3.7. Security Officer Mode

The Smart Card Manager, in conjunction with the latest TPS Server software, now supports a special "Security Officer" mode of operation. This mode, offered as an alternative to the standard user-centric mode, allows a supervisory individual (a Security Officer) to oversee the face-to-face enrollment of regular users in a given organization.

After an individual has been enrolled, they are issued a smart card containing the necessary certificates required to perform company-supported cryptographic operations, such as encrypted email and secure web site access.

3.7.1. Security Officer Mode Functionality

Security Officer Mode provides the following functionality:

  • Enrollment of Security Officers.

  • Enrollment of individuals under the supervision of a Security Officer, including:

    • The ability to search for an individual within an organization.

    • An interface that displays a photo and other pertinent information about an individual.

    • The ability to enroll approved individuals.

  • Other functions provided by this mode include:

    • An interface to format or reset a user's card.

    • An interface to format or reset a Security Officer's card.

    • An interface to enroll a temporary card for a user that has misplaced their primary card.

    • An interface to store TPS server information on a card. This server information, or "Phone Home" information, is used by the Smart Card Manager to contact a given TPS server installation.

3.7.2. Using Security Officer Mode

Working in the Security Officer Mode falls into two distinct areas:

  • Creating and managing Security Officers.

  • Management of regular users by Security Officers.

When Security Officer Mode is enabled, the Smart Card Manager uses an external user interface provided by the server. This interface takes control of smart card operations in place of the local XUL code that the Smart Card Manager normally uses.

The external interface maintains control until Security Officer Mode is disabled.

To prepare to use Security Officer Mode:

  1. Navigate to the Smart Card Manager installation directory.

    On Microsoft Windows, the installed program is C:/Program Files/Red Hat/ESC/esc.exe.

    On Red Hat Enterprise Linux, the directory is /usr/lib/esc-1.0.1/.

  2. Set the following preference in defaults/preferences/esc-prefs.js: pref("esc.disable.password.prompt","no");

  3. Ensure that the Smart Card Manager is running and that its icon is displayed in the system tray (Windows) or in the notification area (Red Hat Enterprise Linux).
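The preference in step 2 lives in a Mozilla-style prefs file, where a pref that is set twice takes its last value and a hand edit can easily leave a stale duplicate behind. The following POSIX shell script is an added example (not part of the Smart Card Manager product) that applies the setting idempotently: it rewrites an existing pref("esc.disable.password.prompt", ...) line in place and appends one only when none exists. The ESC_DIR default and the demo's file contents are assumptions; point ESC_DIR at the directory found in step 1.

```shell
#!/bin/sh
# Added example: set esc.disable.password.prompt in esc-prefs.js without
# leaving duplicate pref lines. ESC_DIR is an assumed location (override it).
ESC_DIR="${ESC_DIR:-/usr/lib/esc-1.0.1}"
PREFS_FILE="$ESC_DIR/defaults/preferences/esc-prefs.js"

# pref_regex KEY: escape the dots in a pref name for use in a sed/grep regex.
pref_regex() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# get_pref FILE KEY: print the value of KEY (last occurrence wins), or nothing.
get_pref() {
    sed -n "s/^pref(\"$(pref_regex "$2")\", *\"\([^\"]*\)\");.*/\1/p" "$1" 2>/dev/null | tail -n 1
}

# set_pref FILE KEY VALUE: rewrite an existing pref line, otherwise append one.
# Writes through a temp file and mv rather than sed -i so it stays POSIX portable.
# KEY and VALUE are expected to be plain tokens (no quotes, slashes or '&').
set_pref() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    if [ -f "$file" ] && grep -q "^pref(\"$(pref_regex "$key")\"," "$file"; then
        sed "s/^pref(\"$(pref_regex "$key")\", *\"[^\"]*\");.*/pref(\"$key\",\"$value\");/" "$file" > "$tmp"
    else
        { [ -f "$file" ] && cat "$file"; printf 'pref("%s","%s");\n' "$key" "$value"; } > "$tmp"
    fi
    mv "$tmp" "$file"
}

# prepare_secmode_prefs [FILE]: apply the preference that step 2 above asks for.
prepare_secmode_prefs() {
    set_pref "${1:-$PREFS_FILE}" esc.disable.password.prompt no
}

# demo_prefs_file: run the edit twice on a constructed copy of a prefs file
# (never touches ESC_DIR) and print the path of that copy.
demo_prefs_file() {
    f=$(mktemp)
    printf 'pref("esc.disable.password.prompt","yes");\npref("esc.some.other","x");\n' > "$f"
    prepare_secmode_prefs "$f"
    prepare_secmode_prefs "$f"   # second run must not add a duplicate line
    printf '%s\n' "$f"
}

demo_prefs_file
```

Run it once to see the constructed file it edits, then call prepare_secmode_prefs with no argument (or with an explicit path) against the real esc-prefs.js from step 1; get_pref is handy for confirming the result before starting the Smart Card Manager in step 3.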

3.7.2.1. Managing Security Officers

To manage Security Officers:

  1. In a command shell, enter the command ./esc -secmode SECURITY_URL, where "SECURITY_URL" is the predetermined URL of the external TPS security interface.

    For example: ./esc -secmode http://test.host.com:7888/cgi-bin/so/enroll.cgi

    This displays the Security Officer Enrollment page.

  2. Enter the LDAP user name and password of the new Security Officer.

  3. Enter and confirm a password to be used with the Security Officer's smart card.

  4. Click Enroll My Smartcard.

This produces a smart card which contains the certificates needed by a Security Officer to gain access to the application, so that regular users can be enrolled and managed within the system.

Figure 3.9. Security Officer Enrollment Page

3.7.2.2. Managing Regular Users

The Security Officer Station page manages regular users through operations such as enrolling new or temporary cards, formatting cards, and setting the Phone Home URL.

Figure 3.10. Security Officer Station Page

3.7.2.2.1. Managing Regular Users
  1. In a command shell, enter the command ./esc -secmode SECURITY_URL, where "SECURITY_URL" is the predetermined URL of the external TPS security interface.

    For example: ./esc -secmode http://test.host.com:7888/cgi-bin/sow/welcome.cgi

    This displays the Security Officer welcome page.

  2. Ensure that there is a valid and enrolled Security Officer card plugged into the computer. A Security Officer's credentials are required to access the following pages.

  3. Click Continue to display the Security Officer Station page. You may be prompted to enter the password for the Security Officer's card. This is required for SSL client authentication.
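Both Section 3.7.2.1 and step 1 above start Security Officer Mode with ./esc -secmode SECURITY_URL, and the interface at that URL then controls smart card operations in place of the local code (Section 3.7.2). The following POSIX shell wrapper is an added example, not part of the Smart Card Manager product: it checks a proposed SECURITY_URL against an allowlist of known TPS hosts and the Security Officer CGI paths used on this page before emitting the launch command, and warns when the scheme is plain http, since step 3 says the officer's card is used for SSL client authentication. The allowlist (ESC_TPS_HOSTS, defaulting to the test.host.com host from the page's examples), the path rule and the function names are assumptions.

```shell
#!/bin/sh
# Added example: validate a -secmode URL before launching Security Officer Mode.

# url_part URL FIELD: print the scheme, host, port or path of URL; fails if the
# URL has no "://" at all.
url_part() {
    url=$1
    case "$url" in
        *://*) ;;
        *) return 1 ;;
    esac
    scheme=${url%%://*}
    rest=${url#*://}
    hostport=${rest%%/*}
    path=/${rest#*/}
    [ "$hostport" = "$rest" ] && path=/     # URL with no path component
    case "$2" in
        scheme) printf '%s\n' "$scheme" ;;
        host)   printf '%s\n' "${hostport%%:*}" ;;
        port)   case "$hostport" in *:*) printf '%s\n' "${hostport##*:}" ;; *) printf '\n' ;; esac ;;
        path)   printf '%s\n' "$path" ;;
    esac
}

# Space-separated allowlist of TPS hosts the client may be pointed at.
# Constructed sample: test.host.com is the host used in this page's examples.
ESC_TPS_HOSTS="${ESC_TPS_HOSTS:-test.host.com}"

# check_secmode_url URL: 0 if URL is an acceptable -secmode target, 1 otherwise.
# Rules (assumed policy): http or https scheme, host on the allowlist, a .cgi
# target under /cgi-bin/so/ or /cgi-bin/sow/, and no ".." path segments.
check_secmode_url() {
    scheme=$(url_part "$1" scheme) || return 1
    host=$(url_part "$1" host)
    path=$(url_part "$1" path)
    case "$scheme" in http|https) ;; *) return 1 ;; esac
    allowed=1
    for h in $ESC_TPS_HOSTS; do [ "$h" = "$host" ] && allowed=0; done
    [ $allowed -eq 0 ] || return 1
    case "$path" in
        /cgi-bin/so/*.cgi|/cgi-bin/sow/*.cgi) ;;
        *) return 1 ;;
    esac
    case "$path" in *..*) return 1 ;; esac
    return 0
}

# secmode_cmd URL: print the exact launch command, or refuse with a message.
secmode_cmd() {
    check_secmode_url "$1" || { echo "refusing to launch Security Officer Mode with $1" >&2; return 1; }
    [ "$(url_part "$1" scheme)" = "https" ] || echo "warning: $1 is not https" >&2
    printf './esc -secmode %s\n' "$1"
}

# Demonstration with the welcome-page URL from step 1 above.
secmode_cmd http://test.host.com:7888/cgi-bin/sow/welcome.cgi
```

Pipe the printed command into sh (or replace the final printf with an exec of ./esc) once it matches what you expect; keeping the allowlist in ESC_TPS_HOSTS means an officer cannot be pointed at an unknown server by a mistyped or pasted URL.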

3.7.2.2.2. Enrolling a New User
  1. Click the Enroll New Card link to display the Security Officer Select User page.

  2. Enter the LDAP name of the user who is to receive a new smart card.

  3. Click Continue. If the user exists, the Security Officer Confirm User page displays.

  4. Compare the photo of the user with the person actually present. Verify any other information presented on the screen.

  5. If all the details are correct, click Continue to display the Security Officer Enroll User page. This page prompts the officer to insert a new smart card into the computer.

  6. If the smart card is properly recognized, enter the new password for this card and click Start Enrollment.

A successful enrollment produces a smart card that you can hand to the user, granting the access for which the card is required.

3.7.2.2.3. Enrolling a Temporary Card for an Existing User
  1. Click Enroll Temporary Card.

  2. Follow the instructions given in Section 3.7.2.2.2, “Enrolling a New User”.

A successful enrollment produces a smart card which is valid for a limited time. The user can use this card until it expires.

3.7.2.2.4. Formatting a Smart Card
  1. Click Format Card to display the page used to format or reset an existing smart card.

  2. Ensure that a card is inserted into the computer.

  3. Click Format to reset the card.

After successful completion, this card can be used to enroll another user.

3.7.2.2.5. Setting a Home URL on a Smart Card
  1. Click Set Home URL to display the screen used to write a new home URL onto the card. This "home URL" tells the Smart Card Manager where to locate the TPS servers.

    This feature is useful if any of the TPS server information has changed since the card was last used.

  2. Ensure that a valid card is inserted into the computer.

  3. Click Format. The result is a card with the new Phone Home information stored on it.

3.7.2.2.6. Formatting an Existing Security Officer Smart Card
  1. Click Format SO Card. Because the Security Officer card is already inserted, the following screen displays:

    Figure 3.11. Formatting an SO card using the Security Officer Workstation

  2. Click Format to begin the operation.

When the card is successfully formatted, the Security Officer's card values are reset. Another Security Officer's card must be used to enter Security Officer Mode and perform any further operations.

3.7.2.2.7. Closing Security Officer Mode

Click Close to leave Security Officer Mode. The Smart Card Manager now operates normally.