8.2 Installing SecureLogin for Smart Cards

8.2.1 Client Setup

During the installation of SecureLogin the smart card option can be selected by the administrator to enable a SecureLogin user to utilize a smart card to encrypt their directory data using a Public Key Infrastructure (PKI) token.

Existing ActivClient smart card settings are used by SecureLogin if they are detected unless the administrator chooses otherwise.

The administrator can optionally select an alternative cryptographic service provider (Microsoft Crypto API) from a drop-down list. SecureLogin supports ActivClient and Microsoft BaseCSP MiniDriver smart card middleware. Contact NetIQ Support if your organization uses any other cryptographic service provider.

8.2.2 Server Side Administration Preferences

SecureLogin is a highly configurable and flexible product, with numerous preferences and options that allow the system administrator to implement and enforce corporate directory policy across an enterprise.

Corporate policies may include, but are not limited to, enabling strong application security, how SSO data is encrypted and stored, how password and passphrase policies are implemented and enforced, and the management procedures for lost smart card scenarios.

In the case of strong security requirements, administrators should be fully aware of the implications of linking the use of SecureLogin to a smart card and disabling the passphrase functionality.

Various combinations and permutations of configuring SecureLogin for use with smart cards are covered in the following sections.

8.2.3 Minimum Requirements

For general information about the minimum requirements for using smart cards with SecureLogin, see the NetIQ SecureLogin Installation Guide for your directory environment.

8.2.4 Supported Configurations

SecureLogin supports the following smart card middleware:

  • ActivClient 6.x and 7.x

  • Microsoft BaseCSP MiniDriver

NOTE: SecureLogin might work with other smart card vendor middleware, but those are not tested and are not supported.

While installing SecureLogin with the smart card option selected, select the appropriate cryptographic service provider and the PKCS#11 dynamic link library file path. If the appropriate version of the PKCS#11 library file is not present during installation, SecureLogin installs without smart card support. However, if a required library file is missing, errors can occur.

For example, if the PKCS#11 wrapper library file aetpksse.dll is missing, the error message Access to smart card failed is shown when the Access Manager attempts to access the smart card. To avoid this error, ensure that the aetpksse.dll file is available at C:\WINDOWS\system32\.

PKCS#11 Library Path

  Smart Card Middleware                    PKCS#11 Library Path
  ActivClient 6.2                          C:\Program Files\ActivIdentity\ActivClient\acpkcs211.dll
  ActivClient versions previous to 6.2     C:\Windows\System32\acpkcs211.dll

If smart card middleware is installed after SecureLogin is installed, the registry key settings for the cryptographic service provider and the PKCS#11 dynamic link library file path must be changed manually; to activate the smart card support, uninstall or reinstall SecureLogin.

NOTE: Manually configuring a third-party smart card PKCS#11 link library assumes a high level of understanding of the cryptographic service provider's product. System administrators are encouraged to use the ActivClient smart card support with SecureLogin whenever possible.
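The following pre-flight check is an added example, not NetIQ's own code: it verifies that the PKCS#11 libraries named in this section exist on the workstation (reporting their file versions, since the installer silently drops smart card support when the expected version is absent) and, for an existing installation, that the path recorded in the registry still resolves. The registry key HKLM:\SOFTWARE\PLACEHOLDER\SecureLogin and value name Pkcs11Library are placeholders, because the page does not name SecureLogin's key.

```powershell
# Added example (not from the NetIQ documentation). Checks the PKCS#11 library
# paths this section lists before SecureLogin is installed with the smart card
# option, and re-checks the configured path if SecureLogin is already present.

function Test-Pkcs11Library {
    param([Parameter(Mandatory)][string]$Path, [string]$Purpose = '')
    $present = Test-Path -LiteralPath $Path -PathType Leaf
    # File version matters: the installer needs the appropriate library version.
    $version = if ($present) { (Get-Item -LiteralPath $Path).VersionInfo.FileVersion } else { $null }
    [pscustomobject]@{ Purpose = $Purpose; Path = $Path; Present = $present; FileVersion = $version }
}

# Library paths given in this section, plus the wrapper DLL whose absence
# produces the "Access to smart card failed" error.
$candidates = @(
    @{ Purpose = 'ActivClient 6.2 PKCS#11';        Path = 'C:\Program Files\ActivIdentity\ActivClient\acpkcs211.dll' }
    @{ Purpose = 'ActivClient before 6.2 PKCS#11'; Path = Join-Path $env:SystemRoot 'System32\acpkcs211.dll' }
    @{ Purpose = 'PKCS#11 wrapper (aetpksse.dll)'; Path = Join-Path $env:SystemRoot 'System32\aetpksse.dll' }
)
$results = foreach ($c in $candidates) { Test-Pkcs11Library @c }
$results | Format-Table -AutoSize

if (-not ($results | Where-Object Present)) {
    Write-Warning 'No supported PKCS#11 library found; SecureLogin would install without smart card support.'
}

# If SecureLogin is already installed, confirm the library path it was configured
# with still resolves. A missing file here points at middleware installed or moved
# after SecureLogin, which is the case where the registry setting must be updated.
$regPath  = 'HKLM:\SOFTWARE\PLACEHOLDER\SecureLogin'   # PLACEHOLDER: substitute the documented key
$regValue = 'Pkcs11Library'                            # PLACEHOLDER: substitute the documented value name
$configured = (Get-ItemProperty -Path $regPath -Name $regValue -ErrorAction SilentlyContinue).$regValue
if ($configured) {
    Test-Pkcs11Library -Path $configured -Purpose 'Configured in registry' | Format-List
} else {
    Write-Output "No PKCS#11 path found at $regPath\$regValue (SecureLogin not installed, or the key differs)."
}
```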

For detailed instructions about installing SecureLogin for use with smart cards and cryptographic tokens, see the NetIQ SecureLogin Installation Guide for your directory environment.