HP T5720 Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP C
HP T5720 - Compaq Thin Client Manual
UPC - 882780099517
HP T5720 manual content summary:
- HP T5720 | Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP C - Page 1
Issue Smart Card User Certificate 18 Manually issue Smart Card User Certificate 24 Testing the Smart Card 27 Creating Customized User Install Packages for Clients PCs (Optional 30 Additional Information 36 Using a Smart Card For Windows Network Login 36 Administration of the GemSafe Smart Card
- HP T5720 | Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP C - Page 2
corporate network. This paper provides instructions for configuring a smart card with your HP Compaq t5720 thin client and CCI blade PCs. Gemalto delivers secure personal devices, software, and services through innovation and collaboration, thus enabling our clients to offer trusted and convenient
- HP T5720 | Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP C - Page 3
Gemalto libraries 5.0 SE software installation. For the drivers update, visit the Gemalto support site at: http://hotline.gemalto.com/ For the HP USB SmartCard Keyboard Drivers please visit www.hp.com software support for the latest available drivers. NOTE: GemSafe Libraries 5.0 SE Registration tool
- HP T5720 | Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP C - Page 4
• HP Compaq t5720 series thin client running Microsoft Windows XPe w/HPSAM blade service installed. • HP desktop PC running Microsoft Windows XP w/HPSAM blade service installed. • Smart Card Readers • HP standard USB Smart Card Keyboard. Driver: HPKBCCID.sys, version 4.30.0.1. • USB CAC approved
- HP T5720 | Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP C - Page 5
user logon. The client install package is customizable and created by the Administrator (see "Creating Customized User Install Packages for Clients PCs (Optional)" on page 30). NOTE: During the software installation the reader should not have a smart card in it. NOTE: Thin Client PC Ram disk size
- HP T5720 | Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP C - Page 6
6. Click Next to continue; GemSafe Libraries InstallShield Wizard displays the License Agreement window. 7. Read the Gemalto License Agreement and click Yes to continue; the GemSafe Libraries InstallShield Wizard displays the Choose Destination Location window.
- HP T5720 | Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP C - Page 7
8. Click Next to install GemSafe Libraries to the default location or select a different location by using the Browse button. During the GemSafe Libraries installation you will see a series of dialogs similar to the following.
- HP T5720 | Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP C - Page 8
Module configuration please refer to the Administration or User Guide. NOTE: If you are using the smart card for network login, it will be necessary to load a certificate onto the card in order to recognize the card for login purposes. Instructions for manually issuing a certificate on the card, can
- HP T5720 | Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP C - Page 9
Installing Microsoft Certificate Services 1. Click Start > Control Panel. 2. Select Add or Remove Programs. 3. In the left panel, select Add/Remove Windows Components. 4. Click Certificate Services, and then click Next.
- HP T5720 | Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP C - Page 10
5. Select Enterprise Root CA, and then click Next. 6. Click Yes to accept the warning.
- HP T5720 | Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP C - Page 11
7. Type a Common name for this CA, and then click Next. 8. Select Next to accept Certificate Database Settings.
- HP T5720 | Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP C - Page 12
The installation will configure components, as shown in the following screen. 9. Click Yes when prompted to temporarily stop IIS.
- HP T5720 | Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP C - Page 13
a Certificate Authority (CA) service Configure a CA service. This white paper uses Microsoft Certificate Services to configure certificates. Refer to "Installing Microsoft Certificate Services" on page 9 on installing certificate services. After you install the CA service, perform the following
- HP T5720 | Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP C - Page 14
3. Create a duplicate template by right-clicking on the Smartcard Logon certificate template, and then selecting Duplicate Template. 4. Type a name for the new template in the Template Display name box. This example uses CCI Smartcard User
- HP T5720 | Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP C - Page 15
5. Click the Request Handling tab. 6. Select 1024 in the Minimum key size box. 7. Click the CSPs button. 8. Select Requests can use any CSP available on the subject's computer. 9. Click the Security tab.
- HP T5720 | Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP C - Page 16
10. In the Permissions for Authenticated Users area, in the Allow column, select both Read and Enroll. You have completed the creation of the template. 11. Copy the CCI SmartCard User certificate template into the Certificates Templates folder under the certificate server. a. Expand the Certificate
- HP T5720 | Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP C - Page 17
d. Select New > Certificate Template to Issue. 12. Select the template, and then click OK to import the template.
- HP T5720 | Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP C - Page 18
Configuring Microsoft Certificate Authority to Issue Smart Card User Certificate 1. Click Start > Administrative Tools > Certification Authority. 2. Expand the defined CA. 3. Right-click Certificate Templates, and then select New. a. Select Certificate Template to Issue. b. Select Enrollment Agent.
- HP T5720 | Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP C - Page 19
4. Launch Internet Explorer and browse to http://localhost/certsrv. 5. Under Select a task, select Request a certificate.
- HP T5720 | Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP C - Page 20
6. Select advanced certificate request. 7. Select Create and submit request to this CA.
- HP T5720 | Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP C - Page 21
8. In the Certificate Templates box, select Enrollment Agent. 9. Verify Enrollment Agent Settings in the Key Options section as follows: • Create new key is selected • Microsoft Enhanced Cryptographic Provider v1.0 • Click Submit.
- HP T5720 | Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP C - Page 22
10. Accept default settings under Additional Options. 11. If a warning message displays about a potential scripting violation, press Yes to continue with the certificate request. 12. Install the Enrollment certificate requested.
- HP T5720 | Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP C - Page 23
13. Select Yes to Potential Scripting Violation. You have successfully generated and installed the required Enrollment Certificate, as shown below.
- HP T5720 | Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP C - Page 24
Manually issue Smart Card User Certificate 1. Launch Internet Explorer and browse to http://localhost/certsrv. 2. Select Request a certificate. 3. Select advanced certificate request.
- HP T5720 | Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP C - Page 25
4. Select Request a certificate for a smart card on behalf of another user by using the smart card certificate enrollment station. 5. Select Smartcard User under Enrollment Options.
- HP T5720 | Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP C - Page 26
6. Define the user to enroll by clicking Select User. 7. Insert Smart Card into Reader, and then select Enroll.
- HP T5720 | Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP C - Page 27
Testing the Smart Card 1. Launch the GemSafe Toolbox by selecting Start > All Programs > Gemplus > GemSafe Toolbox. 2. Select Certificates.
- HP T5720 | Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP C - Page 28
3. Insert the smart card and type the PIN. This displays the certificates that you manually issued to the card in "Configuring Microsoft Certificate Authority to Issue Smart Card User Certificate" on page 18. 4. Select the Diagnostic/Help tab in the left frame.
- HP T5720 | Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP C - Page 29
5. Select the Smartcard and readers diagnose button. 6. From the Smartcard Diagnostic Utility, select Start.
- HP T5720 | Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP C - Page 30
for Domain logon smart card authentication with a preconfigured smart card that already contains a User certificate. Domain groups or user level policies for smart card login need to be managed and applied by the administrator. Administrators may wish to deploy a customized client GemSafe Toolbox
- HP T5720 | Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP C - Page 31
thin client TEMP and TMP environmental variables to a location that can support the .msi user installation package size. The environmental variables can be changed back to default Variables. NOTE: HP deployment solutions such as Altiris client manager do not require Ram Disk size adjustments or
- HP T5720 | Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP C - Page 32
1. Launch the GemSafe Toolbox by selecting Start > All Programs > Gemplus > GemSafe Toolbox. 2. Select Software Administration. 3. Select PIN Policy in the left frame.
- HP T5720 | Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP C - Page 33
4. To store PIN Policy settings, select Save as, and then type a file name. 5. Select GemSafe in the left frame. 6. Define what GemSafe Toolbox functionality will be provided to your users.
- HP T5720 | Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP C - Page 34
Libraries User Setup. NOTE: You must select CSP if you are operating in a Microsoft environment. NOTE: If you are planning on implementing on a Citrix or Terminal Services server. a. You must select the files you configured in step 4 - 7 within the File Selection section. b. Click Next.
- HP T5720 | Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP C - Page 35
9. To provide a Setup Name for Libraries User Setup, select Create Setup. Be sure to note the setup path. 10. Select OK. The new setup has been created.
- HP T5720 | Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP C - Page 36
a Smart Card For Windows Network Login During Windows logon, a normal Windows logon prompt should appear with a smart installed, please refer to the GemSafe Libraries Administration or User Guide to learn how to: • Manage the smart to sign Adobe Acrobat® or Microsoft Office XP or 2003 macros.
- HP T5720 | Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP C - Page 37
Signing PDF Documents". The Administration and User Guide also teaches security basics to help with the overall understanding of how GemSafe Libraries works to enhance your network security policy. The Guide also provides some Frequently Asked Questions (FAQs) to assist in troubleshooting problems
- HP T5720 | Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP C - Page 38
into the Active Directory Server Usage case 2: User authentication from client device to blade PC or Active Directory Server using RDP The following steps provide instructions for performing a functional test of the CCI SmartCard Logon certificate: 1. Log out of the RDP session. 2. Open the Remote
- HP T5720 | Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP C - Page 39
2. Open the HPSAM client window and initiate a connection to the blade PC or Active Directory Server PC or Active Directory Server. Usage case 4: Accessing secure Web site The following steps provide instructions for accessing a secure Web site using a Gemalto smart card through a blade PC or Active
- HP T5720 | Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP C - Page 40
using VPN through firewall to blade PC or Active Directory Server Instructions for installing and configuring a VPN tunnel with a firewall is beyond Gemalto smart card middleware is installed on the client. 1. In the Control Panel on the client computer, open Network and Internet Connections.
- HP T5720 | Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP C - Page 41
4. In the Company Name box, type the name for the VPN connection (for example, Work), and then click Next. 5. Select Do not dial the initial connection, and then click Next. 6. In the text box, type the host name or IP address of the VPN tunnel, and then click Next. 7. Select Use my smart card, and
- HP T5720 | Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP C - Page 42
the VPN connection. 2. In Smart card PIN, type the PIN, and then click OK. While establishing the VPN connection, the system displays Verifying username and password and Authenticated.
- HP T5720 | Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP C - Page 43
the network connection icon displays in the system tray. Usage case 6: User authentication from client device using Citrix server 1. Click the Citrix Program Neighborhood desktop shortcut. 2. Click Add ICA Connection to set up a new client connection or to use a pre-existing Citrix connection.
- HP T5720 | Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP C - Page 44
3. Select properties for the ICA connection, click the Logon Information tab, select Smart card, and then click OK. 4. Double-click the shortcut to connect to the Citrix server. 5. During logon to the server, the smart card login prompt appears for authorization.
- HP T5720 | Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP C - Page 45
Service and Support If you would like additional information about GemSafe Libraries 4.2.i, you can visit: http://www.gemplus.com/products/gemsafe_libraries. For product information, local sales offices, please visit http://www.gemalto.com, or send an email to: [email protected]. Phone: (888)-343-5773.
Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP CCI
- Introduction (page 2)
- Prerequisites (page 2)
- Reference hardware and software (page 3)
- Reference Documents (page 4)
- Installing GemSafe Libraries 5.0 SE to Server and Client PCs (Optional) (page 5)
- Installing Microsoft Certificate Services (page 9)
- Configuring a Certificate Authority (CA) service (page 13)
- Configuring Microsoft Certificate Authority to Issue Smart Card User Certificate (page 18)
- Manually issue Smart Card User Certificate (page 24)
- Testing the Smart Card (page 27)
- Creating Customized User Install Packages for Clients PCs (Optional) (page 30)
- Additional Information (page 36)
  - Using a Smart Card For Windows Network Login (page 36)
  - Administration of the GemSafe Smart Card (page 36)
  - Working with GemSafe Libraries (page 36)
- Usage cases (page 37)
  - Usage case 1: User authentication from blade PC to Active Directory Domain (page 37)
  - Usage case 2: User authentication from client device to blade PC or Active Directory Server using RDP (page 38)
  - Usage case 3: User authentication from client device to blade PC or Active Directory Server using HPSAM client (page 38)
  - Usage case 4: Accessing secure Web site (page 39)
  - Usage case 5: User authentication using VPN through firewall to blade PC or Active Directory Server (page 40)
  - Usage case 6: User authentication from client device using Citrix server (page 43)
- Service and Support (page 45)