7.4 Installation and configuration for Thales authentication devices

This section provides any information required when installing the minidrivers or middleware for the smart cards or configuring the smart cards through their minidriver, middleware or through MyID.

Note: The table in section 7, Thales authentication devices shows the software required for each device type in the Middleware column.

7.4.1 SafeNet Authentication Client 10.8 R6

You must configure SafeNet Authentication Client (SAC) 10.8 R6 separately for Minidriver and SafeNet eToken support.

You can configure the SAC 10.8 R6 middleware using the SAC Customization Package, obtained from Thales.

For eToken devices, use the following settings:

SafeNet Authentication Client

For minidriver-based devices, use the following settings:

SafeNet Authentication Client

See also section 2.4, Minidriver-based smart cards.

7.4.2 Standard mode

You must install the SafeNet Authentication Client middleware in Standard mode (that is, not the BSec-compatible mode). Standard mode is the first option that is presented when you run the middleware installer.

7.4.3 Complexity requirements

When you set up the SafeNet client tools, you must set the complexity requirement option to None. This option may be labeled Must meet complexity requirements or Password Complexity, depending on the version of the middleware you are using.

7.4.4 Initialization keys for eToken 51xx

Initialization of SafeNet eToken 5100, 5110, 5110 FIPS and 5110+ credentials is protected using an initialization key. Unless the customer has requested a diversified factory initialization key, the tokens are shipped from the factory with a default key, which is already configured in MyID.

To secure the tokens after issuance, use the Key Manager workflow to configure a customer initialization key:

  1. From the Configuration category, select the Key Manager workflow.
  2. From the Select Key Type to Manage drop-down list, select Initialization Key.
  3. Click Next.
  4. Click Add New Key.
  5. Set the following values:

    • Credential Type: Aladdin eToken
    • Key Type: Customer
    • Encryption Type: 2DES

    You can configure the rest of the values as required.

  6. Click Save.

If the tokens were ordered with a diversified Factory key, use the same procedure, except for the Key Type, select Factory instead of Customer.

7.4.5 Password change prompt

When you first issue a smart card, you may be prompted by the SafeNet middleware to change your password. Click Cancel to continue without changing the password.

Also, if you select the Token Password must be changed on first logon option when performing a challenge/response unlock, when the user logs in to MyID with the unlocked card, they will be prompted to change the PIN. To avoid this, deselect the Token Password must be changed on first logon option when unlocking the smart card.

7.4.6 Credential profiles for SafeNet Authentication Client smart cards

You must make sure that you have set the credential profile to use the same settings as the SafeNet Authentication Client installation. Check the SafeNet middleware to ensure that the values you use are correct.

If you do not use the same settings in the credential profile and the SafeNet client installation, you will experience an error similar to the following:

Initialize Error
Cause: Invalid PIN

Solution: Please enter a new PIN.

-2147220729 Exception thrown: class CCardException

Error: 0x80040307 : You entered an incorrect pass phrase or PIN

PKCS Error: 0x00000020 Data invalid

To set the credential profile properties:

  1. From the Configuration category, select Credential Profiles.
  2. Select the credential profile you want to edit, then click Modify.
  3. Click PIN Settings.
  4. Set the following options to match the settings used in the SafeNet client installation:

    • Maximum PIN Length – the default SafeNet client value is 16.
    • Minimum PIN Length – the default SafeNet client value is 6.
    • Logon Attempts – the default SafeNet client value is 3.
  5. Click Next and complete the workflow.

7.4.7 FIDO for Thales authentication devices

For information on FIDO, see the FIDO Authenticator Integration Guide.