WWPass Security Pack is a client side software pack that is installed on notebook, desktop or terminal server systems. It provides WWPass PassKey functionality for web browsers, VPN and mail clients, and encrypted file systems.
Important: To install WWPass Security pack on a desktop computer you should have administrative rights.
To install WWPass Security Pack, use your browser to navigate to https://ks.WWPass.com/download/. The site automatically identifies your desktop operating system and highlights the appropriate download. Press the Download button. When the download completes, run the installer. Security Pack requires a computer reboot to finish installation.
WWPass Dashboard is an application that provides an interface for users to manage certificates, view key status, and launch WWPass programs and configurations and get access to information about using WWPass PassKeys with other software packages.
Dashboard is launched automatically by the operating system on computer start up. Dashboard displays the WWPass icon in the system tray. The icon image reflects the connection status of WWPass keys and smart card readers:
– The Key icon is blue when your PassKey is connected to your computer.
– The Key icon is yellow when a smart card reader is available but a WWPass PassKey is not connected to your computer.
– The Key icon is gray when your WWPass PassKey or smart reader is not connected to your computer.
– The Key icon is red when the smart card subsystem is not running.
– The Key icon is shown with an exclamation point when a new version of the WWPass Security Pack is available.
The computer needs to be restarted after installation or after an update of the WWPass Security Pack. A restart enables all features of the Security Pack.
A left mouse click on the dashboard tray icon opens the main Dashboard window. The window contains four tabs: Solutions, Certificates, Key Status and Advanced.
PSS allows you to store confidential files in your personal vault in the WWPass cloud. Your data is encrypted, fragmented and dispersed in WWPass data centers around the globe so that it cannot be stolen. Only you can access files stored in PSS using your PassKey or PassKey for Mobile.
Click on PSS icon to start the application. You will be requested to connect your Pass Key (if not connected) and provide an Access Code. To open PSS documentation, follow the User Guide link shown in Dashboard.
RClient (RADIUS client) is a self-descriptive name: indeed it is a client part of WWPass RADIUS solution. RClient provides native WWPass authentications to applications and hardware devices which support RADIUS protocol for user login. RClient is installed on user desktop and is included into SecurityPack. At present it supports VMware Horizon View Client, Fortinet FortiGate and OpenVPN, and contains built-in configuration profiles for these applications.
More applications may be supported in future or on request.
Click on RClient icon to start the application. To open RClient documentation, follow the User Guide link shown in Dashboard.
OpenVPN is free open source VPN client/server software. It is one of the most used VPN solutions in the world. OpenVPN supports user-side Certificate authentication. Creating configuration files for a VPN connection can be a difficult task, especially when PKCS#11 smart cards are involved.
The WWPass helper solution (available for Windows and Linux) allows you to properly configure a VPN connection, substituting the correct PKCS#11 library path and pointing to suitable certificate associated with a WWPass KeySet. The “Add a connection” link creates a new configuration for OpenVPN. Detailed instructions may be found on WWPass.com.
Follow the steps below to configure the OpenVPN client for authentication with your PassKey or Passkey for Mobile. These steps create a configuration file that is associated with your PassKey or PassKey for Mobile and OpenVPN certificate.
Before you begin:
To configure the OpenVPN client
The “How to Secure” group on the Solutions tab provides you with links to Help Document on using WWPass with third-party software programs:
The certificates tab is WWPass’ certificate manager. It allows a user to view, import and delete X.509 certificates controlled by a WWPass KeySet.
X.509 certificates prove your identity when you use your PassKey or PassKey for Mobile to authenticate within a domain, application, service, or website. They may be used to exchange secure mail and access encrypted file systems.
Once a certificate is added to your KeySet, it is encrypted by the PassKey and stored in WWPass’ cloud storage, where it is encrypted again, fragmented, and dispersed. There is no single point of vulnerability from which it could be stolen.
Each certificate specifies its owner and certifies that the public key included in the certificate belongs to the certificate owner. The public key is part of a public/private key pair that lets you use digital signing and encryption to securely and privately exchange data over a network or the Internet:
Note: Only Firefox and Internet Explorer web browsers support certificate installation directly on a smart card (WWPass KeySet). Use FF or IE when obtaining mail certificates on a Comodo web site. Internet Explorer is the only browser which installs certificates from the Windows Server PKI service directly onto a KeySet.
All certificates available on a user’s KeySet are listed on the Certificates tab. The following information is shown for each certificate:
To view additional information about a certificate, click its name in the Certificates tab. The Certificate Details window opens. From Certificate Details, you can open a Window’s system dialog with detailed information on the certificate .
Certificates may be stored (along with their private keys) in files of type PFX or P12. In most cases, the certificate file is encrypted with a password. Be sure you know this password. To import a certificate to a KeySet, do the following:
The certificate is imported and shown in Dashboard's Certificate tab. At this point, the certificate is securely stored in WWPass cloud storage, where it is encrypted, fragmented, and dispersed.
It is highly recommended to delete the certificate file (PFX or P12) from the computer when it has been added to your KeySet.
One of the major problems when using certificates is their limited lifetime. You should check the certificate expiration date frequently.
The Expire Date column in the Certificates tab helps to detect problems in advance
Prior to its expiration date, a certificate must be renewed or a new certificate for the same purpose must be obtained and associated with your WWPass KeySet.
Note: Not every expired certificate should be deleted. Certificates used to decrypt data (such as email messages) should be preserved even if they are expired. Without those certificates, it will be impossible to read these messages. To the contrary, expired certificates used for authentication purposes (Windows logon or VPN access, for example) are unusable and should be deleted.
The Key Status tab shows the information about WWPass Keys – Pass Key, Service Key or PassKey for Mobile.
Internal Technical Information might be needed for advanced troubleshooting when you contact the WWPass Service Desk. It consists of:
|Status||What It Means||What To Do|
|Blank PassKey||Shown for a PassKey/Passkey for Mobile that has not been activated.||Activate your KeySet from WWPass Key Services: https://ks.WWPass.com/|
|Blank Service Key||Shown for a Service Key that has not been activated.||Activate your KeySet from WWPass Key Services: https://ks.WWPass.com/|
|Key has an internal error||Shown when a problem has occurred with a Key's software or hardware.||Please contact firstname.lastname@example.org for assistance.|
|Key is active and operating normally||Shown when there are no problems with a Key.||Use your Key as normal.|
|Key is blank||Shown when a Key has not been configured as a PassKey/Passkey for Mobile or Service Key.||Activate your KeySet from WWPass Key Services: https://ks.WWPass.com/|
|Key is not initialized||Shown when a Key has not been configured as a PassKey/PassKey for Mobile or Service Key.||Activate your KeySet from WWPass Key Services: https://ks.WWPass.com/|
|Key is not initialized properly||Shown when something went wrong during Key activation.||Please contact email@example.com for assistance.|
|Key is disabled||Shown when a Key was disabled from Key Services. You can disable a Key if it was lost or stolen.||If the Key is found, you can activate it from WWPass Key Services: https://ks.WWPass.com/|
|No Key present||A PassKey/PassKey for Mobile or Service Key is not connected to your computer.||Connect your PassKey/PassKey for Mobile or Service Key to your computer by placing it on or near your NFC reader/inserting it into a USB port or pairing it with your computer in case with PassKey for Mobile. Then click Refresh to obtain the Key's status.|
|Unknown device detected||Shown when a device other than a PassKey/Passkey for Mobile is connected to your computer. Examples of other devices include smart cards for public transportation and mobile phones.||Connect your PassKey/Passkey for Mobile or Service Key to your computer by placing it on or near your NFC reader/inserting it into a USB port or pairing it with your computer in case with PassKey for Mobile. Then click Refresh to obtain the Key's status.|
The Advanced tab provides settings that let you:
By default, the HTTPS protocol is used for all communication between your PassKey and PassKey for Mobile and WWPass services. You can control whether the HTTPS or HTTP protocol is used for certain parts of this communication using the Enable SSL encryption feature. It is highly recommended to keep SSL encryption enabled.
To use the SSL encryption feature
Set the Enable SSL encryption checkbox as follows:
Check the checkbox when your system prevents use of the HTTP protocol. The HTTPS protocol and SSL encryption will be used for all communication between your PassKey or PassKey for Mobile and WWPass. (The checkbox is checked by default).
Clear the checkbox when your system allows use of the HTTP protocol and you want to speed up communication between your PassKey or PassKey for Mobile and WWPass. HTTPS is used only for communication that requires the security of SSL encryption. HTTP is used for all other communication.
The Use proxy to connect WWPass services feature lets you control whether your PassKey or PassKey for Mobile communicates with WWPass Services over the Internet via an HTTP proxy server.
Note: Internet connections are made through a proxy server primarily at organizations and companies. Typically, people connecting to the Internet from home do not use a proxy server.
To use the HTTP proxy feature
Note: Internet Explorer may be configured to auto-detect http proxy in proper environment. This case click button to get proxy settings. If a proxy configuration is not available, the "No active proxy configuration found" message appears.
The Smartcard removal behavior lets you control what happens when you disconnect your PassKey or PassKey for Mobile after using it to log into a Windows Active Directory domain. You can choose to disconnect from a remote session or automatically log out of Windows, or remain logged into Windows when your PassKey or PassKey for Mobile is disconnected.
Note: Microsoft Windows provides a native solution to handle card removal behavior. It works best for smart card authentication on local computers, but often fails on Remote Desktop/Terminal Servers. Due to time delays this native setting may cause false card removal detection and involuntary session interrupts.
WWPass solves this problem with an improved card presence detection algorithm. If you experience problems with the Microsoft native service, switch to WWPass removal behavior control.
Disconnecting remote session and logging out are the most secure behaviors in a work setting when you plan to leave your computer unattended.
To use the Smartcard removal feature
Select from the list under Smartcard removal behavior:
“Passkey for Mobile” is a software implementation of PassKey functionality. It is available as an application for Android phones. Passkey for Mobile connects to a computer via Wi-Fi or Bluetooth interface.
The Passkey for Mobile section of the Advanced tab is available only on Windows machines.
Before Passkey for Mobile and a computer can be connected, they need to be “bound”, the computer and Passkey for Mobile are to be introduced to each other. The procedure follows standard “Bluetooth binding” steps.
Download the Passkey for Mobile app to your Android phone using the Google Play Store. Start the application. You will see a notification that your device has not been paired with your computer.
Note: Make sure you have turned on Bluetooth or Wi-Fi on your computer. A Wi-Fi connection is only possible when the computer and the smartphone are in the same network.
To pair your smartphone with a computer:
Note: You need to pair your smartphone to a computer or a laptop only once.
Now you are able to easily connect and disconnect your phone to your computer at any time just by touching the Bluetooth or Wi-Fi icon to the right of selected computer name.
PassKey for Mobile activation
After installation, Passkey for Mobile it is not personalized. Now that your smartphone has been paired you need to activate it so you can start using it as a PassKey. You can add it to an existing KeySet or create it as a standalone PassKey.
Note: If you just paired your smartphone with the computer, make sure you disconnect it before creating an extra PassKey and be sure to insert your Service Key first.
To activate refer to WWPass PassKey for Mobile manual for the steps to follow:
To disconnect your smartphone, tap the computer name it was connected to and click “OK” to confirm the disconnection in the dialog window.
Credential providers are Windows operating system components which authenticate users of the computer. Two types of credential providers are already included in Windows: login with password and smart card. Smart card logon should be used for strong user authentication. It is especially important when accessing Remote Desktops or Terminal Servers.
Sometimes users may experience difficulties when using the native Windows smart card credential provider. In case there are more than one authentication certificates (for different domains for example), Windows may automatically choose an incorrect certificate. Alternatively a user may be presented with long list of available certificates with the same name.
The WWPass credential provider automatically selects the correct certificate corresponding to particular computer domain.
You need administrator rights on your computer in order to change the credential provider.
The WWPass Credential provider results in an increase in authentication time.
The two Credential Providers that are available are described below:
To use the WWPass credential provider feature
Note: In order to update Security Pack on any platform you should have administrative rights.
Updating WWPass Security Pack updates all of its components, including the Dashboard. On Windows and Mac, the Security Pack can be updated from Dashboard. Alternatively you can always get latest version from the WWPass download page: https://ks.wwpass.com/download/
Provided the instructions on https://ks.wwpass.com/download/ were followed, the Security Pack is updated the same way as all other packages. A user is notified of availability of newer packages via update managers. Alternatively, you can install all available updates, using the commands
$ sudo apt-get update
$ sudo apt-get upgrade
When a new version of WWPass Security Pack is available, the Dashboard tray icon shows red exclamation point .
To update Security pack, follow the steps below:
Follow the steps below to update the WWPass Security Pack on a Mac from the WWPass Dashboard. You must have administrator rights for your computer.
Dashboard is the main component of Security Pack. Other components (drivers, plugins) are controlled by respective applications – browsers, mailers etc. – and reveal themselves only through notification messages in host applications.
Firefox is an open source, cross-platform Web browser. It is widely used all over the world. One of its unique features is cross-platform smart card support based on PKCS#11 standard.
Starting from Security Pack version 3.0, Dashboard automatically configures Firefox when installed. The following components are added
Mozilla Thunderbird is an open source and cross platform mail client. Same as Firefox, it supports PKCS#11 specification for smart cards. This feature allows Thunderbird users to exchange encrypted messages and sign outgoing mail. Thunderbird complies with S/MIME specification.
Starting from Security Pack version 3.0, Dashboard automatically configures Thunderbird when installed. Particularly WWPass PKCS#11 (cryptoki) smart card support is added to the list of available modules.
WWPass Security Pack comes with standard compliant smart card support:
PassKey for Mobile is a software implementation of the PassKey functionality. It is available as an application for Android phones. Passkey for Mobile connects to a user’s computer through Wi-Fi or Bluetooth interfaces. A virtual smart card driver is responsible for this connection on the computer side. Emulating smart card driver functionality makes WWPass features uniform and allows, e.g. to use Passkey for Mobile even with Remote Desktops or Terminal Servers.
Dashboard is a control application which provides detailed status of WWPass hardware and software components. Running in the system tray, it detects the presence of WWPass Keys and the status of smart card subsystem as well as indicating the availability of upgrades.
The certificate management tab of the Dashboard provides full control over certificates associated with a WWPass KeySet. Other functions of the Dashboard allow a user to check on the type of WWPass Key and its status.
RClient is a desktop application which works with WWPass RADIUS server and provides user access to OpenVPN, Fortigate VPN and VMware View servers.
PSS provides every WWPass KeySet owner with free access to personal, highly encrypted file storage.
Copyright 2014 WWPass Corp. All rights reserved.
WWPass | 1155 Elm Street, Manchester, NH 03101 | Tel: +1.603.836.4932 or +1.888.997.2771 | www.wwpass.com