Creating smart card or USB token accounts
To create a smart card or USB token account, enable automatic account creation in SDMC so that the account creation process is transparent for the user when they insert their USB token or smart card for the first time. You can also manually create an account from the agent on the workstation.
In either case, the Stormshield Data Card Extension feature must be installed on users' workstations, with the other features from the SDS Enterprise agent. For more information, refer to the sections Deploying the SDS Enterprise agent installation package on user workstations and Installing and using the card extension (smart cards and USB tokens).
With a smart card or a USB token:
- Your private keys and certificates are stored on the smart card,
- The smart card itself performs the cryptographic calculations (signature and decryption) that use your private keys.
When an account associated with a smart card is created, the smart card must already contain the associated private keys and certificates.
To make it easier to deploy smart card or USB token accounts and to minimize user intervention, SDS Enterprise can automatically create the user’s account when the card or token is inserted for the first time. To do so, you must first install and configure the required middleware and enable the feature in SDMC. To select the appropriate middleware and enable automatic account creation, refer to the sections Configuring generic account settings and Setting account creation parameters.
The user simply needs to insert a USB token or smart card. SDS Enterprise automatically detects that the user does not have an existing account and offers to create one. To continue, the user only needs to enter the PIN for the smart card or USB token, and the SDS Enterprise account is then created.
To create the account manually from the SDS Enterprise agent on the workstation:
- On the user workstation, right-click on the SDS Enterprise icon in the Windows system tray.
- Select New user.
- Select Account with physical or virtual smart card.
- Select the smart card or USB token you wish to use.
- Choose the type of key you want to create from the drop-down menu:
  - Use two different keys to encrypt and sign,
  - Use one key to encrypt only,
  - Use one key to sign only.
- Click on Create your account.
- Insert your smart card or token in the reader, type your PIN and click on Connect.
SDS Enterprise reads the card and displays its contents: the card must contain all the required information (public key, private key, certificate).
- Select the key to be reused.
- Proceed to the next screen and check the summary of your account.
- Click on Finish.
The SDS Enterprise account created using a smart card or USB token has the serial number of the card or token as an identifier.
In addition to the user’s current keys, other encryption keys may be saved on the smart card or USB token.
SDS Enterprise automatically uses these encryption keys to decrypt documents (messages/files) when the current key cannot do it.
These keys can come from several sources:
- The user’s old encryption keys. Obsolete keys may be saved on the card (with their associated certificates) to allow the user to decrypt files that were encrypted with old keys. This is particularly useful for archived files,
- External keys. For example, keys for former employees that can be used to retrieve information (files/messages).
The keys on the card are not identified in the same way by every SDS Enterprise feature. Some features identify a key by its PKCS#11 CKA_ID attribute (so the key must always keep the same CKA_ID value), while others identify it using information from its certificate (issuer and serial number).
We recommend that keys stored on the cards always have the same CKA_ID PKCS#11 attribute and that all of the associated certificates are also present.
To renew certificates or keys on smart cards and USB tokens, take note of the information below.
When renewing certificates on the smart card or USB token, the new certificates are effective the next time the user connects to SDS Enterprise.
When a new certificate is added, the certificate object that is created must have the same CKA_ID PKCS#11 attribute as the old one.
The old certificate should not be deleted unless SDS Enterprise has correctly recognized the new one. You can check whether the new certificate is recognized in the SDS Enterprise agent's key ring.
When renewing keys (with the associated certificate), the new keys are used when the old keys become obsolete or, more specifically, when their certificate becomes obsolete.
For an account with several keys (one for encryption and one for signing), the new keys are selected based on the use of the associated certificates.
The old keys (signature and encryption) should not be deleted unless SDS Enterprise has correctly recognized the new ones. You can check whether the new keys are recognized in the SDS Enterprise agent's key ring.
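The following added example (not Stormshield's code) illustrates the two identification rules above and the renewal checks: it inspects a constructed inventory of PKCS#11 objects, flags a private key whose certificate is missing, flags a renewed certificate that was created under a new CKA_ID instead of the old one, checks that no two certificates share the same issuer and serial number, and shows which certificate is current once the old one has expired. The object layout, issuer names, serial numbers, dates and the "latest unexpired certificate" selection rule are assumptions made for the example.

```python
from collections import defaultdict
# Constructed inventory of one card: each dict mimics the PKCS#11 attributes a
# middleware returns (CKA_CLASS, CKA_ID, CKA_LABEL, issuer, serial, expiry).
SAMPLE_CARD = [
    {"class": "private_key", "id": "01", "label": "enc-key"},
    {"class": "certificate", "id": "01", "issuer": "CN=Corp CA", "serial": 1001,
     "not_after": "2023-01-01"},                    # old encryption certificate
    {"class": "certificate", "id": "01", "issuer": "CN=Corp CA", "serial": 1742,
     "not_after": "2026-01-01"},                    # renewed, same CKA_ID: correct
    {"class": "private_key", "id": "02", "label": "sign-key"},
    {"class": "certificate", "id": "07", "issuer": "CN=Corp CA", "serial": 1743,
     "not_after": "2026-01-01"},                    # renewed under a NEW CKA_ID: wrong
    {"class": "private_key", "id": "03", "label": "enc-key-2019"},
    {"class": "certificate", "id": "03", "issuer": "CN=Corp CA", "serial": 410,
     "not_after": "2020-01-01"},                    # archived key kept for old files
]

def check_card(objects):
    """Return (problem, cka_id, detail) tuples; empty list means layout is OK."""
    keys = {o["id"]: o for o in objects if o["class"] == "private_key"}
    certs = defaultdict(list)
    for o in objects:
        if o["class"] == "certificate":
            certs[o["id"]].append(o)
    findings = []
    # Every private key must have its associated certificate on the card.
    for cka_id, key in keys.items():
        if cka_id not in certs:
            findings.append(("key_without_certificate", cka_id, key["label"]))
    # A certificate whose CKA_ID matches no key is not recognised as the key's
    # certificate: a renewed certificate must be created with the old CKA_ID.
    for cka_id, clist in certs.items():
        if cka_id not in keys:
            for c in clist:
                findings.append(("certificate_without_key", cka_id, c["serial"]))
    # Features that identify keys by (issuer, serial) need that pair unique.
    seen = set()
    for c in (o for o in objects if o["class"] == "certificate"):
        ident = (c["issuer"], c["serial"])
        if ident in seen:
            findings.append(("duplicate_issuer_serial", c["id"], c["serial"]))
        seen.add(ident)
    return findings

def current_certificate(objects, cka_id, today):
    """Certificate used for a key on ISO date `today`: assumed rule is the
    unexpired one with the latest expiry, so a renewed cert supersedes the old."""
    valid = [o for o in objects if o["class"] == "certificate"
             and o["id"] == cka_id and o["not_after"] >= today]
    return max(valid, key=lambda c: c["not_after"], default=None)
```

Running `check_card(SAMPLE_CARD)` reports the signing key as having no certificate and certificate 1743 as matching no key, which is exactly the state a renewal under a new CKA_ID leaves behind; the fix is to recreate the certificate object with CKA_ID 02.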