HP bc1000 Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP
HP bc1000 - Blade PC Manual
HP bc1000 manual content summary:
- HP bc1000 | Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP - Page 1
PC or Active Directory Server using HPSAM client 38 Usage case 4: Accessing secure Web site 39 Usage case 5: User authentication using VPN through firewall to blade PC or Active Directory Server 40 Usage case 6: User authentication from client device using Citrix server 43 Service and Support
- Page 2
cards can provide additional security to a corporate network. This paper provides instructions for configuring a smart card with your HP Compaq t5720 thin client and CCI blade PCs. Gemalto delivers secure personal devices, software, and services through innovation and collaboration, thus enabling
- Page 3
Deployment Server • Network Switch. • HP Procurve 2626. • Blade Enclosure • HP e-class blade enclosure. • Blade PCs • HP bc1000 blade PC running Microsoft Windows XP SP2 w/HPSAM blade service installed. • HP bc1500 blade PC running Microsoft Windows XP SP2 w/HPSAM blade service installed. • Clients
- Page 4
blade service installed. • HP desktop PC running Microsoft Windows XP w/HPSAM blade service installed. • Smart Card Readers • HP standard USB Smart Card Keyboard. Driver ). Driver: spr337.sys, version 1.16.00.01. • Gemalto reader support, Line Casing PC Card Smart Card Reader Part Numbers HWP108765
- Page 5
required for the optional GemSafe Libraries 5.0 SE installation or customized user install packages on an HP Thin Client. For more information see "Creating Customized User Install Packages for Clients PCs (Optional)" on page 30. 1. Close all opened Windows programs and applications. 2. For Server
- Page 6
6. Click Next to continue; the GemSafe Libraries InstallShield Wizard displays the License Agreement window. 7. Read the Gemalto License Agreement and click Yes to continue; the GemSafe Libraries InstallShield Wizard displays the Choose Destination Location window.
- Page 7
8. Click Next to install GemSafe Libraries to the default location or select a different location by using the Browse button. During the GemSafe Libraries installation you will see a series of dialogs similar to the following. These dialogs simply inform you as each of the components are
- Page 8
configuration please refer to the Administration or User Guide. NOTE: If you are using the smart card for network login, it will be necessary to load a certificate onto the card in order to recognize the card for login purposes. Instructions for manually issuing a certificate on the card can be
- Page 9
Installing Microsoft Certificate Services 1. Click Start > Control Panel. 2. Select Add or Remove Programs. 3. In the left panel, select Add/Remove Windows Components. 4. Click Certificate Services, and then click Next.
- Page 10
5. Select Enterprise Root CA, and then click Next. 6. Click Yes to accept the warning.
- Page 11
7. Type a Common name for this CA, and then click Next. 8. Select Next to accept Certificate Database Settings.
- Page 12
The installation will configure components, as shown in the following screen. 9. Click Yes when prompted to temporarily stop IIS.
- Page 13
a Certificate Authority (CA) service Configure a CA service. This white paper uses Microsoft Certificate Services to configure certificates. Refer to "Installing Microsoft Certificate Services" on page 9 on installing certificate services. After you install the CA service, perform the following
- Page 14
3. Create a duplicate template by right-clicking on the Smartcard Logon certificate template, and then selecting Duplicate Template. 4. Type a name for the new template in the Template Display name box. This example uses CCI Smartcard User
- Page 15
5. Click the Request Handling tab. 6. Select 1024 in the Minimum key size box. 7. Click the CSPs button. 8. Select Requests can use any CSP available on the subject's computer. 9. Click the Security tab.
- Page 16
10. In the Permissions for Authenticated Users area, in the Allow column, select both Read and Enroll. You have created the creation of the template. 11. Copy the CCI SmartCard User certificate template into the Certificates Templates folder under the certificate server. a. Expand the Certificate
- Page 17
d. Select New > Certificate Template to Issue. 12. Select the template, and then click OK to import the template.
- Page 18
Configuring Microsoft Certificate Authority to Issue Smart Card User Certificate 1. Click Start > Administrative Tools > Certification Authority. 2. Expand the defined CA. 3. Right-click Certificate Templates, and then select New. a. Select Certificate Template to Issue. b. Select Enrollment Agent.
- Page 19
4. Launch Internet Explorer and browse to http://localhost/certsrv. 5. Under Select a task, select Request a certificate.
- Page 20
6. Select advanced certificate request. 7. Select Create and submit request to this CA.
- Page 21
8. In the Certificate Templates box, select Enrollment Agent. 9. Verify Enrollment Agent Settings in the Key Options section as follows: • Create new key is selected • Microsoft Enhanced Cryptographic Provider v1.0 • Click Submit.
- Page 22
10. Accept default settings under Additional Options. 11. If a warning message displays about a potential scripting violation, press Yes to continue with the certificate request. 12. Install the Enrollment certificate requested.
- Page 23
13. Select Yes to Potential Scripting Violation. You have successfully generated and installed the required Enrollment Certificate, as shown below.
- Page 24
Manually issue Smart Card User Certificate 1. Launch Internet Explorer and browse to http://localhost/certsrv. 2. Select Request a certificate. 3. Select advanced certificate request.
- Page 25
4. Select Request a certificate for a smart card on behalf of another user by using the smart card certificate enrollment station. 5. Select Smartcard User under Enrollment Options.
- Page 26
6. Define the user to enroll by clicking Select User. 7. Insert Smart Card into Reader, and then select Enroll.
- Page 27
Testing the Smart Card 1. Launch the GemSafe Toolbox by selecting Start > All Programs > Gemplus > GemSafe Toolbox. 2. Select Certificates.
- Page 28
3. Insert the smart card and type the PIN. This displays the certificates that you manually issued to the card in "Configuring Microsoft Certificate Authority to Issue Smart Card User Certificate" on page 18. 4. Select the Diagnostic/Help tab in the left frame.
- Page 29
5. Select the Smartcard and readers diagnose button. 6. From the Smartcard Diagnostic Utility, select Start.
- Page 30
PASSED response. Creating Customized User Install Packages for Clients PCs (Optional) The GemSafe user install package is not the volume or the data will be lost on the next reboot. For thin client PC installation of the optional GemSafe ToolBox, modify the client's RAMDisk size from default settings
- Page 31
thin client PC installation of the optional GemSafe ToolBox, modify the thin client TEMP and TMP environmental variables to a location that can support the . >System Properties > Advanced tab > Environmental Variables. NOTE: HP deployment solutions such as Altiris client manager do not require Ram
- Page 32
1. Launch the GemSafe Toolbox by selecting Start > All Programs > Gemplus > GemSafe Toolbox. 2. Select Software Administration. 3. Select PIN Policy in the left frame.
- Page 33
4. To store PIN Policy settings, select Save as, and then type a file name. 5. Select GemSafe in the left frame. 6. Define what GemSafe Toolbox functionality will be provided to your users.
- Page 34
Libraries User Setup. NOTE: You must select CSP if you are operating in a Microsoft environment. NOTE: If you are planning on implementing on a Citrix or Terminal Services server. a. You must select the files you configured in step 4 - 7 within the File Selection section. b. Click Next.
- Page 35
9. To provide a Setup Name for Libraries User Setup, select Create Setup. Be sure to note the setup path. 10. Select OK. The new setup has been created.
- Page 36
exe on designated host. Additional Information Using a Smart Card For Windows Network Login During Windows logon, a normal Windows logon prompt should appear is installed, please refer to the GemSafe Libraries Administration or User Guide to learn how to: • Manage the smart cards and certificates
- Page 37
to enhance your network security policy. The Guide also provides some Frequently Asked Questions (FAQs) to assist in troubleshooting problems that may occur. Usage cases Usage case 1: User authentication from blade PC to Active Directory Domain The following steps provide instructions for performing
- Page 38
. The user is logged into the Active Directory Server Usage case 2: User authentication from client device to blade PC or Active Directory Server using RDP The following steps provide instructions for performing a functional test of the CCI SmartCard Logon certificate: 1. Log out of the RDP session
- Page 39
or Active Directory Server. Usage case 4: Accessing secure Web site The following steps provide instructions for accessing a secure Web site using a Gemalto smart card through a blade PC or Active Directory Server. Installing and configuring a secure Web site is beyond the scope of this white paper
- Page 40
case 5: User authentication using VPN through firewall to blade PC or Active Directory Server Instructions for installing and configuring a VPN tunnel with a on the client computer, open Network and Internet Connections. 2. Select the Create a connection to the network at your workplace task. 3.
- Page 41
VPN tunnel, you may have to change the configuration of the VPN connection. To change the configuration of the VPN window: 1. In Control Panel, open Network and Internet Connections > Network Connections.
- Page 42
2. Right-click on the VPN connection icon and select Properties. You can initiate the VPN connection after setting it up, as follows: 1. Start the VPN connection. 2. In Smart card PIN, type the PIN, and then click OK. While establishing the VPN connection, the system displays Verifying username and
- Page 43
After the connection is established, the network connection icon displays in the system tray. Usage case 6: User authentication from client device using Citrix server 1. Click the Citrix Program Neighborhood desktop shortcut. 2. Click
- Page 44
3. Select properties for the ICA connection, click the Logon Information tab, select Smart card, and then click OK. 4. Double-click the shortcut to connect to the Citrix server. 5. During logon to the server, the smart card login prompt appears for authorization.
- Page 45
Service and Support If you would like additional information about GemSafe Libraries 4.2.i, you can visit: http://www.gemplus.com/products/gemsafe_libraries. For product information, local sales offices, please visit http://www.gemalto.com, or send an email to: [email protected]. Phone: (888)-343-5773.
Implementing Gemalto Smart Card for Use with HP Compaq t5720 and HP CCI
Introduction, page 2
Prerequisites, page 2
Reference hardware and software, page 3
Reference Documents, page 4
Installing GemSafe Libraries 5.0 SE to Server and Client PCs (Optional), page 5
Installing Microsoft Certificate Services, page 9
Configuring a Certificate Authority (CA) service, page 13
Configuring Microsoft Certificate Authority to Issue Smart Card User Certificate, page 18
Manually issue Smart Card User Certificate, page 24
Testing the Smart Card, page 27
Creating Customized User Install Packages for Clients PCs (Optional), page 30
Additional Information, page 36
  Using a Smart Card For Windows Network Login, page 36
  Administration of the GemSafe Smart Card, page 36
  Working with GemSafe Libraries, page 36
Usage cases, page 37
  Usage case 1: User authentication from blade PC to Active Directory Domain, page 37
  Usage case 2: User authentication from client device to blade PC or Active Directory Server using RDP, page 38
  Usage case 3: User authentication from client device to blade PC or Active Directory Server using HPSAM client, page 38
  Usage case 4: Accessing secure Web site, page 39
  Usage case 5: User authentication using VPN through firewall to blade PC or Active Directory Server, page 40
  Usage case 6: User authentication from client device using Citrix server, page 43
Service and Support, page 45