Before beginning this article, it is necessary that you have successfully completed the article Install and Configure S-Series on First Use.
This article will describe how to configure the S-Series in order to manage the lifecycle of the Gemalto-Safenet eToken 5110 smart card tokens as these tokens have unique behavior to other smart card tokens in the Gemalto-Safenet minidriver suite. In this use-case we will configure the smart card token to be issued with a Windows smart card logon certificate.
Note: The PKI used in this example use case will be an MS CA.
Important: The eToken should not be enabled for FIPS support as the eToken minidriver currently does not support administration key change when the token is FIPS enabled.
Important: The eToken type needs to be a particular type. Please ensure that you use request stock type SKU: 909-000107-001 or 909-000417-002 when requesting this token type from your smart card provider.
Important: The eToken minidriver needs to be installed on any host where you will be managing the token from. It is recommended to use version 9.0.54 (or later) of the eToken minidriver. You can ascertain the version number from C:\Windows\System32, right click the file eTokenMD.dll and from Properties – Details you can see the version number.
Important: It is recommended that you are running version 5.3 or later of the S-Series.
Step 1 – Configure Smart Card Access
1. From Options – Smart Cards attach an eToken 5110 smart card that you will manage with the S-Series. The S-Series will filter the card type and present the card template.
2. Click the Edit button and for Smart Card Access select Use minidriver if possible.
3. Additionally, the Key type should be set to: DES-EDE3.
4. In the Administration Key section, the value set in Key on card before register and Key on card after unregister should be: 1D6A4F7A652E18203E3D3B0C70451022107F7420216E611B
Important: It is expected that the eToken 5110 are shipped with this specific profile in place where the administration key has the value as described in 4 above. However, it maybe that the token is not pre-configured with this profile. In this case you can enable the check box Initialize the token at registration. This will allow you to manage eTokens that are not in this expected profile state. However, it will be required to have the Safenet Authentication Client (SAC) PKCS#11 library available on the host where you are managing this token from. Also, the token will need to have been initialized using the SAC client where the Use default initialization key was used.
Step 2 – Configure Smart Card Template
1. From Templates – Card Templates click the Add
2. Click the Edit link beside General.
3. Enter a template name and attach an eToken 5110 smart card that is to be managed by this template and click the Detect You should see information in the window showing that a SafeNet eToken is detected. Click Ok to close out of the dialog.
4. Accept all default settings in the General dialog and click Ok to save the settings and close this dialog.
5. Click the Edit link for Issue Card.
6. From User ID Options section enable Assign User ID and select the AD connection already configured.
From Enroll Certificate Options section enable Enroll certificate(s) and click the Add button. Select the CA connection already configured from the Certificate Authority drop down list and select the smart card logon certificate template as configured on your CA from the Certificate template list.
Accept all other defaults for the Issue Card dialog and click Ok to save and close.
7. Click Ok to save and close the template.
Important: It is important that the Windows smart card logon certificate template on the CA is configured to require an authorized signature. From the Issuance Requirements tab for the certificate template properties on the CA make sure to enable This number of authorized signatures and set a value of 1 and for Application policy drop down list select the Certificate Request Agent option.
Step 3 – Issue Smart Card Token
1. From the Lifecycle page attach the smart card token that is to be issued and click the Issued Select the card template from the Select card template drop-down list and click the Execute button.
2. Enter the Operator token PIN (Passcode) code when prompted.
3. Select a user from AD that the smart card token is to be issued to.
4. When the issuance completes a message dialog indicating that an authentication key has been added to the S-Series will appear followed by a short summary dialog with details on what operations have been performed.
The smart card token is now in an Issued state as can be seen from the process diagram. By default, the smart card PIN will be blocked so it will be necessary to unblock the smart card. Typically, the person who will use this smart card will set the PIN code on the smart card.
5. Click the Active oval and click the Execute button.
6. Enter the Operator token PIN (Passcode) code when prompted.
7. Enter the PIN code that will be set on the smart card token. Click Initiate to set the PIN code on the smart card and make it active.
8. A summary dialog will appear. Click Ok to close.
9. As the smart card supports 2 PINs a second PIN will need to be set for the qualified Digital signature PIN even though this is not typically used. The PIN code needs to meet the PIN policy as set on the card. Click Initiate to set the PIN code on the smart card and make it active.
10. A summary dialog will appear. Click Ok to close.
11. The smart card will now be in an active state and can be used to perform Windows Smart Card logon.
Step 4 – Perform Windows Smart Card Logon
On a Windows system connected to the domain attach the smart card token and enter the smart card PIN code created earlier to logon.
This completes the use case.