The Smart Card Manager is a simple client application designed manage security smart card within the context of the overall Dogtag Certificate System. Update!! Dogtag Certificate System is now live. More information on Dogtag can be found here: Dogtag. Specifically this component interacts with the Token Processing System component of Dogtag Certificate System providing the following functions:
More information on the Token Processing System portion of Dogtag can be found here: TPS
The Dogtag Certificate System creates, manages, renews, and deletes certificates and keys within an organization. There are five subsystems which govern the behavior of the public-key infrastructure (PKI) of the organization:
End users can use security tokens, which are also called smart cards, to store user certificates used for applications such as single sign-on access and client authentication. End users are issued the tokens containing certificates and keys required for signing, encryption, and other cryptographic functions. To use the tokens, the TPS must be able to recognize and communicate with them. The tokens have to be enrolled, the process of formatting tokens with keys and certificates and adding them to the Certificate System. Smart Card Manager provides the user interface for end entities to enroll tokens and to communicate with the TPS. Smart Card Manager provides the conduit through which TPS communicates with each token over a secure HTTP channel (HTTPS).
After a token is enrolled, applications such as Mozilla Firefox and Thunderbird can be configured to recognize the token and use it for security operations, like client authentication and S/MIME mail. Smart Card Manager provides the following capabilities:
The Smart Card Manager makes heavy use of Mozilla browser technology in its operation:
On each platform , Smart Card Manager, depends upon a variety of low level components for its operation. Following is a list of the low level components:
Smart Card Manager runs on the following platforms:
Smart Card Manager brings the following set of features:
The following pre-built binaries of ESC are available as follows:
ESC is part of Fedora 8 in the Extras group. To get ESC simply as root:
yum install esc
Being able to build Smart Card Manager on each platform at this point depends upon one’s ability to build a Mozilla browser. This is the case since Xulrunner is simply a build variation of the Mozilla browser base. The Linux and Windows platform build Xulrunner 1.8.0.4 while Mac builds Xulrunner 1.8.0.7 for Universal binary functionality. Building the browsers can be a lengthy process based on machine.
The code is available on CVS. To check out the code,simply do the following:
cvs -d :pserver:anonymous@cvs.fedora.redhat.com/cvs/dirsec co esc
The following build instructions are divided per platform:
Building on Linux requires that one can build the Mozilla Lizard. Building has been tested on F6 and F7. Requirements for this can be found here: Linux Build Prerequisites
Inspection of the current spec file BuildRequires section also reveals what is needed:
BuildRequires: doxygen fontconfig-devel freetype-devel >= 2.1
BuildRequires: glib2-devel libIDL-devel atk-devel gtk2-devel libjpeg-devel
BuildRequires: pango-devel libpng-devel pkgconfig zlib-devel
BuildRequires: nspr-devel nss-devel
BuildRequires: autoconf213 libX11-devel libXt-devel
BuildRequires: pcsc-lite-devel coolkey-devel
BuildRequires: desktop-file-utils zip binutils libnotify-devel
BuildRequires: dbus-devel
Requires: pcsc-lite ifd-egate coolkey nss nspr
Requires: zip dbus >= 0.90 libnotify >= 0.4.2
The above kicks off a simple script that will download the latest SRPM and build it under a buildroot under the current “rpm” directory.
Smart Card Manager and supporting components are built as universal binary executables able to run on Intel or PPC hardware.
Building Smart Card Manager on the cat requires once again that Mozilla can be built.
here: OS X Mozilla Build Prerequisites
When satisfying the Mozilla requirements make sure to install both Fink and MacPorts package management systems as directed or the build will not complete.
XCode 2.2 and greater, 2.2 and 2.3 have been tested.
RPM for OS X is helpful in building one of the sub components find it here: http://rpm4darwin.sourceforge.net/
./mac-build.sh
Note the building of the Xulrunner portion will take quite some time since Mozilla essentially builds xulrunner twice, once for PPC and once for i386.
The output Smart Card Manager bundle will be in:
./esc/dist/Darwin`<kernel>`_OPT.OBJ/esc_build/ESC.app
If the installer completes it will be in:
SmartCardManager-`<version>`.OSX4.darwin.dmg which contains:
SmartCardManager-`<version>`.pkg
The build script can be re-run to build only a specific component:
./mac-build.sh [ -do Usb || -doEgate || -DoESC || -doCoolKey || -doTokenD || -doInstaller]
The current CoolKey TokenD is built with a recent (10.4.9) version of the Mac “darwinbuild” system. “Darwinbuild” refers to an open source set of scripts designed to easily build projects included as part of their open source offerings. Previously, the CoolKey TokenD was built with an early version of darwinbuild. This version of TokenD experienced binary compatibility issues with the upcoming revision of the OS, thus the need to upgrade the version of “darwinbuild” used to build the source. The build process creates a universal TokenD for both Intel and PPC. The following is how this build can be done:
Subversion packages for the mac are readily available on the net.
% svn checkout http://svn.macosforge.org/repository/darwinbuild/trunk/
% cd trunk
% make
% sudo make install
To change the intallation tree simply do:
%sudo make install DESTDIR=<alternate_path>
Create a disk image where darwinbuild will build everything
hdiutil create -size 8g -type SPARSE -fs HFSX -volname Builds -uid 0 -gid 0 -attach Builds.dmg
Ex:
cp /usr/bin/tar /Volumes/Builds/Build8P1237/usr/bin
Now take the CoolKey TokenD code from the directory esc/mac/Tokend-30557 and transport it here:
/Volumes/Builds/Build8P1237/Sources/Tokend-30557
Attempt another build of TokenD
/usr/local/bin/darwinbiuld Tokend
Darwinbuild places the results of the latest build here:
Build8C46/BuildRoot/provate/var/tmp/Tokend/Tokend-11.root/System/Library/Security/tokend/COOLKEY.tokend, a directory bundle
The subdirectory /System/Library/Security/tokend is the actual destination on the system a TokenD lives once installed.
If the SmartCardManager installer is built with the optional TokenD, the installer will install the TokenD in the proper location.
Also a symbolic link to the CoolKey library is make from the directory "/Library/Application Support/CoolKey/PKCS11".
This link is needed to allow TokenD the access to the CoolKey PKCS#11 module that it requires for operation.
Smart Card Manager and supporting components can be built on the Windows platform using the Cygwin platform.
Once again, in order to build the application on Windows, the machine must be capable of building Xulrunner or Mozilla.
Cygwin- This is discussed in the Mozilla building instructions below:
The prerequisites for building Mozilla are listed here: [(http://developer.mozilla.org/en/docs/Windows_Build_Prerequisites_on_the_1.7_and_1.8_Branches) Windows Mozilla Prerequisites]
The build process for Smart Card Manager also builds the CoolKey component. Prerequisites for CoolKey on Windows are located here (http://www.directory.fedora.redhat.com/wiki/BuildCoolKey)
The installer is assisted by the INNO setup compiler script called “setup.iss” Following are a few snippets containing settings for the registry that are optional:
[Registry]`
;The following lines register the CSP. Comment out if not available
Root: HKLM; Subkey: Software\Microsoft\Cryptography\Defaults\Provider\CoolKey PKCS#11 CSP; ValueType: string; ValueName: PKCS11Module; ValueData: coolkeypk11.dll; Flags: uninsdeletekey
; The following lines set up Smart Card login if desired`
Root: HKLM; Subkey: Software\Microsoft\Cryptography\Calais\SmartCards\Axalto Developer; ValueType: binary; ValueName: ATRMask; ValueData: ff ff ff ff ff ff ff ff 00 00; Flags: uninsdeletekey`
Root: HKLM; Subkey: Software\Microsoft\Cryptography\Calais\SmartCards\Axalto Developer; ValueType: string; ValueName: Crypto Provider; ValueData: CoolKey PKCS#11 CSP`
Root: HKLM; Subkey: Software\Microsoft\Cryptography\Calais\SmartCards\Axalto Developer; ValueType: binary; ValueName: ATR; ValueData: 3b 75 94 00 00 62 02 02 00 00`
;End CSP registration`
Root: HKLM; Subkey: Software\`
; Turn off the "pick a cert" dialog box`
Root: HKCU; Subkey: Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3; ValueType: dword; ValueName: 1A04; ValueData: 0`
; Enable TLS 1.0`
Root: HKCU; Subkey: Software\Microsoft\Windows\CurrentVersion\Internet Settings; ValueType: dword; ValueName: SecureProtocols; ValueData: 168`
The build script does the following:
The build script can be re-run with certain arguments to re-create single steps of the build process:
./build.sh [ -doEsc || -doCoolKey || -doNSS || -doInstaller ]
Building the CSP requires that one satisfies most of the requirements needed to build CoolKey. Information on the Windows CSP along with build instructions are available here
Once the Smart Card Manager has been built, the following information should be useful if attempting to add any code and rebuild.
The application can be rebuilt fairly easily during development. There are just a few things to keep in mind:
The following section contains basic instructions on using the Smart Card Manager for token enrollment, formating, and password reset operations.
esc
at the command prompt; this brings up the Smart Card Manager daemon process, which silently watches for inserted smart cards. The client can also be launched by selecting System Settings, then Smart Card Manager, from the system menu.The Smart Card Manager offers a feature called Phone Home that associates information within each smart card with information which points to distinct TPS servers and Smart Card Manager UI pages. Whenever the Smart Card Manager accesses a new smart card, it connects to the TPS server and retrieves the Phone Home information.
Phone Home quickly retrieves and then caches this information; because the information is cached locally, the TPS subsystem does not have to be contacted each time a formatted smart card is inserted.
The information can be different for every key or token, which means different TPS servers and enrollment URLs can be configured for different corporate or customer groups. Phone Home makes it possible to configure different TPS servers for different issuers or company units, without having to configure the Smart Card Manager manually to find the proper server and URL.
In order for the TPS subsystem to utilize the Phone Home feature, Phone Home must be enabled in the TPS configuration file:
op.format.tokenKey.issuerinfo.enable=true
op.format.tokenKey.issuerinfo.value=http://server.example.com
Since the Smart Card Manager is based on Mozilla XULRunner, each user has a profile similar to the user profiles used by Mozilla Firefox or Thunderbird. The Smart Card Manager accesses the configuration preferences file. When the Smart Card Manager caches information for each token, the information is stored in the user’s configuration file. The next time the Smart Card Manager is launched, it retrieves the information from the configuration file instead of contacting the server again.
The Phone Home information is put on the token in one of two ways:
The following information is used by the Phone Home feature for each smart card:
The TPS server and port. For example:
"esc.key.40900062ff020000ba87.tps.url" = "http://tps.example.com:12443//nk_service"
The TPS enrollment interface URL. For example:
"esc.key.40900062ff020000ba87.tps.url" = "http://tps.example.com:12443/cgi_bin/esc.cgi?"
The issuing company name or ID. For example:
"esc.key.40900062ff020000ba87.issuer.name" = "Example Corp"
The Phone Home URL. For example:
"esc.key.40900062ff020000ba87.phone.home.url" = "http://tps.example.com:12443/phone_home/phone_home.cgi?"
Optionally, a default browser URL to access when an enrolled smart card is inserted.
"esc.key.40900062ff020000ba87.EnrolledTokenBrowserURL" = "http://www.test.example.com)"
The Phone Home feature and the different type of information used by it only work when the TPS has been properly configured to use Phone Home. If the TPS is not configured for Phone Home, then this feature is ignored. The code below shows an example XML file used by the TPS subsystem to configure the Phone Home feature.
<ServiceInfo><IssuerName>`Example Corp`</IssuerName>
`<Services>
`<Operation>[`http://tps.example.com:12443/nk_service`](http://tps.example.com:12443/nk_service)` ## TPS server URL
`</Operation>
`<UI>[`http://tps.example.com:12443/cgi_bin/esc.cgi`](http://tps.example.com:12443/cgi_bin/esc.cgi)` ## Optional
Enrollment UI
`</UI>
`<EnrolledTokenBrowserURL>[`http://www.test.url.com`](http://www.test.url.com)` ## Optional
enrolled token url
`</EnrolledTokenBrowserURL>;
</Services>
</ServiceInfo>
Example TPS Phone Home Configuration File
Phone Home is triggered automatically when a security token is inserted into a machine. The system immediately attempts to read the Phone Home URL from the token and to contact the TPS server.
If no Phone Home information is stored on the token, the the user is prompted for the Phone Home URL, as shown below. The other information is supplied and stored when the token is formatted. In this case, the company supplies the specific Phone Home URL for the user. After the user submits the URL, the format process adds the rest of the information to the Phone Home profile. The format process is not any different for the user.
Figure Prompt for Phone Home Information
The TPS configuration URI is the URL of the TPS server which returns the rest of the Phone Home information to the Smart Card Manager. An example of this URL is https://test.example.com:12443/cgi-bin/home/index.cgi
. When the TPS configuration URI is accessed, the TPS server is prompted to return all of the Phone Home information to the Smart Card Manager.
The Test button can be used to test of the entered URL. If the server is successfully contacted, a message box indicates success. If the test connection fails, an error dialog appears. The Update Values button saves the new URLs.
Because the Smart Card Manager is configured through the Phone Home feature, simple enrollment of a smart card is extremely easy. Since the information needed to contact the backend TPS server is provided with each smart card, the enrollment process for the user is very simple.
Assuming that the smart card being enrolled is uninitialized and the appropriate Phone Home information has been configured, the user’s enrollment process is as follows:
Figure Smart Card Enrollment with a Card
This screen gives the option either to close the dialog or to proceed with enrolling the smart card. If the card be removed, a message appears that the smart card is no longer detected.
Figure . Smart Card Enrollment Message When the Card Is Removed
Reinserting the card brings the previous dialog back with the option to enroll the smart card. Click Enroll My Smart Card to continue with the enrollment process.
Figure . Smart Card Enrollment Page
LDAP User ID. This is the LDAP directory user ID of the user enrolling the smart card; this can also be a screen name or employee or customer ID number.
LDAP Password. This is the alpha-numeric password corresponding to the user ID entered; this can be a simple password or a customer number.
The LDAP user ID and password refer to the fact that the TPS server is usually associated with a Directory Server which stores user information and to which the TPS refers to authenticate users.
Password. This sets the smart card’s password, used to protect the card information.
Re-Enter Password. This confirms the smart card’s password.
Figure . Smart Card Enrollment Success Message
The Manage Smart Cards page contains many of the operations that can be applied to one of the keys. This page allows users to format the token, set and reset the card’s password, and show the card information. Two other operations, enrolling tokens and viewing the diagnostic logging, are also accessed through the Manage Smart Cards page. These are addressed in other sections.
Figure . Manage Smart Cards Page
Formatting the card brings the smart card to the uninitialized state, which removes all the user keypairs previously generated and erases the password set on the smart card during enrollment.
The TPS server can be configured to load newer versions of the applet and symmetric keys onto the card. Do the following to format the smart card:
For formatting the smart card, there is no need to enter the key password.
If a user forgets the password for a smart card after the card is enrolled, it is possible to reset the password by doing the following:
Figure . Changing Password Dialog
The View Certificates button shows basic information about the selected smart card, including the keys and certificates stored on it.
Although most smart cards will be enrolled using the automated enrollment,there is an alternative way of enrolling smart cards through the Manage Smart Cards page.
Figure. Manual Enrollment Form
Enrolling a token with the user key pairs means the token can be used for certificate-based operations such as SSL client authentication and S/MIME.
The TPS server can be configured to generate the user key pairs on the server and then archived in the DRM subsystem for recovery if the token is lost.
Confirm the new card password value in the Re-Enter a password field.
Figure LDAP Authentication Prompt
enrolled
.The Smart Card Manager includes basic diagnostic tools and a simple interface to log errors and common events such as inserting and removing a smart card or changing the card’s password. The diagnostic tools can identify and notify users about problems with the Smart Card Manager, smart cards, and TPS connections.
To open the diagnostics page, click on the Diagnostics button in the Manage Smart Cards screen.
The following problems or events are logged by the Smart Card Manager:
Figure Diagnostics Screen
The diagnostics screen displays the following information:
For each card detected, the following information is shown:
Unformatted
(no key is detected), Formatted
(the key is detected, but no certificates have been enrolled), or Enrolled
(the detected card has been enrolled with certificate and card information).Example Corp.
Previously, Smart Card Manager relied on an application-specific configuration file. Smart Card Manager is now based on Mozilla XULRunner technology, which allows the preferences facility built into Mozilla to be used for simple configuration of the Smart Card Manager.
The Smart Card Manager can be launched without requiring extra configuration.
Smart Card Manager uses the Mozilla configuration preferences system on all three supported platforms. A default configuration file is located in the following directories on each platform:
C:\Program Files\Fedora\ESC\defaults\preferences\esc-prefs.js
/usr/lib/esc-1.0.0/esc/defaults/preferences/esc-prefs.js
~/Desktop/ESC.app/defaults/preferences/esc-prefs.js
This default configuration Javascript file contains the default Smart Card Manager configuration used when Smart Card Manager is first launched.
When Smart Card Manager is launched, a separate, unique profile directory for each user on the system is created; these profiles are stored in different, accessible locations on each platform, as shown:
When the Smart Card Manager requires any changes to a user's configuration values, the updated values are written to the user's profile area, not to the default Javascript file.
C:\Documents and Settings\$USER\Application Data\RedHat\ESC\Profiles
~/.redhat/esc
~/Library/Application Support/ESC/Profiles
The esc-prefs.js
file section below shows the Smart Card Manager-supported configuration values.
Example Configuration File
#################################################################
#The entry below is the XUL chrome page where Smart Card Manager
#proceeds on startup.
#
pref(“toolkit.defaultChromeURI”, ”(chrome://esc/content/settings.xul)”);
#The entry below is the URL Smart Card Manager consults #for back end TPS functionality.
#Note this is only a fallback setting. This information #is normally obtained through the ”Phone Home” functionality.
pref(“esc.tps.url”,”https://test.host.com:7888/nk_service)”); #The following three entries are for internal use
pref(“signed.applets.codebase_principal_support”,true); pref(“capability.principal.codebase.p0.granted”,
”UniversalXPConnect”); pref(“capability.principal.codebase.p0.id”, ”file://”);
#The entry below sets how many seconds Smart Card Manager #should wait while TPS is processing a message
pref(“esc.tps.message.timeout”,”90”); #The entry can be set allow Smart Card Manager to write
#newly created certificates #to the local CAPI store after an enrollment operation.
#Also, when a format is done, those same certs will be removed #from the local CAPI store.
pref(“esc.windows.do.capi”,”yes”);
The TokenD software installed on Mac provides a link between the Certificate System CoolKeys and the Mac CDSA security API, which provides a wide variety of security functionality. For example, the Apple Mail application can use a KeyChain to perform security-related tasks. A KeyChain can hold entities such as certificates, passwords, and private and public keys. Although most KeyChains are stored in software, the CDSA API allows KeyChains to be stored on smart cards or keys. CoolKey TokenD allows a Certificate System key to show as a KeyChain.
Keychain Access
utility in the Applications/Utilities
folder.$Keychain
entry in the list of valid chains. The chain has the the key’s UID in its name.This reference shows the different directories and file locations for the different client machines.
C:\Program Files\Fedora\ESC
/usr/lib/esc-1.0.1/esc
ESC.app
directory, usually the desktop, with the default being “/Applicatons”.On Windows, Smart Card Manager uses the following directories and files:
C:\Program Files\Fedora\ESC
application.ini
components\
chrome\
defaults\
esc.exe
xulrunner\
On Linux, Smart Card Manager is installed by its binary RPM to the default location /usr/lib/esc-1.0.1/esc/
.
application.ini
components/
chrome/
defaults/
esc
xulrunner/
On Mac OS X, the XULRunner framework located in ESC.app
as follows:
Contents/
Info.plist
Frameworks/
XUL.framework/
application.ini
components/
chrome/
defaults/
xulrunner
Smart Card Manager stores the XUL markup and Javascript functionality in the ESC_INSTALL_PATH /chrome/content/esc
directory, where ESC_INSTALL_PATH is the Smart Card Manager installation directory.
The following are the primary Smart Card Manager XUL files:
settings.xul
contains the code for the Settings page.esc.xul
contains the code for the Enrollment page.config.xul
contains the code for the configuration UI.esc_browser.xul
contains the code for hosting the external HTML Smart Card Manager enrollment UI.The following are the primary Smart Card Manager Javascript files:
ESC.js
contains most of the Smart Card Manager Javascript functionality.TRAY.js
contains the tray icon functionality.AdvancedInfo.js
contains the code for the Diagnostics feature.GenericAuth.js
contains the code for the authentication prompt. This prompt is configurable from the TPS server, which requires dynamic processing by Smart Card Manager.Certificate System (specifically the TPS subsystem) comes out of the box with generic external smart card enrollment UI. Since this UI consists of HTML and Javascript, this UI can be customized for a specific deployment as desired.
Given a default TPS instance on a given machine, the enrollment UI can be located here:
/var/lib/rhpki-tps/cgi-bin/home/Enroll.html
The UI references resources such as images and Javascript files within its code. These resources are located here:
/var/lib/rhpki-tps/docroot/home
Below is a snippet of the default UI sprinkled with comments on how it might be customized:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link rel=stylesheet href="/home/style.css" type="text/css">
<!-- Change the title if desired -->
<title>Enrollment</title>
</head>
<script type="text/JavaScript" src="/home/util.js">
</script>
<body onload="InitializeBindingTable();" onunload=cleanup();>
<progressmeter id="progress-id" hidden="true" align = "center"/>
<table width="100%" class="logobar">
<tr>
<td>
<!-- Use customized logo here... -->
<img alt="" src="/home/logo.jpg">
</td>
<td>
<p class="headerText">Smartcard Enrollment</p>
</td>
</tr>
</table>
<table id="BindingTable" width="200px"align="center">
<tr id="HeaderRow">
</tr>
</table>
<!-- Insert customized descriptive text here. -->
<p class="bodyText">You have plugged in your smartcard! After answering a few easy questions, you will be able to use your smartcard.
</p>
<p class="bodyText">
Now we would like you to identify yourself.
</p>
<table>
<tr>
<td><p >LDAP User ID: </p></td>
<td> </td>
<td><input type="text" id="snametf" value=""></td>
<td> </td>
<td><p>LDAP Password: </p></td>
<td> </td>
<td><input type="password" id="snamepwd" value=""></td>
</tr>
</table>
<p class="bodyText"> Before you can use your smartcard, you will need a password to protect it.</p>
<table>
<tr>
<td><p >Password:</p></td>
<td><input type="password" id="pintf" name="pintf" value=""></td>
<td><p >Re-Enter Password:</p></td>
<td><input type="password" id="reenterpintf" name="reenterpintf" value=""></td>
</table>
<br>
<table width="100%">
<tr>
<td align="right">
<input type="button" id="enrollbtn" name="enrollbtn" value="Enroll My Smartcard" onClick="DoEnrollCOOLKey();">
</td>
</tr>
</table>
</body></html>