Classic Client 5.1 Administration Guide · viii Introduction an understanding of the basic operations in Windows. administrative privileges for the computer on which Classic Client

Classic Client 5.1Administration Guide

All information herein is either public information or is the property of and owned solely by Gemalto NV. and/or its subsidiaries who shall have and keep the sole right to file patent applications or any other kind of intellectual property protection in connection with such information.

Nothing herein shall be construed as implying or granting to you any rights, by license, grant or otherwise, under any intellectual and/or industrial property rights of or concerning any of Gemalto’s information.

This document can be used for informational, non-commercial, internal and personal use only provided that:

• The copyright notice below, the confidentiality and proprietary legend and this full warning notice appear in all copies.

• This document shall not be posted on any network computer or broadcast in any media and no modification of any part of this document shall be made.

Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities.

The information contained in this document is provided “AS IS” without any warranty of any kind. Unless otherwise expressly agreed in writing, Gemalto makes no warranty as to the value or accuracy of information contained herein.

The document could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Furthermore, Gemalto reserves the right to make any change or improvement in the specifications data, information, and the like described herein, at any time.

Gemalto hereby disclaims all warranties and conditions with regard to the information contained herein, including all implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Gemalto be liable, whether in contract, tort or otherwise, for any indirect, special or consequential damages or any damages whatsoever including but not limited to damages resulting from loss of use, data, profits, revenues, or customers, arising out of or in connection with the use or performance of information contained in this document.Gemalto does not and shall not warrant that this product will be resistant to all possible attacks and shall not incur, and disclaims, any liability in this respect. Even if each product is compliant with current security standards in force on the date of their design, security mechanisms' resistance necessarily evolves according to the state of the art in security and notably under the emergence of new attacks. Under no circumstances, shall Gemalto be held liable for any third party actions and in particular in case of any successful attack against systems or equipment incorporating Gemalto products. Gemalto disclaims any liability with respect to security for direct, indirect, incidental or consequential damages that result from any use of its products. It is further stressed that independent testing and verification by the person using the product is particularly encouraged, especially in any application in which defective, incorrect or insecure functioning could result in damage to persons or property, denial of service or loss of privacy.© Copyright 2007–2008 Gemalto N.V. All rights reserved. Gemalto and the Gemalto logo are trademarks and service marks of Gemalto N.V. and/or its subsidiaries and are registered in certain countries. All other trademarks and service marks, whether registered or not in specific countries, are the property of their respective owners.

GEMALTO, B.P. 100, 13881 GEMENOS CEDEX, FRANCE.

Tel: +33 (0)4.42.36.50.00 Fax: +33 (0)4.42.36.50.90

Printed in France. Document Reference: DOC116108C

May 6, 2008

www.gemalto.com

http//www.gemalto.com

Contents

Introduction vii

Classic Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .viiWho Should Read This Book . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .viiDocumentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viiiConventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii

Typographical Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ixAdditional Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ixContact Our Hotline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix

Chapter 1 Installation 1

System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1Computer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1Operating Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2Peripherals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Installing Classic Client 5.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4Removing Previous Versions of Classic Client 5.1 . . . . . . . . . . . . . . . . . . . . . . . . 4Installing the Classic Client 5.1 Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5Connecting the Smart Card Reader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8Installing Gemalto Cryptographic Security Modules . . . . . . . . . . . . . . . . . . . . . . . 8

Uninstalling Classic Client 5.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11End User Package Creation and Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Chapter 2 The Classic Client Toolbox 13

About PINs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13The Classic Client Toolbox Graphical User Interface . . . . . . . . . . . . . . . . . . . . . . . . 14Card Contents Folder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Certificates Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17Card Properties Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Card Administration Folder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22PIN Management Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Software Administration Folder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23Configuration Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23PIN Policy Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24User Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Diagnostic/Help Folder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26Diagnostic Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Chapter 3 The Registration Tool 33

Contextual Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Launch Toolbox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Start/Pause . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Stop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34About . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Restarting the Registration Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

iv Contents

Registration Tool Management of Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35Forced Change PIN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Chapter 4 Administration Tasks 37

User Setups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38How to Create a Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38How to Create a PIN Policy File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40How to Select the Modules for a User Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . 41How to Deploy a User Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

PIN Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47How to Change an Administration PIN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47How to Change a User PIN or IdenTrust PIN . . . . . . . . . . . . . . . . . . . . . . . . . . . 48How to Check The PIN Ratification Counter . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49How to Unblock a User PIN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50How to Remotely Unblock a Connected Smart Card/Token . . . . . . . . . . . . . . . . 51

Managing Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53How to Get a Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53How to Import a Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54How to Export a Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60How to Set Certificates as Default . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62How to Register Certificates to the IE Store Manually . . . . . . . . . . . . . . . . . . . . 62How to Display Certificate Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64How to Erase Certificates (PKCS#11 Objects) . . . . . . . . . . . . . . . . . . . . . . . . . . 64

How to Use a PIN Pad Reader with Classic Client . . . . . . . . . . . . . . . . . . . . . . . . . . 66How to Log in with a PIN Using a PIN pad and the Toolbox . . . . . . . . . . . . . . . . 66How to Change and Unblock PINs with a PIN Pad and the Toolbox . . . . . . . . . 67PIN Presentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67Registration Tool Behavior with the PIN Pad Reader . . . . . . . . . . . . . . . . . . . . . 67

Appendix A Security Basics 69

Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69Secret Key Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70Public Key Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

What is Classic Client? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

Appendix B Troubleshooting 77

Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Appendix C End User License Agreement 83

Terminology 97

Abbreviations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

Contents v

List of FiguresFigure 1 - Add/Remove Programs Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5Figure 2 - Choose Setup Language Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6Figure 3 - InstallShield Wizard Welcome Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . 6Figure 4 - InstallShield Wizard Destination Folder Window . . . . . . . . . . . . . . . . . . . . . 7Figure 5 - InstallShield Wizard Completed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8Figure 6 - The Options Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9Figure 7 - Device Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9Figure 8 - The Device Manager Dialog and the Load PKCS#11 Device . . . . . . . . . . 10Figure 9 - Cryptographic Modules Available . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11Figure 10 - Add/Remove Programs Window (Classic Client 5.1) . . . . . . . . . . . . . . . 12Figure 11 - Classic Client Toolbox Graphical User Interface . . . . . . . . . . . . . . . . . . . 15Figure 12 - Certificates Tool Window (Not logged in) . . . . . . . . . . . . . . . . . . . . . . . . 17Figure 13 - Certificates Tool Window (Logged in) . . . . . . . . . . . . . . . . . . . . . . . . . . . 18Figure 14 - Card Properties Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19Figure 15 - Card Properties Window (Not logged in) . . . . . . . . . . . . . . . . . . . . . . . . . 20Figure 16 - Card Properties Window (Logged in) . . . . . . . . . . . . . . . . . . . . . . . . . . . 21Figure 17 - Card Properties Window (Showing Key Containers and Attributes) . . . . 21Figure 18 - PIN Management Tool Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22Figure 19 - Configuration Tool Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24Figure 20 - PIN Policy Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25Figure 21 - User Setup First Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26Figure 22 - Diagnostic Tool Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26Figure 23 - SmartDiag Welcome Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28Figure 24 - SmartDiag Passed Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29Figure 25 - SmartDiag Advanced Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29Figure 26 - SmartDiag Failed Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30Figure 27 - SmartDiag Getting Technical Assistance Window . . . . . . . . . . . . . . . . . 31Figure 28 - Documentation Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31Figure 29 - Registration Tool Icon in the System Tray . . . . . . . . . . . . . . . . . . . . . . . 34Figure 30 - Registration Tool Right-Click Action Options . . . . . . . . . . . . . . . . . . . . . 34Figure 31 - Classic Client Toolbox Active . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Figure 32 - “About” the Reg Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35Figure 33 - Registration Tool: Install Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35Figure 34 - The Reg Tool Change PIN Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36Figure 35 - Configuration Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38Figure 36 - PIN Policy Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40Figure 37 - User Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42Figure 38 - User Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44Figure 39 - Create Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44Figure 40 - User Setup Creation Complete Confirmation . . . . . . . . . . . . . . . . . . . . . 45Figure 41 - Change PIN Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47Figure 42 - Change PIN Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48Figure 43 - Card Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49Figure 44 - PIN Management Tool: Unblock PIN . . . . . . . . . . . . . . . . . . . . . . . . . . . 50Figure 45 - PIN Management-Remote Unblock PIN . . . . . . . . . . . . . . . . . . . . . . . . . 52Figure 46 - PIN Management-Remote Unblock PIN (2) . . . . . . . . . . . . . . . . . . . . . . 52Figure 47 - Certificates Tool Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55Figure 48 - Choice of Methods to Import a Certificate . . . . . . . . . . . . . . . . . . . . . . . . 55Figure 49 - Certificates Tool Window: Open Window . . . . . . . . . . . . . . . . . . . . . . . . 56Figure 50 - Certificates Tool Window: Import Certificate File (1) . . . . . . . . . . . . . . . . 57Figure 51 - Certificates Tool Window: Import Certificate File (2) . . . . . . . . . . . . . . . . 57Figure 52 - Certificates Tool Window: Import Certificate - Selecting the store . . . . . 58Figure 53 - Certificates Tool Window: Import Certificate List . . . . . . . . . . . . . . . . . . 59Figure 54 - Certificates Tool Window: Export Button Activated. . . . . . . . . . . . . . . . . 60

vi Contents

Figure 55 - Choice of Methods to Export a Certificate . . . . . . . . . . . . . . . . . . . . . . . . 61Figure 56 - Security Warning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62Figure 57 - Certificates Tool Window (All Objects Selected) . . . . . . . . . . . . . . . . . . . 63Figure 58 - Certificate Successfully Registered . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63Figure 59 - Window Certificate Information Viewer . . . . . . . . . . . . . . . . . . . . . . . . . . 64Figure 60 - Logging in Using a PIN Pad . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66Figure 61 - Secure PIN Entry Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66Figure 62 - Logged in Using a PIN PAD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67Figure 63 - Force User to Change PIN Error . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

List of TablesTable 1 - Operating Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2Table 2 - Supported Smart Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4Table 3 - Diagnostic Tool Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27Table 4 - Registration Tool Status Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33Table 5 -Toolbox Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43Table 6 -Operating Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Introduction

Welcome to Gemalto Classic Client.

You have made a wise investment by purchasing Classic Client as a safeguard for secure network services.

This chapter presents an overview of Classic Client, the documentation provided with it, and additional resources available for working with Classic Client.

This document specifically helps an administrator of Classic Client to install the software and set up the administrator environment. As the administrator, administrative duties will include managing the smart cards/tokens issued to end–users, creating user versions of the software, and deploying installations of the software to end users. All of the tasks associated with these duties are available in the administrative installation of Classic Client.

Classic ClientClassic Client is for individual users, who want to use a smart card/token to protect information and transactions made via computers, including stand-alone workstations and Citrix client-server environments.

With Classic Client you can use a digital certificate stored on a smart card/token to:

■ Securely log on and off a Windows 2000, XP or Vista workstation; or Windows Server 2000/2003.

■ Lock and unlock a Windows 2000, XP or Vista workstation, or Windows Server 2000/2003.

■ Sign Microsoft Office 2003, or XP macros and Adobe Acrobat documents.

■ Open and verify signed documents.

■ Send and receive secure e-mail using Microsoft or Mozilla e-mail software.

■ Connect securely with a Web server.

Classic Client also includes features for managing certificates and smart card/token security.

This guide introduces you to Classic Client and provides easy-to-follow instructions. Read the entire guide for assistance in the installation, configuration, and use of Classic Client.

Classic Client includes two user profiles, the administrator and the user.

Who Should Read This BookThis guide is intended for Classic Client administrators who are familiar with smart cards/tokens and smart card reader technology, as well as PC hardware and software, the Internet and the World Wide Web.

It is assumed that the administrator of Classic Client has:

Note: A token is in fact a smart card embedded in a device that can be plugged into the USB port of a PC. In this document, “connecting a device” can mean inserting a card in a reader or plugging a token in the USB port of a PC.

viii Introduction

■ an understanding of the basic operations in Windows.

■ administrative privileges for the computer on which Classic Client will be installed.

■ an understanding that the procedures in this manual refer to the Administrator and User as two separate people, but they may be the same person using a stand-alone workstation.

This guide gives the administrator simple easy-to-follow instructions for installing, configuring, and using Classic Client.

DocumentationClassic Client documentation includes:

■ Classic Client User Guide

■ Classic Client Administration Guide

■ Readme.txt. A separate file is included with each Classic Client software release version and contains the complete version history.

Classic Client 5.1 documentation is available as .pdf document files. The Classic_Client_Administration_Guide.pdf is located on the Classic Client 5.1 CD and in the Classic Client installation folder or through the Documentation plug in the Classic Client Toolbox GUI.

The Classic_Client_User_Guide.pdf is selected by the administrator to be included in each particular user setup.

These files can be printed out or read on screen using the Adobe Acrobat Reader.

To obtain the Adobe Acrobat Reader, you can download it from Adobe’s Web site at: www.adobe.com.

These files are best viewed with the Acrobat Reader, version 7.0 or later.

ConventionsThe following conventions are used in this document:

Numeric valuesBy default, numeric values are expressed in decimal notation.

■ Binary numbers are followed by the ‘b’ character. For example, the decimal value 13 is expressed in binary as 1101b.

■ Hexadecimal numbers are followed by the ‘h’ character. For example, the decimal value 13 is expressed in hexadecimal as 0Dh.

RFU valuesThe value 00h is assigned to each RFU (Reserved for Future Use) byte.

Bit NumberingA byte consists of 8 bits, b8 to b1, where b8 is the most significant bit and b1 the least significant bit, as shown below:

One byte b8 b7 b6 b5 b4 b3 b2 b1

http://www.adobe.com/products/acrobat/readstep2.html

Introduction ix

Byte numberingA string of n bytes consists of n number of concatenated bytes: BnBn-1 ...B2B1.Bn is the most significant byte and B1 is the least significant byte:

Typographical ConventionsClassic Client documentation uses the following typographical conventions to assist the reader of this document.

Additional ResourcesFor further information or more detailed use of Classic Client, additional resources and documentation are available by contacting Gemalto technical support.

Contact Our HotlineIf you do not find the information you need in this manual, or if you find errors, contact the Gemalto hotline at http://support.gemalto.com/.

Please note the document reference number, your job function, and the name of your company. (You will find the document reference number at the bottom of the legal notice on the inside front cover.)

String on n bytes Bn Bn-1 ... B4 B3 B2 B1

Convention Example Description

Courier transaction Code examples.

Bold Enter myscript.dll Actual user input or screen output.

> Select File > Open Indicates a menu selection. In this example you are instructed to select the “Open” option from the “File” menu.

Note: Example screen shots of the Classic Client software are provided throughout this document to illustrate the various procedures and descriptions. These screen shots were produced with Classic Client running on Windows 2000, XP or Vista.

x Introduction

1
Installation
This chapter discusses information related to the installation of Classic Client 5.1 and the information necessary for administrators to create installation and user profiles for other users.

The installation requirements are outlined below.

This chapter describes:

■ The hardware and software you need to use Classic Client 5.1.

■ How to install Classic Client 5.1 on the administrator’s computer.

■ How, as the administrator, to generate profiles and installations for other users.

System RequirementsThe following sections describe the hardware, operating systems, peripherals and software you need to use Classic Client 5.1.

These requirements are also necessary for the end user computers on which Classic Client 5.1 will be installed via the user installation packages created by the administrator.

For any computer on which Classic Client 5.1 will be installed, the user installing the software must have administrator rights to that computer.

ComputerThe workstation must have at least 50 MB of available hard disk space (100 MB for the Administrator version) and meet the normal system requirements to run one of the versions of Windows in Table 1, “Operating Systems”, on page 2.

Operating SystemsClassic Client 5.1 comes in two versions, one for 64–bit operating systems and one for 32–bit operating systems (OS). Install the version according to your OS. “Table 1” on page 2 summarizes the OS that Classic Client supports for the two versions.

2 Installation

Gemalto recommends that your machine has a RAM at least equal to that normally recommended for the OS. If this RAM requirement is met, Classic Client should run normally.

ApplicationsClassic Client 5.1 is compliant with:

BrowsersTo view secure Web sites and send secure e-mail from your computer with Classic Client 5.1, you can use any of the following Web browsers:

■ Microsoft Internet Explorer (IE) V6.0 and 7.0, which also support SSL and secure e-mail.

You can download the latest version, free of charge, from the Microsoft Internet Explore Download page.

■ Mozilla Firefox version 2.0.

You can download the latest version, free of charge, from www.mozilla.org.

E-mail ClientsClassic Client 5.1. supports Office 2000 and Office 2003 (up to SP 1) and Mozilla Thunderbird version 1.5.

Note: You can download the latest version of Thunderbird, free of charge, from www.mozilla.org.

To use the secure e-mail program included in your Web browser, you need one of the following types of Internet e-mail accounts:

■ Post Office Protocol (POP3) account.

■ Internet Message Access Protocol (IMAP) compatible account.

To find out what kind of account you have, do one of the following:

■ Check the properties of your e-mail account using your e-mail program; its documentation should include instructions on how to do this.

■ Ask your e-mail service provider.

Table 1 - Operating Systems

Operating System Bits

Windows 2000 Professional (with SP4) 32

Windows XP Home (up to SP2) 32

Windows XP Professional (up to SP2) 32 and 64

Windows Server 2000 32

Windows Server 2003 32 and 64

Windows Vista 32 and 64

Note: The Service Packs associated with various versions are also supported.

Note: You do not need an e-mail account to securely browse the Web with Classic Client 5.1.

http://www.microsoft.com/windows/ie/downloads/default.mspx

http://www.microsoft.com/windows/ie/downloads/default.mspx

http://www.mozilla.org



Installation 3

Adobe AcrobatClassic Client 5.1 supports Adobe Acrobat readers 7.0 and 8.0, which can be downloaded from the following site:

http://www.adobe.com/

Other ApplicationsClassic Client 5.1 should work with any CSP or PKCS#11 based application. Gemalto has tested the following applications that work successfully with Classic Client:

■ Citrix Metaframe Presentation Server

■ Microsoft Terminal Services Windows 2003; Remote Desktop Connection; Fast User Switching.

■ Checkpoint VPN-1 Secure Client

PeripheralsClassic Client 5.1 requires the following peripherals:

■ A CD ROM drive.

■ An available USB or PCMCIA port (not mandatory for the Administrator version and not needed if your PC has a reader embedded).

Smart Card ReadersOne of the following plug-and-play smart card readers certified by Microsoft:

■ PC Card Reader for laptops (old name = GemPC Card for laptops)

■ PC Express Reader (old name = GemPC Express)■ USB Shell Token V2 (old name = GemPCKey

■ PC Twin Reader (old name = GemPC Twin)■ USB e-Seal Token (old name = Gem e-Seal)

Secure PIN Pad ReadersClassic Client 5.1 supports smart card readers providing a highly secure way to enhance your smart card-based application by protecting the smart card PIN code from unauthorized access. The PIN code is entered locally and safely on the reader, and is never transmitted to the PC.

The following Secure PIN PAD readers are supported:

■ PC Pinpad from Gemalto

■ Digipass 850 from Vasco.

Note: The Vasco Digipass 850 PC/SC card reader is also supported by Classic Client. However, as of writing, the reader driver must be obtained from the VASCO website. Additional documentation for users of Vasco card readers is available from Gemalto support. This driver is not included in a user setup even if you select the “Readers” option (see “User Setup” on page 25, in the section “Smart Card Readers”).

http://www.adobe.com/

4 Installation

Smart CardsGemalto has recently renamed many of its products. The following table lists the smart cards supported by Classic Client and gives their previous names:

Installing Classic Client 5.1Removing Previous Versions of Classic Client 5.1

Installing Classic Client 5.1 automatically removes version 5.0. – then known as GemSafe Standard Edition. However it does not automatically install previous versions older than 5.0. These must be removed manually. Remember that versions older than 5.0. are called “GemSafe Libraries”.

For every workstation on which a new version of Classic Client 5.1 is to be installed, the administrator must check that all older versions are removed successfully.

Table 2 - Supported Smart Cards

Card and installed applets Previous name

Classic TPC IXS (Classic Applet V1) GemSafeXpresso 16K (GemSafe v1.11 applet)

Classic TPC IS (Classic Applet V1) GemSafeXpresso 32K (GemSafe v1.11 applet)

Classic TPC IS v2 (Classic Applet V2 default - V1 on demand)

New product

Classic TPC IS CC (Classic Applet V2) GemSafeXpresso 36K CC (GemSafe v2 applet by default or GemSafe V1.11 on demand)

Classic TPC IM (Classic Applet V2) New product

Classic TPC IM CC (Classic Applet V2 default - V1 on demand)

GemSafeXpresso 64K CC (GemSafe v2 applet by default or GemSafe V1.11 on demand)

Classic TPC IM CC v3 (Classic Applet V3)

New product

Classic MDE TPC IM (Classic MDE Instance of PIV Applet)

■ GemXpresso R4 72PK with GemPIV v1.20 applet installed

■ GemCombiXpresso R4 S with GemPIV v1.20 applet installed

PIV TPC DM FIPS (PIV instance of PIV applet)

GemCombiXpresso R4 72PK with GemPIV v1.20 applet installed

PIV TPC DM FIPS - with Classic MDE option (PIV & Classic MDE instances of PIV applet)

GemCombiXpresso R4 72PK with GemPIV v1.20 applet installed

GPK16000 (no applet). Supported by 32–bit version only

Unchanged

Note: For versions of GemSafe Libraries previous to 4.0, a special Uninstall Tool has been developed and is available from Gemalto Support Services. If you have problems uninstalling previous versions, contact Gemalto Technical Support (refer to “Contact Our Hotline” on page ix).

Caution: Before removing the software, make sure you disconnect all devices (smart cards/tokens).

Installation 5

To remove a previous version of GemSafe Libraries:1 Open the Control Panel (Start > Settings > Control Panel).2 Click Add or Remove Programs.

3 Locate GemSafe Libraries as shown in “Figure 1”.

Figure 1 - Add/Remove Programs Window

4 Click Remove. A window appears asking if you are sure that you want to remove GemSafe Libraries.

5 Click Yes. A progress bar displays while GemSafe Libraries is removed.

6 At the end of the removal, the progress bar closes, removal is complete and GemSafe Libraries is removed from your computer.

7 If prompted, restart your computer.

Installing the Classic Client 5.1 SoftwareThis section describes how to install Classic Client 5.1.

To install Classic Client 5.1:1 Insert the Classic Client 5.1 CD-ROM into the CD-ROM reader of your computer.

Note: The Smart Card reader installations are not removed.

Caution: Before installing the software, make sure you disconnect all devices (smart cards/tokens).

Note: Remember that the installation of Classic Client 5.1 does not automatically remove versions of GemSafe Libraries older than 5.0.i. These must be manually removed as described in “Removing Previous Versions of Classic Client 5.1” on page 4.

6 Installation

If your computer is configured to autorun a CD, the installation wizard starts automatically.

If the installation wizard does not start automatically, do the following:

a) In Windows, navigate to Start > Run to open the Run dialog box.

b) Enter d:\Classic_Client_32_Admin_setup.exe in the Run dialog box, where d: is your CD-ROM drive.

c) Click OK to start installing the software.

Alternatively, navigate to the location of the installation file on the CD and double click on the Classic_Client_32_Admin_setup.exe file.

The InstallShield Wizard displays the Choose Setup Language dialog.

Figure 2 - Choose Setup Language Window

2 Select the required language for your installation (English in this example) and click OK to continue.

The Classic Client InstallShield Wizard displays the window indicating that it is preparing to install.

Allow the installation to continue until the Welcome window appears.

Figure 3 - InstallShield Wizard Welcome Dialog Box

Note: If you are installing the 64–bit version of Classic Client, enter d:\Classic_Client_64_Admin_setup.exe instead.

Note: If the operating system language is available in the Classic Client 5.1 software, the setup.exe file it will automatically suggest the correct language. If not, English is the default choice.

Installation 7

3 When the Welcome dialog box appears, click Next to continue; the Classic Client InstallShield Wizard displays the License Agreement window.

4 Read the Gemalto License Agreement. Accept the terms if you wish to continue by choosing “I accept the terms in the license agreement...” button and then click on Next.

The Classic Client InstallShield Wizard displays the Destination Folder window.

Figure 4 - InstallShield Wizard Destination Folder Window

5 The destination folder is the location where the plug–ins and other files are installed. Either click Next to accept the proposed default (recommended) or use the Change function to choose another location and click Next.

The Ready to Install the Program dialog appears.

6 Click Install to start the installation. An “Installing” window displays showing a progress bar during the installation.

When the Classic Client 5.1 InstallShield Wizard has completed the installation, the “Completed” dialog appears as shown in the following figure:

Note: If you prefer, you can also read this agreement in the “Appendix C - End User License Agreement”.

Caution: For 64–bit operating systems; if you choose a different location, the location must not be under c:\Program Files\... You can choose c:\Program Files (x86)\...or another location.

8 Installation

Figure 5 - InstallShield Wizard Completed

7 Click Finish to complete the installation. The Classic Client InstallShield Wizard displays the Reboot Dialog.

8 Click Yes to restart the system immediately or No if you want to restart your computer later.

Classic Client 5.1 is now installed on the computer.

Connecting the Smart Card ReaderTo use Classic Client 5.1 on your workstation, you must connect a smart card reader to your computer.

If the card reader is not recognized on your workstation, you may need to install the latest card reader drivers. You can download these from http://support.gemalto.com.

Installing Gemalto Cryptographic Security Modules Security Modules are software add-ons that provide a variety of cryptographic services, such as secure browsing, and support the use of smart cards/tokens.

In Classic Client 5.1, the installation of Security Modules can be done either automatically or manually, depending on the application with which Classic Client is being used.

Classic Client must be declared as a security module, so that applications can communicate with it. For some applications, such as Firefox for example, the security module cannot be installed automatically and must be done manually.

To manually install a security module for Firefox: 1 Open Firefox and from the Tools menu choose Options. The Options dialog

opens.

2 Click the Advanced icon, then the Encryption tab to display the settings as shown in “Figure 6”.

Note: You will not be able to use the Classic Client 5.1 software until you have restarted your computer.

http://support.gemalto.com


Installation 9

Figure 6 - The Options Dialog

3 Click Security Devices to display the Device Manager window. This displays the modules currently available as shown in “Figure 7”.

Figure 7 - Device Manager

4 Click the Load button to the right in the dialog. This displays the Load PKCS#11 Device window, as shown in “Figure 8”.

10 Installation

Figure 8 - The Device Manager Dialog and the Load PKCS#11 Device

5 Enter a Module Name.6 In Module filename, use the Browse button to select the gclib.dll file in

\install dir\BIN\gclib.dll.

Where:

install dir is the directory where you installed Classic Client. By default, this is

– c:\Program Files\Gemalto\Classic Client\ (32–bit OS) or

– c:\Program Files (x86)\Gemalto\Classic Client\ (64–bit OS)

7 Click OK. The “Confirm” dialog appears asking if you are sure that you want to install the security module.

8 Click OK.

A brief progress dialog appears indicating that the module is being loaded.

When this is completed an “Alert” indicates that the module has been installed.

9 Click OK to close this Alert.The Device Manager indicates the presence of the new module as shown in “Figure 9”:

Note: 64–bit refers to the OS, not the version of Firefox. The default for a 32–bit version of Firefox on a 64–bit PC is the “X86” option.

Installation 11

Figure 9 - Cryptographic Modules Available

Uninstalling Classic Client 5.1This example show the Administrator version. The procedure to remove the User version is the same except that the program appears as “Classic Client 5.1” instead of “Classic Client 5.1 Administrator”.

To remove Classic Client 5.1:1 Open the Control Panel (Start > Settings > Control Panel).2 Click Add or Remove Programs.

3 Locate Classic Client 5.1 as shown in “Figure 10”.

Note: The example shown in “Figure 9” shows the name of the reader (Gemplus USB Smart Card Reader 0) because no card is inserted in the reader. If a card is inserted at the time you are loading the module, then the name of the card appears instead of the reader.

12 Installation

Figure 10 - Add/Remove Programs Window (Classic Client 5.1)

4 Click Remove. A message box displays asking “Are you sure you want to remove Classic Client 5.1 from your computer.

5 Click Yes to confirm the removal of Classic Client 5.1. A progress bar appears during the removal.

At the end of the removal, the progress bar closes, removal is complete and Classic Client is removed from your computer.

6 If prompted, restart your computer.

End User Package Creation and Deployment Once Classic Client 5.1 has been installed on a computer with administrator privileges, as administrator you can access the administration tools necessary for generating installation setups for other users, which are then usually deployed to the end user over a network or using a CD.

“Chapter 4 - Administration Tasks” describes how to create installation setup packages and to set use parameters for end users. See also “How to Deploy a User Setup” on page 46.

2
The Classic Client Toolbox
This chapter discusses the Classic Client Toolbox, the dedicated tool for working with Classic Client.

The Classic Client Toolbox is made up of a number of tools that enable the user to perform tasks associated with the use of Classic Client products. Some of the tools are product specific and will include the product name in the title.

Some of the tools described in this Classic Client Administrator Guide are available to administrators but not end users. The Classic Client User Guide describes only those tools that are available for the end user.

About PINsThe User PINA PIN (Personal Identification Number) is a private code. It can be a sequence of numeric or alphanumeric characters or a mix of the two and is used as a type of password. As a user, your User PIN must be verified before you can perform security tasks with the card/token, such as logging on to a workstation, or creating a digital signature.

The user PIN of a smart card/token may be the original PIN value set at the time of manufacture or it may be a PIN value assigned by the administrator.

The user PIN should be unique to the user’s card/token and known only to the user. If the administrator gives the user the rights, it is standard practice, upon reception of a smart card/token, to change the user PIN value so that only the user knows it. The administrator can even force the user to change the PIN value upon first use in the software.

To perform a security operation, the card/token user must demonstrate knowledge of the PIN. Software that performs a security operation usually displays a window requesting the user enter the PIN before performing the security operation or there is a field where the user can enter the PIN, as is shown in the Classic Client Toolbox.

■ When creating a digital signature, successful PIN validation proves that the user is the correct card/token holder and permits the user to sign with the selected key.

■ By using the PIN to log on a network, the user proves both that the user card/token is valid in the system and that the card/token holder, is physically there. If the PIN is truly secret, the person entering the PIN must also be the card/token holder.

14 The Classic Client Toolbox

The Administrator PINThe administrator PIN is an extremely important part of the security of the smart card/token. Knowledge of this PIN means that the administrator can change the value of all the user PINs on the card/token and unblock the card/token if the user PIN is blocked.

It is extremely important for smart card/token administrators to keep the value of the admin PIN secure and secret. The administrator has to know the admin PIN value for all smart cards/tokens he or she has deployed. The admin PIN value of a card/token should never be shared with anyone else, and it is strongly recommended not to give this value to the card/token user, unless your security policy requests it.

Once an administration PIN has been entered incorrectly the requisite number of times, it becomes blocked and the card/token can never be used again.

The original Admin PIN value of a smart card/token is included in the packaging of the card/token. As the administrator you may want to change the Admin PIN value of the cards/tokens you deploy so that only you, the administrator, knows it.

The Classic Client Toolbox Graphical User InterfaceTo access the tools in the Classic Client Toolbox:Navigate through Start > All Programs > Gemalto > Classic Client Toolbox to open the Toolbox.

Caution: Do not allow the User PIN for your card/token to be blocked. If, for example, you forget the user PIN and enter a predetermined number of failed validation attempts (the PIN is entered incorrectly), the card/token becomes blocked and you cannot perform any further security operations with it. If you know the Admin PIN you can unblock your card/token as described in “How to Unblock a User PIN” on page 50. However most companies’ security policy does not allow this, in which case you must ask the Classic Client system administrator to unblock the card/token using the Admin PIN. If your user setup allows it, you may be able to unblock your card/token remotely. This operation is described in “How to Remotely Unblock a Connected Smart Card/Token” on page 51. Sometimes card/token technology or software on-board the card/token limits the absolute number of these unblocking operations. For more information, see your card/token technology documentation.

Note: Normally, if the administrator blocks a smart card/token’s admin PIN, the card/token becomes unusable. However, some smart cards/tokens permit unblocking or re-initializing the administrator PIN. See your card/token documentation for more information.

The Classic Client Toolbox 15

Figure 11 - Classic Client Toolbox Graphical User Interface

In the left panel of the GUI, the tools are located in folders with labelled tabs. The various tools are located within each folder, grouped according to tool use.

Tool Folders

Tool Icons and Names

Exit ButtonAbout Button

Minimize ButtonViewing Details Area

Note: The Software Administration folder appears only in the Administrator setup and not the usual User setup.

Card Contents folder

Certificates: The Certificates tool allows you to view information on the objects on your card/token. According to PKCS#11, these objects can be certificates, keys and data objects.

Card Properties: The Card Properties tool allows you to view information associated with a particular smart card/token.

Card Administration folder

PIN Management: The PIN Management tool allows you to make changes to the PIN associated with a particular smart card/token.

Software Administration folder

Configuration: The Configuration tool allows you as administrator to set the privileges for the use of a smart card/token and for Classic Client.


Click the folder tab and view the tools within. Click the tool icon to display tool parameters in the right panel. Some information is available for viewing without logging in using the PIN.

Most options are self explanatory in the graphical user interface. Further explanations follow.

Logging in with a PIN In order to perform certain tasks using the tools of the toolbox, you must log in with a PIN.

Card Contents FolderThe Card Contents folder contains all the tools associated with viewing and interacting with the contents of a particular smart card/token. These tools are the Certificates tool and the Card Properties tool.

PIN Policy: The PIN Policy tool allows you as administrator to set the PIN policy for a particular end user or group of end users.

User Setup: The User Setup tool allows you as administrator to set the policy for what will be included in the setup folder of a particular end user.

Diagnostic/Help folder

Diagnostic Tool: The Diagnostic Tool is used to examine all components of the Classic Client installation to determine if there are problems using Classic Client.

Documentation: The Documentation folder displays all the documentation available to you, and will vary according to your user setup. It includes the Classic Client Administration Guide, the Classic Client User Guide, the Readme and the EULA.

Note: Only one login session in any tool is sufficient for using other tools in the toolbox. If the use of a tool is not possible even after logging in, this tool is not available to you. The padlock icon beside the PIN Code login area is either open or locked and indicates if you are logged in or not .


Certificates ToolThe Certificates Tool allows you to view information on certificates and key pairs in the smart card/token.

Figure 12 - Certificates Tool Window (Not logged in)

The Certificate Tool displays information about the following certificates and key pairs:

■ Certificates:

– Serial number

– Expiration date

– Owner

– Issuing Certificate Authority

– The keys associated with each certificate

■ Keys:

– Public keys

– Private keys (some cards/tokens require that you log in first)

The Certificates Tool allows you to:

■ Manually register all certificates

■ Set a default certificate

Note: The Certificates Tool is only available if the Administrator has included it in the user setup.

Tool Folders

Tool Icons and Names

Login Entry AreaExit Button

About Button

Minimize Button

Tool Title

Viewing Details Area


■ Erase one or more certificates or key pairs in the smart card/token (if this feature is enabled by the administrator)

■ Show details about a certificate or a key

■ Import and export a certificate.

There are some important points to note:

– You can import a certificate without logging in, because certificates are always imported to the card’s/token’s public area. But if you do not log in, and the certificate has a key pair associated with it, the key pair is not imported.

– You must login before you can perform any export operations with the Certificates Tool.

– You can never export a certificate’s associated key pair.

– If you are not logged in, you may not be able to view private objects on the card/token. This depends on the card/token technology and the on-board software. If you cannot view a private key that you are sure you imported in a previous session, make sure that you are logged in before you conclude that the import process did not work.

Figure 13 - Certificates Tool Window (Logged in)

For the procedures to follow to perform tasks with the Certificates Tool, refer to “Managing Certificates” on page 53.

Note: The option to Erase or Erase All using the Certificates Tool does not determine the capability of other applications that can also perform these functions.


Certificate and Key IconsThe Certificate Tool can display the following icons, each representing a PKCS#11 object.

Card Properties ToolThe Card Properties tool allows you to view information associated with a particular smart card/token.

The Card Properties window displays all available card readers or PKCS#11 slots.

Figure 14 - Card Properties Window

To view information on a smart card/token.1 Choose the smart card reader from the list that holds the card/token you are

interested in and then click on Next to continue.

Information on the card/token is displayed:

Certificate

Default Certificate

Imported Public Key

On-board Public Key

Imported Private Key

On-board Private Key


Figure 15 - Card Properties Window (Not logged in)

Classic Client may not be able to display all information on the smart card/token because not all smart cards/tokens have the same technology and the same on board software.

In general, you can see information about:

■ Card/Token Type and Firmware

■ Card/Token Label and Card/Token Serial Number

■ Maximum number of incorrect PIN entry attempts (when supported) before blocking occurs

■ Smart Card/Token Memory Space

Some smart cards/tokens do not allow Classic Client to view the number of PIN attempts remaining before the card/token becomes blocked. See “How to Check The PIN Ratification Counter” on page 49 for information on how to work around this.

2 Enter the PIN associated with the smart card/token in the PIN Code area and click on Login.

– The padlock symbol in the GUI unlocks to indicate that the user is successfully logged in with that smart card/token and PIN, as shown in “Figure 16” on page 21.

– With cards/tokens where private information on the card/token is PIN protected, logging in enables this information to become visible, for example, Cryptographic Mechanisms and Key lengths.


Figure 16 - Card Properties Window (Logged in)

3 By clicking on the Advance button, all key containers associated with the card/token are displayed and additional information can be viewed by clicking on the plus symbol to expand the key container. This information includes how many keys are available in the container or if it is free.

Figure 17 - Card Properties Window (Showing Key Containers and Attributes)


Card Administration FolderThe Card Administration folder contains the PIN Management tool.

PIN Management ToolThe PIN Management tool allows you to make changes to the PIN associated with a particular smart card/token. It also allows you to view the PIN policy that has already been defined by the administrator for this particular installation.

To access the PIN Management Tool:Click the PIN Management icon in the Card Administration folder. This displays the tool as shown in “Figure 18” on page 22.

Figure 18 - PIN Management Tool Window

From this window, choose the function you want to perform, Change PIN or Unblock PIN and click Next.

For the procedures of how to perform these functions, refer to “PIN Management” on page 47.

PIN TypesClassic Client recognizes three types of PIN that may be in a smart card/token:

■ User PIN – the standard PIN used by a user to access the card/token

■ Admin PIN – the PIN that is necessary to unblock the card/token (for example after too many consecutive incorrect presentations of the User PIN)

■ IdenTrust PIN – a PIN similar to the User PIN with some particular rules (minimum length of 6 characters). This PIN appears only on certain types of smart card/token.

Caution: PIN policies are established according to a company’s security policy, but they are also established in relation to the particular type of smart card/token you use and the on-board software the card/token features. For example, some cards/tokens allow a user PIN to be a minimum of 4 characters, and other cards/tokens allow a minimum of 6 characters. Please see your card/token documentation for more information.

Note: The list next to the Unblock PIN option appears only if you have been granted both “unblock” and “remote unblock” rights in your user setup.


Software Administration FolderOverview

In the Software Administration folder, you can use the Configuration tool and the PIN Policy tool to create and save configuration files that determine a user’s profile regarding the individual rights of that user according to his or her company’s security policy.

You can then use the User Setup tool to create the end user setup by selecting the configuration file and PIN Policy file mentioned above, then by entering other parameters discussed in detail further on in this guide.

Then you deploy the end user setup to the end user, and these end user setups are then installed on the end user’s computer.

Read through the following descriptions of the tools available to learn more about the full range of administrative tools in Classic Client as well as how to set up end user installation packages. For specific instructions on how to perform all administrative tasks, refer to “Chapter 4 - Administration Tasks”.

Configuration Tool

OverviewThe Configuration tool displays various features and parameters for how to use a smart card/token, for example, how the smart card/token can be unblocked, whether the user has been given the right to erase certificates from the smart card/token, whether the user can change the user PIN, and so on.

When you have set all the parameters, you save that configuration in a file. You can therefore use this tool to save new configurations or modify existing configurations.

Configuration files are used later when setting up user profiles in User Setup.

To access the Configuration Tool:In the Software Administration folder, click the Configuration icon. This displays the default configuration as shown in “Figure 19” on page 24.


Figure 19 - Configuration Tool Window

For details on how to complete this window, see “How to Create a Configuration File” on page 38.

PIN Policy Tool

OverviewWith the PIN Policy tool the administrator sets the PIN policy for a particular end user. The parameters to be set for a PIN policy include specifications for minimum and maximum PIN lengths, characters allowed or not allowed, the use or not of repeated patterns for PINs, and the use or not of weak PINs.

When you have set all the parameters for a policy, you save them in a PIN policy file. You can therefore use this tool to save new policies or modify existing policies.

Policy files contain the settings for each type of PIN; User, Admin and IdenTrust.

PIN policies are used later when setting up user profiles in User Setup.

To access the PIN Policy Tool:In the Software Administration folder, click the PIN Policy icon. This displays the default PIN policy as shown in “Figure 20”.


Figure 20 - PIN Policy Window

For details on how to complete this window, see “How to Create a PIN Policy File” on page 40.

User Setup

OverviewWith the User Setup you determine what will be included in the user setup for a particular end user. There are three windows in all, and you click Next in a window to access the next one.

In the first window, you choose the following:

■ The tools that are to be made available for the user

■ The cards/tokens that can be used

■ The Cryptographic modules that will be allowed

■ The language in which the user interface will display,

In the second window, you choose the following:

■ The appearance of the toolbox

■ The configuration file

■ The PIN policy file

In the final window you choose the following:

■ The name and location for your setup

■ Whether the setup is 32-bit or 64-bit.

To access the User Setup:In the Software Administration folder, click the User Setup icon. This displays the default user setup as shown in “Figure 21”.


Figure 21 - User Setup First Window

For details on how to complete this and the other User Setup windows, see “How to Select the Modules for a User Setup” on page 41.

Diagnostic/Help FolderThe Diagnostic/Help folder contains the Diagnostic Tool which is used to troubleshoot any problems you may encounter when using Classic Client and the Documentation plug-in which contains all the relevant documentation.

Diagnostic Tool The Diagnostic Tool is used to examine all components of the Classic Client installation to determine if there are problems using Classic Client. The Diagnostic Tool is then able to diagnose where potential problems may be.

Figure 22 - Diagnostic Tool Window


Expand the folders to reveal further items. Click an item in the top pane to display information about that component in the lower pane.

From the Diagnostic Tool window you can view the status of the program. The Diagnostic Tool provides the following:

■ System Information

■ PKCS#11 registry values and files

■ Classic Client product information

■ Classic Client registry values

■ Status of the Classic Client installation files (executables, dynamic link libraries)

The following table provides a key to the symbols found in the Diagnostic Tool.

To generate a status report of the application click Save report as. From the Save as window save the .txt file to a suitable location.

Smart Card/Token and Reader DiagnosticsYou can also view the smart card/token and smart card reader properties using the SmartDiag Tool.

The SmartDiag Tool verifies the availability of the following:

■ Operating system services that allow smart card/token support

■ Smart card readers

Note: For 64-bit OS, there are two registry folders “Registry” (for the 32-bit values) and “Registry 64” (for the 64-bit values).

Table 3 - Diagnostic Tool Icons

Icon Description

The PC icon shows details about operating system of the Classic Client installation.

A green magnifying glass icon shows that the registry item is stored and functioning correctly.

A red magnifying glass icon indicates that the registry item is absent. In this case, you should remove the current installation of Classic Client and re-install it.

A blue magnifying glass icon shows that the registry item is optional.

A file icon with a green tick shows that the file or dll is installed and functioning correctly.

A white cross on a red background indicates that the file does not correspond to a known version. In this case, you should reinstall Classic Client.

A file icon with a question mark tick indicates that the file could not be read or is an unexpected version.

A blue arrow indicates that more information is available.


■ Smart cards/tokens

The tool also reports any software or hardware problems and gives troubleshooting information. If the displayed information still does not solve the problem, you can generate a diagnostic report. This report will be required if you ask Technical Support for help.

To use the Gemalto SmartDiag Tool1 Open the SmartDiag Tool using one of the following ways:

– In the Diagnostic Tool window (see “Figure 22” on page 26) click Smart card and readers diagnostics.

– Navigate through Start > Programs > Gemalto > SmartDiag > SmartDiag.exe.

This opens the Welcome window as shown in “Figure 23”.

Figure 23 - SmartDiag Welcome Window

2 Click Start to begin a diagnostic session. The SmartDiag Tool begins a diagnostic session to examine possible problems with the installation of the smart card reader or the smart card/token used.

There are three possible outcomes:

– Passed

– Failed

– Warning

3 If all components are as they should be, the following dialog appears.

Note: SmartDiag tests only the smart card’s/token’s basic functionality. It does not test the suitability of your smart card/token for use with a specific application.


Figure 24 - SmartDiag Passed Window

a) If the result is Warning, it is recommended that you click Advanced View to obtain all the details.

The Advanced View provides information on the smart card/token sub-system and the program's management facility.

The Advanced View’s purpose is to give a real-time status and description of smart card/token related resources. This can be particularly useful to reveal obscure and low-level problems, or to identify the version of various software and hardware smart card/token components.

The window shown in “Figure 25” screen is displayed.

Figure 25 - SmartDiag Advanced Window

From the Gemalto SmartDiag window you can view the status and other information about:

– Smart card readers and smart cards/tokens

– Services (application compatibility, reader identification)


– System (Resource Manager, driver library, Smart Cards Database).

By expanding the folders and selecting the required node, the information for each is displayed in the right frame.

To generate a status report of the information, from the Report menu choose Generate. From the Save as window save the .txt file to a chosen location.

Reports containing this information can be generated and saved as text files and may be valuable should you need to communicate with your Technical Support department. They can be saved as a Report in a text (.txt) file format.

Click Close to quit the tool.

b) If the outcome of the diagnostic session is Failed, read the accompanying message carefully. It explains the most probable source of the problem and how to get your smart card and reader working. In addition, you can generate a diagnostic report by clicking on Get Assistance. This displays the window shown in “Figure 27”.

Figure 26 - SmartDiag Failed Window

A blue question icon indicates that there is no smart card/token inserted in the smart card reader or there is an error reading the smart card/token.

Note: For more information about using the SmartDiag Tool, navigate to the Help drop-down list to access the SmartDiag online help.


Figure 27 - SmartDiag Getting Technical Assistance Window

Product SupportIf you experience problems getting your smart card/token or reader to work, and the advice given by SmartDiag does not solve the problem, contact Gemalto Technical Support, using the information given in this document (refer to “Contact Our Hotline” on page ix). You may want to generate and send a diagnostic report that your Technical Support representative will need in order to help you.

DocumentationThe Documentation plug-in contains all the documentation associated with the product. This is available only if the administrator chose to include it when creating the user setup.

To open the documentation:1 Click Documentation to open the Documentation window.

2 Expand the Classic Client folder to display the available documents, as shown in the following figure.

Figure 28 - Documentation Window

3 Double–click the document that you want to open.


3

The Registration Tool

If the Registration Tool is installed, it automatically starts when you start Windows.

When a smart card/token is connected, the Registration Tool automatically reads the data on the card/token and attempts to register any certificates for CAPI applications that it finds on the card/token.

When you remove a card/token, the Registration Tool removes the certificates from the IE store.

Under Windows 2000, XP, Server 2000 and Server 2003, there is an equivalent Microsoft application, that registers certificates. However, unlike the Registration Tool, it does not remove the certificates from the IE store, when you remove your card/token.

Under Windows Vista, if the Registration Tool is present, Classic Client deactivates the equivalent Microsoft tool.

The tool’s status is reflected by changes that appear in the system tray icon:

Note: When the Registration Tool is installed, each smart card reader connected to the computer is represented by a card reader icon in the system tray.

Table 4 - Registration Tool Status Icons

Icon Definition

Registration Tool icon indicating that no card/token is connected.

Registration Tool icon with card inserted in the reader but indicating that no certificates are on the card/token.

Registration Tool icon with card inserted and indicating that there are registered certificate(s).

Registration Tool icon with green box over the card end indicates that the Tool is in the Pause mode.

Registration Tool icon with a red X over the reader indicates that no card reader is detected.

Registration Tool Icon

System Tray

34 The Registration Tool

You can display information about the reader and the card/token in it by hovering the mouse over the icon in the system tray as shown in “Figure 29”.

Figure 29 - Registration Tool Icon in the System Tray

Contextual MenuThe tool has no interface, as it functions automatically. However, the user can interact with the tool by right clicking on the icon so that the tool displays a contextual menu from which to choose actions to take with the tool, as shown in “Figure 30”, and explained below.

Figure 30 - Registration Tool Right-Click Action Options

Launch ToolboxSelecting Launch Toolbox will open the Classic Client Toolbox if this has been included in the user setup and is available. If it is already open, a dialog appears.

Figure 31 - Classic Client Toolbox Active

Start/PauseSelecting Start/Pause allows the user to manually start and pause the Registration Tool without having to remove the card/token, which may be useful if other applications need exclusive access to the card/token. The Tool can be simply restarted by selecting this option again to restart it.

StopSelecting Stop allows the user to manually stop the Registration Tool without having to remove the card/token. Navigate through the Start/Programs... to restart the Registration Tool, see.“Restarting the Registration Tool” on page 35.

The Registration Tool 35

AboutSelecting About displays information about the Registration Tool, as shown in “Figure 32”.

Figure 32 - “About” the Reg Tool

Restarting the Registration ToolIf you stopped the Registration Tool and want to restart it, you need to do this from the Start Menu, by choosing Start > Programs (or All Programs) > Gemalto > Classic Client > Reg Tool.

Registration Tool Management of CertificatesIf the Registration Tool finds any CA certificates in the card/token, it will ask your for confirmation that you want to install (or register) them. This is a precaution because by installing a CA certificate, Windows will automatically trust any certificate issued by that CA. This confirmation appears as a security warning, as shown in “Figure 33” on page 35.

Figure 33 - Registration Tool: Install Certificate

Click Yes to install the certificate to the IE Certificate store, or No to not install the certificate at this time.

Note: The above screen only appears for CA certificates

36 The Registration Tool

If you close the card/token session (remove the card/token), and then reinsert the card/token, the tool again offers you the choice to install any unregistered certificates it finds.

Forced Change PINThe Registration Tool may detect that the User PIN in the card/token must be changed. There are two main reasons for this:

■ The card/token is a brand new card/token whose PIN has not yet been initialized.

■ The card/token has had its User PIN reset by the administrator, for example because it was blocked, and the administrator has set Force User to Change PIN.

In either case, when you connect the card/token a Change PIN dialog appears as shown in “Figure 34”.

Figure 34 - The Reg Tool Change PIN Screen

Enter the values, and when all the rules on the right show green ticks, click Change PIN.

Note: If you are working on a Citrix workstation, the Registration Tool is not installed on your workstation. You can register or install certificates without the Registration Tool by using the Certificates Tool (if your Citrix administrator has included the tool in the distributed end user setup).

4
Administration Tasks
This chapter discusses information related to specific tasks that you will most often be required to carry out when using the Classic Client software and where to find the information about them. These tasks are:

■ User Setups.

– “How to Create a Configuration File” on page 38

– “How to Create a PIN Policy File” on page 40

– “How to Select the Modules for a User Setup” on page 41

– “How to Deploy a User Setup” on page 46

■ PIN Management

– “How to Change an Administration PIN” on page 47

– “How to Change a User PIN or IdenTrust PIN” on page 48

– “How to Check The PIN Ratification Counter” on page 49

– “How to Unblock a User PIN” on page 50

– “How to Remotely Unblock a Connected Smart Card/Token” on page 51

■ Managing Certificates

– “How to Get a Certificate” on page 53

– “How to Import a Certificate” on page 54

– “How to Export a Certificate” on page 60

– “How to Set Certificates as Default” on page 62

– “How to Register Certificates to the IE Store Manually” on page 62

– “How to Display Certificate Details” on page 64

– “How to Erase Certificates (PKCS#11 Objects)” on page 64

■ Using a PIN Pad Reader with Classic Client

– “How to Log in with a PIN Using a PIN pad and the Toolbox” on page 66

– “How to Change and Unblock PINs with a PIN Pad and the Toolbox” on page 67

■ In addition, the following tasks related to using Windows are described in the Classic Client User Guide:

– “How to Use Windows Secure Logon”

– “How to Use E-mail Securely”

– “Viewing Secure Web Sites”

38 Administration Tasks

User SetupsUser Setups contain three components:

■ A configuration file

■ A PIN policy file

■ One or more modules

You need all three components to create a User Setup.

The Software Administration folder contains three tools, each dedicated to one of the three components.

How to Create a Configuration FileThe Configuration file determines the user’s rights.

To create a configuration file used for the user setup:1 Click the Configuration tool icon in the Software Administration folder to

display the Configuration tool interface as shown in “Figure 35”.

Figure 35 - Configuration Tool

If you want to use or view a previously defined configuration, for example one that closely resembles the one you want to create, click Browse in the File Selection area and navigate to the required file. In this case the check boxes in the window reflect the values in the file you selected. Configuration files have a .gsl suffix.

2 Check or clear the check boxes in the Configuration as required:

Certificate Featuresa) User can erase objects on the card lets the user erase PKCS#11 objects,

that is certificates and their associated keys and data, on the smart card/token. It is not recommended that this option be systematically given to the end user.

b) Import / export certificates allowed lets the user manage certificates on the smart card/token. This makes it easy to manage certificates that are in an IE certificate store, as well as allowing importing from and exporting to certificate files.

Administration Tasks 39

PIN Management Featuresc) User can unblock card allows the user to unblock his or her own smart card/

token.

d) User can remotely unblock connected card allows the user to unblock his or her smart card/token by a simple telephone call to the help desk. This option means a user can unblock a smart card/token without explicit knowledge of the Admin PIN.

e) Change User PIN(s) allowed; this specifies that the user can change his or her PIN at any time. It is independent of the Change PIN popup allowed used to initialize a PIN (first use and first use after PIN is unblocked). That popup is the one under Certificate Registration Tool Feature.

f) Change Admin PIN allowed; this specifies that the user can change the Admin PIN.

Certificate Registration Tool Featuresg) Certificate registration allowed; if checked, the registration tool checks the

card/token automatically for certificates and registers any that it finds in the IE store.

h) Change PIN popup allowed; if checked, the registration tool checks the User PIN in the card/token and automatically forces the user to change the User PIN value if it has not been initialized. It does this by displaying a Change PIN window.

Classic Client Toolbox Featurei) Display timeout(ms) lets the administrator determine how long (in

milliseconds) the Splash screen will be displayed. The default configuration is 3000 ms.

3 Click Save as, navigate to the required location for the file, enter the required file name, and press Save to create a new configuration file.

To modify an existing configuration file:1 Click the Configuration tool icon in the Software Administration folder to

display the Configuration tool interface as shown in “Figure 35” on page 38.

Note: Checking User can unblock card is NOT recommended in a user setup because it means that the administrator would have to give the administration PIN to the user thus creating a security risk. This permission should only be authorized to the user if your security policies specifically require that the user must be able to unblock his or her own smart card/token locally without outside intervention.

Note: For this option you will need an additional software tool in order to generate encrypted PINs. Gemalto can develop this tool with you. Remote unblocking is explained in “How to Remotely Unblock a Connected Smart Card” on page 68

Note: Checking Change Admin PIN allowed is NOT recommended in a user setup. It should only be used for the administrator setup if he needs to change the Admin PIN of his or a user’s smart card/token.

Note: Initializing a PIN means changing its value the first time it is used or the first time after it has been unblocked by the administrator.


2 Click Browse in the File Selection area and navigate to the file to be modified. The check boxes in the window will reflect the current values in the file.

3 Check or clear the check boxes in the Configuration as required:

4 Click Save.

How to Create a PIN Policy FileAs its name implies, the PIN policy file determines the rules that must be respected for PINS.

To create a user PIN policy used for the user setup:1 Click on the PIN Policy tool icon in the Software Administration folder to

display the PIN Policy tool interface as shown in “Figure 36”.

Figure 36 - PIN Policy Tool

2 If you want to use an existing policy file on which to base your new file, click Browse in the File Selection area and navigate to the previously created PIN policy file. The window reflects the values in the file you selected. PIN policy files have a .ppc suffix.

3 In PIN select the type of PIN whose policy you want to define.

For each User Setup, there are up to three types of PIN (User, Admin or IdenTrust). The PIN types available depends on the type of card/token used and your companies security policy.

4 Check Enable PIN Policy and select items according to the following:

– PIN minimum length: enter the required minimum PIN length value in the field; this must be 4 or greater.

– PIN maximum length: enter the required maximum PIN length value in the field: the maximum length depends on the card/token.

– Numeric only specifies that the user can enter only numbers for the PIN.

Note: Make sure you respect the technical restrictions of the smart cards/tokens that users have when you define the PIN policy. For example, some smart cards/tokens or their on-board software have a minimum PIN length of 6 characters, while others have a minimum length of 4 characters.


– Alphabetic AND numeric specifies that the user MUST include both letters AND numbers for the PIN.

– Upper AND lower cases specifies that the user MUST include both upper case AND lower case letters for the PIN.

– Different from previous one specifies that the user MUST enter a PIN that is different to the previous PIN defined. This only applies to the Change PIN option.

– No repeated pattern specifies that the user MUST enter a PIN that does not contain repeated characters; for example, the PIN cannot be “6666”, “qwqw”, “zzzz,” and so on.

– Check weak PIN forbids the user from using any of the PINs in the weak PIN list.

■ If you checked the box Check weak PIN, you need to define a list of weak PINs in the Weak PIN list. A weak PIN can be any value that you consider to be insecure because it is easy to guess, for example the name of the company or “1234” or another sequential list of numbers or letters.

To add a value to the Weak PIN list, enter it in Weak PIN and click Add. The value appears in Weak PIN list. To remove a value from the Weak PIN list, select it and click Remove. The value disappears from the list.

5 Repeat steps 3 and 4 for each PIN type.

6 Click Save as, navigate to the required location for the file, enter the required file name, and press Save to create the new PIN policy file.

To modify an existing user PIN policy file:1 Click on the PIN Policy tool icon in the Software Administration folder to

display the PIN Policy tool interface as shown in “Figure 36” on page 40.

2 Click Browse in the File Selection area and navigate to the previously created PIN policy file.

3 In PIN select the type of PIN whose policy you want to define.

4 If necessary check Enable PIN Policy and modify the settings. You can of course clear Enable PIN Policy if you want to disable an existing policy.

5 Repeat steps 3 and 4 for each type of PIN you want to modify.

6 Click Save.

How to Select the Modules for a User SetupTo select the modules and define the User Setup:1 Click on the User Setup tool icon in the Software Administration folder to

display the User Setup tool window.


Figure 37 - User Setup

2 If you want to use an existing User Setup on which to base your new one, click Browse in the File Selection area and navigate to the previously created User Setup. The window will reflect the values in the file you selected. User Setup files have an .msi suffix.

3 In the Readers area check the options as required:

– SmartDiag; Checking this option provides the end user with the SmartDiag Tool that can be used to view the smart card/token and reader information for use in troubleshooting (see “Smart Card/Token and Reader Diagnostics” on page 27).

– Drivers; The Drivers option specifies the reader drivers to be installed for the user setup. For a list of supported readers, see “Smart Card Readers” on page 3.

Check this option to display the list of drivers. Scroll down the list and select the drivers to be installed for the user setup.

4 In the Tokens area check the boxes corresponding to your types of cards/tokens and their installed applets as required. You can choose any combination of tokens, but you must choose at least one.

Note: Checking this option automatically checks the Drivers option because the SmartDiag tool requires at least on driver.

Note: Unless you know that your user already has the correct drivers for his or her readers, Gemalto recommends that you install drivers using this feature.Note: For the readers PC Express Reader, USB Shell Token V2 and PC Twin Reader, choose the driver called “CCID Readers”.Note: When the Registration Tool is installed, each smart card reader connected to the computer is represented by a card reader icon in the system tray.

Note: GPK16000 is available only for the 32–version of Classic Client.


5 In the Classic Client Toolbox area choose the tools that are to be made available to the user. Checking a box, makes the corresponding tool appear in the User’s Toolbox.

6 In the Tools area check the option as required:

Checking the box Registration Tool includes the Registration Tool in the User Setup. The Registration Tool performs two functions (according to the configuration):

– It allows the user to register certificates to the IE store automatically, see Chapter 4 -” The Registration Tool”. If you select it, the CSP option in the Crypto Modules section is mandatory and automatic.

– It reminds the user to change his or her PIN if the PIN is not initialized. It does this by displaying a Change PIN pop up window.

7 In the Crypto Modules area, the PKCS#11 Crypto module is mandatory in a user setup and selected for you. You can additionally check the box CSP:

– The CSP Crypto module allows using the IE Certificate Store and smart card/token logon. If your user uses Mozilla tools only, including it in a user setup is optional.

If you choose the Registration Tool option in the Tools section, including the CSP is mandatory and automatic.

8 In the Languages area choose the interface language of use for the end user. Languages supported are English, Chinese (simplified and traditional), Czech, Dutch, French, German, Hungarian, Italian, Japanese, Latvian, Polish, Portuguese, Spanish, Slovenian, Swedish, and Turkish.

9 Click Next to access the User Setup creation options, as shown in “Figure 38”.

Table 5 - Toolbox Options

Tool Folder Purpose

Certificates Card Contents Allows the user to manage certificates on the smart card/token.

Card Properties Card Contents Allows the user to view information associated with a particular smart card/token.

PIN Management Card Administration Allows the user to make changes to the PIN or unblock a blocked PIN.

Documentation Diagnostic/Help Allows the user access to the Classic Client Documentation. The user setup generally includes the Classic Client User Guide.

Diagnostic Tool Diagnostic/Help Troubleshoots common issues

Note: These tools are strongly recommended in a user setup, as they allow the user to perform basic tasks with smart cards/tokens, but they are not mandatory.

Selecting any of the first four plugins automatically selects the Diagnostic Tool.


Figure 38 - User Setup

10 If you checked at least one box in the Classic Client Toolbox panel of the preceding window (refer to step 5 on page 43), the Classic Client ToolBox Customization option is available. This allows you to customize the appearance of the Toolbox in the User Setup as follows:

a) Check the box(es) for the aspects that you want to change. Checking a box, activates its corresponding Browse button.

b) Click the Browse button and select the file containing the option, for example containing the Splash screen.

11 In the File Selection area, use the two Browse buttons and select:

– the configuration file

– the PIN policy file

12 Click on Next. This displays the final User Setup window as shown in “Figure 39”.

Figure 39 - Create Setup


13 In Setup Name, enter a name for the setup. This creates a setup folder of the name you choose.

14 In Setup Path, choose the path to the location where you want to save the user setup. You can either leave the location that displays by default or click Change Path and browse to another location.

15 In Setup Creation, check one of the boxes 32–bit setup or 64–bit setup depending on your operating system.

The following table lists the types of setup for various OS and applications.

16 Click Create Setup to create and save the User Setup in the location you specified in the previous step.

A confirmation message is displayed once the user setup creation has completed.

Figure 40 - User Setup Creation Complete Confirmation

17 Click OK.

To modify an existing User Setup:1 Click on the User Setup tool icon in the Software Administration folder to

display the User Setup window as shown in “Figure 37” on page 42.

2 Click Browse in the File Selection area and navigate to the User Setup you want to modify. The window displays the values in the file you selected.

3 Make any modifications you want in the first window (“Figure 37” on page 42), then click Next.

4 Make any modifications you want in the second window (“Figure 38” on page 44), then click Next.

Note: You cannot install a 32-bit setup on a 64-bit OS or vice-versa.

Table 6 - Operating Systems

Operating System Bits

Windows 2000 Professional (with SP4) 32

Windows XP Home (up to SP2) 32

Windows XP Professional (up to SP2) 32 and 64

Windows Server 2000 32

Windows Server 2003 32 and 64

Windows Vista 32 and 64

Internet Explorer 7 64

Outlook Express 32 and 64

Citrix Presentation Server v4 64


5 In the final window (“Figure 39” on page 44), make sure you enter the same Setup Name and Setup Path as your original file.

6 Click Create Setup to save your changes to the User Setup.

A confirmation message is displayed once the user setup creation has completed.

7 Click OK.

To delete an existing User Setup:In Windows Explorer, physically delete the .msi file for the setup that you want to delete.

How to Deploy a User Setup

Deploying User Setup Packages Once the end user setup has been created, it can be either saved to a CD, automatically deployed using parameters for the silent installation, or placed on a network available to the end user. The installation options for the end user are summarized as follows.

CD-ROMThe end user setup is made available to the user on a CD-ROM. In order to install Classic Client, the user navigates to the folder on the CD-ROM in which the user setup has been stored. The user clicks on the setup executable and the installation automatically begins.

Silent InstallationIn the “silent” installation, the user setup is deployed to the user’s computer by the administrator without any action on the part of the end user.

The administrator can deploy the user setup in the following manner:

In the Command Prompt dialog enter:

msiexec.exe /qn /i Classic_Client_32_User_setup.msi

Network AvailabilityThe end user setup is made available to the user on a local network. In order to install Classic Client, the user navigates to the folder on the local network in which the user setup has been stored. The user clicks on the setup executable and the installation automatically begins.

Including a REG File with the SetupIf you want to customize the registry values for your users, you can include a .reg file with the Classic Client User Setup. This .reg file is executed when you execute the User setup.msi file. You just have two points to remember:

■ The .reg file must be called ClassicClient.reg

■ The .reg file must be located in the same directory as the “User setup.msi” file.

Note: If your user has a 64-bit OS, remember the .msi file is Classic_Client_64_User_setup.msi


PIN ManagementPIN policies are established according to a company’s security policy, but they are also established in relation to the particular type of smart card/token you use and the on-board software the card/token features. For example, some cards/tokens allow a user PIN to be a minimum of 4 characters, and other cards/tokens allow a minimum of 6 characters. Please see your card/token documentation for more information.

How to Change an Administration PINUse the PIN Management tool to change the administration PIN for a smart card/token.

If the card/token allows the unblocking of Admin PINs, then this operation must be performed either on a PC with the administrator setup of Classic Client or a user setup version with the “Change Admin PIN allowed” access rights (see “How to Create a Configuration File” on page 38). For simplicity, the following procedure just says “administrator’s PC”.

To change an Admin PIN1 Connect the smart card/token whose Admin PIN you want to change to the

administrator’s PC.

2 Click on the PIN Management tool icon in the Card Administration folder; the PIN Management tool interface is displayed in the right hand area of the GUI.

3 From the PIN Management Tool, choose the Change PIN option (see “Figure 18” on page 22 and click Next. The window shown in “Figure ” appears:

Figure 41 - Change PIN Window

Caution: Normally, if you block a smart card’s/token’s Admin PIN, the card/token becomes unusable. However, some smart cards/tokens allow unblocking or re-initializing the administrator PIN. See your card/token documentation for more information.

Note: The Classic Client padlock icon is either open or locked to indicate if you are logged in or not logged in. . You do not have to log in, in order to change a PIN.


4 In the PIN section, select the type Admin (instead of User). The options available depend on the PINs that exist in the card/token.

PIN Policy in the right pane displays your company’s policy for Admin PIN’s. Ticks or crosses next each rule to tell you if your New PIN value respects the policy rules.

The PIN Policy is set using the PIN Policy tool in the software administration folder, see “How to Create a PIN Policy File” on page 40.

5 Enter the current PIN value in Current PIN, and the new value in New PIN.

6 If all the rules in PIN Policy display green ticks, reenter the new value in Confirm New PIN, otherwise choose a different value for New PIN until PIN Policy displays only green ticks.

7 Click Change PIN. A pop-up window confirms a successful PIN change.

If the PIN change is unsuccessful an error message is displayed with details of why the operation was unsuccessful.

How to Change a User PIN or IdenTrust PINUse the PIN Management tool to change the user PIN.

To perform this operation, your Classic Client setup must have been granted the “Change User PIN allowed” access rights by your administrator.

To change a User PIN or IdenTrust PIN1 Connect the smart card/token whose User PIN you want to change.

2 Click on the PIN Management tool icon in the Card Administration folder; the PIN Management tool interface is displayed in the right hand area of the GUI. If you don’t see the tool, you don’t have the rights to change the PIN.

3 From the PIN Management Tool, choose the Change PIN option (see “Figure 18 -PIN Management Tool Window” on page 22) and click Next. The window shown in “Figure 42” appears:

Figure 42 - Change PIN Window

Note: The Classic Client padlock icon is either open or locked to indicate if you are logged in or not logged in. . You do not have to log in, in order to change a PIN.


4 In the PIN section, select the type User or IdenTrust. The options available depend on the PINs that exist in the card/token and the rights given to by the Administrator in your User Setup.

PIN Policy in the right pane displays your company’s policy for the type of PIN chosen. Ticks or crosses next each rule to tell you if your New PIN value respects the policy rules.

The PIN Policy is set using the PIN Policy tool in the software administration folder, see “How to Create a PIN Policy File” on page 40.

5 Enter the current PIN value in Current PIN, and the new value in New PIN.

6 If all the rules in PIN Policy display green ticks, reenter the new value in Confirm New PIN, otherwise choose a different value for New PIN until PIN Policy displays only green ticks.

7 Click Change PIN. A pop-up window confirms a successful PIN change.

If the PIN change is unsuccessful an error message is displayed with details of why the operation was unsuccessful.

How to Check The PIN Ratification CounterSmart cards/tokens are security protected against brute force PIN attacks by the ratification counter. The counter decreases by one each time you enter the wrong PIN code. When you enter the correct PIN, the ratification counter resets to its initial (highest) value. However, if the ratification counter reaches zero, it becomes blocked.

Depending on the technology of the card/token and its on-board software features, it may be possible to display the value of the PIN ratification counter value.

To check the PIN ratification counter (for cards/tokens that allow this feature)1 In the Card Contents folder, click Card Properties, select the reader and click

Next.

Figure 43 - Card Properties

2 The detail of the PIN ratification counter is in the lower left of the right pane. If you do not see any numerical values for the counter, then the card/token does not support this feature.


How to Unblock a User PINAs Administrator you can use the PIN Management tool to unblock user smart cards/tokens that have been blocked after repeated attempts to enter an incorrect user PIN. This operation can be done at your “Administrator” PC with the blocked smart card/token inserted in the attached smart card reader.

If your security policy allows it, a user’s smart card/token can also be unblocked by the user if the user is in possession of the unblocking code (Admin PIN) and has been given the rights to unblock the user card/token in the user setup. However, it is not recommended the user be given the Admin PIN of the user card/token.

If you want your user to have the right to unblock the user card/token, but don’t want the user to have the Admin PIN, you can provide the user the right to unblock the card/token remotely. See “How to Remotely Unblock a Connected Smart Card/Token” on page 51.

To unblock a PIN1 Connect the blocked smart card/token to the PC.

2 Click on the PIN Management tool icon in the Card Administration folder; the PIN Management tool interface is displayed in the right hand area of the GUI as shown in “Figure 18 - PIN Management Tool Window” on page 22.

3 Check Unblock PIN and if the list next to it is visible, choose Local.4 Click Next; The window shown in “Figure 44” appears:

Figure 44 - PIN Management Tool: Unblock PIN

5 In the PIN section, select the PIN you need to unblock. Depending on your rights and the connected smart card/token, you can choose from User, Admin and IdenTrust.

6 Enter the Admin PIN, the New PIN, and the Confirm New PIN in the areas provided. Modify the New PIN value if the rules in PIN Policy display any red crosses.

Note: The Unblock PIN option is available even if the card/token is not blocked. However, it is only available if you were given the right to use it in the user setup.


7 If required check Force user to change PIN. This means that the user must change his or her PIN the first time he or she tries to access his smart card/token.

8 Click Unblock PIN.

A pop up dialog will inform you if the PIN has been successfully unblocked.

How to Remotely Unblock a Connected Smart Card/TokenNormally you unblock a smart card/token using the Admin PIN. If the user knows the admin PIN, he or she can do it themselves, but this method is not recommended because the security chain is less secure.

However, you can configure a user to allow him or her to unblock the card/token remotely by checking the box “User can remotely unblock connected card” in the User Setup (see “Figure 35” on page 38 and in particular d) on page 39). In this case, the user does not need to know the unblocking code as you provide an encrypted value of the Admin PIN.

Read the procedure below, as it treats the user’s perspective of the situation. Do not hesitate to contact your Gemalto representative if you want to use this feature of the software.

To unblock a smart card/token remotely

1 Connect the blocked smart card/token, click on the PIN Management tool icon in the Card Administration folder,

2 Select Unblock PIN and if the list next to it is visible, choose Remote. This displays the window shown in “Figure 45”.

Note: Do not use the Force user to change PIN option if your security policy does not grant the user the right to change his or her PIN.

Note: The user does not need the right to change the User PIN, as this is a different right from the right to unblock the PIN.

Caution: Remote user PIN unblocking requires an additional tool that can be installed with the Classic Client Toolbox for help desk staff. For more information about this tool, please contact your Gemalto representative.

Note: You can do this only if the administrator has set “User can remotely unblock connected card” in your user setup.


Figure 45 - PIN Management-Remote Unblock PIN

3 Telephone the help desk and tell them the card serial number (CSN) and the random number. With this information, the help desk will generate an encrypted unblock PIN and tell you its value.

4 Click Next to display the window shown in “Figure 46”.

Figure 46 - PIN Management-Remote Unblock PIN (2)

5 In Encrypted PIN, enter the value given to you by the help desk. Enter your new PIN value in New PIN and again in Confirm New PIN.

6 Leave Force user to change PIN unchecked.

7 Make sure that all the rules in PIN Policy show green ticks. If they do not, re–enter the values until they do.

8 Click Unblock PIN. A pop up dialog confirms if the card/token has been successfully unblocked.


Managing CertificatesIntroduction

This section talks about using smart cards/tokens with certificates.

Cards/Tokens and CertificatesA digital certificate contains information about the user and the user’s public key, and is used to authenticate the user’s identity during secure transactions. The certificate identifying the user must be registered with a certificate authority and this information must be available to both parties. To use smart cards/tokens and certificates together, the user must generate a key pair on his card/token and then get a digital certificate corresponding to the public key and store it on the card/token.

Working with Different Cards/TokensMany types of cards/tokens are supported by Classic Client. You can check if a card/token is supported simply by connecting it. For unsupported cards/tokens, the reader icon displays a warning sign like this:

How to Get a CertificateThe following sections explain where to get a certificate for the smart card/token. If you know you already have a certificate on your smart card/token, then skip this section.

If you need to use the computer to get a certificate but cannot log on because you don’t have one yet, just press CTRL+ALT+DEL to log on manually.

You can get a digital certificate from the following two sources:

■ The Microsoft Certificate Server This application, included in Windows Server 2000 and Windows Server 2003 can issue and manage digital certificates used in software security systems employing cryptography. Contact your network administrator to see if the network server includes this application and to find out how to get a certificate from it. You can also download instructions and find further information about Certificate Services at support.microsoft.com.

■ A Certificate Authority (CA) A trusted organization that issues and manages digital certificates, such as Verisign.

TipsWhen you request a certificate, you will be asked to enter information about yourself such as your name, e-mail address, and the type of certificate you want. The type of information required depends upon what organization is issuing the certificate, and may include the following:

■ Key length value The default value is 1024. Classic Client also supports 512– and 2048–bit keys, though this ability may be restricted by the card/token used.

■ Certificate type The Microsoft Certificate Server asks you to specify a certificate type. Select Smartcard User, which can be used for secure e-mail (signature and encryption) and code signing (if configured appropriately).

Note: 1) You cannot change anything on read-only cards/tokens.

Note: 2) Some cards/tokens, such as IdenTrust cards/tokens may have two user keys, intended for two different purposes.

http://support.microsoft.com


■ Cryptographic Service Provider (CSP) You will need this if requesting a certificate using Internet Explorer.

■ Cryptographic Security Module You will need this if requesting a certificate using Mozilla Firefox.

■ Give the correct name according to the tool you are using when enrolling. If you give a different name, your certificate will be stored on your hard drive instead of your smart card/token.

– Internet Explorer: Choose Gemalto Classic Card CSP– Firefox: Choose Classic Smart Card.

How to Import a CertificateYou can import certificates to a card/token if the administrator gave you the rights to do so in your user setup. You can import certificates from the IE certificate store or from a certificate file.

When importing certificates, note the following important points:

■ You cannot import certificates to a read-only card/token.

■ You can import a certificate without verifying your user PIN (logging in), but if the certificate has an associated key pair, the key pair is not imported: you must be logged in to import an associated key pair.

■ Your PIN must be initialized, that is, it’s value must have been changed from the original value set when the PIN was issued (or set by the administrator if it has been unblocked).

It is recommended that you read the section “Introduction” on page 53 before performing these tasks.

To import a certificate to a smart card/token:1 In the Classic Client Toolbox, click Certificates in the Card Contents folder.

Make sure that the smart card/token for which you want to import a certificate is connected.

Caution: Take care to give the correct name; Gemalto Classic Card CSP. If you do not, then your certificate will be stored on your hard drive instead of your smart card/token.

Note: This service is referred to as a security device or cryptographic module in Firefox.


Figure 47 - Certificates Tool Window

2 Select the smart card reader. This activates the Import button.

3 Click Import (you can also do a right–click on the reader and select Import from the contextual menu). You are offered a choice of two ways to import the certificate as shown in the following figure:

Figure 48 - Choice of Methods to Import a Certificate

Note: This example treats the case of a smart card/token featuring two operational modes: the Standard mode, and the IdenTrust mode.

You can import a certificate without verifying your user PIN, but if the certificate has an associated key pair, the key pair is not imported unless you can verify your user PIN when requested.


4 Choose the option and follow the instructions for your choice:

– If importing from a file, see page 56.

– If importing from the IE certificate store, see page 58.

To Import from a Certificate File1 Follow the instructions in “To import a certificate to a smart card/token:” on

page 54.

2 When you reach the window shown in “Figure 48”, choose Import from File and click Open. This opens the standard windows Open window as shown in “Figure 49”.

Figure 49 - Certificates Tool Window: Open Window

3 Navigate to the certificate file you want.

Compatible Files:

– PKCS#12 file: (*.pfx), (*.p12). These types of files can have one or more certificates and may contain the certificate’s key pair value. These types of files are usually protected with a password.

– Binary certificate file: (*.der), (*.cer), (*.crt). These types of files have only one certificate and have no keys.

– PKCS#7 certificate list file: (*.p7b). These types of files can have one or more certificates and have no keys.

– Base 64 encoded certificate file: (*.b64). These types of files have only one certificate and have no keys.

4 In the example in “Figure 49”, the choice is among four PKCS#12 objects. These objects can require that you prove knowledge of a password before you can work with their certificates, keys or data objects. Select a file and click Open. The window changes as shown in “Figure 50”.


Figure 50 - Certificates Tool Window: Import Certificate File (1)

5 Enter the File Password and click Verify.

If the password is correct, in the case of a PKCS#12 object, all the certificates in the file are displayed in the Certificate(s) to import field as shown in “Figure 51”.

Figure 51 - Certificates Tool Window: Import Certificate File (2)

All the other certificate file types don’t require password verification, so you immediately see the certificate(s) without the File password field.

Note: 1) A P12 certificate is often associated with public and private keys. If you import the certificate, Classic Client automatically attempts to import its associated key pair, and succeeds if you can prove knowledge of the card/token PIN.

Note: 2) The Figure above displays an example of a smart card/token with two operational modes: the Standard mode, and the IdenTrust mode. Cards/tokens with only one mode do not display the option IdenTrust for the Card PIN field, as cards/tokens with one mode only require one user PIN.


6 In Certificate(s) to import, select the certificate you want to import.

7 Do one of the following:

– If the PKCS#11 object(s) (certificates and keys) are to be used for IdenTrust security operations, check the IdenTrust option and enter your IdenTrust user PIN in the Card PIN field to permit Classic Client to copy the certificate and, if present, the key pair to the card’s/token’s public data area.

– If the PKCS#11 object(s) (certificates and keys) are to be used for non-IdenTrust security operations, do not select IdenTrust and instead simply enter your user PIN to permit Classic Client to copy the certificate and if present the key pair, with the private key copied to the card’s/token’s private data area and the public key copied to the card’s/token’s public area.

8 Once you have entered a valid PIN, click Import. A window confirms that the selected certificate is imported.

To Import from the IE Certificate Store1 Follow the instructions in “To import a certificate to a smart card/token:” on

page 54.

2 When you reach the window shown in “Figure 48”, choose Import from IE store and select a store from the list:

– Personal: Selects a certificate from the IE Store called Personal.

– Intermediate Certification Authorities: Selects a certificate from the IE Store called Intermediate Certification Authorities.

– Trusted Root Certification Authorities: Selects a certificate from the IE Store called Trusted Root Certificates.

For this example, the choice is from the Personal store:

Figure 52 - Certificates Tool Window: Import Certificate - Selecting the store

3 Click Open. Classic Client displays the certificates you have in this IE store as shown in “Figure 53”.


Figure 53 - Certificates Tool Window: Import Certificate List

4 Click on the certificate you want to import. You can select more than one certificate by holding down the shift key to select a group, or the control key to add certificates to the selection one by one.

The example in “Figure 53” on page 59 shows an example of a smart card/token with two operational modes: the Standard mode, and the IdenTrust mode. Cards/tokens with only one mode do not display the option IdenTrust for the Card PIN field, as cards/tokens with one mode only require one user PIN.

5 Do one of the following:

– If the PKCS#11 object(s) (certificates and keys) are to be used for IdenTrust security operations, select IdenTrust and enter your IdenTrust user PIN in the Card PIN field to allow Classic Client to copy the certificate and if present, the keys, to the card’s/token’s public data area.

– If the PKCS#11 object(s) (certificates and keys) are to be used for non-IdenTrust security operations, do not select IdenTrust and instead simply enter your user PIN to permit Classic Client to copy the certificate and, if present, the keys, with the private key copied to the card’s/token’s private data area and the public key copied to the card’s/token’s public area.

6 Once you have entered a valid PIN in Card PIN, click Import. A window confirms that the selected certificate has been imported.

Note: 1) A P12 certificate is often associated with a public and private key pair. If you import a P12 certificate, Classic Client automatically attempts to import its associated key pair, and succeeds if you can prove knowledge of the card/token PIN.

Note: 2) P12 objects may require that you prove knowledge of a password before you can work with their certificates, keys or data objects. If you click on an item, you may be prompted to enter a password. If this occurs, enter the password and click OK.


How to Export a CertificateYou can export certificates from the card/token if the administrator gave you the rights to do so in your user setup.

It is recommended that you read the introductory remarks in the section “Managing Certificates” on page 53.

Export allows you to export certificates from a smart card/token, one certificate at a time (if you have been given the right to export certificates from a smart card/token). You can export certificates from the smart card/token to the IE certificate store or to a certificate file.

To export a certificate from a smart card/token:1 In the Classic Client Toolbox, click Certificates in the Card Contents folder.

Make sure that the smart card/token from which you want to export a certificate is connected.

2 If not already logged in, enter your PIN in PIN Code and click Login.

3 Select the certificate. This activates the Export button as shown in “Figure 54”.

Figure 54 - Certificates Tool Window: Export Button Activated.

4 Click Export (you can also do a right–click on the reader and select Export from the contextual menu). You are offered a choice of two ways to export the certificate as shown in the following figure.

Note: If a certificate on the card/token is associated with a cryptographic key pair, when you export the certificate, you cannot export the key pair as well.

Caution: You cannot export any type of cryptographic key from the card/token to a file or to the IE Certificate Store.


Figure 55 - Choice of Methods to Export a Certificate

5 Choose the option and follow the instructions for your choice:

– If exporting to a certificate file, see “To export to a certificate file” on page 61.

– If exporting to the IE certificate store, see “To export to the IE certificate store” on page 61.

To export to a certificate file1 Select Export to File and click Export. This opens the standard Windows Save As

window.

2 Type the file name and select among the following types of certificate files:

– Binary certificate file: (*.der), (*.cer), (*.crt). These types of files can contain only one certificate.

– PKCS#7 certificate list file: (*.p7b). These types of files can contain one or more certificates.

– Base 64 encoded certificate file: (*.b64). These types of files can contain only one certificate.

3 Click Save as. A window confirms that the selected certificate is exported.

To export to the IE certificate store1 Select Export to IE store and select a store from the list:

– Personal: Exports the selected certificate to the IE Store called Personal.

– Intermediate Certification Authorities: Exports the selected certificate to the IE Store called Intermediate Certification Authorities.

Note: You cannot export to a P12 certificate file because you cannot export any kind of cryptographic key from the card/token.

Tip: Classic Client cannot export a certificate chain to a P7 certificate file in one action. Export the root certificate to a P7 format, then export the rest of the chain into respective *.der certificate files. You can then add the *.der certificates in order to your P7 certificate file and recreate the chain.


– Trusted Root Certification Authorities: Exports the selected certificate to the IE Store called Trusted Root Certificates. If you export a certificate to this store, Windows prompts you to be confident as to the source of the certificate. If you are, click Yes to continue.

Figure 56 - Security Warning

2 Click Export. A window confirms that the selected certificate is exported.

How to Set Certificates as DefaultYou can specify which certificate on your smart card/token you want to use as the default certificate for logging on to your PC using the card/token.

To set the default certificate:1 Make sure that the smart card/token for which you want to set a default certificate is

connected.

2 If not already logged in, enter your PIN and click Login.

3 Select the certificate you want to become the default certificate.

4 Click Set as default; the selected certificate is set as the default certificate.

How to Register Certificates to the IE Store Manually The Registration Tool can automatically register your certificate in the IE cert store. To do this, simply start IE and connect your card/token.

The Registration Tool is available only if the administrator has included it in your User Setup package. You can check it is available by the presence of the icon that is displayed in the tool bar.

For a more information about this and other registration tool features, see “Chapter 3 - The Registration Tool”.

Note: In versions of Windows older than Vista, the OS can use only the default certificate.

Note: The Registration Tool does not copy certificate information to the IE store; it creates a link from the IE cert store to the certificate information on the card/token to ensure security.

Note: The Registration Tool is not available in Citrix client-server environments.


If the Registration Tool is not available, then Windows 2000, XP Server 2000 and Server 2003 will perform this automatic registration in its place. However Classic Client deactivates this feature in Windows Vista.

Classic Client’s Certificates Tool enables you to register all your certificates to the IE store manually. This tool is indicated by the certificate tool icon in your Card Contents folder. Its availability depends on whether the administrator included it in your User Setup package.

To register all certificates manually:1 Make sure that the smart card/token for which you want to register all the

certificates is connected.

2 Open the Certificate Tool in the Classic Client Toolbox (Card Contents > Certificates).


4 Select the smart card reader . This selects all the PKCS#11 objects stored on the smart card/token.

The register all certificates function is only available when all objects are selected.

Figure 57 - Certificates Tool Window (All Objects Selected)

5 Click Register All. A confirmation window summarizes how many certificates were registered.

Figure 58 - Certificate Successfully Registered

6 Click OK to complete the Register All operation.


How to Display Certificate DetailsYou can view details of the certificates on the card/token and see if your card/token has any data objects on it, although you cannot see details on the data itself. This is useful to ensure you have the right certificates for a particular action that you want to perform.

To see the details of a certificate:1 Make sure that the smart card/token for which you want to register certificates is

connected.

2 If not already logged in, enter your PIN and click Login. This ensures you can see both public and private details.

3 Select the certificate you want to display information about.

4 Double click the certificate, or click Show details; the Microsoft Certificate viewer opens.

Figure 59 - Window Certificate Information Viewer

How to Erase Certificates (PKCS#11 Objects)Certificates are PKCS#11 objects, as are keys and data.

You can erase all the objects on your card/token, or erase an individual object. This is useful if you have no more space on the card/token for any new objects.

Note: The Show Details button is for certificates only.

Note: You cannot erase anything from a card/token that is read-only.


The introductory remarks in the section “Managing Certificates” on page 53 provide some useful background information.

Erasing All CertificatesThe Erase All function enables you to erase ALL the PKCS#11 objects on the card/token (certificates, keys and data). The function’s availability depends on whether it was included by the Administrator in your User Setup.

To erase all certificates (PKCS#11 objects):1 Make sure that the smart card/token on which you want to Erase All is connected.


3 Select the smart card reader. This selects all PKCS#11 objects on the smart card/token, see “Figure 57” on page 63.

The Erase All function is only available when the smart card reader is selected.

4 Click Erase All; all objects are erased from the smart card/token.

Erasing an Individual CertificateThe Erase function enables you to erase individual PKCS#11 objects on the card/token (certificates and keys) one at a time. The function’s availability depends on whether it was included by the Administrator in your User Setup. This is useful to clear up space on the card/token and to erase old keys or certificates.

To erase an individual certificate (PKCS#11 object):1 Make sure that the smart card/token on which you want to Erase the certificate is

connected.


3 Select the object to erase and click Erase.

Note: In some circumstances the Erase All option does not remove all items from the memory. The memory space may still be occupied by proprietary objects.

Note: The Erase button deletes a key pair only when the certificate it is associated with has already been deleted. The key pair associated with a certificate is displayed after the certificate with which it is associated.


How to Use a PIN Pad Reader with Classic ClientHow to Log in with a PIN Using a PIN pad and the Toolbox

1 Insert the smart card in the PIN pad reader.

2 Open the Classic Client Toolbox and in Card Contents, click Certificates to open the Certificates Tool as shown in “Figure 60”.

Figure 60 - Logging in Using a PIN Pad

3 Click the Login button.

The following dialog box is displayed:

Figure 61 - Secure PIN Entry Dialog Box

The PIN pad displays “Enter PIN”.

4 Enter the PIN in the PIN pad (remember to press Enter).5 The PIN pad displays “PIN OK” and the Certificate Tool changes to show that you

are logged in:


Figure 62 - Logged in Using a PIN PAD

How to Change and Unblock PINs with a PIN Pad and the ToolboxFor these operations, the PIN pad reader behaves like an ordinary reader, that is, a reader without a PIN pad. You should therefore use the Toolbox as described in “PIN Management” on page 47.

PIN Presentation

Under some circumstances, the PIN pad Reader requires several presentations of the PIN by the User to gain access to certain tasks. When enrolling a user on the smart card, for example, 3 presentations of the PIN is required.

Registration Tool Behavior with the PIN Pad Reader If the option “Force user to change PIN” was chosen in the PIN management tool, or if the User PIN is not initialized, the Registration Tool displays the following message when you insert the smart card.

Figure 63 - Force User to Change PIN Error

Click OK. If the Classic Client Toolbox is not already running, the Reg Tool starts it for you.

Caution: The PIN pad reader is managed by the application that calls Classic Client. Consequently the PIN pad’s behavior when interacting with Classic Client will vary according to the application.


A
Security Basics
This chapter introduces you to the IT security standards integral to Classic Client.

CryptographyCommunicating and conducting business electronically is quickly becoming the most convenient, effective means of transaction. An essential condition for the continued growth toward an electronic market is security. The identities of both corporations and individuals must be authentic. The integrity and privacy of information must be guaranteed.

Encryption/decryption enables you to send and receive secure e-mail and documents to protect confidential or private information. You can use the signature function to sign your messages. By signing messages, you can prove to the recipient that you are who you claim to be.

The IT industry uses cryptography to render information secret and known only by authorized entities.

There are two types of cryptography:

■ Secret Key Cryptography.

■ Public Key Cryptography

Both crypto systems use keys to digitally sign or encrypt/decrypt data. A key is a series of random numbers (bits) in electronic format used to perform cryptographic functions on electronic data.

The differences between secret key and public key cryptography include:

■ Key management.

■ Complexity of the key structure.

Key management is central to having a successful crypto system. If keys are not managed in a secure environment, the overall security of the crypto system is at risk. Keys must also be convenient to use.

The complexity of a key length is determined by the degree of mathematical properties applied to the random numbers that comprise the key.

70 Security Basics

Secret Key CryptographySecret key cryptography is the traditional crypto system, which remains in widespread use even today. Secret key cryptography uses a single secret key to digitally sign or encrypt/decrypt electronic data. The most widely used secret key crypto systems are DES and RC2 (also known as symmetric key cryptography).

The sender and receiver must use the same secret key for the session in which secure information is exchanged. The sender uses the secret key to encrypt the message; the receiver uses the same secret key to decrypt the message.

The primary advantage of secret key cryptography is the speed at which data can be encrypted/decrypted.

The primary weakness of secret key cryptography regards key management. Because sender and receiver must share knowledge of the secret key, there must be a transfer of the secret key at some point. Introducing a third party (such as a telephone line or courier) to deliver the secret key to the receiver presents a security risk.

Secret keys are included in the cryptographic functionality of both Microsoft and Mozilla e-mail and browser products.

Public Key CryptographyPublic key cryptography was introduced in 1976 and is the most advanced, secure crypto system for digitally signing and encrypting/decrypting electronic data. Public key cryptography refers to a crypto system that uses key pairs. The most popular and widely-used public key crypto system uses the RSA key pair.

A key pair is a matched set of keys used to digitally sign or encrypt/decrypt electronic data. RSA key pairs, like secret keys, are strings of random numbers. However, RSA keys are not only significantly longer than secret keys, they also possess complex mathematical properties.

A single user owns an RSA key pair. One key is private, while the other key is public. The private key remains private and accessible only to the owner of the key pair. The public key is made available by the owner to public users. The public key is used to encrypt data. The private key is used to decrypt data.

The strengths of using an RSA key pair is that the need for sender and receiver to share knowledge of the single secret key used in secret key crypto systems is eliminated.

Classic Client takes advantage of the speed the secret key offers and the robust security and convenience of the RSA key pair. When you use Classic Client to send secure e-mail, the actual message data is encrypted using a secret key. The secret key is then encrypted using the public key of the intended recipient. Only the recipient's private key can decrypt the secret key. Only the secret key can decrypt the message data.

Classic Client offers the most advanced digital security at the greatest speed and convenience.

Security Basics 71

What is a digital certificate?A digital certificate is an electronic document that serves as your digital passport. Your digital certificate stores your public key and other personal information about you and the certificate.

The most widely accepted standard for digital certificates is defined by International Telecommunications Union standard ITU-T X.509. Version three is the most current version of X.509.

The X.509v3 certificate includes the following data:

■ Version.

■ Serial number.

■ Signature algorithm ID.

■ Issuer name.

■ Expiration Date.

■ User name.

■ User public key information.

■ Issuer unique identifier.

■ User unique identifier.

■ Extensions.

■ Signature on the above fields.

As a convenience to recipients, it is standard practice to attach your digital certificate to every secure e-mail that you send. The recipient uses your public key, included in your digital certificate, to encrypt e-mail addressed to you. If you do not attach your digital certificate to outgoing e-mails, recipients must retrieve your public key from a public directory if they want to reply to you with an encrypted e-mail.

What is a Certificate Authority?Certificate Authorities (CAs) are trusted third parties that issue digital certificates. CAs vouch for the identity of the individual or enterprise to whom they are issuing a certificate. CAs provide a transfer of trust from CA to the individual or enterprise. When you trust the CA certificate, you can transfer that trust to all certificates published by that CA.

When you obtain your digital certificate, you provide the CA with your public key and any personal information requested by the CA. The CA verifies your personal information and the integrity of your public key. After the verification process, the CA signs your public key, stores appropriate personal information and your public key on the digital certificate, and issues your digital certificate to you.

CAs issue certificates with varying levels of identification requirements. CA policies and the level of identification of the digital certificate determine the method and requirements for proving your identity to the CA. The most simple digital certificate only requires your e-mail address and name. However, some CAs require a driver's license, notarized certificate request form, or any other personal documentation attesting to your identity. Some CAs may even go as far as requiring biometric data such as fingerprints.

The CA public key must be widely available so that users can validate the authenticity of all certificates published by this CA.

72 Security Basics

What is a digital signature?A digital signature is a piece of information created using message data and the owner's private key. Digital signatures provide message authentication, non-repudiation of origin, and data integrity.

Digital signatures are created by mathematical, or hash, and private signing functions. The one-way hash function produces a message digest, a condensed version of the original message text. The message digest is encrypted using the sender’s private key, turning it into a digital signature.

The digital signature can only be decrypted using the public key of the same sender. The recipient of the data decrypts the digital signature and compares the result with a message digest, recalculated from the original message text. If the two are identical, the message was not manipulated, thus is authentic.

What is S/MIME?Secure/Multipurpose Internet Mail Extensions (S/MIME) is an open protocol standard, that provides encryption and digital signature functionality to Internet e-mail. S/MIME uses public key cryptography standards to define e-mail security services.

S/MIME enables you to encrypt and digitally sign Internet e-mail using Web messaging applications such as Microsoft Outlook, Microsoft Outlook Express, and Mozilla Thunderbird. S/MIME also enables you to authenticate incoming messages.

S/MIME provides the following security functions:

■ Sender Authentication to verify the sender's identity. By reading the sender's digital signature, the recipient can see who signed the message and view the certificate for additional details.

■ Message Encryption to ensure that your messages remain private. Mozilla Thunderbird and Microsoft Outlook Express support domestic and export-level public key and secret key encryption.

■ Data Integrity to guard against unauthorized manipulation of messages. S/MIME uses a secure hashing function to detect message tampering.

■ Inter-operability to work with other S/MIME-compliant software.

What is SSL?Secure Sockets Layer (SSL), developed by Netscape Communications, is a standard security protocol that provides security and privacy on the Web. The protocol allows client/server applications to communicate securely. SSL uses both public and secret key cryptography.

The SSL protocol is application independent, which enables higher-level protocols such as Hyper Text Transfer Protocol (HTTP) to be layered on top of it transparently. Therefore, the client can negotiate encryption and authentication with the server before data is exchanged by the higher-level application.

The SSL Handshake Protocol process includes two phases:

■ Server Authentication in which the client requests the server's certificate. In response, the server returns its digital certificate and signature to the client. The server certificate provides the server's public key. The signature proves that the server currently has the private key corresponding to the certificate.

■ Client Authentication (optional) in which the server requests the client's certificate. In response, the client sends the digital certificate and signature to the server. If the SSL Server requests it, the client is prompted to enter a PIN to visit a secure Web site.

Security Basics 73

The SSL process is repeated for every secure session you attempt to establish unless you specify a permanent session. The SSL process will not proceed if the Web server's certificate is expired.

SSL provides the following security functions:

■ Data Encryption to ensure data security and privacy. Both public key and secret key encryption are used to achieve maximum security. All traffic between an SSL server and SSL client is encrypted using both public key and secret key algorithms. Encryption thwarts the capture and decryption of TCP/IP sessions.

■ Mutual Authentication to verify the identities of the server and client. Identities are digital certificates. The entity presenting the certificate must digitally sign the data to prove ownership of the certificate. The combination of the certificate and signature authenticates the entity.

■ Data Integrity to ensure that SSL session data is not manipulated en route. SSL uses hash functions to provide the integrity service.

Note: In some instances, the SSL Handshake takes place between the Web server and the browser and does not require the client’s certificate.

74 Security Basics

What is Classic Client?Classic Client is a smart card−based solution designed to secure e−mail communications and Internet transactions. Classic Client smart cards/tokens support encryption/decryption and signature functions. Classic Client also supports Windows 2000/XP secure Libraries and the capability to sign Office 2003 macros.

Classic Client and a smart card/token provide the following advantages:

■ Your private key is never removed from your smart card/token.

■ The smart card/token is hardware-based security.

■ The PIN code protects key use.

■ Classic Client is portable and convenient.

The encryption/decryption function enables you to send and receive secure e-mail to protect confidential or private information. You can use the signature function to sign your messages. By signing messages, you can prove to the recipient that you are who you claim to be.

Classic Client combines the privacy, integrity, and authentication functionality provided by cryptographic algorithms with the simplicity, portability, and convenience of smart cards/tokens. Your private key, digital certificate, and other personal information are securely stored on your Classic Client smart card/token to prevent fraudulent use of your electronic identity.

The latest industry standards such as SSL3 (for Web access) and S/MIME (for e−mail) enable inter−operability of security services between any browser interface and any Web server. However, the security hole in SSL3 and S/MIME is the management of your private key and digital certificate. Without Classic Client, your private key and digital certificate are stored on your hard drive, which makes them susceptible to unauthorized access and fraudulent use. Without Classic Client, your electronic identity is at risk.

Classic Client provides double-barreled security! Classic Client, you get the hardware-based security inherent in smart cards/tokens and software-based encryption security, as well as the added advantage of individual PIN codes. Hardware-based security is a principal security advantage. It is significantly more secure than software-only solutions. Without the possession of your smart card/token and knowledge of your PIN code, no one can use your identity.

Classic Client is your electronic passport to the digital world.

What is a Smart Card/Token?A smart card is the size of a conventional credit card. But unlike the credit card, which has a magnetic stripe, the smart card has a silicon microprocessor chip to store and process electronic data and applications. The advantage of the smart card is security.

Gemalto manufactures various types of smart cards. Contact smart cards use a microprocessor chip to store and process data. They must be inserted into a smart card reader. Contactless smart cards use a microprocessor chip and antenna to store and process data.

Smart cards can also be embedded in tokens such as USB devices, that you can plug directly into a PC.

Smart cards/tokens provide the most sophisticated security available on the market.

Security Basics 75

What is the Classic Client Smart Card/Token?Your Classic Client smart card/token stores your private key and digital certificate. In the past, your only option was to store your private key on your local hard drive, rendering it susceptible to theft and fraudulent use. With Classic Client, your electronic identity is secure. You must have both the smart card/token and PIN code to use the smart card/token.

The Classic Client smart card/token is tamper resistant. The structure and operating system of the smart card/token make it practically impossible to penetrate, probe, or pilfer smart card/token data.

Perhaps the most convenient aspect of the Classic Client smart card/token is portability. With Classic Client, you can carry your electronic passport with you at all times and use it on any Classic Client–equipped computer in the world.

The Classic Client smart card/token has a robust and flexible design. These features offer greater freedom and enhanced security.

On-board Key GenerationThe Classic Client smart card/token offers on-board key generation. With this feature, every time you enroll a new certificate on your smart card/token, a new key pair is generated on your smart card/token. In other words, you are not limited to using the same key pair for every certificate that you enroll.

One significant advantage of onboard key generation is the ability to monitor and control the life span of your RSA key pairs and that the generated key pair is unique.

Increased Certificate StorageYou can store up to six key pairs and multiple digital certificates on your Classic Client smart card/token, depending upon the size of your certificates and space available on your smart card/token. This feature provides the convenience of using up to eight digital certificates for whatever purposes you want; for example, you can use certificates with varying degrees of encryption (from 1024–bit to 512–bit RSA key pairs) to communicate securely with contacts in various parts of the world.

Another reason for obtaining more than one digital certificate is the level of certification that the Certificate Authority (CA) requires. You may want to obtain and use a digital certificate from a CA that requires stringent identity certification if you are using the certificate for sensitive business communications or financial transactions. However, if you want to encrypt/sign data for personal communications, you may decide that a certificate from a CA that requires minimal identity certification meets your needs.

The costs of obtaining a digital certificate from a CA are somewhat based on the degree of identity certification the CA requires.

76 Security Basics

B
Troubleshooting
This appendix lists answers to some questions you may have about Classic Client Toolbox.

Frequently Asked QuestionsGemalto Localization System Warning MessageIf the following warning message appears on your screen it is to inform you that the GSLibs.res file has been modified by either the toolbox or someone else. There is no direct impact on the functionality of the software however, for details on how to remove this message from your screen you should contact Gemalto Support (see “Contact Our Hotline” on page ix).

Setup-Update of Windows Installer ComponentsThe setup.exe file automatically updates the Windows Installer version to 2.0 if necessary. In this case, the system is rebooted and the setup is restarted again. Under special circumstances, two instances of set.exe may start. If this happens, one of them should be closed manually while the other is allowed to continue.

I don't know where to get a digital certificateYou can also consult a Certificate Authority via Internet, telephone, or e-mail to request a digital certificate. The Certificate Authority may offer services to work with you to determine the type of certificate that best suits your security needs. Afterward, you can purchase the certificate that is appropriate for your needs.

Some Certificate Authorities even offer trial certificates for no cost. Typically, trial certificates only require you to provide your name and e-mail address. Certificate Authorities typically do not invest in validating your identity when you obtain a trial certificate. Consequently, the level of trust assigned to your certificate is minimal.

Certificate Authorities may deliver your digital certificate to you via e-mail, post, or the Internet. The most popular means of distribution is via the Internet.

78 Troubleshooting

I downloaded my certificate using Mozilla and now I can't use it with Internet Explorer and Outlook.When you download a digital certificate using Mozilla, you must register your certificate with the Certificates Tool before you can use it with Internet Explorer and Outlook. In fact, you must do this on every computer on which you want to use this certificate with Internet Explorer and Outlook.

If the Classic Client Toolbox Registration Tool (certificate registry) is installed, it will do this for you automatically simply by removing and reinserting your card/token.

The certificate I use with Internet Explorer doesn’t seem to work on any other computer.If you want to use your certificate on another computer with Internet Explorer, you must register it first using the Certificates Tool.

I have an expired certificate in Internet Explorer and I can't delete it.

To delete a certificate with Internet Explorer 6.0 or later:1 Click Tools > Options to open the Internet Options dialog box.

2 In the Internet Options dialog box, click the Content tab

3 Click Certificates to open the Certificate Manager dialog box.

4 Select the certificate you want to remove.

5 Click Remove.

Internet Explorer is available free for download from www.microsoft.com.

I'm not sure that my certificate is stored on my Classic Client smart card/token.Use the Certificates tool to see information about your certificate. If you cannot see information about your certificate, it might not be on your Classic Client smart card/token. Either your certificate was stored on your hard drive during download or you do not have a certificate.

If you did not select the correct CSP when you requested your certificate then your certificate is stored on your hard drive. You must obtain a new certificate and be sure to specify the correct CSP during the download process. Contact your Certificate Authority if you purchased a digital certificate. You may be able to avoid fees for obtaining a new certificate.

The correct CSPs to specify are:

■ Gemalto Classic Card CSP

If your Classic Client smart card/token or browser and e-mail applications do not list your digital certificate, then there was probably an error during download or enrollment of your certificate. Contact your Certificate Authority for additional help.

I tried to send a secure e-mail but received a message that something was wrong with the recipient's certificate.Check the validity of the user certificate. You may also want to contact the user directly to inquire about the status of their certificate. The user can always send a new signed message to you so that you can refresh or add the valid certificate.

www.microsoft.com

Troubleshooting 79

I tried to send a secure e-mail but received a message that something was wrong with my certificate.Check the following:

■ Verify that a valid certificate is linked to your e-mail account.

■ Use the Certificates tool to make sure the certificate you are using to send secure e-mail has not expired.

If the previous conditions are met and you still get the message that something is wrong with your certificate, contact your Certificate issuer for further assistance.

When I try to send secure e-mail, I get the message that there is no certificate associated with my e-mail account.Before you can send secure e-mail using the digital certificate stored on your Classic Client smart card/token, you must link your certificate to your e-mail account.

When I try to send secure e-mail, I get a message that says I don't have a certificate for the person I'm trying to e-mail.You could have one of three problems:

■ You do not have a certificate for this person If you do not have a certificate for the user, you can add the user certificate by receiving a signed e-mail from the user or by obtaining the user's certificate from a public directory.

■ You do not have a certificate linked to the user's e-mail address If you already received a signed e-mail from the user but the certificate is not associated with the user's e-mail address, you must open the signed e-mail and add the user's certificate to your Address Book (Outlook Express) or Contacts folder (Outlook 2003). If you are using Mozilla Thunderbird, you should not encounter this problem because when you receive a signed message from a user, their digital certificate is automatically linked to their e-mail address.

■ The certificate that you have for this user is not valid You can view the user certificate to determine if it is valid using your e-mail software.

The recipients of my e-mail cannot decrypt my messages or attached files.Your contacts may not be able to decrypt the e-mail or attachments that you send to them because of the session key length specified in your browser. A session key is the cryptographic secret key that is used to encrypt the actual message text of your e-mail and attachments. (The RSA key pair is used to decrypt/encrypt the session key).

Until recently, Mozilla and Microsoft browsers and e-mail applications were subject to cryptographic export regulations. As such, if you were sending e-mail to international contacts outside of the United States and Canada, you could have been using a session key that was too long or too strong. The session key length limitation for all versions of Internet Explorer and Mozilla Firefox is 128-bits. For some countries, the limit used to be 40-bits for the international versions of both products.

In order to decrypt your e-mails, your recipients should be instructed to install Microsoft’s High Encryption Package.

80 Troubleshooting

When I try to connect to a secure Web site that requests client authentication, it takes an exceptionally long time to connect if it ever connects.If you experience an extremely slow connection when you are trying to connect to a secure server, the problem could be related to the Web server, your computer, or your digital certificate.

The best thing to do is to disconnect and try again. You may have simply had a bad connection.

You can test connections to other secure Web sites to determine if the problem is related to a specific Web server.

To rule out problems related to your computer, verify your hardware connections, communication settings, and security settings.

Finally, view your certificate to make sure it is valid and make sure your Classic Client smart card/token is properly connected.

When I try to connect to a secure Web site that requests client authentication, I am rejected.If your certificate is rejected, try again. If your certificate is rejected again, investigate.

You could be rejected if your certificate is not valid. Check the validity of your certificate using the Certificates tool.

The certificate might be getting rejected because:

■ The Web server does not have an entry for the Certificate Authority that issued and signed the certificate.

■ Your smart card reader is not properly connected or you do not have the appropriate reader driver installed.

■ Your digital signature is temporarily corrupt, as in the case of an intruder trying to spy on your secure connection.

I am not warned prior to entering a secure Web site.You can tell a Web site is secure when its address starts with the characters https. If you want, you can set your browser to warn you before entering a secure Web site.

In Internet Explorer 6.0 or later:1 Click Tools > Options to open the Internet Options dialog box.

2 In the Internet Options dialog box, click the Security tab

3 Select a Web content zone to specify its security settings.

4 Click Custom Level.5 Select Prompt under the actions for which you want to be warned.

In Firefox 2.0:1 Click Security to open Firefox’s security window.

2 Click Navigator on the left side of the window.

3 Select the options you want under Show a warning before.

Troubleshooting 81

When I start my computer, I get a message that the appropriate smart card reader driver is not installed.Normally all the smart card reader drivers you will need are installed automatically when you install Classic Client.

If for some reason it appears you are missing a driver, then install it by running the Smart Diag Tool. Refer to “Diagnostic Tool” on page 26.

The LED on my smart card reader blinks while my smart card is in the reader.Check if your Classic Client smart card is properly inserted into your reader. The smart card should be inserted such that the front of the smart card is facing the Gemalto logo on your smart card reader. You will not be able to see the microprocessor contact (the gold-plated area on the front of your Classic Client smart card) when your smart card is in the smart card reader.

Make sure that your smart card is firmly inserted. When the smart card is in the reader, the LED should remain lit.

Make sure that the smart card is supported and recognized by Classic Client Toolbox (see Table 2, “Supported Smart Cards”, on page 4.

The LED on my smart card reader does not blink nor does it stay on. There is no light.If your smart card reader is properly installed and your Classic Client smart card is in the reader, the LED should show a steady green light. The LED should blink when the smart card is not in the reader.

Verify that your smart card reader is properly installed. Refer to instructions on the smart card reader box or this guide. The LED will not blink or remain on when your computer is off.

I lost/forgot my PIN.If you lost or forgot your User PIN, you can try to unblock the PIN with the PIN Management Tool, only if this option has been granted to you upon installation by the Administrator. If you do not have this privilege, you must contact the Administrator to unblock your smart card.

The rapid removal and re-insertion of a smart card/token causes problems.If you quickly remove and re-insert a smart card/token the computer may “hang”. Whenever you remove or re-insert a smart card/token, be careful not to do it too quickly; wait until the computer finishes processing a task before removing the smart card/token.

Removing the smart card/token while the it is being read or written to may cause the application to interrupt the smart card/token session. During write operations, removing the smart card/token may even destroy data stored on the smart card/token.

If your smart card/token stops workingIf your smart card/token stops working, consider the following reasons:

■ Your smart card’s/token’s PIN may be blocked You can unblock your smart card/token as described in the section about unblocking a PIN.

Note: If you do not have the Smart Diag Tool, download the corresponding driver from the Gemalto web site at: http://support.gemalto.com.



82 Troubleshooting

■ Your smart card’s/token’s certificate may have expired You need to get a new certificate. See information about getting a new certificate.

■ Your smart card’s/token’s certificate may not be registered If you are using Microsoft e-mail software, you may need to register your certificate. See information about registering a certificate.

■ You may be experiencing hardware failure Ask your Administrator for help.

C
End User License Agreement
IMPORTANT-READ CAREFULLY: This End-User License Agreement for Gemplus software (“EULA”) is a legal and binding agreement between you and the subsidiary or affiliate of Gemalto NV. (“Gemplus”) that distributed this version of the Software (as defined below) under this EULA (“Gemplus”). “You” are a person or legal entity wishing to use the Software. This EULA governs your use of all of the Software distributed or delivered hereunder. “Software” means all computer software, associated media, any printed materials and any accompanying “online” or electronic information provided to you hereunder. By downloading, installing, copying, breaking any seal on, or otherwise using the Software, you acknowledge that you have read this EULA and agree to be bound by its terms. If you do not agree to the terms and provisions of this EULA, do not download, install, copy, or otherwise use the Software; if you have already broken the seal or paid for this Software and do not agree to the terms and conditions of the EULA, please return the Software and any accompanying items to Gemplus within thirty (30) days of the date of purchase for a full refund of amounts paid. If these terms are considered an offer, acceptance is expressly limited to these terms.

1 Ownership. The Software is owned by Gemplus or its third party suppliers and is licensed (and not sold) to you. Gemplus's third party suppliers or distributors may assert and protect any of their rights (and with Gemplus's permission, Gemplus's rights) in connection with this EULA.

2 Grant of License. Subject to the terms of this EULA, Gemplus grants you the world-wide, non-exclusive, non-sublicensable, non-transferable (except as set forth in this EULA), license to use one copy of the Software, in object code format, solely for your internal use.

a) You must reproduce on any copy all copyright notices and any other ownership, confidentiality or proprietary legends that are on the original copy of the Software and accompanying documentation, and you may make only one copy of the Software solely for backup or archival purposes, provided that such backup copy is not installed on any computer.

b) You may not reverse-engineer, decompile, or disassemble the Software, or otherwise reduce the code of the Software to a human perceivable form, except and only to the extent that the restriction of such activity is prohibited by applicable law, and in such event you shall provide Gemplus prompt notification of such activities. You may not alter or remove any of Gemplus's trademarks affixed to or otherwise contained on or within the Software.

c) You may not market, distribute, transfer copies of the Software to others or electronically transfer the Software from one computer to another over a network except for Software installations permitted under Section 2 of this EULA. You may not rent, lease, or lend the Software. You may not modify,

84 End User License Agreement

adapt or translate the Software or create derivative works based on the Software.

d) All rights not expressly granted to you in this EULA are reserved by Gemplus and its suppliers. No rights are granted by implication or otherwise.

3 Termination. This EULA may be terminated by Gemplus upon notice and without further action upon the breach of any of your obligations or the license rights granted to you under this EULA. Upon termination, all use of the Software by you must cease and all rights granted to you under this EULA are terminated. Upon termination you hereby agree to return to Gemplus or to destroy all copies of the Software in your possession or control within fourteen (14) days of such termination and certify the same in an affidavit to Gemplus upon request.

This remedy is in addition to any other remedies available to Gemplus. Provisions contained in this EULA that expressly or by their sense and context are intended to survive the expiration or termination of this Agreement shall so survive the expiration or termination including without limitation Sections 1, 3, 4, and 7 through 10 hereof.

4 Proprietary Rights. All rights, title, and proprietary rights in and to the Software (including, but not limited to, any patents, trade secrets, trademarks, copyrights, images, photographs, animations, video, audio, music, text, software code and “applets” incorporated into the Software) are owned by Gemplus or its suppliers. The Software is protected by copyright laws, international treaty provisions, and other laws. An act in violation of this EULA may also be a crime punishable by fine or imprisonment under applicable law. You understand that Gemplus may update or revise the Software in its sole discretion, but has no obligation to furnish any Software updates or revisions to you. If you upgrade the Software to a higher-numbered or later version of the Software (e.g., from Program 3.x to Program 4.x) or to a comparable Gemplus software product including versions for different operating systems (“Replacement Software”), unless otherwise indicated in any end user license agreement accompanying such Replacement Software, this EULA is terminated to the extent it covers the replaced software and your rights in the Replacement Software will be governed by the end user license terms applicable to that Replacement Software. If any Replacement Software, or other Software of Gemplus, is distributed to you without a separate end user license agreement, this EULA shall govern all your rights and obligations therein.

5 Compliance with Laws. In the performance of the obligations under this Agreement, you shall at all times comply with the laws, regulations, and orders in effect and applicable to their performance hereunder. Without limiting the generality of the preceding sentence, you shall comply with applicable U.S. Foreign Corrupt Practices Act provisions (regarding, among other things, payments to government officials) and all applicable U.S. export laws and restrictions and regulations of the U.S. Department of Commerce, the Department of Treasury Office of Foreign Assets Control (“OFAC”), or other U.S. or non-U.S. agency or authority, and not export, or allow the export or re-export of any Gemplus product (or any product incorporating such Gemplus product) in violation of any such restrictions, laws or regulations. You shall obtain and bear all expenses relating to any necessary licenses and/or exemptions with respect to the export from the U.S. of all Gemplus products to any location and shall demonstrate to Gemplus compliance with all applicable laws and regulations prior to delivery thereof by Gemplus.

6 U.S. Government Restricted Rights. If a user of the Software is an agency, department, or other entity of the United States government (the “Government”), the use, duplication, reproduction, release, modification, disclosure, or transfer of such Software, or of any related documentation of any kind, including technical data, is restricted in accordance with Federal Acquisition Regulation (“FAR”) 12.212, Defense Federal Acquisition Regulation Supplement (“DFARS”) 227.7202,

End User License Agreement 85

subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 or subparagraphs (c)(1) and (2) of the Commercial Computer Software-Restricted Rights at 48 CFR 52.227-19, as applicable. The Software is commercial computer software and commercial computer software documentation. The use of this Software by the Government is further restricted in accordance with the terms of this EULA.

7 Limited Warranty, Disclaimer of Implied Warranties & Duties, Limited Warranty Remedy.

a) Disclaimer of Implied Warranties and Duties. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND EXCEPT AS SET FORTH IN SECTION 7.b, GEMPLUS, ITS SUPPLIERS, AND DISTRIBUTORS PROVIDE THE SOFTWARE AND ANY (IF ANY) SUPPORT SERVICES RELATED TO THE SOFTWARE (“SUPPORT SERVICES”) WITHOUT ANY EXPRESS WARRANTY OR INDEMNITY, AND THE SOFTWARE AND SUPPORT SERVICES ARE PROVIDED “AS IS” AND “WITH ALL FAULTS”. GEMPLUS HEREBY DISCLAIMS ALL IMPLIED INDEMNITIES AND WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY (IF ANY) IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, TITLE, OR THAT THE OPERATION OF THE SOFTWARE WILL BE ACCURATE, VIRUS-FREE, OR WILL CORRESPOND TO ANY DOCUMENTATION. SOME JURISDICTIONS DO NOT ALLOW EXCLUSIONS OF AN IMPLIED WARRANTY, SO THE ABOVE EXCLUSION MAY NOT FULLY APPLY TO YOU, AND YOU MAY HAVE OTHER RIGHTS THAT VARY BETWEEN JURISDICTIONS.

b) Limited Warranty Remedy. Gemplus warrants for a period of 90 days from the date of purchase that the medium on which the Software is provided will be free from defects in material and workmanship. This limited warranty covers only such defects. This limited warranty does not cover any other defects or problems of any kind.

Gemplus's sole obligation, and your exclusive remedy, under the limited warranty set forth in this Section 7.b shall be, at the sole discretion of Gemplus, to supply you with a corrected or replacement copy of the Software or a refund of all amounts received by Gemplus from you for the subject Software provided under this EULA. Any replacement Software will be warranted as set forth above for the remainder of the original warranty period or thirty (30) days from your receipt of such replacement Software, whichever is longer. This warranty gives you specific legal rights, and you may have other rights that vary between jurisdictions.

c) Gemplus does not warrant that the Software will be resistant to all possible efforts to defeat or disable its functions, including its security mechanisms, and Gemplus shall not incur, and disclaims, any liability in this respect. Security mechanisms' resistance and strength necessarily evolve according to the applicable state of the art in security and with reference to the emergence of new technologies and methods developed in efforts to defeat or disable such mechanisms. To the maximum extent permissible by law, Gemplus shall not be held liable for any third party actions and in particular in case of any successful effort to defeat or disable security functions of the Software, or computing devices and equipment using, accessing or incorporating the Software.

d) NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY GEMPLUS, ITS DEALERS, DISTRIBUTORS, AGENTS OR EMPLOYEES CREATES A WARRANTY AND YOU MAY NOT RELY ON ANY SUCH INFORMATION OR ADVICE.


8 Exclusion of Incidental, Consequential and Certain Other Damages. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL GEMPLUS OR ITS SUPPLIERS OR DISTRIBUTORS BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS, REVENUES OR CONFIDENTIAL OR OTHER INFORMATION, FOR BUSINESS INTERRUPTION, OR LOSS OF PRIVACY), ARISING OUT OF OR IN ANY WAY RELATED TO THE USE OF OR INABILITY TO USE THE SOFTWARE PRODUCT OR OTHERWISE UNDER OR IN CONNECTION WITH ANY PROVISION OF THIS EULA, IN TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, BREACH OF CONTRACT OR UNDER ANY OTHER LEGAL THEORY, AND EVEN IF GEMPLUS OR ANY SUPPLIER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATIONS MAY NOT APPLY TO YOU.

9 Limitation of Liability and Remedies. Notwithstanding any damages that you might incur for any reason whatsoever (including, without limitation, all damages referenced above and all direct or general damages), the entire liability of Gemplus and any of its suppliers under this EULA and your exclusive remedy for all of the foregoing is limited to the greater of the amount actually paid by you for the Software or U.S. $50.00. The foregoing limitations, exclusions and disclaimers shall apply to the maximum extent permitted by applicable law, even if such remedy fails its essential purpose. You hereby waive and forever release Gemplus from any and all claims in excess of that amount.

10 General Provisions. This EULA contains the entire agreement between the parties with respect to its subject matter, and supersedes all prior or contemporaneous agreements or understandings (oral or written). This EULA is governed by and shall be interpreted in accordance with the laws of the jurisdiction or location (“Location”) of the offices of the Gemplus entity distributing the Software to you or as indicated in the documentation accompanying the Software, without giving effect to any applicable choice of law principles. Any and all disputes, claims or legal proceedings arising hereunder shall be subject to the nonexclusive jurisdiction of the competent courts of the Location. This EULA is not governed by the United Nations Convention on Contracts for the International Sales of Goods, the application of which is expressly excluded. This EULA may not be modified except by a written addendum issued by a duly authorized representative of Gemplus. No provision of this EULA can be waived unless such waiver is in writing and signed by a duly authorized representative of Gemplus. Unless you notify Gemplus that you prefer not to be listed as a customer, which you may do by emailing us at [email protected], Gemplus may list you as a customer and describe in general terms the services provided by Gemplus under this EULA in proposals and other marketing materials and Gemplus may use your logos and trademarks in support thereof. If any part of this EULA is found to be unenforceable or void, the remainder that part shall be limited or eliminated to the minimum extent necessary so that the remainder of this EULA shall otherwise stay valid and enforceable.

If you have any questions about this EULA, please immediately contact Gemalto at www.gemalto.com.

=============================================

This product contains code from pcsc-lite http://pcsclite.alioth.debian.org/

Copyright (c) 1999-2003 David Corcoran <[email protected]> All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:


1 Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2 Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3 The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission.

Changes to this license can be made only by the copyright author with explicit written consent.

THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.

IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

=============================================

This product contains code from OpenSC

http://www.opensc-project.org/

The files from OpenSC are:

./src/libopensc/asn1.c

./src/libopensc/asn1.h

./src/libopensc/card.c

./src/libopensc/cards.h

./src/libopensc/dir.c

./src/libopensc/errors.c

./src/libopensc/errors.h

./src/libopensc/internal.h

./src/libopensc/log.c

./src/libopensc/log.h

./src/libopensc/opensc.h

./src/libopensc/padding.c

./src/libopensc/pkcs15.c

./src/libopensc/pkcs15.h

./src/libopensc/pkcs15-algo.c

./src/libopensc/pkcs15-cache.c

./src/libopensc/pkcs15-cert.c

./src/libopensc/pkcs15-data.c

./src/libopensc/pkcs15-pin.c


./src/libopensc/pkcs15-prkey.c

./src/libopensc/pkcs15-pubkey.c

./src/libopensc/pkcs15-syn.c

./src/libopensc/pkcs15-wrap.c

./src/libopensc/sc.c

./src/libopensc/sec.c

./src/libopensc/types.h

./src/libopensc/ui.h

./src/scconf/scconf.c

./src/scconf/scconf.h

GNU LESSER GENERAL PUBLIC LICENSE

Version 2.1, February 1999

Copyright (C) 1991, 1999 Free Software Foundation, Inc.

51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

[This is the first released version of the Lesser GPL. It also counts as the successor of the GNU Library Public License, version 2, hence the version number 2.1.]

Preamble

The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users.

This license, the Lesser General Public License, applies to some specially designated software packages--typically libraries--of the Free Software Foundation and other authors who decide to use it. You can use it too, but we suggest you first think carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular case, based on the explanations below.

When we speak of free software, we are referring to freedom of use, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish); that you receive source code or can get it if you want it; that you can change the software and use pieces of it in new free programs; and that you are informed that you can do these things.

To protect your rights, we need to make restrictions that forbid distributors to deny you these rights or to ask you to surrender these rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library or if you modify it.


For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code. If you link other code with the library, you must provide complete object files to the recipients, so that they can relink them with the library after making changes to the library and recompiling it. And you must show them these terms so they know their rights.

We protect your rights with a two-step method: (1) we copyright the library, and (2) we offer you this license, which gives you legal permission to copy, distribute and/or modify the library.

To protect each distributor, we want to make it very clear that there is no warranty for the free library. Also, if the library is modified by someone else and passed on, the recipients should know that what they have is not the original version, so that the original author's reputation will not be affected by problems that might be introduced by others.

Finally, software patents pose a constant threat to the existence of any free program. We wish to make sure that a company cannot effectively restrict the users of a free program by obtaining a restrictive license from a patent holder. Therefore, we insist that any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license.

Most GNU software, including some libraries, is covered by the ordinary GNU General Public License. This license, the GNU Lesser General Public License, applies to certain designated libraries, and is quite different from the ordinary General Public License. We use this license for certain libraries in order to permit linking those libraries into non-free programs.

When a program is linked with a library, whether statically or using a shared library, the combination of the two is legally speaking a combined work, a derivative of the original library. The ordinary General Public License therefore permits such linking only if the entire combination fits its criteria of freedom. The Lesser General Public License permits more lax criteria for linking other code with the library.

We call this license the “Lesser” General Public License because it does Less to protect the user's freedom than the ordinary General Public License. It also provides other free software developers Less of an advantage over competing non-free programs. These disadvantages are the reason we use the ordinary General Public License for many libraries. However, the Lesser license provides advantages in certain special circumstances.

For example, on rare occasions, there may be a special need to encourage the widest possible use of a certain library, so that it becomes a de-facto standard. To achieve this, non-free programs must be allowed to use the library. A more frequent case is that a free library does the same job as widely used non-free libraries. In this case, there is little to gain by limiting the free library to free software only, so we use the Lesser General Public License.


In other cases, permission to use a particular library in non-free programs enables a greater number of people to use a large body of free software. For example, permission to use the GNU C Library in non-free programs enables many more people to use the whole GNU operating system, as well as its variant, the GNU/Linux operating system.

Although the Lesser General Public License is Less protective of the users' freedom, it does ensure that the user of a program that is linked with the Library has the freedom and the wherewithal to run that program using a modified version of the Library.

The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a “work based on the library” and a “work that uses the library”. The former contains code derived from the library, whereas the latter must be combined with the library in order to run.

GNU LESSER GENERAL PUBLIC LICENSE

TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

This License Agreement applies to any software library or other program which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Lesser General Public License (also called “this License”).

Each licensee is addressed as “you”.

A “library” means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables.

The “Library”, below, refers to any such software library or work which has been distributed under these terms. A “work based on the Library” means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term “modification”.)

“Source code” for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library.

Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does.

1 You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library.


You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

2 You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:

a) The modified work must itself be a software library.

b) You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change.

c) You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License.

d) If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful.

(For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.)

These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.

Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library.

In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.

3 You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices.

Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy.

This option is useful when you wish to copy part of the code of the Library into a program that is not a library.

4 You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-


readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange.

If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code.

5 A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a “work that uses the Library”. Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License.

However, linking a “work that uses the Library” with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a “work that uses the library”. The executable is therefore covered by this License.

Section 6 states terms for distribution of such executables.

When a “work that uses the Library” uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not.

Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law.

If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.)

Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6.

Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself.

6 As an exception to the Sections above, you may also combine or link a “work that uses the Library” with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications.

You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things:

a) Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable “work that uses the Library”, as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.)


b) Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (1) uses at run time a copy of the library already present on the user's computer system, rather than copying library functions into the executable, and (2) will operate properly with a modified version of the library, if the user installs one, as long as the modified version is interface-compatible with the version that the work was made with.

c) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution.

d) If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place.

e) Verify that the user has already received a copy of these materials or that you have already sent this user a copy.

For an executable, the required form of the “work that uses the Library” must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the materials to be distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute.

7 You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things:

a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above.

b) Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work.

8 You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

9 You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it.

10 Each time you redistribute the Library (or any work based on the Library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You


may not impose any further restrictions on the recipients' exercise of the rights granted herein.

You are not responsible for enforcing compliance by third parties with this License.

11 If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library.

If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances.

It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.

This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.

12 If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

13 The Free Software Foundation may publish revised and/or new versions of the Lesser General Public License from time to time.

Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and “any later version”, you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation.

14 If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.

NO WARRANTY


15 BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW.

EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

16 IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONS


Terminology

AbbreviationsCA Certificate Authority

CAPI Crypto Application Program Interface

CMS Card Management System

CSP Cryptographic Service Provider

EEPROM Electrically Erasable Programmable Read-only Memory

ID Identification

IE Internet Explorer

IMAP Internet Message Access Protocol

LED Light Emitting Diode

PC/SC Personal Computer/Smart CardPersonal Computer to smart card. Entry point for all applications that use a smart card.

PIN Personal Identification Number

PKCS Public Key Cryptography Standard

PKCS#11 Public Key Cryptography Standard #11. For further information about this and other PKCS standards, refer to the RSA Laboratories web sit at http://www.rsa.com/rsalabs/

PKI Public Key Infrastructure

POP Post Office Protocol

RSA Rivest, Shamir, Adleman (inventors of public key cryptography standards)

S/MIME Secure/Multipurpose Internet Mail Extensions

SSL Secure Sockets LayerA protocol, v.3.0.v, for securing TCP/IP sessions

WinSCard Microsoft PC/SC library which provides the smart card API (Application Programming Interface)

http://www.rsa.com/rsalabs

http://www.rsa.com/rsalabs

98 Terminology

Glossary

Algorithm A mathematical formula used to perform computations that can be used for security purposes.

Certificate A certificate provides identification for secure transactions. It consists of a public key and other data, all of which have been digitally signed by a CA. It is a condition of access to secure e-mail or to secure Web sites.

Certificate Authority

An entity with the authority and methods to certify the identity of one or more parties in an exchange (an essential function in public key crypto systems).

Cryptography The science of transforming confidential information to make it unreadable to unauthorized parties.

Digital Signature A data string produced using a Public Key Crypto system to prove the identity of the sender and the integrity of the message.

Encryption A cryptographic procedure whereby a legible message is encrypted and made illegible to all but the holder of the appropriate cryptographic key.

Key A value that is used with a cryptographic algorithm to encrypt, decrypt, or sign data. Secret key crypto systems use only one secret key. Public key crypto systems use a public key to encrypt data and a private key to decrypt data.

Key Length The number of bits forming a key. The longer the key, the more secure the encryption. Government regulations limit the length of cryptographic keys.

Public Key Crypto system

A cryptographic system that uses two different keys (public and private) for encrypting data. The most well-known public key algorithm is RSA.

SSL Secure Sockets Layer: A Security protocol used between servers and browsers for secure Web sessions.

SSL Handshake The SSL handshake, which takes place each time you start a secure Web session, identifies the server. This is automatically performed by your browser.

S/MIME A Standard offline message format for use in secure e-mail applications.

Token In a security context, a token is a hardware object like a smart card, but it could also be a pluggable software module designed to interact with a specific hardware module, such as a smart card. Token-based authentication provides enhanced security because success depends on a physical identifier (the smart card) and a personal identification number (PIN).

Documents

Classic Client 5.1 Administration Guide · viii Introduction an understanding of the basic operations in Windows. administrative privileges for the computer on which Classic Client