Beruflich Dokumente
Kultur Dokumente
Administrators Guide
Version 5.1 Revision A
All attempts have been made to make the information in this document complete and accurate.
Aladdin is not responsible for any direct or indirect damages or loss of business resulting from
inaccuracies or omissions. The specifications in this document are subject to change without
notice.
Date of publication: April 2009
Last update: March, 2009
iii
Contact
1-866-202-3417
etoken.ts.us@aladdin.com
00800-22523346
+972-3-9781299
Website
http://www.aladdin.com/eToken
Additional Documentation
We recommend reading the following Aladdin eToken publication:
iv
Table of Contents
1. Introduction................................................................................................ 1
Overview.................................................................................................................... 2
New Features in eToken PKI Client 5.1 .................................................................... 3
2. Architecture Overview.............................................................................. 5
eToken PKI Client Architecture.................................................................................. 6
eToken PKI Client Modules ....................................................................................... 7
eToken PKI Client Monitor..................................................................................... 7
eToken PKI Client Properties................................................................................ 7
eToken Service...................................................................................................... 8
3. System Requirements.............................................................................. 9
Remote Desktop Connection ...................................................................................11
vi
Chapter 1
Introduction
eToken PKI Client enables eToken operations and the implementation
of eToken PKI-based solutions.
In this chapter:
Overview
Overview
Public Key Infrastructure (PKI) is a framework for creating a secure
method for exchanging information based on public key
cryptography, providing for trusted third-party vetting of, and
vouching for, user identities. It is an arrangement that consists of a
system of digital certificates, Certificate Authorities, and other
registration authorities that verify and authenticate the validity of
each party involved in an internet transaction.
Aladdins eToken PKI Client enables integration with various security
applications. It enables eToken security applications and third party
applications to communicate with the eToken device so that it can
work with various security solutions and applications. These include
eToken PKI solutions using either PKCS#11 or CAPI, proprietary
eToken applications such as eToken SSO (Single Sign-On), eToken for
Network Logon, and management solutions such as eToken TMS
(Token Management System). eToken TMS manages all aspects of
token assignment, deployment and personalization within an
organization.
eToken PKI Client enables the implementation of strong two-factor
authentication using standard certificates as well as encryption and
digital signing of data. Generic integration with both Microsoft CAPI
and PKCS#11 security interfaces enables out-of-the-box
interoperability with a variety of security applications offering secure
web access, secure network logon, PC and data security, secure email,
and more. PKI keys and certificates can be created, stored, and used
securely from within eToken hardware or software devices.
eToken PKI Client can be deployed and updated using any standard
software distribution system, such as GPO and SMS.
The eToken PKI Client Properties application and the eToken PKI
Client Monitor process are installed with eToken PKI Client,
providing easy-to-use configuration tools for users and
administrators.
Chapter 2
Architecture Overview
This chapter describes the eToken PKI Client 5.1 architecture.
In this chapter:
Certificate propagation
Password expiry pop-up messages
eToken PKI Client tray icon functionality
to:
eToken Service
This module is a system service added to the Windows Services
Manager. The operating system automatically recognizes the
connection of an eToken Virtual found in the appropriate folder on a
mass storage device as an emulation of a smartcard connection.
Chapter 3
System Requirements
Before installing eToken PKI Client ensure that your system meets the
minimum requirements.
In this chapter:
System Requirements
10
System Requirements
Windows Server 2008 (32-bit and 64-bit)
Windows Server 2003 SP2 (32 bit and 64bit
Supported Operating Systems
Supported Browsers
IE 6 and 7
eToken PRO
eToken NG-OTP
Supported eToken Devices
eToken NG-FLASH
eToken PRO Smartcard
eToken PRO Anywhere
Required Hardware
Operating System
eToken Hardware
Auhtneticators
eToken Software
Authenticators on
Client
Supported
Not supported
Not supported
Notes:
11
12
Chapter 4
2.
3.
4.
5.
14
Chapter 5
Installation
eToken PKI Client includes all the necessary files and drivers to
support eToken integration. It also includes the eToken PKI Client
Properties configuration tool, which enables easy user management of
eToken names and passwords.
eToken PKI Client must be installed on each computer on which an
eToken device is to be used. Local administrator rights are required to
install or uninstall eToken PKI Client.
In this chapter:
Uninstalling
16
To maintain the registry settings from the earlier eToken PKI Client
installation, select the Use existing configuration option.
17
To clear all registry keys set by any eToken PKI Client implementation:
1.
2.
3.
Log on as an administrator.
Close all applications.
Double-click the appropriate 32-bit or 64-bit PKIClient msi file.
18
The eToken PKI Client 5.1 Installation Wizard opens.
4.
Click Next.
The Select interface language dialog box is displayed.
5.
From the dropdown list, select the language in which the eToken
PKI Client user screens will appear.
7.
8.
19
Read the license agreement, and select the option, I accept the
license agreement.
Click Next.
The Destination Folder window opens, displaying the default
installation folder.
10. If there are no other eToken applications installed, you can click
Browse to select a different destination folder.
This folder will be used as the installation library for all future
eToken application installations.
9.
Note:
If an eToken application is already installed, the destination folder
cannot be changed.
11. Click Next.
The installation begins.
When the installation is complete, a confirmation message is
displayed.
20
21
where
PKIClient-x32-5.1.msi is the 32-bit PKIClient installation file. For 64bit use PKIClient-x64-5.1.msi.
To install via the command line:
1.
2.
3.
4.
Log on as an administrator.
Close all applications.
Open Start > Programs > Accessories > Command Prompt.
When running on Windows Vista, right-click Command Prompt
and select Run as. Set the user to administrator.
Type the msiexec command with the appropriate parameters,
properties, and feature settings, as described in this chapter.
2.
22
The Windows Installer opens, displaying the available parameters
and their explanations.
where
PKIClient-x32-5.1.msi is the 32-bit PKIClient installation file. For 64bit use PKIClient-x64-5.1.msi
Note:
To have a basic user interface level, use the /qb parameter.
23
Note:
PROP_REG_FILE, on page 26, does not follow this rule.
Properties can be set only during installation, and not during repair.
To set properties during installation, use the following command
format:
msiexec /i PKIClient-x32-5.1.msi PROPERTY=VALUE
PROPERTY=VALUE /qb
where
See the eToken PKI Client Command Line Installation Properties table on
page 24 for the list of properties that can be set during installation.
Some properties are stored as registry keys and can be set or modified
after installation. These properties are described in the Registry Key
Tables section on page 60.
Some properties can be set only during command line installation,
and may not be modified afterward. These properties are described in
the Installation-Only Properties section on page 25.
Example: To install the Spanish version of eToken PKI Client, with
24
Description
ET_LANG_NAME
See page 25
PROP_ADVANCED_VIEW
See page 70
PROP_CLEAR_REG
See page 25
PROP_EXPLORER_DEFENROL
See page 71
PROP_FAKE_READER
See page 25
PROP_PCSCSLOTS
See page 62
PROP_PQ_HISTORYSIZE
See page 77
PROP_PQ_MAXAGE
See page 78
PROP_PQ_MINAGE
See page 79
PROP_PQ_MINLEN
See page 79
PROP_PQ_MIXCHARS
See page 80
PROP_PQ_WARNPERIOD
See page 82
PROP_PROPAGATECACER
See page 74
PROP_PROPAGATEUSERCER
See page 74
PROP_REG_FILE
See page 26
PROP_SINGLELOGON
See page 63
PROP_SINGLELOGONTO
See page 63
PROP_SOFTWARESLOTS
See page 64
PROP_UPD_INFPATH
See page 26
READER_COUNT
See page 27
TARGETDIR
See page 27
25
Installation-Only Properties
The following properties, unless stated otherwise, can be set only
during command line installation, and may not be modified
afterwards:
ET_LANG_NAME Property
Property Name
ET_LANG_NAME
Description
Value
Default
English
PROP_CLEAR_REG Property
Property Name
PROP_CLEAR_REG
Description
Value
Default
0 (False)
PROP_FAKE_READER Property
Property Name
PROP_FAKE_READER
Description
Value
Default
1 (True)
Note:
For more information on the PROP_FAKE_READER property, please
contact Aladdin eToken customer support.
26
PROP_REG_FILE Property
Property Name
PROP_REG_FILE
Description
Value
Default
none
Note:
While other command line installation properties set values only in
HKEY_LOCAL_MACHINE\Software\Aladdin\eToken\MIDDLEWARE,
values set in the PROP_REG_FILE file are written to the
HKEY_LOCAL_MACHINE subfolders specified in the file.
PROP_UPD_INFPATH Property
Property Name
PROP_UPD_INFPATH
Description
Value
Default
none
Note:
For more information on the PROP_UPD_INFPATH property, please
contact Aladdin eToken customer support.
27
READER_COUNT Property
Note:
This feature can also be set using eToken Properties
Property Name
READER_COUNT
Description
Value
0-16
Default
TARGETDIR Property
Property Name
TARGETDIR
Description
Value
Default
Note:
Important! Only include the TARGETDIR property if there are no
other eToken applications installed on the computer.
28
To install only specific features, use the following command format:
msiexec /i PKIClient-x32-5.1.msi ADDDEFAULT=F1,F2Fn /qb
where
See the eToken PKI Client Features to Add or Remove table on page 30 for
the list of features that can be included during installation.
where
29
See the eToken PKI Client Features to Add or Remove table on page 30 for
the list of features.
Note:
Only optional features can be removed.
Example: To remove the eToken PKI Client Properties application
after it was installed with eToken PKI Client, type the following
command:
msiexec /i PKIClient-x32-5.1.msi REMOVE=etPropsFeature /qb
30
Description
Optional or Required
DriverFeature
CoreFeature
Required
UIFeature
etPropsFeature
etMonitor
Required
etVerifierFeature
NgFlashFeature
etFSFeature
Optional
ETOKSRV
31
Note:
To enable eToken device support without installing the eToken PKI
Client application, use the eToken PKI Client command line
installation with the DriverFeature feature only.
Also, you can install PKI without Aladdin drivers also with the
following command:
msiexec /i PKIClient-x32-5.1.msi PROP_FAKEREADER=128
Uninstalling
To remove eToken PKI Client 5.1, use one of the following methods:
Note:
If a DLL is in use by another application, a Files in Use dialog box is
displayed. Click Ignore to continue the uninstallation, and when the
uninstallation completes, restart the computer.
32
5.
6.
7.
Log on as an administrator.
Close all applications.
Double-click the appropriate 32-bit or 64-bit PKIClient msi file.
Uninstalling
The Application Maintenance dialog box is displayed.
4.
5.
Click Next.
33
34
The Updating System dialog box is displayed.
6.
7.
8.
Uninstalling
9.
35
4.
Log on as an administrator.
Close all applications.
Open Start > Programs > Accessories > Command Prompt.
When running on Windows Vista, right-click Command Prompt
and select Run as. Set the user to administrator.
Type the command line utility:
msiexec /x PKIClient-x32-5.1.msi
5.
where
PKIClient-x32-5.1.msi is the 32-bit PKIClient installation file. For
64-bit use PKIClient-x64-5.1.msi.
To uninstall in silent mode, add /q to the end of the command.
When the uninstallation completes, restart the computer.
36
Chapter 6
38
Note:
See Chapter 7: Registry Key Tables, on page 58 for an explanation of the
registry key settings.
The sample adm file is configured to write registry settings to:
HKEY_LOCAL_MACHINE\Software\Policies\Aladdin\eToken\
MIDDLEWARE.
The values in this folder have a higher priority than values in any
other registry folder.
To write settings to a different registry folder, modify the adm file.
Note:
See Chapter 7:Application Properties Hierarchy, on page 58 for an
explanation of the registry folders.
39
2.
40
The Properties window opens.
3.
4.
41
5.
6.
42
7.
8.
Click Close.
2.
43
44
The Properties window opens.
3.
4.
45
5.
46
2.
Click OK.
The Console window opens.
3.
4.
Click Add.
The Add Standalone Snap-in window opens.
5.
47
48
The Group Policy Wizard opens.
6.
7.
8.
9.
49
50
In Console Root window, the eToken PKI Client Settings node is
added under Administrative Templates.
13. When you close the Console window, you are prompted to save the
file.
51
52
2.
3.
4.
Select the Explain tab for an explanation of the setting and its
values.
53
54
5.
6.
7.
2.
Click OK.
The registry values on the server are updated to the eToken PKI
Client Settings values.
On each client computer, open the command line (Start>Run),
and enter gpupdate.
Click OK.
The registry values are copied from the server to the client
computer.
3.
4.
55
56
Chapter 7
58
Note:
Value set using the eToken PKI Client Properties application are
saved on a per user basis in HKEY_CURRENT_USER, and not in
HKEY_LOCAL_MACHINE.
59
For each property, the setting found in the highest level of the
following hierarchy determines the applications behavior:
1.
HKEY_LOCAL_MACHINE\Software\Policies\Aladdin\
eToken\MIDDLEWARE
HKEY_CURRENT_USER\Software\Policies\Aladdin
eToken\MIDDLEWARE
HKEY_CURRENT_USER\Software\Aladdin\eToken\MIDDLEWARE
HKEY_LOCAL_MACHINE\Software\Aladdin\eToken\MIDDLEWARE
5.
60
In the example, the GENERAL registry key is selected in
HKEY_LOCAL_MACHINE\SOFTWARE\Aladdin\eToken\MIDDLEWARE.
Registry settings that are not displayed in the right pane can be added.
61
Note:
The registry keys described in this section are located at:
HKEY_LOCAL_MACHINE\SOFTWARE\Aladdin\eToken\MIDDL
EWARE.
EmulateConnectedVR
Description
DWORD Value
Default
0 (False)
Note:
Regardless of the Emulate Connected Virtual Reader setting, the
most recently connected eToken Virtual always emulates a smartcard
if it is on a USB flash device.
62
Enable Private Cache
Property Name
EnablePrvCache
Description
Default
1 (True)
Can be set by
PCSC Slots
Property Name
PROP_PCSCSLOTS
PcscSlots
Description
DWORD Value
0-16
0 = Physical tokens are disabled; only eToken Virtual is enabled
Default
Can be set by
63
Single Logon
Property Name
PROP_SINGLELOGON
SingleLogon
Description
DWORD Value
Default
0 (False)
Can be set by
Note:
If Single Logon Timeout is > 0, Single Logon is automatically set to 1.
Single Logon Timeout
Property Name
PROP_SINGLELOGONTO
SingleLogonTimeout
Description
DWORD Value
>=0
Default
0 (no timeout)
Can be set by
64
Software Slots
Property Name
PROP_SOFTWARESLOTS
SoftwareSlots
Description
DWORD Value
0-10
0 = eToken Virtual is disabled; only physical tokens are enabled
Default
Can be set by
Tolerant Finalize
Property Name
TolerantFinalize
Description
DWORD Value
Default
0 (False)
Note:
Enable TolerantFinalize when using Novell Modular Authentication
Service (NMAS) applications only.
65
TolerantFindObjects
Description
DWORD Value
Default
0 (False)
TolerantX509Attributes
Description
DWORD Value
Default
0 (False)
Note:
Enable TolerantX509Attributes when using certificates created in a
non- DER encoded binary x.509 format.
TolerantX509Attributes was enabled by default in eToken PKI Client
versions earlier than 4.0.
66
eToken Virtual Disconnected when Logging Off
Registry Key Name
EtvLogoffUnplug
Description
DWORD Value
Default
Does not exist (The registry key is not created during the
installation of eToken PKI client, so must be added manually)
Domain
Description
String Value
Default
None
HMAC-SHA1
Description
DWORD Value
Default
Can be set by
Legacy-Format-Version
Description
DWORD Value
Default
Can be set by
67
68
Private Data Caching
Property Name
PrivateDataCaching
Description
DWORD Value
Default
2 (Full caching)
Can be set by
RSA-Area-Size
Description
Determines the size, in bytes, of the area to reserve for RSA keys
on CardOS-based tokens.
The size of the area allocated on the token is determined during
token initialization, and cannot be modified without re-initializing the
token.
DWORD Value
>=0
0 = RSA keys cannot be created on the token
Default
Note:
RSA-Area-Size is not relevant when Legacy-Format-Version is set to
5.
For information regarding the size of the RSA key space, see Aladdins
eToken Knowledge Base article, Reserved RSA Key Space.
RSASecondaryAuthenticationMode
Description
DWORD Value
0 - ETCK_2NDAUTH_PROMPT_NEVER
New RSA private keys are not protected with an additional
password
1 - ETCK_2NDAUTH_PROMPT_CONDITIONAL
If an external application has set the
Can be set by
RSA-2048
Property Name
RSA-2048
Description
DWORD Value
Default
0 (False)
Can be set by
69
70
PROP_ADVANCED_VIEW
AdvancedView
Description
DWORD Value
Default
1 (True)
Can be set by
Show In Tray
Property Name
ShowInTray
Description
DWORD Value
Default
1 (True)
71
Logout Mode
Property Name
LogoutMode
Description
DWORD Value
Default
0 (False)
PROP_EXPLORER_DEFENROL
Description
DWORD Value
Default
Can be set by
Note:
The NoDefaultKeyContainer value is set per process on a per machine
basis.
72
Default Enrollment Container
Registry Key Name
DefEnrollType
Description
DWORD Value
Default
Does not exist (The registry key is not created during the
installation of eToken PKI client, so must be added manually)
Password Timeout
Property Name
PasswordTimeout
Description
DWORD Value
>=0
0 = No timeout
Default
ASCII Password
Property Name
AsciiPassword
Description
DWORD Value
Default
0 (False)
73
AddToTokenOnNewCertInStore
Description
DWORD Value
Default
1 (True)
CertsToRemoveStorePeriod
Description
DWORD Value
>=0
Default
Note:
This setting applies when the token from which a certificate was
exported is not inserted when the certificate is removed from the user
store.
74
Propagate CA Certificates
Property Name
PROP_PROPAGATECACER
PropagateCACertificates
Description
DWORD Value
Default
1 (True)
Can be set by
PROP_PROPAGATEUSERCER
PropagateUserCertificates
Description
DWORD Value
Default
1 (True)
Can be set by
75
RemoveFromStoreOnRemoveFromToken
Description
DWORD Value
Default
1 (True)
RemoveFromTokenOnRemoveFromStore
Description
DWORD Value
Default
RemoveFromTokenOnRemoveFromStoreTemplates
Description
String Value
Template name(s)
Default
None
76
Remove User Certificates Upon Token Removal
Property Name
RemoveUserCertsOnTokenRemove
Description
DWORD Value
Default
1 (True)
Synchronize Store
Property Name
SynchronizeStore
Description
DWORD Value
Default
1 (True)
NotifyPasswordExpiration
Description
DWORD Value
Default
1 (True)
PROP_PQ_HISTORYSIZE
pqHistorySize
Description
DWORD Value
>=0
Default
10
Can be set by
77
78
Password Quality Lower Case
Property Name
pqLowerCase
Description
DWORD Value
Default
PROP_PQ_MAXAGE
pqMaxAge
Description
DWORD Value
>=0
0 = No expiration
Default
Can be set by
pqMaxRepeated
Description
DWORD Value
>=0
0 = No maximum
Default
PROP_PQ_MINAGE
pqMinAge
Description
DWORD Value
>=0
0 = No minimum
Default
Can be set by
PROP_PQ_MINLEN
pqMinLen
Description
DWORD Value
>=4
Default
Can be set by
79
80
Password Quality Mixed Characters
Property Name
PROP_PQ_MIXCHARS
pqMixChars
Description
DWORD Value
Default
1 (True)
Can be set by
pqModifiable
Description
DWORD Value
Default
pqNumbers
Description
DWORD Value
Default
81
pqOwner
Description
DWORD Value
Default
pqSpecial
Description
DWORD Value
Default
pqUpperCase
Description
DWORD Value
Default
82
Password Quality Warning Period
Property Name
PROP_PQ_WARNPERIOD
pqWarnPeriod
Description
DWORD Value
>=0
0 = No warning
Default
Can be set by
pqCheckInit
Description
DWORD Value
Default
Does not exist (The registry key is not created during the
installation of eToken PKI client, so must be added manually)
83
ShowDecimalSerial
Description
DWORD Value
Default
Does not exist (The registry key is not created during the
installation of eToken PKI client, so must be added manually)
UseDefaultPassword
Description
DWORD Value
Default
0 (False)
84
DWORD Value
Default
1 (True)
DWORD Value
Default
0 (False)
85
86
Appendix A
88
Appendix B
FCC Compliance
eToken USB has been tested and found to comply with the limits for a
Class B digital device, pursuant to Part 15 of the FCC rules. These
limits are designed to provide reasonable protection against harmful
interference in a residential installation.
This equipment generates uses and can radiate radio frequency
energy and, if not installed and used in accordance with the
instructions, may cause harmful interference to radio
communications. However, there is no guarantee that interference will
not occur in a particular installation.
If this equipment does cause harmful interference to radio or
television reception, which can be determined by turning the
equipment off and on, the user is encouraged to try to correct the
interference by one of the following measures:
a. Reorient or relocate the receiving antenna.
b. Increase the separation between the equipment and receiver.
c. Connect the equipment to an outlet on a circuit different from that
to which the receiver is connected.
d. Consult the dealer or an experienced radio/TV technician.
FCC Warning
Modifications not expressly approved by the manufacturer could void
the user authority to operate the equipment under FCC rules.
All of the above applies also to the eToken USB.
90
FCC authorities have determined that the rest of the eToken product
line does not contain a Class B Computing Device Peripheral and
therefore does not require FCC regulation.
CE Compliance
The eToken product line complies with the CE EMC Directive and
related standards*.eToken products are marked with the CE logo and
an eToken CE conformity card is included in every shipment or upon
demand.
*EMC directive 89/336/EEC and related standards EN 55022, EN
50082-1.
UL Certification
The eToken product line successfully completed UL 94 Tests for
Flammability of Plastic Materials for Parts in Devices and Appliances.
eToken products comply with UL 1950 Safety of Information
Technology Equipment regulations.
ISO 9002 Certification
The eToken product line is designed and manufactured by Aladdin
Knowledge Systems, an ISO 9002-certified company. Aladdin's quality
assurance system is approved by the International Organization for
Standardization (ISO), ensuring that Aladdin products and customer
service standards consistently meet specifications in order to provide
outstanding customer satisfaction.
Certificate of Compliance
Upon request, Aladdin Knowledge Systems will supply a Certificate
of Compliance to any software developer who wishes to demonstrate
that the eToken product line conforms to the specifications stated.
Software developers can distribute this certificate to the end user
along with their programs
Appendix C
92