HP ActivCard Smart Card Configuration

Smart card solution on HP CCI

Implementation of an ActivCard® smart card solution on HP CCI
Introduction (page 2)
Prerequisites (page 2)
Reference hardware and software (page 2)
Configuration compatibility (page 3)
Software configuration (page 4)
  Step 1: Configuring a Certificate Authentication (CA) service (page 4)
  Step 2: Group policy setting (page 9)
  Step 3: HP blade PC middleware configuration (page 10)
  Step 4: Client smart card driver configuration (page 10)
Smart card setup (page 11)
  Requesting a certificate from the blade PC (page 16)
Usage cases (page 19)
  Usage case 3: Accessing secure Web site (page 20)
Additional information (page 24)

Summary of Contents for HP ActivCard Smart Card

  • Page 1: Table Of Contents

    Step 2: Group policy setting (page 9). Step 3: HP blade PC middleware configuration (page 10). Step 4: Client smart card driver configuration...
  • Page 2: Introduction

    Infrastructure (CCI). This white paper is not intended as a comprehensive overview of ActivCard smart card technology. NOTE: The images and instructions in this white paper use Microsoft Windows XPe; however, HP also tested procedures using Microsoft XP Professional and Microsoft Windows CE.NET.
  • Page 3: Configuration Compatibility

    ActivCard ActivClient v5.4. • ActivCard Gold v2.2. Configuration compatibility HP has tested the following configurations using ActivCard ActivClient v5.4, ActivCard Gold v2.2 and confirmed that the configurations work in a CCI environment. HP USB Smart Card Keyboard HP Thin Client w/XPe HP Thin Client w/CE.net...
  • Page 4: Software Configuration

    Configure the following items to set up a smart card solution on CCI: Certificate Authentication (CA) service; group policy settings; middleware running on an HP blade PC; smart card client driver. Step 1: Configuring a Certificate Authentication (CA) service. Configure a CA service. This white paper uses Microsoft Certificate Services to configure certificates.
  • Page 5 Type a name for the new template in the Template display name box. This example uses CCI Smartcard Logon.
  • Page 6 Click the Request Handling tab. Select or type 1024 in the Minimum key size box. Click the CSPs button. Select Requests can use any CSP available on subject's computer. Click the Security tab.
  • Page 7 In the Permissions for Authenticated Users box, in the Allow column, select Read and Enroll. You have completed creation of the template. Copy the CCI Smartcard Logon certificate template into the Certificate Templates folder under the certificate server. a) Expand the Certification Authority object in the MMC you created in step 1. b) Expand your CA name.
  • Page 8 d) Select New > Certificate Template to Issue. Select the template, and then click OK to import the template.
  • Page 9: Step 2: Group Policy Setting

    Step 2: Group policy setting. Apply the following smart card group policy settings to the computer through a user policy setting or through a computer policy setting: • Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options - Interactive Logon: Require smart card, enable or disable. The default is disabled. •...
  • Page 10: Step 3: Hp Blade Pc Middleware Configuration

    Step 3: HP blade PC middleware configuration The following provides HP blade PC software configuration: • For the purposes of this white paper, an HP CCI implementation with the hardware and software components listed in “Reference hardware and software” on page 2 was used. •...
  • Page 11: Smart Card Setup

    • USB CAC approved smart card reader (SCM Microsystems SCR331 Reader) Driver: SCR33X2K.sys, version 4.27.00.01 NOTE: For Microsoft Windows CE.NET, you may need to copy the drivers from the folder where they were installed (\Windows) to the \Hard Disk\Program Files folder so the drivers will be written to flash memory.
  • Page 12 d) In the right pane, expand Smart card readers. e) Select the installed smart card reader. f) Under Device status, verify the message “This device is working properly.” To begin the enrollment from the blade PC side, open the Remote Desktop Connection window by clicking Start >...
  • Page 13 In the Local Devices area, select Smart cards. Connect to the blade PC on which you will set up the smart card and log in as a domain-authenticated user. Verify the ActivCard icon is displayed in the system tray. Insert an unprogrammed ActivCard-compatible smart card into the reader.
  • Page 14: Initialization Of The Smart Card Using Hp Session Allocation Manager Client (Hpsam Client)

    Select the installed smart card reader. f. Under Device status, verify the message “This device is working properly.” To begin the enrollment from the blade PC side, open the HP PC Session Allocation Client window by clicking Start > All Programs > Hewlett-Packard.
  • Page 15 Connect to the blade PC on which you will set up the smart card, and then log in as a domain-authenticated user. Verify the ActivCard icon is displayed in the system tray. Insert an unprogrammed ActivCard-compatible smart card into the reader. The ActivCard icon in the system tray changes from red to blue.
  • Page 16: Requesting A Certificate From The Blade Pc

    Requesting a certificate from the blade PC. Open Internet Explorer and go to the Certification Server enrollment Web site. The address of this Web site was determined when the Certification Server was set up (see “Step 1: Configuring a Certificate Authentication (CA) service”...
  • Page 17 If a warning message displays about a potential scripting violation, press Yes to continue with the certificate request. After the system generates the public and private keys, the page to install the certificate displays. Select Install this certificate. This command installs the user’s certificate onto the smart card. If a warning message displays about a potential scripting violation, press Yes to continue with the certificate request.
  • Page 18 To verify that the CCI SmartCard Logon certificate for the user is installed on the smart card: Click the ActivCard icon in the system tray to open the ActivCard Gold utility. In the right pane, select the My Certificates icon. The system displays the username ID. Select the username ID to view the installed certificate, which shows: •...
  • Page 19: Usage Cases

    Usage cases. Usage case 1: User authentication from client device to blade PC using RDP. The following steps provide instructions for performing a functional test of the CCI SmartCard Logon certificate: Log out of the RDP session. Open the Remote Desktop Communications window and initiate a connection to the blade. Make sure a smart card is installed in the reader.
  • Page 20: Usage Case 3: Accessing Secure Web Site

    Open the HPSAM client window and initiate a connection to the blade PC. Make sure a smart card is installed in the reader. The system requests the smart card PIN. Type the PIN that you assigned. The user is logged into the blade PC. Usage case 3: Accessing secure Web site The following steps provide instructions for accessing a secure Web site using an ActivCard through a blade PC.
  • Page 21: Usage Case 4: User Authentication Using Vpn Through Firewall To Blade Pc

    In Internet Explorer, type the address of a secure Web site. If the system displays security alert messages, click OK. The LED on the card reader indicates when the Web site is accessing the smart card to verify whether the certificate is approved for the site. After the secure Web site displays, a lock icon in the lower right corner of Internet Explorer confirms that you are connected to a secure Web site.
  • Page 22 In the Company Name box, type the name for the VPN connection (for example, Work), and then click Next. Select Do not dial the initial connection, and then click Next. In the text box, type the host name or IP address of the VPN tunnel, and then click Next. Select Use my smart card, and then click Next.
  • Page 23 Right-click on the VPN connection icon and select Properties. You can initiate the VPN connection after setting it up, as follows: Start the VPN connection. In Smart card PIN, type the PIN, and then click OK. While establishing the VPN connection, the system displays Verifying username and password and Authenticated.
  • Page 24: Additional Information

    © 2006 Hewlett-Packard Development Company, L.P. The information in this document is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

This manual is also suitable for:

Bc1500 - bladesystem - blade pc, Activcard
