keyon / PKCS#11 to MS-CAPI Bridge User Guide V2.4


/ PKCS#11 to MS-CAPI Bridge V2.4 April 2017

Copyright 2017 by AG. All rights reserved. No part of the contents of this manual may be reproduced or transmitted in any form or by any means without the written permission of the publisher.

Trademark Notice
is a registered trademark of AG in Switzerland and/or other countries. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Mozilla, mozilla.org, Firefox, Thunderbird, Bugzilla, Camino, Sunbird, Seamonkey, Foxkeh and XUL are either registered trademarks or trademarks of the Mozilla Foundation in the United States and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.

Table of Contents

Overview
  What is the /?
  Key Features
Changelog
  Version 2.4.4
Installation
Restartless extension
  Compatibility
  Extension Properties
  Installing the XPI package
  Installing the exploded package
Manual installation (GUI)
  Compatibility
  Installing the PKCS#11 libraries in Mozilla Firefox
  Uninstalling the PKCS#11 libraries in Mozilla Firefox
Manual installation (modutil)
  Compatibility
CAPI Credential Usage
  Soft Tokens
  Smart Cards and other tokens
  Behavior if the certificate and / or key is deleted
  Behavior if the Workstation is locked
View available CAPI certificates
  User certificates from the Microsoft Certificate Store
  Trusted CA certificates from the Microsoft Certificate Store
Licensing
  Evaluation nag screen
  Entering the license string obtained from the vendor
  Checking the licensee and license type
  Deploying the license in an enterprise environment
    Deploy the license for specific users
    Deploy the license for all users of a machine
  License restrictions
  License options
Reference
  Links

Overview

What is the /?

/ is a DLL that exposes the credentials held in the Microsoft Certificate Store as virtual tokens through the PKCS#11 (Cryptoki) API. Applications such as Mozilla Firefox can thus use certificates and keys that live in the Microsoft Certificate Store and are usable through the Microsoft CryptoAPI. Please note that beginning with version 2.4 the product was renamed from "/ MS-CAPI Bridge for Mozilla NSS" to "/" in order to comply with Mozilla trademark policies.

Key Features

- Provides access to keys and certificates in the user's certificate store (MY) for client authentication and secure mail.
- Supports RSA keys managed by the standard Crypto API (CAPI) and by the Crypto API Next Generation (CNG).
- Supports both soft tokens and Smart Cards. As long as the key is usable through the Microsoft CryptoAPI, it can be used from Mozilla NSS based applications. To support a Smart Card, only a cryptographic service provider for Windows is necessary. If a PIN is required to use a credential, the PIN entry dialog of the Microsoft CryptoAPI is used.
- Supports SSO if the underlying Smart Card middleware in the CryptoAPI supports it.
- Certificates are added to and removed from the virtual token as soon as they are added to or removed from the Microsoft Certificate Store. There is no need to restart the application when new certificates become available.
- Access to credentials in the Microsoft Certificate Store is read-only, i.e. it is not possible to accidentally delete certificates or keys, e.g. from within Mozilla Firefox.
- Provides access to certificates in the user's trust stores (Root, CA, TrustedPublisher and, for CA certificates, MY), allowing easy deployment of trusted CAs through group policy.

Changelog

Version 2.4.4

- Renamed the extension to / to comply with the Mozilla trademark policy.
- CA certificates in the user's MY store are now added to the trusted certificates.
- Some minor bug fixes in the PKCS#11 implementation.
- Flagged the extension as compatible with multiprocess Firefox.
- Fixed a problem with the PKCS#11 module not being unloaded when updating the extension.

Installation

The bridge can be installed either as an extension in XPI form (for download) or in exploded form for installation in the file system. The PKCS#11 DLLs can also be installed manually by registering them as security modules through the GUI or in the security module database. The following installation types are supported:

Type: Restartless extension
Compatibility: Firefox 4.0 and higher; Thunderbird 3.3 or higher; Seamonkey 2.1 or higher
Features: The add-on can be installed and removed without restarting the application. It is also possible to disable and enable the plugin at runtime.

Type: Manual installation (GUI)
Compatibility: Any Firefox version; any Thunderbird version; any Seamonkey version
Features: Needs manual registration of the PKCS#11 ("cryptoki") DLLs in the application or in the module database.

Type: Manual installation (modutil)
Compatibility: Any Firefox version; any Thunderbird version; any Seamonkey version
Features: Needs manual registration of the PKCS#11 ("cryptoki") DLLs in the module database. Can also be used for manual registration in the NSS3 module database and for some other applications that use PKCS#11.

Please make sure you do not use different installation types concurrently in the same application.

Restartless extension

Compatibility

Application: Firefox, version requirement 4.0 and higher
Application: Thunderbird, version requirement 3.3 or higher
Application: Seamonkey, version requirement 2.1 or higher

Extension Properties

Extension ID: capi-bridge@.ch
Supports disable / enable: Yes, without restart
Restart required after installation / removal: No

Installing the XPI package

The XPI package can be installed by downloading the XPI or by dragging and dropping the XPI file onto Mozilla Firefox. The XPI is signed by Mozilla; however, it is not available from the addons.mozilla.org web site, so you have to explicitly allow the download. Because the extension loads a native PKCS#11 DLL into the browser process, obtain the XPI only from the vendor's site over HTTPS:

After confirming the installation, the functionality is available immediately and the Add-on Manager shows the installed package: Clicking "More" shows some additional information: The extension supports automatic updates. The update site is located at https://www..ch/update/mozilla/capi-bridge/

The extension can be disabled in the Add-on Manager, which immediately removes the PKCS#11 library. Certificates and keys in the Microsoft Certificate Store are no longer available while the extension is disabled:

The extension can be removed in the Add-on Manager, which immediately removes the PKCS#11 library. Certificates and keys in the Microsoft Certificate Store are no longer available:

Installing the exploded package

The exploded package can be installed directly in the file system. Please check the Mozilla documentation to learn in which locations to install the exploded extension, as they differ depending on the version and deployment scenario (e.g. per user or for all users): https://developer.mozilla.org/en/docs/installing_extensions

Unlike an installation from the XPI package, exploded extensions cannot be removed from within Mozilla Firefox by the user: Clicking "More" shows some additional information:

However, it is possible to disable the extension, which immediately removes the PKCS#11 library. Certificates and keys in the Microsoft Certificate Store are no longer available:

Removing the extension from the file system does not properly uninstall it. If the exploded package directory is removed, the PKCS#11 library may still show up in the configuration; however, this should not have any negative effect on the application itself:

Including the extension with your distribution of Firefox

Please consult the documentation of the Mozilla Developer Network to learn about other deployment options: https://developer.mozilla.org/en-us/docs/developer_guide/customizing_firefox

Manual installation (GUI)

Compatibility

Application: Firefox, version requirement 1.0 or higher
Application: Thunderbird, version requirement 1.0 or higher
Application: Seamonkey, version requirement 1.0 or higher
Application: Other. Applications based on NSS should be able to use the PKCS#11 library. Other applications capable of using a 32-bit DLL implementing the PKCS#11 API v2.20 may work as well. Note that a process can only load a DLL of its own bitness, so a 64-bit application cannot load the 32-bit library.

Installing the PKCS#11 libraries in Mozilla Firefox

1. Store the p11capi.dll (user certificates) and roots.dll (CA certificates) files in an appropriate location on the file system.
2. Select Options from the menu:

3. In the options dialog, select Advanced and then the Certificates tab:
4. Click the Security Devices button:
5. Click Load, select the p11capi.dll along with the desired module name and click OK:

6. Click Load, select the roots.dll along with the desired module name and click OK:

Uninstalling the PKCS#11 libraries in Mozilla Firefox

To remove the modules, open the Security Devices configuration, select the module and click Unload.

Manual installation (modutil)

Compatibility

Application: Firefox, version requirement 1.0 or higher
Application: Thunderbird, version requirement 1.0 or higher
Application: Seamonkey, version requirement 1.0 or higher
Application: Other. Applications based on NSS should be able to use the PKCS#11 library.

Please consult the Mozilla Developer Network to learn how to use the modutil command line utility to update the module database so that it loads the DLLs. Using the Security Module Database (modutil): https://developer.mozilla.org/en/docs/nss/tools/nss_tools_modutil
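The following PowerShell script is an added example of the modutil registration described above; it is not part of the vendor's guide and not the vendor's tooling. It assumes that modutil.exe from an NSS tools build is available at the hypothetical path in $ModUtil (modutil is not shipped with Firefox), that the two DLLs were unpacked to the hypothetical directory in $DllDir, that the target Firefox profile uses the sql: (pkcs11.txt) module database format, and that modutil, the DLLs and Firefox are all of the same bitness. The module names are chosen here for readability and can be anything.

```powershell
# Added example, not part of the vendor's guide: register the bridge's two
# PKCS#11 DLLs in a Firefox profile with the NSS modutil tool, then verify.
$ModUtil = 'C:\Tools\nss\modutil.exe'              # hypothetical location
$DllDir  = 'C:\Program Files (x86)\CAPI-Bridge'    # hypothetical location

# Pick the default profile; point $Profile at a named profile for roll-outs.
$Profile = Get-ChildItem -Path "$env:APPDATA\Mozilla\Firefox\Profiles" -Directory |
           Where-Object { $_.Name -like '*.default*' } | Select-Object -First 1
if (-not $Profile) { throw 'No Firefox profile found under %APPDATA%' }

# modutil rewrites the module database; Firefox must not have it open.
if (Get-Process -Name firefox -ErrorAction SilentlyContinue) {
    throw 'Close Firefox before changing its security module database'
}
$DbDir = "sql:$($Profile.FullName)"

$modules = @(
    @{ Name = 'MS-CAPI Bridge (MY)';   Dll = 'p11capi.dll' },   # user certificates
    @{ Name = 'MS-CAPI Bridge (Root)'; Dll = 'roots.dll'   }    # CA certificates
)
foreach ($m in $modules) {
    $lib = Join-Path -Path $DllDir -ChildPath $m.Dll
    if (-not (Test-Path -Path $lib)) { throw "Missing $lib" }
    # -force skips modutil's interactive confirmation; drop it to be prompted.
    # modutil loads the DLL to validate it, so a bitness mismatch fails here.
    & $ModUtil -dbdir $DbDir -add $m.Name -libfile $lib -force
    if ($LASTEXITCODE -ne 0) { throw "modutil could not add $($m.Dll)" }
}

# Verify: both module names must be listed together with their slots/tokens.
& $ModUtil -dbdir $DbDir -list

# To undo, e.g. before switching to the XPI installation type (the guide says
# installation types must not be combined in the same application):
#   & $ModUtil -dbdir $DbDir -delete 'MS-CAPI Bridge (MY)'   -force
#   & $ModUtil -dbdir $DbDir -delete 'MS-CAPI Bridge (Root)' -force
```

Run the script once per profile that should see the CAPI credentials. Start Firefox afterwards and confirm in Security Devices that both modules show a token; if a module is listed without a token, the DLL was registered but could not be loaded at runtime, which is typically a path or bitness problem.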

CAPI Credential Usage

Depending on the type of CAPI credential, different dialogs may be shown when a key is used through the bridge. No CAPI dialogs are shown unless a key is actually used for a cryptographic operation.

Soft Tokens

Soft tokens usually do not require the entry of a password or any other confirmation when used for cryptographic operations. However, if strong private key protection was specified when the key was generated or imported, the following dialogs may show up once per process lifetime when such a key is used for a cryptographic operation:

Security level medium:

Security level high:

Selecting "Deny permission" or clicking Cancel leads to a PKCS#11 error, as the key cannot be used for cryptographic operations:

Smart Cards and other tokens

Smart Cards usually require the user to enter a PIN, unless the middleware or the Smart Card implements some sort of Single Sign On functionality. Unlike with strongly protected soft tokens, the Smart Card or its middleware defines whether a PIN must be entered only once per process lifetime or for each cryptographic operation:

Clicking Cancel leads to a PKCS#11 error, as the key cannot be used for cryptographic operations:

If the Smart Card for the selected certificate is not available, the following dialog may be shown:

This dialog may not be tied to the application window as a child window. This is due to a bug in Windows, which does not pass the window handle on to the Smart Card subsystem, unlike for CAPI dialogs, which are tied to the application window. The "Insert Smart Card" dialog may therefore pop up behind the application window, making the application look unresponsive while it waits for the dialog to be answered. If the correct Smart Card is inserted, the OK button becomes active but must still be clicked by the user to continue:

Cancelling this dialog leads to the following PKCS#11 error:

Behavior if the certificate and / or key is deleted

If a certificate or key in use, e.g. for an open SSL connection, is no longer present in the Microsoft Certificate Store, e.g. because the Smart Card was removed and the certificate was deleted from the store in the process, the following error is shown:

Behavior if the Workstation is locked

If the Workstation is locked, cryptographic operations are only performed silently, i.e. CAPI is not allowed to show dialogs. This behavior is implemented to prevent PIN dialogs for Smart Cards from being displayed while the screen is locked. Some middleware implementations do not allow concurrent logins while a PIN dialog is shown; using a Smart Card to unlock the Workstation may then not be possible, effectively locking the user out.

View available CAPI certificates

Start the Firefox Certificate Manager by selecting Options > Advanced > Certificates > View Certificates:

User certificates from the Microsoft Certificate Store

User certificates from the Microsoft Certificate Store (current user) show up under the Security Device "MY" in the Certificate Manager:

You cannot delete certificates and keys that are stored in the Microsoft Certificate Store. This behavior is intentional and prevents the unintentional deletion of credentials managed by the Microsoft CryptoAPI.

You cannot back up certificates and keys that are stored in the Microsoft Certificate Store. The bridge only supports the use of keys through the CryptoAPI, not their export, which in the case of a Smart Card is impossible anyway.

User certificates from the Microsoft Certificate Store always carry the prefix "MY:" in the selection dialog to distinguish them from non-CAPI certificates and keys:

Trusted CA certificates from the Microsoft Certificate Store

CA certificates from the Microsoft Certificate Store (current user) show up under the Security Device "Root", "CA" or "TrustedPublisher" (according to their Microsoft Certificate Store origin) in the Certificate Manager:

If a certificate is also present in the Mozilla CA database, it always shows up under the "Builtin Object Token", regardless of whether it is present in the Microsoft Certificate Store as well. The allowed usage of a CA certificate (i.e. its trust settings) is set according to the extended key usage of the certificate.
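To check what the two virtual tokens will offer before the Firefox Certificate Manager is even opened, the PowerShell script below reads the current user's Microsoft Certificate Store directly. It is an added example covering both the Key Features list (CAPI and CNG RSA keys, soft tokens and Smart Cards) and the two store listings above; it is not part of the vendor's guide and does not use the bridge DLLs. It assumes Windows PowerShell 5.1 on .NET Framework 4.6 or later, or PowerShell 7 on Windows; the Smart Card detection for CNG keys is a name-based heuristic, and the output column names are this example's own.

```powershell
# Added example, not part of the vendor's guide: list what the "MY:" token
# and the trust-store token would expose, straight from the certificate store.

# Certificates the "MY:" token can offer. Only entries with a private key are
# useful for client authentication or S/MIME, and the bridge lists RSA keys.
function Get-BridgeUserCerts {
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey } |
        ForEach-Object {
            $cert = $_
            $api = 'unknown'; $provider = 'n/a'; $hardware = $false
            try {
                # CAPI keys come back as RSACryptoServiceProvider, CNG keys as RSACng.
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    $api      = 'CAPI'
                    $provider = $rsa.CspKeyContainerInfo.ProviderName
                    $hardware = $rsa.CspKeyContainerInfo.HardwareDevice
                } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
                    $api      = 'CNG'
                    $provider = $rsa.Key.Provider.Provider
                    $hardware = $provider -like '*Smart Card*'   # heuristic on the KSP name
                } elseif ($null -eq $rsa) {
                    $api = 'non-RSA'   # e.g. an ECDSA key; not offered by the bridge
                }
            } catch {
                # Typical for a Smart Card that is not inserted: the key handle
                # cannot be opened without the card. Report it and move on.
                $api = "unavailable ($($_.Exception.Message))"
            }
            # Without an EKU extension a certificate is unrestricted; with one,
            # check for client authentication and secure e-mail explicitly.
            $hasEku = $null -ne ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' })
            $eku    = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
            [pscustomobject]@{
                Token       = 'MY:'
                Subject     = $cert.Subject
                Thumbprint  = $cert.Thumbprint
                KeyApi      = $api
                Provider    = $provider
                Hardware    = $hardware
                ClientAuth  = (-not $hasEku) -or ($eku -contains '1.3.6.1.5.5.7.3.2')
                SecureEmail = (-not $hasEku) -or ($eku -contains '1.3.6.1.5.5.7.3.4')
                NotAfter    = $cert.NotAfter
            }
        }
}

# Certificates the trust-store token can offer, tagged with their origin store.
# Since version 2.4.4 CA certificates found in MY are added as well, so MY is
# scanned too but only entries with BasicConstraints CA=true are kept from it.
function Get-BridgeTrustCerts {
    foreach ($store in 'Root', 'CA', 'TrustedPublisher', 'My') {
        Get-ChildItem -Path "Cert:\CurrentUser\$store" | ForEach-Object {
            $bc = $_.Extensions |
                  Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] } |
                  Select-Object -First 1
            $isCa = ($null -ne $bc) -and $bc.CertificateAuthority
            if ($store -ne 'My' -or $isCa) {
                [pscustomobject]@{
                    Token      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    IsCA       = $isCa
                    NotAfter   = $_.NotAfter
                }
            }
        }
    }
}

Get-BridgeUserCerts  | Format-Table Subject, KeyApi, Provider, Hardware, ClientAuth, SecureEmail -AutoSize
Get-BridgeTrustCerts | Format-Table Token, Subject, IsCA, NotAfter -AutoSize
```

A certificate that appears here with KeyApi "CAPI" or "CNG" and ClientAuth true should show up as "MY:" in the Firefox selection dialog once the bridge is loaded; an entry reported as "unavailable" will only appear after the corresponding Smart Card is inserted. The trust listing is also a useful audit of what group policy has pushed into the user's Root and CA stores, since all of it becomes trusted in Firefox through the bridge.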

Licensing

Evaluation nag screen

Unless you purchase and install a license, the bridge shows a nag screen when a cryptographic operation with a certificate provided by the MS-CAPI Bridge is attempted:

The nag screen locks your browser window and can only be closed after some time has passed. The wait time increases over time to encourage you to purchase a license. The nag screen is only shown if you actually try to use the private key associated with a certificate provided through the MS-CAPI Bridge, and only once per browser session.

Entering the license string obtained from the vendor

You can enter the license string directly in the nag screen by clicking "Enter License" and pasting the license string:

After clicking Activate, the licensee and the license type are shown if the license is validated successfully.

Checking the licensee and license type

The licensee and the license type are available in the description of the PKCS#11 token:

Deploying the license in an enterprise environment

If you need to deploy a license for multiple users or computers, you can simply create a registry entry with the license string, e.g. using Group Policy or your software deployment system.

Deploy the license for specific users

Store the license string in the following registry location:

[HKEY_CURRENT_USER\Software\\capi-bridge]
"License"="vHvH3vGlbm18wi0DNHm...BggEB"

Deploy the license for all users of a machine

Store the license string in the following registry location:

[HKEY_LOCAL_MACHINE\Software\\capi-bridge]
"License"="vHvH3vGlbm18wi0DNHm...BggEB"
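The following PowerShell function is an added example of the registry deployment described above; it is not part of the vendor's guide. The guide prints the registry key as Software\\capi-bridge with the vendor segment elided, so the function takes the vendor segment as a parameter ($VendorKey, placeholder value 'VENDOR') that must be replaced with the exact key from your license documentation. The license value in the usage line is the guide's own truncated sample, not a working license.

```powershell
# Added example, not part of the vendor's guide: write the license string to
# the registry for one user (HKCU) or for the whole machine (HKLM) and read it
# back so that a deployment script can verify the result.
function Set-BridgeLicense {
    param(
        [Parameter(Mandatory)] [string] $License,           # license string from the vendor
        [ValidateSet('CurrentUser', 'LocalMachine')]
        [string] $Scope = 'CurrentUser',
        [string] $VendorKey = 'VENDOR'                       # placeholder: vendor segment elided in the guide
    )
    $hive = if ($Scope -eq 'CurrentUser') { 'HKCU:' } else { 'HKLM:' }
    $path = "$hive\Software\$VendorKey\capi-bridge"

    # Writing under HKLM needs an elevated shell; fail early with a clear message.
    if ($Scope -eq 'LocalMachine') {
        $id    = [Security.Principal.WindowsIdentity]::GetCurrent()
        $admin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
                     [Security.Principal.WindowsBuiltInRole]::Administrator)
        if (-not $admin) { throw 'Machine-wide deployment requires an elevated PowerShell' }
    }

    if (-not (Test-Path -Path $path)) { New-Item -Path $path -Force | Out-Null }
    # REG_SZ value named "License", exactly as the guide's .reg fragment shows.
    New-ItemProperty -Path $path -Name 'License' -Value $License -PropertyType String -Force | Out-Null

    # Return what the bridge will read.
    (Get-ItemProperty -Path $path -Name 'License').License
}

# Usage (sample value taken from the guide; it is truncated and not a real license):
# Set-BridgeLicense -License 'vHvH3vGlbm18wi0DNHm...BggEB' -Scope CurrentUser -VendorKey 'VENDOR'
```

For a Group Policy roll-out the same value can be pushed with a Group Policy Preferences registry item or a .reg file carrying the fragment shown above. Because a license may be restricted to specific users, hosts or domains (see License restrictions below), verify the deployment with an account that is on the allowed list: the nag screen reappears if the restriction does not match, even though the registry value is present.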

License restrictions

Depending on the kind of license acquired, the license may be subject to one or more of the following restrictions:

Expiration date: If you want to evaluate the product without the evaluation nag screen, the vendor can provide you with a time-limited evaluation license. While the license has not yet expired, no nag screen is shown.
User: The license may be restricted to one or more Windows user names. The nag screen is shown if the current Windows user is not in the list of allowed users.
Host: The license may be restricted to one or more Windows computers. The nag screen is shown if the current computer is not in the list of allowed computers.
Domain: The license may be restricted to one or more Windows Active Directory domains. The nag screen is shown if the current computer is not a member of one of the allowed domains.

License options

Depending on the options requested when ordering the license, the license may restrict some features of the bridge:

Disable MY (trust only): Do not make the user's certificates available. With this option set, only the ROOT, CA and TrustedPublisher certificates are available through the PKCS#11 library.
Disable ROOT (user certificates only): Do not make the ROOT, CA and TrustedPublisher certificates available. With this option set, only the user's certificates are available through the PKCS#11 library.

Reference

Links

Mozilla PKCS#11: https://developer.mozilla.org/en-US/docs/PKCS11_Module_Installation
Mozilla PKCS#11 FAQ: https://developer.mozilla.org/en/docs/pkcs11_faq