Support for 64K V2 CAC Cards with NetSign CAC 4.2
Description:
This article addresses support for new GSCIS 2.1 64K cards with NetSign CAC 4.2x
Product:
NetSign CAC 4.2
64K V2 CAC Cards
Issue / Problem:
The recently deployed 64K JAVA CAC cards with V2 CAC applets are backward compatible with NetSign CAC 4.2, a CAC V1 middleware. NetSign CAC 4.2 recognizes the new 64K V2 CAC cards as compatible CAC cards and automatically adds the new card ATR to the Windows registry. On subsequent insertions the 64K V2 CAC card is recognized from the previously added ATR and operates normally. A problem has been encountered on Windows 2000 SP4 systems, where the ATR is not automatically registered because non-administrator users lack the privilege to update the registry.
This document will clarify the use and special instructions for configuring a system with NetSign CAC 4.2 and 64K V2 CAC cards.
Note that while NetSign CAC 4.2 does support the new 64K V2 CAC cards, the 4.2 NetSign CAC middleware only supports the GSC-IS 2.0 middleware API. For applications requiring compatibility with GSC-IS 2.1, users should upgrade to the NetSign CAC 5.5 middleware version.
Solution:
When NetSign CAC 4.2 is installed, it creates entries in the registry that associate smart cards with the NetSign CAC application, so that NetSign functions properly when a CAC card is inserted and cryptographic operations are performed. NetSign CAC 4.2 provides a built-in feature that examines a smart card when it is inserted and determines whether the card is in the list of known CAC smart cards in the system registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards]
If the card is not recognized by the system then the NetSign CAC Middleware will try to determine if the card is a Common Access Card by looking for the Applet Identification (AID) on the JAVA card. If the card contains a CAC AID then NetSign CAC 4.2 will create a generic "Common Access Card" entry in the system registry that contains the ATR (Answer to Reset) value of that card. After this occurs NetSign CAC 4.2 can operate with this card.
Special Considerations:
Windows XP
Inserting a GSC-IS 2.1 CAC card in Windows XP will go through the process outlined above and create the necessary modifications to the system registry. Within moments the user can perform CAC related functions as if using a CAC V1 Card with all of the functionality available in a CAC V1 Middleware application. No special configuration is required.
Note: In the event that the card is not recognized for a user, a system administrator should either (a) log in to the system and insert the card to have it registered; or (b) follow the steps outlined in the section below for Windows 2000 SP4 to install the appropriate registry entries to support these cards.
Windows 2000 SP4
Configuring a GSC-IS 2.1 CAC card in Windows 2000 requires that an administrator manually register the new card type(s) on the local machine by logging into the machine and inserting the card(s). Alternatively, the administrator can install a registry entry that adds the generic Common Access Card registry value, either on this system alone or, using administrative tools, on many Windows 2000 client systems within a domain environment.
The values of the Windows 2000 SP4 registry that will support both of the current 64K cards are outlined below.
1. Create the Gemplus .reg value for a Windows 2000 SP4 system by cutting and pasting the following using NOTEPAD and naming the file with the .reg suffix. Load or merge this into the registry by double clicking the file:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Common Access Card - 0]
"ATR"=hex:3b,6b,00,00,80,65,b0,83,01,04,74,83,00,90,00
"ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
"CRYPTO PROVIDER"="CAC Cryptographic Service Provider"
"TOKEN_MODULE"="CAC.CKM"
2. Create the Axalto .reg value for a Windows 2000 SP4 system by cutting and pasting the following using NOTEPAD and naming the file with the .reg suffix. Load or merge this into the registry by double clicking the file:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Common Access Card - 1]
"ATR"=hex:3b,75,12,00,00,29,05,01,04,01
"ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
"CRYPTO PROVIDER"="CAC Cryptographic Service Provider"
"TOKEN_MODULE"="CAC.CKM"
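The following is an added example, not part of the original article or of NetSign: a Python check an administrator could run over a .reg export of the SmartCards key to confirm that each entry has an ATRMask as long as its ATR and is bound to the provider named above. The function names are hypothetical, and the masked comparison in match_card is an assumption about how the ATRMask value is applied when a card is inserted.

```python
import re
REG_TEXT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Common Access Card - 0]
"ATR"=hex:3b,6b,00,00,80,65,b0,83,01,04,74,83,00,90,00
"ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
"CRYPTO PROVIDER"="CAC Cryptographic Service Provider"
"TOKEN_MODULE"="CAC.CKM"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Common Access Card - 1]
"ATR"=hex:3b,75,12,00,00,29,05,01,04,01
"ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
"CRYPTO PROVIDER"="CAC Cryptographic Service Provider"
"TOKEN_MODULE"="CAC.CKM"
'''  # the two entries from this article, in .reg export form
EXPECTED_CSP = "CAC Cryptographic Service Provider"

def parse_reg(text):
    """Return {card name: {value name: bytes or str}} for each SmartCards subkey."""
    cards, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.fullmatch(r'\[.*\\SmartCards\\(.+)\]', line)
        if m:
            current = cards.setdefault(m.group(1), {})
            continue
        m = re.fullmatch(r'"([^"]+)"=(hex:)?"?([^"]*)"?', line)
        if m and current is not None:
            name, is_hex, raw = m.groups()
            current[name] = bytes.fromhex(raw.replace(",", "")) if is_hex else raw
    return cards

def audit(cards):
    """List entries whose mask length or provider binding differs from the article."""
    problems = []
    for name, v in cards.items():
        if len(v.get("ATR", b"")) != len(v.get("ATRMask", b"")):
            problems.append((name, "ATR/ATRMask length mismatch"))
        if v.get("CRYPTO PROVIDER") != EXPECTED_CSP:
            problems.append((name, "unexpected CRYPTO PROVIDER"))
    return problems

def match_card(cards, card_atr):
    """Assumed semantics: a card matches when (card & mask) == (ATR & mask)."""
    for name, v in cards.items():
        atr, mask = v["ATR"], v["ATRMask"]
        same = all((c & m) == (a & m) for c, a, m in zip(card_atr, atr, mask))
        if len(card_atr) == len(atr) and same:
            return name
    return None
```

An empty list from audit(parse_reg(REG_TEXT)) means every entry is consistent; an entry pointing at a different provider is worth investigating, since this key decides which CSP handles the card.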
Summary / Troubleshooting:
Use of GSC-IS 2.1 CAC cards with NetSign CAC 4.2 (a V1 CAC Middleware) will function when NetSign CAC 4.2 recognizes the smart card that contains the appropriate CAC Applet ID. NetSign CAC 4.2 will create a generic registry entry to associate that CAC ATR with the NetSign CAC "CAC Cryptographic Service Provider".
Customers should upgrade to NetSign CAC 5.5 to get the GSC-IS 2.1 Basic Services Interfaces (BSI) (which is the PIV transitional API mentioned in SP800-73, section 2.1).
Keywords: Axalto Access, GemExpresso, 64K, GSC-IS V2.1