Installing and using the card extension (smart cards and USB tokens)
If you choose to use smart card, USB token or Single Sign-On (SSO) accounts for your users, you must first install the Stormshield Data Card Extension feature on workstations and configure its use in the security policy.
The SDS Enterprise extension for smart cards and USB tokens or Single Sign-On accounts can be installed on workstations at the same time as the other features. For further information, refer to Deploying the SDS Enterprise agent installation package on user workstations.
For subsequent installations, follow the steps below:
- Open the Start menu in the task bar.
- Open the Control panel and select Add/Delete programs.
- From the list of programs, select SDS Enterprise.
- Click on Change. You will be in Maintenance mode.
- Select Modify then go through the screens that follow.
- Select Stormshield Data Card extension.
- Complete the installation procedure.
SDS Enterprise makes it possible to use any smart card or USB token as long as its vendor provides a compatible PKCS#11 cryptographic module (standard interface).
For smart cards and tokens by vendors that have published mini drivers with Microsoft, the Stormshield Data Security middleware provided by default can be used so that plug-and-play can be supported. This middleware is also used in the operation of SSO accounts.
For other smart cards and tokens, the compatible middleware must be installed manually beforehand on workstations.
SDMC makes it possible to indicate in the security policy the middleware to be used, so that SDS Enterprise can communicate with users' smart cards and tokens. For further information, refer to the section Configuring generic account settings.
In the security policy's .json configuration file, you can manually specify several middleware options to use (cardMiddlewares parameter). For more information, refer to the
On users' workstations, the list of available middleware can be shown:
- By right-clicking on the SDS Enterprise icon in the Windows taskbar, then selecting the menu Select smart card or USB token. When several middleware programs are specified in the security policy, the first in the list will be automatically selected.
- In the Card extension configurator, which can be accessed from Start > Stormshield Data Security Suite.
You can select another middleware program in the configurator or from the taskbar. If you do not find the middleware associated with your type of card from the list, the SDS Enterprise middleware installed by default can be used with all the cryptographic media compatible with Microsoft’s CNG technology (plug‑and‑play).
For the full list of smart cards and keys that SDS Enterprise supports, get in touch with our Technical Assistance Center (TAC).
In the Card extension configurator, click on Information to test the PKCS#11 interface module: the number of drives detected is indicated. If the PKCS#11 DLL cannot be reached, an error message will indicate it. In this case, verify the name and path of the DLL and check that the items this DLL requires are present (especially other DLLs).
The following screen capture shows that the card extension exists and is configured for Gemalto smart cards. However, no USB token is actually present.
The following screen capture shows that a USB token is inserted and presents the USB token’s characteristics as well as public objects such as public keys and certificates.
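The checks described above (name and path of the PKCS#11 DLL, whether it and its dependencies load, and how many slots it reports) can also be run from a script. The following Python example is added here and is not Stormshield code; diagnose_pkcs11 and its status strings are hypothetical names, and it assumes a Python interpreter of the same bitness as the DLL being tested.

```python
# Added example: function name and status strings are illustrative, not part of SDS Enterprise.
import ctypes
import os
import sys

class CK_VERSION(ctypes.Structure):
    _fields_ = [("major", ctypes.c_ubyte), ("minor", ctypes.c_ubyte)]

CK_RV = ctypes.c_ulong  # CK_ULONG is "unsigned long" in the PKCS#11 headers
INIT_T = ctypes.CFUNCTYPE(CK_RV, ctypes.c_void_p)
SLOTS_T = ctypes.CFUNCTYPE(CK_RV, ctypes.c_ubyte, ctypes.POINTER(ctypes.c_ulong),
                           ctypes.POINTER(ctypes.c_ulong))

class CK_FUNCTION_LIST(ctypes.Structure):
    # Only the leading entries are declared; order follows the PKCS#11 v2.x header.
    if os.name == "nt":
        _pack_ = 1  # Cryptoki structures are 1-byte packed on Windows
    _fields_ = [("version", CK_VERSION), ("C_Initialize", INIT_T),
                ("C_Finalize", INIT_T), ("C_GetInfo", ctypes.c_void_p),
                ("C_GetFunctionList", ctypes.c_void_p), ("C_GetSlotList", SLOTS_T)]

def diagnose_pkcs11(path):
    """Return (status, slot_count); slot_count is None unless status is 'ok'."""
    if not os.path.isfile(path):
        return ("not-found", None)          # wrong name or path
    try:
        lib = ctypes.CDLL(path)
    except OSError:
        return ("load-failed", None)        # missing dependent DLL or wrong bitness
    try:
        get_list = lib.C_GetFunctionList    # standard PKCS#11 entry point
    except AttributeError:
        return ("not-pkcs11", None)
    get_list.restype = CK_RV
    get_list.argtypes = [ctypes.POINTER(ctypes.POINTER(CK_FUNCTION_LIST))]
    funcs = ctypes.POINTER(CK_FUNCTION_LIST)()
    if get_list(ctypes.byref(funcs)) != 0 or not funcs:
        return ("function-list-error", None)
    api = funcs.contents
    if api.C_Initialize(None) != 0:         # 0 is CKR_OK
        return ("init-error", None)
    try:
        count = ctypes.c_ulong(0)
        rv = api.C_GetSlotList(0, None, ctypes.byref(count))  # 0: include empty readers
        return ("ok", count.value) if rv == 0 else ("slot-list-error", None)
    finally:
        api.C_Finalize(None)

if __name__ == "__main__":
    print(diagnose_pkcs11(sys.argv[1]))
```

A "load-failed" result for a file that exists usually points to a missing dependent DLL or a 32-bit/64-bit mismatch. Python 3.8 and later on Windows does not search PATH for dependent DLLs, so dependencies located only through PATH will also produce this status.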
You can view private objects (essentially private keys) in the Card extension configurator:
- Click on Information.
- Select the line Status: not connected in the information window.
- Click on View private objects. This button will not be available if the previous line is not selected.
- Enter the PIN.
By using the Information window, issues with access to cards can be analyzed.
The Save as button makes it possible to save the content of the window in a file. Technical support usually asks for the content of this file when there is an issue with access to the smart card or USB token.