7.4 Installation and configuration for Thales authentication devices

This section provides any information required when installing the minidrivers or middleware for the smart cards or configuring the smart cards through their minidriver, middleware or through MyID.

Note: The table in section 7, Thales authentication devices, shows the software required for each device type in the Middleware column.

7.4.1 SafeNet Authentication Client 10.8 R6

You must configure SafeNet Authentication Client (SAC) 10.8 R6 separately for Minidriver and SafeNet eToken support.

You can configure the SAC 10.8 R6 middleware using the SAC Customization Package, obtained from Thales.

For eToken devices, use the following settings:

SafeNet Authentication Client

For minidriver-based devices, use the following settings:

SafeNet Authentication Client

See also section 2.4, Minidriver-based smart cards.

7.4.2 Standard mode

You must install the SafeNet Authentication Client middleware in Standard mode (that is, not the BSec-compatible mode). Standard mode is the first option that is presented when you run the middleware installer.

7.4.3 Complexity requirements

When you set up the SafeNet client tools, you must set the complexity requirement option to None. This option may be labeled Must meet complexity requirements or Password Complexity, depending on the version of the middleware you are using.

7.4.4 Initialization keys for eToken 51xx

Initialization of SafeNet eToken 5100, 5110, 5110 FIPS and 5110+ credentials is protected using an initialization key. Unless the customer has requested a diversified factory initialization key, the tokens are shipped from the factory with a default key, which is already configured in MyID.

To secure the tokens after issuance, use the Key Manager workflow to configure a customer initialization key:

  1. From the Configuration category, select the Key Manager workflow.
  2. From the Select Key Type to Manage drop-down list, select Initialization Key.
  3. Click Next.
  4. Click Add New Key.
  5. Set the following values:

    • Credential Type: Aladdin eToken
    • Key Type: Customer
    • Encryption Type: 2DES

    You can configure the rest of the values as required.

  6. Click Save.

If the tokens were ordered with a diversified Factory key, use the same procedure, but for the Key Type, select Factory instead of Customer.

7.4.5 Password change prompt

When you first issue a smart card, you may be prompted by the SafeNet middleware to change your password. Click Cancel to continue without changing the password.

Also, if you select the Token Password must be changed on first logon option when performing a challenge/response unlock, the user is prompted to change the PIN when they log in to MyID with the unlocked card. To avoid this, deselect the Token Password must be changed on first logon option when unlocking the smart card.

7.4.6 Credential profiles for SafeNet Authentication Client smart cards

You must make sure that you have set the credential profile to use the same settings as the SafeNet Authentication Client installation. Check the SafeNet middleware to ensure that the values you use are correct.

If you do not use the same settings in the credential profile and the SafeNet client installation, you will experience an error similar to the following:

Initialize Error
Cause: Invalid PIN

Solution: Please enter a new PIN.

-2147220729 Exception thrown: class CCardException

Error: 0x80040307 : You entered an incorrect pass phrase or PIN

PKCS Error: 0x00000020 Data invalid

To set the credential profile properties:

  1. From the Configuration category, select Credential Profiles.
  2. Select the credential profile you want to edit, then click Modify.
  3. Click PIN Settings.
  4. Set the following options to match the settings used in the SafeNet client installation:

    • Maximum PIN Length – the default SafeNet client value is 16.
    • Minimum PIN Length – the default SafeNet client value is 6.
    • Logon Attempts – the default SafeNet client value is 3.
  5. Click Next and complete the workflow.

7.4.7 Issuing smart cards that have PIV applets

For information on issuing smart cards that have PIV applets using a non-PIV MyID system, see section 2.12, Issuing smart cards that have PIV applets.

7.4.8 FIDO for Thales authentication devices

For information on FIDO, see the FIDO Authenticator Integration Guide.