ActivID® ActivClient® 4.0 for Linux
RELEASE DATE: 2014-04-17
BUILD: 4.0.0.69
New Features
ActivID ActivClient 4.0 for Linux includes a PKCS#11-compliant library.
It has been tested with Mozilla® Firefox® and can
also be used by a variety of PKCS#11-compliant applications.
ActivClient also includes a Smart Card Basic Services Interface (BSI)
library, compliant with the U.S. Government Smart Card - Interoperability
Specifications (GSC-IS). For more information, go to http://csrc.nist.gov/groups/SNS/smartcard/index.html.
This release does not include any other library or management user
interface.
Installing ActivClient
This release is provided as the following packages:
- ac-ac4linux-4.0-69.i386.rpm
- “ActivClient for Linux x86” for installation on Red Hat®
and CentOS™ x86
- ac-ac4linux-4.0-69.x86_64.rpm
- “ActivClient for Linux x64” for installation on Red Hat and CentOS x64
- ac-ac4linux-4.0-69.i386.deb
- “ActivClient for Linux x86” for installation on Debian® and
Ubuntu® x86
- ac-ac4linux-4.0-69.amd64.deb
- “ActivClient for Linux x64” for installation on Debian and Ubuntu x64
Prerequisites
- To install and uninstall ActivClient, you must have admin rights.
- For Red Hat 6.5 and CentOS 6.5, the ccid
package is not installed by default. To install it (and
dependencies including pcsc-lite and pcscd), use the following command:
yum install ccid
Note: You must restart the computer after installing
the package.
- For Debian 7.3 and Ubuntu 12.04.3, the pcscd
package is not installed by default. To install it, use the
following command:
apt-get install pcscd
- If you use another PKCS#11-enabled application, you might need to
configure this application to use the ActivClient PKCS#11 library:
- For x86 platforms, use /opt/hidglobal/ac.ac4linux.pkcs11/lib/libac.pkcs220ong.so
- For x64 platforms, use /opt/hidglobal/ac.ac4linux.pkcs11/lib64/libac.pkcs220ong.so
Install the Packages
- To install an ActivClient RPM package, use the dedicated RPM command:
rpm -i <RPM package filename>
- To install an ActivClient DEB package, use the command:
dpkg -i <DEB package filename>
Verify the Package Signature
The ActivClient for Linux packages are signed with a GNU Privacy Guard (GPG)
key so that the integrity and origin of each package can be verified.
In some configurations, you might see a warning during ActivClient
installation, reporting that the signature of the ActivClient package
cannot be found or cannot be verified.
To address this warning, you need to install the ActivClient signature
public key on the Linux® platform. The recommended method is:
- Start a web browser and go to http://keyserver.pgp.com to access
the PGP Global Directory, or go to https://www.hidglobal.com/security-center.
- Search for the ActivIdentity signing key with the key ID 0x66E8AB60.
- Download the key (the name is “ActivIdentity Engineering (Code Signing
2011-06 RSA)”) to the local system.
By default, the proposed filename is key0x9386BBCE66E8AB60.asc.
- In a terminal window, import the file in the local key database using
one of the following commands:
- On Red Hat or CentOS:
rpm --import key0x9386BBCE66E8AB60.asc
- On Debian or Ubuntu:
gpg --import key0x9386BBCE66E8AB60.asc
On Debian or Ubuntu, if you need to trust the ActivClient signature
public key in the gpg database, open a terminal window and run the
following command:
gpg --edit-key 66E8AB60
Then enter the contextual commands as needed.
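An added example, not part of the HID Global release notes: the 8-digit ID 66E8AB60 used in the search step is only 32 bits and an unrelated key can be made to match it, so this script compares the 64-bit ID 9386BBCE66E8AB60 (taken from the default filename above) before importing. The function names are hypothetical, the listings are constructed, and `gpg --show-keys` assumes a recent GnuPG that provides that command.

```shell
# Added example (not HID Global code). only_key_is reads a `gpg --with-colons`
# listing on stdin and succeeds only if it holds exactly one primary key whose
# 64-bit key ID (field 5 of the "pub" record) equals $1.
only_key_is() {
    ids=$(awk -F: '$1 == "pub" { print toupper($5) }')
    [ "$ids" = "$1" ]
}

# import_key_checked FILE LONG_ID: Red Hat/CentOS form; on Debian/Ubuntu use
# `gpg --import "$1"` as the last step instead.
import_key_checked() {
    gpg --show-keys --with-colons "$1" | only_key_is "$2" ||
        { echo "refusing to import $1: unexpected key ID" >&2; return 1; }
    rpm --import "$1"
}

# Constructed listings: only the key ID and user ID come from this page; the
# other fields and the look-alike key are made up for the demonstration.
GENUINE='pub:-:2048:1:9386BBCE66E8AB60:1306886400:::-:::scSC:
uid:-::::1306886400::::ActivIdentity Engineering (Code Signing 2011-06 RSA):'
LOOKALIKE='pub:-:2048:1:0123456766E8AB60:1400000000:::-:::scSC:
uid:-::::1400000000::::ActivIdentity Engineering (Code Signing 2011-06 RSA):'

# verdict LISTING: print "accept" or "reject" for the expected long key ID.
verdict() {
    if printf '%s\n' "$1" | only_key_is 9386BBCE66E8AB60; then echo accept
    else echo reject; fi
}
echo "genuine:    $(verdict "$GENUINE")"
echo "look-alike: $(verdict "$LOOKALIKE")"   # same 32-bit ID 66E8AB60, different key
```

A key file that bundles a second primary key is also rejected, because the listing must contain the expected ID and nothing else.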
Uninstall ActivClient
- To uninstall an ActivClient RPM package, use the dedicated RPM
command:
rpm -e ac-ac4linux
- To uninstall an ActivClient Debian package, use the command:
dpkg --purge ac-ac4linux
Using Your Smart Card With ActivClient
With ActivClient for Linux, you can use your smart card in multiple
cases:
- You can initialize your smart card (for example, configure the PIN)
via PKCS#11.
- You can generate and load key pairs and certificates using
applications based on PKCS#11 (for example, Mozilla Firefox).
- You can authenticate to web sites and applications using applications
based on PKCS#11 (for example, Firefox).
- You can change your PIN code using applications based on PKCS#11 (for
example, Firefox).
- If you lock your card by entering too many incorrect PIN codes, you
can unlock it via PKCS#11.
Software and Interoperability Requirements
Software Requirements
Operating system:
- Red Hat Enterprise Linux 6.5 x86 and x64
- Ubuntu 12.04.3 x86 and x64
Interoperability Requirements
Smart cards:
- ActivID Smart Card 64K v2 with standalone profile (same as Oberthur®
CosmopolIC® 64K V5.2)
- ActivID Smart Card 64K v2c with standalone profile (same as Gemalto®
Cyberflex® Access 64K v2c)
- ActivID Smart Card 80K v3.2 (same as Giesecke & Devrient®
SmartCafe® Expert 80K DI v3.2)
- ActivID Smart Card 144K v3.2 (same as Giesecke & Devrient
SmartCafe Expert 144K DI v3.2)
- HID Global® Crescendo® C1150
- Personal Identity Verification (PIV) cards compliant with NIST Special
Publications 800-73
- Common Access Cards (CAC) issued by the US Department of Defense
- All smart cards supported by ActivClient 7.0.2.3xx for Windows®
Smart card readers - any PC/SC compliant reader is supported, including:
- OMNIKEY 5321 USB (contact interface)
- OMNIKEY 5325 (contact interface)
Middleware on other platforms:
- Cards initialized with ActivClient for Linux are compatible with
ActivClient for Windows 6.2 and 7.0.2.
- Cards initialized with ActivClient for Windows 6.2 or 7.0.2 are
compatible with ActivClient for Linux.
Policy Configuration
ActivClient for Linux offers the following policy configuration options.
Middleware Configuration
The following policies are configured in policies.conf
located in /opt/hidglobal/ac.sharedstore/.
- PIN Cache Timeout, in minutes (hexadecimal)
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\HID Global\SharedStore\Authentication]
"Timeout"=dword:0000000F
The following policies are configured in policies.conf
located in /opt/hidglobal/ac.ac4linux.smmw/.
- Turn on US Department of Defense configuration GSC-IS (1) or PIV (0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\HID Global\SecurityModuleMW\DiscoveryProvider\CardEdge]
"DefaultCardEdge"=dword:00000000
Note: These policies are similar
to policies available in ActivClient 7.0 for Windows. For more information
about these policies, refer to the ActivClient
for Windows Administration Guide.
Logging Configuration
The following policies are configured in policies.conf
located in /var/opt/hidglobal/ac.log/.
- Turn on ActivClient logging
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\HID Global\Logging]
"ActivClientEnabled"=dword:00000000
- Full path to log files folder
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\HID Global\Logging]
"LogFile"="/var/log/activclient"
- Maximum log file size in MB (hexadecimal)
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\HID Global\Logging]
"MaxFileSize"=dword:00000014
- Maximum number of backup files
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\HID Global\Logging]
"MaxFileBackups"=dword:00000003
Note: These policies are similar
to policies available in ActivClient 7.0 for Windows. For more information
about these policies, refer to the ActivClient
for Windows Administration Guide.
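The dword values in the Middleware and Logging policies above are hexadecimal, so dword:00000014 is 20 MB and dword:0000000F is 15 minutes. The following script is an added example, not HID Global code: it decodes them and reports the two settings the Known Limitations and General Comments sections warn about. The function names are hypothetical, the sample files are constructed, and it assumes each entry sits on one line with straight ASCII quotes and that 1 means enabled for ActivClientEnabled.

```shell
#!/bin/sh
# Added example (not HID Global code): decode dword policies from a
# .reg-style policies.conf. Sample file contents below are constructed.

# policy_dword FILE KEY NAME: print "NAME"=dword:XXXXXXXX under [KEY] as decimal.
policy_dword() {
    hex=$(KEY="[$2]" NAME="\"$3\"=dword:" awk '
        { sub(/\r$/, "") }                        # tolerate CRLF files
        /^\[/ { insec = ($0 == ENVIRON["KEY"]); next }
        insec && index($0, ENVIRON["NAME"]) == 1 {
            print substr($0, length(ENVIRON["NAME"]) + 1); exit
        }' "$1")
    case $hex in ''|*[!0-9A-Fa-f]*) return 1 ;; esac
    printf '%d\n' "0x$hex"                        # dword data is hexadecimal
}

# audit_policies SHAREDSTORE_CONF LOGGING_CONF: one line per decoded setting,
# plus NOTE lines for the two values this page warns about.
audit_policies() {
    auth='HKEY_LOCAL_MACHINE\SOFTWARE\Policies\HID Global\SharedStore\Authentication'
    logk='HKEY_LOCAL_MACHINE\SOFTWARE\Policies\HID Global\Logging'
    if t=$(policy_dword "$1" "$auth" Timeout); then
        echo "pin_cache_timeout_min=$t"
        if [ "$t" -eq 0 ]; then echo "NOTE: timeout 0, Firefox certificate import not supported (82425)"; fi
    fi
    if s=$(policy_dword "$2" "$logk" MaxFileSize); then echo "max_log_size_mb=$s"; fi
    # Assumption: 1 means enabled, as with the PKCS#11 flag described on this page.
    if e=$(policy_dword "$2" "$logk" ActivClientEnabled) && [ "$e" -ne 0 ]; then
        echo "NOTE: logging enabled; log files grow quickly (81849)"
    fi
    return 0
}

# Constructed sample files standing in for the two policies.conf locations.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/sharedstore.conf" <<'EOF'
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\HID Global\SharedStore\Authentication]
"Timeout"=dword:0000000F
EOF
    cat > "$d/logging.conf" <<'EOF'
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\HID Global\Logging]
"ActivClientEnabled"=dword:00000001
"MaxFileSize"=dword:00000014
EOF
    audit_policies "$d/sharedstore.conf" "$d/logging.conf"
    rm -rf "$d"
}
demo
```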
PKCS#11 Protected Authentication Path
The ActivClient PKCS#11 library supports the
CKF_PROTECTED_AUTHENTICATION_PATH flag defined in the PKCS#11 standard.
As some PKCS#11 enabled applications do not support this flag, it might
lead to integration issues.
If you run into such issues, you can configure ActivClient to disable
this feature by creating a config.reg
file in /opt/hidglobal/ac.ac4linux.pkcs11,
and adding the following content:
[HKEY_LOCAL_MACHINE\SOFTWARE\HID Global\ActivClient\PKCS11]
"isCKF_PROTECTED_AUTHENTICATION_PATHsupported"=dword:00000000
Alternatively, to enable the feature, set the value to 00000001.
Known Limitations
PKCS#11
- PKCS#11 SDK − you should create the RSA Private Key before creating
the certificate when importing an RSA key.
- Firefox displays a PIN prompt during a Change PIN operation. This is a
Firefox limitation. (81514)
- Certificate import is not supported in Firefox when ActivClient PIN
Cache timeout is configured to 0. (82425)
- Certificate backup in Firefox causes a crash if you are not logged on
to the card.
- Using ActivClient with Firefox 32-bit is not supported on a Linux x64
version – use Firefox 64-bit instead.
General Comments
- If you enable ActivClient log files, the size of the log files will
increase quickly. Only enable logging when prompted by HID Global
customer support. (81849)
Technical Support and Copyright Notice
If you purchased your product from a third party, then please contact
that third party for Technical Support. For products purchased directly
from HID Global, please use the following Technical Support address:
www.hidglobal.com/support
© 1998-2014 HID Global Corporation/ASSA ABLOY
AB. All rights reserved. HID GLOBAL, HID, the HID logo, and ActivID are
the trademarks or registered trademarks of HID Global Corporation, or its
licensors, in the U.S. and other countries. The absence of a mark,
product, service name or logo from this list does not constitute a waiver
of the HID Global trademark or other intellectual property rights
concerning that name or logo. The names of actual companies, trademarks,
trade names, service marks, images and/or products mentioned herein are
the trademarks of their respective owners. Any rights not expressly
granted herein are reserved.
Corporate Headquarters
611 Center Ridge Drive
Austin, TX 78753
www.hidglobal.com
+1 949.732.2000