How to Use Smart Card Control

Applies To: Forefront Identity Manager 2010, Forefront Identity Manager Certificate Management

What This Document Covers

The Microsoft® Forefront® Identity Manager Certificate Management (FIM CM) Smart Card Personalization Control provides the functionality to manage smart card applets on a smart card by using the Global Platform (GP).

This document contains two walkthroughs. The first walkthrough configures this feature to personalize a smart card that has no existing personalization performed. The second walkthrough configures this feature to use the GP keys that are stored in the Hardware Security Module (HSM) to establish a secure channel with the card.

For an overview of FIM 2010 documentation and guidance for using it, see the Documentation Roadmap.

Prerequisite Knowledge

The walkthroughs assume that the user has a basic understanding of FIM CM, smart cards, GP, custom applets from the smart card vendor, appropriate smart cards and readers, and the use of an HSM.

Audience

This document is intended for information technology (IT) planners, systems administrators, system architects, technology decision-makers, consultants, infrastructure planners, and IT personnel.

Time requirements

The procedures in this document take about 60 minutes to complete.

Walkthrough 1: Smart Card Personalization

In this walkthrough, you configure FIM CM to personalize a smart card. On a high level, you perform the following steps:

  1. Add the smart card details to the cardmap file.

  2. Enable personalization from the FIM CM Profile template.

  3. Establish a secure connection with the card.

  4. Diversify the GP keys on the card.

  5. View the existing configuration in the card.

  6. Delete the existing applets in the card.

  7. Load new applets onto the card and instantiate the applets.

  8. Run a batch script to perform direct Application Protocol Data Unit (APDU) level calls.

To personalize a smart card

  1. On the computer that is hosting the FIM CM Portal, add the smart card Answer To Reset (ATR) to the cardmap file.

    The cardmap file contains a list of smart cards that can be used for personalization. This file is located under <FIM CM Program Files>\Microsoft Forefront Identity Manager\2010\Certificate Management\web\Config\cardmap.xml.config.

    Add the ATR of the smart card to be personalized. The ATR is either known from the card manufacturer or can be found in the registry. A properly installed card can be found in the registry at a location similar to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards\Axalto Cryptoflex.net, which shows an Axalto Cryptoflex card’s registry information, including its ATR.

    The following is an example of the XML that should be added:

    <!-- CyberflexAccess64v2c -->
    <card atr="3B959540FFAE01030000" scriptFolder="scripts/cards/Cyberflex32egate/">
      <cardspecificclass>Microsoft.Clm.Ams.Protocol.GP.Axalto, Microsoft.Clm.Ams</cardspecificclass>
      <cardmanageraid>A0000000030000</cardmanageraid>
      <serialnumberparser>Heidal.SCard.AxaltoSCardSerialNoParser, Heidal</serialnumberparser>
    </card>
    
  2. Enable personalization from the FIM CM Profile template.

    To enable personalization

    1. Connect to the FIM CM Portal. On the Home page under Administration, click the Manage profile templates link.

    2. In Views, click Smart card profile templates.

      Tip

      If you don’t already have a profile template to customize, you can create one from the Profile Template Management page. To do so, select a template that supports smart cards, such as FIM CM Sample Smart Card Logon Profile Template, and then click Copy a selected profile template. You will have to provide a new name for the template, and then you can modify the settings to match your environment’s requirements. If you do this, skip the next step, because you will have already selected the smart card template you want to modify.

    3. Click the link of the smart card template that you want to modify.

    4. In Select a view, click Temporary Cards Policy.

    5. On the Edit Profile Template page, under Workflow: Smart Card Application Management, click Change smart card applet management settings.

    6. Select Enable personalization.

    7. In Personalization Profile, type the name and path to the file that you will use for personalization. For example, if you were creating a personalization profile named woodgrovebank.teller.xml.config in the c:\smartcard\profiles\ folder, you would enter c:\smartcard\profiles\woodgrovebank.teller.xml.config.

    8. Create an empty profile configuration template in the location you specified in the previous step. The next time this FIM CM operation is performed, smart card personalization is attempted as defined by the personalization profile that you just added.

  3. Establish a secure connection with the card.

    To perform any GP operations on the smart card, you must first establish a secure connection with the card. The secure connection is established by using GP keys that are defined through a Key Set Provider. For this walkthrough, we use GP keys that are available in clear text, so a file-based key set provider is used. The second walkthrough, Walkthrough 2: Establishing a Secure Channel by Using an HSM Key Set Provider, describes how to use GP keys that are stored in the HSM by using an HSM-based Key Set Provider.

    Warning

    Many smart cards have very strict rules about attempting a secure connection with incorrect GP keys. Ensure that the GP keys that are attempted are accurate or you may run the risk of blocking these cards permanently.

    Add the following XML code to the personalization file:

    <?xml version="1.0" encoding="utf-8" ?> 
    <cardPersonalization xmlns="https://microsoft.com/CLM/ams/cardPersonalization.xsd">
      <policyInfo>
        <!--used for establishing secure channel-->
        <keyset provider="Microsoft.Clm.Ams.GP.FileKeySetProvider,Microsoft.Clm.Ams" initData="DeveloperKeySetData.xml.config" />
        <!--used for diversification of keys. Required even if not diversifying keys. Use clear text GP keys here so that no diversification is performed -->
        <diversification provider="Microsoft.Clm.Ams.GP.TestKeyDiversificationProvider,Microsoft.Clm.Ams" initData="404142434445464748494A4B4C4D4E4F,404142434445464748494A4B4C4D4E4F,404142434445464748494A4B4C4D4E4F"/>
      </policyInfo>
      <actions>
        <action type="CloseSecureChannel" status="Closing secure channel..."/>
        <action type="EstablishSecureChannel" level="3" status="Establishing secure channel"/>
        <action type="CloseSecureChannel" status="Closing secure channel..."/>
      </actions>
    </cardPersonalization>
    

    Add the clear text GP keys to the DeveloperKeySetData.xml.config file that is located under <FIM CM Program Files>\Certificate Management\web\Config\DeveloperKeySetData.xml.config.

    The following is an example of the DeveloperKeySetData file:

    <?xml version="1.0" encoding="utf-8"?>
    <keySetData xmlns="https://microsoft.com/CLM/ams/keySetData.xsd">
      <keySets>
        <keySet atr="3B959540FFAE01030000">
          <!--Axalto CyberflexAccess64v2c -->
          <authKey>404142434445464748494A4B4C4D4E4F</authKey>
          <macKey>404142434445464748494A4B4C4D4E4F</macKey>
          <kekKey>404142434445464748494A4B4C4D4E4F</kekKey>
        </keySet>
      </keySets>
    </keySetData>
    
  4. Diversify the GP keys on the card.

    When deploying smart cards in production, the GP keys are diversified to ensure that if one key set is compromised, no other smart card key sets are also compromised. In a production environment, it is important to diversify the GP keys. After keys are diversified, you have to reestablish a secure connection with the new set of keys.

    Warning

    Running the diversify process causes the GP keys on the cards to be modified. If these operations are performed incorrectly, the cards will no longer be usable. If this is a test run, we recommend that you skip this step if you do not need to diversify the keys.

    In the Policy Info section, change the Diversification Provider to use an Index Key Diversification Provider instead of the Clear Text Key Diversification Provider. Then, add the action to Diversify Keys. The force flag is used to choose if the Diversification should be performed if the keys are already diversified.

    <?xml version="1.0" encoding="utf-8" ?> 
    <cardPersonalization xmlns="https://microsoft.com/CLM/ams/cardPersonalization.xsd">
      <policyInfo>
        <!--used for establishing secure channel-->
        <keyset provider="Microsoft.Clm.Ams.GP.FileKeySetProvider,Microsoft.Clm.Ams" initData="DeveloperKeySetData.xml.config" />
        <!--used for diversification of keys-->
        <diversification provider="Microsoft.Clm.Ams.GP.IndexKeyDiversificationProvider,Microsoft.Clm.Ams" initData="TestDiversificationData.xml.config" />
      </policyInfo>
      <actions>
        <action type="CloseSecureChannel" status="Closing secure channel..."/>
        <action type="EstablishSecureChannel" level="3" status="Establishing secure channel"/>
        <action type="DiversifyKeys" force="false" status="Diversifying keys"/>
        <action type="EstablishSecureChannel" level="3" status="Establishing non needed secure channel"/>
        <action type="CloseSecureChannel" status="Closing secure channel..."/>
      </actions>
    </cardPersonalization>
    

    View the TestDiversificationData.xml.config file that is located under <FIM CM Program Files>\Certificate Management\web\Config\TestDiversificationData.xml.config. This is a Card Production Life Cycle (CPLC) data file that defines how the diversification should be performed, which is similar to how the GemAlto P11 tools diversify cards.

  5. View the existing configuration in the card.

    The GetStatus call can be used to read the current set of Applets and Applet Instances on the card. This call results in an inventory provider being called on the server running FIM CM and is logged to a log file.

    Add an Inventory Provider to the Policy Info and then add a GetStatus call to the Actions section. Also ensure that the CLMWebPool account has the required privileges to write to the log folder.

    Note

    CLMWebPool is the default account name that can be changed when the Configuration Wizard is run.

    The profile looks like the following example:

    <?xml version="1.0" encoding="utf-8" ?> 
    <cardPersonalization xmlns="https://microsoft.com/CLM/ams/cardPersonalization.xsd">
      <policyInfo>
        <!--used for establishing secure channel-->
        <keyset provider="Microsoft.Clm.Ams.GP.FileKeySetProvider,Microsoft.Clm.Ams" initData="DeveloperKeySetData.xml.config" />
        <!--used for diversification of keys-->
        <diversification provider="Microsoft.Clm.Ams.GP.IndexKeyDiversificationProvider,Microsoft.Clm.Ams" initData="TestDiversificationData.xml.config" />
        <inventory provider="Microsoft.Clm.Ams.DataAccess.FileInventoryProvider,Microsoft.Clm.Ams" initData="C:\logs\Status.log" />
      </policyInfo>
      <actions>
        <action type="CloseSecureChannel" status="Closing secure channel..."/>
        <action type="EstablishSecureChannel" level="3" status="Establishing secure channel"/>
        <!--getting status-->
        <action type="GetStatus" status="Getting card status..."/>
        <action type="CloseSecureChannel" status="Closing secure channel..."/>
      </actions>
    </cardPersonalization>
    

    Note

    In this example, Diversify Keys has been removed. If you require Diversify Keys, leave it in the policy description.

  6. Delete the existing applets in the card.

    Both Applets and Applet Instances can be deleted by using the DeleteCardObject action. Get the Applet IDs or Applet Instance IDs from the GetStatus result.

    The profile looks like the following example:

    <?xml version="1.0" encoding="utf-8" ?> 
    <cardPersonalization xmlns="https://microsoft.com/CLM/ams/cardPersonalization.xsd">
      <policyInfo>
        <!--used for establishing secure channel-->
        <keyset provider="Microsoft.Clm.Ams.GP.FileKeySetProvider,Microsoft.Clm.Ams" initData="DeveloperKeySetData.xml.config" />
        <!--used for diversification of keys-->
        <diversification provider="Microsoft.Clm.Ams.GP.IndexKeyDiversificationProvider,Microsoft.Clm.Ams" initData="TestDiversificationData.xml.config" />
        <inventory provider="Microsoft.Clm.Ams.DataAccess.FileInventoryProvider,Microsoft.Clm.Ams" initData="C:\logs\Status.log" />
      </policyInfo>
      <actions>
        <action type="CloseSecureChannel" status="Closing secure channel..."/>
        <action type="EstablishSecureChannel" level="3" status="Establishing secure channel"/>
        <!--remove existing personalization-->
        <action type="DeleteCardObject" aid="A000000030000090078141100000" status="Deleting applets" />
        <action type="DeleteCardObject" aid="534C4243525950544F" status="Deleting applets instance"/>
        <!--getting status-->
        <action type="GetStatus" status="Getting card status..."/>
        <action type="CloseSecureChannel" status="Closing secure channel..."/>
      </actions>
    </cardPersonalization>
    

    Verify that the applets were deleted by viewing the status after the GetStatus call.

  7. Load new applets onto the card and instantiate the applets.

    1. Get the smart card applets for the card that you are personalizing from the smart card manufacturer, or write your own applet.

    2. Place the new applets under the folder <FIM CM Program Files>\Certificate Management\web\Config\applets.

    3. Add the LoadApplet and CreateInstance actions to the profile.

    The profile looks like the following example:

    <?xml version="1.0" encoding="utf-8" ?> 
    <cardPersonalization xmlns="https://microsoft.com/CLM/ams/cardPersonalization.xsd">
      <policyInfo>
        <!--used for establishing secure channel-->
        <keyset provider="Microsoft.Clm.Ams.GP.FileKeySetProvider,Microsoft.Clm.Ams" initData="DeveloperKeySetData.xml.config" />
        <!--used for diversification of keys-->
        <diversification provider="Microsoft.Clm.Ams.GP.IndexKeyDiversificationProvider,Microsoft.Clm.Ams" initData="TestDiversificationData.xml.config" />
        <inventory provider="Microsoft.Clm.Ams.DataAccess.FileInventoryProvider,Microsoft.Clm.Ams" initData="C:\logs\Status.log" />
      </policyInfo>
      <actions>
        <action type="CloseSecureChannel" status="Closing secure channel..."/>
        <action type="EstablishSecureChannel" level="3" status="Establishing secure channel"/>
        <!-- load applets -->
        <action type="LoadApplet" appletFile="auth.ijc" status="Loading AUTH applet..."/>
        <action type="LoadApplet" appletFile="manager.ijc" status="Loading MANAGER applet..."/>
        <action type="LoadApplet" appletFile="pki.ijc" status="Loading PKI applet..." />
        <!-- instantiate applets -->
        <action type="CreateInstance" loadFileAid="A000000030000090078142100000" moduleAid="A000000030000090078140100000" applicationAid="A000000030000090078141100000" installParameters="0E0305053132333435363738" instanceSize="580" status="Creating instance..." />
        <action type="CreateInstance" loadFileAid="A000000030000090078112100000" moduleAid="A000000030000090078110100000" applicationAid="534C4243525950544F" installParameters="00000000831644074E000000000000080000" instanceSize="11557" status="Creating instance..." />
        <!--getting status-->
        <action type="GetStatus" status="Getting card status..."/>
        <action type="CloseSecureChannel" status="Closing secure channel..."/>
      </actions>
    </cardPersonalization>
    

    Verify that the applets were loaded and instantiated by viewing the status after the GetStatus call.

  8. Run a batch script to perform APDU calls.

    The SendBatch action can be used to send APDU calls to the card. For information about how to write APDUs, refer to the Global Platform specification (https://go.microsoft.com/fwlink/?LinkId=195091).

    The following example shows how to change the GP key of the smart card by using the SendBatch action. Multiple actions can be performed as part of this batch file.

    Warning

    Do not perform the following action of changing the GP key unless you need to. If you do change the GP key for test purposes, remember to change the GP key back to the original keys after testing.

    1. Add the SendBatch action to the profile as shown in the following example:

      <?xml version="1.0" encoding="utf-8" ?>
      <cardPersonalization xmlns="https://microsoft.com/CLM/ams/cardPersonalization.xsd">
        <policyInfo>
          <!--used for establishing secure channel-->
          <keyset provider="Microsoft.Clm.Ams.GP.FileKeySetProvider,Microsoft.Clm.Ams" initData="DeveloperKeySetData.xml.config" />
          <!--used for diversification of keys-->
          <diversification provider="Microsoft.Clm.Ams.GP.IndexKeyDiversificationProvider,Microsoft.Clm.Ams" initData="TestDiversificationData.xml.config" />
        </policyInfo>
        <actions>
          <action type="CloseSecureChannel" status="Closing secure channel..."/>
          <action type="EstablishSecureChannel" level="3" status="Establishing secure channel"/>
          <action type="SendBatch" file="ChangeKey.xml.config" secure="false" status="Changing GP Keys..."/>
          <action type="CloseSecureChannel" status="Closing secure channel..."/>
        </actions>
      </cardPersonalization>
      
    2. Create a new file named ChangeKey.xml.config in the same folder as the profile under <FIM CM Program Files>\Certificate Management\web\Config\Profiles\ChangeKey.xml.config.

      <?xml version="1.0" encoding="utf-8"?>
      <apduBatch xmlns="https://microsoft.com/CLM/ams/apduBatch.xsd">
          <!--mode: 0 - no input/output, 1 - send, 2 - receive, 3 - send/receive -->
          <apdu mode="1" comment="Change Key" expectedSW="9000">80D8010016CDE5F1B949F11FA76BBF0E913223C2E600</apdu>
      <!--CLA:  80  // Clear Text
        INS:  D8  // PUT KEY
        P1:   01  // Key Version Number
        P2:   00  // Key Identifier
        Lc:   16  // Length of Data
        Data: CDE5F1B949F11FA76BBF0E913223C2E6 
        Le:   00  // ??-->
      </apduBatch>
      

    Now, the GP key should be changed to the new value.
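
As an added example (not FIM CM code and not from this document), the following Python decodes each apdu entry of an apduBatch file into the CLA, INS, P1, P2, Lc, Data and Le fields annotated in the comment above, and flags entries whose Lc disagrees with the data that follows it, whose mode is outside 0-3, or whose expectedSW is not a two-byte status word, so that format errors are caught on the server before SendBatch sends anything to the card. The sample batch is constructed: a SELECT of the card manager AID from the cardmap entry in step 1, followed by a copy with a deliberately wrong Lc.

```python
import xml.etree.ElementTree as ET

# Mode values as documented in the apduBatch comment on this page.
MODES = {"0": "no input/output", "1": "send", "2": "receive", "3": "send/receive"}
HEX_DIGITS = set("0123456789abcdefABCDEF")


def decode_apdu(hex_apdu):
    """Split a command APDU hex string into CLA/INS/P1/P2, Lc, data and Le.

    'consistent' is False when Lc disagrees with the number of data bytes that
    follow it, which is the kind of mistake a card rejects before any useful
    status word comes back.
    """
    raw = bytes.fromhex(hex_apdu)          # raises ValueError on odd length or non-hex
    if len(raw) < 4:
        raise ValueError("APDU shorter than the 4-byte header")
    fields = {"CLA": raw[0], "INS": raw[1], "P1": raw[2], "P2": raw[3],
              # b3 of CLA (0x84 instead of 0x80) marks a GP secure-messaging command
              "secure_messaging": bool(raw[0] & 0x04)}
    body = raw[4:]
    if len(body) <= 1:                     # case 1 (header only) or case 2 (header + Le)
        fields.update(Lc=None, data=b"", Le=body[0] if body else None, consistent=True)
    else:                                  # case 3/4: Lc, data, optional Le
        lc = body[0]
        data, rest = body[1:1 + lc], body[1 + lc:]
        fields.update(Lc=lc, data=data, Le=rest[0] if len(rest) == 1 else None,
                      consistent=len(data) == lc and len(rest) <= 1)
    return fields


def lint_batch(xml_text):
    """Decode every <apdu> in an apduBatch document and collect format problems."""
    root = ET.fromstring(xml_text)
    results = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] != "apdu":   # ignore the namespace prefix
            continue
        issues = []
        mode = el.get("mode", "")
        if mode not in MODES:
            issues.append(f"mode={mode!r} is not one of 0-3")
        sw = el.get("expectedSW", "")
        if len(sw) != 4 or not set(sw) <= HEX_DIGITS:
            issues.append(f"expectedSW={sw!r} is not a 2-byte hex status word")
        fields = None
        try:
            fields = decode_apdu((el.text or "").strip())
            if not fields["consistent"]:
                issues.append("Lc does not match the data field that follows it")
        except ValueError as exc:
            issues.append(f"APDU not decodable: {exc}")
        results.append({"comment": el.get("comment", ""), "mode": MODES.get(mode),
                        "expectedSW": sw, "fields": fields, "issues": issues})
    return results


# Constructed sample batch: SELECT of the card manager AID A0000000030000 (7 bytes),
# then the same command with a deliberately wrong Lc of 08.
SAMPLE_BATCH = """<?xml version="1.0" encoding="utf-8"?>
<apduBatch xmlns="https://microsoft.com/CLM/ams/apduBatch.xsd">
  <apdu mode="1" comment="Select card manager" expectedSW="9000">00A4040007A0000000030000</apdu>
  <apdu mode="1" comment="Bad Lc" expectedSW="9000">00A4040008A0000000030000</apdu>
</apduBatch>
"""
```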

  9. Now that you have completed the preceding steps, you know all the operations that are supported by the Smart Card Personalization Provider.

    The following example Profile is the result of personalizing an Axalto Cyberflex v2c card. After this personalization, the card can be used for performing any smart card operations.

    <?xml version="1.0" encoding="utf-8" ?>
    <cardPersonalization xmlns="https://microsoft.com/CLM/ams/cardPersonalization.xsd">
      <policyInfo>
        <!--used for establishing secure channel-->
        <keyset provider="Microsoft.Clm.Ams.GP.FileKeySetProvider,Microsoft.Clm.Ams" initData="DeveloperKeySetData.xml.config" />
        <!--used for diversification of GP keys when DiversifyKeys action is called. -->
        <diversification provider="Microsoft.Clm.Ams.GP.IndexKeyDiversificationProvider,Microsoft.Clm.Ams" initData="TestDiversificationData.xml.config" />
        <!--used for logging status when GetStatus action is called-->
        <inventory provider="Microsoft.Clm.Ams.DataAccess.FileInventoryProvider,Microsoft.Clm.Ams" initData="C:\logs\Status.log" />
      </policyInfo>
      <actions>
        <action type="CloseSecureChannel" status="Please wait..."/>
        <action type="EstablishSecureChannel" level="3" status="Establishing secure channel"/>
        <action type="DiversifyKeys" force="false" status="Diversifying keys"/>
        <action type="EstablishSecureChannel" level="3" status="Establishing non needed secure channel"/>
        <!--remove Axalto personalization-->
        <action type="DeleteCardObject" aid="A000000030000090078141100000" status="Deleting applets" />
        <action type="DeleteCardObject" aid="534C4243525950544F" status="Deleting applets"/>
        <action type="DeleteCardObject" aid="A000000030000090078111100000" status="Deleting applets" />
        <action type="DeleteCardObject" aid="A000000030000090078112100000" status="Deleting applets" />
        <action type="DeleteCardObject" aid="A000000030000090078142100000" status="Deleting applets" />
        <action type="DeleteCardObject" aid="A000000030000090078132100000" status="Deleting applets" />
        <!--load applets-->
        <action type="LoadApplet" appletFile="auth.ijc" status="Loading AUTH applet..."/>
        <action type="LoadApplet" appletFile="manager.ijc" status="Loading MANAGER applet..."/>
        <action type="LoadApplet" appletFile="pki.ijc" status="Loading PKI applet..." />
        <!--instantiate applets-->
        <action type="CreateInstance" loadFileAid="A000000030000090078142100000" moduleAid="A000000030000090078140100000" applicationAid="A000000030000090078141100000" installParameters="0E0305053132333435363738" instanceSize="580" status="Creating instance..." />
        <action type="CreateInstance" loadFileAid="A000000030000090078112100000" moduleAid="A000000030000090078110100000" applicationAid="534C4243525950544F" installParameters="00000000831644074E000000000000080000" instanceSize="11557" status="Creating instance..." />
        <action type="GetStatus" />
        <action type="SendBatch" file="AxaltoPostPerso.xml.config" secure="false" status="Personalizing..."/>
        <action type="CloseSecureChannel" status="Closing secure channel..."/>
      </actions>
      <diagnostics>
        <traceListeners>
          <listener name="Microsoft.Clm.Ams.TextWriter.Listener1" type="Microsoft.Clm.Ams.Diagnostics.SimpleTextWriterTraceListener, Microsoft.Clm.Ams" initializeData="c:\logs\Microsoft.Clm.Ams.log"/>
        </traceListeners>
        <switches>
          <switch name="EstablishSecureChannel" value="4" />
          <switch name="GetStatus" value="4" />
          <switch name="DiversifyKeys" value="4" />
          <switch name="LoadApplet" value="4" />
          <switch name="CreateInstance" value="4" />
          <switch name="DeleteCardObject" value="4" />
          <switch name="SendBatch" value="4" />
          <switch name="General" value="4" />
        </switches>
      </diagnostics>
    </cardPersonalization>
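
The following Python script is an added example, not part of FIM CM or of this document. It lints a cardPersonalization profile offline, before the profile is pointed at real cards, for the rules the walkthrough states: a diversification provider is always required, an inventory provider is needed for GetStatus, every GP action has to run inside an open secure channel, and the channel has to be re-established after DiversifyKeys. It also warns when FileKeySetProvider is configured, because that means the GP keys sit in a clear-text file. The embedded sample profile is constructed for the test and deliberately repeats the mistake of running GetStatus straight after DiversifyKeys.

```python
import xml.etree.ElementTree as ET

# Actions that drive the card over Global Platform and so need an open secure channel.
GP_ACTIONS = {"DiversifyKeys", "GetStatus", "DeleteCardObject",
              "LoadApplet", "CreateInstance", "SendBatch"}
HEX_DIGITS = set("0123456789abcdefABCDEF")


def _local(tag):
    """Strip the XML namespace so elements can be matched by local name."""
    return tag.rsplit("}", 1)[-1]


def _is_hex(value):
    """AIDs and install parameters must be whole bytes written in hex."""
    return bool(value) and len(value) % 2 == 0 and set(value) <= HEX_DIGITS


def lint_profile(xml_text):
    """Return (severity, message) findings for one cardPersonalization document."""
    findings = []
    root = ET.fromstring(xml_text)
    policy = next((e for e in root if _local(e.tag) == "policyInfo"), None)
    actions_el = next((e for e in root if _local(e.tag) == "actions"), None)
    providers = {} if policy is None else {_local(e.tag): e.attrib for e in policy}

    if "keyset" not in providers:
        findings.append(("ERROR", "policyInfo has no keyset provider"))
    elif "FileKeySetProvider" in providers["keyset"].get("provider", ""):
        # Acceptable for a test run; production GP keys belong in an HSM (Walkthrough 2).
        findings.append(("WARN", "keyset uses FileKeySetProvider: GP keys sit in a clear-text file"))
    if "diversification" not in providers:
        findings.append(("ERROR", "policyInfo has no diversification provider (required even if keys are not diversified)"))

    actions = [] if actions_el is None else [a for a in actions_el if _local(a.tag) == "action"]
    if any(a.get("type") == "GetStatus" for a in actions) and "inventory" not in providers:
        findings.append(("ERROR", "GetStatus is used but no inventory provider is configured"))

    channel_open = False   # set by EstablishSecureChannel, cleared by CloseSecureChannel
    keys_changed = False   # set by DiversifyKeys until the channel is re-established
    for idx, act in enumerate(actions):
        kind = act.get("type")
        if kind == "EstablishSecureChannel":
            channel_open, keys_changed = True, False
        elif kind == "CloseSecureChannel":
            channel_open = False
        elif kind in GP_ACTIONS:
            if not channel_open:
                findings.append(("ERROR", f"action {idx} {kind} runs without an open secure channel"))
            if keys_changed:
                findings.append(("ERROR", f"action {idx} {kind} runs after DiversifyKeys without re-establishing the channel"))
            if kind == "DiversifyKeys":
                keys_changed = True
            for attr in ("aid", "loadFileAid", "moduleAid", "applicationAid", "installParameters"):
                value = act.get(attr)
                if value is not None and not _is_hex(value):
                    findings.append(("ERROR", f"action {idx} {kind}: {attr}={value!r} is not whole-byte hex"))
        else:
            findings.append(("WARN", f"action {idx}: unknown action type {kind!r}"))
    if actions and actions[-1].get("type") != "CloseSecureChannel":
        findings.append(("WARN", "last action is not CloseSecureChannel"))
    return findings


# Constructed test profile: same shape as the walkthrough profiles, but it runs GetStatus
# right after DiversifyKeys, which is the mistake Step 4 warns about.
SAMPLE_PROFILE = r"""<?xml version="1.0" encoding="utf-8"?>
<cardPersonalization xmlns="https://microsoft.com/CLM/ams/cardPersonalization.xsd">
  <policyInfo>
    <keyset provider="Microsoft.Clm.Ams.GP.FileKeySetProvider,Microsoft.Clm.Ams" initData="DeveloperKeySetData.xml.config" />
    <diversification provider="Microsoft.Clm.Ams.GP.IndexKeyDiversificationProvider,Microsoft.Clm.Ams" initData="TestDiversificationData.xml.config" />
    <inventory provider="Microsoft.Clm.Ams.DataAccess.FileInventoryProvider,Microsoft.Clm.Ams" initData="C:\logs\Status.log" />
  </policyInfo>
  <actions>
    <action type="CloseSecureChannel" status="Closing secure channel..."/>
    <action type="EstablishSecureChannel" level="3" status="Establishing secure channel"/>
    <action type="DiversifyKeys" force="false" status="Diversifying keys"/>
    <action type="GetStatus" status="Getting card status..."/>
    <action type="CloseSecureChannel" status="Closing secure channel..."/>
  </actions>
</cardPersonalization>
"""
```

Run lint_profile on a profile read from disk and fix every ERROR before enabling it in the profile template; the WARN for FileKeySetProvider is expected during a test run.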
    

Walkthrough 2: Establishing a Secure Channel by Using an HSM Key Set Provider

In production, the GP keys should be stored in a more secure location than a clear text file. The most common way of storing the GP keys is by using an HSM. The smart card personalization provider can use the GP keys that are stored in the HSM by using the HSM Key Set Provider.

You must perform the following steps:

  1. Configure HSM.

  2. Import the GP keys into the HSM.

  3. Store the HSM password on the FIM CM server registry.

  4. Update the profile to use the HSM-based Key Set Provider.

To establish a secure channel

  1. Configure HSM.

    This walkthrough assumes that the user has sufficient HSM expertise to configure the HSM to be a part of the same domain as the server that is running FIM CM.

    For the Luna HSM, ensure that the Partition Secret is carefully noted. For the nCipher HSM, ensure that you create a password for the Operator cards.

  2. Import the GP keys into the HSM.

    First, generate a key in the HSM. Then, use the HSM key to import a new GP key into the HSM. For nCipher, use the KeySafe application to import keys. For Luna, you would need to write a little P11 application to import the GP keys into the HSM.

    Ensure that the imported keys specify a label. This will later be used as search criteria.

    Note

    Check with your HSM vendor for specific instructions for your model and firmware version.

  3. Store the HSM password on the FIM CM server registry.

    The HSM password must be stored in the registry after it is encrypted by using the Data Protection application programming interface (API). You can do this by using CLMUtil.exe. The registry location can be defined by the user, but we recommend that you use the following registry path:

    HKLM\Software\Microsoft\Clm\Ams,hsmPassword

  4. Update the profile to use the HSM-based Key Set Provider.

    In the XML Profile, replace the existing Key Set Provider with an HSM Key Set Provider, as shown in the following example:

    <keyset scVersion="SC02" provider="Microsoft.Clm.Ams.GP.HsmKeySetProvider,Microsoft.Clm.Ams" initData="nCipherHSM.xml.config" />
    

Next, create an HSM configuration file under <FIM CM Program Files>\Certificate Management\web\Config\HSMs\nCipherHSM.xml.config, containing the following code:

<?xml version="1.0" encoding="utf-8" ?>
<hsmInfo xmlns="https://microsoft.com/CLM/ams/hsmInfo.xsd">
<p11LibraryInfo path="C:\Program Files (x86)\nCipher\nfast\toolkits\pkcs11\cknfast-64.dll" slotId="492971158" password="protected:Registry,DPAPI;value:HKLM\Software\Microsoft\Clm\Ams,nCipherPassword" keySetClass="Microsoft.Clm.Ams.GP.NCipherHsm, Microsoft.Clm.Ams" numberOfSessions="10"/>
<keyInfo>
  <!--The only supported search types so far are CkaId and CkaLabel-->
  <authKey searchType="CkaLabel" searchFilter="Key imported by KeySafe" />
  <macKey searchType="CkaLabel" searchFilter="Key imported by KeySafe" />
  <kekKey searchType="CkaLabel" searchFilter="Key imported by KeySafe" />
</keyInfo>
</hsmInfo>

Now, perform an Establish Secure Connection to verify that the walkthrough was a success. If the connection fails, look at the server-side logs for the details.

Diagnostics: Enabling Tracing

To enable client-side tracing

  1. Client-side tracing records the exact APDU calls and responses. The trace appears in a new Windows® Internet Explorer® window. We recommend copying the contents of this trace in rich text format (RTF) to maintain the table format.

    Enable tracing by adding &_trace=1 to the URL that calls the Personalize.aspx file. To modify the URL, copy the URL while running, and then rerun the URL after adding the trace flag.

    The following is an example of a URL with the tracing enabled:
    https://<FIMCMServer>/CertificateManagement/content/ams/main/Personalize.aspx?RequestUuid=<RequestUuid>&SuccessUrl=..%2f..%2fsm%2fsmartcard%2fSubscriberEnrollExecute.aspx%3fID%3d=<RequestUuid>&CancelUrl=..%2f..%2fsm%2fmain%2fSMainMenu.aspx&_trace=1

To enable server-side logging

  1. Server-side logging provides details for all the functionality that is performed under the Microsoft.CLM.AMS.dll file and also the responses that have been received from the client.

    To enable tracing, implement the following two steps:

    1. Add the following XML code to the XML Profile:

      <diagnostics>
      <traceListeners>
        <listener name="Microsoft.Clm.Ams.TextWriter.Listener1" type="Microsoft.Clm.Ams.Diagnostics.SimpleTextWriterTraceListener, Microsoft.Clm.Ams" initializeData="c:\logs\Microsoft.Clm.Ams.log"/>
        <!-- InitializeData holds the name and location of the Log File-->
      </traceListeners>
      <switches>
        <switch name="EstablishSecureChannel" value="4" />
        <switch name="GetStatus" value="4" />
        <switch name="DiversifyKeys" value="4" />
        <switch name="LoadApplet" value="4" />
        <switch name="CreateInstance" value="4" />
        <switch name="DeleteCardObject" value="4" />
        <switch name="SendBatch" value="4" />
        <switch name="General" value="4" />
      <!-- The name refers to the GP action being performed. The value refers to the trace level, with 4 being verbose.-->
      </switches>
      </diagnostics> 
      
    2. Give the FIMCMWebPool account rights to the C:\logs folder.