Press, August '12
Success Stories

A Smart Card for Everything

LVM Insurance has consolidated user authentication across system boundaries. On all clients, users now log on with a Smart Card, whether the operating system is Linux or Windows.

by Jan Schulze, freelance journalist

The LVM Insurance company in Germany follows a strategy of using open-source solutions wherever practical. Maximum flexibility with minimum dependence on single providers is the motto. As a result, Linux has been the operating system of choice for years. Currently LVM employs Ubuntu 10.04 LTS (Long Term Support) by Canonical; around 10,000 systems are operated this way by the insurance company. Accordingly, user management is based on the open standard LDAP, for which LVM uses the IBM Tivoli Directory Server. Since 2002, users have logged on to Linux clients using a Smart Card. At the request of the security officer, the internal audit and the Board of Directors, this very secure method of user authentication was now to be extended to the parallel Windows world.

Windows in many special cases

Daniel Timmerhindrick, responsible for the security of application systems in the IT Infrastructure area at LVM, explains: "In addition to the Linux clients, we operate approximately 1000 Windows workstations, currently still using Windows XP. These are used where Ubuntu isn't practical." In this Windows environment, authentication is performed against an Active Directory, and users log on to their computers with username and password. "Besides this, Windows is often being used on workstations used by specialists," said Timmerhindrick. The security of these computers no longer conformed to LVM's security guidelines.

The idea of simply extending the existing Smart Card solution to the Windows world was discarded in the first project planning in February 2010. "An integration of native Windows Smart Cards would have been quite costly for our infrastructure," says Timmerhindrick. "Since Windows is being used by us only on specialists' workstations, we are not as broadly diversified in this area as in the Linux environment. Thus, we wanted not only to leave our existing processes unchanged, but also to change the Windows systems as little as possible." Moreover, the Smart Cards of the Windows users were not to be issued via the Active Directory, but on Linux using the existing internal PKI. It was also required that the existing Smart Cards continue to be used: they are not only used by Linux users to log on to computers, but also serve all employees as access control and payment cards. LVM found the solution at the Viennese software house Comtarsia IT-Services GmbH, which has a suitable standard product. This solution promised to cover the needs of LVM Insurance with minimal effort.

Middleware instead of Windows Customization

After the project team had carried out an analysis of the actual state of LVM's client IT, those in charge of the project sounded out the market. An available open-source solution was discarded because the effort to adapt it to LVM's needs would have been too great. Among commercial providers, the Comtarsia concept seemed to meet LVM's needs best.

The solution consists of four main components. A client handles the user log-on on the workstation. Through a middleware, the log-on client communicates with the Smart Card that holds the certificate. The client generates a session password and passes it together with the certificate to a proxy server, which verifies the validity of the certificate against the data stored in LDAP and uses the certificate mapping to determine the user name. In the final step, an agent sets this temporary password for the user in the Active Directory, and the client completes the log-on to the Windows domain. Thus, no changes are necessary in the Active Directory itself.
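To make the division of trust in this flow concrete, here is an added model of the four roles in Python (illustrative code written for this page, not Comtarsia's software). The CA name, the fingerprint-to-user mapping and the password lifetime are constructed assumptions; the point is that the Active Directory only ever sees a short-lived, single-use password, while certificate validation and user mapping happen in the proxy.

```python
import secrets
from dataclasses import dataclass

# Constructed stand-in for the certificate the middleware reads from the card.
@dataclass
class Certificate:
    fingerprint: str
    issuer: str
    not_after: float      # validity end as a POSIX timestamp

TRUSTED_ISSUERS = {"CN=LVM Internal PKI"}      # assumed CA name, not from the article
LDAP_MAPPING = {"ab12cd34": "dtimmerhindrick"} # constructed fingerprint -> user name
TEMP_PASSWORD_TTL = 60.0                       # seconds; assumed value

def proxy_verify(cert, now):
    """SignOn Proxy role: validate the certificate and map it to a user name."""
    if cert.issuer not in TRUSTED_ISSUERS:
        raise PermissionError("untrusted issuer")
    if now >= cert.not_after:
        raise PermissionError("certificate expired")
    if cert.fingerprint not in LDAP_MAPPING:
        raise PermissionError("no certificate mapping in LDAP")
    return LDAP_MAPPING[cert.fingerprint]

class ActiveDirectory:
    """Minimal stand-in for AD: it only ever sees a temporary password."""
    def __init__(self):
        self.temp = {}
    def agent_set_password(self, user, password, now):
        # SignOn Agent role: store the session password with an expiry time.
        self.temp[user] = (password, now + TEMP_PASSWORD_TTL)
    def logon(self, user, password, now):
        # Domain log-on: the password must match, be unexpired, and is single-use.
        entry = self.temp.pop(user, None)
        if entry is None:
            return False
        stored, expires = entry
        return secrets.compare_digest(stored, password) and now < expires

def smart_card_logon(cert, ad, now):
    """LogOn Client role: run the whole flow; return the user name or None."""
    session_password = secrets.token_urlsafe(24)  # generated, never typed by the user
    try:
        user = proxy_verify(cert, now)
    except PermissionError:
        return None
    ad.agent_set_password(user, session_password, now)
    return user if ad.logon(user, session_password, now) else None
```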

The Company

With over 3.1 million customers, 2.7 billion euro in premiums and capital assets of more than 13.5 billion euro, LVM Insurance is among the 20 leading direct insurance groups in Germany. Customer service is provided by 2,200 LVM delegates and their staff of 4,200 in LVM service offices across the country, supported by over 3,000 staff at the company's headquarters in Münster. The group of companies has a comprehensive range of products for private and commercial customers. LVM's own bank, the Augsburger Aktienbank AG, and the LVM cooperation partners HKK Erste Gesundheit, Aachen Bausparkasse and Federated Investors Inc. offer further insurance and financial services. On the IT side, LVM Versicherung follows a clear open-source strategy to avoid dependence on single suppliers. This includes running the bulk of desktop computers on the open-source Linux operating system and consistently using the platform-independent Java for in-house software development.

An important requirement from LVM was that the Smart Cards already in use in the Linux world also work with Windows. These are based on Starcos (Smart Card Chip Operating System). The solution also had to allow for a later upgrade to JCOP (Java Card Open Platform).

For this requirement, Comtarsia offered a middleware that handles the communication with the chip card. This middleware is available both for Starcos and for JCOP. Using this intermediate layer, the cards issued under Linux can also be used on Windows, as LVM requested.

Aside from this, the insurance company required that the solution be compatible both with the currently used Windows XP and with Windows 7. The upgrade from XP to Windows 7 is already decided, as the outdated operating system has virtually no support left. Comtarsia scores here too, as the solution supports Windows 7. According to the manufacturer, use with Windows 8 will also be possible once the new version is officially launched.

Successful test installation

Already in the test installation that Comtarsia implemented at LVM's request, most of the insurance company's requirements were met. Because of this, the project team decided to introduce this solution for Windows authentication. For the pilot phase, those responsible chose individual users from all departments, ensuring that the feedback was representative of the entire company. The same card readers were used that had already proven themselves in the Linux environment, so the necessary Windows drivers could be rolled out early.

During the pilot phase it became clear that in some places further functional enhancements were necessary. For example, LVM's process requires that users be notified when their certificates are about to expire. "Communication with Comtarsia went very well," recalls Timmerhindrick. "They were quick to understand our needs and gave an accurate assessment of the necessary time and effort needed." The roll-out phase began after all necessary adjustments were made.

One open question was how the card readers should be distributed to the Windows users. LVM IT wanted to avoid classic sneaker-net administration. Here, the project team benefited from the fact that LVM's IT is divided into three departments: servers, networks and the like are administered by "IT Infrastructure", "IT Organization" is responsible for in-house software development, and the data-processing center is under the care of "DV-Service". For the distribution of the card readers, all areas of IT pooled their expertise from previous rollouts, which made it possible to keep to the schedule.

In the foyer, an information booth was set up, where employees could pick up the card reader. Additionally, users received a flyer in which the installation and operation were thoroughly explained.

Which cards work?

A further challenge was simple in nature, as Timmerhindrick explains: "The Smart Card chip of Windows users on the employee IDs has never been in use. Access and payment functions are integrated on cards with RFID. We didn't know if a card had been personalized in the past and, if so, whether the employee in question still knew his PIN."

Instead of speaking to employees individually, the IT department used the information booths for this purpose. "The exchange rate has been lower than initially feared, perhaps 10 to 15 percent of the Smart Cards had to be renewed," said Timmerhindrick.

Just eight months after the initial planning, the authentication solution for Windows clients could be put into use. Overall, Timmerhindrick is very satisfied with the progress of the project: "There were no serious difficulties in the project, all hurdles were quickly mastered. Our solution provider quickly understood our requirements and showed himself to be very flexible in the project."

From LVM's perspective, the return on investment plays no role and has not been calculated. "For security projects this is always very difficult to put into numbers..." said Timmerhindrick. "Because Windows is often used by our management, additional security was very necessary."

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Project thumbnail
User: LVM Insurance
Branch: Insurance
Project type: User authentication
Products in use: Comtarsia SignOn Proxy, Comtarsia SignOn Agent, Comtarsia LogOn Client, Comtarsia Smart-Card Middleware
System environment: Linux, Windows, LDAP, Active Directory
Time and effort: --
Challenge: Extension of the authentication Smart Card from an existing Linux to a Windows environment with as little interference as possible with Microsoft's infrastructure.
Result: Successfully introduced.
Stage of Project: Productive, time-frame approximately 10 months.
Involved suppliers: Comtarsia IT Services GmbH
Contact person: Daniel Timmerhindrick, LVM Versicherung

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All product and company names mentioned herein are the trademarks of their respective owners. (c) 2001-2024 Comtarsia IT Services GmbH.