6.2 Prerequisites for CardSpace

6.2.1 Enabling High Encryption

The JRE ships with export-restricted jurisdiction policy files that cap the key sizes the JCE providers accept (AES, for example, is limited to 128-bit keys). To enable high encryption, you need to replace the US_export_policy.jar and local_policy.jar files with the unlimited strength versions. Keep a copy of the original files so that you can revert the change.

  1. Download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6 (jce_policy-6.zip).

  2. Extract the files.

  3. Copy the US_export_policy.jar and local_policy.jar files to the security directory for the JRE, replacing the existing files:

    • Linux Identity Server: /opt/novell/java/jre/lib/security

    • Windows Identity Server: C:\Program Files\Novell\jre\lib\security

  4. Restart Tomcat.

    • Linux Identity Server: Enter the following command:

      /etc/init.d/novell-tomcat5 restart

    • Windows Identity Server: Enter the following commands:

      net stop Tomcat5

      net start Tomcat5

  5. Complete these steps on both Identity Servers: the one that is going to act as the relying party and the one that is going to act as the identity provider. The new policy takes effect only after the JVM is restarted, which is why Tomcat is restarted in the previous step.
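The following script automates steps 3 and 4 and adds the two checks a practitioner wants: a timestamped backup of the export-restricted jars before they are overwritten, and a probe that asks the JVM what key length it will now allow. It is an added example, not Novell's own tooling; the source and security directory paths are parameters, the script name jce_install.sh is hypothetical, and the probe assumes a JDK (javac) is available on the Identity Server.

```shell
#!/bin/sh
# Added example, not Novell's own tooling: install the JCE unlimited-strength
# policy jars into a JRE's lib/security directory with a backup of the
# export-restricted originals, then verify the copy. All paths are parameters.
set -eu

POLICY_JARS="US_export_policy.jar local_policy.jar"

# install_jce_policy <dir-with-extracted-jars> <jre-security-dir>
# Saves the current jars to <jre-security-dir>/jce_backup_<timestamp>/ and then
# copies the unlimited-strength jars over them. Prints the backup directory.
install_jce_policy() {
    src="$1"; dst="$2"
    for jar in $POLICY_JARS; do
        if [ ! -f "$src/$jar" ]; then
            echo "missing $src/$jar (extract jce_policy-6.zip first)" >&2
            return 1
        fi
    done
    backup="$dst/jce_backup_$(date +%Y%m%d%H%M%S)"
    mkdir -p "$backup"
    for jar in $POLICY_JARS; do
        if [ -f "$dst/$jar" ]; then
            cp -p "$dst/$jar" "$backup/$jar"
        fi
        cp "$src/$jar" "$dst/$jar"
    done
    echo "$backup"
}

# jars_match <src> <dst> : succeed only if both installed jars are byte-for-byte
# identical to the ones in <src>.
jars_match() {
    for jar in $POLICY_JARS; do
        cmp -s "$1/$jar" "$2/$jar" || return 1
    done
}

# jce_is_unlimited <jre-dir> : compile and run a one-line probe. With the
# unlimited policy installed, getMaxAllowedKeyLength("AES") returns
# Integer.MAX_VALUE (2147483647); with the restricted policy it returns 128.
# Needs javac on the PATH. A running JVM keeps the policy it loaded at
# start-up, so Tomcat still has to be restarted after the copy.
jce_is_unlimited() {
    probe=$(mktemp -d)
    cat > "$probe/Probe.java" <<'EOF'
public class Probe {
    public static void main(String[] a) throws Exception {
        System.out.println(javax.crypto.Cipher.getMaxAllowedKeyLength("AES"));
    }
}
EOF
    javac -d "$probe" "$probe/Probe.java"
    [ "$("$1/bin/java" -cp "$probe" Probe)" = "2147483647" ]
}

# Usage: jce_install.sh /tmp/jce /opt/novell/java/jre/lib/security
if [ "$#" -ge 2 ]; then
    b=$(install_jce_policy "$1" "$2")
    echo "originals saved in $b"
    jars_match "$1" "$2" && echo "policy jars installed; restart Tomcat"
fi
```

Run it as root on each Identity Server, restart Tomcat as in step 4, then call jce_is_unlimited /opt/novell/java/jre (or the Windows equivalent) to confirm the JVM now accepts 256-bit AES keys.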

6.2.2 Configuring the Client Machines for CardSpace

The client machines require a CardSpace card selector application. They also need to be configured to trust the machine that is acting as an identity provider.

Configuring Windows Clients for CardSpace

Windows clients require the Microsoft .NET Framework 3.5 service pack, and Internet Explorer must be configured to trust the identity providers that supply managed cards.

  1. (Conditional) Install the Microsoft .NET Framework 3.5 service pack.

    For Vista clients, this is included with the operating system.

    For XP clients, you need to download and install it.

    1. Download the package. See Microsoft .NET Framework 3.5

    2. Install the package.

    3. To verify that it has been installed, click Control Panel > Add or Remove Programs, then look for a Microsoft .NET Framework 3.5 entry.

  2. (Conditional) Install the trusted root certificate of the Identity Server CA so that Internet Explorer trusts the Identity Server. If you are using Access Manager generated certificates, you need to complete these steps.

    You must be an administrator user to complete these steps. Installing a CA certificate in the Local Computer store makes every user on the machine trust any certificate that CA issues, so before you install it, compare its thumbprint with a value you obtained out of band from the Access Manager administrator rather than relying on what the browser shows after a certificate error.

    1. In Internet Explorer, enter the base URL of the Identity Server.

    2. Click Continue to this website.

    3. In the URL line, click Certificate Error > View Certificates.

      The Certificate Information page displays information about the Identity Server server certificate.

    4. Click Certification Path, select the root CA certificate, then click View Certificate.

      The Certificate Information page displays information about the root CA certificate.

    5. Click Install Certificate > Next.

    6. Select Place all certificates in the following store, then click Browse.

    7. Select Show physical stores, scroll to Trusted Root Certification Authorities, open it, select Local Computer, then click OK.

    8. Click Next > Finish > OK.

    9. Close the browser.

    10. To verify that the correct certificate was installed, open the browser, then enter the base URL of the Identity Server.

      The certificate error should not appear in the URL line.

Configuring Linux Clients for CardSpace

The following instructions are for Linux clients running SUSE® Linux 10. They use the Bandit™ DigitalMe® card selector and explain how to download it, install it, and configure it so that it trusts the Identity Server.

  1. Verify that you have updated Firefox to 2.x. DigitalMe does not work with Firefox 1.5.x.

  2. In Firefox, access the Bandit Card site by entering the following URL:

    http://cards.bandit-project.org
    
  3. Click Download a selector, then select to download the selector for OpenSuse® 10.2 and SUSE Linux Enterprise Desktop (SLED) 10.

  4. Scroll to the bottom of the page, and install the Firefox add-on.

    1. Click Download DigitalMe add-on for Firefox (All Platforms).

    2. If you haven't yet allowed the Bandit site to install add-ons, click Edit Options, allow the site, then install the add-on.

  5. Download the appropriate selector for your OS. For SLES 10 with 32-bit hardware, select Download DigitalMe for SUSE Linux Enterprise 10 (i586) and save it as a file.

  6. Close Firefox.

  7. Open the download and install it.

  8. Export the public key certificates of the Identity Server. You need both the CA and server certificates.

    The following instructions explain how to log in to the Administration Console from the client machine with DigitalMe and export the certificates to the required directory.

    1. From a browser on the DigitalMe machine, log into the Administration Console.

    2. Click Security > Certificates.

    3. Click the name of the Identity Server certificate, then click Export Public Certificate > DER File.

    4. Select to save the file to disk, then click OK.

    5. Click Close, then click Trusted Roots.

    6. Click the name of the trusted root (the default name is configCA), then select to Export Public Certificate > DER File.

    7. Select to save the file to disk, then click OK.

    8. Copy the two certificate files to the following directory:

      /usr/share/digitalme/certs
      
  9. From the Application Browser, start the DigitalMe card selector.

  10. At the prompt to create a default keying, enter a password, reenter the password, then click OK.