New Smartcard & Certificate Support
Philip Lieberman, President & CEO, Lieberman Software
Over the last few years we have implemented all sorts of authentication and authorization mechanisms within our products to match the needs of our corporate and government users. Our integrated authentication options include LDAP directories, Kerberos, NTLM and RADIUS, as well as a very rich OATH (HOTP/TOTP) implementation for multi-factor authentication, in addition to RSA SecurID.
Many of our key customers also use PKI certificates and smartcards for authentication and authorization, but up until now our product's PKI support has been usable without being exciting or as flexible as it should be.
Improved Smartcard and Certificate Support
For the next version of Enterprise Random Password Manager (ERPM), also known as 4.83.4, we decided to do a full-blown PKI implementation covering certificate enrollment, authentication and authorization, in collaboration with some of our major US Government accounts and major commercial accounts. Our goal was to make it easy to use all of the different smartcards and certificate formats, including PIV.
We know that many of our government account users have been asking us for a better PKI solution, and we now have something very exciting for you to try out. Keep reading!
The Back Story
I have always been a huge supporter of PKI, FIPS 201, PIV, HSPD-12 and certificates for authentication, encryption, signing and other usages where physical possession of the crypto device or container provides both the power and the physical security needed to create a truly secure environment.
One of the inhibiting factors (up until now) in the adoption of smartcards by ISVs and customers has been the poor state of smartcard middleware and web browser integration. For reference, in this discussion the middleware layer provides a standardized way for the operating system and web browsers to read from and manage smartcards and certificates.
Starting in Windows Vista and continuing into Windows 7, Microsoft implemented a really nice certificate and smartcard middleware layer that ships with the operating system (the smart card minidriver model behind the Microsoft Base Smart Card Cryptographic Provider), and it also provides drivers for card readers and cards. Drivers for readers and cards are installed automatically from Microsoft Update when the readers and cards are first plugged into a computer running Windows Vista or Windows 7 (and also Server 2008 and 2008 R2).
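A quick check that the built-in Windows stack actually sees a card and that its logon certificate is usable, as an added example that is not part of the original post and is not ERPM or Lieberman Software code. It assumes Windows 7 / Server 2008 R2 or later with a reader attached and a card inserted, and that the Certificate Propagation service has already copied the card's certificates into the user's personal store; the EKU OIDs are the standard Microsoft Smart Card Logon and Client Authentication identifiers.

```powershell
# Added example (not from the original post or from ERPM). Assumes a card is
# inserted and Windows' own smart card middleware (Base CSP / minidriver) is in use.

# 1. Ask the built-in stack what it sees: readers, the card, and the certificates
#    on it. certutil ships with Windows; the output is human readable.
certutil -scinfo

# 2. The Certificate Propagation service copies the card's certificates into
#    Cert:\CurrentUser\My. Pick out the ones a logon or web server would accept.
$scLogonEku    = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU
$clientAuthEku = '1.3.6.1.5.5.7.3.2'        # TLS Client Authentication EKU

function Get-EkuOids {
    # Returns the EKU OIDs of a certificate as plain strings.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
}

$candidates = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $ekus = @(Get-EkuOids $_)
    $_.HasPrivateKey -and (($ekus -contains $scLogonEku) -or ($ekus -contains $clientAuthEku))
}

# 3. Validate each chain the way a relying party would, including online revocation
#    checking, so an expired or revoked PIV certificate shows up here and not at logon.
foreach ($cert in $candidates) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk = $chain.Build($cert)
    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
        ChainValid = $chainOk
        Status     = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    }
}
```

If `certutil -scinfo` lists the reader but no certificates, the card itself is the problem (or the minidriver for that card type is not installed); if the card shows certificates but nothing appears in the personal store, the Certificate Propagation service has not run for this user. A chain that fails with a revocation status usually means the workstation cannot reach the issuing CA's CRL or OCSP responder rather than a bad card.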
In older US Government desktops running Windows XP with CAC cards, everything, including reader and card device drivers, middleware and libraries, was an extra-cost, proprietary item. The exclusive use of proprietary solutions in older generations of desktops meant that if a company such as ours wanted to support the government CAC smartcard standard, it was a gigantic pain that required us to obtain development kits and software from proprietary vendors (who were notoriously uncooperative). Since the vendors of CAC cards, readers and middleware generally had little interest in supporting ISVs, very few commercial software packages supporting CAC cards were developed, much to the dismay of the US Government.
A New Day: Universal and Documented Smartcard Support
With the new universal and well-documented smartcard support within Windows, it is now a breeze to support these devices. Microsoft provides a well-documented programming interface (API), as well as middleware and transparent access to drivers for common readers and smartcards. Gone is the need to beg for support from middleware vendors who could not care less about ISV needs.
This new technology allows the US Federal Government to move past the CAC debacle into the era of PIV cards with a fresh operating system that has all of the drivers and middleware built in or readily available via automatic updates.
The McAfee Connection
We were further inspired last year when we saw the certificate handling in the latest version of McAfee ePO (one of our integration partners), ePO 4.6, at the Focus 11 show, where we were exhibiting our latest ePO integration.
What We Are Doing
In our latest release of ERPM, now in beta, we have provided an easy way to manually enroll client certificates, transparently verify certificates on smartcards and in local storage, and configure rights and privileges for certificates, all within the ERPM console.
You can now configure ERPM for transparent web logon with certificates (yes, in both Internet Explorer and Firefox, in a cross-platform environment), and/or combine a shared secret (user name plus password) with the smartcard to both identify the user and authorize specific usage capabilities.
Beta Program
If you are a government agency that has been mandated to support PIV (HSPD-12), or a corporate site using smartcards or PKI certificates for authentication, we would like to work with you to test our latest beta build of ERPM. Please contact me (Phil@Liebsoft.com) to request the beta that incorporates these new capabilities.
This latest beta has a lot of cool new features besides enhanced PKI support, so even if you are only partially interested in PKI but want to try out some of our other new capabilities (e.g., visualizations and reporting), we would still like to have you join our beta program.
What do you think? Email me at Phil@liebsoft.com. You can also follow me on Twitter (@liebsoft) or connect with me via LinkedIn.