Smart card - problem with Notes 6.02CF1 setup

Hi all,

I am trying to use a smartcard (Aladdin PRO) with Notes 6.02CF1 to authenticate with the smartcard instead of the Notes ID.

My config is Windows 2000 smartcard network logon on my PC. I use the “eTpkcs11.dll”.

When I try to “Enable the Smartcard Login” I receive the message “Notes has not detected your Smart Card…”

When I look at the detailed configuration in Notes, I can only see info on the smartcard driver.

Did I miss something?

Any help/thought will be appreciated.

Marc

Subject: The solution was posted in a past thread on this forum

We’ve never tested against the Aladdin tokens, but someone else on this forum ran into that problem and posted the solution. Here’s a link to the thread:

Date        #   Topic
11/09/2002  11  eToken Pro & Notes (Jan-Piet Mens)
11/11/2002  10  Solved by Eli (Jan-Piet Mens)
11/11/2002   9    Re: eToken Pro & Notes (Dave Kern)
11/12/2002   8      RE: Re: eToken Pro & Notes (Jan-Piet Mens)
11/13/2002   7        RE: Re: eToken Pro & Notes (Dave Kern)
11/14/2002   6          RE: Re: eToken Pro & Notes (Jan-Piet Mens)
11/15/2002   5            RE: Re: eToken Pro & Notes (Dave Kern)
11/17/2002   4              Error (Jan-Piet Mens)
11/18/2002   3                Notes requires the CKM_RSA_PKCS mechanism (Dave Kern)
11/19/2002   2                  Asking Aladdin (Jan-Piet Mens)
12/05/2002   1                    Response from Aladdin (Jan-Piet Mens)
12/06/2002                          RE: Response from Aladdin (Dave Kern)

However, it doesn’t sound like the Aladdin eToken Pro supports the cryptographic mechanisms in hardware that Notes needs to use keys stored on the token, so you might not have much success beyond protecting your ID file with the token. However, Aladdin may have updated their driver software in the past 9 months, so it’s probably worth checking just to be sure.

If you’re using 6.0.2 or later, you can write a simple C API program to determine if a given token provides what Notes needs. Check out the documentation for SECManipulateSC — calling that function with the SC_manip_CheckCard opcode will tell you if the token is likely to work with Notes or not. The call is well documented in the “Lotus C API Notes/Domino 6.0.2 Reference”.

Good luck,

dave

PS - the actual sequence of opcodes would be SC_manip_InitializeContext, then SC_manip_CheckCard, then SC_manip_TerminateContext.

Subject: RE: The solution was posted in a past thread on this forum

Dave: Is there a list of supported smartcard readers/drivers, or a list of the ones that IBM/Lotus knows work best with Notes? I am searching for one and can’t find one. Could you please post a URL if you know of one where I could find this information. Thanks! Duane

Subject: Tested smartcard packages

The most current list of tested smartcard packages is in the release notes for each version of Notes/Domino.

That list isn’t exclusive – it just lists the tokens that we’ve had the opportunity to test in-house. Any token that provides a PKCS#11 v2.01 or better interface that fulfills the Large Application PKCS#11 Conformance Profile (http://www.rsasecurity.com/rsalabs/pkcs/pkcs-11/pkcs11Conformance.pdf) should work just fine with Notes.

I’ve included the current release note text at the end of this message. The tokens listed below should work fine with 6.0.2. As always, check the release notes in the version of Notes that you’re using for the list that is most applicable to you.

dave

Smartcard support was introduced in Lotus Notes 6.

Notes Password on a Smartcard:

It is currently possible to lock an ID file such that a smartcard and smartcard PIN are required, instead of the Notes password. Removing the smartcard from the reader will then log the user out of Notes. This feature can be enabled through the following steps:

  1. Ensure that your ID file is recoverable via ID File Recovery, and that your ID file is not configured for password expiration in your person document on your server’s public directory.

  2. Install the smartcard reader hardware and software, following the instructions provided by the smartcard vendor.

  3. Open the User Security Panel (File → Security → User Security)

  4. Open the Your Identity // Your Smartcard Pane

  5. Enter the path or browse to the location of the PKCS #11 library, installed by the smartcard installation. Some sample paths and names are listed below:

    c:\WINNT\system32\gclib.dll (GemSAFE 3.1)

    c:\WINNT\system32\acpkcs201.dll (ActivCard Gold 2.2)

    c:\WINNT\system32\pk2priv.dll (GemSAFE 2.21)

    c:\Program Files\Netscape\Communicator\Program\acpkcs.dll

    c:\Schlumberger\Smart Cards and Terminals\Cyberflex Access Kits\v4\slbck.dll (Schlumberger Cyberflex Access V4.3)

    c:\Schlumberger\Smart Cards and Terminals\Common Files\slbck.dll (Schlumberger Cyberflex Access V2)

    c:\WINNT\system32\dkck201.dll (Rainbow iKey 2032)

    c:\WINNT\system32\dkck201.dll (Datakey CIP 4.07)

  6. Click on the Enable Smartcard Login button to lock the ID file using a key stored on the smartcard instead of a password.

Internet Keys on a Smartcard:

It is currently possible to place an RSA private key from the ID file onto a smartcard and use that key to sign and decrypt S/MIME mail, and to authenticate to “Internet” servers using SSL client certificate authentication.

To place an RSA private key onto a smartcard:

Open the User Security Panel (File → Security → User Security)

Open the Your Identity // Your Certificates pane

Select the Internet Certificate associated with the private key that you want to move to the smartcard.

Select Other Actions // Store Private Key on Smartcard.

Tested Smartcard packages:

Smartcard functionality has only been tested under win32-based operating systems. Untested smartcards that include PKCS #11 libraries may work with Notes 6. The following smartcard packages have been tested, and indicated (*) packages have caveats listed below:

Smartcard Package                                   Login with  Removing token gives  512-bit RSA    1024-bit RSA
                                                    the token   ‘F5’-style logout     keys on token  keys on token
ActivCard Gold 2.2                                  yes         yes                   yes            yes
Datakey CIP 4.07                                    yes         yes                   yes            yes
GemSAFE libraries 3.1 SP4 (GPK16000)                yes         yes                   yes            yes
GemSAFE Enterprise Workstation 2.21 (GPK8000) (*)   yes         no                    no             yes
GemSAFE Enterprise Workstation 2.0 (GPK4000) (*)    yes         no                    no             yes
Rainbow iKey 2032 SDK v4.7.0                        yes         yes                   yes            yes
Schlumberger Cyberflex Access SDK V4.3              yes         yes                   no             yes
Schlumberger Cyberflex Access SDK V2                yes         yes                   no             yes

Caveats and Warnings:

The only way to recover from losing or breaking a smartcard or to revert a smartcard-protected ID file to a password is through ID File Recovery. ID File Recovery should be configured for an ID file before the ID file is smartcard-enabled. Recovering a smartcard-protected ID file will revert the ID file to use a password and will restore any keys that were pushed onto the smartcard, as long as the recovery information was not changed after the key was pushed down to the smartcard.

Password expiration should be disabled in a user’s person record before they smartcard-enable their ID file.

Password checking will result in only a single smartcard being usable with a given ID file, even across multiple computers or platforms. In this scenario, one copy of the ID file should be smartcard-enabled, and then that version of the ID file should be copied to all of the other respective computers. That single smartcard will now be required for all of the copies of the ID file.

Many smartcard packages only support 1024-bit RSA keys. You can find the strength of a given key by selecting an Internet Certificate and pressing the Advanced Details button from the “Your Identity//Your Certificates” pane of the User Security Dialog (File//Security//User Security).

Server setup will not function with a smartcard-protected server ID. In order to use a smartcard-protected ID with a server, finish server setup with a password-protected version of the ID file, then add the path to the PKCS #11 library in the server’s notes.ini (PKCS11_Library=), and finally smartcard-enable the server’s ID file on a client using the steps indicated above.

Single Logon, which synchronizes the Notes and Windows passwords, cannot be used with a smartcard-protected ID file. You must restart Notes after disabling Single Logon before smartcard-enabling an ID file.

The format in which smartcard-related information is stored in the ID file has changed since the earliest beta releases of Notes 6. Using an ID file that was smartcard-enabled with one of these early beta releases will result in an “Incomplete or incorrect smartcard configuration” with Notes 6.

Notes uses version 2.01 of the PKCS #11 API to communicate with smartcards and other PKCS#11 devices. PKCS #11 libraries that only implement version 2.0 will not result in an “F5”-style logout when the card is removed from the reader. Updated libraries may be available from the smartcard vendors.

Version 2.2 is the required minimum version of ActivCard Gold supported for Notes 6.

GemSAFE 2.21’s NT Lock Workstation feature has been known to crash some versions of NT and deadlock with Notes. When installing GemSAFE 2.21, the NT lock workstation feature defaults to on. Un-check the box.

There may be problems when installing GemSAFE 2.21 on a laptop running NT 4.
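Two points in this thread say what a PKCS#11 token has to offer before Notes can use it: the earlier reply (and the linked thread title) says Notes requires the CKM_RSA_PKCS mechanism, and the release notes above say Notes uses PKCS #11 v2.01, that v2.0-only libraries lose the ‘F5’-style logout on card removal, and tabulate 512-bit and 1024-bit RSA key support per package. The C program below is an added example, not code from Lotus/IBM or from anyone in this thread; it scores a token’s reported Cryptoki version and mechanism list against those points and prints a row in the same yes/no shape as the release-note table. The three sample tokens in it are constructed, and the minimal PKCS#11 type definitions are reproduced so it builds without pkcs11.h. A real check would fill the same structures from the vendor DLL through the standard C_GetInfo, C_GetMechanismList and C_GetMechanismInfo calls, which this example does not make.

```c
#include <stdio.h>
#include <string.h>

/* Minimal PKCS#11 (Cryptoki) types and constants, reproduced here so the
 * example compiles without pkcs11.h. The numeric values are the standard ones. */
typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_MECHANISM_TYPE;
typedef CK_ULONG CK_FLAGS;
typedef struct { unsigned char major, minor; } CK_VERSION;
typedef struct { CK_ULONG ulMinKeySize, ulMaxKeySize; CK_FLAGS flags; } CK_MECHANISM_INFO;

#define CKM_RSA_PKCS  0x00000001UL
#define CKM_RSA_X_509 0x00000003UL
#define CKM_SHA_1     0x00000220UL
#define CKF_HW        0x00000001UL   /* mechanism performed in hardware */
#define CKF_DECRYPT   0x00000200UL
#define CKF_SIGN      0x00000800UL

/* One mechanism as a real program would collect it from C_GetMechanismList
 * followed by C_GetMechanismInfo for that mechanism type. */
typedef struct { CK_MECHANISM_TYPE type; CK_MECHANISM_INFO info; } mech_entry;

/* The columns of the release-note table plus the two prerequisites the thread names. */
typedef struct {
    int version_ok;       /* library reports Cryptoki >= 2.01 (needed for removal logout) */
    int has_rsa_pkcs;     /* CKM_RSA_PKCS offered (needed for Notes to use keys on the token) */
    int rsa_in_hardware;  /* CKF_HW set on CKM_RSA_PKCS */
    int sign_and_decrypt; /* CKF_SIGN and CKF_DECRYPT set on CKM_RSA_PKCS (S/MIME use) */
    int rsa_512;          /* 512-bit keys fall inside the mechanism's key-size range */
    int rsa_1024;         /* 1024-bit keys fall inside the range */
} notes_token_report;

int cryptoki_version_at_least(CK_VERSION v, unsigned char major, unsigned char minor)
{
    return v.major > major || (v.major == major && v.minor >= minor);
}

static const mech_entry *find_mech(const mech_entry *m, CK_ULONG n, CK_MECHANISM_TYPE t)
{
    CK_ULONG i;
    for (i = 0; i < n; i++)
        if (m[i].type == t)
            return &m[i];
    return NULL;
}

notes_token_report assess_token(CK_VERSION libver, const mech_entry *m, CK_ULONG n)
{
    notes_token_report r;
    const mech_entry *rsa = find_mech(m, n, CKM_RSA_PKCS);
    memset(&r, 0, sizeof r);
    r.version_ok = cryptoki_version_at_least(libver, 2, 1);
    if (rsa) {
        r.has_rsa_pkcs = 1;
        r.rsa_in_hardware = (rsa->info.flags & CKF_HW) != 0;
        r.sign_and_decrypt = (rsa->info.flags & (CKF_SIGN | CKF_DECRYPT)) == (CKF_SIGN | CKF_DECRYPT);
        r.rsa_512  = rsa->info.ulMinKeySize <= 512  && 512  <= rsa->info.ulMaxKeySize;
        r.rsa_1024 = rsa->info.ulMinKeySize <= 1024 && 1024 <= rsa->info.ulMaxKeySize;
    }
    return r;
}

/* 1 when both prerequisites stated in the thread hold: Cryptoki 2.01+ and CKM_RSA_PKCS. */
int token_meets_notes_requirements(CK_VERSION libver, const mech_entry *m, CK_ULONG n)
{
    notes_token_report r = assess_token(libver, m, n);
    return r.version_ok && r.has_rsa_pkcs;
}

/* Packs the six report columns into one int (bit 0 = version_ok ... bit 5 = rsa_1024). */
int assess_bits(CK_VERSION libver, const mech_entry *m, CK_ULONG n)
{
    notes_token_report r = assess_token(libver, m, n);
    return r.version_ok | r.has_rsa_pkcs << 1 | r.rsa_in_hardware << 2 |
           r.sign_and_decrypt << 3 | r.rsa_512 << 4 | r.rsa_1024 << 5;
}

static const char *yn(int v) { return v ? "yes" : "no"; }

static void print_row(const char *name, CK_VERSION v, const mech_entry *m, CK_ULONG n)
{
    notes_token_report r = assess_token(v, m, n);
    printf("%-14s v2.01+:%-4s RSA_PKCS:%-4s hw:%-4s sign+decrypt:%-4s 512:%-4s 1024:%s\n",
           name, yn(r.version_ok), yn(r.has_rsa_pkcs), yn(r.rsa_in_hardware),
           yn(r.sign_and_decrypt), yn(r.rsa_512), yn(r.rsa_1024));
}

/* Constructed sample data for three hypothetical tokens (not real products). */
static const CK_VERSION v201 = {2, 1}, v200 = {2, 0};
static const mech_entry full_token[] = {          /* everything the table asks for */
    { CKM_RSA_PKCS, { 512, 1024, CKF_HW | CKF_SIGN | CKF_DECRYPT } },
    { CKM_SHA_1,    { 0, 0, CKF_HW } },
};
static const mech_entry old_lib_token[] = {       /* v2.0 library, 1024-bit keys only */
    { CKM_RSA_PKCS, { 1024, 2048, CKF_SIGN | CKF_DECRYPT } },
};
static const mech_entry raw_rsa_only[] = {        /* raw RSA but no PKCS#1 mechanism */
    { CKM_RSA_X_509, { 1024, 1024, CKF_HW | CKF_SIGN | CKF_DECRYPT } },
};

int main(void)
{
    print_row("full_token", v201, full_token, 2);
    print_row("old_lib_token", v200, old_lib_token, 1);
    print_row("raw_rsa_only", v201, raw_rsa_only, 1);
    return 0;
}
```

The design mirrors what the thread reports: a v2.0-only library still shows RSA_PKCS as “yes” but fails the version column, which is exactly the “login works but no F5-style logout” case in the release notes, while a token that exposes only raw RSA (CKM_RSA_X_509) fails outright, matching the eToken finding in the linked thread.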

Subject: RE: Tested smartcard packages

For using smartcard packages, I understand that you mean it is essential to use a Notes 6 client, but I don’t know if it is essential to use a Lotus Domino 6 server. Could this be done using a Notes 6 client running on an R5 server?

Thanks.

Subject: RE: Tested smartcard packages

If you smartcard-enable a Notes ID, the software that is directly accessing that ID file must be able to handle the smartcard. For example, if you smartcard-enable a server ID, then the Domino server must be 6.x+, but the clients can be R5 or earlier. If you smartcard-enable a client ID, then that ID can only be used with R6.x+ clients, but could be used to access an older Domino server.

Subject: RE: Tested smartcard packages

I have tested two different types of devices.

The first one is a PCT-BASIC smartcard reader, and I could find the DLL, but when I clicked the Enable Smartcard Login button, Notes showed me a message: “error reading device” or something like this. I understand that this type of smartcard reader cannot be used with Lotus Notes.

Then I tried to do the same with a GemPC USB-SL smartcard reader made by GEMPLUS, but I have a problem: I don’t know the name of the PKCS #11 library. I tried to find it at c:\WINNT\system32, but there are thousands of DLL files. Do you know anything about it? Has anyone had the same problem and been able to solve it?

Thank you again.

Subject: RE: Tested smartcard packages

The release notes include a list of the DLLs used by all of the smartcard packages that we have tested.

c:\WINNT\system32\gclib.dll (GemSAFE 3.1)

c:\WINNT\system32\acpkcs201.dll (ActivCard Gold 2.2)

c:\WINNT\system32\pk2priv.dll (GemSAFE 2.21)

c:\Program Files\Netscape\Communicator\Program\acpkcs.dll

c:\Schlumberger\Smart Cards and Terminals\Cyberflex Access Kits\v4\slbck.dll (Schlumberger Cyberflex Access V4.3)

c:\Schlumberger\Smart Cards and Terminals\Common Files\slbck.dll (Schlumberger Cyberflex Access V2)

c:\WINNT\system32\dkck201.dll (Rainbow iKey 2032)

c:\WINNT\system32\dkck201.dll (Datakey CIP 4.07)

c:\WINNT\system32\sadaptor.dll (Eutron SecIdentity CryptoKit 3.2.1)

Since you’re testing with a Gemplus card, I’d recommend searching for gclib.dll. If that isn’t there, *201.dll and pkcs.dll are possibilities. However, the best way to find out what DLLs were installed by your smartcard package would be to read the documentation and release notes for that package – I’ve found that most of them mention the name and/or install path for their PKCS#11 DLL.

Good luck,

dave

Subject: RE: Tested smartcard packages

Thanks Dave, I’ve found the DLL.

But I still can’t enable the smartcard.

I’ll try to explain my situation:

I have two different readers, and two different cards:

-Reader1 is a GYD PCT-BASIC which was provided with card1.

-Reader2 is a GemPC USB-SL which was provided with card2.

Any combination of readers and cards works well when I log in at the provider’s web page, and that makes me think that both cards and both readers are compatible.

The problems begin when I try to enable smartcards for logging on to a Notes client.

There is no problem with the reader configuration; the problems come when I click the “Enable Smartcard Login” button.

-If I try to do it with card2, whether with reader1 or reader2, Notes prompts me to enter the PIN. If I use a wrong PIN, Notes detects it (which makes me believe that the reader can read the card), and if I use the correct PIN, this message box appears: “Smartcard login was not enabled: a password is required for this ID file”. I changed my Notes password to a blank one, but the same thing still happens.

Something different happens when I try to log in using card1.

-If I log in using reader1, whether I type a right or a wrong PIN, the next message appears on the screen: “Error reading your smartcard: please reinsert your smartcard” (this is strange to me, because the reader and the card were provided to me together)

-If I log in using reader2, whether I type a right or a wrong PIN, the next message appears on the screen: “this smartcard has not been initialized or is incompatible with your smartcard reader”.

I don’t know what I can do. Is there any suggestion?

Do you know any card reader which has been tested with Lotus Notes, and could be compatible with any kind of card? (something like a Universal Card Reader)

Thank you again.

Subject: Try to acquire some debugging information

Shut down the client, set DEBUG_PKCS11=3 in your notes.ini file, and try again.

That notes.ini variable will print an absurd amount of information to a console window, including practically every call made into the PKCS#11 DLL and the results of those function calls. With that information, we should be able to determine exactly what is going wrong.

dave

Subject: RE: Try to acquire some debugging information

I tried to do what you told me, but I could not see any window. The only thing I noticed was a new command at notes.ini file:

DebugWinSplitterPos=256

What am I doing wrong?

Thank you

Subject: Try programmatically smartcard-enabling the ID

I don’t know why you aren’t seeing any more information.

You might be able to acquire more information by using the SECManipulateSC C-API function to try to smartcard-enable an ID file. I’ve described how to do this before on this forum – here’s a link to one of those descriptions.

Date        #   Topic
10/10/2003  3   RE: Using two or more smartcard with smartcard enabled ID (Dave Kern)

Smartcard-enabling the ID file with a console C-API application will definitely result in a console to which the debugging information can be displayed.

Good luck,

dave