An eToken with a Public Key Infrastructure (PKI) security certificate provides two-factor authentication, thereby reducing the chances of someone being able to impersonate you. Someone would need both your eToken and your password in order to impersonate you when accessing systems that require eToken authentication.
eTokens allow you to: access the Dartmouth Secure wireless network, identify (authenticate) yourself to some applications, digitally sign e-mail and other electronic documents and transactions, encrypt data traffic (either on-campus wireless using 802.1x or all traffic when off campus using VPN), and encrypt e-mail and other documents to prevent unauthorized access (note: this is risky because if you lose your key, there is no recovery).
Note: If you have an eToken, you do not need to download a private software certificate to your machine because a certificate will be added to your eToken when it is created for you.
An eToken is a device that plugs into a USB port on your computer. It is designed to hold a Public Key Infrastructure (PKI) security certificate, which is an electronic certificate that uniquely identifies individuals to computers. A rough analogy would be that an eToken is part of an electronic Identification Card that is completed or enabled when you enter your password. The eToken is about the size of a house key and can be kept on your key ring.
Students can purchase an eToken from The Computer Store, located in 001 McNutt Hall.
Faculty and staff should contact the IT Service Desk (Help Desk) at 646-2999 and select from the options provided, or call your department's IT support office for more information on getting an eToken.
The eToken software must be installed for your eToken to work on a computer.
On the Macintosh (Mac OS 10.4 and earlier), the eToken is compatible with Firefox, Safari, Mozilla and Netscape. Other web browsers that support the PKCS#11 interface may also work. There is currently a problem with using Mac OS X 10.5 and an eToken for the Dartmouth Secure wireless network. Dartmouth Secure works on Mac OS X 10.5, just not with an eToken.
Regardless of which browser you use, you will need to have the Dartmouth Root Certificate installed on your computer. If the Dartmouth Root Certificate has not already been installed on your computer, see the instructions for Getting the Dartmouth Root Certificate.
In addition to installing the Dartmouth Root Certificate, Firefox users and those using older versions of Netscape must also do the following:
To obtain an eToken and have the electronic certificate installed on it, students must first purchase one from The Computer Store at 001 McNutt Hall. After purchasing the eToken, go to the Student IT Service Desk (Help Desk) at 178J Baker/Berry. Faculty and staff should contact their department's IT support office. Everyone needing a certificate on an eToken will need to show a Dartmouth I.D. card or other form of picture identification, such as a driver's license or passport, to verify that they are the person whose name is going to be put on the eToken.
Your eToken password is important. For help with selecting a good password, see Selecting a Password. If you want to change the password on your eToken sometime in the future, go to the eToken Properties application in your Programs or Applications listing and change it, but be sure to keep the password strong. This does not affect the value of the private key on the eToken, just access to the other information on the eToken.
To use your personal certificate, you may also need to install the Dartmouth Root Certificate in your web browser’s certificate store. This root certificate helps your computer determine whether Dartmouth-issued certificates are trustworthy.
Go to the Dartmouth Root CA web page and follow the instructions below, depending on which browser and operating system you are using. Note: if you use Firefox or Netscape, you have to import the root certificate for each browser.
Under the "Download certificates" section of the Dartmouth Root CA web page, click the Dartmouth CertAuth1 CA (Dartmouth Root CA) link. The Downloads window will open showing that DartmouthCA.cer has been downloaded to your default download location. Drag and drop the certificate file onto the Keychain Access icon in the Applications/Utilities folder. The Keychain Access application opens and you are prompted to add the certificates from the file to a Keychain. For Mac OS X 10.4 and earlier, select the X.509 Anchors keychain. For Mac OS X 10.5, select the System keychain. Keychain Access will now contain the Dartmouth College Root certificate. Quit the Keychain Access application.
Under the "Download certificates" section of the Dartmouth Root CA web page, click the Dartmouth CertAuth1 CA (Dartmouth Root CA) link. A Downloading Certificate box will open. Put a check mark beside each of the three options in the center of the box, then click OK.
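Because an imported root certificate becomes a trust anchor for everything it signs, it is worth inspecting the downloaded DartmouthCA.cer before adding it to a keychain or browser. The following is an added example, not part of Dartmouth's instructions: the function names are hypothetical, it assumes the OpenSSL command-line tool (1.1.0 or later) is installed, and the reference fingerprint is a placeholder you must obtain through a trusted channel, since this page does not publish one.

```shell
#!/bin/sh
# Added example: inspect a downloaded root CA file before trusting it.
# Assumes OpenSSL 1.1.0+ on PATH; accepts PEM or DER (.cer) input.

# Emit the certificate as PEM whatever its on-disk encoding.
cert_to_pem() {
    openssl x509 -in "$1" -inform PEM -outform PEM 2>/dev/null ||
        openssl x509 -in "$1" -inform DER -outform PEM 2>/dev/null
}

# SHA-256 fingerprint as uppercase hex without colons (empty on parse failure).
cert_sha256() {
    cert_to_pem "$1" | openssl x509 -noout -fingerprint -sha256 2>/dev/null |
        sed 's/^.*=//' | tr -d ':' | tr 'a-f' 'A-F'
}

# Succeed only if subject equals issuer AND the signature verifies with the
# certificate's own key, i.e. the file really is a self-signed root.
# Validity dates are deliberately not checked here (-no_check_time).
is_self_signed_root() {
    pem_file=$(mktemp) || return 2
    if ! cert_to_pem "$1" > "$pem_file"; then rm -f "$pem_file"; return 2; fi
    subj=$(openssl x509 -in "$pem_file" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$pem_file" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    rc=1
    if [ -n "$subj" ] && [ "$subj" = "$iss" ] &&
        openssl verify -no_check_time -CAfile "$pem_file" "$pem_file" >/dev/null 2>&1
    then rc=0; fi
    rm -f "$pem_file"
    return $rc
}

# Compare the file against a reference fingerprint obtained out of band.
# Colons, spaces and letter case in the reference are ignored.
fingerprint_matches() {
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    got=$(cert_sha256 "$1")
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Typical use (REFERENCE_FINGERPRINT is a placeholder, not a real value):
#   is_self_signed_root DartmouthCA.cer && \
#   fingerprint_matches DartmouthCA.cer "REFERENCE_FINGERPRINT" && echo "OK to import"
```

A self-signed check alone proves nothing about origin, since anyone can create a self-signed certificate; the fingerprint comparison against an independently obtained value is what ties the file to the real CA.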
For normal use, insert the eToken into a USB port on your computer before you start your applications. The red LED light on the eToken will flash while loading, then stay on once loaded. When an individual application requires the use of a certificate in the eToken, a box will appear asking for the password for the eToken. Each separate application requires entering the password to unlock your certificate on the eToken. Most applications will only ask for the password once per session.
When you are finished using your eToken, simply unplug it from the computer’s USB port.
You will select a password when configuring the eToken. It is not related to any other password, and should be different from your DND password. Do not forget the password or enter the wrong password more than 15 times in a row. If you do, the eToken will become unusable and require reformatting (you will need to go to the IT Service Desk (Help Desk) to have it reformatted or you can contact your department's IT support office). This is a security feature that prevents misuse of lost or stolen eTokens. You may, however, change the password by using the eToken Properties program, which has to be installed on your computer for the eToken to work.
Helpful hints:
With your eToken, you can:
Note: Both of the above e-mail applications (sign and encrypt) will work on Macintosh computers. You just need an S/MIME compatible e-mail client, such as Thunderbird. The latest version of BlitzMail for the Macintosh (2.9) is S/MIME compliant.
You can use the eToken Properties application to change your eToken's password or name, to view the contents of your eToken, and remove keys and certificates from it. If it is not already on your computer, you can download it from the Web; see eToken Runtime Environment.
If you remove your certificate from your eToken, a new certificate can be installed for you onto your eToken; please contact the IT Service Desk (Help Desk) at 646-2999 and select from the options provided, or call your department's IT support office.
Note: Any e-mail messages or files encrypted with the previous certificate may no longer be decryptable. We recommend you only encrypt a file if you have an unencrypted backup, if you have a backup of your private key, or if you do not care whether you lose the document. An example of using encryption might be sending somebody a password; you don't care if you lose your encrypted copy, as you can make another and send it.
Try not to get the eToken wet or dirty. If it gets wet, dry it out before using it.