Rohde & Schwarz R&S Trusted Disk 3.3.1 Скачать руководство пользователя страница 14 | Manualshive

Страница: 14 / 49

Rohde & Schwarz R&S Trusted Disk 3.3.1 Скачать руководство пользователя страница 14

Preparing the installation

14

Administration manual 4603.7988.02 ─ 03

3.3.1

Installing R&S

Trusted

Identity

Manager

(Standalone)

► Execute

TrustedIdentityManagerStandaloneSetup.msi

.

You have installed R&S

Trusted

Identity

Manager

(Standalone).

3.3.2

Creating a root certificate authority

The first step of creating an internal PKI is to create a root CA to validate the identity of
subordinate certificates (e.g. user certificates on smart cards).

1. Open R&S

Trusted

Identity

Manager

(Standalone).

2. Select the tab "Root Certificate".

3. Click "Create Root CA".

4. Configure the root CA.

●

Country:

Use only ISO 3166 Alpha-2 country codes, e.g. EN.

●

Common name:

This field is mandatory.

●

Email:

This field is checked while you type.

5. Click "Next" > "Execute".

Backup R&S

Trusted

Identity

Manager

(Standalone) data

To ensure access to the root CA, smart card information and all certificates in case the
administrator workstation does not work properly, we recommend creating a backup of

%username%\AppData\Local\Sirrix AG\TrustedIdentityManager

.

To install R&S

Trusted

Disk on a workstation, the root certificate of your root CA is nee-

ded (see

Chapter 4.3, "Installing R&S

on page 21). The root certificate

identifies the root CA that is used to issue certificates (e.g. user certificates on smart
cards) and validates the identity of a user.

To save the root certificate, proceed as follows:

1. Select the tab "Root Certificate".

2. Click "Export Certificate".

3. Select a destination folder.

4. Click "Next" > "Execute".

The root certificate is saved as

CACertificate.crt

.

Configuring R&S

Trusted

Identity

Manager

«
...
12
13
14
15
16
...
»

Содержание R&S Trusted Disk 3.3.1

Страница 1: ...R S Trusted Disk Standalone Administration manual Administration manual Version 03 4603798802 3 2...

Страница 2: ...Rohde Schwarz would like to thank the open source community for their valuable contribution to embedded computing 2019 Rohde Schwarz Cybersecurity GmbH M hldorfstr 15 81671 Munich Germany Phone 49 89...

Страница 3: ...tributable 11 3 2 2 PKCS 11 module 12 3 2 3 R S TD CryptoHelper 13 3 3 Configuring R S Trusted Identity Manager 13 3 3 1 Installing R S Trusted Identity Manager Standalone 14 3 3 2 Creating a root cer...

Страница 4: ...7 5 2 3 List of parameters 28 5 2 4 Structure 29 6 Advanced tasks 30 6 1 Updating R S Trusted Disk 30 6 2 Configuring the PIN policy 31 6 3 R S Trusted Disk key update 32 6 4 Stealth mode 33 6 4 1 UEF...

Страница 5: ...ers groups policies certificates and devices This document assumes basic device networking and security knowledge including the following Setup and configuration of endpoint hardware Partitioning form...

Страница 6: ...separated by angle brack ets Each UI item is enclosed in quotation marks User Authentication Local Users Settings Device Management Parameters and placeholders are capital ized in monospaced font The...

Страница 7: ...ting your network security at risk In tables and lists this annotation is indicated by NOTICE 1 4 Contact service and support We provide technical support as detailed in your service level agreement T...

Страница 8: ...n email to our Support team If you require additional support after creating a ticket you can contact our Support team by phone or email indicating your ticket ID Ticket system https myrscs rohde schw...

Страница 9: ...g smart cards Use of algorithms AES XTS 512 for encryption and SHA 2 512 for hashing Support of RSA 2048 bit 3072 bit and 4096 bit Fulfillment of compliance requirements based on audit logs in authori...

Страница 10: ...s an integrated PKI and all necessary components for per sonalizing and man aging smart cards R S Trusted Disk R S Trusted Disk Setup X X X VS NfD msi R S Trusted Disk Setup X X X eToken msi See Chapt...

Страница 11: ...g For maximum compatibility we highly recommend updating the BIOS UEFI firm ware to the newest version 3 2 Installing the middleware and dependencies All workstations need the following middleware and...

Страница 12: ...he smart card The middleware differs depending on whether you use CardOS smart cards or Gemalto eTokens CardOS API for CardOS smart cards 12 SafeNet Authentication Client for Gemalto eTokens 12 3 2 2...

Страница 13: ...is not required For more information see Chapter 5 1 FDE initialization tool on page 24 If you install the application with the parameter quiet the installation takes place with out user interaction T...

Страница 14: ...hecked while you type 5 Click Next Execute Backup R S Trusted Identity Manager Standalone data To ensure access to the root CA smart card information and all certificates in case the administrator wor...

Страница 15: ...Open CardOS Viewer b Select your card reader from the list c Click Card Initialize Card d Fill in the required information e Click OK 3 Open R S Trusted Identity Manager Standalone 4 Select the tab To...

Страница 16: ...te 3 Select the administrator s smart card 4 Click Next 5 Select the destination folder 6 Click Next Execute The administrator certificate is saved 7 Rename the exported certificate to SecurityAdminCe...

Страница 17: ...the smart card You can reset the smart card PIN with the PUK Additionally the PUK is needed to unlock the smart card if the PIN was entered incorrectly three times You can enter the PUK incorrectly up...

Страница 18: ...ot status 18 Enabling Secure Boot 18 3 4 1 Checking the Secure Boot status 1 Start Windows PowerShell with administrator rights 2 Enter Confirm SecureBootUEFI 3 Press Enter If the return value is True...

Страница 19: ...played Tip You can access the UEFI by pressing a hotkey right after you power on the workstation The hotkey differs between systems the most frequent being F2 DEL and ESC 2 In the UEFI navigate to the...

Страница 20: ...g the middleware and dependencies on page 11 The latest cumulative Windows update is needed on Windows 10 1507 10240 UEFI We only support Windows versions that are still supported by Microsoft For mor...

Страница 21: ...lid i e not expired 1 Create a folder on the workstation 2 Transfer SecurityAdminCertificate crt and the R S Trusted Disk installer to the folder 3 In the folder create a subfolder CACerts Note To ens...

Страница 22: ...rary data on a workstation Only the admin and users with permission can access an encrypted workstation using a smart card and PIN for pre boot authentica tion Contents Full disk encryption wizard 22...

Страница 23: ...iled instructions refer to the user documentation of the hardware Usually current systems offer one of the following options to activate setup mode Activating setup mode directly Deleting all pre inst...

Страница 24: ...The tool is located in the R S Trusted Disk installation folder i e C Program Files x86 Sirrix AG TrustedDisk Contents List of parameters 24 Examples 25 5 1 1 List of parameters You can execute fdeini...

Страница 25: ...FDE initializa tion tool Not VS NfD approved Initializing the full disk encryption without a smart card is not VS NfD approved 1 Start a command prompt 2 Enter the command fdeinit exe 3 Add the parame...

Страница 26: ...e l 4 Press Enter The list displays all partitions that can be encrypted with the parameter 5 Enter the command fdeinit exe 6 Add the parameter o for the directory containing owner certificates Exampl...

Страница 27: ...istrator rights in Windows The tool is located at C Program Files x86 Sirrix AG TrustedDisk InstallSBM exe 5 2 2 InstallSBM efi InstallSBM efi can be executed before Windows boots i e you need to acce...

Страница 28: ...SBM efi is located on with the command fs X X is placeholder for the respective partition number Example fs0 cd EFI RSCS InstallSBM efi help 5 2 3 List of parameters You can execute InstallSBM exe Ins...

Страница 29: ...he amount of partial write operations that could corrupt the file sys tem Reset configuration reset configuration Resets all settings to its default values Disabling logging or reducing its verbosity...

Страница 30: ...are valid i e not expired If you use intermediate CAs all CA certificates of the chain including the root CA cer tificate must be present in the CACerts folder see Chapter 4 3 1 Update the middleware...

Страница 31: ...update Manually restart the workstation Disable hybrid shutdown in your Windows settings You have updated R S Trusted Disk 6 2 Configuring the PIN policy You can require users to set up a complex PIN...

Страница 32: ...ing the smart card with R S Trus ted Identity Manager you can perform the key update with R S Trusted Disk For the system volume the key update is performed when the R S Trusted Disk application is st...

Страница 33: ...n encrypted system is not disclosed Stealth mode is supported on the following systems UEFI GPT 33 Legacy BIOS MBR 36 6 4 1 UEFI GPT 6 4 1 1 Preparing stealth mode Windows installation 1 Boot the work...

Страница 34: ...th mode Make this configuration before initializing the full disk encryption 1 Boot the workstation with the system that you want to encrypt see Chapter 6 4 1 1 Preparing stealth mode on page 33 2 Sta...

Страница 35: ...script UEFI GPT on page 45 You have prepared the workstation for its full disk encryption Full disk encryption During the full disk encryption deactivate the option Encrypt all sections so that the o...

Страница 36: ...B Boot partition Partition 2 Primary x GB First Windows partition Unpartitioned space 5 Select the first Windows partition 6 Install Windows Preparing the second Windows installation Before initializi...

Страница 37: ...tem 100 MB Boot partition Partition 2 Primary x GB First Windows partition Partition 3 Primary y GB Second Windows partition 3 Select the second Windows partition 4 Install Windows 5 When the installa...

Страница 38: ...our support team provides a rescue CD This feature is not intended to uninstall or remove R S Trusted Disk it only works for recovering data After the decryption you have the following options to rec...

Страница 39: ...rescue CD The program checks if encrypted partitions are available Note The SATA controller must be set to AHCI mode instead of RAID mode Oth erwise the rescue CD may not detect the encrypted hard di...

Страница 40: ...sts on the workstation R S Trusted Disk overwrites it during this procedure Optional manual update Run Setup exe with the following command line argument Setup exe ConfigFile C Users Default AppData L...

Страница 41: ...t card readers 46 7 1 Activating setup mode UEFI GPT Lenovo T460p 1 To access the UEFI press F1 right after starting the workstation 2 Navigate to the tab Security Figure 7 1 Lenovo T460p Secure Boot...

Страница 42: ...nter 5 Save and exit the UEFI With activated setup mode R S Trusted Disk starts the system takeover Possible Secure Boot menu items Name Value Description Secure Boot Enabled Disabled Enables or disab...

Страница 43: ...ot Enable menu item to allow R S Trusted Disk to perform the sys tem takeover A firmware update from the manufacturer might resolve this behavior For models that do not show this deviation you can ski...

Страница 44: ...rts the system takeover 12 If the pre boot authentication screen says Secure Boot is deactivated after exiting the UEFI reboot the system Figure 7 5 Secure Boot deactivated 13 To access the UEFI press...

Страница 45: ...info txt print false result foreach line in store if line StartsWith displayorder print true elseif Not line StartsWith print false if print data line Split foreach word in data if word StartsWith re...

Страница 46: ...Compatible smart card readers We recommend using the smart card reader models IDBridge CT30 IDBridge K30 or IDBridge K50 from Gemalto If you have any questions about the use of specific smart card re...

Страница 47: ...t f r Sicherheit in der Informationstechnik German Federal Office for Information Security C CA Certificate Authority F FDE Full Disk Encryption P PBA Pre Boot Authentication PKI Public Key Infrastruc...

Страница 48: ...TD CryptoHelper 13 SafeNet Authentication Client 12 P PIN policy 31 Pre boot authentication 18 22 23 Boot manager tool 27 PIN policy 31 Product description 9 Scope of delivery 9 Security features 9 R...

Страница 49: ...Index 49 Administration manual 4603 7988 02 03 Feature update 40 System requirements 20...

Отзывы:

Нет отзывов