How to: Use Medicare PKIs on Windows 64 bit
When you buy a new computer these days, it is likely that it will come with a 64-bit version of a Microsoft operating system, either the popular Windows 7 or the newest Windows 8.
The 64-bit version is a good choice, as it can support more than 4GB of RAM and it can run both 32-bit and 64-bit applications. 32-bit Windows, on the other hand, cannot run 64-bit applications.
However, if like me, you have been using a Medicare PKI individual certificate for authentication, for example to access the Health Professional Online Services (HPOS) portal, you may have noticed that it does not work properly on a 64-bit system.
When you want to use your Medicare individual PKI token on a new computer, you are required to install the supporting software:
- a system driver for the USB token (smart card reader)
- a token administration utility (SafeSign Identity Client)
- and the Medicare Australia Chain of Trust.
Unfortunately, the CD provided with the tokens (release 1.1 April 2010) included only the software for 32-bit operating systems, which will not work on a Windows 64-bit platform.
Searching for an updated version of the supporting software was not straightforward. At first I looked in the download section of the Medicare PKI website but I could not find any updated software.
I therefore contacted Medicare directly and was advised that they do not currently support Windows 64 bit OS.
I finally located the updated driver on the Gemalto website. This driver allows the operating system to correctly identify and handle the token (card reader and smart card).
If you now install the token administration utility provided on the CD (version 2.3/32 bit) you will be able to access the HPOS portal using the USB token. This is possible only using the 32-bit version of the Internet Explorer browser, which you can find either in the Windows start menu (all programs) or in C:\Program Files (x86)\Internet Explorer\iexplore.exe.
If you use the default 64-bit version of Internet Explorer or any other unsupported browser such as Firefox or Chrome to access HPOS, you will encounter the following error message: "An attempt to authenticate with a client certificate failed. A valid client certificate is required to make this connection."
However, if your practice uses thin clients and a 64-bit Windows remote desktop server (or terminal server), the above solution still will not work. You will have to obtain a 64-bit version of the SafeSign Identity Client (version 3.0).
(Please note that this is commercial software and therefore you will not find it as a free download over the Internet. If you Google it, the results may take you to several places that offer illegal copies of the software, which may be infected with malware.)
You should obtain a legal copy of the SafeSign software from Medicare or from the Australian distributor, Giesecke & Devrient Australasia, on 03 9765 1200.
Finally, do not forget to install the Chain of Trust file. You do not need an up-to-date version of this as the one from the CD or from the Medicare website will be fine.
Simply double click on it, follow the installation wizard accepting all the default options and when prompted for a password, enter the following: Pass-123.
Job done!
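A read-only check of the pieces this procedure depends on, as an added example (not from the original article, Medicare or the SafeSign vendor). It assumes Windows PowerShell is available and that the token's certificate appears in the current user's Personal store while the token is plugged in.

```powershell
# Added example: read-only post-install checks for the setup described above.
# Run with the token inserted. Nothing here changes the system.

# 1. OS and process bitness (a 32-bit process reports an IntPtr size of 4).
$osArch   = (Get-WmiObject Win32_OperatingSystem).OSArchitecture
$procBits = [IntPtr]::Size * 8
"OS architecture : $osArch"
"This process    : $procBits-bit"

# 2. The Windows Smart Card service must be running for any reader to work.
$svc = Get-Service -Name SCardSvr -ErrorAction SilentlyContinue
if ($svc) { "Smart Card svc  : $($svc.Status)" }
else      { "Smart Card svc  : not found" }

# 3. The 32-bit Internet Explorer the article says to use for HPOS.
#    ProgramFiles(x86) only exists on 64-bit Windows.
$pf86 = ${env:ProgramFiles(x86)}
if ($pf86) {
    $ie32 = Join-Path $pf86 'Internet Explorer\iexplore.exe'
    "32-bit IE       : $ie32 (present: $(Test-Path $ie32))"
} else {
    "32-bit IE       : 32-bit Windows, the default IE is already 32-bit"
}

# 4. Certificates usable for TLS client authentication: private key reachable,
#    not expired, and either no EKU restriction or the Client Authentication EKU.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$now = Get-Date
$usable = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $cert = $_
    $eku  = $cert.Extensions | Where-Object { $_ -is $ekuType } | Select-Object -First 1
    $ekuOk = (-not $eku) -or
             (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $clientAuthOid)
    $cert.HasPrivateKey -and $ekuOk -and ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
})

if ($usable.Count -eq 0) {
    "Client certs    : none found. Expect the 'valid client certificate is required' error."
} else {
    "Client certs    : $($usable.Count) candidate(s)"
    $usable | Format-List Subject, Issuer, NotAfter
}
```

If step 4 finds nothing while the token is plugged in, the problem is in the driver or token utility layer rather than in the browser.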
Alberto Tinazzi is a certified IT security consultant and director of eHealth Security Services.
Posted in Australian eHealth
Comments
- Do not use the Certificates MMC as it runs in 64bit mode so you will think you have done something wrong
- You don't need to install the Gemalto 64bit driver, the "Microsoft Usbccid Smartcard Reader (WUDF)" 6.1.760.17514 driver works fine for the Smart card reader
- No matter what driver I tried there was always an unknown "Smart Card" device appearing under "Other Devices" in Device Manager. If you are anally retentive like me you can download the Gemalto .NET Minidriver from here: http://www.gemalto.com/products/dotnet_card/ there is a link to Microsoft Update at the bottom of the page.
- The key to your instructions is the 32bit SafeSign Identity Client 2.3.2 and using Internet Explorer 32bit.
- I have downloaded multiple "dodgy" 64bit copies of the SafeSign software but all of them error when I attempt to do an install (the 32bit ones install fine), I will contact the Australian distributor as suggested - thank you.
I had similar frustrations last year but with the release of V1.2 of the Medicare drivers earlier this year I had no problems installing and running it in a Windows 7 64 bit environment...
Regards
Felix
felix (at) xyon.com.au
G&D are going to investigate further (find out if Medicare supply smartcards to my organisation) and decide if they can/should help me. They have been very polite and helpful so far, I hope they will make the right decision.
However, in order to get the token working on a Windows 2008R2 Remote Desktop Server (Terminal Server) I had to install the 64 bit version of SafeSign Identity Client 3.0.
Tried the Server 2008 64-bit driver. Running terminal services so trying to leave the cards on the server to minimise thin client communication problems. PKI cards and USB keys show up for a while and SafeSign appears to talk to Firefox (didn't have passwords at the time to check). After a while, the tokens fail to appear in the Token Administration Utility and no amount of plugging/unplugging or restarting smart card services will make them come up again without a reboot.
Any clues why this is - is it a driver problem or a security policy problem??