
Configure the smart card PIN reset plugin

The scpinplugin program works with the ActiveX control HISCPINToolAX.ocx to reset smart card PINs. PIN strength is checked against a combination of rules specified in a configuration file and, optionally, the Bravura Pass password policy.

HISCPINToolAX.ocx is shipped with Bravura Security Fabric in the \<instance>\wwwdocs\ directory. The control is installed on the user's workstation the first time the browser loads a page that uses it.

You can customize the user interface text in the plugin-scpinmanage.m4 file. You can also modify the ActiveX control's result messages in the RESULT_MESSAGES section of the same m4 file. See Customizing skins for more information.

Requirements

The scpinplugin requires a configuration file that specifies the PIN strength rules. These rules can be combined with the Bravura Security Fabric password policy when the Password Manager service (idpm) is installed and configured.

The following sample file, scpinplugin.cfg, is included in the samples\ directory.

#KVGROUP-V2.0
config "scpincgiplugin" = {
  Hosts = {
    "AD" = {
      CLASSID = "clsid:be43e0e9-9d20-4f53-a5ee-4043fd10e1c9";
      CODEBASE = "HISCPINToolAX.ocx#version=1,0,0,1";
      CLASSID_X64 = "clsid:be43e0e9-9d20-4f53-a5ee-4043fd10e1c9";
      CODEBASE_X64 = "x64/HISCPINToolAX.ocx#version=1,0,0,1";
      TITLE = "Bravura Pass Smartcard";
      SEARCHDESC = "Please Insert Bravura Pass Smartcard";
      CARDNAME = "Bravura Security Smartcard|Raak Technologies C2-40";
      UILEVEL = 0;
      EXTINIT = "";
      EXTCHANGEPIN = "";
      EXTRESETPIN = "";
      EXTRESPONSE = "3des.exe -e \"%USERID%\" \"%HOSTID%\" \"%OLDPIN%\" \"%NEWPIN%\"";
      PushPassTimeOut = "60";
      PINManagementUITag = "SCPIN_BUTTONS_HTML";
      PINStrength = {
        AcceptRegExp = "^[0-9a-zA-Z].*$";
        RejectRegExp = "";
        TargetId = "AD-SMARTCARD";
        };
      };
    };
  };
};

Where:

  • If the configuration file does not contain a PINStrength block, the PIN strength test is bypassed: scpinplugin.exe accepts any PIN, but the smart card ActiveX control may still fail if the card rejects the PIN.

  • If AcceptRegExp is empty or absent, any input is accepted. If there is more than one AcceptRegExp, a PIN passes the strength test if it matches any one of them. Note that the sample pattern ^[0-9a-zA-Z].*$ constrains only the first character; a production rule set should be stricter.

  • If RejectRegExp is empty or absent, no input is rejected by this rule. If there is more than one RejectRegExp, the PIN is rejected if it matches any one of them.

  • If TargetId is not empty, the PIN must also pass the strength test on the Bravura Pass server, which is performed by calling the Password Manager service.

  • The external program defined by EXTRESPONSE computes the smart card's response string to the challenge and writes it to stdout. The smart card vendor should supply or configure this binary. In the sample configuration the %USERID%, %HOSTID%, %OLDPIN% and %NEWPIN% placeholders are expanded and passed to the program as command-line arguments; because this includes the old and new PIN, restrict who can inspect process listings on the host that runs it.

    For security reasons, any time the external program is used to calculate a challenge/response for a PIN reset, the event is logged.

The Password Manager service must be running on the Bravura Pass server in order for resets to succeed.
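The following is an added example, not part of the product or of this page, that implements the AcceptRegExp/RejectRegExp semantics described above so you can see what a given PINStrength block actually enforces before deploying it. SAMPLE_RULES mirrors the PINStrength block of the sample scpinplugin.cfg; STRICT_RULES is a hypothetical tighter policy written for this example. The regex dialect of the real plugin is not documented here, so Python's re module is assumed, and the candidate PINs are constructed.

```python
import re

# SAMPLE_RULES mirrors the sample scpinplugin.cfg above: one AcceptRegExp that
# only constrains the first character, and an empty RejectRegExp.
SAMPLE_RULES = {
    "AcceptRegExp": [r"^[0-9a-zA-Z].*$"],
    "RejectRegExp": [""],
}

# STRICT_RULES is a hypothetical tighter policy (an assumption for this
# example, not a product default): 6 to 8 digits, rejecting a single
# repeated digit and PINs that open with an ascending or descending run of four.
STRICT_RULES = {
    "AcceptRegExp": [r"^[0-9]{6,8}$"],
    "RejectRegExp": [
        r"^(.)\1+$",
        r"^(?:0123|1234|2345|3456|4567|5678|6789)",
        r"^(?:9876|8765|7654|6543|5432|4321|3210)",
    ],
}


def _patterns(rules, key):
    """Return the non-empty patterns under key; an empty string counts as absent."""
    return [p for p in rules.get(key, []) if p]


def pin_passes(pin, rules):
    """Evaluate a PIN against a PINStrength block.

    rules is None        -> no PINStrength block: the test is bypassed.
    no AcceptRegExp      -> the accept rule admits any input.
    several AcceptRegExp -> the PIN must match at least one of them.
    no RejectRegExp      -> the reject rule rejects nothing.
    several RejectRegExp -> the PIN is rejected if it matches any of them.

    Returns (passed, reason). Python's re dialect is assumed here.
    """
    if rules is None:
        return True, "no PINStrength block: strength test bypassed"
    accept = _patterns(rules, "AcceptRegExp")
    reject = _patterns(rules, "RejectRegExp")
    if accept and not any(re.search(p, pin) for p in accept):
        return False, "matched no AcceptRegExp"
    for p in reject:
        if re.search(p, pin):
            return False, f"matched RejectRegExp {p}"
    return True, "ok"


# Constructed candidate PINs, chosen to expose what each rule set checks.
CANDIDATES = ["123456", "1!!!!!", "!23456", "a1b2c3", "482917", "777777", "98765432"]


def evaluate(rules, candidates=CANDIDATES):
    """Map each candidate PIN to its pass/fail result under the given rules."""
    return {pin: pin_passes(pin, rules)[0] for pin in candidates}


if __name__ == "__main__":
    for name, rules in (("sample", SAMPLE_RULES), ("strict", STRICT_RULES)):
        print(f"--- {name} rules ---")
        for pin in CANDIDATES:
            ok, why = pin_passes(pin, rules)
            print(f"{pin:10} {('PASS' if ok else 'FAIL'):5} {why}")
```

Under SAMPLE_RULES every candidate except "!23456" passes, including "1!!!!!" and "777777", which is the practical consequence of anchoring only the first character. Keep in mind that this local check runs before any server-side policy: when TargetId is set, a PIN that passes here is still subject to the Password Manager service's test.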

Usage

The scpinplugin CGI plugin is run by the:

  • Help users (IDA) module when configured by the A RESET EXT plugin point

  • Change passwords (PSS) module when configured by the S CHANGE EXT plugin point

See Providing HTML to the Change passwords pages for more information about these plugin points.

Troubleshooting

ActiveX controls

Current ActiveX controls execute only in the 32-bit version of Internet Explorer. The card provider's 32-bit drivers must be installed on the workstation in order to perform a PIN change or PIN reset.

404 error during DLL download

If an HTTP 404 error appears when you download the ocx directly from http(s)://<server>/<virtual directory>/docs/HISCPINToolAX.ocx, verify that IIS has no handler mapping for the .ocx extension, such as an ISAPI filter. If a mapping exists, remove it for the docs folder.

Using target ID to check PIN strength

If you use TargetId to check PIN strength, you must configure the Password Manager service to accept requests from localhost (127.0.0.1).

To do this:

  1. Click Manage the system > Maintenance > Services > Bravura Security (idpm) Password Manager Service.

  2. Configure the value for Comma-delimited list of IP addresses with CIDR bitmask that are allowed to send socket requests so that it includes the loopback address (for example, 127.0.0.1/32).