User's guide

IBM Lotus Notes, Domino, Domino Designer 8 Release Notes
Smartcard Package Caveats:
- The technique introduced in 7.0 to "Lock ID With Key on Smartcard" will be used with all tokens
  that support C_Sign for CKM_RSA_PKCS with input lengths up to k-11 bytes, in accordance with
  the PKCS#11 specification. New techniques for locking the ID file using a private RSA key on the
  smartcard were added in later releases for some tokens that do not support the full range of input
  lengths, and those tokens are marked with (version+) in the relevant columns of the above table.
  ID files locked with these new techniques cannot be used by older versions of Notes/Domino;
  attempts to do so will result in an "Unsupported ID file version" error.
- Aladdin eToken RTE 3.65 has been tested with this beta release using eToken PRO USB 64k
  tokens and eToken NG-FLASH USB tokens.
- The Belgian eID was tested with run-time version 2.5.9, and we highly recommend that
  customers upgrade to the most recent version of the Belgian eID Run-time software. Users will
  receive redundant PIN prompts from the PKCS#11 library as well as Notes due to the token
  failing to set the CKF_PROTECTED_AUTHENTICATION_PATH token flag, but setting
  "allow_sso = false" in the Belgian eID configuration file beidbase.conf will eliminate the duplicate
  prompts. However, setting that variable and rebooting with the token in the reader may result in
  the PKCS#11 library hanging when first attempting to use the smartcard. This problem does not
  appear to occur when the ID file is locked with a key on the smartcard.
- The DataKey CIP 4.07 software installs multiple PKCS#11 libraries. dkck201.dll uses PKCS#11
  v2.01 and has been tested successfully with Notes; dkck232.dll uses PKCS#11 v2.00 and does
  not work with Notes.
- The Estonian eID was tested with the PKCS#11 library from id-card-installer-0.7.exe (2/14/2006).
  Using this version of the library, the pre-loaded certificates could be imported into the ID file and
  used for S/MIME signing and decryption, but smartcard login was nonfunctional. It is possible that
  a newer version of the smartcard drivers will fix the token limitation that prevented the "Lock ID
  With Key on Smartcard" action from succeeding.
- The GemSafe Libraries 4.2 SP3 returns CKR_DEVICE_ERROR instead of
  CKR_TOKEN_NOT_PRESENT from C_GetTokenInfo when no token is in the reader. If Notes
  fails to automatically activate a workaround for this token bug, it may be necessary to manually
  set PKCS11_TOKEN_BUGS=128 in the notes.ini file. Due to the occasional failure of this token
  to report slot events, it may also be necessary to hit F5 and log out of Notes in order to force a
  PIN prompt when using keys on a smartcard when the ID file is not secured with that same
  smartcard.
- The Rainbow CryptoSwift eCommerce Server Accelerator fails to report that RSA cryptographic
  operations are performed in hardware. If you are having difficulty performing cryptographic
  operations (including importing X.509 certificates or exporting RSA keys) with this device, setting
  PKCS11_NO_HWCHECK=1 or PKCS11_TOKEN_BUGS=2 in the NOTES.INI file will activate a
  workaround in Notes/Domino for this problem.
- The Secude token cannot perform cryptographic operations with a number of smart card readers
  due to the high power demands of that token. Please confirm that your token readers are
  supported by Secude before deploying this package. If you are having difficulty signing S/MIME
  messages with a key on these smartcards and are using a supported token reader, setting
  PKCS11_TOKEN_BUGS=1 in the NOTES.INI file will activate a workaround in Notes that may fix
  this problem, and upgrading your Secude software may also fix it.
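
Where the k-11 byte limit in the first caveat comes from, as an added example (not part of the release notes and not IBM or Notes code): CKM_RSA_PKCS applies PKCS#1 v1.5 padding, which takes at least 11 bytes of the k-byte modulus length. Function names are hypothetical and all inputs are constructed.

```python
# Added illustration of PKCS#1 v1.5 signature padding (block type 01),
# the padding CKM_RSA_PKCS applies before the RSA private-key operation.
# Function names are hypothetical; sample inputs are constructed.

OVERHEAD = 11  # 0x00, 0x01, at least 8 bytes of 0xFF, then 0x00


def max_sign_input(modulus_bits: int) -> int:
    """Largest input in bytes for a k-byte modulus: k - 11."""
    k = (modulus_bits + 7) // 8
    return k - OVERHEAD


def pad_for_sign(data: bytes, modulus_bits: int) -> bytes:
    """Build the k-byte block 00 01 FF..FF 00 || data."""
    k = (modulus_bits + 7) // 8
    if len(data) > k - OVERHEAD:
        raise ValueError(f"{len(data)} bytes exceeds the k-11 limit of {k - OVERHEAD}")
    padding = b"\xff" * (k - len(data) - 3)
    return b"\x00\x01" + padding + b"\x00" + data


def unpad(block: bytes) -> bytes:
    """Recover the data from a padded block, rejecting malformed padding."""
    if len(block) < OVERHEAD or block[:2] != b"\x00\x01":
        raise ValueError("bad block header")
    sep = block.find(b"\x00", 2)  # first zero byte after the 0xFF run
    if sep < 10 or block[2:sep] != b"\xff" * (sep - 2):
        raise ValueError("padding string shorter than 8 bytes or not all 0xFF")
    return block[sep + 1:]


def probe_lengths(modulus_bits: int) -> dict:
    """Which input lengths fit: a 35-byte SHA-1 DigestInfo, the k-11
    maximum, and one byte past it."""
    limit = max_sign_input(modulus_bits)
    fits = {}
    for n in (35, limit, limit + 1):
        try:
            pad_for_sign(bytes(n), modulus_bits)
            fits[n] = True
        except ValueError:
            fits[n] = False
    return fits


if __name__ == "__main__":
    print(max_sign_input(1024), probe_lengths(1024))
```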