above registry value, vSEC:CMS will consume it and the value will disappear, i.e., the configuration is consumed in real time. If you subsequently want to change this, create the DWORD entry with a different name, for example cardinit.etoken.fipsmode--, set the value you want, and then rename the DWORD entry to the correct name, i.e. cardinit.etoken.fipsmode. This is required because vSEC:CMS consumes the entry in real time, so you will encounter an error if you don’t change the name when setting a new value.
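The create-under-another-name-then-rename procedure above can be scripted as follows. This PowerShell is an added example, not part of the vendor's documentation; the parameter names and the 30-second wait are assumptions, and the value passed in must be one of those listed above.

```powershell
# Added example (not vendor code): stage the FIPS mode DWORD under a temporary
# name, rename it, then confirm vSEC:CMS (6.6.2 or later) consumed it.
param(
    # Hypothetical parameter: one of the values listed in this article.
    [Parameter(Mandatory)][int]$FipsModeValue,
    # Key location as given in this article, in PowerShell drive notation.
    [string]$ServiceKey = 'HKLM:\SOFTWARE\Versatile Security\vSEC_CMS_T\Service',
    # Assumption: the article says "real time" but gives no figure.
    [int]$TimeoutSeconds = 30
)
$ErrorActionPreference = 'Stop'
$final  = 'cardinit.etoken.fipsmode'
$staged = 'cardinit.etoken.fipsmode--'   # temporary name suggested in the article

if (-not (Test-Path -LiteralPath $ServiceKey)) { throw "Key not found: $ServiceKey" }
if ($null -ne (Get-Item -LiteralPath $ServiceKey).GetValue($final)) {
    throw "$final is present and has not been consumed; check vSEC:CMS before staging a new value."
}

# 1. Write the data under the temporary name, so the entry cannot be consumed
#    before its value has been set.
New-ItemProperty -LiteralPath $ServiceKey -Name $staged -PropertyType DWord `
    -Value $FipsModeValue -Force | Out-Null

# 2. Confirm the staged data before exposing it under the real name.
if ((Get-Item -LiteralPath $ServiceKey).GetValue($staged) -ne $FipsModeValue) {
    Remove-ItemProperty -LiteralPath $ServiceKey -Name $staged
    throw 'Staged value did not read back correctly; nothing was applied.'
}

# 3. Rename to the name that vSEC:CMS consumes.
Rename-ItemProperty -LiteralPath $ServiceKey -Name $staged -NewName $final

# 4. The article states the value disappears once consumed; wait for that.
$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
while ((Get-Date) -lt $deadline) {
    if ($null -eq (Get-Item -LiteralPath $ServiceKey).GetValue($final)) {
        return "Consumed: $final is no longer present under $ServiceKey."
    }
    Start-Sleep -Milliseconds 500
}
Write-Warning "$final is still present after $TimeoutSeconds s; vSEC:CMS has not consumed it."
```

A value that is never consumed means the setting was not picked up, so treat the warning as a failed change rather than a pending one.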