Tactics, Techniques, & Procedures (TTP) Dual Persona Personal Identity Verification (PIV) Authorization Certificate




Tactics, Techniques, & Procedures (TTP)
Dual Persona Personal Identity Verification (PIV) Authorization Certificate
Version 3.0
23 Jan 2012

This document is not to be distributed or changed without express permission from the Network Enterprise Technology Command (NETCOM).

This document contains information EXEMPT FROM MANDATORY DISCLOSURE under the Freedom of Information Act (FOIA). Exemption 5 applies (internal advice, recommendations, and subjective evaluations that are reflected in records pertaining to the decision-making process of or among agencies).

Distribution

This document is intended for use by US Government agencies and their Contractors doing business with the U.S. Army Network Enterprise Technology Command. This document is for information purposes only and is not to be construed as directive in nature or official policy. This document is available by request from NETCOM, ATTN: NETC-G, 2133 Cushing Street, Fort Huachuca, AZ 85613-7070


DISCLAIMER

The contents of this document are not to be construed as an official Department of the Army position unless so designated by other authorized documents. The use of trade names in this document does not constitute an official endorsement or approval of the use of such commercial hardware or software. Do not cite this document for the purpose of advertisement.

CHANGES

Refer requests for all changes that affect this document to email address: usarmy.huachuca.netcom-9-sig-cmd.mbx.eeupdate@mail.mil.

DISPOSITION INSTRUCTIONS

Destroy this document when no longer needed. Do not return it to the organization. Safeguard and destroy this document with consideration given to its classification or distribution statement requirements.

DANIEL R. MACHETTE, COL USA, ACofS G5
GERALD H. MILLER, COL USA, ACofS G3

DOCUMENT REVISIONS LIST

DATE | DESCRIPTION OF CHANGES | ORGANIZATION
11 Jan 2012 | Initial | G3
15 Feb 2011 | 1.0 Initial Release | NETCOM/G3
20 July 2011 | 2.0 Major Content Changes | NETCOM/G3
18 Aug 2011 | 2.1 Added steps for PIV Auth Cert | NETCOM/G3
12 Dec 2011 | 2.2 Added NOTE: | NETCOM/G3
09 Jan 2012 | 2.3 Admin | NETCOM/G3
23 Jan 2012 | 3.0 Section 6.0 for Dual persona users with 64 bit | NETCOM/G3

TABLE OF CONTENTS

1.0 Purpose
2.0 References
3.0 Scope
4.0 Procedures
4.1 DMDC USER MAINTENANCE PORTAL
4.2 REPUBLISH CERTIFICATES TO WINDOWS
4.3 UPDATING EMAIL/CERTIFICATES (FOR DUAL CAC HOLDERS ONLY)
4.4 Republish Certificates In Outlook
4.5 RETRIEVE YOUR ESCROWED CERTIFICATES FOR READING OLD ENCRYPTED MAIL (OPTIONAL)
4.6 DUAL PERSONA USERS ON WINDOWS 7 64 BIT MACHINES
Acronym List


EXECUTIVE SUMMARY

As part of the Army's implementation of Department of Defense (DoD) Enterprise Email (EE), there is a requirement for users with multiple personas to activate the Personal Identity Verification (PIV) Authorization (Auth) Certificate (Cert) on each of their Common Access Cards (CACs). The DoD service has elected to use the PIV Auth cert for login in the cases where an individual has two or more personas in the Defense Manpower Data Center (DMDC) database. This document provides detailed information on how to activate the PIV Auth Cert. The steps outlined in this TTP must be accomplished by the user.

1.0 Purpose

DoD EE is a persona based messaging solution. CAC cards do not, by default, display the PIV Auth cert. This TTP provides instructions on how users can utilize the DMDC web service to update the firmware on their CAC to display the PIV Auth Cert. For DoD personnel with one persona (e.g., Civilian), the login token is their Email signing certificate. For users with multiple personas (e.g., Civilian and Reservist), their login token is the PIV Auth Cert located on their persona CAC card.

The DoD EE system has elected to use the PIV Auth Cert for login in cases where an individual has two or more personas in the DoD. An example of a dual persona person is one who has a CAC issued as a contractor and a CAC issued as a member of the Army Reserves. This individual has two CACs, but until the PIV Auth Cert is activated on their CAC cards, they only have one digital identity. The PIV Auth Cert has a field that is unique for each persona. This is a 16 digit numeric field that starts with a 10 digit Electronic Data Interchange Person Identifier (EDIPI) and adds to it a 6 digit Federal Agency Smart Credential Number Role specific attribute.

2.0 References

None

3.0 Scope

The reason for activation of this certificate is to support multiple personas in the DoD EE service. CAC login to DoD EE has been enabled so that a user only requires a CAC enabled workstation to access DoD EE with Internet Explorer or an Army workstation connected to an Army network to access DoD EE, using Outlook 2007 Service Pack (SP) 1 (with specific patches).

4.0 Procedures

The following guide takes you through the steps necessary to activate your CAC's ability to display and use the 4th certificate on your CAC card (PIV Auth Cert).

4.1 DMDC USER MAINTENANCE PORTAL

a. Sign On To The DMDC User Maintenance Portal (UMP): https://www.dmdc.osd.mil/ump

b. Activating Your PIV Authentication Certificate: Accept the DOD Notice and Consent by clicking OK.

Figure 1 - DMDC User Maintenance Portal

c. Select PIV Update. (Ensure that your CAC is inserted into its reader.)

Figure 2 - CAC Welcome Portal

d. If you have more than one CAC reader, choose the one in which your CAC is inserted.

e. Enter your CAC PIN number and click 'OK'.

Figure 3 - UMP Select Reader
Figure 4 - CAC Portal: Reading Data from CAC

f. Select the "Activate the PIV Authentication Certificate" box, then click Update CAC.

Figure 5 - PIV Update

g. Click Yes to continue when asked if you want to activate the PIV certificate.

Figure 6 - CAC Portal Info

h. Wait while your CAC card is updated. DO NOT REMOVE THE CARD FROM THE READER.

Figure 7 - CAC Portal Updating PIV

i. Once the CAC update is complete, remove and re-insert your CAC card.

Figure 8 - CAC Portal Summary

NOTE: If the "Activate PIV Authentication Certificate" update process failed to run, or the update failed, the user will need to visit their local Defense Enrollment Eligibility Reporting System/Real-Time Automated Personnel Identification System (DEERS/RAPIDS) office to obtain a new Common Access Card because the CAC is too old and does not contain the PIV Auth certificate.

4.2 REPUBLISH CERTIFICATES TO WINDOWS

a. Open ActivClient by double clicking the CAC icon in the bottom right taskbar. Once ActivClient is open, double click My Certificates. Ensure that four certificates are displayed, one of which is the PIV Authentication Certificate.

Figure 9 - Toolbar

NOTE: If the PIV Authentication Certificate is not displayed in this step, activation did not succeed. The user will need to visit their local DEERS/RAPIDS office to obtain a new Common Access Card because the CAC is too old and does not contain the PIV Auth certificate.

Figure 10 - Certificates

b. Open ActivClient > Tools > Advanced > Forget state for all cards.

Figure 11 - Forget State

c. Open ActivClient > Tools > Advanced > Make Certificates Available to Windows. Close ActivClient.

Figure 12 - Make Certificates Available

IMPORTANT NOTE: THE REASON FOR EXPOSING THE PIV AUTH CERT IS THAT DUAL PERSONA USERS MUST USE THIS PIV AUTH CERT TO AUTHENTICATE TO ENTERPRISE EMAIL. AS A DUAL PERSONA INDIVIDUAL YOU WILL ALWAYS USE THIS CERTIFICATE TO AUTHENTICATE FOR ENTERPRISE EMAIL. THE EMAIL CERTIFICATE WILL STILL BE USED FOR SIGNING AND ENCRYPTING EMAIL. THE PIV AUTH CERT IS FOR AUTHENTICATION ONLY.

4.3 UPDATING EMAIL/CERTIFICATES (FOR DUAL CAC HOLDERS ONLY)

If dual persona users have the same email address on both CACs, they must change one of the CACs so both CACs have a unique email address in order to successfully read and send encrypted emails. Follow the procedures provided below.

NOTE: DO NOT COMPLETE THIS STEP UNLESS YOU ARE SURE YOU HAVE A DUAL PERSONA AND HAVE THE SAME EMAIL ADDRESS ON BOTH CACS. IF YOU DO NOT HAVE TWO CACS DO NOT COMPLETE THIS STEP.

a. DMDC UMP Updating Email/Certificates: At the User Maintenance Portal Welcome screen, select Replace Certificates.

Figure 13 - CAC Welcome Portal

b. Ensure that your CAC is inserted into its reader.

NOTE: If you have more than one CAC reader, choose the one your CAC is inserted into.

c. Enter your CAC PIN number and click 'OK'.

Figure 14 - UMP Select Reader
Figure 15 - CAC Portal

d. Replace the email address and email certificates on the CAC for the given DoD membership by entering your new email address, then entering it once again to confirm. Click Update CAC to continue.

NOTE: This only needs to be done for dual persona users and only on one CAC so that both CACs have different email addresses. Recommend changing one CAC's email address to mail.mil.

Figure 16 - Replace Certificates

4.4 Republish Certificates In Outlook

a. Once the CAC has been updated you will need to remove your old certs associated with your CAC and re-publish your new certs to the Global Address List (GAL). Open Microsoft Outlook > Tools > Trust Center.

NOTE: When launching Microsoft Outlook, if you do not see your PIV Auth Cert, go to Section 6.0 for procedures for resolution.

Figure 17 - Microsoft Outlook Trust Center

b. Click on Email Security, then select Settings.

Figure 18 - Microsoft Outlook Email Security Settings

c. To remove your certificates, select Delete.

Figure 19 - Microsoft Outlook Delete Security Settings

d. Certificates have been removed; next click OK.

Figure 20 - Microsoft Outlook Delete Security Settings Prompt 1

e. Click Yes to continue.

Figure 21 - Microsoft Outlook Security Settings Prompt 2

f. Click Publish to GAL.

Figure 22 - Microsoft Outlook Publish to GAL

g. A message will appear that says "There are no valid security settings to publish. Would you like to remove your previously published settings?" Click OK to continue.

Figure 23 - Microsoft Outlook Remove Published Settings

h. Your certificates were removed successfully. Click OK.

Figure 24 - Microsoft Outlook Certificates Prompt

i. To update your certificates associated with your new email on your selected CAC, under Encrypted e-mail select Settings.

Figure 25 - Microsoft Outlook Encrypted Email Settings

j. Under Security Settings Name, pull the drop down and select your account. If there is nothing there you can name this anything (e.g., Jones Security Settings).

Figure 26 - Microsoft Outlook Security Settings Preferences

k. Under Security Setting Preferences, check both Default Security Settings checkboxes.

Figure 27 - Microsoft Outlook Default Security Settings

l. Under Certificates and Algorithms, select Choose for the signing certificate.

Figure 28 - Microsoft Outlook Signing Certificate

m. Ensure the certificate you select states it is for U.S. Government Signature Certificate/DOD EMAIL. Click OK to continue.

Figure 29 - Microsoft Outlook Select Certificate

n. Select the Encryption Certificate by clicking the second Choose button.

Figure 30 - Microsoft Outlook Encryption Certificate

o. Ensure the certificate you select is for U.S. Government Encryption Certificate/DOD EMAIL. Click OK to continue.

Figure 31 - Microsoft Outlook Select Certificate

p. Check the checkbox for "Send these certificates with signed messages". Click OK to continue.

Figure 32 - Microsoft Outlook Signed Messages

q. Under Digital IDs, click Publish to GAL.

Figure 33 - Microsoft Outlook Publish to GAL

r. A message will appear stating "Microsoft Office Outlook is about to publish your default security settings to the Global Address List". Click OK to continue.

Note: This process may take a few seconds to complete.

Figure 34 - Microsoft Outlook Publish Security Certificates

s. Once you get the completion screen, click OK twice and exit all the way out of Outlook.

NOTE: Outlook MUST BE restarted for your changes to take effect.

Figure 35 - Microsoft Outlook Certificates Prompt

IMPORTANT NOTE: TO IDENTIFY THE PIV CERT TO USE FOR AUTHENTICATION INTO OUTLOOK, OPEN OUTLOOK. ONCE PROMPTED FOR A CERT, GO INTO DETAILS ON THE CERTIFICATE (CLICK ON CERTIFICATE TO VIEW DETAILS), VIEW EACH CERT AND LOOK FOR A 16 DIGIT ID. ALL OTHER CERTS WILL HAVE A 10 DIGIT ID. USE THE 16 DIGIT PIV CERT TO AUTHENTICATE TO EMAIL. USE THE 10 DIGIT EMAIL CERT FOR SIGNING AND ENCRYPTING.
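The 10 digit versus 16 digit rule in the note above, combined with the ID layout from section 1.0 and the checks in sections 4.2 and 4.3, as an added example; it is not part of the original TTP or of any DoD tooling. It assumes the IDs were copied by hand from each certificate's details view, and the function names, card labels, IDs and email addresses are constructed for illustration.

```python
import re

EDIPI_DIGITS = 10  # Electronic Data Interchange Person Identifier (EDIPI)
ROLE_DIGITS = 6    # role-specific attribute the PIV Auth cert adds


def split_cert_id(raw):
    """Split an ID copied from a certificate's details into (kind, edipi, role)."""
    value = raw.strip()
    if re.fullmatch(r"[0-9]{%d}" % EDIPI_DIGITS, value):
        return ("other", value, None)  # every cert other than PIV Auth
    if re.fullmatch(r"[0-9]{%d}" % (EDIPI_DIGITS + ROLE_DIGITS), value):
        return ("piv-auth", value[:EDIPI_DIGITS], value[EDIPI_DIGITS:])
    raise ValueError("expected a 10- or 16-digit numeric ID, got %r" % raw)


def audit_cards(cards):
    """Check each card against the conditions this TTP describes.

    cards maps a card label to {"email": str, "cert_ids": [str, ...]}.
    Returns (login_ids, findings): the 16-digit ID to authenticate with for
    each card, and a list of problems that need attention.
    """
    login_ids, findings = {}, []
    for label, card in cards.items():
        parsed = [split_cert_id(c) for c in card["cert_ids"]]
        piv = [p for p in parsed if p[0] == "piv-auth"]
        if len(parsed) != 4:  # section 4.2: four certificates should be displayed
            findings.append("%s: %d certificates shown, expected 4"
                            % (label, len(parsed)))
        if len(piv) != 1:
            findings.append("%s: PIV Auth cert not shown, activation did not succeed"
                            % label)
            continue
        _, edipi, role = piv[0]
        if any(p[1] != edipi for p in parsed):
            findings.append("%s: 16-digit ID does not start with the card's 10-digit ID"
                            % label)
        login_ids[label] = edipi + role
    labels = list(cards)
    for i, a in enumerate(labels):
        for b in labels[i + 1:]:
            # Section 4.3: both CACs need a unique email address.
            if cards[a]["email"].lower() == cards[b]["email"].lower():
                findings.append("%s and %s share an email address (see section 4.3)"
                                % (a, b))
            # Section 1.0: the 16-digit field is unique for each persona.
            if a in login_ids and login_ids.get(a) == login_ids.get(b):
                findings.append("%s and %s show the same 16-digit ID" % (a, b))
    return login_ids, findings


# Constructed sample: PIV Auth is active on one card only, same email on both.
SAMPLE_CARDS = {
    "contractor CAC": {
        "email": "jane.doe@example.test",
        "cert_ids": ["1234567890", "1234567890", "1234567890", "1234567890100001"],
    },
    "reservist CAC": {
        "email": "Jane.Doe@example.test",
        "cert_ids": ["1234567890", "1234567890", "1234567890"],
    },
}

if __name__ == "__main__":
    ids, problems = audit_cards(SAMPLE_CARDS)
    for label, cert_id in ids.items():
        print("%s: authenticate with the cert showing ID %s" % (label, cert_id))
    for problem in problems:
        print("CHECK:", problem)
```
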

4.5 RETRIEVE YOUR ESCROWED CERTIFICATES FOR READING OLD ENCRYPTED MAIL (OPTIONAL)

a. Retrieving Escrowed Certificates From DISA Key Recovery: (CTRL) + Click to follow link: Auto Key Recovery - Recoverable Key List

Figure 36 - Digital Certificate

NOTE: Do not use your email certificate, otherwise you will get an error and have to close your browser and reopen the universal resource locator (URL).

b. The Defense Information Systems Agency window will open; you should see a list of your available certificates. Choose the certificate that has most recently expired and select Recover.

Figure 37 - Defense Information Systems Agency

c. A DoD warning banner will appear. Please read the statement and click OK.

Figure 38 - Compliance Prompt

d. An automated key recovery screen will appear; please wait while it pulls up a list of your certificates.

Figure 39 - Automated Key Recovery

e. Scroll through the list of available keys for recovery and select the key that has the most recent Not After date. You may also select an older certificate if required.

Figure 40 - Encryption Key Recovery

f. A prompt will display asking if you are a DoD subscriber for this key. Click OK.

Figure 41 - DoD Acknowledgment

g. Another window will appear requesting that you wait.

Figure 42 - Automated Key Recovery

h. A page will appear to download your old cert. Click on the Download link.

NOTE: DO NOT close this page until you have completed the Certificate Import Wizard or you will have to start the process over again.

Figure 43 - Key Recovery Download

i. To download the certificate, click Open.

Figure 44 - Key Recovery Download Prompt

j. On the Certificate Import Wizard, click Next.

Figure 45 - Certificate Import Wizard

k. To continue, click Next.

Figure 46 - Certificate Import File

l. Type the password into the Certificate Import Wizard Password field as it appears on the DoD web page and click Next.

NOTE: DO NOT check any of the checkboxes.

Figure 47 - Password Prompt

m. On the Certificate Store window, leave the default and click Next.

Figure 48 - Certificate Store

n. Click Finish. If the import did not fail you will see another window stating that the import was successful. Click OK.

Figure 49 - Certificate Import Wizard Completion

o. The certificate recovery is now complete. You may now close the Internet Explorer window to the DoD recovery web site.

4.6 DUAL PERSONA USERS ON WINDOWS 7 64 BIT MACHINES

The user will need to contact the Tier I helpdesk to turn off the following setting in ActivClient, as this function must be accomplished by a user with administrative access.

a. Administrator must open the user's ActivClient tools advanced configuration smart card.

b. Under the smart card property window, change the default setting of "Prefer GSC-IS over PIV EndPoint" from YES to NO.

c. Changing this setting will disable the implicit mapping of the smart card identity, and allow the user to specify the PIV cert properly.

d. Restart the user's computer and log in with the user's standard DoD cert (NOT the PIV Auth Cert). The PIV Auth Cert is only required for authenticating to Microsoft Outlook or OWA.

e. The user should now be able to complete setup of the dual persona client without error.

Figure 50 - ActivIdentity Advanced Configuration

Appendix A: Acronyms and Abbreviations Checklist

AGM: Army Golden Master
CAC: Common Access Card
Cert: Certificate
DEERS: Defense Enrollment Eligibility Reporting System
DMDC: Defense Manpower Data Center
DoD: Department of Defense
EDIPI: Electronic Data Interchange Personal Identifier
EE: Enterprise Email
FOIA: Freedom of Information Act
GAL: Global Access List
NETCOM: Network Enterprise Command
PIV: Personal Identity Verification
RAPIDS: Real-Time Automated Personnel Identification System
TTP: Tactics, Techniques, and Procedures
UMP: User Maintenance Portal
URL: Universal Resource Locator
SP: Service Pack