Managing Smartcards with Hard Token Management Framework


News: Managing Smartcards with Hard Token Management Framework

  1. After long and heavy development, the first beta of the Hard Token Management Framework and its first application suite 'ToLiMa' has been released. Hard Token Management Framework is used to manage the complete lifecycle of an organization's smartcards and/or USB dongles. It communicates with the tokens through a PKCS#11 interface, so it is possible to change hardware as long as it is supplied with a good implementation of PKCS#11. It comes along with ready-made modules that can be composed to fit the needs of the organization. The Hard Token Management Framework is an add-on to EJBCA Certificate Authority ( . The framework uses client-certificate-authenticated web service calls (JAX-WS) to perform the operations on the CA side. The current application suite of modules using the Hard Token Management Framework, 'ToLiMa', has the following features:
    • Issue tokens, regular, temporary and project
    • Unlock PIN of a token without exposing the PUK code for the users or administrators
    • Revoke lost cards
    • Renew expiring cards
    • Activate cards in the organizations systems
    It is also possible to issue and unlock tokens on an approval basis, used in scenarios where no token administrator is available (for instance in 24/7 operational environments). Then it is possible for a colleague of the end user to generate a request for the action, which is sent to a central support unit for review and approval.

  2. "Currently is IE the only browser supported" - that means you've got serious issues from the architectural point of view.
  3. Alex, I hope you know what you are talking about, but I think you underestimate the complexity of provisioning smartcards using the browser. It is not just spitting out valid XHTML. It is all about communicating with the smartcard (readers) etc. Supporting multiple browsers is not straightforward! Development team: the Flash demo is impressive! My compliments, Richard
  4. Complexity...

    I don't think we underestimate the complexity. This is why the "Hard Token Management Framework" is just a framework, which is not dependent on any browser. You can just as easily code a Java application doing the same stuff, without browsers. Everything with smartcards is imho quite complex and depends on a lot of factors, so you really have to use and test the framework in the intended environment, where for example you only have to support one browser. Communication with the smartcard is done using PKCS#11, and here too you need a PKCS#11 module that is capable enough together with your smart card, so you have to test your specific setup (or use one already tested by the project). Having said this, the Flash demo is taken from the actual running application, so it does work very nicely in this restricted environment. But yes, you will probably need very good knowledge about smart cards to use the framework successfully, due to the overall complexity involved in basically all smart card related stuff. Cheers, Tomas
  5. Re: Complexity...

    Hi Thomas, Just to be clear. My response was a reply to the message from Alex. Not your work. From the demo it was clear to me that you know what's involved. Richard
  6. Re: Complexity...

    Hehe ok, my misunderstanding :-)
  7. Only IE supported

    No, there is no architectural issue; it is an issue of the Java plug-in for applets. The ToLiMa application is an applet that uses the same certificate as the browser authenticates with to issue web service calls. For some reason this only works in IE. This can be done in various other ways though, depending on the specific use case and requirements. The framework itself is completely browser independent, and ToLiMa could be run as a Java application instead, using a smart card to authenticate the web service calls. (Information just retrieved from the actual author, Philip, which is not me...) Cheers, Tomas
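    The second option Tomas mentions, a stand-alone Java client that authenticates its web service calls with the smart card instead of borrowing the browser's certificate, looks roughly like the following. This is an added example, not code from the Hard Token Management Framework or ToLiMa: it uses the JDK's standard SunPKCS11 bridge so that the token's keystore supplies the client certificate and the TLS handshake signature is computed on the card, leaving the private key on the token. The PKCS#11 config path, truststore path, service URL and PIN prompt are placeholders; Java 9 or later is assumed for `Provider.configure()`.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not HTMF/ToLiMa code): build an SSLContext whose client
 * identity lives on a PKCS#11 token, then call an HTTPS endpoint with it.
 * Java 9+ is assumed for Provider.configure(); on Java 8 construct
 * sun.security.pkcs11.SunPKCS11 with the config path instead.
 */
public class TokenAuthenticatedClient {

    /** Load the SunPKCS11 bridge for the vendor's PKCS#11 library (config path is a placeholder). */
    public static Provider loadPkcs11Provider(String configPath) {
        // configPath names a small text file such as (placeholder values):
        //   name = ToLiMaToken
        //   library = /usr/lib/opensc-pkcs11.so
        //   slotListIndex = 0
        Provider p = Security.getProvider("SunPKCS11").configure(configPath);
        Security.addProvider(p);
        return p;
    }

    /** Client keys come from the token; server trust comes from an ordinary truststore file. */
    public static SSLContext tokenSslContext(Provider p, char[] pin,
                                             String truststorePath, char[] truststorePassword)
            throws Exception {
        KeyStore tokenKeys = KeyStore.getInstance("PKCS11", p);
        tokenKeys.load(null, pin);                       // C_Login with the user PIN
        for (String alias : Collections.list(tokenKeys.aliases())) {
            System.out.println("token holds: " + alias
                    + (tokenKeys.isKeyEntry(alias) ? " (private key + cert)" : " (cert only)"));
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(tokenKeys, pin);   // only key handles are held; the card signs CertificateVerify

        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(Paths.get(truststorePath))) {
            trust.load(in, truststorePassword);          // only the CA behind the WS endpoint is trusted
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        Provider p = loadPkcs11Provider("/etc/tolima/pkcs11.cfg");             // placeholder path
        if (System.console() == null) {
            throw new IllegalStateException("run from a terminal so the PIN is not passed on the command line");
        }
        char[] pin = System.console().readPassword("Token PIN: ");
        SSLContext ctx = tokenSslContext(p, pin, "/etc/tolima/ca-trust.jks",  // placeholder path
                                         "changeit".toCharArray());
        Arrays.fill(pin, '\0');                          // PIN is no longer needed once logged in

        // Any HTTPS client that accepts an SSLSocketFactory now does mutual TLS with the card.
        URL endpoint = new URL("https://ca.example.org/ws");                   // placeholder URL
        HttpsURLConnection conn = (HttpsURLConnection) endpoint.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setRequestMethod("GET");
        int status = conn.getResponseCode();
        java.security.cert.Certificate[] sent = conn.getLocalCertificates();
        System.out.println("HTTP " + status + ", client cert presented: "
                + (sent == null ? "none" : ((X509Certificate) sent[0]).getSubjectX500Principal()));
    }
}
```

    A JAX-WS port generated from the CA's WSDL takes the same socket factory: with the JAX-WS reference implementation this is the `JAXWSProperties.SSL_SOCKET_FACTORY` entry in the port's `BindingProvider` request context (an RI-specific property, other stacks expose their own). The point to keep is that the card, not a file on disk, holds the credential that authorises lifecycle operations against the CA.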
  8. Is this going to work with most of the card readers that support PKCS#11? I think most cards store cryptographic information using the PKCS#11 RSA standard, right? Regards, Shabbir
  9. PKCS11

    Yes, it would work with most *smart cards* that support PKCS#11, if the PKCS#11 module is good enough. There might be a lot of PKCS#11 modules that do not implement all the functionality needed to generate keys etc. Probably all card readers will be supported, since today they all use the standard PC/SC interface. The PKCS#11 module will use PC/SC to be independent of the card reader, but it will be dependent on the smart card. There might be other problems with card readers though; for example, to support 2048 bit you will probably need a very new card reader, since older ones will not support that. Cheers, Tomas
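    Tomas's advice in the two replies above, that the PKCS#11 module and card (and, for larger keys, the reader) have to be tested together because many modules do not implement everything a lifecycle tool needs, can be turned into a small pre-rollout check. The following is an added example, not part of the framework: it loads one PKCS#11 module through SunPKCS11, lists the algorithms the module reports, then tries on-card RSA key generation at several sizes and a sign/verify round trip with each generated key. The config path and PIN prompt are placeholders; Java 9 or later is assumed for `Provider.configure()`.

```java
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.Provider;
import java.security.ProviderException;
import java.security.SecureRandom;
import java.security.Security;
import java.security.Signature;
import java.security.interfaces.RSAKey;
import java.util.Arrays;

/**
 * Added example, not HTMF code: exercise the operations a token lifecycle
 * tool depends on (on-card RSA key generation at a given size, signing with
 * the generated key) against one PKCS#11 module, so an unsuitable
 * module/card/reader combination is caught before rollout.
 */
public class Pkcs11TokenProbe {

    public static Provider loadPkcs11Provider(String configPath) {
        Provider p = Security.getProvider("SunPKCS11").configure(configPath); // Java 9+
        Security.addProvider(p);
        return p;
    }

    /** Algorithms SunPKCS11 enabled after reading the module's mechanism list. */
    public static void listServices(Provider p, String type) {
        for (Provider.Service s : p.getServices()) {
            if (s.getType().equals(type)) {
                System.out.println(type + ": " + s.getAlgorithm());
            }
        }
    }

    /**
     * Try to generate an RSA key pair of the requested size on the card.
     * SunPKCS11 creates session objects here, so nothing persists on the token.
     * Returns null when the module or card refuses (no C_GenerateKeyPair,
     * unsupported modulus length, reader limitation, ...).
     */
    public static KeyPair tryGenerateRsa(Provider p, int bits) {
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", p);
            kpg.initialize(bits);
            KeyPair kp = kpg.generateKeyPair();
            int actual = ((RSAKey) kp.getPublic()).getModulus().bitLength();
            if (actual != bits) {
                System.out.println("RSA-" + bits + ": card returned a " + actual + "-bit key");
                return null;
            }
            return kp;
        } catch (GeneralSecurityException | ProviderException | IllegalArgumentException e) {
            System.out.println("RSA-" + bits + " generation failed: " + e);
            return null;
        }
    }

    /** Sign a random challenge on the card, verify in software; false means unusable for authentication. */
    public static boolean signRoundTrip(Provider p, KeyPair kp) {
        try {
            byte[] challenge = new byte[32];
            new SecureRandom().nextBytes(challenge);
            Signature signer = Signature.getInstance("SHA256withRSA", p);   // runs on the card
            signer.initSign(kp.getPrivate());
            signer.update(challenge);
            byte[] sig = signer.sign();
            Signature verifier = Signature.getInstance("SHA256withRSA");    // default software provider
            verifier.initVerify(kp.getPublic());
            verifier.update(challenge);
            return verifier.verify(sig);
        } catch (GeneralSecurityException | ProviderException e) {
            System.out.println("signing failed: " + e);
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        Provider p = loadPkcs11Provider("/etc/tolima/pkcs11.cfg");   // placeholder path
        char[] pin = System.console().readPassword("Token PIN: ");
        KeyStore.getInstance("PKCS11", p).load(null, pin);           // logs in; private-object operations need it
        Arrays.fill(pin, '\0');

        listServices(p, "KeyPairGenerator");
        listServices(p, "Signature");
        for (int bits : new int[] {1024, 2048, 4096}) {
            KeyPair kp = tryGenerateRsa(p, bits);
            String verdict = kp == null ? "NOT usable"
                    : signRoundTrip(p, kp) ? "generate+sign OK" : "generated, but signing failed";
            System.out.println("RSA-" + bits + ": " + verdict);
        }
    }
}
```

    Because the probe goes through the reader, a failure at 2048 or 4096 bits may come from the card, the module or the reader, which is exactly why it should be run on the reader model that will be deployed rather than on a developer's machine.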
  10. HMFT with eToken

    I tried to use HMFT with eToken Pro, but unfortunately it is not supported; however, by modifying some classes I got it to work, although not 100%. It still needs some work.

    I explained how to use PKCS#11 to write a new Token Class for HMFT at my blog: , hope it helps.