3.6. Managing Smart Cards

You can use the Manage Smart Cards page to perform many of the operations that can be applied to one of the cryptographic keys stored on the token.
You can use this page to format the token, set and reset the card's password, and to display card information. Two other operations, enrolling tokens and viewing the diagnostic logs, are also accessed through the Manage Smart Cards page. These operations are addressed in other sections.
Manage Smart Cards Page

Figure 3.3. Manage Smart Cards Page


3.6.1. Formatting the Smart Card

When you format a smart card, it is reset to the uninitialized state. This removes all previously generated user key pairs and erases the password set on the smart card during enrollment.
The TPS server can be configured to load newer versions of the applet and symmetric keys onto the card. The TPS supports the CoolKey applet which is shipped with Red Hat Enterprise Linux 5.6.
To format a smart card:
  1. Insert a supported smart card into the computer. Ensure that the card is listed in the Active Smart Cards table.
  2. In the Smart Card Functions section of the Manage Smart Cards screen, click Format.
  3. If the TPS has been configured for user authentication, enter the user credentials in the authentication dialog, and click Submit.
  4. During the formatting process, the status of the card changes to BUSY and a progress bar is displayed. A success message is displayed when the formatting process is complete. Click OK to close the message box.
  5. When the formatting process is complete, the Active Smart Cards table shows the card status as UNINITIALIZED.

3.6.2. Resetting a Smart Card Password

If a user forgets the password for a smart card after the card is enrolled, it is possible to reset the password. To reset the password on a smart card:
  1. Insert a supported smart card into the computer. Ensure that the card is listed in the Active Smart Cards table.
  2. In the Smart Card Functions section of the Manage Smart Cards screen, click Reset Password to display the Password dialog.
  3. Enter a new smart card password in the Enter new password field.
  4. Confirm the new smart card password in the Re-Enter password field, and then click OK.
  5. If the TPS has been configured for user authentication, enter the user credentials in the authentication dialog, and click Submit.
  6. Wait for the password to finish being reset.

3.6.3. Viewing Certificates

The Smart Card Manager can display basic information about a selected smart card, including stored keys and certificates. To view certificate information:
  1. Insert a supported smart card into the computer. Ensure that the card is listed in the Active Smart Cards table.
  2. Select the card from the list, and click View Certificates.
    This displays basic information about the certificates stored on the card, including the serial number, certificate nickname, and validity dates.
  3. To view more detailed information about a certificate, select the certificate from the list and click View.

3.6.4. Importing CA Certificates

The Xulrunner Gecko engine implements stringent controls over which SSL-based URLs can be visited by client like a browser or the Enterprise Security Client. If the Enterprise Security Client (through the Xulrunner framework) does not trust a URL, the URL can not be visited.
One way to trust an SSL-based URL is to import and trust the CA certificate chain of the CA which issued the certificates for the site. (The other is to create a trust security exception for the site, as in Section 3.6.5, “Adding Exceptions for Servers”.)
Any CA which issues certificates for smart cards must be trusted by the Enterprise Security Client application, which means that its CA certificate must be imported into the Enterprise Security Client.
  1. Open the CA's end user pages in a web browser.
    https://server.example.com:9444/ca/ee/ca/
  2. Click the Retrieval tab at the top.
  3. In the left menu, click the Import CA Certificate Chain link.
  4. Choose the radio button to download the chain as a file, and remember the location and name of the downloaded file.
  5. Open the Enterprise Security Client.
  6. Click the View Certificates button.
  7. Click the Authorities tab.
  8. Click Import.
  9. Browse to the CA certificate chain file, and select it.
  10. When prompted, confirm that you want to trust the CA.

3.6.5. Adding Exceptions for Servers

The Xulrunner Gecko engine implements stringent controls over which SSL-based URLs can be visited by client like a browser or the Enterprise Security Client. If the Enterprise Security Client (through the Xulrunner framework) does not trust a URL, the URL can not be visited.
One way to trust an SSL-based URL is to create a trust security exception for the site, which imports the certificate for the site and forces the Enterprise Security Client to recognize it. (The other option is to import the CA certificate chain for the site and automatically trust it, as in Section 3.6.4, “Importing CA Certificates”.)
The smart card may be used to access services or websites over SSL that require special security exceptions; these exceptions can be configured through the Enterprise Security Client, similar to configuring exceptions for websites in a browser like Mozilla Firefox.
  1. Open the Enterprise Security Client.
  2. Click the View Certificates button.
  3. Click the Servers tab.
  4. Click Add Exception.
  5. Enter the URL, including any port numbers, for the site or service which the smart card will be used to access. Then click the Get Certificates button to download the server certificate for the site.
  6. Click Confirm Security Exception to add the site to the list of allowed sites.

3.6.6. Enrolling Smart Cards

Most smart cards will be automatically enrolled using the automated enrollment procedure, described in Section 3.5, “Enrolling a Smart Card Automatically”. You can also use the Manage Smart Cards facility to manually enroll a smart card.
If you enroll a token with the user key pairs, then the token can be used for certificate-based operations such as SSL client authentication and S/MIME.

NOTE

The TPS server can be configured to generate the user key pairs on the server and then archived in the DRM subsystem for recovery if the token is lost.
To enroll a smart card manually:
  1. Insert a supported, unenrolled smart card into the computer. Ensure that the card is listed in the Active Smart Cards table.
  2. Click Enroll to display the Password dialog.
  3. Enter a new key password in the Enter a password field.
    Confirm the new password in the Re-Enter a password field.
  4. Click OK to begin the enrollment.
  5. If the TPS has been configured for user authentication, enter the user credentials in the authentication dialog, and click Submit.
    If the TPS has been configured to archive keys to the DRM, the enrollment process will begin generating and archiving keys.
When the enrollment is complete, the status of the smart card is displayed as ENROLLED.