8.2 Installing Novell SecureLogin for Smart Cards

8.2.1 Client Setup

During installation of Novell SecureLogin, the administrator can select the smart card option, which enables a Novell SecureLogin user to use a smart card to encrypt their directory data using a Public Key Infrastructure (PKI) token.

Existing ActivClient smart card settings are used by Novell SecureLogin if they are detected (highly recommended) unless the administrator chooses otherwise.

The administrator can optionally select an alternative cryptographic service provider (Microsoft Crypto API) from a drop-down list. Novell SecureLogin supports ActivClient, Gemalto (formerly Axalto), AET SafeSign, Athena, and Fujitsu mPollux DigiSign smart card middleware. Contact Novell Support if your organization uses any other cryptographic service provider.

8.2.2 Server Side Administration Preferences

Novell SecureLogin is a highly configurable and flexible product and numerous preferences and options are available to the system administrator to implement and enforce corporate directory policy across an enterprise.

Corporate policies may include, but are not limited to, enabling strong application security, how SSO data is encrypted and stored, how password and passphrase policies are implemented and enforced, and setting of management procedures for lost smart card scenarios.

In the case of strong security requirements, administrators should be fully aware of the implications of linking the use of Novell SecureLogin to a smart card and disabling the passphrase functionality.

Various combinations and permutations of configuring Novell SecureLogin for use with smart cards are covered in the following sections.

8.2.3 Minimum Requirements

For general information about the minimum requirements for using smart cards with Novell SecureLogin, see the Novell SecureLogin Installation Guide for your directory environment.

8.2.4 Supported Configurations

SecureLogin supports the following smart card middleware:

  • ActivClient version 6.2 or later

  • Gemalto (formerly Axalto) 5.3 hotfix 11

  • AET SafeSign 2.3.0

  • Athena Middleware v5.22

  • Fujitsu mPollux DigiSign v3.1.9

NOTE: SecureLogin might work with other smart card vendor middleware, but these are untested and are not supported.

While installing SecureLogin with the smart card option selected, select the appropriate cryptographic service provider and PKCS#11 dynamic link library file path. If the appropriate version of the PKCS#11 library file is not present during installation, SecureLogin installs without smart card support. However, if a required library file is missing, errors can occur.

For example, if the PKCS#11 wrapper library file aetpksse.dll is missing, the error message "Access to smart card failed" is shown when the Access Manager attempts to access the smart card. To avoid this error, ensure that the aetpksse.dll file is available at C:\WINDOWS\system32\.

If ActivClient is installed after SecureLogin is installed, the registry key settings must be changed manually; to activate the smart card support, uninstall or re-install SecureLogin.

PKCS 11 Library Path

Smart Card Middleware                   PKCS 11 Library path
------------------------------------    ------------------------------------------------------------------------------
ActivClient 6.2                         C:\Program Files\ActivIdentity\ActivClient\acpkcs211.dll
ActivClient versions previous to 6.2    C:\Windows\System32\acpkcs211.dll
Gemalto                                 C:\Program Files\Gemalto\DotNet PKCS11\gtop11dotnet.dll
AET SafeSign                            C:\Windows\System32\aetpksse.dll
Athena Middleware                       C:\Windows\System32\asepkcs.dll
Fujitsu mPollux DigiSign                C:\Program Files\Fujitsu Services\Fujitsu mPollux DigiSign Client\Cryptoki.dll

If smart card middleware is installed after SecureLogin is installed, the registry key settings for cryptographic service provider and PKCS#11 dynamic link library file path must be changed manually; to activate the smart card support, uninstall or re-install SecureLogin.

NOTE: Manually configuring a third-party smart card PKCS #11 link library assumes a high level of understanding of the cryptographic service provider’s product. System administrators are encouraged to use the ActivClient smart card support with Novell SecureLogin whenever possible.

For detailed instructions about installing Novell SecureLogin for use with smart cards and cryptographic tokens, see the Novell SecureLogin Installation Guide for your directory environment.
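A pre-installation check for the missing-library failure described in this section, as an added example that is not part of the Novell documentation: it tests each path from the PKCS 11 Library Path table and reports the file version and Authenticode signature status of every library it finds. The helper name Test-Pkcs11Library is hypothetical, the System32 spelling is assumed for the older ActivClient path, and the signature check is an extra verification step that this guide does not describe.

```powershell
# Added example. Paths are copied from the "PKCS 11 Library Path" table above.
$Pkcs11Libraries = [ordered]@{
    'ActivClient 6.2'                      = 'C:\Program Files\ActivIdentity\ActivClient\acpkcs211.dll'
    'ActivClient versions previous to 6.2' = 'C:\Windows\System32\acpkcs211.dll'
    'Gemalto'                              = 'C:\Program Files\Gemalto\DotNet PKCS11\gtop11dotnet.dll'
    'AET SafeSign'                         = 'C:\Windows\System32\aetpksse.dll'
    'Athena Middleware'                    = 'C:\Windows\System32\asepkcs.dll'
    'Fujitsu mPollux DigiSign'             = 'C:\Program Files\Fujitsu Services\Fujitsu mPollux DigiSign Client\Cryptoki.dll'
}

# Hypothetical helper: reports presence, file version and signature of one library.
function Test-Pkcs11Library {
    param(
        [Parameter(Mandatory = $true)] [string] $Middleware,
        [Parameter(Mandatory = $true)] [string] $Path
    )
    $result = [ordered]@{
        Middleware = $Middleware; Path = $Path; Present = $false
        FileVersion = ''; Signature = 'n/a'; Signer = ''
    }
    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        $result.Present = $true
        $result.FileVersion = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
        # A PKCS#11 module is loaded into the process that uses it, so record
        # whether it carries a valid Authenticode signature and who signed it.
        $sig = Get-AuthenticodeSignature -LiteralPath $Path
        $result.Signature = [string]$sig.Status
        if ($sig.SignerCertificate) { $result.Signer = $sig.SignerCertificate.Subject }
    }
    [pscustomobject]$result
}

$report = foreach ($entry in $Pkcs11Libraries.GetEnumerator()) {
    Test-Pkcs11Library -Middleware $entry.Key -Path $entry.Value
}
$report | Format-List

# No library found means SecureLogin would install without smart card support.
if (-not ($report | Where-Object { $_.Present })) {
    Write-Warning 'No supported PKCS#11 library found; install the middleware first.'
}
# Present but unsigned or modified modules deserve a closer look before use.
$report | Where-Object { $_.Present -and $_.Signature -ne 'Valid' } | ForEach-Object {
    Write-Warning "$($_.Middleware): signature status is $($_.Signature) for $($_.Path)"
}
```

Run it from a 64-bit PowerShell session on 64-bit Windows; a 32-bit session has C:\Windows\System32 redirected to SysWOW64 and can report a library as missing when it is present.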