7.5 Interoperability for Thales authentication devices
This section contains information about any considerations for using these smart card with other systems.
7.5.1 Unlocking PIV cards
PIV cards include a PIV applet, which means that you can use the MyID Card Utility to carry out a remote challenge/response unlock operation and change the user PIN, and the unlock credential provider to unlock the devices from the Windows logon screen.
See section 2.13, Unlocking smart cards that have a PIV applet.
7.5.2 PIN policy settings
MyID allows you to set various policies for PINs using the settings in the credential profile. MyID enforces these settings for any operations carried out by MyID. For some smart cards, some or all of these settings are applied directly to the card, which means that the settings will also be enforced by third-party tools and utilities.
The following settings are supported for on-card PIN policy settings:
|
Smart card |
|
---|---|---|
PIN Setting |
SafeNet eToken 4100 |
SafeNet eToken |
Maximum PIN Length |
|
|
Minimum PIN Length |
Y |
Y |
Repeated Characters Allowed |
|
|
Sequential Characters Allowed |
|
|
Logon Attempts |
Y |
Y |
PIN Inactivity Timer |
Y |
Y |
PIN History |
|
Y |
Lowercase PIN Characters |
|
Y |
Uppercase PIN Characters |
|
Y |
Numeric PIN Characters |
|
Y |
Symbol PIN Characters |
|
Y |
Lifetime |
|
Y |
Key:
- Y – Supported.
- blank – Not supported.
7.5.3 PIN characters for PIV cards
The SP800-73 PIV specification requires that PIV cards use numeric-only PINs. It is possible to configure MyID to use non-numeric PIN characters for PIV cards, although the smart cards will fail to issue.
Make sure you set up the credential profile correctly; in the PIN Characters section of the Credential Profiles workflow, set number to be Mandatory, and uppercase letters, lowercase letters, and symbols to Not Allowed.
7.5.4 IDPrime MD840 Rev A and IDPrime MD3840 smart cards and signature only policies
IDPrime MD840 Rev A and IDPrime MD3840 smart cards have Common Criteria features that MyID does not support. Due to this limitation, issuing certificates that require a Signature Only policy is not supported with MyID.
7.5.5 IDPrime PIV card status
IDPrime PIV v2.1 and v3.0 cards are delivered in an ISD Status of OP_READY. Set the Set GlobalPlatform Card Status option (on the PINs page of the Security Settings workflow) to Yes to ensure the cards are issued in a ISD SECURED state.
7.5.6 Available certificate slots on IDPrime MD cards
IDPrime MD cards are manufactured with a limited number of slots for each key type. It is important that you order cards that can accommodate the certificates you want to use.
For example, your smart cards may be manufactured with a profile that allows only two ECC keys; if you attempt to issue a credential profile that has three ECC certificates to the card, it will fail with an error similar to:
There has been an error generating a certificate request
Solutions:
Please contact your administrator.
Error Number: -2147220715
7.5.7 Additional identities for IDPrime PIV cards
If you want to issue additional identities to devices with PIV applets, you must have a Windows minidriver installed to make the certificates available for uses such as Windows logon. MyID has not yet been tested with a minidriver that provides this feature for IDPrime PIV cards.
For more information, see the Additional identities on devices with PIV applets section in the Administration Guide.
7.5.8 Problems with Windows logon
If you have problems logging on to Windows, remove the Calais and SAC cache and then reboot.
The SAC cache is:
C:\Windows\temp\etoken.cache
The Calais cache is in the registry:
HKLM\Software\Microsoft\Cryptography\Calais\Cache
7.5.9 SafeNet eToken 5300 tokens with Touch Sensor
You can also obtain SafeNet eToken 5300 devices with a Touch capability enabled – you must touch the token sensor to carry out a transaction such as signing. These devices operate with MyID, but you will encounter problems when a signing operation is required, but the token is not touched. Frequently, MyID carries out signing operations in the background using the logged-on state of the token to sign the transaction. If the token requires the user to authenticate, the SafeNet Authentication Client generates a Windows notification; however, this notification may be hidden by Windows, or may not be noticed by the user.
Examples of issues that may be seen when the user does not respond to a touch token notification are:
-
Logging on to MyID clients may freeze.
-
Token issuance fails and does not complete.
-
Operation failure when using MyID clients to submit data to the MyID server (for example, completing a workflow or submitting a request), showing errors such as:
-
Internal consistency check failed.
-
Unable to sign data with smart card.
-
For the reasons above, these versions of the token are not currently supported with MyID. The problem may occur when using one of the following token configurations:
-
SafeNet eToken 5300 FIPS (Mini) – Part Numbers: 909-000077-001, 909-000078-001, 909-000079-001
-
SafeNet eToken 5300 (Micro) – Part Numbers: 909-000081-001, 909-000082-001, 909-000083-001
-
SafeNet eToken 5300 (USB-C) – Part Number: 909-000138-001
Versions of 5300 tokens that do not have a touch sensor are not affected by this issue.