IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2

Enabling smart card authentication

Complete the following procedure if you want to use smart card authentication.

Before you begin

Make sure the IMS Server and AccessAgent are installed.

Procedure

  1. Run the smart card installer. Before the installation process completes, the installer merges the entries in the registry file with the Windows Registry.
  2. Create and apply the policies for smart card authentication.
    1. Log on to AccessAdmin.
    2. Navigate to Machine Policy Templates > New template > Create new machine policy template > Authentication Policies.
    3. Type smart card.
    4. Click Add.
    5. Scroll down the page and click Add again.
  3. Optional: Edit the registry hive.
    1. Add the name of each supported smart card to the HKLM\SOFTWARE\IBM\ISAM ESSO\SOCIAccess\SmartCard:SupportedCards multi-string value.

      The name of the smart card must appear in the list of smart cards registered with Windows, which can be found under HKLM\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards.

      If the "SupportedCards" registry value is not specified, AccessAgent monitors ALL smart cards registered with Windows.

      By default, AccessAgent automatically detects the CSP module used to access an inserted smart card based on the registration of the smart card with Windows.

      However, if the CSP that is used differs from the one registered with Windows, add the DWORD registry value AutoDetectCardMiddlewareEnabled under HKLM\SOFTWARE\IBM\ISAM ESSO\SOCIAccess\SmartCard and set it to 0.

    2. Create a key for the smart card middleware under HKLM\SOFTWARE\IBM\ISAM ESSO\SOCIAccess\SmartCard\Middleware.

      The key can have any name that identifies the middleware. Under the middleware key, create and set the following values, which define the parameters for the middleware.

      If this middleware information is not configured, AccessAgent uses the default values for all middleware parameters.

      Middleware parameters (Parameter / Type / Values / Mandatory?):

      CSPName
        Type: REG_SZ
        Values: Name of the Cryptographic Service Provider module from the middleware.
        Mandatory: Yes

      RsaEncryptionEnabled
        Type: DWORD
        Values: If the smart card keypair cannot be used to perform RSA encryption, this value must be set to 0. AccessAgent then uses a signature-based mechanism to encrypt the Wallet instead of the encryption-based mechanism, which is the default.
        Mandatory: No

      ContainerSpecLevel
        Type: DWORD
        Values: By default, AccessAgent searches for the authentication certificate in the default container on the smart card. A default container is a special certificate container that can be accessed without specifying the container name. However, if the authentication certificate used by AccessAgent is not in the default container, AccessAgent must specify the name of the container. CSPs follow different conventions for accepting container names. This parameter defines the container name format:
          • #1: \\.\<reader-name>\<container-id>
          • #2: \\.\<reader-name>\\\
          • #3: <container-id>
          • #4: NULL (default)
        If this parameter is set to 1 or 3, AccessAgent enumerates the containers and searches for the authentication certificate based on the AuthCertIssuerList and AuthCertKeyUsageBits parameters.
        Mandatory: No

      AuthCertIssuerList
        Type: REG_MULTI_SZ
        Values: If the authentication certificate is not available in the default container, AccessAgent uses this parameter to search the certificates available on the smart card. This multi-string must include the Common Names (CN) of the issuers of the authentication certificate. For a smart card certificate to be selected for authentication, the name of the certificate issuer must be present in this list.
        Mandatory: No

      AuthCertKeyUsageBits
        Type: DWORD
        Values: If the authentication certificate is not available in the default container, AccessAgent uses this parameter to search the certificates available on the smart card. This hexadecimal value is the bitwise OR of the key usage values defined in the certificate. The possible key usage bits, as defined in the X.509v3 specification, are:
          • 0x80: digital signature
          • 0x40: non-repudiation
          • 0x20: key encipherment
          • 0x10: data encipherment
          • 0x08: key agreement
          • 0x04: certificate signing
          • 0x02: CRL signing
        An example of CertSearchKeyUsageBits is A0, which allows the use of the keypair for digital signatures and key encipherment.
        Mandatory: No
    3. Save the required registry settings in a .reg file and place the file in the <AccessAgent installation folder>\Reg folder.
  4. Restart your machine.
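As an added example (not from the IBM documentation), the following PowerShell script builds the step 3 registry settings, checks the card names against the Windows registrations under Calais\SmartCards as step 3.1 requires, and exports the result to a .reg file for the AccessAgent Reg folder (step 3.3). The card name, CSP name, issuer CN, middleware key name and installation folder are placeholders to be replaced with your own values.

```powershell
# Added example, not IBM code. Run from an elevated PowerShell prompt.
# Placeholder values: replace with your card, CSP, issuer CN and install path.
$Base       = 'HKLM:\SOFTWARE\IBM\ISAM ESSO\SOCIAccess\SmartCard'
$Middleware = Join-Path $Base 'Middleware\ExampleMiddleware'   # any identifying key name
$Cards      = @('EXAMPLE SMART CARD')                           # placeholder card name(s)
$RegFolder  = 'C:\Program Files\IBM\ISAM ESSO\AccessAgent\Reg'  # placeholder install folder

# Each SupportedCards entry must match a subkey of the Windows smart card
# registrations; abort before writing anything if a name is unknown.
$Registered = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards' -ErrorAction Stop |
              Select-Object -ExpandProperty PSChildName
foreach ($c in $Cards) {
    if ($Registered -notcontains $c) {
        throw "Smart card '$c' is not registered with Windows under Calais\SmartCards"
    }
}

New-Item -Path $Base -Force | Out-Null
# Restrict monitoring to the listed cards; without this value AccessAgent monitors all cards.
New-ItemProperty -Path $Base -Name 'SupportedCards' -PropertyType MultiString -Value $Cards -Force | Out-Null
# Only required when the CSP differs from the one registered with Windows.
New-ItemProperty -Path $Base -Name 'AutoDetectCardMiddlewareEnabled' -PropertyType DWord -Value 0 -Force | Out-Null

New-Item -Path $Middleware -Force | Out-Null
# CSPName is the only mandatory middleware parameter.
New-ItemProperty -Path $Middleware -Name 'CSPName' -PropertyType String -Value 'Example Smart Card CSP' -Force | Out-Null
New-ItemProperty -Path $Middleware -Name 'RsaEncryptionEnabled' -PropertyType DWord -Value 1 -Force | Out-Null
# ContainerSpecLevel 3 = <container-id>; AccessAgent then enumerates containers
# and selects the certificate by issuer CN and key usage.
New-ItemProperty -Path $Middleware -Name 'ContainerSpecLevel' -PropertyType DWord -Value 3 -Force | Out-Null
New-ItemProperty -Path $Middleware -Name 'AuthCertIssuerList' -PropertyType MultiString -Value @('Example Issuing CA') -Force | Out-Null
# 0xA0 = digital signature (0x80) | key encipherment (0x20)
New-ItemProperty -Path $Middleware -Name 'AuthCertKeyUsageBits' -PropertyType DWord -Value 0xA0 -Force | Out-Null

# Export the finished settings as the .reg file that goes in the Reg folder.
$RegFile = Join-Path $RegFolder 'SmartCard.reg'
reg.exe export 'HKLM\SOFTWARE\IBM\ISAM ESSO\SOCIAccess\SmartCard' $RegFile /y | Out-Null
Get-Content $RegFile
```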
