New Smartcard &
President & CEO
Over the last few years we have implemented all sorts of
authentication and authorization mechanisms within our products to
needs of our corporate and government users. Our
integrated authentication solutions
include LDAP servers, Kerberos, NTLM, RADIUS, as well as a very rich OATH implementation for
multi-factor authentication (in addition to RSA SecurID).
Many of our key customers also use PKI
authentication and authorization as well as smartcards, but up until now
our product PKI support has been usable, but not exactly exciting or as
flexible as it should be.
and Certificate Support
For the next version of Enterprise
Random Password Manager (ERPM), also known as 4.83.4, we decided to
full-blown PKI
support implementation of certificate enrollment, authentication and
authorization in collaboration with some of our major US Government
and major commercial accounts. Our goal
was to make it easy to use all of the different smartcards and
We know that many of our government account users have been
asking us to provide a better solution for PKI and we now have
exciting to try out – keep reading!
The Back Story
I have always been a huge supporter of PKI, FIPS 201, PIV, HSPD
12 and certificates for
authentication, encryption, signing and other usages where physical
of the crypto device/container can provide both the power and physical
that is needed to really create a secure environment.
One of the inhibiting factors (up until now) in adopting
smartcards by ISVs and customers has been the poor situation regarding
smartcard middleware and internet browser integration. For
reference, in this discussion, the
middleware layer provides a standardized way for the operating system and
browsers to read from and manage smartcards and certificates.
Starting in Windows Vista and
Windows 7, Microsoft
implemented a really nice certificate and smartcard middleware layer
ships with the operating system (standardized), and also provides
the card readers and cards. Drivers for
readers and cards are installed automatically from Microsoft Update when
drivers and cards are first plugged into a computer running Windows
Windows 7 (also Server 2008 and 2008 R2).
In older US Government desktops running Windows XP, and CAC
cards, everything including reader and card device drivers, middleware
libraries were extra cost items and proprietary. The
exclusive use of proprietary solutions in
older generations of desktops meant that if a company such as ours
support the government CAC
smartcard standard, it was a gigantic pain that required that we
development kits and software from proprietary vendors (who were
uncooperative). Since the vendors of CAC
cards, readers and middleware generally had little interest in
very few commercial software packages supported CAC cards were
to the dismay of the US Government.
A New Day: Universal and Documented Smartcard Support
With the new universal and well documented smartcard
support within Windows, it is now a breeze to support these
devices. Microsoft now provides a well
interface (API), as well as middleware and transparent access
for common devices and smartcards. Gone
is the need to beg for support from middleware vendors who could care less
about ISV needs.
This new technology allows the US Federal Government to move
forward past the CAC debacle into the era of PIV cards with a fresh
system that has all of the drivers and middleware built-in or readily
via automatic updates.
The McAfee Connection
We were further inspired last year when we saw the latest
version of McAfee ePO (one of our integration partners) and their certificate
handling in ePO 4.6 at the last Focus 11 show where
exhibiting our latest
What We Are Doing
In our latest release of ERPM that is now in beta, we have
provided an easy way to manually enroll client certificates,
verify certificates on smartcards and local storage, configure rights
privileges for certificates and more within the console of ERPM.
You can now configure ERPM for transparent web logon (yes,
Internet Explorer and Firefox in a cross platform environment) using
certificates and/or use a combination of shared secrets (user name +
plus the smartcard to both identify and authorize specific usage
If you are a government agency that has been mandated to
support PIV (HSPD 12) or a corporate site using smartcards/PKI
authentication, we would like to work with you to test out our latest
build of ERPM. Please contact me (Phil@Liebsoft.com) to request the
incorporates these new capabilities.
This latest beta has a lot of cool new features besides
enhanced PKI support, so even if you are partially interested in PKI,
to try out some of our other new capabilities (i.e. visualizations and
reporting), we also are interested in working with you by having you
What do you think? Email me at: Phil@liebsoft.com.
You can also follow me on Twitter: @liebsoft
or connect with me via LinkedIn.