7.5 Interoperability for Thales authentication devices

This section contains information about any considerations for using these smart cards with other systems.

7.5.1 Unlocking PIV cards

PIV cards include a PIV applet, which means that you can use the MyID Card Utility to carry out a remote challenge/response unlock operation and change the user PIN, and the unlock credential provider to unlock the devices from the Windows logon screen.

See section 2.13, Unlocking smart cards that have a PIV applet.

7.5.2 PIN policy settings

MyID allows you to set various policies for PINs using the settings in the credential profile. MyID enforces these settings for any operations carried out by MyID. For some smart cards, some or all of these settings are applied directly to the card, which means that the settings will also be enforced by third-party tools and utilities.

The following settings are supported for on-card PIN policy settings:

                                 Smart card
PIN Setting                      SafeNet eToken 4100    SafeNet eToken 5100/5110/5110 FIPS/5110+
Maximum PIN Length
Minimum PIN Length               Y                      Y
Repeated Characters Allowed
Sequential Characters Allowed
Logon Attempts                   Y                      Y
PIN Inactivity Timer             Y                      Y
PIN History                                             Y
Lowercase PIN Characters                                Y
Uppercase PIN Characters                                Y
Numeric PIN Characters                                  Y
Symbol PIN Characters                                   Y
Lifetime                                                Y

Key:

7.5.3 PIN characters for PIV cards

The SP800-73 PIV specification requires that PIV cards use numeric-only PINs. It is possible to configure MyID to use non-numeric PIN characters for PIV cards, but the smart cards will then fail to issue.

Make sure you set up the credential profile correctly; in the PIN Characters section of the Credential Profiles workflow, set number to be Mandatory, and uppercase letters, lowercase letters, and symbols to Not Allowed.

7.5.4 IDPrime MD840 Rev A and IDPrime MD3840 smart cards and signature only policies

IDPrime MD840 Rev A and IDPrime MD3840 smart cards have Common Criteria features that MyID does not support. Due to this limitation, issuing certificates that require a Signature Only policy is not supported with MyID.

7.5.5 IDPrime PIV card status

IDPrime PIV v2.1 and v3.0 cards are delivered in an ISD Status of OP_READY. Set the Set GlobalPlatform Card Status option (on the PINs page of the Security Settings workflow) to Yes to ensure the cards are issued in an ISD SECURED state.

7.5.6 Available certificate slots on IDPrime MD cards

IDPrime MD cards are manufactured with a limited number of slots for each key type. It is important that you order cards that can accommodate the certificates you want to use.

For example, your smart cards may be manufactured with a profile that allows only two ECC keys; if you attempt to issue a credential profile that has three ECC certificates to the card, it will fail with an error similar to:

There has been an error generating a certificate request
Solutions:
Please contact your administrator.
Error Number: -2147220715

7.5.7 Additional identities for IDPrime PIV cards

If you want to issue additional identities to devices with PIV applets, you must have a Windows minidriver installed to make the certificates available for uses such as Windows logon. MyID has not yet been tested with a minidriver that provides this feature for IDPrime PIV cards.

For more information, see the Additional identities on devices with PIV applets section in the Administration Guide.

7.5.8 Problems with Windows logon

If you have problems logging on to Windows, remove the Calais and SAC cache and then reboot.

The SAC cache is:

C:\Windows\temp\etoken.cache

The Calais cache is in the registry:

HKLM\Software\Microsoft\Cryptography\Calais\Cache
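
The following script is an added example, not part of the MyID documentation or the SafeNet Authentication Client: it clears the two caches named above from an elevated PowerShell session, exporting the Calais registry key to a backup file first so the change can be reversed if logon problems persist. The backup folder under ProgramData is an assumption; the cache paths are the ones listed in this section.

```powershell
# Added example (not from the MyID documentation): clears the SAC file cache
# and the Calais registry cache named in section 7.5.8, backing up the registry
# key first. The backup folder is an assumption; run with -WhatIf to preview.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$BackupDir = "$env:ProgramData\MyID-cache-backup"   # assumed location
)

$sacCache    = 'C:\Windows\temp\etoken.cache'
$calaisCache = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Calais\Cache'

# The registry key lives under HKLM, so this needs an elevated session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Administrator) PowerShell session.'
}

# 1. SAC cache file
if (Test-Path -LiteralPath $sacCache) {
    if ($PSCmdlet.ShouldProcess($sacCache, 'Remove SAC cache file')) {
        Remove-Item -LiteralPath $sacCache -Force
        Write-Verbose "Removed $sacCache"
    }
} else {
    Write-Verbose "SAC cache not present: $sacCache"
}

# 2. Calais registry cache: export a backup, then remove the key
if (Test-Path -LiteralPath $calaisCache) {
    if ($PSCmdlet.ShouldProcess($calaisCache, 'Export backup and remove Calais cache key')) {
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
        $backup = Join-Path $BackupDir "Calais-Cache-$stamp.reg"
        # reg.exe expects the HKLM\... form, not the PowerShell drive form
        & reg.exe export 'HKLM\SOFTWARE\Microsoft\Cryptography\Calais\Cache' $backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'Registry backup failed; Calais cache left in place.' }
        Remove-Item -LiteralPath $calaisCache -Recurse -Force
        Write-Verbose "Removed $calaisCache (backup: $backup)"
    }
} else {
    Write-Verbose "Calais cache key not present: $calaisCache"
}

Write-Host 'Caches cleared. Reboot the machine to complete the procedure.'
```

Both caches are rebuilt by Windows and the SafeNet Authentication Client after the reboot, so the backup is only needed if you want to compare or restore the previous cache contents.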

7.5.9 SafeNet eToken 5300 tokens with Touch Sensor

You can also obtain SafeNet eToken 5300 devices with a Touch capability enabled – you must touch the token sensor to carry out a transaction such as signing. These devices operate with MyID, but you will encounter problems when a signing operation is required and the token is not touched. Frequently, MyID carries out signing operations in the background, using the logged-on state of the token to sign the transaction. If the token requires the user to authenticate, the SafeNet Authentication Client generates a Windows notification; however, this notification may be hidden by Windows, or may not be noticed by the user.

Examples of issues that may be seen when the user does not respond to a touch token notification are:

For the reasons above, these versions of the token are not currently supported with MyID. The problem may occur when using one of the following token configurations:

Versions of 5300 tokens that do not have a touch sensor are not affected by this issue.