Managing Single Sign-On and Smart Cards
On Using the Enterprise Security Client
Abstract
Chapter 1. Introduction to the Enterprise Security Client
- Supports Global Platform-compliant smart cards.
- Enrolls security tokens so they are recognized by the token management system in Red Hat Certificate System.
- Maintains the security token, such as re-enrolling a token.
- Provides information about the current status of the token or tokens being managed.
- Supports server-side key generation through the Certificate System subsystems so that keys can be archived and recovered on a separate token if a token is lost.
1.1. Red Hat Enterprise Linux, Single Sign-On, and Authentication
- Kerberos-based authentication
- Smart card-based authentication, using the Enterprise Security Client tied into the public-key infrastructure implemented by Red Hat Certificate System
- A user inserts a smart card into the card reader. This is detected by the pluggable authentication modules (PAM) on Red Hat Enterprise Linux.
- The system maps the certificate to the user entry and then compares the presented certificates on the smart card to the certificates stored in the user entry.
- If the certificate is successfully validated against the key distribution center (KDC), then the user is allowed to log in.
1.2. Red Hat Certificate System and the Enterprise Security Client
- The Token Processing System (TPS) interacts with smart cards to help them generate and store keys and certificates for a specific entity, such as a user or device. Smart card operations go through the TPS and are forwarded to the appropriate subsystem for action, such as the Certificate Authority to generate certificates or the Data Recovery Manager to archive and recover keys.
- The Token Key Service (TKS) generates, or derives, symmetric keys used for communication between the TPS and smart card. Each set of keys generated by the TKS is unique because they are based on the card's unique ID. The keys are formatted on the smart card and are used to encrypt communications, or provide authentication, between the smart card and TPS.
- The Certificate Authority (CA) creates and revokes user certificates stored on the smart card.
- Optionally, the Data Recovery Manager (DRM) archives and recovers keys for the smart card.
Figure 1.1. How Certificate System Manages Smart Cards
Chapter 2. Using Pluggable Authentication Modules (PAM)
2.1. About PAM
- PAM provides a common authentication scheme that can be used with a wide variety of applications.
- PAM provides significant flexibility and control over authentication for both system administrators and application developers.
- PAM provides a single, fully-documented library which allows developers to write programs without having to create their own authentication schemes.
/usr/share/doc/pam-
version# directory contains a System Administrators' Guide, a Module Writers' Manual, and the Application Developers' Manual, as well as a copy of the PAM standard, DCE-RFC 86.0.
2.2. PAM Configuration Files
/etc/pam.d/
directory contains the PAM configuration files for each PAM-aware application.
2.2.1. PAM Service Files
/etc/pam.d/
directory. Each file in this directory has the same name as the service to which it controls access.
/etc/pam.d/
directory. For example, the login
program defines its service name as login
and installs the /etc/pam.d/login
PAM configuration file.
2.2.2. PAM Configuration File Format
module_interface control_flag module_name module_arguments
2.2.2.1. PAM Module Interfaces
auth
— This module interface authenticates use. For example, it requests and verifies the validity of a password. Modules with this interface can also set credentials, such as group memberships or Kerberos tickets.account
— This module interface verifies that access is allowed. For example, it checks if a user account has expired or if a user is allowed to log in at a particular time of day.password
— This module interface is used for changing user passwords.session
— This module interface configures and manages user sessions. Modules with this interface can also perform additional tasks that are needed to allow access, like mounting a user's home directory and making the user's mailbox available.
Note
pam_unix.so
provides all four module interfaces.
auth required pam_unix.so
pam_unix.so
module's auth
interface.
sufficient
or requisite
value, then the order in which the modules are listed is important to the authentication process.
reboot
command normally uses several stacked modules, as seen in its PAM configuration file:
[root@MyServer ~]# cat /etc/pam.d/reboot #%PAM-1.0 auth sufficient pam_rootok.so auth required pam_console.so #auth include system-auth account required pam_permit.so
- The first line is a comment and is not processed.
auth sufficient pam_rootok.so
— This line uses thepam_rootok.so
module to check whether the current user is root, by verifying that their UID is 0. If this test succeeds, no other modules are consulted and the command is executed. If this test fails, the next module is consulted.auth required pam_console.so
— This line uses thepam_console.so
module to attempt to authenticate the user. If this user is already logged in at the console,pam_console.so
checks whether there is a file in the/etc/security/console.apps/
directory with the same name as the service name (reboot). If such a file exists, authentication succeeds and control is passed to the next module.#auth include system-auth
— This line is commented and is not processed.account required pam_permit.so
— This line uses thepam_permit.so
module to allow the root user or anyone logged in at the console to reboot the system.
2.2.2.2. PAM Control Flags
required
— The module result must be successful for authentication to continue. If the test fails at this point, the user is not notified until the results of all module tests that reference that interface are complete.requisite
— The module result must be successful for authentication to continue. However, if a test fails at this point, the user is notified immediately with a message reflecting the first failedrequired
orrequisite
module test.sufficient
— The module result is ignored if it fails. However, if the result of a module flaggedsufficient
is successful and no previous modules flaggedrequired
have failed, then no other results are required and the user is authenticated to the service.optional
— The module result is ignored. A module flagged asoptional
only becomes necessary for successful authentication when no other modules reference the interface.include
— Unlike the other controls, this does not relate to how the module result is handled. This flag pulls in all lines in the configuration file which match the given parameter and appends them as an argument to the module.
Important
required
modules are called is not critical. Only the sufficient
and requisite
control flags cause order to become important.
pam.d
manpage.
2.2.2.3. PAM Module Names
libpam
, which can locate the correct version of the module.
2.2.2.4. PAM Module Arguments
pam_userdb.so
module uses information stored in a Berkeley DB file to authenticate the user. Berkeley DB is an open source database system embedded in many applications. The module takes a db
argument so that Berkeley DB knows which database to use for the requested service. For example:
auth required pam_userdb.so db=/path/to/BerkeleyDB_file
/var/log/secure
file.
2.2.3. Sample PAM Configuration Files
Example 2.1. Simple PAM Configuration
#%PAM-1.0 auth required pam_securetty.so auth required pam_unix.so nullok auth required pam_nologin.so account required pam_unix.so password required pam_cracklib.so retry=3 password required pam_unix.so shadow nullok use_authtok session required pam_unix.so
- The first line is a comment, indicated by the hash mark (
#
) at the beginning of the line. - Lines two through four stack three modules for login authentication.
auth required pam_securetty.so
— This module ensures that if the user is trying to log in as root, the tty on which the user is logging in is listed in the/etc/securetty
file, if that file exists.If the tty is not listed in the file, any attempt to log in as root fails with aLogin incorrect
message.auth required pam_unix.so nullok
— This module prompts the user for a password and then checks the password using the information stored in/etc/passwd
and, if it exists,/etc/shadow
.The argumentnullok
instructs thepam_unix.so
module to allow a blank password. auth required pam_nologin.so
— This is the final authentication step. It checks whether the/etc/nologin
file exists. If it exists and the user is not root, authentication fails.Note
In this example, all threeauth
modules are checked, even if the firstauth
module fails. This prevents the user from knowing at what stage their authentication failed. Such knowledge in the hands of an attacker could allow them to more easily deduce how to crack the system.account required pam_unix.so
— This module performs any necessary account verification. For example, if shadow passwords have been enabled, the account interface of thepam_unix.so
module checks to see if the account has expired or if the user has not changed the password within the allowed grace period.password required pam_cracklib.so retry=3
— If a password has expired, the password component of thepam_cracklib.so
module prompts for a new password. It then tests the newly created password to see whether it can easily be determined by a dictionary-based password cracking program.The argumentretry=3
specifies that if the test fails the first time, the user has two more chances to create a strong password.password required pam_unix.so shadow nullok use_authtok
— This line specifies that if the program changes the user's password, using thepassword
interface of thepam_unix.so
module.- The argument
shadow
instructs the module to create shadow passwords when updating a user's password. - The argument
nullok
instructs the module to allow the user to change their password from a blank password, otherwise a null password is treated as an account lock. - The final argument on this line,
use_authtok
, provides a good example of the importance of order when stacking PAM modules. This argument instructs the module not to prompt the user for a new password. Instead, it accepts any password that was recorded by a previous password module. In this way, all new passwords must pass thepam_cracklib.so
test for secure passwords before being accepted.
session required pam_unix.so
— The final line instructs the session interface of thepam_unix.so
module to manage the session. This module logs the user name and the service type to/var/log/secure
at the beginning and end of each session. This module can be supplemented by stacking it with other session modules for additional functionality.
2.3. Creating PAM Modules
/usr/share/doc/pam-
version# directory.
2.4. PAM and Administrative Credential Caching
pam_timestamp.so
module. It is important to understand how this mechanism works, because a user who walks away from a terminal while pam_timestamp.so
is in effect leaves the machine open to manipulation by anyone with physical access to the console.
pam_timestamp.so
module creates a timestamp file. By default, this is created in the /var/run/sudo/
directory. If the timestamp file already exists, graphical administrative programs do not prompt for a password. Instead, the pam_timestamp.so
module freshens the timestamp file, reserving an extra five minutes of unchallenged administrative access for the user.
/var/run/sudo/
user directory. For the desktop, the relevant file is unknown:root
. If it is present and its timestamp is less than five minutes old, the credentials are valid.
Figure 2.1. The Authentication Icon
2.4.1. Removing the Timestamp File
Figure 2.2. Dismiss Authentication Dialog
- If logged in to the system remotely using
ssh
, use the/sbin/pam_timestamp_check -k root
command to destroy the timestamp file. - Run the
/sbin/pam_timestamp_check -k root
command from the same terminal window where the privileged application was launched. - The logged in user who originally invoked the
pam_timestamp.so
module must be the user who runs the/sbin/pam_timestamp_check -k
command. Do not run this command as root. - Killing the credentials on the desktop without using theaction on the icon can be done with the
/sbin/pam_timestamp_chec
command./sbin/pam_timestamp_check -k root </dev/null >/dev/null 2>/dev/null
Any other method only removes the credentials from the pty where the command was run.
pam_timestamp_check
man page for more information about destroying the timestamp file using pam_timestamp_check
.
2.4.2. Common pam_timestamp Directives
pam_timestamp.so
module accepts several directives, with two used most commonly:
timestamp_timeout
— Specifies the period (in seconds) for which the timestamp file is valid. The default value is 300 (five minutes).timestampdir
— Specifies the directory in which the timestamp file is stored. The default value is/var/run/sudo/
.
Chapter 3. Using Kerberos
3.1. About Kerberos
3.1.1. How Kerberos Works
kinit
program after the user logs in.
Figure 3.1. Kerberos Authentication, in Steps
kinit
program on the client then decrypts the TGT using the user's key, which it computes from the user's password. The user's key is used only on the client machine and is not transmitted over the network. The ticket (or credentials) sent by the KDC are stored in a local file, the credentials cache, which can be checked by Kerberos-aware services.
kinit
; this is kept in a keytab.
Warning
- Approximate clock synchronization between the machines on the network can be set up using a service such as
ntpd
, which is documented in/usr/share/doc/ntp-
version-number/html/index.html
. - Both DNS entries and hosts on the network must be properly configured, which is covered in the Kerberos documentation in
/usr/share/doc/krb5-server-
version-number.
3.1.2. Considerations for Deploying Kerberos
- Migrating user passwords from a standard UNIX password database, such as
/etc/passwd
or/etc/shadow
, to a Kerberos password database can be tedious. There is no automated mechanism to perform this task. This is covered in question 2.23 in the online Kerberos FAQ for the US Navy. - Kerberos assumes that each user is trusted but is using an untrusted host on an untrusted network. Its primary goal is to prevent unencrypted passwords from being transmitted across that network. However, if anyone other than the proper user has access to the one host that issues tickets used for authentication — the KDC — the entire Kerberos authentication system are at risk.
- For an application to use Kerberos, its source must be modified to make the appropriate calls into the Kerberos libraries. Applications modified in this way are considered to be Kerberos-aware, or kerberized. For some applications, this can be quite problematic due to the size of the application or its design. For other incompatible applications, changes must be made to the way in which the server and client communicate. Again, this can require extensive programming. Closed-source applications that do not have Kerberos support by default are often the most problematic.
- Kerberos is an all-or-nothing solution. If Kerberos is used on the network, any unencrypted passwords transferred to a non-Kerberos aware service are at risk. Thus, the network gains no benefit from the use of Kerberos. To secure a network with Kerberos, one must either use Kerberos-aware versions of all client/server applications that transmit passwords unencrypted, or not use that client/server application at all.
3.1.3. Additional Resources for Kerberos
Documentation | Location |
---|---|
Kerberos V5 Installation Guide (in both PostScript and HTML) | /usr/share/doc/krb5-server-version-number |
Kerberos V5 System Administrator's Guide (in both PostScript and HTML) | /usr/share/doc/krb5-server-version-number |
Kerberos V5 UNIX User's Guide (in both PostScript and HTML) | /usr/share/doc/krb5-workstation-version-number |
"Kerberos: The Network Authentication Protocol" webpage from MIT | http://web.mit.edu/kerberos/www/ |
The Kerberos Frequently Asked Questions (FAQ) | http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html |
Designing an Authentication System: a Dialogue in Four Scenes, originally by Bill Bryant in 1988, modified by Theodore Ts'o in 1997. This document is a conversation between two developers who are thinking through the creation of a Kerberos-style authentication system. The conversational style of the discussion makes this a good starting place for people who are completely unfamiliar with Kerberos. | http://web.mit.edu/kerberos/www/dialogue.html |
A how-to article for kerberizing a network. | http://www.ornl.gov/~jar/HowToKerb.html |
man
command_name.
Manpage | Description |
---|---|
Client Applications | |
kerberos | An introduction to the Kerberos system which describes how credentials work and provides recommendations for obtaining and destroying Kerberos tickets. The bottom of the man page references a number of related man pages. |
kinit | Describes how to use this command to obtain and cache a ticket-granting ticket. |
kdestroy | Describes how to use this command to destroy Kerberos credentials. |
klist | Describes how to use this command to list cached Kerberos credentials. |
Administrative Applications | |
kadmin | Describes how to use this command to administer the Kerberos V5 database. |
kdb5_util | Describes how to use this command to create and perform low-level administrative functions on the Kerberos V5 database. |
Server Applications | |
krb5kdc | Describes available command line options for the Kerberos V5 KDC. |
kadmind | Describes available command line options for the Kerberos V5 administration server. |
Configuration Files | |
krb5.conf | Describes the format and options available within the configuration file for the Kerberos V5 library. |
kdc.conf | Describes the format and options available within the configuration file for the Kerberos V5 AS and KDC. |
3.2. Installing Kerberos
# yum install krb5-server krb5-libs krb5-auth-dialog
# yum install krb5-workstation krb5-libs krb5-auth-dialog
# yum install krb5-pkinit-openssl
3.3. Configuring a Kerberos 5 Server
3.3.1. Configuring the Master KDC Server
- Ensure that time synchronization and DNS are functioning correctly on all client and server machines before configuring Kerberos.Pay particular attention to time synchronization between the Kerberos server and its clients. If the time difference between the server and client is greater than the configured limit (five minutes by default), Kerberos clients cannot authenticate to the server. This time synchronization is necessary to prevent an attacker from using an old Kerberos ticket to masquerade as a valid user.The NTP documentation is located at
/usr/share/doc/ntp-
version-number/html/index.html
and online at http://www.ntp.org. - Install the
krb5-libs
,krb5-server
, andkrb5-workstation
packages on the dedicated machine which runs the KDC. This machine needs to be very secure — if possible, it should not run any services other than the KDC. - Edit the
/etc/krb5.conf
and/var/kerberos/krb5kdc/kdc.conf
configuration files to reflect the realm name and domain-to-realm mappings. A simple realm can be constructed by replacing instances of EXAMPLE.COM and example.com with the correct domain name — being certain to keep uppercase and lowercase names in the correct format — and by changing the KDC from kerberos.example.com to the name of the Kerberos server. By convention, all realm names are uppercase and all DNS hostnames and domain names are lowercase. The man pages of these configuration files have full details about the file formats. - Create the database using the
kdb5_util
utility./usr/sbin/kdb5_util create -s
Thecreate
command creates the database that stores keys for the Kerberos realm. The-s
argument creates a stash file in which the master server key is stored. If no stash file is present from which to read the key, the Kerberos server (krb5kdc
) prompts the user for the master server password (which can be used to regenerate the key) every time it starts. - Edit the
/var/kerberos/krb5kdc/kadm5.acl
file. This file is used bykadmind
to determine which principals have administrative access to the Kerberos database and their level of access. Most organizations can be accommodated by a single line:*/admin@EXAMPLE.COM *
Most users are represented in the database by a single principal (with a NULL, or empty, instance, such as joe@EXAMPLE.COM). In this configuration, users with a second principal with an instance of admin (for example, joe/admin@EXAMPLE.COM) are able to exert full administrative control over the realm's Kerberos database.Afterkadmind
has been started on the server, any user can access its services by runningkadmin
on any of the clients or servers in the realm. However, only users listed in thekadm5.acl
file can modify the database in any way, except for changing their own passwords.Note
Thekadmin
utility communicates with thekadmind
server over the network, and uses Kerberos to handle authentication. Consequently, the first principal must already exist before connecting to the server over the network to administer it. Create the first principal with thekadmin.local
command, which is specifically designed to be used on the same host as the KDC and does not use Kerberos for authentication. - Create the first principal using
kadmin.local
at the KDC terminal:/usr/sbin/kadmin.local -q "addprinc username/admin"
- Start Kerberos using the following commands:
/sbin/service krb5kdc start /sbin/service kadmin start
- Add principals for the users using the
addprinc
command withinkadmin
.kadmin
andkadmin.local
are command line interfaces to the KDC. As such, many commands — such asaddprinc
— are available after launching thekadmin
program. Refer to thekadmin
man page for more information. - Verify that the KDC is issuing tickets. First, run
kinit
to obtain a ticket and store it in a credential cache file. Next, useklist
to view the list of credentials in the cache and usekdestroy
to destroy the cache and the credentials it contains.Note
By default,kinit
attempts to authenticate using the same system login username (not the Kerberos server). If that username does not correspond to a principal in the Kerberos database,kinit
issues an error message. If that happens, supplykinit
with the name of the correct principal as an argument on the command line:kinit principal
3.3.2. Setting up Secondary KDCs
kadmind
. The master KDC is also the realm's admin server. Additional secondary KDCs keep read-only copies of the database and run kpropd
.
- Copy the master KDC's
krb5.conf
andkdc.conf
files to the secondary KDC. - Start
kadmin.local
from a root shell on the master KDC.- Use the
kadmin.local add_principal
command to create a new entry for the master KDC's host service. - Use the
kadmin.local ktadd
command to set a random key for the service and store the random key in the master's default keytab file.Note
This key is used by thekprop
command to authenticate to the secondary servers. You will only need to do this once, regardless of how many secondary KDC servers you install.# kadmin.local -r EXAMPLE.COM Authenticating as principal root/admin@EXAMPLE.COM with password. kadmin: add_principal -randkey host/masterkdc.example.com Principal "host/host/masterkdc.example.com@EXAMPLE.COM" created. kadmin: ktadd host/masterkdc.example.com Entry for principal host/masterkdc.example.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/masterkdc.example.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/masterkdc.example.com with kvno 3, encryption type DES with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/masterkdc.example.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5.keytab. kadmin: quit
- Start
kadmin
from a root shell on the secondary KDC.- Use the
kadmin add_principal
command to create a new entry for the secondary KDC's host service. - Use the
kadmin ktadd
command to set a random key for the service and store the random key in the secondary KDC server's default keytab file. This key is used by thekpropd
service when authenticating clients.# kadmin -p jsmith/admin@EXAMPLE.COM -r EXAMPLE.COM Authenticating as principal jsmith/admin@EXAMPLE.COM with password. Password for jsmith/admin@EXAMPLE.COM: kadmin: add_principal -randkey host/slavekdc.example.com Principal "host/slavekdc.example.com@EXAMPLE.COM" created. kadmin: ktadd host/slavekdc.example.com@EXAMPLE.COM Entry for principal host/slavekdc.example.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/slavekdc.example.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/slavekdc.example.com with kvno 3, encryption type DES with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/slavekdc.example.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5.keytab. kadmin: quit
- With its service key, the secondary KDC could authenticate any client which would connect to it. Obviously, not all potential clients should be allowed to provide the
kprop
service with a new realm database. To restrict access, thekprop
service on the secondary KDC will only accept updates from clients whose principal names are listed in/var/kerberos/krb5kdc/kpropd.acl
.Add the master KDC's host service's name to that file.# echo host/masterkdc.example.com@EXAMPLE.COM > /var/kerberos/krb5kdc/kpropd.acl
- Once the secondary KDC has obtained a copy of the database, it will also need the master key which was used to encrypt it. If the KDC database's master key is stored in a stash file on the master KDC (typically named
/var/kerberos/krb5kdc/.k5.REALM
), either copy it to the secondary KDC using any available secure method, or create a dummy database and identical stash file on the secondary KDC by runningkdb5_util create -s
and supplying the same password. The dummy database will be overwritten by the first successful database propagation. - Ensure that the secondary KDC's firewall allows the master KDC to contact it using TCP on port 754 (krb5_prop), and start the
kprop
service. - Double-check that the
kadmin
service is disabled. - Perform a manual database propagation test by dumping the realm database on the master KDC to the default data file which the
kprop
command will read (/var/kerberos/krb5kdc/slave_datatrans
).# /usr/sbin/kdb5_util dump /var/kerberos/krb5kdc/slave_datatrans
- Use the
kprop
command to transmit its contents to the secondary KDC.# kprop slavekdc.example.com
- Using
kinit
, verify that the client system is able to correctly obtain the initial credentials from the KDC. The/etc/krb5.conf
for the client should list only the secondary KDC in its list of KDCs. - Create a script which dumps the realm database and runs the
kprop
command to transmit the database to each secondary KDC in turn, and configure thecron
service to run the script periodically.
3.4. Configuring a Kerberos 5 Client
krb5.conf
configuration file. While ssh
and slogin
are the preferred methods of remotely logging in to client systems, Kerberized versions of rsh
and rlogin
are still available, with additional configuration changes.
- Be sure that time synchronization is in place between the Kerberos client and the KDC and that DNS is working properly on the Kerberos client.
- Install the
krb5-libs
andkrb5-workstation
packages on all of the client machines. - Supply a valid
/etc/krb5.conf
file for each client (usually this can be the samekrb5.conf
file used by the KDC). - To use kerberized
rsh
andrlogin
services, install thersh
package. - Before a workstation can use Kerberos to authenticate users who connect using
ssh
,rsh
, orrlogin
, it must have its own host principal in the Kerberos database. Thesshd
,kshd
, andklogind
server programs all need access to the keys for the host service's principal.- Using
kadmin
, add a host principal for the workstation on the KDC. The instance in this case is the hostname of the workstation. Use the-randkey
option for thekadmin
'saddprinc
command to create the principal and assign it a random key:addprinc -randkey host/server.example.com
- The keys can be extracted for the workstation by running
kadmin
on the workstation itself and using thektadd
command.ktadd -k /etc/krb5.keytab host/server.example.com
- To use other kerberized network services, install the krb5-server package and start the services. The kerberized services are listed in Table 3.3, “Common Kerberized Services”.
Service Name | Usage Information |
---|---|
ssh | OpenSSH uses GSS-API to authenticate users to servers if the client's and server's configuration both have GSSAPIAuthentication enabled. If the client also has GSSAPIDelegateCredentials enabled, the user's credentials are made available on the remote system. |
rsh and rlogin | Enable klogin , eklogin , and kshell . |
Telnet | Enable krb5-telnet . |
FTP | Create and extract a key for the principal with a root of ftp . Be certain to set the instance to the fully qualified hostname of the FTP server, then enable gssftp . |
IMAP |
The
cyrus-imap package uses Kerberos 5 if it also has the cyrus-sasl-gssapi package installed. The cyrus-sasl-gssapi package contains the Cyrus SASL plugins which support GSS-API authentication. Cyrus IMAP functions properly with Kerberos as long as the cyrus user is able to find the proper key in /etc/krb5.keytab , and the root for the principal is set to imap (created with kadmin ).
An alternative to
cyrus-imap can be found in the dovecot package, which is also included in Red Hat Enterprise Linux. This package contains an IMAP server but does not, to date, support GSS-API and Kerberos.
|
CVS | gserver uses a principal with a root of cvs and is otherwise identical to the CVS pserver . |
3.5. Setting up a Kerberos Client for Smart Cards
- Install the required PKI/OpenSSL package, along with the other client packages:
[root@server ~]# yum install krb5-pkinit-openssl [root@server ~]# yum install krb5-workstation krb5-libs krb5-auth-dialog
- Edit the
/etc/krb5.conf
configuration file to add a parameter for the public key infrastructure (PKI) to the[realms]
section of the configuration. Thepkinit_anchors
parameter sets the location of the CA certificate bundle file.[realms] EXAMPLE.COM = { kdc = kdc.example.com.:88 admin_server = kdc.example.com default_domain = example.com ... pkinit_anchors = FILE:/usr/local/example.com.crt }
- Add the PKI module information to the PAM configuration for both smart card authentication (
/etc/pam.d/smartcard-auth
) and system authentication (/etc/pam.d/system-auth
). The line to be added to both files is as follows:auth optional pam_krb5.so use_first_pass no_subsequent_prompt preauth_options=X509_user_identity=PKCS11:/usr/lib64/pkcs11/libcoolkeypk11.so
3.6. Domain-to-Realm Mapping
foo.example.org → EXAMPLE.ORG foo.example.com → EXAMPLE.COM foo.hq.example.com → HQ.EXAMPLE.COM
krb5.conf
. For example:
[domain_realm] .example.com = EXAMPLE.COM example.com = EXAMPLE.COM
3.7. Setting up Cross Realm Authentication
3.7.1. Setting up Basic Trust Relationships
A.EXAMPLE.COM
to access a service in the B.EXAMPLE.COM
realm, both realms must share a key for a principal named krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM
, and both keys must have the same key version number associated with them.
kadmin
.
# kadmin -r A.EXAMPLE.COM kadmin: add_principal krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM Enter password for principal "krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM": Re-enter password for principal "krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM": Principal "krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM" created. quit # kadmin -r B.EXAMPLE.COM kadmin: add_principal krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM Enter password for principal "krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM": Re-enter password for principal "krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM": Principal "krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM" created. quit
get_principal
command to verify that both entries have matching key version numbers (kvno
values) and encryption types.
Important
add_principal
command's -randkey
option to assign a random key instead of a password, dump the new entry from the database of the first realm, and import it into the second. This will not work unless the master keys for the realm databases are identical, as the keys contained in a database dump are themselves encrypted using the master key.
A.EXAMPLE.COM
realm are now able to authenticate to services in the B.EXAMPLE.COM
realm. Put another way, the B.EXAMPLE.COM
realm now trusts the A.EXAMPLE.COM
realm.
B.EXAMPLE.COM
realm can trust clients from the A.EXAMPLE.COM
to authenticate to services in the B.EXAMPLE.COM
realm. However, this trust is not automatically reciprocated so that the B.EXAMPLE.COM
realm are trusted to authenticate to services in the A.EXAMPLE.COM
realm. To establish trust in the other direction, both realms would need to share keys for the krbtgt/A.EXAMPLE.COM@B.EXAMPLE.COM
service — an entry with a reverse mapping from the previous example.
3.7.2. Setting up Complex Trust Relationships
A.EXAMPLE.COM
can authenticate to services in B.EXAMPLE.COM
, and clients from B.EXAMPLE.COM
can authenticate to services in C.EXAMPLE.COM
, then clients in A.EXAMPLE.COM
can also authenticate to services in C.EXAMPLE.COM
, even if C.EXAMPLE.COM
does not directly trust A.EXAMPLE.COM
. This means that, on a network with multiple realms which all need to trust each other, making good choices about which trust relationships to set up can greatly reduce the amount of effort required.
service/server.example.com@EXAMPLE.COM
EXAMPLE.COM
is the name of the realm.
domain_realm
section of /etc/krb5.conf
to map either a hostname (server.example.com) or a DNS domain name (.example.com) to the name of a realm (EXAMPLE.COM).
krb5.conf
file.
3.7.2.1. Configuring a Shared Hierarchy of Names
A.EXAMPLE.COM
, B.EXAMPLE.COM
, and EXAMPLE.COM
. When a client in the A.EXAMPLE.COM
realm attempts to authenticate to a service in B.EXAMPLE.COM
, it will, by default, first attempt to get credentials for the EXAMPLE.COM
realm, and then to use those credentials to obtain credentials for use in the B.EXAMPLE.COM
realm.
A.EXAMPLE.COM
, authenticating to a service in B.EXAMPLE.COM
has three hops: A.EXAMPLE.COM → EXAMPLE.COM → B.EXAMPLE.COM
.
A.EXAMPLE.COM
andEXAMPLE.COM
share a key forkrbtgt/EXAMPLE.COM@A.EXAMPLE.COM
EXAMPLE.COM
andB.EXAMPLE.COM
share a key forkrbtgt/B.EXAMPLE.COM@EXAMPLE.COM
SITE1.SALES.EXAMPLE.COM
, authenticating to a service in EVERYWHERE.EXAMPLE.COM
can have several series of hops:
SITE1.SALES.EXAMPLE.COM → SALES.EXAMPLE.COM → EXAMPLE.COM → EVERYWHERE.EXAMPLE.COM
SITE1.SALES.EXAMPLE.COM
andSALES.EXAMPLE.COM
share a key forkrbtgt/SALES.EXAMPLE.COM@SITE1.SALES.EXAMPLE.COM
SALES.EXAMPLE.COM
andEXAMPLE.COM
share a key forkrbtgt/EXAMPLE.COM@SALES.EXAMPLE.COM
EXAMPLE.COM
andEVERYWHERE.EXAMPLE.COM
share a key forkrbtgt/EVERYWHERE.EXAMPLE.COM@EXAMPLE.COM
DEVEL.EXAMPLE.COM
and PROD.EXAMPLE.ORG
.
DEVEL.EXAMPLE.COM → EXAMPLE.COM → COM → ORG → EXAMPLE.ORG → PROD.EXAMPLE.ORG
DEVEL.EXAMPLE.COM
andEXAMPLE.COM
share a key forkrbtgt/EXAMPLE.COM@DEVEL.EXAMPLE.COM
EXAMPLE.COM
andCOM
share a key forkrbtgt/COM@EXAMPLE.COM
COM
andORG
share a key forkrbtgt/ORG@COM
ORG
andEXAMPLE.ORG
share a key forkrbtgt/EXAMPLE.ORG@ORG
EXAMPLE.ORG
andPROD.EXAMPLE.ORG
share a key forkrbtgt/PROD.EXAMPLE.ORG@EXAMPLE.ORG
3.7.2.2. Configuring Paths in krb5.conf
capaths
section of /etc/krb5.conf
, so that clients which have credentials for one realm will be able to look up which realm is next in the chain which will eventually lead to the being able to authenticate to servers.
capaths
section is relatively straightforward: each entry in the section is named after a realm in which a client might exist. Inside of that subsection, the set of intermediate realms from which the client must obtain credentials is listed as values of the key which corresponds to the realm in which a service might reside. If there are no intermediate realms, the value "." is used.
[capaths] A.EXAMPLE.COM = { B.EXAMPLE.COM = . C.EXAMPLE.COM = B.EXAMPLE.COM D.EXAMPLE.COM = B.EXAMPLE.COM D.EXAMPLE.COM = C.EXAMPLE.COM }
A.EXAMPLE.COM
realm can obtain cross-realm credentials for B.EXAMPLE.COM
directly from the A.EXAMPLE.COM
KDC.
C.EXAMPLE.COM
realm, they will first need to obtain necessary credentials from the B.EXAMPLE.COM
realm (this requires that krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM
exist), and then use those
credentials to obtain credentials for use in the C.EXAMPLE.COM
realm (using krbtgt/C.EXAMPLE.COM@B.EXAMPLE.COM
).
D.EXAMPLE.COM
realm, they will first need to obtain necessary credentials from the B.EXAMPLE.COM
realm, and then credentials from the C.EXAMPLE.COM
realm, before finally obtaining credentials for use with the D.EXAMPLE.COM
realm.
Note
A.EXAMPLE.COM
realm can obtain cross-realm credentials from B.EXAMPLE.COM
realm directly. Without the "." indicating this, the client would instead attempt to use a hierarchical path, in this case:
A.EXAMPLE.COM → EXAMPLE.COM → B.EXAMPLE.COM
Chapter 4. Setting up Enterprise Security Client
4.1. Installing the Smart Card Package Group
Smart card support
package group. For example:
yum groupinstall "Smart card support"
4.2. Launching the Smart Card Manager UI
escd
) from the command line:
esc
Figure 4.1. Selecting the Smart Card Manager Item in the Menu
4.3. Overview of Enterprise Security Client Configuration
- A local interface, based on XUL and JavaScript
- A web-hosted interface which can be used for remote access, based on CGIs, HTML, and JavaScript
- A wide UI widget set and greater control over the presentation.
- Local markup to the client machine, so it has a greater privilege level than HTML.
- JavaScript as the scripting language for convenient program logic scripting and the ability to leverage XPCOM technology.
4.3.1. Enterprise Security Client File Locations
/usr/lib/esc-1.1.0/esc
. On Red Hat Enterprise Linux 64-bit systems, the installation directory is /usr/lib64/esc-1.1.0/esc
.
Note
File or Directory | Purpose |
---|---|
application.ini | XULRunner application configuration file. |
components/ | XPCOM components. |
chrome/ | Directory for Chrome components and additional application files for Enterprise Security Client XUL and JavaScript. |
defaults/ | Enterprise Security Client default preferences. |
esc | The script which launches the Enterprise Security Client. |
4.3.2. About the Preferences Configuration Files
esc-prefs.js
, which is installed with Enterprise Security Client. The second one is prefs.js
in the Mozilla profiles directory, which is created when the Enterprise Security Client is first launched.
/usr/lib/esc-1.1.0/defaults/preferences/esc-prefs.js
. On Red Hat Enterprise Linux 64-bit, this is in /usr/lib64/esc-1.1.0/defaults/preferences/esc-prefs.js
.
esc-prefs.js
file specifies the default configuration to use when the Enterprise Security Client is first launched. This includes parameters to connect to the TPS subsystem, set the password prompt, and configure Phone Home information. Each setting is prefaced by the word pref
, then the parameter and value are enclosed in parentheses. For example:
pref(parameter, value);
esc-prefs.js
file parameters are listed in Table 4.2, “esc-prefs.js Parameters”. The default esc-prefs.js
file is shown in Example 4.1, “Default esc-prefs.js File”.
Parameter | Description | Notes and Defaults |
---|---|---|
toolkit.defaultChromeURI | Defines the URL for the Enterprise Security Client to use to contact the XUL Chrome page. | ("toolkit.defaultChromeURI", "chrome://esc/content/settings.xul") |
esc.tps.message.timeout | Sets a timeout period, in seconds, for connecting to the TPS. | ("esc.tps.message.timeout","90"); |
esc.disable.password.prompt | Enables the password prompt, which means that a password is required to read the certificate information off the smart card.
The password prompt is disabled by default, so anyone can use the Enterprise Security Client. However, in security contexts, like when a company uses security officers to manage token operations, then enable the password prompt to restrict access to the Enterprise Security Client.
|
("esc.disable.password.prompt","yes");
|
esc.global.phone.home.url |
Sets the URL to use to contact the TPS server.
Normally, the Phone Home information is set on the token already through its applet. If a token does not have Phone Home information, meaning it has no way to contact the TPS server, then the Enterprise Security Client checks for a global default Phone Home URL.
This setting is only checked if it is explicitly set. This setting also applies to every token formatted through the client, so setting this parameter forces all tokens to point to the same TPS. Only use this parameter if that specific behavior is desired.
|
("esc.global.phone.home.url", "http://server.example.com:7888/cgi-bin/home/index.cgi");
|
esc.global.alt.nss.db |
Points to a directory that contains a common security database that is used by all Enterprise Security Client users on the server.
Phone Home URL.
This setting is only checked if it is explicitly set. If this is not set, then each user accesses only each individual profile security database, rather than a shared database.
|
prefs("esc.global.alt.nss.db", "C:/Documents and Settings/All Users/shared-db");
|
Example 4.1. Default esc-prefs.js File
#pref("toolkit.defaultChromeURI", "chrome://esc/content/settings.xul"); pref("signed.applets.codebase_principal_support",true); for internal use only pref("capability.principal.codebase.p0.granted", "UniversalXPConnect"); for internal use only pref("capability.principal.codebase.p0.id", "file://"); for internal use only pref("esc.tps.message.timeout","90"); #Do we populate CAPI certs on windows? pref("esc.windows.do.capi","yes"); #Sample Security Officer Enrollment UI #pref("esc.security.url","http://test.host.com:7888/cgi-bin/so/enroll.cgi"); #Sample Security Officer Workstation UI #pref("esc.security.url","https://dhcp-170.sjc.redhat.com:7889/cgi-bin/sow/welcome.cgi"); #Hide the format button or not. pref("esc.hide.format","no"); #Use this if you absolutely want a global phone home url for all tokens #Not recommended! #pref("esc.global.phone.home.url","http:/test.host.com:7888/cgi-bin/home/index.cgi");
~/.redhat/esc/alphanumeric_string.default/prefs.js
in Red Hat Enterprise Linux 6.
Note
prefs.js
file. Editing this file is tricky. The prefs.js
file is generated and edited dynamically by the Enterprise Security Client, and manual changes to this file are overwritten when the Enterprise Security Client exits.
Parameter | Description | Notes and Defaults |
---|---|---|
esc.tps.url | Sets a URL for the Enterprise Security Client to use to connect to the TPS. This is not set by default. | |
esc.key.token_ID.tps.url |
Sets the hostname and port to use to contact a TPS.
If this Phone Home information was not burned into the card at the factory, it can be manually added to the card by adding the TPS URL, an enrollment page URL, the issuer's name, and Phone Home URL.
|
("esc.key.token_ID.tps.url" = "http://server.example.com:7888/nk_service");
|
esc.key.token_ID.tps.enrollment-ui.url |
Gives the URL to contact the enrollment page for enroll certificates on the token.
If this Phone Home information was not burned into the card at the factory, it can be manually added to the card by adding the TPS URL, an enrollment page URL, the issuer's name, and Phone Home URL.
| ("esc.key.token_ID.tps.enrollment-ui.url" = "http://server.example.com:7888/cgi_bin/esc.cgi?"); |
esc.key.token_ID.issuer.name |
Gives the name of the organization enrolling the token.
| ("esc.key.token_ID.issuer.name" = "Example Corp"); |
esc.key.token_ID.phone.home.url |
Gives the URL to use to contact the Phone Home functionality for the TPS.
The global Phone Home parameter sets a default to use with any token enrollment, if the token does not specify the Phone Home information. By setting this parameter to a specific token ID number, the specified Phone Home parameter applies only to that token.
| ("esc.key.token_ID.phone.home.url" = "http://server.example.com:7888/cgi-bin/home/index.cgi?"); |
esc.security.url |
Points to the URL to use for security officer mode.
If this is pointed to the security officer enrollment form, then the Enterprise Security Client opens the forms to enroll security officer tokens. If this is pointed to the security officer workstation URL, then it opens the workstation to enroll regular users with security officer approval.
| ("esc.security.url","https ://server.example.com:7888/cgi-bin/so/enroll.cgi "); |
4.3.3. About the XUL and JavaScript Files in the Enterprise Security Client
/usr/lib[64]/esc-1.1.0/chrome/content/esc/
.
Filename | Purpose |
---|---|
settings.xul | Contains the code for the Settings page. |
esc.xul | Contains the code for the Enrollment page. |
config.xul | Contains the code for the configuration UI. |
Filename | Purpose |
---|---|
ESC.js | Contains most of the Smart Card Manager JavaScript functionality. |
TRAY.js | Contains the tray icon functionality. |
AdvancedInfo.js | Contains the code for the Diagnostics feature. |
GenericAuth.js | Contains the code for the authentication prompt. This prompt is configurable from the TPS server, which requires dynamic processing by the Smart Card Manager. |
4.4. Configuring Phone Home
Note
op.format.userKey.issuerinfo.enable=true op.format.userKey.issuerinfo.value=http://server.example.com
4.4.1. About Phone Home Profiles
esc-prefs.js
file for the esc.global.phone.home.url
parameter.
Figure 4.2. Prompt for Phone Home Information
4.4.2. Setting Global Phone Home Information
esc-prefs.js
, has a parameter which allows a global Phone Home URL default to be set. This parameter is esc.global.phone.home.url
and is not in the file by default.
- Remove any existing Enterprise Security Client user profile directory. Profile directories are created automatically when a smart card is inserted. By default, the profile directory is
~/.redhat/esc
. - Open the
esc-prefs.js
file.On Red Hat Enterprise Linux 6, the profile directory is/usr/lib/esc-1.1.0/defaults/preferences
. On 64-bit systems, this is/usr/lib64/esc-1.1.0/defaults/preferences
. - Add the global Phone Home parameter line to the
esc-prefs.js
file. For example:pref("esc.global.phone.home.url","http://server.example.com:7888/cgi-bin/home/index.cgi");
The URL can reference a machine name, a fully-qualified domain name, or an IPv4 or IPv6 address, depending on the DNS and network configuration.
4.4.3. Adding Phone Home Information to a Token Manually
- The preferred method is that the information is burned onto the token at the factory. When the tokens are ordered from the manufacturer, the company supplies detailed information on how the tokens should be configured when shipped.
- If tokens are blank, the company IT department can supply the information when formatting small groups of tokens.
~/.redhat/esc/alphanumeric_string.default/prefs.js
file:
- The TPS server and port. For example:
"esc.key.token_ID.tps.url" = "http://server.example.com:7888/nk_service"
- The TPS enrollment interface URL. For example:
"esc.key.token_ID.tps.enrollment-ui.url" = "http://server.example.com:7888/cgi_bin/esc.cgi?"
- The issuing company name or ID. For example:
"esc.key.token_ID.issuer.name" = "Example Corp"
- The Phone Home URL. For example:
"esc.key.token_ID.phone.home.url" = "http://server.example.com:7888/cgi-bin/home/index.cgi?"
- Optionally, a default browser URL to access when an enrolled smart card is inserted.
"esc.key.token_ID.EnrolledTokenBrowserURL" = "http://www.test.example.com"
prefs.js
file are listed in Table 4.3, “prefs.js Parameters”.
Note
4.4.4. Configuring the TPS to Use Phone Home
index.cgi
in the /var/lib/pki-tps/cgi-bin/home
directory; this prints the Phone Home information to XML.
Example 4.2. TPS Phone Home Configuration File
<ServiceInfo><IssuerName>Example Corp</IssuerName> <Services> <Operation>http://server.example.com:7888/nk_service ## TPS server URL </Operation> <UI>http://server.example.com:7888/cgi_bin/esc.cgi ## Optional Enrollment UI </UI> <EnrolledTokenBrowserURL>http://www.test.url.com ## Optional enrolled token url </EnrolledTokenBrowserURL> </Services> </ServiceInfo>
http://server.example.com:7888/cgi-bin/home/index.cgi
; the URL can reference the machine name, fully-qualified domain name, or an IPv4 or IPv6 address, as appropriate. When the TPS configuration URI is accessed, the TPS server is prompted to return all of the Phone Home information to the Enterprise Security Client.
4.5. Using Security Officer Mode
- The ability to search for an individual within an organization.
- An interface that displays a photo and other pertinent information about an individual.
- The ability to enroll approved individuals.
- Formatting or resetting a user's card.
- Formatting or resetting a security officer's card.
- Enrolling a temporary card for a user that has misplaced their primary card.
- Storing TPS server information on a card. This Phone Home information is used by the Enterprise Security Client to contact a given TPS server installation.
- Creating and managing security officers.
- Managing regular users by security officers.
Note
4.5.1. Enabling Security Officer Mode
esc-prefs.js
file.
- Add the security officer user entry to the TPS database as a member of the TUS Officers group. This group is created by default in the TPS LDAP database and is the expected location for all security officer user entries.
Note
It can be simpler to add and copy user entries in the LDAP database using the Red Hat Directory Server Console. Using the Directory Server Console is described in the Red Hat Directory Server Administrators Guide in section 3.1.2, "Creating Directory Entries."There are two subtrees associated with the TPS, each associated with a different database. (Commonly, both databases can be on the same server, but that is not required.)The LDAP directory and the suffix are defined in the token profile in the TPS- The first suffix, within the authentication database, is for external users; the TPS checks their user credentials against the directory to authenticate any user attempting to enroll a smart card. This has a distinguished name (DN) like
dc=server,dc=example,dc=com
. - The other database is used for internal TPS instance entries, including TPS agents, administrators, and security officers. This subtree is within the internal database for the TPS, which includes the token database. This subtree has a DN based on the TPS server, like
dc=server.example.com-pki-tps
. The TUS Officers group entry is under thedc=server.example.com-pki-tps
suffix.
CS.cfg
file in theauthId
andbaseDN
parameters for the security officer's auth instance. For example:auth.instance.1.authId=ldap2 auth.instance.1.baseDN=dc=sec officers,dc=server.example.com-pki-tps
Any security officer entry has to be a child entry of the TUS Officers group entry. This means that the group entry is the main entry, and the user entry is directly beneath it in the directory tree.The TUS Officers group entry iscn=TUS Officers,ou=Groups,dc=server.example.com-pki-tps
.For example, to add the security officer entry usingldapmodify
:/usr/lib/mozldap/ldapmodify -a -D "cn=Directory Manager" -w secret -p 389 -h server.example.com dn:
uid=jsmith
,cn=TUS Officers,ou=Groups,dc=server.example.com-pki-tps objectclass: inetorgperson objectclass: organizationalPerson objectclass: person objectclass: top sn: smith uid: jsmith cn: John Smith mail: jsmith@example.com userPassword: secretPress the Enter key twice to send the entry, or use Ctrl+D.
- First, trust the CA certificate chain.
Note
This step is only required if the certificate is not yet trusted in the Enterprise Security Client database.If you want to point the Enterprise Security Client to a database which already contains the required certificates, use theesc.global.alt.nss.db
in theesc-prefs.js
file to point to another database.- Open the CA's end-entities page.
http
s
://server.example.com:9444/ca/ee/ca/
- Click the Retrieval tab, and download the CA certificate chain.
- Open the Enterprise Security Client.
esc
- Click the View Certificates button.
- Click the Authorities tab.
- Click thebutton, and import the CA certificate chain.
- Set the trust settings for the CA certificate chain.
- Then, format and enroll the security officer's token. This token is used to access the security officer Smart Card Manager UI.
- Insert a blank token.
- When the prompt for the Phone Home information opens, enter the security officer URL.
/var/lib/pki-tps/cgi-bin/so/index.cgi
- Click thebutton to format the security officer's token.
- Close the interface and stop the Enterprise Security Client.
- Add two parameters in the
esc-prefs.js
file. The first,esc.disable.password.prompt
, sets security officer mode. The second,esc.security.url
, points to the security officer enrollment page. Just the presence of theesc.security.url
parameter instructs the Enterprise Security Client to open in security officer mode next time it opens.pref("esc.disable.password.prompt","no"); pref("esc.security.url","http
s
://server.example.com:7888/cgi-bin/so/enroll.cgi
"); - Start the Enterprise Security Client again, and open the UI.
esc
- The Enterprise Security Client is configured to connect to the security officer enrollment form in order to enroll the new security officer's token. Enroll the token as described in Section 4.5.2, “Enrolling a New Security Officer”.
- Close the interface and stop the Enterprise Security Client.
- Edit the
esc-prefs.js
file again, and this time change theesc.security.url
parameter to point to the security officer workstation page.pref("esc.security.url","http
s
://server.example.com:7889/cgi-bin/sow/welcome.cgi
"); - Restart the Enterprise Security Client again. The UI now points to the security officer workstation to allow security officers to enroll tokens for regular users.
escd
process, and comment out the esc.security.url
and esc.disable.password.prompt
lines in the esc-prefs.js
file. When the esc
process is restarted, it starts in normal mode.
4.5.2. Enrolling a New Security Officer
- Make sure the
esc
process is running.esc
With security officer mode enabled in theesc-pref.js
file (Section 4.5.1, “Enabling Security Officer Mode”), the security officer enrollment page opens. - In the Security Officer Enrollment window, enter the LDAP user name and password of the new security officer and a password that will be used with the security officer's smart card.
Note
If the password is stored using the SSHA hash, then any exclamation point (!) and dollar sign ($) characters in the password must be properly escaped for a user to bind successfully to the Enterprise Security Client on Windows XP and Vista systems.- For the dollar sign ($) character, escape the dollar sign when the password is created:
\$
Then, enter only the dollar sign ($) character when logging into the Enterprise Security Client. - For the exclamation point (!) character, escape the character when the password is created and when the password is entered to log into the Enterprise Security Client.
\!
- Click.
4.5.3. Using Security Officers to Manage Users
4.5.3.1. Enrolling a New User
- Make sure the
esc
process is running. If necessary, start the process.esc
Also, make sure that security officer mode is enabled, as described in Section 4.5.1, “Enabling Security Officer Mode”. - Then open the Smart Card Manager UI.
Note
Ensure that there is a valid and enrolled security officer card plugged into the computer. A security officer's credentials are required to access the following pages. - Clickto display the security officer Station page. The client prompts for the password for the security officer's card (which is required for SSL client authentication) or to select the security officer's signing certificate from the drop-down menu.
- Click the Security Officer Select User page.link to display the
- Enter the LDAP name of the user who is to receive a new smart card.
- Click Security Officer Confirm User page opens.. If the user exists, the
- Compare the information returned in the Smart Card Manager UI to the person or credentials that are present.
- If all the details are correct, click Security Officer Enroll User page. This page prompts the officer to insert a new smart card into the computer.to display the
- If the smart card is properly recognized, enter the new password for this card and click.
4.5.3.2. Performing Other Security Officer Tasks
- Make sure the
esc
process is running. If necessary, start the process.esc
Also, make sure that security officer mode is enabled, as described in Section 4.5.1, “Enabling Security Officer Mode”. - Then open the Smart Card Manager UI.
Note
Ensure that there is a valid and enrolled security officer card plugged into the computer. A security officer's credentials are required to access the following pages. - Clickto display the security officer Station page. If prompted, enter the password for the security officer's card. This is required for SSL client authentication.
- Select the operation from the menu (enrolling a temporary token, formatting the card, or setting the Phone Home URL).
- Continue the operation as described in Chapter 4, Setting up Enterprise Security Client.
4.5.3.3. Formatting an Existing Security Officer Smart Card
Important
- Make sure that security officer mode is enabled, as described in Section 4.5.1, “Enabling Security Officer Mode”.
- Open the Smart Card Manager UI.
Note
Ensure that there is a valid and enrolled security officer card plugged into the computer. A security officer's credentials are required to access the following pages. - Clickto display the security officer Station page. If prompted, enter the password for the security officer's card. This is required for SSL client authentication.
- Select the operation from the menu (enrolling a temporary token, formatting the card, or setting the Phone Home URL).
- Click. Because the security officer card is already inserted, the following screen displays:
- Clickto begin the operation.
4.6. Configuring SSL Connections with the TPS
- Download the CA certificate used by the TPS.
- Open the CA's end user pages in a web browser.
http
s
://server.example.com:9444/ca/ee/ca/
- Click the Retrieval tab at the top.
- In the left menu, click the Import CA Certificate Chain link.
- Choose the radio button to download the chain as a file, and remember the location and name of the downloaded file.
- Open the Enterprise Security Client.
- Import the CA certificate.
- Click thebutton.
- Click the Authorities tab.
- Click Import.
- Browse to the CA certificate chain file, and select it.
- When prompted, confirm that you want to trust the CA.
- The Enterprise Security Client needs to be configured to communicate with the TPS over SSL; this is done by setting the Phone Home URL, which is the default URL the Enterprise Security Client uses to connect to the TPS.
- Insert a new, blank token into the machine.Blank tokens are unformatted, so they do not have an existing Phone Home URL, and the URL must be set manually. Formatted tokens (tokens can be formatted by the manufacturer or by your IT department) already have the URL set, and thus do not prompt to set the Phone Home URL.
- Fill in the new TPS URL with the SSL port information. For example:
http
s
://server.example.com:7890
/cgi-bin/home/index.cgi - Click thebutton to send a message to the TPS.If the request is successful, the client opens a dialog box saying that the Phone Home URL was successfully obtained.
4.7. Customizing the Smart Card Enrollment User Interface
/var/lib/pki-tps/cgi-bin/home/Enroll.html
for regular enrollments/var/lib/pki-tps/cgi-bin/so/Enroll.html
for security officer enrollments/var/lib/pki-tps/cgi-bin/sow/Enroll.html
for security officer workstation enrollments (users enrolled through the security officer UI)Note
The security officer workstation directory contains other HTML files for other token operations, such as formats and PIN resets.
docroot/
directory, such as /var/lib/pki-tps/docroot/esc/sow
for the security officer enrollment file in /var/lib/pki-tps/cgi-bin/sow
.
Example 4.3. Changing Page Text
<!-- Change the title if desired --> <title>Enrollment
</title> ... <p class="headerText">Smartcard Enrollment
</p> ... <!-- Insert customized descriptive text here. --> <p class="bodyText">You have plugged in your smart card!
After answering a few easy questions, you will be able to use your smart card.
</p> <p class="bodyText">Now we would like you to identify yourself.
</p> ... <table> <tr> <td><p >LDAP User ID:
</p></td> <td> </td> <td><input type="text" id="snametf" value=""></td> </tr> </table>
style.css
CSS style sheet and the logo image, logo.png
.
Example 4.4. Changing Page Styles
<link rel=stylesheethref="/esc/home/style.css"
type="text/css"> ... <table width="100%" class="logobar"> <tr> <td> <img alt=""src="/home/logo.jpg
"> </td> <td> <p class="headerText">Smartcard Enrollment</p> </td> </tr> </table>
style.css
file is a standard CSS file, so all of the tags and classes can be defined as follows:
body { background-color: grey; font-family: arial; font-size: 7p }
Enroll.html
files is through the JavaScript file which sets the page functionality. This file controls features like the progress meter, as well as processing the inputs which are used to authenticate the user to the user directory.
Example 4.5. Changing Page Script
<progressmeter id="progress-id" hidden="true" align = "center"
/> ... <table> <tr> <td><p >LDAP User ID: </p></td> <td> </td> <td><input type="text"id="snametf"
value=""></td> </tr> </table>
Warning
util.js
file. If this file is improperly edited, it can break the Enterprise Security Client UI and prevent tokens from being enrolled.
/var/lib/pki-tps/cgi-bin/home/Enroll.html
file is in Example 4.6, “Complete Enroll.html File”.
Example 4.6. Complete Enroll.html File
<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <link rel=stylesheet href="/esc/home/style.css" type="text/css"> <title>Enrollment</title> </head> <script type="text/JavaScript" src="/esc/home/util.js"> </script> <body onload="InitializeBindingTable();" onunload=cleanup()> <progressmeter id="progress-id" hidden="true" align = "center"/> <table width="100%" class="logobar"> <tr> <td> <img alt="" src="/home/logo.jpg"> </td> <td> <p class="headerText">Smartcard Enrollment</p>p </td> </tr> </table> <table id="BindingTable" width="200px"align="center"> <tr id="HeaderRow"> </tr> </table> <p class="bodyText">You have plugged in your smart card! After answering a few easy questions, you will be able to use your smart card. </p>p <p class="bodyText"> Now we would like you to identify yourself. </p>p <table> <tr> <td><p >LDAP User ID: </p>p</td> <td> </td> <td><input type="text" id="snametf" value=""></td> <td> </td> <td><p>LDAP Password: </p>p</td> <td> </td> <td><input type="password" id="snamepwd" value=""></td> </tr> </table> <p class="bodyText"> Before you can use your smart card, you will need a password to protect it.</p>p <table> <tr> <td><p >Password:</p>p</td> <td><input type="password" id="pintf" name="pintf" value=""></td> <td><p >Re-Enter Password:</p>p</td> <td><input type="password" id="reenterpintf" name="reenterpintf" value=""></td> </table> <br> <table width="100%"> <tr> <td align="right"> <input type="button" id="enrollbtn" name="enrollbtn" value="Enroll My Smartcard" onClick="DoEnrollCOOLKey();"> </td> </tr> </table> </body></html>
4.8. Disabling LDAP Authentication for Token Operations
- Stop the TPS subsystem.
service pki-tps stop
- Open the TPS configuration file.
vim /var/lib/pki-tps/conf/CS.cfg
- Set the authentication parameters to
false
.op.operation_type.token_type.loginRequest.enable=false op.operation_type.token_type.auth.enable=false
The operation_type is the token operation for which LDAP authentication is being disabled, such asenroll
,format
, orpinreset
. Disabling authentication for one operation type does not disable it for any other operation types.The token_type is the token profile. There are default profiles for regular users, security officers, and the users enrolled by security officers. There can also be custom token types for other kinds of users or certificates.For example:op.
enroll.userKey.
loginRequest.enable=false op.enroll.userKey
.pinReset.enable=false - Restart the TPS subsystem.
service pki-tps start
Chapter 5. Using Smart Cards with the Enterprise Security Client
5.1. Supported Smart Cards
- Safenet 330J Java smart cards
- Gemalto 64K V2 tokens, both as a smart card and GemPCKey USB form factor key
- Gemalto GCx4 72K and TOPDLGX4 144K common access cards (CAC)
- Oberthur ID One V5.2 common access cards (CAC)
- Personal identity verification (PIV) cards, compliant with FIPS 201
Note
- SCM SCR331 CCID
- OMNIKEY 3121
5.2. Setting up Users to Be Enrolled
CS.cfg
:
auth.instance.0.baseDN=dc=example,dc=com
auth.instance.0.hostport=server.example.com:389
/usr/bin/ldapmodify -a -D "cn=Directory Manager" -w secret-p 389 -h server.example.com
dn: uid=jsmith,ou=People,dc=example,dc=com
objectclass: person objectclass: inetorgperson objectclass: top uid: jsmith cn: John Smith email: jsmith@example.com userPassword: secret
5.3. Enrolling a Smart Card Automatically
Note
- Ensure that the Enterprise Security Client is running.
- Insert an uninitialized smart card, pre-formatted with the Phone Home information for the TPS and the enrollment interface URL for the user's organization.The smart card can be added either by placing a USB form factor smart card into a free USB slot, or by inserting a standard, full-sized smart card into a smart card reader.When the system recognizes the smart card, it displays a message indicating it has detected an uninitialized smart card.
- Clickto display the smart card enrollment form.
Note
If you remove the card at this point, a message displays stating that the smart card can no longer be detected. Reinsert the card to continue with the enrollment process.The enrollment files are accessed remotely; they reside on the TPS instance. If the network connection is bad or broken, then an error may come up saying Check the Network Connection and Try Again. It is also possible that the enrollment window appears to open but the enrollment process does not proceed. The enrollment pages can be cached if the Enterprise Security Client previously connect to them successfully, so the enrollment UI opens even if the network is offline. Try restarting Enterprise Security Client and check the network connection. - Because the Smart Card Manager now knows where the enrollment UI is located (it is included in the Phone Home information), the enrollment form is displayed for the user to enter the required information.This illustration shows the default enrollment UI included with the TPS server. This UI is a standard HTML form, which you can customize to suit your own deployment requirements. This could include adding a company logo or adding and changing field text.See Section 4.7, “Customizing the Smart Card Enrollment User Interface” for information on customizing the UI.
- The sample enrollment UI requires the following information for the TPS server to process the smart card enrollment operation:
- LDAP User ID. This is the LDAP user ID of the user enrolling the smart card; this can also be a screen name or employee or customer ID number.
- LDAP Password. This is the password corresponding to the user ID entered; this can be a simple password or a customer number.
Note
The LDAP user ID and password are related to the Directory Server user. The TPS server is usually associated with a Directory Server, which stores user information and through which the TPS authenticates users.Passwords must conform to the password policy configured in the Directory Server. - Password and Re-Enter Password. These fields set and confirm the smart card's password, used to protect the card information.
- After you have entered all required information, click Enroll My Smart Card to submit the information and enroll the card.
- When the enrollment process is complete, a message page opens which shows that the card was successfully enrolled and can offer custom instructions on using the newly-enrolled smart card.
5.4. Managing Smart Cards
Figure 5.1. Manage Smart Cards Page
5.4.1. Formatting the Smart Card
- Insert a supported smart card into the computer. Ensure that the card is listed in the Active Smart Cards table.
- In the Smart Card Functions section of the Manage Smart Cards screen, click .
- If the TPS has been configured for user authentication, enter the user credentials in the authentication dialog, and click.
- During the formatting process, the status of the card changes to BUSY and a progress bar is displayed. A success message is displayed when the formatting process is complete. Clickto close the message box.
- When the formatting process is complete, the Active Smart Cards table shows the card status as UNINITIALIZED.
5.4.2. Resetting a Smart Card Password
- Insert a supported smart card into the computer. Ensure that the card is listed in the Active Smart Cards table.
- In the Smart Card Functions section of the Manage Smart Cards screen, click to display the Password dialog.
- Enter a new smart card password in the Enter new password field.
- Confirm the new smart card password in the Re-Enter password field, and then click .
- If the TPS has been configured for user authentication, enter the user credentials in the authentication dialog, and click.
- Wait for the password to finish being reset.
5.4.3. Viewing Certificates
- Insert a supported smart card into the computer. Ensure that the card is listed in the Active Smart Cards table.
- Select the card from the list, and click.This displays basic information about the certificates stored on the card, including the serial number, certificate nickname, and validity dates.
- To view more detailed information about a certificate, select the certificate from the list and click.
5.4.4. Importing CA Certificates
- Open the CA's end user pages in a web browser.
http
s
://server.example.com:9444/ca/ee/ca/
- Click the Retrieval tab at the top.
- In the left menu, click the Import CA Certificate Chain link.
- Choose the radio button to download the chain as a file, and remember the location and name of the downloaded file.
- Open the Smart Card Manager GUI.
- Click thebutton.
- Click the Authorities tab.
- Click Import.
- Browse to the CA certificate chain file, and select it.
- When prompted, confirm that you want to trust the CA.
5.4.5. Adding Exceptions for Servers
- Open the Smart Card Manager UI.
- Click thebutton.
- Click the Servers tab.
- Click Add Exception.
- Enter the URL, including any port numbers, for the site or service which the smart card will be used to access. Then click thebutton to download the server certificate for the site.
- Clickto add the site to the list of allowed sites.
5.4.6. Enrolling Smart Cards
Note
- Insert a supported, unenrolled smart card into the computer. Ensure that the card is listed in the Active Smart Cards table.
- Click Password dialog.to display the
- Enter a new key password in the Enter a password field.Confirm the new password in the Re-Enter a password field.
- Clickto begin the enrollment.
- If the TPS has been configured for user authentication, enter the user credentials in the authentication dialog, and click.
- If the TPS has been configured to archive keys to the DRM, the enrollment process will begin generating and archiving keys.
5.5. Diagnosing Problems
- Open the Smart Card Manager UI.
- Select the smart card to check from the list.
- Click thebutton.
- This opens thewindow for the selected smart card.
- The Enterprise Security Client version number (listed as the Smart Card Manager version).
- The version information for the XULRunner framework upon which the client is running.
- The number of cards detected by the Enterprise Security Client.
- The version of the applet running on the smart card.
- The alpha-numeric ID of the smart card.
- The card's status, which can be any of the three things:
- NO_APPLET No key was detected.
- UNINITIALIZED. The key was detected, but no certificates have been enrolled.
- ENROLLED. The detected card has been enrolled with certificate and card information.
- The card's Phone Home URL. This is the URL from which all Phone Home information is obtained.
- The card issuer name, such as
Example Corp.
- The card's answer-to-reset (ATR) string. This is a unique value that can be used to identify different classes of smart cards. For example:
3BEC00FF8131FE45A0000000563333304A330600A1
- The TPS Phone Home URL.
- The TPS server URL. This is retrieved through Phone Home.
- The TPS enrollment form URL. This is retrieved through Phone Home.
- Detailed information about each certificate contained on the card.
- A running log of the most recent Enterprise Security Client errors and common events.
5.5.1. Errors
- The Enterprise Security Client does not recognize a card.
- Problems occur during a smart card operation, such as a certificate enrollment, password reset, or format operation.
- The Enterprise Security Client loses the connection to the smart card. This can happen when problems occur communicating with the
PCSC
daemon. - The connection between the Enterprise Security Client and TPS is lost.
tps-debug.log
or tps-error.log
files, depending on the cause for the message.
Return Code | Description |
---|---|
General Error Codes | |
6400 | No specific diagnosis |
6700 | Wrong length in Lc |
6982 | Security status not satisfied |
6985 | Conditions of use not satisfied |
6a86 | Incorrect P1 P2 |
6d00 | Invalid instruction |
6e00 | Invalid class |
Install Load Errors | |
6581 | Memory Failure |
6a80 | Incorrect parameters in data field |
6a84 | Not enough memory space |
6a88 | Referenced data not found |
Delete Errors | |
6200 | Application has been logically deleted |
6581 | Memory failure |
6985 | Referenced data cannot be deleted |
6a88 | Referenced data not found |
6a82 | Application not found |
6a80 | Incorrect values in command data |
Get Data Errors | |
6a88 | Referenced data not found |
Get Status Errors | |
6310 | More data available |
6a88 | Referenced data not found |
6a80 | Incorrect values in command data |
Load Errors | |
6581 | Memory failure |
6a84 | Not enough memory space |
6a86 | Incorrect P1/P2 |
6985 | Conditions of use not satisfied |
5.5.2. Events
- Simple events such as card insertions and removals, successfully completed operations, card operations that result in an error, and similar events.
- Errors are reported from the TPS to the Enterprise Security Client.
- The NSS crypto library is initialized.
- Other low-level smart card events are detected.
Chapter 6. Configuring Applications for Single Sign-On
/usr/lib/libcoolkeypk11.so
.
6.1. Configuring Firefox to Use Kerberos for Single Sign-On
- In the address bar of Firefox, type
about:config
to display the list of current configuration options. - In the Filter field, type
negotiate
to restrict the list of options. - Double-click the network.negotiate-auth.trusted-uris entry.
- Enter the name of the domain against which to authenticate.
- Next, configure the network.negotiate-auth.delegation-uris entry, using the same domain as for network.negotiate-auth.trusted-uris.
Note
kinit
command and supply the user password for the user on the KDC.
[jsmith@host ~] $ kinit Password for jsmith@EXAMPLE.COM:
- Close all instances of Firefox.
- In a command prompt, export values for the
NSPR_LOG_*
variables:export NSPR_LOG_MODULES=negotiateauth:5 export NSPR_LOG_FILE=/tmp/moz.log
- Restart Firefox from that shell, and visit the website where Kerberos authentication is failing.
- Check the
/tmp/moz.log
file for error messages with nsNegotiateAuth in the message.
- The first error says that no credentials have been found.
-1208550944[90039d0]: entering nsNegotiateAuth::GetNextToken() -1208550944[90039d0]: gss_init_sec_context() failed: Miscellaneous failure No credentials cache found
This means that there are no Kerberos tickets (meaning that they expired or were not generated). To fix this, runkinit
to generate the Kerberos ticket and then open the website again. - The second potential error is if the browser is unable to contact the KDC, with the message Server not found in Kerberos database.
-1208994096[8d683d8]: entering nsAuthGSSAPI::GetNextToken() -1208994096[8d683d8]: gss_init_sec_context() failed: Miscellaneous failure Server not found in Kerberos database
This is usually a Kerberos configuration problem. The correct entries must be in the[domain_realm]
section of the/etc/krb5.conf
file to identify the domain. For example:.example.com = EXAMPLE.COM example.com = EXAMPLE.COM
- If there are no errors in the log, then the problem could be that an HTTP proxy server is stripping off the HTTP headers required for Kerberos authentication. Try to connect to the site using HTTPS, which allows the request to pass through unmodified.
6.2. Enabling Smart Card Login
Note
- nss-tools
- esc
- pam_pkcs11
- coolkey
- ccid
- gdm
- authconfig
- authconfig-gtk
- krb5-libs
- krb5-workstation
- krb5-auth-dialog
- krb5-pkinit-openssl
- Log into the system as root.
- Download the root CA certificates for the network in base 64 format, and install them on the server. The certificates are installed in the appropriate system database using the
certutil
command. For example:# certutil -A -d /etc/pki/nssdb -n "root CA cert" -t "CT,C,C" -i /tmp/ca_cert.crt
- In the top menu, select themenu, select , and then click .
- Open the Advanced Options tab.
- Click the Enable Smart Card Support checkbox.
- When the button is active, click.There are two behaviors that can be configured for smart cards:
- The Require smart card for login checkbox requires smart cards and essentially disables Kerberos password authentication for logging into the system. Do not select this until after you have successfully logged in using a smart card.
- The Card removal action menu sets the response that the system takes if the smart card is removed during an active session.
Ignore
means that the system continues functioning as normal if the smart card is removed, whileLock
immediately locks the screen.
- By default, the mechanisms to check whether a certificate has been revoked (Online Certificate Status Protocol, or OCSP, responses) are disabled. To validate whether a certificate has been revoked before its expiration period, enable OCSP checking by adding the
ocsp_on
option to thecert_policy
directive.- Open the
pam_pkcs11.conf
file.vim /etc/pam_pkcs11/pam_pkcs11.conf
- Change every
cert_policy
line so that it contains theocsp_on
option.cert_policy = ca,
ocsp_on,
signature;Note
Because of the way the file is parsed, there must be a space betweencert_policy
and the equals sign. Otherwise, parsing the parameter fails.
- If the smart card has not yet been enrolled (set up with personal certificates and keys), enroll the smart card, as described in Section 5.3, “Enrolling a Smart Card Automatically”.
- If the smart card is a CAC card, the PAM modules used for smart card login must be configured to recognize the specific CAC card.
- As root, create a file called
/etc/pam_pkcs11/cn_map
. - Add the following entry to the
cn_map
file:MY.CAC_CN.123454 -> login
MY.CAC_CN.123454 is the common name on the CAC card and login is the Red Hat Enterprise Linux login ID.
Note
pklogin_finder
tool (in debug mode) first maps the login ID to the certificates on the card and then attempts to output information about the validity of certificates.
pklogin_finder debug
6.3. Setting up Browsers to Support SSL for Tokens
- In Mozilla Firefox, open themenu, choose , and then click .
- Open thetab.
- Add a PKCS #11 driver.
- Click Device Manager window, and then click the button.to open the
- Enter a module name, such as
token key pk11 driver
. - Click, find the Enterprise Security Client PKCS #11 driver, and click . The PKCS #11 module used by these applications, by default, is located in
/usr/lib/libcoolkeypk11.so
.
- If the CA is not yet trusted, download and import the CA certificate.
- Open the SSL End Entity page on the CA. For example:
http
s
://server.example.com:9444/ca/ee/ca/
- Click the Retrieval tab, and then click Import CA Certificate Chain.
- Click Download the CA certificate chain in binary form and then click .
- Choose a suitable directory to save the certificate chain, and then click.
- Click Advanced tab., and select the
- Click thebutton.
- Click, and import the CA certificate.
- Set the certificate trust relationships.
- Click Advanced tab., and select the
- Click thebutton.
- Click, and set the trust for websites.
6.4. Using the Certificates on Tokens for Mail Clients
- In Mozilla Thunderbird, open themenu, choose , and then click .
- Open thetab.
- Add a PKCS #11 driver.
- Click Device Manager window.to open the
- Click thebutton.
- Enter the module name, such as
token keypk11 driver
. - Click, find the Enterprise Security Client PKCS #11 driver, and click . The PKCS #11 module used by these applications, by default, is located in
/usr/lib/libcoolkeypk11.so
.
- If the CA is not yet trusted, download and import the CA certificate.
- Open the SSL End Entity page on the CA. For example:
http
s
://server.example.com:9444/ca/ee/ca/
- Click the Retrieval tab, and then click Import CA Certificate Chain.
- Click Download the CA certificate chain in binary form and then click .
- Choose a suitable directory to save the certificate chain, and then click.
- In Mozilla Thunderbird, open themenu, choose , and then click .
- Open thetab, and click the button.
- Click thetab, and import the CA certificate.
- Set up the certificate trust relationships.
- In Mozilla Thunderbird, open themenu, choose , and then click .
- Open thetab, and click the button.
- In the Authorities tab, select the CA, and click the button.
- Set the trust settings for identifying websites and mail users.
- In the Digital Signing section of the Security panel, click to choose a certificate to use for signing messages.
- In the Encryption of the Security panel, click to choose the certificate to encrypt and decrypt messages.
Appendix A. Revision History
Revision History | |||
---|---|---|---|
Revision 6.7-4 | Wed Mar 8 2017 | ||
| |||
Revision 6.7-3 | Wed May 4 2016 | ||
| |||
Revision 6.7-2 | Thu Jan 7 2016 | ||
| |||
Revision 6.7-1 | Tue Jan 5 2016 | ||
| |||
Revision 6.7-0 | Tue Jul 14 2015 | ||
| |||
Revision 6.6-1 | Fri Dec 19 2014 | ||
| |||
Revision 6.6-0 | Fri Oct 10 2014 | ||
| |||
Revision 6.4-0 | March 28, 2013 | ||
| |||
Revision 6.2-4 | December 5, 2011 | ||
| |||
Revision 6.1-0 | Thu May 5, 2011 | ||
| |||
Revision 6.0-0 | Thu Oct 22 2009 | ||
|