007-013842-001 - SafeNet Authentication Client - 10.0 - Post GA - Linux - Administrator - Guide - Rev B PDF

SafeNet Authentication
Client (Linux)
Version 10.0 (Post GA)
Administrator Guide
Table of Contents
1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6
SafeNet Authentication Client Main Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6
What’s New. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7
Supported Browsers and Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8
Supported Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8
Supported Tokens and Smart Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8
Certificate-based USB Tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8
Software Tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8
External Smart Card Readers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10
License Activation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10
IDPrime MD Applet 4.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10
Number and Type of Key Containers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
API Adjustments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
SafeNet eToken devices vs Gemalto IDPrime MD devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12
2 Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Installation Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
Installing SAC on Linux Standard Package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
Installing on Ubuntu and Debian. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Installing the Core Package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Installing on Red Hat Enterprise, SUSE, CentOS and Fedora . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Installing on Ubuntu and Debian . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
Linux External Dependencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
Installing the Firefox Security Module on Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
Installing the Thunderbird Security Module. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
3 Uninstall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Uninstalling Linux Standard Package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
Uninstalling on Red Hat Enterprise, SUSE, CentOS and Fedora . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
Uninstalling on Ubuntu and Debian. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
Uninstalling the Core Package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
Uninstalling on Red Hat Enterprise, SUSE, CentOS and Fedora . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
Uninstalling on Ubuntu or Debian . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
4 Configuration Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
eToken Configuration Keys. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
General Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
Initialization Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
SafeNet Authentication Client Tools UI Initialization Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29
SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 2

Document Number: 007-013842-001, Rev B
SafeNet Authentication Client Tools UI Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Token Password Quality Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35
SafeNet Authentication Client Tools UI Access Control List. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38
Security Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41
SafeNet Authentication Client Security Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43
Enforcing Restrictive Cryptographic Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43
Creating Symmetric Key Objects using PKCS#11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43
Log Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44

All information herein is either public information or is the property of and owned solely by Gemalto and/or its
subsidiaries who shall have and keep the sole right to file patent applications or any other kind of intellectual
property protection in connection with such information.
Nothing herein shall be construed as implying or granting to you any rights, by license, grant or otherwise, under
any intellectual and/or industrial property rights of or concerning any of Gemalto's information.
This document can be used for informational, non-commercial, internal and personal use only provided that:
• The copyright notice below, the confidentiality and proprietary legend and this full warning notice
appear in all copies.
• This document shall not be posted on any publicly accessible network computer or broadcast in any
media and no modification of any part of this document shall be made.
Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities.
The information contained in this document is provided "AS IS" without any warranty of any kind. Unless
otherwise expressly agreed in writing, Gemalto makes no warranty as to the value or accuracy of information
contained herein.
The document could include technical inaccuracies or typographical errors. Changes are periodically added to
the information herein. Furthermore, Gemalto reserves the right to make any change or improvement in the
specifications data, information, and the like described herein, at any time.
Gemalto hereby disclaims all warranties and conditions with regard to the information contained herein,
including all implied warranties of merchantability, fitness for a particular purpose, title and non-
infringement. In no event shall Gemalto be liable, whether in contract, tort or otherwise, for any indirect,
special or consequential damages or any damages whatsoever including but not limited to damages
resulting from loss of use, data, profits, revenues, or customers, arising out of or in connection with the
use or performance of information contained in this document.
Gemalto does not and shall not warrant that this product will be resistant to all possible attacks and shall
not incur, and disclaims, any liability in this respect. Even if each product is compliant with current
security standards in force on the date of their design, security mechanisms' resistance necessarily
evolves according to the state of the art in security and notably under the emergence of new attacks.
Under no circumstances, shall Gemalto be held liable for any third party actions and in particular in case
of any successful attack against systems or equipment incorporating Gemalto products. Gemalto
disclaims any liability with respect to security for direct, indirect, incidental or consequential damages
that result from any use of its products. It is further stressed that independent testing and verification by
the person using the product is particularly encouraged, especially in any application in which defective,
incorrect or insecure e functioning could result in damage to persons or property, denial of service or
loss of privacy.
© 20010-17 Gemalto. All rights reserved. Gemalto and the Gemalto logo are trademarks and service marks of
Gemalto and/or its subsidiaries and are registered in certain countries. All other trademarks and service marks,
whether registered or not in specific countries, are the property of their respective owners.
Product Version: 10.0 Linux (Post GA)

Document Number: 007-013842-001, Rev. B
Release Date: July 2017

Support Contacts
We work closely with our reseller partners to offer the best worldwide technical support services. Your reseller is
the first line of support when you have questions about products and services. However, if you require additional
assistance you can contact us directly at:
If you encounter a problem while installing, registering or operating this product, please make sure that you have
read the documentation. If you cannot resolve the issue, contact your supplier or Gemalto Customer Support.
Gemalto Customer Support operates 24 hours a day, 7 days a week. Your level of access to this service is
governed by the support plan arrangements made between Gemalto and your organization. Please consult this
support plan for further information about your entitlements, including the hours when telephone support is
available to you.
Contact Method Contact Information
Customer Support Portal https://supportportal.gemalto.com

Existing customers with a Technical Support Customer Portal account
can log in to manage incidents, get the latest software upgrades,
and access the Gemalto Knowledge Base.
Technical Support contact email technical.support@gemalto.com
Additional Documentation
The following publications are available:
• 007-013843-001 SafeNet Authentication Client 10.0 Linux (Post GA) User Guide (Rev B)
• 007-013841-001 SafeNet Authentication Client 10.0 Linux (Post GA) Release Notes (RN - Rev B)

1 – Introduction
Introduction
SafeNet Authentication Client (SAC) is a middleware client that manages Gemalto’s extensive SafeNet portfolio
of certificate-based authenticators, including eToken, IDPrime smart cards, iKey smart card, USB and software-
based devices.
With full backward compatibility and incorporating features from previous middleware versions, SafeNet
Authentication Client ensures complete support for all currently deployed eToken and iKey devices, as well as
IDPrime MD and .NET smart cards.
Overview
SafeNet Authentication Client is Public Key Infrastructure (PKI) middleware that provides a secure method for
exchanging information based on public key cryptography, enabling trusted third-party verification of user
identities. It utilizes a system of digital certificates, Certificate Authorities, and other registration authorities that
verify and authenticate the validity of each party involved in an internet transaction.
The SafeNet Authentication Client Tools application and the SafeNet Authentication Client tray icon application
are installed with SafeNet Authentication Client, providing easy-to-use configuration tools for users and
administrators.
SafeNet Authentication Client Main Features

SafeNet Authentication Client 10.0 Linux (Post GA) introduces support for IDPrime MD cards, PKCS#11 Multi-
Slot support as well as PIN quality modifications. Support for Ubuntu, Debian, Fedora and SUSE is also included
in this version.
IDPrime MD cards are PKI smart cards. Administrators and users can use and manage IDPrime MD smart cards
seamlessly via the standard PKCS#11 interface and without the need for any additional middleware. They offer
secure IT Security and ID access and are compatible with the NFC standard.
For more details on the list of Gemalto IDPrime cards supported, See "Supported Tokens and Smart Cards" on
page 8.
NOTE:
The term Token is used throughout the document and is applicable to both Smart
Cards and Tokens.

1 – Introduction
SafeNet Authentication Client includes the following features1:
• Token usage, including:

• Digitally signing sensitive data
• Remote data access
• Use of SafeNet Virtual Token
• Management of certificates on the token
• Token management operations, including:
• Token initialization
• Initializing Common Criteria Certified devices
• Token Password changes
• Token unlock
• Configuration of token settings and Token Password quality
• Token renaming
• Logging
• SafeNet Authentication Client settings configuration
What’s New
SafeNet Authentication Client 10.0 Linux (Post GA) offers the following new features:
• Rebranding: SAC Linux UI and documentation have Gemalto branding.
• Support for the following IDPrime cards:
• IDPrime MD 830-FIPS
• IDPrime MD 830-ICP
• IDPrime MD 830 B
• IDPrime MD 3810 Dual Interface Card
• IDPrime MD 3810 MIFARE 1K (Contact and Contactless mode)
• IDPrime MD 3811
• Support for IDPrime .NET cards
• Support for the following IDPrime MD Common Criteria cards:
• IDPrime MD 840
• IDPrime MD 3840 - Dual Interface Card
• Support for SafeNet eToken 5110 Common Criteria
• Support for SafeNet eToken 5110 FIPS
• Support for unlocking IDPrime MD card range
• Friendly Admin Password - short user friendly passwords are now supported (on IDPrime MD and
eToken 5110 CC devices) instead of using 48 hexadecimal digits. For more details, see the SafeNet
Authentication Client 10.0 Linux (Post GA) User Guide.
1.- Some of the features listed under “SafeNet Authentication Client Main Features” may not be supported on
certain IDPrime MD smart cards. For more details refer to the relevant section in this document.

1 – Introduction
• Support for PKCS#11 Multi-Slots - for Common Criteria devices in unlinked mode. For information on
how to work with Multi-Slots, see the PKCS#11 Digital Signature PIN section in the SafeNet
Authentication Client 10.0 Linux (Post GA) User Guide.
• PIN Quality modifications - for IDPrime MD cards
Supported Browsers and Applications

SafeNet Authentication Client 10.0 Linux (Post GA) supports the following browsers and applications:
• Firefox up to 54.0
• Firefox (ESR) for SUSE 45.4
• Thunderbird 52.1.0 (except RH 7.3 x64 - 52.1.1)
Supported Platforms
SafeNet Authentication Client 10.0 Linux (Post GA) supports the following operating systems:
• Red Hat 7.3, 6.9
• CentOS 7.3, 6.9
• SUSE 12.2
• Debian 9.0
• Fedora 26
• Ubuntu 16.04 and 17.04
Supported Tokens and Smart Cards

SafeNet Authentication Client 10.0 Linux (Post GA) supports the following tokens:
Certificate-based USB Tokens

• SafeNet eToken 5110
• SafeNet eToken 5110 CC
• SafeNet eToken 5110 FIPS
• SafeNet eToken 5110 FIPS HID
• SafeNet eToken 5110 HID
Software Tokens
• SafeNet Virtual Token
• SafeNet Rescue Token

1 – Introduction
Smart Cards
• Gemalto IDCore 30B eToken
• Gemalto IDPrime MD 840
• Gemalto IDPrime MD 840 B
• Gemalto IDPrime MD 830-FIPS
• Gemalto IDPrime MD 830-ICP
• Gemalto IDPrime .NET
NOTE:
For more information on IDPrime MD Smart Cards, see the IDPrime MD Configuration
Guide.
End-of-Sale Tokens/Smart Cards

• SafeNet eToken 7300-HID
End-of-Life Tokens/Smart Cards

• SafeNet eToken PRO 32K v4.2B
• SafeNet eToken PRO 64K v4.2B
• SafeNet eToken Pro SC 32K v4.2B
• SafeNet eToken Pro SC 64K v4.2B
• SafeNet eToken 7100 (SafeNet eToken NG-Flash)
• SafeNet eToken PRO Java 72K
• SafeNet eToken PRO Anywhere
• SafeNet eToken PRO Smartcard 72K
• SafeNet eToken 5100/5105
• SafeNet eToken 5200/5205
• SafeNet eToken 5200/5205 HID
• SafeNet eToken 7000 (SafeNet eToken NG-OTP)

1 – Introduction
External Smart Card Readers

SafeNet Authentication Client 10.0 Linux (Post GA) supports the following smart card readers:
• Gemalto IDBridge CT30
• Gemalto IDBridge CT40
• Gemalto IDBridge CL 3000 (ex Prox-DU)
NOTE:
SC Reader drivers must be compatible with the extended APDU format in order to
be used with RSA-2048.
License Activation
SafeNet Authentication Client 10.0 Linux (Post GA) is installed by default as non-licensed.
To activate the license perform the following steps:

1. Obtain a valid SAC License Key from SafeNet Customer Service.
2. Activate the license using one of the following procedures:
• Manual Activation
See the Licensing chapter in the SafeNet Authentication Client 10.0 Linux (Post GA) User Guide.
NOTE:
SafeNet Authentication Client retrieves the license file (SACLicense.lic) automatically, if the license
file is located in the following default path:
Linux (per user): /home/<user name>
Linux (per machine): /etc/
IDPrime MD Applet 4.0

The IDPrime MD Applet 4.0 is Common Criteria certified on IDPrime MD 840 and 3840. These cards can have
certain parameters customized in the factory with different values to the standard default profile.
The following parameters can be customized:
• Number and type of key containers
• Support of RSA 4,096-bit key containers (import operation only) - Note: The card needs to be configured
by the SAC supported key length.
• Change PIN at first use Secure messaging in contactless mode
• PINs (#1, #3 and #4 only)
• Try Limit
• Unblock PIN (PIN#1 only)
• Policy values
• Properties
• PIN validity period
• Secure messaging in contactless mode

1 – Introduction
Number and Type of Key Containers

By default, the IDPrime MD Applet 4.0 is pre-personalized with:
• 2 X 2,048-bit CC Sign Only RSA Keys
• 2 X 1,024-bit Standard Sign and Decrypt RSA Keys
• 8 X 2,048-bit Standard Sign and Decrypt RSA Keys
• 2 X 256-bit Standard Sign and Decrypt EC Keys
API Adjustments
The table below provides a high-level description of the adjustments that can be made to the Standard and
Extended PKCS#11 API to work with IDPrime MD CC devices. For more detailed information, see the code
samples.
Standard PKCS#11 API Extended PKCS#11 API
The C_InitToken function must receive the current The C_InitToken function must receive the current
Security Officer (SO) Password Security Officer (SO) Password
When the C_InitToken function is called, you can To initialize the IDPrime MD CC device, the ETCKA_CC
enable linked mode on the IDPrime MD CC device by attribute must be set to CK_TRUE.
using the following setting:
To initialize a device in linked mode, set the
Set the linked mode value to 1 in ETCKA_IDP_CC_LINK attribute to 1.
/etc/eToken.conf under the [Init] section
and the device must be in the factory initialized state To pass the current Digital Signature PUK value, use the
(Admin key = 48 zeros, PUK = 6 zeros) ETCKA_IDP_CURRENT_PUK attribute.
To revert a device back to unlinked mode after it was To revert a device back to unlinked mode after it was initialized
initialized in linked mode, use the PKCS#11 Extended in linked mode, set the ETCKA_IDP_CC_LINK attribute to 0
API, or by using SAC Tools initialization process. and use the ETCKA_PUK attribute to set the new Digital
Signature PUK value.
If a device is not configured to use linked mode, the If a device is not configured to use linked mode, use
C_InitToken function ignores the Digital Signature the ETCKA_PUK attribute to set the new Digital Signature
PUK and Digital Signature PIN. PUK value.
After the device has been initialized in linked mode, the If the device is initialized to use linked mode, the C_InitPIN
C_InitPIN function initializes the Digital Signature function and C_SetPIN function behaves the same as
PIN and the User PIN. Both PIN's are set to the same described in the Standard PKCS#11 section.
value.
The C_SetPIN function used with the CKU_SO flag

changes both the Administrator PIN and Digital
Signature PUK to a new value. See the SafeNet
Authentication Client User Guide for details on Friendly
Admin Password.
The C_SetPIN function used with the CKU_USER flag

changes both the User PIN and Digital Signature PIN to
a new value.

1 – Introduction
SafeNet eToken devices vs Gemalto IDPrime MD devices

The table below displays the differences between SafeNet eToken devices and Gemalto IDPrime MD devices.
eToken 5110, eToken 5110

Feature FIPS (and all other eToken IDPrime MD, IDPrime .Net, eToken 5110 CC
based devices)
3 Roles (Initialization key, Admin 2 Roles (Admin PIN and User PIN)
PIN, User PIN)
Device erased by using the Device is cleared by using the Admin PIN (no changes
Initialization
Initialization key are made to the scheme)
Initialization key is used only for If the Admin PIN is locked, the device cannot be cleared
initializing the device.
Dynamic profile that allows an FIPS based devices - Dynamic profile limited to 15 key
Profile unlimited number of keys depending containers
on the devices memory capacity
CC based devices - Static profile defined by perso
Off-Board (saved on token) On-Board

Password Policy Full UTF-8 character encoding Only ASCII character codes supported
capabilities supported
Enhanced Support Propriety RSM mode Support Secure Key Injection

Security Mode (via IDGo800 Minidriver)
On Board Not supported Supported

RSAPadding
(PSS/OAEP)
Deprecated 4 Roles (Admin PIN, User PIN, Digital Signature PIN,

Digital Signature PUK).
Digital Signature PIN is derived from Linked mode - User PIN and Digital Signature PIN are
the User PIN and the Digital identical and Digital Signature PUK is derived from
Common Criteria Signature PUK is derived from the Admin PIN
Administrator PIN
Unlinked mode - each role has a different value
Appropriate Athena CC certified Gemalto CC certified Applet

Applet for CC keys
Symmetric Key Support 3DES and AES Not supported

operations
Protocol for Support T1 Support T1, T0 and CTL

Contact

2 – Installation
Installation
Follow the installation procedures below to install SafeNet Authentication Client 10.0 Linux. Local administrator
rights are required to install or uninstall SafeNet Authentication Client.
NOTE:
• If IDGo 800 PKCS#11 is installed, be sure to remove it before installing SAC 10.0 Linux.
Installation Files
The software package provided by SafeNet includes files for installing or upgrading to SafeNet Authentication
Client 10.0 Linux (Post GA). The following Linux installation and documentation files are provided:
File Description/Use
SafenetAuthenticationClient-10.0.xx- 32-bit Installs SafeNet Authentication Client on a 32 bit platform

0.i386.rpm
SafenetAuthenticationClient-10.0.xx- 64-bit Installs SafeNet Authentication Client on a 64 bit platform.

0.x86_64.rpm
RPM-GPG-KEYSafenetAuthenticationClient 32-bit This file is the public signature (GnuPG) for SafeNet rpm files.
64-bit Relevant only for RPM. The signature confirms that the package
was signed by an authorized party and also confirms the
integrity and origin of your file. Use this file to verify the signature
of the RPM files before installing them to ensure that they have
not been altered from the original source of the packages.
SafenetAuthenticationClient-core-10.0.xx- 32-bit Installs SafeNet Authentication Client core on 32 bit platform.

0.i386.rpm Installs eToken core library and IFD Handler.
SafenetAuthenticationClient-core-10.0.xx- 64-bit Installs SafeNet Authentication Client core on 64 bit platform.

0.x86_64.rpm Installs eToken core library and IFD Handler.
SafenetAuthenticationClient-10.0.xx- 32-bit Installs SafeNet Authentication Client on 32 bit platform.

0_i386.deb
SafenetAuthenticationClient-10.0.xx- 64-bit Installs SafeNet Authentication Client on 64 bit platform.

0_amd64.deb
SafenetAuthenticationClient-core- 32-bit Installs SafeNet Authentication Client core on 32 bit

10.0.xx-0_i386.deb platform. Installs eToken core library and IFD Handler.
SafenetAuthenticationClient-core- 64-bit Installs SafeNet Authentication Client core on 32 bit

10.0.xx-0_i386.deb platform. Installs eToken core library and IFD Handler.
Documentation Files
007-013841-001_SafeNet Authentication SafeNet Authentication Client 10.0 Linux (Post GA) Release
Client_10.0_Linux_Post GA_RN_Revision B Notes
007-013843-001_SafeNet Authentication SafeNet Authentication Client 10.0 Linux (Post GA) User Guide
Client_10.0_Linux_Post GA_User_Guide_Revision B

2 – Installation
File Description/Use
007-013842-001_SafeNet Authentication SafeNet Authentication Client 10.0 Linux (Post GA)

Client_10.0_Linux_Post Administrator Guide (this document)
GA_Administrator_Guide_Revision B
Installing SAC on Linux Standard Package

The installation package for SafeNet Authentication Client on Red Hat, SUSE, CentOS and Fedora is the RPM
Package. RPM is an installation file that can install, uninstall, and update software packages.
For the PKCS11 module to be installed automatically on a Firefox browser during the SAC installation, make sure
the nss-tools package is installed prior to installing SAC.
• On SUSE, Fedora, Centos and Red Hat operating systems, in cases where the nss-tool package is not
installed, install it as a privileged user by running the following command: yum install nss-tools
SafeNet Authentication Client .rpm packages include:
• .rpm Package Name:
• 32-bit - SafenetAuthenticationClient-10.0.xx-0.i386.rpm
• 64-bit - SafenetAuthenticationClient-10.0.xx-0.x86_64.rpm
where: xx is the build number
To install from the package installer:

1. Double-click the relevant .rpm file.
The package installer opens.
2. Click Install Package.
A password prompt appears.
3. Enter the Super User or root password. The installation process runs.
To install from the terminal:

1. On the terminal, log on as a root user.
2. Run the following:
rpm --import RPM-GPG-KEY-SafenetAuthenticationClient
3. Run one of the following:
• On a 32-bit OS: rpm -Uvh SafenetAuthenticationClient-10.0.xx-0.i386.rpm
• On a 64-bit OS: rpm -Uvh SafenetAuthenticationClient-10.0.xx-0.x86_64.rpm
where: -hi is the parameter for installation and x is the version number.

2 – Installation
Installing on Ubuntu and Debian

The installation packaging for SafeNet Authentication Client running on Ubuntu is the Debian software package
(.deb).
NOTE:
For the PKCS#11 module to be installed automatically on a Firefox browser during the
SAC installation, make sure the nss-tools package is installed prior to installing SAC.
The following is the SafeNet Authentication Client .deb package:

• .deb Package Name:
• 32-bit: SafenetAuthenticationClient-10.0.xx-0_i386.deb
• 64-bit: SafenetAuthenticationClient-10.0.xx-0_amd64.deb

1. Double-click the relevant .deb file.
3. Enter the Super User or root password.
The installation process runs.
4. To run SafeNet Authentication Client Tools, go to Applications > SafeNet > SafeNet
Authentication Client > SafeNet Authentication Client Tools.
NOTE:
To enable the tray icon menu in the notification area, log out and log back in for the icon
to appear.

1. Enter the following:
• On a 32-bit OS: sudu dpkg -i SafenetAuthenticationClient-10.0.xx-0_i386.deb
• On a 64-bit OS: sudu dpkg -i SafenetAuthenticationClient-10.0.xx-0_amd64.deb
2. Enter the password.
3. If the installation fails due to a lack of dependencies, enter the following:
sudo apt-get install -f
The dependencies are installed and the installation continues.

2 – Installation
4. To run the SafeNet Authentication Client Quick Menu, go to: Applications > SafeNet >SafeNet
Authentication Client > SafeNet Authentication Client Tools.
NOTE:
Ensure you log out and log back in to see the tray icon menu.
Installing the Core Package
Installing on Red Hat Enterprise, SUSE, CentOS and Fedora

The installation package for SafeNet Authentication Client running on RedHat and CentOS is the RPM Package
Manager. RPM is a command line package management system that can install, uninstall, and update software
packages.
SafeNet Authentication Client .rpm packages include:

.rpm Package Name:
• 32-bit: SafenetAuthenticationClient-core-10.0.xx-0.i386.rpm
• 64-bit: SafenetAuthenticationClient-core-10.0.xx-0.x86_64.rpm
where: x is the build number

1. Double-click the relevant .rpm file.

1. On the terminal, log on as a root user.
2. Run the following:
rpm --import RPM-GPG-KEY-SafenetAuthenticationClient
3. Run one of the following:
• On a 32-bit OS: rpm -hi SafenetAuthenticationClient-core-10.0.xx-0.i386.rpm
• On a 64-bit OS: rpm -hi SafenetAuthenticationClient-core-10.0.xx-0.x86_64.rpm
where: -hi is the parameter for installation and x is the version number.

2 – Installation
Installing on Ubuntu and Debian

NOTE:
• When installing from the user interface with a user that is not an administrator, the following
message is displayed: ‘The package is of bad quality’. Click Ignore and Install and continue
with the installation.
• After installing SAC on Ubuntu, log off, and then log back on in order for the SAC monitor to
run, and to display the tray icon.
The installation packaging for SafeNet Authentication Client running on Ubuntu is the Debian software package
(.deb).
The following is the SafeNet Authentication Client .deb package:
• .deb Package Name:
• 32-bit: SafenetAuthenticationClient-core-10.0.xx-0_i386.deb
• 64-bit: SafenetAuthenticationClient-core-10.0.xx-0_amd64.deb

1. Double-click the relevant .deb file.

1. Enter the following:
• On a 32-bit OS: sudu dpkg -i SafenetAuthenticationClient-core-10.0.xx-0_i386.deb
• On a 64-bit OS: sudu dpkg -i SafenetAuthenticationClient-core-10.0.xx-0_amd64.deb
where: n is the version number
2. Enter the password.
3. If the installation fails due to a lack of dependencies, enter the following:
sudo apt-get install -f
The dependencies are installed and the installation continues.

2 – Installation
Linux External Dependencies
Red Had Enterprise, SUSE, CentOS and Fedora

• PCSC (Smart Card Resource manager): libpcsclite1
Ubuntu
• PCSC (Smart Card Resource manager): libpcsclite1
Installing the Firefox Security Module on Linux

When SafeNet Authentication Client is installed, it does not install the security module in Firefox. This must be
done manually.
To install the security module in Firefox

1. Open Firefox Preferences > Advanced >Certificates.
2. On the Encryption tab click Security Devices.
The Device Manager window opens.
3. Click Load.
The Load PKCS#11 Device window opens.
4. In the Module Filename field enter the following string:
On 32-bit: /usr/lib/libeTPkcs11.so
On 64-bit: /usr/lib64/libeTPkcs11.so
NOTE:
• To work with CC devices in unlinked mode, enter the following string for Multi-Slot support:
for 32-bit: /usr/lib/libIDPrimePKCS11.so
for 64-bit: /usr/lib64/libIDPrimePKCS11.so
• For information on how to work with Multi-Slots, see the PKCS#11 Digital Signature PIN
Authentication section of the SafeNet Authentication Client User Guide.
The Confirm window opens.

5. Click OK.
The new security module is installed.

2 – Installation
Installing the Thunderbird Security Module

When SafeNet Authentication Client is installed, it does not install the security module in Thunderbird. This must
be done manually.
To install the security module in Thunderbird

1. Select Thunderbird > Preferences > Advanced.
2. On the Security tab click Security Devices.
The Device Manager window opens.
3. Click Load.
The Load PKCS#11 Device window opens.
4. In the Module Filename field enter the following string:
On 32-bit: /usr/lib/libeTPkcs11.so
On 64-bit: /usr/lib64/libeTPkcs11.so
NOTE:
• To work with CC devices in unlinked mode, enter the following string for Multi-Slot support:
for 32-bit: /usr/lib/libIDPrimePKCS11.so
for 64-bit: /usr/lib64/libIDPrimePKCS11.so
• For information on how to work with Multi-Slots, see the PKCS#11 Digital Signature PIN
Authentication section of the SafeNet Authentication Client User Guide.
The Confirm window opens.

5. Click OK.
The new security module is installed.

3 – Uninstall
Uninstall
After SafeNet Authentication Client 10.0 Linux has been installed, it can be uninstalled. Local administrator rights
are required to uninstall SafeNet Authentication Client. When SafeNet Authentication Client is uninstalled, user
configuration and policy files may be deleted.
Uninstalling Linux Standard Package

Before uninstalling SafeNet Authentication Client 10.0 Linux, make sure that SafeNet Authentication Client Tools
is closed.
Uninstalling on Red Hat Enterprise, SUSE, CentOS and Fedora

To uninstall:
• Enter the following:
rpm -e SafenetAuthenticationClient-10.0.xx-0.i386.rpm
Where -e is the parameter for uninstalling.
Uninstalling on Ubuntu and Debian

To uninstall:
• In the console, enter the following:
sudo dpkg --purge safenetauthenticationclient
Where --purge is the parameter for uninstalling.

3 – Uninstall
Uninstalling the Core Package
Uninstalling on Red Hat Enterprise, SUSE, CentOS and Fedora

To uninstall:
• Enter the following:
rpm -e SafenetAuthenticationClient-core-10.0.xx-0.i386.rpm
Where -e is the parameter for uninstalling.
Uninstalling on Ubuntu or Debian

To uninstall:
• In the console, enter the following:
SafenetAuthenticationClient-core-10.0.xx-0_i386.deb
Where --purge is the parameter for uninstalling.

4 – Configuration Properties
Configuration Properties
SafeNet Authentication Client properties are stored on the computer as ini files which can be added and changed
to determine SafeNet Authentication Client behavior. Depending on where an ini value is written, it will apply
globally, or be limited to a specific user or application.
NOTE:
All properties can be manually set and edited.
eToken Configuration Keys

SafeNet Virtual Token keys are located in /etc/eToken.common.conf.
All other keys are located in /etc/eToken.conf.
General Settings
The following settings are written to the [General] section in: /etc/eToken.conf
NOTE:
On a Linux, the number of slots is determined by the PcscSlots and SoftwareSlots configuration
keys described here. The Reader Settings window in SafeNet Authentication Client Linux Tools
displays the number of slots that have been configured, but does not allow the user to change the
settings.
Description Value
Multi-Slot Support Value Name: MultiSlotSupport
Determines if SafeNet Authentication Client is backward Values: =0, =1

compatible with Gemalto PKCS#11 Common Criteria devices 1 - Multi-Slot support is enabled
(IDPrime MD 840, IDPrime MD 3840 and eToken 5110 CC). 0 - Multi-Slot support is disabled
The Mutli-Slot feature affects only SAC customized in compatible Default: 1

mode via IDPrimePKCS11.dll.
For more information on Multi-Slot, see the PKCS#11 Digital

Signature PIN Authentication section of the SafeNet
Authentication Client User Guide.
Software Slots Value Name: SoftwareSlots
Defines the number of virtual readers for SafeNet Virtual Tokens. Values: >=0
(0 = SafeNet Virtual Token is disabled; only
Note: Can be modified in ‘Reader Settings’ in SafeNet Authenti- physical tokens are enabled)
cation Client Tools also.
On Windows Vista 64-bit and on systems later than Windows 7 Default: 2
and Window 2008 R2, the total number of readers is limited to 10
from among: iKey readers, eToken readers, third-party readers,
and reader emulations.

Description (Cont.) Value (Cont.)
PCSC Slots Value Name: PcscSlots
Defines the total number of PC/SC slots for all USB tokens and Values: >=0
smartcards. (0 = Physical tokens are disabled; only SafeNet
Included in this total: Virtual Token is enabled)
• the number of allocated readers for third-party providers
• the number of allocated iKey readers, which is defined during Default: 8
installation and cannot be changed
• the number of allocated readers for other SafeNet physical
tokens, which can be modified in ‘Reader Settings’ in SafeNet
Authentication Client Tools
Note: On Windows Vista 64-bit and on systems later than
Windows 7 and Window 2008 R2, the total number of readers,
consisting of this value and any enabled reader emulations, is
limited to 10.
HID Slots Value Name: HIDSlots
Defines the total number of HID slots for all HID USB tokens. Values: =0, =4, >=0
Default: 4 slots
Legacy Manufacturer Name Value Name: LegacyManufacturerName

Values:
Determines if 'Aladdin Knowledge Systems Ltd.' is written as the 1 - The legacy manufacturer name is written
manufacturer name in token and token slot descriptions 0 - The new manufacturer name is written
Use for legacy compatibility only
Default: 0
Enable Private Cache Value Name: EnablePrvCache
Determines if SafeNet Authentication Client allows the token’s Values:

private data to be cached. 1 (True) - Private data caching is enabled
Applies only to tokens that were initialized with the private data 0 (False) - Private data caching is disabled
cache setting.
The private data is cached in per process memory. Default:1 (True)
Note: Can be set in SafeNet Authentication Client Tools
Tolerate Finalize Value Name: TolerantFinalize
Determines if C_Finalize can be called by DllMain Values:

1 (True) - C_Finalize can be called by DllMain
Note: 0 (False) - C_Finalize cannot be called by DllMain
Define this property per process
Select this setting when using Novell Modular Authentication Default: 0 (False)
Service (NMAS) applications only

Tolerate X509 Attributes Value Name: TolerantX509Attributes
Determines if CKA_SERIAL_NUMBER, CKA_SUBJECT, and Values:

CKA_ISSUER attributes can differ from those in CKA_VALUE 1 (True) - The attributes can differ
during certificate creation 0 (False) - Check that the values match
Note:
Enable TolerantX509Attributes when using certificates created in Default: 0 (False)
a non- DER encoded binary x.509 format.
In some versions of PKI Client, this setting was not selected by
default.
Tolerate Find Templates Value Name: TolerantFindObjects
Determines if PKCS#11 tolerates a Find function with an invalid Values:

template, returning an empty list instead of an error. 1 (True) - A Find function with an invalid template
is tolerated and returns an empty list
0 (False) - A Find function with an invalid
template is not tolerated and returns an error
Default: 0 (False)
Disconnect SafeNet Virtual Token on Logoff Value Name: EtvLogoffUnplug
Determines if SafeNet Virtual Tokens are disconnected when the Values:

user logs off. 1 (True) - Disconnect SafeNet Virtual Token when
logging off
0 (False) - Do not disconnect SafeNet Virtual
Token when logging off
Default: 0 (False)
Protect Symmetric Keys Value Name: SensitiveSecret
Determines if symmetric keys are protected Values:

1 - Symmetric keys cannot be extracted
Note: 0 - Symmetric keys can be extracted
If selected, even non-sensitive symmetric keys cannot be
extracted Default: 0
Cache Marker Timeout Value Name: CacheMarkerTimeout
Determines if SAC Service periodically inspects the cache Values:

markers of connected tokens for an indication that token content 1 - Connected tokens' cache markers are
has changed periodically inspected
0 - Connected tokens' cache markers are never
Note: inspected
If tokens were initialized as "eToken PKI Client 3.65 compatible"
in SafeNet Authentication Client 8.0 and later, set this value to 0 Default: 0
to improve performance.

Override Non-Repudiation OIDs Value Name: NonRepudiationOID
Overrides SAC's list of standard certificate OIDs that require a Value:

high level of security Empty
Note: Default: No override

Users must log on to their tokens whenever signing with a
certificate defined as non-repudiation.
To avoid having to authenticate every time a cryptographic

operation is required for certificates containing Entrust certificate
OID details, remove the default registration key value.
Ignore Silent Mode Value Name: IgnoreSilentMode
Determines if the Token Logon window is displayed even when Values:

the application calls the CSP/KSP in silent mode. 1 (True) - Display the Token Logon window even
in silent mode
0 (False) - Respect silent mode
Note:
Set to True when the SafeNet RSA KSP must use
SHA-2 to enroll a CA private key to a token
Default: 0 (False)
Initialization Settings
The following settings are written to the [INIT] section in: /etc/eToken.conf
NOTE:
All setting in this section are not relevant to IDPrime MD cards, except for the LinkMode setting.
Description Value
Maximum Token Password Retries Value Name: UserMaxRetry
Defines the default number of consecutive failed logon attempts Values:

that lock the token. 1-15
Default: 15
Maximum Administrator Password Retries Value Name: AdminMaxRetry
Defines the default number of consecutive failed administrator Values:

logon attempts that lock the token. 1-15
Default: 15

Description Value (Cont.)
Legacy Format Version Value Name: Legacy-Format-Version
Defines the default token format. Values:

0 - Tokens are formatted as backwardly compatible
to eToken PKI Client 3.65 (CardOS tokens only)
4 - Tokens are not formatted as backwardly

compatible, and password quality settings can be
saved on the token (CardOS tokens only)
5 - Format includes new RSA behavior that is not

controlled by key size; each key is created in a
separate directory (CardOS 4.20B FIPS or Java
Card-based tokens only)
Default:
4, for CardOS tokens
5, for 4.20B FIPS and Java Card -based tokens
RSA-2048 Value Name: RSA-2048
Determines if the token support 2048-bit RSA keys by default. Values:

Note: Can be set in SafeNet Authentication Client Tools. 1(True) - 2048-bit RSA keys are supported
0 (False) - 2048-bit RSA keys are not supported
Default: 0 (False)
OTP Support Value Name: HMAC-SHA1
Determines if the token supports OTP generation by default. Values:

This setting enables HMAC-SHA1 support, required by OTP 1 (True) - OTP generation is supported
tokens. 0 (False) - OTP generation is not supported
Note: Can be set in SafeNet Authentication Client Tools. Default: 1 (True), for OTP tokens. 0 (False), for
other tokens
RSA Area Size Value Name: RSA-Area-Size
For CardOS-based tokens, defines the default size, in bytes, of Default: depends on the token size:
the area to reserve for RSA keys. • For 16 K tokens, enough bytes for three 1024-bit
• The size of the area allocated on the token is determined keys
during token initialization, and cannot be modified without • For 32 K tokens, enough bytes for five 1024-bit
initializing the token. keys
• RSA-Area-Size is not relevant when Legacy-Format-Version is • For larger tokens, enough bytes for seven 1024-
set to 5. bit keys
Note: Can be set in SafeNet Authentication Client Tools.
Default Token Name Value Name:

DefaultLabel
Defines the default Token Name written to tokens during
initialization. Value: String
Default: My Token

API: Keep Token Settings Value Name:

KeepTokenInit
When initializing the token using the SDK, determines if the token
is automatically re-initialized with its current settings. Values:
1 (True) - Use current token settings
Note: If selected, this setting overrides all other initialization 0 (False) - Override current token settings
settings.
Default: 0 (False)
Automatic Certification Value Name:

Certification
When initializing the token using the SDK. If the token has FIPS
or Common Criteria certification, the token is automatically Values:
initialized with the original certification. 1(True) - initialize the token with the original
certification.
0 (False) - initialize the token without the certification
Default: 1 (True)
Note: Previous to SAC 8.2, the default setting was 0
(False). As CardOS 4.2 does not support both FIPS
and RSA-2048, failure to take this into account this
may lead to token initialization failure when using
PKCS#11. To prevent this, ensure that the default is
set to False, or else ensure that the application
provides both the required FIPS and RSA-2048
settings.
API: Private Data Caching Value Name:

PrvCachingMode
If using an independent API for initialization, and if 'Enable
Private Cache' is selected, determines the token’s private data Values:
cache default behavior. 0 - Always
1 - While user is logged on
2 - Never
Default: 0 (Always)
Enable Private Data Caching Modification Value Name:

PrvCachingModify
Determines if the token’s Private Data Caching mode can be
modified after initialization. Values:
1 (True) - Can be modified
0 (False) - Cannot be modified
Default: 0 (False)
Private Data Caching Mode Value Name:

PrvCachingOwner
If ‘Enable Private Data Caching Modification' is selected,
determines who has rights to modify the token’s Private Data Values:
Caching mode. 0 - Admin
1 - User
Default: 0 (Admin)

API: RSA Secondary Authentication Mode Value Name:

2ndAuthMode
If using an independent API for initialization, determines the
default behavior for protecting RSA private keys on the token.
Values:
0 - Never
1 - Prompt on application request
2 - Always prompt user
3- Always
4 - Token authentication on application request
Default: 0 -(Never)
Enable RSA Secondary Authentication Modified Value Name:

2ndAuthModify
Determines if the token’s RSA secondary authentication can be
modified after initialization. Values:
1 (True) - Can modify
0 (False) - Cannot modify
Default: 0 (False)
Use the same token and administrator passwords for digital Value Name:
signature operations. LinkMode
Values:
1 (True) - Linked
0 (False) - Unlinked
Default: 0 (False)

SafeNet Authentication Client Tools UI Initialization Settings

The following settings are written to the [AccessControl] section in: /etc/eToken.conf
Description Value
Enable Advanced View Button Value Name: AdvancedView
Determines if the Advanced View icon is enabled in SAC Tools Values:

1 - Selected
0 - Not selected
Default: 1
The following settings are written to the [InitApp] section in: /etc/eToken.conf/
Description Value
Default Token Password Value Name: DefaultUserPassword
Defines the default Token Password Values: String
Default: 1234567890
Enable Change Password on First Logon Value Name: MustChangePasswordEnabled
Determines if the “Token Password must be changed on first Values:

logon” option can be changed by the user in the Token 1 - Selected
Initialization window. 0 - Not selected
Note: Default: 1
This option is selected by default. If the option is de-selected, it
can be selected again only by setting the registry key.
Change Password on First Logon Value Name: MustChangePassword
Determines if the Token Password must be changed on first Value:

logon option is selected by default in the Token Initialization 1 - Selected
window. 0 - Not selected
Note: Default: 1
This option is not supported by iKey.
Private Data Caching Value Name: PrivateDataCaching
If Enable Private Cache is selected, determines the token’s Values:

private data cache default behavior. 0 - (fastest) private data is cached when used by an
application while the user is logged on to the token,
Note: Can be set in SafeNet Authentication Client Tools. This and erased only when the token is disconnected
option is not supported by IDPrime MD cards. 1 - private data is cached when used by an
application while the user is logged on to the token,
and erased when the user logs off or the token is
disconnected
2 - private data is not cached
Default: 0

RSA Secondary Authentication Mode Value Name: RSASecondaryAuthenticationMode

Values:
Defines the default behavior for protecting RSA private keys on 0 - Never
the token 1 - Prompt user on application request
2 - Always prompt user
Note: Can be set in SafeNet Authentication Client Tools. This 3 - Always
option is not supported by IDPrime MD cards. 4 - Token authentication on application request
Default: 0
RSA Secondary Authentication Mode (continued).

Note: This option is not supported by IDPrime MD cards.
Reuse Current Token Name Value Name: ReadLabelFromToken
Determines if the token’s current Token Name is displayed as the Values:

default Token Name when the token is re initialized. 1 -The current Token Name is displayed
0 -The current Token Name is ignored
Default: 1
Maximum number of 1024-bit RSA keys Value Name: NumOfCertificatesWith1024Keys_help
Defines the amount of space to reserve on the token for Common Values:
Criteria certificates that use 1024 -bit RSA keys. 0-16 certificates
Note: This option is not supported by IDPrime MD cards.
Default: 0
Maximum number of 2048-bit RSA keys Value Name: NumOfCertificatesWith2048Keys_help
Defines the amount of space to reserve Values:

on the token for Common Criteria 1-16 certificates
certificates that use 2048-bit RSA keys.
Note: This option is not supported by IDPrime MD cards. Default: 4

SafeNet Authentication Client Tools UI Settings

The following settings are written to the [UI] section in: /etc/eToken.conf
Description Value
Use Default Password Value Name: UseDefaultPassword
Determines if the Change Password on First Logon Values:

process assumes the current Token Password is the 1 (True) - The default Token Password is automatically
default (defined in the Default Token Password), and entered in the password field
does not prompt the user to supply it.
0 (False) -The default Token Password is not automatically
entered in the password field
Default: o (False)
Password Term Value Name: PasswordTerm
Defines the term used for the token's user password. Values (String):
Note: If a language other than English is used, ensure Password
that PIN
Passcode
Passphrase
Default: Password
Decimal Serial Number Value Name: ShowDecimalSerial
Determines if the Token Information window displays Values:

the token serial number in hexadecimal or in decimal 1 (True) -Displays the serial number in decimal format
format.
0 (False) -Displays the serial number in hexadecimal format
Default: 0
Enable Tray Icon Value Name: ShowInTray
Determines if the application tray icon is displayed Values:

when SafeNet Authentication Client is started. 0 - Never Show
1 - Always Show
Default: Always show
Enable Connection Notification Value Name: ShowBalloonEvents
Determines if a notification balloon is displayed when a Values:

token is connected or disconnected.
0 - Not Displayed
1 - Displayed
Default: 0

iKey LED On Value Name: IKeyLEDOn
Determines when the connected iKey LED is on. Values:

1 - The iKey LED is always on when SAC Monitor is running
Note: 0 -The iKey LED is on when the token has open
When working with applications related to Citrix, set connections only
this value to 0.
Default:1
Enable Logging Control Value Name: AllowLogsControl
Determines if the Enable Logging /Disable Logging Values:

button is enabled in the Client Settings Advanced tab 1 -Enabled
0 -Disabled
Default: 1
Home URL Value Name: HomeUrl
Overwrites the SafeNet home URL in SafeNet Values (String):

Authentication Client Tools Valid URL
Default: SafeNet’s home URL
eToken Anywhere Value Name: AnywhereExtendedMode
Determines if eToken Anywhere features are supported Values:

1 -Supported
0 -Not supported
Default: 1
Enable Certificate Expiration Warning Value Name: CertificateExpiryAlert
Determines if a warning message is displayed when Values:

certificates on the token are about to expire. 1 (True) - Notify the user
0 (False) - Do not notify the user
Default: 1 (True)
Ignore Expired Certificates Value Name: IgnoreExpiredCertificates
Determines if expired certificates are ignored, and no Values:

warning message is displayed for expired certificates 1 - Expired certificates are ignored
0 - A warning message is displayed if the token contains
expired certificates
Default: 0
Certificate Expiration Verification Frequency Value Name: UpdateAlertMinInterval
Defines the minimum interval, in days, between Values:

certificate expiration date verifications >0
Default:
14 days

Certificate Expiration Warning Period Value Name: ExpiryAlertPeriodStart
Defines the number of days before a certificate's Values:

expiration date during which a warning message is > =0
displayed. (0 = No warning)
Default: 30 days
Warning Message Title Value Name: AlertTitle
Defines the title to display in certificate expiration Values:

warning messages String
Default: SafeNet Authentication Client
Certificate Will Expire Warning Message Value Name: FutureAlertMessage
Defines the warning message to display in a balloon Values:

during a certificate’s “Certificate Expiration Warning String
Period.”
Default: A certificate on your token expires in
$EXPIRE_IN_DAYS days.
Certificate Expired Warning Message Value Name: PastAlertMessage
Defines the warning message to display in a balloon if a Values:

certificate's expiration date has passed. String
Default: Update your token now.
Warning Message Click Action Value Name: AlertMessageClickAction
Defines what happens when the user clicks the Values:

message balloon. 0 - No action
1 - Show detailed message
2 - Open website
Default: 0
Detailed Message Value Name: ActionDetailedMessage
If “Show detailed message” is selected in “Warning Values:

Message Click Action” setting, defines the detailed String
message to display.
No default
Website URL Value Name: ActionWebSiteURL
If “Open website” is selected in the “Warning Message Values (string):

Click Action” setting, defines the URL to display Website address
No default

Enable Password Expiration Notification Value Name: NotifyPasswordExpiration
Determines if a pop-up message is displayed in the Values:

system when the Token Password is about to expire. 1 (True)- A message is displayed
0 (False) - A message is not displayed
Default: 1 (True)
Display Virtual Keyboard Value Name: VirtualKeyboardOn
Determines if SafeNet’s keystroke-secure Virtual Values:

Keyboard replaces standard keyboard entry of 1 (True)- Virtual keyboard on
password fields in the following windows: 0 (False) - Virtual keyboard off
• Token Logon
• Change Password Default: 0 (False)
Note:
The virtual keyboard supports English characters only.
Password Policy Instructions Value Name: PasswordPolicyInstructions
If not empty, defines a string that replaces the default Values: String
password policy description displayed in the Unlock
and Change Password windows.
Define Initialization Mode Value Name: DefInitMode
Select this option if you want the 'Initialization Options' Values:

window (first window displayed when initializing a 0 - Display the ‘Initialization Options’ window
device) to be ignored. 1 - Set Preserve Mode
2 - Set Configure Mode
Default: 0
Import Certificate Chain Value Name: ImportCertChain
Determines if the certificate chain is imported to the Values:

token 0 - Do not import certificate chain
1 - Import certificate chain
2- User selects import behavior
Default: 0

Token Password Quality Settings

The following settings are written to the [PQ] section in: /etc/eToken.conf
NOTE:
These settings are not relevant to IDPrime MD cards and eToken 5110 CC, as the password quality
settings reside on the card itself.
Description Value
Password - Minimum Length Value Name: pqMinLen
Defines the minimum password length. Values:

Note: Can be set in SafeNet Authentication Client Tools. >=4
Default: 6
Password - Maximum Length Value Name: pqMaxLen
Defines the maximum password length. Values:

Note: Can be set in SafeNet Authentication Client Tools. Cannot be less than the Password Minimum Length
Default: 16
Password - Maximum Usage Period Value Name: pqMaxAge
Defines the maximum number of days a password is Values:

valid. >=0
Note: Can be set in SafeNet Authentication Client Tools. (0 =No expiration)
Note: This parameter is ‘Day Sensitive’ i.e. the system
counts the day’s and not the hour in which the user made Default: 0
the change.
Password - Minimum Usage Period Value Name: pqMinAge
Defines the minimum number of days between password Values:

changes. >=0
Note: Can be set in SafeNet Authentication Client Tools. (0 = No minimum)
Note: Does not apply to iKey devices.
Default: 0
Password - Expiration Warning Period Value Name: pqWarnPeriod
Defines the number of days before expiration during Values:

which a warning is displayed. >=0
Note: Can be set in SafeNet Authentication Client Tools. (0 = No warning)
Default: 0
Password - History Size Value Name: pqHistorySize
Defines the number of recent passwords that must not be Values:

repeated. >= 0
(0 = No minimum)
Note: Can be set in SafeNet Authentication Client Tools.
Default: 10
(iKey device history is limited to 6)

Password - Maximum Consecutive Repetitions Value Name: pqMaxRepeated
Defines the maximum number of consecutive times a Values:

character can be used in a password. 0 - 16
Note: Can be set in SafeNet Authentication Client Tools. (0 = No maximum)
Note: Does not apply to iKey devices.
Default: 3
Password - Complexity Value Name: pqMixChars
Determines if there is a minimum number of character Values:

types that must be included in a new Token Password 1 - A minimum of 2 or 3 types must be included, as defined
The character types are: upper-case letters, lower-case in the Password- Minimum Mixed Character Types setting
letters, numerals, and special characters. 0 -The rule for each character type is defined in the
Note: Can be set in SafeNet Authentication Client Tools. character type's Include setting
Default: 1
Password - Minimum Mixed Character Types Value Name: pqMixLevel
Defines the minimum number of character types that Values:

must be included in a new Token Password. 0 - At least 3 character types
The character types are: upper-case letters, lower-case 1 - At least 2 character types
letters, numerals, and special characters.
Note: Default:0
• Applies only when the Password - Complexity setting
is set to Standard complexity.
• Can be set in SafeNet Authentication Client Tools.
Password - Include Numerals Value Name: pqNumbers
Determines if the password can include numerals. Values:

0 -Permitted
Note: 1 - Forbidden
• Applies only when the Password - Complexity setting 2 - Mandatory
is set to Manual complexity.
Default: 0
Password - Include Upper-Case Value Name: pqUpperCase
Determines if the password can include upper-case Values:

letters.
0 - Permitted
Note: 1 - Forbidden
Default: 0

Password - Include Lower-Case Value Name: pqLowerCase
Determines if the password can include lower-case Values:

letters. 0 - Permitted
1 - Forbidden
Note: 2 - Mandatory
• Applies only when the Password - Complexity setting
is set to Manual complexity. Default: 0
Password - Include Special Characters Value Name: pqSpecial
Determines if the password can include special Values:

characters, such as @,!, &. 0 - Permitted
Note: 1 - Forbidden
Default: 0
Password Quality Check on Initialization Value Name: pqCheckInit
Determines if the password quality settings are checked Values:

and enforced 1 (True) -The password quality is enforced
when a token is initialized 0 (False) - The password quality is not enforced
Note: Default: 0
We recommend that this policy not be set when tokens
are enrolled using SafeNet Authentication Manager.
Password Quality Owner Value Name: pqOwner
Defines the owner of the password quality settings on a Values:

re initialized token, and defines the default of the 0 - Administrator
Password Quality Modifiable setting. 1 - User
Default:
0, for tokens with an Administrator Password.
1, for tokens without an Administrator Password.
Enable Password Quality Modification Value Name: pqModifiable
Determines if the password quality settings on a newly Values:

initialized token 1 (True)- The password quality can be modified by the
can be modified by the owner. owner
0 (False) - The password quality cannot be modified by the
See the Password Quality Owner setting. owner
Default:
1 (True), for administrator-owned tokens
0 (False), for user owned tokens.

SafeNet Authentication Client Tools UI Access Control List

Access Control Properties determine which features are enabled in the SafeNet Authentication Client Tools and
Tray Menu.
The following settings are written to the [AccessControl] section in: /etc/eToken.conf
Access Control Feature Value
All access control features listed below Values:
1 (True) - The feature is enabled.

0 (False) - The feature is disabled.
Default: 1(True), except where indicated in the table
The table lists all the Access Control Features.
NOTE:
All access control features are enabled by default, except where indicated in the table.
Access Control Feature Value Name Description
Rename Token RenameToken Enables/Disables the Rename Token feature in SafeNet

Authentication Client Tools.
Change Token Password ChangePassword Enables/Disables the Change Token Password feature in
SafeNet Authentication Client Tools.
Unlock Token UnlockEtoken Enables/Disables the Unlock Token feature in SafeNet

Delete Token Content ClearEToken Enables/Disables the Delete Token Content feature in SafeNet
View Token Information ViewTokenInfo Enables/Disables the View Token Information feature in SafeNet
Disconnect SafeNet DisconnectVirtual Enables/Disables the Disconnect SafeNet Virtual Token feature
Virtual Token in SafeNet Authentication Client Tools.
Help ShowHelp Determines if the user can open the Help file in SafeNet
Advanced View OpenAdvancedView Determines if the user can open the Advanced View in SafeNet
Reader Settings ManageReaders Enables/Disables the Reader Settings feature in SafeNet

Connect SafeNet Virtual AddeTokenVirtual Enables/Disables the Connect SafeNet Virtual Token feature in
Token SafeNet Authentication Client Tools.
Initialize Token InitializeEToken Enables/Disables the Initialize Token feature in SafeNet

Import Certificate ImportCertificate Enables/Disables the Import Certificate feature in SafeNet


Access Control Feature Value Name (Cont.) Description (Cont.)

(Cont.)
Reset Default Certificate ClearDefaultCert Enables/Disables the Reset Default Certificate Selection feature
Selection in SafeNet Authentication Client Tools.
Delete Certificate DeleteCertificate Enables/Disables the Delete Certificate feature in SafeNet

Authentication ClientTools.
Export Certificate ExportCertificate Enables/Disables the Export Certificate feature in SafeNet

Copy Certificate Data to CopyCertificateData Enables/Disables the Copy Certificate Data to Clipboard feature
Clipboard in SafeNet Authentication Client Tools.
Set Certificate as Default SetCertificateAsDefault Enables/Disables the Set Certificate as Default feature in
Set Certificate as Auxiliary SetCertificateAsAuxilary Enables/Disables the Set Certificate as Auxiliary feature in
Log On as Administrator LoginAsAdministrator Enables/Disables the Log On as Administrator feature in

Change Administrator ChangeAdministratorPa Enables/Disables the Change Administrator Password feature in

Password ssword SafeNet Authentication Client Tools.
Set Token Password SetUserPassword Enables/Disables the Set Token Password feature in SafeNet
Token Password Retries AllowChangeUserMaxR Enables/Disables the Logon retries before token is locked
etry feature (for the Token Password) in SafeNet Authentication
Client Tools.
Administrator Password AllowChangeAdminMax Enables/Disables the Logon retries before token is locked
Retries Retry feature (for the Administrator Password) in SafeNet
Advanced Initialization OpenAdvancedModeOfI Enables/Disables the Advanced button in the Token Initialization
Settings nitialize window in SafeNet Authentication Client Tools.
Change Initialization Key ChangeInitializationKey Enables/Disables the Change Initialization key button in the
during Initialization DuringInitialize Advanced Token Initialization Settings window in SafeNet
Authentication Client Tools
Common Criteria Settings CommonCriteriaPasswo Enables/Disables the Common Criteria option in the
rdSetting Certification combo box.
System Tray - Unlock TrayIconUnlockEtoken Enables/Disables the Unlock Token feature in the SafeNet
Token Authentication Client Tray Menu
System Tray - Generate GenerateOTP Enables/Disables the Generate OTP feature in the SafeNet
OTP Authentication Client Tray Menu
System Tray - Delete TrayIconClearEToken Enables/Disables the Delete Token Content feature in the
Token Content SafeNet Authentication Client Tray Menu.
Note: By default, this feature is Disabled
System Tray -Change TrayIconChangePassw Enables/Disables the Change Token Password feature in the
Token Password ord SafeNet Authentication Client Tray Menu.
System Tray - Select SwitcheToken Enables/Disables the Select Token feature in the SafeNet
Token Authentication Client Tray Menu.

Access Control Feature Value Name (Cont.) Description (Cont.)

(Cont.)
System Tray -Synchronize SyncDomainAndTokenP Enables/Disables the Synchronize Domain Token Passwords
Domain-Token Passwords ass feature in the SafeNet Authentication Client Tray Menu.
System Tray - Tools OpeneTokenProperties Enables/Disables the Tools menu item (open SafeNet
Authentication Client Tools) in the SafeNet Authentication Client
Tray Menu.
System Tray - About About Enables/Disables the About menu item in the SafeNet
Authentication Client Tray Menu.
Enable Change IdenTrust IdentrusChangePasswo Enables/Disables the Change IdenTrust PIN feature in SafeNet
Identity rd Authentication Client Tools.
Enable Unblock IdenTrust IdentrusUnlock Enables/Disables the Unlock IdenTrust feature in SafeNet
Passcode Authentication Client Tools.
Delete Data Object DeleteDataObject Enables/Disables the Delete Data Object feature in SafeNet
Allow One Factor AllowOneFactor Enables/Disables the Allow One Factor feature in the Advanced
Token Initialization Settings window in SafeNet Authentication
Client Tools.
Note: This property VerisignSerialNumber Enables/Disables the Verisign Serial number feature in SafeNet
cannot be set in the Authentication Client Tools.
Access Control Proper-
ties window. It must be
set in the registry key.

Security Settings
The following settings are written to the [Crypto] section in: /etc/eToken.conf
Description Value
Key Management Value Name:

Key-Management-Security
Defines key creation, export, unwrap, and off-board
crypto policies. Values: (String)
Compatible - has no effect, current behavior is kept
Optimized:
• Disable the generation or creation of exportable keys
• Disable the exporting of keys, regardless of how they were
generated
• Disable the unwrap-PKCS1.5 and unwrap-AES-CBC
Strict:
• Disable the generation or creation of exportable keys
• Disable the exporting of keys, regardless of how they were
generated
• Disable the unwrap-PKCS1.5 and unwrap-AES-CBC
• Disable any usage of symmetric keys off-board including
unwrap
Default: Compatible

Unsupported Cryptographic Algorithms and Features Value Name: Disable-Crypto
Values: (String)
None - All algorithms are supported

Obsolete - The following are disabled: MD5, RC2, RSA<1024,
DES, GenericSecret<80, RC4<80, ECC<160, ECB, RSA-RAW
Manual - Create your own list of algorithms
The following can be disabled:

Algorithms:
RSA, ECC, AES, DES, 3DES, RC2, RC4, SHA2, SHA1,
MD5, HMAC, GenericSecret
Padding types:
RAW, PKCS1, OAEP, PSS
Cipher modes:
ECB, CBC, CTR, CCM
Mechanisms:
MAC, HMAC, ECDSA, ECDH
Operations:
Encrypt, Decrypt, Sign, Verify, Generate, Derive, Wrap,
Unwrap, Digest, Create (keys only)
Weak key size:
RSA<1024
Example of a manual configuration:
"Encrypt-DES-ECB, Sign-3DES-MAC, DES-CTR, HMAC-
MD5, HMAC-SHA1, HMAC-SHA2, DES-CBC, Unwrap-
DES-ECB, RSA-PKCS1-MD5, Verify-RSA-PSS-SHA2,
AES-CTR, AES-MAC, Decrypt-RC2, Wrap-ECB"
Default: None

SafeNet Authentication Client Security Enhancements
Enforcing Restrictive Cryptographic Policies

To allow organizations to enforce restrictive cryptographic policies when using SafeNet smart card and USB
tokens, the following enhancements were introduced:
• Key Management Security Policy - See Security Settings on page 41 for more details.
• Disable Cryptographic Algorithm Policy - See Security Settings on page 41 for more details.
The motivation behind these enhancements:
• Legacy cryptographic schemes can cause organizations to fail current compliance requirements or
expose cryptographic weakness associated with obsolete algorithms and mechanisms.
The following enhancements were made to SafeNet Authentication Client to allow organizations to block the
use of such schemes, according to organizational policies.
• Enabling symmetric keys wrapping with other symmetric keys using GCM and CCM modes of
operation.
• Preventing legacy algorithms from being used by adding a key wrapping policy that enforces the
usage of only GCM and CCM modes of operation for symmetric encryption, and PKCS#1 v2.1
padding for RSA encryption.
• SafeNet introduced a new mechanism that allows administrators to prevent the use of legacy or obsolete
algorithms by third-party applications. These cryptographic algorithms conform to the National Institute of
Standards and Technology (NIST), preventing third-party applications from using legacy or obsolete
algorithms.
Once a restrictive policy has been set, the use of SafeNet Authentication Client with the above algorithms will
be blocked. This might have implications on the way in which the third-party’s applications currently work.
NOTE:
Administrators must make sure that the third-party applications used by the organization are
configured accordingly and do no use one of the algorithms listed above, as they will be blocked.
Creating Symmetric Key Objects using PKCS#11

The following was performed as part of SafeNet Authentication Client security enhancement campaign:
1. Protected memory was used when working with the private cache between PKCS#11 API calls. Private
cache is unlocked to retrieve data and then locked immediately after retrieving the data to ensure that there
is no sensitive data in the private cache. This ensures that the key cannot be revealed in plain text.
2. Sensitive data is securely zeroed prior to freeing up the memory.
3. AES and Generic symmetric key files were created with Secured Messaging (SM) protection so that the
Microsoft smart card transport layer does not contain any APDU data with plain symmetric key material.
For Secure Messaging (SM) to support the AES/3DES and Generic symmetric keys in SAC 10.2, the keys
must be created on an eToken Java device that is initialized in FIPS/CC mode. Applying SM to symmetric
keys changes the object format on the smart card, resulting in the keys not being backward compatible.
Keys that are created with previous SAC versions or on eToken Java devices which are formatted in non-
FIPS/CC mode will not be protected by SM.
AES/3DES keys that are created using the CKA_SENSITIVE = TRUE and CKA_EXTRACTABLE = FALSE
attributes are backward compatible (BS Object keys).

Log Settings
The following settings are written to the [Log] section in: /etc/eToken.conf
Description Value
Enabled Value Name: Enabled
Determines if the SafeNet Authentication Client Log Value:

feature is enabled. 1 - Enabled
0 - Disabled
Default: 0 (Disabled)
Days Value Name:

Days
Defines the number of days log files will be saved
from the time the log feature was enabled. Value:
Enter the number of days (numerical).
Default:
1 day
MaxFileSize Value Name: MaxFileSize
Defines the maximum size of an individual log file. Value:

Once the maximum fil size is reached, SAC removes Enter a value in Bytes.
older log records to allow saving newer log
information. Default: 2000000 (Bytes) (Approximately 2MB)
TotalMaxSizeMB Value Name: TotalMaxSizeMB
Defines the total size of all the log files when in debug Value:
mode. (Megabytes). Enter a value in Megabytes.
Default: 0 (Unlimited)
ManageTimeInterval Value Name: ManageTimeInterval
Defines how often the TotalMaxSize parameter is Value:

checked to ensure the total maximum size has not Enter a value in minutes (numerical).
been exceeded.
Default: 60 minutes


007-013842-001 - SafeNet Authentication Client - 10.0 - Post GA - Linux - Administrator - Guide - Rev B PDF

Uploaded by

Copyright:

Available Formats

007-013842-001 - SafeNet Authentication Client - 10.0 - Post GA - Linux - Administrator - Guide - Rev B PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

007-013842-001 - SafeNet Authentication Client - 10.0 - Post GA - Linux - Administrator - Guide - Rev B PDF

Uploaded by

Copyright:

Available Formats

SafeNet Authentication

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 2

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 3

Product Version: 10.0 Linux (Post GA)

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 4

Contact Method Contact Information

Customer Support Portal https://supportportal.gemalto.com

Technical Support contact email technical.support@gemalto.com

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 5

SafeNet Authentication Client Main Features

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 6

SafeNet Authentication Client includes the following features1:

• Token usage, including:

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 7

Supported Browsers and Applications

Supported Tokens and Smart Cards

Certificate-based USB Tokens

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 8

End-of-Sale Tokens/Smart Cards

End-of-Life Tokens/Smart Cards

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 9

External Smart Card Readers

To activate the license perform the following steps:

IDPrime MD Applet 4.0

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 10

Number and Type of Key Containers

Standard PKCS#11 API Extended PKCS#11 API

The C_SetPIN function used with the CKU_SO flag

The C_SetPIN function used with the CKU_USER flag

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 11

SafeNet eToken devices vs Gemalto IDPrime MD devices

eToken 5110, eToken 5110

Off-Board (saved on token) On-Board

Enhanced Support Propriety RSM mode Support Secure Key Injection

On Board Not supported Supported

Deprecated 4 Roles (Admin PIN, User PIN, Digital Signature PIN,

Appropriate Athena CC certified Gemalto CC certified Applet

Symmetric Key Support 3DES and AES Not supported

Protocol for Support T1 Support T1, T0 and CTL

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 12

SafenetAuthenticationClient-10.0.xx- 32-bit Installs SafeNet Authentication Client on a 32 bit platform

SafenetAuthenticationClient-10.0.xx- 64-bit Installs SafeNet Authentication Client on a 64 bit platform.

SafenetAuthenticationClient-core-10.0.xx- 32-bit Installs SafeNet Authentication Client core on 32 bit platform.

SafenetAuthenticationClient-core-10.0.xx- 64-bit Installs SafeNet Authentication Client core on 64 bit platform.

SafenetAuthenticationClient-10.0.xx- 32-bit Installs SafeNet Authentication Client on 32 bit platform.

SafenetAuthenticationClient-10.0.xx- 64-bit Installs SafeNet Authentication Client on 64 bit platform.

SafenetAuthenticationClient-core- 32-bit Installs SafeNet Authentication Client core on 32 bit

SafenetAuthenticationClient-core- 64-bit Installs SafeNet Authentication Client core on 32 bit

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 13

007-013842-001_SafeNet Authentication SafeNet Authentication Client 10.0 Linux (Post GA)

Installing SAC on Linux Standard Package

where: xx is the build number

To install from the package installer:

To install from the terminal:

SafeNet Authentication Client 10.0 Linux (Post GA) Administrator Guide 14

Installing on Ubuntu and Debian

The following is the SafeNet Authentication Client .deb package:

To install from the package installer:

To install from the terminal: