• FAQ

Information Sources

Where to buy an eToken?

http://www.lsexperts.de In fact the LSE is an offical Aladdin reseller.

Where can I get an eToken for testing?

Getting eTokens and an the middleware for testing at http://www.aladdin.de/produkte/usbtoken_esecurity/etoken_teststellung.html

What is the current version of the middleware?

The current version of the Linux middleware is 4.55.

What is opensc?

Learn more about opensc http://www.opensc-project.org/

You will have to decide if you are using the Aladdin middleware or opensc/openct. They use different formats/containers to store the information on the eToken.

Nevertheless if using the Aladdin middleware you can still use many usefull tools from the opensc project like:

• pkcs11-tool to read and write information from/to the eToken

• pam_pkcs11 to authenticate to your machine (you will have to use libetpkcs11.so as pkcs11-module)

• opensc-engine to use the eToken with openssl (you will have to use libetpkcs11.so as pkcs11-module)

Where can I get the Aladdin eToken middleware / eToken driver?

The Aladdin eToken Middleware is also a software that needs to be licensed.

If you already use your eTokens under Windows, you probably will have licensed the Windows drivers and got your windows drivers from your reseller. So your reseller should be the right guy to also ask for the eToken middleware for Linux. He will provide you the middleware on Aladdin's website https://lc.aladdin.com.

If - for some strange reason - you have purchased your eToken as hardware only, you need to license the drivers and - at least theoretically - pay the drivers.

If you need the drivers for your own personal use or testings drop us a note and tell us, what is your situation and what you plan to do. We can provide you with this software. <cornelius.koelbel AT lsexperts DOT de>

How can I reset my eToken?

If you are totally screwed up, you can still reset your eToken to the factory defaults. That is if

• you did not activate FIPS mode
• and you did not change the format password

Then you can use the new Aladdin Linux Middleware 4.55 to intialize the eToken. After this, the eToken will be in the same state like when it left the shop.

eToken hardware and software

What eTokens are available?

There are the eToken R2, which does not have a real smartcard inside, but an eeprom. The eToken R2 is not supported by Linux and maybe will never be.

Then there is the eTokenPRO, which we are talking about. This one has a real smartcard inside and is supported by the Linux driver. It comes in many different ways: the eTokenPRO USB 16k, 32k, or 64k. The tokens differ in the smartcard chip inside, the speed and the memory for storing the certificates. The eToken comes with CardOS 4.01, 4.20 or 4.2B.

The eTokenNG OTP has a real smartcard inside like the eTokenPRO and additionally an OTP generator. Using a new Aladdin driver you can also use this Token under Linux.

The eTokenNG Flash is also the same smartcard like in the eTokenPro but it also combines a flash memory on the same device with up to 2 GB of memory.

The eToken Pro (Java) is a new smartcard, not the infineon chip anymore - no CardOS. It is an Athena OS755 and supports 2048bit size.

All eTokens are supported with the current middleware.

What software is available?

So what is this middleware thing... and the driver, and the RTE or PKI Client? There is only one package for your eToken provided by Aladdin. This is the nowadays so called PKI Client. Once it was called middleware. And on Windows systems it was called RTE (Run Time Environment) and for a short while also called RTE on Linux. But today Aladdin likes to call it PKI Client.

Supported Distributions

PKI Client 3.65

officially

The officially supported distributions are at the moment with the current driver

• Fedora Core 4

• RHEL 4

• SuSE Linux 9.3.

unofficially

• Gentoo: It was also reported, that the eToken driver was running under Gentoo.

• Debian Sarge 3.1 and Etch 4.0: If you are using the RHEL4-drivers, you can also use the eToken under Debian 3.1. There is a HowTos/eToken_on_debian.

• Fedora Core 5: Runs with install script by LSE -> HowTos/eToken_and_uDev.

• Fedora Core 6: The eToken (Aladdin's pkcs11 lib) runs fine with the Firefox on Fedora Core 6 test 2. -> HowTos/FC6.

• Ubuntu 5.10: Make a link to satisfy the dependencies of pcsc-lite. etokend will expect pcsc-lite 1.2.0, althoug you will have 1.2.9. Using 1.2.9 and using the link will only work for Firefox and Thunderbird. If you want to use pam_pkcs11, you need to roll back to 1.2.0. Anyway, if you want to use eTokenPro 64K you need to compile pcscd anew.

• Ubuntu 6.06 LTS: Successfully tested with the pkcs11-Interface of firefox. You have to apply the same changes like for Fedora Core 5.

• Ubuntu 7.04 and Ubuntu 7.10: You have to apply the same changes (udev) like for Fedora Core 5.

• SUSE LINUX 10.1: Runs with install script by LSE-> HowTos/eToken_and_uDev.

PKIClient 4.55

officially

There are two install packages available:

• pkiclient-full_4.55-24_i386.deb

  • Debian

  • Ubuntu

  • Kubuntu

• pkiclient-full-4.55-19.i386.rpm

  • RHEL WS 4 and 5

  • SuSE Linux 10.2 and 10.3

  • Fedora 6 and 7

unofficially

These distribution were kindly reported by users to work. But note that there is no official support for these distributions by Aladdin.

• Gentoo Linux, Kernel 2.6.21, pcsclite 1.4.2, pki client 4.55-34, make aks-bundle visible for pcsc-lite by copying eToken/drivers/aks-ifdh.bundle to /usr/lib/readers/usb. Thanks to Maciek Pietka

• Ubuntu 8.10 comes with pcscd 1.4.102. The pki client does not work with this pcscd version. Downgrade to 1.4.99 taken from ubuntu 8.04. (Quick and dirty just copy the binary pcscd)

If you manage to run the eToken with the Aladdin eToken driver on any other platform, please drop us a note.

Changes from 3.65 to 4.x

Installation

eToken will not work after reboot

In some cases the eToken will not work after rebooting your system. This can be due to the fact, that your pcscd is not running. The installation of pki-client does not configure the pcscd to start automatically.

pcsc-lite: PCSCLITE_ENHANCED_MESSAGING

In version 1.2.0 of pcsc-lite you have to define the PCSCLITE_ENHANCED_MESSAGING to use 2048 bit RSA keys. This has changed in version 1.3.0. To turn on 2048 bit support you have to use the configure option --enable-extendedapdu.

Cannot compile pcsc-lite 1.2.0

If you get this kind of error message:

./.libs/libpcsclite-core.a(libpcsclite_core_la-configfile.o): In function `yylex':/root/pcsc-lite-1.2.0/src/configfile.c:828: undefined reference to `yywrap'

Your installation is missing the package flex. Install it and start over

make clean && ./configure && make

Is it possible to use the Aladdin PKSC11 library without opensc and pcsc lite?

When using the Aladdin middleware you always need the pcscd. The Aladdin middleware does not only provide the pkcs11 lib but also a ifd handler, which links into the pcscd. When using Aladdin middleware you do not need opensc at all. But you can gracefully use opensc-parts for additional functionalities like: - pam_pkcs11 for login - pkcs11_engine for openssl

Should I install pcsc lite that come with my distribution or from source?

You can install pcscd from your distibution's repositories.

eToken handling

How can I change my eToken password (RTE 4.55)

Either you use the cute GUI or - if you are on a server without X you do this

# pkcs11-tool --module /usr/lib/libeTPkcs11.so --slot 0 --change-pin --login
Please enter the current PIN:
Please enter the new PIN:
Please enter the new PIN again:
PIN successfully changed

How can I get the Key ID?

with RTE 3.65

When using e.g. openssl you need to know the Key ID of your private Key to address it. You can use the Aladdin tool etckdump to find the corresponding key id.

etckdump --slot=0 -v1 --pin=XXX

Will show you all the objects on the token. Now search for the CKA_ID of the Object Private Key.

It could look like this

CKA_ID size:1,              45

or this

CKA_ID size:38,             39 45 39 45 37 33 35 31       9E9E7351
                            2d 33 35 45 44 2d 34 30       -35ED-40
--snip--

with RTE 4.55

There is no etckdump with RTE 4.55 anymore. But you can use pkcs11-tool like this:

pkcs11-tool --module /usr/lib/libeTPkcs11.so --slot 0 -O --login

In the ouput search for a private key object and its ID.

Private Key Object; RSA
  label:      eTCAPI private key
  ID:         39453945373335312d333545442d343031612d384637302d3238463636393036363042303a35
  Usage:      decrypt, sign, unwrap

How can I use the Token with mozilla et. al.?

With the middleware 3.65 you have to add the file /usr/local/lib/libetpkcs11.so as a new crpyto module to your firefox or thunderbird. If you are using middleware 4.55 you need to add /usr/lib/libeTPkcs11.so.

What about 2048bit RSA keys?

CardOS 4.01 only supports 1024 bit.

CardOS 4.20 supports 1024 bit and supports 2048bit RSA keys, when you initialized the eToken with the 2048Bit-Module. This can be done using the Windows program eToken Properties. There you have to initialize the Token with this addional paramter for the 2048bit Support.

After having initialized the eToken under Windows for this purpose you can use all the 2048 bit keys with the eToken under Linux.

CardOS 4.2B supports 2048bit RSA keys right aways without having to initialize or install anything.

JavaCard eTokens support 2048bit RSA keys.

How can I use the eToken for login

Try pam_pkcs11, which is needed to Login via eToken http://www.opensc-project.org/pam_pkcs11/ Then continue reading our Howto HowTos/eToken_on_Linux

How can I roll out a certificate to the eToken?

openca can be used, to rollout your certificates to the eToken http://www.openca.org

with the pkcs11 engine from the opensc project you can now also use openssl at the command line to roll out the eToken.

how do I initialize the eToken and what is the default User PIN?

The eToken is initialzed with the Aladdin tool etckinit The default user pin will be "1111". Please note, that the default user PIN under windows is 1234567890

Using the GUI with pki client 4.55 you can set your preferred default PIN when initializing the eToken.

How to restart all the necessary services?

RTE 3.65

If due to excessive playing everything is screwed up, you can restart all the necessary services

• etokend
• pcscd
• etsrvd

  /etc/init.d/etsrvd stop
  /etc/init.d/pcscd stop
  /etc/init.d/etokend restart
  /etc/init.d/pcscd start
  /etc/init.d/etsrvd start

PKI Client 4.55

There is the start script/etc/init.d/eTCacheMarkerwhich could be restarted. And there is the tray icon thePKIMonitor.

Errors

All token stuff is scrambled (3.65)

If you get such an output:

[root@computer ~]# etckdump --slot=0
Dumping token "`^|mù¸ù´Õ]ô" in slot #0
Free public memory  = 134552844
Free private memory = 1293053
Skipping C_Login (use etckdump --pin | --pinhex | -h)
Found 0 Objects
etckdump complete

It will be likely that you got some problems with your pcscd. Check if pcscd is running and if your /etc/readers.conf is setup correctly. When everything is fine, you will get such an output:

[root@computer ~]# etckdump --slot=0
Dumping token "koelbel                         " in slot #0
Free public memory  = 34384
Free private memory = 34384
Skipping C_Login (use etckdump --pin | --pinhex | -h)
Found 7 Objects
etckdump complete

Note: Sometimes also a reboot would work to bring the daemons into the right order.

The eToken will work only once (3.65)

If your eToken will work only once after you have started the etokend, then you got some problems with your hotplug. The middleware 3.60 is using hotplug and the socket /tmp/.etokend.

If you got a distribution running udev, please take a look at HowTos/eToken_and_uDev.

failed rv=00000012-CKR_ATTRIBUTE_TYPE_INVALID

The CKA_OBJECT_ID, which is 0x00000012, is defined starting with version 2.10 of the PKCS11 Spec. The libetpkcs11 does not know about it.

symbol lookup error: /usr/lib/libQtSql.so.4 (4.55)

With RTE 4.55 you might get errors like

 symbol lookup error: /usr/lib/libQtSql.so.4: undefined symbol:
_ZN14QObjectPrivate15checkWindowRoleEv

If you take a look at /usr/lib/eToken you will see, that the pki client package brings some own Qt libraries. These might collide with the libs of your system. You might manage to solved it this way:

• remove the file /etc/ld.so.conf.d/etoken-ld.conf or uncomment the lib path in it

• do an ldconfig

• you might need to restart the eToken pki client apps.
  • (tested on ubuntu 8.04 and pki client 4.55)

Windows

How do I logon with the eToken to microsoft windows

Sorry for this questions. Some guys have a windows client left. ...why? Can't tell

Logging into windows using the eToken (Smartcard) and a certificate stored on it, is a bit different. By default MS Windows only allows logging in with a certificate/smartcard when the computer is a member of a domain. You need a CA to issue a windows logon certificate to your eToken. The CA also needs to issue a domain controller certificate to your domain controller. Otherwise you will not be able to logon, as the domain controller needs to be addresses via LDAPS. If these things are fullfilled you can easily logon with the eToken to windows XP or Vista without having to install anything but the Aladdin RTE.