007-013842-001 - SafeNet Authentication Client - 10.0 - Post GA - Linux - Administrator - Guide - Rev B PDF

Download as pdf or txt
Download as pdf or txt
You are on page 1of 44

SafeNet Authentication

Client (Linux)
Version 10.0 (Post GA)
Administrator Guide
Table of Contents
1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6
SafeNet Authentication Client Main Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6
What’s New. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7
Supported Browsers and Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8
Supported Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8
Supported Tokens and Smart Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8
Certificate-based USB Tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8
Software Tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8
External Smart Card Readers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10
License Activation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10
IDPrime MD Applet 4.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10
Number and Type of Key Containers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
API Adjustments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
SafeNet eToken devices vs Gemalto IDPrime MD devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12

2 Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Installation Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
Installing SAC on Linux Standard Package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
Installing on Ubuntu and Debian. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Installing the Core Package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Installing on Red Hat Enterprise, SUSE, CentOS and Fedora . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Installing on Ubuntu and Debian . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
Linux External Dependencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
Installing the Firefox Security Module on Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
Installing the Thunderbird Security Module. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19

3 Uninstall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Uninstalling Linux Standard Package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
Uninstalling on Red Hat Enterprise, SUSE, CentOS and Fedora . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
Uninstalling on Ubuntu and Debian. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
Uninstalling the Core Package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
Uninstalling on Red Hat Enterprise, SUSE, CentOS and Fedora . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
Uninstalling on Ubuntu or Debian . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21

4 Configuration Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
eToken Configuration Keys. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
General Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
Initialization Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
SafeNet Authentication Client Tools UI Initialization Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 2


Document Number: 007-013842-001, Rev B
SafeNet Authentication Client Tools UI Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Token Password Quality Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35
SafeNet Authentication Client Tools UI Access Control List. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38
Security Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41
SafeNet Authentication Client Security Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43
Enforcing Restrictive Cryptographic Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43
Creating Symmetric Key Objects using PKCS#11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43
Log Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 3


Document Number: 007-013842-001, Rev B
All information herein is either public information or is the property of and owned solely by Gemalto and/or its
subsidiaries who shall have and keep the sole right to file patent applications or any other kind of intellectual
property protection in connection with such information.
Nothing herein shall be construed as implying or granting to you any rights, by license, grant or otherwise, under
any intellectual and/or industrial property rights of or concerning any of Gemalto's information.
This document can be used for informational, non-commercial, internal and personal use only provided that:
• The copyright notice below, the confidentiality and proprietary legend and this full warning notice
appear in all copies.
• This document shall not be posted on any publicly accessible network computer or broadcast in any
media and no modification of any part of this document shall be made.
Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities.
The information contained in this document is provided "AS IS" without any warranty of any kind. Unless
otherwise expressly agreed in writing, Gemalto makes no warranty as to the value or accuracy of information
contained herein.
The document could include technical inaccuracies or typographical errors. Changes are periodically added to
the information herein. Furthermore, Gemalto reserves the right to make any change or improvement in the
specifications data, information, and the like described herein, at any time.
Gemalto hereby disclaims all warranties and conditions with regard to the information contained herein,
including all implied warranties of merchantability, fitness for a particular purpose, title and non-
infringement. In no event shall Gemalto be liable, whether in contract, tort or otherwise, for any indirect,
special or consequential damages or any damages whatsoever including but not limited to damages
resulting from loss of use, data, profits, revenues, or customers, arising out of or in connection with the
use or performance of information contained in this document.
Gemalto does not and shall not warrant that this product will be resistant to all possible attacks and shall
not incur, and disclaims, any liability in this respect. Even if each product is compliant with current
security standards in force on the date of their design, security mechanisms' resistance necessarily
evolves according to the state of the art in security and notably under the emergence of new attacks.
Under no circumstances, shall Gemalto be held liable for any third party actions and in particular in case
of any successful attack against systems or equipment incorporating Gemalto products. Gemalto
disclaims any liability with respect to security for direct, indirect, incidental or consequential damages
that result from any use of its products. It is further stressed that independent testing and verification by
the person using the product is particularly encouraged, especially in any application in which defective,
incorrect or insecure e functioning could result in damage to persons or property, denial of service or
loss of privacy.
© 20010-17 Gemalto. All rights reserved. Gemalto and the Gemalto logo are trademarks and service marks of
Gemalto and/or its subsidiaries and are registered in certain countries. All other trademarks and service marks,
whether registered or not in specific countries, are the property of their respective owners.

Product Version: 10.0 Linux (Post GA)


Document Number: 007-013842-001, Rev. B
Release Date: July 2017

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 4


Document Number: 007-013842-001, Rev B
Support Contacts
We work closely with our reseller partners to offer the best worldwide technical support services. Your reseller is
the first line of support when you have questions about products and services. However, if you require additional
assistance you can contact us directly at:
If you encounter a problem while installing, registering or operating this product, please make sure that you have
read the documentation. If you cannot resolve the issue, contact your supplier or Gemalto Customer Support.
Gemalto Customer Support operates 24 hours a day, 7 days a week. Your level of access to this service is
governed by the support plan arrangements made between Gemalto and your organization. Please consult this
support plan for further information about your entitlements, including the hours when telephone support is
available to you.

Contact Method Contact Information

Customer Support Portal https://supportportal.gemalto.com


Existing customers with a Technical Support Customer Portal account
can log in to manage incidents, get the latest software upgrades,
and access the Gemalto Knowledge Base.

Technical Support contact email technical.support@gemalto.com

Additional Documentation
The following publications are available:
• 007-013843-001 SafeNet Authentication Client 10.0 Linux (Post GA) User Guide (Rev B)
• 007-013841-001 SafeNet Authentication Client 10.0 Linux (Post GA) Release Notes (RN - Rev B)

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 5


Document Number: 007-013842-001, Rev B
1 – Introduction

Introduction

SafeNet Authentication Client (SAC) is a middleware client that manages Gemalto’s extensive SafeNet portfolio
of certificate-based authenticators, including eToken, IDPrime smart cards, iKey smart card, USB and software-
based devices.
With full backward compatibility and incorporating features from previous middleware versions, SafeNet
Authentication Client ensures complete support for all currently deployed eToken and iKey devices, as well as
IDPrime MD and .NET smart cards.

Overview
SafeNet Authentication Client is Public Key Infrastructure (PKI) middleware that provides a secure method for
exchanging information based on public key cryptography, enabling trusted third-party verification of user
identities. It utilizes a system of digital certificates, Certificate Authorities, and other registration authorities that
verify and authenticate the validity of each party involved in an internet transaction.

The SafeNet Authentication Client Tools application and the SafeNet Authentication Client tray icon application
are installed with SafeNet Authentication Client, providing easy-to-use configuration tools for users and
administrators.

SafeNet Authentication Client Main Features


SafeNet Authentication Client 10.0 Linux (Post GA) introduces support for IDPrime MD cards, PKCS#11 Multi-
Slot support as well as PIN quality modifications. Support for Ubuntu, Debian, Fedora and SUSE is also included
in this version.
IDPrime MD cards are PKI smart cards. Administrators and users can use and manage IDPrime MD smart cards
seamlessly via the standard PKCS#11 interface and without the need for any additional middleware. They offer
secure IT Security and ID access and are compatible with the NFC standard.
For more details on the list of Gemalto IDPrime cards supported, See "Supported Tokens and Smart Cards" on
page 8.

NOTE:
The term Token is used throughout the document and is applicable to both Smart
Cards and Tokens.

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 6


Document Number: 007-013842-001, Rev B
1 – Introduction

SafeNet Authentication Client includes the following features1:

• Token usage, including:


• Digitally signing sensitive data
• Remote data access
• Use of SafeNet Virtual Token
• Management of certificates on the token
• Token management operations, including:
• Token initialization
• Initializing Common Criteria Certified devices
• Token Password changes
• Token unlock
• Configuration of token settings and Token Password quality
• Token renaming
• Logging
• SafeNet Authentication Client settings configuration

What’s New
SafeNet Authentication Client 10.0 Linux (Post GA) offers the following new features:
• Rebranding: SAC Linux UI and documentation have Gemalto branding.
• Support for the following IDPrime cards:
• IDPrime MD 830-FIPS
• IDPrime MD 830-ICP
• IDPrime MD 830 B
• IDPrime MD 3810 Dual Interface Card
• IDPrime MD 3810 MIFARE 1K (Contact and Contactless mode)
• IDPrime MD 3811
• Support for IDPrime .NET cards
• Support for the following IDPrime MD Common Criteria cards:
• IDPrime MD 840
• IDPrime MD 840 B
• IDPrime MD 3840 - Dual Interface Card
• IDPrime MD 3840 B
• Support for SafeNet eToken 5110 Common Criteria
• Support for SafeNet eToken 5110 FIPS
• Support for unlocking IDPrime MD card range
• Friendly Admin Password - short user friendly passwords are now supported (on IDPrime MD and
eToken 5110 CC devices) instead of using 48 hexadecimal digits. For more details, see the SafeNet
Authentication Client 10.0 Linux (Post GA) User Guide.

1.- Some of the features listed under “SafeNet Authentication Client Main Features” may not be supported on
certain IDPrime MD smart cards. For more details refer to the relevant section in this document.

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 7


Document Number: 007-013842-001, Rev B
1 – Introduction

• Support for PKCS#11 Multi-Slots - for Common Criteria devices in unlinked mode. For information on
how to work with Multi-Slots, see the PKCS#11 Digital Signature PIN section in the SafeNet
Authentication Client 10.0 Linux (Post GA) User Guide.
• PIN Quality modifications - for IDPrime MD cards

Supported Browsers and Applications


SafeNet Authentication Client 10.0 Linux (Post GA) supports the following browsers and applications:
• Firefox up to 54.0
• Firefox (ESR) for SUSE 45.4
• Thunderbird 52.1.0 (except RH 7.3 x64 - 52.1.1)

Supported Platforms
SafeNet Authentication Client 10.0 Linux (Post GA) supports the following operating systems:
• Red Hat 7.3, 6.9
• CentOS 7.3, 6.9
• SUSE 12.2
• Debian 9.0
• Fedora 26
• Ubuntu 16.04 and 17.04

Supported Tokens and Smart Cards


SafeNet Authentication Client 10.0 Linux (Post GA) supports the following tokens:

Certificate-based USB Tokens


• SafeNet eToken 5110
• SafeNet eToken 5110 CC
• SafeNet eToken 5110 FIPS
• SafeNet eToken 5110 FIPS HID
• SafeNet eToken 5110 HID

Software Tokens
• SafeNet Virtual Token
• SafeNet Rescue Token

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 8


Document Number: 007-013842-001, Rev B
1 – Introduction

Smart Cards
• Gemalto IDCore 30B eToken
• Gemalto IDPrime MD 840
• Gemalto IDPrime MD 840 B
• Gemalto IDPrime MD 3840
• Gemalto IDPrime MD 3840 B
• Gemalto IDPrime MD 830-FIPS
• Gemalto IDPrime MD 830-ICP
• Gemalto IDPrime MD 830 B
• Gemalto IDPrime MD 3810
• Gemalto IDPrime MD 3811
• Gemalto IDPrime .NET

NOTE:
For more information on IDPrime MD Smart Cards, see the IDPrime MD Configuration
Guide.

End-of-Sale Tokens/Smart Cards


• SafeNet eToken 7300
• SafeNet eToken 7300-HID

End-of-Life Tokens/Smart Cards


• SafeNet eToken PRO 32K v4.2B
• SafeNet eToken PRO 64K v4.2B
• SafeNet eToken Pro SC 32K v4.2B
• SafeNet eToken Pro SC 64K v4.2B
• SafeNet eToken 7100 (SafeNet eToken NG-Flash)
• SafeNet eToken PRO Java 72K
• SafeNet eToken PRO Anywhere
• SafeNet eToken PRO Smartcard 72K
• SafeNet eToken 5100/5105
• SafeNet eToken 5200/5205
• SafeNet eToken 5200/5205 HID
• SafeNet eToken 4100
• SafeNet eToken 7000 (SafeNet eToken NG-OTP)

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 9


Document Number: 007-013842-001, Rev B
1 – Introduction

External Smart Card Readers


SafeNet Authentication Client 10.0 Linux (Post GA) supports the following smart card readers:
• Gemalto IDBridge CT30
• Gemalto IDBridge CT40
• Gemalto IDBridge CL 3000 (ex Prox-DU)

NOTE:
SC Reader drivers must be compatible with the extended APDU format in order to
be used with RSA-2048.

License Activation
SafeNet Authentication Client 10.0 Linux (Post GA) is installed by default as non-licensed.

To activate the license perform the following steps:


1. Obtain a valid SAC License Key from SafeNet Customer Service.
2. Activate the license using one of the following procedures:
• Manual Activation
See the Licensing chapter in the SafeNet Authentication Client 10.0 Linux (Post GA) User Guide.

NOTE:
SafeNet Authentication Client retrieves the license file (SACLicense.lic) automatically, if the license
file is located in the following default path:
Linux (per user): /home/<user name>
Linux (per machine): /etc/

IDPrime MD Applet 4.0


The IDPrime MD Applet 4.0 is Common Criteria certified on IDPrime MD 840 and 3840. These cards can have
certain parameters customized in the factory with different values to the standard default profile.
The following parameters can be customized:
• Number and type of key containers
• Support of RSA 4,096-bit key containers (import operation only) - Note: The card needs to be configured
by the SAC supported key length.
• Change PIN at first use Secure messaging in contactless mode
• PINs (#1, #3 and #4 only)
• Try Limit
• Unblock PIN (PIN#1 only)
• Policy values
• Properties
• PIN validity period
• Secure messaging in contactless mode

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 10


Document Number: 007-013842-001, Rev B
1 – Introduction

Number and Type of Key Containers


By default, the IDPrime MD Applet 4.0 is pre-personalized with:
• 2 X 2,048-bit CC Sign Only RSA Keys
• 2 X 1,024-bit Standard Sign and Decrypt RSA Keys
• 8 X 2,048-bit Standard Sign and Decrypt RSA Keys
• 2 X 256-bit Standard Sign and Decrypt EC Keys

API Adjustments
The table below provides a high-level description of the adjustments that can be made to the Standard and
Extended PKCS#11 API to work with IDPrime MD CC devices. For more detailed information, see the code
samples.

Standard PKCS#11 API Extended PKCS#11 API

The C_InitToken function must receive the current The C_InitToken function must receive the current
Security Officer (SO) Password Security Officer (SO) Password

When the C_InitToken function is called, you can To initialize the IDPrime MD CC device, the ETCKA_CC
enable linked mode on the IDPrime MD CC device by attribute must be set to CK_TRUE.
using the following setting:
To initialize a device in linked mode, set the
Set the linked mode value to 1 in ETCKA_IDP_CC_LINK attribute to 1.
/etc/eToken.conf under the [Init] section
and the device must be in the factory initialized state To pass the current Digital Signature PUK value, use the
(Admin key = 48 zeros, PUK = 6 zeros) ETCKA_IDP_CURRENT_PUK attribute.

To revert a device back to unlinked mode after it was To revert a device back to unlinked mode after it was initialized
initialized in linked mode, use the PKCS#11 Extended in linked mode, set the ETCKA_IDP_CC_LINK attribute to 0
API, or by using SAC Tools initialization process. and use the ETCKA_PUK attribute to set the new Digital
Signature PUK value.

If a device is not configured to use linked mode, the If a device is not configured to use linked mode, use
C_InitToken function ignores the Digital Signature the ETCKA_PUK attribute to set the new Digital Signature
PUK and Digital Signature PIN. PUK value.

After the device has been initialized in linked mode, the If the device is initialized to use linked mode, the C_InitPIN
C_InitPIN function initializes the Digital Signature function and C_SetPIN function behaves the same as
PIN and the User PIN. Both PIN's are set to the same described in the Standard PKCS#11 section.
value.

The C_SetPIN function used with the CKU_SO flag


changes both the Administrator PIN and Digital
Signature PUK to a new value. See the SafeNet
Authentication Client User Guide for details on Friendly
Admin Password.

The C_SetPIN function used with the CKU_USER flag


changes both the User PIN and Digital Signature PIN to
a new value.

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 11


Document Number: 007-013842-001, Rev B
1 – Introduction

SafeNet eToken devices vs Gemalto IDPrime MD devices


The table below displays the differences between SafeNet eToken devices and Gemalto IDPrime MD devices.

eToken 5110, eToken 5110


Feature FIPS (and all other eToken IDPrime MD, IDPrime .Net, eToken 5110 CC
based devices)

3 Roles (Initialization key, Admin 2 Roles (Admin PIN and User PIN)
PIN, User PIN)

Device erased by using the Device is cleared by using the Admin PIN (no changes
Initialization
Initialization key are made to the scheme)

Initialization key is used only for If the Admin PIN is locked, the device cannot be cleared
initializing the device.

Dynamic profile that allows an FIPS based devices - Dynamic profile limited to 15 key
Profile unlimited number of keys depending containers
on the devices memory capacity
CC based devices - Static profile defined by perso

Off-Board (saved on token) On-Board


Password Policy Full UTF-8 character encoding Only ASCII character codes supported
capabilities supported

Enhanced Support Propriety RSM mode Support Secure Key Injection


Security Mode (via IDGo800 Minidriver)

On Board Not supported Supported


RSAPadding
(PSS/OAEP)

Deprecated 4 Roles (Admin PIN, User PIN, Digital Signature PIN,


Digital Signature PUK).

Digital Signature PIN is derived from Linked mode - User PIN and Digital Signature PIN are
the User PIN and the Digital identical and Digital Signature PUK is derived from
Common Criteria Signature PUK is derived from the Admin PIN
Administrator PIN
Unlinked mode - each role has a different value

Appropriate Athena CC certified Gemalto CC certified Applet


Applet for CC keys

Symmetric Key Support 3DES and AES Not supported


operations

Protocol for Support T1 Support T1, T0 and CTL


Contact

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 12


Document Number: 007-013842-001, Rev B
2 – Installation

Installation

Follow the installation procedures below to install SafeNet Authentication Client 10.0 Linux. Local administrator
rights are required to install or uninstall SafeNet Authentication Client.

NOTE:
• If IDGo 800 PKCS#11 is installed, be sure to remove it before installing SAC 10.0 Linux.

Installation Files
The software package provided by SafeNet includes files for installing or upgrading to SafeNet Authentication
Client 10.0 Linux (Post GA). The following Linux installation and documentation files are provided:

File Description/Use

SafenetAuthenticationClient-10.0.xx- 32-bit Installs SafeNet Authentication Client on a 32 bit platform


0.i386.rpm

SafenetAuthenticationClient-10.0.xx- 64-bit Installs SafeNet Authentication Client on a 64 bit platform.


0.x86_64.rpm

RPM-GPG-KEYSafenetAuthenticationClient 32-bit This file is the public signature (GnuPG) for SafeNet rpm files.
64-bit Relevant only for RPM. The signature confirms that the package
was signed by an authorized party and also confirms the
integrity and origin of your file. Use this file to verify the signature
of the RPM files before installing them to ensure that they have
not been altered from the original source of the packages.

SafenetAuthenticationClient-core-10.0.xx- 32-bit Installs SafeNet Authentication Client core on 32 bit platform.


0.i386.rpm Installs eToken core library and IFD Handler.

SafenetAuthenticationClient-core-10.0.xx- 64-bit Installs SafeNet Authentication Client core on 64 bit platform.


0.x86_64.rpm Installs eToken core library and IFD Handler.

SafenetAuthenticationClient-10.0.xx- 32-bit Installs SafeNet Authentication Client on 32 bit platform.


0_i386.deb

SafenetAuthenticationClient-10.0.xx- 64-bit Installs SafeNet Authentication Client on 64 bit platform.


0_amd64.deb

SafenetAuthenticationClient-core- 32-bit Installs SafeNet Authentication Client core on 32 bit


10.0.xx-0_i386.deb platform. Installs eToken core library and IFD Handler.

SafenetAuthenticationClient-core- 64-bit Installs SafeNet Authentication Client core on 32 bit


10.0.xx-0_i386.deb platform. Installs eToken core library and IFD Handler.

Documentation Files

007-013841-001_SafeNet Authentication SafeNet Authentication Client 10.0 Linux (Post GA) Release
Client_10.0_Linux_Post GA_RN_Revision B Notes

007-013843-001_SafeNet Authentication SafeNet Authentication Client 10.0 Linux (Post GA) User Guide
Client_10.0_Linux_Post GA_User_Guide_Revision B

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 13


Document Number: 007-013842-001, Rev B
2 – Installation

File Description/Use

007-013842-001_SafeNet Authentication SafeNet Authentication Client 10.0 Linux (Post GA)


Client_10.0_Linux_Post Administrator Guide (this document)
GA_Administrator_Guide_Revision B

Installing SAC on Linux Standard Package


The installation package for SafeNet Authentication Client on Red Hat, SUSE, CentOS and Fedora is the RPM
Package. RPM is an installation file that can install, uninstall, and update software packages.
For the PKCS11 module to be installed automatically on a Firefox browser during the SAC installation, make sure
the nss-tools package is installed prior to installing SAC.
• On SUSE, Fedora, Centos and Red Hat operating systems, in cases where the nss-tool package is not
installed, install it as a privileged user by running the following command: yum install nss-tools
SafeNet Authentication Client .rpm packages include:
• .rpm Package Name:
• 32-bit - SafenetAuthenticationClient-10.0.xx-0.i386.rpm
• 64-bit - SafenetAuthenticationClient-10.0.xx-0.x86_64.rpm

where: xx is the build number

To install from the package installer:


1. Double-click the relevant .rpm file.
The package installer opens.
2. Click Install Package.
A password prompt appears.
3. Enter the Super User or root password. The installation process runs.

To install from the terminal:


1. On the terminal, log on as a root user.
2. Run the following:
rpm --import RPM-GPG-KEY-SafenetAuthenticationClient
3. Run one of the following:
• On a 32-bit OS: rpm -Uvh SafenetAuthenticationClient-10.0.xx-0.i386.rpm
• On a 64-bit OS: rpm -Uvh SafenetAuthenticationClient-10.0.xx-0.x86_64.rpm

where: -hi is the parameter for installation and x is the version number.

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 14


Document Number: 007-013842-001, Rev B
2 – Installation

Installing on Ubuntu and Debian


The installation packaging for SafeNet Authentication Client running on Ubuntu is the Debian software package
(.deb).

NOTE:
For the PKCS#11 module to be installed automatically on a Firefox browser during the
SAC installation, make sure the nss-tools package is installed prior to installing SAC.

The following is the SafeNet Authentication Client .deb package:


• .deb Package Name:
• 32-bit: SafenetAuthenticationClient-10.0.xx-0_i386.deb
• 64-bit: SafenetAuthenticationClient-10.0.xx-0_amd64.deb
where: xx is the build number

To install from the package installer:


1. Double-click the relevant .deb file.
The package installer opens.
2. Click Install Package.
A password prompt appears.
3. Enter the Super User or root password.
The installation process runs.
4. To run SafeNet Authentication Client Tools, go to Applications > SafeNet > SafeNet
Authentication Client > SafeNet Authentication Client Tools.

NOTE:
To enable the tray icon menu in the notification area, log out and log back in for the icon
to appear.

To install from the terminal:


1. Enter the following:
• On a 32-bit OS: sudu dpkg -i SafenetAuthenticationClient-10.0.xx-0_i386.deb
• On a 64-bit OS: sudu dpkg -i SafenetAuthenticationClient-10.0.xx-0_amd64.deb
where: xx is the build number
A password prompt appears.
2. Enter the password.
The installation process runs.
3. If the installation fails due to a lack of dependencies, enter the following:
sudo apt-get install -f
The dependencies are installed and the installation continues.

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 15


Document Number: 007-013842-001, Rev B
2 – Installation

4. To run the SafeNet Authentication Client Quick Menu, go to: Applications > SafeNet >SafeNet
Authentication Client > SafeNet Authentication Client Tools.

NOTE:
Ensure you log out and log back in to see the tray icon menu.

Installing the Core Package

Installing on Red Hat Enterprise, SUSE, CentOS and Fedora


The installation package for SafeNet Authentication Client running on RedHat and CentOS is the RPM Package
Manager. RPM is a command line package management system that can install, uninstall, and update software
packages.

SafeNet Authentication Client .rpm packages include:


.rpm Package Name:
• 32-bit: SafenetAuthenticationClient-core-10.0.xx-0.i386.rpm
• 64-bit: SafenetAuthenticationClient-core-10.0.xx-0.x86_64.rpm

where: x is the build number

To install from the package installer:


1. Double-click the relevant .rpm file.
The package installer opens.
2. Click Install Package.
A password prompt appears.
3. Enter the Super User or root password.
The installation process runs.

To install from the terminal:


1. On the terminal, log on as a root user.
2. Run the following:
rpm --import RPM-GPG-KEY-SafenetAuthenticationClient
3. Run one of the following:
• On a 32-bit OS: rpm -hi SafenetAuthenticationClient-core-10.0.xx-0.i386.rpm
• On a 64-bit OS: rpm -hi SafenetAuthenticationClient-core-10.0.xx-0.x86_64.rpm

where: -hi is the parameter for installation and x is the version number.

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 16


Document Number: 007-013842-001, Rev B
2 – Installation

Installing on Ubuntu and Debian


NOTE:
• When installing from the user interface with a user that is not an administrator, the following
message is displayed: ‘The package is of bad quality’. Click Ignore and Install and continue
with the installation.
• After installing SAC on Ubuntu, log off, and then log back on in order for the SAC monitor to
run, and to display the tray icon.

The installation packaging for SafeNet Authentication Client running on Ubuntu is the Debian software package
(.deb).
The following is the SafeNet Authentication Client .deb package:
• .deb Package Name:
• 32-bit: SafenetAuthenticationClient-core-10.0.xx-0_i386.deb
• 64-bit: SafenetAuthenticationClient-core-10.0.xx-0_amd64.deb
where: xx is the build number

To install from the package installer:


1. Double-click the relevant .deb file.
The package installer opens.
2. Click Install Package.
A password prompt appears.
3. Enter the Super User or root password.
The installation process runs.

To install from the terminal:


1. Enter the following:
• On a 32-bit OS: sudu dpkg -i SafenetAuthenticationClient-core-10.0.xx-0_i386.deb
• On a 64-bit OS: sudu dpkg -i SafenetAuthenticationClient-core-10.0.xx-0_amd64.deb
where: n is the version number
A password prompt appears.
2. Enter the password.
The installation process runs.
3. If the installation fails due to a lack of dependencies, enter the following:
sudo apt-get install -f
The dependencies are installed and the installation continues.

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 17


Document Number: 007-013842-001, Rev B
2 – Installation

Linux External Dependencies

Red Had Enterprise, SUSE, CentOS and Fedora


• PCSC (Smart Card Resource manager): libpcsclite1

Ubuntu
• PCSC (Smart Card Resource manager): libpcsclite1

Installing the Firefox Security Module on Linux


When SafeNet Authentication Client is installed, it does not install the security module in Firefox. This must be
done manually.

To install the security module in Firefox


1. Open Firefox Preferences > Advanced >Certificates.
2. On the Encryption tab click Security Devices.
The Device Manager window opens.
3. Click Load.
The Load PKCS#11 Device window opens.
4. In the Module Filename field enter the following string:
On 32-bit: /usr/lib/libeTPkcs11.so
On 64-bit: /usr/lib64/libeTPkcs11.so

NOTE:
• To work with CC devices in unlinked mode, enter the following string for Multi-Slot support:
for 32-bit: /usr/lib/libIDPrimePKCS11.so
for 64-bit: /usr/lib64/libIDPrimePKCS11.so
• For information on how to work with Multi-Slots, see the PKCS#11 Digital Signature PIN
Authentication section of the SafeNet Authentication Client User Guide.

The Confirm window opens.


5. Click OK.
The new security module is installed.

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 18


Document Number: 007-013842-001, Rev B
2 – Installation

Installing the Thunderbird Security Module


When SafeNet Authentication Client is installed, it does not install the security module in Thunderbird. This must
be done manually.

To install the security module in Thunderbird


1. Select Thunderbird > Preferences > Advanced.
2. On the Security tab click Security Devices.
The Device Manager window opens.
3. Click Load.
The Load PKCS#11 Device window opens.
4. In the Module Filename field enter the following string:
On 32-bit: /usr/lib/libeTPkcs11.so
On 64-bit: /usr/lib64/libeTPkcs11.so

NOTE:
• To work with CC devices in unlinked mode, enter the following string for Multi-Slot support:
for 32-bit: /usr/lib/libIDPrimePKCS11.so
for 64-bit: /usr/lib64/libIDPrimePKCS11.so
• For information on how to work with Multi-Slots, see the PKCS#11 Digital Signature PIN
Authentication section of the SafeNet Authentication Client User Guide.

The Confirm window opens.


5. Click OK.
The new security module is installed.

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 19


Document Number: 007-013842-001, Rev B
3 – Uninstall

Uninstall

After SafeNet Authentication Client 10.0 Linux has been installed, it can be uninstalled. Local administrator rights
are required to uninstall SafeNet Authentication Client. When SafeNet Authentication Client is uninstalled, user
configuration and policy files may be deleted.

Uninstalling Linux Standard Package


Before uninstalling SafeNet Authentication Client 10.0 Linux, make sure that SafeNet Authentication Client Tools
is closed.

Uninstalling on Red Hat Enterprise, SUSE, CentOS and Fedora


To uninstall:
• Enter the following:
rpm -e SafenetAuthenticationClient-10.0.xx-0.i386.rpm
Where -e is the parameter for uninstalling.

Uninstalling on Ubuntu and Debian


To uninstall:
• In the console, enter the following:
sudo dpkg --purge safenetauthenticationclient
Where --purge is the parameter for uninstalling.

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 20


Document Number: 007-013842-001, Rev B
3 – Uninstall

Uninstalling the Core Package

Uninstalling on Red Hat Enterprise, SUSE, CentOS and Fedora


To uninstall:
• Enter the following:
rpm -e SafenetAuthenticationClient-core-10.0.xx-0.i386.rpm
Where -e is the parameter for uninstalling.

Uninstalling on Ubuntu or Debian


To uninstall:
• In the console, enter the following:
SafenetAuthenticationClient-core-10.0.xx-0_i386.deb
Where --purge is the parameter for uninstalling.

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 21


Document Number: 007-013842-001, Rev B
4 – Configuration Properties

Configuration Properties

SafeNet Authentication Client properties are stored on the computer as ini files which can be added and changed
to determine SafeNet Authentication Client behavior. Depending on where an ini value is written, it will apply
globally, or be limited to a specific user or application.

NOTE:
All properties can be manually set and edited.

eToken Configuration Keys


SafeNet Virtual Token keys are located in /etc/eToken.common.conf.
All other keys are located in /etc/eToken.conf.

General Settings
The following settings are written to the [General] section in: /etc/eToken.conf

NOTE:
On a Linux, the number of slots is determined by the PcscSlots and SoftwareSlots configuration
keys described here. The Reader Settings window in SafeNet Authentication Client Linux Tools
displays the number of slots that have been configured, but does not allow the user to change the
settings.

Description Value

Multi-Slot Support Value Name: MultiSlotSupport

Determines if SafeNet Authentication Client is backward Values: =0, =1


compatible with Gemalto PKCS#11 Common Criteria devices 1 - Multi-Slot support is enabled
(IDPrime MD 840, IDPrime MD 3840 and eToken 5110 CC). 0 - Multi-Slot support is disabled

The Mutli-Slot feature affects only SAC customized in compatible Default: 1


mode via IDPrimePKCS11.dll.

For more information on Multi-Slot, see the PKCS#11 Digital


Signature PIN Authentication section of the SafeNet
Authentication Client User Guide.

Software Slots Value Name: SoftwareSlots

Defines the number of virtual readers for SafeNet Virtual Tokens. Values: >=0
(0 = SafeNet Virtual Token is disabled; only
Note: Can be modified in ‘Reader Settings’ in SafeNet Authenti- physical tokens are enabled)
cation Client Tools also.
On Windows Vista 64-bit and on systems later than Windows 7 Default: 2
and Window 2008 R2, the total number of readers is limited to 10
from among: iKey readers, eToken readers, third-party readers,
and reader emulations.

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 22


Document Number: 007-013842-001, Rev B
4 – Configuration Properties

Description (Cont.) Value (Cont.)

PCSC Slots Value Name: PcscSlots

Defines the total number of PC/SC slots for all USB tokens and Values: >=0
smartcards. (0 = Physical tokens are disabled; only SafeNet
Included in this total: Virtual Token is enabled)
• the number of allocated readers for third-party providers
• the number of allocated iKey readers, which is defined during Default: 8
installation and cannot be changed
• the number of allocated readers for other SafeNet physical
tokens, which can be modified in ‘Reader Settings’ in SafeNet
Authentication Client Tools
Note: On Windows Vista 64-bit and on systems later than
Windows 7 and Window 2008 R2, the total number of readers,
consisting of this value and any enabled reader emulations, is
limited to 10.

HID Slots Value Name: HIDSlots

Defines the total number of HID slots for all HID USB tokens. Values: =0, =4, >=0

Default: 4 slots

Legacy Manufacturer Name Value Name: LegacyManufacturerName


Values:
Determines if 'Aladdin Knowledge Systems Ltd.' is written as the 1 - The legacy manufacturer name is written
manufacturer name in token and token slot descriptions 0 - The new manufacturer name is written
Use for legacy compatibility only
Default: 0

Enable Private Cache Value Name: EnablePrvCache

Determines if SafeNet Authentication Client allows the token’s Values:


private data to be cached. 1 (True) - Private data caching is enabled
Applies only to tokens that were initialized with the private data 0 (False) - Private data caching is disabled
cache setting.
The private data is cached in per process memory. Default:1 (True)
Note: Can be set in SafeNet Authentication Client Tools

Tolerate Finalize Value Name: TolerantFinalize

Determines if C_Finalize can be called by DllMain Values:


1 (True) - C_Finalize can be called by DllMain
Note: 0 (False) - C_Finalize cannot be called by DllMain
Define this property per process
Select this setting when using Novell Modular Authentication Default: 0 (False)
Service (NMAS) applications only

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 23


Document Number: 007-013842-001, Rev B
4 – Configuration Properties

Description (Cont.) Value (Cont.)

Tolerate X509 Attributes Value Name: TolerantX509Attributes

Determines if CKA_SERIAL_NUMBER, CKA_SUBJECT, and Values:


CKA_ISSUER attributes can differ from those in CKA_VALUE 1 (True) - The attributes can differ
during certificate creation 0 (False) - Check that the values match
Note:
Enable TolerantX509Attributes when using certificates created in Default: 0 (False)
a non- DER encoded binary x.509 format.
In some versions of PKI Client, this setting was not selected by
default.

Tolerate Find Templates Value Name: TolerantFindObjects

Determines if PKCS#11 tolerates a Find function with an invalid Values:


template, returning an empty list instead of an error. 1 (True) - A Find function with an invalid template
is tolerated and returns an empty list
0 (False) - A Find function with an invalid
template is not tolerated and returns an error

Default: 0 (False)

Disconnect SafeNet Virtual Token on Logoff Value Name: EtvLogoffUnplug

Determines if SafeNet Virtual Tokens are disconnected when the Values:


user logs off. 1 (True) - Disconnect SafeNet Virtual Token when
logging off
0 (False) - Do not disconnect SafeNet Virtual
Token when logging off

Default: 0 (False)

Protect Symmetric Keys Value Name: SensitiveSecret

Determines if symmetric keys are protected Values:


1 - Symmetric keys cannot be extracted
Note: 0 - Symmetric keys can be extracted
If selected, even non-sensitive symmetric keys cannot be
extracted Default: 0

Cache Marker Timeout Value Name: CacheMarkerTimeout

Determines if SAC Service periodically inspects the cache Values:


markers of connected tokens for an indication that token content 1 - Connected tokens' cache markers are
has changed periodically inspected
0 - Connected tokens' cache markers are never
Note: inspected
If tokens were initialized as "eToken PKI Client 3.65 compatible"
in SafeNet Authentication Client 8.0 and later, set this value to 0 Default: 0
to improve performance.

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 24


Document Number: 007-013842-001, Rev B
4 – Configuration Properties

Description (Cont.) Value (Cont.)

Override Non-Repudiation OIDs Value Name: NonRepudiationOID

Overrides SAC's list of standard certificate OIDs that require a Value:


high level of security Empty

Note: Default: No override


Users must log on to their tokens whenever signing with a
certificate defined as non-repudiation.

To avoid having to authenticate every time a cryptographic


operation is required for certificates containing Entrust certificate
OID details, remove the default registration key value.

Ignore Silent Mode Value Name: IgnoreSilentMode

Determines if the Token Logon window is displayed even when Values:


the application calls the CSP/KSP in silent mode. 1 (True) - Display the Token Logon window even
in silent mode
0 (False) - Respect silent mode
Note:
Set to True when the SafeNet RSA KSP must use
SHA-2 to enroll a CA private key to a token

Default: 0 (False)

Initialization Settings
The following settings are written to the [INIT] section in: /etc/eToken.conf

NOTE:
All setting in this section are not relevant to IDPrime MD cards, except for the LinkMode setting.

Description Value

Maximum Token Password Retries Value Name: UserMaxRetry

Defines the default number of consecutive failed logon attempts Values:


that lock the token. 1-15

Default: 15

Maximum Administrator Password Retries Value Name: AdminMaxRetry

Defines the default number of consecutive failed administrator Values:


logon attempts that lock the token. 1-15

Default: 15

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 25


Document Number: 007-013842-001, Rev B
4 – Configuration Properties

Description Value (Cont.)

Legacy Format Version Value Name: Legacy-Format-Version

Defines the default token format. Values:


0 - Tokens are formatted as backwardly compatible
to eToken PKI Client 3.65 (CardOS tokens only)

4 - Tokens are not formatted as backwardly


compatible, and password quality settings can be
saved on the token (CardOS tokens only)

5 - Format includes new RSA behavior that is not


controlled by key size; each key is created in a
separate directory (CardOS 4.20B FIPS or Java
Card-based tokens only)

Default:
4, for CardOS tokens
5, for 4.20B FIPS and Java Card -based tokens

RSA-2048 Value Name: RSA-2048

Determines if the token support 2048-bit RSA keys by default. Values:


Note: Can be set in SafeNet Authentication Client Tools. 1(True) - 2048-bit RSA keys are supported
0 (False) - 2048-bit RSA keys are not supported

Default: 0 (False)

OTP Support Value Name: HMAC-SHA1

Determines if the token supports OTP generation by default. Values:


This setting enables HMAC-SHA1 support, required by OTP 1 (True) - OTP generation is supported
tokens. 0 (False) - OTP generation is not supported

Note: Can be set in SafeNet Authentication Client Tools. Default: 1 (True), for OTP tokens. 0 (False), for
other tokens

RSA Area Size Value Name: RSA-Area-Size

For CardOS-based tokens, defines the default size, in bytes, of Default: depends on the token size:
the area to reserve for RSA keys. • For 16 K tokens, enough bytes for three 1024-bit
• The size of the area allocated on the token is determined keys
during token initialization, and cannot be modified without • For 32 K tokens, enough bytes for five 1024-bit
initializing the token. keys
• RSA-Area-Size is not relevant when Legacy-Format-Version is • For larger tokens, enough bytes for seven 1024-
set to 5. bit keys
Note: Can be set in SafeNet Authentication Client Tools.

Default Token Name Value Name:


DefaultLabel
Defines the default Token Name written to tokens during
initialization. Value: String

Default: My Token

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 26


Document Number: 007-013842-001, Rev B
4 – Configuration Properties

Description Value (Cont.)

API: Keep Token Settings Value Name:


KeepTokenInit
When initializing the token using the SDK, determines if the token
is automatically re-initialized with its current settings. Values:
1 (True) - Use current token settings
Note: If selected, this setting overrides all other initialization 0 (False) - Override current token settings
settings.
Default: 0 (False)

Automatic Certification Value Name:


Certification
When initializing the token using the SDK. If the token has FIPS
or Common Criteria certification, the token is automatically Values:
initialized with the original certification. 1(True) - initialize the token with the original
certification.

0 (False) - initialize the token without the certification

Default: 1 (True)
Note: Previous to SAC 8.2, the default setting was 0
(False). As CardOS 4.2 does not support both FIPS
and RSA-2048, failure to take this into account this
may lead to token initialization failure when using
PKCS#11. To prevent this, ensure that the default is
set to False, or else ensure that the application
provides both the required FIPS and RSA-2048
settings.

API: Private Data Caching Value Name:


PrvCachingMode
If using an independent API for initialization, and if 'Enable
Private Cache' is selected, determines the token’s private data Values:
cache default behavior. 0 - Always
1 - While user is logged on
2 - Never

Default: 0 (Always)

Enable Private Data Caching Modification Value Name:


PrvCachingModify
Determines if the token’s Private Data Caching mode can be
modified after initialization. Values:
1 (True) - Can be modified
0 (False) - Cannot be modified

Default: 0 (False)

Private Data Caching Mode Value Name:


PrvCachingOwner
If ‘Enable Private Data Caching Modification' is selected,
determines who has rights to modify the token’s Private Data Values:
Caching mode. 0 - Admin
1 - User

Default: 0 (Admin)

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 27


Document Number: 007-013842-001, Rev B
4 – Configuration Properties

Description Value (Cont.)

API: RSA Secondary Authentication Mode Value Name:


2ndAuthMode
If using an independent API for initialization, determines the
default behavior for protecting RSA private keys on the token.
Values:
0 - Never
1 - Prompt on application request
2 - Always prompt user
3- Always
4 - Token authentication on application request

Default: 0 -(Never)

Enable RSA Secondary Authentication Modified Value Name:


2ndAuthModify
Determines if the token’s RSA secondary authentication can be
modified after initialization. Values:
1 (True) - Can modify
0 (False) - Cannot modify

Default: 0 (False)

Use the same token and administrator passwords for digital Value Name:
signature operations. LinkMode

Values:
1 (True) - Linked
0 (False) - Unlinked

Default: 0 (False)

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 28


Document Number: 007-013842-001, Rev B
4 – Configuration Properties

SafeNet Authentication Client Tools UI Initialization Settings


The following settings are written to the [AccessControl] section in: /etc/eToken.conf

Description Value

Enable Advanced View Button Value Name: AdvancedView

Determines if the Advanced View icon is enabled in SAC Tools Values:


1 - Selected
0 - Not selected

Default: 1

The following settings are written to the [InitApp] section in: /etc/eToken.conf/

Description Value

Default Token Password Value Name: DefaultUserPassword

Defines the default Token Password Values: String

Default: 1234567890

Enable Change Password on First Logon Value Name: MustChangePasswordEnabled

Determines if the “Token Password must be changed on first Values:


logon” option can be changed by the user in the Token 1 - Selected
Initialization window. 0 - Not selected

Note: Default: 1
This option is selected by default. If the option is de-selected, it
can be selected again only by setting the registry key.

Change Password on First Logon Value Name: MustChangePassword

Determines if the Token Password must be changed on first Value:


logon option is selected by default in the Token Initialization 1 - Selected
window. 0 - Not selected

Note: Default: 1
This option is not supported by iKey.

Private Data Caching Value Name: PrivateDataCaching

If Enable Private Cache is selected, determines the token’s Values:


private data cache default behavior. 0 - (fastest) private data is cached when used by an
application while the user is logged on to the token,
Note: Can be set in SafeNet Authentication Client Tools. This and erased only when the token is disconnected
option is not supported by IDPrime MD cards. 1 - private data is cached when used by an
application while the user is logged on to the token,
and erased when the user logs off or the token is
disconnected
2 - private data is not cached

Default: 0

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 29


Document Number: 007-013842-001, Rev B
4 – Configuration Properties

Description (Cont.) Value (Cont.)

RSA Secondary Authentication Mode Value Name: RSASecondaryAuthenticationMode


Values:
Defines the default behavior for protecting RSA private keys on 0 - Never
the token 1 - Prompt user on application request
2 - Always prompt user
Note: Can be set in SafeNet Authentication Client Tools. This 3 - Always
option is not supported by IDPrime MD cards. 4 - Token authentication on application request

Default: 0

RSA Secondary Authentication Mode (continued).


Note: This option is not supported by IDPrime MD cards.

Reuse Current Token Name Value Name: ReadLabelFromToken

Determines if the token’s current Token Name is displayed as the Values:


default Token Name when the token is re initialized. 1 -The current Token Name is displayed
0 -The current Token Name is ignored

Default: 1

Maximum number of 1024-bit RSA keys Value Name: NumOfCertificatesWith1024Keys_help

Defines the amount of space to reserve on the token for Common Values:
Criteria certificates that use 1024 -bit RSA keys. 0-16 certificates
Note: This option is not supported by IDPrime MD cards.
Default: 0

Maximum number of 2048-bit RSA keys Value Name: NumOfCertificatesWith2048Keys_help

Defines the amount of space to reserve Values:


on the token for Common Criteria 1-16 certificates
certificates that use 2048-bit RSA keys.
Note: This option is not supported by IDPrime MD cards. Default: 4

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 30


Document Number: 007-013842-001, Rev B
4 – Configuration Properties

SafeNet Authentication Client Tools UI Settings


The following settings are written to the [UI] section in: /etc/eToken.conf

Description Value

Use Default Password Value Name: UseDefaultPassword

Determines if the Change Password on First Logon Values:


process assumes the current Token Password is the 1 (True) - The default Token Password is automatically
default (defined in the Default Token Password), and entered in the password field
does not prompt the user to supply it.
0 (False) -The default Token Password is not automatically
entered in the password field

Default: o (False)

Password Term Value Name: PasswordTerm

Defines the term used for the token's user password. Values (String):
Note: If a language other than English is used, ensure Password
that PIN
Passcode
Passphrase

Default: Password

Decimal Serial Number Value Name: ShowDecimalSerial

Determines if the Token Information window displays Values:


the token serial number in hexadecimal or in decimal 1 (True) -Displays the serial number in decimal format
format.
0 (False) -Displays the serial number in hexadecimal format

Default: 0

Enable Tray Icon Value Name: ShowInTray

Determines if the application tray icon is displayed Values:


when SafeNet Authentication Client is started. 0 - Never Show
1 - Always Show

Default: Always show

Enable Connection Notification Value Name: ShowBalloonEvents

Determines if a notification balloon is displayed when a Values:


token is connected or disconnected.
0 - Not Displayed
1 - Displayed

Default: 0

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 31


Document Number: 007-013842-001, Rev B
4 – Configuration Properties

Description (Cont.) Value (Cont.)

iKey LED On Value Name: IKeyLEDOn

Determines when the connected iKey LED is on. Values:


1 - The iKey LED is always on when SAC Monitor is running
Note: 0 -The iKey LED is on when the token has open
When working with applications related to Citrix, set connections only
this value to 0.
Default:1

Enable Logging Control Value Name: AllowLogsControl

Determines if the Enable Logging /Disable Logging Values:


button is enabled in the Client Settings Advanced tab 1 -Enabled
0 -Disabled

Default: 1

Home URL Value Name: HomeUrl

Overwrites the SafeNet home URL in SafeNet Values (String):


Authentication Client Tools Valid URL

Default: SafeNet’s home URL

eToken Anywhere Value Name: AnywhereExtendedMode

Determines if eToken Anywhere features are supported Values:


1 -Supported
0 -Not supported

Default: 1

Enable Certificate Expiration Warning Value Name: CertificateExpiryAlert

Determines if a warning message is displayed when Values:


certificates on the token are about to expire. 1 (True) - Notify the user
0 (False) - Do not notify the user

Default: 1 (True)

Ignore Expired Certificates Value Name: IgnoreExpiredCertificates

Determines if expired certificates are ignored, and no Values:


warning message is displayed for expired certificates 1 - Expired certificates are ignored
0 - A warning message is displayed if the token contains
expired certificates

Default: 0

Certificate Expiration Verification Frequency Value Name: UpdateAlertMinInterval

Defines the minimum interval, in days, between Values:


certificate expiration date verifications >0

Default:
14 days

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 32


Document Number: 007-013842-001, Rev B
4 – Configuration Properties

Description (Cont.) Value (Cont.)

Certificate Expiration Warning Period Value Name: ExpiryAlertPeriodStart

Defines the number of days before a certificate's Values:


expiration date during which a warning message is > =0
displayed. (0 = No warning)

Default: 30 days

Warning Message Title Value Name: AlertTitle

Defines the title to display in certificate expiration Values:


warning messages String

Default: SafeNet Authentication Client

Certificate Will Expire Warning Message Value Name: FutureAlertMessage

Defines the warning message to display in a balloon Values:


during a certificate’s “Certificate Expiration Warning String
Period.”
Default: A certificate on your token expires in
$EXPIRE_IN_DAYS days.

Certificate Expired Warning Message Value Name: PastAlertMessage

Defines the warning message to display in a balloon if a Values:


certificate's expiration date has passed. String

Default: Update your token now.

Warning Message Click Action Value Name: AlertMessageClickAction

Defines what happens when the user clicks the Values:


message balloon. 0 - No action
1 - Show detailed message
2 - Open website

Default: 0

Detailed Message Value Name: ActionDetailedMessage

If “Show detailed message” is selected in “Warning Values:


Message Click Action” setting, defines the detailed String
message to display.
No default

Website URL Value Name: ActionWebSiteURL

If “Open website” is selected in the “Warning Message Values (string):


Click Action” setting, defines the URL to display Website address

No default

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 33


Document Number: 007-013842-001, Rev B
4 – Configuration Properties

Description (Cont.) Value (Cont.)

Enable Password Expiration Notification Value Name: NotifyPasswordExpiration

Determines if a pop-up message is displayed in the Values:


system when the Token Password is about to expire. 1 (True)- A message is displayed
0 (False) - A message is not displayed

Default: 1 (True)

Display Virtual Keyboard Value Name: VirtualKeyboardOn

Determines if SafeNet’s keystroke-secure Virtual Values:


Keyboard replaces standard keyboard entry of 1 (True)- Virtual keyboard on
password fields in the following windows: 0 (False) - Virtual keyboard off
• Token Logon
• Change Password Default: 0 (False)
Note:
The virtual keyboard supports English characters only.

Password Policy Instructions Value Name: PasswordPolicyInstructions

If not empty, defines a string that replaces the default Values: String
password policy description displayed in the Unlock
and Change Password windows.

Define Initialization Mode Value Name: DefInitMode

Select this option if you want the 'Initialization Options' Values:


window (first window displayed when initializing a 0 - Display the ‘Initialization Options’ window
device) to be ignored. 1 - Set Preserve Mode
2 - Set Configure Mode

Default: 0

Import Certificate Chain Value Name: ImportCertChain

Determines if the certificate chain is imported to the Values:


token 0 - Do not import certificate chain
1 - Import certificate chain
2- User selects import behavior

Default: 0

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 34


Document Number: 007-013842-001, Rev B
4 – Configuration Properties

Token Password Quality Settings


The following settings are written to the [PQ] section in: /etc/eToken.conf

NOTE:
These settings are not relevant to IDPrime MD cards and eToken 5110 CC, as the password quality
settings reside on the card itself.

Description Value

Password - Minimum Length Value Name: pqMinLen

Defines the minimum password length. Values:


Note: Can be set in SafeNet Authentication Client Tools. >=4

Default: 6

Password - Maximum Length Value Name: pqMaxLen

Defines the maximum password length. Values:


Note: Can be set in SafeNet Authentication Client Tools. Cannot be less than the Password Minimum Length

Default: 16

Password - Maximum Usage Period Value Name: pqMaxAge

Defines the maximum number of days a password is Values:


valid. >=0
Note: Can be set in SafeNet Authentication Client Tools. (0 =No expiration)
Note: This parameter is ‘Day Sensitive’ i.e. the system
counts the day’s and not the hour in which the user made Default: 0
the change.

Password - Minimum Usage Period Value Name: pqMinAge

Defines the minimum number of days between password Values:


changes. >=0
Note: Can be set in SafeNet Authentication Client Tools. (0 = No minimum)
Note: Does not apply to iKey devices.
Default: 0

Password - Expiration Warning Period Value Name: pqWarnPeriod

Defines the number of days before expiration during Values:


which a warning is displayed. >=0
Note: Can be set in SafeNet Authentication Client Tools. (0 = No warning)

Default: 0

Password - History Size Value Name: pqHistorySize

Defines the number of recent passwords that must not be Values:


repeated. >= 0
(0 = No minimum)
Note: Can be set in SafeNet Authentication Client Tools.
Default: 10
(iKey device history is limited to 6)

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 35


Document Number: 007-013842-001, Rev B
4 – Configuration Properties

Description (Cont.) Value (Cont.)

Password - Maximum Consecutive Repetitions Value Name: pqMaxRepeated

Defines the maximum number of consecutive times a Values:


character can be used in a password. 0 - 16
Note: Can be set in SafeNet Authentication Client Tools. (0 = No maximum)
Note: Does not apply to iKey devices.
Default: 3

Password - Complexity Value Name: pqMixChars

Determines if there is a minimum number of character Values:


types that must be included in a new Token Password 1 - A minimum of 2 or 3 types must be included, as defined
The character types are: upper-case letters, lower-case in the Password- Minimum Mixed Character Types setting
letters, numerals, and special characters. 0 -The rule for each character type is defined in the
Note: Can be set in SafeNet Authentication Client Tools. character type's Include setting

Default: 1

Password - Minimum Mixed Character Types Value Name: pqMixLevel

Defines the minimum number of character types that Values:


must be included in a new Token Password. 0 - At least 3 character types
The character types are: upper-case letters, lower-case 1 - At least 2 character types
letters, numerals, and special characters.
Note: Default:0
• Applies only when the Password - Complexity setting
is set to Standard complexity.
• Can be set in SafeNet Authentication Client Tools.

Password - Include Numerals Value Name: pqNumbers

Determines if the password can include numerals. Values:


0 -Permitted
Note: 1 - Forbidden
• Applies only when the Password - Complexity setting 2 - Mandatory
is set to Manual complexity.
Default: 0
• Can be set in SafeNet Authentication Client Tools.

Password - Include Upper-Case Value Name: pqUpperCase

Determines if the password can include upper-case Values:


letters.
0 - Permitted
Note: 1 - Forbidden
• Applies only when the Password - Complexity setting 2 - Mandatory
is set to Manual complexity.
Default: 0
• Can be set in SafeNet Authentication Client Tools.

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 36


Document Number: 007-013842-001, Rev B
4 – Configuration Properties

Description (Cont.) Value (Cont.)

Password - Include Lower-Case Value Name: pqLowerCase

Determines if the password can include lower-case Values:


letters. 0 - Permitted
1 - Forbidden
Note: 2 - Mandatory
• Applies only when the Password - Complexity setting
is set to Manual complexity. Default: 0
• Can be set in SafeNet Authentication Client Tools.

Password - Include Special Characters Value Name: pqSpecial

Determines if the password can include special Values:


characters, such as @,!, &. 0 - Permitted
Note: 1 - Forbidden
• Applies only when the Password - Complexity setting 2 - Mandatory
is set to Manual complexity.
Default: 0
• Can be set in SafeNet Authentication Client Tools.

Password Quality Check on Initialization Value Name: pqCheckInit

Determines if the password quality settings are checked Values:


and enforced 1 (True) -The password quality is enforced
when a token is initialized 0 (False) - The password quality is not enforced

Note: Default: 0
We recommend that this policy not be set when tokens
are enrolled using SafeNet Authentication Manager.

Password Quality Owner Value Name: pqOwner

Defines the owner of the password quality settings on a Values:


re initialized token, and defines the default of the 0 - Administrator
Password Quality Modifiable setting. 1 - User

Default:
0, for tokens with an Administrator Password.
1, for tokens without an Administrator Password.

Enable Password Quality Modification Value Name: pqModifiable

Determines if the password quality settings on a newly Values:


initialized token 1 (True)- The password quality can be modified by the
can be modified by the owner. owner
0 (False) - The password quality cannot be modified by the
See the Password Quality Owner setting. owner

Default:
1 (True), for administrator-owned tokens
0 (False), for user owned tokens.

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 37


Document Number: 007-013842-001, Rev B
4 – Configuration Properties

SafeNet Authentication Client Tools UI Access Control List


Access Control Properties determine which features are enabled in the SafeNet Authentication Client Tools and
Tray Menu.
The following settings are written to the [AccessControl] section in: /etc/eToken.conf

Access Control Feature Value

All access control features listed below Values:

1 (True) - The feature is enabled.


0 (False) - The feature is disabled.

Default: 1(True), except where indicated in the table

The table lists all the Access Control Features.

NOTE:
All access control features are enabled by default, except where indicated in the table.

Access Control Feature Value Name Description

Rename Token RenameToken Enables/Disables the Rename Token feature in SafeNet


Authentication Client Tools.

Change Token Password ChangePassword Enables/Disables the Change Token Password feature in
SafeNet Authentication Client Tools.

Unlock Token UnlockEtoken Enables/Disables the Unlock Token feature in SafeNet


Authentication Client Tools.

Delete Token Content ClearEToken Enables/Disables the Delete Token Content feature in SafeNet
Authentication Client Tools.

View Token Information ViewTokenInfo Enables/Disables the View Token Information feature in SafeNet
Authentication Client Tools.

Disconnect SafeNet DisconnectVirtual Enables/Disables the Disconnect SafeNet Virtual Token feature
Virtual Token in SafeNet Authentication Client Tools.

Help ShowHelp Determines if the user can open the Help file in SafeNet
Authentication Client Tools.

Advanced View OpenAdvancedView Determines if the user can open the Advanced View in SafeNet
Authentication Client Tools.

Reader Settings ManageReaders Enables/Disables the Reader Settings feature in SafeNet


Authentication Client Tools.

Connect SafeNet Virtual AddeTokenVirtual Enables/Disables the Connect SafeNet Virtual Token feature in
Token SafeNet Authentication Client Tools.

Initialize Token InitializeEToken Enables/Disables the Initialize Token feature in SafeNet


Authentication Client Tools.

Import Certificate ImportCertificate Enables/Disables the Import Certificate feature in SafeNet


Authentication Client Tools.

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 38


Document Number: 007-013842-001, Rev B
4 – Configuration Properties

Access Control Feature Value Name (Cont.) Description (Cont.)


(Cont.)

Reset Default Certificate ClearDefaultCert Enables/Disables the Reset Default Certificate Selection feature
Selection in SafeNet Authentication Client Tools.

Delete Certificate DeleteCertificate Enables/Disables the Delete Certificate feature in SafeNet


Authentication ClientTools.

Export Certificate ExportCertificate Enables/Disables the Export Certificate feature in SafeNet


Authentication Client Tools.

Copy Certificate Data to CopyCertificateData Enables/Disables the Copy Certificate Data to Clipboard feature
Clipboard in SafeNet Authentication Client Tools.

Set Certificate as Default SetCertificateAsDefault Enables/Disables the Set Certificate as Default feature in
SafeNet Authentication Client Tools.

Set Certificate as Auxiliary SetCertificateAsAuxilary Enables/Disables the Set Certificate as Auxiliary feature in
SafeNet Authentication Client Tools.

Log On as Administrator LoginAsAdministrator Enables/Disables the Log On as Administrator feature in


SafeNet Authentication Client Tools.

Change Administrator ChangeAdministratorPa Enables/Disables the Change Administrator Password feature in


Password ssword SafeNet Authentication Client Tools.

Set Token Password SetUserPassword Enables/Disables the Set Token Password feature in SafeNet
Authentication Client Tools.

Token Password Retries AllowChangeUserMaxR Enables/Disables the Logon retries before token is locked
etry feature (for the Token Password) in SafeNet Authentication
Client Tools.

Administrator Password AllowChangeAdminMax Enables/Disables the Logon retries before token is locked
Retries Retry feature (for the Administrator Password) in SafeNet
Authentication Client Tools.

Advanced Initialization OpenAdvancedModeOfI Enables/Disables the Advanced button in the Token Initialization
Settings nitialize window in SafeNet Authentication Client Tools.

Change Initialization Key ChangeInitializationKey Enables/Disables the Change Initialization key button in the
during Initialization DuringInitialize Advanced Token Initialization Settings window in SafeNet
Authentication Client Tools

Common Criteria Settings CommonCriteriaPasswo Enables/Disables the Common Criteria option in the
rdSetting Certification combo box.

System Tray - Unlock TrayIconUnlockEtoken Enables/Disables the Unlock Token feature in the SafeNet
Token Authentication Client Tray Menu

System Tray - Generate GenerateOTP Enables/Disables the Generate OTP feature in the SafeNet
OTP Authentication Client Tray Menu

System Tray - Delete TrayIconClearEToken Enables/Disables the Delete Token Content feature in the
Token Content SafeNet Authentication Client Tray Menu.
Note: By default, this feature is Disabled
System Tray -Change TrayIconChangePassw Enables/Disables the Change Token Password feature in the
Token Password ord SafeNet Authentication Client Tray Menu.

System Tray - Select SwitcheToken Enables/Disables the Select Token feature in the SafeNet
Token Authentication Client Tray Menu.

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 39


Document Number: 007-013842-001, Rev B
4 – Configuration Properties

Access Control Feature Value Name (Cont.) Description (Cont.)


(Cont.)

System Tray -Synchronize SyncDomainAndTokenP Enables/Disables the Synchronize Domain Token Passwords
Domain-Token Passwords ass feature in the SafeNet Authentication Client Tray Menu.

System Tray - Tools OpeneTokenProperties Enables/Disables the Tools menu item (open SafeNet
Authentication Client Tools) in the SafeNet Authentication Client
Tray Menu.

System Tray - About About Enables/Disables the About menu item in the SafeNet
Authentication Client Tray Menu.

Enable Change IdenTrust IdentrusChangePasswo Enables/Disables the Change IdenTrust PIN feature in SafeNet
Identity rd Authentication Client Tools.

Enable Unblock IdenTrust IdentrusUnlock Enables/Disables the Unlock IdenTrust feature in SafeNet
Passcode Authentication Client Tools.

Delete Data Object DeleteDataObject Enables/Disables the Delete Data Object feature in SafeNet
Authentication Client Tools.

Allow One Factor AllowOneFactor Enables/Disables the Allow One Factor feature in the Advanced
Token Initialization Settings window in SafeNet Authentication
Client Tools.

Note: This property VerisignSerialNumber Enables/Disables the Verisign Serial number feature in SafeNet
cannot be set in the Authentication Client Tools.
Access Control Proper-
ties window. It must be
set in the registry key.

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 40


Document Number: 007-013842-001, Rev B
4 – Configuration Properties

Security Settings
The following settings are written to the [Crypto] section in: /etc/eToken.conf

Description Value

Key Management Value Name:


Key-Management-Security
Defines key creation, export, unwrap, and off-board
crypto policies. Values: (String)

Compatible - has no effect, current behavior is kept

Optimized:
• Disable the generation or creation of exportable keys
• Disable the exporting of keys, regardless of how they were
generated
• Disable the unwrap-PKCS1.5 and unwrap-AES-CBC
Strict:
• Disable the generation or creation of exportable keys
• Disable the exporting of keys, regardless of how they were
generated
• Disable the unwrap-PKCS1.5 and unwrap-AES-CBC
• Disable any usage of symmetric keys off-board including
unwrap

Default: Compatible

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 41


Document Number: 007-013842-001, Rev B
4 – Configuration Properties

Description (Cont.) Value (Cont.)

Unsupported Cryptographic Algorithms and Features Value Name: Disable-Crypto

Values: (String)

None - All algorithms are supported


Obsolete - The following are disabled: MD5, RC2, RSA<1024,
DES, GenericSecret<80, RC4<80, ECC<160, ECB, RSA-RAW
Manual - Create your own list of algorithms

The following can be disabled:


Algorithms:
RSA, ECC, AES, DES, 3DES, RC2, RC4, SHA2, SHA1,
MD5, HMAC, GenericSecret
Padding types:
RAW, PKCS1, OAEP, PSS
Cipher modes:
ECB, CBC, CTR, CCM
Mechanisms:
MAC, HMAC, ECDSA, ECDH
Operations:
Encrypt, Decrypt, Sign, Verify, Generate, Derive, Wrap,
Unwrap, Digest, Create (keys only)
Weak key size:
RSA<1024
Example of a manual configuration:
"Encrypt-DES-ECB, Sign-3DES-MAC, DES-CTR, HMAC-
MD5, HMAC-SHA1, HMAC-SHA2, DES-CBC, Unwrap-
DES-ECB, RSA-PKCS1-MD5, Verify-RSA-PSS-SHA2,
AES-CTR, AES-MAC, Decrypt-RC2, Wrap-ECB"

Default: None

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 42


Document Number: 007-013842-001, Rev B
4 – Configuration Properties

SafeNet Authentication Client Security Enhancements

Enforcing Restrictive Cryptographic Policies


To allow organizations to enforce restrictive cryptographic policies when using SafeNet smart card and USB
tokens, the following enhancements were introduced:
• Key Management Security Policy - See Security Settings on page 41 for more details.
• Disable Cryptographic Algorithm Policy - See Security Settings on page 41 for more details.
The motivation behind these enhancements:
• Legacy cryptographic schemes can cause organizations to fail current compliance requirements or
expose cryptographic weakness associated with obsolete algorithms and mechanisms.
The following enhancements were made to SafeNet Authentication Client to allow organizations to block the
use of such schemes, according to organizational policies.
• Enabling symmetric keys wrapping with other symmetric keys using GCM and CCM modes of
operation.
• Preventing legacy algorithms from being used by adding a key wrapping policy that enforces the
usage of only GCM and CCM modes of operation for symmetric encryption, and PKCS#1 v2.1
padding for RSA encryption.
• SafeNet introduced a new mechanism that allows administrators to prevent the use of legacy or obsolete
algorithms by third-party applications. These cryptographic algorithms conform to the National Institute of
Standards and Technology (NIST), preventing third-party applications from using legacy or obsolete
algorithms.
Once a restrictive policy has been set, the use of SafeNet Authentication Client with the above algorithms will
be blocked. This might have implications on the way in which the third-party’s applications currently work.

NOTE:
Administrators must make sure that the third-party applications used by the organization are
configured accordingly and do no use one of the algorithms listed above, as they will be blocked.

Creating Symmetric Key Objects using PKCS#11


The following was performed as part of SafeNet Authentication Client security enhancement campaign:
1. Protected memory was used when working with the private cache between PKCS#11 API calls. Private
cache is unlocked to retrieve data and then locked immediately after retrieving the data to ensure that there
is no sensitive data in the private cache. This ensures that the key cannot be revealed in plain text.
2. Sensitive data is securely zeroed prior to freeing up the memory.
3. AES and Generic symmetric key files were created with Secured Messaging (SM) protection so that the
Microsoft smart card transport layer does not contain any APDU data with plain symmetric key material.
For Secure Messaging (SM) to support the AES/3DES and Generic symmetric keys in SAC 10.2, the keys
must be created on an eToken Java device that is initialized in FIPS/CC mode. Applying SM to symmetric
keys changes the object format on the smart card, resulting in the keys not being backward compatible.
Keys that are created with previous SAC versions or on eToken Java devices which are formatted in non-
FIPS/CC mode will not be protected by SM.
AES/3DES keys that are created using the CKA_SENSITIVE = TRUE and CKA_EXTRACTABLE = FALSE
attributes are backward compatible (BS Object keys).

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 43


Document Number: 007-013842-001, Rev B
4 – Configuration Properties

Log Settings
The following settings are written to the [Log] section in: /etc/eToken.conf

Description Value

Enabled Value Name: Enabled

Determines if the SafeNet Authentication Client Log Value:


feature is enabled. 1 - Enabled
0 - Disabled

Default: 0 (Disabled)

Days Value Name:


Days
Defines the number of days log files will be saved
from the time the log feature was enabled. Value:
Enter the number of days (numerical).

Default:
1 day

MaxFileSize Value Name: MaxFileSize

Defines the maximum size of an individual log file. Value:


Once the maximum fil size is reached, SAC removes Enter a value in Bytes.
older log records to allow saving newer log
information. Default: 2000000 (Bytes) (Approximately 2MB)

TotalMaxSizeMB Value Name: TotalMaxSizeMB

Defines the total size of all the log files when in debug Value:
mode. (Megabytes). Enter a value in Megabytes.

Default: 0 (Unlimited)

ManageTimeInterval Value Name: ManageTimeInterval

Defines how often the TotalMaxSize parameter is Value:


checked to ensure the total maximum size has not Enter a value in minutes (numerical).
been exceeded.
Default: 60 minutes

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 44


Document Number: 007-013842-001, Rev B

You might also like