5.2.5 Smart card settings

Smart cards store digital certificates that can be used to validate (authenticate) a user’s identity to the network. Digital certificates are used in X.509 systems, and are part of an organization’s public key infrastructure (PKI). Smart card support is available only on Windows platforms.

From a user’s smart card, only one certificate is used to authenticate to Management and Security Server. By default, smart card support is available for sessions using PKCS #11 (Public-Key Cryptography Standard) smart card readers, such as ActivCard.

The default setting

Management and Security Server’s default smart card parameter specifies the provider, sunpkcs11, and the associated certificate attributes.

If you use a different provider, enter the smart card provider along with certificate attributes to identify valid certificates on the user's smart card. For details and examples, see About smart card parameters.

Smart card libraries

Smart card libraries are required when using sunpkcs11 to access smart cards. (MSCAPI uses DLLs that ship with Windows, and the provider DLLs do not need to be specified in this field.)

SunPKCS11 requires one or more libraries, such as ActivClient. Management and Security Server provides library examples; in place of the acpkcs and acpkcs201.dll shown there, you could use acpkcs211 and acpkcs211.dll. Separate the library names with commas.

Note: When using ActivClient7 with Management and Security Server, you must include the full Windows short (MS-DOS) path to the dll. For example, the short path on a Windows x64 system would be C:\PROGRA~2\ActivIdentity\ActivClient\acpkcs211.dll

Paths on a Windows machine can use either the forward slash (/) or the backslash (\) as the path separator.

About smart card parameters

Smart card parameters can be used as filters to identify valid certificates on a user's smart card.

The smart card setting in Management and Security Server includes the smart card provider and certificate attributes as a filter to select a valid identity certificate.

Smart Card Provider

The first part of the parameter identifies the software provider that Management and Security Server should use to access the smart card certificate reader on the client machine.

In the default parameter, sunpkcs11 (Public-Key Cryptography Standard) is the intended software provider. Another valid provider is MSCAPI (Microsoft CryptoAPI, native to Windows).

If you use a smart card provider other than sunpkcs11, enter the provider followed by the desired certificate attributes. A colon (:) is required to separate the provider from the filter when multiple masks are used (See Certificate Attributes).

Certificate Attributes

The next part of the default parameter is made up of two filters, separated by a semi-colon (;). Each filter consists of Object-ID (OID) masks that specify certificate attributes. The masks specify which certificate attributes (encoded tokens) MUST (+) or MUST NOT (-) be on the certificate before it can be used for login or client authentication.

The default parameter specifies these attributes:

  • KU+DIGSIG,KU-NONREP,EKU+CLIAUTH,EKU+SCLOGIN,EKU-EMLPROT;
  • KU+DIGSIG,KU+NONREP,EKU-NONE.

For the first filter to match, each of the following attributes must evaluate to TRUE. When all attributes are TRUE, the certificate is valid and can be used for authentication.

  • KU+DIGSIG: Key Usage of Digital Signature OID MUST be present in the certificate.

  • KU-NONREP: Key Usage of Nonrepudiation OID MUST NOT be present in the certificate.

  • EKU+CLIAUTH: Extended Key Usage of Client Authentication OID MUST be present in the certificate.

  • EKU+SCLOGIN: Extended Key Usage of Smart Card Login OID MUST be present in the certificate.

  • EKU-EMLPROT: Extended Key Usage of Email Protection (called Secure Email) OID MUST NOT be present in the certificate.

If any attribute in the first filter is FALSE, the second filter is used. The second filter in the default parameter uses this logic for each attribute to be TRUE:

  • KU+DIGSIG: Key Usage of Digital Signature OID MUST be present in the certificate.

  • KU+NONREP: Key Usage of Nonrepudiation OID MUST be present in the certificate.

  • EKU-NONE: Extended Key Usage MUST NOT be present in the certificate.
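The filter evaluation described above, as an added Python illustration that is not the product's own code. The "provider:filter;filter" parameter shape, the standard OIDs assumed behind the token names, the "first filter that matches wins" order across several card certificates, and the sample certificates are all assumptions or constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Standard OIDs assumed to stand behind the EKU token names in the masks.
EKU_OIDS = {
    "CLIAUTH": "1.3.6.1.5.5.7.3.2",       # id-kp-clientAuth
    "EMLPROT": "1.3.6.1.5.5.7.3.4",       # id-kp-emailProtection (Secure Email)
    "SCLOGIN": "1.3.6.1.4.1.311.20.2.2",  # Microsoft Smart Card Logon
}
# KeyUsage bit names behind the KU token names.
KU_BITS = {"DIGSIG": "digitalSignature", "NONREP": "nonRepudiation"}

DEFAULT_PARAMETER = ("sunpkcs11:KU+DIGSIG,KU-NONREP,EKU+CLIAUTH,EKU+SCLOGIN,"
                     "EKU-EMLPROT;KU+DIGSIG,KU+NONREP,EKU-NONE")

@dataclass
class CertInfo:
    label: str
    key_usage: set                  # asserted KeyUsage bits
    ext_key_usage: Optional[set]    # EKU OIDs, or None if the extension is absent

def parse_parameter(param):
    """Split 'provider:filter;filter' into (provider, list of mask lists).
    Assumption: without a 'provider:' prefix the default sunpkcs11 applies."""
    provider, sep, filters = param.partition(":")
    if not sep:
        provider, filters = "sunpkcs11", param
    return provider, [f.split(",") for f in filters.split(";") if f]

def mask_is_true(mask, cert):
    """'+' means the attribute MUST be present, '-' that it MUST NOT be."""
    kind, sign, token = re.fullmatch(r"(KU|EKU)([+-])(\w+)", mask).groups()
    if kind == "KU":
        present = KU_BITS[token] in cert.key_usage
    elif token == "NONE":           # refers to the EKU extension as a whole
        present = cert.ext_key_usage is not None
    else:
        present = bool(cert.ext_key_usage) and EKU_OIDS[token] in cert.ext_key_usage
    return present if sign == "+" else not present

def matching_filter(param, cert):
    """Index of the first filter whose masks are all TRUE, or None."""
    _, filters = parse_parameter(param)
    for i, masks in enumerate(filters):
        if all(mask_is_true(m, cert) for m in masks):
            return i
    return None

def select_certificate(param, certs):
    """First card certificate (in card order) accepted by any filter."""
    return next((c for c in certs if matching_filter(param, c) is not None), None)

# Constructed sample certificates standing in for what a card reader returns.
AUTH_CERT = CertInfo("auth", {"digitalSignature", "keyEncipherment"},
                     {EKU_OIDS["CLIAUTH"], EKU_OIDS["SCLOGIN"]})
EMAIL_CERT = CertInfo("email", {"digitalSignature", "nonRepudiation"},
                      {EKU_OIDS["EMLPROT"]})
SIGN_CERT = CertInfo("sign", {"digitalSignature", "nonRepudiation"}, None)
```

The email certificate is rejected by both filters (nonRepudiation fails the first, the present EKU extension fails the second), which is the behaviour the default parameter is designed to produce.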

Related topics