Tuesday, December 30, 2014

LuxTrust Signing Stick for Ubuntu & Windows 7 virtualbox

Background:

Over the last decade or so, the government in Luxembourg has incurred large amounts of wasteful public spending to build an incoherent, confusing and technically difficult to manage 'e-government platform'.

For small business owners, the challenges might be overwhelming. They have to deliver to the various government authorities (including direct tax administration, indirect tax administration, commercial register, etc.) relatively complex accounting reports with overlapping information but quite different formats. At the same time they need to take care of fulfilling the very high technical requirements of the various report submission systems. This certainly creates some business for the specialized accounting firms which outsource these tasks and thus increases the fixed costs for the companies.

In my specific case, I want to go through the pains of doing all that stuff myself for the following reasons:
  1. I understand accounting and financial reporting myself quite well
  2. I am running a business which is mostly a 'one-man-show', therefore extremely low fixed costs are a major competitive advantage.
If you are in a similar situation, I hope this text will help you.

High Level Technical Constraints

I am using Linux (Ubuntu 14.10).

I have acquired a 'Signing Stick' from the company LuxTrust, which is the only government-approved distributor of digital certificates in Luxembourg. In fact LuxTrust is simply a local distributor of the company Gemalto. Disregarding all technical nonsense about security, digital certificate types, etc., a Signing Stick is essentially a chip which you can plug into a USB port of your laptop. Then you run a silly 'middleware' software program on your laptop, and it allows you to enter a PIN and 'Import' the digital certificate from the chip into your browser or other applications.

It is not impossible to run the middleware program on Linux, and indeed LuxTrust have provided a Linux / Ubuntu version of it. However, using this approach is simply a waste of time, since the report submission systems of the government come with additional technical requirements. In particular they need some higher versions of Acrobat Reader, which is (mis-)used there to enable filling in the reporting forms. Without it you can log in to the submission system but cannot complete anything. Acrobat, however, is hardly supported anymore for Linux, and you cannot install newer versions. Even if you use some Windows emulator for Ubuntu and install the latest Acrobat version, it still does not work, as Acrobat running through the emulator, when embedded in your Firefox browser, crashes upon attempting to open the reporting forms.

Solution

Step 0: If you have not yet done so, activate your Signing Stick. On Ubuntu, follow these instructions.

Alternatively you may skip this step and do the activation after you do all the steps below.

Step 1: Install virtualbox.

This is not as straightforward as it seems. The virtualbox packages from the latest Ubuntu repositories are somehow corrupt and may not install. I did the following:
sudo apt-get install dkms 
Thereafter I used the version provided on the virtualbox website. The instructions for Debian-based distributions worked fine for me: I just edited the /etc/apt/sources.list file, downloaded and imported Oracle's public key, and installed virtualbox.
 
Step 2: Create and prepare a virtual windows machine

Virtualbox is pretty easy to use. The recommended version to install on the virtual machine is Windows 7 Professional or Ultimate, 32 bit. You might be challenged to find a suitable Windows installation, in particular if your budget is very tight. Luckily for small companies the government reports are submitted only once per year, so even a trial Windows version will do the job.

Once you install the Windows OS, you need to install on it Java and the latest version of Acrobat Reader. This is very simple but of course time-consuming.

For the task at hand, Internet Explorer is better suited than Firefox or any other browser. So don't waste time on installing other browsers. In particular Chromium is officially not supported by some of the report submission systems.

You also need to install the middleware for the Signing Stick; it is easily found under the support section of the LuxTrust website.

At that stage I recommend that you run a first 'test'. Without caring about the signing stick itself, go to the certificate test page of LuxTrust and check if you can reach the screen showing an empty combo-box for your product. If yes, this means that the basic technical requirements are fulfilled. If not, please ensure you have allowed pop-ups and Java plug-ins to run in your browser.

Step 3: Make your USB readable from the virtual machine.

This has several sub-steps:
3.1. Add your Linux user to the group vboxusers
sudo usermod -a -G vboxusers $USER

3.2. Install the virtualbox Guest Additions. You go to the Windows virtual machine. You do Right Ctrl+D or respectively use the virtualbox menu on the top. This creates a virtual CD drive on your Windows, from where you start the installation program either through the Windows' AutoPlay, or directly from Windows Explorer. Instructions are available there.
3.3. It is optional and I don't know if this step is really necessary. You may install virtualbox Extension Pack, which provides support for USB 2.0 devices, whatever that means. Just go to the virtualbox website, download the Extension Pack and open it with the virtualbox Manager (if it does not open automatically, use File / Preferences / Extensions from the virtualbox Manager to open and install the downloaded extension pack).

Finally reboot your Linux / Ubuntu host.

To test if these steps have worked, go to the virtualbox manager, open the Settings of your Windows virtual machine, then the USB menu. Plug your LuxTrust Signing Stick into a free USB port. You should be able to enable the USB and USB 2.0 controllers and also Add a USB Device Filter for your Signing Stick as indicated below.

If successful, start again your Windows virtualbox.
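
The two checks from Step 3 can also be scripted on the host. The following is an added example, not part of the original post: it verifies that the current login session really is in vboxusers and prints a VBoxManage usbfilter command that passes through only the Signing Stick. The VM name "Win7", the filter name and the lsusb sample (including its IDs) are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post). The VM name "Win7", the filter
# name and the lsusb sample below are assumptions / constructed values.

# Constructed sample of `lsusb` output, used so the script runs offline.
SAMPLE_LSUSB='Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 002 Device 005: ID 08e6:3438 Gemalto (was Gemplus) GemPC Key SmartCard Reader
Bus 002 Device 003: ID 046d:c52b Logitech, Inc. Unifying Receiver'

# True if group $1 is in the space-separated list $2, e.g. "$(id -nG)".
# usermod -a -G only affects new login sessions, so check the live session.
has_group() {
    case " $2 " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read lsusb lines on stdin; print vendor:product of every device whose
# description contains $1 (case-insensitive).
find_usb_ids() {
    awk -v pat="$1" '
        BEGIN { pat = tolower(pat) }
        {
            desc = $0
            sub(/^.* ID [0-9a-fA-F]+:[0-9a-fA-F]+ ?/, "", desc)
            if (index(tolower(desc), pat) && match($0, /ID [0-9a-fA-F]+:[0-9a-fA-F]+/))
                print tolower(substr($0, RSTART + 3, RLENGTH - 3))
        }'
}

# Print (do not run) a VBoxManage command that passes through exactly one
# device. Zero or several matches is an error: never guess which to attach.
usb_filter_cmd() {
    ufc_ids="$(find_usb_ids "$2")"
    ufc_count="$(printf '%s\n' "$ufc_ids" | grep -c . || true)"
    if [ "$ufc_count" -ne 1 ]; then
        echo "expected exactly 1 device matching '$2', found $ufc_count" >&2
        return 1
    fi
    printf 'VBoxManage usbfilter add 0 --target "%s" --name "SigningStick" --vendorid %s --productid %s\n' \
        "$1" "${ufc_ids%%:*}" "${ufc_ids##*:}"
}

has_group vboxusers "$(id -nG)" || echo "note: this session is not in vboxusers yet; log in again" >&2
printf '%s\n' "$SAMPLE_LSUSB" | usb_filter_cmd "Win7" gemplus
```

On a real host, replace the sample with `lsusb | usb_filter_cmd "<your VM name>" gemplus`, review the printed command, and run it while the VM is powered off. A filter pinned to one vendor and product ID keeps every other USB device on the host out of the Windows guest.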



Step 4: Update device drivers

Once in Windows, you should be able to see the Gemplus USB SmartCard reader as configured above. Sometimes Windows will not install the correct driver for this device, leading to the problem that the LuxTrust middleware will not be able to read the certificate from the USB Stick. In such a case you need to update the device drivers from the website of Gemalto. Just take a look at their download section under support, take the correct driver and install it under Windows.

Before and after this stage, I recommend that you run tests from the certificate test page of LuxTrust. At the latest after this step, you should be able to reach the screen showing a combo-box with your certificate's details and a PIN code entry field.

Step 5: Activate LuxTrust Signing Stick

In case you have not already activated your signing stick as in Step 0, you need to do it now. Activation has 2 steps:
5.1. Set up your PIN
5.2. Activation procedure from the LuxTrust website

Detailed instructions are given in the Guides section of the LuxTrust website. Note that you just need to do what LuxTrust explains under sections IV and V; the rest has already been done.


Have fun!