Notes/Domino 6 and 7 Forum

Tested smartcard packages
~Umberto Nongeroson, 18.Aug.03 08:18 PM
Notes Client, All Releases, Windows 2000


The most current list of tested smartcard packages is in the release notes for each version of Notes/Domino.

That list isn't exclusive -- it just lists the tokens that we've had the opportunity to test in-house. Any token that provides a PKCS#11 v2.01 or better interface that fulfills the Large Application PKCS#11 Conformance Profile (http://www.rsasecurity.com/rsalabs/pkcs/pkcs-11/pkcs11Conformance.pdf) should work just fine with Notes.

I've included the current release note text at the end of this message. The tokens listed below should work fine with 6.0.2. As always, check the release notes in the version of Notes that you're using for the list that is most applicable to you. :)

dave



Smartcard support was introduced in Lotus Notes 6.

Notes Password on a Smartcard:

It is currently possible to lock an ID file such that a smartcard and smartcard PIN are required, instead of the Notes password. Removing the smartcard from the reader will then log the user out of Notes. This feature can be enabled through the following steps:

1. Ensure that your ID file is recoverable via ID File Recovery, and that your ID file is not configured for password expiration in your person document on your server's public directory.

2. Install the smartcard reader hardware and software, following the instructions provided by the smartcard vendor.

3. Open the User Security Panel (File -> Security -> User Security).

4. Open the Your Identity // Your Smartcard pane.

5. Enter the path or browse to the location of the PKCS #11 library, installed by the smartcard installation. Some sample paths and names are listed below:

c:\WINNT\system32\gclib.dll (GemSAFE 3.1)
c:\WINNT\system32\acpkcs201.dll (ActivCard Gold 2.2)
c:\WINNT\system32\pk2priv.dll (GemSAFE 2.21)
c:\Program Files\Netscape\Communicator\Program\acpkcs.dll
c:\Schlumberger\Smart Cards and Terminals\Cyberflex Access Kits\v4\slbck.dll (Schlumberger Cyberflex Access V4.3)
c:\Schlumberger\Smart Cards and Terminals\Common Files\slbck.dll (Schlumberger Cyberflex Access V2)
c:\WINNT\system32\dkck201.dll (Rainbow iKey 2032)
c:\WINNT\system32\dkck201.dll (Datakey CIP 4.07)

6. Click on the Enable Smartcard Login button to lock the ID file using a key stored on the smartcard instead of a password.


Internet Keys on a Smartcard:

It is currently possible to place an RSA private key from the ID file onto a smartcard and use that key to sign and decrypt S/MIME mail, and to authenticate to "Internet" servers using SSL client certificate authentication.

To place an RSA private key onto a smartcard:

  1. Open the User Security Panel (File -> Security -> User Security).
  2. Open the Your Identity // Your Certificates pane.
  3. Select the Internet Certificate associated with the private key that you want to move to the smartcard.
  4. Select Other Actions // Store Private Key on Smartcard.


Tested Smartcard packages:

Smartcard functionality has only been tested under win32-based operating systems. Untested smartcards that include PKCS #11 libraries may work with Notes 6. The following smartcard packages have been tested, and indicated (*) packages have caveats listed below:

Smartcard Package                                  | Login with token | 'F5'-style logout on removal | 512-bit RSA keys | 1024-bit RSA keys
---------------------------------------------------|------------------|------------------------------|------------------|------------------
ActivCard Gold 2.2                                 | yes              | yes                          | yes              | yes
Datakey CIP 4.07                                   | yes              | yes                          | yes              | yes
GemSAFE libraries 3.1 SP4 (GPK16000)               | yes              | yes                          | yes              | yes
GemSAFE Enterprise Workstation 2.21 (GPK8000) (*)  | yes              | no                           | no               | yes
GemSAFE Enterprise Workstation 2.0 (GPK4000) (*)   | yes              | no                           | no               | yes
Rainbow iKey 2032 SDK v4.7.0                       | yes              | yes                          | yes              | yes
Schlumberger Cyberflex Access SDK V4.3             | yes              | yes                          | no               | yes
Schlumberger Cyberflex Access SDK V2               | yes              | yes                          | no               | yes

Caveats and Warnings:

  • The only way to recover from losing or breaking a smartcard or to revert a smartcard-protected ID file to a password is through ID File Recovery. ID File Recovery should be configured for an ID file before the ID file is smartcard-enabled. Recovering a smartcard-protected ID file will revert the ID file to use a password and will restore any keys that were pushed onto the smartcard, as long as the recovery information was not changed after the key was pushed down to the smartcard.
  • Password expiration should be disabled in a user's person record before they smartcard-enable their ID file.
  • Password checking will result in only a single smartcard being usable with a given ID file, even across multiple computers or platforms. In this scenario, one copy of the ID file should be smartcard-enabled, and then that version of the ID file should be copied to all of the other respective computers. That single smartcard will now be required for all of the copies of the ID file.
  • Many smartcard packages only support 1024-bit RSA keys. You can find the strength of a given key by selecting an Internet Certificate and pressing the Advanced Details button from the "Your Identity//Your Certificates" pane of the User Security Dialog (File//Security//User Security).
  • Server setup will not function with a smartcard-protected server ID. In order to use a smartcard-protected ID with a server, finish server setup with a password-protected version of the ID file, then add the path to the PKCS #11 library in the server's notes.ini (PKCS11_Library=<path to library>), and finally smartcard-enable the server's ID file on a client using the steps indicated above.
  • Single Logon, which synchronizes the Notes and Windows passwords, cannot be used with a smartcard-protected ID file. You must restart Notes after disabling Single Logon before smartcard-enabling an ID file.
  • The format in which smartcard-related information is stored in the ID file has changed since the earliest beta releases of Notes 6. Using an ID file that was smartcard-enabled with one of these early beta releases will result in an "Incomplete or incorrect smartcard configuration" with Notes 6.
  • Notes uses version 2.01 of the PKCS #11 API to communicate with smartcards and other PKCS#11 devices. PKCS #11 libraries that only implement version 2.0 will not result in an "F5"-style logout when the card is removed from the reader. Updated libraries may be available from the smartcard vendors.
  • Version 2.2 is the required minimum version of ActivCard Gold supported for Notes 6.
  • GemSAFE 2.21's NT Lock Workstation feature has been known to crash some versions of NT and deadlock with Notes. When installing GemSAFE 2.21, the NT lock workstation feature defaults to on. Un-check the box.
  • There may be problems when installing GemSAFE 2.21 on a laptop running NT 4.
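As an added check (not part of the original post or of Notes itself), the script below reads the PKCS11_Library= entry from a notes.ini, loads that library and asks it via C_GetInfo which PKCS #11 version it implements, since the release note says v2.0-only libraries will not trigger the 'F5'-style logout on card removal. It assumes the library exports the C_* entry points directly (most vendor DLLs do, although the standard only guarantees C_GetFunctionList); the notes.ini fragment is constructed.

```python
import ctypes
import sys

CKR_OK = 0x000
CKR_CRYPTOKI_ALREADY_INITIALIZED = 0x191
NOTES_MIN_PKCS11 = (2, 1)   # v2.01: minor is 1 here; v2.20 would be (2, 20)

# Constructed sample notes.ini fragment (not taken from a real server).
SAMPLE_NOTES_INI = "ServerTasks=Router,Replica\r\nPKCS11_Library=c:\\WINNT\\system32\\acpkcs201.dll\r\n"

def pkcs11_library_from_notes_ini(ini_text):
    """Return the PKCS11_Library= value from notes.ini text, or None.
    notes.ini keys are case-insensitive; the value is taken verbatim."""
    for line in ini_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "pkcs11_library":
            return value.strip() or None
    return None

def meets_notes_minimum(version):
    """True when a (major, minor) cryptokiVersion is v2.01 or later."""
    return tuple(version) >= NOTES_MIN_PKCS11

def probe_library(path):
    """Load a PKCS #11 library, call C_GetInfo and return (major, minor).
    CK_INFO starts with cryptokiVersion {major, minor} as two bytes, so a
    generously sized raw buffer sidesteps the packing difference between
    the Windows (pack(1)) and Unix (native) PKCS #11 headers."""
    lib = ctypes.CDLL(path)
    rv = lib.C_Initialize(None)   # NULL args: no custom locking callbacks
    if rv not in (CKR_OK, CKR_CRYPTOKI_ALREADY_INITIALIZED):
        raise RuntimeError("C_Initialize failed: 0x%x" % rv)
    info = ctypes.create_string_buffer(256)   # comfortably > sizeof(CK_INFO)
    rv = lib.C_GetInfo(info)
    lib.C_Finalize(None)
    if rv != CKR_OK:
        raise RuntimeError("C_GetInfo failed: 0x%x" % rv)
    return (info.raw[0], info.raw[1])

if __name__ == "__main__":
    # Usage: python check_pkcs11.py [notes.ini]   (falls back to the sample)
    ini = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_NOTES_INI
    path = pkcs11_library_from_notes_ini(ini)
    if not path:
        sys.exit("no PKCS11_Library= entry found")
    ver = probe_library(path)
    verdict = "OK for Notes 6" if meets_notes_minimum(ver) else "too old: no 'F5'-style logout"
    print("%s reports PKCS #11 v%d.%02d -> %s" % (path, ver[0], ver[1], verdict))
```

Run it on the workstation (or server) where the library is installed, since the probe has to load the vendor DLL itself.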