Infrastructure (CCI). This white paper is not intended as a comprehensive overview of ActivCard smart card technology. NOTE: The images and instructions in this white paper use Microsoft Windows XPe; however, HP also tested procedures using Microsoft XP Professional and Microsoft Windows CE.NET.
ActivCard ActivClient v5.4. • ActivCard Gold v2.2. Configuration compatibility HP has tested the following configurations using ActivCard ActivClient v5.4, ActivCard Gold v2.2 and confirmed that the configurations work in a CCI environment. HP USB Smart Card Keyboard HP Thin Client w/XPe HP Thin Client w/CE.net...
Configure the following items to set up a smart card solution on CCI: Certificate Authentication (CA) service Group policy settings Middleware running on a HP blade PC Smart card client driver Step 1: Configuring a Certificate Authentication (CA) service Configure a CA service. This white paper uses Microsoft Certificate Services to configure certificates.
Page 5
Type a name for the new template in the Template display name box. This example uses CCI Smartcard Logon.
Page 6
Click the Request Handling tab. Select or type 1024 in the Minimum key size box. Click the CSPs button. Select Requests can use any CSP available on subject's computer. Click the Security tab.
Page 7
In the Permissions for Authenticated Users box, in the Allow column, select Read and Enroll. You have completed creation of the template. Copy the CCI Smartcard Logon certificate template into the Certificate Templates folder under the cer- tificate server. a) Expand the Certification Authority object in the MMC you created in step 1. b) Expand your CA name.
Page 8
d) Select New > Certificate Template to Issue. Select the template, and then click OK to import the template.
Step 2: Group policy setting Apply the following smart card group policy settings to the computer through a user policy setting or through a computer policy setting: • Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options - Inter- active Logon: Require smart card, enable or disable. The default is disabled •...
Step 3: HP blade PC middleware configuration The following provides HP blade PC software configuration: • For the purposes of this white paper, an HP CCI implementation with the hardware and software components listed in “Reference hardware and software” on page 2 was used. •...
• USB CAC approved smart card reader (SCM Microsystems SCR331 Reader) Driver: SCR33X2K.sys, version 4.27.00.01 NOTE: For Microsoft Windows CE.NET, you may need to copy the drivers from the folder where they were installed (\Windows) to the \Hard Disk\Program Files folder so the drivers will be written to flash memory.
Page 12
d) In the right pane, expand Smart card readers. e) Select the installed smart card reader. f) Under Device status, verify the message “This device is working properly.” To begin the enrollment from the blade PC side, open the Remote Desktop Connection window by clicking Start >...
Page 13
In the Local Devices area, select Smart cards. Connect to the blade PC on which you will set up the smart card and log in as a domain-authenti- cated user. Verify the ActivCard icon is displayed in the system tray. Insert an unprogrammed ActivCard-compatible smart card into the reader.
Select the installed smart card reader. f. Under Device status, verify the message “This device is working properly.” To begin the enrollment from the blade PC side, open the HP PC Session Allocation Client window by clicking Start > All Programs > Hewlett-Packard.
Page 15
Connect to the blade PC on which you will set up the smart card, and then log in as a domain- authenticated user. Verify the ActivCard icon is displayed in the system tray. Insert an unprogrammed ActivCard-compatible smart card into the reader. The ActivCard icon in the system tray changes from red to blue.
Requesting a certificate from the blade PC Open Internet Explorer and go to the Certification Server enrollment Web site. The address of this Web site was determined when the Certification Server was set up (see “Step 1: Configuring a Certif- icate Authentication (CA) service”...
Page 17
If a warning message displays about a potential scripting violation, press Yes to continue with the certificate request. After the system generates the public and private keys, the page to install the certificate displays. Select Install this certificate. This command installs the users’s certificate onto the smart card. If a warning message displays about a potential scripting violation, press Yes to continue with the certificate request.
Page 18
To verify that the CCI SmartCard Logon certificate for the user is installed on the smart card: Click the ActivCard icon in the system tray to open the ActivCard Gold utility. In the right pane, select the My Certificates icon. The system displays the username ID. Select the username ID to view the installed certificate, which shows: •...
Usage cases Usage case 1: User authentication from client device to blade PC using RDP The following steps provides instructions for performing a functional test of the CCI SmartCard Logon cer- tificate: Log out of the RDP session. Open the Remote Desktop Communications window and initiate a connection to the blade. Make sure a smart card is installed in the reader.
Open the HPSAM client window and initiate a connection to the blade PC. Make sure a smart card is installed in the reader. The system requests the smart card PIN. Type the PIN that you assigned. The user is logged into the blade PC. Usage case 3: Accessing secure Web site The following steps provide instructions for accessing a secure Web site using an ActivCard through a blade PC.
In Internet Explorer, type the address of a secure Web site. If the system displays security alert messages, click OK. The LED on the card reader indicates when the Web site is accessing the smart card to verify whether the certificate is approved for the site. After the secure Web site displays, a lock icon in the lower right corner of Internet Explorer confirms that you are connected to a secure Web site.
Page 22
In the Company Name box, type the name for the VPN connection (for example, Work), and then click Next. Select Do not dial the initial connection, and then click Next. In the text box, type the host name or IP address of the VPN tunnel, and then click Next. Select Use my smart card, and then click Next.
Page 23
Right-click on the VPN connection icon and select Properties. You can initiate the VPN connection after setting it up, as follows: Start the VPN connection. In Smart card PIN, type the PIN, and then click OK. While establishing the VPN connection, the system displays Verifying username and password and Authenticated.