SmartCard

This section controls the smart card policy.

CalculateUsedTime

This entry specifies whether the execution time on the smart card should be written to the trace.

0

Will not calculate and write card execution time

1

Will calculate and write card execution time

Default value is 1; will calculate and write execution time.

This time may be misleading when measuring small time differences, since most of the time may be spent writing to the trace rather than executing on the card.

CommandChaining

Command chaining is activated when 256 or more bytes are sent to the smart card. This parameter may be used to set a lower threshold so that command chaining is activated earlier.

X

The number of bytes at which command chaining starts

Default value is 0; command chaining is activated when needed (at 256 bytes).

CreateUpdateCounter

This entry enables/disables creation of the update counter as soon as a user has logged in to the smart card.

0

Update counter created when updating objects

1

Update counter created at logon

Default value is 0; the update counter is created when another object is created or updated.

The update counter is needed for public object caching; without an update counter performance may suffer, since public objects may be read from the card unnecessarily.

DefaultProfile

All smart card profiles have a detection mechanism built into their specification, but this parameter may be used to select a profile for a card that does not use the standard detection mechanism. Currently, only "PKCS#15" and "ISO7816-15" are supported.

Default value is none; profiles are found according to specifications.

MaxProfiles

The card profile is detected after card type detection. Some smart cards have multiple profiles on the same card that should be loaded in parallel. This parameter specifies the maximum number of profiles that may be detected.

MaxProfiles=4

Default value is 4; the same value as the maximum number of PINs (currently 4).

NoDiskCache

This entry is used to disable writing the card cache file to disk. The SSO service will be used for the card cache if it is available.

0

Card cache will be written to disk

1

Card cache will not be written to disk

Default value is 0; card cache will be written to disk.

ObjectSortMode

This entry sets the sorting mode for the certificates on a smart card. Some applications use the first returned certificate as the default certificate, so this setting effectively selects the default certificate.

0

none → Certificates are returned in stored order

1

day → Certificates are returned in newest order based on day

2

second → Certificates are returned in newest order based on seconds

Default value is 2; sorting based on seconds.

The sorting order also specifies the default behavior for different versions of Net iD Enterprise. Value 0 is the behavior for version 5.3 and earlier, value 1 is the behavior for version 5.4 to 5.5, and value 2 is behavior for version 5.6 and later.
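The three orderings, as an added Python example that is not Net iD Enterprise code: it sorts a constructed list of certificates by the same three modes and reports which one an application that takes the first certificate would treat as the default. It assumes "newest" refers to the certificate's notBefore time and that certificates with equal keys (the same day in mode 1) keep their stored order; the page states neither.

```python
"""Added example, not Net iD Enterprise code: reproduce the three ObjectSortMode
orderings and show which certificate a first-certificate-wins application
would use as its default."""
from datetime import datetime

# Constructed sample: (label, notBefore) in the order stored on the card.
# Assumption: 'newest' refers to the certificate's notBefore time.
STORED_ORDER = [
    ("auth-old", datetime(2023, 1, 10, 9, 0, 0)),
    ("sign-new", datetime(2024, 3, 5, 8, 15, 0)),
    ("auth-new", datetime(2024, 3, 5, 14, 30, 0)),  # same day as sign-new, later
]


def sort_certificates(certs, mode):
    """Return certificates in ObjectSortMode order (0 none, 1 day, 2 second).

    sorted() is stable, so certificates with equal keys keep their stored
    order; that tie-break is an assumption, the page does not state one.
    """
    if mode == 0:
        return list(certs)
    if mode == 1:
        key = lambda cert: cert[1].date()   # day granularity: same-day certs tie
    elif mode == 2:
        key = lambda cert: cert[1]          # full timestamp: later second wins
    else:
        raise ValueError(f"unknown ObjectSortMode {mode}")
    return sorted(certs, key=key, reverse=True)


def default_certificate(certs, mode):
    """Label of the first certificate returned, i.e. the application default."""
    return sort_certificates(certs, mode)[0][0]


if __name__ == "__main__":
    for mode in (0, 1, 2):
        order = [label for label, _ in sort_certificates(STORED_ORDER, mode)]
        print(f"ObjectSortMode={mode}: {order} -> default {order[0]}")
```

With the sample above, mode 0 defaults to the oldest certificate, mode 1 to the first certificate stored on the newest day, and mode 2 to the certificate issued latest that day; that is exactly the behavioural difference between the Net iD Enterprise versions listed above.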

PinExpire

This entry is used to enable/disable the PIN expiry policy. The PIN may be configured to require a change after X days.

0

PIN expire policy disabled

X

PIN will expire after X days

Default value is 0; no PIN expire policy.

The PIN expiry policy requires support for a PIN update counter with a timestamp on the smart card. Some smart cards only store a PIN update counter, a single byte with no connection to any time, and cannot enforce this policy.

PinHistory

This entry is used to enable/disable password history checking. When enabled, old passwords are stored as a private object on the card and compared with a new password.

0

Password history disabled

X

The new password is compared with the last X passwords

Default value is 0; no password history checking.

PinMaxLen

This entry is used for maximum PIN length policy.

0

No maximum PIN length

X

Maximum X bytes PIN length

Default value is 0; smart card profile will specify the PIN policy.

The PIN policy in the smart card profile must also be fulfilled, so a new PIN must satisfy both the profile's policy and this one.

PinMinLen

This entry is used for minimum PIN length policy.

0

No minimum PIN length

X

Minimum X bytes PIN length

Default value is 0; smart card profile will specify the PIN policy.

The PIN policy in the smart card profile must also be fulfilled, so a new PIN must satisfy both the profile's policy and this one.

PinPolicy

This entry is used for the password policy, encoded as 0xaAbBcCdD:

  • aA → min/max for number of digits

  • bB → min/max for number of lower characters

  • cC → min/max for number of upper characters

  • dD → min/max for number of special characters

Default value is 0; no special PIN policy.

The PIN policy in the smart card profile must also be fulfilled, so a new PIN must satisfy both the profile's policy and this one.

PinType

This entry is used for the PIN type policy; the requirements are listed below:

0

all characters (case sensitive)

1

all characters (case insensitive)

2

all characters (min 2 digits and max 2 in row or in sequence)

3

all characters (min 2 digits and max 2 in row)

4

only digits

Default value is 0; smart card profile will specify the PIN policy.

The PIN policy in the smart card profile must also be fulfilled, so a new PIN must satisfy both the profile's policy and this one.
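The PinMinLen, PinMaxLen, PinPolicy and PinType entries combine into one check on a candidate PIN. The following Python is an added example, not Net iD Enterprise code; it reads those four entries from a constructed [SmartCard] section and lists every policy the PIN violates. Assumptions not stated on the page: in each PinPolicy byte the high nibble is the minimum and the low nibble the maximum (0 meaning unconstrained), "in a row" and "in sequence" mean runs of three or more identical or consecutive characters, and the length limits are measured in UTF-8 bytes. The card profile's own PIN policy is not modelled.

```python
"""Added example, not Net iD Enterprise code: evaluate the [SmartCard] PIN
length, PinPolicy and PinType entries against a candidate PIN."""
import configparser

# Constructed sample configuration; the values are illustrative only.
SAMPLE_INI = """
[SmartCard]
PinMinLen=6
PinMaxLen=12
PinPolicy=0x2F1F1F0F
PinType=2
"""

# Byte position of each character class in 0xaAbBcCdD.
POLICY_CLASSES = (("digits", 24), ("lower", 16), ("upper", 8), ("special", 0))


def load_config(text):
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg


def parse_pin_policy(value):
    """Split 0xaAbBcCdD into {class: (min, max)}.

    Assumption: in each byte the high nibble is the minimum and the low nibble
    the maximum count, so each limit is 0..15, and a maximum of 0 means
    'no maximum' (the page's default 0 means no policy at all).
    """
    word = int(value, 0)  # base 0 accepts the page's 0x... notation
    return {name: (((word >> shift) & 0xFF) >> 4, (word >> shift) & 0x0F)
            for name, shift in POLICY_CLASSES}


def _has_repeat(pin, run=3):
    """True if any character occurs `run` or more times in a row ('111')."""
    return any(len(set(pin[i:i + run])) == 1 for i in range(len(pin) - run + 1))


def _has_sequence(pin, run=3):
    """True if `run` characters step by +1 or -1 in code point ('123', 'cba')."""
    for i in range(len(pin) - run + 1):
        steps = {ord(pin[j + 1]) - ord(pin[j]) for j in range(i, i + run - 1)}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_pin(pin, cfg):
    """Return the list of policy violations; an empty list means accepted.

    The PIN policy in the card profile must be fulfilled as well; that check
    belongs to the profile and is outside this example.
    """
    sc = cfg["SmartCard"]
    problems = []

    # PinMinLen / PinMaxLen are specified in bytes, so measure the encoded PIN.
    n = len(pin.encode("utf-8"))
    min_len = sc.getint("PinMinLen", fallback=0)
    max_len = sc.getint("PinMaxLen", fallback=0)
    if min_len and n < min_len:
        problems.append(f"shorter than PinMinLen={min_len}")
    if max_len and n > max_len:
        problems.append(f"longer than PinMaxLen={max_len}")

    # PinPolicy: per-class minimum/maximum counts.
    counts = {
        "digits": sum(c.isdigit() for c in pin),
        "lower": sum(c.islower() for c in pin),
        "upper": sum(c.isupper() for c in pin),
        "special": sum(not c.isalnum() for c in pin),
    }
    for name, (lo, hi) in parse_pin_policy(sc.get("PinPolicy", fallback="0")).items():
        if counts[name] < lo:
            problems.append(f"fewer than {lo} {name}")
        if hi and counts[name] > hi:
            problems.append(f"more than {hi} {name}")

    # PinType: structural requirements on the PIN itself.
    pin_type = sc.getint("PinType", fallback=0)
    if pin_type == 4 and not pin.isdigit():
        problems.append("PinType=4 allows only digits")
    if pin_type in (2, 3):
        if counts["digits"] < 2:
            problems.append("PinType=2/3 requires at least 2 digits")
        if _has_repeat(pin):
            problems.append("more than 2 identical characters in a row")
    if pin_type == 2 and _has_sequence(pin):
        problems.append("more than 2 characters in sequence")
    return problems


if __name__ == "__main__":
    cfg = load_config(SAMPLE_INI)
    for candidate in ("Ab17x9", "Ab1234", "aaa111", "Abcdefghij12345"):
        print(candidate, check_pin(candidate, cfg) or "accepted")
```

Because the profile's policy and these entries are all enforced, the safe way to deploy a stricter PinPolicy is to check existing users' PINs against it first; otherwise a PIN change that satisfies the profile can still be refused here.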

Temporary

This entry specifies a list of smart card type names, separated with ;, that should be considered temporary smart cards. The parameter only has meaning when used with an LRA component; see the LRA documentation for more information.

TemporaryValidity

This entry specifies the number of days of certificate validity for which a smart card is considered a temporary smart card. The parameter only has meaning when used with an LRA component; see the LRA documentation for more information.

TemporaryValidity=30

UnlockMode

This entry specifies whether a smart card should use the PUK, challenge-response, or both to unlock the PIN.

When specifying more than one smart card, separate each <token label>|N with a semicolon (;).

[SmartCard]
UnlockMode=<token label>|N;<token label>|N;

Values

<token label>

Token label

N

1

PUK

2

CHV-RSP (challenge-response)

3

PUK and CHV-RSP

Example 1. UnlockMode default value

IDPrime and BEID are token labels.

[SmartCard]
UnlockMode=IDPrime|3;BEID|3;
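The UnlockMode string above, together with the Temporary and TemporaryValidity entries described earlier, parsed in Python as an added example that is not Net iD Enterprise code. It rejects malformed entries rather than ignoring them, so a typo cannot silently leave a card without an unlock policy. Assumptions: a token label that is not listed gets no policy here (the page defines no fallback), the card type names in Temporary are constructed, and a card counts as temporary when its certificate validity is at most TemporaryValidity days.

```python
"""Added example, not Net iD Enterprise code: parse the [SmartCard] UnlockMode,
Temporary and TemporaryValidity entries into per-card policy lookups."""
import configparser

# N in '<token label>|N' selects how the PIN may be unlocked.
UNLOCK_MODES = {1: ("PUK",), 2: ("CHV-RSP",), 3: ("PUK", "CHV-RSP")}

# Constructed sample; IDPrime and BEID are the token labels from the page,
# the Temporary card type names are assumed.
SAMPLE_INI = """
[SmartCard]
UnlockMode=IDPrime|3;BEID|1;
Temporary=Temp Card;Visitor Card
TemporaryValidity=30
"""


def load_config(text):
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg


def parse_unlock_mode(value):
    """Parse '<token label>|N;<token label>|N;' into {label: unlock methods}.

    A trailing ';' (as in the page's example) yields an empty entry, which is
    skipped; anything else that is not '<label>|1..3' raises ValueError.
    """
    modes = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        label, sep, n = entry.rpartition("|")
        if not sep or not label or n not in ("1", "2", "3"):
            raise ValueError(f"malformed UnlockMode entry: {entry!r}")
        if label in modes:
            raise ValueError(f"duplicate UnlockMode entry for {label!r}")
        modes[label] = UNLOCK_MODES[int(n)]
    return modes


def unlock_methods(cfg, token_label):
    """Unlock methods for a token label, or None when the label is not listed
    (assumption: the page defines no fallback for unlisted labels)."""
    value = cfg["SmartCard"].get("UnlockMode", fallback="")
    return parse_unlock_mode(value).get(token_label)


def parse_name_list(value):
    """Split a ';'-separated name list such as Temporary, dropping empties."""
    return [name.strip() for name in value.split(";") if name.strip()]


def is_temporary(cfg, card_type, certificate_validity_days):
    """Assumption: a card is temporary if its type is listed in Temporary or
    its certificate validity is at most TemporaryValidity days."""
    sc = cfg["SmartCard"]
    if card_type in parse_name_list(sc.get("Temporary", fallback="")):
        return True
    limit = sc.getint("TemporaryValidity", fallback=0)
    return bool(limit) and certificate_validity_days <= limit


if __name__ == "__main__":
    cfg = load_config(SAMPLE_INI)
    for label in ("IDPrime", "BEID", "Unknown"):
        print(label, unlock_methods(cfg, label))
    print("Temp Card/365:", is_temporary(cfg, "Temp Card", 365))
    print("Employee/30:", is_temporary(cfg, "Employee", 30))
```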

UseInternalUpdate

This entry specifies whether the internal update counter is used. The update counter is needed to detect updates of the smart card, so it should normally always be active.

0

Internal update counter is inactive

1

Internal update counter is active

Default value is 1; will use internal update counter.

The update counter is needed for public object caching; without the update counter performance may suffer, since public objects may be read from the card unnecessarily.

ValidateUpdateCounter

This entry enables/disables validation of the update counter when an external update counter is used.

0

Will assume that the application handling the update counter behaves correctly

1

Will validate update counter at each write to reset public cache when needed.

Default value is 0; will not validate update counter when using external update counter.