Datakey CIP

User’s Guide

Version 4.7
Datakey Inc is now SafeNet Inc.
In Q4 2004 Datakey Inc. was acquired by SafeNet Inc. In connection with this
acquisition all copyright and trademark information in this guide has been updated
to reflect the SafeNet name. Contact information has also been changed where
appropriate. For this release the name Datakey CIP is still being used as the product
name.

ii Datakey CIP User’s Guide


Copyright notice
Copyright © 2002 - 2005 SafeNet Inc. All rights reserved.

No part of this document may be reproduced or retransmitted in any form or by any
means electronic, mechanical, or otherwise, including photocopying and recording
for any purpose other than the purchaser’s personal use without written permission
of SafeNet, Inc.

Trademarks
SafeNet and Datakey are registered trademarks of SafeNet, Inc. Datakey CIP is a
trademark of SafeNet, Inc. Microsoft is a registered trademark of Microsoft
Corporation. Windows and Windows NT are registered trademarks of Microsoft
Corporation. Netscape, Netscape Communications, and Netscape product names are
trademarks of Netscape Communications Corporation. All other brand names and
product names used in this manual are trademarks, registered trademarks, or trade
names of their respective holders.

Print history

Date           Software Release          Description
June 2002      Datakey CIP Version 4.7   Initial release of the Datakey CIP User’s Guide in updated format
March 2003     Datakey CIP Version 4.7   Updated for Maintenance Update 9
October 2003   Datakey CIP Version 4.7   Updated for Maintenance Update 15, adding Citrix and CAC information
June 2004      Datakey CIP Version 4.7   Updated for Maintenance Update 19, including enhanced biometric support
August 2004    Datakey CIP Version 4.7   Updated for Maintenance Update 20, adding Terminal Server support
October 2004   Datakey CIP Version 4.7   Remove all references to the Configuration Wizard
March 2005     Datakey CIP Version 4.7   Updated for Maintenance Update 20.3, adding Passphrase Complexity support

TABLE OF CONTENTS

Chapter 1 Introduction ............................................1


What is a token? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Benefits of tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Features of Datakey tokens . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Tokens, email, and the Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
What is a digital ID? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Datakey CIP support of Common Access Card . . . . . . . . . . . . . . 5

Chapter 2 Getting Started .........................................7


System requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Compatible smart cards and tokens . . . . . . . . . . . . . . . . . . . . . . . 8
Compatible readers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Installing Datakey CIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Checking for software updates . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Initializing the token . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Uninstalling Datakey CIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Removing, adding, or changing token readers . . . . . . . . . . . . . . 19
To add a token reader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
To change token readers . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Using Datakey CIP with different applications . . . . . . . . . . . . . . 19
Online help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Additional support information . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Logging on to your smart card . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Standard passphrase logon . . . . . . . . . . . . . . . . . . . . . . . . . 21
Secure PIN Pad reader logon . . . . . . . . . . . . . . . . . . . . . . . 22
Biometric reader logon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Windows PKI-Based Smart Card Logon . . . . . . . . . . . . . . . 23
Non-PKI smart card logon . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Passphrase Complexity Rules . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Non-conforming passphrases . . . . . . . . . . . . . . . . . . . . . . . 26
How it works with other versions of SafeNet CIP . . . . . . . . . 26
PIN Pad readers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Chapter 3 Datakey CIP ISign . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27


Datakey CIP ISign . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Identrus token . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
RSA key pairs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Identity key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Initial Identity PIN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Identity PIN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Utility key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Utility PIN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Unblocking PINs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Signing Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Datakey ISign - Identrus Signing Interface . . . . . . . . . . . . . . 30

Chapter 4 Datakey CIP Thin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33


Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Citrix features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Citrix architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Installing Datakey CIP Thin on a MetaFrame server . . . . . . . . . 35
Installing Datakey CIP on a client workstation . . . . . . . . . . . . . . 36
Using Datakey CIP Thin from the client . . . . . . . . . . . . . . . . . . . 36
Token logon using a Microsoft certificate . . . . . . . . . . . . . . . . . . 37
NFuse/Web Interface support . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Two ways to authenticate, two places to authenticate . . . . . 37
Configuring NFuse/Web Interface for token/certificate-based authentication . . . 38
Configuring Microsoft IIS . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
A Note on Citrix Secure Gateway and NFuse/Web Interface . 40
Publishing PKI applications when Datakey CIP Thin is installed . . 41
Microsoft Terminal Server features . . . . . . . . . . . . . . . . . . . . . . 42
Terminal Server architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Installing Datakey CIP Thin on a Terminal Server . . . . . . . . . . . 43
Installing Datakey CIP on a Windows client workstation . . . . . . 44
Using Datakey CIP Thin from a Windows client . . . . . . . . . . . . . 44

Fat client capabilities with remote Windows XP machines . . . . . 45
Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Capabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Troubleshooting Citrix and Terminal Server issues . . . . . . . . . . 46

Chapter 5 Using the CIP Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47


Starting CIP Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Starting CIP Utilities using the Windows Start button . . . . . 47
Starting CIP Utilities using SmartMonitor . . . . . . . . . . . . . . . 47
The CIP Utilities window—Some basics . . . . . . . . . . . . . . . . . . . 48
Copying and clearing text in the right pane . . . . . . . . . . . . . 49
Changing the background color in the right pane . . . . . . . . 50
Changing the font settings . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Toolbar buttons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Modifying and updating the display . . . . . . . . . . . . . . . . . . . . . . 52
Configuring CIP Utilities options . . . . . . . . . . . . . . . . . . . . . . . . . 53
Configuring CIP DKLogger settings . . . . . . . . . . . . . . . . . . . 54
Configuring CIP Log settings . . . . . . . . . . . . . . . . . . . . . . . . 54
Enabling/disabling the Token Server . . . . . . . . . . . . . . . . . . 54
Enabling/disabling 10SR readers . . . . . . . . . . . . . . . . . . . . . 55
Configuring the Auto Cert Register Utility . . . . . . . . . . . . . . 55
Enabling/disabling the CIP Utilities log . . . . . . . . . . . . . . . . . 55
Configuring the object name display . . . . . . . . . . . . . . . . . . 55
Launching the Quality Agent . . . . . . . . . . . . . . . . . . . . . . . . 56
Specifying CIP Utilities program options . . . . . . . . . . . . . . . 56
Token reader tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Logging on/off a token . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Changing the token passphrase . . . . . . . . . . . . . . . . . . . . . 59
Changing the token label . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Changing the Inactivity Timer . . . . . . . . . . . . . . . . . . . . . . . . 60
Initializing a token . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Testing a token . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Importing a PKCS#12 file . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Displaying library version information . . . . . . . . . . . . . . . . . 64
Importing a certificate from the Windows certificate store . . . . 65
Displaying Common Access Card (CAC) data . . . . . . . . . . . 65
Certificate tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Deleting a certificate from a token . . . . . . . . . . . . . . . . . . . . 66
Moving a certificate to/from Windows . . . . . . . . . . . . . . . . . 66

Exporting a certificate to a file . . . . . . . . . . . . . . . . . . . . . . . 67
Set a certificate as the default container . . . . . . . . . . . . . . . 67
Editing certificate attributes . . . . . . . . . . . . . . . . . . . . . . . . . 68
Updating a token . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Public key and private key tasks . . . . . . . . . . . . . . . . . . . . . . . . 69
Deleting a key from a token . . . . . . . . . . . . . . . . . . . . . . . . . 69
Exporting key information to a file . . . . . . . . . . . . . . . . . . . . 69
Set a key as the default container . . . . . . . . . . . . . . . . . . . . 70
Editing public/private key attributes . . . . . . . . . . . . . . . . . . . 70
Updating a key on a token . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Data object tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Deleting a data object from a token . . . . . . . . . . . . . . . . . . . 72
Export data object information to a file . . . . . . . . . . . . . . . . . 72
Help menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Troubleshooting using CIP Utilities . . . . . . . . . . . . . . . . . . . . . . . 73
Common problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Possible solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Exiting CIP Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

Chapter 6 Unblocking a Token . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75


Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Unblocking a Datakey 330u token . . . . . . . . . . . . . . . . . . . . . . . 75
Unblocking a token from within CIP Utilities . . . . . . . . . . . . . 75
Unblocking a token using CIP Desktop . . . . . . . . . . . . . . . . 76
Unblocking an Identrus Token . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Chapter 7 Using Biometric Smart Cards and Card Readers . . . . . . . . . . . . 79


Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Enrollment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Initializing the Datakey smart card . . . . . . . . . . . . . . . . . . . . 80
Enrolling your fingerprint . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Troubleshooting enrollment errors . . . . . . . . . . . . . . . . . . . . 86
Login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Logging on using one fingerprint . . . . . . . . . . . . . . . . . . . . . 88
Logging on with multiple fingerprints . . . . . . . . . . . . . . . . . . 89
Completing the login process . . . . . . . . . . . . . . . . . . . . . . . . 90
Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

Chapter 8 Datakey CIP Desktop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
SmartMonitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
SmartLogon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
SmartNotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Passphrase Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Auto Cert Registration Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
CIP Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

Appendix A Modifying PIN Timeout and Single Sign-On Values . . . . . . . . . . . 97


PIN timeouts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Default PIN timeout values . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Creating the DWORD values . . . . . . . . . . . . . . . . . . . . . . . . 98
Modifying the PIN timeout policy . . . . . . . . . . . . . . . . . . . . . 98
AccessPolicy DWORD . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
ResetPolicy DWORD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
TimePeriod DWORD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Single Sign-On (SSO) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Configuring SSO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Trusted Application Policy . . . . . . . . . . . . . . . . . . . . . . . . . 103

Appendix B Common Access Card Differences . . . . . . . . . . . . . . . . . . . . . . . 105


What is a CAC? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Benefits of CACs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Functional differences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

Appendix C CAPI and PKCS#11 Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . 109


CAPI functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
PKCS#11 functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
PKCS#11 Version 1 – DKCK132.DLL . . . . . . . . . . . . . . . 111
PKCS#11 Version 2.0 – DKCK232.DLL . . . . . . . . . . . . . . . 114
PKCS#11 Version 2.01 – DKCK201.DLL . . . . . . . . . . . . . . 117

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

Chapter 1 Introduction

Datakey Cryptographic Interface Provider (Datakey CIP) is a package of software
and hardware components designed to enhance the security of Internet applications
that support PKCS #11 (versions 1.0 and 2.01) or Microsoft Cryptographic
Application Programming Interface (CAPI—version 2.0) standard cryptography. The
Datakey CIP user stores public and private keys on a personal token. The token is
read by the system, when necessary, to work with encrypted documents or digital
signatures.

The Datakey CIP interface software is recognized and validated by all PKCS #11 or
Microsoft CAPI-enabled security applications, which safeguards the user from any
attempt to compromise the key access software.

Popular applications that support this standard include Microsoft Outlook,
Microsoft Internet Explorer, Netscape Communicator, the Entrust PKI, Checkpoint
VPN-1 Key Management System, Betrusted UniCERT, and many other compatible
applications. Keys and certificates contained in Datakey smart cards may be shared
by Microsoft Internet Explorer, Netscape Communicator, and a host of other
applications that use these powerful Internet client products.

You may choose from two token formats: smart cards, which are credit-card sized
cards, or USB tokens, which fit on a key-ring. The complete Datakey CIP package
includes a token reader for the selected format (card or key), a blank token, and
the required interface software. Token readers attach to the computer in a number
of ways: via an available serial port or, on a portable laptop computer, as a
PCMCIA device inserted in an available PCMCIA slot.


The contents of the Datakey CIP basic package include:

• Interface Software (CD-ROM)
• User’s Guide (this document)
• Quick Start Guide
• One of the following types of tokens:
  - Smart card (Model 330)
  - USB token (iKey 2032)
  - Smart card (Model 320)
• One of the following types of readers:
  - Serial Port Smart Card Reader (DKR 810, DKR 711, DKR 610/611)
  - PCMCIA-compatible Card Reader (DKR 800, DKR 700/701, DKR 600)
  - USB Port Smart Key Reader (DKR 830, DKR 730/731, DKR 630/631)
  - PIN Pad Card Reader (Vasco Digipass DESK 850)
  - Biometric Card Reader (Precise Biometrics 100SC or 100MC)

What is a token?
A token is a tool that is ideally suited for use with applications that require the
secure storage of digital IDs and credentials. The tokens act as secure “digital
carriers”—vehicles capable of storing one or more digital representations of a
particular person. Datakey offers two main token formats:
• Smart cards, which are credit card-sized cards
• USB tokens, which are small, lightweight devices that fit on a key-ring


Benefits of tokens
Tokens provide a number of benefits:
• Security: Your private information never leaves the token, and is protected by
  two-factor security—something that is owned (the token) and something that is
  known (the token passphrase).
• Portability: Your digital credentials can go wherever you go.
• Flexibility: A token can be used to store a variety of information, including
  certificates, public keys, private keys, user names and passwords, etc.
• Simplicity: Your many passwords can be stored on a single token. In addition,
  you are less likely to lose a token than forget a password.
• Ease of use: A token is simply inserted into a token reader to activate an
  application; no complex codes need be read or entered. Further, one token can be
  used for several applications.

Features of Datakey tokens

Some of the primary features of the Datakey tokens include:
• Built-in crypto/security application (ROM-based)
  - Cryptographic functions
  - Certificate storage and handling
  - Support for multiple keys and certificates (up to EEPROM limits)
  - High performance crypto functions
  - GSA card edge interface
• FIPS 140-2 Level 2 validated.
• Supports PKCS #11 and Microsoft CryptoAPI interface requirements, enabling
  use of the same smart card to secure email and to act as an authentication token.
• 32K EEPROM for secure storage of keys, passwords, certificates, application
  programs, and data. Each smart card can hold anywhere from 15-30 certificates,
  depending on the size of the digital profile.
• On-card key generation—This means the critical private key never leaves the
  card and can't be stolen over the network or from a user's PC.
• Supports multiple encryption algorithms including RSA, DES, and Triple DES.
• Supports Secure Hash Algorithm (SHA-1) & Digital Signature Algorithm (DSA).
• Hardware/software protection against differential power attacks and timing
  attacks.


Tokens, email, and the Web


Using your token enables you to send and receive secure e-mail and to interact
securely on the Internet. Your token provides protection against many undesirable
actions, such as data disclosure to unauthorized recipients, unauthorized content
changes, message spoofing, and message repudiation. This protection is the result
of using encryption and a digital signature.

Encryption scrambles data so that only the intended recipients (who have the
correct “key”) may view it. A digital signature is an electronic mark attached to a
message that creates a strong binding between the signer and the contents of the
document. No unauthorized changes to a message can be made. A digital signature
proves who the author of the message was—the author can’t deny sending the
message.

What is a digital ID?


A digital ID is a set of electronic credentials that uniquely identify an individual.
There are two parts to a digital ID: a private key and a certificate.

Your private key is the piece of information unique to you within the Public Key
Infrastructure (PKI). Anyone who has access to your private key can impersonate
you without detection. An impersonator can read messages meant for your eyes
only, or sign documents as you. Therefore, it is important to keep your private key
secure—this is the main benefit of a token. It serves as an impenetrable safe for
your private key, ensuring that only you have access to it.

Your certificate is the public part of your digital ID. It contains your name and other
identifying information. It also contains your public key, which is mathematically
related to your private key. Using your certificate, other people can verify that you
hold your private key, and therefore, must really be who you say you are.

Digital IDs are created in a three-step process:

1. You generate a public and private key pair.
   This is done directly on your token. The private key is permanently stored on
   your token; it never leaves. The public key is sent to a trusted third party, called
   a Certificate Authority (CA).
2. The CA verifies the public key really belongs to you.
   If the verification succeeds, it creates a certificate for you and sends
   instructions on how to obtain the certificate.
3. You then download the certificate, completing the digital ID.

While this sounds like a complicated process, in practice, it is really very simple.
Most of the details are handled for you behind the scenes in software.
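The three steps above, together with the two signature properties described under “Tokens, email, and the Web” (unauthorized changes are detected, and the author cannot deny signing), can be traced end to end in a small model. The following Python is an added example; it is not code from this guide, from SafeNet, or from the card, and it does not use PKCS #11 or CAPI. It uses textbook (unpadded) RSA over SHA-1 in pure Python only so that each role is visible: the Token class stands in for the card that generates and holds a private key that is never returned, issue_certificate stands in for the CA, and the “Example CA” issuer name, the challenge bytes, the subject and the sample messages are all constructed. The model also shows why step 2 exists: the CA makes the requester prove possession of the private key before binding it to a name, so a certificate with a swapped public key fails verification at the relying party.

```python
# Added illustration, not code from the Datakey CIP guide or from SafeNet:
# the guide's three-step digital ID process modelled with textbook RSA over
# SHA-1 in pure Python. Unpadded RSA is for teaching only.
import hashlib
import secrets
from math import gcd

def is_probable_prime(n, rounds=40):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_prime(bits):
    # Top bit forced on, so p*q has at least 2*bits-1 bits (well above SHA-1's 160).
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate

class Token:
    # Stand-in for the card: the private exponent is made in step 1 and never returned.
    def __init__(self, bits=256):
        e = 65537
        while True:
            p, q = generate_prime(bits // 2), generate_prime(bits // 2)
            phi = (p - 1) * (q - 1)
            if p != q and gcd(e, phi) == 1:
                break
        self.n, self.e = p * q, e
        self._d = pow(e, -1, phi)  # private exponent stays inside the "card"

    def public_key(self):
        return self.n, self.e

    def sign(self, message):
        digest = int.from_bytes(hashlib.sha1(message).digest(), "big")
        return pow(digest, self._d, self.n)  # 160-bit digest is always < n

def verify(public_key, message, signature):
    n, e = public_key
    return pow(signature, e, n) == int.from_bytes(hashlib.sha1(message).digest(), "big")

def encode_certificate(cert):
    # Canonical bytes the CA signs (a stand-in for a DER-encoded X.509 certificate).
    return "|".join(str(cert[k]) for k in ("subject", "n", "e", "issuer")).encode()

def issue_certificate(ca, subject, public_key, challenge, proof):
    """Step 2: the CA binds subject to key only after the requester proves it
    holds the private key by signing a CA-chosen challenge."""
    if not verify(public_key, challenge, proof):
        raise ValueError("proof of possession failed; certificate not issued")
    cert = {"subject": subject, "n": public_key[0], "e": public_key[1],
            "issuer": "Example CA"}  # constructed issuer name
    return cert, ca.sign(encode_certificate(cert))

def verify_signed_message(ca_public_key, cert, cert_signature, message, signature):
    # Relying party: trust the certificate only if the CA signed it, then check
    # the message signature against the certified public key.
    if not verify(ca_public_key, encode_certificate(cert), cert_signature):
        return False
    return verify((cert["n"], cert["e"]), message, signature)

def demo():
    """Runs the three steps, then shows what a relying party rejects."""
    ca, token = Token(), Token()  # trusted third party; user's on-card key pair (step 1)
    challenge = b"constructed CA challenge nonce 0001"
    cert, cert_sig = issue_certificate(  # step 2; in step 3 the user keeps cert
        ca, "alice@example.com", token.public_key(), challenge, token.sign(challenge))
    message = b"Approve payment of 100 to account 42"  # constructed sample message
    signature = token.sign(message)
    impostor = Token()
    swapped = dict(cert, n=impostor.n, e=impostor.e)  # CA signature no longer matches
    ca_pub = ca.public_key()
    return {
        "genuine": verify_signed_message(ca_pub, cert, cert_sig, message, signature),
        "tampered_message": verify_signed_message(
            ca_pub, cert, cert_sig, b"Approve payment of 900 to account 42", signature),
        "forged_certificate": verify_signed_message(
            ca_pub, swapped, cert_sig, message, impostor.sign(message)),
    }
```

Calling demo() returns a dictionary in which only "genuine" is True: a one-digit change to the message breaks the signature, and a certificate whose key was swapped after issuance no longer carries a valid CA signature. Real tokens add PKCS #1 padding, X.509 encoding and revocation checking on top of exactly this structure.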

Datakey CIP support of Common Access Card


The U.S. Department of Defense (DoD) has adopted a smart card called the
Common Access Card (CAC) for securing access to network resources and for assured,
private electronic communications by its users. Datakey CIP is fully compliant with
the DoD CAC requirements and specifications and will support CAC cards as well
as Datakey model 330 cards in a mixed environment. For more specific information
regarding Common Access Card support refer to Appendix B on page 105.



Chapter 2 Getting Started

This chapter provides the information you need to start using Datakey CIP.

System requirements
The computer on which you install Datakey CIP software must be running one of
the following Microsoft operating systems:
• Windows 98
• Windows 2000 Professional or Windows Server 2000
• Windows 2003 Server
• Windows XP Professional
• Microsoft Windows NT 4.0 Client, Service Pack 4 or higher

In addition, your computer must meet the following minimum hardware
requirements:
• A Pentium or later processor
• A minimum of 8 Mbytes of RAM, but 16 Mbytes is recommended.
• One of the following:
  - An available serial port if you are using a token reader
  - An available PCMCIA slot if you are using a laptop computer
  - An available USB port if you are using a USB token


Compatible smart cards and tokens

Datakey CIP supports the following smart cards and tokens:
• Model 320 smart card
• Model 330, Model 330i, Model 330u, Model 330g, & Model 330m smart cards
• Model 330j Java card
• Rainbow iKey 2032 USB token

Compatible readers
Datakey CIP software is compatible with the following readers:
• Datakey Serial Port Smart Card Reader
  - DKR 810 (PC/SC) [SCM SCR 131]
  - DKR 711 (PC/SC) [OMNIKEY CardMan 2011]
  - DKR 610 (PC/SC) [Gemplus GemPC410]
  - DKR 611 (PC/SC) [Gemplus GemPC Serial]
  - 10SR
• Datakey PCMCIA Smart Card Reader
  - DKR 800 (PC/SC) [SCM SCR 241]
  - DKR 700 (PC/SC) [OMNIKEY CardMan 4000]
  - DKR 701 (PC/SC) [OMNIKEY CardMan 4040]
  - DKR 600 (PC/SC) [Gemplus GemPC400]
• Datakey USB Port Smart Key Reader
  - DKR 830 (PC/SC) [SCM SCR 331]
  - DKR 730 (PC/SC) [OMNIKEY CardMan 2020]
  - DKR 731 (PC/SC) [OMNIKEY CardMan 3121]
  - DKR 630 (PC/SC) [Gemplus GemPC430]
  - DKR 631 (PC/SC) [Gemplus GemPC USB]
• PIN Pad Card Readers
  - Vasco Digipass DESK 850
• Biometric Card Readers (Requires a Datakey 330m or 330g3 smart card)
  - Precise Biometrics 100SC
  - Precise Biometrics 100MC (USB only)


Note: Datakey CIP uses the PC/SC resource manager as an alternative smart card
reader source when used with the model 330 smart card. Please refer to the
readme.txt file on the installation CD or contact Datakey Support for a list
of qualified readers.

Installing Datakey CIP

To install Datakey CIP:

Note: Entrust and Citrix users must install their client software before installing
Datakey CIP.
1. Close all programs and applications.
2. Remove all previously installed versions of Datakey CIP.
Uninstall instructions are provided on page 18.
3. Insert the Datakey CIP CD-ROM.
It should automatically start the installation program. If it does not, navigate to
the CD and double-click the file named setup.exe.
The Welcome window is displayed.


4. Click Next.
5. Read the license information, then click Yes.
The Serial Number window is displayed.

6. Type your serial number, then click Next.
Your serial number is located on a label affixed to the back of the Datakey CIP
CD jewel case.
The Choose Destination Location window is displayed.


7. Follow the instructions for choosing the folder in which to install Datakey CIP,
then click Next.
The CIP Install window is displayed.

8. Select the CIP options you would like to install, then click Next.
A description of each is displayed when you select the option. If you are unsure
which options to select, just take the default options.

Note: The CIP Options dialog that you see depends on the Windows operating
system you are using and whether you are installing standard Datakey
CIP, Datakey CIP ISign, or Datakey CIP Thin.
• Windows 2000 and Windows XP users: If you are installing on Windows
  2000 or Windows XP and want to activate secure Windows logon, be sure
  to enable the Windows 2000/XP Logon option.
• Non-PKI users: If you want users to be able to enroll their non-PKI
  credentials on their tokens during Windows logon, be sure to enable the
  Windows 2000/XP GINA option. See page 24 for more information.
• Entrust users: If you want to use tokens in your Entrust environment, be
  sure to enable the Entrust Application Support option. In addition, if you
  are using a biometric (fingerprint) or a PIN pad card reader with your smart
  card, be sure to also enable the Datakey Identity Device option.
• Passphrase Complexity Rules users: This option requires the Windows
  2000/XP GINA option to also be enabled. See page 25 for information
  about the passphrase complexity rules.


The CIP Desktop Install window is displayed.

9. Select the CIP Desktop features you wish to install, then click Next.
A description of each feature is displayed when you select the option. The
SmartLogon and SmartNotes CIP Desktop features are available for selection
only if you have purchased the CIP Desktop option.
The Reader Install window is displayed.


10. Select the reader(s) you will be using with CIP, then click Next to continue.
If you are using a reader that is not listed, uncheck all reader options and use the
reader installation that came with your reader to install and configure it after
CIP is installed.

Note: If you are using Windows 98, only one PC/SC reader can be installed on
the PC. If you are using Windows 2000 or Windows XP, the operating
system will support more than one PC/SC reader, but only one can be
installed at a time. If you are using Windows NT 4.0, you may install more
than one PC/SC reader but problems may occur.
The Start Copying Files window is displayed.

11. Click Next to begin copying files to your computer.
The installation program will begin copying files to your computer. Follow any
special instructions that may appear. When the installation process is complete
the following window is displayed:


12. Attach your token reader to your computer.
13. Select the appropriate restart option, then click Finish.
You must restart your computer before using Datakey CIP. Follow any
subsequent prompts that may appear (for example, registering Datakey CIP with
Netscape) to complete the installation process.

Checking for software updates

You should periodically check for updates to your CIP software. Datakey provides
a simple and easy method for checking for updates.
1. Verify that you have an active Internet connection.
2. Choose Start -> Programs -> Datakey CIP -> Check For Updates to Datakey
CIP.
The CIP AutoUpdate screen appears:


3. Click Check for Update.
A connection is made to the Datakey Web site and a search is made for updates
that apply to your version of Datakey CIP.
If a new update is available, the View Readme and the Update and Install buttons
are activated.
4. To read information about the available update, click View Readme.
5. To download and install the update, click Update and Install.
The update is downloaded from the Datakey Web site. This may take a few
minutes depending on the size of the update and on the speed of your Internet
connection. When the update file has finished downloading to your computer a
dialog box similar to the following appears:

6. Click Next.
A dialog box similar to the following appears while the update is installed:

When the installation is complete a dialog box similar to the following appears:


7. Select the appropriate restart option and then click Finish.

IMPORTANT! You must restart your computer before the update will take effect.

Initializing the token


After Datakey CIP has been installed, your token may need to be initialized using
the CIP Utilities. If you received your card directly from Datakey you will need to
initialize it. If you received your card from your administrator, please consult him
or her to verify that this step is necessary. See “Initializing a token” on page 61 for
information on initializing a token.


Uninstalling Datakey CIP


If it becomes necessary to uninstall Datakey CIP, perform the following steps:

Note: The following procedure does not remove any token reader software. Your
reader software must be uninstalled separately using a similar procedure.
1. From Start menu, select Settings -> Control Panel.
2. Double-click the Add/Remove Programs icon. The Add/Remove Programs
Properties dialog is displayed.
3. Select Datakey CIP.

4. Click Change/Remove and follow the online instructions.


5. Restart the computer.


Removing, adding, or changing token readers


If you want to remove (uninstall) token readers, perform the following steps:
1. Detach (remove) the reader.
2. Access the computer configuration by choosing Start -> Settings -> Control
Panel -> System -> Device Manager.
3. Choose the reader to be removed and click Remove or Uninstall.

To add a token reader


Re-install Datakey CIP to select the new reader from the reader selection window.
Do not install the reader until the CIP re-installation is completed.

To change token readers


Remove the current reader and add the new token reader (see above).

Using Datakey CIP with different applications


Datakey CIP operates with several different applications. Datakey provides infor-
mation about using Datakey CIP with each application in separate Integration and
Configuration Guides.
• If you are using Entrust 3.0 or a later version, see the Datakey CIP/Entrust
  Integration and Configuration Guide, available on the Datakey Web site. If you
  plan to use Entrust but have not already installed it, you will need to re-install
  Datakey CIP after installing Entrust.
• If you are using Microsoft Internet Explorer, Outlook (or Outlook Express) '98,
  or Outlook 2000 with Datakey CIP, first personalize your token using the CIP
  Utilities (see Chapter 5). Then see the Datakey CIP/Microsoft Integration and
  Configuration Guide.
• If you are using Netscape Communicator with Datakey CIP, first personalize
  your token using the CIP Utilities (see Chapter 5). Then see the Datakey CIP/
  Netscape Integration and Configuration Guide.
• If you are using Check Point software, see the Datakey CIP/Check Point
  Integration and Configuration Guide.


Online help
An online help system is built into Datakey CIP Utilities and can be accessed by
selecting Help -> Help Topics at the CIP Utilities main menu.

Additional support information


Additional support is available from:
• Customer Service Engineers: SafeNet offers personal help, if necessary. There
  is no charge for help requests by fax, mail, or e-mail
  (support@safenet-inc.com).
• Telephone Support: Telephone support is available from SafeNet, Inc. Call
  Technical Support between 8:00 a.m. and 4:30 p.m. CST: (1-888-328-2539).
  After the warranty period, there is a fee per call without a maintenance contract.

Registration
If you did not complete the online registration, fill out the warranty/registration
card and mail or fax it to:

Mail: Fax:
SafeNet, Inc. (952) 890-2726
2051 Killebrew Drive
Suite #620
Bloomington, MN 55425

Online: http://www.datakey.com/products/registration


Logging on to your smart card

Overview
Smart card logons are controlled in a standard Windows environment by the
Microsoft GINA (Graphical Identification and Authentication). The standard
Microsoft GINA is a replaceable DLL component loaded and run by Winlogon.
Datakey supplements the standard Microsoft GINA by adding Datakey-specific
GINA capabilities to Datakey’s smart card software. A Datakey module,
DKGINASR, is used for Windows smart card logon and adds the following features
to the standard Microsoft GINA:
• Allows secure smart card logon with PIN pad readers
• Allows smart card logon using biometric card readers
• Allows for Windows PKI-based smart card logon
• Allows for Windows non-PKI smart card logon

Datakey CIP provides the appropriate logon prompts as needed.

Standard passphrase logon


If you are using a standard smart card and reader, you will see the following dialog
box during smart card logon:

To log on to the smart card:


1. Type your passphrase.
2. Click OK.


Secure PIN Pad reader logon

Note: PIN pad readers are supported with Windows 2000 and Windows XP.
If you are using a secure PIN Pad smart card reader, you will see the following dia-
log box during smart card logon:

Enter your PIN on the secure PIN Pad smart card reader, then press OK. Due to the
nature of secure PIN pad readers, this dialog box contains no Cancel or Shutdown
buttons. Everything is controlled directly through the PIN pad reader. This pro-
vides additional protection for your PIN because the smart card is unlocked without
the PIN traversing any of your computer’s components (keyboard, memory, etc.):
the PIN travels only from the reader’s keypad to the card, so software running on
the PC never sees it.

Biometric reader logon


If you are using a biometric smart card reader along with a Datakey smart card that
has your fingerprint enrolled on it, you will see a dialog box similar to one of the
following during smart card logon:

- OR -

Log on using your fingerprint as described in “Using Biometric Smart Cards and
Card Readers” on page 79.


Windows PKI-Based Smart Card Logon

Note: This feature is supported with Windows 2000 and Windows XP.

A PKI (public key infrastructure) provides security to otherwise insecure public
networks. It enables you to conduct secure and private transactions through the use
of several key components, including a Certificate Authority (CA), a public and
private cryptographic key pair, and a certificate management system.

The standard Microsoft Windows PKI-based smart card logon is supported trans-
parently by Datakey CIP. The smart card must contain a private/public key pair,
and a matching certificate must also be on the smart card.

To log on to a Windows PKI system using your smart card, insert your smart card
into the card reader and follow the on-screen instructions.

Non-PKI smart card logon

Note: Non-PKI smart card logon is supported with Windows 2000, Windows NT,
and Windows XP.

Non-PKI Windows smart card logon is also supported by Datakey CIP. It is
designed to let you log on to your computer with your smart card without using a
certificate that has been issued by a Certificate Authority. You can use smart card
logon without the overhead required by a PKI.

Instead of using a certificate and server, your logon credentials are stored on the
smart card. Your credentials consist of your user name, domain name, and pass-
word. Your credentials are stored privately and encrypted on the smart card, and
can only be retrieved after you have logged on to the smart card itself. Note that
the card therefore holds a copy of your actual Windows password: the passphrase
or fingerprint that unlocks the card is what protects it, and the copy must be
re-enrolled whenever the Windows password or user name changes.

After enrolling your credentials, you can log on to your computer by simply log-
ging on to your smart card; your credentials are read securely from your smart card.


Enrolling your non-PKI credentials. To enroll your Windows logon credentials
onto your smart card:
1. Begin with a prepared smart card.
Make sure the smart card is initialized and that you have properly set up the
smart card's passphrase or fingerprint enrollment.
2. Log out of your computer so you get the standard Microsoft logon screen.
You are prompted to either insert your smart card or press Ctrl-Alt-Delete.
3. Insert your smart card.
The standard Microsoft logon window appears.
4. Enter your user name, domain name, and password to log on to Microsoft Win-
dows.
If you log on to Windows successfully, and all three elements (user name,
domain, password) were entered, the following dialog box appears:

5. To add your credentials to your smart card, click OK.


6. When prompted, log on to your smart card.
Your credentials will be stored securely on the smart card.

Logging on. To log on to Windows using your smart card:


1. Make sure you have a smart card with your credentials enrolled as described
above.
2. Log out of your computer to get the standard Microsoft logon screen.
3. Insert your smart card.
4. Log on to your smart card.
If successful, the credentials enrolled on the smart card will be used to log you
onto Microsoft Windows.


Troubleshooting
If you experience difficulty logging on to Windows using your smart card (for
example, if your password or user name changes), you can still log on to Windows
by pressing Ctrl-Alt-Delete.

If, through user name changes or password changes, the credentials on your smart
card become obsolete, you can use the CIP Utilities to re-initialize your smart card
and re-enroll.

Passphrase Complexity Rules


If the Passphrase Complexity Rules option is enabled during installation (see
page 11), the following rules are enforced on smart card passphrases.
• Passphrase expiration: The passphrase used to access a smart card will expire
  in no more than six months.
• Passphrase history: The new passphrase cannot be the same as any of the pre-
  vious five passphrases.
• Passphrase length: The passphrase must be a minimum of eight characters in
  length.
• Passphrase composition: The passphrase must be composed of characters
  from at least three of the following four groups from the standard keyboard:
  • Upper case letters (A-Z)
  • Lower case letters (a-z)
  • Arabic numerals (0 through 9)
  • Nonalphanumeric characters (punctuation symbols)

Note: The default passphrase created when initializing a smart card is
PASSWORD, which does not conform to the composition rules. This
passphrase, however, will expire after one week and the composition
rules will be enforced on subsequent passphrases.
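The rules above, as an added example that is not part of this guide or of the Datakey CIP software: a small Python checker that applies the length, composition, history and expiry rules to a candidate passphrase, including the one-week lifetime of the default passphrase PASSWORD. The function names, the 182-day figure used for "six months", and the ISO date strings are this example's own assumptions; CIP's real enforcement lives in the CIP Utilities and is not shown here.

```python
# Added example: reference checker for the Passphrase Complexity Rules described
# in the guide. Not Datakey code; the names and the concrete expiry values
# (182 days for "six months", 7 days for the default passphrase) are assumptions.
import string
from datetime import date, timedelta

MIN_LENGTH = 8                           # "minimum of eight characters"
HISTORY_DEPTH = 5                        # "previous five passphrases"
MIN_GROUPS = 3                           # "at least three of the four groups"
DEFAULT_PASSPHRASE = "PASSWORD"          # set when the token is initialized
DEFAULT_LIFETIME = timedelta(days=7)     # default passphrase "will expire after one week"
NORMAL_LIFETIME = timedelta(days=182)    # "no more than six months" (assumed: 182 days)

CHARACTER_GROUPS = {
    "upper": frozenset(string.ascii_uppercase),
    "lower": frozenset(string.ascii_lowercase),
    "digit": frozenset(string.digits),
    "symbol": frozenset(string.punctuation),
}


def groups_used(passphrase):
    """Names of the keyboard character groups the passphrase draws from."""
    chars = set(passphrase)
    return {name for name, group in CHARACTER_GROUPS.items() if chars & group}


def check_passphrase(candidate, history=()):
    """Return the list of rules the candidate violates (empty list = acceptable).

    history lists the passphrases previously set on the token, most recent
    first; only the last HISTORY_DEPTH entries are compared, as the rules say.
    """
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append("length: at least %d characters required" % MIN_LENGTH)
    if len(groups_used(candidate)) < MIN_GROUPS:
        violations.append("composition: characters from at least %d of the 4 groups "
                          "required" % MIN_GROUPS)
    if candidate in list(history)[:HISTORY_DEPTH]:
        violations.append("history: matches one of the previous %d passphrases"
                          % HISTORY_DEPTH)
    return violations


def expires_on(passphrase, set_on):
    """ISO date on which a passphrase set on `set_on` (ISO date) expires."""
    lifetime = DEFAULT_LIFETIME if passphrase == DEFAULT_PASSPHRASE else NORMAL_LIFETIME
    return (date.fromisoformat(set_on) + lifetime).isoformat()


def is_expired(passphrase, set_on, today):
    """True once `today` (ISO date) has reached the expiry date."""
    return date.fromisoformat(today) >= date.fromisoformat(expires_on(passphrase, set_on))


if __name__ == "__main__":
    # Constructed sample: a token initialized with the default passphrase on
    # 2004-08-01 and two candidate replacements.
    print("default passphrase expires", expires_on(DEFAULT_PASSPHRASE, "2004-08-01"))
    for candidate in ("password", "Tr0ub4dor!"):
        print(candidate, check_passphrase(candidate, history=[DEFAULT_PASSPHRASE]) or "ok")
```

Feeding the last five passphrases as `history` is what makes the history rule meaningful; a sixth, older passphrase is accepted again, exactly as the rule is stated.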


Non-conforming passphrases

If a user tries to create a new passphrase that does not conform to these rules, the
following dialog is displayed:

How it works with other versions of SafeNet CIP


• If a smart card is initialized on a SafeNet CIP 4.7 mu20.3 system that has the
  Passphrase Complexity Rules option enabled, the complexity rules will be
  enforced by all SafeNet CIP 4.7 mu20.3 systems, even if those other systems do
  not have the option enabled.
• The complexity rules are not supported by SafeNet CIP 4.7 versions earlier than
  mu20.3. For example, if a smart card is initialized on a SafeNet CIP 4.7 mu20.3
  system that has the Passphrase Complexity Rules option enabled, but the smart
  card is subsequently initialized on a pre-mu20.3 SafeNet CIP 4.7 system, the
  complexity rules will NOT be enforced.

PIN Pad readers


The Passphrase Complexity Rules option is not supported on PIN Pad readers.

Chapter 3 Datakey CIP ISign

Overview
Identrus is a PKI-based business-to-business e-commerce solution for cases where
authentication through a financial institution is required to verify transactions.
Financial institutions act as the trusted third parties, enabling digital signatures
that provide non-repudiation for transactions. The Identrus infrastructure enables
trading partners, through their financial institutions, to conclusively identify one
another over the Internet.

The PKI functionality is supported throughout the Identrus Infrastructure. The pri-
vate keys required by the PKI infrastructure are stored on a token. When a user
signs a document as part of a transaction, the Identrus signing interface (Datakey
ISign) uses the token to create a signature.

Datakey CIP ISign is installed by selecting the ISign option during installation of
Datakey CIP, provided you have licensed Datakey CIP ISign.

Requirements
• Microsoft Internet Explorer 5.5 or later
• Microsoft Java Virtual Machine

Identrus token
The Identrus token generally refers to a PKI smart card. This token is initialized at
an initialization station within an Identrus infrastructure and contains the keys and
PKI functions necessary for signing documents and transactions within that Iden-
trus infrastructure. It is designated the Datakey Model 330i smart card.


RSA key pairs


Identrus tokens are required to have at least one RSA key pair, called the Identrus
Identity key. The Identity key is only used to sign documents during Identrus trans-
actions.

The token can also have a second optional RSA key pair, called the Identrus Utility
key. The Utility key is used for regular SSL and encryption.

Identity key
The Identity key is used to generate signatures in Identrus Identity applications.
This is done through a signing interface using the on-token key.

Initial Identity PIN

After token personalization, but before the end-user has received the token, the
Identity key is protected by the initial Identity PIN. The initial Identity PIN is
normally sent to the end-user via a PIN mailer.

Before signing a document with the Identity key, you must unlock the key by
assigning a PIN known only to you. Use the Passphrase Utility to assign a new PIN.
The initial Identity PIN is entered as the current PIN.

Identity PIN

The Identity PIN must be entered for every signature and must be at least six alpha-
numeric characters. Each time a document is to be signed you must enter the Iden-
tity PIN. If the PIN is entered incorrectly, the document will not be signed. If you
enter the wrong PIN several times in a row, the Identity key will be blocked
and you will need a special PIN to use the Identity key again. The number of con-
secutive wrong PINs that will block the key is set by the administrator. An unblock-
ing PIN (available from your administrator) will need to be used to unlock it.


Utility key
The Utility key is used to establish SSL or TLS sessions, encrypt S/MIME mes-
sages, E-Mail, etc. The use of this key is optional and is at the discretion of the par-
ties involved.

Utility PIN

The Utility PIN must be entered before the Utility key can be used for any function.
If the PIN is entered incorrectly, the function requesting the Utility key will be
denied access to the key.

Unblocking PINs
If the Identity PIN is entered incorrectly a specified number of times (this adminis-
trator-specified count is usually set to 5), the Identity key will be blocked and can-
not be used again until a valid unblocking PIN is entered.

Up to six unblocking PINs can be loaded during personalization. Each one is good
once to unblock the Identity key. If the Identity key is blocked after all the unblock-
ing PINs are used, the Identity key will be permanently blocked.

The Passphrase Utility is used when updating the PIN to a new value and to
unblock the Identity PIN. To unblock the Identity PIN, just enter the unblocking
PIN as the current PIN and enter a new Identity PIN. See Chapter 6 for more
details.

Note: The new Identity PIN must be different from both the unblocking PIN and the
previously valid Identity PIN.
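The Identity PIN lifecycle described in the "Identity PIN" and "Unblocking PINs" sections above, as an added example that is not Datakey code: a Python model of the retry counter, blocking, the single-use unblocking PINs, the permanent block once they are exhausted, and the rule that a new PIN must differ from both the unblocking PIN and the previous one. The class and method names are this example's own, a plain string comparison stands in for the on-card PIN check, and it is assumed that a wrong unblocking PIN does not count against the retry limit (the guide does not say).

```python
# Added example: model of the Identrus Identity PIN lifecycle from the guide.
# Not Datakey code. Assumptions: names are this example's own; PINs are compared
# as plain strings in place of the card's own check; an incorrect unblocking PIN
# is not counted as a wrong Identity PIN.

MIN_PIN_LENGTH = 6   # "at least six alphanumeric characters"


def valid_identity_pin(pin):
    return len(pin) >= MIN_PIN_LENGTH and pin.isalnum()


class IdentityKey:
    """State of the Identity key and the PINs that protect it."""

    def __init__(self, initial_pin, unblocking_pins, max_wrong_pins=5):
        self._pin = initial_pin                         # initial Identity PIN (PIN mailer)
        self._unblocking_pins = list(unblocking_pins)   # up to six, each good once
        self._max_wrong = max_wrong_pins                # administrator-set, usually 5
        self._wrong = 0                                 # consecutive wrong PINs
        self._initial_pin_in_use = True                 # must be replaced before signing
        self.blocked = False
        self.permanently_blocked = False

    # Passphrase Utility flow: current (or unblocking) PIN plus a new PIN.
    def change_pin(self, current, new):
        if self.permanently_blocked:
            return False
        if self.blocked:
            return self._unblock(current, new)
        if current != self._pin:
            self._count_wrong_pin()
            return False
        if not valid_identity_pin(new) or new == self._pin:
            return False
        self._set_pin(new)
        return True

    def _unblock(self, unblocking_pin, new):
        if unblocking_pin not in self._unblocking_pins:
            return False
        # The new PIN must differ from both the unblocking PIN and the previous one.
        if not valid_identity_pin(new) or new in (unblocking_pin, self._pin):
            return False
        self._unblocking_pins.remove(unblocking_pin)    # consumed: good once
        self.blocked = False
        self._set_pin(new)
        return True

    def _set_pin(self, new):
        self._pin = new
        self._wrong = 0
        self._initial_pin_in_use = False

    # Signing interface: the Identity PIN is entered for every signature.
    def authorize_signature(self, pin):
        """True if the key may be used for one signature with this PIN."""
        if self.blocked or self.permanently_blocked or self._initial_pin_in_use:
            return False
        if pin != self._pin:
            self._count_wrong_pin()
            return False
        self._wrong = 0
        return True

    def _count_wrong_pin(self):
        self._wrong += 1
        if self._wrong >= self._max_wrong:
            self.blocked = True
            if not self._unblocking_pins:       # nothing left to unblock with
                self.permanently_blocked = True

    def unblocking_pins_left(self):
        return len(self._unblocking_pins)


if __name__ == "__main__":
    # Constructed sample: initial PIN and two unblocking PINs loaded at personalization.
    key = IdentityKey("481516", ["UNB001", "UNB002"], max_wrong_pins=3)
    print("sign with initial PIN:", key.authorize_signature("481516"))
    print("assign own PIN:", key.change_pin("481516", "abc123"))
    for _ in range(3):
        key.authorize_signature("000000")
    print("blocked:", key.blocked, "unblocking PINs left:", key.unblocking_pins_left())
    print("unblock:", key.change_pin("UNB001", "xyz789"), "blocked:", key.blocked)
```

The point a practitioner should take from the model is the ordering of checks: a signature is refused while the initial PIN is still in use, every wrong Identity PIN counts toward the block, and the block becomes permanent only when it happens with no unblocking PIN left.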


Signing Interface
The Signing Interface can be a Plug-In for the browser or a Java Applet called dur-
ing the request for the document signature. This interface allows you to view the
document prior to performing the signing action.

Note: Before signing a document with the Identity Key, the user must unlock the
key by assigning a new PIN. The Identrus PIN Utility is used to assign a new
Identity PIN. The Initial Identity PIN is entered as the current PIN.

Datakey ISign - Identrus Signing Interface

The Datakey Identrus Signing Interface is called "Datakey ISign." This interface is
automatically activated when an Identrus Signature is requested. The user has the
option to review, save, and sign the document at that time.

Note: The Datakey ISign signing interface only supports plain-text documents at
this time. You should never sign text you cannot read; formats such as PDF
and Microsoft Word can carry hidden text, which is why they are not supported.


The Datakey ISign interface includes the following:


• Main Text Area: The main text area, which in the sample above is displaying
  the text This is a test file, will display the entire text that is to be signed. If the
  text does not fit in the viewing area, scroll bars can be used to scroll through the
  document. This is the text that you are being asked to sign.
• Identrus Certificate Store: The Identrus Certificate Store field displays the
  certificate name. This name is part of the certificate requested from the Identrus
  Certificate Server (CA).
• Identity PIN: Enter the Identity PIN in the Identity PIN field. Each character
  displays as a '*' to maintain the PIN’s privacy.
• Save As: The Save As button prompts for a name and location to save the docu-
  ment. You can then save the document and return to the signing interface win-
  dow.
• Sign: The Sign button signs the document displayed in the main text area with
  the on-token key and closes the signing interface window.
• Cancel: The Cancel button cancels the signing operation and closes the signing
  interface window.

Chapter 4 Datakey CIP Thin

Overview
Datakey CIP Thin software is designed to be installed on servers such as Citrix
MetaFrame servers and on Windows Terminal Servers. Doing so gives a thin client
(a computer containing only the very basic hardware and software components) the
ability to access PKI and smart card-enabled applications that reside on those serv-
ers. And because the server applications are able to access a token reader that is
attached to the thin client, token-based authentication using certificates/keys and
user names/passwords is possible. Installing Datakey CIP Thin on servers there-
fore:
• Provides token-based security for thin clients that need access to PKI and smart
  card-enabled applications that reside on a server
• Simplifies your ongoing integration and deployment tasks because software is
  installed only on your servers and not on your workstations

If desired, standard Datakey CIP software can be installed on a client workstation
to provide additional capabilities. Installing Datakey CIP on a workstation creates
a fat client. This gives the user the ability to authenticate to and run applications
that reside on either a server or on the local workstation. Both sets of applications
are able to access the same locally attached token. In addition, fat clients support
“roaming”—users can disconnect from a session on one fat client and reconnect to
that same session on a different fat client.

The remainder of this chapter is broken into two parts:


• Citrix implementation considerations (page 34 - page 41)
• Terminal Server and Remote Desktop implementation considerations
  (page 42 - page 45)


Citrix features
The following list identifies the functionality supported by Datakey CIP Thin
within a Citrix environment.
• Token logon to Citrix MetaFrame servers (MetaFrame XP FR 2) from either a
  thin client or a fat client.
• Token access by server applications to client card readers/tokens.
• Same token access by both fat client applications and server-based applications.
• Direct token logon to server console via a token attached to the server.
• Biometric and PIN Pad logon from a fat client to MetaFrame server.
• Connections between clients and server via Citrix Program Neighborhood.
• Connections between clients and server via NFuse/Web Interface.
• Reestablishment of disconnected sessions from a fat client (fat client roaming).

Citrix architecture
The following figure illustrates the use of Datakey CIP Thin in a Citrix environ-
ment.

[Figure: Datakey CIP Thin in a Citrix environment]
Thin Client (Citrix client software) -> access via Citrix Program Neighborhood -> Windows-based MetaFrame Server
Fat Client (Datakey CIP; Windows 98SE, NT 4.0 SP6, 2000 Pro, or XP Pro) -> Internet, Web access via NFuse/Web Interface -> Windows-based MetaFrame Server
Windows-based MetaFrame Server with: Datakey CIP Thin; Windows NT 4.0 Server, 2000 Server, or 2003 Server; published applications; published desktop


Installing Datakey CIP Thin on a MetaFrame server


Datakey CIP Thin software cannot be installed on the server until the Citrix
MetaFrame server software has been installed and is operable. Datakey CIP Thin
can be installed on any MetaFrame server running Windows NT 4.0 SP6a, Win-
dows 2000 Server, or Windows 2003 Server. Datakey CIP Thin should be installed
on all the MetaFrame servers in your server farm.

To install Datakey CIP Thin, perform the following steps:

Note: The administrator does this, and it is only done once.


1. Log directly onto the MetaFrame server console as administrator.
Installation will fail if logged in through a Citrix session.
2. From a command prompt, type the following command:
change user /install
3. Install Datakey CIP Thin from the CD, using the serial number supplied.
If you have both Datakey CIP and Datakey CIP Thin serial numbers, be sure to
enter the CIP Thin serial number.
4. When presented with the list of reader types:
• If there is a card reader attached to the server be sure to select that reader.
• If there is no card reader attached to the server do not select a reader.
• If there are one or more thin clients in your network that use a Datakey
  10SR reader, select the Datakey 10SR reader in addition to your server
  reader.
5. When the installation is finished, reboot the MetaFrame server and log on as the
administrator to complete the installation process.


Installing Datakey CIP on a client workstation


If you require secure access to both workstation- and server-based applications, you
must create a fat client configuration by installing Datakey CIP on each client
workstation. Datakey CIP cannot be installed on a client workstation until the Cit-
rix client software has been installed and configured to enable the user to log on to
the MetaFrame server.

To install Datakey CIP on a workstation, perform the following steps:


Note: The administrator does this, and it is done once per workstation.
1. Log on to the client workstation as administrator.
2. Install Datakey CIP from the CD using the appropriate serial number.
3. Proceed with the installation using the standard Datakey CIP install process.

Using Datakey CIP Thin from the client


From the client perspective, the server-based Datakey CIP Thin software functions
exactly the same as the workstation-based Datakey CIP software. When a client
logs on to a server application through Citrix MetaFrame, Datakey CIP Thin pro-
vides the same token-based functionality available in standard Datakey CIP. Not
only can the client authenticate to an application using certificates/keys or user
names/passwords, they can also personalize tokens, view information about the
reader and the token, test the token, and manage certificates.

Fat clients (clients with Datakey CIP installed) can do all that thin clients can do,
but in addition they have secure access to local applications.


Token logon using a Microsoft certificate


Users can log on to a MetaFrame server from a thin or fat client machine using a
Microsoft logon certificate that is stored on a local token. In order to do so the fol-
lowing requirements must be met:
• The MetaFrame server must be a Windows 2000 server (or higher)
• The MetaFrame server must contain MetaFrame XP software (Feature
  Release 2) and Datakey CIP Thin 4.7 software (MU 20 or higher)
• The client machine must contain PC/SC software (e.g. Microsoft Resource
  Manager and WinSCard.dll)
• The client machine must contain Citrix client software that supports tokens
  (ICA Client 6.3.x or higher)
• The Citrix client software must be configured to enable token (smart card)
  logon
• The logon certificate must be stored on a token and the token inserted into a
  card reader that is attached to the client machine
• The MetaFrame server should be a member of the domain listed in the logon
  certificate that is stored on the token.

NFuse/Web Interface support


All Datakey CIP MetaFrame features that work through Citrix Program Neighbor-
hood also work through the Citrix NFuse/Web Interface client software. Users can
authenticate to the NFuse/Web Interface using either user names and passwords or
via certificates stored on their token. Once authenticated to the NFuse/Web Inter-
face users can launch MetaFrame published applications or connect to published
desktops through their Web browser rather than through Citrix Program Neighbor-
hood. Applications that run on the MetaFrame server, regardless of whether
launched as a published application or started within a published desktop, will be
able to access the token residing at the user’s client machine.

Two ways to authenticate, two places to authenticate

When a user connects to a MetaFrame server using Citrix Program Neighborhood
the user only needs to authenticate to one server: the MetaFrame server. On the
other hand, when a user connects to a MetaFrame server via the NFuse/Web Inter-
face the user needs to authenticate to two servers; first to the NFuse/Web Interface
Web server, and then again to the MetaFrame server each time the user launches a
published application or published desktop. These two authentication steps can be
configured independently of each other. For example, you could configure the Web
server to require token/certificate-based authentication but configure MetaFrame to
allow user name/password-based authentication. With two ways to authenticate,
and two places to which to authenticate, there are four different possible configura-
tions:

Configuration   NFuse/Web Interface Web server   MetaFrame server
1               User name/password               User name/password
2               User name/password               Certificate from token
3               Certificate from token           User name/password
4               Certificate from token           Certificate from token

Datakey CIP Thin supports all four configurations. There are, however, limitations
with some of the configurations. Configurations 3 and 4 are only supported from
fat clients because Datakey CIP must be present on the client machine to support
the retrieval of the certificate from the token.

Configurations 1 and 2 are supported on either thin or fat clients and do not require
any special configuration steps. The standard NFuse/Web Interface installation and
configuration instructions provided by Citrix will suffice. Configurations 3 and 4,
however, do require additional configuration steps beyond what is mentioned in the
Citrix documentation.

Configuring NFuse/Web Interface for token/certificate-based authentication
Refer to the Citrix NFuse Classic Administrator’s Guide or the Citrix Web Inter-
face for MetaFrame XP Administrator’s Guide for details on how to enable NFuse/
Web Interface token support. All the required steps listed in those administrator’s
guides are necessary. However, do not enable any of the Citrix-provided pass-
through authentication features; they are not secure.

In addition to the steps listed in the Citrix administrator’s guides, the Web server
itself must be configured to require secure SSL connections and token/certificate-
based authentication. The following section describes a sample set of Microsoft IIS
settings which enables secure SSL connections and token/certificate-based authen-
tication to your NFuse/Web Interface Web site.

Configuring Microsoft IIS

Note: To enable token/certificate-based authentication to the NFuse/Web Interface
Web server, both the full Citrix client software and Datakey CIP must be
installed on the client workstation. It is not possible to do token/certificate-
based authentication to NFuse/Web Interface from thin clients.
1. Using the Administrator application Internet Information Services, right-click
on <server-name> and select Properties.
2. Select the Master Properties WWW Service, click Edit and then select the
Directory Security tab.
3. Select the "Enable the Windows directory service mapper" check box.
4. In the Anonymous access and authentication control section, click Edit and then
enable the Integrated Windows authentication check box.
5. Right-click on <server-name>/Default Web Site, select Properties and then
select the Directory Security tab.
6. Install a server certificate.
7. In the Secure communications section click Edit and then enable the following:
• Require secure channel (SSL)
• Require client certificates
• Enable client certificate mapping
8. In the Anonymous access and authentication control section, click Edit and
then:
• Clear the Anonymous access check box (disable it)
• Enable the Integrated Windows authentication check box.
If the Inheritance Overrides dialog box appears, click Select All and then click
OK.
9. Right-click on <server-name>/Default Web Site/Citrix, select Properties and
then select the Directory Security tab.


10. In the Secure communications section click Edit and then enable the following:
• Require secure channel (SSL)
• Require client certificates
• Enable client certificate mapping
11. In the Anonymous access and authentication control section, click Edit and
then:
• Clear the Anonymous access check box (disable it)
• Enable the Integrated Windows authentication check box.
If the Inheritance Overrides dialog box appears, click Select All and then click
OK.

A Note on Citrix Secure Gateway and NFuse/Web Interface

If you are deploying both Citrix Secure Gateway and NFuse/Web Interface and you
wish to use authentication configurations 3 or 4, you must not configure the NFuse/
Web Interface to be behind the Citrix Secure Gateway; these two must be config-
ured to be in parallel. See Figure 1.1 in the Citrix document Best Practices for
Securing Citrix Secure Gateway Deployment.


Publishing PKI applications when Datakey CIP Thin is installed
The Citrix MetaFrame product gives administrators the ability to configure pub-
lished applications. Perform the following steps to publish PKI applications once
Datakey CIP Thin is installed:

Note: The following steps apply only to Windows NT 4.0 Terminal Server users.
Windows 2000 Server (or later) users can simply follow the instructions in
the MetaFrame Administrator's Guide.
1. Log on to the MetaFrame Server as Administrator.
2. Begin following the steps in the MetaFrame Administrator's Guide for publish-
ing an application.
3. When asked to enter the command line to run the application, click on the
Browse button and navigate to the folder in which Datakey CIP Thin is
installed.
This is typically W:\Program Files\Datakey\crypt32. Select the file
StartApp.bat and click Open.
4. Edit the command line entry that appears and add as a parameter to StartApp.bat
the path to the application to publish. For example:
“M:\Program Files\Datakey\Crypt32\StartApp.bat" M:\MyFolder\MyApp.exe
The path to the application must be outside the double quotes.
5. Change the working directory if a different one is desired.
6. Continue following the steps in the MetaFrame Administrator's Guide.
7. When finished, right-click on the new entry that appears in the Published Appli-
cation Manager display and select Properties.
8. Click the Change Icon button.
9. Navigate to the application just published (e.g. M:\MyFolder\MyApp.exe),
select it and click Open.
10. Click OK twice to exit the Properties dialog.

Microsoft Terminal Server features


The following list identifies the functionality supported by Datakey CIP Thin within a Microsoft Terminal Server environment.
• Token (smart card) logon to Terminal Servers (Windows 2003 Server) from either a thin client or a fat client.
• Token access by server applications to client card readers/tokens.
• Same token access by both fat client applications and server-based applications.
• Direct token logon to server console (Windows Server 2000 or Windows 2003 Server) via a token attached to the server.
• Biometric and PIN Pad logon from a fat client to Terminal Server.
• Connections from clients to Terminal Servers via Remote Desktop Protocol (RDP) V5.1.
• Reestablishment of disconnected Windows 2003 Terminal Server or Windows XP sessions from a fat client (fat client roaming).

Terminal Server architecture


The following figure illustrates the use of Datakey CIP Thin in a Terminal Server
environment.

[Figure: Terminal Server architecture. A Thin Client (MS Remote Desktop software) and a Fat Client (Datakey CIP, Windows 2000 Pro or XP Pro) connect via Remote Desktop Protocol (RDP) to a Terminal Server running Datakey CIP Thin on Windows 2003 Server.]

Installing Datakey CIP Thin on a Terminal Server


To install Datakey CIP Thin on a Windows 2003 Terminal Server, perform the following steps:

Note: You must install Datakey CIP Thin on any server that has terminal services
enabled. Failing to install Datakey CIP Thin on such a server will prevent
Datakey CIP from functioning.
1. Log directly onto the Terminal Server console as administrator.
2. From a command prompt, type the following command:
change user /install
3. Install Datakey CIP Thin from the CD using the serial number supplied (you must use the CD; you cannot install Datakey CIP Thin over a network). If you have both Datakey CIP and Datakey CIP Thin serial numbers, be sure to enter the Datakey CIP Thin serial number.
4. When presented with the list of reader types:
• If there is a card reader attached to the server, be sure to select that reader.
• If there is no card reader attached to the server, do not select a reader.
• If there are one or more thin clients in your network that use a Datakey 10SR reader, select the Datakey 10SR reader in addition to your server reader.
5. When the installation is finished, reboot the Terminal Server and log on as the administrator to complete the installation process.

Installing Datakey CIP on a Windows client workstation


If you require secure access to both workstation- and server-based applications, you
must create a fat client configuration by installing Datakey CIP on each Windows
client workstation.

To install Datakey CIP on a workstation, perform the following steps:

Note: The administrator does this, and it is done once per workstation.
1. Log on to the client workstation as administrator.
2. Install Datakey CIP from the CD using the appropriate serial number.
3. Proceed with the installation using the standard Datakey CIP install process.

Using Datakey CIP Thin from a Windows client


From the Windows client perspective, the server-based Datakey CIP Thin software functions exactly the same as the workstation-based Datakey CIP software. When a client logs on to a Terminal Server application, Datakey CIP Thin provides the same token-based functionality available in standard Datakey CIP. Not only can the client authenticate to an application using certificates/keys or user names/passwords, they can also personalize tokens, view information about the reader and the token, test the token, and manage certificates.

Fat clients (clients with Datakey CIP installed) can do all that thin clients can do,
but in addition they have secure access to local applications.

Fat client capabilities with remote Windows XP machines

Architecture
The following figure illustrates how fat clients can interact with remote Windows
XP machines.

[Figure: Two Fat Clients (Datakey CIP, Windows 2000 Pro or Windows XP Pro) connect via Remote Desktop Protocol (RDP) to a Remote Windows XP Machine running Datakey CIP Thin or Datakey CIP.]

Capabilities
• Remote desktop connections from a fat client to a remote Windows XP machine.
• Token (smart card) logon to remote Windows XP machines from a fat client.
• Biometric and PIN Pad logon from a fat client to a remote Windows XP machine.
• Reestablishment of disconnected Windows XP sessions from a fat client (fat client roaming).
• Fast user switching (switching between different users on the same Windows XP machine) is supported but is mutually exclusive with Remote Desktop: the Windows XP machine cannot be configured for both fast user switching and Remote Desktop.

Troubleshooting Citrix and Terminal Server issues


This section contains solutions to some of the more common problems you might experience while using CIP Thin in a Citrix or Terminal Server environment.
• Improperly disconnecting from a Citrix server: If you are on a thin client and you disconnect from a Citrix server rather than logging off, the session will remain open but in a disconnected state. In order to reestablish communication with the local smart card reader, you must log off properly and then log back in.
• Roaming: If you leave a session on one computer and then attempt to reestablish the session at a different computer (roaming), both computers must contain the same number of readers and the same models of readers. Roaming will fail if both computers do not have the exact same reader configuration.
• Remote desktop connections: In order to make a remote desktop connection, both computers must contain the exact same reader configuration. Also, before starting the connection, make sure the smart card is inserted in the card reader.
• Attempting to “multi-hop”: You can make a remote desktop connection from Computer A to Computer B, but if you attempt to multi-hop by making a subsequent connection to Computer C, the connection will fail.



Chapter 5 Using the CIP Utilities

The Datakey CIP Utilities is an intuitive, easy-to-use program that is used to view and manage Datakey tokens and the objects contained on the tokens. The program reports token and reader status and can be used for base-level diagnostics. Administrators can configure the functionality and features available for enterprise deployment through an administrative wizard included with CIP Utilities.

This chapter describes how to use the CIP Utilities program. Not every menu
option described in this chapter may be available to every user. See page 56 for
more information.

Starting CIP Utilities


There are two methods for starting the CIP Utilities program.
• Using the Windows Start button
• Using SmartMonitor

Starting CIP Utilities using the Windows Start button

To start CIP Utilities from the Windows Start button, select Start -> Programs ->
Datakey CIP -> CIP Utilities. The CIP Utilities window is displayed.

Starting CIP Utilities using SmartMonitor


If Datakey CIP Desktop is installed on your system, you can start CIP Utilities
using the SmartMonitor icon.

1. Right-click the SmartMonitor icon located in your computer’s system tray.
2. Select the CIP Utilities menu option.
The CIP Utilities window is displayed.

The CIP Utilities window—Some basics


When CIP Utilities is started, a window similar to the following appears:

[Figure: the CIP Utilities window, showing a left pane and a right pane.]

The CIP Utilities window is divided into two panes.


• The left pane displays all the available tokens, readers, and the contents of the token within each reader. The contents displayed for each token will vary: the public contents are always displayed; the private contents (private keys, data objects, etc.) are displayed only if you are logged in to the token.
• The right pane displays information about the item selected in the left pane. You can adjust the size of the right pane by clicking and dragging the left edge of the right pane.

It is very simple to get information about any object displayed in the left pane. Simply click the item that you want information about, and the information is automatically displayed in the right pane.

Note: Many of the tasks performed within CIP Utilities involve right-clicking objects to display a right-click menu. If you don’t have a mouse or if you prefer to use the keyboard, pressing either Shift-F10 or the Windows Application key will display the right-click menu.

Copying and clearing text in the right pane

You can copy some or all of the text displayed in the right pane to your computer’s
clipboard. You can also clear all text from the right pane. To perform either of
these actions, perform the following steps:
1. Position the cursor in the right pane.
2. (Conditional) If you wish to copy a specific block of text, select the desired text
from within the right pane.
3. Right-click the mouse.
The following menu appears:


4. Select the appropriate menu option.


• To copy selected text, select Copy.
• To copy all text in the right pane, select Copy All.
• To clear all text in the right pane, select Clear.

Note: If you paste copied text into another application and the text is not visible,
it’s probably because your font color is set to white. Try changing the font
color within the application or within CIP Utilities (see page 51).

Changing the background color in the right pane

You can modify the appearance of the information displayed in the right pane by
changing the background color and font settings. To change the background color
in the right pane, perform the following steps:
1. Position the cursor in the right pane, then right-click the mouse.
The following menu appears:

2. Select Set Background Color.


The Color window appears.

3. Select the desired background color, then click OK.


Changing the font settings

To change the font settings in the right pane, perform the following steps:
1. Position the cursor in the right pane, then right-click the mouse.
The following menu appears:

2. Select one of the font menu items.


• Set Font Color: Select this menu item to modify the font color.
• Font: Select this menu item to specify a Normal font, a Bold font, or an Italic font.
• Font Size: Select this menu item to specify the size of the font.

Toolbar buttons

The toolbar contains the following buttons:
• (Refresh button) Refreshes the display.
• (Trace Settings button) Displays the Cryptoki Trace Settings window. This is used to determine what items will be stored in the CIP log for each Datakey CIP event.
• (Quality Feedback Agent button) Launches the Quality Feedback Agent. This is a utility that enables Datakey customers experiencing problems with their tokens and/or token readers to collect pertinent data and send a problem report to the Datakey Technical Support staff.
• (About button) Displays version information about CIP Utilities and other Datakey programs.
• (Help button) Displays context sensitive Help for selected items.

Icons

Unique icons are used to identify the following object types within the left pane:
• (card reader icon) = a card reader
• (certificate icon) = a digital certificate
• (double certificate icon) = a certificate that is also contained in the Windows certificate store
• (blue key icon) = a public key
• (gold key icon) = a private key
• (data object icon) = a data object

Modifying and updating the display


The View menu enables you to modify how CIP Utilities displays information and
to update the information currently being displayed.

• View -> Toolbar: Select this option to toggle the toolbar menu on and off. The toolbar menu is located directly beneath the primary menu and contains the following icons:

[Figure: the toolbar icons.]

• View -> Status Bar: Select this option to toggle the status bar on and off. The status bar is located at the bottom of the CIP Utilities window.
• View -> Detailed Display: Select this option to specify how much information is displayed in the right pane, either complete details about an item or just the basic information.
• View -> Refresh: Select this option to refresh the CIP Utilities window with the most current information.

Configuring CIP Utilities options


The Options menu enables you to uniquely configure a number of CIP Utilities
options.


Configuring CIP DKLogger settings


Select Options -> CIP -> DKLogger Settings to configure the level of messages
that will be logged in DKLogger.

Configuring CIP Log settings


Select Options -> CIP -> CIP Log Settings to configure the Cryptoki Trace Settings. The trace settings determine what items will be stored in the CIP log for each event.

A check mark appears in front of an item when the item is enabled.

Enabling/disabling the Token Server


Select Options -> CIP -> Start Token Server to specify whether the CIP Token
Server will be automatically started each time the computer is activated. The
Token Server must be active in order for Datakey CIP to interact with a token
reader. A check mark appears in front of this option when it is enabled.

Note: You must reboot your computer before any change takes effect.


Enabling/disabling 10SR readers


Select Options -> CIP -> Enable 10SR Readers to specify whether support will be
provided for a model 10SR serial token reader. Enable this option only if you have
a 10SR reader. If you do not have a model 10SR token reader, disabling this option
will enhance your system performance. A check mark appears in front of this
option when it is enabled.

Configuring the Auto Cert Register Utility


The Auto Cert Registration Utility automatically registers digital credentials contained on a Datakey token with Microsoft Windows and many other desktop applications. If you want the digital credentials to be deleted from the Windows certificate store whenever the token is removed from the reader, select Options -> Auto Cert Register and toggle on the Delete On Removal option. A check mark appears when this option is enabled.

For detailed information about the Auto Cert Registration Utility, refer to the
Datakey CIP Desktop User’s Guide.

Enabling/disabling the CIP Utilities log


Select Options -> CIP Utilities -> Enable CIP Util Logging to toggle the CIP Utilities log option on or off. The CIP Utilities log is separate from the CIP log; the CIP Utilities log only collects information about the CIP Utilities. CIP Utility log information is collected in a file named ciputils.log. The file is saved in the same directory as the ciputils.exe executable file.

A check mark appears when this option is enabled.

Configuring the object name display


Select Options -> CIP Utilities -> Choose Object Name to define which identifier is displayed in parentheses next to each item in the left pane. The following figure illustrates the position of the object name:

[Figure: the left pane, with the object name shown in parentheses next to each item.]

Valid options are:

Launching the Quality Agent


Select Options -> Launch Quality Agent to start the Quality Agent. The Quality
Agent is a utility that enables Datakey customers experiencing problems with their
tokens and/or token readers to collect pertinent data and send a problem report to
the Datakey Technical Support group. For detailed information about the Quality
Agent, after launching the utility, press F1 and read the online Help system.

Specifying CIP Utilities program options

Note: This option applies only to administrators.


Select Options -> Configuration to specify the CIP Utilities program options that
will be made available to your users. When you select the Configuration option the
following window appears:


The CIP Utilities are shipped with all options fully enabled. If you, as an administrator, wish to restrict the tasks your users can perform, you can do so using the Configuration option. After setting the parameters the way you want, click OK to save the new configuration to the DKAdmin.dat file. The DKAdmin.dat file is a control file for CIP Utilities. When you install Datakey CIP on your users’ computers, simply use the new configuration file rather than the original file.

IMPORTANT! By default the DKAdmin.dat file is stored in the \Program Files\Datakey\Crypt32 directory. Be careful not to overwrite your own default DKAdmin.dat file or you may inadvertently restrict your own options.

If you make changes to the default setting, be sure to disable the Enable access to the Configuration Dialog option. Otherwise, your users may be able to modify these settings on their own.

Token reader tasks


There are a number of tasks you can perform on a token reader. Simply right-click
on a token reader and the following menu is displayed:

Logging on/off a token


To log on to a token, perform the following steps.
1. Right-click the token reader that contains the desired token.
2. Select Login.
3. The Login window appears:

4. Type your token passphrase, then click OK.


CIP Utilities will indicate you are currently logged on to the token by displaying
Logged In on the token reader header line. CIP Utilities will also display both
public and private objects contained on the token.


To log off a token, perform the following steps.


1. Right-click the token reader that contains the desired token.
This time the top menu item will be Logout rather than Login.
2. Click Logout.
You are immediately logged off the token.

Changing the token passphrase


The token passphrase is used to protect and activate your token. If you wish to
change your passphrase, perform the following steps:

Note: If you have the Datakey CIP Desktop installed on your system, you can also
use the Passphrase Utility to change your token passphrase. See the
Datakey CIP Desktop User’s Guide for details.
1. Right-click the reader containing the token, then select Change Passphrase.
The Change Passphrase window appears.

2. Type your old (current) passphrase in the Old Passphrase field.


Asterisks appear in the display instead of the passphrase characters in order to keep your passphrase safe. Be careful when typing your old passphrase, because typing the wrong passphrase too many times will result in your token becoming permanently blocked.
3. Type your new passphrase in the New Passphrase field.
The minimum length of a passphrase is four alphanumeric characters, and the maximum length is 20 alphanumeric characters. Select a passphrase that is difficult to guess. Avoid using the obvious types of passphrases such as your first, middle, or last name, birth date, employee number, social security number, etc. Passphrases are case sensitive, so verify the position of the Caps Lock button.


4. Re-type the same new passphrase in the Reenter New Passphrase field.
5. Click OK.

Note: The Secure Authenticate fields are not used at this time.

Changing the token label


The token label is a user-friendly label used to identify the token. If no label has
been assigned to the token, this field defaults to the token serial #.

To change the token label, perform the following steps:


1. Right-click the reader containing the token, then select Change Label.
The Token Label window appears.

2. Type the new label in the Token Label field.


The label can be from 1 to 32 characters long.
3. Click OK.

To view the token label, select the reader containing the token; the label is displayed in the right pane.

Changing the Inactivity Timer


The Inactivity Timer option in CIP Utilities lets you set the inactivity timer on the token. To configure the Inactivity Timer, perform the following steps:
1. Right-click the reader containing the token, then select Change Inactivity Timer.
The Token Inactivity Timer window appears.


2. Select the desired timeout option.


• Card login required for each operation: Programs that use the token will prompt the user to log on to the token each time the program requires access to the token.
• Card login remains valid until card is removed: After an initial login, programs can access the token without further user interaction until the token is removed from the card reader.
• Logout from card after inactivity of: Programs are logged off the token if the token is idle for the specified number of minutes. Use the up and down arrows to specify the number of minutes the token can remain idle before it times out. You can also type a value directly into the field. Valid values are from 1 - 240.
3. Click OK.

Initializing a token

New tokens must be initialized before keys, certificates, or other items may be
stored on the token. The initialization process also removes existing items from the
token, leaving only the serial number and the token label intact. Initialization can
also be used to unlock a blocked token.

IMPORTANT! Do not perform this process once you have personalized your
token. Initialization removes all information except the serial
number and the token label. All your exchange and signature keys
are removed and your security administrator will need to replace
the exchange key for you.


IMPORTANT! Windows 2000/XP users only: If the token was used to logon to the
active Windows 2000 or Windows XP session, it should not be ini-
tialized. Log off of Windows and bring the token to another station
to be initialized or use another method to logon.

To initialize a token, perform the following steps:


1. Right-click the reader containing the token, then select Initialize Token.
The Token Initialization window appears.

2. Read the warning messages, then either click Continue Initialization to continue
the initialization process or click Cancel to terminate the process.
3. If you click Continue Initialization, the token is initialized.
When the process is complete a window similar to the following appears.

4. Click OK.
5. See page 59 for information on changing the default passphrase to a more
secure passphrase.


Testing a token

You can test the token to verify it is working properly. The test function checks the token for defects by exercising the basic cryptographic operations such as generating, storing, and deleting a public/private key pair.

To test a token, perform the following steps:


1. Right-click the reader containing the token, then select Test Token.
The following window appears.

2. Click OK.
Information about each step in the test process is displayed in the right pane.
When the test process is complete the following message is displayed:
Test Token Successful

Importing a PKCS#12 file


You can import existing PKCS#12 files (certificates) to a token. To import a
PKCS#12 file, perform the following steps:
1. Right-click the reader containing the token, then select Import PKCS#12 File.
The Import File window appears.


2. Navigate to the location of the PKCS#12 file, select the file, then click Open.
The following window appears.

3. Type the password associated with the PKCS#12 file, then click OK.
The Select Container Name window appears.

4. Accept the default container name or type a new container name for the certificate, then click OK.
This is the CSP container name displayed in parentheses on the public and private key names. See page 55 for information on displaying CSP container names.
The PKCS#12 file is unwrapped and the certificate is copied to the token. When the process is complete the following message box appears.

Displaying library version information

To determine the version of driver software currently running on a token, simply right-click the reader containing the token, then select Library Version. The software driver information is displayed at the bottom of the right pane in the CIP Utilities window. For example:

[Figure: library version information displayed at the bottom of the right pane.]

Note: The library version information is written to the bottom of the right pane
each time you perform this operation.

Importing a certificate from the Windows certificate store


If a certificate is stored in the Windows certificate store, but the certificate is not contained on the desired token, you can import the certificate from the certificate store to the token. You do this by right-clicking the reader containing the token, then selecting Import Certificate from System. The certificate that is stored in the certificate store must be associated with a key pair on the token in order to successfully import the certificate to the token.

Displaying Common Access Card (CAC) data


This applies only if a CAC card is inserted in the token reader. To view the data on
the CAC card, right-click the reader and then select Display Common Card Data.

Certificate tasks

A certificate is used to positively identify yourself to others, or vice versa. A certificate is a confirmation of your identity and contains information used to protect data or to establish secure network connections. A certificate can be used to digitally sign a piece of information so that you can determine the author of the information. A copy of your public key is contained within a certificate.

There are a number of tasks you can perform on a certificate. Simply right-click on a certificate and the following menu is displayed:

Deleting a certificate from a token


To delete a certificate from a token, right-click the certificate and then select Delete
From Token. Select Yes at the confirmation dialog box.

Moving a certificate to/from Windows


Certificates that Windows “knows” about are stored in the certificate store on your
computer. If you are working on a computer that does not contain a copy of your
certificate in its certificate store, you will not be able to encrypt a file or an email
message. Why? Because the certificate in the certificate store acts as a pointer to
the more secure portion of your digital credentials—the private key located on your
smart card. Without this pointer the system will not be able to locate your private
key.

Copying a certificate to the Windows certificate store: To copy a certificate from your token to the certificate store on a computer, perform the following steps:
1. Right-click the certificate.
2. Select Copy to System.
The certificate is copied to the Windows certificate store. The certificate icon
changes to a double certificate, indicating the certificate also resides in the
certificate store.

Deleting a certificate from the Windows certificate store: To delete a certificate from the certificate store, perform the following steps:
1. Right-click the certificate.
2. Select Delete From System.
The certificate is deleted from the Windows certificate store. The certificate
icon changes to a single certificate, indicating the certificate resides only on the
token.

Exporting a certificate to a file


If you wish to move a copy of a certificate located on your token to a hard drive or
some other location, you must first export the certificate to a DER encoded binary
X.509 file. To export a certificate to a file, perform the following steps:
1. Right-click the certificate, then select Export To File.
The following window appears.

2. Navigate to the folder you want to save the file in, then type a name in the File
name field.
The file name must end with a .cer extension.
When the export process is complete an informational message is displayed in
the right pane.

Set a certificate as the default container


A container consists of three related components: a public key, a private key, and a certificate. The default container is the first container on a token. If a token contains multiple containers you may wish to specify one of the containers as the default container. For example, the Windows 2000 and the Windows XP logon procedure uses only the default container; if you are using Windows 2000 or Windows XP logon you probably want to set the certificate and the keys used with Windows 2000/XP logon as the default container.

To set a certificate and its related public/private keys as the default container, right-
click the desired certificate, then select Set to Default Container. The public key is
technically the component that defines the default container, so the public key
associated with the default container is displayed in a bold face font in order to
highlight the default container.

Editing certificate attributes


To modify a certificate’s label, container name, or ID, perform the following steps:

Caution! Only qualified administrators should edit a certificate’s attributes.


1. Right-click the certificate, then select Edit Object.
The Edit Certificate File Attributes window appears.

2. Click in the desired field and modify the contents as desired.


3. If you want to use the hash value of the public modulus as the certificate ID,
click Use hash of public modulus for CKA_ID.
The value is computed and inserted in the CKA_ID field.

Updating a token
Sometimes certain components that should be available on a token are temporarily
“lost.” CIP Utilities provides the ability to restore certain missing components. For
example, a missing public key can be restored by retrieving it from the associated
private key.


To update a token, right-click the desired certificate, then select Update Token. Missing components are retrieved and automatically displayed in the left pane. The update token process also renames all three components to the same container name as the related private key.
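As an added illustration of the two operations above (the "Use hash of public modulus for CKA_ID" button under Editing certificate attributes, and Update Token), not Datakey CIP's own code: the Python below models token objects as PKCS#11-style attribute dictionaries, links the certificate, public key and private key of a container by a shared CKA_ID, reports which component is missing, and rebuilds a missing public key from the private key's modulus and public exponent. The choice of SHA-1 over the big-endian modulus as the CKA_ID is an assumption (the page names no hash); the toy modulus is constructed.

```python
"""Containers linked by CKA_ID, and restoring a missing public key.

Added example, not Datakey CIP code. Assumptions: CKA_ID is the SHA-1 of the
big-endian RSA modulus (a common PKCS#11 convention; the page names no hash),
and token objects are modelled as dicts of PKCS#11 attributes.
"""
import hashlib

# PKCS#11 object classes (CK_OBJECT_CLASS values)
CKO_CERTIFICATE = 0x1
CKO_PUBLIC_KEY = 0x2
CKO_PRIVATE_KEY = 0x3


def modulus_bytes(n):
    """Big-endian encoding of the modulus, as held in CKA_MODULUS."""
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def cka_id_from_modulus(n):
    """'Use hash of public modulus for CKA_ID' (SHA-1 assumed)."""
    return hashlib.sha1(modulus_bytes(n)).digest()


def group_containers(objects):
    """Group token objects into containers: {cka_id: {class: object}}."""
    containers = {}
    for obj in objects:
        containers.setdefault(obj["CKA_ID"], {})[obj["CKA_CLASS"]] = obj
    return containers


def missing_components(objects):
    """Return {cka_id: [missing classes]} for every container that is incomplete."""
    expected = {CKO_CERTIFICATE, CKO_PUBLIC_KEY, CKO_PRIVATE_KEY}
    result = {}
    for cka_id, parts in group_containers(objects).items():
        missing = sorted(expected - set(parts))
        if missing:
            result[cka_id] = missing
    return result


def update_token(objects):
    """Model of Update Token: restore a missing public key from the private key's
    public components and rename all parts to the private key's container name."""
    restored = [dict(o) for o in objects]  # copies; the input list is left untouched
    for cka_id, parts in group_containers(objects).items():
        priv = parts.get(CKO_PRIVATE_KEY)
        if priv is None:
            continue  # nothing to derive the public key from
        if CKO_PUBLIC_KEY not in parts:
            restored.append({
                "CKA_CLASS": CKO_PUBLIC_KEY,
                "CKA_ID": cka_id,
                "CKA_LABEL": priv["CKA_LABEL"],
                "CKA_MODULUS": priv["CKA_MODULUS"],
                "CKA_PUBLIC_EXPONENT": priv["CKA_PUBLIC_EXPONENT"],
            })
        for obj in restored:
            if obj["CKA_ID"] == cka_id:
                obj["CKA_LABEL"] = priv["CKA_LABEL"]
    return restored


# Constructed toy values: a real token holds a 1024- or 2048-bit modulus.
TOY_N = 3233   # 61 * 53
TOY_E = 17
CONTAINER_ID = cka_id_from_modulus(TOY_N)

# Constructed token contents: the public key has been "lost", the label differs.
SAMPLE_TOKEN = [
    {"CKA_CLASS": CKO_CERTIFICATE, "CKA_ID": CONTAINER_ID, "CKA_LABEL": "Logon Cert"},
    {"CKA_CLASS": CKO_PRIVATE_KEY, "CKA_ID": CONTAINER_ID, "CKA_LABEL": "ContainerA",
     "CKA_MODULUS": TOY_N, "CKA_PUBLIC_EXPONENT": TOY_E},
]

if __name__ == "__main__":
    print("missing before:", missing_components(SAMPLE_TOKEN))
    fixed = update_token(SAMPLE_TOKEN)
    print("missing after:", missing_components(fixed))
    for obj in fixed:
        print(obj["CKA_CLASS"], obj["CKA_LABEL"], obj["CKA_ID"].hex()[:8])
```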

Public key and private key tasks


Public and private keys are used to encrypt/decrypt files and messages. Your public
key is freely distributed and used by others when encrypting messages sent to you.
Your private key is used to decrypt the encrypted messages. Your private key must
be protected at all costs.
There are a number of tasks you can perform on a public or private key. Simply
right-click on the desired key and the following menu is displayed:

Deleting a key from a token


To delete a public or private key from a token, right-click the key and then select
Delete From Token. Select Yes at the confirmation dialog box.

Exporting key information to a file


If you wish to move information about a particular public or private key to a file,
one way to do it is to export the information to a text file. To export key information
to a file, perform the following steps:

Note: Information about the key is exported, not the key itself.
1. Right-click the key, then select Export To File.
The Select the key file window is displayed.
2. Specify the name and location of the file, then click Save.
The default name for the file is KeyInfo.txt.

Set a key as the default container


A container consists of three related components: A public key, a private key, and a
certificate. The default container is the first container on a token. If a token con-
tains multiple containers you may wish to specify one of the containers as the
default container. For example, the Windows 2000 logon procedure uses only the
default container; if you are using Windows 2000 logon you probably want to set
the certificate and the keys used with Windows 2000 logon as the default container.

To set a key and its related components as the default container, right-click the
desired key, then select Set to Default Container. The public key is technically the
component that defines the default container, so the public key associated with the
default container is displayed in a bold face font in order to highlight the default
container. The public key associated with the default container also becomes the
first key on the token.

Editing public/private key attributes


To modify a public or private key’s attributes, perform the following steps:

Caution! Only qualified administrators should edit a key’s attributes.


1. Right-click the public or private key, then select Edit Object.
If you are editing a public key, the Edit Public Key Attributes window appears.

If you are editing a private key, the Edit Private Key Attributes window appears.

2. Click in the desired field and modify the contents as desired.


3. If you want to use the hash value of the public modulus as the certificate ID,
click Use hash of public modulus for CKA_ID.
The value is computed and inserted in the CKA_ID field.
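The "Use hash of public modulus for CKA_ID" option above (and the identical option under "Editing certificate attributes") follows a common PKCS#11 convention: the object's CKA_ID is derived from the RSA modulus, so a certificate, a public key and a private key that share a modulus share an ID and can be matched into one container. The following Python script is an added example, not part of this guide or of CIP Utilities. It encodes a constructed RSA public key as DER, parses the modulus back out, derives the ID, and groups objects into containers by that ID so that a container missing a component (the situation "Update Token" repairs) stands out. The guide only says "hash of public modulus"; SHA-1 over the minimal big-endian modulus bytes is an assumption (it is the convention used by several PKCS#11 implementations). The modulus value, the object records and all function names are constructed for the example.

```python
import hashlib
from typing import Dict, List, Set, Tuple

# --- Minimal DER helpers for RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form (0x8N followed by N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value; a leading 0x00 keeps the sign bit clear."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body


def encode_rsa_public_key(n: int, e: int) -> bytes:
    body = _der_integer(n) + _der_integer(e)
    return b"\x30" + _der_length(len(body)) + body


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, contents, position after the element) for the element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def parse_rsa_public_key(der: bytes) -> Tuple[int, int]:
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(seq, 0)
    tag_e, e_bytes, _ = _read_tlv(seq, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("expected two INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def cka_id_from_modulus(n: int) -> bytes:
    """CKA_ID as SHA-1 of the modulus in minimal big-endian form (no DER sign padding).
    ASSUMPTION: the guide names no hash algorithm; SHA-1 is the usual PKCS#11 convention."""
    return hashlib.sha1(n.to_bytes((n.bit_length() + 7) // 8, "big")).digest()


def group_into_containers(objects: List[Dict]) -> Dict[bytes, Set[str]]:
    """Map CKA_ID -> set of object classes sharing it (the components of one container)."""
    containers: Dict[bytes, Set[str]] = {}
    for obj in objects:
        containers.setdefault(cka_id_from_modulus(obj["modulus"]), set()).add(obj["class"])
    return containers


def incomplete_containers(objects: List[Dict]) -> List[bytes]:
    """IDs whose container lacks a certificate, public key or private key."""
    full = {"certificate", "public-key", "private-key"}
    return [cid for cid, classes in group_into_containers(objects).items() if classes != full]


# Constructed sample values (not real keys): a 2048-bit odd modulus with its top bit set,
# so the DER sign-padding path is exercised, plus the usual public exponent.
SAMPLE_N = (1 << 2047) | 0x1234_5678_9ABC_DEF1
SAMPLE_E = 65537
ORPHAN_N = SAMPLE_N + 2

SAMPLE_TOKEN_OBJECTS = [
    {"class": "certificate", "modulus": SAMPLE_N},
    {"class": "public-key", "modulus": SAMPLE_N},
    {"class": "private-key", "modulus": SAMPLE_N},
    {"class": "private-key", "modulus": ORPHAN_N},  # private key whose public key is "lost"
]

if __name__ == "__main__":
    der = encode_rsa_public_key(SAMPLE_N, SAMPLE_E)
    n, e = parse_rsa_public_key(der)
    print("CKA_ID:", cka_id_from_modulus(n).hex())
    print("incomplete containers:", [c.hex() for c in incomplete_containers(SAMPLE_TOKEN_OBJECTS)])
```

Because the ID is a function of the modulus alone, it is the same whether it is computed from the certificate's public key, from the public key object, or from the private key's own modulus attribute; that is what lets the three components be renamed and matched into one container without any shared label.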

Updating a key on a token


Sometimes certain components that should be available on a token are temporarily
“lost.” CIP Utilities provides the ability to restore certain missing components. For
example, a missing public key can be restored by retrieving it from the associated
private key.

To update a token, right-click the desired certificate, then select Update Token.
Missing components are retrieved and automatically displayed in the left pane. The
update token process also renames all three components to the same container name
as the related private key.

Data object tasks


In general, CIP Utilities treats as a data object any object that is not a certificate, a
public key, or a private key. A data object can be almost anything, from sensitive
information to input/output associated with a particular application. For example,
SmartLogon and SmartNotes, two Datakey CIP Desktop applications, both store
data objects on a token.
There are a number of tasks you can perform on a data object. Right-click the
desired data object to display a menu of these tasks; each is described below.

Deleting a data object from a token


To delete a data object from a token, right-click the object and then select Delete
From Token. Select Yes at the confirmation dialog box.

Export data object information to a file


If you wish to move information about a particular data object to a file, one way to
do it is to export the information to a text file. To export data object information to
a file, perform the following steps:
1. Right-click the data object, then select Export To File.
The Select the key file window is displayed.
2. Specify the name and location of the file, then click Save.
The default name for the file is DataInfo.txt.

Help menu
To view the online Help system, click Help -> Help Topics.

To display version information about CIP Utilities and other Datakey software,
click Help -> About CIP Utilities.

Troubleshooting using CIP Utilities


CIP Utilities is a useful application for troubleshooting problems when using
Datakey CIP. It can be used to verify that your token reader and token are function-
ing properly. If you are able to perform the following tests successfully, your prob-
lem is most likely with the application you are trying to use with Datakey CIP.

To verify that your reader and token are functioning properly, do the following:
1. Ensure that your card reader is securely plugged into your machine and that
your token is fully inserted.
2. Shut down all applications that are currently running on your machine.
3. Reboot.
4. If you are using a serial token reader, watch the light on your token reader. It
should blink off, then on again shortly after reboot.
5. Launch CIP Utilities. After it launches, you should see your token label and
serial number displayed. This confirms that your machine is communicating
with your token.

Common problems
If the above tests do not succeed, your reader is not communicating with the
Datakey CIP drivers. Common causes of this problem include:
• Reader/token not securely plugged in.
• Software not installed or installed improperly.
• Serial port conflict. Another serial device is configured to use the same COM
port that your token reader is plugged into.
• Serial port interrupt conflict. You have a device configured to use a COM port
that shares an interrupt with the port that your token reader is plugged into. For
example, COM1 and COM3 usually share an interrupt, as do COM2 and
COM4.

Possible solutions
The following list provides suggestions to help get your reader to function properly:
• Check to ensure that the reader is plugged into the machine tightly and the card
is plugged in all the way.
• If you are using a serial reader and you suspect your reader may not have been
plugged in securely, reboot your machine. Your serial reader must be present at
startup in order to be recognized.
• If you have another COM port available, try swapping the reader into it.
• Try plugging another piece of hardware into the serial port, such as a 9-pin
serial mouse. If the device works, then you know the port is in proper working
order.
• Look for any serial devices in use on the machine in question. Common
problem devices are internal modems and infrared ports on laptops. If you locate
such a device, try configuring it to use a different COM port or disable it to
complete the test.

Exiting CIP Utilities


If you wish to exit the CIP Utilities program, click File -> Exit.

The program will terminate immediately.

Chapter 6 Unblocking a Token

Overview
A Datakey 330u token is similar to a Datakey 330 token, with the exception that a
Model 330u token contains up to six “one time use” unblocking PINs that can be
used in the event the token becomes blocked. A token becomes blocked if the pass-
phrase used to access the token is not entered correctly within a specified number of
attempts.

Note: Datakey 330 tokens cannot be unblocked. If they become blocked they must
be re-initialized.

Unblocking a Datakey 330u token

Unblocking a token from within CIP Utilities


To unblock a Datakey 330u token from CIP Utilities, perform the following steps:
1. Ask your administrator for the next available unblocking PIN.
2. Insert the blocked token into the reader.
3. Right-click the reader containing the token, then select Change Passphrase.
The Update Passphrase window is displayed.
4. Type the unblocking code in the Enter Unblocking Code field.
5. Type your new passphrase in the New Passphrase and in the Reenter new
Passphrase fields.
The new passphrase must be different than your previous passphrase. The
passphrase must be from 4 - 20 characters and must not contain spaces.
6. Click OK.

Unblocking a token using CIP Desktop

If you have CIP Desktop installed on your computer, you can unblock a Datakey
330u token by launching the Passphrase Utility directly. To do so, perform the fol-
lowing steps:
1. Ask your administrator for the next available unblocking PIN.
2. Insert the blocked token into the reader.
3. Start the Passphrase Utility.
You can start the Passphrase Utility either by right-clicking the SmartMonitor
icon or by selecting Start -> Programs -> Datakey CIP -> Passphrase Utility.
4. Click the Update Passphrase button.
A dialog box appears asking you to enter the next available unblocking
passphrase.
5. Click OK.
The unblocking window appears.
6. Type the unblocking PIN in the Passphrase Unblocking field.
7. Type your new passphrase in the New Passphrase and the Reenter new
Passphrase fields.
The new passphrase must be different than your previous passphrase. The
passphrase must be from 4 - 20 characters and must not contain spaces.
8. Click OK.

Unblocking an Identrus Token


The procedure for unblocking an Identrus token is virtually identical to the
procedure used to unblock a Datakey 330u token. The only difference you will see
is the Identrus-specific buttons on the main Passphrase Utility window:

Simply click the appropriate button and type the necessary information, using the
procedure described on page 76 as your guideline.



Chapter 7 Using Biometric Smart Cards and Card Readers

Overview
This chapter describes the biometric capabilities of Datakey CIP. The biometric
capabilities allow you to log on to a smart card by simply pressing a fingertip on a
card reader. Your fingerprint is read by the biometric card reader and the authenti-
cation process is then performed directly and securely on the smart card.

A Datakey 330m or a Datakey 330g3 smart card is required when using the biomet-
ric capabilities of Datakey CIP. The Datakey 330m smart card is designed specifi-
cally for use with biometric card readers. It is known as a match-on-card smart
card because the fingerprint authentication match takes place securely on the smart
card. The Datakey 330g3 is a GSA compatible smart card that ensures “any card,
any software” operation.

Note: See page 8 for more information about the biometric smart cards and card
readers supported by Datakey.
Before the smart card will recognize your fingerprint, you must enroll your finger-
print on the smart card. Up to four of your fingerprints may be enrolled at one time.
Enrolling multiple fingerprints enables you to use a different fingerprint to log on if
for some reason you can't use your usual fingerprint (for example, due to injury).

Enrollment
When you first receive your Datakey smart card your fingerprint information will
not be on the smart card. A good first step after receiving your Datakey smart card
is to initialize the card. You can then enroll your fingerprint information.

Initializing the Datakey smart card

IMPORTANT! Initializing your smart card will erase anything already on the
smart card.
1. Start CIP Utilities by selecting Start -> Programs -> Datakey CIP ->
CIP Utilities.
2. In the left pane, right-click on the appropriate card reader.
A menu appears.
3. Select Initialize Token.
This will format your smart card and ensure it is ready for use.

After initializing the smart card, the passphrase for the smart card is set to the
default value PASSWORD (or 12345678 if you are using a PIN Pad reader).

Enrolling your fingerprint


To enroll your fingerprint on the smart card:
1. From within CIP Utilities, right-click the appropriate biometric card reader.
2. Select Enroll Fingerprint.
You will be asked to log on to the smart card. Because you have not yet
enrolled your fingerprint, CIP Utilities will ask for your passphrase. If you just
initialized the smart card, it will be PASSWORD or 12345678.

3. Type your passphrase, then click OK.


The following dialog box appears:

This dialog box enables you to configure the following:


• Which fingerprint(s) you want to enroll
• Various enrollment options
4. Use the check boxes by each finger to select which fingerprint(s) you want
enrolled on the smart card.
If you want, you can select just one finger and then log on only with that finger-
print. Or you can choose two, three, or four fingerprints. That will let you log
on to the smart card if, for some reason, your usual fingerprint cannot be used.
Up to four fingerprints may be enrolled. If you select four fingertips, all
remaining check boxes will disappear. Clearing a check box will cause the
other check boxes to reappear.
5. Click Options.

The following enrollment options are displayed:

By default all options but the first are initially off. Please read the following
descriptions carefully before enabling any of the options.
• False Acceptance Rate (FAR): The FAR determines how carefully the
smart card will look at your fingerprint. Setting the FAR very high (1 in
1,000,000) gives you very good security but can make it difficult to log in
sometimes. Depending on the condition of the smart card reader and your
fingerprint, your logon may be rejected when it shouldn't. Setting the FAR
very low (1 in 100) makes it easier to log on, but also makes it a little more
likely that a wrong fingerprint will be accepted for log on. The setting 1 in
10,000 provides a good balance between security and ease-of-use.
• Logon Mode: Specifies what a user must provide in order to log on to the
smart card. There are three choices:
(1) A fingerprint or a passphrase
(2) A fingerprint only (no passphrase allowed)
(3) A fingerprint and a passphrase (both required)
• Bad Fingerprint Logon Retry Limit: Specifies the number of times a user
can attempt to use their fingerprint to log on to the card before the
fingerprint capability becomes locked. The fingerprint retry limit is different
than the passphrase retry limit, so it may be possible to log on using a
passphrase if the fingerprint retry limit is reached (but only if Logon Mode =
Fingerprint -OR- Passphrase).
• No Reenrollment Allowed: Specifies if it is possible to go through the
fingerprint enrollment process on a smart card more than once. Enabling
this option means that, following the initial enrollment, no one is allowed to
change fingerprint credentials unless the card is reinitialized.
• No “Retry Limit” Change on Reenrollment: (This option is not available if
No Reenrollment Allowed is enabled.) Specifies if the Bad Fingerprint
Logon Retry Limit option can be changed if someone has previously
enrolled to the smart card.
• No “Logon Mode” Change on Reenrollment: (This option is not available
if No Reenrollment Allowed is enabled.) Specifies if the Logon Mode
option can be changed if someone has previously enrolled to the smart card.
• Keep Enrollment When Smart Card Initialized: Specifies if the
fingerprint(s) enrolled on the smart card will be preserved if the smart card is
reinitialized.
6. After selecting the fingerprints you want enrolled and the desired fingerprint
options, click OK.
A dialog box similar to the following appears:

Follow the instructions on the screen to enroll each finger you selected in the
previous dialog box. A green dot highlights the finger currently being enrolled.
Pay close attention to the green dot so you don't accidentally use the wrong
finger.

For each fingerprint, you will press your finger on the biometric card reader
four times. The first three times are to get a good measure of your fingerprint,
and the fourth time is to verify that the first three worked correctly. The enroll-
ment process goes very quickly.
After pressing your finger on the reader the first time, the following dialog box
appears:

7. Follow the instructions in the dialog box.


As you proceed, the next instruction in the dialog box will be highlighted. After
placing your finger three times, the following dialog box appears:

8. Place your finger for the last time.


The sequence is repeated for each additional fingerprint that must be enrolled.
When all fingerprints have been successfully collected, the following dialog box
will appear while the fingerprint data is written to your smart card:

After your fingerprints are enrolled on the smart card, the following dialog box
appears:

9. Click OK.

Your fingerprint(s) are now enrolled on the smart card. The next time you log on to
the smart card you will be prompted for your fingerprint(s) instead of the pass-
phrase.
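Two of the enrollment options described in step 5 interact: the False Acceptance Rate sets the chance that a single presentation of a wrong finger is accepted, and the Bad Fingerprint Logon Retry Limit sets how many presentations the card tolerates before the fingerprint path locks. The cumulative risk therefore grows with the retry budget, not only with the FAR setting. The Python below is an added example, not part of this guide or of CIP Utilities; it models that interaction under the modelling assumptions that presentations are independent and that the card's matcher behaves exactly at its nominal FAR. The risk budget figures and function names are constructed for the example.

```python
# FAR settings offered in the enrollment Options dialog, expressed as "1 in N".
FAR_SETTINGS = (100, 10_000, 1_000_000)


def false_accept_probability(far_denominator: int, retry_limit: int) -> float:
    """Probability that at least one of `retry_limit` presentations of a non-enrolled
    finger is accepted, when each presentation is accepted with probability
    1/far_denominator. ASSUMPTION: presentations are independent and the matcher
    operates exactly at its nominal FAR."""
    if far_denominator < 1 or retry_limit < 0:
        raise ValueError("far_denominator must be >= 1 and retry_limit >= 0")
    per_attempt = 1.0 / far_denominator
    return 1.0 - (1.0 - per_attempt) ** retry_limit


def compare_far_settings(retry_limit: int) -> dict:
    """Cumulative false-accept probability for each FAR option at a given retry limit."""
    return {f"1 in {n:,}": false_accept_probability(n, retry_limit) for n in FAR_SETTINGS}


def max_retry_limit(far_denominator: int, budget: float, cap: int = 1_000_000) -> int:
    """Largest Bad Fingerprint Logon Retry Limit that keeps the cumulative false-accept
    probability at or below `budget`. Searched directly rather than via logarithms so the
    boundary is not subject to rounding surprises."""
    limit = 0
    while limit < cap and false_accept_probability(far_denominator, limit + 1) <= budget:
        limit += 1
    return limit


if __name__ == "__main__":
    # Constructed policy question: how many retries keep the total risk at or under 5 percent?
    for n in FAR_SETTINGS:
        print(f"FAR 1 in {n:,}: retry limit {max_retry_limit(n, 0.05)}")
    print(compare_far_settings(5))
```

The point for an administrator choosing settings is that the retry limit and the FAR are one policy, not two: a low FAR setting such as 1 in 100 leaves very little retry budget before the cumulative risk becomes material, whereas the 1 in 10,000 setting the guide recommends tolerates a generous retry limit at the same budget.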

Troubleshooting enrollment errors


The following errors may occur while enrolling your fingerprint:
• Finger not centered: While enrolling, you may be prompted to move your
fingerprint. The dialog box looks similar to the following:

In this case, move your finger up a little and try again.

• Finger too wet or too dry: Sometimes your finger may be too dry or too wet
for the biometrics card reader to get a good reading:

If your fingerprint is too dry, either breathe on your fingertip or wipe it on your
temple and try again. If your fingerprint is too wet, wipe it on a dry cloth and
try again.
• Card reader behaves erratically: If the biometrics card reader is acting
erratically (if the reader light is constantly flickering or it displays messages out
of context), try unplugging and reconnecting the reader and then restarting your
computer. Sometimes an electric static buildup occurs and the reader simply
needs to be reset.

Login
To log on to the smart card using your fingerprint, first make sure you have enrolled
your fingerprint properly. You can verify your fingerprint is enrolled by checking
in the Flags section in the right pane of CIP Utilities.

IMPORTANT! You can only log on with your fingerprint if you are using an enrolled
Datakey smart card in a Precise Biometrics Smart Card Reader.

Logging on using one fingerprint


1. Right-click the appropriate biometric card reader.
2. Select Login.
The following dialog box appears:

3. Put the appropriate fingertip on the card reader, then follow the instructions on
the screen.

Logging on with multiple fingerprints


1. Right-click the appropriate biometric card reader.
2. Select Login.
A dialog box similar to the following appears:

Note: The dialog box above shows that four fingerprints are enrolled on the
smart card, with the right index finger currently selected.

3. If the correct finger is selected, press your fingerprint on the reader and follow
instructions. Otherwise, use the mouse to click on the fingerprint you want, and
then press your fingerprint on the reader.

Completing the login process


After the biometric card reader reads your fingerprint, the fingerprint is sent to the
smart card for authentication matching. A dialog box similar to the following
appears:

Note: You can lift your finger at this point, because the fingerprint has already
been read.

• If the authentication succeeds, you'll be logged onto the smart card and the
following dialog box appears:

• If the authentication fails the following dialog box appears:

Troubleshooting
The following are solutions to some of the most common problems that occur when
logging on using a fingerprint:
• If your fingerprint isn't placed in the center of the fingerprint reader, a dialog
box similar to the following appears:

Simply move your finger and try again.

• If your fingerprint is too wet or too dry for the biometric card reader to get a
good reading, a dialog box similar to the following appears:

If your fingerprint is too dry, either breathe on your fingertip or wipe it on your
temple and try again. If your fingerprint is too wet, wipe it on a dry cloth and
try again.

Chapter 8 Datakey CIP Desktop

Datakey CIP Desktop is a suite of complementary applications and utilities that
work in concert with Datakey CIP client software. Datakey CIP Desktop makes
your personal Datakey token more flexible and powerful for everyday use. The
individual applications and utilities that comprise Datakey CIP Desktop include:
• SmartMonitor
• SmartLogon
• SmartNotes
• Passphrase Utility
• Auto Cert Registration Utility
• CIP Utilities

The Datakey CIP Desktop suite of applications and utilities is an optional feature of
Datakey CIP. The applications and utilities are described in detail in the Datakey
CIP Desktop User Guide. For convenience, a brief description of each of the CIP
Desktop components is provided here.

SmartMonitor
SmartMonitor provides an easy method for launching and controlling your Datakey
CIP Desktop components. The CIP Desktop installation process places a Smart-
Monitor icon into your computer’s system tray. When active, you can left-click this
icon to use the SmartLogon Auto Fill feature, or you can right-click the icon to
quickly access CIP Utilities, the SmartLogon application, the SmartNotes applica-
tion, or the Passphrase utility.

When active, the SmartMonitor icon will appear in your computer’s system tray.
The SmartMonitor icon looks similar to a small computer chip.

SmartLogon
SmartLogon enables you to store user name and/or password entries on your
Datakey smart card. The program recognizes and remembers the application or
Web site associated with each entry. This simplifies the logon process because you
no longer need to remember which unique logon combination applies to which
application or Web site—SmartLogon automatically fills in the correct user name
and/or password for you.

For example, you might have unique user name/password entries for:
• Your bank’s Web site
• Your favorite airline Web site
• Your email service
• Your network applications
• Your desktop applications
• A Microsoft Word file that requires password authentication
• Other Web sites and applications that require a unique user name and/or
password

Using SmartLogon you only need to remember one password—your smart card
password—to access any of these applications or Web sites. Your user names and
passwords are secure, and you can access your favorite applications and Web sites
worry-free.

SmartNotes
SmartNotes enables you to securely store personal notes and data on your Datakey
token. With SmartNotes your token becomes a portable electronic notebook,
allowing you to store account information, favorite URLs, personal reminder notes,
and other often-used data. And this information is safe, protected by the passphrase
needed to activate the token.

Passphrase Utility
The Passphrase Utility allows you to update and change the passphrase that protects
and activates your token. You can also use this utility to issue unblocking codes—
passphrases that unlock a token should it become blocked by too many incorrect
log-in attempts. Unblocking codes are available on Datakey Model 330U tokens.
Finally, the Passphrase Utility can be used to initiate the Identity PIN on a Datakey
Model 330i Identrus token and to change both the Identity PIN and the Utility PIN
on an Identrus token.

Auto Cert Registration Utility


The Auto Cert Registration Utility automatically registers digital credentials con-
tained on a Datakey token with Microsoft Windows and all desktop applications.
This provides a quick and easy deployment of your personal digital credentials,
enabling instant and transparent use of all Windows applications that require digital
credentials.

The Auto Cert Registration Utility does not need to be started. It runs automati-
cally, requiring no user intervention. The utility checks the token for unregistered
credentials each time the computer is started and each time a new token is inserted
into the token reader. If unregistered credentials are discovered on the token, the
utility automatically registers the credentials with Windows and any other applica-
tion that requires the use of digital credentials. It does this by placing copies of any
certificates contained on your token into the Windows certificate store.

CIP Utilities
The Datakey CIP Utilities is an intuitive, easy-to-use program that is used to view
and manage Datakey tokens and the objects contained on the tokens. The program
reports token and reader status and can be used for base-level diagnostics. Admin-
istrators can configure the functionality and features available for enterprise
deployment through an administrative wizard included with CIP Utilities.

Although it is treated as a Datakey CIP Desktop component, the CIP Utilities pro-
gram is originally provided with your Datakey CIP software. See Chapter 5 of this
guide for details about the CIP Utilities.

Appendix A Modifying PIN Timeout and Single Sign-On Values

This appendix describes how to modify the PIN timeout and the Single Sign-On
(SSO) features supported by Datakey CIP.

IMPORTANT! Only experienced administrators should attempt to modify the PIN
timeout and SSO values.

PIN timeouts
The Datakey CIP PIN timeout policy controls the token timeout behavior. It deter-
mines how long the token can remain idle before it times out, and it controls what
happens when the timeout limit is reached. The PIN timeout feature enables
Datakey CIP to control the timeout rules and actions rather than allowing individual
applications to control their timeout behavior.

Default PIN timeout values

The Datakey CIP PIN timeout policy is controlled by three specific DWORD val-
ues within the Windows system registry. When Datakey CIP is initially installed
the DWORD values do not exist, so the system registry simply assumes the data
values are zero. The effect is that the PIN timeout is ignored. Therefore, by
default, each application requiring access to a token must initially log on to the
token, but then remains logged on until it logs off on its own accord.

Creating the DWORD values


You can create the DWORD values manually using the Windows Registry Editor,
but an easier and safer method is to use the CIP Utilities to create the values. To
create the DWORD values using the CIP Utilities:
1. From within CIP Utilities, right-click the reader containing the desired token,
then select Change Inactivity Timer.
2. Select the desired timeout option.
The values on this screen define the default DWORD values. See “Changing
the Inactivity Timer” on page 60 for detailed information about the options.
3. Click OK.
This generates the three registry DWORD values. The DWORD values are
located under the following registry key:
HKEY_LOCAL_MACHINE\Software\Datakey\Cryptoki\1.0

Modifying the PIN timeout policy


To modify the PIN timeout policy you must modify the appropriate DWORD val-
ues within the system registry. This can be done using either the Datakey CIP
Quality Agent or by manually modifying the registry using the Windows Registry
Editor (regedit).

IMPORTANT! Only experienced administrators should attempt to modify the system
registry. Errors in your system registry may cause your computer to function
improperly.

To modify the PIN timeout policy using the Windows Registry Editor:
1. Choose Start -> Run.
2. Type regedit and then click OK.

The Registry Editor appears:

3. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Datakey\Cryptoki\1.0 registry
key.
The DWORD values are listed in the right pane. The three that affect the PIN
timeout policy are:
• AccessPolicy
• ResetPolicy
• TimePeriod
4. To modify a value, double-click the value in the right pane.
For example, if you double-click AccessPolicy the following dialog box
appears:

Use the following tables to guide you when modifying any of the three DWORD
values.

AccessPolicy DWORD
The AccessPolicy DWORD controls the PIN timeout behavior.

Value data 0: No PIN Cache
    Each application is required to supply a PIN to use private objects on the
    token. Private objects are then available until the application logs off. The
    Inactivity Timer is ignored. The Single Sign-On feature (SSO) is unavailable.

Value data 1: PIN Cache Active/No Inactivity Timer
    One application is required to supply a PIN in order to use private objects on
    the token. Private objects are then available for use by all applications. The
    Inactivity Timer is ignored and access is permitted until the computer is
    rebooted or the token is removed. The Single Sign-On feature is available.

Value data 2: PIN Cache and Inactivity Timer Active
    One application is required to supply a PIN in order to use private objects on
    the token. Private objects are then available for use by all applications.
    When the Inactivity Timer expires, the cached PIN is erased and all
    applications are logged off. The Single Sign-On feature is available.

Value data 4: PIN Cache Timeout on Screen Saver Active
    The Inactivity Timer expires only when the Windows screen saver becomes
    active. The cached PIN is erased and all applications are logged off.

Value data 6: PIN Cache Timeout or Screen Saver Active
    The Inactivity Timer expires according to the TimePeriod value or when the
    Windows screen saver becomes active. The cached PIN is erased and all
    applications are logged off.

ResetPolicy DWORD
The ResetPolicy DWORD determines what activities will reset the PIN timer.

Value data 0: No Reset of PIN Cache/Timeout
    Inactivity timer period is never restarted. The use of private objects will
    time out upon expiration of the inactivity timer period, and the PIN will need
    to be supplied to re-enable access to private objects.

Value data 1: PIN Cache/Timeout Based on Private Token Activity
    Inactivity timer period is restarted by any signing/decryption operation
    performed by CIP.

Value data 2: PIN Cache/Timeout Based on General Private Activity
    Inactivity timer period restarted by any CIP activity that requires a PIN to
    access or operate. Activities include cryptographic operations that use, read,
    write, create, or change private keys or objects, regardless of whether the
    particular object is resident on a token, in PC memory, or some combination of
    both.

Value data 4: PIN Cache/Timeout Based on General Token Activity
    Inactivity timer period is restarted when CIP has any exchanges with the token
    for any type of access.

Value data 8: PIN Cache/Timeout Based on General Library Activity
    Inactivity timer period is restarted by calls of any type to the Cryptoki
    middleware.

Value data 16: Timeout Reset on Mouse/Keyboard Activity
    Keyboard presses or mouse movement or clicks restarts the inactivity timer
    period.

Value data 32: PIN Cache/Timeout Auto Reset
    Inactivity timer period is reset before it expires, so as to allow access to
    private objects at all times. Access is permitted until the computer is
    rebooted or the token is removed.

TimePeriod DWORD
The TimePeriod DWORD specifies the length of the timeout period (in seconds).
When the inactivity timer expires, the Access policy (based on the registry
DWORD AccessPolicy), will be enforced. During the period that the inactivity
timer has not expired, individual applications may access the token as allowed by
the AccessPolicy.

Single Sign-On (SSO)


The SSO feature gives you the option to log on to the token once for all applica-
tions. Once you are logged in, all applications requiring information on the token
have access to the token. This means you don’t need to log on to the token each
time you use a different application or each time an authentication request is issued
by an application. You remain logged in until either a token event or a time event
logs you off the token.

Configuring SSO
SSO is controlled by the system registry. To enable or disable the SSO policy you
must modify the AccessPolicy DWORD value within the registry. This can be done
using either the Datakey CIP Utilities or by manually modifying the value using the
Windows Registry Editor (regedit).

To enable or disable the SSO policy using regedit:


1. Follow the instructions beginning on page 98 for accessing the AccessPolicy
DWORD value.
2. Set the AccessPolicy value to one of the following:
• To disable SSO: AccessPolicy = 0
• To enable SSO: AccessPolicy = 1 or AccessPolicy = 2

SSO is controlled by the same timeouts as Datakey CIP via the ResetPolicy
DWORD value.
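The following model ties together the three registry values described in this
chapter (the ResetPolicy table, the TimePeriod timeout, and the AccessPolicy
setting used to enable or disable SSO) so that an administrator can reason
about a chosen combination before deploying it. It is an added example and is
not code from Datakey CIP. Two things are assumptions of the example rather
than statements from this guide: that ResetPolicy values are bit flags that may
be combined, and the mapping of each kind of activity to the flags it
satisfies. The difference between AccessPolicy 1 and 2 is not modelled.

```python
"""Model of the Datakey CIP PIN-cache inactivity timer (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# ResetPolicy values, as listed in the ResetPolicy table.
RESET_NONE = 0
RESET_PRIVATE_TOKEN_ACTIVITY = 1    # signing/decryption performed by CIP
RESET_GENERAL_PRIVATE_ACTIVITY = 2  # any activity that requires a PIN
RESET_GENERAL_TOKEN_ACTIVITY = 4    # any exchange with the token
RESET_GENERAL_LIBRARY_ACTIVITY = 8  # any call to the Cryptoki middleware
RESET_MOUSE_KEYBOARD = 16           # keyboard presses, mouse movement or clicks
RESET_AUTO = 32                     # timer reset before it can expire

# Which flags an activity satisfies. This mapping is an assumption of the
# example; the guide lists the flags but not this classification of events.
ACTIVITY_FLAGS = {
    "sign_with_token_key": (RESET_PRIVATE_TOKEN_ACTIVITY | RESET_GENERAL_PRIVATE_ACTIVITY
                            | RESET_GENERAL_TOKEN_ACTIVITY | RESET_GENERAL_LIBRARY_ACTIVITY),
    "write_private_object": (RESET_GENERAL_PRIVATE_ACTIVITY | RESET_GENERAL_TOKEN_ACTIVITY
                             | RESET_GENERAL_LIBRARY_ACTIVITY),
    "read_public_object": RESET_GENERAL_TOKEN_ACTIVITY | RESET_GENERAL_LIBRARY_ACTIVITY,
    "library_call_no_token": RESET_GENERAL_LIBRARY_ACTIVITY,  # e.g. a bare C_GetInfo
    "mouse_or_keyboard": RESET_MOUSE_KEYBOARD,
}


@dataclass
class PinCache:
    reset_policy: int          # ResetPolicy DWORD (assumed to be a bit mask)
    time_period: int           # TimePeriod DWORD, in seconds
    access_policy: int = 1     # AccessPolicy DWORD: 0 disables SSO, 1 or 2 enable it
    _last_reset: Optional[float] = field(default=None, init=False)

    @property
    def sso_enabled(self) -> bool:
        return self.access_policy in (1, 2)

    def login(self, now: float) -> None:
        """PIN supplied: start the inactivity timer."""
        self._last_reset = now

    def _expired(self, now: float) -> bool:
        if self._last_reset is None:
            return True
        if self.reset_policy & RESET_AUTO:
            return False          # value 32: reset before it expires, until reboot/removal
        return now - self._last_reset >= self.time_period

    def is_unlocked(self, now: float) -> bool:
        """True while the cached PIN is usable. On expiry the cache is cleared, so
        the PIN must be supplied again (the AccessPolicy is enforced)."""
        if self._expired(now):
            self._last_reset = None
            return False
        return True

    def activity(self, kind: str, now: float) -> bool:
        """Record an activity; restart the timer only if ResetPolicy covers it.
        Returns whether the cache is unlocked afterwards."""
        if not self.is_unlocked(now):
            return False
        if ACTIVITY_FLAGS[kind] & self.reset_policy:
            self._last_reset = now
        return True

    def token_removed(self) -> None:
        """Token events, and the screen saver becoming active, erase the cached PIN."""
        self._last_reset = None

    screen_saver_active = token_removed


def compare_policies(time_period: int = 60) -> Dict[str, Tuple[bool, bool]]:
    """One timeline (login at 0 s, signing at 50 s, keyboard input at 100 s)
    under several ResetPolicy values. Returns (unlocked at 100 s, unlocked at 115 s)."""
    policies = {
        "no_reset": RESET_NONE,
        "private_token": RESET_PRIVATE_TOKEN_ACTIVITY,
        "private_token+input": RESET_PRIVATE_TOKEN_ACTIVITY | RESET_MOUSE_KEYBOARD,
        "auto": RESET_AUTO,
    }
    results = {}
    for name, policy in policies.items():
        cache = PinCache(reset_policy=policy, time_period=time_period)
        cache.login(0)
        cache.activity("sign_with_token_key", 50)
        at_100 = cache.activity("mouse_or_keyboard", 100)
        results[name] = (at_100, cache.is_unlocked(115))
    return results


if __name__ == "__main__":
    for name, state in compare_policies().items():
        print(f"{name:22s} unlocked@100s={state[0]!s:5s} unlocked@115s={state[1]}")
```

With a 60 second TimePeriod, ResetPolicy 0 locks the cache at 60 s regardless
of use, 1 keeps it open past the signing operation but not past keyboard
input, 1+16 keeps it open through both, and 32 never expires until the token
is removed. That last combination is the one to weigh most carefully, since
it turns the timeout into a removal-only control.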


Trusted Application Policy


In order to use SSO an application must be considered a trusted application. A
trusted application will have a SHA-1 hash of its .exe file stored in the registry.
The hash value is stored in a key located in
HKEY_LOCAL_MACHINE\Software\Datakey\Cryptoki\1.0\TrustedApp. When needed,
Datakey CIP will read the application’s .exe file and generate a SHA-1 hash value.
A search is then made for that hash in the list of trusted application hashes
contained in the registry. If a match is detected, the current registry settings
for TimePeriod, AccessPolicy, and ResetPolicy will be used for that application.
If no match is detected, all PIN caching and SSO capabilities for that application
are disabled.
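The check described above, as an added example that is not Datakey CIP code:
it hashes an application file with SHA-1, looks the digest up in a list of
trusted hashes, and adds an audit that reports registered hashes no installed
binary matches any more. That audit matters because the hash covers the whole
.exe, so a routine application update silently disables PIN caching and SSO
for that application until its entry is re-registered. The registry is not
read here; the hash list is passed in, and the uppercase hex-string form of a
stored hash is an assumption. The files are constructed in a temporary
directory and are not real executables.

```python
"""Trusted-application hash check and audit (added example)."""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List


def sha1_of_file(path: str) -> str:
    """SHA-1 of the whole file, streamed so large .exe files are not read at once.
    Uppercase hex is an assumption about how the hash is stored."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def is_trusted(exe_path: str, trusted_hashes: Iterable[str]) -> bool:
    """The documented rule: a match enables PIN caching/SSO for the application,
    no match disables them for it."""
    registered = {h.strip().upper() for h in trusted_hashes}
    return sha1_of_file(exe_path) in registered


def audit_trusted_apps(trusted_hashes: Iterable[str],
                       exe_paths: Iterable[str]) -> Dict[str, List[str]]:
    """Cross-check the registered hash list against the binaries actually installed.

    trusted   - binaries whose hash is registered
    untrusted - binaries whose hash is not registered (no SSO for them)
    stale     - registered hashes that no listed binary matches, typically an
                application updated after it was registered
    """
    registered = {h.strip().upper() for h in trusted_hashes}
    current = {p: sha1_of_file(p) for p in exe_paths}
    trusted = [p for p, h in current.items() if h in registered]
    untrusted = [p for p, h in current.items() if h not in registered]
    stale = sorted(registered - set(current.values()))
    return {"trusted": trusted, "untrusted": untrusted, "stale": stale}


def demo() -> dict:
    """Constructed scenario: register one application, then update it in place."""
    with tempfile.TemporaryDirectory() as d:
        app_a = os.path.join(d, "app_a.exe")   # constructed content, not a real binary
        app_b = os.path.join(d, "app_b.exe")
        with open(app_a, "wb") as f:
            f.write(b"constructed application A, version 1")
        with open(app_b, "wb") as f:
            f.write(b"constructed application B")

        # What an administrator would have stored under the TrustedApp key.
        trusted = [sha1_of_file(app_a)]
        before = audit_trusted_apps(trusted, [app_a, app_b])
        trusted_before = is_trusted(app_a, trusted)

        # Simulate an application update: the .exe changes, the registry does not.
        with open(app_a, "wb") as f:
            f.write(b"constructed application A, version 2")
        after = audit_trusted_apps(trusted, [app_a, app_b])
        trusted_after = is_trusted(app_a, trusted)

        return {
            "trusted_before": trusted_before,
            "trusted_after": trusted_after,
            "untrusted_before": len(before["untrusted"]),
            "trusted_after_count": len(after["trusted"]),
            "stale_after": len(after["stale"]),
        }


if __name__ == "__main__":
    print(demo())
```

Running the audit after each software rollout, and treating any entry in
"stale" as a change-management item, keeps the trusted list aligned with what
is actually installed instead of discovering the problem when users report
that SSO has stopped working for one application.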



Appendix B Common Access Card Differences

Since a Common Access Card (CAC) is a read only smart card, a number of
features and functions in Datakey CIP are not allowed when interfacing to a CAC.
Datakey CIP automatically detects when a CAC is present and will prevent these
features and functions from being used. The features and functions of Datakey CIP
that do not apply to CAC users are identified in the table on page 106.

What is a CAC?
A CAC is a tool that is ideally suited for use with applications that require the
secure storage of digital IDs and credentials. CACs act as secure “digital
carriers”—vehicles capable of storing one or more digital representations of a
particular person. A sample CAC is illustrated below:


Benefits of CACs
CACs provide a number of benefits:
• Security: Your private information never leaves the CAC, and is protected by
  two-factor security—something that is owned (the CAC) and something that is
  known (the CAC PIN).
• Portability: Your digital credentials can go wherever you go.
• Flexibility: A CAC can be used to store a variety of information, including
  certificates, public keys, private keys, user names and passwords, etc.
• Simplicity: Your many passwords can be stored on a single CAC. In addition,
  you are less likely to lose a CAC than forget a password.
• Ease of use: A CAC is simply inserted into a CAC reader to activate an
  application; no complex codes need be read or entered. Further, one CAC can be
  used for several applications.

Functional differences
If you are a CAC user, a few of the features and functions of Datakey CIP do not
apply to you. The following table shows the features and functions that do not
apply to CAC users.

Datakey CIP Feature / Functions that do not apply to CAC users

Datakey CIP ISign (Chapter 3)
    None of the functions apply
Datakey CIP Thin (Chapter 4)
    None of the functions apply
Datakey CIP Utilities, Token Reader Tasks (Chapter 5)
    • Changing the Token Label
    • Initializing a Token
    • Importing PKCS#12 Files
    • Import Certificate From System
Datakey CIP Utilities, Certificate Tasks (Chapter 5)
    • Delete From Token
    • Set to Default Container
    • Edit Object
    • Update Token
Datakey CIP Utilities, Public Key and Private Key Tasks (Chapter 5)
    • Delete From Token
    • Set to Default Container
    • Edit Object
    • Update Token
Datakey CIP Utilities, Data Object Tasks (Chapter 5)
    None of the functions apply
Unblocking a Token (Chapter 6)
    None of the functions apply
Using Biometric Smart Cards and Card Readers (Chapter 7)
    None of the functions apply
Datakey CIP Desktop (Chapter 8)
    • SmartLogon
    • SmartNotes
    • Passphrase Utility



Appendix C CAPI and PKCS#11 Functions

This appendix provides a list of the CAPI 2.0 and the PKCS#11 functions
supported by Datakey CIP.

CAPI functions
All of the required functions for CAPI 2.0, and some of the optional functions, are
supported. Unsupported functions are labeled as such. The functions marked with an
asterisk (*) are optional and may be supported in the future. All unsupported
functions return valid error codes.

Type / Function

Hash and Digital Signature Functions
    CryptCreateHash
    CryptDestroyHash
    CryptDuplicateHash (currently not implemented, but returns the correct error code)
    CryptGetHashParam
    CryptHashData
    CryptHashSessionKey
    CryptSetHashParam
    CryptSignHash
    CryptVerifySignature
Key Generation and Exchange Functions
    CryptAcquireCertificatePrivateKey*
    CryptDeriveKey
    CryptDestroyKey
    CryptDuplicateKey (currently not implemented, but returns the correct error code)
    CryptExportKey
    CryptGenKey
    CryptGenRandom
    CryptGetKeyParam
    CryptGetUserKey
    CryptImportKey
    CryptSetKeyParam
Service Provider Functions
    CryptAcquireContext
    CryptContextAddRef*
    CryptEnumProviders*
    CryptEnumProviderTypes*
    CryptGetDefaultProvider*
    CryptGetProvParam
    CryptInstallDefaultContext*
    CryptReleaseContext
    CryptSetProvider* (CryptSetProviderEx*)
    CryptSetProvParam*
    CryptUninstallDefaultContext*
Data Encryption/Decryption Functions
    CryptDecrypt
    CryptEncrypt
    CryptProtectData*
    CryptUnprotectData*
CryptEncodeObject / CryptDecodeObject Functions
    CryptDecodeObject*
    CryptDecodeObjectEx*
    CryptEncodeObject*
    CryptEncodeObjectEx*

PKCS#11 functions
Supported functions are divided by the version of PKCS#11. For the specification
of the PKCS#11 cryptographic token standard, refer to http://www.rsalabs.com.

PKCS#11 Version 1 – DKCK132.DLL

Type / Function

General Purpose Functions
    C_Initialize
    C_GetInfo
Slot and Token Management Functions
    C_GetSlotList
    C_GetSlotInfo
    C_GetTokenInfo
    C_GetMechanismList
    C_GetMechanismInfo
    C_InitToken
    C_InitPIN
    C_SetPIN
Session Management Functions
    C_OpenSession
    C_CloseSession
    C_CloseAllSessions
    C_GetSessionInfo
    C_Login
    C_Logout
Object Management Functions
    C_CreateObject
    C_CopyObject
    C_DestroyObject
    C_GetObjectSize
    C_GetAttributeValue
    C_SetAttributeValue
    C_FindObjectsInit
    C_FindObjects
Encryption and Decryption Functions
    C_EncryptInit
    C_Encrypt
    C_EncryptUpdate
    C_EncryptFinal
    C_DecryptInit
    C_Decrypt
    C_DecryptUpdate
    C_DecryptFinal
Message Digesting Functions
    C_DigestInit
    C_Digest
    C_DigestUpdate
    C_DigestFinal
Signature and Verification Functions
    C_SignInit
    C_Sign
    C_SignUpdate
    C_SignFinal
    C_SignRecoverInit
    C_SignRecover
    C_VerifyInit
    C_Verify
    C_VerifyUpdate
    C_VerifyFinal
    C_VerifyRecoverInit
    C_VerifyRecover
Key Management Functions
    C_GenerateKey
    C_GenerateKeyPair
    C_WrapKey
    C_UnwrapKey
    C_DeriveKey
Random Number Generation Functions
    C_SeedRandom
    C_GenerateRandom
Parallel Function Management Functions
    C_GetFunctionStatus
    C_CancelFunction
Callback Function
    Notify


PKCS#11 Version 2.0 – DKCK232.DLL

Type / Function

General Purpose Functions
    C_Initialize
    C_Finalize
    C_GetInfo
    C_GetFunctionList
Slot and Token Management Functions
    C_GetSlotList
    C_GetSlotInfo
    C_GetTokenInfo
    C_GetMechanismList
    C_GetMechanismInfo
    C_InitToken
    C_InitPIN
    C_SetPIN
Session Management Functions
    C_OpenSession
    C_CloseSession
    C_CloseAllSessions
    C_GetSessionInfo
    C_GetOperationState
    C_SetOperationState
    C_Login
    C_Logout
Object Management Functions
    C_CreateObject
    C_CopyObject
    C_DestroyObject
    C_GetObjectSize
    C_GetAttributeValue
    C_SetAttributeValue
    C_FindObjectsInit
    C_FindObjects
    C_FindObjectsFinal
Encryption Functions
    C_EncryptInit
    C_Encrypt
    C_EncryptUpdate
    C_EncryptFinal
Decryption Functions
    C_DecryptInit
    C_Decrypt
    C_DecryptUpdate
    C_DecryptFinal
Message Digesting Functions
    C_DigestInit
    C_Digest
    C_DigestUpdate
    C_DigestKey
    C_DigestFinal
Signing and MACing Functions
    C_SignInit
    C_Sign
    C_SignUpdate
    C_SignFinal
    C_SignRecoverInit
    C_SignRecover
Verifying Signatures and MACs Functions
    C_VerifyInit
    C_Verify
    C_VerifyUpdate
    C_VerifyFinal
    C_VerifyRecoverInit
    C_VerifyRecover
Dual-Function Cryptographic Functions
    C_DigestEncryptUpdate
    C_DecryptDigestUpdate
    C_SignEncryptUpdate
    C_DecryptVerifyUpdate
Key Management Functions
    C_GenerateKey
    C_GenerateKeyPair
    C_WrapKey
    C_UnwrapKey
    C_DeriveKey
Random Number Generation Functions
    C_SeedRandom
    C_GenerateRandom
Parallel Function Management Functions
    C_GetFunctionStatus
    C_CancelFunction
Callback Functions
    Token insertion callbacks
    Token removal callbacks
    Parallel function completion callbacks
    Serial function surrender callbacks


PKCS#11 Version 2.01 – DKCK201.DLL

Type / Function

General Purpose Functions
    C_Initialize
    C_Finalize
    C_GetInfo
    C_GetFunctionList
Slot and Token Management Functions
    C_GetSlotList
    C_GetSlotInfo
    C_GetTokenInfo
    C_WaitForSlotEvent
    C_GetMechanismList
    C_GetMechanismInfo
    C_InitToken
    C_InitPIN
    C_SetPIN
Session Management Functions
    C_OpenSession
    C_CloseSession
    C_CloseAllSessions
    C_GetSessionInfo
    C_GetOperationState
    C_SetOperationState
    C_Login
    C_Logout
Object Management Functions
    C_CreateObject
    C_CopyObject
    C_DestroyObject
    C_GetObjectSize
    C_GetAttributeValue
    C_SetAttributeValue
    C_FindObjectsInit
    C_FindObjects
    C_FindObjectsFinal
Encryption Functions
    C_EncryptInit
    C_Encrypt
    C_EncryptUpdate
    C_EncryptFinal
Decryption Functions
    C_DecryptInit
    C_Decrypt
    C_DecryptUpdate
    C_DecryptFinal
Message Digesting Functions
    C_DigestInit
    C_Digest
    C_DigestUpdate
    C_DigestKey
    C_DigestFinal
Signing and MACing Functions
    C_SignInit
    C_Sign
    C_SignUpdate
    C_SignFinal
    C_SignRecoverInit
    C_SignRecover
Verifying Signatures and MACs Functions
    C_VerifyInit
    C_Verify
    C_VerifyUpdate
    C_VerifyFinal
    C_VerifyRecoverInit
    C_VerifyRecover
Dual-Function Cryptographic Functions
    C_DigestEncryptUpdate
    C_DecryptDigestUpdate
    C_SignEncryptUpdate
    C_DecryptVerifyUpdate
Key Management Functions
    C_GenerateKey
    C_GenerateKeyPair
    C_WrapKey
    C_UnwrapKey
    C_DeriveKey
Random Number Generation Functions
    C_SeedRandom
    C_GenerateRandom
Parallel Function Management Functions
    C_GetFunctionStatus
    C_CancelFunction
Callback Functions
    Surrender callbacks
    Vendor-defined callbacks



INDEX

Numerics
10SR reader 35
330u token 75

A
AccessPolicy DWORD value 100
Administrator 56
Auto Cert Registration Utility 55, 95

B
Background color 50
Biometrics 79

C
CAC
    functional differences 106
    what is 105
CAC card 65
CAPI functions 97, 109
Card readers 8
Certificate
    attributes 68
    default container 67, 70
    deleting 66
    exporting 67
    moving 66
    overview 4
Certificate Authority (CA) 4, 23
Certificate store 66
Change user/install command 35
CIP 1
    installing 9
    uninstalling 18
CIP Desktop 12, 76
CIP Utilities 47, 96
    background color 50
    basics 48
    configuration 56
    configuring 53
    enable log 55
    exit 74
    font settings 51
    icons 52
    left pane 49
    log 55
    right pane 49
    starting 47
    toolbar buttons 51
    troubleshooting 73
Citrix 9, 34, 35
Color 50
Common problems 73
Container 67, 70
CryptoAPI 3
Cryptoki Trace settings 51, 54

D
Data object 72
    deleting 72
    exporting 72
Datakey CIP Desktop 47
Datakey CIP Thin 33
Default container 67, 70
Delete On Removal option 55
Detailed display 53
Digital ID 4
DKAdmin.dat file 57
DKGINASR 21
DKLogger 54
DWORD value 97
    AccessPolicy 100
    ResetPolicy 101
    TimePeriod 102

E
Enable access to the Configuration Dialog option 57
Entrust 9, 11, 19

F
Fast user switching 45
Fat client 33
Feedback Agent 51
FIPS 140-2 3
Fonts 51

G
GINA 21

H
Help system 20, 73

I
Icons 52
Identrus token 27, 77
IIS 39
iKey 2
Inactivity timer 60
Initializing a token 61
Installation 9

K
Key
    attributes 70
    deleting 69
    exporting 69
    private 4, 23, 66, 69
    public 4, 23, 69
Key sharing 1
Keyboard users 49

L
Library version 64
Log settings 54
Logging on/off 58

M
Match-on-card 79
MetaFrame 35
Microsoft 19
Microsoft IIS 39

N
Netscape 19
NFuse 37

O
Object name 55
Online Help 20, 73

P
Passphrase
    changing 59
Passphrase complexity rules 11, 25
Passphrase Utility 95
PIN pad reader 22
PIN timeout 97
PKCS#11 1, 3
    functions 111
PKCS#12 file 63
PKI 4, 23
Private key 4, 23, 66, 69
Public key 4, 23, 69, 70
Publishing Citrix applications 41

Q
Quality Feedback Agent 51, 56

R
Reader 2, 8
    changing 19
    enabling serial reader 55
    installing (adding) 19
    uninstalling 19
readers 8
Refresh 53
Registration 20
Registry editor 98
Requirements 7
ResetPolicy DWORD value 101
Right-click menu 49
Roaming 33, 34, 42, 45

S
Secure Gateway 40
SHA-1 103
Single sign-on 97
SmartLogon 12
    what is 94
SmartMonitor 47, 93
SmartNotes 12, 95
SSO 97, 102
Status bar 53
Support 20
System requirements 7

T
Terminal Server 42
Testing a token 63
Thin client 33
Timeout 97
TimePeriod DWORD value 102
Token 2, 8
    features 2
    initializing 17, 61
    label 60
    logging on/off 58
    testing 63
    updating 68, 71
    what is 2
Token server 54
Toolbar buttons 51
Troubleshooting 73
Trusted application 103

U
Unblocking 75

V
Version 64

W
Web Interface 37
Windows 2000 logon 67, 70
Windows certificate store 66
Windows XP machine 45

X
X.509 67


SafeNet Inc.
2051 Killebrew Drive
Suite 620
Bloomington, MN 55425
Phone: (952) 890-6850
Toll-free: 1-888-328-2539
Fax: (952) 890-2726
