Chapter 1. Overview of the Enterprise Security Client

1.1. About Smart Card Management
1.2. Features

The Enterprise Security Client is a tool for Red Hat Certificate System that simplifies managing smart cards. End users can use security tokens (smart cards) to store user certificates for applications such as single sign-on and client authentication. End users are issued tokens containing the certificates and keys required for signing, encryption, and other cryptographic functions.

The Enterprise Security Client is the third part of Certificate System's complete token management system. Two subsystems — the Token Key Service (TKS) and Token Processing System (TPS) — are required to process token-related operations; optionally, the Data Recovery Manager (DRM) can be used with the token management system for server-side key generation and key archival and recovery. The Enterprise Security Client is the interface which allows the smart card and user to access the token management system.

After a token is enrolled, applications such as Mozilla Firefox and Thunderbird can be configured to recognize the token and use it for security operations, like client authentication and S/MIME mail. Enterprise Security Client provides the following capabilities:

1.1. About Smart Card Management

Certificate System creates, manages, renews, and revokes certificates, and archives and recovers keys. For organizations that use smart cards, Certificate System provides a token management system, a collection of subsystems with established relationships, which generates keys and certificate requests and receives the certificates to be loaded onto smart cards. These relationships are shown in Figure 1.1, “How Certificate System Manages Smart Cards”.

Four Certificate System subsystems are involved with managing tokens:

  • The Token Processing System (TPS) interacts with smart cards to help them generate and store keys and certificates for a specific entity, such as a user or device. Smart card operations go through the TPS and are forwarded to the appropriate subsystem for action, such as the Certificate Authority to generate certificates or the Data Recovery Manager to archive and recover keys.

  • The Token Key Service (TKS) generates, or derives, the symmetric keys used to secure communication between the TPS and each smart card. Each card's key set is unique because it is derived from the card's unique ID (CUID). The keys are written to the smart card when it is formatted and are held on the TPS side, and they are used to encrypt communications, or provide authentication, between the smart card and the TPS.

  • The Certificate Authority (CA) creates and revokes user certificates stored on the smart card.

  • Optionally, the Data Recovery Manager (DRM) archives and recovers keys for the smart card.

The Enterprise Security Client is the conduit through which TPS communicates with each token over a secure HTTP channel (HTTPS), and, through the TPS, with the Certificate System.
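The following is an added example, not code from Red Hat Certificate System, that illustrates the per-card key property described above: one server-side master key plus each card's CUID yields a distinct key set per card, which the TPS side can recompute on demand and the card can use to authenticate commands. HMAC-SHA256 stands in for the actual TKS diversification function (the real TKS uses GlobalPlatform-style derivation), and the master key, CUIDs, APDU bytes and the `Card`, `diversify`, `format_card` and `wrap_command` names are all constructed for this example.

```python
"""Illustrative per-card key diversification (added example, not RHCS code).

HMAC-SHA256 is used here as the derivation function so the example runs with
only the Python standard library; the real TKS derivation differs.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample master key. In a real deployment the master key stays on
# the TKS side (ideally in an HSM) and is never written to a card.
MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

# Constructed 10-byte CUIDs for two different tokens.
CUID_A = bytes.fromhex("40700001000000000001")
CUID_B = bytes.fromhex("40700001000000000002")

MAC_LEN = 8


@dataclass(frozen=True)
class CardKeys:
    enc: bytes  # would protect confidentiality of the command channel
    mac: bytes  # authenticates each command sent to the card
    kek: bytes  # would wrap keys injected into the card


def diversify(master_key: bytes, cuid: bytes) -> CardKeys:
    """Derive a per-card key set from the master key and the card's CUID.

    The derivation is deterministic, so the server side can recompute any
    card's keys from its CUID instead of keeping a per-card key database.
    """
    def derive(label: str) -> bytes:
        return hmac.new(master_key, label.encode() + cuid, hashlib.sha256).digest()[:16]

    return CardKeys(derive("ENC"), derive("MAC"), derive("KEK"))


@dataclass(frozen=True)
class Card:
    """A token after formatting: it holds its CUID and its own key set."""
    cuid: bytes
    keys: CardKeys

    def accepts(self, wrapped: bytes) -> bool:
        """Card-side check: recompute the MAC with the card's key and compare."""
        if len(wrapped) <= MAC_LEN:
            return False
        apdu, tag = wrapped[:-MAC_LEN], wrapped[-MAC_LEN:]
        expected = hmac.new(self.keys.mac, apdu, hashlib.sha256).digest()[:MAC_LEN]
        return hmac.compare_digest(tag, expected)


def format_card(master_key: bytes, cuid: bytes) -> Card:
    """Format step: derive the card's keys and write them onto the card."""
    return Card(cuid, diversify(master_key, cuid))


def wrap_command(master_key: bytes, cuid: bytes, apdu: bytes) -> bytes:
    """TPS side: recompute the card's MAC key from its CUID and MAC the APDU."""
    keys = diversify(master_key, cuid)
    tag = hmac.new(keys.mac, apdu, hashlib.sha256).digest()[:MAC_LEN]
    return apdu + tag


def demo() -> dict:
    """Two cards, one command: only the card it was MAC'd for accepts it."""
    card_a = format_card(MASTER_KEY, CUID_A)
    card_b = format_card(MASTER_KEY, CUID_B)
    # Constructed APDU header (CLA INS P1 P2 Lc) plus 16 bytes of dummy data.
    apdu = bytes.fromhex("84E2000010") + b"\x00" * 16
    wrapped_for_a = wrap_command(MASTER_KEY, CUID_A, apdu)
    tampered = wrapped_for_a[:-1] + bytes([wrapped_for_a[-1] ^ 0x01])
    return {
        "keys_differ": card_a.keys != card_b.keys,
        "a_accepts": card_a.accepts(wrapped_for_a),
        "b_accepts": card_b.accepts(wrapped_for_a),
        "tampered_rejected": not card_a.accepts(tampered),
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from the example is the architectural one: the card only ever holds its own derived keys, the master key never leaves the server side, and a command MAC'd for one CUID is rejected by every other card, so compromising one token does not yield keys usable against another.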

Figure 1.1. How Certificate System Manages Smart Cards

To use the tokens, the Token Processing System must be able to recognize and communicate with them. Each token must first be enrolled, which formats it with the required keys and certificates and registers it with Certificate System. The Enterprise Security Client provides the user interface through which end entities enroll their tokens.