Red Hat Certificate System 7.1
Enterprise Security Client Guide
Last updated: March 15, 2006
Introduction
The Enterprise Security Client (ESC) is the Red Hat Certificate System
component that provides the user-facing portion of the Token Management
System. End users can be issued security tokens containing the
certificates and keys required for signing, encryption, and other
cryptographic functions. To make use of the tokens, the Token Processing
System (TPS) must be able to recognize and communicate with them; ESC is
the means by which tokens are taken through the enrollment process.
ESC communicates with the TPS back end over an HTTP-over-SSL channel. It
uses a web browser container to provide a simple, customizable
HTML-based UI, and the native functionality of the tokens is exposed
through JavaScript functions called from that UI. After a token is
properly enrolled, applications such as Mozilla Firefox and Thunderbird
can be configured to recognize the token and use it for security
operations such as SSL client authentication and S/MIME.
ESC provides the following capabilities:
- Supports Visa Open Platform compliant smart cards such as the Axalto
Cyberflex egate 32k token.
- Allows the user to enroll security tokens so that they are recognized
by TPS.
- Allows the user to maintain a security token through its life cycle;
for example, ESC makes it possible to re-enroll a token with TPS.
- Provides information about the current status of the token or tokens
being managed.
- Supports server-side key generation, so that keys can be archived and
later recovered onto a separate token when a user loses the original.
Platform Support
Currently ESC supports only the following platforms:
- Red Hat Enterprise Linux 4 (Intel x86)
- Microsoft Windows 2000
- Microsoft Windows XP
- Apple Mac OS X 10.3
SmartCard Support
Currently ESC supports only the following smart cards:
- Visa Open Platform compliant smart cards such as the Axalto Cyberflex
egate 32k token
NOTE: ESC will only recognize the webstore-type tokens obtained from
Axalto, because the ATRs (Answer To Reset values) for these tokens are
hardcoded into our PKCS#11 driver.
Installation
Installation on Windows:
Follow these steps to perform the installation on the Windows platform:
Step 1: Copy the ESC executable packaged with Red Hat Certificate System
7.1 under <server-root>/bin/cert/esc/windows/esc-setup-1.1.exe to your
Windows machine.
Step 2: Run the ESC installer by executing 'esc-setup-1.1.exe'.
Step 3: Proceed through the ESC installation wizard and answer its
questions.
Step 4: Click 'Finish' to complete the ESC installation.
Note:
- The ESC executable ESC.exe and its configuration file ESC.cfg are
placed under the selected directory, in this case C:\Program Files\ESC\.
- The installation process also installs the egate device drivers and
the PKCS#11 module.
[Screenshots of the Windows installation wizard omitted]
Installation on RHEL 4:
Follow these steps to perform the installation on RHEL 4:
Step 1: Copy the ESC installation RPMs packaged with Red Hat Certificate
System 7.1 under <serverRoot>/bin/cert/esc/rhel4/:
CoolKey-0.5.0-2.i386.rpm
esc-1.1-1.i386.rpm
ifd-egate-0.05-4.i386.rpm
pcsc-lite-1.2.0-6.i386.rpm
Step 2: Install the RPMs as "root" in the following order:
pcsc-lite-1.2.0-6.i386.rpm
ifd-egate-0.05-4.i386.rpm
CoolKey-0.5.0-2.i386.rpm
esc-1.1-1.i386.rpm
Note:
- The ESC executable and its configuration file ESC.cfg are placed under
/usr/lib/esc-1.1/.
- The installation process also installs the egate device drivers and
the PKCS#11 module.
[Screenshot of the RHEL 4 installation omitted]
Installation on Mac OS X
Use the following steps to perform the installation on Mac OS X 10.3:
Step 1: Copy the ESC.dmg (disk image) file packaged with Red Hat
Certificate System 7.1 to your Mac machine.
Step 2: Go to <serverRoot>/bin/cert/esc/mac/ to get it.
Step 3: Once you have copied it, double-click to open the ESC.dmg file.
Step 4: You should see a Coolkey 1.0.pkg (installer package) and an ESC
application.
Step 5: Double-click Coolkey 1.0.pkg to install the Coolkey drivers.
Step 6: Copy the ESC application to your chosen install location, for
example /ESC/.
Step 7: Double-click the ESC application to launch it.
Configuration
The ESC configuration file is called ESC.cfg and is placed under the ESC
installation directory. Its parameters and their descriptions are:
ESC.cfg parameter   Description
BROWSER_URL         Points to the initial page that ESC opens when
                    launched. This page can be an http or https URL.
ENROLL_URL          When an un-initialized token is inserted and this
                    parameter is configured, ESC takes the user directly
                    to an enrollment page.
TPS_HOST_NAME       Host name of the TPS server.
TPS_HOST_PORT       End Entity port number of the TPS server.
TPS_HOST_USES_SSL   Can be set to 'yes' or 'no'. ESC will use SSL if
                    set to 'yes'.
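A small checker for the parameters in the table above, flagging the weak setting it allows (TPS_HOST_USES_SSL=no) and a plain-http BROWSER_URL or ENROLL_URL. This is an added example, not code from the guide or the ESC product; it assumes ESC.cfg holds one NAME=value pair per line, and the hostnames, ports and paths in the sample configurations are constructed.

```python
"""Check an ESC.cfg for risky or malformed settings (added example, not Red Hat's
code). It assumes ESC.cfg holds one NAME=value pair per line; that format is an
assumption, so compare it with the ESC.cfg that your ESC install ships."""
from urllib.parse import urlsplit

REQUIRED = ("BROWSER_URL", "TPS_HOST_NAME", "TPS_HOST_PORT", "TPS_HOST_USES_SSL")

def parse_esc_cfg(text):
    """Parse NAME=value lines; blank lines and '#' comments are skipped."""
    cfg = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected NAME=value, got {line!r}")
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg

def check_esc_cfg(cfg):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = [f"{k} is missing" for k in REQUIRED if k not in cfg]
    uses_ssl = cfg.get("TPS_HOST_USES_SSL", "").lower()
    if uses_ssl not in ("yes", "no"):
        findings.append("TPS_HOST_USES_SSL must be 'yes' or 'no'")
    elif uses_ssl == "no":
        findings.append("TPS_HOST_USES_SSL=no: ESC-to-TPS traffic is not SSL protected")
    for key in ("BROWSER_URL", "ENROLL_URL"):
        url = cfg.get(key)
        if url is None:
            continue  # ENROLL_URL is optional
        scheme = urlsplit(url).scheme
        if scheme not in ("http", "https"):
            findings.append(f"{key}: not an http or https URL")
        elif scheme == "http":
            findings.append(f"{key} uses plain http; the page ESC loads is not authenticated")
    return findings

# Constructed sample configurations, not shipped with ESC.
WEAK_CFG = """BROWSER_URL=http://tps.example.test:7888/cgi-bin/esc.cgi
TPS_HOST_NAME=tps.example.test
TPS_HOST_PORT=7888
TPS_HOST_USES_SSL=no"""
HARDENED_CFG = """BROWSER_URL=https://tps.example.test:7889/cgi-bin/esc.cgi
ENROLL_URL=https://tps.example.test:7889/cgi-bin/enroll.cgi
TPS_HOST_NAME=tps.example.test
TPS_HOST_PORT=7889
TPS_HOST_USES_SSL=yes"""
```

Running check_esc_cfg(parse_esc_cfg(...)) on the two samples returns two findings for WEAK_CFG and none for HARDENED_CFG.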
Usage Scenarios
The following sections provide minimal guidance on using the Enterprise
Security Client to perform token enrollment, format, and PIN reset
operations.
Launching ESC
On RHEL 4, with a default installation, change directory to
'/usr/lib/esc-1.1/' and execute the script './esc' to launch ESC.
On Windows, with a default installation, go to 'C:\Program Files\ESC\'
and launch the ESC executable ESC.exe.
On Mac, go to installRoot and double-click esc.
Format the token
This operation brings the token to the 'un-initialized' state: all of
the user key pairs that were generated during the enrollment process
and stored on the token are removed, and the PIN that was set on the
token during enrollment is erased.
Optionally:
- the TPS server can be configured to authenticate this operation, in
which case ESC pops up a dialog for the user performing the operation
to enter his/her credentials, such as an LDAP user ID and password; the
operation is allowed to continue only after the user is successfully
authenticated.
- the TPS server can be configured to load newer versions of the applet
and symmetric keys onto the token.
Use the following steps to perform the format operation:
Step 1: Plug the token into the USB port.
Step 2: Start ESC. Make sure ESC is able to recognize the plugged-in
token.
Step 3: Go to the Token Manager page.
Step 4: Click 'Format' to format the token.
[Screenshots of the format operation omitted]
Token Enrollment
This operation enrolls the token with user key pairs and brings it to
the 'ENROLLED' state. An 'ENROLLED' token can then be used to perform
certificate-based operations such as SSL client authentication or
S/MIME.
Optionally:
- the TPS server can be configured to have the user key pairs generated
on the server side and archived in the DRM subsystem for later recovery
if the token is 'lost'.
- the TPS server can be configured to authenticate this enrollment
operation, in which case ESC pops up a dialog for the user performing
the operation to enter his/her credentials, such as an LDAP user ID and
password; the operation is allowed to continue only after the user is
successfully authenticated.
- the TPS server can be configured to load newer versions of the applet
and symmetric keys onto the token.
Use the following steps to perform the enrollment operation:
Step 1: Plug the token into the USB port.
Step 2: Start ESC. Make sure ESC is able to recognize the plugged-in
token.
Step 3: Go to the Key Enrollment page.
Step 4: Enter a PIN for the token.
Step 5: Click 'Enroll' to begin the enrollment process.
[Screenshots of the enrollment process omitted]
Token PIN Reset
This operation resets the PIN on a token that has already been enrolled,
for use when the user forgets the token's PIN.
Use the following steps to perform the PIN reset operation:
Step 1: Plug the token into the USB port.
Step 2: Start ESC. Make sure ESC is able to recognize the plugged-in
token.
Step 3: Go to the Advanced Function page.
Step 4: Enter the new PIN information.
Step 5: Click 'Reset PIN' to reset the PIN on the token.
Optionally:
- the TPS server can be configured to authenticate this operation, in
which case ESC pops up a dialog for the user performing the operation
to enter his/her credentials, such as an LDAP user ID and password; the
operation is allowed to continue only after the user is successfully
authenticated.
- the TPS server can be configured to load newer versions of the applet
and symmetric keys onto the token.
[Screenshots of the PIN reset operation omitted]
Use Token for SSL Client Auth and S/MIME
Once an enrollment operation has been performed on the token, that token
can be used with the following applications.
Note:
- On Windows, the PKCS#11 module is named 'coolkeypk11.dll' and should
be available in the C:\windows\system32\ directory.
- On RHEL, the PKCS#11 module is named 'libcoolkeypk11.so' and should be
available under /usr/lib/.
Using the certificates on the token for SSL:
Mozilla Firefox: Download from http://www.mozilla.org, then follow these
steps:
1. Open the Tools menu, choose Options, then click Advanced.
2. To add a PKCS #11 driver:
   1. Click Manage Security Devices.
   2. Click Load.
   3. Enter a module name (e.g., token key pk11 driver).
   4. Click Browse, navigate to the PKCS #11 driver that came with the
   ESC bundle, and click OK.
3. To manage certificates:
   1. Click Manage Certificates.
   2. Set up your trust relationships. If the CA is not yet trusted,
   click Authorities and import the CA cert. Be sure to click Edit and
   set the trust for web sites.
Now you can use your certificates for SSL.
S/MIME Applications:
Thunderbird: Download from http://www.mozilla.org, then follow these
steps:
1. Add your account and set up the server to send and receive email. To
do so, open the Tools menu and click Account Settings.
2. Open the Tools menu, choose Options, then click Advanced.
3. To add a PKCS #11 driver:
   1. Click Manage Security Devices.
   2. Click Load.
   3. Enter a module name (e.g., token key pk11 driver).
   4. Click Browse, navigate to the PKCS #11 driver that came with the
   ESC bundle, and click OK.
4. To manage certificates:
   1. Click Manage Certificates.
   2. Set up your trust relationships. If the CA is not yet trusted,
   click Authorities and import the CA cert. Be sure to click Edit and
   set the trust for identifying web sites and mail users.
   3. Open the Tools menu, choose Account Settings, click Security, and
   select the certificates for signing and encryption.
Now you should be able to sign or encrypt messages. For more information
on how to configure the CA profiles to insert the user's email address
into the encryption certificate's subjectAltName extension, please read
the Red Hat Certificate System Administrator Guide Addendum.
Un-Installing ESC
Un-Installing on Windows
Follow these steps to perform a 'clean' un-install of the ESC client:
Step 1: Unplug all USB tokens.
Step 2: Shut down ESC.
Step 3: Go to Control Panel --> Add/Remove Programs --> select ESC 1.1
--> Click 'Remove'.
Step 4: Remove any files left over under the installation directory.
Un-Installing on RHEL 4
Follow these steps to perform a 'clean' un-install of the ESC client:
Step 1: Unplug all USB tokens.
Step 2: Shut down ESC.
Step 3: Log in as user 'root' and remove the following RPMs in order,
using the command 'rpm -ev <rpmname>' for each:
esc-1.1-1.i386.rpm
CoolKey-0.5.0-2.i386.rpm
ifd-egate-0.05-4.i386.rpm
pcsc-lite-1.2.0-6.i386.rpm
Step 4: Remove any files left over under the installation directory.
Un-Installing on Mac OS X
Follow these steps to perform a 'clean' un-install of the ESC client:
Step 1: Unplug all USB tokens.
Step 2: Shut down ESC.
Step 3: Go to ESC's installRoot, for example /esc/, and manually remove
all the files, or right-click and choose 'Move to Trash'.
NOTE: We do not provide a specific un-installer for the Mac platform at
this point.