Smart Card support

What you need to know

This document relates to deployment with a standalone Terminal Professional.


About Smart Card solution

The YSoft SafeQ4 Smart Card solution delivers an advanced level of security for the sensitive information of private and governmental organizations. With the smart card solution, organizations can restrict access to the MFP's walk-up features, ensuring that only authorized users copy, scan, email and fax information.
Among the most important benefits are two-factor identification and user authentication via industry-standard means. Users must insert their access card and enter a unique PIN at the device, providing added security in the event that a card is lost or stolen. The system validates the revocation status of all certificates (KDC and user) using the Online Certificate Status Protocol (OCSP).

YSoft SafeQ® Smart Card Solution complies with USA Homeland Security Presidential Directive (HSPD-12) and Federal Information Processing Standards (FIPS-201) for Common Access Card (CAC) and Personal Identity Verification (PIV) requirements.

There are three simple authentication steps for a user:

  1. The user's ID badge is inserted into the reader.

  2. The user's corresponding PIN is entered using the keyboard on the touch screen of the MFP or External Terminal (see Smart Card solution options).

  3. After user access is authorized and granted, the MFP panel touch screen is unlocked, allowing access to device features.

  4. Once validated, the user is logged into the MFP for all walk-up features:

    • Print Roaming and enterprise-wide print roaming; access all printed documents and release them securely at the printer. Selecting individual print jobs, deleting them prior to printing, or re-printing already printed jobs are also among the options available to the user.

    • Access to walk-up copying, scanning and faxing; only authenticated and authorized users can work with the device. YSoft SafeQ provides a complete and detailed audit log of all user actions.

    • Secure workflow scanning; using the YSoft SafeQ Scanning workflow feature, users are able to securely scan their documents into their home folders or directly into their email. The system ensures that the scan is delivered only to secured and approved locations.

Pre-requisites

YSoft SafeQ® Smart Card solution requires the following components:

  1. YSoft SafeQ4 version 4.0-SR2 or newer

  2. Compatible Smart Card infrastructure, including configured Active Directory and Kerberos v5

    • Terminal Professional can act as a standalone terminal or as a smart card reader for an embedded terminal. In both cases, the configuration at the Terminal Professional is the same.

    • Unless you require No-PIN (unauthenticated) communication, the Smart Card solution ALWAYS requires the user to enter the PIN code that is stored on the smart card.

To proceed with the configuration, you need to have:

  • Working, supported smart cards (with valid certificates)

  • Working Kerberos (v5) server (e.g. Windows 2003/2008 Active Directory with a Certificate Authority, or MIT Kerberos v5)

  • List of REALM names (typically domains) and KERBEROS server IP addresses (typically domain servers)

  • Basic understanding of certificates and of how to obtain the issuer certificates for your REALMS (domains)

  • Root certificate or Issuing Authority certificate for the users' certificates (that is, the issuer certificate of the certificates on the smart cards)

    • If you don't know how to get this one, find a user's certificate (e.g. in MS Internet Explorer), view the certificate path in the certificate properties and export the top-level certificate from the path.

    • Check http://support.microsoft.com/kb/179380 for more information about exporting certificates.

Installation

Assuming an installed YSoft SafeQ 5 server, continue with:

  1. Make sure that the Terminal Professional has a properly configured smart card reader (when you insert a smart card, the terminal asks for the PIN code).

  2. Add the device to SafeQ and configure the terminal. If you want to use the terminal as a Network Reader for the embedded solution, ONLY use the terminal SN as the network card reader SN. Warning: do not change any settings (e.g. ports) on the Terminal Professional!

  3. Get the certificate from AD (the issuer of the users' certificates) for each domain in DER-encoded binary X.509 format (.CER).

  4. Import the certificates into the SafeQ truststore (%SAFEQ_HOME%/conf/ssl-truststore). The keystore password is in wrapper.conf; see the javax.net.ssl.keyStorePassword attribute.

    Keytool example (run from %SAFEQ_HOME%; keytool prompts for the truststore password noted above):

    java\bin\keytool -importcert -keystore conf\ssl-truststore -file cert.crt -alias CA-00X

  5. Update %SAFEQ_HOME%/conf/krb5.conf

    • set default_realm to your realm (typically the uppercase form of your domain; replace YSOFT.LOCAL in the following example with your domain)

      • Warning: if you mis-configure the realm, YSoft SafeQ reports the following error in the log file (cml.log): LoginException: Cannot get kdc for realm <REALM NAME>.

    • set default_tkt_enctypes to des-cbc-md5 or aes128-cts-hmac-sha1-96, depending on the system you are using (for Windows Server 2008 R2 and newer use aes128-cts-hmac-sha1-96, otherwise use des-cbc-md5); see the supported algorithms

    • if you have only one domain, keep only one record in the [realms] section; otherwise create a record for every domain you have, following this example

    • example of krb5.conf:

      [libdefaults]
      default_realm = YSOFT.LOCAL
      default_tkt_enctypes = des-cbc-md5 aes128-cts-hmac-sha1-96
      allow_weak_crypto = yes
      [realms]
      YSOFT.TEST = {
      kdc = 10.0.10.40
      admin_server = 10.0.10.40
      }
      YSOFT.LOCAL = {
      kdc = kdc1.ysoft.local
      kdc = kdc2.ysoft.local
      admin_server = kdc.ysoft.local
      }

  6. Make sure that the smartCardAuthValidateCertificates option in the EXPERT configuration of SafeQ is set to TRUE.

  7. Copy %SAFEQ_HOME%/conf/ssl-truststore and %SAFEQ_HOME%/conf/krb5.conf to the other servers in the cluster (in case all servers are to have the same settings).
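As an added check that is not part of the original page or of YSoft SafeQ, the following Python script parses a krb5.conf in the shape shown above and reports the two pitfalls the steps describe: a default_realm with no [realms] entry (the state behind the "Cannot get kdc for realm" error) and the weak single-DES or RC4 enctypes left enabled (des-cbc-md5 only works with allow_weak_crypto = yes, so both are flagged). The embedded sample is constructed from the example above; the WEAK set and the finding strings are my own.

```python
import re
# Constructed sample, modelled on the krb5.conf example above (not the project's own file).
SAMPLE_KRB5 = """[libdefaults]
default_realm = YSOFT.LOCAL
default_tkt_enctypes = des-cbc-md5 aes128-cts-hmac-sha1-96
allow_weak_crypto = yes
[realms]
YSOFT.LOCAL = {
kdc = kdc1.ysoft.local
}
"""
WEAK = {"des-cbc-md5", "des-cbc-crc", "rc4-hmac"}   # single-DES and RC4 enctypes

def parse_krb5(text):
    """Return ([libdefaults] as a dict, {realm: [kdc, ...]}) from krb5.conf text."""
    libdefaults, realms, section, realm = {}, {}, None, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):       # [libdefaults], [realms], ...
            section, realm = m.group(1), None
        elif section == "realms":
            if m := re.fullmatch(r"([\w.\-]+)\s*=\s*\{", line):   # REALM = {
                realm = m.group(1)
                realms[realm] = []
            elif line == "}":
                realm = None
            elif realm and line.split("=", 1)[0].strip() == "kdc":
                realms[realm].append(line.split("=", 1)[1].strip())
        elif section == "libdefaults" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            libdefaults[key] = value
    return libdefaults, realms

def check_krb5(text):
    """Return a list of findings; an empty list means the config passes both checks."""
    libdefaults, realms = parse_krb5(text)
    findings = []
    default_realm = libdefaults.get("default_realm")
    if not default_realm:
        findings.append("no default_realm in [libdefaults]")
    elif not realms.get(default_realm):      # what "Cannot get kdc for realm" reports
        findings.append(f"no kdc for default_realm {default_realm}")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        for enc in libdefaults.get(key, "").split():
            if enc in WEAK:
                findings.append(f"{key} enables weak enctype {enc}")
    if libdefaults.get("allow_weak_crypto") == "yes":
        findings.append("allow_weak_crypto = yes")
    return findings
```

Run check_krb5 on the real %SAFEQ_HOME%/conf/krb5.conf before restarting the service; an empty result means the default realm resolves to a KDC and no weak enctype is enabled.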

Configuration

Warning: do not change the configuration unless you are fully aware of what you are changing and why.
The only exceptions may be:

  • the smartCardAuthValidateCertificates property, which MUST be enabled

  • kerberos-allow-aes if you use a Windows 2000/2003 Domain Server: that server doesn't support AES, so it is necessary to disable its use via the config value kerberos-allow-aes=false (see http://technet.microsoft.com/en-us/library/cc749438(WS.10).aspx)

  • When your DC is running at the "Windows 2003 Server Forest Functional Level" or you are using a Windows 2003 Domain Server, it will not accept a TGT with AES256 encryption. AES256 is only supported when the DC is running at the "Windows 2008 Server Forest Functional Level".

    • edit krb5.conf and replace the line default_tkt_enctypes with the following two lines:

      • default_tkt_enctypes = rc4-hmac

      • default_tgs_enctypes = rc4-hmac

    • in the Expert configuration, remove all AES256-related options from the configuration option smartCardAuthSupportedSignMethods

Configuration keys, grouped by area (default value in parentheses, followed by the description):

Behavior

  • smartCardAuthSimpleMode (default: false): use the smart card number for authentication (card assignment is based on the certificate and Kerberos authentication)

  • smartCardAssignmentWithoutKerberos (default: false): works only when the smartCardAuthSimpleMode property is true; disables Kerberos authentication for card assignment, and information from the public part of the certificate is used for user matching

Features

  • smartCardAuthSupportedSignMethods (default: SHA1_RSA_PKCS_PSS,SHA1_RSA_PKCS,SHA256_RSA_PKCS_PSS,SHA256_RSA_PKCS): supported sign methods

  • smartCardAuthValidateCertificates (default: false): WARNING: this value must be switched to true

Storage of private data

  • smartCardAuthKeyId

  • smartCardAuthKeyName

  • smartCardAuthCertId

  • smartCardAuthCertName

  • smartCardAuthReqPinId

  • smartCardAuthReqPinName

    (no default value or description is given for the six keys above)

  • smartCardAuthCertificateUserIdSearch (default: ALTNAME=1.3.6.1.4.1.311.20.2.3,ALTNAME=1.3.6.1.5.2.2,SUBJECTDN=UID): list of possible locations of the user (principal) name on the certificate

    • SUBJECTDN=x searches for the string x in the certificate subjectDN

    • ALTNAME=oid searches for oid in the alternative names

    • EXTENSION=oid searches for a DERString in the extensions (e.g. EXTENSION=2.5.29.35)

Only for debug purposes (not part of the web configuration)

  • smartCardTestMode (default: false): test the certificate signature without Kerberos

  • kerberos-debug (default: false): more debug information for Kerberos communication
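As an added illustration of the smartCardAuthCertificateUserIdSearch semantics (example code, not SafeQ's own), this Python script walks the search entries in the configured order, resolving ALTNAME entries against the otherName values of a DER-encoded SubjectAltName and SUBJECTDN entries against a subject DN that is assumed to be already parsed into an attribute dict. The EXTENSION form and the KRB5PrincipalName structure behind 1.3.6.1.5.2.2 are not decoded; the SAN bytes are constructed inline with a small DER encoder, and the user values are made up.

```python
def tlv(tag, body):                          # DER TLV encoder, used to build the sample
    ln = bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])
    return bytes([tag]) + ln + body

def children(body):                          # body of a constructed value -> [(tag, value)]
    i, out = 0, []
    while i < len(body):
        tag, ln, i = body[i], body[i + 1], i + 2
        if ln & 0x80:                        # long-form length
            n, i = ln & 0x7F, i + (ln & 0x7F)
            ln = int.from_bytes(body[i - n:i], "big")
        out.append((tag, body[i:i + ln]))
        i += ln
    return out

def decode_oid(b):                           # OID content octets -> dotted string
    arcs, acc = [b[0] // 40, b[0] % 40], 0   # first octet = 40*arc1 + arc2 (arc1 < 2 here)
    for x in b[1:]:
        acc = (acc << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def alt_names(san_der):                      # SubjectAltName DER -> {otherName type-id: value}
    found = {}
    _, names = children(san_der)[0]          # GeneralNames ::= SEQUENCE OF GeneralName
    for tag, val in children(names):
        if tag == 0xA0:                      # [0] otherName: type-id OID, value [0] EXPLICIT ANY
            (_, oid), (_, explicit) = children(val)
            vtag, inner = children(explicit)[0]
            found[decode_oid(oid)] = inner.decode() if vtag == 0x0C else inner   # UPN = UTF8String
    return found

def find_user_id(search, subject, san_der):  # apply the entries in order; first match wins
    alt = alt_names(san_der)
    for entry in search.split(","):
        kind, arg = entry.split("=", 1)
        if kind == "ALTNAME" and arg in alt:
            return alt[arg]
        if kind == "SUBJECTDN" and arg in subject:
            return subject[arg]
    return None                              # EXTENSION=oid is not implemented here

DEFAULT_SEARCH = "ALTNAME=1.3.6.1.4.1.311.20.2.3,ALTNAME=1.3.6.1.5.2.2,SUBJECTDN=UID"
# Constructed sample: a SAN whose only entry is an otherName carrying a UPN, plus a subject DN.
UPN_OID_DER = b"\x2b\x06\x01\x04\x01\x82\x37\x14\x02\x03"   # 1.3.6.1.4.1.311.20.2.3
SAMPLE_SAN = tlv(0x30, tlv(0xA0, tlv(0x06, UPN_OID_DER) + tlv(0xA0, tlv(0x0C, b"jdoe@ysoft.local"))))
SAMPLE_SUBJECT = {"CN": "John Doe", "UID": "jdoe"}
```

With the default search string the UPN wins; a card whose certificate carries neither otherName falls through to the UID attribute of the subject, and a certificate with none of the three yields no principal, which is the case to test for before rolling cards out.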

Notes

Alternatives with Smart Cards

The solution described in this document comes with one important caveat: authentication at the device takes up to 15 seconds. YSoft SafeQ® provides two alternative solutions based on smart cards with single-factor authentication. The following list describes the three mechanisms in some detail (description, benefits, drawbacks and caveats of each).

Two Factor (Card + PIN) Authentication

  • Description: As stated above. The user inserts their card and enters their PIN, and the system initiates a challenge/response protocol to authenticate the user.

  • Benefits: This is the most secure method. Complies with FIPS 201 and other similar global standards for an assurance level of VERY HIGH confidence.

  • Drawbacks: Also the slowest authentication method. Requires additional configuration and integration with a Kerberos KDC. Requires the CAC enablement kit on Xerox devices.

  • Caveats: SafeQ uses low-level APDU commands to communicate with the device, and thus can't use manufacturer-provided APIs. This means that support for every smart card manufacturer may need to be developed and tested independently. It is possible that the customer's card manufacturer hasn't been implemented by Y Soft yet and will require some customization.

Single Factor Authentication with CHUID / FASC-N

  • Description: The user inserts their card, and the system extracts a unique identifier for the card from the public information on the card. This is read from a static location.

  • Benefits: Provides a relatively fast method of authentication. Complies with FIPS 201 and other similar global standards for an assurance level of SOME confidence.

  • Drawbacks: This was originally developed as a customization for one particular customer and isn't guaranteed to work correctly at every installation. Test thoroughly before guaranteeing delivery.

  • Caveats: Y Soft card readers may receive different numbers from Terminal Professionals vs. USB card readers. In such cases, users may have to register their cards twice, which end users may find frustrating.

Single Factor Authentication with Proximity Chip

  • Description: The user waves their badge past a reader that matches the technology of the embedded proximity chip.

  • Benefits: Provides the fastest method of authentication. Doesn't require physical contact between the card and the reader. Card reader technology is cheaper.

  • Drawbacks: Does not comply with FIPS 201 at any assurance level. This is also the easiest of the three options for a malicious user to forge or spoof.

  • Caveats: The reader technology may vary (HID Prox, HID iClass, etc.), even within the same manufacturer across different generations of smart cards. Y Soft must complete card testing to verify the correct card reader.