SmartCard

Hello,

Could anybody give me some information about using, installing, handling or links on SmartCards with Notes?

Is it possible to copy the notes.id to the smart card to identify the user on the server?

kind regards to any reply

andreas

Subject: The smartcard support in Notes/Domino is well documented

Check out the documentation and the release notes – this topic is thoroughly covered.

Smartcard support was introduced in Lotus Notes 6.

Notes Password on a Smartcard:

It is currently possible to lock an ID file such that a smartcard and smartcard PIN are required, instead of the Notes password. Removing the smartcard from the reader will then log the user out of Notes. This feature can be enabled through the following steps:

  1. Ensure that your ID file is recoverable via ID File Recovery, and that your ID file is not configured for password expiration in your person document on your server’s public directory.

  2. Install the smartcard reader hardware and software, following the instructions provided by the smartcard vendor.

  3. Open the User Security Panel (File → Security → User Security)

  4. Open the Your Identity // Your Smartcard Pane

  5. Enter the path or browse to the location of the PKCS #11 library, installed by the smartcard installation. Some sample paths and names are listed below:

    c:\WINNT\system32\gclib.dll (GemSAFE 3.1)

    c:\WINNT\system32\acpkcs201.dll (ActivCard Gold 2.2)

    c:\WINNT\system32\pk2priv.dll (GemSAFE 2.21)

    c:\Program Files\Netscape\Communicator\Program\acpkcs.dll

    c:\Schlumberger\Smart Cards and Terminals\Cyberflex Access Kits\v4\slbck.dll (Schlumberger Cyberflex Access V4.3)

    c:\Schlumberger\Smart Cards and Terminals\Common Files\slbck.dll (Schlumberger Cyberflex Access V2)

    c:\WINNT\system32\dkck201.dll (Rainbow iKey 2032)

    c:\WINNT\system32\dkck201.dll (Datakey CIP 4.07)

    c:\WINNT\system32\sadaptor.dll (Eutron SecIdentity CryptoKit 3.2.1)

  6. Click on the Enable Smartcard Login button to lock the ID file using a key stored on the smartcard instead of a password.

Internet Keys on a Smartcard:

It is currently possible to place an RSA private key from the ID file onto a smartcard and use that key to sign and decrypt S/MIME mail, and to authenticate to “Internet” servers using SSL client certificate authentication.

To place an RSA private key onto a smartcard:

  1. Open the User Security Panel (File → Security → User Security)

  2. Open the Your Identity // Your Certificates pane

  3. Select the Internet Certificate associated with the private key that you want to move to the smartcard.

  4. Select Other Actions // Store Private Key on Smartcard.

Tested Smartcard packages:

Smartcard functionality has only been tested under win32-based operating systems. Untested smartcards that include PKCS #11 libraries may work with Notes 6. The following smartcard packages have been tested, and indicated (*) packages have caveats listed below:

Smartcard Package                                   | Login with the token | Removing token will generate ‘F5’-style logout | 512-bit RSA keys on the token | 1024-bit RSA keys on the token
----------------------------------------------------+----------------------+------------------------------------------------+------------------------------+-------------------------------
ActivCard Gold 2.2                                  | yes                  | yes                                            | yes                          | yes
Datakey CIP 4.07                                    | yes                  | yes                                            | yes                          | yes
Eutron SecIdentity CryptoKit 3.2.1                  | yes                  | yes                                            | yes                          | yes
GemSAFE libraries 3.1 SP4 (GPK16000)                | yes                  | yes                                            | yes                          | yes
GemSAFE Enterprise Workstation 2.21 (GPK8000) (*)   | yes                  | no                                             | no                           | yes
GemSAFE Enterprise Workstation 2.0 (GPK4000) (*)    | yes                  | no                                             | no                           | yes
Rainbow iKey 2032 SDK v4.7.0                        | yes                  | yes                                            | yes                          | yes
Schlumberger Cyberflex Access SDK V4.3              | yes                  | yes                                            | no                           | yes
Schlumberger Cyberflex Access SDK V2                | yes                  | yes                                            | no                           | yes

Caveats and Warnings:

The only way to recover from losing or breaking a smartcard or to revert a smartcard-protected ID file to a password is through ID File Recovery. ID File Recovery should be configured for an ID file before the ID file is smartcard-enabled. Recovering a smartcard-protected ID file will revert the ID file to use a password and will restore any keys that were pushed onto the smartcard, as long as the recovery information was not changed after the key was pushed down to the smartcard.

Password expiration should be disabled in a user’s person record before they smartcard-enable their ID file.

Password checking will result in only a single smartcard being usable with a given ID file, even across multiple computers or platforms. In this scenario, one copy of the ID file should be smartcard-enabled, and then that version of the ID file should be copied to all of the other respective computers. That single smartcard will now be required for all of the copies of the ID file.

Many smartcard packages only support 1024-bit RSA keys. You can find the strength of a given key by selecting an Internet Certificate and pressing the Advanced Details button from the “Your Identity//Your Certificates” pane of the User Security Dialog (File//Security//User Security).

Server setup will not function with a smartcard-protected server ID. In order to use a smartcard-protected ID with a server, finish server setup with a password-protected version of the ID file, then add the path to the PKCS #11 library in the server’s notes.ini (PKCS11_Library=), and finally smartcard-enable the server’s ID file on a client using the steps indicated above.

Single Logon, which synchronizes the Notes and Windows passwords, cannot be used with a smartcard-protected ID file. You must restart Notes after disabling Single Logon before smartcard-enabling an ID file.

The format in which smartcard-related information is stored in the ID file has changed since the earliest beta releases of Notes 6. Using an ID file that was smartcard-enabled with one of these early beta releases will result in an “Incomplete or incorrect smartcard configuration” with Notes 6.

Notes uses version 2.01 of the PKCS #11 API to communicate with smartcards and other PKCS#11 devices. PKCS #11 libraries that only implement version 2.0 will not result in an “F5”-style logout when the card is removed from the reader. Updated libraries may be available from the smartcard vendors.

Version 2.2 is the required minimum version of ActivCard Gold supported for Notes 6.

GemSAFE 2.21’s NT Lock Workstation feature has been known to crash some versions of NT and deadlock with Notes. When installing GemSAFE 2.21, the NT lock workstation feature defaults to on. Un-check the box.

There may be problems when installing GemSAFE 2.21 on a laptop running NT 4.

Starting in Domino 6.0.4 and Domino 6.5.1, EM_GETPASSWORD extension manager callouts can be used to unlock smartcard-protected ID files by passing the cryptographic token’s PIN in through the extension manager instead of the password.

Domino/Notes 6.0.2 now supports the ability to import Internet keys stored on Smartcards by entities other than Notes. Since the private key, by definition, can never be extracted from the hardware device, the import mechanism consists of copying the X.509 certificate from the token, extracting the public key from the certificate, generating a “pointer” to the private key on the Smartcard, and then storing those three objects in the ID file so they can be found by, and used with, Notes.

In Notes/Domino 6.0, users could “push” one or more of the private keys associated with Internet certificates in their ID file onto a PKCS #11-compliant Smartcard or token, and then use the hardware-based cryptographic support in that token to sign and decrypt S/MIME mail and to perform SSL client certificate authentication to Web sites. This provided a much greater level of security than storing the private key in the ID file, as an intruder would then need to acquire a copy of the user’s ID file, physically steal the Smartcard or token, and learn the token’s PIN in order to use that key. Additionally, the loss of the token would prevent the actual user from logging into Notes and be brought to the immediate notice of an administrator, who could then take preventive measures to protect the system against the intruder. However, users and administrators were unable to import keys and certificates that were pre-loaded onto a Smartcard by entities other than Notes itself.

A new function call has been added to the Lotus C API Toolkit for Notes/Domino 6.0.2 to support this feature.

To import Internet certificates from a Smartcard

To support this feature, there is a new option in the User Security dialog.

Note: This option is only available to users who have a Smartcard reader installed on their PCs and whose Notes IDs have been Smartcard-enabled. Otherwise, it is not available for selection.

  1. Select File > Security > User Security.

  2. Click Your Identity > Your Certificates.

  3. Click “Get Certificates.” A drop-down list appears, listing different ways of importing certificates into the ID file.

  4. Select “Import Internet Certificate from a Smartcard.” This imports all available certificates from the current Smartcard.
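
As an added example (not from this post, the release notes, or Notes/Domino itself): a small Python probe that loads the vendor PKCS #11 library from step 5 through ctypes and reports the Cryptoki version it claims plus how many slots currently hold a token, so a 2.0-only library (no ‘F5’-style logout on card removal) can be told from one that meets the 2.01 minimum before an ID file is smartcard-enabled. The library path is the caller's argument; structure layouts follow the standard pkcs11.h, and the version encoding (v2.01 is minor=1, v2.10 is minor=10) is a known Cryptoki detail, not something on this page.

```python
import ctypes
import sys

# Cryptoki v2.01 is CK_VERSION {major=2, minor=1}; v2.10 would be {2, 10}, so compare as tuples.
NOTES_MIN_VERSION = (2, 1)
CKR_OK = 0
PACK = 1 if sys.platform == "win32" else 0  # the win32 pkcs11.h packs every structure to 1 byte
ULONG = ctypes.c_ulong  # CK_ULONG / CK_RV are "unsigned long" on both Windows and Unix

class CkVersion(ctypes.Structure):
    _pack_ = PACK
    _fields_ = [("major", ctypes.c_ubyte), ("minor", ctypes.c_ubyte)]

class CkInfo(ctypes.Structure):
    _pack_ = PACK
    _fields_ = [("cryptokiVersion", CkVersion), ("manufacturerID", ctypes.c_char * 32),
                ("flags", ULONG), ("libraryDescription", ctypes.c_char * 32),
                ("libraryVersion", CkVersion)]

class CkFunctionList(ctypes.Structure):
    # Leading entries of CK_FUNCTION_LIST, in the order pkcs11f.h declares them.
    _pack_ = PACK
    _fields_ = [("version", CkVersion),
                ("C_Initialize", ctypes.CFUNCTYPE(ULONG, ctypes.c_void_p)),
                ("C_Finalize", ctypes.CFUNCTYPE(ULONG, ctypes.c_void_p)),
                ("C_GetInfo", ctypes.CFUNCTYPE(ULONG, ctypes.POINTER(CkInfo))),
                ("C_GetFunctionList", ctypes.c_void_p),
                ("C_GetSlotList", ctypes.CFUNCTYPE(ULONG, ctypes.c_ubyte, ctypes.POINTER(ULONG),
                                                   ctypes.POINTER(ULONG)))]

def meets_notes_minimum(version) -> bool:
    """True when the library's (major, minor) is at least v2.01, the API level Notes 6 uses."""
    return tuple(version) >= NOTES_MIN_VERSION

def probe(path: str) -> dict:
    """Load a vendor PKCS #11 library and report what Notes would see from it."""
    try:
        lib = ctypes.CDLL(path)
    except OSError as exc:
        return {"error": f"cannot load {path}: {exc}"}
    lib.C_GetFunctionList.restype = ULONG
    lib.C_GetFunctionList.argtypes = [ctypes.POINTER(ctypes.POINTER(CkFunctionList))]
    fl = ctypes.POINTER(CkFunctionList)()
    if lib.C_GetFunctionList(ctypes.byref(fl)) != CKR_OK or fl.contents.C_Initialize(None) != CKR_OK:
        return {"error": "C_GetFunctionList or C_Initialize failed"}
    info = CkInfo()
    fl.contents.C_GetInfo(ctypes.byref(info))
    present = ULONG(0)  # tokenPresent=1 with a NULL list only asks how many slots hold a token
    fl.contents.C_GetSlotList(1, None, ctypes.byref(present))
    fl.contents.C_Finalize(None)
    version = (info.cryptokiVersion.major, info.cryptokiVersion.minor)
    return {"library": info.libraryDescription.decode(errors="replace").strip(),
            "cryptoki_version": version, "notes_minimum_met": meets_notes_minimum(version),
            "slots_with_token": present.value}
```

Run it on the workstation as `probe(r"c:\WINNT\system32\gclib.dll")` (or whichever path step 5 points at); a result with `notes_minimum_met` false explains a missing logout on card removal before anything else is changed.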

Subject: SmartCard

It depends on the software and the general setup. I worked at a place where SmartCards were used, utilising Utimaco software for the single-login stuff. We did not copy the UserID to the card; rather the password and the http password were on the card.

Thus, when the user logged into Notes client, or a secure Domino intranet web page, Utimaco filled in their password for them.

Also, the users could not change their password because they didn’t know them - the passwords were randomly generated alphanumeric strings.

The biggest problem we faced was that people regularly forgot their SmartCard, and we then had to create a new one, but in terms of use with Notes it had no real bearing, except that SSL with Domino caused a few issues.