United States Federal agencies now use a software system that allows smart card authentication to meet the HSPD-12 requirements. A U.S. Federal smart card contains the data needed to grant the cardholder access to Federal facilities and information systems. This access ensures appropriate levels of security for all applicable Federal applications.
Some Windows client computers or workstations already have PIV or CAC readers built into the keyboards.
Symantec Endpoint Protection Manager authenticates administrators who use the following types of smart cards:
Personal identity verification (PIV) card (for civilians)
Common Access Card (CAC) (for military personnel)
In FIPS mode: Symantec Endpoint Protection Manager does not support smart cards that are signed using ECDSA and RSASSA-PSS.
In non-FIPS mode: Symantec Endpoint Protection Manager does not support smart cards that are signed using RSASSA-PSS.
This step validates that the card certificate is issued by the correct authority. Then, at the point that the administrator logs on, the management server reads the smart card's certificate and validates it against these CA certificates.
To validate a certificate file, the management server checks that the certificate file is not listed in a certificate revocation list (CRL) on the Internet.
Make sure that all the root files and intermediate files are present on the administrators' computer; otherwise, the administrators cannot log on.
To configure Symantec Endpoint Protection Manager for smart card authentication
In the console, click Admin > Servers, and select the local management server name.
Under Tasks, click Configure Smart Card Authentication.
In the Specify the paths for the root and/or intermediate certificate files text box, browse to one or more certificate files, and then click OK.
Select all the certificate files you need to check for revocation. To select multiple files, press Ctrl.
If the administrator logs on to Symantec Endpoint Protection Manager remotely with the web console, they must restart the Symantec Endpoint Protection Manager service and the Symantec Endpoint Protection Manager Web service.
Step 2 (Optional): Configure the management server to perform the revocation check (Required for dark networks)
If a management server does not have Internet access, you must configure it to check for the CRL file on the management server computer instead. Without this check, administrators can still log on, but the management server cannot check the CRL file, so a revoked card certificate is not detected.
To configure the management server to perform the revocation check (dark networks only)
On this management server, open the following file: Symantec Endpoint Protection Manager installation path\tomcat\etc\conf.properties
In the conf.properties file, add smartcard.cert.revocation.ocsp.crldp.enabled=false and save the file.
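As an added example (not Symantec's code), the following Python helper audits which revocation mode a conf.properties file is in and applies the dark-network setting above idempotently. It assumes conf.properties is a plain Java properties file and that, when the property is absent, the management server performs the Internet-based check (that default is an assumption drawn from the procedure, not a documented value).

```python
"""Audit or set smartcard.cert.revocation.ocsp.crldp.enabled in SEPM's conf.properties.

Constructed helper, not Symantec's code. Assumes a plain Java properties file
(key=value or key:value lines, '#' or '!' comments) and assumes the property,
when absent, leaves the Internet CRL/OCSP check enabled. Back up the file first
and restart the management server services afterwards, as the procedure says.
"""
from pathlib import Path
import re

PROPERTY = "smartcard.cert.revocation.ocsp.crldp.enabled"
# Java properties allow '=' or ':' as the separator, with optional whitespace.
_KV = re.compile(r"^\s*([^#!=:\s][^=:]*?)\s*[=:]\s*(.*?)\s*$")


def parse_properties(text: str) -> dict:
    """Return key/value pairs; comment and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", "!")):
            continue
        m = _KV.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def revocation_mode(text: str) -> str:
    """'local-crl' when the dark-network setting is in effect, else 'internet'."""
    value = parse_properties(text).get(PROPERTY, "true")  # assumed default
    return "local-crl" if value.strip().lower() == "false" else "internet"


def set_local_crl_mode(text: str) -> str:
    """Return text with PROPERTY=false, replacing an existing line or appending one."""
    out, found = [], False
    for line in text.splitlines():
        m = _KV.match(line)
        if m and m.group(1) == PROPERTY:
            line, found = f"{PROPERTY}=false", True
        out.append(line)
    if not found:
        out.append(f"{PROPERTY}=false")
    return "\n".join(out) + "\n"


def apply(path: Path) -> str:
    """Rewrite conf.properties in place and return the resulting mode."""
    path.write_text(set_local_crl_mode(path.read_text(encoding="utf-8")), encoding="utf-8")
    return revocation_mode(path.read_text(encoding="utf-8"))


if __name__ == "__main__":
    # Constructed sample; the real file is <SEPM install path>\tomcat\etc\conf.properties
    sample = "# SEPM settings\nscm.server.port=8443\n"
    print(revocation_mode(sample), "->", revocation_mode(set_local_crl_mode(sample)))
```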
Step 3: Add an administrator account and register the smart card
This step authenticates the administrators as the users of their smart cards by setting up PIV authentication. PIV authentication requires a certificate and key pair that is used to verify that the PIV credential was issued by an authorized entity, has not expired, and has not been revoked. The PIV credential also identifies the administrator as the same individual to whom it was issued.
This step also ensures that users only need to enter their user name, insert the card, and type the smart card PIN to log on to Symantec Endpoint Protection Manager. They do not need to enter a Symantec Endpoint Protection Manager password.
Smart card authentication is not supported over IPv6.
To add an administrator account and register the smart card
In the console, click Admin > Servers > Administrators.
Add a new administrator or edit an existing administrator.
On the Authentication tab, click Enable smart card authentication.
Browse to the authentication certificate file for the PIV card or CAC for that administrator, and then click OK.
In the Confirm Change dialog box, type the administrator's password and click OK.
Follow this step for each administrator that uses a smart card to log on to Symantec Endpoint Protection Manager.
Step 4: Log on to Symantec Endpoint Protection Manager using a smart card
To log on to Symantec Endpoint Protection Manager, the administrator inserts the card into a smart card reader and types a PIN. The smart card must remain inserted in the reader while the smart card administrator is logged on and using the management server. If the administrator removes the smart card, Symantec Endpoint Protection Manager logs off the administrator within 30 seconds.
The Java console and web console support smart card authentication. The RMM console and the REST API do not support smart card authentication.