| ActivID® ActivClient for Windows |
RELEASE DATE: 28-May-2020
PRODUCT VERSION: 7.2.1
(FIXS2005001)
BUILD:207
Table of Contents
This document provides the latest information about the ActivID® ActivClient
for Windows. For product details, please refer to the formal technical
publications delivered with the release.
PRODUCT INFORMATION
This hotfix applies to ActivID® ActivClient 7.2.1 for Windows x64.
HOTFIX INFORMATION
This hotfix includes the following updated files:
- ac.smmw.srvprov.dm.piv.ai.ep.dll
updated to version 7.6.0.207
- ac.smmw.srvprov.dm.v2.standalone.dll
updated to version 7.6.0.207
- ac.smmw.srvprov.sm.v1.dll
updated to version 7.6.0.207
- ac.smmw.srvprov.dm.v2.c1150.dll
updated to version 7.6.0.207
- ac.smmw.srvprov.dm.dll
updated to version 7.6.0.207
- ac.smmw.srvprov.dm.cacv1.dll
updated to version 7.6.0.207
- ac.smmw.srvprov.dm.piv.ai.ep.standalone.dll
updated to version 7.6.0.207
- ac.smmw.srvprov.sm.soft.dll
updated to version 7.6.0.207
- ac.smmw.srvprov.dm.piv.ai.wrap.dll
updated to version 7.6.0.207
- ac.smmw.srvprov.dm.virtualMD.dll
updated to version 7.6.0.207
- ac.smmw.srvprov.dm.v2.dll
updated to version 7.6.0.207
- ac.smmw.srvprov.dm.v2.common.dll
updated to version 7.6.0.207
- ac.smmw.srvprov.dm.gp.dll
updated to version 7.6.0.207
- ac.smmw.srvprov.dm.v1.dll
updated to version 7.6.0.207
- ac.smmw.srvprov.info.javacard.dll
updated to version 7.6.0.207
- ac.smmw.srvprov.sm.v2.dll
updated to version 7.6.0.207
- ac.smmw.srvprov.sm.piv.std.dll
updated to version 7.6.0.207
- ac.smmw.srvprov.dm.piv.std.dll
updated to version 7.6.0.207
- ac.smmw.srvprov.sma.v3.dll
updated to version 7.6.0.207
- ac.smmw.srvprov.dm.cacv2.dll
updated to version 7.6.0.207
- ac.smmw.srvprov.dm.v1.common.dll
updated to version 7.6.0.207
- ac.smmw.srvprov.disco.dll
updated to version 7.6.0.207
- ac.smmw.srvprov.sm.dll
updated to version 7.6.0.207
- ac.smmw.srvprov.dm.v1.standalone.dll
updated to version 7.6.0.207
- ac.smmw.srvprov.sm.piv.ai.262.dll
updated to version 7.6.0.207
- ac.smmw.srvprov.sm.piv.ai.30.dll
updated to version 7.6.0.207
- ac.smmw.srvprov.sm.piv.ai.27.dll
updated to version 7.6.0.207
- ac.smmw.srvprov.dm.cac.dll
updated to version 7.6.0.207
- ac.smmw.srvprov.sma.v1.dll
updated to version 7.6.0.207
- ac.smmw.mwctl.dll
updated to version 7.5.0.200
NEW IN THIS VERSION
P1389-100847:
Failed Installation Roll-Back Does NOT restore 'Shared Store Service'
ActivClient introduced a custom action as
part of the setup to restore the shared store service during rollback of
patch.
P1389-101011:
C2300 standard profile cards (applet 3.0.1) and Crescendo Key standard
profile (applet 3.0.1) should support option to select default certificate
ActivClient provides the option to select
a default certificate for Crescendo 2300 standard profile cards (applet
3.0.1) and Crescendo Key standard profile (applet 3.0.1) such that:
For an Authentication
Certificate compatible with Windows logon
- When the user imports the certificate on a Crescendo 2300 standard
profile card (applet 3.0.1) and Crescendo Key standard profile (applet
3.0.1) via the Windows MMC (for Microsoft CA) or the ActivClient User
Console, it is flagged as default certificate.
- The user can change the default certificate from the User Console.
- The information about the default certificate is saved on the card.
Note: If you use a CIV compliant
card, and if you deselect the default certificate in the User Console (the
menu is hidden with PIV cards but is visible with some CIV cards,
depending on their configuration), then the PIV Authentication certificate
will automatically be selected as default (in the 9A certificate slot, per
NIST specifications).
P1389-101012:
Crescendo Key standard profile (applet 3.0.1) should support importing the
root certificate on the device through ActivClient
Crescendo Key standard profile (applet
3.0.1) supports importing the root certificate on the device through
ActivClient so that when user downloads / imports a certificate on a
Crescendo Key standard profile (applet 3.0.1), it automatically stores the
root certificate on the device.
Improved error handling on Idemia Cosmo 8.1 with ID-One PIV
When authenticating to Idemia Cosmo v8.1
with ID-One PIV 2.4.1 card through BSI PIN verification process, if a
wrong PIN (alpha numeric) value was entered, a generic error message was
displayed. This is corrected in this fix to "This PIN is incorrect. Please
try again."
Comments on Crescendo C2300& Crescendo Key
PIV
data initialized by ActivClient for Crescendo 2300 cards and Crescendo
Key is designed to bring compatibility with Windows Logon and Mac Logon;
it is not fully compliant with the FIPS 201 specifications (for example,
the CHUID signature is not valid).
When
Crescendo C2300 and Crescendo Key are initialized by ActivClient
(standalone mode), the devices are aligned with the FIPS 201
specifications. However, to provide increase usability, the Signature
Certificate does not enforce "PIN Always"; it follows the regular PIN
caching rules configured in ActivClient.
The
Crescendo C2300 does not contain space to import CA certificates.
ADDITIONAL ISSUES
ActivID®
ActivClient for Windows hotfixes are cumulative.
This
hotfix includes the following updated files that were included in previous
hotfixes:
- ac.sharedstore.dll
updated to version 9.11.0.48
- ac.sharedstorecl.dll
updated to version 9.11.0.48
- ac.sharedstoreps.dll
updated
to version 9.11.0.48
- ac.scapi.scmd.dll
updated to version 7.6.0.21
- ac.activclient.gui.usrconsrc.dll
updated to version 7.2.1.68
- ac.activclient.gui.usrcons.exe
updated to version 7.2.1.68
P1389-100989:
Support for "Set as Default Certificate" option on C2300 cards with
compatible profile
ActivClient provides option to select
default certificate for C2300 cards (with a compatible profile) such that:
For an Authentication
Certificate compatible with windows logon
- When user imports certificate on a C2300 card via the Windows MMC
(for Microsoft CA) or the ActivClient User Console, it is flagged as
default certificate.
- The user can change the default certificate from the User Console.
- The information about the default certificate is saved on the card.
Note: If you use a CIV compliant
card, and if you deselect the default certificate in the User Console (the
menu is hidden with PIV cards but is visible with some CIV cards,
depending on their configuration), then the PIV Authentication certificate
will automatically be selected as default (in the 9A certificate slot, per
NIST specifications).
P1389-100971:C2300
profile card/key asks for recurring PIN Entry on user console when
card/key is inserted
"Do not display unlock
code” feature now works for C2300 standalone profile cards and
keys.
P1389-100946:Need
support for the Next Gen CaC Giesecke & Devrient SmartCafe Expert v7.0
144K DI with T=0
The
following new cards are supported with this hotfix
- Oberthur ID-One Cosmo v8.0 128K
- Giesecke & Devrient SmartCafe Expert v7.0 144K DI (contactless)
P1389-100973:Enhancement: CKey and C2300 family of cards should accept PIN
Once for the digital signature operation
With the
introduction of Crescendo family of devices (Crescendo Key and Crescendo
2300 cards), for all Signature Operations, PIN is asked once. However all
existing PIN caching rules and policies are applicable.
P1389-100959:
Enhancement:C2300 with new applet v3 should use a PIN once (instead of
PIN Always)for the digital signature certificate
Digital Signature operation uses PIN
from the PIN Cache if available [PIN Once] rather than asking every time
from the user (PIN Always).
P1389-100943: Ensure
ActivClient always use ActivClient Minidriver
Resets the Windows registry key
"Identity Device (NIST SP 800-73 [PIV])" to ensure ActivClient always use
ActivClient Minidriver.
INSTALLATION PROCEDURE
This section describes how to install this hotfix.
How to check the hot-fix
integrity:
- Right-click on the .msp file and select "Properties".
- Go to the "Digital Signatures" tab.
- Select "HID Global Corporation" in the "Signature list" area.
- Click "Details" and look for "This digital signature is OK.".
Method 1: Interactive
installation
- Double click on the hotfix MSP file.
- The ActivClient Patch InstallShield Wizard opens. Select “Update”.
- Follow any additional instructions that may appear in the installation
wizard.
- If prompted to do so at the end of the installation, restart your
computer for the changes to apply.
Remarks:
- On Windows 7, a Windows Security dialog box asking “Would you like to
install this device software?” may be displayed; this is a Microsoft
limitation that can be solved by installing Microsoft hot-fix available
on https://support.microsoft.com/en-us/kb/2921916.
If the dialog box is displayed, press “Install” for a correct
installation on the hot-fix.
- It is highly recommended to disable ActivClient logging before
applying the hot-fix on Windows 7 with FIPS 140-2 Compliant mode
enabled.
Method 2: Remote
installation
To deploy software updates using Microsoft Active Directory push or
Microsoft SCCM refer to the ActivClient Administration Guide.
Method 3: Automatic update
To deploy software updates from your company’s internal web site using the
ActivClient automatic update feature, refer to the ActivClient
Administration Guide.
TECHNICAL SUPPORT
If you purchased your product from a third party, then please contact that
third party for Technical Support.
If you purchased your product directly from HID Global:
| Americas |
Europe, Middle East and Africa |
Asia Pacific |
| +1
800 670 6892 |
+33
(0) 1 74 18 17 70 |
+852
3160 9873
+61 3 9111 2319 |
For further contact details, go to www.hidglobal.com/support
COPYRIGHT NOTICE
© 2008-2020 HID Global Corporation/ASSA ABLOY
AB. All rights reserved.
HID, HID Global, the HID Blue Brick logo, the
Chain Design, ActivIdentity, ActivID and ActivClient are trademarks or
registered trademarks of HID Global, ASSA ABLOY AB, or its affiliates(s)
in the US and other countries and may not be used without permission. All
other trademarks, service marks, and product or service names are
trademarks or registered trademarks of their respective owners.
HID Global Corporation
611 Center Ridge Drive
Austin, TX 78753
USA
www.hidglobal.com
Tel.: +1 512 776-9000
Fax: +1 512 776-9930