000018580 - Problem with RSA Keon Web PassPort virtual card after user ID name change

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000018580
Applies To: Keon Web PassPort 1.1.2
Microsoft Windows 2000 Server SP4
Issue: Problem with RSA Keon Web PassPort virtual card after user ID name change
Problem with new virtual card getting new certificates from RSA Keon OneStep
Essentially, the user goes through OneStep enrollment, but the new certificates in the virtual card are not written back to Active Directory successfully. Below are the steps to reproduce the issue:

1. Create a normal user named a.a.test and create a new default virtual card with mkkeonvc

2. Go through the enrollment process, saving the certificates

3. Verify that a.a.test has a normal enrolled virtual card in AD with two certificates that correspond to the a.a.test and CA certificate

4. Run a name change process for a.a.test to change the name to b.b.test

5. Delete the public certificates (in userCertificate attribute in AD) for the user, now called b.b.test, that correspond to the old user name a.a.test. Run mkkeonvc to create a new default virtual card for b.b.test.

6. Verify that user b.b.test has one default virtual card for user name b.b.test in AD and one normal enrolled virtual card with certificates that correspond to the old name a.a.test

7. Go through the OneStep enrollment process again without doing a "delete certificates and log off" in the plugin

8. Verify that b.b.test now has:

  a. One normal enrolled virtual card with certificates associated with the name a.a.test from the first enrollment

  b. One default virtual card with Keon General certificates associated with the name b.b.test (not expected!)

  c. Two public certificates in userCertificate that match the new name b.b.test

The expected result was that the default card would be a normal enrolled virtual card, since enrollment completed successfully and new certificates got published from the CA. However, the new virtual card did not get written back to AD. Thus the user's state has been corrupted.
Cause: RSA Keon Web PassPort protects the integrity of virtual cards by creating a digital signature of the virtual card plus the LDAP DN of the user. If the user ID changes, the signature becomes invalid, and the user can no longer use the virtual card. The user may still want to use the virtual card; for example, to read email that was encrypted with the public key contained in the virtual card.
A virtual card (PSD) is normally signed using the private key in the DS container (within the PSD), and the signature is appended to the end to be stored as a virtual card in the repository. The signature is made up of {PSD + DN} of the user, so changing the user ID effectively means changing the DN. This changes the resulting signature and makes the current virtual card invalid.
Resolution: To correct this issue, contact RSA Security Customer Support and request the "RSA Keon Web PassPort Virtual Card Re-sign Utility" (KWP_v1.1.2build7). This utility enables administrators to verify the signatures of virtual cards and re-sign virtual cards when the user ID has changed. The utility creates a new digital signature for each of a user's virtual cards that have invalid signatures and replaces the virtual cards.
Workaround: The user's name has changed, which requires changing the user's UID in LDAP. The user will need a new virtual card that reflects the new name and must still keep the old virtual card with the old name to access any previously encrypted email.
Legacy Article ID: a22104
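
The Cause and Resolution sections describe a signature over {PSD + DN} and a verify/re-sign pass after a rename. The sketch below is an added illustration of that binding, not RSA's utility or Keon code. Assumptions: HMAC-SHA256 stands in for the private-key signature, the DNs, key and PSD bytes are constructed placeholders, and re-signing only cards that still verify under the old DN is a policy chosen for this example.

```python
import hashlib
import hmac

SIG_LEN = hashlib.sha256().digest_size  # length of the tag appended to the PSD


def sign_input(key: bytes, psd: bytes, dn: str) -> bytes:
    # Signed data is {PSD + DN}; HMAC-SHA256 is a stand-in signature (assumption).
    return hmac.new(key, psd + dn.encode("utf-8"), hashlib.sha256).digest()


def make_card(key: bytes, psd: bytes, dn: str) -> bytes:
    """Stored virtual card = PSD with the signature appended to the end."""
    return psd + sign_input(key, psd, dn)


def verify_card(key: bytes, card: bytes, dn: str) -> bool:
    if len(card) <= SIG_LEN:
        return False
    psd, sig = card[:-SIG_LEN], card[-SIG_LEN:]
    return hmac.compare_digest(sig, sign_input(key, psd, dn))


def resign_after_rename(key: bytes, cards: list, old_dn: str, new_dn: str) -> list:
    """Return (card, status) pairs; re-sign only cards valid under the old DN."""
    out = []
    for card in cards:
        if verify_card(key, card, new_dn):
            out.append((card, "valid"))
        elif verify_card(key, card, old_dn):
            # Intact card, stale DN: keep the PSD bytes, replace the signature.
            out.append((make_card(key, card[:-SIG_LEN], new_dn), "re-signed"))
        else:
            # Fails under both DNs: modified or foreign card, left untouched.
            out.append((card, "rejected"))
    return out


# Constructed sample data: key, DNs and PSD contents are placeholders.
KEY = b"constructed-demo-key"
OLD_DN = "CN=a.a.test,OU=Users,DC=example,DC=com"
NEW_DN = "CN=b.b.test,OU=Users,DC=example,DC=com"


def demo() -> list:
    enrolled = make_card(KEY, b"PSD:enrolled-card", OLD_DN)  # signed before rename
    default = make_card(KEY, b"PSD:default-card", NEW_DN)    # created after rename
    tampered = b"X" + enrolled[1:]                           # one PSD byte changed
    return resign_after_rename(KEY, [enrolled, default, tampered], OLD_DN, NEW_DN)
```

Checking the old DN before re-signing keeps a rename from becoming a way to legitimise a card whose contents were altered.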