8.2 Prerequisites for CardSpace

8.2.1 Enabling High Encryption

To enable high encryption, you need to replace the JRE's default US_export_policy.jar and local_policy.jar files with the unlimited strength versions. Both the Identity Server that acts as the relying party and the Identity Server that acts as the identity provider must be enabled for high encryption.

  1. Download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6 (jce_policy-6.zip).

  2. Extract the files.

  3. Copy the US_export_policy.jar and local_policy.jar files to the security directory for the JRE. They should replace the existing files:

    • Linux Identity Server: /opt/novell/java/jre/lib/security

    • Windows Server 2003 Identity Server: \Program Files\Novell\jre\lib\security

    • Windows Server 2008 Identity Server: \Program Files (x86)\Novell\jre\lib\security

  4. Restart Tomcat.

    • Linux Identity Server: Enter the following command:

      /etc/init.d/novell-tomcat5 restart

    • Windows Identity Server: Enter the following commands:

      net stop Tomcat5

      net start Tomcat5
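The following shell script is an added example, not part of the Novell documentation, that performs steps 3 and 4 above on a Linux Identity Server while keeping a timestamped backup of the export-restricted jars so the change can be reverted. The function names and the layout of the extracted jce_policy-6.zip directory are assumptions; both directories are passed as parameters, with the documented /opt/novell/java/jre/lib/security as the intended destination.

```shell
#!/bin/sh
# Added example (not from the Novell documentation): replace the JRE's
# export-restricted JCE policy jars with the unlimited strength versions.
# Usage: install_jce_policy <extracted-jce-dir> <jre-security-dir>
#   e.g. install_jce_policy ./jce /opt/novell/java/jre/lib/security

install_jce_policy() {
    src="$1"
    dest="$2"
    stamp=$(date +%Y%m%d%H%M%S)

    # Refuse to touch the JRE unless both replacement jars are present.
    for jar in US_export_policy.jar local_policy.jar; do
        [ -f "$src/$jar" ] || { echo "missing $src/$jar" >&2; return 1; }
    done
    [ -d "$dest" ] || { echo "no such directory: $dest" >&2; return 1; }

    for jar in US_export_policy.jar local_policy.jar; do
        # Keep the original jar for rollback before overwriting it.
        if [ -f "$dest/$jar" ]; then
            cp -p "$dest/$jar" "$dest/$jar.$stamp.bak" || return 1
        fi
        cp "$src/$jar" "$dest/$jar" || return 1
    done
    return 0
}

# Returns 0 when both jars in <jre-security-dir> are byte-identical to the
# ones in <extracted-jce-dir>, i.e. the replacement took effect on disk.
policy_jars_match() {
    for jar in US_export_policy.jar local_policy.jar; do
        cmp -s "$1/$jar" "$2/$jar" || return 1
    done
    return 0
}

# Step 4 of the procedure: the new policy is only read when the JVM starts.
restart_tomcat() {
    /etc/init.d/novell-tomcat5 restart
}
```

Run install_jce_policy, confirm with policy_jars_match, then restart_tomcat; the JVM reads the policy files only at startup, so the restart is not optional. A Java-side confirmation is that javax.crypto.Cipher.getMaxAllowedKeyLength("AES") returns Integer.MAX_VALUE once the unlimited policy is in place (128 with the restricted jars).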

8.2.2 Configuring the Client Machines for CardSpace

The client machines require a CardSpace card selector application. They also need to be configured to trust the machine that is acting as an identity provider.

Configuring Windows Clients for CardSpace

Windows clients require the Microsoft .NET Framework 3.5 service pack, and Internet Explorer needs to be configured to trust the identity providers that supply managed cards.

  1. (Conditional) Install the Microsoft .NET Framework 3.5 service pack.

    For Windows 7 and Vista clients, this is included with the operating system.

    For XP clients, you need to download and install it:

    1. Download the package. See Microsoft .NET Framework 3.5

    2. Install the package.

    3. To verify that it has been installed, click Control Panel > Add and Remove Programs, then search for a Microsoft .NET Framework 3.5 entry.

  2. (Conditional) If you are using Access Manager generated certificates, you need to install the trusted root certificate of the Identity Server CA so that Internet Explorer trusts the Identity Server.

    You must be an administrator user to complete these steps.

    1. In Internet Explorer, enter the base URL of the Identity Server.

    2. Click Continue to this website.

    3. In the URL line, click Certificate Error > View Certificates.

      The Certificate Information page displays information about the Identity Server server certificate.

    4. Click Certification Path, select the root CA certificate, then click View Certificate.

      The Certificate Information page displays information about the root CA certificate.

    5. Click Install Certificate > Next.

    6. Select Place all certificates in the following store, then click Browse.

    7. Select to Show physical stores, scroll to the Trusted Root Certification Authorities, open it, select Local Computer, then click OK.

    8. Click Next > Finish > OK.

    9. Close the browser.

    10. To verify that the correct certificate was installed, open the browser, then enter the base URL of the Identity Server.

      The certificate error should not appear in the URL line.

Configuring Linux Clients for CardSpace

The following instructions are for Linux clients running SUSE Linux Enterprise Server (SLES) 10. They explain how to use the Bandit DigitalMe card selector, including how to download it, install it, and configure it so that it trusts the Identity Server.

  1. Verify that you have updated Firefox to 2.x or later. DigitalMe does not work with Firefox 1.5.x.

  2. In Firefox, access the Bandit Card site by entering the following URL:

    http://cards.bandit-project.org
    
  3. Click Download a selector, then select to download the selector for OpenSUSE.

  4. Scroll to the bottom of the page, and install the Firefox add-on.

    1. Click Download DigitalMe add-on for Firefox (All Platforms).

    2. If you haven’t enabled the Bandit site to install plug-ins, click Edit Options, then enable the site and install the add-on.

  5. Download the appropriate selector for your OS. For SLES 10 with 32-bit hardware, select Download DigitalMe for SUSE Linux Enterprise 10 (i586) and save it as a file.

  6. Close Firefox.

  7. Open the download and install it.

  8. Export the public key certificates of the Identity Server. You need both the CA and server certificates.

    The following instructions explain how to log in to the Administration Console from the client machine with DigitalMe and export the certificates to the required directory.

    1. From a browser on the DigitalMe machine, log into the Administration Console.

    2. Click Security > Certificates.

    3. Click the name of the Identity Server certificate, then click Export Public Certificate > DER File.

    4. Select to save the file to disk, then click OK.

    5. Click Close, then click Trusted Roots.

    6. Click the name of the trusted root (the default name is configCA), then select to Export Public Certificate > DER File.

    7. Select to save the file to disk, then click OK.

    8. Copy the two certificate files to the following directory:

      /usr/share/digitalme/certs
      
  9. From the Application Browser, start the DigitalMe card selector.

  10. At the prompt to create a default keyring, enter a password, reenter the password, then click OK.
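The following shell script is an added example, not part of the Novell documentation, for step 8 above: it checks that the two files exported from the Administration Console really are DER files before copying them into the DigitalMe certificate directory. The Administration Console offers more than one export format, and a PEM file placed in /usr/share/digitalme/certs is not what the procedure calls for. The function names are assumptions; the destination defaults to the documented directory.

```shell
#!/bin/sh
# Added example (not from the Novell documentation): install the exported
# Identity Server certificates for DigitalMe after a format sanity check.
# Usage: install_digitalme_certs <server.der> <ca.der> [certs-dir]

is_der_cert() {
    # A DER-encoded X.509 certificate begins with an ASN.1 SEQUENCE tag
    # (0x30); a PEM export begins with "-----BEGIN". Empty files fail too.
    [ -s "$1" ] || return 1
    first=$(od -An -tx1 -N1 "$1" | tr -d ' \n')
    [ "$first" = "30" ]
}

install_digitalme_certs() {
    server="$1"
    ca="$2"
    dest="${3:-/usr/share/digitalme/certs}"

    # Both the server certificate and the trusted root must be DER.
    for f in "$server" "$ca"; do
        is_der_cert "$f" || { echo "not a DER certificate: $f" >&2; return 1; }
    done

    mkdir -p "$dest" || return 1
    cp "$server" "$dest/" && cp "$ca" "$dest/"
}
```

If openssl is installed on the client, `openssl x509 -inform DER -in ca.der -noout -subject` confirms that the file parses and shows which CA it belongs to (configCA by default), which is a stronger check than the leading-byte test alone.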