How to: Use Medicare PKIs on Windows 64 bit

When you buy a new computer these days, it is likely that it will come with a 64-bit version of a Microsoft operating system, either the popular Windows 7 or the newest Windows 8.

The 64-bit version is a good choice, as it can support more than 4GB of RAM and it can run both 32 and 64-bit applications. Windows 32 bit, on the other hand, cannot run 64-bit applications.

However, if like me, you have been using a Medicare PKI individual certificate for authentication, for example to access the Health Professional Online Services (HPOS) portal, you may have noticed that it does not work properly on a 64-bit system.

When you want to use your Medicare individual PKI token on a new computer, you are required to install the supporting software:

  • a system driver for the USB token (smart card reader)
  • a token administration utility (SafeSign Identity Client)
  • and the Medicare Australia Chain of Trust.

Unfortunately, the CD provided with the tokens (release 1.1 April 2010) included only the software for 32-bit operating systems, which will not work on a Windows 64-bit platform.

Searching for an updated version of the supporting software was not straightforward. At first I looked in the download section of the Medicare PKI website, but I could not find any updated software.

I therefore contacted Medicare directly and was advised that they do not currently support Windows 64 bit OS.

I finally located the updated driver on the Gemalto website. This driver allows the operating system to correctly identify and handle the token (card reader and smart card).

If you now install the token administration utility provided on the CD (version 2.3/32 bit) you will be able to access the HPOS portal using the USB token. This is possible only using the 32-bit version of the Internet Explorer browser, which you can find either in the Windows Start menu (All Programs) or in C:\Program Files (x86)\Internet Explorer\iexplore.exe.

If you use the default 64-bit version of Internet Explorer or any other unsupported browser such as Firefox or Chrome to access HPOS, you will encounter the following error message: "An attempt to authenticate with a client certificate failed. A valid client certificate is required to make this connection."

However, if your practice uses thin clients and a 64-bit Windows remote desktop server (or terminal server), the above solution still will not work. You will have to obtain a 64-bit version of the SafeSign Identity Client (version 3.0).

(Please note that this is commercial software and therefore you will not find it as a free download over the Internet. If you Google it, the results may take you to several places that offer illegal copies of the software, which may be infected with malware.)

You should obtain a legal copy of the SafeSign software from Medicare or from the Australian distributor, Giesecke & Devrient Australasia, on 03 9765 1200.

Finally, do not forget to install the Chain of Trust file. You do not need an up-to-date version of this as the one from the CD or from the Medicare website will be fine.

Simply double click on it, follow the installation wizard accepting all the default options and when prompted for a password, enter the following: Pass-123.

Job done!
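The checks below gather the prerequisites from the steps above into one script, as an added example that is not part of the original article or of any Medicare or SafeSign tooling. It assumes Windows PowerShell 3.0 or later, a placeholder installer path that you replace with your own, and that the token middleware registers the token's certificate in the current user's personal store.

```powershell
# Added example (not from the article): pre-flight checks for the setup above.
# Assumes Windows PowerShell 3.0+. The default $InstallerPath is a placeholder.
param([string]$InstallerPath = 'C:\Temp\SafeSign-setup.exe')

$report = [ordered]@{}

# 1. Bitness of the OS and of this PowerShell process.
$report['64-bit OS']      = [Environment]::Is64BitOperatingSystem
$report['64-bit process'] = [Environment]::Is64BitProcess

# 2. The 32-bit Internet Explorer the article relies on (64-bit Windows only).
$pf86 = ${env:ProgramFiles(x86)}
$ie32 = if ($pf86) { Join-Path $pf86 'Internet Explorer\iexplore.exe' }
$report['32-bit IE present'] = [bool]($ie32 -and (Test-Path -LiteralPath $ie32))

# 3. Smart card access goes through the Windows Smart Card service (SCardSvr).
$svc = Get-Service -Name SCardSvr -ErrorAction SilentlyContinue
$report['Smart Card service'] = if ($svc) { "$($svc.Status)" } else { 'not installed' }

# 4. Authenticode check on the installer before running it.
#    Any status other than 'Valid' means the file should not be run.
if (Test-Path -LiteralPath $InstallerPath) {
    $sig = Get-AuthenticodeSignature -FilePath $InstallerPath
    $report['Installer signature'] = "$($sig.Status)"
    $report['Installer signer'] = if ($sig.SignerCertificate) {
        $sig.SignerCertificate.Subject } else { 'none (unsigned)' }
} else {
    $report['Installer signature'] = 'file not found'
}

# 5. Client-authentication certificates in the personal store.
#    Assumption: the token middleware registers the token's certificate here.
#    Certificates without an EKU extension are deliberately left out.
$clientAuth = '1.3.6.1.5.5.7.3.2'   # OID for TLS client authentication
$certs = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $eku = $_.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $_.HasPrivateKey -and $eku -and ($eku.EnhancedKeyUsages.Value -contains $clientAuth)
}

[pscustomobject]$report | Format-List | Out-Host
$certs | Select-Object Subject, Issuer, NotAfter,
    @{ n = 'Expired'; e = { $_.NotAfter -lt (Get-Date) } } |
    Format-Table -AutoSize | Out-Host
```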

Alberto Tinazzi is a certified IT security consultant and director of eHealth Security Services.

Posted in Australian eHealth

Comments   

# Gerard 2012-11-17 14:18
We had trouble using Gemalto keys in Firefox 4+ within iOS. Solution was to run Firefox in 32 bit mode. Terminal server is a real pain!! Got keys working in server 2003 but not 2008+. We are finding more and more specialists and GPs moving to Terminal services, madness Medicare haven't got their act together when it comes to terminal services!
# Daniel Blacklock 2012-11-17 15:37
I have been working on this for the past few days - my findings on Windows Server 2008 R2 SP1:
- Do not use the Certificates MMC as it runs in 64bit mode so you will think you have done something wrong
- You don't need to install the Gemalto 64bit driver, the "Microsoft Usbccid Smartcard Reader (WUDF)" 6.1.760.17514 driver works fine for the Smart card reader
- No matter what driver I tried there was always an unknown "Smart Card" device appearing under "Other Devices" in Device Manager. If you are anally retentive like me you can download the Gemalto .NET Minidriver from here: http://www.gemalto.com/products/dotnet_card/ there is a link to Microsoft Update at the bottom of the page.
- The key to your instructions is the 32bit SafeSign Identity Client 2.3.2 and using Internet Explorer 32bit.
- I have downloaded multiple "dodgy" 64bit copies of the SafeSign software but all of them error when I attempt to do an install (the 32bit ones install fine), I will contact the Australian distributor as suggested - thank you.
# Felix Burkhard 2012-11-18 14:49
Alberto

I had similar frustrations last year but with the release of V1.2 of the Medicare drivers earlier this year I had no problems installing and running it in a Windows 7 64 bit environment...

Regards

Felix
felix (at) xyon.com.au
# Vanessa - Practice Manager 2012-11-20 08:25
Our practice last week received the Medicare drivers from Medicare and they are still Version 1.1
# Daniel Blacklock 2012-11-20 13:40
Update: I contacted Giesecke & Devrient. They are reluctant to give me the SafeSign Admin Tool as the organisation I work for doesn't purchase them directly from G&D. They normally only deal with their clients which is Medicare Australia in this instance. They asked me to contact Medicare and get the tool from them. I told them that wasn't possible because they don't support 64bit operating systems.

G&D are going to investigate further (find out if Medicare supply smartcards to my organisation) and decide if they can/should help me. They have been very polite and helpful so far, I hope they will make the right decision.
# Alberto Tinazzi 2012-11-23 20:52
I have the latest CD from Medicare, Version 1.3 (May 2012). This CD still does not contain updated drivers and software for Windows 64 bit. It still has SafeSign Identity Client 2.3.2 (32 bit) which, as I mentioned in the article, can be installed on Windows 64 bit and it works with Internet Explorer 32 bit.

However, in order to get the token working on a Windows 2008R2 Remote Desktop Server (Terminal Server) I had to install the 64 bit version of SafeSign Identity Client 3.0.
# Daniel Blacklock 2012-12-07 14:55
Giesecke & Devrient will not give me the 64bit Safesign Admin Tool and have pushed me back to Medicare who keep telling me they don't support 64bit environments. Medicare are going to support 64bit in the future so I am expecting an email from the manager of the Online Technical Support team tomorrow detailing their plans and timeline for supporting 64bit environments.
# Ian Cheong 2013-04-18 09:30
Medicare is still working on an official release of Windows 64-bit drivers. Found a few to play with here http://nicca.nic.in/html/datakey.html

Tried the Server 2008 64-bit driver. Running terminal services so trying to leave the cards on the server to minimise thin client communication problems. PKI cards and USB keys show up for a while and SafeSign appears to talk to Firefox (didn't have passwords at the time to check). After a while, the tokens fail to appear in the Token Administration Utility and no amount of plugging/unplugging or restarting smart card services will make them come up again without a reboot.

Any clues why this is - is it a driver problem or a security policy problem??
