Net iD Enterprise, Technical Description v6 · Net iD Enterprise is not only a Cryptographic...

1 / 90 Net iD Enterprise Technical Description v6.6 Confidentiality: Public

Copyright 2017 © SecMaker AB Confidentiality: Public

Net iD Enterprise Technical Description

v6.6

Net iD Enterprise Technical Description v6.6

Copyright 2017 © SecMaker AB

Confidentiality: Public

Document no: SMP-DO11-02

Date: 2017-07-04

Contents

1 Introduction ........................................................ 6 1.1 About this document ........................................................ 6 1.2 Who should read this document ....................................... 6 1.3 Error codes ...................................................................... 6 1.4 Feedback......................................................................... 6 1.5 Contact ............................................................................ 6

2 What is Net iD Enterprise?................................... 7 2.1 Overview ......................................................................... 7 2.2 Overview on Windows platforms ...................................... 8 2.3 Overview when using PKCS#11 ...................................... 9

3 Installation Microsoft Windows ......................... 10 3.1 What will be installed? ................................................... 10

Files ...................................................................... 10 Registry ................................................................ 11

3.2 What will be uninstalled? ............................................... 12 3.3 Package naming conventions on Windows platforms ..... 12

4 Installation Linux ............................................... 13 4.1 What will be installed? ................................................... 13

Files ...................................................................... 13 Single user installation ......................................... 14

4.2 Running installation ....................................................... 14 4.3 Build custom installation ................................................ 14 4.4 What will be uninstalled? ............................................... 14

5 Installation macOS ............................................ 15 5.1 What will be installed? ................................................... 15

Files ...................................................................... 15 5.2 Running installation ....................................................... 15 5.3 Web browser ................................................................. 15 5.4 What will be uninstalled? ............................................... 15

6 Settings ............................................................. 16 6.1 [AllowedServers] ............................................................ 16 6.2 [Command] .................................................................... 16

Admin ................................................................... 17 Watch ................................................................... 17 App ....................................................................... 17

6.3 [Components] ................................................................ 17 6.4 [CredentialProvider] ....................................................... 17

Version ................................................................. 17 Presentation ......................................................... 18 Enable .................................................................. 18 Disable ................................................................. 18 AutoLogon ............................................................ 18 Activate ................................................................ 18 DisableAutoLogon ................................................ 18 InitChangePin ....................................................... 18 Mode .................................................................... 19

WrappedGUID ...................................................... 20 BlockGUID ........................................................... 20 AcceptIssuers ....................................................... 20 DefaultIssuers ...................................................... 20 DenyIssuers ......................................................... 20 RememberLastUsed ............................................ 20

6.5 [CredentialProvider Certificate] ...................................... 21 Enable .................................................................. 21

Disable .................................................................. 21 6.6 [CredentialProvider Change] .......................................... 21 6.7 [CredentialProvider Enroll] ............................................. 21

Parameters/RequestURL/ResponseURL ............. 21 ChallengeResponse ............................................. 21 Timeout ................................................................. 21 AlwaysUnlock ....................................................... 21

6.8 [CredentialProvider Password] ....................................... 22 6.9 [CredentialProvider Pin] ................................................. 22

Enable .................................................................. 22 AutoLogon ............................................................ 22 DisableAutoLogon ................................................ 22 InitChangePin ....................................................... 22

6.10 [CredentialProvider Unlock] ............................................ 22 ChallengeResponse ............................................. 22 Timeout ................................................................. 23

6.11 [CSP] ............................................................................. 23 AcceptBothKeySet ................................................ 23 AcceptIssuers ....................................................... 23 AllowedDuplicateUsage ........................................ 23 CacheCard............................................................ 23 CertificateStoreMode ............................................ 23 ClearUserPinCache .............................................. 24 ConnectPCSC ...................................................... 24 ContainerNameMode ............................................ 24 DeleteAtNewKeySet ............................................. 24 DenyIssuers .......................................................... 24 DisableInsert ......................................................... 24 DisableNonRep ..................................................... 24 DisableRandom .................................................... 25 DisableSilent ......................................................... 25 Enable .................................................................. 25 FriendlyName ....................................................... 25 InitChangePin ....................................................... 26 InstallCaCert ......................................................... 26 LoadExternal......................................................... 26 LoadMyself ........................................................... 26 KeepCertificates ................................................... 26 KeepSessionAlive ................................................. 27 NamePrefix ........................................................... 27 OverwriteCertificate .............................................. 27 PublishMachineStore ............................................ 27 ReplaceCertificate ................................................ 27 StoreContainerName ............................................ 27 UseCritical ............................................................ 28 VerifyCertificate .................................................... 28

6.12 [DefaultCertificate].......................................................... 28 6.13 [Dialog] .......................................................................... 28

Advanced .............................................................. 28 NoUserInterface .................................................... 29 Redirect ................................................................ 29 PathApplication ..................................................... 29 PathApplicationDisable ......................................... 29 PathResource ....................................................... 29 Theme .................................................................. 29 Theme_v<nn>....................................................... 29 Timeout ................................................................. 29 Info<name>........................................................... 30 Customize ............................................................. 30

6.14 [Dialog Image] ................................................................ 31 6.15 [Dialog Presentation] ...................................................... 31

Language .............................................................. 32

3 / 90 Net iD Enterprise Technical Description v6.6 Date: 2017-07-04


Multiple Choices ................................................... 32 Image ................................................................... 32 Title ...................................................................... 33 SubTitle ................................................................ 33 TextAbove ............................................................ 33 TextBelow ............................................................ 33

6.16 [Dialog Presentation Certificate] ..................................... 33 6.17 [Dialog Presentation Pin] ............................................... 33 6.18 [Directory] ...................................................................... 33 6.19 [DynamicStrings] ........................................................... 34

Enable .................................................................. 34 Format .................................................................. 34

6.20 [Encryption] ................................................................... 34 Format .................................................................. 34

6.21 [Encryption FileExtensions] ............................................ 34 Encrypt ................................................................. 35 Sign ...................................................................... 35

6.22 [Event <name>] ............................................................. 35 6.23 [General]........................................................................ 35

CheckCaExpire .................................................... 36 CheckCardExpire ................................................. 36 CheckEnroll .......................................................... 36 CheckSoftExpire................................................... 36 EnableWinlogon ................................................... 36 EventList .............................................................. 37 ExplorerExtension ................................................ 37 ExplorerMenu ....................................................... 37 ExtraService ......................................................... 37 StartMenu ............................................................. 37 TaskbarAccessMode ............................................ 38 TaskbarIcon ......................................................... 38 TaskbarMenuMode .............................................. 38 UseService ........................................................... 39

6.24 [Install] ........................................................................... 39 Build ..................................................................... 39 Configuration ........................................................ 39 Directory ............................................................... 39 ProductName ....................................................... 39 List ........................................................................ 39 Version ................................................................. 39

6.25 [Install Option]................................................................ 40 MergeOldConfig ................................................... 40 RemoveOldInstall ................................................. 40 ShowWizard ......................................................... 40 SpecialBuild ......................................................... 40

6.26 [Install Shortcuts] ........................................................... 40 6.27 [Language] .................................................................... 41

Allowed ................................................................. 41 Current ................................................................. 41

6.28 [License] ........................................................................ 41 Cards .................................................................... 41 Company .............................................................. 41 Issuers .................................................................. 41 Name .................................................................... 42 Value .................................................................... 42

6.29 [Links] ............................................................................ 42 Admin ................................................................... 42 Error ..................................................................... 42 Help ...................................................................... 42 Mail ....................................................................... 42 Support ................................................................. 42

6.30 [Links Action] ................................................................. 42

6.31 [Links Custom] ............................................................... 44 6.32 [LRA] .............................................................................. 44 6.33 [MiniDriver] ..................................................................... 44

AllowSecondary .................................................... 44 CacheCard............................................................ 44 CertificateCompression ........................................ 44 CheckFileCMap .................................................... 45 ClearUserPinCache .............................................. 45 Disable .................................................................. 45 DisableFileCache .................................................. 45 DisablePinCache .................................................. 45 FriendlyName ....................................................... 45 GuidKeyId ............................................................. 46 IgnoreFileCardCF ................................................. 46 IgnoreFileCMap .................................................... 46 IgnoreLogout......................................................... 46 KeyGenerateMode ................................................ 46 MaxKeySize .......................................................... 47 MinKeySize ........................................................... 47 MoveCertificates ................................................... 47 NoLoadPkcs11Keys ............................................. 47 OverwriteCertificates ............................................ 47 RegisterCertificate ................................................ 47 PinCacheDisable .................................................. 48 PinCacheTimeout ................................................. 48 ReadOnly .............................................................. 48 SetDefaultCertificate ............................................. 48 SortCertificate ....................................................... 48 UseSuppliedPadding ............................................ 48 UseExternCardCF ................................................ 49 Version ................................................................. 49 WriteCardBlock ..................................................... 49

6.34 [NetControl] .................................................................... 49 Applications .......................................................... 49 Ask ........................................................................ 49 Enable .................................................................. 49 LogonApplication .................................................. 50

6.35 [Pkcs11] ......................................................................... 50 AlwaysLoginForSSL ............................................. 50 DetectNewSlots .................................................... 50 DisableDuplicate ................................................... 50 DisableNonRep ..................................................... 50 EnableExternalMutex ............................................ 51 FriendlyName ....................................................... 51 LoginTimeout ........................................................ 51 LogonApplication .................................................. 51 LogoutAtLastSession ............................................ 51 InsertEmptySlots ................................................... 52 OpenSSL .............................................................. 52 PinMaxDigits ......................................................... 52 PinMinDigits .......................................................... 52 PinReportError ...................................................... 52 RandomDisabled .................................................. 53 ResetTempFiles .................................................... 53 SeparateThreadSearch ........................................ 53 SessionToken ....................................................... 53 SinglePin .............................................................. 53 TraceExecuteTime ................................................ 53 UpdateSlotsForEvent ............................................ 54 VerifyAlgorithms .................................................... 54 WaitForSmartCardService .................................... 54



6.36 [Plugin] .......................................................................... 54 AccessGetProperty .............................................. 54 AccessSetProperty ............................................... 54 AccessEnumProperty ........................................... 54 AccessInvoke ....................................................... 55 Audit ..................................................................... 55 Allowed ................................................................. 55 Disable ................................................................. 55 Enable .................................................................. 55 StartService .......................................................... 56

6.37 [Report LOGON] ............................................................ 56 6.38 [Report PIN] ................................................................... 56 6.39 [Report UNLOCK_WORKSTATION] .............................. 56 6.40 [SCS] ............................................................................. 56

Address ................................................................ 56 Ports ..................................................................... 57 Protocols .............................................................. 57 Size ...................................................................... 57 Start ...................................................................... 57 Stop ...................................................................... 57

6.41 [SingleSignOn]............................................................... 57 CSP ...................................................................... 57 Disable ................................................................. 57 PKCS11 ............................................................... 58 Server ................................................................... 58 StartServer ........................................................... 58 UseCache ............................................................ 58 UseService ........................................................... 58 UseStored ............................................................ 58

6.42 [SmartCard] ................................................................... 59 CalculateUsedTime .............................................. 59 CommandChaining ............................................... 59 CreateUpdateCounter .......................................... 59 DefaultProfile ........................................................ 59 MaxProfiles .......................................................... 59 NoDiskCache ....................................................... 60 ObjectSortMode ................................................... 60 PinExpire .............................................................. 60 PinHistory ............................................................. 60 PinMaxLen ........................................................... 60 PinMinLen ............................................................ 61 PinPolicy .............................................................. 61 PinType ................................................................ 61 Temporary ............................................................ 61 TemporaryValidity ................................................ 61 UseInternalUpdate ............................................... 61 ValidateUpdateCounter ........................................ 62

6.43 [SmartCard Compress] .................................................. 62 Library .................................................................. 62 UncompressOnly .................................................. 62

6.44 [SmartCard Keys] .......................................................... 62 6.45 [SmartCardProfiles] ....................................................... 62

Erase .................................................................... 62 Keys ..................................................................... 63 Parameter ............................................................ 63 SimpleErase ......................................................... 63 Files ...................................................................... 63

6.46 [SmartCardReader]........................................................ 63 AllowReaderRemoval ........................................... 63 Accepted .............................................................. 64 CachePath ........................................................... 64 CacheValidity ....................................................... 64

CacheAcceptUnknown ......................................... 64 CheckInformation .................................................. 64 CheckPinPad ........................................................ 64 Denied .................................................................. 64 Detect ................................................................... 65 KeepLoggedInLocked ........................................... 65 KeepPinCache ...................................................... 65 LockDelay ............................................................. 65 LockTimeout ......................................................... 65 MaxTransfer.......................................................... 66 Mode ..................................................................... 66 Poll ........................................................................ 66 Protocol ................................................................ 66 ReloadOnError ...................................................... 66 SingleConnection .................................................. 66 Scope ................................................................... 67 SystemCacheValidity ............................................ 67

6.47 [SmartCardReader CTAPI] ............................................. 67 Enable .................................................................. 67 List of libraries....................................................... 67

6.48 [SmartCardReader PCSC] ............................................. 67 CallTrace .............................................................. 67 Enable .................................................................. 67 Library ................................................................... 68 StateTimeout ........................................................ 68 Unload .................................................................. 68 UseCritical ............................................................ 68

6.49 [SoftToken] .................................................................... 68 Events ................................................................... 69 FileExtension ........................................................ 69 PinExpire .............................................................. 69 PinFailure ............................................................. 69 PinHistory ............................................................. 70 PinMaxLen ............................................................ 70 PinMinLen ............................................................. 70 PinPolicy ............................................................... 70 PinType ................................................................ 70

6.50 [TaskbarEvent] ............................................................... 70 [TaskbarEvent Insert] ............................................ 70 [TaskbarEvent Remove] ....................................... 70

6.51 [Trace] ........................................................................... 71 Component ........................................................... 71 File ........................................................................ 71 Server ................................................................... 71 UseLocalTime ....................................................... 71

6.52 [Trace Call] .................................................................... 71 6.53 [View] ............................................................................. 72

FileExtension ........................................................ 72 iidxwatch.exe ........................................................ 72

6.54 [Watch] .......................................................................... 72 UseService ........................................................... 72

6.55 [Multiple Watch commands] ........................................... 72 [Watch Insert]........................................................ 72 [Watch Remove] ................................................... 73

6.56 [Multiple Watch running] ................................................. 73 6.57 [Logon Watch] ................................................................ 73

[Watch Logon Insert] ............................................. 73 [Watch Logon Remove] ........................................ 73

7 Watch ................................................................ 74 7.1 Arguments ..................................................................... 74

Argument “-w” ....................................................... 74 Argument “-match” ................................................ 74



Argument “-wait” ................................................... 74 Argument “-message” ........................................... 74 Argument “-hide” .................................................. 75 Argument “-sync” .................................................. 75 Argument “-logon” ................................................ 75 Argument “-term” .................................................. 75 Argument “-recognized” ........................................ 75

7.2 Commands .................................................................... 75 Command ‘application’ ......................................... 75 Command ‘close’ .................................................. 76 Command ‘extern’ ................................................ 76 Command ‘kill’ ...................................................... 76 Command ‘load’ ................................................... 76 Command ‘open’ .................................................. 76 Command ‘set’ ..................................................... 76 Command ‘script’ .................................................. 77

8 Trace ................................................................. 78 8.1 Trace Row ..................................................................... 78

Processes and Threads ....................................... 78 Execution Time..................................................... 80

8.2 Functions ....................................................................... 80 PKCS#11 ............................................................. 80 CSP ...................................................................... 80 Minidriver .............................................................. 81 Plugin ................................................................... 81

8.3 Help Functionality .......................................................... 81 Trace Parse .......................................................... 81 Trace Split ............................................................ 82

9 Command Tool .................................................. 83 9.1 Start............................................................................... 83 9.2 Commands .................................................................... 83

10 Changes between versions ................................ 84 10.1 Changes between v6.5.1 and v6.6 ................................. 84

Chapter 5 Installation macOS .............................. 84 Chapter 6 Settings ................................................ 84 Chapter 8 Trace ................................................... 86

10.2 Changes between v6.4 and v6.5.1 ................................. 86 Chapter 6 Settings ................................................ 86

10.3 Changes between v6.1.1 and v6.4 ................................. 86 General in all texts ................................................ 86 Chapter 2 What is Net iD Enterprise? .................. 86 Chapter 3 Installation Microsoft Windows ............ 86 Chapter 5 Installation OS X .................................. 87 Chapter 6 Settings ................................................ 87 Chapter 7 Watch .................................................. 88 Chapter 9 Command Tool .................................... 88

10.4 Changes between v6.1.1 and v6.1.2 .............................. 89 Chapter 6 Settings ................................................ 89

10.5 Changes between v6.1 and v6.1.1 ................................. 89 Chapter 6 Settings ................................................ 89

10.6 Changes between v6.0 and v6.1 .................................... 89 Chapter 6 Settings ................................................ 89

11 References ........................................................ 90



1 Introduction

1.1 About this document

This document provides detailed technical information for the product Net iD Enterprise version 6.6.

1.2 Who should read this document

The document is written primarily for technicians responsible for, or involved in, configuration, packaging, installation and

support of software in the IT-infrastructure. Also software architects and developers may find useful information for the

configurations necessary to obtain certain behavior of the product.

1.3 Error codes

A link to the latest list of error codes can be found at https://www.secmaker.com/help.

1.4 Feedback

Please forward your comments and problem reports to the following e-mail addresses.

Any problems should be reported by sending an e-mail to:

[email protected].

Any other feedback may be reported by sending an e-mail to:

[email protected].

1.5 Contact

SecMaker AB

Phone: +46 (0) 8 - 6012300

E-mail: [email protected]

Ordering of Technical documents:

www.secmaker.com: Partners – Developers – Technical manuals.

mailto:[email protected]

http://www.secmaker.com/



2 What is Net iD Enterprise?

Net iD Enterprise is not only a Cryptographic Service Provider (CSP) but also a full PKI-client supporting the Minidriver

architecture and PKCS#11 in addition to Microsoft Cryptographic API. Net iD Enterprise is one of the markets most configurable

PKI-clients and a powerful enabler for numerous IT-solutions and concepts. The number of configuration parameters adds

complexity to the product but in most cases the standard packages can be used without any adjustments. Furthermore the

ability to adjust even small details often saves projects from dead ends where applications with unorthodox PKI-interpretations

can be helped/forced to work as intended.

For technicians supporting IT-solutions involving certificates and smart cards it is important to have a basic understanding of the

interfaces that Net iD Enterprise works with. The following overview pictures should be useful.

2.1 Overview

Smart Card reader

Physical and electrical interfaces

I/O Device Driver

I/O Channel Controller

Software

Hardware

CAPI-aware applications like: Internet Explorer, Outlook, etc.

PKCS#11-aware applications like: Firefox, SSH, Lotus Notes, etc.

PKCS#11

SmartCard Resource Manager

SmartCard Reader Driver (OmniKey, Gemalto....)

pcsc-lite PC/SC

Net iD additional modules: SSO, Mifare, Credential Provider etc.

Net iD PKCS#11

Microsoft Base

Smart Card

Crypto Provider

basecsp.dll

Net iD Minidriver

CAPI2 / CAPI1

Net iD - CSP Net iD Plugin

CAPI2

CNG

Microsoft Smart

Card Key Storage Provider scksp.dll



2.2 Overview on Windows platforms



2.3 Overview when using PKCS#11



3 Installation Microsoft Windows

3.1 What will be installed?

Files

The application will be installed in the standard location for applications using the product name as the folder name. The

following files will be added on all Windows operating systems:

%PROGRAMFILES%\Net iD\iid.dll

Contains core functionality

%PROGRAMFILES%\Net iD\iid.exe

Loads core library

%PROGRAMFILES%\Net iD\iidcsp.dll

CryptoAPI CSP library

%PROGRAMFILES%\Net iD\iidp11.dll

PKCS#11 library

%PROGRAMFILES%\Net iD\iidplg.dll

ActiveX and Mozilla Firefox plugin library

%PROGRAMFILES%\Net iD\iidxadm.exe

Loads administration utility

%PROGRAMFILES%\Net iD\iidxcmt.exe

Configuration commit application

Mozilla Firefox browsers will get a copy of the plugin library installed in the appropriate plugin folder (with the name npiidplg.dll).

The following files are optional and may be added, depending on package:

%PROGRAMFILES%\Net iD\iid.cfg

Global configuration if Registry settings not used

%PROGRAMFILES%\Net iD\iidxcp.dll

Credential Provider

%PROGRAMFILES%\Net iD\iidxcse.dll

GPO Client Side Extension

%PROGRAMFILES%\Net iD\iidxmd.dll

Minidriver library, complete with PKCS#11 library

%PROGRAMFILES%\Net iD\iidxmifare.dll

Mifare library

%PROGRAMFILES%\Net iD\iidxsc.dll

Minidriver library, will require PKCS#11 library

%PROGRAMFILES%\Net iD\iidxsso.dll

Single-Sign-On library

%PROGRAMFILES%\Net iD\iidxtrace.dll

Trace service library

%PROGRAMFILES%\Net iD\iidxwatch.exe

Watch application



%PROGRAMFILES%\Net iD\iidxweb.exe

Web application

The installation package may also include several images (bmp and ico files supported) loaded by either password or credential

provider dialog, depending on package:

%PROGRAMFILES%\Net iD\iidx<name>.<image file extension>

Image for password or credential provider dialog. By default only iidxcp.ico will be included.

User specific data is stored in Windows standard location for application data using product short name as the folder name:

%APPDATA%\iid\iid.cfg

Local configuration

%APPDATA%\iid\tokens\<name>.tkn

Soft tokens

Registry

Several new keys and values will be added to Windows registry: Net iD as an ActiveX component, all supported cards, Net iD

as a CSP and uninstall specifications.

[HKEY_CLASSES_ROOT\CLSID\{5BF56AD2-E297-416E-BC49-00B327C4426E}]

Registry key for the Net iD plugin class.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Net iD – <CARD NAME>]

Registry keys of supported smartcards for CSP.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Net iD - CSP]

Registry key for Cryptographic Service Provider.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\iid]

Registry key for uninstall parameters for the application.

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Net iD]

Registry key for the context menu in Microsoft Explorer.

One of the following will be added depending on whether it is running as a service or as a background process.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Net iD]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] > Net iD

There are also some optional Registry entries which will be added depending on package:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{01C81C98-0787-42AF-

B2EE-9B60A616C125}]

Registry key for GPO Client Side Extension.

[HKEY_CLASSES_ROOT\CLSID\{5BF56AD2-E297-416E-BC49-00B327C44270}]

Registry key for Credential Provider.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Net iD – # <CARD NAME>]

Registry keys of supported smartcards for minidriver.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{5BF56AD2-E297-

416E-BC49-00B327C44270}

Registry key for Credential Provider.

Using Watch will add a startup entry depending on whether it is running as service or as background process.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Net iD Watch]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] > Net iD Watch



The configuration is by default stored in Registry. The location is possible to configure and will be stored at Registry uninstall

key mentioned above. The default configuration location when using Registry is:

[HKEY_LOCAL_MACHINE\SOFTWARE\SecMaker\NetiD\Enterprise]

3.2 What will be uninstalled?

All files installed during installation and registry settings will be removed during uninstall with one single exception: existing soft

tokens will NOT be removed, this is to avoid problems with users removing their soft tokens by mistake.

3.3 Package naming conventions on Windows platforms

Net iD Enterprise packages follow a set of naming conventions for easy identification of a specific package

All packages starts with the prefix “iidsetup_” followed by two or three letters identifying the customer. The naming ends with

four digits describing the package contents.

First digit:

The first digit tells if it is a package intended for clients or servers:

1= Package intended for clients.

2= Package intended for servers.

Second digit:

The second digit gives information regarding which components are included in the package. The combinations are as follows:

0 = No extra components included.

1 = The “Single Sign-on” (SSO) component is included (PIN-caching).

2 = The “Logon”-component is included, i.e. a Credential Provider is installed.

3 = Both 1 and 2 described above is included (SSO and Logon).

4 = The Net iD Minidriver for usage with “Microsoft Smart Card Base CSP” is included.

5 = Both 1 and 4 described above is included (SSO and Minidriver).

6 = Both 2 and 4 described above is included (Logon and Minidriver).

7 = Both 1, 2 and 4 described above is included (SSO, Logon and Minidriver).

8 = Unused.

9 = Special packages.

Here two examples, one” clean” package and one with SSO:

Third digit:

The third digit is used to separate packages with the same components but with different configuration. For example 1901 and

1911. 1901 could be intended for standard in-house desktops and 1911 for laptops with some kind of preparations for a specific

VPN-client.

Fourth digit:

The fourth digit is used as a package counter, for instance if the first build was updated with a new link or a new logotype.



4 Installation Linux


Files

The application will be installed in the standard location for libraries and binaries. The following files will be added on all Linux

operating systems:

/etc/iid.conf

Global configuration

/etc/iid/admin/

Local web site for administration

/etc/iid/gui/

Components for graphic user interface

/etc/iid/iid.ico

Application icon

/etc/iid/uninstall

Application uninstall script

/usr/bin/iid

Symbolic link to iid.<version>

/usr/bin/iid.<version>

Loads core library

/usr/lib/libiid.so

Symbolic link to libiid.so.<version>

/usr/lib/libiid.so.<version>

Contains core functionality

/usr/lib/libiidgui.so

Symbolic link to libiidgui.so.<version>

/usr/lib/libiidgui.so.<version>

Graphical user interface library

/usr/lib/libiidp11.so

Symbolic link to libiidp11.so.<version>

/usr/lib/libiidp11.so.<version>

PKCS#11 library

/usr/lib/libiidplg.so

Symbolic link to libiidplg.so.<version>

/usr/lib/libiidplg.so

Mozilla Firefox plugin library

Netscape/Mozilla/Firefox browsers will have a copy of the plugin library installed in the appropriate plugin folder (with the name

npiidplg.so).



The following files are optional and may be added, depending on package:

/usr/bin/iidxwatch

Symbolic link to iidxwatch.<version>

/usr/bin/iidxwatch.<version>

Watch application

The installation package may also include several images (bmp and ico files supported) loaded by either password or credential

provider dialog, depending on package:

/etc/iid/ iidx<name>.<image file extension>

Image for password dialog

User specific data is stored in Linux standard location for application data using product short name as the folder name:

/home/<user>/.iid/iid.conf

Local configuration

/home/<user>/.iid/tokens/<name>.tkn

Soft tokens

Single user installation

The file location above is for all user installation, but the installation may also be single user. For single user installation the

components will be installed in the following directories:

/usr/lib => /home/<user>/.iid/lib

/usr/bin => /home/<user>/.iid/bin

/etc/iid => /home/<user>/.iid

Note: For single user installation global and local configuration file will be the same file.

4.2 Running installation

The installation package iidsetup.tar.gz contains everything, all installation files compressed to a single file. Extract all files to

any folder and run install script using sudo to install for all users:

cp iidsetup.tar.gz /tmp

tar xvf iidsetup.tar.gz

cd iidsetup

sudo ./install

Running without sudo will create a single user installation; everything is installed below /home/<user>/.iid/. This is not

recommended, since single user installation will always override any future upgrades for all users.

4.3 Build custom installation

The installation file ‘install’ is a standard shell script, any modification is possible.


The installation package includes an uninstall script, copied to /etc/iid.

sudo /etc/iid/uninstall

All files installed will be removed during uninstall with one single exception: eventual soft tokens will NOT be removed, to avoid

problems with users removing their soft tokens by mistake.



5 Installation macOS


Files

All files from Linux installation will be installed in the same location as for macOS, the difference is that library names will end

with ‘.dylib’ instead of ‘.so’.

Starting from Net iD Enterprise v6.4.1, files are installed in new locations:

/usr/local/bin/ (old location: /usr/bin/)

/usr/local/lib/ (old location: /usr/lib/)

/Library/Security/tokend/ (old location: /System/Library/Security/tokend/)

macOS will also include the following component:

/Applications/Utilities/Net iD.app

Application for starting of Net iD Enterprise app Administration GUI.

5.2 Running installation

The installation is delivered as an macOS installation file: iidsetup.app, which will initiate the standard installation wizard. A

popup will appear with a dialog to let the user enter an administration password and run the installation script in the exact same

manner as the Linux installation. There will only be an all user installation, since installation will not continue unless

administration password is entered.

5.3 Web browser

Safari should be used as web browser.


The installation package include an uninstall script, copied to /etc/iid.

sudo /etc/iid/uninstall

All files installed will be removed during uninstall with one single exception: eventual soft tokens will NOT be removed, to avoid

problems with users removing their soft tokens by mistake.



6 Settings

There are a number of settings, which can be set to change the functionality and/or behavior of the product. For Windows

platforms there is an administration utility which can be used for update of some of the configuration parameters, but for all

operating systems the parameters may be updated with the plugin object, see section 6.3.1 Operation ‘ApplyConfig’ in the Net

iD Enterprise Developer’s Guide for more information.

The storage format of the configuration file is UTF-8, and the content is classic Windows settings format with sections and

entries. From v6.0 of Net iD Enterprise, the configurations may be stored in Registry on Windows platforms, each section below

will be translated to a key with sub-keys. The location will be stored at the uninstall key for the product.

The name of the file is iid.cfg for Windows and iid.conf for Linux/macOS, see installation section for each operating system for

default location of the files. The location may be changed using environment variables ‘iidconfig’ for the global configuration file

and ‘iidconfiglocal’ for the local configuration file.

There are both a local and global configurations available, the local configuration will always be read before the global

configuration, but for most sections, the local configuration will be ignored. The following sections are read from both local and

global configuration:

[ATR]

[Language]

[SmartCard]

[SmartCard Profiles]

[SoftToken]

[Trace]

6.1 [AllowedServers]

This entry contains a list of sites and access modes for use with the plugin. Currently there are five modes available:

0 –> Blocked access – only create non-repudiation signatures is allowed

1 –> Full access – including modify configuration

2 –> Use access – all except modify configuration

3 –> Limited access – user will be asked to allow access

4 –> Limited access – user will be asked to allow access and the answer will not be saved

Wild card ‘*’ may be used to set a value for a group of sites.

Example:

http://*=0

https://*.secmaker.com=2

https://netid.secmaker.com=1

https://demo.secmaker.com=1

Note 1: File system access protection, also known as Sandbox, will also interfere with all updates. Never try to update unless

your server is registered as trusted site in the web browser.

Note 2: Parameter Plugin>Allowed is also used to set access mode for entire applications.

6.2 [Command]

This section is used to specify start parameters for internal applications instead of normal start parameters given when creating

the application process.

https://demo.secmaker.com=1/



Admin

This value is only used when no start parameters is given for the main loader component.

Example:

Admin=-command

Watch

This value is only used when no start parameter is given for the Watch component.

Example:

Watch=config

App

Default start parameter for App command.

Example:

App=-url file:///%InstallLocation%\gui\index.html -size 0x01400200 -center -resizing -useragent

6.3 [Components]

This section will contain information about the installed components. The information is only used to detect updates from the

original installation, see section 6.3.40 Operation ‘ValidateInstallation’ in the Net iD Enterprise Developer’s Guide for more

information.

6.4 [CredentialProvider]

This section specifies the behavior for Credential Provider. This provider is used by Microsoft standard dialogs in three different

scenarios: selecting credential, selecting certificate, and enter PIN. In the scenarios of smart cards with certificates; selecting

credential will be a combination of both selecting a certificate and enter PIN.

This section is used to configure the behavior for selecting credential, [CredentialProvider Certificate] is used to specify the

behavior for certificate selection and [CredentialProvider Pin] is used to specify the behavior for enter PIN.

All parameters in the CredentialProvider section can also be set using the application.

Example:

Mode=iid.exe,0x1121;*,0

This example sets Mode=0x1121 for iid.exe application and Mode=0 for all others.

It is a requirement that the credential provider component is included in the installation and that this configuration section is

present.

Version

All entries except those used for presentation may have different values depending on Windows version. A value with version

number as a postfix will only apply to that version of Windows.

<entry>_v61 -> Windows 7


<entry>_v63 -> Windows 8.1


Example:

Enable=0

Enable_v61=1

Enable_v100=1



Presentation

Presentation will be based on the information from [Dialog Presentation], but if presentation should be different it will be possible

to specify the same entries in this section.

Image

Title

SubTitle

TextAbove

TextBelow

Enable

This entry specifies whether Credential Provider should be enabled or not.

0 –> Credential Provider not available

1 –> Credential Provider available

Default value is 1, Credential Provider is available, will still require that the configuration section is present and the component is

available.

Disable

This entry specifies a list of applications that will not use the Credential Provider. Use ‘;’ to separate the applications.

By default the list is empty; all applications will use Credential Provider.

AutoLogon

This entry specifies the automatically logon behavior in situations where there is only a single credential available and the PIN

already has been entered. The dialog will be shown but the PIN entry will be automatically filled and the OK button will

automatically be pressed.

0 –> Will not use automatically logon

1 –> Will use automatically logon

Default value is 0; automatically logon is disabled.

Activate

This entry is used to prompt PIN for Credential Provider.

0 –> Will not prompt

1 –> Will prompt PIN for windows logon

2 –> Will prompt PIN for CredUI

3 –> Will prompt PIN for all scenarios

Default value is 3; prompt PIN for all scenarios.

DisableAutoLogon

This entry specifies a list of applications that should not use the automatically logon feature. Use ‘;’ to separate the applications.

Default Windows logon applications “logonui.exe;lsass.exe”.

DisableAutoLogon=lsass.exe;logonui.exe

InitChangePin

This entry is used to force a PIN change for Credential Provider. Used together with PinExpire in SmartCard section.

0 –> Will not force PIN change

1 –> Will force PIN change for windows logon

2 –> Will force PIN change for CredUI

3 –> Will force PIN change for all scenarios



Default value is 3; force PIN change for all scenarios.

Mode

This entry specifies the mode of operation, either pass-through provider or full provider. The pass-through provider will intercept

the Microsoft standard provider and modify the behavior, but the full provider will implement all functionality itself and will not

rely on anything else.

To make the full provider work as expected for all available parameters it is also necessary with some additional configurations

that will not be described.

0 –> Will use pass-through provider

0x???1 –> Will use full provider

Default value is 0; will use pass-through provider.

Full CredentialProvider Mode.

Detect insert/remove Access mode:

0x01?? –> via PC/SC.

0x02?? –> via polling.

0x03?? –> via PKCS#11.

Read certificate Access mode:

0x00?? –> using CSP.

0x10?? –> using PKCS#11.

The values for “Detect” and “Read” are combined to form the complete access value.

Example:

Detect via PC/SC and read via CSP.

Mode=0x01??

Example:

Detect via PKCS#11 and read via PKCS#11.

Mode=0x13??

Other modes:

0x??1? -> Show certificate even if it does not contain UPN.

0x??2? -> Show all certificates, not only first.

0x??4? -> Show all card readers, not all unused.

0x??8? -> Show only certificates with key usage smart card logon.

Combining Access and Other mode will give the complete Full CredentialProvider mode.

Example:

Detect PCSC, read PKCS11, show all cert.

Mode=0x1121

Detect PKCS11, read PKCS11, show all cert but require smart card logon.

Mode=0x13A1

Soft token mode, currently only supported for test.

0x???4 -> Soft token mode.

Recommended mode for Windows login with soft token (virtual smart card):



Detect PKCS11, read PKCS11, show all certificates and allow soft tokens.

Mode=0x1325

*Also [SmartCardReader]>Detect=0 is recommended for optimal performance.

Note: When using Full Credential Provider, CredentialProvider Pin must be disabled, see section 6.9.1.

WrappedGUID

This entry specifies the guid for the provider that should be wrapped when used in pass-through mode.

The default value will wrap Microsoft standard providers and is depending on provider scenario and Windows version.

BlockGUID

This entry specifies the guid which should be blocked. Default will block a possible provider that is wrapped when using pass-

through, but this entry may also specify additional providers.

AcceptIssuers

This entry specifies a list of issuers of user certificates that are allowed to be used in Credential Provider, no other certificates

will be shown. The configuration is only valid with the full provider.

Default none; certificates from all issuers are shown.

Example:

[CredentialProvider]

Mode=0x???1

AcceptIssuers=subject|O=User Org;issuer|CN=User CA v1;issuer|CN=User CA v2

DefaultIssuers

This entry specifies a list of issuers that will be used when deciding which user certificate that should be considered as the

default certificate in Credential Provider. Will set the certificate that is matching the most prioritized value in the list as default.

The values in the list are prioritized from left to right. The configuration is only valid with the full provider.

Default none; no default certificate defined.

Example:


Mode=0x???1

DefaultIssuers=subject|O=User Org;issuer|CN=User CA v1;issuer|CN=User CA v2

DenyIssuers

This entry specifies a list of issuers of user certificates that are not allowed to be used in Credential Provider, all other

certificates will be shown. The configuration is only valid with the full provider.

Default none; certificates from all issuers are shown.

Example:


Mode=0x???1

DenyIssuers=subject|O=User Org;issuer|CN=User CA v1;issuer|CN=User CA v2

RememberLastUsed

This entry is used to remember last used credential for LogonUI and CredUI. Max 10 credentials.

0 –> Will not remember last used

1 –> Will remember last used

Default value is 0; Will not remember last used credential.



6.5 [CredentialProvider Certificate]

This section is used for certificate selection with Credential Provider.

Enable

This entry specifies whether Certificate Provider should be enabled or not.

0 –> Certificate Provider not available

1 –> Certificate Provider available

Default value is 1, Certificate Provider is available, will still require that the configuration section is present and the component is

available.

Disable

This entry specifies a list of applications that will not use the Certificate Provider. Use ‘;’ to separate the applications.

By default the list is empty; all applications will use Certificate Provider.

Disable=iexplore.exe;app.exe

6.6 [CredentialProvider Change]

This section specifies customization of a possible additional Credential Provider scenario: change PIN/password. Currently

there are many limitations, so it should not be used. This may be enhanced in the future when no longer relying on Microsoft

Credential Provider.

6.7 [CredentialProvider Enroll]

This section specifies the behavior when inserting an empty smart card; should a certificate be enrolled to the smart card or

not? The behavior is relying on an additional component called LRA (local registration authority) and is currently only available

on project basis, since it will require a connection to a certificate authority.

Parameters/RequestURL/ResponseURL

These entries are used to generate the certificate request and the value is depending on the LRA component, see LRA

documentation for more information.

ChallengeResponse

This entry tells whether challenge/response should be used when unlocking the PIN. The smart card to be enrolled may be

locked for security reasons.

0 –> Normal PUK is used to unlock PIN

1 –> Challenge/response used to unlock PIN

Default value is 0; normal PUK is used to unlock PIN.

Timeout

This entry tells the number of seconds a challenge should be valid when using challenge/response mode.

Note: The smart card will be locked during the operation, since the next call after generating the challenge should be the

response. No other application will be able to access the smart card until the timeout is reached or the operation is

finished/aborted.

AlwaysUnlock

This entry tells whether the smart card always should be unlocked during enrollment.

0 –> Will unlock smart card when locked

1 –> Will always unlock smart card

Default value is 0; will unlock smart card when locked.



6.8 [CredentialProvider Password]

This section specifies customization of a possible additional Credential Provider scenario, smart card with username/password

stored as data object on a smart card (in chip or using Mifare).

The implementation is still experimental and should only be used for proof-of-concept.

6.9 [CredentialProvider Pin]

This section is used to enter PIN dialog with Credential Provider. Must be disabled when used with Full Credential Provider.

Enable

This entry specifies whether Pin Provider should be enabled or not.

0 –> Pin Provider not available

1 –> Pin Provider available

AutoLogon

This entry specifies the automatically logon behavior in situations where there is only a single credential available and the PIN

already has been entered. The dialog will be shown but the PIN entry will be automatically filled and the ok button will

automatically be pressed.

0 –> Will not use automatically logon

1 –> Will use automatically logon

Default value is 0; automatically logon is disabled.

DisableAutoLogon

This entry specifies a list of applications that should not use the automatically logon feature. Use ‘;’ to separate the applications.

Default Windows logon applications “logonui.exe;lsass.exe”.

DisableAutoLogon=lsass.exe;logonui.exe

InitChangePin

This entry is used to force a PIN change for Pin Provider. Used together with PinExpire in SmartCard section.

0 –> Will not force PIN change

1 –> Will force PIN change for windows logon

2 –> Will force PIN change for CredUI

3 –> Will force PIN change for all scenarios

Default value is 3; force PIN change for all scenarios.

6.10 [CredentialProvider Unlock]

This section specifies the behavior when inserting a smart card with locked PIN. The same entries as available for

[CredentialProvider] may be specified. There is also some additional information that may be specified.

ChallengeResponse

This entry tells whether challenge/response should be used when unlocking the PIN.

0 –> Normal PUK used to unlock PIN

1 –> Challenge/response used to unlock PIN

Default value is 0; normal PUK used to unlock PIN.



Timeout

This entry tells the number of seconds a challenge should be valid when using challenge/response mode.

Note: The smart card will be locked during the operation, since the next call after generating the challenge should be the

response. No other application will be able to access the smart card until the timeout is reached or the operation is

finished/aborted.

6.11 [CSP]

This section specifies the behavior for the Microsoft CryptoAPI CSP.

AcceptBothKeySet

This entry will enable/disable usage of both key set types for internal key container format. Some CryptoAPI applications will not

check for correct values in the certificate store instead assume the key type.

0 –> Only correct key set may be retrieved

1 –> Both key sets may be retrieved

Default value is 0; only correct key set may be retrieved.

AcceptIssuers

This entry specifies a list of issuers which will be registered in user store for CryptoAPI, use ‘;’ to separate different issuers.

Default none, all certificate are registered.

Note: May use [CSP]>DenyIssuers to specify a list that will be denied.

AllowedDuplicateUsage

This entry can be used to limit extended usage for duplicate certificates. Specify object identifier for the extended usages that

should be allowed, separate with ';'. Use text string <none> to allow nothing. Default empty, no special handling for duplicate

certificates.

Note: Typical use for this entry is to continue to allow to use a certificate for decryption even after that the certificate has been

replaced with a new certificate.

CacheCard

This entry can be used to enable/disable writing of certificate/container information to a cache file. The cache is used by

Credential Provider when it is used in pass-through mode. Microsoft has some limitations regarding multiple access, so this is

used to avoid extra access from the Credential Provider towards the CSP when used with Microsoft Provider.

0 –> Certificate information is not written

1 –> Certificate information is written

Default value is 1; certificate information is written.

Note: DO NOT EDIT, default value should be used.

CertificateStoreMode

This entry is used to sort certificates for CSP via PP_USERCERT_STORE.

0x01 –> Newest certificate first

0x02 –> Oldest certificate first

0x04 –> Invert list

Example:

CertificateStoreMode=app.exe,0x01;app2.exe,0x04



ClearUserPinCache

This entry will enable/disable clear of user PIN cache by the internal certificate propagation service.

0 –> Will not clear user PIN cache

1 –> Will clear user PIN cache for logged on user

2 –> Will clear all user PIN cache for all smart cards

4 –> Will clear all user PIN cache for all tokens in same session

Default value is 2; will clear user PIN cache for all users.

Note: In terminal server sessions value 2 should never be used, since it will clear PIN cache for other users.

ConnectPCSC

This entry specifies a list of applications, separated by using ‘;’, that will have their own PCSC connection from CSP.

Example:

ConnectPCSC=lsass.exe;iexplore.exe

Default none; no applications will be handled.

ContainerNameMode

This entry specifies the name format of the container representing certificates and corresponding private key.

0 –> 'thumbprint (slotid)'

1 –> '\\.\cardreader\thumbprint (slotid)'

2 -> 'thumbprint'

3 -> '\\.\cardreader\thumbprint'

Default value is 0; 'thumbprint (slotid)'.

DeleteAtNewKeySet

This entry will enable/disable deletion of old key set when generating a new key.

0 –> Will not delete old key set

1 –> Will delete old key set

Default value is 0; will not delete key set.

Note: Typically used with certificate enrollment for CA’s without support for delete key set. Normal behavior is that a delete

operation is called before generating a new key set.

DenyIssuers

This entry specifies a list of issuers which will not be registered in user store for CryptoAPI, use ‘;’ to separate different issuers.

Default none; all certificates are registered.

Note: May use [CSP]>AcceptIssuers to specify a list that will be accepted.

DisableInsert

This entry will enable/disable showing of insert card dialog when requested smart card is not present.

0 –> Will show possible insert card dialog

1 –> Will not show possible insert card dialog, operation will fail.

Default value is 0; will show insert card dialog when needed.

DisableNonRep

This entry will try to enable/disable use of non-repudiation certificates for Microsoft CryptoAPI.



0 –> Will not disable certificates

1 –> Will disable certificates

Default value is 1; will try to disable use of non-repudiation certificates.

Note 1: Will set extended key usage to document signing only for certificates with key usage non-repudiation if extended key

usage is not available.

Note 2: Will disable usage for all CryptoAPI applications using CryptoAPI to get the extended key usage property, but not

applications retrieving this information from the certificate value.

DisableRandom

This entry will enable/disable use of Net iD CSP for generating random values.

0 –> Will allow to generate random values

1 –> Will not allow to generate random values

Default value is 1; will allow generating of random values.

Note: Microsoft will generate two signatures during Windows smart card logon when CSP is used to generate random values,

but only one signature when random is disabled. This will increase performance for smart cards with slow RSA operations.

DisableSilent

This entry will enable/disable check of CRYPT_SILENT flag when creating new CryptoAPI contexts with CryptAcquireContext.

Setting the CRYPT_SILENT flag when creating new CryptoAPI context means that the calling application will not allow the CSP

to show any dialogs.

0 –> Will check silent flag

1 –> Will ignore silent flag.

Default value is 0; will check silent flag.

Note: Some CryptoAPI applications require silent operation, but forget to transmit PIN when accessing the private key. This

allows CSP to show dialog even when silent operation is specified.

Enable

This entry is used to enable/disable to storage of certificates in CryptoAPI user store.

0 –> Certificate not registered

1 –> Certificate registered

Default value is 1; will register certificate in CryptoAPI user store.

FriendlyName

This entry is used to register a friendly name for the certificate in CryptoAPI user certificate store. The following wild cards may

be used:

%label%

%issuer.<object identifier>%

%subject.<object identifier>%

Label is the certificate label stored with the certificate object, issuer and subject are any of the object identifiers available in the

subject or issuer field from the certificate. Any combination of static text and wild cards above may be used.

Default value is "%subject.2.5.4.3% (%issuer.2.5.4.3%)".

Note: For unknown reason some CryptoAPI applications require friendly name to be static for a certificate. This may cause

problems when both Net iD Enterprise certificate service and Microsoft is registering the certificate in CryptoAPI user certificate

store, since Microsoft will not specify any friendly name.



InitChangePin

This entry is used to initialize a change PIN dialog, when PIN is about to expire.

0 -> Will not initiate a change PIN

1 -> Will initiate a change PIN

Default value is 0; no change PIN dialog.

InstallCaCert

This entry can be used to control installation of CA certificates to CryptoAPI store.

0 -> Will not install

1 -> Will install

Default value is 1; will install CA certificates.

LoadExternal

This entry can be used to enable/disable loading of Net iD Enterprise main library directly when the CSP is loaded. This may

increase performance, but may cause unloading to be slightly slower.

0 -> Will not load external

1 -> Will load external

Default value is 0; will not load external.

Note: Do not use in terminal server sessions, since this may cause library to never be unloaded. If not unloaded this will cause

memory leaks.

LoadMyself

This entry is used to control loading and unloading of the CSP, when enabled the CSP library will not be unloaded. This was

recommended by Microsoft for enhanced performance, but is no longer recommended by Microsoft.

0 -> Will not load myself

1 -> Will load myself

Default value is 1; will load myself.

Note 1: DO NEVER use in terminal server sessions, since it will cause memory leaks.

Note 2: Recommended to use in normal client packages when not using a single-sign-on component. This loading will start

automatic caching of PIN status to avoid multiple PIN dialogs for CryptoAPI applications.

KeepCertificates

This entry is used to control the behavior of certificate storage when a smart card is removed. Normally certificates will be

removed from CryptoAPI user certificate store when smart cards are removed.

0 -> Will not keep certificates

1 -> Will keep certificates

Default value is 0; will not keep any certificates.

Note 1: Certificate stored in CryptoAPI store will cause a smart card insert dialog if any application tries to use the certificate

when the smart card is removed.

Note 2: Do not keep certificates on a computer which is used by several different users, since all users’ certificates will be

available for selection.



KeepSessionAlive

This entry is used to control the behavior of CryptoAPI contexts. Normally the PKCS#11 sessions will be closed as soon as the

context is released, using this parameter will cause the session to be alive and wait for a new identical session. This behavior

may increase performance.

0 -> Will not keep session alive

1 -> Will keep session alive

It is also possible to specify a list of application names instead of 1, specified applications will have value 1 (all other 0).

Default value is 0; will not keep session alive.

Example:

KeepSessionAlive=1

KeepSessionAlive=iexplorer.exe;lsass.exe

NamePrefix

This entry is used as prefix for names when registered for smart card logon during installation.

Default value is empty; none.

OverwriteCertificate

This entry is used to control the behavior of registering certificates in CryptoAPI stores. Normally Net iD Enterprise always will

try to register the certificates to Net iD CSP, even if another CSP already has registered the certificate.

0 -> Will not overwrite certificate

1 -> Will overwrite certificate

Default value is 1; will overwrite certificate.

PublishMachineStore

This entry is used to control the behavior of registering certificates in CryptoAPI stores. Normally Net iD Enterprise always will

try to register the certificate both for the user and the machine. This will allow applications running in system environment to use

the certificate.

0 -> Will not publish in machine store

1 -> Will publish in machine store

Default value is 1; will try to publish in machine store.

ReplaceCertificate

This entry is used to control the behavior when writing certificates with the CSP. Normally we only write the certificate, but this

parameter may be used to initiate a search for identical certificates and remove those if found. Identical means same

issuer/subject/key.

0 -> Will not replace certificate

1 -> Will replace certificate

Default value is 0; will not replace certificate.

Note: Replace certificate is useful for auto-enrollment to delete old certificate when new certificate is written.

StoreContainerName

This entry is used to when the container name has a special meaning for the calling application and needs to be used for future

calls, i.e. Entrust. This will limit the use of secondary certificates and should be avoided.

0 -> Container name is automatically generated

1 -> Container name is stored and will be remembered



Default value is 0; container name is automatically generated.

UseCritical

This entry is used to add a critical section for all CryptoAPI contexts. This should normally not be needed, since the same

context should not be used by multiple threads simultaneously. It will also be possible to add a global critical section, this will

only allow one single thread at each time to access the CSP.

0 -> Critical section not present

1 -> Critical section present

2 -> Global critical section present

Default value is 1; will add a critical section.

VerifyCertificate

This entry will enable/disable validation of certificates before registration in CryptoAPI store. The validation is only made on the

certificate value and signature if the CA certificate is available, no check is made regarding certificate revocation.

0 -> Will not verify certificate

1 -> Will verify certificate

Default value is 0; will not verify certificate.

6.12 [DefaultCertificate]

Some CryptoAPI applications still require the use of a default certificate and have no functionality to let the user select which

certificate to use.

This section allows registering of a specific certificate to a specific application. Format:

<application>=<number>|<issuer>|<subject>|<usage>

‘Application’ is the name of the application. The application name ‘Default’ may be used to specify the default behavior.

‘Number’ is the certificate serial number.

‘Issuer’ is the certificate issuer field.

‘Subject’ is the certificate subject field.

‘Usage’ is the certificate key usage.

Only specify those values that should be matched, set a ‘*’ character for match all. For example the following will require a

specific issuer common name and key usage when used with the application:

app.exe=*|2.5.4.3=SecMaker CA v2|*|A0

Note: This section will be ignored if any certificate on the token is marked as default.

6.13 [Dialog]

This section controls the behavior when loading dialogs.

Advanced

This entry will enable/disable advanced dialogs for the old user interface. The advanced dialogs will include a bitmap

representing the certificate used; see 6.14 [Dialog Image] configuration section for more information.

0 -> No advanced dialog

1 -> Use advanced dialog

Default value is 1; will always try to use advanced dialogs.



Note: By default not used with current GUI. Advanced dialogs requires a certificate to match correct dialog and to get name and

validity information. Will show standard dialog if no certificate is available.

NoUserInterface

For a specified list of applications this entry will disable the user interface to be shown in the same process as the application

itself. An attempt to show the user interface will instead create a separate process that will show the user interface, for example

a PIN dialog.

Default value is “lsass.exe;iexplore.exe;firefox.exe;chrome.exe;”

Redirect

This entry will enable/disable redirection of open dialog requests to another process; the value is a full path to any application.

PathApplication

This entry specifies the full path to an application that should be used to show the web-based user interface. The parameter is

required when a dialog is started from within an Internet Explorer session, since Internet Explorer will interfere with the user

interface. The recommended value is the internal loader.

Example:

PathApplication=%InstallLocation%\iid.exe

PathApplicationDisable

This entry specifies a list of applications that should not use another application to show the user interface. Use ‘;’ to separate

the applications.

Default is none; all applications will use another application when enabled.

PathResource

This entry specifies the full path to the location containing the web-based user interface. The recommended value is within the

installation directory.

Example:

PathResource=file:///%InstallLocation%\gui\

Theme

This entry specifies the theme that should be used by the web-based user interface. This will be translated to a parameter when

opening the dialog and the real meaning will be decided by the implementation of the web-based user interface.

Theme_v<nn>

This entry is the same as Theme, but specifies the theme that should be used for a specific Microsoft Windows version.

Theme_v61 -> Windows 7


Theme_v63 -> Windows 8.1


Default value is Theme_v62; Windows 8.

Timeout

This entry specifies the number of minutes the web-based dialog should be shown until it is automatically closed when using

another application to show the user interface

Default value is 10; 10 minutes.



Info<name>

The web-based user interface will require configuration for each dialog that will be shown. The following list is currently

available:

InfoAbout -> About dialog

InfoAdmin -> Administration dialog

InfoChangePIN -> Change PIN dialog

InfoExitWindows -> Exit Windows dialog

InfoFileXXXX -> ExplorerMenu dialog

InfoInsertToken -> Insert smart card dialog

InfoNotify -> Notify dialog

InfoPIN -> Enter PIN dialog

InfoSelect -> Select certificate dialog

InfoSetup -> Setup dialog

InfoUnlockPIN -> Unlock PIN dialog

InfoViewToken -> View token dialog

It is also possible to add custom utility dialogs started via main loader:

Info<custom> -> Custom Utility started via iid.exe –admin <custom>

All entries have the following format: “<file>;<size>;<dynamic>;<extra>”

The <file> value is either a full URL to any location or relative to the PathResource parameter:

Index.html

file:///%InstallLocation%/index.html

The <size> value is a hexadecimal digit where the first four digits specify the dialog width (pixels) and the last four digits specify

the dialog height (pixels).

The <dynamic> value is used when calculating the dialog height based on dynamic content, i.e. select certificate may contain

one or more certificates. The value is hexadecimal digit where the first four digits tells the number of objects that was used for

the <size> parameter and the last four digits tells the number of pixels that should be added/removed for each object.

The <extra> value specifies other useful parameters, the current available list of parameters:

-application -> Considered application and will not start new dialog (PathApplication ignored)

-center -> Will calculate position to center of screen (override –position)

-debug -> Will show any error and/or warning dialogs, i.e. javascript errors

-noframe -> Will hide standard dialog frame (only Windows)

-position <value> -> Position of dialog

-resizing -> Will add resizing frame to dialog

-secure -> Will start dialog using Secure Desktop (only Windows)

-theme -> Will start selected dialog

-transparent <value> -> Value is an RGB color value that should be translated to transparent (only Windows)

Customize

There are endless possibilities to customize the dialogs, since the web-based interface and the plugin object are available. The

actual parameters for each type of dialog are not documented and may be updated for each future version. The best approach

is to check the web pages for the delivered user interface and modify it. The parameters will probably not change until next

major release, but there is no guaranty, even a minor update may change/add/remove parameters.



6.14 [Dialog Image]

This section specifies images (bmp and ico files supported) which will be displayed to represent a certificate when the advanced

dialog is used.

Entry format:

<issuer commonname>|<issuer serialnumber>

Either issuer common name or serial number is used to identify which entry to use. Example:

SecMaker CA v2=…

Value format:

<file>[,<position name>[#<color name>]:<position time>[#<color time>]]

The value specifies full path to the image file that should be loaded and positioning/color of name and time information from the

certificate.

Example:

SecMaker CA v2=c:\images\card.bmp,0x00100044:0x00110058

Name information is subject common name from the certificate. Time information is the date part of the valid to field from the

certificate.

Position is always calculated from upper left corner of the bitmap, first four hexadecimal digits is X coordinates (left to right) and

last four hexadecimal digits is Y coordinates (top to bottom).

Color is specified with RGB values, two hexadecimal digits for each part: #RRGGBB.

Example

SecMaker CA v2=c:\images\card.bmp,0x00100044#0xFF00AA

Note: [Dialog] > Advanced must be enabled.

6.15 [Dialog Presentation]

This section is used to customize presentation for internal dialogs using the new web-based user-interface and Credential

Provider dialogs.

The intention is to be able to show different information depending on the certificate, to enhance the user experience when

selecting the certificate or enter the PIN. The information displayed is always one image and several text fields.

The following wild cards may be used below.

%cardlabel%

%cardnumber%

%expire%


%keyusage%

%pinattempts%

%scenario%

%space%


%upn%

Card label and number are retrieved from the smart card. Key usage and expire will be retrieved from the certificate. For issuer

and subject values, the object identifiers will be used to specify the values retrieved from the issuer respective subject fields of

the certificate. The UPN value is the user principal name from the certificate. The PIN attempts will be available with a warning



message when 0, 1 and 2 attempts remains. The space value is a single white space. The scenario is only available for

Credential Provider and specifies the active scenario: CREDUI/LOGON/UNLOCK_WORKSTATION.

Language

To handle different strings for different language entries: Title, SubTitle, TextAbove and TextBelow may be prefixed with a short

name of the language.

Example:

Title=eID Card %cardlabel%

en_Title=eID Card %cardlabel%

se_Title=eID Kort %cardlabel%

Multiple Choices

To handle different strings for different type of certificates: Image, Title, SubTitle, TextAbove and TextBelow may be specified

with multiple choices, first combination that generates a non-empty string will be used. Separate with ‘;’ and will check from left

to right.

Example:

Title=%subject.2.5.4.3%;%cardlabel%

Note: Since character ‘;’ is used as separator, it may not be used as a part of the value.

Image

This entry specifies a list of images which may be used to display a certificate, bmp and ico files are supported. Use the wild

cards above, wild cards will always be replaced, not found will generate an empty value. The search will try to find an entry in

the same section with the generated string after wild card replacement.

Example:

Image=BMP(%issuer.2.5.4.3%);

BMP(SecMaker CA v2)=iidxca2.ico


or

Image=BMP(CA);

BMP(CA)=iidxca_%issuer.2.5.4.3%.ico

It is also possible to specify a nomatch and default image that will be shown for unknown certificates, without this entry Microsoft

standard bitmap will be used.

Example:

BMP(Default)=iidxdef.bmp

BMP(NoMatch)=iidxnomatch.bmp

Unknown certificate means that the certificate is external, or that no smart card is present.

Example:

Image=BMP(%issuer%.2.5.4.3);BMP(NoMatch)



BMP(Default)=iidxdef.ico

BMP(NoMatch)=iidxnomatch.ico



Title

This entry specifies the title for selection entry. Use any combination of static text and wild cards above.

Default value is certificate common name. This value is always visible.

Example:

Title=%subject.2.5.4.3%

SubTitle

This entry specifies the subtitle for selection entry. Use any combination of static text and wild cards above.

Default value is static text “Smart card logon“, translated to local language. This value is always visible.

Example:

SubTitle=%issuer.2.5.4.3%

TextAbove

This entry specifies an extra text field for the selection entry, located above the PIN entry edit field. Use any combination of

static text and wild cards above.

Default value is user principle name from the certificate. This value is visible when selection entry is selected.

Example:

TextAbove=%cardlabel%

TextBelow

This entry specifies an extra text field for selection entry, located below the PIN entry edit field. Use any combination of static

text and wild cards above.

Default value is none. This value is visible when selection entry is selected.

Example:

TextBelow=%pinattempts%

6.16 [Dialog Presentation Certificate]

This section is used when different information should be presented for certificate selection and enter PIN dialog. The same

entries as for [Dialog Presentation] may be specified and the values in this section will be used for certificate selection when

specified. If not specified the entries in [Dialog Presentation] will be used.

6.17 [Dialog Presentation Pin]

This section is used when different information should be presented for certificate selection and enter PIN dialog. Same entries

as for [Dialog Presentation] may be specified and the values in this section will be used for PIN dialog when specified. If not

specified the entries in [Dialog Presentation] will be used.

6.18 [Directory]

This section contains a list of directories which may be used during search for certificates. This information may be used to store

certificates in a LDAP directory instead of the smart card. Currently this parameter is only used on Windows platforms.

Format:

<number>=<name>|<ldap>|<base>|<filter>

Value <name> is the entry description.

Value <ldap> is the complete address to the LDAP directory.

Value <base> is the LDAP search base, where the certificate search should start.



Value <filter> is the LDAP search filter used to limit the number of certificates found. Use any of the following filter criteria to find

matching certificates:

<cardserialnumber>

<subjectkeyidentifier>

<publickeydigest>

Certificate service will try to find additional certificates when a smart card is inserted based on the information above. Example:

1=SecMaker|ldap://ca.secmaker.com|CN=SecMaker CA,O=SecMaker,C=SE|card=<cardserialnumber>

6.19 [DynamicStrings]

This section is used for dynamic loading of strings. All strings are usually stored in string tables, but may instead be read from

this section when enabled. This allows for custom strings, for example an informative warning message including custom

specific information and/or link.

Enable

This entry will enable/disable the use of dynamic strings.

0 -> No dynamic strings

1 -> Use dynamic strings

Format

Any string may be replaced and they are identified by the short language name and the resource string id.

Example, about dialog title:

EN_1000=About

SE_1000=Om

Remove short language to use the same string for all languages.

Example:

1000=About

You may retrieve the available resource string ids by calling “iid.exe -strings [path]”.

6.20 [Encryption]

This section controls the behavior when creating encrypted messages.

Format

This entry specifies the default encryption format of the created encrypted message. Useful when encryption format is not

specified, for example when used with Windows Explorer.

0 -> PKCS#7

1 -> S/MIME

Default value is 0; encrypted message is according to the PKCS#7.

6.21 [Encryption FileExtensions]

This section controls the default file extensions.



Encrypt

This entry specifies the default file extension when encrypting files.

Encrypt=p7m

Default value is ‘p7m’.

Sign

This entry specifies the default file extension when signing files.

Sign=p7s

Default value is ‘p7s’.

6.22 [Event <name>]

This section contains a list of commands that should be executed when the <name> event occur. Events are only supported on

Windows platforms. The <name> event will be executed only if the current Windows user is using a smart card and the smart

card PIN is verified. The matching between logged on Windows user and the used certificate requires a user principal name in

the certificate.

The commands may be specified with wild cards to set the custom information:

%number% - Card serial number

%upn% - User principal name from the certificate

%user% - User name part of %upn%

%domain% - Domain part of %upn%

Each command is either a load external command or an application that should be started.

Example:

[Event TEST]

1=load %InstallLocation%\iid.dll,EntryAdmin –about

2=%programfiles%\view\load.exe –url index.html?number=%number%&upn=%upn%

6.23 [General]

CheckCaExpire

CheckCardExpire

CheckEnroll

CheckSoftExpire

EnableWinlogon

EventList

ExplorerExtension

ExplorerMenu

ExtraService

StartMenu

TaskbarAccessMode

TaskbarIcon

TaskbarMenuMode

TaskbarMoveColor

UseService



The entries are only available for Windows platforms.

CheckCaExpire

Use this parameter to get a warning message when a CA has expired. Specify common name from the issuer field, use ‘;’ to set

multiple issuers. Default none, no warning message.

Example:

CheckCaExpire=SecMaker CA v2;SecMaker CA v3

CheckCardExpire

Use this parameter to get a warning message when a smart card is about to expire or has expired. Specify the number of days

before the expiry that the message should be shown. It is also possible to specify a specific issuer name to only check

certificates from a certain issuer and ignore all other certificates, separate with ‘,’. May also specify a list of number of days and

issuer names, separate with ‘;’.

The card is about to expire when there is no certificate available with a validity that is longer than the specified number of days

added to the current date.

Default value is 0; no warning message.

Example:

CheckCardExpire=30,CN=SecMaker CA v2;

CheckCardExpire=30,CN=SecMaker CA v2;20,CN=Inteom CA v3;

The warning message may be replaced with a custom action dialog, see 6.30 [Links Action] for more information.

Note 1: The certificate validity time must exceed twice the number specified to get a warning. This has been implemented to be

able to handle the situation when the same CA is used to issue ‘normal’ certificates and temporary certificates with short validity

time. Temporary certificates will not get a warning message.

Note 2: Use this parameter in combination with [DynamicStrings] to set a custom message with a direct URL link to a certificate

update page.

CheckEnroll

Use this parameter to get an event when a smart card without any or a specific certificate is inserted. The value may specify a

token model name and token serial number followed by the CA which is wanted. All values may be empty, which means that

any smart card without certificates will generate an enroll event. Token model name requires a complete string match and token

number requires a start string match. May also specify a list of values, separate with ‘;’.

There is no warning message dialog, but it is possible to specify a custom action dialog, see 6.30 [Links Action] for more

information.

Example:

CheckEnroll=,,;

CheckEnroll=eID Smart Card,123456,CN=SecMaker CA v3;

CheckSoftExpire

Identical to CheckCardExpire, but will check soft tokens instead of smart cards.

EnableWinlogon

Use this parameter to enable/disable register of supported smart cards in Registry.

Smart cards must be registered to handle CryptoAPI applications using smart card reader names when connecting towards the

CSP. Typical applications are Microsoft smart card logon on all Windows platforms.

0 – Smart cards are not registered

1 – Smart cards are registered



Default value is 1; smart cards are registered.

EventList

Use this parameter to listen to custom events. The value is a list of event names separated with ‘;’ and the action is specified in

section [Event <name>].

Example:

[General]

EventList=TEST

[Event TEST]

1=%InstallLocation%\iid.exe –test

The event is generated by calling the main loader component.

iid.exe –event TEST

There is also a special INTERNAL event, the name must still be specified in the list if used. The INTERNAL event will start the

event by using the main loader.

iid.exe –event INTERNAL -about

This command will show the about box in the background service context.

ExplorerExtension

Use this parameter to specify which applications that enables/disables extending of some menu entries for Windows Explorer.

[General]

ExplorerExtension=explorer.exe

Default value is none; No applications will be configured.

ExplorerMenu

Use this parameter to enable/disable extending of some menu entries for Windows Explorer.

0 – Explorer menu not available

1 – Explorer menu available

Default value is 1; Explorer menu is available.

ExtraService

Use this parameter to configure a list of services that will be started/stopped by CertMover. Services in the list are separated by

semicolon.

Default value is none; No services will be configured.

Example:

[General]

ExtraService=SCS

StartMenu

Use this parameter to enable/disable installation of short cuts in the start menu.

0 – Start menu entries are not available

1 – Start menu entries are available

Default value is 1; start menu entries are available.



TaskbarAccessMode

Use this parameter to set access mode for the background service when moving certificates to CryptAPI store. The moving will

be initiated by checking the smart card insert/remove event or via polling. The polling will occur each ten seconds, and the

insert/remove event may be checked via PC/SC or PKCS#11.

0x01 – Check insert/remove event via PC/SC

0x02 – Check via polling

0x03 – Check insert/remove event via PKCS#11

There are also two different modes for reading certificates when a event is detected via mode above, either using PKCS#11 or

CSP.

0x00 – Read certificate using CSP

0x10 – Read certificate using PKCS#11

Those two values are added for the complete access value.

Example, detect via PC/SC and read via CSP:

0x01 + 0x00 = 0x01

Example, detect via PKCS#11 and read via PKCS#11:

0x03 + 0x10 = 0x13

Default value is 0x13.

TaskbarIcon

Use this parameter to show/hide the taskbar icon. The task bar icon will contain a menu with some short cuts for common tasks,

see TaskbarMenuMode below for more information. The taskbar icon will also show progress when cards are inserted or

removed.

0 – Taskbar icon is hidden

1 – Taskbar icon is visible

Default value is 1; task bar icon is visible.

TaskbarMenuMode

Use this parameter to limit the number of components that should be visible on the taskbar menu.

0x0001 – Change PIN

0x0002 – Unlock PIN

0x0004 - Administration (if available)

0x0008 – Crypt (if available)

0x0010 – Trace

0x0040 - Pause certificate service

0x0080 - Refresh certificate service

0x0100 – Exit

0x0200 – Certificates

0x0400 – View token

Combine the bitmasks with OR operation to select which components that should be visible. For example, to show all above:

TaskbarMenuMode=0x07DF

Default value is 0x07Df; all components are visible.

Note 1: Entries for support and help in the [Links] configuration section will be added to the task bar menu if available.

Note 2: The [Links Custom] configuration section may be used to add additional entries to the task bar menu.



UseService

Use this parameter to install the certificate service as a Windows service or a background process. The certificate service is the

process which may show a taskbar icon with menu.

0 – Install as a background process

1 – Install as a Windows service

-1 – Do not install certificate service

Default value is 1; certificate service is installed as a Windows service.

Note: It is not recommended to install as service any longer, since Windows Vista and later have increased the restrictions

between the user environment and the system environment.

6.24 [Install]

This section contains information about the installation.

Build

This entry specifies the build or rather the installation package information. Any string value is acceptable, but there are some

recommendations, more information is available through your support contact.

Configuration

This entry contains the full path to the configuration. This value is usually not specified, will use default based on what is suitable

for each platform. For Windows platforms the default location is a configuration file in the installation folder, but it may be useful

to move the entire configuration to Registry to be able to use GPO.

Example:

Configuration=%InstallLocation%\iid.cfg

Configuration=HKLM\SOFTWARE\SecMaker\NetiD\Enterprise

If the Registry is used software\policies will always be read first to check for GPO settings before other configurations are read.

At the moment this only applies for a limited number of configurations that are included in the GPO policy template supplied by

SecMaker.

Example of read order in Registry:

1. HKLM\SOFTWARE\Policies\SecMaker\NetiD\Enterprise

2. HKLM\SOFTWARE\SecMaker\NetiD\Enterprise

Directory

This entry contains the full path to the current installation.

ProductName

This entry contains the product name used by an OEM installation.

List

This entry contains a list of installed product names, used during uninstall to remove everything after an upgrade between OEM

and normal installation.

Version

This entry contains the complete version number in eight digits, two for each part:

<major><minor><fix><build>

The <major> and <minor> values specify a release, for example 05 and 04 for release 5.4.



The <fix> number always starts from 0 for first release and if there is any eventual problems found for the release which

requires a new version, this value is increased, for example first fix for 5.4 is 5.4.1.

The <build> number starts from 1 for first build for a specific <major> and <minor> value. This value is increased for each

delivered build. For example, for 5.4 was the first BETA 5.4.0.10, first RC was 5.4.0.20. The final 5.4 and 5.4.1 releases have

the values 5.4.0.26 respective 5.4.1.34.

6.25 [Install Option]

This section contains information used during the installation.

MergeOldConfig

This entry specifies the behavior during upgrade, whether a configuration should be merged or overwritten.

0 -> Overwrite configuration at upgrade

1 -> Merge configuration at upgrade

Default value is 1; configuration will be merged during upgrade.

RemoveOldInstall

This entry specifies the behavior during upgrade, whether the installation should remove old installation before a possible

upgrade.

0 -> Current installation is upgraded if old installation is available

1 -> Current installation is removed if old installation is available

Default value is 0; installation is upgraded.

ShowWizard

This entry is used to hide/show different wizard pages during installations, but some pages will always be available. The value is

a bitmask, enable bits to show the page:

0x01 -> Show select language page

0x02 -> Show accept license page

0x04 -> Show license value page

0x08 -> Show upgrade warning page when upgrading with different build names

0xFF -> Show all pages

Default value is 0xFF; show all pages.

SpecialBuild

This entry specifies the build information. There are three standard types defined, but any string value is acceptable. No value at

all, means standard release:

UD – Under Development

BETA – Pre-release

RC – Release Candidate

UD build is completely unsupported; should only be used when testing some special feature.

BETA build is not usually supported; all functionality for the coming release is present, but only development tests have been

performed.

RC build is usually not supported; all functionality for the coming release is present, but only sanity tests have been performed,

not complete system tests.

6.26 [Install Shortcuts]

This section specifies a number of additional shortcuts that will be included in the product start menu folder for Windows.



Format:

<number>=<name>;<binary>;<arguments>

Value <number> is the list entry number starting from 1.

Value <name> is the presentation name of the shortcut.

Value <binary> is the name of the application binary, must be available in the installation directory.

Value <arguments> is the eventual arguments needed by the application.

Example:

1=My Portal;iidxweb.exe;

6.27 [Language]

This section contains information about the language support.

Allowed

This entry specifies a list of supported languages, separate with ‘;’. This list can be used to limit the number of supported

languages. It is also possible to set a new name for the language. Format:

Allowed=<language name>[:<new language name>];

Example:

Allowed=English;Svenska;

Allowed=English:English US;Norsk:Norsk NN;

Default value is none; all supported languages will be available.

Current

This entry contains the current language, may also specify the string ‘auto’ to use the current local language on the computer.

Current=English

Default language is ‘English’. Any unsupported language or invalid language string will use the default language.

6.28 [License]

This section contains license information.

NOTE: Do not edit, the product will be unusable without correct license information.

Cards

This entry specifies a list of accepted smart cards defined by ATR. Seperated with “;”.

Cards=123456ABCDEF;ABCDEF123456

Company

This entry specifies the company name of the license.

Company=SecMaker AB

Issuers

This entry specifies a list of accepted certificates.

Issuers=O=SecMaker*



Name

This entry specifies the user name of the license.

Name=DEMO ONLY

Value

This entry specifies the license value.

Value=WagC-YmLC-emxh-lyne-iMvT-JKE8

6.29 [Links]

This section contains links which may be available in dialog boxes or used by the web browser plugin.

Admin

This entry controls the administration start parameter.

Admin=-admin

Admin=http://www.secmaker.com/admin

Default value is -admin; starts Administration GUI.

Error

This entry will be appended to error dialog boxes.

Error=https://www.secmaker.com/help/

Default value is none; no extra link in error dialog boxes.

Help

This entry will be shown in taskbar menu and appended to error dialog boxes if Error link is not specified.

Help=http://www.secmaker.com/help/

Default value is none; no help link in taskbar menu.

Mail

This entry will be used by administration utility for default mail address when initiating any send mail. For example when sending

a trace file from administration utility.

Mail=mailto:[email protected]

Default value is none; no default mail address.

Support

This entry will be shown in the taskbar menu.

Support=https://www.secmaker.com/support/

Default value is none; no support link in taskbar menu.

6.30 [Links Action]

There are several internal actions that may start a custom dialog instead of a message or internal dialog:

CaCertificateExpire

ChangePIN



Decrypt

Encrypt

ExitWindows Lock/Logout/Sleep/Hibernate/Disconnect/Restart/Shutdown

LicenseActivate

LicenseInvalid

PinExpired

Sign

TokenEvent

TokenInvalid

TokenNotPresent

TokenPresent

UnlockPIN

Verify

WarningCertificateEnroll

WarningCertificateExpired

WarningCertificateRenew

CA certificate expire will load custom action CaCertificateExpire instead of showing a message dialog.

ChangePIN/UnlockPIN are activated as soon as change or unlock PIN is requested, either by user selection from some menu or

as an automatic generated event for example when a smart card is inserted.

Decrypt/Encrypt/Sign/Verify are used for ExplorerMenu.

ExitWindows is used to set custom actions for Exitwindows commands.

The License actions has not been fully implemented but will be used in future versions.

PinExpired is used to trigger events when the ‘PIN validity period’ has expired according to the PIN policy, see settings in

section 6.42 [SmartCard] -> PinExpire.

The Token actions are used for custom token events.

The Warning actions are used to generate events automatically, for example when a smart card is inserted. All warning events

are generated by background process, see [General] > CheckCardExpire/CheckSoftExpire/CheckEnroll for more information.

All actions can specify a custom link to be opened:

XXX=-url http://netid.secmaker.com/xxx.html?xxx=zzz

XXX=-url file:///%InstallLocation%/xxx.html?xxx=zzz

There are some wild cards that will be used to identify the active token and/or certificate:

%ACTION% - The current action

%SLOTID% - The current slot id

%CERTIFICATE% - The current certificate

%EXPIRE% - The number of days until certificate is expired

The two latter wild cards are only availble for certificate expire/renewal.

It is also possible to add custom actions and run with -action:

TEST=-url http://www.secmaker.com

iid.exe –action TEST

http://netid.secmaker.com/xxx.html?xxx=zzz




6.31 [Links Custom]

This section includes any custom links to the taskbar menu for Windows, see 6.23.13 TaskbarMenuMode for more information.

Format:

<name>=<http address>

Any name string is allowed, this will be the presentation in the taskbar menu.

Any http address or action is allowed, this will be the link that is opened when selecting the entry in the menu. Example:

SecMaker=http://www.secmaker.com/

TESTLINK=-action TEST

6.32 [LRA]

This section specifies the behavior for the Local RA, see LRA documentation for more information.

6.33 [MiniDriver]

This section controls the behavior of the Minidriver component. It is a requirement that the Minidriver component is included in

the installation.

It is recommended to read the Microsoft Smart Card Minidriver Specification to fully understand the terminology.

Note 1: The values used are verified with Microsoft minidriver certification utility, so any changes may cause the certification to

fail.

Note 2: The minidriver certification uses a smart card with full access to administrator keys and some parameters are used to

handle situations where the smart card profile is more or less read-only.

AllowSecondary

This entry can be used to enable/disable writing of secondary certificates. When it is disabled, writing of the same certificate

object will result in the existing certificate being overwritten. The normal behavior for smart card minidriver is not to support

secondary certificates, meaning there is no support for multiple certificates using the same key.

0 –> Don’t allow secondary certificates

1 –> Allow secondary certificates

Default value is 0; secondary certificates are not allowed.

CacheCard

This entry can be used to enable/disable writing of certificate/container information to a cache file. This cache is used by

Credential Provider when used in pass-through mode. Microsoft has some limitations with multiple access, so this is used to

avoid extra access from Net iD Enterprise Credential Provider towards minidriver when used with Microsoft Provider.

0 –> Certificate information is not written

1 –> Certificate information is written

Default value is 1, certificate information is written.

Note: DO NOT EDIT, the default value should be used.

CertificateCompression

This entry is used to tell whether certificate compression is supported internally or not.

0 –> Certificate compression is not supported

1 –> Certificate compression is supported

Default value is 1; certificate compression is supported.



Note: DO NOT EDIT! Certificates are always stored compressed and without compression, the value will be compressed by the

caller when writing and will usually need the real certificate value when writing the certificates to most smart cards.

CheckFileCMap

This entry is used to tell whether certificate mapping file content should be checked before writing. When checked the mapping

file will only be written when different from the auto-generated content.

0 –> Certificate mapping file always written

1 –> Certificate mapping file only written when different from auto-generated

Default value is 0; certificate mapping file always written.

ClearUserPinCache

This entry will enable/disable clear of user PIN cache by the internal certificate propagation service.

0 –> Will not clear user PIN cache

1 –> Will clear user PIN cache for logged on user at disconnect/lock windows/exit windows

2 –> Will clear all user PIN cache for all smart cards

4 –> Will clear all user PIN cache for all tokens in same session

Default value is 2; will clear user PIN cache for all users.

Note: In terminal server sessions value 2 should never be used, since it will clear PIN cache for other users.

Disable

This entry specifies a list of applications which will not be able to use the minidriver, separated with ‘;’.

Example:

Disable=test.exe

DisableFileCache

This entry enables/disables Microsoft smart card file cache.

0 -> Microsoft smart card file cache active

1 -> Microsoft smart card file cache not active

Default value is 0; smart card file cache is active.

Note: Microsoft have some known problems with the smart card file cache when running terminal server, so it is recommended

to disable cache for these environments.

DisablePinCache

This entry enables/disables Microsoft smart card PIN cache.

0 -> Microsoft smart card PIN cache active

1 -> Microsoft smart card PIN cache not active

Default value is 0; smart card PIN cache is active.

FriendlyName

This entry is used to register a friendly name for the certificate in CryptoAPI user certificate store. The following wild cards may

be used:

%label%





Label is the certificate label stored with the certificate object, issuer and subject are any of the object identifiers available in the

subject or issuer field from the certificate. Any combination of static text and wild cards above may be used.

Default value is "%subject.2.5.4.3% (%issuer.2.5.4.3%)".

Note: For unknown reason some CryptoAPI applications require friendly name to be static for a certificate. This may cause

problems when both Net iD Enterprise certificate service and Microsoft is registering the certificate in CryptoAPI user certificate

store, since Microsoft will not specify any friendly name.

GuidKeyId

This entry enables/disables the use of guid from certificate mapping file as key id.

0 -> Key id is generated from public key digest

1 -> Key id is generated from guid

Default value is 0; key id is generated from guid.

Note: Enable this parameter when certificate mapping file is disabled (IgnoreFileCMap=1). The result of the combination is that

the automatically generated mapping file will be identical to the original Microsoft mapping file.

IgnoreFileCardCF

This entry enables/disables internal use of the card cache file ‘\cardcf’. The card cache file will be automatically generated from

card update counter when disabled.

0 -> Microsoft card cache file will be used

1 -> Automaticlly generated card cache file will be used

Default value is 0; Microsoft card cache file will be used.

IgnoreFileCMap

This entry enables/disables internal use of the certificate mapping file ‘\mscp\cmapfile’. The mapping file content will be

automatically generated when disabled.

0 -> Microsoft certificate mapping file will be used

1 -> Automaticlly generated certificate mapping file will be used

Default value is 0; Microsoft certificate mapping file will be used.

Note: Will cause interoperability problems when enabled, since Microsoft will not detect changes from other components, for

example certificates written by the plugin component.

IgnoreLogout

This entry specifies a list of applications which will not be able to logout, all logout calls will be ignored. Example:

IgnoreLogout=lsass.exe;logonui.exe

Default value is none; all applications will be able to logout.

Note: This parameter should be used with Microsoft logon applications, since they always logout after accessing the smart card.

Allowing these applications to logout will disable the single-sign-on feature.

KeyGenerateMode

This entry specifies the mode for key id generation, either let the smart card decide the key id or generate a key id based on the

GuidKeyId parameter.

0 -> Key id is depending on smart card type

1 -> Let smart card decide key id

2 -> Generate random key id



Default value is 0.

MaxKeySize

This entry specifies the maximum size of the RSA keys.

Example:

MaxKeySize=2048

Default value is 2048; maximum RSA key size of 2048 bits.

Note: The value must be larger than MinKeySize, since the certification utility will hang if the same values are used for minimum

and maximum key sizes. The incremental size, difference between minimum and maximum size, must be at least 8.

MinKeySize

This entry specifies the minimum size of the RSA keys.

Example:

MinKeySize=1024

Default value is 1024; minimum RSA key size of 1024 bits.

Note: The value must be less than MaxKeySize, since the certification utility will hang if the same values are used for minimum

and maximum key sizes. The incremental size, difference between minimum and maximum size, must be at least 8.

MoveCertificates

This entry specifies whether internal certificate propagation to CryptoAPI store should be used or not.

0 -> Don’t move certificates to CryptoAPI store

1 -> Move certificates to CryptoAPI store

Default value is 0; Microsoft certificate propagation should be used to move certificates.

NoLoadPkcs11Keys

This entry specifies whether pkcs#11 keys without connected certificates should be mapped as minidriver keys.

0 -> Load pkcs#11 keys

1 -> Don’t load pkcs#11 keys

Default value is 0; load pkcs#11 keys.

OverwriteCertificates

This entry specifies whether move certificates should overwrite possible existing certificates for internal certificate propagation.

This will have affect when there are several different certificate propagation services enabled or when the same smart card is

supported by several vendors.

0 -> Don’t overwrite existing certificates in CryptoAPI store

1 -> Overwrite existing certificates in CryptoAPI store

Default value is 0; will not overwrite.

RegisterCertificate

This entry specifies a list of applications which will generate an event to register the certificates for CryptoAPI to Net iD CSP

instead of to Minidriver.

IgnoreLogout=lsass.exe;logonui.exe



Default value is none; no applications will generate an event to register the certificates.

Note: This parameter should be used to register Net iD CSP as default handler of certificates instead of Microsoft Base Smart

Card CSP with the Minidriver.

PinCacheDisable

This entry enables/disables Microsoft PIN cache. Will only affect PIN1, secondary PIN will always have PIN cache disabled.

0 -> Microsoft PIN cache is active

1 -> Microsoft PIN cache is inactive

Default value is 0; Microsoft PIN cache is active.

Note: Microsoft Windows logon may fail if pin cache is inactive.

PinCacheTimeout

This entry specifies the timeout value for Microsoft pin cache.

X -> Number of seconds Microsoft pin cache is active

Default value is 0; Microsoft pin cache is active as long as Microsoft think is suitable.

ReadOnly

This entry specifies whether the minidriver should report all smart cards as read-only, i.e. not possible to update in any way.

0 -> Smart cards are not considered read-only

1 -> Smart cards are considered read-only

Default value is 0; smart cards are updateable.

SetDefaultCertificate

This entry specifies whether a default certificate should be marked as default for minidriver certificate mapping file.

0 -> Don’t mark default certificate

1 -> Mark default certificate

Default value is 0; default certificate is not marked.

Note 1: Default certificate is based on certificate sorting, see SortCertificate below.

Note 2: This parameter only has effect when certificate mapping file is generated, and will be ignored when written towards

smart card; see IgnoreFileCMap above.

SortCertificate

This entry specifies how the certificates should be sorted when a default certificate is used.

0 -> Don’t sort certificate, use sorting from pkcs#11

1 -> Sort newest certificate first

2 -> Sort oldest certificate first

Default value is 0; sorting inherited from pkcs#11.

UseSuppliedPadding

This entry specifies whether the supplied key padding mechanism or the internal implementation should be used. The padding

mechanism is needed to format data to be signed or data to be encrypted before the key operation.

0 -> Use internal padding

1 -> Use supplied padding



Default value is 0; internal padding is used.

UseExternCardCF

This entry specifies whether caller is allowed to update the card update counter. When not allowed all updates will be ignored

and the update is handled internally.

0 -> Update counter internally

1 -> Use caller update counter

Default value is 0; internal update counter is used.

Version

This entry specifies which version of the minidriver specification that should be supported. Currently versions 4 to 6 are

supported.

Example:

Version=5

Default value is all versions.

WriteCardBlock

The minidriver file system will be stored in a virtual file system. This entry specifies the block size for the virtual file system, to

avoid unnecessary reallocation when objects are created on smart cards which separate data from information about the data.

Example:

WriteCardBlock=64

Default value is 0; a suitable value is chosen for the smart card type.

6.34 [NetControl]

This section controls the behavior of the net control component. This component tries to keep track of SSL/TLS sessions in

different web browsers and close those web browsers when a smart card is removed.

Note: This feature is getting harder to accomplish, since web browsers are getting better at recovering closed sessions. A better

solution is close from server side, using the Watch component.

Applications

This entry specifies a list of applications, separated with ‘;’, that may be closed if they open a SSL session. Example:

Applications=iexplore.exe;firefox.exe

Default value is none; no applications will be handled.

Ask

This entry specifies whether the user should be asked before trying to close an application.

0 -> Don’t ask user before close

1 -> Ask user before close

Default value is 1; ask user before close of application.

Enable

This entry specifies whether this feature should be active.



0 -> Net control inactive

1 -> Net control active

Default value is 0; net control is inactive.

LogonApplication

This entry specifies a list of logon applications, separated with ‘;’, that may be closed if they open a TLS session. Example:

LogonApplication=iexplore.exe;firefox.exe

Default value is none; no logon applications will be handled.

6.35 [Pkcs11]

This section controls the behavior for the PKCS#11 library.

AlwaysLoginForSSL

This entry is used to always require login for SSL/TLS. When enabled an automatic logout will be done each time an SSL/TLS

connections is established.

0 -> No automatic logout

1 -> Automatic logout

Default value is 0; no automatic logout when SSL/TLS connection is established.

See 6.35 [Pkcs11]> LoginTimeout for another way to handle automatic logout.

Note: This feature is normally used in combination with soft tokens to require password/PIN dialog even when renegotiating

SSL/TLS connections.

DetectNewSlots

This entry specifies whether new slots should be detected each time the application asks for the current slot list. A slot is either

a smart card reader or a soft token, so this parameter may be used to detect arrival of new smart card readers.

0 -> Will not detect new slots

1 -> Will detect new slots

Default value is 0; no detect of new slots.

See 6.46 [Smart Card Reader]>Detect for another way to detect arrival of smart card readers.

Recommended value for Detect is 1, when used in combination with this parameter.

DisableDuplicate

This entry specifies a list of applications, separated with ‘;’, which will not be able to use duplicate certificates. Duplicates are

certificates with identical issuer and subject field and same public key. Only the newest certificate will be available for the

application.

DisableDuplicate=Firefox;Mozilla

Default value is none; all applications will see duplicate certificates.

DisableNonRep

This entry specifies a list of applications, separated with ‘;’, which will not be able to use certificates with non-repudiation key

usage.

DisableNonRep=Firefox;Mozilla

Default value is none; all applications will be able to use non-repudiation certificates.



EnableExternalMutex

This entry enables/disables the use of external mutex to protect multi-threaded sessions.

0 -> Internal mutex used

1 -> External mutex used (if available)

Default value is 0; always use internal mutex.

Note: Multi-thread support is vital and to allow this protection to be handled externally may cause unknown results.

FriendlyName

This entry enables generation of a certificate label according to a specific format instead of using the default label from the

token. The following wild cards may be used:

%label%



Label is the certificate label stored with a certificate object, issuer and subject is any of the object identifiers available in the

subject or issuer fields from the certificate. Any combination of static texts and wild cards above may be used.

Default value is none; the stored certificate label is used.

LoginTimeout

This entry is used to set a timeout for the login. When enabled an automatic logout will happen after the number of specified

seconds.

0 -> No automatic logout

X -> Automatic logout after X seconds

Default value is 0; no automatic logout.

See AlwaysLoginForSSL above for another way to handle automatic logout.

LogonApplication

This entry specifies a list of applications that should be considered as logon applications. This means that PIN cache always is

ignored and that PIN always is verified even when being the same value as in PIN cache.

Example:

LogonApplication=lsass.exe;winlogon.exe

Default value is lsass.exe;winlogon.exe.

LogoutAtLastSession

This entry is used to control the behavior when the last session towards a token is closed. Specifies a list of applications that will

generate a logout, separated with ‘;’.

Example:

LogoutAtLastSession=svchost;winlogon

Default value is empty; no application will generate an automatic logout.

Note: The reason for not logging out is to avoid unnecessary password/PIN dialogs. Usually PKCS#11 applications will open a

session, login if needed, do something and thereafter close the session again. Setting no logout will keep the password/PIN

status when the application opens the session again.



InsertEmptySlots

This entry is used to always create a number of empty slots which always will be available even when no smart card readers

and/or soft tokens are present.

0 -> No extra empty slots

X -> Add X extra slots

Default value is 0; no extra slots.

Note: This parameter is only used for Firefox and installation of the PKCS#11 component. During installation the Firefox flag

public readable certificates must be set, to avoid password/PIN dialosg when Firefox is searching for certificates. This flag will

be set for the slots available at installation. Using this parameter will prepare a number of slots to have this flag set, so slots may

be added after the installation and still get the public readable flag.

OpenSSL

This entry is used to specify an OpenSSL library that should be loaded to generate random and/or key pairs. Typical names for

different platforms:

libeay32.dll – Windows

libcrypto.so – Linux

libcrypto.dylib – macOS

Default value is none; internal algorithms will be used for generating random and/or key pairs.

Note: For Windows platform Microsoft CryptoAPI will be used for key pair generation, since their implementation is much faster

than internal algorithm.

PinMaxDigits

This entry sets the global maximum number of digits policy. Specify the maximum number of required digits.

0 -> No maximum number of digits

X -> X number of digits required

Default value is 0; no minimum number of digits required.

Note: This parameter should not be used, use PIN policy flags in [SmartCard] or [SoftToken] instead.

PinMinDigits

This entry set the global minimum number of digits policy. Specify the minimum number of required digits.

0 -> No minimum number of digits

X -> X number of digits required

Default value is 0; no minimum number of digits required.

Note: This parameter should not be used, use PIN policy flags in [SmartCard] or [SoftToken] instead.

PinReportError

This entry is used to specify a location to report failed logon attempts on Windows platform. May be configured to report to

either Windows EventViewer or to an ODBC source. Reporting to an ODBC source will require the table to be correctly

formatted, more information is available from your support contact.

Example:

PinReportError=-eventlog

PinReportError=-database -connection <ODBC> -table <TABLE> -username <USER> -password <PWD>

Default value is none; no error reporting.



RandomDisabled

This entry is used to enable/disable the support of random generation.

0 -> Random generation support enabled

1 -> Random generation support disabled

Default value is 0; random generation available.

Note: This only affects external applications; they will not be able to use the library to generate random bytes. Internally random

generation will still be available.

ResetTempFiles

This entry is used to enable/disable reset of internal temporary files at initialize.

0 -> Reset at initialize disabled

1 -> Reset at initialize enabled

Default value is 0; reset at initialize disabled.

Note: Will delete eventual smart card cache files, which may impact performance.

SeparateThreadSearch

This entry is used to enable/disable concurrent searches in different threads using the same session.

0 -> Don’t allow concurrent searches in different threads using same session

1 -> Allow concurrent searches in different threads using same session

Default value is 0; concurrent searches are not allowed in different threads using the same session.

Note: DO NOT EDIT. This behavior is against standards and should never be used. Different threads may use the same

session context, but the expected behavior should be to follow the PKCS#11 standard. Enabling of this behavior is against the

PKCS#11 standard, but was added to show a proof-of-concept with an application unaware of their own multi-threading

implementation.

SessionToken

This entry specifies a list of applications, separated with “;”, which will set a write protected soft token.

SinglePin

This entry is used to enable/disable the use of a single password/PIN for smart cards. The parameter has no affect for soft

tokens, since they always have a single password/PIN.

0 -> All available passwords/PINs usable

1 -> Only first password/PIN usable

Default value is 0; all available PINs are usable.

Note: Will remove possible secondary PIN for the calling applications. This is usable for situations where your application has

bad support for multiple PINs, or when only the first PIN objects should be used (everything connected with secondary PINs will

be hidden).

TraceExecuteTime

This entry is used to enable/disable calculation of execute time. The time is the number of milliseconds spent within the pkcs#11

library. This will generate an extra trace entry with the number of milliseconds within library and also the number of milliseconds

spent on card during this time. Used to measure the performance.

0 -> Execute time not written to trace

1 -> Execute time written to trace



Default value is 0; execute time not written.

Note: This time may be misleading when measuring small time differences, since most of the time may be spent writing to trace.

UpdateSlotsForEvent

This entry is used to enable/disable update of slot list when library is called for active event list (C_WaitForSlotEvent). Default

behavior will use [SmartCardReader[>Poll parameter to detect smart card insert/remove and [SmartCardReader]>Detect

parameter to detect smart card reader insert/remove.

0 -> No update slot list when checking for event list

1 -> Update slot list when checking for event list

Default value is 0.

VerifyAlgorithms

This entry is used to enable/disable verification of cryptographic algorithms during initialize.

0 -> Algorithms not verified

1 -> Algorithms verified

Default value is 0; algorithms not verified.

WaitForSmartCardService

This entry is used to enable/disable wait for Windows smart cards service to start before initialize continues.

0 -> No wait

X -> Wait X number of seconds

Default value is 0; no wait for smart card service.

Note: This parameter was required for earlier versions of Windows, but is not needed any longer.

6.36 [Plugin]

This section controls the behavior of the plugin component. Will require the plugin component to be included in the installation.

From version 6.1 a new control mechanism is included to limit the usage of the plugin, each parameter and operation will be

limited/checked separately. The default requirements may be updated via configuration parameters Plugin>AccessGetProperty,

Plugin>AccessSetProperty, Plugin>AccessEnumProperty and Plugin>AccessInvoke.

More information regarding the settings mentioned in section 6.36.1 to 6.36.3 is found in Developer’s Guide.

AccessGetProperty

This entry may be used to update default access condition requirement for properties that are read from plugin.

Example:

[Plugin]

AccessGetProperty=Version,0;

AccessSetProperty

This entry may be used to update default access condition requirements and value checks for properties that are sent to plugin.

Example:

[Plugin]

AccessSetProperty=Version,1,1,0,16;

AccessEnumProperty

This entry may be used to update default access condition requirements for properties that are enumerated from plugin.



Example:

[Plugin]

AccessEnumProperty=Language,0;

AccessInvoke

This entry may be used to update default access condition requirements for invoke of plugin functions, see Developer’s Guide

for more information.

Example:

[Plugin]

AccessInvoke=Sign,0;

Audit

This entry may be used to log blocked plugin calls.

Example:

[Plugin]

Audit=C:\Temp\plugin.txt

Allowed

This entry contains a list of application names with access mode for use with the plugin, separated with ‘;’. Specify with name

and access mode value. Currently three modes are available:

0 – Blocked access – only create non-repudiation signatures is allowed

1 – Full access – including modify configuration

2 – Use access – all except modify configuration

Either specify name of file stored in installation folder, or specify full path to application (may use environment variables).

Example:

[Plugin]

Allowed=iid.exe,1;iidxcmt.exe,1;badapp.exe,0;

[Plugin]

Allowed=%programfiles%\Good\good.exe,1;%programfiles%\Bad\badapp.exe,0;

Note: Configuration section [AllowedServers] may be used to set access mode for all web browser applications, access mode

for web browsers are based on site instead of application.

Disable

This entry is used to specify a list of applications, separated with ‘;’, which will not be allowed to use the ActiveX plugin.

Default value is none; all applications will be able to use the plugin.

Note: This parameter have no affect for the Netscape plugin, since there is no good behavior in the API to block loading.

Enable

Use this parameter to enable/disable installation of web browser plugins.

0 – Web browser plugins are not available

1 – Web browser plugins are available

Default value is 1; web browser plugins are available.



StartService

This entry is used to enable/disable the start of certificate service when loaded.

0 -> Will not start service

1 -> Will start service

Default value is 0; will not start service.

6.37 [Report LOGON]

This section can be used to report successful workstation logon.

Example:

[Report LOGON]

1=load iid.dll,EntryAdmin -report -eventlog -info "Logon success %upn%" –app “LOGON” -number %number%

6.38 [Report PIN]

This section can be used to report successful PIN attempts.

Example:

[Report PIN]

1=-action <action>

6.39 [Report UNLOCK_WORKSTATION]

This section can be used to report successful workstation unlock.

Example:

[Report UNLOCK_WORKSTATION]

1=load iid.dll,EntryAdmin -report -eventlog -info "Unlock success %upn%" –app “UNLOCK” -number %number%

6.40 [SCS]

This section controls the behavior of the SCS (Signature Creation Service). SCS is a signature method used with HTML5 and

has been implemented according to the VRK (the Finnish Population Register Centre) specifications ‘HTML5 AND DIGITAL

SIGNATURES, Signature Creation Service 1.0.1’. For the specification, see

https://eevertti.vrk.fi/Default.aspx?id=0&docid=1335.

The setting [General] -> ExtraService has to include ‘SCS’ for the configurations to have any effect.].

Example:

[General]

ExtraService=SCS

[SCS]

Address=127.0.0.1

Ports=8088;23123;53951

Size=0x02000000

Protocols=https

Address

This entry is used to set the IP address of the SCS but must always be set to localhost (127.0.0.1) at the moment.

Will be used in the future if there will be any extensions for IP v6.

https://eevertti.vrk.fi/Default.aspx?id=0&docid=1335



Ports

This entry is used to set the port for the SCS. The SCS specifications defines that the first port available will be used so the

default settings should not be changed.

Will be used in the future if there will be any extensions for IP v6.

Default values is 8088;23123;53951; values should not be changed.

Protocols

This entry is used to define the protocols that are allowed for the use of SCS. Valid protocols are http or/and https.

Example:

Protocols=http;https

Default value is none; no protocols allowed.

Size

This entry is used to define the maximum size of a signature in bytes. The SCS specifications recommends to use 2 MB as the

maximum size but it is possible to set the values in the interval of 4 kB to 16 MB.

Default value is 0x02000000; maximum size of 2MB.

Start

This entry is used to enable the SCS.

Example:

[SCS]

Start=-signsrv start

Stop

This entry is used to disable the SCS.

Example:

[SCS]

Stop=-signsrv stop

6.41 [SingleSignOn]

This section controls the behavior of the single-sign-on component for Windows. It will require the single-sign-on component to

be included in the installation.

CSP

This entry is used to enable/disable the support for single-sign-on for CryptoAPI CSP.

0 -> CSP single-sign-on disabled

1 -> CSP single-sign-on enabled

Default value is 0; single-sign-on disabled.

Disable

This entry is used to specify a list of applications, separated with ‘;’, which always will have single-sign-on disabled.

Default value is none; all applications will use single-sign-on when available.



PKCS11

This entry is used to enable/disable the support for single-sign-on for PKCS#11.

0 -> PKCS#11 single-sign-on disabled

1 -> PKCS#11 single-sign-on enabled

Default value is 0; single-sign-on disabled.

Server

This entry is used to specify a list of applications, separated with ‘;’, which may act as single-sign-on server.

Server=winlogon.exe;lsass.exe

Default value is none; no application may act as single-sign-on server.

Note: The single-sign-on server process should never be stopped or restarted since the result is unpredictable if single-sign-on

client processes are connected when the server process is stopped or restarted. Either use the Windows logon process that is

always available or use StartServer below.

StartServer

This entry is used to specify a list of applications, separated with ‘;’, which may start single-sign-on server.

StartServer=winlogon.exe;lsass.exe;logonui.exe

Default value is none; no application may start single-sign-on server.

Note: See note above regarding the Server entry for information when to use StartServer respective Server parameter.

UseCache

This entry is used to enable/disable the support for single-sign-on via a cache server. The normal single-sign-on solution will

direct CSP/PKCS11 calls to a single process which will have exclusive access to the smart card.

0 -> Cache server disabled

1 -> Cache server enabled

Default value is 0; normal single-sign-on is used.

Note 1: The cache server will act as a database for PINs and therefore PIN pad may not be used.

Note 2: Disable CSP/PKCS11 single-sign-on when the cache server is enabled.

Note 3: Enable single-sign-on server as a service when the cache server is enabled.

UseService

This entry specifies whether the single-sign-on server should be running as a service or as a background process.

0 -> Run as background process

1 -> Run as service

Default value is 0; run as background service.

UseStored

This entry specifies whether the single-sign-on server should search for username/password stored on tokens and use the

information to automatically fill the username/password edit boxes.

0 -> Stored username/password not used

1 -> Stored username/password used

Default value is 0; no search for stored username/password.



The search will check the private box area for object with the following format:

<entry>=<name>;<title>;<user>;<pwd>

Value <entry> specifies the private object name, the name is “SSO” followed by a number starting from “1”.

Value <name> is a descriptive string used for presentation.

Value <title> is the title of the username/password dialog that should be filled.

Value <user> is the username that will be filled in.

Value <pwd> is the password that will be filled in.

Example:

SSO1=My;Connect Database;JohnDoe;4711

6.42 [SmartCard]

This section controls the smart card policy.

CalculateUsedTime

This entry specifies whether execution time on smart card should be written to trace.

0 -> Will not calculate and write card execution time

1 -> Will calculate and write card execution time

Default value is 1; will calculate and write execution time.

Note: This time may be misleading when measuring small time differences, since most of the time may be spent writing to trace.

CommandChaining

Command chaining will be activated when 256 or more bytes are sent towards smart card. This parameter may be used to set a

lower number to activate command chaining earlier.

X -> The number of bytes which will start command chaining

Default value is 0; command chaining is activated when needed.

CreateUpdateCounter

This entry enables/disables creation of the update counter as soon as logged in towards a smart card.

0 -> Update counter created when updating objects

1 -> Update counter created at logon

Default value is 0; will create update counter when creating any other object.

Note: The update counter is needed for public object caching; not using update counter may affect performance, since it may

cause unnecessary reading of public objects.

DefaultProfile

All smart card profiles have a detection mechanism built into the specification, but this parameter may be used to detect a card

profile not using the standard detection mechanism. Currently, only “PKCS#15” and “ISO7816-15” are supported.

Default value is none; profiles are found according to specifications.

MaxProfiles

The card profile is detected after card type detection. Some smart cards have multiple profiles on the same smart card which

should be loaded in parallel. This parameter specifies the number of maximum number of profiles that may be detected.



Example:

MaxProfiles=4

Default value is 4; the same value as the maximum number of PINs (currently 4).

NoDiskCache

This entry is used to disable writing card cache file to disk. SSO service will be used for card cache if available.

0 -> Card cache will be written to disk

1 -> Card cache will not be written to disk

Default value is 0; card cache will be written to disk.

ObjectSortMode

This entry is used to set sorting mode for the certificates on a smart card. Some applications will use the first returned certificate

as the default certificate, so it can be considered as setting the default certificate.

0 -> none -> Certificates are returned in stored order

1 -> day -> Certificates are returned in newest order based on day

2 -> second -> Certificates are returned in newest order based on seconds

Default value is 2; sorting based on seconds.

Note: The sorting order also specifies the default behavior for different versions of Net iD Enterprise. Value 0 is the behavior for

version 5.3 and earlier, value 1 is the behavior for version 5.4 to 5.5, and value 2 is behavior for version 5.6 and later.

PinExpire

This entry is used to enable/disable PIN expire policy. The PIN may be configured to require a change after X number of days.

0 -> PIN expire policy disabled

X -> PIN will expire after X days

Default value is 0; no PIN expire policy.

Note: Pin expire policy requires support for PIN update counter with time on smart card. Some smart cards only store a PIN

update counter, a single byte without connection to any time.

PinHistory

This entry is used to enable/disable password history checking. When enabled the old password will be stored as a private

object and compared with a new password.

0 -> Password history disabled

X -> Password will compare X last passwords

Default value is 0; no password history checking.

PinMaxLen

This entry is used for maximum PIN length policy.

0 -> No maximum PIN length

X -> Maxmimum X bytes PIN length

Default value is 0; smart card profile will specify the PIN policy.

Note: Pin policy in smart card profile must be fulfilled, so all policies must be fulfilled.



PinMinLen

This entry is used for minimum PIN length policy.

0 -> No minimum PIN length

X -> Minimum X bytes PIN length



PinPolicy

This entry is used for password policy, 0xaAbBcCdD:

aA -> min/max for number of digits

bB -> min/max for number of lower characters

cC -> min/max for number of upper characters

dD -> min/max for number of special characters

Default value is 0; no special PIN policy.


PinType

This entry is used for PIN type policy, the requirement are below:

0 -> all characters (case sensitive)

1 -> all characters (case insensitive)

2 -> all characters (min 2 digits and max 2 in row or in sequence)

3 -> all characters (min 2 digits and max 2 in row)

4 -> only digits



Temporary

This entry is used to specify a list of names, separated with ‘;’, containing smart card types that should be considered temporary

smart cards. The parameter only has any meaning when used with a LRA component, see LRA documentation for more

information.

TemporaryValidity

This entry is used to specify a number of days for certificate validity to be considered as a temporary smart card. The parameter

only has any meaning when used with a LRA component, see LRA documentation for more information.

Example:

TemporaryValidity=30

UseInternalUpdate

This entry specifies the use of internal update counter. The update counter is needed to detect updates of the smart cards, so it

should usually always be activated

0 -> Internal update counter is inactive

1 -> Internal update counter is active

Default value is 1; will use internal update counter.



Note: The update counter is needed for public object caching, not using the update counter may affect performance, since it

may cause unnecessary reading of public objects.

ValidateUpdateCounter

This entry enables/disables validation of the update counter when external update counter is used.

0 -> Will assume application handling update counter will behave correct

1 -> Will validate update counter at each write to reset public cache when needed.

Default value is 0; will not validate update counter when using external update counter.

6.43 [SmartCard Compress]

Library

This entry specifies the full path to the Zlib compress library.

Default value is depending on the operating system used; will try to load by standard Zlib name.

UncompressOnly

This entry specifies the behavior for compressing. When reading uncompressing will always be done if the file is compressed,

but files may be stored with or without compressing when written.

0 -> Will compress when writing

1 -> Will not compress when writing

Default value is 0; will compress when writing.

6.44 [SmartCard Keys]

This entry is used to specify the key to be used when secure messaging is enabled for a smart card. A mapping is made

between the ATR of the smart card and the Secure Messaging key. The value of the key is usually a key identifier and

depending on card type.

6.45 [SmartCardProfiles]

This section contains a list of smart card profiles that are available for smart card initialization. This section will be enumerated

for section 6.4.6 Property ‘Profile’ in the Net iD Enterprise Developer’s Guide.

Example:

1=Smart Card Profile

Each entry points to a new section with entry name as section name. The smart card profile section contains information about

how the smart cards should be initialized, for example which files should be created. The profile information is specific for each

supported smart card.

Note 1: Do not use unless you know exactly what you are doing.

Note 2: Do not use unless you know the consequences.

Note 3: Do not use unless you accept the consequences.

Erase

This entry will enable/disable complete erasure of smart cards before initialization.

0 -> Smart card not erased

1 -> Smart card erased

Default value is 0; smart card not erased.



Keys

This entry specifies the number of key pairs that should be generated during initialization.

Default value is 0; no key pairs are generated.

Parameter

This entry specifies a custom parameter for a specific smart card.

Default value is none; no custom parameter.

SimpleErase

This entry will enable/disable simple erasure of smart card objects; delete access below will be overridden and set to ALW.

0 -> Simple erase disabled

1 -> Simple erase enabled

Default value is 0; simple erase disabled.

Files

The following entries in the section specify the files and/or directories that should be created. Format:

<name>=<type>:<size>:<access>:<content>

Value <name> is the full name of the object; dependent on the smart card used, but usually a directory starting with EF(MF):

3F00=…

3F002F00=…

Value <type> is the type of object; dependent on the smart card used, but usually: DF (directory), EF (file), SEC (PIN):

3F00=DF:…

3F002F00=EF:…

Value <size> is a number telling the size of the object; dependent on the smart card used, may be a size of a file or number of

objects that may be stored in the directory. Smart card may support the string value ‘all’ and/or ‘auto’ to take all remaining area

respective try to guess the file size. Example:

3f002f00=EF:auto:…

Value <access> is the access condition elements; dependent on the smart card used and type of object, but always four parts

separated with ‘:’; <delete>, <read>, <write> and <execute>. Each element may have one of the following values: ALW

(=always), NEV (=never), SO (admin PIN), PIN1, PIN2, PIN3 or PIN4.

3f002f00=EF:auto:ALW:SO:NEV:SO:…

Value <content> is the real object content in hexadecimal form; dependent on the smart card used and type of object.

3f002f00=EF:auto:ALW:SO:NEV:SO:0x612B4F0CA00…

6.46 [SmartCardReader]

This section controls the behavior for smart card readers.

AllowReaderRemoval

This entry enables/disables the possibility to remove smart card readers as PKCS#11 slots at runtime when reader is removed.

0 -> Reader will continue to exist

1 -> Reader will be removed



Default value is 0; reader will not be removed.

Note: The reason for not removing is that the PKCS#11 standard has no defined policy for slot removal. Removal of slots may

cause undefined behavior for PKCS#11 applications.

Accepted

This entry contains a list of smart card reader names that are acceptable, separated with ‘;’.

Default value is none; all reader names are accepted.

Use [Smart Card Reader]>Denied parameter to specify a list of reader names that are denied.

CachePath

This entry contains a full path to a directory which will be used to store the smart card cache.

Default value is none; will use the standard temporary directory, location depending on operating system and version.

CacheValidity

This entry specifies the number of minutes the smart card cache is valid for user environment.

CacheValidity=10080

Default value is 10080; one week, 7*24*60=10080 minutes.

CacheAcceptUnknown

This entry tells the status of smart card cache when no update counter is available.

0 -> Will not use cache when status is unknown

X -> Will tell the number of minutes cache is valid when no update counter is available

Default value is 0; cache is inactive when no update counter is available.

CheckInformation

This entry enables/disables the check for information from the smart card reader, for example driver version or PIN pad

information.

0 -> Will not check for information

1 -> Will check for information

Default value is 0; will not check for information.

Note: There are smart card reader drivers that will crash when checking for information. Avoid them!

CheckPinPad

This entry enables/disables the check for PIN pad from the smart card reader, will require that checkInformation above is

enabled.

0 -> Will not check for PIN pad

1 -> Will check for PIN pad

Default value is 0; will not check for PIN pad.

Denied

This entry contains a list of smart card reader names that are not acceptable, separated with ‘;’.

Default value is none, all reader names are accepted.

Use [Smart Card Reader]>Accepted parameter to specify a list of reader names that are accepted.



Detect

This entry specifies the number of seconds from initialize that the library should search for smart card readers. This allows smart

card readers to be inserted after the library has been initialized.

0 -> Will not search for readers

1 -> Will do a single search for readers

X -> Will search X seconds for readers

-1 -> Will search forever for readers

Default value is 60; will search in 60 seconds for smart card readers.

Note: This search may cause memory leaks if bad PC/SC smart card reader drivers are installed, so not recommended with

value -1 for terminal servers.

KeepLoggedInLocked

This entry controls the behavior when smart card is opened and session is logged on.

0 -> Will not lock reader when logged on

1 -> Will lock reader when logged on

Default value is 0; will not lock reader when logged on.

Note 1: Locking the reader will stop other applications from using the smart card reader in parallel. This may cause

interoperability problems.

Note 2: This behavior is identical to the situation when smart card is used with PIN pad, it will not release the reader until logged

out to avoid multiple PIN entries.

Note 3: Only use this feature when single-sign-on is enabled or a single application is using the smart card.

KeepPinCache

This entry specifies the number of milliseconds the PIN should be kept after card removal. This can be used to avoid clear of

PIN cache when a smart card reader generates strange remove/insert events, but should not be used in normal situations.

0 -> Will not keep PIN cache after remove event

X -> Number of miliseconds PIN is kept in cache after remove event

Default value is 0; PIN cache is cleared when the smart card is removed.

LockDelay

This entry specifies the number of seconds to keep the card locked after usage. This may be used to increase performance,

since lock/release card may require some substantial time.

0 -> Will not delay release

X -> Will delay X seconds before release

Default value is 0; no delay when releasing card.

LockTimeout

This entry specifies the number of seconds to keep trying to lock the card when it is in use by another application.

0 -> No lock timeout

X -> Will try to lock in X seconds

Default value is 30; will try locking the card for 30 seconds.



MaxTransfer

This entry configures the maximum number of bytes that may be transmitted for each smart card call. Minimum value is 64

bytes and maximum value is 255 bytes.

MaxTransfer=255

Default value is 255; 255 bytes.

Mode

This entry specifies the mode to connect with towards the smart card, either exclusive or shared mode. Exclusive mode requires

the application to work alone with the smart card. Shared mode allows simultaneous connections and will require transaction

handling to handle atomic operations.

0 -> Exclusive mode

1 -> Shared mode

Default value is 1; shared mode used.

Note: Exclusive mode will cause interoperability problems.

Poll

This entry specifies the number of milliseconds between polling for card presence.

Poll=333

Default value is 333; 333 milliseconds.

Protocol

This entry specifies the protocol to use when communicating with the smart card.

0 -> T0, supported by most cards

1 -> T1, faster but not supported by older cards.

-1 -> T0 or T1, negotiated with card

Default value is -1; protocol negotiated with smart card.

ReloadOnError

This entry specifies the behavior when the reader connection fails for some reason.

0 -> Do nothing

1 -> Reload connections

2 -> Reload connection and library

Default value is 0; do nothing.

SingleConnection

This entry specifies the behavior when connecting to the smart card reader. Either uses one connection for all purposes or two

connections, one connection for smart card status and one connection for transmitting smart card commands.

0 -> Two connections

1 -> One connection

2 -> One global connection (never released)

Default value is 0; two connections.



Scope

This entry specifies the scope for the smart card reader connection: user, terminal, system or global. The real meaning of scope

is depending on smart card reader type, currently only used by PC/SC. See PC/SC documentation for more information.

0 -> User scope

1 -> Terminal scope

2 -> System scope

3 -> Global scope

Default value is 0 for user processes and 2 for system processes.

SystemCacheValidity

This entry specifies the number of minutes the smart card cache is valid for system environment.

SystemCacheValidity =10080

Default value is 10080; one week, 7*24*60=10080 minutes.

6.47 [SmartCardReader CTAPI]

This section controls the behavior for the CTAPI smart card reader support.

Enable

This entry specifies whether the CTAPI smart card reader support should be available.

0 -> CTAPI support not available

1 -> CTAPI support available

Default value is 1; CTAPI smart card reader support is available.

List of libraries

All CTAPI drivers are delivered as a dynamic library and will be loaded by a numbered list starting from 1. The format for each

entry is: "<ctn>,<pn>,<library>":

<ctn> - Context number, defined by each CTAPI driver, usually 0

<pn> - Port, defined by each CTAPI driver, usually 0

<library> - Full path to dynamic library

Example:

1=0,0,C:\Program Files\Net iD\iidctapi.dll

6.48 [SmartCardReader PCSC]

This section controls the behavior of the PC/SC smart card reader support.

CallTrace

This entry is used to include writing of each PC/SC call towards trace.

0 -> PC/SC calls are not written to trace

1 -> PC/SC calls are written to trace

Default value is 0; PC/SC calls are not written.

Note: All PC/SC calls are written when enabled which may cause trace to grow large quite fast, since even smart card polling is

written.

Enable

This entry specifies whether the PC/SC smart card reader support should be available.



0 -> PC/SC support not available

1 -> PC/SC support available

Default value is 1; PC/SC smart card reader support is available.

Library

This entry specifies the PC/SC library that should be loaded. Default values:

Windows – winscard.dll

Linux – libpcsclite.so

macOS – libpcsclite.dylib

StateTimeout

This entry changes the behavior for smart card present check.

Normally smart card presence is checked by asking the smart card readers quite often by polling, the poll time is controlled by

[Smart Card Reader]>Poll entry.

Using this parameter will change to a call method which will ask for state and not return until something has changed.

0 -> Normal polling is used

X -> State driven presence is used, specify the number of minutes for timeout (10 recommended).

Default value is 0; normal polling is used.

Note 1: This feature requires enhanced support for the PC/SC implementation and eventually some enhanced support for the

PC/SC smart card reader driver. Currently this feature should only be used with Windows, since there are some unknown

problems for Linux/macOS platforms.

Note 2: This feature may work better with some PC/SC smart card drivers compared with polling, but there is no

recommendation when polling respective state driven presence check should be used.

Unload

This entry is used to control the unloading of the PC/SC library.

0 -> Library never unloaded

1 -> Library unloaded when not used

Default value is 1; library unloaded when not used.

Note: Library unloading currently works badly for Linux/macOS platforms, recommended value is therefore never unload on

these platforms.

UseCritical

This entry is used to add a global critical section for all PC/SC calls. When it is enabled only one thread will access PC/SC at

each time.

0 -> Critical section is not enabled, multiple threads may access

1 -> Critical section is enabled, multiple threads may not access

Default value is 0; critical sections should be handled by PC/SC.

Note: Normal usage will have no problem with multiple threads accessing at the same time, but some drivers have problems, so

it may be useful for testing.

6.49 [SoftToken]

This section controls the soft token policy.



The current password policy (PinMinLen, PinMaxLen and PinType) used when soft token is created will be stored within the soft

token, so will not be able change after creation.

Events

This entry is used to add events handling to soft tokens. Soft tokens may be removed when removed from other processes and

will also generate an insert event when the soft token is updated, to allow applications to detect updates.

0 -> No special event handling

1 -> Events are checked each time a calling application check for events

2 -> Events are checked each time a calling application check for slots

3 -> Events are checked each time a calling application check for events and/or slots

Default value is 0; no special event handling.

FileExtension

This entry is used to specify the file type used by soft tokens. The internal soft token format “.tkn” is the only supported value for

Windows/Linux. macOS may use the internal format or Apple “.keychain”.

Default value is none; internal soft token format.

Example:

FileExtension=.tkn

PinExpire

This entry is used to enable/disable password expire policy. The password may be configured to require a change after X

number of days.

0 -> Password expire policy disabled

X -> Password will expire after X days

Default value is 0; no password expire policy.

PinFailure

This entry is used to specify how password failures will be handled for soft tokens, i.e. if a user gives the wrong password when

trying to use the soft token.

PinFailure=0xAABBCCDD

AA -> Number of milliseconds of delay between failures to give the correct password.

Will be multiplied with the number of failed tries.

BB -> not used

CC -> Number of minutes that the password will be blocked.

DD -> Number of tries until the password is blocked.

Default value is none; no handling of password failures for soft tokens.

Example:

[SoftToken]

PinFailure=0x64000A0A

- AA=64: 100 ms of delay between tries, i.e. the delay after first try is 100ms, after second try 200ms, and so on.

- CC=0A: the password will be blocked for 10 minutes until it is possible to try again.

- DD=0A: the password will be blocked after 10 failed tries.

If no blocking period is configured, i.e. CC is set to 00, a restart of the application is necessary to be able make new tries.

If a blocking period is configured a restart will make no difference since it is stored in the object, i.e. you will have to wait until

the blocking period ends to get DD new tries.



PinHistory

This entry is used to enable/disable password history checking. When enabled the old password will be stored as a private

object and compared with a new password.

0 -> Password history disabled

X -> Password will compare X last passwords

Default value is 0; no password history checking.

PinMaxLen

This entry is used for maximum password length policy.

0 -> No maximum password length

X -> Maxmimum X bytes password length

Default value is 64; maximum 64 bytes password.

PinMinLen

This entry is used for minimum password length policy.

0 -> No minimum password length

X -> Minimum X bytes password length

Default value is 2; minimum 2 bytes password.

PinPolicy

This entry is used for the password policy, 0xaAbBcCdD:

aA -> min/max for number of digits

bB -> min/max for number of lower characters

cC -> min/max for number of upper characters

dD -> min/max for number of special characters

Default value is 0; no password policy.

PinType

This entry is used for password type policy, the requirements are below:

0 -> all characters (case sensitive)

1 -> all characters (case insensitive)

2 -> all characters (min 2 digits and max 2 in row or in sequence)

3 -> all characters (min 2 digits and max 2 in row)

4 -> only digits

Default value is 0; all characters allowed and case sensitive.

6.50 [TaskbarEvent]

This section controls the behavior of taskbar events,

[TaskbarEvent Insert]

A list of commands executed when a smart card is inserted.

[TaskbarEvent Remove]

A list of commands executed when a smart card is removed.



6.51 [Trace]

This section is used to enable a trace for all components or specific components, always specify full path to a file.

Note: Access condition must be fulfilled when writing to trace. This is usually only a problem when using Internet Explorer on

Windows platforms, since File system access protection, also known as Sandbox, may stop updates even when everyone has

full access.

Component

Use component name as entry instead of File to enable trace for a specific component:

Admin= C:\Temp\iid.txt

CredentialProvider=C:\Temp\iid.txt

CSP= C:\Temp\iid.txt

Directory=C:\Temp\iid.txt

MiniDriver=C:\Temp\iid.txt

Pkcs11=C:\Temp\iid.txt

Plugin=C:\Temp\iid.txt

SSO=C:\Temp\iid.txt

Watch=C:\Temp\iid.txt

Web=C:\Temp\iid.txt

File

Use File entry to specify trace for all components to same file without Net iD Trace service:

File=C:\Temp\iid.txt

Server

Use Server entry to specify trace for all components to same file with Net iD Trace service:

File=server

Server=C:\Temp\iid.txt

Note: Using Net iD Trace service has less impact on the performance but must be manually started. If a reboot is needed when

creating a trace file, set service to Automatic.

UseLocalTime

This entry specifies if local time should be used when creating trace file.

0 -> Local time is not used

1 -> Trace will be created with local time

Default value is 1; local time will be used.

6.52 [Trace Call]

This section specifies the call trace for different components. The difference between Trace Call and normal Trace is that this

parameter will only trace function entries and results. Tracing will always affect speed performance, so this parameter has less

impact on the performance.

The following components have call trace available:

CSP *

Minidriver *

Pkcs11

*) The component is only available on Windows platforms.



Specify full path to the file which will receive the trace.

Example:

Pkcs11=c:\temp\iid.txt

Note: Normal Trace must be disabled.

[Trace]

File=

Server=

6.53 [View]

FileExtension

There are several ways to open different files, but to avoid misuse all file types that may be opened should be registered,

separated with ‘;’.

Example:

FileExtension=.txt;.html;.htm;.cer;.crt;http;https

Default value is “.txt;.html;.htm;.cer;.crt;http;https”.

iidxwatch.exe

There are several ways for the watch component to open different files, but to avoid misuse all file types that may be opened

should be registered, separated with ‘;’.

Example:

iidxwatch.exe=.exe;.bat;.vbs

Default value is none.

6.54 [Watch]

This section controls the behavior of the Watch component. Will require the Watch component to be included in the installation.

UseService

This entry specifies whether the Watch component should be running as a Windows service or a background process.

0 -> Run as background process

1 -> Run as Windows service

Default value is 0; run as background process. This parameter is for Windows only and will be ignored by other operating

systems.

6.55 [Multiple Watch commands]

The original approach for Watch was a single command that should be executed either at insertion or removal of a smart card.

To handle multiple commands the command “config” may be used:

iidxwatch.exe config

This command will check for a list of commands that should be executed when a smart card is inserted or removed. See section

7.2 Commands for more information about the available commands.

[Watch Insert]

A list of commands executed when a smart card is inserted.



[Watch Remove]

A list of commands executed when a smart card is removed.

6.56 [Multiple Watch running]

Some scenarios may require multiple Watch running in parallel:

iidxwatch.exe config Watch|Another

The result is that the initial Watch is started and it will spawn an additional process which will read startup and configuration

information from different sections.

The example below will run two Watch activated by insertion of a smart card with certificates from two different CAs:

[Command]

Watch=-match “2.5.4.3=SecMaker CA v2|A0” config Watch|Another

Watch Another=-match “2.5.4.3=SecMaker CA v3|A0” config Another

[Watch Insert]

1=open c:\temp\ca_v2.txt

[Watch Another Insert]

1=open c:\temp\ca_v3.txt

6.57 [Logon Watch]

The normal Watch component will execute events based on smart card insertion and removal, but some scenarios will require a

command to be executed only when a smart card for the logged on user is inserted and/or removed.

iidxwatch.exe config Logon

Note: The only difference is that the name “Logon” is reserved for logged on user scenarios.

[Watch Logon Insert]

A list of commands executed when smart card is inserted for the logged on user.

[Watch Logon Remove]

A list of commands executed when smart card is removed for the logged on user.



7 Watch

The Watch component is an executable which will do actions either when smart card is inserted or removed.

7.1 Arguments

The following arguments are available:

-w

-match <criteria>

-wait “<insert>|<remove>”

-message “<insert>”|”<remove>”

-hide insert|remove

-sync

-logon

-term

-recognized

config | <insert command>

The argument order is important for historical reasons. Last in the argument list is either the static value “config” or one single

insert command. The value “config” will activate the [Watch Insert] and [Watch Remove] configuration sections in configuration

which allow several different commands.

Watch configurations are only read from global configuration, not from local configuration file, due to security reasons.

Argument “-w”

Argument “-w” is used to wait with the execution of the command until a smart card is loaded, meaning all certificates are read.

This value only has meaning for insert commands.

Argument “-match”

Argument “-match” is used to select a specific certificate which should be used when generating an event. The match criteria

consist of an issuer field and an optional key usage, for example:

-match “2.5.4.3=SecMaker CA v2|A0”

Note: This argument is only available when used with “<insert command>” as last argument not with “config”.

Argument “-wait”

Argument “-wait” is used to specify the number of seconds to wait for a command to finish, may use separate values for insert

and remove.

-wait “60|30”

Argument “-message”

Argument “-message” is used to specify a message to be shown when command is executed, may use different messages for

insert and remove.

-message “Card inserted”|”Card removed”



Argument “-hide”

Argument “-hide” is used to specify that the command should be executed hidden, may separate with different messages for

insert and remove.

-hide

-hide insert

-hide remove

Argument “-sync”

Argument “-sync” is used by remove event. When specified remove events will not be generated until after a smart card is

inserted.

Argument “-logon”

Argument “-logon” is used only to generate a remove event for the currently logged on user.

Argument “-term”

Argument “-term” is used by remove event. Will require the process started at insert event to be terminated, currently only a

single process may be terminated.

Argument “-recognized”

Argument “-recognized” is used to require that the smart card is recognized, unknown cards will not generate any events.

7.2 Commands

The configuration sections [Watch Insert] and [Watch Remove] will specify a list of commands executed when a smart card is

inserted or removed.

The following commands are available for execution when a smart card is inserted or removed:

application <binary> <argument>

close <window name>

extern <library>,<argument>

kill <application>

load <library>,<argument>

open <file>

set –config <file>

set –registry <key>

All commands in the list may be prefixed with “parallel” to only start the execution, it will immediately continue with the next

command and ignore the result. Not in parallel will require successful execution before it continues with the next command, on

failure no more commands will be executed.

Command ‘application’

Command “application” is used to start any application <binary> with any argument <argument>.

application c:\windows\notepad.exe c:\iid.txt

Successful execution will always require the process to start, but may also depend on “-wait” argument if present.



Command ‘close’

Command “close” is used to close a Microsoft Windows application. Specify the <windows name> that should be closed.

Example:

close “iid - Notepad”

The execution will always be considered as successful.

Command ‘extern’

Command “extern” may be used for insert command to read user information from an external library. The smart card is not

supported internally, but instead the reader name is sent with the specified command arguments. The library must export a

function with the following syntax:

int CALLBACK

ReadCommand(

const char* pszReader,

const char* pszCmd,

char* pszData,

unsigned long nData)

Return non-zero for success and the data buffer should return username and domain information, separated with ‘;’.

extern c:\iid.dll,-iclassid –config c:\iid.txt

After a successful command execution the set command below will be executed with the collected user information.

This execution will be considered as successful if the user information is collected successfully.

Command ‘kill’

Command “kill” is used to terminate or kill an application. Will search for a process with the specified binary and try to kill that

process.

kill c:\windows\notepad.exe

This execution will always be considered as successful.

Command ‘load’

Command “load” will load a library and call the specified function. The function syntax must follow the parameter syntax used by

rundll32.exe:

load c:\iid.dll,EntryAdmin -argument

This execution will be considered to be successful if the function is found in the specified library, but will have no requirements

for the function to return value.

Command ‘open’

Command “open” may be used on Windows platform to open a file type defined in Registry.

open c:\temp\iid.txt

This execution will always be considered as successful.

Command ‘set’

Command “set” either specifies a configuration file or a Registry key which will be updated with user information found on the

inserted smart card. Argument “-match” may be used to specify search criteria for the user information.



set –config c:\temp\iid.txt

set –registry HKLM\Software\SecMaker\Info

This execution will be considered to be successful if user information found.

Command ‘script’

A command “script” may be used on Windows platforms in the same manner as “open”, the difference is that it will be executed

hidden.

script c:\temp\iid.vb

This execution will be considered to always be successful.



8 Trace

All components in the product have trace functionality, the trace will write to a standard text file. There are two types of trace,

standard (see section 6.51 [Trace]) or only function calls (see section 6.52 [Trace Call]). Call trace is available for the three

standard interfaces: PKCS#11, CSP and Minidriver. The call trace will only trace function calls entry and return code, so there is

little impact on performance. The complete trace will generate large amounts of information and may be hard to understand.

8.1 Trace Row

Each row in the trace file will have the following format:

[<pid>:<tid>] <time> <text>

Value <pid> is process id for the process writing the trace entry.

Value <tid> is the thread id for the process thread writing the trace entry.

Value <time> is the time since first call to the trace. Separated with ‘.’ is hour, minute, seconds and milliseconds.

Value <text> is the trace information.

Example:

[1000:1111] 00.00.00.000 Trace - Date 2010-11-23 16:13:23, 'C:\Temp\iid.txt'

First row will always contain the date and the original trace file path.

Processes and Threads

The first information for each trace row is the process and thread id.

[1000:1111] 00.00.00.000 Helper - Calling application: 'C:\Program Files\Net iD\iid.exe'

[2000:2222] 00.00.00.000 Helper - Calling application: 'C:\Program Files\Net iD\iidxadm.exe'

This example has two processes 1000 and 2000. It is always useful to search for the “Calling application” string, to find the real

application, this example iid.exe and iidxadm.exe.

Multiple applications calling in the same time may cause some confusion when trying to understand the trace, see 0



Trace Split how to separate the trace for easier understanding.

There are also scenarios where a single application will spawn several threads:

[1000:1111] 00.00.00.000 Helper - Calling application: 'C:\Program Files\Net iD\iid.exe'

[1000:1111] …

[1000:1122] …

[1000:1122] …

Understanding the difference between processes and threads is not part of this document, but the information is at least

available in the trace.



Execution Time

Second part of the trace is the execution time and this information is useful in identifying performance issues.

The example below shows 1 hour, 23 minutes and 45 milliseconds between the trace rows. This time used with functions below

will show execution time for each function.

[1000:1111] 00.00.00.000 …

…

[1000:1111] 00.01.23.045 …

If UseLocalTime is enabled execution time is presented in local time. The example below shows function executed between

1:12 PM and 1:24 PM local time.

[1000:1111] 13.12.00.000 …

…

[1000:1111] 13.24.00.000 …

Note: Enable trace will affect the execution time, consider using Net iD Trace service when performance is measured.

8.2 Functions

The product delivers standard application program interfaces: PKCS#11, CSP and Minidriver. These interfaces are well

documented; see each corresponding chapter in the Net iD Enterprise Developer’s Guide. The product will also deliver the

plugin interface which is documented in the Developer’s Guide, see chapter 6 Plugin.

PKCS#11

Each PKCS#11 function call will start with the function name and end with a standard return value:

[1000:1111] 00.00.00.000 Pkcs11 - C_Initialize ...

[1000:1111] 00.00.00.070 Pkcs11 - Return CKR_OK

From the documentation you will learn C_Initialize is the startup function and CKR_OK means success, everything is as

expected. There may be errors instead:

[1000:2222] 00.00.00.100 Pkcs11 - C_Initialize ...

[1000:2222] 00.00.00.100 Pkcs11 - Return CKR_CRYPTOKI_ALREADY_INITIALIZED

The return value is not CKR_OK, so this means an error. Is this a problem? From the documentation you will learn that this

return value actually is more like a warning message, no initialize needed, since already initialized.

CSP

Each CSP function call will start with the function name and end with the function name and a Microsoft return value string.

[1000:1111] 00.00.00.307 CSP - AcquireContext ...

[1000:1111] 00.00.00.915 CSP - AcquireContext ... (OK)

The string OK means success and all other strings mean some kind of failure. The return value from CSP is always true or

false, and Windows last error is eventually updated with some error value. If the string is not OK, the string is from Microsoft

translation of the Windows last error.

[1000:1111] 00.00.00.307 CSP - AcquireContext ...

[1000:1111] 00.00.00.915 CSP - AcquireContext ... (The operation completed successfully.)

This means an error, despite the text says operation completed successfully. There are scenarios where this is perfectly normal;

information will be available from the CSP documentation.



Minidriver

Each minidriver function call will start with the function name and end with the function name and a return value and Microsoft

translation of return value.

[1000:1111] 00.00.00.031 MiniDriver - CardAcquireContext ...

[1000:1111] 00.00.01.092 MiniDriver - CardAcquireContext ... (0x00000000, OK)

The value 0x00000000 means success. The different between CSP and Minidriver is that the return value and return string is

always connected, Minidriver calls return the real value compared with CSP which return true or false and update Windows last

error.

Plugin

Each property plugin function call will start with information about the function and the same information string ended with ‘done’

string.

[1000:1111] 00.00.01.023 Web - GetProperty '<property>' ...

[1000:1111] 00.00.01.033 Web - GetProperty '<property>' ... done

[1000:1111] 00.00.01.023 Web - SetProperty '<property>' ...

[1000:1111] 00.00.01.033 Web - SetProperty '<property>' ... done

[1000:1111] 00.00.01.023 Web - EnumProperty '<property>' ...

[1000:1111] 00.00.01.033 Web - EnumProperty '<property>' ... done

The return value is always done.

The invoke plugin function will start with information about the operation and the same string ended with return value.

[1000:1111] 00.00.01.023 Web - Web - Invoke <operation> ...

[1000:1111] 00.00.01.023 Web - Web - Invoke <operation> ... (0)

The return value is a number and the meaning is documented in chapter 6 Plugin of the Net iD Enterprise Developer’s Guide,

see section 6.3 Operations, for each operation.

8.3 Help Functionality

The product includes some help functions for better understanding of the trace:

- Trace parse

- Trace split

Trace Parse

The trace parse functionality will take a trace file as input and try to parse the content to a more readable format. The

functionality is available on all operating systems by calling the application loader:

“%PROGRAMFILES%\Net iD\iid.exe” -traceparse c:\temp\iid.txt

/usr/bin/iid -traceparse /tmp/iid.txt

Note: Must enter full path to trace file to parse.

The result will be a local web site, with starting index.html in same location as the original trace file.



Trace Split

The trace split functionality will take a trace file as input and split the content to one file for each process. The functionality is

available on all operating systems by calling the application loader:

“%PROGRAMFILES%\Net iD\iid.exe” -tracesplit c:\temp\iid.txt

/usr/bin/iid -tracesplit /tmp/iid.txt

The result will be one or more files with name ‘iid_<pid>.txt” in same location as the original trace file.

May also split all threads to separate files:

“%PROGRAMFILES%\Net iD\iid.exe” -tracesplit thread c:\temp\iid.txt

/usr/bin/iid -tracesplit thread /tmp/iid.txt

The result will be one or more files with name ‘iid_<pid>_<tid>.txt” in same location as the original trace file.

Note: Must enter full path to trace file to split.



9 Command Tool

The command tool is a utility included which will add some functionality to Windows Command Prompt, Linux Command or

macOS Terminal application.

Note 1: There is no language support, so it will always be in English.

Note 2: There is no character translation, may cause undesired effects for non-ascii characters.

9.1 Start

The command tool is started with the application loader with the command switch ‘-command’:

Windows: %PROGRAMFILES%\Net iD\iid.exe –command

Linux: /usr/bin/iid –command

macOS: /usr/bin/iid –command

9.2 Commands

The following commands are available:

[0] quit -> Quit with no action [1] system -> View system information [2] view -> View token information [3] change -> Change PIN for your token [4] unlock -> Unlock PIN for your token [5] list -> List certificates for your token [6] keys -> List private keys for your token [7] init -> Reinitialize your token (with default SO PIN) [8] expired -> Set PIN expired for your token

Select the command and follow the instructions.



10 Changes between versions

This chapter contains information regarding the changes that have been made in Technical Description between different

versions of the document. The chapters and sections mentioned are according to the updated document.

10.1 Changes between v6.5.1 and v6.6

Chapter 5 Installation macOS

- 5.1.1 Files

New file locations.

- 5.5 Known Issue

Removed section regarding installation on OS X 10.11.

Chapter 6 Settings

- 6.4 CredentialProvider

- Info of possibility to make Parameter settings via application.

- 6.4.9 Mode

Added Full CredentialProvider mode description.

- 6.4.12 AcceptIssuers

Updated example.

- 6.4.13 DefaultIssuers

Updated example.

- 6.4.14 DenyIssuers

Updated example.

- 6.4.15 RememberLastUsed

New entry.

- 6.5 CredentialProvider Certificate

- 6.5.1 Enable

New entry.

- 6.5.2 Disable

New entry.

- 6.9 CredentialProvider Pin

- 6.9.1 Enable

New entry.

- 6.9.2 AutoLogon

New entry.

- 6.9.3 DisableAutoLogon

New entry.

- 6.9.2 InitChangePin

New entry.



- 6.11 CSP

- 6.11.5 CertificateStoreMode

New entry.

- 6.11.26 ReplaceCertificate

Changed default value.

- 6.13 Dialog

- Removed information regarding old user interfaces.

- 6.13.10 Info<name>

- New configuration parameters: InfoAdmin, InfoFileXXXX, InfoNotify, InfoSetup.

- New <extra> value: Theme

- 6.23 General

- 6.23.7 ExplorerExtension

New entry.

- 6.23.13 TaskbarMenuMode

- Removed parameter ‘0x0800 – Language’

- Added information regarding default value.

- 6.23.14 UseService

New parameter ‘-1’.

- 6.28 License

- 6.28.1 Cards

New entry.

- 6.28.3 Issuers

New entry.

- 6.29 Links

- 6.29.1 Admin

New entry.

- Chapter 6.30 Links Action

- Updated actions: Sign and Verify.

- Info regarding custom actions.

- Chapter 6.32 LRA

New section.

- 6.35 Pkcs11

- 6.35.18 SessionToken

New entry.

- 6.37 Report LOGON

New section

- 6.38 Report PIN

New section.

- 6.39 Report UNLOCK_WORKSTATION

New section.

- 6.42 SmartCard

- 6.42.6 NoDiskCache

New entry.



- 6.42.9 PinHistory

New entry.

- 6.51 Trace

Rewritten section with new entries.

- 6.52 Trace call

Added note.

- 6.53 View

6.53.2 iidxwatch.exe

New entry.

Chapter 8 Trace

- 8.1.Trace Row

- 8.1.2 Execution time

Updated example and added note.

10.2 Changes between v6.4 and v6.5.1

Chapter 6 Settings

- 6.11 [CSP]

Added two new entries:

- 6.11.6 ConnectPCSC

- 6.11.7 ContainerNameMode

10.3 Changes between v6.1.1 and v6.4

General in all texts

- All references regarding Windows XP and Windows Vista have been removed since no longer supported.

- All references regarding GINA has been removed since Windows XP and Windows Server 2003 no longer are

supported.

- All references to bitmaps/bmp has been changed to images since both bitmaps and ico files are supported.

Chapter 2 What is Net iD Enterprise?

- 2.1 Overview

Picture changed, now including CNG.

Chapter 3 Installation Microsoft Windows

- 3.1.1 Files

- Global configuration file moved to optional files since most configurations are done in Registry nowadays.

- Removed optional file for GINA library.

- Added optional file for GPO Client Side Extension.

- Added Trace service library.

- 3.1.2 Registry

- Added optional Registry key for GPO Client Side Extension.

- Change in default location for configurations.

- Former 3.2 Build your own installation with IExpress 2.0

Section has been removed.

- Former 3.3 Build you own installation with Windows installer

Section has been removed.



Chapter 5 Installation OS X

- 5.1.1 Files

The Net iD Enterprise Admin GUI is installed as an web app instead of being a local site.

- 5.2 Running Installation

Changed installation file from ‘iidsetup.pkg’ to ‘iidsetup.app’.

- Former 5.3 Build custom installation

Section removed.

- 5.3 Web browser

New section.

- 5.5 Known Issues

New section regarding installation on OS X 10.11.

Chapter 6 Settings

- 6.2.3 App

New entry.

- 6.4.1 Version

- Added parameters for Windows 8.1 and Windows 10.

- Removed parameter for Windows Vista.

- 6.4.6 Activate

New entry.

- 6.4.8 InitChangePin

New entry.

- 6.4.12 AcceptIssuers

New entry.

- 6.4.13 DefaultIssuers

New entry.

- 6.4.14 DenyIssuers

New entry.

- 6.7.3 Timeout

Changed earlier incorrect information: was written ‘minutes’, shall be ‘seconds’.

- 6.10.2 Timeout

Changed earlier incorrect information: was written ‘minutes’, shall be ‘seconds’.

- 6.11.5 ClearUserPinCache

New parameter setting.

- 6.13.8 Theme_v<nn>

- Added parameters for Windows 8.1 and Windows 10.

- Removed parameter for Windows Vista.

- 6.19.2 Format

Added comment regarding configuration that will affect all languages.

- 6.23 [General]

New entry: “ExtraService”.

- 6.23.8 ExtraService

New entry.

- 6.24.2 Configuration

Registry settings read order.



- 6.30 [Links Action]

- New actions:

-- CaCertificateExpire

-- Decrypt

-- Encrypt

-- ExitWindows Lock/Logout/Sleep/Hibernate/Disconnect/Restart/Shutdown

-- LicenseActivate

-- LicenseInvalid

-- TokenEvent

-- TokenInvalid

-- TokenNotPresent

-- TokenPresent

- Discontinued actions:

-- OpenCertificateExpired

-- OpenCertificateEnroll

-- OpenCertificateRenew

- 6.32.5 ClearUserPinCache

New parameter setting.

- 6.33.1 Applications

Change of behavior, will only handle SSl sessions. For TLS sessions see parameter in 6.35.8 LogonApplication.

- 6.33.3 Enable

New default value.

- 6.33.4 LogonApplication

New entry to handle TLS sessions.

- 6.35.5 Audit

New entry.

- 6.36 SCS

New section.

- Former 6.37.12 SecureMessaging

Entry removed and replaced with section 6.40 [SmartCard Keys].

- 6.40 [SmartCard Keys]

New section.

- 6.45.4 PinFailure

New entry.

- 6.46 [TaskbarEvent]

New section.

Chapter 7 Watch

- 7.1 Arguments

Changed behavior due to security reasons: Watch configurations are only read from global configuration.

Chapter 9 Command Tool

- 9.2 Commands

Added commands ‘system’ and ‘expired’.



10.4 Changes between v6.1.1 and v6.1.2

Chapter 6 Settings

- Former 6.24 [Gina]

The section and entries regarding Gina has been removed since support for Microsoft Windows XP was ended

2014-04-08.

10.5 Changes between v6.1 and v6.1.1

Chapter 6 Settings

- 6.11.22 KeepSessionAlive

Parameter KeepSessionAlive updated with possibility to specify specific applications to be used with mode “1”.

- 6.13.2 NoUserInterface

New configuration to disable the Net iD Enterprise user interfaces for specific applications.

10.6 Changes between v6.0 and v6.1

Chapter 6 Settings

- 6.1 [AllowedServers]

An additional mode “4” has been added.

- 6.36 [Plugin]

New security configurations for plugin has been added.



11 References

Net iD Enterprise Developer’s Guide The document is intended for software developers making implementations via

any of the program interfaces delivered by the product. You may order a

personal copy of the document via www.secmaker.com:

Partners – Developers – Technical manuals.


Net iD Enterprise, Technical Description v6 · Net iD Enterprise is not only a Cryptographic...

Documents

Transcript of Net iD Enterprise, Technical Description v6 · Net iD Enterprise is not only a Cryptographic...