FFE doesn't encrypt for smart card users

Question

Hello, We are trying to start deploying Dell Encryption Enterprise to our laptops/tablets using Policy based FFE.  It works successfully for our users that log into the laptop with their username and password.  However, users that log into their laptop with a smart card (using standard Windows Smart Card logon, no special GINA) are not registered properly to the Dell Security Server, so the laptop doesn't encrypt. CMGShield.log has the following: [03.27.19 13:51:30:998 XmlRpcActivate.: 184 H] Activation - Sending activation request for user@domain.com [03.27.19 13:51:30:999 XmlRpcActivate.: 521 E] Setting errors to be ignored!!! [03.27.19 13:51:31:001 XmlRpcActivate.: 521 E] Setting HTTP timeouts based on value 300. [03.27.19 13:51:31:001 XmlRpcActivate.: 521 E] Setting HTTP Security Protocols (TLS 1.0,1.1,1.2 succeeded [03.27.19 13:51:31:183 XmlRpcActivate.: 207 E] Activation - Activation request failed [device server fault:0x3ec]: Invalid X509 certificate [03.27.19 13:51:31:184 Activator.cpp: 848 E] Activation - Unable to activate new user DOMAIN\USER [MS error = 1004] [03.27.19 13:51:31:184 Activator.cpp: 861 E] Activation - Verify network connectivity to the Dell Security Server at 'server.domain.com' and Dell Device Server at 'https://server.domain.com:8443/xapi/' I verified going to the server address works successfully with no certificate errors, so I think it's having an issue with the smart card certificate representing the user.  I've tested this with both a new user (not in the DDS Server), and a user that already exists in DDS, but the result is the same. Anyone have any ideas? Thanks, RMills1

dell-dale p · Accepted Answer

Hi RMills1!

It sounds like we are not able to validate the certificate or the chain of the certificate that is being provided by the client to the Dell Security Management Server. The service that handles activations, the Dell Security Server, leverages a java keystore for the certificates that it is aware of and any trusts that it may hold. This keystore will need to be updated to hold the root and the intermediate certificate that are being used in the chain for the smartcard certificates that have been issued to your users for login.

To update this, we can leverage keytool that is built into the Dell Security Management Server to import the certificate into the keystore. This KB Article, specifically under the section of "Dell Data Protection | Enterprise Edition Configuration" should point you in the right direction: https://www.dell.com/support/article/us/en/19/sln303783

I will work with the team to separate this section out to its own KB article and get a bit more detail around why this may be needed.

Let us know if this does or does not work for you!

RMills1 · Answer

Hey Dale,

Thanks for the response. You were right, and it's working now that I've added the root and intermediate CA certificates to the cacerts keystore. The only catch was that the article is for Windows, and I use the virtual edition running on Linux, so the paths were different. It was easy enough to find though. /opt/dell/server/security-server/conf/cacerts

Now to go upgrade from 10.1 to 10.2.1!

Thanks,

RMills1

Dell Data Security

Was this post helpful?