Configuring the middleware required for Card or USB token accounts
To communicate with a smart card or USB token, SDS Enterprise requires the presence of middleware on user workstations.
SDS Enterprise makes it possible to use any smart card or USB token as long as its vendor provides a compatible PKCS#11 cryptographic module (standard interface).
SDS Enterprise provides the Stormshield Data Security middleware by default, but you can use others by specifying them in the security policy.
In this case, you must manually install the middleware on the users’ workstations.
For smart cards and tokens by vendors that have published mini drivers with Microsoft, the Stormshield Data Security middleware provided by default can be used so that plug-and-play can be supported.
In addition, to operate the Card or USB token account type for your users, you must first install the card extension on the workstations, as described in the sections below.
The Card Extension Configurator allows you to view the middleware used by SDS Enterprise to communicate with the card or USB token. The middleware used is registered in the registry database. If required, the extension also allows you to select another middleware that you specified in the security policy.
The installation of the extension is also required for the operation of Single Sign-on (SSO) accounts. The Stormshield Data Security middleware is used for this type of account. For more information on how to use SSO accounts, refer to the section Creating a Single Sign-On (SSO) account.
The security policy lists the middleware that SDS Enterprise can use on user workstations to communicate with smart cards or USB tokens.
If you configure the security policy via SDMC, see Configuring generic account settings. By default, the Stormshield Data Security middleware is selected. Only one middleware solution can be selected via SDMC.
In the security policy's .json configuration file, you can manually specify several middleware options to use (cardMiddlewares parameter). For more information, refer to the SDS Enterprise Advanced configuration guide.
When the security policy is deployed and taken into account by the user workstations, the middleware to be used is registered in the registry. If more than one middleware is specified in the policy, SDS Enterprise takes into account, in order of appearance, the first middleware in the list that is functional on the workstation. This means that it must be available and run without errors.
The configuration information of the middleware used is written in the following registry keys:
- HKEY_LOCAL_MACHINE\SOFTWARE\Arkoon\Security BOX Enterprise\Kernel\Components\Pkix
  - Pkcs11CardDll: path to the middleware DLL,
  - Pkcs11CardLabel: middleware name.
- HKEY_LOCAL_MACHINE\SOFTWARE\Arkoon\Security BOX Enterprise\Properties\NewUserWizardGP1 and NewUserWizardGP2
  - eCKA_[ATTRIBUTE]: parameters that control the use of the various PKCS#11 attributes during communication with smart cards/USB tokens.
Each time SDS Enterprise starts, it reads from the registry which middleware to use. We do not recommend that you change these values manually.
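As an added example (not Stormshield's own tooling), the following PowerShell script reads the Pkcs11CardDll and Pkcs11CardLabel values from the Pkix key listed above and checks that the DLL really loads and exports C_GetFunctionList, the entry point every PKCS#11 module must provide; it also applies the documented first-functional-in-order rule to an arbitrary list of candidate DLL paths. The function names and the candidate list are this example's own assumptions.

```powershell
# Added example, not part of SDS Enterprise. Registry path and value names are the
# documented ones; Test-Pkcs11Module and Select-FirstFunctionalMiddleware are assumed names.
$PkixKey = 'HKLM:\SOFTWARE\Arkoon\Security BOX Enterprise\Kernel\Components\Pkix'
# Minimal P/Invoke wrapper: LoadLibrary fails when the DLL or one of its dependent DLLs is missing.
Add-Type -Namespace SdsCheck -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr LoadLibrary(string lpFileName);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool FreeLibrary(IntPtr hModule);
'@
function Test-Pkcs11Module {
    param([Parameter(Mandatory)][string]$DllPath)
    $result = [pscustomobject]@{ Dll = $DllPath; Functional = $false; Reason = '' }
    if (-not (Test-Path -LiteralPath $DllPath -PathType Leaf)) {
        $result.Reason = 'DLL not found (check name and path)'; return $result
    }
    $h = [SdsCheck.Native]::LoadLibrary($DllPath)
    if ($h -eq [IntPtr]::Zero) {
        $code = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        $result.Reason = "LoadLibrary failed, Win32 error $code (dependent DLL missing or wrong bitness?)"
        return $result
    }
    try {
        # Every PKCS#11 module exports C_GetFunctionList; without it the file is not a PKCS#11 module.
        if ([SdsCheck.Native]::GetProcAddress($h, 'C_GetFunctionList') -eq [IntPtr]::Zero) {
            $result.Reason = 'C_GetFunctionList not exported'
        } else {
            $result.Functional = $true; $result.Reason = 'ok'
        }
    } finally { [void][SdsCheck.Native]::FreeLibrary($h) }
    return $result
}
# Mirrors the documented selection rule: first candidate, in policy order, that is functional.
function Select-FirstFunctionalMiddleware {
    param([string[]]$CandidateDlls)
    foreach ($dll in $CandidateDlls) {
        $r = Test-Pkcs11Module -DllPath $dll
        if ($r.Functional) { return $r }
    }
    return $null
}
# Report the middleware currently registered by SDS Enterprise and test it.
$pkix = Get-ItemProperty -Path $PkixKey -ErrorAction Stop
"Registered middleware: $($pkix.Pkcs11CardLabel) -> $($pkix.Pkcs11CardDll)"
Test-Pkcs11Module -DllPath $pkix.Pkcs11CardDll | Format-List
```

Run it in a PowerShell whose bitness matches the middleware DLL: a 32-bit module cannot be loaded by 64-bit PowerShell, and LoadLibrary then reports Win32 error 193 (ERROR_BAD_EXE_FORMAT) rather than a genuine dependency problem.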
You can select another middleware to use at any time from a user’s workstation. The values in the registry are then updated automatically. For further information, refer to the section Configuring log management.
The SDS Enterprise extension for smart cards and USB tokens or Single Sign-On accounts can be installed on workstations at the same time as the other features. For further information, refer to Deploy the SDS Enterprise agent installation package and a custom security policy to user workstations.
For subsequent installations, follow the steps below:
- Open the Start menu in the user workstation taskbar.
- Open the Control panel and select Add/Delete programs.
- From the list of programs, select SDS Enterprise.
- Click on Change. You will be in Maintenance mode.
- Select Modify then go through the screens that follow.
- Select Stormshield Data Card extension.
- Complete the installation procedure.
To open the Card Extension Configurator:
- Click on the Start > Stormshield Data Security Suite > Card extension configurator menu.
The Card or USB stick type menu displays the middleware used by SDS Enterprise on the workstation, as defined by the security policy.
You can select another middleware. The drop-down list shows all those specified in the security policy, in the order they appear in the policy. In this case, the middleware configuration is changed in the registry and a restart of SDS Enterprise is required.
If the newly selected middleware is not available, an error is displayed.
- Click Information to investigate card or token access issues. The menu is used to test the PKCS#11 interface module: the number of readers visible is indicated. If the PKCS#11 DLL cannot be reached, an error message will indicate it. In this case, simply verify the name and path of the DLL and verify whether the items required by this DLL are present (especially other DLLs).
The following screen capture shows that the card extension exists and is configured for Gemalto smart cards. However, there are no actual USB tokens.
The following screen capture shows that a USB token is inserted and presents the USB token’s characteristics as well as public objects such as public keys and certificates.
You can also select another middleware from the SDS Enterprise menu:
- Right-click on the SDS Enterprise icon in the Windows taskbar, then select the menu Select smart card or USB token. The menu is only visible when no user is logged in. Unlike the Card Extension Configurator, this menu only displays the middleware that is installed on the workstation and functional.
You can view private objects (essentially private keys) in the Card extension configurator:
- Click on Information.
- Select the line Status: not connected in the information window.
- Click on View private objects. This button will not be available if the previous line is not selected.
- Enter the PIN.
The Save as button makes it possible to save the content of the window in a text file.