NEA Certificate Cache Issue

Nymi Bands and Nymi-Enabled Applications (NEAs) use certificates to support secure communications over Bluetooth Low Energy (BLE). Examples of NEAs include Nymi Band Application (NBA), Nymi Lock Control Application, and the Evidian Client. 

The Nymi Band:

• Stores the NES L1 certificate during the enrollment process to securely “bind” the Nymi Band to an NES. 
• Caches each new NEA certificate that it encounters on a user terminal to optimize performance.

The NES server defines the validity time period for NEA certificates.  After the validity period, the NEA certificates expire and the user terminals receive new NEA certificates from NES, which in turn are passed on to the Nymi Band. The default  validity period is 14 days.

The Nymi Band monitors the cache size and deletes the cache when the Nymi Band is on charger and detects the presence of 45 or more cached certificates.

In environments that do not include Citrix and RDP, the Nymi Band might clear the cache at any time after approximately 630 days(assuming the user uses a single machine). If the user uses multiple NEAs in their day-to-day work (including IT-OT scenarios), the duration decreases proportionally.

For RDP/Citrix deployments in which the user profile is not retained beyond the RDP/Citrix user session, each application launch through Citrix/RDP can potentially create a new NEA certificate, which quickly exhausts the Nymi Band certificate cache capacity.

Description of the Issue 

In all versions of Nymi Enterprise Edition and CWP 1.3.4 and earlier, the Nymi Band cache includes the L1 certificate.  When the Nymi Band deletes the cache, the Nymi Band also deletes the L1 certificate.  When the L1 certificates is not on the Nymi Band, the user cannot perform tap operations until the the user re-enrolls the Nymi Band.  Re-enrolling the Nymi Band resolves this issue until the Nymi Band clears the cache again.

NOTE: This issue and the following remediation do not apply to Evidian with RFID-only and FIDO2 configurations.

Resolution 

Nymi has created a new version of firmware that stores the L1 certificate on the Nymi Band in a secure location, and not in the cache.

Nymi recommends that customers:

• Update all Nymi Bands to the CWP 1.3.6 firmware release, which contains the firmware fix for this defect.
• Lengthen the NEA certificate validity period.   A longer validity period reduces the number of NEA certificates that are generated and then stored on the Nymi Band.  This change can increase the time it takes for a Nymi Band to experience the issue, and provides you with more time to apply the firmware update.

To apply the fix, perform one of the following actions:

• For users with an enrolled Nymi Band who are not currently experiencing this issue, apply the firmware update to the Nymi Band to resolve the issue. The user does not need to perform a re-enrollment.
• For users with an enrolled Nymi Bands who is currently experiencing this issue, perform the following steps to resolve the issue:
  1. Update the Nymi Band firmware.
  2. Perform a delete user data operation on the Nymi Band.
  3. Delete the Nymi Band association to the user in NES and if used, Evidian
  4. Re-enroll the Nymi Band.

To increase the NEA certificate validity period, perform the following steps on the NES server:

1. Edit the C:\inetpub\wwwroot\nes\NEnrollment\web.config file.
2. Search for "CertificateExpireIn".  
3. Change the value to 90.00:00:00
4. Save the web.config file.
5. Restart IIS.