Post on 24-Sep-2020
1 / 90 Net iD Enterprise Technical Description v6.6 Confidentiality: Public
Copyright 2017 © SecMaker AB Confidentiality: Public
Net iD Enterprise Technical Description v6.6
Document no: SMP-DO11-02
Date: 2017-07-04
Contents
1 Introduction ... 6
  1.1 About this document ... 6
  1.2 Who should read this document ... 6
  1.3 Error codes ... 6
  1.4 Feedback ... 6
  1.5 Contact ... 6
2 What is Net iD Enterprise? ... 7
  2.1 Overview ... 7
  2.2 Overview on Windows platforms ... 8
  2.3 Overview when using PKCS#11 ... 9
3 Installation Microsoft Windows ... 10
  3.1 What will be installed? ... 10
    Files ... 10
    Registry ... 11
  3.2 What will be uninstalled? ... 12
  3.3 Package naming conventions on Windows platforms ... 12
4 Installation Linux ... 13
  4.1 What will be installed? ... 13
    Files ... 13
    Single user installation ... 14
  4.2 Running installation ... 14
  4.3 Build custom installation ... 14
  4.4 What will be uninstalled? ... 14
5 Installation macOS ... 15
  5.1 What will be installed? ... 15
    Files ... 15
  5.2 Running installation ... 15
  5.3 Web browser ... 15
  5.4 What will be uninstalled? ... 15
6 Settings ... 16
  6.1 [AllowedServers] ... 16
  6.2 [Command] ... 16
    Admin ... 17
    Watch ... 17
    App ... 17
  6.3 [Components] ... 17
  6.4 [CredentialProvider] ... 17
    Version ... 17
    Presentation ... 18
    Enable ... 18
    Disable ... 18
    AutoLogon ... 18
    Activate ... 18
    DisableAutoLogon ... 18
    InitChangePin ... 18
    Mode ... 19
    WrappedGUID ... 20
    BlockGUID ... 20
    AcceptIssuers ... 20
    DefaultIssuers ... 20
    DenyIssuers ... 20
    RememberLastUsed ... 20
  6.5 [CredentialProvider Certificate] ... 21
    Enable ... 21
    Disable ... 21
  6.6 [CredentialProvider Change] ... 21
  6.7 [CredentialProvider Enroll] ... 21
    Parameters/RequestURL/ResponseURL ... 21
    ChallengeResponse ... 21
    Timeout ... 21
    AlwaysUnlock ... 21
  6.8 [CredentialProvider Password] ... 22
  6.9 [CredentialProvider Pin] ... 22
    Enable ... 22
    AutoLogon ... 22
    DisableAutoLogon ... 22
    InitChangePin ... 22
  6.10 [CredentialProvider Unlock] ... 22
    ChallengeResponse ... 22
    Timeout ... 23
  6.11 [CSP] ... 23
    AcceptBothKeySet ... 23
    AcceptIssuers ... 23
    AllowedDuplicateUsage ... 23
    CacheCard ... 23
    CertificateStoreMode ... 23
    ClearUserPinCache ... 24
    ConnectPCSC ... 24
    ContainerNameMode ... 24
    DeleteAtNewKeySet ... 24
    DenyIssuers ... 24
    DisableInsert ... 24
    DisableNonRep ... 24
    DisableRandom ... 25
    DisableSilent ... 25
    Enable ... 25
    FriendlyName ... 25
    InitChangePin ... 26
    InstallCaCert ... 26
    LoadExternal ... 26
    LoadMyself ... 26
    KeepCertificates ... 26
    KeepSessionAlive ... 27
    NamePrefix ... 27
    OverwriteCertificate ... 27
    PublishMachineStore ... 27
    ReplaceCertificate ... 27
    StoreContainerName ... 27
    UseCritical ... 28
    VerifyCertificate ... 28
  6.12 [DefaultCertificate] ... 28
  6.13 [Dialog] ... 28
    Advanced ... 28
    NoUserInterface ... 29
    Redirect ... 29
    PathApplication ... 29
    PathApplicationDisable ... 29
    PathResource ... 29
    Theme ... 29
    Theme_v<nn> ... 29
    Timeout ... 29
    Info<name> ... 30
    Customize ... 30
  6.14 [Dialog Image] ... 31
  6.15 [Dialog Presentation] ... 31
    Language ... 32
    Multiple Choices ... 32
    Image ... 32
    Title ... 33
    SubTitle ... 33
    TextAbove ... 33
    TextBelow ... 33
  6.16 [Dialog Presentation Certificate] ... 33
  6.17 [Dialog Presentation Pin] ... 33
  6.18 [Directory] ... 33
  6.19 [DynamicStrings] ... 34
    Enable ... 34
    Format ... 34
  6.20 [Encryption] ... 34
    Format ... 34
  6.21 [Encryption FileExtensions] ... 34
    Encrypt ... 35
    Sign ... 35
  6.22 [Event <name>] ... 35
  6.23 [General] ... 35
    CheckCaExpire ... 36
    CheckCardExpire ... 36
    CheckEnroll ... 36
    CheckSoftExpire ... 36
    EnableWinlogon ... 36
    EventList ... 37
    ExplorerExtension ... 37
    ExplorerMenu ... 37
    ExtraService ... 37
    StartMenu ... 37
    TaskbarAccessMode ... 38
    TaskbarIcon ... 38
    TaskbarMenuMode ... 38
    UseService ... 39
  6.24 [Install] ... 39
    Build ... 39
    Configuration ... 39
    Directory ... 39
    ProductName ... 39
    List ... 39
    Version ... 39
  6.25 [Install Option] ... 40
    MergeOldConfig ... 40
    RemoveOldInstall ... 40
    ShowWizard ... 40
    SpecialBuild ... 40
  6.26 [Install Shortcuts] ... 40
  6.27 [Language] ... 41
    Allowed ... 41
    Current ... 41
  6.28 [License] ... 41
    Cards ... 41
    Company ... 41
    Issuers ... 41
    Name ... 42
    Value ... 42
  6.29 [Links] ... 42
    Admin ... 42
    Error ... 42
    Help ... 42
    Mail ... 42
    Support ... 42
  6.30 [Links Action] ... 42
  6.31 [Links Custom] ... 44
  6.32 [LRA] ... 44
  6.33 [MiniDriver] ... 44
    AllowSecondary ... 44
    CacheCard ... 44
    CertificateCompression ... 44
    CheckFileCMap ... 45
    ClearUserPinCache ... 45
    Disable ... 45
    DisableFileCache ... 45
    DisablePinCache ... 45
    FriendlyName ... 45
    GuidKeyId ... 46
    IgnoreFileCardCF ... 46
    IgnoreFileCMap ... 46
    IgnoreLogout ... 46
    KeyGenerateMode ... 46
    MaxKeySize ... 47
    MinKeySize ... 47
    MoveCertificates ... 47
    NoLoadPkcs11Keys ... 47
    OverwriteCertificates ... 47
    RegisterCertificate ... 47
    PinCacheDisable ... 48
    PinCacheTimeout ... 48
    ReadOnly ... 48
    SetDefaultCertificate ... 48
    SortCertificate ... 48
    UseSuppliedPadding ... 48
    UseExternCardCF ... 49
    Version ... 49
    WriteCardBlock ... 49
  6.34 [NetControl] ... 49
    Applications ... 49
    Ask ... 49
    Enable ... 49
    LogonApplication ... 50
  6.35 [Pkcs11] ... 50
    AlwaysLoginForSSL ... 50
    DetectNewSlots ... 50
    DisableDuplicate ... 50
    DisableNonRep ... 50
    EnableExternalMutex ... 51
    FriendlyName ... 51
    LoginTimeout ... 51
    LogonApplication ... 51
    LogoutAtLastSession ... 51
    InsertEmptySlots ... 52
    OpenSSL ... 52
    PinMaxDigits ... 52
    PinMinDigits ... 52
    PinReportError ... 52
    RandomDisabled ... 53
    ResetTempFiles ... 53
    SeparateThreadSearch ... 53
    SessionToken ... 53
    SinglePin ... 53
    TraceExecuteTime ... 53
    UpdateSlotsForEvent ... 54
    VerifyAlgorithms ... 54
    WaitForSmartCardService ... 54
  6.36 [Plugin] ... 54
    AccessGetProperty ... 54
    AccessSetProperty ... 54
    AccessEnumProperty ... 54
    AccessInvoke ... 55
    Audit ... 55
    Allowed ... 55
    Disable ... 55
    Enable ... 55
    StartService ... 56
  6.37 [Report LOGON] ... 56
  6.38 [Report PIN] ... 56
  6.39 [Report UNLOCK_WORKSTATION] ... 56
  6.40 [SCS] ... 56
    Address ... 56
    Ports ... 57
    Protocols ... 57
    Size ... 57
    Start ... 57
    Stop ... 57
  6.41 [SingleSignOn] ... 57
    CSP ... 57
    Disable ... 57
    PKCS11 ... 58
    Server ... 58
    StartServer ... 58
    UseCache ... 58
    UseService ... 58
    UseStored ... 58
  6.42 [SmartCard] ... 59
    CalculateUsedTime ... 59
    CommandChaining ... 59
    CreateUpdateCounter ... 59
    DefaultProfile ... 59
    MaxProfiles ... 59
    NoDiskCache ... 60
    ObjectSortMode ... 60
    PinExpire ... 60
    PinHistory ... 60
    PinMaxLen ... 60
    PinMinLen ... 61
    PinPolicy ... 61
    PinType ... 61
    Temporary ... 61
    TemporaryValidity ... 61
    UseInternalUpdate ... 61
    ValidateUpdateCounter ... 62
  6.43 [SmartCard Compress] ... 62
    Library ... 62
    UncompressOnly ... 62
  6.44 [SmartCard Keys] ... 62
  6.45 [SmartCardProfiles] ... 62
    Erase ... 62
    Keys ... 63
    Parameter ... 63
    SimpleErase ... 63
    Files ... 63
  6.46 [SmartCardReader] ... 63
    AllowReaderRemoval ... 63
    Accepted ... 64
    CachePath ... 64
    CacheValidity ... 64
    CacheAcceptUnknown ... 64
    CheckInformation ... 64
    CheckPinPad ... 64
    Denied ... 64
    Detect ... 65
    KeepLoggedInLocked ... 65
    KeepPinCache ... 65
    LockDelay ... 65
    LockTimeout ... 65
    MaxTransfer ... 66
    Mode ... 66
    Poll ... 66
    Protocol ... 66
    ReloadOnError ... 66
    SingleConnection ... 66
    Scope ... 67
    SystemCacheValidity ... 67
  6.47 [SmartCardReader CTAPI] ... 67
    Enable ... 67
    List of libraries ... 67
  6.48 [SmartCardReader PCSC] ... 67
    CallTrace ... 67
    Enable ... 67
    Library ... 68
    StateTimeout ... 68
    Unload ... 68
    UseCritical ... 68
  6.49 [SoftToken] ... 68
    Events ... 69
    FileExtension ... 69
    PinExpire ... 69
    PinFailure ... 69
    PinHistory ... 70
    PinMaxLen ... 70
    PinMinLen ... 70
    PinPolicy ... 70
    PinType ... 70
  6.50 [TaskbarEvent] ... 70
    [TaskbarEvent Insert] ... 70
    [TaskbarEvent Remove] ... 70
  6.51 [Trace] ... 71
    Component ... 71
    File ... 71
    Server ... 71
    UseLocalTime ... 71
  6.52 [Trace Call] ... 71
  6.53 [View] ... 72
    FileExtension ... 72
    iidxwatch.exe ... 72
  6.54 [Watch] ... 72
    UseService ... 72
  6.55 [Multiple Watch commands] ... 72
    [Watch Insert] ... 72
    [Watch Remove] ... 73
  6.56 [Multiple Watch running] ... 73
  6.57 [Logon Watch] ... 73
    [Watch Logon Insert] ... 73
    [Watch Logon Remove] ... 73
7 Watch ... 74
  7.1 Arguments ... 74
    Argument “-w” ... 74
    Argument “-match” ... 74
    Argument “-wait” ... 74
    Argument “-message” ... 74
    Argument “-hide” ... 75
    Argument “-sync” ... 75
    Argument “-logon” ... 75
    Argument “-term” ... 75
    Argument “-recognized” ... 75
  7.2 Commands ... 75
    Command ‘application’ ... 75
    Command ‘close’ ... 76
    Command ‘extern’ ... 76
    Command ‘kill’ ... 76
    Command ‘load’ ... 76
    Command ‘open’ ... 76
    Command ‘set’ ... 76
    Command ‘script’ ... 77
8 Trace ... 78
  8.1 Trace Row ... 78
    Processes and Threads ... 78
    Execution Time ... 80
  8.2 Functions ... 80
    PKCS#11 ... 80
    CSP ... 80
    Minidriver ... 81
    Plugin ... 81
  8.3 Help Functionality ... 81
    Trace Parse ... 81
    Trace Split ... 82
9 Command Tool ... 83
  9.1 Start ... 83
  9.2 Commands ... 83
10 Changes between versions ... 84
  10.1 Changes between v6.5.1 and v6.6 ... 84
    Chapter 5 Installation macOS ... 84
    Chapter 6 Settings ... 84
    Chapter 8 Trace ... 86
  10.2 Changes between v6.4 and v6.5.1 ... 86
    Chapter 6 Settings ... 86
  10.3 Changes between v6.1.1 and v6.4 ... 86
    General in all texts ... 86
    Chapter 2 What is Net iD Enterprise? ... 86
    Chapter 3 Installation Microsoft Windows ... 86
    Chapter 5 Installation OS X ... 87
    Chapter 6 Settings ... 87
    Chapter 7 Watch ... 88
    Chapter 9 Command Tool ... 88
  10.4 Changes between v6.1.1 and v6.1.2 ... 89
    Chapter 6 Settings ... 89
  10.5 Changes between v6.1 and v6.1.1 ... 89
    Chapter 6 Settings ... 89
  10.6 Changes between v6.0 and v6.1 ... 89
    Chapter 6 Settings ... 89
11 References ... 90
1 Introduction
1.1 About this document
This document provides detailed technical information for the product Net iD Enterprise version 6.6.
1.2 Who should read this document
The document is written primarily for technicians responsible for, or involved in, configuration, packaging, installation and
support of software in the IT infrastructure. Software architects and developers may also find useful information about the
configuration necessary to obtain a certain behavior of the product.
1.3 Error codes
A link to the latest list of error codes can be found at https://www.secmaker.com/help.
1.4 Feedback
Please forward your comments and problem reports to the following e-mail addresses.
Any problems should be reported by sending an e-mail to:
netid@secmaker.com.
Any other feedback may be reported by sending an e-mail to:
feedback@secmaker.com.
1.5 Contact
SecMaker AB
Phone: +46 (0) 8 - 6012300
E-mail: info@secmaker.com
Ordering of Technical documents:
www.secmaker.com: Partners – Developers – Technical manuals.
2 What is Net iD Enterprise?
Net iD Enterprise is not only a Cryptographic Service Provider (CSP) but also a full PKI client supporting the Minidriver
architecture and PKCS#11 in addition to the Microsoft Cryptographic API. Net iD Enterprise is one of the market's most configurable
PKI clients and a powerful enabler for numerous IT solutions and concepts. The number of configuration parameters adds
complexity to the product, but in most cases the standard packages can be used without any adjustments. Furthermore, the
ability to adjust even small details often saves projects from dead ends where applications with unorthodox PKI interpretations
can be helped, or forced, to work as intended.
For technicians supporting IT solutions involving certificates and smart cards it is important to have a basic understanding of the
interfaces that Net iD Enterprise works with. The following overview pictures should be useful.
2.1 Overview
[Figure: architecture overview. Hardware layer: smart card reader, physical and electrical interfaces, I/O device driver, I/O channel controller. Software layer: SmartCard Reader Driver (OmniKey, Gemalto, ...), SmartCard Resource Manager / pcsc-lite PC/SC; Net iD PKCS#11 serving PKCS#11-aware applications (Firefox, SSH, Lotus Notes, etc.); Net iD CSP and Net iD Plugin via CAPI1/CAPI2 serving CAPI-aware applications (Internet Explorer, Outlook, etc.); Net iD Minidriver under the Microsoft Base Smart Card Crypto Provider (basecsp.dll) and, via CNG, the Microsoft Smart Card Key Storage Provider (scksp.dll); Net iD additional modules (SSO, Mifare, Credential Provider etc.).]
2.2 Overview on Windows platforms
2.3 Overview when using PKCS#11
3 Installation Microsoft Windows
3.1 What will be installed?
Files
The application will be installed in the standard location for applications using the product name as the folder name. The
following files will be added on all Windows operating systems:
%PROGRAMFILES%\Net iD\iid.dll
Contains core functionality
%PROGRAMFILES%\Net iD\iid.exe
Loads core library
%PROGRAMFILES%\Net iD\iidcsp.dll
CryptoAPI CSP library
%PROGRAMFILES%\Net iD\iidp11.dll
PKCS#11 library
%PROGRAMFILES%\Net iD\iidplg.dll
ActiveX and Mozilla Firefox plugin library
%PROGRAMFILES%\Net iD\iidxadm.exe
Loads administration utility
%PROGRAMFILES%\Net iD\iidxcmt.exe
Configuration commit application
Mozilla Firefox browsers will get a copy of the plugin library installed in the appropriate plugin folder (with the name npiidplg.dll).
The following files are optional and may be added, depending on package:
%PROGRAMFILES%\Net iD\iid.cfg
Global configuration if Registry settings not used
%PROGRAMFILES%\Net iD\iidxcp.dll
Credential Provider
%PROGRAMFILES%\Net iD\iidxcse.dll
GPO Client Side Extension
%PROGRAMFILES%\Net iD\iidxmd.dll
Minidriver library, complete with PKCS#11 library
%PROGRAMFILES%\Net iD\iidxmifare.dll
Mifare library
%PROGRAMFILES%\Net iD\iidxsc.dll
Minidriver library, will require PKCS#11 library
%PROGRAMFILES%\Net iD\iidxsso.dll
Single-Sign-On library
%PROGRAMFILES%\Net iD\iidxtrace.dll
Trace service library
%PROGRAMFILES%\Net iD\iidxwatch.exe
Watch application
%PROGRAMFILES%\Net iD\iidxweb.exe
Web application
The installation package may also include several images (bmp and ico files supported) loaded by either password or credential
provider dialog, depending on package:
%PROGRAMFILES%\Net iD\iidx<name>.<image file extension>
Image for password or credential provider dialog. By default only iidxcp.ico will be included.
User specific data is stored in the Windows standard location for application data, using the product short name as the folder name:
%APPDATA%\iid\iid.cfg
Local configuration
%APPDATA%\iid\tokens\<name>.tkn
Soft tokens
Registry
Several new keys and values will be added to the Windows registry: Net iD as an ActiveX component, all supported cards, Net iD
as a CSP, and uninstall specifications.
[HKEY_CLASSES_ROOT\CLSID\{5BF56AD2-E297-416E-BC49-00B327C4426E}]
Registry key for the Net iD plugin class.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Net iD – <CARD NAME>]
Registry keys of supported smartcards for CSP.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Net iD - CSP]
Registry key for Cryptographic Service Provider.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\iid]
Registry key for uninstall parameters for the application.
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Net iD]
Registry key for the context menu in Microsoft Explorer.
One of the following will be added depending on whether it is running as a service or as a background process.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Net iD]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] > Net iD
There are also some optional Registry entries which will be added depending on package:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{01C81C98-0787-42AF-B2EE-9B60A616C125}]
Registry key for GPO Client Side Extension.
[HKEY_CLASSES_ROOT\CLSID\{5BF56AD2-E297-416E-BC49-00B327C44270}]
Registry key for Credential Provider.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Net iD – # <CARD NAME>]
Registry keys of supported smartcards for minidriver.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{5BF56AD2-E297-416E-BC49-00B327C44270}]
Registry key for Credential Provider.
Using Watch will add a startup entry depending on whether it is running as service or as background process.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Net iD Watch]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] > Net iD Watch
The configuration is by default stored in the Registry. The location is configurable and is recorded under the Registry uninstall
key mentioned above. The default configuration location when using the Registry is:
[HKEY_LOCAL_MACHINE\SOFTWARE\SecMaker\NetiD\Enterprise]
3.2 What will be uninstalled?
All files installed during installation and all registry settings will be removed during uninstall, with one single exception: existing soft
tokens will NOT be removed. This is to avoid problems with users removing their soft tokens by mistake.
3.3 Package naming conventions on Windows platforms
Net iD Enterprise packages follow a set of naming conventions for easy identification of a specific package.
All packages start with the prefix “iidsetup_” followed by two or three letters identifying the customer. The name ends with
four digits describing the package contents.
First digit:
The first digit tells if it is a package intended for clients or servers:
1= Package intended for clients.
2= Package intended for servers.
Second digit:
The second digit gives information regarding which components are included in the package. The combinations are as follows:
0 = No extra components included.
1 = The “Single Sign-on” (SSO) component is included (PIN-caching).
2 = The “Logon”-component is included, i.e. a Credential Provider is installed.
3 = Both 1 and 2 described above are included (SSO and Logon).
4 = The Net iD Minidriver for usage with “Microsoft Smart Card Base CSP” is included.
5 = Both 1 and 4 described above are included (SSO and Minidriver).
6 = Both 2 and 4 described above are included (Logon and Minidriver).
7 = All of 1, 2 and 4 described above are included (SSO, Logon and Minidriver).
8 = Unused.
9 = Special packages.
Here are two examples, one “clean” package and one with SSO:
Third digit:
The third digit is used to separate packages with the same components but with different configuration. For example 1901 and
1911. 1901 could be intended for standard in-house desktops and 1911 for laptops with some kind of preparations for a specific
VPN-client.
Fourth digit:
The fourth digit is used as a package counter, for instance if the first build was updated with a new link or a new logotype.
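The naming convention above is simple enough to check mechanically, which is useful when inventorying deployed packages or validating what a build pipeline produced. The following decoder is an added example written for this page, not SecMaker's own tooling. It takes the prefix, the 2-3 letter customer code and the four digits from section 3.3; the optional file extension it tolerates is an assumption, since the document does not state one.

```python
import re

# Section 3.3: the second digit is a set of components, 0..7 being the sum of
# SSO=1, Logon=2 and Minidriver=4; 8 is unused and 9 marks special packages.
COMPONENT_BITS = {1: "SSO", 2: "Logon", 4: "Minidriver"}
TARGET = {"1": "client", "2": "server"}

# Name shape: prefix "iidsetup_", a 2-3 letter customer code and four digits.
# The optional file extension is an assumption; the document does not state one.
PACKAGE_RE = re.compile(
    r"^iidsetup_(?P<customer>[A-Za-z]{2,3})(?P<digits>\d{4})(?:\.[A-Za-z0-9]+)?$"
)


def parse_package_name(name):
    """Decode a Net iD Enterprise package file name into its parts.

    Raises ValueError for a name outside the convention instead of guessing,
    so a mis-named package is flagged rather than silently classified.
    """
    m = PACKAGE_RE.match(name)
    if not m:
        raise ValueError(f"not a Net iD package name: {name!r}")
    digits = m.group("digits")
    target = TARGET.get(digits[0])
    if target is None:
        raise ValueError(f"first digit {digits[0]!r} is neither 1 nor 2: {name!r}")
    component_digit = int(digits[1])
    if component_digit == 8:
        raise ValueError(f"second digit 8 is unused: {name!r}")
    special = component_digit == 9
    components = (
        [] if special
        else [label for bit, label in COMPONENT_BITS.items() if component_digit & bit]
    )
    return {
        "customer": m.group("customer").lower(),
        "target": target,
        "components": components,   # e.g. ["SSO", "Minidriver"] for digit 5
        "special": special,
        "variant": int(digits[2]),  # third digit: configuration variant
        "build": int(digits[3]),    # fourth digit: package counter
    }


def is_valid_package_name(name):
    """True when the name follows the convention described in section 3.3."""
    try:
        parse_package_name(name)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample names (no real customer codes).
    for sample in ("iidsetup_abc1701.exe", "iidsetup_xy2500", "iidsetup_ab1911"):
        print(sample, parse_package_name(sample))
```

Rejecting an out-of-convention name (second digit 8, or a first digit other than 1 or 2) rather than returning a partial result is deliberate: a package that does not decode cleanly is one to look at before it is rolled out.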
4 Installation Linux
4.1 What will be installed?
Files
The application will be installed in the standard location for libraries and binaries. The following files will be added on all Linux
operating systems:
/etc/iid.conf
Global configuration
/etc/iid/admin/
Local web site for administration
/etc/iid/gui/
Components for graphic user interface
/etc/iid/iid.ico
Application icon
/etc/iid/uninstall
Application uninstall script
/usr/bin/iid
Symbolic link to iid.<version>
/usr/bin/iid.<version>
Loads core library
/usr/lib/libiid.so
Symbolic link to libiid.so.<version>
/usr/lib/libiid.so.<version>
Contains core functionality
/usr/lib/libiidgui.so
Symbolic link to libiidgui.so.<version>
/usr/lib/libiidgui.so.<version>
Graphical user interface library
/usr/lib/libiidp11.so
Symbolic link to libiidp11.so.<version>
/usr/lib/libiidp11.so.<version>
PKCS#11 library
/usr/lib/libiidplg.so
Symbolic link to libiidplg.so.<version>
/usr/lib/libiidplg.so.<version>
Mozilla Firefox plugin library
Netscape/Mozilla/Firefox browsers will have a copy of the plugin library installed in the appropriate plugin folder (with the name
npiidplg.so).
The following files are optional and may be added, depending on package:
/usr/bin/iidxwatch
Symbolic link to iidxwatch.<version>
/usr/bin/iidxwatch.<version>
Watch application
The installation package may also include several images (bmp and ico files supported) loaded by either password or credential
provider dialog, depending on package:
/etc/iid/iidx<name>.<image file extension>
Image for password dialog
User specific data is stored in the Linux standard location for application data, using the product short name as the folder name:
/home/<user>/.iid/iid.conf
Local configuration
/home/<user>/.iid/tokens/<name>.tkn
Soft tokens
Single user installation
The file locations above apply to an all-user installation, but the installation may also be single-user. For a single-user installation the
components will be installed in the following directories instead:
/usr/lib => /home/<user>/.iid/lib
/usr/bin => /home/<user>/.iid/bin
/etc/iid => /home/<user>/.iid
Note: For a single-user installation the global and the local configuration file are the same file.
4.2 Running installation
The installation package iidsetup.tar.gz contains everything: all installation files compressed into a single file. Extract all files to
any folder and run the install script using sudo to install for all users:
cp iidsetup.tar.gz /tmp
tar xvf iidsetup.tar.gz
cd iidsetup
sudo ./install
Running without sudo will create a single-user installation; everything is installed below /home/<user>/.iid/. This is not
recommended, since a single-user installation will always override any future upgrades for all users.
4.3 Build custom installation
The installation file ‘install’ is a standard shell script, so any modification is possible.
4.4 What will be uninstalled?
The installation package includes an uninstall script, copied to /etc/iid.
sudo /etc/iid/uninstall
All installed files will be removed during uninstall, with one single exception: any existing soft tokens will NOT be removed, to avoid
problems with users removing their soft tokens by mistake.
5 Installation macOS
5.1 What will be installed?
Files
All files from the Linux installation are installed in the same locations on macOS; the difference is that library names end
with ‘.dylib’ instead of ‘.so’.
Starting from Net iD Enterprise v6.4.1, files are installed in new locations:
/usr/local/bin/ (old location: /usr/bin/)
/usr/local/lib/ (old location: /usr/lib/)
/Library/Security/tokend/ (old location: /System/Library/Security/tokend/)
macOS will also include the following component:
/Applications/Utilities/Net iD.app
Application for starting the Net iD Enterprise Administration GUI.
5.2 Running installation
The installation is delivered as a macOS installation file, iidsetup.app, which will initiate the standard installation wizard. A
popup dialog will appear asking the user to enter an administration password, and the installation script is then run in the exact same
manner as the Linux installation. Only an all-user installation is possible, since the installation will not continue unless the
administration password is entered.
5.3 Web browser
Safari should be used as web browser.
5.4 What will be uninstalled?
The installation package includes an uninstall script, copied to /etc/iid.
sudo /etc/iid/uninstall
All installed files will be removed during uninstall, with one single exception: any existing soft tokens will NOT be removed, to avoid
problems with users removing their soft tokens by mistake.
6 Settings
There are a number of settings which can be set to change the functionality and/or behavior of the product. For Windows
platforms there is an administration utility which can be used to update some of the configuration parameters, but on all
operating systems the parameters may be updated with the plugin object, see section 6.3.1 Operation ‘ApplyConfig’ in the Net
iD Enterprise Developer’s Guide for more information.
The storage format of the configuration file is UTF-8, and the content is the classic Windows settings format with sections and
entries. From v6.0 of Net iD Enterprise, the configuration may be stored in the Registry on Windows platforms; each section below
is then translated to a key with sub-keys. The location will be stored at the uninstall key for the product.
The name of the file is iid.cfg for Windows and iid.conf for Linux/macOS, see installation section for each operating system for
default location of the files. The location may be changed using environment variables ‘iidconfig’ for the global configuration file
and ‘iidconfiglocal’ for the local configuration file.
Both a local and a global configuration are available. The local configuration will always be read before the global
configuration, but for most sections the local configuration will be ignored. The following sections are read from both the local and the
global configuration:
[ATR]
[Language]
[SmartCard]
[SmartCard Profiles]
[SoftToken]
[Trace]
6.1 [AllowedServers]
This entry contains a list of sites and access modes for use with the plugin. Currently there are five modes available:
0 –> Blocked access – only create non-repudiation signatures is allowed
1 –> Full access – including modify configuration
2 –> Use access – all except modify configuration
3 –> Limited access – user will be asked to allow access
4 –> Limited access – user will be asked to allow access and the answer will not be saved
Wild card ‘*’ may be used to set a value for a group of sites.
Example:
http://*=0
https://*.secmaker.com=2
https://netid.secmaker.com=1
https://demo.secmaker.com=1
Note 1: File system access protection, also known as Sandbox, will also interfere with all updates. Never try to update unless
your server is registered as a trusted site in the web browser.
Note 2: The parameter Plugin>Allowed is also used to set the access mode for entire applications.
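Because the access mode decides whether a site may change the product's configuration (mode 1) or is confined to non-repudiation signatures (mode 0), it is worth being able to answer "which mode does this site end up with?" from a given [AllowedServers] list. The resolver below is an added example for this page, not SecMaker's implementation. It parses the section's own example rules and matches a URL against them; two things it assumes, because the document does not state them, are that the match is made against the scheme://host origin only and that, when several wildcard patterns match, the most specific one (most literal characters, then fewest wildcards) wins.

```python
import re
from urllib.parse import urlsplit

# Access modes as listed in section 6.1.
ACCESS_MODES = {
    0: "blocked access: only non-repudiation signatures",
    1: "full access, including modify configuration",
    2: "use access, all except modify configuration",
    3: "limited access: user is asked, answer saved",
    4: "limited access: user is asked, answer not saved",
}

# Constructed sample, copied from the section's own example rules.
SAMPLE_ALLOWED_SERVERS = """
http://*=0
https://*.secmaker.com=2
https://netid.secmaker.com=1
https://demo.secmaker.com=1
"""


def parse_allowed_servers(text):
    """Parse 'pattern=mode' lines into a list of (pattern, mode) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        pattern, sep, mode = line.rpartition("=")
        if not sep or not mode.isdigit():
            raise ValueError(f"malformed AllowedServers rule: {line!r}")
        mode = int(mode)
        if mode not in ACCESS_MODES:
            raise ValueError(f"unknown access mode {mode} in rule {line!r}")
        rules.append((pattern.lower(), mode))
    return rules


def _wildcard_regex(pattern):
    """Translate a pattern in which only '*' is special into an anchored regex."""
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")) + r"\Z")


def access_mode_for(url, rules):
    """Return the access mode that applies to the origin of `url`, or None.

    Assumptions (not stated by the document): matching is done against the
    scheme://host[:port] origin only, and when several patterns match, the
    most specific one wins (most literal characters, then fewest wildcards).
    """
    parts = urlsplit(url)
    origin = f"{parts.scheme}://{parts.netloc}".lower()
    matches = [(p, m) for p, m in rules if _wildcard_regex(p).match(origin)]
    if not matches:
        return None   # no rule: the site is not configured at all
    best = max(matches, key=lambda pm: (len(pm[0].replace("*", "")), -pm[0].count("*")))
    return best[1]


if __name__ == "__main__":
    rules = parse_allowed_servers(SAMPLE_ALLOWED_SERVERS)
    for site in ("https://netid.secmaker.com/admin", "https://other.secmaker.com",
                 "http://netid.secmaker.com", "https://example.org"):
        mode = access_mode_for(site, rules)
        print(site, "->", mode, ACCESS_MODES.get(mode, "no rule"))
```

With the sample rules, https://netid.secmaker.com resolves to 1 even though https://*.secmaker.com=2 also matches, and any plain-http site resolves to 0; a site with no matching rule returns None so the caller can treat "unconfigured" separately from "blocked".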
6.2 [Command]
This section is used to specify start parameters for internal applications instead of normal start parameters given when creating
the application process.
Admin
This value is only used when no start parameters are given for the main loader component.
Example:
Admin=-command
Watch
This value is only used when no start parameter is given for the Watch component.
Example:
Watch=config
App
Default start parameter for App command.
Example:
App=-url file:///%InstallLocation%\gui\index.html -size 0x01400200 -center -resizing -useragent
6.3 [Components]
This section will contain information about the installed components. The information is only used to detect updates from the
original installation, see section 6.3.40 Operation ‘ValidateInstallation’ in the Net iD Enterprise Developer’s Guide for more
information.
6.4 [CredentialProvider]
This section specifies the behavior of the Credential Provider. This provider is used by the Microsoft standard dialogs in three different
scenarios: selecting a credential, selecting a certificate, and entering a PIN. For smart cards with certificates, selecting a
credential is a combination of selecting a certificate and entering a PIN.
This section is used to configure the behavior for selecting a credential; [CredentialProvider Certificate] is used to specify the
behavior for certificate selection and [CredentialProvider Pin] is used to specify the behavior for entering the PIN.
All parameters in the CredentialProvider section can also be set using the application.
Example:
Mode=iid.exe,0x1121;*,0
This example sets Mode=0x1121 for iid.exe application and Mode=0 for all others.
It is a requirement that the credential provider component is included in the installation and that this configuration section is
present.
Version
All entries except those used for presentation may have different values depending on the Windows version. A value with a version
number as postfix applies only to that version of Windows.
<entry>_v61 -> Windows 7
<entry>_v62 -> Windows 8
<entry>_v63 -> Windows 8.1
<entry>_v100 -> Windows 10
Example:
Enable=0
Enable_v61=1
Enable_v100=1
Presentation
Presentation is based on the information from [Dialog Presentation], but if the presentation should differ, the same entries may
be specified in this section.
Image
Title
SubTitle
TextAbove
TextBelow
Enable
This entry specifies whether Credential Provider should be enabled or not.
0 –> Credential Provider not available
1 –> Credential Provider available
Default value is 1; the Credential Provider is available. This still requires that the configuration section is present and the component is
available.
Disable
This entry specifies a list of applications that will not use the Credential Provider. Use ‘;’ to separate the applications.
By default the list is empty; all applications will use Credential Provider.
AutoLogon
This entry specifies the automatic logon behavior in situations where there is only a single credential available and the PIN
has already been entered. The dialog will be shown, but the PIN entry will be filled in automatically and the OK button will
be pressed automatically.
0 –> Will not use automatic logon
1 –> Will use automatic logon
Default value is 0; automatic logon is disabled.
Activate
This entry is used to prompt PIN for Credential Provider.
0 –> Will not prompt
1 –> Will prompt PIN for windows logon
2 –> Will prompt PIN for CredUI
3 –> Will prompt PIN for all scenarios
Default value is 3; prompt PIN for all scenarios.
DisableAutoLogon
This entry specifies a list of applications that should not use the automatic logon feature. Use ‘;’ to separate the applications.
Default is the Windows logon applications “logonui.exe;lsass.exe”.
DisableAutoLogon=lsass.exe;logonui.exe
InitChangePin
This entry is used to force a PIN change for Credential Provider. Used together with PinExpire in SmartCard section.
0 –> Will not force PIN change
1 –> Will force PIN change for windows logon
2 –> Will force PIN change for CredUI
3 –> Will force PIN change for all scenarios
Default value is 3; force PIN change for all scenarios.
Mode
This entry specifies the mode of operation: either pass-through provider or full provider. The pass-through provider intercepts
the Microsoft standard provider and modifies its behavior, whereas the full provider implements all functionality itself and does not
rely on anything else.
To make the full provider work as expected for all available parameters, some additional configuration is also necessary
that is not described here.
0 –> Will use pass-through provider
0x???1 –> Will use full provider
Default value is 0; will use pass-through provider.
Full CredentialProvider Mode.
Detect insert/remove Access mode:
0x01?? –> via PC/SC.
0x02?? –> via polling.
0x03?? –> via PKCS#11.
Read certificate Access mode:
0x00?? –> using CSP.
0x10?? –> using PKCS#11.
The values for “Detect” and “Read” are combined to form the complete access value.
Example:
Detect via PC/SC and read via CSP.
Mode=0x01??
Example:
Detect via PKCS#11 and read via PKCS#11.
Mode=0x13??
Other modes:
0x??1? -> Show certificate even if it does not contain UPN.
0x??2? -> Show all certificates, not only first.
0x??4? -> Show all card readers, not all unused.
0x??8? -> Show only certificates with key usage smart card logon.
Combining Access and Other mode will give the complete Full CredentialProvider mode.
Example:
Detect PCSC, read PKCS11, show all cert.
Mode=0x1121
Detect PKCS11, read PKCS11, show all cert but require smart card logon.
Mode=0x13A1
Soft token mode, currently only supported for test.
0x???4 -> Soft token mode.
Recommended mode for Windows login with soft token (virtual smart card):
Detect PKCS11, read PKCS11, show all certificates and allow soft tokens.
Mode=0x1325
*Also [SmartCardReader]>Detect=0 is recommended for optimal performance.
Note: When using Full Credential Provider, CredentialProvider Pin must be disabled, see section 6.9.1.
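Working out which Mode value is actually in effect means applying three rules from this section in order: the Windows version postfix (Enable_v100 beats Enable on Windows 10), the per-application list (Mode=iid.exe,0x1121;*,0), and finally the nibble layout of the value itself. The following resolver is an added example written for this page, not SecMaker's code; the [CredentialProvider] and [CredentialProvider Pin] sample text is constructed, and the check at the end encodes the note above that the PIN provider must be disabled when the full provider is used (a missing Enable entry in [CredentialProvider Pin] is treated as enabled, which is an assumption).

```python
# Section 6.4 "Version": a version postfix restricts an entry to one Windows version.
VERSION_SUFFIX = {"Windows 7": "_v61", "Windows 8": "_v62",
                  "Windows 8.1": "_v63", "Windows 10": "_v100"}

# Section 6.4 "Mode", nibbles of the full provider value 0xRDOF:
#   R (0x?000) read certificates via CSP (0) or PKCS#11 (1)
#   D (0x0?00) detect insert/remove via PC/SC (1), polling (2) or PKCS#11 (3)
#   O (0x00?0) display options, a bit set
#   F (0x000?) 1 = full provider (0 = pass-through), 4 = soft token mode
READ = {0x0: "CSP", 0x1: "PKCS#11"}
DETECT = {0x1: "PC/SC", 0x2: "polling", 0x3: "PKCS#11"}
OPTIONS = {0x1: "show certificate without UPN", 0x2: "show all certificates",
           0x4: "show all card readers", 0x8: "only smart card logon key usage"}

# Constructed sample configuration, not taken from any real installation.
SAMPLE_CONFIG = """
[CredentialProvider]
Enable=0
Enable_v100=1
Mode=iid.exe,0x1121;*,0
Mode_v100=iid.exe,0x1325;logonui.exe,0x13A1;*,0

[CredentialProvider Pin]
Enable=1
"""


def parse_section(text, name):
    """Return {entry: value} for one [section] of the INI-style configuration."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current == name and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip()] = value.strip()
    return entries


def resolve_entry(entries, entry, windows_version):
    """Version-specific value (e.g. Mode_v100) when present, else the plain entry."""
    suffix = VERSION_SUFFIX.get(windows_version, "")
    if suffix and entry + suffix in entries:
        return entries[entry + suffix]
    return entries.get(entry)


def value_for_application(value, application):
    """Pick one application's value from an 'app,value;*,value' list.

    A value without ',' applies to every application; '*' is the fallback.
    """
    if "," not in value:
        return value
    fallback = None
    for item in value.split(";"):
        app, _, app_value = item.partition(",")
        if app.strip().lower() == application.lower():
            return app_value.strip()
        if app.strip() == "*":
            fallback = app_value.strip()
    return fallback


def decode_mode(value):
    """Split a Mode value such as 0x13A1 into the fields described in section 6.4."""
    mode = int(value, 0)
    nib = [(mode >> shift) & 0xF for shift in (0, 4, 8, 12)]
    full = bool(nib[0] & 0x1)
    decoded = {"raw": mode, "provider": "full" if full else "pass-through",
               "soft_token": bool(nib[0] & 0x4)}
    if full:
        decoded["detect"] = DETECT.get(nib[2], f"unknown (0x{nib[2]:X})")
        decoded["read"] = READ.get(nib[3], f"unknown (0x{nib[3]:X})")
        decoded["options"] = [label for bit, label in OPTIONS.items() if nib[1] & bit]
    return decoded


def effective_mode(text, windows_version, application):
    """Mode in effect for one application on one Windows version (default 0)."""
    entries = parse_section(text, "CredentialProvider")
    value = resolve_entry(entries, "Mode", windows_version)
    app_value = value_for_application(value, application) if value is not None else None
    return decode_mode(app_value if app_value is not None else "0")


def pin_provider_conflict(text, windows_version, application):
    """True when the full provider is in effect but [CredentialProvider Pin] is
    not disabled (the note above requires Enable=0 there in that case).
    Assumption: a missing Enable entry counts as enabled."""
    if effective_mode(text, windows_version, application)["provider"] != "full":
        return False
    pin = parse_section(text, "CredentialProvider Pin")
    return resolve_entry(pin, "Enable", windows_version) != "0"
```

Calling effective_mode(SAMPLE_CONFIG, "Windows 10", "iid.exe") returns the decoded 0x1325 (full provider, detect and read via PKCS#11, show all certificates, soft tokens allowed), while the same call for "explorer.exe" falls back to the "*" entry and reports the pass-through provider; pin_provider_conflict flags the Windows 10 iid.exe case because the sample leaves [CredentialProvider Pin] enabled.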
WrappedGUID
This entry specifies the GUID of the provider that should be wrapped when used in pass-through mode.
The default value wraps the Microsoft standard providers and depends on the provider scenario and the Windows version.
BlockGUID
This entry specifies the GUID which should be blocked. By default a possible provider that is wrapped when using pass-through
is blocked, but this entry may also specify additional providers.
AcceptIssuers
This entry specifies a list of issuers of user certificates that are allowed to be used in Credential Provider, no other certificates
will be shown. The configuration is only valid with the full provider.
Default none; certificates from all issuers are shown.
Example:
[CredentialProvider]
Mode=0x???1
AcceptIssuers=subject|O=User Org;issuer|CN=User CA v1;issuer|CN=User CA v2
DefaultIssuers
This entry specifies a list of issuers used when deciding which user certificate should be considered the default certificate in
Credential Provider. The certificate matching the most prioritized value in the list is set as default. The values in the list are
prioritized from left to right. The configuration is only valid with the full provider.
Default none; no default certificate defined.
Example:
[CredentialProvider]
Mode=0x???1
DefaultIssuers=subject|O=User Org;issuer|CN=User CA v1;issuer|CN=User CA v2
DenyIssuers
This entry specifies a list of issuers of user certificates that are not allowed to be used in Credential Provider, all other
certificates will be shown. The configuration is only valid with the full provider.
Default none; certificates from all issuers are shown.
Example:
[CredentialProvider]
Mode=0x???1
DenyIssuers=subject|O=User Org;issuer|CN=User CA v1;issuer|CN=User CA v2
RememberLastUsed
This entry is used to remember last used credential for LogonUI and CredUI. Max 10 credentials.
0 –> Will not remember last used
1 –> Will remember last used
Default value is 0; Will not remember last used credential.
6.5 [CredentialProvider Certificate]
This section is used for certificate selection with Credential Provider.
Enable
This entry specifies whether Certificate Provider should be enabled or not.
0 –> Certificate Provider not available
1 –> Certificate Provider available
Default value is 1; the Certificate Provider is available. This still requires that the configuration section is present and the component is
available.
Disable
This entry specifies a list of applications that will not use the Certificate Provider. Use ‘;’ to separate the applications.
By default the list is empty; all applications will use Certificate Provider.
Disable=iexplore.exe;app.exe
6.6 [CredentialProvider Change]
This section specifies customization of a possible additional Credential Provider scenario: change PIN/password. Currently
there are many limitations, so it should not be used. This may be enhanced in the future when no longer relying on Microsoft
Credential Provider.
6.7 [CredentialProvider Enroll]
This section specifies the behavior when inserting an empty smart card; should a certificate be enrolled to the smart card or
not? The behavior is relying on an additional component called LRA (local registration authority) and is currently only available
on project basis, since it will require a connection to a certificate authority.
Parameters/RequestURL/ResponseURL
These entries are used to generate the certificate request and the value is depending on the LRA component, see LRA
documentation for more information.
ChallengeResponse
This entry tells whether challenge/response should be used when unlocking the PIN. The smart card to be enrolled may be
locked for security reasons.
0 –> Normal PUK is used to unlock PIN
1 –> Challenge/response used to unlock PIN
Default value is 0; normal PUK is used to unlock PIN.
Timeout
This entry tells the number of seconds a challenge should be valid when using challenge/response mode.
Note: The smart card will be locked during the operation, since the next call after generating the challenge should be the
response. No other application will be able to access the smart card until the timeout is reached or the operation is
finished/aborted.
AlwaysUnlock
This entry tells whether the smart card should always be unlocked during enrollment.
0 –> Will unlock smart card when locked
1 –> Will always unlock smart card
Default value is 0; will unlock smart card when locked.
6.8 [CredentialProvider Password]
This section specifies customization of a possible additional Credential Provider scenario, smart card with username/password
stored as data object on a smart card (in chip or using Mifare).
The implementation is still experimental and should only be used for proof-of-concept.
6.9 [CredentialProvider Pin]
This section is used for the enter-PIN dialog with Credential Provider. It must be disabled when used with the Full Credential Provider.
Enable
This entry specifies whether Pin Provider should be enabled or not.
0 –> Pin Provider not available
1 –> Pin Provider available
AutoLogon
This entry specifies the automatic logon behavior in situations where there is only a single credential available and the PIN
has already been entered. The dialog will be shown, but the PIN entry will be filled in automatically and the OK button will
be pressed automatically.
0 –> Will not use automatic logon
1 –> Will use automatic logon
Default value is 0; automatic logon is disabled.
DisableAutoLogon
This entry specifies a list of applications that should not use the automatic logon feature. Use ‘;’ to separate the applications.
Default is the Windows logon applications “logonui.exe;lsass.exe”.
DisableAutoLogon=lsass.exe;logonui.exe
InitChangePin
This entry is used to force a PIN change for Pin Provider. Used together with PinExpire in SmartCard section.
0 –> Will not force PIN change
1 –> Will force PIN change for windows logon
2 –> Will force PIN change for CredUI
3 –> Will force PIN change for all scenarios
Default value is 3; force PIN change for all scenarios.
6.10 [CredentialProvider Unlock]
This section specifies the behavior when inserting a smart card with locked PIN. The same entries as available for
[CredentialProvider] may be specified. There is also some additional information that may be specified.
ChallengeResponse
This entry tells whether challenge/response should be used when unlocking the PIN.
0 –> Normal PUK used to unlock PIN
1 –> Challenge/response used to unlock PIN
Default value is 0; normal PUK used to unlock PIN.
Timeout
This entry tells the number of seconds a challenge should be valid when using challenge/response mode.
Note: The smart card will be locked during the operation, since the next call after generating the challenge should be the
response. No other application will be able to access the smart card until the timeout is reached or the operation is
finished/aborted.
6.11 [CSP]
This section specifies the behavior for the Microsoft CryptoAPI CSP.
AcceptBothKeySet
This entry will enable/disable usage of both key set types for the internal key container format. Some CryptoAPI applications do not
check for the correct values in the certificate store but instead assume the key type.
0 –> Only correct key set may be retrieved
1 –> Both key sets may be retrieved
Default value is 0; only correct key set may be retrieved.
AcceptIssuers
This entry specifies a list of issuers which will be registered in the user store for CryptoAPI; use ‘;’ to separate different issuers.
Default none; all certificates are registered.
Note: May use [CSP]>DenyIssuers to specify a list that will be denied.
AllowedDuplicateUsage
This entry can be used to limit the extended usage of duplicate certificates. Specify the object identifiers of the extended usages that
should be allowed, separated with ';'. Use the text string <none> to allow nothing. Default empty; no special handling for duplicate
certificates.
Note: A typical use for this entry is to continue to allow use of a certificate for decryption even after the certificate has been
replaced with a new certificate.
CacheCard
This entry can be used to enable/disable writing of certificate/container information to a cache file. The cache is used by
Credential Provider when it is used in pass-through mode. Microsoft has some limitations regarding multiple access, so this is
used to avoid extra access from the Credential Provider towards the CSP when used with Microsoft Provider.
0 -> Certificate information is not written
1 -> Certificate information is written
Default value is 1; certificate information is written.
Note: DO NOT EDIT, default value should be used.
CertificateStoreMode
This entry is used to sort certificates for CSP via PP_USERCERT_STORE.
0x01 -> Newest certificate first
0x02 -> Oldest certificate first
0x04 -> Invert list
Example:
CertificateStoreMode=app.exe,0x01;app2.exe,0x04
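The per-application value above can be checked with a small parser. The following is an added example and not SecMaker's code: it reads a CertificateStoreMode value, looks up the flags for the calling application and orders a constructed list of (label, not-before date) certificates the way the flags describe. The page does not state how 0x04 combines with the sort flags; this example assumes 0x01/0x02 choose the sort order and 0x04 then reverses the result, and that an application without an entry keeps the store's original order.

```python
# Added example (not SecMaker's code): parse a [CSP] CertificateStoreMode
# value and apply the per-application sort flags to a certificate list.
from datetime import date

NEWEST_FIRST = 0x01
OLDEST_FIRST = 0x02
INVERT = 0x04


def parse_store_mode(value):
    """Parse 'app.exe,0x01;app2.exe,0x04' into {'app.exe': 1, 'app2.exe': 4}."""
    modes = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        app, _, flags = item.partition(",")
        modes[app.strip().lower()] = int(flags.strip(), 16)
    return modes


def order_certificates(certs, modes, application):
    """Return certs in the order PP_USERCERT_STORE would present them.

    certs is a list of (label, not_before) tuples (constructed sample data).
    Assumption: 0x01/0x02 choose the sort key, 0x04 reverses the result;
    an application without an entry keeps the store's original order.
    """
    flags = modes.get(application.lower(), 0)
    ordered = list(certs)
    if flags & NEWEST_FIRST:
        ordered.sort(key=lambda c: c[1], reverse=True)
    elif flags & OLDEST_FIRST:
        ordered.sort(key=lambda c: c[1])
    if flags & INVERT:
        ordered.reverse()
    return ordered


# Constructed sample certificates (label, not-before date).
SAMPLE_CERTS = [
    ("auth-2016", date(2016, 3, 1)),
    ("auth-2017", date(2017, 5, 1)),
    ("auth-2015", date(2015, 1, 1)),
]

if __name__ == "__main__":
    modes = parse_store_mode("app.exe,0x01;app2.exe,0x04")
    print([c[0] for c in order_certificates(SAMPLE_CERTS, modes, "app.exe")])
```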
ClearUserPinCache
This entry will enable/disable clearing of the user PIN cache by the internal certificate propagation service.
0 -> Will not clear user PIN cache
1 -> Will clear user PIN cache for logged on user
2 -> Will clear all user PIN cache for all smart cards
4 -> Will clear all user PIN cache for all tokens in same session
Default value is 2; will clear user PIN cache for all users.
Note: In terminal server sessions value 2 should never be used, since it will clear PIN cache for other users.
ConnectPCSC
This entry specifies a list of applications, separated by using ‘;’, that will have their own PCSC connection from CSP.
Example:
ConnectPCSC=lsass.exe;iexplore.exe
Default none; no applications will be handled.
ContainerNameMode
This entry specifies the name format of the container representing certificates and corresponding private key.
0 -> 'thumbprint (slotid)'
1 -> '\\.\cardreader\thumbprint (slotid)'
2 -> 'thumbprint'
3 -> '\\.\cardreader\thumbprint'
Default value is 0; 'thumbprint (slotid)'.
DeleteAtNewKeySet
This entry will enable/disable deletion of old key set when generating a new key.
0 -> Will not delete old key set
1 -> Will delete old key set
Default value is 0; will not delete key set.
Note: Typically used with certificate enrollment for CAs without support for deleting the key set. Normal behavior is that a delete
operation is called before generating a new key set.
DenyIssuers
This entry specifies a list of issuers which will not be registered in the user store for CryptoAPI; use ‘;’ to separate different issuers.
Default is none; all certificates are registered.
Note: May use [CSP]>AcceptIssuers to specify a list that will be accepted.
DisableInsert
This entry will enable/disable showing of the insert card dialog when the requested smart card is not present.
0 -> Will show insert card dialog when needed
1 -> Will not show insert card dialog; the operation will fail
Default value is 0; will show insert card dialog when needed.
DisableNonRep
This entry will try to enable/disable use of non-repudiation certificates for Microsoft CryptoAPI.
0 -> Will not disable certificates
1 -> Will disable certificates
Default value is 1; will try to disable use of non-repudiation certificates.
Note 1: Will set extended key usage to document signing only for certificates with key usage non-repudiation if extended key
usage is not available.
Note 2: Will disable usage for all CryptoAPI applications using CryptoAPI to get the extended key usage property, but not
applications retrieving this information from the certificate value.
DisableRandom
This entry will enable/disable use of Net iD CSP for generating random values.
0 -> Will allow to generate random values
1 -> Will not allow to generate random values
Default value is 1; will allow generating of random values.
Note: Microsoft will generate two signatures during Windows smart card logon when CSP is used to generate random values,
but only one signature when random is disabled. This will increase performance for smart cards with slow RSA operations.
DisableSilent
This entry will enable/disable check of CRYPT_SILENT flag when creating new CryptoAPI contexts with CryptAcquireContext.
Setting the CRYPT_SILENT flag when creating new CryptoAPI context means that the calling application will not allow the CSP
to show any dialogs.
0 -> Will check silent flag
1 -> Will ignore silent flag
Default value is 0; will check silent flag.
Note: Some CryptoAPI applications require silent operation, but forget to transmit PIN when accessing the private key. This
allows CSP to show dialog even when silent operation is specified.
Enable
This entry is used to enable/disable storage of certificates in the CryptoAPI user store.
0 -> Certificate not registered
1 -> Certificate registered
Default value is 1; will register certificate in CryptoAPI user store.
FriendlyName
This entry is used to register a friendly name for the certificate in CryptoAPI user certificate store. The following wild cards may
be used:
%label%
%issuer.<object identifier>%
%subject.<object identifier>%
Label is the certificate label stored with the certificate object, issuer and subject are any of the object identifiers available in the
subject or issuer field from the certificate. Any combination of static text and wild cards above may be used.
Default value is "%subject.2.5.4.3% (%issuer.2.5.4.3%)".
Note: For unknown reasons some CryptoAPI applications require the friendly name of a certificate to be static. This may cause
problems when both the Net iD Enterprise certificate service and Microsoft register the certificate in the CryptoAPI user certificate
store, since Microsoft will not specify any friendly name.
InitChangePin
This entry is used to initiate a change PIN dialog when the PIN is about to expire.
0 -> Will not initiate a change PIN
1 -> Will initiate a change PIN
Default value is 0; no change PIN dialog.
InstallCaCert
This entry can be used to control installation of CA certificates to CryptoAPI store.
0 -> Will not install
1 -> Will install
Default value is 1; will install CA certificates.
LoadExternal
This entry can be used to enable/disable loading of Net iD Enterprise main library directly when the CSP is loaded. This may
increase performance, but may cause unloading to be slightly slower.
0 -> Will not load external
1 -> Will load external
Default value is 0; will not load external.
Note: Do not use in terminal server sessions, since this may cause library to never be unloaded. If not unloaded this will cause
memory leaks.
LoadMyself
This entry is used to control loading and unloading of the CSP, when enabled the CSP library will not be unloaded. This was
recommended by Microsoft for enhanced performance, but is no longer recommended by Microsoft.
0 -> Will not load myself
1 -> Will load myself
Default value is 1; will load myself.
Note 1: NEVER use in terminal server sessions, since it will cause memory leaks.
Note 2: Recommended in normal client packages when not using a single-sign-on component. This loading will start
automatic caching of PIN status to avoid multiple PIN dialogs for CryptoAPI applications.
KeepCertificates
This entry is used to control the behavior of certificate storage when a smart card is removed. Normally certificates will be
removed from CryptoAPI user certificate store when smart cards are removed.
0 -> Will not keep certificates
1 -> Will keep certificates
Default value is 0; will not keep any certificates.
Note 1: Certificate stored in CryptoAPI store will cause a smart card insert dialog if any application tries to use the certificate
when the smart card is removed.
Note 2: Do not keep certificates on a computer which is used by several different users, since all users’ certificates will be
available for selection.
KeepSessionAlive
This entry is used to control the behavior of CryptoAPI contexts. Normally the PKCS#11 sessions will be closed as soon as the
context is released; using this parameter will keep the session alive and wait for a new identical session. This behavior
may increase performance.
0 -> Will not keep session alive
1 -> Will keep session alive
It is also possible to specify a list of application names instead of 1, specified applications will have value 1 (all other 0).
Default value is 0; will not keep session alive.
Example:
KeepSessionAlive=1
KeepSessionAlive=iexplorer.exe;lsass.exe
NamePrefix
This entry is used as prefix for names when registered for smart card logon during installation.
Default value is empty; none.
OverwriteCertificate
This entry is used to control the behavior of registering certificates in CryptoAPI stores. Normally Net iD Enterprise will always
try to register the certificates to the Net iD CSP, even if another CSP has already registered the certificate.
0 -> Will not overwrite certificate
1 -> Will overwrite certificate
Default value is 1; will overwrite certificate.
PublishMachineStore
This entry is used to control the behavior of registering certificates in CryptoAPI stores. Normally Net iD Enterprise will always
try to register the certificate both for the user and the machine. This allows applications running in the system environment to use
the certificate.
0 -> Will not publish in machine store
1 -> Will publish in machine store
Default value is 1; will try to publish in machine store.
ReplaceCertificate
This entry is used to control the behavior when writing certificates with the CSP. Normally we only write the certificate, but this
parameter may be used to initiate a search for identical certificates and remove those if found. Identical means same
issuer/subject/key.
0 -> Will not replace certificate
1 -> Will replace certificate
Default value is 0; will not replace certificate.
Note: Replace certificate is useful for auto-enrollment to delete old certificate when new certificate is written.
StoreContainerName
This entry is used when the container name has a special meaning for the calling application and needs to be used for future
calls, e.g. Entrust. This will limit the use of secondary certificates and should be avoided.
0 -> Container name is automatically generated
1 -> Container name is stored and will be remembered
Default value is 0; container name is automatically generated.
UseCritical
This entry is used to add a critical section for all CryptoAPI contexts. This should normally not be needed, since the same
context should not be used by multiple threads simultaneously. It is also possible to add a global critical section, which will
only allow a single thread at a time to access the CSP.
0 -> Critical section not present
1 -> Critical section present
2 -> Global critical section present
Default value is 1; will add a critical section.
VerifyCertificate
This entry will enable/disable validation of certificates before registration in CryptoAPI store. The validation is only made on the
certificate value and signature if the CA certificate is available, no check is made regarding certificate revocation.
0 -> Will not verify certificate
1 -> Will verify certificate
Default value is 0; will not verify certificate.
6.12 [DefaultCertificate]
Some CryptoAPI applications still require the use of a default certificate and have no functionality to let the user select which
certificate to use.
This section allows registering of a specific certificate to a specific application. Format:
<application>=<number>|<issuer>|<subject>|<usage>
‘Application’ is the name of the application. The application name ‘Default’ may be used to specify the default behavior.
‘Number’ is the certificate serial number.
‘Issuer’ is the certificate issuer field.
‘Subject’ is the certificate subject field.
‘Usage’ is the certificate key usage.
Only specify those values that should be matched; use the ‘*’ character to match all. For example, the following will require a
specific issuer common name and key usage when used with the application:
app.exe=*|2.5.4.3=SecMaker CA v2|*|A0
Note: This section will be ignored if any certificate on the token is marked as default.
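The matching rule above can be reproduced in a few lines. The following is an added example, not SecMaker's code: it parses [DefaultCertificate] lines, looks up the rule for the calling application with ‘Default’ as fallback, and returns the first certificate from a constructed list that satisfies every non-‘*’ field. The page does not define how the fields compare, so the example assumes that ‘<number>’ is compared as a string, that an ‘<issuer>’/‘<subject>’ pattern of the form ‘oid=value’ requires that attribute to equal the value, and that ‘<usage>’ is a hexadecimal KeyUsage bit mask (RFC 5280 bit order) whose bits must all be present; ‘A0’ therefore means digitalSignature plus keyEncipherment.

```python
# Added example (not SecMaker's code): match certificates against
# [DefaultCertificate] entries of the form
#   <application>=<number>|<issuer>|<subject>|<usage>

# RFC 5280 KeyUsage bits as they appear in the first byte of the bit string.
KEY_USAGE_BITS = {
    "digitalSignature": 0x80, "nonRepudiation": 0x40, "keyEncipherment": 0x20,
    "dataEncipherment": 0x10, "keyAgreement": 0x08, "keyCertSign": 0x04,
    "cRLSign": 0x02, "encipherOnly": 0x01,
}


def parse_default_certificate(section_lines):
    """Parse the lines of a [DefaultCertificate] section into a dict
    application -> (number, issuer, subject, usage); '*' means any."""
    rules = {}
    for line in section_lines:
        line = line.strip()
        if not line or line.startswith((";", "#")):
            continue
        app, _, value = line.partition("=")
        fields = value.split("|")
        if len(fields) != 4:
            raise ValueError("expected 4 '|'-separated fields: %r" % line)
        rules[app.strip().lower()] = tuple(f.strip() for f in fields)
    return rules


def _name_matches(pattern, name):
    """'*' matches anything; 'oid=value' requires that attribute to equal
    value (assumed semantics of the '2.5.4.3=SecMaker CA v2' form)."""
    if pattern == "*":
        return True
    oid, _, wanted = pattern.partition("=")
    return name.get(oid.strip()) == wanted.strip()


def _usage_matches(pattern, usage_bits):
    """Assumption: the hexadecimal usage field is a required bit mask."""
    if pattern == "*":
        return True
    required = int(pattern, 16)
    return (usage_bits & required) == required


def select_default_certificate(rules, application, certificates):
    """Return the first certificate matching the application's rule, falling
    back to the 'Default' rule; None when no rule or no certificate fits.

    certificates: list of dicts with keys serial, issuer, subject, key_usage
    (constructed sample data; issuer/subject are dicts keyed by OID)."""
    rule = rules.get(application.lower()) or rules.get("default")
    if rule is None:
        return None
    number, issuer, subject, usage = rule
    for cert in certificates:
        if (number in ("*", cert["serial"])
                and _name_matches(issuer, cert["issuer"])
                and _name_matches(subject, cert["subject"])
                and _usage_matches(usage, cert["key_usage"])):
            return cert
    return None


# Constructed sample section and certificates.
SAMPLE_SECTION = ["app.exe=*|2.5.4.3=SecMaker CA v2|*|A0"]
SAMPLE_CERTS = [
    {"serial": "1001", "issuer": {"2.5.4.3": "SecMaker CA v2"},
     "subject": {"2.5.4.3": "Alice"},
     "key_usage": KEY_USAGE_BITS["nonRepudiation"]},
    {"serial": "1002", "issuer": {"2.5.4.3": "SecMaker CA v2"},
     "subject": {"2.5.4.3": "Alice"},
     "key_usage": KEY_USAGE_BITS["digitalSignature"] | KEY_USAGE_BITS["keyEncipherment"]},
]

if __name__ == "__main__":
    rules = parse_default_certificate(SAMPLE_SECTION)
    chosen = select_default_certificate(rules, "app.exe", SAMPLE_CERTS)
    print(chosen["serial"] if chosen else "no match")
```

With the sample data the non-repudiation certificate is skipped and serial 1002 is chosen, which is the point of the ‘A0’ mask: an application that has no certificate selection of its own is steered away from the signing certificate.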
6.13 [Dialog]
This section controls the behavior when loading dialogs.
Advanced
This entry will enable/disable advanced dialogs for the old user interface. The advanced dialogs will include a bitmap
representing the certificate used; see 6.14 [Dialog Image] configuration section for more information.
0 -> No advanced dialog
1 -> Use advanced dialog
Default value is 1; will always try to use advanced dialogs.
Note: By default not used with the current GUI. Advanced dialogs require a certificate to select the correct dialog and to get name and
validity information. The standard dialog will be shown if no certificate is available.
NoUserInterface
For a specified list of applications this entry will prevent the user interface from being shown in the same process as the application
itself. An attempt to show the user interface will instead create a separate process that shows the user interface, for example
a PIN dialog.
Default value is “lsass.exe;iexplore.exe;firefox.exe;chrome.exe;”
Redirect
This entry will enable/disable redirection of open dialog requests to another process; the value is a full path to any application.
PathApplication
This entry specifies the full path to an application that should be used to show the web-based user interface. The parameter is
required when a dialog is started from within an Internet Explorer session, since Internet Explorer will interfere with the user
interface. The recommended value is the internal loader.
Example:
PathApplication=%InstallLocation%\iid.exe
PathApplicationDisable
This entry specifies a list of applications that should not use another application to show the user interface. Use ‘;’ to separate
the applications.
Default is none; all applications will use another application when enabled.
PathResource
This entry specifies the full path to the location containing the web-based user interface. The recommended value is within the
installation directory.
Example:
PathResource=file:///%InstallLocation%\gui\
Theme
This entry specifies the theme that should be used by the web-based user interface. This will be translated to a parameter when
opening the dialog and the real meaning will be decided by the implementation of the web-based user interface.
Theme_v<nn>
This entry is the same as Theme, but specifies the theme that should be used for a specific Microsoft Windows version.
Theme_v61 -> Windows 7
Theme_v62 -> Windows 8
Theme_v63 -> Windows 8.1
Theme_v100 -> Windows 10
Default value is Theme_v62; Windows 8.
Timeout
This entry specifies the number of minutes the web-based dialog should be shown until it is automatically closed when using
another application to show the user interface.
Default value is 10; 10 minutes.
Info<name>
The web-based user interface will require configuration for each dialog that will be shown. The following list is currently
available:
InfoAbout -> About dialog
InfoAdmin -> Administration dialog
InfoChangePIN -> Change PIN dialog
InfoExitWindows -> Exit Windows dialog
InfoFileXXXX -> ExplorerMenu dialog
InfoInsertToken -> Insert smart card dialog
InfoNotify -> Notify dialog
InfoPIN -> Enter PIN dialog
InfoSelect -> Select certificate dialog
InfoSetup -> Setup dialog
InfoUnlockPIN -> Unlock PIN dialog
InfoViewToken -> View token dialog
It is also possible to add custom utility dialogs started via main loader:
Info<custom> -> Custom Utility started via iid.exe –admin <custom>
All entries have the following format: “<file>;<size>;<dynamic>;<extra>”
The <file> value is either a full URL to any location or relative to the PathResource parameter:
Index.html
file:///%InstallLocation%/index.html
The <size> value is a hexadecimal value where the first four digits specify the dialog width (pixels) and the last four digits specify
the dialog height (pixels).
The <dynamic> value is used when calculating the dialog height based on dynamic content, e.g. select certificate may contain
one or more certificates. The value is a hexadecimal value where the first four digits give the number of objects that were used for
the <size> parameter and the last four digits give the number of pixels that should be added/removed for each object.
The <extra> value specifies other useful parameters, the current available list of parameters:
-application -> Considered application and will not start new dialog (PathApplication ignored)
-center -> Will calculate position to center of screen (override –position)
-debug -> Will show any error and/or warning dialogs, i.e. javascript errors
-noframe -> Will hide standard dialog frame (only Windows)
-position <value> -> Position of dialog
-resizing -> Will add resizing frame to dialog
-secure -> Will start dialog using Secure Desktop (only Windows)
-theme -> Will start selected dialog
-transparent <value> -> Value is an RGB color value that should be translated to transparent (only Windows)
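The Info<name> format above is compact enough to be easy to get wrong by hand, so a checker helps. The following is an added example and not SecMaker's code: it splits an entry into its four fields, resolves a relative <file> against a PathResource base (the base path used here is a constructed placeholder), unpacks <size> and <dynamic> into width, height, object count and per-object delta, collects the <extra> switches (only -position and -transparent take a value, as listed above), and computes the dialog height for a given number of dynamic objects. The page does not say how a negative per-object delta is encoded; the example assumes the lower four digits are a signed 16-bit value.

```python
# Added example (not SecMaker's code): parse a [Dialog] Info<name> entry
#   "<file>;<size>;<dynamic>;<extra>"
# and compute the dialog size for a given number of dynamic objects.
import shlex
from urllib.parse import urljoin

# Switches from the <extra> list that are followed by a value.
VALUE_SWITCHES = ("-position", "-transparent")


def _split_hex_pair(value):
    """Split an 8-hex-digit value into (upper four digits, lower four digits)."""
    v = int(value.strip(), 16)
    return (v >> 16) & 0xFFFF, v & 0xFFFF


def parse_info_entry(value, path_resource="file:///C:/netid/gui/"):
    """Parse one Info<name> value. path_resource is the [Dialog] PathResource
    base used for relative <file> values (constructed placeholder path)."""
    fields = [f.strip() for f in value.split(";")]
    while len(fields) < 4:
        fields.append("")
    file_, size, dynamic, extra = fields[:4]
    width, height = _split_hex_pair(size)
    base_count, per_object = _split_hex_pair(dynamic) if dynamic else (0, 0)
    if per_object >= 0x8000:          # assumption: per-object delta is signed 16-bit
        per_object -= 0x10000
    flags = {}
    tokens = shlex.split(extra) if extra else []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in VALUE_SWITCHES and i + 1 < len(tokens):
            flags[tok] = tokens[i + 1]
            i += 2
        else:
            flags[tok] = True
            i += 1
    return {
        "file": urljoin(path_resource, file_),   # absolute URLs pass through unchanged
        "width": width,
        "height": height,
        "base_count": base_count,
        "per_object": per_object,
        "flags": flags,
    }


def dialog_height(entry, object_count):
    """Height in pixels when the dialog shows object_count dynamic objects:
    the configured height applies to base_count objects, each extra object
    adds per_object pixels (and each missing one removes them)."""
    return entry["height"] + (object_count - entry["base_count"]) * entry["per_object"]


if __name__ == "__main__":
    # Constructed sample: 500x400 select dialog sized for one certificate,
    # growing 32 pixels per additional certificate.
    e = parse_info_entry("select.html;0x01F40190;0x00010020;-center -noframe -position 0x00100010")
    print(e["file"], e["width"], dialog_height(e, 3), e["flags"])
```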
Customize
There are endless possibilities to customize the dialogs, since the web-based interface and the plugin object are available. The
actual parameters for each type of dialog are not documented and may be updated in each future version. The best approach
is to check the web pages of the delivered user interface and modify them. The parameters will probably not change until the next
major release, but there is no guarantee; even a minor update may change/add/remove parameters.
6.14 [Dialog Image]
This section specifies images (bmp and ico files supported) which will be displayed to represent a certificate when the advanced
dialog is used.
Entry format:
<issuer commonname>|<issuer serialnumber>
Either issuer common name or serial number is used to identify which entry to use. Example:
SecMaker CA v2=…
Value format:
<file>[,<position name>[#<color name>]:<position time>[#<color time>]]
The value specifies full path to the image file that should be loaded and positioning/color of name and time information from the
certificate.
Example:
SecMaker CA v2=c:\images\card.bmp,0x00100044:0x00110058
Name information is subject common name from the certificate. Time information is the date part of the valid to field from the
certificate.
Position is always calculated from the upper left corner of the bitmap; the first four hexadecimal digits are the X coordinate (left to right) and
the last four hexadecimal digits are the Y coordinate (top to bottom).
Color is specified with RGB values, two hexadecimal digits for each part: #RRGGBB.
Example:
SecMaker CA v2=c:\images\card.bmp,0x00100044#0xFF00AA
Note: [Dialog] > Advanced must be enabled.
6.15 [Dialog Presentation]
This section is used to customize presentation for internal dialogs using the new web-based user-interface and Credential
Provider dialogs.
The intention is to be able to show different information depending on the certificate, to enhance the user experience when
selecting the certificate or entering the PIN. The information displayed is always one image and several text fields.
The following wild cards may be used below.
%cardlabel%
%cardnumber%
%expire%
%issuer.<object identifier>%
%keyusage%
%pinattempts%
%scenario%
%space%
%subject.<object identifier>%
%upn%
Card label and number are retrieved from the smart card. Key usage and expiry are retrieved from the certificate. For issuer
and subject values, the object identifiers specify which attributes are retrieved from the issuer and subject fields of
the certificate respectively. The UPN value is the user principal name from the certificate. The PIN attempts value is available with a warning
message when 0, 1 or 2 attempts remain. The space value is a single white space. The scenario is only available for
Credential Provider and specifies the active scenario: CREDUI/LOGON/UNLOCK_WORKSTATION.
Language
To handle different strings for different language entries: Title, SubTitle, TextAbove and TextBelow may be prefixed with a short
name of the language.
Example:
Title=eID Card %cardlabel%
en_Title=eID Card %cardlabel%
se_Title=eID Kort %cardlabel%
Multiple Choices
To handle different strings for different types of certificates: Image, Title, SubTitle, TextAbove and TextBelow may be specified
with multiple choices; the first combination that generates a non-empty string will be used. Separate with ‘;’; the choices are checked from left
to right.
Example:
Title=%subject.2.5.4.3%;%cardlabel%
Note: Since character ‘;’ is used as separator, it may not be used as a part of the value.
Image
This entry specifies a list of images which may be used to display a certificate; bmp and ico files are supported. Use the wild
cards above; wild cards will always be replaced, and a wild card that is not found will generate an empty value. The search will try to find an entry in
the same section with the generated string after wild card replacement.
Example:
Image=BMP(%issuer.2.5.4.3%);
BMP(SecMaker CA v2)=iidxca2.ico
BMP(SecMaker CA v3)=iidxca3.ico
or
Image=BMP(CA);
BMP(CA)=iidxca_%issuer.2.5.4.3%.ico
It is also possible to specify a nomatch and default image that will be shown for unknown certificates, without this entry Microsoft
standard bitmap will be used.
Example:
BMP(Default)=iidxdef.bmp
BMP(NoMatch)=iidxnomatch.bmp
Unknown certificate means that the certificate is external, or that no smart card is present.
Example:
Image=BMP(%issuer.2.5.4.3%);BMP(NoMatch)
BMP(SecMaker CA v2)=iidxca2.ico
BMP(SecMaker CA v3)=iidxca3.ico
BMP(Default)=iidxdef.ico
BMP(NoMatch)=iidxnomatch.ico
Title
This entry specifies the title for the selection entry. Use any combination of static text and wild cards above.
Default value is certificate common name. This value is always visible.
Example:
Title=%subject.2.5.4.3%
SubTitle
This entry specifies the subtitle for the selection entry. Use any combination of static text and wild cards above.
Default value is the static text “Smart card logon”, translated to the local language. This value is always visible.
Example:
SubTitle=%issuer.2.5.4.3%
TextAbove
This entry specifies an extra text field for the selection entry, located above the PIN entry edit field. Use any combination of
static text and wild cards above.
Default value is the user principal name from the certificate. This value is visible when the selection entry is selected.
Example:
TextAbove=%cardlabel%
TextBelow
This entry specifies an extra text field for selection entry, located below the PIN entry edit field. Use any combination of static
text and wild cards above.
Default value is none. This value is visible when selection entry is selected.
Example:
TextBelow=%pinattempts%
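The rules spread over the Language, Multiple Choices, Image, Title, SubTitle, TextAbove and TextBelow entries above all reduce to one rendering routine. The following is an added example, not SecMaker's code: `expand` replaces the wild cards listed at the start of this section from a constructed certificate/card context (a missing value expands to an empty string, as the Image entry describes), `lookup` prefers a language-prefixed entry such as `se_Title`, `first_non_empty` applies the ‘;’-separated multiple-choice rule from left to right, and `resolve_image` follows the BMP(...) indirection back into the same section, expanding wild cards in the referenced value as well so both Image forms shown above work. The same `%subject.<oid>%`/`%issuer.<oid>%` wild cards are used by the [CSP] FriendlyName entry, so `expand` also renders its default template.

```python
# Added example (not SecMaker's code): render [Dialog Presentation] entries:
# wild-card expansion, language-prefixed lookup, ';'-separated multiple
# choices (first non-empty wins) and the BMP(...) image indirection.
import re

# %cardlabel%, %upn%, %space% ... or %subject.<oid>% / %issuer.<oid>%
WILDCARD = re.compile(r"%([a-z]+)(?:\.([0-9.]+))?%")


def expand(template, ctx):
    """Replace wild cards using ctx: scalar keys plus 'subject'/'issuer'
    dicts keyed by OID. A wild card with no value expands to ''."""
    def repl(m):
        name, oid = m.group(1), m.group(2)
        if name == "space":
            return " "
        if name in ("subject", "issuer"):
            return str(ctx.get(name, {}).get(oid, ""))
        return str(ctx.get(name, ""))
    return WILDCARD.sub(repl, template)


def lookup(section, key, language=None):
    """Return section['<lang>_<key>'] when present, else section[key]."""
    if language and "%s_%s" % (language, key) in section:
        return section["%s_%s" % (language, key)]
    return section.get(key, "")


def first_non_empty(value, ctx):
    """Multiple-choice rule: choices are ';'-separated, checked left to right."""
    for choice in value.split(";"):
        rendered = expand(choice, ctx).strip()
        if rendered:
            return rendered
    return ""


def render(section, key, ctx, language=None):
    """Render Title/SubTitle/TextAbove/TextBelow for a certificate."""
    return first_non_empty(lookup(section, key, language), ctx)


def resolve_image(section, ctx):
    """Image=BMP(...);... names entries in the same section; the first choice
    whose expanded name exists gives the image file (wild cards in that
    value are expanded too). None means the platform default bitmap."""
    for choice in section.get("Image", "").split(";"):
        name = expand(choice, ctx).strip()
        if name and name in section:
            return expand(section[name], ctx)
    return None


# Constructed sample section (keys as they would appear in the INI file).
SAMPLE_SECTION = {
    "Image": "BMP(%issuer.2.5.4.3%);BMP(NoMatch)",
    "BMP(SecMaker CA v2)": "iidxca2.ico",
    "BMP(NoMatch)": "iidxnomatch.ico",
    "Title": "%subject.2.5.4.3%;%cardlabel%",
    "se_Title": "eID Kort %cardlabel%",
    "SubTitle": "%issuer.2.5.4.3%",
    "TextBelow": "%pinattempts%",
}

# Constructed certificate/card context.
SAMPLE_CTX = {
    "cardlabel": "Company Card",
    "upn": "alice@example.com",
    "subject": {"2.5.4.3": "Alice Example"},
    "issuer": {"2.5.4.3": "SecMaker CA v2"},
}

if __name__ == "__main__":
    print(render(SAMPLE_SECTION, "Title", SAMPLE_CTX, "se"))
    print(resolve_image(SAMPLE_SECTION, SAMPLE_CTX))
```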
6.16 [Dialog Presentation Certificate]
This section is used when different information should be presented for certificate selection and enter PIN dialog. The same
entries as for [Dialog Presentation] may be specified and the values in this section will be used for certificate selection when
specified. If not specified the entries in [Dialog Presentation] will be used.
6.17 [Dialog Presentation Pin]
This section is used when different information should be presented for certificate selection and enter PIN dialog. Same entries
as for [Dialog Presentation] may be specified and the values in this section will be used for PIN dialog when specified. If not
specified the entries in [Dialog Presentation] will be used.
6.18 [Directory]
This section contains a list of directories which may be used during the search for certificates. This information may be used to store
certificates in an LDAP directory instead of on the smart card. Currently this parameter is only used on Windows platforms.
Format:
<number>=<name>|<ldap>|<base>|<filter>
Value <name> is the entry description.
Value <ldap> is the complete address to the LDAP directory.
Value <base> is the LDAP search base, where the certificate search should start.
Value <filter> is the LDAP search filter used to limit the number of certificates found. Use any of the following filter criteria to find
matching certificates:
<cardserialnumber>
<subjectkeyidentifier>
<publickeydigest>
The certificate service will try to find additional certificates when a smart card is inserted based on the information above. Example:
1=SecMaker|ldap://ca.secmaker.com|CN=SecMaker CA,O=SecMaker,C=SE|card=<cardserialnumber>
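Because the filter criteria are substituted with values read from the inserted card, the result is an LDAP filter built from card-supplied data. The following is an added example and not SecMaker's code: it parses [Directory] entries, substitutes the three criteria listed above from a constructed card record, and escapes the substituted values as RFC 4515 requires so that characters such as ‘*’, ‘(’ and ‘)’ in a serial number cannot alter the filter. The escaping and the wrapping of a bare `attr=value` filter in parentheses are this example's own choices; the page does not say how the product handles either.

```python
# Added example (not SecMaker's code): parse a [Directory] entry
#   <number>=<name>|<ldap>|<base>|<filter>
# and build the LDAP search filter for an inserted card.

# Criteria the section allows inside <filter>.
CRITERIA = ("cardserialnumber", "subjectkeyidentifier", "publickeydigest")


def ldap_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def parse_directory_section(lines):
    """Parse '<number>=<name>|<ldap>|<base>|<filter>' lines into a dict
    keyed by the entry number."""
    entries = {}
    for line in lines:
        line = line.strip()
        if not line or "=" not in line:
            continue
        number, _, value = line.partition("=")
        fields = value.split("|")
        if len(fields) != 4:
            raise ValueError("expected 4 '|'-separated fields: %r" % line)
        name, ldap, base, filt = (f.strip() for f in fields)
        entries[int(number)] = {"name": name, "ldap": ldap, "base": base, "filter": filt}
    return entries


def build_filter(entry, card):
    """Substitute <criteria> placeholders with escaped values from the card
    (a constructed dict) and return a parenthesised filter."""
    filt = entry["filter"]
    for crit in CRITERIA:
        token = "<%s>" % crit
        if token in filt:
            if crit not in card:
                raise KeyError("card record lacks %s needed by filter" % crit)
            filt = filt.replace(token, ldap_escape(card[crit]))
    if not filt.startswith("("):          # assumption: bare 'attr=value' filters are wrapped
        filt = "(" + filt + ")"
    return filt


def search_request(entry, card):
    """Everything a search would need: server, base and the final filter."""
    return {"ldap": entry["ldap"], "base": entry["base"], "filter": build_filter(entry, card)}


# Constructed sample section (the page's own example line).
SAMPLE_LINES = ["1=SecMaker|ldap://ca.secmaker.com|CN=SecMaker CA,O=SecMaker,C=SE|card=<cardserialnumber>"]

if __name__ == "__main__":
    entries = parse_directory_section(SAMPLE_LINES)
    print(search_request(entries[1], {"cardserialnumber": "9876543210"}))
```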
6.19 [DynamicStrings]
This section is used for dynamic loading of strings. All strings are usually stored in string tables, but may instead be read from
this section when enabled. This allows for custom strings, for example an informative warning message including custom
specific information and/or link.
Enable
This entry will enable/disable the use of dynamic strings.
0 -> No dynamic strings
1 -> Use dynamic strings
Format
Any string may be replaced and they are identified by the short language name and the resource string id.
Example, about dialog title:
EN_1000=About
SE_1000=Om
Remove the short language name to use the same string for all languages.
Example:
1000=About
You may retrieve the available resource string ids by calling “iid.exe -strings [path]”.
6.20 [Encryption]
This section controls the behavior when creating encrypted messages.
Format
This entry specifies the default encryption format of the created encrypted message. Useful when encryption format is not
specified, for example when used with Windows Explorer.
0 -> PKCS#7
1 -> S/MIME
Default value is 0; encrypted message is according to the PKCS#7.
6.21 [Encryption FileExtensions]
This section controls the default file extensions.
Encrypt
This entry specifies the default file extension when encrypting files.
Encrypt=p7m
Default value is ‘p7m’.
Sign
This entry specifies the default file extension when signing files.
Sign=p7s
Default value is ‘p7s’.
6.22 [Event <name>]
This section contains a list of commands that should be executed when the <name> event occurs. Events are only supported on
Windows platforms. The <name> event will be executed only if the current Windows user is using a smart card and the smart
card PIN is verified. The matching between the logged on Windows user and the used certificate requires a user principal name in
the certificate.
The commands may be specified with wild cards to set the custom information:
%number% - Card serial number
%upn% - User principal name from the certificate
%user% - User name part of %upn%
%domain% - Domain part of %upn%
Each command is either a load external command or an application that should be started.
Example:
[Event TEST]
1=load %InstallLocation%\iid.dll,EntryAdmin –about
2=%programfiles%\view\load.exe –url index.html?number=%number%&upn=%upn%
6.23 [General]
CheckCaExpire
CheckCardExpire
CheckEnroll
CheckSoftExpire
EnableWinlogon
EventList
ExplorerExtension
ExplorerMenu
ExtraService
StartMenu
TaskbarAccessMode
TaskbarIcon
TaskbarMenuMode
TaskbarMoveColor
UseService
The entries are only available for Windows platforms.
CheckCaExpire
Use this parameter to get a warning message when a CA has expired. Specify the common name from the issuer field; use ‘;’ to set
multiple issuers. Default is none; no warning message.
Example:
CheckCaExpire=SecMaker CA v2;SecMaker CA v3
CheckCardExpire
Use this parameter to get a warning message when a smart card is about to expire or has expired. Specify the number of days
before the expiry that the message should be shown. It is also possible to specify a specific issuer name to only check
certificates from a certain issuer and ignore all other certificates, separate with ‘,’. May also specify a list of number of days and
issuer names, separate with ‘;’.
The card is about to expire when there is no certificate available with a validity that is longer than the specified number of days
added to the current date.
Default value is 0; no warning message.
Example:
CheckCardExpire=30,CN=SecMaker CA v2;
CheckCardExpire=30,CN=SecMaker CA v2;20,CN=Inteom CA v3;
The warning message may be replaced with a custom action dialog, see 6.30 [Links Action] for more information.
Note 1: The certificate validity time must exceed twice the number specified to get a warning. This has been implemented to be
able to handle the situation when the same CA is used to issue ‘normal’ certificates and temporary certificates with short validity
time. Temporary certificates will not get a warning message.
Note 2: Use this parameter in combination with [DynamicStrings] to set a custom message with a direct URL link to a certificate
update page.
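The expiry rule and Note 1 above interact in a way that is easiest to see in code. The following is an added example, not SecMaker's code: it parses a CheckCardExpire value into (days, issuer) rules and evaluates them against a constructed list of (issuer, not-before, not-after) certificates. The example reads the two rules as follows, which is an interpretation: certificates whose total validity does not exceed twice the configured number of days are ignored as temporary (Note 1), and among the remaining certificates from the rule's issuer the card is about to expire when none is valid beyond today plus the configured days; a rule whose issuer has no long-lived certificate on the card produces no warning.

```python
# Added example (not SecMaker's code): evaluate a [General] CheckCardExpire
# value against the certificates found on an inserted smart card.
from datetime import date, timedelta


def parse_check_card_expire(value):
    """'30,CN=SecMaker CA v2;20,CN=Inteom CA v3;' ->
    [(30, 'CN=SecMaker CA v2'), (20, 'CN=Inteom CA v3')].
    A bare number has no issuer restriction (None); 0 disables the check."""
    rules = []
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        days, _, issuer = item.partition(",")
        days = int(days)
        if days > 0:
            rules.append((days, issuer.strip() or None))
    return rules


def card_about_to_expire(rules, certs, today):
    """certs: list of (issuer, not_before, not_after) tuples (constructed).

    Returns the first (days, issuer) rule that warrants a warning, else None.
    Interpretation of the section text and Note 1 (an assumption):
      - only certificates whose validity exceeds 2 * days count, so
        short-lived temporary certificates never trigger a warning;
      - the card is about to expire when none of the counted certificates
        is valid beyond today + days."""
    for days, issuer in rules:
        candidates = [c for c in certs if issuer is None or c[0] == issuer]
        long_lived = [c for c in candidates
                      if (c[2] - c[1]) > timedelta(days=2 * days)]
        if not long_lived:
            continue   # nothing from this issuer, or only temporary certificates
        threshold = today + timedelta(days=days)
        if not any(c[2] > threshold for c in long_lived):
            return (days, issuer)
    return None


# Constructed sample: a two-year card certificate close to expiry and a
# 30-day temporary certificate from the same CA, evaluated on the document date.
TODAY = date(2017, 7, 4)
SAMPLE_CERTS = [
    ("CN=SecMaker CA v2", date(2015, 7, 15), date(2017, 7, 20)),
    ("CN=SecMaker CA v2", date(2017, 7, 1), date(2017, 7, 31)),
]

if __name__ == "__main__":
    rules = parse_check_card_expire("30,CN=SecMaker CA v2;20,CN=Inteom CA v3;")
    print(card_about_to_expire(rules, SAMPLE_CERTS, TODAY))
```

With the sample data the temporary certificate alone would not silence the warning, but adding a renewed two-year certificate does, which is the behavior an administrator should expect after a successful update.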
CheckEnroll
Use this parameter to get an event when a smart card without any certificate, or without a specific certificate, is inserted. The value may specify a
token model name and token serial number followed by the CA that is wanted. All values may be empty, which means that
any smart card without certificates will generate an enroll event. Token model name requires a complete string match and token
number requires a start string match. May also specify a list of values, separated with ‘;’.
There is no warning message dialog, but it is possible to specify a custom action dialog, see 6.30 [Links Action] for more
information.
Example:
CheckEnroll=,,;
CheckEnroll=eID Smart Card,123456,CN=SecMaker CA v3;
CheckSoftExpire
Identical to CheckCardExpire, but will check soft tokens instead of smart cards.
EnableWinlogon
Use this parameter to enable/disable registration of supported smart cards in the Registry.
Smart cards must be registered to handle CryptoAPI applications that use smart card reader names when connecting to the
CSP. Typical applications are Microsoft smart card logon on all Windows platforms.
0 – Smart cards are not registered
1 – Smart cards are registered
Default value is 1; smart cards are registered.
EventList
Use this parameter to listen to custom events. The value is a list of event names separated with ‘;’ and the action is specified in
section [Event <name>].
Example:
[General]
EventList=TEST
[Event TEST]
1=%InstallLocation%\iid.exe –test
The event is generated by calling the main loader component.
iid.exe –event TEST
There is also a special INTERNAL event, the name must still be specified in the list if used. The INTERNAL event will start the
event by using the main loader.
iid.exe –event INTERNAL -about
This command will show the about box in the background service context.
ExplorerExtension
Use this parameter to specify which applications enable extending of some menu entries for Windows Explorer.
[General]
ExplorerExtension=explorer.exe
Default value is none; No applications will be configured.
ExplorerMenu
Use this parameter to enable/disable extending of some menu entries for Windows Explorer.
0 – Explorer menu not available
1 – Explorer menu available
Default value is 1; Explorer menu is available.
ExtraService
Use this parameter to configure a list of services that will be started/stopped by CertMover. Services in the list are separated by
semicolon.
Default value is none; No services will be configured.
Example:
[General]
ExtraService=SCS
StartMenu
Use this parameter to enable/disable installation of shortcuts in the start menu.
0 – Start menu entries are not available
1 – Start menu entries are available
Default value is 1; start menu entries are available.
TaskbarAccessMode
Use this parameter to set the access mode for the background service when moving certificates to the CryptoAPI store. The move
is initiated either by the smart card insert/remove event or by polling. Polling occurs every ten seconds, and the insert/remove
event may be detected via PC/SC or PKCS#11.
0x01 – Check insert/remove event via PC/SC
0x02 – Check via polling
0x03 – Check insert/remove event via PKCS#11
There are also two different modes for reading certificates when an event is detected via one of the modes above, either using
PKCS#11 or CSP.
0x00 – Read certificate using CSP
0x10 – Read certificate using PKCS#11
The two values are added to form the complete access value.
Example, detect via PC/SC and read via CSP:
0x01 + 0x00 = 0x01
Example, detect via PKCS#11 and read via PKCS#11:
0x03 + 0x10 = 0x13
Default value is 0x13.
TaskbarIcon
Use this parameter to show/hide the taskbar icon. The taskbar icon will contain a menu with some shortcuts for common tasks,
see TaskbarMenuMode below for more information. The taskbar icon will also show progress when cards are inserted or
removed.
0 – Taskbar icon is hidden
1 – Taskbar icon is visible
Default value is 1; task bar icon is visible.
TaskbarMenuMode
Use this parameter to limit the components that should be visible on the taskbar menu.
0x0001 – Change PIN
0x0002 – Unlock PIN
0x0004 – Administration (if available)
0x0008 – Crypt (if available)
0x0010 – Trace
0x0040 – Pause certificate service
0x0080 – Refresh certificate service
0x0100 – Exit
0x0200 – Certificates
0x0400 – View token
Combine the bitmasks with an OR operation to select which components should be visible. For example, to show all of the above:
TaskbarMenuMode=0x07DF
Default value is 0x07DF; all components are visible.
Note 1: Entries for support and help in the [Links] configuration section will be added to the task bar menu if available.
Note 2: The [Links Custom] configuration section may be used to add additional entries to the task bar menu.
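An added example (not SecMaker's code) that decodes the two taskbar values above; the names and bit values come from the description, and the function names are assumptions. It also shows the difference between the two: TaskbarAccessMode's detection part is a value in the low nibble (0x03 is PKCS#11, not PC/SC plus polling), while TaskbarMenuMode is a real bitmask.

```python
"""Decode the TaskbarAccessMode and TaskbarMenuMode configuration values.

Added example, not part of the Net iD Enterprise product or its documentation.
"""

# Low nibble of TaskbarAccessMode: how insert/remove is detected (a value, not bits).
DETECT_MODE = {
    0x01: "insert/remove event via PC/SC",
    0x02: "polling (every ten seconds)",
    0x03: "insert/remove event via PKCS#11",
}
# High nibble of TaskbarAccessMode: how certificates are read after an event.
READ_MODE = {
    0x00: "CSP",
    0x10: "PKCS#11",
}

# TaskbarMenuMode is a bitmask; every documented entry is a single bit.
MENU_BITS = {
    0x0001: "Change PIN",
    0x0002: "Unlock PIN",
    0x0004: "Administration (if available)",
    0x0008: "Crypt (if available)",
    0x0010: "Trace",
    0x0040: "Pause certificate service",
    0x0080: "Refresh certificate service",
    0x0100: "Exit",
    0x0200: "Certificates",
    0x0400: "View token",
}
MENU_ALL = 0x07DF  # documented default: all components visible


def decode_access_mode(value: int) -> tuple:
    """Split TaskbarAccessMode into (detection, read) descriptions.

    Masking rather than bit-testing is essential: 0x03 means PKCS#11 detection,
    not "PC/SC and polling".
    """
    detect = value & 0x0F
    read = value & 0xF0
    if detect not in DETECT_MODE or read not in READ_MODE:
        raise ValueError(f"TaskbarAccessMode 0x{value:02X} is not a documented combination")
    return DETECT_MODE[detect], READ_MODE[read]


def encode_access_mode(detect: int, read: int) -> int:
    """Compose the value the way the text does: detection value + read value."""
    if detect not in DETECT_MODE or read not in READ_MODE:
        raise ValueError("unknown detection or read mode")
    return detect + read


def decode_menu_mode(value: int) -> tuple:
    """Return (visible entries, undocumented bits) for a TaskbarMenuMode value.

    Undocumented bits (e.g. 0x0020) are reported so a configuration audit can
    flag them instead of silently ignoring them.
    """
    visible = [name for bit, name in MENU_BITS.items() if value & bit]
    unknown = value & ~MENU_ALL & 0xFFFF
    return visible, unknown


def parse_mode(text: str) -> int:
    """Accept the hex form used in the configuration file ('0x13') or plain decimal."""
    return int(text.strip(), 0)


if __name__ == "__main__":
    print(decode_access_mode(parse_mode("0x13")))
    print(decode_menu_mode(parse_mode("0x07DF")))
    print(decode_menu_mode(0x0025))  # 0x0020 is not documented and gets reported
```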
UseService
Use this parameter to install the certificate service as a Windows service or a background process. The certificate service is the
process which may show a taskbar icon with menu.
0 – Install as a background process
1 – Install as a Windows service
-1 – Do not install certificate service
Default value is 1; certificate service is installed as a Windows service.
Note: It is no longer recommended to install as a service, since Windows Vista and later have increased the restrictions
between the user environment and the system environment.
6.24 [Install]
This section contains information about the installation.
Build
This entry specifies the build or rather the installation package information. Any string value is acceptable, but there are some
recommendations, more information is available through your support contact.
Configuration
This entry contains the full path to the configuration. This value is usually not specified; a default suitable for each platform
is then used. For Windows platforms the default location is a configuration file in the installation folder, but it may be useful
to move the entire configuration to the Registry to be able to use GPO.
Example:
Configuration=%InstallLocation%\iid.cfg
Configuration=HKLM\SOFTWARE\SecMaker\NetiD\Enterprise
If the Registry is used, SOFTWARE\Policies will always be read first to check for GPO settings before other configurations are read.
At the moment this only applies to a limited number of configurations that are included in the GPO policy template supplied by
SecMaker.
Example of read order in Registry:
1. HKLM\SOFTWARE\Policies\SecMaker\NetiD\Enterprise
2. HKLM\SOFTWARE\SecMaker\NetiD\Enterprise
Directory
This entry contains the full path to the current installation.
ProductName
This entry contains the product name used by an OEM installation.
List
This entry contains a list of installed product names, used during uninstall to remove everything after an upgrade between OEM
and normal installation.
Version
This entry contains the complete version number in eight digits, two for each part:
<major><minor><fix><build>
The <major> and <minor> values specify a release, for example 05 and 04 for release 5.4.
The <fix> number always starts from 0 for the first release; if a problem found in the release requires a new version, this value
is increased, for example the first fix for 5.4 is 5.4.1.
The <build> number starts from 1 for the first build for a specific <major> and <minor> value and is increased for each
delivered build. For example, for 5.4 the first BETA was 5.4.0.10 and the first RC was 5.4.0.20. The final 5.4 and 5.4.1 releases
have the values 5.4.0.26 and 5.4.1.34 respectively.
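An added example (not code from SecMaker) that parses and formats the eight-digit Version entry described above; the digit layout and the sample releases come from the text, and the helper names are assumptions.

```python
"""Parse and format the eight-digit [Install] Version value.

Added example, not part of the Net iD Enterprise product.
"""
from typing import NamedTuple


class Version(NamedTuple):
    major: int
    minor: int
    fix: int
    build: int

    def dotted(self) -> str:
        """Human-readable form, e.g. 5.4.0.26."""
        return f"{self.major}.{self.minor}.{self.fix}.{self.build}"

    def encoded(self) -> str:
        """Configuration form: two digits per part, e.g. 05040026."""
        return f"{self.major:02d}{self.minor:02d}{self.fix:02d}{self.build:02d}"


def parse_version(value: str) -> Version:
    """Decode an eight-digit Version entry into <major><minor><fix><build>.

    Each part is exactly two decimal digits, so no part can exceed 99.
    """
    value = value.strip()
    if len(value) != 8 or not value.isdigit():
        raise ValueError(f"Version must be exactly eight digits, got {value!r}")
    parts = [int(value[i:i + 2]) for i in range(0, 8, 2)]
    version = Version(*parts)
    # The build counter starts at 1 for every <major>.<minor>, so 0 is never valid.
    if version.build < 1:
        raise ValueError(f"build number must be at least 1, got {version.dotted()}")
    return version


def same_release(a: Version, b: Version) -> bool:
    """True when both versions belong to the same <major>.<minor> release line."""
    return (a.major, a.minor) == (b.major, b.minor)


if __name__ == "__main__":
    # Sample values constructed from the releases mentioned in the text.
    for raw in ("05040010", "05040020", "05040026", "05040134"):
        v = parse_version(raw)
        print(raw, "->", v.dotted(), "(fix release)" if v.fix else "")
```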
6.25 [Install Option]
This section contains information used during the installation.
MergeOldConfig
This entry specifies the behavior during upgrade, whether a configuration should be merged or overwritten.
0 -> Overwrite configuration at upgrade
1 -> Merge configuration at upgrade
Default value is 1; configuration will be merged during upgrade.
RemoveOldInstall
This entry specifies the behavior during upgrade, whether the installation should remove old installation before a possible
upgrade.
0 -> Current installation is upgraded if old installation is available
1 -> Current installation is removed if old installation is available
Default value is 0; installation is upgraded.
ShowWizard
This entry is used to hide/show different wizard pages during installations, but some pages will always be available. The value is
a bitmask, enable bits to show the page:
0x01 -> Show select language page
0x02 -> Show accept license page
0x04 -> Show license value page
0x08 -> Show upgrade warning page when upgrading with different build names
0xFF -> Show all pages
Default value is 0xFF; show all pages.
SpecialBuild
This entry specifies the build information. There are three standard types defined, but any string value is acceptable. No value at
all means a standard release:
UD – Under Development
BETA – Pre-release
RC – Release Candidate
UD build is completely unsupported; should only be used when testing some special feature.
BETA build is not usually supported; all functionality for the coming release is present, but only development tests have been
performed.
RC build is usually not supported; all functionality for the coming release is present, but only sanity tests have been performed,
not complete system tests.
6.26 [Install Shortcuts]
This section specifies a number of additional shortcuts that will be included in the product start menu folder for Windows.
Format:
<number>=<name>;<binary>;<arguments>
Value <number> is the list entry number starting from 1.
Value <name> is the presentation name of the shortcut.
Value <binary> is the name of the application binary, must be available in the installation directory.
Value <arguments> is any arguments needed by the application.
Example:
1=My Portal;iidxweb.exe;
6.27 [Language]
This section contains information about the language support.
Allowed
This entry specifies a list of supported languages, separated with ‘;’. This list can be used to limit the number of supported
languages. It is also possible to set a new name for a language. Format:
Allowed=<language name>[:<new language name>];
Example:
Allowed=English;Svenska;
Allowed=English:English US;Norsk:Norsk NN;
Default value is none; all supported languages will be available.
Current
This entry contains the current language; the string ‘auto’ may also be specified to use the current local language on the computer.
Current=English
Default language is ‘English’. Any unsupported language or invalid language string will use the default language.
6.28 [License]
This section contains license information.
NOTE: Do not edit, the product will be unusable without correct license information.
Cards
This entry specifies a list of accepted smart cards defined by ATR, separated with ‘;’.
Cards=123456ABCDEF;ABCDEF123456
Company
This entry specifies the company name of the license.
Company=SecMaker AB
Issuers
This entry specifies a list of accepted certificates.
Issuers=O=SecMaker*
Name
This entry specifies the user name of the license.
Name=DEMO ONLY
Value
This entry specifies the license value.
Value=WagC-YmLC-emxh-lyne-iMvT-JKE8
6.29 [Links]
This section contains links which may be available in dialog boxes or used by the web browser plugin.
Admin
This entry controls the administration start parameter.
Admin=-admin
Admin=http://www.secmaker.com/admin
Default value is -admin; starts Administration GUI.
Error
This entry will be appended to error dialog boxes.
Error=https://www.secmaker.com/help/
Default value is none; no extra link in error dialog boxes.
Help
This entry will be shown in taskbar menu and appended to error dialog boxes if Error link is not specified.
Help=http://www.secmaker.com/help/
Default value is none; no help link in taskbar menu.
Mail
This entry is used by the administration utility as the default mail address when initiating any send mail, for example when
sending a trace file from the administration utility.
Mail=mailto:netid@secmaker.com
Default value is none; no default mail address.
Support
This entry will be shown in the taskbar menu.
Support=https://www.secmaker.com/support/
Default value is none; no support link in taskbar menu.
6.30 [Links Action]
There are several internal actions that may start a custom dialog instead of a message or internal dialog:
CaCertificateExpire
ChangePIN
Decrypt
Encrypt
ExitWindows Lock/Logout/Sleep/Hibernate/Disconnect/Restart/Shutdown
LicenseActivate
LicenseInvalid
PinExpired
Sign
TokenEvent
TokenInvalid
TokenNotPresent
TokenPresent
UnlockPIN
Verify
WarningCertificateEnroll
WarningCertificateExpired
WarningCertificateRenew
CA certificate expire will load the custom action CaCertificateExpire instead of showing a message dialog.
ChangePIN/UnlockPIN are activated as soon as change or unlock PIN is requested, either by user selection from some menu or
as an automatically generated event, for example when a smart card is inserted.
Decrypt/Encrypt/Sign/Verify are used for ExplorerMenu.
ExitWindows is used to set custom actions for ExitWindows commands.
The License actions have not been fully implemented but will be used in future versions.
PinExpired is used to trigger events when the ‘PIN validity period’ has expired according to the PIN policy, see settings in
section 6.42 [SmartCard] -> PinExpire.
The Token actions are used for custom token events.
The Warning actions are used to generate events automatically, for example when a smart card is inserted. All warning events
are generated by the background process, see [General] > CheckCardExpire/CheckSoftExpire/CheckEnroll for more information.
All actions can specify a custom link to be opened:
XXX=-url http://netid.secmaker.com/xxx.html?xxx=zzz
XXX=-url file:///%InstallLocation%/xxx.html?xxx=zzz
There are some wild cards that will be used to identify the active token and/or certificate:
%ACTION% - The current action
%SLOTID% - The current slot id
%CERTIFICATE% - The current certificate
%EXPIRE% - The number of days until certificate is expired
The two latter wild cards are only available for certificate expire/renewal.
It is also possible to add custom actions and run with -action:
TEST=-url http://www.secmaker.com
iid.exe -action TEST
6.31 [Links Custom]
This section includes any custom links to the taskbar menu for Windows, see 6.23.13 TaskbarMenuMode for more information.
Format:
<name>=<http address>
Any name string is allowed, this will be the presentation in the taskbar menu.
Any http address or action is allowed, this will be the link that is opened when selecting the entry in the menu. Example:
SecMaker=http://www.secmaker.com/
TESTLINK=-action TEST
6.32 [LRA]
This section specifies the behavior for the Local RA, see LRA documentation for more information.
6.33 [MiniDriver]
This section controls the behavior of the Minidriver component. It is a requirement that the Minidriver component is included in
the installation.
It is recommended to read the Microsoft Smart Card Minidriver Specification to fully understand the terminology.
Note 1: The values used are verified with Microsoft minidriver certification utility, so any changes may cause the certification to
fail.
Note 2: The minidriver certification uses a smart card with full access to administrator keys and some parameters are used to
handle situations where the smart card profile is more or less read-only.
AllowSecondary
This entry can be used to enable/disable writing of secondary certificates. When it is disabled, writing of the same certificate
object will result in the existing certificate being overwritten. The normal behavior for smart card minidriver is not to support
secondary certificates, meaning there is no support for multiple certificates using the same key.
0 –> Don’t allow secondary certificates
1 –> Allow secondary certificates
Default value is 0; secondary certificates are not allowed.
CacheCard
This entry can be used to enable/disable writing of certificate/container information to a cache file. This cache is used by
Credential Provider when used in pass-through mode. Microsoft has some limitations with multiple access, so this is used to
avoid extra access from Net iD Enterprise Credential Provider towards minidriver when used with Microsoft Provider.
0 –> Certificate information is not written
1 –> Certificate information is written
Default value is 1; certificate information is written.
Note: DO NOT EDIT, the default value should be used.
CertificateCompression
This entry is used to tell whether certificate compression is supported internally or not.
0 –> Certificate compression is not supported
1 –> Certificate compression is supported
Default value is 1; certificate compression is supported.
Note: DO NOT EDIT! Certificates are always stored compressed. Without compression support, the value will be compressed by
the caller when writing, but the real certificate value is usually needed when writing certificates to most smart cards.
CheckFileCMap
This entry is used to tell whether certificate mapping file content should be checked before writing. When checked the mapping
file will only be written when different from the auto-generated content.
0 –> Certificate mapping file always written
1 –> Certificate mapping file only written when different from auto-generated
Default value is 0; certificate mapping file always written.
ClearUserPinCache
This entry enables/disables clearing of the user PIN cache by the internal certificate propagation service.
0 –> Will not clear user PIN cache
1 –> Will clear user PIN cache for logged on user at disconnect/lock windows/exit windows
2 –> Will clear all user PIN cache for all smart cards
4 –> Will clear all user PIN cache for all tokens in same session
Default value is 2; will clear user PIN cache for all users.
Note: In terminal server sessions value 2 should never be used, since it will clear PIN cache for other users.
Disable
This entry specifies a list of applications which will not be able to use the minidriver, separated with ‘;’.
Example:
Disable=test.exe
DisableFileCache
This entry enables/disables Microsoft smart card file cache.
0 -> Microsoft smart card file cache active
1 -> Microsoft smart card file cache not active
Default value is 0; smart card file cache is active.
Note: Microsoft has some known problems with the smart card file cache when running terminal server, so it is recommended
to disable the cache for these environments.
DisablePinCache
This entry enables/disables Microsoft smart card PIN cache.
0 -> Microsoft smart card PIN cache active
1 -> Microsoft smart card PIN cache not active
Default value is 0; smart card PIN cache is active.
FriendlyName
This entry is used to register a friendly name for the certificate in CryptoAPI user certificate store. The following wild cards may
be used:
%label%
%issuer.<object identifier>%
%subject.<object identifier>%
Label is the certificate label stored with the certificate object, issuer and subject are any of the object identifiers available in the
subject or issuer field from the certificate. Any combination of static text and wild cards above may be used.
Default value is "%subject.2.5.4.3% (%issuer.2.5.4.3%)".
Note: For unknown reasons some CryptoAPI applications require the friendly name of a certificate to be static. This may cause
problems when both the Net iD Enterprise certificate service and Microsoft register the certificate in the CryptoAPI user certificate
store, since Microsoft will not specify any friendly name.
GuidKeyId
This entry enables/disables the use of guid from certificate mapping file as key id.
0 -> Key id is generated from public key digest
1 -> Key id is generated from guid
Default value is 0; key id is generated from public key digest.
Note: Enable this parameter when certificate mapping file is disabled (IgnoreFileCMap=1). The result of the combination is that
the automatically generated mapping file will be identical to the original Microsoft mapping file.
IgnoreFileCardCF
This entry enables/disables internal use of the card cache file ‘\cardcf’. The card cache file will be automatically generated from
card update counter when disabled.
0 -> Microsoft card cache file will be used
1 -> Automatically generated card cache file will be used
Default value is 0; Microsoft card cache file will be used.
IgnoreFileCMap
This entry enables/disables internal use of the certificate mapping file ‘\mscp\cmapfile’. The mapping file content will be
automatically generated when disabled.
0 -> Microsoft certificate mapping file will be used
1 -> Automatically generated certificate mapping file will be used
Default value is 0; Microsoft certificate mapping file will be used.
Note: Will cause interoperability problems when enabled, since Microsoft will not detect changes from other components, for
example certificates written by the plugin component.
IgnoreLogout
This entry specifies a list of applications which will not be able to logout, all logout calls will be ignored. Example:
IgnoreLogout=lsass.exe;logonui.exe
Default value is none; all applications will be able to logout.
Note: This parameter should be used with Microsoft logon applications, since they always logout after accessing the smart card.
Allowing these applications to logout will disable the single-sign-on feature.
KeyGenerateMode
This entry specifies the mode for key id generation, either let the smart card decide the key id or generate a key id based on the
GuidKeyId parameter.
0 -> Key id is depending on smart card type
1 -> Let smart card decide key id
2 -> Generate random key id
Default value is 0.
MaxKeySize
This entry specifies the maximum size of the RSA keys.
Example:
MaxKeySize=2048
Default value is 2048; maximum RSA key size of 2048 bits.
Note: The value must be larger than MinKeySize, since the certification utility will hang if the same values are used for minimum
and maximum key sizes. The incremental size, difference between minimum and maximum size, must be at least 8.
MinKeySize
This entry specifies the minimum size of the RSA keys.
Example:
MinKeySize=1024
Default value is 1024; minimum RSA key size of 1024 bits.
Note: The value must be less than MaxKeySize, since the certification utility will hang if the same values are used for minimum
and maximum key sizes. The incremental size, difference between minimum and maximum size, must be at least 8.
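An added example (not SecMaker's code) that checks a [MiniDriver] section against the constraints stated above: MinKeySize below MaxKeySize, at least 8 apart, with the documented defaults of 1024 and 2048, plus the GuidKeyId/IgnoreFileCMap pairing from the GuidKeyId note. The sample configuration is constructed and the function names are assumptions.

```python
"""Lint the key-size constraints of a Net iD Enterprise [MiniDriver] section.

Added example, not part of the Net iD Enterprise product.
"""
import configparser

# Constructed sample configuration with a defect the text warns about:
# equal minimum and maximum key sizes hang the certification utility.
SAMPLE_CFG = """
[General]
EventList=TEST

[Event TEST]
1=%InstallLocation%\\iid.exe -test

[MiniDriver]
MinKeySize=2048
MaxKeySize=2048
IgnoreFileCMap=1
GuidKeyId=0
"""

# Documented default values, used when an entry is absent.
DEFAULTS = {"MinKeySize": 1024, "MaxKeySize": 2048, "IgnoreFileCMap": 0, "GuidKeyId": 0}


def load_config(text: str) -> configparser.ConfigParser:
    """Parse the INI-style configuration file.

    interpolation=None is required: values such as %InstallLocation% or
    %subject.2.5.4.3% would otherwise be treated as configparser substitutions.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep entry names exactly as written
    parser.read_string(text)
    return parser


def lint_minidriver(parser: configparser.ConfigParser) -> list:
    """Return human-readable findings; an empty list means the section passes."""
    section = parser["MiniDriver"] if parser.has_section("MiniDriver") else {}
    values = {k: int(section.get(k, v)) for k, v in DEFAULTS.items()}
    findings = []
    lo, hi = values["MinKeySize"], values["MaxKeySize"]
    if lo >= hi:
        findings.append(f"MinKeySize ({lo}) must be less than MaxKeySize ({hi})")
    elif hi - lo < 8:
        findings.append(f"MaxKeySize - MinKeySize must be at least 8, got {hi - lo}")
    # The GuidKeyId note: enable it when the mapping file is disabled.
    if values["IgnoreFileCMap"] == 1 and values["GuidKeyId"] != 1:
        findings.append("IgnoreFileCMap=1 should be combined with GuidKeyId=1")
    return findings


if __name__ == "__main__":
    for finding in lint_minidriver(load_config(SAMPLE_CFG)):
        print("finding:", finding)
```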
MoveCertificates
This entry specifies whether internal certificate propagation to CryptoAPI store should be used or not.
0 -> Don’t move certificates to CryptoAPI store
1 -> Move certificates to CryptoAPI store
Default value is 0; Microsoft certificate propagation should be used to move certificates.
NoLoadPkcs11Keys
This entry specifies whether pkcs#11 keys without connected certificates should be mapped as minidriver keys.
0 -> Load pkcs#11 keys
1 -> Don’t load pkcs#11 keys
Default value is 0; load pkcs#11 keys.
OverwriteCertificates
This entry specifies whether moved certificates should overwrite any existing certificates for internal certificate propagation.
This has an effect when several different certificate propagation services are enabled or when the same smart card is
supported by several vendors.
0 -> Don’t overwrite existing certificates in CryptoAPI store
1 -> Overwrite existing certificates in CryptoAPI store
Default value is 0; will not overwrite.
RegisterCertificate
This entry specifies a list of applications which will generate an event to register the certificates for CryptoAPI to Net iD CSP
instead of to Minidriver.
RegisterCertificate=lsass.exe;logonui.exe
Default value is none; no applications will generate an event to register the certificates.
Note: This parameter should be used to register Net iD CSP as default handler of certificates instead of Microsoft Base Smart
Card CSP with the Minidriver.
PinCacheDisable
This entry enables/disables Microsoft PIN cache. Will only affect PIN1, secondary PIN will always have PIN cache disabled.
0 -> Microsoft PIN cache is active
1 -> Microsoft PIN cache is inactive
Default value is 0; Microsoft PIN cache is active.
Note: Microsoft Windows logon may fail if pin cache is inactive.
PinCacheTimeout
This entry specifies the timeout value for Microsoft pin cache.
X -> Number of seconds Microsoft pin cache is active
Default value is 0; Microsoft pin cache is active as long as Microsoft thinks is suitable.
ReadOnly
This entry specifies whether the minidriver should report all smart cards as read-only, i.e. not possible to update in any way.
0 -> Smart cards are not considered read-only
1 -> Smart cards are considered read-only
Default value is 0; smart cards are updateable.
SetDefaultCertificate
This entry specifies whether a default certificate should be marked as default for minidriver certificate mapping file.
0 -> Don’t mark default certificate
1 -> Mark default certificate
Default value is 0; default certificate is not marked.
Note 1: Default certificate is based on certificate sorting, see SortCertificate below.
Note 2: This parameter only has effect when certificate mapping file is generated, and will be ignored when written towards
smart card; see IgnoreFileCMap above.
SortCertificate
This entry specifies how the certificates should be sorted when a default certificate is used.
0 -> Don’t sort certificate, use sorting from pkcs#11
1 -> Sort newest certificate first
2 -> Sort oldest certificate first
Default value is 0; sorting inherited from pkcs#11.
UseSuppliedPadding
This entry specifies whether the supplied key padding mechanism or the internal implementation should be used. The padding
mechanism is needed to format data to be signed or data to be encrypted before the key operation.
0 -> Use internal padding
1 -> Use supplied padding
Default value is 0; internal padding is used.
UseExternCardCF
This entry specifies whether caller is allowed to update the card update counter. When not allowed all updates will be ignored
and the update is handled internally.
0 -> Update counter internally
1 -> Use caller update counter
Default value is 0; internal update counter is used.
Version
This entry specifies which version of the minidriver specification should be supported. Currently versions 4 to 6 are
supported.
Example:
Version=5
Default value is all versions.
WriteCardBlock
The minidriver file system will be stored in a virtual file system. This entry specifies the block size for the virtual file system, to
avoid unnecessary reallocation when objects are created on smart cards which separate data from information about the data.
Example:
WriteCardBlock=64
Default value is 0; a suitable value is chosen for the smart card type.
6.34 [NetControl]
This section controls the behavior of the net control component. This component tries to keep track of SSL/TLS sessions in
different web browsers and close those web browsers when a smart card is removed.
Note: This feature is getting harder to accomplish, since web browsers are getting better at recovering closed sessions. A better
solution is to close the session from the server side, using the Watch component.
Applications
This entry specifies a list of applications, separated with ‘;’, that may be closed if they open a SSL session. Example:
Applications=iexplore.exe;firefox.exe
Default value is none; no applications will be handled.
Ask
This entry specifies whether the user should be asked before trying to close an application.
0 -> Don’t ask user before close
1 -> Ask user before close
Default value is 1; ask user before close of application.
Enable
This entry specifies whether this feature should be active.
0 -> Net control inactive
1 -> Net control active
Default value is 0; net control is inactive.
LogonApplication
This entry specifies a list of logon applications, separated with ‘;’, that may be closed if they open a TLS session. Example:
LogonApplication=iexplore.exe;firefox.exe
Default value is none; no logon applications will be handled.
6.35 [Pkcs11]
This section controls the behavior for the PKCS#11 library.
AlwaysLoginForSSL
This entry is used to always require login for SSL/TLS. When enabled, an automatic logout is done each time an SSL/TLS
connection is established.
0 -> No automatic logout
1 -> Automatic logout
Default value is 0; no automatic logout when SSL/TLS connection is established.
See 6.35 [Pkcs11] > LoginTimeout for another way to handle automatic logout.
Note: This feature is normally used in combination with soft tokens to require password/PIN dialog even when renegotiating
SSL/TLS connections.
DetectNewSlots
This entry specifies whether new slots should be detected each time the application asks for the current slot list. A slot is either
a smart card reader or a soft token, so this parameter may be used to detect arrival of new smart card readers.
0 -> Will not detect new slots
1 -> Will detect new slots
Default value is 0; no detect of new slots.
See 6.46 [Smart Card Reader]>Detect for another way to detect arrival of smart card readers.
Recommended value for Detect is 1, when used in combination with this parameter.
DisableDuplicate
This entry specifies a list of applications, separated with ‘;’, which will not be able to use duplicate certificates. Duplicates are
certificates with identical issuer and subject field and same public key. Only the newest certificate will be available for the
application.
DisableDuplicate=Firefox;Mozilla
Default value is none; all applications will see duplicate certificates.
DisableNonRep
This entry specifies a list of applications, separated with ‘;’, which will not be able to use certificates with non-repudiation key
usage.
DisableNonRep=Firefox;Mozilla
Default value is none; all applications will be able to use non-repudiation certificates.
EnableExternalMutex
This entry enables/disables the use of external mutex to protect multi-threaded sessions.
0 -> Internal mutex used
1 -> External mutex used (if available)
Default value is 0; always use internal mutex.
Note: Multi-thread support is vital, and allowing this protection to be handled externally may cause unpredictable results.
FriendlyName
This entry enables generation of a certificate label according to a specific format instead of using the default label from the
token. The following wild cards may be used:
%label%
%issuer.<object identifier>%
%subject.<object identifier>%
Label is the certificate label stored with a certificate object; issuer and subject are any of the object identifiers available in the
subject or issuer fields of the certificate. Any combination of static text and the wild cards above may be used.
Default value is none; the stored certificate label is used.
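An added example (not SecMaker's implementation) of the wild card expansion shared by [MiniDriver] FriendlyName and [Pkcs11] FriendlyName above, run against the documented default "%subject.2.5.4.3% (%issuer.2.5.4.3%)". The certificate attributes are a constructed sample keyed by dotted object identifier, and expanding an attribute the certificate lacks to an empty string is an assumption.

```python
"""Expand %label%, %issuer.<oid>% and %subject.<oid>% wild cards in a FriendlyName template.

Added example, not part of the Net iD Enterprise product.
"""
import re

# Constructed sample: the distinguished-name attributes of a certificate object,
# keyed by dotted object identifier as the wild cards reference them
# (2.5.4.3 is commonName, 2.5.4.10 organizationName, 2.5.4.6 countryName).
SAMPLE_CERT = {
    "label": "Alice Example (authentication)",
    "subject": {"2.5.4.3": "Alice Example", "2.5.4.10": "Example Org", "2.5.4.6": "SE"},
    "issuer": {"2.5.4.3": "Example Issuing CA", "2.5.4.10": "Example Org"},
}

DEFAULT_TEMPLATE = "%subject.2.5.4.3% (%issuer.2.5.4.3%)"

# %label%, or %subject.<oid>% / %issuer.<oid>% where <oid> is dotted numeric.
WILDCARD = re.compile(r"%(label|(?:subject|issuer)\.[0-9]+(?:\.[0-9]+)*)%")


def expand_friendly_name(template: str, cert: dict) -> str:
    """Replace every wild card in template with the matching certificate value."""
    def substitute(match) -> str:
        token = match.group(1)
        if token == "label":
            return cert.get("label", "")
        field, oid = token.split(".", 1)
        # Absent attribute expands to an empty string (assumption, not documented).
        return cert.get(field, {}).get(oid, "")
    return WILDCARD.sub(substitute, template)


def unresolved_wildcards(template: str, cert: dict) -> list:
    """List wild cards that would expand to nothing, for auditing a template."""
    missing = []
    for match in WILDCARD.finditer(template):
        token = match.group(1)
        if token == "label":
            if not cert.get("label"):
                missing.append(token)
        else:
            field, oid = token.split(".", 1)
            if oid not in cert.get(field, {}):
                missing.append(token)
    return missing


if __name__ == "__main__":
    print(expand_friendly_name(DEFAULT_TEMPLATE, SAMPLE_CERT))
    print(expand_friendly_name("%label% - %subject.2.5.4.10%/%subject.2.5.4.6%", SAMPLE_CERT))
    print(unresolved_wildcards("%subject.2.5.4.42%", SAMPLE_CERT))
```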
LoginTimeout
This entry is used to set a timeout for the login. When enabled an automatic logout will happen after the number of specified
seconds.
0 -> No automatic logout
X -> Automatic logout after X seconds
Default value is 0; no automatic logout.
See AlwaysLoginForSSL above for another way to handle automatic logout.
LogonApplication
This entry specifies a list of applications that should be considered as logon applications. This means that the PIN cache is
always ignored and the PIN is always verified, even when it is the same value as in the PIN cache.
Example:
LogonApplication=lsass.exe;winlogon.exe
Default value is lsass.exe;winlogon.exe.
LogoutAtLastSession
This entry is used to control the behavior when the last session towards a token is closed. Specifies a list of applications that will
generate a logout, separated with ‘;’.
Example:
LogoutAtLastSession=svchost;winlogon
Default value is empty; no application will generate an automatic logout.
Note: The reason for not logging out is to avoid unnecessary password/PIN dialogs. Usually PKCS#11 applications will open a
session, login if needed, do something and thereafter close the session again. Setting no logout will keep the password/PIN
status when the application opens the session again.
InsertEmptySlots
This entry is used to always create a number of empty slots which always will be available even when no smart card readers
and/or soft tokens are present.
0 -> No extra empty slots
X -> Add X extra slots
Default value is 0; no extra slots.
Note: This parameter is only used for Firefox and installation of the PKCS#11 component. During installation the Firefox flag
‘public readable certificates’ must be set, to avoid password/PIN dialogs when Firefox is searching for certificates. This flag will
be set for the slots available at installation. Using this parameter prepares a number of slots to have this flag set, so slots may
be added after the installation and still get the public readable flag.
OpenSSL
This entry is used to specify an OpenSSL library that should be loaded to generate random data and/or key pairs. Typical names for different platforms:
libeay32.dll – Windows
libcrypto.so – Linux
libcrypto.dylib – macOS
Default value is none; internal algorithms are used for generating random data and/or key pairs.
Note: On the Windows platform Microsoft CryptoAPI is used for key pair generation, since its implementation is much faster than the internal algorithm.
PinMaxDigits
This entry sets the global maximum number of digits policy. Specify the maximum number of digits.
0 -> No maximum number of digits
X -> At most X digits
Default value is 0; no maximum number of digits.
Note: This parameter should not be used, use PIN policy flags in [SmartCard] or [SoftToken] instead.
PinMinDigits
This entry sets the global minimum number of digits policy. Specify the minimum number of required digits.
0 -> No minimum number of digits
X -> X number of digits required
Default value is 0; no minimum number of digits required.
Note: This parameter should not be used, use PIN policy flags in [SmartCard] or [SoftToken] instead.
PinReportError
This entry is used to specify where failed logon attempts are reported on the Windows platform. Reporting may be configured to either the Windows Event Viewer or an ODBC source. Reporting to an ODBC source requires a correctly formatted table; more information is available from your support contact.
Example:
PinReportError=-eventlog
PinReportError=-database -connection <ODBC> -table <TABLE> -username <USER> -password <PWD>
Default value is none; no error reporting.
RandomDisabled
This entry is used to enable/disable the support of random generation.
0 -> Random generation support enabled
1 -> Random generation support disabled
Default value is 0; random generation available.
Note: This only affects external applications; they will not be able to use the library to generate random bytes. Internally, random generation remains available.
ResetTempFiles
This entry is used to enable/disable reset of internal temporary files at initialize.
0 -> Reset at initialize disabled
1 -> Reset at initialize enabled
Default value is 0; reset at initialize disabled.
Note: This deletes any smart card cache files, which may impact performance.
SeparateThreadSearch
This entry is used to enable/disable concurrent searches in different threads using the same session.
0 -> Don’t allow concurrent searches in different threads using same session
1 -> Allow concurrent searches in different threads using same session
Default value is 0; concurrent searches are not allowed in different threads using the same session.
Note: DO NOT EDIT. This behavior is against the standard and should never be used. Different threads may use the same session context, but the expected behavior is to follow the PKCS#11 standard. Enabling this behavior violates the PKCS#11 standard; it was added only as a proof-of-concept for an application unaware of its own multi-threading implementation.
SessionToken
This entry specifies a list of applications, separated with “;”, which will set a write protected soft token.
SinglePin
This entry is used to enable/disable the use of a single password/PIN for smart cards. The parameter has no effect for soft tokens, since they always have a single password/PIN.
0 -> All available passwords/PINs usable
1 -> Only first password/PIN usable
Default value is 0; all available PINs are usable.
Note: This removes any secondary PIN for the calling applications. It is useful where your application has poor support for multiple PINs, or when only the objects of the first PIN should be used (everything connected with secondary PINs will be hidden).
TraceExecuteTime
This entry is used to enable/disable calculation of execution time, that is the number of milliseconds spent within the PKCS#11 library. It generates an extra trace entry with the number of milliseconds spent within the library and the number of milliseconds spent on the card during that time. Used to measure performance.
0 -> Execute time not written to trace
1 -> Execute time written to trace
Default value is 0; execute time not written.
Note: This time may be misleading when measuring small time differences, since most of the time may be spent writing to trace.
UpdateSlotsForEvent
This entry is used to enable/disable updating of the slot list when the library is called for the active event list (C_WaitForSlotEvent). The default behavior uses the [SmartCardReader]>Poll parameter to detect smart card insert/remove and the [SmartCardReader]>Detect parameter to detect smart card reader insert/remove.
0 -> No update slot list when checking for event list
1 -> Update slot list when checking for event list
Default value is 0.
VerifyAlgorithms
This entry is used to enable/disable verification of cryptographic algorithms during initialize.
0 -> Algorithms not verified
1 -> Algorithms verified
Default value is 0; algorithms not verified.
WaitForSmartCardService
This entry is used to enable/disable waiting for the Windows smart card service to start before initialize continues.
0 -> No wait
X -> Wait X number of seconds
Default value is 0; no wait for smart card service.
Note: This parameter was required for earlier versions of Windows, but is not needed any longer.
6.36 [Plugin]
This section controls the behavior of the plugin component. It requires the plugin component to be included in the installation. From version 6.1 a control mechanism is included to limit the usage of the plugin; each parameter and operation is limited/checked separately. The default requirements may be updated via the configuration parameters Plugin>AccessGetProperty, Plugin>AccessSetProperty, Plugin>AccessEnumProperty and Plugin>AccessInvoke.
More information regarding the settings mentioned in section 6.36.1 to 6.36.3 is found in Developer’s Guide.
AccessGetProperty
This entry may be used to update default access condition requirement for properties that are read from plugin.
Example:
[Plugin]
AccessGetProperty=Version,0;
AccessSetProperty
This entry may be used to update default access condition requirements and value checks for properties that are sent to plugin.
Example:
[Plugin]
AccessSetProperty=Version,1,1,0,16;
AccessEnumProperty
This entry may be used to update default access condition requirements for properties that are enumerated from plugin.
Example:
[Plugin]
AccessEnumProperty=Language,0;
AccessInvoke
This entry may be used to update default access condition requirements for invoke of plugin functions, see Developer’s Guide
for more information.
Example:
[Plugin]
AccessInvoke=Sign,0;
Audit
This entry may be used to log blocked plugin calls.
Example:
[Plugin]
Audit=C:\Temp\plugin.txt
Allowed
This entry contains a list of application names with access mode for use with the plugin, separated with ‘;’. Specify each as name and access mode value. Currently three modes are available:
0 – Blocked access – only creating non-repudiation signatures is allowed
1 – Full access – including modifying the configuration
2 – Use access – everything except modifying the configuration
Either specify the name of a file stored in the installation folder, or the full path to the application (environment variables may be used).
Example:
[Plugin]
Allowed=iid.exe,1;iidxcmt.exe,1;badapp.exe,0;
[Plugin]
Allowed=%programfiles%\Good\good.exe,1;%programfiles%\Bad\badapp.exe,0;
Note: The configuration section [AllowedServers] may be used to set the access mode for all web browser applications; for web browsers the access mode is based on site instead of application.
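As an added example (not SecMaker's code), the following Python resolves the access mode of an application from an Allowed value like the two above. It assumes Windows-style case-insensitive path matching, an installation folder supplied by the caller, and %VAR% expansion from a caller-supplied environment mapping; an unlisted application yields None, since the page does not state that default.

```python
"""Resolve the [Plugin]>Allowed access mode for an application.

Added example, not SecMaker code. Assumptions the page does not state:
matching is case-insensitive (Windows paths), an entry without a path
separator is a file in the installation folder passed as install_dir,
%VAR% references are expanded from the env mapping given (so it runs on any
OS), and an application that is not listed yields None so the caller can
apply its own default."""
import re
from enum import IntEnum
from pathlib import PureWindowsPath


class AccessMode(IntEnum):
    BLOCKED = 0  # only creating non-repudiation signatures is allowed
    FULL = 1     # full access, including modifying the configuration
    USE = 2      # use access, everything except modifying the configuration


_VAR = re.compile(r"%([^%]+)%")


def expand_vars(path: str, env: dict) -> str:
    """Expand %NAME% references case-insensitively from env; unknown names stay as-is."""
    lowered = {k.lower(): v for k, v in env.items()}
    return _VAR.sub(lambda m: lowered.get(m.group(1).lower(), m.group(0)), path)


def _normalize(path: str, env: dict) -> str:
    return str(PureWindowsPath(expand_vars(path, env))).lower()


def parse_allowed(value: str, install_dir: str, env: dict) -> dict:
    """Parse 'name,mode;name,mode;...' into {normalized full path: AccessMode}.

    Raises ValueError on a malformed entry or an access mode outside 0..2, so a
    typo in the configuration fails loudly instead of silently granting access."""
    table = {}
    for item in (p.strip() for p in value.split(";")):
        if not item:
            continue  # the trailing ';' in the examples leaves an empty element
        name, sep, mode = item.rpartition(",")
        if not sep or not name or mode not in ("0", "1", "2"):
            raise ValueError(f"bad Allowed entry: {item!r}")
        path = PureWindowsPath(expand_vars(name, env))
        if len(path.parts) == 1:  # bare file name -> relative to the installation folder
            path = PureWindowsPath(install_dir) / path
        table[str(path).lower()] = AccessMode(int(mode))
    return table


def access_mode(app_path: str, table: dict, env: dict):
    """Return the AccessMode for the full path of a running application, or None if unlisted."""
    return table.get(_normalize(app_path, env))
```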
Disable
This entry is used to specify a list of applications, separated with ‘;’, which will not be allowed to use the ActiveX plugin.
Default value is none; all applications will be able to use the plugin.
Note: This parameter has no effect on the Netscape plugin, since its API offers no good way to block loading.
Enable
Use this parameter to enable/disable installation of web browser plugins.
0 – Web browser plugins are not available
1 – Web browser plugins are available
Default value is 1; web browser plugins are available.
StartService
This entry is used to enable/disable the start of the certificate service when loaded.
0 -> Will not start service
1 -> Will start service
Default value is 0; will not start service.
6.37 [Report LOGON]
This section can be used to report successful workstation logon.
Example:
[Report LOGON]
1=load iid.dll,EntryAdmin -report -eventlog -info "Logon success %upn%" -app "LOGON" -number %number%
6.38 [Report PIN]
This section can be used to report successful PIN attempts.
Example:
[Report PIN]
1=-action <action>
6.39 [Report UNLOCK_WORKSTATION]
This section can be used to report successful workstation unlock.
Example:
[Report UNLOCK_WORKSTATION]
1=load iid.dll,EntryAdmin -report -eventlog -info "Unlock success %upn%" -app "UNLOCK" -number %number%
6.40 [SCS]
This section controls the behavior of the SCS (Signature Creation Service). SCS is a signature method used with HTML5 and has been implemented according to the VRK (the Finnish Population Register Centre) specification ‘HTML5 AND DIGITAL SIGNATURES, Signature Creation Service 1.0.1’. For the specification, see https://eevertti.vrk.fi/Default.aspx?id=0&docid=1335.
The setting [General] -> ExtraService has to include ‘SCS’ for the configuration to have any effect.
Example:
[General]
ExtraService=SCS
[SCS]
Address=127.0.0.1
Ports=8088;23123;53951
Size=0x02000000
Protocols=https
Address
This entry is used to set the IP address of the SCS, but at the moment it must always be set to localhost (127.0.0.1). It is reserved for future use, should there be any extension to IPv6.
Ports
This entry is used to set the ports for the SCS. The SCS specification defines that the first available port is used, so the default settings should not be changed. It is reserved for future use, should there be any extension to IPv6.
Default value is 8088;23123;53951; the values should not be changed.
Protocols
This entry is used to define the protocols that are allowed for the use of SCS. Valid protocols are http and/or https.
Example:
Protocols=http;https
Default value is none; no protocols allowed.
Size
This entry is used to define the maximum size of a signature in bytes. The SCS specification recommends 2 MB as the maximum size, but the value may be set anywhere in the interval 4 kB to 16 MB.
Default value is 0x02000000; maximum size of 2 MB.
Start
This entry is used to enable the SCS.
Example:
[SCS]
Start=-signsrv start
Stop
This entry is used to disable the SCS.
Example:
[SCS]
Stop=-signsrv stop
6.41 [SingleSignOn]
This section controls the behavior of the single-sign-on component for Windows. It will require the single-sign-on component to
be included in the installation.
CSP
This entry is used to enable/disable the support for single-sign-on for CryptoAPI CSP.
0 -> CSP single-sign-on disabled
1 -> CSP single-sign-on enabled
Default value is 0; single-sign-on disabled.
Disable
This entry is used to specify a list of applications, separated with ‘;’, which always will have single-sign-on disabled.
Default value is none; all applications will use single-sign-on when available.
PKCS11
This entry is used to enable/disable the support for single-sign-on for PKCS#11.
0 -> PKCS#11 single-sign-on disabled
1 -> PKCS#11 single-sign-on enabled
Default value is 0; single-sign-on disabled.
Server
This entry is used to specify a list of applications, separated with ‘;’, which may act as single-sign-on server.
Server=winlogon.exe;lsass.exe
Default value is none; no application may act as single-sign-on server.
Note: The single-sign-on server process should never be stopped or restarted since the result is unpredictable if single-sign-on
client processes are connected when the server process is stopped or restarted. Either use the Windows logon process that is
always available or use StartServer below.
StartServer
This entry is used to specify a list of applications, separated with ‘;’, which may start single-sign-on server.
StartServer=winlogon.exe;lsass.exe;logonui.exe
Default value is none; no application may start single-sign-on server.
Note: See the note above regarding the Server entry for when to use the StartServer and Server parameters respectively.
UseCache
This entry is used to enable/disable the support for single-sign-on via a cache server. The normal single-sign-on solution will
direct CSP/PKCS11 calls to a single process which will have exclusive access to the smart card.
0 -> Cache server disabled
1 -> Cache server enabled
Default value is 0; normal single-sign-on is used.
Note 1: The cache server acts as a database for PINs, and therefore a PIN pad cannot be used.
Note 2: Disable CSP/PKCS11 single-sign-on when the cache server is enabled.
Note 3: Run the single-sign-on server as a service when the cache server is enabled.
UseService
This entry specifies whether the single-sign-on server should be running as a service or as a background process.
0 -> Run as background process
1 -> Run as service
Default value is 0; run as background process.
UseStored
This entry specifies whether the single-sign-on server should search for username/password stored on tokens and use the
information to automatically fill the username/password edit boxes.
0 -> Stored username/password not used
1 -> Stored username/password used
Default value is 0; no search for stored username/password.
The search checks the private box area for objects with the following format:
<entry>=<name>;<title>;<user>;<pwd>
Value <entry> is the private object name: “SSO” followed by a number starting from 1.
Value <name> is a descriptive string used for presentation.
Value <title> is the title of the username/password dialog that should be filled.
Value <user> is the username that will be filled in.
Value <pwd> is the password that will be filled in.
Example:
SSO1=My;Connect Database;JohnDoe;4711
6.42 [SmartCard]
This section controls the smart card policy.
CalculateUsedTime
This entry specifies whether execution time on smart card should be written to trace.
0 -> Will not calculate and write card execution time
1 -> Will calculate and write card execution time
Default value is 1; will calculate and write execution time.
Note: This time may be misleading when measuring small time differences, since most of the time may be spent writing to trace.
CommandChaining
Command chaining will be activated when 256 or more bytes are sent towards smart card. This parameter may be used to set a
lower number to activate command chaining earlier.
X -> The number of bytes which will start command chaining
Default value is 0; command chaining is activated when needed.
CreateUpdateCounter
This entry enables/disables creation of the update counter as soon as a user is logged in to a smart card.
0 -> Update counter created when updating objects
1 -> Update counter created at logon
Default value is 0; will create update counter when creating any other object.
Note: The update counter is needed for public object caching; not using update counter may affect performance, since it may
cause unnecessary reading of public objects.
DefaultProfile
All smart card profiles have a detection mechanism built into the specification, but this parameter may be used to detect a card
profile not using the standard detection mechanism. Currently, only “PKCS#15” and “ISO7816-15” are supported.
Default value is none; profiles are found according to specifications.
MaxProfiles
The card profile is detected after card type detection. Some smart cards have multiple profiles on the same smart card which should be loaded in parallel. This parameter specifies the maximum number of profiles that may be detected.
Example:
MaxProfiles=4
Default value is 4; the same value as the maximum number of PINs (currently 4).
NoDiskCache
This entry is used to disable writing the card cache file to disk. The SSO service will be used for the card cache if available.
0 -> Card cache will be written to disk
1 -> Card cache will not be written to disk
Default value is 0; card cache will be written to disk.
ObjectSortMode
This entry is used to set sorting mode for the certificates on a smart card. Some applications will use the first returned certificate
as the default certificate, so it can be considered as setting the default certificate.
0 -> none -> Certificates are returned in stored order
1 -> day -> Certificates are returned newest first, based on day
2 -> second -> Certificates are returned newest first, based on seconds
Default value is 2; sorting based on seconds.
Note: The sorting order also specifies the default behavior for different versions of Net iD Enterprise. Value 0 is the behavior for
version 5.3 and earlier, value 1 is the behavior for version 5.4 to 5.5, and value 2 is behavior for version 5.6 and later.
PinExpire
This entry is used to enable/disable PIN expire policy. The PIN may be configured to require a change after X number of days.
0 -> PIN expire policy disabled
X -> PIN will expire after X days
Default value is 0; no PIN expire policy.
Note: The PIN expire policy requires support for a PIN update counter with time on the smart card. Some smart cards only store a PIN update counter, a single byte with no connection to any time.
PinHistory
This entry is used to enable/disable password history checking. When enabled the old password will be stored as a private
object and compared with a new password.
0 -> Password history disabled
X -> The new password is compared with the last X passwords
Default value is 0; no password history checking.
PinMaxLen
This entry is used for maximum PIN length policy.
0 -> No maximum PIN length
X -> Maximum X bytes PIN length
Default value is 0; smart card profile will specify the PIN policy.
Note: The PIN policy in the smart card profile must also be fulfilled, so all policies must be satisfied.
PinMinLen
This entry is used for minimum PIN length policy.
0 -> No minimum PIN length
X -> Minimum X bytes PIN length
Default value is 0; smart card profile will specify the PIN policy.
Note: The PIN policy in the smart card profile must also be fulfilled, so all policies must be satisfied.
PinPolicy
This entry is used for password policy, 0xaAbBcCdD:
aA -> min/max for number of digits
bB -> min/max for number of lower characters
cC -> min/max for number of upper characters
dD -> min/max for number of special characters
Default value is 0; no special PIN policy.
Note: The PIN policy in the smart card profile must also be fulfilled, so all policies must be satisfied.
PinType
This entry is used for the PIN type policy; the requirements are listed below:
0 -> all characters (case sensitive)
1 -> all characters (case insensitive)
2 -> all characters (min 2 digits and max 2 in row or in sequence)
3 -> all characters (min 2 digits and max 2 in row)
4 -> only digits
Default value is 0; smart card profile will specify the PIN policy.
Note: The PIN policy in the smart card profile must also be fulfilled, so all policies must be satisfied.
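As an added example (not SecMaker's code), the following Python checks a candidate PIN against PinMinLen, PinMaxLen, PinPolicy and PinType as described above. The nibble order within 0xaAbBcCdD, that a maximum of 0 means no maximum, and the reading of "in row" and "in sequence" are assumptions stated in the code; the card profile's own PIN policy is enforced on the card and is not modelled.

```python
"""Checker for the [SmartCard] PIN policy entries above: PinMinLen, PinMaxLen,
PinPolicy (0xaAbBcCdD) and PinType.

Added example, not SecMaker code. Assumptions the page leaves open: within
each byte of PinPolicy the high nibble is the minimum count and the low
nibble the maximum, a maximum nibble of 0 means "no maximum" (so 0 is "no
policy" as documented), "max 2 in row" means no three identical characters
in a row, and "in sequence" means no three consecutive characters such as
123 or cba. Special characters are everything that is not a digit, lower
case or upper case letter."""
from dataclasses import dataclass


@dataclass
class PinRules:
    min_len: int = 0   # PinMinLen, 0 = no minimum
    max_len: int = 0   # PinMaxLen, 0 = no maximum
    policy: int = 0    # PinPolicy as 0xaAbBcCdD
    pin_type: int = 0  # PinType 0..4


def class_bounds(policy: int) -> list:
    """Split 0xaAbBcCdD into (min, max) pairs for digits, lower, upper, special."""
    return [((policy >> shift) >> 4 & 0x0F, (policy >> shift) & 0x0F)
            for shift in (24, 16, 8, 0)]


def longest_run(s: str, step: int) -> int:
    """Longest run of adjacent characters whose code points differ by `step`
    (0 = repeated character, +1/-1 = ascending/descending sequence)."""
    best = run = 1 if s else 0
    for prev, cur in zip(s, s[1:]):
        run = run + 1 if ord(cur) - ord(prev) == step else 1
        best = max(best, run)
    return best


def check_pin(pin: str, rules: PinRules) -> list:
    """Return the list of violated rules; an empty list means the PIN is accepted."""
    problems = []
    if rules.min_len and len(pin) < rules.min_len:
        problems.append(f"shorter than PinMinLen={rules.min_len}")
    if rules.max_len and len(pin) > rules.max_len:
        problems.append(f"longer than PinMaxLen={rules.max_len}")

    digits = sum(c.isdigit() for c in pin)
    lower = sum(c.islower() for c in pin)
    upper = sum(c.isupper() for c in pin)
    special = len(pin) - digits - lower - upper
    counts = (("digit", digits), ("lower case", lower),
              ("upper case", upper), ("special", special))
    for (name, n), (lo, hi) in zip(counts, class_bounds(rules.policy)):
        if n < lo:
            problems.append(f"needs at least {lo} {name} characters")
        if hi and n > hi:
            problems.append(f"allows at most {hi} {name} characters")

    if rules.pin_type == 4 and not pin.isdigit():
        problems.append("PinType=4 allows digits only")
    if rules.pin_type in (2, 3):
        if digits < 2:
            problems.append("PinType 2/3 requires at least 2 digits")
        if longest_run(pin, 0) > 2:
            problems.append("more than 2 identical characters in a row")
    if rules.pin_type == 2 and max(longest_run(pin, 1), longest_run(pin, -1)) > 2:
        problems.append("more than 2 characters in sequence")
    return problems
```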
Temporary
This entry is used to specify a list of names, separated with ‘;’, containing smart card types that should be considered temporary smart cards. The parameter only has any meaning when used with an LRA component; see the LRA documentation for more information.
TemporaryValidity
This entry is used to specify the number of days of certificate validity below which a card is considered a temporary smart card. The parameter only has any meaning when used with an LRA component; see the LRA documentation for more information.
Example:
TemporaryValidity=30
UseInternalUpdate
This entry specifies the use of the internal update counter. The update counter is needed to detect updates of the smart card, so it should usually always be activated.
0 -> Internal update counter is inactive
1 -> Internal update counter is active
Default value is 1; will use internal update counter.
Note: The update counter is needed for public object caching; not using the update counter may affect performance, since it may cause unnecessary reading of public objects.
ValidateUpdateCounter
This entry enables/disables validation of the update counter when an external update counter is used.
0 -> Assumes the application handling the update counter behaves correctly
1 -> Validates the update counter at each write and resets the public cache when needed
Default value is 0; the update counter is not validated when an external update counter is used.
6.43 [SmartCard Compress]
Library
This entry specifies the full path to the Zlib compression library.
Default value depends on the operating system used; the library is loaded by its standard Zlib name.
UncompressOnly
This entry specifies the compression behavior. When reading, a compressed file is always uncompressed, but files may be written with or without compression.
0 -> Will compress when writing
1 -> Will not compress when writing
Default value is 0; will compress when writing.
6.44 [SmartCard Keys]
This section is used to specify the key to be used when secure messaging is enabled for a smart card. A mapping is made between the ATR of the smart card and the secure messaging key. The value of the key is usually a key identifier and depends on the card type.
6.45 [SmartCardProfiles]
This section contains a list of smart card profiles that are available for smart card initialization. The section is enumerated for the property ‘Profile’ (section 6.4.6 in the Net iD Enterprise Developer’s Guide).
Example:
1=Smart Card Profile
Each entry points to a new section with entry name as section name. The smart card profile section contains information about
how the smart cards should be initialized, for example which files should be created. The profile information is specific for each
supported smart card.
Note 1: Do not use unless you know exactly what you are doing.
Note 2: Do not use unless you know the consequences.
Note 3: Do not use unless you accept the consequences.
Erase
This entry will enable/disable complete erasure of smart cards before initialization.
0 -> Smart card not erased
1 -> Smart card erased
Default value is 0; smart card not erased.
Keys
This entry specifies the number of key pairs that should be generated during initialization.
Default value is 0; no key pairs are generated.
Parameter
This entry specifies a custom parameter for a specific smart card.
Default value is none; no custom parameter.
SimpleErase
This entry enables/disables simple erasure of smart card objects; the delete access condition below is overridden and set to ALW.
0 -> Simple erase disabled
1 -> Simple erase enabled
Default value is 0; simple erase disabled.
Files
The following entries in the section specify the files and/or directories that should be created. Format:
<name>=<type>:<size>:<access>:<content>
Value <name> is the full name of the object; dependent on the smart card used, but usually a directory starting with EF(MF):
3F00=…
3F002F00=…
Value <type> is the type of object; dependent on the smart card used, but usually DF (directory), EF (file) or SEC (PIN):
3F00=DF:…
3F002F00=EF:…
Value <size> is a number giving the size of the object; dependent on the smart card used, it may be the size of a file or the number of objects that may be stored in the directory. The smart card may support the string values ‘all’ and/or ‘auto’, meaning take all remaining area or try to guess the file size respectively. Example:
3f002f00=EF:auto:…
Value <access> holds the access condition elements; dependent on the smart card used and the type of object, but always four parts separated with ‘:’: <delete>, <read>, <write> and <execute>. Each element may have one of the following values: ALW (=always), NEV (=never), SO (admin PIN), PIN1, PIN2, PIN3 or PIN4.
3f002f00=EF:auto:ALW:SO:NEV:SO:…
Value <content> is the actual object content in hexadecimal form; dependent on the smart card used and the type of object.
3f002f00=EF:auto:ALW:SO:NEV:SO:0x612B4F0CA00…
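As an added example (not SecMaker's code), the following Python parses profile file entries in the format above, applies the SimpleErase override to the delete condition, and lists the objects that anyone (ALW) may delete or write, which is what a reviewer of a custom profile wants to see first. The sample profile lines and their hex content are constructed.

```python
"""Parser for the file entries of a smart card profile section,
<name>=<type>:<size>:<access>:<content>, plus a review helper listing
objects that anyone (ALW) may delete or write.

Added example, not SecMaker code. SAMPLE_PROFILE is constructed: its object
names beyond 3F00/3F002F00 and its hex content are made up, and real
content and layout are specific to each supported smart card. SimpleErase=1
overrides delete access to ALW, as described above, which parse_profile
models with the simple_erase flag."""
from dataclasses import dataclass

TYPES = {"DF", "EF", "SEC"}
ACCESS_VALUES = {"ALW", "NEV", "SO", "PIN1", "PIN2", "PIN3", "PIN4"}
SIZE_WORDS = {"all", "auto"}

SAMPLE_PROFILE = """
[Smart Card Profile]
3F00=DF:all:SO:ALW:SO:ALW:
3F002F00=EF:auto:ALW:SO:NEV:SO:0x612B4F0CA000000063504B43532D3135
3F000001=SEC:8:NEV:NEV:PIN1:ALW:
""".splitlines()


@dataclass
class ProfileObject:
    name: str       # full object name, e.g. 3F002F00
    kind: str       # DF, EF or SEC
    size: str       # decimal number, 'all' or 'auto'
    delete: str     # access conditions: ALW, NEV, SO, PIN1..PIN4
    read: str
    write: str
    execute: str
    content: bytes  # decoded from the hexadecimal <content> field


def parse_object(line: str, simple_erase: bool = False) -> ProfileObject:
    """Parse one profile line; raise ValueError on anything the format does not allow."""
    name, sep, rest = line.strip().partition("=")
    if not sep or not name:
        raise ValueError(f"missing '=' in {line!r}")
    # type, size, delete, read, write, execute, content (content holds no ':')
    fields = rest.split(":", 6)
    if len(fields) < 6:
        raise ValueError(f"too few fields in {line!r}")
    kind, size, *access = fields[:6]
    content_hex = fields[6] if len(fields) == 7 else ""
    if kind.upper() not in TYPES:
        raise ValueError(f"unknown object type {kind!r} in {line!r}")
    if size.lower() not in SIZE_WORDS and not size.isdigit():
        raise ValueError(f"bad size {size!r} in {line!r}")
    for cond in access:
        if cond.upper() not in ACCESS_VALUES:
            raise ValueError(f"bad access condition {cond!r} in {line!r}")
    delete, read, write, execute = (cond.upper() for cond in access)
    if simple_erase:
        delete = "ALW"  # SimpleErase=1: delete access is overridden to ALW
    if content_hex.lower().startswith("0x"):
        content_hex = content_hex[2:]
    return ProfileObject(name.upper(), kind.upper(), size.lower(),
                         delete, read, write, execute,
                         bytes.fromhex(content_hex) if content_hex else b"")


def parse_profile(lines, simple_erase: bool = False) -> list:
    """Parse all object lines of a profile section, skipping blanks and the [section] header."""
    return [parse_object(l, simple_erase)
            for l in lines if l.strip() and not l.strip().startswith("[")]


def world_writable(objects) -> list:
    """Names of objects anyone may delete or write; review these before initializing cards."""
    return [o.name for o in objects if "ALW" in (o.delete, o.write)]
```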
6.46 [SmartCardReader]
This section controls the behavior for smart card readers.
AllowReaderRemoval
This entry enables/disables the removal of a PKCS#11 slot at runtime when its smart card reader is removed.
0 -> Reader will continue to exist
1 -> Reader will be removed
Default value is 0; reader will not be removed.
Note: The reason for not removing is that the PKCS#11 standard has no defined policy for slot removal. Removal of slots may
cause undefined behavior for PKCS#11 applications.
Accepted
This entry contains a list of smart card reader names that are acceptable, separated with ‘;’.
Default value is none; all reader names are accepted.
Use the [SmartCardReader]>Denied parameter to specify a list of reader names that are denied.
CachePath
This entry contains a full path to a directory which will be used to store the smart card cache.
Default value is none; will use the standard temporary directory, location depending on operating system and version.
CacheValidity
This entry specifies the number of minutes the smart card cache is valid for user environment.
CacheValidity=10080
Default value is 10080; one week, 7*24*60=10080 minutes.
CacheAcceptUnknown
This entry specifies whether the smart card cache may be used when no update counter is available.
0 -> Will not use the cache when the status is unknown
X -> The cache is valid for X minutes when no update counter is available
Default value is 0; cache is inactive when no update counter is available.
CheckInformation
This entry enables/disables the check for information from the smart card reader, for example driver version or PIN pad
information.
0 -> Will not check for information
1 -> Will check for information
Default value is 0; will not check for information.
Note: There are smart card reader drivers that will crash when checking for information. Avoid them!
CheckPinPad
This entry enables/disables the check for a PIN pad on the smart card reader; it requires that CheckInformation above is enabled.
0 -> Will not check for PIN pad
1 -> Will check for PIN pad
Default value is 0; will not check for PIN pad.
Denied
This entry contains a list of smart card reader names that are not acceptable, separated with ‘;’.
Default value is none; all reader names are accepted.
Use the [SmartCardReader]>Accepted parameter to specify a list of reader names that are accepted.
Detect
This entry specifies the number of seconds from initialize that the library should search for smart card readers. This allows smart
card readers to be inserted after the library has been initialized.
0 -> Will not search for readers
1 -> Will do a single search for readers
X -> Will search X seconds for readers
-1 -> Will search forever for readers
Default value is 60; will search for smart card readers for 60 seconds.
Note: This search may cause memory leaks if bad PC/SC smart card reader drivers are installed, so the value -1 is not recommended on terminal servers.
KeepLoggedInLocked
This entry controls the behavior when a smart card is opened and the session is logged on.
0 -> Will not lock reader when logged on
1 -> Will lock reader when logged on
Default value is 0; will not lock reader when logged on.
Note 1: Locking the reader will stop other applications from using the smart card reader in parallel. This may cause
interoperability problems.
Note 2: This behavior is identical to the situation when smart card is used with PIN pad, it will not release the reader until logged
out to avoid multiple PIN entries.
Note 3: Only use this feature when single-sign-on is enabled or a single application is using the smart card.
KeepPinCache
This entry specifies the number of milliseconds the PIN should be kept after card removal. This can be used to avoid clearing the PIN cache when a smart card reader generates spurious remove/insert events, but should not be used in normal situations.
0 -> Will not keep PIN cache after remove event
X -> Number of milliseconds PIN is kept in cache after remove event
Default value is 0; PIN cache is cleared when the smart card is removed.
LockDelay
This entry specifies the number of seconds to keep the card locked after usage. This may be used to increase performance, since locking/releasing the card may take substantial time.
0 -> Will not delay release
X -> Will delay X seconds before release
Default value is 0; no delay when releasing card.
LockTimeout
This entry specifies the number of seconds to keep trying to lock the card when it is in use by another application.
0 -> No lock timeout
X -> Will try to lock for X seconds
Default value is 30; will try locking the card for 30 seconds.
MaxTransfer
This entry configures the maximum number of bytes that may be transmitted for each smart card call. Minimum value is 64
bytes and maximum value is 255 bytes.
MaxTransfer=255
Default value is 255; 255 bytes.
Mode
This entry specifies the mode used to connect to the smart card, either exclusive or shared mode. Exclusive mode requires the application to work alone with the smart card. Shared mode allows simultaneous connections and requires transaction handling for atomic operations.
0 -> Exclusive mode
1 -> Shared mode
Default value is 1; shared mode used.
Note: Exclusive mode will cause interoperability problems.
Poll
This entry specifies the number of milliseconds between polling for card presence.
Poll=333
Default value is 333; 333 milliseconds.
Protocol
This entry specifies the protocol to use when communicating with the smart card.
0 -> T0, supported by most cards
1 -> T1, faster but not supported by older cards
-1 -> T0 or T1, negotiated with card
Default value is -1; protocol negotiated with smart card.
ReloadOnError
This entry specifies the behavior when the reader connection fails for some reason.
0 -> Do nothing
1 -> Reload connections
2 -> Reload connection and library
Default value is 0; do nothing.
SingleConnection
This entry specifies the behavior when connecting to the smart card reader. Either uses one connection for all purposes or two
connections, one connection for smart card status and one connection for transmitting smart card commands.
0 -> Two connections
1 -> One connection
2 -> One global connection (never released)
Default value is 0; two connections.
Scope
This entry specifies the scope for the smart card reader connection: user, terminal, system or global. The real meaning of scope depends on the smart card reader type; it is currently only used by PC/SC. See the PC/SC documentation for more information.
0 -> User scope
1 -> Terminal scope
2 -> System scope
3 -> Global scope
Default value is 0 for user processes and 2 for system processes.
SystemCacheValidity
This entry specifies the number of minutes the smart card cache is valid for system environment.
SystemCacheValidity=10080
Default value is 10080; one week, 7*24*60=10080 minutes.
6.47 [SmartCardReader CTAPI]
This section controls the behavior for the CTAPI smart card reader support.
Enable
This entry specifies whether the CTAPI smart card reader support should be available.
0 -> CTAPI support not available
1 -> CTAPI support available
Default value is 1; CTAPI smart card reader support is available.
List of libraries
All CTAPI drivers are delivered as a dynamic library and will be loaded by a numbered list starting from 1. The format for each
entry is: "<ctn>,<pn>,<library>":
<ctn> - Context number, defined by each CTAPI driver, usually 0
<pn> - Port, defined by each CTAPI driver, usually 0
<library> - Full path to dynamic library
Example:
1=0,0,C:\Program Files\Net iD\iidctapi.dll
6.48 [SmartCardReader PCSC]
This section controls the behavior of the PC/SC smart card reader support.
CallTrace
This entry controls whether each PC/SC call is written to the trace.
0 -> PC/SC calls are not written to trace
1 -> PC/SC calls are written to trace
Default value is 0; PC/SC calls are not written.
Note: All PC/SC calls are written when enabled which may cause trace to grow large quite fast, since even smart card polling is
written.
Enable
This entry specifies whether the PC/SC smart card reader support should be available.
0 -> PC/SC support not available
1 -> PC/SC support available
Default value is 1; PC/SC smart card reader support is available.
Library
This entry specifies the PC/SC library that should be loaded. Default values:
Windows – winscard.dll
Linux – libpcsclite.so
macOS – libpcsclite.dylib
StateTimeout
This entry changes how smart card presence is checked.
Normally smart card presence is checked by polling the smart card readers frequently; the poll interval is controlled by the
[Smart Card Reader]>Poll entry.
With this parameter a state-driven call is used instead, which asks for the reader state and does not return until something has
changed.
0 -> Normal polling is used
X -> State driven presence is used, specify the number of minutes for timeout (10 recommended).
Default value is 0; normal polling is used.
Note 1: This feature requires enhanced support for the PC/SC implementation and eventually some enhanced support for the
PC/SC smart card reader driver. Currently this feature should only be used with Windows, since there are some unknown
problems for Linux/macOS platforms.
Note 2: This feature may work better with some PC/SC smart card drivers compared with polling, but there is no
recommendation when polling respective state driven presence check should be used.
Unload
This entry is used to control the unloading of the PC/SC library.
0 -> Library never unloaded
1 -> Library unloaded when not used
Default value is 1; library unloaded when not used.
Note: Library unloading currently works badly for Linux/macOS platforms, recommended value is therefore never unload on
these platforms.
UseCritical
This entry is used to add a global critical section for all PC/SC calls. When it is enabled only one thread will access PC/SC at
each time.
0 -> Critical section is not enabled, multiple threads may access
1 -> Critical section is enabled, multiple threads may not access
Default value is 0; critical sections should be handled by PC/SC.
Note: Normal usage will have no problem with multiple threads accessing at the same time, but some drivers have problems, so
it may be useful for testing.
6.49 [SoftToken]
This section controls the soft token policy.
The password policy (PinMinLen, PinMaxLen and PinType) in effect when a soft token is created is stored within the soft token,
so it cannot be changed after creation.
Events
This entry is used to add event handling to soft tokens. A soft token removed by another process generates a remove event, and
an update of the soft token generates an insert event, so that applications can detect updates.
0 -> No special event handling
1 -> Events are checked each time a calling application checks for events
2 -> Events are checked each time a calling application checks for slots
3 -> Events are checked each time a calling application checks for events and/or slots
Default value is 0; no special event handling.
FileExtension
This entry is used to specify the file type used by soft tokens. The internal soft token format “.tkn” is the only supported value for
Windows/Linux. macOS may use the internal format or Apple “.keychain”.
Default value is none; internal soft token format.
Example:
FileExtension=.tkn
PinExpire
This entry is used to enable/disable password expire policy. The password may be configured to require a change after X
number of days.
0 -> Password expire policy disabled
X -> Password will expire after X days
Default value is 0; no password expire policy.
PinFailure
This entry is used to specify how password failures will be handled for soft tokens, i.e. if a user gives the wrong password when
trying to use the soft token.
PinFailure=0xAABBCCDD
AA -> Number of milliseconds of delay between failures to give the correct password.
Will be multiplied with the number of failed tries.
BB -> not used
CC -> Number of minutes that the password will be blocked.
DD -> Number of tries until the password is blocked.
Default value is none; no handling of password failures for soft tokens.
Example:
[SoftToken]
PinFailure=0x64000A0A
- AA=64: 100 ms of delay between tries, i.e. the delay after first try is 100ms, after second try 200ms, and so on.
- CC=0A: the password will be blocked for 10 minutes until it is possible to try again.
- DD=0A: the password will be blocked after 10 failed tries.
If no blocking period is configured, i.e. CC is set to 00, a restart of the application is necessary to be able to make new tries.
If a blocking period is configured a restart will make no difference since it is stored in the object, i.e. you will have to wait until
the blocking period ends to get DD new tries.
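The PinFailure word packs three policy values into one 32-bit number, and the resulting delay and blocking behaviour is easy to get wrong when reading or writing the value by hand. The following Python is an added example, not SecMaker code: it decodes and encodes the 0xAABBCCDD layout described above and models the documented behaviour (delay AA multiplied by the failure count, block for CC minutes after DD failures, block until restart when CC is 00). The token state class and the minute-based clock are a model constructed for illustration, not the product's storage format.

```python
"""Decode and encode the [SoftToken] PinFailure word (0xAABBCCDD) and simulate
the delay/blocking behaviour it configures. Added example, not SecMaker code;
the in-memory token state below is a model of the documented behaviour."""
import hmac
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class PinFailurePolicy:
    delay_ms: int        # AA: base delay, multiplied by the number of failed tries
    block_minutes: int   # CC: minutes the password stays blocked (0 = until restart)
    max_tries: int       # DD: failed tries before the password is blocked (0 = never)

    @classmethod
    def decode(cls, word: int) -> "PinFailurePolicy":
        if not 0 <= word <= 0xFFFFFFFF:
            raise ValueError("PinFailure must be a 32-bit value")
        return cls(delay_ms=(word >> 24) & 0xFF,        # AA
                   block_minutes=(word >> 8) & 0xFF,    # CC (BB, bits 16..23, is unused)
                   max_tries=word & 0xFF)               # DD

    def encode(self) -> int:
        for name, value in vars(self).items():
            if not 0 <= value <= 0xFF:
                raise ValueError(f"{name} must fit in one byte")
        return (self.delay_ms << 24) | (self.block_minutes << 8) | self.max_tries

    def delay_after(self, failed_tries: int) -> int:
        """Delay in ms applied after the n-th consecutive failure: AA multiplied by n."""
        return self.delay_ms * failed_tries


class SoftTokenPin:
    """Password state of one soft token (model). A configured block period is stored
    with the token object, so it survives an application restart; with CC=00 the
    block only exists in the running process."""

    def __init__(self, policy: PinFailurePolicy, correct_pin: str):
        self.policy = policy
        self._pin = correct_pin.encode()
        self.failed = 0
        self.blocked_until = None   # minutes on the caller's clock, or math.inf

    def verify(self, pin: str, now_minutes: float) -> tuple[str, int]:
        """Returns (status, delay_ms); status is 'ok', 'wrong' or 'blocked'."""
        if self.blocked_until is not None:
            if now_minutes < self.blocked_until:
                return "blocked", 0
            self.blocked_until = None   # block period over: DD new tries
            self.failed = 0
        if hmac.compare_digest(pin.encode(), self._pin):
            self.failed = 0
            return "ok", 0
        self.failed += 1
        delay = self.policy.delay_after(self.failed)
        if self.policy.max_tries and self.failed >= self.policy.max_tries:
            if self.policy.block_minutes:
                self.blocked_until = now_minutes + self.policy.block_minutes
            else:
                self.blocked_until = math.inf   # CC=00: cleared only by an application restart
            return "blocked", delay
        return "wrong", delay


if __name__ == "__main__":
    policy = PinFailurePolicy.decode(0x64000A0A)
    print(policy, hex(policy.encode()))
```

Decoding the documented value 0x64000A0A gives a 100 ms base delay, a 10 minute block and 10 tries; the model returns "blocked" on the tenth wrong password and keeps returning it until the caller's clock has moved 10 minutes past the block.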
PinHistory
This entry is used to enable/disable password history checking. When enabled the old password will be stored as a private
object and compared with a new password.
0 -> Password history disabled
X -> Password will compare X last passwords
Default value is 0; no password history checking.
PinMaxLen
This entry is used for maximum password length policy.
0 -> No maximum password length
X -> Maximum X bytes password length
Default value is 64; maximum 64 bytes password.
PinMinLen
This entry is used for minimum password length policy.
0 -> No minimum password length
X -> Minimum X bytes password length
Default value is 2; minimum 2 bytes password.
PinPolicy
This entry is used for the password policy, 0xaAbBcCdD:
aA -> min/max for number of digits
bB -> min/max for number of lower characters
cC -> min/max for number of upper characters
dD -> min/max for number of special characters
Default value is 0; no password policy.
PinType
This entry is used for password type policy, the requirements are below:
0 -> all characters (case sensitive)
1 -> all characters (case insensitive)
2 -> all characters (min 2 digits and max 2 in row or in sequence)
3 -> all characters (min 2 digits and max 2 in row)
4 -> only digits
Default value is 0; all characters allowed and case sensitive.
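The length, type and PinPolicy entries above together define what a soft token password must look like. The following Python is an added example, not SecMaker code: a checker that applies PinMinLen, PinMaxLen, PinType and the 0xaAbBcCdD PinPolicy word to a candidate password and reports every violation. Two points are assumptions where the text is not explicit: in each PinPolicy byte xX the high nibble is taken as the minimum and the low nibble as the maximum count (a maximum of 0 meaning no maximum), and the PinType 2/3 "in a row" and "in sequence" rules are applied to any three consecutive characters of the password.

```python
"""Check a soft token password against the [SoftToken] PinMinLen, PinMaxLen,
PinType and PinPolicy entries. Added example, not SecMaker code. Assumptions:
in each PinPolicy byte xX the high nibble is the minimum and the low nibble the
maximum count, a maximum of 0 means no maximum, and the PinType 2/3 'in a row'
and 'in sequence' rules apply to any three consecutive characters."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SoftTokenPinPolicy:
    min_len: int = 2     # PinMinLen default
    max_len: int = 64    # PinMaxLen default
    pin_type: int = 0    # PinType default: all characters, case sensitive
    policy: int = 0      # PinPolicy word 0xaAbBcCdD, default: no policy


# PinPolicy byte position (bit shift) and classifier for each character class.
_CLASSES = (
    ("digits", 24, str.isdigit),
    ("lower", 16, str.islower),
    ("upper", 8, str.isupper),
    ("special", 0, lambda c: not c.isalnum()),
)


def _has_run(pin: str, sequence: bool) -> bool:
    """Three consecutive characters identical, or (if sequence) stepping by +1/-1."""
    for a, b, c in zip(pin, pin[1:], pin[2:]):
        if a == b == c:
            return True
        step1, step2 = ord(b) - ord(a), ord(c) - ord(b)
        if sequence and step1 == step2 and abs(step1) == 1:
            return True
    return False


def normalize_pin(pin: str, pol: SoftTokenPinPolicy) -> str:
    """PinType=1 compares passwords case insensitively; all other types keep case."""
    return pin.casefold() if pol.pin_type == 1 else pin


def check_pin(pin: str, pol: SoftTokenPinPolicy) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    if pol.pin_type not in range(5):
        raise ValueError(f"unknown PinType {pol.pin_type}")
    problems = []
    n = len(pin.encode("utf-8"))   # PinMinLen/PinMaxLen are byte lengths
    if pol.min_len and n < pol.min_len:
        problems.append(f"shorter than PinMinLen={pol.min_len}")
    if pol.max_len and n > pol.max_len:
        problems.append(f"longer than PinMaxLen={pol.max_len}")

    digits = sum(c.isdigit() for c in pin)
    if pol.pin_type == 4 and not all(c.isdigit() for c in pin):
        problems.append("PinType=4 allows digits only")
    if pol.pin_type in (2, 3):
        if digits < 2:
            problems.append(f"PinType={pol.pin_type} requires at least 2 digits")
        if _has_run(pin, sequence=(pol.pin_type == 2)):
            problems.append("more than 2 characters in a row"
                            + (" or in sequence" if pol.pin_type == 2 else ""))

    for name, shift, pred in _CLASSES:
        minimum = (pol.policy >> (shift + 4)) & 0xF   # high nibble (assumed minimum)
        maximum = (pol.policy >> shift) & 0xF         # low nibble (assumed maximum, 0 = none)
        count = sum(pred(c) for c in pin)
        if count < minimum:
            problems.append(f"fewer than {minimum} {name}")
        if maximum and count > maximum:
            problems.append(f"more than {maximum} {name}")
    return problems


if __name__ == "__main__":
    print(check_pin("ab12!", SoftTokenPinPolicy(policy=0x20100011)))
```

With PinPolicy=0x20100011 (at least two digits, at least one lower case character, exactly one special character) the password "ab12!" passes, "ab12!!" fails on the special character maximum and "AB12!" fails on the lower case minimum.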
6.50 [TaskbarEvent]
This section controls the behavior of taskbar events.
[TaskbarEvent Insert]
A list of commands executed when a smart card is inserted.
[TaskbarEvent Remove]
A list of commands executed when a smart card is removed.
6.51 [Trace]
This section is used to enable a trace for all components or specific components, always specify full path to a file.
Note: The process writing the trace must have write access to the file. This is usually only a problem when using Internet Explorer on
Windows platforms, since its file system access protection, also known as the sandbox, may stop updates even when Everyone has
full access.
Component
Use component name as entry instead of File to enable trace for a specific component:
Admin=C:\Temp\iid.txt
CredentialProvider=C:\Temp\iid.txt
CSP=C:\Temp\iid.txt
Directory=C:\Temp\iid.txt
MiniDriver=C:\Temp\iid.txt
Pkcs11=C:\Temp\iid.txt
Plugin=C:\Temp\iid.txt
SSO=C:\Temp\iid.txt
Watch=C:\Temp\iid.txt
Web=C:\Temp\iid.txt
File
Use the File entry to write the trace for all components to the same file without the Net iD Trace service:
File=C:\Temp\iid.txt
Server
Use the Server entry to write the trace for all components to the same file through the Net iD Trace service:
File=server
Server=C:\Temp\iid.txt
Note: Using the Net iD Trace service has less impact on performance, but the service must be started manually. If a reboot is
needed while the trace is being collected, set the service startup type to Automatic.
UseLocalTime
This entry specifies if local time should be used when creating trace file.
0 -> Local time is not used
1 -> Trace will be created with local time
Default value is 1; local time will be used.
6.52 [Trace Call]
This section specifies the call trace for different components. The difference between Trace Call and normal Trace is that a call
trace only records function entries and results. Tracing always affects performance, but a call trace has less impact than a full
trace.
The following components have call trace available:
CSP *
Minidriver *
Pkcs11
*) The component is only available on Windows platforms.
Specify full path to the file which will receive the trace.
Example:
Pkcs11=c:\temp\iid.txt
Note: Normal Trace must be disabled.
[Trace]
File=
Server=
6.53 [View]
FileExtension
There are several ways to open different files, but to avoid misuse all file types that may be opened should be registered,
separated with ‘;’.
Example:
FileExtension=.txt;.html;.htm;.cer;.crt;http;https
Default value is “.txt;.html;.htm;.cer;.crt;http;https”.
iidxwatch.exe
There are several ways for the watch component to open different files, but to avoid misuse all file types that may be opened
should be registered, separated with ‘;’.
Example:
iidxwatch.exe=.exe;.bat;.vbs
Default value is none.
6.54 [Watch]
This section controls the behavior of the Watch component. Will require the Watch component to be included in the installation.
UseService
This entry specifies whether the Watch component should be running as a Windows service or a background process.
0 -> Run as background process
1 -> Run as Windows service
Default value is 0; run as background process. This parameter is for Windows only and will be ignored by other operating
systems.
6.55 [Multiple Watch commands]
The original approach for Watch was a single command that should be executed either at insertion or removal of a smart card.
To handle multiple commands the command “config” may be used:
iidxwatch.exe config
This command will check for a list of commands that should be executed when a smart card is inserted or removed. See section
7.2 Commands for more information about the available commands.
[Watch Insert]
A list of commands executed when a smart card is inserted.
[Watch Remove]
A list of commands executed when a smart card is removed.
6.56 [Multiple Watch running]
Some scenarios may require multiple Watch running in parallel:
iidxwatch.exe config Watch|Another
The result is that the initial Watch is started and it will spawn an additional process which will read startup and configuration
information from different sections.
The example below will run two Watch activated by insertion of a smart card with certificates from two different CAs:
[Command]
Watch=-match "2.5.4.3=SecMaker CA v2|A0" config Watch|Another
Watch Another=-match "2.5.4.3=SecMaker CA v3|A0" config Another
[Watch Insert]
1=open c:\temp\ca_v2.txt
[Watch Another Insert]
1=open c:\temp\ca_v3.txt
6.57 [Logon Watch]
The normal Watch component will execute events based on smart card insertion and removal, but some scenarios will require a
command to be executed only when a smart card for the logged on user is inserted and/or removed.
iidxwatch.exe config Logon
Note: The only difference is that the name “Logon” is reserved for logged on user scenarios.
[Watch Logon Insert]
A list of commands executed when smart card is inserted for the logged on user.
[Watch Logon Remove]
A list of commands executed when smart card is removed for the logged on user.
7 Watch
The Watch component is an executable which will do actions either when smart card is inserted or removed.
7.1 Arguments
The following arguments are available:
-w
-match <criteria>
-wait "<insert>|<remove>"
-message "<insert>"|"<remove>"
-hide insert|remove
-sync
-logon
-term
-recognized
config | <insert command>
The argument order is important for historical reasons. Last in the argument list is either the static value “config” or one single
insert command. The value “config” will activate the [Watch Insert] and [Watch Remove] configuration sections in configuration
which allow several different commands.
For security reasons, Watch configurations are read only from the global configuration, never from a local configuration file,
since the configured commands start programs whenever a smart card is inserted or removed.
Argument “-w”
Argument “-w” is used to wait with the execution of the command until a smart card is loaded, meaning all certificates are read.
This value only has meaning for insert commands.
Argument “-match”
Argument “-match” is used to select a specific certificate which should be used when generating an event. The match criteria
consist of an issuer field and an optional key usage, for example:
-match "2.5.4.3=SecMaker CA v2|A0"
Note: This argument is only available when used with “<insert command>” as last argument not with “config”.
Argument “-wait”
Argument “-wait” is used to specify the number of seconds to wait for a command to finish, may use separate values for insert
and remove.
-wait "60|30"
Argument “-message”
Argument “-message” is used to specify a message to be shown when command is executed, may use different messages for
insert and remove.
-message "Card inserted"|"Card removed"
Argument “-hide”
Argument “-hide” is used to specify that the command should be executed hidden; it may be limited to either the insert or the
remove command.
-hide
-hide insert
-hide remove
Argument “-sync”
Argument “-sync” is used by remove event. When specified remove events will not be generated until after a smart card is
inserted.
Argument “-logon”
Argument “-logon” is used only to generate a remove event for the currently logged on user.
Argument “-term”
Argument “-term” is used by remove event. Will require the process started at insert event to be terminated, currently only a
single process may be terminated.
Argument “-recognized”
Argument “-recognized” is used to require that the smart card is recognized, unknown cards will not generate any events.
7.2 Commands
The configuration sections [Watch Insert] and [Watch Remove] will specify a list of commands executed when a smart card is
inserted or removed.
The following commands are available for execution when a smart card is inserted or removed:
application <binary> <argument>
close <window name>
extern <library>,<argument>
kill <application>
load <library>,<argument>
open <file>
set -config <file>
set -registry <key>
Any command in the list may be prefixed with “parallel”, which only starts the execution and immediately continues with the next
command, ignoring the result. A command without the prefix must execute successfully before the next command is started; on
failure no further commands are executed.
Command ‘application’
Command “application” is used to start any application <binary> with any argument <argument>.
application c:\windows\notepad.exe c:\iid.txt
Successful execution will always require the process to start, but may also depend on “-wait” argument if present.
Command ‘close’
Command “close” is used to close a Microsoft Windows application. Specify the <window name> that should be closed.
Example:
close "iid - Notepad"
The execution will always be considered as successful.
Command ‘extern’
Command “extern” may be used as an insert command to read user information from an external library, for smart cards that are
not supported internally. The reader name is passed to the library together with the specified command arguments. The library
must export a function with the following syntax:
int CALLBACK
ReadCommand(
const char* pszReader,
const char* pszCmd,
char* pszData,
unsigned long nData)
Return non-zero for success and the data buffer should return username and domain information, separated with ‘;’.
extern c:\iid.dll,-iclassid -config c:\iid.txt
After a successful command execution the set command below will be executed with the collected user information.
This execution will be considered as successful if the user information is collected successfully.
Command ‘kill’
Command “kill” is used to terminate or kill an application. Will search for a process with the specified binary and try to kill that
process.
kill c:\windows\notepad.exe
This execution will always be considered as successful.
Command ‘load’
Command “load” will load a library and call the specified function. The function syntax must follow the parameter syntax used by
rundll32.exe:
load c:\iid.dll,EntryAdmin -argument
This execution will be considered successful if the function is found in the specified library; no requirement is placed on the
function's return value.
Command ‘open’
Command “open” may be used on Windows platform to open a file type defined in Registry.
open c:\temp\iid.txt
This execution will always be considered as successful.
Command ‘set’
Command “set” either specifies a configuration file or a Registry key which will be updated with user information found on the
inserted smart card. Argument “-match” may be used to specify search criteria for the user information.
set -config c:\temp\iid.txt
set -registry HKLM\Software\SecMaker\Info
This execution will be considered to be successful if user information found.
Command ‘script’
A command “script” may be used on Windows platforms in the same manner as “open”, the difference is that it will be executed
hidden.
script c:\temp\iid.vb
This execution will be considered to always be successful.
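The ordering rules of section 7.2 (numbered entries, the “parallel” prefix, stop at the first failing non-parallel command, and the commands the document defines as always successful) decide which commands actually run after a card event. The following Python is an added example, not SecMaker code: it parses a [Watch Insert] style command list and replays those rules against a pluggable runner, so the effect of a configuration can be checked without a card. The sample section text is constructed, and the runner passed in by the caller stands in for starting the real programs; the set of always-successful verbs (close, kill, open, script) is taken from the command descriptions above.

```python
"""Parse a [Watch Insert]/[Watch Remove] command list and replay it with the
sequential/parallel rules of section 7.2. Added example, not SecMaker code;
the section text and the runner are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable

# Commands the document defines as always successful, whatever actually happened.
ALWAYS_SUCCEEDS = {"close", "kill", "open", "script"}

# Constructed sample of a global-configuration section.
SAMPLE_WATCH_INSERT = r"""
[Watch Insert]
1=parallel application c:\windows\notepad.exe c:\iid.txt
2=kill c:\windows\calc.exe
3=set -registry HKLM\Software\SecMaker\Info
4=open c:\temp\iid.txt
"""


@dataclass(frozen=True)
class WatchCommand:
    index: int       # numeric key; commands run in key order
    parallel: bool   # "parallel" prefix: fire and forget
    verb: str        # application, close, extern, kill, load, open, set, script
    argument: str


def parse_watch_section(text: str) -> list[WatchCommand]:
    """Read '<n>=[parallel ]<verb> <argument>' lines; headers and blank lines are skipped."""
    commands = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("[", ";")):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip().isdigit():
            raise ValueError(f"not a numbered command entry: {line!r}")
        words = value.strip().split(None, 1)
        parallel = bool(words) and words[0].lower() == "parallel"
        if parallel:
            words = words[1].split(None, 1) if len(words) > 1 else []
        if not words:
            raise ValueError(f"empty command in entry {key.strip()}")
        verb = words[0].lower()
        argument = words[1] if len(words) > 1 else ""
        commands.append(WatchCommand(int(key.strip()), parallel, verb, argument))
    return sorted(commands, key=lambda c: c.index)


def run_watch_list(commands, runner: Callable[[WatchCommand], bool]):
    """Execute in order. runner(cmd) reports whether the command itself succeeded.
    Returns [(index, outcome)] with outcome 'started' (parallel), 'ok', 'failed'
    or 'skipped' (not run because an earlier non-parallel command failed)."""
    outcomes = []
    stop = False
    for cmd in commands:
        if stop:
            outcomes.append((cmd.index, "skipped"))
            continue
        reported = runner(cmd)
        if cmd.parallel:
            outcomes.append((cmd.index, "started"))   # result ignored, continue at once
            continue
        ok = True if cmd.verb in ALWAYS_SUCCEEDS else bool(reported)
        outcomes.append((cmd.index, "ok" if ok else "failed"))
        stop = not ok
    return outcomes


if __name__ == "__main__":
    cmds = parse_watch_section(SAMPLE_WATCH_INSERT)
    # Dry run: pretend nothing could be started; 'kill' still counts as successful.
    print(run_watch_list(cmds, lambda c: False))
```

With a runner that reports failure for everything, entry 1 is merely started, entry 2 (kill) still counts as successful, entry 3 (set, which requires user information to be found) fails, and entry 4 is never executed.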
8 Trace
All components in the product have trace functionality, the trace will write to a standard text file. There are two types of trace,
standard (see section 6.51 [Trace]) or only function calls (see section 6.52 [Trace Call]). Call trace is available for the three
standard interfaces: PKCS#11, CSP and Minidriver. The call trace will only trace function calls entry and return code, so there is
little impact on performance. The complete trace will generate large amounts of information and may be hard to understand.
8.1 Trace Row
Each row in the trace file will have the following format:
[<pid>:<tid>] <time> <text>
Value <pid> is process id for the process writing the trace entry.
Value <tid> is the thread id for the process thread writing the trace entry.
Value <time> is the time since the first call to the trace: hours, minutes, seconds and milliseconds, separated with ‘.’.
Value <text> is the trace information.
Example:
[1000:1111] 00.00.00.000 Trace - Date 2010-11-23 16:13:23, 'C:\Temp\iid.txt'
First row will always contain the date and the original trace file path.
Processes and Threads
The first information for each trace row is the process and thread id.
[1000:1111] 00.00.00.000 Helper - Calling application: 'C:\Program Files\Net iD\iid.exe'
[2000:2222] 00.00.00.000 Helper - Calling application: 'C:\Program Files\Net iD\iidxadm.exe'
This example has two processes 1000 and 2000. It is always useful to search for the “Calling application” string, to find the real
application, this example iid.exe and iidxadm.exe.
Multiple applications calling at the same time may cause some confusion when trying to understand the trace; see Trace Split in
section 8.3 Help Functionality for how to separate the trace for easier understanding.
There are also scenarios where a single application will spawn several threads:
[1000:1111] 00.00.00.000 Helper - Calling application: 'C:\Program Files\Net iD\iid.exe'
[1000:1111] …
[1000:1122] …
[1000:1122] …
Understanding the difference between processes and threads is not part of this document, but the information is at least
available in the trace.
Execution Time
Second part of the trace is the execution time and this information is useful in identifying performance issues.
The example below shows 1 minute, 23 seconds and 45 milliseconds between the trace rows (the fields are hours, minutes,
seconds and milliseconds). This time used with the functions below will show the execution time for each function.
[1000:1111] 00.00.00.000 …
…
[1000:1111] 00.01.23.045 …
If UseLocalTime is enabled execution time is presented in local time. The example below shows function executed between
1:12 PM and 1:24 PM local time.
[1000:1111] 13.12.00.000 …
…
[1000:1111] 13.24.00.000 …
Note: Enabling trace will affect the execution time; consider using the Net iD Trace service when performance is measured.
8.2 Functions
The product delivers standard application program interfaces: PKCS#11, CSP and Minidriver. These interfaces are well
documented; see each corresponding chapter in the Net iD Enterprise Developer’s Guide. The product will also deliver the
plugin interface which is documented in the Developer’s Guide, see chapter 6 Plugin.
PKCS#11
Each PKCS#11 function call will start with the function name and end with a standard return value:
[1000:1111] 00.00.00.000 Pkcs11 - C_Initialize ...
[1000:1111] 00.00.00.070 Pkcs11 - Return CKR_OK
From the documentation you will learn C_Initialize is the startup function and CKR_OK means success, everything is as
expected. There may be errors instead:
[1000:2222] 00.00.00.100 Pkcs11 - C_Initialize ...
[1000:2222] 00.00.00.100 Pkcs11 - Return CKR_CRYPTOKI_ALREADY_INITIALIZED
The return value is not CKR_OK, so this means an error. Is this a problem? From the documentation you will learn that this
return value actually is more like a warning message, no initialize needed, since already initialized.
CSP
Each CSP function call will start with the function name and end with the function name and a Microsoft return value string.
[1000:1111] 00.00.00.307 CSP - AcquireContext ...
[1000:1111] 00.00.00.915 CSP - AcquireContext ... (OK)
The string OK means success and all other strings mean some kind of failure. The return value from CSP is always true or
false, and Windows last error is eventually updated with some error value. If the string is not OK, the string is from Microsoft
translation of the Windows last error.
[1000:1111] 00.00.00.307 CSP - AcquireContext ...
[1000:1111] 00.00.00.915 CSP - AcquireContext ... (The operation completed successfully.)
This means an error, despite the text saying that the operation completed successfully. There are scenarios where this is perfectly
normal;
information will be available from the CSP documentation.
Minidriver
Each minidriver function call will start with the function name and end with the function name and a return value and Microsoft
translation of return value.
[1000:1111] 00.00.00.031 MiniDriver - CardAcquireContext ...
[1000:1111] 00.00.01.092 MiniDriver - CardAcquireContext ... (0x00000000, OK)
The value 0x00000000 means success. The difference between CSP and Minidriver is that for Minidriver the return value and the
return string are always connected: Minidriver calls return the real value, whereas CSP calls return true or false and update
Windows last error.
Plugin
Each property plugin function call will start with information about the function and end with the same information string
followed by ‘done’.
[1000:1111] 00.00.01.023 Web - GetProperty '<property>' ...
[1000:1111] 00.00.01.033 Web - GetProperty '<property>' ... done
[1000:1111] 00.00.01.023 Web - SetProperty '<property>' ...
[1000:1111] 00.00.01.033 Web - SetProperty '<property>' ... done
[1000:1111] 00.00.01.023 Web - EnumProperty '<property>' ...
[1000:1111] 00.00.01.033 Web - EnumProperty '<property>' ... done
The return value is always done.
The invoke plugin function will start with information about the operation and the same string ended with return value.
[1000:1111] 00.00.01.023 Web - Web - Invoke <operation> ...
[1000:1111] 00.00.01.023 Web - Web - Invoke <operation> ... (0)
The return value is a number and the meaning is documented in chapter 6 Plugin of the Net iD Enterprise Developer’s Guide,
see section 6.3 Operations, for each operation.
8.3 Help Functionality
The product includes some help functions for better understanding of the trace:
- Trace parse
- Trace split
Trace Parse
The trace parse functionality will take a trace file as input and try to parse the content to a more readable format. The
functionality is available on all operating systems by calling the application loader:
"%PROGRAMFILES%\Net iD\iid.exe" -traceparse c:\temp\iid.txt
/usr/bin/iid -traceparse /tmp/iid.txt
Note: Must enter full path to trace file to parse.
The result will be a local web site, with starting index.html in same location as the original trace file.
Trace Split
The trace split functionality will take a trace file as input and split the content to one file for each process. The functionality is
available on all operating systems by calling the application loader:
"%PROGRAMFILES%\Net iD\iid.exe" -tracesplit c:\temp\iid.txt
/usr/bin/iid -tracesplit /tmp/iid.txt
The result will be one or more files with name 'iid_<pid>.txt' in the same location as the original trace file.
May also split all threads to separate files:
"%PROGRAMFILES%\Net iD\iid.exe" -tracesplit thread c:\temp\iid.txt
/usr/bin/iid -tracesplit thread /tmp/iid.txt
The result will be one or more files with name 'iid_<pid>_<tid>.txt' in the same location as the original trace file.
Note: Must enter full path to trace file to split.
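The trace row format of section 8.1, the per-interface return conventions of section 8.2 and the per-process split of section 8.3 can be applied together when reviewing a trace offline. The following Python is an added example, not SecMaker code and not the product's own trace parse or split tools: it parses rows of the form [<pid>:<tid>] <time> <text>, groups them per process or per thread like -tracesplit, recovers the calling application per process, and pairs each function entry on a thread with its return row to compute the execution time and classify the result (CKR_OK for PKCS#11, OK for CSP, 0x00000000 for Minidriver; other components are recorded without a verdict). The sample trace is constructed from the row shapes shown in this chapter.

```python
"""Parse Net iD trace rows, split them per process/thread and pair function
entries with their return rows to get execution time and success.
Added example (not SecMaker code); the sample trace below is constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample using the row shapes documented in chapter 8.
SAMPLE_TRACE = r"""
[1000:1111] 00.00.00.000 Trace - Date 2010-11-23 16:13:23, 'C:\Temp\iid.txt'
[1000:1111] 00.00.00.000 Helper - Calling application: 'C:\Program Files\Net iD\iid.exe'
[1000:1111] 00.00.00.000 Pkcs11 - C_Initialize ...
[1000:1111] 00.00.00.070 Pkcs11 - Return CKR_OK
[2000:2222] 00.00.00.000 Helper - Calling application: 'C:\Program Files\Net iD\iidxadm.exe'
[1000:2222] 00.00.00.100 Pkcs11 - C_Initialize ...
[1000:2222] 00.00.00.100 Pkcs11 - Return CKR_CRYPTOKI_ALREADY_INITIALIZED
[2000:2222] 00.00.00.307 CSP - AcquireContext ...
[2000:2222] 00.00.00.915 CSP - AcquireContext ... (OK)
[2000:2222] 00.00.01.031 MiniDriver - CardAcquireContext ...
[2000:2222] 00.01.23.045 MiniDriver - CardAcquireContext ... (0x00000000, OK)
"""

ROW_RE = re.compile(r"^\[(\d+):(\d+)\] (\d{2})\.(\d{2})\.(\d{2})\.(\d{3}) (.*)$")
START_RE = re.compile(r"^(\w+) - (.+?) \.\.\.$")            # "<Component> - <Function> ..."
RET_PKCS11_RE = re.compile(r"^Pkcs11 - Return (\S+)$")       # "Pkcs11 - Return CKR_..."
RET_PAREN_RE = re.compile(r"^(\w+) - (.+?) \.\.\. \((.*)\)$")  # CSP / MiniDriver / Invoke
RET_DONE_RE = re.compile(r"^(\w+) - (.+?) \.\.\. done$")     # plugin property calls
APP_RE = re.compile(r"^Helper - Calling application: '(.*)'$")


@dataclass(frozen=True)
class Row:
    pid: int
    tid: int
    time_ms: int   # hours.minutes.seconds.milliseconds folded into milliseconds
    text: str


@dataclass(frozen=True)
class Call:
    pid: int
    tid: int
    component: str
    function: str
    start_ms: int
    duration_ms: int
    result: str
    ok: Optional[bool]   # None when this example does not classify the component's result


def parse_trace(text: str) -> list[Row]:
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue   # blank or foreign line
        pid, tid, hh, mm, ss, ms = (int(x) for x in m.groups()[:6])
        rows.append(Row(pid, tid, ((hh * 60 + mm) * 60 + ss) * 1000 + ms, m.group(7)))
    return rows


def split_by_process(rows, by_thread: bool = False):
    """Grouping equivalent to 'iid -tracesplit [thread]': per pid, or per (pid, tid)."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r.pid, r.tid) if by_thread else r.pid].append(r)
    return dict(groups)


def calling_applications(rows) -> dict:
    """The 'Calling application' row identifies the real process behind each pid."""
    apps = {}
    for r in rows:
        m = APP_RE.match(r.text)
        if m:
            apps.setdefault(r.pid, m.group(1))
    return apps


def _classify(component: str, result: str) -> Optional[bool]:
    if component == "Pkcs11":
        return result == "CKR_OK"
    if component == "CSP":
        return result == "OK"
    if component == "MiniDriver":
        return result.startswith("0x00000000")
    return None


def pair_calls(rows) -> list[Call]:
    """Match each function entry with the next return row on the same thread (LIFO)."""
    pending = defaultdict(list)   # (pid, tid) -> stack of (component, function, start_ms)
    calls = []
    for r in rows:
        key = (r.pid, r.tid)
        m = START_RE.match(r.text)
        if m:
            pending[key].append((m.group(1), m.group(2), r.time_ms))
            continue
        m = RET_PKCS11_RE.match(r.text)
        if m:
            result = m.group(1)
        else:
            m = RET_PAREN_RE.match(r.text)
            if m:
                result = m.group(3)
            elif RET_DONE_RE.match(r.text):
                result = "done"
            else:
                continue
        if not pending[key]:
            continue   # return without a recorded entry (trace started mid-call)
        component, function, start = pending[key].pop()
        calls.append(Call(r.pid, r.tid, component, function, start,
                          r.time_ms - start, result, _classify(component, result)))
    return calls


def failed_calls(calls) -> list[Call]:
    return [c for c in calls if c.ok is False]


if __name__ == "__main__":
    rows = parse_trace(SAMPLE_TRACE)
    for c in pair_calls(rows):
        print(f"{c.pid}:{c.tid} {c.component} {c.function} {c.duration_ms} ms -> {c.result}")
```

On the sample, the second C_Initialize is reported as not OK (CKR_CRYPTOKI_ALREADY_INITIALIZED) exactly as the text above explains, and CardAcquireContext is shown taking 82014 ms, which a glance at the 00.01.23.045 timestamp would not reveal; whether a non-OK result is an actual problem still has to be decided from the interface documentation.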
9 Command Tool
The command tool is a utility that adds some functionality to the Windows Command Prompt, the Linux command line or the
macOS Terminal application.
Note 1: There is no language support, so it will always be in English.
Note 2: There is no character translation, which may cause undesired effects for non-ASCII characters.
9.1 Start
The command tool is started with the application loader with the command switch ‘-command’:
Windows: %PROGRAMFILES%\Net iD\iid.exe -command
Linux: /usr/bin/iid -command
macOS: /usr/bin/iid -command
9.2 Commands
The following commands are available:
[0] quit -> Quit with no action
[1] system -> View system information
[2] view -> View token information
[3] change -> Change PIN for your token
[4] unlock -> Unlock PIN for your token
[5] list -> List certificates for your token
[6] keys -> List private keys for your token
[7] init -> Reinitialize your token (with default SO PIN)
[8] expired -> Set PIN expired for your token
Select the command and follow the instructions.
10 Changes between versions
This chapter contains information regarding the changes that have been made in Technical Description between different
versions of the document. The chapters and sections mentioned are according to the updated document.
10.1 Changes between v6.5.1 and v6.6
Chapter 5 Installation macOS
- 5.1.1 Files
New file locations.
- 5.5 Known Issue
Removed section regarding installation on OS X 10.11.
Chapter 6 Settings
- 6.4 CredentialProvider
- Info of possibility to make Parameter settings via application.
- 6.4.9 Mode
Added Full CredentialProvider mode description.
- 6.4.12 AcceptIssuers
Updated example.
- 6.4.13 DefaultIssuers
Updated example.
- 6.4.14 DenyIssuers
Updated example.
- 6.4.15 RememberLastUsed
New entry.
- 6.5 CredentialProvider Certificate
- 6.5.1 Enable
New entry.
- 6.5.2 Disable
New entry.
- 6.9 CredentialProvider Pin
- 6.9.1 Enable
New entry.
- 6.9.2 AutoLogon
New entry.
- 6.9.3 DisableAutoLogon
New entry.
- 6.9.2 InitChangePin
New entry.
- 6.11 CSP
- 6.11.5 CertificateStoreMode
New entry.
- 6.11.26 ReplaceCertificate
Changed default value.
- 6.13 Dialog
- Removed information regarding old user interfaces.
- 6.13.10 Info<name>
- New configuration parameters: InfoAdmin, InfoFileXXXX, InfoNotify, InfoSetup.
- New <extra> value: Theme
- 6.23 General
- 6.23.7 ExplorerExtension
New entry.
- 6.23.13 TaskbarMenuMode
- Removed parameter ‘0x0800 – Language’
- Added information regarding default value.
- 6.23.14 UseService
New parameter ‘-1’.
- 6.28 License
- 6.28.1 Cards
New entry.
- 6.28.3 Issuers
New entry.
- 6.29 Links
- 6.29.1 Admin
New entry.
- Chapter 6.30 Links Action
- Updated actions: Sign and Verify.
- Info regarding custom actions.
- Chapter 6.32 LRA
New section.
- 6.35 Pkcs11
- 6.35.18 SessionToken
New entry.
- 6.37 Report LOGON
New section
- 6.38 Report PIN
New section.
- 6.39 Report UNLOCK_WORKSTATION
New section.
- 6.42 SmartCard
- 6.42.6 NoDiskCache
New entry.
- 6.42.9 PinHistory
New entry.
- 6.51 Trace
Rewritten section with new entries.
- 6.52 Trace call
Added note.
- 6.53 View
- 6.53.2 iidxwatch.exe
New entry.
Chapter 8 Trace
- 8.1 Trace Row
- 8.1.2 Execution time
Updated example and added note.
10.2 Changes between v6.4 and v6.5.1
Chapter 6 Settings
- 6.11 [CSP]
Added two new entries:
- 6.11.6 ConnectPCSC
- 6.11.7 ContainerNameMode
10.3 Changes between v6.1.1 and v6.4
General in all texts
- All references regarding Windows XP and Windows Vista have been removed since no longer supported.
- All references regarding GINA has been removed since Windows XP and Windows Server 2003 no longer are
supported.
- All references to bitmaps/bmp has been changed to images since both bitmaps and ico files are supported.
Chapter 2 What is Net iD Enterprise?
- 2.1 Overview
Picture changed, now including CNG.
Chapter 3 Installation Microsoft Windows
- 3.1.1 Files
- Global configuration file moved to optional files since most configurations are done in the Registry nowadays.
- Removed optional file for GINA library.
- Added optional file for GPO Client Side Extension.
- Added Trace service library.
- 3.1.2 Registry
- Added optional Registry key for GPO Client Side Extension.
- Change in default location for configurations.
- Former 3.2 Build your own installation with IExpress 2.0
Section has been removed.
- Former 3.3 Build your own installation with Windows installer
Section has been removed.
Chapter 5 Installation OS X
- 5.1.1 Files
The Net iD Enterprise Admin GUI is installed as a web app instead of being a local site.
- 5.2 Running Installation
Changed installation file from ‘iidsetup.pkg’ to ‘iidsetup.app’.
- Former 5.3 Build custom installation
Section removed.
- 5.3 Web browser
New section.
- 5.5 Known Issues
New section regarding installation on OS X 10.11.
Chapter 6 Settings
- 6.2.3 App
New entry.
- 6.4.1 Version
- Added parameters for Windows 8.1 and Windows 10.
- Removed parameter for Windows Vista.
- 6.4.6 Activate
New entry.
- 6.4.8 InitChangePin
New entry.
- 6.4.12 AcceptIssuers
New entry.
- 6.4.13 DefaultIssuers
New entry.
- 6.4.14 DenyIssuers
New entry.
- 6.7.3 Timeout
Corrected earlier incorrect information: the unit was written as ‘minutes’ but shall be ‘seconds’.
- 6.10.2 Timeout
Corrected earlier incorrect information: the unit was written as ‘minutes’ but shall be ‘seconds’.
- 6.11.5 ClearUserPinCache
New parameter setting.
- 6.13.8 Theme_v<nn>
- Added parameters for Windows 8.1 and Windows 10.
- Removed parameter for Windows Vista.
- 6.19.2 Format
Added comment regarding configuration that will affect all languages.
- 6.23 [General]
New entry: “ExtraService”.
- 6.23.8 ExtraService
New entry.
- 6.24.2 Configuration
Registry settings read order.
- 6.30 [Links Action]
- New actions:
-- CaCertificateExpire
-- Decrypt
-- Encrypt
-- ExitWindows Lock/Logout/Sleep/Hibernate/Disconnect/Restart/Shutdown
-- LicenseActivate
-- LicenseInvalid
-- TokenEvent
-- TokenInvalid
-- TokenNotPresent
-- TokenPresent
- Discontinued actions:
-- OpenCertificateExpired
-- OpenCertificateEnroll
-- OpenCertificateRenew
- 6.32.5 ClearUserPinCache
New parameter setting.
- 6.33.1 Applications
Change of behavior: will only handle SSL sessions. For TLS sessions see the parameter in 6.35.8 LogonApplication.
- 6.33.3 Enable
New default value.
- 6.33.4 LogonApplication
New entry to handle TLS sessions.
- 6.35.5 Audit
New entry.
- 6.36 SCS
New section.
- Former 6.37.12 SecureMessaging
Entry removed and replaced with section 6.40 [SmartCard Keys].
- 6.40 [SmartCard Keys]
New section.
- 6.45.4 PinFailure
New entry.
- 6.46 [TaskbarEvent]
New section.
Chapter 7 Watch
- 7.1 Arguments
Changed behavior due to security reasons: Watch configurations are only read from global configuration.
Chapter 9 Command Tool
- 9.2 Commands
Added commands ‘system’ and ‘expired’.
10.4 Changes between v6.1.1 and v6.1.2
Chapter 6 Settings
- Former 6.24 [Gina]
The section and entries regarding Gina have been removed since support for Microsoft Windows XP ended on 2014-04-08.
10.5 Changes between v6.1 and v6.1.1
Chapter 6 Settings
- 6.11.22 KeepSessionAlive
Parameter KeepSessionAlive updated with possibility to specify specific applications to be used with mode “1”.
- 6.13.2 NoUserInterface
New configuration to disable the Net iD Enterprise user interfaces for specific applications.
10.6 Changes between v6.0 and v6.1
Chapter 6 Settings
- 6.1 [AllowedServers]
An additional mode “4” has been added.
- 6.36 [Plugin]
New security configurations for plugins have been added.
11 References
Net iD Enterprise Developer’s Guide: The document is intended for software developers making implementations via any of the program interfaces delivered by the product. You may order a personal copy of the document via www.secmaker.com: Partners – Developers – Technical manuals.