Belgian Government Belgium e-ID middleware

Views: 786  |  Created: 07/06/2016 by: comicsserg


Deployment Tips (2)

Most Common Setup Type: Windows Installer (MSI)
Average Package Difficulty Rating: Rated 3 / 5 (Average) based on 2 ratings
Most Commonly Reported Deployment Method: Windows Installer Command Line (No MST)
Script
Prerequisites:
1) Make sure KB3125574 is installed, otherwise the silent installer will not work on Windows 7 SP1

Preparation:
1) Download the msi installation from http://eid.belgium.be/nl/je_eid_gebruiken/hulp_nodig_/problemen_met_de_installatie
2) Install Belgium e-ID manually on a Windows 7 PC
3) The installer asks to install drivers. When you accept, it installs a certificate in the local machine store
4) Then, using mmc, extract the certificate that was installed in the local machine Trusted Publishers store when the SmartCard driver software was installed

I am using a ps1 script to install the software via an SCCM Application.
In the script I install the certificate by using this function:

function Import-Certificate
{
    param
    (
        [IO.FileInfo] $CertFile = $(throw "Parameter -CertFile [System.IO.FileInfo] is required."),
        [string[]] $StoreNames = $(throw "Parameter -StoreNames [System.String] is required."),
        [switch] $LocalMachine,
        [switch] $CurrentUser,
        [string] $CertPassword,
        [switch] $Verbose
    )

    begin
    {
        # Load the assembly that provides the X509 certificate and store classes
        Add-Type -AssemblyName System.Security
    }

    process
    {
        if ($Verbose)
        {
            $VerbosePreference = 'Continue'
        }

        # At least one store scope has to be selected
        if (-not $LocalMachine -and -not $CurrentUser)
        {
            Write-Warning "One or both of the following parameters are required: '-LocalMachine' '-CurrentUser'. Skipping certificate '$CertFile'."
        }

        try
        {
            # Accept the certificate file from the pipeline as well
            if ($_)
            {
                $certfile = $_
            }
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certfile,$CertPassword
        }
        catch
        {
            Write-Error ("Error importing '$certfile': $_ .") -ErrorAction:Continue
        }

        # Add the certificate to each requested store in the LocalMachine scope
        if ($cert -and $LocalMachine)
        {
            $StoreScope = "LocalMachine"
            $StoreNames | ForEach-Object {
                $StoreName = $_
                if (Test-Path "cert:\$StoreScope\$StoreName")
                {
                    try
                    {
                        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store $StoreName, $StoreScope
                        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
                        $store.Add($cert)
                        $store.Close()
                        Write-Verbose "Successfully added '$certfile' to 'cert:\$StoreScope\$StoreName'."
                    }
                    catch
                    {
                        Write-Error ("Error adding '$certfile' to 'cert:\$StoreScope\$StoreName': $_ .") -ErrorAction:Continue
                    }
                }
                else
                {
                    Write-Warning "Certificate store '$StoreName' does not exist. Skipping..."
                }
            }
        }

        # Add the certificate to each requested store in the CurrentUser scope
        if ($cert -and $CurrentUser)
        {
            $StoreScope = "CurrentUser"
            $StoreNames | ForEach-Object {
                $StoreName = $_
                if (Test-Path "cert:\$StoreScope\$StoreName")
                {
                    try
                    {
                        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store $StoreName, $StoreScope
                        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
                        $store.Add($cert)
                        $store.Close()
                        Write-Verbose "Successfully added '$certfile' to 'cert:\$StoreScope\$StoreName'."
                    }
                    catch
                    {
                        Write-Error ("Error adding '$certfile' to 'cert:\$StoreScope\$StoreName': $_ .") -ErrorAction:Continue
                    }
                }
                else
                {
                    Write-Warning "Certificate store '$StoreName' does not exist. Skipping..."
                }
            }
        }
    }

    end
    { }
}


Then I am using this function like this in the script to import certificates:

$ScriptPad = $Script:MyInvocation.MyCommand.Path
$ScriptFolder = Split-Path -Parent $ScriptPad
Write-Host "Try to add certificates..."

$filename = Join-Path -Path $ScriptFolder -ChildPath "cert_fedict.cer"
$filename2 = Join-Path -Path $ScriptFolder -ChildPath "fedict_codesiging.cer"
try {
    Import-Certificate -CertFile $filename -StoreNames TrustedPublisher -LocalMachine
    Import-Certificate -CertFile $filename2 -StoreNames TrustedPublisher -LocalMachine
    Write-Host "Certificates ready`n"
} catch {
    Write-Error "Failed while adding certificate..."
}

Next, using the Manage-Drivers.ps1 script from this post, we can add the driver silently:
http://www.itninja.com/blog/view/app-v-5-and-drivers

Write-Host "Installing driver...`n"
. "$ScriptFolder\Manage-Drivers.ps1" -DriverSource "$ScriptFolder\BeID Minidriver" -LogName "eID_driver.log"

And finally we can install the msi by using this line:

Write-Host "Installing Belgium e-ID msi...`n"
# Quote the MSI and log paths so a script folder containing spaces does not break the msiexec command line
Start-Process -FilePath "msiexec.exe" -ArgumentList "/norestart /i `"$ScriptFolder\BeidMW_64_4.1.18.msi`" /qn /l*vx `"c:\logs\beid4.1.18.log`"" -Wait

We can verify if the right version (4.1.18) is installed by using this check:
if (gwmi -Namespace root\cimv2\sms -class SMS_InstalledSoftware | ?{$_.SoftwareCode -like "{DB942AEA-93D6-4FE4-8862-180D35A71730}"}) {
    Write-Host "Installation completed`n"
}

{DB942AEA-93D6-4FE4-8862-180D35A71730} is the product id of the software version 4.1.18 and is different for other versions


PS: Thanks everybody for helping to find this out:
http://www.itninja.com/question/silent-belgium-e-id

 
Setup Information:
Setup Type: Windows Installer (MSI)
Deployment Method Used: Windows Installer Command Line (No MST)
Deployment Difficulty: Average
Platform(s): Windows
Note
Deployment through Group Policy is also possible (requires no scripting).

Download the latest msi. At this moment it's BeidMW_64_4.1.18.msi or x86: BeidMW_32_4.1.18.msi

Install the msi on a machine. Extract the certificate from mmc -> Local machine certificates -> Trusted Publishers -> Fedict.

Create a GPO for the machines where you want to deploy the program to:
-> Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Publishers. Import the certificate here.

Create a GPO (or the same GPO) for the software installer:
-> Computer Configuration -> Policies -> Software Settings -> Software installation -> New package -> ...

Upgrades to the msi are also possible this way. 

A remark though: If there is an update of the certificate, make sure you push the new certificate through GPO. If the machine does not have the latest certificate, the new msi won't install (and machines may end up in a rebooting state).

Setup Information:
Setup Type: Windows Installer (MSI)
Deployment Method Used: unspecified
Deployment Difficulty: Somewhat Easy
Platform(s): Windows
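
Both tips above add the exported Fedict certificates to the machine-wide Trusted Publishers store, which suppresses the publisher prompt for anything signed with them, so it is worth pinning the exported files before import and auditing the store afterwards. The PowerShell below is an added example, not code from either contributor; the function names and the `$PinnedPublishers` table are hypothetical, and the thumbprints are placeholders to be recorded on the reference PC where the certificates were extracted.

```powershell
# Added example, not part of the original tips.
# The thumbprints are placeholders: record the real values on the reference PC.
$PinnedPublishers = @{
    'cert_fedict.cer'       = '<THUMBPRINT-OF-cert_fedict.cer>'
    'fedict_codesiging.cer' = '<THUMBPRINT-OF-fedict_codesiging.cer>'
}

function Test-PublisherCertificate
{
    param
    (
        [Parameter(Mandatory = $true)] [string] $CertFile,
        [Parameter(Mandatory = $true)] [string] $ExpectedThumbprint
    )

    $path = (Resolve-Path -LiteralPath $CertFile).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $path
    $problems = @()

    # The file must be exactly the certificate that was reviewed. Thumbprints copied
    # from the mmc dialog contain spaces, so strip everything that is not a hex digit.
    $expected = $ExpectedThumbprint -replace '[^0-9A-Fa-f]', ''
    if ($cert.Thumbprint -ne $expected) { $problems += "thumbprint is $($cert.Thumbprint), not the pinned value" }

    # It must be inside its validity period.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { $problems += 'outside its validity period' }

    # A Trusted Publishers entry should carry the Code Signing EKU (1.3.6.1.5.5.7.3.3).
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $codeSigning = $eku | ForEach-Object { $_.EnhancedKeyUsages } | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' }
    if (-not $codeSigning) { $problems += 'no Code Signing EKU' }

    foreach ($p in $problems) { Write-Warning "$CertFile : $p" }
    return ($problems.Count -eq 0)
}

# Audit: list Trusted Publishers entries on this machine that are not in the pin list.
function Get-UnpinnedPublisher
{
    $allowed = $PinnedPublishers.Values | ForEach-Object { $_ -replace '[^0-9A-Fa-f]', '' }
    Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
        Where-Object { $allowed -notcontains $_.Thumbprint } |
        Select-Object Thumbprint, Subject, NotAfter
}
```

Call `Test-PublisherCertificate` for each .cer file before the import step and stop the deployment when it returns `$false`; after a script or GPO rollout, `Get-UnpinnedPublisher` shows which Trusted Publishers entries on a machine were not part of the reviewed set.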

Inventory Records (1)

Belgium e-ID middleware, version 4.1.18
