7.5 Interoperability for Thales authentication devices

This section contains information about any considerations for using these smart card with other systems.

7.5.1 Unlocking PIV cards

PIV cards include a PIV applet, which means that you can use the MyID Card Utility to carry out a remote challenge/response unlock operation and change the user PIN, and the unlock credential provider to unlock the devices from the Windows logon screen.

See section 2.12, Unlocking smart cards that have a PIV applet.

7.5.2 PIN policy settings

MyID allows you to set various policies for PINs using the settings in the credential profile. MyID enforces these settings for any operations carried out by MyID. For some smart cards, some or all of these settings are applied directly to the card, which means that the settings will also be enforced by third-party tools and utilities.

The following settings are supported for on-card PIN policy settings:

 

Smart card

PIN Setting

SafeNet eToken 4100

SafeNet eToken
5100/5110/5110 FIPS/5110+

Maximum PIN Length

 

 

Minimum PIN Length

Y

Y

Repeated Characters Allowed

 

 

Sequential Characters Allowed

 

 

Logon Attempts

Y

Y

PIN Inactivity Timer

Y

Y

PIN History

 

Y

Lowercase PIN Characters

 

Y

Uppercase PIN Characters

 

Y

Numeric PIN Characters

 

Y

Symbol PIN Characters

 

Y

Lifetime

 

Y

Key:

7.5.3 PIN characters for PIV cards

The SP800-73 PIV specification requires that PIV cards use numeric-only PINs. It is possible to configure MyID to use non-numeric PIN characters for PIV cards, although the smart cards will fail to issue.

Make sure you set up the credential profile correctly; in the PIN Characters section of the Credential Profiles workflow, set number to be Mandatory, and uppercase letters, lowercase letters, and symbols to Not Allowed.

7.5.4 IDPrime MD840 Rev A and IDPrime MD3840 smart cards and signature only policies

IDPrime MD840 Rev A and IDPrime MD3840 smart cards have Common Criteria features that MyID does not support. Due to this limitation, issuing certificates that require a Signature Only policy is not supported with MyID.

7.5.5 IDPrime PIV card status

IDPrime PIV v2.1 and v3.0 cards are delivered in an ISD Status of OP_READY. Set the Set GlobalPlatform Card Status option (on the PINs page of the Security Settings workflow) to Yes to ensure the cards are issued in a ISD SECURED state.

7.5.6 Available certificate slots on IDPrime MD cards

IDPrime MD cards are manufactured with a limited number of slots for each key type. It is important that you order cards that can accommodate the certificates you want to use.

For example, your smart cards may be manufactured with a profile that allows only two ECC keys; if you attempt to issue a credential profile that has three ECC certificates to the card, it will fail with an error similar to:

There has been an error generating a certificate request
Solutions:
Please contact your administrator.
Error Number: -2147220715

7.5.7 Additional identities for IDPrime PIV cards

If you want to issue additional identities to devices with PIV applets, you must have a Windows minidriver installed to make the certificates available for uses such as Windows logon. MyID has not yet been tested with a minidriver that provides this feature for IDPrime PIV cards.

For more information, see the Additional identities on devices with PIV applets section in the Administration Guide.

7.5.8 Problems with Windows logon

If you have problems logging on to Windows, remove the Calais and SAC cache and then reboot.

The SAC cache is:

C:\Windows\temp\etoken.cache

The Calais cache is in the registry:

HKLM\Software\Microsoft\Cryptography\Calais\Cache

7.5.9 SafeNet eToken 5300 tokens with Touch Sensor

You can also obtain SafeNet eToken 5300 devices with a Touch capability enabled – you must touch the token sensor to carry out a transaction such as signing. These devices operate with MyID, but you will encounter problems when a signing operation is required, but the token is not touched. Frequently, MyID carries out signing operations in the background using the logged-on state of the token to sign the transaction. If the token requires the user to authenticate, the SafeNet Authentication Client generates a Windows notification; however, this notification may be hidden by Windows, or may not be noticed by the user.

Examples of issues that may be seen when the user does not respond to a touch token notification are:

For the reasons above, these versions of the token are not currently supported with MyID. The problem may occur when using one of the following token configurations:

Versions of 5300 tokens that do not have a touch sensor are not affected by this issue.