MOVEit DMZ supports the use of SSL client certificates, including certificates on hardware tokens, for authentication to MOVEit DMZ via its FTPS or HTTPS interfaces. This document discusses how to configure an Aladdin eToken Pro for use with MOVEit DMZ.
The eToken Pro is a small USB-based cryptographic device that can store client certificates. When an SSL-enabled FTP client or web browser attempts to use a client certificate that is stored on an eToken, the Aladdin software drivers obtain the certificate from the token and present it to the application. The token must be physically attached to the computer at the time the certificate is needed.
Installing the eToken
Before connecting the eToken to the computer, insert the Aladdin CD-ROM and choose Install eToken RTE. This will install the USB drivers and a simple "eToken Properties" utility. If you want to be able to copy certificates to a token, you must also choose Install Utilities from the CD.
A note on the eToken Utilities: there need not be a separate administrative computer for managing eTokens, since end users can perform all eToken configuration themselves on their own computers. If you want end users to be able to manage the certificates on their eTokens themselves, then the eToken Utilities should be installed on each computer.
If an administrator will be doing certificate management for all eTokens on a single administrative computer, then the eToken Utilities don't need to be installed on the end user computers. However, in order for an administrator to be able to configure all eTokens from a single administrative computer, the individual client certificates must also be installed on that computer.
When the software has been installed, insert the USB token. (You do not need to reboot the computer.) The red light inside the token (visible from all sides) should light up.
Run Start | Programs | eToken | eToken Properties and change the token's password from the default of 1234567890.
Copying certificates to the eToken
Once you have created and installed a certificate on the computer, you can copy it to the eToken:
If you move the hardware token to a different computer, you will not need to take any special actions (other than installing the eToken RTE) for the computer to be able to use the certificate.
You can run the "eToken Properties" program again to confirm that the certificate is now on the token. You can also use Internet Explorer to confirm that the certificate is available, by choosing Tools | Internet Options... | Content | Certificates... Once you unplug the token, the Microsoft Certificates applet will no longer show the certificate.
When you run an FTP client or web browser that uses the certificate, you'll get an eToken Base Cryptographic Provider dialog asking for the token's password each time the program runs.
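As an added example (not part of the MOVEit DMZ documentation), the following script lists the current user's client-authentication certificates and reports which ones have their private key held by the eToken CSP named in the dialog above, so an administrator can tell a token-backed certificate from a software-backed copy left in the Windows store. It assumes Windows PowerShell 5.1 on a computer with the eToken RTE installed; the function name and output columns are my own.

```powershell
# Added example, not from the MOVEit DMZ documentation.
# Provider name as shown in the password dialog described above.
$TokenProvider = 'eToken Base Cryptographic Provider'

function Get-ClientCertBacking {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Keep only certificates usable for TLS client authentication
        # (EKU 1.3.6.1.5.5.7.3.2); a certificate with no EKU is allowed for any purpose.
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $clientAuth = $true
        if ($eku) {
            $clientAuth = [bool]($eku.EnhancedKeyUsages |
                Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })
        }
        if (-not $clientAuth) { continue }

        $provider = $null; $hardware = $false; $exportable = $null
        if ($cert.HasPrivateKey) {
            try {
                # For legacy CSP keys (the eToken CSP is one) PrivateKey is an
                # RSACryptoServiceProvider whose container info names the provider.
                # Opening a token-held key may trigger the token password prompt.
                $info       = $cert.PrivateKey.CspKeyContainerInfo
                $provider   = $info.ProviderName
                $hardware   = $info.HardwareDevice
                $exportable = $info.Exportable
            } catch {
                # CNG-backed or inaccessible keys land here; report rather than fail.
                $provider = "(unavailable: $($_.Exception.Message))"
            }
        }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Provider   = $provider
            OnToken    = ($provider -eq $TokenProvider)
            Hardware   = $hardware
            Exportable = $exportable   # $true here means the key is not token-protected
        }
    }
}

Get-ClientCertBacking | Format-Table -AutoSize
```

Run it once with the token plugged in and once with it unplugged; a certificate whose row disappears in the second run is the one served by the token.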