
ActivClient Linux User Guide

The ActivClient for Linux 3.0 User Guide provides comprehensive instructions for end users on managing smart cards and digital certificates. It covers topics such as getting started, accessing the User Console, managing smart cards, and troubleshooting. The guide is intended for users familiar with authentication in Linux environments and is part of a broader documentation set.

Uploaded by

kodiamr

ActivClient for Linux 3.0
User Guide

Table of Contents

Chapter 1: Introduction
    About this guide
    Audience
    Assumed knowledge
    Related documentation

Chapter 2: Getting started
    First steps
    Working with ActivClient
        Access the User Console
        ActivClient tasks

Chapter 3: Smart cards
    Managing smart cards
        View smart card information
        View Personal Information
        Change a smart card PIN
        Unlock a smart card with the User Console
            Access the Unlock Card function
            Unlock with Challenge/Response
        Unlock a smart card with My Digital ID Card Portal
        Synchronize your smart card
        Configure your smart card-based password
        Reset your smart card-based password
    Using smart cards
        Generate a One-Time Password
        Log on with a smart card
            Smart card authentication is required
            Smart card authentication is not required
        Unlock screen with a smart card
            Smart card authentication is required
            Smart card authentication is not required
        Lock your workstation on smart card removal

Chapter 4: Digital certificates
    Managing certificates
        View certificates
    Using certificates
        Access a secure web site
        Send/Receive signed email messages with Mozilla SeaMonkey or Thunderbird
            Send signed email messages
            Receive signed email messages
        Send/Receive encrypted email messages with Mozilla SeaMonkey or Thunderbird
            Send encrypted email messages
            Receive encrypted email messages

Chapter 5: ActivClient management
    View system information
    Forget state for all cards
    Access the Advanced Configuration Manager
    Configure behavior on smart card removal

Chapter 6: Troubleshooting
    Activate logging
        Turn on/off log system activity
        Activate log files from ActivClient User Console

Terms and acronyms
    Terms
    Acronyms


Chapter 1: Introduction

About this guide
This guide provides end-user instructions for using ActivClient for Linux.

It covers the following topics:

Chapter 1, "Introduction." - Provides an overview of this guide.

Chapter 2, "Getting started." - Explains the first steps to start using ActivClient.

Chapter 3, "Smart cards." - Explains how to use and manage smart cards with
ActivClient.

Chapter 4, "Digital certificates." - Explains how to use and manage digital
certificates with ActivClient.

Chapter 5, "ActivClient management." - Explains how to manage ActivClient.

Chapter 6, "Troubleshooting." - Explains how to troubleshoot ActivClient.

Audience
This guide is intended for end users who will use ActivClient to manage their
smart cards and authenticate using smart card-based certificates and passwords.

Assumed knowledge
This guide assumes that the reader has a good understanding of authentication
scenarios, especially in Linux environments.

Related documentation
This guide is part of the ActivClient documentation set. The other documents are:

• ActivClient for Linux Overview
• ActivClient for Linux Installation Guide


Chapter 2: Getting started

This chapter explains how to start using ActivClient.

First steps
Depending on your organization, you may need to configure your smart card
before you can use it for authentication or digital signature operations.

Your first steps with ActivClient are determined by your:

• Smart card status (whether or not your administrator has prepared the card
for you and it is ready to use).
• ActivClient configuration (defined during ActivClient setup).

Working with ActivClient

Access the User Console

1. From the Applications menu, select ActivClient and then User Console.


For further information on the User Console, see the ActivClient for Linux
Overview.

ActivClient tasks

The following table lists the tasks you can perform using ActivClient smart cards
and certificates:

You can... / Action

View smart card information
    View the technical information about your smart card.
    • "View smart card information"

View your personal information
    Available for the US Department of Defense on Common Access Cards
    (CAC) or US Government Personal Identity Verification (PIV) cards only.
    • "View Personal Information"

Manage and use your smart card
    • "Change a smart card PIN"
    • "Unlock a smart card with the User Console"
    • "Synchronize your smart card"
    • "Configure your smart card-based password"
    • "Reset your smart card-based password"
    • "Generate a One-Time Password"
    • "Log on with a smart card"
    • "Unlock screen with a smart card"
    • "Lock your workstation on smart card removal"

Manage and use certificates
    • "View certificates"
    • "Access a secure web site"
    • "Send/Receive signed email messages with Mozilla SeaMonkey or
      Thunderbird"
    • "Send/Receive encrypted email messages with Mozilla SeaMonkey or
      Thunderbird"

Manage ActivClient
    • "View system information"
    • "Forget state for all cards"
    • "Configure behavior on smart card removal"

Troubleshoot ActivClient
    • "Activate logging"


Chapter 3: Smart cards

This chapter explains how to manage and use your smart card.

Managing smart cards

View smart card information

ActivClient User Console provides you with technical information about your
smart card such as:

• User name
• Smart card manufacturer name
• Smart card model (when known)
• Serial number

1. Launch the User Console and insert your smart card into the reader attached
to your machine.

2. In the Smart Card pane (on the left), click Smart Card Info.

The Smart Card Info is displayed in the right pane.

Your user name is supplied by ActivClient from one of the following:

– Your remote access (AAA) user name (if present on smart card)
– User name of your default certificate (if defined) which is determined by
your smart card settings.

View Personal Information

US Government Personal Identity Verification (PIV) and Common Access Card
(CAC) smart cards allow personal information to be displayed for each smart
card holder.

NOTE
The View my personal info feature is read-only!

The personal information displayed may vary according to your type of card and
profile.

1. Launch the User Console and insert your smart card into the reader attached
to your machine.

2. In the Smart Card pane (on the left), click My Personal Info.


3. Select the PIV Cardholder Info tab in the right pane.

The Personal Info contents are displayed:

– Name
– Employee information

For PIV smart cards, the validity for the digital signature information is
displayed for the:

– Facial image
– Fingerprints
4. Select the PIV Cardholder Identification tab in the right pane.

Additional cardholder information is displayed. This includes the validity for
the digital signature of the Cardholder Identification (CHUID).

Change a smart card PIN

You should change your smart card PIN regularly to ensure that you are the only
person accessing your smart card.

1. You can launch the PIN Change Tool from the:

– Applications menu - point to ActivClient and then click PIN Change Tool.
– User Console - either:
- Select the Change PIN icon from the console toolbar.
- Select Change PIN from the Tools menu.
- Press the CTRL+E keyboard shortcut.

The PIN Change tool dialog box is displayed.


2. Enter your current PIN in the corresponding field.

3. Enter and confirm your new PIN.

Your new PIN must satisfy the specified conditions to be accepted.

When a required condition is met, the corresponding icon changes to a green
check mark. When all the conditions are met, the Next button becomes
available.

4. Click Next.


5. If the PIN was successfully changed, click Finish.

If the PIN change failed, click Back and restart the process, making sure you
enter your old PIN correctly.

Unlock a smart card with the User Console

Access the Unlock Card function


• From ActivClient User Console, select Unlock Card from the Tools menu.
• Open the ActivClient User Console and insert the locked smart card into your
smart card reader.

Unlock with Challenge/Response


When ActivClient detects that a smart card is locked, the Unlock Smart Card PIN
dialog box is displayed. You can then retrieve a Challenge Code.


NOTE
Memorize your new PIN as you
will need it for future smart card
operations.

1. Call your help desk and give them the displayed Challenge Code.

2. In the Unlock Code field, enter the unlock code that the help desk gives you.

3. In the New PIN field, enter a new PIN.

4. In the Verify field, enter the new PIN.

Your new PIN must satisfy the specified conditions to be accepted.

When a required condition is met, the corresponding icon changes to a green
check mark. When all the conditions are met, the OK button becomes
available.

5. Click OK.


Unlock a smart card with My Digital ID Card Portal

NOTE
This option is only available with deployments of the ActivIdentity
Card Management System (CMS).

PREREQUISITE
Mozilla/Firefox is configured for CMS My Digital ID Portal as described in
the ActivClient for Linux Installation Guide.

If your smart card is locked due to too many incorrect PIN entries, you can unlock
it using the My Digital ID Card portal.

1. Access the secure My Digital ID Card portal (using your web browser).

Your administrator should have provided you with the URL for the portal (for
example, https://cms.majorcorp.com:49153/aimse/enterprise/user).

2. Insert your smart card into the smart card reader connected to your machine
and click Start.

Depending on how your CMS administrator has configured the portal or the
state of your card, you will either be prompted to enter your password, an
emergency password, or to answer Security Questions.

3. Either enter your LDAP Password, an emergency password, or answer the
Security Questions, and click Continue.

If the card is successfully unlocked, the new PIN page is displayed.


4. Enter and confirm a New Smart Card PIN.

Your new PIN must satisfy the specified conditions to be accepted.

When a required condition is met, the corresponding icon changes to a green
check mark. When all the conditions are met, the Continue button becomes
available.

NOTE
Memorize your new PIN as you will need it for future smart card
operations.

5. Click Continue.

A confirmation message is displayed.

6. Click Done to exit.

For further information on the My Digital ID Card portal, see the ActivIdentity
MDIDC User Portal User Guide.

Synchronize your smart card


PREREQUISITE
Your smart card is initialized to use one-time passwords.

If you are unable to authenticate using one-time passwords, contact your help
desk to diagnose the problem. Your help desk may determine that your smart card
is no longer synchronized with the authentication server. In this case, perform the
following steps in order to solve the problem.

1. Open ActivClient User Console and open the One-Time Password folder.

2. To start the synchronization, in the left or right pane, right-click the ActivPack
icon and select Synchronize one-time password.

The Synchronize One-Time Password window is displayed.


3. Give the Clock and Counter values to your help desk.

Your help desk will synchronize or re-synchronize your device on the
authentication server.

Configure your smart card-based password

SMART CARD REQUIREMENTS
• The smart card must not be a CAC, PIV or PIVEXT card.
• The smart card can also contain certificates and/or an SKI instance.
• If the smart card was issued by ActivIdentity CMS, it should have the right
  static instance on the card.

You can log on to your machine using static credentials (username and password)
stored on your smart card.

To do so, you must configure your smart card-based password in the My Logins
folder in the User Console.

1. Open ActivClient User Console and insert your smart card into the reader.

2. To start the configuration process, either:

– In the left pane, open the My Logins folder.

- Or -

– Select the reader name in the left pane, and then double-click on the My
Logins folder in the right pane.

The Linux Login icon is displayed on the right pane.

3. To configure the smart card-based password credential, in the left or right
pane, right-click the Linux Login icon and select Configure this credential.

The Configure Linux Login window is displayed.

4. Enter your User Name.

5. Enter and confirm your Password and click OK.

You are prompted to enter your PIN.

6. Enter the smart card PIN and click OK.

To log on to your workstation using the smart card-based password, ensure
your smart card is in the reader at logon and enter your PIN when prompted.

Reset your smart card-based password

1. Open ActivClient User Console and insert your smart card into the reader.

2. To start the reset process, either:

– In the left pane, open the My Logins folder.

- Or -

– Select the reader name in the left pane, and then double-click on the My
Logins folder in the right pane.

The Linux Login icon is displayed on the right pane.

3. To reset the smart card-based password credential, in the left or right pane,
right-click the Linux Login icon and select Reset this credential.

You are prompted to confirm the action.

4. Click Yes to confirm.

Using smart cards

Generate a One-Time Password

PREREQUISITES
• ActivClient User Console is open.
• Your smart card has been initialized to use one-time passwords.

ActivClient enables you to generate a one-time password using the ActivClient
User Console. You can then use this password to log on to remote access
applications.

1. To start the password generation process, either:

– In the left or right pane, open the One-Time Password folder.

- Or -

– Select the reader name in the left pane, and then double-click on the
One-Time Password folder on the right pane.

The ActivPack icon is displayed on the right pane.

2. To generate a one-time password, in the left or right pane, right-click the
ActivPack icon and select Generate one-time password.

The Generate One-Time Password window is displayed.

3. Take one of the following actions depending on your administrator’s
recommendations:

• If your administrator recommends authenticating in Automatic mode:

a. Select Automatic (synchronous) from the Type drop-down list.

b. Proceed to Step 4.

- Or -

• If your administrator recommends authenticating in a Challenge/Response
mode:

a. Select Manual (challenge/response) from the Type drop-down list.

A Challenge field is displayed in the Generate One-Time Password
window.

b. Locate the challenge on the application you are authenticating to. (For
challenge/response applications, the challenge is displayed in the dialog
box used when logging on).

c. Type the challenge in the Challenge field.

4. Click Generate.

Your newly generated one-time password is displayed.

5. Type (or copy and paste) it into any logon form.

Log on with a smart card


PREREQUISITE
The PAM file must be configured for smart card authentication. For further
information, see the ActivClient for Linux Installation Guide.

Smart card authentication is required

If your system is configured to require smart card authentication to log on:

1. Start or access your workstation.

The system logon screen is displayed.

2. Insert your smart card into the smart card reader.

3. Enter your PIN and click OK or press Enter.

After a few moments, you are logged on and your desktop is displayed.

SMART CARD STATIC AUTHENTICATION
(Required and not required.)
When:
• static authentication is configured as the smart card authentication
  method, and
• static credentials on the smart card are either not present or are incorrect
the user will be prompted to manually enter their credentials. These
credentials are then stored on the smart card.

NOTE
The update credential option must be configured in the PAM file. For further
information, see the ActivClient for Linux Installation Guide.

Smart card authentication is not required

If your system is configured to allow manual static logon:

1. Start or access your workstation.

The system logon screen is displayed.

2. Either:

a. Insert your smart card into the smart card reader.

b. Enter your PIN and click OK or press Enter.

- Or -

a. Type Enter.

b. Enter your credentials (username and either password or one-time
password) and click OK or press Enter.

After a few moments, you are logged on and your desktop is displayed.

Unlock screen with a smart card

Smart card authentication is required

If your system is configured to require smart card authentication to log on:

1. Access your workstation.

The unlock screen is displayed.

2. Insert your smart card into the smart card reader.

3. Enter your PIN and click OK or press Enter.

WARNING
Depending on your platform and on the Desktop configured, you may have to
enter your PIN in a field named "Password" instead of "Enter PIN".

After a few moments, the screen is unlocked and your desktop is displayed.

Smart card authentication is not required

If your system is configured to allow manual logon:

1. Access your workstation.

The unlock screen is displayed.

2. Either:

a. Insert your smart card into the smart card reader.

An Unlock window relevant to your operating system is displayed.

b. Enter your PIN and click OK or press Enter.

- Or -

a. Enter your credential (password or one-time password) and click OK or
press Enter.

WARNING
Depending on your platform and on the Desktop configured, you may have to
enter your PIN in a field named "Password" instead of "Enter PIN".

After a few moments, the screen is unlocked and your desktop is displayed.

Lock your workstation on smart card removal

PREREQUISITES
• ActivClient is configured for “workstation locking on smart card removal”
  (default setting).
• You used your smart card to log in to your workstation.

To increase the security of your computer and its contents, lock up your computer
when you are away from it and keep your smart card safely in a separate place or
on your person.

Your administrator may have changed the Card Removal Behavior property. For
more information on customization, refer to the ActivClient for Linux Installation
Guide.

1. Remove your smart card from the smart card reader.

Your workstation is now locked.


Chapter 4: Digital certificates

Managing certificates

View certificates

You can view details of your certificates on your smart card using the ActivClient
User Console.

1. Open ActivClient User Console.

2. To access your certificates, either:

– In the left Tasks pane, select the My Certificates folder.

- Or -

– From the right pane, double-click the My Certificates icon.

An icon for each of your certificates is displayed.

3. Double-click the certificate that you want to view.

The Properties tab is displayed.

4. To view advanced properties, click the Advanced tab.

In the Advanced tab, you can copy a value to another application:

a. Select the required information in the table.

The information is displayed in the text area below the table.


b. Right-click on the text and use the menu to copy it to the clipboard.

c. Paste the text into the required application.

Using certificates

Access a secure web site

PREREQUISITES
• Mozilla or Firefox is installed on your computer.
• Your smart card contains a certificate configured for authentication to this
  web site.
• The ActivClient PKCS#11 library has been registered to Firefox or Mozilla.
  Refer to ActivClient for Linux Installation Guide for details.

You can use your smart card-based digital certificate to access a web site
protected by SSL v3 for strong user authentication.

1. Insert your smart card into the smart card reader.

2. Start your browser from your desktop.

3. Access the secure web site or page.

4. Enter your PIN.

Your browser sends your certificate and a digital signature to the Web server.
The Web server verifies your signature and grants access to the secured site
or page.

Send/Receive signed email messages with Mozilla SeaMonkey or Thunderbird

PREREQUISITES
• Mozilla SeaMonkey or Thunderbird is installed on your computer.
• A certificate with email signature capabilities is available on your smart
  card.
• The ActivClient PKCS#11 library has been registered to the email client.
  Refer to ActivClient for Linux Installation Guide for details.
• You have valid certificates for all the intended recipients.

A digital signature is computed from your private key and a message. It
authenticates you as the message sender and verifies the integrity of the
message. With ActivClient, the digital signature is performed directly on your
smart card.

Send signed email messages

To send a signed email message, follow the instructions provided with your email
application and enter your PIN when prompted. ActivClient uses your smart
card-based signing certificate to add your digital signature to the message.

Receive signed email messages

To read a signed email message, select the message in your inbox. If the sender
is successfully authenticated, the message opens with a secure message icon.

Send/Receive encrypted email messages with Mozilla SeaMonkey or Thunderbird

MOZILLA MESSAGE SECURITY
For further information about Thunderbird and SeaMonkey message security, go to
http://kb.mozillazine.org/Message_security

Encrypting an email message guarantees that only the proper recipient can open
and read the message and its attachments. Email encryption is based on the
public key infrastructure.

Decrypting an encrypted email message is performed directly on your smart card
for increased security.

Send encrypted email messages

To send an encrypted email message, follow the instructions provided with your
email application and enter your PIN when prompted. ActivClient uses your smart
card-based encryption certificate to encrypt the message content and
attachments.

Receive encrypted email messages

To read an encrypted email message, select the message in your inbox and enter
your PIN when prompted. ActivClient will use your smart card-based encryption
certificate to decrypt the message content and attachments.


Chapter 5: ActivClient management

This chapter explains how to manage and configure ActivClient.

View system information

1. Launch the ActivClient User Console.

2. Either:

– Select Help and then About ActivClient from the ActivClient User
Console menu.

- Or -

– Select the About ActivClient User Console icon on the toolbar.

The About ActivClient User Console window is displayed.

3. Click OK to return to the User Console.

Forget state for all cards


To optimize performance, ActivClient stores some smart card information on the
workstation; this is limited to smart card configuration data (such as smart card
profile) and excludes any user credentials such as user names, passwords, keys
or digital certificates.

In most environments, ActivClient will refresh this information as needed when
your smart card content is updated. In some cases, to help solve a potential
problem, your technical support may suggest that you tell ActivClient to "forget"
any smart card information it may have saved.

1. Open ActivClient User Console.

2. Go to the Tools menu.

3. Select Advanced, then Forget state for all cards.

The information stored on your workstation about card configuration is reset.

Access the Advanced Configuration Manager

You must have root privileges to access the Advanced Configuration Manager.

• From the ActivClient User Console’s Tools menu:
Select Advanced, then Configuration.
The Advanced Configuration Manager window is displayed.

- Or -

• From the Applications menu:
Go to ActivClient and select Advanced Configuration Manager.
The Advanced Configuration Manager window is displayed.


For information on the settings and their values, read the description displayed at
the bottom of the window each time you select an option.

Configure behavior on smart card removal

Only the root user can configure the smart card removal behavior (using the
Advanced Configuration Manager). When users remove their smart card from the
smart card reader, the workstation can be configured to behave in one of the
following ways:

• Log off
• Lock session
• No action

For more specific information, you can refer to the section on product
customization in the ActivClient for Linux Installation Guide.



Chapter 6: Troubleshooting

IN THIS CHAPTER

• Turn on/off log system activity
• Activate log files from ActivClient User Console

Activate logging

Log files contain detailed information for every action performed by ActivClient.
The information contained in these files may be useful for your technical support
when trying to solve problems.

ActivClient allows you to configure log files without necessarily having
administrator rights. You can configure log system activity from either:

• ActivClient User Console.
• Advanced Configuration Manager window (reserved for system
administrators, see the ActivClient for Linux Installation Guide for details on
product customization).

In order to guarantee privacy and security, no private key or other confidential
information is recorded in the ActivClient log files.

Turn on/off log system activity

• Turn off logging system activity in normal use cases.


• Turn on logging system activity only when required by your system
administrator or help desk.
After log file creation, ActivIdentity recommends disabling log system activity!

Activate log files from ActivClient User Console

The following procedure is a quick way to configure log system activity.
You may want to access more options by going to the Logging section of the
Advanced Configuration Manager.

1. Open ActivClient User Console.

2. Go to the Tools menu.

3. Select Advanced, Log File Options.

The Log File Options dialog box is displayed.

IMPORTANT: Ensure that the directory containing the log file has read/write
access rights or permissions for all users.

4. Check the Record events in log files option.

5. Enter a name in the Log File Name field.

6. Enter a size for the log file in the Max Log File Size (in MB) field.

7. Click OK.
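
The IMPORTANT note in this procedure asks for a log directory that all users can read and write. As an added example (not part of the original guide or of ActivClient), the shell function below checks a directory for that access and also for the sticky bit, which on a shared writable directory prevents one user from deleting or renaming another user's files. The function name `check_log_dir`, its return codes and the directory path passed to it are assumptions of this example; the guide does not name a default log directory.

```shell
#!/bin/sh
# Audit a directory intended to hold a log file that every user must be
# able to write. The path is supplied by the caller (assumption: this
# guide does not name a default log location).
#
# Return codes (chosen for this example):
#   0  readable and writable by all users, sticky bit set
#   1  not a real directory (missing, or a symbolic link)
#   2  not readable and writable by all users
#   3  readable and writable by all users, but sticky bit missing
check_log_dir() {
    dir=$1

    # Reject symbolic links: a link could redirect log writes elsewhere.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        return 1
    fi

    # GNU stat (Linux): %a prints the octal mode, for example 1777 or 755.
    mode=$(stat -c '%a' "$dir") || return 1

    # The last octal digit holds the permissions for "other" users.
    other=$((mode % 10))
    # Read (4) and write (2) must both be granted.
    if [ $((other & 6)) -ne 6 ]; then
        return 2
    fi

    # The sticky bit is the 1 in the fourth octal digit from the right.
    special=$((mode / 1000))
    if [ $((special & 1)) -ne 1 ]; then
        return 3
    fi
    return 0
}
```

A result of 3 means the directory satisfies the note but any user can remove or replace another user's log file; `chmod +t` on the directory sets the sticky bit.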



Terms and Acronyms

Terms

Certificate Authority (CA)


The CA issues and manages security credentials and public keys for message encryption in a networked environment.
As part of a Public Key Infrastructure (PKI), a CA checks with a registration authority (RA) to verify information provided
by the requestor of a digital certificate. If the RA verifies the requestor's information, the CA issues a certificate.

ActivID Card Management System (CMS)


Formerly known as AIMS-Enterprise, CMS is a Web-based, smart card, credential and application lifecycle
management system.
CMS augments and works in concert with an enterprise's primary identity management infrastructure components,
including popular directory, database, and PKI components.

Cryptographic Service Provider


An independent software module that performs cryptographic algorithms for authentication, encoding, and encryption.

Federal Information Processing Standard (FIPS)
FIPS 140-2 is the standard for crypto-module security. FIPS 140-2 level 3 adds additional requirements to FIPS 140-2
level 2. These requirements concern physical security and a trusted path for entering a Cryptographic Service Provider,
such as a PIN. FIPS 140-2 level 3 uses local ports and the key pad to enforce such security.

GlobalPlatform
Replaces OpenPlatform (OP).

My Digital ID Card
This CMS component allows end users to access the self-service CMS functions, which includes card and credential
management.

One-Time Password
A one-time password is a password used only once to authenticate to remote applications. One-Time Passwords are
only present on smart cards issued with SKI credentials.

PIN
Personal Identification Number. It is used to authenticate to your smart card in order to perform actions such as PKI login,
remote access and email signature.


Public Key Infrastructure (PKI)


PKI describes the laws, policies, standards, and software that regulate or manipulate certificates and public and private
keys.

Registration Authority (RA)


RA is an authority in a network that verifies user requests for a digital certificate and instructs the CA to issue it. An RA
is part of a PKI, a networked system that enables companies and users to exchange information safely and securely.

SKI
SKI (Symmetric Key Infrastructure) keys are used to perform strong authentication on remote applications. SKI keys
encrypt passwords in:

• Synchronous mode: generates one password without any challenge. The server
uses the same method as the smart card to create a password.
• Asynchronous mode: encrypts a challenge.

Standalone smart card


Smart card with uploaded applets issued by the manufacturer.

Acronyms

CA
Certificate Authority

CAC
Common Access Card (for the United States Department of Defense)

CMS
Card Management System (ActivIdentity)

CRL
Certificate Revocation List

CSP
Cryptographic Service Provider


FIPS
Federal Information Processing Standard

GP
GlobalPlatform. Replaces OpenPlatform (OP)

OCSP
Online Certificate Status Protocol

OTP
One-Time Password

PAM
Pluggable Authentication Module

PKI
Public Key Infrastructure

PIV
Personal Identity Verification Card issued by the United States government to federal employees and contractors

RA
Registration Authority

SKI
Symmetric Key Infrastructure



Send us your comments
ActivIdentity Inc. welcomes your comments and suggestions. Your input is an important factor in future
revisions of this publication. Please let us know your opinion.

Product: ActivClient for Linux

Document: User Guide

Document Reference: AC/Linux/UG/09.2008/v3.0

Please send your feedback via email to: [email protected]

If you find errors or have general suggestions for improvement, please indicate the chapter, section and
page number.

If you would like a reply, please include your name, company, email address, and telephone number.

Sample Questions to Consider

Is the information clearly presented?

Do you need more information? If so, where?

Are the examples correct/helpful?

Important: If you have problems with the software, please contact your local ActivIdentity representative.

ActivIdentity Inc.
Corporate Headquarters
6623 Dumbarton Circle
Fremont, CA 94555
USA
Legal Information and Notice
ActivIdentity North America Corporate Headquarters
6623 Dumbarton Circle, Fremont, CA 94555 USA
Tel: 1.800.529.9499
Fax: 1.510.574.0101

Australia
Tel: +61 (2) 62 08 48 88
Fax: +61 (2) 62 81 74 60
EMEA
Tel: +33 (1) 42 04 84 00
Fax: +33 (1) 42 04 84 84

Web Site Address: www.actividentity.com


Document Reference No: AC/Linux/UG/09.2008/v3.0

ActivIdentity Intellectual Property: This document or deliverable(s) contain proprietary information of ActivIdentity Corp. and/or its
subsidiaries and affiliates (collectively, “ActivIdentity”) embodying confidential information, ideas, and expressions, no part of which
may be reproduced or transmitted in any form or by any means, electronic, mechanical, or otherwise, without prior written permission
from ActivIdentity. This document may not be modified, copied, distributed, transmitted, displayed, performed, reproduced, published,
licensed, used to create derivative works therefrom, transferred, or sold unless expressly agreed by ActivIdentity. The furnishing of
this document does not imply or expressly provide a license to any of ActivIdentity’s intellectual property.

Copyright Notice: Copyright © 2008 ActivIdentity, Inc., USA. All rights reserved worldwide. This document and ActivIdentity software
products are protected by United States copyright laws and international treaty provisions.

Trademarks: ActivIdentity, ActivIdentity (logo), ActivCard, ActivCard (logo), and/or other ActivIdentity or ActivCard products or marks
referenced herein are trademarks of ActivIdentity in the United States and/or internationally. The absence of a mark, product, service
name or logo from this list does not constitute a waiver of ActivIdentity’s trademark or other intellectual property rights concerning that
name or logo. The names of actual companies, trademarks, trade names, service marks, images and/or products mentioned herein
may be the trademarks of their respective owners. Any rights not expressly granted herein are reserved.

Patents: ActivIdentity may have patents, pending patent applications, and/or other intellectual property rights covering subject matter
contained in this document or deliverable(s).

Export Control: ActivIdentity products, programs, or services referenced in this publication may not be available in all countries in
which ActivIdentity operates due to export restrictions or changes in market conditions. Recipient agrees to comply fully with all
relevant export laws and regulations, including but not limited to the U.S. Export Administration Regulations (collectively, “Export
Controls”). Without limiting the generality of the foregoing, Recipient expressly agrees that it shall not, and shall cause its
representatives to agree not to, export, directly or indirectly, re-export, divert, or transfer the software, programs, documentation,
materials, specifications or any direct product thereof to any destination, company or person restricted or prohibited by Export
Controls. In the event that Recipient provides the software, programs, documentation, materials, specifications or any direct product
thereof to a third party located in any destination outside the country of delivery by ActivIdentity, Recipient shall ensure that it enters
into a written agreement with such third party that protects ActivIdentity’s rights and interests to the same extent protected hereunder
and specifies ActivIdentity as a third party beneficiary. Recipient agrees to provide a copy of such agreement to ActivIdentity at
ActivIdentity's request and to assist ActivIdentity, at Recipient’s expense, in enforcing ActivIdentity's rights if ActivIdentity is not
recognized as a third party beneficiary in the applicable jurisdiction.

Disclaimer: This publication is intended for informational purposes only. ActivIdentity makes no warranties, express or implied in this
document. Furthermore, the information contained in this document has not been submitted to any formal testing and is distributed
‘AS IS.’ The use of this information or the implementation of any of these techniques is a customer responsibility and depends on the
recipient’s ability to evaluate and integrate them into an operational environment. While each item may have been reviewed by
ActivIdentity for accuracy in a specific situation, there is no guarantee that the same or similar results will be obtained elsewhere.
Attempts to adapt these techniques to any environment are done so at their own risk. Information in this publication was developed in
conjunction with the use of the hardware, software, and networking arrangements specified and is thus limited in application to that
specific hardware, software products and networking arrangements. The information contained herein is not intended as a
specification of any programming interfaces that are provided by ActivIdentity. This document is subject to change without notice and
does not represent a commitment on the part of ActivIdentity. This document may contain information about product functionality not
available in your product release.
